Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/fuzz-nightly.yml:
- Around line 40-42: The "Install LuaRocks" step currently pipes an external
script into sh (curl ... | sh), which creates a supply-chain risk; change the
step so it first downloads the script (the command invoked in the Install
LuaRocks step), pins a specific commit or tag for the script URL, verifies its
integrity (e.g., compare a checked-in or workflow-provided SHA256 or GPG
signature) and only then executes the verified file, or alternatively vendor a
known-good installer into the repo or use an official action/installer instead
of piping to shell; update the Install LuaRocks step to reference the pinned URL
and add explicit verification before execution.

In @.github/workflows/fuzz.yml:
- Around line 32-34: The GitHub Actions step that installs LuaRocks currently
pipes an external script to sh (the "Install LuaRocks" run step), which is a
supply-chain risk; replace that by either vendoring the apache/apisix
utils/linux-install-luarocks.sh script into this repo and invoking the local
copy, or pin the curl URL to a specific commit SHA (use
raw.githubusercontent.com/.../<commit_sha>/utils/linux-install-luarocks.sh)
before executing it; if you vendor the script, add a short comment in the
workflow referencing the original upstream URL and commit SHA and add a periodic
checklist entry to review upstream updates so the workflow uses a known-good,
auditable script rather than an unpinned remote one.

In `@fuzz/README.md`:
- Around line 85-87: The README's Nightly entry references the GitHub handle
"@jarvis-api7" which is inconsistent with the actual assignee "jarvis9443" used
in .github/workflows/fuzz-nightly.yml; update the README.md Nightly line (the
string "@jarvis-api7") to the correct handle "jarvis9443" (or alternatively
update the workflow to match the README) so both the Nightly description and the
fuzz-nightly.yml assignee are the same.
- Around line 12-15: The markdown link
"../../../qa/lua-resty-openapi-validator-v1.0.3.md" in the README is a broken
relative path; update that link to point to the correct location of the QA
document (use the actual repo-relative path or an absolute URL), or if the QA
doc doesn't exist or is external, remove the link or replace it with a valid URL
and adjust the surrounding text accordingly so the reference no longer 404s.

---

Outside diff comments:
In `@Makefile`:
- Line 10: The .PHONY declaration is missing the fuzz target so Make may treat
the existing fuzz/ directory as an up-to-date target; update the .PHONY line
(the .PHONY declaration that currently lists test test-unit test-conformance
lint dev install clean help) to also include fuzz so the fuzz target always runs
regardless of the fuzz/ directory's existence.

---

Nitpick comments:
In `@fuzz/mutate_fuzz.py`:
- Around line 247-248: The gen_cases function declares max_per_op but never uses
it; either implement per-operation limiting inside gen_cases by counting or
slicing generated cases for each operation (use the function name gen_cases and
the parameter max_per_op to locate where to apply the limit) so no more than
max_per_op cases are returned per op, or remove the max_per_op parameter from
gen_cases and update all call sites that pass that argument to call the new
signature (search for gen_cases(...) calls to update). Ensure whichever path you
take keeps the function signature and callers consistent.
- Around line 351-352: The type hint for run_validator's extra_includes is
currently implicit None; change it to an explicit Optional type (e.g.,
Optional[List[str]]) and ensure typing.Optional (or from typing import Optional,
List) is imported so the signature becomes run_validator(..., extra_includes:
Optional[List[str]] = None, ...); update the function definition and add the
necessary typing import if missing to satisfy PEP 484.
- Around line 370-374: Replace the bare except Exception around the
json.loads(line) call with an except json.JSONDecodeError to avoid swallowing
unrelated errors: locate the try/except that wraps json.loads(line) (which
appends to out) and change the exception handler to only catch
json.JSONDecodeError so malformed JSON lines are skipped while other exceptions
propagate; ensure json is imported where mutate_fuzz.py uses json.loads if not
already.

