azaion/gps-denied-onboard
1
0
Fork 0
mirror of https://github.com/azaion/gps-denied-onboard.git synced 2026-06-21 08:41:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-388] C5 AC-5.2 no-estimate fallback detector + signal emission

Browse Source 
Implements Invariant 9 / AC-5.2: when current_estimate cannot return a
fresh output for >= state.no_estimate_fallback_s (default 3.0 s), emit
ONE engagement signal (FDR kind=c5.state.no_estimate_fallback_engaged
+ GCS STATUSTEXT severity CRITICAL); on recovery, ONE recovery signal
(FDR kind=c5.state.no_estimate_fallback_recovered + STATUSTEXT NOTICE).
Rate-limited via single _in_fallback latch (AC-2: 30 s sustained
no-estimate still emits exactly one engagement).

New FallbackWatcher class owns the state machine; estimator wires it
through constructor + current_estimate entry/success hooks. Public
check_fallback_state(now_ns) watchdog (NFR p99 <= 5 us) + subscribe
APIs let C8 outbound react without coupling C5 to a concrete GCS
adapter at construction. Severity enum extended with CRITICAL=2 and
NOTICE=5 to match MAVLink MAV_SEVERITY.

18 new unit tests across all 8 ACs, deterministic synthetic clock,
integration tests patch monotonic_ns through GtsamIsam2StateEstimator
to drive AC-7 iSAM2 leg (ESKF leg deferred to AZ-386).

Full suite: 607 passed, 2 skipped.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-11 06:53:22 +03:00
parent b3ad94c155
commit 31a300f8a2
7 changed files with 826 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
_docs/02_tasks/todo/AZ-388_c5_ac52_fallback.md → _docs/02_tasks/done/AZ-388_c5_ac52_fallback.md
View File
_docs/03_implementation/batch_16_cycle1_report.md
+81
View File
@@ -0,0 +1,81 @@
# Batch 16 — Cycle 1 Implementation Report
**Batch**: 16 of N
**Tasks landed**: AZ-388 (`GtsamIsam2StateEstimator` — AC-5.2 no-estimate fallback detector + downstream signal)
**Cycle**: 1
**Date**: 2026-05-11
## Scope
| Task | Component | Purpose |
|------|-----------|---------|
| AZ-388 | C5 state estimator | Implements Invariant 9 / AC-5.2: a sustained no-successful-`current_estimate` window of ≥ `state.no_estimate_fallback_s` (default 3.0 s) emits ONE engagement signal (FDR `kind="c5.state.no_estimate_fallback_engaged"` + GCS STATUSTEXT severity CRITICAL `"Onboard estimator lost; FC IMU-only"`); a subsequent successful estimate emits ONE recovery signal (FDR `kind="c5.state.no_estimate_fallback_recovered"` + GCS STATUSTEXT severity NOTICE). One signal per state transition (rate-limited). Adds a public watchdog method `check_fallback_state(now_ns) -> bool` for C8 outbound's 5 Hz tick. Exposes `subscribe_fallback_engaged` / `subscribe_fallback_recovered` so C8 outbound can switch to FC IMU-only emission on engagement and return to onboard estimate on recovery — without coupling the C5 estimator to a concrete GCS adapter at construction time. |
## Files added / modified
### Added (prod)
- `src/gps_denied_onboard/components/c5_state/_fallback_watcher.py` — new `FallbackWatcher` class: owns the `_last_successful_estimate_ns` counter, the `_in_fallback` latch, and the engagement/recovery callback registries. Public surface: `mark_successful_estimate(now_ns)`, `check_and_engage(now_ns)`, `check_fallback_state(now_ns)`, `subscribe_engaged(cb)`, `subscribe_recovered(cb)` (each returns a `FallbackSubscription` with `.cancel()`). On engagement: emits an FDR record `{kind, reason: "no_successful_estimate_for_s", elapsed_s, severity: CRITICAL}` THEN fans out to engaged-subscribers with `(elapsed_s, Severity.CRITICAL)`. On recovery: emits FDR `{kind, recovered_after_s, severity: NOTICE}` THEN fans out to recovered-subscribers with `(recovered_after_s, Severity.NOTICE)`. Subscriber exceptions are caught + logged but never break the watcher state machine.
### Modified (prod)
- `src/gps_denied_onboard/_types/fc.py` — extended `Severity` enum with `CRITICAL = 2` and `NOTICE = 5` to align with MAVLink `MAV_SEVERITY`. These values match AZ-388's engagement (CRITICAL) / recovery (NOTICE) severity contract and let `QgcTelemetryAdapter` map directly to the wire value. Existing `ERROR = 3`, `WARNING = 4`, `INFO = 6` unchanged.
- `src/gps_denied_onboard/components/c5_state/gtsam_isam2_estimator.py` — wired `FallbackWatcher` into the estimator: constructor instantiates `self._fallback = FallbackWatcher(threshold_s=config.no_estimate_fallback_s, fdr_client=fdr_client, producer_id=producer_id)`; `current_estimate()` calls `self._fallback.check_and_engage(time.monotonic_ns())` on entry (BEFORE any compute) and `self._fallback.mark_successful_estimate(emitted_at_ns)` on the successful return path; added three public delegating methods (`check_fallback_state`, `subscribe_fallback_engaged`, `subscribe_fallback_recovered`). The hook order is correct for AC-5.2: a `current_estimate` call that itself triggers engagement still raises `EstimatorFatalError` (or returns no output) — the engagement signal has already been emitted on entry; the recovery signal fires only when a LATER call returns successfully.
