feat(signing): key_origins check + brand.json chain error codes (#350 stage 4) (#775)

* feat(signing): key_origins consistency check + brand.json chain error codes (#350 stage 4)

Per ADCP request-signing spec #3690, an agent advertising signing
posture declares ``identity.key_origins`` on its capabilities response —
keyed by purpose (request_signing / webhook_signing / governance_signing
/ tmp_signing) and valued with the origin URI that hosts the JWKS for
that purpose. After resolving an agent's keys via the brand.json chain,
the verifier MUST confirm the resolved jwks_uri host matches the
declared origin for the purpose under check.

**4a — new error codes** (errors.py):

Nine new ``request_signature_*`` codes covering the brand.json discovery
chain (#3690 §"Discovering an agent's signing keys") and the
``identity.key_origins`` consistency check:

- _brand_json_url_missing      (capabilities.identity.brand_json_url absent)
- _capabilities_unreachable    (transport failure fetching capabilities)
- _brand_json_unreachable      (transport failure fetching brand.json)
- _brand_json_malformed        (strict-parse failure on brand.json)
- _brand_origin_mismatch       (agent eTLD+1 ≠ brand eTLD+1 + no delegation)
- _agent_not_in_brand_json     (agent URL absent from agents[])
- _brand_json_ambiguous        (multiple agents[] entries byte-equal)
- _key_origin_mismatch         (resolved jwks_uri host ≠ declared origin)
- _key_origin_missing          (signing posture asserted, declaration absent)

Plus the nine ``webhook_signature_*`` mirror constants and entries in
REQUEST_TO_WEBHOOK_CODE so the webhook verifier wrapper retags
request-family codes into webhook-family ones without each callsite
re-declaring the mapping.

**4b — key_origins consistency check** (key_origins.py, new):

``check_key_origin_consistency(jwks_uri, key_origins, purpose,
posture=None, code_family="request")`` — the standalone primitive for
the consistency check. Pure function on (resolved jwks_uri, declared
key_origins map, purpose); raises SignatureVerificationError with the
right spec code. ``code_family="webhook"`` swaps to the webhook code
family.

Canonicalization: ASCII-lowercase + stdlib host.encode("idna") to
A-label form. The spec asks for IDNA-2008 strictly while stdlib
encodings.idna is IDNA-2003; this divergence is rare in practice and
matching the package's existing convention (jwks.py:201,
ip_pinned_transport.py:110, revocation_fetcher.py:380) keeps the
canonicalization story coherent. A future IDNA-2008 migration would
update all four callsites together.

The verifier integration (calling this check after RFC 9421 verification
when the JWKS source was a brand.json walk vs. a publisher pin) belongs
to stage 5's dispatch wire-up — the primitive lands here, ready to
compose with the BrandAuthorizationResolver gate.

12 new tests cover: success (declared matches resolved), missing
declaration, mismatch on different host, mismatch on subdomain drift,
case-insensitive comparison, posture propagation in diagnostics,
bare-host declarations, ``None`` and empty key_origins maps, invalid
jwks_uri (fail-closed), and webhook code-family routing.

Re-exports from ``adcp.signing`` so adopters can import:
- check_key_origin_consistency
- All 9 new REQUEST_SIGNATURE_* code constants
(Webhook mirrors stay submodule-only; webhook code routing is internal
to the webhook verifier wrapper.)

Refs #350, adcontextprotocol/adcp#3690

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(signing): expert-review fixes for key_origins consistency check

Folds three expert review passes into the stage 4 PR (ad-tech-protocol-expert,
code-reviewer, security-reviewer all run in parallel on the original
commit 62d2379).

**1. Spec-mandated structured detail fields (MUST-FIX, protocol expert)**

ADCP #3690 security.mdx step 7 mandates that
``request_signature_key_origin_mismatch`` carry
``{purpose, expected_origin, actual_origin}`` and
``_key_origin_missing`` carry ``{purpose, posture}`` as structured
fields, not just an opaque message string. Middleware adapters surface
them on the 401 / in a DLQ; without this, the SDK can't be spec-
conformant once Stage 5 wires the verifier.

