feat: surface the job authority descriptor to subscribers (§7.6)

[nficano]

What

Surfaces a job's authority descriptor to subscribers, so an observing
principal (a dashboard/console) can render a job's authority surface — expiry
clock and budget gauge — without being the job's submitter.

• Runtime: job.subscribed now populates budget (current per-currency
  counters), alongside the lease_constraints it already sent. The budget
  cap is derivable from the lease's cost.budget pattern; subsequent
  cost.budget.remaining metric events keep the gauge live.
• Client: JobSubscription now exposes the full descriptor —
  currentStatus, agent, lease, leaseConstraints, budget, and
  (submitter-only) credentials.
• Security: credentials remain redacted for non-submitters (§14) —
  unchanged.

Why

The JobSubscribedPayloadSchema already declared these fields and the client
already captured lease/budget/lease_constraints into invocation state,
but the runtime never sent budget and JobSubscription exposed none of it.
This finishes that path and documents it in spec §7.6.

Compatibility

Backward-compatible — only additive optional fields. minor for runtime +
client (changeset included).

Tests

Adds a runtime test asserting an observer receives budget + lease_constraints
on job.subscribed but never credentials. Full suite green.

Spec change: agentruntimecontrolprotocol/spec (§7.6).

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Observing subscribers can now access job authority descriptor and budget information from the runtime
  • JobSubscription interface expanded to expose additional fields including current status, agent, and lease details
  • Changes maintain backward compatibility through additive-only updates

• Tests

  • Added end-to-end test to verify proper budget exposure and credentials redaction for non-submitters

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: b3c6e6b2-5ae2-4663-a4d6-5ef4dcafc6b9

📥 Commits

Reviewing files that changed from the base of the PR and between b1cc6dd and 543b38b.

📒 Files selected for processing (5)

• .changeset/observer-authority-descriptor.md
• packages/client/src/client.ts
• packages/client/src/types.ts
• packages/runtime/src/server-subscribe.ts
• packages/runtime/test/provisioned-credentials.test.ts

---

Walkthrough

The runtime's buildSubscribedPayload now computes a per-currency budget map from job.budget and conditionally includes it in the job.subscribed payload. The client's JobSubscription interface gains six new readonly fields (currentStatus, agent, lease, leaseConstraints, budget, credentials), which the subscribe method populates from the ack payload. A new E2E test validates observer-vs-submitter visibility rules.

Changes

Observer authority descriptor on job.subscribed

Layer / File(s)	Summary
Runtime budget computation in buildSubscribedPayload packages/runtime/src/server-subscribe.ts	Iterates job.budget entries to build a per-currency budget record, sets hasBudget, and conditionally spreads budget into the job.subscribed payload only when non-empty.
JobSubscription interface and subscribe population packages/client/src/types.ts, packages/client/src/client.ts	JobSubscription gains six new readonly fields (currentStatus, agent, lease, leaseConstraints, budget, credentials); subscribe maps these from the resolved ack payload onto the returned subscription object.
E2E test and changeset packages/runtime/test/provisioned-credentials.test.ts, .changeset/observer-authority-descriptor.md	New E2E test negotiates budget/lease features, submits as alice, subscribes as bob, and asserts bob receives budget and expires_at but never credentials. Changeset documents the additive minor-version bump.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: surface the job authority descriptor to subscribers (§7.6)' clearly and specifically describes the main change—surfacing the job authority descriptor to subscribers—which aligns with the primary objective and all file changes in the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/subscribe-authority-descriptor

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

packages/client/src/client.ts

Multiple projects found, consider using a single tsconfig with references to speed up, or use noWarnOnMultipleProjects to suppress this warning

