Category: spec-conformance Severity: major
Location: Sources/ARCP/Runtime/JobManager.swift:497-519
Spec: ARCP v1.1 §9.3
What
§9.1/§9.3 require every authority-bearing operation to be covered by the effective lease and enforced synchronously before dispatch, with uncovered operations failing PERMISSION_DENIED. The runtime only offers opt-in helpers (context.checkLeaseExpiration / checkModelUse / charge); it never evaluates the lease itself for fs.*, net.fetch, tool.call or agent.delegate, so a handler that omits those calls runs with no lease enforcement at all. README §9 claims 'a job can never act outside it' (see f-0017), a guarantee the implementation does not provide.
Evidence
private func runJob(
jobId: JobId, invokeId: MessageId, handler: any ToolHandler,
invocation: ToolInvocation, context: ConcreteJobContext
) async {
transition(jobId: jobId, to: .running)
...
let result = try await handler.execute(invocation: invocation, context: context)
// runtime never evaluates fs.read/fs.write/net.fetch/tool.call/agent.delegate before dispatch
Proposed fix
Either mediate authority-bearing operations through the runtime so the lease is checked before dispatch (PERMISSION_DENIED on uncovered ops, regardless of what the handler does), or narrow the documented contract to state that enforcement is agent-cooperative and list which namespaces are actually enforced.
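Sketch of the first option, added here as an illustration and not code from ARCP: the runtime owns a context whose every authority-bearing method authorizes against the lease before dispatching, and handlers receive only that context, so a handler that never calls an opt-in helper still cannot act outside the lease. The types and names below (Authority, Grant, Lease, ARCPError, MediatedContext, ToolHandler, runJob), the prefix-based grant shape, and the in-memory file/host backends are all assumptions for the example.

```swift
import Foundation

// Added example, not ARCP's code. Every name here is an assumption for illustration.

/// Authority-bearing operations in the namespaces the finding lists.
enum Authority {
    case fsRead(String), fsWrite(String), netFetch(String), toolCall(String), agentDelegate(String)

    var namespace: String {
        switch self {
        case .fsRead: return "fs.read"
        case .fsWrite: return "fs.write"
        case .netFetch: return "net.fetch"
        case .toolCall: return "tool.call"
        case .agentDelegate: return "agent.delegate"
        }
    }
    var resource: String {
        switch self {
        case .fsRead(let r), .fsWrite(let r), .netFetch(let r), .toolCall(let r), .agentDelegate(let r):
            return r
        }
    }
}

/// One grant in a lease: a namespace plus the resource prefix it covers (assumed grant shape).
struct Grant { let namespace: String; let resourcePrefix: String }

struct Lease {
    let grants: [Grant]
    let expiresAt: Date

    /// Synchronous coverage check; an expired lease covers nothing.
    func covers(_ op: Authority, at now: Date) -> Bool {
        guard now < expiresAt else { return false }
        return grants.contains { $0.namespace == op.namespace && op.resource.hasPrefix($0.resourcePrefix) }
    }
}

enum ARCPError: Error {
    case permissionDenied(namespace: String, resource: String)
}

/// Runtime-owned context. Every authority-bearing operation passes through `authorize`
/// before it is dispatched, so the check cannot be skipped by the handler.
/// Backends are in-memory stubs so the example runs offline; tool.call and
/// agent.delegate would be wrapped the same way.
final class MediatedContext {
    private let lease: Lease
    private let now: () -> Date
    private var files: [String: String]
    private let hosts: [String: String]
    private(set) var audit: [String] = []

    init(lease: Lease, files: [String: String], hosts: [String: String], now: @escaping () -> Date = Date.init) {
        self.lease = lease; self.files = files; self.hosts = hosts; self.now = now
    }

    private func authorize(_ op: Authority) throws {
        guard lease.covers(op, at: now()) else {
            audit.append("DENY  \(op.namespace) \(op.resource)")
            throw ARCPError.permissionDenied(namespace: op.namespace, resource: op.resource)
        }
        audit.append("ALLOW \(op.namespace) \(op.resource)")
    }

    func fsRead(_ path: String) throws -> String {
        try authorize(.fsRead(path))
        return files[path] ?? ""
    }
    func fsWrite(_ path: String, _ contents: String) throws {
        try authorize(.fsWrite(path))
        files[path] = contents
    }
    func netFetch(_ host: String) throws -> String {
        try authorize(.netFetch(host))
        return hosts[host] ?? ""
    }
}

/// Handlers see only the mediated context; there is no raw file or network API to reach for.
protocol ToolHandler {
    func execute(context: MediatedContext) throws -> String
}

/// Deliberately omits every opt-in check, to show the runtime still enforces the lease.
struct NaiveSummarizer: ToolHandler {
    func execute(context: MediatedContext) throws -> String {
        let doc = try context.fsRead("/work/input.txt")    // covered by the lease
        let extra = try context.netFetch("exfil.example")  // not covered: denied before dispatch
        return doc + extra
    }
}

func runJob(_ handler: ToolHandler, context: MediatedContext) -> String {
    do {
        let out = try handler.execute(context: context)
        return "OK: \(out)"
    } catch ARCPError.permissionDenied(namespace: let ns, resource: let res) {
        return "PERMISSION_DENIED: \(ns) on \(res)"
    } catch {
        return "ERROR: \(error)"
    }
}

// Constructed sample: a lease covering only fs.read under /work, valid for one hour.
let lease = Lease(grants: [Grant(namespace: "fs.read", resourcePrefix: "/work/")],
                  expiresAt: Date().addingTimeInterval(3600))
let context = MediatedContext(lease: lease,
                              files: ["/work/input.txt": "hello "],
                              hosts: ["exfil.example": "leaked"])
print(runJob(NaiveSummarizer(), context: context))
context.audit.forEach { print($0) }
```

The point of the shape is that the only path to fs.*, net.fetch, tool.call or agent.delegate is a runtime method that authorizes first; the handler type never sees a lease, a clock, or a raw backend, so there is nothing for it to forget to call. The audit trail also gives the runtime a place to record the denial that §9.3 requires, which opt-in helpers cannot do for a call that was never made.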
Acceptance criteria