Update from upstream release v1.4.3

[sampras343]

User description

Summary

Sync with a major release.
Details of the changes made and the releases are present can be viewed here

Misc

Resolves https://issues.redhat.com/browse/SECURESIGN-3380
Unblocks and closes https://issues.redhat.com/browse/SECURESIGN-2162

---

PR Type

Enhancement, Bug fix

---

Description

• Major dependency upgrade: Sync with Rekor upstream release v1.4.3, including significant architectural changes and API improvements

• Swag package migration: Migrated from github.com/go-openapi/swag to github.com/go-openapi/swag/conv for pointer/value conversions across all entry types and tests

• Trillian client refactoring: Introduced ClientManager for connection pooling and decoupled log ranges initialization from direct Trillian client dependency

• API context handling: Refactored TrillianClient to accept context.Context as parameter instead of storing it, improving context lifecycle management

• Entry type optimizations: Added custom DecodeEntry() functions for direct JSON unmarshaling without reflection, eliminating goroutine-based concurrent processing in favor of sequential operations across multiple entry types (Rekord, RPM, Alpine, Helm, DSSE, intoto, TUF, JAR, COSE)

• Standard library updates: Migrated from golang.org/x/exp/slices to standard library slices package; replaced homedir.Dir() with os.UserHomeDir()

• Error handling modernization: Updated generated models to use stderrors.As() for type assertions and changed interface{} to any type alias

• Removed deprecated features: Eliminated Redis-based stable checkpoint caching, witness functionality, and the Stable parameter from GetLogInfo API

• CLI improvements: Updated CLI commands for proper context handling and command parameter passing

• Test utilities refactoring: Reorganized test utilities into e2eutil and e2ex509 packages with improved test coverage

---

Diagram Walkthrough

flowchart LR
  A["Upstream v1.4.3"] -->|"Swag package migration"| B["swag/conv API"]
  A -->|"Client architecture"| C["TrillianClientManager"]
  C -->|"Connection pooling"| D["Per-tree gRPC config"]
  A -->|"Entry processing"| E["Custom DecodeEntry functions"]
  E -->|"Optimization"| F["Sequential operations"]
  A -->|"Dependencies"| G["Standard library updates"]
  G -->|"Error handling"| H["stderrors.As pattern"]
  A -->|"Removed features"| I["Checkpoint witness, Redis cache"]

