feat(decisioning): Account.mode + sandbox-authority gate for comply_test_controller (Phase 1) (#483)

* feat(decisioning): Account.mode + sandbox-authority gate for comply_test_controller (Phase 1 of #1435 port)

Port of JS PR adcontextprotocol/adcp-client#1453. Phase 1 of the
lifecycle-state-and-sandbox-authority work — the SDK now enforces that
`comply_test_controller` only operates on accounts whose resolved
`mode` is `sandbox` or `mock`. Trust boundary is the resolved account,
NOT the wire — buyer-supplied `account.sandbox: true` is ignored when
the resolver returned a live account.

What ships:

- `Account.mode: Literal['live', 'sandbox', 'mock']` (default `'live'`)
  + derived `Account.sandbox` property for back-compat with adopters
  reading the boolean.
- `Account._mode_explicit` flag (resolver opts in) so the observed-modes
  tracker distinguishes deliberate stamping from the dataclass default.
- `adcp.decisioning.account_mode` — `get_account_mode`,
  `is_sandbox_or_mock_account`, `assert_sandbox_account` (mirrors JS
  `account-mode.ts`).
- `adcp.decisioning.observed_modes` — process-scoped tracker of
  explicit mode values from `accounts.resolve` calls.
- `register_test_controller(..., account_resolver=...)` — applies the
  Phase 1 gate when a resolver is wired. Decisioning's `serve()`
  auto-builds the resolver from `platform.accounts`.
- Gate fires on the universal `_handle_test_controller` choke point so
  both MCP and A2A pick it up.
- `ADCP_SANDBOX=1` env-fallback retained for back-compat AND
  fail-closed: throws loudly when paired with any observed explicit
  live-mode resolution in the same process.
- `list_scenarios` (capability probe) exempt from the gate.
- 16-test matrix in `tests/test_account_mode_gate.py` covering
  resolver / context.sandbox / env-fallback paths + the trust-boundary
  invariants (spoofed wire flag ignored, resolved-live beats context
  override).

Back-compat posture: when no `account_resolver` is wired AND
`ADCP_SANDBOX` is not set, the gate is dormant. Adopters who haven't
opted in keep pre-Phase-1 behavior; opt-in happens automatically when
they wire `serve(test_controller=...)` against a `DecisioningPlatform`,
or by setting `ADCP_SANDBOX=1`.

Migration: adopters running the conformance harness with `ADCP_SANDBOX=1`
and otherwise un-flagged accounts must mark conformance accounts in
their `AccountStore.resolve` implementation. For `SingletonAccounts`
deployments, pass `mode='sandbox'` at construction:

    accounts = SingletonAccounts(account_id="hello", mode="sandbox")

For `ExplicitAccounts` / `FromAuthAccounts`, return Accounts with
`mode='sandbox'` (or `_mode_explicit=True` to opt into observed-modes
tracking) from your loader.

Out of scope (Phase 2): mock-mode dispatch, PlatformRouter, mock-server
routing.

Refs:
- adcontextprotocol/adcp-client#1435 — umbrella issue
- adcontextprotocol/adcp-client#1453 — JS Phase 1 implementation
- docs/proposals/lifecycle-state-and-sandbox-authority.md (in
  adcp-client) — full design

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(decisioning): close sandbox-authority gate trust-boundary holes

Security review on PR #483 found two ways the comply controller's
sandbox gate fails open. Both are closed here.

B1 — FromAuthAccounts adopters fail-open via wire ``account.sandbox``.
The auto-wired resolver in ``decisioning.serve`` called
``platform.accounts.resolve(ref, auth_info=None)``;
``FromAuthAccounts.resolve`` raises ``AUTH_INVALID`` when auth_info is
absent. The gate's bare ``except Exception`` swallowed the raise, set
``resolved_account = None``, and admitted via the buyer-supplied
``account.sandbox: true`` wire flag — letting a buyer flip state on a
live principal.

