Fix: Restore headers in box_carve_and_push_with_freelist()

Root cause identified by Task exploration agent:
- box_carve_and_push_with_freelist() pops blocks from slab
  freelist without restoring headers before pushing to TLS SLL
- Freelist blocks have stale data at offset 0
- When popped from TLS SLL, header validation fails
- Error: [TLS_SLL_HDR_RESET] cls=1 got=0x00 expect=0xa1

Fix applied:
1. Added HEADER_MAGIC restoration before tls_sll_push()
   in box_carve_and_push_with_freelist() (carve_push_box.c:193-198)
2. Added tiny_region_id.h include for HEADER_MAGIC definition

Results:
- 20 threads: Header corruption ELIMINATED ✓
- 4 threads: Still shows 1 corruption (partial fix)
- Suggests multiple freelist pop paths exist

Additional work needed:
- Check hakmem_tiny_alloc_new.inc freelist pops
- Verify all freelist → TLS SLL paths write headers

Reference:
Same pattern as tiny_superslab_alloc.inc.h:159-169 (correct impl)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

core/box/carve_push_box.c

@@ -7,6 +7,7 @@
 #include "../hakmem_tiny_config.h"  // TINY_NUM_CLASSES
 #include "../hakmem_tiny_superslab.h" // ss_active_add(), SuperSlab
 #include "../hakmem_tiny_integrity.h" // HAK_CHECK_CLASS_IDX
+#include "../tiny_region_id.h"      // HEADER_MAGIC, HEADER_CLASS_MASK
 #include "carve_push_box.h"
 #include "capacity_box.h"           // box_cap_has_room()
 #include "tls_sll_box.h"            // tls_sll_push()
@@ -190,6 +191,13 @@ uint32_t box_carve_and_push_with_freelist(int class_idx, uint32_t want) {
         meta->freelist = tiny_next_read(class_idx, p);
         meta->used++;
 
+        // CRITICAL FIX: Restore header BEFORE pushing to TLS SLL
+        // Freelist blocks may have stale data at offset 0
+        // (same fix as in tiny_superslab_alloc.inc.h:159-169)
+#if HAKMEM_TINY_HEADER_CLASSIDX
+        *(uint8_t*)p = HEADER_MAGIC | (class_idx & HEADER_CLASS_MASK);
+#endif
+
         if (!tls_sll_push(class_idx, p, sll_cap)) {
             // Rollback
             tiny_next_write(class_idx, p, meta->freelist);

core/box/carve_push_box.d

@@ -13,10 +13,10 @@ core/box/carve_push_box.o: core/box/carve_push_box.c \
  core/box/../hakmem_tiny_superslab_constants.h \
  core/box/../hakmem_tiny_config.h core/box/../hakmem_tiny_superslab.h \
  core/box/../hakmem_tiny_integrity.h core/box/../hakmem_tiny.h \
- core/box/carve_push_box.h core/box/capacity_box.h core/box/tls_sll_box.h \
- core/box/../hakmem_build_flags.h core/box/../tiny_remote.h \
  core/box/../tiny_region_id.h core/box/../tiny_box_geometry.h \
  core/box/../ptr_track.h core/box/../hakmem_super_registry.h \
+ core/box/carve_push_box.h core/box/capacity_box.h core/box/tls_sll_box.h \
+ core/box/../hakmem_build_flags.h core/box/../tiny_remote.h \
  core/box/../ptr_track.h core/box/../ptr_trace.h \
  core/box/../box/tiny_next_ptr_box.h core/hakmem_tiny_config.h \
  core/tiny_nextptr.h core/hakmem_build_flags.h core/tiny_region_id.h \
@@ -45,15 +45,15 @@ core/box/../hakmem_tiny_config.h:
 core/box/../hakmem_tiny_superslab.h:
 core/box/../hakmem_tiny_integrity.h:
 core/box/../hakmem_tiny.h:
+core/box/../tiny_region_id.h:
+core/box/../tiny_box_geometry.h:
+core/box/../ptr_track.h:
+core/box/../hakmem_super_registry.h:
 core/box/carve_push_box.h:
 core/box/capacity_box.h:
 core/box/tls_sll_box.h:
 core/box/../hakmem_build_flags.h:
 core/box/../tiny_remote.h:
-core/box/../tiny_region_id.h:
-core/box/../tiny_box_geometry.h:
-core/box/../ptr_track.h:
-core/box/../hakmem_super_registry.h:
 core/box/../ptr_track.h:
 core/box/../ptr_trace.h:
 core/box/../box/tiny_next_ptr_box.h: