Oleksandr Bezdieniezhnykh bc40ea7300 [AZ-626] Decompose complete: 47 tasks + docs + module layout
Greenfield Steps 1-6 baseline for the autopilot rewrite from legacy
Qt/C++ to a Rust workspace.

- Remove legacy Qt/C++ tree (ai_controller, drone_controller,
  misc/camera, python_scaffold, root Dockerfile, autopilot.pro,
  legacy main.py / requirements.txt).
- Add _docs/00_problem (problem, restrictions, acceptance criteria,
  security approach, input data + fixtures).
- Add _docs/01_solution/solution_draft01.
- Add _docs/02_document (architecture, system-flows, data_model,
  glossary, decision-rationale, deployment, 13 component descriptions,
  tests/ specs, FINAL_report, module-layout).
- Add _docs/02_tasks/todo with 47 task specs (AZ-640..AZ-686, one
  bootstrap + 46 component tasks) and _dependencies_table.md.
- Add .cursor/rules/artifact-srp.mdc (single-responsibility rule for
  canonical _docs artifacts).
- Track autodev state in _docs/_autodev_state.md (Step 6 completed,
  ready for Step 7 Implement).

Jira: bootstrap AZ-626; component epics AZ-627..AZ-639; tasks
AZ-640..AZ-686. Total complexity 173 points across 12 epics.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-19 11:02:01 +03:00


Restrictions

Externally imposed constraints the system MUST satisfy. Design choices — even frozen ones — live in _docs/02_document/architecture.md, not here. (Audited against .cursor/rules/artifact-srp.mdc.)

Hardware (fixed at the suite level — autopilot does not choose)

  • Compute device: Jetson Orin Nano Super (aarch64), 67 TOPS INT8, 8 GB shared LPDDR5. Tier 1 detection consumes ~2 GB of that, leaving ~6 GB for everything autopilot owns.
  • Primary camera: ViewPro A40. 1080p (1920×1080), 40× optical zoom, f=4.25–170 mm, Sony 1/2.8" CMOS (IMX462LQR), HDMI or IP output at 1080p 30/60 fps. The A40's vendor control protocol is the only way to drive its pan/tilt/zoom — autopilot must speak it.
  • Alternative camera: ViewPro Z40K (higher cost; the system must remain compatible).
  • Thermal sensor (640×512, NETD ≤50 mK) may be added later; the system must not assume it is present today.
  • Traversing the full 40× optical zoom range takes 12 s wall-clock. Any sub-2-second zoom-out → zoom-in product behaviour must account for this physical floor.

Operational

  • Flight altitude: 600–1000 m.
  • All seasons in scope: winter snow, spring mud, summer vegetation, autumn. Winter-first-only is rejected (frozen 2026-05-06).
  • All terrain types in scope: forest, open field, urban edges, mixed terrain.
  • The operator/Ground-Station radio link is a modem with intermittent reliability — the system must tolerate degradation and full loss mid-flight.

Software environment (externally imposed)

  • The chosen onboard inference path must run on Jetson Orin Nano Super within the 6 GB residual RAM budget (after Tier 1).
  • Models use FP16 precision (frozen 2026-05-06; INT8 is rejected for MVP). This applies to every model loaded onto the Jetson.
  • No cloud egress for inference. Any model larger than the in-binary footprint must run locally on the same Jetson, not in the cloud. Network calls for inference are forbidden.
  • Tier 1 (YOLO) and any local large model with GPU memory pressure share the Jetson GPU — only one of them may execute at any wall-clock instant. (This is a hardware-resource fact; how the system serialises them is design.)
  • The mission file format is the shared mission-schema artefact owned jointly by autopilot and the missions service. Autopilot MUST consume that schema; it cannot fork it.

Suite-level architectural splits (autopilot does not own these decisions)

  • Tier 1 primitive object detection runs in the sibling ../detections service. Autopilot consumes its output; autopilot does NOT host Tier 1.
  • Mission state (waypoints, region, etc.) comes from the missions service. Autopilot does not author missions.
  • Central map of previously-detected objects lives in missions (extension /missions/{id}/mapobjects). Autopilot reconciles with it pre-flight and post-flight; in-flight, autopilot is authoritative for its mission's area.
  • GPS coordinates come from a separate GPS-denied service (../gps-denied-onboard / ../gps-denied-desktop). Autopilot does NOT implement GPS-denied algorithms.
  • Operator browser UI is owned by the Ground Station. Autopilot pushes the data; it does NOT render the UI.
  • Annotation tooling + model training live in separate repos (../annotations, ../ai-training). Autopilot does NOT own them.

Reliability & Safety obligations (mandatory)

These are existence-of-the-rule constraints. The specific numeric thresholds (RTL grace, drift bound, retry count) are measured success criteria and live in acceptance_criteria.md.

  • Pre-flight self-test (BIT) MUST gate takeoff. The airframe must not take off until every dependency the mission needs is verifiably healthy or the operator has explicitly accepted a known degraded state (e.g. cached MapObjects fallback).
  • Lost operator-link failsafe MUST be deterministic and bounded. Loss of the operator/Ground-Station radio link cannot result in undefined behaviour. The eventual outcome must be a known mission-safe state (RTL by default, configurable per mission).
  • Airframe MAVLink link loss MUST surface health-red immediately and defer behaviour to the autopilot stack on the airframe (ArduPilot / PX4).
  • Battery / fuel thresholds MUST trigger pre-defined safety behaviour (RTL above a soft floor; land-now below a hard floor). Only operator override may bypass.
  • Geofence enforcement MUST be symmetric — both INCLUSION and EXCLUSION polygons honoured.
  • Operator commands MUST be authenticated, signed, and replay-protected. Modem-link encryption alone is not sufficient. (Threat model + open scheme choice live in security_approach.md.)
  • On-device storage MUST be bounded. Persistent-store full is a takeoff-blocker; mid-flight eviction policy is mandatory.
  • No silent error swallowing. Every dependency state MUST surface through a health endpoint.
  • Wall-clock MUST be bound to GPS time once GPS is locked, or NTP at boot. Forensic timestamping of operator commands depends on this.
  • MAVLink command surface MUST conform to whatever ArduPilot/PX4 actually accepts (SITL is the conformance reference). Inventing MAVLink semantics is not permitted.
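The operator-command obligation above (authenticated, signed, replay-protected; modem encryption alone is insufficient) is easiest to reason about with a concrete verifier. The block below is an added example, not the autopilot project's code: the scheme it uses (HMAC-SHA256 over a canonical encoding, a per-session monotonic sequence number, and a freshness window against the GPS/NTP-disciplined wall clock) is an assumption for illustration, since the project's actual scheme choice is documented in security_approach.md. The key and the commands are constructed sample values. Note the check ordering: the signature is verified before the sequence counter is consulted, so an unauthenticated sender cannot advance or poison the replay state, and the counter is only recorded once every check has passed.

```python
"""Illustrative operator-command verifier: signature + replay protection.

Added example, not the autopilot project's code. HMAC-SHA256, per-session
monotonic sequence numbers and a freshness window are assumptions for
illustration; the project's real scheme lives in security_approach.md.
"""
import hashlib
import hmac
import json

FRESHNESS_WINDOW_S = 5.0  # assumed: commands older than this are rejected


def canonical_bytes(cmd: dict) -> bytes:
    # Stable encoding so operator and autopilot sign exactly the same bytes.
    body = {k: v for k, v in cmd.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(cmd: dict, key: bytes) -> dict:
    # Ground-Station side: attach a MAC over the canonical encoding.
    signed = dict(cmd)
    signed["sig"] = hmac.new(key, canonical_bytes(cmd), hashlib.sha256).hexdigest()
    return signed


class CommandVerifier:
    """Autopilot side: rejects malformed, forged, stale and replayed commands."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_seq = {}  # session_id -> highest accepted seq (monotonic)

    def verify(self, cmd: dict, now: float) -> tuple:
        required = ("session", "seq", "ts", "op", "sig")
        if any(k not in cmd for k in required):
            return False, "malformed"
        # 1. Authenticity first: unsigned traffic never touches replay state.
        expected = hmac.new(self._key, canonical_bytes(cmd), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cmd["sig"]):
            return False, "bad-signature"
        # 2. Freshness against the disciplined wall clock (see wall-clock rule).
        if abs(now - cmd["ts"]) > FRESHNESS_WINDOW_S:
            return False, "stale"
        # 3. Replay: sequence must strictly increase within a session.
        last = self._last_seq.get(cmd["session"], -1)
        if cmd["seq"] <= last:
            return False, "replay"
        self._last_seq[cmd["session"]] = cmd["seq"]  # record only after all checks pass
        return True, "ok"


def demo() -> list:
    # Constructed key and commands; outcomes of each check in order.
    key = b"constructed-session-key-not-real"
    v = CommandVerifier(key)
    base = {"session": "s1", "seq": 1, "ts": 1000.0, "op": "RTL"}
    good = sign(base, key)
    results = [v.verify(good, now=1001.0)[1]]           # ok
    results.append(v.verify(good, now=1002.0)[1])       # replay of the same command
    tampered = dict(good, op="LAND")                    # body altered, MAC unchanged
    results.append(v.verify(tampered, now=1002.0)[1])   # bad-signature
    old = sign(dict(base, seq=2, ts=900.0), key)        # valid MAC, outside window
    results.append(v.verify(old, now=1001.0)[1])        # stale
    return results


if __name__ == "__main__":
    print(demo())
```

A rejected command should additionally be logged with its session, seq and reason through the health/forensic path, which is why the wall-clock rule above is a prerequisite for this check rather than an unrelated item.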
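The battery-floor and symmetric-geofence obligations above translate into a small decision function. The block below is an added example, not the autopilot project's code: the soft/hard floor percentages, the planar even-odd point-in-polygon test, and the ordering of outcomes (hard floor first, then fence breach, then soft floor) are assumptions for illustration, since the real numeric thresholds live in acceptance_criteria.md. The fence polygons and telemetry values are constructed. The point it demonstrates is the symmetry requirement: a position is acceptable only if it lies inside at least one INCLUSION polygon (when any are defined) and outside every EXCLUSION polygon, and only an explicit operator override bypasses the battery floors.

```python
"""Illustrative failsafe evaluator: battery floors and symmetric geofence.

Added example, not the autopilot project's code. Threshold values and the
planar ray-casting test are assumptions for illustration; the project's
real thresholds live in acceptance_criteria.md.
"""
from dataclasses import dataclass, field

SOFT_FLOOR_PCT = 30.0  # assumed: RTL below this
HARD_FLOOR_PCT = 15.0  # assumed: land now below this


@dataclass
class Geofence:
    # Each polygon is a list of (x, y) vertices in a local planar frame, metres.
    inclusion: list = field(default_factory=list)
    exclusion: list = field(default_factory=list)


def point_in_polygon(pt, poly) -> bool:
    # Even-odd ray casting: count edges crossed by a ray going +x from pt.
    x, y = pt
    inside = False
    n = len(poly)
    for i in range(n):
        x1, y1 = poly[i]
        x2, y2 = poly[(i + 1) % n]
        if (y1 > y) != (y2 > y):
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def geofence_ok(pt, fence: Geofence) -> bool:
    # Symmetric rule: inside some inclusion polygon (if any) AND outside all exclusions.
    if fence.inclusion and not any(point_in_polygon(pt, p) for p in fence.inclusion):
        return False
    return not any(point_in_polygon(pt, p) for p in fence.exclusion)


def failsafe_action(battery_pct: float, pt, fence: Geofence,
                    operator_override: bool = False) -> str:
    # Most conservative outcome first; override bypasses only the battery floors.
    if battery_pct < HARD_FLOOR_PCT and not operator_override:
        return "LAND_NOW"
    if not geofence_ok(pt, fence):
        return "RTL"  # fence breach: return to the mission-safe state
    if battery_pct < SOFT_FLOOR_PCT and not operator_override:
        return "RTL"
    return "CONTINUE"


def demo() -> list:
    # Constructed fence: 1 km square inclusion with a 200 m exclusion hole in the middle.
    fence = Geofence(
        inclusion=[[(0, 0), (1000, 0), (1000, 1000), (0, 1000)]],
        exclusion=[[(400, 400), (600, 400), (600, 600), (400, 600)]],
    )
    return [
        failsafe_action(80, (100, 100), fence),                          # CONTINUE
        failsafe_action(80, (500, 500), fence),                          # RTL: inside exclusion
        failsafe_action(80, (1500, 100), fence),                         # RTL: outside inclusion
        failsafe_action(25, (100, 100), fence),                          # RTL: soft floor
        failsafe_action(10, (100, 100), fence),                          # LAND_NOW: hard floor
        failsafe_action(10, (100, 100), fence, operator_override=True),  # CONTINUE: override
    ]


if __name__ == "__main__":
    print(demo())
```

In a real implementation the (x, y) frame would be a local projection of the GPS-denied service's position output, and a fence breach would surface health-red as well as trigger the action, per the no-silent-errors rule.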

Out of scope — see problem.md → "What this system is NOT for"

Scope-exclusion statements are owned by problem.md. Not duplicated here.