Bind infrastructure live-entry directory layout

crates/rrt-runtime/src/smp.rs

@@ -3906,12 +3906,14 @@ fn build_infrastructure_asset_trace_report(
         "[this+0x206/+0x20a/+0x20e] route-entry resolver fields".to_string(),
         "[this+0x1e2/+0x1e6/+0x1ea] published anchor triplet".to_string(),
         "child list [this+0x75] under the Infrastructure owner".to_string(),
-        "non-direct live-entry table [collection+0x3c] with 12-byte rows".to_string(),
+        "non-direct live-entry directory [collection+0x3c] with 12-byte rows (payload pointer, previous live id, next live id)".to_string(),
     ];
     let known_bridge_helpers = vec![
         "0x00493be0 tagged 0x38a5/0x38a6/0x38a7 collection load owner".to_string(),
         "0x00455a50 raw vtable slot +0x40 dispatch wrapper with global bridge reset".to_string(),
         "0x00518140 indexed_collection_resolve_live_entry_payload_pointer_by_live_id".to_string(),
+        "0x005181f0 indexed_collection_unlink_non_direct_live_entry".to_string(),
+        "0x00518260 indexed_collection_link_non_direct_live_entry".to_string(),
         "0x00518380 indexed_collection_find_nth_live_entry_id".to_string(),
         "0x00518680 indexed_collection_load_header_bitset_and_non_direct_tables".to_string(),
         "0x005395d0 shared child-attach list owner".to_string(),
@@ -3955,6 +3957,7 @@ fn build_infrastructure_asset_trace_report(
                 "the side-buffer corpus is disjoint from the placed-structure triplet corpus, so a separate child/rebuild family is more plausible than a compact alias".to_string(),
                 "direct disassembly now shows 0x00493be0 opening tag family 0x38a5/0x38a6/0x38a7, reading one shared dword into the owner-local 0x90/0x94 lane, iterating each live collection entry, and dispatching every loaded infrastructure record through 0x0048dcf0 before the later follow-on owners run".to_string(),
                 "direct disassembly now shows 0x00518140 resolving a non-direct live entry through the tombstone bitset and then returning the first dword of a 12-byte row from [collection+0x3c] for the 0x38a5 path".to_string(),
+                "direct disassembly now also shows 0x005181f0/0x00518260 treating the same 12-byte rows as a live-entry directory: dword +0 is the payload pointer, dword +4 is previous live id, and dword +8 is next live id, with collection head/tail caches alongside them".to_string(),
                 "direct disassembly now also shows 0x00493be0 iterating live-entry ordinals through 0x00518380(ordinal, 0), converting each ordinal to a live id, then resolving that live id through 0x00518140 before handing the resulting payload pointer to 0x0048dcf0".to_string(),
                 "direct disassembly now shows 0x00518680 loading the non-direct collection header, tombstone bitset, and live-id-bound-scaled 12-byte tables for the non-direct path before 0x00493be0 starts iterating".to_string(),
                 "local .rdata at 0x005cfd00 now also proves the infrastructure child table uses the shared tagged callback strip directly: slot +0x40 = 0x455fc0, slot +0x48 = 0x455870, and slot +0x4c = 0x455930".to_string(),
@@ -3963,8 +3966,8 @@ fn build_infrastructure_asset_trace_report(
                 "the smaller attach primitive 0x00490a3c no longer looks like the semantic fork by itself: it just allocates one literal Infrastructure child, seeds it through 0x455b70 with caller-provided stem input, attaches it through 0x5395d0, seeds position lanes through 0x539530/0x53a5b0, and optionally caches it as primary child".to_string(),
             ],
             blockers: vec![
-                "which remaining dwords inside the non-direct 12-byte live-entry rows still matter after the first dword resolves the per-entry payload pointer".to_string(),
                 "how the payload streams reached through 0x00518380 -> 0x00518140 align with the embedded 0x55f1 name-pair groups and compact-prefix regimes surfaced by the save-side probe".to_string(),
+                "which tagged values inside each payload stream correspond to the child count, optional primary-child ordinal, and the per-child shared tagged callback sequence consumed by 0x0048dcf0".to_string(),
                 "which restored child fields or grouped rows retain the 0x38a5 embedded name-pair semantics before route/local-runtime follow-ons take over".to_string(),
             ],
         },
@@ -22053,7 +22056,7 @@ mod tests {
         assert!(trace.side_buffer_present);
         assert_eq!(trace.triplet_alignment_overlap_count, 0);
         assert_eq!(trace.known_owner_bridge_fields.len(), 5);
-        assert_eq!(trace.known_bridge_helpers.len(), 10);
+        assert_eq!(trace.known_bridge_helpers.len(), 12);
         assert_eq!(trace.next_owner_questions.len(), 3);
         assert_eq!(trace.candidate_consumer_hypotheses.len(), 3);
         assert_eq!(
@@ -22076,6 +22079,13 @@ mod tests {
                 .iter()
                 .any(|line| line.contains("0x00518380") && line.contains("ordinal"))
         );
+        assert!(
+            trace.candidate_consumer_hypotheses[0]
+                .evidence
+                .iter()
+                .any(|line| line.contains("0x005181f0/0x00518260")
+                    && line.contains("previous live id"))
+        );
         assert_eq!(trace.branches[0].status, "grounded_separate_owner_seam");
         assert_eq!(trace.branches[1].status, "disproved_by_grounded_probe");
     }

