diff --git a/crates/rrt-runtime/src/smp.rs b/crates/rrt-runtime/src/smp.rs index 6ce89f9..69325cb 100644 --- a/crates/rrt-runtime/src/smp.rs +++ b/crates/rrt-runtime/src/smp.rs @@ -4368,6 +4368,9 @@ fn build_region_service_trace_report( notes.push( "Direct disassembly now also tightens the severity/source side itself: 0x004cc930 is a selected-region editor helper that writes [region+0x25a] and [region+0x25e] together from one integer input, while 0x00438150 and 0x00442cc0 are fixed-region global reseed/clamp owners over collection 0x0062bae0 that adjust the same mirrored pair for hardcoded region ids.".to_string(), ); + notes.push( + "Two more apparent offset hits are now ruled out as region false leads: 0x0043a5a0 is a separate constructor under vtable root 0x005ca078 that zeroes its own [this+0x302/+0x316] fields during local object setup, and 0x0045c460/0x0045c8xx is a separate vtable-0x005cb5e8 helper family whose [this+0x316] is a child-array pointer serialized through 0x61a9/0x61aa/0x61ab rather than a region latch.".to_string(), + ); notes.push( "The current region seam is strong enough to prove record-envelope ownership, profile subcollection ownership, and the absence of hidden 0x55f3 tail padding on grounded saves.".to_string(), ); diff --git a/docs/rehost-queue.md b/docs/rehost-queue.md index 82e986c..f24e6ea 100644 --- a/docs/rehost-queue.md +++ b/docs/rehost-queue.md 
@@ -337,6 +337,11 @@ Working rule: `0x0062bae0` that adjust the same mirrored pair for hardcoded region ids. So the remaining region restore question is no longer “what does `[region+0x25e]` mean?” but “which load/reseed seam restores the mirrored severity pair before the producer runs?” +- Two more direct-hit writer bands are now explicitly ruled out too: `0x0043a5a0` is a separate + constructor under vtable root `0x005ca078` that zeroes its own `[this+0x302/+0x316]` fields + during local object setup, and `0x0045c460/0x0045c8xx` is a separate vtable-`0x005cb5e8` helper + family whose `[this+0x316]` is a child-array pointer serialized through `0x61a9/0x61aa/0x61ab`. + So those offset-collision classes should stay out of the remaining region restore search. - The checked-in constructor owner `0x00421200` `world_region_construct_entry_with_id_class_and_default_marker09_profile_seed` now also grounds the initialization side of this family: it clears `[region+0x276]`, `[region+0x302]`,
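Review bot: the new `notes.push` string in `build_region_service_trace_report` embeds `0x0045c8xx` with a literal `xx` placeholder, so the trace report will print an unresolved address next to exact ones (`0x0043a5a0`, `0x0045c460`, `0x005cb5e8`). Replace it with the concrete helper addresses this family covers, or write it as an explicit range with both bounds, so a reader of the report cannot mistake it for a real address. The same string uses the `[this+0x302/+0x316]` shorthand; spelling out `[this+0x302]` and `[this+0x316]` would match the `[region+0x25a]` and `[region+0x25e]` form used in the preceding note.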
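Review bot: the new bullet in `docs/rehost-queue.md` carries the same `0x0045c8xx` placeholder as the runtime note and restates that note almost verbatim, so the two copies will drift the next time either is corrected; resolve the placeholder here too and have one copy reference the other (or keep the prose in a single place) rather than maintaining both. The wording already differs slightly ("apparent offset hits" in the runtime string versus "direct-hit writer bands" here, and the docs copy drops the "rather than a region latch" qualifier), so pick one phrasing as canonical.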