Reject non-decimal MRWK amount notation

[YunHeTracyLee]

Refs #122.

Summary

• require MRWK amount inputs to use plain decimal notation before Decimal parsing
• reject scientific notation such as 1e3 / 1E-3 and leading plus notation such as +1
• preserve existing behavior for normal decimal amounts, over-precision errors, and negative amounts reporting amount must be positive

Repro before fix

On current origin/main, parse_mrwk_amount() accepted non-decimal-looking amount strings:

'1e3' => 1000
'1E-3' => 0.001
'1e-6' => 0.000001
'+1' => 1
'1.5' => 1.5
'0.000001' => 0.000001
'1.0000001' ERR MRWK supports at most 6 decimal places

Those values can flow through admin bounty creation and wallet transfer APIs because both call the shared parser.

Validation

• python -m pytest tests/test_security.py::test_amount_parser_rejects_non_finite_values tests/test_security.py::test_amount_parser_rejects_non_decimal_notation tests/test_security.py::test_amount_parser_rejects_values_above_fixed_supply tests/test_wallet_api.py::test_wallet_transfer_api_rejects_invalid_requests -q -> 7 passed
• python -m pytest tests/test_security.py tests/test_ledger.py tests/test_wallet_api.py tests/test_wallets.py -q -> 73 passed
• python -m pytest -q -> 168 passed, 2 warnings
• ruff check app/ledger/service.py tests/test_security.py
• ruff format --check app/ledger/service.py tests/test_security.py
• mypy app
• python scripts/docs_smoke.py
• python scripts/check_agents.py
• git diff --check

No secrets, wallet material, deployment values, private context, or MRWK price claims are included.

[Ckeplinger199]

No blockers from my review.

I checked PR #167 at head 895dd016c539bf9ee696cba45ea9e9ee44c25655. The change is focused on the shared MRWK amount parser: it requires plain decimal notation before Decimal parsing, so scientific notation and leading-plus values no longer slip through while ordinary decimal values and existing error paths are preserved.

Local verification:

• uv run --extra dev python -m pytest tests/test_security.py::test_amount_parser_rejects_non_finite_values tests/test_security.py::test_amount_parser_rejects_non_decimal_notation tests/test_security.py::test_amount_parser_rejects_values_above_fixed_supply tests/test_wallet_api.py::test_wallet_transfer_api_rejects_invalid_requests -q -> 7 passed
• uv run --extra dev python -m pytest tests/test_security.py tests/test_ledger.py tests/test_wallet_api.py tests/test_wallets.py -q -> 73 passed
• uv run --extra dev python -m pytest -q -> 168 passed, 2 warnings
• uv run --extra dev ruff format --check app/ledger/service.py tests/test_security.py -> 2 files already formatted; ruff check -> all checks passed
• uv run --extra dev python -m mypy app -> success
• uv run --extra dev python scripts/check_agents.py && uv run --extra dev python scripts/docs_smoke.py && git diff --check origin/main...HEAD -> passed

I also ran a direct parser probe: 1e3, 1E-3, and +1 now raise invalid MRWK amount; 1.5 and 0.000001 still convert correctly; -1 still raises amount must be positive. Hosted quality/readiness/docs/image checks are green.

[TateLyman]

No blockers found.

I reviewed PR #167 at head 895dd01, which rejects non-decimal-looking MRWK amount strings before shared Decimal parsing.

What I checked:

• parse_mrwk_amount() now strips once, validates against a plain decimal pattern, then passes the same cleaned string into Decimal.
• Scientific notation (1e3, 1E-3) and leading plus notation (+1) now take the invalid MRWK amount path before they can normalize into accepted decimal values.
• Normal decimal values like 1.5 still parse, and negative plain decimals still reach the existing amount must be positive error.
• This shared parser covers admin bounty creation and wallet transfer amount inputs, so the fix applies at the right layer.
• Hosted CI is green.

Local validation on the PR branch:

• uv run --python 3.12 --extra dev pytest tests/test_security.py::test_amount_parser_rejects_non_decimal_notation tests/test_security.py::test_amount_parser_rejects_non_finite_values tests/test_security.py::test_amount_parser_rejects_values_above_fixed_supply tests/test_wallet_api.py::test_wallet_transfer_api_rejects_invalid_requests -q -> 7 passed.
• uv run --python 3.12 --extra dev pytest tests/test_security.py tests/test_ledger.py tests/test_wallet_api.py tests/test_wallets.py -q -> 73 passed.
• uv run --python 3.12 --extra dev ruff check app/ledger/service.py tests/test_security.py -> passed.
• uv run --python 3.12 --extra dev ruff format --check app/ledger/service.py tests/test_security.py -> passed.
• uv run --python 3.12 --extra dev mypy app -> success.
• python3 scripts/check_agents.py and python3 scripts/docs_smoke.py -> passed.
• git diff --check origin/main...HEAD -> no output.

One earlier parallel focused-test command hit a transient SQLite lock while another pytest process was already collecting the same app; rerunning after the broader test pass succeeded cleanly. No secrets, wallet material, private context, deployment values, or MRWK price claims involved.

[Lucas-FManager]

Review for bounty #219: no blockers from my pass on PR #167.

Evidence checked:

• Inspected app/ledger/service.py and tests/test_security.py on the PR diff.
• Confirmed amount strings are normalized once with strip() and must match plain decimal notation before Decimal() parsing, so scientific notation and leading-plus notation no longer reach shared ledger amount parsing.
• Confirmed negative decimal strings still reach the existing amount must be positive branch, preserving the previous error semantics for -1.
• Confirmed valid decimal examples such as 1.5 still parse to expected microunits and existing fixed-supply / non-finite guards remain covered.
• Ran uv run --python 3.12 --extra dev python -m pytest tests/test_security.py::test_amount_parser_rejects_non_decimal_notation tests/test_security.py::test_amount_parser_rejects_non_finite_values tests/test_security.py::test_amount_parser_rejects_values_above_fixed_supply -q -> 3 passed.
• Ran uv run --python 3.12 --extra dev ruff check app/ledger/service.py tests/test_security.py -> passed.
• Ran uv run --python 3.12 --extra dev ruff format --check app/ledger/service.py tests/test_security.py -> 2 files already formatted.
• Ran git diff --check origin/main...HEAD -> clean.
• Hosted CI Quality, readiness, docs, and image checks is green.

No secrets, wallet material, payout details, private deployment values, private context, private vulnerability details, or MRWK price claims were reviewed or disclosed.