From dd56ab8e9c03d45c28f64f8e43e6cf188df1b99e Mon Sep 17 00:00:00 2001 From: Nick Ficano Date: Tue, 16 Jun 2026 15:57:58 -0400 Subject: [PATCH] =?UTF-8?q?=C2=A77.6:=20document=20the=20subscriber=20auth?= =?UTF-8?q?ority=20descriptor=20(lease=5Fconstraints,=20budget)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit job.subscribed now documents the non-secret authority bounds an observer needs to render a job's authority surface — lease_constraints (expiry) and budget (current per-currency counters) — alongside the lease. The budget cap is derivable from the lease's cost.budget pattern; cost.budget.remaining metrics keep an observer's gauge live. These bounds follow the observing principal; credentials remain submitter-only and redacted for other observers (§14). Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/draft-arcp-1.1.md | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/docs/draft-arcp-1.1.md b/docs/draft-arcp-1.1.md index ba44856..68a71aa 100644 --- a/docs/draft-arcp-1.1.md +++ b/docs/draft-arcp-1.1.md @@ -582,18 +582,44 @@ The runtime responds: "type": "job.subscribed", "session_id": "sess_...", "payload": { - "job_id": "job_01JABC...", - "current_status": "running", - "agent": "code-refactor@2.0.0", - "lease": { ... }, - "parent_job_id": null, - "trace_id": "4bf92f...", - "subscribed_from": 1830, - "replayed": false + "job_id": "job_01JABC...", + "current_status": "running", + "agent": "code-refactor@2.0.0", + "lease": { ... }, + "lease_constraints": { "expires_at": "2026-05-13T23:42:00Z" }, + "budget": { "USD": 3.58 }, + "parent_job_id": null, + "trace_id": "4bf92f...", + "subscribed_from": 1830, + "replayed": false } } ``` +The `job.subscribed` payload is the subscriber's **authority +descriptor** for the job — the same observable, non-secret view a +runtime presents in `session.list_jobs`, plus the bounds an observer +needs to render the job's authority surface: + +- `lease` — the effective capability grants (§9.1). +- `lease_constraints` (OPTIONAL) — echoed when present, currently + `expires_at` (§9.5). Lets an observer show when the job's authority + ends. +- `budget` (OPTIONAL) — the **current** per-currency counters at + subscription time (§9.6), present when `cost.budget` is in the + lease. Combined with the cap parsed from the lease's `cost.budget` + pattern and subsequent `cost.budget.remaining` metric events + (§8.2), this gives an observer a live budget gauge without a + separate read. + +These fields are non-secret authority bounds and follow the +**observing principal**, not the submitter. `credentials`, by +contrast, follow the **submitter only**: per §14 the runtime MUST +include `credentials` in `job.subscribed` (and `session.list_jobs`) +solely when the subscribing principal is the job's original +submitter, and MUST redact the field for every other authorized +observer. + After subscription, `job.event` messages for the subscribed job appear in the session's stream interleaved with other jobs' events, using the session's normal `event_seq` space.