Add fuzzing support: no-default-features parsing path, pub validators, decrypt/parse split

[stormer78]

We're adding continuous coverage-guided fuzzing (cargo-fuzz) and openvtc-core has lots of
good parse surfaces (config, credentials, message types). A few changes make them cleanly
fuzzable:

1. A parsing-only build that drops hardware/network deps

We build the fuzz targets with --no-default-features to avoid the openpgp-card / PCSC
hardware stack. Please make sure openvtc-core compiles and the parse/validate functions
are reachable with --no-default-features (i.e. the serde models, MessageType,
CredentialKind, DID validation don't transitively require the default hardware/network
features). A dedicated parsing feature that gates exactly the pure surfaces would be ideal.

2. Keep the validators/classifiers pub

We depend on these being public:

• openvtc_core::MessageType: TryFrom<&str>
• openvtc_core::CredentialKind::from_credential(serde_json::Value)
• openvtc_core::config::PublicConfig (Deserialize)
• openvtc_core::messaging::validate_did(&str) — currently may be private; please export
  it (or a small pub validation surface). Our validate_did harness is the only one that
  may fail to build today.

3. Split decrypt from parse for the secured/protected configs

SecuredConfig/ProtectedConfig loading is keyring-decrypt + serde in one step. Please expose
the post-decrypt parse(&[u8]) separately so we can fuzz the deserialization of decrypted
plaintext without needing a keyring or real keys.

4. verify_vrc_proof without a live TDK

messaging::verify_vrc_proof needs a TDK/credential context. A way to verify a VRC against an
injected verifying key (no network, no live TDK) would let us fuzz the proof verifier directly.

5. (Nice to have) #[derive(Arbitrary)] on the config/credential structs + an in-repo fuzz/ workspace.

We have harnesses ready for items reachable today (config parse, message-type, credential-kind)
and will contribute the rest as the hooks land. cargo-fuzz needs nightly; we override the
stable pin for fuzz builds only.

[stormer78]

Reviewed against the current openvtc-core surface. Summary: several asks are already satisfied; items 3 & 4 are small, worthwhile seams; one bit of item 1 framing is off. I'll send a PR for the self-contained wins (2 re-export, 3, 4).

1. --no-default-features parsing build — partly already true

• The only default feature is openpgp-card (hardware/PCSC, all optional). --no-default-features drops exactly that, and the crate already compiles --no-default-features (it's in the CI gate). So the parse/validate fns are reachable today.
• Correction: it does not drop network deps — vta-sdk / affinidi-tdk / affinidi-messaging-* / reqwest are non-optional, so they still compile (just go uncalled — fine for fuzzing parse).
• A dedicated parsing feature "gating exactly the pure surfaces" is a large refactor (making vta-sdk/tdk optional + cfg-gating much of the crate), not a small gate. Suggest we hold on it unless network compile time is the actual blocker.

2. Keep validators pub — essentially already done

• MessageType: TryFrom<&str> ✓ pub. CredentialKind::from_credential ✓ pub (note: takes &serde_json::Value by ref, not by value). PublicConfig ✓ pub + Deserialize.
• messaging::validate_did(&str) is already pub today — the one you flagged as "may be private" isn't.
• Only net change: PublicConfig is at config::public_config::PublicConfig, not config::PublicConfig. I'll add a re-export so your path works.

3. Split decrypt from parse — valid, doing it

ProtectedConfig::load and SecuredConfig's load couple decrypt + serde_json::from_slice. I'll add a standalone parse(&[u8]) (plaintext → serde) that load calls after decrypt, so you can fuzz the deserialization without a keyring.

4. verify_vrc_proof without a live TDK — valid, doing it

Today it ends in tdk.verify_data(...) (TDK resolves the issuer VM + verifies). dtg_credentials::DTGCredential already exposes verify_proof_with_public_key, so I'll add a verify_vrc_proof_with_key(vrc, <verifying key>) that does the issuer/VM-binding checks + key-based verify (no network); the TDK version delegates to it after resolving.

