Fix audit findings (non-docs): wire format, spec-conformance, bugs, security (#120)

* fix(core): pin spec wire format for union payloads (#94)

Add custom JSON converters for JobStatus, LogLevel, ChunkEncoding,
LeaseGrant (bare namespace map), CredentialConstraints (dotted keys),
AgentInventory (plain array) and JobEventPayload (flat kind-specific
body). Reorder Json.fs after Messages.fs so converters can reference
the payload types. Add golden wire-format tests pinning the spec
JSON shapes (§6.2, §7.3, §8.2, §8.4).

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(runtime): spec-conformance blockers — close ack, cancel, idempotency, leases, credentials

- session.close/session.closed wire types replace session.bye (#73)
- idempotency replay compares param fingerprint, emits DUPLICATE_KEY on conflict (#76)
- cancellation acks job.cancelled then job.error(CANCELLED) (#77, #100); job.cancel returns JOB_NOT_FOUND/PERMISSION_DENIED (#78)
- EmitDelegateAsync validates lease subset, raises LEASE_SUBSET_VIOLATION (#81)
- credential_rotated value redacted from subscribers (#82)
- streamed job.result carries result_id; mixing inline+chunks errors (#83)
- anonymous sessions never receive credentials; startup guard (#88)
- EventLog.EvictExpired honors lastAckedSeq; periodic pruning timer + PruneEmpty (#75, #105)
- terminal job records dispose CTS/watchdog, clear credentials, evicted after retention (#113)

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(runtime): implement session.resume flow + replay (#74, #80)

Add session.resume message type, move resume out of session.hello,
retain disconnected sessions as resumable within the window, replay
buffered events on reattach, rotate resume token, and return
RESUME_WINDOW_EXPIRED for unknown/expired sessions. Add integration
tests.

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(runtime): enforce timeout, terminal guard, replay payload, telemetry, anonymous isolation

- max_runtime_sec watchdog emits job.error(TIMEOUT)/timed_out (#101)
- idempotent replay returns the original job.accepted verbatim (#102)
- single terminal message per job via terminal gate (#103)
- cost.budget.* telemetry no longer decrements budget (#104)
- unique per-session anonymous principal id (#110)
- malformed/unknown inbound -> session.error INVALID_REQUEST, session survives (#99)

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(runtime/client): pagination, subscribe history, ordering, rotation, client races

- list_jobs stable ordering + cursor pagination + next_cursor; bare-name agent filter; limit applied via take+1 (#109, #91, #108)
- job.subscribe history:true replays buffered events; replayed reflects reality (#115)
- per-session gate serializes event_seq assignment with send (#112)
- credential rotation keeps id outstanding for terminal revocation (#107)
- client buffers job-addressed envelopes until handle registered (#95)
- SubscribeAsync surfaces denials instead of a dead handle (#96)
- receive-loop exit faults pending waiters and completes handles (#97)

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(runtime): agent_versions gating, chunk/progress/metric validation, revocation surfacing

- reject name@version without agent_versions; strip suffix from non-negotiated sessions (#79)
- enforce chunk_seq monotonicity and single-stream completion (#84)
- progress current>=0 (reject) and current<=total (clamp) (#85)
- negative cost metrics rejected; negative non-cost metrics still emit (#86)
- permanent credential revocation failures logged + exposed via RevocationFailures (#87)

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(bugs): crypto trace ids, error mapping, caps, lifecycle, transports

- crypto RNG for trace/span ids (#41)
- handler resolved before job.accepted; shared unwind (#47)
- lease/runtime watchdog callbacks observe exceptions (#48)
- 3-state RevocationOutcome; permanent failures keep credential outstanding (#49)
- auto-ack/receive-loop/dispose tasks observed; Completion exposed (#60,#61,#62)
- JobErrorMapper parses details fields (#63)
- AutoAck docs corrected to event-driven (#64)
- ChunkAssembler + WebSocket message size/chunk caps (#65,#66)
- Giraffe short-circuits ws/400 branches (#40)
- CLI awaits enumerator dispose and honors --stdio (#38,#39)

Co-authored-by: Cursor <cursoragent@cursor.com>

* fix(minors): clean-code, perf, safety, feature gating

- watchdog skips terminal jobs (#89); wire retryable + Unknown arm (#90)
- client observes cancellation tokens (#98); reject re-hello (#106)
- session-scoped LastEventSeq via Interlocked; subscribed_from in subscriber space (#111)
- enforce negotiated features on submit (#114); duplicate-currency budget subset sum (#116)
- readEnvelope rejects null/empty envelopes (#117); ArcpResult avoids shadowing FSharp.Core Result (#118)
- StaticBearerVerifier constant-time compare (#119); DevMode rejects whitespace (#54)
- glob regex cache (#44); literalPrefix/isSubset cleanup (#43,#45); array retryDelays (#55)
- single idempotency lookup (#52); credential revoke failure observable (#53)
- dead-code removal (#51,#67); volatile stdio closed (#68); typed pending error (#69)
- Connected member (#70); optional jobId mapping (#71); lazy Otel source from Version.Sdk (#42)

