1. Critical HMAC Signing Flaw in Dispatch Contract Allows Payload Tampering and Replay Attacks
A critical cryptographic vulnerability has been identified in the `dispatch_contract.py` module, where the HMAC envelope signing mechanism fails to incorporate the `payload` field into its canonical signing input. The flaw, located at lines 107–123 in the `_sign_envelope_payload` function, signs only metadata fields—`a...