runtime: real gas-budget enforcement + Wasmtime fuel metering (closes #51)

[proofmancer]

Closes #51.

The v0.3 runtime tracked gas_used per dimension but never aborted on overflow. That caveat is gone. Two layers of metering now compose so a malicious or buggy module cannot starve a node.

What landed

1. Per-dimension gas budgets

The hostcall ABI documented in spec/abi/wasm.md already specified env.gas_consume(dim, amount). The runtime now actually enforces it.

• New gas_budgets: HashMap<u32, u64> on HostState
• New Instance::set_gas_budget(dim, units) API
• env.gas_consume hostcall: returns Err(anyhow!("out of gas: ...")) when gas_used + amount > budget. Wasmtime converts the Err to a trap; the trap propagates as an Instance::call error.
• Dimensions without a budget set stay unmetered (existing callers unchanged).

2. Wasmtime fuel

Enabled in Config::consume_fuel(true) so every WASM instruction tics the fuel counter. Defense against the failure mode where a malicious module spins in a pure-WASM loop and never calls back into a hostcall.

• Instance::set_fuel(units) to set the budget
• Instance::fuel_remaining() to read what's left
• New DEFAULT_FUEL = 10_000_000_000 applied at load time; existing callers see no behavior change

3. Tests

7 new unit tests, all passing:

• gas_consume_without_budget_runs_freely: unmetered call is uncapped
• gas_consume_under_budget_runs_and_records_usage: budget OK -> call succeeds, usage tracked
• gas_consume_over_budget_traps_with_clear_error: budget < amount -> trap with "out of gas" in message, gas_used not incremented
• gas_budget_only_applies_to_set_dimension: budget on dim 1 ignored when call charges dim 0
• fuel_default_is_sufficient_for_counter_module: 100 increment calls fit in DEFAULT_FUEL
• fuel_is_actually_consumed: one call decreases fuel_remaining
• fuel_exhaustion_traps_the_call: zero fuel -> trap

4. Hand-crafted GAS_TEST_WASM constant

The existing counter module doesn't call gas_consume (v0.3 codegen doesn't emit it). Testing budget enforcement requires a module that does. 73 bytes of hand-crafted WASM in lib.rs tests: imports env.gas_consume, exports do_work which calls gas_consume(0, 100) and returns 1.

End-to-end demo

let rt = Runtime::new();
let mut instance = rt.load(GAS_TEST_WASM).unwrap();

instance.set_gas_budget(0, 50);                     // budget 50, charge 100
let err = instance.call("do_work", &[]).unwrap_err();
// "out of gas: dimension 0 budget 50 exceeded (100 > 50)"

instance.set_gas_budget(0, 200);                     // raise the budget
let result = instance.call("do_work", &[]).unwrap();
assert_eq!(result, 1);
assert_eq!(instance.gas_used(0), 100);

What this PR does NOT yet do

Each is its own future issue:

• Cross-engine budget enforcement: the EVM engine has its own REVM-internal gas; nothing unifies the two budgets today. Solved alongside the cross-engine state sharing work (RFC RFC: cross-engine state sharing (one state root across WASM and EVM) #46 / impl Runtime: cross-engine state sharing implementation (one state root across WASM + EVM) #50).
• Auto-charged gas at fn entry: today the codegen doesn't emit gas_consume calls anywhere. A chain that wants per-fn gas accounting either compiles its own calls in or hooks the hostcall layer to charge based on Wasmtime fuel consumed.
• Gas refunds on revert: if a tx reverts, the gas usage stays charged. Standard for most VMs at this layer; the chain transaction layer handles refund semantics.

What unblocks next

• Realistic chain transaction budgets become expressible at the runtime layer
• RFC RFC: cross-engine state sharing (one state root across WASM and EVM) #46 (cross-engine state sharing) implementation can land alongside cross-engine gas