[AZ-319] C11 HttpTileUploader (post-landing upload path)

Lands the production HttpTileUploader composing AZ-317's gate, AZ-318's per-flight signing, and consumer-side cuts over c6 storage. Implements the full upload flow: gate ON_GROUND -> start_session -> enumerate pending -> per-batch multipart POST with Ed25519 signing -> mark_uploaded on ack -> end_session in finally. Honours Retry-After (RFC 7231 int + HTTP-date), exponential backoff on 5xx, fail-fast on TLS/401/403. Adds C11Config block, three FDR kinds (tile.queued, tile.rejected, batch.complete), and the build_tile_uploader composition-root factory. Cross-component access to c6 stays Protocol-cut (AZ-507 / AZ-270). Tests: 17 new unit tests covering AC-1..AC-14 plus throughput NFR; AZ-272 schema fixtures for the three new FDR kinds. Full unit suite: 1404 passed. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-22 20:01:12 +00:00 · 2026-05-13 06:13:36 +03:00
parent cde237e236
commit 610e8a743c
15 changed files with 2461 additions and 24 deletions
@@ -205,6 +205,61 @@ KNOWN_PAYLOAD_KEYS: Final[dict[str, frozenset[str]]] = {
    "c11.upload.signature_rejected": frozenset(
        {"flight_id", "tile_id", "fingerprint", "observed_at_iso"}
    ),
+    # AZ-319 / E-C11: emitted by ``HttpTileUploader._process_response``
+    # for every pending tile the satellite-provider acknowledged with
+    # a non-rejected ``IngestStatus`` (queued / duplicate / superseded).
+    # ``flight_id`` is the active session UUID, ``tile_id`` is the
+    # canonical tile string id, ``fingerprint`` is the per-flight
+    # public-key fingerprint (correlates back to
+    # ``c11.upload.session.key.public``), ``batch_uuid`` is the
+    # provider-assigned batch correlation id, and ``status`` is the
+    # raw ``IngestStatus`` enum value.
+    "c11.upload.tile.queued": frozenset(
+        {
+            "flight_id",
+            "tile_id",
+            "fingerprint",
+            "batch_uuid",
+            "status",
+            "observed_at_iso",
+        }
+    ),
+    # AZ-319 / E-C11: emitted when the ``satellite-provider`` ingest
+    # endpoint reports a tile-level rejection inside an otherwise
+    # accepted batch (HTTP 200 / 202 with per-tile statuses). This
+    # is the per-tile, non-security rejection record; security-driven
+    # rejections also raise ``c11.upload.signature_rejected`` via the
+    # key manager.
+    "c11.upload.tile.rejected": frozenset(
+        {
+            "flight_id",
+            "tile_id",
+            "fingerprint",
+            "batch_uuid",
+            "rejection_reason",
+            "observed_at_iso",
+        }
+    ),
+    # AZ-319 / E-C11: emitted exactly once per
+    # ``upload_pending_tiles`` invocation, at end-of-call, regardless
+    # of outcome. ``outcome`` is the ``UploadOutcome`` enum string
+    # (success / partial / failure); ``total_attempted`` /
+    # ``total_queued`` / ``total_rejected`` summarise per-tile
+    # disposition; ``retry_count`` is the total transient retries
+    # observed across all batches in the session.
+    "c11.upload.batch.complete": frozenset(
+        {
+            "flight_id",
+            "fingerprint",
+            "batch_uuid",
+            "outcome",
+            "total_attempted",
+            "total_queued",
+            "total_rejected",
+            "retry_count",
+            "observed_at_iso",
+        }
+    ),
 }

 KNOWN_KINDS: Final[frozenset[str]] = frozenset(KNOWN_PAYLOAD_KEYS.keys())