fix(kona/derive): add over-fill check in BlobSource::load_blobs

[ajsutton]

Summary

BlobSource::load_blobs was missing a post-loop over-fill check. After the blob-pointer fill loop completes, if blob_index < blobs.len() the blob provider returned more blobs than were requested. Previously kona silently discarded the extra blobs. This PR adds a guard that returns ResetError::BlobsOverFill (→ PipelineErrorKind::Reset) in that case, mirroring the op-node reference.

Background

The Go op-node performs this check in fillBlobPointers in blob_data_source.go:

if blobIndex != len(blobs) {
    return fmt.Errorf("got too many blobs")
}

This error is wrapped as NewResetError at the call site, causing the pipeline to reset and retry from a clean state. Kona was missing the over-fill check; under-fill is handled separately via BlobDecodingError::InvalidLength in BlobData::fill().

When Over-fill Can Occur

• Buggy L1 providers: A beacon/blob provider that returns more blobs than requested (not spec-compliant but observed in practice with third-party providers).
• Rare L1 reorg scenarios: The set of blob transactions referenced by an L1 block can shift between the time the hashes are collected and the time the blobs are fetched, resulting in a count mismatch.

Changes

• Add ResetError::BlobsOverFill(usize, usize) variant to pipeline.rs (addresses the over-fill case; under-fill is handled separately via BlobDecodingError::InvalidLength in BlobData::fill()).
• Import ResetError in blobs.rs and add the post-loop check after the fill loop.
• Add should_return_extra_blob flag to TestBlobProvider for testing.
• Add test_load_blobs_overfill_triggers_reset regression test.

Testing

cargo test --package kona-derive sources::blobs

All 12 tests pass, including the new test_load_blobs_overfill_triggers_reset.

Fixes #19363

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.9%. Comparing base (6eb557f) to head (de05125).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #19364      +/-   ##
===========================================
+ Coverage     75.7%    75.9%    +0.1%     
===========================================
  Files          671      477     -194     
  Lines        71228    59985   -11243     
===========================================
- Hits         53974    45529    -8445     
+ Misses       17110    14456    -2654     
+ Partials       144        0     -144     

Flag	Coverage Δ
cannon-go-tests-64	?
contracts-bedrock-tests	?
unit	75.9% <100.0%> (+<0.1%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...kona/crates/protocol/derive/src/errors/pipeline.rs	100.0% <100.0%> (ø)
...t/kona/crates/protocol/derive/src/sources/blobs.rs	89.2% <100.0%> (+1.6%)	⬆️
...es/protocol/derive/src/test_utils/blob_provider.rs	62.5% <ø> (ø)

... and 199 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[ajsutton]

Remove references to matching op-node.

Reduce the number and verbosity of comments. No need to explain the same thing multiple times.

[ajsutton]

LGTM. Correct fix matching Go's fillBlobPointers over-fill check.

Two minor notes:

1. PR body inaccuracy: The description says this is "symmetric with the existing BlobsUnderFill variant," but no BlobsUnderFill variant exists. Under-fill is handled inside BlobData::fill() via BlobDecodingError::InvalidLength. The BlobsOverFill name is fine on its own, but the symmetry claim is misleading.

2. Comment line-number references: The comments reference specific Go line numbers (e.g., blob_data_source.go:162). These go stale quickly — consider referencing just the function name (fillBlobPointers) instead.

[theochap]

Looks good, two nits