feat(audit): Stellar chain module cryptographic audit report and fixes

[Timrossid]

Summary

This PR delivers the independent cryptographic audit of the Stellar chain module (issue #55).

Deliverables

Audit report

\�udits/2026-06-author-stellar-module.md\ — covers every primitive in \src/chains/stellar/:

• 0 Critical, 0 High, 2 Medium, 2 Low, 9 Informational findings
• Cross-references RFC 8032 and noble-curves implementation
• Coordinated disclosure: no Critical/High findings

Findings & Fixes

Finding	Severity	Fix
signWithScalar nonce derivation	Medium	Documented deviation from RFC 8032 (necessary — no seed available)
Missing zero-scalar guard in signWithScalar	Medium	Added range check \scalar ∈ (0, L)\
Missing zero-scalar guard in deriveStealthPrivateScalar	Low	Added guard + skip in scanAnnouncements
Small-order point handling	Low	Graceful via try/catch (DoS only, no fund loss)
All other findings	Info	Verified correct (domain separation, LE encoding, bias, clamping)

Tests

• signWithScalar test vectors (17 tests): determinism, edge cases, scalar=0/L-1, empty/1MB messages, LE encoding, cross-validation with @noble/curves
• Clamping reproducer test in keys.test.ts
• signStellarTransaction cross-validation in spend.test.ts
• E2e signing step added to e2e.test.ts

Files changed

• \src/chains/stellar/scalar.ts\ — scalar range guard in signWithScalar
• \src/chains/stellar/scan.ts\ — skip zero-scalar candidates
• \src/chains/stellar/spend.ts\ — zero-scalar guard in deriveStealthPrivateScalar
• \ est/chains/stellar/signwithscalar-vectors.test.ts\ — new test file (17 test vectors)
• \ est/chains/stellar/keys.test.ts\ — clamping + domain separation reproducer tests
• \ est/chains/stellar/spend.test.ts\ — signStellarTransaction cross-validation
• \ est/chains/stellar/e2e.test.ts\ — signing step included in full flow
• \�udits/2026-06-author-stellar-module.md\ — full audit report

Closes #55

[drips-wave]

@Timrossid Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[truthixify]

The audit doc is solid. 13 findings with right severity tiers, the signWithScalar justification reads correctly, cross-validation tests are concrete. Good XL deliverable.

Same blocker as #88/#89/#91/#92: branch predates view-tag batching landing on develop, so the diff includes those files as conflicts.

git fetch origin
git rebase origin/develop
# during rebase, drop changes to src/chains/stellar/scan.ts, stealth.ts (the view-tag bits), test/chains/stellar/scan.test.ts, test/chains/stellar/bench/scan.bench.ts, docs/chains/stellar-view-tag-batching.md
# keep: audits/2026-06-author-stellar-module.md, test/chains/stellar/signwithscalar-vectors.test.ts, your spend.test.ts/keys.test.ts/e2e.test.ts additions, the scalar.ts 3-line fix, src/chains/stellar/spend.ts changes, the index.ts re-exports
git push --force-with-lease

Once rebased the audit + test fixtures land cleanly.

[truthixify]

Clean merge. The audit report (236 lines), view-tag-batching doc, scalar/scan/spend/stealth fixes, and signWithScalar vectors are exactly what we needed. Bench harness is a nice bonus. Thanks @Timrossid.