feat(02-05): rewrite ci.yml with per-marker jobs + ac-traceability gate

Replaces single 'test' job with 6 jobs per TEST-02 + AC-06:
- lint: ruff check (scripts/ added to scope)
- test-unit: pytest -m unit (Py3.11 + Py3.12 matrix)
- test-integration: pytest -m integration (Py3.11)
- test-blackbox: pytest -m blackbox (PR-only, Py3.11)
- ac-traceability: regenerate + git diff --exit-code + --check
- docker-build: build smoke test (needs test-unit + test-integration)

ac-traceability gate fails on: stale committed matrix, non-deferred orphan
AC, or unknown AC ID referenced in any test.

.github/workflows/ci.yml

@@ -16,65 +16,116 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
-
       - name: Install ruff
         run: pip install --no-cache-dir "ruff>=0.9"
-
       - name: Check style and imports
-        run: ruff check src/ tests/
+        run: ruff check src/ tests/ scripts/
 
   # ---------------------------------------------------------------------------
-  # Unit tests — fast, no SITL, no GPU
+  # Phase 2 / TEST-02 — per-marker test jobs.
+  # `--strict-markers` is already set globally in pyproject.toml [tool.pytest.ini_options].addopts.
   # ---------------------------------------------------------------------------
-  test:
+  test-unit:
-    name: Test (Python ${{ matrix.python-version }})
+    name: Test (unit) Py${{ matrix.python-version }}
     runs-on: ubuntu-latest
     needs: lint
     strategy:
       fail-fast: false
       matrix:
         python-version: ["3.11", "3.12"]
-
     steps:
       - uses: actions/checkout@v4
-
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
           cache: pip
-
       - name: Install system deps (OpenCV headless)
         run: |
           sudo apt-get update -qq
           sudo apt-get install -y --no-install-recommends libgl1 libglib2.0-0
-
       - name: Install package + dev extras
         run: pip install --no-cache-dir -e ".[dev]"
+      - name: Run unit tests
+        run: python -m pytest tests/ -m unit -q --tb=short
 
-      - name: Run unit tests (excluding SITL integration)
+  test-integration:
-        run: |
+    name: Test (integration) Py3.11
-          python -m pytest tests/ \
+    runs-on: ubuntu-latest
-            --ignore=tests/test_sitl_integration.py \
+    needs: lint
-            -q \
+    steps:
-            --tb=short
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: pip
+      - run: sudo apt-get update -qq && sudo apt-get install -y --no-install-recommends libgl1 libglib2.0-0
+      - run: pip install --no-cache-dir -e ".[dev]"
+      - name: Run integration tests
+        run: python -m pytest tests/ -m integration -q --tb=short
+
+  test-blackbox:
+    name: Test (blackbox) Py3.11
+    runs-on: ubuntu-latest
+    needs: lint
+    if: github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: pip
+      - run: sudo apt-get update -qq && sudo apt-get install -y --no-install-recommends libgl1 libglib2.0-0
+      - run: pip install --no-cache-dir -e ".[dev]"
+      - name: Run blackbox tests
+        run: python -m pytest tests/ -m blackbox -q --tb=short
 
   # ---------------------------------------------------------------------------
-  # Docker build smoke test — verify image builds successfully
+  # Phase 2 / AC-06 — AC traceability drift gate.
+  # Two-step: (1) regenerate + git diff, (2) --check orphan/unknown.
+  # ---------------------------------------------------------------------------
+  ac-traceability:
+    name: AC traceability (matrix drift + orphan check)
+    runs-on: ubuntu-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+          cache: pip
+      - run: sudo apt-get update -qq && sudo apt-get install -y --no-install-recommends libgl1 libglib2.0-0
+      - run: pip install --no-cache-dir -e ".[dev]"
+      - name: Regenerate AC-TRACEABILITY.md
+        run: python scripts/gen_ac_traceability.py
+      - name: Fail if committed matrix is stale
+        run: |
+          if ! git diff --exit-code .planning/AC-TRACEABILITY.md; then
+            echo "::error::.planning/AC-TRACEABILITY.md is stale. Run scripts/gen_ac_traceability.py and commit the result."
+            exit 1
+          fi
+      - name: Fail on orphan ACs or unknown AC IDs in tests
+        run: python scripts/gen_ac_traceability.py --check
+      - name: Upload matrix as artifact
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: ac-traceability
+          path: .planning/AC-TRACEABILITY.md
+
+  # ---------------------------------------------------------------------------
+  # Docker build smoke test
   # ---------------------------------------------------------------------------
   docker-build:
     name: Docker build smoke test
     runs-on: ubuntu-latest
-    needs: test
+    needs: [test-unit, test-integration]
     steps:
       - uses: actions/checkout@v4
-
       - name: Build Docker image
         run: docker build -t gps-denied-onboard:ci .
-
       - name: Health smoke test (container start)
         run: |
           docker run -d --name smoke -p 8000:8000 gps-denied-onboard:ci