Add coverage tests for readOnly/writeOnly rejection paths

Cover checkReadWriteOnlyViolation calls in:
- recurseIntoDeclaredProperties (explicit + pattern properties)
- validateVariantWithParent (oneOf)
- recurseIntoDeclaredPropertiesWithMerged (oneOf + additionalProperties: false)
- recurseIntoAllOfDeclaredProperties (allOf + additionalProperties: false)
- WithStrictRejectReadOnly/WithStrictRejectWriteOnly option functions
- WithExistingOpts copy of new fields

Author: byted

config/config_test.go

@@ -466,6 +466,8 @@ func TestWithLogger(t *testing.T) {
 func TestWithExistingOpts_StrictFields(t *testing.T) {
 	original := &ValidationOptions{
 		StrictMode:                true,
+		StrictRejectReadOnly:      true,
+		StrictRejectWriteOnly:     true,
 		StrictIgnorePaths:         []string{"$.body.*"},
 		StrictIgnoredHeaders:      []string{"x-custom"},
 		strictIgnoredHeadersMerge: true,
@@ -475,12 +477,24 @@ func TestWithExistingOpts_StrictFields(t *testing.T) {
 	opts := NewValidationOptions(WithExistingOpts(original))
 
 	assert.True(t, opts.StrictMode)
+	assert.True(t, opts.StrictRejectReadOnly)
+	assert.True(t, opts.StrictRejectWriteOnly)
 	assert.Equal(t, original.StrictIgnorePaths, opts.StrictIgnorePaths)
 	assert.Equal(t, original.StrictIgnoredHeaders, opts.StrictIgnoredHeaders)
 	assert.True(t, opts.strictIgnoredHeadersMerge)
 	assert.Equal(t, original.Logger, opts.Logger)
 }
 
+func TestWithStrictRejectReadOnly(t *testing.T) {
+	opts := NewValidationOptions(WithStrictRejectReadOnly())
+	assert.True(t, opts.StrictRejectReadOnly)
+}
+
+func TestWithStrictRejectWriteOnly(t *testing.T) {
+	opts := NewValidationOptions(WithStrictRejectWriteOnly())
+	assert.True(t, opts.StrictRejectWriteOnly)
+}
+
 func TestStrictModeWithIgnorePaths(t *testing.T) {
 	paths := []string{"$.body.metadata.*"}
 	opts := NewValidationOptions(

requests/validate_body_test.go

@@ -1614,6 +1614,50 @@ paths:
 	assert.Len(t, errors, 0)
 }
 
+func TestValidateBody_StrictMode_ReadOnlyProperty(t *testing.T) {
+	spec := `openapi: 3.1.0
+paths:
+  /users:
+    post:
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                id:
+                  type: string
+                  readOnly: true
+                name:
+                  type: string`
+
+	doc, _ := libopenapi.NewDocument([]byte(spec))
+
+	m, _ := doc.BuildV3Model()
+	v := NewRequestBodyValidator(&m.Model,
+		config.WithStrictMode(),
+		config.WithStrictRejectReadOnly(),
+	)
+
+	body := map[string]interface{}{
+		"id":   "user-123",
+		"name": "John",
+	}
+
+	bodyBytes, _ := json.Marshal(body)
+
+	request, _ := http.NewRequest(http.MethodPost, "https://things.com/users",
+		bytes.NewBuffer(bodyBytes))
+	request.Header.Set("Content-Type", "application/json")
+
+	valid, errors := v.ValidateRequestBody(request)
+
+	assert.False(t, valid)
+	assert.Len(t, errors, 1)
+	assert.Contains(t, errors[0].Message, "readOnly")
+	assert.Contains(t, errors[0].Message, "id")
+}
+
 func TestValidateRequestBody_XMLMarshalError(t *testing.T) {
 	spec := []byte(`
 openapi: 3.1.0

responses/validate_body_test.go

@@ -1619,6 +1619,50 @@ paths:
 	assert.Len(t, errs, 0)
 }
 
+func TestValidateBody_StrictMode_WriteOnlyProperty(t *testing.T) {
+	spec := `openapi: 3.1.0
+paths:
+  /users/123:
+    get:
+      responses:
+        '200':
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  name:
+                    type: string
+                  password:
+                    type: string
+                    writeOnly: true`
+
+	doc, _ := libopenapi.NewDocument([]byte(spec))
+
+	m, _ := doc.BuildV3Model()
+	v := NewResponseBodyValidator(&m.Model,
+		config.WithStrictMode(),
+		config.WithStrictRejectWriteOnly(),
+	)
+
+	request, _ := http.NewRequest(http.MethodGet, "https://things.com/users/123", nil)
+
+	responseBody := `{"name": "John", "password": "secret"}`
+	response := &http.Response{
+		Header:     http.Header{},
+		StatusCode: http.StatusOK,
+		Body:       io.NopCloser(strings.NewReader(responseBody)),
+	}
+	response.Header.Set("Content-Type", "application/json")
+
+	valid, errs := v.ValidateResponseBody(request, response)
+
+	assert.False(t, valid)
+	assert.Len(t, errs, 1)
+	assert.Contains(t, errs[0].Message, "writeOnly")
+	assert.Contains(t, errs[0].Message, "password")
+}
+
 func TestValidateBody_ValidURLEncodedBody(t *testing.T) {
 	spec := `openapi: 3.1.0
 paths:

