feat(token): implement two-step ownership transfer pattern

[ACodehunter]

Summary

Implements a secure two-step ownership transfer pattern for the token contract as specified in Issue #14. This prevents permanent loss of admin access due to typos or incorrect addresses.

Problem

The current transfer_ownership() function immediately transfers admin rights in a single step. If the new address is incorrect (typo, wrong key), the admin role is irrecoverably lost.

Solution

Implemented a two-step ownership transfer pattern:

1. propose_owner(new_admin) - Current admin proposes a new admin
2. accept_ownership() - Pending admin accepts the transfer
3. cancel_transfer() - Current admin can cancel a pending transfer
4. pending_owner() - Read-only function to check pending transfers

Changes

Contract Updates (lib.rs)

• New Storage Key: DataKey::PendingAdmin
• New Functions:
  • propose_owner(): Propose new admin (admin-only)
  • accept_ownership(): Accept pending transfer (pending admin only)
  • cancel_transfer(): Cancel pending transfer (admin-only)
  • pending_owner(): Query pending admin address
• Deprecated: transfer_ownership() marked with deprecation notice in docs

Events (events.rs)

• emit_ownership_proposed(): Emitted when admin is proposed
• emit_ownership_accepted(): Emitted when transfer is accepted
• emit_ownership_cancelled(): Emitted when transfer is cancelled

Tests (test.rs)

Added 5 comprehensive tests:

1. ✅ Happy path: propose → accept → new admin can mint
2. ✅ Accept without proposal fails: Panics with no pending transfer
3. ✅ Cancel transfer: Clears pending admin
4. ✅ Cancel without proposal fails: Panics with no pending transfer
5. ✅ Double propose: Updates pending admin (second proposal overrides first)

Acceptance Criteria

• ✅ New DataKey::PendingAdmin storage key
• ✅ propose_owner, accept_ownership, cancel_transfer, pending_owner functions
• ✅ Only the pending admin can accept
• ✅ Only the current admin can propose or cancel
• ✅ Events emitted for propose, accept, and cancel
• ✅ Minimum 5 tests covering happy path, unauthorized accept, cancel, double-propose
• ✅ Backward compatibility: old transfer_ownership() still works (deprecated)

Security Benefits

• Typo Protection: Admin can verify the correct address before transfer
• Recovery: Mistakes can be cancelled before acceptance
• Confirmation: New admin must actively accept, confirming they have the correct keys
• Transparency: Pending transfers are publicly queryable

Migration Path

Existing code using transfer_ownership() will continue to work. New code should use:

// Instead of:
contract.transfer_ownership(&new_admin);

// Use:
contract.propose_owner(&new_admin);
// Then new_admin calls:
contract.accept_ownership();

Closes #14

[drips-wave]

@ACodehunter Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[p3ris0n]

@ACodehunter please fix issues