Fix:
- Thread verified ``AuthInfo`` from
  ``ToolContext.metadata['adcp.auth_info']`` through
  ``_handle_test_controller`` into ``_apply_sandbox_gate`` and
  ultimately the resolver, mirroring
  ``PlatformHandler._extract_auth_info``.
- ``_AccountResolver`` Protocol now declares ``auth_info`` kwarg.
- The auto-wired resolver in ``decisioning.serve`` forwards auth_info
  to ``platform.accounts.resolve``.
- Resolver-raise is now fail-CLOSED (DENY), not fall-through. The
  buyer's wire claim never trumps a resolver that signaled it could
  not affirm sandbox status.

B2 — Gate fail-OPEN by default. When no resolver was wired AND
``ADCP_SANDBOX`` was unset, the gate returned None (admit) before any
check. Manually-wired ``ADCPHandler`` / ``ComplianceHandler`` deployments
were unprotected.

Fix:
- Default fail-CLOSED: no resolver + no env opt-in → DENY.
- Add ``INSECURE_ALLOW_ALL`` sentinel for tests / dev fixtures that
  intentionally bypass the gate. Adopter production code must not use
  it.
- Existing comply tests in ``test_test_controller_context.py``,
  ``test_force_create_media_buy_arm_and_force_task_completion.py``,
  ``test_server_dx.py``, ``test_a2a_server.py``, and the A2A
  conformance suite get a per-file autouse fixture setting
  ``ADCP_SANDBOX=1`` so they keep exercising the dispatcher /
  scenarios / wire-shape contracts they were written to test. The
  gate's own behavior continues to be exercised in
  ``test_account_mode_gate.py``.

Tests added:
- B1 regression: resolver raises ``AUTH_INVALID`` + buyer-supplied
  wire ``account.sandbox: true`` → DENIED.
- B2 regression: no resolver + no ADCP_SANDBOX → DENIED.
- B2 escape: ``INSECURE_ALLOW_ALL`` sentinel admits.
- Auth-info threading: resolver receives the AuthInfo from
  ``ctx.metadata['adcp.auth_info']``.

Docstrings:
- ``_apply_sandbox_gate`` docstring rewritten to reflect the new
  fail-closed posture; the prior text claimed wire-flag fallback was
  fail-closed (it was fail-open).
- ``observed_modes`` module docstring now flags the multi-tenant SaaS
  blast radius — the observed-modes set is process-scoped, so one
  tenant resolving live + ``ADCP_SANDBOX=1`` raises across all tenants.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(examples): demo seller declares test-controller bypass intent

Phase 1's sandbox-authority gate is now fail-closed by default — adopters
who wire test_controller= without a resolver and without ADCP_SANDBOX
get DENY on every comply call. Demo example now passes
test_controller_account_resolver=INSECURE_ALLOW_ALL to declare its
'demo, not production' posture explicitly. Production sellers MUST
populate Account.mode and let the framework gate enforce.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: bokelley

examples/seller_agent.py

@@ -38,6 +38,7 @@
     sync_governance_response,
     update_media_buy_response,
 )
+from adcp.server import INSECURE_ALLOW_ALL
 from adcp.server.test_controller import TestControllerError, TestControllerStore
 
 PORT = int(os.environ.get("ADCP_PORT") or os.environ.get("PORT") or 3001)
@@ -958,4 +959,9 @@ async def seed_creative_format(
         name="demo-seller",
         port=PORT,
         test_controller=DemoStore(),
+        # Demo example: bypass the comply_test_controller sandbox-mode gate
+        # so storyboard runs work without an Account.mode-aware AccountStore.
+        # Production sellers MUST populate Account.mode (live/sandbox/mock) on
+        # resolved accounts and let the framework's gate enforce it.
+        test_controller_account_resolver=INSECURE_ALLOW_ALL,
     )

src/adcp/decisioning/__init__.py

@@ -49,6 +49,12 @@ def create_media_buy(
 
 from __future__ import annotations
 
+from adcp.decisioning.account_mode import (
+    AccountMode,
+    assert_sandbox_account,
+    get_account_mode,
+    is_sandbox_or_mock_account,
+)
 from adcp.decisioning.account_projection import (
     project_account_for_response,
     project_business_entity_for_response,
@@ -234,6 +240,7 @@ def __init__(self, *args: object, **kwargs: object) -> None:
 
