feat: v4 audit-hardening — _mint NFTs, nonReentrant markDefaulter, default coverage

The v4 audit-hardened source. The live Arbitrum Sepolia deploy was built from
this code, so the repo matches on-chain there. Base Sepolia has NOT been
redeployed to v4 yet (still v2, Manager 0x606f71bd) — a v4 Base redeploy is a
separate, pending step.

- NFTs mint via _mint instead of _safeMint (Pass/Completion/Receipt): removes
  the onERC721Received callback from join/payout/completion so a non-receiver
  participant can't lock payouts.
- markDefaulter gains nonReentrant; CEI + pull-payment preserved throughout.
- Tests proving the tanda always reaches COMPLETED and funds are never trapped:
  majority-default, all-participants-default / full-collapse, and honest-refund
  settlement (new FullLifecycleIntegration.t.sol + EdgeCasesAndFuzz).
- Deploy: fs_permissions for deployments/ JSON writes.
- Broadcast logs: the v4 deploy is Arbitrum Sepolia 421614 (run-latest,
  Manager 0x6887437c). Earlier 421614 runs (v2 0x02532dbe, v3 0xc14ddbe2) and
  all Base Sepolia 84532 runs (latest is v2, 0x606f71bd) are kept as historical
  deploy records of prior versions, not v4 deploys.
- Tanda.flat.sol (audit flatten) + receipt/pass NFT metadata.

forge fmt + build + test all green (91 passed, 0 failed, 0 skipped).
src/legacy/ left frozen (reference-only, untouched).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: GeObts

.gitignore

@@ -18,3 +18,7 @@ docs/
 .env
 .env.*
 !.env.example
+
+# IPFS upload staging folders — content is published to Pinata, not git
+ipfs-pass/
+ipfs-bitso/

Tanda.flat.sol

@@ -0,0 +1,7 @@
+{
+    "name": "Mi Tanda — Recibo Semana 1",
+    "description": "Semana 1 · Patrocinado por Bitso. Recibo on-chain de tu participación en Mi Tanda.",
+    "image": "ipfs://bafybeib5nb7q4jci5trcpnd5y4uryrnxckofc4vgquwaasia7ontnbz7we",
+    "external_url": "https://bitso.com"
+  }
+