- Extend ``SignatureVerificationError`` with optional
  ``detail: Mapping[str, str] | None``. ``str(exc)`` still renders the
  free-form message for unstructured logs; structured callers read
  ``exc.detail``.
- ``check_key_origin_consistency`` now passes the spec-mandated keys.
- Two new tests pin the detail shape for both code paths.

**2. Bare-host vs URL canonicalization asymmetry (HIGH, security reviewer)**

The previous ``_origin_host`` fallback path for bare-host inputs only
guarded against ``/`` and space — accepting ``user@host``,
``host:port``, ``host?query``, ``host#fragment`` verbatim. An attacker
with capability-write access could declare a bare-host-with-port
(``keys.brand.com:8443``) to force a mismatch against the operator's
brand.json origin and DoS the honest verification path.

Fix: factor a ``_extract_host`` helper that re-parses bare-host inputs
through ``urlsplit`` with a synthetic ``https://`` scheme prepended.
URL form and bare-host form now strip port / userinfo / query /
fragment symmetrically. Two new tests cover ``host:port`` and
``user@host`` declaration shapes.

**3. Trailing-dot FQDN asymmetry (HIGH, security reviewer)**

``host.example.`` and ``host.example`` are the same FQDN — the trailing
dot denotes the root zone. Previous code preserved the dot, so a
brand.json serving the dot form against a capability declaring the
no-dot form (or vice versa) byte-mismatched. An attacker controlling
capabilities could weaponize this to deny verification against the
real counterparty.

Fix: strip a single trailing dot before IDNA-encoding. Test covers
both directions.

**4. IDN U-label vs A-label equivalence test (NICE, all three)**

The docstring promised IDN canonicalization but no test exercised it.
Added a test using ``münchen.example`` ↔ ``xn--mnchen-3ya.example``
in both directions.

**5. Carve-out for publisher-pin source in function docstring (MEDIUM, security)**

Previously the publisher-pin skip was documented only in the module
docstring. A caller reading just the function doc would miss it. Added
a "Caller contract" paragraph at the top of the function docstring
flagging that callers MUST skip this call for publisher-pinned tuples.

**6. Symmetric fail-closed test on declared side (LOW, security)**

The existing ``test_consistency_raises_mismatch_on_invalid_jwks_uri``
covers the resolved side but not the declared side. Added a symmetric
test so a future refactor can't silently invert the fail direction on
one side.

**Deferred to follow-up issues** (not in scope for this PR):

- Plumbing the ``source`` discriminant ("brand.json walk" vs
  "publisher adagents.json pin") through ``BrandJsonJwksResolver`` so
  Stage 5 can enforce the carve-out automatically. Belongs in the
  Stage 5 verifier-integration PR.
- Migrating all four codebase callsites (jwks.py, ip_pinned_transport.py,
  revocation_fetcher.py, key_origins.py) from stdlib IDNA-2003 to the
  ``idna`` PyPI package's IDNA-2008 in one commit. Package-wide
  conformance pass, separate concern.

Tests: 20 in test_key_origins (up from 12). Full signing surface
(582 tests across tests/test_*.py + tests/conformance/signing/)
remains green. ruff + mypy clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(storyboard): vendor AAO reference-formats fixture into @adcp/sdk install

Three of the four storyboard runners (seller_agent.py, sales-proposal-mode,
v3 reference seller (translator)) have been failing on main and on every
PR for the same upstream reason: ``@adcp/sdk@latest`` (which the storyboard
jobs install unpinned for drift-detection) does not ship
``aao-reference-formats.json`` in its npm tarball. Every step that
touches AAO format resolution rejects with:

    AAO catalog (reference-formats.json) not found. Looked in:
      .../node_modules/@adcp/sdk/test/lib/v2-projection-fixtures/aao-reference-formats.json
      .../node_modules/@adcp/sdk/.context/adcp-3307/server/src/creative-agent/reference-formats.json
    Vendor a copy at test/lib/v2-projection-fixtures/aao-reference-formats.json.

