
fix(training-agent): restore per-tenant /<tenant>/mcp-strict, close #3965 Class C #4061

Merged
bokelley merged 1 commit into main from bokelley/3965-class-c-strict-route
May 4, 2026

bokelley (Contributor) commented May 4, 2026

Summary

  • Restores per-tenant /<tenant>/mcp-strict mounts that the 6.0.0 multi-tenant migration (feat(training-agent)!: migrate to @adcp/sdk@6.0.0 + split into per-specialism tenants #3713) dropped along with STRICT_REQUIRED_FOR enforcement and enforceSigningWhenWebhookAuthPresent. The signed_requests conformance storyboard has been failing at discovery on every tenant since then — the runner targets /<tenant>/mcp-strict (run-storyboards.ts:350-352) but only /<tenant>/mcp was mounted.
  • Strict route shares one v5 monolith handler stamped with ctx.strict = true so selectSigningCapability(ctx) advertises STRICT_REQUIRED_FOR. Request-signing is a transport-layer property — not specialism-specific — so the strict route doesn't need v6 platform dispatch.
  • Strict authenticator composition rebuilds two enforcement gates the migration dropped:
    • requireSignatureWhenPresent with requiredFor: STRICT_REQUIRED_FOR + mcpToolNameResolver → unsigned create_media_buy calls surface request_signature_required (vector 001) instead of admitting bearer.
    • enforceSigningWhenWebhookAuthPresent wrapper → unsigned webhook-registration carrying push_notification_config.authentication fires the same error (vector 027). Bearer-bypass is the exact downgrade this rule prevents.
  • Each route owns its own InMemoryReplayStore (training-agent verifier: replay store doesn't reject duplicate (keyid, nonce) — fails grader neg/016 #3338) so a nonce consumed on /mcp can't falsely fire request_signature_replayed on /mcp-strict.

Floors ratchet to capture the +31 step lift across all six tenants:

| Tenant | Old (post-#4052) | New | Delta |
| --- | --- | --- | --- |
| /signals | 65 / 23 | 66 / 54 | +1 / +31 |
| /sales | 64 / 217 | 64 / 248 | flat / +31 |
| /governance | 65 / 70 | 65 / 101 | flat / +31 |
| /creative | 66 / 83 | 66 / 114 | flat / +31 |
| /creative-builder | 60 / 65 | 60 / 96 | flat / +31 |
| /brand | 66 / 14 | 66 / 45 | +1 / +31 |

Closes #3965 Class C. The full #3965 cluster is now closed.

Test plan

  • Local matrix run — all six tenants pass new floors
  • CI matrix run on PR
  • signed_requests storyboard now grades all positive + negative vectors per tenant

🤖 Generated with Claude Code

…3965 Class C

Mounts the conformance grader's strict route per tenant using the v5
monolith with ctx.strict=true. Strict authenticator composition rebuilds
the requiredFor enforcement (vector 001) and webhook-auth enforcement
(vector 027) the multi-tenant migration dropped. Floors ratchet for the
+31 step lift across all six tenants.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bokelley bokelley merged commit 18b3db7 into main May 4, 2026
19 checks passed
@bokelley bokelley deleted the bokelley/3965-class-c-strict-route branch May 4, 2026 09:41
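
A minimal model of the strict-route behaviour the PR summary describes (the two unsigned-request gates and a separate replay store per route), added here as an illustration and not the training-agent's or @adcp/sdk's code. The function shapes, the single-entry STRICT_REQUIRED_FOR set, the bearer-admitting non-strict route, and the omission of actual signature verification are assumptions.

```typescript
// Added illustration. Names mirror the PR description; shapes and signatures
// are assumptions, not the @adcp/sdk API. Signature verification is omitted:
// a present `signature` is treated as cryptographically valid.
type Req = {
  tool: string; // MCP tool name, e.g. "create_media_buy"
  args: Record<string, unknown>;
  signature?: { keyid: string; nonce: string }; // absent => bearer-only call
};
type Verdict = "ok" | "request_signature_required" | "request_signature_replayed";

// Assumed contents: the page only shows create_media_buy being covered.
const STRICT_REQUIRED_FOR = new Set<string>(["create_media_buy"]);

class ReplayStore {
  private seen = new Set<string>();
  // Returns true when (keyid, nonce) was already consumed in this store.
  consume(keyid: string, nonce: string): boolean {
    const key = JSON.stringify([keyid, nonce]);
    if (this.seen.has(key)) return true;
    this.seen.add(key);
    return false;
  }
}

function hasWebhookAuth(args: Record<string, unknown>): boolean {
  const cfg = args["push_notification_config"];
  return typeof cfg === "object" && cfg !== null && "authentication" in cfg;
}

// Builds the authenticator for one route; strict=false models plain /mcp.
function makeAuthenticator(strict: boolean) {
  const replay = new ReplayStore(); // one store per route, never shared
  return (req: Req): Verdict => {
    if (req.signature) {
      const { keyid, nonce } = req.signature;
      return replay.consume(keyid, nonce) ? "request_signature_replayed" : "ok";
    }
    if (!strict) return "ok"; // assumption: bearer admitted on the non-strict route
    // Gate 1 (vector 001): unsigned call to a tool in the required-for set.
    if (STRICT_REQUIRED_FOR.has(req.tool)) return "request_signature_required";
    // Gate 2 (vector 027): unsigned call registering an authenticated webhook.
    if (hasWebhookAuth(req.args)) return "request_signature_required";
    return "ok";
  };
}
```

Because each call to `makeAuthenticator` creates its own store, a nonce first seen on the non-strict route is still fresh on the strict route and is rejected there only on its second use.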

Development

Successfully merging this pull request may close these issues.

Training-agent baseline regressions exposed by @adcp/sdk@6.7.0 bump (PR #3962)