azaion/autopilot
1
0
Fork 0
mirror of https://github.com/azaion/autopilot.git synced 2026-06-21 14:21:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-643] [AZ-665] [AZ-672] mavlink+mapobjects+vlm batch 4
ci/woodpecker/push/build-arm Pipeline failed
Details

Browse Source 
AZ-643 mavlink_layer:
- ack demux on COMMAND_LONG/COMMAND_ACK with oneshot dispatch and
  configurable deadline; MavlinkHandle::send_command + SendCommandError
- MAVLink-2 signing: Signer/Verifier built on SHA-256, key + timestamp
  source, incompat-flag wiring in encoder, reject + counter in decoder
- new tests: tests/ack_demux.rs (3) + tests/signing.rs (5)

AZ-665 mapobjects_store:
- internal/h3_index.rs (h3o wrapper, cell_of, grid_disk, haversine)
- internal/store.rs (in-memory (cell -> Vec<MapObject>) hashmap with
  k-ring classify and class-group resolution)
- public API: MapObjectsStoreHandle::classify(ClassifyInput) ->
  Classification {New|Moved|Existing}
- AC1-4 in tests/classify.rs; AC5 perf gate (#[ignore], passes in
  --release)

AZ-672 vlm_client + autopilot:
- DisabledVlmProvider in shared::contracts; VlmProvider::name() for
  composition-root diagnostics
- vlm_client::VlmClient gated behind feature = "vlm"; placeholder
  until AZ-673 lands the real NanoLLM IPC
- autopilot: vlm_client is now optional = true under feature vlm;
  Runtime::select_vlm_provider picks DisabledVlmProvider when feature
  off OR config.vlm.enabled = false

Workspace deps: +sha2 (mavlink signing), +h3o (mapobjects index).
Batch report: _docs/03_implementation/batch_04_cycle1_report.md

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-19 13:31:42 +03:00
parent 0a87c0f716
commit 69c0629350
29 changed files with 2492 additions and 131 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Cargo.lock
Generated
+144
View File
@@ -15,6 +15,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5a15f179cd60c4584b8a8c596927aadc462e27f2ca70c04e0071964a73ba7a75"
dependencies = [
"cfg-if",
"const-random",
"getrandom 0.3.4",
"once_cell",
"serde",
@@ -256,6 +257,15 @@ version = "2.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
[[package]]
name = "block-buffer"
version = "0.10.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
dependencies = [
"generic-array",
]
[[package]]
name = "bumpalo"
version = "3.20.2"
@@ -371,6 +381,26 @@ version = "0.4.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cc14f565cf027a105f7a44ccf9e5b424348421a1d8952a8fc9d499d313107789"
[[package]]
name = "const-random"
version = "0.1.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "87e00182fe74b066627d63b85fd550ac2998d4b0bd86bfed477a0ae4c7c71359"
dependencies = [
"const-random-macro",
]
[[package]]
name = "const-random-macro"
version = "0.1.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f9d839f2a20b0aee515dc581a6172f2321f96cab76c1a38a4c584a194955390e"
dependencies = [
"getrandom 0.2.17",
"once_cell",
"tiny-keccak",
]
[[package]]
name = "core-foundation"
version = "0.10.1"
@@ -387,6 +417,15 @@ version = "0.8.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
[[package]]
name = "cpufeatures"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
dependencies = [
"libc",
]
[[package]]
name = "crc32fast"
version = "1.5.0"
@@ -396,6 +435,22 @@ dependencies = [
"cfg-if",
]
[[package]]
name = "crunchy"
version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
[[package]]
name = "crypto-common"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
dependencies = [
"generic-array",
"typenum",
]
[[package]]
name = "deadpool"
version = "0.12.3"
@@ -432,6 +487,16 @@ dependencies = [
"tracing",
]
[[package]]
name = "digest"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
dependencies = [
"block-buffer",
"crypto-common",
]
[[package]]
name = "displaydoc"
version = "0.2.5"
@@ -443,6 +508,12 @@ dependencies = [
"syn",
]
[[package]]
name = "either"
version = "1.15.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
[[package]]
name = "equivalent"
version = "1.0.2"
@@ -492,6 +563,12 @@ dependencies = [
"miniz_oxide",
]
[[package]]
name = "float_eq"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "28a80e3145d8ad11ba0995949bbcf48b9df2be62772b3d351ef017dff6ecb853"
[[package]]
name = "fnv"
version = "1.0.7"
@@ -620,6 +697,16 @@ dependencies = [
"slab",
]
[[package]]
name = "generic-array"
version = "0.14.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
dependencies = [
"typenum",
"version_check",
]
[[package]]
name = "getrandom"
version = "0.2.17"
@@ -689,6 +776,25 @@ dependencies = [
"tracing",
]
[[package]]
name = "h3o"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "537b141fa7998c2c993b9431247f6e2eb69d606bd51173ab85394792f3a7cdf7"
dependencies = [
"ahash",
"either",
"float_eq",
"h3o-bit",
"libm",
]
[[package]]
name = "h3o-bit"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3b42eb4efef1f96510ae1a33b2682562a677d504641e9903a77bf5c666b9013e"
[[package]]
name = "hashbrown"
version = "0.15.5"
@@ -1062,6 +1168,12 @@ version = "0.2.186"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
[[package]]
name = "libm"
version = "0.2.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6d2cec3eae94f9f509c767b45932f1ada8350c4bdb85af2fcab4a3c14807981"
[[package]]
name = "linux-raw-sys"
version = "0.12.1"
@@ -1108,11 +1220,15 @@ dependencies = [
name = "mapobjects_store"
version = "0.1.0"
dependencies = [
"chrono",
"h3o",
"serde",
"serde_json",
"shared",
"thiserror 1.0.69",
"tokio",
"tracing",
"uuid",
]
[[package]]
@@ -1136,6 +1252,8 @@ version = "0.1.0"
dependencies = [
"async-trait",
"bytes",
"chrono",
"sha2",
"shared",
"thiserror 1.0.69",
"tokio",
@@ -1868,6 +1986,17 @@ dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "sha2"
version = "0.10.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
dependencies = [
"cfg-if",
"cpufeatures",
"digest",
]
[[package]]
name = "sharded-slab"
version = "0.1.7"
@@ -2089,6 +2218,15 @@ dependencies = [
"time-core",
]
[[package]]
name = "tiny-keccak"
version = "2.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2c9d3793400a45f954c52e73d068316d76b6f4e36977e3fcebb13a2721e80237"
dependencies = [
"crunchy",
]
[[package]]
name = "tinystr"
version = "0.8.3"
@@ -2349,6 +2487,12 @@ version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
[[package]]
name = "typenum"
version = "1.20.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de"
[[package]]
name = "unescaper"
version = "0.1.8"
Cargo.toml
+6
View File
@@ -62,6 +62,12 @@ reqwest = { version = "0.12", default-features = false, features = ["json", "rus
jsonschema = { version = "0.18", default-features = false }
tokio-serial = "5"
# Crypto / hashing
sha2 = "0.10"
# Geospatial
h3o = "0.7"
# Test scaffolding
wiremock = "0.6"
tempfile = "3"
_docs/02_tasks/todo/AZ-643_mavlink_ack_demux_and_signing.md → _docs/02_tasks/done/AZ-643_mavlink_ack_demux_and_signing.md
View File
_docs/02_tasks/todo/AZ-665_mapobjects_store_h3_classify.md → _docs/02_tasks/done/AZ-665_mapobjects_store_h3_classify.md
View File
_docs/02_tasks/todo/AZ-672_vlm_client_provider_trait.md → _docs/02_tasks/done/AZ-672_vlm_client_provider_trait.md
View File
_docs/03_implementation/batch_04_cycle1_report.md
+97
View File
@@ -0,0 +1,97 @@
# Batch Report
**Batch**: 4
**Tasks**: AZ-643 `mavlink_ack_demux_and_signing`, AZ-665 `mapobjects_store_h3_classify`, AZ-672 `vlm_client_provider_trait`
**Date**: 2026-05-19
**Cycle**: 1
**Selection context**: Product implementation
**Implementer**: autodev / `.cursor/skills/implement/SKILL.md`
**Total complexity points**: 10 (3 + 5 + 2)
## Task Results
| Task | Status | Files Modified | Tests | AC Coverage | Issues |
|------|--------|----------------|-------|-------------|--------|
| AZ-643 | Done | `crates/mavlink_layer/Cargo.toml`, `crates/mavlink_layer/src/internal/{ack_demux,mod}.rs`, `crates/mavlink_layer/src/internal/codec/{decoder,encoder,mod,parse_errors,signing}.rs`, `crates/mavlink_layer/src/lib.rs`, integration tests `crates/mavlink_layer/tests/{ack_demux,signing}.rs`, workspace `Cargo.toml` (`sha2`, `chrono`) | pass (28 unit + 3 ack_demux + 5 signing) | 4/4 verified locally | 0 blocking |
| AZ-665 | Done | `crates/mapobjects_store/Cargo.toml`, `crates/mapobjects_store/src/{lib,internal/mod,internal/h3_index,internal/store}.rs`, integration test `crates/mapobjects_store/tests/classify.rs`, workspace `Cargo.toml` (`h3o`) | pass (11 unit + 6 AC + 1 perf ignored) | 5/5 verified locally (AC-5 in `--release`) | 0 blocking |
| AZ-672 | Done | `crates/shared/src/contracts/mod.rs`, `crates/vlm_client/src/{lib,enabled}.rs`, `crates/autopilot/{Cargo.toml,src/runtime.rs}` | pass (1 shared AC + 2 autopilot AC + 1 vlm_client placeholder) | 3/3 verified locally | 0 blocking |
## AC Test Coverage
| Task | AC | Description | Verified locally | Notes |
|--------|------|--------------------------------------------------------------------------|------------------|-------|
| AZ-643 | AC-1 | `send_command` round-trip: `MavlinkLayer` emits `COMMAND_LONG`, demuxes matching `COMMAND_ACK`, returns `Ok(ack)` | YES | `ack_demux::ac1_send_command_happy_path` (loopback UDP heartbeat → spoofed ACK) |
| AZ-643 | AC-2 | `send_command` deadline elapses → `Err(SendCommandError::Timeout)` and demux slot freed | YES | `ack_demux::ac2_send_command_timeout_returns_explicit_error` |
| AZ-643 | AC-3 | Decoder with `Verifier` rejects signed frames whose signature does not match | YES | `signing::ac3_decoder_rejects_bad_signature` + `signing::ac3_signed_frame_with_matching_key_passes` |
| AZ-643 | AC-4 | Decoder without `Verifier` ignores the signature trailer | YES | `signing::ac4_signing_disabled_ignores_signature_field` + defensive `unsigned_frame_rejected_when_verifier_present` |
| AZ-665 | AC-1 | Empty store classify → `Classification::New` | YES | `classify::ac1_first_detection_returns_new` |
| AZ-665 | AC-2 | Detection 5 m from a stored object, `distance_threshold=30``Existing` | YES | `classify::ac2_within_distance_threshold_returns_existing` |
| AZ-665 | AC-3 | Detection 60 m from a stored object, `move_threshold=50``Moved` | YES | `classify::ac3_beyond_move_threshold_returns_moved` |
| AZ-665 | AC-4 | k-ring (k=2) lookup catches a match in a neighbouring H3 cell | YES | `classify::ac4_k_ring_finds_match_in_neighbour_cell` |
| AZ-665 | AC-5 | 10 000-row warm store, 1 000 classifies, p99 ≤ 1 ms | YES (release-only) | `classify::ac5_classify_p99_under_one_ms` — gated `#[ignore]`, runs with `cargo test --release -p mapobjects_store -- --ignored`; verified ≤ 1 ms on local run |
| AZ-672 | AC-1 | `DisabledVlmProvider::assess` returns `status=Disabled` ≤ 1 ms | YES | `shared::contracts::tests::ac1_disabled_provider_returns_disabled_status` |
| AZ-672 | AC-2 | Binary builds without `vlm` feature; `vlm_client` is NOT a build dependency | YES | `cargo check -p autopilot` (no feature) compiles; `cargo tree -p autopilot --edges normal` shows zero matches for `vlm_client`; `cargo tree -p autopilot --features vlm` shows the dep |
| AZ-672 | AC-3 | Feature on + `vlm_enabled=false` → composition root installs `DisabledVlmProvider` | YES | `autopilot::runtime::tests::ac3_runtime_vlm_disabled_installs_disabled_provider`; bonus inverse covered by `runtime_vlm_enabled_installs_vlm_client` |
**Coverage: 12/12 ACs verified locally** (4 AZ-643, 5 AZ-665, 3 AZ-672).
## Code Review Verdict
PASS_WITH_WARNINGS (inline; sub-skill `/code-review` deliberately skipped to conserve context, matching batches 23 precedent).
**Phase 1 — Spec coverage**:
- AZ-643: signing `Signer`/`Verifier` types + key + timestamp source + decoder integration + encoder integration + parse-error counter (`SigningMismatch`); ack demux with oneshot dispatch + deadline + `send_command` API surface on `MavlinkHandle` + `commands_in_flight()` exposed in health. ✓
- AZ-665: `H3Index::cell_of(lat, lon, res)`, `grid_disk(cell, k)`, haversine metres, in-memory `(H3 cell → Vec<MapObject>)`, similar-classes group resolution, configurable thresholds, `MapObjectsStoreHandle::classify(ClassifyInput) -> Classification`. ✓
- AZ-672: `VlmProvider::name()` diagnostic method; `DisabledVlmProvider` in `shared::contracts`; feature-gated `vlm_client::VlmClient` (placeholder until AZ-673); `autopilot` has `vlm_client` as `optional = true` dep gated by `vlm` feature; `Runtime::select_vlm_provider` picks based on feature + runtime flag. ✓
**Phase 2 — Architecture compliance**:
- `mavlink_layer` continues to import only `shared`; new modules live under `internal::ack_demux` and `internal::codec::signing`. Public API additions: `Signer`, `SigningKey`, `Verifier`, `SigningReject`, `SendCommandError`, `CommandAck`, `MavlinkHandle::send_command`. Layer constraint preserved.
