Harden miner fulfillment safety and recovery logging

[bitloi]

Closes #19

Summary

• Add timeout margin gate (FULFILLMENT_TIMEOUT_MARGIN_BLOCKS = 3) to prevent new sends when too few blocks remain before swap timeout. Cached sends bypass the margin to allow mark_fulfilled retries.
• Classify terminal mark_fulfilled contract errors (SwapNotFound, InvalidStatus, NotAssignedMiner, MinerNotActive) to stop futile retries.
• Write append-only JSONL recovery log for stuck-funds scenarios (terminal failures and timed-out swaps with sent funds).

Design

The timeout margin gates new fund sends only. Once funds are already sent (cached), all downstream retry paths remain open regardless of proximity to timeout so the miner can still finalize on-chain.

Test plan

• Timeout margin blocks new sends within 3 blocks of deadline
• Cached sends bypass margin and retry mark_fulfilled
• Terminal contract errors halt retries and write recovery entry
• Transient errors (RPC_FAILURE, INSUFFICIENT_BALANCE) allow continued retry
• Stale cache cleanup detects timed-out swaps and logs recovery entry
• Completed swaps cleaned up without false-positive recovery alerts
• Focused simulation tests pass for all edge cases