IxVM kernel: fix klimbs_to_ctor_form to single-step expansion

`klimbs_to_ctor_form` recursively unfolded a Nat literal `n` into the
full ctor chain `Nat.succ^n(Nat.zero)`. For large `n` the recursion
created O(n) memo entries (one per `klimbs_dec`, one per
`klimbs_normalize`, one per the recursive `klimbs_to_ctor_form` call)
and OOM'd the per-fn function_queries before completing.

Rust's `nat_to_constructor` (src/ix/kernel/whnf.rs:1664-1687) does the
right thing: produce `Nat.succ(Lit(n-1))` — a single ctor wrap whose
predecessor stays a `Lit(Nat)`. Subsequent iota reductions re-trigger
expansion only as needed. Mirror that semantics in Aiur.

`lake exe check '_private.Init.Data.String.Decode.0.ByteArray.utf8DecodeChar?.<bomb>'`
with `ulimit -v 20000000`:
* assemble₂._proof_1:                 OOM → 11_936_582_540 FFT
* assemble₃._proof_3:                 OOM → 11_934_210_486 FFT
* assemble₃._proof_4:                 OOM → 11_968_289_150 FFT
* assemble₄_eq_some_iff_..._proof_1_13: OOM → 8_510_124_580 FFT
* helper₃:                  37_793_684_978 → 16_870_284_540 FFT (-55.4%)

`lake exe check 'ByteArray.utf8DecodeChar?_utf8EncodeChar_append'` with
`ulimit -v 22000000`: passes at 43_544_984_712 FFT (the full theorem,
which was the original UTF-8 blocker).

Tests/Ix/IxVM.lean: 18 small FFT pin increases — every const whose
WHNF path now eagerly synthesizes a `Lit(n-1)` predecessor (one extra
`mk_nat_lit` per ctor-form coercion instead of zero in the old
recursive body that walked the whole chain anyway).

Author: arthurpaulino

Ix/IxVM/Kernel/Primitive.lean

@@ -1267,16 +1267,23 @@ def primitive := ⟦
     }
   }
 
-  -- Convert a KLimbs n into a chain `App(Const(succ), App(Const(succ),
-  -- ... Const(zero)))` for n calls of succ. Used by nat-literal-to-ctor
-  -- coercion in iota.
+  -- Single-step Nat-literal → ctor coercion. Mirrors Rust
+  -- `nat_to_constructor` (src/ix/kernel/whnf.rs:1664-1687):
+  --   0   → `Const(Nat.zero)`
+  --   n+1 → `App(Const(Nat.succ), Lit(Nat(n-1)))`
+  -- The predecessor stays a `Lit`; the iota that asked for this expansion
+  -- only needs to see the head ctor. Subsequent matches re-trigger
+  -- expansion as needed. The previous body unfolded recursively into
+  -- `Nat.succ^n(Nat.zero)`, which OOM'd for large literals (the original
+  -- driver: per-step `klimbs_dec` memo growth, 4M+ entries seen on
+  -- `Init.Data.String.Decode.0.ByteArray.utf8DecodeChar?.assemble₂._proof_1`
+  -- before allocation failure).
   fn klimbs_to_ctor_form(n: KLimbs, zero_idx: G, succ_idx: G) -> KExpr {
     match load(n) {
       ListNode.Nil =>
         store(KExprNode.Const(zero_idx, store(ListNode.Nil))),
       ListNode.Cons(_, _) =>
-        let dec = klimbs_dec(n);
-        let pred = klimbs_to_ctor_form(dec, zero_idx, succ_idx);
+        let pred = mk_nat_lit(klimbs_normalize(klimbs_dec(n)));
         let succ_const = store(KExprNode.Const(succ_idx, store(ListNode.Nil)));
         store(KExprNode.App(succ_const, pred)),
     }

