hardening: round-6 reviewer findings (cross-lang corpus + extras + reject set)

Tighten cross-lang fixture corpus + extras-collision defenses + _reject_floats
walking so cross-language byte parity has airtight regression coverage.

Cross-lang fixture corpus: previous py-emoji-keys.json used chars (cafe, JP, wine
glass, CJK Compat) where UTF-16 first-unit sort and Unicode codepoint sort produce
identical canonical bodies, so the codepoint-sort fix was silently untested in
the verifier-side parity check. Regenerates py-emoji-keys.json with a key set
that genuinely distinguishes the two: BMP private use (U+E000, codepoint 57344)
alongside supplementary-plane wine glass (U+1F377, codepoint 127863, UTF-16 first
unit 55356). Codepoint sort puts U+E000 BEFORE U+1F377; UTF-16 first-unit sort
reverses that. Both repos now ship both node-emoji-keys.json and py-emoji-keys.json
in their fixture corpus so each repo's verifier validates the OTHER language's
canonical body. A regression in either language's key sort surfaces here.

UCPProfile.to_dict reserved set adds __class__, __dict__, __init__ for symmetry
with node-commerce's prototype-pollution defense. Python's runtime model doesn't
have JS-style __proto__ pollution but the reserved-name check guards against
bidirectional vendor data passing through both SDKs and surprising downstream
consumers.

_reject_floats now walks set / frozenset in addition to list / tuple. A profile
containing a set with a float would otherwise crash later in json.dumps with an
untyped TypeError; catching it at the same surface as the list/tuple path keeps
the error message consistent.

README joserfc note adds tested-version pin (joserfc>=1.0.0,<2) mirroring
node-commerce's "tested against jose v5.x; pin jose@^5".

Tests: 800 pass + 3 skipped, 95.22% coverage. ruff + ty clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: vvillait88

README.md

@@ -202,7 +202,11 @@ profile = build_ucp_profile(
 )
 ```
 
-UCP §6 trust-mode requires profiles to carry a JWS signature backed by a JWKS at `/.well-known/jwks.json`. Sign + verify via the optional `joserfc` extra (`pip install agentscore-commerce[ucp]`):
+UCP §6 trust-mode requires profiles to carry a JWS signature backed by a JWKS at `/.well-known/jwks.json`. Sign + verify via the optional `joserfc` extra (tested against joserfc v1.x; pin `joserfc>=1.0.0,<2`):
+
+```bash
+pip install agentscore-commerce[ucp]
+```
 
 ```python
 from agentscore_commerce.identity import (

agentscore_commerce/identity/ucp.py

@@ -184,7 +184,9 @@ def to_dict(self) -> dict[str, Any]:
         # Filter `extras` so a caller passing
         # ``extras={"signing_keys": [...]}`` can't silently destroy the
         # explicit field. Reserved-field collisions are rejected at
-        # build-time-equivalent surface.
+        # build-time-equivalent surface. ``__class__`` / ``__dict__`` /
+        # ``__init__`` mirror node-commerce's prototype-pollution defense
+        # against bidirectional vendor data passing through both SDKs.
         reserved = {
             "version",
             "spec",
@@ -194,6 +196,9 @@ def to_dict(self) -> dict[str, Any]:
             "signing_keys",
             "name",
             "signature",
+            "__class__",
+            "__dict__",
+            "__init__",
         }
         for k, v in self.extras.items():
             if k in reserved:

agentscore_commerce/identity/ucp_jwks.py

@@ -179,7 +179,7 @@ def _reject_floats(value: Any) -> None:
     if isinstance(value, dict):
         for v in value.values():
             _reject_floats(v)
-    elif isinstance(value, list | tuple):
+    elif isinstance(value, list | tuple | set | frozenset):
         for v in value:
             _reject_floats(v)
 

