validate required fields before hashing relay request params

[nadahalli]

What changed

• SecretsRequestParams.Validate() and CapabilityRequestParams.Validate() reject zero-valued required fields (workflow_id, owner, execution_id, enclave_public_key, plus the type-specific binders).
• Hash() on SecretsResponseResult and CapabilityResponseResult now calls Validate() first and returns ([32]byte, error) so a caller cannot accidentally produce a signature over an unbinding payload.
• Removes omitempty from CapabilityRequestParams.Owner, .ExecutionID, .ReferenceID. These are the per-request fields that establish replay protection; they should always serialize.

Why

mchain0 flagged on smartcontractkit/chainlink#22302 that execution_id and reference_id were optional, so a relay-DON signature could be bound to a less-unique context than the caller believed and replayed across distinct logical requests that differed only in those fields. This PR closes that hole structurally: Hash() returns an error if any field the canonical hash depends on is empty, so signing an unbinding payload becomes impossible by construction.

Validation

• go test ./pkg/capabilities/v2/actions/confidentialrelay/

Downstream

Caller updates land separately:

• sign and aggregate confidential relay responses chainlink#22302 (and stacked aggregate confidential-relay responses by logical hash chainlink#22304) need to bump the chainlink-common dep and handle the new error return from Hash().

[github-actions]

👋 nadahalli, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

[github-actions]

⚠️ API Diff Results - github.com/smartcontractkit/chainlink-common

⚠️ Breaking Changes (2)

pkg/capabilities/v2/actions/confidentialrelay.(*CapabilityResponseResult) (1)

• Hash — Type changed:

func(
  CapabilityRequestParams
)
- [32]byte
+ ([32]byte, error)

pkg/capabilities/v2/actions/confidentialrelay.(*SecretsResponseResult) (1)

• Hash — Type changed:

func(
  SecretsRequestParams
)
- [32]byte
+ ([32]byte, error)

✅ Compatible Changes (2)

pkg/capabilities/v2/actions/confidentialrelay.CapabilityRequestParams (1)

• Validate — ➕ Added

pkg/capabilities/v2/actions/confidentialrelay.SecretsRequestParams (1)

• Validate — ➕ Added

---

📄 View full apidiff report

[Copilot]

Pull request overview

This PR hardens confidential relay request/response hashing by validating that all required request fields are non-zero before producing a canonical hash, preventing signatures from being generated over under-binding (replayable) contexts.

Changes:

• Add Validate() methods for SecretsRequestParams and CapabilityRequestParams and make Hash() reject invalid params.
• Change SecretsResponseResult.Hash / CapabilityResponseResult.Hash to return ([32]byte, error) and call Validate() internally.
• Remove omitempty from CapabilityRequestParams.Owner, .ExecutionID, and .ReferenceID to ensure replay-protection fields always serialize.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
pkg/capabilities/v2/actions/confidentialrelay/types.go	Adds params validation and makes response hashing return an error when required binding fields are empty; updates JSON tags for capability params.
pkg/capabilities/v2/actions/confidentialrelay/types_test.go	Refactors hash tests to handle the new error return and adds unit tests for validation + invalid-hash rejection.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mchain0]

approving, but minor comments. also I agree with bot suggestions. pls amend