chore(soroban): feature address-validation #211

Merged
1nonlypiece merged 2 commits into Disciplr-Org:main from licette32:feature/address-validation
Apr 1, 2026

@licette32 licette32 commented Mar 30, 2026

Summary

Rejects vault configurations where address roles overlap in ways that
defeat the accountability mechanism:

  • creator == success_destination: creator recovers funds regardless of outcome
  • creator == failure_destination: creator recovers funds on non-completion too
  • verifier == creator: no independent validation of the milestone

Note: the Stellar zero-address (GAAA...WHF) is not detectable at contract
level in no_std environments. These role-overlap checks cover the
"obviously invalid placeholder" cases that are enforceable on-chain.

Changes

src/lib.rs

  • New error variant: InvalidAddress = 11
  • Three validations added in create_vault before token transfer
  • Rustdoc updated with new rules and rationale

tests/create_vault.rs

  • test_creator_as_success_destination_rejected
  • test_creator_as_failure_destination_rejected
  • test_verifier_same_as_creator_rejected
  • test_all_distinct_addresses_accepted

vesting.md and README.md

  • New constraints documented with UX/security rationale

Test results

18 passed, 0 failed

Coverage

Pending tarpaulin — will update once complete.

Security notes

All validations run before any state mutation or token transfer.
No new dependencies.

Closes #125
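
An added example, not code from this PR or the Disciplr repository: a plain-Rust model of the three role-overlap rules, run before the transfer as the Security notes describe. `VaultConfig`, `Ledger`, `validate_roles`, `sample` and the placeholder addresses are hypothetical; only `InvalidAddress = 11` and `create_vault` are names taken from the description.

```rust
// Added illustration in plain Rust (no soroban-sdk); not the contract's code.
// VaultConfig, Ledger and the &str addresses are hypothetical stand-ins.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Error {
    InvalidAddress = 11, // variant and code as listed in the PR summary
}

#[derive(Clone)]
pub struct VaultConfig {
    pub creator: &'static str,
    pub verifier: &'static str,
    pub success_destination: &'static str,
    pub failure_destination: &'static str,
    pub amount: i128,
}

#[derive(Default)]
pub struct Ledger {
    pub escrowed: i128, // stand-in for tokens pulled from the creator
    pub vaults: Vec<VaultConfig>,
}

/// Pure check: reads the config only, so it is safe to run first.
pub fn validate_roles(c: &VaultConfig) -> Result<(), Error> {
    let overlap = c.creator == c.success_destination
        || c.creator == c.failure_destination
        || c.verifier == c.creator;
    if overlap { Err(Error::InvalidAddress) } else { Ok(()) }
}

/// Validate, then transfer, then store. A rejected config leaves the ledger untouched.
pub fn create_vault(ledger: &mut Ledger, c: VaultConfig) -> Result<usize, Error> {
    validate_roles(&c)?;
    ledger.escrowed += c.amount; // stand-in for the token transfer
    ledger.vaults.push(c);
    Ok(ledger.vaults.len() - 1)
}

/// Constructed sample: four distinct placeholder addresses.
pub fn sample() -> VaultConfig {
    VaultConfig { creator: "G_CREATOR", verifier: "G_VERIFIER",
        success_destination: "G_SUCCESS", failure_destination: "G_FAILURE", amount: 100 }
}

fn main() {
    let mut ledger = Ledger::default();
    let bad = VaultConfig { failure_destination: "G_CREATOR", ..sample() };
    println!("{:?} escrowed={}", create_vault(&mut ledger, bad), ledger.escrowed);
    println!("{:?} escrowed={}", create_vault(&mut ledger, sample()), ledger.escrowed);
}
```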

drips-wave bot commented Mar 30, 2026

@licette32 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@1nonlypiece 1nonlypiece merged commit 19739ac into Disciplr-Org:main Apr 1, 2026

Development

Successfully merging this pull request may close these issues.

Zero-address / dummy address validation