feat(models): introduce typed digest newtypes for cryptographic hashes

[abraemer]

Summary

• Replace Option<String> hash fields with fixed-size [u8; N] newtypes (Sha1Digest, Md5Digest, Sha256Digest, Sha512Digest, GitSha1) across all model structs, parsers, output formats, and the incremental cache
• Store digests as stack-allocated raw byte arrays with serde hex-string serialization for full JSON compatibility
• Compile-time guarantee that a SHA-1 digest cannot be silently assigned to a SHA-256 field

Performance Impact

Self-scan benchmark (excluding target/reference/.git):

Metric	Baseline	After	Change
Total time	212.44s	180.88s	-14.9%
Scan time	7.76s	6.55s	-15.6%
Throughput	583 MB/s	691 MB/s	+18.5%

The improvement comes from eliminating heap allocations for hash strings (e.g., 20 bytes for SHA-1 vs 65+ bytes for a hex String), enabling Copy semantics throughout the pipeline, and reducing memory pressure.

Changes

• New: src/models/digest.rs — Macro-defined digest types with from_hex, as_hex, from_bytes, as_bytes, Display, Ord, serde hex-string support
• Models: FileInfo, PackageData, ResolvedPackage, Package, FileReference — all hash fields now typed
• Utils: hash.rs returns typed digests directly from crypto crates
• Output: EMPTY_SHA1 string literal → EMPTY_SHA1_DIGEST const; CycloneDX/SPDX/HTML use .as_hex()
• Cache: content_sha256: Sha256Digest
• 20+ parsers: Use DigestType::from_hex().ok() when parsing hash strings from manifests
• 20+ test files: Updated assertions to use typed digest constructors

Golden Test Changes

The newtype migration enforces two invariants that the previous Option<String> did not: valid hexadecimal characters and exact byte-length matching the algorithm. This caused several categories of golden test changes:

1. Placeholder digests replaced with valid values (deno, python, yarn)

Test fixtures contained non-hex placeholder strings like "asserthash", "sdisthash", "test", and "sha512-chalkhash". These were valid as Option<String> but are rejected by the typed newtypes. The fixtures were updated with realistic hex/SRI values and the expected files updated to match the parser output.

Files: deno.lock, pypi.json, yarn-v2-protocol.lock (fixtures + expected)

2. Base64→hex conversion for SRI integrity strings (pnpm)

The pnpm lock parser's parse_integrity function was stripping the sha512- prefix but returning the raw base64 string instead of decoding it. This was invisible when sha512 was Option<String> but is now caught by Sha512Digest::from_hex(). The parser was fixed to use parse_sri (which properly base64-decodes and converts to hex), and the pnpm golden expected files were updated from base64 strings to 128-character hex strings.

Files: pnpm-v5/v6/v9.yaml.expected.json

3. Misassigned algorithm labels (gradle)

The Gradle module metadata file material-1.9.0.module has a sha512 field containing a 64-hex-character (32-byte) hash — the correct length for SHA-256, not SHA-512 (which requires 128 hex / 64 bytes). The parser now detects this mismatch and routes 64-hex-char values from the sha512 field to the sha256 slot. Since the fixture already has an explicit sha256 value, the misassigned hash is discarded and sha512 becomes null. This is the correct behavior: the upstream data labeled a SHA-256 hash as SHA-512.

Files: material-1.9.0.module-expected.json

4. Short/invalid checksums silently dropped (cargo)

The Cargo.lock fixture had a 12-character checksum ("abc123def456") that is too short for SHA-256 (requires 64 hex chars). The parser now routes valid 64-char checksums to sha256 and stores other-length valid hex checksums in extra_data["checksum"] as a fallback. The golden expected file reflects sha256: null with the short checksum preserved in extra_data.

5. SPDX verification code fix

The SPDX package verification code is defined as the SHA-1 hash of concatenated file SHA-1 hex string representations. After the newtype migration, as_bytes() returned raw 20-byte digests instead of 40-byte hex strings, producing incorrect verification codes. Fixed by using as_hex().as_bytes() to hash the hex representation as the SPDX spec requires.

How to Test

cargo build --release
cargo clippy --all-targets --all-features
cargo test

[mstykow]

is it correct that some of these hashes in the golden fixtures became null?

[abraemer]

investigating that

[abraemer]

So this changed because that is actually not a sha512. The value is just wrong in the lock file. So we actually don't know the sha512 value and thus should output null instead of the 256bit value from the lockfile which definitely is not a sha512.