feat: ResolvedSigner — typed signer resolution with cached classification

[0xLeo-sqds]

What

New ResolvedSigner Anchor account type that replaces raw AccountInfo for all signer/creator fields in async instructions. Provides type-safe signer classification and key resolution with OnceCell caching.

Why

Every V2 instruction that stores or emits a signer key had to manually call resolve_canonical_key() — scattered across 16 instructions, each doing its own classification scan of the signers list. Session keys needed resolution to parent keys, external signers needed classification for crypto verification. The pattern was error-prone (/// CHECK boilerplate, forgotten resolution calls, double classification in validate + handler).

How it works

ResolvedSigner wraps an AccountInfo with two OnceCells:

resolve(consensus)  → classifies signer (native/session/external), caches ClassifiedSigner + resolved key
classified()        → returns cached &ClassifiedSigner for verify_classified_signer
resolved_key()      → returns cached &Pubkey for storage/events

The Accounts trait is implemented manually — no owner check, no AccountNotInitialized guard (external signers can have 0 lamports). Anchor's CPI/client module boilerplate lives in instructions/mod.rs as direct mod declarations (required for Anchor's derive macro to find them as siblings).

verify_classified_signer is extracted from verify_signer on the Consensus trait. It accepts a pre-classified &ClassifiedSigner and skips the signer list scan entirely — goes straight to crypto verification, nonce/counter updates, and permission checks.

Changes

• state/resolved_signer.rs — the type: OnceCell-backed resolve/classified/resolved_key, manual Anchor trait impls, Bumps type
• interface/consensus_trait.rs — ClassifiedSigner gets Clone + resolved_key(), verify_classified_signer extracted, resolve_canonical_key renamed to resolve_signer_key
• 16 async instructions — AccountInfo → ResolvedSigner, verify_signer → resolve + verify_classified_signer, handler resolve_signer_key → resolved_key()
• 3 sync instructions — rename only (resolve_canonical_key → resolve_signer_key)
• utils/context_validation.rs — variable renames (canonical_key → resolved_key)
• instructions/mod.rs — Anchor CPI/client boilerplate modules

What doesn't change

• smart_account_create (creator: Signer, no consensus account)
• use_spending_limit (signer: Signer, not consensus-based)
• increment_account_index V1 (signer: Signer, native only)
• transaction_buffer_close creator stays AccountInfo (Anchor's close = creator needs it)
• Sync instructions don't use ResolvedSigner (signers come from remaining_accounts)
• Wire format is identical — ResolvedSigner consumes 1 account from the slice, same as AccountInfo

Test plan

• anchor build -- --features=testing compiles clean
• Standalone test: create + close buffer via V2 with ResolvedSigner passes
• Full test suite: zero regressions (33 failures = 30 pre-existing + 3 expected increment_account_index)