[DSLLVM] v1.3 Phase 1 COMPLETE: Auto-Fuzz L7 LLM + Telemetry Enforcement

This commit completes DSLLVM v1.3 Phase 1 implementation by adding:

## Feature 1.2: Auto-Fuzz (Completion)

**L7 LLM Integration Tool:**
- dsmil/tools/dsmil-fuzz-gen/dsmil-fuzz-gen.py - Python tool for harness generation
- Generates libFuzzer and AFL++ harnesses from .dsmilfuzz.json
- Optional Layer 7 LLM integration for AI-assisted harness generation
- Offline mode with template-based generation

**CI/CD Integration:**
- dsmil/tools/dsmil-fuzz-gen/ci-templates/gitlab-ci.yml - Full GitLab CI pipeline
- dsmil/tools/dsmil-fuzz-gen/ci-templates/github-actions.yml - GitHub Actions workflow
- Parallel fuzzing, corpus management, crash reporting
- High-priority target extended fuzzing
- Automatic PR comments with fuzz results

**Documentation:**
- dsmil/docs/FUZZ-CICD-INTEGRATION.md - Comprehensive CI/CD integration guide
  - GitLab CI, GitHub Actions, Jenkins, CircleCI
  - Distributed fuzzing, corpus management
  - OSS-Fuzz and Fuzzbench integration
  - 200+ lines of examples

**Key Features:**
- Automatic harness generation: dsmil-fuzz-gen schema.json
- Multi-fuzzer support: libFuzzer, AFL++, Honggfuzz
- Parameter domain extraction from schema
- CI/CD templates ready to use

## Feature 1.3: Telemetry Enforcement (Complete)

**Attributes:**
- DSMIL_SAFETY_CRITICAL(component) - Requires >= 1 telemetry call
- DSMIL_MISSION_CRITICAL - Requires counter + event + error coverage
- DSMIL_TELEMETRY - Mark telemetry provider functions

**Telemetry API:**
- dsmil/include/dsmil_telemetry.h - Complete telemetry API (620+ lines)
  - Counter functions: dsmil_counter_inc/add/get/reset
  - Event functions: dsmil_event_log/severity/msg/structured
  - Performance metrics: dsmil_perf_start/end/latency/throughput
  - Forensics integration: dsmil_forensic_checkpoint/security_event
  - Mission profile integration
  - Telemetry sinks: stdout, syslog, Prometheus

**Enforcement Pass:**
- dsmil/lib/Passes/DsmilTelemetryCheckPass.cpp - Compile-time enforcement
  - Validates safety_critical: >= 1 telemetry call
  - Validates mission_critical: counter + event + error paths
  - Call graph analysis (transitive checking)
  - Compile error on violations

**Documentation:**
- dsmil/docs/TELEMETRY-ENFORCEMENT.md - User guide with examples

**CLI Usage:**
  dsmil-clang -fdsmil-telemetry-check src.c
  # Enforces telemetry requirements

**Integration:**
- Works with mission profiles (telemetry_level enforcement)
- Layer 5 Performance AI integration
- Layer 62 Forensics integration

## Phase 1 Status: COMPLETE ✓

All three Phase 1 features delivered:
1. ✓ Mission Profiles - First-class compile targets
2. ✓ Auto-Fuzz - Automated harness generation + CI/CD
3. ✓ Telemetry - Prevent dark functions

**Files Changed:** 10 new files, 2 modified
**Total Lines:** ~4,800 lines of code/documentation
**Passes Implemented:** 3 (Mission Policy, Fuzz Export, Telemetry Check)
**Tools:** dsmil-fuzz-gen with L7 LLM integration
**CI/CD:** GitLab CI + GitHub Actions templates

## Next Steps (Phase 2)

See DSLLVM-ROADMAP.md for Phase 2 features:
- Operational Stealth Modes
- Threat Signature Embedding
- Blue vs Red Scenario Simulation

## Testing

  # Test telemetry enforcement
  dsmil-clang -fdsmil-telemetry-check test/telemetry_example.c

  # Generate fuzz harnesses
  dsmil-clang -fdsmil-fuzz-export src/network.c
  dsmil-fuzz-gen network.dsmilfuzz.json

## References

- DSLLVM Roadmap: dsmil/docs/DSLLVM-ROADMAP.md
- Previous commit: d56adaf (Phase 1 foundation)

