Fix cargo-fuzz install breakage on nightly

[hoffmang9]

Summary

• Keep the current cargo +nightly install cargo-fuzz --locked path for reproducibility.
• Add a fallback to unlocked install when nightly compatibility drift causes the locked install to fail.
• Unblocks Rust fuzzer jobs that currently fail during tool installation rather than project build/test execution.

Test plan

• Inspect failing CI logs from PR 357 and confirm failure occurs in Install cargo-fuzz.
• Validate the workflow diff only changes rust.yml fuzzer install behavior.
• Confirm Run fuzzers (*) jobs pass in CI on this PR.

Made with Cursor

---

Note

Low Risk
Low risk: changes are limited to CI tooling installation behavior and a Python typing annotation, with no runtime/library logic modifications.

Overview
Fixes nightly CI fuzz jobs by making cargo-fuzz installation resilient: keep cargo +nightly install cargo-fuzz --locked for reproducibility, but fall back to an unlocked install if the locked path fails.

Also adds a small typing improvement in setup.py by annotating BUILD_HOOKS as a list[Callable[..., None]] (and importing Callable).

^{Reviewed by Cursor Bugbot for commit a52f824. Bugbot is set up for automated code reviews on this repo. Configure here.}

[hoffmang9]

Root-cause research for the Rust fuzzer CI failures

I investigated the failing Run fuzzers (*) jobs (all failing in Install cargo-fuzz) and confirmed this is an upstream nightly/tooling break, not a project logic regression.

What fails in CI

• cargo +nightly install cargo-fuzz --locked
• Error signature from transitive dependency rustix:
  • attributes starting with \rustc` are reserved for use by the `rustc` compiler`
  • cannot find attribute \rustc_layout_scalar_valid_range_start/end` in this scope`

Upstream confirmation

• Rust regression report with same failure signature and repro against rustix:
  • Regression in nightly-2026-05-04: rustix crate fails to build: attributes starting with rustc are reserved for use by the rustc compiler rust-lang/rust#156510
• That report bisects to a specific upstream Rust change:
  • Rip out rustc_layout_scalar_valid_range_* attribute support rust-lang/rust#155433
  • PR title: Rip out rustc_layout_scalar_valid_range_ attribute support*
• Matching rustix upstream issue with same CI error text:
  • error: attributes starting with rustc are reserved for use by the rustc compiler bytecodealliance/rustix#1620

Why this affects this repository

• The failing step installs cargo-fuzz with --locked.
• cargo-fuzz 0.13.1 lockfile pins rustix = 0.36.5 (verified from upstream cargo-fuzz tag lockfile).
• That locked dependency set is incompatible with current nightly behavior after the upstream Rust change above.

Why this PR fix works

• We still try locked install first for reproducibility.
• If locked fails due nightly/dependency drift, we fall back to unlocked install:
  • cargo +nightly install cargo-fuzz --locked || cargo +nightly install cargo-fuzz
• This keeps preferred behavior when possible while unblocking CI during upstream toolchain transitions.