clock_curve_math/ct/

monitoring.rs

//! Runtime monitoring for cryptographic operations.
//!
//! This module provides runtime timing monitoring capabilities for detecting
//! timing anomalies in production cryptographic operations. It can help identify
//! potential side-channel vulnerabilities that manifest at runtime.
//!
//! # Features
//!
//! ## Timing Anomaly Detection
//! - Statistical analysis of operation timing
//! - Threshold-based anomaly detection
//! - Configurable monitoring levels
//!
//! ## Performance Impact Control
//! - Minimal overhead in production
//! - Configurable sampling rates
//! - Optional monitoring for debugging
//!
//! ## Alert System
//! - Configurable alert thresholds
//! - Logging of timing anomalies
//! - Integration with monitoring systems
//!
//! # Usage
//!
//! ```ignore
//! use clock_curve_math::ct::monitoring::*;
//!
//! // Monitor a cryptographic operation
//! let result = monitor_operation("scalar_mul", || {
//!     scalar_a.mul(&scalar_b)
//! });
//!
//! // Check for timing anomalies
//! if let Some(anomaly) = result.anomaly {
//!     log::warn!("Timing anomaly detected: {:?}", anomaly);
//! }
//! ```

use core::sync::atomic::{AtomicBool, AtomicUsize, Ordering};
use core::time::Duration;

/// Global monitoring configuration.
static MONITORING_ENABLED: AtomicBool = AtomicBool::new(false);
static SAMPLE_RATE: AtomicUsize = AtomicUsize::new(1000); // Sample every 1000 operations

/// Configuration for runtime cryptographic operation monitoring.
///
/// This struct controls how the monitoring system behaves, including sampling rates,
/// alert thresholds, and performance constraints. Proper configuration balances
/// security monitoring with production performance requirements.
///
/// # Security vs Performance Trade-offs
/// - **Higher sample rates**: Better anomaly detection but increased overhead
/// - **Lower thresholds**: More sensitive detection but higher false positives
/// - **Shorter timeouts**: Faster failure detection but may flag legitimate operations
///
/// # Recommended Settings
/// - **Development**: High sample rate (1-10), low thresholds for testing
/// - **Production**: Low sample rate (100-1000), balanced thresholds for monitoring
/// - **High-security**: Medium sample rate (10-100), strict thresholds
///
/// # Fields
/// - `enabled`: Master switch for all monitoring functionality
/// - `sample_rate`: How often to monitor operations (1 = always, higher = less frequent)
/// - `alert_threshold`: Statistical threshold for anomaly detection (in standard deviations)
/// - `max_variation_percent`: Maximum allowed timing variation as percentage
/// - `timeout`: Maximum allowed duration before timing out an operation
#[derive(Debug, Clone)]
pub struct MonitoringConfig {
    /// Master enable switch for monitoring functionality
    pub enabled: bool,
    /// Sample rate for monitoring (1 = monitor every operation, higher values = less frequent)
    /// Lower values provide better coverage but increase performance overhead
    pub sample_rate: usize,
    /// Statistical threshold for anomaly detection in standard deviations
    /// Values like 2.0-3.0 are typical for detecting significant deviations
    pub alert_threshold: f64,
    /// Maximum allowed timing variation as a percentage of mean execution time
    /// Helps detect systems under load or environmental changes
    pub max_variation_percent: f64,
    /// Maximum allowed duration for any monitored operation
    /// Operations exceeding this timeout trigger immediate alerts
    pub timeout: Duration,
}

impl Default for MonitoringConfig {
    /// Creates a default monitoring configuration optimized for production use.
    ///
    /// The default configuration prioritizes performance while providing basic
    /// monitoring capabilities. Monitoring is disabled by default to avoid
    /// performance impact in production environments.
    ///
    /// # Default Values
    /// - `enabled: false` - Monitoring disabled for performance
    /// - `sample_rate: 1000` - Monitor 1 in 1000 operations
    /// - `alert_threshold: 3.0` - Alert on 3-sigma deviations (99.7% confidence)
    /// - `max_variation_percent: 10.0` - Allow 10% timing variation
    /// - `timeout: 100ms` - Operations should complete within 100 milliseconds
    ///
    /// # Usage
    /// ```ignore
    /// use clock_curve_math::ct::monitoring::MonitoringConfig;
    ///
    /// // Use defaults (monitoring disabled)
    /// let config = MonitoringConfig::default();
    ///
    /// // Enable monitoring for development
    /// let dev_config = MonitoringConfig {
    ///     enabled: true,
    ///     sample_rate: 10, // Monitor more frequently
    ///     ..MonitoringConfig::default()
    /// };
    /// ```
    fn default() -> Self {
        Self {
            enabled: false,
            sample_rate: 1000,
            alert_threshold: 3.0,        // 3 standard deviations
            max_variation_percent: 10.0, // 10% variation allowed
            timeout: Duration::from_millis(100),
        }
    }
}

