fix: preserve __proto__ during receipt canonicalization #4

Open
Mirochill wants to merge 1 commit into permission-protocol:main from Mirochill:fix/preserve-proto-canonicalization

@Mirochill

Summary

  • build recursively sorted canonical JSON objects with a null prototype
  • preserve nested __proto__ properties as signed receipt data
  • add a regression test that signs one nested __proto__ value and rejects a substituted value

Context

Regular object assignment treats __proto__ as a special setter. The previous recursive sorter therefore omitted that key from signing bytes instead of serializing it as JSON data.

Refs permission-protocol/deploy-gate#51.

Validation

npm test
  6 passed

npm run build
  passed

git diff --check
  passed

receipt-spec conformance fixtures
  valid-deploy: exit=0 expected=0
  valid-mcp: exit=0 expected=0
  valid-payment: exit=0 expected=0
  expired: exit=2 expected=2
  tampered: exit=1 expected=1
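
The behaviour described under Context, as an added example that is not part of this pull request or the project's code: a recursive key sorter that rebuilds into a regular `{}` next to one that rebuilds into a null-prototype object. The function names and the two sample receipts are assumptions constructed for illustration.

```javascript
// Added example; names and sample receipts are constructed, not the project's code.

// Pre-fix pattern: rebuild each object as a regular {} with sorted keys.
// out["__proto__"] = v goes through the Object.prototype.__proto__ setter, so
// the key never becomes an own property and JSON.stringify does not emit it.
function sortKeysPlain(value) {
  if (Array.isArray(value)) return value.map(sortKeysPlain);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const key of Object.keys(value).sort()) out[key] = sortKeysPlain(value[key]);
  return out;
}

// Fixed pattern: a null-prototype target inherits no __proto__ accessor, so
// the same assignment creates an ordinary own data property.
function sortKeysNullProto(value) {
  if (Array.isArray(value)) return value.map(sortKeysNullProto);
  if (value === null || typeof value !== "object") return value;
  const out = Object.create(null);
  for (const key of Object.keys(value).sort()) out[key] = sortKeysNullProto(value[key]);
  return out;
}

const canonicalPlain = (v) => JSON.stringify(sortKeysPlain(v));
const canonicalFixed = (v) => JSON.stringify(sortKeysNullProto(v));

// Constructed receipts. JSON.parse stores "__proto__" as an own property,
// so the key is present in the parsed input in both cases.
const signed = JSON.parse(
  '{"scope":{"env":"prod","__proto__":{"approver":"alice"}},"action":"deploy"}');
const substituted = JSON.parse(
  '{"scope":{"env":"prod","__proto__":{"approver":"bob"}},"action":"deploy"}');

// True when both receipts yield identical signing bytes, meaning a signature
// made over one would also verify over the other.
function sameSigningBytes(canonicalize, a, b) {
  return canonicalize(a) === canonicalize(b);
}

console.log("plain:", canonicalPlain(signed));
console.log("fixed:", canonicalFixed(signed));
console.log("substitution undetected (plain):", sameSigningBytes(canonicalPlain, signed, substituted));
console.log("substitution undetected (fixed):", sameSigningBytes(canonicalFixed, signed, substituted));
```
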