docs/control-loop-atlas/runtime-roots-camera-and-support-families.md

@@ -2928,9 +2928,11 @@ The low helper strip beneath that shared family is tighter now too: `0x0052ecd0`
   ordinal-to-live-id-to-payload-pointer walk through `0x00518380(ordinal, 0)` then
   `0x00518140(live_id)`. That narrows the remaining infrastructure mapping problem further:
   the first dword of each `12`-byte live-entry row is already spoken for as the per-entry payload
-  pointer, so the next unknowns are which remaining dwords in that row still matter and how the
-  payload streams they point to align with the save-side `0x55f1` name-pair groups and compact
-  prefix regimes.
+  pointer, and `0x005181f0/0x00518260` now also read as the live-entry unlink/link owners that use
+  the same rows as `(payload pointer, previous live id, next live id)` directory triplets. So the
+  next unknowns are no longer inside that row layout itself; they are in the payload streams those
+  rows point at, and how those streams align with the save-side `0x55f1` name-pair groups and
+  compact prefix regimes.
   The child loader family is explicit now too: local `.rdata` at `0x005cfd00` proves the
   `Infrastructure` child vtable uses the shared tagged callback strip directly, with
   `+0x40 = 0x00455fc0`, `+0x48 = 0x00455870`, and `+0x4c = 0x00455930`. So the remaining

docs/rehost-queue.md

@@ -60,10 +60,12 @@ Working rule:
   while `0x00518680` loads that non-direct table family before `0x00493be0` starts iterating, and
   `0x00493be0` itself now reads as an ordinal-to-live-id-to-payload-pointer walk through
   `0x00518380(ordinal, 0)` then `0x00518140(live_id)`. So the next infrastructure question is no
-  longer “which row owns the payload pointer?” but which remaining dwords in those `12`-byte
-  live-entry rows still matter after the first dword resolves the per-entry payload pointer, and
+  longer “which row owns the payload pointer?”. Direct disassembly of `0x005181f0/0x00518260` now
+  also treats those `12`-byte rows as a live-entry directory with
+  `(payload pointer, previous live id, next live id)`, so the next infrastructure question is only
   how those payload streams align with the embedded `0x55f1` name-pair groups and compact-prefix
-  regimes.
+  regimes, and which tagged values inside each payload stream become the child count, optional
+  primary-child ordinal, and per-child callback sequence that `0x0048dcf0` consumes.
 - The child loader identity is closed now too: local `.rdata` at `0x005cfd00` proves the
   `Infrastructure` child vtable uses the shared tagged callback strip directly, with
   `+0x40 = 0x00455fc0`, `+0x48 = 0x00455870`, and `+0x4c = 0x00455930`. So the remaining