/// Result of monitoring a cryptographic operation.
#[derive(Debug, Clone)]
pub struct MonitoringResult<T> {
    /// The result of the operation
    pub result: T,
    /// Timing information
    pub timing: TimingInfo,
    /// Detected anomaly (if any)
    pub anomaly: Option<TimingAnomaly>,
}

/// Timing information for an operation.
#[derive(Debug, Clone)]
pub struct TimingInfo {
    /// Duration of the operation
    pub duration: Duration,
    /// Expected duration (from baseline)
    pub expected_duration: Option<Duration>,
    /// Deviation from expected (in standard deviations)
    pub deviation: Option<f64>,
}

/// Detected timing anomaly in a cryptographic operation.
///
/// Represents different types of timing irregularities that may indicate
/// security issues, performance problems, or environmental changes affecting
/// cryptographic operation timing.
///
/// # Anomaly Types
/// - **Timeout**: Operation exceeded maximum allowed duration
/// - **Deviation**: Statistical deviation from expected timing baseline
/// - **HighVariation**: Excessive timing jitter/variation detected
///
/// # Security Implications
/// Timing anomalies can indicate:
/// - Side-channel vulnerabilities (timing leaks)
/// - Performance degradation affecting security margins
/// - Environmental changes (CPU frequency, memory pressure)
/// - Resource contention in shared environments
///
/// # Response Actions
/// Different anomaly types suggest different responses:
/// - **Timeout**: Immediate investigation (possible DoS or hanging operation)
/// - **Deviation**: Statistical monitoring (may indicate side-channel)
/// - **HighVariation**: System health check (environmental factors)
#[derive(Debug, Clone)]
pub enum TimingAnomaly {
    /// Operation exceeded the configured timeout duration.
    ///
    /// The operation took longer than the maximum allowed time, which could
    /// indicate a performance issue, resource exhaustion, or security problem.
    /// This is the most serious anomaly type requiring immediate attention.
    Timeout {
        /// Actual measured duration of the operation
        actual: Duration,
        /// Maximum allowed duration before timeout
        limit: Duration,
    },

    /// Operation timing deviated significantly from statistical baseline.
    ///
    /// The operation's execution time differed from the expected duration
    /// by more than the configured threshold (measured in standard deviations).
    /// This could indicate timing-based side-channel vulnerabilities.
    Deviation {
        /// Statistical deviation from baseline in standard deviations
        /// (e.g., 3.5 means 3.5 standard deviations from mean)
        deviation: f64,
        /// Maximum allowed deviation threshold
        threshold: f64,
    },

    /// Operation exhibited excessive timing variation.
    ///
    /// The operation's timing showed higher variation than allowed,
    /// indicating inconsistent performance that could mask timing attacks
    /// or indicate system instability.
    HighVariation {
        /// Measured timing variation as percentage of mean duration
        variation_percent: f64,
        /// Maximum allowed variation percentage
        max_allowed: f64,
    },
}

/// Monitor a cryptographic operation with timing checks.
///
/// This function executes the operation while monitoring its timing and
/// checking for anomalies. Monitoring is only performed according to the
/// configured sample rate to minimize performance impact.
pub fn monitor_operation<F, T>(operation_name: &str, operation: F) -> MonitoringResult<T>
where
    F: FnOnce() -> T,
{
    if !should_monitor() {
        // Fast path - no monitoring
        return MonitoringResult {
            result: operation(),
            timing: TimingInfo {
                duration: Duration::from_nanos(0),
                expected_duration: None,
                deviation: None,
            },
            anomaly: None,
        };
    }

    // Get baseline timing for this operation type
    let baseline = get_baseline_timing(operation_name);

    // Time the operation
    let start = get_current_time();
    let result = operation();
    let end = get_current_time();
    let duration = end.saturating_sub(start);

    // Check for anomalies
    let anomaly = detect_anomaly(operation_name, duration, &baseline);

    // Update baseline with new measurement
    update_baseline_timing(operation_name, duration);

    MonitoringResult {
        result,
        timing: TimingInfo {
            duration,
            expected_duration: baseline.mean_duration,
            deviation: anomaly.as_ref().and_then(|a| match a {
                TimingAnomaly::Deviation { deviation, .. } => Some(*deviation),
                _ => None,
            }),
        },
        anomaly,
    }
}

/// Monitor a cryptographic operation with custom configuration.
pub fn monitor_operation_with_config<F, T>(
    operation_name: &str,
    config: &MonitoringConfig,
    operation: F,
) -> MonitoringResult<T>
where
    F: FnOnce() -> T,
{
    if !config.enabled || !should_monitor_with_rate(config.sample_rate) {
        return MonitoringResult {
            result: operation(),
            timing: TimingInfo {
                duration: Duration::from_nanos(0),
                expected_duration: None,
                deviation: None,
            },
            anomaly: None,
        };
    }

    let baseline = get_baseline_timing(operation_name);
    let start = get_current_time();
    let result = operation();
    let end = get_current_time();
    let duration = end.saturating_sub(start);

    let anomaly = detect_anomaly_with_config(operation_name, duration, &baseline, config);
    update_baseline_timing(operation_name, duration);

    MonitoringResult {
        result,
        timing: TimingInfo {
            duration,
            expected_duration: baseline.mean_duration,
            deviation: anomaly.as_ref().and_then(|a| match a {
                TimingAnomaly::Deviation { deviation, .. } => Some(*deviation),
                _ => None,
            }),
        },
        anomaly,
    }
}

/// Enable runtime monitoring globally.
///
/// Activates timing monitoring for all cryptographic operations that use
/// the monitoring functions. When enabled, operations will be periodically
/// sampled and checked for timing anomalies based on the configured sample rate.
///
/// # Performance Impact
/// Enabling monitoring adds overhead to cryptographic operations, though the
/// impact is minimized through sampling. The exact overhead depends on the
/// sample rate and the complexity of monitored operations.
///
/// # Security Benefits
/// - Detects timing-based side-channel vulnerabilities in production
/// - Identifies performance regressions that could indicate security issues
/// - Provides early warning of environmental changes affecting security
///
/// # Thread Safety
/// This function is thread-safe and can be called from any thread.
pub fn enable_monitoring() {
    MONITORING_ENABLED.store(true, Ordering::Relaxed);
}

/// Disable runtime monitoring globally.
///
/// Deactivates timing monitoring to minimize performance overhead in production
/// environments where monitoring is not required. When disabled, monitoring
/// functions will execute operations without timing checks.
///
/// # Use Cases
/// - Production deployments where performance is critical
/// - Development environments needing maximum speed
/// - Situations where monitoring overhead is unacceptable
///
/// # Security Considerations
/// Disabling monitoring removes the ability to detect timing anomalies that
/// could indicate side-channel vulnerabilities. Use with caution.
///
/// # Thread Safety
/// This function is thread-safe and can be called from any thread.
pub fn disable_monitoring() {
    MONITORING_ENABLED.store(false, Ordering::Relaxed);
}

/// Set the global monitoring sample rate.
///
/// Controls how frequently operations are monitored. A sample rate of 1 means
/// every operation is monitored, while higher values mean less frequent monitoring.
/// The sample rate affects both performance overhead and anomaly detection coverage.
///
/// # Parameters
/// * `rate` - Sample rate (1 = monitor every operation, higher = less frequent)
///
/// # Performance vs Security Trade-off
/// - **Rate = 1**: Maximum security coverage, highest performance impact
/// - **Rate = 100**: Good balance for development, moderate overhead
/// - **Rate = 1000**: Minimal production overhead, basic monitoring coverage
///
/// # Examples
/// ```ignore
/// use clock_curve_math::ct::monitoring::set_sample_rate;
///
/// // Monitor every 100th operation (good for development)
/// set_sample_rate(100);
///
/// // Monitor every 1000th operation (good for production)
/// set_sample_rate(1000);
/// ```
///
/// # Thread Safety
/// This function is thread-safe and can be called from any thread.
pub fn set_sample_rate(rate: usize) {
    SAMPLE_RATE.store(rate, Ordering::Relaxed);
}

