Skip to content

docs(proposals): trust-boundary section + deprecate Account.sandbox#1516

Merged
bokelley merged 1 commit into
mainfrom
bokelley/sandbox-authority-doc-tidy
May 3, 2026
Merged

docs(proposals): trust-boundary section + deprecate Account.sandbox#1516
bokelley merged 1 commit into
mainfrom
bokelley/sandbox-authority-doc-tidy

Conversation

@bokelley

@bokelley bokelley commented May 3, 2026

Copy link
Copy Markdown
Contributor

Summary

Three doc-tidy items from PR #1453's expert reviews. No behavior change.

docs/proposals/lifecycle-state-and-sandbox-authority.md

Adds an explicit Trust boundary section at the top of the cross-implementation story. Names what the boundary IS (resolver-stamped Account.mode, sourced from the seller's tenant store keyed by authenticated principal) and what it is NOT:

  • The wire AccountReference.sandbox flag (buyer input — buyer has every incentive to claim sandbox status when calling test-only surfaces against a live tenant).
  • The presence of a sandbox_<id> prefix or similar seller-internal convention.
  • An environment variable like ADCP_SANDBOX=1 (process-scoped, wrong granularity).

Calls out the resolver-discipline gotcha — spreading buyer input into the resolved account effectively moves the trust boundary onto the wire and defeats the framework gate. Includes a wrong/right code example.

Account.sandbox deprecation

Server-side Account.sandbox (in src/lib/server/decisioning/account.ts) is now @deprecated in favor of Account.mode. Existing adopters stamping sandbox: true keep working via getAccountMode's legacy fallback. The field will be removed in a future major.

Wire-side AccountReference.sandbox is unchanged — it's part of AdCP's natural-key disambiguation per the spec's core/account-ref.json. Deprecation is server-side only.

Changeset

Documents the deprecation queue so the next major-version bump knows what to drop.

Out of scope

Two related items the protocol-expert review flagged that don't fit this PR:

  • Mock-server normative-status statement in docs/architecture/adcp-stack.md — that doc lives upstream on adcontextprotocol.org's protocol docs site, not in this repo. Filing as a separate upstream issue.
  • Storyboard coverage gap for live-mode denial — filed as adcontextprotocol/adcp#4028.

Test plan

  • npm run build clean
  • npm run format:check clean
  • No code-behavior changes — pure docs + JSDoc deprecation marker

Refs

🤖 Generated with Claude Code

Three doc-tidy items from PR #1453's expert reviews. No behavior change.

- docs/proposals/lifecycle-state-and-sandbox-authority.md: adds an
  explicit "Trust boundary" section. Names what the boundary IS
  (resolver-stamped Account.mode, sourced from the seller's tenant store
  keyed by authenticated principal) and what it is NOT (wire
  AccountReference.sandbox, account-id prefix shape, env vars). Calls
  out the resolver-discipline gotcha — spreading buyer input into the
  resolved account effectively moves the trust boundary onto the wire,
  defeating the framework gate.
- Account.sandbox in src/lib/server/decisioning/account.ts is now
  @deprecated in favor of Account.mode. Existing adopters keep working
  via getAccountMode's legacy fallback. Wire-side
  AccountReference.sandbox is unchanged — it's part of AdCP's
  natural-key disambiguation per core/account-ref.json.
- Changeset documents the deprecation queue for the next major.

Filed separately upstream: adcontextprotocol/adcp#4028 (storyboard
coverage gap — no scenario exercises comply_test_controller denial
against live-mode accounts).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@bokelley bokelley merged commit 6dd6e53 into main May 3, 2026
10 checks passed
@bokelley bokelley deleted the bokelley/sandbox-authority-doc-tidy branch May 3, 2026 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant