
fix: block-based whitelist entry expiry#394

Open
matthias-wright wants to merge 6 commits into
veridise-audit-april-2026from
m/sentinel-system-time

Conversation

@matthias-wright
Contributor

@matthias-wright matthias-wright commented May 21, 2026

Builds on #393.

Replace the wall-clock expiresAt field on the sentinel whitelistKey ABI with keyExpiresAtBlock.
The whitelist entry's validity is now specified in canonical block height instead of SystemTime::now(), which is host-OS-controlled and therefore untrusted in TEEs.

Changes:

  • ABI rename expiresAt → keyExpiresAtBlock (u64 block number).
  • Whitelist::add(addr, key_expires_at_block), is_authorized(addr, current_block), evict_expired(current_block) are now strict-less block comparisons.
  • New CurrentBlockFn = Arc<dyn Fn() -> u64 + Send + Sync> injected into SignatureAuthConfig; the node builder wires it from the provider's best_block_number. The middleware reads it per request and threads current_block into the whitelist checks.
  • Removed SystemTime/UNIX_EPOCH from signature_auth_layer.rs and transaction.rs; the sentinel handler now compares key_expires_at_block against the same head used for the envelope expiry check.

This is the updated shim contract that represents the ABI for whitelist and revoke actions:

```solidity
pragma solidity ^0.8.0;

contract RpcShim {
    function whitelistKey(
        address target,
        uint64 expiresAt,
        bytes32 recentBlockHash,
        uint64 expiresAtBlock,
        bytes32 validatorId,
        uint64 nonce
    ) external {}

    function revokeKey(
        address target,
        bytes32 recentBlockHash,
        uint64 expiresAtBlock,
        bytes32 validatorId,
        uint64 nonce
    ) external {}
}
```
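The block-height expiry model described in this PR, written out as an added illustration (this is not the PR's code or the project's own types). It assumes a 20-byte `Address` alias, a `Whitelist` keyed by address, a `SignatureAuthConfig` that carries only the injected head-reader, and a `sentinel_key_check` helper whose envelope-expiry rule is modelled as the same strict-less comparison; the `CurrentBlockFn` alias mirrors the type named in the description, and the simulated chain head is an `AtomicU64` so that advancing it stands in for new canonical blocks.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Arc;

/// Head reader injected into the auth config, modelled on the PR's CurrentBlockFn.
/// In the node it would be wired from the provider's best block number; here it is
/// whatever closure the caller supplies (e.g. a test counter).
pub type CurrentBlockFn = Arc<dyn Fn() -> u64 + Send + Sync>;

/// Constructed 20-byte address type standing in for the project's own.
pub type Address = [u8; 20];

/// Ops whitelist: address -> key_expires_at_block (canonical height, not wall clock).
#[derive(Default)]
pub struct Whitelist {
    entries: HashMap<Address, u64>,
}

impl Whitelist {
    /// Register (or refresh) a key; expiry is a block number chosen by the signer.
    pub fn add(&mut self, addr: Address, key_expires_at_block: u64) {
        self.entries.insert(addr, key_expires_at_block);
    }

    /// Strict-less comparison: valid only while current_block < key_expires_at_block,
    /// so the expiry block itself is already outside the validity window.
    pub fn is_authorized(&self, addr: &Address, current_block: u64) -> bool {
        self.entries
            .get(addr)
            .map_or(false, |&exp| current_block < exp)
    }

    /// Drop every entry whose window has closed at `current_block`; returns the count removed.
    pub fn evict_expired(&mut self, current_block: u64) -> usize {
        let before = self.entries.len();
        self.entries.retain(|_, &mut exp| current_block < exp);
        before - self.entries.len()
    }

    pub fn len(&self) -> usize {
        self.entries.len()
    }
}

/// Assumed minimal config: only the piece this example needs.
pub struct SignatureAuthConfig {
    pub current_block: CurrentBlockFn,
}

/// Per-request middleware check: read the head once and thread that single value
/// into the whitelist lookup, so the decision never depends on the host clock.
pub fn authorize_request(cfg: &SignatureAuthConfig, wl: &Whitelist, signer: &Address) -> bool {
    let head = (cfg.current_block)();
    wl.is_authorized(signer, head)
}

/// Sentinel-side check: the key expiry is compared against the same head that the
/// envelope expiry uses (assumed strict-less for both), so the two checks cannot
/// disagree about "now".
pub fn sentinel_key_check(
    head: u64,
    envelope_expires_at_block: u64,
    key_expires_at_block: u64,
) -> Result<(), &'static str> {
    if head >= envelope_expires_at_block {
        return Err("envelope expired");
    }
    if head >= key_expires_at_block {
        return Err("key expired");
    }
    Ok(())
}

fn main() {
    // Simulated canonical head; bumping it is the only way an entry can expire.
    let head = Arc::new(AtomicU64::new(100));
    let reader = head.clone();
    let cfg = SignatureAuthConfig {
        current_block: Arc::new(move || reader.load(Ordering::SeqCst)),
    };

    let mut wl = Whitelist::default();
    let ops_key: Address = [0x11; 20]; // constructed sample address
    wl.add(ops_key, 110);

    println!("head=100 authorized: {}", authorize_request(&cfg, &wl, &ops_key));
    head.store(110, Ordering::SeqCst);
    println!("head=110 authorized: {}", authorize_request(&cfg, &wl, &ops_key));
    println!("evicted: {}", wl.evict_expired(head.load(Ordering::SeqCst)));
    println!("{:?}", sentinel_key_check(105, 120, 110));
}
```

Because the head is read once per request and passed down, a whitelist entry, the envelope and the sentinel handler all judge expiry against the same block; an attacker who controls the host's wall clock inside the TEE gains nothing, since no `SystemTime` value participates in the decision.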

@matthias-wright matthias-wright requested a review from cdrappi as a code owner May 21, 2026 09:53
@github-actions
Contributor

github-actions Bot commented May 21, 2026

Changes ops whitelist from time-based to block-based expiry with enhanced sentinel transaction validation.

Phase 2

  • crates/seismic/rpc/src/eth/transaction.rs:1862-1908 — The send_raw_transaction_sync method inlines the upstream default implementation with a comment to "keep in sync with upstream." This creates maintenance debt if the upstream receipt-waiting strategy changes, but there's no obvious alternative given Rust's trait method override limitations.

LGTM. The transition from Unix timestamps to block numbers eliminates TEE host clock manipulation risks, and the comprehensive sentinel transaction validation (validator ID binding, canonical chain checks, nonce-based replay protection) significantly strengthens the ops whitelist security model. The extensive test coverage demonstrates the edge cases are well-considered.
