Category: spec-conformance Severity: blocker
Location: src/Arcp.Runtime/Internal/JobSubmitFlow.fs:91-118
Spec: ARCP v1.1 §14
What
Spec §14: 'Runtimes MUST issue them [credentials] over authenticated, encrypted transports only'. If ArcpServerOptions.AllowAnonymousAuth=true and a Provisioner is also configured, an AnonymousPrincipal session can submit jobs and receive minted credentials. Nothing in the ArcpServer constructor or JobSubmitFlow prevents this combination or short-circuits issuance for anonymous principals.
Evidence
    let private issueCredentialsAsync (provisioner) (registry) (record: JobRecord) (ct) =
        task {
            let ctx: CredentialIssueContext = { JobId = record.JobId; Principal = record.Principal; Lease = record.Lease; LeaseConstraints = record.Constraints; ParentJobId = ... }
            try
                let! credentials = provisioner.IssueAsync(ctx, ct)
                for cred in credentials do do! registry.Track(record.JobId, cred)
                return Ok credentials
            with ...
        }
Proposed fix
In the ArcpServer constructor, raise invalidArg when AllowAnonymousAuth=true && Provisioner.IsSome. Additionally, guard issueCredentialsAsync: if record.Principal is AnonymousPrincipal, return Ok [] (skip issuance) and never call the provisioner.
Acceptance criteria
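The two guards from the proposed fix, shown together as an added example; this is not the project's code. The types are simplified stand-ins assumed for illustration: Principal is modelled as a union, the provisioner takes the JobRecord directly, the error type is a string, and the credential registry is omitted.

```fsharp
// Added example: simplified stand-ins for the ARCP runtime types, which the issue does not show.
open System.Threading
open System.Threading.Tasks

type Principal =
    | AnonymousPrincipal
    | AuthenticatedPrincipal of subject: string
type Credential = { Token: string }
type JobRecord = { JobId: string; Principal: Principal }

type IProvisioner =
    abstract IssueAsync: JobRecord * CancellationToken -> Task<Credential list>

type ArcpServerOptions =
    { AllowAnonymousAuth: bool
      Provisioner: IProvisioner option }

// Guard 1: reject the unsafe combination when the server is constructed.
let validateOptions (options: ArcpServerOptions) =
    if options.AllowAnonymousAuth && options.Provisioner.IsSome then
        invalidArg (nameof options) "AllowAnonymousAuth cannot be combined with a Provisioner (ARCP v1.1 §14)."
    options

// Guard 2: defence in depth; an anonymous principal never reaches the provisioner.
let issueCredentialsAsync (provisioner: IProvisioner) (record: JobRecord) (ct: CancellationToken) : Task<Result<Credential list, string>> =
    task {
        match record.Principal with
        | AnonymousPrincipal -> return Ok []
        | AuthenticatedPrincipal _ ->
            let! credentials = provisioner.IssueAsync(record, ct)
            return Ok credentials
    }

// Constructed check: a provisioner that counts how often it is called.
let calls = ref 0
let countingProvisioner =
    { new IProvisioner with
        member _.IssueAsync(record, _ct) =
            calls.Value <- calls.Value + 1
            Task.FromResult([ { Token = "constructed-" + record.JobId } ]) }

let anon = { JobId = "job-1"; Principal = AnonymousPrincipal }
let result = (issueCredentialsAsync countingProvisioner anon CancellationToken.None).Result
printfn "anonymous: %A, provisioner calls: %d" result calls.Value

try
    validateOptions { AllowAnonymousAuth = true; Provisioner = Some countingProvisioner } |> ignore
with :? System.ArgumentException as ex -> printfn "rejected: %s" ex.Message
```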