 __all__ = [
     "Account",
+    "AccountMode",
     "AccountNotFoundError",
     "AccountStore",
     "AccountStoreList",
@@ -319,6 +326,9 @@ def __init__(self, *args: object, **kwargs: object) -> None:
     "ShortCircuit",
     "assert_creative_transition",
     "assert_media_buy_transition",
+    "assert_sandbox_account",
+    "get_account_mode",
+    "is_sandbox_or_mock_account",
     "bearer_only_registry",
     "compose_method",
     "create_adcp_server_from_platform",

src/adcp/decisioning/account_mode.py

@@ -0,0 +1,153 @@
+"""Account-mode primitives for sandbox-authority enforcement of
+``comply_test_controller`` and other test-only surfaces.
+
+The hard rule: under no circumstances should the comply test controller
+(or any test-only surface) operate on a ``live``-mode account. The flag
+must live on the resolved account, not on a process-level env var —
+env vars are operator-error-prone proxies for what is fundamentally an
+authority decision per principal.
+
+Mirrors the JS-side ``src/lib/server/account-mode.ts`` for cross-language
+parity. Phase 1 of the lifecycle-state-and-sandbox-authority proposal —
+ships the field, helpers, and dispatch gate. Mock-mode routing
+(Phase 2) is deferred.
+
+See ``docs/proposals/lifecycle-state-and-sandbox-authority.md`` for the
+full three-mode design.
+"""
+
+from __future__ import annotations
+
+from typing import Any, Literal, cast
+
+from adcp.decisioning.types import AdcpError
+
+#: Three operationally distinct account modes:
+#:
+#:  - ``live``: production traffic. Adopter's upstream is truth.
+#:    Test-only surfaces (comply controller, force_*, simulate_*) are denied.
+#:  - ``sandbox``: adopter's own test account. Their code path runs against
+#:    their test infrastructure. Test-only surfaces are allowed.
+#:  - ``mock``: SDK-routed-to-mock-server. Adopter's code is bypassed; the
+#:    SDK forwards to the mock upstream backend (Phase 2). Test-only
+#:    surfaces are allowed.
+#:
+#: Default when unspecified: ``live``. A missing or unknown ``mode`` reads
+#: as production, fail-closed for any test-only dispatch.
+AccountMode = Literal["live", "sandbox", "mock"]
+
+
+def get_account_mode(account: Any) -> AccountMode:
+    """Read ``mode`` off any account-shaped value, with back-compat for
+    the legacy ``sandbox: bool`` field.
+
+    Returns the explicit mode if present; otherwise infers ``'sandbox'``
+    from ``sandbox is True``; otherwise ``'live'``.
+
+    Adopters that have not yet migrated to the ``mode`` field continue to
+    work — ``account.sandbox is True`` reads as sandbox mode through this
+    helper. New code should prefer ``mode`` directly.
+
+    Unknown / unrecognized ``mode`` values fall through to ``'live'`` —
+    we never silently admit on a misspelled mode string.
+    """
+    if account is None:
+        return "live"
+    mode = _attr(account, "mode")
+    if mode == "live" or mode == "sandbox" or mode == "mock":
+        return cast(AccountMode, mode)
+    # Back-compat: legacy `sandbox: True` flag reads as `sandbox` mode.
+    if _attr(account, "sandbox") is True:
+        return "sandbox"
+    return "live"
+
+
+def is_sandbox_or_mock_account(account: Any) -> bool:
+    """Predicate: is the account in a non-production mode that admits
+    test-only surfaces (comply controller, force_*, simulate_*)?
+
+    Returns ``True`` for ``mode in {'sandbox', 'mock'}`` (or legacy
