Sessions 21-26 lift five duplicated patterns from the four
Phase-3 verifiers into mosaic-zk-primitives:

  field::fr_from_be_bytes_reduced     — keccak digest → Fr
  field::fr_be_from_u64               — const u64 → Fr BE bytes
  transcript::derive_fr_challenge     — one-shot Fiat-Shamir
  msm::verify_two_pair_pairing        — BN254 2-pair identity check
  msm::commitment_minus_scalar_g1     — KZG C - y·G1 step

Plus session 23: Nova proof canonical gains a dedicated w_eval
slot (+32 B) replacing the scaffold public_inputs[0] fallback.

Tests: 234 passing across halo2 58 / hyperplonk 64 / nova 44 /
plonk 17 / zk-primitives 51. +12 new unit tests + 1 new tamper
test introduced in sessions 21-26.