Feature/gam graceful order approval

.github/ISSUE_TEMPLATE/test-coverage-remediation.md

@@ -141,7 +141,7 @@ Already configured in `.pre-commit-config.yaml`:
 ```yaml
 - id: detect-test-antipatterns
   entry: uv run python scripts/detect_test_antipatterns.py
-  files: '^(tests/.*\.py|src/a2a_server/adcp_a2a_server\.py)$'
+  files: '^tests/.*\.py$'
 ```
 
 ## Testing Philosophy

.github/workflows/publish-image.yml

@@ -0,0 +1,140 @@
+name: Publish Image
+
+on:
+  push:
+    branches: [ main, develop ]
+    tags: ['v*.*.*']
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    name: Build and Push to GHCR
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git init "$GITHUB_WORKSPACE"
+          cd "$GITHUB_WORKSPACE"
+          git remote add origin "https://github.com/${GITHUB_REPOSITORY}.git"
+          git fetch --no-tags --prune --depth=1 origin "$GITHUB_REF"
+          git -c advice.detachedHead=false checkout --force FETCH_HEAD
+          git clean -ffdx
+
+      - name: Set up QEMU
+        run: docker run --privileged --rm tonistiigi/binfmt --install amd64,arm64
+
+      - name: Set up Docker Buildx
+        run: |
+          docker buildx create --name salesagent-builder --use
+          docker buildx inspect --bootstrap
+
+      - name: Log in to GHCR
+        env:
+          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: echo "${GHCR_TOKEN}" | docker login "${REGISTRY}" -u "${{ github.actor }}" --password-stdin
+
+      - name: Extract metadata
+        id: meta
+        run: |
+          set -euo pipefail
+
+          image="${REGISTRY}/${IMAGE_NAME}"
+          tags=()
+
+          if [ "${GITHUB_REF_TYPE}" = "branch" ]; then
+            safe_ref="${GITHUB_REF_NAME//\//-}"
+            tags+=("${image}:${safe_ref}")
+          fi
+
+          if [[ "${GITHUB_REF_TYPE}" = "tag" && "${GITHUB_REF_NAME}" =~ ^v?([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+            version="${GITHUB_REF_NAME#v}"
+            IFS=. read -r major minor patch <<< "${version}"
+            tags+=("${image}:${version}")
+            tags+=("${image}:${major}.${minor}")
+          fi
+
+          tags+=("${image}:sha-${GITHUB_SHA:0:7}")
+
+          if [ "${GITHUB_REF_NAME}" = "${{ github.event.repository.default_branch }}" ]; then
+            tags+=("${image}:latest")
+          fi
+
+          {
+            echo "tags<<EOF"
+            printf '%s\n' "${tags[@]}"
+            echo "EOF"
+            echo "labels<<EOF"
+            echo "org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}"
+            echo "org.opencontainers.image.revision=${GITHUB_SHA}"
+            echo "EOF"
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Compute lockfile hash
+        id: lockhash
+        run: |
+          # ``LOCKFILE_HASH`` invalidates the uv install layer when
+          # uv.lock changes — otherwise a BuildKit cache-mount edge case
+          # can reuse a stale venv across dep bumps. See CLAUDE.md.
+          echo "value=$(shasum -a 256 uv.lock | awk '{print $1}')" >> "$GITHUB_OUTPUT"
+
+      - name: Build image for vulnerability scan
+        env:
+          LOCKFILE_HASH: ${{ steps.lockhash.outputs.value }}
+          SCAN_IMAGE: salesagent-scan:${{ github.sha }}
+        run: |
+          set -euo pipefail
+
+          docker buildx build \
+            --platform linux/amd64 \
+            --load \
+            --tag "${SCAN_IMAGE}" \
+            --build-arg "LOCKFILE_HASH=${LOCKFILE_HASH}" \
+            --build-arg "GIT_SHA=${GITHUB_SHA}" \
+            --build-arg "GIT_BRANCH=${GITHUB_REF_NAME}" \
+            .
+
+      - name: Trivy vulnerability gate
+        env:
+          SCAN_IMAGE: salesagent-scan:${{ github.sha }}
+        run: scripts/ci/trivy_image_gate.sh "${SCAN_IMAGE}"
+
+      - name: Build and push
+        env:
+          TAGS: ${{ steps.meta.outputs.tags }}
+          LABELS: ${{ steps.meta.outputs.labels }}
+          LOCKFILE_HASH: ${{ steps.lockhash.outputs.value }}
+        run: |
+          set -euo pipefail
+
+          tag_args=()
+          while IFS= read -r tag; do
+            [ -n "$tag" ] && tag_args+=(--tag "$tag")
+          done <<< "$TAGS"
+
+          label_args=()
+          while IFS= read -r label; do
+            [ -n "$label" ] && label_args+=(--label "$label")
+          done <<< "$LABELS"
+
+          docker buildx build \
+            --platform linux/amd64,linux/arm64 \
+            --push \
+            "${tag_args[@]}" \
+            "${label_args[@]}" \
+            --build-arg "LOCKFILE_HASH=${LOCKFILE_HASH}" \
+            --build-arg "GIT_SHA=${GITHUB_SHA}" \
+            --build-arg "GIT_BRANCH=${GITHUB_REF_NAME}" \
+            .

