Enforce atomic operation semantics with success XOR error responses (#186)

* Enforce atomic operation semantics with success XOR error responses

Task response schemas now use oneOf discriminators to ensure responses contain either complete success data OR error information, never both. This prevents dangerous partial success scenarios in advertising operations (e.g., buyer requests "US + Tuesdays only" but gets created campaign without Tuesday constraint).

**Changes:**
- create-media-buy-response.json: oneOf success (requires media_buy_id, buyer_ref, packages) vs error (requires errors array)
- update-media-buy-response.json: oneOf success (requires media_buy_id, buyer_ref) vs error (requires errors array)
- build-creative-response.json: oneOf success (requires creative_manifest) vs error (requires errors array)
- provide-performance-feedback-response.json: oneOf success (requires success: true) vs error (requires errors array)
- webhook-payload.json: Conditional validation (if/then with allOf) to validate result field against appropriate task response schema based on task_type

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

* Add atomic response semantics to sync_creatives and activate_signal

Extended oneOf pattern to remaining mutating operations:
- sync-creatives-response.json: Distinguishes operation-level failures (auth, service down) from per-item failures (validation errors). Maintains best-effort batch semantics while enforcing atomic operation boundaries.
- activate-signal-response.json: Success requires decisioning_platform_segment_id; error requires errors array. Prevents dangerous scenarios where buyers think signal is active but it's not deployed.

All mutating operations across media-buy, signals, and creative protocols now enforce success XOR error semantics.

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: bokelley

.changeset/atomic-response-semantics.md

@@ -0,0 +1,105 @@
+---
+"adcontextprotocol": minor
+---
+
+Enforce atomic operation semantics with success XOR error response pattern. Task response schemas now use `oneOf` discriminators to ensure responses contain either complete success data OR error information, never both, never neither.
+
+**Response Pattern:**
+
+All mutating operations (create, update, build) now enforce strict either/or semantics:
+
+1. **Success response** - Operation completed fully:
+   ```json
+   {
+     "media_buy_id": "mb_123",
+     "buyer_ref": "campaign_2024_q1",
+     "packages": [...]
+   }
+   ```
+
+2. **Error response** - Operation failed completely:
+   ```json
+   {
+     "errors": [
+       {
+         "code": "INVALID_TARGETING",
+         "message": "Tuesday-only targeting not supported",
+         "suggestion": "Remove day-of-week constraint or select all days"
+       }
+     ]
+   }
+   ```
+
+**Why This Matters:**
+
+Partial success in advertising operations is dangerous and can lead to unintended spend or incorrect targeting. For example:
+- Buyer requests "US targeting + Tuesday-only dayparting"
+- Partial success returns created media buy without Tuesday constraint
+- Buyer might not notice error, campaign runs with wrong targeting
+- Result: Budget spent on unwanted inventory
+
+The `oneOf` discriminator enforces atomic semantics at the schema level - operations either succeed completely or fail completely. Buyers must explicitly choose to modify their requirements rather than having the system silently omit constraints.
+
+**Updated Schemas:**
+
+All mutating operation schemas now use `oneOf` with explicit success/error branches:
+
+**Media Buy Operations:**
+- `create-media-buy-response.json` - Success requires `media_buy_id`, `buyer_ref`, `packages`; Error requires `errors` array
+- `update-media-buy-response.json` - Success requires `media_buy_id`, `buyer_ref`; Error requires `errors` array
+- `build-creative-response.json` - Success requires `creative_manifest`; Error requires `errors` array
+- `provide-performance-feedback-response.json` - Success requires `success: true`; Error requires `errors` array
+- `sync-creatives-response.json` - Success requires `creatives` array (with per-item results); Error requires `errors` array (operation-level failures only)
+
+**Signals Operations:**
+- `activate-signal-response.json` - Success requires `decisioning_platform_segment_id`; Error requires `errors` array
+
+**Webhook Validation:**
+- `webhook-payload.json` - Uses conditional validation (`if/then` with `allOf`) to validate result field against the appropriate task response schema based on task_type. Ensures webhook results are properly validated against their respective task schemas.
+
+**Schema Structure:**
+
+```json
+{
+  "oneOf": [
+    {
+      "description": "Success response",
+      "required": ["media_buy_id", "buyer_ref", "packages"],
+      "not": {"required": ["errors"]}
+    },
+    {
+      "description": "Error response",
+      "required": ["errors"],
+      "not": {"required": ["media_buy_id", "buyer_ref", "packages"]}
+    }
+  ]
+}
+```
+
+The `not` constraints ensure responses cannot contain both success and error fields simultaneously.
+
+**Benefits:**
+
+- **Safety**: Prevents dangerous partial success scenarios in advertising operations
+- **Clarity**: Unambiguous success vs failure - no mixed signals
+- **Validation**: Schema-level enforcement of atomic semantics
+- **Consistency**: All mutating operations follow same pattern
+
+**Batch Operations Pattern**
+
+`sync_creatives` uses a two-level error model that distinguishes:
+- **Operation-level failures** (oneOf error branch): Authentication failed, service down, invalid request format - no creatives processed
+- **Per-item failures**: Individual creative validation errors (action='failed' within the creatives array) - rest of batch still processed
+
+This provides best-effort batch semantics (process what you can, report what failed) while maintaining atomic operation boundaries (either you can process the batch OR you can't).
+
+**Migration:**
+
+This is a backward-compatible change. Existing valid responses (success with all required fields) continue to validate successfully. The change prevents invalid responses (missing required success fields or mixing success/error fields) that were technically possible but semantically incorrect.
+
+**Alignment with Protocol Standards:**
+
+This pattern aligns with both MCP and A2A error handling:
+- **MCP**: Tool returns either result content OR sets `isError: true`, not both
+- **A2A**: Task reaches terminal state `completed` OR `failed`, not both
+- **AdCP**: Task payload contains success data XOR errors, enforced at schema level