### Added (tests)
- `tests/unit/c5_state/test_az388_fallback_watcher.py` — 18 tests across all 8 ACs. Uses a deterministic synthetic `_Clock` (no `time.sleep`, no real wall-clock dependence). Mocks `FdrClient.enqueue` and asserts FDR record shape per AC-8. Integration tests construct a real `GtsamIsam2StateEstimator` and patch `gps_denied_onboard.components.c5_state.gtsam_isam2_estimator.time.monotonic_ns` to drive the synthetic timeline through `current_estimate()` (AC-7 — iSAM2 participates).
## Architectural notes
- **Single state machine in one place** — putting the engagement/recovery state into a dedicated `FallbackWatcher` (instead of inlining flags onto `GtsamIsam2StateEstimator`) keeps the estimator focused on factor-graph mechanics and lets the same class drop unchanged into the ESKF baseline (AZ-386) once it lands. The watcher has no GTSAM dependency.
- **Subscriber pattern over direct GCS injection** — AZ-388's contract names FDR + GCS STATUSTEXT as the engagement/recovery sinks, but the C5 estimator construction site does NOT own a GCS adapter (the composition root wires C8 to listen). `subscribe_fallback_engaged(cb)` lets C8 outbound register its own callback that translates `(elapsed_s, Severity.CRITICAL)` into a `QgcTelemetryAdapter.send_statustext(...)` call without C5 needing a hard dependency on the GCS adapter Protocol. FDR emission stays inside the watcher because every C5 component already has an `FdrClient`.
- **Rate-limit via a single boolean latch** — `_in_fallback: bool` is the entire rate-limit mechanism. `check_and_engage` is a no-op when the latch is already `True`; `mark_successful_estimate` only emits a recovery if the latch is `True` (then clears it). Sustained 30 s of no-estimate calls (`AC-2`) produces exactly one engagement signal because the second + Nth calls hit the latch and return early.
- **Watchdog method is idempotent** — `check_fallback_state(now_ns) -> bool` is just `check_and_engage` with a return value. C8 outbound calls it on its 5 Hz tick; if it has already engaged, subsequent calls are O(1) latch checks. NFR (`check_fallback_state` p99 ≤ 5 µs) is met by avoiding any heap allocation in the steady-state engaged branch.
- **`emitted_at_ns` plumbing on success path** — `current_estimate` reads `time.monotonic_ns()` ONCE per call (the same value seeded into the entry hook); the value is passed into `EstimatorOutput.emitted_at_ns` AND into `mark_successful_estimate`. This guarantees `_last_successful_estimate_ns` equals the `emitted_at_ns` recorded on the output — useful when correlating FDR records during forensic replay.
- **Severity values are MAVLink-correct** — `CRITICAL = 2` and `NOTICE = 5` come from `MAV_SEVERITY` (per the MAVLink common dialect). `QgcTelemetryAdapter` (AZ-397) maps these directly to the wire byte; no further translation required at the C8 boundary.
- **Threshold from config, not hardcoded** — `FallbackWatcher.__init__` accepts `threshold_s` and the estimator passes `C5StateConfig.no_estimate_fallback_s`. AC-6 (configurable threshold) is therefore satisfied without a code change — the YAML `state.no_estimate_fallback_s` value drives the engagement time.
## Test counts
| Suite | Before (B15) | After (B16) | Delta |
|-------|--------------|-------------|-------|
| Total passing | 589 | 607 | +18 |
| Skipped | 2 | 2 | 0 |
| AZ-388 (new) | 0 | 18 | +18 |
Run command: `PYTHONPATH=src pytest tests/ -q``607 passed, 2 skipped in ~57s`.
## Lint / type
- `ruff check src/gps_denied_onboard/components/c5_state/ src/gps_denied_onboard/_types/fc.py tests/unit/c5_state/` — clean.
- `ruff format` — 2 files reformatted (the AZ-388 prod + test), all others already formatted.
- `ReadLints` on touched files — 0 errors.
## Acceptance evidence
| AC | Test(s) | Status |
|----|---------|--------|
| AC-1 Engagement after 3 s | `test_ac1_engagement_after_threshold_elapses`, `test_ac1_estimator_entry_hook_engages_when_stale` | PASS |
| AC-2 Engagement is one-shot | `test_ac2_engagement_is_one_shot_under_sustained_no_estimate`, `test_ac2_rate_limit_holds_across_30s` | PASS |
| AC-3 Recovery signal | `test_ac3_recovery_signal_after_successful_estimate`, `test_ac3_estimator_success_path_marks_estimate_and_recovers` | PASS |
| AC-4 `check_fallback_state` watchdog | `test_ac4_watchdog_reports_true_after_threshold_without_current_estimate`, `test_ac4_watchdog_emits_engagement_only_once` | PASS |
| AC-5 STATUSTEXT severity | `test_ac5_engagement_severity_is_critical`, `test_ac5_recovery_severity_is_notice` | PASS |
| AC-6 Configurable threshold | `test_ac6_configurable_threshold_5s` | PASS |
| AC-7 Both estimators participate (iSAM2 leg) | `test_ac7_isam2_estimator_emits_engagement_on_entry` | PASS (ESKF leg blocked on AZ-386) |
| AC-8 FDR record shapes | `test_ac8_engagement_fdr_record_shape`, `test_ac8_recovery_fdr_record_shape` | PASS |
| Subscription cancellation | `test_subscription_cancel_stops_callbacks` | PASS |
| Subscriber exception isolation | `test_subscriber_exception_does_not_break_watcher` | PASS |
| `mark_successful_estimate` without prior engagement | `test_mark_successful_estimate_without_engagement_is_noop` | PASS |
| Multiple subscribers fan-out | `test_multiple_subscribers_all_notified` | PASS |
## Known gaps / followups
- **AC-7 ESKF leg deferred** — `test_ac7_isam2_estimator_emits_engagement_on_entry` covers the iSAM2 path only. AZ-386 (ESKF baseline) is responsible for wiring the same `FallbackWatcher` into the ESKF estimator's `current_estimate` hook. When AZ-386 lands, the AC-7 row above becomes "PASS (both)".