+    ``sandbox is True``); ``False`` for ``mode == 'live'`` or any account
+    shape that doesn't carry the field.
+    """
+    mode = get_account_mode(account)
+    return mode == "sandbox" or mode == "mock"
+
+
+def assert_sandbox_account(
+    account: Any,
+    *,
+    tool: str | None = None,
+    message: str | None = None,
+) -> None:
+    """Raise ``AdcpError('PERMISSION_DENIED')`` if the account is not in
+    a non-production mode. Use to gate dispatch of test-only surfaces.
+
+    Fail-closed semantics:
+
+    - ``account is None`` (no resolved account): raises.
+    - ``mode == 'live'`` or unspecified + no ``sandbox is True``: raises.
+    - ``mode in {'sandbox', 'mock'}`` (or legacy ``sandbox is True``):
+      no-op, dispatch proceeds.
+
+    The ``details`` payload carries ``{scope: 'sandbox-gate', tool?}``
+    so dashboards can distinguish gate-rejections from other permission
+    denials.
+
+    **Resolver discipline.** The strength of this gate depends entirely
+    on how the adopter's :meth:`AccountStore.resolve` constructs its
+    return value. Resolvers MUST NOT spread untrusted input (request
+    body, headers, ``ctx_metadata``, query params) into the resolved
+    account — doing so lets a buyer self-promote to ``mode='sandbox'``
+    and unlock test-only surfaces on a live principal. Source ``mode``
+    (and ``sandbox``) from a trusted store keyed by the authenticated
+    principal; never from request data.
+
+    **opts.message must be a static string literal.** The message is
+    echoed on the wire inside the error envelope. Interpolating
+    user-controlled values into it creates a reflection sink (PII
+    leakage, log injection, downstream HTML rendering). Pick from a
+    fixed set of messages keyed by ``tool`` if you need variants.
+    """
+    if is_sandbox_or_mock_account(account):
+        return
+    details: dict[str, Any] = {
+        "scope": "sandbox-gate",
+        "reason": "sandbox-or-mock-required",
+    }
+    if tool is not None:
+        details["tool"] = tool
+    raise AdcpError(
+        "PERMISSION_DENIED",
+        message=message
+        or (
+            "Test-only surface requires a sandbox or mock account; "
+            "resolved account is in live mode."
+        ),
+        recovery="terminal",
+        details=details,
+    )
+
+
+def _attr(obj: Any, name: str) -> Any:
+    """Own-attribute read mirroring the JS-side ``Object.hasOwn`` posture.
+
+    Python doesn't have prototype-pollution the same way JS does, but
+    the equivalent risk is class-level attribute inheritance: an
+    adopter who defines ``Account`` subclasses and accidentally sets a
+    class-level ``mode = 'sandbox'`` would have every instance read as
+    sandbox. We only consult instance state (``__dict__``) for known
+    attribute carriers; for dataclass instances the field lives there.
+    Falls back to ``getattr`` for dict-shaped accounts.
+
+    Returns ``None`` when the attribute is absent — the caller treats
+    that as "field not present" and falls through to the next check.
+    """
+    if isinstance(obj, dict):
+        return obj.get(name)
+    inst = getattr(obj, "__dict__", None)
+    if isinstance(inst, dict) and name in inst:
+        return inst[name]
+    # Fallback: bare attribute read for objects without a writable
+    # ``__dict__`` (slots, namedtuple, custom descriptors).
+    return getattr(obj, name, None)

