feat(auth): port Secp256r1 auth to clientDataJSON-embedding format

Byte-identical with lazorkit-protocol/program/src/auth/secp256r1/. Replaces
the older typeAndFlags format (which reconstructed clientDataJSON server-side
from a single byte at auth_payload[13]) with the format that embeds the full
raw clientDataJSON in the auth payload.

Required for slot-share strategy: a wallet created on either binary
(commercial or foundation) must remain verifiable after binary swap. Both
binaries now share the same auth verification logic + on-chain authority
account layout.

Verification:
- 58/65 vitest E2E tests pass against live validator (up from 12/65 before
  port). The 7 remaining failures are in 08-deferred.test.ts and reflect a
  test-side bug (missing expiryBuf in signedPayload), addressed in P5.3.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: onspeedhp

program/src/auth/secp256r1/introspection.rs

@@ -61,12 +61,18 @@ impl Secp256r1SignatureOffsets {
 }
 
 /// Verify the secp256r1 instruction data contains the expected signature and
-/// public key. This also validates that the secp256r1 precompile offsets point
-/// to the expected locations, ensuring proper data alignment.
+/// public key. Also validates that the secp256r1 precompile offsets point to
+/// the expected locations, ensuring proper data alignment.
+///
+/// The expected precompile message is passed as TWO slices — the
+/// authenticator_data and the clientDataJSON hash — which are concatenated
+/// by the on-chain secp256r1 precompile as its signed message. Accepting
+/// two slices here lets the caller skip a Vec allocation for the concat.
 pub fn verify_secp256r1_instruction_data(
     instruction_data: &[u8],
     expected_pubkey: &[u8; 33],
-    expected_message: &[u8],
+    auth_data: &[u8],
+    client_data_hash: &[u8; 32],
 ) -> Result<(), ProgramError> {
     // Minimum check: must have at least the header and offsets
     if instruction_data.len() < DATA_START {
@@ -111,25 +117,257 @@ pub fn verify_secp256r1_instruction_data(
     if offsets.message_data_offset as usize != MESSAGE_DATA_OFFSET {
         return Err(AuthError::InvalidInstruction.into());
     }
-    if offsets.message_data_size as usize != expected_message.len() {
+    let expected_msg_len = auth_data.len() + client_data_hash.len();
+    if offsets.message_data_size as usize != expected_msg_len {
         return Err(AuthError::InvalidInstruction.into());
     }
 
     // Dynamic length check: instruction must contain the full message
-    if instruction_data.len() < MESSAGE_DATA_OFFSET + expected_message.len() {
+    if instruction_data.len() < MESSAGE_DATA_OFFSET + expected_msg_len {
         return Err(AuthError::InvalidInstruction.into());
     }
 
