fix: address open audit issues #36-#58

Spans client correlation/cancellation, runtime handshake/resume/heartbeat
supervision, idempotency replay, result stream sizing/units, eventlog
streaming/serialization, stdio transport, CLI/conformance/guides docs
alignment, and test determinism + branch coverage.

Closes #36
Closes #37
Closes #38
Closes #39
Closes #40
Closes #41
Closes #42
Closes #43
Closes #44
Closes #45
Closes #46
Closes #47
Closes #48
Closes #49
Closes #50
Closes #51
Closes #52
Closes #53
Closes #54
Closes #55
Closes #56
Closes #57
Closes #58

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: nficano

docs/cli.md

@@ -31,22 +31,23 @@ arcp serve --token demo-token --principal cli-user
 
 ### `arcp submit`
 
-Submit a job to a running runtime and print the result.
+Submit a single job and print the terminal `job.result` JSON.
 
 ```bash
-arcp submit --url ws://localhost:7777/arcp --agent echo \
-  --input '{"url":"https://example.com"}' --token my-bearer-token
+arcp submit --url ws://localhost:7777/arcp --token my-bearer-token \
+  --agent echo --input '{"url":"https://example.com"}' \
+  --lease '{"net.fetch":["https://*"]}'
 ```
 
 **Arguments:**
 
-| Argument | Description |
-|---|---|
-| `--url` | WebSocket URL of the runtime |
-| `--agent` | Agent name |
-| `--input` | JSON-encoded input |
-| `--token` | Bearer token |
-| `--lease` | Lease JSON object |
+| Argument | Default | Description |
+|---|---|---|
+| `--url` | required | WebSocket URL of the runtime (e.g. `ws://host:7777/arcp`) |
+| `--token` | required | Bearer token |
+| `--agent` | required | Agent name (optionally `name@version`) |
+| `--input` | `null` | JSON-encoded input passed to the agent |
+| `--lease` | `{}` | Lease as JSON object (e.g. `{"net.fetch":["https://*"]}`) |
 
 ### `arcp tail`
 
@@ -60,10 +61,18 @@ Prints each `JobEvent` as a JSON line. Press `Ctrl-C` to stop.
 
 ### `arcp replay`
 
-Replay a recorded event stream from a JSONL file.
+Replay a recorded event stream from a SQLite event log.
 
 ```bash
-arcp replay --db events.sqlite --session SESSION_ID
+arcp replay --db events.sqlite --session SESSION_ID --after-seq 0
 ```
 
-Useful for debugging: record a live stream from `tail` and replay it from the SQLite event log.
+**Arguments:**
+
+| Argument | Default | Description |
+|---|---|---|
+| `--db` | required | SQLite event log path |
+| `--session` | required | Session id to replay |
+| `--after-seq` | `0` | Skip envelopes whose `event_seq` is <= this value |
+
+Each line is one envelope as JSON. Useful for debugging an event stream recorded with `arcp serve --db events.sqlite` after the fact.

docs/conformance.md

@@ -1,57 +1,78 @@
 # Conformance
 
-This page records which sections of the [ARCP v1.1 specification](https://arcp.dev/spec/v1.1) are implemented by the Python SDK, and points to the source that implements each requirement.
+This page records which sections of the [ARCP v1.1 specification](https://arcp.dev/spec/v1.1) are implemented by the Python SDK, and points to the source that implements each requirement. Every source path listed below exists in this repository under `src/arcp/`.
 
 ## Conformance matrix
 
 | Spec section | Title | Status | Source |
 |---|---|---|---|
-| §4 | Versioning | ✅ Full | `src/arcp/_version.py` |
-| §5 | Transport framing | ✅ Full | `src/arcp/_transport/` |
-| §6 | Sessions | ✅ Full | `src/arcp/_runtime/session.py` |
-| §6.1 | Authentication — Bearer | ✅ Full | `src/arcp/_auth/bearer.py` |
-| §6.1 | Authentication — custom verifier | ✅ Full | `src/arcp/_auth/jwt.py` |
-| §6.2 | Agent versions | ✅ Full | `src/arcp/_runtime/server.py` |
-| §6.3 | Stream resume | ✅ Full | `src/arcp/_runtime/session.py` |
-| §7 | Jobs | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §7.1 | Idempotency keys | ✅ Full | `src/arcp/_store/idempotency.py` |
-| §7.2 | Job cancellation | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §8 | Job events | ✅ Full | `src/arcp/_envelope.py` |
-| §8.1 | `job.queued` | ✅ Full | `src/arcp/_envelope.py` |
-| §8.2 | `job.started` | ✅ Full | `src/arcp/_envelope.py` |
-| §8.3 | `job.log` | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §8.4 | `job.progress` | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §8.5 | `job.result_chunk` | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §8.6 | `job.completed` | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §8.7 | `job.failed` | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §8.8 | `job.cancelled` | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §8.9 | `job.heartbeat` | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §9 | Leases | ✅ Full | `src/arcp/_runtime/lease.py` |
-| §9.1 | Cost budgets | ✅ Full | `src/arcp/_runtime/lease.py` |
-| §9.2 | Time budgets (`expires_in_s`) | ✅ Full | `src/arcp/_runtime/lease.py` |
-| §9.3 | `expires_at` (absolute timestamp) | ✅ Full | `src/arcp/_runtime/lease.py` |
-| §10 | Delegation | ✅ Full | `src/arcp/_runtime/_handlers.py` |
-| §11 | Observability | ✅ Full | `src/arcp/middleware/otel.py` |
-| §12 | Errors | ✅ Full | `src/arcp/_errors.py` |
-| §13 | Capability negotiation | ✅ Full | `src/arcp/_runtime/server.py` |
-| §14 | List jobs | ✅ Full | `src/arcp/_runtime/_handler_list_jobs.py` |
-| §15 | Vendor extensions | ✅ Full | `src/arcp/_extensions.py` |
+| §4 | Versioning / protocol constant | Full | `src/arcp/_version.py`, `src/arcp/_envelope.py` |
+| §5.1 | Envelope shape (8 fields) | Full | `src/arcp/_envelope.py` |
+| §5.2 | Wire framing (WebSocket / stdio / memory) | Full | `src/arcp/_transport/` |
+| §6.1 | `session.hello` / `session.welcome` | Full | `src/arcp/_runtime/_handshake.py` |
+| §6.1 | Authentication — bearer (static + custom) | Full | `src/arcp/_auth/bearer.py` |
+| §6.1 | Authentication — JWT / JWKS | Full | `src/arcp/_auth/jwt.py` |
+| §6.2 | Capability / feature negotiation | Full | `src/arcp/_runtime/_handshake.py`, `src/arcp/_version.py` |
+| §6.3 | Session resume (`hello.resume`) | Full | `src/arcp/_runtime/_handshake.py`, `src/arcp/_store/eventlog.py` |
+| §6.4 | Heartbeat / liveness | Full | `src/arcp/_runtime/session.py` (`heartbeat_loop`) |
+| §6.5 | Ack backpressure | Full | `src/arcp/_runtime/_handlers.py` (`handle_ack`) |
+| §6.6 | `session.bye` / orderly close | Full | `src/arcp/_runtime/_handlers.py` (`handle_bye`) |
+| §7.1 | `job.submit` / `job.accepted` | Full | `src/arcp/_runtime/_handlers.py` (`handle_submit`) |
+| §7.2 | Idempotency keys (accept + terminal replay) | Full | `src/arcp/_store/idempotency.py`, `src/arcp/_runtime/_handlers.py` |
+| §7.3 | Agent versions (`agent@version` selection) | Full | `src/arcp/_runtime/server.py` (`_resolve_agent`) |
+| §7.4 | `job.cancel` (submitter-only) | Full | `src/arcp/_runtime/_handlers.py` (`handle_cancel`) |
+| §7.5 | `session.list_jobs` (filter + cursor) | Full | `src/arcp/_runtime/_handler_list_jobs.py` |
+| §7.6 | `job.subscribe` / `job.unsubscribe` | Full | `src/arcp/_runtime/_handlers.py` |
+| §8.1 | `log`, `thought`, `status` events | Full | `src/arcp/_runtime/job.py` (`JobContext`) |
+| §8.2 | `metric`, `tool_call`, `tool_result` | Full | `src/arcp/_runtime/job.py`, `src/arcp/_messages/event_bodies.py` |
+| §8.3 | `progress` events | Full | `src/arcp/_runtime/job.py` (`JobContext.progress`) |
+| §8.4 | `result_chunk` + streamed `job.result` | Full | `src/arcp/_runtime/result_stream.py` |
+| §8.5 | Terminal `job.result` / `job.error` | Full | `src/arcp/_runtime/job.py` (`Job.emit_result`, `Job.emit_error`) |
+| §9.1 | Lease shape + glob validation | Full | `src/arcp/_runtime/lease.py` (`validate_lease_shape`) |
+| §9.2 | Cost budgets (Decimal arithmetic) | Full | `src/arcp/_runtime/lease.py`, `src/arcp/_runtime/job.py` |
+| §9.3 | Lease constraints (`expires_at`, `model.use`) | Full | `src/arcp/_runtime/lease.py` (`validate_lease_constraints`) |
+| §9.4 | Lease watchdog (auto-expiry) | Full | `src/arcp/_runtime/_job_runner.py` (`_lease_watchdog`) |
+| §9.5 | Sublease shape rules for delegation | Full | `src/arcp/_runtime/lease.py` (`assert_lease_subset`) |
+| §10 | Provisioned credentials + revocation | Full | `src/arcp/_runtime/credentials.py`, `src/arcp/_runtime/_handlers.py` |
+| §11 | Observability — OTel transport wrapper | Full | `src/arcp/middleware/otel.py` |
+| §12 | Typed errors + `session.error` payload | Full | `src/arcp/_errors.py` |
+| §13 | Vendor extensions (`x-*` passthrough) | Full | `src/arcp/_extensions.py` |
+| §14 | Authorization defaults + policy seam | Full | `src/arcp/_runtime/server.py` (`AuthorizationContext`) |
 
