fix(cdb): A6.P1 — v1 dry-run lessons + v2 prep tooling

Dry-run of scenario 1 (retail-v1-broken-offsets.log preserved as
audit trail) surfaced three issues with the v1 cdb script:

1. STACK-ARG OFFSETS WRONG: BP actions used arbitrary registers
   (@edx, @edi) to read function args, but __thiscall puts non-this
   args on the stack ([esp+N] after the return address). All 12 BP5
   "adjust_sphere" hits printed Nx=0.0 Ny=0.0 ... — fields not read.
   Fixed by writing a type dumper (a6-types-dump.cdb + runner) that
   uses cdb's `dt` command against the loaded PDB to get authoritative
   struct offsets. v2 probe script (to be written next) will use
   double-indirect reads (dwo(poi(@esp+N)+offset)) with correct
   offsets from the dump.

2. TEE-OBJECT UTF-16 ENCODING: PowerShell's default Tee-Object writes
   UTF-16 LE with BOM, making logs unparseable by grep without
   conversion. Runner now uses Out-File -Encoding ASCII. Sacrifices
   live console echo; use `Get-Content -Tail 50 -Wait` in a separate
   shell if live monitoring is needed.

3. BP6 SYMBOL NOT FOUND: `acclient!CTransition::validate_walkable`
   doesn't exist in the PDB. Decomp at line 272811 has
   `CTransition::check_walkable` — likely the actual name. To be
   verified + fixed in v2.

The BP hit-count distribution from v1 is still meaningful diagnostic
data (14,318 transitional_insert + 16,558 find_collisions + 40
set_contact_plane + 12 adjust_sphere + 1 step_up + 1 set_collide in
a 2-second walk through the inn doorway). Preserved as a baseline
sanity-check the v2 distribution can be diffed against.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tools/cdb/a6-probe-runner.ps1

@@ -48,7 +48,12 @@ Write-Host "Attaching cdb to acclient.exe with scenario tag '$ScenarioTag'..."
 Write-Host "Log: $logPath"
 Write-Host "(cdb auto-detaches at 50K total hits; or press Ctrl-Break to interrupt.)"
 
-& $cdbExe -pn acclient.exe -cf $tempScript 2>&1 | Tee-Object -FilePath $logPath
+# Capture cdb output to ASCII (not Tee-Object's default UTF-16 LE).
+# We sacrifice live console echo for greppable output — A6.P2 analysis
+# parses these logs by line and the UTF-16 BOM/NULs make every grep
+# pattern unmatch. Use `Get-Content $logPath -Tail 50 -Wait` in a
+# separate shell if live monitoring is needed.
+& $cdbExe -pn acclient.exe -cf $tempScript 2>&1 | Out-File -FilePath $logPath -Encoding ASCII
 
 Remove-Item $tempScript -ErrorAction SilentlyContinue
 

tools/cdb/a6-types-dump-runner.ps1

@@ -0,0 +1,37 @@
+# Phase A6.P1 type-dumper runner — 2026-05-21
+#
+# Attaches cdb to live retail acclient.exe, dumps the 8 struct types A6's
+# probe needs (Plane, CSphere, Position, CPolygon, SPHEREPATH, CTransition,
+# COLLISIONINFO, OBJECTINFO), and exits cleanly via qd. No breakpoints set,
+# no retail lag. ~5 seconds total.
+#
+# Output: tools/cdb/a6-types-dump.txt (ASCII)
+#
+# Prerequisites:
+#   1. Retail acclient.exe v11.4186 running (any state — login screen, world,
+#      doesn't matter — as long as the binary + PDB are loaded).
+#   2. cdb.exe at the standard Windows Kits path.
+
+$cdbExe = "C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe"
+if (-not (Test-Path $cdbExe)) {
+    Write-Error "cdb.exe not found at $cdbExe."
+    exit 1
+}
+
+$scriptPath = Join-Path $PSScriptRoot "a6-types-dump.cdb"
+if (-not (Test-Path $scriptPath)) {
+    Write-Error "a6-types-dump.cdb not found at $scriptPath."
+    exit 1
+}
+
+$outputPath = Join-Path $PSScriptRoot "a6-types-dump.txt"
+
+Write-Host "Attaching cdb to acclient.exe to dump struct types..."
+Write-Host "Output: $outputPath"
+
+# Capture cdb output to a regular file via Out-File (ASCII, not Tee-Object's UTF-16).
+& $cdbExe -pn acclient.exe -cf $scriptPath 2>&1 | Out-File -FilePath $outputPath -Encoding ASCII
+
+Write-Host ""
+Write-Host "Type dump complete. Output saved to $outputPath"
+Write-Host "Lines: $((Get-Content $outputPath).Count)"

tools/cdb/a6-types-dump.cdb

@@ -0,0 +1,50 @@
+$$
+$$ Phase A6.P1 type dumper — authoritative struct offsets from PDB
+$$
+$$ Dumps the layouts of the 6 retail types A6's probe BPs need to read:
+$$   - CPolygon (BP5 — adjust_sphere_to_plane)
+$$   - CSphere (BP5)
+$$   - Plane (BP5, BP7)
+$$   - SPHEREPATH (BP2, BP3, BP5, BP6)
+$$   - CTransition (BP1, BP2, BP6)
+$$   - COLLISIONINFO (BP7)
+$$   - Position (containing struct in several of the above)
+$$   - OBJECTINFO (BP2 — walkable_z)
+$$
+$$ No breakpoints. Just dt + qd. Run once before authoring v2 probe.
+$$ Usage: .\tools\cdb\a6-types-dump-runner.ps1
+$$
+
+.sympath C:\Users\erikn\source\repos\acdream\refs
+.symopt+ 0x40
+.reload /f acclient.exe
+
+.printf "\n===== Type dump for A6.P1 cdb script offset derivation =====\n\n"
+
+.printf "=== Plane ===\n"
+dt -v acclient!Plane
+
+.printf "\n=== CSphere ===\n"
+dt -v acclient!CSphere
+
+.printf "\n=== Position ===\n"
+dt -v acclient!Position
+
+.printf "\n=== CPolygon ===\n"
+dt -v acclient!CPolygon
+
+.printf "\n=== SPHEREPATH ===\n"
+dt -v acclient!SPHEREPATH
+
+.printf "\n=== CTransition ===\n"
+dt -v acclient!CTransition
+
+.printf "\n=== COLLISIONINFO ===\n"
+dt -v acclient!COLLISIONINFO
+
+.printf "\n=== OBJECTINFO ===\n"
+dt -v acclient!OBJECTINFO
+
+.printf "\n===== Done =====\n"
+
+qd