Category: spec-conformance Severity: major
Location: lib/arcp/runtime/session_actor.rb:265-274 (secondary: lib/arcp/runtime/job_manager.rb:79-90)
Spec: ARCP v1.1 §7.2
What
Spec §7.2: "the runtime MUST return the same job.accepted payload for any subsequent submission with the same key and identical parameters." On an idempotency hit, JobManager#submit returns a bare job_id (not the [job_id, resolved, lease, credentials] tuple). handle_submit then takes the else branch and reconstructs job.accepted with credentials: nil and re-reads the lease from the manager — so the replayed acceptance drops the credentials array that the first acceptance carried (and may differ in accepted_at, using record.created_at). A client that resubmits to recover its provisioned credentials receives none. This is distinct from #50 (which only concerns conflict detection comparing agent vs. other params).
Evidence
# lib/arcp/runtime/session_actor.rb:265-274 — idempotent replay branch
else
job_id = result
record = @runtime.job_manager.lookup(job_id)
accepted = Arcp::Job::Accepted.new(
job_id: job_id, agent: record.agent,
accepted_at: record.created_at,
lease: @runtime.lease_manager.get(job_id),
credentials: nil # original credentials are lost
)
endProposed fix
Cache the full original job.accepted payload (resolved agent, lease, credentials, accepted_at, budget) keyed by [principal, idempotency_key] at first acceptance, and return that cached payload verbatim on a hit. Alternatively have JobManager#submit always return the tuple (re-fetching the stored credentials from the registry) so handle_submit has a single code path. Add a test that submits with credentials provisioned, resubmits the same key, and asserts byte-identical job.accepted payloads.
Acceptance criteria
Category: spec-conformance Severity: major
Location:
lib/arcp/runtime/session_actor.rb:265-274(secondary:lib/arcp/runtime/job_manager.rb:79-90)Spec: ARCP v1.1 §7.2
What
Spec §7.2: "the runtime MUST return the same
job.acceptedpayload for any subsequent submission with the same key and identical parameters." On an idempotency hit,JobManager#submitreturns a barejob_id(not the[job_id, resolved, lease, credentials]tuple).handle_submitthen takes theelsebranch and reconstructsjob.acceptedwithcredentials: niland re-reads the lease from the manager — so the replayed acceptance drops thecredentialsarray that the first acceptance carried (and may differ inaccepted_at, usingrecord.created_at). A client that resubmits to recover its provisioned credentials receives none. This is distinct from #50 (which only concerns conflict detection comparing agent vs. other params).Evidence
Proposed fix
Cache the full original
job.acceptedpayload (resolved agent, lease, credentials, accepted_at, budget) keyed by[principal, idempotency_key]at first acceptance, and return that cached payload verbatim on a hit. Alternatively haveJobManager#submitalways return the tuple (re-fetching the stored credentials from the registry) sohandle_submithas a single code path. Add a test that submits with credentials provisioned, resubmits the same key, and asserts byte-identicaljob.acceptedpayloads.Acceptance criteria
credentialsarray as the first acceptance.lease,agent, andaccepted_atmatch the original acceptance.