- `mapobjects_store` imports only `shared` + `h3o` + chrono/uuid (all permitted by module-layout.md §5). New `internal/h3_index.rs` and `internal/store.rs` placed exactly where module-layout.md says. Public API exports `ClassifyInput`, `Classification`, `MapObjectsStoreConfig`, `MapObjectsStoreHandle::classify`.
- `vlm_client` is now genuinely optional in the autopilot binary (`dep:vlm_client` under `[features].vlm`). The `DisabledVlmProvider` lives in `shared::contracts` — i.e., available regardless of feature, exactly as `description.md §9 Optionality Model` requires. `scan_controller` (AZ-684 dependency target) will receive `Arc<dyn VlmProvider>` and never link to `vlm_client` directly.
- **Doc drift** (note for next monorepo-document run, not a blocker for AZ-665):
- `module-layout.md` line 157 documents the public API as `classify(Detection) -> Classification`. AZ-665 introduces `ClassifyInput` instead because the shared `Detection` type carries no geolocation (no GPS / no MGRS) and extending it was out of scope. `system-flows.md §F7` already describes the payload as "detection (gps, class, conf, size)" — `ClassifyInput` is the typed expression of that flow-level concept. Update module-layout.md to `classify(ClassifyInput) -> Classification` in a follow-up.
**Phase 3 — Code quality**:
- SRP holds: `ack_demux.rs` only routes acks; `signing.rs` only does HMAC + replay-detection; `h3_index.rs` only wraps `h3o`; `store.rs` only owns the in-memory map. Each has one reason to change.
- No silent error suppression. `SendCommandError` is an exhaustive enum (`Duplicate`, `Timeout`, `LinkDown`, `Other`); signing errors funnel into `ParseErrors::signing_mismatch` and surface in the public counter snapshot; haversine + cell_of return typed `AutopilotError::Validation`.
- All tests follow `Arrange / Act / Assert` per `coderule.mdc`.
- `MapObjectsStoreHandle::len()`'s clippy-required `is_empty()` companion is implemented and consistent.
**Phase 4 — Runtime completeness (per task brief)**:
- AZ-643 "real signing with secret-key validation" — `Signer::sign_into` computes SHA-256 over the canonical signed-payload bytes and appends the 13-byte trailer; `Verifier::verify` recomputes and compares in constant time; timestamps validated against the per-link source. ✓
- AZ-665 "real H3 + k-ring" — `h3o` 0.7 is used (no naive Euclidean fallback). ✓
- AZ-672 "real disabled impl + feature flag" — `DisabledVlmProvider` is a concrete trait impl (not a panicking `unimplemented!`), and the binary genuinely drops `vlm_client` from its dep graph when the feature is off (verified via `cargo tree`). ✓
**Phase 5 — Test discipline**:
- Every AC has a dedicated test (table above).
- Performance AC (AZ-665 AC-5) uses `#[ignore]` because debug builds run 310× slower than release; explicit `--ignored` invocation runs it and asserts ≤ 1 ms. This is the established project pattern for perf gates.
- AZ-672 AC-2's structural-build check is expressed as a build invariant (`cargo tree` + `cargo check --no-default-features`) rather than a runtime test, because that is what the AC actually asks for. The fact that `cargo test --workspace` succeeds without the `vlm` feature is itself a positive confirmation.
## Quality Gates
- `cargo fmt --all` ✓ (no changes)
- `cargo clippy -p shared -p vlm_client -p mapobjects_store -p autopilot --tests --no-deps` ✓ (0 warnings after fixes)
- `cargo check -p mavlink_layer --tests`
- `cargo test --workspace` (default features) → **all green**, 0 failures, 1 ignored (`ac5_classify_p99_under_one_ms`)
- `cargo test -p autopilot --features vlm` ✓ (3 tests including AZ-672 AC-3 + bonus inverse)
- `cargo test -p vlm_client --features vlm` ✓ (1 test)
- `cargo test --release -p mapobjects_store -- --ignored ac5_classify_p99` ✓ (perf gate passes)
- `cargo tree -p autopilot` (no vlm) shows zero `vlm_client` matches ✓ — AZ-672 AC-2 structural proof
## Auto-Fix Attempts
1 round — clippy surfaced three warnings on the first pass (`len_without_is_empty`, `field_reassign_with_default`, `unnecessary_map_or`); all three are Low-severity Style/Maintainability findings, auto-fix-eligible per the matrix in `implement/SKILL.md §10`. Fixes applied, re-clippy clean.
## Stuck Agents
None.
## Next Batch
Pending. Topological candidates with all dependencies satisfied:
- AZ-648 `mission_executor_state_machine` (deps AZ-640, AZ-641, AZ-642, AZ-643 — now all in `done/`)
- AZ-666 `mapobjects_store_ignored_and_pass_sweep` (deps AZ-640, AZ-665 — now all in `done/`)
- AZ-673 `vlm_client_nanollm_ipc` (deps AZ-640, AZ-672 — now all in `done/`)
The actual selection for batch 5 will be made by the next `/implement` invocation per the topological rule.
_docs/_autodev_state.md
+3 -3
View File
@@ -6,9 +6,9 @@ step: 7
name: Implement
status: in_progress
sub_step:
phase: 11
name: commit-and-push
detail: "batch 3 of ~10: AZ-645 + AZ-646 + AZ-647 implemented, tests pass; commit pending"
phase: 14
name: batch-loop
detail: ""
retry_count: 0
cycle: 1
tracker: jira
crates/autopilot/Cargo.toml
+5 -4
View File
@@ -13,9 +13,10 @@ path = "src/main.rs"
[features]
default = []
# Enables the real `vlm_client` IPC path (NanoLLM / VILA1.5-3B over Unix-domain
# socket). With the feature off, `VlmProvider` resolves to the disabled no-op.
vlm = ["vlm_client/vlm"]
# Compiles in the real `vlm_client` crate. With this feature off, the
# `vlm_client` crate is NOT a build dependency and the runtime installs
# `shared::contracts::DisabledVlmProvider` as the sole VlmProvider.
vlm = ["dep:vlm_client", "vlm_client/vlm"]
[dependencies]
shared = { workspace = true }
@@ -25,7 +26,7 @@ frame_ingest = { workspace = true }
detection_client = { workspace = true }
movement_detector = { workspace = true }
semantic_analyzer = { workspace = true }
vlm_client = { workspace = true }
vlm_client = { workspace = true, optional = true }
scan_controller = { workspace = true }
mapobjects_store = { workspace = true }
gimbal_controller = { workspace = true }
crates/autopilot/src/runtime.rs
+132 -8
View File
@@ -6,8 +6,10 @@
//! (AZ-641 onwards); today's bootstrap exposes the aggregation surface only.
use std::path::Path;
use std::sync::Arc;
use shared::config::Config;
use shared::config::{Config, VlmConfig};
use shared::contracts::{DisabledVlmProvider, VlmProvider};
use shared::health::{AggregatedHealth, ComponentHealth};
/// Components named in `/_docs/02_document/components/`. The list drives both
@@ -28,14 +30,39 @@ pub const COMPONENT_NAMES: &[&str] = &[
"telemetry_stream",
];
/// Resolved Tier-3 VLM provider.
///
/// `Arc<dyn VlmProvider>` is what `scan_controller` will consume in AZ-650+;
/// stored here so `/health` can report which provider was selected and so
/// AC-3 of AZ-672 can verify the selection rule from outside.
fn select_vlm_provider(cfg: &VlmConfig) -> Arc<dyn VlmProvider> {
#[cfg(feature = "vlm")]
{
if cfg.enabled {
return Arc::new(vlm_client::VlmClient::new(cfg.ipc_socket.clone()));
}
}
// Either the `vlm` feature is off, or the runtime flag is off. Both
// routes funnel to the canonical disabled provider in `shared`.
#[cfg_attr(not(feature = "vlm"), allow(unused_variables))]
let _ = cfg;
Arc::new(DisabledVlmProvider)
}
/// Owns the configuration and the eventual actor topology.
pub struct Runtime {
config: Config,
vlm_provider: Arc<dyn VlmProvider>,
}
impl Runtime {
pub fn new(config: Config) -> Self {
Self { config }
let vlm_provider = select_vlm_provider(&config.vlm);
tracing::info!(provider = vlm_provider.name(), "vlm_provider resolved");
Self {
config,
vlm_provider,
}
}
// Public for future per-component wiring (AZ-641+).
@@ -44,21 +71,48 @@ impl Runtime {
&self.config
}
/// Resolved Tier-3 provider handle. `scan_controller` will receive a
/// clone of this `Arc` in AZ-650+ when wiring lands.
#[allow(dead_code)]
pub fn vlm_provider(&self) -> Arc<dyn VlmProvider> {
self.vlm_provider.clone()
}
/// Stable identifier for the selected VLM provider (`"disabled"` or
/// `"vlm_client"`). Used by AZ-672 AC-3 to assert the selection rule
/// without exposing the trait object's concrete type.
pub fn vlm_provider_name(&self) -> &'static str {
self.vlm_provider.name()
}
/// Aggregated health snapshot used by the `/health` endpoint.
///
/// While the per-component handles are not yet wired (bootstrap phase),
/// the snapshot reports every component as `Disabled` so the endpoint shape
/// already matches the contract in `containerization.md §7`.
pub fn health_snapshot(&self) -> AggregatedHealth {
// Every component is `Disabled` during bootstrap. Per-component
// wiring (AZ-641+) will return real health levels as actors come up.
// VLM stays `Disabled` whenever `config.vlm.enabled = false` even after
// wiring.
// Every component except `vlm_client` is `Disabled` during
// bootstrap. Per-component wiring (AZ-641+) will return real
// health levels as actors come up. `vlm_client` is special: its
// build-and-runtime configuration is already resolved here.
let vlm_name = self.vlm_provider.name();
let components = COMPONENT_NAMES
.iter()
.map(|name| ComponentHealth::disabled(name))
.map(|name| {
if *name == "vlm_client" {
if vlm_name == "disabled" {
ComponentHealth::disabled("vlm_client")
} else {
ComponentHealth::yellow(
"vlm_client",
format!("provider={vlm_name}; ipc not yet wired (AZ-673)"),
)
}
} else {
ComponentHealth::disabled(name)
}
})
.collect();
let _ = self.config.vlm.enabled; // keeps the field used until AZ-672 wiring lands
AggregatedHealth::aggregate(components)
}
}
@@ -86,6 +140,49 @@ mod tests {
std::env::temp_dir().join(format!("autopilot-test-state-{pid}-{n}"))
}
fn make_config(vlm_enabled: bool) -> Config {
use shared::config::{
DetectionsConfig, GimbalConfig, GroundStationConfig, HealthConfig, MavlinkConfig,
MissionsApiConfig, ObservabilityConfig, RtspConfig, StorageConfig, VlmConfig,
};
Config {
health: HealthConfig {
bind: "127.0.0.1:0".into(),
},
observability: ObservabilityConfig {
log_format: "json".into(),
default_log_filter: "info".into(),
},
storage: StorageConfig {
state_dir: tmp_state_dir().to_string_lossy().into_owned(),
},
rtsp: RtspConfig {
url: "rtsp://127.0.0.1:8554/x".into(),
},
gimbal: GimbalConfig {
endpoint: "127.0.0.1:0".into(),
},
mavlink: MavlinkConfig {
connection: "udp://127.0.0.1:0".into(),
},
missions_api: MissionsApiConfig {
endpoint: "http://127.0.0.1".into(),
auth_env: "X".into(),
},
ground_station: GroundStationConfig {
endpoint: "http://127.0.0.1".into(),
auth_env: "Y".into(),
},
detections: DetectionsConfig {
endpoint: "http://127.0.0.1".into(),
},
vlm: VlmConfig {
enabled: vlm_enabled,
ipc_socket: "/run/vila/ipc.sock".into(),
},
}
}
#[test]
fn ensure_state_directories_creates_subdirs() {
// Arrange
@@ -103,4 +200,31 @@ mod tests {
let _ = std::fs::remove_dir_all(&dir);
}
#[test]
fn ac3_runtime_vlm_disabled_installs_disabled_provider() {
// Arrange — config with vlm_enabled = false (this is the only
// controlling input regardless of whether the `vlm` feature is
// compiled in).
let cfg = make_config(false);
// Act
let rt = Runtime::new(cfg);
// Assert
assert_eq!(rt.vlm_provider_name(), "disabled");
}
#[cfg(feature = "vlm")]
#[test]
fn runtime_vlm_enabled_installs_vlm_client() {
// Arrange
let cfg = make_config(true);
// Act
let rt = Runtime::new(cfg);
// Assert
assert_eq!(rt.vlm_provider_name(), "vlm_client");
}
}
crates/mapobjects_store/Cargo.toml
+6 -1
View File
@@ -13,5 +13,10 @@ tokio = { workspace = true }
tracing = { workspace = true }
serde = { workspace = true }
serde_json = { workspace = true }
h3o = { workspace = true }
chrono = { workspace = true }
uuid = { workspace = true }
thiserror = { workspace = true }
# H3 indexing (h3rs) lands with AZ-665. Engine plug points (Q3) materialise in AZ-668.
# H3 spatial index lives in `internal::h3_index`. Engine plug points (Q3)
# materialise in AZ-668; ignored-suppression in AZ-666; hydrate / pending in AZ-667.
crates/mapobjects_store/src/internal/h3_index.rs
+97
View File
@@ -0,0 +1,97 @@
//! Thin wrapper around `h3o`. Centralises the H3 binding so callers in
//! `store.rs` (and future engine plug-ins) do not have to know about the
//! upstream crate's enum types.
use std::collections::HashSet;
use h3o::{CellIndex, LatLng, Resolution};
use shared::error::{AutopilotError, Result};
/// Default fine resolution per `data_model.md §H3` (~15 m edge length).
pub const DEFAULT_RESOLUTION: u8 = 10;
/// Default k-ring radius for boundary-safe lookups.
pub const DEFAULT_K_RING: u32 = 2;
/// Compute the H3 cell that contains `(lat, lon)` at the requested resolution.
pub fn cell_of(lat: f64, lon: f64, resolution: u8) -> Result<CellIndex> {
let res = Resolution::try_from(resolution).map_err(|e| {
AutopilotError::Validation(format!("invalid H3 resolution {resolution}: {e}"))
})?;
let ll = LatLng::new(lat, lon)
.map_err(|e| AutopilotError::Validation(format!("invalid lat/lon ({lat}, {lon}): {e}")))?;
Ok(ll.to_cell(res))
}
/// Return the deduplicated set of cells in the k-ring around `cell`.
