Rule out fixed infrastructure policy row as child header

crates/rrt-runtime/src/smp.rs

@@ -4034,6 +4034,7 @@ fn build_infrastructure_asset_trace_report(
         "[this+0x248] cached primary-child slot".to_string(),
         "[this+0x206/+0x20a/+0x20e] route-entry resolver fields".to_string(),
         "[this+0x1e2/+0x1e6/+0x1ea] published anchor triplet".to_string(),
+        "[this+0x4b/+0x4f/+0x53] companion local triplet lane".to_string(),
         "child list [this+0x75] under the Infrastructure owner".to_string(),
         "non-direct live-entry directory [collection+0x3c] with 12-byte rows (payload pointer, previous live id, next live id)".to_string(),
     ];
@@ -4048,6 +4049,7 @@ fn build_infrastructure_asset_trace_report(
         "0x005395d0 shared child-attach list owner".to_string(),
         "0x00539530 shared position-lane seed helper".to_string(),
         "0x0053a5b0 shared third position-lane seed helper".to_string(),
+        "0x0052e8b0 runtime_object_publish_companion_triplet_lane_4b_4f_53".to_string(),
         "0x00530720 runtime_object_publish_anchor_triplet_and_optionally_rebind_world_cell_handle"
             .to_string(),
         "0x0048e140 / 0x0048e160 / 0x0048e180 route-entry resolver helpers".to_string(),
@@ -4158,6 +4160,7 @@ fn build_infrastructure_asset_trace_report(
                         .map(|summary| summary.dominant_trailing_word_count)
                         .unwrap_or_default()
                 ),
+                "direct disassembly now also shows 0x530720 publishing the first fixed-triplet lane into [this+0x1e2/+0x1e6/+0x1ea], while 0x52e8b0 publishes the second fixed-triplet lane into [this+0x4b/+0x4f/+0x53] and sets bit 0x02".to_string(),
                 "local .rdata at 0x005cfd00 now also proves the infrastructure child table uses the shared tagged callback strip directly: slot +0x40 = 0x455fc0, slot +0x48 = 0x455870, and slot +0x4c = 0x455930".to_string(),
                 "direct disassembly now shows 0x0048a1e0 cloning the first child triplet bands through 0x52e880/0x52e720, destroying the prior child, seeding a new literal Infrastructure child through 0x455b70 with payload seed 0x5c87a8, attaching through 0x5395d0 or 0x53a5d0, and republishing the two bands through 0x52e8b0/0x530720".to_string(),
                 "direct disassembly now also shows the outer owner at 0x0048dcf0 reading a child count plus optional primary-child ordinal from the tagged stream through 0x531150, zeroing [this+0x08], dispatching each fresh child through 0x455a50 -> vtable slot +0x40, culling ordinals above 5, and restoring cached primary-child slot [this+0x248] from the saved ordinal".to_string(),
@@ -4165,7 +4168,7 @@ fn build_infrastructure_asset_trace_report(
             ],
             blockers: vec![
                 "how the payload streams reached through 0x00518380 -> 0x00518140 align with the embedded 0x55f1 name-pair groups and compact-prefix regimes surfaced by the save-side probe".to_string(),
-                "which tagged values inside each payload stream correspond to the child count, optional primary-child ordinal, and the per-child shared tagged callback sequence consumed by 0x0048dcf0".to_string(),
+                "which outer-stream tagged values, outside the now-spoken-for fixed 0x55f2 triplets and short trailing flag bytes, correspond to the child count and optional primary-child ordinal consumed by 0x0048dcf0".to_string(),
                 "which restored child fields or grouped rows retain the 0x38a5 embedded name-pair semantics before route/local-runtime follow-ons take over".to_string(),
             ],
         },
@@ -22946,8 +22949,8 @@ mod tests {
         let trace = build_infrastructure_asset_trace_report(&analysis);
         assert!(trace.side_buffer_present);
         assert_eq!(trace.triplet_alignment_overlap_count, 0);
-        assert_eq!(trace.known_owner_bridge_fields.len(), 5);
-        assert_eq!(trace.known_bridge_helpers.len(), 12);
+        assert_eq!(trace.known_owner_bridge_fields.len(), 6);
+        assert_eq!(trace.known_bridge_helpers.len(), 13);
         assert_eq!(trace.next_owner_questions.len(), 3);
         assert_eq!(trace.candidate_consumer_hypotheses.len(), 3);
         assert_eq!(
@@ -22996,6 +22999,16 @@ mod tests {
                         && (line.contains("six 4-byte lanes") || line.contains("six dword lanes"))
                 })
         );
+        assert!(
+            trace.candidate_consumer_hypotheses[0]
+                .evidence
+                .iter()
+                .any(|line| {
+                    line.contains("0x530720")
+                        && line.contains("0x52e8b0")
+                        && line.contains("[this+0x4b/+0x4f/+0x53]")
+                })
+        );
         assert_eq!(trace.branches[0].status, "grounded_separate_owner_seam");
         assert_eq!(trace.branches[1].status, "disproved_by_grounded_probe");
     }

docs/control-loop-atlas/runtime-roots-camera-and-support-families.md

@@ -2960,6 +2960,12 @@ The low helper strip beneath that shared family is tighter now too: `0x0052ecd0`
   is no longer whether `0x55f2` is a fixed-format child lane; it is which of those two dword
   triplets correspond to the later child-count / primary-child restore state and which only seed
   published anchor or position bands.
+  That split is now explicit too: direct disassembly of `0x00530720/0x0052e8b0` shows the first
+  restored triplet landing in `[this+0x1e2/+0x1e6/+0x1ea]` while the second lands in
+  `[this+0x4b/+0x4f/+0x53]`, with the companion setter forcing bit `0x02`. So the remaining
+  infrastructure question is no longer whether the fixed `0x55f2` row hides the child count or
+  saved primary-child ordinal at all. Those values now have to live outside the fixed row, most
+  likely in the surrounding payload-stream header or compact-prefix regime above `0x0048dcf0`.
   The child loader family is explicit now too: local `.rdata` at `0x005cfd00` proves the
   `Infrastructure` child vtable uses the shared tagged callback strip directly, with
   `+0x40 = 0x00455fc0`, `+0x48 = 0x00455870`, and `+0x4c = 0x00455930`. So the remaining

docs/rehost-queue.md

@@ -109,6 +109,13 @@ Working rule:
   asset row. So the next infrastructure question is no longer whether `0x55f2` is a fixed-format
   child lane; it is which of those two dword triplets correspond to child-count / primary-child
   restore state and which only seed published anchor or position bands.
+- That split is tighter now too: direct disassembly of `0x00530720/0x0052e8b0` shows the first
+  fixed `0x55f2` triplet landing in `[this+0x1e2/+0x1e6/+0x1ea]` and the second in
+  `[this+0x4b/+0x4f/+0x53]`, with the companion setter also forcing bit `0x02`. So the next
+  infrastructure question is no longer whether the fixed `0x55f2` row hides the child count or
+  primary-child ordinal at all; those outer-header values now have to live outside the fixed row,
+  most likely in the surrounding payload-stream header or compact-prefix regime above
+  `0x0048dcf0`.
 - Reconstruct the save-side region record body on top of the newly corrected non-direct tagged
   region seam (`0x5209/0x520a/0x520b`, stride hint `0x06`, `Marker09` record stems) now that the
   `0x55f3` payload is known to be fully consumed by the embedded profile collection on grounded
@@ -251,6 +258,9 @@ Working rule:
   matching `0x00455870/0x00455930` helper seam. That means the next pass can focus on which of the
   two restored dword triplets actually bridge into child-count / primary-child state instead of
   rediscovering the fixed `0x55f2` row shape.
+- The infrastructure trace now also carries the deeper `0x00530720/0x0052e8b0` bridge, so the next
+  pass can focus on the outer payload-stream header and compact-prefix regimes instead of revisiting
+  the fixed `0x55f2` six-dword row.
 - That same trace now also ranks those consumers into explicit hypotheses, so the next
   infrastructure pass should start with the attach/rebuild strip instead of treating all
   candidate owners as equally likely.