M5+M7: indirect-dispatch reachability + .rdata string detection

Two MEDIUM milestones bundled (both opportunistic per plan; both small).

## M5 — indirect-dispatch reachability

- `xenia_analysis::indirect`: per-basic-block register tracker over each
  detected function. Recognises the canonical static-vtable pattern
  `lis+addi → lwz off(rA) → mtctr → bcctrl` where rA holds a known M3
  vtable address. Emits one `Xref { kind: IndirectCall }` per resolvable
  bcctrl site.
- PowerPC ABI awareness: `bl`-style calls clobber volatile r0..r12 + ctr
  but preserve non-volatile r13..r31, so a vtable pointer parked in r30/r31
  before a call survives.
- Label-based basic-block boundaries kill register state — bounds
  false-positive risk for jump-IN paths.
- New `XrefKind::IndirectCall` variant (DB tag `'ind_call'`).
- New SQL view `v_indirect_reachability_from_entry` — strict superset of
  `v_reachability_from_entry`, taking `ind_call` edges in the BFS.

Sylpheed yield: 0 edges detected. The binary's 1,001 static lis+addi
references into vtables are nearly all constructor-side vptr writes, not
dispatches; real method dispatch goes through `this->vptr` which requires
alias analysis we explicitly don't do. Documented in SCHEMA.md as the
expected limitation. Three unit tests cover the synthetic-correctness path.

## M7 — string / constant-pool detection

- `xenia_analysis::strings`: scans `.rdata` for runs of ≥ 6 printable
  ASCII bytes (NUL-terminated) and ≥ 6 UTF-16LE code units (basic-plane
  printable ASCII, NUL u16 terminator).
- New `strings(address PK, encoding, length, content)` table + encoding index.
- Implicit cross-ref via existing `xrefs.kind='ref'` rows whose target
  matches a strings.address.

Sylpheed yield: 6,311 ASCII strings (including embedded HLSL shader source
and AS_CB_SURFACE_SWIZZLE_* assertion strings). 9,132 lis+addi sites
cross-reference detected strings — names source PCs near each string in
one query. Four unit tests cover encoding detection, NUL termination, and
short-run rejection.

Tests 626→633 (+3 indirect, +4 strings).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/xenia-analysis/src/sql_views.rs

@@ -30,6 +30,7 @@ pub const ALL_VIEWS: &[(&str, &str)] = &[
     ("v_branch_xrefs", V_BRANCH_XREFS),
     ("v_call_graph", V_CALL_GRAPH),
     ("v_reachability_from_entry", V_REACHABILITY_FROM_ENTRY),
+    ("v_indirect_reachability_from_entry", V_INDIRECT_REACHABILITY_FROM_ENTRY),
     ("v_function_first_instruction", V_FUNCTION_FIRST_INSTRUCTION),
     ("v_imports_called", V_IMPORTS_CALLED),
 ];
@@ -110,6 +111,29 @@ WITH RECURSIVE reach(fn) AS (
 SELECT fn AS addr FROM reach;
 ";
 
+/// Reachability extended over `kind='ind_call'` edges from M5. Strict
+/// superset of `v_reachability_from_entry` — every fn there is also here,
+/// plus any function reached only via a vtable bcctrl whose vtable+slot
+/// the M5 dataflow could resolve. Sample 5 newly-reachable PCs in canary
+/// before trusting widely; the analysis intentionally leaves out alias-
+/// dependent indirect calls (vtable loaded from a `this` field).
+const V_INDIRECT_REACHABILITY_FROM_ENTRY: &str = "
+CREATE OR REPLACE VIEW v_indirect_reachability_from_entry AS
+WITH RECURSIVE reach(fn) AS (
+    SELECT i.function FROM instructions i
+    JOIN labels l ON l.address = i.address
+    WHERE l.name = 'entry_point' AND i.function IS NOT NULL
+    UNION
+    SELECT tgt.function FROM xrefs x
+    JOIN instructions src ON src.address = x.source
+    JOIN instructions tgt ON tgt.address = x.target
+    JOIN reach r ON src.function = r.fn
+    WHERE x.kind IN ('call', 'ind_call', 'j', 'br')
+      AND tgt.function IS NOT NULL
+)
+SELECT fn AS addr FROM reach;
+";
+
 /// Convenience join: each function's first decoded instruction. Useful for
 /// quickly inspecting prologue patterns without computing offsets manually.
 const V_FUNCTION_FIRST_INSTRUCTION: &str = "