Validate contract ID on transaction deserialization

[quietbits]

• fromXDR() and fromJSON() in AssembledTransaction now verify that the
  deserialized transaction's contract address matches the Client's configured
  contractId, throwing a clear error on mismatch.
• Addresses a trust boundary gap where a serialized transaction targeting a
  foreign contract could be silently signed through a Client configured for
  a different contract.
• Updated .gitignore

[Copilot]

Pull request overview

This PR hardens AssembledTransaction deserialization by ensuring a deserialized transaction’s target contract matches the Client/options contractId, preventing cross-contract transaction signing.

Changes:

• Add contract ID validation during AssembledTransaction.fromXDR() and AssembledTransaction.fromJSON().
• Add unit tests covering accept/reject behavior for matching vs. mismatching contract IDs.
• Update .gitignore to exclude local tooling directories.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File	Description
src/contract/assembled_transaction.ts	Adds contract ID checks when reconstructing assembled transactions from XDR/JSON.
test/unit/server/soroban/assembled_transaction.test.ts	Adds tests validating the new deserialization checks.
.gitignore	Ignores .claude/ and .copilot/ directories.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Size Change: +89.5 kB (+0.2%)

Total Size: 45.2 MB

Filename	Size	Change
dist/stellar-sdk-minimal.js	5.98 MB	+14.5 kB (+0.24%)
dist/stellar-sdk-minimal.min.js	5.08 MB	+7.86 kB (+0.15%)
dist/stellar-sdk-no-axios.js	5.98 MB	+14.5 kB (+0.24%)
dist/stellar-sdk-no-axios.min.js	5.08 MB	+7.86 kB (+0.15%)
dist/stellar-sdk-no-eventsource.js	6.23 MB	+14.5 kB (+0.23%)
dist/stellar-sdk-no-eventsource.min.js	5.29 MB	+7.86 kB (+0.15%)
dist/stellar-sdk.js	6.23 MB	+14.5 kB (+0.23%)
dist/stellar-sdk.min.js	5.29 MB	+7.86 kB (+0.15%)

_{compressed-size-action}

[Copilot]

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Ryang-21]

I think this fix should target the Client's txFromJson and txFromXdr methods. In that those are were we should be opinionated and enforce validation. I think we could create a static validate function on the AssembledTransaction class that verifies contractIds are the same and the method name is in the spec
Ignore this there is no reason to not have this validation on all AssembledTransaction parsing