The SDK's error message itself recommends vendoring the file at the
expected path. Upstream tracking issue is adcp#3307.

Fix:
- Vendor the file at ``tests/fixtures/aao-reference-formats.json``
  (sourced from ``adcontextprotocol/adcp:server/src/creative-agent/reference-formats.json``,
  the canonical reference catalog the SDK is supposed to ship).
- Add three lines to each of the four storyboard jobs' ``Pre-install
  @adcp/sdk`` steps to drop the file into
  ``$(npm root -g)/@adcp/sdk/test/lib/v2-projection-fixtures/`` after
  the npm install. Idempotent — if upstream later ships the file the
  ``cp`` overwrites with the same bytes; if upstream moves it the
  overwrite is a safer floor than the missing-file failure.

The four storyboard jobs affected:
- AdCP storyboard runner — examples/seller_agent.py
- AdCP storyboard runner — examples/multi_platform_seller (PlatformRouter)
  (currently passing — doesn't exercise the AAO path — but covered for
  symmetry against future drift)
- AdCP storyboard runner — v3 reference seller (translator)
- AdCP storyboard runner — sales-proposal-mode (proposal_finalize)

The vendored file is 145 KiB JSON with 50 format entries. Not committed
to the package distribution (lives under ``tests/fixtures/``).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(storyboard): also vendor v1-canonical-mapping schema fixture

The AAO reference-formats fix in the previous commit cleared one of the
two missing-fixture errors and unmasked a second one of the same shape:

    v1-canonical-mapping.json not found. Looked in:
      .../node_modules/@adcp/sdk/schemas/cache/3.1.0-beta.2/registries/v1-canonical-mapping.json
      .../node_modules/@adcp/sdk/schemas/cache/3.1.0-beta.1/registries/v1-canonical-mapping.json
      .../node_modules/@adcp/sdk/schemas/cache/3.1.0-beta.0/registries/v1-canonical-mapping.json
      .../node_modules/@adcp/sdk/schemas/cache/latest/registries/v1-canonical-mapping.json
    Run `npm run sync-schemas` for a 3.1+ AdCP version.

Same root cause: ``@adcp/sdk`` published an npm tarball that omits the
v1-canonical-mapping schema cache for 3.1.0-beta.* versions. The
storyboard runner's v1→v2 format projection walks this registry; missing
the file causes a cascade of step failures (and incorrectly-routed error
codes like ``PRODUCT_NOT_FOUND`` instead of ``TERMS_REJECTED`` because
the canonical mapping is consulted before product lookup).

Vendor ``v1-canonical-mapping.json`` from
``adcontextprotocol/adcp:dist/schemas/3.1.0-beta.2/registries/``
(14 KiB) into ``tests/fixtures/`` and drop it into the SDK install path
the SDK looks up first (the SDK's lookup order falls back through
.2 → .1 → .0 → latest, so vendoring .2 is sufficient).

Same four storyboard jobs as the prior fix:
- examples/seller_agent.py
- examples/multi_platform_seller (PlatformRouter)
- v3 reference seller (translator)
- sales-proposal-mode (proposal_finalize)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: bokelley

.github/workflows/ci.yml

@@ -391,9 +391,25 @@ jobs:
         # own CI running AdCP's own canonical runner — tracking latest
         # surfaces protocol drift as soon as it ships, which is the
         # point of this job.
+        #
+        # Vendor missing fixtures into the SDK install:
+        # ``@adcp/sdk`` does not ship two fixtures its storyboard runner
+        # needs — ``aao-reference-formats.json`` (AAO format catalog,
+        # upstream adcontextprotocol/adcp#3307) and
+        # ``v1-canonical-mapping.json`` (v1→v2 format mapping registry
+        # at schemas/cache/3.1.0-beta.2/registries/). The SDK's own
+        # error messages recommend vendoring both at the exact paths
+        # below. We keep copies under ``tests/fixtures/`` and drop them
+        # into the SDK's expected locations post-install; idempotent if
+        # upstream later ships them in the npm tarball.
         run: |
           npm install -g @adcp/sdk@latest
           adcp --version
+          SDK_ROOT="$(npm root -g)/@adcp/sdk"
+          mkdir -p "${SDK_ROOT}/test/lib/v2-projection-fixtures"
+          cp tests/fixtures/aao-reference-formats.json "${SDK_ROOT}/test/lib/v2-projection-fixtures/aao-reference-formats.json"
+          mkdir -p "${SDK_ROOT}/schemas/cache/3.1.0-beta.2/registries"
+          cp tests/fixtures/v1-canonical-mapping.json "${SDK_ROOT}/schemas/cache/3.1.0-beta.2/registries/v1-canonical-mapping.json"
 
       - name: Install dependencies
         run: |
@@ -548,9 +564,16 @@ jobs:
           pip install "sqlalchemy>=2.0" "asyncpg>=0.29" "respx>=0.20"
 
       - name: Pre-install @adcp/sdk (once, then call binary directly)
+        # See the comment on the storyboard job's install step for the
+        # AAO reference-formats fixture rationale (upstream adcp#3307).
         run: |
           npm install -g @adcp/sdk@latest
           adcp --version
+          SDK_ROOT="$(npm root -g)/@adcp/sdk"
+          mkdir -p "${SDK_ROOT}/test/lib/v2-projection-fixtures"
+          cp tests/fixtures/aao-reference-formats.json "${SDK_ROOT}/test/lib/v2-projection-fixtures/aao-reference-formats.json"
+          mkdir -p "${SDK_ROOT}/schemas/cache/3.1.0-beta.2/registries"
+          cp tests/fixtures/v1-canonical-mapping.json "${SDK_ROOT}/schemas/cache/3.1.0-beta.2/registries/v1-canonical-mapping.json"
 
       - name: Start JS mock-server upstream
         run: |
@@ -757,9 +780,16 @@ jobs:
             ${{ runner.os }}-npm-
 
       - name: Pre-install @adcp/sdk
+        # See the comment on the storyboard job's install step for the
+        # AAO reference-formats fixture rationale (upstream adcp#3307).
         run: |
           npm install -g @adcp/sdk@latest
           adcp --version
+          SDK_ROOT="$(npm root -g)/@adcp/sdk"
+          mkdir -p "${SDK_ROOT}/test/lib/v2-projection-fixtures"
+          cp tests/fixtures/aao-reference-formats.json "${SDK_ROOT}/test/lib/v2-projection-fixtures/aao-reference-formats.json"
+          mkdir -p "${SDK_ROOT}/schemas/cache/3.1.0-beta.2/registries"
+          cp tests/fixtures/v1-canonical-mapping.json "${SDK_ROOT}/schemas/cache/3.1.0-beta.2/registries/v1-canonical-mapping.json"
 
       - name: Install dependencies
         run: |
@@ -858,9 +888,16 @@ jobs:
             ${{ runner.os }}-npm-
 
       - name: Pre-install @adcp/sdk
+        # See the comment on the storyboard job's install step for the
+        # AAO reference-formats fixture rationale (upstream adcp#3307).
         run: |
           npm install -g @adcp/sdk@latest
           adcp --version
+          SDK_ROOT="$(npm root -g)/@adcp/sdk"
+          mkdir -p "${SDK_ROOT}/test/lib/v2-projection-fixtures"
+          cp tests/fixtures/aao-reference-formats.json "${SDK_ROOT}/test/lib/v2-projection-fixtures/aao-reference-formats.json"
+          mkdir -p "${SDK_ROOT}/schemas/cache/3.1.0-beta.2/registries"
+          cp tests/fixtures/v1-canonical-mapping.json "${SDK_ROOT}/schemas/cache/3.1.0-beta.2/registries/v1-canonical-mapping.json"
 
