test(ir): lock error-flow diagnostics before A5.2 extraction (A5.2 scaffolding step 1)

Test-first scaffolding for the path-sensitive error-flow pass
(checkErrorFlow/analyzeFnBody/flowWalk/flowIf/checkCleanupBody) before it
moves into src/ir/error_flow.zig. No compiler change — both examples lock
current behavior.

- 1051-errors-cleanup-closure-boundary (accepted): a closure literal inside a
  `defer` body is its own function boundary — the E1.7 cleanup rule and the
  parser's try/raise ban both stop at the lambda, and E1.8 value-slot liveness
  runs per-boundary. Pins checkCleanupNode's `.lambda` stop + flowExpr's
  `.lambda` recursion. Constructible since issue 0073 (0310).
- 1052-errors-cleanup-transitive-reject (exit 1): the E1.7 cleanup check is
  transitive — bare failables nested in an `if` (both branches), a nested
  block, and a `while` body all reject. Pins checkCleanupNode's recursive arms,
  distinct from 1049's direct-body case.

No .test.zig/.ir: diagnostic-pass altitude (checkErrorFlow/A2.4 precedent) —
the pass returns no fact object and emits no IR.

Gate: zig build, zig build test, run_examples.sh -> 360/0.

examples/1051-errors-cleanup-closure-boundary.sx

@@ -0,0 +1,39 @@
+// A closure literal inside a `defer` / `onfail` body is its OWN function
+// boundary (ERR step E1.7). The cleanup-absorption check stops at the lambda:
+// the E1.7 "no bare failable in cleanup" rule and the parser's `try`/`raise`
+// ban both apply only to the cleanup block itself, not to a closure declared
+// inside it. Within the closure, normal failable rules resume — `try`
+// propagates through the closure's own `!E` channel, and value-slot liveness
+// (E1.8) is analysed per-boundary, so `v` is live under its `if !err` guard.
+//
+// Locks the closure-boundary arms of the error-flow pass (`checkCleanupNode`'s
+// `.lambda` stop + `flowExpr`'s `.lambda` recursion) before A5.2 extracts the
+// pass into its own module. Constructible since issue 0073 (closure literal in
+// a `defer` body no longer segfaults lowering — see 0310).
+
+#import "modules/std.sx";
+
+E :: error { Bad }
+
+failing :: () -> !E { raise error.Bad; }
+recover :: () -> (s32, !E) { return 21; }
+
+work :: () {
+    defer {
+        // Own boundary: `try` is legal here (it would be parser-banned in the
+        // defer body directly), and the bare failable is governed by the
+        // closure's `!E` signature, not the cleanup rule.
+        emit := () -> !E {
+            v, err := recover();
+            if !err { print("defer closure: v={}\n", v); }   // E1.8: live under guard
+            try failing();
+        };
+        emit() catch e print("defer closure: raised\n");
+    }
+    print("body\n");
+}
+
+main :: () -> s32 {
+    work();
+    return 0;
+}

examples/1052-errors-cleanup-transitive-reject.sx

@@ -0,0 +1,36 @@
+// The cleanup-absorption check (ERR step E1.7) is TRANSITIVE: a bare,
+// un-absorbed failable call is rejected no matter how deeply it is nested
+// inside a `defer` / `onfail` body's control flow — through `if` (both
+// branches), nested blocks, and loops. 1049 covers the direct-body case; this
+// pins the recursive arms of `checkCleanupNode` (`.if_expr`, `.block`,
+// `.while_expr`) before A5.2 extracts the pass into its own module.
+//
+// Three bare failables, three rejections; the program never runs (exit 1).
+
+#import "modules/std.sx";
+
+E :: error { Bad }
+
+failing :: () -> !E { raise error.Bad; }
+
+work :: (n: s32) -> !E {
+    defer {
+        if n > 0 {
+            failing();              // REJECTED: nested in the `if` then-branch
+        } else {
+            { failing(); }          // REJECTED: nested block in the else-branch
+        }
+    }
+    onfail {
+        while n > 0 {
+            failing();              // REJECTED: nested in the `while` body
+        }
+    }
+    if n < 0 { raise error.Bad; }
+    return;
+}
+
+main :: () -> s32 {
+    a := work(-1);
+    return 0;
+}

examples/expected/1051-errors-cleanup-closure-boundary.exit

@@ -0,0 +1 @@
+0

examples/expected/1051-errors-cleanup-closure-boundary.stdout

@@ -0,0 +1,3 @@
+body
+defer closure: v=21
+defer closure: raised

examples/expected/1052-errors-cleanup-transitive-reject.exit

@@ -0,0 +1 @@
+1

examples/expected/1052-errors-cleanup-transitive-reject.stderr

@@ -0,0 +1,17 @@
+error: a bare failable call in a `defer` body has nowhere to send its error — the block is already exiting; absorb it locally with `catch` or `or <value>`
+  --> examples/1052-errors-cleanup-transitive-reject.sx:19:13
+   |
+19 |             failing();              // REJECTED: nested in the `if` then-branch
+   |             ^^^^^^^^^
+
+error: a bare failable call in a `defer` body has nowhere to send its error — the block is already exiting; absorb it locally with `catch` or `or <value>`
+  --> examples/1052-errors-cleanup-transitive-reject.sx:21:15
+   |
+21 |             { failing(); }          // REJECTED: nested block in the else-branch
+   |               ^^^^^^^^^
+
+error: a bare failable call in a `onfail` body has nowhere to send its error — the block is already exiting; absorb it locally with `catch` or `or <value>`
+  --> examples/1052-errors-cleanup-transitive-reject.sx:26:13
+   |
+26 |             failing();              // REJECTED: nested in the `while` body
+   |             ^^^^^^^^^