feat(signing): BrandAuthorizationResolver (Tier 3, #350 stages 1-3)

pyproject.toml

@@ -86,6 +86,15 @@ dependencies = [
     # bundled AdCP schemas. Pin to the Draft 7 generation the schemas
     # declare via ``$schema``.
     "jsonschema>=4.0.0",
+    # Public Suffix List lookups — used by ``adcp.signing.etld`` to compute
+    # the eTLD+1 (registrable domain) for the brand-authorization binding
+    # mandated by ADCP request-signing spec (#3690). We pin a recent floor
+    # so the bundled PSL snapshot is fresh; the helper constructs the
+    # extractor with ``suffix_list_urls=()`` to disable network refresh —
+    # production verifiers must not silently re-fetch the PSL at request
+    # time, and pinned snapshot semantics are what the spec requires for
+    # cross-implementation conformance.
+    "tldextract>=5.1.0",
 ]
 
 [project.scripts]

src/adcp/signing/__init__.py

@@ -101,6 +101,13 @@
     SigningDecision,
     operation_needs_signing,
 )
+from adcp.signing.brand_authz import (
+    BrandAuthorizationReason,
+    BrandAuthorizationResolver,
+    BrandAuthorizationResult,
+    BrandJsonAuthorizationResolver,
+    build_brand_json_resolvers,
+)
 from adcp.signing.brand_jwks import (
     BrandAgentType,
     BrandJsonJwksResolver,
@@ -175,6 +182,11 @@
     REQUEST_SIGNATURE_WINDOW_INVALID,
     SignatureVerificationError,
 )
+from adcp.signing.etld import (
+    host_from,
+    registrable_domain,
+    same_registrable_domain,
+)
 from adcp.signing.ip_pinned_transport import (
     AsyncIpPinnedTransport,
     IpPinnedTransport,
@@ -293,6 +305,10 @@ def __init__(self, *args: object, **kwargs: object) -> None:
     "AsyncJwksResolver",
     "AsyncRevocationListFetcher",
     "BrandAgentType",
+    "BrandAuthorizationReason",
+    "BrandAuthorizationResolver",
+    "BrandAuthorizationResult",
+    "BrandJsonAuthorizationResolver",
     "BrandJsonJwksResolver",
     "BrandJsonResolverError",
     "BrandJsonResolverErrorCode",
@@ -373,6 +389,7 @@ def __init__(self, *args: object, **kwargs: object) -> None:
     "b64url_decode",
     "b64url_encode",
     "build_async_ip_pinned_transport",
+    "build_brand_json_resolvers",
     "build_capability_cache_key",
     "build_ip_pinned_transport",
     "build_signature_base",
@@ -388,15 +405,18 @@ def __init__(self, *args: object, **kwargs: object) -> None:
     "extract_signature_bytes",
     "format_signature_header",
     "generate_signing_keypair",
+    "host_from",
     "install_signing_event_hook",
     "load_private_key_pem",
     "operation_needs_signing",
     "parse_signature_input_header",
     "pem_to_adcp_jwk",
     "private_key_from_jwk",
     "public_key_from_jwk",
+    "registrable_domain",
     "resolve_agent",
     "resolve_and_validate_host",
+    "same_registrable_domain",
     "sign_request",
     "sign_signature_base",
     "sign_standard_webhook",