SShortSingh.
Back to feed

UCP Conformance Tests Miss Critical Agent Behavior Flaws, Developer Warns

0
·1 views

A developer writing on DEV Community has highlighted a significant gap in Universal Checkout Protocol (UCP) conformance testing: while nearly 99% of stores score an 'A' on conformance, many shopping agents still fail in real-world scenarios. Conformance tools verify only that messages are correctly structured, but cannot detect behavioral failures such as completing purchases with mismatched totals, following phishing URLs, or skipping cryptographic signature verification. The agent side of a UCP transaction — where real user funds and account access are at stake — is largely ungraded by existing tools. To address this, the author built spck.dev, an open-source reverse harness that tests shopping agents against adversarial stores designed to expose these blind spots. The suite uses kill-rate testing to ensure each check reliably catches its targeted defect, and is free to use, though it is not affiliated with the official UCP project.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

Tutorial: Build a Local Services Flutter App Using HosteDay Backend Platform

A new developer tutorial demonstrates how to build a local services app called 'At Your Service' using Flutter and the HosteDay backend platform. The guide walks through creating a free backend server on HosteDay, setting up a database table for service providers, and auto-generating CRUD API endpoints without writing manual backend code. Developers then create a Flutter project in Android Studio and integrate the hosteday_flutter package to connect the app to the backend. API token protection is configured within the Flutter project to secure backend requests from unauthorized access. This first part of the series lays the foundation for future authentication and service-listing features.

0
ProgrammingDEV Community ·

How HTTP/2 Multiplexing Replaced Multiple Connections with One Efficient Link

HTTP/1.1 handled growing web traffic by opening multiple TCP connections simultaneously, which improved page load speeds but created significant overhead in handshakes, memory, and CPU usage. Engineers identified that the core issue was not network capacity but how HTTP utilized the network. HTTP/2 was developed to address this by introducing multiplexing, which allows multiple requests and responses to travel concurrently over a single TCP connection as independent streams. The protocol breaks data into smaller units called frames, which can be interleaved across streams and reassembled correctly by the browser. HTTP/2 also shifted from a text-based format to binary, making it more efficient for computers to process.

0
ProgrammingDEV Community ·

Guide: Migrating Python Projects from mypy to ty and Pyrefly

A practical migration guide documents how the fastkml Python package was moved from mypy to Astral's ty and Meta's pyrefly type checkers. The guide recommends running both tools simultaneously, as they each catch different subsets of type errors that the other may miss. Before making any changes, developers are advised to establish a baseline error count and categorize issues by error kind to identify systemic root causes rather than fixing problems file by file. The guide also warns that mypy configuration flags do not map one-to-one to ty or pyrefly equivalents, urging developers to re-derive intent rather than hunt for identical settings. Finally, it stresses verifying that both tools pass cleanly alongside a full test suite before retiring the existing mypy configuration.

0
ProgrammingDEV Community ·

Free PHP Scripts on Forums Found Stealing Server Credentials and Sensitive Data

A developer discovered that a free PHP script downloaded from platforms like 4shared and online forums contained hidden malicious code. The script silently collected and transmitted sensitive server data — including email credentials, usernames, passwords, and environment details — to an external destination without the user's knowledge. The malicious code used obfuscation techniques such as base64 encoding and dynamic execution functions to disguise its true purpose and evade casual inspection. The incident highlights the risks of using unverified third-party code, particularly free scripts shared outside reputable platforms. Security experts recommend auditing all third-party code for suspicious functions like eval() and base64_decode() before deploying it in any production environment.