npm - @adcp/sdk - Versions diffs - 6.9.0 → 6.11.0 - Mend

@adcp/sdk 6.9.0 → 6.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (261) hide show

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/012-missing-expires-param.json ADDED Viewed

@@ -0,0 +1,26 @@
+{
+  "name": "Signature-Input omits the required expires parameter",
+  "spec_reference": "#webhook-callbacks (params_incomplete at step 2)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:nqTKCpjlqf1OqZPuJyPeiF7HJ01G8KmPNSzzmad0PAJv7OUVKthI7ks_j4G-6x1H4mBpXDIISgX_iZQiYvG7Dg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_params_incomplete",
+    "failed_step": 2
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/013-expires-le-created.json ADDED Viewed

@@ -0,0 +1,26 @@
+{
+  "name": "expires ≤ created — rejected at step 5",
+  "spec_reference": "#webhook-callbacks (window_invalid at step 5)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776520800;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:2ZJGvmo9D5t_6m4wyzcFeOmj1wULo5XqmYKIB2S85WsLNyn6g--ZL9ABa3y66kcdNW9hyvjPHdUr4HnHngQbAw:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776520800;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_window_invalid",
+    "failed_step": 5
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/014-missing-nonce-param.json ADDED Viewed

@@ -0,0 +1,26 @@
+{
+  "name": "Signature-Input omits the required nonce parameter",
+  "spec_reference": "#webhook-callbacks (params_incomplete at step 2)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:nqTKCpjlqf1OqZPuJyPeiF7HJ01G8KmPNSzzmad0PAJv7OUVKthI7ks_j4G-6x1H4mBpXDIISgX_iZQiYvG7Dg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_params_incomplete",
+    "failed_step": 2
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/015-signature-invalid.json ADDED Viewed

@@ -0,0 +1,26 @@
+{
+  "name": "Signature bytes do not verify against the declared key",
+  "spec_reference": "#webhook-callbacks (invalid at step 10)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:YaTKCpjlqf1OqZPuJyPeiF7HJ01G8KmPNSzzmad0PAJv7OUVKthI7ks_j4G-6x1H4mBpXDIISgX_iZQiYvG7Dg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_invalid",
+    "failed_step": 10
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/016-replayed-nonce.json ADDED Viewed

@@ -0,0 +1,37 @@
+{
+  "name": "Nonce already seen within the replay-cache window — requires runner state",
+  "spec_reference": "#webhook-callbacks (replayed at step 12)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"REPLAYEDwebhook16byteA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:ZVRllejdoOlcnH1VkRrzv901IucAouTrwja2a0fv5F08f2Q2ahbpSxRrmnTLtXVEMgRfBZ_n1X8SGurLifJ_BQ:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"REPLAYEDwebhook16byteA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_replayed",
+    "failed_step": 12
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2.",
+  "requires_contract": "webhook_receiver_runner",
+  "test_harness_state": {
+    "replay_cache_entries": [
+      {
+        "keyid": "test-ed25519-webhook-2026",
+        "nonce": "REPLAYEDwebhook16byteA"
+      }
+    ]
+  },
+  "black_box_behavior": "deliver_twice",
+  "black_box_note": "In black-box mode, the runner delivers this vector twice with the same nonce within the replay window; the receiver MUST accept the first and reject the second with webhook_signature_replayed."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/017-key-revoked.json ADDED Viewed

@@ -0,0 +1,32 @@
+{
+  "name": "keyid is in the revocation list — rejected at step 9",
+  "spec_reference": "#webhook-callbacks (key_revoked at step 9)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-revoked-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:NjUVgJNsca2rd5ulEXjVwqlmpqBzGXbZ_EKgc188KklSV__NOngjvEDpUXeAqhOsF5BhXuf4zP3jtdtvk6jEAg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-revoked-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-revoked-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_key_revoked",
+    "failed_step": 9
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2.",
+  "requires_contract": "webhook_receiver_runner",
+  "test_harness_state": {
+    "revoked_kids": [
+      "test-revoked-webhook-2026"
+    ]
+  }
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/018-rate-abuse.json ADDED Viewed

@@ -0,0 +1,33 @@
+{
+  "name": "Per-keyid replay cache exceeded its entry cap — rejected at step 9a",
+  "spec_reference": "#webhook-callbacks; rate_abuse at step 9a",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:nqTKCpjlqf1OqZPuJyPeiF7HJ01G8KmPNSzzmad0PAJv7OUVKthI7ks_j4G-6x1H4mBpXDIISgX_iZQiYvG7Dg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_rate_abuse",
+    "failed_step": 9,
+    "sub_step": "a"
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2.",
+  "requires_contract": "webhook_receiver_runner",
+  "test_harness_state": {
+    "per_keyid_cap_filled_for": "test-ed25519-webhook-2026"
+  },
+  "black_box_behavior": "pre_fill_per_keyid_cap",
+  "black_box_note": "Runner pre-fills the per-keyid replay cache for this keyid to its grading_target_per_keyid_cap_entries before delivering this vector; receiver MUST reject with webhook_signature_rate_abuse without cryptographic verification (step 9a runs before step 10)."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/019-revocation-stale.json ADDED Viewed

