programmatic-supply-chain-integrity-review

Programmatic Supply Chain Integrity Review

Purpose

This skill reviews ads.txt, app-ads.txt, and sellers.json declarations for a publisher's or advertiser's programmatic supply chain to detect unauthorized resellers, domain-spoofing exposure, SupplyChain Object gaps, and IVT-exposure vectors. Ads.txt (IAB Tech Lab v1.1) and app-ads.txt are the publisher's machine-readable authorization of which exchanges and resellers may sell their inventory; sellers.json (IAB Tech Lab v1.0) is the exchange's machine-readable disclosure of which sellers it represents. When these files are inconsistent — an ads.txt RESELLER entry that no exchange discloses in sellers.json, a DIRECT entry that resolves as is_confidential:1, or a whitelisted domain whose ads.txt is absent — the supply chain is opaque to buyers, exposing them to unauthorized intermediary fees and exposing publishers to domain spoofing. The SupplyChain Object (OpenRTB extension) enables bid-time audit of the complete reseller path; gaps in the declared path are treated as invalid traffic by MRC-compliant measurement vendors and many DSP procurement teams. The review works from the raw text of the artifact files pasted as input and produces severity-labelled findings with remediation.

Lean operating rules

• Treat ads.txt RESELLER entries for exchange accounts that do not appear in any sellers.json file for that exchange as HIGH — these are undisclosed intermediaries whose presence in the resale chain cannot be verified by buyers, constituting unauthorized supply path opacity under IAB Tech Lab ads.txt 1.1.
• Treat a whitelisted publisher domain whose ads.txt file is entirely absent as HIGH — the absence means buyers cannot verify any authorized seller relationship; the domain is categorically IVT-exposed per MRC Invalid Traffic Detection guidelines and most DSP whitelisting criteria.
• Treat a DIRECT entry in ads.txt where the corresponding seller account in sellers.json carries is_confidential:1 as HIGH — a DIRECT relationship by definition requires transparent publisher identity; confidential resolution contradicts the DIRECT classification and is a domain-spoofing risk vector.
• Treat ads.txt entries that reference exchange account IDs not present in the exchange's sellers.json at all (orphaned account IDs) as HIGH — the account cannot be verified as a legitimate seller, which is a signal of domain spoofing or stale declarations.
• Treat a seller_type: INTERMEDIARY entry in sellers.json that has no corresponding ads.txt RESELLER entry on the publisher domain as MEDIUM — the intermediary is declared by the exchange but not authorized by the publisher, creating a supply path discrepancy.
• Treat SupplyChain Object declarations with incomplete node chains (missing asi, sid, or rid fields in intermediate nodes) as MEDIUM — incomplete chains reduce bid-time auditability and may cause DSP procurement filters to reject the bid.
• Flag MEDIUM when the ads.txt file has not been updated within twelve months and active exchange relationships are known to have changed — stale declarations expose revenue to unauthorized resellers who retain old account relationships.
• Flag the absence of app-ads.txt for a mobile app publisher as MEDIUM when the publisher's ads.txt covers only web inventory — app inventory without app-ads.txt is unprotected by IAB Tech Lab supply-chain controls.
• Do not recommend removing a RESELLER entry without first confirming whether it represents a legitimate revenue path that can be replaced with a DIRECT relationship or a disclosed intermediary.
• Label every finding with evidence basis: ads.txt provided, sellers.json provided, documentation-based, or inference from absent file.

References

Load these only when needed:

• Workflow and output contract — use when executing the full review or formatting the final answer.

Response minimum

Return, at minimum:

• RESELLER-to-sellers.json consistency assessment (unauthorized intermediaries)
• DIRECT-entry confidentiality conflict assessment (domain-spoofing risk)
• Orphaned account ID assessment (account IDs in ads.txt not in sellers.json)
• Absent ads.txt / app-ads.txt assessment for whitelisted domains
• SupplyChain Object completeness assessment
• Stale declaration assessment
• Severity-labelled finding list (critical / high / medium / low)
• Safe next actions