fix: avoid hash collision in caveat context (#3065)

## Description
Someone pointed out to us that if you use a nested list of lists in a
caveat context, it was possible under our current serialization and
hashing logic to have a serialization collision and therefore a dispatch
cache hash collision.

This fixes that by using deterministic proto marshalling of the caveat
context Struct object.

## Changes
* Update `context_hash.go` to use deterministic marshalling
* Propagate the error signature change through the stack
* change `hashableContext` to `hashableContextString` to satisfy the
interface
## Testing
Review

---------

Co-authored-by: Maria Ines Parnisari <maria.ines.parnisari@authzed.com>

Author: tstirrat15

CHANGELOG.md

@@ -22,6 +22,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Upgraded the spanner client, which changed the internal implementation to not use a session pool. This means that the `--datastore-spanner-max-sessions` and `--datastore-spanner-min-sessions` flags are now deprecated and no-op. We also strongly recommend using [Application Default Credentials](https://docs.cloud.google.com/docs/authentication/client-libraries#adc) in favor of a credentials file. (https://github.com/authzed/spicedb/pull/3038)
 - Query Planner: error `"ERROR: index \"pk_relation_tuple\" cannot be used for this query (SQLSTATE 42809)"` returned when using wildcards (https://github.com/authzed/spicedb/pull/3039)
 - Providing one of (`--grpc-tls-cert-path`, `--grpc-tls-key-path`) but not the other is now considered an error state, as both are necessary if you want to use TLS.
+- In a caveat context that uses nested lists of lists, the hashes generated for cache keys could collide because of an issue with the serialization logic. The serialization now uses deterministic protobuf serialization which avoids this issue (https://github.com/authzed/spicedb/pull/3065)
 
 ## [1.51.1] - 2026-04-14
 ### Fixed

internal/dispatch/keys/computed.go

@@ -72,29 +72,37 @@ func expandRequestToKey(req *v1.DispatchExpandRequest, option dispatchCacheKeyHa
 }
 
 // lookupResourcesRequest2ToKey converts a lookup request into a cache key
-func lookupResourcesRequest2ToKey(req *v1.DispatchLookupResources2Request, option dispatchCacheKeyHashComputeOption) DispatchCacheKey {
+func lookupResourcesRequest2ToKey(req *v1.DispatchLookupResources2Request, option dispatchCacheKeyHashComputeOption) (DispatchCacheKey, error) {
+	stableContextString, err := caveats.StableContextStringForHashing(req.Context)
+	if err != nil {
+		return DispatchCacheKey{}, err
+	}
 	return dispatchCacheKeyHash(lookupPrefix, req.Metadata.AtRevision, option,
 		hashableRelationReference{req.ResourceRelation},
 		hashableRelationReference{req.SubjectRelation},
 		hashableIds(req.SubjectIds),
 		hashableOnr{req.TerminalSubject},
-		hashableContext{HashableContext: caveats.HashableContext{Struct: req.Context}}, // NOTE: context is included here because lookup does a single dispatch
+		hashableContextString(stableContextString),
 		hashableCursor{req.OptionalCursor},
 		hashableLimit(req.OptionalLimit),
-	)
+	), nil
 }
 
 // lookupResourcesRequest3ToKey converts a lookup request into a cache key
-func lookupResourcesRequest3ToKey(req *v1.DispatchLookupResources3Request, option dispatchCacheKeyHashComputeOption) DispatchCacheKey {
+func lookupResourcesRequest3ToKey(req *v1.DispatchLookupResources3Request, option dispatchCacheKeyHashComputeOption) (DispatchCacheKey, error) {
+	stableContextString, err := caveats.StableContextStringForHashing(req.Context)
+	if err != nil {
+		return DispatchCacheKey{}, err
+	}
 	return dispatchCacheKeyHash(lookupPrefix, req.Metadata.AtRevision, option,
 		hashableRelationReference{req.ResourceRelation},
 		hashableRelationReference{req.SubjectRelation},
 		hashableIds(req.SubjectIds),
 		hashableOnr{req.TerminalSubject},
-		hashableContext{HashableContext: caveats.HashableContext{Struct: req.Context}}, // NOTE: context is included here because lookup does a single dispatch
+		hashableContextString(stableContextString), // NOTE: context is included here because lookup does a single dispatch
 		hashableCursorSections{req.OptionalCursor},
 		hashableLimit(req.OptionalLimit),
-	)
+	), nil
 }
 
