feat(runtime): lease gate on tool_call / delegate emission (§9.3)

`LeaseManager.AuthorizeOperation` previously had no in-runtime caller
outside `AuthorizeModelUse`/tests — meaning a buggy or hostile agent
could ignore the lease entirely. Spec §9.3 requires the runtime to
evaluate the lease before any authority-bearing operation.

- Expose `JobContext.AuthorizeOperation(namespace, pattern)` so agents
  building their own dispatch can call it explicitly.
- Auto-gate `JobContext.ToolCallAsync` against `tool.call` and
  `JobContext.DelegateAsync` against `agent.delegate`, but only when
  the lease actually declares the namespace — leases that omit it
  remain permissive (matches §9.7's "MAY allow when configured" wording
  and preserves existing tests that don't set up tool leases).
- Plumb the `LeaseManager` from `JobManager` into `JobContext` so the
  gate uses the runtime-configured time provider.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: nficano

src/Arcp.Runtime/JobContext.cs

@@ -23,14 +23,28 @@ public sealed class JobContext
 {
     private readonly Job _job;
     private readonly CredentialManager? _credentials;
+    private readonly Arcp.Runtime.Leases.LeaseManager? _leases;
 
-    internal JobContext(Job job, ILogger logger, CredentialManager? credentials = null)
+    internal JobContext(Job job, ILogger logger, CredentialManager? credentials = null,
+                        Arcp.Runtime.Leases.LeaseManager? leases = null)
     {
         _job = job;
         _credentials = credentials;
+        _leases = leases;
         Logger = logger;
     }
 
+    /// <summary>Synchronously evaluate the job's lease for an operation under
+    /// <paramref name="namespaceName"/> against <paramref name="pattern"/> (spec §9.3).
+    /// Throws <see cref="PermissionDeniedException"/> on lease miss and
+    /// <see cref="LeaseExpiredException"/> on lease expiry. Agents that build their own tool
+    /// dispatch SHOULD call this before performing any authority-bearing operation.</summary>
+    public void AuthorizeOperation(string namespaceName, string pattern)
+    {
+        var leases = _leases ?? new Arcp.Runtime.Leases.LeaseManager();
+        leases.AuthorizeOperation(_job.Lease, _job.LeaseConstraints, namespaceName, pattern);
+    }
+
     /// <summary>Gets the job id.</summary>
     public JobId JobId => _job.JobId;
 
@@ -88,14 +102,31 @@ public ValueTask RotateCredentialAsync(
         return _credentials.RotateAsync(_job, credentialId, next, cancellationToken);
     }
 
-    /// <summary>Tool call (asynchronous).</summary>
-    public ValueTask ToolCallAsync(string tool, string callId, object? args, CancellationToken cancellationToken = default) =>
-        _job.EmitEventAsync(EventKinds.ToolCall, new ToolCallBody
+    /// <summary>Emit a <c>tool_call</c> event. If the job's lease declares <c>tool.call</c>, the
+    /// tool name is gated against the lease patterns first (spec §9.3); a non-matching tool
+    /// raises <see cref="PermissionDeniedException"/> before the event is emitted.</summary>
+    public ValueTask ToolCallAsync(string tool, string callId, object? args, CancellationToken cancellationToken = default)
+    {
+        EnforceIfLeased(LeaseNamespaces.ToolCall, tool);
+        return _job.EmitEventAsync(EventKinds.ToolCall, new ToolCallBody
         {
             Tool = tool,
             CallId = callId,
             Args = args is null ? null : ArcpJson.ToJsonElement(args),
         }, cancellationToken);
+    }
+
+    /// <summary>Gate an operation when the lease declares the given namespace. Leases that omit
+    /// the namespace remain permissive (spec §9.7 explicitly allows this when a runtime is
+    /// configured to do so; tighter policies SHOULD call <see cref="AuthorizeOperation"/>
+    /// directly).</summary>
+    private void EnforceIfLeased(string namespaceName, string pattern)
+    {
+        if (_job.Lease.Capabilities.ContainsKey(namespaceName))
+        {
+            AuthorizeOperation(namespaceName, pattern);
+        }
+    }
 
     /// <summary>Tool result (asynchronous).</summary>
     public ValueTask ToolResultAsync(string callId, object? result, ToolError? error = null, CancellationToken cancellationToken = default) =>
@@ -120,14 +151,18 @@ public ValueTask ArtifactRefAsync(string uri, string? contentType = null, long?
             Sha256 = sha256,
         }, cancellationToken);
 
