fix: harden auxiliary share-token controls (#FIND-048 #FIND-063 #FIND-070)

[carrion256]

Summary

Remediates Halborn/Nexus governance/audit follow-up findings for auxiliary share-token controls:

• #FIND-048 / Nexus b7bcf2b1-dc11-424a-99b0-d38192cb7e12: clarify and prove share-token burn is a vault-only protocol settlement primitive; owner consent remains enforced at vault withdrawal entrypoints before BurnShares effects are generated, and delegated burns use burn_from allowance semantics.
• #FIND-063 / Nexus 44e4e876-5816-47e7-baed-c830bad19f92: add admin/vault-gated pause/readback controls and fail-closed guards for share-token and Blend adapter state-changing paths.
• #FIND-070 / Nexus c3853d07-893a-4ea3-bffe-9e31d2ea1f70: propagate vault restriction policy to share-token transfers, including muxed recipient handling via MuxedAddress::address().

This stacks on audit/share-token-admin-immutable and keeps broad lifecycle/upgrade policy questions out of scope.

Verification

• RUSTUP_TOOLCHAIN=1.89.0 cargo fmt -p templar-soroban-share-token -p templar-soroban-blend-adapter -- --check
• git diff --check
• RUSTUP_TOOLCHAIN=1.89.0 CARGO_TARGET_DIR=/data/tmp/templar-share-token-controls/target cargo test -p templar-soroban-share-token -- --nocapture — 25 passed
• RUSTUP_TOOLCHAIN=1.89.0 CARGO_TARGET_DIR=/data/tmp/templar-share-token-controls/target cargo test -p templar-soroban-blend-adapter -- --nocapture — 22 unit + 7 integration passed
• RUSTUP_TOOLCHAIN=1.89.0 CARGO_TARGET_DIR=/data/tmp/templar-share-token-controls/target cargo test -p templar-soroban-runtime withdraw -- --nocapture — withdrawal-filtered runtime tests passed
• post-commit Soroban size-budget-check — 93,961 bytes

Stack

• Base branch: audit/share-token-admin-immutable
• Head branch: audit/share-token-controls-a043-a048-a051

---

This change is 

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 80af6f73-67e0-486c-a609-117be7699242

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch audit/share-token-controls-a043-a048-a051

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fe283e701c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Exempt vault-directed transfers from recipient restrictions

Applying require_unrestricted to the transfer recipient blocks protocol-internal share movements when whitelist mode is enabled and the vault address is not explicitly listed. The vault runtime enqueues TransferShares { from: owner, to: self_id } during withdrawal flow (contract/vault/kernel/src/actions/mod.rs), and the Soroban interpreter executes that as a token transfer; with this new check, a whitelisted user can still fail withdrawals because to is the vault contract, not a listed user. This introduces a functional regression in normal withdrawal processing whenever whitelist restrictions are configured without also adding the vault address.

Useful? React with 👍 / 👎.