Loading

File Walkthrough

	Relevant files
Dependencies	3 files tle_test.go Update swag pointer conversion functions to conv package  pkg/tle/tle_test.go Updated import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv Replaced all swag.Int64() calls with conv.Pointer(int64()) Replaced all swag.String() calls with conv.Pointer() Updated test data structures to use new pointer conversion functions +57/-57  types.go Update to use standard library slices package                        pkg/types/types.go Updated import from golang.org/x/exp/slices to standard library slices Removed unused log package import +1/-17    verify_test.go Update swag pointer conversion API in verify tests              pkg/verify/verify_test.go Updated import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv Replaced all swag.Int64() and swag.String() calls with conv.Pointer() function Updated test fixtures to use the new pointer conversion API +19/-19
Enhancement	28 files entries.go Migrate to new swag/conv package and refactor Trillian client usage pkg/api/entries.go Changed import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv Removed unused import of trillianclient package Updated logEntryFromLeaf function signature to accept *sharding.LogRanges instead of sharding.LogRanges Replaced swag.String() and swag.Int64() calls with conv.Pointer() throughout the file Updated Trillian client instantiation to use api.trillianClientManager.GetTrillianClient() instead of direct constructor Changed ed25519.PublicKey type assertion from pointer to value type Updated context handling for Trillian client method calls Fixed error handling in retrieveUUIDFromTree to return resp.Err instead of err +40/-29  e2e_test.go Refactor imports and update pointer conversion functions  pkg/types/dsse/v0.0.1/e2e_test.go Updated import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv Reorganized imports to use e2ex509 and e2eutil packages instead of sigx509 and util Replaced all swag.String() calls with conv.Pointer() Updated all utility function calls to use e2eutil prefix Updated all x509 certificate/key references to use e2ex509 prefix Changed t.Logf() calls to t.Log() for logging +52/-52  trillian_client.go Refactor TrillianClient to pass context as parameter          pkg/trillianclient/trillian_client.go Removed context field from TrillianClient struct Changed NewTrillianClient to private newTrillianClient and return pointer type Updated all public methods to accept context.Context as parameter instead of using stored context Added GetLeavesByRange and GetLeafWithoutProof methods for fetching leaves without proofs Added getStandaloneLeaf helper method for efficient leaf retrieval Removed context timeout creation from individual methods Added GetLeavesByRangeResult field to Response struct Removed CreateAndInitTree function (moved elsewhere) Added //nolint:gosec comments for type conversions +108/-68 api.go Refactor API to use TrillianClientManager for connection handling pkg/api/api.go Removed dial function for gRPC connection setup Replaced logClient and treeID fields with trillianClientManager in API struct Changed logRanges field type from value to pointer Removed checkpointPublishCancel field and related witness functionality Updated NewAPI function to use trillianclient.ClientManager for connection management Changed NewAPI parameter type from uint to int64 Added ActiveTreeID() method to API struct Updated initialization to call ranges.CompleteInitialization() with client manager Removed Redis client and checkpoint publisher setup from ConfigureAPI Updated StopAPI to close trillianClientManager instead of canceling checkpoint publisher +62/-115 upload.go Update CLI upload command for context handling and swag migration cmd/rekor-cli/app/upload.go Updated import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv Modified uploadCmd Run function signature to accept *cobra.Command parameter Changed context initialization from context.Background() to cmd.Context() Updated tryUpload function to accept context parameter Replaced swag.Int64Value() call with conv.Value() Updated loadVerifier call to pass context parameter Updated CreateLogEntryParams instantiation to use WithContext variant +10/-10  entry.go Optimize Rekord v0.0.1 entry processing and update swag API pkg/types/rekord/v0.0.1/entry.go Added custom DecodeEntry() function for direct JSON unmarshaling without reflection Refactored fetchExternalEntities() to remove goroutine-based concurrent processing and use sequential operations Replaced swag package calls with conv.Pointer() and conv.Value() from new API Removed dependencies on govalidator and golang.org/x/sync/errgroup Improved hash validation with explicit length checking instead of regex validation +117/-127 