 ## Notes
 
 ### §6.3 Stream resume
 
-Resume remains session-scoped in the current implementation. Treat the older
-`resume_token` submit flow as deferred until the runtime exposes it publicly.
+`SessionResume` carries `(session_id, resume_token, last_event_seq)` in a
+`session.hello`. The runtime keeps a per-session resume record for
+`resume_window_sec` after disconnect, validates the resume token + principal
+on rejoin, reuses the original `session_id`, rotates the resume token, and
+replays buffered envelopes from the event log past `last_event_seq`. Jobs do
+not run across the disconnect boundary; only history is replayed.
 
-### §9.3 `expires_at`
+### §6.5 Ack backpressure
 
-`expires_at` accepts an ISO 8601 datetime string (UTC). The runtime converts it to `expires_in_s` for internal tracking.
+`session.ack` releases acked prefixes from the in-memory or SQLite event log
+synchronously inside the dispatch loop (per-session serialized).
+`AutoAckOptions` on the client coalesces acks by event count and interval.
 
-### §10 Delegation
+### §7.2 Idempotency
 
-Delegation tokens are signed JWTs. The SDK provides `runtime.create_delegation_token(principal, scopes)` and verifies incoming tokens automatically.
+A duplicate `job.submit` with the same `(principal, idempotency_key)`
+replays the original `job.accepted` AND, if the original job has reached a
+terminal state, also replays the stored `job.result` or `job.error`. This
+prevents the duplicate `JobHandle` from hanging on `await handle.done`.
 
-### §15 Vendor extensions
+### §10 Provisioned credentials
 
-Any `x-*` key in a submit payload or event payload is passed through without modification. Use `arcp._extensions.get_extension(event, "x-my-field")` to read them safely.
+Credentials are issued via a pluggable `CredentialProvisioner`, recorded in
+a durable `RevocationLog`, attached to `job.accepted`, and revoked when the
+job ends. Credential rotation is exposed via `JobContext.rotate_credential`.
+
+### §13 Vendor extensions
+
+Any `x-vendor.*` key in an envelope payload or event body is passed through
+without modification — every pydantic payload model in `arcp._messages.*`
+uses `model_config = ConfigDict(extra="allow")`. Validate keys with
+`arcp._extensions.validate_extension_key("x-vendor.my-field")` before sending
+to ensure forward compatibility.

docs/guides/jobs.md

@@ -50,35 +50,46 @@ async def my_agent(input, ctx):
     await ctx.log("info", "starting")
     await ctx.progress(0, total=100)
 
