feat(governance): Add get_creative_features task for creative governance

[bokelley]

Summary

• Adds get_creative_features — a general-purpose task for evaluating creatives and returning feature values, following the same pattern as get_property_features
• Supports security scanning (Add Creative Security Scanning to Compliance & Governance Protocol #1035), creative quality assessment, content categorization (Add IAB Content Categorization to Compliance & Governance Protocol #1036), and any other creative evaluation through a single task
• Adds creative_features to governance section of get_adcp_capabilities so agents can advertise which creative features they evaluate

Motivation

Issues #1035 (Creative Security Scanning) and #1036 (Content Categorization) both propose elaborate custom protocol machinery. Both are better served by a single general-purpose task that applies the existing property governance feature pattern to creatives.

A security scanner evaluates auto_redirect and credential_harvest (binary features). CreativeX evaluates brand_consistency (quantitative) and logo_placement (binary). A content categorizer evaluates iab_casinos_gambling (binary with confidence). Same task, same response shape — the protocol doesn't need to know the difference.

Changes

New schemas:

• creative/get-creative-features-request.json — accepts creative manifest + optional feature_ids filter
• creative/get-creative-features-response.json — discriminated union (success with results / error)
• creative/creative-feature-result.json — individual feature evaluation (value, confidence, expires_at, etc.)

Modified schemas:

• index.json — register get-creative-features task under governance
• get-adcp-capabilities-response.json — add creative_features array alongside property_features

Documentation:

• docs/governance/creative/index.mdx — creative governance overview
• docs/governance/creative/get_creative_features.mdx — task reference with examples for security, quality, and categorization agents
• docs/governance/overview.mdx — link creative governance
• docs.json — navigation entry

Design decisions

• Reuses property governance pattern rather than inventing new protocol machinery — agents declare features, return values, orchestrators evaluate against requirements
• No task-type.json enum addition — governance evaluation tasks (like get_property_features, calibrate_content) are invoked directly via A2A/MCP, not tracked through the task lifecycle
• No separate creative-feature-definition.json — feature definitions are the same shape as property features, declared inline in get_adcp_capabilities
• Orchestrator-side logic — declared vs detected comparison (MATCH/MISMATCH from Add IAB Content Categorization to Compliance & Governance Protocol #1036), severity levels, and rejection thresholds are all orchestrator concerns, not protocol

How this addresses #1035 and #1036

#1035 concern	How get_creative_features handles it
Threat detection categories	Vendor-declared binary features (auto_redirect, credential_harvest, etc.)
Opaque results	Feature values are pass/fail on wire. Details behind detail_url
Detection methodology protection	methodology_url in feature definition, not in results
Async scanning	Standard async task pattern (status: "working" → webhook)
Caching/TTL	expires_at on feature values (existing schema field)

#1036 concern	How get_creative_features handles it
IAB category detection	Binary features per category (iab_casinos_gambling, iab_automotive)
Confidence scores	confidence field (0-1) on feature results
Declared vs detected comparison	Orchestrator logic — compare declared categories against detected features
Taxonomy versioning	Implicit in feature_id naming + methodology_version field

Test plan

• npm run build:schemas — 77 schemas bundled, 3 skill schema sets generated
• npm test — all 297 tests pass (schema validation, examples, extensions, error handling, JSON schema, composed, migrations, unit, typecheck)
• Pre-push hooks pass (version sync, broken links, accessibility)

🤖 Generated with Claude Code