From 03a60b8c6be5075156ec3cf2515786f5a04f703d Mon Sep 17 00:00:00 2001 From: Jan Petykiewicz Date: Sat, 18 Apr 2026 17:43:16 -0700 Subject: [PATCH] Exhaust direct region latch writer census --- crates/rrt-runtime/src/smp.rs | 3 +++ docs/rehost-queue.md | 6 ++++++ 2 files changed, 9 insertions(+) diff --git a/crates/rrt-runtime/src/smp.rs b/crates/rrt-runtime/src/smp.rs index 69325cb..cf55fa6 100644 --- a/crates/rrt-runtime/src/smp.rs +++ b/crates/rrt-runtime/src/smp.rs @@ -4371,6 +4371,9 @@ fn build_region_service_trace_report( notes.push( "Two more apparent offset hits are now ruled out as region false leads: 0x0043a5a0 is a separate constructor under vtable root 0x005ca078 that zeroes its own [this+0x302/+0x316] fields during local object setup, and 0x0045c460/0x0045c8xx is a separate vtable-0x005cb5e8 helper family whose [this+0x316] is a child-array pointer serialized through 0x61a9/0x61aa/0x61ab rather than a region latch.".to_string(), ); + notes.push( + "A direct-writer census now narrows the remaining literal offset path further: the other `0x302/0x316` writer bands at 0x0043dd45/0x0043de19/0x0043e0a7/0x0043f5bc all hang off the same non-region 0x005ca078 object family as 0x0043a5a0 through helpers 0x0043af60/0x0043b030, so the only grounded region-owned literal writes left are the constructor 0x00421200 plus the producer/consumer pair 0x00422100 and 0x004358d0.".to_string(), + ); notes.push( "The current region seam is strong enough to prove record-envelope ownership, profile subcollection ownership, and the absence of hidden 0x55f3 tail padding on grounded saves.".to_string(), ); diff --git a/docs/rehost-queue.md b/docs/rehost-queue.md index f24e6ea..0bd7c47 100644 --- a/docs/rehost-queue.md +++ b/docs/rehost-queue.md 
@@ -342,6 +342,12 @@ Working rule: during local object setup, and `0x0045c460/0x0045c8xx` is a separate vtable-`0x005cb5e8` helper family whose `[this+0x316]` is a child-array pointer serialized through `0x61a9/0x61aa/0x61ab`. So those offset-collision classes should stay out of the remaining region restore search. +- The direct writer census is tighter now too: the other apparent `0x302/0x316` writer bands + (`0x0043dd45`, `0x0043de19`, `0x0043e0a7`, `0x0043f5bc`) all hang off that same non-region + `0x005ca078` family through helpers `0x0043af60` and `0x0043b030`. So the only grounded + region-owned literal writes left are the constructor `0x00421200` plus the producer/consumer + pair `0x00422100` and `0x004358d0`, which means the remaining region seam should now be treated + as an indirect restore/rebuild path rather than another direct offset writer hunt. - The checked-in constructor owner `0x00421200` `world_region_construct_entry_with_id_class_and_default_marker09_profile_seed` now also grounds the initialization side of this family: it clears `[region+0x276]`, `[region+0x302]`,
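Review bot: in the crates/rrt-runtime/src/smp.rs hunk, the new notes.push string mixes Markdown backticks (`0x302/0x316`) into a plain Rust string literal, while the neighbouring notes in the same function write the same offsets without them (the preceding note says `[this+0x302/+0x316]` with no backticks); drop the backticks so the trace report text is consistent. The added note also states a conclusion ("the only grounded region-owned literal writes left are the constructor 0x00421200 plus the producer/consumer pair 0x00422100 and 0x004358d0") without saying what was scanned to reach it; since this is baked into runtime report output rather than the docs, a short pointer to the matching docs/rehost-queue.md entry, or a one-line mention of the census method, would let a later reader verify the claim instead of taking the literal on faith.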
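Review bot: in the docs/rehost-queue.md hunk, the new bullet reaches a conclusion the code note does not ("the remaining region seam should now be treated as an indirect restore/rebuild path rather than another direct offset writer hunt"), and it describes the census as "tighter now" and narrowing rather than complete, which does not match the subject line "Exhaust direct region latch writer census". Either state in the bullet that no `0x302/0x316` writer bands remain beyond `0x0043dd45`, `0x0043de19`, `0x0043e0a7` and `0x0043f5bc` (so the census is genuinely exhausted), or soften the commit subject; in both cases the smp.rs note and this bullet should carry the same final conclusion so the runtime trace report and the queue doc do not drift apart. It would also help to record how the writer bands were enumerated, since the bullet lists only addresses and a future reader cannot tell whether this is the result of a full scan or of the hits found so far.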