fix(hir): brand-check typed Number/Boolean prototype .call (#4100)

[proggeramlug]

#4100 residual — typed .call on Number/Boolean prototype methods

#4112 fixed the reflective (as any / computed-key) form of the
Number/Boolean/Symbol/BigInt prototype brand checks, but a residual remained
for the statically-typed member-access form, verified on main:

Number.prototype.valueOf.call({})    // Perry: "[object Object]"   Node: TypeError
Number.prototype.toString.call({})   // Perry: "[object Object]"   Node: TypeError
Boolean.prototype.valueOf.call({})   // Perry: "[object Object]"   Node: TypeError
const v = Number.prototype.valueOf; v.call({})  // same gap

Root cause

try_builtin_prototype_method_apply_call (HIR) folds a typed
<recv>.<method>.call(x) into x.<method>(). That routes through the lenient
codegen fast-path / Object.prototype fallback and never reaches the
brand-check thunk installed by #4112. The as any / computed-key forms aren't
folded, so they already throw correctly.

Fix

Guard the fold (and the const-extracted-local fold in
as_builtin_proto_method_ref) so Number.prototype's
valueOf/toString/toLocaleString and Boolean.prototype's
valueOf/toString stay reflective and hit the thunk — mirroring the existing
Function.prototype.toString guard (#4101).

toFixed/toExponential/toPrecision are deliberately not guarded: the
fold is the correct path for them (their reflective dispatch over-throws on a
valid receiver), and only the brand-checked methods are affected. Symbol/BigInt
have no codegen fold path, so they need no guard.

Verification

• test-files/test_gap_4100_primitive_proto_brand_check.ts extended with the
  typed-.call/.apply, extracted-local, valid-receiver, and toFixed/toExponential
  no-regression cases.
• Byte-identical to node --experimental-strip-types in both auto-optimize and
  PERRY_NO_AUTO_OPTIMIZE modes.
• Array/String/Function .call folds unchanged; cargo test -p perry-hir green.

Closes #4100.