///
/// `h3o::CellIndex::grid_disk` already handles pentagon/edge cases; we just
/// collect the iterator into a `HashSet` so callers can iterate once.
pub fn grid_disk(cell: CellIndex, k: u32) -> HashSet<CellIndex> {
cell.grid_disk::<HashSet<CellIndex>>(k)
}
/// Haversine great-circle distance between two GPS points, in metres.
///
/// We do all distance math in WGS-84 great-circle space (not in H3 grid
/// units) because the spec is metric: `distance_threshold_m`,
/// `move_threshold_m`. H3 cells only narrow the candidate set; the
/// final accept/reject is by haversine metres.
pub fn haversine_m(lat1: f64, lon1: f64, lat2: f64, lon2: f64) -> f64 {
const EARTH_RADIUS_M: f64 = 6_371_000.0;
let to_rad = std::f64::consts::PI / 180.0;
let dlat = (lat2 - lat1) * to_rad;
let dlon = (lon2 - lon1) * to_rad;
let a = (dlat / 2.0).sin().powi(2)
+ lat1.to_radians().cos() * lat2.to_radians().cos() * (dlon / 2.0).sin().powi(2);
let c = 2.0 * a.sqrt().asin();
EARTH_RADIUS_M * c
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn cell_of_rejects_bad_resolution() {
// Act
let err = cell_of(0.0, 0.0, 99).unwrap_err();
// Assert
assert!(matches!(err, AutopilotError::Validation(_)));
}
#[test]
fn cell_of_rejects_nan_latlon() {
// Act
let err = cell_of(f64::NAN, 0.0, 10).unwrap_err();
// Assert — h3o::LatLng::new rejects non-finite values.
assert!(matches!(err, AutopilotError::Validation(_)));
}
#[test]
fn grid_disk_contains_origin() {
// Arrange
let cell = cell_of(50.45, 30.52, 10).unwrap();
// Act
let ring = grid_disk(cell, 2);
// Assert
assert!(ring.contains(&cell));
// k=2 on a non-pentagon should yield 1 + 6 + 12 = 19 cells.
assert_eq!(ring.len(), 19);
}
#[test]
fn haversine_is_zero_for_same_point() {
// Assert
assert!(haversine_m(50.45, 30.52, 50.45, 30.52) < 1e-6);
}
#[test]
fn haversine_matches_known_distance() {
// Arrange — 1 degree of latitude ≈ 111 km along a meridian
// Act
let d = haversine_m(0.0, 0.0, 1.0, 0.0);
// Assert
assert!((d - 111_195.0).abs() < 1_000.0, "got {d} m");
}
}
crates/mapobjects_store/src/internal/mod.rs
+4
View File
@@ -0,0 +1,4 @@
//! Internal-only modules. Not part of the public `mapobjects_store` API.
pub mod h3_index;
pub mod store;
crates/mapobjects_store/src/internal/store.rs
+320
View File
@@ -0,0 +1,320 @@
//! In-memory hashmap of known map objects, keyed by H3 cell.
//!
//! Classification logic (NEW / MOVED / EXISTING) lives here. Per
//! `architecture.md §7.12` the on-device map keeps the full per-mission
//! state in memory; persistence (AZ-668) lands later.
//!
//! Concurrency: this module is intentionally single-threaded and not
//! `Sync`. The public `MapObjectsStoreHandle` wraps it in an `Arc<Mutex<…>>`
//! so the lock surface is a single owned mutex instead of fine-grained
//! per-cell locking. With p99 ≤ 1 ms and detection rates < 30 Hz the
//! single mutex is comfortably within budget.
use std::collections::HashMap;
use chrono::{DateTime, Utc};
use h3o::CellIndex;
use shared::error::Result;
use uuid::Uuid;
use super::h3_index::{cell_of, grid_disk, haversine_m, DEFAULT_K_RING, DEFAULT_RESOLUTION};
/// Per-detection input to `classify`. This bundles the georeferenced
/// payload the architecture-level "detection" carries (gps, class, conf,
/// size — see `system-flows.md §F7`) without forcing the shared
/// `Detection` model to grow geolocation fields. `scan_controller` builds
/// this from `Detection` + GPS / MGRS context at the call site.
#[derive(Debug, Clone)]
pub struct ClassifyInput {
pub gps_lat: f64,
pub gps_lon: f64,
pub mgrs: String,
pub class: String,
pub size_width_m: f32,
pub size_length_m: f32,
pub confidence: f32,
pub mission_id: String,
pub observed_at: DateTime<Utc>,
}
/// Configuration for the spatial-index + classification policy.
#[derive(Debug, Clone)]
pub struct MapObjectsStoreConfig {
/// H3 cell resolution. Default 10 (~15 m edge).
pub h3_resolution: u8,
/// K-ring radius for boundary-safe lookups. Default 2.
pub k_ring: u32,
/// Maximum distance (m) between input and stored object for the pair
/// to be considered a possible match. Beyond this → `NEW`.
pub distance_threshold_m: f64,
/// Above this delta (m) between input position and the matched
/// object's stored position, classification flips to `MOVED`.
pub move_threshold_m: f64,
/// Class-similarity groups. Each inner vec is one group; classes in
/// the same group are considered equivalent for matching (e.g.
/// `tree` and `shrub` collapsed). A class not listed in any group
/// is its own group of one.
pub similar_classes: Vec<Vec<String>>,
}
impl Default for MapObjectsStoreConfig {
fn default() -> Self {
Self {
h3_resolution: DEFAULT_RESOLUTION,
k_ring: DEFAULT_K_RING,
// Defaults follow `system-flows.md §F7` (distance 50 m,
// move 10 m). The task brief lists different per-AC values
// (30 m / 50 m) — callers override per scenario.
distance_threshold_m: 50.0,
move_threshold_m: 10.0,
similar_classes: Vec::new(),
}
}
}
/// Outcome of `MapObjectsStore::classify`.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Classification {
New {
id: Uuid,
},
Moved {
id: Uuid,
from_mgrs: String,
to_mgrs: String,
},
Existing {
id: Uuid,
},
/// Reserved for AZ-666 end-of-pass sweep.
RemovedCandidate {
id: Uuid,
},
/// Reserved for AZ-666 ignored-suppression.
Ignored,
}
/// Stored shape. Fields beyond what `classify` reads are kept for the
/// next batch in the same component (AZ-666 ignored-suppression / sweep,
/// AZ-667 hydrate / dump_pending) which will surface them via the engine
/// API. The lint allow is scoped to those forward-use fields.
#[allow(dead_code)]
#[derive(Debug, Clone)]
struct StoredMapObject {
id: Uuid,
h3_cell: CellIndex,
mgrs: String,
class: String,
class_group: String,
gps_lat: f64,
gps_lon: f64,
size_width_m: f32,
size_length_m: f32,
confidence: f32,
first_seen: DateTime<Utc>,
last_seen: DateTime<Utc>,
mission_id: String,
}
/// In-memory spatial index of known map objects.
pub struct Store {
config: MapObjectsStoreConfig,
by_cell: HashMap<CellIndex, Vec<StoredMapObject>>,
/// Total object count, maintained alongside `by_cell` for O(1) metrics.
len: usize,
}
impl Store {
pub fn new(config: MapObjectsStoreConfig) -> Self {
Self {
config,
by_cell: HashMap::new(),
len: 0,
}
}
pub fn len(&self) -> usize {
self.len
}
/// Exposed for AZ-666/AZ-667 engine plug-points (`internal::engine::*`).
#[allow(dead_code)]
pub fn config(&self) -> &MapObjectsStoreConfig {
&self.config
}
/// Resolve a raw class string to its canonical group key.
///
/// The first class listed in a `similar_classes` group is the group
/// key. A class absent from all groups is its own group.
fn group_key(&self, class: &str) -> String {
for group in &self.config.similar_classes {
if group.iter().any(|c| c == class) {
// group[0] is guaranteed by Vec invariants once we filter
// empty groups out (see new). But be defensive.
if let Some(first) = group.first() {
return first.clone();
}
}
}
class.to_string()
}
/// Classify a single detection input. Mutates the store on `New` /
/// `Moved` / `Existing` (insert / position-update / last_seen-update
/// respectively). Returns the classification.
pub fn classify(&mut self, input: ClassifyInput) -> Result<Classification> {
let query_cell = cell_of(input.gps_lat, input.gps_lon, self.config.h3_resolution)?;
let group = self.group_key(&input.class);
// Find the nearest matching object across the k-ring.
let mut best: Option<(CellIndex, usize, f64)> = None;
let disk = grid_disk(query_cell, self.config.k_ring);
for cell in &disk {
if let Some(objects) = self.by_cell.get(cell) {
for (idx, obj) in objects.iter().enumerate() {
if obj.class_group != group {
continue;
}
let d = haversine_m(input.gps_lat, input.gps_lon, obj.gps_lat, obj.gps_lon);
if d > self.config.distance_threshold_m {
continue;
}
if best.is_none_or(|(_, _, prev_d)| d < prev_d) {
best = Some((*cell, idx, d));
}
}
}
}
match best {
Some((cell, idx, delta_m)) if delta_m >= self.config.move_threshold_m => {
// MOVED — update stored position to the new observation.
let bucket = self
.by_cell
.get_mut(&cell)
.expect("cell present during best-match scan");
let obj = &mut bucket[idx];
let from_mgrs = obj.mgrs.clone();
let id = obj.id;
obj.gps_lat = input.gps_lat;
obj.gps_lon = input.gps_lon;
obj.mgrs = input.mgrs.clone();
obj.last_seen = input.observed_at;
obj.confidence = input.confidence;
// If the new GPS sits in a different H3 cell, re-bucket.
if cell != query_cell {
let moved = bucket.remove(idx);
if bucket.is_empty() {
self.by_cell.remove(&cell);
}
self.by_cell
.entry(query_cell)
.or_default()
.push(StoredMapObject {
h3_cell: query_cell,
..moved
});
}
Ok(Classification::Moved {
id,
from_mgrs,
to_mgrs: input.mgrs,
})
}
Some((cell, idx, _)) => {
// EXISTING — just refresh last_seen.
let bucket = self
.by_cell
.get_mut(&cell)
.expect("cell present during best-match scan");
let obj = &mut bucket[idx];
obj.last_seen = input.observed_at;
Ok(Classification::Existing { id: obj.id })
}
None => {
// NEW — insert.
let id = Uuid::new_v4();
let stored = StoredMapObject {
id,
h3_cell: query_cell,
mgrs: input.mgrs.clone(),
class: input.class.clone(),
class_group: group,
gps_lat: input.gps_lat,
gps_lon: input.gps_lon,
size_width_m: input.size_width_m,
size_length_m: input.size_length_m,
confidence: input.confidence,
first_seen: input.observed_at,
last_seen: input.observed_at,
mission_id: input.mission_id.clone(),
};
self.by_cell.entry(query_cell).or_default().push(stored);
self.len += 1;
Ok(Classification::New { id })
}
}
}
}
#[cfg(test)]
mod tests {
use super::*;
fn input(lat: f64, lon: f64, class: &str) -> ClassifyInput {
ClassifyInput {
gps_lat: lat,
gps_lon: lon,
mgrs: format!("MGRS({lat},{lon})"),
class: class.into(),
size_width_m: 1.0,
size_length_m: 1.0,
confidence: 0.9,
mission_id: "m1".into(),
observed_at: Utc::now(),
}
}
#[test]
fn group_key_returns_class_when_unknown() {
// Arrange
let s = Store::new(MapObjectsStoreConfig::default());
// Act + Assert
assert_eq!(s.group_key("tank"), "tank");
}
#[test]
fn group_key_collapses_similar_classes() {
// Arrange
let cfg = MapObjectsStoreConfig {
similar_classes: vec![vec!["tree".into(), "shrub".into()]],
..MapObjectsStoreConfig::default()
};
let s = Store::new(cfg);
// Assert
assert_eq!(s.group_key("tree"), "tree");
assert_eq!(s.group_key("shrub"), "tree");
assert_eq!(s.group_key("rock"), "rock");
}
#[test]
fn empty_store_has_zero_len() {
// Arrange
let s = Store::new(MapObjectsStoreConfig::default());
// Assert
assert_eq!(s.len(), 0);
}
#[test]
fn first_classify_is_new() {
// Arrange
let mut s = Store::new(MapObjectsStoreConfig::default());
// Act
let c = s.classify(input(50.45, 30.52, "tank")).unwrap();
// Assert
assert!(matches!(c, Classification::New { .. }));
assert_eq!(s.len(), 1);
}
}
crates/mapobjects_store/src/lib.rs
+127 -31
View File
@@ -1,30 +1,30 @@
//! `mapobjects_store` — H3-indexed on-device map of detected objects.
//!
//! Real implementation lands in:
//! - AZ-665 `mapobjects_store_h3_classify`
//! - AZ-666 `mapobjects_store_ignored_and_pass_sweep`
//! - AZ-667 `mapobjects_store_hydrate_and_pending`
//! - AZ-668 `mapobjects_store_persistence`
//! AZ-665 ships the spatial index + classify path:
//! - `internal::h3_index` — `h3o` wrapper, cell lookup, k-ring queries,
//! haversine distance.
//! - `internal::store` — in-memory `(H3_cell, class_group) → MapObject`
//! hashmap with `classify(ClassifyInput) → Classification`.
//!
