feat: allow zero teeImageHash in dev multiproof mode

[robriks]

Summary

• Set teeImageHash to zero in local-tee.json, matching nitro-enclave local mode's B256::ZERO default (no real PCR0 measurement in dev)
• Move the teeImageHash != bytes32(0) require in _assertValidMultiproofInput into the production-only branch, so dev multiproof deployments can use a zero image hash

Context

This is PR 1 in a 5-PR sequence (PRIV-1982) to stand up a fully functional L3 appchain devnet running in dev multiproof mode.

The end goal is just devnet up-l3 bringing up the full multiproof stack automatically — L1 anvil, L3 sequencer/batcher, nitro-local TEE prover, proposer (creating + auto-resolving games), and challenger (bond lifecycle) — with deposits and withdrawals working end-to-end.

Why this PR is needed

The on-chain AggregateVerifier recomputes the TEE journal using CONFIG_HASH and TEE_IMAGE_HASH (both set at deploy time from deploy config values). The enclave computes the same values and signs them into the journal. These must match exactly, or every proof verification fails.

teeImageHash: In local mode (no real AWS Nitro enclave), tee_image_hash = B256::ZERO. The full verification chain works with zero: enclave signs journal with zero → AggregateVerifier recomputes with zero → DevTEEProverRegistry.addDevSigner(signer, 0) registers with zero → TEEVerifier checks signerImageHash[signer] == imageId → 0 == 0 ✓. The only blocker was _assertValidMultiproofInput requiring non-zero teeImageHash unconditionally — this PR moves that check into the production branch.

multiproofConfigHash: Left as a non-zero placeholder (0x00...01) in local-tee.json. The config hash is chain-specific — it's keccak256(PerChainConfig::marshal_binary()) which includes chain ID, genesis hashes, and contract addresses. Since local-tee.json deploys to an ephemeral Anvil chain (L2 chain 901), no pre-computed hash is correct. The real devnet's config hash (for chain 84538453) will be set in the base repo deploy config template (PR3), either hardcoded or computed dynamically once joe/fetch-rollup-config merges.

What this unblocks

With the zero teeImageHash allowed in dev mode, the subsequent PRs can wire everything together:

• PR 2 (base): Proposer --direct-prover-rpc flag to talk directly to nitro-local, plus auto-resolve after game creation
• PR 3 (base): Devnet deploy config template parameterization and CONTRACTS_COMMIT bump
• PR 4 (base): Docker Compose services for nitro-local, base-proposer, base-challenger
• PR 5 (base): Challenger TEE-only mode (skip ZK dispute paths)

Test plan

• forge build compiles successfully
• All 8 SystemDeploy_Test tests pass, including test_deploy_devMultiproof_succeeds and test_deploy_devMultiproof_onProductionChain_reverts
• No changes to SystemDeploy.t.sol — tests use independent constants (teeImageHash = bytes32(uint256(1))) and are unaffected

[linear]

PRIV-1982