feat: comprehensive security testing

[lyon-1050]

Integrates static analysis, property-based fuzzing, and automated vulnerability scanning into the development and CI workflows.

Changes:

• contracts/escrow/src/tests/fuzz.rs — 7 quickcheck property-based tests covering stake validation, escrow balance conservation, no-double-deposit, payout/draw
  token conservation, oracle-only result submission, and timeout bounds
• contracts/escrow/src/tests/mod.rs — registers the new fuzz module
• scripts/security-scan.sh — local scan script running cargo-audit, clippy (deny warnings), fuzz tests, and full test suite; supports --report flag to write
  timestamped results to reports/security/
• .github/workflows/ci.yml — new security job running cargo-audit and clippy with -D warnings, blocking merge on failures
• docs/security-testing.md — documents the framework: tools used, how to run locally, CI behavior, and known mitigations
• CONTRIBUTING.md — links to docs/security-testing.md under the Testing section

Outcome: CI fails automatically if any advisory vulnerabilities or clippy warnings are introduced. Developers can reproduce the full security check locally with
bash scripts/security-scan.sh.
closes #748

[drips-wave]

@lyon-1050 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits