Add native libFuzzer fuzz harness for Python API, addresses #283

Pivots away from atheris (which lacks Python 3.14 support) to a single
libFuzzer-linked executable that embeds CPython, registers mcrfpy, and
dispatches each iteration to a Python fuzz_one_input(data: bytes) function
loaded from tests/fuzz/fuzz_<target>.py by MCRF_FUZZ_TARGET env var.

libFuzzer instruments the C++ engine code where all #258-#278 bugs live;
Python drives the fuzzing logic via an in-house ByteStream replacement
for atheris.FuzzedDataProvider. Python-level exceptions are caught; only
ASan/UBSan signal real bugs.

CMake
- MCRF_FUZZER=ON builds mcrfpy_fuzz from all src/*.cpp except main.cpp
  plus tests/fuzz/fuzz_common.cpp, linked with -fsanitize=fuzzer,address,
  undefined. Asset+lib post-build copy added so the embedded interpreter
  finds its stdlib and default_font/default_texture load.

Makefile
- fuzz-build builds only mcrfpy_fuzz (fast iterate)
- fuzz loops over six targets setting MCRF_FUZZ_TARGET for each
- fuzz-long TARGET=x SECONDS=n for deep manual runs
- fuzz-repro TARGET=x CRASH=path for crash reproduction
- Shared ASAN_OPTIONS / PYTHONHOME env via FUZZ_ENV define

tests/fuzz
- fuzz_common.cpp: LLVMFuzzerInitialize bootstraps Python, imports target,
  resolves fuzz_one_input. LLVMFuzzerTestOneInput wraps bytes as PyBytes,
  calls target, swallows Python errors.
- fuzz_common.py: ByteStream byte consumer + safe_reset() + EXPECTED_EXCEPTIONS
- Six target stubs (grid_entity, property_types, anim_timer_scene,
  maps_procgen, fov, pathfinding_behavior) to be fleshed out in follow-up
- README with build/run/triage instructions

Verified end-to-end: make fuzz-build produces build-fuzz/mcrfpy_fuzz,
make fuzz FUZZ_SECONDS=3 ran all six targets (~2400-9800 exec/s each,
667-1883 coverage edges), make fuzz-repro loaded and replayed a corpus
input cleanly. No crashes from the stubs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Makefile

@@ -114,12 +114,29 @@ asan-test: asan
 		UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1" \
 		python3 run_tests.py -v --sanitizer
 
-# Fuzzing targets (clang + ASan + libFuzzer + atheris)
+# Fuzzing targets (clang-18 + libFuzzer + ASan + UBSan).
+# Design: ONE instrumented executable `mcrfpy_fuzz` that embeds CPython,
+# registers the mcrfpy module, and dispatches each libFuzzer iteration to
+# a Python `fuzz_one_input(data)` function loaded from the script named by
+# the MCRF_FUZZ_TARGET env var. libFuzzer instruments the C++ engine code
+# where all the #258-#278 bugs live. No atheris dependency.
 FUZZ_TARGETS := grid_entity property_types anim_timer_scene maps_procgen fov pathfinding_behavior
 FUZZ_SECONDS ?= 30
 
+# Shared env for running the fuzz binary. PYTHONHOME points at the build-fuzz
+# copy of the bundled stdlib (post-build copied into build-fuzz/lib/).
+# ASAN_OPTIONS: leak detection disabled because libFuzzer intentionally holds
+# inputs for its corpus; abort_on_error ensures crashes are loud and repro-able.
+define FUZZ_ENV
+MCRF_LIB_DIR=../__lib_debug \
+PYTHONMALLOC=malloc \
+PYTHONHOME=../__lib/Python \
+ASAN_OPTIONS="detect_leaks=0:halt_on_error=1:abort_on_error=1:print_stacktrace=1" \
+UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1"
+endef
+
 fuzz-build:
-	@echo "Building McRogueFace with libFuzzer + ASan (clang-18)..."
+	@echo "Building mcrfpy_fuzz with libFuzzer + ASan (clang-18)..."
 	@mkdir -p build-fuzz
 	@cd build-fuzz && CC=clang-18 CXX=clang++-18 cmake .. \
 		-DCMAKE_BUILD_TYPE=Debug \
@@ -127,11 +144,8 @@ fuzz-build:
 		-DMCRF_SANITIZE_ADDRESS=ON \
 		-DMCRF_SANITIZE_UNDEFINED=ON \
 		-DMCRF_FUZZER=ON \
-		-DCMAKE_EXE_LINKER_FLAGS=-fuse-ld=lld && make -j$(JOBS)
-	@if [ ! -f __lib/Python/Lib/site-packages/atheris/__init__.py ]; then \
-		echo "NOTE: atheris not installed. Run tools/install_atheris.sh"; \
-	fi
-	@echo "Fuzz build complete! Output: build-fuzz/mcrogueface"
+		-DCMAKE_EXE_LINKER_FLAGS=-fuse-ld=lld && make -j$(JOBS) mcrfpy_fuzz
+	@echo "Fuzz build complete! Output: build-fuzz/mcrfpy_fuzz"
 
