Cardano Updates

Following the merge of CIP-159 PR #1197 (DirectDeposits keyed by
RewardAddress; applyDirectDeposits and applyWithdrawals refactored
through a shared applyToRewards fold) and the agda-sets cleanup
PR #1196 (Conway Equivalence.Map utilities moved into Ledger.Prelude),
this commit updates the Dijkstra CERTS preservation-of-value proofs
to compile against the new APIs.

Main changes:

+  Rename `ApplyWithdrawals-PoV` sub-module to `ApplyToRewards-PoV`,
   since it now houses lemmas for both withdrawals and direct deposits.

+  Add `getCoin-∪ˡ-overwrite` bridge lemma: `getCoin (❴ c , v ❵ ∪ˡ acc)
   ≡ v + getCoin (acc ∣ ❴ c ❵ ᶜ)`.  Encapsulates the
   listing-vs-replacement reconciliation between the new `❴ k , v ❵ ∪ˡ
   acc` form (used by `applyToRewards`) and the equivalent
   complement-restricted form used by the existing decomposition
   reasoning.

+  Factor `split-by-lookup` as a top-level lemma decomposing
   `getCoin acc` along a known lookup result.  Used by both
   `applyOne-pov` (subtraction) and the new `applyOne-pov-add`
   (addition).

+  Add the additive parallel: `applyOne-pov-add`,
   `foldl-applyOne-pov-add`, and `applyDirectDeposits-pov`.  Mirrors
   the existing withdrawal chain, sharing `getCoin-∪ˡ-overwrite` and
   `split-by-lookup`.

+  Strengthen the `setToList-Unique` module parameter with a
   `NetworkId` premise on the map's domain (the assumption no longer
   conflates withdrawals-specifically with general
   `RewardAddress ⇀ Coin` maps).

+  Replace the `∪ˡ-res-lookup-preserve` module parameter (which
   carried a no-longer-needed complement restriction on the right
   operand) with `∪ˡ-lookup-preserve`, stated against the new
   `❴ c , v ❵ ∪ˡ m` form.

+  Add a small top-level helper `∈-dom⇒¬lookup-nothing` to discharge
   the defensive `nothing` case of `foldl-applyOne-pov-add`.

+  Update `POST-CERT-pov` to use the new
   `applyDirectDeposits-pov`; the proof is `sym
   (applyDirectDeposits-pov ...)`.  The CERT-post step's own
   `mapˢ stake (dom dd) ⊆ dom rewards` premise is extracted from the
   pattern rather than threaded as a separate parameter, since the
   pre-CERT* state's `dom rewards` is not preserved across `CERT`
   trace steps (in particular by `DELEG-dereg`).

+  Update `sts-pov` and `CERTS-pov` signatures accordingly: add the
   `DirectDeposits`-`NetworkId` premise, drop the
   membership-of-deposits premise.

The proofs now typecheck on top of master.

After direct-deposit application moved from LEDGER-V/SUBLEDGER-V into the
POST-CERT rule, the Certs preservation-of-value proofs needed to account for
the `getCoin (DirectDepositsOf Γ)` increase that POST-CERT now produces via
`rewards ∪⁺ directDeposits`.

Statement changes:
- POST-CERT-pov:  getCoin s ≡ getCoin s'
              →  getCoin s + getCoin (DirectDepositsOf Γ) ≡ getCoin s'
- sts-pov:        gains a `+ getCoin (DirectDepositsOf Γ)` term on the LHS
- CERTS-pov:      becomes the symmetric "consumed = produced" form
                  getCoin s₁ + getCoin (DirectDepositsOf Γ)
                  ≡ getCoin sₙ + getCoin (WithdrawalsOf Γ)

Structural changes:
- POST-CERT-pov and sts-pov move into the parameterized `Certs-Pov-lemmas`
  sub-module (alongside PRE-CERT-pov), since they now require a fourth
  module parameter:
    indexedSumᵛ'-∪⁺ : ∀ (m m' : Rewards) → getCoin (m ∪⁺ m') ≡ getCoin m + getCoin m'
  This is the natural ∪⁺ analogue of the existing `indexedSumᵛ'-∪` lemma for
  `∪ˡ` on disjoint domains, but unconditional because `∪⁺` adds (rather than
  drops) values at shared keys.  TODO: upstream to agda-sets.
- `Certs-PoV` (in PoV.lagda.md) gains the same parameter and forwards it.

CERT-pov and PRE-CERT-pov are unchanged: the CERT and PRE-CERT rules did
not change in this refactor.

Closes part of #1185.

Now that the file lives at
`src-lib-exts/abstract-set-theory/Axiom/Set/Map/Extra.lagda.md`:

+ Update the top-level module declaration to
  `module abstract-set-theory.Axiom.Set.Map.Extra (th : Theory) where`,
  matching the rest of the abstract-set-theory subtree.
+ Replace `open import Ledger.Prelude` with explicit imports from
  `abstract-set-theory.Prelude` and stdlib modules. `src-lib-exts/`
  cannot depend on `Ledger.Prelude` (upward dependency).
+ Inline the five-line `_≢ᵐ_` definition that previously lived in
  the standalone `Extra.agda`, and delete `Extra.agda`.
+ Convert the file to literate-markdown formatting with brief
  section prose; the module body is otherwise unchanged.
+ Update the single downstream caller
  (`Ledger.Conway.Conformance.Equivalence.Deposits`) to import from
  the new location.

Closes #1194

Co-authored-by: Copilot Autofix powered by AI <[email protected]>

Not strictly necessary, but it highlights a couple of important aspects;
e.g., how it relies on the left-bias of `∪ˡ` (which is why we don't need
the complement restriction... nice!)