I propose to change derivation so that the pending safe head is only promoted to safe after all batches have been fully derived from any given L1 block (not only from a single span batch). Otherwise nodes that restart mid-way through derivation can be made to chain split by a malicious batcher, although the setup for such a scenario is not trivial. It could only happen with explicit malicious intent, and would only affect nodes that accidentally restarted mid-way through derivation from a given L1 block.
The background is that with Holocene, overlapping singular batches, even if coming from a span batch, are not checked to match the existing safe chain. Past batches are simply fast-dropped. Before Holocene, the span batch checks would fetch all overlapping L2 blocks fully and check that the batches' content (transactions, L1 origin, ...) matches the blocks' content.
I believe that even pre-Holocene, this can be exploited with singular batches in two closely following batcher transactions, because past singular batches are also fast-dropped (details following soon).
Action test showing mid-way derivation restart exploit pre-Holocene
This change fixes another issue of the current Holocene derivation. Currently, if a batch in a span batch is invalid, or the payload derived from it is invalid, the remaining channel is dropped, so derivation might never process a batch with the IsLastInSpan boolean set to true, so the pending safe head would fail to be promoted to safe, even though it can already be considered safe, as no backwards-invalidation occurs. (fixed separately in #12724)
It should also be noted that with this change, pending safe would have a slightly different meaning post-Holocene. Pre-Holocene, the pending safe was pending in the sense that it may well be reverted by a later invalid batch causing a revert of the full span batch. This is not the case any more with Holocene. Pending safe becomes more of an implementation detail to protect against inconsistent state from mid-way derivation restarts. In Holocene, a pending safe block can already be considered safe because backwards-invalidation got removed with Holocene. So for the purpose of fault proofs, a single block derivation that outputs a pending safe head can already be taken as safe.
sebastianst changed the title from "Pending safe promotion only after full origin derivation." to "Holocene-D: Pending safe promotion only after full L1 block derivation" on Oct 28, 2024