fix(tanda): auto-complete on defaulter pruning; full-collapse handler

Critical correctness fix surfaced by edge-case testing.

Bug: when future-slot defaulter pruning drove payoutOrder.length below
currentCycle, the tanda became stuck in ACTIVE. The next triggerPayout
would access payoutOrder[currentCycle-1] out-of-bounds and revert with
a Solidity Panic(0x32). Funds (insurance pool, contributions, survivor's
would-be payout) were permanently locked with no recovery path.

Fix has two pieces, both routed through _completeTanda for consistency:

1. markDefaulter auto-complete trigger
   When pruning drives payoutOrder.length below currentCycle, the
   contract auto-completes in the same transaction. Defensive
   payoutOrderAssigned guard prevents premature completion in the
   pre-VRF window.

2. _completeTanda zero-active branch
   Early-return into new _fullCollapse helper when activeParticipantCount
   is zero. Sweeps the entire token balance to treasury (lender-of-last-
   resort rule). Forfeits all prior pendingWithdrawals and insurance
   balances. No Completion NFTs minted. FullCollapse event emitted.

Also fixes a related stranded-funds bug: the existing slash-pool guard
'slashedPool > 0 && activeParticipantCount > 0' silently stranded the
slash pool when natural completion happened with zero actives. Routing
all zero-active completions through _fullCollapse handles both entry
points uniformly.

Tests:
- Renamed and rewrote test_KNOWN_BUG_allFutureSlotDefaulters_triggersOOB
  to test_allFutureSlotDefaulters_autoCompletes. Asserts exact survivor
  breakdown: 475 cycle-1 payout + 20 insurance refund + 100 excess
  contribution refund + 38 slash share = 633 USDC.
- New test_fullCollapse_allDefaulters_everythingToTreasury: 5 marks,
  final mark triggers full collapse, treasury sweeps full 550 USDC
  balance, all prior credits wiped, contract drains to zero.

85 tests pass, 0 regressions. Existing test_defaulter_pastSlot_keptInOrder
unchanged — confirms the Case 4 'inactive recipient at current slot'
scenario considered during design is unreachable by construction.

CLAUDE.md: new 'Auto-completion on defaulter pruning' subsection
documenting both the partial-survival and full-collapse paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: GeObts

CLAUDE.md

@@ -99,6 +99,15 @@ Defensive: a balance assertion checks `balanceOf(this) >= totalPendingCredits +
 
 Honest participants get their own insurance back plus a pro-rata share of defaulters' forfeited insurance — a real cash reward for staying paid up. Defaulters lose only their accumulated premiums (not their past contributions, which were already cycled through).
 
+### Auto-completion on defaulter pruning
+
+`markDefaulter` auto-completes the tanda when pruning drives `payoutOrder.length < currentCycle`. Without this, future-slot pruning could shrink `payoutOrder` below the next index `triggerPayout` would read, causing an out-of-bounds panic and locking the tanda in ACTIVE forever. Two sub-paths, both inside `_completeTanda`:
+
+- **Partial survival** (`activeParticipantCount > 0`): normal completion runs — surviving actives get insurance refund, excess-contribution refund (for cycles they pre-paid that won't run), slash-pool 95/2/3 share, and Completion NFTs.
+- **Full collapse** (`activeParticipantCount == 0`): every participant defaulted. Platform is lender-of-last-resort — the entire token balance sweeps to treasury via `_fullCollapse`. All prior `pendingWithdrawals` (including past cycle-recipient credits not yet withdrawn) and insurance balances are zeroed and absorbed into the treasury credit. No Completion NFTs minted. `FullCollapse(treasury, amount)` event emitted.
+
+`_completeTanda` routes both call sites (existing natural completion via `triggerPayout`, and the new `markDefaulter` auto-complete) through the same early-return branch on `activeParticipantCount == 0`, so any future code path that produces a zero-active completion gets correct full-collapse semantics for free.
+
 ## Tanda privacy & scheduled start
 
 ### Scheduled start

src/Tanda.sol

@@ -292,6 +292,11 @@ contract Tanda is ITanda, Initializable, ReentrancyGuardUpgradeable, EIP712Upgra
         uint256 totalPool, uint256 perActiveParticipant, uint256 treasuryShare, uint256 creatorShare, uint256 dust
     );
     event TandaCompleted(uint256 completionTimestamp);
+    /// @notice Emitted when a tanda completes via full collapse — every
+    ///         participant defaulted, no honest survivors. The treasury
+    ///         absorbs the entire remaining token balance; all prior
+    ///         pendingWithdrawals and insurance balances are forfeited.
+    event FullCollapse(address indexed treasury, uint256 amount);
     event Withdrawn(address indexed claimant, uint256 amount);
 
