feat(contract): add 24-hour grace period for proof disputes

[GazzyLee]

Summary

Introduces a mandatory 24-hour cooling-off period between proof verification and fund release to allow community members time to dispute fraudulent proofs before funds become irreversibly claimable.

Motivation

Previously, verify_and_release atomically verified proof and transferred funds in a single transaction, leaving zero window for dispute. This change splits the flow into two steps with a configurable grace period, aligning with the issue requirement to protect donors against fraudulent claims.

Changes

Contract logic (lib.rs)

• Split verify_and_release into two entry points:
  • verify_proof — Oracle-only; validates the proof hash, transitions project to Verified, records last_proof_time
  • claim_funds — Permissionless; callable by anyone after the 24h grace period has elapsed; deducts protocol fee and transfers funds to creator, transitions to Completed
• Added GRACE_PERIOD: u64 = 86_400 constant (24 hours in seconds)

Types (types.rs)

• Added Verified variant to ProjectStatus enum (FSM: Active → Verified → Completed)
• Added last_proof_time: u64 field to ProjectState and Project

Errors (errors.rs)

• Added GracePeriodActive = 34 — returned when claim_funds is called before the grace period elapses

Events (events.rs)

• Added FundsClaimed event (topic: fnd_clm) emitted on successful fund claim

Storage (storage.rs)

• Updated save_project / load_project / maybe_load_project to persist last_proof_time

Invariants (invariants_checker.rs)

• Added Verified to valid status transitions in check_inv7_status_transition

Tests

• New test_grace_period.rs with 9 targeted tests:
  • test_verify_proof_sets_verified_status_and_timestamp
  • test_claim_funds_after_grace_period_succeeds
  • test_claim_funds_before_grace_period_fails
  • test_claim_funds_one_second_before_grace_period_fails
  • test_claim_funds_on_funding_project_fails
  • test_claim_funds_on_completed_project_fails
  • test_verify_proof_twice_fails
  • test_expire_verified_project_fails
  • test_claim_funds_permissionless
• All existing tests updated to use the new two-step flow
• 117 tests passing

Pre-existing fixes (bundled)

• Fixed duplicate error discriminants in errors.rs (codes 28/29 were each used twice)
• Fixed missing categories argument in ~35 register_project test calls
• Fixed missing get_super_admin import in invariants_checker.rs

Migration notes

• Breaking: verify_and_release no longer exists. Callers must use verify_proof followed by claim_funds (after 24h).
• Backend oracle code in backend/oracle/ references verify_and_release and will need a follow-up update.

Closes #125

[drips-wave]

@GazzyLee Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

[ayomideadeniran]

Thanks for the PR! This is currently under review and I will get back to you shortly.