fix: reject widening overlays on referenced leases (§9.4) (#61)

When a tool.invoke references an existing lease and overlays expires_at,
model.use, or cost.budget, CredentialLifecycle::overlayLease() now validates
the derived lease against the parent via ensureSubset(), rejecting any widening
with LEASE_SUBSET_VIOLATION. The tool-invocation handler surfaces any lease
ARCPException (permission denied, subset violation, ...) as a correlated
tool.error.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: nficano

src/Internal/Runtime/CredentialLifecycle.php

@@ -133,7 +133,7 @@ private function overlayLease(
         ?ModelUse $modelUse,
         ?CostBudget $costBudget,
     ): LeaseGranted {
-        return new LeaseGranted(
+        $candidate = new LeaseGranted(
             $base->leaseId,
             $base->permission,
             $base->resource,
@@ -144,6 +144,11 @@ private function overlayLease(
             // lease does not alias (and mutate) the shared counter (§9.6).
             $costBudget ?? $base->costBudget?->snapshot(),
         );
+        // §9.4: a lease derived from a referenced parent may only narrow it.
+        // Reject any overlay that widens model.use, cost.budget, or expires_at.
+        $this->runtime->leases->ensureSubset($base, $candidate);
+
+        return $candidate;
     }
 
     private function expiresAt(mixed $leaseArg): ?\DateTimeImmutable

src/Internal/Runtime/ToolInvocationHandler.php

@@ -71,7 +71,10 @@ public function handle(Session $session, Envelope $env, ToolInvoke $msg): void
         }
         try {
             $lease = $this->credentials->leaseFromArguments($msg->arguments, $resolved, $session);
-        } catch (\Arcp\Errors\PermissionDeniedException $e) {
+        } catch (ARCPException $e) {
+            // Lease resolution can fail with PERMISSION_DENIED (scope/owner),
+            // LEASE_SUBSET_VIOLATION (widening overlay, §9.4), or another
+            // lease error; surface any of them as a correlated tool.error.
             $this->runtime->emit($session, new ToolError(ErrorPayload::fromException($e)), [
                 'correlation_id' => $env->id,
                 'trace_id' => $env->traceId,

tests/Integration/PermissionLeaseTest.php

@@ -108,6 +108,46 @@ public function invoke(array $arguments, JobContext $ctx, ?Cancellation $cancell
         $serverFuture->await();
     }
 
+    public function testReferencedLeaseOverlayCannotWidenBudget(): void
+    {
+        $runtime = new ARCPRuntime(authRouter: new AuthRouter([new NoneAuth()]));
+        $runtime->registerTool('spend', new class () implements ToolHandler {
+            #[\Override]
+            public function invoke(array $arguments, JobContext $ctx, ?Cancellation $cancellation = null): mixed
+            {
+                return ['ok' => true];
+            }
+        });
+        [$serverT, $clientT] = MemoryTransport::pair();
+        $serverFuture = $runtime->serveAsync($serverT);
+        $client = new ARCPClient($clientT);
+        $client->open(Auth::none(), new PeerInfo('cli', '0.1'), new Capabilities(anonymous: true));
+
+        $leaseId = LeaseId::random();
+        $runtime->leases->register(
+            new LeaseGranted(
+                $leaseId,
+                'tool.invoke',
+                'spend',
+                'run',
+                new \DateTimeImmutable('+5 minutes'),
+                null,
+                CostBudget::fromPatterns(['USD:0.50']),
+            ),
+            $client->session->sessionId,
+        );
+
+        // Overlay a wider budget than the parent grants: §9.4 forbids it.
+        $args = ['lease' => ['lease_id' => (string) $leaseId, 'cost.budget' => ['USD:5.00']]];
+        $this->expectException(\Arcp\Errors\LeaseSubsetViolationException::class);
+        try {
+            $client->invokeTool('spend', $args);
+        } finally {
+            $client->close();
+            $serverFuture->await();
+        }
+    }
+
     public function testPermissionDenyRaisesException(): void
     {
         $denyHandler = new class () implements PermissionHandler {