refactor: remove the TS AVM simulator

[fcarreiro]

Summary

There were two AVM simulator implementations: the pure-TS one and the C++ one. Production and tests already run on the C++ simulator, so this removes the TS AVM simulator and the TS↔C++ comparison/fuzzing harnesses.

The opcode classes are kept (stripped to their encoder surface) so that tests can still build bytecode in TS and execute it with the C++ simulator — they only ever used the opcode constructors + serialization, never execute(). What remains of the encoder is consolidated into a single opcodes.ts (plus the Instruction base). Since the whole encoder is only reachable from tests, all of public/avm/ now lives under avm/testing/.

The Noir SSA/brillig differential fuzzer (brillig-vs-AVM) is kept and re-pointed at the C++ simulator (see below).

Net: ~16k lines removed.

Part of https://linear.app/aztec-labs/issue/A-1291/delete-old-avm-ts-simulator

What's removed

• TS AVM interpreter — AvmSimulator and its execution engine: avm_context, avm_machine_state, avm_execution_environment, avm_gas, the memory runtime helpers, avm_contract_call_result, revert_reason, calldata, debug_fn_name.
• TS public-tx orchestration — the TS PublicTxSimulator (phases/reverts/fee/hint generation), public_tx_context, state_manager/, side_effect_trace, hinting_db_sources, and the TS measured/telemetry simulators.
• Comparison harness — cpp_vs_ts_public_tx_simulator, plus the unused cpp_public_tx_simulator_with_hinted_dbs.
• TS↔C++ differential fuzzer — the C++ avm_differential entry point and the entire JS-backed differential lib (JsSimulator, common/process, FuzzerSimulationRequest/serialize_simulation_request, the CPP-vs-JS compare_simulator_results, and the fuzz_against_ts_simulator loop in fuzz_lib/fuzz.*) that drove the TS simulator over AVM_SIMULATOR_BIN. The AVM_SIMULATOR_BIN plumbing in run_fuzzer.sh is dropped with it.
• TS-specific / execution tests — per-opcode execute() tests, interpreter tests, state-manager/side-effect-trace tests, and the TS PublicTxSimulator test. The AVM-direct apps tests (which ran on the deleted AvmSimulationTester) are not lost: their coverage is restored on the C++ PublicTxSimulationTester (see commit 7).

What's kept (and why)

• The opcode classes, serialization/, the memory-value types (TypeTag/Field/Uint*), addressing encoding, and errors — the encoder surface used by custom_bc.test.ts, opcode_spam.test.ts, minimal_public_tx, and opcode_spammer to construct bytecode that is executed by the C++ simulator. The opcode classes + instruction_impl + addressing_mode are consolidated into one opcodes.ts (the Instruction base stays separate), and the whole surface lives under avm/testing/ since nothing in production imports it.
• All C++ simulators (CppPublicTxSimulator, Telemetry/Dumping variants) and the pure-C++ prover and per-opcode harness fuzzers.
• The tx fuzzer (avm_fuzzer_tx_fuzzer), rebuilt as a pure-C++ coverage fuzzer: fuzz_tx now runs CppSimulator only (catching exceptions into a reverted result so sanitizer/assert failures stay the only crashes). The prover fuzzer and its CPP-vs-CPP compare_cpp_simulator_results (fuzzer_comparison_helper) are untouched — that helper backs the prover, not the deleted JS path.
• The SSA/brillig fuzzer (run_avm_brilling_fuzz.sh → Noir's cargo-fuzz brillig target). It uses avm_simulator_bin.ts as its AVM oracle to compare brillig (ACVM) vs AVM — it is not a TS↔C++ fuzzer. It is restored with AvmFuzzerSimulator now wrapping CppPublicTxSimulator instead of the TS simulator, so it compares brillig against the production AVM. The stdio/msgpack protocol is unchanged, so the cargo-fuzz harness is a drop-in.

A new slim PublicTxSimulatorBase (constructor, world-state/contract-DB handles, config, logger, computeTxHash) is extracted so CppPublicTxSimulator no longer inherits the TS orchestration.

