Critical HMAC Signing Flaw in Dispatch Contract Allows Payload Tampering and Replay Attacks

A critical cryptographic vulnerability has been identified in the `dispatch_contract.py` module, where the HMAC envelope signing mechanism fails to incorporate the `payload` field into its canonical signing input. The flaw, located at lines 107–123 in the `_sign_envelope_payload` function, signs only metadata fields—`action`, `source`, `target`, `requested_by`, `issued_at`, `envelope_version`, `principal`, `on_behalf_of`, and `correlation_id`—while excluding the `payload` entirely. This omission creates a fundamental gap in the dispatch contract's integrity guarantees.

The implications are severe. Any attacker who obtains a valid, signed envelope for an action such as `agents.dispatch.adhoc` targeting one repository can modify critical `payload` attributes—including `target_repository`, `prompt`, and `ref`—and the HMAC signature will still validate successfully. This means the signing mechanism, intended to prevent tampering and unauthorized command injection, provides no actual protection for the payload itself. Every dispatch action whose effect depends on payload contents is vulnerable to this replay and mutation vector.

The discovery has prompted formal acceptance criteria requiring that `payload` be included in the canonical signing input using deterministic JSON serialization (`json.dumps(payload, sort_keys=True, separators=(",",":"), default=_canonical_default)`). Additionally, a schema migration test must verify that envelopes signed under the old protocol are rejected as invalid signatures rather than being silently accepted. Until patches are deployed, any system relying on this dispatch contract should treat captured envelopes as untrusted and implement compensating controls around payload handling to prevent unauthorized repository or instruction manipulation.