chore: sync .cursor from suite

[AZ-240] Update product implementation and task decomposition processes
- Refined task decomposition steps to ensure implementation tasks are atomic and complexity does not exceed 5 points. - Enhanced the product implementation process with a completeness gate to verify task outcomes against architecture promises before proceeding to testing. - Updated dependencies table to reflect new tasks and their relationships, ensuring all test tasks are linked to product remediation tasks. - Adjusted workflow documentation to clarify entry points for task decomposition and implementation contexts. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-24 13:51:12 +00:00 · 2026-05-05 01:08:48 +03:00 · 2026-05-05 01:02:25 +03:00 · 2026-05-03 19:10:10 +03:00 · 2026-05-03 19:02:13 +03:00 · 2026-05-03 18:49:37 +03:00
221 changed files with 13098 additions and 669 deletions
@@ -0,0 +1,38 @@
 ---
 description: "Standards for creating and maintaining Cursor skills"
 globs: [".cursor/skills/**"]
 ---
 # Skill Building
 ## When To Create A Skill
 - Create a skill for repeatable, bounded workflows that benefit from a reusable process.
 - Do not create a skill for a one-off task, vague goal, or workflow that still needs product decisions.
 - Start small; evolve the skill when repeated use reveals clearer steps, constraints, or checks.
 ## Skill Contract
 - `SKILL.md` must define a clear `name` and a proactive `description` that explains when the skill should be used.
 - State expected inputs, constraints, workflow steps, and final output shape.
 - Make trigger conditions explicit enough that the agent can recognize intent without an exact command.
 - Base instructions on observable project evidence; do not invite fabrication or unsupported assumptions.
 ## Keep The Core Lean
 - Keep `SKILL.md` concise and under the repo's `.cursor/` size guidance.
 - Move detailed standards, examples, and background knowledge into `references/`.
 - Put reusable output shapes in `templates/` or other skill-local assets instead of embedding them in the main instructions.
 - Keep one primary responsibility per skill; use an orchestrator skill only when multiple existing skills must run in a defined order.
 ## Deterministic Work
 - Use scripts for mechanical steps that are repeatable, parameterized, and safer outside the model's reasoning.
 - Scripts must expose explicit inputs, avoid hidden side effects, and fail loudly on errors.
 - Do not use scripts to bypass review, hide destructive behavior, or hardcode secrets.
 ## Quality Proof
 - Include realistic examples, checklists, or eval-style scenarios that define what good output looks like.
 - Cover common failure cases such as missing sections, leftover placeholders, hallucinated facts, unsafe actions, or malformed output.
 - Review skill changes against those checks before treating the skill as ready.
 ## Security Review
 - Treat third-party skills like untrusted code until reviewed.
 - Inspect scripts, dependencies, references, secret handling, network calls, and destructive commands before use.
 - Prefer local, project-scoped assets and dependencies; document any external dependency the skill requires.
@@ -152,15 +152,17 @@ If `_docs/02_tasks/` subfolders have some task files already (e.g., refactoring
 ---
 **Step 6 — Implement Tests**
-Condition (folder fallback): `_docs/02_tasks/todo/` contains task files AND `_dependencies_table.md` exists AND `_docs/03_implementation/implementation_report_tests.md` does not exist.
+Condition (folder fallback): `_docs/02_tasks/todo/` contains test task files AND `_dependencies_table.md` exists AND `_docs/03_implementation/implementation_report_tests.md` does not exist.
 State-driven: reached by auto-chain from Step 5.
-Action: Read and execute `.cursor/skills/implement/SKILL.md`
+Action: Invoke `.cursor/skills/implement/SKILL.md` with task selection context **Test implementation**.
-The implement skill reads test tasks from `_docs/02_tasks/todo/` and implements them.
+The implement skill reads only test tasks from `_docs/02_tasks/todo/` and implements them.
 If `_docs/03_implementation/` has batch reports, the implement skill detects completed tasks and continues.
 For folder fallback, **test task files** means `*_test_infrastructure.md` plus task specs whose `**Component**` or `**Epic**` identifies `Blackbox Tests`.
 ---
 **Step 7 — Run Tests**
@@ -1,6 +1,6 @@
 # Greenfield Workflow
-Workflow for new projects built from scratch. Flows linearly: Problem → Research → Plan → UI Design (if applicable) → Test Spec → Decompose → Implement → Code Testability Revision → Decompose Tests → Implement Tests → Run Tests → Test-Spec Sync → Update Docs → Security Audit (optional) → Performance Test (optional) → Deploy → Retrospective.
+Workflow for new projects built from scratch. Flows linearly: Problem → Research → Plan → UI Design (if applicable) → Test Spec → Decompose → Implement + Product Completeness Gate → Code Testability Revision → Decompose Tests → Implement Tests → Run Tests → Test-Spec Sync → Update Docs → Security Audit (optional) → Performance Test (optional) → Deploy → Retrospective.
 ## Step Reference Table
@@ -11,8 +11,8 @@ Workflow for new projects built from scratch. Flows linearly: Problem → Resear
 | 3 | Plan | plan/SKILL.md | Step 1–6 + Final |
 | 4 | UI Design | ui-design/SKILL.md | Phase 0–8 (conditional — UI projects only) |
 | 5 | Test Spec | test-spec/SKILL.md | Phases 1–4 |
-| 6 | Decompose | decompose/SKILL.md | Step 1–4 |
+| 6 | Decompose | decompose/SKILL.md (implementation task decomposition) | Step 1 + Step 1.5 + Step 2 + Step 4 |
-| 7 | Implement | implement/SKILL.md | (batch-driven, no fixed sub-steps) |
+| 7 | Implement | implement/SKILL.md | Batch loop + Product Implementation Completeness Gate |
 | 8 | Code Testability Revision | refactor/SKILL.md (guided mode) | Phases 0–7 (conditional) |
 | 9 | Decompose Tests | decompose/SKILL.md (tests-only) | Step 1t + Step 3 + Step 4 |
 | 10 | Implement Tests | implement/SKILL.md | (batch-driven, no fixed sub-steps) |
@@ -112,27 +112,36 @@ This step converts the greenfield problem statement, acceptance criteria, soluti
 **Step 6 — Decompose**
 Condition: `_docs/02_document/` contains `architecture.md` AND `_docs/02_document/components/` has at least one component AND `_docs/02_document/tests/traceability-matrix.md` exists AND `_docs/02_tasks/todo/` does not exist or has no implementation task files.
-Action: Read and execute `.cursor/skills/decompose/SKILL.md` in normal implementation mode. Test tasks are intentionally deferred to Step 9 (Decompose Tests) so the first implementation batch stays focused on product functionality.
+Action: Invoke `.cursor/skills/decompose/SKILL.md` for **implementation task decomposition**. The greenfield flow selects the implementation entrypoint before handing off: Bootstrap Structure, Module Layout, Component Task Decomposition, and Cross-Task Verification.
 Do not invoke Blackbox Test Task Decomposition from Step 6. Test tasks are intentionally deferred to Step 9 (Decompose Tests) so the first implementation batch stays focused on product functionality and Step 8 can revise testability before test task files exist.
 If `_docs/02_tasks/` subfolders have some task files already, the decompose skill's resumability handles it.
 ---
 **Step 7 — Implement**
-Condition: `_docs/02_tasks/todo/` contains implementation task files AND `_dependencies_table.md` exists AND `_docs/03_implementation/` does not contain any product `implementation_report_*.md` file.
+Condition: `_docs/02_tasks/todo/` contains implementation task files AND `_dependencies_table.md` exists AND `_docs/03_implementation/` does not contain a valid product implementation report.
-Action: Read and execute `.cursor/skills/implement/SKILL.md`
+Action: Invoke `.cursor/skills/implement/SKILL.md` with task selection context **Product implementation**.
 The implement skill must run its **Product Implementation Completeness Gate** before it writes any final product implementation report. This gate compares completed product task specs, architecture/component promises, and actual source code so scaffold-only implementations cannot advance to Step 8. A final product implementation report without `_docs/03_implementation/implementation_completeness_cycle[N]_report.md` is incomplete and must not be treated as Step 7 completion.
 If `_docs/03_implementation/` has batch reports, the implement skill detects completed tasks and continues. The FINAL report filename is context-dependent — see implement skill documentation for naming convention.
 For folder fallback, **implementation task files** means task specs that are not test-only specs: exclude `*_test_infrastructure.md` and task specs whose `**Component**` or `**Epic**` identifies `Blackbox Tests`.
-For folder fallback, a **product implementation report** is any `_docs/03_implementation/implementation_report_*.md` file except `_docs/03_implementation/implementation_report_tests.md` and refactor reports.
+For folder fallback, a **product implementation report** is any `_docs/03_implementation/implementation_report_*.md` file except `_docs/03_implementation/implementation_report_tests.md` and refactor reports. It is valid for greenfield progression only when:
 - the matching `_docs/03_implementation/implementation_completeness_cycle[N]_report.md` exists,
 - that completeness report does not contain unresolved `FAIL` classifications, and
 - `_docs/02_tasks/todo/` contains no pending implementation task files.
 If a product report exists but any of those validity checks fail, treat product implementation as incomplete and stay in Step 7.
 ---
 **Step 8 — Code Testability Revision**
-Condition (folder fallback): `_docs/03_implementation/` contains a product implementation report AND `_docs/04_refactoring/01-testability-refactoring/testability_assessment.md` does not exist AND `_docs/04_refactoring/01-testability-refactoring/testability_changes_summary.md` does not exist AND `_docs/03_implementation/implementation_report_tests.md` does not exist AND `_docs/02_tasks/todo/` does not contain test task files.
+Condition (folder fallback): `_docs/03_implementation/` contains a valid product implementation report, `_docs/03_implementation/implementation_completeness_cycle[N]_report.md` exists without unresolved `FAIL` classifications, `_docs/04_refactoring/01-testability-refactoring/testability_assessment.md` does not exist, `_docs/04_refactoring/01-testability-refactoring/testability_changes_summary.md` does not exist, `_docs/03_implementation/implementation_report_tests.md` does not exist, and `_docs/02_tasks/todo/` does not contain test task files.
 State-driven: reached by auto-chain from Step 7.
 **Purpose**: verify the newly built code can be exercised by the planned tests before writing the test suite. Greenfield code should be testable by design; this step catches accidental hardcoded paths, singletons, direct external service construction, or other implementation choices that would make meaningful tests impossible.
@@ -184,7 +193,7 @@ Action: Analyze the codebase against the test specs to determine whether the cod
 ---
 **Step 9 — Decompose Tests**
-Condition (folder fallback): `_docs/02_document/tests/traceability-matrix.md` exists AND workspace contains source code files AND `_docs/03_implementation/` contains a product implementation report AND (`_docs/04_refactoring/01-testability-refactoring/testability_assessment.md` exists OR `_docs/04_refactoring/01-testability-refactoring/testability_changes_summary.md` exists) AND (`_docs/02_tasks/todo/` does not exist or has no test task files) AND `_docs/03_implementation/implementation_report_tests.md` does not exist.
+Condition (folder fallback): `_docs/02_document/tests/traceability-matrix.md` exists AND workspace contains source code files AND `_docs/03_implementation/` contains a valid product implementation report AND `_docs/03_implementation/implementation_completeness_cycle[N]_report.md` exists without unresolved `FAIL` classifications AND (`_docs/04_refactoring/01-testability-refactoring/testability_assessment.md` exists OR `_docs/04_refactoring/01-testability-refactoring/testability_changes_summary.md` exists) AND (`_docs/02_tasks/todo/` does not exist or has no test task files) AND `_docs/03_implementation/implementation_report_tests.md` does not exist.
 State-driven: reached by auto-chain from Step 8.
 Action: Read and execute `.cursor/skills/decompose/SKILL.md` in **tests-only mode** (pass `_docs/02_document/tests/` as input). The decompose skill will:
@@ -200,9 +209,9 @@ If `_docs/02_tasks/` subfolders have some task files already, the decompose skil
 Condition (folder fallback): `_docs/02_tasks/todo/` contains test task files AND `_dependencies_table.md` exists AND `_docs/03_implementation/implementation_report_tests.md` does not exist.
 State-driven: reached by auto-chain from Step 9.
-Action: Read and execute `.cursor/skills/implement/SKILL.md`
+Action: Invoke `.cursor/skills/implement/SKILL.md` with task selection context **Test implementation**.
-The implement skill reads test tasks from `_docs/02_tasks/todo/` and implements them.
+The implement skill reads only test tasks from `_docs/02_tasks/todo/` and implements them.
 If `_docs/03_implementation/` has batch reports, the implement skill detects completed test tasks and continues.
@@ -319,7 +328,7 @@ On the next invocation, Flow Resolution rule 1 reads `flow: existing-code` and r
 | UI Design (4, done or skipped) | Auto-chain → Test Spec (5) |
 | Test Spec (5) | Auto-chain → Decompose (6) |
 | Decompose (6) | **Session boundary** — suggest new conversation before Implement |
-| Implement (7) | Auto-chain → Code Testability Revision (8) |
+| Implement (7) | Auto-chain only after Product Implementation Completeness Gate passes → Code Testability Revision (8) |
 | Code Testability Revision (8) | Auto-chain → Decompose Tests (9) |
 | Decompose Tests (9) | **Session boundary** — suggest new conversation before Implement Tests |
 | Implement Tests (10) | Auto-chain → Run Tests (11) |
@@ -110,7 +110,7 @@ Before entering a step from this table for the first time in a session, verify t
 | Flow | Step | Sub-Step | Tracker Action |
 |------|------|----------|----------------|
 | greenfield | Plan | Step 6 — Epics | Create epics for each component |
-| greenfield | Decompose | Step 1 + Step 2 + Step 3 — All tasks | Create ticket per task, link to epic |
+| greenfield | Decompose | Implementation decomposition Step 1 + Step 2 — Product tasks | Create ticket per product task, link to epic |
 | greenfield | Decompose Tests | Step 1t + Step 3 — All test tasks | Create ticket per task, link to epic |
 | existing-code | Decompose Tests | Step 1t + Step 3 — All test tasks | Create ticket per task, link to epic |
 | existing-code | New Task | Step 7 — Ticket | Create ticket per task, link to epic |
@@ -2,8 +2,8 @@
 name: decompose
 description: |
  Decompose planned components into atomic implementable tasks with bootstrap structure plan.
-  4-step workflow: bootstrap structure plan, component task decomposition, blackbox test task decomposition, and cross-task verification.
+  Workflow entrypoints: implementation task decomposition, single component decomposition, and tests-only decomposition.
-  Supports full decomposition (_docs/ structure), single component mode, and tests-only mode.
+  The invoking flow decides which entrypoint to run; this skill executes that selected sequence.
  Trigger phrases:
  - "decompose", "decompose features", "feature decomposition"
  - "task decomposition", "break down components"
@@ -20,7 +20,7 @@ Decompose planned components into atomic, implementable task specs with a bootst
 ## Core Principles
- **Atomic tasks**: each task does one thing; if it exceeds 8 complexity points, split it
+- **Atomic tasks**: each task does one thing; if it exceeds 5 complexity points, split it
 - **Behavioral specs, not implementation plans**: describe what the system should do, not how to build it
 - **Flat structure**: all tasks are tracker-ID-prefixed files in TASKS_DIR — no component subdirectories
 - **Save immediately**: write artifacts to disk after each task; never accumulate unsaved work
@@ -30,14 +30,15 @@ Decompose planned components into atomic, implementable task specs with a bootst
 ## Context Resolution
-Determine the operating mode based on invocation before any other logic runs.
+Resolve the selected entrypoint from the invocation context before any other logic runs. The caller decides whether this is implementation, single component, or tests-only decomposition; this skill only executes the selected sequence.
-**Default** (no explicit input file provided):
+**Implementation task decomposition** (default; selected by flows before invoking this skill):
 - DOCUMENT_DIR: `_docs/02_document/`
 - TASKS_DIR: `_docs/02_tasks/`
 - TASKS_TODO: `_docs/02_tasks/todo/`
 - Reads from: `_docs/00_problem/`, `_docs/01_solution/`, DOCUMENT_DIR
 - Produces only implementation tasks. Blackbox/e2e test task files are produced only when the invoking flow selects tests-only decomposition.
 **Single component mode** (provided file is within `_docs/02_document/` and inside a `components/` subdirectory):
@@ -55,24 +56,24 @@ Determine the operating mode based on invocation before any other logic runs.
 - TESTS_DIR: `DOCUMENT_DIR/tests/`
 - Reads from: `_docs/00_problem/`, `_docs/01_solution/`, TESTS_DIR
-Announce the detected mode and resolved paths to the user before proceeding.
+Announce the selected entrypoint and resolved paths to the user before proceeding.
 ### Step Applicability by Mode
-| Step | File | Default | Single | Tests-only |
+| Step | File | Implementation | Single | Tests-only |
-|------|------|:-------:|:------:|:----------:|
+|------|------|:--------------:|:------:|:----------:|
 | 1 Bootstrap Structure | `steps/01_bootstrap-structure.md` | ✓ | — | — |
 | 1t Test Infrastructure | `steps/01t_test-infrastructure.md` | — | — | ✓ |
 | 1.5 Module Layout | `steps/01-5_module-layout.md` | ✓ | — | — |
 | 2 Task Decomposition | `steps/02_task-decomposition.md` | ✓ | ✓ | — |
-| 3 Blackbox Test Tasks | `steps/03_blackbox-test-decomposition.md` | ✓ | — | ✓ |
+| 3 Blackbox Test Tasks | `steps/03_blackbox-test-decomposition.md` | — | — | ✓ |
 | 4 Cross-Verification | `steps/04_cross-verification.md` | ✓ | — | ✓ |
 ## Input Specification
 ### Required Files
-**Default:**
+**Implementation task decomposition:**
 | File | Purpose |
 |------|---------|
@@ -84,7 +85,7 @@ Announce the detected mode and resolved paths to the user before proceeding.
 | `DOCUMENT_DIR/glossary.md` | Project terminology (confirmed by user in plan Phase 2a.0 or document Step 4.5). Use it to keep task names, component references, and AC wording consistent with the user's vocabulary |
 | `DOCUMENT_DIR/system-flows.md` | System flows from plan skill |
 | `DOCUMENT_DIR/components/[##]_[name]/description.md` | Component specs from plan skill |
-| `DOCUMENT_DIR/tests/` | Blackbox test specs from plan skill |
+| `DOCUMENT_DIR/tests/` | Optional product acceptance context from test-spec skill; do not create test task files from it in this entrypoint |
 **Single component mode:**
@@ -111,7 +112,7 @@ Announce the detected mode and resolved paths to the user before proceeding.
 ### Prerequisite Checks (BLOCKING)
-**Default:**
+**Implementation task decomposition:**
 1. DOCUMENT_DIR contains `architecture.md` and `components/` — **STOP if missing**
 2. Create TASKS_DIR and TASKS_TODO if they do not exist
@@ -145,6 +146,8 @@ TASKS_DIR/
 **Naming convention**: Each task file is initially saved in `TASKS_TODO/` with a temporary numeric prefix (`[##]_[short_name].md`). After creating the work item ticket, rename the file to use the work item ticket ID as prefix (`[TRACKER-ID]_[short_name].md`). For example: `todo/01_initial_structure.md` → `todo/AZ-42_initial_structure.md`.
 If tracker availability fails, follow `.cursor/rules/tracker.mdc` before continuing. Only when the user explicitly chooses `tracker: local` may the numeric prefix remain; in that mode set `Tracker: pending` and `Epic: pending` in the task header and keep the task eligible for later tracker sync.
 ### Save Timing
 | Step | Save immediately after | Filename |
@@ -166,11 +169,11 @@ If TASKS_DIR subfolders already contain task files:
 ## Progress Tracking
-At the start of execution, create a TodoWrite with all applicable steps for the detected mode (see Step Applicability table). Update status as each step/component completes.
+At the start of execution, create a TodoWrite with all applicable steps for the selected entrypoint (see Step Applicability table). Update status as each step/component completes.
 ## Workflow
-### Step 1: Bootstrap Structure Plan (default mode only)
+### Step 1: Bootstrap Structure Plan (implementation mode only)
 Read and follow `steps/01_bootstrap-structure.md`.
@@ -182,25 +185,25 @@ Read and follow `steps/01t_test-infrastructure.md`.
 ---
-### Step 1.5: Module Layout (default mode only)
+### Step 1.5: Module Layout (implementation mode only)
 Read and follow `steps/01-5_module-layout.md`.
 ---
-### Step 2: Task Decomposition (default and single component modes)
+### Step 2: Task Decomposition (implementation and single component modes)
 Read and follow `steps/02_task-decomposition.md`.
 ---
-### Step 3: Blackbox Test Task Decomposition (default and tests-only modes)
+### Step 3: Blackbox Test Task Decomposition (tests-only mode only)
 Read and follow `steps/03_blackbox-test-decomposition.md`.
 ---
-### Step 4: Cross-Task Verification (default and tests-only modes)
+### Step 4: Cross-Task Verification (implementation and tests-only modes)
 Read and follow `steps/04_cross-verification.md`.
@@ -208,7 +211,7 @@ Read and follow `steps/04_cross-verification.md`.
 - **Coding during decomposition**: this workflow produces specs, never code
 - **Over-splitting**: don't create many tasks if the component is simple — 1 task is fine
- **Tasks exceeding 8 points**: split them; no task should be too complex for a single implementer
+- **Tasks exceeding 5 points**: split them; no task should be too complex for a single implementer
 - **Cross-component tasks**: each task belongs to exactly one component
 - **Skipping BLOCKING gates**: never proceed past a BLOCKING marker without user confirmation
 - **Creating git branches**: branch creation is an implementation concern, not a decomposition one
@@ -221,7 +224,7 @@ Read and follow `steps/04_cross-verification.md`.
 | Situation | Action |
 |-----------|--------|
 | Ambiguous component boundaries | ASK user |
-| Task complexity exceeds 8 points after splitting | ASK user |
+| Task complexity exceeds 5 points after splitting | ASK user |
 | Missing component specs in DOCUMENT_DIR | ASK user |
 | Cross-component dependency conflict | ASK user |
 | Tracker epic not found for a component | ASK user for Epic ID |
@@ -233,15 +236,14 @@ Read and follow `steps/04_cross-verification.md`.
 ┌────────────────────────────────────────────────────────────────┐
 │          Task Decomposition (Multi-Mode)                        │
 ├────────────────────────────────────────────────────────────────┤
-│ CONTEXT: Resolve mode (default / single component / tests-only) │
+│ CONTEXT: Invoke the selected entrypoint (implementation / single / tests-only) │
 │                                                                 │
-│ DEFAULT MODE:                                                   │
+│ IMPLEMENTATION TASK DECOMPOSITION:                              │
 │  1.   Bootstrap Structure → steps/01_bootstrap-structure.md     │
 │       [BLOCKING: user confirms structure]                       │
 │  1.5  Module Layout       → steps/01-5_module-layout.md         │
 │       [BLOCKING: user confirms layout]                          │
 │  2.   Component Tasks     → steps/02_task-decomposition.md      │
 │  3.   Blackbox Tests      → steps/03_blackbox-test-decomposition.md │
 │  4.   Cross-Verification  → steps/04_cross-verification.md      │
 │       [BLOCKING: user confirms dependencies]                    │
 │                                                                 │
@@ -26,7 +26,7 @@ For each component (or the single provided component):
 4. Do not create tasks for other components — only tasks for the current component
 5. Each task should be atomic, containing 1 API or a list of semantically connected APIs
 6. Write each task spec using `templates/task.md`
-7. Estimate complexity per task (1, 2, 3, 5, 8 points); no task should exceed 8 points — split if it does
+7. Estimate complexity per task (1, 2, 3, 5 points); no task should exceed 5 points — split if it does
 8. Note task dependencies (referencing tracker IDs of already-created dependency tasks, e.g., `AZ-42_initial_structure`)
 9. **Cross-cutting rule**: if a concern spans ≥2 components (logging, config loading, auth/authZ, error envelope, telemetry, feature flags, i18n), create ONE shared task under the cross-cutting epic. Per-component tasks declare it as a dependency and consume it; they MUST NOT re-implement it locally. Duplicate local implementations are an `Architecture` finding (High) in code-review Phase 7 and a `Maintainability` finding in Phase 6.
 10. **Shared-models / shared-API rule**: classify the task as shared if ANY of the following is true:
@@ -46,7 +46,7 @@ For each component (or the single provided component):
 ## Self-verification (per component)
 - [ ] Every task is atomic (single concern)
- [ ] No task exceeds 8 complexity points
+- [ ] No task exceeds 5 complexity points
 - [ ] Task dependencies reference correct tracker IDs
 - [ ] Tasks cover all interfaces defined in the component spec
 - [ ] No tasks duplicate work from other components
@@ -1,4 +1,4 @@
-# Step 3: Blackbox Test Task Decomposition (default and tests-only modes)
+# Step 3: Blackbox Test Task Decomposition (tests-only mode only)
 **Role**: Professional Quality Assurance Engineer
 **Goal**: Decompose blackbox test specs into atomic, implementable task specs.
@@ -6,7 +6,6 @@
 ## Numbering
 - In default mode: continue sequential numbering from where Step 2 left off.
 - In tests-only mode: start from 02 (01 is the test infrastructure bootstrap from Step 1t).
 ## Steps
@@ -15,10 +14,9 @@
 2. Group related test scenarios into atomic tasks (e.g., one task per test category or per component under test)
 3. Each task should reference the specific test scenarios it implements and the environment/test-data specs
 4. Dependencies:
   - In default mode: blackbox test tasks depend on the component implementation tasks they exercise
   - In tests-only mode: blackbox test tasks depend on the test infrastructure bootstrap task (Step 1t)
 5. Write each task spec using `templates/task.md`
-6. Estimate complexity per task (1, 2, 3, 5, 8 points); no task should exceed 8 points — split if it does
+6. Estimate complexity per task (1, 2, 3, 5 points); no task should exceed 5 points — split if it does
 7. Note task dependencies (referencing tracker IDs of already-created dependency tasks)
 8. **Immediately after writing each task file**: create a work item ticket under the "Blackbox Tests" epic, write the work item ticket ID and Epic ID back into the task header, then rename the file from `todo/[##]_[short_name].md` to `todo/[TRACKER-ID]_[short_name].md`.
@@ -26,8 +24,8 @@
 - [ ] Every scenario from `tests/blackbox-tests.md` is covered by a task
 - [ ] Every scenario from `tests/performance-tests.md`, `tests/resilience-tests.md`, `tests/security-tests.md`, and `tests/resource-limit-tests.md` is covered by a task
- [ ] No task exceeds 8 complexity points
+- [ ] No task exceeds 5 complexity points
- [ ] Dependencies correctly reference the dependency tasks (component tasks in default mode, test infrastructure in tests-only mode)
+- [ ] Dependencies correctly reference the test infrastructure task
 - [ ] Every task has a work item ticket linked to the "Blackbox Tests" epic
 ## Save action
@@ -1,4 +1,4 @@
-# Step 4: Cross-Task Verification (default and tests-only modes)
+# Step 4: Cross-Task Verification (implementation and tests-only modes)
 **Role**: Professional software architect and analyst
 **Goal**: Verify task consistency and produce `_dependencies_table.md`.
@@ -8,7 +8,7 @@
 1. Verify task dependencies across all tasks are consistent
 2. Check no gaps:
-   - In default mode: every interface in `architecture.md` has tasks covering it
+   - In implementation mode: every product interface in `architecture.md` has implementation task coverage
   - In tests-only mode: every test scenario in `traceability-matrix.md` is covered by a task
 3. Check no overlaps: tasks don't duplicate work
 4. Check no circular dependencies in the task graph
@@ -16,9 +16,9 @@
 ## Self-verification
-### Default mode
+### Implementation mode
- [ ] Every architecture interface is covered by at least one task
+- [ ] Every product interface in `architecture.md` is covered by at least one implementation task
 - [ ] No circular dependencies in the task graph
 - [ ] Cross-component dependencies are explicitly noted in affected task specs
 - [ ] `_dependencies_table.md` contains every task with correct dependencies
@@ -28,4 +28,4 @@ Use this template after cross-task verification. Save as `TASKS_DIR/_dependencie
 - Dependencies column lists tracker IDs (e.g., "AZ-43, AZ-44") or "None"
 - No circular dependencies allowed
 - Tasks should be listed in recommended execution order
- The `/implement` skill reads this table to compute parallel batches
+- The `/implement` skill reads this table to compute dependency-aware batches; task execution remains sequential
@@ -11,7 +11,7 @@ Save as `TASKS_DIR/[##]_[short_name].md` initially, then rename to `TASKS_DIR/[T
 **Task**: [TRACKER-ID]_[short_name]
 **Name**: [short human name]
 **Description**: [one-line description of what this task delivers]
-**Complexity**: [1|2|3|5|8] points
+**Complexity**: [1|2|3|5] points
 **Dependencies**: [AZ-43_shared_models, AZ-44_db_migrations] or "None"
 **Component**: [component name for context]
 **Tracker**: [TASK-ID]
@@ -102,8 +102,7 @@ Consumers MUST read that file — not this task spec — to discover the interfa
 - 2 points: Non-trivial, low complexity, minimal coordination
 - 3 points: Multi-step, moderate complexity, potential alignment needed
 - 5 points: Difficult, interconnected logic, medium-high risk
- 8 points: High difficulty, high ambiguity or coordination, multiple components
+- 8+ points: Too complex — split into smaller tasks
 - 13 points: Too complex — split into smaller tasks
 ## Output Guidelines
@@ -25,6 +25,7 @@ For each task the main agent receives a task spec, analyzes the codebase, implem
 - **Dependency-aware ordering**: tasks run only when all their dependencies are satisfied
 - **Batching for review, not parallelism**: tasks are grouped into batches so `/code-review` and commits operate on a coherent unit of work — all tasks inside a batch are still implemented one after the other
 - **Integrated review**: `/code-review` skill runs automatically after each batch
 - **Completeness before testing**: product implementation is not done until code is checked against task outcomes, included scope, architecture/component promises, and unresolved scaffold/native placeholders — not just task AC tests
 - **Auto-start**: batches start immediately — no user confirmation before a batch
 - **Gate on failure**: user confirmation is required only when code review returns FAIL
 - **Commit per batch**: after each batch is confirmed, commit. Ask the user whether to push to remote unless the user previously opted into auto-push for this session.
