Cost budget charges can overspend the remaining budget and use inexact floating point accounting #58

@nficano

Description

CostBudgetAmount stores protocol decimal amounts as f64 in src/messages/permissions.rs:18, and BudgetTracker::charge in src/runtime/context.rs:120 checks only whether the remaining budget is already at or below zero before adding the new amount. A single call such as charging USD 100.0 against a remaining budget of 1.0 succeeds and returns a negative remaining value, so the operation that exceeded the lease is allowed to complete and the next charge is the one that fails. That contradicts the README's claim at README.md:108 that the runtime enforces the lease at every operation boundary, and binary floating point also makes boundary comparisons for decimal money or credits vulnerable to rounding artifacts.

Fix prompt: Represent cost budgets with an exact decimal or fixed-point type at the protocol boundary, preserving string serialization while avoiding binary floating point comparisons. Update BudgetTracker::charge to reject the charge that would exceed the remaining budget, optionally recording the attempted overspend for metrics without returning success, and add boundary tests for an oversized single charge, exact exhaustion, fractional decimal values such as 0.10 plus 0.20, and multi-currency accounting.
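
A sketch of the check-before-deduct behaviour the fix prompt asks for, as an added example that is not code from this repository. `FixedBudget`, `parse_amount`, `ChargeError` and the six-digit fixed-point scale are hypothetical names and assumptions chosen for illustration; amounts stay decimal strings at the boundary and are integers internally.

```rust
use std::collections::HashMap;

const SCALE: i64 = 1_000_000; // fixed-point: 6 fractional digits (assumed precision)

/// Parse a non-negative decimal string such as "0.10" into scaled integer units.
fn parse_amount(s: &str) -> Option<i64> {
    let (whole, frac) = s.split_once('.').unwrap_or((s, ""));
    if whole.is_empty() || frac.len() > 6 { return None; }
    if !whole.bytes().chain(frac.bytes()).all(|b| b.is_ascii_digit()) { return None; }
    let w: i64 = whole.parse().ok()?;
    let f: i64 = format!("{:0<6}", frac).parse().ok()?; // right-pad fraction to 6 digits
    w.checked_mul(SCALE)?.checked_add(f)
}

#[derive(Debug, PartialEq)]
enum ChargeError { UnknownCurrency, Invalid, WouldExceed { remaining: i64, attempted: i64 } }

#[derive(Default)]
struct FixedBudget {
    remaining: HashMap<String, i64>, // per-currency remaining, in scaled units
    rejected: u64,                   // overspend attempts, kept for metrics only
}

impl FixedBudget {
    fn grant(&mut self, currency: &str, amount: &str) -> Option<()> {
        self.remaining.insert(currency.to_string(), parse_amount(amount)?);
        Some(())
    }

    /// Deduct `amount` only if it fits; otherwise leave the budget untouched.
    fn charge(&mut self, currency: &str, amount: &str) -> Result<i64, ChargeError> {
        let attempted = parse_amount(amount).ok_or(ChargeError::Invalid)?;
        let slot = self.remaining.get_mut(currency).ok_or(ChargeError::UnknownCurrency)?;
        if attempted > *slot {
            self.rejected += 1;
            return Err(ChargeError::WouldExceed { remaining: *slot, attempted });
        }
        *slot -= attempted;
        Ok(*slot)
    }
}

fn main() {
    let mut b = FixedBudget::default();
    b.grant("USD", "1.0").unwrap();
    println!("{:?}", b.charge("USD", "100.0")); // rejected, budget unchanged
    println!("{:?}", b.charge("USD", "1.0"));   // exact exhaustion succeeds
}
```

The oversized charge is refused at the operation that would exceed the lease, and 0.10 plus 0.20 exhausts a 0.30 budget exactly because the comparison is on integers.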

Labels: bug (Something isn't working), severity:high (High severity issue)