Construct Soroban auth and footprint natively, simulate only for fee

Auth entries and ledger footprint are now constructed deterministically
in the builder — no untrusted data from external RPC is embedded in the
signed transaction. Only the resource fee estimate comes from Soroban
simulation (when secondary_url is configured), with a conservative
fallback of 100k stroops if unavailable.

SorobanResourceFee is exposed in TxInput so it participates in
GetFeeLimit() and SetGasFeePriority() correctly.

Author: cordialsys-agent

chain/xlm/builder/builder.go

@@ -219,7 +219,7 @@ func (builder TxBuilder) Transfer(args xcbuilder.TransferArgs, input xc.TxInput)
 
 // buildSACTransfer builds an InvokeHostFunction operation that calls the SAC transfer function.
 // The SAC transfer signature is: transfer(from: Address, to: Address, amount: i128)
-// The SAC contract is derived from the token asset code + issuer.
+// All Soroban data (auth, footprint, resources) is constructed natively — no simulation RPC needed.
 func (builder TxBuilder) buildSACTransfer(args xcbuilder.TransferArgs, txInput *TxInput, from xc.Address, to xc.Address) (*xdr.OperationBody, *xdr.SorobanTransactionData, error) {
 	// Derive the SAC contract address from the token asset
 	contract, ok := args.GetContract()
@@ -266,32 +266,99 @@ func (builder TxBuilder) buildSACTransfer(args xcbuilder.TransferArgs, txInput *
 		return nil, nil, fmt.Errorf("failed to create host function: %w", err)
 	}
 
-	// Parse Soroban auth entries from simulation
-	var authEntries []xdr.SorobanAuthorizationEntry
-	for _, authBytes := range txInput.SorobanAuth {
-		var entry xdr.SorobanAuthorizationEntry
-		if err := entry.UnmarshalBinary(authBytes); err != nil {
-			return nil, nil, fmt.Errorf("failed to unmarshal soroban auth entry: %w", err)
-		}
-		authEntries = append(authEntries, entry)
+	// Construct auth entry natively.
+	// For SAC transfer where sender = transaction source, credentials are SOURCE_ACCOUNT
+	// and the invocation is the transfer call with no sub-invocations.
+	contractFn, err := xdr.NewSorobanAuthorizedFunction(
+		xdr.SorobanAuthorizedFunctionTypeSorobanAuthorizedFunctionTypeContractFn,
+		invokeArgs,
+	)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to create authorized function: %w", err)
+	}
+	authEntry := xdr.SorobanAuthorizationEntry{
+		Credentials: xdr.SorobanCredentials{
+			Type: xdr.SorobanCredentialsTypeSorobanCredentialsSourceAccount,
+		},
+		RootInvocation: xdr.SorobanAuthorizedInvocation{
+			Function:       contractFn,
+			SubInvocations: nil,
+		},
 	}
 
 	invokeOp := xdr.InvokeHostFunctionOp{
 		HostFunction: hostFn,
-		Auth:         authEntries,
+		Auth:         []xdr.SorobanAuthorizationEntry{authEntry},
 	}
 
 	opBody, err := xdr.NewOperationBody(xdr.OperationTypeInvokeHostFunction, invokeOp)
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create invoke host function operation: %w", err)
 	}
 