-    /// <summary>Delegate (asynchronous).</summary>
-    public ValueTask DelegateAsync(string childJobId, string agent, object? input, CancellationToken cancellationToken = default) =>
-        _job.EmitEventAsync(EventKinds.Delegate, new DelegateBody
+    /// <summary>Emit a <c>delegate</c> event. If the job's lease declares <c>agent.delegate</c>, the
+    /// child agent name is gated against the lease patterns first (spec §9.3, §10).</summary>
+    public ValueTask DelegateAsync(string childJobId, string agent, object? input, CancellationToken cancellationToken = default)
+    {
+        EnforceIfLeased(LeaseNamespaces.AgentDelegate, agent);
+        return _job.EmitEventAsync(EventKinds.Delegate, new DelegateBody
         {
             ChildJobId = childJobId,
             Agent = agent,
             Input = input is null ? null : ArcpJson.ToJsonElement(input),
         }, cancellationToken);
+    }
 
     /// <summary>Emit a <c>progress</c> event (spec §8.2.1).</summary>
     public ValueTask ProgressAsync(long current, long? total = null, string? units = null, string? message = null, CancellationToken cancellationToken = default)

src/Arcp.Runtime/JobManager.cs

@@ -177,7 +177,7 @@ private static JobAcceptedPayload BuildAccepted(Job job)
     public async Task RunAsync(Job job, IAgent agent, Func<Envelope, CancellationToken, ValueTask> emit, CancellationToken cancellationToken)
     {
         job.MarkRunning();
-        var ctx = new JobContext(job, _loggers.CreateLogger($"Arcp.Job.{job.JobId.Value}"), _credentials);
+        var ctx = new JobContext(job, _loggers.CreateLogger($"Arcp.Job.{job.JobId.Value}"), _credentials, _leases);
 
         // Watchdog cancellation source — cancelled in `finally` so the watchdog never outlives
         // the job and never emits a late lease-expired event after the terminal result.

src/Arcp.Runtime/PublicAPI.Unshipped.txt

@@ -91,6 +91,7 @@ Arcp.Runtime.Job.WriteChunkAsync(Arcp.Core.Ids.ResultId resultId, string! data,
 Arcp.Runtime.JobContext
 Arcp.Runtime.JobContext.Agent.get -> Arcp.Core.Agents.AgentRef
 Arcp.Runtime.JobContext.ArtifactRefAsync(string! uri, string? contentType = null, long? byteSize = null, string? sha256 = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) -> System.Threading.Tasks.ValueTask
+Arcp.Runtime.JobContext.AuthorizeOperation(string! namespaceName, string! pattern) -> void
 Arcp.Runtime.JobContext.BeginResultStream() -> Arcp.Core.Ids.ResultId
 Arcp.Runtime.JobContext.Budget.get -> System.Collections.Generic.IReadOnlyDictionary<string!, decimal>!
 Arcp.Runtime.JobContext.Cancellation.get -> System.Threading.CancellationToken

tests/Arcp.UnitTests/LeaseTests.cs

@@ -77,4 +77,23 @@ public void BudgetAmount_parse_throws_on_invalid()
         var act = () => BudgetAmount.Parse("not a budget");
         act.Should().Throw<FormatException>();
     }
+
+    [Fact]
+    public void GlobMatch_is_permissive_for_double_star_and_strict_otherwise()
+    {
+        // Anchor the runtime's lease-gate behavior: when a lease declares tool.call:["calc.*"],
+        // ctx.ToolCallAsync("calc.add", ...) is allowed but ctx.ToolCallAsync("fs.write", ...)
+        // raises PermissionDenied (spec §9.3).
+        var manager = new Arcp.Runtime.Leases.LeaseManager();
+        var lease = new Lease(new Dictionary<string, IReadOnlyList<string>>
+        {
+            [LeaseNamespaces.ToolCall] = new[] { "calc.*" },
+        });
+
+        var ok = () => manager.AuthorizeOperation(lease, null, LeaseNamespaces.ToolCall, "calc.add");
+        var bad = () => manager.AuthorizeOperation(lease, null, LeaseNamespaces.ToolCall, "fs.write");
+
+        ok.Should().NotThrow();
+        bad.Should().Throw<Arcp.Core.Errors.PermissionDeniedException>();
+    }
 }