fix(compliance): treat deprecated signed-requests specialism as universal alias

[kapoost]

Summary

Fixes #2237. Two coupled fixes per bokelley's triage — both must land together; either alone leaves adopters stuck.

What changed

1. Pre-flight resolveStoryboardsForCapabilities (compliance.ts)

resolveStoryboardsForCapabilities was throwing unknown_specialism on the deprecated signed-requests claim because the bundle lives in universal/signed-requests.yaml, not specialisms/signed-requests/. That blocked every other storyboard from running and prevented the signed_requests_specialism_deprecated notice (#2082) from ever firing.

• Added DEPRECATED_SPECIALISM_UNIVERSAL_ALIASES map (one entry today: signed-requests → signed-requests).
• When the declared specialism is in this map AND its universal bundle exists in the cache, resolution continues silently. The universal storyboard is already pushed unconditionally; the deprecation notice fires from runner.ts:collectCapabilityNotices.
• Throw preserved when the universal bundle is absent (stale cache guard).

2. Boot guard createAdcpServer (create-adcp-server.ts)

The previous guard required the deprecated signed-requests specialism claim whenever signedRequests was configured, contradicting the universal storyboard's "drop the now-redundant specialism claim and rely solely on request_signing.supported: true" guidance.

• Widens the guard to accept either discovery surface:
  • Canonical 3.1+ (recommended): capabilities.request_signing.supported: true, no deprecated claim.
  • Back-compat: specialisms: ['signed-requests'].
• Still rejects the "config present, nothing advertised" case (both surfaces absent / supported: false).
• JSDoc on SignedRequestsConfig updated to document both paths.

The companion guard at L3683 (claim + supported !== true throws) is unchanged — back-compat path still requires the capability flag, the canonical path doesn't need both.

Test plan

• node --test --test-name-pattern="resolveStoryboardsForCapabilities" test/lib/storyboard-security.test.js — 11/11 green (8 existing + 3 new for the deprecated alias path)
• node --test --test-name-pattern="startup validation" test/server-auto-signed-requests.test.js — 11/11 green (8 existing + 3 new for the canonical 3.1+ form + both failure modes)
• npm run build — clean
• Spot-checked against real seller against @adcp/sdk@9.0.0-beta.27: with both fixes, adcp storyboard run no longer pre-flight aborts when the seller wires signedRequests config; whether the seller uses the canonical 3.1+ form OR the back-compat specialism claim, the boot succeeds, the verifier blocks unsigned mutating ops as expected, and the rest of the sales-non-guaranteed track grades normally.

Triage compliance

bokelley's #2237 triage is implemented as specified:

• ✅ compliance.ts L821: continue before throw when universal bundle exists (not a fall-through suppress)
• ✅ create-adcp-server.ts L3663: guard widened with && capConfig?.request_signing?.supported !== true
• ✅ JSDoc updated at SignedRequestsConfig ("both together or neither" → 3.1+ alternative documented)
• ✅ Unit tests for both surfaces in their respective test files
• ✅ One PR covers both files

Related

• Closes adcp-client#2237
• Companion to adcp-client#2082 (notice emission, completed) — notice now actually reaches the runner
• Universal storyboard contract: compliance/cache/3.1.0-rc.10/universal/signed-requests.yaml § "Backward-compatible specialism claims"
• 4.0 enum removal: patch: reclassify signed-requests from specialism to universal capability-gated storyboard adcp#3075

🤖 Generated with Claude Code

[aao-ipr-bot]

⚠️ Argus review could not complete

The automated review encountered an issue (possibly reached max turns, timed out, or failed to post the final gh pr review). A human reviewer should take this PR.

View workflow run

_{This is an automated message from the Argus AI review workflow.}

[aao-ipr-bot]

⚠️ Argus review could not complete

The automated review encountered an issue (possibly reached max turns, timed out, or failed to post the final gh pr review). A human reviewer should take this PR.

View workflow run

_{This is an automated message from the Argus AI review workflow.}

[aao-ipr-bot]

⚠️ Argus review could not complete

The automated review encountered an issue (possibly reached max turns, timed out, or failed to post the final gh pr review). A human reviewer should take this PR.

View workflow run

_{This is an automated message from the Argus AI review workflow.}