entry.go Optimize RPM v0.0.1 entry processing and update swag API  pkg/types/rpm/v0.0.1/entry.go Added custom DecodeEntry() function for efficient direct unmarshaling Refactored fetchExternalEntities() to use sequential buffer operations instead of goroutines Replaced swag package calls with conv.Pointer() and conv.Value() Removed govalidator and golang.org/x/sync/errgroup dependencies Improved hash validation with explicit SHA256 length checking +112/-105 entry.go Optimize Alpine v0.0.1 entry processing and update swag API pkg/types/alpine/v0.0.1/entry.go Added custom DecodeEntry() function for optimized unmarshaling with base64 decoding Refactored fetchExternalEntities() to eliminate goroutines and use sequential processing Replaced swag package calls with conv.Pointer() and conv.Value() Removed govalidator and golang.org/x/sync/errgroup dependencies Enhanced hash validation with explicit length checking +113/-104 entry.go Refactor intoto v0.0.2 entry with optimized decoding and updated dependencies pkg/types/intoto/v0.0.2/entry.go Added custom DecodeEntry() function for efficient direct unmarshaling with base64 handling Replaced golang.org/x/exp/slices with standard library slices package Updated imports to use github.com/go-openapi/swag/conv instead of swag Changed log and PKI imports to use internal packages (pkg/internal/log, pkg/pki/pkitypes) Replaced viper configuration with module-level variable maxAttestationSize and setter function Updated all swag.String() calls to conv.Pointer() +141/-16 entry.go Optimize Helm v0.0.1 entry processing and update swag API pkg/types/helm/v0.0.1/entry.go Added custom DecodeEntry() function for optimized unmarshaling with base64 decoding Refactored fetchExternalEntities() to eliminate goroutines and use sequential processing Replaced swag package calls with conv.Pointer() Removed golang.org/x/sync/errgroup dependency Simplified error handling and key/signature verification logic +97/-77  entry.go Refactor DSSE v0.0.1 entry with optimized decoding and updated dependencies pkg/types/dsse/v0.0.1/entry.go Added custom DecodeEntry() function for efficient unmarshaling with base64 handling Updated imports to use github.com/go-openapi/swag/conv instead of swag Changed log and PKI imports to use internal packages (pkg/internal/log, pkg/pki/pkitypes) Replaced all swag.String() calls with conv.Pointer() Updated Verifiers() return type from []pki.PublicKey to []pkitypes.PublicKey +113/-16 entry.go Refactor entry decoding and attestation size handling        pkg/types/intoto/v0.0.1/entry.go Replaced swag package calls with swag/conv for pointer/value conversions Added DecodeEntry function for direct schema decoding without reflection Introduced maxAttestationSize variable with setter function to replace viper config access Changed import from pki.PublicKey to pkitypes.PublicKey Removed unused viper import +82/-19  tlog.go Migrate to client manager and update API utilities              pkg/api/tlog.go Replaced swag.StringValue and swag.BoolValue with conv.Value from swag/conv Removed Redis-based stable checkpoint caching logic Refactored to use trillianClientManager instead of direct client creation Updated tree ID handling to use ActiveTreeID() method and proper validation Simplified context passing and error handling +34/-51  helm_v001_schema.go Modernize error handling with stderrors.As pattern              pkg/generated/models/helm_v001_schema.go Replaced type assertions with stderrors.As() for error type checking Changed interface{} to any type alias Added blank lines after error type checks for readability Updated validation error handling patterns throughout +64/-23  entry.go Add custom decode entry and improve hash validation            pkg/types/hashedrekord/v0.0.1/entry.go Added DecodeEntry function for direct schema decoding with base64 handling Replaced swag.StringValue with conv.Value and swag.String with conv.Pointer Removed govalidator dependency and implemented custom hash validation by length Changed import from pki.PublicKey to pkitypes.PublicKey Updated log import to use internal package +83/-17  ranges.go Decouple log ranges initialization from Trillian client    pkg/sharding/ranges.go Refactored NewLogRanges to remove Trillian client dependency and return pointer Added CompleteInitialization method to populate tree lengths asynchronously Introduced GRPCConfig field to LogRange for per-shard gRPC configuration Renamed updateRange to initializeRange with simplified logic Updated tree ID parsing from strconv.Atoi to strconv.ParseInt +43/-39  entry_test.go Update test utilities to use conv.Pointer                                pkg/types/rekord/v0.0.1/entry_test.go Replaced all swag.String calls with conv.Pointer throughout test cases Updated pointer