feat(rust): make PyO3 optional to fix Python 3.14 fuzz linking

- Make pyo3 dependency optional behind 'python' feature flag
- Add rlib crate-type to support both cdylib (Python) and rlib (fuzzing)
- Gate all Python-specific code with #[cfg(feature = "python")]
- Make pure Rust functions (escape_xml, wrap_cdata, etc.) public for fuzzing
- Add comprehensive unit tests for XML utility functions

Fixes linker error with Python 3.14 where PyUnicode_DATA and
PyUnicode_KIND symbols are now inline macros, not exported functions.
Fuzz targets can now build without linking against Python.

Amp-Thread-ID: https://ampcode.com/threads/T-019c0425-ac62-76d8-9d59-4d6aba3edf45
Co-authored-by: Amp <[email protected]>

Author: vinitkumar

rust/Cargo.toml

@@ -7,10 +7,14 @@ license = "Apache-2.0"
 
 [lib]
 name = "json2xml_rs"
-crate-type = ["cdylib"]
+crate-type = ["cdylib", "rlib"]
+
+[features]
+default = ["python"]
+python = ["pyo3/extension-module", "dep:pyo3"]
 
 [dependencies]
-pyo3 = { version = "0.27", features = ["extension-module"] }
+pyo3 = { version = "0.27", optional = true }
 
 [profile.release]
 lto = true

rust/fuzz/Cargo.toml

@@ -0,0 +1,51 @@
+[package]
+name = "json2xml_rs-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[dependencies]
+libfuzzer-sys = "0.4"
+arbitrary = { version = "1", features = ["derive"] }
+
+[dependencies.json2xml_rs]
+path = ".."
+default-features = false
+
+[[bin]]
+name = "fuzz_escape_xml"
+path = "fuzz_targets/fuzz_escape_xml.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "fuzz_wrap_cdata"
+path = "fuzz_targets/fuzz_wrap_cdata.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "fuzz_is_valid_xml_name"
+path = "fuzz_targets/fuzz_is_valid_xml_name.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "fuzz_make_valid_xml_name"
+path = "fuzz_targets/fuzz_make_valid_xml_name.rs"
+test = false
+doc = false
+bench = false
+
+[[bin]]
+name = "fuzz_make_attr_string"
+path = "fuzz_targets/fuzz_make_attr_string.rs"
+test = false
+doc = false
+bench = false

rust/fuzz/corpus/fuzz_escape_xml/71853c6197a6a7f222db0f1978c7cb232b87c5ee

@@ -0,0 +1,2 @@
+
+

rust/fuzz/corpus/fuzz_escape_xml/a70fb6a9415d3c34a9ea5510ba7e3a055d88aef9

@@ -0,0 +1 @@
+�

rust/fuzz/fuzz_targets/fuzz_escape_xml.rs

@@ -0,0 +1,23 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use json2xml_rs::escape_xml;
+
+fuzz_target!(|data: &str| {
+    let result = escape_xml(data);
+    
+    // Verify invariants:
+    // 1. Result should not contain unescaped special chars
+    assert!(!result.contains('&') || result.contains("&") || result.contains(""") 
+            || result.contains("'") || result.contains("<") || result.contains(">"));
+    
+    // 2. Result should be valid (no panics occurred)
+    // 3. If input had no special chars, output equals input
+    if !data.contains('&') && !data.contains('"') && !data.contains('\'') 
+       && !data.contains('<') && !data.contains('>') {
+        assert_eq!(result, data);
+    }
+    
+    // 4. Output length should be >= input length (escaping only adds chars)
+    assert!(result.len() >= data.len());
+});

