Add fuzz harness, NIST KAT cross-check, CT measurement scaffold, integration demos

- tests/PostQuantum.FileFormat.Fuzz: console-app harness over the
  DeterministicCborValidator and PqfStreamingPipeline parsers. Targets:
  cbor, header, streaming. PqfFileException and CborValidationException
  are the *expected* result — those count as refusals, not findings. A
  finding is any other exception type from the parser.
- tests/PostQuantum.FileFormat.Kat: NIST FIPS 203 / FIPS 204 KAT cross-
  check. Verifies provider.MlKem1024Decapsulate and provider.MlDsa87Verify
  against the parts the current ICryptoProvider exposes. KAT files
  themselves are fetched on demand (gitignored); the harness fails fast
  and tells the operator where to drop them.
- tests/.../Crypto/RecipientTrialConstantTimeTests.cs: dudect-style
  scaffold measuring AuthenticatedModeDecryptor.ResolveDek with the
  identity matching the first vs last recipient block, computing
  Welch's t. Skipped by default; emits the result to test output. To be
  promoted to a CT regression gate once baseline noise is characterized.
- examples/pqf-{encrypt,decrypt}-dir.sh: tar | pqf pipeline demo so the
  README's "what does adoption look like" question has a concrete answer.
- .sln + InternalsVisibleTo wired up for the new test projects.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: systemslibrarian

.gitignore

@@ -20,3 +20,8 @@ artifacts/
 # OS
 .DS_Store
 Thumbs.db
+
+# NIST KAT vector files (large, fetched on demand by scripts/fetch-nist-kat.sh)
+test-vectors/nist-kat/*.rsp
+test-vectors/nist-kat/*.req
+

PostQuantum.FileFormat.sln

@@ -19,6 +19,10 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PostQuantum.FileFormat.Cli"
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PostQuantum.FileFormat.Cli.Tests", "tests\PostQuantum.FileFormat.Cli.Tests\PostQuantum.FileFormat.Cli.Tests.csproj", "{88548260-8F40-43FA-84C8-189A71978705}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PostQuantum.FileFormat.Fuzz", "tests\PostQuantum.FileFormat.Fuzz\PostQuantum.FileFormat.Fuzz.csproj", "{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PostQuantum.FileFormat.Kat", "tests\PostQuantum.FileFormat.Kat\PostQuantum.FileFormat.Kat.csproj", "{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -89,6 +93,30 @@ Global
 		{88548260-8F40-43FA-84C8-189A71978705}.Release|x64.Build.0 = Release|Any CPU
 		{88548260-8F40-43FA-84C8-189A71978705}.Release|x86.ActiveCfg = Release|Any CPU
 		{88548260-8F40-43FA-84C8-189A71978705}.Release|x86.Build.0 = Release|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Debug|x64.Build.0 = Debug|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Debug|x86.Build.0 = Debug|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Release|x64.ActiveCfg = Release|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Release|x64.Build.0 = Release|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Release|x86.ActiveCfg = Release|Any CPU
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E}.Release|x86.Build.0 = Release|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Debug|x64.Build.0 = Debug|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Debug|x86.Build.0 = Debug|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Release|Any CPU.Build.0 = Release|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Release|x64.ActiveCfg = Release|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Release|x64.Build.0 = Release|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Release|x86.ActiveCfg = Release|Any CPU
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -99,5 +127,7 @@ Global
 		{4C78B0EC-7483-47FF-96CE-A5906FBCB4CC} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{674EA9E7-286A-4994-8F0F-B6AFBFA67886} = {342A349A-D343-8551-4064-2E2800C39E13}
 		{88548260-8F40-43FA-84C8-189A71978705} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
+		{B1C2D3E4-F5A6-4B7C-8D9E-0F1A2B3C4D5E} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
+		{C2D3E4F5-A6B7-4C8D-9E0F-1A2B3C4D5E6F} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 	EndGlobalSection
 EndGlobal

examples/README.md

@@ -0,0 +1,30 @@
+# PQF integration examples
+
+Small, self-contained scripts that wrap the `pqf` CLI to do something
+useful. None of these are production tooling — they're meant to show
+that PQF composes with familiar Unix pipelines.
+
+If you have a real integration in mind (a backup tool, a mail
+attachment, a database export), open a
+[discussion](https://github.com/systemslibrarian/PostQuantum.FileFormat/discussions)
+— concrete integrations are exactly what moves a format from "interesting
+spec" to "thing people use."
+
+## `pqf-encrypt-dir.sh`
+
+Encrypts an entire directory tree to a single `.pqf` file by piping a
+deterministic tar archive through `pqf encrypt`. Decryption reverses
+the pipeline.
+
+Use it like:
+
+```bash
+./pqf-encrypt-dir.sh   /path/to/dir   out.pqf   alice.pub.pem
+./pqf-decrypt-dir.sh   out.pqf        /path/to/restore   alice.key.json
+```
+
+The script is intentionally short — read it before relying on it. The
+tar layout is `--sort=name --owner=0 --group=0 --numeric-owner --mtime=...`
+so two encryptions of the same tree produce byte-identical plaintext
+inputs, which means re-encryption is reproducible up to PQF's own
+randomness (KEM ciphertexts, AES-GCM nonces, etc.).

