Category: spec-conformance Severity: major
Location: src/Arcp.Runtime/JobContext.cs:125-131
Spec: ARCP v1.1 §9.3
What
ToolCallAsync and DelegateAsync gate the operation only when the lease already declares tool.call / agent.delegate. Spec §9.1/§9.3 require every authority-bearing operation to be covered by the lease and uncovered operations to fail with PERMISSION_DENIED (deny-by-default); the explicit permissive carve-out in §9.7 is scoped to model.use only. As written, a job whose lease omits tool.call can emit tool_call for any tool with no authorization check.
Evidence
private void EnforceIfLeased(string namespaceName, string pattern)
{
if (_job.Lease.Capabilities.ContainsKey(namespaceName))
{
AuthorizeOperation(namespaceName, pattern);
}
}Proposed fix
Default to deny: when the namespace is absent, raise PERMISSION_DENIED (offer an explicit opt-in 'permissive namespace' option for the §9.7-style relaxation). At minimum align the behavior across namespaces and document it.
Acceptance criteria
Category: spec-conformance Severity: major
Location:
src/Arcp.Runtime/JobContext.cs:125-131Spec: ARCP v1.1 §9.3
What
ToolCallAsync and DelegateAsync gate the operation only when the lease already declares tool.call / agent.delegate. Spec §9.1/§9.3 require every authority-bearing operation to be covered by the lease and uncovered operations to fail with PERMISSION_DENIED (deny-by-default); the explicit permissive carve-out in §9.7 is scoped to model.use only. As written, a job whose lease omits tool.call can emit tool_call for any tool with no authorization check.
Evidence
Proposed fix
Default to deny: when the namespace is absent, raise PERMISSION_DENIED (offer an explicit opt-in 'permissive namespace' option for the §9.7-style relaxation). At minimum align the behavior across namespaces and document it.
Acceptance criteria