autopilot

mirror of https://github.com/azaion/autopilot.git synced 2026-06-21 16:01:10 +00:00

Author	SHA1	Message	Date
Oleksandr Bezdieniezhnykh	c4eff40dbc	[AZ-680] [AZ-681] operator_bridge command dispatch + safety lane Add the operator-command dispatcher behind a typed CommandAck: 60 s per-command-id idempotency cache, surfaced-POI registry with unknown_poi_id + expired gates, BIT-degraded ack severity check, and SafetyOverride forwarding to mission_executor with structured audit log (redacts signature + session_token). Cross-layer wiring goes through three new traits in shared::contracts (ScanCommandRouter, MissionSafetyRouter, BitReportSeverityLookup) so operator_bridge stays free of direct scan_controller / mission_executor imports. scan_controller::ScanControllerHandle implements the scan router; a new mission_executor::SafetyDispatchHandle wraps the BIT ack channel + battery monitor handle and implements the safety router; BitControllerHandle gains a bounded (16-entry) report-severity cache for the lookup trait. scan_controller also picks up ConfirmPoi handling: PoiQueue::confirm removes the entry and SubmitOutcome::Confirmed carries the typed (target_mgrs, target_class) hint for AZ-684/AZ-686 downstream. Tests: 9 new integration tests in operator_bridge/tests/dispatcher.rs cover AZ-680 AC-1..AC-5 + AZ-681 AC-1..AC-4. scan_controller adds 2 ConfirmPoi tests. All modified-crate suites green; one pre-existing mission_executor state-machine test flake (already documented in _docs/_process_leftovers) updated to note ac1 also affected. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-20 17:32:59 +03:00
Oleksandr Bezdieniezhnykh	ccf929af69	[AZ-676] [AZ-677] [AZ-678] [AZ-679] telemetry+operator foundation Batch 15 ships the four foundation tickets sitting on top of AZ-675 (gRPC server) and AZ-667 (mapobjects_store hydrate): * AZ-676: telemetry_stream video path (rtsp_forward + bytes_inline) with ai_locked atomic + session counter, SubscribeVideo RPC. * AZ-677: MapObjects snapshot-on-subscribe + diff broadcast + reconnect-resync (StartThen stream-prepend pattern). * AZ-678: HmacOperatorValidator with per-session monotonic seq, in-process session registry + TTL, constant-time HMAC compare, rejection-reason counters, sliding 60 s sig-failure red-health gate. Trait OperatorCommandValidator in shared::contracts::operator_auth. * AZ-679: PoiSurfaceMapper produces OperatorPoiEvent per architecture §7.10; PoiDequeued events on rotate/age-out/complete; pushed via new TelemetrySink::push_operator_event extension on Topic::OperatorEvent. Cross-task wiring: TelemetrySink trait extended with push_operator_event; OperatorBridge gets optional builder methods with_telemetry_sink / with_validator (composition root wires in AZ-680). Workspace deps: hmac = "0.12"; per-crate adds bytes, serde_json, parking_lot, chrono, uuid, sha2, thiserror. Tests: 14/14 ACs verified locally (4 + 3 + 5 + 3 by AC) plus 6 supporting unit tests + 7 integration tests + 2 shared serde roundtrips. cargo clippy clean on touched crates. Cumulative review for batches 13-15 produced; verdict PASS_WITH_WARNINGS (0 Critical, 0 High, 1 Medium, 4 Low — all carry-overs or deferred-producer notes for AZ-680/AZ-684). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-20 16:18:40 +03:00
Oleksandr Bezdieniezhnykh	4c63829ccd	[AZ-654] [AZ-655] [AZ-656] gimbal_controller primitives + monotonic clock fix (batch 11) ci/woodpecker/push/build-arm Pipeline failed Details AZ-654 SweepEngine: pendulum default, Raster/LawnMower variants reserved and explicitly NotImplemented (no silent fallback per AC-3). Time injected via next_step(now) for deterministic dwell tests. AZ-655 PlanExecutor: linear yaw/pitch interpolation between PanGoals with self-throttle (default 50 ms); stats expose commands_emitted/dropped_to_throttle counters. PanGoal/PanPlan added to shared::models::gimbal (spec drift: data_model.md §PanPlan flagged for next doc sync). AZ-656 CentreOnTarget: zoom-aware proportional control loop (correction ~ 1/zoom); target_lost debounced — fires once per loss streak, resets on bbox return. Also fixes the misleadingly-named monotonic_ns() helper introduced by AZ-653 that used SystemTime::now(): GimbalController now owns a shared::clock::MonoClock and stamps GimbalState::ts_monotonic_ns via clock.elapsed_ns(). AZ-656 AC-2 forced the correction; integration test verifies the fix end-to-end. 58/58 gimbal_controller tests green (47 unit + 7 AZ-653 integration + 4 new batch_11 integration). Workspace test suite green this run. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-19 20:21:00 +03:00
Oleksandr Bezdieniezhnykh	e56d428753	[AZ-649] [AZ-674] [AZ-667] telemetry + vlm schema + mapobjects hydrate batch 6 AZ-649 mission_executor telemetry forwarding: - shared::models::telemetry::UavTelemetry canonical model - TelemetryForwarder with atomic ArcSwap snapshot + 3 lossy tokio::sync::broadcast channels (MissionExecutor, ScanController, MavlinkUplink) + per-consumer drop counters - MavlinkProjection::from_mavlink for HEARTBEAT/GLOBAL_POSITION_INT/ ATTITUDE/SYS_STATUS - spawn_mavlink_pump bridges mavlink_layer into the forwarder at the binary edge AZ-674 vlm_client schema validation + model_version tracking: - AssessmentParser owns schema validation + model-version state - wire::read_response_raw splits raw bytes from parsing so invalid payloads can be logged size-capped - VlmStatus gains an Inconclusive variant; exhaustive-match test guards downstream consumers - VlmPipelineStatus mirrors the new variant in shared::models::poi AZ-667 mapobjects_store hydrate + pending logs + cascade: - SyncState enum aligned with description.md (FreshBoot, Synced, CachedFallback, Degraded, Failed) - Store::hydrate(MapObjectsBundle) replaces in-memory map atomically; freshness=Stale -> CachedFallback - classify() + end_of_pass append MapObjectObservation events to pending_observations (New/Moved/Existing/RemovedCandidate) - apply_decline + LocalAppended ignored items append to pending_ignored - drain_pending() returns and clears both logs - cascade_mission(id) purges by_cell + IgnoredSet + pending logs - Health surface reports sync_state, pending_obs, pending_ign Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-19 17:40:43 +03:00
Oleksandr Bezdieniezhnykh	69c0629350	[AZ-643] [AZ-665] [AZ-672] mavlink+mapobjects+vlm batch 4 ci/woodpecker/push/build-arm Pipeline failed Details AZ-643 mavlink_layer: - ack demux on COMMAND_LONG/COMMAND_ACK with oneshot dispatch and configurable deadline; MavlinkHandle::send_command + SendCommandError - MAVLink-2 signing: Signer/Verifier built on SHA-256, key + timestamp source, incompat-flag wiring in encoder, reject + counter in decoder - new tests: tests/ack_demux.rs (3) + tests/signing.rs (5) AZ-665 mapobjects_store: - internal/h3_index.rs (h3o wrapper, cell_of, grid_disk, haversine) - internal/store.rs (in-memory (cell -> Vec<MapObject>) hashmap with k-ring classify and class-group resolution) - public API: MapObjectsStoreHandle::classify(ClassifyInput) -> Classification {New\|Moved\|Existing} - AC1-4 in tests/classify.rs; AC5 perf gate (#[ignore], passes in --release) AZ-672 vlm_client + autopilot: - DisabledVlmProvider in shared::contracts; VlmProvider::name() for composition-root diagnostics - vlm_client::VlmClient gated behind feature = "vlm"; placeholder until AZ-673 lands the real NanoLLM IPC - autopilot: vlm_client is now optional = true under feature vlm; Runtime::select_vlm_provider picks DisabledVlmProvider when feature off OR config.vlm.enabled = false Workspace deps: +sha2 (mavlink signing), +h3o (mapobjects index). Batch report: _docs/03_implementation/batch_04_cycle1_report.md Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-19 13:31:42 +03:00
