Title: feat(vault): implement reentrancy security tests and CEI audit hardening #397

Merged: greatest0fallt1me merged 1 commit into CalloraOrg:main from ChukwuemekaP1:task/vault-reentrancy-mock-token on Jun 2, 2026


@ChukwuemekaP1
Contributor

Summary

This PR implements comprehensive adversarial security tests for the callora-vault contract, specifically targeting reentrancy and state corruption vectors. While the contract contains Check-Effect-Interaction (CEI) violations (performing external transfers before balance updates), these tests prove that Soroban’s authorization model and our idempotency controls effectively block re-entry attempts.

Key Changes

  • Adversarial Testing Suite: Added test_reentrancy.rs featuring:
    • MaliciousToken and MaliciousSettlement mocks that attempt recursive callbacks during execution.
    • Verified that re-entry via deduct(), batch_deduct(), and withdraw() is blocked.
  • Bug Fixes & Hardening:
    • Fixed a critical type mismatch in lib.rs where upgrade compared an Address to a Result.
    • Implemented safe i128 parsing for set_price to handle soroban_sdk::String correctly.
    • Standardized SettlementClient generation for cross-contract calls.
  • Documentation: Added security rationale comments to sensitive functions in lib.rs for audit transparency.

Security Properties Verified

  • Recursive deduct() calls are blocked by authorization boundaries.
  • Double-spending meta.balance via callback is impossible.
  • Batch operations maintain atomicity and balance invariants under attack.
  • User-initiated withdrawals cannot be hijacked for re-entry.

closes #344
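
An added example, not part of the PR or the callora-vault code: a plain-Rust model of the ordering issue the description refers to (external transfer before the balance update), run against a mock that re-enters once from inside the transfer. It assumes a host that lets the callback run, unlike the Soroban behaviour the PR relies on; `Vault`, `Token`, `deduct_unsafe`, `deduct_cei` and `run` are hypothetical names, and `MaliciousToken` only borrows the name of the PR's mock.

```rust
// Constructed model in plain Rust (no soroban_sdk); not the callora-vault code.
use std::cell::Cell;
/// Hypothetical token interface whose transfer may call back into the vault.
pub trait Token {
    fn transfer(&self, vault: &Vault, amount: i128);
}
pub struct Vault {
    balance: Cell<i128>,  // stands in for meta.balance
    paid_out: Cell<i128>, // total the token was asked to move
}
impl Vault {
    fn check(&self, amount: i128) -> Result<(), &'static str> {
        if amount <= 0 || self.balance.get() < amount { Err("rejected") } else { Ok(()) }
    }
    /// Interaction before effect: the callback still sees the old balance.
    pub fn deduct_unsafe(&self, token: &dyn Token, amount: i128) -> Result<(), &'static str> {
        self.check(amount)?;
        self.paid_out.set(self.paid_out.get() + amount);
        token.transfer(self, amount); // external call first
        self.balance.set(self.balance.get() - amount); // effect last
        Ok(())
    }
    /// Check, effect, interaction: the balance is debited before the call.
    pub fn deduct_cei(&self, token: &dyn Token, amount: i128) -> Result<(), &'static str> {
        self.check(amount)?;
        self.balance.set(self.balance.get() - amount);
        self.paid_out.set(self.paid_out.get() + amount);
        token.transfer(self, amount);
        Ok(())
    }
}

/// Mock that re-enters the vault once from inside transfer.
pub struct MaliciousToken { armed: Cell<bool>, cei: bool }
impl Token for MaliciousToken {
    fn transfer(&self, vault: &Vault, amount: i128) {
        if self.armed.replace(false) {
            let _ = if self.cei { vault.deduct_cei(self, amount) } else { vault.deduct_unsafe(self, amount) };
        }
    }
}

/// Returns (final balance, total paid out) for a 100-unit vault and one deduct of 100.
pub fn run(cei: bool) -> (i128, i128) {
    let (vault, token) = (Vault { balance: Cell::new(100), paid_out: Cell::new(0) }, MaliciousToken { armed: Cell::new(true), cei });
    let _ = if cei { vault.deduct_cei(&token, 100) } else { vault.deduct_unsafe(&token, 100) };
    (vault.balance.get(), vault.paid_out.get())
}
fn main() { println!("unsafe={:?} cei={:?}", run(false), run(true)); }
```

In this model the invariant to assert in a test is that the amount paid out never exceeds the starting balance and the balance never goes negative; only the CEI ordering holds it when the callback is allowed to run.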

@drips-wave

drips-wave Bot commented Jun 2, 2026

@ChukwuemekaP1 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

@greatest0fallt1me merged commit 3828d94 into CalloraOrg:main on Jun 2, 2026
0 of 3 checks passed
Development

Successfully merging this pull request may close these issues.

Vault: add reentrancy-equivalent test using a malicious mock token on deduct