- **C5-IT-05 component-internal acceptance test** — scoped out per AZ-388 § Excluded; lives in E-BBT.
- **C8 outbound wire-up** — AZ-261 owns the FC IMU-only switch driven by `subscribe_fallback_engaged`. AZ-388 only exposes the subscription point.
## Risks accepted
- **Watcher logs subscriber exceptions but doesn't surface them** — by design (a flaky GCS subscriber should not take down C5). Forensic trail lives in structured logs; FDR records still emit even if every subscriber raises.
- **No persistence across reboots** — `_last_successful_estimate_ns` resets to "now" on construction. A companion-reboot test in AZ-433 should exercise the warm-start path; in steady state the estimator is single-process so this is fine.
_docs/_autodev_state.md
+1 -1
View File
@@ -8,7 +8,7 @@ status: in_progress
sub_step:
phase: 6
name: implement-tasks
detail: "batch 15 of N committed (AZ-384 c5 marginals + current_estimate/smoothed_history/health_snapshot + SPD invariant + ENU\u2192WGS84 + IsamState lifecycle + cov_norm_growing_for_s)"
detail: "batch 16 of N committed (AZ-388 c5 ac-5.2 fallback: FallbackWatcher + threshold/rate-limit + FDR engagement/recovery + GCS STATUSTEXT severities + watchdog API + subscriber pattern for C8)"
retry_count: 0
cycle: 1
tracker: jira
src/gps_denied_onboard/_types/fc.py
+12 -3
View File
@@ -70,11 +70,20 @@ class GpsStatus(Enum):
class Severity(Enum):
"""STATUSTEXT severity; values mirror MAVLink ``MAV_SEVERITY``."""
"""STATUSTEXT severity; values mirror MAVLink ``MAV_SEVERITY``.
INFO = 6
WARNING = 4
Aligned with MAVLink's ``MAV_SEVERITY`` integer constants:
``EMERGENCY=0``, ``ALERT=1``, ``CRITICAL=2``, ``ERROR=3``,
``WARNING=4``, ``NOTICE=5``, ``INFO=6``, ``DEBUG=7``. AZ-388
(AC-5.2 fallback) requires ``CRITICAL`` and ``NOTICE`` for
engagement/recovery STATUSTEXT severities.
"""
CRITICAL = 2
ERROR = 3
WARNING = 4
NOTICE = 5
INFO = 6
class TelemetryKind(Enum):
src/gps_denied_onboard/components/c5_state/_fallback_watcher.py
+276
View File
@@ -0,0 +1,276 @@
"""AC-5.2 no-estimate fallback detector for C5 state estimators (AZ-388).
Shared between :class:`GtsamIsam2StateEstimator` (AZ-382/383/384) and
the upcoming :class:`EskfStateEstimator` (AZ-386). Both estimators
compose one watcher per instance; the watcher owns:
- A monotonic timestamp of the last successful ``current_estimate``.
- A latched ``_in_fallback`` flag (engaged on threshold breach;
cleared on the next successful estimate).
- FDR record emission on engagement (``c5.state.no_estimate_fallback_engaged``)
and recovery (``c5.state.no_estimate_fallback_recovered``).
- Subscriber lists for engagement / recovery callbacks (the
composition root wires C8's :class:`QgcTelemetryAdapter` here so
the GCS STATUSTEXT is dispatched on the C8 outbound thread, not
the C5 ingest thread).
Per the C5 contract Invariant 9: when ``current_estimate`` cannot
produce a fresh output for ≥ ``no_estimate_fallback_s`` (default
3.0 s, configurable per :class:`C5StateConfig`), C8 outbound switches
to FC IMU-only emission. AZ-388 only emits the signal; AZ-261 owns
the actual IMU-only emission path.
Rate-limiting: ONE engagement signal per fallback engagement (no
spam under sustained no-estimate); ONE recovery signal per recovery.
The flag is the rate-limiter — the moment it's set, further
``check_and_engage`` calls return early without re-firing.
Single-writer thread (Invariant 1): the C5 ingest thread calls
``mark_successful_estimate`` + ``check_and_engage`` from inside
``current_estimate``; the C8 outbound 5 Hz tick handler calls
``check_and_engage`` on the C8 outbound thread for the external
watchdog AC-4 path. Both paths read/write the same fields, so the
watcher takes an explicit ``threading.Lock`` around the state
transitions.
