v86: defer V86-mode VBE disable; add DOS-box probe scenario (#359)

Rebuilds libv86.js from felixrieseberg/v86@windows95-base, which now
carries vga-defer-vbe-disable-v86: when a windowed DOS VM's vgabios
writes dispi[4]=0, Win9x's VDD passes that through (it doesn't know
about ports 1CE/1CF) while virtualising the rest of the mode-set, so
v86 used to drop out of LFB rendering with the legacy registers still
holding SVGA values and the screen turned to planar garbage. The fix
defers the disable until a legacy attribute-mode write actually
reaches the hardware.

debug-harness: WIN95_PROBE_DOSBOX=1 opens command from Run, types
dir, optionally Alt+Enters (WIN95_PROBE_DOSBOX_ALTENTER=1).
WIN95_PROBE_VGATRACE=1 wraps the VGA io.ports[] entries (not the
VGAScreen methods, which are captured by-value at registration) and
dumps [port, op, value, eip+VM/PE/CPL] tuples to
/tmp/win95-vgatrace.json — that EIP/mode column is what pinned the
leak on V86-mode vgabios at C000:2C8x.

.claude/skills/probe-win95/SKILL.md

@@ -37,7 +37,13 @@ WIN95_SMB_SHARE="$HOME/Downloads" \
 ```
 
 `WIN95_PROBE_SCRIPT='HOST/HOST'` types `\\HOST\HOST` into Start → Run on
-desktop. `/` → `\` substitution (env var / shell quoting, pragmatism). The
+desktop. `WIN95_PROBE_DOSBOX=1` instead opens `command`, types `dir`,
+and (with `WIN95_PROBE_DOSBOX_ALTENTER=1`) toggles fullscreen — this is
+the regression scenario for the windowed-DOS-box VBE leak.
+`WIN95_PROBE_VGATRACE=1` wraps the VGA I/O ports at the `io.ports[]`
+layer and writes `[port, op, value, "eip VMPE cplN"]` tuples to
+`/tmp/win95-vgatrace.json` every tick (heavy — can hit 1M entries during
+boot). `/` → `\` substitution (env var / shell quoting, pragmatism). The
 harness drives it via XT scancodes — Win95 doesn't have Win+R (Win98+
 only), so the sequence is Esc, Esc, Ctrl+Esc, R, backslashes + text,
 Enter.

.claude/skills/update-v86/SKILL.md

@@ -23,7 +23,7 @@ fallbacks, no fetching from copy.sh.
 ## The fork branch
 
 v86 should be checked out on **`felixrieseberg/v86:windows95-base`**.
-That branch merges three feature branches, each upstreamable on its own:
+That branch merges four feature branches, each upstreamable on its own:
 
 - **`electron-renderer-fs-loader`** (PR #1540) — `src/lib.js` uses
   `require("fs")` instead of `await import("node:fs/promises")`. Dynamic
@@ -40,6 +40,13 @@ That branch merges three feature branches, each upstreamable on its own:
   (VBADOS VBMOUSE) can read absolute cursor position and track the host
   cursor 1:1 without pointer lock. Consumes the `mouse-absolute` bus
   event that `MouseAdapter` already emits.
+- **`vga-defer-vbe-disable-v86`** — `src/vga.js` defers `dispi[4]=0`
+  written from V86 mode until a legacy attribute-mode write reaches the
+  hardware. Win9x's VDD virtualises ports 3B0–3DF for a windowed DOS VM
+  but not 1CE/1CF, so vgabios's VBE-disable leaks through while the rest
+  of its mode-set is captured into the VM's virtual register file —
+  without this the screen turns to planar garbage the moment you open a
+  DOS box.
 
 ## Prerequisites