feat: generate mitigation recommendations #8

@leoneperdigao

Description

Generate actionable, prioritized mitigation recommendations for each quantum-vulnerable component identified in the assessment. Recommendations include specific PQC migration paths, hybrid transition strategies, and effort estimates.

Tasks

  • For each vulnerable component, recommend a specific PQC migration path:
    • RSA/ECC signatures -> ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)
    • RSA/ECC key exchange -> ML-KEM (FIPS 203)
    • DH/ECDH -> ML-KEM or hybrid X25519+ML-KEM
    • AES-128 -> AES-256
    • SHA-256 (long-term use) -> SHA-384 or SHA3-256
  • Generate prioritized migration plan based on:
    • Risk score from assessment engine
    • Mosca's inequality urgency classification
    • Dependency ordering (migrate foundations first)
  • Suggest hybrid approaches for transition period:
    • X25519+ML-KEM-768 for key exchange
    • ECDSA+ML-DSA for dual signatures
    • Hybrid TLS configurations
  • Estimate migration effort per component:
    • Low: configuration change only (e.g., increase key size)
    • Medium: library update with API compatibility
    • High: protocol change or architecture modification
    • Critical: fundamental redesign required
  • Reference authoritative migration guidelines:
    • NIST SP 800-131A Rev 2
    • NSA CNSA 2.0 suite and timelines
    • IETF PQC integration drafts
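As an added illustration of the tasks above (example code written for this page, not code from this repository), the following Python sketch shows how a recommendation engine can combine the three prioritisation inputs: the migration-path table mirrors the issue's list, Mosca's inequality (X + Y > Z) yields the urgency class, and a dependency-aware ordering puts foundations first while letting a foundation inherit the urgency and risk of whatever is built on it. The effort tier attached to each path, the CRQC horizon `CRQC_HORIZON_YEARS`, the `Component` field names and the sample inventory are assumptions made for this example.

```python
"""Added example: prioritised PQC mitigation recommendations.

Migration paths follow the issue's task list; the effort tier per path,
the CRQC horizon and the sample inventory are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Optional
import heapq

# (algorithm, usage) -> (migration path, hybrid option for the transition, effort tier)
RULES = {
    ("RSA", "signature"):     ("ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)", "ECDSA+ML-DSA dual signature", "Medium"),
    ("ECC", "signature"):     ("ML-DSA (FIPS 204) or SLH-DSA (FIPS 205)", "ECDSA+ML-DSA dual signature", "Medium"),
    ("RSA", "key-exchange"):  ("ML-KEM (FIPS 203)", "X25519+ML-KEM-768", "High"),
    ("ECC", "key-exchange"):  ("ML-KEM (FIPS 203)", "X25519+ML-KEM-768", "High"),
    ("DH", "key-exchange"):   ("ML-KEM (FIPS 203) or hybrid X25519+ML-KEM", "X25519+ML-KEM-768", "High"),
    ("ECDH", "key-exchange"): ("ML-KEM (FIPS 203) or hybrid X25519+ML-KEM", "X25519+ML-KEM-768", "High"),
    ("AES-128", "encryption"):     ("AES-256", None, "Low"),
    ("SHA-256", "long-term-hash"): ("SHA-384 or SHA3-256", None, "Low"),
}
GUIDELINES = ("NIST SP 800-131A Rev 2", "NSA CNSA 2.0", "IETF PQC integration drafts")
CRQC_HORIZON_YEARS = 10.0  # Mosca's Z; assumed value for this example

@dataclass
class Component:
    name: str
    algorithm: str
    usage: str
    risk_score: float        # 0-10, as produced by the assessment engine (assumed scale)
    shelf_life_years: float  # Mosca's X: how long the protected data must stay secret
    migration_years: float   # Mosca's Y: time needed to migrate this component
    depends_on: list = field(default_factory=list)  # foundations that must migrate first

@dataclass
class Recommendation:
    component: str
    urgency: str
    risk_score: float
    migration_path: str
    hybrid_option: Optional[str]
    effort: str
    references: tuple = GUIDELINES

def mosca_urgency(c: Component) -> str:
    """Mosca's inequality: if X + Y > Z the component is already overdue."""
    return "urgent" if c.shelf_life_years + c.migration_years > CRQC_HORIZON_YEARS else "planned"

def recommend(c: Component) -> Recommendation:
    rule = RULES.get((c.algorithm, c.usage))
    if rule is None:
        raise ValueError(f"no migration rule for {c.algorithm}/{c.usage}")
    path, hybrid, effort = rule
    return Recommendation(c.name, mosca_urgency(c), c.risk_score, path, hybrid, effort)

def prioritise(components: list) -> list:
    """Urgent, high-risk work first, but every component after its foundations."""
    by_name = {c.name: c for c in components}
    dependants = {c.name: [] for c in components}
    indegree = {c.name: 0 for c in components}
    for c in components:
        for dep in c.depends_on:
            dependants[dep].append(c.name)
            indegree[c.name] += 1

    memo = {}
    def effective_key(name, stack=()):
        # A foundation inherits the urgency/risk of anything built on top of it.
        if name in stack:
            raise ValueError(f"dependency cycle through {name}")
        if name not in memo:
            c = by_name[name]
            key = (0 if mosca_urgency(c) == "urgent" else 1, -c.risk_score)
            for child in dependants[name]:
                key = min(key, effective_key(child, stack + (name,)))
            memo[name] = key
        return memo[name]

    # Kahn's algorithm; among components whose foundations are done, pick by priority.
    ready = [(*effective_key(n), n) for n, deg in indegree.items() if deg == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        *_, name = heapq.heappop(ready)
        order.append(name)
        for child in dependants[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                heapq.heappush(ready, (*effective_key(child), child))
    if len(order) != len(components):
        raise ValueError("dependency cycle in component inventory")
    return [recommend(by_name[n]) for n in order]

# Constructed sample inventory (not real assessment output).
SAMPLE = [
    Component("tls-frontend", "ECDH", "key-exchange", 8.0, 1, 3, depends_on=["cert-signing"]),
    Component("vpn-gateway", "DH", "key-exchange", 9.0, 2, 4, depends_on=["cert-signing"]),
    Component("cert-signing", "ECC", "signature", 6.0, 5, 2),
    Component("backup-encryption", "AES-128", "encryption", 4.0, 15, 1),
    Component("archive-hash", "SHA-256", "long-term-hash", 3.0, 20, 1),
]

if __name__ == "__main__":
    for i, r in enumerate(prioritise(SAMPLE), 1):
        print(f"{i}. {r.component:18} {r.urgency:8} risk={r.risk_score:<4} "
              f"-> {r.migration_path} (hybrid: {r.hybrid_option}, effort: {r.effort})")
```

On the sample inventory the long-lived backup and archive data come out first because Mosca's inequality already flags them, and `cert-signing` is scheduled before the two key-exchange components that depend on it even though its own risk score is lower: the dependency rule is a hard constraint, and priority only decides the order among components whose foundations are already handled. The "Critical" effort tier is not assigned by the rule table here; it would come from an assessment flag indicating a redesign rather than from the algorithm pair alone.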

Labels: engine (Assessment engine), reporting (Report generation)