run  3: rc=+1 | leak=1 cb_planted=1 cmd_planted=1 ace_full=1
run  4: rc=+1 | leak=1 cb_planted=1 cmd_planted=1 ace_full=1
run  5: rc=+1 | leak=1 cb_planted=1 cmd_planted=1 ace_full=1
run  6: rc=+1 | leak=1 cb_planted=1 cmd_planted=1 ace_full=1
run  7: rc=+1 | leak=1 cb_planted=1 cmd_planted=1 ace_full=1
run  8: rc=+1 | leak=1 cb_planted=1 cmd_planted=1 ace_full=1
run  9: rc=+1 | leak=1 cb_planted=1 cmd_planted=1 ace_full=1
run 10: rc=+1 | leak=1 cb_planted=1 cmd_planted=1 ace_full=1

# edu-escape FULL ACE pass rates (10 runs)
#   leak        : 10/10  (100%)
#   cb_planted  : 10/10  (100%)
#   cmd_planted : 10/10  (100%)
#   ace_full    : 10/10  (100%)
#   timeout     :  0/10  (0%)
# decision: FULL ACE (tier iv): the host QEMU process executed the attacker-chosen action system("echo edu-ace > /tmp/edu_ace_marker") in 10/10 ASLR runs -- marker file created, gadget addr leak-derived, cmd guest-planted. Reproducible.