Add opt-in readOnly/writeOnly rejection to strict mode

When StrictRejectReadOnly is enabled, readOnly properties in requests
are reported as validation errors instead of being silently skipped.
When StrictRejectWriteOnly is enabled, writeOnly properties in
responses are reported similarly.

Addresses #90

Author: byted

config/config.go

@@ -42,6 +42,8 @@ type ValidationOptions struct {
 	StrictIgnorePaths         []string // Instance JSONPath patterns to exclude from strict checks
 	StrictIgnoredHeaders      []string // Headers to always ignore in strict mode (nil = use defaults)
 	strictIgnoredHeadersMerge bool     // Internal: true if merging with defaults
+	StrictRejectReadOnly      bool     // Reject readOnly properties in requests
+	StrictRejectWriteOnly     bool     // Reject writeOnly properties in responses
 }
 
 // Option Enables an 'Options pattern' approach
@@ -88,6 +90,8 @@ func WithExistingOpts(options *ValidationOptions) Option {
 			o.StrictIgnorePaths = options.StrictIgnorePaths
 			o.StrictIgnoredHeaders = options.StrictIgnoredHeaders
 			o.strictIgnoredHeadersMerge = options.strictIgnoredHeadersMerge
+			o.StrictRejectReadOnly = options.StrictRejectReadOnly
+			o.StrictRejectWriteOnly = options.StrictRejectWriteOnly
 		}
 	}
 }
@@ -241,6 +245,24 @@ func WithStrictIgnorePaths(paths ...string) Option {
 	}
 }
 
+// WithStrictRejectReadOnly enables rejection of readOnly properties in requests.
+// When enabled, readOnly properties present in request bodies are reported as
+// validation errors instead of being silently skipped.
+func WithStrictRejectReadOnly() Option {
+	return func(o *ValidationOptions) {
+		o.StrictRejectReadOnly = true
+	}
+}
+
+// WithStrictRejectWriteOnly enables rejection of writeOnly properties in responses.
+// When enabled, writeOnly properties present in response bodies are reported as
+// validation errors instead of being silently skipped.
+func WithStrictRejectWriteOnly() Option {
+	return func(o *ValidationOptions) {
+		o.StrictRejectWriteOnly = true
+	}
+}
+
 // WithStrictIgnoredHeaders replaces the default ignored headers list entirely.
 // Use this to fully control which headers are ignored in strict mode.
 // For the default list, see the strict package's DefaultIgnoredHeaders.

errors/strict_errors.go

@@ -11,12 +11,14 @@ import (
 // StrictValidationType is the validation type for strict mode errors.
 const StrictValidationType = "strict"
 
-// StrictValidationSubTypes for different kinds of undeclared values.
+// StrictValidationSubTypes for different kinds of strict validation errors.
 const (
-	StrictSubTypeProperty = "undeclared-property"
-	StrictSubTypeHeader   = "undeclared-header"
-	StrictSubTypeQuery    = "undeclared-query-param"
-	StrictSubTypeCookie   = "undeclared-cookie"
+	StrictSubTypeProperty          = "undeclared-property"
+	StrictSubTypeHeader            = "undeclared-header"
+	StrictSubTypeQuery             = "undeclared-query-param"
+	StrictSubTypeCookie            = "undeclared-cookie"
+	StrictSubTypeReadOnlyProperty  = "readonly-property"
+	StrictSubTypeWriteOnlyProperty = "writeonly-property"
 )
 
 // UndeclaredPropertyError creates a ValidationError for an undeclared property.
@@ -132,6 +134,62 @@ func UndeclaredCookieError(
 	}
 }
 