@@ -0,0 +1,32 @@
+{
+  "name": "Revocation list has not been refreshed within grace — rejected at step 9",
+  "spec_reference": "#webhook-callbacks; revocation_stale at step 9",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:nqTKCpjlqf1OqZPuJyPeiF7HJ01G8KmPNSzzmad0PAJv7OUVKthI7ks_j4G-6x1H4mBpXDIISgX_iZQiYvG7Dg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_revocation_stale",
+    "failed_step": 9
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2.",
+  "requires_contract": "webhook_receiver_runner",
+  "test_harness_state": {
+    "revocation_list_stale_seconds": 3600
+  },
+  "black_box_behavior": "simulate_stale_revocation_fetch",
+  "black_box_note": "Runner signals to the receiver that the revocation list has not refreshed within grace (the receiver's next_update + grace window has elapsed). Receiver MUST block new webhook verifications with webhook_signature_revocation_stale until the list is refreshed. Runners without this capability skip the vector as not_applicable."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/020-key-ops-missing-verify.json ADDED Viewed

@@ -0,0 +1,41 @@
+{
+  "name": "Signing JWK has key_ops=[\"sign\"] (missing \"verify\") — rejected at step 8",
+  "spec_reference": "#webhook-callbacks; key_purpose_invalid at step 8",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:nqTKCpjlqf1OqZPuJyPeiF7HJ01G8KmPNSzzmad0PAJv7OUVKthI7ks_j4G-6x1H4mBpXDIISgX_iZQiYvG7Dg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_key_purpose_invalid",
+    "failed_step": 8
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2.",
+  "jwks_override": {
+    "test-ed25519-webhook-2026": {
+      "kid": "test-ed25519-webhook-2026",
+      "kty": "OKP",
+      "crv": "Ed25519",
+      "alg": "EdDSA",
+      "use": "sig",
+      "key_ops": [
+        "sign"
+      ],
+      "adcp_use": "webhook-signing",
+      "x": "y7tTfeqazsFeTn3ccCzQlcJ4qFWuYsu-JkJAcfc9VoA"
+    }
+  },
+  "jwks_override_note": "Vector presents the verifier with a JWK whose key_ops excludes \"verify\". Step 8 requires key_ops includes \"verify\" — receiver MUST reject. The signature itself is valid; step 8 short-circuits before signature verification (step 10)."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/negative/021-base64-alphabet-mixing.json ADDED Viewed

