feat: isolate Bernstein-Yang impl from Pippenger rewrite

[iakovenkos]

Adds a variable-time safegcd inverse (Bernstein-Yang '19) for 254-bit prime fields and wires field::invert() to dispatch to it at runtime, keeping Fermat for constexpr contexts and 256-bit moduli (secp256k1/r1). Includes the WASM 9x29 kernel, a differential fuzzer vs Fermat, and unit tests exercising the WASM kernel on x86_64.

Extracted from 758407a without the surrounding Pippenger refactor.

[ledwards2225]

BrowserStack wasm-bench A/B — PR vs merge-train/barretenberg merge-base

Paired in-session A/B (PR↔base interleaved on the same physical BrowserStack device, alternating order, drop pair 1 as warmup), N=10 pairs per target. iPhone runs as two same-model sessions (one all-PR, one all-base, 6 runs each, position-paired by run index) because iOS Safari refuses to allocate a second WebAssembly.Memory({shared:true}) in one tab.

• PR head: 53c15af2bc50f1141efaa3b7c17f4dd7c27511a4 (si/isolate-bernstein-yang-impl)
• Merge-base: ae4f1646f77 ("fix(ci): harden Chonk refresh post-action (fix(ci): harden Chonk refresh post-action #23419)")
• Flow: ecdsar1+transfer_1_recursions+sponsored_fpc · pinned inputs 5d17cc1cfa051b60
• Build: wasm-threads preset, -DENABLE_WASM_BENCH=ON, AVM off — same on both sides
• Wasm md5 (uncompressed): base 710010a9e40c53acc14572e9b3b2f278, PR afa40ffa25d49d3688cdd6e7a42feb68

Target	N	PR median ms	Base median ms	Δ median %	95% CI %	Distinguishable from 0?
Pixel 9 Pro XL · Chrome	10	23 276	24 363	−5.13%	[−7.46, −1.53]	✓
iPhone 15 Pro · Safari †	6	18 907	19 728	−6.18%	[−8.07, −1.51]	✓
macOS Sequoia · Chrome 148	10	11 009	11 484	−3.59%	[−8.20, −2.38]	✓
Galaxy S25 Ultra · Chrome	10	10 182	10 636	−3.14%	[−10.29, +3.93]	✗

Three of four targets clear zero with a bootstrap 95% CI on the paired median Δ% (2000 resamples). Real 3–6% Chonk end-to-end speedup from the Bernstein-Yang inverse on the targets that resolved. Galaxy point estimate is in the same direction; the Snapdragon 8 Elite scheduler is noisy enough that the CI straddles zero at N=10, so I'm not claiming a sign — bumping N to ~25 would likely resolve it.

All 56 proofs verified (proofFieldCount=2630, verificationKeyBytes=4576). crossOriginIsolated=true, sharedArrayBuffer=true on every run.

[ledwards2225]

LGTM. Pushed a few minor cleanups and ran the fuzzer for ~4 hours as a sanity check.