Phase TLS-UNIFY-3: C6 intrusive freelist implementation (完成)

Implement C6 ULTRA intrusive LIFO freelist with ENV gating:
- Single-linked LIFO using next pointer at USER+1 offset
- tiny_next_store/tiny_next_load for pointer access (single source of truth)
- Segment learning via ss_fast_lookup (per-class seg_base/seg_end)
- ENV gate: HAKMEM_TINY_C6_ULTRA_INTRUSIVE_FL (default OFF)
- Counters: c6_ifl_push/pop/fallback in FREE_PATH_STATS

Files:
- core/box/tiny_ultra_tls_box.h: Added c6_head field for intrusive LIFO
- core/box/tiny_ultra_tls_box.c: Pop/push with intrusive branching (case 6)
- core/box/tiny_c6_ultra_intrusive_env_box.h: ENV gate (new)
- core/box/tiny_c6_intrusive_freelist_box.h: L1 pure LIFO (new)
- core/tiny_debug_ring.h: C6_IFL events
- core/box/free_path_stats_box.h/c: c6_ifl_* counters

A/B Test Results (1M iterations, ws=200, 257-512B):
- ENV_OFF (array): 56.6 Mop/s avg
- ENV_ON (intrusive): 57.6 Mop/s avg (+1.8%, within noise)
- Counters verified: c6_ifl_push=265890, c6_ifl_pop=265815, fallback=0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

core/tiny_debug_ring.h

@@ -40,7 +40,11 @@ enum {
     // TLS SLL anomalies (investigation aid, gated by HAKMEM_TINY_SLL_RING)
     TINY_RING_EVENT_TLS_SLL_REJECT = 0x7F10,
     TINY_RING_EVENT_TLS_SLL_SENTINEL = 0x7F11,
-    TINY_RING_EVENT_TLS_SLL_HDR_CORRUPT = 0x7F12
+    TINY_RING_EVENT_TLS_SLL_HDR_CORRUPT = 0x7F12,
+    // C6 Intrusive Freelist (Phase TLS-UNIFY-3)
+    TINY_RING_EVENT_C6_IFL_PUSH = 0x7F20,
+    TINY_RING_EVENT_C6_IFL_POP = 0x7F21,
+    TINY_RING_EVENT_C6_IFL_EMPTY = 0x7F22   // pop miss (empty)
 };
 
 // Function declarations (implementation in tiny_debug_ring.c)