1. low: Invalid client input currently returns 500 instead of 400. - In lib.rs (./attestation-provider-server/src/lib.rs:41), bad hex/length errors from input_data parse flow into ServerError. - ServerError::into_response (./attestation-provider-server/src/lib.rs:91) always maps to StatusCode::INTERNAL_SERVER_ERROR. - Result: malformed /attest/{input_data} requests are treated as server faults rather than client faults. 2. low Error details are echoed back to clients. - ServerError::into_response (./attestation-provider-server/src/lib.rs:93) returns format!("{:?}", self.0) in response bodies. - That can expose internals (stack/context strings) to external callers.
