[pitboss] phase 09: Track J.7 + Track L.7 — OPEN_REDIRECT corpus + redirect-aware adapters

2026-06-27 20:29:39 +02:00 · 2026-05-18 02:32:13 -05:00 · 2026-05-18 02:32:13 -05:00 · b881af5d93
commit b881af5d93
parent 5697763f28
47 changed files with 2592 additions and 32 deletions
--- a/src/dynamic/lang/go.rs
+++ b/src/dynamic/lang/go.rs
@ -513,6 +513,14 @@ pub fn emit(spec: &HarnessSpec) -> Result<HarnessSource, UnsupportedReason> {
        return Ok(emit_header_injection_harness(spec));
    }

+    // Phase 09 (Track J.7): OPEN_REDIRECT-sink short-circuit.  The Go
+    // harness models `c.Redirect(http.StatusFound, value)` (and
+    // `http.Redirect`) and records the bound `Location:` value via a
+    // `ProbeKind::Redirect` probe.
+    if spec.expected_cap == crate::labels::Cap::OPEN_REDIRECT {
+        return Ok(emit_open_redirect_harness(spec));
+    }
+
    let entry_source = read_entry_source(&spec.entry_file);
    let shape = GoShape::detect(spec, &entry_source);
    let main_go = generate_main_go(spec, shape);
@ -680,6 +688,66 @@ func main() {{
    }
 }

+/// Phase 09 — Track J.7 open-redirect harness for Go (`gin.Context.Redirect`
+/// / `http.Redirect`).
+///
+/// Reads `NYX_PAYLOAD`, calls a synthetic instrumented redirect shim
+/// that records the bound `Location:` value plus the request's
+/// origin host via a `ProbeKind::Redirect` probe.
+pub fn emit_open_redirect_harness(_spec: &HarnessSpec) -> HarnessSource {
+    let shim = probe_shim();
+    let go_mod = generate_go_mod();
+    let source = format!(
+        r##"// Nyx dynamic harness — OPEN_REDIRECT c.Redirect (Phase 09 / Track J.7).
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/signal"
+	"strings"
+	"syscall"
+	"time"
+)
+
+{shim}
+
+func nyxRedirectProbe(location, requestHost string) {{
+	__nyx_emit(map[string]interface{{}}{{
+		"sink_callee": "gin.Context.Redirect",
+		"args": []map[string]interface{{}}{{
+			{{"kind": "String", "value": location}},
+		}},
+		"captured_at_ns": uint64(time.Now().UnixNano()),
+		"payload_id":     os.Getenv("NYX_PAYLOAD_ID"),
+		"kind":           map[string]interface{{}}{{"kind": "Redirect", "location": location, "request_host": requestHost}},
+		"witness":        __nyx_witness("gin.Context.Redirect", []string{{location}}),
+	}})
+}}
+
+func main() {{
+	__nyx_install_crash_guard("gin.Context.Redirect")
+	defer __nyx_recover_crash("gin.Context.Redirect")()
+	payload := os.Getenv("NYX_PAYLOAD")
+	requestHost := "example.com"
+	location := payload
+	nyxRedirectProbe(location, requestHost)
+	fmt.Println("__NYX_SINK_HIT__")
+	body, _ := json.Marshal(map[string]interface{{}}{{"location": location, "request_host": requestHost}})
+	fmt.Println(string(body))
+}}
+"##
+    );
+    HarnessSource {
+        source,
+        filename: "main.go".to_owned(),
+        command: vec!["./nyx_harness".to_owned()],
+        extra_files: vec![("go.mod".to_owned(), go_mod)],
+        entry_subpath: None,
+    }
+}
+
 fn generate_main_go(spec: &HarnessSpec, shape: GoShape) -> String {
    let entry_fn = capitalize_first(&spec.entry_name);
    let pre_call = pre_call_setup(spec);
--- a/src/dynamic/lang/java.rs
+++ b/src/dynamic/lang/java.rs
@ -570,6 +570,9 @@ pub fn emit(spec: &HarnessSpec) -> Result<HarnessSource, UnsupportedReason> {
    if spec.expected_cap == crate::labels::Cap::HEADER_INJECTION {
        return Ok(emit_header_injection_harness(spec));
    }
+    if spec.expected_cap == crate::labels::Cap::OPEN_REDIRECT {
+        return Ok(emit_open_redirect_harness(spec));
+    }

    let entry_source = read_entry_source(&spec.entry_file);
    let shape = JavaShape::detect(spec, &entry_source);
@ -1293,6 +1296,85 @@ public class NyxHarness {{
    }
 }

