12 independent cryptographic soundness gates wired across the four
Phase-3 verifier bodies:

| Verifier | Gates |
|---|---|
| HyperPlonk-KZG | 2 (sumcheck + permutation term) |
| Halo2-KZG | 1 + two-point batched opening |
| Nova/HyperNova/ProtoStar | 2 (Hadamard + folded-commitment reconstruction) |
| FRI-STARK | 7 (production parity with Plonky3/Winterfell) |

FRI-STARK highlights:
- Structural query-index derivation
- Trace + constraint Merkle path verification
- PoW grinding (sha256 leading-zero target)
- FRI fold chain walk with multi-layer Goldilocks arithmetic
- Out-of-domain quotient consistency
- Per-FRI-layer Merkle authentication

All gates have paired tamper tests. Each attack class surfaces as a
specific OnChainError variant (SumcheckFailed / VerificationFailed /
PairingCheckFailed).

Primitives shipped in-tree:
- mosaic-stark::goldilocks — F_p arithmetic, p = 2^64 - 2^32 + 1
- mosaic-stark::fri — single-layer + multi-layer fold primitives
- mosaic-nova::folding — Hadamard residual + folded-commitment
  reconstruction

Canonical breaking changes from v0.4.1-phase3-soundness:
- Nova proof: +384 B (hadamard_evals + base commitments)
- Halo2 VK: +32 B (omega_fr domain generator)
- FRI-STARK: +fri_layer_openings + fri_layer_auth_paths tail
  buffers; MAX_TAIL_LEN 1 MiB → 32 MiB

Workspace: 378 tests pass, SBF binary 319 KB (30.4% of 1 MB cap).
Phase-2 Groth16 and KZG-PLONK unchanged at v0.2.0-phase2 byte
compatibility.

Remaining work is fixture-bound: external prover CLI integration
(Espresso HyperPlonk, PSE halo2_proofs, sonobe Nova, Plonky3
STARK) for differential testing. Protocol-layer soundness work is
substantively complete.
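
Added example, not code from mosaic-stark: a sketch of the "FRI fold chain walk" gate over the Goldilocks field for a single query point, with the kind of check a paired tamper test exercises. The function names, the fold convention f' = f_even + beta * f_odd, and the layout where each layer's first opening is the value at the squared point are assumptions; Merkle authentication of the openings is left out.

```rust
// Added illustration, not mosaic-stark code; all names are hypothetical.
const P: u128 = 0xFFFF_FFFF_0000_0001; // Goldilocks prime 2^64 - 2^32 + 1

fn add(a: u64, b: u64) -> u64 { ((a as u128 + b as u128) % P) as u64 }
fn sub(a: u64, b: u64) -> u64 { ((a as u128 + P - (b as u128 % P)) % P) as u64 }
fn mul(a: u64, b: u64) -> u64 { ((a as u128 * b as u128) % P) as u64 }
fn inv(a: u64) -> u64 {
    // Fermat inverse a^(P-2) by square-and-multiply; a must be non-zero.
    let (mut r, mut b, mut e) = (1u64, a, (P - 2) as u64);
    while e > 0 {
        if e & 1 == 1 { r = mul(r, b); }
        b = mul(b, b);
        e >>= 1;
    }
    r
}

/// Horner evaluation of a polynomial, lowest coefficient first.
fn eval(coeffs: &[u64], x: u64) -> u64 {
    coeffs.iter().rev().fold(0, |acc, &c| add(mul(acc, x), c))
}

/// One fold step: from f(x), f(-x) and challenge beta, compute f'(x^2)
/// for f' = f_even + beta * f_odd (assumed convention).
fn fri_fold(x: u64, fx: u64, fneg: u64, beta: u64) -> u64 {
    let even = mul(add(fx, fneg), inv(2));
    let odd = mul(sub(fx, fneg), inv(mul(2, x)));
    add(even, mul(beta, odd))
}

/// Walk the chain for one query: openings[i] = (f_i(x_i), f_i(-x_i)), x_{i+1} = x_i^2.
/// Each fold must match the next layer's opening; the last must match `last`.
fn verify_fold_chain(mut x: u64, openings: &[(u64, u64)], betas: &[u64], last: u64) -> bool {
    if x == 0 || openings.is_empty() || openings.len() != betas.len() { return false; }
    for i in 0..openings.len() {
        let folded = fri_fold(x, openings[i].0, openings[i].1, betas[i]);
        let expected = if i + 1 < openings.len() { openings[i + 1].0 } else { last };
        if folded != expected { return false; }
        x = mul(x, x);
    }
    true
}

fn main() {
    // Constructed sample: f0 = 3 + x + 4x^2 + x^3, betas (5, 9), query x = 7.
    let (p, f0, f1) = (P as u64, [3u64, 1, 4, 1], [8u64, 9]);
    let o = [(eval(&f0, 7), eval(&f0, p - 7)), (eval(&f1, 49), eval(&f1, p - 49))];
    println!("honest chain accepted: {}", verify_fold_chain(7, &o, &[5, 9], 89));
}
```

Changing any single opening or the final constant makes the walk return false, which is the behaviour a tamper test for this gate should assert.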