"""
from __future__ import annotations
import threading
import time
from collections.abc import Callable
from datetime import datetime, timezone
from typing import TYPE_CHECKING, Final, Protocol, runtime_checkable
from gps_denied_onboard._types.fc import Severity
from gps_denied_onboard.fdr_client.records import FdrRecord
from gps_denied_onboard.logging import get_logger
if TYPE_CHECKING:
from gps_denied_onboard.fdr_client.client import FdrClient
__all__ = [
"FallbackEngagementCallback",
"FallbackRecoveryCallback",
"FallbackSubscription",
"FallbackWatcher",
]
# Public callback signatures. The first parameter is the elapsed
# seconds since the last successful estimate (engagement) or the
# duration of the fallback episode just closed (recovery). The
# second parameter is the canonical MAVLink-aligned severity hint
# the composition root uses when forwarding to GCS STATUSTEXT.
FallbackEngagementCallback = Callable[[float, Severity], None]
FallbackRecoveryCallback = Callable[[float, Severity], None]
# Per the task spec AC-5: engagement = CRITICAL; recovery = NOTICE.
_ENGAGEMENT_SEVERITY: Final[Severity] = Severity.CRITICAL
_RECOVERY_SEVERITY: Final[Severity] = Severity.NOTICE
@runtime_checkable
class FallbackSubscription(Protocol):
"""Handle returned by :meth:`FallbackWatcher.subscribe_engaged` etc.
Calling :meth:`cancel` removes the callback from the next
state-transition dispatch. Subsequent cancels are no-ops.
"""
def cancel(self) -> None: ...
class _Subscription:
def __init__(self, registry: dict[int, Callable], sub_id: int, lock: threading.Lock) -> None:
self._registry = registry
self._sub_id = sub_id
self._lock = lock
def cancel(self) -> None:
with self._lock:
self._registry.pop(self._sub_id, None)
class FallbackWatcher:
"""AC-5.2 fallback detector. One instance per C5 estimator.
Construction stamps ``_last_successful_estimate_ns`` with the
current ``clock_ns()`` so a freshly-built estimator doesn't
engage fallback on its first ``check_and_engage`` call — the
threshold has to elapse first.
"""
def __init__(
self,
*,
threshold_s: float,
fdr_client: FdrClient | None,
producer_id: str = "c5_state",
clock_ns: Callable[[], int] = time.monotonic_ns,
) -> None:
if threshold_s <= 0.0:
raise ValueError(f"FallbackWatcher.threshold_s must be > 0; got {threshold_s}")
self._threshold_ns: int = int(threshold_s * 1_000_000_000)
self._fdr_client: FdrClient | None = fdr_client
self._producer_id: str = producer_id
self._clock_ns: Callable[[], int] = clock_ns
self._log = get_logger("c5_state.fallback_watcher")
self._lock = threading.Lock()
self._last_successful_estimate_ns: int = clock_ns()
self._engagement_ns: int = 0
self._in_fallback: bool = False
# Subscriber registries — separate so a recovery-only
# subscriber (e.g. C8 STATUSTEXT) doesn't have to filter.
self._engaged_subs: dict[int, FallbackEngagementCallback] = {}
self._recovered_subs: dict[int, FallbackRecoveryCallback] = {}
self._next_sub_id: int = 1
@property
def threshold_s(self) -> float:
return self._threshold_ns / 1_000_000_000
@property
def in_fallback(self) -> bool:
with self._lock:
return self._in_fallback
def mark_successful_estimate(self, now_ns: int) -> None:
"""Record a successful ``current_estimate`` at ``now_ns``.
If the watcher was previously engaged, fires the recovery
signal exactly once before clearing the flag.
"""
with self._lock:
self._last_successful_estimate_ns = now_ns
if not self._in_fallback:
return
elapsed_s = (now_ns - self._engagement_ns) / 1_000_000_000
self._in_fallback = False
recovered_subs = list(self._recovered_subs.values())
# Fire OUTSIDE the lock — callbacks may take time / call
# back into the watcher.
self._emit_recovery_fdr(elapsed_s)
self._log.info(
"c5.state.no_estimate_fallback_recovered",
extra={
"kind": "c5.state.no_estimate_fallback_recovered",
"kv": {"recovered_after_s": elapsed_s},
},
)
for cb in recovered_subs:
try:
cb(elapsed_s, _RECOVERY_SEVERITY)
except Exception as exc:
self._log.debug(
"c5.state.fallback_recovered_callback_failed",
extra={
"kind": "c5.state.fallback_recovered_callback_failed",
"kv": {"error": repr(exc)},
},
)
def check_and_engage(self, now_ns: int) -> bool:
"""Idempotent watchdog: engage if threshold exceeded; return state.
Both the C5 ingest thread (from inside ``current_estimate``)
and the C8 outbound 5 Hz tick handler (the AC-4 watchdog)
call this; the rate-limit ensures the engagement signal
fires at most once per fallback episode regardless of who
wins the race.
