Extract page_ops, add protected_vector_indices and server FWHT policy, improve CI and proof-pack

[arty-kk]

Motivation

• Consolidate repeated page-level utilities into a single page_ops module to reduce duplication and clarify responsibilities.
• Allow callers to mark specific vectors as protected when building resident plans and stores, and ensure payload integrity is enforced for materialized pages.
• Make server-side vector decompression respect a configurable default preference for the native FWHT implementation.
• Simplify CI and proof-pack generation by moving grouped checks into a make ci-check target and parameterizing evidence output paths.

Description

• Added a new hyperquant/page_ops.py with hash_page, relative_rms, max_abs_error, top_rank_factors, quantize_page_int8, and protected_mask functions and replaced in-place implementations in context_codec.py and resident_tier.py with calls into this module.
• Added protected_vector_indices support end-to-end: API model (ResidentPlanRequest), create_app request handling, ContextCodec.compress and resident-tier builders/readers now accept and apply protected indices via the protected_mask logic.
• Strengthened resident-tier manifest and payload verification by requiring payload_sha256 for materialized pages and validating it on open/read, and improved decoding by factoring _decode_page and tightening error messages.
• Added server-side default policy VECTOR_PREFER_NATIVE_FWHT_DEFAULT usage in the API so /v1/vector/decompress will prefer native FWHT only when both the server default and envelope indicate it.
• Improved scripts/build_proof_pack.py to accept --output-dir, make displayed paths relative to repository or evidence dir, and use the parameterized evidence directory throughout.
• Reworked CI workflow and Makefile to use a single make ci-check target that runs compile checks, native build smoke test, pytest -q, python -m build, and an optional lightweight proof-pack generation controlled by an environment flag.
• Added unit tests tests/test_page_ops.py, expanded tests/test_resident_tier.py and tests/test_api.py to cover the new page ops, protected indices, payload hash enforcement, and server FWHT policy.

Testing

• Ran the test suite with pytest -q, including new tests tests/test_page_ops.py and updated API/resident tests, and all tests passed.
• Executed the CI smoke sequence via make ci-check, which ran python -m compileall, the native FWHT build, pytest -q, and python -m build, and the checks completed successfully.
• Verified proof-pack generation pathing and SHA manifest updates by running python scripts/build_proof_pack.py --skip-tests --iterations 1 --warmup 0 --slice-iterations 1 --output-dir <tmpdir>, which produced expected artifacts and hash manifest.

---

Codex Task