hardening(identity): typed-empty wins over raw + preserve empty payment_handler config

Three cross-language parity fixes for build_ucp_profile / UCPPaymentHandler:

1. `data.account_verification == {}` (and `data.operator_verification == {}`)
   means "API returned the block with no populated values" and now wins over
   the `data.raw` fallback. The previous `if not account_verification:` check
   treated empty-dict as falsy and bled raw values through. Mirrors the Node
   sibling, which reads the typed field directly without consulting raw.

2. `UCPPaymentHandler.to_dict()` always emits `config` (even when empty).
   TypeScript serializes `{name: 'tempo', config: {}}` with `config`
   preserved; the dataclass default is `field(default_factory=dict)` so the
   field is always a dict. The previous `if self.config:` truthy gate
   produced byte divergence on explicit `config={}` callers.

3. New `typed-claims` cross-lang fixture exercises the typed-field-only read
   path (`AssessResult(account_verification={...}, raw=None)`) that the
   existing `data-driven-claims` fixture didn't cover (it uses `raw=`).
   Both languages must produce byte-identical canonical bytes for the typed
   path or cross-lang verify silently drifts in production.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: vvillait88

agentscore_commerce/identity/ucp.py

@@ -165,10 +165,12 @@ class UCPPaymentHandler:
     config: dict[str, Any] = field(default_factory=dict)
 
     def to_dict(self) -> dict[str, Any]:
-        out: dict[str, Any] = {"name": self.name}
-        if self.config:
-            out["config"] = self.config
-        return out
+        # Always emit `config` (even when empty) so a Python-built handler matches
+        # the Node sibling byte-for-byte: TypeScript serializes
+        # `{name: 'tempo', config: {}}` with `config` preserved, and the dataclass
+        # default is `field(default_factory=dict)` so the field is always a dict.
+        # Cross-language verify drifts otherwise on explicit `config={}` callers.
+        return {"name": self.name, "config": self.config}
 
 
 @dataclass
@@ -273,35 +275,39 @@ async def ucp_profile():
 
     if data is not None and data.resolved_operator:
         # Match node-commerce read order: prefer the typed AssessResult fields,
-        # fall back to ``data.raw`` only when the typed field is missing. The
-        # Node sibling reads ``input.data.operator_verification`` /
-        # ``input.data.account_verification`` directly without consulting
-        # ``raw``; if a caller hand-constructs an AssessResult with mismatched
-        # typed and raw verification blocks, both languages must pick the same
-        # source so a profile signed in one verifies in the other.
+        # fall back to ``data.raw`` only when the typed field is ``None`` (absent).
+        # An explicitly-empty typed dict means "API returned the block with no
+        # populated values" and wins over raw — same as the Node sibling, which
+        # reads ``input.data.operator_verification`` / ``input.data.account_verification``
+        # directly without consulting ``raw``. ``is None`` (not truthy) is the
+        # correct distinction so a caller hand-constructing
+        # ``AssessResult(account_verification={}, raw={"account_verification": {...}})``
+        # gets the same empty-block behavior in both languages.
         typed_op = data.operator_verification
-        operator_verification: dict[str, Any] = {}
-        if isinstance(typed_op, dict):
+        operator_verification: dict[str, Any]
+        if typed_op is None:
+            raw = data.raw or {}
+            raw_op = raw.get("operator_verification") if isinstance(raw, dict) else None
+            operator_verification = raw_op if isinstance(raw_op, dict) else {}
+        elif isinstance(typed_op, dict):
             operator_verification = cast("dict[str, Any]", typed_op)
-        elif typed_op is not None:
+        else:
             # Convert OperatorVerification dataclass to a plain dict.
             operator_verification = {
                 "level": getattr(typed_op, "level", None),
                 "operator_type": getattr(typed_op, "operator_type", None),
                 "verified_at": getattr(typed_op, "verified_at", None),
             }
-        if not operator_verification:
-            raw = data.raw or {}
-            raw_op = raw.get("operator_verification") if isinstance(raw, dict) else None
-            if isinstance(raw_op, dict):
-                operator_verification = raw_op
 
