fix(runtime): emit LEASE_EXPIRED terminal on lease watchdog expiry (§9.5)

The lease watchdog used to emit a synthetic `tool_result.error` with a
fake `call_id` (`lease_{job_id}`) — that doesn't correspond to any
prior `tool_call`, so any subscriber correlating tool_call→tool_result
saw a dangling reference. Worse, after that it cancelled the job,
which routed the run-loop's `OperationCanceledException` catch to
`job.error{code:CANCELLED, final_status:"cancelled"}` rather than the
spec-required `LEASE_EXPIRED` / `final_status:"error"`.

- Add `Job.MarkLeaseExpired()` / `Job.LeaseExpired` analogous to the
  existing `MarkRuntimeLimitExceeded`.
- Have `RunLeaseWatchdog` emit a `status{phase:"lease_expired"}` event
  (well-known phase added to `StatusPhases`), set the flag, then
  cancel.
- Branch the run-loop's `OperationCanceledException` catch on the flag
  and emit `job.error{LEASE_EXPIRED, final_status:"error",
  retryable:false}`.
- Update the LeaseExpiresAt sample header comment to match what the
  runtime now delivers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: nficano

samples/LeaseExpiresAt/Program.cs

@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: Apache-2.0
 // samples/LeaseExpiresAt: a short-lived lease expires while the agent is running; the runtime
-// emits tool_result.error{LEASE_EXPIRED} and then job.error{LEASE_EXPIRED}. Spec §9.5, §13.4.
+// emits a status{phase:"lease_expired"} event and then job.error{LEASE_EXPIRED,
+// final_status:"error"}. Spec §9.5.
 using Arcp.Client;
 using Arcp.Core.Leases;
 using Arcp.Core.Messages;

src/Arcp.Core/Messages/StatusPhases.cs

@@ -7,4 +7,8 @@ public static class StatusPhases
 {
     /// <summary>Gets the credential rotated.</summary>
     public const string CredentialRotated = "credential_rotated";
+
+    /// <summary>Emitted by the runtime when a job's lease has expired (spec §9.5). The terminal
+    /// <c>job.error</c> with code <c>LEASE_EXPIRED</c> and <c>final_status:"error"</c> follows.</summary>
+    public const string LeaseExpired = "lease_expired";
 }

src/Arcp.Core/PublicAPI.Unshipped.txt

@@ -719,6 +719,7 @@ const Arcp.Core.Messages.MessageTypeNames.SessionPong = "session.pong" -> string
 const Arcp.Core.Messages.MessageTypeNames.SessionResume = "session.resume" -> string!
 const Arcp.Core.Messages.MessageTypeNames.SessionWelcome = "session.welcome" -> string!
 const Arcp.Core.Messages.StatusPhases.CredentialRotated = "credential_rotated" -> string!
+const Arcp.Core.Messages.StatusPhases.LeaseExpired = "lease_expired" -> string!
 const Arcp.Core.Tracing.ArcpDiagnostics.RuntimeSourceName = "Arcp.Runtime" -> string!
 const Arcp.Core.Tracing.ArcpDiagnostics.TransportSourceName = "Arcp.Transport" -> string!
 const Arcp.Core.Tracing.TraceAttributes.Agent = "arcp.agent" -> string!

src/Arcp.Runtime/Job.cs

@@ -91,6 +91,13 @@ public sealed class Job
 
     internal void MarkRuntimeLimitExceeded() => RuntimeLimitExceeded = true;
 
+    /// <summary>Set by the lease watchdog when <c>lease_constraints.expires_at</c> elapses so the
+    /// run-loop can surface <c>LEASE_EXPIRED</c> / <c>final_status:"error"</c> instead of
+    /// <c>CANCELLED</c> (spec §9.5).</summary>
+    public bool LeaseExpired { get; private set; }
+
+    internal void MarkLeaseExpired() => LeaseExpired = true;
+
     /// <summary>Gets the credentials.</summary>
     public IReadOnlyList<ProvisionedCredential> Credentials
     {

src/Arcp.Runtime/JobManager.cs

@@ -207,6 +207,17 @@ public async Task RunAsync(Job job, IAgent agent, Func<Envelope, CancellationTok
                 await EmitTimeoutAsync(job, emit, cancellationToken).ConfigureAwait(false);
                 job.MarkTerminal(JobStatus.TimedOut);
             }
+            else if (job.LeaseExpired)
+            {
+                await EmitJobErrorAsync(job, emit, new JobErrorPayload
+                {
+                    FinalStatus = "error",
+                    Code = ErrorCode.LeaseExpired,
+                    Message = "Lease expired",
+                    Retryable = false,
+                }, cancellationToken).ConfigureAwait(false);
+                job.MarkTerminal(JobStatus.Error);
+            }
             else
             {
                 await EmitJobErrorAsync(job, emit, new JobErrorPayload
@@ -358,17 +369,15 @@ private async Task RunLeaseWatchdog(Job job, DateTimeOffset expiresAt, Func<Enve
             if (cancellationToken.IsCancellationRequested || IsTerminal(job.Status)) return;
             if (!job.CancellationToken.IsCancellationRequested)
             {
-                // Emit a tool_result.error then job.error per spec §13.4.
-                await job.EmitEventAsync(EventKinds.ToolResult, new ToolResultBody
+                // Surface lease expiry as a status event (spec §9.5); the terminal
+                // job.error{LEASE_EXPIRED, final_status:"error"} is emitted by the run-loop
+                // once cancellation unwinds the agent.
+                await job.EmitEventAsync(EventKinds.Status, new StatusBody
                 {
-                    CallId = $"lease_{job.JobId.Value}",
-                    Error = new ToolError
-                    {
-                        Code = ErrorCode.LeaseExpired,
-                        Message = $"Lease expired at {expiresAt:O}",
-                        Retryable = false,
-                    },
+                    Phase = StatusPhases.LeaseExpired,
+                    Message = $"Lease expired at {expiresAt:O}",
                 }, cancellationToken).ConfigureAwait(false);
+                job.MarkLeaseExpired();
                 job.CancellationSource.Cancel();
             }
         }

src/Arcp.Runtime/PublicAPI.Unshipped.txt

@@ -197,6 +197,7 @@ Arcp.Runtime.Job.Credentials.get -> System.Collections.Generic.IReadOnlyList<Arc
 Arcp.Runtime.JobContext.Credentials.get -> System.Collections.Generic.IReadOnlyList<Arcp.Core.Messages.ProvisionedCredential!>!
 Arcp.Runtime.JobContext.RotateCredentialAsync(string! credentialId, Arcp.Core.Messages.ProvisionedCredential! next, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.ValueTask
 Arcp.Runtime.JobManager.JobManager(Arcp.Runtime.Agents.AgentRegistry! agents, Arcp.Runtime.Leases.LeaseManager! leases, System.TimeProvider! time, Microsoft.Extensions.Logging.ILoggerFactory! loggers, Arcp.Runtime.Credentials.CredentialManager? credentials = null, int idempotencyWindowSec = 3600) -> void
+Arcp.Runtime.Job.LeaseExpired.get -> bool
 Arcp.Runtime.Job.MaxRuntimeSec.get -> int?
 Arcp.Runtime.Job.RuntimeLimitExceeded.get -> bool
 Arcp.Runtime.ArcpServerOptions.IdempotencyWindowSec.get -> int

tests/Arcp.IntegrationTests/RuntimeLimitTests.cs

@@ -73,4 +73,39 @@ public async Task Job_finishing_before_lease_expiry_does_not_emit_late_lease_exp
         sw.Elapsed.Should().BeLessThan(TimeSpan.FromSeconds(3),
             because: "the watchdog must not keep the run task alive until lease expiry");
     }
+
+    [Fact]
+    public async Task Lease_expiry_terminates_job_with_LEASE_EXPIRED_error_status()
+    {
+        // Spec §9.5: lease expiry yields `job.error{code: LEASE_EXPIRED, final_status: "error"}`,
+        // not `cancelled` — a separate terminal from the `job.cancel`-driven CANCELLED path.
+        var server = new ArcpServer(new ArcpServerOptions
+        {
+            Runtime = new RuntimeInfo { Name = "test-runtime", Version = "1.0.0" },
+        });
+        server.RegisterAgent("worker", async (ctx, ct) =>
+        {
+            try { await Task.Delay(TimeSpan.FromSeconds(10), ct); }
+            catch (OperationCanceledException) { throw; }
+            return null;
+        });
+        var (client, srv) = MemoryTransport.Pair();
+        _ = Task.Run(() => server.AcceptAsync(srv));
+
+        await using var c = await ArcpClient.ConnectAsync(client, new ArcpClientOptions
+        {
+            Client = new ClientInfo { Name = "test", Version = "1.0" },
+        });
+
+        var handle = await c.SubmitAsync("worker", leaseConstraints: new Arcp.Core.Leases.LeaseConstraints
+        {
+            ExpiresAt = DateTimeOffset.UtcNow.AddMilliseconds(500),
+        });
+        var result = await handle.Result.WaitAsync(TimeSpan.FromSeconds(5));
+
+        result.Success.Should().BeFalse();
+        result.Error!.Code.Should().Be(Arcp.Core.Errors.ErrorCode.LeaseExpired);
+        result.Error.FinalStatus.Should().Be("error");
+        result.Error.Retryable.Should().BeFalse();
+    }
 }