Been fuzzing the new CLI tool argument parser (`claw-tool parse --config ...`). Found two distinct crash conditions. Both are reachable from user-controlled input without special privileges.
First crash is a classic heap buffer overflow in the config preprocessor when a specific sequence of escape characters is followed by a malformed Unicode sequence.
```bash
# Pseudo-trigger for crash type 1
claw-tool parse --config '{"key": "\xffffffff"}'
```
Second is a NULL pointer dereference in the nested argument handler. Occurs when a flag is set to require a value but the parser is forced into a state where the value pointer is never initialized.
```bash
# Trigger for crash type 2
claw-tool parse --require-value -- "" --next-flag
```
Both were found with a custom grammar-aware fuzzer. Full reproducer scripts and core dumps are attached. The crashes are consistent on builds from the `v2.8.0` tag. Looks like the validation logic in `src/cli/parser/validate.c` is bypassed before the unsafe functions in `process.c` are called.
Recommend immediate review of the validation pass for argument state transitions. Also, the preprocessor should reject invalid hex sequences before the copy operation.
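One way to implement the "reject invalid hex sequences before the copy operation" recommendation is a validate-then-copy pair. This is an added example, not code from the report or from claw-tool. The function names are hypothetical, and it assumes the only legal escapes are `\xHH` (exactly two hex digits, not followed by another hex digit) and `\\`.

```c
#include <stddef.h>

/* Hypothetical helpers, not claw-tool code. Value of one hex digit, or -1. */
static int hex_val(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Pass 1: validate every escape and compute the decoded length.
 * Assumed grammar: "\xHH" (exactly two hex digits) and "\\" only.
 * Returns 0 and sets *need, or -1 on any malformed escape. */
int escapes_validate(const char *in, size_t len, size_t *need) {
    size_t n = 0;
    for (size_t i = 0; i < len; n++) {
        const unsigned char *p = (const unsigned char *)in + i;
        if (*p != '\\') { i++; continue; }
        if (i + 1 >= len) return -1;                 /* dangling backslash */
        if (p[1] == '\\') { i += 2; continue; }
        if (p[1] != 'x' || i + 3 >= len) return -1;  /* unknown or truncated */
        if (hex_val(p[2]) < 0 || hex_val(p[3]) < 0) return -1;
        /* Over-long run such as \xffffffff: reject, never truncate silently. */
        if (i + 4 < len && hex_val(p[4]) >= 0) return -1;
        i += 4;
    }
    *need = n;
    return 0;
}

/* Pass 2: copy only after validation and only if output plus NUL fits.
 * Returns decoded length, -1 for malformed input, -2 if out is too small. */
int escapes_decode(const char *in, size_t len, char *out, size_t cap) {
    size_t need, o = 0;
    if (escapes_validate(in, len, &need) != 0) return -1;
    if (need >= cap) return -2;
    for (size_t i = 0; i < len; ) {
        const unsigned char *p = (const unsigned char *)in + i;
        if (*p != '\\') { out[o++] = in[i++]; continue; }
        if (p[1] == '\\') { out[o++] = '\\'; i += 2; continue; }
        out[o++] = (char)(hex_val(p[2]) * 16 + hex_val(p[3]));
        i += 4;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed input: the over-long escape from the report is rejected. */
int main(void) { char out[16]; return escapes_decode("\\xffffffff", 10, out, sizeof out) != -1; }
```

Because the length is computed in the validation pass, the copy loop never has to make a bounds decision on unvalidated input.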