Skip to content

Releases: Soneso/stellar-php-sdk

v1.10.0 Protocol 27 (CAP-71) authorization support

Choose a tag to compare

@christian-rogobete christian-rogobete released this 18 Jun 22:53

Version 1.10.0 adds the Protocol 27 (CAP-71) Soroban authorization API on top of the XDR definitions adopted in 1.9.8: the new authorization credential types and delegated account authorization. All additions are additive and backward compatible; the legacy SOROBAN_CREDENTIALS_ADDRESS credential remains the default.

Protocol 27 authorization

  • SorobanCredentials now supports the V2 (ADDRESS_V2) and delegated (ADDRESS_WITH_DELEGATES) credential arms alongside the existing source-account and ADDRESS arms, with forAddressCredentialsV2 and forAddressWithDelegates factories.
  • New types: SorobanAddressCredentialsWithDelegates, SorobanDelegateSignature, and SorobanDelegateDescriptor, plus a SorobanAuthorizationEntry::withDelegates tree builder.
  • SorobanAuthorizationEntry::sign() accepts an optional forAddress to target a top-level or delegate node.
  • AssembledTransaction and SEP-45 web auth support the new credential arms.

The new arms are valid only on Protocol 27 and later.

Source compatibility

The SorobanCredentials constructor's first parameter was renamed from $addressCredentials to $credentialType (now int|SorobanAddressCredentials). Positional callers are unaffected; callers using the named argument addressCredentials: should switch to credentialType: or the forAddressCredentials() factory. The XDR types XdrSorobanCredentialsType, XdrEnvelopeType, and XdrHashIDPreimage gain new cases for the V2 and delegated arms; any exhaustive match/switch over them needs a default arm.

Compatibility matrices

Regenerated for 1.10.0. Horizon and all 20 SEP matrices remain at 100%. The RPC matrix notes the upstream simulateTransaction useUpgradedAuth parameter, which is intentionally not yet implemented: stellar-rpc server support for it has not shipped. It will be added once the server side is released.

Documentation

The Soroban guide and agent skill cover the V2 and delegated authorization flow.

Installation

composer require soneso/stellar-php-sdk

References

  • Protocol 27 authorization: #94
  • Protocol 27 XDR (shipped in 1.9.8): #90

v1.9.8 - Maintenance Release

Choose a tag to compare

@christian-rogobete christian-rogobete released this 11 Jun 17:38

Summary

This release adopts the Protocol 27 XDR definitions (CAP-0071 Soroban delegated
authorization), extends the XDR generator with SEP-51 JSON round-trip tests, and
ships a collection of fixes, hardening, performance and test improvements from a
multi-perspective review of the SDK core.

Protocol 27 XDR definitions (#90)

Adopts the CAP-0071 delegated Soroban authorization types from upstream
stellar/stellar-xdr: credential types SOROBAN_CREDENTIALS_ADDRESS_V2 and
SOROBAN_CREDENTIALS_ADDRESS_WITH_DELEGATES, envelope type
ENVELOPE_TYPE_SOROBAN_AUTHORIZATION_WITH_ADDRESS, and the new
SorobanDelegateSignature and SorobanAddressCredentialsWithDelegates structs.
The change is additive and backward compatible; existing credential types remain
valid. High-level APIs for delegated authorization will follow in a later
release.

The XDR test generator now also emits SEP-51 JSON round-trip and negative tests
for all XDR types, raising the SDK's unit test coverage above 92%.

SDK review improvements (#92)

Fixes:

  • KeyPair: signed payload signature hints (CAP-40) failed for payloads shorter
    than 4 bytes; key construction now validates that keys are exactly 32 bytes.
  • Memo: ids above PHP_INT_MAX (full unsigned 64-bit range) previously failed to
    decode and could not be created. Memo::id now also accepts unsigned decimal
    strings, and getIdAsString provides a uniform string representation.
  • Asset: Asset::TYPE_POOL_SHARE was misspelled and could never match the
    asset type string Horizon returns; corrected to liquidity_pool_shares.

SEP services:

  • SEP-01: currencyFromUrl accepts an optional HTTP client, like fromDomain.
  • SEP-02: resolveStellarAddress uses the provided HTTP client for the
    stellar.toml fetch as well.
  • SEP-07: signature verification is independent of the signature's URL encoding.
  • SEP-10: challenge transactions without time bounds are rejected, as required
    by the spec.
  • SEP-31: a transaction_info_needed error response without a fields key is
    tolerated.

Soroban contract client:

  • ClientOptions, InstallRequest and DeployRequest accept an optional
    preconfigured SorobanServer, enabling custom HTTP client configuration.
  • Transaction status polling queries immediately after submission and retries
    with exponential backoff instead of always sleeping three seconds first.

Performance and CI:

  • Shared BigInteger constants, cached endianness probe, optimized XDR codec hot
    paths, and line-based SSE streaming.
  • PHPStan static analysis (level 6) and a composer audit dependency gate run
    on every push and pull request.

