CRITICAL FIX: Restore mincore() safety checks in classify_ptr() and free wrapper
Root Cause: - Phase 9 gutted hak_is_memory_readable() to always return 1 (unsafe!) - classify_ptr() Step 3 and free wrapper AllocHeader dispatch both relied on this - Result: SEGV when freeing external pointers (e.g. 0x5555... executable area) - Crash: hdr->magic dereference at unmapped memory (page boundary crossing) Fix (2-file, minimal patch): 1. core/box/front_gate_classifier.c (Line 211-230): - REMOVED unsafe AllocHeader probe from classify_ptr() - Return PTR_KIND_UNKNOWN immediately after registry lookups fail - Let free wrapper handle unknown pointers safely 2. core/box/hak_free_api.inc.h (Line 194-211): - RESTORED real mincore() check before AllocHeader dereference - Check BOTH pages if header crosses page boundary (40-byte header) - Only dereference hdr->magic if memory is verified mapped Verification: - ws=4096 benchmark: 10/10 runs passed (was: 100% crash) - Exit code: 0 (was: 139/SIGSEGV) - Crash location: eliminated (was: classify_ptr+298, hdr->magic read) Performance Impact: - Minimal (only affects unknown pointers, rare case) - mincore() syscall only when ptr NOT in Pool/SuperSlab registries Files Changed: - core/box/front_gate_classifier.c (+20 simplified, -30 unsafe) - core/box/hak_free_api.inc.h (+16 mincore check)
@ -612,11 +612,11 @@ static inline void* tiny_alloc_fast(size_t size) {
|
||||
if (__builtin_expect(g_tls_sll_enable && !s_front_direct_alloc, 1)) {
|
||||
// For classes 0..3 keep ultra-inline POP; for >=4 use safe Box POP to avoid UB on bad heads.
|
||||
if (class_idx <= 3) {
|
||||
#if defined(HAKMEM_TINY_INLINE_SLL) && HAKMEM_TINY_AGGRESSIVE_INLINE
|
||||
// Experimental: Use inline SLL pop macro (enable via HAKMEM_TINY_INLINE_SLL=1)
|
||||
#if HAKMEM_TINY_INLINE_SLL
|
||||
// Experimental: Inline SLL pop (A/B only, requires HAKMEM_TINY_INLINE_SLL=1)
|
||||
TINY_ALLOC_FAST_POP_INLINE(class_idx, ptr);
|
||||
#else
|
||||
// Default: Safe Box API (bypasses inline SLL when Front-Direct)
|
||||
// Default: Safe Box API (Box TLS-SLL) for all standard builds
|
||||
ptr = tiny_alloc_fast_pop(class_idx);
|
||||
#endif
|
||||
} else {
|
||||
@ -656,11 +656,11 @@ static inline void* tiny_alloc_fast(size_t size) {
|
||||
// Skip SLL retry if Front-Direct OR SLL disabled
|
||||
if (__builtin_expect(g_tls_sll_enable && !s_front_direct_alloc, 1)) {
|
||||
if (class_idx <= 3) {
|
||||
#if defined(HAKMEM_TINY_INLINE_SLL) && HAKMEM_TINY_AGGRESSIVE_INLINE
|
||||
// Experimental: Use inline SLL pop macro (enable via HAKMEM_TINY_INLINE_SLL=1)
|
||||
#if HAKMEM_TINY_INLINE_SLL
|
||||
// Experimental: Inline SLL pop (A/B only, requires HAKMEM_TINY_INLINE_SLL=1)
|
||||
TINY_ALLOC_FAST_POP_INLINE(class_idx, ptr);
|
||||
#else
|
||||
// Default: Safe Box API (bypasses inline SLL when Front-Direct)
|
||||
// Default: Safe Box API (Box TLS-SLL) for all standard builds
|
||||
ptr = tiny_alloc_fast_pop(class_idx);
|
||||
#endif
|
||||
} else {
|
||||
|
||||