Centralize jmes logic (#1582)

* [US-001] Create jmespath-utils module with core validation functions

Add packages/agents-core/src/utils/jmespath-utils.ts with:
- ValidationResult interface
- MAX_EXPRESSION_LENGTH constant (1000)
- validateJMESPath() for syntax validation
- validateRegex() for regex pattern validation
- compileJMESPath() wrapper with proper typing
- searchJMESPath<T>() safe search wrapper
- JMESPathExtended interface for missing compile method types

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* [US-002] Add security validation with dangerous pattern detection

- Export DANGEROUS_PATTERNS array with 6 patterns for injection prevention
- Export SecurityOptions interface with maxLength and dangerousPatterns
- Export validateJMESPathSecure() with ordered checks: length, patterns, compile
- Validation checks follow O(1) -> O(n) -> expensive ordering for efficiency

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* [US-003] Add jmespathString Zod factory for OpenAPI compatibility

- Import z from '@hono/zod-openapi'
- Export JMESPathStringOptions interface with maxLength option
- Export jmespathString() function that returns z.string().max().describe()
- Description includes valid/invalid JMESPath examples for OpenAPI docs

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* [US-004] Update signature-validation to re-export from jmespath-utils

- Remove original validateJMESPath and validateRegex implementations
- Import and re-export both functions from jmespath-utils
- Re-export ValidationResult type for backward compatibility
- Public export path @inkeep/agents-core/utils/signature-validation preserved

* [US-005] Refactor JsonTransformer to use shared jmespath-utils

- Remove private validateJMESPath method, MAX_EXPRESSION_LENGTH constant,
  DANGEROUS_PATTERNS constant, and JMESPathExtended interface
- Import validateJMESPathSecure, compileJMESPath, DANGEROUS_PATTERNS,
  and MAX_EXPRESSION_LENGTH from ./jmespath-utils
- Update transform() method to use shared validation
- Update objectToJMESPath() to use compileJMESPath()
- Maintain backward compatibility with existing error message format

* [US-006] Update trigger-auth.ts to use searchJMESPath from shared jmespath-utils

- Replace direct jmespath import with searchJMESPath from './jmespath-utils'
- Update extractSignature() to use searchJMESPath<string | undefined>()
- Update extractComponent() to use searchJMESPath<string | undefined>()
- Removes direct jmespath dependency in this file

* [US-007] Update TemplateEngine.ts to use searchJMESPath from shared jmespath-utils

* [US-008] Update Zod schemas to use shared jmespath-utils

- Remove JMESPathExtended interface and jmespathExt constant
- Import jmespathString, validateJMESPathSecure, validateRegex from jmespath-utils
- Replace z.string().optional() in TriggerOutputTransformSchema with jmespathString().optional()
- Update TriggerInsertSchema.superRefine() to use validateJMESPathSecure() and validateRegex()
- Remove direct jmespath import

* [US-009] Update trigger-form to use shared validation from agents-core

- Import validateJMESPath and validateRegex from @inkeep/agents-core/utils/signature-validation
- Add adapter functions to convert ValidationResult to string | undefined for form validation
- Remove duplicate validateJMESPath function (lines 412-425)
- Remove duplicate validateRegex function (lines 427-436)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* [US-010] Add comprehensive jmespath-utils test file

- Add tests for validateJMESPath: valid expressions, invalid syntax errors
- Add tests for validateRegex: valid patterns, invalid patterns
- Add tests for validateJMESPathSecure: length validation, all 6 dangerous patterns, custom options
- Add tests for searchJMESPath: successful search, type inference
- Add tests for compileJMESPath: valid compile, invalid syntax throws
- Add tests for jmespathString(): returns schema with maxLength, description contains examples
- Add tests for MAX_EXPRESSION_LENGTH constant and ValidationResult type

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* [US-011] Clean up duplicate tests and verify exports

- Remove signature-validation.test.ts (duplicate tests now in jmespath-utils.test.ts)
- Verified @inkeep/agents-core/utils/signature-validation export continues to work
- Evaluated jmespath-utils export path: not needed since signature-validation re-exports for external use
- Typecheck passes

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* format fixes and openapi snapshot update

* lint ignores

* extracting jmes logic to jmes utils file

* jmes changesets

---------

Co-authored-by: Claude Opus 4.5 <[email protected]>

Author: amikofalvy

.changeset/competitive-violet-lizard.md

@@ -0,0 +1,5 @@
+---
+"@inkeep/agents-core": patch
+---
+
+Centralized jmes validation

.changeset/mobile-pink-parakeet.md

@@ -0,0 +1,5 @@
+---
+"@inkeep/agents-manage-ui": patch
+---
+
+Use centralized jmes validation