examples/pqf-decrypt-dir.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+#
+# examples/pqf-decrypt-dir.sh
+#
+# Decrypt a .pqf produced by pqf-encrypt-dir.sh and restore the tree.
+# Uses Authenticated Mode by default so the file signature (when present)
+# and footer are verified before any byte is written to disk.
+#
+# Usage:
+#   pqf-decrypt-dir.sh <in.pqf> <dest-parent-dir> <identity.key.json>
+#
+# `dest-parent-dir` is the directory under which the original tree will
+# be restored — the inner directory name comes from the tar archive.
+
+set -euo pipefail
+
+if [[ $# -ne 3 ]]; then
+    cat >&2 <<'EOF'
+usage: pqf-decrypt-dir.sh <in.pqf> <dest-parent-dir> <identity.key.json>
+EOF
+    exit 2
+fi
+
+IN_PQF="$1"
+DEST_DIR="$2"
+IDENTITY="$3"
+
+mkdir -p "${DEST_DIR}"
+
+TMP_TAR="$(mktemp -t pqf-decrypt-dir-XXXXXX.tar)"
+trap 'rm -f "${TMP_TAR}"' EXIT
+
+pqf decrypt \
+    --in "${IN_PQF}" \
+    --out "${TMP_TAR}" \
+    --identity "${IDENTITY}" \
+    --mode authenticated
+
+tar -C "${DEST_DIR}" -xf "${TMP_TAR}"
+echo "restored to ${DEST_DIR}"

examples/pqf-encrypt-dir.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+#
+# examples/pqf-encrypt-dir.sh
+#
+# Encrypt a whole directory tree to a single .pqf file by piping a
+# deterministically-ordered tar archive into `pqf encrypt`. Optional
+# hybrid signature if --signing-key is provided.
+#
+# Usage:
+#   pqf-encrypt-dir.sh <src-dir> <out.pqf> <recipient-pub.pem> [--signing-key <signer.key.json>]
+#
+# Requirements:
+#   - GNU tar (for --sort=name, --mtime).
+#   - pqf CLI on $PATH (install with `dotnet tool install --global PostQuantum.FileFormat.Cli --prerelease`).
+#
+# Notes:
+#   - The tar layout is deterministic: same tree -> identical tar bytes.
+#     PQF itself still introduces randomness (KEM ciphertexts, AEAD nonces),
+#     so two encryptions of the same tree will produce different .pqf
+#     bytes that decrypt to identical plaintext.
+
+set -euo pipefail
+
+if [[ $# -lt 3 ]]; then
+    cat >&2 <<'EOF'
+usage: pqf-encrypt-dir.sh <src-dir> <out.pqf> <recipient-pub.pem> [--signing-key <signer.key.json>]
+EOF
+    exit 2
+fi
+
+SRC_DIR="$1"; shift
+OUT_PQF="$1"; shift
+RECIPIENT="$1"; shift
+
+SIGN_ARGS=()
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --signing-key)
+            SIGN_ARGS+=(--signing-key "$2")
+            shift 2
+            ;;
+        *)
+            echo "unknown flag: $1" >&2
+            exit 2
+            ;;
+    esac
+done
+
+if [[ ! -d "${SRC_DIR}" ]]; then
+    echo "not a directory: ${SRC_DIR}" >&2
+    exit 1
+fi
+
+# Deterministic tar: stable file order, zero owner/group, fixed mtime.
+TMP_TAR="$(mktemp -t pqf-encrypt-dir-XXXXXX.tar)"
+trap 'rm -f "${TMP_TAR}"' EXIT
+
+tar \
+    --sort=name \
+    --owner=0 --group=0 --numeric-owner \
+    --mtime='1970-01-01 00:00:00 UTC' \
+    -C "$(dirname "${SRC_DIR}")" \
+    -cf "${TMP_TAR}" \
+    "$(basename "${SRC_DIR}")"
+
+pqf encrypt \
+    --in "${TMP_TAR}" \
+    --out "${OUT_PQF}" \
+    --recipient "${RECIPIENT}" \
+    "${SIGN_ARGS[@]}"
+
+echo "wrote ${OUT_PQF}"

