fix(ucp): round-7 review parity fixes

vvillait88 · claude · vvillait88 · commit 2fed413f74a6 · 2026-05-08T17:38:06.000-07:00
- verify_ucp_profile: compare signed payload against canonical body
  using hmac.compare_digest for constant-time equality, matching the
  node-commerce sibling.
- UCPProfile.to_dict reserved set: replace Python dunders with
  __proto__ / constructor / prototype so the reserved set is
  byte-identical across the Node and Python SDKs (Node-signed
  profiles carrying those keys are rejected by both).
- README: tell publishers to set Cache-Control: public, max-age=300
  on /.well-known/jwks.json and wait at least that long before
  removing the old JWK during rotation.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/README.md b/README.md
@@ -236,7 +236,7 @@ jwks = build_jwks_response([key.public_jwk])
 
 **Persisting the private JWK.** Mint once via `generate_ucp_signing_key()`, serialize via `key.private_key.as_dict(private=True)`, store in your secret manager. On each container start, read the secret, `OKPKey.import_key(jwk_dict)` (or `ECKey.import_key` for ES256) to re-hydrate. Remote-signer flows (KMS-backed asymmetric keys) require subclassing the joserfc Key to delegate the sign hook; `OKPKey`/`ECKey` themselves only carry local key material.
 
-**Key rotation.** Mint a new key with a new `kid`, add the public JWK to your JWKS endpoint alongside the old one, then sign new profiles with the new key. Drop the old JWK after your verifier-side cache TTL has elapsed.
+**Key rotation.** Mint a new key with a new `kid`, add the public JWK to your JWKS endpoint alongside the old one, then sign new profiles with the new key. Set `Cache-Control: public, max-age=300` on `/.well-known/jwks.json` and wait at least that long after publishing the new key before removing the old JWK.
 
 **Inline JWK in the profile vs separate JWKS endpoint.** UCP §6 mandates the separate `/.well-known/jwks.json` endpoint as the canonical trust source. The profile's `signing_keys[]` is informational; verifiers MUST resolve the kid against the JWKS to prevent a swap-after-sign attack.
 
diff --git a/agentscore_commerce/identity/ucp.py b/agentscore_commerce/identity/ucp.py
@@ -183,10 +183,9 @@ def to_dict(self) -> dict[str, Any]:
             out["name"] = self.name
         # Filter `extras` so a caller passing
         # ``extras={"signing_keys": [...]}`` can't silently destroy the
-        # explicit field. Reserved-field collisions are rejected at
-        # build-time-equivalent surface. ``__class__`` / ``__dict__`` /
-        # ``__init__`` mirror node-commerce's prototype-pollution defense
-        # against bidirectional vendor data passing through both SDKs.
+        # explicit field. ``__proto__`` / ``constructor`` / ``prototype``
+        # match the node-commerce reserved set so a Node-signed profile
+        # carrying those keys is rejected identically by both SDKs.
         reserved = {
             "version",
             "spec",
@@ -196,9 +195,9 @@ def to_dict(self) -> dict[str, Any]:
             "signing_keys",
             "name",
             "signature",
-            "__class__",
-            "__dict__",
-            "__init__",
+            "__proto__",
+            "constructor",
+            "prototype",
         }
         for k, v in self.extras.items():
             if k in reserved:
diff --git a/agentscore_commerce/identity/ucp_jwks.py b/agentscore_commerce/identity/ucp_jwks.py
@@ -25,6 +25,7 @@
 from __future__ import annotations
 
 import contextlib
+import hmac
 import json
 import warnings
 from dataclasses import dataclass
@@ -410,7 +411,7 @@ def verify_ucp_profile(
     # profile we received. ``deserialize_compact`` validates the JWS against the bytes
     # embedded in the JWS payload segment — but the profile body could have been
     # swapped after signing while the JWS stayed unchanged.
-    if obj.payload != expected_payload:
+    if not hmac.compare_digest(obj.payload, expected_payload):
         raise UCPVerificationError(
             "body_mismatch",
             "UCP profile body does not match the signed payload (tampered or non-canonical).",
diff --git a/tests/test_ucp.py b/tests/test_ucp.py
@@ -124,9 +124,9 @@ def test_respects_agentscore_schema_url_override():
         "signing_keys",
         "name",
         "signature",
-        "__class__",
-        "__dict__",
-        "__init__",
+        "__proto__",
+        "constructor",
+        "prototype",
     ],
 )
 def test_extras_reserved_collision_rejected(key: str) -> None:
