tests(server): property-based testing for ordering independency for hash

Reviewed-on: #51

mise.lock

@@ -48,6 +48,10 @@ backend = "cargo:cargo-features-manager"
 version = "1.46.3"
 backend = "cargo:cargo-insta"
 
+[[tools."cargo:cargo-mutants"]]
+version = "27.0.0"
+backend = "cargo:cargo-mutants"
+
 [[tools."cargo:cargo-nextest"]]
 version = "0.9.126"
 backend = "cargo:cargo-nextest"
@@ -111,30 +115,37 @@ backend = "core:python"
 [tools.python."platforms.linux-arm64"]
 checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+provenance = "github-attestations"
 
 [tools.python."platforms.linux-arm64-musl"]
 checksum = "sha256:53700338695e402a1a1fe22be4a41fbdacc70e22bb308a48eca8ed67cb7992be"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+provenance = "github-attestations"
 
 [tools.python."platforms.linux-x64"]
 checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
+provenance = "github-attestations"
 
 [tools.python."platforms.linux-x64-musl"]
 checksum = "sha256:d7a9f970914bb4c88756fe3bdcc186d4feb90e9500e54f1db47dae4dc9687e39"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
+provenance = "github-attestations"
 
 [tools.python."platforms.macos-arm64"]
 checksum = "sha256:c43aecde4a663aebff99b9b83da0efec506479f1c3f98331442f33d2c43501f9"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-aarch64-apple-darwin-install_only_stripped.tar.gz"
+provenance = "github-attestations"
 
 [tools.python."platforms.macos-x64"]
 checksum = "sha256:9ab41dbc2f100a2a45d1833b9c11165f51051c558b5213eda9a9731d5948a0c0"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-apple-darwin-install_only_stripped.tar.gz"
+provenance = "github-attestations"
 
 [tools.python."platforms.windows-x64"]
 checksum = "sha256:bbe19034b35b0267176a7442575ae7dc6343480fd4d35598cb7700173d431e09"
 url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260324/cpython-3.14.3+20260324-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
+provenance = "github-attestations"
 
 [[tools.rust]]
 version = "1.93.0"

mise.toml

@@ -12,6 +12,7 @@ protoc = "29.6"
 python = "3.14.3"
 ast-grep = "0.42.0"
 "cargo:cargo-edit" = "0.13.9"
+"cargo:cargo-mutants" = "27.0.0"
 
 [tasks.codegen]
 sources = ['protobufs/*.proto', 'protobufs/**/*.proto']

protobufs/shared/evm.proto

@@ -36,6 +36,10 @@ message GasLimitExceededViolation {
 }
 
 message EvalViolation {
+  message ChainIdMismatch {
+    uint64 expected = 1;
+    uint64 actual = 2;
+  }
   oneof kind {
     bytes invalid_target = 1; // 20-byte Ethereum address
     GasLimitExceededViolation gas_limit_exceeded = 2;
@@ -43,6 +47,8 @@ message EvalViolation {
     google.protobuf.Empty volumetric_limit_exceeded = 4;
     google.protobuf.Empty invalid_time = 5;
     google.protobuf.Empty invalid_transaction_type = 6;
+
+    ChainIdMismatch chain_id_mismatch = 7;
   }
 }
 

server/.cargo/mutants.toml

@@ -0,0 +1 @@
+test_tool = "nextest"

server/.gitignore

@@ -0,0 +1,2 @@
+mutants.out/
+mutants.out.old/

server/Cargo.lock

@@ -743,17 +743,18 @@ dependencies = [
  "k256",
  "kameo",
  "memsafe",
+ "mutants",
  "pem",
- "postcard",
+ "proptest",
  "prost",
  "prost-types",
  "rand 0.10.0",
  "rcgen",
  "restructed",
  "rsa",
+ "rstest",
  "rustls",
  "secrecy",
- "serde",
  "serde_with",
  "sha2 0.10.9",
  "smlang",
@@ -1057,15 +1058,6 @@ dependencies = [
  "syn 2.0.117",
 ]
 
-[[package]]
-name = "atomic-polyfill"
-version = "1.0.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8cf2bce30dfe09ef0bfaef228b9d414faaf7e563035494d7fe092dba54b300f4"
-dependencies = [
- "critical-section",
-]
-
 [[package]]
 name = "atomic-waker"
 version = "1.1.2"
@@ -1456,15 +1448,6 @@ dependencies = [
  "cc",
 ]
 
-[[package]]
-name = "cobs"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0fa961b519f0b462e3a3b4a34b64d119eeaca1d59af726fe450bbba07a9fc0a1"
-dependencies = [
- "thiserror 2.0.18",
-]
-
 [[package]]
 name = "console"
 version = "0.15.11"
@@ -1572,12 +1555,6 @@ dependencies = [
  "cfg-if",
 ]
 
-[[package]]
-name = "critical-section"
-version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "790eea4361631c5e7d22598ecd5723ff611904e3344ce8720784c93e3d83d40b"
-
 [[package]]
 name = "crossbeam-utils"
 version = "0.8.21"
@@ -2043,18 +2020,6 @@ dependencies = [
  "zeroize",
 ]
 
-[[package]]
-name = "embedded-io"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ef1a6892d9eef45c8fa6b9e0086428a2cca8491aca8f787c534a3d6d0bcb3ced"
-
-[[package]]
-name = "embedded-io"
-version = "0.6.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "edd0f118536f44f5ccd48bcb8b111bdc3de888b58c74639dfb034a357d0f206d"
-
 [[package]]
 name = "encode_unicode"
 version = "1.0.0"
@@ -2472,15 +2437,6 @@ dependencies = [
  "tracing",
 ]
 
-[[package]]
-name = "hash32"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0c35f58762feb77d74ebe43bdbc3210f09be9fe6742234d573bacc26ed92b67"
-dependencies = [
- "byteorder",
-]
-
 [[package]]
 name = "hashbrown"
 version = "0.12.3"
@@ -2515,20 +2471,6 @@ dependencies = [
  "serde_core",
 ]
 
