Fix remaining fuzzer issues: leaks and macOS SDK headers

sqlite-vec.c:
- vec0_free: add loops to free partition, auxiliary, and metadata
  column names (previously leaked on error paths)
- vec0_init: update pNew->numXxxColumns incrementally in the parse
  loop so vec0_free sees correct counts on early goto-error paths
  (previously the counts were only written after the loop, so vec0_free
  would loop 0 times and leak names allocated inside the loop)

fuzz.yaml:
- macOS: pass -isysroot $(xcrun --sdk macosx --show-sdk-path) so
  Xcode clang can find system headers (stdio.h, assert.h, etc.)
- Fix artifact upload paths: libFuzzer writes crash-*/leak-* to
  the cwd (repo root), not tests/fuzz/

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Alex Garcia 2026-03-03 17:35:41 -08:00
parent e4b1e264b5
commit d04e2aeda1
2 changed files with 27 additions and 7 deletions

@ -55,9 +55,9 @@ jobs:
with:
name: fuzz-crashes-linux
path: |
tests/fuzz/crash-*
tests/fuzz/leak-*
tests/fuzz/timeout-*
crash-*
leak-*
timeout-*
fuzz-macos:
runs-on: macos-14
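Review bot: The new `crash-*`, `leak-*` and `timeout-*` globs in the fuzz-crashes-linux upload only match if the run step's working directory stays at the repo root, so a later `cd tests/fuzz` in that step would make the upload come back empty again with no error. Consider passing libFuzzer's `-artifact_prefix=` with a dedicated directory and uploading that directory, which makes the location explicit and also keeps the root-level glob from picking up unrelated files that happen to start with `crash-`.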
@ -70,9 +70,10 @@ jobs:
run: make sqlite-vec.h
- name: Build fuzz targets
run: |
SDK=$(xcrun --sdk macosx --show-sdk-path)
make -C tests/fuzz all \
FUZZ_CC=$(xcrun -f clang) \
FUZZ_LDFLAGS=""
FUZZ_LDFLAGS="-isysroot $SDK"
- name: Run fuzz targets
run: |
DURATION=${{ github.event.inputs.duration || '60' }}
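Review bot: `-isysroot` on the `FUZZ_LDFLAGS=` line is a header and library search root, but the variable name says it only reaches the linker, so this fixes the missing `stdio.h`/`assert.h` only if tests/fuzz/Makefile also expands FUZZ_LDFLAGS on the compile command. Either pass the flag through a compile-flags variable or add a comment here noting that the targets compile and link in one step. Separately, `$SDK` and `$(xcrun -f clang)` are split on whitespace by make, so a toolchain path containing a space would break the build; that is unlikely on the hosted runner but worth quoting inside the Makefile.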
@ -100,9 +101,9 @@ jobs:
with:
name: fuzz-crashes-macos
path: |
tests/fuzz/crash-*
tests/fuzz/leak-*
tests/fuzz/timeout-*
crash-*
leak-*
timeout-*
fuzz-windows:
# Best-effort: libFuzzer works on Windows via LLVM but ASAN/UBSAN
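Review bot: The path list in fuzz-crashes-macos is now a second copy of the list in the linux job, and the fuzz-windows job that starts right after this hunk is not touched in the visible diff. If its upload step still points at `tests/fuzz/crash-*` it has the same cwd mismatch and needs the same change; a shared step or reusable workflow would keep the three lists from drifting.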