feat(transforms): mask hardcoded constants to defeat bytecode-grep detection and error selector randomization

[g4titanx]

Summary

This PR hardens azoth against static constant detection by adding ConstantMask to the default transform pipeline. The new pass rewrites eligible runtime and deployment literals so sensitive constants no longer appear as raw bytecode, including ERC-20 selectors, event topics, timeout literals, custom-error selectors, addresses, and fixture constants.

It also moves revert-selector handling into StringObfuscate, fixes related transform/finalization edge cases, and adds an e2e audit over the real escrow bytecode.

Key Changes

• Adds ConstantMask and enables it in the default pipeline.
• Reconstructs eligible constants at runtime from seed-varied shares instead of emitting direct PUSH literals.
• Masks wide init/deployment literals so constants are not left greppable in deployment calldata.
• Rewrites external call selector stores with decoy selector words plus byte patches.
• Randomizes custom-error and Error(string) selectors in StringObfuscate.
• Adds real escrow constant audit coverage for raw matches, shifted selector forms, direct selector-byte patches, and simple constant-folder recovery.
• Fixes immutable placeholder handling so constructor-patched values still deploy correctly after masking.
• Fixes PushSplit subtraction-chain semantics and orphan jump remapping regressions exposed by the full escrow flow.