telemt · DavidOsipov · Jun 12, 2026 · Jun 8, 2026 · Jun 8, 2026 · Jun 8, 2026
diff --git a/artifacts/active_probing_nightly_observations.json b/artifacts/active_probing_nightly_observations.json
diff --git a/docs/Documentation/FINGERPRINT_GENERATION_PIPELINE.md b/docs/Documentation/FINGERPRINT_GENERATION_PIPELINE.md
@@ -336,6 +336,14 @@ Release-mode suppression of advisory selections is observable via advisory_block
 3. Route matrix hardening: test_tls_route_ech_quic_block_matrix.cpp
 4. Classifier gate shape: test_tls_wire_pattern_distinguisher_contract.cpp
 
+### Real-Corpus Similarity Gates vs Seed-Stress Diagnostics
+
+A real-corpus similarity gate compares generated TLS ClientHello fields against reviewed browser-capture evidence for the same `(family_id, cohort_id, route_lane, evidence_lane)`. These gates consume `test/analysis/fixtures/clienthello/` through generated reviewed baselines and fail closed when exact release-critical evidence is unavailable or mixed. Examples: `TlsReleaseSimilarityUnavailableFailClosed`, `TlsGeneratorFixtureExactFieldsGate`, `TlsGeneratorExtensionCountSimilarity`, `TlsGeneratorWireLengthFixtureGate`, `TlsGeneratorShuffleSimilarity`.
+
+A seed-stress diagnostic exercises runtime variability across deterministic seeds. Seed-stress diagnostics are valuable for detecting degenerate RNG behavior, duplicate wire images, weak GREASE diversity, and pinned shuffle positions, but generated seeds are not independent browser evidence and may not be used as release-facing denominators. Example: `TLS_NightlyWireBaselineMonteCarlo`.
+
+As a rule, self-calibrated generator tests are not real-browser similarity evidence. A test that derives expected wire lengths, extension counts, or envelopes from the generator under test can only prove internal stability. Note that some fixture-derived gates (for example wire length) still admit the builder's documented padding-target entropy as an explicit tolerance; this is bounded by the reviewed catalog, not self-calibrated from the generator.
+
 ---
 
 ## Trust Tiers and Release Gates

diff --git a/docs/Documentation/Lessons_Learnt.md b/docs/Documentation/Lessons_Learnt.md
@@ -319,3 +319,11 @@ All three passed after the test logic was corrected.
 | Existing Chromium shuffle regression tests | `test/stealth/test_tls_extension_order_policy.cpp` |
 | New contract tests from this session | `test/stealth/test_tls_extension_order_template_catalog_contract.cpp` |
 | Fixture-derived Chrome extension-set coverage | `test/stealth/test_tls_corpus_chrome_extension_set_1k.cpp` |
+
+---
+
+## Real-Corpus Similarity Evidence
+
+Self-calibrated generator tests are not real-browser similarity evidence. Release-facing fingerprint claims must use reviewed fixture evidence from real packet captures, disclose the cohort denominator, and fail closed when exact release-critical fields are unavailable or mixed. Seed-stress diagnostics remain useful, but they prove generator diversity and stability rather than similarity to browser dumps.
+
+A practical corollary learned while wiring the fixture-derived wire-length gate: a byte-exact wire-length equality check is the wrong gate, because `TlsHelloBuilder` injects 0..255 bytes of per-build padding-target entropy as an anti-DPI measure. The release gate must bound the generated length to the reviewed catalog with a tolerance derived from that documented entropy budget, not assert a single byte length.
diff --git a/docs/Generated/FINGERPRINT_TRANSPORT_COHERENCE_STATUS.generated.json b/docs/Generated/FINGERPRINT_TRANSPORT_COHERENCE_STATUS.generated.json
@@ -59,7 +59,7 @@
   },
   "notes": "",
   "observation_generated_at_utc": "2026-04-26T00:00:00Z",
-  "observation_input_path": "/tmp/tmpfd8yppnf/transport_observations.json",
+  "observation_input_path": "/tmp/.ctx-mode-q5fBni/tmp4mbn9mor/transport_observations.json",
   "required_metrics": [
     "ttl_bucket_match_rate",
     "syn_option_order_class_match_rate",