Code Review: BoundedVec addition

The crate rename and BoundedVec implementation look well-structured overall, with good test coverage (unit, serde, borsh, and schema tests). A few items to consider:

Potential issue: iter_mut can break invariants (low severity for now)

iter_mut() on BoundedVec cannot change the length, so the bounded invariant is preserved. However, worth noting for future maintainers that if the invariant ever depends on element values (not just count), iter_mut would be a bypass vector. For the current use case (length-only bounds), this is fine.

witnesses::possibly_empty doesn't validate U > 0 (minor)

witnesses::possibly_empty::<U>() at bounded_vec.rs:73 accepts U = 0, which would create a type that can only hold an empty vec. This is technically valid but may be surprising. The non_empty witness correctly validates L > 0 and L <= U. Consider adding a compile-time check U > 0 in possibly_empty if a zero-capacity vector is never intended, or document this edge case explicitly.

hex_serde length calculation could overflow for large U (minor)

At bounded_vec.rs:799-800, (L * 2) as u32 and (U * 2) as u32 will silently truncate if L or U exceed u32::MAX / 2. This only affects abi schema generation (not runtime correctness), and the bounds would need to be astronomically large, so it's not practically exploitable. Still, per CONTRIBUTING.md's safe arithmetic guidelines, u32::try_from(L.checked_mul(2)?) would be more defensive.

No blocking issues found. Good test coverage, clean crate rename, and the witness pattern provides solid compile-time safety.

✅