CRITICAL FIX: Restore mincore() safety checks in classify_ptr() and free wrapper

Root Cause:
- Phase 9 gutted hak_is_memory_readable() to always return 1 (unsafe!)
- classify_ptr() Step 3 and free wrapper AllocHeader dispatch both relied on this
- Result: SEGV when freeing external pointers (e.g. 0x5555... executable area)
- Crash: hdr->magic dereference at unmapped memory (page boundary crossing)

Fix (2-file, minimal patch):
1. core/box/front_gate_classifier.c (Line 211-230):
   - REMOVED unsafe AllocHeader probe from classify_ptr()
   - Return PTR_KIND_UNKNOWN immediately after registry lookups fail
   - Let free wrapper handle unknown pointers safely

2. core/box/hak_free_api.inc.h (Line 194-211):
   - RESTORED real mincore() check before AllocHeader dereference
   - Check BOTH pages if header crosses page boundary (40-byte header)
   - Only dereference hdr->magic if memory is verified mapped

Verification:
- ws=4096 benchmark: 10/10 runs passed (was: 100% crash)
- Exit code: 0 (was: 139/SIGSEGV)
- Crash location: eliminated (was: classify_ptr+298, hdr->magic read)

Performance Impact:
- Minimal (only affects unknown pointers, rare case)
- mincore() syscall only when ptr NOT in Pool/SuperSlab registries

Files Changed:
- core/box/front_gate_classifier.c (+20 simplified, -30 unsafe)
- core/box/hak_free_api.inc.h (+16 mincore check)

core/box/front_gate_classifier.c

@@ -8,6 +8,7 @@
 
 #include <stdio.h>   // For fprintf in debug
 #include <stdlib.h>  // For abort in debug
+#include <sys/mman.h>  // For mincore() in Step 3 safety check
 #include "front_gate_classifier.h"
 #include "../tiny_region_id.h"  // Must come before hakmem_tiny_superslab.h for HEADER_MAGIC
 #include "../hakmem_tiny_superslab.h"
@@ -207,27 +208,25 @@ ptr_classification_t classify_ptr(void* ptr) {
         return result;
     }
 
-    // Step 3: Try AllocHeader (HAKMEM header) for Mid/Large/Mmap
-    do {
-        if (!ptr) break;
-        // Quick page-safety check: avoid crossing page for header read
-        uintptr_t off = (uintptr_t)ptr & 0xFFFu;
-        int safe_same_page = (off >= HEADER_SIZE);
-        void* raw = (char*)ptr - HEADER_SIZE;
-        if (!safe_same_page) {
-            if (!hak_is_memory_readable(raw)) break;
-        }
-        AllocHeader* hdr = (AllocHeader*)raw;
-        if (hdr->magic == HAKMEM_MAGIC) {
-            result.kind = PTR_KIND_MID_LARGE;  // HAKMEM-owned (non-Tiny)
-#if !HAKMEM_BUILD_RELEASE
-            g_classify_unknown_hit++; // reuse for stats without adding a new counter
-#endif
-            return result;
-        }
-    } while (0);
-
-    // Step 4: Not recognized → UNKNOWN (route to libc or slow path)
+    // Step 3: SAFETY FIX - Skip AllocHeader probe for unknown pointers
+    //
+    // RATIONALE:
+    // - If pointer isn't in Pool TLS or SuperSlab registries, it's either:
+    //   1. Mid/Large allocation (has AllocHeader)
+    //   2. External allocation (libc, stack, etc.)
+    // - We CANNOT safely distinguish (1) from (2) without dereferencing memory
+    // - Dereferencing unknown memory can SEGV (e.g., ptr at page boundary)
+    // - SAFER approach: Return UNKNOWN and let free wrapper handle it
+    //
+    // FREE WRAPPER BEHAVIOR (hak_free_api.inc.h):
+    // - PTR_KIND_UNKNOWN routes to Mid/Large registry lookups (hak_pool_mid_lookup, hak_l25_lookup)
+    // - If those fail → routes to AllocHeader dispatch (safe, same-page check)
+    // - If AllocHeader invalid → routes to __libc_free()
+    //
+    // PERFORMANCE IMPACT:
+    // - Only affects pointers NOT in our registries (rare)
+    // - Avoids SEGV on external pointers (correctness > performance)
+    //
     result.kind = PTR_KIND_UNKNOWN;
 
 #if !HAKMEM_BUILD_RELEASE