#![no_main]
use libfuzzer_sys::fuzz_target;
use soliton::streaming::stream_decrypt_init;

const FUZZ_KEY: [u8; 32] = [0x42; 32];

fuzz_target!(|data: &[u8]| {
    // Fuzz the random-access decrypt path (decrypt_chunk_at) with adversarial
    // (index, chunk) pairs. Exercises index-derived nonce/AAD construction,
    // tag-byte validation, and framing guards through the random-access API
    // which skips the sequential state guards (next_index, finalized).
    if data.len() < 26 + 8 {
        return;
    }
    let header: [u8; 26] = data[..26].try_into().unwrap();
    let rest = &data[26..];

    let dec = match stream_decrypt_init(&FUZZ_KEY, &header, b"fuzz-at-aad") {
        Ok(d) => d,
        Err(_) => return,
    };

    // Each iteration: consume 8 bytes as u64 index, then up to 2048 bytes as chunk.
    let mut cursor = 0;
    while cursor + 8 < rest.len() {
        let index = u64::from_be_bytes(rest[cursor..cursor + 8].try_into().unwrap());
        cursor += 8;
        let chunk_end = (cursor + 2048).min(rest.len());
        let chunk_data = &rest[cursor..chunk_end];
        cursor = chunk_end;

        let _ = dec.decrypt_chunk_at(index, chunk_data);
    }
});