margin: add place_reduce_only_market_order_and_repay_loan

[tonylee08]

Addresses the DeepBook Margin v5 UX issues raised by Deeptrade. Issues #1–#6 and #8/#9/#10 are all covered.

Summary

Exit / close path (#1, #4, #5, #6)

• Adds pool_proxy::place_reduce_only_market_order_and_repay_loan: an atomic close that places a reduce-only market order, repays the loan with the proceeds, then enforces the monotonic invariant on the net (post-repay) state. A swap alone only lowers the oracle-valued ratio, so repaying first is what lets a danger-zone manager wind down.
• The reduce-only quantity check is a direction guard, not a size cap: a bid requires base (short-side) debt, an ask requires quote (long-side) debt and sells up to gross base held. There is no debt-relative size cap — the earlier net-debt / round-up bid cap (reduce_only_bid_cap) was removed: over-covering a short converts quote into base, which for a base-denominated debt is price-invariant, so it can't raise ratio-exposure; and the cap was bypassable anyway (stacking orders in one PTB). The direction guard blocks the only exposure-increasing misuse (a long bidding to grow its long).

Opening floor (#2)

• New per-pool min_open_risk_ratio, strictly between liquidation and min_borrow; the post-trade check on opening orders (place_limit_order_v2 / place_market_order_v2) uses it so a max-leverage open can absorb its own spread. Derived-default (midpoint) + optional admin dynamic-field override that self-heals if a risk-param change strands it. Borrow gate stays at min_borrow.

Closing API

• Adds pool_proxy::place_market_order_and_repay_loan — the everyday close/deleverage tool. Places a market order, repays the debt side, then gates on the net-state monotonic check (post-repay risk_ratio >= the pre-trade ratio; a full repay clears the debt → risk_ratio MAX → skipped). The monotonic gate — rather than the min_open floor — lets a danger-band position improve partially without having to reach min_open (e.g. lift 1.12 → 1.15). Safe because a market (taker) fill settles immediately, so the check reflects the true final state: any exposure-increasing trade aborts, any deleveraging trade is allowed at any size, so no quantity cap is needed. Requires margin trading enabled; reduce-only entries remain for the disabled mode.
• Adds pool_proxy::place_reduce_only_limit_order_and_repay_loan — the limit sibling of the reduce-only market-and-repay: it repays the debt with the settled taker fills before the net-state monotonic check, so a crossing reduce-only limit (whose taker portion pays the spread) deleverages instead of aborting place_reduce_only_limit_order_v2's swap-only monotonic check. The resting remainder just locks balance (ratio unchanged). For price-bounded reduces in the danger band.
• The monotonic gate's abort code is ERiskRatioMustNotWorsen (renamed from EReduceOnlyMustImproveRiskRatio, value 7 unchanged) since it is now shared by the reduce-only entries and the non-reduce-only market and-repay.

TP/SL execution (#8, #9, #10)

• Adds margin_manager::execute_conditional_orders_v3: takes the margin pools as &mut and, after each market-type conditional fill, repays the loan with the proceeds, then gates on net (post-repay) risk_ratio >= pre-fill ratio. This lets a stop-loss fire in the liquidation..min_borrow danger band (the v2 borrow-floor gate rejects a swap-only fill there) and the order executes and is removed instead of looping the bot. v2 is unchanged.
• The repay owner check moves from the internal repay into the public repay_base/repay_quote wrappers so the permissionless executor can deleverage (safe: repay only moves the manager's own funds against its own debt). Shared collect/place/finalize helpers back both v2 and v3.
• Self-match-aware price bounds. The conditional market-order price-bound pre-check simulates the fill against the whole book (get_quote_quantity_out), but execution uses the order's self_matching_option; with cancel_maker, execution cancels the manager's own resting maker orders and can then fill deeper into worse liquidity — so a fill could settle outside the oracle bounds the pre-check approved. Added a post-execution check (in the shared place_triggered_orders): after a triggered market order fills, the actual executed price (cumulative_quote / executed) is re-verified against the same oracle bounds, aborting EFillOutsidePriceBounds otherwise. Limit fills are already bounded by their own limit price.
• Pool Updates #9 (TTL) is doc-only: a market conditional order has no expiry, so it is the "until cancelled" stop; only a limit conditional's placed order is clamped to max_order_ttl_ms. Documented on add_conditional_order.

Key decisions

• Upgrade-compatible. No existing public signature or stored struct (RiskRatios) changed: min_open is a derived default + dynamic-field override, and the deleveraging executor is a new _v3 rather than a &mut change to v2. New functions / dynamic fields are the additive levers.
• Reduce-only is a direction guard, not a size cap. Over-covering a short is price-invariant and the cap was bypassable, so the direction guard (a short can only bid, a long can only ask) is the load-bearing protection — it also bounds any self-trade leak to a single ~5%-band conversion, so a manager can't be ratcheted below risk_ratio 1.0 without real price movement (proven by an adversarial test suite).
• Monotonic vs min_open. Opening orders gate on min_open (a floor); close/deleverage orders gate on monotonic (improve-or-hold). Monotonic is airtight for a market order (immediate fill == final state); for a limit, the resting remainder is protected by the direction guard + the price band, not the monotonic check.
• Conditional deleverage is permissionless but safe: repay can't extract value, and the price-bound check is now enforced on the actual fill, so a self-matching market order can't settle outside the oracle bounds.

Test plan

• sui move test --gas-limit 100000000000 in packages/deepbook_margin — 362 passed
• sui move test --gas-limit 100000000000 in packages/margin_liquidation — 16 passed
• bunx prettier-move on all modified .move files
• Close/exit + bid-cap relaxation: reduce_only_and_repay_bid_over_net_debt_fully_closes (over-cover fully closes), *_bid_requires_base_debt / *_ask_requires_quote_debt (direction guard, both sides), gross-ask boundary, swap-only-fails-vs-and-repay, danger-zone close
• Open floor: borrow-at-floor adverse fill succeeds; strict-override aborts; setter band + default-midpoint
• Closing API: place_market_order_and_repay_loan_fully_closes_long, ..._overbuys_short_past_debt, ..._partial_close_below_min_open_ok, ..._worsening_aborts, ..._aborts_when_pool_disabled, reduce_only_limit_and_repay_partial_taker_fill_repays
• Adversarial (no manager → risk_ratio < 1.0 without price movement): resting_fill_from_danger_band_cannot_go_underwater, reduce_only_limit_resting_fill_at_band_edge_bounded_and_solvent, market_and_repay_empty_book_aborts, resting_order_by_itself_is_ratio_neutral
• Owner gate: test_repay_base_fails_non_owner (non-owner repay rejected)
• TP/SL v3: execute_conditional_orders_v3_stop_loss_deleverages_in_danger_band + paired execute_conditional_orders_v2_stop_loss_aborts_in_danger_band
• TP/SL price bounds: tpsl_cancel_maker_self_match_cannot_bypass_price_bounds (a cancel_maker market sell can't settle outside the oracle bounds even when the manager's own bid distorts the pre-check)