feat: add access control protection suite

[makemake-kbo]

No description provided.

[linear]

ENG-2357 feat(credible-std): Add protection suite for RWA/staking/restaking

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[mateo-mro]

PR description is empty. For 4k lines across three new suites we need a writeup: which invariants each suite enforces, why the step-oriented interface shape, which exploits the example assertions are modelled against, and how detection was validated end-to-end.

Main blocker is that the Denaria tests don't actually exercise the assertion — the author even says so in a comment. Rest of the concerns inline.

[mateo-mro]

Name says Reverts, there's no vm.expectRevert, and the comment block above admits the mock can't drive per-fork state so the check never fires. This passes unconditionally — tells us nothing about whether EQUITY_CONSERVATION works. Either wire up a fixture that produces a real pre/post delta, or move it to a proper integration test under the Credible runtime. Delete before merge if neither.

[mateo-mro]

Same story as the stale-accounting test — no vm.expectRevert, the mock doesn't distinguish forks, assertion never runs. If we're claiming this catches the Denaria hack we need a runtime-level test that actually reverts on the exploit path. Right now it's a smoke test dressed up as a regression, which is worse than no test because it gives false confidence.

[mateo-mro]

Both sides of this assertEq are the same expression — always passes. If pinning the selector is the intent, compare against DenariaOperationSafetyAssertion.assertOperationSafety.selector.

[mateo-mro]

Exact equality as the fingerprint is too sharp both ways. It false-positives on a legitimate solo LP (early pool life, quiet market, post-migration) — honest calls will revert for those users. It also misses any wrap that lands a wei short of the cap because of a rounding buffer upstream. Catch the overflow at its source (the int256→uint256 cast site) or widen to >= cap with an explicit solo-LP carve-out. As-is this is both too strict and not strict enough.

[mateo-mro]

All three compat aliases (AaveV3ProtectionSuite, AaveV3OperationSafetyAssertion, AaveV3PostOperationSolvencyAssertion) are introduced in the same PR that creates the file. There's nothing prior to be compatible with — these are dead code on arrival. Drop them; we can always add shims later if an external consumer materialises.

[mateo-mro]

Same as on the Aave file — alias with no prior consumer. Delete.