feat: reject empty-string and boolean->float scalar coercions in the default mapper

Extend the default ObjectMapper's coercion lockdown to two cases the
initial rules left open:

- boolean -> floating-point is now rejected, matching the existing
  boolean<->integer rejections, so `true` cannot become `1.0`.
- an empty string into an integer/floating-point/boolean field is now
  rejected. Jackson otherwise coerces `""` to a null/zero scalar, which
  silently masks a malformed payload. An empty string into a textual
  field is still accepted — `""` is a legitimate string value.

Tests cover each new rejection plus the empty-string-binds-to-string case.

Author: OmarAlJarrah

sdk-serde-jackson/src/main/kotlin/org/dexpace/sdk/serde/jackson/JacksonObjectMappers.kt

@@ -96,13 +96,16 @@ public object JacksonObjectMappers {
      *
      *  - string → integer / floating-point / boolean (the headline `"5"` → numeric case),
      *  - floating-point → integer (the lossy `1.5` → `1` narrowing),
-     *  - boolean ↔ integer,
-     *  - integer / floating-point / boolean → string.
+     *  - boolean ↔ integer and boolean → floating-point,
+     *  - integer / floating-point / boolean → string,
+     *  - empty string → integer / floating-point / boolean (Jackson otherwise coerces `""` to a
+     *    null/zero scalar, masking a malformed payload).
      *
      * Untouched on purpose: numeric **widening** (an integer JSON value into a floating-point
      * field) stays legal because it is a representation-preserving conversion, not a shape mismatch;
      * and genuinely typed values bind exactly as before. The inverse — a floating-point JSON value
-     * into an integer field — is rejected because it silently truncates (`1.5` → `1`).
+     * into an integer field — is rejected because it silently truncates (`1.5` → `1`). An empty
+     * string into a textual field is left alone: `""` is a legitimate string value.
      */
     private fun applyStrictScalarCoercion(builder: JsonMapper.Builder) {
         fun JsonMapper.Builder.failOn(
@@ -114,17 +117,30 @@ public object JacksonObjectMappers {
             }
 
         builder
-            // string "5"/"1.5"/"true" must not flow into numeric or boolean fields, and a
-            // floating-point value must not be lossily narrowed into an integer field (1.5 -> 1).
+            // string "5"/"1.5"/"true" (and an empty string) must not flow into numeric or boolean
+            // fields, and a floating-point value must not be lossily narrowed into an integer field
+            // (1.5 -> 1).
             .failOn(
                 LogicalType.Integer,
                 CoercionInputShape.String,
+                CoercionInputShape.EmptyString,
                 CoercionInputShape.Boolean,
                 CoercionInputShape.Float,
             )
-            .failOn(LogicalType.Float, CoercionInputShape.String)
-            .failOn(LogicalType.Boolean, CoercionInputShape.String, CoercionInputShape.Integer)
-            // a non-string scalar must not be stringified into a textual field.
+            .failOn(
+                LogicalType.Float,
+                CoercionInputShape.String,
+                CoercionInputShape.EmptyString,
+                CoercionInputShape.Boolean,
+            )
+            .failOn(
+                LogicalType.Boolean,
+                CoercionInputShape.String,
+                CoercionInputShape.EmptyString,
+                CoercionInputShape.Integer,
+            )
+            // a non-string scalar must not be stringified into a textual field. An empty string is a
+            // valid string, so EmptyString is intentionally absent here.
             .failOn(
                 LogicalType.Textual,
                 CoercionInputShape.Integer,

sdk-serde-jackson/src/test/kotlin/org/dexpace/sdk/serde/jackson/JacksonObjectMappersTest.kt

@@ -125,4 +125,45 @@ class JacksonObjectMappersTest {
             mapper.readValue<Numbers>("""{"count":1.5,"ratio":2.0}""")
         }
     }
+
+    @Test
+    fun `boolean for a floating-point field is rejected, not coerced`() {
+        val mapper = JacksonObjectMappers.defaultObjectMapper()
+        // Symmetric with the boolean<->integer rejections: true must not become 1.0.
+        assertFailsWith<MismatchedInputException> {
+            mapper.readValue<Numbers>("""{"count":1,"ratio":true}""")
+        }
+    }
+
+    @Test
+    fun `empty string for an integer field is rejected, not coerced to null or zero`() {
+        val mapper = JacksonObjectMappers.defaultObjectMapper()
+        // Jackson otherwise turns "" into a null/zero scalar, masking a malformed payload.
+        assertFailsWith<MismatchedInputException> {
+            mapper.readValue<Numbers>("""{"count":"","ratio":1.5}""")
+        }
+    }
+
+    @Test
+    fun `empty string for a floating-point field is rejected, not coerced to null or zero`() {
+        val mapper = JacksonObjectMappers.defaultObjectMapper()
+        assertFailsWith<MismatchedInputException> {
+            mapper.readValue<Numbers>("""{"count":5,"ratio":""}""")
+        }
+    }
+
+    @Test
+    fun `empty string for a boolean field is rejected, not coerced to null`() {
+        val mapper = JacksonObjectMappers.defaultObjectMapper()
+        assertFailsWith<MismatchedInputException> {
+            mapper.readValue<Flag>("""{"enabled":""}""")
+        }
+    }
+
+    @Test
+    fun `empty string still binds to a string field`() {
+        val mapper = JacksonObjectMappers.defaultObjectMapper()
+        // "" is a legitimate string value: the lockdown must not reject it for a textual target.
+        assertEquals(Label(""), mapper.readValue<Label>("""{"text":""}"""))
+    }
 }