-[[package]]
-name = "heapless"
-version = "0.7.17"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cdc6457c0eb62c71aac4bc17216026d8410337c4126773b9c5daba343f17964f"
-dependencies = [
- "atomic-polyfill",
- "hash32",
- "rustc_version 0.4.1",
- "serde",
- "spin",
- "stable_deref_trait",
-]
-
 [[package]]
 name = "heck"
 version = "0.5.0"
@@ -3236,6 +3178,12 @@ version = "0.10.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1d87ecb2933e8aeadb3e3a02b828fed80a7528047e68b4f424523a0981a3a084"
 
+[[package]]
+name = "mutants"
+version = "0.0.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "add0ac067452ff1aca8c5002111bd6b1c895baee6e45fcbc44e0193aea17be56"
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -3589,19 +3537,6 @@ version = "1.13.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
 
-[[package]]
-name = "postcard"
-version = "1.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6764c3b5dd454e283a30e6dfe78e9b31096d9e32036b5d1eaac7a6119ccb9a24"
-dependencies = [
- "cobs",
- "embedded-io 0.4.0",
- "embedded-io 0.6.1",
- "heapless",
- "serde",
-]
-
 [[package]]
 name = "potential_utf"
 version = "0.1.4"
@@ -3713,9 +3648,9 @@ dependencies = [
 
 [[package]]
 name = "proptest"
-version = "1.10.0"
+version = "1.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "37566cb3fdacef14c0737f9546df7cfeadbfbc9fef10991038bf5015d0c80532"
+checksum = "4b45fcc2344c680f5025fe57779faef368840d0bd1f42f216291f0dc4ace4744"
 dependencies = [
  "bit-set",
  "bit-vec",
@@ -4790,9 +4725,6 @@ name = "spin"
 version = "0.9.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
-dependencies = [
- "lock_api",
-]
 
 [[package]]
 name = "spki"

server/Cargo.toml

@@ -44,3 +44,4 @@ sha2 = "0.10"
 spki = "0.7"
 prost = "0.14.3"
 miette = { version = "7.6.0", features = ["fancy", "serde"] }
+mutants = "0.0.4"

server/crates/arbiter-server/Cargo.toml

@@ -58,10 +58,11 @@ prost-types.workspace = true
 prost.workspace = true
 arbiter-tokens-registry.path = "../arbiter-tokens-registry"
 anyhow = "1.0.102"
-postcard = { version = "1.1.3", features = ["use-std"] }
-serde = { version = "1.0.228", features = ["derive"] }
 serde_with = "3.18.0"
+mutants.workspace = true
 
 [dev-dependencies]
 insta = "1.46.3"
+proptest = "1.11.0"
+rstest.workspace = true
 test-log = { version = "0.2", default-features = false, features = ["trace"] }

server/crates/arbiter-server/src/actors/evm/mod.rs

@@ -15,10 +15,11 @@ use crate::{
         schema,
     },
     evm::{
-        self, ListError, RunKind, policies::{
+        self, ListError, RunKind,
+        policies::{
             CombinedSettings, Grant, SharedGrantSettings, SpecificGrant, SpecificMeaning,
             ether_transfer::EtherTransfer, token_transfers::TokenTransfer,
-        }
+        },
     },
     safe_cell::{SafeCell, SafeCellHandle as _},
 };

server/crates/arbiter-server/src/actors/user_agent/auth/state.rs

@@ -103,7 +103,6 @@ async fn verify_integrity(
     })?;
 
     Ok(())
-
 }
 
 async fn create_nonce(

server/crates/arbiter-server/src/actors/user_agent/mod.rs

@@ -1,59 +1,23 @@
 use crate::{
-    actors::{GlobalActors, client::ClientProfile}, crypto::integrity::Integrable, db::{self, models::KeyType}
+    actors::{GlobalActors, client::ClientProfile},
+    crypto::integrity::Integrable,
+    db::{self, models::KeyType},
 };
 
-fn serialize_ecdsa<S>(key: &k256::ecdsa::VerifyingKey, serializer: S) -> Result<S::Ok, S::Error>
-where
-    S: serde::Serializer,
-{
-    // Serialize as hex string for easier debugging (33 bytes compressed SEC1 format)
-    let key = key.to_encoded_point(true);
-    let bytes = key.as_bytes();
-    serializer.serialize_bytes(bytes)
-}
-
-fn deserialize_ecdsa<'de, D>(deserializer: D) -> Result<k256::ecdsa::VerifyingKey, D::Error>
-where
-    D: serde::Deserializer<'de>,
-{
-    struct EcdsaVisitor;
-
-    impl<'de> serde::de::Visitor<'de> for EcdsaVisitor {
-        type Value = k256::ecdsa::VerifyingKey;
-
-        fn expecting(&self, formatter: &mut std::fmt::Formatter) -> std::fmt::Result {
-            formatter.write_str("a compressed SEC1-encoded ECDSA public key")
-        }
-
-        fn visit_bytes<E>(self, v: &[u8]) -> Result<Self::Value, E>
-        where
-            E: serde::de::Error,
-        {
-            let point = k256::EncodedPoint::from_bytes(v)
-                .map_err(|_| E::custom("invalid compressed SEC1 format"))?;
-            k256::ecdsa::VerifyingKey::from_encoded_point(&point)
-                .map_err(|_| E::custom("invalid ECDSA public key"))
-        }
-    }
-
-    deserializer.deserialize_bytes(EcdsaVisitor)
-}
-
 /// Abstraction over Ed25519 / ECDSA-secp256k1 / RSA public keys used during the auth handshake.
-#[derive(Clone, Debug, Serialize)]
+#[derive(Clone, Debug)]
 pub enum AuthPublicKey {
     Ed25519(ed25519_dalek::VerifyingKey),
     /// Compressed SEC1 public key; signature bytes are raw 64-byte (r||s).
-    #[serde(serialize_with = "serialize_ecdsa", deserialize_with = "deserialize_ecdsa")]
     EcdsaSecp256k1(k256::ecdsa::VerifyingKey),
     /// RSA-2048+ public key (Windows Hello / KeyCredentialManager); signature bytes are PSS+SHA-256.
     Rsa(rsa::RsaPublicKey),
 }
 
