From 0bb7d44f82215e3e76bbb8c44a0c84062be07715 Mon Sep 17 00:00:00 2001
From: Jan Petykiewicz
Date: Sat, 18 Apr 2026 19:36:46 -0700
Subject: [PATCH] Exclude fixed region policy chunk from payload frontier
---
 crates/rrt-runtime/src/smp.rs | 54 +++++++++++++++++++++++++++++++++++
 docs/rehost-queue.md | 13 +++++----
 2 files changed, 61 insertions(+), 6 deletions(-)
diff --git a/crates/rrt-runtime/src/smp.rs b/crates/rrt-runtime/src/smp.rs
index 47c821f..05e28f4 100644
--- a/crates/rrt-runtime/src/smp.rs
+++ b/crates/rrt-runtime/src/smp.rs
@@ -13285,6 +13285,39 @@ fn parse_save_region_record_triplet_probe(
 .iter()
 .filter(|entry| !entry.pre_name_prefix_dword_candidates.is_empty())
 .count();
+ let records_with_any_nonzero_policy_reserved_dword = entries
+ .iter()
+ .filter(|entry| {
+ entry
+ .policy_reserved_dwords
+ .iter()
+ .any(|raw_u32| *raw_u32 != 0)
+ })
+ .count();
+ let policy_reserved_nonzero_counts = (0..3)
+ .map(|dword_index| {
+ entries
+ .iter()
+ .filter(|entry| entry.policy_reserved_dwords[dword_index] != 0)
+ .count()
+ })
+ .collect::>();
+ let unique_nonzero_policy_reserved_triplets = entries
+ .iter()
+ .filter_map(|entry| {
+ let triplet = [
+ entry.policy_reserved_dwords[0],
+ entry.policy_reserved_dwords[1],
+ entry.policy_reserved_dwords[2],
+ ];
+ triplet
+ .iter()
+ .any(|raw_u32| *raw_u32 != 0)
+ .then_some(triplet)
+ })
+ .collect::>()
+ .into_iter()
+ .collect::>();
 let unique_pre_name_prefix_lens = entries
 .iter()
 .map(|entry| entry.pre_name_prefix_len)
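Review bot: The added `entry.policy_reserved_dwords[dword_index]` and `[0]`/`[1]`/`[2]` accesses index by position, and the field's type is declared outside this hunk; if it is a `Vec<u32>` filled from save-file bytes rather than a `[u32; 3]`, a short record would panic the probe instead of being reported. If it is a fixed array, `let triplet = entry.policy_reserved_dwords;` replaces the element-by-element copy; otherwise `entry.policy_reserved_dwords.get(dword_index).copied().unwrap_or(0) != 0` keeps the count total. The type arguments on the two trailing `collect` calls are not legible on this page; if the de-duplicating set is a `HashSet`, the `{:?}` evidence line will change order between runs, so a `BTreeSet` is the safer choice. The body of `parse_save_region_record_triplet_probe` starts and ends outside the hunk.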
@@ -13318,6 +13351,13 @@ fn parse_save_region_record_triplet_probe(
 records_with_prefix_dword_candidates,
 record_count
 ),
+ format!(
+ "fixed 0x55f2 policy reserved dwords are nonzero on {} of {} decoded region records, with per-word nonzero counts {:?} and unique nonzero triplets {:?}",
+ records_with_any_nonzero_policy_reserved_dword,
+ record_count,
+ policy_reserved_nonzero_counts,
+ unique_nonzero_policy_reserved_triplets
+ ),
 format!(
 "on grounded saves the 0x55f3 payload is fully consumed by that embedded profile collection: all {} decoded records currently have zero trailing padding beyond the direct profile rows",
 zero_trailing_padding_record_count
@@ -23925,6 +23965,9 @@ mod tests {
 bytes[cursor + 4..cursor + 8].copy_from_slice(&120.0f32.to_bits().to_le_bytes());
 bytes[cursor + 8..cursor + 12].copy_from_slice(&3.0f32.to_bits().to_le_bytes());
 bytes[cursor + 12..cursor + 16].copy_from_slice(&60.0f32.to_bits().to_le_bytes());
+ bytes[cursor + 16..cursor + 20].copy_from_slice(&0x01020304u32.to_le_bytes());
+ bytes[cursor + 20..cursor + 24].copy_from_slice(&0u32.to_le_bytes());
+ bytes[cursor + 24..cursor + 28].copy_from_slice(&0x05060708u32.to_le_bytes());
 bytes[cursor + 28..cursor + 30].copy_from_slice(&1u16.to_le_bytes());
 cursor += 0x1e;
 bytes[cursor..cursor + 2].copy_from_slice(&SAVE_REGION_RECORD_PROFILE_TAG.to_le_bytes());
@@ -23990,6 +24033,17 @@ mod tests {
 triplet_probe.entries[1].policy_reserved_dword_candidates[2].relative_offset_hex,
 "0xcc"
 );
+ assert_eq!(
+ triplet_probe.entries[1].policy_reserved_dword_candidates[0].raw_u32_hex,
+ "0x01020304"
+ );
+ assert_eq!(
+ triplet_probe.entries[1].policy_reserved_dword_candidates[2].raw_u32_hex,
+ "0x05060708"
+ );
+ assert!(triplet_probe.evidence.iter().any(|line| line.contains(
+ "fixed 0x55f2 policy reserved dwords are nonzero on 1 of 2 decoded region records"
+ )));
 }
 #[test]
diff --git a/docs/rehost-queue.md b/docs/rehost-queue.md
index 4788e86..d998b2e 100644
--- a/docs/rehost-queue.md
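Review bot: The two `{:?}` placeholders in the evidence `format!` added by the `@@ -13318,6` hunk print the reserved dwords in decimal, while the probe's per-entry fields report the same values as hex strings (`raw_u32_hex`, `"0x01020304"` in the test). Formatting the triplets with `{:x?}`, or mapping them to `0x…` strings first, would let a reader match the evidence line against the candidates without converting by hand. The line also grows with the number of distinct triplets, so a save whose reserved words vary per record would yield one very long evidence string; capping the listed triplets may be worth considering.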
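Review bot: The `contains` assertion added in the `@@ -23990,6` test hunk pins only the `1 of 2` prefix of the evidence line, so the per-word counts and the unique-triplet list introduced by this commit are not exercised. With the fixture writing `0x01020304`, `0`, `0x05060708`, extending the expected substring to `... decoded region records, with per-word nonzero counts [1, 0, 1]` would catch a swapped or off-by-one `dword_index`; this assumes the other record's reserved dwords are all zero, as the `1 of 2` count implies. The middle candidate, `policy_reserved_dword_candidates[1]`, is also left unasserted; `"0x00000000"` would be the expected `raw_u32_hex` if that field is zero-padded to eight digits like the other two.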
+++ b/docs/rehost-queue.md @@ -550,12 +550,13 @@ Working rule: dword candidates instead of raw integers only. That gives the next region payload pass a direct way to compare both opaque payload bands against the remaining acquisition-side lane shapes instead of redoing raw hex inspection by hand. -- Grounded real-save output already narrows that new probe once further: on `p.gms`, every decoded - region triplet currently still has `pre_name_prefix_len = 0` and an empty - `pre_name_prefix_dword_candidates` vector, so the remaining acquisition-side payload target does - not appear to live in the pre-`0x55f1` band on that save. That shifts the next payload-comparison - pass onto the fixed `0x55f2` policy chunk and any later separate body seam, not back onto the - pre-name prefix. +- Grounded real-save output now narrows that new probe two steps further: on both `p.gms` and + `q.gms`, every decoded region triplet currently still has `pre_name_prefix_len = 0`, an empty + `pre_name_prefix_dword_candidates` vector, and `fixed 0x55f2 policy reserved dwords are nonzero + on 0 of 145 decoded region records`. So the remaining acquisition-side payload target does not + appear to live in either the pre-`0x55f1` prefix band or the fixed `0x55f2` reserved dword band + on grounded ordinary saves. That shifts the next region payload-comparison pass onto later body + seams, not back onto the prefix or fixed-policy chunk. - The rest of `0x00455fc0` is ruled down further now too: after the `+0x48` callback it only runs `0x0052ebd0`, which reads two one-byte generic flags through `0x531150` into base object bytes `[this+0x20]`, `[this+0x8d]`, `[this+0x5c..+0x61]`, `[this+0x1ee]`, `[this+0x1fa]`, and