Tests:

  • SorobanClient is now unit tested with mocked RPC responses; error-path unit
    tests added for SEP-10, federation, SEP-31 and stellar.toml loading; the unit
    suite runs fully offline.

Other

  • Update XDR definitions to upstream 55a00d9
  • SEP-45: the Soroban RPC server used for the signature expiration lookup can
    be injected via setSorobanServer() (bbe49ca)
  • Bump pinned GitHub Actions (checkout v6.0.3, setup-php 2.37.2, codecov-action
    v6.0.2, claude-code-action v1.0.144) and Dependabot updates (#86, #87, #88)

v1.9.7 SEP-51 (XDR-JSON) support

Choose a tag to compare

@christian-rogobete christian-rogobete released this 06 May 19:15

Summary

This release adds SEP-51 (XDR-JSON) encoding to the XDR type system.

SEP-51 (XDR-JSON) encoding (#85)

Stellar XDR is a compact binary format. SEP-51 specifies a canonical JSON encoding for XDR types so they can be inspected, logged, or moved through JSON-based tooling. Every generated XDR class now has toJsonValue/fromJsonValue (PHP value form) and toJson/fromJson (JSON string form) methods. See docs/sep/sep-51.md for details.

Compatibility matrices update

Horizon, RPC and SEP matrices regenerated. New SEP-51 matrix added.

CI improvements

  • Bump actions/upload-pages-artifact to v5.0.0 (#81)
  • Bump SCF-Public-Goods-Maintenance/pg-atlas-sbom-action (#82)
  • Bump anthropics/claude-code-action to v1.0.114 (#83)
  • Bump actions/cache to v5.0.5 (#84)
  • Bump actions/setup-python to v6.2.0

Other

v1.9.6 - Maintenance Release

Choose a tag to compare

@christian-rogobete christian-rogobete released this 03 Apr 22:43

Summary

This release replaces the monolithic TxRep implementation with generated methods, switches from the paragonie/sodium_compat polyfill to PHP's native ext-sodium extension, and adds CI improvements including a Claude Code review workflow.

Generated TxRep serialization (#78)

The hand-written TxRep.php has been replaced with generated toTxRep()/fromTxRep() methods distributed across XDR type classes. The XDR code generator now produces TxRep methods for enums, structs, unions, and typedefs reachable from TransactionEnvelope. Wrapper classes override generated methods where compact formatting is needed (accounts, assets, signer keys). TxRep.php is reduced to a thin facade handling envelope-level concerns.

Replace paragonie/sodium_compat with native ext-sodium (#77)

All Ed25519 operations in KeyPair and StrKey now use PHP's native ext-sodium functions instead of the paragonie/sodium_compat polyfill. Intermediate key material is zeroed with sodium_memzero() after extraction. The ext-sodium requirement is added to composer.json; paragonie/sodium_compat is removed.

CI improvements

  • Add Claude Code review workflow for PR analysis (ac4493d)
  • Harden CI workflows and add upstream XDR update check (66243fc)
  • Bump codecov/codecov-action (30a34c6)

Other

  • Update XDR definitions to upstream 61657d9
  • Update SEP-53 documentation examples for CryptoException changes

v1.9.5 Agent Skill, Security Hardening & Auto-generated XDR Types

Choose a tag to compare

@christian-rogobete christian-rogobete released this 11 Mar 22:00

Summary

This release brings three major improvements to the Stellar PHP SDK: an agent skill for AI coding agents, security hardening across the entire codebase, and machine-generated XDR types from canonical Stellar .x definitions.

AI agent skill (#70)

Adds an Agent Skill that teaches AI coding agents how to build Stellar applications using the SDK. Compatible with any agent that supports the Agent Skills open standard (Claude Code, Codex CLI, Cursor, Gemini CLI, and others).

Security hardening (#71)

Comprehensive security audit and hardening of the SDK. Key changes include constant-time checksum comparison, HTTPS enforcement on all service constructors and URLs, path injection prevention on user-supplied identifiers, strict base64 decoding, PSR-3 logging replacing raw print() output, and CryptoException instead of silent null returns from signing methods. SEP-7 signature handling and SEP-10 time bounds validation were also improved.

Breaking changes:

  • KeyPair::sign(), signDecorated(), and signMessage() now throw CryptoException instead of returning null when called without a private key
  • SorobanServer::$enableLogging replaced by setLogger(LoggerInterface) (PSR-3)
  • All service constructors now require HTTPS URLs (localhost exempt for development)

Auto-generated XDR types (#72)

The ~309 hand-written XDR type definitions have been replaced with machine-generated PHP code produced by a Ruby-based code generator that reads Stellar's canonical .x XDR definition files. This adds 133 new XDR types, extracts hand-maintained helper methods into 34 wrapper classes, and adds 1,013 auto-generated round-trip unit tests. The generator lives at tools/xdr-generator/ and a CI workflow ensures generated code stays in sync with the .x definitions.

Breaking changes:

  • SorobanContractInfo::envInterfaceVersion replaced by envMetaProtocol and envMetaPreRelease
  • Low-level XDR type changes — see the PR for details

Other

  • Added compatibility matrix generators for Horizon, RPC, and SEP coverage tracking

v1.9.4 - Maintenance Release

Choose a tag to compare

@christian-rogobete christian-rogobete released this 21 Feb 19:07

Maintenance release with bug fixes and documentation corrections.