       - name: Install dependencies
         run: |

src/adcp/signing/__init__.py

@@ -162,14 +162,23 @@
 )
 from adcp.signing.digest import compute_content_digest_sha256, content_digest_matches
 from adcp.signing.errors import (
+    REQUEST_SIGNATURE_AGENT_NOT_IN_BRAND_JSON,
     REQUEST_SIGNATURE_ALG_NOT_ALLOWED,
+    REQUEST_SIGNATURE_BRAND_JSON_AMBIGUOUS,
+    REQUEST_SIGNATURE_BRAND_JSON_MALFORMED,
+    REQUEST_SIGNATURE_BRAND_JSON_UNREACHABLE,
+    REQUEST_SIGNATURE_BRAND_JSON_URL_MISSING,
+    REQUEST_SIGNATURE_BRAND_ORIGIN_MISMATCH,
+    REQUEST_SIGNATURE_CAPABILITIES_UNREACHABLE,
     REQUEST_SIGNATURE_COMPONENTS_INCOMPLETE,
     REQUEST_SIGNATURE_COMPONENTS_UNEXPECTED,
     REQUEST_SIGNATURE_DIGEST_MISMATCH,
     REQUEST_SIGNATURE_HEADER_MALFORMED,
     REQUEST_SIGNATURE_INVALID,
     REQUEST_SIGNATURE_JWKS_UNAVAILABLE,
     REQUEST_SIGNATURE_JWKS_UNTRUSTED,
+    REQUEST_SIGNATURE_KEY_ORIGIN_MISMATCH,
+    REQUEST_SIGNATURE_KEY_ORIGIN_MISSING,
     REQUEST_SIGNATURE_KEY_PURPOSE_INVALID,
     REQUEST_SIGNATURE_KEY_REVOKED,
     REQUEST_SIGNATURE_KEY_UNKNOWN,
@@ -219,6 +228,7 @@
     verify_detached_jws,
     verify_jws_document,
 )
+from adcp.signing.key_origins import check_key_origin_consistency
 from adcp.signing.keygen import generate_signing_keypair, pem_to_adcp_jwk
 from adcp.signing.middleware import (
     unauthorized_response_headers,
@@ -336,14 +346,23 @@ def __init__(self, *args: object, **kwargs: object) -> None:
     "NEGATIVE_CACHE_TTL_SECONDS",
     "NONCE_BYTES",
     "PgReplayStore",
+    "REQUEST_SIGNATURE_AGENT_NOT_IN_BRAND_JSON",
     "REQUEST_SIGNATURE_ALG_NOT_ALLOWED",
+    "REQUEST_SIGNATURE_BRAND_JSON_AMBIGUOUS",
+    "REQUEST_SIGNATURE_BRAND_JSON_MALFORMED",
+    "REQUEST_SIGNATURE_BRAND_JSON_UNREACHABLE",
+    "REQUEST_SIGNATURE_BRAND_JSON_URL_MISSING",
+    "REQUEST_SIGNATURE_BRAND_ORIGIN_MISMATCH",
+    "REQUEST_SIGNATURE_CAPABILITIES_UNREACHABLE",
     "REQUEST_SIGNATURE_COMPONENTS_INCOMPLETE",
     "REQUEST_SIGNATURE_COMPONENTS_UNEXPECTED",
     "REQUEST_SIGNATURE_DIGEST_MISMATCH",
     "REQUEST_SIGNATURE_HEADER_MALFORMED",
     "REQUEST_SIGNATURE_INVALID",
     "REQUEST_SIGNATURE_JWKS_UNAVAILABLE",
     "REQUEST_SIGNATURE_JWKS_UNTRUSTED",
+    "REQUEST_SIGNATURE_KEY_ORIGIN_MISMATCH",
+    "REQUEST_SIGNATURE_KEY_ORIGIN_MISSING",
     "REQUEST_SIGNATURE_KEY_PURPOSE_INVALID",
     "REQUEST_SIGNATURE_KEY_REVOKED",
     "REQUEST_SIGNATURE_KEY_UNKNOWN",
@@ -395,6 +414,7 @@ def __init__(self, *args: object, **kwargs: object) -> None:
     "build_signature_base",
     "canonicalize_authority",
     "canonicalize_target_uri",
+    "check_key_origin_consistency",
     "compute_content_digest_sha256",
     "content_digest_matches",
     "decode_standard_webhook_secret",