creation pattern for consistency with new utility functions +20/-20  intoto_v002_schema.go Modernize error handling with stderrors.As pattern              pkg/generated/models/intoto_v002_schema.go Replaced type assertions with stderrors.As() for error type checking Changed interface{} to any type alias Added blank lines after error type checks for readability Updated validation error handling patterns throughout +63/-22  manager.go Add Trillian client manager for connection pooling              pkg/trillianclient/manager.go New file implementing ClientManager for managing Trillian client connections Provides connection pooling and caching with per-tree-ID gRPC configuration support Includes CreateAndInitTree function for tree initialization Implements dial function with TLS configuration options Thread-safe client and connection management with graceful shutdown +218/-0  e2e_test.go Refactor e2e test imports to use utility packages                pkg/types/intoto/e2e_test.go Updated imports to use e2ex509 and e2eutil packages instead of direct imports Changed all utility function calls to use e2eutil prefix Updated test data imports to use e2ex509 for cryptographic materials +31/-31  entry.go Add TUF decode entry and simplify entity fetching                pkg/types/tuf/v0.0.1/entry.go Added DecodeEntry function for direct schema decoding without reflection Simplified fetchExternalEntities by removing errgroup and pipe-based concurrency Replaced swag.String with conv.Pointer for API version setting Removed unused golang.org/x/sync/errgroup import +66/-89  entry.go Add JAR decode entry and improve hash validation                  pkg/types/jar/v0.0.1/entry.go Added DecodeEntry function for direct schema decoding with base64 handling Replaced swag.StringValue with conv.Value and swag.String with conv.Pointer Removed govalidator dependency and implemented custom hash validation by length Added explicit hex decoding validation for hash values +83/-10  jar_v001_schema.go Modernize error handling with stderrors.As pattern              pkg/generated/models/jar_v001_schema.go Replaced type assertions with stderrors.As() for error type checking Changed interface{} to any type alias Updated validation error handling patterns throughout Fixed validation calls to pass actual types instead of wrapped types +52/-19  entry.go Add COSE decode entry and attestation size handling            pkg/types/cose/v0.0.1/entry.go Added DecodeEntry function for direct schema decoding with base64 handling Introduced maxAttestationSize variable with setter function to replace viper config Replaced swag.String with conv.Pointer for API version setting Removed viper import for max attestation size configuration +90/-11  dsse_v001_schema.go Modernize error handling with stderrors.As pattern              pkg/generated/models/dsse_v001_schema.go Replaced type assertions with stderrors.As() for error type checking Changed interface{} to any type alias Updated validation error handling patterns throughout Fixed validation calls to pass actual types instead of wrapped types +52/-19  rekord_v001_schema.go Modernize error handling with stderrors.As pattern              pkg/generated/models/rekord_v001_schema.go Replaced type assertions with stderrors.As() for error type checking Changed interface{} to any type alias Updated validation error handling patterns throughout +51/-18  root.go Update dependencies and add attestation size initialization cmd/rekor-server/app/root.go Updated chi import to use v5 version with new path Replaced homedir.Dir() with os.UserHomeDir() Added new CLI flags for gRPC service config and GCP KMS settings Added initialization calls to set max attestation size for entry types Removed enable_stable_checkpoint flag +13/-4    wrap.go Update format command wrapper signature                                    cmd/rekor-cli/app/format/wrap.go Updated formatCmd function signature to accept *cobra.Command parameter Modified WrapCmd to pass command object to format function +3/-3
Tests	5 files ranges_test.go Refactor log ranges tests and remove Trillian client dependency pkg/sharding/ranges_test.go Reorganized imports and removed unused errors import Updated NewLogRanges function calls to remove trillian.TrillianLogClient parameter Replaced TestUpdateRange with new TestInitializeRange test function Added comprehensive TestCompleteInitialization_Scenarios test with multiple test scenarios Added helper function setupMockServer for mock server setup Updated test assertions to work with new API signatures +221/-57 e2e_test.go Update e2e tests with new swag API and improved test utilities tests/e2e_test.go Updated import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv Changed testTreeID type from uint to int64 Updated