Fix: free() invalid pointer crash (partial fix - 0% → 60% success)

**問題:**
- 100% crash rate: "free(): invalid pointer"
- 全実行で glibc abort

**根本原因 (Task agent ultrathink 発見):**
`core/box/hak_free_api.inc.h:84`
```c
if (hdr->magic != HAKMEM_MAGIC) {
    __libc_free(ptr);  // ← BUG! ptr is user pointer (after header)
}
```

**メモリレイアウト:**
```
Allocation: malloc(HEADER_SIZE + size) → returns (raw + HEADER_SIZE)
           [Header][User Data............]
           ^raw    ^ptr

Free: __libc_free(ptr) ← ✗ 間違い！ raw を free すべき
```

**修正内容:**
Line 84: `__libc_free(ptr)` → `free(raw)`
- Header corruption 時に正しいアドレスを free

**効果:**
```
Before: 0/5 success (100% crash)
After:  3/5 success (60% crash)
```

**残存問題:**
- まだ 40% でクラッシュする
- 別のバグが存在（double-free or cross-thread corruption?）
- 次: ASan + Task agent ultrathink で追加調査

**テスト結果:**
```bash
Run 1: 4.19M ops/s ✅
Run 2: 4.19M ops/s ✅
Run 3: crash ❌
Run 4: 4.19M ops/s ✅
Run 5: crash ❌
```

**調査協力:** Task agent (ultrathink mode)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

core/box/hak_free_api.inc.h

@@ -81,7 +81,8 @@ void hak_free_at(void* ptr, size_t size, hak_callsite_t site) {
         AllocHeader* hdr = (AllocHeader*)raw;
         if (hdr->magic != HAKMEM_MAGIC) {
             if (g_invalid_free_log) fprintf(stderr, "[hakmem] ERROR: Invalid magic 0x%X (expected 0x%X)\n", hdr->magic, HAKMEM_MAGIC);
-            if (g_invalid_free_mode) { goto done; } else { extern void __libc_free(void*); __libc_free(ptr); goto done; }
+            // CRITICAL FIX: Free raw (allocated address), not ptr (user pointer after header)
+            if (g_invalid_free_mode) { goto done; } else { free(raw); goto done; }
         }
         if (HAK_ENABLED_CACHE(HAKMEM_FEATURE_BIGCACHE) && hdr->class_bytes >= 2097152) {
             if (hak_bigcache_put(ptr, hdr->size, hdr->alloc_site)) goto done;