Module freshness

Defense-in-depth: refuse targets whose backing manifest’s signed_at is older than the channel’s freshness window when measured at dispatch reception time.

Restored from a9ff4f43^:crates/nixfleet-agent/src/freshness.rs (D-028) after Phase 7g’s “runtime is now the only loop” destructive cut removed the v0.1 dispatch path that called it. In v0.2 the verify-on-fetch path (manifest_cache::fetch_or_load → verify_artifact) already enforces freshness against a 3600s window at fetch time; this module provides the parametric pure-function form so callers can re-check freshness at OTHER moments in the dispatch lifecycle (the canonical example: longpoll’s handle_dispatch validates that the per-rollout manifest is still fresh at the moment of dispatch arrival, closing the TOCTOU between fetch and dispatch when the cache hit was near the freshness edge).

The v0.2 shape is parametric over (signed_at, freshness_window_secs, now) rather than coupled to the deleted EvaluatedTarget type. Callers extract signed_at from a verified manifest and the window from the channel’s declaration.

Enums

FreshnessCheck

Constants

CLOCK_SKEW_SLACK_SECS
LOADBEARING: clock-skew slack added to the freshness window — without it, a manifest signed window seconds ago is rejected the instant the agent’s clock is ahead of the signer’s by 1s.

Functions

check_signed_at
Pure freshness check: compare signed_at against now, allowing the channel’s freshness_window_secs plus CLOCK_SKEW_SLACK_SECS. Returns Fresh if the manifest is within the window (inclusive at the boundary), Stale past it.