src/adcp/decisioning/accounts.py

@@ -386,6 +386,15 @@ class TrainingAgentSeller(DecisioningPlatform):
     :param metadata_factory: Optional factory for ``Account.metadata``
         — adopters with typed metadata pass a closure that returns the
         right TypedDict / dataclass instance.
+    :param mode: Optional account-mode flag. When set, every resolved
+        :class:`Account` carries ``mode`` and is stamped explicit so
+        the framework's observed-modes tracker counts the resolution.
+        Default ``None`` — leaves accounts at the implicit-default
+        ``'live'`` (pre-mode behavior). Pass ``'sandbox'`` for a
+        single-platform conformance / dev deployment that should admit
+        ``comply_test_controller``; pass ``'live'`` to deliberately mark
+        the singleton as production (the env-fallback guard then trips
+        loudly if ``ADCP_SANDBOX=1`` is also set).
     """
 
     resolution: Literal["derived"] = "derived"
@@ -396,6 +405,7 @@ def __init__(
         *,
         name: str = "",
         metadata_factory: Callable[[], TMeta] | None = None,
+        mode: Literal["live", "sandbox", "mock"] | None = None,
     ) -> None:
         if not account_id or not isinstance(account_id, str):
             raise ValueError(
@@ -404,6 +414,7 @@ def __init__(
         self._account_id = account_id
         self._name = name or account_id
         self._metadata_factory = metadata_factory
+        self._mode = mode
 
     def resolve(
         self,
@@ -416,12 +427,21 @@ def resolve(
         metadata: TMeta = (
             self._metadata_factory() if self._metadata_factory else {}  # type: ignore[assignment]
         )
+        kwargs: dict[str, Any] = {}
+        if self._mode is not None:
+            # Adopter passed explicit mode at construction — stamp it on
+            # the Account AND mark explicit so the observed-modes tracker
+            # counts this resolution for the env-fallback fail-closed
+            # guard.
+            kwargs["mode"] = self._mode
+            kwargs["_mode_explicit"] = True
         return Account(
             id=scoped_id,
             name=f"{self._name} ({principal})" if principal != "anonymous" else self._name,
             status="active",
             metadata=metadata,
             auth_info=_auth_info_to_dict(auth_info),
+            **kwargs,
         )
 
 

src/adcp/decisioning/handler.py

@@ -742,8 +742,18 @@ async def _resolve_account(
             ref_dict = cast("dict[str, Any]", ref)
         result = self._platform.accounts.resolve(ref_dict, auth_info=auth_info)
         if asyncio.iscoroutine(result):
-            return cast("Account[Any]", await result)
-        return cast("Account[Any]", result)
+            resolved = cast("Account[Any]", await result)
+        else:
+            resolved = cast("Account[Any]", result)
+        # Phase 1 sandbox-authority — track explicit mode values for the
+        # comply controller's env-fallback fail-closed guard. Implicit
+        # default-live (resolver didn't populate mode) is intentionally
+        # NOT recorded so pre-migration adopters keep working with
+        # ADCP_SANDBOX=1.
+        from adcp.decisioning.observed_modes import record_resolved_account_mode
+
+        record_resolved_account_mode(resolved)
+        return resolved
 
     @staticmethod
     def _extract_auth_info(ctx: ToolContext) -> AuthInfo | None:

