Tiny: fix remote sentinel leak → SEGV; add defense-in-depth; PoolTLS: refill-boundary remote drain; build UX help; quickstart docs

Summary
- Fix SEGV root cause in Tiny random_mixed: TINY_REMOTE_SENTINEL leaked from Remote queue into freelist/TLS SLL.
- Clear/guard sentinel at the single boundary where Remote merges to freelist.
- Add minimal defense-in-depth in freelist_pop and TLS SLL pop.
- Silence verbose prints behind debug gates to reduce noise in release runs.
- Pool TLS: integrate Remote Queue drain at refill boundary to avoid unnecessary backend carve/OS calls when possible.
- DX: strengthen build.sh with help/list/verify and add docs/BUILDING_QUICKSTART.md.

Details
- core/superslab/superslab_inline.h: guard head/node against TINY_REMOTE_SENTINEL; sanitize node[0] when splicing local chain; only print diagnostics when debug guard is enabled.
- core/slab_handle.h: freelist_pop breaks on sentinel head (fail-fast under strict).
- core/tiny_alloc_fast_inline.h: TLS SLL pop breaks on sentinel head (rare branch).
- core/tiny_superslab_free.inc.h: sentinel scan log behind debug guard.
- core/pool_refill.c: try pool_remote_pop_chain() before backend carve in pool_refill_and_alloc().
- core/tiny_adaptive_sizing.c: default adaptive logs off; enable via HAKMEM_ADAPTIVE_LOG=1.
- build.sh: add help/list/verify; EXTRA_MAKEFLAGS passthrough; echo pinned flags.
- docs/BUILDING_QUICKSTART.md: add one‑pager for targets/flags/env/perf/strace.

Verification (high level)
- Tiny random_mixed 10k 256/1024: SEGV resolved; runs complete.
- Pool TLS 1T/4T perf: HAKMEM >= system (≈ +0.7% 1T, ≈ +2.9% 4T); syscall counts ~10–13.

Known issues (to address next)
- Tiny random_mixed perf is weak vs system:
  - 1T/500k/256: cycles/op ≈ 240 vs ~47 (≈5× slower), IPC ≈0.92, branch‑miss ≈11%.
  - 1T/500k/1024: cycles/op ≈ 149 vs ~53 (≈2.8× slower), IPC ≈0.82, branch‑miss ≈10.5%.
  - Hypothesis: frequent SuperSlab path for class7 (fast_cap=0), branchy refill/adopt, and hot-path divergence.
- Proposed next steps:
  - Introduce fast_cap>0 for class7 (bounded TLS SLL) and a simpler batch refill.
  - Add env‑gated Remote Side OFF for 1T A/B (reduce side-table and guards).
  - Revisit likely/unlikely and unify adopt boundary sequencing (drain→bind→acquire) for Tiny.

core/tiny_alloc_fast_inline.h

@@ -8,6 +8,7 @@
 
 #include <stddef.h>
 #include "hakmem_build_flags.h"
+#include "tiny_remote.h"  // for TINY_REMOTE_SENTINEL (defense-in-depth)
 
 // External TLS variables (defined in hakmem_tiny.c)
 extern __thread void* g_tls_sll_head[TINY_NUM_CLASSES];
@@ -42,12 +43,19 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES];
 #define TINY_ALLOC_FAST_POP_INLINE(class_idx, ptr_out) do { \
     void* _head = g_tls_sll_head[(class_idx)]; \
     if (__builtin_expect(_head != NULL, 1)) { \
-        void* _next = *(void**)_head; \
-        g_tls_sll_head[(class_idx)] = _next; \
-        if (g_tls_sll_count[(class_idx)] > 0) { \
-            g_tls_sll_count[(class_idx)]--; \
+        if (__builtin_expect((uintptr_t)_head == TINY_REMOTE_SENTINEL, 0)) { \
+            /* Break the chain defensively if sentinel leaked into TLS SLL */ \
+            g_tls_sll_head[(class_idx)] = NULL; \
+            if (g_tls_sll_count[(class_idx)] > 0) g_tls_sll_count[(class_idx)]--; \
+            (ptr_out) = NULL; \
+        } else { \
+            void* _next = *(void**)_head; \
+            g_tls_sll_head[(class_idx)] = _next; \
+            if (g_tls_sll_count[(class_idx)] > 0) { \
+                g_tls_sll_count[(class_idx)]--; \
+            } \
+            (ptr_out) = _head; \
         } \
-        (ptr_out) = _head; \
     } else { \
         (ptr_out) = NULL; \
     } \