Vault: add withdraw_to recipient validation and pause-policy documentation

[greatest0fallt1me]

Description

CalloraVault::withdraw_to lets the owner send tracked USDC to an arbitrary to address and is intentionally allowed while paused (emergency recovery), but it performs no recipient validation and the pause-allowed behavior is undocumented at the function level. Add recipient guards and explicit /// documentation of the emergency-withdrawal policy.

Requirements and Context

• Reject to == env.current_contract_address() (sending back into the vault) and optionally to == usdc_token.
• Document at the function level that withdraw/withdraw_to are permitted while paused for recovery, matching the module-level note.
• Confirm CEI ordering relative to the token transfer.
• Must be secure, tested, and documented
• Should be efficient and easy to review

Suggested Execution

1. Fork the repo and create a branch

   git checkout -b bug/vault-withdraw-to-validation

2. Implement changes
   • contracts/vault/src/lib.rs — recipient guard + /// pause policy
   • VAULT_WITHDRAW_COMPLIANCE.md — align documented behavior
3. Test and commit
   • cargo test -p callora-vault
   • Test withdraw_to-while-paused succeeds; self-address rejected
   • Include test output and notes in the PR

Example commit message

fix: validate withdraw_to recipient and document pause policy

Acceptance Criteria

• Self-address (and token-address) recipient rejected
• Pause-allowed behavior documented at function level
• CEI ordering confirmed
• Tests cover paused and invalid-recipient cases

Guidelines

• .rs under contracts/vault/src/, cargo test, /// docs, minimum 95% line coverage, no unwrap() in prod paths
• Clear documentation and inline comments
• Timeframe: 96 hours

[ayomidearegbeshola29-dev]

@ayomidearegbeshola29-dev has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I will like to work on this pls

ℹ️ Repo Maintainers: To accept this application, review their application or assign @ayomidearegbeshola29-dev to this issue.

[drips-wave]

Congratulations, @ayomidearegbeshola29-dev! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @ayomidearegbeshola29-dev: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[drips-wave]

This issue has been completed by @ayomidearegbeshola29-dev as part of the Stellar Wave Program's 5th Wave 🥳

😎 @ayomidearegbeshola29-dev: You earned 200 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.