Feature/report additional fields (#140)

* Staging (#118)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* Staging (#125)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* Sanitize URLs in logging for schema loading and error handling (#124)

* Update staging-to-main workflow to allow dependabot merges and modify .gitignore to include log files (#132)

* Update .gitignore to ignore all log files in the logs directory (#134)

* ci: bump the github-actions-updates group with 2 updates (#126)

Bumps the github-actions-updates group with 2 updates: [github/codeql-action](https://github.com/github/codeql-action) and [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action).


Updates `github/codeql-action` from 4.32.2 to 4.32.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4.32.2...v4.32.3)

Updates `aquasecurity/trivy-action` from 0.33.1 to 0.34.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@0.33.1...0.34.0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-updates
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Staging (#137)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* Sanitize URLs in logging for schema loading and error handling (#124)

* Update staging-to-main workflow to allow dependabot merges and modify .gitignore to include log files (#132)

* Update .gitignore to ignore all log files in the logs directory (#134)

* Jeffcumpsty tpx patch 1 (#135)

* Staging (#118)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* Staging (#125)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* Sanitize URLs in logging for schema loading and error handling (#124)

* Update staging-to-main workflow to allow dependabot merges and modify .gitignore to include log files (#132)

* Update .gitignore to ignore all log files in the logs directory (#134)

* Enhance error message for non-staging merges

Added echo statement to display current actor during merge error.

* chore: Bump Swashbuckle.AspNetCore from 10.1.2 to 10.1.3 (#131)

* Staging (#118)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* chore: Bump Swashbuckle.AspNetCore from 10.1.2 to 10.1.3

---
updated-dependencies:
- dependency-name: Swashbuckle.AspNetCore
  dependency-version: 10.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Staging (#125)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* Sanitize URLs in logging for schema loading and error handling (#124)

* Update staging-to-main workflow to allow dependabot merges and modify .gitignore to include log files (#132)

* Update .gitignore to ignore all log files in the logs directory (#134)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Jeff Cumpsty <jeff.cumpsty@tpximpact.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump Serilog.Sinks.File from 6.0.0 to 7.0.0 (#130)

* Staging (#118)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* chore: Bump Serilog.Sinks.File from 6.0.0 to 7.0.0

---
updated-dependencies:
- dependency-name: Serilog.Sinks.File
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Jeff Cumpsty <jeff.cumpsty@tpximpact.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump Serilog.AspNetCore and Serilog.Sinks.File (#129)

* Staging (#118)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* chore: Bump Serilog.AspNetCore and Serilog.Sinks.File

Bumps Serilog.AspNetCore from 8.0.3 to 10.0.0
Bumps Serilog.Sinks.File from 6.0.0 to 7.0.0

---
updated-dependencies:
- dependency-name: Serilog.AspNetCore
  dependency-version: 10.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
- dependency-name: Serilog.Sinks.File
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Jeff Cumpsty <jeff.cumpsty@tpximpact.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Bump the testing-packages group with 1 update (#128)

* Staging (#118)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* chore: Bump the testing-packages group with 1 update

Bumps coverlet.collector from 6.0.4 to 8.0.0

---
updated-dependencies:
- dependency-name: coverlet.collector
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: testing-packages
...

Signed-off-by: dependabot[bot] <support@github.com>

* Staging (#125)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* Sanitize URLs in logging for schema loading and error handling (#124)

* Update staging-to-main workflow to allow dependabot merges and modify .gitignore to include log files (#132)

* Update .gitignore to ignore all log files in the logs directory (#134)

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Jeff Cumpsty <jeff.cumpsty@tpximpact.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update .gitignore to ignore all log files in the logs directory (#136)

* chore: Bump the microsoft-packages group with 1 update (#127)

* Staging (#118)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* chore: Bump the microsoft-packages group with 1 update

Bumps System.IdentityModel.Tokens.Jwt from 8.15.0 to 8.16.0

---
updated-dependencies:
- dependency-name: System.IdentityModel.Tokens.Jwt
  dependency-version: 8.16.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: microsoft-packages
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Jeff Cumpsty <jeff.cumpsty@tpximpact.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Merge maion to staging (#139)

* Staging (#118)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* Staging (#125)

* Update permissions in deploy.yml to allow writing for GitHub releases

* Add job name to staging-to-main workflow for clarity

* Sanitize URLs in logging for schema loading and error handling (#124)

* Update staging-to-main workflow to allow dependabot merges and modify .gitignore to include log files (#132)

* Update .gitignore to ignore all log files in the logs directory (#134)

* ci: bump the github-actions-updates group with 2 updates (#126)

Bumps the github-actions-updates group with 2 updates: [github/codeql-action](https://github.com/github/codeql-action) and [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action).


