Category: spec-conformance Severity: blocker
Location: lib/arcp/runtime/job_context.rb:58-68
Spec: ARCP v1.1 §14
What
Spec §14 states credential value MUST NOT be echoed to subscribers. rotate_credential emits a status event whose fields include the raw new_value, and status events go through publish_event -> SubscriptionManager#fanout to every attached subscriber, leaking the secret to non-submitters.
Evidence
def rotate_credential(id:, new_value:)
new_id = @sink.runtime.credential_registry&.rotate(...)
status(
phase: 'credential_rotated',
fields: { 'id' => new_id || id, 'value' => new_value }
)
endProposed fix
Deliver the rotated value only to the submitter (out-of-band of the fanned-out event stream), or redact value from the broadcast status event.
Acceptance criteria
Category: spec-conformance Severity: blocker
Location:
lib/arcp/runtime/job_context.rb:58-68Spec: ARCP v1.1 §14
What
Spec §14 states credential
valueMUST NOT be echoed to subscribers. rotate_credential emits a status event whose fields include the raw new_value, and status events go through publish_event -> SubscriptionManager#fanout to every attached subscriber, leaking the secret to non-submitters.Evidence
Proposed fix
Deliver the rotated value only to the submitter (out-of-band of the fanned-out event stream), or redact
valuefrom the broadcast status event.Acceptance criteria
valueon rotation.