feat: session key ACL, cargo-fuzz targets, Kani proofs, dApp connector

[Jaydbrown]

Closes #237

---

Closes #238

---

Closes #239

---

Closes #240

---

Summary

Implements four advanced features from the Drips Wave bounty criteria:

1 — Session Key ACL (contracts/invisible_wallet/src/session_key.rs)

A scoped session key system that lets agents and bots authorise a single
transfer(asset=USDC) call without holding a full passkey.

• New SessionKeyAcl struct: target_contract, selector, amount_cap, expiry
• register / revoke / enforce helpers backed by Soroban temporary storage
• __check_auth updated with a third dispatch path: BytesN<32> → session key
• New contract entrypoints: register_session_key, revoke_session_key
• New error variants: SessionKeyExpired = 19, SessionKeyAclViolation = 20
• Tests for every ACL field, expiry boundary, and unregistered key rejection

2 — Cargo-fuzz targets (contracts/fuzz/)

• fuzz_check_auth — drives the parsing layer of __check_auth with arbitrary
  blobs; catches off-by-one, unwrap-on-None, and integer overflow panics
• fuzz_webauthn — drives challenge-binding, origin-extraction, rpIdHash-length,
  and signature-format checks with arbitrary byte inputs
• Weekly CI schedule (.github/workflows/fuzz.yml) with 60 s runs; panics
  automatically open a GitHub issue with crash artifacts

3 — Kani proof harnesses (contracts/invisible_wallet/src/proofs.rs)

Three #[cfg(kani)] #[kani::proof] harnesses guarding security-critical invariants:

Harness	Invariant
proof_low_s_invariant	ECDSA s-value must be ≤ n/2 (low-S)
proof_nonce_monotonicity	Nonce increases by exactly 1 on each auth
proof_session_key_expiry	Keys rejected when now > expiry; valid at now == expiry

Documented in contracts/invisible_wallet/PROOFS.md.

4 — dApp connector (examples/dapp-connector/)

Chrome MV3 extension + reference dApp implementing a window.veil.request() API
modelled on EIP-1193. The dApp sends XDR payloads; the extension signs them in
the background service worker — private material never reaches the page.

Test plan

• cd contracts && cargo test — all existing tests pass; new session key tests pass
• cd contracts/fuzz && cargo fuzz run fuzz_check_auth -- -max_total_time=30 — no panics
• cd contracts/fuzz && cargo fuzz run fuzz_webauthn -- -max_total_time=30 — no panics
• cargo kani --harness proof_low_s_invariant (needs nightly + kani-verifier)
• Load examples/dapp-connector/ as an unpacked Chrome extension, open dapp/index.html, click Connect and Sign

[vercel]

@Jaydbrown is attempting to deploy a commit to the miracle656's projects Team on Vercel.

A member of the Team first needs to authorize it.

[drips-wave]

@Jaydbrown Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits