{
  "spec": "LRFS v1.0",
  "spec_section": "LRFS v1.0 §4.1",
  "category": "failure-modes",
  "id": "001-tampered-signature",
  "description": "Signature bytes do not match the canonical input under the declared key and algorithm. Any conformant verifier MUST reject this payload.",
  "inputs": {
    "layers": {
      "llmind:text": "hello world"
    },
    "signing_algorithm": "hmac-sha256",
    "signing_key_hex": "000102030405060708090a0b0c0d0e0f",
    "signature_bytes_hex": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
  },
  "expected_outcome": "reject",
  "reason": "Recomputed HMAC-SHA256(canonical_input, key) does not equal signature_bytes_hex. The correct HMAC for this input is verifiable via the reference implementation in scripts/generate-spec-vectors.ts — this vector's signature is intentionally arbitrary. Readers MUST fail verification and MUST NOT return the extracted layers as trusted."
}