Category: spec-conformance Severity: minor
Location: packages/core/src/messages/lease-schema.ts:41-54
Spec: ARCP v1.1 §9.1
What
A malformed lease such as { "": ["*"] } decodes to an empty (no-capability) lease rather than failing. This fails closed (the client gets less authority, not more), but the client cannot detect that part of its requested lease was discarded; validateLeaseShape runs on the already-decoded record so the dropped key is invisible. Same for JobBudgetSchema (execution.ts:163-170).
Evidence
* Effect's `Schema.Record` silently drops keys that fail the key schema, so
* `{ "": [...] }` decodes to `{}` (zod's twin used to reject at the wire
* layer ...).Proposed fix
Add a filter that compares decoded vs raw key counts and rejects when any key was dropped, restoring reject-on-bad-key semantics.
Acceptance criteria
Category: spec-conformance Severity: minor
Location:
packages/core/src/messages/lease-schema.ts:41-54Spec: ARCP v1.1 §9.1
What
A malformed lease such as { "": ["*"] } decodes to an empty (no-capability) lease rather than failing. This fails closed (the client gets less authority, not more), but the client cannot detect that part of its requested lease was discarded; validateLeaseShape runs on the already-decoded record so the dropped key is invisible. Same for JobBudgetSchema (execution.ts:163-170).
Evidence
Proposed fix
Add a filter that compares decoded vs raw key counts and rejects when any key was dropped, restoring reject-on-bad-key semantics.
Acceptance criteria