Updates `github/codeql-action` from 4.32.2 to 4.32.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4.32.2...v4.32.3)

Updates `aquasecurity/trivy-action` from 0.33.1 to 0.34.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@0.33.1...0.34.0)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-updates
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat: add support for reporting additional fields in JSON validation

* feat: add option to report additional fields in OpenAPI validation

* feat: flatten resolved allOf properties to enhance composite field discovery

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: jeffcumpsty-tpx

OpenReferralApi.Core/Models/OpenApiModels.cs

@@ -207,6 +207,16 @@ public class OpenApiValidationOptions
     /// </summary>
     [JsonProperty("returnRawResult")]
     public bool ReturnRawResult { get; set; } = false;
+
+    /// <summary>
+    /// Whether to report fields in endpoint responses that are not defined in the schema.
+    /// When true, validates response data against the schema and reports any fields that exist in the response
+    /// but are not defined in the schema as informational messages.
+    /// When false (default), only standard schema validation is performed.
+    /// Useful for identifying undocumented fields, schema drift, or incomplete specifications.
+    /// </summary>
+    [JsonProperty("reportAdditionalFields")]
+    public bool ReportAdditionalFields { get; set; } = false;
 }
 
 /// <summary>

OpenReferralApi.Core/Models/ValidationRequest.cs

@@ -67,5 +67,8 @@ public class ValidationOptions
 
     [JsonProperty("validateSslCertificate")]
     public bool ValidateSslCertificate { get; set; } = true;
+    [JsonProperty("reportAdditionalFields")]
+    public bool ReportAdditionalFields { get; set; } = false;
+
 }
 

OpenReferralApi.Core/Services/JsonValidatorService.cs

@@ -95,8 +95,15 @@ private async Task<ValidationResult> ValidateCoreAsync(ValidationRequest request
             var jsonDataString = JsonConvert.SerializeObject(jsonData, Formatting.Indented);
             var validationErrors = await ValidateJsonAgainstSchemaAsync(jsonDataString, schema, request.Options);
 
-            // Build result
-            result.IsValid = !validationErrors.Any();
+            // Report additional fields if requested
+            if (request.Options?.ReportAdditionalFields == true)
+            {
+                var additionalFieldWarnings = DetectAdditionalFields(jsonDataString, schema);
+                validationErrors.AddRange(additionalFieldWarnings);
+            }
+
+            // Build result - only count Error severity as validation failures
+            result.IsValid = !validationErrors.Any(e => e.Severity == "Error");
             result.Errors = validationErrors;
             result.SchemaVersion = "2020-12";
             result.Metadata = new ValidationMetadata
@@ -433,5 +440,83 @@ private async Task<object> FetchJsonDataFromUrlAsync(string dataUrl, ValidationO
         }
     }
 
