Category: security Severity: blocker
Location: Sources/ARCP/Runtime/ARCPRuntime.swift:147-151, Sources/ARCP/Runtime/SubscriptionManager.swift:75-86, Sources/ARCP/Store/EventLog.swift:37-86
Spec: ARCP v1.1 §9.8.2, §14 ("Credential confidentiality")
What
job.accepted envelopes carry credentials[].value (real bearer secrets). Every outbound envelope, including job.accepted, goes through ARCPRuntime.send, which (a) persists the full envelope JSON — secret included — into the SQLite event log forever (no redaction, no deletion at job end), and (b) routes it through SubscriptionManager.route, which wraps the whole envelope (secret included) in a subscribe.event and delivers it to every subscriber whose filter matches.
The spec is explicit: subscribers MUST NOT receive credentials they did not submit; value MUST NOT be logged or persisted beyond the job. Here a dashboard/auditor subscribed with an empty or job.accepted-matching filter receives live credential material, and the event log retains it indefinitely (the resume replay at handleResume will even re-transmit it).
Evidence
private func send(_ envelope: Envelope, transport: any Transport) async throws {
try await transport.send(envelope)
try? await persistOptional(envelope, sessionId: envelope.sessionId) // writes value to SQLite
await subscriptionManager.route(envelope: envelope) // fans value to subscribers
}job.accepted is sent through JobManager.send → rawSend → this method. SubscriptionManager.route wraps the envelope verbatim:
payload: .subscribeEvent(SubscribeEventPayload(event: encode(envelope)))
and EventLog.append stores envelope_json (the full JSON) with no field stripping.
Proposed fix
- In
JobManager/ARCPRuntime, emit job.accepted with credentials to the owning transport only; build a redacted copy (credentials removed) for both persistOptional and subscriptionManager.route. Concretely, in ARCPRuntime.send, detect .jobAccepted payloads with non-nil credentials, and pass a redacted variant to persistOptional and route.
- Add the same redaction to
handleResume replay so credential material is never re-transmitted on resume.
- Add a test: subscribe with empty filter, submit a job that provisions credentials, assert the
subscribe.event payload's job.accepted has credentials: null; and assert EventLog.replay returns the job.accepted with credentials stripped.
Acceptance criteria
Category: security Severity: blocker
Location:
Sources/ARCP/Runtime/ARCPRuntime.swift:147-151,Sources/ARCP/Runtime/SubscriptionManager.swift:75-86,Sources/ARCP/Store/EventLog.swift:37-86Spec: ARCP v1.1 §9.8.2, §14 ("Credential confidentiality")
What
job.acceptedenvelopes carrycredentials[].value(real bearer secrets). Every outbound envelope, includingjob.accepted, goes throughARCPRuntime.send, which (a) persists the full envelope JSON — secret included — into the SQLite event log forever (no redaction, no deletion at job end), and (b) routes it throughSubscriptionManager.route, which wraps the whole envelope (secret included) in asubscribe.eventand delivers it to every subscriber whose filter matches.The spec is explicit: subscribers MUST NOT receive
credentialsthey did not submit;valueMUST NOT be logged or persisted beyond the job. Here a dashboard/auditor subscribed with an empty orjob.accepted-matching filter receives live credential material, and the event log retains it indefinitely (the resume replay athandleResumewill even re-transmit it).Evidence
job.acceptedis sent throughJobManager.send→rawSend→ this method.SubscriptionManager.routewraps the envelope verbatim:and
EventLog.appendstoresenvelope_json(the full JSON) with no field stripping.Proposed fix
JobManager/ARCPRuntime, emitjob.acceptedwith credentials to the owning transport only; build a redacted copy (credentials removed) for bothpersistOptionalandsubscriptionManager.route. Concretely, inARCPRuntime.send, detect.jobAcceptedpayloads with non-nilcredentials, and pass a redacted variant topersistOptionalandroute.handleResumereplay so credential material is never re-transmitted on resume.subscribe.eventpayload'sjob.acceptedhascredentials: null; and assertEventLog.replayreturns thejob.acceptedwith credentials stripped.Acceptance criteria
credentialsarray for a job it did not submit.credentials[].value.