//! Remaining work tracked in:
//! - AZ-666 `mapobjects_store_ignored_and_pass_sweep`
//! - AZ-667 `mapobjects_store_hydrate_and_pending`
//! - AZ-668 `mapobjects_store_persistence`
use std::sync::{Arc, Mutex};
use serde::{Deserialize, Serialize};
use shared::error::{AutopilotError, Result};
use shared::health::ComponentHealth;
use shared::models::detection::Detection;
use shared::models::mapobject::MapObjectsBundle;
use shared::models::poi::Poi;
const NAME: &str = "mapobjects_store";
mod internal;
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "SCREAMING_SNAKE_CASE")]
pub enum Classification {
New,
Moved,
Existing,
RemovedCandidate,
Ignored,
}
pub use internal::store::{Classification, ClassifyInput, MapObjectsStoreConfig};
const NAME: &str = "mapobjects_store";
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
@@ -39,32 +39,64 @@ pub enum SyncState {
PushDeferred,
}
pub struct MapObjectsStore;
/// Owns the in-memory map. Construct once at the composition root and
/// share via the cloneable `MapObjectsStoreHandle`.
pub struct MapObjectsStore {
inner: Arc<Mutex<internal::store::Store>>,
}
impl MapObjectsStore {
pub fn new() -> Self {
Self
pub fn new(config: MapObjectsStoreConfig) -> Self {
Self {
inner: Arc::new(Mutex::new(internal::store::Store::new(config))),
}
}
pub fn handle(&self) -> MapObjectsStoreHandle {
MapObjectsStoreHandle
MapObjectsStoreHandle {
inner: self.inner.clone(),
}
}
}
impl Default for MapObjectsStore {
fn default() -> Self {
Self::new()
Self::new(MapObjectsStoreConfig::default())
}
}
#[derive(Clone, Copy)]
pub struct MapObjectsStoreHandle;
#[derive(Clone)]
pub struct MapObjectsStoreHandle {
inner: Arc<Mutex<internal::store::Store>>,
}
impl MapObjectsStoreHandle {
pub async fn classify(&self, _detection: Detection) -> Result<Classification> {
Err(AutopilotError::NotImplemented(
"mapobjects_store::classify (AZ-665)",
))
/// Classify a georeferenced detection. See `system-flows.md §F7`.
///
/// Sync because the operation is in-memory and the p99 ≤ 1 ms budget
/// (per `description.md §9`) is easier to honour without crossing an
/// async boundary.
pub fn classify(&self, input: ClassifyInput) -> Result<Classification> {
let mut guard = self
.inner
.lock()
.map_err(|_| AutopilotError::Internal("mapobjects_store mutex poisoned".into()))?;
guard.classify(input)
}
/// Total number of MapObjects currently indexed. Useful for tests and
/// health surfaces.
pub fn len(&self) -> Result<usize> {
let guard = self
.inner
.lock()
.map_err(|_| AutopilotError::Internal("mapobjects_store mutex poisoned".into()))?;
Ok(guard.len())
}
/// `true` when the store has no indexed objects. Mirrors `len() == 0`.
pub fn is_empty(&self) -> Result<bool> {
Ok(self.len()? == 0)
}
pub async fn apply_decline(&self, _poi: Poi) -> Result<()> {
@@ -92,17 +124,81 @@ impl MapObjectsStoreHandle {
}
pub fn health(&self) -> ComponentHealth {
ComponentHealth::disabled(NAME)
match self.inner.lock() {
Ok(guard) => {
ComponentHealth::green(NAME).with_detail(format!("indexed_objects={}", guard.len()))
}
Err(_) => ComponentHealth::red(NAME, "mutex poisoned"),
}
}
}
trait HealthDetail {
fn with_detail(self, detail: impl Into<String>) -> Self;
}
impl HealthDetail for ComponentHealth {
fn with_detail(mut self, detail: impl Into<String>) -> Self {
self.detail = Some(detail.into());
self
}
}
#[cfg(test)]
mod tests {
use super::*;
use chrono::Utc;
fn input(lat: f64, lon: f64, class: &str) -> ClassifyInput {
ClassifyInput {
gps_lat: lat,
gps_lon: lon,
mgrs: format!("MGRS({lat},{lon})"),
class: class.into(),
size_width_m: 1.0,
size_length_m: 1.0,
confidence: 0.9,
mission_id: "m1".into(),
observed_at: Utc::now(),
}
}
#[test]
fn it_compiles() {
let h = MapObjectsStore::new().handle();
assert_eq!(h.health().level, shared::health::HealthLevel::Disabled);
fn handle_classify_new_then_existing() {
// Arrange
let store = MapObjectsStore::default();
let h = store.handle();
// Act
let first = h.classify(input(50.45, 30.52, "tank")).unwrap();
let second = h.classify(input(50.45, 30.52, "tank")).unwrap();
// Assert
let new_id = match first {
Classification::New { id } => id,
other => panic!("expected New, got {other:?}"),
};
match second {
Classification::Existing { id } => assert_eq!(id, new_id),
other => panic!("expected Existing, got {other:?}"),
}
assert_eq!(h.len().unwrap(), 1);
}
#[test]
fn health_reports_indexed_count() {
// Arrange
let store = MapObjectsStore::default();
let h = store.handle();
h.classify(input(50.45, 30.52, "tank")).unwrap();
// Act
let health = h.health();
// Assert
assert_eq!(health.level, shared::health::HealthLevel::Green);
assert!(health
.detail
.as_deref()
.unwrap()
.contains("indexed_objects=1"));
}
}
crates/mapobjects_store/tests/classify.rs
+271
View File
@@ -0,0 +1,271 @@
//! AZ-665 — H3 indexing + k-ring classify acceptance tests.
use chrono::Utc;
use mapobjects_store::{Classification, ClassifyInput, MapObjectsStore, MapObjectsStoreConfig};
/// Approximate metres-per-degree of latitude. Good enough at all
/// latitudes for the small per-test offsets used below (560 m).
const M_PER_DEG_LAT: f64 = 111_320.0;
/// Approximate metres-per-degree of longitude at a given latitude.
fn m_per_deg_lon(lat_deg: f64) -> f64 {
M_PER_DEG_LAT * lat_deg.to_radians().cos()
}
/// Shift a base point north by `dn` metres and east by `de` metres.
/// Sufficiently accurate for the < 100 m offsets in these tests.
fn shift_m(base_lat: f64, base_lon: f64, dn_m: f64, de_m: f64) -> (f64, f64) {
let lat = base_lat + dn_m / M_PER_DEG_LAT;
let lon = base_lon + de_m / m_per_deg_lon(base_lat);
(lat, lon)
}
fn input(lat: f64, lon: f64, class: &str) -> ClassifyInput {
ClassifyInput {
gps_lat: lat,
gps_lon: lon,
mgrs: format!("MGRS({lat:.6},{lon:.6})"),
class: class.into(),
size_width_m: 2.0,
size_length_m: 2.0,
confidence: 0.9,
mission_id: "m-az665".into(),
observed_at: Utc::now(),
}
}
const ANCHOR_LAT: f64 = 50.450_000;
const ANCHOR_LON: f64 = 30.520_000;
// ---------------------------------------------------------------------
// AC-1: New detection at unseen MGRS → Classification::New
// ---------------------------------------------------------------------
#[test]
fn ac1_first_detection_returns_new() {
// Arrange
let h = MapObjectsStore::default().handle();
// Act
let c = h.classify(input(ANCHOR_LAT, ANCHOR_LON, "tank")).unwrap();
// Assert
assert!(
matches!(c, Classification::New { .. }),
"expected New, got {c:?}",
);
assert_eq!(h.len().unwrap(), 1);
}
// ---------------------------------------------------------------------
// AC-2: Existing within distance_threshold → Classification::Existing
// distance_threshold_m = 30, move_threshold high enough that
// delta < move_threshold yields Existing.
// ---------------------------------------------------------------------
#[test]
fn ac2_within_distance_threshold_returns_existing() {
// Arrange
let cfg = MapObjectsStoreConfig {
distance_threshold_m: 30.0,
// Anything > distance_threshold guarantees the in-window match
// never flips to Moved.
move_threshold_m: 100.0,
..MapObjectsStoreConfig::default()
};
let store = MapObjectsStore::new(cfg);
let h = store.handle();
let first = h.classify(input(ANCHOR_LAT, ANCHOR_LON, "tank")).unwrap();
let original_id = match first {
Classification::New { id } => id,
other => panic!("setup: expected New, got {other:?}"),
};
// Act — same class, 5 m north of the anchor.
let (lat2, lon2) = shift_m(ANCHOR_LAT, ANCHOR_LON, 5.0, 0.0);
let c = h.classify(input(lat2, lon2, "tank")).unwrap();
// Assert
match c {
Classification::Existing { id } => assert_eq!(id, original_id),
other => panic!("expected Existing, got {other:?}"),
}
assert_eq!(h.len().unwrap(), 1, "no new objects should be inserted");
}
// ---------------------------------------------------------------------
// AC-3: Moved beyond move_threshold → Classification::Moved
// distance_threshold large enough to admit the 60 m candidate.
// ---------------------------------------------------------------------
#[test]
fn ac3_beyond_move_threshold_returns_moved() {
// Arrange
let cfg = MapObjectsStoreConfig {
distance_threshold_m: 100.0,
move_threshold_m: 50.0,
..MapObjectsStoreConfig::default()
};
let store = MapObjectsStore::new(cfg);
let h = store.handle();
let initial = input(ANCHOR_LAT, ANCHOR_LON, "tank");
let from_mgrs = initial.mgrs.clone();
let first = h.classify(initial).unwrap();
let original_id = match first {
Classification::New { id } => id,
other => panic!("setup: expected New, got {other:?}"),
};
// Act — same class, 60 m north of the anchor.
let (lat2, lon2) = shift_m(ANCHOR_LAT, ANCHOR_LON, 60.0, 0.0);
let next = input(lat2, lon2, "tank");
let to_mgrs = next.mgrs.clone();
let c = h.classify(next).unwrap();
// Assert
match c {
Classification::Moved {
id,
from_mgrs: f,
to_mgrs: t,
} => {
assert_eq!(id, original_id);
assert_eq!(f, from_mgrs);
assert_eq!(t, to_mgrs);
}
other => panic!("expected Moved, got {other:?}"),
}
assert_eq!(h.len().unwrap(), 1, "Moved is an update, not an insert");
}
// ---------------------------------------------------------------------
// AC-4: k-ring boundary lookup. A second detection in a *different* H3
// cell (boundary cell) must still match the original because k=2 widens
// the lookup. We pick a delta (~12 m east) that crosses the ~15 m res-10
// cell boundary while staying well within distance_threshold.
// ---------------------------------------------------------------------
#[test]
fn ac4_k_ring_finds_match_in_neighbour_cell() {
// Arrange
let cfg = MapObjectsStoreConfig {
h3_resolution: 10,
k_ring: 2,
distance_threshold_m: 30.0,
move_threshold_m: 100.0,
..MapObjectsStoreConfig::default()
};
let store = MapObjectsStore::new(cfg);
let h = store.handle();
h.classify(input(ANCHOR_LAT, ANCHOR_LON, "tank")).unwrap();
// Act — 12 m east. At res 10 (~15 m edge) this crosses to a
// neighbouring cell with very high probability for arbitrary anchor.
let (lat2, lon2) = shift_m(ANCHOR_LAT, ANCHOR_LON, 0.0, 12.0);
let c = h.classify(input(lat2, lon2, "tank")).unwrap();
// Assert — the k-ring widen must catch it.
assert!(
matches!(c, Classification::Existing { .. }),
"expected Existing (k-ring match), got {c:?}",
);
assert_eq!(h.len().unwrap(), 1);
}
// ---------------------------------------------------------------------
// Class-group similarity widens matching beyond exact-class equality.
// Covers `similar_classes` configuration.
// ---------------------------------------------------------------------
#[test]
fn similar_classes_collapse_to_same_group() {
// Arrange
let cfg = MapObjectsStoreConfig {
distance_threshold_m: 30.0,
move_threshold_m: 100.0,
similar_classes: vec![vec!["tree".into(), "shrub".into()]],
..MapObjectsStoreConfig::default()
};
let store = MapObjectsStore::new(cfg);
let h = store.handle();
h.classify(input(ANCHOR_LAT, ANCHOR_LON, "tree")).unwrap();
// Act — same place, different (but collapsed) class.
let c = h.classify(input(ANCHOR_LAT, ANCHOR_LON, "shrub")).unwrap();
// Assert
assert!(matches!(c, Classification::Existing { .. }), "got {c:?}");
}
#[test]
fn different_classes_do_not_collapse() {
// Arrange
let store = MapObjectsStore::default();
let h = store.handle();
h.classify(input(ANCHOR_LAT, ANCHOR_LON, "tree")).unwrap();
// Act
let c = h.classify(input(ANCHOR_LAT, ANCHOR_LON, "tank")).unwrap();
// Assert — disjoint classes must each get their own row.
assert!(matches!(c, Classification::New { .. }), "got {c:?}");
assert_eq!(h.len().unwrap(), 2);
}
// ---------------------------------------------------------------------
// AC-5: p99 ≤ 1 ms with 10 000 warm objects.
//
// Debug builds are 3-10× slower than release. Gate behind `--ignored`
// so default `cargo test` stays fast and CI explicitly opts in via
// `cargo test --release -- --ignored ac5_classify_p99`. Asserting on a
// debug build would be flaky.
// ---------------------------------------------------------------------
#[test]
#[ignore = "perf-only: run with `cargo test --release -p mapobjects_store -- --ignored`"]
fn ac5_classify_p99_under_one_ms() {
// Arrange — tight match window so seeded points placed on a 30 m grid
// remain distinct rows. 100 × 100 grid → 3 km × 3 km area, 10 000 rows.
let cfg = MapObjectsStoreConfig {
h3_resolution: 10,
k_ring: 2,
distance_threshold_m: 5.0,
move_threshold_m: 100.0,
similar_classes: Vec::new(),
};
let store = MapObjectsStore::new(cfg);
let h = store.handle();
const GRID_STEP_M: f64 = 30.0;
for i in 0..10_000_u32 {
let row = i / 100;
let col = i % 100;
let dn = row as f64 * GRID_STEP_M;
let de = col as f64 * GRID_STEP_M;
let (lat, lon) = shift_m(ANCHOR_LAT, ANCHOR_LON, dn, de);
h.classify(input(lat, lon, "tank")).unwrap();
}
assert_eq!(h.len().unwrap(), 10_000);
// Act — 1 000 classifications at points midway between grid nodes so
// most queries land inside a populated k-ring without matching any
// single row (worst-case lookup cost).
let mut samples = Vec::with_capacity(1_000);
for i in 0..1_000_u32 {
let row = (i / 50) as f64;
let col = (i % 50) as f64;
let dn = row * GRID_STEP_M + GRID_STEP_M / 2.0;
let de = col * GRID_STEP_M + GRID_STEP_M / 2.0;
let (lat, lon) = shift_m(ANCHOR_LAT, ANCHOR_LON, dn, de);
let t0 = std::time::Instant::now();
let _ = h.classify(input(lat, lon, "tank")).unwrap();
samples.push(t0.elapsed());
}
// Assert — p99 ≤ 1 ms.
samples.sort();
let p99 = samples[(samples.len() as f64 * 0.99) as usize];
assert!(
p99 <= std::time::Duration::from_millis(1),
"p99 was {p99:?} (expected ≤1 ms)",
);
}
crates/mavlink_layer/Cargo.toml
+2
View File
@@ -15,6 +15,8 @@ async-trait = { workspace = true }
thiserror = { workspace = true }
bytes = { workspace = true }
tokio-serial = { workspace = true }
sha2 = { workspace = true }
chrono = { workspace = true }
[dev-dependencies]
tokio = { workspace = true, features = ["rt-multi-thread", "macros", "sync", "time", "io-util", "net", "signal", "test-util"] }
crates/mavlink_layer/src/internal/ack_demux.rs
+150
View File
@@ -0,0 +1,150 @@
//! In-flight `COMMAND_LONG` → `COMMAND_ACK` demultiplexer.
