12 commits in all time
Mar 19, 2026 10:26 – Jun 17, 2026 10:26 UTC
feat: support single BSB22 commitment in BN254 smart-contract verifier

Extend the PuyaPy BN254 verifier generator to support circuits that emit
exactly one BSB22 commitment (gnark custom gate), as produced by gnark's
range-checker for emulated arithmetic (e.g. RSA-2048 + SHA-256). Previously
WritePythonCode rejected any commitment with "custom gates are not supported".

The single-commitment folding mirrors gnark's own audited Solidity PLONK
verifier (backend/plonk/bn254/solidity.go), term for term:
- bind VK_QCP into the gamma challenge (after Qk, before public inputs)
- bind the commitment point into the alpha challenge (before [Z])
- PI += hash_to_field(commitment) * L_{nbPublic+commitIndex}(zeta)
- fold commitment * qcp(zeta) into the linearised polynomial digest
- bind VK_QCP + qcp(zeta) into the KZG folding (gamma_kzg) challenge
- fold VK_QCP into the batch opening accumulation

A hash_to_field subroutine implements RFC 9380 expand_message_xmd(SHA-256),
L=48, reduced mod r (matching the prover's fr.Hash over the uncompressed
commitment). Circuits with >1 commitment remain rejected.

Validated end-to-end on Algorand localnet: a valid single-commitment proof
verifies on-chain and a tampered one is rejected; no regression on
no-commitment circuits.

utils.CompileWithPuyaPy now invokes puyapy directly (instead of
`algokit compile py`) so builds work where puyapy is provided by a Python
>=3.12 virtualenv on PATH.
8cb35b9c
pull/7/head
3/141 ++ 14 --
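The hash_to_field step named in the commit message above, as an added reference sketch in plain Python (not the project's PuyaPy subroutine and not gnark's code): RFC 9380 expand_message_xmd with SHA-256, 48 output bytes, reduced mod the BN254 scalar modulus r. The domain separation tag is not given on this page, so `SAMPLE_DST` is a placeholder, and the commitment bytes are constructed sample data rather than a real curve point.

```python
import hashlib

# BN254 scalar field modulus r (the field the PLONK public inputs live in).
BN254_R = 21888242871839275222246405745257275088548364400416034343698204186575808495617
L_BYTES = 48  # L from the commit message: 48 uniform bytes per field element


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """RFC 9380 section 5.3.1 with H = SHA-256 (32-byte output, 64-byte block)."""
    b_len, block_len = 32, 64
    ell = -(-len_in_bytes // b_len)  # ceiling division
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd parameter out of range")
    dst_prime = dst + bytes([len(dst)])
    # b_0 binds the requested length, so outputs of different lengths are unrelated.
    b0 = hashlib.sha256(
        bytes(block_len) + msg + len_in_bytes.to_bytes(2, "big") + b"\x00" + dst_prime
    ).digest()
    blocks = [hashlib.sha256(b0 + b"\x01" + dst_prime).digest()]
    for i in range(2, ell + 1):
        mixed = bytes(x ^ y for x, y in zip(b0, blocks[-1]))
        blocks.append(hashlib.sha256(mixed + bytes([i]) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def hash_to_field(commitment_xy: bytes, dst: bytes) -> int:
    """Map an uncompressed G1 commitment (X || Y, 32 bytes each) into Fr."""
    if len(commitment_xy) != 64:
        raise ValueError("expected 64-byte uncompressed BN254 G1 point")
    uniform = expand_message_xmd(commitment_xy, dst, L_BYTES)
    return int.from_bytes(uniform, "big") % BN254_R


# Constructed sample values: placeholder DST, bytes that are not a real point.
SAMPLE_DST = b"EXAMPLE-DST-PLACEHOLDER"
SAMPLE_COMMITMENT = bytes(range(64))
TAMPERED = bytes([SAMPLE_COMMITMENT[0] ^ 1]) + SAMPLE_COMMITMENT[1:]

if __name__ == "__main__":
    # A one-bit change in the commitment yields an unrelated public-input term.
    print(hex(hash_to_field(SAMPLE_COMMITMENT, SAMPLE_DST)))
    print(hex(hash_to_field(TAMPERED, SAMPLE_DST)))
```

A verifier and prover that disagree on the DST, the byte order or the point encoding derive different field elements, so every valid proof is rejected; checking this subroutine against the prover's output on a known commitment isolates that class of mismatch.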
Merge 53744eaabc081c040149bc80128a6a2cc9e304c1 into 6ed21a12da5ba45ff8d41c3a9a88d5a7920b1cbd
6dd7fcac
pull/5/merge
4/8 ++ 0 --
Merge 1d8633f3109cb436abdac63f55b57b824c20663c into 6ed21a12da5ba45ff8d41c3a9a88d5a7920b1cbd
459caac3
pull/5/merge
4/16 ++ 8 --