Oleksandr Bezdieniezhnykh	0a87c0f716	[AZ-645] [AZ-646] [AZ-647] mission_client: middle-waypoint POST + mapobjects pull/push ci/woodpecker/push/build-arm Pipeline failed Details Batch 3 of greenfield Step 7 — mission_client epic AZ-638 close-out. AZ-645 (Middle-waypoint POST) - post_middle_waypoint(mission_id, &Mission) -> Result<MissionUpdateAck, PostError> - Bounded retry (default 3 attempts) shared with the rest of missions_api - Health: last_middle_waypoint_post_status (ok/error) AZ-646 (Pre-flight MapObjects pull) - pull_mapobjects(mission_id) -> Result<MapObjectsBundle, PullError> - Schema-validated against bundled shared/contracts/mapobjects-bundle.json - Typed errors: Unreachable / SchemaInvalid / MaxRetriesExceeded / Internal - Health: mapobjects_pull_state, last_mapobjects_pull_ts AZ-647 (Post-flight push + durable disk queue) - push_mapobjects_diff(mission_id, MapObjectsDiff) -> PushReport - recover_pending_pushes() -> Vec<PushReport> for crash recovery - Write-ahead atomic-rename persistence under ${state_dir}/mapobjects_push/ - Per-endpoint independent retry: observations + ignored_items - Partial success rewrites the disk file with only the failing portion - Health: mapobjects_push_pending, last_push_ts, per-endpoint last error Infrastructure - Schemas: shared/contracts/mapobjects-{bundle,observations,ignored}.json - Restructured schema/ into mission.rs + mapobjects.rs sub-modules - New mapobjects_sync/ (pull, push, queue) - workspace dep tempfile=3; mission_client dev-deps add tempfile + chrono Tests - 12/12 ACs verified locally (4 AZ-645 + 4 AZ-646 + 5 AZ-647) - mission_client suite: 15 unit + 18 integration = 33 tests pass - AZ-646 AC-4 proxy: 1000-object + 1000-ignored bundle within 30s - AZ-647 AC-5 proxy: 5000-obs + 500-ignored push within 2min Code review verdict: PASS_WITH_WARNINGS (inline). Cumulative review (K=3 trigger) PASS_WITH_WARNINGS — full report in _docs/03_implementation/cumulative_review_batches_01-03_cycle1_report.md. Open follow-ups (non-blocking): - module-layout.md: rename push_mapobjects -> push_mapobjects_diff (Step 13) - ExponentialBackoff still duplicated across crates; promote to shared::retry when the third caller lands (likely detection_client AZ-660/661) - state_dir default is relative; composition root must override Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-19 12:54:15 +03:00
Oleksandr Bezdieniezhnykh	740bf37d76	[AZ-641] [AZ-642] [AZ-644] mavlink transport + codec + mission pull Lands the second batch under epic AZ-626's implementation plan. mavlink_layer (AZ-641 + AZ-642): - Hand-rolled MAVLink v2 codec covering the §7.7 surface: HEARTBEAT, SYS_STATUS, SET_MODE, ATTITUDE, GLOBAL_POSITION_INT, MISSION_* (7), COMMAND_LONG, COMMAND_ACK, EXTENDED_SYS_STATE, STATUSTEXT (17 total). - Streaming decoder demuxes arbitrary-sized byte arrivals, drops malformed frames with typed parse-error counters (crc/truncated/unknown_id/seq_gap), and surfaces sequence gaps without hard-failing the link. - Encoder tracks the per-link tx_seq counter and applies the MAVLink v2 trailing-zero payload truncation rule. - UDP and POSIX-serial transports behind a single async Transport trait; the run loop owns transport open with bounded exponential backoff (2 s serial / 5 s UDP cap) and a tokio::select! per-link read+write loop. - 1 Hz outbound HEARTBEAT scheduler + inbound-heartbeat watchdog that fires LinkUp / LinkLost on a broadcast channel and feeds health detail (connected, last_heartbeat_age_ms, signing_enabled, parse_errors). mission_client (AZ-644): - HTTPS GET /missions/{id} over rustls (no OpenSSL on the airframe). - Bundled JSON Schema (crates/shared/contracts/mission-schema.json, draft-07, additionalProperties:false) validates every response; schema-invalid bodies surface as FetchError::SchemaInvalid with a 1 KiB sample of the raw body for offline analysis. - Transient failures (timeout, 5xx, 429) retry with bounded exponential backoff up to MissionClientOptions.max_attempts (default 5); permanent failures (4xx, malformed URL) abort immediately. - Health surface mirrors AC-1's contract: last_fetch_ts, fetch_errors_total, schema_version, connection_state. Caught