
Commit c925646

mootz12 and fnando authored
Validate auth entries before signing (#2530)
### What

The CLI currently relies on the RPC to check that no non-root auths are included in simulation results. This PR adds an explicit, per-entry validation step inside `sign_soroban_authorizations` that classifies every `Address`-credential auth entry against the transaction's host function before signing. Entries that don't match the host function exactly require approval. This approval can be bypassed with a `--force` flag.

Example output:

```
$ stellar contract invoke --source alice --id CA3WF5KPVE2TXQQSOEQPVD3J6GIZ7G74UA2H7BNQMHBQPOON6XV4PHT4 -- diff_auth_sub_auth --addr bob --val "Test" --subcall CAXDPLG2XWFA3LI3SUDG7AIQ7MF7ZJMFBEQYRGTZIGLT7OLZ243IU3FE
ℹ️ Simulating transaction…
⚠️ Authorization entry does not match the current contract call, and needs approval:
Auth Entry:
  Signer: GCFEAQ5A5BOO4NYTCDN63TF2UX2DS3T3KLNZDHPDPC3IVGCPR37RSRCC
  Invocation:
    Contract: CA3WF5KPVE2TXQQSOEQPVD3J6GIZ7G74UA2H7BNQMHBQPOON6XV4PHT4
    Fn: diff_auth_sub_auth
    Args: "1" "2"
    Sub-invocation #0:
      Contract: CAXDPLG2XWFA3LI3SUDG7AIQ7MF7ZJMFBEQYRGTZIGLT7OLZ243IU3FE
      Fn: do_auth
      Args: "GCFEAQ5A5BOO4NYTCDN63TF2UX2DS3T3KLNZDHPDPC3IVGCPR37RSRCC" Test
⚠️ Sign this authorization entry? (y/N) y
ℹ️ Signing transaction: ebf3db4651a6cd77ed8a9f2782938eaedd1603e4942a9ceab99b467dd8c04f40
🌎 Sending transaction…
✅ Transaction submitted successfully!
"Test"
```

If the CLI is invoked in a non-interactive location and the force flag is not present, it will fail:

```
$ echo | stellar contract invoke --source alice --id CA3WF5KPVE2TXQQSOEQPVD3J6GIZ7G74UA2H7BNQMHBQPOON6XV4PHT4 -- diff_auth_sub_auth --addr bob --val "Test" --subcall CAXDPLG2XWFA3LI3SUDG7AIQ7MF7ZJMFBEQYRGTZIGLT7OLZ243IU3FE
ℹ️ Simulating transaction…
⚠️ Authorization entry does not match the current contract call, and needs approval:
Auth Entry:
  Signer: GCFEAQ5A5BOO4NYTCDN63TF2UX2DS3T3KLNZDHPDPC3IVGCPR37RSRCC
  Invocation:
    Contract: CA3WF5KPVE2TXQQSOEQPVD3J6GIZ7G74UA2H7BNQMHBQPOON6XV4PHT4
    Fn: diff_auth_sub_auth
    Args: "1" "2"
    Sub-invocation #0:
      Contract: CAXDPLG2XWFA3LI3SUDG7AIQ7MF7ZJMFBEQYRGTZIGLT7OLZ243IU3FE
      Fn: do_auth
      Args: "GCFEAQ5A5BOO4NYTCDN63TF2UX2DS3T3KLNZDHPDPC3IVGCPR37RSRCC" Test
❌ error: An authorization entry requires confirmation, but stdin is not interactive. Rerun with --force to sign anyway.
```

### Why

The CLI eagerly signs authorization entries returned from the user-specified RPC. If an unsafe auth entry is included, the user might unexpectedly sign for something they did not intend. This check ensures everything the CLI signs automatically is bound to the exact host function invocation in the transaction.

Close stellar/stellar-cli-internal#50

### Known limitations

#### `require_auth_for_args` for non-source accounts

The check flags contracts that use `require_auth_for_args(custom_args)` at the root for non-source accounts. The auth tree's root carries `custom_args`, not the host function's args, so the strict-match check fails even though the auth is genuinely rooted at the operation. A tampered auth entry with the same custom args at root could otherwise be signed and replayed. Source-account auth via `SorobanCredentials::SourceAccount` is unaffected.

---------

Co-authored-by: Nando Vieira <me@fnando.com>
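As an added illustration (not code from the stellar-cli repository), the check the commit message describes reduced to its essentials: an auth entry's root invocation tree is compared structurally with the transaction's host function, only an exact match is signed unprompted, and a mismatch is prompted for on an interactive terminal, refused on piped stdin, or signed only under `--force`. The `Invocation`, `AuthEntry`, `classify` and `decide` types and functions, the `C_ROOT`/`C_SUB`/`G_BOB` identifiers and the argument values are all constructed for this example; the real CLI operates on the XDR auth-entry types. The third sample entry reproduces the known limitation: a root built from `require_auth_for_args(custom_args)` is flagged even though it is rooted at the operation.

```rust
// Added illustration of the per-entry check described in the commit message; not
// stellar-cli code. XDR types are replaced by small hypothetical structs so it runs alone.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Invocation {
    pub contract: String,
    pub function: String,
    pub args: Vec<String>,
    pub sub_invocations: Vec<Invocation>,
}

impl Invocation {
    pub fn new(contract: &str, function: &str, args: &[&str], subs: Vec<Invocation>) -> Self {
        Invocation {
            contract: contract.to_string(),
            function: function.to_string(),
            args: args.iter().map(|a| a.to_string()).collect(),
            sub_invocations: subs,
        }
    }
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Credentials {
    SourceAccount,              // covered by the envelope signature; nothing extra to sign
    Address { signer: String }, // signed per entry (hypothetical: a key id string)
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuthEntry {
    pub credentials: Credentials,
    pub root_invocation: Invocation,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Classification {
    NotSigned,           // SourceAccount credential
    MatchesHostFunction, // root tree equals the host function exactly
    NeedsApproval,       // anything else the RPC handed back
}

// "Exactly" means the whole tree: contract, function, args and every
// sub-invocation in order, so structural equality is the entire check.
pub fn classify(entry: &AuthEntry, host_fn: &Invocation) -> Classification {
    match entry.credentials {
        Credentials::SourceAccount => Classification::NotSigned,
        Credentials::Address { .. } if entry.root_invocation == *host_fn => {
            Classification::MatchesHostFunction
        }
        Credentials::Address { .. } => Classification::NeedsApproval,
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Decision {
    Skip,   // not an Address entry
    Sign,   // sign without asking
    Prompt, // interactive stdin: ask "Sign this authorization entry? (y/N)"
    Fail,   // piped stdin and no --force: refuse rather than sign blindly
}

pub fn decide(class: Classification, stdin_interactive: bool, force: bool) -> Decision {
    match class {
        Classification::NotSigned => Decision::Skip,
        Classification::MatchesHostFunction => Decision::Sign,
        Classification::NeedsApproval if force => Decision::Sign,
        Classification::NeedsApproval if stdin_interactive => Decision::Prompt,
        Classification::NeedsApproval => Decision::Fail,
    }
}

// Constructed sample shaped like the diff_auth_sub_auth -> do_auth flow in the
// commit message. Contract ids and the signer are placeholders, not real addresses.
pub fn sample_host_fn() -> Invocation {
    let sub = Invocation::new("C_SUB", "do_auth", &["G_BOB", "Test"], vec![]);
    Invocation::new("C_ROOT", "diff_auth_sub_auth", &["1", "2"], vec![sub])
}

pub fn address_entry(signer: &str, root: Invocation) -> AuthEntry {
    AuthEntry { credentials: Credentials::Address { signer: signer.to_string() }, root_invocation: root }
}

fn main() {
    let host_fn = sample_host_fn();
    let honest = address_entry("G_BOB", sample_host_fn());
    // Same shape, different sub-call argument: must not be signed unprompted.
    let tampered_sub = Invocation::new("C_SUB", "do_auth", &["G_BOB", "Drain"], vec![]);
    let tampered = address_entry("G_BOB",
        Invocation::new("C_ROOT", "diff_auth_sub_auth", &["1", "2"], vec![tampered_sub]));
    // require_auth_for_args(custom_args) at the root: rooted at the operation, yet
    // flagged because the args differ (the known limitation in the message).
    let custom = address_entry("G_BOB",
        Invocation::new("C_ROOT", "diff_auth_sub_auth", &["custom"], vec![]));
    for (name, e) in [("honest", &honest), ("tampered", &tampered), ("custom_args", &custom)] {
        let c = classify(e, &host_fn);
        println!("{name:12} {c:?}: tty={:?} piped={:?} force={:?}",
            decide(c, true, false), decide(c, false, false), decide(c, false, true));
    }
}
```

Because the comparison is plain structural equality, any divergence anywhere in the tree (a different sub-call argument, an extra sub-invocation, a swapped contract id) drops the entry into `NeedsApproval`; that is what makes the check conservative, and also why the `custom_args` root is a false positive rather than a gap.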
1 parent 2f81472 commit c925646

16 files changed

Lines changed: 1386 additions & 24 deletions

File tree

Cargo.lock

Lines changed: 7 additions & 0 deletions

FULL_HELP_DOCS.md

Lines changed: 54 additions & 0 deletions

cmd/crates/soroban-test/src/lib.rs

Lines changed: 1 addition & 0 deletions
@@ -278,6 +278,7 @@ impl TestEnv {
278278
hd_path: None,
279279
sign_with_lab: false,
280280
sign_with_ledger: false,
281+
auto_sign: false,
281282
},
282283
fee: None,
283284
inclusion_fee: None,
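Review bot: `auto_sign: false` is the right conservative default for the test environment, but it is the only reference to the new field in this file and nothing in the hunk shows what it maps to; a doc comment on the field in its struct definition (stating that it corresponds to the `--force` behaviour described in the commit message, if that is the case) would save readers from guessing, and a soroban-test case that pipes stdin and expects the "stdin is not interactive. Rerun with --force" error would exercise the new failure path rather than only the default.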
Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
[package]
2+
name = "test_auth"
3+
version = "25.2.0"
4+
authors = ["Stellar Development Foundation <info@stellar.org>"]
5+
license = "Apache-2.0"
6+
edition = "2021"
7+
publish = false
8+
9+
[lib]
10+
crate-type = ["cdylib", "rlib"]
11+
doctest = false
12+
13+
[dependencies]
14+
soroban-sdk = { workspace = true }
15+
16+
[dev-dependencies]
17+
soroban-sdk = { workspace = true, features = ["testutils"]}
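Review bot: style nit on the last line of the hunk: `soroban-sdk = { workspace = true, features = ["testutils"]}` is missing the space before the closing brace that the `[dependencies]` entry above it uses (`soroban-sdk = { workspace = true }`); also, the manifest carries no `description`, so a one-line comment stating that `test_auth` exists only as a fixture for the auth-entry validation added in this PR would help the next reader understand why it is in the workspace.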
