security: add cargo-fuzz targets and ClusterFuzzLite config

Fuzz targets:
- fuzz_validation: storage key, Docker name, digest, reference validators
- fuzz_docker_manifest: Docker/OCI manifest media type detection

Infrastructure:
- lib.rs exposing validation module and docker_fuzz for fuzz harnesses
- ClusterFuzzLite project config (libfuzzer + ASan)

fuzz/Cargo.toml

@@ -0,0 +1,22 @@
+[package]
+name = "nora-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+nora-registry = { path = "../nora-registry" }
+
+[[bin]]
+name = "fuzz_validation"
+path = "fuzz_targets/fuzz_validation.rs"
+doc = false
+
+[[bin]]
+name = "fuzz_docker_manifest"
+path = "fuzz_targets/fuzz_docker_manifest.rs"
+doc = false

fuzz/fuzz_targets/fuzz_docker_manifest.rs

@@ -0,0 +1,8 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use nora_registry::docker_fuzz::detect_manifest_media_type;
+
+fuzz_target!(|data: &[u8]| {
+    // Fuzz Docker manifest parser — must never panic on any input
+    let _ = detect_manifest_media_type(data);
+});

fuzz/fuzz_targets/fuzz_validation.rs

@@ -0,0 +1,13 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use nora_registry::validation::{
+    validate_digest, validate_docker_name, validate_docker_reference, validate_storage_key,
+};
+
+fuzz_target!(|data: &str| {
+    // Fuzz all validators — they must never panic on any input
+    let _ = validate_storage_key(data);
+    let _ = validate_docker_name(data);
+    let _ = validate_digest(data);
+    let _ = validate_docker_reference(data);
+});