x509 test utilities import path to pkg/pki/x509/e2ex509 Added import for trillianclient package Replaced swag.String() calls with conv.Pointer() Updated test dial logic to use trillianclient.TestDial() instead of api.TestDial() Added new test case TestGetLogProofInvalidShard() for invalid shard handling Fixed error logging calls from t.Errorf(err.Error()) to t.Error(err) +47/-27  entry_test.go Update intoto v0.0.2 entry tests with new swag API              pkg/types/intoto/v0.0.2/entry_test.go Updated import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv Replaced all swag.String() calls with conv.Pointer() throughout test cases Updated test fixtures and assertions to use new pointer conversion API +28/-28  e2e_test.go Update e2e server tests with refactored utility imports    cmd/rekor-server/e2e_test.go Updated utility imports from pkg/util to pkg/util/e2eutil Replaced all utility function calls with e2eutil prefix Fixed error logging from t.Errorf(err.Error()) to t.Error(err) Fixed formatting in docker command call +38/-39  entry_test.go Update hashedrekord v0.0.1 entry tests with new swag API  pkg/types/hashedrekord/v0.0.1/entry_test.go Updated import from github.com/go-openapi/swag to github.com/go-openapi/swag/conv Replaced all swag.String() calls with conv.Pointer() in test cases Updated test fixtures and model initialization to use new pointer conversion API +32/-32
Bug fix	1 files get_log_info_parameters.go Remove deprecated Stable parameter from GetLogInfo API      pkg/generated/client/tlog/get_log_info_parameters.go Removed import of github.com/go-openapi/swag package Removed Stable field from GetLogInfoParams struct Removed default value initialization for Stable parameter in SetDefaults() method +1/-48
Additional files	101 files build.yml +8/-4      codeql-analysis.yml +9/-5      cut-release.yml +2/-0      main.yml +40/-24  validate-release.yml +7/-5      verify.yml +5/-5      .golangci.yml +3/-0      .goreleaser.yml +8/-10    CHANGELOG.md +97/-0    Dockerfile +2/-2      Dockerfile.pubsub-emulator +1/-1      Dockerfile.trillian-log-server +2/-2      Dockerfile.trillian-log-signer +2/-2      get.go +6/-7      log_info.go +17/-17  log_proof.go +2/-2      root.go +8/-3      search.go +8/-8      state.go +1/-2      verify.go +5/-6      get_e2e_test.go +5/-5      loginfo_e2e_test.go +4/-4      logproof_e2e_test.go +3/-3      verify_e2e_test.go +3/-3      serve.go +2/-2      docker-compose.backfill-test.yml +1/-0      docker-compose.debug.yml +0/-3      docker-compose.test.yml +1/-0      docker-compose.yml +0/-6      go.mod +125/-118 go.sum +299/-226 go.mod +23/-24  go.sum +46/-100 openapi.yaml +0/-6      error.go +2/-1      index.go +2/-2      public_key.go +2/-2      new_entry.go +1/-1      create_log_entry_responses.go +6/-5      entries_client.go +32/-12  get_log_entry_by_index_responses.go +4/-3      get_log_entry_by_uuid_responses.go +4/-3      search_log_query_responses.go +6/-5      index_client.go +8/-3      search_index_responses.go +5/-4      get_public_key_responses.go +4/-3      pubkey_client.go +8/-3      get_log_info_responses.go +4/-3      get_log_proof_responses.go +5/-4      tlog_client.go +16/-6    alpine_schema.go +1/-1      alpine_v001_schema.go +38/-13  cose_schema.go +1/-1      cose_v001_schema.go +39/-14  dsse_schema.go +1/-1      hashedrekord_schema.go +1/-1      hashedrekord_v001_schema.go +50/-17  helm_schema.go +1/-1      intoto_schema.go +1/-1      intoto_v001_schema.go +39/-14  jar_schema.go +1/-1      log_entry.go +44/-15  log_info.go +13/-4    rekord_schema.go +1/-1      rfc3161_schema.go +1/-1      rfc3161_v001_schema.go +13/-4    rpm_schema.go +1/-1      rpm_v001_schema.go +38/-13  search_index.go +15/-6    search_log_query.go +14/-5    tuf_schema.go +1/-1      tuf_v001_schema.go +28/-11  configure_rekor_server.go +11/-6    embedded_spec.go +0/-18    create_log_entry.go +1/-0      create_log_entry_parameters.go +5/-3      get_log_entry_by_index.go +1/-0      get_log_entry_by_index_parameters.go +1/-3      get_log_entry_by_index_responses.go +1/-1      get_log_entry_by_uuid.go +1/-0      get_log_entry_by_uuid_parameters.go +1/-2      get_log_entry_by_uuid_responses.go +1/-1      get_log_entry_by_uuid_urlbuilder.go +1/-1      search_log_query.go +1/-0      search_log_query_parameters.go +5/-3      search_index.go +1/-0      search_index_parameters.go +5/-3      get_public_key.go +1/-0      get_public_key_parameters.go +1/-3      rekor_server_api.go +33/-4    get_log_info.go +1/-0      get_log_info_parameters.go +3/-50    get_log_info_urlbuilder.go +0/-18    get_log_proof.go +1/-0      get_log_proof_parameters.go +5/-5      server.go +14/-15  logger.go +36/-0    log.go +3/-1      minisign_e2e_test.go +17/-17  pki.go +3/-17    Additional files not shown