+/// Phase 09 — Track J.7 open-redirect harness for Java
+/// (`HttpServletResponse.sendRedirect`).
+///
+/// Reads `NYX_PAYLOAD`, calls a synthetic instrumented
+/// `response.sendRedirect(value)` shim that records the *unmodified*
+/// `Location:` value plus the request's origin host via a
+/// `ProbeKind::Redirect` probe.  Mirrors the synthetic-harness
+/// pattern used by Phase 03 / 04 / 05 / 06 / 07 / 08.
+pub fn emit_open_redirect_harness(_spec: &HarnessSpec) -> HarnessSource {
+    let shim = probe_shim();
+    let source = format!(
+        r#"// Nyx dynamic harness — OPEN_REDIRECT HttpServletResponse.sendRedirect (Phase 09 / Track J.7).
+import java.io.FileWriter;
+import java.io.IOException;
+
+public class NyxHarness {{
+{shim}
+
+    static void nyxRedirectProbe(String location, String requestHost) {{
+        String p = System.getenv("NYX_PROBE_PATH");
+        if (p == null || p.isEmpty()) return;
+        long now = System.nanoTime();
+        String pid = System.getenv("NYX_PAYLOAD_ID");
+        if (pid == null) pid = "";
+        StringBuilder line = new StringBuilder(256);
+        line.append("{{\"sink_callee\":\"HttpServletResponse.sendRedirect\",\"args\":[");
+        line.append("{{\"kind\":\"String\",\"value\":\"");
+        nyxJsonEscape(location, line);
+        line.append("\"}}],");
+        line.append("\"captured_at_ns\":").append(now).append(',');
+        line.append("\"payload_id\":\"");
+        nyxJsonEscape(pid, line);
+        line.append("\",\"kind\":{{\"kind\":\"Redirect\",\"location\":\"");
+        nyxJsonEscape(location, line);
+        line.append("\",\"request_host\":\"");
+        nyxJsonEscape(requestHost, line);
+        line.append("\"}},");
+        line.append("\"witness\":");
+        line.append(nyxWitnessJson("HttpServletResponse.sendRedirect", new String[]{{location}}));
+        line.append("}}\n");
+        try (FileWriter fw = new FileWriter(p, true)) {{
+            fw.write(line.toString());
+        }} catch (IOException e) {{
+            // best-effort
+        }}
+    }}
+
+    public static void main(String[] args) {{
+        String payload = System.getenv("NYX_PAYLOAD");
+        if (payload == null) payload = "";
+        String requestHost = "example.com";
+        String location = payload;
+        nyxRedirectProbe(location, requestHost);
+        System.out.println("__NYX_SINK_HIT__");
+        StringBuilder body = new StringBuilder(64);
+        body.append("{{\"location\":\"");
+        nyxJsonEscape(location, body);
+        body.append("\",\"request_host\":\"");
+        nyxJsonEscape(requestHost, body);
+        body.append("\"}}");
+        System.out.println(body.toString());
+    }}
+}}
+"#
+    );
+    HarnessSource {
+        source,
+        filename: "NyxHarness.java".to_owned(),
+        command: vec![
+            "java".to_owned(),
+            "-cp".to_owned(),
+            ".".to_owned(),
+            "NyxHarness".to_owned(),
+        ],
+        extra_files: Vec::new(),
+        entry_subpath: None,
+    }
+}
+
 /// Public wrapper to detect the shape for a finalised `HarnessSpec`,
 /// reading the entry file from disk.  Exposed so test helpers can pin a
 /// per-fixture shape without round-tripping through [`emit`].
--- a/src/dynamic/lang/js_shared.rs
+++ b/src/dynamic/lang/js_shared.rs
@ -457,6 +457,14 @@ pub fn emit(spec: &HarnessSpec, is_typescript: bool) -> Result<HarnessSource, Un
        return Ok(emit_header_injection_harness(spec));
    }