-        account_verification: dict[str, Any] = data.account_verification or {}
-        if not account_verification:
+        account_verification: dict[str, Any]
+        if data.account_verification is None:
             raw = data.raw or {}
             raw_av = raw.get("account_verification") if isinstance(raw, dict) else None
-            if isinstance(raw_av, dict):
-                account_verification = raw_av
+            account_verification = raw_av if isinstance(raw_av, dict) else {}
+        elif isinstance(data.account_verification, dict):
+            account_verification = data.account_verification
+        else:
+            account_verification = {}
         # `dict.get(k) or DEFAULT` (not `dict.get(k, DEFAULT)`) coerces both a
         # missing key AND a present-but-falsy (None / "") value to the default,
         # matching the node sibling's `||` semantics. The API can return

scripts/generate_typed_claims_fixture.py

@@ -0,0 +1,82 @@
+"""One-shot generator for the typed-claims cross-lang fixture (Python side).
+
+Writes ``tests/fixtures/cross-lang/py-typed-claims.json``. Sibling to
+``generate_data_driven_claims_fixture.py`` but exercises the **typed**
+``AssessResult.account_verification`` / ``AssessResult.operator_verification``
+read path (with ``raw=None``) instead of the raw-dict fallback. This catches
+drift in typed-field-only callers — production code populates both, but a
+hand-constructed AssessResult with only typed fields must produce a profile
+that the Node sibling verifies byte-for-byte, since Node's
+``buildUCPProfile`` reads the typed fields directly without ever consulting
+``raw``.
+"""
+
+from __future__ import annotations
+
+import json
+from pathlib import Path
+
+from agentscore_commerce.identity import (
+    AssessResult,
+    OperatorVerification,
+    UCPService,
+    UCPSigningKey,
+    build_ucp_profile,
+)
+from agentscore_commerce.identity.ucp_jwks import (
+    build_jwks_response,
+    generate_ucp_signing_key,
+    sign_ucp_profile,
+)
+
+OUT = Path(__file__).resolve().parent.parent / "tests" / "fixtures" / "cross-lang" / "py-typed-claims.json"
+
+KID = "py-typed-claims-EdDSA"
+
+
+def main() -> None:
+    key = generate_ucp_signing_key(kid=KID)
+
+    result = AssessResult(
+        allow=True,
+        resolved_operator="op_typed_claims",
+        verify_url="https://agentscore.sh/verify/op_typed_claims",
+        operator_verification=OperatorVerification(
+            level="enhanced",
+            operator_type="api",
+            verified_at="2026-04-01T00:00:00Z",
+        ),
+        account_verification={
+            "kyc_level": "enhanced",
+            "sanctions_clear": True,
+            "age_bracket": "21+",
+            "jurisdiction": "US",
+            "verified_at": "2026-04-01T00:00:00Z",
+        },
+        raw=None,
+    )
+
+    profile = build_ucp_profile(
+        name="Typed Claims Merchant",
+        services=[UCPService(type="rest", url="https://t.example.com")],
+        payment_handlers=[],
+        signing_keys=[UCPSigningKey.from_jwk(key.public_jwk)],
+        data=result,
+    )
+
+    signed = sign_ucp_profile(profile.to_dict(), signing_key=key.private_key, kid=KID)
+
+    fixture = {
+        "profile": signed,
+        "jwks": build_jwks_response([key.public_jwk]),
+        "alg": "EdDSA",
+        "kid": KID,
+        "generator": "python",
+    }
+
+    OUT.write_text(json.dumps(fixture, indent=2) + "\n")
+    print(f"wrote {OUT}")
+
+
+if __name__ == "__main__":
+    main()

