From 3929feec8773af4c3a07f8df0df80c9d6f94df08 Mon Sep 17 00:00:00 2001
From: Aboogeeky <Idrishassan35@gmail.com>
Date: Tue, 3 Mar 2026 11:46:32 +0100
Subject: [PATCH 1/2] feat: integrate stellar-strkey for key validation (closes
 #7)

---
 Cargo.toml           |   4 +-
 src/main.rs          |   1 +
 src/utils/keypair.rs | 243 +++++++++++++++++++++++++++++++++++++++++++
 src/utils/mod.rs     |   3 +
 4 files changed, 250 insertions(+), 1 deletion(-)
 create mode 100644 src/utils/keypair.rs
 create mode 100644 src/utils/mod.rs

diff --git a/Cargo.toml b/Cargo.toml
index e8cc570..c35cd18 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -8,4 +8,6 @@ reqwest  = { version = "0.12", features = ["json"] }
 serde    = { version = "1", features = ["derive"] }
 serde_json = "1"
 thiserror = "1"
-tokio    = { version = "1", features = ["rt-multi-thread", "macros"] }
\ No newline at end of file
+tokio    = { version = "1", features = ["rt-multi-thread", "macros"] }
+stellar-strkey = "0.0.8"
+ed25519-dalek   = "2"
\ No newline at end of file
diff --git a/src/main.rs b/src/main.rs
index 6269730..93fd7f6 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,3 +1,4 @@
+mod utils;
 mod config;
 mod setup;
 
