[autodev] Update Jetson test environment and satellite-provider integration

- Added `.env.test` to `.gitignore` to exclude test environment variables.
- Enhanced `docker-compose.test.jetson.yml` to include the real satellite-provider .NET service and its PostgreSQL database, replacing the mock service.
- Updated test execution policy to mandate all tests run exclusively on Jetson hardware, deprecating the previous two-tier model.
- Revised documentation in `_docs/LESSONS.md`, `_docs/02_document/tests/environment.md`, and `_docs/04_deploy/ci_cd_pipeline.md` to reflect the new testing strategy and environment setup.
- Improved `run-tests-jetson.sh` script to ensure proper environment variable handling and satellite-provider integration.

This commit aligns the testing framework with production environments, enhancing reliability and coverage.

scripts/run-tests-jetson.sh

@@ -38,6 +38,57 @@ COMPOSE_FILE="docker-compose.test.jetson.yml"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
 
+# AZ-688: the Jetson compose `include:`s ../satellite-provider/docker-compose.yml.
+# That relative path must resolve identically on the Mac (where the workstation
+# clones gps-denied-onboard alongside satellite-provider) and on the Jetson
+# (where this script rsyncs both). REMOTE_SATPROV_DIR is computed as a sibling
+# of REMOTE_DIR so the relative `../satellite-provider` works after `cd`.
+SATPROV_DIR="${REPO_ROOT}/../satellite-provider"
+if [ ! -d "${SATPROV_DIR}" ]; then
+    echo "ERROR: ../satellite-provider not found at ${SATPROV_DIR}" >&2
+    echo "       Clone the sibling repo before running the Jetson harness." >&2
+    exit 67
+fi
+SATPROV_DIR="$(cd "${SATPROV_DIR}" && pwd)"
+
+# .env.test (gitignored) supplies JWT_SECRET / JWT_ISSUER / JWT_AUDIENCE /
+# GOOGLE_MAPS_API_KEY. The upstream satellite-provider compose interpolates
+# `${VAR}` from the docker-compose shell environment, so we must source the
+# file BEFORE building the heredoc.
+ENV_TEST_FILE="${REPO_ROOT}/.env.test"
+if [ ! -f "${ENV_TEST_FILE}" ]; then
+    echo "ERROR: ${ENV_TEST_FILE} not found." >&2
+    echo "       Copy .env.test.example to .env.test and fill in the JWT/GMaps vars." >&2
+    echo "       See _docs/03_implementation/jetson_harness_setup.md for details." >&2
+    exit 68
+fi
+set -o allexport
+# shellcheck disable=SC1090
+source "${ENV_TEST_FILE}"
+set +o allexport
+
+for var in JWT_SECRET JWT_ISSUER JWT_AUDIENCE; do
+    val="${!var:-}"
+    if [ -z "${val}" ]; then
+        echo "ERROR: ${var} not set after sourcing ${ENV_TEST_FILE}." >&2
+        echo "       The real satellite-provider fails fast at startup without all three JWT_* vars." >&2
+        exit 69
+    fi
+done
+
+if [ "${#JWT_SECRET}" -lt 32 ]; then
+    echo "ERROR: JWT_SECRET is ${#JWT_SECRET} bytes; HMAC-SHA256 requires ≥ 32 bytes." >&2
+    exit 70
+fi
+
+# Pre-quote the env vars for safe heredoc injection. `${var@Q}` would be
+# cleaner but it requires bash 4.4+; macOS ships bash 3.2 and we want to
+# stay portable. `printf %q` is in bash 2+.
+JWT_SECRET_Q=$(printf '%q' "${JWT_SECRET}")
+JWT_ISSUER_Q=$(printf '%q' "${JWT_ISSUER}")
+JWT_AUDIENCE_Q=$(printf '%q' "${JWT_AUDIENCE}")
+GOOGLE_MAPS_API_KEY_Q=$(printf '%q' "${GOOGLE_MAPS_API_KEY:-}")
+
 # ----------------------------------------------------------------------
 # Pre-flight
 
@@ -68,10 +119,21 @@ case "${REMOTE_DIR}" in
         ;;
 esac
 
+# AZ-688: place satellite-provider as a sibling of REMOTE_DIR so the
+# compose `include: ../satellite-provider/docker-compose.yml` resolves.
+REMOTE_PARENT_DIR="$(dirname "${REMOTE_DIR}")"
+REMOTE_SATPROV_DIR="${REMOTE_PARENT_DIR}/satellite-provider"
+
 echo "[run-tests-jetson] using ssh alias: ${SSH_ALIAS}"
 echo "[run-tests-jetson] remote dir:      ${REMOTE_DIR}"
+echo "[run-tests-jetson] remote satprov:  ${REMOTE_SATPROV_DIR}"
 echo "[run-tests-jetson] compose file:    ${COMPOSE_FILE}"
 