tests/fixtures/cross-lang/node-typed-claims.json

@@ -0,0 +1,57 @@
+{
+  "profile": {
+    "version": "2026-04-17",
+    "spec": "https://ucp.dev/",
+    "services": [
+      {
+        "type": "rest",
+        "url": "https://t.example.com"
+      }
+    ],
+    "capabilities": [
+      {
+        "name": "agentscore-identity",
+        "version": "1",
+        "schema": "https://agentscore.sh/schemas/ucp/agentscore-identity.v1.json",
+        "claims": {
+          "operator_id": "op_typed_claims",
+          "kyc_level": "enhanced",
+          "sanctions_clear": true,
+          "age_bracket": "21+",
+          "jurisdiction": "US",
+          "verified_at": "2026-04-01T00:00:00Z",
+          "verify_url": "https://agentscore.sh/verify/op_typed_claims",
+          "issuer": "https://agentscore.sh"
+        }
+      }
+    ],
+    "payment_handlers": [],
+    "signing_keys": [
+      {
+        "kid": "node-typed-claims-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "hkhmYJSOPyC7tC2baujBsjvTdDs0M2gnmiTGEm_H9y0"
+      }
+    ],
+    "name": "Typed Claims Merchant",
+    "signature": "eyJhbGciOiJFZERTQSIsImtpZCI6Im5vZGUtdHlwZWQtY2xhaW1zLUVkRFNBIiwidHlwIjoidWNwLXByb2ZpbGUrandzIn0.eyJjYXBhYmlsaXRpZXMiOlt7ImNsYWltcyI6eyJhZ2VfYnJhY2tldCI6IjIxKyIsImlzc3VlciI6Imh0dHBzOi8vYWdlbnRzY29yZS5zaCIsImp1cmlzZGljdGlvbiI6IlVTIiwia3ljX2xldmVsIjoiZW5oYW5jZWQiLCJvcGVyYXRvcl9pZCI6Im9wX3R5cGVkX2NsYWltcyIsInNhbmN0aW9uc19jbGVhciI6dHJ1ZSwidmVyaWZpZWRfYXQiOiIyMDI2LTA0LTAxVDAwOjAwOjAwWiIsInZlcmlmeV91cmwiOiJodHRwczovL2FnZW50c2NvcmUuc2gvdmVyaWZ5L29wX3R5cGVkX2NsYWltcyJ9LCJuYW1lIjoiYWdlbnRzY29yZS1pZGVudGl0eSIsInNjaGVtYSI6Imh0dHBzOi8vYWdlbnRzY29yZS5zaC9zY2hlbWFzL3VjcC9hZ2VudHNjb3JlLWlkZW50aXR5LnYxLmpzb24iLCJ2ZXJzaW9uIjoiMSJ9XSwibmFtZSI6IlR5cGVkIENsYWltcyBNZXJjaGFudCIsInBheW1lbnRfaGFuZGxlcnMiOltdLCJzZXJ2aWNlcyI6W3sidHlwZSI6InJlc3QiLCJ1cmwiOiJodHRwczovL3QuZXhhbXBsZS5jb20ifV0sInNpZ25pbmdfa2V5cyI6W3siYWxnIjoiRWREU0EiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoibm9kZS10eXBlZC1jbGFpbXMtRWREU0EiLCJrdHkiOiJPS1AiLCJ1c2UiOiJzaWciLCJ4IjoiaGtobVlKU09QeUM3dEMyYmF1akJzanZUZERzME0yZ25taVRHRW1fSDl5MCJ9XSwic3BlYyI6Imh0dHBzOi8vdWNwLmRldi8iLCJ2ZXJzaW9uIjoiMjAyNi0wNC0xNyJ9.GJZcFBMvdIPmELSrUGzu--PmKwjItbpV74peSvcJcXRk6DRHgivYZOaTOPjFgZgOqnvhAEeG-gvy4O6jP5NrCA"
+  },
+  "jwks": {
+    "keys": [
+      {
+        "kid": "node-typed-claims-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "hkhmYJSOPyC7tC2baujBsjvTdDs0M2gnmiTGEm_H9y0"
+      }
+    ]
+  },
+  "alg": "EdDSA",
+  "kid": "node-typed-claims-EdDSA",
+  "generator": "node"
+}

