chore: release package #555

Merged: bokelley merged 1 commit into main from changeset-release/main on Apr 17, 2026

github-actions bot commented Apr 17, 2026

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@adcp/client@5.1.0

Minor Changes

  • 50c809a: Pull storyboards from the AdCP compliance tarball instead of bundling them.

    Released as a minor bump: 5.0 was intentionally shipped incomplete while the
    upstream compliance tarball + cosign signing work landed (adcp#2273, "feat(security): sign protocol tarballs with Sigstore (cosign keyless)").
    5.0 has not seen meaningful adoption, so the removals below are treated as finishing
    the 5.x surface rather than a 6.0 breaking release.

    npm run sync-schemas fetches /protocol/{version}.tgz from adcontextprotocol.org,
    verifies its sha256 sidecar, and extracts both schemas/ and compliance/ into
    schemas/cache/{version}/ and compliance/cache/{version}/. Per-file schema sync is kept
    as a fallback. The compliance cache ships with the published npm package — no network
    call required for first use.

    When a pinned version ships cosign sidecars (.sig / .crt, per adcp#2273,
    "feat(security): sign protocol tarballs with Sigstore (cosign keyless)"), sync-schemas verifies them against the upstream
    release workflow's Sigstore identity. latest.tgz is intentionally unsigned and skipped.
    Missing sidecars or a missing cosign binary fall back to checksum-only trust with a
    clear log line; a present-but-failed verification is a hard error.

    Storyboard selection is driven by the agent's get_adcp_capabilities response:
    supported_protocols resolves to domain baselines and specialisms resolves to
    specialism bundles. The runner fails closed when:

    • an agent declares a specialism whose bundle isn't in the local cache (stale cache — re-sync);
    • an agent declares a specialism whose parent domain isn't in supported_protocols.

    Unknown supported_protocols entries (new spec version, typo) log a warning and are skipped.

    discoverAgentProfile now calls get_adcp_capabilities to populate
    profile.supported_protocols + profile.specialisms. A probe failure is surfaced
    as profile.capabilities_probe_error and a top-level error-severity observation,
    rather than silently downgrading the assessment.

    Breaking changes:

    • The storyboards/ directory is no longer shipped in the npm package. Consumers
      relying on direct file paths must read from /compliance/{version}/ on
      adcontextprotocol.org or the compliance/cache/ tree after running sync.
    • ComplyOptions.platform_type is removed. Callers that still pass it get a
      runtime error pointing to this changeset. Capability-driven selection replaces
      platform-type curated lists. Pass storyboards: [id] for explicit/targeted runs;
      bundle ids (e.g., sales-guaranteed) expand to every storyboard in the bundle.
    • ComplianceResult.platform_coherence and ComplianceResult.expected_tracks are
      removed along with the expected track status.
    • ComplianceSummary.tracks_expected is removed.
    • Removed exports: PlatformType, SalesPlatformType, CreativeAgentType,
      SponsoredIntelligenceType, AINativePlatformType, PlatformProfile,
      PlatformCoherenceResult, CoherenceFinding, InventoryModel, PricingModel,
      getPlatformProfile, getAllPlatformTypes, getPlatformTypesWithLabels,
      PLATFORM_STORYBOARDS, getStoryboardIdsForPlatform, extractScenariosFromStoryboard,
      filterToKnownScenarios, loadBundledStoryboards, loadBundledScenarios,
      getStoryboardById, getScenarioById, getStoryboardsForPlatformType,
      getComplianceStoryboards, getApplicableComplianceStoryboards, listStoryboards.
    • CLI: adcp storyboard list --platform-type and
      adcp storyboard run --platform-type / --list-platform-types are removed.
      Added adcp storyboard run <agent> --file <path.yaml> for ad-hoc spec-evolution runs.

    New exports on @adcp/client/testing: resolveStoryboardsForCapabilities,
    resolveBundleOrStoryboard, findBundleById, listBundles, loadBundleStoryboards,
    listAllComplianceStoryboards, getComplianceStoryboardById, loadComplianceIndex,
    getComplianceCacheDir.

  • 6953c35: Optimistic concurrency primitives on AdcpStateStore.

    New

    • putIfMatch(collection, id, data, expectedVersion) — atomic compare-and-swap. Returns {ok: true, version} on success, {ok: false, currentVersion} on conflict. expectedVersion: null means insert-only.
    • getWithVersion(collection, id) — read a document with its row version.
    • patchWithRetry(store, collection, id, updateFn, options?) — get → compute → putIfMatch → retry loop for read-modify-write updates. Throws PatchConflictError after maxAttempts (default 5).
    • Both built-in stores (InMemoryStateStore, PostgresStateStore) track a monotonically increasing version per row. Every put/patch/putIfMatch bumps it.
    • Sessioned stores (createSessionedStore / store.scoped(key)) proxy the new methods through so scoped views get CAS for free.

    Postgres migration

    • getAdcpStateMigration() adds version INTEGER NOT NULL DEFAULT 1 via ADD COLUMN IF NOT EXISTS. Existing rows start at version 1. No data rewrite.

    Docs

    • docs/guides/CONCURRENCY.md gains a section covering patchWithRetry, putIfMatch, and when to reach for each.

    No breaking changes. Both new methods are optional on the AdcpStateStore interface; custom stores that don't implement them keep working.

  • 835e633: SessionStore ergonomics + state-store validation (batch 1 of upstream feedback).

    New

    • store.scoped(sessionKey) on built-in stores + scopedStore(store, key) helper that works on any AdcpStateStore (falls back to createSessionedStore when a custom store doesn't implement the method). Returns a session-isolated view that auto-prefixes ids and filters list() by _session_key. :: is reserved as the scope separator and is rejected in session keys and ids so scopes can't collide.
    • HandlerContext.sessionKey + resolveSessionKey hook on createAdcpServer. Sellers derive the scoping key once; handlers read ctx.sessionKey instead of re-parsing params.
    • StateError with typed codes (INVALID_COLLECTION, INVALID_ID, PAYLOAD_TOO_LARGE, …), built-in charset/length validation on every store operation, configurable maxDocumentBytes (5 MB default) on InMemoryStateStore and PostgresStateStore.
    • structuredSerialize / structuredDeserialize helpers so handlers can round-trip Map, Set, and Date through the state store without writing per-type converters. Envelope tag is namespaced as __adcpType and the deserializer validates payload shape, so caller data that happens to use the same field is passed through unchanged.

    Docs

    • docs/guides/CONCURRENCY.md — explicit last-writer-wins vs per-row isolation model, the read-modify-write race on whole-session blobs, and why per-entity rows are safer.
    • docs/guides/TASKRESULT-5-MIGRATION.md — the four migration patterns for the 5.0 discriminated-union TaskResult (success check, error extraction, status narrowing, intermediate states).

    No breaking changes. scoped on AdcpStateStore is an optional method; custom store implementations that don't define it keep working.

Patch Changes

  • 97f8c8f: Regenerate AdCP schemas and registry from upstream. Pulls in sponsored-intelligence / sales specialism and related domain enums into the generated type exports. Mechanical regen — no handwritten code changes.
  • 4e0c482: Response builders now throw a descriptive error when setup is placed at the top level of a media buy response. The IO-signing setup URL belongs inside account.setup (a field on Account), not on the media buy itself. This was a silent trap because DomainHandler accepts Record<string, unknown> so the strict type wasn't catching it. Affects mediaBuyResponse, updateMediaBuyResponse, and getMediaBuysResponse.
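
The tarball trust policy described under 50c809a (checksum always enforced, unsigned latest skipped, missing sidecars or missing cosign downgraded with a log line, failed verification a hard error), as an added example that is not @adcp/client code. The `verifySignature` callback, the sidecar text format and the `9.9.9` sample version are assumptions made for illustration.

```javascript
const { createHash } = require("node:crypto");

// Added illustration of the trust policy in the release notes; not @adcp/client code.
// verifySignature is a hypothetical callback standing in for the cosign invocation.
function decideTarballTrust(input) {
  const { version, tarball, sha256Sidecar, sig, crt, cosignAvailable, verifySignature } = input;
  const log = [];
  const checksumOnly = (reason) => {
    log.push(`WARN ${version}.tgz: ${reason}; falling back to checksum-only trust`);
    return { trust: "checksum-only", log };
  };

  // 1. The checksum is always enforced. Assumed sidecar format: "<hex>  <filename>".
  const expected = String(sha256Sidecar).trim().split(/\s+/)[0].toLowerCase();
  const actual = createHash("sha256").update(tarball).digest("hex");
  if (!/^[0-9a-f]{64}$/.test(expected) || expected !== actual) {
    throw new Error(`sha256 mismatch for ${version}.tgz`);
  }

  // 2. latest.tgz is intentionally unsigned upstream, so signature checks are skipped.
  if (version === "latest") return checksumOnly("latest is unsigned");

  // 3. Nothing to verify, or nothing to verify with: downgrade loudly, never silently.
  if (!sig || !crt) return checksumOnly("cosign sidecars (.sig/.crt) not published");
  if (!cosignAvailable) return checksumOnly("cosign binary not found");

  // 4. Sidecars exist and can be checked: a failure here is never downgraded.
  if (!verifySignature(tarball, sig, crt)) {
    throw new Error(`cosign verification failed for ${version}.tgz`);
  }
  log.push(`OK ${version}.tgz: signature verified`);
  return { trust: "signature-verified", log };
}

// Constructed sample input (not a real AdCP release).
function sampleInput(overrides = {}) {
  const tarball = Buffer.from("constructed tarball bytes");
  const digest = createHash("sha256").update(tarball).digest("hex");
  return {
    version: "9.9.9", tarball, sha256Sidecar: `${digest}  9.9.9.tgz\n`,
    sig: "constructed-sig", crt: "constructed-crt",
    cosignAvailable: true, verifySignature: () => true, ...overrides,
  };
}
```

In this sketch the downgrade is visible only in `trust` and `log`; a pipeline that requires signed artifacts would assert on that value instead of treating a clean exit as verified.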

github-actions bot force-pushed the changeset-release/main branch 5 times, most recently from 663cda0 to 80e6c32 (April 17, 2026 17:15)
github-actions bot force-pushed the changeset-release/main branch from 80e6c32 to 4bc7a96 (April 17, 2026 17:29)
bokelley merged commit 29159bc into main on Apr 17, 2026
10 checks passed
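
The compare-and-swap semantics listed under 6953c35, as an added example that is not @adcp/client source: a simplified synchronous model of `putIfMatch`, `getWithVersion` and `patchWithRetry` showing a lost update being caught and retried. `ModelStore`, the `budgets` collection, the `mb_1` id and the return shape of `patchWithRetry` are assumptions; the library's own stores may differ in detail.

```javascript
// Simplified synchronous model of the semantics in the release notes (assumption:
// the real stores are the library's own and are not reproduced here).
class PatchConflictError extends Error {}

class ModelStore {
  constructor() { this.rows = new Map(); }            // "collection/id" -> {data, version}
  getWithVersion(collection, id) {
    const row = this.rows.get(`${collection}/${id}`);
    return row ? { data: row.data, version: row.version } : null;
  }
  putIfMatch(collection, id, data, expectedVersion) {
    const key = `${collection}/${id}`;
    const row = this.rows.get(key);
    const current = row ? row.version : null;         // null means "no row yet"
    if (current !== expectedVersion) return { ok: false, currentVersion: current };
    const version = row ? row.version + 1 : 1;        // every write bumps the version
    this.rows.set(key, { data, version });
    return { ok: true, version };
  }
}

// get -> compute -> putIfMatch -> retry, giving up after maxAttempts (default 5).
function patchWithRetry(store, collection, id, updateFn, options = {}) {
  const maxAttempts = options.maxAttempts ?? 5;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const row = store.getWithVersion(collection, id);
    const next = updateFn(row ? row.data : null);
    const res = store.putIfMatch(collection, id, next, row ? row.version : null);
    if (res.ok) return { version: res.version, attempts: attempt };
  }
  throw new PatchConflictError(`gave up after ${maxAttempts} attempts`);
}

// Constructed race: a competing writer commits between our read and our write.
function demoBudgetRace() {
  const store = new ModelStore();
  store.putIfMatch("budgets", "mb_1", { spent: 0 }, null);    // insert-only, version 1
  let interfered = false;
  const result = patchWithRetry(store, "budgets", "mb_1", (doc) => {
    if (!interfered) {                                          // competitor writes once
      interfered = true;
      const cur = store.getWithVersion("budgets", "mb_1");
      store.putIfMatch("budgets", "mb_1", { spent: cur.data.spent + 40 }, cur.version);
    }
    return { spent: doc.spent + 25 };
  });
  return { ...result, final: store.getWithVersion("budgets", "mb_1") };
}
```

With a plain last-writer-wins `put`, the first attempt would have stored `spent: 25` and erased the competitor's 40; here the stale version is rejected and the retry applies both increments.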