fix: refactor miden-bank tutorial test flow and init guard progression

[Keinberger]

Summary

Fixes security, correctness, and structural issues in the miden-bank tutorial (Parts 0-8) based on feedback from Dominik's review (miden-devrel#126), PhilippGackstatter's audit (docs#203), and internal testing. Rebased onto v14 main after #186 merged.

Closes:#180, 0xMiden/docs#203

Changes

Security

• withdraw(): use active_note::get_sender() instead of accepting depositor as a parameter (prevents impersonation). The note script no longer passes depositor to the bank; the bank derives it internally from the note's cryptographically-bound metadata.
• deposit(): validate balance overflow in integer space via checked_add and a MAX_BALANCE (2^63 − 2^31) ceiling before storing as Felt (prevents modular wraparound at the Goldilocks prime).
• deposit() and withdraw(): fungible-asset guard via asset.value[1].as_canonical_u64() == 0 before reading the amount. Non-fungible assets encode payload data into value[1..3], so this rejects them at the contract boundary.
• withdraw-request-note: enforce the expected v14 storage shape with assert!(storage.len() == 14, ...) (14 items: 4 for the asset encoding, 4 for the serial number, tag, note_type, and 4 for the P2ID script root at indices 10-13).

Correctness

• get_balance(): extend signature to (depositor, asset) so the composite key includes the faucet ID, matching deposit() / withdraw() key construction and isolating balances per depositor per asset type.
• Fix stale method signatures across Parts 0-5 to match the corrected APIs.
• Fix WIT filenames in Part 5 (miden-bank-account not miden_bank-account).
• Add init_test.rs companion test for Part 6 (verifies init flag flip 0 → 1 via the init transaction script).

Tutorial structure

• Defer require_initialized() guard until Part 6 — commented out in Parts 0-5, enabled in Part 6 with an explicit teaching section.
• Part 4: first runnable deposit-flow test (tutorial-created file, no init dependency).
• Part 6: runnable init test against the companion init_test.rs.
• Parts 0-2: rewrite "Try It" sections as optional self-checks.
• Remove no-op Cargo.toml update steps.
• Remove stale troubleshooting block and the auto-slot-assignment claim from Part 0 (slot IDs are derived from hashed slot names, not field declaration order).
• Update index framing (not every part has a MockChain test).

Adapted feedback

Some original feedback items were adapted rather than implemented literally:

• Not every part has a committed companion test. Parts 0-2 are inspection-only by design (setup/conceptual pages). Part 4 uses a tutorial-created test file. Part 5 is a conceptual explanation with no dedicated test.
• I6: Kept "contracts" wording per product decision (briefing suggested "components").
• Init guard: Deferred to Part 6 rather than being active from Part 2. This allows Part 4 to run a deposit test without depending on the init tx script.

[BrianSeong99]

Hey @Keinberger — quick one. The Auth::BasicAuth line at 06-transaction-scripts.md:329 doesn't compile against v0.14.4:

builder.add_existing_basic_faucet(Auth::BasicAuth, "TEST", 10_000_000, Some(10))?;

error[E0533]: expected value, found struct variant `Auth::BasicAuth`

Unit-variant form, but miden-testing 0.14.4 has it as a struct variant. Your shipped init_test.rs:62 already does the right thing — same fix needed in the prose:

Auth::BasicAuth { auth_scheme: AuthSchemeId::Falcon512Poseidon2 }

Plus use miden_client::auth::AuthSchemeId;.

[BrianSeong99]

The cargo command at 04-note-scripts.md:386 and the file title at :262 don't match the shipped test file — prose says part4_deposit_test.rs / test_deposit_flow, shipped file is tests/deposit_test.rs with deposit_test / deposit_exceeds_max_should_fail / deposit_without_init_should_fail.

$ cargo test --package integration --test part4_deposit_test -- --nocapture
error: no test target named `part4_deposit_test` in `integration` package

Either rename the prose to match shipped, or rename the shipped file.

[Keinberger]

Requesting re-review @BrianSeong99