Protocol compiler for adversarial networks

Production-grade polymorphic relay transport compiler in development.

Kurdistan generates profile-specific relay transport implementations with generated state machines, framing, scheduling, padding, probing behavior, multi-stream semantics, source-code backends, adversarial audits, mutation testing, and regression gates.

compiler output: profile-specific transport
state machines: generated
frame grammar: varied
scheduler: profile-bound
streams: flow-controlled
runtime: session-aware
adapter boundary: contract-checked
local adapter: deterministic
byte fixtures: frozen
wire features: baselined
wire shapes: generated
wire evaluation: dataset-ready
host detection: modeled
relay fleet: lifecycle-modeled
hardening: gate-driven

What is Kurdistan?

Kurdistan is a censorship resistance and anti-censorship networking research project focused on polymorphic relay transport generation.

Instead of defining one stable relay transport protocol, Kurdistan compiles private transport profiles. A profile controls first contact, state transitions, wire grammar, semantic mapping, scheduling, padding, probing behavior, stream lifecycle, and error handling.

The current system includes both an interpreted runtime and a generated source backend. That makes it possible to compare shared-runtime behavior against profile-specific Go modules while preserving payload-free traces for analysis.

Why this exists

Fixed protocol families can accumulate recognizable fingerprints. Kurdistan studies protocol fingerprint diversity as a compiler problem.

The long-term motivation is resilient communication in adversarial networks and censored environments, including heavily filtered countries such as Iran. Kurdistan is built for censorship-resistant networking research, pluggable transport research, traffic analysis resistance research, and controlled experiments around internet censorship.

Core capabilities

Compiler, runtime, source generation, and audit layers designed to make protocol collapse visible.

Generated protocols

Deterministic profile generation for first contact, FSM paths, framing, semantic mapping, and probing behavior.

Frame diversity

Profile-specific frame grammar choices for length modes, type modes, fragmentation, padding placement, and limits.

Scheduler and padding

Generated scheduler policies, padding strategies, invalid-input behavior, and malformed-frame responses.

Multi-stream relay transport

Stream IDs, flow-control windows, close/reset behavior, backpressure, and priority scheduling.

Generated source backend

kgen emits profile-specific Go modules with generated constants, tables, tests, and trace tools.

Adversarial audits

Black-box clustering, mutation testing, fixed-signature gates, stream collapse scanning, and regression reports.

Runtime sessions

Role validation, lifecycle transitions, compatibility negotiation, secure channel setup, in-memory links, and safe traces.

Adapter interface

Bounded ingress/egress contracts, flow lifecycle, capability checks, runtime mapping, backpressure, and safe summaries.

Local adapter prototype

Memory ingress/egress adapters, deterministic source and sink models, runtime integration, sequence checks, and safe traces.

Byte transport harness

Deterministic byte frames, fragmentation, bounded local pipe, sequence integrity, corruption rejection, and payload-free traces.

Byte-path fixtures

Golden byte-path summaries, malformed byte corpus metadata, fixture drift gates, and generated/interpreted parity checks.

Wire-feature baselines

Abstract protocol-feature corpus, first-N packet-shape model, safe feature vectors, corpus comparison, and collapse gates.

Wire-shape generator

Deterministic policy sampling, profile integration, bytepath application, expected feature matching, and fixture baselines.

Wire evaluation datasets

Payload-free CSV/JSONL exports, deterministic splits, synthetic controls, drift checks, and classifier-readiness reports.

Host detection resistance

Synthetic host observations, timeline windows, confidence scoring, resistance metrics, collapse controls, and fixture drift gates.

Relay fleet lifecycle

Synthetic relay states, profile assignment, churn schedules, migration events, burn-risk scoring, collapse controls, and fixture drift gates.

Hardening gates

Invariant registry, API misuse tests, panic-safety wrappers, resource bounds, trace hygiene, generated parity, and readiness checks.

Architecture

A compiler-centered proxy transport architecture with generated transports as the core research layer.

Local application / future packet source
Adapter ingress/egress interface
Stable internal relay semantics
Kurdistan generated transport
Carrier abstraction
Remote relay model

Roadmap

The next workstream moves Kurdistan from deterministic ingress prototypes toward adaptive runtime modeling.

M28: Generated transport bundle compiler
M29: Path racing and short-lived scoring harness
M30: Continuous health monitoring and failover model
M31: Carrier-family design reviews
M32: Safe measurement-client design and privacy review
M33: Local proxy egress and relay bridge model
M34: End-to-end local proxy pipeline
M35: Production integration readiness review
M36: Android client architecture review

Research focus

Protocol generation as a path toward stronger relay transport diversity.

censorship resistance, anti-censorship networking, pluggable transport research, protocol fingerprint diversity, traffic analysis resistance research, Iran internet censorship

Documentation links

Start with the README and audit snapshot, then review the latest KIPs.

License

Kurdistan uses separate licenses for source code and documentation.

Source code

GNU Affero General Public License v3.0 or later (AGPL-3.0-or-later).

Documentation

Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0).

Copyright

Copyright 2026 Saro. Preserve copyright and license notices when using or modifying the project.

Adaptive runtime direction

The current implementation centers on generated profiles, source-code backends, multi-stream semantics, proxy-semantics modeling, carrier abstraction, security prerequisites, runtime session architecture, implementation hardening, adapter interface contracts, a deterministic local adapter prototype, a deterministic byte transport harness, byte-path fixture freeze, protocol-feature corpus, wire-shape baselines, the wire-shape generator prototype, wire evaluation datasets, host-based detection resistance, relay fleet lifecycle modeling, concrete local proxy ingress design review, deterministic local proxy ingress prototyping, proxy ingress adversarial hardening, adaptive path modeling, and adversarial audits. The next roadmap phase is generated transport bundle compilation, followed by path racing and short-lived scoring.
