fix: sync fuzz targets with actual API

Fuzz targets were written against a different API and never compiled.
Issues fixed:

- ZeroKnowledgeEncryptor::new() returns Result, not Self - unwrap properly
- ByteStorageError is an enum - use matches!() not .contains()
- StorageEnvelope.checksum is [u8; 8] (xxHash3-64), not [u8; 32]
- ByteStorage methods return u64/usize, not f64 for ratios

All 16 fuzz targets now compile and match the actual crate API.

Author: 27Bslash6

fuzz/fuzz_targets/byte_storage_checksum_collision.rs

@@ -1,7 +1,7 @@
 #![no_main]
 
 use libfuzzer_sys::fuzz_target;
-use cachekit_core::byte_storage::StorageEnvelope;
+use cachekit_core::byte_storage::{StorageEnvelope, ByteStorageError};
 use arbitrary::Arbitrary;
 
 #[derive(Arbitrary, Debug)]
@@ -55,34 +55,34 @@ fuzz_target!(|test_case: ChecksumTestCase| {
             // If it succeeded, data must be unchanged (flip reverted or no-op)
             // This is only acceptable if flip_mask was 0 or flipped back to original
         }
-        Err(err_msg) => {
-            // Expected: Checksum validation should fail
+        Err(err) => {
+            // Expected: Checksum validation or decompression should fail
             assert!(
-                err_msg.contains("Checksum validation failed") || err_msg.contains("decompression failed"),
-                "Error should indicate checksum or decompression failure: {}",
-                err_msg
+                matches!(err, ByteStorageError::ChecksumMismatch | ByteStorageError::DecompressionFailed),
+                "Error should be checksum or decompression failure: {:?}",
+                err
             );
         }
     }
 
-    // Test with completely wrong checksum
+    // Test with completely wrong checksum (xxHash3-64 = 8 bytes)
     let wrong_checksum_envelope = StorageEnvelope {
         compressed_data: envelope.compressed_data.clone(),
-        checksum: [0xFF; 32], // Wrong checksum
+        checksum: [0xFF; 8], // Wrong checksum
         original_size: envelope.original_size,
         format: envelope.format.clone(),
     };
 
     // Should be rejected unless original checksum happened to be all 0xFF
     match wrong_checksum_envelope.extract() {
         Ok(_) => {
-            // Only acceptable if original checksum was [0xFF; 32]
+            // Only acceptable if original checksum was [0xFF; 8]
         }
-        Err(err_msg) => {
+        Err(err) => {
             assert!(
-                err_msg.contains("Checksum") || err_msg.contains("failed"),
-                "Wrong checksum should be detected: {}",
-                err_msg
+                matches!(err, ByteStorageError::ChecksumMismatch | ByteStorageError::DecompressionFailed),
+                "Wrong checksum should be detected: {:?}",
+                err
             );
         }
     }

fuzz/fuzz_targets/byte_storage_empty_data.rs

@@ -10,8 +10,8 @@ struct EmptyDataTestCase {
     original_size: u32,
     /// Compressed data length (can be 0)
     compressed_len: u8, // 0-255
-    /// Checksum
-    checksum: [u8; 32],
+    /// Checksum (xxHash3-64 = 8 bytes)
+    checksum: [u8; 8],
 }
 
 fuzz_target!(|test_case: EmptyDataTestCase| {

fuzz/fuzz_targets/byte_storage_integer_overflow.rs

@@ -1,7 +1,7 @@
 #![no_main]
 
 use libfuzzer_sys::fuzz_target;
-use cachekit_core::byte_storage::StorageEnvelope;
+use cachekit_core::byte_storage::{StorageEnvelope, ByteStorageError};
 use arbitrary::Arbitrary;
 
 #[derive(Arbitrary, Debug)]
@@ -10,8 +10,8 @@ struct OverflowTestCase {
     original_size: u32,
     /// Compressed data size (small to create suspicious ratios)
     compressed_data_len: u8, // 0-255 bytes
-    /// Checksum bytes
-    checksum: [u8; 32],
+    /// Checksum bytes (xxHash3-64 = 8 bytes)
+    checksum: [u8; 8],
     /// Format string
     format_len: u8, // 0-255 for format string length
 }
@@ -40,13 +40,20 @@ fuzz_target!(|test_case: OverflowTestCase| {
             // Decompression succeeded - envelope passed all validation checks
             // This should only happen for valid sizes within limits
         }
-        Err(err_msg) => {
+        Err(err) => {
             // Expected for oversized allocations (u32::MAX, beyond 512MB, etc.)
-            // Verify error message is descriptive
+            // Valid error types for size/validation failures
             assert!(
-                err_msg.contains("Security violation") || err_msg.contains("failed"),
-                "Error message should be descriptive: {}",
-                err_msg
+                matches!(
+                    err,
+                    ByteStorageError::InputTooLarge
+                        | ByteStorageError::DecompressionBomb
+                        | ByteStorageError::DecompressionFailed
+                        | ByteStorageError::ChecksumMismatch
+                        | ByteStorageError::SizeValidationFailed
+                ),
+                "Expected size/validation error, got: {:?}",
+                err
             );
         }
     }

