hardening(identity): align UCP read order to typed-first + reject bytes

Two cross-language parity fixes from round-29 SDK review:

LOW-1: build_ucp_profile now reads operator_verification and
account_verification from the typed AssessResult fields first, falling
back to data.raw only when the typed field is missing. Previously raw
won, diverging from node-commerce which reads typed fields directly.
With raw and typed in disagreement, both languages now pick the same
source so a profile signed by one verifies in the other.

LOW-2: _reject_unsafe_numbers now rejects bytes / bytearray with a
typed ValueError before json.dumps can raise its raw
"Object of type bytes is not JSON serializable" TypeError. Mirrors the
node sibling's "typed arrays are not allowed" rejection in
stableStringify.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: vvillait88

agentscore_commerce/identity/ucp.py

@@ -272,28 +272,33 @@ async def ucp_profile():
     base_capabilities = list(capabilities or [])
 
     if data is not None and data.resolved_operator:
-        raw = data.raw or {}
-        operator_verification = raw.get("operator_verification") if isinstance(raw, dict) else None
+        # Match node-commerce read order: prefer the typed AssessResult fields,
+        # fall back to ``data.raw`` only when the typed field is missing. The
+        # Node sibling reads ``input.data.operator_verification`` /
+        # ``input.data.account_verification`` directly without consulting
+        # ``raw``; if a caller hand-constructs an AssessResult with mismatched
+        # typed and raw verification blocks, both languages must pick the same
+        # source so a profile signed in one verifies in the other.
+        typed_op = getattr(data, "operator_verification", None)
+        if typed_op is not None and not isinstance(typed_op, dict):
+            # Convert OperatorVerification dataclass to a plain dict.
+            operator_verification = {
+                "level": getattr(typed_op, "level", None),
+                "operator_type": getattr(typed_op, "operator_type", None),
+                "verified_at": getattr(typed_op, "verified_at", None),
+            }
+        else:
+            operator_verification = typed_op
         if not operator_verification:
-            # Fallback to the typed AssessResult.operator_verification field when
-            # `raw` doesn't carry it. Mirrors the node sibling's typed-field read
-            # path so a hand-constructed AssessResult (no `raw`) still surfaces
-            # the operator verification block in the UCP capability claims.
-            typed_op = getattr(data, "operator_verification", None)
-            if typed_op is not None and not isinstance(typed_op, dict):
-                # Convert OperatorVerification dataclass to a plain dict.
-                operator_verification = {
-                    "level": getattr(typed_op, "level", None),
-                    "operator_type": getattr(typed_op, "operator_type", None),
-                    "verified_at": getattr(typed_op, "verified_at", None),
-                }
-            else:
-                operator_verification = typed_op
-        account_verification = raw.get("account_verification") if isinstance(raw, dict) else None
-        if not account_verification:
-            account_verification = getattr(data, "account_verification", None)
+            raw = data.raw or {}
+            operator_verification = raw.get("operator_verification") if isinstance(raw, dict) else None
         if not isinstance(operator_verification, dict):
             operator_verification = {}
+
+        account_verification = getattr(data, "account_verification", None)
+        if not account_verification:
+            raw = data.raw or {}
+            account_verification = raw.get("account_verification") if isinstance(raw, dict) else None
         if not isinstance(account_verification, dict):
             account_verification = {}
         # `dict.get(k) or DEFAULT` (not `dict.get(k, DEFAULT)`) coerces both a

agentscore_commerce/identity/ucp_jwks.py

@@ -222,6 +222,17 @@ def _reject_unsafe_numbers(value: Any) -> None:
             "Convert to a sorted list before passing."
         )
         raise ValueError(msg)
+    # Reject bytes / bytearray with a typed message (mirrors the node sibling's
+    # "typed arrays are not allowed" rejection in stableStringify). Without this,
+    # raw bytes fall through cleanly and surface a confusing
+    # `TypeError: Object of type bytes is not JSON serializable` from
+    # `json.dumps` later. Convert to a base64url string before passing.
+    if isinstance(value, bytes | bytearray):
+        msg = (
+            f"{type(value).__name__} values are not allowed in canonicalized JSON. "
+            "Convert to a base64url string before passing."
+        )
+        raise ValueError(msg)
     if isinstance(value, dict):
         for k, v in value.items():
             _reject_unsafe_numbers(k)

tests/test_ucp.py

@@ -235,26 +235,51 @@ def test_typed_account_verification_fallback_via_setattr() -> None:
     assert claims["sanctions_clear"] is True
 
