
[codex] Prepare auth signing for Protocol 27 #11

Draft
kalepail wants to merge 4 commits into main from codex/protocol-27-auth-prep

Conversation

kalepail (Owner) commented Jun 5, 2026

Summary

  • Validate the Protocol 27 auth changes against @stellar/stellar-sdk@16.0.0-rc.1.
  • Explicitly admit @stellar/stellar-sdk@16.0.0-rc.1 in the package peer ranges for RC consumers.
  • Prefer the SDK's canonical buildAuthorizationEntryPreimage() helper when available, while preserving the fallback behavior for older SDKs.
  • Keep shared Soroban address credential handling for legacy ADDRESS plus Protocol 27 ADDRESS_V2 and ADDRESS_WITH_DELEGATES arms.
  • Update WebAuthn, multi-signer, wallet/external signer, and funding auth paths to use shared credential helpers instead of assuming credentials().address().
  • Remove the demo's direct @stellar/stellar-base dependency and align the demo with the v16 RC package layout.
  • Normalize signature expiration ledgers before XDR serialization and reject invalid ranges before mutating auth entries.

Context

Protocol 27 / CAP-0071 adds address-bound Soroban auth payloads via ENVELOPE_TYPE_SOROBAN_AUTHORIZATION_WITH_ADDRESS and introduces ADDRESS_V2 plus ADDRESS_WITH_DELEGATES credential types. Legacy ADDRESS remains valid during Protocol 27, but clients that inspect or sign auth entries should stop assuming every address credential uses the legacy arm.

The v16.0.0 RC of the Stellar JS SDK now exposes the relevant Protocol 27 auth surface, including regenerated CAP-71 XDR, buildAuthorizationEntryPreimage(), and buildWithDelegatesEntry(). This PR now validates against that RC directly and compares the kit's generated auth preimages with the SDK helper for legacy ADDRESS, ADDRESS_V2, and ADDRESS_WITH_DELEGATES entries.

Validation

  • pnpm install
  • pnpm exec tsc --noEmit --pretty false
  • pnpm test --run
  • pnpm run build
  • pnpm run build:demo

kalepail force-pushed the codex/protocol-27-auth-prep branch from 74371ff to d27c276 on June 5, 2026 15:57

kalepail (Owner, Author) commented Jun 5, 2026

Initial review follow-up:

The first review found two issues that are now addressed:

  • Hand-built auth entries should not automatically switch to ADDRESS_V2 just because a future SDK exposes that factory. ADDRESS_V2 now requires explicit opt-in.
  • P27 credential arms must not be signed with legacy auth bytes when address-bound preimage support is unavailable. These paths now fail closed with a clear SDK-support error.

Validation after this fix:

  • pnpm test --run
  • pnpm run build

kalepail force-pushed the codex/protocol-27-auth-prep branch from d27c276 to b920c5f on June 5, 2026 16:28

kalepail (Owner, Author) commented Jun 5, 2026

Protocol 27 hardening follow-up:

Additional review found and fixed several compatibility and migration concerns:

  • Widened Stellar SDK dependency and peer ranges so the package does not block the future SDK release that exposes Protocol 27 helpers.
  • Collapsed signature payload construction through the shared preimage helper to avoid duplicate feature-probe logic.
  • Moved expiration mutation after P27 preimage capability validation.
  • Added explicit invalid credential-version rejection for JavaScript callers.
  • Fail closed for ADDRESS_WITH_DELEGATES in WebAuthn signing, fundWallet, wallet address signing, and multi-signer signing until delegate-tree SDK support is available.
  • Improved too-old-SDK errors for ADDRESS_V2 and ADDRESS_WITH_DELEGATES accessors.

Deferred intentionally:

  • Native ADDRESS_WITH_DELEGATES support should be added once the SDK exposes delegated-entry helpers.
  • Positive ADDRESS_V2 / ADDRESS_WITH_DELEGATES byte-vector tests should be added once the SDK exposes real P27 fixtures.

Validation:

  • pnpm install
  • pnpm test --run
  • pnpm run build
  • git diff --check

kalepail force-pushed the codex/protocol-27-auth-prep branch from b920c5f to 6945546 on June 5, 2026 16:52

kalepail (Owner, Author) commented Jun 5, 2026

Expiration normalization follow-up:

A related Protocol 27 auth review highlighted that fallback signature expiration ledgers can become fractional before XDR serialization. This PR now applies the same hardening:

  • Added normalizeSignatureExpirationLedger().
  • Routed auth preimage construction, WebAuthn signing, wallet signer preimages, and kit-level calculated expirations through it.
  • Added regression tests for fractional expiration rounding and non-finite expiration rejection without mutating the entry.

Validation:

  • pnpm test --run src/kit/auth-payload.test.ts
  • pnpm test --run
  • pnpm run build
  • git diff --check

kalepail force-pushed the codex/protocol-27-auth-prep branch from 6945546 to 174fb73 on June 5, 2026 16:59

kalepail (Owner, Author) commented Jun 5, 2026

Final Protocol 27 auth review summary:

The PR matches the intended Protocol 27 auth split:

  • Legacy ADDRESS keeps the legacy Soroban authorization envelope.
  • ADDRESS_V2 and ADDRESS_WITH_DELEGATES use the address-bound envelope when the SDK exposes that surface.
  • WebAuthn, wallet/external signing, multi-signer, and fundWallet paths no longer assume credentials().address().
  • Unsupported delegate credential signing paths return or throw explicitly rather than writing signatures into the wrong slot.

Additional coverage added:

  • normalizeSignatureExpirationLedger() rejects negative and over-u32 expiration ledgers before auth-entry mutation.
  • Regression tests cover negative and oversized expiration values.

Validation:

  • pnpm test --run src/kit/auth-payload.test.ts
  • pnpm test --run
  • pnpm run build
  • git diff --check
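The expiration handling described in the two comments above (fractional rounding, non-finite rejection, and negative or over-u32 rejection before the auth entry is touched), as an added example that is not the kit's or the SDK's own code. The `AddressAuthEntryLike` shape, the rounding direction, and the 5-second ledger-time arithmetic are assumptions of this example.

```typescript
// Added example, not the kit's own code: normalize a signature expiration
// ledger before it is written into the u32 signatureExpirationLedger field
// of a Soroban address-credential auth entry.
const LEDGER_U32_MAX = 4294967295;

class InvalidSignatureExpirationLedgerError extends Error {
  constructor(value: unknown) {
    super(`invalid signatureExpirationLedger: ${String(value)}`);
    this.name = "InvalidSignatureExpirationLedgerError";
  }
}

// Returns an integer in [0, 2^32 - 1] or throws. Fractional values are
// rounded down so the signature never stays valid past the intended ledger
// (the rounding direction is an assumption of this example).
function normalizeSignatureExpirationLedger(value: number): number {
  if (typeof value !== "number" || !Number.isFinite(value)) {
    throw new InvalidSignatureExpirationLedgerError(value);
  }
  const ledger = Math.floor(value);
  if (ledger < 0 || ledger > LEDGER_U32_MAX) {
    throw new InvalidSignatureExpirationLedgerError(value);
  }
  return ledger;
}

// Hypothetical minimal stand-in for the SDK auth entry: only the field this
// example touches is modelled.
interface AddressAuthEntryLike {
  signatureExpirationLedger: number;
}

// Validate first, mutate second: a rejected value leaves the entry untouched.
function setSignatureExpirationLedger(
  entry: AddressAuthEntryLike,
  value: number,
): AddressAuthEntryLike {
  const ledger = normalizeSignatureExpirationLedger(value);
  entry.signatureExpirationLedger = ledger;
  return entry;
}

// Kit-style calculated expiration: current ledger plus a validity window,
// assuming roughly 5-second ledger close times. The division is where a
// fractional ledger number comes from in the first place.
function calculateExpirationLedger(currentLedger: number, validForSeconds: number): number {
  return normalizeSignatureExpirationLedger(currentLedger + validForSeconds / 5);
}
```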

kalepail (Owner, Author) commented Jun 8, 2026

Stellar SDK v16 RC validation update:

  • Upgraded the workspace validation target to @stellar/stellar-sdk@16.0.0-rc.1.
  • Switched auth preimage construction to prefer the SDK's canonical buildAuthorizationEntryPreimage() helper when present.
  • Added positive Protocol 27 coverage comparing kit-generated preimages with the SDK helper for legacy ADDRESS, ADDRESS_V2, and ADDRESS_WITH_DELEGATES entries.
  • Removed the demo's direct @stellar/stellar-base dependency and updated demo bundler config for the merged v16 SDK package layout.
  • Fixed demo TypeScript globals so the demo build passes with the RC.

Validation:

  • pnpm install
  • pnpm exec tsc --noEmit --pretty false
  • pnpm test --run
  • pnpm run build
  • pnpm run build:demo

kalepail (Owner, Author) commented Jun 8, 2026

Additional RC readiness pass:

  • Scanned the codebase against the v16 RC migration notes for direct @stellar/stellar-base imports, deep SDK imports, removed SDK subpaths, default SDK imports, old auth helper signatures, and affected transaction/server APIs. No additional code migrations were needed.
  • Explicitly included 16.0.0-rc.1 in the root package and bindings peer ranges so prerelease SDK consumers are admitted cleanly.
  • Cleaned up an invalid demo CSS selector surfaced by the production build.

Validation:

  • pnpm install
  • pnpm exec tsc --noEmit --pretty false
  • pnpm test --run
  • pnpm run build
  • pnpm run build:demo

kalepail (Owner, Author) commented Jun 8, 2026

Adversarial review follow-up:

  • Fixed a mixed passkey + delegated-wallet multi-signer path where the wallet signer placeholder could be written to an earlier auth-entry clone if passkey signing returned a replacement entry. The manager now reacquires credentials from the current signed entry before updating the final AuthPayload.
  • Added regression coverage for a passkey signer plus delegated wallet signer where signAuthEntry() returns a cloned auth entry.
  • Aligned indexer/demo with the SDK RC pin so its manifest matches the workspace's @stellar/stellar-sdk@16.0.0-rc.1 validation target.

Validation:

  • pnpm install
  • pnpm exec tsc --noEmit --pretty false
  • pnpm test --run
  • pnpm run build
  • pnpm run build:demo
  • pnpm --filter indexer-demo build
  • git diff --check