@@ -32,9 +33,26 @@ For each task the main agent receives a task spec, analyzes the codebase, implem
 ## Context Resolution
 - TASKS_DIR: `_docs/02_tasks/`
- Task files: all `*.md` files in `TASKS_DIR/todo/` (excluding files starting with `_`)
+- Task files: selected `*.md` files in `TASKS_DIR/todo/` (excluding files starting with `_`)
 - Dependency table: `TASKS_DIR/_dependencies_table.md`
 ### Task Selection Context
 The invoking flow decides which task category this run should execute. The implement skill must honor that selected context instead of consuming every file in `todo/`.
 | Context | Selected task files |
 |---------|---------------------|
 | Product implementation | Task specs that are not test-only and not refactoring specs |
 | Test implementation | `*_test_infrastructure.md` plus task specs whose `Component` or `Epic` identifies `Blackbox Tests` |
 | Refactoring | Task specs whose filename or task ID includes `_refactor_` |
 If no explicit context is provided, infer it from the active autodev step:
 - greenfield Step 7 or existing-code Step 10 → Product implementation
 - greenfield Step 10 or existing-code Step 6 → Test implementation
 - refactor Phase 4 → Refactoring
 Unselected task files remain in `TASKS_DIR/todo/` for their later flow step.
 ### Task Lifecycle Folders
 ```
@@ -47,7 +65,7 @@ TASKS_DIR/
 ## Prerequisite Checks (BLOCKING)
-1. `TASKS_DIR/todo/` exists and contains at least one task file — **STOP if missing**
+1. `TASKS_DIR/todo/` exists and contains at least one task file for the selected context — **STOP if missing**
 2. `_dependencies_table.md` exists — **STOP if missing**
 3. At least one task is not yet completed — **STOP if all done**
 4. **Working tree is clean** — run `git status --porcelain`; the output must be empty.
@@ -62,9 +80,9 @@ TASKS_DIR/
 ### 1. Parse
- Read all task `*.md` files from `TASKS_DIR/todo/` (excluding files starting with `_`)
+- Read selected task `*.md` files from `TASKS_DIR/todo/` (excluding files starting with `_`)
 - Read `_dependencies_table.md` — parse into a dependency graph (DAG)
- Validate: no circular dependencies, all referenced dependencies exist
+- Validate: no circular dependencies in the selected task graph, all referenced selected-task dependencies exist or are already completed in `TASKS_DIR/done/`
 ### 2. Detect Progress
@@ -102,7 +120,7 @@ If `_docs/02_document/module-layout.md` is missing or the component is not found
 ### 5. Update Tracker Status → In Progress
-For each task in the batch, transition its ticket status to **In Progress** via the configured work item tracker (see `protocols.md` for tracker detection) before starting work. If `tracker: local`, skip this step.
+For each task in the batch, transition its ticket status to **In Progress** via the configured work item tracker (see `protocols.md` for tracker detection) before starting work. If `tracker: local`, skip this step. If a tracker operation fails unexpectedly, follow `.cursor/rules/tracker.mdc`.
 ### 6. Implement Tasks Sequentially
@@ -188,12 +206,14 @@ Track `auto_fix_attempts` and `escalated_findings` in the batch report for retro
 ### 12. Update Tracker Status → In Testing
-After the batch is committed and pushed, transition the ticket status of each task in the batch to **In Testing** via the configured work item tracker. If `tracker: local`, skip this step.
+After the batch is committed (and pushed if the user approved pushing), transition the ticket status of each task in the batch to **In Testing** via the configured work item tracker. If `tracker: local`, skip this step. If a tracker operation fails unexpectedly, follow `.cursor/rules/tracker.mdc`.
 ### 13. Archive Completed Tasks
 Move each completed task file from `TASKS_DIR/todo/` to `TASKS_DIR/done/`.
 For product implementation, this archive means "batch implementation accepted." The Product Implementation Completeness Gate can still require follow-up remediation tasks before the feature is complete; it does not move original task files back to `todo/`.
 ### 14. Loop
 - Go back to step 2 until all tasks in `todo/` are done
@@ -215,16 +235,70 @@ Move each completed task file from `TASKS_DIR/todo/` to `TASKS_DIR/done/`.
 - **Interaction with Auto-Fix Gate**: Architecture findings (new category from code-review Phase 7) always escalate per the implement auto-fix matrix; they cannot silently auto-fix
 - **Resumability**: if interrupted, the next invocation checks for the latest `cumulative_review_batches_*.md` and computes the changed-file set from batch reports produced after that review
-### 15. Final Test Run
+### 15. Product Implementation Completeness Gate
- After all batches are complete, run the full test suite once
+Run this gate after all **product implementation** tasks are complete and before writing any final product implementation report or allowing autodev to proceed to testability/test decomposition. Skip this gate only when the remaining context is explicitly test implementation or refactoring, as determined by the task files and report filename rules.
- Read and execute `.cursor/skills/test-run/SKILL.md` (detect runner, run suite, diagnose failures, present blocking choices)
+
- Test failures are a **blocking gate** — do not proceed until the test-run skill completes with a user decision
+**Goal**: catch the failure mode where narrow tests validate scaffold behavior while the task's actual outcome, included scope, architecture promise, or named integration remains unimplemented.
- When tests pass, report final summary
+
 Inputs:
 - Completed product task specs from `_docs/02_tasks/done/` for the current cycle
 - `_docs/02_document/architecture.md`
 - `_docs/02_document/system-flows.md`
 - Relevant `_docs/02_document/components/*/description.md` files
 - Current source code under each completed task's ownership envelope
 - Batch reports and code-review reports for the current cycle
 For each completed product task:
 1. Read these sections from the task spec: `Description`, `Outcome`, `Scope / Included`, `Acceptance Criteria`, `Non-Functional Requirements`, `Constraints`, and explicit named technologies or integrations.
 2. Compare those promises against actual source code, not only tests or report prose.
 3. Search the task's owned component files for unresolved implementation markers: `placeholder`, `stub`, `reserved`, `TODO`, `NotImplemented`, `pass`, `deterministic`, `fake`, `mock`, `scaffold`, `native bridge`, and empty native/readme-only integration directories. Ignore test fixtures/mocks only when they are under test-owned paths and not used as production behavior.
 4. Verify that each named runtime dependency in the task promise is either integrated behind the approved boundary or explicitly documented as a blocked prerequisite in the task/report. Examples: if a task promises FAISS, DINOv2, BASALT, LightGlue, OpenCV, RANSAC, a database, cloud service, or hardware SDK, the production code must contain that integration boundary; a deterministic fallback alone is not complete.
 5. Verify tests exercise the real implementation path where local prerequisites exist. Environment-gated tests may skip only with an explicit prerequisite reason; they do not make missing production code complete.
 6. Classify each task:
   - **PASS**: task promises are implemented or explicitly out of scope in the task itself.
   - **BLOCKED**: production code exists but cannot be fully verified due to external hardware/data/license/runtime prerequisites; the blocker is explicit and tests report blocked/skipped with reason.
   - **FAIL**: promised production behavior is missing, only scaffolded, or only represented in tests/reports.
 Save the audit to `_docs/03_implementation/implementation_completeness_cycle[N]_report.md` with:
 - Per-task classification
 - Evidence files/symbols checked
 - Any unresolved scaffold/native placeholders
 - Any named promised technologies not integrated
 - Required remediation task suggestions, each sized to 5 points or less
 Gate:
 - If every product task is `PASS` or `BLOCKED` with explicit prerequisite evidence, continue to Final Test Run.
 - If any product task is `FAIL`, STOP. Do not write the final product implementation report and do not proceed to any downstream autodev step. Completed original task files remain in `done/`; the missing work is represented by remediation tasks. Present a Choose block:
  - A) Create remediation tasks now and return to implementation
  - B) Mark the missing behavior explicitly out of scope in task/docs, then re-run this gate
  - C) Abort for manual correction
 - Recommendation must normally be A unless the user deliberately accepts reduced scope.
 Remediation task creation:
 1. For each `FAIL`, create one or more task specs using `.cursor/skills/decompose/templates/task.md`; each remediation task must be sized at 5 points or less.
 2. Save each task to `_docs/02_tasks/todo/` with a short name prefixed by `remediate_`.
 3. Set **Component** to the failed task's component and set **Dependencies** to the failed task ID plus any remediation prerequisites.
 4. Create or defer tracker tickets using the same tracker rules as decompose/new-task: if tracker is available, create tickets immediately; if the user explicitly chose `tracker: local`, keep numeric prefixes with `Tracker: pending` / `Epic: pending`.
 5. Append the remediation tasks to `_docs/02_tasks/_dependencies_table.md`.
 6. Return to Step 1 (Parse) in **Product implementation** context. The final product implementation report can be written only after remediation tasks complete and this gate reruns without `FAIL`.
 ### 16. Final Test Run
 - After all batches are complete, run the full test suite once unless the invoking flow's immediate next step is `Run Tests`.
 - If the next flow step is `Run Tests`, record a handoff in the final implementation report and let `.cursor/skills/test-run/SKILL.md` own the full-suite gate to avoid duplicate full runs.
 - When this step does run, read and execute `.cursor/skills/test-run/SKILL.md` (detect runner, run suite, diagnose failures, present blocking choices).
 - Test failures are a **blocking gate** — do not proceed until the test-run skill completes with a user decision.
 - When tests pass, report final summary.
 ## Batch Report Persistence
-After each batch completes, save the batch report to `_docs/03_implementation/batch_[NN]_cycle[N]_report.md` for feature implementation (or `batch_[NN]_report.md` for test/refactor runs). Create the directory if it doesn't exist. When all tasks are complete, produce a FINAL implementation report with a summary of all batches. The filename depends on context:
+After each batch completes, save the batch report to `_docs/03_implementation/batch_[NN]_cycle[N]_report.md` for feature implementation (or `batch_[NN]_report.md` for test/refactor runs). Create the directory if it doesn't exist. For product implementation, produce the FINAL implementation report only after the Product Implementation Completeness Gate passes. For test and refactor implementation, produce the FINAL report after all selected tasks complete and the full-suite gate is either run or handed off per Step 16. The filename depends on context:
 - **Test implementation** (tasks from test decomposition): `_docs/03_implementation/implementation_report_tests.md`
 - **Feature implementation**: `_docs/03_implementation/implementation_report_{feature_slug}_cycle{N}.md` where `{feature_slug}` is derived from the batch task names (e.g., `implementation_report_core_api_cycle2.md`) and `{N}` is the current `state.cycle` from `_docs/_autodev_state.md`. If `state.cycle` is absent (pre-migration), default to `cycle1`.
@@ -266,6 +340,7 @@ After each batch, produce a structured report:
 | Same task rewritten 3+ times without green tests | Mark Blocked, continue batch, escalate at batch end |
 | Task blocked on external dependency (not in task list) | Report and skip |
 | File ownership violated (task wrote outside OWNED) | ASK user |
 | Product completeness gate finds missing promised implementation | STOP — create remediation tasks or get explicit user scope reduction |
 | Test failure after final test run | Delegate to test-run skill — blocking gate |
 | All tasks complete | Report final summary, suggest final commit |
 | `_dependencies_table.md` missing | STOP — run `/decompose` first |
@@ -283,4 +358,5 @@ Each batch commit serves as a rollback checkpoint. If recovery is needed:
 - Never start a task whose dependencies are not yet completed
 - Never run tasks in parallel and never spawn subagents — see `.cursor/rules/no-subagents.mdc`
 - If a task is flagged as stuck, stop working on it and report — do not let it loop indefinitely
- Always run the full test suite after all batches complete (step 15)
+- Always run the Product Implementation Completeness Gate before final product reports
 - Always run or hand off the full test suite after all batches complete (step 16)
@@ -282,7 +282,7 @@ Present using the Choose format for each decision that has meaningful alternativ
   - Update **Epic** field: `[EPIC-ID]`
 3. Rename the file from `[##]_[short_name].md` to `[TICKET-ID]_[short_name].md`
-If the work item tracker is not authenticated or unavailable (`tracker: local`):
+If the work item tracker is not authenticated or unavailable, follow `.cursor/rules/tracker.mdc` before continuing. Only if the user explicitly chooses `tracker: local`:
 - Keep the numeric prefix
 - Set **Tracker** to `pending`
 - Set **Epic** to `pending`
@@ -337,7 +337,7 @@ After the user chooses **Done**:
 | Research skill hits a blocker | Follow research skill's own escalation rules |
 | Codebase analysis reveals conflicting architectures | **ASK** user which pattern to follow |
 | Complexity exceeds 5 points | **WARN** user and suggest splitting into multiple tasks |
-| Work item tracker MCP unavailable | **WARN**, continue with local-only task files |
+| Work item tracker MCP unavailable | Follow `.cursor/rules/tracker.mdc`; do not continue in local mode unless the user explicitly chooses it |
 ## Trigger Conditions
@@ -58,4 +58,4 @@ Do NOT create minimal epics with just a summary and short description. The epic
 8. **Create "Blackbox Tests" epic** — this epic will parent the blackbox test tasks created by the `/decompose` skill. It covers implementing the test scenarios defined in `tests/`.
-**Save action**: Epics created via the configured tracker MCP. Also saved locally in `epics.md` with ticket IDs. If `tracker: local`, save locally only.
+**Save action**: Epics created via the configured tracker MCP. Also saved locally in `epics.md` with ticket IDs. If tracker availability fails, follow `.cursor/rules/tracker.mdc`; only if the user explicitly chooses `tracker: local`, save locally only with pending tracker markers.
@@ -133,4 +133,4 @@ Link to architecture.md and relevant component spec.]
  - `component` — a normal per-component epic
  - `cross-cutting` — a shared concern that spans ≥2 components
  - `tests` — the blackbox-tests epic (always exactly one)
- Complexity points for child issues follow the project standard: 1, 2, 3, 5, 8. Do not create issues above 5 points — split them.
+- Complexity points for child issues follow the project standard: 1, 2, 3, 5. Do not create issues above 5 points — split them.
@@ -59,7 +59,7 @@ Create REFACTOR_DIR and RUN_DIR if missing. If a RUN_DIR with the same name alre
 Both modes produce `RUN_DIR/list-of-changes.md` (template: `templates/list-of-changes.md`). Both modes then convert that file into task files in TASKS_DIR during Phase 2.
-**Guided mode cleanup**: after `RUN_DIR/list-of-changes.md` is created from the input file, delete the original input file to avoid duplication.
+**Guided mode cleanup**: after `RUN_DIR/list-of-changes.md` is created from the input file, delete the original input file only if it lives outside `RUN_DIR`. If the provided file is already the canonical `RUN_DIR/list-of-changes.md`, keep it as the audit record.
 ## Workflow
@@ -81,10 +81,10 @@ Both modes produce `RUN_DIR/list-of-changes.md` (template: `templates/list-of-ch
 - "refactor [specific target]" → skip phase 1 if docs exist
 - Default → all phases
-**Testability-run specifics** (guided mode invoked by autodev existing-code flow Step 4):
+**Testability-run specifics** (guided mode invoked by autodev existing-code Step 4 or greenfield Step 8):
 - Run name is `01-testability-refactoring`.
 - Phase 3 (Safety Net) is skipped by design — no tests exist yet. Compensating control: the `list-of-changes.md` gate in Phase 1 must be reviewed and approved by the user before Phase 4 runs.
- Scope is MINIMAL and surgical; reject change entries that drift into full refactor territory (see existing-code flow Step 4 for allowed/disallowed lists). Flagged entries go to `RUN_DIR/deferred_to_refactor.md` for Step 8 (optional full refactor) consideration.
+- Scope is MINIMAL and surgical; reject change entries that drift into full refactor territory (see the invoking flow's testability step for allowed/disallowed lists). Flagged entries go to `RUN_DIR/deferred_to_refactor.md` for the next optional full-refactor step or backlog consideration.
 - After Phase 4 (Execution) completes, write `RUN_DIR/testability_changes_summary.md` as Phase 4.5. Format: one bullet per applied change.
  ```markdown
  # Testability Changes Summary ({{run_name}})
@@ -74,7 +74,7 @@ Create a work item tracker epic for this refactoring run:
 1. Epic name: the RUN_DIR name (e.g., `01-testability-refactoring`)
 2. Create the epic via configured tracker MCP
 3. Record the Epic ID — all tasks in 2d will be linked under this epic
-4. If tracker unavailable, use `PENDING` placeholder and note for later
+4. If tracker is unavailable, follow `.cursor/rules/tracker.mdc`; only use `PENDING` placeholders if the user explicitly chooses `tracker: local`
 ## 2d. Task Decomposition
@@ -10,7 +10,7 @@
   - All `[TRACKER-ID]_refactor_*.md` files are present
   - Each task file has valid header fields (Task, Name, Description, Complexity, Dependencies)
 2. Verify `TASKS_DIR/_dependencies_table.md` includes the refactoring tasks
-3. Verify all tests pass (safety net from Phase 3 is green)
+3. Verify all tests pass (safety net from Phase 3 is green), unless this is a testability run where Phase 3 was intentionally skipped
 4. If any check fails, go back to the relevant phase to fix
 ## 4b. Delegate to Implement Skill
@@ -23,7 +23,7 @@ The implement skill will:
 3. Compute execution batches for the refactoring tasks
 4. Implement tasks sequentially in topological order (no subagents, no parallelism)
 5. Run code review after each batch
-6. Commit and push per batch
+6. Commit per batch and push only when the user approved pushing
 7. Update work item ticket status
 Do NOT modify, skip, or abbreviate any part of the implement skill's workflow. The refactor skill is delegating execution, not optimizing it.
@@ -47,7 +47,7 @@ After the implement skill completes:
 For each successfully completed refactoring task:
 1. Transition the work item ticket status to **Done** via the configured tracker MCP
-2. If tracker unavailable, note the pending status transitions in `RUN_DIR/execution_log.md`
+2. If tracker is unavailable, follow `.cursor/rules/tracker.mdc`; if the user explicitly chose `tracker: local`, note the pending status transitions in `RUN_DIR/execution_log.md`
 For any failed or blocked tasks, leave their status as-is (the implement skill already set them to In Testing or blocked).
@@ -22,7 +22,7 @@ test-run has two modes. The caller passes the mode explicitly; if missing, defau
 | Mode | Scope | Typical caller | Input artifacts |
 |------|-------|---------------|-----------------|
 | `functional` (default) | Unit / integration / blackbox tests — correctness | autodev Steps that verify after Implement Tests or Implement | `scripts/run-tests.sh`, `_docs/02_document/tests/environment.md`, `_docs/02_document/tests/blackbox-tests.md` |
-| `perf` | Performance / load / stress / soak tests — latency, throughput, error-rate thresholds | autodev greenfield Step 9, existing-code Step 15 (pre-deploy) | `scripts/run-performance-tests.sh`, `_docs/02_document/tests/performance-tests.md`, AC thresholds in `_docs/00_problem/acceptance_criteria.md` |
+| `perf` | Performance / load / stress / soak tests — latency, throughput, error-rate thresholds | autodev greenfield Step 15, existing-code Step 15 (pre-deploy) | `scripts/run-performance-tests.sh`, `_docs/02_document/tests/performance-tests.md`, AC thresholds in `_docs/00_problem/acceptance_criteria.md` |
 Direct user invocation (`/test-run`) defaults to `functional`. If the user says "perf tests", "load test", "performance", or passes a performance scenarios file, run `perf` mode.
@@ -95,7 +95,7 @@ Examples:
 File: `expected_results/image_01_detections.json`
-```json
+```json
 {
  "input": "image_01.jpg",
  "expected": {
@@ -119,7 +119,7 @@ File: `expected_results/image_01_detections.json`
    ]
  }
 }
-```
+```
 ```
 ---
@@ -0,0 +1,27 @@
 .git
 .github
 .cursor
 _docs
 .venv
 __pycache__
 .pytest_cache
 .ruff_cache
 .mypy_cache
 .env
 .env.*
 *.pem
 *.key
 *.secret
 data/input/*
 data/cache/*
 data/fdr/*
 data/test-results/*
 *.tlog
 *.ulg
 *.bag
 *.mcap
 *.cbor
 *.parquet
 *.mp4
 *.mov
 *.avi
@@ -0,0 +1,10 @@
 GPSD_ENV=development
 GPSD_CONFIG_DIR=./config/development
 GPSD_CACHE_DIR=./data/cache
 GPSD_FDR_DIR=./data/fdr
 GPSD_DATABASE_URL=postgresql://gpsd:gpsd@localhost:5432/gpsd
 GPSD_MAVLINK_URL=udp:127.0.0.1:14550
 GPSD_CAMERA_SOURCE=./data/input
 GPSD_SIGNING_KEY_REF=test-key-ref
 GPSD_MAX_FDR_BYTES=104857600
 GPSD_LOG_LEVEL=info
@@ -0,0 +1,43 @@
 name: CI
 on:
  pull_request:
  push:
    branches:
      - dev
 jobs:
  python-quality:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.10"
      - name: Install
        run: |
          python -m pip install --upgrade pip
          python -m pip install -e ".[dev]"
      - name: Format check
        run: python -m black --check src tests
      - name: Lint
        run: python -m ruff check src tests
      - name: Unit tests
        run: python -m pytest tests/unit
  replay-compose-smoke:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Validate compose files
        run: |
          docker compose -f docker-compose.yml config
          docker compose -f docker-compose.test.yml config
      - name: Collect artifact placeholders
        run: mkdir -p data/test-results e2e/reports
      - uses: actions/upload-artifact@v4
        with:
          name: replay-evidence-placeholders
          path: |
            data/test-results
            e2e/reports
@@ -1 +1,42 @@
 .DS_Store
 .venv/
 __pycache__/
 *.py[cod]
 .pytest_cache/
 .ruff_cache/
 .mypy_cache/
 .coverage
 htmlcov/
 *.egg-info/
 .env
 .env.*
 !.env.example
 *.pem
 *.key
 *.secret
 data/input/*
 data/cache/*
 data/fdr/*
 data/test-results/*
 data/expected/*
 !data/input/.gitkeep
 !data/cache/.gitkeep
 !data/fdr/.gitkeep
 !data/test-results/.gitkeep
 !data/expected/.gitkeep
 *.tlog
 *.ulg
 *.bag
 *.mcap
 *.cbor
 *.parquet
 *.mp4
 *.mov
 *.avi
 *.jpg
 *.jpeg
 *.png
 !_docs/00_problem/input_data/**
@@ -0,0 +1,22 @@
 # GPS-Denied Onboard Runtime
 Scaffold for the Jetson-hosted GPS-denied localization runtime, replay harness, and
 deployment evidence paths.
 The project uses a Python `src/` layout for orchestration code. Native bridge
 placeholders live inside the owning component folders rather than in a shared
 native tree.
 Generated mission data, FDR payloads, cache payloads, and raw frame dumps are kept
 out of git unless they are explicitly curated test fixtures.
 ## Local Development
 ```bash
 python3 -m venv .venv
 source .venv/bin/activate
 python -m pip install -e ".[dev]"
 python -m pytest
 ```
 Local replay infrastructure is described in `docker-compose.yml`; CI and black-box
 test infrastructure are described in `docker-compose.test.yml`.
@@ -2,9 +2,9 @@
 ## Scope
-`coordinates.csv` is the current source of truth for the provided nadir image set. It gives expected WGS84 frame-center coordinates for `AD000001.jpg` through `AD000060.jpg`.
+`coordinates.csv` is the current source of truth for the provided still-image nadir set. It gives expected WGS84 frame-center coordinates for `AD000001.jpg` through `AD000060.jpg`.
-This data is sufficient for black-box frame-center geolocation tests against still images. It is not sufficient for final BASALT VIO, IMU-fusion, blackout, spoofing, or flight-controller tests because synchronized IMU/attitude/airspeed/altitude and ground-truth trajectory are not present in this sample set.
+This data is sufficient for black-box frame-center geolocation tests against still images. The Derkachi representative fixture in `input_data/flight_derkachi/` adds cropped nadir video plus synchronized `SCALED_IMU2` and `GLOBAL_POSITION_INT` telemetry. It is sufficient for fixture validation, video/telemetry synchronization, replay, latency, VIO smoke tests, and trajectory comparison against the tlog GPS path. It is not sufficient by itself for final production accuracy because raw camera calibration, lens distortion, and exact camera-to-body calibration are still pending.
 ## Pass / Fail Rules
@@ -15,6 +15,8 @@ This data is sufficient for black-box frame-center geolocation tests against sti
 ## Input To Expected Output Map
 ### Still-Image Frame Centers
 | Input image | Expected latitude | Expected longitude | Primary threshold | Stretch threshold |
 |-------------|-------------------|--------------------|-------------------|-------------------|
 | AD000001.jpg | 48.275292 | 37.385220 | <= 50 m | <= 20 m |
@@ -78,9 +80,18 @@ This data is sufficient for black-box frame-center geolocation tests against sti
 | AD000059.jpg | 48.255481 | 37.356501 | <= 50 m | <= 20 m |
 | AD000060.jpg | 48.256246 | 37.357485 | <= 50 m | <= 20 m |
 ### Representative Derkachi Video/IMU Fixture
 | Input fixture | Expected validation result | Threshold |
 |---------------|----------------------------|-----------|
 | `flight_derkachi/data_imu.csv` | Telemetry CSV has required `timestamp(ms)`, `Time`, `SCALED_IMU2.*`, and `GLOBAL_POSITION_INT.*` columns; non-empty rows are monotonic from `Time=0.0` to `489.9` | 0 missing required columns; 0 decreasing timestamps; 4,900 nonblank rows |
 | `flight_derkachi/flight_derkachi.mp4` | Video stream is readable as cropped nadir footage for replay | H.264, 880 x 720, 30 fps, approximately 490.07 s |
 | Video/telemetry alignment | Video has 14,700 frames and telemetry has 4,900 rows | Exactly 3 video frames per telemetry row; duration delta <=250 ms |
 | Derkachi trajectory comparison | Replay output can be compared to `GLOBAL_POSITION_INT.lat`, `GLOBAL_POSITION_INT.lon`, `GLOBAL_POSITION_INT.alt`, `GLOBAL_POSITION_INT.relative_alt`, velocity, and heading | Thresholds are calibration-gated; use for smoke/relative trajectory validation until intrinsics and camera-to-body calibration are pinned |
 ## Known Gaps
- No synchronized IMU, attitude, airspeed, altitude, or timestamp stream is present for these images.
+- The still-image set has expected WGS84 centers but no synchronized IMU, attitude, airspeed, altitude, or timestamp stream.
- No ground-truth trajectory exists beyond per-image center coordinates.
+- The Derkachi fixture has synchronized video, IMU, and GPS trajectory, but no raw camera calibration, lens distortion, exact camera-to-body transform, attitude, or airspeed columns.
- The sample cadence is slower than the target 3 fps runtime profile.
+- The still-image sample cadence is slower than the target 3 fps runtime profile; the Derkachi video is 30 fps and must be sampled to target replay cadence for runtime tests.
- Final acceptance requires additional public and representative datasets with synchronized camera/IMU/ground truth.
