feat: Replace C FFI with rust-bindgen

[samuelburnham]

Replaces the C FFI with automatically generated Rust bindings to lean.h using https://github.com/rust-lang/rust-bindgen, which bypasses the C indirection and allows Rust to call the internal Lean FFI functions directly without having to manually emulate the C datatype layout in Rust.

The bindings are contained in a new lean-ffi crate, which also defines Rust wrapper types around the low-level *const c_void type exposed by Bindgen. These help to clarify type intent and encapsulation on the Rust side. Updated documentation can be found at docs/ffi.md.

The bindgen approach was inspired by @lenianiva's reverse FFI example.

Note

The rust-lint CI job was merged with rust-test due to significant overlap and quick execution time, as we now need a Lean install in the Rust jobs to run bindgen. Therefore the branch protection rule needs to be updated before merge

[arthurpaulino]

There are non-trivial trade-offs at stake on this PR.

The ergonomic Rust types that mimic the memory layout of Lean objects are gone. But at least we don't need to keep the synchronization by hand, which is more principled.

The layer that abstracts unsafe operations is gone. Maybe we can redefine it in terms of this new API later.

Also, docs/ffi.md needs to be completely rewritten. Or deleted, if we no longer bother explaining our FFI infrastructure since it's now a straightforward Lean -> Rust dependency.

[arthurpaulino]

This patch is superb! Truly amazing work 🎉

I've left my last batch of comments. Also, docs/ffi.md needs to be either rewritten or deleted.

[arthurpaulino]

This is beautiful!
Maybe docs/ffi.md (or portions of it) can become the README for the lean-ffi crate.
But I'm already approving the diff as-is.