Author: claude

dsmil/docs/FUZZ-CICD-INTEGRATION.md

@@ -0,0 +1,171 @@
+# DSLLVM Telemetry Enforcement Guide
+
+**Version:** 1.3.0
+**Feature:** Minimum Telemetry Enforcement (Phase 1, Feature 1.3)
+**SPDX-License-Identifier:** Apache-2.0 WITH LLVM-exception
+
+## Overview
+
+Telemetry enforcement prevents "dark functions" - critical code paths with zero forensic trail. DSLLVM enforces compile-time telemetry requirements for safety-critical and mission-critical functions, ensuring observability for:
+
+- **Layer 5 Performance AI**: Optimization feedback
+- **Layer 62 Forensics**: Post-incident analysis
+- **Mission compliance**: Telemetry level enforcement
+
+## Enforcement Levels
+
+### Safety-Critical (`DSMIL_SAFETY_CRITICAL`)
+
+**Requirement**: At least ONE telemetry call
+**Use Case**: Important functions requiring basic observability
+
+```c
+DSMIL_SAFETY_CRITICAL("crypto")
+DSMIL_LAYER(3)
+void ml_kem_encapsulate(const uint8_t *pk, uint8_t *ct) {
+    dsmil_counter_inc("ml_kem_calls");  // ✓ Satisfies requirement
+    // ... crypto operations ...
+}
+```
+
+### Mission-Critical (`DSMIL_MISSION_CRITICAL`)
+
+**Requirement**: BOTH counter AND event telemetry + error path coverage
+**Use Case**: Critical functions requiring comprehensive observability
+
+```c
+DSMIL_MISSION_CRITICAL
+DSMIL_LAYER(8)
+int detect_threat(const uint8_t *pkt, size_t len, float *score) {
+    dsmil_counter_inc("threat_detection_calls");  // Counter required
+    dsmil_event_log("threat_detection_start");    // Event required
+
+    int result = analyze(pkt, len, score);
+
+    if (result < 0) {
+        dsmil_event_log("threat_detection_error");  // Error path logged
+        return result;
+    }
+
+    dsmil_event_log("threat_detection_complete");
+    return 0;
+}
+```
+
+## Telemetry API
+
+### Counter Telemetry
+
+```c
+// Increment counter (atomic, thread-safe)
+void dsmil_counter_inc(const char *counter_name);
+
+// Add value to counter
+void dsmil_counter_add(const char *counter_name, uint64_t value);
+```
+
+**Use for**: Call frequency, item counts, resource usage
+
+### Event Telemetry
+
+```c
+// Simple event (INFO severity)
+void dsmil_event_log(const char *event_name);
+
+// Event with severity
+void dsmil_event_log_severity(const char *event_name,
+                              dsmil_event_severity_t severity);
+
+// Event with message
+void dsmil_event_log_msg(const char *event_name,
+                         dsmil_event_severity_t severity,
+                         const char *message);
+```
+
+**Use for**: State transitions, errors, security events
+
+### Performance Metrics
+
+```c
+void *timer = dsmil_perf_start("operation_name");
+// ... operation ...
+dsmil_perf_end(timer);
+```
+
+**Use for**: Latency measurement, performance optimization
+
+## Compilation
+
+```bash
+# Enforce telemetry requirements (default)
+dsmil-clang -fdsmil-telemetry-check src.c -o app
+
+# Warn only
+dsmil-clang -mllvm -dsmil-telemetry-check-mode=warn src.c
+
+# Disable
+dsmil-clang -mllvm -dsmil-telemetry-check-mode=disabled src.c
+```
+
+## Mission Profile Integration
+
+Mission profiles enforce telemetry levels:
+
+- `border_ops`: minimal (counter-only acceptable)
+- `cyber_defence`: full (comprehensive required)
+- `exercise_only`: verbose (all telemetry enabled)
+
+```bash
+dsmil-clang -fdsmil-mission-profile=cyber_defence \
+            -fdsmil-telemetry-check src.c
+```
+
+## Common Violations
+
+### Missing Telemetry
+
+```c
+// ✗ VIOLATION
+DSMIL_SAFETY_CRITICAL
+void critical_op() {
+    // No telemetry calls!
+}
+```
+
+**Error:**
+```
+ERROR: Function 'critical_op' is marked dsmil_safety_critical
+       but has no telemetry calls
+```
+
+### Missing Counter (Mission-Critical)
+
+```c
+// ✗ VIOLATION
+DSMIL_MISSION_CRITICAL
+int mission_op() {
+    dsmil_event_log("start");  // Event only, no counter!
+    return do_work();
+}
+```
+
+**Error:**
+```
+ERROR: Function 'mission_op' is marked dsmil_mission_critical
+       but has no counter telemetry (dsmil_counter_inc/add required)
+```
+
+## Best Practices
+
+1. **Add telemetry early**: At function entry
+2. **Log errors**: All error paths need telemetry
+3. **Use descriptive names**: `"ml_kem_calls"` not `"calls"`
+4. **Component prefix**: `"crypto.ml_kem_calls"` for routing
+5. **Avoid PII**: Don't log sensitive data
+
+## References
+
+- **API Header**: `dsmil/include/dsmil_telemetry.h`
+- **Attributes**: `dsmil/include/dsmil_attributes.h`
+- **Check Pass**: `dsmil/lib/Passes/DsmilTelemetryCheckPass.cpp`
+- **Roadmap**: `dsmil/docs/DSLLVM-ROADMAP.md`

