CRITICAL FIX: Restore mincore() safety checks in classify_ptr() and free wrapper

Root Cause:
- Phase 9 gutted hak_is_memory_readable() to always return 1 (unsafe!)
- classify_ptr() Step 3 and free wrapper AllocHeader dispatch both relied on this
- Result: SEGV when freeing external pointers (e.g. 0x5555... executable area)
- Crash: hdr->magic dereference at unmapped memory (page boundary crossing)

Fix (2-file, minimal patch):
1. core/box/front_gate_classifier.c (Line 211-230):
   - REMOVED unsafe AllocHeader probe from classify_ptr()
   - Return PTR_KIND_UNKNOWN immediately after registry lookups fail
   - Let free wrapper handle unknown pointers safely

2. core/box/hak_free_api.inc.h (Line 194-211):
   - RESTORED real mincore() check before AllocHeader dereference
   - Check BOTH pages if header crosses page boundary (40-byte header)
   - Only dereference hdr->magic if memory is verified mapped

Verification:
- ws=4096 benchmark: 10/10 runs passed (was: 100% crash)
- Exit code: 0 (was: 139/SIGSEGV)
- Crash location: eliminated (was: classify_ptr+298, hdr->magic read)

Performance Impact:
- Minimal (only affects unknown pointers, rare case)
- mincore() syscall only when ptr NOT in Pool/SuperSlab registries

Files Changed:
- core/box/front_gate_classifier.c (+20 simplified, -30 unsafe)
- core/box/hak_free_api.inc.h (+16 mincore check)

core/box/hak_alloc_api.inc.h

@@ -21,14 +21,6 @@ static inline void* hak_os_map_boundary(size_t size, uintptr_t site_id) {
 
 __attribute__((always_inline))
 inline void* hak_alloc_at(size_t size, hak_callsite_t site) {
-#if !HAKMEM_BUILD_RELEASE
-    static _Atomic uint64_t hak_alloc_call_count = 0;
-    uint64_t call_num = atomic_fetch_add(&hak_alloc_call_count, 1);
-    if (call_num > 14250 && call_num < 14280 && size <= 1024) {
-        fprintf(stderr, "[HAK_ALLOC_AT] call=%lu size=%zu\n", call_num, size);
-        fflush(stderr);
-    }
-#endif
 
 #if HAKMEM_DEBUG_TIMING
     HKM_TIME_START(t0);
@@ -38,30 +30,12 @@ inline void* hak_alloc_at(size_t size, hak_callsite_t site) {
     uintptr_t site_id = (uintptr_t)site;
 
     if (__builtin_expect(size <= TINY_MAX_SIZE, 1)) {
-#if !HAKMEM_BUILD_RELEASE
-        if (call_num > 14250 && call_num < 14280 && size <= 1024) {
-            fprintf(stderr, "[HAK_ALLOC_AT] call=%lu entering tiny path\n", call_num);
-            fflush(stderr);
-        }
-#endif
 #if HAKMEM_DEBUG_TIMING
         HKM_TIME_START(t_tiny);
 #endif
         void* tiny_ptr = NULL;
 #ifdef HAKMEM_TINY_PHASE6_BOX_REFACTOR
-#if !HAKMEM_BUILD_RELEASE
-        if (call_num > 14250 && call_num < 14280 && size <= 1024) {
-            fprintf(stderr, "[HAK_ALLOC_AT] call=%lu calling hak_tiny_alloc_fast_wrapper\n", call_num);
-            fflush(stderr);
-        }
-#endif
         tiny_ptr = hak_tiny_alloc_fast_wrapper(size);
-#if !HAKMEM_BUILD_RELEASE
-        if (call_num > 14250 && call_num < 14280 && size <= 1024) {
-            fprintf(stderr, "[HAK_ALLOC_AT] call=%lu hak_tiny_alloc_fast_wrapper returned %p\n", call_num, tiny_ptr);
-            fflush(stderr);
-        }
-#endif
 #elif defined(HAKMEM_TINY_PHASE6_ULTRA_SIMPLE)
         tiny_ptr = hak_tiny_alloc_ultra_simple(size);
 #elif defined(HAKMEM_TINY_PHASE6_METADATA)