feat: Implement DefaultCryptoHmac for compliance-aware HMAC operations
- Added DefaultCryptoHmac class implementing ICryptoHmac interface.
- Introduced purpose-based HMAC computation methods.
- Implemented verification methods for HMACs with constant-time comparison.
- Created HmacAlgorithms and HmacPurpose classes for well-known identifiers.
- Added compliance profile support for HMAC algorithms.
- Included asynchronous methods for HMAC computation from streams.
@@ -1,6 +1,6 @@
|
||||
# Risk API (draft outline)
|
||||
# Risk API
|
||||
|
||||
> Draft scaffold; populate once 67-001 explainability outputs and API publishing workflow are available. Keep examples deterministic; include ETags and error payloads when provided.
|
||||
> Based on `CONTRACT-RISK-SCORING-002` (2025-12-05). Examples are frozen in `docs/risk/samples/api/risk-api-samples.json` with hashes in `SHA256SUMS`. Keep ETags and error payloads deterministic.
|
||||
|
||||
## Purpose
|
||||
- Document risk-related endpoints for profile management, simulation, scoring results, explainability retrieval, and export.
|
||||
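Review bot: the replacement note under the title names `SHA256SUMS` without a path, so a reader cannot tell whether it sits beside `risk-api-samples.json` in `docs/risk/samples/api/` or somewhere else; give the full path, and likewise say where `CONTRACT-RISK-SCORING-002` can be found. Separately, the commit message describes only the DefaultCryptoHmac work and does not mention this rewrite of the Risk API document; either add a line for it or move the doc change to its own commit so the history stays searchable.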
@@ -10,32 +10,32 @@
|
||||
- In scope: endpoint list, methods, request/response schemas, auth/tenancy headers, rate limits, feature flags, error model.
|
||||
- Out of scope: console/UI workflow details (see `explainability.md`).
|
||||
|
||||
## Endpoint Outline (placeholders)
|
||||
- `GET /api/risk/profiles` — list profiles (filters by tenant, status).
|
||||
- `POST /api/risk/profiles` — create/update; includes DSSE/attestation fields.
|
||||
- `POST /api/risk/simulations` — run simulation with fixture set; supports dry-run.
|
||||
- `GET /api/risk/results/{id}` — retrieve scored results + explainability link.
|
||||
- `GET /api/risk/explain/{id}` — fetch explainability payload.
|
||||
- `GET /api/risk/export/{id}` — export bundle (JSON/CSV) with hash manifest.
|
||||
- Feature flags: `<pending>`
|
||||
## Endpoints (v1)
|
||||
- `POST /api/v1/risk/jobs` — submit scoring job (body: job request); returns `202` with `job_id` and `status` (`queued`). Sample: `risk-api-samples.json#submit_job_request`.
|
||||
- `GET /api/v1/risk/jobs/{job_id}` — job status + results array (sample: `get_job_status`).
|
||||
- `GET /api/v1/risk/explain/{job_id}` — explainability payload (sample references `../explain/explain-trace.json`).
|
||||
- `GET /api/v1/risk/profiles` — list profiles (tenant-filtered); include `profile_hash`, `version`, `etag`.
|
||||
- `POST /api/v1/risk/profiles` — create/update profile with DSSE/attestation metadata; returns `201` with `etag`.
|
||||
- `POST /api/v1/risk/simulations` — dry-run scoring with fixtures; returns explain + contributions without persisting results.
|
||||
- `GET /api/v1/risk/export/{job_id}` — export bundle (JSON + CSV + manifest) for auditors.
|
||||
- Feature flags: `risk.jobs`, `risk.explain`, `risk.simulations`, `risk.export` (toggle exposure per tenant).
|
||||
|
||||
## Auth & Tenancy
|
||||
- Required headers: `X-Stella-Tenant`, `X-Stella-Scope`, auth tokens (PAT/OAuth2) — confirm once schema published.
|
||||
- Imposed rule reminder must be present on every page.
|
||||
- Required headers: `X-Stella-Tenant`, `Authorization: Bearer <token>`, optional `X-Stella-Scope` for imposed rule reminders.
|
||||
- Imposed rule reminder must be present in responses where tenant-bound resources are returned.
|
||||
|
||||
## Error Model (pending)
|
||||
- Standard error envelope: code, message, correlation_id, severity, remediation.
|
||||
- Rate limit headers and retry guidance.
|
||||
## Error Model
|
||||
- Envelope: `code`, `message`, `correlation_id`, `severity`, `remediation`.
|
||||
- Rate-limit headers: `Retry-After`, `X-RateLimit-Remaining` (document values in SDKs).
|
||||
|
||||
## Determinism & Offline Posture
|
||||
- Provide sample requests/responses under `docs/risk/samples/`; include SHA256 table.
|
||||
- No live dependencies; use frozen fixtures.
|
||||
- Samples: `docs/risk/samples/api/risk-api-samples.json` (hashes in `SHA256SUMS`); explain sample reused via relative reference.
|
||||
- No live dependencies; use frozen fixtures. Keep ordering of fields stable in docs and samples.
|
||||
|
||||
## Open Items
|
||||
- API publishing workflow outputs
|
||||
- Final endpoint list and field names
|
||||
- Error/code catalog
|
||||
- SDK generator targets and examples
|
||||
- Add ETag examples for profile list/create once generators emit them.
|
||||
- Populate error/code catalog and SDK targets once available.
|
||||
- Align feature flag names with deployment config.
|
||||
|
||||
## References
|
||||
- `docs/risk/overview.md`
|
||||
|
||||
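Review bot: in the Auth & Tenancy lines, `X-Stella-Scope` goes from a required header to "optional ... for imposed rule reminders", and nothing in the new text says where the caller's scope comes from when the header is absent. State explicitly whether scope is taken from the bearer token and that `X-Stella-Tenant` is checked against the token's tenant, otherwise the doc reads as if tenancy is asserted by a client-supplied header alone. Two smaller points in the same hunk: `POST /api/v1/risk/profiles` is documented as create/update but only the `201` response is given, so say what an update returns and whether the `etag` must be sent back as a precondition; and the export line drops "hash manifest" in favour of "manifest", so confirm the auditor bundle still carries hashes, since the Determinism section relies on them.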