[2.BF] Synthetic silph::WorkerCtx spawn (round 18 — opt-in landing)

Adds infrastructure to synthesise the silph::WorkerCtx that AUDIT-058/059
identified as never reached by ours' static-init chain (real chain entry
sits in audit-059 round 9's wrong-vtable wedge at sub_82172BA0+0x1E8).
Ctx layout follows round 5's live hexdump from canary:

  +0x00   vtable = 0x8200A1E8
  +0x04   self
  +0x08   intrusive list head -> self
  +0x0C   init flag = 1
  +0x10   packed byte field
  +0x18   2x float ~1.0 (UI rates)
  +0x24   flag = 1
  +0x28..+0x30  3x foreign-arena pointers (left NULL — see below)
  +0x54..+0x84  4x X_KEVENT auto-reset, state=0
  +0x94..+0xC4  4x X_KEVENT manual-reset, state=1 (pre-signaled)
  +0x210..+0x250  4-entry intrusive work-ring, empty

Worker spawn mirrors AUDIT-048's audio-worker pattern in
xaudio_register_render_driver: per-worker allocate_thread_image +
state.scheduler.spawn with r3 = ctx_ptr. Trigger fires at the first
dat/* VFS open (ours' earliest is dat/files.tbl), which is when canary
runs the equivalent chain.

ROUND 18 OUTCOME — opt-in only:

With workers spawned Ready (XENIA_SILPH_SYNTH=1), boot CRASHES at
cycle ~5.5M with PC=0 on hw=1, just after worker_3 (entry 0x825065B8)
spawns. Per task constraints this is STOP-and-report: the ctx fields
+0x28/+0x2C/+0x30 (foreign heap pointers — canary's 0x30057018,
0xBCE25640, 0xBE568F00, distinct arenas per audit-059 round 7) are
left NULL, and the worker bodies plausibly dereference one of them.
Synthesising those is a fresh investigation (round 19+).

With workers spawned Suspended (XENIA_SILPH_SYNTH=suspend), boot
completes normally (11 spawns, VdSwap=1, KeSetEvent=2,
KeReleaseSemaphore=1 — matches default baseline). The ctx remains
materialised in guest memory at the logged VA for downstream probing.

Default (env var unset): no synth, no regression.

Files:
  crates/xenia-kernel/src/silph_synth.rs   (new, 225 LOC)
  crates/xenia-kernel/src/lib.rs           (+1 LOC, register module)
  crates/xenia-kernel/src/exports.rs       (+37 LOC, hook in open_vfs_file)
  crates/xenia-kernel/src/state.rs         (+18 LOC, 4 silph_synth_* fields)

Tests: cargo test --release --workspace = 765 pass / 0 fail.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/xenia-kernel/src/state.rs

@@ -299,6 +299,20 @@ pub struct KernelState {
     pub dump_addrs: Vec<u32>,
     /// `--dump-section=BASE:LEN:PATH` end-of-run snapshot, page-gated by `is_mapped`.
     pub dump_section: Option<(u32, u32, std::path::PathBuf)>,
+    /// AUDIT-2.BF — synthetic silph::WorkerCtx spawn one-shot latch. Set on
+    /// first call to [`crate::silph_synth::spawn_silph_workers`] (triggered
+    /// by the first observation of a load-bearing VFS path such as
+    /// `dat/movie`), then reused — subsequent triggers are no-ops.
+    pub silph_synth_done: bool,
+    /// AUDIT-2.BF — VA of the synthesised silph::WorkerCtx. Zero before the
+    /// first spawn; set to the ctx base by `spawn_silph_workers`. Held on
+    /// the kernel state so future export hooks can find it (no caller does
+    /// yet — placeholder for round 19+ wiring).
+    pub silph_synth_ctx: u32,
+    /// AUDIT-2.BF — kernel handles for the 4 synthetic worker threads.
+    pub silph_synth_handles: [Option<u32>; 4],
+    /// AUDIT-2.BF — `ThreadRef` cache for the 4 synthetic workers.
+    pub silph_synth_refs: [Option<xenia_cpu::ThreadRef>; 4],
 }
 
 impl KernelState {
@@ -369,6 +383,10 @@ impl KernelState {
             lr_trace_writer: None,
             dump_addrs: Vec::new(),
             dump_section: None,
+            silph_synth_done: false,
+            silph_synth_ctx: 0,
+            silph_synth_handles: [None; 4],
+            silph_synth_refs: [None; 4],
         };
         crate::exports::register_exports(&mut state);
         crate::xam::register_exports(&mut state);