Zero-copy hot path, correctness hardening

gva_ptr: leaf-bounded zero-copy guest reads. gva_sweep redesigned to drive
on it — large-page leaves are lent to the callback while 4K runs stay
buffered, and the run loop is guarded against wrap at the top of the address
space. gva_gpa fetches PTEs zero-copy; optional W32MS_LTO build option folds
the per-fetch call boundary (shipped -O2 default unchanged).

Correctness: subtract-form bounds check (no add overflow), memcpy decode in
place of type-punned wide loads, zero-init PDB name before compare,
PCI-hole-crossing range rejection, single-sourced VA_CANON and USER bounds.
hot/cold attributes audited across the translation and scan path.

src/profile.c

@@ -53,7 +53,8 @@ static int discover_core(gva_ctx* ctx, uintptr_t cr3, uint64_t sys_ep) {
 
     int pid_off = -1;
     for (int o = 0x80; o + 8 <= name_off; o += 8) {
-        if (*(uint64_t*)(buf + o) != 4) {
+        uint64_t v; memcpy(&v, buf + o, 8);
+        if (v != 4) {
             continue;
         }
         const uint16_t links = (uint16_t)(o + 8);
@@ -70,7 +71,8 @@ static int discover_core(gva_ctx* ctx, uintptr_t cr3, uint64_t sys_ep) {
 
     int dtb_off = -1;
     for (int o = 0x18; o <= 0x60; o += 8) {
-        const uint64_t c = *(uint64_t*)(buf + o) & PFN_MASK;
+        uint64_t v; memcpy(&v, buf + o, 8);
+        const uint64_t c = v & PFN_MASK;
         uint8_t probe;
         if (c && khalf_score(ctx, c) >= 16 && !gva_read(ctx, c, sys_ep, &probe, 1)) {
             dtb_off = o;