smartcontract: verify access pass belongs to payer on multicast group subscribe

[snormore]

Summary of Changes

• SubscribeMulticastGroup now validates that the access pass provided belongs to the payer (accesspass.user_payer == payer); unauthorized payors receive Unauthorized (error 22)
• Foundation allowlist members are exempt and may use any access pass on behalf of a user
• globalstate is now a required account in the non-onchain-allocation path when 6+ accounts are provided; the 5-account layout is preserved as a backward-compatible fallback (payer must equal access pass owner in that case)
• SDK and CLI updated to always pass globalstate in SubscribeMulticastGroup calls

Diff Breakdown

Category	Files	Lines (+/-)	Net
Core logic	2	+44 / -13	+31
Tests	4	+158 / -2	+156
Docs/config	2	+2 / -1	+1

Heavily test-weighted change: the core logic addition is modest; the bulk is new and updated integration tests covering the new auth check.

Key files (click to expand)

• smartcontract/programs/doublezero-serviceability/src/processors/multicastgroup/subscribe.rs — added payer-vs-access-pass ownership check; refactored account layout to accept globalstate in the non-onchain path; moved globalstate PDA validation earlier
• smartcontract/programs/doublezero-serviceability/tests/multicastgroup_subscribe_test.rs — added test_subscribe_unauthorized_payer_rejected, test_subscribe_unauthorized_payer_rejected_without_globalstate; updated foundation admin tests to add callers to the allowlist before subscribing; added globalstate to all subscribe instruction account lists
• smartcontract/programs/doublezero-serviceability/tests/user_onchain_allocation_test.rs — added globalstate account to all SubscribeMulticastGroup calls throughout onchain allocation tests
• smartcontract/sdk/rs/src/commands/multicastgroup/subscribe.rs — moved globalstate before the optional onchain-allocation accounts; updated unit test expectations
• smartcontract/programs/doublezero-serviceability/tests/create_subscribe_user_test.rs — added globalstate to subscribe calls in publisher lifecycle tests
• smartcontract/sdk/rs/src/commands/user/delete.rs — updated mock expectations to include globalstate in subscribe account lists

Testing Verification

• test_subscribe_unauthorized_payer_rejected: a non-foundation payer using someone else's access pass receives Unauthorized (Custom(22))
• test_subscribe_unauthorized_payer_rejected_without_globalstate: same rejection occurs in the 5-account backward-compat layout when payer ≠ access pass owner
• test_subscribe_foundation_admin_payer_differs_from_user_owner and test_unsubscribe_foundation_admin_payer_differs_from_user_owner: foundation admins added to the allowlist can subscribe/unsubscribe on behalf of users
• All existing multicastgroup_subscribe_test, user_onchain_allocation_test, and create_subscribe_user_test integration tests pass