fix: unify filter protocol - isFilterAST, naming, param safety, response fields

- Add isFilterAST() with structural validation to spec (replaces naive Array.isArray)
- Add VALID_AST_OPERATORS constant for AST operator validation
- Add HttpFindQueryParamsSchema standardizing HTTP query param names (canonical `filter` singular)
- Add select/expand fields to GetDataRequestSchema to prevent parameter pollution
- Fix handleApiEndpoint response field mismatch (result.records/total instead of result.data/count)
- Fix GET by ID parameter whitelisting (only select/expand allowed)
- Update client SDK to use spec isFilterAST and canonical `filter` param name
- Update protocol.ts to normalize filters→filter and use isFilterAST
- Add 17 new tests covering isFilterAST, VALID_AST_OPERATORS, GetData select/expand, HttpFindQueryParams

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

packages/client/src/index.ts

@@ -1,6 +1,6 @@
 // Copyright (c) 2025 ObjectStack. Licensed under the Apache-2.0 license.
 
-import { QueryAST, SortNode, AggregationNode } from '@objectstack/spec/data';
+import { QueryAST, SortNode, AggregationNode, isFilterAST } from '@objectstack/spec/data';
 import { 
   BatchUpdateRequest, 
   BatchUpdateResponse, 
@@ -115,7 +115,10 @@ export type DiscoveryResult = GetDiscoveryResponse;
 
 export interface QueryOptions {
   select?: string[]; // Simplified Selection
-  filters?: Record<string, any>; // Map or AST
+  /** @canonical Preferred filter parameter (singular). */
+  filter?: Record<string, any> | unknown[]; // Map or AST
+  /** @deprecated Use `filter` (singular). Kept for backward compatibility. */
+  filters?: Record<string, any> | unknown[]; // Map or AST
   sort?: string | string[] | SortNode[]; // 'name' or ['-created_at'] or AST
   top?: number;
   skip?: number;
@@ -1445,14 +1448,17 @@ export class ObjectStackClient {
         }
 
         // 4. Handle Filters (Simple vs AST)
-        if (options.filters) {
+        // Canonical HTTP param name: `filter` (singular). `filters` (plural) is accepted
+        // for backward compatibility but `filter` is the standard going forward.
+        const filterValue = options.filter ?? options.filters;
+        if (filterValue) {
              // Detect AST filter format vs simple key-value map. AST filters use an array structure
-             // with [field, operator, value] or [logicOp, ...nodes] shape (see isFilterAST).
+             // with [field, operator, value] or [logicOp, ...nodes] shape (see isFilterAST from spec).
              // For complex filter expressions, use .query() which builds a proper QueryAST.
-             if (this.isFilterAST(options.filters)) {
-                 queryParams.set('filters', JSON.stringify(options.filters));
+             if (this.isFilterAST(filterValue)) {
+                 queryParams.set('filter', JSON.stringify(filterValue));
              } else {
-                 Object.entries(options.filters).forEach(([k, v]) => {
+                 Object.entries(filterValue).forEach(([k, v]) => {
                      if (v !== undefined && v !== null) {
                         queryParams.append(k, String(v));
                      }
@@ -1571,10 +1577,9 @@ export class ObjectStackClient {
    */
 
   private isFilterAST(filter: any): boolean {
-    // Basic check: if array, it's [field, op, val] or [logic, node, node]
-    // If object but not basic KV map... harder to tell without schema
-    // For now, assume if it passes Array.isArray it's an AST root
-    return Array.isArray(filter);
+    // Delegate to the spec-exported structural validator instead of naive Array.isArray.
+    // This checks for valid AST shapes: [field, op, val], [logic, ...nodes], or [[cond], ...].
+    return isFilterAST(filter);
   }
 
   /**

packages/objectql/src/protocol.ts

@@ -10,7 +10,7 @@ import type {
 } from '@objectstack/spec/api';
 import type { MetadataCacheRequest, MetadataCacheResponse, ServiceInfo, ApiRoutes, WellKnownCapabilities } from '@objectstack/spec/api';
 import type { IFeedService } from '@objectstack/spec/contracts';
-import { parseFilterAST } from '@objectstack/spec/data';
+import { parseFilterAST, isFilterAST } from '@objectstack/spec/data';
 
 // We import SchemaRegistry directly since this class lives in the same package
 import { SchemaRegistry } from './registry.js';
@@ -304,17 +304,21 @@ export class ObjectStackProtocolImplementation implements ObjectStackProtocol {
             delete options.orderBy;
         }
 
+        // Filter: normalize `filter`/`filters` (plural) → `filter` (singular, canonical)
+        // Accept both `filter` and `filters` for backward compatibility.
+        if (options.filters !== undefined && options.filter === undefined) {
+            options.filter = options.filters;
+        }
+        delete options.filters;
+
         // Filter: JSON string → object
         if (typeof options.filter === 'string') {
             try { options.filter = JSON.parse(options.filter); } catch { /* keep as-is */ }
         }
-        if (typeof options.filters === 'string') {
-            try { options.filter = JSON.parse(options.filters); delete options.filters; } catch { /* keep as-is */ }
-        }
 
         // Filter AST array → FilterCondition object
         // Converts ["and", ["field", "=", "val"], ...] to { $and: [{ field: "val" }, ...] }
-        if (Array.isArray(options.filter)) {
+        if (isFilterAST(options.filter)) {
             options.filter = parseFilterAST(options.filter);
         }
 

packages/runtime/src/http-dispatcher.ts

@@ -377,8 +377,14 @@ export class HttpDispatcher {
             // GET /data/:object/:id
             if (parts.length === 2 && m === 'GET') {
                 const id = parts[1];
+                // Spec: Only select/expand are allowlisted query params for GET by ID.
+                // All other query parameters are discarded to prevent parameter pollution.
+                const { select, expand } = query || {};
+                const allowedParams: Record<string, any> = {};
+                if (select != null) allowedParams.select = select;
+                if (expand != null) allowedParams.expand = expand;
                 // Spec: broker returns GetDataResponse = { object, id, record }
-                const result = await broker.call('data.get', { object: objectName, id, ...query }, { request: context.request });
+                const result = await broker.call('data.get', { object: objectName, id, ...allowedParams }, { request: context.request });
                 return { handled: true, response: this.success(result) };
             }
 
@@ -942,7 +948,8 @@ export class HttpDispatcher {
                         // Map standard CRUD operations
                         if (operation === 'find') {
                              const result = await broker.call('data.query', { object, query }, { request: context.request });
-                             return { handled: true, response: this.success(result.data, { count: result.count }) };
+                             // Spec: FindDataResponse = { object, records, total?, hasMore? }
+                             return { handled: true, response: this.success(result.records, { total: result.total }) };
                         }
                         if (operation === 'get' && query.id) {
                              const result = await broker.call('data.get', { object, id: query.id }, { request: context.request });

packages/spec/src/api/protocol.test.ts

@@ -5,6 +5,7 @@ import {
   GetDataResponseSchema,
   FindDataRequestSchema,
   FindDataResponseSchema,
+  HttpFindQueryParamsSchema,
   CreateDataRequestSchema,
   CreateDataResponseSchema,
   UpdateDataRequestSchema,
@@ -367,3 +368,102 @@ describe('GetDiscoveryResponseSchema (capabilities)', () => {
     expect(result.success).toBe(false);
   });
 });
+
+// ==========================================
+// GetDataRequestSchema — select/expand params
+// ==========================================
+
+describe('GetDataRequestSchema (select/expand)', () => {
+  it('should accept request with select and expand', () => {
+    const result = GetDataRequestSchema.safeParse({
+      object: 'contact',
+      id: 'c1',
+      select: ['name', 'email'],
+      expand: ['account', 'owner'],
+    });
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.select).toEqual(['name', 'email']);
+      expect(result.data.expand).toEqual(['account', 'owner']);
+    }
+  });
+
+  it('should accept request without select/expand (optional)', () => {
+    const result = GetDataRequestSchema.safeParse({
+      object: 'contact',
+      id: 'c1',
+    });
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.select).toBeUndefined();
+      expect(result.data.expand).toBeUndefined();
+    }
+  });
+
+  it('should strip unknown query parameters via strict parsing', () => {
+    const result = GetDataRequestSchema.strict().safeParse({
+      object: 'contact',
+      id: 'c1',
+      select: ['name'],
+      // Unknown params that should be rejected by strict mode
+      unknownParam: 'should-be-stripped',
+    });
+    expect(result.success).toBe(false);
+  });
+});
+
+// ==========================================
+// HttpFindQueryParamsSchema — HTTP parameter naming
+// ==========================================
+
+describe('HttpFindQueryParamsSchema', () => {
+  it('should accept canonical filter (singular) parameter', () => {
+    const result = HttpFindQueryParamsSchema.safeParse({
+      filter: '{"status":"active"}',
+      select: 'name,email',
+      top: 10,
+    });
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.filter).toBe('{"status":"active"}');
+      expect(result.data.top).toBe(10);
+    }
+  });
+
+  it('should accept deprecated filters (plural) parameter for backward compat', () => {
+    const result = HttpFindQueryParamsSchema.safeParse({
+      filters: '{"status":"active"}',
+    });
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.filters).toBe('{"status":"active"}');
+    }
+  });
+
+  it('should coerce string numbers for top/skip', () => {
+    const result = HttpFindQueryParamsSchema.safeParse({
+      top: '25',
+      skip: '50',
+    });
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.top).toBe(25);
+      expect(result.data.skip).toBe(50);
+    }
+  });
+
+  it('should accept sort, orderBy, expand, search, distinct, count', () => {
+    const result = HttpFindQueryParamsSchema.safeParse({
+      sort: 'name asc,created_at desc',
+      expand: 'owner,account',
+      search: 'John',
+      distinct: true,
+      count: true,
+    });
+    expect(result.success).toBe(true);
+  });
+
+  it('should accept empty object (all params optional)', () => {
+    expect(HttpFindQueryParamsSchema.safeParse({}).success).toBe(true);
+  });
+});