+    // Phase 09 (Track J.7): OPEN_REDIRECT-sink short-circuit.  The
+    // synthetic harness calls an instrumented `res.redirect` shim
+    // that records the bound `Location:` value via a
+    // `ProbeKind::Redirect` probe.
+    if spec.expected_cap == crate::labels::Cap::OPEN_REDIRECT {
+        return Ok(emit_open_redirect_harness(spec));
+    }
+
    let entry_source = read_entry_source(&spec.entry_file);
    let shape = JsShape::detect(spec, &entry_source);
    let entry_subpath = entry_subpath_for_shape(shape, is_typescript);
@ -670,6 +678,56 @@ console.log(JSON.stringify({{ name: name, value: value }}));
    }
 }

+/// Phase 09 — Track J.7 open-redirect harness for Node (Express
+/// `res.redirect`).
+///
+/// Reads `NYX_PAYLOAD`, calls a synthetic instrumented
+/// `res.redirect(value)` shim that records the bound `Location:`
+/// value plus the request's origin host via a `ProbeKind::Redirect`
+/// probe.
+pub fn emit_open_redirect_harness(_spec: &HarnessSpec) -> HarnessSource {
+    let shim = probe_shim();
+    let body = format!(
+        r#"// Nyx dynamic harness — OPEN_REDIRECT res.redirect (Phase 09 / Track J.7).
+{shim}
+
+function nyxRedirectProbe(location, requestHost) {{
+  const p = process.env.NYX_PROBE_PATH;
+  if (!p) return;
+  const rec = {{
+    sink_callee: 'res.redirect',
+    args: [
+      {{ kind: 'String', value: location }},
+    ],
+    captured_at_ns: Number(process.hrtime.bigint()),
+    payload_id: process.env.NYX_PAYLOAD_ID || '',
+    kind: {{ kind: 'Redirect', location: location, request_host: requestHost }},
+    witness: __nyx_witness('res.redirect', [location]),
+  }};
+  try {{
+    require('fs').appendFileSync(p, JSON.stringify(rec) + '\n');
+  }} catch (e) {{
+    // best-effort
+  }}
+}}
+
+const payload = process.env.NYX_PAYLOAD || '';
+const requestHost = 'example.com';
+const location = payload;
+nyxRedirectProbe(location, requestHost);
+console.log('__NYX_SINK_HIT__');
+console.log(JSON.stringify({{ location: location, request_host: requestHost }}));
+"#
+    );
+    HarnessSource {
+        source: body,
+        filename: "harness.js".to_owned(),
+        command: vec!["node".to_owned(), "harness.js".to_owned()],
+        extra_files: Vec::new(),
+        entry_subpath: None,
+    }
+}
+
 /// Phase 26 — Node chain-step harness (shared between JS + TS emitters).
 ///
 /// Splices the Node probe shim ([`probe_shim`]) in front of a minimal
--- a/src/dynamic/lang/php.rs
+++ b/src/dynamic/lang/php.rs
@ -436,6 +436,10 @@ pub fn emit(spec: &HarnessSpec) -> Result<HarnessSource, UnsupportedReason> {
    if spec.expected_cap == crate::labels::Cap::HEADER_INJECTION {
        return Ok(emit_header_injection_harness(spec));
    }
+    // Phase 09 (Track J.7): OPEN_REDIRECT-sink short-circuit.
+    if spec.expected_cap == crate::labels::Cap::OPEN_REDIRECT {
+        return Ok(emit_open_redirect_harness(spec));
+    }

    let entry_source = read_entry_source(&spec.entry_file);
    let shape = PhpShape::detect(spec, &entry_source);
@ -921,6 +925,57 @@ echo json_encode(['name' => $name, 'value' => $value]) . "\n";
    }
 }