In `@fuzz/README.md`:
- Around line 19-27: The fenced code block that shows the architecture diagram
(the block starting with "mutate_fuzz.py (Python orchestrator)") lacks a
language specifier; update the opening fence from ``` to ```text (or
```plaintext) so linters/renderers recognize it as plain text and the README's
code block renders consistently.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/fuzz-nightly.yml:
- Around line 50-53: The Install Lua dependencies step currently installs
floating versions of jsonschema and lua-resty-radixtree; change the commands to
pin exact versions (e.g. replace `sudo luarocks install jsonschema` and `sudo
luarocks install lua-resty-radixtree` with `sudo luarocks install jsonschema
<version>` and `sudo luarocks install lua-resty-radixtree <version>`) or use
`luarocks install --pin` to produce a lockfile and install from that to make the
nightly job reproducible; update the step that runs these commands (the "Install
Lua dependencies" run block) to include the chosen version strings or the --pin
workflow and commit the generated lockfile.
- Around line 22-23: Ensure FUZZ_BUDGET is validated as a safe numeric value and
quoted when passed to the shell: validate env.FUZZ_BUDGET in the run step (e.g.,
reject or default if it does not match ^[0-9]+$) and call the target with
quoting like make fuzz FUZZ_BUDGET="$FUZZ_BUDGET" so user-controlled
workflow_dispatch.inputs.budget cannot inject shell metacharacters; reference
the FUZZ_BUDGET variable and the make fuzz invocation for where to add the
numeric check and the quoted use.

In `@fuzz/mutate_fuzz.py`:
- Around line 426-432: The spec loaded into variable spec is mutated then passed
to gen_cases before $ref resolution, causing referenced schemas to be collapsed
to fallbacks; resolve all $ref references on spec (e.g., via the same OV/OpenAPI
compile/resolution used by run_validator/ov.compile or your existing resolver)
immediately after mutate(...) and before calling gen_cases(spec, ...), so
gen_cases operates on the fully-resolved spec; ensure the resolver mutates or
returns a resolved spec and use that resolved spec for gen_cases and later
run_validator.
- Around line 423-491: The loop can raise exceptions and currently skips writing
summary.json; wrap the main fuzz loop (the block using crashes_path.open and
iterating while time.time() - t0 < args.budget, which updates rounds, cases_run,
crashes, false_negatives) in a try/finally (or try/except/finally) so that in
the finally block you build the summary dict using the current rounds,
cases_run, t0, crashes, false_negatives and always call
summary_path.write_text(json.dumps(summary, indent=2)) and print it before
exiting; ensure variables referenced (rounds, cases_run, t0, crashes,
false_negatives, crashes_path) are in scope for the finally block and preserve
the same exit code logic (sys.exit(1 if (crashes or false_negatives) else 0)).
- Around line 209-242: sample_value() currently only honors enums inside
_sample_string(), causing integer/number/boolean values to ignore schema["enum"]
and produce invalid samples; fix by checking for schema.get("enum") near the top
of sample_value (after the nullable check and before the type-specific branches)
and, if present, return rng.choice(schema["enum"]) (handling nullability if enum
contains None or schema.get("nullable") is true) so all types respect enum
constraints; keep the existing _sample_string() behavior but remove its
special-case-only enum handling.
- Line 46: Remove "simple" from the ARRAY_STYLES list so m_param_style() no
longer selects an invalid style for query parameters; update the constant
ARRAY_STYLES to only include "form", "pipeDelimited", and "spaceDelimited" and
ensure any references in m_param_style() continue to use that constant for
random selection of query parameter styles.

In `@fuzz/README.md`:
- Around line 18-26: The fenced code block in the README describing the fuzz
orchestrator is unlabeled which triggers markdownlint MD040; update the fence by
adding a language tag (e.g., "text") to the opening triple-backticks around the
mutate_fuzz.py architecture block so the block is labeled (refer to the block
that mentions mutate_fuzz.py, fuzz/seeds/, RUNNER_LUA and the JSONL output) and
re-run lint to confirm the MD040 violation is resolved.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/fuzz-nightly.yml:
- Around line 114-116: The variable existing is being set from the gh issue list
pipeline and ends up containing the string "null" when no issues are returned;
update the jq expression in the assignment to use the fallback operator so null
becomes empty (e.g., change the jq filter '.[0].number' to '.[0].number //
empty') so that existing is an empty string when no issue is found and the
subsequent if [ -n "$existing" ] check behaves correctly.

---

Duplicate comments:
In @.github/workflows/fuzz-nightly.yml:
- Around line 22-23: Validate that the user-provided workflow input for
FUZZ_BUDGET is a positive integer and fail fast if it isn't, then ensure the
value is quoted when passed to the make invocation; specifically, add a step
that checks the workflow_dispatch input (the FUZZ_BUDGET value) matches a
numeric regex (e.g. only digits), set a sanitized variable with that validated
value, and update the make invocation to use the quoted variable (e.g.,
FUZZ_BUDGET="${{ env.SANITIZED_FUZZ_BUDGET }}" or similar) so shell
metacharacters cannot be expanded.
