Category: spec-conformance Severity: major
Location: arcp-runtime/src/main/java/dev/arcp/runtime/session/SessionLoop.java:204-210
Spec: ARCP v1.1 §9.5 (also §12)
What
LeaseConstraints.fromJson rejects a non-UTC / malformed expires_at by throwing during decode (LeaseConstraints.java:42-55). handle() catches that decode failure, logs it, and returns without emitting any error. §9.5 states past or invalid expires_at values are rejected with INVALID_REQUEST, and §12 defines INVALID_REQUEST for malformed/schema-violating envelopes; the client receives only silence. (A submit with a past-but-parseable expires_at is correctly answered with INVALID_REQUEST at handleSubmit:403-409 — only the decode-time failures are swallowed.)
Evidence
    Message m;
    try {
        m = Messages.decode(mapper, envelope);
    } catch (RuntimeException e) {
        log.warn("rejecting malformed envelope type={}: {}", envelope.type(), e.getMessage());
        return;
    }
Proposed fix
When a decodable top-level envelope (carrying id/type) fails payload validation, emit a top-level job.error with INVALID_REQUEST rather than silently dropping it. Surface the LeaseConstraints validation failure as INVALID_REQUEST.
Acceptance criteria
job.submit whose lease_constraints.expires_at is non-UTC or otherwise malformed produces a job.error with code INVALID_REQUEST instead of being silently discarded.
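A minimal sketch of the behaviour the acceptance criterion asks for, added here as an illustration and not taken from the ARCP runtime: a decode-time `expires_at` failure is turned into a `job.error` reply carrying `INVALID_REQUEST` instead of a log line and a bare return. `Envelope`, `ErrorReply`, `parseUtcExpiry` and this `handle` signature are hypothetical stand-ins, and the sample timestamps are constructed.

```java
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeParseException;
import java.util.Optional;

// Added illustration: every type and method name here is a hypothetical stand-in, not an ARCP runtime type.
public class DecodeRejectSketch {
    record Envelope(String id, String type, String expiresAt) {}
    record ErrorReply(String inReplyTo, String type, String code, String message) {}

    // Strict parse: an ISO-8601 offset timestamp whose offset is UTC.
    // Assumes expires_at is present; absent values are outside this sketch.
    static Instant parseUtcExpiry(String raw) {
        try {
            OffsetDateTime t = OffsetDateTime.parse(raw);
            if (!t.getOffset().equals(ZoneOffset.UTC)) {
                throw new IllegalArgumentException("expires_at must be UTC: " + raw);
            }
            return t.toInstant();
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException("expires_at is malformed: " + raw, e);
        }
    }

    // Returns the error reply owed to the client, or empty when the envelope is accepted.
    static Optional<ErrorReply> handle(Envelope env, Instant now) {
        final Instant expiry;
        try {
            expiry = parseUtcExpiry(env.expiresAt());
        } catch (IllegalArgumentException e) {
            // Decode-time failure: answer with INVALID_REQUEST rather than dropping the envelope.
            return Optional.of(new ErrorReply(env.id(), "job.error", "INVALID_REQUEST", e.getMessage()));
        }
        if (!expiry.isAfter(now)) {
            return Optional.of(new ErrorReply(env.id(), "job.error", "INVALID_REQUEST", "expires_at is in the past"));
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2025-01-01T00:00:00Z"); // constructed clock for repeatable output
        String[] samples = {"2025-06-01T12:00:00Z", "2025-06-01T12:00:00+02:00", "next tuesday", "2024-01-01T00:00:00Z"};
        for (String s : samples) {
            System.out.println(s + " -> " + handle(new Envelope("env-1", "job.submit", s), now));
        }
    }
}
```

Returning the reply as a value lets a regression test assert that the non-UTC, malformed and past cases each produce a `job.error`, and that only the valid UTC timestamp yields no error.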