-#[derive(Debug, Serialize)]
+#[derive(Debug)]
 pub struct UserAgentCredentials {
     pub pubkey: AuthPublicKey,
-    pub nonce: i32
+    pub nonce: i32,
 }
 
 impl Integrable for UserAgentCredentials {
@@ -138,5 +102,19 @@ pub mod auth;
 pub mod session;
 
 pub use auth::authenticate;
-use serde::Serialize;
 pub use session::UserAgentSession;
+
+use crate::crypto::integrity::hashing::Hashable;
+
+impl Hashable for AuthPublicKey {
+    fn hash<H: sha2::Digest>(&self, hasher: &mut H) {
+        hasher.update(&self.to_stored_bytes());
+    }
+}
+
+impl Hashable for UserAgentCredentials {
+    fn hash<H: sha2::Digest>(&self, hasher: &mut H) {
+        self.pubkey.hash(hasher);
+        self.nonce.hash(hasher);
+    }
+}

server/crates/arbiter-server/src/crypto/integrity/v1.rs

@@ -1,7 +1,7 @@
-use crate::{actors::keyholder, crypto::KeyCell,safe_cell::SafeCellHandle as _};
+use crate::{
-use chacha20poly1305::Key;
+    actors::keyholder, crypto::integrity::hashing::Hashable, safe_cell::SafeCellHandle as _,
+};
 use hmac::{Hmac, Mac as _};
-use serde::Serialize;
 use sha2::Sha256;
 
 use diesel::{ExpressionMethods as _, QueryDsl, dsl::insert_into, sqlite::Sqlite};
@@ -9,6 +9,8 @@ use diesel_async::{AsyncConnection, RunQueryDsl};
 use kameo::{actor::ActorRef, error::SendError};
 use sha2::Digest as _;
 
+pub mod hashing;
+
 use crate::{
     actors::keyholder::{KeyHolder, SignIntegrity, VerifyIntegrity},
     db::{
@@ -43,9 +45,6 @@ pub enum Error {
 
     #[error("Integrity MAC mismatch for entity {entity_kind}")]
     MacMismatch { entity_kind: &'static str },
-
-    #[error("Payload serialization error: {0}")]
-    PayloadSerialization(#[from] postcard::Error),
 }
 
 #[derive(Debug, Clone, Copy, PartialEq, Eq)]
@@ -59,13 +58,15 @@ pub const INTEGRITY_SUBKEY_TAG: &[u8] = b"arbiter/db-integrity-key/v1";
 
 pub type HmacSha256 = Hmac<Sha256>;
 
-pub trait Integrable: Serialize {
+pub trait Integrable: Hashable {
     const KIND: &'static str;
     const VERSION: i32 = 1;
 }
 
-fn payload_hash(payload: &[u8]) -> [u8; 32] {
+fn payload_hash(payload: &impl Hashable) -> [u8; 32] {
-    Sha256::digest(payload).into()
+    let mut hasher = Sha256::new();
+    payload.hash(&mut hasher);
+    hasher.finalize().into()
 }
 
 fn push_len_prefixed(out: &mut Vec<u8>, bytes: &[u8]) {
@@ -109,8 +110,7 @@ pub async fn sign_entity<E: Integrable>(
     entity: &E,
     entity_id: impl IntoId,
 ) -> Result<(), Error> {
-    let payload = postcard::to_stdvec(entity)?;
+    let payload_hash = payload_hash(&entity);
-    let payload_hash = payload_hash(&payload);
 
     let entity_id = entity_id.into_id();
 
@@ -128,7 +128,7 @@ pub async fn sign_entity<E: Integrable>(
         .values(NewIntegrityEnvelope {
             entity_kind: E::KIND.to_owned(),
             entity_id: entity_id,
-            payload_version: E::VERSION ,
+            payload_version: E::VERSION,
             key_version,
             mac: mac.to_vec(),
         })
@@ -162,7 +162,9 @@ pub async fn verify_entity<E: Integrable>(
         .first(conn)
         .await
         .map_err(|err| match err {
-            diesel::result::Error::NotFound => Error::MissingEnvelope { entity_kind: E::KIND },
+            diesel::result::Error::NotFound => Error::MissingEnvelope {
+                entity_kind: E::KIND,
+            },
             other => Error::Database(db::DatabaseError::from(other)),
         })?;
 
@@ -174,14 +176,8 @@ pub async fn verify_entity<E: Integrable>(
         });
     }
 
-    let payload = postcard::to_stdvec(entity)?;
+    let payload_hash = payload_hash(&entity);
-    let payload_hash = payload_hash(&payload);
+    let mac_input = build_mac_input(E::KIND, &entity_id, envelope.payload_version, &payload_hash);
-    let mac_input = build_mac_input(
-        E::KIND,
-        &entity_id,
-        envelope.payload_version,
-        &payload_hash,
-    );
 
     let result = keyholder
         .ask(VerifyIntegrity {
@@ -189,13 +185,16 @@ pub async fn verify_entity<E: Integrable>(
             expected_mac: envelope.mac,
             key_version: envelope.key_version,
         })
-        .await
+        .await;
-        ;
 
     match result {
         Ok(true) => Ok(AttestationStatus::Attested),
-        Ok(false) => Err(Error::MacMismatch { entity_kind: E::KIND }),
+        Ok(false) => Err(Error::MacMismatch {
-        Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => Ok(AttestationStatus::Unavailable),
+            entity_kind: E::KIND,
+        }),
+        Err(SendError::HandlerError(keyholder::Error::NotBootstrapped)) => {
+            Ok(AttestationStatus::Unavailable)
+        }
         Err(_) => Err(Error::KeyholderSend),
     }
 }
@@ -205,6 +204,10 @@ mod tests {
     use diesel::{ExpressionMethods as _, QueryDsl};
     use diesel_async::RunQueryDsl;
     use kameo::{actor::ActorRef, prelude::Spawn};
+    use rand::seq::SliceRandom;
+    use sha2::Digest;
+
+    use proptest::prelude::*;
 
     use crate::{
         actors::keyholder::{Bootstrap, KeyHolder},
@@ -213,13 +216,20 @@ mod tests {
     };
 
     use super::{Error, Integrable, sign_entity, verify_entity};
+    use super::{hashing::Hashable, payload_hash};
 
-    #[derive(Clone, serde::Serialize)]
+    #[derive(Clone)]
     struct DummyEntity {
         payload_version: i32,
         payload: Vec<u8>,
     }
 
