fix(grader): fail agents without published 9421 webhook-signing JWKS (#3360 part A)

[bokelley]

Closes #3360 (Part A — webhook signing on-ramp lever).

What this does

Closes the on-ramp loophole in the webhook-emission universal that let agents self-declare themselves out of webhook signing via webhook_auth_mode == 'hmac_legacy'. Operationalizes the "no new HMAC implementers after date X" lever from the RFC 9421 migration plan (#4205).

Two changes to static/compliance/source/universal/webhook-emission.yaml

1. New signing_keys_published precheck phase

Runner fetches the agent's brand.json, resolves agents[].jwks_uri, and asserts at least one key carries adcp_use: "webhook-signing". Agents that only ever signed HMAC and never published a 9421 key fail here, before the signature phase runs.

Three specific error codes for diagnostic clarity:

• webhook_signing_keys_unpublished — no JWKS or empty
• webhook_signing_keys_wrong_purpose — JWKS present but no key with the webhook-signing purpose
• webhook_signing_keys_all_revoked — all webhook-signing keys revoked

This separates "did you set up keys" from "do you sign correctly," which previously produced signature_key_unknown deep in the verifier checklist with no operator-level diagnostic.

2. signature_validity phase is now required

Dropped optional: true and skip_if: agent.webhook_auth_mode == 'hmac_legacy'.

The runner registers the trigger as a 9421-default buyer (no authentication block on push_notification_config, already the case at line 141). The agent is graded on the signatures it emits in that mode. Buyer-side HMAC registration choices are out of scope for grading the agent.

What this does not change

• Buyer-side HMAC fallback registration is unaffected. Buyers can still register HMAC at push_notification_config.authentication in 3.x. Schema-level removal is tracked at 4.0: drop required: ["authentication"] from reporting-webhook and artifact_webhook #4288 against the 4.0 milestone.
• Idempotency phases are unchanged. Agents are still graded on idempotency_key_presence and idempotency_key_stability independently of signing.
• HMAC-fallback receivers in production are unaffected. This is grader behavior, not protocol behavior.

Net behavior

Agent posture	Outcome
Publishes JWKS + signs with 9421	✅ pass
Publishes JWKS, but specific buyer registered HMAC	✅ pass (runner doesn't register HMAC)
Publishes JWKS but signs incorrectly	❌ fails signature_validity with specific webhook_signature_* code
Never published JWKS, only ever signed HMAC	❌ fails signing_keys_published with webhook_signing_keys_unpublished

Refs

• Grade tools: add OAuth and request signing setup evaluation #3360 (parent — Grade tools: OAuth and request signing setup evaluation)
• [meta] Coordinate RFC 9421 webhook signing migration — adoption telemetry + threshold + ownership #4205 (RFC 9421 migration coordination)
• Storyboard / SDK skill on-ramp inventory: HMAC vs RFC 9421 #4270 / fix(schema,skill): align HMAC framing to RFC 9421 default in reporting-webhook, auth-scheme, call-adcp-agent SKILL.md #4271 (storyboard / SDK skill on-ramp framing — landed)
• 4.0: drop required: ["authentication"] from reporting-webhook and artifact_webhook #4288 (4.0 follow-up — drop required: ["authentication"])

Out of scope (Part B → 3.2.0)

OAuth 2.1 + OIDC metadata grading (RFC 8414 / 9728 / 7591). Will be filed as a separate issue against the 3.2.0 milestone.

Changeset

minor — adds new fail conditions to the grader. Existing agents that already publish 9421 keys are unaffected; HMAC-only agents that previously passed the universal will now fail.