-    for i in range(10):
-        chunk = await do_work(i)
-        await ctx.result_chunk(chunk)
-        await ctx.progress((i + 1) * 10, total=100)
-        await ctx.metric({"name": "cost.inference", "value": 0.001, "unit": "USD"})
+    async with ctx.stream_result() as stream:
+        for i in range(10):
+            await stream.write(await do_work(i))
+            await ctx.progress((i + 1) * 10, total=100)
+            await ctx.metric({"name": "cost.inference", "value": 0.001, "unit": "USD"})
 
     return {"done": True}
 ```
 
-| Method | Description |
+| Member | Description |
 |---|---|
-| `ctx.log(level, message)` | Emit a `job.log` event |
-| `ctx.progress(current, total=..., units=..., message=...)` | Emit a `job.progress` event |
-| `ctx.result_chunk(chunk)` | Emit a `job.result_chunk` event |
-| `ctx.metric(body)` | Emit a `metric` event |
-| `ctx.principal` | The authenticated client identity |
-| `ctx.job_id` | The current job ID |
-| `ctx.session_id` | The current session ID |
+| `ctx.log(level, message, attributes=...)` | Emit a `log` event (`level` ∈ `debug`/`info`/`warn`/`error`) |
+| `ctx.progress(current, *, total=..., units=..., message=...)` | Emit a `progress` event (`total` is keyword-only) |
+| `ctx.result_chunk(body)` | Emit one `result_chunk` event |
+| `ctx.stream_result()` | Open a `ResultStream` writer for chunked results |
+| `ctx.metric(body)` | Emit a `metric` event (cost.* automatically decrements budget) |
+| `ctx.status(phase, message=...)` | Emit a `status` event |
+| `ctx.tool_call(body)` / `ctx.tool_result(body)` | Emit MCP-style tool-call events |
+| `ctx.authorize(capability, target)` | Validate a lease op for `capability:target` |
+| `ctx.rotate_credential(id, new_value)` | Publish a credential rotation |
+| `ctx.budget` | Read-only snapshot of remaining `cost.budget` |
+| `ctx.lease` / `ctx.lease_constraints` | The lease attached to this job |
+| `ctx.job_id` / `ctx.session_id` / `ctx.trace_id` | Identity helpers |
+| `ctx.agent` / `ctx.agent_version` / `ctx.agent_ref` | Agent name + selected version |
 
 ## Streaming results
 
+The agent returns chunks through a `ResultStream`; the client consumes them via `JobHandle.chunks()` and joins on `JobHandle.done` for the terminal `job.result`.
+
 ```python
 handle = await client.submit(agent="stream", input={"n": 5})
-async for event in handle.events():
-    if event.kind == "job.result_chunk":
-        print(event.chunk)  # each chunk as it arrives
-    elif event.kind == "job.completed":
-        print("Final:", event.result)
-        break
+
+# Collect chunks as they arrive (each chunk is a dict from the wire body).
+async for chunk in handle.chunks():
+    print("chunk:", chunk)
+
+# All other event kinds (log, progress, metric, status, …) are surfaced on
+# `events()` and the terminal payload is awaited via `done`.
+result = await handle.done
+print("final:", result.result_size, "bytes")
 ```
 
 ## Cancellation
@@ -87,10 +98,12 @@ async for event in handle.events():
 handle = await client.submit(agent="slow", input={})
 await asyncio.sleep(1.0)
 await client.cancel_job(handle.job_id)
-# handle.done raises JobCancelledError
+# handle.done resolves to a JobResultPayload with final_status="cancelled".
+result = await handle.done
+assert result.final_status == "cancelled"
 ```
 
-Cancellation is cooperative: the runtime sends a cancellation signal and waits for the agent to finish its current operation. Agents can check `ctx.cancelled` to exit early.
+Cancellation is cooperative: the runtime cancels the running task, which surfaces in the agent coroutine as `asyncio.CancelledError`. Agents should let it propagate (or catch, clean up, and re-raise).
 