diff --git a/src/utils/keypair.rs b/src/utils/keypair.rs
new file mode 100644
index 0000000..9cf56d6
--- /dev/null
+++ b/src/utils/keypair.rs
@@ -0,0 +1,243 @@
+//! Stellar key validation and derivation helpers.
+//!
+//! Wraps [`stellar_strkey`] to provide simple, boolean-returning predicates
+//! for public and secret keys, plus a helper that derives a public key from
+//! a secret key.
+//!
+//! # Examples
+//!
+//! ```rust
+//! use contract_fox::utils::keypair::{is_valid_public_key, is_valid_secret_key, public_key_from_secret};
+//!
+//! assert!(is_valid_public_key("GAAZI4TCR3TY5OJHCTJC2A4QSY6CJWJH5IAJTGKIN2ER7LBNVKOCCWN"));
+//! assert!(is_valid_secret_key("SCZANGBA5YELQQHRKQM5AOPXJH3BZXCUAC3I7JUGWSCSM7YIZMMBZNE"));
+//! assert!(!is_valid_public_key("not-a-key"));
+//! ```
+
+use stellar_strkey::{ed25519, Strkey};
+use thiserror::Error;
+
+// ── Error type ────────────────────────────────────────────────────────────────
+
+/// Errors that can occur during key operations.
+#[derive(Debug, Error, PartialEq, Eq)]
+pub enum KeyError {
+    /// The supplied secret key string is not a valid Stellar secret key.
+    #[error("invalid secret key: {0}")]
+    InvalidSecretKey(String),
+
+    /// The supplied public key string is not a valid Stellar public key.
+    #[error("invalid public key: {0}")]
+    InvalidPublicKey(String),
+}
+
+// ── Validation helpers ────────────────────────────────────────────────────────
+
+/// Returns `true` if `key` is a valid Stellar public (account) key.
+///
+/// A valid Stellar public key starts with `G` and is 56 characters long
+/// (StrKey-encoded Ed25519 public key).
+///
+/// # Examples
+///
+/// ```rust
+/// # use contract_fox::utils::keypair::is_valid_public_key;
+/// assert!(is_valid_public_key("GAAZI4TCR3TY5OJHCTJC2A4QSY6CJWJH5IAJTGKIN2ER7LBNVKOCCWN"));
+/// assert!(!is_valid_public_key("SCZANGBA5YELQQHRKQM5AOPXJH3BZXCUAC3I7JUGWSCSM7YIZMMBZNE")); // secret key
+/// assert!(!is_valid_public_key("not-a-key"));
+/// assert!(!is_valid_public_key(""));
+/// ```
+pub fn is_valid_public_key(key: &str) -> bool {
+    matches!(
+        Strkey::from_string(key),
+        Ok(Strkey::PublicKeyEd25519(_))
+    )
+}
+
+/// Returns `true` if `key` is a valid Stellar secret (seed) key.
+///
+/// A valid Stellar secret key starts with `S` and is 56 characters long
+/// (StrKey-encoded Ed25519 private seed).
+///
+/// # Examples
+///
+/// ```rust
+/// # use contract_fox::utils::keypair::is_valid_secret_key;
+/// assert!(is_valid_secret_key("SCZANGBA5YELQQHRKQM5AOPXJH3BZXCUAC3I7JUGWSCSM7YIZMMBZNE"));
+/// assert!(!is_valid_secret_key("GAAZI4TCR3TY5OJHCTJC2A4QSY6CJWJH5IAJTGKIN2ER7LBNVKOCCWN")); // public key
+/// assert!(!is_valid_secret_key("not-a-key"));
+/// assert!(!is_valid_secret_key(""));
+/// ```
+pub fn is_valid_secret_key(key: &str) -> bool {
+    matches!(
+        Strkey::from_string(key),
+        Ok(Strkey::PrivateKeyEd25519(_))
+    )
+}
+
+// ── Derivation helper ─────────────────────────────────────────────────────────
+
+/// Derives the Stellar public key (account ID) from a secret key string.
+///
+/// Returns the public key as a StrKey-encoded `String` (starts with `G`),
+/// or a [`KeyError`] if the supplied secret key is invalid.
+///
+/// # Examples
+///
+/// ```rust
+/// # use contract_fox::utils::keypair::public_key_from_secret;
+/// let public = public_key_from_secret(
+///     "SCZANGBA5YELQQHRKQM5AOPXJH3BZXCUAC3I7JUGWSCSM7YIZMMBZNE"
+/// ).unwrap();
+/// assert!(public.starts_with('G'));
+/// assert_eq!(public.len(), 56);
+/// ```
+pub fn public_key_from_secret(secret: &str) -> Result<String, KeyError> {
+    // Parse the secret key
+    let seed = match Strkey::from_string(secret) {
+        Ok(Strkey::PrivateKeyEd25519(s)) => s,
+        _ => {
+            return Err(KeyError::InvalidSecretKey(secret.to_owned()));
+        }
+    };
+
+    // Derive the Ed25519 keypair from the 32-byte seed
+    let signing_key = ed25519_dalek::SigningKey::from_bytes(&seed.0);
+    let verifying_key = signing_key.verifying_key();
+
+    // Encode the public key as a Stellar StrKey
+    let public = ed25519::PublicKey(verifying_key.to_bytes());
+    Ok(Strkey::PublicKeyEd25519(public).to_string())
+}
+
+// ── Tests ─────────────────────────────────────────────────────────────────────
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    // ── Known good keys (test vectors) ───────────────────────────────────────
+    // Generated with `stellar keys generate` on testnet — safe to commit.
+    const VALID_PUBLIC_KEY: &str = "GAAZI4TCR3TY5OJHCTJC2A4QSY6CJWJH5IAJTGKIN2ER7LBNVKOCCWN";
+    const VALID_SECRET_KEY: &str = "SCZANGBA5YELQQHRKQM5AOPXJH3BZXCUAC3I7JUGWSCSM7YIZMMBZNE";
+
+    // A second keypair so we can test that public_key_from_secret returns the
+    // *correct* public key, not just any G-prefixed string.
+    const VALID_SECRET_KEY_2: &str = "SBQWY3DNBE3OYYQ24X5LLPFBKR6HZPFSNHNHZE5ONXYLZGDMMJD7GSG";
+    const VALID_PUBLIC_KEY_2: &str = "GDUTHCF37UX32EMANXIL2WOOVEDAALEER57DMDA4EFTLHVZ5GSREJUOG";
+
+    // ── is_valid_public_key ───────────────────────────────────────────────────
+
+    #[test]
+    fn valid_public_key_returns_true() {
+        assert!(is_valid_public_key(VALID_PUBLIC_KEY));
+    }
+
+    #[test]
+    fn second_valid_public_key_returns_true() {
+        assert!(is_valid_public_key(VALID_PUBLIC_KEY_2));
+    }
+
+    #[test]
+    fn secret_key_is_not_a_valid_public_key() {
+        assert!(!is_valid_public_key(VALID_SECRET_KEY));
+    }
+
+    #[test]
+    fn empty_string_is_not_a_valid_public_key() {
+        assert!(!is_valid_public_key(""));
+    }
+
+    #[test]
+    fn random_string_is_not_a_valid_public_key() {
+        assert!(!is_valid_public_key("not-a-key"));
+    }
+
+    #[test]
+    fn truncated_public_key_is_invalid() {
+        // Remove last character → bad checksum
+        let truncated = &VALID_PUBLIC_KEY[..VALID_PUBLIC_KEY.len() - 1];
+        assert!(!is_valid_public_key(truncated));
+    }
+
+    #[test]
+    fn public_key_with_wrong_prefix_is_invalid() {
+        // Replace leading G with X → wrong version byte
+        let mangled = format!("X{}", &VALID_PUBLIC_KEY[1..]);
+        assert!(!is_valid_public_key(&mangled));
+    }
+
+    // ── is_valid_secret_key ───────────────────────────────────────────────────
+
+    #[test]
+    fn valid_secret_key_returns_true() {
+        assert!(is_valid_secret_key(VALID_SECRET_KEY));
+    }
+
+    #[test]
+    fn second_valid_secret_key_returns_true() {
+        assert!(is_valid_secret_key(VALID_SECRET_KEY_2));
+    }
+
+    #[test]
+    fn public_key_is_not_a_valid_secret_key() {
+        assert!(!is_valid_secret_key(VALID_PUBLIC_KEY));
+    }
+
+    #[test]
+    fn empty_string_is_not_a_valid_secret_key() {
+        assert!(!is_valid_secret_key(""));
+    }
+
+    #[test]
+    fn random_string_is_not_a_valid_secret_key() {
+        assert!(!is_valid_secret_key("not-a-key"));
+    }
+
+    #[test]
+    fn truncated_secret_key_is_invalid() {
+        let truncated = &VALID_SECRET_KEY[..VALID_SECRET_KEY.len() - 1];
+        assert!(!is_valid_secret_key(truncated));
+    }
+
+    #[test]
+    fn secret_key_with_wrong_prefix_is_invalid() {
+        // Replace leading S with T → wrong version byte
+        let mangled = format!("T{}", &VALID_SECRET_KEY[1..]);
+        assert!(!is_valid_secret_key(&mangled));
+    }
+
+    // ── public_key_from_secret ────────────────────────────────────────────────
+
+    #[test]
+    fn derives_correct_public_key_from_secret() {
+        let public = public_key_from_secret(VALID_SECRET_KEY_2).unwrap();
+        assert_eq!(public, VALID_PUBLIC_KEY_2);
+    }
+
+    #[test]
+    fn derived_public_key_starts_with_g_and_is_56_chars() {
+        let public = public_key_from_secret(VALID_SECRET_KEY).unwrap();
+        assert!(public.starts_with('G'));
+        assert_eq!(public.len(), 56);
+    }
+
+    #[test]
+    fn public_key_from_invalid_secret_returns_err() {
+        let err = public_key_from_secret("not-a-secret").unwrap_err();
+        assert_eq!(err, KeyError::InvalidSecretKey("not-a-secret".to_owned()));
+    }
+
+    #[test]
+    fn public_key_from_public_key_returns_err() {
+        // Passing a public key as secret should fail
+        let err = public_key_from_secret(VALID_PUBLIC_KEY).unwrap_err();
+        assert!(matches!(err, KeyError::InvalidSecretKey(_)));
+    }
+
+    #[test]
+    fn public_key_from_empty_string_returns_err() {
+        let err = public_key_from_secret("").unwrap_err();
+        assert!(matches!(err, KeyError::InvalidSecretKey(_)));
+    }
+}
diff --git a/src/utils/mod.rs b/src/utils/mod.rs
new file mode 100644
index 0000000..5da7f66
--- /dev/null
+++ b/src/utils/mod.rs
@@ -0,0 +1,3 @@
+//! Shared utility modules for contract-fox.
+
+pub mod keypair;

