Audit fixes

[georgedigkas]

• Pause/unpause access control bypass: get_pause_mut, pausable::pause, and pausable::unpause were public, allowing any user to pause/unpause the bridge via a PTB. Restricted all three to public(package).
• Version compatibility checks never enforced: assert_is_compatible / assert_bridge_is_compatible existed but were never called. Added them to all state-mutating entry points across safe.move, bridge_module.move, and xmn_mint_cap_adapter.move.
• Missing quorum ≤ relayer count check on initialization: bridge::initialize accepted quorum > relayer_count, permanently bricking the bridge. Added assert!(initial_quorum <= public_keys.length(), EQuorumExceedsRelayers).
• Orphaned MintCap from direct de-whitelisting: Calling safe::remove_token_from_whitelist on a mint-burn token left its MintCap permanently stuck. Added a guard rejecting mint-burn tokens and introduced safe::unwhitelist_token (package-internal) for the adapter's cleanup flow.
• Changed 7 mutation functions (add_to_token_config_total_balance, subtract_from_token_config_total_balance, upsert_token_config, set_token_config, increment_batch_deposits, update_batch_last_updated, set_batch_deposits_count) from public to public(package).
• Missing events for config updates: Added BatchTimeoutUpdated, BatchSettleTimeoutUpdated, BatchSizeUpdated events emitted from set_batch_timeout_ms, set_batch_settle_timeout_ms, and set_batch_size (both safe and bridge).
• Tests added to cover the above