fix: enforce message nonce TTL + bundle hash

Author: bb-connor

crates/hush-multi-agent/src/message.rs

@@ -143,7 +143,8 @@ impl SignedMessage {
 
         // Replay protection: per (iss, sub).
         let scope = format!("msg:{}:{}", self.claims.iss, self.claims.sub);
-        revocations.check_and_mark_nonce(&scope, &self.claims.nonce, now_unix, 300)?;
+        let ttl_secs = (self.claims.exp - now_unix).max(1);
+        revocations.check_and_mark_nonce(&scope, &self.claims.nonce, now_unix, ttl_secs)?;
 
         // Optional delegation token.
         if let Some(token) = &self.claims.delegation {

crates/hushd/src/api/policy.rs

@@ -4,7 +4,8 @@ use axum::{extract::State, http::StatusCode, Json};
 use serde::{Deserialize, Serialize};
 
 use clawdstrike::{HushEngine, Policy, PolicyBundle, SignedPolicyBundle};
-use hush_core::Keypair;
+use hush_core::canonical::canonicalize;
+use hush_core::{sha256, Keypair};
 
 use crate::audit::AuditEvent;
 use crate::state::AppState;
@@ -110,6 +111,28 @@ pub async fn update_policy_bundle(
         .validate()
         .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid policy: {}", e)))?;
 
+    // Ensure policy_hash is correctly derived from the policy itself.
+    //
+    // The bundle is signed, but we still treat policy_hash as a derived field (it must not be
+    // allowed to lie).
+    let computed_policy_hash = {
+        let value = serde_json::to_value(&signed.bundle.policy)
+            .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid policy: {}", e)))?;
+        let canonical = canonicalize(&value)
+            .map_err(|e| (StatusCode::BAD_REQUEST, format!("Invalid policy: {}", e)))?;
+        sha256(canonical.as_bytes())
+    };
+    if computed_policy_hash != signed.bundle.policy_hash {
+        return Err((
+            StatusCode::UNPROCESSABLE_ENTITY,
+            format!(
+                "Policy bundle policy_hash mismatch (expected {}, got {})",
+                computed_policy_hash.to_hex_prefixed(),
+                signed.bundle.policy_hash.to_hex_prefixed(),
+            ),
+        ));
+    }
+
     // Update the engine (preserve signing keypair so receipts remain verifiable).
     let mut engine = state.engine.write().await;
     let keypair = if let Some(ref key_path) = state.config.signing_key {

crates/hushd/tests/integration.rs

@@ -106,6 +106,42 @@ async fn test_get_policy() {
     assert!(policy["policy_hash"].is_string());
 }
 
+#[tokio::test]
+async fn test_update_policy_bundle_rejects_policy_hash_mismatch() {
+    let (client, url) = test_setup();
+
+    let signer = hush_core::Keypair::generate();
+    let policy = clawdstrike::Policy::new();
+    let correct_hash = clawdstrike::PolicyBundle::new(policy.clone())
+        .unwrap()
+        .policy_hash;
+    let bad_hash = {
+        let mut bytes = *correct_hash.as_bytes();
+        bytes[0] ^= 0x01;
+        hush_core::Hash::from_bytes(bytes)
+    };
+
+    let bundle = clawdstrike::PolicyBundle {
+        version: clawdstrike::POLICY_BUNDLE_SCHEMA_VERSION.to_string(),
+        bundle_id: "test-bundle".to_string(),
+        compiled_at: chrono::Utc::now().to_rfc3339(),
+        policy,
+        policy_hash: bad_hash,
+        sources: Vec::new(),
+        metadata: None,
+    };
+    let signed = clawdstrike::SignedPolicyBundle::sign_with_public_key(bundle, &signer).unwrap();
+
+    let resp = client
+        .put(format!("{}/api/v1/policy/bundle", url))
+        .json(&signed)
+        .send()
+        .await
+        .expect("Failed to connect to daemon");
+
+    assert_eq!(resp.status(), reqwest::StatusCode::UNPROCESSABLE_ENTITY);
+}
+
 #[tokio::test]
 async fn test_audit_query() {
     let (client, url) = test_setup();