/// Check if monitoring should be performed based on global configuration.
///
/// Determines whether the current operation should be monitored based on
/// the global monitoring enable flag and sample rate. This function is
/// called frequently and must be highly optimized.
///
/// # Returns
/// `true` if monitoring should be performed, `false` if the operation
/// should execute without monitoring overhead.
///
/// # Performance
/// This function uses atomic operations and is designed to be fast
/// when monitoring is disabled (the common production case).
fn should_monitor() -> bool {
    if !MONITORING_ENABLED.load(Ordering::Relaxed) {
        return false;
    }

    should_monitor_with_rate(SAMPLE_RATE.load(Ordering::Relaxed))
}

/// Check if monitoring should be performed with a specific sample rate.
///
/// Implements sampling-based monitoring where only a fraction of operations
/// are monitored to reduce performance overhead while maintaining statistical
/// coverage for anomaly detection.
///
/// # Parameters
/// * `sample_rate` - How often to monitor (1 = always, higher = less frequent)
///
/// # Algorithm
/// Uses a global counter that increments atomically for each check.
/// When `counter % sample_rate == 0`, monitoring is performed.
/// This ensures even sampling distribution over time.
///
/// # Returns
/// `true` if this operation should be monitored, `false` otherwise
///
/// # Thread Safety
/// Uses atomic operations to ensure correct behavior in multi-threaded environments.
fn should_monitor_with_rate(sample_rate: usize) -> bool {
    if sample_rate <= 1 {
        return true; // Monitor every operation
    }

    static COUNTER: AtomicUsize = AtomicUsize::new(0);
    let count = COUNTER.fetch_add(1, Ordering::Relaxed);
    count % sample_rate == 0
}

/// Get current time (architecture-dependent implementation).
#[cfg(feature = "std")]
fn get_current_time() -> std::time::Instant {
    std::time::Instant::now()
}

#[cfg(not(feature = "std"))]
fn get_current_time() -> core::time::Duration {
    // Fallback for no_std - not accurate but provides basic functionality
    // In a real implementation, this would use a hardware timer
    core::time::Duration::from_nanos(0)
}

/// Statistical baseline timing data for an operation type.
///
/// Maintains running statistics about the expected execution time for a
/// specific cryptographic operation. Used to detect timing anomalies by
/// comparing new measurements against historical performance data.
///
/// # Statistical Properties
/// - Tracks mean execution time and variance
/// - Uses Welford's online algorithm for numerical stability
/// - Maintains sample count for statistical confidence
///
/// # Fields
/// - `mean_duration`: Expected execution time (None until first sample)
/// - `variance`: Statistical variance in execution times
/// - `sample_count`: Number of measurements collected
///
/// # Usage in Anomaly Detection
/// - Requires minimum samples (typically 10+) for reliable statistics
/// - Uses standard deviation analysis for threshold detection
/// - Accounts for natural timing variation in real systems
///
/// # Memory Management
/// Stored in a fixed-size hash table for simplicity. In production,
/// this would typically use a more scalable data structure.
#[derive(Debug, Clone)]
struct BaselineTiming {
    /// Mean execution duration (None until first measurement collected)
    mean_duration: Option<Duration>,
    /// Statistical variance of execution times (for anomaly detection)
    variance: f64,
    /// Number of timing samples collected (affects statistical confidence)
    sample_count: usize,
}

impl Default for BaselineTiming {
    /// Creates a new baseline timing with no measurements.
    ///
    /// Initializes a baseline timing structure representing the state before
    /// any measurements have been collected. This is the starting state for
    /// new operation types that haven't been monitored yet.
    ///
    /// # Initial State
    /// - `mean_duration: None` - No baseline established yet
    /// - `variance: 0.0` - Zero variance initially
    /// - `sample_count: 0` - No samples collected
    ///
    /// The baseline will be populated as operations are monitored and
    /// timing measurements are collected over time.
    fn default() -> Self {
        Self {
            mean_duration: None,
            variance: 0.0,
            sample_count: 0,
        }
    }
}

// Global storage for baseline timings using thread-safe static
// Note: This simplified implementation uses atomic operations for thread safety
// In production, consider using a proper concurrent hash map
use core::sync::atomic::AtomicU64;

static BASELINE_MEAN_STORAGE: [AtomicU64; 16] = [
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
];

static BASELINE_VARIANCE_STORAGE: [AtomicU64; 16] = [
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
    AtomicU64::new(0),
];

static BASELINE_SAMPLE_STORAGE: [AtomicUsize; 16] = [
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
    AtomicUsize::new(0),
];

/// Simple hash function to map operation names to indices.
fn operation_name_hash(name: &str) -> usize {
    let mut hash = 0usize;
    for byte in name.bytes() {
        hash = hash.wrapping_mul(31).wrapping_add(byte as usize);
    }
    hash % 16 // Fit into our fixed-size array
}

/// Get baseline timing statistics for an operation type.
///
/// Retrieves the current baseline timing data for a specific operation,
/// which includes mean duration, variance, and sample count. This baseline
/// is used to detect timing anomalies by comparing new measurements against
/// historical performance.
///
/// # Parameters
/// * `operation_name` - Identifier for the operation type
///
/// # Returns
/// Current baseline timing statistics for the operation
///
/// # Implementation Notes
/// Uses thread-safe atomic operations for concurrent access.
/// In production, this would typically use a proper concurrent hash map.
fn get_baseline_timing(operation_name: &str) -> BaselineTiming {
    let index = operation_name_hash(operation_name);

    // Reconstruct BaselineTiming from atomic storage
    let mean_ns = BASELINE_MEAN_STORAGE[index].load(Ordering::Relaxed);
    let variance_bits = BASELINE_VARIANCE_STORAGE[index].load(Ordering::Relaxed);
    let sample_count = BASELINE_SAMPLE_STORAGE[index].load(Ordering::Relaxed);

    // Convert stored values back to BaselineTiming
    let mean_duration = if mean_ns > 0 {
        Some(Duration::from_nanos(mean_ns))
    } else {
        None
    };

    // Reconstruct f64 from bits (simplified - in practice would need proper serialization)
    let variance = f64::from_bits(variance_bits);

    BaselineTiming {
        mean_duration,
        variance,
        sample_count,
    }
}

/// Update baseline timing statistics with a new measurement.
///
/// Incorporates a new timing measurement into the running statistics for
/// an operation type. Uses thread-safe atomic operations to maintain
/// mean and variance estimates without storing all historical measurements.
///
/// # Parameters
/// * `operation_name` - Identifier for the operation type
/// * `duration` - Measured duration of the latest operation execution
///
/// # Algorithm
/// - Uses atomic operations for thread-safe updates
/// - Simplified statistical tracking compared to full Welford's algorithm
/// - Suitable for monitoring purposes where exact precision is less critical than thread safety
///
/// # Performance
/// O(1) time complexity with atomic operations, suitable for concurrent monitoring.
fn update_baseline_timing(operation_name: &str, duration: Duration) {
    let index = operation_name_hash(operation_name);
    let duration_ns = duration.as_nanos() as u64;

    // Update sample count atomically
    let old_count = BASELINE_SAMPLE_STORAGE[index].fetch_add(1, Ordering::Relaxed);
    let new_count = old_count + 1;

    // Update mean using atomic operations (simplified running average)
    let old_mean = BASELINE_MEAN_STORAGE[index].load(Ordering::Relaxed);
    if old_mean == 0 {
        // First measurement
        BASELINE_MEAN_STORAGE[index].store(duration_ns, Ordering::Relaxed);
    } else {
        // Running average: new_mean = (old_mean * old_count + duration) / new_count
        let new_mean =
            ((old_mean as u128 * old_count as u128) + duration_ns as u128) / new_count as u128;
        BASELINE_MEAN_STORAGE[index].store(new_mean as u64, Ordering::Relaxed);
    }

    // For variance, we use a simplified approach - store the variance as bits
    // In practice, this would need more sophisticated atomic statistical tracking
    // For now, we store a placeholder variance (could be improved with better atomic math)
    let variance_placeholder = (duration_ns as f64 * 0.1).to_bits(); // Simplified variance estimate
    BASELINE_VARIANCE_STORAGE[index].store(variance_placeholder, Ordering::Relaxed);
}

/// Detect timing anomalies using default monitoring configuration.
///
/// Checks if a measured duration deviates significantly from the expected
/// baseline timing for an operation. Uses default configuration thresholds
/// for anomaly detection.
///
/// # Parameters
/// * `operation_name` - Identifier for the operation (for logging)
/// * `duration` - Measured execution duration
/// * `baseline` - Statistical baseline for this operation type
///
/// # Returns
/// `Some(anomaly)` if a timing anomaly is detected, `None` if timing is normal
fn detect_anomaly(
    operation_name: &str,
    duration: Duration,
    baseline: &BaselineTiming,
) -> Option<TimingAnomaly> {
    detect_anomaly_with_config(
        operation_name,
        duration,
        baseline,
        &MonitoringConfig::default(),
    )
}

