hardening: round-5 reviewer findings (alg-mismatch + warning scope + non-ASCII keys fixture)

verify_ucp_profile now rejects matched JWKs whose declared alg disagrees with
the JWS protected header alg (RFC 7517 §4.4: a JWK with `alg` constrains its
use to that algorithm). Closes a small security gap where a JWKS publisher
advertising the wrong alg on a key would silently let mismatched signatures
through joserfc's verify path.

_suppress_joserfc_eddsa_warning docstring corrected. The previous text claimed
joserfc emits the RFC-9864 SecurityWarning at every call including key
generation; empirically the warning fires only at JWS sign/verify (in the JWS
registry), not at OKPKey.generate_key. Removed the redundant suppression
wrapper around generate_key in generate_ucp_signing_key — it was a no-op.

New cross-language fixture py-emoji-keys.json mirrors the node-emoji-keys.json
fixture landing in node-commerce. Locks codepoint-aware key sort: Python's
default sorted() orders by Unicode codepoint, JS default sort orders by UTF-16
code units which diverges for supplementary-plane chars (e.g. U+1F377). The
fixture covers BMP CJK Compatibility (U+8C48), non-BMP wine glass (U+1F377),
and ASCII so both languages must explicitly sort by codepoint to maintain byte
parity.

Tests: 786 pass + 3 skipped, 95.17% coverage. ruff + ty clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: vvillait88

agentscore_commerce/identity/ucp_jwks.py

@@ -43,12 +43,14 @@
 
 @contextlib.contextmanager
 def _suppress_joserfc_eddsa_warning() -> Iterator[None]:
-    """Silence joserfc's exact RFC 9864 EdDSA SecurityWarning.
+    """Suppress joserfc's RFC-9864-deprecation SecurityWarning around JWS sign/verify.
 
-    UCP §6 requires EdDSA support and joserfc emits a per-call deprecation
-    warning. The filter is pinned to the exact message + class
+    joserfc emits this on every JWS operation that uses EdDSA, despite EdDSA
+    being the actively-recommended-by-IETF algorithm for new deployments. The
+    filter is pinned to the exact message + class
     (``joserfc.errors.SecurityWarning``: ``"EdDSA is deprecated via RFC 9864"``)
-    so a future, unrelated EdDSA warning still surfaces normally.
+    so any other SecurityWarning still surfaces normally. Key generation does
+    not emit this warning, so suppression has no effect there.
     """
     from joserfc.errors import SecurityWarning  # type: ignore[import-not-found]
 
@@ -138,8 +140,7 @@ def generate_ucp_signing_key(*, kid: str, alg: Literal["EdDSA", "ES256"] = "EdDS
     if alg == "EdDSA":
         from joserfc.jwk import OKPKey  # type: ignore[import-not-found]
 
-        with _suppress_joserfc_eddsa_warning():
-            priv = OKPKey.generate_key(crv="Ed25519", parameters={"kid": kid, "alg": alg, "use": "sig"})
+        priv = OKPKey.generate_key(crv="Ed25519", parameters={"kid": kid, "alg": alg, "use": "sig"})
     elif alg == "ES256":
         from joserfc.jwk import ECKey  # type: ignore[import-not-found]
 
@@ -357,13 +358,22 @@ def verify_ucp_profile(
             "duplicate_kid",
             f"JWKS contains {len(matches)} keys with kid={kid!r}; expected exactly one.",
         )
+    matched = matches[0]
     # RFC 7517 §4.2: reject keys not intended for signature verification.
-    matched_use = matches[0].get("use")
+    matched_use = matched.get("use")
     if matched_use is not None and matched_use != "sig":
         raise UCPVerificationError(
             "unusable_key",
             f"JWK with kid={kid!r} has use={matched_use!r}; expected 'sig'.",
         )
+    # RFC 7517 §4.4: a JWK with declared `alg` constrains its use to that algorithm.
+    header_alg = header.get("alg")
+    matched_alg = matched.get("alg")
+    if matched_alg is not None and matched_alg != header_alg:
+        raise UCPVerificationError(
+            "unusable_key",
+            f"JWK alg {matched_alg!r} does not match JWS header alg {header_alg!r}.",
+        )
 
     stripped = {k: v for k, v in signed_profile.items() if k != "signature"}
     expected_payload = _canonicalize_profile(stripped)