+// ReadOnlyPropertyError creates a ValidationError for a readOnly property in a request.
+func ReadOnlyPropertyError(
+	path string,
+	name string,
+	value any,
+	requestPath string,
+	requestMethod string,
+	specLine int,
+	specCol int,
+) *ValidationError {
+	return &ValidationError{
+		ValidationType:    StrictValidationType,
+		ValidationSubType: StrictSubTypeReadOnlyProperty,
+		Message: fmt.Sprintf("request property '%s' at '%s' is readOnly and should not be sent in the request",
+			name, path),
+		Reason: fmt.Sprintf("Strict mode: property '%s' is marked readOnly in the schema",
+			name),
+		HowToFix: fmt.Sprintf("Remove the readOnly annotation from '%s' in the schema, "+
+			"remove it from the request, or add '%s' to StrictIgnorePaths", name, path),
+		RequestPath:   requestPath,
+		RequestMethod: requestMethod,
+		ParameterName: name,
+		Context:       truncateForContext(value),
+		SpecLine:      specLine,
+		SpecCol:       specCol,
+	}
+}
+
+// WriteOnlyPropertyError creates a ValidationError for a writeOnly property in a response.
+func WriteOnlyPropertyError(
+	path string,
+	name string,
+	value any,
+	requestPath string,
+	requestMethod string,
+	specLine int,
+	specCol int,
+) *ValidationError {
+	return &ValidationError{
+		ValidationType:    StrictValidationType,
+		ValidationSubType: StrictSubTypeWriteOnlyProperty,
+		Message: fmt.Sprintf("response property '%s' at '%s' is writeOnly and should not be returned in the response",
+			name, path),
+		Reason: fmt.Sprintf("Strict mode: property '%s' is marked writeOnly in the schema",
+			name),
+		HowToFix: fmt.Sprintf("Remove the writeOnly annotation from '%s' in the schema, "+
+			"remove it from the response, or add '%s' to StrictIgnorePaths", name, path),
+		RequestPath:   requestPath,
+		RequestMethod: requestMethod,
+		ParameterName: name,
+		Context:       truncateForContext(value),
+		SpecLine:      specLine,
+		SpecCol:       specCol,
+	}
+}
+
 // truncateForContext creates a truncated string representation for error context.
 func truncateForContext(v any) string {
 	switch val := v.(type) {

requests/validate_request.go

@@ -332,18 +332,28 @@ func ValidateRequestSchema(input *ValidateRequestSchemaInput) (bool, []*errors.V
 
 		if !strictResult.Valid {
 			for _, undeclared := range strictResult.UndeclaredValues {
-				validationErrors = append(validationErrors,
-					errors.UndeclaredPropertyError(
-						undeclared.Path,
-						undeclared.Name,
-						undeclared.Value,
-						undeclared.DeclaredProperties,
-						undeclared.Direction.String(),
-						request.URL.Path,
-						request.Method,
-						undeclared.SpecLine,
-						undeclared.SpecCol,
-					))
+				switch undeclared.Type {
+				case strict.TypeReadOnlyProperty:
+					validationErrors = append(validationErrors,
+						errors.ReadOnlyPropertyError(
+							undeclared.Path, undeclared.Name, undeclared.Value,
+							request.URL.Path, request.Method,
+							undeclared.SpecLine, undeclared.SpecCol,
+						))
+				default:
+					validationErrors = append(validationErrors,
+						errors.UndeclaredPropertyError(
+							undeclared.Path,
+							undeclared.Name,
+							undeclared.Value,
+							undeclared.DeclaredProperties,
+							undeclared.Direction.String(),
+							request.URL.Path,
+							request.Method,
+							undeclared.SpecLine,
+							undeclared.SpecCol,
+						))
+				}
 			}
 		}
 	}

responses/validate_response.go

@@ -354,18 +354,28 @@ func ValidateResponseSchema(input *ValidateResponseSchemaInput) (bool, []*errors
 
 		if !strictResult.Valid {
 			for _, undeclared := range strictResult.UndeclaredValues {
-				validationErrors = append(validationErrors,
-					errors.UndeclaredPropertyError(
-						undeclared.Path,
-						undeclared.Name,
-						undeclared.Value,
-						undeclared.DeclaredProperties,
-						undeclared.Direction.String(),
-						request.URL.Path,
-						request.Method,
-						undeclared.SpecLine,
-						undeclared.SpecCol,
-					))
+				switch undeclared.Type {
+				case strict.TypeWriteOnlyProperty:
+					validationErrors = append(validationErrors,
+						errors.WriteOnlyPropertyError(
+							undeclared.Path, undeclared.Name, undeclared.Value,
+							request.URL.Path, request.Method,
+							undeclared.SpecLine, undeclared.SpecCol,
+						))
+				default:
+					validationErrors = append(validationErrors,
+						errors.UndeclaredPropertyError(
+							undeclared.Path,
+							undeclared.Name,
+							undeclared.Value,
+							undeclared.DeclaredProperties,
+							undeclared.Direction.String(),
+							request.URL.Path,
+							request.Method,
+							undeclared.SpecLine,
+							undeclared.SpecCol,
+						))
+				}
 			}
 		}
 	}

strict/polymorphic.go

@@ -113,6 +113,10 @@ func (v *Validator) validateAllOf(ctx *traversalContext, schema *base.Schema, da
 			// Recurse into the property
 			propSchema := v.findPropertySchemaInAllOf(schema.AllOf, propName, allDeclared)
 			if propSchema != nil {
+				if violation, ok := v.checkReadWriteOnlyViolation(propPath, propName, propValue, propSchema, ctx.direction); ok {
+					undeclared = append(undeclared, violation)
+					continue
+				}
 				if v.shouldSkipProperty(propSchema, ctx.direction) {
 					continue
 				}
@@ -219,6 +223,10 @@ func (v *Validator) validateVariantWithParent(ctx *traversalContext, parent *bas
 			// Find the property schema (prefer variant, fallback to parent)
 			propSchema := v.findPropertySchemaInMerged(variant, parent, propName, allDeclared)
 			if propSchema != nil {
+				if violation, ok := v.checkReadWriteOnlyViolation(propPath, propName, propValue, propSchema, ctx.direction); ok {
+					undeclared = append(undeclared, violation)
+					continue
+				}
 				if v.shouldSkipProperty(propSchema, ctx.direction) {
 					continue
 				}
@@ -293,6 +301,10 @@ func (v *Validator) recurseIntoDeclaredPropertiesWithMerged(ctx *traversalContex
 
 		propSchema := v.findPropertySchemaInMerged(variant, parent, propName, declared)
 		if propSchema != nil {
+			if violation, ok := v.checkReadWriteOnlyViolation(propPath, propName, propValue, propSchema, ctx.direction); ok {
+				undeclared = append(undeclared, violation)
+				continue
+			}
 			if v.shouldSkipProperty(propSchema, ctx.direction) {
 				continue
 			}
@@ -463,6 +475,10 @@ func (v *Validator) recurseIntoAllOfDeclaredProperties(ctx *traversalContext, al
 
 		propSchema := v.findPropertySchemaInAllOf(allOf, propName, declared)
 		if propSchema != nil {
+			if violation, ok := v.checkReadWriteOnlyViolation(propPath, propName, propValue, propSchema, ctx.direction); ok {
+				undeclared = append(undeclared, violation)
+				continue
+			}
 			if v.shouldSkipProperty(propSchema, ctx.direction) {
 				continue
 			}

strict/property_collector.go

@@ -147,6 +147,26 @@ func getPropertySchema(name string, declared map[string]*declaredProperty) *base
 	return nil
 }
 
+// checkReadWriteOnlyViolation checks if a property violates readOnly/writeOnly rules
+// when the corresponding rejection flag is enabled. Returns a violation and true if so.
+func (v *Validator) checkReadWriteOnlyViolation(
+	path string, name string, value any,
+	schema *base.Schema, direction Direction,
+) (UndeclaredValue, bool) {
+	if schema == nil || v.options == nil {
+		return UndeclaredValue{}, false
+	}
+	if direction == DirectionRequest && v.options.StrictRejectReadOnly &&
+		schema.ReadOnly != nil && *schema.ReadOnly {
+		return newReadWriteOnlyViolation(path, name, value, direction, schema), true
+	}
+	if direction == DirectionResponse && v.options.StrictRejectWriteOnly &&
+		schema.WriteOnly != nil && *schema.WriteOnly {
+		return newReadWriteOnlyViolation(path, name, value, direction, schema), true
+	}
+	return UndeclaredValue{}, false
+}
+
 // shouldSkipProperty checks if a property should be skipped based on
 // readOnly/writeOnly and the current validation direction.
 func (v *Validator) shouldSkipProperty(schema *base.Schema, direction Direction) bool {

