feat(anchors): validate canonical asset-issuer per anchor (USDC issuer match)

[Olorunfemi20]

Summary

Validates that each anchor settles the canonical asset issuer it is registered to, rather than a look-alike asset that merely reuses a trusted code such as USDC under an impostor issuer. Implements B056.

The anchor registry (constants/anchors.ts) records each anchor's canonical assetIssuer (USDC anchors use USDC_ISSUER). This change compares that canonical issuer against the issuer the anchor actually advertises for the same asset code in its resolved stellar.toml [[CURRENCIES]], and flags any mismatch.

Changes

lib/stellar/anchors.ts

• Add validateAnchorAssetIssuer(anchor, currencies) — a pure, synchronous comparison returning match / mismatch / missing plus the expected and advertised issuers. Exported (with AnchorIssuerStatus / AnchorIssuerValidation) for reuse by the app, the nightly validator, and tests.
• Wire a non-fatal warning into discoverAnchorsForCorridor: a resolved anchor advertising a look-alike issuer is logged loudly but not dropped, since the registry's canonical issuer still governs downstream SEP-38 identifiers. Only a true mismatch warns; a missing issuer does not.

scripts/validate-anchors.mjs

• parseAnchors now also extracts assetCode and assetIssuer (inline literal or a USDC_ISSUER reference) from the registry source.
• Add parseCurrencies, resolveExpectedIssuer, and validateIssuer helpers (dependency-free TOML scanning, mirroring the lib logic).
• The nightly run prints an "Asset-issuer validation" section and emits a ::warning:: listing any anchors that advertise a look-alike issuer. This is kept entirely separate from the degraded health ledger.

Acceptance criteria

A mismatched issuer is flagged in validate-anchors.

Met: validateIssuer / validateAnchorAssetIssuer return mismatch when an anchor advertises a different issuer for its asset code, and the script surfaces it as a ::warning::. A missing or absent issuer is reported distinctly (missing / unverifiable) and is not treated as a false positive.

Testing

• tests/anchors-issuer.spec.ts — unit tests for validateAnchorAssetIssuer (match / mismatch / missing / other-code isolation).
• tests/validate-anchors.spec.mjs — added coverage for parseAnchors asset fields, parseCurrencies, resolveExpectedIssuer, and validateIssuer.
• npm run typecheck, eslint --max-warnings 0, and prettier --check pass on the changed files.
• Verified end-to-end against live anchor TOMLs: MoneyGram and nTokens report MATCH against their canonical issuers; anchors that publish no USDC currency report MISSING (correctly, not a mismatch).

Closes #489

[vercel]

@Olorunfemi20 is attempting to deploy a commit to the ezedikeevan's projects Team on Vercel.

A member of the Team first needs to authorize it.

[drips-wave]

@Olorunfemi20 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[ezedike-evan]

CI workflows haven't triggered for this PR yet. Please push an empty commit or close and reopen to re-trigger GitHub Actions and wait for check (node 20) and check (node 22) to go green before this can merge.