@@ -0,0 +1,26 @@
+{
+  "name": "Signature sf-binary token mixes base64url and standard-base64 alphabets — rejected at step 1",
+  "spec_reference": "#adcp-rfc-9421-profile (binary value encoding); header_malformed at step 1",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:A+B-CDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789AB:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": false,
+    "error_code": "webhook_signature_header_malformed",
+    "failed_step": 1
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/positive/001-basic-post.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "Basic POST webhook, Ed25519, all five required components covered",
+  "spec_reference": "#verifier-checklist-for-webhooks (all steps pass)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:nqTKCpjlqf1OqZPuJyPeiF7HJ01G8KmPNSzzmad0PAJv7OUVKthI7ks_j4G-6x1H4mBpXDIISgX_iZQiYvG7Dg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": true
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/positive/002-es256-post.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "ES256 webhook POST, all required components covered",
+  "spec_reference": "#verifier-checklist-for-webhooks, #adcp-rfc-9421-profile (alg allowlist)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-es256-webhook-2026\";alg=\"ecdsa-p256-sha256\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:iVB5KDEpieLdhi-wx1z9ZEPPJLDCN0JRjInTVCxN4STDBFCAgk78UIIbwWNlSVT3pChDfloWxXezPRxqT5IspQ:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-es256-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-es256-webhook-2026\";alg=\"ecdsa-p256-sha256\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": true
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/positive/003-multiple-signature-labels.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "Multiple Signature-Input labels; verifier processes sig1 only",
+  "spec_reference": "#webhook-callbacks (one signature per webhook)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\", relay=(\"@method\" \"@target-uri\" \"@authority\");created=1776520800;expires=1776521100;nonce=\"relayNonce000000000\";keyid=\"relay-key\";alg=\"ed25519\";tag=\"some-other-profile\"",
+      "Signature": "sig1=:nqTKCpjlqf1OqZPuJyPeiF7HJ01G8KmPNSzzmad0PAJv7OUVKthI7ks_j4G-6x1H4mBpXDIISgX_iZQiYvG7Dg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": true
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/positive/004-default-port-stripped.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "URL has :443 explicitly; canonicalization strips it before signing",
+  "spec_reference": "#adcp-rfc-9421-profile (target-uri canonicalization step 4)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com:443/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:nqTKCpjlqf1OqZPuJyPeiF7HJ01G8KmPNSzzmad0PAJv7OUVKthI7ks_j4G-6x1H4mBpXDIISgX_iZQiYvG7Dg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": true
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/positive/005-percent-encoded-path.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "Path has lowercase %xx; canonicalization uppercases hex digits",
+  "spec_reference": "#adcp-rfc-9421-profile (target-uri canonicalization step 6)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_%e2%98%83",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:xVYEHK2oS2PWxIYU9iyB96ObGdP-xl-4PoNazA12JO-GLXULtEwoEd9b9yM40Y-XcZ3kTX9ZA8KMms4ZTfA2Bg:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_%E2%98%83\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": true
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/positive/006-query-byte-preserved.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "Query string preserved byte-for-byte (not alphabetized)",
+  "spec_reference": "#adcp-rfc-9421-profile (target-uri canonicalization step 7)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook?b=2&a=1&c=3",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:a7ON0g72rNf2Y1BmlkoUiqBpKM-GhPSc-crRm9SBSDkKlefoy4NVS0LxElWANQPUyrmtK91Nsomg43rFD_kYAw:"
+    },
+    "body": "{\"idempotency_key\":\"whk_01HW9D3H8FZP2N6R8T0V4X6Z9B\",\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook?b=2&a=1&c=3\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:dJ2koiIMZIhdGE7tidErCHV13FFvOIowCcXDiwyG54I=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": true
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}

package/compliance/cache/3.0.6.previous/test-vectors/webhook-signing/positive/007-body-without-idempotency-key.json ADDED Viewed

@@ -0,0 +1,25 @@
+{
+  "name": "Body omits idempotency_key; signature still verifies (schema validation is a separate later check)",
+  "spec_reference": "#webhook-callbacks; demonstrates signature/payload-schema separation (idempotency_key required at payload schema per #2417, not at signature layer)",
+  "reference_now": 1776520800,
+  "request": {
+    "method": "POST",
+    "url": "https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc",
+    "headers": {
+      "Content-Type": "application/json",
+      "Content-Digest": "sha-256=:OuudqWPNz6iqVxXQsQaJYc8qkpeYonU3vsHE5ONY0V8=:",
+      "Signature-Input": "sig1=(\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+      "Signature": "sig1=:ne1wlfDbj56y3YNTA6M55QI6ZpLmGlvXU6fi1UDIscjyiD7r6LA2uTQghBK11Z2MzaPXN-c7iUzPw9ulXMMBAw:"
+    },
+    "body": "{\"task_id\":\"task_456\",\"operation_id\":\"op_abc\",\"status\":\"completed\",\"result\":{\"media_buy_id\":\"mb_001\"}}"
+  },
+  "jwks_ref": [
+    "test-ed25519-webhook-2026"
+  ],
+  "expected_signature_base": "\"@method\": POST\n\"@target-uri\": https://buyer.example.com/adcp/webhook/create_media_buy/agent_123/op_abc\n\"@authority\": buyer.example.com\n\"content-type\": application/json\n\"content-digest\": sha-256=:OuudqWPNz6iqVxXQsQaJYc8qkpeYonU3vsHE5ONY0V8=:\n\"@signature-params\": (\"@method\" \"@target-uri\" \"@authority\" \"content-type\" \"content-digest\");created=1776520800;expires=1776521100;nonce=\"KXYnfEfJ0PBRZXQyVXfVQA\";keyid=\"test-ed25519-webhook-2026\";alg=\"ed25519\";tag=\"adcp/webhook-signing/v1\"",
+  "expected_outcome": {
+    "success": true,
+    "notes": "9421 signature verifies. A conformant receiver SHOULD subsequently reject this payload at schema validation (mcp-webhook-payload.json requires idempotency_key); that is NOT a signature error and does not map to any webhook_signature_* code."
+  },
+  "$comment": "Signature generated by .context/generate-webhook-vectors.mjs from expected_signature_base using the named private key in keys.json. Ed25519 is deterministic; ES256 uses IEEE P1363 (r||s) encoding per RFC 9421 §3.3.2."
+}