 // lookupSubjectsRequestToKey converts a lookup subjects request into a cache key

internal/dispatch/keys/computed_test.go

@@ -145,7 +145,7 @@ func TestStableCacheKeys(t *testing.T) {
 		{
 			"lookup resources 2",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -154,13 +154,14 @@ func TestStableCacheKeys(t *testing.T) {
 						AtRevision: "1234",
 					},
 				}, computeBothHashes)
+				return key
 			},
-			"f49fbafef9c489abe601",
+			"9884bbb3acd3b3ca1a",
 		},
 		{
 			"lookup resources 2 with zero limit",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -170,13 +171,14 @@ func TestStableCacheKeys(t *testing.T) {
 					},
 					OptionalLimit: 0,
 				}, computeBothHashes)
+				return key
 			},
-			"f49fbafef9c489abe601",
+			"9884bbb3acd3b3ca1a",
 		},
 		{
 			"lookup resources 2 with non-zero limit",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -186,13 +188,14 @@ func TestStableCacheKeys(t *testing.T) {
 					},
 					OptionalLimit: 42,
 				}, computeBothHashes)
+				return key
 			},
-			"ea88adb1c1dfa6ebab01",
+			"dba285cdd9caeef36e",
 		},
 		{
 			"lookup resources 2 with nil context",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -202,13 +205,14 @@ func TestStableCacheKeys(t *testing.T) {
 					},
 					Context: nil,
 				}, computeBothHashes)
+				return key
 			},
-			"f49fbafef9c489abe601",
+			"9884bbb3acd3b3ca1a",
 		},
 		{
 			"lookup resources 2 with empty context",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -221,13 +225,14 @@ func TestStableCacheKeys(t *testing.T) {
 						return v
 					}(),
 				}, computeBothHashes)
+				return key
 			},
-			"f49fbafef9c489abe601",
+			"9884bbb3acd3b3ca1a",
 		},
 		{
 			"lookup resources 2 with context",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -243,13 +248,14 @@ func TestStableCacheKeys(t *testing.T) {
 						return v
 					}(),
 				}, computeBothHashes)
+				return key
 			},
-			"bbd78884eff9edbebd01",
+			"a3dad09ce9d690b78401",
 		},
 		{
 			"lookup resources 2 with different context",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -265,13 +271,14 @@ func TestStableCacheKeys(t *testing.T) {
 						return v
 					}(),
 				}, computeBothHashes)
+				return key
 			},
-			"94d0faa5feaaa4dc17",
+			"f6d4bc92bae9e9d64b",
 		},
 		{
 			"lookup resources 2 with escaped string",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -286,13 +293,14 @@ func TestStableCacheKeys(t *testing.T) {
 						return v
 					}(),
 				}, computeBothHashes)
+				return key
 			},
-			"cdffc895cb9299b9da01",
+			"a0aebfb9a8abd1b802",
 		},
 		{
 			"lookup resources 2 with nested context",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -311,13 +319,14 @@ func TestStableCacheKeys(t *testing.T) {
 						return v
 					}(),
 				}, computeBothHashes)
+				return key
 			},
-			"84d8d38ff9fadbb36d",
+			"8e8ddfd8affeecc918",
 		},
 		{
 			"lookup resources 2 with empty cursor",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -327,13 +336,14 @@ func TestStableCacheKeys(t *testing.T) {
 					},
 					OptionalCursor: &v1.Cursor{},
 				}, computeBothHashes)
+				return key
 			},
-			"f49fbafef9c489abe601",
+			"9884bbb3acd3b3ca1a",
 		},
 		{
 			"lookup resources 2 with non-empty cursor",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -345,13 +355,14 @@ func TestStableCacheKeys(t *testing.T) {
 						Sections: []string{"foo"},
 					},
 				}, computeBothHashes)
+				return key
 			},
-			"f09894c0d9a0b8ff7f",
+			"9e82ddefb6ccbfd6aa01",
 		},
 		{
 			"lookup resources 2 with different cursor",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -363,13 +374,14 @@ func TestStableCacheKeys(t *testing.T) {
 						Sections: []string{"foo", "bar"},
 					},
 				}, computeBothHashes)
+				return key
 			},
-			"badfd7c59cdbcef671",
+			"e593e789a89a9acd13",
 		},
 		{
 			"lookup resources 2 with different terminal subject",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah"},
@@ -381,13 +393,14 @@ func TestStableCacheKeys(t *testing.T) {
 						Sections: []string{"foo", "bar"},
 					},
 				}, computeBothHashes)
+				return key
 			},
-			"8787b685e9cea993a901",
+			"f6cf8df7bdc7959520",
 		},
 		{
 			"lookup resources 2 with different subject IDs",
 			func() DispatchCacheKey {
-				return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+				key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 					ResourceRelation: RR("document", "view"),
 					SubjectRelation:  RR("user", "..."),
 					SubjectIds:       []string{"mariah", "tom"},
@@ -399,8 +412,9 @@ func TestStableCacheKeys(t *testing.T) {
 						Sections: []string{"foo", "bar"},
 					},
 				}, computeBothHashes)
+				return key
 			},
-			"f4d6d884eaa5e4b4ed01",
+			"de839ec8eea2f7bf19",
 		},
 	}
 
@@ -474,19 +488,20 @@ var generatorFuncs = map[string]generatorFunc{
 		subjectRelation *core.RelationReference,
 		metadata *v1.ResolverMeta,
 	) (DispatchCacheKey, []string) {
-		return lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
-				ResourceRelation: resourceRelation,
-				SubjectRelation:  subjectRelation,
-				SubjectIds:       subjectIds,
-				TerminalSubject:  ONR(subjectRelation.Namespace, subjectIds[0], subjectRelation.Relation),
-				Metadata:         metadata,
-			}, computeBothHashes), []string{
-				resourceRelation.Namespace,
-				resourceRelation.Relation,
-				subjectRelation.Namespace,
-				subjectIds[0],
-				subjectRelation.Relation,
-			}
+		key, _ := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+			ResourceRelation: resourceRelation,
+			SubjectRelation:  subjectRelation,
+			SubjectIds:       subjectIds,
+			TerminalSubject:  ONR(subjectRelation.Namespace, subjectIds[0], subjectRelation.Relation),
+			Metadata:         metadata,
+		}, computeBothHashes)
+		return key, []string{
+			resourceRelation.Namespace,
+			resourceRelation.Relation,
+			subjectRelation.Namespace,
+			subjectIds[0],
+			subjectRelation.Relation,
+		}
 	},
 
 	// Expand.
@@ -616,7 +631,7 @@ func TestComputeOnlyStableHash(t *testing.T) {
 }
 
 func TestComputeContextHash(t *testing.T) {
-	result := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
+	result, err := lookupResourcesRequest2ToKey(&v1.DispatchLookupResources2Request{
 		ResourceRelation: RR("document", "view"),
 		SubjectRelation:  RR("user", "..."),
 		SubjectIds:       []string{"mariah"},
@@ -640,5 +655,6 @@ func TestComputeContextHash(t *testing.T) {
 		}(),
 	}, computeBothHashes)
 
-	require.Equal(t, "81aab1c790f0be947d", hex.EncodeToString(result.StableSumAsBytes()))
+	require.NoError(t, err)
+	require.Equal(t, "e49efdc8e1d99daca601", hex.EncodeToString(result.StableSumAsBytes()))
 }

internal/dispatch/keys/hasher_common.go

@@ -4,7 +4,6 @@ import (
 	"sort"
 	"strconv"
 
-	"github.com/authzed/spicedb/pkg/caveats"
 	core "github.com/authzed/spicedb/pkg/proto/core/v1"
 	v1 "github.com/authzed/spicedb/pkg/proto/dispatch/v1"
 	"github.com/authzed/spicedb/pkg/tuple"
@@ -95,8 +94,8 @@ func (hc hashableCursorSections) AppendToHash(hasher hasherInterface) {
 	}
 }
 
-type hashableContext struct{ caveats.HashableContext }
+type hashableContextString string
 
-func (hc hashableContext) AppendToHash(hasher hasherInterface) {
-	hc.HashableContext.AppendToHash(hasher)
+func (hc hashableContextString) AppendToHash(hasher hasherInterface) {
+	hasher.WriteString(string(hc))
 }

internal/dispatch/keys/keys.go

@@ -44,11 +44,11 @@ type Handler interface {
 type baseKeyHandler struct{}
 
 func (b baseKeyHandler) LookupResources2CacheKey(_ context.Context, req *v1.DispatchLookupResources2Request) (DispatchCacheKey, error) {
-	return lookupResourcesRequest2ToKey(req, computeBothHashes), nil
+	return lookupResourcesRequest2ToKey(req, computeBothHashes)
 }
 
 func (b baseKeyHandler) LookupResources3CacheKey(_ context.Context, req *v1.DispatchLookupResources3Request) (DispatchCacheKey, error) {
-	return lookupResourcesRequest3ToKey(req, computeBothHashes), nil
+	return lookupResourcesRequest3ToKey(req, computeBothHashes)
 }
 
 func (b baseKeyHandler) LookupSubjectsCacheKey(_ context.Context, req *v1.DispatchLookupSubjectsRequest) (DispatchCacheKey, error) {
@@ -64,11 +64,19 @@ func (b baseKeyHandler) CheckDispatchKey(_ context.Context, req *v1.DispatchChec
 }
 
 func (b baseKeyHandler) LookupResources2DispatchKey(_ context.Context, req *v1.DispatchLookupResources2Request) ([]byte, error) {
-	return lookupResourcesRequest2ToKey(req, computeOnlyStableHash).StableSumAsBytes(), nil
+	hash, err := lookupResourcesRequest2ToKey(req, computeOnlyStableHash)
+	if err != nil {
+		return nil, err
+	}
+	return hash.StableSumAsBytes(), nil
 }
 
 func (b baseKeyHandler) LookupResources3DispatchKey(_ context.Context, req *v1.DispatchLookupResources3Request) ([]byte, error) {
-	return lookupResourcesRequest3ToKey(req, computeOnlyStableHash).StableSumAsBytes(), nil
+	hash, err := lookupResourcesRequest3ToKey(req, computeOnlyStableHash)
+	if err != nil {
+		return nil, err
+	}
+	return hash.StableSumAsBytes(), nil
 }
 
 func (b baseKeyHandler) LookupSubjectsDispatchKey(_ context.Context, req *v1.DispatchLookupSubjectsRequest) ([]byte, error) {