[AZ-507] [AZ-323] [AZ-324] C10 Manifest build + verify + AZ-270 hygiene

AZ-507: codify cross-component import rule. Added _types/inference_errors.py shim re-exporting EngineBuildError + CalibrationCacheError from c7_inference; narrowed C10 EngineCompiler's except Exception to the two typed errors so unknown exceptions propagate (AC-3). Rewrote module-layout.md "Imports from" sections for 9 components + added Rule 9; appended an architecture.md ADR-009 note explaining why components must go through _types/*. AZ-323: ManifestBuilder + Ed25519ManifestSigner. Canonical JSON via orjson OPT_SORT_KEYS+OPT_INDENT_2, atomic-write Manifest.json + sha sidecar + .sig via AZ-280, operator-key fingerprint allowlist gate (C10-ST-01), ADR-010 takeoff_origin + flight_id baked into Manifest AND manifest_hash so re-planned routes change the cache identity (AC-15/AC-16). 20 unit tests cover all 16 ACs. AZ-324: ManifestVerifierImpl. Fail-closed Steps A-D: Manifest.json sidecar self-hash, Ed25519 trust-key set, schema parse with absolute/.. path rejection + takeoff_origin in-bbox check, stream SHA-256 per artifact with multi-failure accumulation. Operator mode re-derives tiles_coverage_sha256 from C6; airborne mode trusts the signed aggregate. 19 unit tests cover all 17 ACs. Composition root: c10_factory.build_manifest_builder + build_manifest_verifier + c6_tile_metadata_store_to_tiles_query adapter (the one place that legitimately imports both C6 and C10 without violating the AZ-270 lint). Dependency: pinned cryptography>=43.0,<46.0 in pyproject.toml. Tests: 1300 passed, 80 skipped (env-only), ruff clean for all AZ-323/324 files. AZ-306 (FAISS) intentionally deferred to batch 35 — needs C++ pybind11 toolchain not present in this environment. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-22 21:11:13 +00:00 · 2026-05-13 02:37:14 +03:00
parent 6ca8d78190
commit e2bebefdfc
20 changed files with 3406 additions and 26 deletions
@@ -52,6 +52,10 @@ from gps_denied_onboard._types.inference import (
    OptimizationProfile,
    PrecisionMode,
 )
+from gps_denied_onboard._types.inference_errors import (
+    CalibrationCacheError,
+    EngineBuildError,
+)
 from gps_denied_onboard._types.manifests import HostCapabilities
 from gps_denied_onboard.helpers.engine_filename_schema import (
    EngineFilenameSchema,
@@ -275,14 +279,14 @@ class EngineCompiler:
            entry = self._runtime.compile_engine(
                backbone.onnx_path, build_config
            )
-        except Exception as exc:
-            # The C7 InferenceRuntime contract scopes exceptions to its
-            # `RuntimeError` family (`EngineBuildError`,
-            # `CalibrationCacheError`, ...). The c10 layer is forbidden
-            # from importing the c7 errors module (architecture rule
-            # AC-6 / test_az270_compose_root.test_ac6); we catch the
-            # broader `Exception` and dispatch by class name in the log
-            # payload. Re-raising preserves the original type.
+        except (EngineBuildError, CalibrationCacheError) as exc:
+            # AZ-507 narrowed the catch to the documented C7 typed-error
+            # envelope (`_types/inference_errors.py` re-exports
+            # `EngineBuildError` + `CalibrationCacheError` from
+            # `c7_inference.errors` without violating the AZ-270 lint).
+            # Unknown exceptions intentionally propagate unhandled — they
+            # are programmer errors, not C7 contract failures, and must
+            # not be swallowed under a structured "compile.error" log.
            self._log.error(
                "c10.engine.compile.error",
                extra={