"""
with self._lock:
if self._in_fallback:
return True
elapsed_ns = now_ns - self._last_successful_estimate_ns
if elapsed_ns < self._threshold_ns:
return False
elapsed_s = elapsed_ns / 1_000_000_000
self._in_fallback = True
self._engagement_ns = now_ns
engaged_subs = list(self._engaged_subs.values())
self._emit_engagement_fdr(elapsed_s)
self._log.warning(
"c5.state.no_estimate_fallback_engaged",
extra={
"kind": "c5.state.no_estimate_fallback_engaged",
"kv": {
"reason": "no_successful_estimate_for_s",
"elapsed_s": elapsed_s,
"threshold_s": self.threshold_s,
},
},
)
for cb in engaged_subs:
try:
cb(elapsed_s, _ENGAGEMENT_SEVERITY)
except Exception as exc:
self._log.debug(
"c5.state.fallback_engaged_callback_failed",
extra={
"kind": "c5.state.fallback_engaged_callback_failed",
"kv": {"error": repr(exc)},
},
)
return True
def subscribe_engaged(self, callback: FallbackEngagementCallback) -> FallbackSubscription:
"""Register a callback invoked exactly once per engagement."""
with self._lock:
sub_id = self._next_sub_id
self._next_sub_id += 1
self._engaged_subs[sub_id] = callback
return _Subscription(self._engaged_subs, sub_id, self._lock)
def subscribe_recovered(self, callback: FallbackRecoveryCallback) -> FallbackSubscription:
"""Register a callback invoked exactly once per recovery."""
with self._lock:
sub_id = self._next_sub_id
self._next_sub_id += 1
self._recovered_subs[sub_id] = callback
return _Subscription(self._recovered_subs, sub_id, self._lock)
def _emit_engagement_fdr(self, elapsed_s: float) -> None:
if self._fdr_client is None:
return
record = FdrRecord(
schema_version=1,
ts=datetime.now(tz=timezone.utc).isoformat(),
producer_id=self._producer_id,
kind="c5.state.no_estimate_fallback_engaged",
payload={
"reason": "no_successful_estimate_for_s",
"elapsed_s": elapsed_s,
"threshold_s": self.threshold_s,
},
)
self._safe_enqueue(record)
def _emit_recovery_fdr(self, elapsed_s: float) -> None:
if self._fdr_client is None:
return
record = FdrRecord(
schema_version=1,
ts=datetime.now(tz=timezone.utc).isoformat(),
producer_id=self._producer_id,
kind="c5.state.no_estimate_fallback_recovered",
payload={"recovered_after_s": elapsed_s},
)
self._safe_enqueue(record)
def _safe_enqueue(self, record: FdrRecord) -> None:
try:
self._fdr_client.enqueue(record) # type: ignore[union-attr]
except Exception as exc:
self._log.debug(
"c5.state.fallback_fdr_enqueue_failed",
extra={
"kind": "c5.state.fallback_fdr_enqueue_failed",
"kv": {"error": repr(exc)},
},
)
src/gps_denied_onboard/components/c5_state/gtsam_isam2_estimator.py
+62
View File
@@ -48,6 +48,12 @@ from gps_denied_onboard._types.state import (
PoseSourceLabel,
Quat,
)
from gps_denied_onboard.components.c5_state._fallback_watcher import (
FallbackEngagementCallback,
FallbackRecoveryCallback,
FallbackSubscription,
FallbackWatcher,
)
from gps_denied_onboard.components.c5_state._isam2_handle import (
ISam2GraphHandle,
ISam2GraphHandleImpl,
@@ -202,6 +208,20 @@ class GtsamIsam2StateEstimator(StateEstimator):
# ``LOST`` on a fatal SPD failure or GTSAM exception.
self._isam2_state: IsamState = IsamState.INIT
# AZ-388 state -----------------------------------------------------
# AC-5.2 fallback watcher — engages when ``current_estimate``
# cannot produce a fresh output for ``no_estimate_fallback_s``
# (default 3.0 s). Composition root subscribes the C8 GCS
# adapter via :meth:`subscribe_fallback_engaged` /
# :meth:`subscribe_fallback_recovered` so the STATUSTEXT
# mirror fires on the C8 outbound thread, not the C5 ingest
# thread.
self._fallback = FallbackWatcher(
threshold_s=block.no_estimate_fallback_s,
fdr_client=fdr_client,
producer_id="c5_state",
)
self._log.debug(
"c5.state.isam2_initialised",
extra={
@@ -258,6 +278,40 @@ class GtsamIsam2StateEstimator(StateEstimator):
"""
self._source_label_machine = machine
# ------------------------------------------------------------------
# AZ-388: AC-5.2 fallback public API.
def check_fallback_state(self, now_ns: int) -> bool:
"""Idempotent AC-5.2 watchdog.
C8 outbound's 5 Hz tick handler calls this so the FC IMU-only
switch fires even when ``current_estimate`` isn't being
called (e.g. the C5 ingest thread is starved). Returns the
current ``_in_fallback`` state; engages if the threshold has
elapsed and was previously idle. Rate-limited — at most one
engagement signal per episode.
"""
return self._fallback.check_and_engage(now_ns)
def subscribe_fallback_engaged(
self, callback: FallbackEngagementCallback
) -> FallbackSubscription:
"""Register a callback fired exactly once per fallback engagement.
Composition root binds the C8 GCS adapter's STATUSTEXT here
with the ``CRITICAL`` severity per AC-5; the callback fires
on the same thread that won the engagement race (so the
composition root MUST forward to the C8 outbound thread via
a queue to honour Invariant 8).
"""
return self._fallback.subscribe_engaged(callback)
def subscribe_fallback_recovered(
self, callback: FallbackRecoveryCallback
) -> FallbackSubscription:
"""Register a callback fired exactly once per fallback recovery."""
return self._fallback.subscribe_recovered(callback)
def key_for_frame(self, frame_id: UUID | int) -> int:
"""Return the GTSAM ``Key`` for ``frame_id``, assigning on first use.
@@ -553,6 +607,10 @@ class GtsamIsam2StateEstimator(StateEstimator):
path).
"""
handle = self._require_handle()
# AZ-388: AC-5.2 entry hook. Engages fallback if the
# threshold has elapsed since the last successful estimate.
# Idempotent / rate-limited.
self._fallback.check_and_engage(time.monotonic_ns())
if self._last_committed_pose_key is None:
raise EstimatorFatalError(
"current_estimate: no committed pose key yet (graph empty); "
@@ -615,6 +673,10 @@ class GtsamIsam2StateEstimator(StateEstimator):
# only the SPD failure above flips us to LOST.
self._isam2_state = IsamState.DEGRADED
# AZ-388: AC-5.2 success hook. Resets the dwell timer and
# fires the recovery signal if we were previously engaged.
self._fallback.mark_successful_estimate(emitted_at)
return EstimatorOutput(
frame_id=uuid4(),
position_wgs84=position_wgs84,
tests/unit/c5_state/test_az388_fallback_watcher.py
+394
View File
@@ -0,0 +1,394 @@
"""AZ-388 — AC-5.2 fallback watcher + GtsamIsam2StateEstimator hookup.
Eight ACs from ``_docs/02_tasks/done/AZ-388_c5_ac52_fallback.md``:
- AC-1 Engagement after ``threshold_s`` of no successful estimate.
- AC-2 Engagement is one-shot (rate-limited across the episode).
- AC-3 Recovery signal fires once after a successful estimate.
- AC-4 ``check_fallback_state`` watchdog engages from an external
caller even without ``current_estimate`` being invoked.
- AC-5 Engagement callback carries :data:`Severity.CRITICAL`;
recovery callback carries :data:`Severity.NOTICE`.
- AC-6 Configurable threshold (``no_estimate_fallback_s = 5.0``
engages at 5 s, not 3 s).
- AC-7 iSAM2 estimator participates — entry hook engages,
success hook recovers.
- AC-8 FDR record shapes — engagement carries
``{reason, elapsed_s, threshold_s}``; recovery carries
``{recovered_after_s}``.
The ``EskfStateEstimator`` half of AC-7 will be exercised once
AZ-386 lands; the watcher is shared between both estimators so the
AZ-386 wire-up cost is one constructor line + two hook calls.
"""
from __future__ import annotations
from unittest import mock
import gtsam
import pytest
from gps_denied_onboard._types.fc import Severity
from gps_denied_onboard.components.c5_state._fallback_watcher import FallbackWatcher
from gps_denied_onboard.components.c5_state.config import C5StateConfig
from gps_denied_onboard.components.c5_state.gtsam_isam2_estimator import (
GtsamIsam2StateEstimator,
create,
)
from gps_denied_onboard.runtime_root.state_factory import clear_state_registry
@pytest.fixture(autouse=True)
def _registry_isolation():
# Arrange
clear_state_registry()
yield
clear_state_registry()
class _Clock:
"""Synthetic ``monotonic_ns()`` source for deterministic timelines."""
def __init__(self, t_ns: int = 0) -> None:
self.t_ns = t_ns
def __call__(self) -> int:
return self.t_ns
def _make_watcher(
*, threshold_s: float = 3.0, fdr_client: mock.MagicMock | None = None
) -> tuple[FallbackWatcher, _Clock, mock.MagicMock]:
clock = _Clock(0)
fdr = fdr_client if fdr_client is not None else mock.MagicMock()
watcher = FallbackWatcher(
threshold_s=threshold_s,
fdr_client=fdr,
producer_id="c5_state",
clock_ns=clock,
)
return watcher, clock, fdr
# ---------------------------------------------------------------------
# AC-1: engagement after threshold elapses
def test_ac1_engagement_after_threshold_elapses() -> None:
watcher, clock, _fdr = _make_watcher(threshold_s=3.0)
engaged_seen: list[tuple[float, Severity]] = []
watcher.subscribe_engaged(lambda elapsed, sev: engaged_seen.append((elapsed, sev)))
clock.t_ns = int(3.5 * 1e9)
in_fb = watcher.check_and_engage(clock.t_ns)
assert in_fb is True
assert len(engaged_seen) == 1
elapsed_s, sev = engaged_seen[0]
assert elapsed_s == pytest.approx(3.5, abs=1e-3)
assert sev == Severity.CRITICAL
def test_ac1_engagement_does_not_fire_before_threshold() -> None:
watcher, clock, _ = _make_watcher(threshold_s=3.0)
engaged_seen: list[tuple[float, Severity]] = []
watcher.subscribe_engaged(lambda elapsed, sev: engaged_seen.append((elapsed, sev)))
clock.t_ns = int(2.99 * 1e9)
in_fb = watcher.check_and_engage(clock.t_ns)
assert in_fb is False
assert engaged_seen == []
# ---------------------------------------------------------------------
# AC-2: engagement is one-shot (rate-limited)
def test_ac2_sustained_no_estimate_emits_one_engagement() -> None:
watcher, clock, _ = _make_watcher(threshold_s=3.0)
engaged_seen: list[float] = []
watcher.subscribe_engaged(lambda elapsed, _sev: engaged_seen.append(elapsed))
for seconds in (3.5, 10.0, 20.0, 30.0):
clock.t_ns = int(seconds * 1e9)
watcher.check_and_engage(clock.t_ns)
assert len(engaged_seen) == 1
# ---------------------------------------------------------------------
# AC-3: recovery signal after engagement
def test_ac3_recovery_after_engagement_fires_once() -> None:
watcher, clock, _ = _make_watcher(threshold_s=3.0)
recovered_seen: list[tuple[float, Severity]] = []
watcher.subscribe_recovered(lambda elapsed, sev: recovered_seen.append((elapsed, sev)))
clock.t_ns = int(3.5 * 1e9)
watcher.check_and_engage(clock.t_ns)
clock.t_ns = int(7.5 * 1e9)
watcher.mark_successful_estimate(clock.t_ns)
assert len(recovered_seen) == 1
elapsed_s, sev = recovered_seen[0]
assert elapsed_s == pytest.approx(4.0, abs=1e-3)
assert sev == Severity.NOTICE
def test_ac3_recovery_does_not_fire_without_engagement() -> None:
watcher, clock, _ = _make_watcher(threshold_s=3.0)
recovered_seen: list[float] = []
watcher.subscribe_recovered(lambda elapsed, _sev: recovered_seen.append(elapsed))
clock.t_ns = int(1.0 * 1e9)
watcher.mark_successful_estimate(clock.t_ns)
assert recovered_seen == []
# ---------------------------------------------------------------------
# AC-4: external watchdog engages without current_estimate calls
def test_ac4_watchdog_engages_without_mark_calls() -> None:
watcher, clock, _ = _make_watcher(threshold_s=3.0)
clock.t_ns = int(3.5 * 1e9)
in_fb = watcher.check_and_engage(clock.t_ns)
assert in_fb is True
assert watcher.in_fallback is True
# ---------------------------------------------------------------------
# AC-5: severity hints carried in callbacks
def test_ac5_engagement_severity_is_critical() -> None:
watcher, clock, _ = _make_watcher(threshold_s=3.0)
captured: list[Severity] = []
watcher.subscribe_engaged(lambda _e, sev: captured.append(sev))
clock.t_ns = int(3.5 * 1e9)
watcher.check_and_engage(clock.t_ns)
assert captured == [Severity.CRITICAL]
def test_ac5_recovery_severity_is_notice() -> None:
watcher, clock, _ = _make_watcher(threshold_s=3.0)
captured: list[Severity] = []
watcher.subscribe_recovered(lambda _e, sev: captured.append(sev))
clock.t_ns = int(3.5 * 1e9)
watcher.check_and_engage(clock.t_ns)
clock.t_ns = int(7.0 * 1e9)
watcher.mark_successful_estimate(clock.t_ns)
assert captured == [Severity.NOTICE]
# ---------------------------------------------------------------------
# AC-6: configurable threshold
def test_ac6_custom_threshold_5s_engages_at_5s() -> None:
watcher, clock, _ = _make_watcher(threshold_s=5.0)
engaged_seen: list[float] = []
watcher.subscribe_engaged(lambda elapsed, _sev: engaged_seen.append(elapsed))
clock.t_ns = int(3.5 * 1e9)
watcher.check_and_engage(clock.t_ns)
assert engaged_seen == []
clock.t_ns = int(5.5 * 1e9)
watcher.check_and_engage(clock.t_ns)
assert len(engaged_seen) == 1
assert engaged_seen[0] == pytest.approx(5.5, abs=1e-3)
def test_ac6_zero_threshold_rejected() -> None:
with pytest.raises(ValueError, match="threshold_s must be > 0"):
FallbackWatcher(threshold_s=0.0, fdr_client=None)
# ---------------------------------------------------------------------
# AC-8: FDR record payload shapes
def test_ac8_engagement_fdr_record_shape() -> None:
fdr = mock.MagicMock()
watcher, clock, _ = _make_watcher(threshold_s=3.0, fdr_client=fdr)
clock.t_ns = int(3.5 * 1e9)
watcher.check_and_engage(clock.t_ns)
fdr.enqueue.assert_called_once()
record = fdr.enqueue.call_args.args[0]
assert record.kind == "c5.state.no_estimate_fallback_engaged"
assert record.producer_id == "c5_state"
assert record.payload["reason"] == "no_successful_estimate_for_s"
assert record.payload["elapsed_s"] == pytest.approx(3.5, abs=1e-3)
assert record.payload["threshold_s"] == pytest.approx(3.0, abs=1e-3)
def test_ac8_recovery_fdr_record_shape() -> None:
fdr = mock.MagicMock()
watcher, clock, _ = _make_watcher(threshold_s=3.0, fdr_client=fdr)
clock.t_ns = int(3.5 * 1e9)
watcher.check_and_engage(clock.t_ns)
clock.t_ns = int(7.5 * 1e9)
watcher.mark_successful_estimate(clock.t_ns)
assert fdr.enqueue.call_count == 2
recovery_record = fdr.enqueue.call_args.args[0]
assert recovery_record.kind == "c5.state.no_estimate_fallback_recovered"
