diff --git a/docs/rehost-queue.md b/docs/rehost-queue.md index 7d151c3..dc5dc6d 100644 --- a/docs/rehost-queue.md +++ b/docs/rehost-queue.md 
@@ -12,6 +12,7 @@ This file is the short active queue for the current runtime and reverse-engineer - Keep the periodic-company trace as the main shellless simulation frontier, with the next concrete control-lane pass focused on the ordinary loaded runtime-effect strip `0x00444d92 -> 0x00432f40(kind 8) -> 0x004323a0 -> 0x00431b20`. The checked `rt3_105/maps` compact-dispatch corpus is now exported directly and partially mirrored into the periodic-company trace: `41` maps scanned, `38` with dispatch-strip rows, `318` nondirect rows total, the add-building subset is only `10` grouped occurrences across `7` descriptor keys, and the strongest broader nondirect families are now bounded too at `36` grouped occurrences across `18` maps for `nondirect-ge1e-h0001-0360-0004-0100-0200-p0000-0000-0000-ffff :: [864:4]` plus `27` across `14` maps for the mixed `[-1:4]` cluster. All of those checked rows still lack recovered trigger kind. The packed-state bridge is narrower than that queue head used to allow too: `0x0042db20/0x00430d70` rebuild and serialize only the fixed text bands plus the standalone and grouped row lists, while the metadata band `+0x7ee..+0x80e` is only mirrored by deep-copy helper `0x0042e050`. The active open question is therefore which ordinary loaded rows acquire or bypass the missing trigger-kind control lane before they can reach placed-structure mutation opcodes. + The dispatcher-side caller census is wider in a way that makes the remaining blocker sharper: `0x00432f40` is already driven shelllessly for kinds `1/0/3/2` and then `5/4` from the recurring simulation-maintenance strip `0x0040a220..0x0040a9ac`, for kind `7` from the grounded company-startup family, and for kind `6` from the placed-structure post-create, startup-refresh, and route-entry post-change tails, while `LoadScreen.win` still owns kind `9`. 
So the missing piece is no longer “find another shellless dispatcher entrypoint.” It is why ordinary loaded rows still fail to present a matching nonzero `[event+0x7ef]` when the later world-entry one-shot at `0x00444d92` requests kind `8`. The largest direct writer table is ruled out now too: `0x004d8ea0` is the shell-side `EventConditions.win` commit helper, where controls `0x4e98..0x4ea2` write `[event+0x7ef] = 0..10` on the currently selected live event, so that seed family does not explain shellless post-load bringup. The broad scenario-name fixup owner is narrower in the same direction: `0x00442c30` really does mutate live event rows after reload, but its grounded trigger-kind writes still only retag `1 -> 5` and `0 -> 2`, while the surrounding event-side branches only patch modifier bytes or nested payload dwords under already-existing kinds. No grounded branch there seeds kind `8`. The metadata-copy helper is ruled out in the same way: `0x0042e050` really does clone `[event+0x7ef]`, but the current whole-binary caller search still finds only the shell-side selected-event clone path `0x004db8b0`, not any shellless post-load or periodic caller. diff --git a/docs/rehost-queue/periodic-company-control-lane-2026-04-21.md b/docs/rehost-queue/periodic-company-control-lane-2026-04-21.md index df62164..00b6436 100644 --- a/docs/rehost-queue/periodic-company-control-lane-2026-04-21.md +++ b/docs/rehost-queue/periodic-company-control-lane-2026-04-21.md 
@@ -159,6 +159,37 @@ So the current blocker is no longer “is trigger kind really a direct gate?” loaded rows get a nonzero `[event+0x7ef]` that matches the later `0x00432f40(kind 8)` or follow-on `kind 0x0a` service. +## Wider Caller Census + +The collection-wide dispatcher above that gate is broader than the narrow queue head alone: + +- the recurring simulation-maintenance strip at `0x0040a220..0x0040a9ac` already drives: + - kind `1` at `0x0040a276` + - kind `0` at `0x0040a55f` + - kind `3` at `0x0040a6cb` + - kind `2` at `0x0040a7a3` + - kind `5` at `0x0040a930` + - kind `4` at `0x0040a9ac` +- the kind-`7` family is already grounded too: + - `0x00407682` + - `0x0047d293` + - `0x0047d42b` + - `0x0047d6de` +- the kind-`6` family is also wider than one site-local branch: + - placed-structure post-create tail `0x0040f69e` + - build-version-gated startup or roster-refresh tail `0x00428406` + - route-entry post-change sweep `0x004a3eae` +- kind `9` is the `LoadScreen.win` briefing query at `0x004e520b` +- kind `8` still sits only in the late world-entry one-shot at `0x00444d92` + +So the active control-lane question is narrower again: + +- `0x00432f40` is not a missing shellless service entrypoint +- ordinary runtime-effect rows are already swept under many grounded trigger kinds `0..7` plus the + special briefing kind `9` +- the unresolved seam is why ordinary loaded rows still do not present a matching nonzero + `[event+0x7ef]` when that later world-entry kind-`8` sweep runs + ## Reload-Side Boundary The ordinary reload path is narrower in the same negative way now too:
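Review bot: In the `docs/rehost-queue.md` hunk, the added caller-census sentence calls the kind `7` callers "the grounded company-startup family", but the detail note added in this same patch lists that family only as four bare addresses (`0x00407682`, `0x0047d293`, `0x0047d42b`, `0x0047d6de`) with no role attached, so the label has no visible backing. The same sentence shortens the kind `6` site at `0x00428406` to "startup-refresh", dropping the "build-version-gated" qualifier and the "or roster-refresh" alternative that the detail note carries. Suggest either naming the kind `7` sites in the detail note or pointing this queue entry at the `## Wider Caller Census` section instead of restating it, and stating that `1/0/3/2` then `5/4` is call-site address order within `0x0040a220..0x0040a9ac`.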
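Review bot: In the `## Wider Caller Census` section added to `docs/rehost-queue/periodic-company-control-lane-2026-04-21.md`, the census stops at kind `9`, although the context line directly above the new section names a follow-on `kind 0x0a` service as part of the same open question. State whether kind `0x0a` has any grounded caller of `0x00432f40` or has not been searched yet; as written, the closing bullets only account for kinds `0..7`, `8` and `9`. The kinds are also written in decimal throughout the list but in hex for `0x0a`, so pick one notation, and consider dropping "many" from "many grounded trigger kinds `0..7`", since the range already says which kinds are meant.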