Fix : Unchecked Witness-Derived Indices Cause Deterministic Prover Panics in RAM and Multiplicity Builders [LA-H]

[ocdbytes]

PR Description

Summary

• Add explicit bounds checks for witness-derived array indices in solve_ram_witness, MultiplicitiesForRange,
  MultiplicitiesForBinOp, and MultiplicitiesForSpread
• Convert SpiceWitnessesSolver::solve, WitnessBuilderSolver::solve, and solve_witness_vec to return
  anyhow::Result<()> instead of panicking
• Propagate structured errors through the full call chain up to prove_with_witness

Motivation

Addresses audit finding Issue H: unchecked witness-derived indices allowed malformed witness values to cause
deterministic out-of-bounds panics in the prover, enabling denial-of-service against proof generation.

Vulnerable sites fixed

Location	Vulnerability
ram.rs — Load/Store	addr.into_bigint().0[0] as usize used to index rt_final/rv_final without bounds check
witness_builder.rs — MultiplicitiesForRange	value as usize used as index into multiplicities without checking value < range_size
witness_builder.rs — MultiplicitiesForBinOp	(lhs << atomic_bits) + rhs used as unchecked table index
witness_builder.rs — MultiplicitiesForSpread	val as usize used as unchecked table index (same pattern, not in audit)