 ## Idempotency
 

docs/recipes/mcp-skill.md

@@ -24,44 +24,37 @@ uv add arcp mcp
 
 ```python
 import asyncio
-import json
 from typing import Any
 
 from mcp import ClientSession, StdioServerParameters
 from mcp.client.stdio import stdio_client
 
-from arcp import ARCPRuntime, JobContext
-from arcp.auth import StaticBearerVerifier
-from arcp.transport import pair_memory_transports
+from arcp import (
+    ARCPClient,
+    ClientInfo,
+    RuntimeInfo,
+    pair_memory_transports,
+)
+from arcp.runtime import ARCPRuntime, StaticBearerVerifier
+from arcp._runtime.job import JobContext
 
 
 def make_mcp_skill(tool_name: str, server_params: StdioServerParameters):
     """Return an ARCP agent function that proxies *tool_name* on the MCP server."""
 
-    async def agent(ctx: JobContext) -> None:
-        # Collect arguments from the single-item input stream.
-        args: dict[str, Any] = {}
-        async for item in ctx.input_stream():
-            args.update(item)
-
-        # Connect to the MCP server and call the tool.
+    async def agent(arguments: dict[str, Any], ctx: JobContext) -> dict[str, Any]:
         async with stdio_client(server_params) as (read, write):
             async with ClientSession(read, write) as session:
                 await session.initialize()
-                result = await session.call_tool(tool_name, args)
-
-        # Emit MCP result content as ARCP result chunks.
-        for content_block in result.content:
-            if content_block.type == "text":
-                await ctx.emit_event(
-                    "result.chunk",
-                    {"text": content_block.text},
-                )
-            else:
-                await ctx.emit_event(
-                    "result.chunk",
-                    {"data": json.loads(content_block.model_dump_json())},
-                )
+                result = await session.call_tool(tool_name, arguments)
+
+        async with ctx.stream_result() as stream:
+            for content_block in result.content:
+                if content_block.type == "text":
+                    await stream.write(content_block.text)
+                else:
+                    await stream.write(content_block.model_dump_json())
+        return {"tool": tool_name}
 
     agent.__name__ = f"mcp_{tool_name}"
     return agent
@@ -79,33 +72,38 @@ fs_server = StdioServerParameters(
 server_transport, client_transport = pair_memory_transports()
 
 runtime = ARCPRuntime(
-    transport=server_transport,
-    auth=StaticBearerVerifier("secret"),
+    runtime=RuntimeInfo(name="mcp-bridge", version="1.0.0"),
+    bearer=StaticBearerVerifier({"secret": "principal-1"}),
 )
 runtime.register_agent("read_file", make_mcp_skill("read_file", fs_server))
 ```
 
 ## Client
 
 ```python
-from arcp import ARCPClient
+import asyncio
+from arcp import ARCPClient, ClientInfo
 
 
 async def main() -> None:
-    async with ARCPClient(client_transport, token="secret") as client:
-        handle = await client.submit(
-            agent="read_file",
-            input=[{"path": "/tmp/hello.txt"}],
-        )
+    asyncio.create_task(runtime.accept(server_transport))
+    client = ARCPClient(
+        client=ClientInfo(name="mcp-caller", version="1.0.0"),
+        token="secret",
+    )
+    await client.connect(client_transport)
+    handle = await client.submit(
+        agent="read_file",
+        input={"path": "/tmp/hello.txt"},
+    )
+    async for chunk in handle.chunks():
+        # `chunk` is the result_chunk wire body; `data` is the decoded text
+        # or base64 bytes (per `encoding`).
+        print(chunk.get("data"))
+    await handle.done
+    await client.close()
 
-        async for event in handle.events():
-            if event.kind == "result.chunk":
-                print(event.data.get("text", event.data))
 
-        await handle.done
-
-
-import asyncio
 asyncio.run(main())
 ```
 
@@ -121,18 +119,18 @@ for tool in TOOLS:
 ## Error propagation
 
 If the MCP tool raises, the exception propagates naturally and ARCP converts it
-to a `job.failed` event with an appropriate error code (spec
+to a `job.error` envelope with an appropriate error code (spec
 [§12](https://arcp.dev/spec/v1.1#section-12)).  You can also catch MCP errors
 explicitly and re-raise as typed ARCP exceptions:
 
 ```python
-from mcp.exceptions import McpError
-from arcp.errors import AgentError
+from mcp.shared.exceptions import McpError
+from arcp import InvalidRequestError
 
 try:
-    result = await session.call_tool(tool_name, args)
+    result = await session.call_tool(tool_name, arguments)
 except McpError as exc:
-    raise AgentError(str(exc)) from exc
+    raise InvalidRequestError(str(exc)) from exc
 ```
 
 ## Related