Category: spec-conformance Severity: minor
Location: packages/core/src/messages/credentials.ts:23-25
Spec: ARCP v1.1 §9.5
What
The TSDoc states the Z-suffix is required (matching §9.5 'expires_at MUST be UTC'), but the schema accepts any non-empty string; e.g. '2026-01-01T00:00:00+05:00' (non-UTC) decodes. Leases are backstopped by validateLeaseConstraints at submit, but the credential expires_at is not re-validated in the issuance path audited here.
Evidence
/** ISO 8601 UTC expiry (`Z`-suffix required). */
expires_at: Schema.optional(Schema.String.pipe(Schema.nonEmptyString())),
Proposed fix
Apply a Z-suffix/RFC3339-UTC pattern to expires_at, or align the TSDoc to state enforcement is deferred and name the enforcing component.
Acceptance criteria
Category: spec-conformance Severity: minor
Location:
packages/core/src/messages/credentials.ts:23-25Spec: ARCP v1.1 §9.5
What
The TSDoc states the Z-suffix is required (matching §9.5 'expires_at MUST be UTC'), but the schema accepts any non-empty string; e.g. '2026-01-01T00:00:00+05:00' (non-UTC) decodes. Leases are backstopped by validateLeaseConstraints at submit, but the credential expires_at is not re-validated in the issuance path audited here.
Evidence
Proposed fix
Apply a Z-suffix/RFC3339-UTC pattern to expires_at, or align the TSDoc to state enforcement is deferred and name the enforcing component.
Acceptance criteria