mirror of
https://github.com/azaion/gps-denied-onboard.git
synced 2026-06-22 16:51:13 +00:00
Update autodev skill documentation and acceptance criteria
Enhanced the SKILL.md file to enforce conciseness rules for the state file, specifying acceptable content and file size limits. Updated the autodev state to reflect the transition to the planning phase, including changes to the current step and sub-step details. Revised acceptance criteria to clarify validation requirements and external dependencies, ensuring alignment with the latest research findings. Added a new overlay for Mode B revisions to track changes and decisions made during the assessment process.
@@ -33,6 +33,7 @@ This folder replaces the previous monolithic `06_component_fit_matrix.md` (284 l
|
||||
| [`C7_inference_runtime.md`](C7_inference_runtime.md) | **C7** — On-Jetson inference runtime | **CLOSED at 3/N (batch 1 closed 2026-05-08)** — top-2 documentary leads + mandatory simple-baseline COMPLETE; **Cand 1 RECOMMENDED PRIMARY** | **Cand 1 (RECOMMENDED PRIMARY)**: TensorRT native — JetPack 6.2 bundled TensorRT 10.3 + `IInt8EntropyCalibrator2` + `BuilderFlag.FP16+INT8` mixed-precision + engines built directly on Jetson Orin Nano Super SM 87 (clean Apache-2.0 in TensorRT 10.x; ships with JetPack so zero-effort install; lowest-latency primary path; 2-3× speedup at INT8 vs FP16 per Source #102 YOLO26 evidence); **Cand 2 (interop alternate)**: ONNX Runtime + TensorRT EP — `onnxruntime-gpu` via Jetson AI Lab JP6/CU126 wheel index + `TensorrtExecutionProvider` config + automatic CUDA EP / CPU EP subgraph fallback (clean MIT throughout; cross-architecture portability for replay/SITL on x86 dev hosts; modern-competitive-lead-cross-architecture-portability); **Cand 3 (mandatory simple-baseline)**: pure PyTorch FP16 — `torch.amp.autocast` + `model.half()` + Jetson AI Lab PyTorch 2.5 ARM64 wheel (clean BSD-3-Clause throughout; zero-conversion regression baseline; reference-correctness oracle for accuracy validation of TRT-built engines) | INT8-only candidates marked Experimental until D-C7-1 calibration dataset materializes; matchers (LightGlue, XFeat, XFeat+LighterGlue) are FP16-only — NO INT8 — per D-C7-6 cross-component model-family precision policy due to Source #103 quantization-sensitivity finding |
|
||||
| [`C8_fc_adapter.md`](C8_fc_adapter.md) | **C8** — MAVLink / MSP2 FC adapter | **CLOSED at 3/N (batch 1 closed 2026-05-08)** — top-1 per FC for ArduPilot + parallel-evaluation per FC for iNav after mid-batch contradiction recovery COMPLETE; **Cand 1 RECOMMENDED PRIMARY for AP, Cand 2 RECOMMENDED PRIMARY for iNav** | **Cand 1 (RECOMMENDED PRIMARY for ArduPilot)**: pymavlink → MAVLink `GPS_INPUT` (msg 232) cooperative-path; `master.mav.gps_input_send(...)` periodic injection at 5 Hz over MAVLink (UART/USB/UDP); FC-side `GPS1_TYPE=14` MAVLink + `EK3_SRC1_POSXY=3` GPS source-set drives EKF3 ingestion via `AP_GPS_MAV` (LGPL-3.0 pymavlink linkable from Apache-2.0 app per LGPL §6; canonical ArduPilot stack); **Cand 2 (RECOMMENDED PRIMARY for iNav)**: `MSP2_SENSOR_GPS` (id 7939 / 0x1F03) via Python MSP V2 implementation YAMSPy or INAV-Toolkit `msp_v2_encode`; `mspGPSReceiveNewData()` direct passthrough; covariance fields `hPosAccuracy/vPosAccuracy/hVelAccuracy` align directly with AP `GPS_INPUT.horiz_accuracy/vert_accuracy/speed_accuracy` (MIT throughout; clean dual-use compatible; locked SQ6 + AC-4.3 transport); **Cand 3 (DEFERRED secondary for iNav)**: UBX impersonation via pyubx2 NAV-PVT — forging u-blox NAV-PVT frames through standard GPS pipeline; iNav-side `gpsMapFixType()` validation gate requires `flags & 0x01 = 1` (gnssFixOK) AND `fixType ∈ {2,3}`; pyubx2 BSD-3-Clause; **does NOT clear user's "significant-improvement-only" bar over Cand 2** (richer protocol surface + AC-NEW-7 forgery posture + stricter validation gate + AP-path field-name divergence outweigh pyubx2 library-maturity advantage). 
**Mid-batch correction**: I caught a contradiction between my own initial AskQuestion phrasing ("UBX impersonation as ONLY iNav path") and locked SQ6 + AC-4.3 + restrictions.md verdicts (MSP2_SENSOR_GPS as iNav primary); user re-locked scope via `c8_inav_recovery=B` to evaluate both as parallel candidates | (none yet — pymavlink LGPL-3.0 license posture handled via D-C8-3 = (a) bundle-unmodified-with-version-pin per LGPL §6 standard compliance) |
|
||||
| [`C10_preflight_provisioning.md`](C10_preflight_provisioning.md) | **C10** — Pre-flight cache provisioning (CROSS-COUPLING MINIMAL scope per 2026-05-08 user choice C; operator CLI/desktop tooling, sector classification, freshness schema deferred to Plan-phase) | **CLOSED at 2/N (batch 1 closed 2026-05-08)** — D-C6-3 + D-C7-7 cross-component gates closed; no further C10 batches required at research layer | **D-C6-3 confirmation**: direct `faiss.write_index` / `faiss.read_index` Python API + `python-atomicwrites` + content-hash verification gate at takeoff + manifest-hash-driven rebuild trigger + `IO_FLAG_MMAP_IFC` mmap load (FAISS MIT, atomicwrites MIT throughout); **D-C7-7 confirmation**: hybrid Polygraphy CLI primary for INT8-calibrating builds + `trtexec` for cache-reuse fast rebuilds + direct `IBuilderConfig` Python API for unusual models (LightGlue dynamic shapes) — Polygraphy + TensorRT 10.x Apache-2.0 throughout, calibration corpus per D-C7-1 closure | (none — both candidates Apache-2.0/MIT clean; FAISS "no internal integrity check" warning mitigated by content-hash gate; `trtexec --int8` random-data caveat mitigated by project-side wrapper enforcing `--calib=<existing_cache>` non-empty precondition) |
|
||||
| [`MODEB_revisions.md`](MODEB_revisions.md) | **Mode B revisions overlay (2026-05-08)** — solution_draft01 assessment | Overlay file with revised candidate-row statuses + new D-Cx-y gates surfaced by Mode B findings F1–F20 (Facts #102–#113). VINS-Mono license-track-only on D-C1-1 = (a)/(c); KLT+RANSAC re-labelled mandatory simple-baseline (per Mode A C1 Fact #35); UltraVPR Documentary-Lead PRIMARY + MegaLoc Documentary-Lead SECONDARY on BSD/permissive C2 axis (D-C2-11 revised); D-C8-2 downgraded to `Selected with runtime gate` (SITL validation gate before lock); OpenCV pin tightened to ≥4.12.0; new sub-stages added (Top-N inlier re-rank between C2 and C3; AdHoP-conditional refinement between C3 and C4); new gates D-C2-12 (DINOv2-feature matcher), D-C8-9 (MAVLink-2.0 message-signing per FC), D-CROSS-LATENCY-1 (AC-4.1 budget partition), D-CROSS-CVE-1 (dependency security pinning), D-PROJ-1 (camera calibration acquisition), D-PROJ-2 (Suite Sat Service voting-layer contract verification); new tests IT-11 (smoothing-loop look-back), NFT-8 (signing verification), NFT-9 (hot-soak latency distribution). | n/a |
|
||||
| [`99_cross_component_gates.md`](99_cross_component_gates.md) | **Cross-component process gates** | Open — Plan-phase Choose blocks raised by C1+C2+C3+C4+C5+C6+C7+C8+C10 closures | D-C1-1 license posture, D-C1-2 Jetson MVE, D-C2-1..11 (VPR retrain/cache/dim), D-C3-1..6 (matcher mitigation/runtime/K-pairs/ALIKED-mode/DISK-weights/XFeat-mode), D-C4-1..4, **D-C5-1..5 (Manual ESKF + GTSAM iSAM2)**, **D-C6-1..7**, **D-C7-1..9**, **D-C8-1..8**, **D-C10-1 (descriptor-cache rebuild trigger — manifest-hash-driven recommended, NEW from Fact #100)**, **D-C10-2 (descriptor-cache atomic-write strategy — `python-atomicwrites` recommended, NEW from Fact #100)**, **D-C10-3 (content-hash verification gate at takeoff load — reject + STATUSTEXT + refuse takeoff recommended, NEW from Fact #100, CROSS-COMPONENT with AC-NEW-7)**, **D-C10-4 (descriptor-cache load path — mmap with `madvise(MADV_WILLNEED)` pre-fault recommended, NEW from Fact #100)**, **D-C10-5 (TensorRT engine-build orchestration tool — hybrid Polygraphy + trtexec + direct API recommended, NEW from Fact #101, CROSS-COMPONENT with C7)**, **D-C10-6 (TensorRT calibration-cache reuse strategy — rebuild-on-calib-corpus-SHA-256-change recommended, NEW from Fact #101, CROSS-COMPONENT with D-C7-1)**, **D-C10-7 (TensorRT engine on-disk filename schema — self-describing `<model>_sm<SM>_jp<JP>_trt<TRT>_<precision>.engine` recommended, NEW from Fact #101)**, **D-C10-8 (TensorRT prebuilt-fallback engine generation venue — reference Jetson at HQ + deployed-Jetson-copy-to-archive recommended, NEW from Fact #101)**, Fact #40 dual-rate camera pipeline | n/a |
|
||||
|
||||
---
|
||||
|
||||
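Review bot: The added `MODEB_revisions.md` row has four cells, while the neighbouring rows (`C7_inference_runtime.md`, `C8_fc_adapter.md`, `99_cross_component_gates.md`) have five, so its `n/a` lands one column early; add the missing cell so the row lines up with the rest of the table. The row's inventory is also incomplete relative to the overlay file it summarises: it lists the new tests IT-11, NFT-8 and NFT-9 but not IT-12, and it omits the gates D-C1-1-SUB-A and D-C8-2-FALLBACK. Either complete the list or reduce the cell to a pointer to the overlay so the two cannot drift.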
@@ -3,6 +3,8 @@
|
||||
> Mode A Phase 2 — engine Step 7.5 (Component Applicability Gate). Plan-phase Choose blocks raised by C1, C2, C3, C4, C5, C6, C7, C8, and C10 closures. Each gate names its owner and the resolution path. Backing fact cards live in [`../02_fact_cards/`](../02_fact_cards/) by component.
|
||||
>
|
||||
> Index: [`00_summary.md`](00_summary.md). Per-component rows: [C1](C1_vio.md), [C2](C2_vpr.md), [C3](C3_matchers.md), [C4](C4_pose_estimation.md), [C5](C5_state_estimator.md), [C6](C6_tile_cache_spatial_index.md), [C7](C7_inference_runtime.md), [C8](C8_fc_adapter.md), [C10](C10_preflight_provisioning.md). C9 dropped per 2026-05-08 restructure — see `../00_question_decomposition.md`.
|
||||
>
|
||||
> **Mode B overlay (2026-05-08)**: this file preserves the Mode A audit trail. NEW gates raised by Mode B Solution Assessment of `_docs/01_solution/solution_draft01.md` are catalogued in [`MODEB_revisions.md`](MODEB_revisions.md) — specifically D-C2-12 (DINOv2-feature matcher evaluation), D-C8-2-FALLBACK (companion-driven EKF source switch fallback if SITL validation fails), D-C8-9 (MAVLink-2.0 message-signing per FC), D-CROSS-LATENCY-1 (AC-4.1 latency budget partition strategy), D-CROSS-CVE-1 (dependency security pinning posture), D-PROJ-1 (camera calibration acquisition strategy), D-PROJ-2 (Suite Sat Service voting-layer contract verification). REVISED gates with Mode B evidence: D-C1-1 (VINS-Mono license re-confirmed GPL-3.0 — see Mode B Fact #102), D-C2-11 (UltraVPR + MegaLoc elevated from "deferred to post-research" to "Documentary Lead PRIMARY + SECONDARY" — see Mode B Fact #110), D-C8-2 (downgraded to `Selected with runtime gate` — see Mode B Fact #111). Read [`MODEB_revisions.md`](MODEB_revisions.md) alongside this file for the current gate state.
|
||||
|
||||
---
|
||||
|
||||
|
||||
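Review bot: The gate list in the added "Mode B overlay" blockquote does not match the other inventories in this commit. It names D-C8-2-FALLBACK, which the summary-table row in the first hunk and Editing rule 3 of `MODEB_revisions.md` both leave out, and it omits D-C1-1-SUB-A, which the overlay records as LOCKED. Since the paragraph already tells readers to open `MODEB_revisions.md` for the current gate state, consider dropping the enumerated IDs here and keeping only the link, or make all three lists identical.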
@@ -0,0 +1,72 @@
|
||||
# Component Fit Matrix — Mode B Revisions (2026-05-08)
|
||||
|
||||
> Mode B Solution Assessment of `_docs/01_solution/solution_draft01.md`. Revisions to specific candidate-row statuses + new D-Cx-y gates surfaced by Mode B findings F1–F20.
|
||||
>
|
||||
> Index: [`00_summary.md`](00_summary.md). Mode B fact cards: [`../02_fact_cards/MODEB_addendum.md`](../02_fact_cards/MODEB_addendum.md). Mode B sources: [`../01_source_registry/MODEB_addendum.md`](../01_source_registry/MODEB_addendum.md). Mode B output: [`../../01_solution/solution_draft02.md`](../../01_solution/solution_draft02.md).
|
||||
>
|
||||
> The original Mode A row files [`C1_vio.md`](C1_vio.md) ... [`C10_preflight_provisioning.md`](C10_preflight_provisioning.md) + [`99_cross_component_gates.md`](99_cross_component_gates.md) remain canonical. This file overlays revisions; where this file disagrees with the originals, this file wins (the original Mode A files are not retroactively edited so the audit trail is preserved).
|
||||
|
||||
---
|
||||
|
||||
## Status changes per candidate row
|
||||
|
||||
| Component | Candidate | Mode A status (verbatim from row file) | Mode B revised status | Reason |
|
||||
|---|---|---|---|---|
|
||||
| **C1** | VINS-Mono | "Selected (mandatory simple-baseline) — fallback if OKVIS2 fails Jetson MVE" + "Security: BSD permissive clean" | **`Selected via VioStrategy interface for comparative study + research/dev builds`**; production-deployed only if D-C1-1-SUB-A resolves to non-(a) AND IT-12 confirms VINS-Mono outperforms OKVIS2; **license corrected from "BSD permissive clean" to "GPL-3.0 (copyleft viral)"** | Fact #102 + 2026-05-08 user directive — Mode A C1 Fact #28 already correctly classified VINS-Mono as GPL-3.0; the BSD label was a Step-8 deliverable-formatting error in solution_draft01. User directive elevates VINS-Mono into the production design as a comparative-study sibling behind a `VioStrategy` interface. Source #122 confirms canonical GPL-3.0; see new D-C1-1-SUB-A below for viral-linkage containment policy. |
|
||||
| **C1** | KLT+RANSAC homemade fallback | "Selected (project-internal homemade fallback) — used when OKVIS2/VINS-Mono unavailable" | **`Selected (mandatory simple-baseline) — wrapped as `KltRansacVioStrategy` behind VioStrategy interface`** | Mode A C1 Fact #35 + 2026-05-08 user directive: KLT+RANSAC is the engine-required mandatory simple-baseline AND is wrapped as a third `VioStrategy` so the comparative study (IT-12) covers the engine-required baseline alongside OKVIS2 + VINS-Mono. |
|
||||
| **C1** | (NEW interface) `VioStrategy` interface | n/a | **`Selected (NEW architectural component per 2026-05-08 user directive on A1)`** | NEW: pluggable Strategy/Adapter pattern hosting `Okvis2VioStrategy`, `VinsMonoVioStrategy`, `KltRansacVioStrategy`. Selection is config-driven at startup; FDR (AC-NEW-3) records active strategy `name()` + `license()` per flight. Interface owns "produce `VioOutput` from frame + IMU window per the strategy's algorithm"; per-strategy concerns live in concrete implementations per coderule SRP rule. |
|
||||
| **C2** | (NEW) UltraVPR (cbbhuxx/UltraVPR, MIT) | n/a (D-C2-11 deferred to post-research) | **`Documentary lead PRIMARY on BSD/permissive C2 axis`**; mandatory Jetson MVE under D-C1-2 / D-C2-4 expanded scope | Fact #110 — RAL 2025 / ICRA 2026 publication; MIT license; **44 Hz on Jetson Orin NX (Orin-Nano-Super-class)**; rotation-invariant (multi-heading aerial flights); unsupervised aerial pretrain (closes D-C2-1 retrain cost); validated on VPAir + UAV-VisLoc datasets. Sources #124. |
|
||||
| **C2** | (NEW) MegaLoc (gmberton/megaloc, MIT) | n/a (D-C2-11 deferred to post-research) | **`Documentary lead SECONDARY (broader-applicability)`** on BSD/permissive C2 axis; mandatory Jetson MVE | Fact #110 — CVPR 2025 publication; MIT license; SOTA on multiple VPR benchmarks; aerial-validated via AirZoo benchmark (Source #125). Distributed via torch.hub. |
|
||||
| **C2** | MixVPR | "Selected (mandatory simple-baseline + recommended primary on BSD/permissive track)" | **`Selected (mandatory simple-baseline)`**; demoted from "recommended primary" to "mandatory baseline" — UltraVPR is the new BSD/permissive PRIMARY recommendation | Fact #110 — MixVPR remains valid candidate but UltraVPR's UAV-pretrain + Jetson-runtime evidence dominates on the project's pinned operating context. MixVPR retained as mandatory baseline per Component Option Breadth rule. |
|
||||
| **C2** | SelaVPR | "Selected (modern-competitive-lead BSD/permissive two-stage) — eligible if D-C2-7 re-rank strategy chosen" | **`Selected (modern-competitive-lead BSD/permissive secondary)` STRENGTHENED** | Fact #113 — XoFTR / SAR-optical benchmark contrarian evidence reinforces foundation-model (DINOv2) backbone preference for cross-domain registration; SelaVPR's DINOv2-L backbone is well-positioned even without aerial retrain. |
|
||||
| **C8** | pymavlink → MAVLink GPS_INPUT (AP) | "Selected (recommended-primary) for ArduPilot Plane" | **`Selected (recommended-primary) for ArduPilot Plane` + NEW security mitigation requirement: D-C8-9 MAVLink 2.0 message signing on companion ↔ AP wired channel** | Fact #109 — CVE-2026-1579 CVSS 9.8 CRITICAL. ArduPilot supports MAVLink 2.0 message signing (Source #128). Draft01 had no signing-posture decision; Mode B raises D-C8-9 as new gate. |
|
||||
| **C8** | D-C8-2 = (b) companion-driven `MAV_CMD_SET_EKF_SOURCE_SET` switch | (Recommendation: implicit `Selected` via D-C8-2 = (b) being the recommended pattern) | **`Selected with runtime gate`** per Step 7.5.3 carve-out — runtime gate = SITL validation by IT-3 before lock | Fact #111 — pattern is firmware-supported but no production-deployed precedent; the project will be establishing the canonical pattern itself. Carve-out is for runtime-quality validation, not API capability. |
|
||||
| **C4** | OpenCV `cv::solvePnPRansac` + GTSAM `Marginals` (D-C4-2 = (b)) | "Selected (mandatory simple-baseline + recommended-primary covariance recovery via GTSAM)" + "OpenCV 4.x" | **`Selected` + dependency pin updated to `OpenCV ≥4.12.0`** per CVE-2025-53644 mitigation | Fact #112 — OpenCV CVE-2025-53644 CVSS 9.8 CRITICAL on 4.10.0 / 4.11.0; fixed in 4.12.0. Single-line pin change with no API break. |
|
||||
| **C5** | GTSAM iSAM2 (AC-4.5 internal smoothing) | "Selected (modern-competitive-lead-factor-graph + recommended primary path) — couples NATIVELY with C4 GTSAM Marginals via D-C5-5 = (c)" | **`Selected` + AC-4.5 scope clarification: internal smoothing only, NOT FC retroactive correction** | Fact #107 — GTSAM iSAM2 NATIVE look-back refinement value is internal-only; ArduPilot `AP_GPS_MAV` and iNav `mspGPSReceiveNewData()` consume only the latest frame; FC log is forward-time only. AC-4.5 satisfied as "internal estimator refines past + emits corrected current estimate", not as "FC retroactively corrects past flight log". |
|
||||
| **All C-rows** | (cross-cutting) | (no AC-4.1 latency partition) | **NEW cross-cutting D-CROSS-LATENCY-1: AC-4.1 latency budget partition strategy** | Fact #103 — draft01's own runtime math (~140-420 ms p95) exceeds AC-4.1 (400 ms) at upper end with no slack reservation. Recommendation: hybrid K=3 default + auto-degrade to K=2 + Jacobian-covariance under thermal throttle. |
|
||||
|
||||
---
|
||||
|
||||
## Architecture-level additions (new sub-stages absent from solution_draft01)
|
||||
|
||||
| Sub-stage | Position in pipeline | Recommended candidate | Source |
|
||||
|---|---|---|---|
|
||||
| **Top-N inlier-based re-rank** (was promised by SQ2 Decision 3 but absent from solution_draft01) | Between C2 (VPR top-K) and C3 (matcher) | Thin wrapper around C3 matcher's RANSAC inlier counter; rank top-K candidates by inlier count from a single-pair LightGlue / XFeat invocation per candidate; output top-N ⊆ top-K for full-depth C3 matching | Fact #108; SQ2 Decision 3; Mode A SQ2 Source #38–#42 |
|
||||
| **AdHoP-conditional refinement** (was promised by SQ2 Decision 2 but absent from solution_draft01) | Between C3 (matcher) and C4 (PnP) | OrthoLoC AdHoP method-agnostic perspective preconditioning per Mode A SQ2 Source #40; invoked only when initial reprojection error exceeds a threshold; worst-case 2× C3 latency when triggered | Fact #108; SQ2 Decision 2; Mode A SQ2 Source #40 |
|
||||
|
||||
---
|
||||
|
||||
## New cross-component / project-level Plan-phase gates (overlay onto `99_cross_component_gates.md`)
|
||||
|
||||
| Gate | Owner | Resolution path |
|
||||
|---|---|---|
|
||||
| **D-C1-1 (REVISED with Fact #102 evidence)** license-track posture | User | No change to gate; evidence updated — VINS-Mono is GPL-3.0 (not BSD as draft01 listed); C1 BSD/permissive-track lead remains OKVIS2 (per Mode A C1 Fact #31 unchanged) |
|
||||
| **D-C1-1-SUB-A (LOCKED 2026-05-08 by User to option (a)) — VINS-Mono GPL-3.0 viral-linkage containment policy** | User (locked); Plan-phase implements | Production binary built with `BUILD_VINS_MONO=OFF` → only `Okvis2VioStrategy` + `KltRansacVioStrategy` linked → BSD-clean. Research/dev binary built with `BUILD_VINS_MONO=ON` → all three strategies linked → enables IT-12 comparative study + docs report. CI publishes both binaries; production CI job verifies via SBOM dump that no `vins_mono` GPL-3.0 symbol is present. CMake spec: `option(BUILD_VINS_MONO "Include VINS-Mono GPL-3.0 VioStrategy implementation; production builds MUST set OFF" OFF)`. Plan-phase scope: CMake flag + CI pipeline split (~1 day engineering). Options (b) process-isolation IPC and (c) accept D-C1-1 = (a) GPL-3.0 entire binary considered and rejected — see solution_draft02 § C1 D-C1-1-SUB-A locked-verdict table for trade-off rationale. |
|
||||
| **D-C2-11 (REVISED with Fact #110 evidence)** UltraVPR + MegaLoc evaluation as Documentary Lead candidates | User + Plan-phase architect | (a) elevate UltraVPR to Documentary Lead PRIMARY on BSD/permissive C2 axis; (b) elevate MegaLoc to Documentary Lead SECONDARY (broader-applicability); (c) preserve closed pre-screen (5/5: MixVPR + SALAD + SelaVPR + NetVLAD + EigenPlaces) as fallback. Mandatory Jetson MVE under D-C1-2 / D-C2-4 expanded scope. |
|
||||
| **D-C2-12 (NEW from Mode B Fact #113)** DINOv2-backbone feature-extractor evaluation for cross-domain matching | Plan-phase architect + C3 owner | Plan-phase decision: defer to Jetson MVE phase; potentially closes D-C3-1 retrain cost via DINOv2-feature-based matcher (e.g., DINOv2 + LightGlue or DINOv2 + paired matcher) without requiring D-C2-1 aerial retrain. Carryforward research item. |
|
||||
| **D-C8-2 (REVISED with Fact #111)** companion-driven `MAV_CMD_SET_EKF_SOURCE_SET` ownership pattern | Plan-phase architect + AC-NEW-2 owner | Recommendation unchanged ((b) companion publishes to source-set 2 + auto-switches FC), but **status downgraded to `Selected with runtime gate`** per Step 7.5.3 carve-out — runtime gate = ArduPilot Plane SITL validation by IT-3 (Spoofing-promotion latency) before lock. NEW sub-decision **D-C8-2-FALLBACK** if SITL validation fails: (a) operator-manual RC aux switch option 90 with relaxed AC-NEW-2 wording; (b) operator-warning STATUSTEXT instead of automated switch; (c) escalate to ArduPilot dev community. |
|
||||
| **D-C8-9 (NEW from Mode B Fact #109)** MAVLink 2.0 message signing posture per FC | Plan-phase architect + security owner | Plan-phase decision: (a) signing on ALL MAVLink channels (over-engineered for the wired companion link); (b) signing on companion ↔ AP wired channel only; (c) accept unsigned default (rejected per CVE-2026-1579 Critical CVSS); (d) **(RECOMMENDED) hybrid: signing on companion ↔ AP wired channel + per-flight key rotation**. Cross-FC asymmetry: iNav has no signing option (Source #129) — explicit residual risk; propose iNav firmware feature-request as Plan-phase carryforward. NEW NFT-8 — MAVLink message-signing verification: SBOM dump confirms passkey configuration for AP signing channel. |
|
||||
| **D-CROSS-LATENCY-1 (NEW from Mode B Fact #103)** AC-4.1 latency budget partition strategy | Plan-phase architect + project bring-up team | Plan-phase decision: (a) tighten K=3 to K=2 to recover ~30-60 ms; (b) drop GTSAM `Marginals` from RUNTIME path and use Jacobian-covariance per D-C4-2 = (a) to recover ~20-60 ms; (c) accept budget overrun and validate at Jetson MVE that p95 lands under 400 ms in practice; (d) **(RECOMMENDED) hybrid: K=3 default + auto-degrade to K=2 + Jacobian-covariance under thermal throttle**. **Validation gate**: Jetson MVE measurement of full p95+p99 distribution under hot-soak NFT-3 conditions (25 W @ +50 °C for 8 h) before lock. |
|
||||
| **D-CROSS-CVE-1 (NEW from Mode B Fact #112)** dependency security pinning posture | Plan-phase architect + security owner | Plan-phase decision: (a) **(RECOMMENDED)** lock to specific patched versions of all CVE-affected dependencies (OpenCV ≥4.12.0; FAISS — no CVEs; GTSAM — no CVEs; TensorRT 10.3 in JetPack 6.2 — no CVE-applicable since not using TRT-LLM 0.x; pymavlink — no CVEs published in repo at access time 2026-05-08); (b) maintain a project SBOM with monthly CVE re-scan; (c) automate pinning via dependabot or equivalent. Recommendation: (a) + (b). |
|
||||
| **D-PROJ-1 (NEW from Mode B Fact #104)** Camera calibration acquisition strategy | User + project bring-up team | Plan-phase decision: (a) checkerboard calibration on a pre-deployment ADTi 20MP 20L V1 nav-camera unit (~1-2 days engineering + lab access); (b) photogrammetric self-calibration from first ~50 deployment frames over known landmarks (~2-3 days plus runtime support code; degrades first-mission accuracy); (c) request manufacturer's factory-calibration data sheet from ADTi (low cost if available; risk: vendor may not publish per-unit calibration); (d) **(RECOMMENDED) hybrid**: factory data sheet + ground-truth checkerboard refinement on each deployed unit. **CRITICAL Plan-phase gate**: hard prerequisite for AC-1.1/1.2 frame-center-accuracy validation; Test Spec greenfield Step 5 cannot lock end-to-end accuracy fixtures without it. |
|
||||
| **D-PROJ-2 (NEW from Mode B Fact #105)** Suite Sat Service voting-layer contract verification | User + parent-suite Satellite Service team | Plan-phase decision: (a) verify Suite Service voting layer is documented + scheduled for the deployment timeframe; (b) draft the contract from the onboard side and propose to the Suite Service team; (c) build a project-internal multi-flight aggregator as stop-gap (~2-3 weeks engineering, cross-suite scope creep); (d) accept that AC-NEW-7 Service-side validation is best-effort and document the gap. **(RECOMMENDED) (a) verify + (b) draft in parallel** — contract definition is small (per-tile quality metadata schema + voting threshold spec). **CRITICAL cross-suite gate**: requires coordination with parent-suite Satellite Service team before AC-NEW-7 NFT-5 can pass with end-to-end evidence. |
|
||||
|
||||
---
|
||||
|
||||
## Testing Strategy additions
|
||||
|
||||
| Test ID | Purpose | New for Mode B? |
|
||||
|---|---|---|
|
||||
| **IT-11 — Smoothing-loop look-back accuracy** | Validate GTSAM iSAM2's smoothed past-keyframe poses against ground-truth at smoothing convergence (independent of FC-side consumption). FDR (AC-NEW-3) MUST log smoothed past-frame estimates so post-mission analysis can verify AC-4.5. | NEW (Fact #107) |
|
||||
| **NFT-8 — MAVLink message-signing verification** | SBOM dump confirms passkey configuration for AP signing channel; iNav side documents the unsignable-link as accepted residual risk per D-C8-9. | NEW (Fact #109) |
|
||||
| **NFT-9 — Hot-soak latency distribution** (extends NFT-3) | Measure end-to-end p95 + p99 latency distribution under hot-soak NFT-3 conditions (25 W @ +50 °C for 8 h); validate D-CROSS-LATENCY-1 hybrid degradation behaves correctly (K=3 → K=2 + Jacobian-covariance under thermal throttle). | NEW (Fact #103) |
|
||||
| **IT-1 (revised)** | Pipeline smoke now must clarify which datasets exercise which AC subsets per `_docs/00_problem/input_data/expected_results/results_report.md` § Known Gaps: still-image set is for AC-1.1/1.2 frame-center geolocation accuracy ONLY; Derkachi video is for runtime cadence + VIO + replay; neither is sufficient by itself for end-to-end AC-4.1 latency validation under production cadence + altitude + calibration. | Revised (clarify dataset purpose mapping) |
|
||||
| **IT-12 — VIO comparative study** | Replay same flight footage through all three `VioStrategy` implementations (`Okvis2VioStrategy`, `VinsMonoVioStrategy`, `KltRansacVioStrategy`) in the research/dev build; emit side-by-side AC-1.3 / AC-2.1a / AC-NEW-4 / AC-4.1 / AC-4.2 / SBOM table; published to `_docs/02_document/vio-comparative-study.md`; production-selection gate for D-C1-1-SUB-A. | NEW (2026-05-08 user directive on A1) |
|
||||
|
||||
---
|
||||
|
||||
## Editing rules (preservation of audit trail)
|
||||
|
||||
1. The original Mode A row files (`C1_vio.md` through `C10_preflight_provisioning.md`) and `99_cross_component_gates.md` are NOT retroactively edited — they preserve the Mode A audit trail.
|
||||
2. Where this Mode B revisions file disagrees with the originals, this file wins. Future Mode B / Plan-phase consumers should read this overlay file alongside the original row files.
|
||||
3. New Plan-phase decisions raised by Mode B (D-C2-12, D-C8-9, D-CROSS-LATENCY-1, D-CROSS-CVE-1, D-PROJ-1, D-PROJ-2) are catalogued here and in `solution_draft02.md` § Open decisions. Future Mode B / Plan-phase invocations should append to either this file or its sibling `99_cross_component_gates.md` (preferred for Plan-phase consumption) — not modify entries written here.
|
||||
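Review bot: NFT-8 (Testing Strategy table, repeated in the D-C8-9 gate row) verifies signing with "SBOM dump confirms passkey configuration", but an SBOM inventories software components and cannot show that a signing key is provisioned or that the FC rejects unsigned frames. Define NFT-8 as a behavioural test instead, for example a SITL run in which signed `GPS_INPUT` on the companion ↔ AP channel is accepted and unsigned or wrongly keyed frames are dropped, and state where the per-flight key recommended in option (d) is generated and stored. The same concern applies to D-C1-1-SUB-A, where the production CI job relies on an SBOM dump to show that no `vins_mono` symbol is present; a symbol-level check of the built binary would match the stated goal. Two smaller points: D-CROSS-CVE-1 option (a) says "lock to specific patched versions" while the pin given is the lower bound `OpenCV ≥4.12.0`, so say which is intended; and the KLT+RANSAC row nests backticks inside a backtick span around `KltRansacVioStrategy`, which will break rendering of that cell.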