feat: add ClusterFuzzLite fuzzing configuration

Add comprehensive fuzzing infrastructure:
- cargo-fuzz configuration
- ClusterFuzzLite Docker build
- PR fuzzing workflow (5 min)
- Weekly batch fuzzing (30 min)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

Author: Jonathan D.A. Jewell

.clusterfuzzlite/Dockerfile

@@ -0,0 +1,5 @@
+FROM gcr.io/oss-fuzz-base/base-builder-rust
+RUN apt-get update && apt-get install -y make autoconf automake libtool
+COPY . $SRC/project
+WORKDIR $SRC/project
+COPY .clusterfuzzlite/build.sh $SRC/

.clusterfuzzlite/build.sh

@@ -0,0 +1,5 @@
+#!/bin/bash -eu
+
+cd $SRC/project
+cargo +nightly fuzz build --release
+cp fuzz/target/*/release/fuzz_* $OUT/

.clusterfuzzlite/project.yaml

@@ -0,0 +1,4 @@
+language: rust
+sanitizers:
+  - address
+  - undefined

.github/workflows/cflite_batch.yml

@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: ClusterFuzzLite Batch
+on:
+  schedule:
+    - cron: '0 0 * * 0'
+permissions: read-all
+jobs:
+  BatchFuzzing:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer: [address, undefined]
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
+        with:
+          sanitizer: ${{ matrix.sanitizer }}
+          language: rust
+      - uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fuzz-seconds: 1800
+          sanitizer: ${{ matrix.sanitizer }}
+          mode: batch
+          output-sarif: true
+      - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+        if: always()
+        with:
+          sarif_file: vulnerabilities.sarif

.github/workflows/cflite_pr.yml

@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: PMPL-1.0-or-later
+name: ClusterFuzzLite PR
+on:
+  pull_request:
+    paths:
+      - '**/*.rs'
+permissions: read-all
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer: [address, undefined]
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+      - uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
+        with:
+          sanitizer: ${{ matrix.sanitizer }}
+          language: rust
+      - uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fuzz-seconds: 300
+          sanitizer: ${{ matrix.sanitizer }}
+          mode: code-change
+          output-sarif: true
+      - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3
+        if: always()
+        with:
+          sarif_file: vulnerabilities.sarif

fuzz/Cargo.toml

@@ -0,0 +1,20 @@
+[package]
+name = "fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+
+[dependencies.conative-gating]
+path = ".."
+
+[[bin]]
+name = "fuzz_main"
+path = "fuzz_targets/fuzz_main.rs"
+test = false
+doc = false

fuzz/fuzz_targets/fuzz_main.rs

@@ -0,0 +1,8 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    // TODO: Customize fuzzing logic for this repo
+    // Example: parse input, test functions, etc.
+    let _ = std::str::from_utf8(data);
+});