Add stateless PoR verification (verify_stateless + aggregate_root)

[wilfreddenton]

Note

Medium Risk
Changes the shared prove/verify preprocessing and introduces an alternate verification path with weaker off-ledger file binding; correctness relies on SNARK + valid-root checks and new equivalence tests.

Overview
Adds stateless PoR verification for hosts that store the file registry on-chain instead of an in-memory FileLedger. Public entry points are verify_stateless (valid aggregated roots only) and aggregate_root / aggregate_root_from_files so a contract can recompute the current ledger root in canonical file_id order.

Verification is refactored around a LedgerView trait (FileLedger vs StatelessLedger). Shared logic lives in verify_with; stateless mode skips per-file rc registry checks (callers enforce registration) but still checks multi-file proof.ledger_root against the valid-root set and runs the same SNARK path.

Plan::make_plan now takes AggInputs: prove uses AggInputs::Ledger (indices + root from the live tree); verify uses AggInputs::Proof (SNARK-bound ledger_root, aggregated_tree_depth, ledger_indices). Challenge-derived fields and build_z0_primary are unified so prover and verifier stay aligned.

Integration tests assert stateless verify matches ledger verify for single- and multi-file proofs and that missing roots reject multi-file proofs.

^{Reviewed by Cursor Bugbot for commit 114bf3e. Bugbot is set up for automated code reviews on this repo. Configure here.}

[codspeed-hq]

Merging this PR will not alter performance

✅ 13 untouched benchmarks
⏩ 13 skipped benchmarks¹

---

_{Comparing feat/stateless-verify (114bf3e) with main (fe9f977)}

Footnotes

1. 13 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[adamkrellenstein]

Superseded by #50, which reconciles this stateless-verification work with the constant-size proof (#44) into the kontor-crypto 0.3.0 model. The AggInputs / LedgerView / verify_stateless abstraction from this PR is carried forward there, re-pointed at the append-only ledger indices.