CredentialManager.rotate(jobId:credentialId:) calls provisioner.issue(lease:jobId:sessionId:) to mint a fresh set of credentials and then takes next.first at Sources/ARCP/Runtime/CredentialManager.swift:65. The provisioner contract returns the full credential set for the lease, not just the one being rotated, so any additional credentials in the returned array are silently dropped on the floor: they are never appended to the job's credentialsByJob entry and never reach the caller, but the provisioner has no way to know they were ignored. Providers that mint paired credentials (for example an access token plus a refresh token, or vendor credentials emitted in a single transactional issue) end up with leaks on the provider side and partial state on the runtime side. A subsequent rotate of the same credential id then re-issues the whole set again, compounding the leak.
Fix prompt: Rework rotate(jobId:credentialId:) so the provisioner contract is unambiguous and so no minted credentials are dropped. Either extend the CredentialProvisioner protocol with a rotate(credentialId:) method that issues exactly one replacement credential, or treat the full next array as the new credential set for the job — revoke the old credential, replace the matching entry with the corresponding new credential from next, and append any additional credentials to credentialsByJob[jobId] while persisting them through retention.persistOutstanding. Document whichever contract the SDK settles on and add tests covering a provisioner that returns multiple credentials, a provisioner that returns the rotated credential first, and a provisioner that returns it later in the array.
CredentialManager.rotate(jobId:credentialId:)callsprovisioner.issue(lease:jobId:sessionId:)to mint a fresh set of credentials and then takesnext.firstatSources/ARCP/Runtime/CredentialManager.swift:65. The provisioner contract returns the full credential set for the lease, not just the one being rotated, so any additional credentials in the returned array are silently dropped on the floor: they are never appended to the job'scredentialsByJobentry and never reach the caller, but the provisioner has no way to know they were ignored. Providers that mint paired credentials (for example an access token plus a refresh token, or vendor credentials emitted in a single transactional issue) end up with leaks on the provider side and partial state on the runtime side. A subsequent rotate of the same credential id then re-issues the whole set again, compounding the leak.Fix prompt: Rework
rotate(jobId:credentialId:)so the provisioner contract is unambiguous and so no minted credentials are dropped. Either extend theCredentialProvisionerprotocol with arotate(credentialId:)method that issues exactly one replacement credential, or treat the fullnextarray as the new credential set for the job — revoke the old credential, replace the matching entry with the corresponding new credential fromnext, and append any additional credentials tocredentialsByJob[jobId]while persisting them throughretention.persistOutstanding. Document whichever contract the SDK settles on and add tests covering a provisioner that returns multiple credentials, a provisioner that returns the rotated credential first, and a provisioner that returns it later in the array.