fix: use strict Base64 decoding for result_chunk (§8.4) (#77)

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: nficano

lib/arcp/job/event_body/result_chunk.rb

@@ -32,8 +32,16 @@ def to_h
 
         def decoded
           case encoding
-          when 'utf8'   then data
-          when 'base64' then Base64.decode64(data)
+          when 'utf8' then data
+          when 'base64'
+            # Mirror the strict encoder (Base64.strict_encode64): reject
+            # malformed/whitespace-injected input instead of silently
+            # truncating it into corrupt bytes.
+            begin
+              Base64.strict_decode64(data)
+            rescue ArgumentError => e
+              raise Arcp::Errors::InvalidRequest, "malformed base64 result_chunk: #{e.message}"
+            end
           end
         end
       end

spec/unit/audit_findings_2026_06_11_spec.rb

@@ -92,6 +92,25 @@ def enqueue(item) = @items << item
     end
   end
 
+  describe 'ResultChunk#decoded uses strict base64 (#77)' do
+    def chunk(data)
+      Arcp::Job::EventBody::ResultChunk.new(
+        result_id: 'res_1', chunk_seq: 0, data: data, encoding: 'base64', more: false
+      )
+    end
+
+    it 'round-trips binary data byte-for-byte' do
+      binary = (0..255).to_a.pack('C*')
+      encoded = Base64.strict_encode64(binary)
+      expect(chunk(encoded).decoded).to eq(binary)
+    end
+
+    it 'raises InvalidRequest on malformed (line-wrapped/whitespace) base64' do
+      wrapped = "#{Base64.strict_encode64('hello world payload')}\n"
+      expect { chunk(wrapped).decoded }.to raise_error(Arcp::Errors::InvalidRequest)
+    end
+  end
+
   describe 'EventLog#replay_job boundary helper (#75)' do
     it 'excludes the event equal to the strict from_event_seq cursor' do
       clock = Arcp::FakeClock.new