and fixed before commit (NOT a code-review finding — caught by the unit test that hand-computed CRC("123456789")): the hand-rolled X.25 CRC accumulator was operating in u16 throughout. The MAVLink C reference declares `tmp` as uint8_t, which silently truncates the shifted-in bits. Round-trip tests passed (encoder and decoder shared the bug); a real MAVLink peer would have rejected every frame. Fixed by mirroring the C reference: `let mut tmp: u8 = …; tmp ^= tmp.wrapping_shl(4);`. Added a regression test asserting CRC("123456789") == 0x6F91 against pymavlink's reference value (NOT the textbook 0x29B1 — MAVLink uses a byte-wise variant, not the bit-reflected CCITT). AC verification (full detail in _docs/03_implementation/batch_02_cycle1_report.md): AZ-641: AC-1 + AC-3 + AC-4 verified via UDP loopback integration tests; AC-2 (serial) requires a socat pty pair and runs in the SITL/CI tier (test exists as #[ignore]-marked stub). AZ-642: AC-1 + AC-2 + AC-3 verified via exhaustive codec round-trip and decoder negative-path tests; AC-4 (SITL round-trip) requires ArduPilot SITL — the CRC fix above means the codec is now wire-correct, ready for the sitl-conformance Woodpecker stage. AZ-644: all four ACs verified via wiremock-driven integration tests. Workspace gates green: - cargo check --workspace clean - cargo check --workspace --no-default-features clean - cargo fmt --all -- --check clean - cargo clippy --workspace --all-targets -- -D warnings clean - cargo test --workspace pass (1 expected ignore) Layering invariants from module-layout.md hold: mavlink_layer and mission_client are Layer 2 actors importing only `shared`; no sibling Layer-2 imports; MavlinkHandle implements shared::contracts::MavlinkSink. Jira: AZ-641, AZ-642, AZ-644 transitioned To Do → In Progress at batch start; the matching In Testing transitions follow this commit. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-19 12:29:49 +03:00
Oleksandr Bezdieniezhnykh	a1ce3a6903	[AZ-640] Bootstrap Rust workspace, CI/Docker, observability scaffold ci/woodpecker/push/build-arm Pipeline failed Details Lands the first task of the implementation epic AZ-626: a cargo workspace with 14 crates (shared + autopilot binary + 12 component crates), a multi-stage Dockerfile + dev/test compose stacks, a Woodpecker CI pipeline, the on-airframe systemd unit with flight-gate wiring, three environment TOML configs, and the canonical entity catalogue from data_model.md as `shared::models`. Per-AC verification (full detail in _docs/03_implementation/batch_01_cycle1_report.md): - AC-1 cargo check --workspace clean - AC-2 cargo test --workspace passes; per-crate it_compiles() <0.01 s - AC-6 cargo build/test --no-default-features clean; VlmClient default impl returns VlmAssessment::disabled() - AC-9 tracing-subscriber emits JSON logs with ts/level/target/fields - AC-10 runtime::ensure_state_directories creates mapobjects/, audit/, pending_pushes/ under storage.state_dir Deferred to external infra (artifacts written, verification re-runs in CI and in downstream tasks): - AC-3 Woodpecker runner; CI yml in place - AC-4 docker-compose mocks land with AZ-660/AZ-644/AZ-675 - AC-5 SITL conformance lands with AZ-641/AZ-648/AZ-652 - AC-7 aarch64 cross-compile via cargo-zigbuild stage - AC-8 systemd unit (Linux + systemd host) Layering invariants from module-layout.md hold: shared (L1) imports nothing; Layer 2 actor crates import only shared; Layer 3 coordinators (operator_bridge, mission_executor) import only their documented Layer 2 deps; Layer 4 (scan_controller) imports its documented Layer 2 + Layer 3 deps; the autopilot binary (L5) is the only consumer of every component. cargo fmt --all --check + cargo clippy --all-targets -- -D warnings both clean. Jira AZ-640 transitioned to In Progress at the start of this batch; the matching In Testing transition follows this commit. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-19 11:52:40 +03:00

8 Commits