feat(contracts): add signer nonce invalidation mechanism

[ScriptedBro]

Summary

This PR adds a signer nonce invalidation mechanism in credence_delegation so users can proactively invalidate outstanding delegated signatures after key compromise.

What Changed

• Added bounded nonce-range invalidation helper in contracts/credence_delegation/src/nonce.rs.
• Added public contract entrypoint:
  • invalidate_nonce_range(identity, new_nonce) in contracts/credence_delegation/src/lib.rs.
• Enforced security constraints for invalidation:
  • Caller authentication (identity.require_auth()).
  • Strictly monotonic nonce progression (new_nonce > current_nonce).
  • Bounded batch invalidation (MAX_NONCE_INVALIDATION_SPAN = 10_000) for predictable gas usage.
• Emitted nonce_invalidated event with (from_nonce, to_nonce) for indexers/monitoring.

Tests

Added and validated coverage in contracts/credence_delegation/src/test_domain_separation.rs for:

• Partial invalidation and continued use of fresh nonce.
• Full invalidation and rejection of previously valid stale payloads.
• Max-range bound enforcement.
• Monotonicity enforcement.

Test command run:

cargo test -p credence_delegation

Result: 40 passed; 0 failed.

Issue

Closes #136
Closes #136

[drips-wave]

@ScriptedBro Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits