Raw SysEvent ABI — must match eBPF side exactly
ABI note: This layout is mirrored in eBPF at
ghostscope-process/ebpf/sysmon-bpf/src/lib.rs. We intentionally keep
two copies for now to avoid entangling the BPF build with the workspace.
Keep repr(C), field order and sizes identical on both sides. Current
layout (8 bytes): { tgid: u32, kind: u32 }.