+# AZ-688: ensure the dev TLS cert exists locally before rsync so the
+# satellite-provider container can mount /app/certs/api.pfx on startup.
+echo "[run-tests-jetson] ensure-dev-cert (local)"
+bash "${SCRIPT_DIR}/ensure-dev-cert.sh"
+
 # ----------------------------------------------------------------------
 # Step 1: sync source
 
@@ -95,7 +157,7 @@ echo "[run-tests-jetson] compose file:    ${COMPOSE_FILE}"
 #
 # Flags note: macOS ships BSD rsync, which doesn't support GNU's
 # `--info=progress2`. Stick to the portable subset.
-echo "[run-tests-jetson] rsync → ${SSH_ALIAS}:${REMOTE_DIR}/"
+echo "[run-tests-jetson] rsync gps-denied-onboard → ${SSH_ALIAS}:${REMOTE_DIR}/"
 rsync -az --delete --stats \
     --exclude=.git/ \
     --exclude='__pycache__/' \
@@ -110,17 +172,44 @@ rsync -az --delete --stats \
     --exclude='*.engine' \
     "${REPO_ROOT}/" "${SSH_ALIAS}:${REMOTE_DIR}/"
 
-# ----------------------------------------------------------------------
-# Step 2: build the e2e-runner image on the Jetson
+# AZ-688: also rsync the sibling satellite-provider repo so the
+# `include:` path resolves on the Jetson. .NET artefacts (bin/, obj/,
+# TestResults/) are excluded; the cert dir is included so the upstream
+# api container can mount /app/certs/api.pfx.
+echo "[run-tests-jetson] rsync satellite-provider → ${SSH_ALIAS}:${REMOTE_SATPROV_DIR}/"
+rsync -az --delete --stats \
+    --exclude=.git/ \
+    --exclude=bin/ \
+    --exclude=obj/ \
+    --exclude=TestResults/ \
+    --exclude=.vs/ \
+    --exclude='*.DotSettings*' \
+    --exclude='*.user' \
+    --exclude=logs/ \
+    --exclude=Content/ \
+    --exclude=.DS_Store \
+    "${SATPROV_DIR}/" "${SSH_ALIAS}:${REMOTE_SATPROV_DIR}/"
 
-# The image MUST be built on the Jetson — see Dockerfile.jetson comment
-# about Tegra-specific libs.
-echo "[run-tests-jetson] docker compose build e2e-runner (on Jetson)"
+# ----------------------------------------------------------------------
+# Step 2: build the e2e-runner + satellite-provider images on the Jetson
+
+# Both images MUST be built on the Jetson — Dockerfile.jetson needs Tegra
+# libs, and the .NET dotnet-sdk image is multi-arch but only the arm64
+# variant is on the Orin.
+echo "[run-tests-jetson] docker compose build (on Jetson)"
+# The compose `include:` resolves the upstream env vars from the shell, so
+# pass JWT_SECRET / JWT_ISSUER / JWT_AUDIENCE / GOOGLE_MAPS_API_KEY through
+# the heredoc as explicit exports. (We can't rely on `ssh -o SendEnv` —
+# the Jetson sshd would have to allow the matching AcceptEnv on its side.)
 # shellcheck disable=SC2087  # we want the heredoc to expand on the local side
 ssh "${SSH_ALIAS}" bash -s <<EOF
 set -euo pipefail
+export JWT_SECRET=${JWT_SECRET_Q}
+export JWT_ISSUER=${JWT_ISSUER_Q}
+export JWT_AUDIENCE=${JWT_AUDIENCE_Q}
+export GOOGLE_MAPS_API_KEY=${GOOGLE_MAPS_API_KEY_Q}
 cd "${REMOTE_DIR}"
-docker compose -f "${COMPOSE_FILE}" build e2e-runner
+docker compose -f "${COMPOSE_FILE}" build e2e-runner satellite-provider
 EOF
 
 # ----------------------------------------------------------------------
@@ -133,6 +222,10 @@ EOF
 echo "[run-tests-jetson] docker compose up e2e-runner (on Jetson)"
 ssh "${SSH_ALIAS}" bash -s <<EOF
 set -euo pipefail
+export JWT_SECRET=${JWT_SECRET_Q}
+export JWT_ISSUER=${JWT_ISSUER_Q}
+export JWT_AUDIENCE=${JWT_AUDIENCE_Q}
+export GOOGLE_MAPS_API_KEY=${GOOGLE_MAPS_API_KEY_Q}
 cd "${REMOTE_DIR}"
 exec docker compose -f "${COMPOSE_FILE}" up \
     --abort-on-container-exit \