feat(fuzz): session 55 — per-system VK fuzz harnesses

Adds 5 new fuzz harnesses targeting the verifying-key parser of
each Phase-2 + Phase-3 system. Mirrors the session-54 proof-bytes
harness pattern but flips the role of the libfuzzer input: the
fuzz_target call swaps `data` into the VK slot while the proof and
public-inputs slots use the scaffold fixtures.

mosaic-fuzz/Cargo.toml — adds 5 new `[[bin]]` entries:
  fuzz_plonk_vk_bytes
  fuzz_hyperplonk_vk_bytes
  fuzz_halo2_vk_bytes
  fuzz_nova_vk_bytes
  fuzz_stark_vk_bytes

5 new fuzz_target files in `fuzz_targets/`, each pinning the same
panic-free invariant on the system-specific VK parser:

- fuzz_plonk_vk_bytes — 744-byte fixed envelope; non-matching
  lengths must surface as `Err(VerifyingKeyLengthMismatch)`.
- fuzz_hyperplonk_vk_bytes — 744-byte fixed envelope; the cross-
  check `vk.num_variables == proof.sumcheck_rounds` adds a second
  dimension the harness can flip.
- fuzz_halo2_vk_bytes — variable-length tail (fixed_commits ‖
  permutation_commits). Empty IC equivalents (zero-length payload)
  and oversized payloads are both expected to be rejected.
- fuzz_nova_vk_bytes — 235-byte fixed envelope plus the 3-way
  `FoldingVariant::from_byte` tag rejection for bytes ∉ {0, 1, 2}.
- fuzz_stark_vk_bytes — 48-byte fixed envelope plus the
  `StarkFieldId::from_byte` 3-way tag rejection plus the
  structural cross-check against the scaffold proof shape.

After session 55 the fuzz harness inventory is 13 targets total:

  Phase-1 (Groth16, 3 original)
    fuzz_groth16_proof_bytes, fuzz_vk_bytes, fuzz_public_inputs

  Phase-2 (KZG-PLONK, 2 new)
    fuzz_plonk_proof_bytes, fuzz_plonk_vk_bytes

  Phase-3 (HyperPlonk + Halo2 + Nova + STARK, 8 new)
    fuzz_hyperplonk_{proof,vk}_bytes
    fuzz_halo2_{proof,vk}_bytes
    fuzz_nova_{proof,vk}_bytes
    fuzz_stark_{proof,vk}_bytes

Run any harness with:
  cargo +nightly fuzz run --fuzz-dir crates/mosaic-fuzz \
    fuzz_<system>_<surface>_bytes -- -max_total_time=300

The remaining audit-pre-req fuzz gaps are:
- Per-system public-input fuzzers (Phase-2 + Phase-3) — the
  groth16 one already exists; the others would be near-trivial
  follow-ups.
- A combined "all three slots" fuzzer that splits the libfuzzer
  input into vk/proof/public_inputs by length-prefix — explores
  the cross-slot interaction surface that single-slot fuzzers
  can't reach.

Local sanity: `cargo check -p mosaic-fuzz --lib` is clean (only
pedantic missing-docs warnings on the fixture struct fields,
inherited from session 54).

Author: kh0ra

crates/mosaic-fuzz/Cargo.toml

@@ -82,5 +82,39 @@ path = "fuzz_targets/fuzz_stark_proof_bytes.rs"
 test = false
 doc = false
 
+# ───────────────────────────────────────────────────────────────────────
+# Session 55 — Per-system VK fuzz harnesses
+# ───────────────────────────────────────────────────────────────────────
+
+[[bin]]
+name = "fuzz_plonk_vk_bytes"
+path = "fuzz_targets/fuzz_plonk_vk_bytes.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_hyperplonk_vk_bytes"
+path = "fuzz_targets/fuzz_hyperplonk_vk_bytes.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_halo2_vk_bytes"
+path = "fuzz_targets/fuzz_halo2_vk_bytes.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_nova_vk_bytes"
+path = "fuzz_targets/fuzz_nova_vk_bytes.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_stark_vk_bytes"
+path = "fuzz_targets/fuzz_stark_vk_bytes.rs"
+test = false
+doc = false
+
 [lints]
 workspace = true

crates/mosaic-fuzz/fuzz_targets/fuzz_halo2_vk_bytes.rs

@@ -0,0 +1,22 @@
+//! Fuzz harness — arbitrary bytes treated as a Halo2-KZG VK.
+//!
+//! Session 55 — Phase-3 VK surface coverage. Halo2's VK has a
+//! variable-length tail (fixed_commits ‖ permutation_commits) so
+//! the harness exercises both the fixed-header parser and the
+//! length-prefixed payload bounds checks. Empty IC equivalents
+//! (zero-length payload) and oversized payloads are both expected
+//! to surface as `Err(VerifyingKeyLengthMismatch)`.
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::Halo2Fixtures;
+use mosaic_halo2::Halo2KzgBn254;
+
+fuzz_target!(|data: &[u8]| {
+    let f = Halo2Fixtures::default();
+    let backend = HostBackend::new();
+    let v = Halo2KzgBn254::new(&backend);
+    let _ = ProofSystem::verify(&v, data, &f.proof, &f.public_inputs);
+});

