
feat(validate): implement cryptographic provenance validation (HMAC, … #14

Open
aryanyk wants to merge 1 commit into c2siorg:main from aryanyk:feat/validate-provenance

Conversation


@aryanyk aryanyk commented Mar 21, 2026

This PR implements cryptographic provenance validation strictly within the Validate stage of the pipeline.

Issue: #13

Scope:

  • internal/crypto (HMAC + nonce)
  • internal/pipeline/validate.go
  • pkg/riskcontext/context.go
  • unit tests

Features:

  • Payload-bound HMAC verification
  • Nonce replay protection
  • Execution ID binding
  • Expiry validation
  • Short-circuit BLOCK on failure
  • Emits provenance_trust and provenance_flags into RiskContext

Out of Scope:

  • No changes to transport layer
  • No SDK modifications
  • No scan/aggregate/policy changes

This aligns with pipeline boundaries defined in architecture.md and keeps provenance as a deterministic signal for downstream stages.

Commit message: feat(validate): implement cryptographic provenance validation (HMAC, nonce, expiry, execution binding)

- Added HMAC verification helpers
- Implemented nonce replay protection with TTL
- Enforced execution_id binding and expiry validation
- Short-circuit BLOCK on validation failure
- Emitted provenance_trust and provenance_flags in RiskContext
- Scoped strictly to validate stage
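As an added illustration of how the checks listed in the PR description and the commit message above compose (example code, not the PR's own; the Envelope fields, flag strings, BLOCK/TRUSTED values and the 300 s TTL are assumptions), here is the Validate stage in Go: payload-bound HMAC, execution ID binding, expiry, then nonce replay protection with a TTL, short-circuiting to BLOCK and emitting provenance_trust plus provenance_flags.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"strconv"
)

// Envelope is a constructed provenance envelope; the PR's real field names are not on the page.
type Envelope struct {
	ExecutionID string
	Nonce       string
	Expiry      int64 // unix seconds after which the envelope is rejected
	Payload     []byte
	MAC         []byte // HMAC-SHA256 over every field above
}
// NonceTTL (seconds, assumed) must cover the longest expiry window issued, so a forgotten nonce can only return in an envelope the expiry check rejects anyway.
const NonceTTL int64 = 300
// Sign computes the payload-bound MAC over execution_id, nonce, expiry and payload (NUL-separated), so no field can be swapped without invalidating the tag.
func Sign(key []byte, e Envelope) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(append([]byte(e.ExecutionID+"\x00"+e.Nonce+"\x00"+strconv.FormatInt(e.Expiry, 10)+"\x00"), e.Payload...))
	return m.Sum(nil)
}
// ClaimNonce records nonce -> first-seen time and reports false on a replay inside NonceTTL.
func ClaimNonce(seen map[string]int64, nonce string, now int64) bool {
	if t, dup := seen[nonce]; dup && now-t <= NonceTTL {
		return false
	}
	seen[nonce] = now
	return true
}
// Validate runs the checks in order and short-circuits to BLOCK on the first failure, returning
// provenance_trust and provenance_flags; the nonce is claimed last so forged traffic cannot burn it.
func Validate(key []byte, seen map[string]int64, execID string, e Envelope, now int64) (string, []string) {
	if !hmac.Equal(Sign(key, e), e.MAC) {
		return "BLOCK", []string{"hmac_mismatch"}
	}
	if e.ExecutionID != execID {
		return "BLOCK", []string{"execution_id_mismatch"}
	}
	if now > e.Expiry {
		return "BLOCK", []string{"expired"}
	}
	if !ClaimNonce(seen, e.Nonce, now) {
		return "BLOCK", []string{"nonce_replay"}
	}
	return "TRUSTED", nil
}
```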