
list_jobs returns all principals' jobs when requester principal is empty (§6.6) #45

@nficano


Category: spec-conformance
Severity: minor
Location: src/Arcp.Runtime/JobManager.Listing.cs:31-36
Spec: ARCP v1.1 §6.6

What

When requesterPrincipal is null/empty the predicate short-circuits to true for every job, so the listing returns all jobs across all principals. Spec §6.6/§14 require that implementations MUST NOT leak job existence across principals not authorized to know about them. The default no-auth path uses the subject 'anonymous' (non-empty), but a custom IAuthVerifier that yields an empty subject would expose every job in the runtime.

Evidence

private List<Job> FilterByPrincipal(string? requesterPrincipal, IJobAuthorizationPolicy policy) =>
    _jobs.Values
        .Where(j => string.IsNullOrEmpty(requesterPrincipal) ||
                    string.Equals(j.SubmitterPrincipal, requesterPrincipal, StringComparison.Ordinal) ||
                    policy.CanObserve(j.SubmitterPrincipal, new AuthPrincipal(requesterPrincipal)))
        .ToList();

Proposed fix

Treat an empty/absent principal as 'authorized to see nothing' (or require the policy to make the decision), rather than as a wildcard that matches all jobs.

Acceptance criteria

  • A session whose principal subject is empty sees only jobs the authorization policy explicitly permits, never the full cross-principal set.
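
A fail-closed version of the filter described in the proposed fix, as an added example that is not the project's own code. `Job`, `AuthPrincipal` and `IJobAuthorizationPolicy` are minimal stand-ins for the runtime's types (their real shapes are assumptions), and `AdminOnlyPolicy`, the `jobs` parameter and the sample data are hypothetical.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-in types (assumptions): the real ones live in Arcp.Runtime and may differ.
public sealed record Job(string Id, string SubmitterPrincipal);
public sealed record AuthPrincipal(string Subject);
public interface IJobAuthorizationPolicy
{
    bool CanObserve(string submitterPrincipal, AuthPrincipal requester);
}

// Constructed policy for the demo: only "admin" may observe other principals' jobs.
public sealed class AdminOnlyPolicy : IJobAuthorizationPolicy
{
    public bool CanObserve(string submitterPrincipal, AuthPrincipal requester) =>
        requester.Subject == "admin";
}

public static class Listing
{
    // Fail closed: a null/empty requester matches no job instead of every job.
    public static List<Job> FilterByPrincipal(
        IEnumerable<Job> jobs, string? requesterPrincipal, IJobAuthorizationPolicy policy)
    {
        if (string.IsNullOrEmpty(requesterPrincipal))
            return new List<Job>();

        var requester = new AuthPrincipal(requesterPrincipal);
        return jobs
            .Where(j => string.Equals(j.SubmitterPrincipal, requesterPrincipal, StringComparison.Ordinal) ||
                        policy.CanObserve(j.SubmitterPrincipal, requester))
            .ToList();
    }

    public static void Main()
    {
        // Constructed sample data: two jobs owned by different principals.
        var jobs = new[] { new Job("j1", "alice"), new Job("j2", "bob") };
        var policy = new AdminOnlyPolicy();
        foreach (var who in new string?[] { null, "", "alice", "admin" })
        {
            var label = who ?? "<null>";
            var ids = FilterByPrincipal(jobs, who, policy).Select(j => j.Id);
            Console.WriteLine($"'{label}' -> [{string.Join(", ", ids)}]");
        }
    }
}
```

The null and empty requesters are the regression cases for the acceptance criterion: both must yield an empty listing even when the policy would grant access to some named principal.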