+/// Phase 09 — Track J.7 open-redirect harness for PHP (`header("Location: …")` /
+/// `Response::redirect`).
+///
+/// Reads `NYX_PAYLOAD`, calls a synthetic instrumented redirect shim
+/// that records the bound `Location:` value plus the request's origin
+/// host via a `ProbeKind::Redirect` probe.  Mirrors the
+/// synthetic-harness pattern used by Phase 03 / 04 / 05 / 06 / 07 / 08.
+pub fn emit_open_redirect_harness(_spec: &HarnessSpec) -> HarnessSource {
+    let shim = probe_shim();
+    let body = format!(
+        r#"<?php
+// Nyx dynamic harness — OPEN_REDIRECT Response::redirect (Phase 09 / Track J.7).
+{shim}
+
+function _nyx_redirect_probe(string $location, string $requestHost): void {{
+    $p = getenv('NYX_PROBE_PATH');
+    if ($p === false || $p === '') return;
+    $rec = [
+        'sink_callee'    => 'Response::redirect',
+        'args'           => [
+            ['kind' => 'String', 'value' => $location],
+        ],
+        'captured_at_ns' => (int) hrtime(true),
+        'payload_id'     => (string) (getenv('NYX_PAYLOAD_ID') ?: ''),
+        'kind'           => [
+            'kind' => 'Redirect',
+            'location' => $location,
+            'request_host' => $requestHost,
+        ],
+        'witness'        => __nyx_witness('Response::redirect', [$location]),
+    ];
+    @file_put_contents($p, json_encode($rec) . "\n", FILE_APPEND);
+}}
+
+$payload = (string) (getenv('NYX_PAYLOAD') ?: '');
+$requestHost = 'example.com';
+$location = $payload;
+_nyx_redirect_probe($location, $requestHost);
+echo "__NYX_SINK_HIT__\n";
+echo json_encode(['location' => $location, 'request_host' => $requestHost]) . "\n";
+"#
+    );
+    HarnessSource {
+        source: body,
+        filename: "harness.php".to_owned(),
+        command: vec!["php".to_owned(), "harness.php".to_owned()],
+        extra_files: Vec::new(),
+        entry_subpath: None,
+    }
+}
+
 fn generate_source(spec: &HarnessSpec, shape: PhpShape) -> String {
    let entry_fn = &spec.entry_name;
    let pre_call = build_pre_call(spec, shape);
--- a/src/dynamic/lang/python.rs
+++ b/src/dynamic/lang/python.rs
@ -650,6 +650,16 @@ pub fn emit(spec: &HarnessSpec) -> Result<HarnessSource, UnsupportedReason> {
        return Ok(emit_header_injection_harness(spec));
    }

+    // Phase 09 (Track J.7): short-circuit to the open-redirect harness
+    // when the spec's expected cap is OPEN_REDIRECT.  The harness
+    // splices the payload into a synthetic `flask.redirect(value)`
+    // call and records the bound `Location:` value via a
+    // `ProbeKind::Redirect` probe consumed by the
+    // `RedirectHostNotIn` oracle.
+    if spec.expected_cap == crate::labels::Cap::OPEN_REDIRECT {
+        return Ok(emit_open_redirect_harness(spec));
+    }
+
    let entry_source = read_entry_source(&spec.entry_file);
    let shape = PythonShape::detect(spec, &entry_source);
    let body = generate_for_shape(spec, shape);
@ -1150,6 +1160,70 @@ def _nyx_run():
    sys.stdout.flush()


+if __name__ == "__main__":
+    _nyx_run()
+"#
+    );
+    HarnessSource {
+        source: body,
+        filename: "harness.py".to_owned(),
+        command: vec!["python3".to_owned(), "harness.py".to_owned()],
+        extra_files: Vec::new(),
+        entry_subpath: None,
+    }
+}
+
+/// Phase 09 — Track J.7 open-redirect harness for Python
+/// (`flask.redirect`).
+///
+/// Reads `NYX_PAYLOAD`, calls a synthetic instrumented
+/// `flask.redirect(value)` shim that records the bound `Location:`
+/// value plus the request's origin host via a `ProbeKind::Redirect`
+/// probe.  A vuln payload binding `https://attacker.test/` trips the
+/// [`crate::dynamic::oracle::ProbePredicate::RedirectHostNotIn`]
+/// oracle; the paired benign control redirects to a same-origin
+/// path and leaves the predicate clear.
+pub fn emit_open_redirect_harness(_spec: &HarnessSpec) -> HarnessSource {
+    let probe = probe_shim();
+    let body = format!(
+        r#"#!/usr/bin/env python3
+"""Nyx dynamic harness — OPEN_REDIRECT flask.redirect (Phase 09 / Track J.7)."""
+import json
+import os
+import sys
+import time
+
+{probe}
+
+
+def _nyx_redirect_probe(location, request_host):
+    rec = {{
+        "sink_callee": "flask.redirect",
+        "args": [
+            {{"kind": "String", "value": location}},
+        ],
+        "captured_at_ns": time.time_ns(),
+        "payload_id": os.environ.get("NYX_PAYLOAD_ID", ""),
+        "kind": {{
+            "kind": "Redirect",
+            "location": location,
+            "request_host": request_host,
+        }},
+        "witness": __nyx_witness("flask.redirect", [location]),
+    }}
+    __nyx_emit(rec)
+
+
+def _nyx_run():
+    payload = os.environ.get("NYX_PAYLOAD", "")
+    request_host = "example.com"
+    location = payload
+    _nyx_redirect_probe(location, request_host)
+    print("__NYX_SINK_HIT__", flush=True)
+    sys.stdout.write(json.dumps({{"location": location, "request_host": request_host}}) + "\n")
+    sys.stdout.flush()
+
+
 if __name__ == "__main__":
    _nyx_run()
 "#
--- a/src/dynamic/lang/ruby.rs
+++ b/src/dynamic/lang/ruby.rs
@ -427,6 +427,9 @@ pub fn emit(spec: &HarnessSpec) -> Result<HarnessSource, UnsupportedReason> {
    if spec.expected_cap == crate::labels::Cap::HEADER_INJECTION {
        return Ok(emit_header_injection_harness(spec));
    }
+    if spec.expected_cap == crate::labels::Cap::OPEN_REDIRECT {
+        return Ok(emit_open_redirect_harness(spec));
+    }

    let entry_source = read_entry_source(&spec.entry_file);
    let shape = RubyShape::detect(spec, &entry_source);
@ -670,6 +673,55 @@ STDOUT.flush
    }
 }

+/// Phase 09 — Track J.7 open-redirect harness for Ruby
+/// (`Rack::Response#redirect`).
+///
+/// Reads `NYX_PAYLOAD`, calls a synthetic instrumented
+/// `response.redirect(value)` shim that records the bound
+/// `Location:` value plus the request's origin host via a
+/// `ProbeKind::Redirect` probe.
+pub fn emit_open_redirect_harness(_spec: &HarnessSpec) -> HarnessSource {
+    let shim = probe_shim();
+    let body = format!(
+        r#"# Nyx dynamic harness — OPEN_REDIRECT Rack::Response#redirect (Phase 09 / Track J.7).
+require 'json'
+
+{shim}
+
+def _nyx_redirect_probe(location, request_host)
+  p = ENV['NYX_PROBE_PATH']
+  return if p.nil? || p.empty?
+  rec = {{
+    'sink_callee'    => 'Rack::Response#redirect',
+    'args'           => [
+      {{ 'kind' => 'String', 'value' => location }},
+    ],
+    'captured_at_ns' => Process.clock_gettime(Process::CLOCK_MONOTONIC, :nanosecond),
+    'payload_id'     => ENV['NYX_PAYLOAD_ID'] || '',
+    'kind'           => {{ 'kind' => 'Redirect', 'location' => location, 'request_host' => request_host }},
+    'witness'        => __nyx_witness('Rack::Response#redirect', [location]),
+  }}
+  File.open(p, 'a') {{ |f| f.write(rec.to_json + "\n") }}
+end
+
+payload = ENV['NYX_PAYLOAD'] || ''
+request_host = 'example.com'
+location = payload
+_nyx_redirect_probe(location, request_host)
+STDOUT.puts '__NYX_SINK_HIT__'
+STDOUT.puts JSON.generate({{ 'location' => location, 'request_host' => request_host }})
+STDOUT.flush
+"#
+    );
+    HarnessSource {
+        source: body,
+        filename: "harness.rb".to_owned(),
+        command: vec!["ruby".to_owned(), "harness.rb".to_owned()],
+        extra_files: vec![],
+        entry_subpath: None,
+    }
+}
+
 fn generate_source(spec: &HarnessSpec, shape: RubyShape) -> String {
    let entry_fn = &spec.entry_name;
    let pre_call = build_pre_call(spec);
--- a/src/dynamic/lang/rust.rs
+++ b/src/dynamic/lang/rust.rs
@ -647,6 +647,93 @@ fn main() {{
    }
 }