src/adcp/signing/errors.py

@@ -7,20 +7,34 @@
 
 from __future__ import annotations
 
+from collections.abc import Mapping
+
 
 class SignatureVerificationError(Exception):
-    """Raised when a request signature fails any step of the verifier checklist."""
+    """Raised when a request signature fails any step of the verifier checklist.
+
+    ``detail`` carries the spec-mandated structured fields for codes that
+    require them — e.g. ``request_signature_key_origin_mismatch`` carries
+    ``{purpose, expected_origin, actual_origin}`` per ADCP #3690
+    security.mdx step 7, and ``request_signature_brand_json_url_missing``
+    carries ``{agent_url}`` per the same section's rejection-code table.
+    Middleware adapters surface these as structured fields on the 401
+    response or in a DLQ payload; ``str(exc)`` continues to render the
+    free-form message for unstructured logs.
+    """
 
     def __init__(
         self,
         code: str,
         *,
         step: int | str | None = None,
         message: str | None = None,
+        detail: Mapping[str, str] | None = None,
     ) -> None:
         super().__init__(message or code)
         self.code = code
         self.step = step
+        self.detail = dict(detail) if detail is not None else None
 
 
 REQUEST_SIGNATURE_REQUIRED = "request_signature_required"
@@ -42,6 +56,28 @@ def __init__(
 REQUEST_SIGNATURE_JWKS_UNTRUSTED = "request_signature_jwks_untrusted"
 REQUEST_SIGNATURE_RATE_ABUSE = "request_signature_rate_abuse"
 
+# brand.json discovery chain (ADCP #3690). Verifiers bootstrap an agent's
+# signing keys via ``identity.brand_json_url`` on the agent's
+# ``get_adcp_capabilities`` response → brand.json → ``agents[]`` →
+# ``jwks_uri``. Each step has a dedicated rejection code so callers can
+# disambiguate retryable transport failures (``*_unreachable``) from
+# misconfiguration (``*_missing`` / ``*_malformed`` / ``*_mismatch``).
+REQUEST_SIGNATURE_BRAND_JSON_URL_MISSING = "request_signature_brand_json_url_missing"
+REQUEST_SIGNATURE_CAPABILITIES_UNREACHABLE = "request_signature_capabilities_unreachable"
+REQUEST_SIGNATURE_BRAND_JSON_UNREACHABLE = "request_signature_brand_json_unreachable"
+REQUEST_SIGNATURE_BRAND_JSON_MALFORMED = "request_signature_brand_json_malformed"
+REQUEST_SIGNATURE_BRAND_ORIGIN_MISMATCH = "request_signature_brand_origin_mismatch"
+REQUEST_SIGNATURE_AGENT_NOT_IN_BRAND_JSON = "request_signature_agent_not_in_brand_json"
+REQUEST_SIGNATURE_BRAND_JSON_AMBIGUOUS = "request_signature_brand_json_ambiguous"
+
+# identity.key_origins consistency check (ADCP #3690). For every purpose
+# declared under capabilities ``identity.key_origins``, the resolved
+# ``jwks_uri`` host MUST equal the declared origin (after IDNA-A-label
+# canonicalization). Mismatch → ``_key_origin_mismatch``. Missing
+# declaration when signing posture is asserted → ``_key_origin_missing``.
+REQUEST_SIGNATURE_KEY_ORIGIN_MISMATCH = "request_signature_key_origin_mismatch"
+REQUEST_SIGNATURE_KEY_ORIGIN_MISSING = "request_signature_key_origin_missing"
+
 # Webhook-signing error taxonomy — adcp#2423 / webhooks.mdx + security.mdx.
 # Distinct strings from the request-signing family so receivers can route the
 # 401 response through webhook-specific observability.
@@ -64,6 +100,20 @@ def __init__(
 WEBHOOK_SIGNATURE_JWKS_UNTRUSTED = "webhook_signature_jwks_untrusted"
 WEBHOOK_SIGNATURE_RATE_ABUSE = "webhook_signature_rate_abuse"
 
