feat: SprintFund Core V2 - Security fixes and governance improvements

[Mosas2000]

Summary

Major contract upgrade addressing 12 security vulnerabilities and governance improvements.

Security Fixes

• Contract: No access control on execute-proposal allows anyone to trigger execution #11: Restrict execute-proposal to proposer only
• Contract: Users can vote multiple times on the same proposal by overwriting previous vote #12: Prevent double voting (track votes per user per proposal)
• Contract: Quadratic voting cost is checked but never deducted from stake #13: Deduct quadratic vote cost from stake balance
• Contract: No minimum quorum requirement for proposal execution #15: Add minimum quorum requirement (10% participation)
• Contract: withdraw-stake has no lockup period or active-proposal check #18: Add stake lockup period after voting (~1 day)

Governance Improvements

• Contract: No proposal deadline or expiration mechanism #14: Add proposal deadline/expiration (~3 days voting)
• Contract: No upper bound validation on proposal funding amount #16: Add max proposal amount validation (1000 STX cap)
• Contract: execute-proposal sends funds from contract balance without ensuring contract has sufficient funds #17: Add treasury management with balance tracking
• Contract: No event emission for off-chain indexing #20: Add event emissions for off-chain indexing
• Contract: No admin functions for DAO parameter updates #21: Add admin functions (min stake, ownership transfer)
• Contract: No mechanism to cancel or update a proposal #25: Add proposal cancellation by proposer
• Feature: Add multi-signature or time-lock on high-value proposals #86: Add timelock for high-value 100 STX)proposals (

Testing

• 40 unit tests covering all new features and security measures
• All tests passing

Documentation

• Migration guide for users, proposers, and integrators

Resolves #11, #12, #13, #14, #15, #16, #17, #18, #20, #21, #25, #86