 fuzz: fuzz-build
 	@for t in $(FUZZ_TARGETS); do \
@@ -141,9 +155,8 @@ fuzz: fuzz-build
 		fi; \
 		echo "=== fuzzing $$t for $(FUZZ_SECONDS)s ==="; \
 		mkdir -p tests/fuzz/corpora/$$t tests/fuzz/crashes; \
-		( cd build-fuzz && MCRF_LIB_DIR=../__lib_debug PYTHONMALLOC=malloc \
-		  ASAN_OPTIONS="detect_leaks=0:halt_on_error=1:abort_on_error=1" \
-		  ./mcrogueface --headless --exec ../tests/fuzz/fuzz_$$t.py -- \
+		( cd build-fuzz && $(FUZZ_ENV) MCRF_FUZZ_TARGET=$$t \
+		  ./mcrfpy_fuzz \
 		    -max_total_time=$(FUZZ_SECONDS) \
 		    -artifact_prefix=../tests/fuzz/crashes/$$t- \
 		    ../tests/fuzz/corpora/$$t ../tests/fuzz/seeds/$$t ) || exit 1; \
@@ -151,10 +164,10 @@ fuzz: fuzz-build
 
 fuzz-long: fuzz-build
 	@test -n "$(TARGET)" || (echo "Usage: make fuzz-long TARGET=<name> SECONDS=<n>"; exit 1)
+	@test -f tests/fuzz/fuzz_$(TARGET).py || (echo "No target: tests/fuzz/fuzz_$(TARGET).py"; exit 1)
 	@mkdir -p tests/fuzz/corpora/$(TARGET) tests/fuzz/crashes
-	@( cd build-fuzz && MCRF_LIB_DIR=../__lib_debug PYTHONMALLOC=malloc \
-	  ASAN_OPTIONS="detect_leaks=0:halt_on_error=1:abort_on_error=1" \
-	  ./mcrogueface --headless --exec ../tests/fuzz/fuzz_$(TARGET).py -- \
+	@( cd build-fuzz && $(FUZZ_ENV) MCRF_FUZZ_TARGET=$(TARGET) \
+	  ./mcrfpy_fuzz \
 	    -max_total_time=$(or $(SECONDS),3600) \
 	    -artifact_prefix=../tests/fuzz/crashes/$(TARGET)- \
 	    ../tests/fuzz/corpora/$(TARGET) ../tests/fuzz/seeds/$(TARGET) )
@@ -162,8 +175,8 @@ fuzz-long: fuzz-build
 fuzz-repro:
 	@test -n "$(TARGET)" || (echo "Usage: make fuzz-repro TARGET=<name> CRASH=<path>"; exit 1)
 	@test -n "$(CRASH)" || (echo "Usage: make fuzz-repro TARGET=<name> CRASH=<path>"; exit 1)
-	@( cd build-fuzz && MCRF_LIB_DIR=../__lib_debug PYTHONMALLOC=malloc \
-	  ./mcrogueface --headless --exec ../tests/fuzz/fuzz_$(TARGET).py -- ../$(CRASH) )
+	@( cd build-fuzz && $(FUZZ_ENV) MCRF_FUZZ_TARGET=$(TARGET) \
+	  ./mcrfpy_fuzz ../$(CRASH) )
 
 clean-fuzz:
 	@echo "Cleaning fuzz build and corpora..."