tests/fixtures/cross-lang/py-emoji-keys.json

@@ -0,0 +1,51 @@
+{
+  "profile": {
+    "version": "2026-04-17",
+    "spec": "https://ucp.dev/",
+    "name": "Emoji Keys Merchant",
+    "services": [
+      {
+        "type": "rest",
+        "url": "https://emoji.example.com"
+      }
+    ],
+    "capabilities": [],
+    "payment_handlers": [
+      {
+        "name": "tempo",
+        "config": {}
+      }
+    ],
+    "signing_keys": [
+      {
+        "crv": "Ed25519",
+        "x": "CX-4oqEqpxhUtsTrsaF2df7KBeIR0Wpe4bgwnlsMk8A",
+        "kid": "py-emoji-keys-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "kty": "OKP"
+      }
+    ],
+    "extras": {
+      "豈": 1,
+      "🍷": 2,
+      "a": 3
+    },
+    "signature": "eyJhbGciOiJFZERTQSIsImtpZCI6InB5LWVtb2ppLWtleXMtRWREU0EiLCJ0eXAiOiJ1Y3AtcHJvZmlsZStqd3MifQ.eyJjYXBhYmlsaXRpZXMiOltdLCJleHRyYXMiOnsiYSI6Mywi6LGIIjoxLCLwn423IjoyfSwibmFtZSI6IkVtb2ppIEtleXMgTWVyY2hhbnQiLCJwYXltZW50X2hhbmRsZXJzIjpbeyJjb25maWciOnt9LCJuYW1lIjoidGVtcG8ifV0sInNlcnZpY2VzIjpbeyJ0eXBlIjoicmVzdCIsInVybCI6Imh0dHBzOi8vZW1vamkuZXhhbXBsZS5jb20ifV0sInNpZ25pbmdfa2V5cyI6W3siYWxnIjoiRWREU0EiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoicHktZW1vamkta2V5cy1FZERTQSIsImt0eSI6Ik9LUCIsInVzZSI6InNpZyIsIngiOiJDWC00b3FFcXB4aFV0c1Ryc2FGMmRmN0tCZUlSMFdwZTRiZ3dubHNNazhBIn1dLCJzcGVjIjoiaHR0cHM6Ly91Y3AuZGV2LyIsInZlcnNpb24iOiIyMDI2LTA0LTE3In0.aXPJHy4hcLxAF1zd9zLSZbbSMBP56BTeZVXY3V_Ywv4sqabLWgJGRmmp2iyJNamCFgYJ8jPIfd9nF1UU2R9WBg"
+  },
+  "jwks": {
+    "keys": [
+      {
+        "crv": "Ed25519",
+        "x": "CX-4oqEqpxhUtsTrsaF2df7KBeIR0Wpe4bgwnlsMk8A",
+        "kid": "py-emoji-keys-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "kty": "OKP"
+      }
+    ]
+  },
+  "alg": "EdDSA",
+  "kid": "py-emoji-keys-EdDSA",
+  "generator": "python"
+}

tests/test_ucp_cross_lang.py

@@ -30,8 +30,13 @@ def test_corpus_covers_canonical_scenarios() -> None:
     generators = {json.loads(p.read_text())["generator"] for p in FIXTURES}
     assert "node" in generators
     assert "python" in generators
-    # Each language ships 6 scenarios so cross-lang verify exercises all of them.
+    # Each language ships 6 base scenarios so cross-lang verify exercises all of them.
     for lang in ("node", "py"):
         for scenario in ("minimal", "es256-rails", "extras-int", "capability", "unicode", "multikey"):
             assert f"{lang}-{scenario}.json" in names, f"missing fixture {lang}-{scenario}.json"
-    assert len(FIXTURES) == 12
+    # `py-emoji-keys.json` locks codepoint-aware key sort: Python sorts by Unicode
+    # codepoint by default, JS default sort orders by UTF-16 code units which
+    # diverges for supplementary-plane chars. The signed body covers BMP CJK
+    # Compatibility (U+8C48), non-BMP wine glass (U+1F377), and ASCII so both
+    # languages must explicitly sort by codepoint to maintain byte parity.
+    assert "py-emoji-keys.json" in names

tests/test_ucp_jwks.py

@@ -389,6 +389,19 @@ def test_verify_rejects_unusable_key_use_enc(self) -> None:
             verify_ucp_profile(signed, build_jwks_response([enc_jwk]))
         assert exc.value.code == "unusable_key"
 
+    def test_verify_rejects_unusable_key_alg_mismatch(self) -> None:
+        key = generate_ucp_signing_key(kid="k")
+        profile = _base_profile([key.public_jwk])
+        signed = sign_ucp_profile(profile, signing_key=key.private_key, kid="k")
+        # JWKS advertises the same kid but with a wrong `alg` (RFC 7517 §4.4 violation):
+        # JWS header carries alg=EdDSA, JWK declares alg=ES256.
+        wrong_alg_jwk = {**key.public_jwk, "alg": "ES256"}
+        with pytest.raises(UCPVerificationError) as exc:
+            verify_ucp_profile(signed, build_jwks_response([wrong_alg_jwk]))
+        assert exc.value.code == "unusable_key"
+        assert "ES256" in str(exc.value)
+        assert "EdDSA" in str(exc.value)
+
     @pytest.mark.parametrize("bad_sig", [42, None, [], {}])
     def test_verify_rejects_non_string_signature(self, bad_sig: object) -> None:
         key = generate_ucp_signing_key(kid="k")