
Tests: JSON-RPC correctness, limit & security coverage, and OpenRPC schema compliance #682

@vfusco

Context / Problem

The JSON-RPC server is Rollups-Node’s public contract.
There is no automated test suite that

  1. Verifies functional correctness for every method under normal, edge-case, and error conditions.
  2. Exercises boundary & security behaviour (oversize inputs, malformed JSON, injection vectors, race conditions).
  3. Confirms responses match the shapes defined in internal/jsonrpc/jsonrpc-discover.json.

Lacking this coverage, regressions can ship unnoticed, breaking clients or exposing vulnerabilities.


Suggested Solution

  1. Spec-driven inventory

    • Parse the OpenRPC document at test start to obtain the full list of declared methods.
    • A “contract-guard” test fails if any listed method lacks a dedicated test file, ensuring future coverage.
  2. Execution harness

    • Integration layer – spawn the standalone executable ./cartesi-rollups-jsonrpc-api as a subprocess on a random local port for end-to-end tests.
    • Unit layer – import the internal handler package and use httptest.NewServer for fast, handler-level tests that don’t require the full binary.
    • Both layers point to a developer-supplied Postgres DSN (e.g., PG_DSN_FOR_TESTS) and load SQL fixtures that create:
      • Minimal happy-path data
      • Edge-case rows (max uint256, empty epochs, huge payloads)
  3. Table-driven cases per method

    | Bucket | Coverage goals |
    | --- | --- |
    | Happy | Valid inputs → deterministic, domain-correct result |
    | Boundary | Max/min values, pagination edges, numeric overflows |
    | Invalid | Missing params, wrong types, unknown IDs |
    | Security | Injection strings, extremely large payloads, replay |
    | Concurrency | 50–100 goroutines issuing mixed requests (go test -race) |

    • Each response is first validated against its JSON Schema (shape).
    • Additional assertions check content correctness (values, ordering, counts, error codes/messages).
  4. CI integration

    • GitHub Actions spins up a Postgres container, sets PG_DSN_FOR_TESTS, then runs go test ./internal/jsonrpc/... -race.
    • Failures on schema drift or behavioural mismatch block the merge.

Deliverables & File Layout

| File / Dir | Purpose |
| --- | --- |
| internal/jsonrpc/tests/contract_guard_test.go | Parses jsonrpc-discover.json; fails if any method lacks its own test cases. |
| internal/jsonrpc/tests/method_<name>_test.go | Table-driven cases for each RPC method, e.g. method_getEpochs_test.go. |
| internal/jsonrpc/tests/security_test.go | Cross-method security checks (injection, oversize payloads, DoS attempts). |
| internal/jsonrpc/tests/concurrency_test.go | High-RPS mixed-call stress under go test -race. |
| internal/jsonrpc/tests/testutil/ | Helpers: subprocess launcher for cartesi-rollups-jsonrpc-api, fixture loader, JSON-Schema validator. |

Acceptance Criteria

| # | Scenario | Expected outcome |
| --- | --- | --- |
| 1 | Run go test ./internal/jsonrpc/... -race with local Postgres | All tests pass; handler code coverage ≥ 80 % |
| 2 | Intentionally change an RPC handler to return an incorrect value | Corresponding method test fails with a clear assertion diff |
| 3 | Remove a field required by the OpenRPC spec | Shape validation test fails with descriptive error |
| 4 | Add a new method to the spec without adding tests | contract_guard_test.go fails, listing the missing method |
| 5 | Send payload "\\"' OR 1=1 --" | Service responds with a JSON-RPC error; no panic or leaked stack trace |
| 6 | Run concurrency test (100 parallel mixed calls) with go test -race | No data races; all responses pass schema and behavioural checks |

This suite will lock down the JSON-RPC API’s correctness, robustness, security, and contract compliance, catching regressions early while remaining runnable on any developer workstation.
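
A sketch of the "contract-guard" check from the spec-driven inventory step and acceptance scenario 4, added here as an example and not taken from the Rollups-Node code base. The function name `MissingTests`, the sample method names and the one-line spec are assumptions; a real test would read internal/jsonrpc/jsonrpc-discover.json and list the test directory instead of passing literals.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed OpenRPC fragment; method names are illustrative, not the project's real list.
const sampleSpec = `{"openrpc":"1.2.6","methods":[{"name":"getEpochs"},{"name":"getInput"},{"name":"getReports"}]}`

// openRPCDoc captures only the field the guard needs: methods[].name.
type openRPCDoc struct {
	Methods []struct {
		Name string `json:"name"`
	} `json:"methods"`
}

// MissingTests returns, sorted, every spec method with no method_<name>_test.go in testFiles.
// testFiles holds base file names (hypothetical input; e.g. collected with os.ReadDir).
func MissingTests(spec []byte, testFiles []string) ([]string, error) {
	var doc openRPCDoc
	if err := json.Unmarshal(spec, &doc); err != nil {
		return nil, fmt.Errorf("parse OpenRPC document: %w", err)
	}
	if len(doc.Methods) == 0 {
		// An empty inventory would let the guard pass vacuously, so treat it as a failure.
		return nil, fmt.Errorf("OpenRPC document declares no methods")
	}
	have := make(map[string]bool, len(testFiles))
	for _, f := range testFiles {
		have[f] = true
	}
	var missing []string
	for i, m := range doc.Methods {
		if m.Name == "" {
			return nil, fmt.Errorf("methods[%d] has no name", i)
		}
		if !have["method_"+m.Name+"_test.go"] {
			missing = append(missing, m.Name)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

func main() {
	missing, err := MissingTests([]byte(sampleSpec), []string{"method_getEpochs_test.go"})
	fmt.Println("methods without tests:", missing, "error:", err)
}
```

Inside contract_guard_test.go the returned slice would feed a single `t.Fatalf` so the failure lists every uncovered method at once.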

Status

Waiting review