Skip to content

docs(security): add governance_agents[].url to the SSRF URL-field enumeration#5718

Merged
bokelley merged 1 commit into
mainfrom
fix/governance-agent-url-ssrf-doc
Jun 26, 2026
Merged

docs(security): add governance_agents[].url to the SSRF URL-field enumeration#5718
bokelley merged 1 commit into
mainfrom
fix/governance-agent-url-ssrf-doc

Conversation

@bokelley

Copy link
Copy Markdown
Contributor

Closes #5715.

What

Adds accounts[].governance_agents[].url to the SSRF URL-field enumeration in docs/building/by-layer/L1/security.mdx.

Why

When a buyer registers a governance agent via sync_governance, the seller persists governance_agents[].url and calls out to it (check_governance) before committing a media buy. That is a counterparty-supplied URL the seller fetches — a textbook SSRF vector — on par with the webhook/notification URLs already listed.

The enumeration already framed the rule as covering URLs that "a buyer, seller, or governance agent provides," but the explicit list omitted the governance-agent URL itself. The URL otherwise appeared in security.mdx only within the JWS profile (which SSRF-controls jwks_uri and the revocation-list URL), never as the check_governance target.

Listing it routes the seller's outbound check_governance fetch through the existing Webhook URL validation checklist (HTTPS-only, reserved-range rejection, connection pinning, no redirects, body/timeout caps).

Notes

🤖 Generated with Claude Code

…tion (#5715)

The seller's outbound check_governance call targets the buyer-supplied
accounts[].governance_agents[].url, making it a counterparty-supplied-URL
SSRF vector on par with the webhook/notification URLs already enumerated.
Add it to the Webhook URL validation (SSRF) list in security.mdx so the
same checklist (HTTPS-only, reserved-range rejection, connection pinning,
no redirects, body/timeout caps) applies.

Closes #5715

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mintlify

mintlify Bot commented Jun 26, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
adcp 🟢 Ready View Preview Jun 26, 2026, 9:52 AM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@aao-release-bot aao-release-bot Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct gap-closer. A counterparty-supplied URL the seller fetches belongs in the SSRF enumeration, full stop — the prose already claimed to cover "governance agent" URLs but the explicit list didn't carry the field.

Things I checked

  • Field path is real and exact. accounts[].governance_agents[].url exists in static/schemas/source/core/account.json:106-114format: uri, required, additionalProperties: false, registered via sync_governance. The doc string matches the schema path character-for-character.
  • The egress is real. check_governance is a defined governance task (static/schemas/source/governance/check-governance-request.json). The seller persists the buyer-supplied agent URL and calls out to it before committing a media buy — textbook counterparty-supplied-URL SSRF, on par with push_notification_config.url and the notification_configs[].url already listed at security.mdx:100.
  • The parenthetical does load-bearing work: "(the seller fetches this when it calls check_governance)" names who fetches and when, which is the distinction that makes it an SSRF vector rather than just another URL field. Right shape.
  • Changeset correctly omitted — docs/building/** is not a protocol release surface per the changeset policy, and the wire shape is unchanged.

No follow-ups, no nits. One line, correct, and it tightens a security checklist that was already framed to include this.

LGTM.

@bokelley bokelley merged commit b351546 into main Jun 26, 2026
20 checks passed
@bokelley bokelley deleted the fix/governance-agent-url-ssrf-doc branch June 26, 2026 10:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

docs(security): add governance_agents[].url to the SSRF URL-field enumeration

1 participant