diff --git a/.github/oss-fuzz/Dockerfile b/.github/oss-fuzz/Dockerfile index 5c673787d39..cf6aff150c7 100644 --- a/.github/oss-fuzz/Dockerfile +++ b/.github/oss-fuzz/Dockerfile @@ -1,5 +1,20 @@ +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ # OSS-Fuzz build container for the GayHydra decompiler harnesses. -# See docs/security/OSS_FUZZ.md. +# See https://codeberg.org/CryptoJones/GayHydra/src/branch/master/docs/security/OSS_FUZZ.md. FROM gcr.io/oss-fuzz-base/base-builder diff --git a/.github/oss-fuzz/README.md b/.github/oss-fuzz/README.md new file mode 100644 index 00000000000..dff821cc943 --- /dev/null +++ b/.github/oss-fuzz/README.md 
@@ -0,0 +1,25 @@ +# `.github/oss-fuzz/` — staging directory for OSS-Fuzz upstream submission + +This directory holds the three files that get copied verbatim to +`projects/ghidra-decompiler/` in [google/oss-fuzz](https://github.com/google/oss-fuzz): + +- [`project.yaml`](project.yaml) — OSS-Fuzz manifest (contacts, sanitizers, engines) +- [`Dockerfile`](Dockerfile) — build container definition +- [`build.sh`](build.sh) — harness build script + +See [`docs/security/OSS_FUZZ.md`](../../docs/security/OSS_FUZZ.md) for the +broader integration plan and the in-tree harness sources at +`Ghidra/Features/Decompiler/src/decompile/cpp/fuzz/`. + +## Sync workflow + +Files here are kept byte-identical with their upstream counterparts at +[`google/oss-fuzz/projects/ghidra-decompiler/`](https://github.com/google/oss-fuzz/tree/master/projects/ghidra-decompiler). +Editing in either location requires copying to the other in the same +sweep so the two don't drift. + +The Google-style `Copyright YYYY Google LLC` Apache 2.0 header on +`Dockerfile` and `build.sh` is the OSS-Fuzz convention for everything +under `projects/` — `dpebot`'s `header-check` bot enforces it on every +PR to google/oss-fuzz. Carrying the same header in-tree keeps the +`cp`-to-upstream operation a one-step sync rather than a diff-and-fix. diff --git a/.github/oss-fuzz/build.sh b/.github/oss-fuzz/build.sh index f9ed200ccbd..6ef92344c47 100644 --- a/.github/oss-fuzz/build.sh +++ b/.github/oss-fuzz/build.sh 
@@ -1,6 +1,21 @@ #!/bin/bash -eu +# Copyright 2026 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ # OSS-Fuzz build script for the GayHydra decompiler harnesses. -# See docs/security/OSS_FUZZ.md. +# See https://codeberg.org/CryptoJones/GayHydra/src/branch/master/docs/security/OSS_FUZZ.md. CPP_DIR="$SRC/ghidra/Ghidra/Features/Decompiler/src/decompile/cpp" FUZZ_DIR="$CPP_DIR/fuzz" diff --git a/.github/oss-fuzz/project.yaml b/.github/oss-fuzz/project.yaml index 6971e225586..843ad8ca738 100644 --- a/.github/oss-fuzz/project.yaml +++ b/.github/oss-fuzz/project.yaml @@ -1,9 +1,11 @@ -# OSS-Fuzz project manifest. +# OSS-Fuzz project manifest for GayHydra, a maintained fork of NSA's +# Ghidra reverse engineering platform. Fuzzes the decompiler's C++ +# parsers (XML + PackedDecode) — first thing user-controlled input +# hits, historically the source of OOB-read CVEs in Ghidra's +# decompiler core. # -# To go live: copy this file (plus Dockerfile and build.sh in this -# directory) to projects/ghidra-decompiler/ in google/oss-fuzz. -# -# See docs/security/OSS_FUZZ.md. +# See https://codeberg.org/CryptoJones/GayHydra/src/branch/master/docs/security/OSS_FUZZ.md +# for the in-tree harness sources and rationale. homepage: "https://codeberg.org/CryptoJones/GayHydra" main_repo: "https://codeberg.org/CryptoJones/GayHydra"
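Review bot: In the new `.github/oss-fuzz/README.md`, the "Sync workflow" section requires the staged files to stay byte-identical with `google/oss-fuzz/projects/ghidra-decompiler/`, but nothing in this change enforces it; the rule rests on whoever edits either side remembering to copy. Consider a CI job that fetches the three upstream files and fails on any difference, so drift in the build container or build script is caught instead of discovered at the next manual sync. The README should also say that `README.md` itself stays in-tree only, since the directory now holds four files while the text says three are copied verbatim.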
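Review bot: In the `project.yaml` hunk, the new header comment says the parsers are "historically the source of OOB-read CVEs in Ghidra's decompiler core" without naming any CVE or advisory. A manifest comment submitted upstream should be checkable: either cite the specific identifiers, or drop the clause and leave the rationale to the linked `OSS_FUZZ.md`. The removed "To go live" instructions are now covered by the README, so that deletion is fine.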
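Review bot: In the `Dockerfile` and `build.sh` hunks, the replaced doc pointer is now an absolute URL pinned to `src/branch/master`, which will silently point at different content (or nothing) if the branch is renamed or the doc moves. That trade-off is reasonable for files that are copied out of the tree, but it is worth a line in the README noting that these URLs must be updated together with any move of `docs/security/OSS_FUZZ.md`. Also confirm that attributing copyright to `Google LLC` on files authored in this repository is acceptable under the project's own licensing; the README explains the `header-check` motivation, but the commit does not record that the attribution itself was reviewed.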