strict/validator_test.go

@@ -6666,3 +6666,214 @@ components:
 	assert.Equal(t, "password", resultResponse.UndeclaredValues[0].Name)
 	assert.Equal(t, TypeWriteOnlyProperty, resultResponse.UndeclaredValues[0].Type)
 }
+
+func TestStrictValidator_RejectReadOnly_AdditionalPropertiesFalse(t *testing.T) {
+	// Covers schema_walker.go recurseIntoDeclaredProperties:
+	// explicit property path and patternProperties path
+	yml := `openapi: "3.1.0"
+info:
+  title: Test
+  version: "1.0"
+paths: {}
+components:
+  schemas:
+    Strict:
+      type: object
+      additionalProperties: false
+      properties:
+        id:
+          type: string
+          readOnly: true
+        name:
+          type: string
+      patternProperties:
+        "^x-":
+          type: string
+          readOnly: true
+`
+	model := buildSchemaFromYAML(t, yml)
+	schema := getSchema(t, model, "Strict")
+
+	opts := config.NewValidationOptions(config.WithStrictMode(), config.WithStrictRejectReadOnly())
+	v := NewValidator(opts, 3.1)
+
+	data := map[string]any{
+		"id":       "user-1",
+		"name":     "John",
+		"x-custom": "value",
+	}
+
+	result := v.Validate(Input{
+		Schema:    schema,
+		Data:      data,
+		Direction: DirectionRequest,
+		Options:   opts,
+		BasePath:  "$.body",
+		Version:   3.1,
+	})
+
+	assert.False(t, result.Valid)
+	assert.Len(t, result.UndeclaredValues, 2)
+
+	names := []string{result.UndeclaredValues[0].Name, result.UndeclaredValues[1].Name}
+	assert.Contains(t, names, "id")
+	assert.Contains(t, names, "x-custom")
+	for _, uv := range result.UndeclaredValues {
+		assert.Equal(t, TypeReadOnlyProperty, uv.Type)
+	}
+}
+
+func TestStrictValidator_RejectReadOnly_OneOf(t *testing.T) {
+	// Covers polymorphic.go validateVariantWithParent path
+	yml := `openapi: "3.1.0"
+info:
+  title: Test
+  version: "1.0"
+paths: {}
+components:
+  schemas:
+    OneOfSchema:
+      type: object
+      oneOf:
+        - type: object
+          properties:
+            id:
+              type: string
+              readOnly: true
+            email:
+              type: string
+`
+	model := buildSchemaFromYAML(t, yml)
+	schema := getSchema(t, model, "OneOfSchema")
+
+	opts := config.NewValidationOptions(config.WithStrictMode(), config.WithStrictRejectReadOnly())
+	v := NewValidator(opts, 3.1)
+
+	data := map[string]any{
+		"id":    "user-1",
+		"email": "test@example.com",
+	}
+
+	result := v.Validate(Input{
+		Schema:    schema,
+		Data:      data,
+		Direction: DirectionRequest,
+		Options:   opts,
+		BasePath:  "$.body",
+		Version:   3.1,
+	})
+
+	assert.False(t, result.Valid)
+	require.Len(t, result.UndeclaredValues, 1)
+	assert.Equal(t, "id", result.UndeclaredValues[0].Name)
+	assert.Equal(t, TypeReadOnlyProperty, result.UndeclaredValues[0].Type)
+}
+
+func TestStrictValidator_RejectReadOnly_OneOfAdditionalPropertiesFalse(t *testing.T) {
+	// Covers polymorphic.go recurseIntoDeclaredPropertiesWithMerged path
+	yml := `openapi: "3.1.0"
+info:
+  title: Test
+  version: "1.0"
+paths: {}
+components:
+  schemas:
+    OneOfStrict:
+      type: object
+      additionalProperties: false
+      properties:
+        name:
+          type: string
+      oneOf:
+        - type: object
+          additionalProperties: false
+          properties:
+            name:
+              type: string
+            id:
+              type: string
+              readOnly: true
+            data:
+              type: string
+`
+	model := buildSchemaFromYAML(t, yml)
+	schema := getSchema(t, model, "OneOfStrict")
+
+	opts := config.NewValidationOptions(config.WithStrictMode(), config.WithStrictRejectReadOnly())
+	v := NewValidator(opts, 3.1)
+
+	data := map[string]any{
+		"name": "test",
+		"id":   "should-be-rejected",
+		"data": "valid",
+	}
+
+	result := v.Validate(Input{
+		Schema:    schema,
+		Data:      data,
+		Direction: DirectionRequest,
+		Options:   opts,
+		BasePath:  "$.body",
+		Version:   3.1,
+	})
+
+	assert.False(t, result.Valid)
+	require.Len(t, result.UndeclaredValues, 1)
+	assert.Equal(t, "id", result.UndeclaredValues[0].Name)
+	assert.Equal(t, TypeReadOnlyProperty, result.UndeclaredValues[0].Type)
+}
+
+func TestStrictValidator_RejectReadOnly_AllOfAdditionalPropertiesFalse(t *testing.T) {
+	// Covers polymorphic.go recurseIntoAllOfDeclaredProperties path
+	yml := `openapi: "3.1.0"
+info:
+  title: Test
+  version: "1.0"
+paths: {}
+components:
+  schemas:
+    AllOfStrict:
+      type: object
+      additionalProperties: false
+      allOf:
+        - type: object
+          properties:
+            id:
+              type: string
+              readOnly: true
+            name:
+              type: string
+`
+	model := buildSchemaFromYAML(t, yml)
+	schema := getSchema(t, model, "AllOfStrict")
+
+	opts := config.NewValidationOptions(config.WithStrictMode(), config.WithStrictRejectReadOnly())
+	v := NewValidator(opts, 3.1)
+
+	data := map[string]any{
+		"id":   "should-be-rejected",
+		"name": "John",
+	}
+
+	result := v.Validate(Input{
+		Schema:    schema,
+		Data:      data,
+		Direction: DirectionRequest,
+		Options:   opts,
+		BasePath:  "$.body",
+		Version:   3.1,
+	})
+
+	assert.False(t, result.Valid)
+	require.Len(t, result.UndeclaredValues, 1)
+	assert.Equal(t, "id", result.UndeclaredValues[0].Name)
+	assert.Equal(t, TypeReadOnlyProperty, result.UndeclaredValues[0].Type)
+}
+
+func TestStrictValidator_CheckReadWriteOnlyViolation_NilSchema(t *testing.T) {
+	opts := config.NewValidationOptions(config.WithStrictMode(), config.WithStrictRejectReadOnly())
+	v := NewValidator(opts, 3.1)
+
+	_, ok := v.checkReadWriteOnlyViolation("$.body.x", "x", "val", nil, DirectionRequest)
+	assert.False(t, ok)
+}

validator_test.go

@@ -2784,7 +2784,7 @@ components:
 	})
 }
 
-func TestStrictRejectReadOnly_RequestIntegration(t *testing.T) {
+func TestStrictMode_RejectReadOnly_RequestIntegration(t *testing.T) {
 	spec := `openapi: 3.1.0
 paths:
   /users:
@@ -2834,7 +2834,7 @@ paths:
 	assert.True(t, foundReadOnly, "should report readOnly violation")
 }
 
-func TestStrictRejectWriteOnly_ResponseIntegration(t *testing.T) {
+func TestStrictMode_RejectWriteOnly_ResponseIntegration(t *testing.T) {
 	spec := `openapi: 3.1.0
 paths:
   /users/{id}: