upgraded migrations, admin dry-runs, and strategy watermarks

[DokaIzk]

Pull Request

📋 Description

Adds upgrade storage migration/version hooks, admin key rotation handover events, per-strategy performance watermarks for fee integrity, and backend dry-run previews for high-impact admin maintenance actions.

🔗 Type of Change

• 🐛 Bug fix
• ✨ New feature
• ⚠️ Breaking change
• 📚 Documentation update
• 🔒 Security improvement

---

🔒 SECURITY REVIEW

• Access Control: migration, upgrade, and admin rotation paths require admin/pending-admin authorization
• Input Validation: migration targets and fee/risk bounds are validated
• State Integrity: storage versioning and strategy watermarks are tracked on-chain
• Admin Safety: backend high-impact endpoints now support dry-run previews before mutation

---

📝 Testing

• Added/updated contract tests for migration guards, admin handover, cancellation, and strategy watermarks
• Added backend dry-run test coverage
• cargo build -p vault passes
• WASM release build passes
• Full CI has existing unrelated blockers in backend parsing, contract stale tests, schema drift, and frontend audit findings

---

🚀 Deployment Notes

No manual migration step is required beyond invoking the new storage migration hook during upgrade flows. Backend dry-run responses are additive and non-breaking.

---

✅ Summary

Implemented safer upgrade/admin operations, strategy fee watermark tracking, and admin dry-run previews while keeping the changes scoped to runtime behavior and focused tests.

Closes #559
Closes #635
Closes #640
Closes #641

[drips-wave]

@DokaIzk Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits