Enforce CPI Guard for WithdrawExcessLamports on token accounts

[bit2swaz]

Closes #1033

Summary

Add the missing CPI Guard check for token-account WithdrawExcessLamports so CPI execution is blocked consistently with the existing token-account CPI Guard behavior.

What changed

• Added a CPI Guard check in the token-account branch of process_withdraw_excess_lamports
• Returned TokenError::CpiGuardTransferBlocked when WithdrawExcessLamports is invoked via CPI on a CPI-guarded token account
• Added a rust-legacy CPI Guard regression test covering wrapped WithdrawExcessLamports via CPI on a CPI-guarded token account

Why

• Token-account WithdrawExcessLamports was missing the standard CPI Guard check
• The analogous owner-authorized SOL-extraction path UnwrapLamports already blocks CPI with TokenError::CpiGuardTransferBlocked
• This change aligns WithdrawExcessLamports with the existing token-account CPI Guard behavior without changing broader CPI Guard semantics

Scope

• Only the token-account branch of process_withdraw_excess_lamports changed
• Mint behavior remains unchanged
• Multisig behavior remains unchanged

Tests

• Added test_cpi_guard_withdraw_excess_lamports
• Ran test_cpi_guard_withdraw_excess_lamports
• Ran test_cpi_guard_unwrap_lamports
• Ran nearby withdraw-excess success coverage in the program crate:
  • test_withdraw_excess_lamports_from_account
  • test_withdraw_excess_lamports_from_mint
  • test_withdraw_excess_lamports_from_mint_with_no_mint_authority
  • test_withdraw_excess_lamports_from_multisig

[bit2swaz]

this PR accidentally included commits from my previous branch. ive opened a clean replacement PR at #1196. closing this one in favor of the clean branch