Forbid fragments on many schema endpoints

[jviotti]

Signed-off-by: Juan Cruz Viotti jv@jviotti.com

[augmentcode]

🤖 Augment PR Summary

Summary: This PR tightens schema-handling endpoints by rejecting schema URIs/paths that contain a fragment (directly via # or via the encoded form %23).

Changes:

• Added fragment checks to REST schema routes (serve schema, serve artifacts, dependency tree, explorer artifacts, evaluate/trace POST handlers) and returns a 400 invalid-uri problem response.
• Added fragment checks to MCP/JSON-RPC tools that take a schema argument, returning JSON-RPC -32602 (Invalid params) when a fragment is present.
• Expanded Hurl E2E coverage to assert fragment rejection behavior across multiple MCP tools (evaluate, trace, dependencies, dependents, health, locations, metadata, positions, stats).
• Added a dedicated Hurl suite (schemas-fragment.all.hurl) to verify REST endpoints reject fragment-containing schema paths.

Technical Notes: REST validation checks both # and %23 to catch fragment attempts that cannot be transmitted as raw fragments in HTTP paths; MCP validation rejects URIs containing a # fragment delimiter.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 1 suggestion posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

serve_post rejects fragment-like paths before the OPTIONS preflight branch, so a browser CORS preflight to an invalid schema path (e.g. containing %23) will likely fail and surface as a CORS error instead of returning the intended problem response. This also affects the trace endpoint since it reuses ActionJSONSchemaEvaluate_v1::serve_post.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[cubic-dev-ai]

1 issue found across 18 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[github-actions]

Benchmark Index (community)

Details

Benchmark suite	Current: 2c51935	Previous: 90f0040	Ratio
Add one schema (0 existing)	288 ms	285 ms	1.01
Add one schema (100 existing)	26 ms	26 ms	1
Add one schema (1000 existing)	84 ms	84 ms	1
Add one schema (10000 existing)	715 ms	819 ms	0.87
Update one schema (1 existing)	19 ms	18 ms	1.06
Update one schema (101 existing)	27 ms	27 ms	1
Update one schema (1001 existing)	85 ms	85 ms	1
Update one schema (10001 existing)	882 ms	709 ms	1.24
Cached rebuild (1 existing)	6 ms	6 ms	1
Cached rebuild (101 existing)	8 ms	8 ms	1
Cached rebuild (1001 existing)	30 ms	30 ms	1
Cached rebuild (10001 existing)	305 ms	311 ms	0.98
Index 100 schemas	111 ms	111 ms	1
Index 1000 schemas	877 ms	875 ms	1.00
Index 10000 schemas	12765 ms	13189 ms	0.97

This comment was automatically generated by workflow using github-action-benchmark.

[github-actions]

Benchmark Index (enterprise)

Details

Benchmark suite	Current: 2c51935	Previous: 90f0040	Ratio
Add one schema (0 existing)	297 ms	289 ms	1.03
Add one schema (100 existing)	29 ms	28 ms	1.04
Add one schema (1000 existing)	83 ms	81 ms	1.02
Add one schema (10000 existing)	678 ms	676 ms	1.00
Update one schema (1 existing)	22 ms	21 ms	1.05
Update one schema (101 existing)	29 ms	28 ms	1.04
Update one schema (1001 existing)	86 ms	83 ms	1.04
Update one schema (10001 existing)	698 ms	696 ms	1.00
Cached rebuild (1 existing)	7 ms	6 ms	1.17
Cached rebuild (101 existing)	9 ms	9 ms	1
Cached rebuild (1001 existing)	30 ms	29 ms	1.03
Cached rebuild (10001 existing)	256 ms	254 ms	1.01
Index 100 schemas	131 ms	119 ms	1.10
Index 1000 schemas	1053 ms	1152 ms	0.91
Index 10000 schemas	14420 ms	14015 ms	1.03

This comment was automatically generated by workflow using github-action-benchmark.