apollo_mempool: use saturating_sub for n_stuck_txs accounting (#14560)

Replace the two unchecked `n_stuck_txs -=` subtractions in
decrement_stuck_txs_if_gap_account and remove_from_accounts_with_gap with
saturating_sub. Guards against a latent underflow that would panic under
overflow-checked builds and silently wrap the MEMPOOL_STUCK_TXS gauge in
release.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: matanl-starkware

crates/apollo_mempool/src/mempool.rs

@@ -922,15 +922,16 @@ impl Mempool {
 
     fn decrement_stuck_txs_if_gap_account(&mut self, address: ContractAddress, n: usize) {
         if self.accounts_with_gap.contains(&address) {
-            self.n_stuck_txs -= n;
+            self.n_stuck_txs = self.n_stuck_txs.saturating_sub(n);
         }
     }
 
     // Removes address from the gap-account set and deducts its remaining pool txs from
     // n_stuck_txs. No-op if the address was not tracked.
     fn remove_from_accounts_with_gap(&mut self, address: ContractAddress) {
         if self.accounts_with_gap.swap_remove(&address) {
-            self.n_stuck_txs -= self.tx_pool.n_txs_for_address(address);
+            self.n_stuck_txs =
+                self.n_stuck_txs.saturating_sub(self.tx_pool.n_txs_for_address(address));
         }
     }