DF-0154
KKASSERT-only invariants vanish on production kernels (UAF/queue-corruption risk)
Summary
systimer_add(:148,:201) and systimer_del(:220) guard critical invariants (SYSTF_ONQUEUE, SYSTF_IPIRUNNING, owning-CPU check) with KKASSERT only. Production kernels: these are no-ops. Caller contract violation -> silent UAF/queue corruption instead of loud panic. No in-tree caller violates today.