
docs(bridge): trust-boundary + multi-tenant adopter responsibility #1779

Merged: bokelley merged 2 commits into main from bokelley/bridge-jsdoc-trust-boundary on May 16, 2026

Conversation

@bokelley (Contributor)

Summary

  • Adds two paragraphs to the top-of-file JSDoc on src/lib/server/test-controller-bridge.ts:
    1. Scope of verification — storyboard pass via the bridge proves wire conformance against fixture data, NOT adapter health against the real upstream. Cross-references Storyboard runner: surface bridge participation in run record #1775.
    2. Adopter responsibilities — names resolveAccount as the trust boundary (production bindings MUST configure it; otherwise the request-signal check is the only line of defense) and multi-tenant keying as the adopter's job (SDK does no defensive cross-check).
  • No code change.

Background

After #1753 + phases #1759/#1761/#1772 grew the bridge surface to 13 tools on main, the four-expert review of (now-closed) #1754 found that the public-surface JSDoc didn't name either trust pattern. Security review flagged the ctx.account === undefined permissive branch in the dispatcher gate at src/lib/server/create-adcp-server.ts:3913-3917 as a real adopter footgun — adopters who deploy the bridge to a production binding without resolveAccount configured can have buyers stamp context.sandbox:true and trigger the merge.

The patterns themselves are intentional (storyboard runners often have no account scoping); the gap was naming them on the public surface so adopters don't deploy through them by accident.

Test plan

  • tsc --noEmit clean (docs-only change).
  • prettier --check clean.
  • Diff is +43/-4 in test-controller-bridge.ts, all inside the leading /** ... */ block.
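The two patterns the JSDoc now names are easier to see in code than in prose. The following is an added illustration, not the SDK's own code and not the dispatcher in src/lib/server/create-adcp-server.ts: a simplified TypeScript model of a test-controller bridge gate. Only resolveAccount, ctx.account and the buyer-supplied context.sandbox marker come from the PR; every other name (buildContext, permissiveGate, failClosedGate, selectFixture, dispatch, the fixture and token values) is a hypothetical stand-in. It places the permissive fall-through beside a fail-closed variant and adds the per-tenant fixture cross-check the PR says the SDK does not perform.

```typescript
// Added example (not the SDK's own code). Simplified model of the two adopter
// responsibilities named in PR #1779. Only resolveAccount, ctx.account and
// context.sandbox come from the PR; every other name is a hypothetical stand-in.

interface Account {
  id: string;
  sandbox: boolean; // true when the binding scoped this account to a sandbox
}

interface IncomingRequest {
  authToken?: string;
  context?: { sandbox?: boolean }; // buyer-supplied marker, never trusted alone
}

interface RequestContext {
  account?: Account; // undefined when the binding configured no resolveAccount
  sandbox?: boolean; // copied from the buyer-supplied context.sandbox
}

// A fixture entry is keyed to the account it was recorded for.
interface FixtureEntry {
  accountId: string;
  response: string;
}

type ResolveAccount = (req: IncomingRequest) => Account | undefined;

// How a wiring author builds the context. resolveAccount is optional, which is
// exactly the omission the PR warns about.
function buildContext(req: IncomingRequest, resolveAccount?: ResolveAccount): RequestContext {
  return {
    account: resolveAccount ? resolveAccount(req) : undefined,
    sandbox: req.context?.sandbox,
  };
}

// The permissive branch: with no resolved account the gate falls through to
// the buyer-supplied sandbox marker, so any buyer can engage the bridge.
function permissiveGate(ctx: RequestContext): boolean {
  if (ctx.account === undefined) {
    return ctx.sandbox === true;
  }
  return ctx.account.sandbox && ctx.sandbox === true;
}

// Fail-closed variant: no resolved account means the bridge never engages and
// the real upstream response is returned unshadowed.
function failClosedGate(ctx: RequestContext): boolean {
  if (ctx.account === undefined) {
    return false;
  }
  return ctx.account.sandbox && ctx.sandbox === true;
}

// Multi-tenant cross-check the SDK leaves to the adopter: only serve a fixture
// recorded for the resolved account, never one keyed to another tenant.
function selectFixture(ctx: RequestContext, fixtures: FixtureEntry[]): FixtureEntry | undefined {
  if (ctx.account === undefined) {
    return undefined;
  }
  const accountId = ctx.account.id;
  return fixtures.find((f) => f.accountId === accountId);
}

// Dispatcher: the upstream is called, then the fixture may shadow its response.
// Uses the fail-closed gate plus the cross-check above.
function dispatch(
  ctx: RequestContext,
  fixtures: FixtureEntry[],
  upstream: () => string,
): { source: "upstream" | "fixture"; response: string } {
  const live = upstream();
  if (!failClosedGate(ctx)) {
    return { source: "upstream", response: live };
  }
  const fixture = selectFixture(ctx, fixtures);
  if (fixture === undefined) {
    return { source: "upstream", response: live };
  }
  return { source: "fixture", response: fixture.response };
}

// Constructed sample data (hypothetical IDs and tokens).
const FIXTURES: FixtureEntry[] = [
  { accountId: "acct-sandbox-1", response: "fixture for acct-sandbox-1" },
  { accountId: "acct-sandbox-2", response: "fixture for acct-sandbox-2" },
];

// A buyer request that simply stamps context.sandbox:true.
const buyerStampedRequest: IncomingRequest = { authToken: "buyer-token", context: { sandbox: true } };

// The resolver a production binding would configure (hypothetical token lookup).
const resolveFromToken: ResolveAccount = (req) =>
  req.authToken === "sandbox-token-1" ? { id: "acct-sandbox-1", sandbox: true } : undefined;

console.log("no resolver, permissive gate:", permissiveGate(buildContext(buyerStampedRequest)));
console.log("no resolver, fail-closed gate:", failClosedGate(buildContext(buyerStampedRequest)));
```

With no resolver configured, permissiveGate engages on the buyer's marker alone, which is the footgun the PR describes; failClosedGate returns false in the same situation, and dispatch then returns the live upstream response. With a resolver that maps the token to a sandbox-scoped account, the fixture for that account is served, while a fixture keyed to another account is never selected.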

…g as adopter responsibility

Adds two paragraphs to the top-of-file JSDoc on TestControllerBridge:

1. Scope of verification — a storyboard pass through this bridge proves
   wire conformance against fixture data, not adapter health against
   the real upstream. Sellers must still exercise adapters against a
   live-OAuth sandbox runner separately. Cross-references the
   runner-visible-bridge-marker ask at #1775.

2. Adopter responsibilities — names two patterns the SDK can't enforce:
   (a) resolveAccount is the trust boundary; production bindings MUST
   configure it or the request-signal check is the only line of defense,
   because the dispatcher gate falls through to permissive when
   ctx.account === undefined. (b) Multi-tenant keying is the adopter's
   job; the SDK does no defensive cross-check between fixture-entry
   account IDs and the resolved ctx.account.

No code change. Security-review-driven during the post-merge review of
#1754 — main shipped the bridge surface (#1753 + phases #1759/#1761/
#1772) but no public-surface warning about either trust pattern.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- "bypassed by the post-handler merge" → "shadowed by the post-handler
  merge" (more accurate: the upstream is called, then its response is
  overridden).
- "request-signal check is the only line of defense" → "buyer-supplied
  sandbox marker is the only gate" (flatter, more accurate).
- Drop the "Snap, Meta, TikTok, Google Ads" brand list → "social / search
  / programmatic inventory APIs" (illustrative without pulling toward a
  specific adopter or violating fictional-names-only convention).
- Echo a one-paragraph trust-boundary note on createAdcpServer's
  testController config field — that's where a wiring author lands when
  they hit autocomplete, and the last chance to warn before
  resolveAccount gets omitted. Cross-references the top-of-file JSDoc
  on TestControllerBridge.

All four changes from the docs-expert review of PR #1779. No code
behavior change; pure JSDoc.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bokelley bokelley merged commit cfa6a0f into main May 16, 2026
10 checks passed
bokelley added a commit that referenced this pull request May 16, 2026
…roxy sellers only (#1787)

Names the audience explicitly so state-local sellers don't wire the bridge
unnecessarily, and upstream-proxy sellers know to wire it. Cross-links the
upstream taxonomy proposal at adcontextprotocol/adcp#4593 and the leaderboard
policy at #1782.

Also collapses a duplicate trust-boundary blurb (added in #1779 alongside the
security-review note in #1786) into a single coherent section.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot mentioned this pull request May 16, 2026