credential_rotated event carrying the credential value is fanned out to subscribers (§14) #75

@nficano

Category: spec-conformance
Severity: blocker
Location: arcp-runtime/src/main/java/dev/arcp/runtime/credentials/CredentialBinding.java:62-76
Spec: ARCP v1.1 §14 (also §9.8.2)

What

On rotation the status event body carries the new credential value (required for the submitter by §9.8.2). The eventSink is SessionLoop::emitJobEvent, which fans every job event out to all subscribers (SessionLoop.java:850-854). §14 states subscribers MUST NOT receive the credential, and the runtime MUST redact value from any introspection surface; a subscriber with provisioned_credentials + subscribe negotiated therefore receives plaintext credential material.

Evidence

  public void rotate(JobRecord record, CredentialId id, IssuedCredential next) {
    IssuedCredential prior = record.replaceCredential(id, next);
    if (prior != null) {
      revoke(prior);
    }
    store.record(
        next.wire().id(),
        next.providerHandle() != null ? next.providerHandle() : next.wire().id().value());
    eventSink.accept(
        record,
        new StatusEvent(
            "credential_rotated",
            null,
            mapper.valueToTree(new CredentialRotatedBody(next.wire().id(), next.wire().value()))));

Proposed fix

Deliver credential_rotated (with value) only to the submitting session; either skip the subscriber fan-out for this event kind, or redact the value field from the body before forwarding to non-submitter subscribers.

Acceptance criteria

  • A subscriber attached to a job that rotates a credential never receives the credential value; the submitting session still receives the credential_rotated event with the new value.
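
One way to implement the redaction option of the proposed fix, written as an added example and not taken from the arcp-runtime code base: the submitter receives the full event, and every other recipient receives a copy with the secret field stripped. `Session`, `StatusEvent`, `SECRET_FIELDS`, `emit` and the map-based body are hypothetical stand-ins; only the `credential_rotated` kind and the `value` field name come from the issue.

```java
import java.util.*;
import java.util.function.BiConsumer;

public class RedactingFanOut {
  // Hypothetical stand-ins for the runtime's session and event types.
  record Session(String id) {}
  record StatusEvent(String kind, Map<String, Object> body) {}

  // Event kinds whose body carries secret fields, and which fields to strip.
  static final Map<String, Set<String>> SECRET_FIELDS =
      Map.of("credential_rotated", Set.of("value"));

  /** Returns the event as a non-submitter may see it: secret fields removed. */
  static StatusEvent redactForSubscriber(StatusEvent event) {
    Set<String> secrets = SECRET_FIELDS.get(event.kind());
    if (secrets == null) return event;
    Map<String, Object> copy = new LinkedHashMap<>(event.body());
    copy.keySet().removeAll(secrets);
    return new StatusEvent(event.kind(), Collections.unmodifiableMap(copy));
  }

  /** Full event goes to the submitter only; every other recipient gets the redacted view. */
  static void emit(StatusEvent event, Session submitter, Collection<Session> subscribers,
                   BiConsumer<Session, StatusEvent> send) {
    send.accept(submitter, event);
    StatusEvent redacted = redactForSubscriber(event);
    for (Session s : subscribers) {
      // Skip the submitter if it is also subscribed, so it is not sent a second copy.
      if (!s.equals(submitter)) send.accept(s, redacted);
    }
  }

  public static void main(String[] args) {
    Session submitter = new Session("submitter");
    Session watcher = new Session("watcher");
    Map<Session, StatusEvent> delivered = new HashMap<>();
    // Constructed sample event; the id and value are placeholders.
    StatusEvent rotated = new StatusEvent("credential_rotated",
        Map.of("id", "cred-1", "value", "EXAMPLE-SECRET"));
    emit(rotated, submitter, List.of(submitter, watcher), delivered::put);

    // The two halves of the acceptance criterion.
    if (!"EXAMPLE-SECRET".equals(delivered.get(submitter).body().get("value")))
      throw new AssertionError("submitter must receive the value");
    if (delivered.get(watcher).body().containsKey("value"))
      throw new AssertionError("subscriber must not receive the value");
    System.out.println("watcher sees: " + delivered.get(watcher).body());
  }
}
```

Redacting on a copy at the fan-out boundary keeps the submitter's event untouched and means a newly added secret-bearing event kind only needs an entry in the field table.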
