Fix downgrade freed borrow outputs

[p51lee]

Summary

This PR improves the pointer rewriter’s handling of freshly owned local return values.

When a local helper returns a newly owned allocation and the caller later frees or consumes it, the rewriter can now preserve that value as Box / Option<Box> instead of downgrading the flow back to raw pointers. C-exposed functions remain raw at the exported ABI boundary.

Against the latest origin/master (99cd730), the branch reduces pointer-stage unsafe findings by 11 occurrences.

Change Summary

Change area	What changed	Improvement type	Before -> After
Owned local returns	Preserve owned local call results as Box / Option<Box> when the caller consumes or frees the allocation.	Count	ptr = make(); free(ptr) -> buf = make(); drop(buf.take())
Local callee summaries	Distinguish borrow-only, returned, freed, and escaping raw-parameter behavior.	Count	borrow-only wrapper forces owner raw -> owner can remain boxed
Returned borrowed aliases	Track returned aliases that are later freed so boxed owners are not moved into separately freed alias paths.	Correctness	boxed owner + freed alias -> owner stays raw where needed
C-exposed outputs	Keep owning returns raw only for configured C-exposed functions or unsupported consumers.	ABI safety	extern "C" -> Option<Box<[T]>> -> extern "C" -> *mut T

Unsafe reductions by kind

Unsafe kind	Baseline	This branch	Δ
free	83	75	-8
malloc	28	26	-2
as_ref	296	295	-1

The corpus reductions come from cJSON_lib and charinbuf_lib, where temporary returned buffers now remain boxed and are cleaned up with Rust ownership instead of malloc / free.

rdg_genstdout_lib changes in the opposite direction for FIO_createFilename_fromOutDir: it is listed in c_exposed_fns, so the exported extern "C" function must return *mut i8. The previous Option<Box<[i8]>> return passed vectors by platform-specific ABI accident, but Rust still warns that it is not FFI-safe. The ideal future shape is a boxed FIO_createFilename_fromOutDir_internal(...) -> Option<Box<[i8]>> plus a raw C wrapper; this PR keeps the exported ABI correct, even though that internal-wrapper split is still future work.