+    /// <summary>
+    /// Detects fields in the JSON data that are not defined in the schema.
+    /// Returns a list of validation warnings for each additional field found.
+    /// </summary>
+    private List<ValidationError> DetectAdditionalFields(string jsonData, JSchema schema)
+    {
+        var warnings = new List<ValidationError>();
+
+        try
+        {
+            var jsonToken = JToken.Parse(jsonData);
+            DetectAdditionalFieldsRecursive(jsonToken, schema, "", warnings);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Error detecting additional fields");
+        }
+
+        return warnings;
+    }
+
+    /// <summary>
+    /// Recursively traverses the JSON data and schema to detect fields not defined in the schema.
+    /// </summary>
+    private void DetectAdditionalFieldsRecursive(JToken jsonToken, JSchema schema, string currentPath, List<ValidationError> warnings)
+    {
+        // Handle objects
+        if (jsonToken.Type == JTokenType.Object && jsonToken is JObject jObject)
+        {
+            // Get the properties defined in the schema
+            var schemaProperties = schema.Properties ?? new Dictionary<string, JSchema>();
+            var additionalPropertiesAllowed = schema.AllowAdditionalProperties;
+            var additionalPropertiesSchema = schema.AdditionalProperties;
+
+            foreach (var property in jObject.Properties())
+            {
+                var propertyPath = string.IsNullOrEmpty(currentPath) ? property.Name : $"{currentPath}.{property.Name}";
+
+                // Check if this property is defined in the schema
+                if (!schemaProperties.ContainsKey(property.Name))
+                {
+                    // Property not defined in schema - report it
+                    warnings.Add(new ValidationError
+                    {
+                        Path = propertyPath,
+                        Message = $"Field '{property.Name}' is not defined in the schema",
+                        ErrorCode = "ADDITIONAL_FIELD",
+                        Severity = "Info"
+                    });
+                }
+
+                // Recursively check nested properties if there's a schema definition
+                if (schemaProperties.TryGetValue(property.Name, out var propertySchema))
+                {
+                    DetectAdditionalFieldsRecursive(property.Value, propertySchema, propertyPath, warnings);
+                }
+                else if (additionalPropertiesSchema != null)
+                {
+                    // If there's an additionalProperties schema, use it for validation
+                    DetectAdditionalFieldsRecursive(property.Value, additionalPropertiesSchema, propertyPath, warnings);
+                }
+            }
+        }
+        // Handle arrays
+        else if (jsonToken.Type == JTokenType.Array && jsonToken is JArray jArray)
+        {
+            var itemsSchema = schema.Items?.FirstOrDefault();
+            if (itemsSchema != null)
+            {
+                for (int i = 0; i < jArray.Count; i++)
+                {
+                    var itemPath = $"{currentPath}[{i}]";
+                    DetectAdditionalFieldsRecursive(jArray[i], itemsSchema, itemPath, warnings);
+                }
+            }
+        }
+    }
+
 }
 

OpenReferralApi.Core/Services/OpenApiValidationService.cs

@@ -576,7 +576,7 @@ private async Task<EndpointTestResult> TestSingleEndpointAsync(string path, stri
                 // Validate response if schema is defined
                 if (testResult.IsSuccess && testResult.ResponseBody != null)
                 {
-                    await ValidateResponseAsync(testResult, operation, openApiDocument, documentUri, cancellationToken);
+                    await ValidateResponseAsync(testResult, operation, openApiDocument, documentUri, options, cancellationToken);
                     result.Status = testResult.ValidationResult != null && testResult.ValidationResult.IsValid ? "Success" : "Failed";
                 }
 
@@ -685,7 +685,7 @@ private async Task TestPaginatedEndpointAsync(
         // Validate first page response schema
         if (firstPageResult.ResponseBody != null)
         {
-            await ValidateResponseAsync(firstPageResult, operation, openApiDocument, documentUri, cancellationToken);
+            await ValidateResponseAsync(firstPageResult, operation, openApiDocument, documentUri, options, cancellationToken);
         }
 
         // Try to determine total pages and check for empty feed
@@ -722,7 +722,7 @@ private async Task TestPaginatedEndpointAsync(
 
                 if (middlePageResult.IsSuccess && middlePageResult.ResponseBody != null)
                 {
-                    await ValidateResponseAsync(middlePageResult, operation, openApiDocument, documentUri, cancellationToken);
+                    await ValidateResponseAsync(middlePageResult, operation, openApiDocument, documentUri, options, cancellationToken);
                 }
             }
 
@@ -734,7 +734,7 @@ private async Task TestPaginatedEndpointAsync(
 
             if (lastPageResult.IsSuccess && lastPageResult.ResponseBody != null)
             {
-                await ValidateResponseAsync(lastPageResult, operation, openApiDocument, documentUri, cancellationToken);
+                await ValidateResponseAsync(lastPageResult, operation, openApiDocument, documentUri, options, cancellationToken);
             }
         }
         else
@@ -964,7 +964,7 @@ private async Task<HttpTestResult> ExecuteHttpRequestAsync(string url, string me
         return testResult;
     }
 