.github/workflows/release-please.yml

@@ -37,6 +37,30 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
+      - name: Compute lockfile hash
+        id: lockhash
+        run: |
+          # ``LOCKFILE_HASH`` invalidates the uv install layer when
+          # uv.lock changes — otherwise a BuildKit cache-mount edge case
+          # can reuse a stale venv across dep bumps. See CLAUDE.md.
+          echo "value=$(shasum -a 256 uv.lock | awk '{print $1}')" >> "$GITHUB_OUTPUT"
+
+      - name: Build image for vulnerability scan
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: Dockerfile
+          load: true
+          tags: salesagent-scan:${{ github.sha }}
+          build-args: |
+            LOCKFILE_HASH=${{ steps.lockhash.outputs.value }}
+            GIT_SHA=${{ github.sha }}
+            GIT_BRANCH=${{ github.ref_name }}
+          cache-from: type=gha
+
+      - name: Trivy vulnerability gate
+        run: scripts/ci/trivy_image_gate.sh "salesagent-scan:${{ github.sha }}"
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@v3
         with:
@@ -72,5 +96,9 @@ jobs:
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            LOCKFILE_HASH=${{ steps.lockhash.outputs.value }}
+            GIT_SHA=${{ github.sha }}
+            GIT_BRANCH=${{ github.ref_name }}
           cache-from: type=gha
           cache-to: type=gha,mode=max

.github/workflows/storyboard.yml

@@ -0,0 +1,192 @@
+name: Storyboard Validation
+
+on:
+  pull_request:
+    branches: [ main, develop ]
+  push:
+    branches: [ main, develop ]
+  schedule:
+    # Nightly latest-SDK drift check.
+    - cron: "23 9 * * *"
+  workflow_dispatch:
+    inputs:
+      latest_sdk_full:
+        description: "Also run the latest-SDK full assessment"
+        required: false
+        default: "false"
+        type: choice
+        options:
+          - "false"
+          - "true"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+env:
+  CONDUCTOR_PORT: "8000"
+  SEED_DEMO_AUTO_APPROVE: "1"
+
+permissions:
+  contents: read
+
+jobs:
+  pinned-smoke:
+    name: Pinned Storyboard Gate
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+    - uses: actions/checkout@v6
+
+    - name: Set up Node
+      uses: actions/setup-node@v5
+      with:
+        node-version: "24"
+
+    - name: Start services with docker compose
+      run: |
+        export LOCKFILE_HASH=$(shasum -a 256 uv.lock | awk '{print $1}')
+        docker compose up -d --wait --wait-timeout 180
+
+    - name: Run pinned storyboard gate
+      env:
+        AGENT_URL: http://localhost:8000
+        AGENT_TOKEN: ci-test-token
+        ADCP_SDK_VERSION: "7.11.0"
+        ALLOW_HTTP: "1"
+        PROTOCOLS: mcp,a2a
+        STORYBOARDS: capability_discovery,pagination_integrity_list_accounts,get_signals_pagination_integrity,signal_owned
+        REPORT_DIR: ${{ runner.temp }}/storyboard-pinned-smoke
+        TIMEOUT: "180"
+      run: ./scripts/storyboard-check.sh
+
+    - name: Upload storyboard reports
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: storyboard-pinned-smoke
+        path: ${{ runner.temp }}/storyboard-pinned-smoke
+        if-no-files-found: ignore
+
+    - name: Cleanup
+      if: always()
+      run: docker compose down -v
+
+  pinned-sales-non-guaranteed:
+    name: Pinned Sales Non-Guaranteed Assessment
+    runs-on: ubuntu-latest
+    timeout-minutes: 35
+
+    steps:
+    - uses: actions/checkout@v6
+
+    - name: Set up Node
+      uses: actions/setup-node@v5
+      with:
+        node-version: "24"
+
+    - name: Start services with docker compose
+      run: |
+        export LOCKFILE_HASH=$(shasum -a 256 uv.lock | awk '{print $1}')
+        docker compose up -d --wait --wait-timeout 180
+
+    - name: Run pinned sales non-guaranteed assessment
+      shell: bash
+      env:
+        AGENT_URL: http://localhost:8000
+        AGENT_TOKEN: ci-test-token
+        ADCP_SDK_VERSION: "7.11.0"
+        ALLOW_HTTP: "1"
+        PROTOCOLS: mcp,a2a
+        SPECIALISMS: sales-non-guaranteed
+        EXCLUDED_STORYBOARDS: security_baseline
+        BETWEEN_PROTOCOLS_HOOK: ./scripts/storyboard-reset-compose.sh
+        REPORT_DIR: ${{ runner.temp }}/storyboard-sales-non-guaranteed
+        TIMEOUT: "240"
+      run: |
+        set +e
+        ./scripts/storyboard-check.sh
+        rc=$?
+        if [[ $rc -eq 1 ]]; then
+          echo "Non-blocking storyboard assertion failures recorded; see uploaded reports."
+          exit 0
+        fi
+        exit "$rc"
+
+    - name: Upload storyboard reports
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: storyboard-sales-non-guaranteed
+        path: ${{ runner.temp }}/storyboard-sales-non-guaranteed
+        if-no-files-found: ignore
+
+    - name: Collect service logs
+      if: always()
+      run: docker compose logs > "${{ runner.temp }}/storyboard-sales-non-guaranteed-compose.log" 2>&1 || true
+
+    - name: Cleanup
+      if: always()
+      run: docker compose down -v
+
+    - name: Upload service logs
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: storyboard-sales-non-guaranteed-compose-logs
+        path: ${{ runner.temp }}/storyboard-sales-non-guaranteed-compose.log
+        if-no-files-found: ignore
+
+  latest-sdk-full:
+    name: Latest SDK Storyboard Drift
+    runs-on: ubuntu-latest
+    timeout-minutes: 35
+    if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.latest_sdk_full == 'true')
+
+    steps:
+    - uses: actions/checkout@v6
+
+    - name: Set up Node
+      uses: actions/setup-node@v5
+      with:
+        node-version: "24"
+
+    - name: Start services with docker compose
+      run: |
+        export LOCKFILE_HASH=$(shasum -a 256 uv.lock | awk '{print $1}')
+        docker compose up -d --wait --wait-timeout 180
+
+    - name: Run latest-SDK full assessment
+      shell: bash
+      env:
+        AGENT_URL: http://localhost:8000
+        AGENT_TOKEN: ci-test-token
+        ADCP_SDK_VERSION: latest
+        ALLOW_HTTP: "1"
+        PROTOCOLS: mcp,a2a
+        STORYBOARD: ""
+        BETWEEN_PROTOCOLS_HOOK: ./scripts/storyboard-reset-compose.sh
+        REPORT_DIR: ${{ runner.temp }}/storyboard-latest-sdk
+        TIMEOUT: "240"
+      run: |
+        set +e
+        ./scripts/storyboard-check.sh
+        rc=$?
+        if [[ $rc -eq 1 ]]; then
+          echo "Non-blocking storyboard assertion failures recorded; see uploaded reports."
+          exit 0
+        fi
+        exit "$rc"
+
+    - name: Upload storyboard reports
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: storyboard-latest-sdk
+        path: ${{ runner.temp }}/storyboard-latest-sdk
+        if-no-files-found: ignore
+
+    - name: Cleanup
+      if: always()
+      run: docker compose down -v