scripts/fetch-nist-kat.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+#
+# scripts/fetch-nist-kat.sh
+#
+# Download NIST KAT vector files for ML-KEM-1024 (FIPS 203) and
+# ML-DSA-87 (FIPS 204) into test-vectors/nist-kat/.
+#
+# The exact URL of each authoritative artifact moves periodically;
+# update the constants below when NIST republishes. The harness in
+# tests/PostQuantum.FileFormat.Kat consumes the resulting .rsp files.
+#
+# This script does NOT vendor the files into the repo — it materializes
+# them into a gitignored directory for the local KAT run.
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+TARGET_DIR="${REPO_ROOT}/test-vectors/nist-kat"
+mkdir -p "${TARGET_DIR}"
+
+# TODO: Pin to specific NIST-published URLs once a stable mirror is
+# selected. Until then, this script intentionally fails fast and tells
+# the operator where to drop the files.
+cat <<'EOF' >&2
+fetch-nist-kat: this script is a placeholder.
+
+To run the KAT harness, place the following files in:
+    test-vectors/nist-kat/
+
+  - ml-kem-1024.rsp   (NIST FIPS 203 KAT response file)
+  - ml-dsa-87.rsp     (NIST FIPS 204 KAT response file)
+
+Once these files are present, run:
+
+    dotnet run --project tests/PostQuantum.FileFormat.Kat
+
+EOF
+exit 1

src/PostQuantum.FileFormat/TestSupport/InternalsVisibleTo.cs

@@ -1,3 +1,4 @@
 using System.Runtime.CompilerServices;
 
 [assembly: InternalsVisibleTo("PostQuantum.FileFormat.TestVectors")]
+[assembly: InternalsVisibleTo("PostQuantum.FileFormat.Fuzz")]

test-vectors/nist-kat/README.md

@@ -0,0 +1,31 @@
+# NIST KAT vectors
+
+This directory is populated on demand by `scripts/fetch-nist-kat.sh` (and
+its PowerShell equivalent). The NIST-published KAT files are not
+committed to this repo because:
+
+1. They are large.
+2. They are authoritative artifacts published by NIST and should be
+   verified against NIST checksums on each fetch rather than mirrored.
+3. We do not want to subtly diverge from the upstream files.
+
+After running the fetch script, this directory should contain at least:
+
+- `ml-kem-1024.rsp` — KAT vectors for FIPS 203 (ML-KEM-1024).
+- `ml-dsa-87.rsp`   — KAT vectors for FIPS 204 (ML-DSA-87).
+
+Run the cross-check harness with:
+
+```bash
+dotnet run --project tests/PostQuantum.FileFormat.Kat
+```
+
+The harness uses the same `ICryptoProvider` the production code uses,
+so a KAT failure is direct evidence of a wrapper-level defect (wrong
+parameter set, byte ordering, mistaken serialization choice).
+
+The KAT harness intentionally calls primitive APIs that may not exist
+on the current `ICryptoProvider` surface (`MlKemDeriveKeyPair`,
+`MlKemDecapsulate`, `MlDsaDeriveKeyPair`, `MlDsaVerify`). Wiring those
+through is the second half of this work item; until then the harness
+acts as a "build-the-surface" forcing function.

tests/PostQuantum.FileFormat.Fuzz/PostQuantum.FileFormat.Fuzz.csproj

@@ -0,0 +1,35 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <!--
+    Fuzz harness for the PQF reader.
+
+    This is a console app, not a test project: it is invoked from CI as
+    `dotnet run -- --time <seconds> --target <header|streaming|cbor>` and
+    treated as a sanity-check fuzz pass. Long-running campaigns happen out
+    of band; OSS-Fuzz integration is tracked separately.
+
+    The harness deliberately targets the *parser* and *refusal paths*:
+      - DeterministicCborValidator.ParseStrict
+      - HeaderCborReader.Parse (via PqfStreamingPipeline.OpenAsync)
+      - PqfStreamingPipeline.OpenAsync (full container)
+
+    A "find" is any input that triggers an exception other than
+    PqfFileException or CborValidationException — i.e. a panic in the
+    parser. PqfFileException is the *correct* result for malformed input;
+    seeing one is the harness doing its job.
+  -->
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <RootNamespace>PostQuantum.FileFormat.Fuzz</RootNamespace>
+    <IsPackable>false</IsPackable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\..\src\PostQuantum.FileFormat\PostQuantum.FileFormat.csproj" />
+  </ItemGroup>
+
+</Project>