+# brand.json discovery chain mirrors for the webhook profile. The chain
+# walks identically (capabilities → brand.json → agents[] → jwks_uri),
+# just consulting the ``webhook_signing`` purpose under
+# ``identity.key_origins`` instead of ``request_signing``.
+WEBHOOK_SIGNATURE_BRAND_JSON_URL_MISSING = "webhook_signature_brand_json_url_missing"
+WEBHOOK_SIGNATURE_CAPABILITIES_UNREACHABLE = "webhook_signature_capabilities_unreachable"
+WEBHOOK_SIGNATURE_BRAND_JSON_UNREACHABLE = "webhook_signature_brand_json_unreachable"
+WEBHOOK_SIGNATURE_BRAND_JSON_MALFORMED = "webhook_signature_brand_json_malformed"
+WEBHOOK_SIGNATURE_BRAND_ORIGIN_MISMATCH = "webhook_signature_brand_origin_mismatch"
+WEBHOOK_SIGNATURE_AGENT_NOT_IN_BRAND_JSON = "webhook_signature_agent_not_in_brand_json"
+WEBHOOK_SIGNATURE_BRAND_JSON_AMBIGUOUS = "webhook_signature_brand_json_ambiguous"
+WEBHOOK_SIGNATURE_KEY_ORIGIN_MISMATCH = "webhook_signature_key_origin_mismatch"
+WEBHOOK_SIGNATURE_KEY_ORIGIN_MISSING = "webhook_signature_key_origin_missing"
+
 # Code-family translation used by the webhook verifier wrapper. The verifier
 # pipeline raises request_signature_* codes; the wrapper retags them into
 # webhook_signature_* before exposing to callers. Keeps the 300-line verifier
@@ -87,4 +137,13 @@ def __init__(
     REQUEST_SIGNATURE_JWKS_UNAVAILABLE: WEBHOOK_SIGNATURE_JWKS_UNAVAILABLE,
     REQUEST_SIGNATURE_JWKS_UNTRUSTED: WEBHOOK_SIGNATURE_JWKS_UNTRUSTED,
     REQUEST_SIGNATURE_RATE_ABUSE: WEBHOOK_SIGNATURE_RATE_ABUSE,
+    REQUEST_SIGNATURE_BRAND_JSON_URL_MISSING: WEBHOOK_SIGNATURE_BRAND_JSON_URL_MISSING,
+    REQUEST_SIGNATURE_CAPABILITIES_UNREACHABLE: WEBHOOK_SIGNATURE_CAPABILITIES_UNREACHABLE,
+    REQUEST_SIGNATURE_BRAND_JSON_UNREACHABLE: WEBHOOK_SIGNATURE_BRAND_JSON_UNREACHABLE,
+    REQUEST_SIGNATURE_BRAND_JSON_MALFORMED: WEBHOOK_SIGNATURE_BRAND_JSON_MALFORMED,
+    REQUEST_SIGNATURE_BRAND_ORIGIN_MISMATCH: WEBHOOK_SIGNATURE_BRAND_ORIGIN_MISMATCH,
+    REQUEST_SIGNATURE_AGENT_NOT_IN_BRAND_JSON: WEBHOOK_SIGNATURE_AGENT_NOT_IN_BRAND_JSON,
+    REQUEST_SIGNATURE_BRAND_JSON_AMBIGUOUS: WEBHOOK_SIGNATURE_BRAND_JSON_AMBIGUOUS,
+    REQUEST_SIGNATURE_KEY_ORIGIN_MISMATCH: WEBHOOK_SIGNATURE_KEY_ORIGIN_MISMATCH,
+    REQUEST_SIGNATURE_KEY_ORIGIN_MISSING: WEBHOOK_SIGNATURE_KEY_ORIGIN_MISSING,
 }