+    impl Hashable for DummyEntity {
+        fn hash<H: Digest>(&self, hasher: &mut H) {
+            self.payload_version.hash(hasher);
+            self.payload.hash(hasher);
+        }
+    }
     impl Integrable for DummyEntity {
         const KIND: &'static str = "dummy_entity";
     }
@@ -248,7 +258,9 @@ mod tests {
             payload: b"payload-v1".to_vec(),
         };
 
-        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID).await.unwrap();
+        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
+            .await
+            .unwrap();
 
         let count: i64 = schema::integrity_envelope::table
             .filter(schema::integrity_envelope::entity_kind.eq("dummy_entity"))
@@ -259,7 +271,9 @@ mod tests {
             .unwrap();
 
         assert_eq!(count, 1, "envelope row must be created exactly once");
-        verify_entity(&mut conn, &keyholder, &entity, ENTITY_ID).await.unwrap();
+        verify_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
+            .await
+            .unwrap();
     }
 
     #[tokio::test]
@@ -275,7 +289,9 @@ mod tests {
             payload: b"payload-v1".to_vec(),
         };
 
-        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID).await.unwrap();
+        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
+            .await
+            .unwrap();
 
         diesel::update(schema::integrity_envelope::table)
             .filter(schema::integrity_envelope::entity_kind.eq("dummy_entity"))
@@ -304,7 +320,9 @@ mod tests {
             payload: b"payload-v1".to_vec(),
         };
 
-        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID).await.unwrap();
+        sign_entity(&mut conn, &keyholder, &entity, ENTITY_ID)
+            .await
+            .unwrap();
 
         let tampered = DummyEntity {
             payload: b"payload-v1-but-tampered".to_vec(),

server/crates/arbiter-server/src/crypto/integrity/v1/hashing.rs

@@ -0,0 +1,107 @@
+use hmac::digest::Digest;
+use std::collections::HashSet;
+
+/// Deterministically hash a value by feeding its fields into the hasher in a consistent order.
+pub trait Hashable {
+    fn hash<H: Digest>(&self, hasher: &mut H);
+}
+
+macro_rules! impl_numeric {
+($($t:ty),*) => {
+    $(
+        impl Hashable for $t {
+            fn hash<H: Digest>(&self, hasher: &mut H) {
+                hasher.update(&self.to_be_bytes());
+            }
+        }
+    )*
+};
+}
+
+impl_numeric!(u8, u16, u32, u64, i8, i16, i32, i64);
+
+impl Hashable for &[u8] {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        hasher.update(self);
+    }
+}
+
+impl Hashable for String {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        hasher.update(self.as_bytes());
+    }
+}
+
+impl<T: Hashable + PartialOrd> Hashable for Vec<T> {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        let ref_sorted = {
+            let mut sorted = self.iter().collect::<Vec<_>>();
+            sorted.sort_by(|a, b| a.partial_cmp(b).unwrap());
+            sorted
+        };
+        for item in ref_sorted {
+            item.hash(hasher);
+        }
+    }
+}
+
+impl<T: Hashable + PartialOrd> Hashable for HashSet<T> {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        let ref_sorted = {
+            let mut sorted = self.iter().collect::<Vec<_>>();
+            sorted.sort_by(|a, b| a.partial_cmp(b).unwrap());
+            sorted
+        };
+        for item in ref_sorted {
+            item.hash(hasher);
+        }
+    }
+}
+
+impl<T: Hashable> Hashable for Option<T> {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        match self {
+            Some(value) => {
+                hasher.update(&[1]);
+                value.hash(hasher);
+            }
+            None => hasher.update(&[0]),
+        }
+    }
+}
+
+impl<T: Hashable> Hashable for Box<T> {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        self.as_ref().hash(hasher);
+    }
+}
+
+impl<T: Hashable> Hashable for &T {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        (*self).hash(hasher);
+    }
+}
+
+impl Hashable for alloy::primitives::Address {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        hasher.update(self.as_slice());
+    }
+}
+
+impl Hashable for alloy::primitives::U256 {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        hasher.update(self.to_be_bytes::<32>());
+    }
+}
+
+impl Hashable for chrono::Duration {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        hasher.update(&self.num_seconds().to_be_bytes());
+    }
+}
+
+impl Hashable for chrono::DateTime<chrono::Utc> {
+    fn hash<H: Digest>(&self, hasher: &mut H) {
+        hasher.update(&self.timestamp_millis().to_be_bytes());
+    }
+}

server/crates/arbiter-server/src/crypto/mod.rs

@@ -102,11 +102,21 @@ impl KeyCell {
     }
 }
 
-/// User password might be of different length, have not enough entropy, etc...
 /// Derive a fixed-length key from the password using Argon2id, which is designed for password hashing and key derivation.
 pub fn derive_key(mut password: SafeCell<Vec<u8>>, salt: &Salt) -> KeyCell {
+    let params = {
+        #[cfg(debug_assertions)]
+        {
+            argon2::Params::new(8, 1, 1, None).unwrap()
+        }
+
+        #[cfg(not(debug_assertions))]
+        {
+            argon2::Params::new(262_144, 3, 4, None).unwrap()
+        }
+    };
+
     #[allow(clippy::unwrap_used)]
-    let params = argon2::Params::new(262_144, 3, 4, None).unwrap();
     let hasher = Argon2::new(Algorithm::Argon2id, argon2::Version::V0x13, params);
     let mut key = SafeCell::new(Key::default());
     password.read_inline(|password_source| {

server/crates/arbiter-server/src/db/mod.rs

@@ -133,6 +133,7 @@ pub async fn create_pool(url: Option<&str>) -> Result<DatabasePool, DatabaseSetu
     Ok(pool)
 }
 
