Skip to content

feat(compliance): comply_controller_mode_gate storyboard + acme-outdoor-live kit (#4028)#4384

Merged
bokelley merged 1 commit into
3.0.xfrom
claude/issue-4028-comply-controller-mode-gate
May 11, 2026
Merged

feat(compliance): comply_controller_mode_gate storyboard + acme-outdoor-live kit (#4028)#4384
bokelley merged 1 commit into
3.0.xfrom
claude/issue-4028-comply-controller-mode-gate

Conversation

@bokelley
Copy link
Copy Markdown
Contributor

@bokelley bokelley commented May 11, 2026

Summary

Closes #4028.

  • Adds universal/comply-controller-mode-gate.yaml — new storyboard that verifies sellers refuse comply_test_controller dispatch with FORBIDDEN when the calling account is in live mode (non-sandbox).
  • Adds test-kits/acme-outdoor-live.yaml — live-mode twin of the sandbox acme-outdoor kit (sandbox: false, auth.api_key: "demo-acme-outdoor-live-v1").
  • One phase (live_account_denial, optional: true) with one step (deny_live_caller): sends a well-formed force_creative_status request authenticated as the live-mode principal and asserts FORBIDDEN.

What changed

static/compliance/source/universal/comply-controller-mode-gate.yaml (new)

  • category: deterministic_testing, track: security
  • requires: [controller] gates the storyboard at load time — sellers without comply_test_controller skip cleanly (requirement_unmet)
  • Phase live_account_denial is optional: true: two-deployment sellers whose sandbox endpoint has no per-account gate will fail this phase (they return success, not FORBIDDEN) but the storyboard still passes — they correctly prevent live-mode misuse by not advertising the tool on their production endpoint. Single-endpoint sellers that implement the gate MUST pass.
  • Step uses auth: { type: api_key, from_test_kit: true } (live-mode key) and expect_error: true / negative_path: payload_well_formed (well-formed request, runtime rejection).
  • Validations use check: field_value path: 'error' allowed_values: ['FORBIDDEN'] (ControllerError shape, not canonical error-code.json — matches the deterministic-testing.yaml convention for controller-surface codes).

static/compliance/source/test-kits/acme-outdoor-live.yaml (new)

  • sandbox: false signals live/production mode for controller gating tests.
  • Full brand block mirrors the canonical acme-outdoor kit (same entity, different mode).
  • Passes lint-storyboard-test-kits.cjs (auth.api_key present).

Non-breaking justification

New universal storyboard + new test kit. No existing files modified. Per playbook: "additive scenarios, new universal storyboards are patch-eligible." The storyboard is gated by requires: [controller] — sellers that don't expose comply_test_controller are unaffected.

Changeset

patch — new universal storyboard, additive only.

Pre-PR review

  • ad-tech-protocol-expert: approved — check: field_value path: 'error' is the correct assertion for ControllerError (not check: error_code, which targets errors[0].code in the canonical envelope); optional: true without skip_if is permitted by schema and correct for Option A intent (advisory, not hard-enforced for two-deployment sellers).
  • code-reviewer: approved — confirmed check: error_code value: FORBIDDEN blocker fixed; optional: true semantics are correct per design intent; redundancy of success + error field checks dissolves with field_value pattern (matches deterministic-testing.yaml).

Reviewer note: requires: [controller] is the first use of a root-level requires stanza across all universal storyboards. The schema supports it and all lints pass (npm run build:compliance — 11 checks green), but worth a manual scan if the review touches that section.

Milestone note: Milestone could not be confirmed via available tooling — please set to the active 3.0.x patch target (currently 3.0.12 per the open Version Packages PR #4381) before merge.

Triage-managed PR — opened automatically by the AdCP issue-triage agent in response to Issue #4028 (/triage execute by @bokelley). Review against the triage checklist in .agents/routines/triage-prompt.md before merging.

https://claude.ai/code/session_01WEcfSgq5grVGRgRdbmgLNW

Generated by Claude Code

@claude
feat(compliance): add comply_controller_mode_gate storyboard and acme…
7a99eda 
…-outdoor-live test kit

Exercises the live-account denial path for comply_test_controller:
sellers that expose the controller must return FORBIDDEN when called
by a live-mode (non-sandbox) principal. Optional phase accommodates
two-deployment sellers whose sandbox endpoint has no per-account gate;
required for single-endpoint sellers implementing the gate.

Closes #4028.

https://claude.ai/code/session_01WEcfSgq5grVGRgRdbmgLNW
@bokelley bokelley mentioned this pull request May 11, 2026
Open
@bokelley bokelley marked this pull request as ready for review May 11, 2026 11:25
@bokelley bokelley merged commit d8d5cfa into 3.0.x May 11, 2026
12 checks passed
@bokelley bokelley deleted the claude/issue-4028-comply-controller-mode-gate branch May 11, 2026 11:25
@bokelley bokelley mentioned this pull request May 11, 2026
Merged
bokelley added a commit that referenced this pull request May 11, 2026
@bokelley @claude
docs(verification): rewrite framing for (Sandbox) verdict (closes doc…
5714fb0 
…s half of #4380) (#4387)

Three pages updated to reflect the (Sandbox) verdict from #4379:

aao-verified.mdx:
- Title / description / intro / TL;DR — (Sandbox) replaces (Live) as the
  higher tier
- "What each axis certifies" tables — (Sandbox) tested against
  registered production URL with account.sandbox: true; same storyboard
  suite as (Spec), zero real-world side effects
- "How agents earn each axis" — (Sandbox) earn instructions describe
  the seller-side sandbox-account gate
- "Reading a badge" — display rows updated
- "Lifecycle" — (Sandbox) lifecycle replaces (Live), cross-mode
  leakage flagged as immediate-revoke trigger
- "Coverage gaps" — universal storyboards run as standard suite, no
  observability carve-out
- JWT verification_modes — ["spec"] / ["spec", "sandbox"]
- Supporting specs — #3755/#4382 (schema gate), #4028/#4384
  (mode-gate storyboard), #4226/#4228 (UNKNOWN grading)
- Warning banner above the deprecated canonical-campaign sections
  (eight checks, webhook ownership, two discovery paths,
  maintenance windows) — full removal in follow-up sweep

conformance.mdx:
- Intro / "Two words, not three" — (Sandbox) replaces (Live)
- "Storyboard conformance vs. AAO Verified" — both qualifiers run
  the same storyboards; (Sandbox) is the stronger claim because it
  attests prod-stack sandbox tolerance

comply-test-controller.mdx:
- Prominent Note callout at the top: controller is dev/staging-only,
  AAO grading does NOT require or use it. Connects to (Sandbox)
  framing via #4379. Production-stack sandbox-flag honoring is
  what (Sandbox) attests, not controller exposure.

Push A item 4 of 4 in the compliance reporting fidelity initiative
is now complete. Follow-up: remove deprecated canonical-campaign
sections from aao-verified.mdx (tracked in #4380).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bokelley @claude