Tests/Ix/IxVM.lean

@@ -120,36 +120,36 @@ private def kernelCheckEntries : List (String × Nat) := [
   ("Eq.rec",                                                             2_575_090),
   ("Nat",                                                                1_857_572),
   ("Nat.add",                                                            12_973_039),
-  ("Nat.add_comm",                                                       54_350_107),
+  ("Nat.add_comm",                                                       54_350_110),
   ("Nat.decEq",                                                          68_538_632),
-  ("Nat.decLe",                                                          191_354_790),
-  ("Nat.sub_le_of_le_add",                                               515_033_220),
+  ("Nat.decLe",                                                          191_354_793),
+  ("Nat.sub_le_of_le_add",                                               515_056_158),
   -- Newly-unlocked targets (level_leq Géran normalize).
   ("Trans.mk",                                                           2_863_374),
-  ("Array.append_assoc",                                                 2_588_113_566),
-  ("Vector.append",                                                      2_661_200_807),
+  ("Array.append_assoc",                                                 2_588_157_538),
+  ("Vector.append",                                                      2_661_244_845),
   -- Primitive reduction theorems (`IxVMPrim`)
   ("IxVMPrim.nat_add_lit",                                               28_083_713),
   ("IxVMPrim.nat_sub_lit",                                               33_755_207),
   ("IxVMPrim.nat_mul_lit",                                               24_642_249),
   ("IxVMPrim.nat_mul_big",                                               24_116_975),
-  ("IxVMPrim.nat_div_lit",                                               367_240_783),
-  ("IxVMPrim.nat_mod_lit",                                               375_936_541),
+  ("IxVMPrim.nat_div_lit",                                               367_262_654),
+  ("IxVMPrim.nat_mod_lit",                                               375_958_446),
   ("IxVMPrim.nat_succ_lit",                                              7_307_039),
   ("IxVMPrim.nat_pred_lit",                                              14_682_236),
-  ("IxVMPrim.nat_gcd_lit",                                               605_481_967),
-  ("IxVMPrim.nat_land_lit",                                              1_019_712_405),
-  ("IxVMPrim.nat_lor_lit",                                               1_020_941_332),
-  ("IxVMPrim.nat_xor_lit",                                               1_029_773_064),
+  ("IxVMPrim.nat_gcd_lit",                                               605_512_664),
+  ("IxVMPrim.nat_land_lit",                                              1_019_743_752),
+  ("IxVMPrim.nat_lor_lit",                                               1_020_972_680),
+  ("IxVMPrim.nat_xor_lit",                                               1_029_804_417),
   ("IxVMPrim.nat_shl_lit",                                               34_843_370),
-  ("IxVMPrim.nat_shr_lit",                                               372_704_905),
+  ("IxVMPrim.nat_shr_lit",                                               372_726_784),
   ("IxVMPrim.nat_beq_lit",                                               24_108_404),
   ("IxVMPrim.nat_ble_lit",                                               22_469_243),
-  ("IxVMPrim.nat_dec_le",                                                198_104_577),
-  ("IxVMPrim.nat_dec_lt",                                                202_076_476),
+  ("IxVMPrim.nat_dec_le",                                                198_104_580),
+  ("IxVMPrim.nat_dec_lt",                                                202_076_479),
   ("IxVMPrim.nat_dec_eq",                                                82_352_518),
-  ("IxVMPrim.str_size_lit",                                              733_871_761),
-  ("IxVMPrim.bv_to_nat_lit",                                             577_337_315),
+  ("IxVMPrim.str_size_lit",                                              733_902_817),
+  ("IxVMPrim.bv_to_nat_lit",                                             577_368_072),
   -- Mutual block + multi-member recursors
   ("IxVMInd.Even",                                                       25_965_406),
   ("IxVMInd.Odd",                                                        25_728_543),
@@ -159,8 +159,8 @@ private def kernelCheckEntries : List (String × Nat) := [
   ("IxVMInd.Tree",                                                       2_634_462),
   ("IxVMInd.Tree.rec",                                                   4_870_642),
   -- Edge cases from prelude
-  ("String.Internal.append",                                             725_384_432),
-  ("_private.Init.Prelude.0.Lean.extractMainModule._unsafe_rec",         1_091_321_972),
+  ("String.Internal.append",                                             725_415_461),
+  ("_private.Init.Prelude.0.Lean.extractMainModule._unsafe_rec",         1_091_354_031),
 ]
 
 private def nameOfString (str : String) : Lean.Name :=

src/aiur/bytecode.rs

@@ -64,10 +64,10 @@ pub enum Op {
   /// Range-check two values into `[0, 256)` via the byte chip. Produces no new
   /// values: its `u8` results alias the two inputs (cf. `AssertEq`).
   U8RangeCheck(ValIdx, ValIdx),
-  /// Unconstrained LE byte-list division-modulo hint. Inputs are two pointers
-  /// to `ByteStream` (= `List<U8>`) values storing the dividend `a` and
-  /// divisor `b` as little-endian byte sequences. Outputs two new pointers to
-  /// `ByteStream` values for the quotient `q` and remainder `r` such that
+  /// Unconstrained `BigUint` division-modulo hint. Inputs are two pointers
+  /// to `KLimbs` (= `List<U64>`) values storing the dividend `a` and divisor
+  /// `b` as little-endian u64 limb chains. Outputs two new pointers to
+  /// `KLimbs` values for the quotient `q` and remainder `r` such that
   /// `q * b + r = a` with `0 ≤ r < b` (when `b > 0`). Computed natively by
   /// the runtime via `num_bigint::BigUint::div_rem`; no in-circuit recursion
   /// and no constraints generated. The caller is responsible for verifying