//nefariousplan

Pin Then Spread

A handler pins a server-derived authoritative field (the authenticated user, the tenant ID, the resource owner) at the head of an object literal, then spreads attacker-controlled JSON over the same object. JavaScript's object-literal semantics resolve colliding keys by source order: the last assignment wins, so a spread placed after the pin always overrides it. The pin reads to code review as enforcement and ships as a default.
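An added example, not code from the original note: a vulnerable handler that pins before spreading, the hardened form that allow-lists client fields and pins after the spread, and a small check that reports which pinned keys a built object failed to hold. The request shape (`req.user.id`, `req.body`) and field names are assumed; no web framework is required.

```javascript
// VULNERABLE: the pin is written first, so a colliding key in the body wins.
function buildProfileVulnerable(req) {
  return {
    ownerId: req.user.id, // server-derived value, meant to be authoritative
    ...req.body,          // attacker-controlled JSON spread last: it overrides ownerId
  };
}

// HARDENED: copy only the fields the client may set, then pin last.
const CLIENT_WRITABLE = ['displayName', 'bio']; // assumed allow-list for this handler

function pickAllowed(body, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(body, key)) out[key] = body[key];
  }
  return out;
}

function buildProfileHardened(req) {
  return {
    ...pickAllowed(req.body, CLIENT_WRITABLE),
    ownerId: req.user.id, // pinned after the spread, so source order now protects it
  };
}

// Regression check for handlers: returns the pinned keys whose value
// did not survive in the object the handler produced.
function pinViolations(pins, produced) {
  return Object.keys(pins).filter((k) => produced[k] !== pins[k]);
}

// Constructed request: authenticated as user 42; the body tries to claim
// ownerId 1 and an unlisted "role" field.
const sampleReq = {
  user: { id: 42 },
  body: JSON.parse('{"displayName":"mallory","ownerId":1,"role":"admin"}'),
};

console.log('vulnerable:', buildProfileVulnerable(sampleReq));
console.log('hardened:  ', buildProfileHardened(sampleReq));
console.log('violations:', pinViolations({ ownerId: 42 }, buildProfileVulnerable(sampleReq)));
```

Run with `node`: the vulnerable object carries `ownerId: 1` and `role: "admin"`, the hardened one keeps `ownerId: 42` and drops `role`.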