diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 86fb37a..c6bd418 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -61,6 +61,9 @@ jobs:
       - name: Test scalar-only (no AVX2/NEON feature)
         run: cargo test --release --no-default-features
 
+      - name: Test debug scalar-only
+        run: cargo test --no-default-features
+
       - name: Test with test-panic feature
         run: cargo test --features test-panic --release
 
@@ -98,6 +101,7 @@ jobs:
         run: |
           cargo +nightly fuzz run fuzz_parse_eager -- -max_total_time=60
           cargo +nightly fuzz run fuzz_depth -- -max_total_time=60
+          cargo +nightly fuzz run fuzz_ffi_ops -- -max_total_time=60
 
       - name: Run lazy parse fuzz target
         run: cargo +nightly fuzz run fuzz_parse_lazy -- -max_total_time=60
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 9f7185f..05008d1 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -153,6 +153,7 @@ Run the PR-length regression guard:
 ```sh
 cargo +nightly fuzz run fuzz_parse_eager -- -max_total_time=60
 cargo +nightly fuzz run fuzz_depth -- -max_total_time=60
+cargo +nightly fuzz run fuzz_ffi_ops -- -max_total_time=60
 cargo +nightly fuzz run fuzz_parse_lazy -- -max_total_time=60
 ```
 
@@ -170,6 +171,11 @@ default depth (`1024`) and the clamped ceiling (`4096`). Accepted boundary
 inputs are also walked through the FFI cursor API to exercise Phase 2 without
 recursive descent.
 
+The `fuzz_ffi_ops` target drives the public FFI surface with arbitrary
+parse/get/cursor/free operation sequences. It focuses on panic-barrier and
+pointer-safety regressions around null docs/cursors, path/key bytes, repeated
+parses/frees, and mixed root/cursor accessors.
+
 The `fuzz_parse_lazy` target compares serde-accepted inputs by reconstructing a
 whole `serde_json::Value` through qjson's public cursor FFI APIs. It normalizes
 numbers through qjson's `f64` getter semantics, with serde_json's
@@ -187,6 +193,7 @@ Before releases, run the same target much longer than the CI guard, for example:
 ```sh
 cargo +nightly fuzz run fuzz_parse_eager -- -max_total_time=3600
 cargo +nightly fuzz run fuzz_depth -- -max_total_time=3600
+cargo +nightly fuzz run fuzz_ffi_ops -- -max_total_time=3600
 cargo +nightly fuzz run fuzz_parse_lazy -- -max_total_time=3600
 ```