
Deprecate balance storage in favor of share-based accounting model#222

Open. BernardOnuh wants to merge 1 commit into Neurowealth:main from BernardOnuh:feat/circuit-breaker-large-withdrawals


Conversation

@BernardOnuh

closes #195 - Add optional circuit breaker for large single withdrawals

Summary

This PR introduces an optional withdrawal circuit breaker that allows the protocol owner to limit the maximum amount withdrawable in a single transaction.

The feature is disabled by default (0 value) to preserve existing behaviour. When enabled, withdrawals exceeding the configured threshold are rejected before any state changes occur.

Motivation

A compromised wallet, exploit, or abnormal market event could otherwise withdraw a significant percentage of protocol TVL in a single transaction.

The circuit breaker provides an additional risk-management layer while remaining fully configurable by protocol administrators.

Changes

New Configuration

  • Added max_withdrawal_per_tx
  • Optional support for max_withdrawal_per_ledger
  • Default value: 0 (disabled)

Withdrawal Protection

Applied checks to:

  • withdraw()
  • withdraw_all()

Access Control

  • Owner/admin can update limits.
  • Non-owner updates are rejected.

Errors

Added withdrawal limit violation errors for clear failure reporting.

Testing

Added tests covering:

  • Withdrawal below limit succeeds.
  • Withdrawal equal to limit succeeds.
  • Withdrawal above limit fails.
  • withdraw_all() respects limits.
  • Disabled limit (0) allows unrestricted withdrawals.
  • Owner configuration updates.
  • Unauthorized configuration attempts.

Security Considerations

  • Checks are executed before state mutations.
  • withdraw_all() cannot bypass restrictions.
  • Default configuration remains backward compatible.
  • Feature is opt-in and upgrade-safe.

Acceptance Criteria

  • Owner-configured withdrawal limit added.
  • Zero value disables restriction.
  • Limits enforced in withdraw() and withdraw_all().
  • Boundary tests implemented.
  • Backward compatibility maintained.
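As an added illustration, not code from this PR or the Neurowealth repository, the following plain Rust model shows the ordering the description relies on: a vault with `max_withdrawal_per_tx` and `max_withdrawal_per_ledger`, every check executed before the first state write, `withdraw_all()` routed through the same path as `withdraw()`, owner-only limit updates, and 0 disabling a limit. The type and function names, the string-keyed balances, and the explicit `ledger` argument are assumptions made for the example (on chain these would come from the contract's storage and host environment).

```rust
use std::collections::HashMap;

/// Failure modes of the hypothetical vault. The names are assumptions for this
/// example, not the error identifiers used in the Neurowealth contract.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum VaultError {
    Unauthorized,
    InsufficientBalance,
    ExceedsMaxPerTx,
    ExceedsMaxPerLedger,
}

/// Withdrawal limits. A value of 0 disables the corresponding check, matching
/// the PR's "0 = disabled" default so an upgrade changes no existing behaviour.
#[derive(Debug, Clone, Copy, Default, PartialEq, Eq)]
pub struct LimitConfig {
    pub max_withdrawal_per_tx: u128,
    pub max_withdrawal_per_ledger: u128,
}

/// In-memory stand-in for contract storage (assumption: addresses are strings and
/// the ledger sequence is supplied by the caller rather than the host).
pub struct Vault {
    owner: String,
    balances: HashMap<String, u128>,
    limits: LimitConfig,
    /// (ledger sequence, total withdrawn during that ledger) for the per-ledger cap.
    withdrawn_in_ledger: (u64, u128),
}

impl Vault {
    pub fn new(owner: &str) -> Self {
        Vault { owner: owner.to_string(), balances: HashMap::new(),
                limits: LimitConfig::default(), withdrawn_in_ledger: (0, 0) }
    }

    pub fn deposit(&mut self, who: &str, amount: u128) {
        *self.balances.entry(who.to_string()).or_insert(0) += amount;
    }

    pub fn balance_of(&self, who: &str) -> u128 {
        self.balances.get(who).copied().unwrap_or(0)
    }

    pub fn limits(&self) -> LimitConfig {
        self.limits
    }

    /// Only the owner may change limits; anyone else is rejected before any write.
    pub fn set_limits(&mut self, caller: &str, cfg: LimitConfig) -> Result<(), VaultError> {
        if caller != self.owner {
            return Err(VaultError::Unauthorized);
        }
        self.limits = cfg;
        Ok(())
    }

    /// Amount already withdrawn in `ledger`; a new ledger starts from zero.
    fn withdrawn_so_far(&self, ledger: u64) -> u128 {
        if self.withdrawn_in_ledger.0 == ledger { self.withdrawn_in_ledger.1 } else { 0 }
    }

    /// Pure check, no mutation. `amount == limit` passes, so the boundary is inclusive.
    fn check_limits(&self, amount: u128, ledger: u64) -> Result<(), VaultError> {
        let per_tx = self.limits.max_withdrawal_per_tx;
        if per_tx != 0 && amount > per_tx {
            return Err(VaultError::ExceedsMaxPerTx);
        }
        let per_ledger = self.limits.max_withdrawal_per_ledger;
        if per_ledger != 0 && self.withdrawn_so_far(ledger).saturating_add(amount) > per_ledger {
            return Err(VaultError::ExceedsMaxPerLedger);
        }
        Ok(())
    }

    /// Withdraw `amount` and return the remaining balance. Every check runs before
    /// the first state write, so a rejected call leaves balances and the
    /// per-ledger counter untouched.
    pub fn withdraw(&mut self, who: &str, amount: u128, ledger: u64) -> Result<u128, VaultError> {
        let bal = self.balance_of(who);
        if amount > bal {
            return Err(VaultError::InsufficientBalance);
        }
        self.check_limits(amount, ledger)?;

        let remaining = bal - amount;
        self.balances.insert(who.to_string(), remaining);
        let so_far = self.withdrawn_so_far(ledger);
        self.withdrawn_in_ledger = (ledger, so_far + amount);
        Ok(remaining)
    }

    /// Route through `withdraw` so the full balance is subject to the same limits.
    pub fn withdraw_all(&mut self, who: &str, ledger: u64) -> Result<u128, VaultError> {
        let bal = self.balance_of(who);
        self.withdraw(who, bal, ledger)
    }
}

fn main() {
    let mut v = Vault::new("owner");
    v.deposit("alice", 2_000);
    let cfg = LimitConfig { max_withdrawal_per_tx: 500, max_withdrawal_per_ledger: 800 };
    v.set_limits("owner", cfg).unwrap();
    println!("{:?}", v.withdraw("alice", 400, 1));  // Ok(1600)
    println!("{:?}", v.withdraw("alice", 500, 1));  // Err(ExceedsMaxPerLedger): 400 + 500 > 800
    println!("{:?}", v.withdraw_all("alice", 2));   // Err(ExceedsMaxPerTx): 1600 > 500
    println!("{:?}", v.withdraw("alice", 500, 2));  // Ok(1100): equal to the limit passes
}
```

Two points worth checking in any real implementation against this model: the per-ledger counter is written only after `check_limits` succeeds, so a rejected transaction cannot consume part of the ledger budget, and `withdraw_all()` never subtracts the balance itself, which is what keeps it from bypassing the cap. The per-ledger cap here is protocol-wide rather than per account (an assumption of the example), which is the reading that actually bounds TVL loss per ledger.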