packages/spec/src/api/protocol.zod.ts

@@ -240,9 +240,9 @@ export const GetUiViewResponseSchema = ViewSchema;
  * {
  *   "object": "customers",
  *   "query": {
- *     "filters": [["status", "=", "active"], ["revenue", ">", 10000]],
- *     "sort": "name desc",
- *     "top": 10
+ *     "where": { "status": "active", "revenue": { "$gt": 10000 } },
+ *     "orderBy": [{ "field": "name", "order": "desc" }],
+ *     "limit": 10
  *   }
  * }
  */
@@ -263,19 +263,55 @@ export const FindDataResponseSchema = z.object({
   hasMore: z.boolean().optional().describe('True if there are more records available (pagination).'),
 });
 
+/**
+ * HTTP Find Query Parameters
+ * 
+ * Canonical HTTP query parameter names for GET /data/:object list endpoints.
+ * The canonical filter parameter is `filter` (singular). The plural `filters` is
+ * accepted for backward compatibility but `filter` is the standard going forward.
+ * 
+ * This schema defines the allowlisted query parameters for HTTP GET list requests.
+ * Server-side parsers (protocol.ts) should accept both `filter` and `filters` and
+ * normalize to `filter` (singular) internally.
+ * 
+ * @example
+ * GET /api/v1/data/contacts?filter={"status":"active"}&select=name,email&top=10&sort=name
+ */
+export const HttpFindQueryParamsSchema = z.object({
+  /** @canonical Singular form — the standard going forward. JSON string of filter expression or AST. */
+  filter: z.string().optional().describe('JSON-encoded filter expression (canonical, singular).'),
+  /** @deprecated Use `filter` (singular). Accepted for backward compatibility. */
+  filters: z.string().optional().describe('JSON-encoded filter expression (deprecated plural alias).'),
+  select: z.string().optional().describe('Comma-separated list of fields to retrieve.'),
+  sort: z.string().optional().describe('Sort expression (e.g. "name asc,created_at desc" or "-created_at").'),
+  orderBy: z.string().optional().describe('Alias for sort (OData compatibility).'),
+  top: z.coerce.number().optional().describe('Max records to return (limit).'),
+  skip: z.coerce.number().optional().describe('Records to skip (offset).'),
+  expand: z.string().optional().describe('Comma-separated list of relations to eager-load.'),
+  search: z.string().optional().describe('Full-text search query.'),
+  distinct: z.coerce.boolean().optional().describe('SELECT DISTINCT flag.'),
+  count: z.coerce.boolean().optional().describe('Include total count in response.'),
+});
+
 /**
  * Get Data Request
  * Retrieval of a single record by its unique identifier.
+ * Only `select` and `expand` are permitted as additional query parameters.
+ * All other query parameters should be discarded to prevent parameter pollution.
  * 
  * @example
  * {
  *   "object": "contracts",
- *   "id": "cnt_123456"
+ *   "id": "cnt_123456",
+ *   "select": ["name", "status", "amount"],
+ *   "expand": ["owner", "account"]
  * }
  */
 export const GetDataRequestSchema = z.object({
   object: z.string().describe('The object name.'),
   id: z.string().describe('The unique record identifier (primary key).'),
+  select: z.array(z.string()).optional().describe('Fields to include in the response (allowlisted query param).'),
+  expand: z.array(z.string()).optional().describe('Relations to eager-load (allowlisted query param).'),
 });
 