src/adcp/decisioning/observed_modes.py

@@ -0,0 +1,102 @@
+"""Process-scoped tracker of explicit ``Account.mode`` values returned
+from :meth:`AccountStore.resolve` during framework-side comply-controller
+dispatch.
+
+Used by the sandbox gate's deprecated env-fallback path (``ADCP_SANDBOX=1``)
+to fail closed when a process has resolved any explicit live-mode account.
+
+Rationale: the env-fallback exists for back-compat with adopters that
+have not yet adopted the per-account ``mode`` field. If those adopters
+have ALSO begun returning explicit ``mode='live'`` from their resolver,
+the env var is a misconfiguration — leaving it set would re-open the
+gate for live principals after the resolver was meant to close it.
+
+Implicit-default ``live`` (resolver returns no mode field, so the
+dataclass default ``'live'`` applies) is NOT observed here — those
+adopters are exactly who the env-fallback bridge exists for. Only the
+deliberate explicit mode (resolver populated ``mode='...'`` and stamped
+``_mode_explicit=True``) trips the guard.
+
+**Multi-tenant blast radius.** This tracker is process-scoped, not
+tenant-scoped. In a multi-tenant SaaS process (salesagent-style — many
+tenants share one Python process), if ANY tenant's resolver returns an
+explicit ``mode='live'`` account, every subsequent comply-controller
+call that would admit only via ``ADCP_SANDBOX=1`` raises ``RuntimeError``
+across ALL tenants. SaaS adopters MUST NOT set ``ADCP_SANDBOX=1`` in
+shared dev/staging environments where some tenants may resolve live
+accounts; either gate per tenant via ``mode='sandbox'`` on the resolved
+account or run sandbox tenants in a separate process. JS takes the same
+posture; the cross-tenant tripping is intentional (silent admission
+under env-fallback would be the worse failure mode) but worth
+surfacing.
+
+Mirrors the JS-side
+``src/lib/server/decisioning/runtime/observed-modes.ts``.
+"""
+
+from __future__ import annotations
+
+import os
+from typing import Any
+
+from adcp.decisioning.account_mode import AccountMode
+
+_observed: set[AccountMode] = set()
+
+
+def record_resolved_account_mode(account: Any) -> None:
+    """Record an account returned from :meth:`AccountStore.resolve`.
+
+    Only counts EXPLICIT mode values — those where the resolver
+    deliberately populated ``mode`` (signaled via the
+    ``_mode_explicit=True`` flag on the framework's :class:`Account`
+    dataclass). Adopters whose resolvers don't yet stamp ``mode`` keep
+    working with the env-fallback bridge: their accounts read as
+    implicit live, which doesn't trip this guard.
+
+    No-op when ``account`` is ``None`` / not an account-shaped value /
+    lacks an explicit mode flag / mode is not a known string. The set
+    only collects deliberate, resolver-stamped mode values.
+    """
+    if account is None:
+        return
+    # Only count explicit modes — implicit-default live (legacy adopter
+    # whose resolver didn't populate mode) is the back-compat target the
+    # env-fallback exists for, not a misconfiguration.
+    if not getattr(account, "_mode_explicit", False):
+        return
+    mode = getattr(account, "mode", None)
+    if mode in ("live", "sandbox", "mock"):
+        _observed.add(mode)
+
+
+def has_observed_live_mode() -> bool:
+    """``True`` when this process has observed at least one explicit
+    ``mode='live'`` account from :meth:`AccountStore.resolve`.
+
+    The sandbox-gate env-fallback consults this to decide whether
+    ``ADCP_SANDBOX=1`` is a safe legacy bridge or a misconfiguration.
+    """
+    return "live" in _observed
+
+
+def _reset_observed_account_modes() -> None:
+    """Test seam — reset the observed-modes set between test cases.
+
+    Refuses to clear when ``ADCP_ENV`` is anything that looks like
+    production. The observed-modes set is intentionally process-scoped
+    — clearing it in production would re-arm the env-fallback admit
+    path for live principals already seen, defeating the whole point
+    of the fail-closed guard.
+
+    Not part of the public API. Adopter code MUST NOT call this.
+    """
+    env = os.environ.get("ADCP_ENV", "").strip().lower()
+    if env in {"prod", "production"}:
+        raise RuntimeError(
+            f"_reset_observed_account_modes is a test seam; refusing to clear "
+            f"observed account modes in ADCP_ENV={env!r}. The set is process-"
+            f"scoped to keep the comply controller's env-fallback fail-closed "
+            f"guard armed once a live account has been seen."
+        )
+    _observed.clear()