Clean up ECSM review nits

[MauroToscano]

Stacked on #657.

Summary:

• move test-only field arithmetic behind cfg(test) and centralize the shared 3p R_BYTES constant
• improve ECSM witness assertion context and replace duplicated carry-offset literals with named constants
• clean stale spec/test comments and syscall/executor docs around ECSM aliasing/address assumptions
• add executor ECSM edge-case coverage for scalar bounds, invalid xG, xR aliasing k, and address-overflow variants
• remove stale asm labels and keep workspace member ordering tidy

Out of scope:

• ECSM disk-spill/resource-estimator support remains intentionally separate because it needs a design pass.

Validation:

• cargo fmt --check
• git diff --check
• cargo test -p ecsm --release
• cargo test -p executor --release ecsm
• cargo test -p lambda-vm-prover --release --lib ecsm
• cargo test -p lambda-vm-prover --release --lib ecdas
• cargo test -p lambda-vm-prover --release --lib ec_scalar

[github-actions]

Codex Code Review

No issues found in the PR diff.

I reviewed the ECSM witness changes, shared R_BYTES/carry-offset wiring, VM syscall handling comments/tests, and prover bitwise lookup updates. I did not find concrete security, correctness, significant performance, or simplicity problems in the changed lines.

Verification note: I attempted cargo check -p ecsm and cargo test -p ecsm, but both were blocked because rustup tried to write temp files under read-only /home/runner/.rustup/tmp.

[github-actions]

Benchmark Results for modified programs 🚀

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
head hashmap	105.3 ± 1.9	102.3	108.9	1.00

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
head keccak	105.9 ± 1.5	104.5	109.1	1.00

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
head syscall_commit	76.3 ± 1.5	74.7	78.3	1.00

[claude]

Review: Clean up ECSM review nits

This is a clean refactoring/cleanup PR. No security vulnerabilities, bugs, or performance issues found.

R_BYTES correctness — Verified manually that R_BYTES = 3p: byte 0: 0x2F3=0x8D, byte 1: 0xFC3=0x2F4→0xF4 (carry 2), byte 4: 0xFE*3+2=0xFC, byte 32: carry 0x02. Consolidating the duplicate from ecdas.rs is correct.

Carry offset constants — CARRY_OFFSET_X2=8160, CARRY_OFFSET_YG=16319, etc. are exact renames of pre-existing magic numbers with no value changes. The pub(crate) re-export of R_BYTES in ecdas.rs preserves all internal access (ecdas_tests.rs resolves it correctly).

New tests

• ecsm_syscall_rejects_out_of_range_scalar: uses N_BYTES as scalar (k=N, not in [1,N)). Correct.
• ecsm_syscall_rejects_xg_not_on_curve: P_BYTES[0]=0x2F so xg[0]-=1 is safe (no underflow), yields x=p-1. Correct.
• ecsm_syscall_rejects_address_overflow parameterized cases: 0xFFFF_FFE8+24=2^32 (>=LOW_LIMB, overflow), 0xFFFF_FFF0+31=2^32+15. All correct.
• xR aliasing k allowed by design — load_u256_le(addr_k) executes before store_u256_le(addr_xr) in execution.rs. Correct.

field.rs narrowed to cfg(test) + pub(crate) — Fp has no non-test callers; correct.

LGTM.