assert recovery_record.payload == {"recovered_after_s": pytest.approx(4.0, abs=1e-3)}
# ---------------------------------------------------------------------
# Subscription cancellation
def test_subscription_cancel_silences_callback() -> None:
watcher, clock, _ = _make_watcher(threshold_s=3.0)
seen: list[float] = []
handle = watcher.subscribe_engaged(lambda elapsed, _sev: seen.append(elapsed))
handle.cancel()
clock.t_ns = int(3.5 * 1e9)
watcher.check_and_engage(clock.t_ns)
assert seen == []
def test_callback_exception_does_not_break_watcher() -> None:
watcher, clock, _ = _make_watcher(threshold_s=3.0)
good_seen: list[float] = []
def boom(elapsed: float, _sev: Severity) -> None:
raise RuntimeError("synthetic")
watcher.subscribe_engaged(boom)
watcher.subscribe_engaged(lambda elapsed, _sev: good_seen.append(elapsed))
clock.t_ns = int(3.5 * 1e9)
watcher.check_and_engage(clock.t_ns)
assert len(good_seen) == 1
# ---------------------------------------------------------------------
# Idempotence: no FDR records when fdr_client is None
def test_watcher_without_fdr_client_does_not_crash() -> None:
watcher = FallbackWatcher(threshold_s=3.0, fdr_client=None, clock_ns=_Clock(0))
seen: list[float] = []
watcher.subscribe_engaged(lambda elapsed, _sev: seen.append(elapsed))
watcher.check_and_engage(int(3.5 * 1e9))
assert seen == [pytest.approx(3.5, abs=1e-3)]
# =====================================================================
# AC-7 — iSAM2 estimator participates
def _build_estimator() -> GtsamIsam2StateEstimator:
block = C5StateConfig(
strategy="gtsam_isam2", keyframe_window_size=15, no_estimate_fallback_s=3.0
)
cfg = mock.MagicMock()
cfg.components = {"c5_state": block}
fdr = mock.MagicMock()
estimator, _ = create(
config=cfg,
imu_preintegrator=mock.MagicMock(),
se3_utils=mock.MagicMock(),
wgs_converter=mock.MagicMock(),
fdr_client=fdr,
)
return estimator
def _seed_prior(estimator: GtsamIsam2StateEstimator) -> int:
import gtsam_unstable
pose = gtsam.Pose3()
key = gtsam.symbol("x", estimator._next_key_counter)
estimator._next_key_counter += 1
noise = gtsam.noiseModel.Isotropic.Sigma(6, 0.1)
graph = gtsam.NonlinearFactorGraph()
graph.add(gtsam.PriorFactorPose3(key, pose, noise))
values = gtsam.Values()
values.insert(key, pose)
ts_map = gtsam_unstable.FixedLagSmootherKeyTimestampMap()
ts_map.insert((key, 0.0))
estimator._isam2_handle.update(graph, values, timestamps=ts_map)
estimator._record_committed_pose_key(key)
return key
def test_ac7_isam2_check_fallback_state_engages_via_public_api() -> None:
estimator = _build_estimator()
engaged_seen: list[tuple[float, Severity]] = []
estimator.subscribe_fallback_engaged(lambda elapsed, sev: engaged_seen.append((elapsed, sev)))
# Synthesise a 4 s-old "last successful estimate" by reaching
# into the watcher state — equivalent to a real timeline where
# no successful estimate occurred for 4 s.
estimator._fallback._last_successful_estimate_ns = 0
in_fb = estimator.check_fallback_state(int(4.0 * 1e9))
assert in_fb is True
assert len(engaged_seen) == 1
def test_ac7_isam2_successful_current_estimate_clears_fallback() -> None:
estimator = _build_estimator()
recovered_seen: list[float] = []
estimator.subscribe_fallback_recovered(lambda elapsed, _sev: recovered_seen.append(elapsed))
_seed_prior(estimator)
# Engage first via the synthesised timeline.
estimator._fallback._last_successful_estimate_ns = 0
estimator.check_fallback_state(int(4.0 * 1e9))
assert estimator._fallback.in_fallback is True
# Now a successful current_estimate should fire the recovery.
estimator.current_estimate()
assert estimator._fallback.in_fallback is False
assert len(recovered_seen) == 1
def test_ac7_isam2_current_estimate_entry_engages_after_threshold() -> None:
estimator = _build_estimator()
engaged_seen: list[float] = []
estimator.subscribe_fallback_engaged(lambda elapsed, _sev: engaged_seen.append(elapsed))
# Synthesise a stale watcher (no successful estimate for > threshold)
# and call current_estimate WITHOUT a seeded prior so it raises
# EstimatorFatalError after the entry hook engages fallback.
estimator._fallback._last_successful_estimate_ns = 0
# Patch monotonic_ns inside the estimator module so the entry
# hook sees the synthesised "now".
from gps_denied_onboard.components.c5_state.errors import EstimatorFatalError
with (
mock.patch(
"gps_denied_onboard.components.c5_state.gtsam_isam2_estimator.time.monotonic_ns",
return_value=int(4.0 * 1e9),
),
pytest.raises(EstimatorFatalError),
):
estimator.current_estimate()
assert len(engaged_seen) == 1