
fix: remove Blend adapter admin shortcuts#434

Closed
carrion256 wants to merge 1 commit into
spr/refactor/vault-ergonomics/4f330057from
audit/adapter-admin-shortcuts-a034

Conversation

@carrion256 carrion256 commented May 15, 2026

Collaborator

Fixed Findings

  • A-034 / Nexus 76f200c7-618d-4fd1-bff3-109530b96144 — Admin-only Blend adapter shortcuts can desynchronize vault accounting.

Root Cause

The Blend adapter exposed admin-only supply_balance and withdraw_to_vault entrypoints. Those methods could mutate the adapter's managed Blend position directly, bypassing the vault allocation lifecycle that owns external-asset accounting.

Fix

  • Removed the public supply_balance entrypoint.
  • Removed the public withdraw_to_vault entrypoint.
  • Added a regression guard proving those public admin shortcut declarations are not present.
  • Kept vault-routed adapter position changes (supply, withdraw, total_assets) intact.

Fix commit: b98f7f753334d4b796dc160a3610f61d26db8e65

Verification

RED evidence:

cargo test -p templar-soroban-blend-adapter admin_accounting_shortcuts_are_not_public_entrypoints -- --nocapture
# failed before deletion on: assertion failed: !BLEND_ADAPTER_SOURCE.contains("pub fn supply_balance(")

GREEN / regression evidence:

cargo fmt --all -- --check
git diff --check
cargo test -p templar-soroban-blend-adapter -- --nocapture
cargo test -p templar-soroban-runtime --features testutils --lib -- --nocapture
cargo test -p templar-soroban-runtime --features testutils --test property_tests -- --nocapture
just -f contract/vault/soroban/justfile size-budget-check

Results:

  • templar-soroban-blend-adapter: 20 unit tests + 7 integration tests passed.
  • templar-soroban-runtime --lib: 103 tests passed.
  • property_tests: 23 tests passed.
  • Runtime deploy WASM: 93961 bytes, under 131072 byte budget.
  • Commit hook reran size-budget-check and passed at 93961 bytes.


…530b96144

Remove the admin-only supply_balance and withdraw_to_vault entrypoints so managed Blend positions can only be mutated through the vault-routed adapter lifecycle. This preserves vault accounting as the canonical source of truth for external assets and allocation state.

Verification:
- RED: cargo test -p templar-soroban-blend-adapter admin_accounting_shortcuts_are_not_public_entrypoints -- --nocapture failed before deletion on pub fn supply_balance(
- cargo fmt --all -- --check
- git diff --check
- cargo test -p templar-soroban-blend-adapter -- --nocapture
- cargo test -p templar-soroban-runtime --features testutils --lib -- --nocapture
- cargo test -p templar-soroban-runtime --features testutils --test property_tests -- --nocapture
- just -f contract/vault/soroban/justfile size-budget-check

Runtime deploy WASM: 93961 bytes <= 131072 bytes.
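As an added illustration of the source-scanning regression guard the PR description mentions (this is not code from this PR or from the templar repository), the example below generalizes the RED assertion into a deny-list check over `pub fn` declarations. It skips commented-out lines and restricted visibilities such as `pub(crate) fn`, so only declarations a contract macro would actually export count as entrypoints. The two sample adapter sources, the function names and the `FORBIDDEN_ADMIN_SHORTCUTS` constant are constructed here; the two forbidden names come from the PR text.

```rust
/// Entrypoints that must never be exposed as public admin shortcuts on the
/// adapter, because they mutate the managed position outside the vault lifecycle.
/// Constructed deny-list for this example; the names are those named in the PR.
pub const FORBIDDEN_ADMIN_SHORTCUTS: &[&str] = &["supply_balance", "withdraw_to_vault"];

/// Constructed stand-in for the adapter source before the fix (not the real file).
pub const BEFORE_FIX: &str = r#"
#[contractimpl]
impl BlendAdapter {
    pub fn supply(env: Env, amount: i128) {}
    pub fn withdraw(env: Env, amount: i128) {}
    pub fn total_assets(env: Env) -> i128 { 0 }
    // admin-only shortcuts that bypass the vault allocation lifecycle
    pub fn supply_balance(env: Env, amount: i128) {}
    pub fn withdraw_to_vault(env: Env, amount: i128) {}
}
"#;

/// Constructed stand-in for the adapter source after the fix.
pub const AFTER_FIX: &str = r#"
#[contractimpl]
impl BlendAdapter {
    pub fn supply(env: Env, amount: i128) {}
    pub fn withdraw(env: Env, amount: i128) {}
    pub fn total_assets(env: Env) -> i128 { 0 }
    // pub fn supply_balance(env: Env, amount: i128) {}   <- commented out, not an entrypoint
    pub(crate) fn rebalance_position(env: &Env) {}        // crate-private helper, not exported
}
"#;

/// Names of every `pub fn` declared in `source`, in source order. Comment lines
/// and restricted visibilities (`pub(crate) fn`, `pub(super) fn`) are ignored.
pub fn public_fn_names(source: &str) -> Vec<String> {
    let mut names = Vec::new();
    for raw in source.lines() {
        let line = raw.trim_start();
        if line.starts_with("//") {
            continue;
        }
        let rest = match line.strip_prefix("pub fn ") {
            Some(rest) => rest,
            None => continue,
        };
        // Identifier characters only, so `name.len()` is a valid byte offset into `rest`.
        let name: String = rest
            .chars()
            .take_while(|c| c.is_ascii_alphanumeric() || *c == '_')
            .collect();
        // Accept `name(` and generic `name<`; anything else is not a fn declaration.
        let after = rest[name.len()..].trim_start();
        if !name.is_empty() && (after.starts_with('(') || after.starts_with('<')) {
            names.push(name);
        }
    }
    names
}

/// Public entrypoints of `source` that appear on the deny-list, in source order.
pub fn forbidden_public_entrypoints(source: &str, denylist: &[&str]) -> Vec<String> {
    public_fn_names(source)
        .into_iter()
        .filter(|name| denylist.contains(&name.as_str()))
        .collect()
}

/// The guard in the shape a `#[test]` would take: panics with the offending
/// names if any forbidden shortcut is still declared as a public entrypoint.
pub fn assert_no_admin_shortcuts(source: &str) {
    let found = forbidden_public_entrypoints(source, FORBIDDEN_ADMIN_SHORTCUTS);
    assert!(found.is_empty(), "public admin shortcuts still present: {found:?}");
}

fn main() {
    // Before the fix the guard reports both shortcuts; after it, none.
    println!("before fix: {:?}", forbidden_public_entrypoints(BEFORE_FIX, FORBIDDEN_ADMIN_SHORTCUTS));
    println!("after fix:  {:?}", forbidden_public_entrypoints(AFTER_FIX, FORBIDDEN_ADMIN_SHORTCUTS));
    assert_no_admin_shortcuts(AFTER_FIX);
}
```

In a real crate the source would come from `include_str!` on the adapter module and `assert_no_admin_shortcuts` would be the body of a `#[test]`; the deny-list form makes the same guard reusable for the sibling findings the author later consolidates, without re-deriving the assertion for each entrypoint.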
@coderabbitai

coderabbitai Bot commented May 15, 2026

Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 49c5e16f-7c6b-4292-b5f9-bec16e650058

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@carrion256

Collaborator Author

Superseded by #431, which consolidates the tracker-defined adapter-accounting-and-blend-admin boundary for A-032/A-033/A-034/A-035/A-060. Closing this split draft so auditors have one adapter follow-up PR to review.

@carrion256

Collaborator Author

Closed as superseded by #431 consolidated adapter-accounting-and-blend-admin PR.

@carrion256 carrion256 closed this May 18, 2026