<!-- SPDX-License-Identifier: CC-BY-SA-4.0 -->
<!-- Copyright 2026 Saro -->

# KIP-0024: Byte-Path Fixture Freeze

Milestone 18 stabilizes deterministic byte-path fixtures before the project adds protocol-feature corpus work or broader wire-shape generation. Milestone 19 builds on this fixture layer with [KIP-0025](KIP-0025-protocol-feature-corpus.md).

The goal is to make future byte-path drift visible without storing raw payloads, raw encoded bytes, ciphertext, secrets, keys, nonce bases, auth tags, proof material, or destination data.

## Purpose

Milestone 17 proved that local adapter/runtime/carrier output can move through a deterministic byte encoder, bounded byte pipe, decoder, sequence checker, and receiver-side reconstruction model. Milestone 18 freezes safe summaries of that path so future changes can be compared against known baselines.

```text
profile seed
  -> compiled profile
  -> local adapter scenario
  -> runtime session
  -> proxysem + carrier + security metadata
  -> byte transport encoder
  -> deterministic byte pipe
  -> byte transport decoder
  -> receiver reconstruction
  -> safe fixture summary
  -> generated/interpreted parity check
```

## Fixture Manifest

`internal/fixtures` defines a versioned manifest with:

- fixture schema version
- deterministic generation timestamp
- fixture set name
- profile seed list
- scenario list
- backend version
- payload/secret hygiene flags
- fixture entries
- safe byte-path summaries
- optional malformed corpus metadata
- optional performance baseline buckets

The committed golden set lives in:

```text
testdata/fixtures/bytepath-golden.json
```

The seed set is:

```text
12345
12346
12347
```

The scenario set is:

```text
byte_single_flow_echo
byte_many_small_flows
byte_large_flow_fragmented
byte_mixed_flows
byte_reset_isolation
byte_corruption_rejection
byte_replay_rejection
```

## Safe Hashes

Fixture entries include:

- `summary_hash`
- `trace_hash`
- `byte_shape_hash`

These hashes are computed over safe, normalized metadata. They are not hashes of raw payloads or raw encoded byte streams.

## Malformed Byte Corpus

`testdata/fixtures/malformed-byte-corpus.json` stores metadata for malformed-input regression cases, including expected reject buckets. The actual malformed byte sequences are constructed deterministically by tests and gates.

Covered cases include:

- empty input
- truncated header
- unknown frame kind
- oversized frame
- oversized payload
- invalid length field
- trailing invalid bytes
- invalid fragment metadata
- duplicate or missing fragments
- oversized reassembly
- sequence replay
- old or future sequence
- post-close/post-reset data
- corrupted checksum
- invalid or oversized metadata
- random bounded noise

## Generated And Interpreted Parity

`internal/byteparity` compares interpreted and generated byte-path summaries for:

- profile ID
- scenario name
- frame count
- fragment count
- reassembly result
- sequence rejection result
- malformed rejection result
- corruption rejection result
- replay rejection result
- backpressure bucket
- runtime stream mapping count
- target error/reset count
- sink completion
- payload/secret hygiene

Semantic drift fails. Safe byte-shape differences are reported separately so generated specialization can be inspected without being confused with semantic failure.

## Fixture Drift Detection

`kcheck fixtures verify` reloads the committed golden manifest, regenerates the deterministic fixture set, and compares hashes. Unexpected drift fails.

`kcheck fixtures compare` compares two manifests and reports added, removed, changed, semantic-drift, and byte-shape-drift entries.

## Performance Baseline Buckets

`testdata/fixtures/performance-baseline.json` stores broad warning-only buckets for:

- byte frame encode/decode
- byte pipe write/read
- local adapter scenario
- byte transport quick audit
- fixture verification

These are intentionally broad to avoid flaky exact timing thresholds.

## Trace Hygiene Rules

Fixture and parity outputs must not contain:

- raw payloads
- raw encoded or decoded bytes
- ciphertext or plaintext dumps
- auth tags
- nonce bases
- secrets or derived keys
- client/server write keys
- proof material
- private keys
- session secrets

The hardening trace hygiene scanner includes fixture manifests, parity reports, malformed byte corpus metadata, and generated fixture outputs.

## Audit Gates

`kcheck bytepath` reports:

- `fixture_bytepath_drift`
- `bytepath_fixture_stability`
- `bytepath_generated_interpreted_parity`
- `bytepath_malformed_corpus`
- `bytepath_regression_baselines`
- `bytepath_fixture_trace_hygiene`
- `bytepath_performance_baseline`

The default quick audit also includes the required bytepath gates.

## Commands

Generate the byte-path golden manifest:

```bash
go run ./cmd/kcheck fixtures generate --out testdata/fixtures/bytepath-golden.json --force
```

Verify committed fixtures:

```bash
go run ./cmd/kcheck fixtures verify
```

Compare manifests:

```bash
go run ./cmd/kcheck fixtures compare --old testdata/fixtures/bytepath-golden.json --new testdata/fixtures/bytepath-golden.json
```

Run bytepath audit:

```bash
go run ./cmd/kcheck bytepath --quick
go run ./cmd/kcheck bytepath --full --out testdata/audit/bytepath.json
```

## Generated Backend Parity

Generated modules include:

```text
protocol/bytepath_fixture_test.go
protocol/bytepath_parity_test.go
```

The generated source scanner checks for bytepath fixture constants and tests. `kcheck codegen --quick` includes `bytepath_fixture_generated_backend_parity`.

## Limitations

The fixtures freeze local deterministic byte-path metadata only. They do not prove real-world transport behavior, undetectability, or production readiness. They do not store or evaluate raw packet captures. Future wire-shape work needs a separate corpus and review.

## Next Milestone

Milestone 19 adds a protocol-feature corpus and wire-shape evaluation baselines using these byte-path fixtures as stable regression anchors. The next step is a wire-shape generation prototype that consumes those baselines.