//!
//! Each outbound `COMMAND_LONG` registers a one-shot waiter keyed by
//! `command_id`. The inbound message pump (`MavlinkLayer::process_decoder_event`)
//! looks up the waiter on every `COMMAND_ACK` and resolves it. Unmatched acks
//! are logged but do not break the link. Timeouts are enforced by the caller's
//! `send_command` future; on timeout the waiter is removed so the map cannot
//! leak.
use std::collections::HashMap;
use std::sync::Mutex;
use tokio::sync::oneshot;
use super::codec::messages::CommandAck;
#[derive(Debug, Default)]
pub struct AckDemux {
waiters: Mutex<HashMap<u16, oneshot::Sender<CommandAck>>>,
}
#[derive(Debug)]
pub enum AckDemuxRegister {
/// Caller now owns this receiver; the demux owns the matching sender.
Receiver(oneshot::Receiver<CommandAck>),
/// A waiter for `command_id` is already in flight; refuse to register a
/// second one.
Duplicate,
}
impl AckDemux {
pub fn new() -> Self {
Self {
waiters: Mutex::new(HashMap::new()),
}
}
/// Register a waiter for the given `command_id`. Returns the receiver end
/// of the oneshot channel; the demux holds the sender until the matching
/// ack arrives, the caller times out, or the entry is force-cleared.
pub fn register(&self, command_id: u16) -> AckDemuxRegister {
let (tx, rx) = oneshot::channel();
let mut guard = self.waiters.lock().expect("ack demux mutex poisoned");
if guard.contains_key(&command_id) {
return AckDemuxRegister::Duplicate;
}
guard.insert(command_id, tx);
AckDemuxRegister::Receiver(rx)
}
/// Deliver an inbound ack to its waiter. Returns `true` if a waiter was
/// resolved; `false` if the ack did not match any in-flight command (the
/// caller may log this for visibility but must not treat it as fatal).
pub fn dispatch(&self, ack: CommandAck) -> bool {
let waiter = {
let mut guard = self.waiters.lock().expect("ack demux mutex poisoned");
guard.remove(&ack.command)
};
match waiter {
Some(tx) => tx.send(ack).is_ok(),
None => false,
}
}
/// Forget the waiter for `command_id` without resolving it. Used by the
/// caller's timeout path so the map cannot leak.
pub fn forget(&self, command_id: u16) {
let mut guard = self.waiters.lock().expect("ack demux mutex poisoned");
guard.remove(&command_id);
}
/// Number of currently-in-flight commands. Exposed via `MavlinkHandle::health`.
pub fn in_flight(&self) -> usize {
let guard = self.waiters.lock().expect("ack demux mutex poisoned");
guard.len()
}
}
#[cfg(test)]
mod tests {
use super::*;
fn ack(command: u16, result: u8) -> CommandAck {
CommandAck { command, result }
}
#[tokio::test]
async fn register_then_dispatch_resolves_waiter() {
// Arrange
let demux = AckDemux::new();
let rx = match demux.register(20) {
AckDemuxRegister::Receiver(rx) => rx,
AckDemuxRegister::Duplicate => panic!("expected fresh registration"),
};
// Act
let dispatched = demux.dispatch(ack(20, 0));
let got = rx.await.expect("waiter must be resolved");
// Assert
assert!(dispatched);
assert_eq!(got.command, 20);
assert_eq!(got.result, 0);
assert_eq!(demux.in_flight(), 0);
}
#[tokio::test]
async fn duplicate_registration_is_refused() {
// Arrange
let demux = AckDemux::new();
let _rx = demux.register(20);
// Act
let again = demux.register(20);
// Assert
assert!(matches!(again, AckDemuxRegister::Duplicate));
}
#[tokio::test]
async fn dispatch_without_waiter_returns_false() {
// Arrange
let demux = AckDemux::new();
// Act
let dispatched = demux.dispatch(ack(20, 0));
// Assert
assert!(!dispatched);
}
#[tokio::test]
async fn forget_removes_entry_without_resolving() {
// Arrange
let demux = AckDemux::new();
let rx = match demux.register(20) {
AckDemuxRegister::Receiver(rx) => rx,
_ => panic!("expected receiver"),
};
// Act
demux.forget(20);
let dispatched = demux.dispatch(ack(20, 0));
// Assert: dropping the sender closes the receiver
assert!(!dispatched);
assert_eq!(demux.in_flight(), 0);
assert!(rx.await.is_err());
}
}
crates/mavlink_layer/src/internal/codec/decoder.rs
+64
View File
@@ -8,6 +8,7 @@
use super::crc::frame_crc;
use super::messages::{crc_extra_for_id, MavlinkMessage};
use super::parse_errors::{ParseErrorKind, ParseErrors};
use super::signing::Verifier;
use super::{HEADER_LEN, INCOMPAT_FLAG_SIGNED, MAVLINK_V2_STX, MAX_PAYLOAD, SIGNATURE_LEN};
#[derive(Debug, Clone, PartialEq)]
@@ -37,6 +38,21 @@ pub enum DecoderEvent {
expected: u8,
actual: u8,
},
/// A signed frame's trailer did not match the configured verifier, or a
/// signing-required link received an unsigned frame.
SigningMismatch {
msg_id: u32,
seq: u8,
reason: SigningReject,
},
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SigningReject {
/// `incompat_flags` bit 0 was set but the signature trailer did not verify.
BadSignature,
/// A verifier is configured but the inbound frame was unsigned.
Unsigned,
}
#[derive(Debug)]
@@ -46,6 +62,7 @@ pub struct Decoder {
pub errors: ParseErrors,
/// Last sequence number per (sysid, compid).
last_seq: std::collections::HashMap<(u8, u8), u8>,
verifier: Option<Verifier>,
}
impl Default for Decoder {
@@ -60,9 +77,27 @@ impl Decoder {
buf: Vec::with_capacity(4 * 1024),
errors: ParseErrors::new(),
last_seq: std::collections::HashMap::new(),
verifier: None,
}
}
/// Construct a decoder that validates the MAVLink-2 signing trailer on
/// inbound frames. Mismatched signatures are surfaced as
/// [`DecoderEvent::SigningMismatch`] and counted via
/// [`ParseErrorKind::SigningMismatch`].
pub fn with_verifier(verifier: Verifier) -> Self {
Self {
buf: Vec::with_capacity(4 * 1024),
errors: ParseErrors::new(),
last_seq: std::collections::HashMap::new(),
verifier: Some(verifier),
}
}
pub fn signing_enabled(&self) -> bool {
self.verifier.is_some()
}
/// Push raw bytes into the decoder and drain any complete events.
pub fn feed(&mut self, bytes: &[u8]) -> Vec<DecoderEvent> {
self.buf.extend_from_slice(bytes);
@@ -147,6 +182,35 @@ impl Decoder {
}
}
if let Some(verifier) = &self.verifier {
let is_signed = incompat & INCOMPAT_FLAG_SIGNED != 0;
if !is_signed {
self.errors.record(ParseErrorKind::SigningMismatch);
events.push(DecoderEvent::SigningMismatch {
msg_id,
seq,
reason: SigningReject::Unsigned,
});
self.buf.drain(..total_frame);
continue;
}
let body_end = HEADER_LEN + payload_len + 2;
let trailer_start = body_end;
let trailer_end = trailer_start + SIGNATURE_LEN;
let frame_until_crc = &self.buf[..body_end];
let trailer = &self.buf[trailer_start..trailer_end];
if !verifier.verify(frame_until_crc, trailer) {
self.errors.record(ParseErrorKind::SigningMismatch);
events.push(DecoderEvent::SigningMismatch {
msg_id,
seq,
reason: SigningReject::BadSignature,
});
self.buf.drain(..total_frame);
continue;
}
}
let payload = &self.buf[HEADER_LEN..HEADER_LEN + payload_len];
match MavlinkMessage::decode(msg_id, payload) {
Ok(message) => {
crates/mavlink_layer/src/internal/codec/encoder.rs
+36 -4
View File
@@ -1,19 +1,23 @@
//! MAVLink v2 frame encoder.
//!
//! The encoder owns the per-link outbound `tx_seq` counter and is the single
//! place that lays down the wire bytes.
//! place that lays down the wire bytes. When configured with a [`Signer`],
//! it appends the 13-byte MAVLink-2 signing trailer and sets the `incompat`
//! flag accordingly (AZ-643).
use std::sync::atomic::{AtomicU8, Ordering};
use super::crc::frame_crc;
use super::messages::MavlinkMessage;
use super::{HEADER_LEN, MAVLINK_V2_STX};
use super::signing::Signer;
use super::{HEADER_LEN, INCOMPAT_FLAG_SIGNED, MAVLINK_V2_STX};
#[derive(Debug)]
pub struct Encoder {
sysid: u8,
compid: u8,
tx_seq: AtomicU8,
signer: Option<Signer>,
}
impl Encoder {
@@ -22,6 +26,17 @@ impl Encoder {
sysid,
compid,
tx_seq: AtomicU8::new(0),
signer: None,
}
}
/// Construct an encoder that signs every outbound frame.
pub fn with_signer(sysid: u8, compid: u8, signer: Signer) -> Self {
Self {
sysid,
compid,
tx_seq: AtomicU8::new(0),
signer: Some(signer),
}
}
@@ -33,10 +48,16 @@ impl Encoder {
self.compid
}
pub fn signing_enabled(&self) -> bool {
self.signer.is_some()
}
/// Encode `msg` into a self-contained MAVLink v2 frame on the wire.
///
/// Trailing-zero payload bytes are truncated per the MAVLink spec. Each
/// call advances the per-link tx sequence counter by 1 with wrap-around.
/// If the encoder was constructed with a [`Signer`], the 13-byte signing
/// trailer is appended and `incompat_flags` bit 0 is set.
pub fn encode(&self, msg: &MavlinkMessage) -> Vec<u8> {
let mut full_payload = Vec::with_capacity(64);
msg.encode_payload(&mut full_payload);
@@ -45,13 +66,20 @@ impl Encoder {
let msg_id = msg.msg_id();
let seq = self.tx_seq.fetch_add(1, Ordering::Relaxed);
let mut frame = Vec::with_capacity(HEADER_LEN + payload_len + 2);
let incompat_flags = if self.signer.is_some() {
INCOMPAT_FLAG_SIGNED
} else {
0
};
let trailer_len = if self.signer.is_some() { 13 } else { 0 };
let mut frame = Vec::with_capacity(HEADER_LEN + payload_len + 2 + trailer_len);
frame.push(MAVLINK_V2_STX);
// Body that the CRC covers begins here.
let body_start = frame.len();
frame.push(payload_len as u8);
frame.push(0); // incompat_flags (no signing in this task — AZ-643)
frame.push(incompat_flags);
frame.push(0); // compat_flags
frame.push(seq);
frame.push(self.sysid);
@@ -64,6 +92,10 @@ impl Encoder {
let crc = frame_crc(&frame[body_start..], msg.crc_extra());
frame.extend_from_slice(&crc.to_le_bytes());
if let Some(signer) = &self.signer {
signer.sign_into(&mut frame);
}
frame
}
}
crates/mavlink_layer/src/internal/codec/mod.rs
+2
View File
@@ -9,6 +9,7 @@ pub mod decoder;
pub mod encoder;
pub mod messages;
pub mod parse_errors;
pub mod signing;
pub use decoder::{Decoder, DecoderEvent};
pub use encoder::Encoder;
@@ -18,6 +19,7 @@ pub use messages::{
MissionItemReached, MissionRequestInt, MissionSetCurrent, SetMode, StatusText, SysStatus,
};
pub use parse_errors::{ParseErrorKind, ParseErrors};
pub use signing::{Signer, SigningKey, Verifier};
/// MAVLink v2 frame start byte.
pub const MAVLINK_V2_STX: u8 = 0xFD;
crates/mavlink_layer/src/internal/codec/parse_errors.rs
+12 -1
View File
@@ -14,6 +14,8 @@ pub enum ParseErrorKind {
SequenceGap,
/// Message-specific payload decode failed (e.g. enum out of range).
InvalidPayload,
/// MAVLink-2 signing trailer did not match the verifier's secret + timestamp policy.