.changeset/tasteless-aquamarine-starfish.md

@@ -0,0 +1,5 @@
+---
+"@inkeep/agents-api": patch
+---
+
+Updated openapi snapshot

agents-api/__snapshots__/openapi.json

@@ -8547,7 +8547,8 @@
         "nullable": true,
         "properties": {
           "jmespath": {
-            "description": "JMESPath expression for payload transformation",
+            "description": "JMESPath expression (max 1000 chars). Valid: \"data.items[0].name\", \"results[?status=='active']\", \"keys(@)\". Invalid: \"${...}\" (template injection), \"eval(...)\", \"constructor\", \"__proto__\".",
+            "maxLength": 1000,
             "type": "string"
           },
           "objectTransformation": {

agents-manage-ui/src/components/triggers/trigger-form.tsx

@@ -1,6 +1,10 @@
 'use client';
 
 import { zodResolver } from '@hookform/resolvers/zod';
+import {
+  validateJMESPath as coreValidateJMESPath,
+  validateRegex as coreValidateRegex,
+} from '@inkeep/agents-core/utils/signature-validation';
 import { ArrowDown, ArrowUp, Check, ChevronDown, KeyRound, Plus, Trash2 } from 'lucide-react';
 import { useRouter } from 'next/navigation';
 import { useEffect, useMemo, useState } from 'react';
@@ -33,6 +37,19 @@ import { fetchCredentialsAction } from '@/lib/actions/credentials';
 import { createTriggerAction, updateTriggerAction } from '@/lib/actions/triggers';
 import type { Trigger } from '@/lib/api/triggers';
 
+// Adapter functions that convert ValidationResult to string | undefined for form validation
+const validateJMESPath = (value: string): string | undefined => {
+  if (!value.trim()) return undefined;
+  const result = coreValidateJMESPath(value);
+  return result.valid ? undefined : result.error;
+};
+
+const validateRegex = (value: string): string | undefined => {
+  if (!value.trim()) return undefined;
+  const result = coreValidateRegex(value);
+  return result.valid ? undefined : result.error;
+};
+
 // Transform type options
 const transformTypeOptions: SelectOption[] = [
   { value: 'none', label: 'None' },
@@ -408,33 +425,6 @@ export function TriggerForm({ tenantId, projectId, agentId, trigger, mode }: Tri
   const transformType = form.watch('transformType');
   const signatureSource = form.watch('signatureSource');
 
-  // Validation functions for JMESPath and regex
-  const validateJMESPath = (value: string): string | undefined => {
-    if (!value.trim()) return undefined;
-
-    try {
-      // Simple JMESPath validation - check for basic syntax issues
-      // Full validation happens on the backend
-      if (value.includes('..') || value.includes('[[')) {
-        return 'Invalid JMESPath syntax';
-      }
-      return undefined;
-    } catch {
-      return 'Invalid JMESPath expression';
-    }
-  };
-
-  const validateRegex = (value: string): string | undefined => {
-    if (!value.trim()) return undefined;
-
-    try {
-      new RegExp(value);
-      return undefined;
-    } catch {
-      return 'Invalid regular expression';
-    }
-  };
-
   // Apply provider preset to form fields
   const applyPreset = (presetKey: string) => {
     const preset = providerPresets[presetKey];

packages/agents-core/src/context/TemplateEngine.ts

@@ -1,4 +1,4 @@
-import jmespath from 'jmespath';
+import { normalizeJMESPath, searchJMESPath } from '../utils/jmespath-utils';
 import { getLogger } from '../utils/logger';
 
 const logger = getLogger('template-engine');
@@ -52,35 +52,6 @@ export class TemplateEngine {
     }
   }
 
-  /**
-   * Normalize JMES path by wrapping property names with dashes in quotes
-   * Example: headers.x-tenant-id -> headers."x-tenant-id"
-   * Example: api-responses[0].response-code -> "api-responses"[0]."response-code"
-   */
-  private static normalizeJMESPath(path: string): string {
-    const segments = path.split('.');
-    return segments
-      .map((segment) => {
-        if (!segment.includes('-')) {
-          return segment;
-        }
-
-        if (segment.startsWith('"') && segment.includes('"')) {
-          return segment;
-        }
-
-        const bracketIndex = segment.indexOf('[');
-        if (bracketIndex !== -1) {
-          const propertyName = segment.substring(0, bracketIndex);
-          const arrayAccess = segment.substring(bracketIndex);
-          return `"${propertyName}"${arrayAccess}`;
-        }
-
-        return `"${segment}"`;
-      })
-      .join('.');
-  }
-
   /**
    * Process variable substitutions {{variable.path}} using JMESPath
    */
@@ -99,10 +70,10 @@ export class TemplateEngine {
         }
 
         // Normalize path to handle dashes in property names
-        const normalizedPath = TemplateEngine.normalizeJMESPath(trimmedPath);
+        const normalizedPath = normalizeJMESPath(trimmedPath);
 