crates/mosaic-fuzz/fuzz_targets/fuzz_hyperplonk_vk_bytes.rs

@@ -0,0 +1,20 @@
+//! Fuzz harness — arbitrary bytes treated as a HyperPlonk-KZG VK.
+//!
+//! Session 55 — Phase-3 VK surface coverage. HyperPlonk's VK is a
+//! fixed 744-byte envelope (4 + 4 + 128 + 8·64 + 3·32). The harness
+//! pins the panic-free invariant on the VK parser plus the structural
+//! cross-check `vk.num_variables == proof.sumcheck_rounds`.
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::HyperPlonkFixtures;
+use mosaic_hyperplonk::HyperPlonkKzgBn254;
+
+fuzz_target!(|data: &[u8]| {
+    let f = HyperPlonkFixtures::default();
+    let backend = HostBackend::new();
+    let v = HyperPlonkKzgBn254::new(&backend);
+    let _ = ProofSystem::verify(&v, data, &f.proof, &f.public_inputs);
+});

crates/mosaic-fuzz/fuzz_targets/fuzz_nova_vk_bytes.rs

@@ -0,0 +1,23 @@
+//! Fuzz harness — arbitrary bytes treated as a Nova folding VK.
+//!
+//! Session 55 — Phase-3 VK surface coverage. Nova's VK is a fixed
+//! 235-byte envelope (1 + 2 + 4 + 128 + 3·64 + 32) with a 3-way
+//! variant tag at offset 0. The harness pins:
+//!
+//!   - the `FoldingVariant::from_byte` rejection for tags ∉ {0, 1, 2}
+//!   - the fixed-length envelope check
+//!   - panic-free behaviour on every other adversarial input shape
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::NovaFixtures;
+use mosaic_nova::NovaFolding;
+
+fuzz_target!(|data: &[u8]| {
+    let f = NovaFixtures::default();
+    let backend = HostBackend::new();
+    let v = NovaFolding::new(&backend);
+    let _ = ProofSystem::verify(&v, data, &f.proof, &f.public_inputs);
+});

crates/mosaic-fuzz/fuzz_targets/fuzz_plonk_vk_bytes.rs

@@ -0,0 +1,20 @@
+//! Fuzz harness — arbitrary bytes treated as a KZG-PLONK verifying key.
+//!
+//! Session 55 — Phase-2 VK surface coverage. Pins the panic-free
+//! invariant on PLONK's VK byte-layout parser: a 744-byte fixed
+//! envelope. Any input that doesn't exactly match must surface as
+//! `Err(VerifyingKeyLengthMismatch)` and never panic.
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::PlonkFixtures;
+use mosaic_plonk::PlonkKzgBn254;
+
+fuzz_target!(|data: &[u8]| {
+    let f = PlonkFixtures::default();
+    let backend = HostBackend::new();
+    let v = PlonkKzgBn254::new(&backend);
+    let _ = ProofSystem::verify(&v, data, &f.proof, &f.public_inputs);
+});

crates/mosaic-fuzz/fuzz_targets/fuzz_stark_vk_bytes.rs

@@ -0,0 +1,25 @@
+//! Fuzz harness — arbitrary bytes treated as a FRI-STARK VK.
+//!
+//! Session 55 — Phase-3 VK surface coverage. FRI-STARK's VK is a
+//! fixed 48-byte envelope (1 + 4 + 2 + 1 + 32 + 8) with a 3-way
+//! field-id tag at offset 0. The harness pins:
+//!
+//!   - the `StarkFieldId::from_byte` rejection for tags ∉ {0, 1, 2}
+//!   - the fixed 48-byte envelope check
+//!   - the structural cross-check `vk.{trace_log_height,
+//!     trace_width, log_blowup} == proof.*` against the bench's
+//!     scaffold proof shape
+
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use mosaic_core::{proof_system::ProofSystem, syscall::host::HostBackend};
+use mosaic_fuzz::StarkFixtures;
+use mosaic_stark::FriStark;
+
+fuzz_target!(|data: &[u8]| {
+    let f = StarkFixtures::default();
+    let backend = HostBackend::new();
+    let v = FriStark::new(&backend);
+    let _ = ProofSystem::verify(&v, data, &f.proof, &f.public_inputs);
+});