
fix(adagents): accept property-level publisher_domain in managerdomain scope gate #4283

Merged
bokelley merged 1 commit into main from
claude/managerdomain-scope-property-level
May 9, 2026

@bokelley bokelley commented May 9, 2026

The explicit-publisher-scoping gate from #4173 only inspected per-agent paths (`authorized_agents[].publisher_properties[].publisher_domain` and `authorized_agents[].collections[].publisher_domain`). Probing real production manifests after #4251 landed showed every managed-network manager rejects under that gate — Mediavine, the only manager currently serving an `adagents.json` against a publisher with a `MANAGERDOMAIN` pointer (`homestratosphere.com → mediavine.com`), uses property-level scoping with tag-based agent references:

```json
{
  "properties": [{
    "property_id": "the_hollywood_gossip",
    "publisher_domain": "thehollywoodgossip.com",
    "tags": ["scope3-aee"]
  }],
  "authorized_agents": [{
    "authorization_type": "property_tags",
    "property_tags": ["scope3-aee"]
  }]
}
```

The cross-publisher commitment IS expressly declared — just routed through the property layer rather than re-spelled per-agent.

Fix

Gate now accepts either shape:

  • Per-agent paths (unchanged): `publisher_properties[].publisher_domain` or `collections[].publisher_domain` directly names the publisher.
  • Property-level paths (new): a `properties[]` entry carries `publisher_domain` matching the source AND at least one `authorized_agents[]` entry reaches that property indirectly via `property_ids` or `property_tags`.

Cross-publisher confusion still fails closed:

  • A property belonging to a different publisher can't satisfy the gate.
  • An agent referencing a tag none of the publisher's properties carry can't satisfy it either.

Tests

  • `property_tags` + property-level `publisher_domain` (Mediavine pattern) — accepts.
  • `property_ids` + property-level `publisher_domain` — accepts.
  • Foreign-property cross-publisher rejection — fails closed.
  • No-matching-tag rejection (publisher property has tags A, agent points at tag B) — fails closed.

84/84 unit tests green.

Discussion

Sent design question to @patmmccann on #4173 (comment) about whether per-agent should remain the only normative shape, or both are equally valid. Landing the additive fix in the meantime since:

  1. The property-level shape is in deployed production manifests today (Mediavine).
  2. The cross-publisher commitment invariant holds either way — manager must positively name the publisher somewhere in the manifest.
  3. Without this, the entire managerdomain fallback feature is effectively dormant against real ecosystems.

Will update if Patrick prefers a stricter reading.

Refs #4173, #4200, #4251.
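
The two accepted shapes and the two fail-closed cases described in the PR, as an added sketch that is not the project's own code. The type names, `sameDomain` and `managerNamesPublisher` are hypothetical, the case-insensitive domain comparison is an assumption, and only the manifest field names are taken from the description above.

```typescript
// Added illustration: type and function names are hypothetical; field names come from the PR text.
interface Scoped { publisher_domain?: string }
interface Property extends Scoped { property_id?: string; tags?: string[] }
interface Agent {
  authorization_type?: string;
  publisher_properties?: Scoped[];
  collections?: Scoped[];
  property_ids?: string[];
  property_tags?: string[];
}
interface Manifest { properties?: Property[]; authorized_agents?: Agent[] }

// Assumption: domains compare case-insensitively; the real gate may normalise differently.
function sameDomain(a: string | undefined, b: string): boolean {
  return typeof a === "string" && a.trim().toLowerCase() === b.trim().toLowerCase();
}

function managerNamesPublisher(manifest: Manifest, publisher: string): boolean {
  const agents = manifest.authorized_agents ?? [];

  // Shape 1 (per-agent): the agent entry itself names the publisher.
  const perAgent = agents.some((a) =>
    (a.publisher_properties ?? []).concat(a.collections ?? [])
      .some((s) => sameDomain(s.publisher_domain, publisher)));
  if (perAgent) return true;

  // Shape 2 (property-level): only properties declared for this publisher count,
  // so a property belonging to a different publisher can never satisfy the gate.
  const owned = (manifest.properties ?? [])
    .filter((p) => sameDomain(p.publisher_domain, publisher));

  // At least one agent must reach an owned property by id or by a tag it carries.
  return agents.some((a) => owned.some((p) =>
    (p.property_id !== undefined && (a.property_ids ?? []).indexOf(p.property_id) !== -1) ||
    (p.tags ?? []).some((t) => (a.property_tags ?? []).indexOf(t) !== -1)));
}

// Constructed sample manifests; the first mirrors the snippet in the PR description.
const tagScoped: Manifest = {
  properties: [{ property_id: "the_hollywood_gossip",
                 publisher_domain: "thehollywoodgossip.com", tags: ["scope3-aee"] }],
  authorized_agents: [{ authorization_type: "property_tags", property_tags: ["scope3-aee"] }],
};
const wrongTag: Manifest = {
  properties: tagScoped.properties,
  authorized_agents: [{ authorization_type: "property_tags", property_tags: ["other-tag"] }],
};
```

Here `managerNamesPublisher(tagScoped, "thehollywoodgossip.com")` is true, while querying the same manifest for a different publisher, or using `wrongTag`, returns false.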

…n scope gate

The explicit-publisher-scoping gate from #4173 only inspected per-agent
paths (authorized_agents[].publisher_properties[].publisher_domain and
authorized_agents[].collections[].publisher_domain). Probing real
production manifests showed every managed-network manager rejects under
that gate — Mediavine, the only manager currently serving an
adagents.json against a publisher with a managerdomain pointer
(homestratosphere.com → mediavine.com), uses property-level scoping with
tag-based agent references.

Real shape:

  properties: [{ publisher_domain: "...", tags: ["scope3-aee"] }]
  authorized_agents: [{ authorization_type: "property_tags",
                        property_tags: ["scope3-aee"] }]

The cross-publisher commitment IS expressly declared — just routed
through the property layer rather than re-spelled per-agent.

Gate now accepts either shape. Per-agent paths unchanged; new property-
level path requires a properties[] entry with publisher_domain matching
the source AND an authorized_agents[] entry that reaches that property
via property_ids or property_tags.

Cross-publisher confusion still fails closed — foreign properties can't
satisfy the gate, and agents referencing tags none of the publisher's
properties carry can't either.

Tests: property_tags + property-level publisher_domain (Mediavine
pattern), property_ids + property-level publisher_domain, foreign-
property rejection, no-matching-tag rejection. 84/84 unit tests green.

Surfaced via real-world probe of homestratosphere.com / mediavine.com.
Sent design question to @patmmccann on #4173 about whether per-agent
should remain the only normative shape — landing additive in the
meantime since the property-level shape is in deployed production
manifests today and the cross-publisher commitment holds.
@bokelley bokelley merged commit 342a9b1 into main May 9, 2026
13 checks passed
@bokelley bokelley deleted the claude/managerdomain-scope-property-level branch May 9, 2026 08:50
bokelley added a commit that referenced this pull request May 9, 2026
Adds server/scripts/probe-managerdomain-fallback.ts — ad-hoc developer tool that hits live DNS / public web against a small fixture of known publisher-manager pairs and asserts the AdAgentsValidationResult envelope.

Not for CI; meant as a manual probe to confirm the fallback path still works against real managed-network publishers. Existed as a manual curl exercise; moving the fixture set into version control so future regressions are caught on demand. The original gap fixed in #4283 is exactly what this would have caught.

Initial run surfaced three real-world divergences (captured as TODOs in fixture rationales): craftgossip's malformed JSON, homestratosphere's fallback not reaching the scope gate (likely validator schema delta against Mediavine's agent_url field), and freestar.com not yet serving a manifest.

Refs #4173, #4200, #4283.