         // Use JMESPath to extract value from context
-        const result = jmespath.search(context, normalizedPath);
+        const result = searchJMESPath(context, normalizedPath);
 
         if (result === undefined || result === null) {
           if (options.strict) {
@@ -147,7 +118,7 @@ export class TemplateEngine {
         return String(result);
       } catch (error) {
         const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-        const normalizedPath = TemplateEngine.normalizeJMESPath(trimmedPath);
+        const normalizedPath = normalizeJMESPath(trimmedPath);
 
         if (options.strict) {
           throw new Error(

packages/agents-core/src/utils/JsonTransformer.ts

@@ -1,13 +1,10 @@
 import * as jmespath from 'jmespath';
-
-// TypeScript workaround for missing compile method in type definitions
-interface JMESPathExtended {
-  search: typeof jmespath.search;
-  compile: (expression: string) => any;
-}
-
-const jmespathExt = jmespath as unknown as JMESPathExtended;
-
+import {
+  compileJMESPath,
+  DANGEROUS_PATTERNS,
+  MAX_EXPRESSION_LENGTH,
+  validateJMESPathSecure,
+} from './jmespath-utils';
 import { getLogger } from './logger';
 
 const logger = getLogger('JsonTransformer');
@@ -20,45 +17,35 @@ interface TransformOptions {
 
 export class JsonTransformer {
   private static readonly DEFAULT_TIMEOUT = 5000; // 5 seconds
-  private static readonly MAX_EXPRESSION_LENGTH = 1000;
-  private static readonly DANGEROUS_PATTERNS = [
-    /\$\{.*\}/, // Template injection
-    /eval\s*\(/, // Eval calls
-    /function\s*\(/, // Function definitions
-    /constructor/, // Constructor access
-    /prototype/, // Prototype manipulation
-    /__proto__/, // Proto access
-  ];
 
   /**
    * Validate JMESPath expression for security and correctness
    */
-  private static validateJMESPath(expression: string, _allowedFunctions?: string[]): void {
+  private static validateExpression(expression: string, _allowedFunctions?: string[]): void {
     if (!expression || typeof expression !== 'string') {
       throw new Error('JMESPath expression must be a non-empty string');
     }
 
-    if (expression.length > JsonTransformer.MAX_EXPRESSION_LENGTH) {
-      throw new Error(
-        `JMESPath expression too long (max ${JsonTransformer.MAX_EXPRESSION_LENGTH} characters)`
-      );
+    // Check length first
+    if (expression.length > MAX_EXPRESSION_LENGTH) {
+      throw new Error(`JMESPath expression too long (max ${MAX_EXPRESSION_LENGTH} characters)`);
     }
 
-    // Check for dangerous patterns
-    for (const pattern of JsonTransformer.DANGEROUS_PATTERNS) {
+    // Check dangerous patterns
+    for (const pattern of DANGEROUS_PATTERNS) {
       if (pattern.test(expression)) {
         throw new Error(`JMESPath expression contains dangerous pattern: ${pattern.source}`);
       }
     }
 
-    // Basic syntax validation - try to compile the expression
-    try {
-      // Use compile to validate syntax without requiring specific data
-      jmespathExt.compile(expression);
-    } catch (error) {
-      throw new Error(
-        `Invalid JMESPath syntax: ${error instanceof Error ? error.message : String(error)}`
-      );
+    // Use validateJMESPathSecure for syntax validation (patterns already checked above)
+    const result = validateJMESPathSecure(expression, {
+      maxLength: MAX_EXPRESSION_LENGTH + 1, // Skip length check (already done)
+      dangerousPatterns: [], // Skip pattern check (already done)
+    });
+
+    if (!result.valid) {
+      throw new Error(`Invalid JMESPath syntax: ${result.error}`);
     }
 
     logger.debug('JMESPath expression validated', `${expression.substring(0, 100)}...`);
@@ -95,7 +82,7 @@ export class JsonTransformer {
     const { timeout = JsonTransformer.DEFAULT_TIMEOUT, allowedFunctions } = options;
 
     // Validate expression before execution
-    JsonTransformer.validateJMESPath(jmesPathExpression, allowedFunctions);
+    JsonTransformer.validateExpression(jmesPathExpression, allowedFunctions);
 
     try {
       logger.debug(
@@ -137,8 +124,7 @@ export class JsonTransformer {
       }
       // Validate each path is a valid JMESPath expression
       try {
-        // Use compile to validate syntax without requiring specific data
-        jmespathExt.compile(path);
+        compileJMESPath(path);
       } catch (error) {
         throw new Error(
           `Invalid JMESPath in object transformation value "${path}": ${error instanceof Error ? error.message : String(error)}`