refactor: extract shared admin-auth and pause-gate helpers

[Baskarayelu]

Summary

Pure refactor extracting the two access-control patterns that were duplicated across the escrow contract into shared module-level helpers, placed next to read_flag/write_flag:

• require_admin(env) -> Address — loads DataKey::Admin, panics NotInitialized (Enforce the documented 256-byte service-description cap in set_service_metadata #3) if unset, calls admin.require_auth(), returns the admin. Replaces the repeated admin-load + auth block in every admin-gated entrypoint.
• ensure_not_paused(env) — panics ContractPaused (Emit structured events on admin, price, and registration state changes #4) when the Paused flag is set. Replaces the inline pause checks.

A short module comment documents the helper pattern (plain fns, called directly, not via Self::) for future contributors.

Closes #29

Pure refactor — no behaviour change

This is a behaviour-preserving cleanup. No public signatures changed and the helpers reproduce the exact prior logic:

• Same error codes everywhere: NotInitialized (Enforce the documented 256-byte service-description cap in set_service_metadata #3) for missing admin, ContractPaused (Emit structured events on admin, price, and registration state changes #4) for paused calls.
• Same order of checks preserved at every call site. In settle and record_usage the pause check stays first; in transfer_service_ownership the pause check stays before caller.require_auth() (its admin load stays manual since it authorizes the caller, not the admin).
• transfer_service_ownership previously read the pause flag via the inline .get(&DataKey::Paused).unwrap_or(false) variant; ensure_not_paused reads the same persistent slot with the same unwrap_or(false) default, so behaviour is identical.
• init keeps its own AlreadyInitialized flow; accept_admin_transfer keeps caller.require_auth().

Security notes

• No authorization check was dropped or weakened. Every admin-gated entrypoint still performs the identical admin load + require_auth, now via the single audited require_admin helper.
• Every pause gate is preserved in its original position; no state-changing entrypoint became reachable while paused.
• Centralising the logic reduces the risk of a future entrypoint silently omitting an admin or pause check.

Tests

Existing suite unchanged and passing. Added two small regression tests confirming the helpers preserve behaviour: set_service_price still panics NotInitialized (#3) before init, and record_usage still panics ContractPaused (#4) while paused.

test result: ok. 53 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

[mikewheeleer]

thanks for this @Baskarayelu — the shared admin-auth + pause-gate cleanup is a good direction 🙌 since you opened it, a batch of feature PRs has landed on main (rate limiting, per-agent blocklist, batched reads, owner-settle, the service registry, etc.), and some of those already introduced helpers like ensure_not_paused/read_flag/write_flag. As a result this now conflicts pretty broadly across lib.rs (15 hunks). Could you rebase onto the latest main and re-apply the require_admin extraction on top? It should be a lot cleaner once it sits on the current helpers, and i'll merge it right away. really appreciate it 🚀