test(fuzz): add coverage for derive_encrypt and key_derivation parsing

[mmorrissette-devolutions]

Summary

Adds fuzz coverage for three untrusted-byte paths in the derive_encrypt and key_derivation modules that previously had no fuzz target.

The derive_encrypt module was entirely unfuzzed, and DerivationParameters deserialization — another public TryFrom<&[u8]> parser of attacker-controllable bytes — had no coverage.

New targets

Target	Path covered
kdf_encrypted_data_deserialization	KdfEncryptedData::try_from(&[u8])
derivation_parameters_deserialization	DerivationParameters::try_from(&[u8])
decrypt_with_password	encrypt_with_password_and_aad → decrypt_with_password_and_aad round-trip

For decrypt_with_password, the Argon2 parameters are clamped (length/lanes/memory/iterations + small salt, same approach as the existing derive_key_argon2 target) so key derivation stays cheap enough for fuzzing — an unclamped Arbitrary value could request billions of iterations and blow the per-target time budget.

The CI action discovers targets via cargo fuzz list, so no workflow change is needed.

Testing

Built and ran all three targets in WSL (nightly + cargo-fuzz 0.13.1), no crashes:

• kdf_encrypted_data_deserialization — 18.6M runs
• derivation_parameters_deserialization — 19.4M runs
• decrypt_with_password — full KDF round-trip, no timeout

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 29a942193b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "Codex (@codex) review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "Codex (@codex) address that feedback".