
feat(p3_stream): LS-R-11 precise stream type-mismatch + fuzz layer-2 fix #191

Merged: avrabe merged 1 commit into main from feat/ls-r-11-precise-stream-typecheck on May 26, 2026

@avrabe avrabe commented May 26, 2026

Summary

Closes the LS-R-11 follow-up from v0.12.0. Restores check (i) of #142 that was withdrawn from PR #188 after the Mythos delta-pass auto-scan correctly identified a false-positive path in the role-list heuristic.

LS-R-11: precise stream type-mismatch via stream-typed-import filter

Walks each fusion connection's `resolved_imports`; if at least one edge declares a `stream` reference in its component-level `ComponentTypeRef` signature (Func params/results, Type aliases, or Instance exports — recursing through `ComponentValType::List`, `Option`, `Result`, `Record`, `Variant`, `Tuple`, `FixedSizeList`), the role-list pair check is applied. Sync-only connections with unrelated streams on each side are now correctly skipped — the exact false positive the Mythos auto-scan caught.

New `StreamValidationIssue::TypeMismatch` enum variant, routed into the same `Error::StreamValidation` batched reporting added in v0.12.0.

5 new regression tests:

  • `ls_r_11_stream_typed_import_with_mismatched_roles_raises` — TP: function import of stream resolved to export with stream roles
  • `ls_r_11_sync_only_connection_with_unrelated_streams_does_not_raise` — Mythos finding's former false positive must NOT raise
  • `stream_typed_import_with_matching_types_does_not_raise` — negative control
  • `stream_elements_in_typeref_walks_func_param` — walker unit test
  • `stream_elements_in_typeref_returns_empty_for_sync_func` — walker unit test

`safety/stpa/loss-scenarios.yaml`: LS-R-11 flipped from `open` to `approved` with the fix block documenting both the two-stage approach and the precision boundary.

Bundled: fuzz workflow layer-2 against #168

Adds `CARGO_BUILD_TARGET: x86_64-unknown-linux-gnu` to the fuzz workflow env. v0.12.0's RUSTFLAGS fix (#189) closed the sanitizer-vs-crt-static path, but PR #188 follow-up CI surfaced a second drift mode: drifted runners have `[build] target = "x86_64-unknown-linux-musl"` in their cargo config, so libfuzzer-sys's build.rs tried to invoke `x86_64-linux-musl-g++` and failed with `ToolNotFound`. Workflow-env precedence overrides the config-derived default; harmless no-op on clean runners.

Precision boundary (documented)

The filter knows a connection carries SOME stream but the mismatch decision still uses the role-list multiset — a fully precise per-edge implementation needs export-side type-graph walking via `component_func_defs`, which is kept on the backlog. A `stream` hidden inside an aliased composite type via `ComponentValType::Type(idx)` is also not chased. Both limits documented in:

  • `p3_stream.rs` module comment
  • LS-R-11 `fix:` block in `loss-scenarios.yaml`
  • The new CHANGELOG `[Unreleased]` entry

Test plan

  • 5 new regression tests green (`p3_stream::tests::ls_r_11_`, `stream_typed_`, `stream_elements_in_typeref_*`)
  • All 276 meld-core lib tests pass
  • Pre-commit hooks pass (fmt + clippy + test)
  • CI green on this PR (full matrix + Mythos delta-pass re-scan of p3_stream.rs + resolver.rs)

🤖 Generated with Claude Code
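The two-stage check described in the summary above (stream-typed-import filter, then role-list pair check), as an added example that is not meld-core's code. `Ty`, `Edge`, `Connection`, `has_stream` and `type_mismatch` are hypothetical simplified stand-ins, and role lists are modelled as element-type names.

```rust
// Simplified, hypothetical model of component value types (not meld-core's
// or wasmparser's definitions).
#[derive(Debug)]
enum Ty {
    U8,
    Str,
    Stream(Box<Ty>),
    List(Box<Ty>),
    Option(Box<Ty>),
    Tuple(Vec<Ty>),
    Alias(u32), // stands in for Type(idx); not chased, as the PR documents
}

// Signature of one resolved import edge.
struct Edge { params: Vec<Ty>, results: Vec<Ty> }

// A connection: its edges plus each side's stream role list (element names).
struct Connection { edges: Vec<Edge>, importer: Vec<&'static str>, exporter: Vec<&'static str> }

// True if a stream occurs anywhere in the type, recursing through composites.
fn has_stream(ty: &Ty) -> bool {
    match ty {
        Ty::Stream(_) => true,
        Ty::List(t) | Ty::Option(t) => has_stream(t),
        Ty::Tuple(ts) => ts.iter().any(has_stream),
        Ty::U8 | Ty::Str | Ty::Alias(_) => false,
    }
}

// Stage 1: skip connections with no stream-typed edge.
// Stage 2: compare the two role lists as multisets.
fn type_mismatch(c: &Connection) -> bool {
    let carries_stream = c.edges.iter()
        .any(|e| e.params.iter().chain(&e.results).any(has_stream));
    if !carries_stream {
        return false; // sync-only: unrelated streams on each side are ignored
    }
    let (mut a, mut b) = (c.importer.clone(), c.exporter.clone());
    a.sort();
    b.sort();
    a != b
}

fn main() {
    // Constructed sample: a sync-only edge between components that each own
    // unrelated streams (the former false positive).
    let sync = Edge { params: vec![Ty::Str], results: vec![Ty::List(Box::new(Ty::U8))] };
    let c = Connection { edges: vec![sync], importer: vec!["u8"], exporter: vec!["string"] };
    println!("sync-only connection flagged: {}", type_mismatch(&c));
}
```

The `Alias` arm shows the documented precision boundary: a stream reachable only through an aliased type index does not trigger the filter, so such a connection is skipped rather than checked.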

…t filter

Restores check (i) from #142 after the role-list heuristic was withdrawn from
PR #188 (Mythos delta-pass finding). Walks each fusion connection's
resolved_imports; if at least one edge declares stream<T> in its
ComponentTypeRef signature (Func params/results, Type aliases, Instance
exports — recursing through ComponentValType composites), applies the
role-list pair check. Sync-only connections with unrelated streams are
correctly skipped.

5 new regression tests including the Mythos finding's former false positive
and the true-positive case.

Bundles fuzz workflow layer-2: CARGO_BUILD_TARGET=x86_64-unknown-linux-gnu
defeats the second #168 drift mode where libfuzzer-sys build.rs invokes
x86_64-linux-musl-g++ on runners with [build] target = musl cached.

LS-R-11: open → approved.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@github-actions

Mythos delta-pass required

This PR modifies one or more Tier-5 source files (per
scripts/mythos/rank.md):

meld-core/src/p3_stream.rs
meld-core/src/resolver.rs

Before merge, run the Mythos discover protocol on the
modified Tier-5 files:

  1. Follow scripts/mythos/discover.md
    — one fresh agent session per touched Tier-5 file.
  2. For each finding, the agent must produce both a Kani
    harness and a failing PoC test (per the protocol's
    "if you cannot produce both, do not report" rule).
  3. Attach a comment on this PR with either the findings
    (formatted per discover.md's output schema) or
    NO FINDINGS.
  4. Add the mythos-pass-done label to this PR.

Why this gate exists: LS-A-10
(CABI alignment padding in async-lift retptr writeback) was
found by the v0.8.0 pre-release Mythos pass — but it had
lived in the callback emitter since #128, across six
releases. A PR-time gate would have caught it at review
time instead of at the release boundary.

The gate check on this PR will pass once the label is
applied.

@github-actions

LS-N verification gate

⚠️ 35/36 verified — 1 missing regression tests

| | count |
|---|---|
| Passed (≥1 test, all green) | 35 |
| Failed (≥1 test failure) | 0 |
| Missing (no ls_*_NN_* test found) | 1 |

Approved loss-scenarios.yaml entries are expected to have a
regression test named ls_<letter>_<num>_* (e.g. LS-A-11
ls_a_11_*). The gate runs each prefix via cargo test --lib --no-fail-fast and aggregates pass/fail/missing.

Failed LS entries

(none)

Missing regression tests
  • LS-R-13

Updated automatically by tools/post_verification_comment.py.
Source of truth: safety/stpa/loss-scenarios.yaml.

@github-actions

Mythos delta-pass (auto)

NO FINDINGS across 2 Tier-5 file(s)

| File | Verdict | Hypothesis |
|---|---|---|
| `` | ✅ NO FINDINGS | |
| `` | ✅ NO FINDINGS | |

Auto-run via anthropics/claude-code-action@v1
(SHA-pinned) on the touched Tier-5 files, using the
maintainer's Max-plan OAuth token. See
.github/workflows/mythos-auto.yml and
scripts/mythos/discover.md.

@github-actions github-actions bot added the mythos-pass-done label (Mythos delta-pass completed on Tier-5 file changes; findings (or NO FINDINGS) attached to PR) May 26, 2026
@avrabe avrabe merged commit 2de9515 into main May 26, 2026
13 of 15 checks passed
@avrabe avrabe deleted the feat/ls-r-11-precise-stream-typecheck branch May 26, 2026 20:38
@avrabe avrabe mentioned this pull request May 26, 2026
4 tasks
avrabe added a commit that referenced this pull request May 26, 2026
LS-R-11 precise stream type-mismatch detection via stream-typed-import
filter (#191) — closes #142 (i) follow-up that was withdrawn from v0.12
after the Mythos delta-pass auto-scan correctly identified a false
positive in the role-list heuristic. Bundled fuzz workflow layer-2
defense (CARGO_BUILD_TARGET) for the second #168 drift mode.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>