
Reject signed non-authorizing receipt statuses #2

Open
manuelsampedro1 wants to merge 2 commits into permission-protocol:main from manuelsampedro1:codex/reject-nonauthorizing-status

Reject signed non-authorizing receipt statuses#2
manuelsampedro1 wants to merge 2 commits into
permission-protocol:mainfrom
manuelsampedro1:codex/reject-nonauthorizing-status

Conversation


manuelsampedro1 commented May 19, 2026

Summary

  • reject signed receipts whose status is not one of the v1 authorization lifecycle states
  • narrow runtime JSON status values to ReceiptStatus = "valid" | "revoked" at the schema boundary
  • keep revoked classified as expired/revoked, but fail closed for unknown or non-canonical statuses
  • add regressions for signed DENIED, trailing-whitespace "valid ", and non-string status values

Why

The local verifier previously treated every signed, unexpired status except lowercase revoked as authorization-valid. That means any signed receipt carrying a non-authorizing or legacy status such as DENIED, PENDING, or EXPIRED could be accepted by downstream consumers that rely on pp verify / verifyReceipt exit code as the authorization decision.

The latest patch makes the schema boundary explicit before key resolution and before Ed25519 signature verification. Unknown or non-canonical statuses now fail as MALFORMED_RECEIPT, so downstream verifier consumers never get a successful verification result for a signed non-authorizing status.

Related to permission-protocol/deploy-gate#49 and the permission-protocol/deploy-gate#36 bypass challenge because this is a flaw in the signing/verification acceptance flow rather than a raw signature forgery.

Validation

  • node node_modules/vitest/vitest.mjs run
  • node node_modules/typescript/bin/tsc -p tsconfig.json
  • git diff --check origin/main...HEAD

Result: 8 tests passed, TypeScript compile passed, diff whitespace check passed.
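The acceptance flaw the description above lays out, as an added example that is not part of the permission-protocol code base: a permissive verifier in the shape the description gives (everything signed and unexpired except lowercase revoked is treated as authorized) beside a fail-closed version that narrows status to "valid" | "revoked" at the schema boundary before any key resolution or signature work happens. The receipt field names (status, exp, body), the BAD_SIGNATURE code and the sample receipts are assumptions constructed for this example; the signature check is a callback standing in for Ed25519 verification so the example runs offline.

```typescript
// Added example, not the permission-protocol verifier's own code. The receipt
// shape (status / exp / body), the BAD_SIGNATURE code and the samples below are
// assumptions for illustration; MALFORMED_RECEIPT is the code the PR describes.

type ReceiptStatus = "valid" | "revoked";

interface Receipt {
  status: ReceiptStatus;
  exp: number;  // expiry as unix seconds (assumed field name)
  body: string; // stands in for the signed content (assumed field name)
}

type VerifyOutcome =
  | { ok: true; status: "valid" | "expired_or_revoked" }
  | { ok: false; code: "MALFORMED_RECEIPT" | "BAD_SIGNATURE" };

// The flaw: any signed, unexpired status that is not exactly "revoked" counts as
// authorization-valid. The signature step is omitted here because the receipts
// in question are legitimately signed and would pass it anyway.
function legacyIsAuthorized(rawJson: string, now: number): boolean {
  const r = JSON.parse(rawJson);
  if (typeof r.exp !== "number" || r.exp <= now) return false;
  return r.status !== "revoked"; // "DENIED", "PENDING", "valid ", 0 ... all pass
}

// Type guard for the schema boundary: only the two canonical lowercase strings
// are statuses at all; case variants, padded strings and non-strings are not.
function isReceiptStatus(v: unknown): v is ReceiptStatus {
  return v === "valid" || v === "revoked";
}

// Returns a typed Receipt, or null when the JSON does not match the v1 schema.
function parseReceipt(raw: unknown): Receipt | null {
  if (typeof raw !== "object" || raw === null) return null;
  const o = raw as Record<string, unknown>;
  const status = o.status;
  if (!isReceiptStatus(status)) return null;
  if (typeof o.exp !== "number" || !Number.isFinite(o.exp)) return null;
  if (typeof o.body !== "string") return null;
  return { status, exp: o.exp, body: o.body };
}

// Fail-closed verifier. `checkSignature` stands in for key resolution plus the
// Ed25519 check and is deliberately only reached after the schema boundary, so
// a non-canonical status can never produce a successful verification result.
function strictVerify(
  rawJson: string,
  now: number,
  checkSignature: (r: Receipt) => boolean,
): VerifyOutcome {
  let parsed: unknown;
  try {
    parsed = JSON.parse(rawJson);
  } catch {
    return { ok: false, code: "MALFORMED_RECEIPT" };
  }
  const receipt = parseReceipt(parsed);
  if (receipt === null) return { ok: false, code: "MALFORMED_RECEIPT" };
  if (!checkSignature(receipt)) return { ok: false, code: "BAD_SIGNATURE" };
  if (receipt.status === "revoked" || receipt.exp <= now) {
    return { ok: true, status: "expired_or_revoked" };
  }
  return { ok: true, status: "valid" };
}

// Constructed sample receipts (not real protocol data); each is assumed to
// carry a signature that would verify, which is exactly the scenario at issue.
const NOW = 1_700_000_000;
const SAMPLES: Record<string, string> = {
  valid:   JSON.stringify({ status: "valid",   exp: NOW + 600, body: "deploy:prod" }),
  revoked: JSON.stringify({ status: "revoked", exp: NOW + 600, body: "deploy:prod" }),
  expired: JSON.stringify({ status: "valid",   exp: NOW - 1,   body: "deploy:prod" }),
  denied:  JSON.stringify({ status: "DENIED",  exp: NOW + 600, body: "deploy:prod" }),
  padded:  JSON.stringify({ status: "valid ",  exp: NOW + 600, body: "deploy:prod" }),
  numeric: JSON.stringify({ status: 0,         exp: NOW + 600, body: "deploy:prod" }),
};

// Runs both verifiers on one sample and records whether the signature step was
// ever reached, which shows the fail-closed path short-circuits before it.
function compare(name: string): { legacy: boolean; strict: VerifyOutcome; sigChecked: boolean } {
  let sigChecked = false;
  const strict = strictVerify(SAMPLES[name], NOW, () => { sigChecked = true; return true; });
  return { legacy: legacyIsAuthorized(SAMPLES[name], NOW), strict, sigChecked };
}

for (const name of Object.keys(SAMPLES)) {
  const r = compare(name);
  console.log(name.padEnd(8), "legacy:", r.legacy, "strict:", JSON.stringify(r.strict), "sigChecked:", r.sigChecked);
}
```

The ordering is the point: in the strict path a DENIED or padded status is rejected as MALFORMED_RECEIPT with the signature callback never invoked, whereas the legacy path reports all three non-canonical samples as authorized.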
