fix: validate adapter asset observations#433

Closed
carrion256 wants to merge 1 commit into
spr/refactor/vault-ergonomics/4f330057from
audit/adapter-accounting-a033
Closed

fix: validate adapter asset observations#433
carrion256 wants to merge 1 commit into
spr/refactor/vault-ergonomics/4f330057from
audit/adapter-accounting-a033

Conversation

@carrion256 carrion256 commented May 15, 2026

Collaborator

Fixed Findings

  • Local ID: A-033
  • Nexus ID: bc013b77-b8a9-4b9a-867a-228152a95c3b
  • Title: Adapter-reported external assets can be inflated cumulatively or deflated to zero
  • Fix commit: e16b8b3bbf6db66f1ecbb2077165c5a33043e71e

Root Cause

The Soroban runtime accepted adapter-reported external asset observations at the generic sync boundary. That made the kernel try to enforce aggregate external-asset movement without enough market-policy context: cumulative inflation could be accepted through reported market totals, while legitimate market decreases could be rejected by a broad no-decrease heuristic.

Fix Summary

  • Move adapter observation validation from the generic kernel sync path into the Soroban runtime policy boundary.
  • For supply allocations, derive and validate the expected observed market total from the current principal plus the supplied amount.
  • For refresh callbacks, validate reported market principals against policy caps before syncing kernel state.
  • Allow legitimate adapter-reported decreases during refresh instead of treating all aggregate decreases as malicious.
  • Stage policy principal updates only after validation, preventing failed validation/sync from leaving mutated in-memory policy state.
  • Keep kernel SyncExternalAssets focused on operation-state and total-assets consistency.

Verification

Passed locally on branch audit/adapter-accounting-a033:

CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/a033 cargo fmt --all -- --check
CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/a033 git diff --check
CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/a033 cargo test -p templar-soroban-runtime --features testutils complete_supply_allocation -- --nocapture
CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/a033 cargo test -p templar-soroban-runtime --features testutils complete_refresh -- --nocapture
CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/a033 cargo test -p templar-vault-kernel sync_external_assets -- --nocapture
CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/a033 cargo test -p templar-vault-kernel --lib -- --nocapture
CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/a033 cargo test -p templar-soroban-runtime --features testutils --lib -- --nocapture
CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/a033 cargo test -p templar-soroban-runtime --features testutils --test property_tests -- --nocapture
CARGO_INCREMENTAL=0 CARGO_TARGET_DIR=/data/projects/templar/contracts/.shared-target/a033 just -f contract/vault/soroban/justfile size-budget-check

Size gate passed: runtime deploy WASM 95801 bytes <= 131072 bytes.


…7a-228152a95c3b)

Move adapter-reported external asset validation out of the generic kernel sync path and into the Soroban runtime policy boundary. Supply callbacks now validate the active market step against the supplied amount, refresh callbacks validate observed market principals against policy caps, and legitimate refresh decreases are allowed instead of rejected by aggregate no-decrease bounds.

Stage policy principal updates before kernel sync and operation completion so failed validation or sync cannot leave in-memory policy state mutated. Remove the old aggregate sync heuristic and keep kernel SyncExternalAssets focused on op-state and total-assets consistency.

Verification: cargo fmt --all; git diff --check; cargo test -p templar-soroban-runtime --features testutils complete_supply_allocation -- --nocapture; cargo test -p templar-soroban-runtime --features testutils complete_refresh -- --nocapture; cargo test -p templar-vault-kernel sync_external_assets -- --nocapture; cargo test -p templar-vault-kernel --lib -- --nocapture; cargo test -p templar-soroban-runtime --features testutils --lib -- --nocapture; cargo test -p templar-soroban-runtime --features testutils --test property_tests -- --nocapture; just -f contract/vault/soroban/justfile size-budget-check.
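A reduced model of the policy-boundary behaviour the summary describes (expected supply total = current principal + supplied amount, cap checks on refresh, decreases allowed, principal staged only after validation), added here as an illustration and not the templar project's own code; the `MarketPolicy` type, function names and `PolicyError` variants are assumptions:

```rust
// Added illustration, not the templar-soroban-runtime code: a policy boundary that
// validates adapter observations and stages principal writes only after every check.

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    UnknownMarket(usize),
    Overflow,
    UnexpectedSupplyTotal { expected: u128, observed: u128 },
    CapExceeded { market: usize, cap: u128, observed: u128 },
}

/// Per-market policy state: the principal the runtime currently believes is
/// deployed in the market and the cap that principal may never exceed.
#[derive(Debug, PartialEq)]
pub struct MarketPolicy {
    pub principal: u128,
    pub cap: u128,
}

/// Supply allocation: the only acceptable observed total is the tracked principal
/// plus the amount just supplied; any other value (cumulative inflation) is rejected.
pub fn complete_supply_allocation(
    markets: &mut [MarketPolicy], market: usize, supplied: u128, observed: u128,
) -> Result<(), PolicyError> {
    let policy = markets.get(market).ok_or(PolicyError::UnknownMarket(market))?;
    let expected = policy.principal.checked_add(supplied).ok_or(PolicyError::Overflow)?;
    if observed != expected {
        return Err(PolicyError::UnexpectedSupplyTotal { expected, observed });
    }
    if observed > policy.cap {
        return Err(PolicyError::CapExceeded { market, cap: policy.cap, observed });
    }
    markets[market].principal = observed; // staged only after validation passed
    Ok(())
}

/// Refresh: every reported principal must respect its cap, decreases are legitimate
/// and accepted, and nothing is written until all markets have been validated.
pub fn complete_refresh(markets: &mut [MarketPolicy], observed: &[u128]) -> Result<(), PolicyError> {
    if observed.len() != markets.len() { return Err(PolicyError::UnknownMarket(observed.len())); }
    for (market, (policy, &obs)) in markets.iter().zip(observed).enumerate() {
        if obs > policy.cap {
            return Err(PolicyError::CapExceeded { market, cap: policy.cap, observed: obs });
        }
    }
    for (policy, &obs) in markets.iter_mut().zip(observed) {
        policy.principal = obs;
    }
    Ok(())
}
```

A rejected supply or refresh observation returns before the first write, so the caller can surface the error without rolling back any in-memory policy state.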
@coderabbitai

coderabbitai Bot commented May 15, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@carrion256

Collaborator Author

Superseded by #431, which consolidates the tracker-defined adapter-accounting-and-blend-admin boundary for A-032/A-033/A-034/A-035/A-060. Closing this split draft so auditors have one adapter follow-up PR to review.

@carrion256

Collaborator Author

Closed as superseded by #431, the consolidated adapter-accounting-and-blend-admin PR.

@carrion256 carrion256 closed this May 18, 2026