feat: deep code audit + testing infrastructure (sparse, expect, host unit tests)

Deep Code Audit (docs/AUDIT_REPORT.md):
- 18 findings across 4 categories: layer violations, logic/race
  conditions, security vulnerabilities, memory management
- CRITICAL: user_range_ok weak default allows kernel addr access
- CRITICAL: sigreturn allows IOPL escalation via eflags
- CRITICAL: PMM bitmap has no locking (SMP race)
- CRITICAL: file refcount manipulation not atomic
- HIGH: slab allocator hal_mm_phys_to_virt can hit heap VA
- HIGH: execve writes to user stack bypassing copy_to_user
- Full summary table with severity, category, location

Testing Infrastructure:
- make check — cppcheck + sparse (kernel-oriented semantic checker)
- make analyzer — gcc -fanalyzer (interprocedural analysis)
- make test — QEMU + expect automated smoke test (19 checks)
- make test-1cpu — single-CPU regression (50s timeout)
- make test-host — 28 host-side unit tests for pure functions
  (itoa, itoa_hex, atoi, path_normalize, align)
- make test-all — all of the above

Testing Plan (docs/TESTING_PLAN.md):
- Layer 1: Static analysis (cppcheck + sparse + gcc -fanalyzer)
- Layer 2: QEMU + expect automated regression
- Layer 3: QEMU + GDB scripted debugging (future)
- Layer 4: Host-side unit tests for pure functions

All tests passing: 19/19 smoke, 28/28 unit, cppcheck clean.
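The sigreturn/IOPL finding is the one that most calls for a concrete mitigation. As an added illustration, not part of this commit or the project's own sigreturn path, the C function below shows the usual fix: take only the user-settable EFLAGS bits from the restored signal frame, keep the kernel-controlled bits from the current frame, force IF on and mask IOPL and NT off. The function and macro names are assumptions; the bit positions are architectural x86 constants.

```c
#include <stdint.h>
#include <stdbool.h>

/* x86 EFLAGS bit positions (architectural). */
#define EFLAGS_CF   (1u << 0)
#define EFLAGS_PF   (1u << 2)
#define EFLAGS_AF   (1u << 4)
#define EFLAGS_ZF   (1u << 6)
#define EFLAGS_SF   (1u << 7)
#define EFLAGS_TF   (1u << 8)
#define EFLAGS_IF   (1u << 9)
#define EFLAGS_DF   (1u << 10)
#define EFLAGS_OF   (1u << 11)
#define EFLAGS_IOPL (3u << 12)   /* two-bit I/O privilege level field */
#define EFLAGS_NT   (1u << 14)
#define EFLAGS_RF   (1u << 16)
#define EFLAGS_AC   (1u << 18)
#define EFLAGS_ID   (1u << 21)

/* Bits a user process may legitimately change via a restored signal frame. */
#define EFLAGS_USER_SETTABLE \
    (EFLAGS_CF | EFLAGS_PF | EFLAGS_AF | EFLAGS_ZF | EFLAGS_SF | \
     EFLAGS_TF | EFLAGS_DF | EFLAGS_OF | EFLAGS_RF | EFLAGS_AC | EFLAGS_ID)

/* Bits that must have a fixed value whenever we return to ring 3. */
#define EFLAGS_FORCE_SET   (EFLAGS_IF)               /* interrupts enabled */
#define EFLAGS_FORCE_CLEAR (EFLAGS_IOPL | EFLAGS_NT) /* no I/O privilege, no nested task */

/* Hypothetical helper: build the EFLAGS value to load on sigreturn.
 * `current` is the kernel's saved EFLAGS for this task, `requested` is the
 * value read from the (untrusted) user signal frame. Only user-settable
 * bits are honoured from `requested`; everything else comes from `current`. */
uint64_t sigreturn_sanitize_eflags(uint64_t current, uint64_t requested)
{
    uint64_t flags = current & ~(uint64_t)EFLAGS_USER_SETTABLE;
    flags |= requested & EFLAGS_USER_SETTABLE;
    flags |= EFLAGS_FORCE_SET;
    flags &= ~(uint64_t)EFLAGS_FORCE_CLEAR;
    return flags;
}

/* Invariant a regression test can check on any frame about to hit iret. */
bool eflags_safe_for_user(uint64_t flags)
{
    return (flags & EFLAGS_IOPL) == 0 && (flags & EFLAGS_IF) != 0 && (flags & EFLAGS_NT) == 0;
}
```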