fix(safety): correct LS-M-5 status to fixed (already mitigated by reject)

[avrabe]

Summary

Clean-room verification of the backlog item "LS-M-5 multiply-instantiated module support (priority: critical)" found the critical silent-corruption hazard was already closed — meld rejects multiply-instantiated modules at fusion time:

• `Merger::check_no_duplicate_instantiations` (merger.rs) returns `Error::DuplicateModuleInstantiation` the moment a `module_idx` reappears; invoked unconditionally at the top of the merge pipeline (~merger.rs:909) before any index-space merging.
• The resolver has an independent guard (~resolver.rs:2222).

So the corrupt-output path [H-1, H-2, H-3] is unreachable — a multiply-instantiated module produces a loud build error, never a mis-merged module. The loss-scenario entry still read `status: open` — stale bookkeeping.

Changes

• Add `ls_m_5_multiply_instantiated_module_rejected` — gate-convention regression test pinning the reject behavior (the pre-existing `test_duplicate_module_instantiation_rejected` predates the `ls_*` convention)
• Flip LS-M-5 to `status: fixed` with a `fix:` block documenting the detection-and-reject mitigation

Important scoping note

This documents the rejection mitigation. Full per-instance index-space support (fusing a module instantiated twice into two independent function/memory/table spaces) remains a backlog forward feature — a large merger refactor, not required to close the safety hazard since rejection already prevents the unsafe output.

No functional code change; the detection shipped in earlier releases. This PR is safety-case accuracy + a gate-tracked regression test. Rides into the next feature release rather than a standalone tag.

Test plan

• `ls_m_5_multiply_instantiated_module_rejected` passes
• Pre-commit hooks pass
• CI green + LS-N verification gate now finds `ls_m_5_*` for the (newly) `fixed` entry

🤖 Generated with Claude Code

[github-actions]

Mythos delta-pass required

This PR modifies one or more Tier-5 source files (per
scripts/mythos/rank.md):

meld-core/src/merger.rs

Before merge, run the Mythos discover protocol on the
modified Tier-5 files:

1. Follow scripts/mythos/discover.md
   — one fresh agent session per touched Tier-5 file.
2. For each finding, the agent must produce both a Kani
   harness and a failing PoC test (per the protocol's
   "if you cannot produce both, do not report" rule).
3. Attach a comment on this PR with either the findings
   (formatted per discover.md's output schema) or
   NO FINDINGS.
4. Add the mythos-pass-done label to this PR.

Why this gate exists: LS-A-10
(CABI alignment padding in async-lift retptr writeback) was
found by the v0.8.0 pre-release Mythos pass — but it had
lived in the callback emitter since #128, across six
releases. A PR-time gate would have caught it at review
time instead of at the release boundary.

The gate check on this PR will pass once the label is
applied.

[github-actions]

LS-N verification gate

⚠️ 35/37 verified — 2 missing regression tests

	count
Passed (≥1 test, all green)	35
Failed (≥1 test failure)	0
Missing (no ls_*_NN_* test found)	2

_{Approved loss-scenarios.yaml entries are expected to have a
regression test named ls_<letter>_<num>_* (e.g. LS-A-11 →
ls_a_11_*). The gate runs each prefix via cargo test --lib --no-fail-fast and aggregates pass/fail/missing.}

Failed LS entries

(none)

Missing regression tests

• LS-R-13
• LS-M-6

_{Updated automatically by tools/post_verification_comment.py.
Source of truth: safety/stpa/loss-scenarios.yaml.}

[github-actions]

Mythos delta-pass (auto)

✅ NO FINDINGS across 1 Tier-5 file(s)

File	Verdict	Hypothesis
``	✅ NO FINDINGS	—

_{Auto-run via anthropics/claude-code-action@v1
(SHA-pinned) on the touched Tier-5 files, using the
maintainer's Max-plan OAuth token. See
.github/workflows/mythos-auto.yml and
scripts/mythos/discover.md.}