[security] Create pre-audit security checklist for CommitmentPool #21

@MarvyNwaokobia

What needs to be done

Create a security checklist at docs/security-checklist.md covering
every known attack vector for ZK-based commitment pools.

Checklist items to document and verify

Re-entrancy

  • Nullifier marked spent BEFORE token transfer in withdraw()
  • No external calls before state changes

Access control

  • Admin functions require admin.require_auth()
  • No functions callable by arbitrary addresses that modify state

ZK soundness assumptions

  • Proof malleability: does the verifier reject non-canonical proofs?
  • Trusted setup: document the ceremony requirements and status
  • Completeness: can a valid note always produce a valid proof?

Merkle tree

  • Can a duplicate commitment cause issues?
  • Tree overflow: what happens at capacity?
  • Root history: does withdraw accept stale roots?

Integer safety

  • All i128 arithmetic checked for overflow
  • Amount zero: is a zero-amount deposit/withdrawal handled?

Denial of service

  • Can an attacker fill the tree with junk commitments?
  • Gas limits on verification
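As an added worked example (not the project's code, and without soroban_sdk), the block below is a plain-Rust model of the withdraw() path that exercises the re-entrancy ordering, root-history, nullifier, zero-amount, checked-i128 and proof-canonicality items above. `Pool`, `push_root`, the stand-in `verify_proof` and the `events` trace are constructed here for illustration and are not the CommitmentPool's real layout or verifier.

```rust
use std::collections::{HashSet, VecDeque};
/// Failure modes the checklist asks withdraw() to handle explicitly.
#[derive(Debug, PartialEq)]
pub enum WithdrawError { ZeroAmount, StaleRoot, NullifierSpent, InvalidProof, InsufficientBalance }

/// Constructed stand-in for the pool state (the real storage layout is not known here).
pub struct Pool {
    roots: VecDeque<[u8; 32]>, // bounded history of recent Merkle roots
    spent: HashSet<[u8; 32]>,  // nullifier hashes already consumed
    pub balance: i128,         // tokens held by the pool
    pub events: Vec<String>,   // ordered trace: state changes vs. the external transfer
}
impl Pool {
    pub fn new(balance: i128) -> Self {
        Pool { roots: VecDeque::new(), spent: HashSet::new(), balance, events: Vec::new() }
    }

    /// Record a new root; only the newest `keep` roots stay valid, so older ones go stale.
    pub fn push_root(&mut self, root: [u8; 32], keep: usize) {
        self.roots.push_back(root);
        while self.roots.len() > keep { self.roots.pop_front(); }
    }

    /// Stand-in verifier, not a real ZK verifier: only the canonical encoding (32 bytes
    /// of 0x01) is accepted, so a re-encoded (malleated) proof is rejected.
    fn verify_proof(proof: &[u8]) -> bool { proof.len() == 32 && proof.iter().all(|b| *b == 1) }

    /// Checks, then effects, then the token transfer last (the only external call).
    pub fn withdraw(&mut self, root: [u8; 32], nullifier: [u8; 32], proof: &[u8], amount: i128)
        -> Result<(), WithdrawError> {
        if amount <= 0 { return Err(WithdrawError::ZeroAmount); }
        if !self.roots.contains(&root) { return Err(WithdrawError::StaleRoot); }
        if self.spent.contains(&nullifier) { return Err(WithdrawError::NullifierSpent); }
        if !Self::verify_proof(proof) { return Err(WithdrawError::InvalidProof); }
        let new_balance = match self.balance.checked_sub(amount) {
            Some(b) if b >= 0 => b, // checked i128 arithmetic, no wraparound
            _ => return Err(WithdrawError::InsufficientBalance),
        };
        // Effects before interaction: the nullifier is spent even if the transfer re-enters.
        self.spent.insert(nullifier);
        self.balance = new_balance;
        self.events.push(format!("nullifier_spent:{:02x}", nullifier[0]));
        self.token_transfer(amount);
        Ok(())
    }

    /// Mock of the token contract call; in Soroban this would be the token client's transfer().
    fn token_transfer(&mut self, amount: i128) { self.events.push(format!("transfer:{amount}")); }
}
```

The `events` trace is what a unit test can assert on: `nullifier_spent` must always precede `transfer`, and a replayed nullifier or a root older than the history window must fail before any transfer is recorded.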

Definition of done

  • docs/security-checklist.md created with all items
  • Each item marked as SAFE, RISK, or TODO with explanation
  • At least 3 items result in new issues filed

Estimated time

Half day

Required knowledge

Smart contract security, Soroban. ZK knowledge helpful but not required.