     let pubkey_data = &instruction_data
         [PUBKEY_DATA_OFFSET..PUBKEY_DATA_OFFSET + COMPRESSED_PUBKEY_SERIALIZED_SIZE];
-    let message_data =
-        &instruction_data[MESSAGE_DATA_OFFSET..MESSAGE_DATA_OFFSET + expected_message.len()];
-
     if pubkey_data != expected_pubkey {
         return Err(AuthError::InvalidPubkey.into());
     }
-    if message_data != expected_message {
+
+    // Compare the precompile's message area against the two caller-supplied
+    // slices piecewise — no concat, no allocation.
+    let msg_auth = &instruction_data[MESSAGE_DATA_OFFSET..MESSAGE_DATA_OFFSET + auth_data.len()];
+    if msg_auth != auth_data {
+        return Err(AuthError::InvalidMessageHash.into());
+    }
+    let hash_start = MESSAGE_DATA_OFFSET + auth_data.len();
+    let msg_hash = &instruction_data[hash_start..hash_start + client_data_hash.len()];
+    if msg_hash != client_data_hash {
         return Err(AuthError::InvalidMessageHash.into());
     }
     Ok(())
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    /// Helper: build valid secp256r1 precompile instruction data with the standard layout.
+    fn build_precompile_ix_data(
+        pubkey: &[u8; 33],
+        signature: &[u8; 64],
+        message: &[u8],
+    ) -> Vec<u8> {
+        let total_len = DATA_START + 64 + 33 + 1 + message.len();
+        let mut data = vec![0u8; total_len];
+
+        // Header
+        data[0] = 1; // num_signatures
+        data[1] = 0; // padding
+
+        // Offsets (little-endian)
+        data[2..4].copy_from_slice(&(SIGNATURE_DATA_OFFSET as u16).to_le_bytes());
+        data[4..6].copy_from_slice(&0xFFFFu16.to_le_bytes()); // sig ix index
+        data[6..8].copy_from_slice(&(PUBKEY_DATA_OFFSET as u16).to_le_bytes());
+        data[8..10].copy_from_slice(&0xFFFFu16.to_le_bytes()); // pubkey ix index
+        data[10..12].copy_from_slice(&(MESSAGE_DATA_OFFSET as u16).to_le_bytes());
+        data[12..14].copy_from_slice(&(message.len() as u16).to_le_bytes()); // msg size
+        data[14..16].copy_from_slice(&0xFFFFu16.to_le_bytes()); // msg ix index
+
+        // Data
+        data[SIGNATURE_DATA_OFFSET..SIGNATURE_DATA_OFFSET + 64].copy_from_slice(signature);
+        data[PUBKEY_DATA_OFFSET..PUBKEY_DATA_OFFSET + 33].copy_from_slice(pubkey);
+        // Byte at offset 113 is alignment padding (zero)
+        data[MESSAGE_DATA_OFFSET..MESSAGE_DATA_OFFSET + message.len()]
+            .copy_from_slice(message);
+
+        data
+    }
+
+    #[test]
+    fn test_verify_valid_instruction_data() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_ok());
+    }
+
+    #[test]
+    fn test_verify_variable_length_message() {
+        // Mode 1 messages are authenticatorData(37+) + clientDataJsonHash(32) = 69+ bytes.
+        // We split into the two halves exactly like the caller does post-refactor.
+        let pubkey = [0x03; 33];
+        let signature = [0xCD; 64];
+        let message = [0x22; 69];
+
+        let ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        let auth_data: &[u8] = &message[..37];
+        let client_data_hash: &[u8; 32] = &message[37..].try_into().unwrap();
+        assert!(
+            verify_secp256r1_instruction_data(&ix_data, &pubkey, auth_data, client_data_hash)
+                .is_ok()
+        );
+    }
+
+    #[test]
+    fn test_verify_rejects_wrong_pubkey() {
+        let pubkey = [0x02; 33];
+        let wrong_pubkey = [0x03; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        let err =
+            verify_secp256r1_instruction_data(&ix_data, &wrong_pubkey, &[], &message).unwrap_err();
+        assert_eq!(err, AuthError::InvalidPubkey.into());
+    }
+
+    #[test]
+    fn test_verify_rejects_wrong_message() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+        let wrong_message = [0x22; 32];
+
+        let ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        let err =
+            verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &wrong_message).unwrap_err();
+        assert_eq!(err, AuthError::InvalidMessageHash.into());
+    }
+
+    #[test]
+    fn test_verify_rejects_zero_signatures() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        ix_data[0] = 0; // zero signatures
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_multiple_signatures() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        ix_data[0] = 2; // two signatures
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_cross_instruction_sig_index() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        // Set signature_instruction_index to 0 instead of 0xFFFF
+        ix_data[4..6].copy_from_slice(&0u16.to_le_bytes());
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_cross_instruction_pubkey_index() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        // Set public_key_instruction_index to 1 instead of 0xFFFF
+        ix_data[8..10].copy_from_slice(&1u16.to_le_bytes());
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_cross_instruction_msg_index() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        // Set message_instruction_index to 0 instead of 0xFFFF
+        ix_data[14..16].copy_from_slice(&0u16.to_le_bytes());
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_wrong_pubkey_offset() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        // Tamper pubkey_offset to point elsewhere
+        ix_data[6..8].copy_from_slice(&200u16.to_le_bytes());
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_wrong_message_offset() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        // Tamper message_data_offset
+        ix_data[10..12].copy_from_slice(&50u16.to_le_bytes());
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_wrong_signature_offset() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        // Tamper signature_offset
+        ix_data[2..4].copy_from_slice(&100u16.to_le_bytes());
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_message_size_mismatch() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        // Set message_data_size to wrong value
+        ix_data[12..14].copy_from_slice(&64u16.to_le_bytes());
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_too_short_data() {
+        let pubkey = [0x02; 33];
+        let message = [0x11; 32];
+
+        // Only 2 bytes — way too short
+        assert!(verify_secp256r1_instruction_data(&[0x01, 0x00], &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_verify_rejects_truncated_message_area() {
+        let pubkey = [0x02; 33];
+        let signature = [0xAB; 64];
+        let message = [0x11; 32];
+
+        let mut ix_data = build_precompile_ix_data(&pubkey, &signature, &message);
+        // Truncate — remove last 10 bytes so message area is incomplete
+        ix_data.truncate(ix_data.len() - 10);
+        assert!(verify_secp256r1_instruction_data(&ix_data, &pubkey, &[], &message).is_err());
+    }
+
+    #[test]
+    fn test_offsets_constants_are_consistent() {
+        assert_eq!(DATA_START, 16); // 2 header + 14 offsets
+        assert_eq!(SIGNATURE_DATA_OFFSET, 16);
+        assert_eq!(PUBKEY_DATA_OFFSET, 16 + 64); // 80
+        assert_eq!(MESSAGE_DATA_OFFSET, 80 + 33 + 1); // 114
+    }
+}