# Acceptance Criteria Measurable, design-independent success criteria. Implementation choices (specific models, libraries, components, algorithms) belong in `_docs/01_solution/` and `_docs/02_document/`, NOT here. (Audited against `.cursor/rules/artifact-srp.mdc`.) Every criterion below is observable through the system's external behaviour and can be evaluated by a black-box test. ## Latency - Primitive (Tier 1) object detection — per-frame end-to-end on the deployed compute device: **≤100 ms** at 1280 px input. - Semantic confirmation (Tier 2) over a single ROI: **≤200 ms**. - Deep semantic confirmation (Tier 3 / VLM, when enabled): **≤5 s** per ROI. - Camera zoom transition (medium → high): **≤2 s** wall-clock, including the physical zoom traversal. - Decision-to-movement latency (internal scan-control decision → camera physically moving): **≤500 ms**. - Movement candidate enqueue: **≤1 s** during the wide-area sweep; **≤1.5 s** during the zoomed-in inspection (accommodating gimbal slew). - Zoom-out → zoom-in transition (POI detected → ROI fully zoomed): **≤2 s** wall-clock. - Operator command → action: **≤500 ms** from operator click to outbound command (modem RTT excluded). ## Throughput / Rate - POI rate surfaced to the operator: **≤5 POIs / minute** (hard cap; frozen 2026-05-06). - Position telemetry rate: **≥1 Hz**, target **10 Hz**. - Sustained camera frame-rate floor: **≥10 fps**. Below this, zoom-in transitions MUST be suppressed and overall health MUST surface yellow. ## Detection Quality (Behaviour as observed at the system boundary. Model identity, training data, and label catalogue live in `_docs/02_document/architecture.md` and the `../ai-training` repo.) - New target classes (black entrances, branch piles, footpaths, roads, trees, tree blocks): per-class **precision ≥80%** AND **recall ≥80%**. - Existing-class regression: per-class precision and recall MUST NOT degrade by more than ±2 percentage points against the documented baseline. - Concealed-position recall (initial gate, accepting high false-positive rate): **≥60%**. - Concealed-position precision (initial gate, operators filter): **≥20%**. - Footpath recall: **≥70%**. ## Movement Detection Behaviour - Small moving point/cluster candidates that are not yet classifiable MUST be detected during the wide-area sweep and enqueued for zoomed inspection within **≤1 s**. - Movement detection MUST continue during the zoomed-in inspection (a moving target that appears inside a held POI must not be lost), with enqueue within **≤1.5 s**. - Stable objects (trees, houses, roads, terrain) MUST NOT be treated as moving solely because the camera platform itself moves. - A configurable per-zoom-band false-positive budget MUST be honoured (the system must not flood the operator with false candidates by ignoring its own threshold). ## Scan & Camera Control Behaviour - The wide-area sweep MUST cover the planned route with a left-right gimbal pattern at wide or light/medium zoom. - Transition from sweep to detailed inspection MUST complete within **≤2 s** of POI detection (including physical zoom). - During detailed inspection the system MUST keep the target locked while the airframe flies, pan to keep features visible, hold endpoints up to **2 s** for deep analysis, and return to the sweep after analysis or a configurable per-POI timeout (default **5 s/POI**). - After operator confirmation, target-follow mode MUST keep the target within the **centre 25%** of the frame while visible. - Gimbal commands MUST achieve **≤500 ms** decision-to-movement latency with visibly smooth transitions. - The POI queue MUST be ordered by confidence × proximity to current camera × age factor (relative ranking, not absolute formula). ## Operator Workflow - The decision window surfaced to the operator MUST scale linearly with confidence: **40% confidence → 30 s; 100% confidence → 120 s**. Below 40% confidence, the POI MUST NOT be surfaced at all. - Operator-decline MUST result in a persistent ignored-item entry for the matching `(MGRS cell, class group)` so the same target is not re-surfaced. - Timeout (no operator response within the window) MUST NOT create an ignored-item entry (forget, do not blacklist). - A new detection whose `(MGRS cell, class group)` matches an existing ignored-item MUST NOT be surfaced. - Operator confirmation MUST result in (a) a middle waypoint inserted into the mission and (b) a transition to target-follow mode. - A replayed or unsigned operator command MUST be rejected with a logged security warning; system state MUST NOT change. ## Reliability & Safety - Pre-flight self-test MUST pass (every dependency healthy OR explicit operator acknowledgement of a known degraded state) before takeoff is permitted. - Loss of operator/Ground-Station radio link MUST trigger a known mission-safe outcome within a deterministic, configurable grace window (default **30 s grace → RTL**). - Loss of airframe command link MUST surface health red immediately and defer to the airframe autopilot's own failsafe. - Battery at or below the configured **RTL floor** (e.g. 25%) MUST trigger RTL automatically; battery at or below the **hard floor** (e.g. 15%) MUST trigger land-now. Only an authenticated operator command may override. - MAVLink command exhaustion (bounded retry with exponential backoff fails through max-retry) MUST flip the airframe-link health to red. - Wall-clock drift greater than **200 ms** versus GPS or NTP source MUST surface health yellow. - Geofence INCLUSION and EXCLUSION violations MUST both result in waypoint refusal + RTL. ## Resources & Data - Combined RSS on the deployed compute device, for everything autopilot owns onboard (excluding Tier 1), MUST stay within **≤6 GB**. - Tier 1 per-frame latency MUST NOT degrade by more than **±5 ms** when autopilot's own onboard workload is running concurrently. ## Map Reconciliation (with the central area-level map) - Pre-flight map pull for a **30 km × 30 km** mission area: **≤30 s** wall-clock. Cache-fallback on timeout is acceptable only with explicit operator acknowledgement. - Post-flight pass diff push for a **60-minute** mission: **≤2 min** wall-clock. Failure MUST persist the pending diff to durable on-device storage with bounded retry. ## Acceptance Gates (project-level) - A hardware/replay benchmark suite MUST pass before product implementation begins. Specifically: every latency criterion above MUST be measured on the deployed compute device, not on a developer workstation. - Per-season dataset coverage MUST be demonstrated before MVP sign-off (winter, spring, summer, autumn). - MAVLink command surface MUST pass SITL conformance against ArduPilot. ## Q-tagged criteria (depend on open architecture decisions) These criteria are real and measurable; their tolerance ranges may sharpen once the linked open question resolves. The questions are tracked in `_docs/02_document/architecture.md §8`. - Movement detection false-positive rate at zoomed-in inspection — depends on **Q14** (classical-CV adequacy vs learned-CV fallback). - MapObjects conflict resolution behaviour — depends on **Q8** (append-only log + projection rules). - Operator-command authentication conformance — depends on **Q9** (signing scheme). - Airframe MAVLink-2 message signing — depends on **Q6**. - Per-season flight-test gates — depends on **Q13**.