Support auth credentials (CAP-71)

[quietbits]

Support delegated Soroban auth credentials (CAP-71)

Protocol 27 (CAP-71) introduced two new Soroban authorization credential
types alongside the legacy SOROBAN_CREDENTIALS_ADDRESS:

• SOROBAN_CREDENTIALS_ADDRESS_V2 — same fields as the legacy type, but
  binds the address into the signed payload.
• SOROBAN_CREDENTIALS_ADDRESS_WITH_DELEGATES — enables delegated signing
  through an account + delegate tree, where every signer commits to the
  top-level address in a shared payload.

Already done (as part of the JS SDK v16 / protocol 27 update)

Defensive handling so the Lab correctly processes whatever simulation
returns has shipped with the SDK v16 upgrade:

• Centralized credential-type classification (isAddressAuthEntry) so
  ADDRESS, ADDRESS_V2, and ADDRESS_WITH_DELEGATES entries are all
  detected as requiring a signature — only source-account credentials are
  treated as envelope-authorized.
• Auth signing flows ("Sign all" / "Sign individually") sign V2 entries
  instead of silently passing them through unsigned.
• Transaction dashboard reads address credentials from the legacy
  (address) and V2 (address_v2) shapes. Delegates entries are
  intentionally left for this issue (see below).
• Unit coverage for the classifier + an e2e regression test for V2
  auth-entry detection.

Note: confirmed against live testnet — protocol 27 is active, but
simulation still returns legacy ADDRESS credentials by default (the SDK's
authV2 flag defaults to false until CAP-71 activation makes V2
mandatory). The work above is forward-compatible for when that default flips.

Remaining (this issue)

Building and signing the new credential types is account-specific policy the
client must drive — simulation never emits the delegates variant on its own.
This is net-new functionality, not a compatibility fix:

• Opt into ADDRESS_V2 — surface authV2: true when signing auth
  entries on CAP-71-activated networks (authorizeEntry / authorizeInvocation).
• Construct delegates entries — UI to wrap an ADDRESS/ADDRESS_V2
  entry into ADDRESS_WITH_DELEGATES with a delegate tree, via
  buildWithDelegatesEntry() (handles sorting/dedup per CAP-71-01).
• Route delegate signatures — sign individual delegate nodes using
  authorizeEntry(..., forAddress), or drive signing externally with the
  shared payload from buildAuthorizationEntryPreimage().
• Display delegate trees — render the delegate structure and per-node
  signature status in the auth-entry / dashboard views. Must parse the
  delegate tree recursively: for accounts that authorize purely via
  delegates, the top-level address_credentials.signature is Void and the
  real signatures live under delegates[*].signature (and nested delegates).
  The current dashboard parser unwraps only the top-level credentials, so
  delegated-only entries would otherwise be silently omitted.
• Decide UX for gating these on network protocol version (only valid on
  protocol 27+ networks).

References

• JS SDK protocol 27 Soroban auth guide
• CAP-71 / CAP-71-01