chore(deps): bump tnt-core-bindings to v0.15.0 (Round 4) (#1407)

* chore(deps): bump tnt-core-bindings to v0.15.0 (audit Round 4)

Brings in the tnt-core Round 4 audit hardening pass:

- TWAP-fair subscription billing (Tangle.billSubscription math
  changed; signature preserved; billSubscriptionBatch callers
  are unaffected).
- IStaking gains getCumStakeSeconds for cumulative stake-seconds.
- PaymentLib.ServiceEscrow appends __reservedAggregateCursor and
  subscriptionBaselineStake fields.
- L2SlashingReceiver + Arbitrum/Base/Hyperlane/LayerZero bridge
  receivers are now UUPS upgradeable; deploys must use proxy +
  initialize. Owner reverts use OwnableUnauthorizedAccount.
- ValidatorPodManager moves to share-pool accounting;
  recordBeaconChainEthBalanceUpdate is removed in favor of
  recordBeaconChainDeposit / recordBeaconChainRebase.
- New BeaconRebase event; SharesUpdated and Withdrawal* events
  gain trailing fields.
- Dispute-bond refunds are now pull-pattern via claimDisputeBond
  / pendingDisputeBondRefund (cancelSlash no longer pushes).
- TangleToken.burn / burnFrom revert with BurnDisabled().
- TangleGovernor lowers MAX_PROPOSAL_ACTIONS (50 -> 10) and
  MAX_ACTION_VALUE (100k -> 10k ETH).
- Quote payment ingress and direct ERC20 deposits reject
  fee-on-transfer tokens.
- ArbitrumCrossChainMessenger adds setL2RefundAddress.

Pinned to tnt-core git rev d3db884 (the v0.15.0 merge commit);
TODO comment in Cargo.toml flips this back to crates.io once
tnt-core-bindings 0.15.0 is published.

No call sites in the blueprint workspace touch the removed or
signature-changed APIs (only billSubscriptionBatch is used, in
crates/tangle-extra/src/services/billing.rs, and its signature
is unchanged). `cargo check --workspace` passes; test failures
on this branch (test_application_health_checker, kademlia
discovery, active_services_gauge) reproduce on origin/main and
are unrelated.

* chore(deps): flip tnt-core-bindings 0.15.0 from git rev to crates.io

`tnt-core-bindings 0.15.0` is now on crates.io (published from upstream
tnt-core tag `bindings-v0.15.0`). Switch the workspace dep off the git
rev pin and onto the registry version. Lockfile picks up the registry
artifact (sha 0a35e8238...); zero source changes needed.

Author: drewstone

Cargo.lock

@@ -126,11 +126,11 @@ broken_intra_doc_links = "deny"
 [workspace.dependencies]
 # SDKs (overarching crates that include all other crates)
 blueprint-sdk = { version = "0.2.0-alpha.4", path = "./crates/sdk", default-features = false }
-# tnt-core v0.13.0 binds quotes to the requester address (audit Round 2 economic F1).
-# Upstream tnt-core PRs #124 and #125 land the change. Bindings 0.13.0 is not yet on
-# crates.io, so we pin to the `main` branch in git until the publish lands. Flip this
-# back to a versioned crates.io dep (`"0.13.0"`) once published.
-tnt-core-bindings = { git = "https://github.com/tangle-network/tnt-core", branch = "main" }
+# tnt-core 0.15.0 ships TWAP-fair subscription billing, UUPS-upgradeable L2
+# slashing receivers, share-pool ValidatorPodManager, the dispute-bond pull
+# pattern (cancelSlash no longer auto-refunds), and disabled TangleToken.burn.
+# https://crates.io/crates/tnt-core-bindings/0.15.0
+tnt-core-bindings = "0.15.0"
 
 # Job system
 blueprint-core = { version = "0.2.0-alpha.3", path = "crates/core", default-features = false }