Fix storage versioning, TTL, and Soroban caps#430

Draft
carrion256 wants to merge 4 commits into
spr/refactor/vault-ergonomics/4f330057from
audit/storage-versioning-ttl
Draft

Fix storage versioning, TTL, and Soroban caps#430
carrion256 wants to merge 4 commits into
spr/refactor/vault-ergonomics/4f330057from
audit/storage-versioning-ttl

Conversation

@carrion256

@carrion256 carrion256 commented May 5, 2026

Collaborator

Summary

Fixes the storage-versioning-ttl audit cluster:

  • A-008 / Nexus 49a0ad1a-499b-4ace-b7b4-ceaca30a5cf3: persists the withdrawal queue through domain-paged storage. Vault state now stores a compact v2 header plus bounded 128-entry wqpage entries, so the queue can use kernel MAX_PENDING = 1024 without exceeding Soroban 64 KiB per-entry limits. The header records pending count, and page reconstruction validates page IDs, ID ranges, sorted uniqueness, count parity, and kernel queue invariants.
  • A-009 / Nexus 53cec8fe-3e21-4a50-83e2-67717301b300: extends address-book TTL for live pending/in-flight addresses plus fee recipient and core config mappings without an unbounded address index.
  • A-010 / Nexus 3966d571-d2e2-43ba-aff1-def6813725e5: adds compact versioned storage envelopes, rejects pre-header blobs and unsupported versions, and routes persisted blob decodes through explicit storage-kind/version dispatch tables. Governed migrate() validates and rewrites current-version storage before clearing the migration gate.
  • A-026 / Nexus a21aac55-d33b-4841-8427-a0466ac23fe7: uses generic paged blob transport for restrictions/policy blobs and raises the one-shot restrictions cap to 3,072 addresses. OFAC-scale lists still need a batched governance update flow because transaction write-byte limits become the binding constraint.
  • Covers related informational findings A-011, A-019, A-023, A-024, A-025, and A-030 in the same storage-boundary PR.

Tests

  • CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/storage-versioning-ttl cargo fmt --all
  • git diff --check
  • CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/storage-versioning-ttl cargo test -p templar-soroban-runtime storage_tests -- --nocapture (47 passed)
  • CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/storage-versioning-ttl cargo test -p templar-soroban-runtime -- --nocapture (111 unit + 1 blend_e2e + 1 e2e_serialization + 52 integration + 23 property passed)
  • CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/storage-versioning-ttl just -f contract/vault/soroban/justfile size-budget-check (deploy wasm 102162 bytes)
  • post-commit size-budget-check passed (deploy wasm 102162 bytes)

Halborn Finding IDs

Included for Halborn SSC GitHub remediation detection:

  • A-008 / Finding ID 49a0ad1a-499b-4ace-b7b4-ceaca30a5cf3 — Withdraw queue effective cap is about 580, not 1024, due to Soroban storage entry size
  • A-009 / Finding ID 53cec8fe-3e21-4a50-83e2-67717301b300 — Permissionless TTL extension path does not refresh address-book entries
  • A-010 / Finding ID 3966d571-d2e2-43ba-aff1-def6813725e5 — State blobs have no schema version and migrate() does not migrate them
  • A-011 / Finding ID e1461d5a-d2e4-4808-993f-f82d403aad43 — cancel_migration() clears the migration flag but cannot roll back the already-swapped WASM
  • A-019 / Finding ID 69a8fd3b-1e78-41e0-811c-9b25bfcb906a — deserialize_fees_spec accepts a 113-byte blob with no-growth tag and silently discards 16 trailing bytes
  • A-023 / Finding ID e7868ba6-70e0-4082-b2a9-5518e5180d4f — Policy and restrictions decoders accept trailing bytes, unlike state and command codecs
  • A-024 / Finding ID be1dbcdd-98f0-4b20-bc58-3cd9ae684e6e — Withdraw queue deserialization does not validate queue invariants or sorted pending-withdrawal IDs
  • A-025 / Finding ID 66b6e854-524e-4047-8c9d-503e06c8e470 — compose_policy_state silently constructs default values for missing storage parts
  • A-026 / Finding ID a21aac55-d33b-4841-8427-a0466ac23fe7 — Restrictions blob can exceed the Soroban entry-size limit with large blacklist or whitelist sets
  • A-030 / Finding ID 0f081249-4cb8-4fbf-bcfe-929d02852e8d — load_vault_bootstrap runs migrate_legacy_paused on every contract call

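The paged withdrawal-queue layout described under A-008 and A-024 above, as an added example that is not the PR's or the project's code: a 128-entry page size, a compact header carrying the pending count, and a reader that validates page IDs, page sizes, sorted uniqueness within a page, ID ranges across pages, and count parity against the header. The names `WQ_PAGE_LEN`, `MAX_PENDING`, `QueueHeader` and `PagedQueueError` are assumptions for illustration, not the project's API.

```rust
// Added example, not the PR's or the project's code: a paged withdrawal-queue
// layout in the spirit of the A-008/A-024 fix. WQ_PAGE_LEN, MAX_PENDING,
// QueueHeader and PagedQueueError are names assumed for illustration.

/// Entries per page: 128 u64 IDs stays far below Soroban's 64 KiB per-entry limit.
pub const WQ_PAGE_LEN: usize = 128;
/// Kernel-side cap the paged layout must hold (1024 / 128 = 8 pages).
pub const MAX_PENDING: usize = 1024;

/// Compact header stored alongside the pages.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct QueueHeader {
    pub version: u8,  // 2 = paged layout
    pub pending: u32, // total IDs across all pages
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum PagedQueueError {
    TooManyPending(usize),
    UnsupportedVersion(u8),
    MissingPage(u32),
    PageTooLarge { page: u32, len: usize },
    PartialPageNotLast(u32),
    NotSorted { page: u32, index: usize },
    RangeOverlap { page: u32 },
    CountMismatch { header: u32, actual: usize },
}

/// Index of the first entry that is not strictly greater than its predecessor.
fn first_unsorted(ids: &[u64]) -> Option<usize> {
    ids.windows(2).position(|w| w[0] >= w[1]).map(|i| i + 1)
}

/// Split a strictly increasing queue into (page_id, page) chunks plus its header.
pub fn write_pages(ids: &[u64]) -> Result<(QueueHeader, Vec<(u32, Vec<u64>)>), PagedQueueError> {
    if ids.len() > MAX_PENDING {
        return Err(PagedQueueError::TooManyPending(ids.len()));
    }
    // Enforce the invariant on the way in so the reader can rely on it.
    if let Some(i) = first_unsorted(ids) {
        return Err(PagedQueueError::NotSorted { page: (i / WQ_PAGE_LEN) as u32, index: i % WQ_PAGE_LEN });
    }
    let pages = ids.chunks(WQ_PAGE_LEN).enumerate().map(|(i, c)| (i as u32, c.to_vec())).collect();
    Ok((QueueHeader { version: 2, pending: ids.len() as u32 }, pages))
}

/// Rebuild the queue from the header and stored pages, rejecting anything that
/// breaks the invariants: page IDs, page sizes, sorted uniqueness, cross-page ID
/// ranges and count parity. Pages beyond the header's count are ignored as stale.
pub fn read_pages(header: QueueHeader, pages: &[(u32, Vec<u64>)]) -> Result<Vec<u64>, PagedQueueError> {
    if header.version != 2 {
        return Err(PagedQueueError::UnsupportedVersion(header.version));
    }
    let pending = header.pending as usize;
    if pending > MAX_PENDING {
        return Err(PagedQueueError::TooManyPending(pending));
    }
    let page_count = (pending + WQ_PAGE_LEN - 1) / WQ_PAGE_LEN;
    // Bounded by MAX_PENDING above, so sizing the Vec from the header is safe.
    let mut out: Vec<u64> = Vec::with_capacity(pending);
    for want in 0..page_count as u32 {
        let (page_id, entries) = pages.get(want as usize).ok_or(PagedQueueError::MissingPage(want))?;
        if *page_id != want {
            return Err(PagedQueueError::MissingPage(want));
        }
        if entries.len() > WQ_PAGE_LEN {
            return Err(PagedQueueError::PageTooLarge { page: want, len: entries.len() });
        }
        let is_last = want as usize + 1 == page_count;
        if !is_last && entries.len() != WQ_PAGE_LEN {
            return Err(PagedQueueError::PartialPageNotLast(want));
        }
        if let Some(i) = first_unsorted(entries) {
            return Err(PagedQueueError::NotSorted { page: want, index: i });
        }
        // The first ID of this page must exceed the last ID already reconstructed.
        if let (Some(prev), Some(first)) = (out.last(), entries.first()) {
            if prev >= first {
                return Err(PagedQueueError::RangeOverlap { page: want });
            }
        }
        out.extend_from_slice(entries);
    }
    if out.len() != pending {
        return Err(PagedQueueError::CountMismatch { header: header.pending, actual: out.len() });
    }
    Ok(out)
}
```

The reader trusts the header only after bounding it by `MAX_PENDING`, so a tampered `pending` can neither drive an oversized allocation nor make the loop walk unbounded page IDs; every other field is cross-checked against the pages actually present.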

@coderabbitai

coderabbitai Bot commented May 5, 2026

Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a1f1e859-0f0b-4fd6-93ab-c932a5441a99

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


carrion256 force-pushed the audit/storage-versioning-ttl branch 2 times, most recently from 32aae49 to fee307b (May 5, 2026 17:28)
carrion256 force-pushed the audit/storage-versioning-ttl branch from fee307b to edb4fd9 (May 18, 2026 14:43)
@carrion256

Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 18, 2026

Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@carrion256

Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 18, 2026

Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

…#FIND-036 #FIND-029 #FIND-033 #FIND-034 #FIND-035 Nexus 49a0ad1a-499b-4ace-b7b4-ceaca30a5cf3 Nexus 53cec8fe-3e21-4a50-83e2-67717301b300 Nexus 3966d571-d2e2-43ba-aff1-def6813725e5 Nexus e1461d5a-d2e4-4808-993f-f82d403aad43 Nexus 69a8fd3b-1e78-41e0-811c-9b25bfcb906a Nexus e7868ba6-70e0-4082-b2a9-5518e5180d4f Nexus be1dbcdd-98f0-4b20-bc58-3cd9ae684e6e Nexus 66b6e854-524e-4047-8c9d-503e06c8e470)

Trace: 4440115
…d1a-499b-4ace-b7b4-ceaca30a5cf3 Nexus a21aac55-d33b-4841-8427-a0466ac23fe7)

Trace: fee307b
carrion256 force-pushed the audit/storage-versioning-ttl branch from edb4fd9 to 0daab1a (May 19, 2026 08:28)
…exus f37692f9-99d1-466c-afdd-076b14f35bbb Nexus afb88ec4-85a4-487b-890c-63e360bff8f6)

Harden versioned storage decoders so malformed length prefixes cannot drive oversized Vec preallocation before the remaining byte budget is validated. Also removes the unused Env parameter from AddressMap::new and updates callers/tests.

Verification: cargo fmt --all; CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/tmp/contracts-storage-a067-target cargo test -p templar-soroban-runtime storage_codec_rejects_malformed -- --nocapture; CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/tmp/contracts-storage-a067-target cargo test -p templar-soroban-runtime test_address_map -- --nocapture; git diff --check.
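The versioned storage envelope and decoder hardening described in the PR summary (A-010, A-019, A-023) and in the commit message above (length prefixes validated against the remaining byte budget before any Vec preallocation), as an added example that is not the PR's or the project's code. The `MAGIC` byte, the envelope layout (magic, kind, version, u32 LE payload length), the kind ids, the two payload formats and the error names are all assumptions for illustration; the project's real envelopes and dispatch tables are not shown on this page.

```rust
// Added example, not the PR's or the project's code: a versioned storage
// envelope decoder with explicit (kind, version) dispatch, pre-header rejection,
// length-prefix budgeting before any Vec allocation, and trailing-byte rejection.
// MAGIC, the envelope layout, kind ids, payload formats and error names are assumed.
use std::convert::TryInto;

const MAGIC: u8 = 0xE7;       // marks a versioned envelope; legacy blobs lack it
const HEADER_LEN: usize = 7;  // magic (1) + kind (1) + version (1) + payload len (u32 LE)
const ADDR_LEN: usize = 32;
pub const KIND_FEES: u8 = 1;
pub const KIND_RESTRICTIONS: u8 = 2;
pub const MAX_RESTRICTED: usize = 3_072; // one-shot restrictions cap

#[derive(Debug, PartialEq, Eq)]
pub enum Decoded {
    Fees { bps: u16, recipient: [u8; ADDR_LEN] },
    Restrictions(Vec<[u8; ADDR_LEN]>),
}

#[derive(Debug, PartialEq, Eq)]
pub enum DecodeError {
    MissingHeader,
    KindMismatch { expected: u8, found: u8 },
    UnsupportedVersion { kind: u8, version: u8 },
    Truncated { need: usize, have: usize },
    TooManyEntries(usize),
    TrailingBytes(usize),
}

/// Bounds-checked reader: every read is validated against the bytes actually present.
struct Cursor<'a> { buf: &'a [u8], pos: usize }

impl<'a> Cursor<'a> {
    fn remaining(&self) -> usize { self.buf.len() - self.pos }
    fn take(&mut self, n: usize) -> Result<&'a [u8], DecodeError> {
        if n > self.remaining() {
            return Err(DecodeError::Truncated { need: n, have: self.remaining() });
        }
        let s = &self.buf[self.pos..self.pos + n];
        self.pos += n;
        Ok(s)
    }
    fn u16(&mut self) -> Result<u16, DecodeError> { Ok(u16::from_le_bytes(self.take(2)?.try_into().unwrap())) }
    fn u32(&mut self) -> Result<u32, DecodeError> { Ok(u32::from_le_bytes(self.take(4)?.try_into().unwrap())) }
}

fn decode_fees_v1(c: &mut Cursor) -> Result<Decoded, DecodeError> {
    let bps = c.u16()?;
    let recipient: [u8; ADDR_LEN] = c.take(ADDR_LEN)?.try_into().unwrap();
    Ok(Decoded::Fees { bps, recipient })
}

fn decode_restrictions_v1(c: &mut Cursor) -> Result<Decoded, DecodeError> {
    let count = c.u32()? as usize;
    if count > MAX_RESTRICTED {
        return Err(DecodeError::TooManyEntries(count));
    }
    // Budget check first: a forged count must never size an allocation on its own.
    let need = count * ADDR_LEN;
    if need > c.remaining() {
        return Err(DecodeError::Truncated { need, have: c.remaining() });
    }
    let mut out: Vec<[u8; ADDR_LEN]> = Vec::with_capacity(count);
    for _ in 0..count {
        let addr: [u8; ADDR_LEN] = c.take(ADDR_LEN)?.try_into().unwrap();
        out.push(addr);
    }
    Ok(Decoded::Restrictions(out))
}

type Decoder = fn(&mut Cursor) -> Result<Decoded, DecodeError>;

/// Every (kind, version) the contract accepts; anything else is rejected up front.
const DISPATCH: &[(u8, u8, Decoder)] = &[
    (KIND_FEES, 1, decode_fees_v1),
    (KIND_RESTRICTIONS, 1, decode_restrictions_v1),
];

/// Wrap a payload in the envelope (what the writer side persists).
pub fn encode_blob(kind: u8, version: u8, payload: &[u8]) -> Vec<u8> {
    let mut v = vec![MAGIC, kind, version];
    v.extend_from_slice(&(payload.len() as u32).to_le_bytes());
    v.extend_from_slice(payload);
    v
}

/// Decode a persisted blob the caller expects to hold `expected_kind`.
pub fn decode_blob(blob: &[u8], expected_kind: u8) -> Result<Decoded, DecodeError> {
    if blob.len() < HEADER_LEN || blob[0] != MAGIC {
        return Err(DecodeError::MissingHeader); // pre-header (legacy) blob
    }
    let (kind, version) = (blob[1], blob[2]);
    if kind != expected_kind {
        return Err(DecodeError::KindMismatch { expected: expected_kind, found: kind });
    }
    let decoder = DISPATCH.iter().find(|(k, v, _)| *k == kind && *v == version)
        .map(|(_, _, d)| *d)
        .ok_or(DecodeError::UnsupportedVersion { kind, version })?;
    let mut env = Cursor { buf: blob, pos: 3 };
    let len = env.u32()? as usize;
    if len > env.remaining() {
        return Err(DecodeError::Truncated { need: len, have: env.remaining() });
    }
    // The envelope length must account for every byte; anything after it is rejected.
    let extra = env.remaining() - len;
    if extra != 0 {
        return Err(DecodeError::TrailingBytes(extra));
    }
    let mut payload = Cursor { buf: env.take(len)?, pos: 0 };
    let decoded = decoder(&mut payload)?;
    // The payload decoder must consume exactly what the length prefix promised.
    if payload.remaining() != 0 {
        return Err(DecodeError::TrailingBytes(payload.remaining()));
    }
    Ok(decoded)
}
```

Two trailing-byte checks are deliberate: the outer one catches bytes appended after the envelope, the inner one catches padding hidden inside a correctly sized payload, which is the A-019 shape. The count-prefixed list is bounded twice (by `MAX_RESTRICTED` and by the remaining budget) before `Vec::with_capacity` runs, so a forged prefix cannot reach the allocator.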