-	// Parse Soroban transaction data from simulation
-	var sorobanData xdr.SorobanTransactionData
-	if len(txInput.SorobanData) > 0 {
-		if err := sorobanData.UnmarshalBinary(txInput.SorobanData); err != nil {
-			return nil, nil, fmt.Errorf("failed to unmarshal soroban transaction data: %w", err)
-		}
+	// Construct the ledger footprint natively.
+	// SAC transfer touches:
+	//   ReadOnly: SAC contract instance
+	//   ReadWrite: sender's trustline (G-addr balance), receiver's contract data (C-addr balance)
+	fromAccountId, err := xdr.AddressToAccountId(string(from))
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse from account: %w", err)
+	}
+	toContractAddr, err := common.ScAddressFromString(string(to))
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse to contract address: %w", err)
+	}
+
+	// SAC contract instance key
+	sacInstanceKey := xdr.LedgerKey{
+		Type: xdr.LedgerEntryTypeContractData,
+		ContractData: &xdr.LedgerKeyContractData{
+			Contract:   contractAddr,
+			Key:        xdr.ScVal{Type: xdr.ScValTypeScvLedgerKeyContractInstance},
+			Durability: xdr.ContractDataDurabilityPersistent,
+		},
+	}
+
+	// Sender's classic trustline (SAC uses TrustLine entries for G-address balances)
+	senderTrustlineKey := xdr.LedgerKey{
+		Type: xdr.LedgerEntryTypeTrustline,
+		TrustLine: &xdr.LedgerKeyTrustLine{
+			AccountId: fromAccountId,
+			Asset:     xdrAsset.ToTrustLineAsset(),
+		},
+	}
+
+	// Receiver's contract balance (SAC uses ContractData for C-address balances)
+	// Key format: Vec[Symbol("Balance"), Address(to)]
+	balanceSym := common.ScValSymbol("Balance")
+	toAddrScVal := xdr.ScVal{Type: xdr.ScValTypeScvAddress, Address: &toContractAddr}
+	balanceVec := xdr.ScVec{balanceSym, toAddrScVal}
+	balanceVecPtr := &balanceVec
+	receiverBalanceKey := xdr.LedgerKey{
+		Type: xdr.LedgerEntryTypeContractData,
+		ContractData: &xdr.LedgerKeyContractData{
+			Contract: contractAddr,
+			Key: xdr.ScVal{
+				Type: xdr.ScValTypeScvVec,
+				Vec:  &balanceVecPtr,
+			},
+			Durability: xdr.ContractDataDurabilityPersistent,
+		},
+	}
+
+	// Conservative resource limits for SAC transfer.
+	// These are upper bounds — unused portions of refundable fees are returned.
+	sorobanData := xdr.SorobanTransactionData{
+		Resources: xdr.SorobanResources{
+			Footprint: xdr.LedgerFootprint{
+				ReadOnly:  []xdr.LedgerKey{sacInstanceKey},
+				ReadWrite: []xdr.LedgerKey{senderTrustlineKey, receiverBalanceKey},
+			},
+			Instructions:  500_000,
+			DiskReadBytes: 2000,
+			WriteBytes:    500,
+		},
+		ResourceFee: xdr.Int64(txInput.SorobanResourceFee),
 	}
 
 	return &opBody, &sorobanData, nil

chain/xlm/client/client.go

@@ -24,6 +24,7 @@ import (
 	"github.com/cordialsys/crosschain/client/errors"
 	txinfo "github.com/cordialsys/crosschain/client/tx_info"
 	xctypes "github.com/cordialsys/crosschain/client/types"
+	"github.com/sirupsen/logrus"
 	"github.com/stellar/go-stellar-sdk/xdr"
 )
 
@@ -108,6 +109,14 @@ func (client *Client) FetchTransferInput(ctx context.Context, args xcbuilder.Tra
 		// Contract addresses require Soroban SAC invocation — skip account existence check.
 		// The builder will use InvokeHostFunction instead of Payment.
 		txInput.DestinationFunded = true
+		// Conservative default resource fee for Soroban SAC transfers.
+		txInput.SorobanResourceFee = 100_000
+		// If Soroban RPC is configured, simulate to get an accurate resource fee.
+		if sorobanUrl := config.SecondaryURL; sorobanUrl != "" {
+			if err := client.estimateSorobanResourceFee(sorobanUrl, args, txInput); err != nil {
+				logrus.WithError(err).Warn("soroban simulation failed, using default resource fee")
+			}
+		}
 	} else {
 		// Check if destination account exists on the network.
 		// Stellar requires CreateAccount for new accounts instead of Payment.
@@ -173,19 +182,6 @@ func (client *Client) FetchTransferInput(ctx context.Context, args xcbuilder.Tra
 	}
 
 	txInput.TransactionActiveTime = config.TransactionActiveTime
-
-	// For Soroban SAC transfers (C-address destinations), simulate the transaction
-	// to get resource fees and authorization entries.
-	if common.IsContractAddress(args.GetTo()) {
-		sorobanUrl := config.SecondaryURL
-		if sorobanUrl == "" {
-			return nil, fmt.Errorf("soroban rpc url is required for contract address transfers (set secondary_url in chain config)")
-		}
-		if err := client.simulateSorobanTransfer(sorobanUrl, args, txInput); err != nil {
-			return nil, fmt.Errorf("soroban simulation failed: %w", err)
-		}
-	}
-
 	return txInput, nil
 }