Phase 7 follow-up: header-aware in BG spill, TLS drain, and aggressive inline macros

- bg_spill: link/traverse next at base+1 for C0–C6, base for C7
- lifecycle: drain TLS SLL and fast caches reading next with header-aware offsets
- tiny_alloc_fast_inline: POP/PUSH macros made header-aware to match tls_sll_box rules
- add optional FREE_WRAP_ENTER trace (HAKMEM_FREE_WRAP_TRACE) for early triage

Result: 0xa0/…0099 bogus free logs gone; remaining SIGBUS appears in free path early. Next: instrument early libc fallback or guard invalid pointers during init to pinpoint source.

core/tiny_alloc_fast_inline.h

@@ -49,7 +49,12 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES];
             if (g_tls_sll_count[(class_idx)] > 0) g_tls_sll_count[(class_idx)]--; \
             (ptr_out) = NULL; \
         } else { \
-            void* _next = *(void**)_head; \
+            /* Phase 7: header-aware next (C0-C6: base+1, C7: base) */ \
+            size_t _off = 0; \
+#if HAKMEM_TINY_HEADER_CLASSIDX \
+            _off = ((class_idx) == 7) ? 0 : 1; \
+#endif \
+            void* _next = *(void**)((uint8_t*)_head + _off); \
             g_tls_sll_head[(class_idx)] = _next; \
             if (g_tls_sll_count[(class_idx)] > 0) { \
                 g_tls_sll_count[(class_idx)]--; \
@@ -81,7 +86,12 @@ extern __thread uint32_t g_tls_sll_count[TINY_NUM_CLASSES];
 //     mov    %rsi, g_tls_sll_head(%rdi)
 //
 #define TINY_ALLOC_FAST_PUSH_INLINE(class_idx, ptr) do { \
-    *(void**)(ptr) = g_tls_sll_head[(class_idx)]; \
+    /* Phase 7: header-aware next (C0-C6: base+1, C7: base) */ \
+    size_t _off = 0; \
+#if HAKMEM_TINY_HEADER_CLASSIDX \
+    _off = ((class_idx) == 7) ? 0 : 1; \
+#endif \
+    *(void**)((uint8_t*)(ptr) + _off) = g_tls_sll_head[(class_idx)]; \
     g_tls_sll_head[(class_idx)] = (ptr); \
     g_tls_sll_count[(class_idx)]++; \
 } while(0)