test(decompiler): Rec 34 #34-9 — fuzz_ipc_schema harness for the FlatBuffers IPC decoders

[CryptoJones]

Closes #226.

With the worker-side schema codecs complete (#34-4..#34-6), the v1 IPC
decoders are the new attacker-facing parse surface — the FlatBuffers replacement
for the marshal/XML parsers that fuzz_marshal / fuzz_xml already cover. This
adds the in-tree libFuzzer harness for them (Rec 13 fuzz set).

What it does. fuzz_ipc_schema.cc feeds one fuzzer buffer to every
decode_*_request / decode_*_response across the four codec headers (request,
response, lifecycle, config) and relies on the verify-before-read property: any
input — null, garbage, or truncated — must return false rather than read out of
bounds or trip a sanitizer.

Build shape. Header-only — the codecs are inline over the vendored
FlatBuffers runtime, so the target links no decompiler object files.
Makefile.fuzz gains a FLATBUF_INCLUDE path and the fuzz_ipc_schema rule;
the fuzz README and docs/security/OSS_FUZZ.md harness + seed tables gain its
row.

In-tree only. The OSS-Fuzz upstream submission was rejected
(google/oss-fuzz#15545: forks of
Ghidra are not a structural fit), so the harness stands on its own and runs
locally / via our own CI.

Test-only and inert. Nothing in the production decompiler links the harness;
no CI workflow or the main/unit build compiles cpp/fuzz/.

Test plan

• Harness compiles clean under g++ (full object codegen; -fsyntax-only and -c both clean)
• Ran a throwaway driver over 200k+ malformed inputs (empty, all single bytes, OOB root offset, truncation ramps, random buffers) under g++ -fsanitize=address,undefined — zero findings
• :cppRaiiAudit green (228 protected files clean; the new file is correctly out of the audit's non-recursive cpp-root scope)
• CI green on both forges (clang/libFuzzer build of the target is a local/own-CI step; not gated by the existing workflows)

Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/