refactor: update delegatecall usage for safety and clarify function documentation

Author: gfournierPro

contracts/facets/IexecEscrowTokenFacet.sol

@@ -148,8 +148,10 @@ contract IexecEscrowTokenFacet is IexecEscrowToken, IexecTokenSpender, FacetBase
         if (requestorder.requester != sender) revert("caller-must-be-requester");
 
         // Call matchOrders on the IexecPoco1 facet through the diamond
-        // Using delegatecall pattern via address(this)
-        (bool success, bytes memory result) = address(this).call(
+        // Using delegatecall for safety: preserves msg.sender context
+        // Note: matchOrders doesn't use msg.sender, but delegatecall is safer
+        // in case the implementation changes in the future
+        (bool success, bytes memory result) = address(this).delegatecall(
             abi.encodeWithSelector(
                 IexecPoco1.matchOrders.selector,
                 apporder,

contracts/facets/IexecPoco1Facet.sol

@@ -140,6 +140,11 @@ contract IexecPoco1Facet is
     /**
      * Match orders. The requester gets debited.
      *
+     * @notice This function does not use `msg.sender` to determine who pays for the deal.
+     * The sponsor is always set to `_requestorder.requester`, regardless of who calls this function.
+     * This design allows the function to be safely called via delegatecall from other facets
+     * (e.g., IexecEscrowTokenFacet.receiveApproval) without security concerns.
+     *
      * @param _apporder The app order.
      * @param _datasetorder The dataset order.
      * @param _workerpoolorder The workerpool order.