docs(order-book): match README to widened u128 money math and CEI order in settle_funds

Two README updates to keep prose in sync with the code:

1. Section on integer math:
   The old line claimed only the fee division uses u128. After the
   widening commit, *every* product of two u64 money values is computed
   in u128 and narrowed back via try_into. Also mention the per-fill
   fee_quote <= gross_quote invariant.

2. Section 3.5 (settle_funds):
   Document that unsettled_* are zeroed before the transfer CPIs, not
   after, and explain why (checks-effects-interactions defence). This
   is the README counterpart to the settle_funds CEI commit.

Author: Edward (Mike's bot)

defi/order-book/anchor/README.md

@@ -476,8 +476,10 @@ resting order.
   `OrderBookFull`
 - Integer math throughout: every multiplication uses
   `checked_mul`; every addition on balances uses `checked_add`;
-  fee division uses `u128` to avoid intermediate overflow →
-  `NumericalOverflow`
+  every product of two `u64` money values is computed in `u128`
+  to avoid intermediate overflow and then narrowed back to `u64`
+  with `try_into` → `NumericalOverflow`. After each per-fill fee
+  calculation an invariant check enforces `fee_quote <= gross_quote`.
 
 **Token movements (up front):**
 
@@ -622,6 +624,13 @@ mint checks on token accounts, PDA seeds).
 Both transfers are CPIs to the Token program, signed by the
 `Market` PDA using seeds `["market", base_mint, quote_mint, bump]`.
 
+Order of operations is checks-effects-interactions: the
+`unsettled_*` counters are zeroed *before* the transfer CPIs, then
+the transfers run. Solana CPIs aren't reentrant in the EVM sense,
+but zeroing state first means no future token-program extension or
+transfer hook can observe stale unsettled balances mid-CPI and
+double-withdraw.
+
 **State changes:**
 
 - `market_user.unsettled_base = 0`