Credential rotation revoke does not retry transient failures (§9.8.2) #159

@nficano

Description

Category: spec-conformance Severity: major
Location: src/Runtime/JobCredentialControls.php:43-55
Spec: ARCP v1.1 §9.8.2

What

§9.8.2: 'Revocation is best-effort; the runtime SHOULD retry on transient failure and MUST log permanent failures.' CredentialLifecycle::revokeCredential implements a two-attempt retry; the rotation path here makes a single attempt and goes straight to a warning log.

Evidence

private function revokePreviousCredential(
    CredentialProvisioner $provisioner,
    string $credentialId,
): void {
    try {
        $provisioner->revoke($credentialId);
    } catch (\Throwable $e) {
        $this->runtime->logger->warning(
            'credential revocation failed during rotation',
            ['credential_id' => $credentialId, 'error' => $e->getMessage()],
        );
    }
}

Proposed fix

Reuse the retry loop from CredentialLifecycle::revokeCredential (or extract a shared helper) so rotation also retries before logging a permanent failure.

Acceptance criteria

  • When the provisioner throws on the first revoke() during rotation, the runtime retries at least once before logging a permanent failure.
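One way the shared retry helper proposed above could look, as an added example that is not the project's code and not the existing CredentialLifecycle::revokeCredential loop: it retries only on failures classified as transient (the marker exception TransientRevocationException, the minimal Logger interface and the fake provisioner are assumptions for this example; the real runtime would use its own logger), and after the last attempt, or on a non-transient error, it logs the failure as permanent, which is the MUST in §9.8.2. The attempt count defaults to two to match the loop the issue cites.

```php
<?php
declare(strict_types=1);

// Added example, not project code. Assumes CredentialProvisioner::revoke(string): void
// as shown in the issue; everything else here is a stand-in for the demo.

interface CredentialProvisioner
{
    public function revoke(string $credentialId): void;
}

// Minimal logger shape so the example runs without a PSR-3 dependency (assumption).
interface Logger
{
    public function warning(string $message, array $context = []): void;
    public function error(string $message, array $context = []): void;
}

// Hypothetical marker: thrown by a provisioner for retryable conditions (timeouts, 5xx).
final class TransientRevocationException extends \RuntimeException {}

final class CredentialRevoker
{
    public function __construct(
        private Logger $logger,
        private int $maxAttempts = 2,   // matches the two-attempt loop the issue cites
    ) {}

    /** Returns true on success; false after a permanent failure has been logged. */
    public function revokeWithRetry(CredentialProvisioner $provisioner, string $credentialId): bool
    {
        for ($attempt = 1; $attempt <= $this->maxAttempts; $attempt++) {
            try {
                $provisioner->revoke($credentialId);
                return true;
            } catch (TransientRevocationException $e) {
                if ($attempt < $this->maxAttempts) {
                    // SHOULD retry on transient failure: warn and try again.
                    $this->logger->warning('transient credential revocation failure, retrying', [
                        'credential_id' => $credentialId, 'attempt' => $attempt, 'error' => $e->getMessage(),
                    ]);
                    continue;
                }
                // Retries exhausted: MUST log as a permanent failure.
                $this->logger->error('credential revocation failed permanently after retries', [
                    'credential_id' => $credentialId, 'attempts' => $attempt, 'error' => $e->getMessage(),
                ]);
                return false;
            } catch (\Throwable $e) {
                // Non-transient error: retrying would not help, log as permanent immediately.
                $this->logger->error('credential revocation failed permanently', [
                    'credential_id' => $credentialId, 'attempt' => $attempt, 'error' => $e->getMessage(),
                ]);
                return false;
            }
        }
        return false;
    }
}

// --- demo with a constructed provisioner that fails transiently once, then succeeds ---
final class EchoLogger implements Logger
{
    public function warning(string $message, array $context = []): void { echo "WARN  $message ", json_encode($context), "\n"; }
    public function error(string $message, array $context = []): void   { echo "ERROR $message ", json_encode($context), "\n"; }
}

final class FlakyProvisioner implements CredentialProvisioner
{
    private int $calls = 0;
    public function revoke(string $credentialId): void
    {
        if (++$this->calls === 1) {
            throw new TransientRevocationException('provisioner timeout');
        }
    }
}

$revoker = new CredentialRevoker(new EchoLogger());
var_dump($revoker->revokeWithRetry(new FlakyProvisioner(), 'cred-example-1'));   // true: second attempt succeeds

// A permanent error is logged once and never retried.
$broken = new class implements CredentialProvisioner {
    public function revoke(string $credentialId): void { throw new \LogicException('unknown credential'); }
};
var_dump($revoker->revokeWithRetry($broken, 'cred-example-2'));                  // false
```

The acceptance criterion above is satisfied by the FlakyProvisioner path: the first revoke() throws, the helper retries, and nothing is logged at error level. Deciding which exceptions count as transient belongs to the provisioner adapter, since only it knows which failures of its backend are safe to repeat.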