 
-def test_raw_takes_precedence_over_typed_fallback() -> None:
-    # When raw carries `operator_verification`, the typed-field fallback is NOT
-    # consulted. Production callers populate raw and the typed fields stay
-    # in sync; this test pins the precedence so a typed mismatch can't silently
-    # override the raw payload.
+def test_typed_takes_precedence_over_raw() -> None:
+    # When the typed `operator_verification` / `account_verification` fields
+    # disagree with `data.raw`, the typed values win. Mirrors the node sibling
+    # which reads `input.data.operator_verification` directly without
+    # consulting `raw`. Production callers populate raw and the typed fields
+    # stay in sync; pinning typed-precedence keeps a hand-constructed
+    # AssessResult from emitting a profile that one language verifies and the
+    # other rejects.
     result = AssessResult(
         allow=True,
         resolved_operator="op_xyz",
-        operator_verification=OperatorVerification(level="enhanced"),
+        operator_verification=OperatorVerification(level="verified"),
         raw={
-            "operator_verification": {"level": "verified"},
-            "account_verification": {"kyc_level": "verified"},
+            "operator_verification": {"level": "none"},
+            "account_verification": {"kyc_level": "none"},
         },
     )
+    result.account_verification = {"kyc_level": "verified"}  # type: ignore[attr-defined]
     profile = build_ucp_profile(**_base_kwargs(), data=result)
     cap = next(c for c in profile.capabilities if c.name == AGENTSCORE_UCP_CAPABILITY)
-    # `kyc_level` reads from raw account_verification.kyc_level first.
+    # Typed `account_verification.kyc_level == 'verified'` wins over the
+    # `none` value carried in `data.raw`.
     assert cap.extras["claims"]["kyc_level"] == "verified"
 
 
+def test_raw_fallback_used_when_typed_missing() -> None:
+    # When typed `operator_verification` / `account_verification` are absent,
+    # the builder falls back to `data.raw`. This is the production path:
+    # `AgentScoreClient` populates both, but legacy or ad-hoc callers may
+    # only set raw.
+    result = AssessResult(
+        allow=True,
+        resolved_operator="op_raw",
+        operator_verification=None,
+        raw={
+            "operator_verification": {"level": "enhanced"},
+            "account_verification": {"kyc_level": "enhanced"},
+        },
+    )
+    profile = build_ucp_profile(**_base_kwargs(), data=result)
+    cap = next(c for c in profile.capabilities if c.name == AGENTSCORE_UCP_CAPABILITY)
+    # `kyc_level` falls back to raw `account_verification.kyc_level`.
+    assert cap.extras["claims"]["kyc_level"] == "enhanced"
+
+
 # Per-element to_dict reserved-key collision guard. Mirrors the parent
 # UCPProfile.to_dict guard so vendor extras can't silently overwrite a canonical
 # field on UCPService / UCPCapability / UCPSigningKey via `out.update(extras)`.

tests/test_ucp_jwks.py

@@ -344,6 +344,31 @@ def test_rejects_set_of_valid_strings_with_typed_message(self) -> None:
         with pytest.raises(ValueError, match="set values are not allowed"):
             sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
 
+    def test_rejects_bytes_values_outright(self) -> None:
+        # `bytes` is not representable in JSON; the canonicalizer rejects it with a
+        # typed message before `json.dumps` can raise its raw
+        # `TypeError: Object of type bytes is not JSON serializable`. Mirrors
+        # node's `stableStringify: typed arrays are not allowed`.
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"blob": b"hello"}}
+        with pytest.raises(ValueError, match="bytes values are not allowed"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_rejects_bytearray_values_outright(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"blob": bytearray(b"hello")}}
+        with pytest.raises(ValueError, match="bytearray values are not allowed"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_rejects_empty_bytes_with_typed_message(self) -> None:
+        # Empty bytes would fall through `_reject_unsafe_numbers` cleanly and
+        # surface a raw `TypeError` from `json.dumps` later. The typed reject
+        # ensures callers get a guiding ValueError instead.
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"blob": b""}}
+        with pytest.raises(ValueError, match="bytes values are not allowed"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
     def test_accepts_max_safe_int_boundary(self) -> None:
         signer = generate_ucp_signing_key(kid="k")
         profile = {**_base_profile([signer.public_jwk]), "extras": {"big": 2**53 - 1}}