+- Final production acceptance requires camera calibration and representative datasets with synchronized camera/IMU plus ground-truth trajectory.
@@ -0,0 +1,14 @@
 # Derkachi Representative Flight Fixture
 ## Files
 | File | Description | Observed Metadata |
 |------|-------------|-------------------|
 | `flight_derkachi.mp4` | Cropped nadir flight footage for replay | H.264, 880 x 720, 30 fps, about 490.07 s |
 | `data_imu.csv` | Flight-controller telemetry trace exported from the tlog | 4,900 rows at 10 Hz from `Time=0.0` to `489.9`; includes `SCALED_IMU2` and `GLOBAL_POSITION_INT` trajectory fields |
 ## Test Use
 Use this fixture for video/telemetry synchronization checks, representative replay smoke tests, VIO hot-path latency, frame-drop accounting, and trajectory comparison against `GLOBAL_POSITION_INT`. The video and telemetry align at exactly three video frames per telemetry row. Camera intrinsics, lens distortion, raw camera resolution, and exact camera-to-body calibration are still unknown, so this fixture is not sufficient by itself for final production camera calibration or satellite-anchor accuracy claims.
 For the test recording, the rotating camera was mechanically fixed in a downward/nadir orientation. Treat the MP4 as a cleaned/cropped replay fixture rather than the raw camera feed.
@@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:9acb97042fc648301d73d3c0fe7d80f7e3e2697000c0d33afa8a7b7a74a20005
 size 282207328
@@ -1,2 +1,2 @@
 We have a wing-type UAV with a fixed downward navigation camera that can take photos 3 times per second. The authoritative navigation-camera spec is defined in `restrictions.md` as the ADTi 20MP 20L V1, APS-C sensor, about 5472 x 3648 px; older higher-resolution references are superseded. Also plane has flight controller with IMU. During the plane flight, we know GPS coordinates initially. During the flight, GPS could be disabled or spoofed. We need to determine the GPS of the centers of the next frame from the camera. And also the coordinates of the center of any object in these photos. We can use an external satellite provider for ground checks on the existing photos. So, before the flight, UAV's operator should upload the satellite photos to the plane's companion PC. 
-The real world examples are in input_data folder, but the distance between each photo is way bigger than it will be from a real plane. On that particular example photos were taken 1 photo per 2-3 seconds. But in real-world scenario frames would appear within the interval no more than 500ms. We also don't have IMU data for the test. For now we have to search for the public data for that in internet. We've tried to record that with Mavic 3 Pro Mini, but failed, cause of the closed system if DJI.
+The real world examples are in input_data folder, but the original still-image set has a much larger distance between photos than the target aircraft will have. On that particular example photos were taken 1 photo per 2-3 seconds. But in real-world scenario frames would appear within the interval no more than 500ms. Additional representative data is available in `input_data/flight_derkachi/`: cropped nadir flight footage plus synchronized `SCALED_IMU2` and `GLOBAL_POSITION_INT` telemetry. This supports video/telemetry synchronization, replay, latency, VIO smoke tests, and trajectory comparison against the tlog GPS path. Camera intrinsics, lens distortion, raw camera feed parameters, and exact camera-to-body calibration are still pending, so final production accuracy claims remain gated on calibration data or a separately surveyed representative dataset.
@@ -46,7 +46,7 @@
 ## Sensors & Integration
 - High-rate **IMU** data is available from the flight controller via MAVLink.
- The provided sample imagery does **not** include synchronized IMU or ground-truth pose. Prototype validation may use public datasets or synthetic IMU injection, but final acceptance claims require synchronized navigation-camera frames, FC IMU/attitude/airspeed/altitude, emitted MAVLink messages, and ground-truth trajectory from a representative flight or replay rig.
+- The original still-image sample does **not** include synchronized IMU or ground-truth pose. The Derkachi representative fixture adds cropped nadir video plus synchronized `SCALED_IMU2` and `GLOBAL_POSITION_INT` telemetry, which is enough for replay, synchronization, latency, VIO smoke tests, and trajectory comparison against the tlog GPS path. Final production acceptance still requires camera intrinsics, lens distortion, exact camera-to-body calibration, and representative synchronized navigation-camera frames, FC IMU/attitude/airspeed/altitude, emitted MAVLink messages, and ground-truth trajectory from a representative flight or replay rig.
 - The system communicates with the flight controller via MAVLink. Telemetry plumbing uses **MAVSDK**; the `GPS_INPUT` injection path is implemented via **pymavlink**, since MAVSDK does not expose a native `GPS_INPUT` API.
 - **Autopilot target: ArduPilot only** (with `GPS1_TYPE=14` for MAVLink GPS injection). PX4 is out of scope for the build; if it ever returns to scope it will use `VISION_POSITION_ESTIMATE`, not `GPS_INPUT`. (See `_docs/00_research/00_ac_assessment.md` Q-1.)
 - The system outputs WGS84 GPS coordinates to the flight controller as a replacement for the real GPS module (MAVLink GPS_INPUT, AC-4.3).
@@ -25,7 +25,7 @@
 | Constraint Area | Binding Constraint |
 |-----------------|-------------------|
 | Camera | ADTi 20MP 20L V1, APS-C, ~5472 x 3648, fixed nadir, no gimbal stabilization. |
-| Sensors | FC IMU/attitude/airspeed/altitude available over MAVLink; sample data lacks synchronized IMU. |
+| Sensors | FC IMU/attitude/airspeed/altitude available over MAVLink; original still-image sample lacks synchronized IMU, while Derkachi replay data now provides synchronized IMU and `GLOBAL_POSITION_INT` trajectory. |
 | Reference imagery | Offline cache only, 0.5 m/px minimum and 0.3 m/px ideal, freshness gates, no in-flight provider fetch. |
 | Runtime | Jetson Orin Nano Super, CUDA/TensorRT available, 25 W thermal envelope. |
 | Autopilot | ArduPilot only, v1 emits `GPS_INPUT` only; ODOMETRY intentionally disabled. |
@@ -21,7 +21,7 @@ Image quality + calibration + orthorectification
        +--> Tile path: new COG tile + quality/provenance sidecar --> manifest update --> post-flight Satellite Service sync
 ```
-Heavy retrieval and local matching are not steady-state per-frame dependencies. They run on cold start, VO failure, sharp turns, disconnected segments, covariance growth, stale-anchor age, or operator-assisted relocalization.
+Heavy local retrieval and local matching are not steady-state per-frame dependencies. They run on cold start, VO failure, sharp turns, disconnected segments, covariance growth, stale-anchor age, or operator-assisted relocalization, using only preloaded cache/index data during flight.
 ## Architecture
@@ -42,7 +42,7 @@ Heavy retrieval and local matching are not steady-state per-frame dependencies.
 BASALT does not replace the project-owned safety logic. The wrapper remains responsible for satellite anchor acceptance, confidence calibration, source labels, blackout/spoofing modes, tile-write eligibility, and MAVLink `GPS_INPUT` semantics.
-### Satellite Retrieval And Anchor Verification
+### Satellite Service And Anchor Verification
 | Solution | Tools | Pinned Mode/Config | Fit |
 |----------|-------|--------------------|-----|
@@ -50,16 +50,16 @@ BASALT does not replace the project-owned safety logic. The wrapper remains resp
 | SuperPoint+LightGlue | SuperPoint, LightGlue | Same matcher with SuperPoint features | License-gated benchmark/fallback only. |
 | Classical SIFT/ORB | OpenCV | Handcrafted features + homography | Regression/fallback baseline. |
-The VPR index is built over ground-footprint-sized chunks with overlap and a multi-scale descriptor set. VPR is invoked only on relocalization triggers or covariance/anchor-age growth; normal flight uses BASALT VIO plus wrapper propagation.
+The Satellite Service component imports mission cache/index packages before flight, uploads generated-tile packages after landing, and serves local VPR queries during flight. The VPR index is built over ground-footprint-sized chunks with overlap and a multi-scale descriptor set. VPR is invoked only on relocalization triggers or covariance/anchor-age growth; normal flight uses BASALT VIO plus wrapper propagation. No satellite-provider or Satellite Service network calls are allowed mid-flight.
-### Cache And Tile Lifecycle
+### Tile Manager
 | Solution | Tools | Pinned Mode/Config | Fit |
 |----------|-------|--------------------|-----|
 | COG tile objects + PostgreSQL/PostGIS manifest + signed JSON sidecars | GDAL COG, PostgreSQL/PostGIS, signed JSON sidecars, FAISS index files | Service tiles and generated tiles are write-new COG objects; active version selected by PostGIS-backed manifest | Selected. Fits geospatial raster access, provenance, spatial/freshness queries, and write-new tile lifecycle. |
 | PMTiles | PMTiles | Read-only archive snapshot | Rejected for live cache because in-flight tile generation needs mutable write-new objects. |
-Service-source tiles and generated tiles carry CRS, capture date, source, m/px, freshness, quality score, sidecar hashes, and descriptor references. Stale tiles are rejected or down-confidence weighted.
+Service-source tiles and generated tiles carry CRS, capture date, source, m/px, freshness, quality score, sidecar hashes, and descriptor references. The Tile Manager also orthorectifies eligible nadir frames into generated COG tiles. Stale tiles are rejected or down-confidence weighted.
 ### MAVLink Integration
@@ -96,7 +96,7 @@ The system emits per-frame estimates locally and downsampled status to QGroundCo
 - DINOv2 descriptor fidelity: compare PyTorch/ONNX/TensorRT embeddings and retrieval rankings before accepting optimized engines.
 - FAISS CPU index tests: top-K recall, query latency, index size, save/load behavior on Jetson ARM64.
 - LightGlue extractor matrix: ALIKED vs DISK vs SIFT/ORB vs SuperPoint benchmark; SuperPoint excluded from production unless legal approves.
- COG cache lifecycle: write-new generated tile, update manifest, verify active version and rollback.
+- Tile Manager: orthorectify eligible nadir frames into write-new generated tiles, update manifest, verify active version and rollback.
 - `GPS_INPUT` SITL: validate fix type, `horiz_accuracy`, velocity fields, ignore flags, `EK3_SRC1_*` parameters, QGC behavior.
 - Security gates: stale tile, mismatched tile hash, low inlier ratio, impossible velocity jump, and spoofed GPS during blackout.
@@ -2,7 +2,7 @@
 ## Executive Summary
-The solution planning phase decomposed the GPS-denied onboard localization service into 9 implementation components, 2 cross-cutting foundation epics, a bootstrap epic, and a blackbox-test epic. The architecture centers on a Jetson-hosted hot path using camera ingest, BASALT VIO, and a project-owned safety/anchor wrapper, with triggered satellite retrieval and ALIKED/DISK-LightGlue anchor verification against an offline PostgreSQL/PostGIS-backed cache.
+The solution planning phase decomposed the GPS-denied onboard localization service into 8 runtime implementation components, 2 cross-cutting foundation epics, a bootstrap epic, and separate e2e/blackbox test epics. The architecture centers on a Jetson-hosted hot path using camera ingest, BASALT VIO, and a project-owned safety/anchor wrapper, with triggered Satellite Service candidate retrieval and ALIKED/DISK-LightGlue anchor verification against an offline PostgreSQL/PostGIS-backed cache.
 Jira epics were created in project `AZ` from AZ-206 through AZ-218. Total estimated effort across epics is approximately 87-141 story points, with large work intentionally decomposed into child tasks of 2, 3, or 5 points where possible.
@@ -23,32 +23,32 @@ The system is a trigger-based hybrid estimator. Normal flight uses camera ingest
 | # | Component | Purpose | Dependencies | Epic |
 |---|-----------|---------|--------------|------|
 | 01 | Camera Ingest And Calibration | Ingest frames, validate calibration, detect total occlusion before VIO | Bootstrap, shared geometry/time, config/errors | AZ-209 |
-| 02 | BASALT VIO Adapter | Wrap BASALT relative VIO and emit replaceable state DTOs | Camera, MAVLink telemetry, shared helpers | AZ-213 |
+| 02 | VIO Adapter | Wrap the selected relative VIO backend and emit replaceable state DTOs | Camera, MAVLink telemetry, shared helpers | AZ-213 |
 | 03 | Safety And Anchor Wrapper | Own localization state, covariance, anchors, blackout/failsafe, output semantics | Camera, MAVLink, VIO, anchor verification | AZ-216 |
-| 04 | Satellite Retrieval | Retrieve VPR candidates from cache descriptors and FAISS | Camera, cache lifecycle, shared helpers | AZ-214 |
+| 04 | Satellite Service | Sync Satellite Service cache/upload packages and retrieve local VPR candidates from cache descriptors and FAISS | Camera, Tile Manager, shared helpers | AZ-214 |
-| 05 | Anchor Verification | Verify retrieved candidates with learned matching and RANSAC | Retrieval, camera, cache lifecycle | AZ-215 |
+| 05 | Anchor Verification | Verify retrieved candidates with learned matching and RANSAC | Satellite Service, camera, Tile Manager | AZ-215 |
-| 06 | Cache And Tile Lifecycle | Manage COGs, PostGIS manifests, sidecars, freshness, generated tiles | Bootstrap, shared helpers, config/errors | AZ-211 |
+| 06 | Tile Manager | Manage COGs, PostGIS manifests, sidecars, freshness, and orthorectified generated tiles | Bootstrap, shared helpers, config/errors | AZ-211 |
 | 07 | MAVLink And GCS Integration | Consume FC telemetry and emit v1 `GPS_INPUT`/QGC status | Bootstrap, config/errors | AZ-210 |
 | 08 | FDR And Observability | Record bounded replayable evidence and status | Bootstrap, config/errors, runtime DTOs | AZ-212 |
-| 09 | Validation Harness | Drive blackbox, public replay, SITL, Jetson, and release evidence tests | All runtime components | AZ-217 |
+| Test | E2E Test Suite | Separate black-box replay, SITL, Jetson, and release evidence tests; not onboard runtime | All runtime components | AZ-217 |
 **Implementation order**:
 1. Bootstrap and cross-cutting foundations: AZ-206, AZ-207, AZ-208.
 2. Independent adapters/stores: AZ-209, AZ-210, AZ-211, AZ-212.
 3. Estimation/relocalization: AZ-213, AZ-214, AZ-215.
 4. Safety orchestration: AZ-216.
-5. Validation and blackbox test implementation: AZ-217, AZ-218.
+5. Separate e2e/blackbox test implementation: AZ-217, AZ-218.
 ## System Flows
 | Flow | Description | Key Components |
 |------|-------------|----------------|
-| Pre-flight cache preparation | Validate offline cache, sidecars, descriptors, and indexes | Cache lifecycle, retrieval |
+| Pre-flight cache preparation | Validate offline cache, sidecars, descriptors, and indexes | Satellite Service, Tile Manager |
 | Normal frame processing | Route usable frames through BASALT; route total occlusion to IMU-only degraded path | Camera, BASALT, safety, MAVLink, FDR |
-| Satellite relocalization | Retrieve and verify cache candidates, then accept/reject anchors | Safety, retrieval, anchor verification, cache |
+| Satellite relocalization | Retrieve and verify cache candidates, then accept/reject anchors | Safety, Satellite Service, anchor verification, Tile Manager |
 | Visual blackout / spoofing | Propagate IMU-only from last trusted state and fail safe at thresholds | Camera, safety, MAVLink, QGC, FDR |
-| Generated tile lifecycle | Write generated COG candidates only under covariance/quality gates | Safety, cache, FDR |
+| Generated tile lifecycle | Write generated COG candidates only under covariance/quality gates | Safety, Tile Manager, FDR |
-| Post-flight sync and audit | Package generated tiles and FDR evidence | Cache, FDR, Satellite Service |
+| Post-flight sync and audit | Package generated tiles and FDR evidence | Tile Manager, FDR, Satellite Service |
 | Validation replay | Exercise runtime through public interfaces | Validation harness, all runtime components |
 See `system-flows.md` for full diagrams and details.
@@ -72,14 +72,14 @@ See `risk_mitigations.md` for the full register.
 | Component | Integration | Performance | Security | Acceptance | AC Coverage |
 |-----------|-------------|-------------|----------|------------|-------------|
 | Camera Ingest And Calibration | 3 | 1 | 1 | 2 | 7 ACs |
-| BASALT VIO Adapter | 4 | 1 | 1 | 1 | 8 ACs |
+| VIO Adapter | 4 | 1 | 1 | 1 | 8 ACs |
 | Safety And Anchor Wrapper | 7 | 1 | 1 | 3 | 15 ACs |
-| Satellite Retrieval | 4 | 2 | 1 | 1 | 10 ACs |
+| Satellite Service | 4 | 2 | 1 | 1 | 10 ACs |
 | Anchor Verification | 2 | 1 | 2 | 1 | 9 ACs |
-| Cache And Tile Lifecycle | 4 | 1 | 3 | 1 | 10 ACs |
+| Tile Manager | 4 | 1 | 3 | 1 | 10 ACs |
 | MAVLink And GCS Integration | 6 | 2 | 1 | 1 | 10 ACs |
 | FDR And Observability | 6 | 1 | 1 | 1 | 11 ACs |
-| Validation Harness | 9 | 2 | 1 | 2 | All AC groups |
+| E2E Test Suite | 9 | 2 | 1 | 2 | All AC groups |
 **Overall acceptance criteria coverage**: 39 / 39 acceptance criteria covered (100%).  
 **Restrictions coverage**: 10 / 10 restriction groups covered (100%).
@@ -93,13 +93,13 @@ See `risk_mitigations.md` for the full register.
 | 3 | AZ-208: Cross-Cutting: Runtime Configuration And Errors | Shared helper | S-M / 3-5 pts | AZ-206 |
 | 4 | AZ-209: Camera Ingest And Calibration | Component 01 | M / 5-8 pts | AZ-206, AZ-207, AZ-208 |
 | 5 | AZ-210: MAVLink And GCS Integration | Component 07 | M / 5-8 pts | AZ-206, AZ-208 |
-| 6 | AZ-211: Cache And Tile Lifecycle | Component 06 | L / 8-13 pts | AZ-206, AZ-207, AZ-208 |
+| 6 | AZ-211: Tile Manager | Component 06 | L / 8-13 pts | AZ-206, AZ-207, AZ-208 |
 | 7 | AZ-212: FDR And Observability | Component 08 | M-L / 5-8 pts | AZ-206, AZ-208 |
-| 8 | AZ-213: BASALT VIO Adapter | Component 02 | L / 8-13 pts | AZ-209, AZ-210 |
+| 8 | AZ-213: VIO Adapter | Component 02 | L / 8-13 pts | AZ-209, AZ-210 |
-| 9 | AZ-214: Satellite Retrieval | Component 04 | L / 8-13 pts | AZ-209, AZ-211 |
+| 9 | AZ-214: Satellite Service | Component 04 | L / 8-13 pts | AZ-209, AZ-211 |
 | 10 | AZ-215: Anchor Verification | Component 05 | L / 8-13 pts | AZ-214, AZ-209, AZ-211 |
 | 11 | AZ-216: Safety And Anchor Wrapper | Component 03 | XL / 13-21 pts | AZ-209, AZ-210, AZ-213, AZ-215 |
-| 12 | AZ-217: Validation Harness | Component 09 | L / 8-13 pts | Component epics |
+| 12 | AZ-217: E2E Test Suite | Separate test support | L / 8-13 pts | Component epics |
 | 13 | AZ-218: Blackbox Tests | System tests | L / 8-13 pts | AZ-217, component epics |
 **Total estimated effort**: 87-141 story points.
@@ -7,18 +7,18 @@ Build a Jetson-hosted onboard localization pipeline for fixed-wing GPS-denied fl
 ### Components / Responsibilities
 - Camera ingest/calibration: load frames, apply intrinsics/extrinsics, validate image quality.
- BASALT VIO adapter: produce relative camera+IMU motion from synchronized nav frames and FC IMU.
+- VIO adapter: produce relative camera+IMU motion from synchronized nav frames and FC IMU.
 - Safety/anchor wrapper: own covariance calibration, source labels, degraded modes, anchor fusion, and `GPS_INPUT`.
- Satellite retrieval: retrieve VPR chunks from offline descriptor indexes.
+- Satellite Service: sync mission cache packages before flight, upload generated-tile packages after flight, and serve local VPR candidate retrieval from the offline cache.
 - Anchor verification: run local matching/RANSAC and reject unsafe anchors.
- Cache/tile lifecycle: manage COGs, manifests, freshness, generated tiles, and sync metadata.
+- Tile Manager: manage COGs, manifests, freshness/provenance, orthorectified generated tiles, and local tile metadata.
 - MAVLink/GCS integration: consume FC telemetry and emit `GPS_INPUT`/QGC status.
 - FDR/observability: record replayable mission evidence under storage caps.
 - Validation harness: run still-image, public dataset, SITL, Jetson, and representative replay tests.
 ### Principles / Non-Negotiables
- No in-flight satellite-provider calls; runtime uses offline cache only.
+- No in-flight satellite-provider or Satellite Service calls; runtime uses offline cache only.
 - BASALT is a VIO component, not the safety authority.
 - Confidence must be honest; covariance must grow in degraded modes.
 - Heavy VPR/local matching is trigger-based, not per-frame.
@@ -33,7 +33,7 @@ Build a Jetson-hosted onboard localization pipeline for fixed-wing GPS-denied fl
 **System boundaries**:
- In scope: onboard localization runtime, offline cache consumption, BASALT VIO integration, satellite anchor verification, MAVLink output, QGC status, FDR, generated tile metadata, validation harness.
+- In scope: onboard localization runtime, offline cache consumption, BASALT VIO integration, satellite anchor verification, MAVLink output, QGC status, FDR, generated tile metadata, and a separate e2e/black-box test suite.
 - Out of scope: upstream commercial satellite-provider sourcing, Satellite Service ingest implementation, AI mission-camera detection itself, PX4 support, raw-frame retention as a normal operating mode.
 **External systems**:
@@ -42,7 +42,7 @@ Build a Jetson-hosted onboard localization pipeline for fixed-wing GPS-denied fl
 |--------|------------------|-----------|---------|
 | ArduPilot Plane FC | MAVLink | Inbound/Outbound | FC telemetry in, `GPS_INPUT` and status out |
 | QGroundControl | MAVLink telemetry | Outbound | Downsampled operator status and failsafe messages |
-| Azaion Suite Satellite Service | Offline file/cache sync | Inbound before flight, outbound after landing | Provides cache and receives generated tiles |
+| Azaion Suite Satellite Service | Offline file/cache sync | Inbound before flight, outbound after landing | Provides mission cache packages and receives generated-tile packages; never called mid-flight |
 | Public/replay datasets | File/rosbag/fixture | Inbound to validation | De-risk BASALT, VPR, and anchor logic |
 ## 2. Technology Stack
@@ -97,12 +97,12 @@ Build a Jetson-hosted onboard localization pipeline for fixed-wing GPS-denied fl
 |--------|-------------|--------------------|
 | FrameRecord | Navigation-camera frame metadata, total-occlusion status, and processing status | Camera ingest/calibration |
 | TelemetrySample | FC IMU, attitude, airspeed, altitude, GPS health | MAVLink/GCS integration |
-| VioState | BASALT-relative pose/velocity/bias output and quality metadata | BASALT VIO adapter |
+| VioState | Backend-relative pose/velocity/bias output and quality metadata | VIO adapter |
 | PositionEstimate | WGS84 estimate, covariance, source label, fix type, anchor age | Safety/anchor wrapper |
-| VprChunk | Retrieval unit over cache imagery and descriptors | Satellite retrieval |
+| VprChunk | Retrieval unit over cache imagery and descriptors | Satellite Service |
 | AnchorCandidate | Retrieved tile/chunk with local-match and RANSAC evidence | Anchor verification |
-| CacheTile | COG tile plus manifest and sidecar metadata | Cache/tile lifecycle |
+| CacheTile | COG tile plus manifest and sidecar metadata | Tile Manager |
-| GeneratedTile | In-flight orthorectified tile with trust/provenance metadata | Cache/tile lifecycle |
+| GeneratedTile | In-flight orthorectified tile with trust/provenance metadata | Tile Manager |
 | FdrSegment | Bounded replayable log segment | FDR/observability |
 **Data flow summary**:
@@ -117,11 +117,11 @@ Build a Jetson-hosted onboard localization pipeline for fixed-wing GPS-denied fl
 | From | To | Protocol | Pattern | Notes |
 |------|----|----------|---------|-------|
-| Camera ingest/calibration | BASALT VIO adapter | In-process queue or shared frame bus | Streaming | Timestamp discipline is critical |
+| Camera ingest/calibration | VIO adapter | In-process queue or shared frame bus | Streaming | Timestamp discipline is critical |
-| MAVLink telemetry | BASALT VIO adapter | In-process telemetry buffer | Streaming | IMU/attitude/altitude sync |
+| MAVLink telemetry | VIO adapter | In-process telemetry buffer | Streaming | IMU/attitude/altitude sync |
-| BASALT VIO adapter | Safety/anchor wrapper | Typed state messages | Streaming | Wrapper calibrates confidence |
+| VIO adapter | Safety/anchor wrapper | Typed state messages | Streaming | Wrapper calibrates confidence |
-| Safety/anchor wrapper | Satellite retrieval | Command | Triggered request | Only on relocalization conditions |
+| Safety/anchor wrapper | Satellite Service | Command | Triggered local request | Uses only preloaded cache/index data during flight |
-| Satellite retrieval | Anchor verification | Candidate list | Request-response | Dynamic top-K |
+| Satellite Service | Anchor verification | Candidate list | Request-response | Dynamic top-K |
 | Anchor verification | Safety/anchor wrapper | Anchor decision | Request-response | Includes MRE/inliers/provenance |
 | Safety/anchor wrapper | MAVLink/GCS integration | Position/status DTO | Streaming | `GPS_INPUT` emitted frame-by-frame |
 | Safety/anchor wrapper | FDR/observability | Append-only events | Streaming | Bounded segments |
@@ -132,7 +132,7 @@ Build a Jetson-hosted onboard localization pipeline for fixed-wing GPS-denied fl
 |-----------------|----------|------|--------------|
 | ArduPilot Plane | MAVLink | Source/system ID allowlist | Degrade/failsafe; never trust spoofed GPS blindly |
 | QGroundControl | MAVLink | FC telemetry path | Downsampled status may be delayed but local FDR remains authoritative |
-| Satellite Service | Offline cache files | Signed manifests/sidecars | Missing/stale cache causes degraded mode, not network fetch |
+| Azaion Suite Satellite Service | Offline package sync | Signed manifests/sidecars | Missing/stale cache causes degraded mode, not mid-flight network fetch |
 | Public datasets | File/rosbag | License constraints | Not final acceptance unless representative and license-compatible |
 ## 6. Non-Functional Requirements
@@ -157,7 +157,7 @@ Build a Jetson-hosted onboard localization pipeline for fixed-wing GPS-denied fl
 **Data protection**:
 - At rest: FDR and cache sidecars should be integrity protected; mission secrets/signing keys are not stored in code.
- In transit: no in-flight satellite-provider network dependency; MAVLink link security depends on FC/GCS deployment.
+- In transit: no in-flight satellite-provider or Satellite Service network dependency; MAVLink link security depends on FC/GCS deployment.
 **Audit logging**:
@@ -204,7 +204,7 @@ Build a Jetson-hosted onboard localization pipeline for fixed-wing GPS-denied fl
 1. JSON-only manifest — simpler, but weak for query/update scale, spatial search, and consistency.
 2. Embedded single-file metadata DB — efficient for small deployments, but rejected because the project will use PostgreSQL/PostGIS.
-**Consequences**: The cache lifecycle component owns PostgreSQL migrations, PostGIS indexes, signature checks, and sidecar/db consistency.
+**Consequences**: The Tile Manager owns PostgreSQL migrations, PostGIS indexes, signature checks, generated-tile orthorectification metadata, and sidecar/db consistency.
 ### ADR-004: FDR Format
@@ -234,7 +234,7 @@ Build a Jetson-hosted onboard localization pipeline for fixed-wing GPS-denied fl
 ### ADR-005: Public Dataset Strategy
-**Context**: Current project sample data lacks synchronized IMU and ground-truth trajectory.
+**Context**: The original still-image sample lacks synchronized IMU and ground-truth trajectory. The Derkachi fixture adds cropped nadir video synchronized with IMU and `GLOBAL_POSITION_INT` trajectory, but camera intrinsics, distortion, and camera-to-body calibration remain pending.
 **Decision**: Prioritize MUN-FRL for synchronized nadir camera + IMU + GNSS/ground truth; use ALTO for aerial localization/VPR and long nadir trajectories; investigate Kagaru/EPFL for fixed-wing/farmland relevance; use EuRoC/UZH FPV only as VIO proxies if license-compatible.
@@ -2,7 +2,7 @@
 ## Purpose
-Shared geospatial and camera-geometry utilities used by camera ingest, safety wrapper, cache lifecycle, anchor verification, and validation.
+Shared geospatial and camera-geometry utilities used by camera ingest, safety wrapper, Tile Manager, anchor verification, and validation.
 ## Responsibilities
@@ -26,5 +26,5 @@ Shared geospatial and camera-geometry utilities used by camera ingest, safety wr
 | Camera ingest/calibration | Footprint and calibration sanity checks |
 | Safety/anchor wrapper | Distance/covariance/unit conversion |
 | Anchor verification | Pixel-to-ground error reporting |
-| Cache/tile lifecycle | Tile footprint metadata |
+| Tile Manager | Tile footprint metadata |
 | Validation harness | Error thresholds and reports |
@@ -23,7 +23,7 @@ Shared timestamp validation and alignment utilities for frame, IMU, telemetry, F
 | Component | Usage |
 |-----------|-------|
 | Camera ingest/calibration | Frame ordering and timestamp metadata |
-| BASALT VIO adapter | IMU/frame synchronization |
+| VIO adapter | IMU/frame synchronization |
 | MAVLink/GCS integration | Telemetry timestamp normalization |
 | FDR/observability | Segment ordering |
 | Validation harness | Fixture validation |
@@ -8,7 +8,7 @@
 **Upstream dependencies**: Navigation camera, camera calibration files.
-**Downstream consumers**: BASALT VIO adapter, satellite retrieval, anchor verification, cache/tile lifecycle, FDR.
+**Downstream consumers**: VIO adapter, Satellite Service, anchor verification, Tile Manager, FDR.
 ## 2. Internal Interfaces
@@ -82,7 +82,7 @@ ImageQualityReport:
 | Helper | Purpose | Used By |
 |--------|---------|---------|
-| `geo_geometry_helper` | Coordinate transforms, GSD, WGS84/local conversions | Camera ingest, safety wrapper, cache lifecycle |
+| `geo_geometry_helper` | Coordinate transforms, GSD, WGS84/local conversions | Camera ingest, safety wrapper, Tile Manager |
 ## 6. Caveats & Edge Cases
@@ -98,9 +98,9 @@ ImageQualityReport:
 **Must be implemented after**: none.
-**Can be implemented in parallel with**: cache/tile lifecycle, MAVLink/GCS integration.
+**Can be implemented in parallel with**: Tile Manager, MAVLink/GCS integration.
-**Blocks**: BASALT VIO adapter, anchor verification, generated tile lifecycle.
+**Blocks**: VIO adapter, anchor verification, generated tile lifecycle.
 ## 8. Logging Strategy
@@ -58,7 +58,7 @@
 **Max execution time**: 100 ms per frame.
-**Dependencies**: Cache lifecycle test double.
+**Dependencies**: Tile Manager test double.
 ## Performance Tests
@@ -110,7 +110,7 @@
 | Step | Action | Expected Result |
 |------|--------|-----------------|
 | 1 | Feed a calibrated normal frame | Occlusion status is `clear` |
-| 2 | Process quality gate | Frame is emitted to BASALT adapter |
+| 2 | Process quality gate | Frame is emitted to VIO adapter |
 ---
@@ -1,14 +1,14 @@
-# BASALT VIO Adapter
+# VIO Adapter
 ## 1. High-Level Overview
-**Purpose**: Wrap BASALT as a replaceable relative VIO component that consumes calibrated frames and FC IMU data, then emits relative pose/velocity/bias state and tracking quality.
+**Purpose**: Wrap the selected relative VIO backend as a replaceable component that consumes calibrated frames and FC IMU data, then emits relative pose/velocity/bias state and tracking quality.
 **Architectural Pattern**: Adapter / anti-corruption layer.
 **Upstream dependencies**: Camera ingest/calibration, MAVLink telemetry stream.
-**Downstream consumers**: Safety/anchor wrapper, validation harness, FDR.
+**Downstream consumers**: Safety/anchor wrapper, FDR, separate e2e test suite.
 ## 2. Internal Interfaces
@@ -48,14 +48,14 @@ No persistent production data ownership. Reads calibration/config at startup and
 ## 4. Implementation Details
-**State Management**: Owns BASALT runtime state and resets only through explicit wrapper command.
+**State Management**: Owns selected VIO backend runtime state and resets only through explicit wrapper command.
 **Key Dependencies**:
 | Library | Purpose |
 |---------|---------|
-| BASALT | Relative visual-inertial odometry |
+| BASALT | Current selected relative visual-inertial odometry backend |
-| Eigen/Sophus or BASALT native math stack | Pose and transform representation |
+| Eigen/Sophus or backend-native math stack | Pose and transform representation |
 **Error Handling Strategy**:
 - Tracking loss is surfaced to the safety/anchor wrapper, not hidden.
@@ -66,7 +66,7 @@ No persistent production data ownership. Reads calibration/config at startup and
 **Known limitations**:
 - BASALT has no special fixed-wing nadir mode; validation must prove fit under low-parallax/planar terrain.
- BASALT covariance/confidence output is not the product authority; wrapper calibration is required.
+- Backend covariance/confidence output is not the product authority; wrapper calibration is required.
 **Performance bottlenecks**:
 - Native VIO runtime and image resolution can exceed Jetson budget if not tuned.
@@ -75,7 +75,7 @@ No persistent production data ownership. Reads calibration/config at startup and
 **Must be implemented after**: Camera ingest/calibration, MAVLink telemetry DTO definitions.
-**Can be implemented in parallel with**: satellite retrieval, cache lifecycle.
+**Can be implemented in parallel with**: Satellite Service, Tile Manager.
 **Blocks**: Safety/anchor wrapper final integration.
@@ -83,7 +83,7 @@ No persistent production data ownership. Reads calibration/config at startup and
 | Log Level | When | Example |
 |-----------|------|---------|
-| ERROR | BASALT initialization fails | `basalt_init_failed reason=...` |
+| ERROR | VIO backend initialization fails | `vio_init_failed reason=...` |
 | WARN | Tracking quality drops | `vio_tracking_degraded quality=...` |
 | INFO | VIO reset/reinitialized | `vio_reset cause=...` |
@@ -1,4 +1,4 @@
-# Test Specification — BASALT VIO Adapter
+# Test Specification — VIO Adapter
 ## Acceptance Criteria Traceability
@@ -17,13 +17,13 @@
 ### IT-01: Public Dataset VIO Replay
-**Summary**: Verify BASALT adapter produces relative motion for synchronized camera/IMU replay.
+**Summary**: Verify the VIO adapter produces relative motion for synchronized camera/IMU replay.
 **Traces to**: AC-2.1a, AC-2.2
-**Input data**: MUN-FRL preferred slice, or representative synchronized nav-camera + IMU + ground truth.
+**Input data**: Derkachi cropped nadir video + `SCALED_IMU2` + `GLOBAL_POSITION_INT`, MUN-FRL preferred slice, or representative synchronized nav-camera + IMU + ground truth.
-**Expected result**: VO registration succeeds for >95% of normal usable frames; frame-to-frame MRE <1.0 px where ground-truth/feature evaluation supports it.
+**Expected result**: VO registration succeeds for >95% of normal usable frames; frame-to-frame MRE <1.0 px where ground-truth/feature evaluation supports it. Derkachi runs are accepted as calibration-limited until intrinsics, distortion, and camera-to-body transform are pinned.
 **Max execution time**: Dataset-dependent; report per-frame latency.
@@ -53,7 +53,7 @@
 **Traces to**: AC-3.1
-**Input data**: Replay segment with synthetic ±20° tilt and up to 350 m apparent outlier.
+**Input data**: Replay segment with synthetic +/-20 degree tilt and up to 350 m apparent outlier.
 **Expected result**: Adapter either tracks with quality metadata or emits `TrackingLost`; it never hides a failure as high-quality VIO.
@@ -67,7 +67,7 @@
 **Traces to**: AC-3.2, AC-3.4
-**Input data**: <5% overlap sequence with heading change <70°.
+**Input data**: <5% overlap sequence with heading change <70 degrees.
 **Expected result**: Adapter emits low tracking quality or `TrackingLost` within the loss window, allowing relocalization trigger.
@@ -75,14 +75,14 @@
 ## Performance Tests
-### PT-01: BASALT Adapter Runtime Budget
+### PT-01: VIO Adapter Runtime Budget
 **Summary**: Verify VIO processing does not consume the full <400 ms system p95 budget.
 **Traces to**: AC-4.1, AC-4.2
 **Load scenario**:
- Input: synchronized public/representative replay.
+- Input: Derkachi synchronized replay and public/representative replay.
 - Duration: 30 minutes plus release long-run slice.
 - Target: Jetson Orin Nano Super.
@@ -130,8 +130,9 @@
 | Data Set | Description | Source | Size |
 |----------|-------------|--------|------|
 | `derkachi_video_telemetry` | Cropped nadir MP4 + synchronized IMU and `GLOBAL_POSITION_INT` trajectory | Project fixture | ~282 MB video + CSV |
 | `public_nadir_vio_candidates` | MUN-FRL/ALTO/Kagaru/EPFL slices | Public pinned fixtures | Dataset-dependent |
-| `representative_sync_replay` | Target camera + FC IMU + ground truth | Project collection | TBD |
+| `representative_sync_replay` | Target camera + FC IMU + calibrated ground truth | Project collection | TBD |
 **Setup procedure**: Pin calibration/extrinsics and mount read-only synchronized replay data.
@@ -6,9 +6,9 @@
 **Architectural Pattern**: Stateful coordinator / safety facade.
-**Upstream dependencies**: BASALT VIO adapter, anchor verification, MAVLink telemetry, camera quality reports.
+**Upstream dependencies**: VIO adapter, anchor verification, MAVLink telemetry, camera quality reports.
-**Downstream consumers**: MAVLink/GCS integration, FDR, cache/tile lifecycle, validation harness.
+**Downstream consumers**: MAVLink/GCS integration, FDR, Tile Manager, separate e2e test suite.
 ## 2. Internal Interfaces
@@ -73,7 +73,7 @@ No direct tile/image storage ownership. Writes all decisions to FDR via observab
 - Never emit optimistic accuracy when confidence is degraded.
 - On total occlusion or visual blackout, do not call VIO for that frame; propagate from the last trusted state with IMU-only dynamics, set `source_label=dead_reckoned`, and grow covariance monotonically.
 - If covariance or blackout thresholds exceed AC limits, emit no-fix/failsafe semantics.
- Treat cache freshness and provenance as evidence carried by `AnchorDecision`; do not call the cache lifecycle component directly during anchor acceptance.
+- Treat cache freshness and provenance as evidence carried by `AnchorDecision`; do not call the Tile Manager directly during anchor acceptance.
 ## 5. Caveats & Edge Cases
@@ -1,21 +1,23 @@
-# Satellite Retrieval
+# Satellite Service
 ## 1. High-Level Overview
-**Purpose**: Convert a query frame and prior state into ranked satellite/cache VPR chunk candidates using DINOv2-VLAD descriptors and FAISS.
+**Purpose**: Own the onboard boundary to the suite Satellite Service: import pre-flight mission cache packages, upload generated-tile packages after flight, and convert query frames into ranked local VPR candidates using preloaded DINOv2-VLAD descriptors and FAISS.
-**Architectural Pattern**: Query service / retrieval index adapter.
+**Architectural Pattern**: Offline sync gateway + local retrieval index adapter.
-**Upstream dependencies**: Camera ingest/calibration, cache/tile lifecycle, safety/anchor wrapper.
+**Upstream dependencies**: Camera ingest/calibration, Tile Manager, safety/anchor wrapper, Azaion Suite Satellite Service before/after flight.
 **Downstream consumers**: Anchor verification, FDR.
 ## 2. Internal Interfaces
-### Interface: `CandidateRetriever`
+### Interface: `SatelliteService`
 | Method | Input | Output | Async | Error Types |
 |--------|-------|--------|-------|-------------|
 | `import_mission_cache` | `CacheImportRequest` | `CacheImportResult` | Yes | `SyncUnavailable`, `PackageInvalid` |
 | `upload_generated_tiles` | `GeneratedTileUploadRequest` | `GeneratedTileUploadResult` | Yes | `SyncUnavailable`, `PackageRejected` |
 | `retrieve` | `RetrievalRequest` | `RetrievalResult` | Yes | `IndexUnavailable`, `DescriptorFailed` |
 | `load_index` | `IndexLoadRequest` | `IndexStatus` | No | `ManifestInvalid`, `IndexUnavailable` |
@@ -49,11 +51,12 @@ VprCandidate:
 | Query | Frequency | Hot Path | Index Needed |
 |-------|-----------|----------|--------------|
 | Top-K FAISS search | Triggered only | No steady-state | FAISS index |
 | Import/export package sync | Pre-flight / post-flight only | No mid-flight | Package manifest and sidecar hashes |
 | Load chunk metadata | Per candidate | No | PostgreSQL/PostGIS spatial and chunk indexes |
 ## 4. Implementation Details
-**State Management**: Holds loaded descriptor model and FAISS index handles.
+**State Management**: Holds loaded descriptor model and FAISS index handles; tracks pre-flight import and post-flight upload package status.
 **Key Dependencies**:
@@ -61,16 +64,19 @@ VprCandidate:
 |---------|---------|
 | DINOv2 / ONNX / TensorRT candidate path | Query descriptor extraction |
 | FAISS CPU | Top-K retrieval |
 | Satellite Service client | Pre-flight cache import and post-flight generated-tile upload |
 **Error Handling Strategy**:
 - If descriptor extraction or index load fails, return no candidates and trigger degraded mode.
 - Optimized engines are allowed only after descriptor-fidelity tests pass.
 - Network/package sync failures are allowed only before takeoff or after landing; during flight, the component must never call a satellite provider or suite service.
 ## 5. Caveats & Edge Cases
 **Known limitations**:
 - VPR result is only a candidate, never an accepted fix.
 - Cross-domain retrieval can be wrong under seasonal, lighting, or terrain ambiguity.
 - External Satellite Service availability cannot be part of the mid-flight localization safety case.
 **Performance bottlenecks**:
 - Descriptor extraction on Jetson must be trigger-limited and profiled separately from BASALT.
@@ -1,4 +1,4 @@
-# Test Specification — Satellite Retrieval
+# Test Specification — Satellite Service
 ## Acceptance Criteria Traceability
@@ -31,7 +31,7 @@
 ---
-### IT-02: Sharp-Turn Retrieval Trigger
+### IT-02: Sharp-Turn Local Retrieval Trigger
 **Summary**: Verify sharp-turn state requests candidates rather than relying on frame-to-frame VO.
@@ -39,7 +39,7 @@
 **Input data**: Wrapper relocalization request with sharp-turn/loss reason.
-**Expected result**: Retrieval returns bounded top-K candidates based on sector/covariance policy.
+**Expected result**: Satellite Service returns bounded top-K candidates from preloaded local indexes based on sector/covariance policy.
 **Max execution time**: 2 seconds per query.
@@ -126,6 +126,25 @@
 **Pass criteria**: 0 stale candidates without explicit stale/down-confidence metadata.
 ---
 ### ST-02: No Mid-Flight Satellite Service Calls
 **Summary**: Verify relocalization never performs satellite-provider or suite Satellite Service network calls during flight.
 **Traces to**: AC-8.3, R-SAT-01
 **Attack vector**: Runtime attempts to fetch missing cache/index data over the network during relocalization.
 **Test procedure**:
 1. Disable external network access during a replay scenario.
 2. Trigger relocalization against preloaded cache fixtures.
 3. Inspect network call logs and Satellite Service client telemetry.
 **Expected behavior**: Retrieval uses only mounted local cache/index data; missing data produces degraded/no-candidate behavior, not a network fetch.
 **Pass criteria**: 0 mid-flight Satellite Service or satellite-provider calls.
 ## Acceptance Tests
 ### AT-01: Relocalization Candidate Returned
@@ -6,7 +6,7 @@
 **Architectural Pattern**: Validation pipeline.
-**Upstream dependencies**: Satellite retrieval, camera ingest/calibration, cache/tile lifecycle.
+**Upstream dependencies**: Satellite Service, camera ingest/calibration, Tile Manager.
 **Downstream consumers**: Safety/anchor wrapper, FDR.
@@ -74,9 +74,9 @@ AnchorDecision:
 ## 6. Dependency Graph
-**Must be implemented after**: satellite retrieval candidate DTOs, cache tile access.
+**Must be implemented after**: Satellite Service candidate DTOs, Tile Manager tile access.
-**Can be implemented in parallel with**: BASALT VIO adapter.
+**Can be implemented in parallel with**: VIO adapter.
 **Blocks**: accepted satellite-anchor path.
@@ -1,23 +1,24 @@
-# Cache And Tile Lifecycle
+# Tile Manager
 ## 1. High-Level Overview
-**Purpose**: Manage offline service-source tiles, manifests, descriptor metadata, freshness/provenance checks, generated tile writes, and post-flight sync packaging.
+**Purpose**: Manage local tiles: service-source COGs, manifests, descriptor metadata, freshness/provenance checks, nadir-image orthorectification into generated tiles, generated tile writes, and post-flight package preparation.
 **Architectural Pattern**: Repository + policy gate.
 **Upstream dependencies**: Satellite Service cache packages, safety/anchor wrapper, camera ingest/calibration.
-**Downstream consumers**: Satellite retrieval, anchor verification, FDR, post-flight sync.
+**Downstream consumers**: Satellite Service, anchor verification, FDR, post-flight sync.
 ## 2. Internal Interfaces
-### Interface: `CacheRepository`
+### Interface: `TileManager`
 | Method | Input | Output | Async | Error Types |
 |--------|-------|--------|-------|-------------|
 | `validate_cache` | `CacheValidationRequest` | `CacheValidationReport` | No | `ManifestInvalid`, `SignatureInvalid` |
 | `get_tile_window` | `TileWindowRequest` | `TileWindow` | No | `TileUnavailable`, `TileRejected` |
 | `orthorectify_frame` | `TileGenerationRequest` | `GeneratedTileCandidate` | Yes | `TileWriteRejected`, `FrameNotUsable` |
 | `write_generated_tile` | `GeneratedTileRequest` | `GeneratedTileRecord` | Yes | `TileWriteRejected`, `StorageFull` |
 | `package_sync` | `SyncPackageRequest` | `SyncPackage` | Yes | `PackageFailed` |
@@ -26,7 +27,7 @@
 | Query | Frequency | Hot Path | Index Needed |
 |-------|-----------|----------|--------------|
 | Tile by footprint/time/freshness | Per retrieval/anchor | Yes during relocalization | Spatial/time indexes |
-| Descriptor metadata by chunk | Per retrieval | Yes during relocalization | Chunk ID index |
+| Descriptor metadata by chunk | Per Satellite Service retrieval | Yes during relocalization | Chunk ID index |
 | Generated tile by mission/sector | Post-flight | No | Mission ID index |
 ### Caching Strategy
@@ -53,6 +54,7 @@
 |---------|---------|
 | PostgreSQL + PostGIS | Manifest, spatial metadata, freshness queries, and generated-tile metadata |
 | GDAL/rasterio candidate | COG read/write |
 | OpenCV/GDAL geometry utilities | Nadir-frame orthorectification into generated COG tiles |
 | Cryptographic hash/signature library | Sidecar validation |
 **Error Handling Strategy**:
@@ -75,7 +77,7 @@
 **Can be implemented in parallel with**: camera ingest, MAVLink integration.
-**Blocks**: satellite retrieval, anchor verification, generated tile lifecycle.
+**Blocks**: Satellite Service retrieval, anchor verification, generated tile lifecycle.
 ## 7. Logging Strategy
@@ -1,4 +1,4 @@
-# Test Specification — Cache And Tile Lifecycle
+# Test Specification — Tile Manager
 ## Acceptance Criteria Traceability
@@ -47,7 +47,7 @@
 ### IT-03: Generated Tile Write
-**Summary**: Verify generated tiles are written only when pose and frame quality gates pass.
+**Summary**: Verify nadir frames are orthorectified and written as generated tiles only when pose and frame quality gates pass.
 **Traces to**: AC-8.4
@@ -111,7 +111,7 @@
 ### ST-02: Raw Frame Persistence Check
-**Summary**: Verify cache lifecycle persists tiles, not raw frames.
+**Summary**: Verify Tile Manager persists tiles, not raw frames.
 **Traces to**: AC-8.5
@@ -149,7 +149,7 @@
 | Step | Action | Expected Result |
 |------|--------|-----------------|
-| 1 | Write generated candidate tile | COG + sidecar + PostGIS manifest row created |
+| 1 | Orthorectify and write generated candidate tile | COG + sidecar + PostGIS manifest row created |
 | 2 | Package post-flight sync | Manifest delta includes trust level and parent covariance |
 | 3 | Inspect package | No tile is marked trusted basemap by onboard runtime |
@@ -8,7 +8,7 @@
 **Upstream dependencies**: ArduPilot Plane FC, safety/anchor wrapper.
-**Downstream consumers**: BASALT VIO adapter, safety/anchor wrapper, QGC, FDR.
+**Downstream consumers**: VIO adapter, safety/anchor wrapper, QGC, FDR.
 ## 2. Internal Interfaces
@@ -52,7 +52,7 @@ No persistent data ownership; telemetry and emitted packets are mirrored to FDR.
 **Must be implemented after**: position estimate DTO and MAVLink output contract.
-**Can be implemented in parallel with**: cache lifecycle, camera ingest.
+**Can be implemented in parallel with**: Tile Manager, camera ingest.
 **Blocks**: SITL integration and production FC output.
@@ -1,86 +0,0 @@
 # Validation Harness
 ## 1. High-Level Overview
 **Purpose**: Drive black-box replay, public dataset, SITL, Jetson, and representative validation through the runtime's public interfaces.
 **Architectural Pattern**: Test harness / scenario runner.
 **Upstream dependencies**: Test data fixtures, public datasets, SITL, Jetson environment.
 **Downstream consumers**: CI/CD pipeline, release evidence review.
 ## 2. Internal Interfaces
 ### Interface: `ScenarioRunner`
 | Method | Input | Output | Async | Error Types |
 |--------|-------|--------|-------|-------------|
 | `run_scenario` | `ScenarioRequest` | `ScenarioReport` | Yes | `FixtureInvalid`, `RuntimeFailed`, `ThresholdFailed` |
 | `validate_fixture` | `FixtureRequest` | `FixtureValidationReport` | No | `FixtureInvalid` |
 **Input DTOs**:
 ```yaml
 ScenarioRequest:
  scenario_id: string
  execution_environment: enum(replay, sitl, jetson, representative)
  fixture_paths: list[string]
 ```
 **Output DTOs**:
 ```yaml
 ScenarioReport:
  scenario_id: string
  result: enum(pass, fail, blocked)
  metrics: object
  artifacts: list[path]
  failure_reason: string optional
 ```
 ## 3. Data Access Patterns
 Reads versioned fixtures and writes reports. Does not import runtime internals.
 ## 4. Implementation Details
 **State Management**: Per-run temporary directories and report aggregation.
 **Key Dependencies**:
 | Library | Purpose |
 |---------|---------|
 | pytest or equivalent | Test orchestration |
 | pymavlink/log parser | SITL and output validation |
 | Docker/compose runner | Replay/SITL environment |
 **Error Handling Strategy**:
 - Fixture gaps are reported as blocked, not passed.
 - Threshold failures include metrics and artifacts.
 ## 5. Caveats & Edge Cases
 **Known limitations**:
 - Public datasets are not final acceptance evidence unless representative and license-compatible.
 - Missing synchronized target data remains a final acceptance blocker.
 ## 6. Dependency Graph
 **Must be implemented after**: public interfaces are defined.
 **Can be implemented in parallel with**: runtime components using mocks/fixtures only after interfaces are stable.
 **Blocks**: CI/release gates.
 ## 7. Logging Strategy
 | Log Level | When | Example |
 |-----------|------|---------|
 | ERROR | Runtime/test process fails | `scenario_failed id=... reason=...` |
 | WARN | Fixture blocked | `fixture_blocked missing=...` |
 | INFO | Scenario complete | `scenario_complete id=... result=pass` |
 **Log format**: Test report CSV/Markdown plus structured runner logs.
 **Log storage**: `test-results/`.
@@ -1,232 +0,0 @@
 # Test Specification — Validation Harness
 ## Acceptance Criteria Traceability
 | AC ID | Acceptance Criterion | Test IDs | Coverage |
 |-------|---------------------|----------|----------|
 | AC-1.1 through AC-1.4 | Position accuracy, drift, confidence | IT-01, AT-01 | Covered |
 | AC-2.1a/b, AC-2.2 | VO and satellite registration | IT-02, IT-03 | Covered |
 | AC-3.1 through AC-3.5 | Resilience edge cases | IT-04, IT-05 | Covered |
 | AC-4.1 through AC-4.5 | Latency, memory, MAVLink streaming | PT-01, IT-06 | Covered |
 | AC-5.1 through AC-5.3 | Startup/failsafe/reboot | IT-07 | Covered |
 | AC-6.1 through AC-6.3 | QGC/GCS/WGS84 | IT-06 | Covered |
 | AC-7.1, AC-7.2 | Object coordinate contract | IT-08 | Covered at system boundary |
 | AC-8.1 through AC-8.6 | Offline cache, freshness, tiles, VPR | IT-03, IT-09, ST-01 | Covered |
 | AC-NEW-1 through AC-NEW-8 | Cold start, spoofing, FDR, false-position, thermal, freshness, poisoning, blackout | IT-05, IT-07, PT-02, ST-01, AT-02 | Covered |
 ## Blackbox Tests
 ### IT-01: Still-Image Accuracy Runner
 **Summary**: Verify project still-image replay reports frame-center accuracy.
 **Traces to**: AC-1.1, AC-1.2, AC-1.4
 **Input data**: Project mapped images and `expected_results/results_report.md`.
 **Expected result**: Report includes per-image error, aggregate 50 m/20 m pass rates, covariance, source label, and anchor age.
 **Max execution time**: 15 minutes.
 ---
 ### IT-02: Public VIO Replay Runner
 **Summary**: Verify public/representative synchronized data can drive BASALT/wrapper tests.
 **Traces to**: AC-1.3, AC-2.1a, AC-2.2
 **Input data**: MUN-FRL preferred slice or representative synchronized dataset.
 **Expected result**: Runner validates trajectory, VIO registration, latency, and covariance calibration.
 **Max execution time**: Dataset-dependent.
 ---
 ### IT-03: Satellite Anchor Replay Runner
 **Summary**: Verify VPR and anchor verification test scenarios are executable.
 **Traces to**: AC-2.1b, AC-2.2, AC-8.1, AC-8.2, AC-8.6
 **Input data**: ALTO/AerialVL/representative aerial localization fixture plus cache.
 **Expected result**: Runner reports retrieval recall, MRE, accepted/rejected anchors, and freshness behavior.
 **Max execution time**: Dataset-dependent.
 ---
 ### IT-04: Outlier/Sharp-Turn/Disconnected Runner
 **Summary**: Verify resilience scenarios are executable and reported.
 **Traces to**: AC-3.1, AC-3.2, AC-3.3, AC-3.4
 **Input data**: Synthetic and public disconnected-segment fixtures.
 **Expected result**: Runner validates relocalization and records degraded-mode timelines.
 **Max execution time**: 30 minutes.
 ---
 ### IT-05: Blackout And Spoofing Runner
 **Summary**: Verify total blackout plus spoofing scenarios can be driven through SITL/replay.
 **Traces to**: AC-3.5, AC-NEW-2, AC-NEW-8
 **Input data**: Plane SITL spoofing scenario with 5 s, 15 s, and 35 s blackout windows.
 **Expected result**: Runner measures <=400 ms mode switch, <3 s promotion, monotonic covariance, and failsafe thresholds.
 **Max execution time**: 30 minutes.
 ---
 ### IT-06: MAVLink/QGC Contract Runner
 **Summary**: Verify MAVLink output and GCS status assertions are automated.
 **Traces to**: AC-4.3, AC-4.4, AC-4.5, AC-6.1, AC-6.2, AC-6.3
 **Input data**: Plane SITL, QGC observer/log parser, position fixtures.
 **Expected result**: Runner validates v1 GPS_INPUT-only output, WGS84 coordinates, status rate, and command ingress.
 **Max execution time**: 60 minutes.
 ---
 ### IT-07: Startup/Reboot Runner
 **Summary**: Verify cold-start and reboot scenarios are measurable.
 **Traces to**: AC-5.1, AC-5.2, AC-5.3, AC-NEW-1
 **Input data**: 50 cold-start runs and companion reboot trace.
 **Expected result**: First valid `GPS_INPUT` <30 s p95; reboot reinitializes from FC state.
 **Max execution time**: Runset-dependent.
 ---
 ### IT-08: Object Coordinate Contract Runner
 **Summary**: Verify AI-camera object coordinate request contract at system boundary.
 **Traces to**: AC-7.1, AC-7.2
 **Input data**: Frame-center estimate, object pixel/angle fixture, gimbal angle, altitude.
 **Expected result**: Output coordinate includes frame-center-consistent accuracy and maneuvering-flight projection error bound.
 **Max execution time**: 5 minutes.
 ---
 ### IT-09: Cache And Tile Lifecycle Runner
 **Summary**: Verify cache, generated tiles, and storage tests are executable.
 **Traces to**: AC-8.3, AC-8.4, AC-8.5, AC-NEW-6, AC-NEW-7
 **Input data**: Cache integrity fixtures, generated tile scenarios, PostGIS manifest.
 **Expected result**: Runner validates cache load, tile write gates, no raw-frame retention, stale rejection, and poisoning budget evidence.
 **Max execution time**: Dataset-dependent.
 ## Performance Tests
 ### PT-01: End-To-End Release Gate Runner
 **Summary**: Verify performance and resource tests can run in the proper environment.
 **Traces to**: AC-4.1, AC-4.2, AC-NEW-5
 **Load scenario**:
 - Environments: replay, Jetson hardware, SITL.
 - Duration: smoke, nightly, and release-gate profiles.
 | Metric | Target | Failure Threshold |
 |--------|--------|-------------------|
 | End-to-end p95 | <400 ms | >=400 ms |
 | Memory | <8 GB | >=8 GB |
 | Thermal throttle | 0 events in release gate | Any throttle event |
 ---
 ### PT-02: FDR/Storage Runner
 **Summary**: Verify 8-hour storage/endurance test orchestration.
 **Traces to**: AC-NEW-3
 | Metric | Target | Failure Threshold |
 |--------|--------|-------------------|
 | FDR cap | <=64 GB | >64 GB |
 | Rollover logging | Complete | Missing rollover event |
 ## Security Tests
 ### ST-01: Security Fixture Runner
 **Summary**: Verify stale/tampered cache, spoofed MAVLink, and false-anchor scenarios are automated.
 **Traces to**: AC-NEW-4, AC-NEW-6, AC-NEW-7
 **Attack vector**: Cache tampering, stale imagery, spoofed GPS, impossible anchors.
 **Test procedure**:
 1. Load each security fixture.
 2. Run scenario through public runtime interfaces.
 3. Validate output labels, FDR, and rejection reasons.
 **Expected behavior**: No tampered/stale/spoofed input produces a trusted false fix.
 **Pass criteria**: 0 accepted unsafe anchors or spoofed GPS promotions outside gates.
 ## Acceptance Tests
 ### AT-01: Traceability Completeness Report
 **Summary**: Verify every AC has executable or explicitly blocked test coverage.
 **Traces to**: All ACs
 | Step | Action | Expected Result |
 |------|--------|-----------------|
 | 1 | Read traceability matrix | All ACs mapped to tests |
 | 2 | Run fixture validation | Missing public/representative data is reported as blocked, not passed |
 ---
 ### AT-02: Release Evidence Bundle
 **Summary**: Verify release evidence can be assembled.
 **Traces to**: AC-NEW-1 through AC-NEW-8
 | Step | Action | Expected Result |
 |------|--------|-----------------|
 | 1 | Run release profile | Reports, tlogs, FDR summaries, cache reports are produced |
 | 2 | Collate artifacts | Bundle contains pass/fail status and residual blockers |
 ## Test Data Management
 | Data Set | Description | Source | Size |
 |----------|-------------|--------|------|
 | `project_60_still_images` | Frame-center geolocation smoke | Project data | Project size |
 | `public_dataset_slices` | MUN-FRL/ALTO/Kagaru/EPFL/AerialVL as licensed | Public pinned fixtures | Dataset-dependent |
 | `sitl_scenarios` | Plane spoofing/failsafe traces | Generated | Small |
 | `security_fixtures` | Stale/tampered/cache poisoning cases | Generated | Small |
 **Setup procedure**: Create isolated run directory, restore PostgreSQL schema, mount fixtures read-only, and start requested environment.
 **Teardown procedure**: Stop environments, archive reports, drop run schema, and delete temp volumes.
 **Data isolation strategy**: Unique run ID, schema, ports, cache staging directory, and FDR directory per scenario.
@@ -0,0 +1,51 @@
 # Contract: Config Errors Telemetry
 **Component**: shared/config, shared/errors, shared/telemetry
 **Producer task**: AZ-222 — AZ-222_runtime_config_errors_telemetry.md
 **Consumer tasks**: AZ-223, AZ-224, AZ-225, AZ-226, AZ-227, AZ-228, AZ-229, AZ-230, AZ-231, AZ-232
 **Version**: 1.0.0
 **Status**: draft
 **Last Updated**: 2026-05-03
 ## Purpose
 Defines shared runtime configuration, error/result envelope, health, and telemetry metadata behavior consumed by all runtime components.
 ## Shape
 | Contract | Required Behavior |
 |----------|-------------------|
 | Runtime profile | environment-specific settings loaded and validated before use |
 | Error envelope | component, category, message, cause, retryability, severity |
 | Health event | liveness/readiness status, dependency state, timestamp, component |
 | Metrics labels | bounded component/action/status labels suitable for runtime reports |
 ## Invariants
 - Missing required production settings fail startup or readiness loudly.
 - Errors are returned or logged with component and category; no silent suppression.
 - Secrets are referenced, not serialized into FDR, logs, or metrics.
 ## Non-Goals
 - Does not define component-specific business errors.
 - Does not replace FDR payload schemas.
 ## Versioning Rules
 - Removing required config keys or error categories requires a major version bump.
 - Adding optional health fields or metrics labels requires a minor version bump.
 ## Test Cases
 | Case | Input | Expected | Notes |
 |------|-------|----------|-------|
 | missing-required-prod | production profile missing cache dir | readiness/startup failure | Clear error category |
 | secret-value | signing key ref present | only key ref logged | No secret leakage |
 | component-error | component reports dependency failure | structured envelope emitted | FDR-safe |
 ## Change Log
 | Version | Date | Change | Author |
 |---------|------|--------|--------|
 | 1.0.0 | 2026-05-03 | Initial contract | autodev |
@@ -0,0 +1,52 @@
 # Contract: Geometry And Time Sync Helpers
 **Component**: shared/geo_geometry, shared/time_sync
 **Producer task**: AZ-221 — AZ-221_shared_geometry_time_sync.md
 **Consumer tasks**: AZ-223, AZ-225, AZ-226, AZ-228, AZ-230, AZ-231, AZ-232
 **Version**: 1.0.0
 **Status**: draft
 **Last Updated**: 2026-05-03
 ## Purpose
 Defines shared geospatial and timestamp helper behavior used by runtime components to avoid duplicated math and inconsistent frame/IMU alignment.
 ## Shape
 | API Area | Shape | Errors |
 |----------|-------|--------|
 | Coordinate conversion | WGS84/local tangent conversions and distance calculations | invalid CRS, missing origin |
 | Camera footprint | intrinsics/extrinsics/attitude/altitude to footprint and GSD | invalid calibration, missing altitude |
 | Homography metrics | homography/covariance conversions and MRE support | invalid geometry |
 | Time sync | monotonic checks, frame-to-IMU window selection, replay ordering | timestamp mismatch, gap/jitter exceeded |
 ## Invariants
 - Helpers are deterministic for the same calibration, pose, and timestamp inputs.
 - Time helpers report gaps/jitter instead of silently dropping samples.
 - Geometry helpers do not decide safety policy; callers decide degrade/reject behavior.
 ## Non-Goals
 - No VIO state estimation.
 - No MAVLink parsing beyond normalized timestamp fields.
 - No tile freshness or cache policy decisions.
 ## Versioning Rules
 - Breaking changes to units, coordinate frames, or timestamp semantics require a major version bump.
 - New helper outputs may be added as optional fields in minor versions.
 ## Test Cases
 | Case | Input | Expected | Notes |
 |------|-------|----------|-------|
 | valid-wgs84-local | known WGS84 point and origin | round-trip within tolerance | Uses representative coordinates |
 | frame-imu-window | frame timestamp plus IMU samples | correct aligned window | Includes gap metrics |
 | invalid-calibration | missing intrinsics/extrinsics | explicit error | No silent fallback |
 ## Change Log
 | Version | Date | Change | Author |
 |---------|------|--------|--------|
 | 1.0.0 | 2026-05-03 | Initial contract | autodev |
@@ -0,0 +1,56 @@
 # Contract: Runtime Shared Contracts
 **Component**: shared/contracts
 **Producer task**: AZ-220 — AZ-220_shared_runtime_contracts.md
 **Consumer tasks**: AZ-223, AZ-224, AZ-225, AZ-226, AZ-227, AZ-228, AZ-229, AZ-230, AZ-231, AZ-232
 **Version**: 1.0.0
 **Status**: draft
 **Last Updated**: 2026-05-03
 ## Purpose
 Defines the shared runtime DTO/event contract surface that component implementations consume instead of inventing local shapes.
 ## Shape
 | Contract | Required Fields / Methods | Consumers |
 |----------|---------------------------|-----------|
 | `FramePacket` | frame ID, timestamp, image reference, calibration ID, occlusion, quality, normalization hint | camera, VIO, Satellite Service, Anchor Verification, Tile Manager, FDR |
 | `TelemetrySample` | timestamp, IMU, attitude, altitude, airspeed, GPS health | MAVLink, VIO, safety wrapper, FDR |
 | `VioStatePacket` | timestamp, relative pose, velocity, bias, tracking quality, covariance hint | VIO, safety wrapper, FDR |
 | `PositionEstimate` | WGS84 coordinates, covariance, source label, fix type, horizontal accuracy, anchor age | safety wrapper, MAVLink, Tile Manager, FDR |
 | `VprCandidate` | chunk ID, tile ID, score, footprint, freshness status | Satellite Service, Anchor Verification, FDR |
 | `AnchorDecision` | candidate ID, acceptance result, estimated pose, inliers, MRE, rejection reason | Anchor Verification, safety wrapper, FDR |
 | `CacheTileRecord` | tile ID, CRS, meters per pixel, capture date, signature/hash, trust level | Tile Manager, Satellite Service, Anchor Verification |
 | `FdrEvent` | event type, timestamp, component, severity, payload reference, mission/run ID | all runtime components |
 ## Invariants
 - Timestamps are normalized to a shared monotonic nanosecond representation before cross-component use.
 - Confidence fields must not under-report known uncertainty.
 - Raw frame payloads are referenced, not persisted in shared DTOs.
 - Generated tile and anchor records must carry provenance/freshness metadata.
 ## Non-Goals
 - Does not prescribe internal classes or storage implementation.
 - Does not define e2e test runner-only report schemas.
 ## Versioning Rules
 - Removing or renaming a field requires a major version bump.
 - Adding optional telemetry or diagnostic fields requires a minor version bump.
 ## Test Cases
 | Case | Input | Expected | Notes |
 |------|-------|----------|-------|
 | valid-frame | frame with timestamp, calibration, quality | accepted by consumers | Includes normalization hint |
 | invalid-time | non-monotonic timestamp | rejected or marked invalid | Time-sync contract decides details |
 | stale-anchor | anchor decision with stale freshness | rejected/down-confidenced | Safety wrapper must not accept blindly |
 ## Change Log
 | Version | Date | Change | Author |
 |---------|------|--------|--------|
 | 1.0.0 | 2026-05-03 | Initial contract | autodev |
@@ -8,16 +8,16 @@ This model defines system-level runtime, cache, telemetry, and validation data.
 | Entity | Purpose | Storage / Transport | Owner |
 |--------|---------|---------------------|-------|
-| MissionProfile | Operational area, sector type, route shape, altitude band, cache budget | Mission config file | Cache/tile lifecycle |
+| MissionProfile | Operational area, sector type, route shape, altitude band, cache budget | Mission config file | Tile Manager |
 | CameraCalibration | Intrinsics, distortion, lens, fixed extrinsics, capture settings | Versioned calibration file | Camera ingest/calibration |
 | FrameRecord | Per-frame metadata, timestamp, total-occlusion/blackout state, image quality, processing status | PostgreSQL/FDR event; replay fixture | Camera ingest/calibration |
 | TelemetrySample | FC IMU, attitude, altitude, airspeed, GPS health | MAVLink stream; FDR event | MAVLink/GCS integration |
-| VioState | BASALT relative state, velocity, bias, tracking quality | Internal DTO; FDR event | BASALT VIO adapter |
+| VioState | Backend-relative state, velocity, bias, tracking quality | Internal DTO; FDR event | VIO adapter |
 | PositionEstimate | WGS84 output, covariance, source label, anchor age, fix type | MAVLink DTO; FDR event | Safety/anchor wrapper |
-| VprChunk | Retrieval footprint and descriptor metadata | PostgreSQL/PostGIS manifest + descriptor files | Satellite retrieval |
+| VprChunk | Retrieval footprint and descriptor metadata | PostgreSQL/PostGIS manifest + descriptor files | Satellite Service |
 | AnchorCandidate | Top-K retrieval result and local verification metrics | Internal DTO; FDR event | Anchor verification |
-| CacheTile | Service-source or generated COG tile metadata | PostgreSQL/PostGIS manifest + signed JSON sidecar | Cache/tile lifecycle |
+| CacheTile | Service-source or generated COG tile metadata | PostgreSQL/PostGIS manifest + signed JSON sidecar | Tile Manager |
-| GeneratedTile | In-flight tile candidate with trust/provenance metadata | COG + sidecar + FDR event | Cache/tile lifecycle |
+| GeneratedTile | In-flight tile candidate with trust/provenance metadata | COG + sidecar + FDR event | Tile Manager |
 | FdrSegment | Bounded append-only mission evidence segment | PostgreSQL event index + CBOR segment payloads | FDR/observability |
 | ValidationRun | Replay/test run metadata and outcomes | CSV/Markdown/test artifacts | Validation harness |
@@ -3,18 +3,18 @@
 ```mermaid
 flowchart LR
    camera[01 Camera Ingest And Calibration]
-    vio[02 BASALT VIO Adapter]
+    vio[02 VIO Adapter]
    wrapper[03 Safety And Anchor Wrapper]
-    retrieval[04 Satellite Retrieval]
+    retrieval[04 Satellite Service]
    verify[05 Anchor Verification]
-    cache[06 Cache And Tile Lifecycle]
+    cache[06 Tile Manager]
    mav[07 MAVLink And GCS Integration]
    fdr[08 FDR And Observability]
-    tests[09 Validation Harness]
+    tests[[Separate E2E Test Suite]]
    navCam[[Nav Camera]] --> camera
    fc[[ArduPilot Plane FC]] --> mav
-    satSvc[[Satellite Service]] --> cache
+    satSvc[[Azaion Suite Satellite Service]] --> retrieval
    datasets[[Replay/Public Datasets]] --> tests
    camera --> vio
@@ -42,5 +42,5 @@ flowchart LR
    tests --> cache
    mav --> qgc[[QGroundControl]]
    mav --> fc
-    cache --> satSvc
+    retrieval --> satSvc
 ```
@@ -1,18 +1,18 @@
-# Flow: Cache And Generated Tile Lifecycle
+# Flow: Tile Manager And Generated Tile Lifecycle
 ```mermaid
 flowchart TD
-    preflight([Pre-flight cache sync]) --> validate[06 Validate manifest signatures hashes freshness]
+    preflight([Pre-flight Satellite Service sync]) --> validate[06 Tile Manager validates manifest signatures hashes freshness]
    validate --> cacheOk{Cache valid?}
    cacheOk -->|No| block[Block cache usage and report]
-    cacheOk -->|Yes| load[04 Load descriptor metadata and FAISS index]
+    cacheOk -->|Yes| load[04 Satellite Service loads local descriptor metadata and FAISS index]
    load --> flight([Flight runtime])
    flight --> eligibility[03 Tile write eligibility check]
    eligibility --> eligible{Covariance and quality pass?}
    eligible -->|No| noWrite[Do not write generated tile]
-    eligible -->|Yes| write[06 Write COG + signed JSON sidecar]
+    eligible -->|Yes| write[06 Orthorectify frame and write COG + signed JSON sidecar]
    write --> fdr[08 Record tile-write audit]
    fdr --> postflight([Post-flight])
    postflight --> package[06 Package generated tiles + manifest delta]
-    package --> sync[[Satellite Service ingest]]
+    package --> sync[[Post-flight Satellite Service upload]]
 ```
@@ -7,7 +7,7 @@ flowchart TD
    occlusion -->|Yes| imuOnly[03 IMU-only dead_reckoned propagation]
    occlusion -->|No| frameOk{Frame usable for VIO?}
    frameOk -->|No| degrade[03 Safety wrapper degraded mode]
-    frameOk -->|Yes| vio[02 BASALT VIO adapter]
+    frameOk -->|Yes| vio[02 VIO adapter]
    telemetry[07 MAVLink telemetry] --> vio
    vio --> healthy{VIO healthy?}
    healthy -->|Yes| wrap[03 Covariance calibration + source label]
@@ -15,14 +15,14 @@
 | 3 | AZ-208 | Cross-Cutting: Runtime Configuration And Errors | cross-cutting | AZ-206 | S-M / 3-5 pts |
 | 4 | AZ-209 | Camera Ingest And Calibration | component | AZ-206, AZ-207, AZ-208 | M / 5-8 pts |
 | 5 | AZ-210 | MAVLink And GCS Integration | component | AZ-206, AZ-208 | M / 5-8 pts |
-| 6 | AZ-211 | Cache And Tile Lifecycle | component | AZ-206, AZ-207, AZ-208 | L / 8-13 pts |
+| 6 | AZ-211 | Tile Manager | component | AZ-206, AZ-207, AZ-208 | L / 8-13 pts |
 | 7 | AZ-212 | FDR And Observability | component | AZ-206, AZ-208 | M-L / 5-8 pts |
-| 8 | AZ-213 | BASALT VIO Adapter | component | AZ-206, AZ-207, AZ-208, AZ-209, AZ-210 | L / 8-13 pts |
+| 8 | AZ-213 | VIO Adapter | component | AZ-206, AZ-207, AZ-208, AZ-209, AZ-210 | L / 8-13 pts |
-| 9 | AZ-214 | Satellite Retrieval | component | AZ-206, AZ-207, AZ-208, AZ-209, AZ-211 | L / 8-13 pts |
+| 9 | AZ-214 | Satellite Service | component | AZ-206, AZ-207, AZ-208, AZ-209, AZ-211 | L / 8-13 pts |
 | 10 | AZ-215 | Anchor Verification | component | AZ-206, AZ-207, AZ-208, AZ-209, AZ-211, AZ-214 | L / 8-13 pts |
 | 11 | AZ-216 | Safety And Anchor Wrapper | component | AZ-206, AZ-207, AZ-208, AZ-209, AZ-210, AZ-213, AZ-215 | XL / 13-21 pts |
-| 12 | AZ-217 | Validation Harness | component | AZ-206, AZ-207, AZ-208, component epics | L / 8-13 pts |
+| 12 | AZ-217 | E2E Test Suite | test-support | component epics | L / 8-13 pts |
-| 13 | AZ-218 | Blackbox Tests | blackbox-tests | AZ-206, AZ-217, component epics | L / 8-13 pts |
+| 13 | AZ-218 | Blackbox Tests | blackbox-tests | AZ-217, component epics | L / 8-13 pts |
 ## Component Mapping
@@ -33,14 +33,14 @@
 | `common-helpers/02_helper_time_sync.md` | AZ-207 |
 | Runtime config, error contracts, health checks | AZ-208 |
 | `components/01_camera_ingest_calibration/` | AZ-209 |
-| `components/02_basalt_vio_adapter/` | AZ-213 |
+| `components/02_vio_adapter/` | AZ-213 |
 | `components/03_safety_anchor_wrapper/` | AZ-216 |
 | `components/04_satellite_retrieval/` | AZ-214 |
 | `components/05_anchor_verification/` | AZ-215 |
 | `components/06_cache_tile_lifecycle/` | AZ-211 |
 | `components/07_mavlink_gcs_integration/` | AZ-210 |
 | `components/08_fdr_observability/` | AZ-212 |
-| `components/09_validation_harness/` | AZ-217 |
+| `tests/e2e-test-suite.md`, `tests/blackbox-tests.md`, `tests/environment.md` | AZ-217 |
 | System blackbox/performance/resilience/security/resource tests | AZ-218 |
 ## Epic Relationship Diagram
@@ -52,13 +52,13 @@ flowchart TD
    config[AZ-208 Runtime Configuration And Errors]
    camera[AZ-209 Camera Ingest]
    mavlink[AZ-210 MAVLink And GCS]
-    cache[AZ-211 Cache And Tile Lifecycle]
+    cache[AZ-211 Tile Manager]
    fdr[AZ-212 FDR And Observability]
-    vio[AZ-213 BASALT VIO Adapter]
+    vio[AZ-213 VIO Adapter]
-    retrieval[AZ-214 Satellite Retrieval]
+    retrieval[AZ-214 Satellite Service]
    anchor[AZ-215 Anchor Verification]
    safety[AZ-216 Safety And Anchor Wrapper]
-    validation[AZ-217 Validation Harness]
+    validation[AZ-217 E2E Test Suite]
    blackbox[AZ-218 Blackbox Tests]
    bootstrap --> geo
@@ -96,9 +96,14 @@ flowchart TD
    safety --> fdr
    camera --> fdr
    cache --> fdr
    validation --> blackbox
    safety --> validation
    fdr --> validation
    camera --> validation
    mavlink --> validation
    retrieval --> validation
    anchor --> validation
    cache --> validation
    validation --> blackbox
 ```
 ## Cross-Cutting Ownership
@@ -117,13 +122,13 @@ flowchart TD
 - AZ-208 — Cross-Cutting: Runtime Configuration And Errors
 - AZ-209 — Camera Ingest And Calibration
 - AZ-210 — MAVLink And GCS Integration
- AZ-211 — Cache And Tile Lifecycle
+- AZ-211 — Tile Manager
 - AZ-212 — FDR And Observability
- AZ-213 — BASALT VIO Adapter
+- AZ-213 — VIO Adapter
- AZ-214 — Satellite Retrieval
+- AZ-214 — Satellite Service
 - AZ-215 — Anchor Verification
 - AZ-216 — Safety And Anchor Wrapper
- AZ-217 — Validation Harness
+- AZ-217 — E2E Test Suite
 - AZ-218 — Blackbox Tests
 ## Tracker Notes
@@ -0,0 +1,243 @@
 # Module Layout
 **Language**: mixed (Python orchestration + C++ native vision bridges)
 **Layout Convention**: src-layout
 **Root**: `src/`
 **Last Updated**: 2026-05-03
 ## Layout Rules
 1. Each product component owns one top-level directory under `src/`.
 2. Shared contracts and cross-cutting helpers live under `src/shared/`.
 3. Native hot-path or third-party bridge code lives inside the owning component folder under `native/`.
 4. Public API surface per component is limited to `__init__.py`, `types.py`, and `interfaces.py` unless a component entry lists another public file.
 5. Tests live under `tests/` by test type and component; implementation tasks must not place tests inside the component tree unless a later test task explicitly changes this layout.
 ## Per-Component Mapping
 ### Component: Camera Ingest And Calibration
 - **Epic**: AZ-209
 - **Directory**: `src/camera_ingest_calibration/`
 - **Technologies**: Python, OpenCV 4.x, camera SDK/V4L2/GigE adapter boundary, calibration files, shared geometry/time helpers
 - **Public API**:
  - `src/camera_ingest_calibration/__init__.py`
  - `src/camera_ingest_calibration/types.py`
  - `src/camera_ingest_calibration/interfaces.py`
 - **Internal (do NOT import from other components)**:
  - `src/camera_ingest_calibration/internal/*`
  - `src/camera_ingest_calibration/_*.py`
 - **Owns (exclusive write during implementation)**: `src/camera_ingest_calibration/**`
 - **Imports from**: shared/contracts, shared/geo_geometry, shared/time_sync, shared/config, shared/errors, shared/telemetry
 - **Consumed by**: VIO Adapter, Satellite Service, Anchor Verification, Tile Manager, FDR And Observability
 ### Component: VIO Adapter
 - **Epic**: AZ-213
 - **Directory**: `src/vio_adapter/`
 - **Native Directory**: `src/vio_adapter/native/`
 - **Technologies**: Python adapter, C++ native bridge, BASALT as current backend, Eigen/Sophus or backend-native math stack, OpenCV 4.x, shared time-sync contracts
 - **Public API**:
  - `src/vio_adapter/__init__.py`
  - `src/vio_adapter/types.py`
  - `src/vio_adapter/interfaces.py`
 - **Internal (do NOT import from other components)**:
  - `src/vio_adapter/internal/*`
  - `src/vio_adapter/_*.py`
  - `src/vio_adapter/native/**`
 - **Owns (exclusive write during implementation)**:
  - `src/vio_adapter/**`
 - **Imports from**: Camera Ingest And Calibration, MAVLink And GCS Integration, shared/contracts, shared/geo_geometry, shared/time_sync, shared/config, shared/errors, shared/telemetry
 - **Consumed by**: Safety And Anchor Wrapper, FDR And Observability
 ### Component: Safety And Anchor Wrapper
 - **Epic**: AZ-216
 - **Directory**: `src/safety_anchor_wrapper/`
 - **Technologies**: Python state machine, OpenCV geometry helpers, covariance/gating logic, shared DTO contracts, MAVLink output DTOs
 - **Public API**:
  - `src/safety_anchor_wrapper/__init__.py`
  - `src/safety_anchor_wrapper/types.py`
  - `src/safety_anchor_wrapper/interfaces.py`
 - **Internal (do NOT import from other components)**:
  - `src/safety_anchor_wrapper/internal/*`
  - `src/safety_anchor_wrapper/_*.py`
 - **Owns (exclusive write during implementation)**: `src/safety_anchor_wrapper/**`
 - **Imports from**: VIO Adapter, Anchor Verification, MAVLink And GCS Integration, Camera Ingest And Calibration, shared/contracts, shared/geo_geometry, shared/time_sync, shared/config, shared/errors, shared/telemetry
 - **Consumed by**: MAVLink And GCS Integration, Tile Manager, FDR And Observability
 ### Component: Satellite Service
 - **Epic**: AZ-214
 - **Directory**: `src/satellite_service/`
 - **Native Directory**: `src/satellite_service/native/`
 - **Technologies**: Python service adapter, DINOv2-VLAD descriptors, ONNX/TensorRT candidate path, CPU FAISS, offline package sync client
 - **Public API**:
  - `src/satellite_service/__init__.py`
  - `src/satellite_service/types.py`
  - `src/satellite_service/interfaces.py`
 - **Internal (do NOT import from other components)**:
  - `src/satellite_service/internal/*`
  - `src/satellite_service/_*.py`
  - `src/satellite_service/native/**`
 - **Owns (exclusive write during implementation)**:
  - `src/satellite_service/**`
 - **Imports from**: Camera Ingest And Calibration, Tile Manager, Safety And Anchor Wrapper, shared/contracts, shared/geo_geometry, shared/time_sync, shared/config, shared/errors, shared/telemetry
 - **Consumed by**: Anchor Verification, FDR And Observability
 - **Network invariant**: external Satellite Service sync is allowed only pre-flight or post-flight; no mid-flight satellite-provider or suite-service calls.
 ### Component: Anchor Verification
 - **Epic**: AZ-215
 - **Directory**: `src/anchor_verification/`
 - **Native Directory**: `src/anchor_verification/native/`
 - **Technologies**: Python validation pipeline, ALIKED/DISK + LightGlue, OpenCV RANSAC/USAC, SIFT/ORB baseline, native feature-matching bridge
 - **Public API**:
  - `src/anchor_verification/__init__.py`
  - `src/anchor_verification/types.py`
  - `src/anchor_verification/interfaces.py`
 - **Internal (do NOT import from other components)**:
  - `src/anchor_verification/internal/*`
  - `src/anchor_verification/_*.py`
  - `src/anchor_verification/native/**`
 - **Owns (exclusive write during implementation)**:
  - `src/anchor_verification/**`
 - **Imports from**: Satellite Service, Camera Ingest And Calibration, Tile Manager, shared/contracts, shared/geo_geometry, shared/time_sync, shared/config, shared/errors, shared/telemetry
 - **Consumed by**: Safety And Anchor Wrapper, FDR And Observability
 ### Component: Tile Manager
 - **Epic**: AZ-211
 - **Directory**: `src/tile_manager/`
 - **Technologies**: Python repository/policy layer, PostgreSQL/PostGIS, GDAL/rasterio COG handling, signed JSON sidecars, OpenCV/GDAL orthorectification, hash/signature validation
 - **Public API**:
  - `src/tile_manager/__init__.py`
  - `src/tile_manager/types.py`
  - `src/tile_manager/interfaces.py`
 - **Internal (do NOT import from other components)**:
  - `src/tile_manager/internal/*`
  - `src/tile_manager/_*.py`
 - **Owns (exclusive write during implementation)**:
  - `src/tile_manager/**`
  - `migrations/postgresql/cache_*.sql`
  - `migrations/seed/cache_*`
 - **Imports from**: Camera Ingest And Calibration, Safety And Anchor Wrapper, shared/contracts, shared/geo_geometry, shared/time_sync, shared/config, shared/errors, shared/telemetry
 - **Consumed by**: Satellite Service, Anchor Verification, FDR And Observability
 ### Component: MAVLink And GCS Integration
 - **Epic**: AZ-210
 - **Directory**: `src/mavlink_gcs_integration/`
 - **Technologies**: Python, MAVSDK telemetry subscriptions, pymavlink `GPS_INPUT` emission, MAVLink/QGC status messages
 - **Public API**:
  - `src/mavlink_gcs_integration/__init__.py`
  - `src/mavlink_gcs_integration/types.py`
  - `src/mavlink_gcs_integration/interfaces.py`
 - **Internal (do NOT import from other components)**:
  - `src/mavlink_gcs_integration/internal/*`
  - `src/mavlink_gcs_integration/_*.py`
 - **Owns (exclusive write during implementation)**: `src/mavlink_gcs_integration/**`
 - **Imports from**: Safety And Anchor Wrapper, shared/contracts, shared/time_sync, shared/config, shared/errors, shared/telemetry
 - **Consumed by**: VIO Adapter, Safety And Anchor Wrapper, FDR And Observability
 ### Component: FDR And Observability
 - **Epic**: AZ-212
 - **Directory**: `src/fdr_observability/`
 - **Technologies**: Python append/export layer, PostgreSQL event index, CBOR segment payloads, optional Parquet export, structured logging/health events
 - **Public API**:
  - `src/fdr_observability/__init__.py`
  - `src/fdr_observability/types.py`
  - `src/fdr_observability/interfaces.py`
 - **Internal (do NOT import from other components)**:
  - `src/fdr_observability/internal/*`
  - `src/fdr_observability/_*.py`
 - **Owns (exclusive write during implementation)**:
  - `src/fdr_observability/**`
  - `migrations/postgresql/fdr_*.sql`
  - `migrations/seed/fdr_*`
 - **Imports from**: shared/contracts, shared/time_sync, shared/config, shared/errors, shared/telemetry
 - **Consumed by**: all runtime components
 ## Shared / Cross-Cutting
 ### shared/contracts
 - **Epic**: AZ-206
 - **Directory**: `src/shared/contracts/`
 - **Technologies**: Python typed DTOs, schema/contract definitions, Markdown API-contract documents
 - **Purpose**: Shared DTOs, protocol shapes, schemas, and public contract exports.
 - **Owned by**: initial structure and shared-contract tasks under AZ-206.
 - **Consumed by**: all components.
 ### shared/geo_geometry
 - **Epic**: AZ-207
 - **Directory**: `src/shared/geo_geometry/`
 - **Technologies**: Python geometry utilities, OpenCV 4.x, WGS84/local-frame math, homography/covariance conversions
 - **Purpose**: WGS84/local conversions, GSD, camera footprint projection, homography/covariance unit conversion, and distance calculations.
 - **Owned by**: shared geometry task under AZ-207.
 - **Consumed by**: Camera Ingest And Calibration, Safety And Anchor Wrapper, Anchor Verification, Tile Manager.
 ### shared/time_sync
 - **Epic**: AZ-207
 - **Directory**: `src/shared/time_sync/`
 - **Technologies**: Python timestamp utilities, monotonic-clock validation, MAVLink/camera timestamp normalization, replay ordering checks
 - **Purpose**: Monotonic timestamp checks, frame-to-IMU alignment, clock-domain metadata, replay ordering, and gap/jitter metrics.
 - **Owned by**: time-sync task under AZ-207.
 - **Consumed by**: Camera Ingest And Calibration, VIO Adapter, MAVLink And GCS Integration, FDR And Observability.
 ### shared/config
 - **Epic**: AZ-208
 - **Directory**: `src/shared/config/`
 - **Technologies**: Python configuration loader, environment variables, `.env.example`, startup readiness validation
 - **Purpose**: Runtime profile loading, environment validation, typed settings, and startup readiness inputs.
 - **Owned by**: runtime configuration task under AZ-208.
 - **Consumed by**: all runtime components.
 ### shared/errors
 - **Epic**: AZ-208
 - **Directory**: `src/shared/errors/`
 - **Technologies**: Python exception/result envelope types, shared error categories, fail-fast helpers
 - **Purpose**: Error categories, result envelopes, fail-fast helpers, and non-silent exception contracts.
 - **Owned by**: runtime error contract task under AZ-208.
 - **Consumed by**: all components.
 ### shared/telemetry
 - **Epic**: AZ-208
 - **Directory**: `src/shared/telemetry/`
 - **Technologies**: Python structured logging, metrics labels, health event DTOs, FDR-safe telemetry metadata
 - **Purpose**: Structured logging, metrics labels, health event shapes, and FDR-safe event metadata helpers.
 - **Owned by**: observability/config contract task under AZ-208.
 - **Consumed by**: all components.
 ## Allowed Dependencies (layering)
 Read top-to-bottom; an upper layer may import from a lower layer but never the reverse.
 | Layer | Components | May import from |
 |-------|------------|-----------------|
 | 4. Runtime Output / Coordination | Safety And Anchor Wrapper, MAVLink And GCS Integration, FDR And Observability | 1, 2, 3 public interfaces |
 | 3. Perception / Satellite Anchor | VIO Adapter, Satellite Service, Anchor Verification | 1, 2 public interfaces |
 | 2. Data Ingest / Persistence | Camera Ingest And Calibration, Tile Manager | 1 |
 | 1. Shared / Foundation | shared/contracts, shared/geo_geometry, shared/time_sync, shared/config, shared/errors, shared/telemetry | none |
 Violations of this table are Architecture findings in code-review Phase 7 and are High severity.
 ## Out-of-Product E2E Test Suite
 The e2e replay/SITL/Jetson validation suite is not a product component and must not receive Step 6 product implementation tasks. It owns test-support artifacts under `tests/blackbox/**`, `tests/e2e/**`, `e2e/replay/**`, and `e2e/reports/**`, and it exercises the runtime only through public file, MAVLink, cache, status, and FDR interfaces.
 - **Technologies**: Python, pytest-style runner, Docker/compose, pymavlink/log parser, ArduPilot Plane SITL, QGC observer/log parser, CSV/Markdown reports
 ## Self-Verification
 - Every runtime component under `_docs/02_document/components/` has a mapping entry.
 - Cross-cutting epics AZ-206, AZ-207, and AZ-208 have shared ownership entries.
 - Layering covers all components and keeps shared code at the bottom.
 - Component-owned paths do not overlap; native bridge paths live inside the component that owns them.
 - Paths follow the project `src/` layout already confirmed by `AZ-219_initial_structure`.
@@ -4,12 +4,12 @@
 | Check | Result | Notes |
 |-------|--------|-------|
-| Single Responsibility | Pass | Components each own one primary concern: ingest, VIO, safety, retrieval, verification, cache, MAVLink, FDR, validation |
+| Single Responsibility | Pass | Components each own one primary concern: ingest, VIO, safety, Satellite Service sync/retrieval, verification, Tile Manager storage/generation, MAVLink, FDR, validation |
 | Dumb Code / Smart Data | Pass | Complex behavior is mostly expressed through DTOs, mode labels, covariance fields, manifests, and gates |
-| Interface Consistency | Pass with fix | Safety wrapper no longer directly depends on cache lifecycle for anchor acceptance; cache freshness/provenance travels through `AnchorDecision` |
+| Interface Consistency | Pass with fix | Safety wrapper no longer directly depends on Tile Manager for anchor acceptance; cache freshness/provenance travels through `AnchorDecision` |
 | Circular Dependencies | Pass with caution | Runtime flow is acyclic at component ownership level; MAVLink remains a bidirectional protocol adapter but owns no localization policy |
 | Missing Interactions | Pass | Pre-VIO occlusion, IMU-only blackout, relocalization, tile writes, FDR, and SITL validation are all represented |
-| Security Considerations | Pass | Signed cache sidecars, source/system ID checks, spoofing rejection, and no in-flight satellite-provider access are covered |
+| Security Considerations | Pass | Signed cache sidecars, source/system ID checks, spoofing rejection, and no in-flight satellite-provider or Satellite Service access are covered |
 | Performance Bottlenecks | Pass | Jetson latency, VPR/local matching, FDR append pressure, PostgreSQL availability, and thermal limits are identified |
 | API Contracts | Pass | Core DTO handoffs are documented: `FramePacket`, `VioStatePacket`, `AnchorDecision`, `PositionEstimate`, `FdrEvent` |
@@ -35,13 +35,13 @@
 | ID | Risk | Category | Probability | Impact | Score | Mitigation | Owner | Status |
 |----|------|----------|-------------|--------|-------|------------|-------|--------|
 | R01 | ADTi 20MP 20L V1 public specs conflict with planning assumptions for resolution, FPS, lens, interface, and temperature | Technical / External | Medium | High | High | Pin manufacturer datasheet and exact lens/interface before implementation; make camera calibration/spec task a bootstrap blocker | Camera ingest/calibration | Mitigated by gate |
-| R02 | BASALT may underperform or lose tracking on nadir fixed-wing low-parallax terrain | Technical | Medium | High | High | Public replay with MUN-FRL/ALTO/Kagaru/EPFL where applicable, representative target replay, OpenVINS reference comparison, Kimera backup path | BASALT VIO adapter | Mitigated by validation |
+| R02 | BASALT may underperform or lose tracking on nadir fixed-wing low-parallax terrain | Technical | Medium | High | High | Public replay with MUN-FRL/ALTO/Kagaru/EPFL where applicable, representative target replay, OpenVINS reference comparison, Kimera backup path | VIO adapter | Mitigated by validation |
 | R03 | BASALT confidence/covariance may under-report real error | Safety | Medium | High | High | Wrapper owns covariance calibration; compare against ground truth, satellite residuals, and OpenVINS reference; never emit optimistic `horiz_accuracy` | Safety/anchor wrapper | Mitigated by wrapper design |
 | R04 | Total occlusion detector may false-negative and feed unusable frames into VIO | Safety / Technical | Medium | High | High | Conservative pre-VIO occlusion gate, FDR status, tests for total blackout, and fallback to IMU-only `dead_reckoned` mode | Camera ingest/calibration | Mitigated by spec/test |
 | R05 | IMU-only blackout propagation could be trusted too long | Safety | Medium | High | High | Monotonic covariance growth, `dead_reckoned` label, `fix_type=0`/`horiz_accuracy=999.0` when >30 s or covariance >500 m | Safety/anchor wrapper | Mitigated by AC gate |
-| R06 | DINOv2-VLAD + ALIKED/DISK-LightGlue exceeds Jetson latency/memory budget | Performance | Medium | High | High | Trigger-only execution, CPU FAISS first, top-K caps, model profiling, TensorRT only after fidelity checks | Satellite retrieval / Anchor verification | Mitigated by profiling gates |
+| R06 | DINOv2-VLAD + ALIKED/DISK-LightGlue exceeds Jetson latency/memory budget | Performance | Medium | High | High | Trigger-only execution, CPU FAISS first, top-K caps, model profiling, TensorRT only after fidelity checks | Satellite Service / Anchor verification | Mitigated by profiling gates |
-| R07 | PostgreSQL/PostGIS local DB is unavailable or too heavy for onboard runtime | Technical / Operational | Medium | High | High | Run local onboard PostgreSQL, health-check before flight, keep large payloads in files, fail mission cache validation if DB unavailable | Cache lifecycle / FDR | Mitigated by deployment gates |
+| R07 | PostgreSQL/PostGIS local DB is unavailable or too heavy for onboard runtime | Technical / Operational | Medium | High | High | Run local onboard PostgreSQL, health-check before flight, keep large payloads in files, fail mission cache validation if DB unavailable | Tile Manager / FDR | Mitigated by deployment gates |
-| R08 | Generated tile cache poisoning corrupts future anchors | Security / Safety | Low | High | Medium | Sigma gate, provenance sidecars, post-flight Satellite Service voting, no direct promotion to trusted basemap | Cache/tile lifecycle | Mitigated by policy |
+| R08 | Generated tile cache poisoning corrupts future anchors | Security / Safety | Low | High | Medium | Sigma gate, provenance sidecars, post-flight Satellite Service voting, no direct promotion to trusted basemap | Tile Manager | Mitigated by policy |
 | R09 | Public datasets do not cover final target terrain or commercial license needs | External / Schedule | Medium | Medium | Medium | Use public data for de-risking only; representative synchronized target data remains mandatory for acceptance | Validation harness | Mitigated by acceptance rule |
 | R10 | MAVLink `GPS_INPUT` parameters or Plane behavior differs from assumptions | Integration | Medium | High | High | Plane SITL release gate with production parameters, spoofing/failsafe tests, raw field validation with pymavlink | MAVLink/GCS integration | Mitigated by SITL gate |
 | R11 | FDR appends or PostgreSQL indexing interferes with hot-path latency | Performance | Medium | Medium | Medium | Append asynchronously, use CBOR payload segments for high-volume data, keep PostgreSQL as event index/query surface | FDR/observability | Mitigated by design |
@@ -55,7 +55,7 @@
 **Trigger conditions**: Manufacturer documentation or hardware testing contradicts assumed FPS, interface, temperature, or lens characteristics.
-**Affected components**: Camera ingest/calibration, BASALT VIO adapter, validation harness, deployment procedures.
+**Affected components**: Camera ingest/calibration, VIO adapter, separate e2e test suite, deployment procedures.
 **Mitigation strategy**:
 1. Make camera specification verification a bootstrap task.
@@ -76,7 +76,7 @@
 **Trigger conditions**: Public or representative replay shows high drift, frequent tracking loss, or poor initialization.
-**Affected components**: BASALT VIO adapter, safety/anchor wrapper, validation harness.
+**Affected components**: VIO adapter, safety/anchor wrapper, separate e2e test suite.
 **Mitigation strategy**:
 1. Run MUN-FRL first for synchronized nadir camera + IMU + ground truth.
@@ -87,7 +87,7 @@
 **Residual risk after mitigation**: Medium.
-**Documents updated**: `architecture.md`, `components/02_basalt_vio_adapter/description.md`, `tests/test-data.md`.
+**Documents updated**: `architecture.md`, `components/02_vio_adapter/description.md`, `tests/test-data.md`.
 ---
@@ -118,7 +118,7 @@
 **Trigger conditions**: Lens cover, cloud/whiteout, decode failure, underexposure/overexposure, or textureless frame reaches VIO as usable.
-**Affected components**: Camera ingest/calibration, safety/anchor wrapper, BASALT VIO adapter.
+**Affected components**: Camera ingest/calibration, safety/anchor wrapper, VIO adapter.
 **Mitigation strategy**:
 1. Camera ingest exposes `OcclusionReport` and sets `usable_for_vio=false` for total occlusion/blackout.
@@ -160,7 +160,7 @@
 **Trigger conditions**: Relocalization exceeds p95 latency, memory budget, or causes thermal throttling.
-**Affected components**: Satellite retrieval, anchor verification, validation harness.
+**Affected components**: Satellite Service, anchor verification, separate e2e test suite.
 **Mitigation strategy**:
 1. Keep VPR/local matching trigger-based.
@@ -181,7 +181,7 @@
 **Trigger conditions**: Local DB does not start, DB files corrupt, DB consumes too much memory/I/O, or migrations fail.
-**Affected components**: Cache/tile lifecycle, FDR/observability, deployment procedures.
+**Affected components**: Tile Manager, FDR/observability, deployment procedures.
 **Mitigation strategy**:
 1. Require local onboard PostgreSQL health check before flight.
@@ -202,7 +202,7 @@
 **Trigger conditions**: Generated tile is promoted despite high parent covariance, stale source, bad sidecar, or inconsistent overlap voting.
-**Affected components**: Cache/tile lifecycle, safety/anchor wrapper, Satellite Service integration.
+**Affected components**: Tile Manager, safety/anchor wrapper, Satellite Service integration.
 **Mitigation strategy**:
 1. Require tile-write sigma gates.
@@ -223,7 +223,7 @@
 **Trigger conditions**: MUN-FRL/ALTO/Kagaru/EPFL slices are unavailable, unrepresentative, or license-incompatible for acceptance.
-**Affected components**: Validation harness, BASALT VIO adapter, anchor verification.
+**Affected components**: Validation harness, VIO adapter, anchor verification.
 **Mitigation strategy**:
 1. Use public datasets for de-risking only.
@@ -244,7 +244,7 @@
 **Trigger conditions**: Plane SITL rejects or mishandles emitted `GPS_INPUT`, or QGC status is insufficient.
-**Affected components**: MAVLink/GCS integration, safety/anchor wrapper, validation harness.
+**Affected components**: MAVLink/GCS integration, safety/anchor wrapper, separate e2e test suite.
 **Mitigation strategy**:
 1. Use pymavlink for exact `GPS_INPUT` field control.
@@ -262,7 +262,7 @@
 | Risk ID | Document Modified | Change Description |
 |---------|-------------------|--------------------|
 | R04 | `components/01_camera_ingest_calibration/description.md` | Added explicit `detect_occlusion`, `OcclusionReport`, and pre-VIO bypass behavior |
-| R04/R05 | `components/03_safety_anchor_wrapper/description.md` | Added `propagate_imu_only`, `total_occlusion`, monotonic covariance behavior, and no direct cache lifecycle dependency |
+| R04/R05 | `components/03_safety_anchor_wrapper/description.md` | Added `propagate_imu_only`, `total_occlusion`, monotonic covariance behavior, and no direct Tile Manager dependency |
 | R07 | `data_model.md` | Replaced embedded DB references with PostgreSQL/PostGIS structured metadata and CBOR FDR payload segments |
 | R07 | `architecture.md` | Added PostgreSQL/PostGIS ADR and FDR storage decision |
 | R05 | `tests/blackbox-tests.md` / `tests/resilience-tests.md` | Made total occlusion and IMU-only blackout behavior explicit |
@@ -4,19 +4,19 @@
 | # | Flow Name | Trigger | Primary Components | Criticality |
 |---|-----------|---------|--------------------|-------------|
-| F1 | Pre-flight cache preparation | Operator sync before mission | Satellite Service, cache/tile lifecycle, satellite retrieval | High |
+| F1 | Pre-flight cache preparation | Operator sync before mission | Satellite Service, Tile Manager | High |
-| F2 | Normal frame processing | Navigation frame + FC telemetry | Camera ingest, BASALT VIO adapter, safety/anchor wrapper, MAVLink, FDR | High |
+| F2 | Normal frame processing | Navigation frame + FC telemetry | Camera ingest, VIO adapter, safety/anchor wrapper, MAVLink, FDR | High |
-| F3 | Satellite relocalization | Cold start, VO failure, sharp turn, covariance growth, stale anchor | Satellite retrieval, anchor verification, safety/anchor wrapper | High |
+| F3 | Satellite relocalization | Cold start, VO failure, sharp turn, covariance growth, stale anchor | Satellite Service, anchor verification, safety/anchor wrapper | High |
 | F4 | Visual blackout / spoofing degraded mode | Image-quality failure and GPS health failure | Camera ingest, MAVLink telemetry, safety/anchor wrapper, QGC, FDR | Critical |
-| F5 | Generated tile lifecycle | High-confidence pose + usable frame | Camera ingest, safety/anchor wrapper, cache/tile lifecycle, FDR | Medium |
+| F5 | Generated tile lifecycle | High-confidence pose + usable frame | Camera ingest, safety/anchor wrapper, Tile Manager, FDR | Medium |
-| F6 | Post-flight sync and audit | Landing / operator offload | Cache/tile lifecycle, Satellite Service, FDR | Medium |
+| F6 | Post-flight sync and audit | Landing / operator offload | Tile Manager, Satellite Service, FDR | Medium |
-| F7 | Validation replay | Test harness invocation | Validation harness, system runtime, public datasets, SITL | High |
+| F7 | E2E validation replay | Test-suite invocation | Separate e2e test suite, system runtime, public datasets, SITL | High |
 ## Flow Dependencies
 | Flow | Depends On | Shares Data With |
 |------|------------|------------------|
-| F1 | Satellite Service cache export | F2, F3, F5 |
+| F1 | Satellite Service cache export and Tile Manager validation | F2, F3, F5 |
 | F2 | F1 for cache availability; FC telemetry | F3, F4, F5, FDR |
 | F3 | F1 cache/index; F2 state estimate | F2, F5 |
 | F4 | F2 telemetry and quality signals | F2, QGC/FDR |
@@ -30,7 +30,7 @@
 ### Description
-Before flight, the Satellite Service provides an offline cache for the operational area, including COG tiles, manifests, sidecars, VPR chunks, descriptors, and FAISS index files.
+Before flight, the Satellite Service imports an offline cache package for the operational area, including COG tiles, manifests, sidecars, VPR chunks, descriptors, and FAISS index files. No Satellite Service or satellite-provider calls are allowed during flight.
 ### Preconditions
@@ -44,23 +44,22 @@ Before flight, the Satellite Service provides an offline cache for the operation
 sequenceDiagram
    participant Operator
    participant SatelliteService
-    participant CacheLifecycle
+    participant TileManager
    participant SatelliteRetrieval
    Operator->>SatelliteService: Request mission cache
-    SatelliteService-->>CacheLifecycle: COG tiles + manifests + sidecars
+    SatelliteService-->>TileManager: COG tiles + manifests + sidecars
-    CacheLifecycle->>CacheLifecycle: Verify signatures, hashes, freshness, resolution
+    TileManager->>TileManager: Verify signatures, hashes, freshness, resolution
-    CacheLifecycle->>SatelliteRetrieval: Load VPR chunks + FAISS index
+    TileManager-->>SatelliteService: Local cache/index ready
-    CacheLifecycle-->>Operator: Cache validation report
+    TileManager-->>Operator: Cache validation report
 ```
 ### Data Flow
 | Step | From | To | Data | Format |
 |------|------|----|------|--------|
-| 1 | Satellite Service | Cache lifecycle | Tiles and metadata | COG + PostgreSQL/PostGIS manifest + signed JSON sidecars |
+| 1 | Satellite Service | Tile Manager | Tiles and metadata | COG + PostgreSQL/PostGIS manifest + signed JSON sidecars |
-| 2 | Cache lifecycle | Satellite retrieval | Descriptor/index files | FAISS index + descriptor sidecars |
+| 2 | Tile Manager | Satellite Service | Descriptor/index readiness | FAISS index + descriptor sidecars |
-| 3 | Cache lifecycle | Operator/FDR | Validation report | Markdown/CSV/log |
+| 3 | Tile Manager | Operator/FDR | Validation report | Markdown/CSV/log |
 ### Error Scenarios
@@ -74,7 +73,7 @@ sequenceDiagram
 | Metric | Target | Notes |
 |--------|--------|-------|
-| Runtime network calls | 0 | No in-flight provider calls |
+| Runtime network calls | 0 | No in-flight Satellite Service or provider calls |
 | Cache load | Within cold-start budget contribution | Exact threshold set during implementation |
 ---
@@ -83,12 +82,12 @@ sequenceDiagram
 ### Description
-During normal flight, the system processes each navigation frame and FC telemetry sample. The camera component first checks for total occlusion/blackout. Usable frames go to BASALT VIO; total-occlusion frames bypass VIO and send the wrapper into IMU-only degraded propagation.
+During normal flight, the system processes each navigation frame and FC telemetry sample. The camera component first checks for total occlusion/blackout. Usable frames go to the VIO adapter; total-occlusion frames bypass VIO and send the wrapper into IMU-only degraded propagation.
 ### Preconditions
 - Camera calibration/extrinsics are loaded.
- BASALT and wrapper are initialized.
+- VIO adapter and wrapper are initialized.
 - FC telemetry stream is healthy.
 ### Sequence Diagram
@@ -116,9 +115,9 @@ sequenceDiagram
 | Step | From | To | Data | Format |
 |------|------|----|------|--------|
-| 1 | Camera ingest | BASALT adapter or safety wrapper | Frame metadata, image, occlusion status | Frame DTO / DegradationSignal |
+| 1 | Camera ingest | VIO adapter or safety wrapper | Frame metadata, image, occlusion status | Frame DTO / DegradationSignal |
-| 2 | FC telemetry | BASALT adapter | IMU/attitude/altitude | MAVLink-derived telemetry DTO |
+| 2 | FC telemetry | VIO adapter | IMU/attitude/altitude | MAVLink-derived telemetry DTO |
-| 3 | BASALT adapter | Safety wrapper | Relative VIO state | VioState DTO |
+| 3 | VIO adapter | Safety wrapper | Relative VIO state | VioState DTO |
 | 4 | Safety wrapper | MAVLink output | WGS84 estimate | `GPS_INPUT` |
 | 5 | Safety wrapper | FDR | Inputs/outputs/audit | FDR segment event |
@@ -126,9 +125,9 @@ sequenceDiagram
 | Error | Where | Detection | Recovery |
 |-------|-------|-----------|----------|
-| Total occlusion / blackout | Camera ingest | Occlusion status, exposure/texture/decode checks | Bypass BASALT, enter IMU-only `dead_reckoned` propagation |
+| Total occlusion / blackout | Camera ingest | Occlusion status, exposure/texture/decode checks | Bypass VIO, enter IMU-only `dead_reckoned` propagation |
-| Frame unreadable | Camera ingest | Decode/quality failure | Mark visual signal degraded and bypass BASALT for that frame |
+| Frame unreadable | Camera ingest | Decode/quality failure | Mark visual signal degraded and bypass VIO for that frame |
-| VIO quality low | BASALT adapter | Tracking/completion metrics | Trigger relocalization or dead reckoning |
+| VIO quality low | VIO adapter | Tracking/completion metrics | Trigger relocalization or dead reckoning |
 | Covariance grows | Safety wrapper | Covariance threshold | Degrade fix type/source label |
 ### Performance Expectations
@@ -157,14 +156,14 @@ When the state becomes uncertain or disconnected, the system retrieves satellite
 ```mermaid
 sequenceDiagram
    participant SafetyWrapper
-    participant SatelliteRetrieval
+    participant SatelliteService
    participant AnchorVerification
-    participant CacheLifecycle
+    participant TileManager
    participant FDR
-    SafetyWrapper->>SatelliteRetrieval: Relocalization request
+    SafetyWrapper->>SatelliteService: Relocalization request
-    SatelliteRetrieval->>CacheLifecycle: Read candidate chunk metadata
+    SatelliteService->>TileManager: Read candidate chunk metadata
-    SatelliteRetrieval-->>AnchorVerification: Top-K candidates
+    SatelliteService-->>AnchorVerification: Top-K candidates
    AnchorVerification->>AnchorVerification: ALIKED/DISK+LightGlue + RANSAC
    AnchorVerification-->>SafetyWrapper: Accepted/rejected anchor
    SafetyWrapper->>SafetyWrapper: Mahalanobis + freshness + provenance gates
@@ -175,8 +174,8 @@ sequenceDiagram
 | Step | From | To | Data | Format |
 |------|------|----|------|--------|
-| 1 | Safety wrapper | Satellite retrieval | Query frame and prior/covariance | Relocalization DTO |
+| 1 | Safety wrapper | Satellite Service | Query frame and prior/covariance | Relocalization DTO |
-| 2 | Satellite retrieval | Anchor verification | Top-K chunks | Candidate list |
+| 2 | Satellite Service | Anchor verification | Top-K chunks from local cache/index | Candidate list |
 | 3 | Anchor verification | Safety wrapper | MRE, inliers, homography, provenance | AnchorDecision DTO |
 ### Error Scenarios
@@ -184,7 +183,7 @@ sequenceDiagram
 | Error | Where | Detection | Recovery |
 |-------|-------|-----------|----------|
 | No good candidate | Retrieval/verification | Low score or failed RANSAC | Continue degraded and request GCS hint after threshold |
-| Stale candidate | Cache lifecycle | Capture date gate | Reject/down-confidence |
+| Stale candidate | Tile Manager | Capture date gate | Reject/down-confidence |
 | Implausible anchor | Safety wrapper | Mahalanobis/impossible velocity gate | Reject and log |
 ### Performance Expectations
@@ -259,17 +258,17 @@ When pose confidence is strong enough, the system orthorectifies navigation imag
 | Step | From | To | Data | Format |
 |------|------|----|------|--------|
-| 1 | Safety wrapper | Cache lifecycle | Pose/covariance + frame metadata | TileGenerationRequest |
+| 1 | Safety wrapper | Tile Manager | Pose/covariance + frame metadata | TileGenerationRequest |
-| 2 | Cache lifecycle | Local storage | Generated COG + sidecar | COG + signed JSON |
+| 2 | Tile Manager | Local storage | Orthorectified generated COG + sidecar | COG + signed JSON |
-| 3 | Cache lifecycle | FDR | Tile write event | FDR event |
+| 3 | Tile Manager | FDR | Tile write event | FDR event |
 ### Error Scenarios
 | Error | Where | Detection | Recovery |
 |-------|-------|-----------|----------|
 | Parent covariance too high | Safety wrapper | Sigma gate | Do not write tile |
-| Duplicate sector | Cache lifecycle | Spatial deduplication | Keep latest/highest-quality tile |
+| Duplicate sector | Tile Manager | Spatial deduplication | Keep latest/highest-quality tile |
-| Sidecar write failure | Cache lifecycle | I/O error | Log and do not mark tile eligible |
+| Sidecar write failure | Tile Manager | I/O error | Log and do not mark tile eligible |
 ---
@@ -277,13 +276,13 @@ When pose confidence is strong enough, the system orthorectifies navigation imag
 ### Description
-After landing, generated tiles and FDR evidence are exported for Satellite Service ingest and incident analysis.