-    private async Task ValidateResponseAsync(HttpTestResult testResult, JObject operation, JObject openApiDocument, string? documentUri, CancellationToken cancellationToken)
+    private async Task ValidateResponseAsync(HttpTestResult testResult, JObject operation, JObject openApiDocument, string? documentUri, OpenApiValidationOptions options, CancellationToken cancellationToken)
     {
         try
         {
@@ -996,7 +996,11 @@ private async Task ValidateResponseAsync(HttpTestResult testResult, JObject oper
                                     var validationRequest = new ValidationRequest
                                     {
                                         JsonData = JsonConvert.DeserializeObject(testResult.ResponseBody ?? "{}"),
-                                        Schema = schema
+                                        Schema = schema,
+                                        Options = new ValidationOptions
+                                        {
+                                            ReportAdditionalFields = options?.ReportAdditionalFields ?? false
+                                        }
                                     };
                                     var validationResult = await _jsonValidatorService.ValidateAsync(validationRequest, cancellationToken);
                                     testResult.ValidationResult = validationResult;

OpenReferralApi.Core/Services/SchemaResolverService.cs

@@ -608,12 +608,92 @@ private bool HasSelfReference(JsonNode? schema, string refPointer)
       {
         result[kvp.Key] = await ResolveAllRefsAsync(kvp.Value, visitedRefs);
       }
+
+      // Flatten resolved allOf properties to make composite fields discoverable.
+      MergeAllOfIntoObject(result);
+
       return result;
     }
 
     return obj;
   }
 
+  private static void MergeAllOfIntoObject(JsonObject target)
+  {
+    if (!target.TryGetPropertyValue("allOf", out var allOfNode) || allOfNode is not JsonArray allOfArray)
+    {
+      return;
+    }
+
+    JsonObject? targetProperties = null;
+    if (target.TryGetPropertyValue("properties", out var propsNode) && propsNode is JsonObject propsObject)
+    {
+      targetProperties = propsObject;
+    }
+
+    JsonArray? targetRequired = null;
+    if (target.TryGetPropertyValue("required", out var requiredNode) && requiredNode is JsonArray requiredArray)
+    {
+      targetRequired = requiredArray;
+    }
+
+    foreach (var item in allOfArray)
+    {
+      if (item is not JsonObject itemObject)
+      {
+        continue;
+      }
+
+      if (itemObject.TryGetPropertyValue("properties", out var itemPropsNode) && itemPropsNode is JsonObject itemProps)
+      {
+        targetProperties ??= new JsonObject();
+
+        foreach (var kvp in itemProps)
+        {
+          if (!targetProperties.ContainsKey(kvp.Key))
+          {
+            targetProperties[kvp.Key] = kvp.Value?.DeepClone();
+          }
+        }
+      }
+
+      if (itemObject.TryGetPropertyValue("required", out var itemRequiredNode) && itemRequiredNode is JsonArray itemRequired)
+      {
+        targetRequired ??= new JsonArray();
+
+        foreach (var requiredItem in itemRequired)
+        {
+          if (requiredItem is not JsonValue requiredValue)
+          {
+            continue;
+          }
+
+          var requiredName = requiredValue.GetValue<string>();
+          if (!targetRequired.Any(existing => existing?.GetValue<string>() == requiredName))
+          {
+            targetRequired.Add(requiredName);
+          }
+        }
+      }
+
+      if (!target.TryGetPropertyValue("type", out _) &&
+          itemObject.TryGetPropertyValue("type", out var itemTypeNode))
+      {
+        target["type"] = itemTypeNode?.DeepClone();
+      }
+    }
+
+    if (targetProperties != null)
+    {
+      target["properties"] = targetProperties;
+    }
+
+    if (targetRequired != null)
+    {
+      target["required"] = targetRequired;
+    }
+  }
+
   /// <summary>
   /// Creates a JSON schema from JSON string with proper reference resolution
   /// </summary>