feat(sysctl): typed @sysctl global variables

[congwang-mk]

Summary

Adds a @sysctl("dotted.path") var name: T attribute that turns userspace global variable reads/writes into /proc/sys/... file I/O. The handle is fully imperative — the user controls when each access happens, no auto-apply, no auto-restore — and is rejected at compile time from @xdp / @tc / @probe / @tracepoint / @helper / @kfunc contexts (no filesystem there). Supports integer types, bool, and str(N); the eBPF and kernel-module outputs do not contain sysctl globals.

@sysctl("net.core.somaxconn") var somaxconn: u32
@sysctl("kernel.hostname")    var hostname: str(64)

fn main() -> i32 {
    var was = somaxconn        // → __ks_sysctl_somaxconn_read()
    somaxconn = 4096           // → __ks_sysctl_somaxconn_write(4096)
    hostname = "edge-01"       // → __ks_sysctl_hostname_write("edge-01")
    return 0
}

Spec: SPEC.md §3.3.7. Example: examples/sysctl_demo.ks (verified end-to-end on Linux — read kernel.hostname, format prints, write back). Forward-compatible with a future @sysctl(create=true) for kernel-module-declared sysctls; eBPF cgroup-sysctl interception (BPF_PROG_TYPE_CGROUP_SYSCTL) is intentionally out of scope.

The PR also lands one ancillary fix in the userspace string-assignment template: the strcpy/strncpy template referenced its source three times, which is harmless for plain locals but caused side-effecting sysctl reads to be invoked three times per var s: str(N) = strSysctl. Source is now bound to a __src local first.

Test plan

• dune runtest is green (20 sysctl tests + the rest of the suite, no regressions).
• Compile and run examples/sysctl_demo.ks on a Linux host (requires root for the eBPF stub program; reading kernel.hostname worked on a Pop_OS box during development — sets hostname to edge-01, so revert with sudo hostname <original> afterwards).
• Verify @sysctl access from @xdp / @tc / @probe / @tracepoint / @helper / @kfunc produces the userspace-only compile error.
• Inspect generated *.ebpf.c for any sample with sysctl globals — they must not appear there.

🤖 Generated with Claude Code