fix(mailbox): pub(crate) phase so the owner-trait invariant is compiler-enforced (#507 review)

Codex P2: MailboxSoA.phase was `pub`, so a downstream crate could assign an
arbitrary KanbanColumn directly, bypassing MailboxSoaOwner::try_advance_phase
(the lifecycle-DAG check) and the KanbanMove emission this change centralizes.
The field doc already claims "mutated only via the owner trait" — but `pub`
left that as documentation, not enforcement.

Change `pub phase` -> `pub(crate) phase`. Verified safe across the whole
workspace (cargo check --workspace --all-targets exits 0):
  - the only writer is the in-crate impl MailboxSoaOwner for MailboxSoA<N>
    (advance_phase, mailbox_soa.rs); pub(crate) keeps that working.
  - the soa_view.rs write is on the FakeSoa test double, not MailboxSoA.
  - no external crate reads the field directly; reads go through the
    MailboxSoaView::phase() getter, which is unchanged.
mailbox_soa lib tests (12) + soa_view tests (3) green.

https://claude.ai/code/session_01VysoWJ6vsyg3wEGc5v7T5v

Author: claude

crates/cognitive-shader-driver/src/mailbox_soa.rs

@@ -112,8 +112,12 @@ pub struct MailboxSoA<const N: usize> {
     /// `ActorStatus`; see `.claude/knowledge/orchestration-boundary-v1.md`).
     /// Mutated only via [`MailboxSoaOwner::advance_phase`] /
     /// [`MailboxSoaOwner::try_advance_phase`]; starts at
-    /// [`KanbanColumn::Planning`].
-    pub phase: KanbanColumn,
+    /// [`KanbanColumn::Planning`]. Read it through the
+    /// [`MailboxSoaView::phase`] getter. `pub(crate)` (not `pub`) so the
+    /// "mutated only via the owner trait" invariant is compiler-enforced — a
+    /// downstream crate cannot assign an arbitrary column directly and bypass
+    /// the lifecycle DAG check + `KanbanMove` emission (PR #507 review).
+    pub(crate) phase: KanbanColumn,
 }
 
 /// Default capacity: 1024 rows (4× current BindSpace row count).