core/host: in_range helper + 13-module migration + 12 more tests (29 total)

Three coordinated changes that build on the host_kernel_at_least
landed in 1571b88:

1. core/host gains skeletonkey_host_kernel_in_range(h, lo..., hi...)
   — a [lo, hi) bounded-interval check for modules that want the
   'vulnerable window' semantics directly. Implemented in terms of
   host_kernel_at_least (so the comparison logic stays in one place).
   No module uses it yet; available for new modules that want it.

2. 13 modules migrated off the manual
        if (v->major < X || (v->major == X && v->minor < Y)) { ... }
   pattern onto
        if (!skeletonkey_host_kernel_at_least(ctx->host, X, Y, 0)) { ... }
   One-line replacements, mechanical, no behavior change.

   Migrated: af_packet2, dirty_pipe, fuse_legacy, netfilter_xtcompat,
   nf_tables, nft_fwd_dup, nft_payload, nft_set_uaf, overlayfs,
   overlayfs_setuid, ptrace_traceme, stackrot, vmwgfx. The repo now
   has zero manual 'v->major < X' patterns — every predates-check
   reads the same way.

3. tests/test_detect.c expanded from 17 to 29 cases. Adds:

   Above-fix coverage on h_kernel_6_12 (10 modules previously
   untested): af_packet, af_packet2, af_unix_gc, netfilter_xtcompat,
   nft_set_uaf, nft_fwd_dup, nft_payload, stackrot, sequoia, vmwgfx.

   Ancient-kernel predates coverage on h_kernel_4_4 (2 more cases):
   nft_set_uaf (introduced 5.1), stackrot (introduced 6.1).

   Detect-path test coverage now spans most of the corpus that
   has a testable host-fingerprint gate. Untested modules from
   here on are either userspace bugs whose detect() doesn't gate
   on host fields (pwnkit, sudo_samedit, sudoedit_editor),
   entrybleed (sysfs-direct, no host gate), or the copy_fail_family
   bridge (no ctx->host integration yet).

Verification: Linux (docker gcc:latest, non-root user): 29/29 pass.
macOS (local): 31-module build clean, suite reports 'skipped —
Linux-only' as designed.

core/host.c

@@ -252,6 +252,14 @@ bool skeletonkey_host_kernel_at_least(const struct skeletonkey_host *h,
 	return h->kernel.patch >= patch;
 }
 
+bool skeletonkey_host_kernel_in_range(const struct skeletonkey_host *h,
+				      int lo_M, int lo_m, int lo_p,
+				      int hi_M, int hi_m, int hi_p)
+{
+	return  skeletonkey_host_kernel_at_least(h, lo_M, lo_m, lo_p) &&
+	       !skeletonkey_host_kernel_at_least(h, hi_M, hi_m, hi_p);
+}
+
 void skeletonkey_host_print_banner(const struct skeletonkey_host *h, bool json)
 {
 	if (json || h == NULL) return;

core/host.h

@@ -103,4 +103,25 @@ void skeletonkey_host_print_banner(const struct skeletonkey_host *h, bool json);
 bool skeletonkey_host_kernel_at_least(const struct skeletonkey_host *h,
                                       int major, int minor, int patch);
 
+/* True iff h->kernel is in [lo, hi). Useful for "vulnerable range"
+ * gates where the simple `kernel_range_is_patched` backport model
+ * doesn't apply — e.g. a feature added in X.Y and removed/superseded
+ * in W.Z, or a per-module "vulnerable only on these specific kernel
+ * lines" check.
+ *
+ * Equivalent to:
+ *   host_kernel_at_least(h, lo...) && !host_kernel_at_least(h, hi...)
+ *
+ * For "predates the bug" alone use host_kernel_at_least directly; the
+ * `in_range` form is for the bounded interval case.
+ *
+ * Example:
+ *   if (host_kernel_in_range(h, 5, 8, 0,  5, 17, 0))
+ *       // kernel 5.8 ≤ K < 5.17 — vulnerable window per the mainline
+ *       // introduction/fix dates (ignoring stable backports)
+ */
+bool skeletonkey_host_kernel_in_range(const struct skeletonkey_host *h,
+                                      int lo_major, int lo_minor, int lo_patch,
+                                      int hi_major, int hi_minor, int hi_patch);
+
 #endif /* SKELETONKEY_HOST_H */