CEK-safe native call boundary: apply-cek + eval-error? marker

Native functions (NativeFn/VmClosure) called through the CEK evaluator
can now have their Eval_errors caught by guard/handler-bind. The fix is
at the exact OCaml↔CEK boundary in continue-with-call:

- sx_runtime.ml: sx_apply_cek wraps native calls, returns error marker
  dict {__eval_error__: true, message: "..."} instead of raising
- sx_runtime.ml: is_eval_error predicate checks for the marker
- spec/evaluator.sx: continue-with-call callable branch uses apply-cek,
  detects error markers, converts to raise-eval CEK state
- transpiler.sx: apply-cek and eval-error? emit cases added

No mutable flags, no re-entry risk. Errors flow through the CEK handler
chain naturally. 2798/2800 tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

hosts/ocaml/lib/sx_runtime.ml

@@ -67,6 +67,28 @@ let () = Sx_primitives._sx_call_fn := sx_call
 let sx_apply f args_list =
   sx_call f (sx_to_list args_list)
 
+(** CEK-safe apply — catches Eval_error from native fns and returns an error
+    marker dict instead of raising.  The CEK evaluator checks for this and
+    converts to a raise-eval state so guard/handler-bind can intercept it.
+    Non-native calls (lambda, continuation) delegate to sx_apply unchanged. *)
+let sx_apply_cek f args_list =
+  match f with
+  | NativeFn _ | VmClosure _ ->
+    (try sx_apply f args_list
+     with Eval_error msg ->
+       let d = Hashtbl.create 3 in
+       Hashtbl.replace d "__eval_error__" (Bool true);
+       Hashtbl.replace d "message" (String msg);
+       Dict d)
+  | _ -> sx_apply f args_list
+
+(** Check if a value is an eval-error marker from sx_apply_cek. *)
+let is_eval_error v =
+  match v with
+  | Dict d -> (match Hashtbl.find_opt d "__eval_error__" with
+    | Some (Bool true) -> true | _ -> false)
+  | _ -> false
+
 (** Mutable append — add item to a list ref or accumulator.
     In transpiled code, lists that get appended to are mutable refs. *)
 let sx_append_b lst item =