[autodev] Step 13 partial: c10/c11/c12/c13 cycle-1 doc sync

Batch 4 of the cycle-1 component-doc sync. For each of C10 (provisioning), C11 (tilemanager), C12 (operator_orchestrator), and C13 (fdr): - Append "Cycle-1 operational reality" paragraph to § 1 documenting the actual cycle-1 wiring path: - C10: operator-side / cross-tier; NOT in _STRATEGY_REGISTRY; composed via runtime_root/c10_factory.py with six per-service factories; reuses C7 InferenceRuntime for engine compile; AZ-323 Ed25519 signer + C10ManifestConfig signing-mode gate; AZ-324 ManifestVerifierImpl with airborne/operator modes; AZ-507 c6 cuts kept in c10_factory; AZ-687 N/A. - C11: operator-workstation-only; airborne build target excludes source tree (ADR-004 / AC-8.4); composed via runtime_root/c11_factory.py with three per-service factories; distinct FdrClient producer_ids for signing_key + tile_uploader; AZ-320 IdempotentRetryTileUploader wraps by default; AZ-507 keeps c6 surfaces caller-injected; AZ-687 N/A. - C12: operator-workstation CLI binary; airborne build excludes source tree (ADR-004 + Principle #9); composed via runtime_root/c12_factory.py; OperatorOrchestratorServices dataclass aggregates AZ-326/327/328/329/330/489 services with sibling fields defaulting to None; AZ-507 cuts via RemoteCacheProvisionerInvoker + TileDownloaderCut/UploaderCut; AZ-687 N/A. - C13: airborne infrastructure; pre_constructed[c13_fdr] seeded FIRST via make_fdr_client(AIRBORNE_MAIN_PRODUCER_ID, config) (AZ-619 Phase A); per-producer _CACHE gives AC-619.2 singleton; AZ-274 drop-oldest overrun policy wired at construction; c1_vio / c5_state require it, c2_5/c3/c3_5/c4 optional; AZ-687 guard explicitly does NOT apply — seed runs before any block presence check so replay binaries still write FDR. Also bump _docs/_process_leftovers/2026-05-11_d_cross_cve_1_opencv_pin_deferred.md replay timestamp to 17:18 (start of this /autodev invocation); gtsam==4.2.1 still requires numpy<2.0.0 so the relaxed opencv pin remains in effect. Update _docs/_autodev_state.md sub_step.detail to record batch 4/~5 done; next batch is the 8 helpers under common-helpers/. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-22 09:41:13 +00:00 · 2026-05-19 17:25:53 +03:00
parent 76f460c88a
commit 12aba8139f
6 changed files with 13 additions and 5 deletions
@@ -6,6 +6,8 @@

 **Architectural Pattern**: single concrete `FileFdrWriter` behind a `FdrWriter` interface. Single writer thread fed by lock-free in-process queues from every component. Lossy on writer-thread overrun **only by logging the rollover event**, never silently.

+**Cycle-1 operational reality**: C13 is **airborne infrastructure** seeded as the very first slot of `build_pre_constructed` — `constructed["c13_fdr"] = make_fdr_client(AIRBORNE_MAIN_PRODUCER_ID, config)` (AZ-619 Phase A, where `AIRBORNE_MAIN_PRODUCER_ID = "airborne_main"`). The `make_fdr_client(producer_id, config)` factory in `fdr_client/client.py` carries a process-level `_CACHE` keyed by `producer_id`, so any later `make_fdr_client("airborne_main", config)` call in the same process returns the SAME `FdrClient` instance — that's the AC-619.2 cross-component singleton guarantee. Per-component callers can also obtain their OWN per-producer FdrClient via `make_fdr_client("<their_slug>", config)`: C11 uses `"c11_tile_manager.signing_key"` (AZ-318) and `"c11_tile_manager.tile_uploader"` (AZ-319), C6's `freshness_gate.py` uses its own producer, etc. — each entry in the cache is a distinct `SpscRingBuffer` consumer side. Per-producer capacity comes from `config.fdr.per_producer_capacity[producer_id]` (override) or `config.fdr.queue_size` (default), rounded UP to the next power of two and clipped to `MIN_CAPACITY`. The drop-oldest overrun policy (AZ-274 `default_overrun_policy`) is wired automatically at `FdrClient` construction time; AZ-274 also routes the dropped record through the `on_overrun` hook so the rollover-log event is emitted exactly once per overrun, never silently. Required-key relationship: `c1_vio` and `c5_state` list `c13_fdr` in `AIRBORNE_REQUIRED_PRE_CONSTRUCTED_KEYS` (missing raises `AirborneBootstrapError`); `c2_5_rerank`, `c3_matcher`, `c3_5_adhop`, and `c4_pose` read it via `constructed.get("c13_fdr")` (optional — silently passes `None` to the wrapper, which is the documented contract for "FDR off" test fixtures). AZ-687 replay-mode guard does NOT apply to C13: the slot is seeded unconditionally before any `_replay_omits_component_block(...)` check — a replay binary still writes FDR (TlogDerivedClock-stamped) so post-flight analysis tools can drain the queue.
+
 **Upstream dependencies**: every component publishes to C13 via in-process pub/sub (drop-oldest-with-rollover-log on overrun).

 **Downstream consumers**: