feat(kernel): KRNBUG-AUDIT-002 — multi-frame guest stack capture at handle creation

Adds `walk_guest_back_chain` (PPC EABI back-chain walker) and a
`record_create_with_stack` audit hook gated on `--trace-handles-focus`.
NtCreateEvent / NtCreateSemaphore / NtCreateTimer / XamTaskSchedule now
route through the new helper so focused handles capture up to 6 stack
frames at allocation time. Diagnostic-only, read-only memory access:
unfocused handles pay one HashSet lookup, focused ones pay six
back-chain dereferences. Lockstep determinism preserved.

End-to-end finding: handles 0x1004 (8-instance pool via static ctor at
0x8280F810), 0x100c (singleton built inside main()), 0x15e0 (singleton
in distinct cluster) are silph-framework dispatcher objects whose
producer code is unreached at -n 500M. The producer hunt now has class
ownership; vtable/RTTI readout is the next step.

Tests: 576 → 581 green. `--stable-digest -n 100M` instructions=100000002
unchanged. Master HEAD prior: 9d45efe.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/xenia-app/src/main.rs

@@ -3207,6 +3207,15 @@ fn dump_thread_diagnostic(kernel: &xenia_kernel::KernelState, quiet: bool) {
                         "     created cycle={} tid={} lr={:#010x} src={}",
                         t.created.cycle, t.created.tid, t.created.lr, t.created.source,
                     );
+                    if !t.created_stack.is_empty() {
+                        println!("     created stack ({} frames):", t.created_stack.len());
+                        for (i, (fp, lr)) in t.created_stack.iter().enumerate() {
+                            println!(
+                                "       [{:>2}] fp={:#010x} lr={:#010x}",
+                                i, fp, lr,
+                            );
+                        }
+                    }
                 }
                 // Producer-class classification. Source strings are stable
                 // labels passed to `record_signal` at the export sites.