+/// Phase 09 — Track J.7 open-redirect harness for Rust
+/// (`axum::response::Redirect::to`).
+///
+/// Reads `NYX_PAYLOAD`, calls a synthetic instrumented
+/// `Redirect::to(value)` shim that records the bound `Location:`
+/// value plus the request's origin host via a `ProbeKind::Redirect`
+/// probe.  Std-only — no `Cargo.toml` dependencies beyond the
+/// always-pinned `libc`.
+pub fn emit_open_redirect_harness(_spec: &HarnessSpec) -> HarnessSource {
+    let shim = probe_shim();
+    let cargo_toml = generate_cargo_toml(Cap::OPEN_REDIRECT);
+    let main_rs = format!(
+        r##"//! Nyx dynamic harness — OPEN_REDIRECT Redirect::to (Phase 09 / Track J.7).
+use std::env;
+use std::fs::OpenOptions;
+use std::io::Write;
+use std::time::{{SystemTime, UNIX_EPOCH}};
+
+{shim}
+
+fn nyx_json_escape(s: &str) -> String {{
+    let mut out = String::with_capacity(s.len() + 2);
+    for c in s.chars() {{
+        match c {{
+            '"' => out.push_str("\\\""),
+            '\\' => out.push_str("\\\\"),
+            '\n' => out.push_str("\\n"),
+            '\r' => out.push_str("\\r"),
+            '\t' => out.push_str("\\t"),
+            c if (c as u32) < 0x20 => {{
+                out.push_str(&format!("\\u{{:04x}}", c as u32));
+            }}
+            c => out.push(c),
+        }}
+    }}
+    out
+}}
+
+fn nyx_redirect_probe(location: &str, request_host: &str) {{
+    let p = match env::var("NYX_PROBE_PATH") {{ Ok(s) => s, Err(_) => return }};
+    if p.is_empty() {{ return; }}
+    let now = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_nanos() as u64).unwrap_or(0);
+    let pid = env::var("NYX_PAYLOAD_ID").unwrap_or_default();
+    let mut line = String::new();
+    line.push_str("{{\"sink_callee\":\"Redirect::to\",\"args\":[");
+    line.push_str("{{\"kind\":\"String\",\"value\":\"");
+    line.push_str(&nyx_json_escape(location));
+    line.push_str("\"}}],");
+    line.push_str("\"captured_at_ns\":");
+    line.push_str(&now.to_string());
+    line.push_str(",\"payload_id\":\"");
+    line.push_str(&nyx_json_escape(&pid));
+    line.push_str("\",\"kind\":{{\"kind\":\"Redirect\",\"location\":\"");
+    line.push_str(&nyx_json_escape(location));
+    line.push_str("\",\"request_host\":\"");
+    line.push_str(&nyx_json_escape(request_host));
+    line.push_str("\"}},\"witness\":{{}}}}\n");
+    if let Ok(mut f) = OpenOptions::new().create(true).append(true).open(&p) {{
+        let _ = f.write_all(line.as_bytes());
+    }}
+}}
+
+fn main() {{
+    let payload = env::var("NYX_PAYLOAD").unwrap_or_default();
+    let request_host = "example.com";
+    let location = &payload;
+    nyx_redirect_probe(location, request_host);
+    println!("__NYX_SINK_HIT__");
+    let mut body = String::new();
+    body.push_str("{{\"location\":\"");
+    body.push_str(&nyx_json_escape(location));
+    body.push_str("\",\"request_host\":\"");
+    body.push_str(&nyx_json_escape(request_host));
+    body.push_str("\"}}");
+    println!("{{body}}", body = body);
+}}
+"##
+    );
+    HarnessSource {
+        source: main_rs,
+        filename: "src/main.rs".into(),
+        command: vec!["target/release/nyx_harness".into()],
+        extra_files: vec![("Cargo.toml".into(), cargo_toml)],
+        entry_subpath: Some("src/entry.rs".into()),
+    }
+}
+
 fn read_entry_source(entry_file: &str) -> String {
    let candidates = [PathBuf::from(entry_file), PathBuf::from(".").join(entry_file)];
    for path in &candidates {
@ -667,6 +754,14 @@ pub fn emit(spec: &HarnessSpec) -> Result<HarnessSource, UnsupportedReason> {
        return Ok(emit_header_injection_harness(spec));
    }

+    // Phase 09 (Track J.7): OPEN_REDIRECT-sink short-circuit.  The
+    // Rust harness models an `axum`-style `Redirect::to(value)` shim
+    // that records the bound `Location:` value via a
+    // `ProbeKind::Redirect` probe.
+    if spec.expected_cap == crate::labels::Cap::OPEN_REDIRECT {
+        return Ok(emit_open_redirect_harness(spec));
+    }
+
    let shape = detect_shape(spec);

    // Generic + LibfuzzerTarget accept Param(0)/EnvVar; richer shapes