Background
Phase 3 of the Sprint B4 re-scoping (split out of closed #246). Submits the project to OSS-Fuzz upstream. Blocked on Phase 2 (B2 #244 + B3 #245 closed, 6 fuzz targets live, ClusterFuzzLite green nightly).
Spec: docs/superpowers/specs/2026-04-30-test-strategy-improvements-design.md, §7.1.
Scope
In-tree oss-fuzz/ scaffolding
Create oss-fuzz/ directory mirroring what the upstream PR will reference:
oss-fuzz/oss-fuzz-build.sh — port of .clusterfuzzlite/build.sh, ensures every fuzz target in fuzz/fuzz_targets/ is built and its seed corpus zipped to $OUT.oss-fuzz/oss-fuzz-Dockerfile.fragment — referenced from the upstream Dockerfile.
Rationale: gives maintainers one place to edit when targets are added/renamed; prevents drift between OSS-Fuzz upstream and this repo.
SECURITY.md update
Add a "Reporting fuzz-discovered crashes" subsection covering:
- OSS-Fuzz crashes go to the
auto_ccs list (randomparity@gmail.com).
- 90-day OSS-Fuzz disclosure clock; how it composes with the existing 90-day fix target in
SECURITY.md.
- That the source of the bug (OSS-Fuzz vs. private report) is unambiguous from the advisory metadata.
Upstream PR to google/oss-fuzz
Create projects/rusty-imap-mcp/ upstream containing:
project.yaml — homepage + main_repo = this repo; auto_ccs: [randomparity@gmail.com]; vendor_ccs: []; language: rust; sanitizers: [address]; fuzzing_engines: [libfuzzer].Dockerfile — FROM gcr.io/oss-fuzz-base/base-builder-rust; clones this repo; sources oss-fuzz/oss-fuzz-Dockerfile.fragment.build.sh — sources oss-fuzz/oss-fuzz-build.sh.
Done criteria (from spec §7.3)
Notes
- ClusterFuzzLite stays in
.github/workflows/fuzz.yml regardless of OSS-Fuzz upstream acceptance — OSS-Fuzz adds the upstream-managed corpus + reviewer pipeline on top, it does not replace CFL.
- Blocked on Phase 2 completion.
Background
Phase 3 of the Sprint B4 re-scoping (split out of closed #246). Submits the project to OSS-Fuzz upstream. Blocked on Phase 2 (B2 #244 + B3 #245 closed, 6 fuzz targets live, ClusterFuzzLite green nightly).
Spec:
docs/superpowers/specs/2026-04-30-test-strategy-improvements-design.md, §7.1.Scope
In-tree
oss-fuzz/scaffoldingCreate
oss-fuzz/directory mirroring what the upstream PR will reference:oss-fuzz/oss-fuzz-build.sh— port of.clusterfuzzlite/build.sh, ensures every fuzz target infuzz/fuzz_targets/is built and its seed corpus zipped to$OUT.oss-fuzz/oss-fuzz-Dockerfile.fragment— referenced from the upstreamDockerfile.Rationale: gives maintainers one place to edit when targets are added/renamed; prevents drift between OSS-Fuzz upstream and this repo.
SECURITY.mdupdateAdd a "Reporting fuzz-discovered crashes" subsection covering:
auto_ccslist (randomparity@gmail.com).SECURITY.md.Upstream PR to
google/oss-fuzzCreate
projects/rusty-imap-mcp/upstream containing:project.yaml—homepage+main_repo= this repo;auto_ccs: [randomparity@gmail.com];vendor_ccs: [];language: rust;sanitizers: [address];fuzzing_engines: [libfuzzer].Dockerfile—FROM gcr.io/oss-fuzz-base/base-builder-rust; clones this repo; sourcesoss-fuzz/oss-fuzz-Dockerfile.fragment.build.sh— sourcesoss-fuzz/oss-fuzz-build.sh.Done criteria (from spec §7.3)
oss-fuzz/oss-fuzz-build.shandoss-fuzz/oss-fuzz-Dockerfile.fragmentcommitted in-treeSECURITY.md"Reporting fuzz-discovered crashes" subsection addedgoogle/oss-fuzzwith all three filesNotes
.github/workflows/fuzz.ymlregardless of OSS-Fuzz upstream acceptance — OSS-Fuzz adds the upstream-managed corpus + reviewer pipeline on top, it does not replace CFL.