
Prepare external audit checklist for smart contracts #1296

Open
TUPM96 wants to merge 1 commit into Jagadeeshftw:master from TUPM96:codex/external-audit-checklist-1290



TUPM96 commented May 25, 2026

Closes #1290

Summary

  • Added docs/security/external-audit-checklist.md covering the scoped Grainlify smart contracts.
  • Inventoried program-escrow, bounty_escrow, and grainlify-core entrypoints with expected access controls and associated error codes.
  • Added threat model coverage for reentrancy, oracle-like inputs, fee-drain paths, role drift, storage pagination, and upgrade safety.
  • Added a small program-escrow doc pointer and checklist coverage tests so required audit sections do not drift silently.
  • Repaired a malformed rate-limit auth test wrapper so src/test.rs can parse past that pre-existing block.

Validation

  • git diff --check origin/master..HEAD passes.
  • cargo test -p program-escrow is currently blocked by pre-existing compile failures outside this checklist patch, including Soroban symbol/function name length limits, duplicate BatchError discriminants, unresolved ContractError/Error references, and broken test_pagination imports/attributes.
  • cargo fmt --check is also blocked by broad pre-existing formatting drift across program-escrow files.

Security notes

  • This PR does not disclose or exploit any private vulnerability.
  • The checklist tracks the known pre-audit gaps from the issue, including incomplete Draft-state handling and missing/broken test wiring.

Copilot AI review requested due to automatic review settings May 25, 2026 09:54

vercel Bot commented May 25, 2026

@TUPM96 is attempting to deploy a commit to the Jagadeesh B's projects Team on Vercel.

A member of the Team first needs to authorize it.


Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Development

Successfully merging this pull request may close these issues.

Prepare external security audit checklist and remediation tracking for grainlify contracts