+#[mutants::skip]
 pub async fn create_test_pool() -> DatabasePool {
     use rand::distr::{Alphanumeric, SampleString as _};
 

server/crates/arbiter-server/src/evm/mod.rs

@@ -21,8 +21,8 @@ use crate::{
         schema::{self, evm_transaction_log},
     },
     evm::policies::{
-        DatabaseID, EvalContext, EvalViolation, Grant, Policy, CombinedSettings, SharedGrantSettings,
+        CombinedSettings, DatabaseID, EvalContext, EvalViolation, Grant, Policy,
-        SpecificGrant, SpecificMeaning, ether_transfer::EtherTransfer,
+        SharedGrantSettings, SpecificGrant, SpecificMeaning, ether_transfer::EtherTransfer,
         token_transfers::TokenTransfer,
     },
 };
@@ -90,6 +90,14 @@ async fn check_shared_constraints(
     let mut violations = Vec::new();
     let now = Utc::now();
 
+    if shared.chain != context.chain {
+        violations.push(EvalViolation::MismatchingChainId {
+            expected: shared.chain,
+            actual: context.chain,
+        });
+        return Ok(violations);
+    }
+
     // Validity window
     if shared.valid_from.is_some_and(|t| now < t) || shared.valid_until.is_some_and(|t| now > t) {
         violations.push(EvalViolation::InvalidTime);
@@ -250,14 +258,9 @@ impl Engine {
 
                     P::create_grant(&basic_grant, &full_grant.specific, conn).await?;
 
-                    integrity::sign_entity(
+                    integrity::sign_entity(conn, &keyholder, &full_grant, basic_grant.id)
-                        conn,
+                        .await
-                        &keyholder,
+                        .map_err(|_| diesel::result::Error::RollbackTransaction)?;
-                        &full_grant,
-                    basic_grant.id,
-                    )
-                    .await
-                    .map_err(|_| diesel::result::Error::RollbackTransaction)?;
 
                     QueryResult::Ok(basic_grant.id)
                 })
@@ -342,3 +345,255 @@ impl Engine {
         Err(VetError::UnsupportedTransactionType)
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use alloy::primitives::{Address, Bytes, U256, address};
+    use chrono::{Duration, Utc};
+    use diesel::{SelectableHelper, insert_into};
+    use diesel_async::RunQueryDsl;
+    use rstest::rstest;
+
+    use crate::db::{
+        self, DatabaseConnection,
+        models::{
+            EvmBasicGrant, EvmWalletAccess, NewEvmBasicGrant, NewEvmTransactionLog, SqliteTimestamp,
+        },
+        schema::{evm_basic_grant, evm_transaction_log},
+    };
+    use crate::evm::policies::{
+        EvalContext, EvalViolation, SharedGrantSettings, TransactionRateLimit,
+    };
+
+    use super::check_shared_constraints;
+
+    const WALLET_ACCESS_ID: i32 = 1;
+    const CHAIN_ID: u64 = 1;
+    const RECIPIENT: Address = address!("1111111111111111111111111111111111111111");
+
+    fn context() -> EvalContext {
+        EvalContext {
+            target: EvmWalletAccess {
+                id: WALLET_ACCESS_ID,
+                wallet_id: 10,
+                client_id: 20,
+                created_at: SqliteTimestamp(Utc::now()),
+            },
+            chain: CHAIN_ID,
+            to: RECIPIENT,
+            value: U256::ZERO,
+            calldata: Bytes::new(),
+            max_fee_per_gas: 100,
+            max_priority_fee_per_gas: 10,
+        }
+    }
+
+    fn shared_settings() -> SharedGrantSettings {
+        SharedGrantSettings {
+            wallet_access_id: WALLET_ACCESS_ID,
+            chain: CHAIN_ID,
+            valid_from: None,
+            valid_until: None,
+            max_gas_fee_per_gas: None,
+            max_priority_fee_per_gas: None,
+            rate_limit: None,
+        }
+    }
+
+    async fn insert_basic_grant(
+        conn: &mut DatabaseConnection,
+        shared: &SharedGrantSettings,
+    ) -> EvmBasicGrant {
+        insert_into(evm_basic_grant::table)
+            .values(NewEvmBasicGrant {
+                wallet_access_id: shared.wallet_access_id,
+                chain_id: shared.chain as i32,
+                valid_from: shared.valid_from.map(SqliteTimestamp),
+                valid_until: shared.valid_until.map(SqliteTimestamp),
+                max_gas_fee_per_gas: shared
+                    .max_gas_fee_per_gas
+                    .map(|fee| super::utils::u256_to_bytes(fee).to_vec()),
+                max_priority_fee_per_gas: shared
+                    .max_priority_fee_per_gas
+                    .map(|fee| super::utils::u256_to_bytes(fee).to_vec()),
+                rate_limit_count: shared.rate_limit.as_ref().map(|limit| limit.count as i32),
+                rate_limit_window_secs: shared
+                    .rate_limit
+                    .as_ref()
+                    .map(|limit| limit.window.num_seconds() as i32),
+                revoked_at: None,
+            })
+            .returning(EvmBasicGrant::as_select())
+            .get_result(conn)
+            .await
+            .unwrap()
+    }
+
+    #[rstest]
+    #[case::matching_chain(CHAIN_ID, false)]
+    #[case::mismatching_chain(CHAIN_ID + 1, true)]
+    #[tokio::test]
+    async fn check_shared_constraints_enforces_chain_id(
+        #[case] context_chain: u64,
+        #[case] expect_mismatch: bool,
+    ) {
+        let db = db::create_test_pool().await;
+        let mut conn = db.get().await.unwrap();
+
+        let context = EvalContext {
+            chain: context_chain,
+            ..context()
+        };
+
+        let violations = check_shared_constraints(&context, &shared_settings(), 999, &mut *conn)
+            .await
+            .unwrap();
+
+        assert_eq!(
+            violations
+                .iter()
+                .any(|violation| matches!(violation, EvalViolation::MismatchingChainId { .. })),
+            expect_mismatch
+        );
+
+        if expect_mismatch {
+            assert_eq!(violations.len(), 1);
+        } else {
+            assert!(violations.is_empty());
+        }
+    }
+
+    #[rstest]
+    #[case::valid_from_in_bounds(Some(Utc::now() - Duration::hours(1)), None, false)]
+    #[case::valid_from_out_of_bounds(Some(Utc::now() + Duration::hours(1)), None, true)]
+    #[case::valid_until_in_bounds(None, Some(Utc::now() + Duration::hours(1)), false)]
+    #[case::valid_until_out_of_bounds(None, Some(Utc::now() - Duration::hours(1)), true)]
+    #[tokio::test]
+    async fn check_shared_constraints_enforces_validity_window(
+        #[case] valid_from: Option<chrono::DateTime<Utc>>,
+        #[case] valid_until: Option<chrono::DateTime<Utc>>,
+        #[case] expect_invalid_time: bool,
+    ) {
+        let db = db::create_test_pool().await;
+        let mut conn = db.get().await.unwrap();
+
+        let shared = SharedGrantSettings {
+            valid_from,
+            valid_until,
+            ..shared_settings()
+        };
+
+        let violations = check_shared_constraints(&context(), &shared, 999, &mut *conn)
+            .await
+            .unwrap();
+
+        assert_eq!(
+            violations
+                .iter()
+                .any(|violation| matches!(violation, EvalViolation::InvalidTime)),
+            expect_invalid_time
+        );
+
+        if expect_invalid_time {
+            assert_eq!(violations.len(), 1);
+        } else {
+            assert!(violations.is_empty());
+        }
+    }
+
+    #[rstest]
+    #[case::max_fee_within_limit(Some(U256::from(100u64)), None, 100, 10, false)]
+    #[case::max_fee_exceeded(Some(U256::from(99u64)), None, 100, 10, true)]
+    #[case::priority_fee_within_limit(None, Some(U256::from(10u64)), 100, 10, false)]
+    #[case::priority_fee_exceeded(None, Some(U256::from(9u64)), 100, 10, true)]
+    #[tokio::test]
+    async fn check_shared_constraints_enforces_gas_fee_caps(
+        #[case] max_gas_fee_per_gas: Option<U256>,
+        #[case] max_priority_fee_per_gas: Option<U256>,
+        #[case] actual_max_fee_per_gas: u128,
+        #[case] actual_max_priority_fee_per_gas: u128,
+        #[case] expect_gas_limit_violation: bool,
+    ) {
+        let db = db::create_test_pool().await;
+        let mut conn = db.get().await.unwrap();
+
+        let context = EvalContext {
+            max_fee_per_gas: actual_max_fee_per_gas,
+            max_priority_fee_per_gas: actual_max_priority_fee_per_gas,
+            ..context()
+        };
+
+        let shared = SharedGrantSettings {
+            max_gas_fee_per_gas,
+            max_priority_fee_per_gas,
+            ..shared_settings()
+        };
+        let violations = check_shared_constraints(&context, &shared, 999, &mut *conn)
+            .await
+            .unwrap();
+
+        assert_eq!(
+            violations
+                .iter()
+                .any(|violation| matches!(violation, EvalViolation::GasLimitExceeded { .. })),
+            expect_gas_limit_violation
+        );
+
+        if expect_gas_limit_violation {
+            assert_eq!(violations.len(), 1);
+        } else {
+            assert!(violations.is_empty());
+        }
+    }
+
+    #[rstest]
+    #[case::under_rate_limit(2, false)]
+    #[case::at_rate_limit(1, true)]
+    #[tokio::test]
+    async fn check_shared_constraints_enforces_rate_limit(
+        #[case] rate_limit_count: u32,
+        #[case] expect_rate_limit_violation: bool,
+    ) {
+        let db = db::create_test_pool().await;
+        let mut conn = db.get().await.unwrap();
+
+        let shared = SharedGrantSettings {
+            rate_limit: Some(TransactionRateLimit {
+                count: rate_limit_count,
+                window: Duration::hours(1),
+            }),
+            ..shared_settings()
+        };
+
+        let basic_grant = insert_basic_grant(&mut conn, &shared).await;
+
+        insert_into(evm_transaction_log::table)
+            .values(NewEvmTransactionLog {
+                grant_id: basic_grant.id,
+                wallet_access_id: WALLET_ACCESS_ID,
+                chain_id: CHAIN_ID as i32,
+                eth_value: super::utils::u256_to_bytes(U256::ZERO).to_vec(),
+                signed_at: SqliteTimestamp(Utc::now()),
+            })
+            .execute(&mut *conn)
+            .await
+            .unwrap();
+
+        let violations = check_shared_constraints(&context(), &shared, basic_grant.id, &mut *conn)
+            .await
+            .unwrap();
+
+        assert_eq!(
+            violations
+                .iter()
+                .any(|violation| matches!(violation, EvalViolation::RateLimitExceeded)),
+            expect_rate_limit_violation
+        );
+
+        if expect_rate_limit_violation {
+            assert_eq!(violations.len(), 1);
+        } else {
+            assert!(violations.is_empty());
+        }
+    }
+}