---

[qodo-code-review]

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing audit logs: New critical actions (adding leaves, retrieving entries by index/UUID, client acquisition) are not consistently accompanied by structured audit logging of action, actor, outcome, and timestamp. Referred Code return nil, handleRekorAPIError(params, http.StatusInternalServerError, err, failedToGenerateCanonicalEntry) } tc, err := api.trillianClientManager.GetTrillianClient(api.ActiveTreeID()) if err != nil { return nil, handleRekorAPIError(params, http.StatusInternalServerError, err, trillianUnexpectedResult) } resp := tc.AddLeaf(ctx, leaf) // this represents overall GRPC response state (not the results of insertion into the log) if resp.Status != codes.OK { return nil, handleRekorAPIError(params, http.StatusInternalServerError, fmt.Errorf("grpc error: %w", resp.Err), trillianUnexpectedResult) } // this represents the results of inserting the proposed leaf into the log; status is nil in success path insertionStatus := resp.GetAddResult.QueuedLeaf.Status if insertionStatus != nil { switch insertionStatus.Code { case int32(code.Code_OK): case int32(code.Code_ALREADY_EXISTS), int32(code.Code_FAILED_PRECONDITION): existingUUID := hex.EncodeToString(rfc6962.DefaultHasher.HashLeaf(leaf)) ... (clipped 104 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Error propagation: New trillian client acquisition and RPC calls add error paths where returned errors are wrapped but consistency of context (operation and identifiers) varies and some branches return raw resp.Err without added context. Referred Code for i, hash := range searchHashes { var results map[int64]*trillian.GetEntryAndProofResponse for _, shard := range api.logRanges.AllShards() { tc, err := api.trillianClientManager.GetTrillianClient(shard) if err != nil { return handleRekorAPIError(params, http.StatusInternalServerError, err, trillianCommunicationError) } resp := tc.GetLeafAndProofByHash(httpReqCtx, hash) switch resp.Status { case codes.OK: leafResult := resp.GetLeafAndProofResult if leafResult != nil && leafResult.Leaf != nil { if results == nil { results = map[int64]*trillian.GetEntryAndProofResponse{} } results[shard] = resp.GetLeafAndProofResult } case codes.NotFound: // do nothing here, do not throw 404 error continue default: ... (clipped 128 lines) Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

[qodo-code-review]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Possible issue	Fix incorrect struct return type In retrieveUUIDFromTree, return a zero-value models.LogEntry{} instead of nil on error to fix a compile error, as models.LogEntry is a struct. pkg/api/entries.go [756-758] if err != nil { - return nil, fmt.Errorf("getting log client for tree %d: %w", tid, err) + return models.LogEntry{}, fmt.Errorf("getting log client for tree %d: %w", tid, err) } Apply / Chat Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a compile error introduced in the PR where nil is returned for a struct type, and provides the correct fix.	High
	Add hex decoding validation for hash Add a check to verify that the hash string is a valid hex encoding before checking its length, preventing potential downstream errors from malformed but correctly-sized inputs. pkg/types/hashedrekord/v0.0.1/entry.go [234-251] + if _, err := hex.DecodeString(conv.Value(hash.Value)); err != nil { + return nil, nil, &types.InputValidationError{Err: fmt.Errorf("invalid value for hash: %w", err)} + } + var alg crypto.Hash switch conv.Value(hash.Algorithm) { case models.HashedrekordV001SchemaDataHashAlgorithmSha384: if len(*hash.Value) != crypto.SHA384.Size()*2 { return nil, nil, &types.InputValidationError{Err: errors.New("invalid value for hash")} } alg = crypto.SHA384 case models.HashedrekordV001SchemaDataHashAlgorithmSha512: if len(*hash.Value) != crypto.SHA512.Size()*2 { return nil, nil, &types.InputValidationError{Err: errors.New("invalid value for hash")} } alg = crypto.SHA512 default: if len(*hash.Value) != crypto.SHA256.Size()*2 { return nil, nil, &types.InputValidationError{Err: errors.New("invalid value for hash")} } alg = crypto.SHA256 } [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that the new validation logic only checks hash length and not its hex format, which could lead to downstream errors. This is a valid improvement for robustness.	Medium
General	Preserve proof data in response In GetLeafAndProofByHash, preserve the getProofResult from the initial proof fetch by adding it to the final response object before returning. pkg/trillianclient/trillian_client.go [209-219] leafIndex := proofs[0].LeafIndex // fetch the leaf without re-requesting a proof (since we already have it) leafOnlyResp := t.getStandaloneLeaf(ctx, leafIndex, hash, proofs[0], proofResp.getProofResult.SignedLogRoot) if leafOnlyResp.Err != nil { return &Response{ Status: status.Code(leafOnlyResp.Err), Err: leafOnlyResp.Err, } } +// Preserve the original getProofResult in the final response +leafOnlyResp.getProofResult = proofResp.getProofResult return leafOnlyResp [To ensure code accuracy, apply this suggestion manually] Suggestion importance[1-10]: 6 __ Why: The suggestion correctly points out that potentially useful information from an intermediate response is being discarded, and proposes a reasonable fix to preserve it, improving the function's completeness.	Low
More