message-format-runtime: Reuse halts_reachable visited buffer via epoch counter

[no-materials]

The catalog verifier called halts_reachable once per message inside verify_code, allocating a fresh vec![false; pcs.len()] every time. For catalogs with many messages this dominates load cost. The memset is O(messages × code_len), so verify time scales superlinearly with message count.

This change introduces a small HaltsScratch workspace that lives for the duration of verify_code. The visited buffer is a generational Vec<u32>: each message bumps an epoch counter and marks visited[idx] = epoch; a slot counts as "visited for the current pass" iff its value equals the current epoch. No memset is needed between messages, and on the (theoretical) u32 wrap, the buffer is re-zeroed and the epoch resets to 1. The DFS work stack is also reused across passes.

Two unit tests cover the correctness boundaries that would otherwise be silent:

• halts_reachable_buffer_is_reset_between_messages : three messages share a single HALT at pc 0. If the visited buffer leaks state across messages, the second and third would falsely report UnterminatedEntry.
• halts_scratch_epoch_sequencing_and_wrap : exercises the epoch increment and the u32 wrap path directly, asserting the buffer is re-zeroed before reuse.

Both tests fail in the buggy variant (verified by temporarily stubbing begin_pass to skip the bump). The full workspace test suite, clippy, and fmt all pass.

Measured on a synthetic catalog where every message back-edges to a shared HALT (criterion, release build):

messages	before	after	speedup
100	21.0 µs	19.3 µs	−3.6%
1,000	264.0 µs	219.0 µs	−13.2%
10,000	4.34 ms	2.77 ms	−36.3%

The improvement scales with message count exactly as expected: per-message O(N) memset work has been collapsed into an O(1) epoch bump, so halts_reachable's contribution to verification went from O(M·N) to O(M·d̄), where d̄ is the average reachable depth from each entry. All p < 0.05.