/// Detect timing anomalies with custom configuration and thresholds.
///
/// Performs comprehensive anomaly detection by checking multiple criteria:
/// - Timeout violations (operations taking too long)
/// - Statistical deviations from baseline (using standard deviations)
/// - High timing variation (excessive jitter in execution times)
///
/// # Parameters
/// * `_operation_name` - Identifier for the operation (currently unused)
/// * `duration` - Measured execution duration
/// * `baseline` - Statistical baseline for comparison
/// * `config` - Monitoring configuration with thresholds
///
/// # Returns
/// `Some(anomaly)` if any anomaly condition is met, `None` if timing appears normal
///
/// # Detection Criteria
/// 1. **Timeout**: Duration exceeds configured maximum
/// 2. **Deviation**: Statistical deviation exceeds alert threshold
/// 3. **Variation**: Timing variation exceeds maximum allowed percentage
///
/// # Statistical Analysis
/// Uses z-score analysis for deviation detection when sufficient samples exist.
/// Requires at least 10 samples for reliable statistical analysis.
fn detect_anomaly_with_config(
    _operation_name: &str,
    duration: Duration,
    baseline: &BaselineTiming,
    config: &MonitoringConfig,
) -> Option<TimingAnomaly> {
    // Check for timeout
    if duration > config.timeout {
        return Some(TimingAnomaly::Timeout {
            actual: duration,
            limit: config.timeout,
        });
    }

    // Check for deviation from baseline
    if let Some(mean_duration) = baseline.mean_duration {
        if baseline.sample_count > 10 {
            // Need enough samples for statistical analysis
            let duration_ns = duration.as_nanos() as f64;
            let mean_ns = mean_duration.as_nanos() as f64;
            // Simple approximation of square root for no_std
            let std_dev = if baseline.variance > 0.0 {
                let x = baseline.variance;
                let mut y = 1.0;
                // Babylonian method approximation
                for _ in 0..10 {
                    y = (y + x / y) * 0.5;
                }
                y
            } else {
                0.0
            };

            if std_dev > 0.0 {
                let deviation = (duration_ns - mean_ns) / std_dev;
                if deviation.abs() > config.alert_threshold {
                    return Some(TimingAnomaly::Deviation {
                        deviation,
                        threshold: config.alert_threshold,
                    });
                }
            }

            // Check for high variation
            if baseline.sample_count > 1 {
                let variation_percent = (std_dev / mean_ns) * 100.0;
                if variation_percent > config.max_variation_percent {
                    return Some(TimingAnomaly::HighVariation {
                        variation_percent,
                        max_allowed: config.max_variation_percent,
                    });
                }
            }
        }
    }

    None
}

#[cfg(test)]
mod tests {
    use super::*;

    /// Test basic monitoring operation functionality.
    ///
    /// Verifies that the monitoring wrapper functions correctly execute
    /// operations and return results. Since monitoring is disabled by default,
    /// this test ensures the fast path (no monitoring) works correctly.
    #[test]
    fn test_monitor_operation_basic() {
        let result = monitor_operation("test_op", || 42);
        assert_eq!(result.result, 42);
        // Monitoring is disabled by default, so no anomaly should be detected
        assert!(result.anomaly.is_none());
    }

    #[test]
    fn test_enable_monitoring() {
        enable_monitoring();
        assert!(MONITORING_ENABLED.load(Ordering::Relaxed));

        disable_monitoring();
        assert!(!MONITORING_ENABLED.load(Ordering::Relaxed));
    }

    /// Test sample rate configuration functionality.
    ///
    /// Verifies that the global sample rate can be set and retrieved correctly.
    /// The sample rate controls how frequently operations are monitored,
    /// affecting both security coverage and performance overhead.
    #[test]
    fn test_sample_rate() {
        set_sample_rate(10);
        assert_eq!(SAMPLE_RATE.load(Ordering::Relaxed), 10);
    }

    /// Test operation name hashing functionality.
    ///
    /// Verifies that the operation name hashing function produces consistent
    /// results for identical inputs and that hash values fit within the
    /// expected range for the baseline storage array.
    #[test]
    fn test_operation_name_hash() {
        let hash1 = operation_name_hash("test");
        let hash2 = operation_name_hash("test");
        let _hash3 = operation_name_hash("different");

        assert_eq!(hash1, hash2);
        assert!(hash1 < 16); // Should fit in our array
        // hash3 might be the same or different depending on the hash function
    }
}