fix(proof): reject non-string keys in proof metadata

[Karry2019web]

Bounty #228

Summary

_clean_proof_metadata now validates that all dict keys are strings before processing. Non-string keys (integers, booleans, etc.) are rejected with a clear error message.

Changes

• app/ledger/service.py: Added isinstance(key, str) check at the start of the loop in _clean_proof_metadata
• tests/test_security.py: Added test_clean_proof_metadata_rejects_non_string_keys covering integer keys, boolean keys, and the string-keys-still-pass path

Evidence

Without this check, pay_bounty accepts verifier_result={1: "value"} which Python automatically stringifies during json.dumps, creating a discrepancy between the validated dict and the serialized JSON. This is a type-safety hardening for the proof metadata pipeline.

Refs #228

[SihyeonJeon]

Requesting changes: the implementation idea is reasonable, but the current PR fails the quality gate because the new test block is not formatted and includes unused imports.

Evidence checked:

• Inspected app/ledger/service.py and tests/test_security.py on head 72ea021.
• The service change adds the intended non-string key guard in _clean_proof_metadata() before control-character validation.
• The regression does exercise _clean_proof_metadata({1: ...}), _clean_proof_metadata({True: ...}), and the pay_bounty(... verifier_result={123: ...}) path, and the focused test itself passes.
• However, tests/test_security.py adds a long inline import inside the test and imports add_ledger_entry and TREASURY_ACCOUNT without using them.
• The new block also has trailing whitespace on multiple blank lines.

Validation run on current head 72ea021:

• ./.venv/bin/python -m pytest tests/test_security.py::test_clean_proof_metadata_rejects_non_string_keys -q -> 1 passed
• ./.venv/bin/python -m ruff check app/ledger/service.py tests/test_security.py -> fails with I001 import formatting, E501 line too long, and unused imports for add_ledger_entry and TREASURY_ACCOUNT
• ./.venv/bin/python -m ruff format --check app/ledger/service.py tests/test_security.py -> would reformat tests/test_security.py
• git diff --check origin/main...HEAD -> fails with trailing whitespace in tests/test_security.py
• Hosted Quality, readiness, docs, and image checks is failing.

Suggested fix: move the needed imports to the module import section or split the local import into a formatted block, remove add_ledger_entry and TREASURY_ACCOUNT, remove trailing whitespace, then rerun Ruff, format-check, and git diff --check.

No secrets, wallet material, payout details, private deployment values, private vulnerability details, or MRWK price claims were reviewed or disclosed.

[g8rr5dg2p7-svg]

Thanks for the pass. I think this needs changes before merge.

Blocking:

• This scope is already covered by #252 (Reject non-string proof metadata keys), which changes the same proof metadata key path for bounty #228. Please coordinate with or close in favor of that PR to avoid duplicate acceptance work.
• The branch currently fails the hosted quality check. I reproduced locally: .venv/bin/ruff format --check tests/test_security.py says tests/test_security.py would be reformatted, and .venv/bin/ruff check app/ledger/service.py tests/test_security.py reports an unsorted import, E501, and two unused imports on the new test import line.

Evidence: the targeted regression itself passes: .venv/bin/python -m pytest tests/test_security.py::test_clean_proof_metadata_rejects_non_string_keys -q -> 1 passed.

Once this is deduped and formatted, the underlying guard/test direction looks reasonable, but I would not merge this PR as-is.

[iccccccccccccc]

Quick review: the core change makes sense to me, and the full pytest run in CI got through the test suite. The red CI is coming from formatting/lint on the new test file.

I checked the patch and reproduced the local checks:

• python -m ruff format --check tests/test_security.py -> Would reformat: tests\test_security.py
• python -m ruff check app/ledger/service.py tests/test_security.py -> import formatting/order on the local import block, the long import line at tests/test_security.py:918, plus unused add_ledger_entry and TREASURY_ACCOUNT

So I think the fix is just to run ruff format tests/test_security.py, remove the two unused imports, and rerun the focused ruff checks. The behavior being tested looks aligned with the PR description; this is mostly cleanup before CI can pass.

[Karry2019web]

Closing this PR — scope is already covered by #252 (Reject non-string proof metadata keys) for the same bounty #228. Keeping #252 as the canonical change.