     // ─────────────────────────────────────────────────────────────────────
@@ -609,12 +614,22 @@ contract Tanda is ITanda, Initializable, ReentrancyGuardUpgradeable, EIP712Upgra
     ///         is moved to `slashedPool`, and (if their slot in
     ///         `payoutOrder` is still pending) it is removed via O(n)
     ///         left-shift.
+    /// @dev    If pruning drives `payoutOrder.length < currentCycle`
+    ///         (no remaining cycles can pay out), the tanda
+    ///         auto-completes in the same transaction via
+    ///         `_completeTanda`. With surviving actives, normal
+    ///         completion runs; with zero actives, full collapse
+    ///         sweeps the entire token balance to treasury
+    ///         (`FullCollapse` event). Defensive: the
+    ///         `payoutOrderAssigned` guard prevents auto-completion
+    ///         in the (unreachable in practice) window before the
+    ///         VRF callback assigns the payout order.
     /// @custom:reverts WrongTandaState           if not ACTIVE.
     /// @custom:reverts NotParticipant            if `participant` isn't in the tanda.
     /// @custom:reverts AlreadyMarkedDefaulter    if already inactive.
     /// @custom:reverts NotDefaulter              if `paidUntilCycle >= currentCycle`.
     /// @custom:reverts GracePeriodNotExpired     if called before deadline + grace.
-    /// @custom:emits   ParticipantDefaulted.
+    /// @custom:emits   ParticipantDefaulted, plus TandaCompleted or FullCollapse if auto-completion fires.
     function markDefaulter(address participant) external onlyInState(TandaState.ACTIVE) {
         uint256 idxPlus1 = addressToParticipantIndex[participant];
         if (idxPlus1 == 0) revert NotParticipant();
@@ -650,6 +665,16 @@ contract Tanda is ITanda, Initializable, ReentrancyGuardUpgradeable, EIP712Upgra
         // the participant as reputation evidence; only its `isDefaulted`
         // flag flips.
         IMitandaPassNFT(passNFT).markDefaulted(participant, tandaId);
+
+        // Auto-complete: pruning may have driven `payoutOrder.length`
+        // below `currentCycle`, meaning no payouts remain. Without this,
+        // the next `triggerPayout` would access `payoutOrder[currentCycle-1]`
+        // out of bounds and the tanda would be stuck in ACTIVE forever.
+        // The `payoutOrderAssigned` clause prevents auto-completion in
+        // the (in-practice unreachable) window before VRF callback fires.
+        if (payoutOrderAssigned && payoutOrder.length < currentCycle) {
+            _completeTanda();
+        }
     }
 
     /// @dev Remove `participantIndex` from `payoutOrder` IF its slot is
@@ -741,10 +766,23 @@ contract Tanda is ITanda, Initializable, ReentrancyGuardUpgradeable, EIP712Upgra
         return true;
     }
 
+    /// @dev Two completion paths:
+    ///      1. Normal (`activeParticipantCount > 0`): refund insurance
+    ///         and excess contributions to actives, distribute slash
+    ///         pool 95/2/3, mint Completion NFTs.
+    ///      2. Full collapse (`activeParticipantCount == 0`): every
+    ///         participant defaulted. Existing pendingWithdrawals and
+    ///         insurance balances are forfeited; the entire token
+    ///         balance sweeps to treasury. No Completion NFTs minted.
     function _completeTanda() internal {
+        if (activeParticipantCount == 0) {
+            _fullCollapse();
+            return;
+        }
+
         state = TandaState.COMPLETED;
         _refundActiveParticipants();
-        if (slashedPool > 0 && activeParticipantCount > 0) {
+        if (slashedPool > 0) {
             _distributeSlashPool();
         }
         emit TandaCompleted(block.timestamp);
@@ -768,6 +806,40 @@ contract Tanda is ITanda, Initializable, ReentrancyGuardUpgradeable, EIP712Upgra
         IMitandaCompletionNFT(completionNFT).batchMint(actives, tandaId);
     }
 
+    /// @dev Full-collapse settlement: every participant defaulted.
+    ///      Platform is lender-of-last-resort — the entire token
+    ///      balance (including any pendingWithdrawals that were
+    ///      credited but never withdrawn) sweeps to treasury. All
+    ///      prior credits and insurance balances are zeroed.
+    function _fullCollapse() internal {
+        address treasuryAddr = ITandaManager(manager).treasury();
+
+        // Zero every per-address credit and insurance balance — full
+        // collapse forfeits every existing claim. The token balance
+        // is the only thing that matters; credits are rebuilt from it.
+        uint256 n = participants.length;
+        for (uint256 i = 0; i < n; i++) {
+            address p = participants[i].addr;
+            delete pendingWithdrawals[p];
+            delete insuranceBalance[p];
+        }
+        delete pendingWithdrawals[creator];
+        delete pendingWithdrawals[treasuryAddr];
+
+        // Sweep entire token balance to treasury.
+        uint256 sweepable = IERC20(token).balanceOf(address(this));
+        pendingWithdrawals[treasuryAddr] = sweepable;
+        totalPendingCredits = sweepable;
+
+        slashedPool = 0;
+        totalInsuranceReserve = 0;
+
+        state = TandaState.COMPLETED;
+
+        emit FullCollapse(treasuryAddr, sweepable);
+        // No Completion NFTs minted — by definition nobody completed honestly.
+    }
+
     /// @dev Refund each active participant's insurance balance + any
     ///      contribution paid for cycles that didn't run.
     function _refundActiveParticipants() internal {