feat: Add Array.scan{l,r,lM,rM}

[cmlsharp]

• Depends on: feat: add List.scanlM/scanrM #1588

This PR adds the Array equivalents of List.scan{l,r,L,R}. It was originally part of #1581.

• This PR provides both reference and efficient versions of Array.scanlM and Array.scanrM, and then defines Array.scanl and Array.scanr in terms of them. This is identical to how the standard library currently handles Array.fold*.
• Unlike the standard library, this PR attempts to make minimal use of unsafe in the implementations of the efficient versions. It defines an assumption (as Array.size_fits_usize) as well as an unsafe proof of this assumption (as Array.unsafe_size_fits_usize). These are currently public definitions. I could make them private, but they seem useful for writing other 'efficient' array functions.
• Array.scanlM is proven to be equivalent to its efficient implementation under the assumption that Array.size_fits_usize holds. The efficient version of Array.scanrM additionally uses this assumption when constructing the proofs for the bounds checks.
• I do not have a proof that the efficient version of Array.scanrM is equivalent to its efficient version under Array.size_fits_usize. It should be possible, but the structure of these two implementations differ more, so the proof is more difficult. With Array.scanlM the only difference between the implementations was the use of USize or Nat for the index, whereas the Array.scanrM reference implementation builds the array, then reverses it and the efficient implementation iterates over the array in reverse.

[cmlsharp]

The simpNF linter is not a fan of lemmas that do not specify the optional arguments (in particular start and stop). I did not manually write these because the standard library lemmas for Array.foldl/Array.foldr do not do this and I think it kind of clutters up the lemma definition. Should I make this change?

[cmlsharp]

WIP

[cmlsharp]

awaiting-review

[cmlsharp]

(as mentioned above this is failing ci currently because the simpNF seems to want me to manually specify the start and stop default arguments on the LHS of every theorem. I'm unsure if this lint should somehow be disabled, or whether it is preferable to include these default args in every theorem statement)