
fix: bind keyed-collection keys into the SSZ state root #295

Open
matthias-wright wants to merge 2 commits into audit-may-2026 from m/keyed-collections


@matthias-wright

Collaborator

Builds on #293 (which builds on #292 and #291).

Addresses #257.

The SSZ tree committed validator_accounts and added_validators as value-only positional lists, so the BTreeMap keys were not bound by the state root. Two states differing only in a map key produced the same root, and validator-account proofs bound a value without binding the pubkey it belongs to.

Changes:

  • validator_accounts: add node_pubkey as a 9th field; per-validator subtree grows 8 → 16 leaves (depth 3 → 4). Threaded the map key through set_validator_fields and update_/insert_validator_at_slot; rebuild_validators iterates by (key, account); set_account passes the pubkey.
  • added_validators: add epoch as a 3rd per-item field; subtree grows 2 → 4 leaves (depth 1 → 2). rebuild_added_validators carries the epoch through the flatten.
  • Generalized the whole-item proof gindex from a hardcoded subtree depth to top_gindex << (sd - log_block + 1) (log_block = fields_per_item.ilog2()), so it adapts to the new depths.

A field/whole-item proof's branch now includes the key, so the proof self-binds identity. ValidatorAccount::hash_tree_root no longer equals the per-validator subtree root (the root now includes the node pubkey).
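The collision described above, as an added Rust illustration that is not part of the pull request or the project's code. It models the added_validators shape (two value fields per item, keyed by epoch); the field contents, function names, 64-bit nodes and the SipHash stand-in for SHA-256 are assumptions made so the block runs without dependencies.

```rust
use std::collections::{hash_map::DefaultHasher, BTreeMap};
use std::hash::Hasher;

// Constructed toy model: 64-bit nodes and SipHash (DefaultHasher) stand in for
// SSZ's 32-byte chunks and SHA-256, so the block needs no external crates.
type Node = u64;
type Item = (u64, u64); // two hypothetical value fields per map entry

fn hash_pair(left: Node, right: Node) -> Node {
    let mut s = DefaultHasher::new();
    s.write_u64(left);
    s.write_u64(right);
    s.finish()
}

// Merkle root over leaves, zero-padded to the next power of two.
fn merkle_root(mut level: Vec<Node>) -> Node {
    let width = level.len().max(1).next_power_of_two();
    level.resize(width, 0);
    while level.len() > 1 {
        level = level.chunks(2).map(|p| hash_pair(p[0], p[1])).collect();
    }
    level[0]
}

// Before: value-only positional list. The key only decides iteration order.
fn root_value_only(map: &BTreeMap<u64, Item>) -> Node {
    merkle_root(map.values().map(|&(a, b)| merkle_root(vec![a, b])).collect())
}

// After: the key is an extra per-item field, so the subtree widens from
// 2 to 4 leaves (3 fields padded to a power of two).
fn root_key_bound(map: &BTreeMap<u64, Item>) -> Node {
    merkle_root(map.iter().map(|(&k, &(a, b))| merkle_root(vec![a, b, k])).collect())
}

// Two constructed states that differ only in one map key (epoch 5 vs 6).
fn sample_states() -> (BTreeMap<u64, Item>, BTreeMap<u64, Item>) {
    let s1 = BTreeMap::from([(5, (10, 20)), (9, (30, 40))]);
    let s2 = BTreeMap::from([(6, (10, 20)), (9, (30, 40))]);
    (s1, s2)
}

fn main() {
    let (s1, s2) = sample_states();
    println!("value-only roots equal: {}", root_value_only(&s1) == root_value_only(&s2));
    println!("key-bound roots equal:  {}", root_key_bound(&s1) == root_key_bound(&s2));
}
```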

@evonide

evonide commented Jun 5, 2026


LGTM! This commits the validator_accounts pubkey key and the added_validators epoch key together with their values so key-only changes now alter the SSZ state root. The widened proof layout and gindex updates also look consistent with the tests.

Small non-blocking follow-up: it would be useful to expose the new key leaves through ssz_tree_key.rs and clean up stale proof-layout comments so proof consumers can request and reason about the committed key fields directly.

@matthias-wright

Collaborator Author

Update(c8e8cab):

  • Expose committed key leaves in ssz_tree_key
