hardening(identity): reject U+2028/U+2029 in profile canonicalization

Mirrors the rejection in core/api/src/lib/canonicalize.ts so the SDK
canonicalizer stays byte-symmetric across the Node and Python siblings
on any pre-ES2019 V8 (where JSON.stringify still escapes these
codepoints) or browser-side verifier path; today's V8 emits them raw,
so the divergence is theoretical but the contract is now consistent
with the upstream check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: vvillait88

agentscore_commerce/identity/ucp_jwks.py

@@ -162,9 +162,9 @@ def generate_ucp_signing_key(*, kid: str, alg: Literal["EdDSA", "ES256"] = "EdDS
 
 
 def _reject_unsafe_numbers(value: Any) -> None:
-    """Walk ``value`` and raise on any number that won't survive cross-language parity.
+    """Walk ``value`` and raise on anything that won't survive cross-language parity.
 
-    Two failure modes are rejected:
+    Three failure modes are rejected:
 
     * Non-integer ``float`` values. Cross-language float canonicalization (RFC 8785
       §3.2.2.3) diverges between Python's ``json.dumps`` and Node's ``JSON.stringify``
@@ -174,6 +174,12 @@ def _reject_unsafe_numbers(value: Any) -> None:
       Python ints are arbitrary-width, but JS verifiers parse the canonical body via
       ``JSON.parse`` which silently loses precision past 2^53. Use a decimal string
       for any integer that may exceed the safe range.
+    * Strings containing U+2028 (LINE SEPARATOR) or U+2029 (PARAGRAPH SEPARATOR).
+      Pre-ES2019 V8 (and any environment whose ``JSON.stringify`` still escapes
+      these codepoints) emits the escaped sequences while
+      ``json.dumps(ensure_ascii=False)`` emits them raw, so the canonical bytes
+      would diverge across the Node and Python siblings. Mirror of the rejection
+      in ``core/api/src/lib/canonicalize.ts``.
 
     Catching the drift at sign-time prevents silent verifier-side failures in
     production.
@@ -194,6 +200,17 @@ def _reject_unsafe_numbers(value: Any) -> None:
             "parse this; use a decimal string to preserve cross-language byte-parity."
         )
         raise ValueError(msg)
+    if isinstance(value, str):
+        if "\u2028" in value or "\u2029" in value:
+            msg = (
+                "UCP profile strings containing U+2028 (LINE SEPARATOR) or "
+                "U+2029 (PARAGRAPH SEPARATOR) are not allowed; cross-language "
+                "byte parity requires neither be present (Node JSON.stringify "
+                "on older V8 escapes them; Python json.dumps with "
+                "ensure_ascii=False does not)."
+            )
+            raise ValueError(msg)
+        return
     if isinstance(value, dict):
         for k, v in value.items():
             _reject_unsafe_numbers(k)

tests/test_ucp_jwks.py

@@ -671,6 +671,73 @@ def test_sign_accepts_bool_dict_keys(self) -> None:
         assert verify_ucp_profile(signed, build_jwks_response([signer.public_jwk])) is True
 
 
+# U+2028 / U+2029 named via escape so the RUF001 ambiguous-character lint
+# doesn't fire on the test inputs (the codepoints are intentional, not typos).
+_U2028 = "\u2028"
+_U2029 = "\u2029"
+
+
+class TestLineParagraphSeparatorRejection:
+    """U+2028 / U+2029 are escaped by pre-ES2019 V8 (``JSON.stringify`` emits
+    the escaped sequences) but emitted raw by ``json.dumps(ensure_ascii=False)``.
+
+    Modern V8 emits them raw too, so the divergence is theoretical on today's
+    Node, but the rejection mirrors core/api/src/lib/canonicalize.ts so the
+    contract stays symmetric for any pre-ES2019 verifier path (older V8,
+    browser-side verifier code).
+    """
+
+    def test_rejects_u2028_at_top_level(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"note": f"before{_U2028}after"}}
+        with pytest.raises(ValueError, match="U\\+2028"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_rejects_u2029_at_top_level(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"note": f"before{_U2029}after"}}
+        with pytest.raises(ValueError, match="U\\+2029"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_rejects_u2028_nested_in_list(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"items": ["ok", f"bad{_U2028}tail"]}}
+        with pytest.raises(ValueError, match="U\\+2028"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_rejects_u2029_nested_in_list(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"items": ["ok", f"bad{_U2029}tail"]}}
+        with pytest.raises(ValueError, match="U\\+2029"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_rejects_u2028_nested_in_dict_value(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"deep": {"inner": f"before{_U2028}after"}}}
+        with pytest.raises(ValueError, match="U\\+2028"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_rejects_u2029_nested_in_dict_value(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"deep": {"inner": f"before{_U2029}after"}}}
+        with pytest.raises(ValueError, match="U\\+2029"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_rejects_u2028_in_dict_key(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {f"bad{_U2028}key": "value"}}
+        with pytest.raises(ValueError, match="U\\+2028"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_accepts_u2027_sanity_case(self) -> None:
+        # U+2027 (HYPHENATION POINT) is a different codepoint, not a target of
+        # the rejection. Confirms we're matching exactly U+2028 / U+2029.
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"note": "before\u2027after"}}
+        signed = sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+        assert verify_ucp_profile(signed, build_jwks_response([signer.public_jwk])) is True
+
+
 class TestVerifierErrorPrecedence:
     def test_null_profile_with_malformed_jwks_returns_no_signature(self) -> None:
         with pytest.raises(UCPVerificationError) as exc: