ci: integrate with OSS-Fuzz for continuous distributed fuzzing #156

@membphis

Description

Background

qjson currently runs timed fuzzing weekly (60 seconds per target), which is sufficient for corpus regression but insufficient for discovering deep bugs. OSS-Fuzz provides free continuous distributed fuzzing for open-source projects, running thousands of CPU hours daily.

Production JSON parsers like simdjson and serde_json have found multiple security-relevant bugs through OSS-Fuzz that short local fuzzing runs are unlikely to reach.

Goal

Integrate qjson with Google's OSS-Fuzz for continuous, large-scale fuzz testing.

Why OSS-Fuzz

Aspect          Current (local timed fuzz)    OSS-Fuzz
Runtime         60s/target, weekly            Continuous, thousands of CPU-hours/day
Hardware        1 GitHub runner               Google distributed cluster
Coverage depth  Shallow exploration           Deep path discovery
Corpus          Manual maintenance            Auto-accumulated, cross-version
Cost            Free                          Free (Google-sponsored)

Scope

Integration Steps

  1. Create projects/qjson/ in the google/oss-fuzz repository
  2. Write the Dockerfile (selects the builder image and checks out qjson) and the build.sh that compiles the fuzz targets into $OUT
  3. Write project.yaml with project metadata (language, main repo, contacts, fuzzing engines, sanitizers)
  4. Adapt the existing fuzz targets (fuzz_parse_eager, fuzz_parse_lazy, fuzz_depth, fuzz_ffi_ops) so they build unchanged inside the OSS-Fuzz builder image
  5. Submit a PR to google/oss-fuzz and await approval (typically 1-2 weeks)
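
The scaffold below is an added example, not code from this issue or from the qjson project. It writes the three files a projects/qjson/ entry needs (project.yaml, Dockerfile, build.sh) and adds a local check that all four targets named above ended up in $OUT. It assumes qjson is a Rust crate whose targets are cargo-fuzz targets under fuzz/ (suggested by the target names, not stated in the issue), and the repository URL and contact address are placeholders to replace.

```shell
#!/bin/sh
# Added example: scaffolds projects/qjson/ for a google/oss-fuzz PR.
# Assumptions not stated in the issue: qjson is a Rust crate with cargo-fuzz
# targets under fuzz/, its repository is QJSON_REPO, and QJSON_CONTACT is a placeholder.
set -eu

QJSON_REPO="https://github.com/api7/qjson"     # assumed; use the real main_repo
QJSON_CONTACT="maintainer@example.com"          # placeholder; must be a Google-account address
QJSON_TARGETS="fuzz_parse_eager fuzz_parse_lazy fuzz_depth fuzz_ffi_ops"  # the four targets in the issue

# Write project.yaml, Dockerfile and build.sh under "$1/projects/qjson".
scaffold_oss_fuzz_project() {
    dir="$1/projects/qjson"
    mkdir -p "$dir"

    # project.yaml: metadata ClusterFuzz uses to schedule jobs and route bug reports.
    cat > "$dir/project.yaml" <<EOF
homepage: "$QJSON_REPO"
language: rust
primary_contact: "$QJSON_CONTACT"
main_repo: "$QJSON_REPO"
fuzzing_engines:
  - libfuzzer
sanitizers:
  - address
EOF

    # Dockerfile: the Rust builder image plus a shallow checkout of the source.
    # SRC is defined by the base image, so it is written unexpanded (\$SRC).
    cat > "$dir/Dockerfile" <<EOF
FROM gcr.io/oss-fuzz-base/base-builder-rust
RUN git clone --depth 1 $QJSON_REPO qjson
WORKDIR qjson
COPY build.sh \$SRC/
EOF

    # build.sh: runs inside the builder image; OSS-Fuzz provides SRC and OUT there.
    cat > "$dir/build.sh" <<EOF
#!/bin/bash -eu
cd "\$SRC/qjson"
# Optimised build with debug assertions kept, so overflow and bounds checks still fire.
cargo fuzz build -O --debug-assertions
for target in $QJSON_TARGETS; do
    cp "fuzz/target/x86_64-unknown-linux-gnu/release/\$target" "\$OUT/"
done
EOF
    chmod +x "$dir/build.sh"
}

# Local check that every target named in the issue is present and executable in
# the given output directory (infra/helper.py check_build verifies this more
# thoroughly). Returns 1 if any target is missing.
verify_targets_built() {
    out="$1"
    missing=0
    for target in $QJSON_TARGETS; do
        [ -x "$out/$target" ] || { echo "missing fuzz target: $target" >&2; missing=1; }
    done
    return $missing
}

# Usage: sh scaffold_qjson_oss_fuzz.sh /path/to/oss-fuzz-checkout
if [ $# -gt 0 ]; then
    scaffold_oss_fuzz_project "$1"
    echo "wrote $1/projects/qjson/{project.yaml,Dockerfile,build.sh}"
fi
```

Before opening the PR, reproduce the build ClusterFuzz will run from the oss-fuzz checkout: `python infra/helper.py build_image qjson`, then `python infra/helper.py build_fuzzers qjson` and `python infra/helper.py check_build qjson`; `python infra/helper.py run_fuzzer qjson fuzz_parse_eager` runs a single target locally under the same image.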

Requirements for Acceptance

  • Open-source with OSI-approved license (Apache-2.0 ✓)
  • Active maintenance ✓
  • Real user base (API7/APISIX ecosystem ✓)
  • Commitment to fix reported vulnerabilities within the 90-day disclosure deadline (OSS-Fuzz bug reports become public 90 days after they are filed, or 30 days after a fix lands, whichever comes first)

Acceptance Criteria

  • PR submitted to google/oss-fuzz repository
  • All 4 existing fuzz targets integrated
  • Project approved and running on OSS-Fuzz infrastructure
  • ClusterFuzz dashboard accessible to maintainers
  • First fuzzing run completes successfully

Metadata

Labels: enhancement (New feature or request)