# fuzz/ — cargo-fuzz harness directory (placeholder) **Status:** placeholder. Not yet a cargo-fuzz project — just the directory. ADR-0007 abolished the first-party SIP parser (the original reason this directory was pre-paved), so the original `sip_parser` / `sdp_parser` fuzz targets are gone from the plan. The hostile-byte surfaces that *do* exist post-0007, and that the harnesses here will eventually target, are: - **Tap protocol frames** (`crates/rutster-tap/src/protocol.rs`) — the WS framing between the core and an external brain. This is hostility surface #1 today: a brain is an untrusted process and its frames cross the FOB boundary. Slice-2 ships this surface without a fuzzer; the harness should land as soon as third-party brains exist (P6 of the 2026-07-03 adversarial review — the protocol should also carry an auth field by then). - **RTP packets at the str0m input** (slice-1's `rtc_session.rs` media ingress) — every byte str0m hands us is potentially hostile before str0m validates it; fuzz at the str0m-RtcSession boundary, not str0m internally. - **Opus decoder inputs** (`crates/rutster-media` codec boundary) — a malicious or malformed RTP payload hits the Opus decoder. Fuzz the decoded-PCM contract (finite-length, sane amplitude range), not the decoder internals. - **Provider media-fork framing** (spearhead step 5, post-ADR-0007) — the rented transport's media-fork delivers bytes that the CPaaS framed; that framing is the post-0007 equivalent of the SIP/SDP parser surface. Lands with step 5. Slice 1 says "the browser is trusted" for the WebRTC ingress, which is correct for the *signaling* surface (str0m validates SDP). But the media plane accepts RTP from any peer that completed ICE, which makes the RTP/Opus surfaces above hostile-by-default regardless of signaling trust. If you're populating this directory, replace it with: - `fuzz/Cargo.toml` — cargo-fuzz manifest. - `fuzz/fuzz_targets/tap_protocol.rs` — fuzz the tap protocol frame decoder. - `fuzz/fuzz_targets/rtp_packet.rs` — fuzz the str0m-RtcSession RTP input. - `fuzz/fuzz_targets/opus_payload.rs` — fuzz the Opus→PCM decoder boundary. - A CI job running a short fuzz burst on each PR. The hot-path "drop + observe, don't crash" policy (ARCHITECTURE.md Media plane; slice-4 spec §3.6) is what the harnesses assert against: throw arbitrary bytes at the surface, assert it returns an error or drops silently — never panics. A dropped packet must not terminate the peer.