static/schemas/v1/core/webhook-payload.json

@@ -68,14 +68,7 @@
     },
     "result": {
       "type": ["object"],
-      "description": "Task-specific payload for this status update. For 'completed', contains the final result. For 'input-required', may contain approval or clarification context. Optional for non-terminal updates.",
-      "oneOf": [
-        { "$ref": "/schemas/v1/media-buy/create-media-buy-response.json" },
-        { "$ref": "/schemas/v1/media-buy/update-media-buy-response.json" },
-        { "$ref": "/schemas/v1/media-buy/sync-creatives-response.json" },
-        { "$ref": "/schemas/v1/signals/activate-signal-response.json" },
-        { "$ref": "/schemas/v1/signals/get-signals-response.json" }
-      ]
+      "description": "Task-specific payload for this status update. Validated against the appropriate response schema based on task_type."
     },
     "error": {
       "type": ["string", "null"],
@@ -84,6 +77,78 @@
   },
   "required": ["task_id", "task_type", "status", "timestamp"],
   "additionalProperties": true,
+  "allOf": [
+    {
+      "if": {
+        "properties": {
+          "task_type": {"const": "create_media_buy"}
+        }
+      },
+      "then": {
+        "properties": {
+          "result": {
+            "$ref": "/schemas/v1/media-buy/create-media-buy-response.json"
+          }
+        }
+      }
+    },
+    {
+      "if": {
+        "properties": {
+          "task_type": {"const": "update_media_buy"}
+        }
+      },
+      "then": {
+        "properties": {
+          "result": {
+            "$ref": "/schemas/v1/media-buy/update-media-buy-response.json"
+          }
+        }
+      }
+    },
+    {
+      "if": {
+        "properties": {
+          "task_type": {"const": "sync_creatives"}
+        }
+      },
+      "then": {
+        "properties": {
+          "result": {
+            "$ref": "/schemas/v1/media-buy/sync-creatives-response.json"
+          }
+        }
+      }
+    },
+    {
+      "if": {
+        "properties": {
+          "task_type": {"const": "activate_signal"}
+        }
+      },
+      "then": {
+        "properties": {
+          "result": {
+            "$ref": "/schemas/v1/signals/activate-signal-response.json"
+          }
+        }
+      }
+    },
+    {
+      "if": {
+        "properties": {
+          "task_type": {"const": "get_signals"}
+        }
+      },
+      "then": {
+        "properties": {
+          "result": {
+            "$ref": "/schemas/v1/signals/get-signals-response.json"
+          }
+        }
+      }
+    }
+  ],
   "notes": [
     "Webhooks are ONLY triggered when the initial response status is 'submitted' (long-running operations)",
     "Webhook payloads include protocol-level fields (operation_id, task_type, status, optional task_id/context_id/timestamp/message) and the task-specific payload nested under 'result'",
@@ -104,7 +169,13 @@
         "context_id": "ctx_abc123",
         "message": "Campaign budget $150K requires VP approval to proceed",
         "result": {
-          "buyer_ref": "nike_q1_campaign_2024"
+          "errors": [
+            {
+              "code": "APPROVAL_REQUIRED",
+              "message": "Budget exceeds auto-approval threshold of $100K. Awaiting VP approval before media buy creation.",
+              "field": "packages[0].budget"
+            }
+          ]
         }
       }
     },
@@ -145,4 +216,4 @@
       }
     }
   ]
-}
+}

static/schemas/v1/media-buy/build-creative-response.json

@@ -2,23 +2,42 @@
   "$schema": "http://json-schema.org/draft-07/schema#",
   "$id": "/schemas/v1/media-buy/build-creative-response.json",
   "title": "Build Creative Response",
-  "description": "Response containing the transformed or generated creative manifest, ready for use with preview_creative or sync_creatives",
+  "description": "Response containing the transformed or generated creative manifest, ready for use with preview_creative or sync_creatives. Returns either the complete creative manifest OR error information, never both.",
   "type": "object",
-  "properties": {
-    "creative_manifest": {
-      "$ref": "/schemas/v1/core/creative-manifest.json",
-      "description": "The generated or transformed creative manifest"
+  "oneOf": [
+    {
+      "description": "Success response - creative manifest generated successfully",
+      "type": "object",
+      "properties": {
+        "creative_manifest": {
+          "$ref": "/schemas/v1/core/creative-manifest.json",
+          "description": "The generated or transformed creative manifest"
+        }
+      },
+      "required": ["creative_manifest"],
+      "additionalProperties": false,
+      "not": {
+        "required": ["errors"]
+      }
     },
-    "errors": {
-      "type": "array",
-      "description": "Task-specific errors and warnings",
-      "items": {
-        "$ref": "/schemas/v1/core/error.json"
+    {
+      "description": "Error response - creative generation failed",
+      "type": "object",
+      "properties": {
+        "errors": {
+          "type": "array",
+          "description": "Array of errors explaining why creative generation failed",
+          "items": {
+            "$ref": "/schemas/v1/core/error.json"
+          },
+          "minItems": 1
+        }
+      },
+      "required": ["errors"],
+      "additionalProperties": false,
+      "not": {
+        "required": ["creative_manifest"]
       }
     }
-  },
-  "required": [
-    "creative_manifest"
-  ],
-  "additionalProperties": false
+  ]
 }