tests/fixtures/cross-lang/py-typed-claims.json

@@ -0,0 +1,57 @@
+{
+  "profile": {
+    "version": "2026-04-17",
+    "spec": "https://ucp.dev/",
+    "services": [
+      {
+        "type": "rest",
+        "url": "https://t.example.com"
+      }
+    ],
+    "capabilities": [
+      {
+        "name": "agentscore-identity",
+        "schema": "https://agentscore.sh/schemas/ucp/agentscore-identity.v1.json",
+        "version": "1",
+        "claims": {
+          "operator_id": "op_typed_claims",
+          "kyc_level": "enhanced",
+          "sanctions_clear": true,
+          "age_bracket": "21+",
+          "jurisdiction": "US",
+          "verified_at": "2026-04-01T00:00:00Z",
+          "verify_url": "https://agentscore.sh/verify/op_typed_claims",
+          "issuer": "https://agentscore.sh"
+        }
+      }
+    ],
+    "payment_handlers": [],
+    "signing_keys": [
+      {
+        "kid": "py-typed-claims-EdDSA",
+        "kty": "OKP",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "x": "Qu9H2p75WjLc0DCdYY7MTaTkDZ0YPBFKHH3jsZMjFiA"
+      }
+    ],
+    "name": "Typed Claims Merchant",
+    "signature": "eyJhbGciOiJFZERTQSIsImtpZCI6InB5LXR5cGVkLWNsYWltcy1FZERTQSIsInR5cCI6InVjcC1wcm9maWxlK2p3cyJ9.eyJjYXBhYmlsaXRpZXMiOlt7ImNsYWltcyI6eyJhZ2VfYnJhY2tldCI6IjIxKyIsImlzc3VlciI6Imh0dHBzOi8vYWdlbnRzY29yZS5zaCIsImp1cmlzZGljdGlvbiI6IlVTIiwia3ljX2xldmVsIjoiZW5oYW5jZWQiLCJvcGVyYXRvcl9pZCI6Im9wX3R5cGVkX2NsYWltcyIsInNhbmN0aW9uc19jbGVhciI6dHJ1ZSwidmVyaWZpZWRfYXQiOiIyMDI2LTA0LTAxVDAwOjAwOjAwWiIsInZlcmlmeV91cmwiOiJodHRwczovL2FnZW50c2NvcmUuc2gvdmVyaWZ5L29wX3R5cGVkX2NsYWltcyJ9LCJuYW1lIjoiYWdlbnRzY29yZS1pZGVudGl0eSIsInNjaGVtYSI6Imh0dHBzOi8vYWdlbnRzY29yZS5zaC9zY2hlbWFzL3VjcC9hZ2VudHNjb3JlLWlkZW50aXR5LnYxLmpzb24iLCJ2ZXJzaW9uIjoiMSJ9XSwibmFtZSI6IlR5cGVkIENsYWltcyBNZXJjaGFudCIsInBheW1lbnRfaGFuZGxlcnMiOltdLCJzZXJ2aWNlcyI6W3sidHlwZSI6InJlc3QiLCJ1cmwiOiJodHRwczovL3QuZXhhbXBsZS5jb20ifV0sInNpZ25pbmdfa2V5cyI6W3siYWxnIjoiRWREU0EiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoicHktdHlwZWQtY2xhaW1zLUVkRFNBIiwia3R5IjoiT0tQIiwidXNlIjoic2lnIiwieCI6IlF1OUgycDc1V2pMYzBEQ2RZWTdNVGFUa0RaMFlQQkZLSEgzanNaTWpGaUEifV0sInNwZWMiOiJodHRwczovL3VjcC5kZXYvIiwidmVyc2lvbiI6IjIwMjYtMDQtMTcifQ.Awkp_QIMwjiiBE4CSiZQBkxXNdxwGBIPW36sAFIngbax_otu5N5S2kBlnt4xUhvRCJ-_CHieGCPJseIXa0i9Dg"
+  },
+  "jwks": {
+    "keys": [
+      {
+        "crv": "Ed25519",
+        "x": "Qu9H2p75WjLc0DCdYY7MTaTkDZ0YPBFKHH3jsZMjFiA",
+        "kid": "py-typed-claims-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "kty": "OKP"
+      }
+    ]
+  },
+  "alg": "EdDSA",
+  "kid": "py-typed-claims-EdDSA",
+  "generator": "python"
+}

tests/test_ucp.py

@@ -1,5 +1,7 @@
 """Tests for build_ucp_profile."""
 