server/crates/arbiter-server/src/evm/policies.rs

@@ -7,11 +7,12 @@ use diesel::{
 };
 use diesel_async::{AsyncConnection, RunQueryDsl};
 
-use serde::Serialize;
 use thiserror::Error;
 
 use crate::{
-    crypto::integrity::v1::Integrable, db::models::{self, EvmBasicGrant, EvmWalletAccess}, evm::utils
+    crypto::integrity::v1::Integrable,
+    db::models::{self, EvmBasicGrant, EvmWalletAccess},
+    evm::utils,
 };
 
 pub mod ether_transfer;
@@ -55,11 +56,14 @@ pub enum EvalViolation {
 
     #[error("Transaction type is not allowed by this grant")]
     InvalidTransactionType,
+
+    #[error("Mismatching chain ID")]
+    MismatchingChainId { expected: ChainId, actual: ChainId },
 }
 
 pub type DatabaseID = i32;
 
-#[derive(Debug, Serialize)]
+#[derive(Debug)]
 pub struct Grant<PolicySettings> {
     pub id: DatabaseID,
     pub common_settings_id: DatabaseID, // ID of the basic grant for shared-logic checks like rate limits and validity periods
@@ -123,19 +127,19 @@ pub enum SpecificMeaning {
     TokenTransfer(token_transfers::Meaning),
 }
 
-#[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize)]
+#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
 pub struct TransactionRateLimit {
     pub count: u32,
     pub window: Duration,
 }
 
-#[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize)]
+#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord)]
 pub struct VolumeRateLimit {
     pub max_volume: U256,
     pub window: Duration,
 }
 