 /**

packages/spec/src/data/filter.test.ts

@@ -14,6 +14,8 @@ import {
   LOGICAL_OPERATORS,
   ALL_OPERATORS,
   parseFilterAST,
+  isFilterAST,
+  VALID_AST_OPERATORS,
   type Filter,
   type QueryFilter,
   type FieldOperators,
@@ -921,3 +923,80 @@ describe('parseFilterAST', () => {
     expect(() => FilterConditionSchema.parse(result)).not.toThrow();
   });
 });
+
+// ============================================================================
+// isFilterAST — structural validation
+// ============================================================================
+
+describe('isFilterAST', () => {
+  it('should return false for null/undefined/empty', () => {
+    expect(isFilterAST(null)).toBe(false);
+    expect(isFilterAST(undefined)).toBe(false);
+    expect(isFilterAST([])).toBe(false);
+  });
+
+  it('should return false for non-array types', () => {
+    expect(isFilterAST('not an array')).toBe(false);
+    expect(isFilterAST(42)).toBe(false);
+    expect(isFilterAST(true)).toBe(false);
+    expect(isFilterAST({ status: 'active' })).toBe(false);
+  });
+
+  it('should detect valid comparison node', () => {
+    expect(isFilterAST(['status', '=', 'active'])).toBe(true);
+    expect(isFilterAST(['age', '>', 18])).toBe(true);
+    expect(isFilterAST(['age', '>=', 18])).toBe(true);
+    expect(isFilterAST(['role', 'in', ['admin', 'editor']])).toBe(true);
+    expect(isFilterAST(['name', 'contains', 'John'])).toBe(true);
+    expect(isFilterAST(['name', 'like', 'John'])).toBe(true);
+    expect(isFilterAST(['created_at', 'between', ['2024-01-01', '2024-12-31']])).toBe(true);
+    expect(isFilterAST(['deleted_at', 'is_null', null])).toBe(true);
+  });
+
+  it('should detect valid logical nodes', () => {
+    expect(isFilterAST(['and', ['status', '=', 'active'], ['priority', '=', 'high']])).toBe(true);
+    expect(isFilterAST(['or', ['role', '=', 'admin'], ['role', '=', 'editor']])).toBe(true);
+    expect(isFilterAST(['AND', ['status', '=', 'active']])).toBe(true);
+    expect(isFilterAST(['OR', ['a', '=', 1], ['b', '=', 2]])).toBe(true);
+  });
+
+  it('should detect legacy flat array format', () => {
+    expect(isFilterAST([['status', '=', 'active'], ['priority', '=', 'high']])).toBe(true);
+  });
+
+  it('should reject invalid arrays that are not filter ASTs', () => {
+    // Arbitrary number arrays
+    expect(isFilterAST([1, 2, 3])).toBe(false);
+    // Array of strings that aren't a valid comparison
+    expect(isFilterAST(['hello', 'world'])).toBe(false);
+    // Array where second element is not a known operator
+    expect(isFilterAST(['field', 'UNKNOWN_OP', 'value'])).toBe(false);
+    // Mixed array types
+    expect(isFilterAST([true, false, null])).toBe(false);
+  });
+
+  it('should reject "and"/"or" with no children', () => {
+    expect(isFilterAST(['and'])).toBe(false);
+    expect(isFilterAST(['or'])).toBe(false);
+  });
+
+  it('should reject "and"/"or" with non-array children', () => {
+    expect(isFilterAST(['and', 'not-an-array'])).toBe(false);
+    expect(isFilterAST(['or', 123])).toBe(false);
+  });
+});
+
+// ============================================================================
+// VALID_AST_OPERATORS constant
+// ============================================================================
+
+describe('VALID_AST_OPERATORS', () => {
+  it('should contain all standard comparison operators', () => {
+    const expected = ['=', '==', '!=', '<>', '>', '>=', '<', '<=', 'in', 'nin', 'not_in',
+      'contains', 'like', 'startswith', 'starts_with', 'endswith', 'ends_with',
+      'between', 'is_null', 'is_not_null'];
+    for (const op of expected) {
+      expect(VALID_AST_OPERATORS.has(op)).toBe(true);
+    }
+  });
+});