rust/fuzz/fuzz_targets/fuzz_is_valid_xml_name.rs

@@ -0,0 +1,33 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use json2xml_rs::is_valid_xml_name;
+
+fuzz_target!(|data: &str| {
+    let result = is_valid_xml_name(data);
+    
+    // Verify invariants:
+    // 1. Empty string is always invalid
+    if data.is_empty() {
+        assert!(!result);
+    }
+    
+    // 2. String starting with digit is invalid
+    if let Some(first) = data.chars().next() {
+        if first.is_ascii_digit() {
+            assert!(!result);
+        }
+    }
+    
+    // 3. String starting with "xml" (case-insensitive) is invalid
+    if data.to_lowercase().starts_with("xml") {
+        assert!(!result);
+    }
+    
+    // 4. String containing spaces is invalid
+    if data.contains(' ') {
+        assert!(!result);
+    }
+    
+    // 5. Function should never panic - reaching here means it didn't
+});

rust/fuzz/fuzz_targets/fuzz_make_attr_string.rs

@@ -0,0 +1,35 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use arbitrary::Arbitrary;
+use json2xml_rs::make_attr_string;
+
+#[derive(Arbitrary, Debug)]
+struct AttrInput {
+    attrs: Vec<(String, String)>,
+}
+
+fuzz_target!(|input: AttrInput| {
+    let result = make_attr_string(&input.attrs);
+    
+    // Verify invariants:
+    // 1. Empty attrs should produce empty string
+    if input.attrs.is_empty() {
+        assert!(result.is_empty());
+        return;
+    }
+    
+    // 2. Result should start with space (for XML formatting)
+    assert!(result.starts_with(' '), "Attribute string should start with space");
+    
+    // 3. Each attribute should produce key="value" format
+    for (key, _value) in &input.attrs {
+        // Key should appear in the result
+        assert!(result.contains(key), "Key '{}' should appear in result", key);
+    }
+    
+    // 4. Values should be escaped (no raw & < > " ' in values)
+    //    The make_attr_string calls escape_xml on values
+    
+    // 5. Function should never panic - reaching here means it didn't
+});

rust/fuzz/fuzz_targets/fuzz_make_valid_xml_name.rs

@@ -0,0 +1,30 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use json2xml_rs::make_valid_xml_name;
+
+fuzz_target!(|data: &str| {
+    let (name, attr) = make_valid_xml_name(data);
+    
+    // Verify invariants:
+    // 1. The returned name must be a valid XML name OR be "key" with an attribute
+    if name != "key" {
+        // If we didn't fall back to "key", the name should be valid
+        // (though it might have been transformed)
+        assert!(!name.is_empty(), "Name should not be empty");
+    }
+    
+    // 2. If attr is Some, name should be "key"
+    if attr.is_some() {
+        assert_eq!(name, "key", "Fallback name should be 'key'");
+        let (attr_name, _attr_value) = attr.unwrap();
+        assert_eq!(attr_name, "name", "Attribute key should be 'name'");
+    }
+    
+    // 3. Purely numeric input should get 'n' prefix
+    if !data.is_empty() && data.chars().all(|c| c.is_ascii_digit()) {
+        assert!(name.starts_with('n'), "Numeric keys should get 'n' prefix");
+    }
+    
+    // 4. Function should never panic - reaching here means it didn't
+});

rust/fuzz/fuzz_targets/fuzz_wrap_cdata.rs

@@ -0,0 +1,21 @@
+#![no_main]
+
+use libfuzzer_sys::fuzz_target;
+use json2xml_rs::wrap_cdata;
+
+fuzz_target!(|data: &str| {
+    let result = wrap_cdata(data);
+    
+    // Verify invariants:
+    // 1. Result must start with CDATA opening
+    assert!(result.starts_with("<![CDATA["));
+    
+    // 2. Result must end with CDATA closing
+    assert!(result.ends_with("]]>"));
+    
+    // 3. The ]]> sequence in input must be properly escaped
+    //    (split into ]]]]><![CDATA[>)
+    
+    // 4. Result should be longer than or equal to input + CDATA wrapper (12 chars)
+    assert!(result.len() >= data.len() + 12);
+});