Co-authored-by: Cursor <cursoragent@cursor.com>

* style: apply fantomas formatting

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

---------

Co-authored-by: Nick Ficano <nficano@teachmehipaa.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

Author: 4 people

recipes/_common/RecipeHarness.fs

@@ -44,7 +44,7 @@ let connectWithOptions
                 Features = features
                 BearerVerifier = DevModeBearerVerifier() :> IBearerVerifier }
             |> configureOptions
-        let server = ArcpServer(options)
+        let server = new ArcpServer(options)
         configureServer server
         let clientTransport, serverTransport = MemoryTransport.CreatePair()
         let serverTask = server.HandleSessionAsync(serverTransport, cts.Token)

samples/AspNetCore/Program.fs

@@ -15,7 +15,7 @@ let main argv =
     let builder = WebApplication.CreateBuilder(argv)
 
     let server =
-        ArcpServer(
+        new ArcpServer(
             { ArcpServerOptions.defaults with
                 Features = Features.All
             }

samples/CustomAuth/Program.fs

@@ -29,7 +29,7 @@ let main _argv =
             let cts = new System.Threading.CancellationTokenSource()
 
             let server =
-                ArcpServer(
+                new ArcpServer(
                     { ArcpServerOptions.defaults with
                         BearerVerifier = FixedBearerVerifier "secret" :> IBearerVerifier
                         Features = Features.All

samples/Giraffe/Program.fs

@@ -15,7 +15,7 @@ let main argv =
     let builder = WebApplication.CreateBuilder(argv)
 
     let server =
-        ArcpServer(
+        new ArcpServer(
             { ArcpServerOptions.defaults with
                 Features = Features.All
             }

samples/LiteLLM/Program.fs

@@ -89,7 +89,7 @@ type LiteLLMProvisioner(baseUrl: Uri, adminKey: string, http: HttpClient) =
             task {
                 let body = {| key = credentialId |} :> obj
                 let! _ = postJsonAsync "/key/delete" body ct
-                return true
+                return RevocationOutcome.Revoked
             }
 
 [<EntryPoint>]

samples/ProvisionedCredentials/Program.fs

@@ -31,7 +31,7 @@ type StaticProvisioner(revoked: HashSet<string>) =
 
         member _.RevokeAsync(credentialId, _ct) =
             lock revoked (fun () -> revoked.Add credentialId |> ignore)
-            Task.FromResult true
+            Task.FromResult RevocationOutcome.Revoked
 
 [<EntryPoint>]
 let main _argv =

samples/Stdio/Program.fs

@@ -12,7 +12,7 @@ open ARCP.Runtime
 [<EntryPoint>]
 let main _argv =
     let server =
-        ArcpServer(
+        new ArcpServer(
             { ArcpServerOptions.defaults with
                 Features = Features.All
                 AllowAnonymousAuth = true

samples/_common/SampleHarness.fs

@@ -42,7 +42,7 @@ let private makeServerWithOptions
         }
         |> configureOptions
 
-    let server = ArcpServer(options)
+    let server = new ArcpServer(options)
     configure server
     server
 

src/Arcp.Cli/Program.fs

@@ -65,7 +65,7 @@ let private serveStdio (token: string option) : Task<int> =
                 AllowAnonymousAuth = Option.isNone token
             }
 
-        let server = ArcpServer(options)
+        let server = new ArcpServer(options)
         server.RegisterAgent("echo", fun ctx -> task { return Json.serializeToElement<string> "echo" })
         let transport = StdioTransport.fromConsole ()
         errorLine "serve --stdio: ready"
@@ -88,7 +88,11 @@ let private streamEventsAsync (handle: JobHandle) : Task =
                 else
                     writeLine (sprintf "event: %s" (JobEventBody.kind enumerator.Current))
         finally
-            ignore (enumerator.DisposeAsync().AsTask())
+            ()
+
+        // §38: await disposal so teardown errors surface and complete
+        // before this function returns.
+        do! enumerator.DisposeAsync()
     }
     :> Task
 
@@ -162,7 +166,12 @@ let main argv =
                         let env = Environment.GetEnvironmentVariable "ARCP_TOKEN"
                         if String.IsNullOrEmpty env then None else Some env)
 
-                (serveStdio token).GetAwaiter().GetResult()
+                // §39: honor the --stdio flag instead of ignoring it.
+                if sub.Contains ServeArgs.Stdio then
+                    (serveStdio token).GetAwaiter().GetResult()
+                else
+                    errorLine "serve requires a transport flag; only --stdio is currently supported (pass --stdio)"
+                    2
             | Send sub :: _ ->
                 let url = sub.GetResult SendArgs.Url