I fiddled with it for a while and came up with this policy and attached the XML file to the post:
EDIT: I previously exported the wrong policy by mistake. I will attach the right one when I get back to to office Apologies...
You'll have to adjust the authentication section to your needs and also change the JDBC connection mapping.
The (STM) Return HTTP Response and Raise Error assertion is a custom encapsulated policy that returns a basic HTTP plain/text status/error and then exits. I've attached it to the post as well in case you're interested. We use it pretty much everywhere.
The policy is limited to 100 results only per search, but you can change that in the JDBC Query assertion (the limit clause) and the Run For Each Item assertion as well. The limit is enforced at every possible place to help performance.
Notice the complex Xpath that looks confusing at first: //L7p:HttpRoutingAssertion[not(L7p:Enabled)]/L7p:ProtectedServiceUrl/@stringValue ... The L7p:Enabled child is only present when it's set to false, otherwise it's absent, which is why I'm only looking for RoutingAssertions that don't have it.
Hope it can help someone else, and thanks for the boost!