Commits

1. refactor(simulator): route public tx simulation through the C++ simulator only — extract PublicTxSimulatorBase, re-parent CppPublicTxSimulator, switch every test consumer (shared PublicTxSimulationTester, public-processor / public-tx apps tests, ivc-integration) to the C++ simulator, drop the now-meaningless useCppSimulator flag, and delete the comparison/dead/TS measured+telemetry simulators. Behavior-preserving.
2. refactor(simulator): remove the TS AVM interpreter and orchestration — delete the TS execution stack and orchestration, strip the opcode classes to their encoder surface, and delete the TS-specific/execution tests.
3. chore(bb): remove the TS<->C++ differential AVM fuzzers — delete the avm_differential/tx fuzzer entry points and update run_fuzzer.sh.
4. feat(simulator): restore the SSA/brillig AVM fuzzer on the C++ simulator — re-add avm_simulator_bin.ts / AvmFuzzerSimulator / run_avm_brilling_fuzz.sh, now backed by CppPublicTxSimulator.
5. refactor(bb): drop JsSimulator and rebuild the tx fuzzer on the C++ simulator — remove the JS-backed differential lib (JsSimulator, common/process, FuzzerSimulationRequest, serialize_simulation_request, CPP-vs-JS compare_simulator_results, fuzz_lib/fuzz.*) and the AVM_SIMULATOR_BIN plumbing in run_fuzzer.sh; restore tx.fuzzer.cpp (avm_fuzzer_tx_fuzzer) running CppSimulator only. Keeps fuzz_prover + fuzzer_comparison_helper.
6. refactor(simulator): consolidate AVM opcodes into one file and move test helpers to testing/ — merge the per-category opcode files, instruction_impl, and addressing_mode into one avm/opcodes.ts (keeping Instruction in avm/instruction.ts), and rename avm/fixtures/ → avm/testing/ to match the repo's src/testing/ convention. Imports rewritten; no behavior change.
7. test(simulator): restore dropped AVM apps tests on the C++ simulator — re-add the avm_test cases that were dropped with the AVM-direct tester (unique-contract-class limit: max passes / max+1 reverts, and nested-call exceptional-halt recovery), now driven through PublicTxSimulationTester. Also restores account_proof.json (and its mainnet fetcher) into testing/ — bench.test.ts's storage-proof test reads it but it had been deleted, leaving that test broken. Token coverage was already preserved via tokenTest.
8. refactor(simulator): move the AVM encoder under testing/ (it is test-only) — the entire public/avm encoder surface is only consumed by tests/fixtures (production runs through the C++ NAPI sim, which never touches the TS encoder), so move opcodes.ts/instruction.ts/serialization//avm_memory_types.ts/errors.ts into avm/testing/. Drop the dead avm/index.ts barrel and the unused, now-stale ./public/avm/opcodes package export.
9. test(simulator): drop the 'Cpp' benchmark prefix now that there is one simulator — the Cpp metric prefix only existed to separate the C++ benchmark rows from the (removed) TS rows. With one simulator it's redundant, so benchmark groups go back to Token contract tests / Opcode Spam etc. The setMetricsPrefix grouping API is kept (it's the general per-app grouping, also used by bb-prover proving tests). Benchmark note: the un-prefixed series previously held TS-sim numbers, so the C++ numbers now continue under those names — the historical trend across the cutover is intentionally not apples-to-apples.

Verification

• @aztec/simulator builds; yarn lint simulator clean.
• Kept encoder unit tests pass (avm/serialization/*.test.ts, 12/12).
• Restored apps tests pass on the C++ simulator: avm_test.test.ts 4/4 (incl. the 3 re-added cases), bench.test.ts storage-proof test, and deployments.test.ts 3/3.
• Downstream @aztec/bb-prover and @aztec/ivc-integration type-check (they consume only the kept fixtures).
• The restored fuzzer bin builds, loads its native + world-state deps, and round-trips its msgpack I/O loop; its happy path uses the same CppPublicTxSimulator.simulate() exercised by the passing apps tests.
• No package outside simulator imports any removed symbol.
• The C++ AVM fuzzer changes build and link locally (fuzzing-avm preset, clang-20): avm_fuzzer_tx_fuzzer (rebuilt on CppSimulator) and avm_fuzzer_prover_fuzzer both compile, link, and load as libFuzzer binaries — confirming no dangling references to the removed JsSimulator/process/compare_simulator_results. The avm_differential target is gone as intended. (This is stronger than CI's syntax-only fuzzing-avm gate, which doesn't link.)

Notes for reviewers

• Barretenberg C++ was built locally (commits 3 and 5): the fuzzing-avm preset configures and the affected fuzzers (avm_fuzzer_tx_fuzzer, avm_fuzzer_prover_fuzzer) compile + link cleanly with clang-20. Commit 3 removes the differential fuzzer entry points; commit 5 removes the now-orphaned JS-backed lib and rebuilds the tx fuzzer on CppSimulator. fuzzer_comparison_helper is kept — its compare_cpp_simulator_results backs the (untouched) prover fuzzer, not the deleted JS path.
• A full happy-path run of the SSA/brillig fuzzer needs the cargo-fuzz harness (a nightly Rust + cargo-fuzz toolchain), not run here.
• Some retained data structures (TaggedMemory runtime ops, Addressing.resolve) are now unused by the encoder path and could be slimmed in a later cleanup.

[jeanmon]

Great job and good riddance!
I have only comments related to renaming. I am approving to not block.

[jeanmon]

Cannot we also rename MeasuredCppPublicTxSimulator to just MeasuredPublicTxSimulator?
Only makese sense if we rename CppPublicTxSimulator into PublicTxSImulator which I guess we could. There was a rename of oldPublicTxSImulator into PublicTxSImulatorBase so I would expect it was a preparation for the getting rid of the cpp prefix.

[jeanmon]

Did we port this test suite from somewhere?

[fcarreiro]

Yes — this is the AVM-direct apps suite that used to run on the now-deleted AvmSimulationTester. In this PR it was dropped in commit 2 (removing the TS interpreter + its tests) and restored in commit 7 (test(simulator): restore dropped AVM apps tests on the C++ simulator), now driven through PublicTxSimulationTester so the cases execute on the C++ simulator instead.

[jeanmon]

If we decide to rename CppPublicTxSimulator to PublicTxSimulator, let us also rename the the filename.

[AztecBot]

Flakey Tests

🤖 says: This CI run detected 1 tests that failed, but were tolerated due to a .test_patterns.yml entry.

\033FLAKED\033 (8;;http://ci.aztec-labs.com/9bafb277187edccd�9bafb277187edccd8;;�):  yarn-project/end-to-end/scripts/run_test.sh simple src/e2e_p2p/multiple_validators_sentinel.parallel.test.ts "collects attestations for all validators on a node" (436s) (code: 0) group:e2e-p2p-epoch-flakes