LeaseManager.grant converts seconds directly into an expiry date at Sources/ARCP/Runtime/LeaseManager.swift:42, and LeaseManager.refresh adds requestedSeconds directly to the existing expiry at Sources/ARCP/Runtime/LeaseManager.swift:82. Negative or zero durations can be accepted from PermissionGrantPayload.leaseSeconds or LeaseRefreshPayload.requestedSeconds, producing an already expired lease or shortening a lease through an API documented as an extension. JobManager.handleLeaseRefresh then swallows refresh errors with try? at Sources/ARCP/Runtime/JobManager.swift:347, so clients can send invalid refreshes without receiving a protocol error.
Fix prompt: Validate lease durations at the message boundary and inside LeaseManager so grant and refresh reject nonpositive values with ARCPError.invalidArgument. Make handleLeaseRefresh surface a nack or an appropriate lease error instead of dropping failures. Add tests for negative, zero, and positive grant and refresh values, including the runtime dispatch path.
LeaseManager.grantconvertssecondsdirectly into an expiry date atSources/ARCP/Runtime/LeaseManager.swift:42, andLeaseManager.refreshaddsrequestedSecondsdirectly to the existing expiry atSources/ARCP/Runtime/LeaseManager.swift:82. Negative or zero durations can be accepted fromPermissionGrantPayload.leaseSecondsorLeaseRefreshPayload.requestedSeconds, producing an already expired lease or shortening a lease through an API documented as an extension.JobManager.handleLeaseRefreshthen swallows refresh errors withtry?atSources/ARCP/Runtime/JobManager.swift:347, so clients can send invalid refreshes without receiving a protocol error.Fix prompt: Validate lease durations at the message boundary and inside
LeaseManagerso grant and refresh reject nonpositive values withARCPError.invalidArgument. MakehandleLeaseRefreshsurface anackor an appropriate lease error instead of dropping failures. Add tests for negative, zero, and positive grant and refresh values, including the runtime dispatch path.