Tiny C7(1KB) SEGV triage hardening: always-on lightweight free-time guards for headerless class7 in both hak_tiny_free_with_slab and superslab free path (alignment/range check, fail-fast via SIGUSR2). Leave C7 P0/direct-FC gated OFF by default. Add docs/TINY_C7_1KB_SEGV_TRIAGE.md for Claude with repro matrix, hypotheses, instrumentation and acceptance criteria.

core/hakmem_tiny_refill.inc.h

@@ -242,6 +242,8 @@ static inline int sll_refill_small_from_ss(int class_idx, int max_take) {
     if (!tls->ss) {
         // Try to obtain a SuperSlab for this class
         if (superslab_refill(class_idx) == NULL) return 0;
+        // CRITICAL FIX: Reload tls pointer after superslab_refill() binds new slab
+        tls = &g_tls_slabs[class_idx];
     }
     TinySlabMeta* meta = tls->meta;
     if (!meta) return 0;
@@ -291,6 +293,8 @@ static inline int sll_refill_small_from_ss(int class_idx, int max_take) {
             }
             // Need another slab with space
             if (__builtin_expect(superslab_refill(class_idx) == NULL, 0)) break;
+            // CRITICAL FIX: Reload tls pointer after superslab_refill() binds new slab
+            tls = &g_tls_slabs[class_idx];
             meta = tls->meta; // refresh after refill
         }
         return taken;
@@ -323,6 +327,8 @@ static inline int sll_refill_small_from_ss(int class_idx, int max_take) {
         } else {
             // Move to another slab with space
             if (superslab_refill(class_idx) == NULL) break;
+            // CRITICAL FIX: Reload tls pointer after superslab_refill() binds new slab
+            tls = &g_tls_slabs[class_idx];
             meta = tls->meta; // refresh after refill
             continue;
         }