tests/fixtures/cross-lang/node-emoji-keys.json

@@ -0,0 +1,52 @@
+{
+  "profile": {
+    "version": "2026-04-17",
+    "spec": "https://ucp.dev/",
+    "services": [
+      {
+        "type": "rest",
+        "url": "https://emoji.example.com"
+      }
+    ],
+    "capabilities": [],
+    "payment_handlers": [
+      {
+        "name": "tempo",
+        "config": {}
+      }
+    ],
+    "signing_keys": [
+      {
+        "kid": "node-emoji-keys-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "SEqAXr_hDfmdqLqepK--97NMkVlYF_A1ByPa2xycou8"
+      }
+    ],
+    "name": "Emoji Keys Merchant",
+    "extras": {
+      "a": 1,
+      "豈": 2,
+      "": 3,
+      "🍷": 4
+    },
+    "signature": "eyJhbGciOiJFZERTQSIsImtpZCI6Im5vZGUtZW1vamkta2V5cy1FZERTQSIsInR5cCI6InVjcC1wcm9maWxlK2p3cyJ9.eyJjYXBhYmlsaXRpZXMiOltdLCJleHRyYXMiOnsiYSI6MSwi6LGIIjoyLCLugIAiOjMsIvCfjbciOjR9LCJuYW1lIjoiRW1vamkgS2V5cyBNZXJjaGFudCIsInBheW1lbnRfaGFuZGxlcnMiOlt7ImNvbmZpZyI6e30sIm5hbWUiOiJ0ZW1wbyJ9XSwic2VydmljZXMiOlt7InR5cGUiOiJyZXN0IiwidXJsIjoiaHR0cHM6Ly9lbW9qaS5leGFtcGxlLmNvbSJ9XSwic2lnbmluZ19rZXlzIjpbeyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJub2RlLWVtb2ppLWtleXMtRWREU0EiLCJrdHkiOiJPS1AiLCJ1c2UiOiJzaWciLCJ4IjoiU0VxQVhyX2hEZm1kcUxxZXBLLS05N05Na1ZsWUZfQTFCeVBhMnh5Y291OCJ9XSwic3BlYyI6Imh0dHBzOi8vdWNwLmRldi8iLCJ2ZXJzaW9uIjoiMjAyNi0wNC0xNyJ9.QD_zQMZ4UkUkuZQ-rNNEDrEalu2eYrI280Migljdk67UqHWMMOcB4nsBR9mj4E3RJ5M7sgAZ9CWWptdrcTqXCQ"
+  },
+  "jwks": {
+    "keys": [
+      {
+        "kid": "node-emoji-keys-EdDSA",
+        "alg": "EdDSA",
+        "use": "sig",
+        "crv": "Ed25519",
+        "kty": "OKP",
+        "x": "SEqAXr_hDfmdqLqepK--97NMkVlYF_A1ByPa2xycou8"
+      }
+    ]
+  },
+  "alg": "EdDSA",
+  "kid": "node-emoji-keys-EdDSA",
+  "generator": "node"
+}

tests/fixtures/cross-lang/py-emoji-keys.json

@@ -19,25 +19,26 @@
     "signing_keys": [
       {
         "crv": "Ed25519",
-        "x": "CX-4oqEqpxhUtsTrsaF2df7KBeIR0Wpe4bgwnlsMk8A",
+        "x": "xrTm5ZIZUbFC1_S2Yw5KZkf-9m8--CmwP6-bkttx-ik",
         "kid": "py-emoji-keys-EdDSA",
         "alg": "EdDSA",
         "use": "sig",
         "kty": "OKP"
       }
     ],
     "extras": {
-      "豈": 1,
-      "🍷": 2,
-      "a": 3
+      "a": 1,
+      "豈": 2,
+      "": 3,
+      "🍷": 4
     },
-    "signature": "eyJhbGciOiJFZERTQSIsImtpZCI6InB5LWVtb2ppLWtleXMtRWREU0EiLCJ0eXAiOiJ1Y3AtcHJvZmlsZStqd3MifQ.eyJjYXBhYmlsaXRpZXMiOltdLCJleHRyYXMiOnsiYSI6Mywi6LGIIjoxLCLwn423IjoyfSwibmFtZSI6IkVtb2ppIEtleXMgTWVyY2hhbnQiLCJwYXltZW50X2hhbmRsZXJzIjpbeyJjb25maWciOnt9LCJuYW1lIjoidGVtcG8ifV0sInNlcnZpY2VzIjpbeyJ0eXBlIjoicmVzdCIsInVybCI6Imh0dHBzOi8vZW1vamkuZXhhbXBsZS5jb20ifV0sInNpZ25pbmdfa2V5cyI6W3siYWxnIjoiRWREU0EiLCJjcnYiOiJFZDI1NTE5Iiwia2lkIjoicHktZW1vamkta2V5cy1FZERTQSIsImt0eSI6Ik9LUCIsInVzZSI6InNpZyIsIngiOiJDWC00b3FFcXB4aFV0c1Ryc2FGMmRmN0tCZUlSMFdwZTRiZ3dubHNNazhBIn1dLCJzcGVjIjoiaHR0cHM6Ly91Y3AuZGV2LyIsInZlcnNpb24iOiIyMDI2LTA0LTE3In0.aXPJHy4hcLxAF1zd9zLSZbbSMBP56BTeZVXY3V_Ywv4sqabLWgJGRmmp2iyJNamCFgYJ8jPIfd9nF1UU2R9WBg"
+    "signature": "eyJhbGciOiJFZERTQSIsImtpZCI6InB5LWVtb2ppLWtleXMtRWREU0EiLCJ0eXAiOiJ1Y3AtcHJvZmlsZStqd3MifQ.eyJjYXBhYmlsaXRpZXMiOltdLCJleHRyYXMiOnsiYSI6MSwi6LGIIjoyLCLugIAiOjMsIvCfjbciOjR9LCJuYW1lIjoiRW1vamkgS2V5cyBNZXJjaGFudCIsInBheW1lbnRfaGFuZGxlcnMiOlt7ImNvbmZpZyI6e30sIm5hbWUiOiJ0ZW1wbyJ9XSwic2VydmljZXMiOlt7InR5cGUiOiJyZXN0IiwidXJsIjoiaHR0cHM6Ly9lbW9qaS5leGFtcGxlLmNvbSJ9XSwic2lnbmluZ19rZXlzIjpbeyJhbGciOiJFZERTQSIsImNydiI6IkVkMjU1MTkiLCJraWQiOiJweS1lbW9qaS1rZXlzLUVkRFNBIiwia3R5IjoiT0tQIiwidXNlIjoic2lnIiwieCI6InhyVG01WklaVWJGQzFfUzJZdzVLWmtmLTltOC0tQ213UDYtYmt0dHgtaWsifV0sInNwZWMiOiJodHRwczovL3VjcC5kZXYvIiwidmVyc2lvbiI6IjIwMjYtMDQtMTcifQ.O2ENDO4OJreRSvRZqbyMzbQlaG3SKy_zsfMFqqV6HUkwvIzmpH2bot_XtJzyz23RTsBdwvZtLxQJOSnBFkIfBQ"
   },
   "jwks": {
     "keys": [
       {
         "crv": "Ed25519",
-        "x": "CX-4oqEqpxhUtsTrsaF2df7KBeIR0Wpe4bgwnlsMk8A",
+        "x": "xrTm5ZIZUbFC1_S2Yw5KZkf-9m8--CmwP6-bkttx-ik",
         "kid": "py-emoji-keys-EdDSA",
         "alg": "EdDSA",
         "use": "sig",

