ERR/E5.1: reject closure-value into bare function-pointer slot

A closure VALUE (a pre-bound variable) flowing into a bare (T)->U slot
was passed unsoundly: the bare ABI calls fn_ptr(ctx, args) with no env
channel, so the closure's underlying fn (which takes an env slot) had its
env dropped and args shifted — UB for a matching ABI, a wrong-tuple read
for the non-failable->failable widening (returned -1), and a segfault when
the closure captured.

coerceToType now rejects a .closure -> .function coercion with a
diagnostic pointing at the idiom (pass the literal directly, which gets
the static adapter, or type the parameter Closure(...) so the env is
carried). Closure LITERALS are unaffected — lowerLambda pre-adapts them to
a .function-typed value before coercion.

Regression: 1045-errors-closure-var-bare-slot-reject.sx.

examples/1045-errors-closure-var-bare-slot-reject.sx

@@ -0,0 +1,27 @@
+// A closure VALUE (a pre-bound variable) cannot be passed into a bare
+// function-pointer slot `(...) -> ...` (ERR E5.1). The bare ABI calls
+// `fn_ptr(ctx, args)` with no env channel, so a closure's environment can't be
+// carried — passing one is unsound (drops env / shifts args / segfaults on a
+// capturing closure). Only a closure LITERAL crosses this boundary (lowerLambda
+// emits a static adapter); a variable is rejected with a pointer to the idiom.
+//
+// The fix for these is either to pass the literal directly, or to type the
+// parameter `Closure(...)` so the environment is carried (the idiomatic form).
+
+#import "modules/std.sx";
+
+E :: error { Z }
+
+bare  :: (cb: (s64) -> s64, n: s64) -> s64 { return cb(n); }
+baref :: (cb: (s64) -> (s64, !E), n: s64) -> s64 { return cb(n) catch e -1; }
+
+main :: () -> s32 {
+    inc := closure((x: s64) -> s64 => x + 1);          // capture-free closure var
+    base := 100;
+    add := closure((x: s64) -> s64 => x + base);       // CAPTURING closure var
+
+    _ := bare(inc, 9);          // reject: closure value → bare slot
+    _ := baref(inc, 9);         // reject: also the ∅-widening crossing
+    _ := bare(add, 9);          // reject: capturing closure → bare slot
+    return 0;
+}

examples/expected/1045-errors-closure-var-bare-slot-reject.exit

@@ -0,0 +1 @@
+1

examples/expected/1045-errors-closure-var-bare-slot-reject.stderr

@@ -0,0 +1,17 @@
+error: a closure value cannot be passed as a bare function-pointer `(...) -> ...` — its environment can't be carried across the bare ABI; pass the closure literal directly at the call site, or declare the parameter type as `Closure(...)`
+  --> /Users/agra/projects/sx/examples/1045-errors-closure-var-bare-slot-reject.sx:23:10
+   |
+23 |     _ := bare(inc, 9);          // reject: closure value → bare slot
+   |          ^^^^^^^^^^^^
+
+error: a closure value cannot be passed as a bare function-pointer `(...) -> ...` — its environment can't be carried across the bare ABI; pass the closure literal directly at the call site, or declare the parameter type as `Closure(...)`
+  --> /Users/agra/projects/sx/examples/1045-errors-closure-var-bare-slot-reject.sx:24:10
+   |
+24 |     _ := baref(inc, 9);         // reject: also the ∅-widening crossing
+   |          ^^^^^^^^^^^^^
+
+error: a closure value cannot be passed as a bare function-pointer `(...) -> ...` — its environment can't be carried across the bare ABI; pass the closure literal directly at the call site, or declare the parameter type as `Closure(...)`
+  --> /Users/agra/projects/sx/examples/1045-errors-closure-var-bare-slot-reject.sx:25:10
+   |
+25 |     _ := bare(add, 9);          // reject: capturing closure → bare slot
+   |          ^^^^^^^^^^^^

examples/expected/1045-errors-closure-var-bare-slot-reject.stdout

@@ -0,0 +1 @@
+

src/ir/lower.zig

@@ -15364,6 +15364,24 @@ pub const Lowering = struct {
             return self.builder.boxAny(val, src_ty);
         }
 
+        // Closure VALUE → bare function-pointer slot: not soundly representable.
+        // A bare `(T) -> U` slot is called as `fn_ptr(ctx, args)` with NO env
+        // arg, but a closure's underlying fn takes an env slot — so passing a
+        // closure value's fn_ptr drops the env and shifts the args (UB for a
+        // matching ABI, a wrong-tuple read for ∅-widening, a segfault when the
+        // closure captures). Only a closure LITERAL can cross this boundary,
+        // via the static adapter `lowerLambda` emits (so a literal arrives here
+        // already typed `.function`). Reject the variable case loudly.
+        if (!src_ty.isBuiltin() and !dst_ty.isBuiltin()) {
+            if (self.module.types.get(src_ty) == .closure and self.module.types.get(dst_ty) == .function) {
+                if (self.diagnostics) |d| {
+                    const cs = self.builder.current_span;
+                    d.addFmt(.err, ast.Span{ .start = cs.start, .end = cs.end }, "a closure value cannot be passed as a bare function-pointer `(...) -> ...` — its environment can't be carried across the bare ABI; pass the closure literal directly at the call site, or declare the parameter type as `Closure(...)`", .{});
+                }
+                return val;
+            }
+        }
+
         // Tuple → Tuple element-wise coercion (e.g. a `(s64, s64)` literal
         // flowing into a `(s32, s32)` slot — the multi-value failable success
         // tuple). Same arity, at least one differing field (src_ty == dst_ty