Oops! Something went wrong! :(

ESLint: 10.5.0

TypeError: Error while loading rule 'import/no-default-export': Cannot use 'in' operator to search for 'sourceType' in undefined
Occurred while linting /packages/client/src/client.ts
at sourceType (/node_modules/.pnpm/eslint-plugin-import@2.32.0_@typescript-eslint+parser@8.61.1_eslint@10.5.0_typescript@6.0.3___ibm4kygjueg7ex7qci7l77dlni/node_modules/eslint-plugin-import/lib/core/sourceType.js:8:63)
at Object.create (/node_modules/.pnpm/eslint-plugin-import@2.32.0_@typescript-eslint+parser@8.61.1_eslint@10.5.0_typescript@6.0.3___ibm4kygjueg7ex7qci7l77dlni/node_modules/eslint-plugin-import/lib/rules/no-default-export.js:19:39)
at createRuleListeners (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:497:15)
at /node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:623:7
at Array.forEach ()
at runRules (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:557:31)
at #flatVerifyWithoutProcessors (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:1264:4)
at Linter._verifyWithFlatConfigArrayAndWithoutProcessors (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:1349:43)
at Linter._verifyWithFlatConfigArray (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:1416:15)
at Linter.verify (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:861:9)

packages/client/src/types.ts

Multiple projects found, consider using a single tsconfig with references to speed up, or use noWarnOnMultipleProjects to suppress this warning

Oops! Something went wrong! :(

ESLint: 10.5.0

TypeError: Error while loading rule 'import/no-default-export': Cannot use 'in' operator to search for 'sourceType' in undefined
Occurred while linting /packages/client/src/types.ts
at sourceType (/node_modules/.pnpm/eslint-plugin-import@2.32.0_@typescript-eslint+parser@8.61.1_eslint@10.5.0_typescript@6.0.3___ibm4kygjueg7ex7qci7l77dlni/node_modules/eslint-plugin-import/lib/core/sourceType.js:8:63)
at Object.create (/node_modules/.pnpm/eslint-plugin-import@2.32.0_@typescript-eslint+parser@8.61.1_eslint@10.5.0_typescript@6.0.3___ibm4kygjueg7ex7qci7l77dlni/node_modules/eslint-plugin-import/lib/rules/no-default-export.js:19:39)
at createRuleListeners (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:497:15)
at /node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:623:7
at Array.forEach ()
at runRules (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:557:31)
at #flatVerifyWithoutProcessors (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:1264:4)
at Linter._verifyWithFlatConfigArrayAndWithoutProcessors (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:1349:43)
at Linter._verifyWithFlatConfigArray (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:1416:15)
at Linter.verify (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:861:9)

packages/runtime/src/server-subscribe.ts

Multiple projects found, consider using a single tsconfig with references to speed up, or use noWarnOnMultipleProjects to suppress this warning

Oops! Something went wrong! :(

ESLint: 10.5.0

TypeError: Error while loading rule 'import/no-default-export': Cannot use 'in' operator to search for 'sourceType' in undefined
Occurred while linting /packages/runtime/src/server-subscribe.ts
at sourceType (/node_modules/.pnpm/eslint-plugin-import@2.32.0_@typescript-eslint+parser@8.61.1_eslint@10.5.0_typescript@6.0.3___ibm4kygjueg7ex7qci7l77dlni/node_modules/eslint-plugin-import/lib/core/sourceType.js:8:63)
at Object.create (/node_modules/.pnpm/eslint-plugin-import@2.32.0_@typescript-eslint+parser@8.61.1_eslint@10.5.0_typescript@6.0.3___ibm4kygjueg7ex7qci7l77dlni/node_modules/eslint-plugin-import/lib/rules/no-default-export.js:19:39)
at createRuleListeners (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:497:15)
at /node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:623:7
at Array.forEach ()
at runRules (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:557:31)
at #flatVerifyWithoutProcessors (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:1264:4)
at Linter._verifyWithFlatConfigArrayAndWithoutProcessors (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:1349:43)
at Linter._verifyWithFlatConfigArray (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:1416:15)
at Linter.verify (/node_modules/.pnpm/eslint@10.5.0/node_modules/eslint/lib/linter/linter.js:861:9)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!