ClusterFuzzLite: add custom containers for Python and JavaScript fuzzing #459

@WilliamBerryiii

Summary

Follow-up to #150 / #453. PR #453 delivered Option A (Rust-only ClusterFuzzLite integration) using the project's existing cargo fuzz targets. This issue tracks the deferred scope: extending ClusterFuzzLite coverage to Python and JavaScript workloads in this repo.

Background

PR #453 added:

  • .clusterfuzzlite/Dockerfile — Rust-focused build environment
  • .clusterfuzzlite/build.sh — copies cargo fuzz artifacts to $OUT
  • .github/workflows/fuzz-pr.yml — PR-gated short fuzz runs

Python and JavaScript fuzzing was deferred to keep PR #453 reviewable and to avoid blocking on harness authoring for languages without existing fuzz targets in-tree.

Proposed Scope

Mirror the Rust .clusterfuzzlite/ pattern per language:

Python

  • Custom Dockerfile based on gcr.io/oss-fuzz-base/base-builder-python
  • build.sh invoking Atheris harness compilation
  • At least one sample Atheris fuzz target covering a representative pure-Python module under scripts/ or equivalent
  • Workflow wiring (extend fuzz-pr.yml matrix or add a sibling job)

JavaScript

  • Custom Dockerfile based on gcr.io/oss-fuzz-base/base-builder-javascript
  • build.sh invoking Jazzer.js harness compilation
  • At least one sample Jazzer.js fuzz target covering a representative JS/TS module
  • Workflow wiring (extend fuzz-pr.yml matrix or add a sibling job)

Acceptance Criteria

  • PR-gated short fuzz runs (≤ 5 min) execute green for both new languages
  • Crash artifacts upload via actions/upload-artifact on failure
  • Documentation updated alongside .clusterfuzzlite/ (README or inline) describing how to add new harnesses
  • Each language has ≥ 1 working harness committed, not just scaffolding
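
An Atheris fuzz target of the kind the Python scope above calls for, as an added example that is not part of the issue or the repository. `parse_kv_config` is a hypothetical stand-in for a pure-Python module under scripts/; Atheris is imported only in `main()` so the file also loads where Atheris is not installed.

```python
"""Added example: Atheris harness for a pure-Python parser (hypothetical target)."""
import sys


# Hypothetical stand-in for a module under scripts/; the real target is not on the page.
def parse_kv_config(text: str) -> dict:
    """Parse 'key=value' lines; raise ValueError on malformed input."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no data
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value")
        result[key.strip()] = value.strip()
    return result


def TestOneInput(data: bytes) -> None:
    """Fuzz entry point: documented rejections are ignored, anything else is a finding."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return  # not valid input for a text parser
    try:
        parsed = parse_kv_config(text)
    except ValueError:
        return  # the parser's documented rejection path
    # Invariants on accepted input; a failed assert surfaces as a fuzzer crash.
    for key, value in parsed.items():
        assert key and "=" not in key
        assert key == key.strip() and value == value.strip()


def main() -> None:
    import atheris  # deferred so importing this module does not require Atheris

    atheris.instrument_all()  # coverage-instrument the code loaded above
    atheris.Setup(sys.argv, TestOneInput)
    atheris.Fuzz()


if __name__ == "__main__":
    main()
```

Only `ValueError` and undecodable bytes are treated as expected, so any other exception escaping the parser is reported by the fuzzer as a crash.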

Labels: enhancement (New feature or request), security (Security-related changes or concerns)