Bug Fixes

  • SEP-08: Fix RegulatedAssetsService constructor not assigning $tomlData to public property
  • SEP-08: Fix TypeError when approval server omits optional action_method field (now defaults to GET per spec)
  • SEP-08: Fix RegulatedAssetsService constructor rejecting explicit $network parameter
  • SEP-30: Make identity role nullable in SEP30ResponseIdentity to match spec
  • Soroban: Fix needsNonInvokerSigningBy() throwing on non-invoke operations (e.g. RestoreFootprintOperation)

Documentation

  • Fix SEP38Asset PHPDoc type for $buyDeliveryMethods
  • Add deposit-exchange and withdrawal-exchange to SEP24Transaction::$kind docstring
  • Correct SEP-06 funding_method deprecation note to reflect actual SDK support
  • Remove incorrect base64_encode() from SEP-09 file upload examples
  • Fix WebAuthForContracts::setUseFormUrlEncoded() docblock stating wrong default
  • Fix WebAuthForContracts::jwtToken() callback signature PHPDoc

Other

  • Switch README badges from Poser to Shields.io

v1.9.3 - Maintenance release

Choose a tag to compare

@christian-rogobete christian-rogobete released this 10 Feb 13:25

What's changed

Documentation

  • New SDK documentation covering quick start, getting started, SDK usage, Soroban, and 18 SEP guides
  • Redirect stubs for old example files to preserve external links

Breaking changes

  • Removed DeploySACWithSourceAccountHostFunction which used an invalid FROM_ADDRESS + STELLAR_ASSET combination no longer accepted by the network per CAP-0046-06. Use DeploySACWithAssetHostFunction instead. (#67)

Improvements

  • Added funding_methods field support to SEP31ReceiveAssetInfo for SEP-0031 cross-border payments

Bug fixes

  • Fixed incorrect variable comparison in InvokeHostFunctionOperation::fromXdrOperation() for the FROM_ASSET preimage check (#67)
  • Made ext-pcntl optional in composer.json to allow easier SDK installation on Windows (#65, #68)
  • Converted FederationTest unit tests to use mocked HTTP responses instead of live network calls (#67)

Upgrade notes

If you are using DeploySACWithSourceAccountHostFunction, switch to DeploySACWithAssetHostFunction. The removed class produced transactions that silently failed on the network.

v1.9.2 SEP-53 support

Choose a tag to compare

@christian-rogobete christian-rogobete released this 03 Feb 16:01

Summary

  • Implements support for SEP-53 (Sign and Verify Messages) on KeyPair with signMessage() and verifyMessage() methods
  • Adds unit tests covering all spec test vectors, base64/hex encoding round-trips, failure cases, and edge cases
  • Documentation: examples/sep-0053-sign-verify-messages.md
  • Signatures match all three SEP-53 spec test vectors (ASCII, Japanese, binary)
  • Cross-SDK interoperability: signatures are compatible with Java, and Python SDK implementations
  • No breaking changes to existing API

v1.9.1 RPC v25.0.0 support

Choose a tag to compare

@christian-rogobete christian-rogobete released this 06 Jan 20:22

Features

  • Add RPC v25.0.0 response fields to getLatestLedger:
    • closeTime: Unix timestamp when the ledger closed
    • headerXdr: Base64-encoded ledger header XDR
    • metadataXdr: Base64-encoded ledger close metadata XDR

Dependencies

  • Update paragonie/sodium_compat from ^1.17|^2.0 to ^2.5.0

v1.9.0 - SEP-45 Support

Choose a tag to compare

@christian-rogobete christian-rogobete released this 18 Dec 12:28

Release Notes

This release adds client-side support for SEP-45 (Web Authentication for Contract Accounts).

New Features

SEP-45: Web Authentication for Contract Accounts

New WebAuthForContracts class enabling authentication for Soroban smart contract accounts (C... addresses):

  • fromDomain() factory method for automatic stellar.toml configuration
  • Manual configuration via constructor for custom setups
  • jwtToken() method for complete authentication flow
  • Step-by-step methods for granular control: getChallenge(), decodeAuthorizationEntries(), validateChallenge(), signAuthorizationEntries(), sendSignedChallenge()
  • Automatic signature expiration calculation via Soroban RPC
  • Client domain verification with local keypair or remote signing callback
  • Support for contracts without signature requirements

Security Validations

  • Contract address matching against WEB_AUTH_CONTRACT_ID
  • Function name verification (web_auth_verify)
  • Sub-invocation rejection
  • Server signature verification
  • Server and client entry presence verification
  • Account, home domain, and web auth domain validation
  • Nonce consistency across all entries
  • Network passphrase validation

Bug Fixes

  • Fixed httpClient not being passed to StellarToml::fromDomain() in SEP-10

Documentation

  • Added examples/sep-0045-webauth-contracts.md with usage examples

Links