- Around line 42-47: The workflow currently downloads and builds the LUAROCKS
tarball without integrity verification; change the steps around LUAROCKS_VER so
the job first fetches the tarball and its checksum or signature (use the repo's
.sha256/.sha512 or .asc signature), verify the archive (e.g., sha256sum -c
against the pinned checksum or gpg --verify against a trusted key) and only if
verification succeeds proceed to tar xzf, cd "luarocks-${LUAROCKS_VER}",
./configure --with-lua=$OPENRESTY_PREFIX/luajit and make build && sudo make
install; fail the job on checksum/signature mismatch so unverified archives are
never built/installed.
- Around line 63-66: The Install Lua dependencies step currently installs
floating versions of jsonschema and lua-resty-radixtree; change it to install
exact pinned versions or switch to a lockfile-driven install. Update the
commands that install jsonschema and lua-resty-radixtree to include precise
version specifiers (pin known-good versions) or replace the step with a luarocks
lockfile install flow (using a generated luarocks.lock and invoking luarocks to
install from it). Ensure you modify the "Install Lua dependencies" step to
reference the rock names jsonschema and lua-resty-radixtree with those pinned
versions or the lockfile-based installation command.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@fuzz/mutate_fuzz.py`:
- Around line 304-305: The code builds path_params from only operation-level
parameters (path_params = {p["name"]: p for p in (op.get("parameters") or [])
...}) but ignores path-item parameters; update the parameter collection to merge
path-item and operation-level parameters so path_params includes parameters from
both sources (e.g., combine path_item.get("parameters") and op.get("parameters")
before filtering), deduplicate by name+in, and then use that merged path_params
wherever the generator uses path_params (the blocks around the existing
path_params assignment and the later logic at lines ~323-346) so “positive”
requests include required path-item params as well.
- Around line 189-212: The resolver resolve_refs (and its inner helper _resolve)
currently follows $ref links without tracking which ref targets have been
visited, causing RecursionError on cyclical refs; update _resolve to accept and
propagate a visited set (e.g., visited_refs) and, when encountering a "$ref"
string, compute a stable key for the target (the ref string or the resolved path
parts) and check visited_refs before descending—if already visited, return the
node as-is (or a shallow copy) to break the cycle; otherwise add the key to
visited_refs before recursing into the resolved target and remove it after
returning so other branches remain unaffected.
- Around line 416-421: The code currently swallows JSON parsing errors in the
loop over r.stdout (for line in r.stdout.splitlines(): ... except Exception:
pass), which can hide malformed validator output; update the loop to catch
json.JSONDecodeError specifically, record the offending line(s) (e.g., add to a
parse_errors list or append raw lines to out_errors), and include that condition
when deciding failure: change the final check that uses r.returncode and out (if
r.returncode != 0 and not out) to also fail when parse_errors is non-empty
(e.g., if r.returncode != 0 or not out or parse_errors), and log the
parse_errors with context so malformed lines are visible (reference
variables/functions: r, r.stdout, r.returncode, out, json.loads).

---

Duplicate comments:
In @.github/workflows/fuzz-nightly.yml:
- Around line 63-66: The workflow installs floating LuaRocks packages in the
"Install Lua dependencies" step; replace the two commands that currently run
"sudo luarocks install jsonschema" and "sudo luarocks install
lua-resty-radixtree" with pinned installs (explicit version strings or exact
rockspecs) or reference workflow variables (e.g., JSONSCHEMA_VERSION and
RADIXTREE_VERSION) and use them like "sudo luarocks install jsonschema
<version>" and "sudo luarocks install lua-resty-radixtree <version>" so nightly
runs are deterministic; update the step commands and add corresponding
variables/inputs for the chosen versions.

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@fuzz/mutate_fuzz.py`:
- Around line 491-495: The validation is using the original spec variable while
generated cases come from the transformed resolved spec, which can cause
mismatches; update the call to run_validator to pass resolved instead of spec so
the oracle matches the generated positive cases—i.e., after calling
resolve_refs(spec) and gen_cases(resolved,...), call run_validator(resolved,
cases, args.deps, args.lib, args.include) (referencing resolve_refs, gen_cases,
run_validator, spec, resolved).
- Around line 429-437: The current parsing loop in mutate_fuzz.py collects valid
JSON lines into out but drops information when there are malformed lines if any
valid lines exist; update the post-loop logic (the block handling r.stdout, out,
bad_lines and the subsequent if r.returncode checks) so that whenever bad_lines
> 0 you also append or merge an additional result entry documenting the
malformed JSONL (e.g.,
{"phase":"subprocess_malformed_lines","bad_lines":bad_lines,"stderr":"malformed
validator JSONL output"}) instead of only emitting when out is empty; keep
existing valid parsed entries but ensure the malformed-lines entry is always
added when bad_lines > 0 so mixed output is not silently ignored.