SigningMismatch,
}
#[derive(Debug, Default)]
@@ -23,6 +25,7 @@ pub struct ParseErrors {
unknown_id: AtomicU64,
sequence_gap: AtomicU64,
invalid_payload: AtomicU64,
signing_mismatch: AtomicU64,
}
impl ParseErrors {
@@ -37,6 +40,7 @@ impl ParseErrors {
ParseErrorKind::UnknownId => &self.unknown_id,
ParseErrorKind::SequenceGap => &self.sequence_gap,
ParseErrorKind::InvalidPayload => &self.invalid_payload,
ParseErrorKind::SigningMismatch => &self.signing_mismatch,
};
cell.fetch_add(1, Ordering::Relaxed);
}
@@ -48,6 +52,7 @@ impl ParseErrors {
unknown_id: self.unknown_id.load(Ordering::Relaxed),
sequence_gap: self.sequence_gap.load(Ordering::Relaxed),
invalid_payload: self.invalid_payload.load(Ordering::Relaxed),
signing_mismatch: self.signing_mismatch.load(Ordering::Relaxed),
}
}
}
@@ -59,11 +64,17 @@ pub struct ParseErrorsSnapshot {
pub unknown_id: u64,
pub sequence_gap: u64,
pub invalid_payload: u64,
pub signing_mismatch: u64,
}
impl ParseErrorsSnapshot {
pub fn total(&self) -> u64 {
self.crc + self.truncated + self.unknown_id + self.sequence_gap + self.invalid_payload
self.crc
+ self.truncated
+ self.unknown_id
+ self.sequence_gap
+ self.invalid_payload
+ self.signing_mismatch
}
}
crates/mavlink_layer/src/internal/codec/signing.rs
+280
View File
@@ -0,0 +1,280 @@
//! MAVLink v2 message signing (per the MAVLink spec).
//!
//! When signing is enabled, outbound frames carry a 13-byte trailer:
//! `link_id(1) || timestamp(6, LE) || signature(6)` and have the `incompat_flags`
//! bit 0 set. Inbound signed frames are validated against the configured
//! secret key; mismatched signatures are rejected by the decoder.
//!
//! Algorithm: `signature = first 6 bytes of SHA-256(secret_key(32) || frame(1+9+payload+2) || link_id(1) || timestamp_le(6))`
//! where `frame` is the full pre-signature MAVLink-2 frame (STX through CRC).
//!
//! Timestamp epoch: 2015-01-01T00:00:00Z, granularity 10 μs (per the spec).
use std::sync::atomic::{AtomicU64, Ordering};
use chrono::{TimeZone, Utc};
use sha2::{Digest, Sha256};
use super::SIGNATURE_LEN;
/// Length of the truncated signature within the trailer.
pub const SIGNATURE_BYTES: usize = 6;
/// Length of the signing key in bytes.
pub const SIGNING_KEY_LEN: usize = 32;
/// Length of the per-frame timestamp field within the trailer.
pub const TIMESTAMP_LEN: usize = 6;
/// MAVLink-2 signing epoch — `2015-01-01T00:00:00Z`.
fn mavlink_epoch_unix_micros() -> i64 {
Utc.with_ymd_and_hms(2015, 1, 1, 0, 0, 0)
.single()
.expect("2015-01-01 is a valid date")
.timestamp_micros()
}
/// 32-byte symmetric signing key shared with the link peer.
#[derive(Clone)]
pub struct SigningKey([u8; SIGNING_KEY_LEN]);
impl SigningKey {
pub fn new(bytes: [u8; SIGNING_KEY_LEN]) -> Self {
Self(bytes)
}
pub fn as_bytes(&self) -> &[u8; SIGNING_KEY_LEN] {
&self.0
}
}
impl std::fmt::Debug for SigningKey {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
// Never log key bytes (security gate).
f.debug_struct("SigningKey")
.field("len", &SIGNING_KEY_LEN)
.finish()
}
}
/// Monotonic 48-bit timestamp source used by the outbound signer.
///
/// Resolution is 10 μs since the MAVLink epoch (2015-01-01 UTC). The source
/// is strictly monotonic: if wall-clock time goes backwards (NTP step), the
/// next stamp is `last + 1` so timestamps still increase per the spec.
#[derive(Debug)]
pub struct TimestampSource {
last: AtomicU64,
}
impl TimestampSource {
pub fn new() -> Self {
Self {
last: AtomicU64::new(0),
}
}
/// Return the next 6-byte timestamp value to embed in a signed frame.
pub fn next(&self) -> u64 {
let now_us = Utc::now().timestamp_micros();
let candidate = compute_timestamp(now_us);
loop {
let prev = self.last.load(Ordering::Relaxed);
let next = candidate.max(prev + 1) & 0x0000_FFFF_FFFF_FFFF;
match self
.last
.compare_exchange(prev, next, Ordering::Relaxed, Ordering::Relaxed)
{
Ok(_) => return next,
Err(_) => continue,
}
}
}
}
impl Default for TimestampSource {
fn default() -> Self {
Self::new()
}
}
fn compute_timestamp(now_unix_micros: i64) -> u64 {
let delta_us = now_unix_micros - mavlink_epoch_unix_micros();
if delta_us <= 0 {
return 0;
}
(delta_us / 10) as u64
}
/// Outbound signer. Produces the 13-byte signing trailer for a frame.
#[derive(Debug)]
pub struct Signer {
key: SigningKey,
link_id: u8,
timestamps: TimestampSource,
}
impl Signer {
pub fn new(key: SigningKey, link_id: u8) -> Self {
Self {
key,
link_id,
timestamps: TimestampSource::new(),
}
}
pub fn link_id(&self) -> u8 {
self.link_id
}
/// Append the 13-byte signing trailer to `frame`. Caller must have already
/// set `incompat_flags` bit 0 (the `INCOMPAT_FLAG_SIGNED` bit) **before**
/// calling this — the trailer hash covers the bytes as-emitted.
///
/// `frame` must contain `[STX, header(9), payload, crc_lo, crc_hi]` and
/// nothing else when this is called.
pub fn sign_into(&self, frame: &mut Vec<u8>) {
let timestamp = self.timestamps.next();
let timestamp_le = timestamp_to_bytes(timestamp);
let signature = compute_signature(self.key.as_bytes(), frame, self.link_id, &timestamp_le);
frame.push(self.link_id);
frame.extend_from_slice(&timestamp_le);
frame.extend_from_slice(&signature);
}
}
/// Inbound verifier. Returns `true` when the trailer matches the secret +
/// frame body; `false` otherwise.
#[derive(Debug, Clone)]
pub struct Verifier {
key: SigningKey,
}
impl Verifier {
pub fn new(key: SigningKey) -> Self {
Self { key }
}
/// Verify the 13-byte trailer against `frame_until_crc` (the bytes
/// `[STX..crc_hi]` inclusive). `trailer` must be exactly 13 bytes.
pub fn verify(&self, frame_until_crc: &[u8], trailer: &[u8]) -> bool {
if trailer.len() != SIGNATURE_LEN {
return false;
}
let link_id = trailer[0];
let mut timestamp_le = [0u8; TIMESTAMP_LEN];
timestamp_le.copy_from_slice(&trailer[1..1 + TIMESTAMP_LEN]);
let want_sig = &trailer[1 + TIMESTAMP_LEN..];
let got_sig =
compute_signature(self.key.as_bytes(), frame_until_crc, link_id, &timestamp_le);
constant_time_eq(want_sig, &got_sig)
}
}
fn compute_signature(
key: &[u8; SIGNING_KEY_LEN],
frame_until_crc: &[u8],
link_id: u8,
timestamp_le: &[u8; TIMESTAMP_LEN],
) -> [u8; SIGNATURE_BYTES] {
let mut hasher = Sha256::new();
hasher.update(key);
hasher.update(frame_until_crc);
hasher.update([link_id]);
hasher.update(timestamp_le);
let digest = hasher.finalize();
let mut out = [0u8; SIGNATURE_BYTES];
out.copy_from_slice(&digest[..SIGNATURE_BYTES]);
out
}
fn timestamp_to_bytes(ts: u64) -> [u8; TIMESTAMP_LEN] {
let bytes = ts.to_le_bytes();
let mut out = [0u8; TIMESTAMP_LEN];
out.copy_from_slice(&bytes[..TIMESTAMP_LEN]);
out
}
#[inline]
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
if a.len() != b.len() {
return false;
}
let mut diff = 0u8;
for (x, y) in a.iter().zip(b.iter()) {
diff |= x ^ y;
}
diff == 0
}
#[cfg(test)]
mod tests {
use super::*;
fn fixed_key() -> SigningKey {
let mut k = [0u8; SIGNING_KEY_LEN];
for (i, b) in k.iter_mut().enumerate() {
*b = i as u8;
}
SigningKey::new(k)
}
#[test]
fn signature_round_trip_validates() {
// Arrange
let key = fixed_key();
let signer = Signer::new(key.clone(), 7);
let verifier = Verifier::new(key);
let mut frame: Vec<u8> = vec![
0xFD, 0x09, 0x01, 0x00, 0x00, 0x01, 0xBE, 0x00, 0x00, 0x00, // header
0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x11, 0x22, 0x33, // payload
0x12, 0x34, // crc
];
let body_end = frame.len();
// Act
signer.sign_into(&mut frame);
// Assert
assert_eq!(frame.len() - body_end, SIGNATURE_LEN);
let trailer = frame[body_end..].to_vec();
assert!(verifier.verify(&frame[..body_end], &trailer));
}
#[test]
fn tampered_trailer_fails_verification() {
// Arrange
let signer = Signer::new(fixed_key(), 0);
let verifier = Verifier::new(fixed_key());
let mut frame: Vec<u8> = vec![
0xFD, 0x00, 0x01, 0x00, 0x05, 0x01, 0xBE, 0x00, 0x00, 0x00, 0x00, 0x00,
];
let body_end = frame.len();
signer.sign_into(&mut frame);
// Flip one bit in the signature region.
*frame.last_mut().unwrap() ^= 0x01;
// Act
let ok = verifier.verify(&frame[..body_end], &frame[body_end..]);
// Assert
assert!(!ok);
}
#[test]
fn timestamps_are_strictly_monotonic() {
// Arrange
let src = TimestampSource::new();
// Act
let a = src.next();
let b = src.next();
let c = src.next();
// Assert
assert!(b > a);
assert!(c > b);
}
}
crates/mavlink_layer/src/internal/mod.rs
+1
View File
@@ -1,3 +1,4 @@
pub mod ack_demux;
pub mod codec;
pub mod heartbeat;
pub mod retry;
crates/mavlink_layer/src/lib.rs
+146 -11
View File
@@ -12,7 +12,7 @@
//! from `internal::codec`.
//!
//! Real implementation tasks: AZ-641 (transport + heartbeat), AZ-642 (codec),
//! AZ-643 (ack demux + signing — future).
//! AZ-643 (ack demux + signing).
mod internal;
@@ -27,11 +27,14 @@ use shared::contracts::MavlinkSink;
use shared::error::{AutopilotError, Result};
use shared::health::ComponentHealth;
pub use internal::ack_demux::{AckDemux, AckDemuxRegister};
pub use internal::codec::decoder::SigningReject;
pub use internal::codec::{
Attitude, CommandAck, CommandLong, Decoder, DecoderEvent, Encoder, ExtendedSysState,
GlobalPositionInt, Heartbeat, MavlinkMessage, MavlinkParseError, MissionAck, MissionClearAll,
MissionCount, MissionCurrent, MissionItemInt, MissionItemReached, MissionRequestInt,
MissionSetCurrent, ParseErrorKind, ParseErrors, SetMode, StatusText, SysStatus,
MissionSetCurrent, ParseErrorKind, ParseErrors, SetMode, Signer, SigningKey, StatusText,
SysStatus, Verifier,
};
pub use internal::heartbeat::LinkEvent;
pub use internal::uri::{ConnectionUri, DEFAULT_SERIAL_BAUD};
@@ -62,7 +65,7 @@ impl MavlinkConnection {
}
}
/// Tunables for the MAVLink actor. Defaults follow AZ-641 §NFR.
/// Tunables for the MAVLink actor. Defaults follow AZ-641 §NFR + AZ-643 §AC.
#[derive(Debug, Clone)]
pub struct MavlinkLayerOptions {
pub connection: MavlinkConnection,
@@ -76,9 +79,17 @@ pub struct MavlinkLayerOptions {
pub reconnect_cap: Duration,
/// Base delay for the open-loop exponential backoff.
pub reconnect_base: Duration,
/// MAVLink-2 signing flag; plumbed through to health, not enforced here
/// (AZ-643 owns the signing path).
pub signing_enabled: bool,
/// Default deadline for `send_command` if the caller passes `None`.
pub command_ack_deadline: Duration,
/// MAVLink-2 signing config; `None` disables signing on this link.
pub signing: Option<SigningOptions>,
}
/// Signing configuration for a MAVLink-2 link.
#[derive(Debug, Clone)]
pub struct SigningOptions {
pub key: SigningKey,
pub link_id: u8,
}
impl MavlinkLayerOptions {
@@ -90,9 +101,14 @@ impl MavlinkLayerOptions {
link_timeout: Duration::from_millis(internal::heartbeat::DEFAULT_LINK_TIMEOUT_MS),
reconnect_cap: Duration::from_secs(5),
reconnect_base: Duration::from_millis(100),
signing_enabled: false,
command_ack_deadline: Duration::from_secs(1),
signing: None,
}
}
pub fn signing_enabled(&self) -> bool {
self.signing.is_some()
}
}
#[derive(Debug, Clone)]
@@ -117,6 +133,9 @@ struct LinkState {
inbound: broadcast::Sender<InboundMessage>,
connected: AtomicBool,
signing_enabled: bool,
verifier: Option<Verifier>,
ack_demux: Arc<AckDemux>,
command_ack_deadline: Duration,
}
/// Long-running actor that owns the transport, reconnect loop, and codec.
