Category: spec-conformance
Severity: major
Location: Sources/ARCP/Runtime/LeaseManager.swift:87-112, Sources/ARCP/Runtime/JobManager.swift:400-423
Spec: ARCP v1.1 §9.5 ("Renewal is NOT supported. To extend authority, the submitting client MUST cancel and resubmit.")
What
§9.5 is explicit that lease renewal is not supported and that extending authority requires cancel+resubmit. The SDK ships a full lease.refresh → lease.extended flow (LeaseManager.refresh, JobManager.handleLeaseRefresh) that mutates expiresAt forward, directly contradicting the normative requirement. A job's leaseConstraints.expiresAt (the §9.5 expiry that gates checkLeaseExpiration) is a separate value from the LeaseManager permission leases, so the refresh flow operates on permission-challenge leases — but §9.5's no-renewal rule is unqualified, and shipping lease.refresh/lease.extended invites callers to extend authority the spec forbids extending. At minimum the SDK advertises and implements a renewal mechanism the spec says must not exist.
Evidence
let newExpires = max(record.expiresAt, Date()).addingTimeInterval(TimeInterval(seconds))
record.expiresAt = newExpires
leases[leaseId] = record
try await send(Envelope(..., payload: .leaseExtended(LeaseExtendedPayload(leaseId: leaseId, expiresAt: newExpires))))
Proposed fix
- Either remove the lease.refresh/lease.extended capability, or scope it clearly to permission-challenge leases (§15.4) that are outside §9.5's job-lease renewal prohibition, and document the distinction in code and CONFORMANCE.md.
- Ensure no path lets a lease.refresh extend a job's lease_constraints.expires_at (§9.5 authority).
Acceptance criteria
expires_at.
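An added sketch of the scoping option from the proposed fix, not the SDK's code: each lease record carries its scope, and refresh refuses anything that is not a permission-challenge lease, so a job's §9.5 expiry cannot move forward. `ScopedLeaseStore`, `LeaseScope`, `LeaseRecord` and `LeaseError` are hypothetical names; only the extension arithmetic mirrors the evidence above.

```swift
import Foundation

// Hypothetical model, not the SDK's types: every lease records its scope.
enum LeaseScope {
    case permissionChallenge   // §15.4 lease: refresh is tolerated
    case jobAuthority          // §9.5 lease: renewal is NOT supported
}

enum LeaseError: Error, Equatable {
    case unknownLease(String)
    case renewalNotSupported(String)   // caller must cancel and resubmit
    case invalidExtension(Int)
}

struct LeaseRecord {
    let scope: LeaseScope
    var expiresAt: Date
}

struct ScopedLeaseStore {
    private var leases: [String: LeaseRecord] = [:]

    mutating func grant(_ id: String, scope: LeaseScope, expiresAt: Date) {
        leases[id] = LeaseRecord(scope: scope, expiresAt: expiresAt)
    }

    func expiry(of id: String) -> Date? { leases[id]?.expiresAt }

    /// Extends only permission-challenge leases; job-authority expiry never changes.
    mutating func refresh(_ id: String, seconds: Int, now: Date = Date()) throws -> Date {
        guard var record = leases[id] else { throw LeaseError.unknownLease(id) }
        guard record.scope == .permissionChallenge else {
            throw LeaseError.renewalNotSupported(id)
        }
        guard seconds > 0 else { throw LeaseError.invalidExtension(seconds) }
        let newExpires = max(record.expiresAt, now).addingTimeInterval(TimeInterval(seconds))
        record.expiresAt = newExpires
        leases[id] = record
        return newExpires
    }
}

// Constructed sample leases: one of each scope, both expiring 60 s from t0.
var store = ScopedLeaseStore()
let t0 = Date()
store.grant("perm-1", scope: .permissionChallenge, expiresAt: t0.addingTimeInterval(60))
store.grant("job-1", scope: .jobAuthority, expiresAt: t0.addingTimeInterval(60))
_ = try store.refresh("perm-1", seconds: 30, now: t0)            // extended to t0 + 90 s
do { _ = try store.refresh("job-1", seconds: 30, now: t0) }      // throws renewalNotSupported
catch { assert(store.expiry(of: "job-1") == t0.addingTimeInterval(60)) }
```

A conformance test can assert the same two outcomes: the permission lease's expiry advances, and the job lease's expiry is unchanged after the rejected refresh.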