dsmil/docs/TELEMETRY-ENFORCEMENT.md

@@ -300,6 +300,115 @@
 
 /** @} */
 
+/**
+ * @defgroup DSMIL_TELEMETRY Telemetry Enforcement Attributes (v1.3)
+ * @{
+ */
+
+/**
+ * @brief Mark function as safety-critical requiring telemetry
+ * @param component Optional component identifier for telemetry routing
+ *
+ * Safety-critical functions must emit telemetry events to prevent "dark
+ * functions" with zero forensic trail. The compiler enforces that at least
+ * one telemetry call exists in the function body or its callees.
+ *
+ * Telemetry requirements:
+ * - At least one dsmil_counter_inc() or dsmil_event_log() call
+ * - No dead code paths without telemetry
+ * - Integrated with Layer 5 Performance AI and Layer 62 Forensics
+ *
+ * Example:
+ * @code
+ * DSMIL_SAFETY_CRITICAL("crypto")
+ * DSMIL_LAYER(3)
+ * DSMIL_DEVICE(30)
+ * void ml_kem_1024_encapsulate(const uint8_t *pk, uint8_t *ct, uint8_t *ss) {
+ *     dsmil_counter_inc("ml_kem_encapsulate_calls");  // Satisfies requirement
+ *     // ... crypto operations ...
+ *     dsmil_event_log("ml_kem_success");
+ * }
+ * @endcode
+ *
+ * @note Compile-time error if no telemetry calls found
+ * @note Use with mission profiles for telemetry level enforcement
+ */
+#define DSMIL_SAFETY_CRITICAL(component) \
+    __attribute__((dsmil_safety_critical(component)))
+
+/**
+ * @brief Simpler safety-critical annotation without component
+ */
+#define DSMIL_SAFETY_CRITICAL_SIMPLE \
+    __attribute__((dsmil_safety_critical))
+
+/**
+ * @brief Mark function as mission-critical requiring full telemetry
+ *
+ * Mission-critical functions require comprehensive telemetry including:
+ * - Entry/exit logging
+ * - Performance metrics
+ * - Error conditions
+ * - Security events
+ *
+ * Stricter than DSMIL_SAFETY_CRITICAL:
+ * - Requires both counter and event telemetry
+ * - All error paths must be logged
+ * - Performance metrics required for optimization
+ *
+ * Example:
+ * @code
+ * DSMIL_MISSION_CRITICAL
+ * DSMIL_LAYER(8)
+ * DSMIL_DEVICE(80)
+ * int detect_threat(const uint8_t *packet, size_t len, float *score) {
+ *     dsmil_counter_inc("threat_detection_calls");
+ *     dsmil_event_log("threat_detection_start");
+ *
+ *     int result = analyze_packet(packet, len, score);
+ *
+ *     if (result < 0) {
+ *         dsmil_event_log("threat_detection_error");
+ *         dsmil_counter_inc("threat_detection_errors");
+ *         return result;
+ *     }
+ *
+ *     if (*score > 0.8) {
+ *         dsmil_event_log("high_threat_detected");
+ *         dsmil_counter_inc("high_threats");
+ *     }
+ *
+ *     dsmil_event_log("threat_detection_complete");
+ *     return 0;
+ * }
+ * @endcode
+ *
+ * @note Enforced by mission profiles with telemetry_level >= "full"
+ * @note Violations are compile-time errors
+ */
+#define DSMIL_MISSION_CRITICAL \
+    __attribute__((dsmil_mission_critical))
+
+/**
+ * @brief Mark function as telemetry provider (exempted from checks)
+ *
+ * Functions that implement telemetry infrastructure itself should be
+ * marked to avoid circular enforcement.
+ *
+ * Example:
+ * @code
+ * DSMIL_TELEMETRY
+ * void dsmil_counter_inc(const char *counter_name) {
+ *     // Telemetry implementation
+ *     // No telemetry requirement on this function
+ * }
+ * @endcode
+ */
+#define DSMIL_TELEMETRY \
+    __attribute__((dsmil_telemetry))
+
+/** @} */
+
 /**
  * @defgroup DSMIL_MEMORY Memory and Performance Attributes
  * @{