docs(governance): audit-trail internal-vs-shareable views + Addie anonymous knowledge tools

[bokelley]

Three related changes from a governance WG question on Slack about how to design audit logging.

What's in this PR

1. New doc: docs/governance/campaign/audit-trail.mdx

Explains the internal-vs-shareable view split for get_plan_audit_logs with:

• Field-by-field tagging table (which fields stay buyer-side, which are seller-shareable, which are regulator-shareable)
• A 4-field minimum compliance attestation pattern
• Four worked examples generated by scripts/gen-governance-audit-examples.ts:
  • Clean buy (full audit response, $150K committed against a $500K plan)
  • Security-shaped denial (seller_compliance finding when an unauthorized seller tries to commit)
  • Coaching-shaped denial (Annex III data_subject_contestation missing — denial doubles as actionable guidance)
  • Mode comparison (same payload, three different outcomes under enforce/advisory/audit)

All 6 schema-tagged JSON blocks validate against the canonical schemas via tests/json-schema-validation.test.cjs.

2. Anonymous web-chat gets search_docs/get_doc/search_repos/search_resources/get_recent_news

Previously: Addie's system prompt told her to call search_docs to ground answers, but the web-chat anonymous path didn't register the tool. Result: she'd call a non-existent tool, get "Unknown tool", and fall through to in-prompt speculation. The MCP chat path already exposed these read-only tools to anonymous callers; this aligns the web path.

Anonymous tool count: 7 → 13. The full knowledge-search surface (Slack history, bookmarking) still requires authentication.

Verified the fix end-to-end: production Addie answering this WG question produced speculation about Policy Registry versioning ("are policies versioned by timestamp, version number, or content hash?"); local Addie with the fix produced a grounded answer naming policy_id, version, effective_date, enforcement — fields she retrieved via search_docs.

3. Constraints rule: "Tool Unavailable Is Not 'No Result'"

Adds a section to server/src/addie/rules/constraints.md distinguishing three outcomes:

1. Tool returned results → cite and answer
2. Tool returned empty → "I searched and didn't find that in the spec" (per existing No Speculative Answers rule)
3. Tool was unavailable → state the limitation, offer the path forward, don't retry more than once

Generalizes beyond search_docs to every tool. Caps the failure mode where Addie tries the same broken tool three times in a row.

4. Skill update: skills/adcp-governance/SKILL.md

Adds the campaign-governance task surface (sync_plans, check_governance, report_plan_outcome, get_plan_audit_logs) and three operator-facing invariants:

• Inline policies can only ADD restrictions over registry policies — they cannot relax enforcement levels
• effective_date enables informational-before-enforcement (the "minimal restrictions initially" pattern)
• governance_context is the seller-visible correlation token; plan-level data (budget aggregates, drift metrics, channel allocation) is buyer-side

Issues filed and resolved during this work

• Document campaign governance audit trail: internal vs shareable views #3139 (filed) — Document campaign governance audit trail (this PR delivers it)
• Document Policy Registry sync pattern: version pinning, change handling, effective_date transitions #3140 (filed, open) — Policy Registry sync pattern doc (separate follow-up)
• get_plan_audit_logs: surface plan.mode on entries and summary #3156 (filed → feat(schema): add mode to get_plan_audit_logs audit entries #3160 merged) — Surface plan.mode in audit responses
• Training agent emits non-canonical fields on governance responses (binding, mode) #3162 (filed → fix(schema): add mode to governance responses; replace binding with check_type in audit entries #3163 merged) — Training agent emits non-canonical fields
• schema(governance): mark governance-mode enum experimental + clarify per-check mode semantics #3169 (merged) — governance-mode.json x-status: experimental + per-check description tightening

Test plan

• npm run test:docs-nav passes
• npm run test:json-schema passes (255 schema-tagged blocks validate)
• npm run typecheck passes
• Targeted vitest run on server/tests/unit/training-agent.test.ts — all governance audit-log tests pass
• node tests/json-schema-validation.test.cjs --file docs/governance/campaign/audit-trail.mdx — 6/6 schema-tagged blocks valid
• Manual: Addie before/after captured in .context/addie-before.json and .context/addie-after-real-fix.json (anonymous chat went from speculation to grounded retrieval)

🤖 Generated with Claude Code

[bokelley]

Pushed e0d1cfa97 addressing all expert-review feedback. Summary:

Must-Fix (security)

• Private working-group docs were leaking through search_docs/get_doc to anonymous callers — getIndexedDocumentsWithContent now filters wg.is_private = false. The PR didn't introduce the bug but exposing search_docs anonymously widened the surface; this closes that.
• bookmark_resource (Slack-authenticated) → addie_notes (LLM summary of arbitrary URL content) → anonymous search_resources/get_recent_news was a prompt-injection pipeline. Two-layer fix: DB methods take excludeUserSubmitted to drop source_type='web_search'/'community'; handler factory takes anonymous to also strip addie_notes from formatted output. Both addie-chat.ts (web) and chat-tool.ts (MCP) pass anonymous: true on the global registration. Authenticated callers get the full handler via per-request override (last-wins merge in claude-client.ts:594).

Must-Fix (doc gap)

• Field-tagging table now includes entries[].mode (the whole point of feat(schema): add mode to get_plan_audit_logs audit entries #3160 / get_plan_audit_logs: surface plan.mode on entries and summary #3156) and entries[].purchase_type.

Should-Fix

• budget.utilization_pct flagged as a one-step inverse problem in §1 (just as leaky as raw amounts).
• Regulator "on request" wording for drift_metrics softened to match the existing §103 caveat that the protocol does not define a regulator API.
• Constraint rule "Tool Unavailable Is Not 'No Result'": dropped the fragile back-reference, replaced the upsell script with a behavioral shape (don't pitch; one line is enough), made the no-retry rule unambiguous.
• SKILL.md: renamed "Three invariants to lead with" → "for audit and disclosure decisions" (the skill loads into orchestrator context, not chat persona); demoted effective_date to a doc-link note; promoted plan_hash as the third load-bearing invariant.
• anonymousTools log line now uses claudeClient.getRegisteredTools().length as source of truth.
• Added FIXME annotation in gen-governance-audit-examples.ts referencing FRAMEWORK_MIGRATION.md so the in-flight migration sweep catches the script.

Nits skipped (per reviewer note)

• .context/ is gitignored at the conductor level (system docs note this).
• The "Sign in at agenticadvertising.org" example phrasing was already softened to a behavioral shape; no infrastructure leak per security review.

Changeset bump — keeping --empty. The doc is purely descriptive (restates existing schema invariants and spec; cites specifications.mdx and policy-entry.json); no normative claims, no protocol-spec changes. Per .agents/playbook.md: "Only use patch/minor/major for changes to the published AdCP protocol spec."

Verified end-to-end: anonymous local Addie answering the original WG question produces grounded retrieval (6 tool calls, 0 errors, cites the audit-trail doc) — the security scoping doesn't break the legitimate use case.

CI re-running.