feat: add Soroban vault operations CLI

[carrion256]

Summary

Adds a new tmplr-soroban-vault CLI crate for deploying and operating Soroban vault deployments through the Stellar CLI.

The CLI includes typed deployment, curator, user, governance, share-token, and Blend adapter operations. It records deployment state in a manifest, reuses uploaded WASM by hash where possible, supports dry-run and machine-readable output modes, and adds a deployment-wide extend-ttl command for every TTL-capable contract in the manifest.

This also adds a Docker operator image at tools/soroban-vault-cli/Dockerfile. The image includes tmplr-soroban-vault, stellar-cli v26, Python for the runtime contractspec-strip step, and Rust toolchains/targets for stellar contract build so operators can run deployment flows from a container.

The curator proxy TTL gap is fixed: the proxy now has its own permissionless extend_ttl entrypoint and refreshes its instance TTL when initialized config is read, matching the 4626 proxy liveness pattern.

The CLI no longer requires or defaults a source account CLI argument. Operators can use the Stellar keystore/default identity via stellar keys use <identity>, or pass a non-secret identity alias/public account with --source-account/SOROBAN_IDENTITY. Explicit source-account overrides are provided to child stellar commands through a redacted STELLAR_ACCOUNT environment override instead of --source-account argv.

The CLI rejects obvious raw secret keys and seed phrases passed to --source-account, redacts source-account environment overrides from dry-run output and errors, zeroizes in-process override buffers after use, and scrubs source-account values from deployment manifests. If raw STELLAR_ACCOUNT is set directly for signing, the CLI refuses to derive admin/caller addresses from it because that Stellar subcommand would require placing the secret in child argv; operators must pass explicit public --admin/--caller values or use a keystore/default identity for that flow.

This update also adds safer operator and automation surfaces:

• Decimal amount flags such as --assets 1.25 --asset-decimals 7, --shares 10 --share-decimals manifest, and curator --amount 1.25 --asset-decimals 7 convert to raw contract units without floating point.
• Raw unit flags remain available for exact machine use, including --assets-raw, --shares-raw, and --amount-raw.
• Public TOML profiles via profile init <name> and --profile <name> can carry network/RPC/passphrase/state/workspace/config-dir/default public admin/caller/operator values without storing secrets.
• completions zsh|bash|fish and man generate shell completions and a roff manpage.
• Dangerous governance submissions for admin rotation, timelock changes, supply queue replacement, and fee updates print semantic old/new context in human mode and require --yes or interactive confirmation; JSON modes remain non-interactive.
• Deployment writes checkpoint the manifest after each artifact upload/reuse decision, contract deploy/import record, asset-token record, and successful initialize, so a failed later initialize leaves enough state to resume/reuse deployed IDs.n- Interactive human runs show a TTY progress bar across WASM upload/reuse, contract deployment/reuse, initialization, and adapter deployment stages; progress rendering is disabled for JSON, JSON-lines, dry-run, and non-TTY output.
• --json now emits a stable envelope with type, ok, network, manifest, commands, tx_hashes, warnings, and command-specific data or structured error.
• --json-lines emits the same newline-delimited envelope shape for automation that consumes long-running flows.
• Structured errors include codes such as missing_manifest_contract, mainnet_guard, secret_in_argv, invalid_args, and command_failed, including JSON parse-error output before clap exits.
• The output envelope schema is checked in at tools/soroban-vault-cli/schema/output.schema.json.
• Successful non-dry-run writes append richer manifest transaction records with timestamp, command/action, target contract/function when known, tx hash when visible, source public address when known, result status, and artifact hash when applicable.

This update also adds operator UX helpers:

• doctor checks Stellar CLI availability, configured network/passphrase/RPC, source identity availability without printing secrets, manifest writability, WASM artifact/build readiness, Docker mount health, and mainnet guard status.
• deploy plan stack and deploy plan adapters emit reuse/deploy/upload/manifest decisions and redacted Stellar command shapes without network writes or manifest changes.
• Governance planning helpers cover plan-accept, plan-submit-set-supply-queue, and plan-submit-set-timelock.
• Governance lifecycle helpers add queue, explain, accept-ready, and submit-and-wait flows with conservative decoding of pending proposal readiness.

Operator impact

• Deploy or import vault stacks and append Blend adapters without redeploying existing components.
• Resume deployments after mid-flow initialize failures using incrementally checkpointed manifest records.n- See visual progress across stack deployment stages in interactive terminals.
• Check local readiness before deployment with doctor.
• Plan deployments and common governance transactions before signing or mutating manifests.
• Run typed curator, user, governance, share-token, and adapter commands without hand-encoding compact payloads.
• Use human-scale decimal amount flags for operator workflows while preserving raw unit flags for scripts.
• Reduce repeated Docker/local flags with non-secret TOML profiles.
• Install shell completions and generate a manpage from the CLI.
• Consume stable JSON/JSON-lines envelopes and checked-in schema from automation.
• Inspect pending governance proposals, accept ready proposals in batches, and submit selected proposal types with wait-and-accept handling.
• Extend TTL across vault, governance, ERC-4626 proxy, curator proxy, share token, and all Blend adapters from one command.
• Report manifest entries skipped by TTL maintenance when they have no deployment-wide TTL entrypoint.
• Build and run a containerized CLI with mounted workspace, Stellar config, deployment state, and build outputs.
• Avoid accidental source-account leakage through shell history, dry-run output, error messages, or manifest persistence.
• Use manifest transaction history as a deployment audit trail for successful write operations.

Validation

• cargo fmt --package templar-curator-proxy-soroban --package templar-soroban-vault-cli --check
• cargo fmt --package templar-soroban-vault-cli --check
• cargo test -p templar-curator-proxy-soroban -- --nocapture (13 unit + 3 integration passed)
• cargo test -p templar-soroban-vault-cli -- --nocapture (45 passed)
• cargo clippy -p templar-curator-proxy-soroban --all-targets -- -D warnings
• cargo clippy -p templar-soroban-vault-cli --all-targets -- -D warnings (exits 0; repo-level unknown lint: clippy::ignore_without_reason warning remains)
• cargo run -q -p templar-soroban-vault-cli -- --json --source-account SC36XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX status (expected exit 2; emits secret_in_argv JSON envelope)
• TEMPLAR_SOROBAN_VAULT_PROFILE_DIR=$(mktemp -d) cargo run -q -p templar-soroban-vault-cli -- profile init testnet
• cargo run -q -p templar-soroban-vault-cli -- completions bash > <tempfile>
• cargo run -q -p templar-soroban-vault-cli -- man > <tempfile>
• docker build --check -f tools/soroban-vault-cli/Dockerfile .
• docker build --network=host -f tools/soroban-vault-cli/Dockerfile -t templar/soroban-vault-cli:codex .
• docker run --rm --network=none templar/soroban-vault-cli:codex --help
• Post-commit hook: Soroban size-budget-check passed (123720 bytes)

---

This change is 

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fe62c1d7-ebef-48ef-9ab5-c6ac26b8583e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/soroban-vault-cli

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}