
security: audit and document arithmetic overflow/saturation strategy#58

Merged
mikewheeleer merged 1 commit into
Agentpay-Org:mainfrom
Baskarayelu:security/contracts-24-arithmetic-policy
Jun 24, 2026

Conversation

@Baskarayelu

Contributor

Summary

Makes the escrow contract's integer-arithmetic policy explicit and tested, without changing any production behaviour.

  • Added concise // rationale comments at every arithmetic site in contracts/escrow/src/lib.rs (per-pair usage, TotalUsageByAgent, TotalRequestsAllTime, and the compute_billing / settle billing multiplications). Code is byte-for-byte behaviourally identical — saturating_* operations are unchanged.
  • Added docs/escrow/arithmetic.md documenting which sites saturate and why, what a saturated value MEANS to downstream consumers (an out-of-band signal of a stuck settlement loop / accounting anomaly, never a silent wrap), and noting that overflow-checks = true on the release profile is a defense-in-depth backstop for any non-saturating +/* added later.
  • Added boundary tests in contracts/escrow/src/test.rs proving the documented behaviour.

Closes #24

Security notes

  • The policy never permits wrapping arithmetic on accounting state. Hot-path writes (record_usage) saturate so a single agent can never panic-wedge the metering loop; read/settle paths return a clamped sentinel so the off-chain settlement loop can detect and react to an anomaly rather than the host trapping.
  • price is validated >= 0 and requests is u32, so billing multiplicands are non-negative and the only reachable boundary is i128::MAX.
  • overflow-checks = true (release) remains as a forward-looking backstop: a future plain +/* on an overflow-capable path will trap instead of silently wrapping.
  • New tests cover: per-pair usage saturates at u32::MAX; per-agent lifetime usage saturates at u32::MAX; compute_billing saturates at i128::MAX; zero-price billing is 0; settle of an unused pair returns 0.

Test result

test result: ok. 56 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
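A minimal Rust model of the arithmetic policy the PR describes, as an added example that is not the escrow contract's own code: `record_usage`, `compute_billing`, `settle` and the anomaly checks are assumed names and shapes, chosen to mirror the documented boundaries (u32::MAX for usage, i128::MAX for billing, 0 for an unused pair).

```rust
// Added example, not the escrow contract's own code: a stand-in for the
// saturating arithmetic policy described in the PR. Names are assumptions.

/// Hot-path metering write: per-pair usage saturates at u32::MAX, so a single
/// agent can neither wrap the counter nor panic the metering loop.
pub fn record_usage(current: u32, delta: u32) -> u32 {
    current.saturating_add(delta)
}

/// Billing: a validated non-negative price times a u32 request count. With both
/// multiplicands non-negative, the only reachable boundary is i128::MAX.
pub fn compute_billing(price: i128, requests: u32) -> Result<i128, &'static str> {
    if price < 0 {
        return Err("price must be >= 0");
    }
    Ok(price.saturating_mul(i128::from(requests)))
}

/// Settle path: a pair with no recorded usage owes nothing; otherwise the
/// clamped billing value is returned rather than trapping the host.
pub fn settle(usage: Option<u32>, price: i128) -> Result<i128, &'static str> {
    match usage {
        None | Some(0) => Ok(0),
        Some(n) => compute_billing(price, n),
    }
}

/// Off-chain consumer checks: a value sitting exactly at its saturation bound is
/// an anomaly signal (stuck settlement loop, runaway metering), never a real
/// amount to pay out.
pub fn usage_is_anomalous(usage: u32) -> bool {
    usage == u32::MAX
}

pub fn billing_is_anomalous(amount: i128) -> bool {
    amount == i128::MAX
}

fn main() {
    // Constructed inputs: a counter one short of the bound receiving a burst.
    let usage = record_usage(u32::MAX - 1, 10); // saturates, does not wrap to 8
    let bill = settle(Some(usage), 3).unwrap();
    println!("usage={usage} anomalous={}", usage_is_anomalous(usage));
    println!("bill={bill} anomalous={}", billing_is_anomalous(bill));
}
```

Because the saturated usage is the sentinel here, a consumer must check both the usage counter and the billing amount, not just the latter.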
@mikewheeleer mikewheeleer merged commit abf650b into Agentpay-Org:main Jun 24, 2026
1 check passed
mikewheeleer added a commit that referenced this pull request Jun 24, 2026
…e, registry, tests, docs

Reconcile enum codes (BatchTooLarge=16, AgentBlocked=17 vs RateLimitExceeded=15),
re-add dropped DataKey/EscrowError variants, rebuild test.rs from base + each PR's
tests, and update base tests for the new settle(caller,...) signature. 160 tests pass.


Development

Successfully merging this pull request may close these issues.

Add overflow-checked arithmetic verification under the release profile