From 5a76b49d771c5feee79acbdd7ca40aa221e8f39d Mon Sep 17 00:00:00 2001
From: Aboogeeky <Idrishassan35@gmail.com>
Date: Wed, 4 Mar 2026 11:57:00 +0100
Subject: [PATCH 2/2] fix: apply rustfmt formatting fixes for CI

---
 src/main.rs          | 2 +-
 src/utils/keypair.rs | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/main.rs b/src/main.rs
index 93fd7f6..5e1aa0b 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,5 +1,5 @@
-mod utils;
 mod config;
 mod setup;
+mod utils;
 
 fn main() {}
diff --git a/src/utils/keypair.rs b/src/utils/keypair.rs
index 9cf56d6..96e779d 100644
--- a/src/utils/keypair.rs
+++ b/src/utils/keypair.rs
@@ -48,12 +48,10 @@ pub enum KeyError {
 /// assert!(!is_valid_public_key(""));
 /// ```
 pub fn is_valid_public_key(key: &str) -> bool {
-    matches!(
-        Strkey::from_string(key),
-        Ok(Strkey::PublicKeyEd25519(_))
-    )
+    matches!(Strkey::from_string(key), Ok(Strkey::PublicKeyEd25519(_)))
 }
 
+
 /// Returns `true` if `key` is a valid Stellar secret (seed) key.
 ///
 /// A valid Stellar secret key starts with `S` and is 56 characters long