Zero-copy hot path, correctness hardening

gva_ptr: leaf-bounded zero-copy guest reads. gva_sweep redesigned to drive
on it — large-page leaves are lent to the callback while 4K runs stay
buffered, and the run loop is guarded against wrap at the top of the address
space. gva_gpa fetches PTEs zero-copy; optional W32MS_LTO build option folds
the per-fetch call boundary (shipped -O2 default unchanged).

Correctness: subtract-form bounds check (no add overflow), memcpy decode in
place of type-punned wide loads, zero-init PDB name before compare,
PCI-hole-crossing range rejection, single-sourced VA_CANON and USER bounds.
hot/cold attributes audited across the translation and scan path.

CMakeLists.txt

@@ -5,6 +5,8 @@ set(CMAKE_C_STANDARD 17)               # generation B uses no C23 feature
 set(CMAKE_C_STANDARD_REQUIRED ON)
 set(CMAKE_C_EXTENSIONS ON)             # deliberate: strnlen (POSIX) + void* arithmetic (GNU)
 
+option(W32MS_LTO "Enable LTO" OFF)     # build-only; shipped default is -O2, no LTO
+
 # ---- host: VMI core as a static library ---------------------------------
 add_library(w32ms STATIC
         src/gpa.c
@@ -19,6 +21,10 @@ target_include_directories(w32ms
         PUBLIC  ${CMAKE_CURRENT_SOURCE_DIR}/include   # public API: include/*.h
         PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src)       # private: src/include/*.h via "include/..."
 target_compile_options(w32ms PRIVATE -O2 -Wall -Wextra)
+if(W32MS_LTO)
+    target_compile_options(w32ms PRIVATE -flto)
+    target_link_options(w32ms PRIVATE -flto)
+endif()
 
 # ---- host: CLI demonstrator over the library ----------------------------
 add_executable(w32ms_cli src/cli.c)