+After landing, generated tiles and FDR evidence are exported through Satellite Service sync for ingest and incident analysis.
 ### Data Flow
 | Step | From | To | Data | Format |
 |------|------|----|------|--------|
-| 1 | Cache lifecycle | Satellite Service | Generated tile package | COG + sidecar + manifest delta |
+| 1 | Tile Manager | Satellite Service | Generated tile package | COG + sidecar + manifest delta |
 | 2 | FDR | Operator/audit tools | Mission replay evidence | Segmented logs + optional Parquet export |
 ### Error Scenarios
@@ -299,7 +298,7 @@ After landing, generated tiles and FDR evidence are exported for Satellite Servi
 ### Description
-The validation harness runs deterministic still-image, public dataset, SITL, Jetson, and representative replay scenarios against public interfaces.
+The separate e2e test suite runs deterministic still-image, public dataset, SITL, Jetson, and representative replay scenarios against public interfaces.
 ### Preconditions
@@ -310,9 +309,9 @@ The validation harness runs deterministic still-image, public dataset, SITL, Jet
 | Step | From | To | Data | Format |
 |------|------|----|------|--------|
-| 1 | Validation harness | Runtime | Images/telemetry/cache fixtures | File/stream/MAVLink |
+| 1 | E2E test suite | Runtime | Images/telemetry/cache fixtures | File/stream/MAVLink |
-| 2 | Runtime | Validation harness | GPS_INPUT/FDR/status | MAVLink/log files |
+| 2 | Runtime | E2E test suite | GPS_INPUT/FDR/status | MAVLink/log files |
-| 3 | Validation harness | Reports | Pass/fail metrics | CSV/Markdown |
+| 3 | E2E test suite | Reports | Pass/fail metrics | CSV/Markdown |
 ### Performance Expectations
@@ -52,33 +52,38 @@
 ---
-### FT-P-03: BASALT VIO Replay With Public Synchronized Data
+### FT-P-03: BASALT VIO Replay With Synchronized Video/Telemetry
-**Summary**: Validate that BASALT + safety/anchor wrapper can process synchronized camera/IMU data and produce trajectory estimates with calibrated confidence.
+**Summary**: Validate that BASALT + safety/anchor wrapper can process synchronized nadir video, IMU, and trajectory telemetry and produce frame-by-frame estimates with honest confidence.
 **Traces to**: AC-1.3, AC-2.1a, AC-2.2, AC-4.1, AC-4.2
 **Category**: VO / IMU Propagation
 **Preconditions**:
- Public synchronized dataset slice is pinned during implementation. Strongest candidates: MUN-FRL, ALTO, EPFL fixed-wing, Kagaru; EuRoC/UZH FPV are proxy-only.
+- Derkachi replay fixture is mounted from `input_data/flight_derkachi/`.
- Ground-truth trajectory or frame poses are available.
+- `flight_derkachi.mp4` is readable as cropped nadir video: 880 x 720, 30 fps, approximately 490.07 s.
 - `data_imu.csv` contains monotonic 10 Hz `Time`, `timestamp(ms)`, `SCALED_IMU2.*`, and `GLOBAL_POSITION_INT.*` fields for 4,900 rows.
 - Camera intrinsics, lens distortion, and camera-to-body transform are either pinned or the run is marked as calibration-limited.
 - Public synchronized dataset slice remains useful for calibrated final comparison. Strongest candidates: MUN-FRL, ALTO, EPFL fixed-wing, Kagaru; EuRoC/UZH FPV are proxy-only.
-**Input data**: `public_nadir_vio_candidates`
+**Input data**: `derkachi_video_telemetry`, `public_nadir_vio_candidates`
 | Step | Consumer Action | Expected System Response |
 |------|-----------------|--------------------------|
-| 1 | Replay synchronized camera and IMU stream | System emits frame-by-frame `vo_extrapolated` or `satellite_anchored` estimates |
+| 1 | Validate Derkachi video/telemetry alignment | Harness accepts the fixture only if MP4 duration and CSV duration differ by <=250 ms and there are exactly 3 video frames per telemetry row |
-| 2 | Compare output trajectory to dataset ground truth | Error and covariance calibration are reported per segment |
+| 2 | Replay synchronized video frames and IMU stream | System emits frame-by-frame `vo_extrapolated` or `satellite_anchored` estimates without batching |
-| 3 | Compare against OpenVINS reference replay | BASALT + wrapper does not materially under-report uncertainty relative to error |
+| 3 | Compare output trajectory to `GLOBAL_POSITION_INT` lat/lon/alt/heading | Error, covariance, source label, and anchor age are reported per segment |
 | 4 | Compare calibrated public/representative replay against ground truth when available | BASALT + wrapper does not materially under-report uncertainty relative to error |
 | 5 | Compare against OpenVINS reference replay when available | BASALT + wrapper does not materially under-report uncertainty relative to error |
-**Expected outcome**: VO registration succeeds for >95% of normal overlapping frames in dataset-supported normal segments; VO homography MRE is <1.0 px where homography validation is applicable.
+**Expected outcome**: Derkachi replay is accepted as a synchronized representative fixture and produces continuous estimates for >95% of normal overlapping frames. Absolute geolocation and covariance pass/fail thresholds are calibration-gated until camera intrinsics, distortion, and camera-to-body transform are pinned. For calibrated datasets, VO homography MRE is <1.0 px where homography validation is applicable.
 **Max execution time**: Dataset-dependent, but replay must report per-frame latency.
 ---
-### FT-P-04: Satellite Retrieval And Anchor Verification
+### FT-P-04: Satellite Service And Anchor Verification
 **Summary**: Validate that relocalization uses global retrieval plus local verification and emits only verified satellite anchors.
@@ -0,0 +1,81 @@
 # E2E Test Suite
 ## Scope
 The e2e test suite is separate test tooling, not part of the onboard runtime. It drives black-box replay, public dataset, SITL, Jetson, and representative validation through public runtime interfaces only.
 ## Purpose
 - Feed navigation frames, telemetry traces, cache manifests, and fault triggers into the system under test.
 - Validate emitted coordinates, confidence fields, MAVLink `GPS_INPUT`, QGC status, FDR, and generated-tile evidence.
 - Produce release evidence without importing runtime internals.
 ## Ownership
 - **Epic**: AZ-217 (E2E Test Suite / test-support work, not product runtime)
 - **Owns**:
  - `tests/blackbox/**`
  - `tests/e2e/**`
  - `e2e/replay/**`
  - `e2e/reports/**`
 - **Does not own**:
  - `src/**`
  - runtime component internals
  - production deployment code
 ## Public Interfaces Under Test
 | Interface | Protocol / Contract |
 |-----------|---------------------|
 | Navigation frames | Ordered image/video replay with timestamps |
 | FC telemetry | MAVLink replay or generated stream |
 | Satellite cache | Local COG + manifest + descriptor fixtures |
 | GPS output | MAVLink `GPS_INPUT` |
 | Operator status | QGC-visible MAVLink status |
 | FDR | Filesystem/database-backed evidence outputs |
 ## Runner Contract
 | Method | Input | Output | Error Types |
 |--------|-------|--------|-------------|
 | `run_scenario` | `ScenarioRequest` | `ScenarioReport` | `FixtureInvalid`, `RuntimeFailed`, `ThresholdFailed` |
 | `validate_fixture` | `FixtureRequest` | `FixtureValidationReport` | `FixtureInvalid` |
 ```yaml
 ScenarioRequest:
  scenario_id: string
  execution_environment: enum(replay, sitl, jetson, representative)
  fixture_paths: list[string]
 ScenarioReport:
  scenario_id: string
  result: enum(pass, fail, blocked)
  metrics: object
  artifacts: list[path]
  failure_reason: string optional
 ```
 ## Scenario Coverage
 | Scenario | Purpose | Evidence |
 |----------|---------|----------|
 | Still-image accuracy runner | Verify project still-image replay reports frame-center accuracy | Per-image error, aggregate pass rates, covariance, source label, anchor age |
 | Synchronized VIO replay runner | Verify Derkachi and public/representative synchronized data drive BASALT/wrapper tests | Fixture alignment, trajectory comparison, VIO registration, latency, covariance calibration |
 | Satellite anchor replay runner | Verify VPR and anchor verification scenarios are executable | Retrieval recall, MRE, accepted/rejected anchors, freshness behavior |
 | Outlier/sharp-turn/disconnected runner | Verify relocalization resilience scenarios are executable | Degraded-mode timelines and relocalization outcomes |
 | Blackout and spoofing runner | Verify total blackout plus spoofing through SITL/replay | Mode-switch timing, covariance growth, failsafe thresholds |
 | MAVLink/QGC contract runner | Verify MAVLink output and GCS status assertions | `GPS_INPUT`, WGS84 coordinates, status rate, command ingress |
 | Startup/reboot runner | Verify cold-start and companion reboot scenarios | First valid `GPS_INPUT` p95 and FC-state reinitialization |
 | Object coordinate contract runner | Verify AI-camera object coordinate request at system boundary | Frame-center-consistent coordinate accuracy and projection bound |
 | Tile Manager runner | Verify cache, generated tiles, and storage tests | Cache load, tile write gates, no raw-frame retention, stale rejection, poisoning evidence |
 ## Release Evidence
 The suite assembles CSV, Markdown, MAVLink tlogs, FDR summaries, cache validation reports, and pass/fail metadata into release evidence bundles. Missing public or representative data is reported as `blocked`, not `passed`.
 ## Non-Responsibilities
 - No onboard flight logic.
 - No direct estimator, BASALT, wrapper, or tile-manager imports.
 - No mutation of runtime internal state.
 - No production service APIs.
@@ -10,7 +10,7 @@
 | Environment | Purpose | Required for |
 |-------------|---------|--------------|
-| Local replay workstation | Fast still-image and dataset replay validation | Frame-center geolocation, satellite retrieval, stale-tile rejection |
+| Local replay workstation | Fast still-image and dataset replay validation | Frame-center geolocation, Satellite Service local retrieval, stale-tile rejection |
 | Jetson Orin Nano Super | Production-like latency, memory, thermal, and TensorRT/ONNX profiling | AC-4.1, AC-4.2, AC-NEW-1, AC-NEW-5 |
 | ArduPilot Plane SITL + QGroundControl | MAVLink `GPS_INPUT`, spoofing, failsafe, and GCS status validation | AC-4.3, AC-5.2, AC-NEW-2, AC-NEW-8 |
 | Representative flight/replay rig | Final acceptance evidence with synchronized nav camera, FC IMU/attitude/airspeed/altitude, MAVLink logs, and ground truth | Final AC signoff |
@@ -38,6 +38,7 @@
 |--------|------------|---------|
 | input-data | `/data/input` | `_docs/00_problem/input_data/` and public dataset slices |
 | expected-results | `/data/expected` | `_docs/00_problem/input_data/expected_results/` |
 | derkachi-replay | `/data/input/flight_derkachi` | Cropped nadir MP4 plus synchronized IMU and `GLOBAL_POSITION_INT` trajectory |
 | satellite-cache | `/cache/satellite` | COG tiles, manifests, descriptor index fixtures |
 | fdr-output | `/fdr` | Flight-data-recorder outputs for validation |
@@ -98,6 +99,7 @@
 Use Docker or local host replay for deterministic, reproducible tests that do not require physical Jetson hardware:
 - Still-image frame-center geolocation.
 - Derkachi synchronized video/telemetry replay, including alignment and VIO smoke checks.
 - Satellite-cache freshness and integrity fixtures.
 - FAISS descriptor/index behavior.
 - Public dataset replay where GPU/hardware timing is not the assertion.
@@ -25,23 +25,25 @@
 ### NFT-PERF-02: BASALT + Wrapper Replay Latency
-**Summary**: Validate relative VIO hot-path latency using synchronized public or representative camera/IMU data.
+**Summary**: Validate relative VIO hot-path latency using synchronized Derkachi video/telemetry and public or representative camera/IMU data.
 **Traces to**: AC-2.1a, AC-4.1, AC-4.2
 **Metric**: Per-frame VIO latency, completion rate, and memory usage.
 **Preconditions**:
- MUN-FRL/ALTO/EPFL/Kagaru or representative synchronized dataset slice is pinned.
+- Derkachi `flight_derkachi.mp4` and `data_imu.csv` are mounted and pass fixture validation.
- OpenVINS reference replay is available for comparison.
+- MUN-FRL/ALTO/EPFL/Kagaru or another representative synchronized dataset slice is pinned for calibrated final comparison.
 - OpenVINS reference replay is available for comparison when the dataset supports it.
 | Step | Consumer Action | Measurement |
 |------|-----------------|-------------|
-| 1 | Replay synchronized camera/IMU stream through BASALT + wrapper | Measure per-frame processing time |
+| 1 | Replay Derkachi video at target 3 fps and stress rates from the 30 fps source | Measure per-frame processing time, dropped frames, and telemetry alignment |
-| 2 | Compare emitted trajectory against ground truth | Measure completion rate and error distribution |
+| 2 | Replay synchronized camera/IMU stream through BASALT + wrapper | Measure VIO processing time and completion rate |
-| 3 | Monitor memory | Track CPU/GPU shared memory peak |
+| 3 | Compare emitted trajectory against Derkachi `GLOBAL_POSITION_INT` and calibrated dataset ground truth where available | Measure completion rate and error distribution |
 | 4 | Monitor memory | Track CPU/GPU shared memory peak |
-**Pass criteria**: Normal-frame VO registration >95%; p95 processing latency <400 ms for the hot path; memory <8 GB shared.
+**Pass criteria**: Normal-frame VO registration >95% on calibration-supported segments; p95 processing latency <400 ms for the hot path; memory <8 GB shared; Derkachi replay maintains stable 3-video-frames-per-telemetry-row alignment with <=10% dropped frames under sustained target-rate replay.
 **Duration**: Dataset-dependent; at least one normal segment and one challenging segment.
@@ -7,6 +7,7 @@
 | `project_60_still_images` | 60 nadir images with WGS84 frame-center coordinates from `coordinates.csv`; height 400 m | FT-P-01, FT-P-02, FT-N-01, NFT-PERF-01 | Mounted from `_docs/00_problem/input_data/` | Read-only |
 | `project_gmaps_reference_subset` | Google Maps reference images available for the first sample frames | FT-P-02, FT-N-01 | Mounted from `_docs/00_problem/input_data/` | Read-only |
 | `expected_frame_centers` | Expected lat/lon and thresholds derived from `coordinates.csv` | FT-P-01, FT-P-02 | `_docs/00_problem/input_data/expected_results/results_report.md` | Read-only |
 | `derkachi_video_telemetry` | Cropped nadir MP4 synchronized with IMU and `GLOBAL_POSITION_INT` trajectory: 880 x 720, 30 fps, ~490.07 s; telemetry 10 Hz, 4,900 rows | FT-P-03, NFT-PERF-02, NFT-RES-02 | Mounted from `_docs/00_problem/input_data/flight_derkachi/` | Read-only |
 | `public_nadir_vio_candidates` | MUN-FRL, ALTO, EPFL fixed-wing, Kagaru, AerialVL/VPAir slices, EuRoC/UZH FPV proxy slices | FT-P-03, FT-P-04, NFT-PERF-02, NFT-RES-02 | Downloaded or mounted by replay harness; exact files pinned during implementation | Reset fixture volume |
 | `sitl_spoofing_scenarios` | Generated ArduPilot Plane SITL GPS loss/spoofing traces | FT-N-02, NFT-RES-01, NFT-SEC-03 | Generated by test harness | Discard generated logs after report |
 | `cache_integrity_fixtures` | Fresh, stale, unsigned, hash-mismatched, and low-resolution cache manifests | FT-N-03, NFT-SEC-01, NFT-SEC-02 | Mounted fixture volume | Read-only |
@@ -36,6 +37,7 @@ Every replay test uses read-only fixture mounts and writes results to a fresh `t
 | `coordinates.csv` | `_docs/00_problem/input_data/coordinates.csv` | Machine-readable expected frame centers | FT-P-01, FT-P-02 |
 | `data_parameters.md` | `_docs/00_problem/input_data/data_parameters.md` | Height 400 m and camera model | FT-P-01, NFT-PERF-01 |
 | `AD000001_gmaps.png`, `AD000002_gmaps.png` | `_docs/00_problem/input_data/` | Reference map screenshots for sample sanity checks | FT-P-02 |
 | `flight_derkachi/flight_derkachi.mp4` + `flight_derkachi/data_imu.csv` | `_docs/00_problem/input_data/flight_derkachi/` | Cropped nadir video synchronized with IMU and `GLOBAL_POSITION_INT` GPS trajectory | FT-P-03, NFT-PERF-02, NFT-RES-02 |
 | Public dataset slices | External fixture paths pinned during implementation | Synchronized camera/IMU/GNSS/ground truth where available | FT-P-03, FT-P-04, NFT-PERF-02, NFT-RES-02 |
 ## Expected Results Mapping
@@ -44,7 +46,7 @@ Every replay test uses read-only fixture mounts and writes results to a fresh `t
 |------------------|------------|-----------------|-------------------|-----------|------------------------|
 | FT-P-01 | `AD000001.jpg` ... `AD000060.jpg` | Output WGS84 frame center per mapped row; >=80% within 50 m, >=50% within 20 m | Haversine distance threshold + aggregate pass rate | 50 m primary, 20 m stretch | `input_data/expected_results/results_report.md` |
 | FT-P-02 | Same 60 images + map references where present | Output includes source label, covariance semi-major axis, and anchor age for every emitted estimate | Required-field validation + geolocation threshold | Required fields present; geolocation thresholds as above | `input_data/expected_results/results_report.md` |
-| FT-P-03 | Public synchronized VIO dataset slice | BASALT + wrapper emits trajectory with calibrated covariance and no optimistic under-reporting | Dataset ground-truth trajectory comparison | Dataset-specific threshold pinned at implementation; must support AC-1/AC-2 signoff only after representative data | Public dataset ground truth |
+| FT-P-03 | `derkachi_video_telemetry` plus public synchronized VIO dataset slice when available | BASALT + wrapper emits trajectory with calibrated covariance and no optimistic under-reporting | Compare Derkachi output to `GLOBAL_POSITION_INT` trajectory for smoke/relative validation; compare public/representative calibrated runs to ground truth for final accuracy | Derkachi threshold is calibration-gated; final threshold is dataset-specific and pinned after camera calibration | `data_imu.csv` trajectory plus public dataset ground truth |
 | FT-P-04 | AerialVL/ALTO/VPAir-style aerial localization slice | Satellite retrieval returns candidate chunks and local verification produces accepted/rejected anchors | Georeference error + MRE + source-label checks | AC-1.1/1.2 and AC-2.2 thresholds where dataset supports them | Public dataset ground truth/reference map |
 | FT-N-01 | Low-texture/repetitive frames from sample or public data | System emits degraded confidence or rejects anchor rather than confident false fix | Source label and covariance threshold | No `satellite_anchored` label unless gates pass | Fixture-specific |
 | FT-N-02 | Plane SITL GPS spoof/loss trace | Spoofed GPS rejected; system promotes own estimate within <3 s when trigger conditions are met | Event timing and MAVLink field checks | <3 s promotion; blackout thresholds from AC-NEW-8 | Generated SITL trace |
@@ -64,7 +66,9 @@ Every replay test uses read-only fixture mounts and writes results to a fresh `t
 |-----------|------------|------------------|--------------------------|
 | Image frame | Existing file, readable image, expected timestamp/order metadata if sequence replay | Missing image, corrupt image, unsupported resolution | Mark estimate unavailable/degraded, log error, continue if possible |
 | Expected coordinate | Valid WGS84 latitude/longitude | Out-of-range lat/lon, missing row | Reject test fixture before replay |
 | Video/telemetry pair | MP4 duration matches telemetry duration, frame-to-telemetry ratio is stable, timestamps are monotonic | Duration drift >250 ms, missing trajectory columns, non-monotonic timestamps | Reject fixture before replay |
 | IMU trace | Monotonic timestamps, angular rate/accel fields, calibrated units | Non-monotonic timestamps, missing samples | Reject fixture or enter degraded mode depending scenario |
 | GPS trajectory trace | Valid WGS84 lat/lon, altitude, velocity, and heading fields | Out-of-range lat/lon, impossible altitude, missing `GLOBAL_POSITION_INT` columns | Reject trajectory comparison while allowing pure video replay if applicable |
 | Cache tile manifest | CRS, m/px, capture date, source, hashes, signature/provenance | Stale, unsigned, hash mismatch, low resolution | Reject or down-confidence per AC-8.2 and AC-NEW-6 |
 | MAVLink output | Valid `GPS_INPUT` fields and fix type/accuracy semantics | Missing `horiz_accuracy`, impossible fix type | Fail test; output contract violated |
@@ -74,13 +78,13 @@ Every replay test uses read-only fixture mounts and writes results to a fresh `t
 |------------------|-------|---------------------|--------------------------|-----------------|---------------------------|---------------------|
 | FT-P-01 | Input/output | 60 project images + `coordinates.csv` | WGS84 center per image with 50 m / 20 m thresholds | Yes | Yes | Keep |
 | FT-P-02 | Input/output | 60 project images + output schema expectations | Required confidence/source-label fields and thresholds | Yes | Yes | Keep |
-| FT-P-03 | Input/output | Public or representative synchronized camera/IMU dataset | Dataset ground truth and calibrated covariance checks | Accepted as required external fixture | Accepted as dataset ground truth | Keep with acquisition task |
+| FT-P-03 | Input/output | Derkachi synchronized video/IMU/GPS fixture; public or calibrated representative dataset for final accuracy | Derkachi `GLOBAL_POSITION_INT` trajectory for smoke/relative validation; calibrated ground truth for final covariance checks | Yes for Derkachi; public/calibrated dataset still useful for final signoff | Yes for Derkachi GPS trajectory; calibrated camera thresholds pending | Keep with calibration gate |
 | FT-P-04 | Input/output | Public aerial localization or project cache fixture | Georeference, MRE, and source-label checks | Accepted as required external fixture | Accepted as dataset/reference-map ground truth | Keep with acquisition task |
 | FT-N-01 | Behavioral/input-output | Ambiguous low-texture/repetitive frames | 0 confident false anchors | Accepted as project/public fixture | Yes | Keep |
 | FT-N-02 | Behavioral | Generated Plane SITL spoof/blackout trace | Timing and MAVLink field thresholds from AC-NEW-8 | Generated by test harness | Yes | Keep |
 | FT-N-03 | Behavioral/input-output | Cache integrity fixtures | 0 trusted anchors from stale/invalid tiles | Generated fixture | Yes | Keep |
 | NFT-PERF-01 | Input/output | 60 project images | p95 latency and drop-rate thresholds | Yes | Yes | Keep |
-| NFT-PERF-02 | Input/output | Public/representative synchronized camera/IMU dataset | VO registration, latency, memory thresholds | Accepted as required external fixture | Yes | Keep with acquisition task |
+| NFT-PERF-02 | Input/output | Derkachi synchronized video/IMU/GPS fixture; public/representative synchronized camera/IMU dataset | VO registration, latency, memory thresholds | Yes for Derkachi | Yes | Keep with calibration gate |
 | NFT-PERF-03 | Behavioral/input-output | Precomputed descriptor/cache fixture | Trigger-path latency and MRE thresholds | Generated fixture | Yes | Keep |
 | NFT-PERF-04 | Behavioral | Cold-start harness and cache fixture | <30 s p95 over 50 runs | Generated by test harness | Yes | Keep |
 | NFT-RES-* | Behavioral | Fault triggers and generated traces | AC-defined timing/status thresholds | Generated by test harness | Yes | Keep |
@@ -90,6 +94,7 @@ Every replay test uses read-only fixture mounts and writes results to a fresh `t
 **Coverage after validation**: 49/49 AC and restriction groups remain covered. No tests were removed.
 **Acquisition tasks required downstream**:
 - Pin camera intrinsics, lens distortion, raw camera feed parameters, and camera-to-body mounting transform for the Derkachi fixture or future representative recordings.
 - Pin and download at least one strong synchronized nadir camera + IMU + ground-truth dataset, preferably MUN-FRL or ALTO, with EPFL fixed-wing and Kagaru as fixed-wing/farmland candidates.
 - Pin license-compatible VPR/localization datasets for satellite anchor tests; VPAir and UZH FPV have non-commercial restrictions and must not be used for commercial acceptance unless license terms allow it.
 - Create generated fixtures for Plane SITL spoofing, stale cache manifests, signed/unsigned manifests, FDR load, and thermal/resource monitoring during implementation.
@@ -54,7 +54,7 @@
 | R-SAT-01 | Offline-only Satellite Service cache, no in-flight provider fetch | NFT-SEC-04 | Covered |
 | R-SAT-02 | Cache resolution/freshness/metadata conventions | FT-N-03, NFT-RES-LIM-03 | Covered |
 | R-HW-01 | Jetson Orin Nano Super 8 GB / 25 W | NFT-RES-LIM-01, NFT-RES-LIM-02 | Covered |
-| R-SENSOR-01 | FC IMU available; sample data lacks synchronized IMU | FT-P-03, NFT-PERF-02 | Covered through public/representative dataset plan |
+| R-SENSOR-01 | FC IMU available; original still-image sample lacks synchronized IMU; Derkachi fixture provides video/IMU/GPS trajectory but calibration is pending | FT-P-03, NFT-PERF-02 | Covered through Derkachi representative replay plus public/calibrated dataset plan |
 | R-MAV-01 | MAVLink, ArduPilot only, GPS_INPUT via pymavlink | FT-N-02, NFT-SEC-03 | Covered |
 | R-GCS-01 | QGroundControl supported GCS | FT-N-02, NFT-SEC-03 | Covered |
 | R-SAFETY-01 | False-position, cold-start, spoofing, and failsafe constraints | FT-N-01, FT-N-02, NFT-PERF-04, NFT-RES-01 | Covered |
@@ -76,5 +76,6 @@
 ## Data Coverage Caveats
 - Current project data fully supports still-image frame-center checks for 60 mapped images.
- Current project data does not contain synchronized IMU or ground-truth trajectory for BASALT VIO validation.
+- Derkachi project data supports synchronized video/IMU/GPS trajectory replay for FT-P-03 and NFT-PERF-02.
- Phase 3 must validate public dataset acquisition before FT-P-03, FT-P-04, and NFT-PERF-02 can remain in the executable test plan.
+- Derkachi project data is calibration-limited: raw camera intrinsics, lens distortion, and camera-to-body transform are still required before final absolute accuracy thresholds can be treated as production acceptance.
 - Phase 3 must validate camera calibration inputs and public/calibrated dataset acquisition before FT-P-03, FT-P-04, and NFT-PERF-02 can be used for final signoff.
