start over again

_docs/02_document/tests/security-tests.md

@@ -1,77 +0,0 @@
-# Security Tests
-
-### NFT-SEC-01: Signed Cache Manifest Enforcement
-
-**Summary**: Validate that unsigned or tampered cache manifests cannot produce trusted anchors.
-
-**Traces to**: AC-8.2, AC-8.3, AC-NEW-4, AC-NEW-7
-
-| Step | Consumer Action | Expected Response |
-|------|-----------------|-------------------|
-| 1 | Provide valid signed manifest | System accepts cache fixture if all freshness and resolution checks pass |
-| 2 | Provide unsigned manifest | System rejects cache fixture and logs security event |
-| 3 | Provide hash-mismatched tile sidecar | System rejects affected tile and emits no trusted anchor from it |
-
-**Pass criteria**: 0 unsigned or hash-mismatched fixtures produce `satellite_anchored` output or trusted generated tile promotion.
-
----
-
-### NFT-SEC-02: Cache Poisoning Write Gate
-
-**Summary**: Validate that generated onboard tiles are not written or promoted when parent-pose covariance is too weak.
-
-**Traces to**: AC-8.4, AC-NEW-7
-
-| Step | Consumer Action | Expected Response |
-|------|-----------------|-------------------|
-| 1 | Replay generated tile candidate with parent sigma <=3 m | Tile may be written as candidate with full quality metadata |
-| 2 | Replay candidate with parent sigma in (3 m, 5 m] | Tile is marked lower trust per sidecar policy |
-| 3 | Replay candidate with parent sigma >5 m | Tile is not eligible for write/promotion |
-
-**Pass criteria**: Tile trust level and write eligibility match AC-NEW-7; no over-threshold tile becomes trusted basemap.
-
----
-
-### NFT-SEC-03: MAVLink Source And Spoofing Rejection
-
-**Summary**: Validate that spoofed real-GPS measurements and unauthorized MAVLink sources do not override trusted estimator state.
-
-**Traces to**: AC-3.5, AC-4.3, AC-NEW-2, AC-NEW-8
-
-| Step | Consumer Action | Expected Response |
-|------|-----------------|-------------------|
-| 1 | Inject spoofed `GPS_RAW_INT` during normal visual operation | Estimator rejects inconsistent GPS based on FC health and visual/satellite consistency |
-| 2 | Inject spoofed GPS during visual blackout | Spoofed GPS remains excluded until health and visual consistency gates pass |
-| 3 | Inject MAVLink messages from unauthorized source ID | Message is ignored and security/status event is logged |
-
-**Pass criteria**: No unauthorized or spoofed input causes a confident position estimate; promotion/demotion status is visible to QGC and FDR.
-
----
-
-### NFT-SEC-04: No In-Flight Satellite Provider Access
-
-**Summary**: Validate that the runtime system does not call commercial or Suite satellite services during flight.
-
-**Traces to**: AC-8.1, AC-8.3, Restrictions Satellite Imagery
-
-| Step | Consumer Action | Expected Response |
-|------|-----------------|-------------------|
-| 1 | Run replay with network blocked | System continues using local cache |
-| 2 | Run replay requiring missing tile | System reports degraded/relocalization-needed status, not an external fetch |
-
-**Pass criteria**: 0 outbound satellite-provider or Suite Service calls during runtime; missing cache data produces controlled degraded behavior.
-
----
-
-### NFT-SEC-INFRA: Invalid Cache No-Fetch Smoke
-
-**Summary**: Validate that the replay harness treats untrusted cache fixtures as a successful security rejection, not as a trusted anchor.
-
-**Traces to**: AZ-236 AC-2, AZ-236 AC-3, AZ-233 Security NFR
-
-| Step | Consumer Action | Expected Response |
-|------|-----------------|-------------------|
-| 1 | Run replay with `cache_variant=stale` | Satellite cache stub marks the manifest untrusted and records no network fetch |
-| 2 | Inspect replay evidence | Scenario reports `pass`, `source_label=untrusted_cache_rejected`, and `GPS_INPUT.fix_type=0` |
-
-**Pass criteria**: The invalid cache smoke scenario passes only when the untrusted fixture is rejected and no external satellite-provider or Suite service network fetch is attempted.