fuzz/fuzz_targets/compression_bomb.rs

@@ -1,7 +1,7 @@
 #![no_main]
 
 use libfuzzer_sys::fuzz_target;
-use cachekit_core::byte_storage::{ByteStorage, StorageEnvelope};
+use cachekit_core::byte_storage::{ByteStorage, ByteStorageError, StorageEnvelope};
 use arbitrary::Arbitrary;
 
 #[derive(Arbitrary, Debug)]
@@ -10,8 +10,8 @@ struct CompressionBombTestCase {
     compressed_size: u16, // 0-65535 bytes
     /// Original size claim (potentially massive for bomb attacks)
     original_size: u32,
-    /// Checksum
-    checksum: [u8; 32],
+    /// Checksum (xxHash3-64 = 8 bytes)
+    checksum: [u8; 8],
     /// Format string length
     format_len: u8,
     /// Actual compressed data pattern (for LZ4 valid/invalid inputs)
@@ -57,37 +57,44 @@ fuzz_target!(|test_case: CompressionBombTestCase| {
             );
         }
         Err(err) => {
-            // Expected for malicious inputs - verify error is descriptive
+            // Expected for malicious inputs - verify error type
             if test_case.original_size as usize > storage.max_uncompressed_size() {
                 assert!(
-                    err.contains("Security violation") || err.contains("too large"),
-                    "Expected size limit error, got: {}",
+                    matches!(
+                        err,
+                        ByteStorageError::InputTooLarge
+                            | ByteStorageError::DecompressionBomb
+                            | ByteStorageError::DecompressionFailed
+                    ),
+                    "Expected size limit error, got: {:?}",
                     err
                 );
             }
         }
     }
 
-    // Property 3: Compression ratio limits enforced (500x max expansion)
+    // Property 3: Compression ratio limits enforced (1000x max expansion)
     if !compressed_data.is_empty() && test_case.original_size > 0 {
-        let claimed_ratio = test_case.original_size as f64 / compressed_data.len() as f64;
+        let claimed_ratio = test_case.original_size as u64 / compressed_data.len() as u64;
 
         if claimed_ratio > storage.max_compression_ratio() {
             // Must reject suspicious ratios (or size limits caught it first)
             assert!(
                 extract_result.is_err(),
-                "Decompression bomb bypassed ratio limit: {:.1}x expansion (1KB -> {}MB)",
-                claimed_ratio,
-                test_case.original_size / (1024 * 1024)
+                "Decompression bomb bypassed ratio limit: {}x expansion",
+                claimed_ratio
             );
 
             if let Err(err) = &extract_result {
                 // Security checks may fail in different order (size limit or ratio limit)
                 assert!(
-                    err.contains("Suspicious compression ratio")
-                        || err.contains("decompression bomb")
-                        || err.contains("too large"), // Size limit caught it first
-                    "Expected security violation error, got: {}",
+                    matches!(
+                        err,
+                        ByteStorageError::DecompressionBomb
+                            | ByteStorageError::InputTooLarge
+                            | ByteStorageError::DecompressionFailed
+                    ),
+                    "Expected security violation error, got: {:?}",
                     err
                 );
             }
@@ -110,10 +117,10 @@ fuzz_target!(|test_case: CompressionBombTestCase| {
 
                 // Ratio must be within limits (for non-empty compressed data)
                 if !compressed_data.is_empty() {
-                    let actual_ratio = decompressed.len() as f64 / compressed_data.len() as f64;
+                    let actual_ratio = decompressed.len() as u64 / compressed_data.len() as u64;
                     assert!(
                         actual_ratio <= storage.max_compression_ratio(),
-                        "retrieve() bypassed ratio limit: {:.1}x",
+                        "retrieve() bypassed ratio limit: {}x",
                         actual_ratio
                     );
                 }
@@ -130,7 +137,7 @@ fuzz_target!(|test_case: CompressionBombTestCase| {
     // Defense-in-depth: Size limits prevent 1KB -> 10GB attacks
 