+from typing import Any, cast
+
 import pytest
 
 from agentscore_commerce.identity import (
@@ -335,3 +337,59 @@ def test_ucp_signing_key_extras_non_reserved_pass_through() -> None:
     sk = UCPSigningKey(kid="me", kty="EC", alg="ES256", crv="P-256", extras={"x": "abc", "y": "def"})
     out = sk.to_dict()
     assert out == {"kid": "me", "kty": "EC", "alg": "ES256", "crv": "P-256", "x": "abc", "y": "def"}
+
+
+# UCPPaymentHandler.to_dict always emits `config`. The Node sibling serializes
+# `{name: 'tempo', config: {}}` with `config` preserved (TypeScript optional
+# field initialized to a new object). Cross-language byte-parity requires the
+# Python emitter to do the same — even when the dataclass default
+# `field(default_factory=dict)` left config empty.
+
+
+def test_ucp_payment_handler_to_dict_preserves_empty_config() -> None:
+    assert UCPPaymentHandler(name="tempo").to_dict() == {"name": "tempo", "config": {}}
+
+
+def test_ucp_payment_handler_to_dict_preserves_explicit_empty_config() -> None:
+    assert UCPPaymentHandler(name="tempo", config={}).to_dict() == {"name": "tempo", "config": {}}
+
+
+def test_ucp_payment_handler_to_dict_preserves_populated_config() -> None:
+    assert UCPPaymentHandler(name="tempo", config={"recipient": "0xabc"}).to_dict() == {
+        "name": "tempo",
+        "config": {"recipient": "0xabc"},
+    }
+
+
+# Typed-vs-raw read order: `data.account_verification == {}` means "API
+# explicitly returned an empty block" and must win over `data.raw`. Only when
+# the typed field is `None` does the builder fall back to raw. Mirrors the Node
+# sibling, which reads the typed field directly without consulting raw.
+
+
+def test_typed_empty_account_verification_wins_over_raw() -> None:
+    result = AssessResult(
+        allow=True,
+        resolved_operator="op_xyz",
+        account_verification={},
+        raw={"account_verification": {"kyc_level": "verified"}},
+    )
+    profile = build_ucp_profile(**_base_kwargs(), data=result)
+    cap = next(c for c in profile.capabilities if c.name == AGENTSCORE_UCP_CAPABILITY)
+    # Empty typed dict suppresses the raw fallback; kyc_level falls through to
+    # the schema default "none" instead of bleeding the raw "verified" value.
+    assert cap.extras["claims"]["kyc_level"] == "none"
+
+
+def test_typed_empty_operator_verification_wins_over_raw() -> None:
+    result = AssessResult(
+        allow=True,
+        resolved_operator="op_xyz",
+        # Empty dict is a valid typed value (means "operator block returned empty").
+        operator_verification=cast("Any", {}),
+        raw={"operator_verification": {"level": "enhanced", "verified_at": "2026-01-01T00:00:00Z"}},
+    )
+    profile = build_ucp_profile(**_base_kwargs(), data=result)
+    cap = next(c for c in profile.capabilities if c.name == AGENTSCORE_UCP_CAPABILITY)
+    # Empty typed dict suppresses raw fallback; verified_at falls through to None.
+    assert cap.extras["claims"]["verified_at"] is None

tests/test_ucp_cross_lang.py

@@ -46,10 +46,15 @@ def test_corpus_covers_canonical_scenarios() -> None:
             "multikey",
             "emoji-keys",
             "int-boundary",
-            # `data-driven-claims` is the only fixture in the corpus that
-            # exercises ``build_ucp_profile`` / ``buildUCPProfile``'s data path
-            # (vs. hand-crafted capabilities). Catches drift in
-            # ``account_verification`` coalescing.
+            # `data-driven-claims` exercises the raw-dict fallback read path
+            # (`AssessResult(raw={"account_verification": {...}})`) that
+            # production callers populate. `typed-claims` exercises the typed
+            # field path (`AssessResult(account_verification={...}, raw=None)`)
+            # that hand-constructed callers use — Node's `buildUCPProfile`
+            # reads typed fields directly without consulting raw, so both
+            # paths must produce byte-identical canonical bytes across
+            # languages or cross-lang verify silently drifts.
             "data-driven-claims",
+            "typed-claims",
         ):
             assert f"{lang}-{scenario}.json" in names, f"missing fixture {lang}-{scenario}.json"