smartcontract: detect orphaned ResourceExtension accounts in resource verify

[elitegreg]

Summary

• Extend `doublezero resource verify` to detect `ResourceExtension` accounts on-chain whose PDA does not correspond to any currently-expected resource type (global singleton or per-device extension for a live device/prefix). These accumulate when devices are deleted or a device's `dz_prefixes` list shrinks.
• With `--fix`, propose closing each orphan in the existing y/N confirmation flow and close via a new `CloseResourceByPubkeyCommand`.
• Global singletons `VrfIds` and `AdminGroupBits` — not currently verified against usage — are still recognized as legitimate, not flagged as orphans.

Design notes

• The on-chain `process_closeaccount_resource_extension` only needs the resource account + owner + globalstate, so for orphans (whose `ResourceType` can no longer be derived from live state) we bypass `GetResourceCommand` and pass pubkey/owner directly. Existing `CloseResourceCommand` now delegates to `CloseResourceByPubkeyCommand`.
• Expected-PDA set is built from loaded state: 8 globals + `TunnelIds(device, 0)` and `DzPrefixBlock(device, i)` for `i in 0..device.dz_prefixes.len()` per device. Anything else in `resource_extensions` is an orphan.
• Closing requires foundation allowlist membership — failures surface with the same `FAILED: ...` shape used elsewhere in the fix flow.

Testing Verification

• 4 new unit tests in `verify.rs`:
  • Orphan detection when a device is deleted (dangling `TunnelIds`).
  • Orphan detection when `dz_prefixes` shrinks (stale `DzPrefixBlock(device, i>=len)`).
  • `VrfIds` / `AdminGroupBits` globals present but not verified — confirmed not flagged.
  • Report output contains the new "Orphaned resource extensions" section with the orphan PDA and `associated_with` pubkey.