fix: enforce expires_at containment in lease subsetting (§9.4) (#155)

LeaseManager::ensureSubset() now rejects a child lease whose expires_at
exceeds the parent's with LEASE_SUBSET_VIOLATION, matching §9.4.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: nficano

src/Runtime/LeaseManager.php

@@ -167,6 +167,14 @@ public function ensureSubset(LeaseGranted $parent, LeaseGranted $child): void
                 'cost.budget',
             );
         }
+        // §9.4: a delegated lease's expires_at MUST NOT exceed the parent's.
+        if ($child->expiresAt > $parent->expiresAt) {
+            throw new LeaseSubsetViolationException(
+                (string) $parent->leaseId,
+                (string) $child->leaseId,
+                'lease_constraints.expires_at',
+            );
+        }
     }
 
     public function revoke(LeaseId $id, string $reason = ''): LeaseRevoked

tests/Unit/Runtime/LeaseSubsetTest.php

@@ -34,6 +34,17 @@ public function testCostBudgetSubsetEnforced(): void
         $manager->ensureSubset($parent, $child);
     }
 
+    public function testExpiresAtSubsetEnforced(): void
+    {
+        $manager = new LeaseManager();
+        $now = new \DateTimeImmutable('2026-01-01T00:00:00Z');
+        $parent = new LeaseGranted(new LeaseId('lease_parent'), 'tool.invoke', 'planner', 'run', $now->modify('+1 hour'));
+        $child = new LeaseGranted(new LeaseId('lease_child'), 'tool.invoke', 'planner', 'run', $now->modify('+2 hours'));
+
+        $this->expectException(LeaseSubsetViolationException::class);
+        $manager->ensureSubset($parent, $child);
+    }
+
     private function lease(
         string $id,
         ?ModelUse $modelUse = null,