Input validation strict mode (OpenAPI + GraphQL)

[tayebmokni]

Summary

Implement strict input validation on REST (OpenAPI 3.1) and GraphQL boundaries per doc 13 §8.1, §8.2. REST: OpenAPI is the source of truth; oapi-codegen generates Go request types with strict validators; unknown fields rejected by default (additionalProperties: false); numeric ranges, string lengths, and enums enforced before the handler. GraphQL: schema-first with gqlgen; variables validated by runtime; no JSON scalar except for BlockAttributes (validated downstream by block registry); introspection disabled in production by default with super-admin opt-in. Also: URL-bearing fields canonicalized (§8.4), JSON body/depth/array caps (§8.5).

Design reference

• docs/13-security-baseline.md §8.1 (REST), §8.2 (GraphQL), §8.4 (URL-bearing fields), §8.5 (JSON depth and size)

Acceptance criteria

• OpenAPI 3.1 spec with additionalProperties: false on every schema (or explicit x-allow-additional opt-in)
• oapi-codegen integrated with strict validators in the request-decoding path
• Numeric ranges, string lengths, and enums enforced before handler logic
• gqlgen schema-first integration with no JSON scalar except BlockAttributes
• GraphQL introspection disabled in production; super-admin opt-in toggle
• URL-validation helper: scheme allowlist, no bare IP, no userinfo, no fragment, no trailing whitespace, partial SSRF guard at validation time
• JSON body size caps per route (REST default 1 MiB, content-creation 16 MiB)
• JSON max depth 100, max array length 10k unless route declares otherwise
• Tests cover unknown-field rejection, oversized body, deep JSON, and bad URL inputs

Dependencies

none

Complexity

L

[tayebmokni]

Closing — shipped in the final-wave PR (#487-#492). Auto-close only fires for first ref.