fix: cap slot range in xmss_key_gen to prevent unbounded memory allocation

[jiayaoqijia]

Fixes #133.

xmss_key_gen previously accepted any (slot_start, slot_end) range up to 2^32 slots, which could allocate tens of GiB for the Merkle tree (each leaf requires a WOTS key generation + hash). A malicious or accidental call with a large range would cause OOM.

This adds a MAX_SLOT_RANGE cap of 1 << 20 (~1M slots, ~32 MiB tree), returning a new XmssKeyGenError::RangeTooLarge error for ranges exceeding this limit. This cap is generous for practical use — with 12-second slots, 1M slots covers ~139 days of validator operation.

Changes:

• Added RangeTooLarge variant to XmssKeyGenError
• Added range check after existing slot_start > slot_end validation
• Added tests for the new error case

[TomWambsgans]

Hi, it's important to allow anyone to use a lifetime arbitrarily big (up to 2^32). Having to switch keys, even once a year, is extremely anoying in practice. With a better implem, we could do it on a constrained memory. But that's not within the current priorities.