     // SUCCESS: All compression bomb attack vectors blocked
-    // - Extreme ratios rejected (500x limit)
+    // - Extreme ratios rejected (1000x limit)
     // - Oversized outputs rejected (512MB limit)
     // - Malformed LZ4 data handled gracefully
     // - No panics, crashes, or memory exhaustion

fuzz/fuzz_targets/encryption_aad_injection.rs

@@ -19,7 +19,10 @@ fuzz_target!(|data: &[u8]| {
 
     let (plaintext, aad) = rest.split_at(rest.len() / 2);
 
-    let encryptor = ZeroKnowledgeEncryptor::new();
+    let encryptor = match ZeroKnowledgeEncryptor::new() {
+        Ok(e) => e,
+        Err(_) => return, // Skip if encryptor creation fails
+    };
 
     // Encrypt with potentially malicious AAD
     // AAD can contain: nulls, control chars, Unicode, empty, long strings

fuzz/fuzz_targets/encryption_large_payload.rs

@@ -20,7 +20,10 @@ fuzz_target!(|data: &[u8]| {
     let (key, plaintext) = data.split_at(32);
     let aad = b"large_payload_test";
 
-    let encryptor = ZeroKnowledgeEncryptor::new();
+    let encryptor = match ZeroKnowledgeEncryptor::new() {
+        Ok(e) => e,
+        Err(_) => return, // Skip if encryptor creation fails
+    };
 
     // Test encryption → decryption roundtrip
     let start = std::time::Instant::now();

fuzz/fuzz_targets/encryption_nonce_reuse.rs

@@ -21,7 +21,10 @@ fuzz_target!(|data: &[u8]| {
     let (key, plaintext) = data.split_at(32);
     let aad = b"fuzz_test_aad";
 
-    let encryptor = ZeroKnowledgeEncryptor::new();
+    let encryptor = match ZeroKnowledgeEncryptor::new() {
+        Ok(e) => e,
+        Err(_) => return, // Skip if encryptor creation fails
+    };
 
     // Encrypt same plaintext multiple times
     let mut ciphertexts = HashSet::new();

fuzz/fuzz_targets/encryption_roundtrip.rs

@@ -10,24 +10,25 @@ fuzz_target!(|data: &[u8]| {
     }
 
     // Create encryptor
-    let encryptor = ZeroKnowledgeEncryptor::new();
+    let encryptor = match ZeroKnowledgeEncryptor::new() {
+        Ok(e) => e,
+        Err(_) => return, // Skip if encryptor creation fails
+    };
 
     // Generate deterministic key and AAD from input
     // (In real usage, keys come from key derivation)
-    let key = if data.len() >= 32 {
+    let key: &[u8] = if data.len() >= 32 {
         &data[0..32]
     } else {
         // Pad with zeros if input too short
-        let mut padded = [0u8; 32];
-        padded[..data.len()].copy_from_slice(data);
-        return; // Skip fuzzing with padded keys - focus on real data
+        return; // Skip fuzzing with short keys - focus on real data
     };
 
     let aad = b"fuzz_test_aad";
     let plaintext = if data.len() > 32 {
         &data[32..]
     } else {
-        b"test_plaintext"
+        b"test_plaintext" as &[u8]
     };
 
     // Test encryption (should not panic on any input)

fuzz/fuzz_targets/encryption_truncated_ciphertext.rs

@@ -15,7 +15,10 @@ fuzz_target!(|data: &[u8]| {
     let (key, plaintext) = data.split_at(32);
     let aad = b"test_aad";
 
-    let encryptor = ZeroKnowledgeEncryptor::new();
+    let encryptor = match ZeroKnowledgeEncryptor::new() {
+        Ok(e) => e,
+        Err(_) => return, // Skip if encryptor creation fails
+    };
 
     // Create valid ciphertext
     let ciphertext = match encryptor.encrypt_aes_gcm(plaintext, key, aad) {

fuzz/fuzz_targets/integration_layered_security.rs

@@ -21,7 +21,10 @@ fuzz_target!(|data: &[u8]| {
     }
 
     let aad = b"layered_test";
-    let encryptor = ZeroKnowledgeEncryptor::new();
+    let encryptor = match ZeroKnowledgeEncryptor::new() {
+        Ok(e) => e,
+        Err(_) => return, // Skip if encryptor creation fails
+    };
 
     // Step 1: Create ByteStorage envelope (compression + checksum)
     let envelope = match StorageEnvelope::new(plaintext.to_vec(), "msgpack".to_string()) {