feat(compliance): signals tenant — sync_governance + activate_signal GOVERNANCE_DENIED storyboard coverage

[bokelley]

Refs #4094

Register sync_governance on the /signals training-agent tenant and fix the v6-platform path so activate_signal GOVERNANCE_DENIED errors surface in the response body for storyboard validation. Lifts signal_marketplace/governance_denied from 1P/4S to 1P/0S (+4 steps).

The storyboard skipped all four coverage phases (sync_accounts, sync_governance, get_signals_list, activate_signal_denied) because /signals had no sync_governance tool, causing the runner to pre-empt required-tools checks. Three changes fix this:

1. tenants/signals.ts — registers sync_governance via serverOptions.customTools (same pattern as creative_approval on /brand). handleSyncGovernance stores the governance agent URL per account.

2. v6-platform.ts:activateSignal — bypasses translateV5Result when errors are present, returning errors in the response body with context echoed from the request. Without this, translateV5Result would convert {errors: [...]} to a thrown AdcpError (MCP envelope), and the storyboard's error_code + field_present path:"context" validators would see the envelope instead of the body. ERROR_IN_BODY_TOOLS in task-handlers.ts only applies to the legacy /mcp path — the v6 per-tenant path needs this bypass directly in the platform method.

3. tenants/tool-catalog.ts — adds sync_governance: ['signals'] so the catalog drift test stays green.

Session-sharing by brand.domain propagates governance plans from /governance to /signals without HTTP calls: sync_plans on /governance and activate_signal on /signals both key on open:acmeoutdoor.example, so session.governancePlans is already populated when handleActivateSignal runs its if (session.governancePlans.size > 0) guard. This is the same pattern as brand_rights/governance_denied.

Non-breaking justification: adds new tool registration and modifies training-agent internals only; no AdCP protocol schemas, task definitions, or public API surfaces changed.

Pre-PR review:

• code-reviewer: approved after blocker fix — initial ERROR_IN_BODY_TOOLS addition was dead code on the v6 path (fixed by adding errors-in-body bypass in v6-platform.ts:activateSignal). Nits (surfaced, not fixed): tool description says "seller calls via check_governance during signal activation" (check_governance is /governance-owned); "governance-aware-seller pattern" comment not used elsewhere in codebase.
• ad-tech-protocol-expert: approved — activate_signal response schema has no structured rejection arm; errors[] placement is correct per spec's GOVERNANCE_DENIED wire-placement rule (case 2, error-code.json line 91); .min(1).max(1) on governance_agents consistent with the one-agent-per-account invariant.

Triage-managed PR. This bot does not currently iterate on
review comments or PR conversation threads (only on the source
issue). To unblock:

• Push fixup commits directly: gh pr checkout <num> →
  fix → push.
• Or re-trigger: comment /triage execute on the source
  issue.

See #3121
for context.

Session: https://claude.ai/code/session_018Q3qbzpf4Jo2yPpDJY3YL9

---

Generated by Claude Code