Update stellar-strkey to 0.0.18

[leighmcculloch]

What

Bump the stellar-strkey workspace dependency from 0.0.16 to 0.0.18. This change targets the stellar-strkey release line for protocol 28. The workspace-direct crates now resolve to strkey 0.0.18, while published transitive consumers pinned to ^0.0.16 (sep5, soroban-sdk, stellar-rpc-client) and the transitive 0.0.13 via stellar-xdr remain unchanged, so the lockfile carries three strkey nodes.

Why

Adopt the latest stellar-strkey release for the protocol 28 line. Version 0.0.17 replaced the single catch-all DecodeError::Invalid variant with a set of specific variants, so the two hex-fallback code paths in contract_id_from_str (in soroban-spec-tools and soroban-cli) were updated to map their failures to DecodeError::InvalidPayloadLength, preserving the prior single-error behavior. It also redacts private keys behind Unredacted, so the CLI's secret-printing paths and tests now use .as_unredacted(), and removes positional input for the embedded strkey encode/decode commands in favour of stdin.

0.0.18 specifically fixes the bug that blocked the 0.0.17 bump: the embedded strkey encode command rejected owned JSON keys when deserializing Decoded<Strkey>, failing the strkey integration test. stellar/rs-stellar-strkey#125 fixes it.

Known limitations

N/A

---

Protocol 28 coordination

⚠️ This change targets versions of software that will ship for Protocol 28, and should not be merged unless this repository is ready to accept Protocol 28 changes.

This is one of a coordinated set of PRs bumping stellar-strkey to 0.0.18 across the Protocol 28 component stack. It is preferred that all Protocol 28 releases of these components depend on the same version of stellar-strkey:

• Update stellar-strkey to 0.0.18 rs-stellar-xdr#547
• Update stellar-strkey to 0.0.18 rs-soroban-env#1694
• Update stellar-strkey to 0.0.18 rs-soroban-sdk#1913
• Update stellar-strkey to 0.0.18 rs-stellar-rpc-client#99
• Update stellar-strkey to 0.0.18 #2614

stellar-strkey 0.0.18 raises the minimum supported Rust version to 1.87 and updates/adds transitive dependencies (heapless 0.9, zeroize), so MSRV and supply-chain policy (cargo-deny / cackle) updates may be required in some repositories before CI is green.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​stellar-strkey@​0.0.18

View full report

[Copilot]

✅ Ready to approve

The dependency bump is consistently applied, required call sites/tests are updated for the new redaction/stdin behaviors, and no correctness issues were identified in the changed regions.

Note: this review does not count toward required approvals for merging.

Pull request overview

Bumps the workspace stellar-strkey dependency to 0.0.18 (Protocol 28 line) and updates the CLI/spec tooling glue code and tests to match upstream API/CLI behavior changes (more specific decode errors, secret redaction via Unredacted, and strkey encode/decode reading from stdin).

Changes:

• Update workspace dependency to stellar-strkey = 0.0.18 (and refresh Cargo.lock for new transitive graph).
• Adjust hex-fallback contract ID parsing to map failures to DecodeError::InvalidPayloadLength.
• Update secret-key printing/serialization and tests to use .as_unredacted(), and update strkey integration tests to pass input via stdin.

File summaries

File	Description
cmd/soroban-cli/src/utils.rs	Updates contract ID hex-fallback error mapping for new stellar-strkey decode error variants.
cmd/soroban-cli/src/config/secret.rs	Ensures secret-key serialization and assertions use unredacted formatting.
cmd/soroban-cli/src/config/key.rs	Updates key round-trip test to serialize secret keys using .as_unredacted().
cmd/soroban-cli/src/commands/network/root_account/secret.rs	Prints root account secret key using .as_unredacted() to avoid redaction.
cmd/soroban-cli/src/commands/keys/secret.rs	Prints identity secret key using .as_unredacted() to avoid redaction.
cmd/crates/soroban-test/tests/it/strkey.rs	Updates strkey encode/decode integration tests to provide input via stdin (no positional input).
cmd/crates/soroban-test/src/lib.rs	Updates test helper output to use .as_unredacted() for secret key display.
cmd/crates/soroban-spec-tools/src/utils.rs	Mirrors CLI contract ID parsing error mapping changes in shared spec tools.
Cargo.toml	Bumps workspace stellar-strkey dependency to 0.0.18.
Cargo.lock	Records new stellar-strkey 0.0.18 node and transitive dependency updates (incl. additional heapless version).

Copilot's findings

• Files reviewed: 9/10 changed files
• Comments generated: 0

Note

Your feedback helps us improve the quality of this feature.
Please use 👍 or 👎 to tell us whether this assessment is correct.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d20a12a9af

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Regenerate strkey command docs for stdin input

This bump changes the embedded strkey encode/decode CLI to read its payload from stdin (the updated integration tests now use .write_stdin(...), matching the v0.0.18 upstream examples), but the checked-in help docs still advertise positional arguments at FULL_HELP_DOCS.md:4412 and FULL_HELP_DOCS.md:4422. Since the README links users to that generated file, anyone following the release docs will run stellar strkey decode <STRKEY> / encode <JSON>, which no longer matches the command behavior; please regenerate FULL_HELP_DOCS.md with this dependency bump.

Useful? React with 👍 / 👎.