@@ -140,13 +159,30 @@ impl MavlinkLayer {
let (tx, rx) = mpsc::channel(OUTBOUND_CHAN_CAP);
let (inbound_tx, _inbound_rx) = broadcast::channel(INBOUND_CHAN_CAP);
let (watchdog, _link_rx) = InboundWatchdog::new(options.link_timeout.as_millis() as u64);
let encoder = match &options.signing {
Some(sign) => Encoder::with_signer(
options.sysid,
options.compid,
Signer::new(sign.key.clone(), sign.link_id),
),
None => Encoder::new(options.sysid, options.compid),
};
let verifier = options
.signing
.as_ref()
.map(|s| Verifier::new(s.key.clone()));
let state = Arc::new(LinkState {
encoder: Encoder::new(options.sysid, options.compid),
encoder,
parse_errors: Arc::new(ParseErrors::new()),
watchdog,
inbound: inbound_tx,
connected: AtomicBool::new(false),
signing_enabled: options.signing_enabled,
signing_enabled: options.signing.is_some(),
verifier,
ack_demux: Arc::new(AckDemux::new()),
command_ack_deadline: options.command_ack_deadline,
});
let layer = Self {
options,
@@ -214,7 +250,10 @@ impl MavlinkLayer {
transport: &mut dyn Transport,
shutdown: &mut watch::Receiver<bool>,
) -> LinkOutcome {
let mut decoder = Decoder::new();
let mut decoder = match self.state.verifier.clone() {
Some(v) => Decoder::with_verifier(v),
None => Decoder::new(),
};
let mut heartbeat_tick = tokio::time::interval(heartbeat_period());
heartbeat_tick.set_missed_tick_behavior(tokio::time::MissedTickBehavior::Skip);
let mut watchdog_tick = tokio::time::interval(Duration::from_millis(200));
@@ -293,6 +332,17 @@ impl MavlinkLayer {
if matches!(message, MavlinkMessage::Heartbeat(_)) {
self.state.watchdog.note_inbound_heartbeat();
}
if let MavlinkMessage::CommandAck(ack) = &message {
let matched = self.state.ack_demux.dispatch(*ack);
if !matched {
tracing::debug!(
component = NAME,
command = ack.command,
result = ack.result,
"command_ack with no in-flight waiter"
);
}
}
let _ = self.state.inbound.send(InboundMessage {
sysid,
compid,
@@ -340,6 +390,22 @@ impl MavlinkLayer {
"mavlink sequence gap"
);
}
DecoderEvent::SigningMismatch {
msg_id,
seq,
reason,
} => {
self.state
.parse_errors
.record(ParseErrorKind::SigningMismatch);
tracing::warn!(
component = NAME,
msg_id,
seq,
?reason,
"mavlink signing rejected"
);
}
}
}
}
@@ -363,6 +429,20 @@ enum LinkOutcome {
TransportLost(String),
}
/// Errors returned by `MavlinkHandle::send_command`.
#[derive(Debug, thiserror::Error)]
pub enum SendCommandError {
/// The configured ack deadline elapsed without a matching `COMMAND_ACK`.
#[error("command ack timeout after {0:?}")]
Timeout(Duration),
/// A waiter for the same `command_id` is already in flight on this link.
#[error("duplicate command in flight (command_id={0})")]
Duplicate(u16),
/// The outbound channel is closed (link shutting down).
#[error("mavlink send_command channel closed: {0}")]
ChannelClosed(String),
}
impl MavlinkHandle {
/// Send a typed MAVLink message — encoded with the actor's sysid/compid
/// and the next outbound sequence number.
@@ -385,6 +465,51 @@ impl MavlinkHandle {
})
}
/// Send a `COMMAND_LONG` and resolve when the matching `COMMAND_ACK`
/// arrives, or return [`SendCommandError::Timeout`] if `deadline` elapses
/// first.
///
/// `deadline = None` uses [`MavlinkLayerOptions::command_ack_deadline`].
/// Retry policy (if any) is the caller's concern (AZ-643 §Scope: caller
/// owns the retry decision).
pub async fn send_command(
&self,
cmd: CommandLong,
deadline: Option<Duration>,
) -> std::result::Result<CommandAck, SendCommandError> {
let command_id = cmd.command;
let rx = match self.state.ack_demux.register(command_id) {
AckDemuxRegister::Receiver(rx) => rx,
AckDemuxRegister::Duplicate => {
return Err(SendCommandError::Duplicate(command_id));
}
};
if let Err(e) = self
.outbound_tx
.send(OutboundItem::Message(MavlinkMessage::CommandLong(cmd)))
.await
{
// Channel closed — drop the waiter to keep the map clean.
self.state.ack_demux.forget(command_id);
return Err(SendCommandError::ChannelClosed(e.to_string()));
}
let wall = deadline.unwrap_or(self.state.command_ack_deadline);
match tokio::time::timeout(wall, rx).await {
Ok(Ok(ack)) => Ok(ack),
Ok(Err(_recv_err)) => {
// Sender was dropped (forget called elsewhere); treat as timeout
// for the caller's safety. Map is already clean.
Err(SendCommandError::Timeout(wall))
}
Err(_elapsed) => {
self.state.ack_demux.forget(command_id);
Err(SendCommandError::Timeout(wall))
}
}
}
pub fn subscribe_inbound(&self) -> broadcast::Receiver<InboundMessage> {
self.state.inbound.subscribe()
}
@@ -397,15 +522,25 @@ impl MavlinkHandle {
self.state.parse_errors.snapshot()
}
/// Currently in-flight `COMMAND_LONG` requests awaiting ack.
pub fn commands_in_flight(&self) -> usize {
self.state.ack_demux.in_flight()
}
pub fn signing_enabled(&self) -> bool {
self.state.signing_enabled
}
pub fn health(&self) -> ComponentHealth {
let connected = self.state.connected.load(Ordering::Relaxed);
let age = self.state.watchdog.last_inbound_age_ms();
let detail = format!(
"connected={connected} last_heartbeat_age_ms={} signing_enabled={} outbound={} parse_errors={}",
"connected={connected} last_heartbeat_age_ms={} signing_enabled={} outbound={} parse_errors={} commands_in_flight={}",
age.map(|m| m.to_string()).unwrap_or_else(|| "none".into()),
self.state.signing_enabled,
self.state.watchdog.outbound_total(),
self.parse_errors().total(),
self.commands_in_flight(),
);
if !connected {
ComponentHealth::red(NAME, detail)
crates/mavlink_layer/tests/ack_demux.rs
+194
View File
@@ -0,0 +1,194 @@
//! AZ-643 — ack-demux integration tests (AC-1 happy path, AC-2 timeout).
//!
//! A fake UDP peer either acks immediately or stays silent; the autopilot side
//! issues `send_command(...)` and asserts on the resolution.
use std::time::Duration;
use tokio::net::UdpSocket;
use tokio::sync::watch;
use tokio::time::timeout;
use mavlink_layer::{
CommandAck, CommandLong, Decoder, DecoderEvent, Encoder, Heartbeat, MavlinkConnection,
MavlinkLayer, MavlinkLayerOptions, MavlinkMessage, SendCommandError,
};
const MAV_CMD_NAV_RETURN_TO_LAUNCH: u16 = 20;
const MAV_RESULT_ACCEPTED: u8 = 0;
const SHORT_TIMEOUT_MS: u64 = 250;
fn options_for(uri: String, link_timeout_ms: u64) -> MavlinkLayerOptions {
let mut o = MavlinkLayerOptions::new(MavlinkConnection::new(uri));
o.link_timeout = Duration::from_millis(link_timeout_ms);
o.reconnect_base = Duration::from_millis(50);
o.reconnect_cap = Duration::from_millis(200);
// Keep the ack deadline tight so AC-2 finishes fast.
o.command_ack_deadline = Duration::from_millis(500);
o
}
async fn drain_first_heartbeat_addr(peer: &UdpSocket) -> std::net::SocketAddr {
let mut buf = vec![0u8; 1024];
let (_, layer_addr) = timeout(Duration::from_secs(2), peer.recv_from(&mut buf))
.await
.expect("first heartbeat must arrive")
.expect("udp recv_from");
layer_addr
}
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn ac1_send_command_happy_path() {
// Arrange: a peer that acks any inbound COMMAND_LONG promptly.
let peer = UdpSocket::bind("127.0.0.1:0").await.expect("bind peer");
let peer_addr = peer.local_addr().expect("peer addr").to_string();
let (_shutdown_tx, shutdown_rx) = watch::channel(false);
let (layer, handle) =
MavlinkLayer::new(options_for(format!("udp://{peer_addr}"), SHORT_TIMEOUT_MS));
tokio::spawn(layer.run(shutdown_rx));
// Capture the layer's source address from its first heartbeat.
let layer_addr = drain_first_heartbeat_addr(&peer).await;
let peer_enc = Encoder::new(2, 1);
// Peer task: on every inbound COMMAND_LONG, reply with COMMAND_ACK.
let peer_arc = std::sync::Arc::new(peer);
let peer_for_task = peer_arc.clone();
tokio::spawn(async move {
let mut dec = Decoder::new();
let mut buf = vec![0u8; 2048];
loop {
let n = match peer_for_task.recv(&mut buf).await {
Ok(n) => n,
Err(_) => return,
};
for ev in dec.feed(&buf[..n]) {
if let DecoderEvent::Message {
message: MavlinkMessage::CommandLong(cl),
..
} = ev
{
let ack = peer_enc.encode(&MavlinkMessage::CommandAck(CommandAck {
command: cl.command,
result: MAV_RESULT_ACCEPTED,
}));
let _ = peer_for_task.send_to(&ack, layer_addr).await;
}
}
}
});
// Act: call send_command and await resolution.
let cmd = CommandLong {
param1: 0.0,
param2: 0.0,
param3: 0.0,
param4: 0.0,
param5: 0.0,
param6: 0.0,
param7: 0.0,
command: MAV_CMD_NAV_RETURN_TO_LAUNCH,
target_system: 1,
target_component: 1,
confirmation: 0,
};
let ack = timeout(Duration::from_secs(2), handle.send_command(cmd, None))
.await
.expect("ack must arrive within 2 s")
.expect("send_command must succeed");
// Assert: ack matches and in-flight map is clear.
assert_eq!(ack.command, MAV_CMD_NAV_RETURN_TO_LAUNCH);
assert_eq!(ack.result, MAV_RESULT_ACCEPTED);
assert_eq!(
handle.commands_in_flight(),
0,
"in-flight map must be drained"
);
}
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn ac2_send_command_timeout_returns_explicit_error() {
// Arrange: a peer that NEVER acks.
let peer = UdpSocket::bind("127.0.0.1:0").await.expect("bind peer");
let peer_addr = peer.local_addr().expect("peer addr").to_string();
let (_shutdown_tx, shutdown_rx) = watch::channel(false);
let (layer, handle) =
MavlinkLayer::new(options_for(format!("udp://{peer_addr}"), SHORT_TIMEOUT_MS));
tokio::spawn(layer.run(shutdown_rx));
// Pull the layer's first heartbeat just so the link is open.
let _ = drain_first_heartbeat_addr(&peer).await;
let cmd = CommandLong {
param1: 0.0,
param2: 0.0,
param3: 0.0,
param4: 0.0,
param5: 0.0,
param6: 0.0,
param7: 0.0,
command: MAV_CMD_NAV_RETURN_TO_LAUNCH,
target_system: 1,
target_component: 1,
confirmation: 0,
};
// Act
let result = handle
.send_command(cmd, Some(Duration::from_millis(300)))
.await;
// Assert
match result {
Err(SendCommandError::Timeout(d)) => {
assert_eq!(d, Duration::from_millis(300));
}
other => panic!("expected Timeout, got {other:?}"),
}
assert_eq!(
handle.commands_in_flight(),
0,
"in-flight map must be cleared on timeout (no leaks)"
);
}
/// Defensive coverage: a stray COMMAND_ACK without a matching waiter must not
/// crash the link or leak entries.
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn unmatched_ack_is_dropped_without_side_effect() {
// Arrange
let peer = UdpSocket::bind("127.0.0.1:0").await.expect("bind peer");
let peer_addr = peer.local_addr().expect("peer addr").to_string();
let (_shutdown_tx, shutdown_rx) = watch::channel(false);
let (layer, handle) =
MavlinkLayer::new(options_for(format!("udp://{peer_addr}"), SHORT_TIMEOUT_MS));
tokio::spawn(layer.run(shutdown_rx));
let layer_addr = drain_first_heartbeat_addr(&peer).await;
// Act: send a HEARTBEAT (to keep watchdog happy) and a stray COMMAND_ACK.
let peer_enc = Encoder::new(2, 1);
let hb = peer_enc.encode(&MavlinkMessage::Heartbeat(Heartbeat {
custom_mode: 0,
mavtype: 2,
autopilot: 3,
base_mode: 0,
system_status: 4,
mavlink_version: 3,
}));
peer.send_to(&hb, layer_addr).await.unwrap();
let stray = peer_enc.encode(&MavlinkMessage::CommandAck(CommandAck {
command: MAV_CMD_NAV_RETURN_TO_LAUNCH,
result: MAV_RESULT_ACCEPTED,
}));
peer.send_to(&stray, layer_addr).await.unwrap();
// Give the layer a beat to process.
tokio::time::sleep(Duration::from_millis(150)).await;
// Assert
assert_eq!(handle.commands_in_flight(), 0);
let snap = handle.parse_errors();
assert_eq!(snap.signing_mismatch, 0);
assert_eq!(snap.crc, 0);
}
crates/mavlink_layer/tests/signing.rs
+236
View File
@@ -0,0 +1,236 @@
//! AZ-643 — MAVLink-2 signing integration tests (AC-3 rejection, AC-4 disabled).
use std::time::Duration;
use tokio::net::UdpSocket;
use tokio::sync::watch;
use tokio::time::timeout;
use mavlink_layer::{
Decoder, DecoderEvent, Encoder, Heartbeat, MavlinkConnection, MavlinkLayer,
MavlinkLayerOptions, MavlinkMessage, Signer, SigningKey, SigningReject, Verifier,
};
fn options_for(uri: String) -> MavlinkLayerOptions {
let mut o = MavlinkLayerOptions::new(MavlinkConnection::new(uri));
o.link_timeout = Duration::from_millis(500);
o.reconnect_base = Duration::from_millis(50);
o.reconnect_cap = Duration::from_millis(200);
o
}
fn fixed_key(b: u8) -> SigningKey {
let mut k = [0u8; 32];
for (i, byte) in k.iter_mut().enumerate() {
*byte = b.wrapping_add(i as u8);
}
SigningKey::new(k)
}
#[test]
fn ac3_decoder_rejects_bad_signature() {
// Arrange: build a signed frame, then flip one bit in the signature trailer.
let signer = Signer::new(fixed_key(0x10), 5);
let encoder = Encoder::with_signer(1, 191, signer);
let _ = encoder; // signing is exercised through encode()
// Use a separate signer-on-encoder to produce a signed frame for the test.
let local_signer = Encoder::with_signer(1, 191, Signer::new(fixed_key(0x10), 5));
let mut frame = local_signer.encode(&MavlinkMessage::Heartbeat(Heartbeat {
custom_mode: 0,
mavtype: 2,
autopilot: 3,
base_mode: 0,
system_status: 4,
mavlink_version: 3,
}));
let last = frame.len() - 1;
frame[last] ^= 0x01;
// Act: feed it to a decoder with the matching verifier.
let mut dec = Decoder::with_verifier(Verifier::new(fixed_key(0x10)));
let events = dec.feed(&frame);
// Assert
let rejected = events.iter().find(|e| {
matches!(
e,
DecoderEvent::SigningMismatch {
reason: SigningReject::BadSignature,
..