-#[derive(Clone, Debug, PartialEq, Eq, Hash, Serialize)]
+#[derive(Clone, Debug, PartialEq, Eq, Hash)]
 pub struct SharedGrantSettings {
     pub wallet_access_id: i32,
     pub chain: ChainId,
@@ -196,7 +200,7 @@ pub enum SpecificGrant {
     TokenTransfer(token_transfers::Settings),
 }
 
-#[derive(Debug, Serialize)]
+#[derive(Debug)]
 pub struct CombinedSettings<PolicyGrant> {
     pub shared: SharedGrantSettings,
     pub specific: PolicyGrant,
@@ -216,3 +220,37 @@ impl<P: Integrable> Integrable for CombinedSettings<P> {
     const VERSION: i32 = P::VERSION;
 }
 
+use crate::crypto::integrity::hashing::Hashable;
+
+impl Hashable for TransactionRateLimit {
+    fn hash<H: sha2::Digest>(&self, hasher: &mut H) {
+        self.count.hash(hasher);
+        self.window.hash(hasher);
+    }
+}
+
+impl Hashable for VolumeRateLimit {
+    fn hash<H: sha2::Digest>(&self, hasher: &mut H) {
+        self.max_volume.hash(hasher);
+        self.window.hash(hasher);
+    }
+}
+
+impl Hashable for SharedGrantSettings {
+    fn hash<H: sha2::Digest>(&self, hasher: &mut H) {
+        self.wallet_access_id.hash(hasher);
+        self.chain.hash(hasher);
+        self.valid_from.hash(hasher);
+        self.valid_until.hash(hasher);
+        self.max_gas_fee_per_gas.hash(hasher);
+        self.max_priority_fee_per_gas.hash(hasher);
+        self.rate_limit.hash(hasher);
+    }
+}
+
+impl<P: Hashable> Hashable for CombinedSettings<P> {
+    fn hash<H: sha2::Digest>(&self, hasher: &mut H) {
+        self.shared.hash(hasher);
+        self.specific.hash(hasher);
+    }
+}

server/crates/arbiter-server/src/evm/policies/ether_transfer/mod.rs

@@ -52,7 +52,7 @@ impl From<Meaning> for SpecificMeaning {
 }
 
 // A grant for ether transfers, which can be scoped to specific target addresses and volume limits
-#[derive(Debug, Clone, serde::Serialize)]
+#[derive(Debug, Clone)]
 pub struct Settings {
     pub target: Vec<Address>,
     pub limit: VolumeRateLimit,
@@ -61,6 +61,15 @@ impl Integrable for Settings {
     const KIND: &'static str = "EtherTransfer";
 }
 
+use crate::crypto::integrity::hashing::Hashable;
+
+impl Hashable for Settings {
+    fn hash<H: sha2::Digest>(&self, hasher: &mut H) {
+        self.target.hash(hasher);
+        self.limit.hash(hasher);
+    }
+}
+
 impl From<Settings> for SpecificGrant {
     fn from(val: Settings) -> SpecificGrant {
         SpecificGrant::EtherTransfer(val)

server/crates/arbiter-server/src/evm/policies/ether_transfer/tests.rs

@@ -84,8 +84,6 @@ fn shared() -> SharedGrantSettings {
     }
 }
 
-// ── analyze ─────────────────────────────────────────────────────────────
-
 #[test]
 fn analyze_matches_empty_calldata() {
     let m = EtherTransfer::analyze(&ctx(ALLOWED, U256::from(1_000u64))).unwrap();
@@ -102,8 +100,6 @@ fn analyze_rejects_nonempty_calldata() {
     assert!(EtherTransfer::analyze(&context).is_none());
 }
 
-// ── evaluate ────────────────────────────────────────────────────────────
-
 #[tokio::test]
 async fn evaluate_passes_for_allowed_target() {
     let db = db::create_test_pool().await;
@@ -276,8 +272,6 @@ async fn evaluate_passes_at_exactly_volume_limit() {
     );
 }
 
-// ── try_find_grant ───────────────────────────────────────────────────────
-
 #[tokio::test]
 async fn try_find_grant_roundtrip() {
     let db = db::create_test_pool().await;
@@ -336,7 +330,36 @@ async fn try_find_grant_wrong_target_returns_none() {
     assert!(found.is_none());
 }
 
-// ── find_all_grants ──────────────────────────────────────────────────────
+proptest::proptest! {
+    #[test]
+    fn target_order_does_not_affect_hash(
+        raw_addrs in proptest::collection::vec(proptest::prelude::any::<[u8; 20]>(), 0..8),
+        seed in proptest::prelude::any::<u64>(),
+        max_volume in proptest::prelude::any::<u64>(),
+        window_secs in 1i64..=86400,
+    ) {
+        use rand::{SeedableRng, seq::SliceRandom};
+        use sha2::Digest;
+        use crate::crypto::integrity::hashing::Hashable;
+
+        let addrs: Vec<Address> = raw_addrs.iter().map(|b| Address::from(*b)).collect();
+        let mut shuffled = addrs.clone();
+        shuffled.shuffle(&mut rand::rngs::StdRng::seed_from_u64(seed));
+
+        let limit = VolumeRateLimit {
+            max_volume: U256::from(max_volume),
+            window: Duration::seconds(window_secs),
+        };
+
+        let mut h1 = sha2::Sha256::new();
+        Settings { target: addrs, limit: limit.clone() }.hash(&mut h1);
+
+        let mut h2 = sha2::Sha256::new();
+        Settings { target: shuffled, limit }.hash(&mut h2);
+
+        proptest::prop_assert_eq!(h1.finalize(), h2.finalize());
+    }
+}
 
 #[tokio::test]
 async fn find_all_grants_empty_db() {

server/crates/arbiter-server/src/evm/policies/token_transfers/mod.rs

@@ -1,17 +1,5 @@
 use std::collections::HashMap;
 
-use alloy::{
-    primitives::{Address, U256},
-    sol_types::SolCall,
-};
-use arbiter_tokens_registry::evm::nonfungible::{self, TokenInfo};
-use chrono::{DateTime, Duration, Utc};
-use diesel::dsl::{auto_type, insert_into};
-use diesel::sqlite::Sqlite;
-use diesel::{ExpressionMethods, prelude::*};
-use diesel_async::{AsyncConnection, RunQueryDsl};
-use serde::Serialize;
-
 use crate::db::schema::{
     evm_basic_grant, evm_token_transfer_grant, evm_token_transfer_log,
     evm_token_transfer_volume_limit,
@@ -32,6 +20,16 @@ use crate::{
     },
     evm::policies::CombinedSettings,
 };
+use alloy::{
+    primitives::{Address, U256},
+    sol_types::SolCall,
+};
+use arbiter_tokens_registry::evm::nonfungible::{self, TokenInfo};
+use chrono::{DateTime, Duration, Utc};
+use diesel::dsl::{auto_type, insert_into};
+use diesel::sqlite::Sqlite;
+use diesel::{ExpressionMethods, prelude::*};
+use diesel_async::{AsyncConnection, RunQueryDsl};
 
 use super::{DatabaseID, EvalContext, EvalViolation};
 
@@ -64,7 +62,7 @@ impl From<Meaning> for SpecificMeaning {
 }
 
 // A grant for token transfers, which can be scoped to specific target addresses and volume limits
-#[derive(Debug, Clone, Serialize)]
+#[derive(Debug, Clone)]
 pub struct Settings {
     pub token_contract: Address,
     pub target: Option<Address>,
@@ -73,6 +71,17 @@ pub struct Settings {
 impl Integrable for Settings {
     const KIND: &'static str = "TokenTransfer";
 }
+
+use crate::crypto::integrity::hashing::Hashable;
+
+impl Hashable for Settings {
+    fn hash<H: sha2::Digest>(&self, hasher: &mut H) {
+        self.token_contract.hash(hasher);
+        self.target.hash(hasher);
+        self.volume_limits.hash(hasher);
+    }
+}
+
 impl From<Settings> for SpecificGrant {
     fn from(val: Settings) -> SpecificGrant {
         SpecificGrant::TokenTransfer(val)

server/crates/arbiter-server/src/evm/policies/token_transfers/tests.rs

@@ -101,8 +101,6 @@ fn shared() -> SharedGrantSettings {
     }
 }
 
-// ── analyze ─────────────────────────────────────────────────────────────
-
 #[test]
 fn analyze_known_token_valid_calldata() {
     let calldata = transfer_calldata(RECIPIENT, U256::from(100u64));
@@ -128,8 +126,6 @@ fn analyze_empty_calldata_returns_none() {
     assert!(TokenTransfer::analyze(&ctx(DAI, Bytes::new())).is_none());
 }
 
-// ── evaluate ────────────────────────────────────────────────────────────
-
 #[tokio::test]
 async fn evaluate_rejects_nonzero_eth_value() {
     let db = db::create_test_pool().await;
@@ -412,7 +408,39 @@ async fn try_find_grant_unknown_token_returns_none() {
     assert!(found.is_none());
 }
 
-// ── find_all_grants ──────────────────────────────────────────────────────
+proptest::proptest! {
+    #[test]
+    fn volume_limits_order_does_not_affect_hash(
+        raw_limits in proptest::collection::vec(
+            (proptest::prelude::any::<u64>(), 1i64..=86400),
+            0..8,
+        ),
+        seed in proptest::prelude::any::<u64>(),
+    ) {
+        use rand::{SeedableRng, seq::SliceRandom};
+        use sha2::Digest;
+        use crate::crypto::integrity::hashing::Hashable;
+
+        let limits: Vec<VolumeRateLimit> = raw_limits
+            .iter()
+            .map(|(max_vol, window_secs)| VolumeRateLimit {
+                max_volume: U256::from(*max_vol),
+                window: Duration::seconds(*window_secs),
+            })
+            .collect();
+
+        let mut shuffled = limits.clone();
+        shuffled.shuffle(&mut rand::rngs::StdRng::seed_from_u64(seed));
+
+        let mut h1 = sha2::Sha256::new();
+        Settings { token_contract: DAI, target: None, volume_limits: limits }.hash(&mut h1);
+
+        let mut h2 = sha2::Sha256::new();
+        Settings { token_contract: DAI, target: None, volume_limits: shuffled }.hash(&mut h2);
+
+        proptest::prop_assert_eq!(h1.finalize(), h2.finalize());
+    }
+}
 
 #[tokio::test]
 async fn find_all_grants_empty_db() {

server/crates/arbiter-server/src/grpc/common/outbound.rs

@@ -8,7 +8,7 @@ use arbiter_proto::proto::{
         EvalViolation as ProtoEvalViolation, GasLimitExceededViolation, NoMatchingGrantError,
         PolicyViolationsError, SpecificMeaning as ProtoSpecificMeaning,
         TokenInfo as ProtoTokenInfo, TransactionEvalError as ProtoTransactionEvalError,
-        eval_violation::Kind as ProtoEvalViolationKind,
+        eval_violation as proto_eval_violation, eval_violation::Kind as ProtoEvalViolationKind,
         specific_meaning::Meaning as ProtoSpecificMeaningKind,
         transaction_eval_error::Kind as ProtoTransactionEvalErrorKind,
     },
@@ -79,6 +79,12 @@ impl Convert for EvalViolation {
             EvalViolation::InvalidTransactionType => {
                 ProtoEvalViolationKind::InvalidTransactionType(())
             }
+            EvalViolation::MismatchingChainId { expected, actual } => {
+                ProtoEvalViolationKind::ChainIdMismatch(proto_eval_violation::ChainIdMismatch {
+                    expected,
+                    actual,
+                })
+            }
         };
 
         ProtoEvalViolation { kind: Some(kind) }
@@ -108,7 +114,7 @@ impl Convert for VetError {
                         violations: violations.into_iter().map(Convert::convert).collect(),
                     })
                 }
-                PolicyError::Database(_)| PolicyError::Integrity(_) => {
+                PolicyError::Database(_) | PolicyError::Integrity(_) => {
                     return EvmSignTransactionResult::Error(ProtoEvmError::Internal.into());
                 }
             },

server/crates/arbiter-server/src/main.rs

@@ -10,6 +10,7 @@ use tracing::info;
 const PORT: u16 = 50051;
 
 #[tokio::main]
+#[mutants::skip]
 async fn main() -> anyhow::Result<()> {
     aws_lc_rs::default_provider().install_default().unwrap();