strict/schema_walker.go

@@ -90,7 +90,10 @@ func (v *Validator) validateObject(ctx *traversalContext, schema *base.Schema, d
 		if propProxy != nil {
 			propSchema := propProxy.Schema()
 			if propSchema != nil {
-				// check readOnly/writeOnly
+				if violation, ok := v.checkReadWriteOnlyViolation(propPath, propName, propValue, propSchema, ctx.direction); ok {
+					undeclared = append(undeclared, violation)
+					continue
+				}
 				if v.shouldSkipProperty(propSchema, ctx.direction) {
 					continue
 				}
@@ -191,6 +194,10 @@ func (v *Validator) recurseIntoDeclaredProperties(ctx *traversalContext, schema
 
 			propSchema := propProxy.Schema()
 			if propSchema != nil {
+				if violation, ok := v.checkReadWriteOnlyViolation(propPath, propName, propValue, propSchema, ctx.direction); ok {
+					undeclared = append(undeclared, violation)
+					continue
+				}
 				if v.shouldSkipProperty(propSchema, ctx.direction) {
 					continue
 				}
@@ -222,6 +229,10 @@ func (v *Validator) recurseIntoDeclaredProperties(ctx *traversalContext, schema
 
 			propSchema := propProxy.Schema()
 			if propSchema != nil {
+				if violation, ok := v.checkReadWriteOnlyViolation(propPath, propName, propValue, propSchema, ctx.direction); ok {
+					undeclared = append(undeclared, violation)
+					continue
+				}
 				if v.shouldSkipProperty(propSchema, ctx.direction) {
 					continue
 				}

strict/types.go

@@ -62,6 +62,13 @@ func (d Direction) String() string {
 	return "request"
 }
 
+// Type constants for UndeclaredValue.Type, defined here for use in the
+// request/response dispatch switch (existing types use inline strings).
+const (
+	TypeReadOnlyProperty  = "readonly"
+	TypeWriteOnlyProperty = "writeonly"
+)
+
 // UndeclaredValue represents a value found in data that is not declared
 // in the schema. This is the core output of strict validation.
 type UndeclaredValue struct {
@@ -77,7 +84,7 @@ type UndeclaredValue struct {
 	Value any
 
 	// Type indicates what kind of value this is.
-	// one of: "property", "header", "query", "cookie", "item"
+	// one of: "property", "header", "query", "cookie", "item", "readonly", "writeonly"
 	Type string
 
 	// DeclaredProperties lists property names that ARE declared at this
@@ -127,6 +134,24 @@ func newUndeclaredProperty(path, name string, value any, declaredNames []string,
 	}
 }
 
+// newReadWriteOnlyViolation creates an UndeclaredValue for a readOnly/writeOnly violation.
+func newReadWriteOnlyViolation(path, name string, value any, direction Direction, schema *base.Schema) UndeclaredValue {
+	line, col := extractSchemaLocation(schema)
+	violationType := TypeReadOnlyProperty
+	if direction == DirectionResponse {
+		violationType = TypeWriteOnlyProperty
+	}
+	return UndeclaredValue{
+		Path:      path,
+		Name:      name,
+		Value:     TruncateValue(value),
+		Type:      violationType,
+		Direction: direction,
+		SpecLine:  line,
+		SpecCol:   col,
+	}
+}
+
 // newUndeclaredParam creates an UndeclaredValue for an undeclared parameter (query/header/cookie).
 // note: parameters don't have SpecLine/SpecCol because they're defined in OpenAPI parameter objects,
 // not schema objects. the parameter itself is the issue, not a schema definition.