[sdk]: reject srcEid=0 in HyperbridgeLzEndpoint to close unregistered-source collision

[royvardhan]

Summary

• onAccept previously gated source authenticity with expectedEid != srcEid only. For any state machine not in _stateMachineToEid, expectedEid defaults to 0; an attacker who occupies the CREATE2 slot of address(this) on that chain can dispatch with srcEid = 0 in the body and bypass the gate, delivering a forged Origin into any non-OApp receiver bound to the endpoint.
• Fix gates the equality check with an explicit expectedEid == 0 reject in onAccept, and rejects lzEid == 0 in setEidMapping to close the misconfiguration variant of the same collision. New InvalidEid() error.
• Adds three fork-free tests in HyperbridgeLzEndpointConfigTest: testRejectZeroEid, testOnAcceptRejectsSrcEidZeroFromUnregisteredSource, testOnAcceptRejectsSrcEidZeroFromDisabledSource. Each fails against the pre-fix contract (verified by temporarily reverting the guard).

Test plan

• forge test --match-contract HyperbridgeLzEndpointConfigTest — 7/7 pass
• Regression check: with the expectedEid == 0 guard removed, the two new onAccept tests fail (revert observed but not UnknownSource — exploit path slips past the gate and reaches lzReceive)
• No changes to outbound send/quote paths — existing OFT flows unaffected