tests/test_ucp.py

@@ -1,5 +1,7 @@
 """Tests for build_ucp_profile."""
 
+import pytest
+
 from agentscore_commerce.identity import (
     AGENTSCORE_UCP_CAPABILITY,
     AssessResult,
@@ -109,3 +111,25 @@ def test_respects_agentscore_schema_url_override():
     )
     cap = next(c for c in profile.capabilities if c.name == AGENTSCORE_UCP_CAPABILITY)
     assert cap.schema == "https://custom.example/schema.json"
+
+
+@pytest.mark.parametrize(
+    "key",
+    [
+        "version",
+        "spec",
+        "services",
+        "capabilities",
+        "payment_handlers",
+        "signing_keys",
+        "name",
+        "signature",
+        "__class__",
+        "__dict__",
+        "__init__",
+    ],
+)
+def test_extras_reserved_collision_rejected(key: str) -> None:
+    profile = build_ucp_profile(**_base_kwargs(), extras={key: "attacker"})
+    with pytest.raises(ValueError, match="collides with a reserved profile field"):
+        profile.to_dict()

tests/test_ucp_cross_lang.py

@@ -30,13 +30,20 @@ def test_corpus_covers_canonical_scenarios() -> None:
     generators = {json.loads(p.read_text())["generator"] for p in FIXTURES}
     assert "node" in generators
     assert "python" in generators
-    # Each language ships 6 base scenarios so cross-lang verify exercises all of them.
+    # `emoji-keys` exercises non-ASCII object keys with codepoints that genuinely
+    # distinguish UTF-16 first-unit sort from Unicode codepoint sort: BMP private use
+    # (U+E000) ranks BEFORE supplementary plane (U+1F377) by codepoint but AFTER it by
+    # UTF-16 first unit (because the high surrogate 55356 < 57344). Both repos ship the
+    # node and python emoji-keys fixtures so a regression in either language's key sort
+    # surfaces here.
     for lang in ("node", "py"):
-        for scenario in ("minimal", "es256-rails", "extras-int", "capability", "unicode", "multikey"):
+        for scenario in (
+            "minimal",
+            "es256-rails",
+            "extras-int",
+            "capability",
+            "unicode",
+            "multikey",
+            "emoji-keys",
+        ):
             assert f"{lang}-{scenario}.json" in names, f"missing fixture {lang}-{scenario}.json"
-    # `py-emoji-keys.json` locks codepoint-aware key sort: Python sorts by Unicode
-    # codepoint by default, JS default sort orders by UTF-16 code units which
-    # diverges for supplementary-plane chars. The signed body covers BMP CJK
-    # Compatibility (U+8C48), non-BMP wine glass (U+1F377), and ASCII so both
-    # languages must explicitly sort by codepoint to maintain byte parity.
-    assert "py-emoji-keys.json" in names

tests/test_ucp_jwks.py

@@ -313,6 +313,18 @@ def test_accepts_int_and_string(self) -> None:
         signed = sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
         assert verify_ucp_profile(signed, build_jwks_response([signer.public_jwk])) is True
 
+    def test_rejects_float_in_set(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"vals": {0.5}}}
+        with pytest.raises(ValueError, match="rejects float"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
+    def test_rejects_float_in_frozenset(self) -> None:
+        signer = generate_ucp_signing_key(kid="k")
+        profile = {**_base_profile([signer.public_jwk]), "extras": {"vals": frozenset({0.25})}}
+        with pytest.raises(ValueError, match="rejects float"):
+            sign_ucp_profile(profile, signing_key=signer.private_key, kid="k")
+
 
 class TestUCPSigningKeyFromJWK:
     def test_round_trip_eddsa(self) -> None: