Harden `validate_invoice_id_string` against fixed-buffer and charset edge cases

[mikewheeleer]

Description

validate_invoice_id_string copies the invoice String into a fixed [0u8; 32] buffer and validates charset before converting to a Symbol. Audit the bounds handling (length 1..=MAX_INVOICE_ID_STRING_LEN, copy_into_slice, UTF-8 conversion) for any path that could read uninitialized bytes or accept an out-of-charset symbol, and add adversarial tests.

Requirements and context

• Scoped to the LiquiFact escrow Soroban contract.
• Test boundary lengths (0, 1, 32, 33), non-ASCII, and disallowed punctuation; assert each invalid input traps with the documented message.
• Confirm only the first len bytes are validated and that no trailing zero byte from the buffer leaks into the Symbol.
• Invariant: stored invoice symbol is always [A-Za-z0-9_], length 1..=32, and round-trips with off-chain slugs.
• Reference docs/glossary.md and the module rustdoc on invoice identifiers.
• Must be secure, tested, and documented.

Suggested execution

• Fork the repo and create a branch:
  • git checkout -b security/invoice-id-validation
• Implement changes:
  • escrow/src/lib.rs
  • Tests: escrow/src/tests/init.rs
  • Docs: docs/escrow-data-model.md
  • Include rustdoc/NatSpec-style doc comments on public functions
  • Validate security assumptions (auth, overflow, storage TTL, double-spend)

Test and commit

• Run tests: cargo test
• Cover edge cases (zero amounts, overflow, unauthorized callers, double-spend, state-machine misuse)
• Include test output and security notes in the PR

Example commit message

test(escrow): adversarial invoice_id validation cases

Guidelines

• Minimum 95% test coverage on new/changed code
• Clear documentation
• Timeframe: 96 hours from assignment

[teeschima]

@teeschima has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Good day maintainer, please put me on this project. I'd love to work on this project. Thank you. ETA 2HRS

ℹ️ Repo Maintainers: To accept this application, review their application or assign @teeschima to this issue.

[drips-wave]

Congratulations, @teeschima! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @teeschima: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