feat: Implement DefaultCryptoHmac for compliance-aware HMAC operations

- Added DefaultCryptoHmac class implementing ICryptoHmac interface.
- Introduced purpose-based HMAC computation methods.
- Implemented verification methods for HMACs with constant-time comparison.
- Created HmacAlgorithms and HmacPurpose classes for well-known identifiers.
- Added compliance profile support for HMAC algorithms.
- Included asynchronous methods for HMAC computation from streams.
This commit is contained in:
StellaOps Bot
2025-12-06 00:41:04 +02:00
parent 43c281a8b2
commit f0662dd45f
362 changed files with 8441 additions and 22338 deletions


@@ -1,6 +1,6 @@
# Risk Formulas (draft outline)
# Risk Formulas
> Draft scaffold; fill once 66-003/66-004 inputs (engine rollout notes + factor contract) are available. Keep math examples deterministic with fixed fixtures.
> Based on `CONTRACT-RISK-SCORING-002` (2025-12-05). Keep math examples deterministic with fixed fixtures.
## Purpose
- Describe how normalized factors combine into a 0100 risk score with severity bands.
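Review bot: the unchanged Purpose line in this hunk still describes a "0100 risk score" (the range separator appears to have been lost, presumably 0 to 100), while the rewritten lead-in now anchors the page to `CONTRACT-RISK-SCORING-002`, whose base rule later in this file clamps `normalized_score` to `0.0`-`1.0`; please reconcile the scale in the Purpose section so readers are not told two different ranges, and restore the separator. Also, the new lead-in `> Based on `CONTRACT-RISK-SCORING-002` (2025-12-05).` names the contract without a path or link; the old note at least pointed at its inputs (66-003/66-004), so add the contract document's location to the References section to keep the "based on" claim traceable.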
@@ -11,37 +11,49 @@
- In scope: weighting strategies, aggregation functions, severity thresholds, gating rules, tie-breakers.
- Out of scope: full API payloads (see `api.md`), factor definitions (see `factors.md`).
## Formula Building Blocks (to fill)
- Weighted sum / capped contribution
- Max/min guards per factor family
- Threshold gates (e.g., block if exploitability + reachability high)
- Decay/time weighting
- Tenant/asset overrides and imposed rules
## Formula Building Blocks
- Weighted sum with per-factor caps; enforce max contribution per family (exploitability, reachability, runtime).
- Base rule (contract): `raw_score = Σ(signal_value × weight)`, `normalized_score = clamp(raw_score, 0.0, 1.0)`.
- VEX gate: if `signals.HasVexDenial`, return `0.0` immediately (mitigated finding).
- CVSS + KEV provider: `score = clamp01((cvss/10) + (kev ? 0.2 : 0))`.
- Guard rails: hard gates when `(exploit_likelihood >= T1) AND (reachability >= T2)` or when provenance trust below minimum.
- Decay/time weighting: exponential decay for stale runtime/KEV signals; fresh VEX `not_affected` may down-weight exploit scores.
- Tenant/asset overrides: additive/override blocks with expiry; always logged in explainability output.
- Safety: divide-by-zero and null handling must be deterministic and reflected in explain trace.
## Severity Mapping (outline)
- Proposed bands (example placeholder):
- Critical: 90100
- High: 7089
- Medium: 4069
- Low: 139
- Info: 0
- Final bands pending governance approval; update once PLLG0104 confirms.
## Severity Mapping
- Contract levels: `critical`, `high`, `medium`, `low`, `informational` (priority 15).
- Map `normalized_score` to bands per profile policy; include band rationale in explainability payload.
## Determinism
- Stable ordering of factors before aggregation.
- Use fixed precision (e.g., 4 decimals) before severity mapping.
- Hash fixtures and record SHA256 for every example payload.
- Use fixed precision (e.g., 4 decimals) before severity mapping; round not truncate.
- Hash fixtures and record SHA256 for every example payload in `docs/risk/samples/formulas/SHA256SUMS`.
Interim notes: mirror legacy rule — simulation and production must share the exact evaluation codepath; no per-environment divergences. Severity buckets must be deterministic and governed by Authority scopes.
## Examples (placeholders)
- TBD sample JSON: input factors + output score + contributions table.
- TBD CLI/Console screenshots once telemetry assets provided.
## Example (contract-aligned)
```json
{
"finding_id": "f-123",
"profile_id": "default-profile",
"profile_version": "1.0.0",
"raw_score": 0.75,
"normalized_score": 0.85,
"severity": "high",
"signal_values": { "cvss": 7.5, "kev": true, "reachability": 0.9 },
"signal_contributions": { "cvss": 0.4, "kev": 0.3, "reachability": 0.3 },
"override_applied": "kev-boost",
"override_reason": "Known Exploited Vulnerability",
"scored_at": "2025-12-05T00:00:02Z"
}
```
- CLI/Console screenshots pending telemetry assets (keep deterministic fixture IDs).
## Open Items
- Engine rollout notes for gating/weighting defaults
- Severity band approval
- Sample payloads and UI traces
- Fixtures for jobs/results and explainability traces.
- Final per-profile severity thresholds (document once agreed).
- UI traces for console/CLI explainability views.
## References
- `docs/risk/overview.md`
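Review bot: the "contract-aligned" example payload does not satisfy the base rule stated a few lines above it. The rule gives `normalized_score = clamp(raw_score, 0.0, 1.0)`, so `"raw_score": 0.75` should yield `0.75`, not `"normalized_score": 0.85`; if the difference is the `"override_applied": "kev-boost"` override, the payload should show the pre- and post-override values explicitly (or the building-blocks list should state that overrides are applied after clamping), otherwise the example contradicts the formula. The listed `signal_contributions` (`0.4 + 0.3 + 0.3 = 1.0`) also do not sum to the `raw_score` of `0.75`, and the CVSS + KEV provider formula `clamp01((cvss/10) + (kev ? 0.2 : 0))` evaluates to `0.95` for `cvss: 7.5, kev: true`, so the fixture matches neither rule. Since the Determinism section now requires every example payload to be hashed into `docs/risk/samples/formulas/SHA256SUMS`, the fixture should be corrected before its digest is recorded. Two smaller points: "round not truncate" should name the rounding mode (round-half-even versus round-half-up) because implementations in different languages default differently and that alone can flip a severity band at a boundary; and the Severity Mapping section lists the five contract levels but no thresholds, so `"severity": "high"` in the example cannot be checked against anything on the page until the per-profile thresholds from Open Items are filled in.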