feat: supplementary groups + credential syscalls — setgroups/getgroups/RLIMIT

Kernel (3 files, 32 lines):
- Context.groups: Vec<u32> — supplementary group storage
- CallerCtx.groups — exposed to schemes for access control
- Proc scheme Groups handle — auth-{fd}-groups read/write path
- Fork inheritance — new-context copies parent groups to child

Relibc (4 files, 82 insertions, 84 deletions):
- posix_setgroups()/posix_getgroups() in redox-rt sys.rs
- DynamicProcInfo.groups cache in lib.rs
- setgroups() real impl via thr_fd.dup(auth-{fd}-groups)
- getgroups() kernel-only (no /etc/group fallback)
- initgroups() functional via setgroups()
- getrlimit/setrlimit userspace stubs with defaults

Patches:
- local/patches/kernel/P4-supplementary-groups.patch
- local/patches/relibc/P4-setgroups-getgroups.patch

Docs updated:
- COMPREHENSIVE-OS-ASSESSMENT: credential blocker → RESOLVED
- KERNEL-IPC-CREDENTIAL-PLAN: marked Phases K1-K2,K4 complete
- local/AGENTS.md: credential gap section → RESOLVED

Unblocks: polkit, dbus-daemon, logind, sudo/su, redbear-authd

recipes/core/kernel/recipe.toml

@@ -1,6 +1,6 @@
 [source]
 git = "https://gitlab.redox-os.org/redox-os/kernel.git"
-patches = ["redox.patch", "P0-canary.patch", "P1-memory-map-overflow.patch"]
+patches = ["redox.patch", "P0-canary.patch", "P1-memory-map-overflow.patch", "../../../local/patches/kernel/P4-supplementary-groups.patch"]
 
 [build]
 template = "custom"

recipes/core/relibc/recipe.toml

@@ -41,6 +41,7 @@ patches = [
     "../../../local/patches/relibc/P3-sysv-ipc.patch",
     "../../../local/patches/relibc/P3-sysv-sem-impl.patch",
     "../../../local/patches/relibc/P3-sysv-shm-impl.patch",
+    "../../../local/patches/relibc/P4-setgroups-getgroups.patch",
 ]
 
 [build]