feat: add reproducible build and attestation pipeline for stellar con…

[Amarjeet325]

Description

This PR implements the reproducible build attestation pipeline to ensure that the Wasm deployed on the Stellar network can be mathematically proven to match a specific commit in this repository.

Resolves #19

Changes Included

• Pinned Toolchain: Added rust-toolchain.toml to pin the Rust version and wasm32-unknown-unknown target.
• Deterministic Docker Build: Added a Dockerfile based on debian:bookworm-slim (pinned by sha256) and a build.sh script to cleanly compile and optimize the Stellar contracts.
• Attestation Generation: The build process now outputs an attestation.json manifest containing the Git commit hash, toolchain versions, and the SHA256 hashes of the resulting Wasm files.
• CI Pipeline: Added .github/workflows/stellar-attestation.yml to automatically build the container on new version tags, sign the attestation using Sigstore/Cosign (keyless OIDC), and publish the artifacts to GitHub Releases.
• Verification Script: Added a Node.js verification script (pnpm verify:stellar-deployment) that fetches the on-chain Wasm hash via the Stellar RPC and compares it to the published attestation.
• Threat Model: Added THREAT_MODEL.md outlining the exact security guarantees and limitations of this pipeline.

How to Verify

1. Checkout this branch and navigate to contracts/stellar.
2. Run pnpm install.
3. Test the verification script locally (you can mock an attestation.json or run against a test deployment):

   pnpm verify:stellar-deployment --contract wraith-names --id <CONTRACT_ID> --network futurenet --commit <COMMIT_HASH>

[drips-wave]

@Amarjeet325 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[Amarjeet325]

Hello @truthixify, please recheck my PR and close it.....#19

[truthixify]

The reproducible-build deliverables are exactly what issue #19 asked for: pinned toolchain, the Dockerfile, the build script, a verify.js for offline verification, and the THREAT_MODEL.md. This is the kind of audit-grade pipeline we need before mainnet.

Blocker: your branch is off pre-develop main, so the diff currently removes social-recovery test snapshots and the property-test harness from wraith-names. Net 15,912 line deletions. Could you rebase?

git fetch origin
git rebase origin/develop
git push --force-with-lease

After the rebase, the diff should only show your additions under stellar/build/ plus the stellar/package.json edit. Thanks @Amarjeet325.

[truthixify]

Rebase is clean, just your 7 build/attestation files plus the CI workflow. Pinned toolchain, Dockerfile, build.sh, verify.js, threat model doc, all there. Merging. Thanks @Amarjeet325.