Fix audit findings: bugs, spec-conformance, security, docs (#37-76)

* Bump the dotnet-dependencies group with 2 updates

Bumps Microsoft.Extensions.Hosting.Abstractions from 9.0.0 to 10.0.8
Bumps Microsoft.NET.Test.Sdk from 18.5.1 to 18.6.0

---
updated-dependencies:
- dependency-name: Microsoft.Extensions.Hosting.Abstractions
  dependency-version: 10.0.8
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: dotnet-dependencies
- dependency-name: Microsoft.NET.Test.Sdk
  dependency-version: 18.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dotnet-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

* chore(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0

Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 6.0.1 to 7.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](codecov/codecov-action@e79a696...fb8b358)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

* fix: idempotency, cancel authority, client robustness, lease boundary (#71, #72, #73, #74, #75, #76)

- #71 idempotent job.submit replay no longer re-runs the agent (skip Resolve/RunAsync on replay)
- #72 lease glob "/prefix/**" keeps the path-boundary separator so siblings are not authorized
- #73 server-rejected job.submit/list_jobs now fault the awaiting client instead of hanging
- #74 cancel authority is session-scoped (fail-closed), not principal-scoped
- #75 add job.cancelled ack and JOB_NOT_FOUND for unknown jobs
- #76 populate session.jobs last_event_seq from a per-job high-water mark

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix: spec-conformance, concurrency, and security audit fixes (#37, #38, #39, #40, #41, #42, #43, #45, #46, #47, #67, #68)

Runtime / spec-conformance:
- #37 root running jobs at a runtime-scoped token so session teardown (heartbeat loss,
  graceful close, transport drop) no longer terminates in-flight jobs (spec §6.4, §6.7)
- #41 add session.close/session.closed wire types; the runtime acks a graceful close with
  session.closed (session.bye kept as a deprecated alias) (spec §6.7)
- #40 dispatch now surfaces session.error{INTERNAL_ERROR} for unexpected exceptions (spec §12)
- #46 advertise model.use independently of credential provisioning (spec §9.7)

Event delivery / ordering:
- #39 serialize event_seq assignment with the outbound enqueue via a per-session emit gate so
  wire order is strictly monotonic under concurrent emitters (spec §8.3)
- #38 subscriber fan-out is back-pressure-aware: on a full channel the subscription is torn down
  deterministically instead of silently dropping an already-sequenced event (spec §8.3)
- #44 make the subscribe history/live-fan-out boundary exact via an atomic register+snapshot and a
  per-job event index, so a mid-stream subscriber sees each event exactly once (spec §7.6)

Authorization / security:
- #42 gate lease operations on remaining budget (BUDGET_EXHAUSTED) before the pattern check (spec §9.6)
- #43 deny-by-default for uncovered tool.call/agent.delegate, with an explicit
  PermissiveUnleasedOperations opt-in (spec §9.3)
- #45 list_jobs fails closed: an empty/absent principal sees only what the policy permits (spec §6.6, §14)

Performance / correctness:
- #67 keyset pagination over (created_at, job_id): stable ties and page work bounded to limit+1
- #68 AgentRegistry no longer exposes its mutable version dictionary; ToInventory snapshots under lock
- #47 client detects event_seq gaps and raises a broken-session signal (spec §8.3)

Co-authored-by: Cursor <cursoragent@cursor.com>

* test: cover audit fixes; update samples/recipes for deny-by-default leases

- Add unit tests for the budget authorization gate (#42) and AgentRegistry concurrency (#68).
- Add integration tests for job survival across session teardown (#37), session.close/closed
  (#41), INTERNAL_ERROR on unexpected dispatch failure (#40), fail-closed empty-principal listing
  (#45), model.use advertisement (#46), keyset pagination stability (#67), deny-by-default
  tool.call (#43), strictly-monotonic event_seq under concurrent emitters (#39), exactly-once
  subscribe boundary (#44), and client event_seq gap detection (#47).
- Grant tool.call/agent.delegate leases in the CostBudget, Delegate, and multi-agent-budget
  samples/recipes so they remain runnable under deny-by-default (#43); enable permissive mode in
  the event round-trip test which exercises event kinds rather than lease enforcement.

