Tiny C7(1KB) SEGV triage hardening: always-on lightweight free-time guards for headerless class7 in both hak_tiny_free_with_slab and superslab free path (alignment/range check, fail-fast via SIGUSR2). Leave C7 P0/direct-FC gated OFF by default. Add docs/TINY_C7_1KB_SEGV_TRIAGE.md for Claude with repro matrix, hypotheses, instrumentation and acceptance criteria.

core/tiny_superslab_free.inc.h

@@ -77,6 +77,23 @@ static inline void hak_tiny_free_superslab(void* ptr, SuperSlab* ss) {
     }
 #endif // !HAKMEM_BUILD_RELEASE
 
+    // Lightweight guard always-on for class7 (headerless, 1024B): prevent corrupted pointer writes in release
+    if (__builtin_expect(ss->size_class == 7, 0)) {
+        size_t blk = g_tiny_class_sizes[ss->size_class];
+        uint8_t* base = tiny_slab_base_for(ss, slab_idx);
+        uintptr_t delta = (uintptr_t)ptr - (uintptr_t)base;
+        int cap_ok = (meta->capacity > 0) ? 1 : 0;
+        int align_ok = (delta % blk) == 0;
+        int range_ok = cap_ok && (delta / blk) < meta->capacity;
+        if (!align_ok || !range_ok) {
+            uintptr_t aux = tiny_remote_pack_diag(0xA107u, ss_base, ss_size, (uintptr_t)ptr);
+            tiny_debug_ring_record(TINY_RING_EVENT_REMOTE_INVALID, (uint16_t)ss->size_class, ptr, aux);
+            // Fail-fast in class7 to avoid silent SLL/freelist corruption
+            raise(SIGUSR2);
+            return;
+        }
+    }
+
     // Phase 6.23: Same-thread check
     uint32_t my_tid = tiny_self_u32();
     const int debug_guard = g_debug_remote_guard;