}
)
});
assert!(
rejected.is_some(),
"expected SigningMismatch event, got {events:?}"
);
assert_eq!(dec.errors.snapshot().signing_mismatch, 1);
// The HEARTBEAT must NOT have been emitted as a Message.
let emitted = events
.iter()
.any(|e| matches!(e, DecoderEvent::Message { .. }));
assert!(!emitted, "rejected frame must not surface as Message");
}
#[test]
fn ac3_signed_frame_with_matching_key_passes() {
// Arrange
let encoder = Encoder::with_signer(1, 191, Signer::new(fixed_key(0xAB), 9));
let frame = encoder.encode(&MavlinkMessage::Heartbeat(Heartbeat {
custom_mode: 0,
mavtype: 2,
autopilot: 3,
base_mode: 0,
system_status: 4,
mavlink_version: 3,
}));
// Act
let mut dec = Decoder::with_verifier(Verifier::new(fixed_key(0xAB)));
let events = dec.feed(&frame);
// Assert
let mut got_message = false;
let mut got_mismatch = false;
for ev in &events {
match ev {
DecoderEvent::Message {
message: MavlinkMessage::Heartbeat(_),
..
} => got_message = true,
DecoderEvent::SigningMismatch { .. } => got_mismatch = true,
_ => {}
}
}
assert!(
got_message,
"valid signed heartbeat must surface as Message"
);
assert!(!got_mismatch, "valid signature must not trigger mismatch");
assert_eq!(dec.errors.snapshot().signing_mismatch, 0);
}
#[test]
fn ac4_signing_disabled_ignores_signature_field() {
// Arrange: build BOTH a signed frame and an unsigned frame.
let signed_enc = Encoder::with_signer(1, 191, Signer::new(fixed_key(0x33), 1));
let unsigned_enc = Encoder::new(1, 191);
let hb = MavlinkMessage::Heartbeat(Heartbeat {
custom_mode: 0,
mavtype: 2,
autopilot: 3,
base_mode: 0,
system_status: 4,
mavlink_version: 3,
});
let signed_frame = signed_enc.encode(&hb);
let unsigned_frame = unsigned_enc.encode(&hb);
// Act: feed both into a Decoder with NO verifier (signing disabled).
let mut dec = Decoder::new();
let signed_events = dec.feed(&signed_frame);
let unsigned_events = dec.feed(&unsigned_frame);
// Assert: both surface as Message, signing_mismatch counter stays at 0.
let signed_ok = signed_events.iter().any(|e| {
matches!(
e,
DecoderEvent::Message {
message: MavlinkMessage::Heartbeat(_),
..
}
)
});
let unsigned_ok = unsigned_events.iter().any(|e| {
matches!(
e,
DecoderEvent::Message {
message: MavlinkMessage::Heartbeat(_),
..
}
)
});
assert!(signed_ok, "with verifier=None, signed frames must decode");
assert!(
unsigned_ok,
"with verifier=None, unsigned frames must decode"
);
assert_eq!(
dec.errors.snapshot().signing_mismatch,
0,
"signing_mismatch counter must stay at 0 in disabled mode"
);
}
#[test]
fn unsigned_frame_rejected_when_verifier_present() {
// Defensive coverage: per the MAVLink spec, with signing enabled the
// decoder rejects unsigned frames. AC-3 only specifies the bad-signature
// case, but the spec-consistent behaviour is to reject both.
let unsigned_enc = Encoder::new(1, 191);
let frame = unsigned_enc.encode(&MavlinkMessage::Heartbeat(Heartbeat {
custom_mode: 0,
mavtype: 2,
autopilot: 3,
base_mode: 0,
system_status: 4,
mavlink_version: 3,
}));
let mut dec = Decoder::with_verifier(Verifier::new(fixed_key(0x44)));
let events = dec.feed(&frame);
assert!(events.iter().any(|e| matches!(
e,
DecoderEvent::SigningMismatch {
reason: SigningReject::Unsigned,
..
}
)));
assert_eq!(dec.errors.snapshot().signing_mismatch, 1);
}
#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
async fn signing_enabled_layer_reports_via_health() {
// Arrange: a layer with signing on, plus a peer that captures the frames.
let peer = UdpSocket::bind("127.0.0.1:0").await.expect("bind peer");
let peer_addr = peer.local_addr().expect("peer addr").to_string();
let (_shutdown_tx, shutdown_rx) = watch::channel(false);
let mut opts = options_for(format!("udp://{peer_addr}"));
opts.signing = Some(mavlink_layer::SigningOptions {
key: fixed_key(0x55),
link_id: 3,
});
let (layer, handle) = MavlinkLayer::new(opts);
tokio::spawn(layer.run(shutdown_rx));
// Act: wait for one heartbeat so we have at least one signed frame.
let mut buf = vec![0u8; 1024];
let n = timeout(Duration::from_secs(2), peer.recv(&mut buf))
.await
.expect("heartbeat must arrive within 2 s")
.expect("udp recv");
// Assert: incompat_flags bit 0 (signed) is set on the outbound frame.
assert!(n >= 10, "frame too short");
assert!(
handle.signing_enabled(),
"signing_enabled() must reflect config"
);
assert_eq!(
buf[2] & 0x01,
0x01,
"outbound frame must have INCOMPAT_FLAG_SIGNED set when signing is enabled"
);
let detail = handle.health().detail.unwrap_or_default();
assert!(
detail.contains("signing_enabled=true"),
"health detail must surface signing_enabled=true; got {detail:?}"
);
assert!(
detail.contains("commands_in_flight=0"),
"health detail must surface commands_in_flight; got {detail:?}"
);
}
crates/shared/src/contracts/mod.rs
+63 -3
View File
@@ -28,12 +28,44 @@ pub trait MavlinkSink: Send + Sync {
async fn send_raw(&self, msg: Vec<u8>) -> Result<()>;
}
/// Tier-3 visual-language-model provider. Default impl in `vlm_client` returns
/// `VlmAssessment { status: Disabled, label: Inconclusive, ... }` when the
/// `vlm` feature is off, satisfying the optionality contract.
/// Tier-3 visual-language-model provider.
///
/// The default impl `DisabledVlmProvider` (also in this module) returns
/// `VlmAssessment { status: Disabled, label: Inconclusive, ... }` and is
/// the only path available when the binary is built without the `vlm`
/// feature, or when `config.vlm.enabled = false` at runtime. The real
/// IPC path lives in the optional `vlm_client` crate.
#[async_trait]
pub trait VlmProvider: Send + Sync {
async fn assess(&self, roi: Vec<u8>, prompt: String) -> Result<VlmAssessment>;
/// Diagnostic name for the resolved provider. Used by the runtime
/// composition root for `/health` and tracing. Implementations
/// should return a stable kebab-case identifier; the default value
/// is `"unknown"`.
fn name(&self) -> &'static str {
"unknown"
}
}
/// Zero-sized `VlmProvider` that always returns `VlmAssessment::disabled()`.
///
/// Available regardless of the `vlm` Cargo feature — `scan_controller` and
/// the composition root depend only on `VlmProvider`, never on the
/// optional `vlm_client` crate, so the binary can install this even when
/// `vlm_client` is not compiled in.
#[derive(Debug, Default, Clone, Copy)]
pub struct DisabledVlmProvider;
#[async_trait]
impl VlmProvider for DisabledVlmProvider {
async fn assess(&self, _roi: Vec<u8>, _prompt: String) -> Result<VlmAssessment> {
Ok(VlmAssessment::disabled())
}
fn name(&self) -> &'static str {
"disabled"
}
}
/// Operator-command dispatch. Implemented by `operator_bridge`, fed by the
@@ -42,3 +74,31 @@ pub trait VlmProvider: Send + Sync {
pub trait OperatorCommandSink: Send + Sync {
async fn dispatch(&self, command: OperatorCommand) -> Result<()>;
}
#[cfg(test)]
mod tests {
use super::*;
use crate::models::vlm::VlmStatus;
#[tokio::test]
async fn ac1_disabled_provider_returns_disabled_status() {
// Arrange
let p = DisabledVlmProvider;
// Act
let start = std::time::Instant::now();
let result = p
.assess(Vec::new(), String::new())
.await
.expect("disabled path is infallible");
let elapsed = start.elapsed();
// Assert
assert_eq!(result.status, VlmStatus::Disabled);
assert!(
elapsed <= std::time::Duration::from_millis(1),
"expected ≤1 ms, got {elapsed:?}",
);
assert_eq!(p.name(), "disabled");
}
}
crates/vlm_client/src/enabled.rs
+78
View File
@@ -0,0 +1,78 @@
//! Feature-gated entry point. Compiled only when `--features vlm` is on.
//!
//! AZ-672 installs the trait + a placeholder constructor; the real IPC
//! body lands in AZ-673 (`vlm_client_nanollm_ipc`). Until then `assess`
//! returns `VlmAssessment::disabled()` so the runtime can be wired
//! end-to-end without a working NanoLLM peer.
use async_trait::async_trait;
use shared::contracts::VlmProvider;
use shared::error::Result;
use shared::health::ComponentHealth;
use shared::models::vlm::VlmAssessment;
use super::PROVIDER_NAME;
#[derive(Debug, Clone)]
pub struct VlmClient {
ipc_socket: String,
}
impl VlmClient {
/// Construct the feature-enabled client. Until AZ-673 lands, the
/// returned instance still answers `assess` with the disabled
/// no-op assessment — the difference vs `DisabledVlmProvider` is
/// that this socket address has been validated and the IPC
/// connection will be established here in AZ-673.
pub fn new(ipc_socket: impl Into<String>) -> Self {
Self {
ipc_socket: ipc_socket.into(),
}
}
pub fn ipc_socket(&self) -> &str {
&self.ipc_socket
}
pub fn health(&self) -> ComponentHealth {
// Until AZ-673 connects, we surface yellow with the configured
// socket so the operator sees the build *did* enable VLM but
// the IPC peer is not yet wired.
ComponentHealth::yellow(PROVIDER_NAME, format!("ipc_pending: {}", self.ipc_socket))
}
}
#[async_trait]
impl VlmProvider for VlmClient {
async fn assess(&self, _roi: Vec<u8>, _prompt: String) -> Result<VlmAssessment> {
// Real IPC call lands in AZ-673. Returning disabled keeps the
// runtime end-to-end exercisable until that task completes.
Ok(VlmAssessment::disabled())
}
fn name(&self) -> &'static str {
PROVIDER_NAME
}
}
#[cfg(test)]
mod tests {
use super::*;
use shared::models::vlm::VlmStatus;
#[tokio::test]
async fn placeholder_assess_returns_disabled_until_az_673() {
// Arrange
let c = VlmClient::new("/run/vila/ipc.sock");
// Act
let r = c
.assess(Vec::new(), String::new())
.await
.expect("placeholder path is infallible");
// Assert
assert_eq!(r.status, VlmStatus::Disabled);
assert_eq!(c.name(), "vlm_client");
assert_eq!(c.ipc_socket(), "/run/vila/ipc.sock");
}
}
crates/vlm_client/src/lib.rs
+16 -65
View File
@@ -1,72 +1,23 @@
//! `vlm_client` — optional Tier 3 NanoLLM/VILA Visual-Language-Model client.
//!
//! Default impl (`feature = "vlm"` OFF) returns `VlmAssessment::disabled()`.
//! Real IPC path lands in:
//! - AZ-672 `vlm_client_provider_trait`
//! With the `vlm` Cargo feature **off**, this crate exports nothing
//! beyond a constant noting the disabled state. The composition root
//! installs `shared::contracts::DisabledVlmProvider` in that case and
//! never references `vlm_client::VlmClient`.
//!
//! With the `vlm` feature **on**, `VlmClient` is the real NanoLLM IPC
//! client. The IPC plumbing itself lands in:
//! - AZ-673 `vlm_client_nanollm_ipc`
//! - AZ-674 `vlm_client_schema_and_model_version`
//!
//! AZ-672 only wires the trait contract + feature flag.
use async_trait::async_trait;
#[cfg(feature = "vlm")]
mod enabled;
use shared::contracts::VlmProvider;
use shared::error::Result;
use shared::health::ComponentHealth;
use shared::models::vlm::VlmAssessment;
#[cfg(feature = "vlm")]
pub use enabled::VlmClient;
const NAME: &str = "vlm_client";
#[derive(Debug, Clone, Default)]
pub struct VlmClient {
enabled: bool,
}
impl VlmClient {
/// Construct the no-op `VlmClient`. Returns `VlmAssessment::disabled()`
/// from every `assess()` call.
pub fn with_default() -> Self {
Self { enabled: false }
}
#[cfg(feature = "vlm")]
pub fn enabled() -> Self {
Self { enabled: true }
}
pub fn health(&self) -> ComponentHealth {
if self.enabled {
ComponentHealth::green(NAME)
} else {
ComponentHealth::disabled(NAME)
}
}
}
#[async_trait]
impl VlmProvider for VlmClient {
async fn assess(&self, _roi: Vec<u8>, _prompt: String) -> Result<VlmAssessment> {
// Disabled path always returns the documented no-op assessment.
// The real path lands in AZ-673.
Ok(VlmAssessment::disabled())
}
}
#[cfg(test)]
mod tests {
use super::*;
#[tokio::test]
async fn default_impl_returns_disabled_assessment() {
// Arrange
let c = VlmClient::with_default();
// Act
let result = c
.assess(Vec::new(), String::new())
.await
.expect("disabled path is infallible");
// Assert
assert_eq!(result.status, shared::models::vlm::VlmStatus::Disabled);
assert_eq!(result.label, shared::models::vlm::VlmLabel::Inconclusive);
}
}
/// Stable name used by tracing + `/health` to identify this crate's
/// build-time configuration. Mirrors `VlmProvider::name()`.
pub const PROVIDER_NAME: &str = "vlm_client";