### Problem
`setcursor()` stores the client-provided `wlr_surface` pointer in
`last_cursor.surface`, but never registers a destroy listener on it.
When the client exits (e.g. closing a launcher like fuzzel), the surface
is destroyed, but `last_cursor.surface` still holds the stale pointer.
If the cursor hide timeout fires while the cursor surface is alive, and
the client then exits, the next mouse movement calls
`handlecursoractivity()`, which passes the dangling pointer to
`wlr_cursor_set_surface()`. This causes a SIGSEGV in `wl_list_insert()`
inside libwayland-server, as the `wl_list` embedded in the destroyed
surface struct has been freed.
A secondary issue exists in `setcursorshape()`: when a client switches
from a custom cursor surface to a shape cursor, `last_cursor.surface` is
set to NULL but the destroy listener (if registered) is not removed,
leaving a dangling listener on the destroyed surface.
The crash only manifests when `cursor_hidden` is true at the moment of
the mouse movement, which is why it is intermittent and difficult to
reproduce.
### Root cause
Confirmed via `coredumpctl debug` and `bt full`:
```
#0 wl_list_insert (libwayland-server.so)
#1 wlr_cursor_set_surface (libwlroots)
#2 handlecursoractivity (mango.c)
#3 motionnotify (mango.c)
#4 motionrelative (mango.c)
#5 wl_signal_emit_mutable
#6 handle_libinput_readable
```
### Fix
- Add a `wl_listener` (`last_cursor_surface_destroy_listener`) that
clears `last_cursor.surface` and removes itself when the surface is
destroyed.
- Initialize the listener's link in `setup()` so `wl_list_empty()`
checks are reliable from the start.
- In `setcursor()`, remove any existing listener before registering a
new one on the incoming surface.
- In `setcursorshape()`, remove the destroy listener when switching to a
shape cursor.
- Add a NULL guard in `handlecursoractivity()` as a safety net.