5. #[derive(Arbitrary)] + in-repo fuzz/ — additive, yours to land

Happy to feature-gate Arbitrary on the config/credential structs if useful. Suggest keeping fuzz/ out of the default workspace members (nightly-only) and ensuring cargo deny covers/excludes libfuzzer-sys/arbitrary. Since you have the harnesses, I'll land the hooks (2–4) and leave the fuzz workspace to your contribution.

[stormer78]

PR #125 implements items 2–4: the PublicConfig re-export, ProtectedConfig::parse/SecuredConfig::parse (decrypt/parse split), and verify_vrc_proof_with_key (issuer-key-injected, no TDK) — all with tests, no dep change. validate_did etc. were already pub. Items 1 (parsing feature) and 5 (fuzz/ workspace + #[derive(Arbitrary)]) are left as discussed — ping me if you want the Arbitrary derives feature-gated.

[stormer78]

Reviewed PR #125 against main — items 2, 3, 4 are exactly what the harnesses need, thanks:

• 2 ✓ PublicConfig re-exported at config::PublicConfig; MessageType: TryFrom<&str>, CredentialKind::from_credential(&Value), messaging::validate_did confirmed pub.
• 3 ✓ ProtectedConfig::parse(&[u8]) / SecuredConfig::parse(&[u8]) give us the keyring-free deserialization seam — harnesses added on our side.
• 4 ✓ verify_vrc_proof_with_key(vrc, &key) lets us fuzz proof verification with no live TDK.

Item 1 (dedicated parsing feature): agreed, not worth it. --no-default-features already compiles and reaches every parse/validate fn; the non-optional vta-sdk/tdk/reqwest deps just sit uncalled, which is fine for fuzzing. No refactor needed — please leave as-is.

Item 5: yes please — the feature-gated #[derive(Arbitrary)] on the config/credential structs would be valuable for structure-aware fuzzing. The fuzz/ workspace stays our contribution. Once the Arbitrary derives land we'll wire the structure-aware targets and this can close.

One small follow-up from our end: a verify_vrc_proof_with_key harness needs a constructed VRC + keypair, so that target comes after the Arbitrary work rather than now.

[stormer78]

Final hook landed in #126: a feature-gated #[derive(Arbitrary)] on the self-contained parse surfaces — PublicConfig (+ ConfigProtectionType/Logs/LogMessage/LogFamily), MessageType, CredentialKind — behind a new off-by-default arbitrary feature (arbitrary = ["dep:arbitrary", "chrono/arbitrary"]). No change to the default or --no-default-features dep graph; cargo deny clean. CI now also builds the exact fuzz shape (--no-default-features --features arbitrary) and runs an Unstructured→PublicConfig→serde round-trip seam test so it can't bitrot.

ProtectedConfig is left out by design — it cascades into foreign VRC/credential types that don't implement Arbitrary, consistent with the VRC harness landing after the derives.

Status of all five asks:

• 1 (parsing feature) — closed as agreed; --no-default-features already reaches every parse/validate fn, no refactor.
• 2 (pub validators + PublicConfig re-export) — done, feat(core): fuzzing hooks — config re-export, decrypt/parse split, key-injected VRC verify (#124) #125.
• 3 (decrypt/parse split) — done, feat(core): fuzzing hooks — config re-export, decrypt/parse split, key-injected VRC verify (#124) #125.
• 4 (verify_vrc_proof_with_key) — done, feat(core): fuzzing hooks — config re-export, decrypt/parse split, key-injected VRC verify (#124) #125.
• 5 (Arbitrary derives) — done, feat(core): feature-gated Arbitrary derives on parse-surface types (#124) #126. The fuzz/ workspace + structure-aware targets remain the fuzz team's contribution to wire on top.

Closing — the openvtc-core seams are all in place. Reopen or file a follow-up if the structure-aware targets surface a struct that still needs a derive.