
Validate Soroban simulation auth before signing#56

Open
Sparexonzy95 wants to merge 1 commit into
SmartDropLabs:mainfrom
Sparexonzy95:fix/validate-simulation-auth-clean

Conversation

@Sparexonzy95


Summary

Closes #24

This PR adds a focused security validation layer for Soroban simulation authorization entries before any transaction is assembled and sent to Freighter for signing.

The purpose is to ensure that the dApp does not trust simulation authorization payloads blindly. Before wallet signing, the returned Soroban auth entries are checked against the exact SmartDrop contract action the user intended to perform.

Security rationale

Freighter signing is a sensitive trust boundary. If a compromised or malicious RPC response injects unexpected authorization entries into the simulation result, the user could be asked to sign authorization for behavior that was not intended by the UI flow.

This PR reduces that risk by enforcing strict validation before rpc.assembleTransaction(...) and before Freighter signing.

What changed

  • Added validateSimulationAuth(simResult, expected) in src/lib/soroban.ts.

  • Added SecurityError for user-facing signing safety failures.

  • Validates simResult.result?.auth before transaction assembly/signing.

  • Verifies the expected contract ID and contract function name for each authorization entry.

  • Rejects missing, malformed, shorter, longer, extra, or unexpected authorization entries.

  • Rejects unexpected nested subInvocations() so nested malicious auth payloads cannot bypass root-level validation.

  • Integrated validation into:

    • lockAssets
    • unlockAssets
    • setBoost

  • Added unit coverage for:

    • injected extra authorization entry
    • expected root authorization containing unexpected nested sub-invocation

Files changed

This PR is intentionally focused on the issue #24 security fix:

  • src/lib/soroban.ts
  • src/lib/soroban.auth.test.ts
  • src/lib/error-handler.ts

Validation

Issue-specific validation passed locally:

npx.cmd vitest run src/lib/soroban.auth.test.ts
git diff --check
git diff --name-only upstream/main --

Result:

  • Soroban auth validation tests passed.
  • Nested sub-invocation regression test passed.
  • Diff check passed.
  • The PR diff is limited to the intended security-related files.

Build note

Full npm.cmd run build is currently blocked on upstream/main by pre-existing issues unrelated to this PR, including a Next.js App Router export issue in src/app/farm/page.tsx and existing no-explicit-any lint errors in context/error boundary files.

I verified these failures on pure upstream/main after stashing this PR’s changes, so they are not introduced by this branch.
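The checks described above, written out as an added example that is not the SmartDrop project's code: it validates a simulation's auth entries against the single contract action the UI intended, rejecting missing, malformed, extra and mismatched entries and any nested sub-invocations. It assumes a minimal decoded shape for an entry (`rootInvocation` with `contractId`, `functionName`, `subInvocations`), positional comparison against the expected list, and constructed contract IDs and function names; none of these come from the repository.

```typescript
export class SecurityError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "SecurityError";
  }
}
// Shape of a decoded auth entry (field names are assumptions of this example).
export interface AuthInvocation {
  contractId: string; // contract address the entry authorizes
  functionName: string; // contract function the entry authorizes
  subInvocations: AuthInvocation[];
}
export interface AuthEntry { rootInvocation: AuthInvocation }
export interface ExpectedAuth { contractId: string; functionName: string }

// Checks the simulation's auth entries against the action the UI intended.
// Returns the entries when every check passes, throws SecurityError otherwise,
// so a caller never assembles a transaction from unvalidated auth.
export function validateSimulationAuth(auth: unknown, expected: ExpectedAuth[]): AuthEntry[] {
  if (!Array.isArray(auth)) {
    throw new SecurityError("simulation result carries no auth array");
  }
  // An exact count rejects both missing and injected (extra) entries.
  if (auth.length !== expected.length) {
    throw new SecurityError(`expected ${expected.length} auth entries, got ${auth.length}`);
  }
  auth.forEach((entry, i) => {
    const root = (entry as AuthEntry | undefined)?.rootInvocation;
    if (!root || typeof root.contractId !== "string" || typeof root.functionName !== "string") {
      throw new SecurityError(`auth entry ${i} is malformed`);
    }
    const want = expected[i]; // compared positionally (an assumption of this example)
    if (root.contractId !== want.contractId || root.functionName !== want.functionName) {
      throw new SecurityError(
        `auth entry ${i} authorizes ${root.contractId}.${root.functionName}, ` +
        `expected ${want.contractId}.${want.functionName}`);
    }
    // A nested sub-invocation would authorize calls the root check never inspected.
    const nested = root.subInvocations ?? [];
    if (nested.length !== 0) {
      throw new SecurityError(`auth entry ${i} carries ${nested.length} unexpected sub-invocations`);
    }
  });
  return auth as AuthEntry[];
}
// null when signing is safe, otherwise the reason the entries were rejected.
export function rejectionReason(auth: unknown, expected: ExpectedAuth[]): string | null {
  try { validateSimulationAuth(auth, expected); return null; }
  catch (e) { return e instanceof Error ? e.message : String(e); }
}
```

A caller would run `validateSimulationAuth` on `simResult.result?.auth` and only then proceed to `rpc.assembleTransaction(...)` and the wallet prompt.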

Development

Successfully merging this pull request may close these issues.

Transaction signing safety — validate simulation auth entries before presenting to user