Co-authored-by: Cursor <cursoragent@cursor.com>

* docs: fix audit documentation issues (#48-66); format AuditFixesTests

Correct XML comments, guides, OTel/conformance tables, and README for
all open docs audit findings. Fix dotnet format whitespace in integration tests.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>

Author: 3 people

.github/workflows/test.yml

@@ -95,7 +95,7 @@ jobs:
       # Non-blocking: a Codecov outage must not break CI.
       - name: Upload coverage to Codecov
         # codecov/codecov-action v6.0.1
-        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+        uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0
         with:
           fail_ci_if_error: false
           flags: unittests

CONFORMANCE.md

@@ -69,7 +69,7 @@ Status legend: Implemented ✅ · Partial 🚧 · Not implemented ⛔.
 | ---- | ----------- | ------ | ----- |
 | §10  | `delegate` event kind on parent's `job.event` stream | ✅ | `JobContext.DelegateAsync` |
 | §11  | `trace_id` propagation; OTel span attrs | ✅ | `TraceAttributes`, `ArcpTracing.WithTracing` |
-| §11 (v1.1) | Span attrs `arcp.lease.expires_at`, `arcp.budget.remaining` | ✅ | `TraceAttributes` |
+| §11 (v1.1) | Span attrs `arcp.lease.expires_at`, `arcp.budget.remaining` | ❌ | Not emitted by `ArcpTracing` |
 | §12  | 15 canonical error codes with retryable booleans | ✅ | `ErrorCode.All`, `ErrorCode.IsRetryable` |
 
 ## Test cross-reference

Directory.Packages.props

@@ -8,7 +8,7 @@
   <ItemGroup Label="Runtime">
     <PackageVersion Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.8" />
     <PackageVersion Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.8" />
-    <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="9.0.0" />
+    <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="10.0.8" />
     <PackageVersion Include="Microsoft.Extensions.Options" Version="10.0.8" />
     <PackageVersion Include="Microsoft.IdentityModel.JsonWebTokens" Version="8.2.0" />
     <PackageVersion Include="Ulid" Version="1.4.1" />
@@ -23,7 +23,7 @@
   </ItemGroup>
 
   <ItemGroup Label="Test">
-    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.5.1" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.6.0" />
     <PackageVersion Include="xunit" Version="2.9.3" />
     <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5" />
     <PackageVersion Include="FluentAssertions" Version="8.10.0" />

README.md

@@ -105,7 +105,7 @@ await using var client = await ArcpClient.ConnectAsync(transport, new ArcpClient
 
 var sessionId = client.SessionId;
 var resumeToken = client.ResumeToken;
-var effective = client.EffectiveFeatures; // intersection of client/runtime hello.features
+var effective = client.EffectiveFeatures; // intersection of hello.features and welcome.features
 
 // ... transport drops; track the last seq your reader observed ...
 var lastSeq = client.LastReceivedSeq;

docs/architecture.md

@@ -9,7 +9,7 @@
 | `Arcp.Runtime`    | `ArcpServer`, `JobManager`, `LeaseManager`, `SessionState` — the side that runs them. |
 | `Arcp.AspNetCore` | Mounts a runtime on Kestrel via `IEndpointRouteBuilder.MapArcp("/arcp")`. |
 | `Arcp.Otel`       | Wraps `ITransport` with `ActivitySource`-based OTel instrumentation. |
-| `Arcp.Hosting`    | Registers a runtime in `IHostedService` for non-ASP.NET workers. |
+| `Arcp.Hosting`    | Registers `ArcpServer` in DI via `AddArcpRuntime` for non-ASP.NET workers. |
 | `Arcp.Cli`        | `arcp serve` / `arcp submit` / `arcp version` executable. |
 | `Arcp`            | Umbrella meta-package — `dotnet add package Arcp` pulls Core + Client + Runtime. |
 
@@ -37,12 +37,12 @@ Every message is a JSON object envelope:
 
 Unknown top-level fields are preserved verbatim in
 `Envelope.Extensions` (`Dictionary<string, JsonElement>`), so
-vendor-extension hints round-trip without loss (spec §5.1).
+vendor-extension hints round-trip without loss (spec §5).
 
 ## Versioning
 
 The SDK follows SemVer strictly. The `arcp` wire version field
-(`"1.1"`) is fixed in `Arcp.Core.WireVersion.Current`. Adding a
+defaults to `"1.1"` on `Envelope.Arcp` (also exposed as `Arcp.ArcpInfo.ProtocolVersion`). Adding a
 public member is a minor bump; changing a signature is a major bump.
 One minor deprecation cycle (`[Obsolete]`) before removal. See the
 [style guide](./style-guide.md#14-versioning--compatibility).

docs/conformance.md

@@ -60,7 +60,7 @@ Opt out of features on either peer:
 ```csharp
 new ArcpClientOptions
 {
-    Features = new FeatureSet(["heartbeat", "ack"]), // drop the rest
+    Features = new[] { FeatureFlags.Heartbeat, FeatureFlags.Ack }, // drop the rest
 };
 ```
 

docs/guides/errors.md

@@ -90,7 +90,7 @@ Agents can produce errors by throwing:
 ```csharp
 server.RegisterAgent("strict", async (ctx, ct) =>
 {
-    if (!ctx.Lease.Contains(LeaseNamespaces.FsRead))
+    if (ctx.Lease.Get(LeaseNamespaces.FsRead).Count == 0)
         throw new PermissionDeniedException("fs.read required");
 
     // ...

docs/guides/job-events.md

@@ -27,11 +27,11 @@ server.RegisterAgent("researcher", async (ctx, ct) =>
     await ctx.StatusAsync("starting", "Fetching data...", ct);
 
     await ctx.ToolCallAsync("fetch", callId: "c1",
-        args: new { url = "https://api.example.com/data" }, ct);
+        args: new { url = "https://api.example.com/data" }, cancellationToken: ct);
     var data = /* ... */ "";
-    await ctx.ToolResultAsync("c1", result: data, ct);
+    await ctx.ToolResultAsync("c1", result: data, cancellationToken: ct);
 
-    await ctx.ProgressAsync(current: 1, total: 3, message: "fetched", ct);
+    await ctx.ProgressAsync(current: 1, total: 3, message: "fetched", cancellationToken: ct);
 
     await ctx.LogAsync("info", "Processing ...", ct);
     await ctx.MetricAsync("cost.inference", 0.012, unit: "USD", cancellationToken: ct);
@@ -40,7 +40,7 @@ server.RegisterAgent("researcher", async (ctx, ct) =>
         uri: "s3://bucket/report.pdf",
         contentType: "application/pdf",
         byteSize: 42_000,
-        ct: ct);
+        cancellationToken: ct);
 
     return new { status = "done" };
 });

docs/guides/leases.md

@@ -47,7 +47,7 @@ server.RegisterAgent("file-writer", async (ctx, ct) =>
             ctx.Lease,
             ctx.LeaseConstraints,
             LeaseNamespaces.FsWrite,
-            path: "/workspace/src/output.cs");
+            pattern: "/workspace/src/output.cs");
     }
     catch (PermissionDeniedException ex)
     {

docs/guides/observability.md

@@ -41,7 +41,7 @@ constants.
 | Name              | Purpose                                            |
 | ----------------- | -------------------------------------------------- |
 | `Arcp.Transport`  | One span per envelope (send and receive).          |
-| `Arcp.Runtime`    | Runtime-internal spans (dispatch, agent run).      |
+| `Arcp.Runtime`    | Application spans you start manually (e.g. delegation). |
 
 ## Span shape
 
@@ -66,10 +66,6 @@ For each envelope, the wrapper:
 | `arcp.job_id`              | envelope `job_id`                             |
 | `arcp.trace_id`            | envelope `trace_id`                           |
 | `arcp.event_seq`           | envelope `event_seq`                          |
-| `arcp.agent`               | `payload.agent` (on submit / accept)          |
-| `arcp.lease.capabilities`  | comma-joined lease keys                       |
-| `arcp.lease.expires_at`    | ISO 8601 string (v1.1)                        |
-| `arcp.budget.remaining`    | JSON-stringified currency map (v1.1)          |
 
 ## Use with ASP.NET Core