@@ -0,0 +1,49 @@
 # Dependencies Table
 **Date**: 2026-05-04
 **Total Tasks**: 24
 **Total Complexity Points**: 108
 **Lessons applied**: No `_docs/LESSONS.md` file exists; no prior estimation or dependency lessons were available.
 | Task | Name | Complexity | Dependencies | Epic |
 |------|------|------------|--------------|------|
 | AZ-219 | initial_structure | 5 | None | AZ-206 |
 | AZ-220 | shared_runtime_contracts | 3 | AZ-219 | AZ-206 |
 | AZ-221 | shared_geometry_time_sync | 3 | AZ-219, AZ-220 | AZ-207 |
 | AZ-222 | runtime_config_errors_telemetry | 3 | AZ-219, AZ-220 | AZ-208 |
 | AZ-223 | camera_ingest_calibration | 5 | AZ-220, AZ-221, AZ-222 | AZ-209 |
 | AZ-224 | mavlink_gcs_gateway | 3 | AZ-220, AZ-222 | AZ-210 |
 | AZ-225 | tile_manager_cache_manifest | 5 | AZ-220, AZ-221, AZ-222 | AZ-211 |
 | AZ-226 | generated_tile_orthorectification | 5 | AZ-223, AZ-225 | AZ-211 |
 | AZ-227 | fdr_event_recorder | 5 | AZ-220, AZ-222 | AZ-212 |
 | AZ-228 | vio_adapter | 5 | AZ-221, AZ-222, AZ-223, AZ-224 | AZ-213 |
 | AZ-229 | satellite_service_sync | 3 | AZ-222, AZ-225, AZ-226 | AZ-214 |
 | AZ-230 | satellite_service_vpr_retrieval | 5 | AZ-223, AZ-225, AZ-229 | AZ-214 |
 | AZ-231 | anchor_verification_matching | 5 | AZ-223, AZ-225, AZ-230 | AZ-215 |
 | AZ-232 | safety_anchor_state_machine | 5 | AZ-223, AZ-224, AZ-227, AZ-228, AZ-231 | AZ-216 |
 | AZ-240 | native_vio_backend_integration | 5 | AZ-228 | AZ-213 |
 | AZ-241 | real_satellite_vpr_descriptor_retrieval | 5 | AZ-230 | AZ-214 |
 | AZ-242 | real_anchor_feature_matching_ransac | 5 | AZ-231, AZ-241 | AZ-215 |
 | AZ-233 | test_infrastructure | 5 | AZ-240, AZ-241, AZ-242 | AZ-218 |
 | AZ-234 | replay_geolocation_confidence_tests | 3 | AZ-233 | AZ-218 |
 | AZ-235 | vio_replay_performance_tests | 5 | AZ-233, AZ-240 | AZ-218 |
 | AZ-236 | satellite_anchor_cache_tests | 5 | AZ-233, AZ-241, AZ-242 | AZ-218 |
 | AZ-237 | mavlink_blackout_spoofing_tests | 5 | AZ-233 | AZ-218 |
 | AZ-238 | cold_start_restart_tests | 5 | AZ-233 | AZ-218 |
 | AZ-239 | jetson_resource_endurance_tests | 5 | AZ-233 | AZ-218 |
 ## Verification Notes
 - No task exceeds 5 complexity points.
 - Test implementation tasks are appended under Blackbox Tests (AZ-218); the test infrastructure bootstrap now depends on the product remediation tasks so tests do not validate scaffold behavior.
 - The graph is acyclic: product foundations precede adapters/stores, then VIO/retrieval/matching, then safety wrapper orchestration; remediation tasks close native VIO, real VPR, and real matching gaps before affected blackbox tests run.
 ## Test Coverage Verification
 - AZ-234 covers FT-P-01, FT-P-02, and NFT-PERF-01.
 - AZ-235 covers FT-P-03 and NFT-PERF-02 after AZ-240 provides the real native VIO path.
 - AZ-236 covers FT-P-04, FT-N-01, FT-N-03, NFT-PERF-03, NFT-RES-04, NFT-SEC-01, NFT-SEC-02, NFT-SEC-04, and NFT-RES-LIM-03 after AZ-241 and AZ-242 provide real VPR retrieval and anchor matching.
 - AZ-237 covers FT-N-02, NFT-RES-01, and NFT-SEC-03.
 - AZ-238 covers NFT-RES-02, NFT-RES-03, NFT-PERF-04, and NFT-RES-LIM-05.
 - AZ-239 covers NFT-RES-LIM-01, NFT-RES-LIM-02, and NFT-RES-LIM-04.
 - All traceability-matrix AC and restriction groups remain covered by at least one test task.
@@ -16,14 +16,16 @@ project-root/
 ├── src/
 │   ├── __init__.py
 │   ├── camera_ingest_calibration/
-│   ├── basalt_vio_adapter/
+│   ├── vio_adapter/
 │   │   └── native/
 │   ├── safety_anchor_wrapper/
-│   ├── satellite_retrieval/
+│   ├── satellite_service/
 │   │   └── native/
 │   ├── anchor_verification/
-│   ├── cache_tile_lifecycle/
+│   │   └── native/
 │   ├── tile_manager/
 │   ├── mavlink_gcs_integration/
 │   ├── fdr_observability/
 │   ├── validation_harness/
 │   ├── shared/
 │   │   ├── contracts/
 │   │   ├── geo_geometry/
@@ -31,10 +33,6 @@ project-root/
 │   │   ├── config/
 │   │   ├── errors/
 │   │   └── telemetry/
 │   └── native/
 │       ├── basalt_bridge/
 │       ├── feature_matching/
 │       └── tensor_rt/
 ├── migrations/
 │   ├── postgresql/
 │   └── seed/
@@ -43,7 +41,8 @@ project-root/
 │   ├── integration/
 │   ├── blackbox/
 │   ├── fixtures/
-│   └── sitl/
+│   ├── sitl/
 │   └── e2e/
 ├── e2e/
 │   ├── replay/
 │   └── reports/
@@ -74,7 +73,7 @@ project-root/
 ### Layout Rationale
-The runtime is organized directly under `src/` because this repository already represents the GPS-denied onboard system. Component directories live at the source root, with native bridges isolated under `src/native/` for BASALT, feature matching, and TensorRT-sensitive paths. Shared contracts, geometry, time-sync, configuration, error envelopes, and telemetry DTOs are centralized so component tasks consume a single public interface instead of duplicating cross-cutting logic.
+The runtime is organized directly under `src/` because this repository already represents the GPS-denied onboard system. Component directories live at the source root, and native bridges stay inside the component folder that owns the backend or hot path. Shared contracts, geometry, time-sync, configuration, error envelopes, and telemetry DTOs are centralized so component tasks consume a single public interface instead of duplicating cross-cutting logic.
 The scaffold separates runtime source, migrations, tests, deployment assets, configuration, and mutable data. Production runs on Jetson hardware, while Docker/compose is used for replay, SITL, and deterministic CI environments.
@@ -84,29 +83,28 @@ The scaffold separates runtime source, migrations, tests, deployment assets, con
 | DTO Name | Used By Components | Fields Summary |
 |----------|--------------------|----------------|
-| `FramePacket` | Camera ingest, BASALT VIO, satellite retrieval, anchor verification, cache lifecycle, FDR | Frame ID, timestamp, image reference, calibration ID, occlusion status, quality metrics |
+| `FramePacket` | Camera ingest, BASALT VIO, Satellite Service, anchor verification, Tile Manager, FDR | Frame ID, timestamp, image reference, camera calibration ID, occlusion status, quality metrics |
-| `TelemetrySample` | MAVLink/GCS, BASALT VIO, safety wrapper, FDR, validation harness | Timestamp, IMU, attitude, airspeed, altitude, GPS health |
+| `TelemetrySample` | MAVLink/GCS, BASALT VIO, safety wrapper, FDR, e2e tests | Timestamp, IMU, attitude, airspeed, altitude, GPS health |
-| `VioStatePacket` | BASALT VIO, safety wrapper, FDR, validation harness | Timestamp, relative pose, velocity, bias, tracking quality, covariance hint |
+| `VioStatePacket` | BASALT VIO, safety wrapper, FDR, e2e tests | Timestamp, relative pose, velocity, bias, tracking quality, covariance hint |
-| `PositionEstimate` | Safety wrapper, MAVLink/GCS, cache lifecycle, FDR, validation harness | WGS84 coordinates, covariance semi-major axis, source label, fix type, horizontal accuracy, anchor age |
+| `PositionEstimate` | Safety wrapper, MAVLink/GCS, Tile Manager, FDR, e2e tests | WGS84 coordinates, covariance semi-major axis, source label, fix type, horizontal accuracy, anchor age |
-| `VprCandidate` | Satellite retrieval, anchor verification, FDR | Chunk ID, tile ID, score, footprint, freshness status |
+| `VprCandidate` | Satellite Service, anchor verification, FDR | Chunk ID, tile ID, score, footprint, freshness status |
 | `AnchorDecision` | Anchor verification, safety wrapper, FDR | Candidate ID, acceptance result, estimated pose, inliers, MRE, rejection reason |
-| `CacheTileRecord` | Cache lifecycle, satellite retrieval, anchor verification, FDR | Tile ID, type, CRS, meters per pixel, capture date, signature/hash status, trust level |
+| `CacheTileRecord` | Tile Manager, Satellite Service, anchor verification, FDR | Tile ID, type, CRS, meters per pixel, capture date, signature/hash status, trust level |
-| `FdrEvent` | All runtime components, validation harness | Event type, timestamp, component, severity, payload reference, mission/run ID |
+| `FdrEvent` | All runtime components, e2e tests | Event type, timestamp, component, severity, payload reference, mission/run ID |
-| `ScenarioReport` | Validation harness, CI/CD, release evidence | Scenario ID, result, metrics, artifacts, failure reason |
+| `ScenarioReport` | Separate e2e test suite, CI/CD, release evidence | Scenario ID, result, metrics, artifacts, failure reason |
 ### Component Interfaces
 | Component | Interface | Methods | Exposed To |
 |-----------|-----------|---------|------------|
-| Camera ingest/calibration | `FrameProvider` | `next_frame`, `detect_occlusion`, `classify_quality` | BASALT VIO, satellite retrieval, anchor verification, cache lifecycle |
+| Camera ingest/calibration | `FrameProvider` | `next_frame`, `detect_occlusion`, `classify_quality` | VIO Adapter, Satellite Service, anchor verification, Tile Manager |
-| BASALT VIO adapter | `VioAdapter` | `initialize`, `process`, `health` | Safety wrapper, validation harness |
+| VIO adapter | `VioAdapter` | `initialize`, `process`, `health` | Safety wrapper, e2e tests |
-| Safety/anchor wrapper | `LocalizationStateMachine` | `update_vio`, `consider_anchor`, `degrade`, `propagate_imu_only`, `tile_write_eligibility` | MAVLink/GCS, cache lifecycle, FDR, validation harness |
+| Safety/anchor wrapper | `LocalizationStateMachine` | `update_vio`, `consider_anchor`, `degrade`, `propagate_imu_only`, `tile_write_eligibility` | MAVLink/GCS, Tile Manager, FDR, e2e tests |
-| Satellite retrieval | `CandidateRetriever` | `load_index`, `retrieve` | Safety wrapper, anchor verification |
+| Satellite Service | `SatelliteService` | `import_mission_cache`, `load_index`, `retrieve`, `upload_generated_tiles` | Safety wrapper, anchor verification, Tile Manager |
 | Anchor verification | `AnchorVerifier` | `verify`, `benchmark_matcher` | Safety wrapper, FDR |
-| Cache/tile lifecycle | `CacheRepository` | `validate_cache`, `get_tile_window`, `write_generated_tile`, `package_sync` | Satellite retrieval, anchor verification, post-flight sync |
+| Tile Manager | `TileManager` | `validate_cache`, `get_tile_window`, `orthorectify_frame`, `write_generated_tile`, `package_sync` | Satellite Service, anchor verification, post-flight sync |
 | MAVLink/GCS integration | `MavlinkGateway` | `subscribe_telemetry`, `emit_gps_input`, `emit_status` | BASALT VIO, safety wrapper, QGC, FDR |
-| FDR/observability | `FlightRecorder` | `append_event`, `rollover`, `export` | All runtime components, validation harness |
+| FDR/observability | `FlightRecorder` | `append_event`, `rollover`, `export` | All runtime components, e2e tests |
 | Validation harness | `ScenarioRunner` | `validate_fixture`, `run_scenario` | CI/CD, release evidence review |
 ## CI/CD Pipeline
@@ -115,7 +113,7 @@ The scaffold separates runtime source, migrations, tests, deployment assets, con
 | Format / lint | Enforce code style and static quality | Every PR and push to `dev` |
 | Unit tests | Validate component-local behavior and shared contracts | Every PR and push to `dev` |
 | Replay black-box smoke | Run deterministic still-image/cache/SITL subsets | Every PR |
-| Cache/security fixture tests | Validate signed manifests, stale-tile rejection, no provider calls | Every PR |
+| Cache/security fixture tests | Validate signed manifests, stale-tile rejection, and no mid-flight provider/Satellite Service calls | Every PR |
 | Plane SITL spoof/failsafe | Validate ArduPilot Plane `GPS_INPUT`, failsafe, spoofing promotion | Nightly and release candidate |
 | Public dataset replay | Exercise VIO, retrieval, and anchor behavior against pinned public slices | Nightly and release candidate |
 | Jetson latency/resource tests | Measure p95 latency, memory, cold start, TensorRT/ONNX fidelity | Release candidate |
@@ -175,14 +173,13 @@ tests/
 ├── unit/
 │   ├── shared/
 │   ├── camera_ingest_calibration/
-│   ├── basalt_vio_adapter/
+│   ├── vio_adapter/
 │   ├── safety_anchor_wrapper/
-│   ├── satellite_retrieval/
+│   ├── satellite_service/
 │   ├── anchor_verification/
-│   ├── cache_tile_lifecycle/
+│   ├── tile_manager/
 │   ├── mavlink_gcs_integration/
 │   ├── fdr_observability/
 │   └── validation_harness/
 ├── integration/
 │   ├── contracts/
 │   ├── cache_postgis/
@@ -200,10 +197,14 @@ tests/
 │   ├── satellite_cache/
 │   ├── telemetry/
 │   └── public_dataset_slices/
-└── sitl/
+├── sitl/
-    ├── plane_gps_input/
+│   ├── plane_gps_input/
-    ├── spoofing_promotion/
+│   ├── spoofing_promotion/
-    └── failsafe/
+│   └── failsafe/
 └── e2e/
    ├── replay/
    ├── reports/
    └── release_evidence/
 ```
 ### Test Configuration Notes
@@ -241,10 +242,10 @@ Each deployable service exposes `/health/live`, `/health/ready`, and `/metrics`
 | 3 | Runtime configuration and error handling | Prevent duplicated config/error behavior across components |
 | 4 | Camera ingest/calibration | Produces the frame and occlusion signals required by VIO, anchor, cache, and tests |
 | 5 | MAVLink/GCS integration | Supplies FC telemetry DTOs and validates `GPS_INPUT` output contract early |
-| 6 | Cache/tile lifecycle | Owns PostGIS cache manifest, sidecars, COG access, and freshness gates |
+| 6 | Tile Manager | Owns PostGIS cache manifest, sidecars, COG access, freshness gates, and generated-tile orthorectification |
 | 7 | FDR/observability | Provides audit path for all components and validation reports |
-| 8 | BASALT VIO adapter | Depends on frame and telemetry contracts, blocks wrapper integration |
+| 8 | VIO adapter | Depends on frame and telemetry contracts, blocks wrapper integration |
-| 9 | Satellite retrieval | Depends on cache schema and frame DTOs, feeds anchor verification |
+| 9 | Satellite Service | Depends on tile schema and frame DTOs, feeds anchor verification, and handles pre-flight/post-flight package sync |
 | 10 | Anchor verification | Depends on retrieval candidates and cache tile access |
 | 11 | Safety/anchor wrapper | Consumes VIO, anchor, camera degradation, MAVLink, and FDR contracts |
 | 12 | Validation harness | Uses public interfaces once contracts and runtime components are stable |
@@ -0,0 +1,78 @@
 # Shared Runtime Contracts
 **Task**: AZ-220_shared_runtime_contracts
 **Name**: Shared Runtime Contracts
 **Description**: Define the shared DTO and event contract surface used across the onboard runtime.
 **Complexity**: 3 points
 **Dependencies**: AZ-219_initial_structure
 **Component**: Bootstrap / Shared Contracts
 **Tracker**: AZ-220
 **Epic**: AZ-206
 ## Problem
 Runtime components need common shapes for frames, telemetry, VIO state, position estimates, candidates, anchors, cache tiles, and FDR events.
 ## Outcome
 - Components consume one documented shared contract surface.
 - Cross-component DTO drift is prevented before implementation begins.
 ## Scope
 ### Included
 - Shared runtime DTO names, fields, invariants, versioning rules, and contract tests.
 - Public contract document for consumers.
 ### Excluded
 - Component-specific algorithms.
 - E2E runner-only report schemas.
 ## Acceptance Criteria
 **AC-1: Shared contract exists**
 Given runtime components need common DTOs
 When the shared contracts are implemented
 Then each runtime component can import or reference the same contract surface.
 **AC-2: Contract validation exists**
 Given a malformed shared DTO
 When validation runs
 Then the input is rejected with a structured error.
 ## Non-Functional Requirements
 **Compatibility**
 - Contract changes follow documented versioning rules.
 **Reliability**
 - Invalid or missing required fields are not silently ignored.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | DTO construction for valid minimal values | Accepted |
 | AC-2 | Missing required timestamp or ID | Rejected with structured error |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Runtime started with contract consumers | Public interfaces exchange typed records | No component-specific duplicate shape required | Compatibility |
 ## Constraints
 - Contracts are shared API surface and must be consumed through documented public modules.
 - Raw frame payloads are referenced, not retained in shared DTOs.
 ## Risks & Mitigation
 **Risk 1: Contract drift**
 - *Risk*: Consumers create local incompatible DTOs.
 - *Mitigation*: Contract file is required dependency for consuming tasks.
 ## Contract
 This task produces/implements the contract at `_docs/02_document/contracts/shared/runtime_contracts.md`.
 Consumers MUST read that file — not this task spec — to discover the interface.
@@ -0,0 +1,78 @@
 # Shared Geometry And Time Sync
 **Task**: AZ-221_shared_geometry_time_sync
 **Name**: Shared Geometry And Time Sync
 **Description**: Provide shared geospatial and timestamp helper behavior for runtime components.
 **Complexity**: 3 points
 **Dependencies**: AZ-219_initial_structure, AZ-220_shared_runtime_contracts
 **Component**: Shared Geometry And Time Sync
 **Tracker**: AZ-221
 **Epic**: AZ-207
 ## Problem
 Camera, VIO, Tile Manager, Satellite Service, Anchor Verification, safety, and FDR need consistent coordinate, footprint, homography, and timestamp behavior.
 ## Outcome
 - Shared helpers provide deterministic geometry and time-sync behavior.
 - Components do not duplicate geospatial or timestamp alignment logic.
 ## Scope
 ### Included
 - WGS84/local conversions, distance/GSD helpers, footprint projection, homography/covariance conversion support.
 - Monotonic timestamp checks, frame-to-IMU window selection, replay ordering, gap/jitter metrics.
 ### Excluded
 - VIO estimation.
 - Cache policy and safety degrade decisions.
 ## Acceptance Criteria
 **AC-1: Geometry helpers are deterministic**
 Given the same calibration, attitude, altitude, and coordinates
 When geometry helpers run
 Then they return repeatable footprint and metric outputs.
 **AC-2: Time-sync violations are explicit**
 Given frame and telemetry timestamps with a gap or mismatch
 When alignment runs
 Then the result reports the violation instead of dropping data silently.
 ## Non-Functional Requirements
 **Performance**
 - Helpers are suitable for hot-path use under the system latency budget.
 **Reliability**
 - Invalid calibration, CRS, or timestamp inputs fail explicitly.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | WGS84/local round-trip | Error within tolerance |
 | AC-2 | Non-monotonic timestamps | Explicit mismatch result |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Derkachi/replay frame metadata | Footprint and ordering evidence | Deterministic helper outputs in reports | Performance |
 ## Constraints
 - Shared helpers do not own policy decisions.
 - Timestamp units must match the shared runtime contract.
 ## Risks & Mitigation
 **Risk 1: Coordinate-frame confusion**
 - *Risk*: Components interpret helper outputs differently.
 - *Mitigation*: Contract documents units, frames, and error semantics.
 ## Contract
 This task produces/implements the contract at `_docs/02_document/contracts/shared/geometry_time_sync.md`.
 Consumers MUST read that file — not this task spec — to discover the interface.
@@ -0,0 +1,80 @@
 # Runtime Config Errors And Telemetry
 **Task**: AZ-222_runtime_config_errors_telemetry
 **Name**: Runtime Config Errors And Telemetry
 **Description**: Provide shared configuration, error envelope, health, and telemetry behavior for runtime components.
 **Complexity**: 3 points
 **Dependencies**: AZ-219_initial_structure, AZ-220_shared_runtime_contracts
 **Component**: Runtime Configuration And Errors
 **Tracker**: AZ-222
 **Epic**: AZ-208
 ## Problem
 Runtime components need common configuration loading, readiness validation, error handling, and telemetry metadata.
 ## Outcome
 - Environment profiles are validated before runtime use.
 - Errors and health events are structured and FDR-safe.
 - Secrets are referenced without leaking into logs or reports.
 ## Scope
 ### Included
 - Runtime profile validation.
 - Shared error/result envelopes.
 - Health and metrics metadata.
 ### Excluded
 - Component-specific business logic.
 - FDR storage implementation.
 ## Acceptance Criteria
 **AC-1: Required settings are validated**
 Given a production profile is missing a required setting
 When startup/readiness validation runs
 Then the component reports a structured failure.
 **AC-2: Errors are not silent**
 Given a dependency failure occurs
 When a component reports it
 Then the error includes component, category, severity, and retryability.
 ## Non-Functional Requirements
 **Reliability**
 - Missing configuration and dependency failures are never silently ignored.
 **Compatibility**
 - Error categories and config keys follow the contract versioning rules.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Missing production cache dir | Readiness failure |
 | AC-2 | Dependency error envelope | Structured fields present |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Invalid env profile | Runtime readiness | Service refuses ready state | Reliability |
 ## Constraints
 - Secrets must not be serialized into logs, FDR, or metrics.
 - Error handling must not use silent suppression.
 ## Risks & Mitigation
 **Risk 1: Environment-specific behavior drifts**
 - *Risk*: Development and production profiles behave differently in unsafe ways.
 - *Mitigation*: Profile validation is shared and tested.
 ## Contract
 This task produces/implements the contract at `_docs/02_document/contracts/shared/config_errors_telemetry.md`.
 Consumers MUST read that file — not this task spec — to discover the interface.
@@ -0,0 +1,89 @@
 # Camera Ingest Calibration And Frame Quality
 **Task**: AZ-223_camera_ingest_calibration
 **Name**: Camera Ingest Calibration And Frame Quality
 **Description**: Ingest navigation frames, attach calibration/timestamp metadata, classify quality, detect occlusion, and provide north-up normalization hints.
 **Complexity**: 5 points
 **Dependencies**: AZ-220_shared_runtime_contracts, AZ-221_shared_geometry_time_sync, AZ-222_runtime_config_errors_telemetry
 **Component**: Camera Ingest And Calibration
 **Tracker**: AZ-223
 **Epic**: AZ-209
 ## Problem
 Downstream VIO, retrieval, anchor verification, Tile Manager, and FDR need trustworthy frame metadata and quality decisions before using image data.
 ## Outcome
 - Replay and live-source frames are exposed with timestamps, calibration ID, quality, occlusion, and normalization hints.
 - Total occlusion/blackout frames are marked unusable for VIO and anchor paths.
 ## Scope
 ### Included
 - Frame source abstraction for replay/live camera boundary.
 - Calibration metadata loading and validation.
 - Quality and occlusion reports.
 - North-up/orthorectification hints as metadata, not unconditional frame mutation.
 ### Excluded
 - Tile writing and generated COG persistence.
 - BASALT processing.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/geometry_time_sync.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: Usable frame packet emitted**
 Given a valid replay frame and calibration
 When the frame is ingested
 Then a frame packet includes timestamp, calibration ID, quality report, occlusion report, and normalization hint.
 **AC-2: Blackout bypass signal emitted**
 Given an unreadable, covered, or total-occlusion frame
 When quality classification runs
 Then the frame is marked unusable for VIO and anchor matching.
 **AC-3: Raw frames are not retained**
 Given normal runtime operation
 When a frame is processed
 Then only allowed metadata/references are retained outside explicit fixture/test paths.
 ## Non-Functional Requirements
 **Performance**
 - Frame preprocessing must fit within the system p95 latency budget.
 **Reliability**
 - Missing calibration blocks production readiness.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Valid frame with calibration | Frame packet contains required metadata |
 | AC-2 | Total occlusion input | `usable_for_vio=false` and `usable_for_anchor=false` |
 | AC-3 | Processed frame cleanup | No raw-frame persistence |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Derkachi replay fixture | Frame/telemetry alignment | Accepted frame packets are timestamped | Performance |
 | AC-2 | Blackout fixture | Occlusion handling | Visual path degrades safely | Reliability |
 ## Constraints
 - Do not rotate every frame in ingest; emit normalization hints for downstream use.
 - ADTi hardware assumptions remain blocked until exact specs are verified.
 ## Risks & Mitigation
 **Risk 1: False-negative occlusion**
 - *Risk*: Bad frames enter VIO or matching.
 - *Mitigation*: Conservative occlusion gate and explicit quality flags.
@@ -0,0 +1,84 @@
 # MAVLink GCS Gateway
 **Task**: AZ-224_mavlink_gcs_gateway
 **Name**: MAVLink GCS Gateway
 **Description**: Subscribe to FC telemetry, emit `GPS_INPUT`, and publish QGC-visible status/failsafe messages.
 **Complexity**: 3 points
 **Dependencies**: AZ-220_shared_runtime_contracts, AZ-222_runtime_config_errors_telemetry
 **Component**: MAVLink And GCS Integration
 **Tracker**: AZ-224
 **Epic**: AZ-210
 ## Problem
 The runtime needs a strict protocol boundary for ArduPilot Plane telemetry in and GPS-denied estimates/status out.
 ## Outcome
 - FC telemetry is normalized into shared samples.
 - `GPS_INPUT` is emitted only from validated position estimates.
 - QGC status is rate-limited and safety-relevant.
 ## Scope
 ### Included
 - Telemetry subscription behavior.
 - `GPS_INPUT` field validation and emission result.
 - QGC status/failsafe message emission.
 ### Excluded
 - Safety policy and covariance calculation.
 - SITL test runner implementation.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: Telemetry sample emitted**
 Given a valid FC telemetry stream
 When the gateway subscribes
 Then normalized telemetry samples are available to consumers.
 **AC-2: Invalid GPS_INPUT is rejected**
 Given a malformed or unsafe position estimate
 When emission is requested
 Then no invalid `GPS_INPUT` packet is emitted.
 **AC-3: Operator status is rate-limited**
 Given repeated mode changes or warnings
 When status is emitted
 Then QGC-visible messages stay within the configured rate.
 ## Non-Functional Requirements
 **Reliability**
 - Connection loss is surfaced to wrapper/FDR.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Telemetry normalization | Shared sample emitted |
 | AC-2 | Invalid fix type/accuracy | Emission rejected |
 | AC-3 | Status burst | Rate limit enforced |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-2 | Plane SITL | `GPS_INPUT` output | Fields match ArduPilot expectations | Reliability |
 ## Constraints
 - v1 emits `GPS_INPUT` only.
 - Do not hide MAVLink disconnects or invalid output errors.
 ## Risks & Mitigation
 **Risk 1: ArduPilot parameter mismatch**
 - *Risk*: Plane ignores or mishandles emitted estimates.
 - *Mitigation*: SITL validation remains a release gate.
@@ -0,0 +1,89 @@
 # Tile Manager Cache Manifest
 **Task**: AZ-225_tile_manager_cache_manifest
 **Name**: Tile Manager Cache Manifest
 **Description**: Validate local cache manifests, signed sidecars, tile freshness, and spatial/descriptor metadata access.
 **Complexity**: 5 points
 **Dependencies**: AZ-220_shared_runtime_contracts, AZ-221_shared_geometry_time_sync, AZ-222_runtime_config_errors_telemetry
 **Component**: Tile Manager
 **Tracker**: AZ-225
 **Epic**: AZ-211
 ## Problem
 The runtime must trust only preloaded offline cache tiles with valid signatures, hashes, freshness, resolution, and spatial metadata.
 ## Outcome
 - Mission cache validation blocks invalid cache usage.
 - Tile windows and descriptor metadata are queryable through local PostGIS-backed metadata.
 - Stale or tampered tiles cannot become trusted anchor inputs.
 ## Scope
 ### Included
 - Cache package validation.
 - Signed sidecar/hash/freshness checks.
 - Tile window and descriptor metadata lookup.
 - Cache validation report events.
 ### Excluded
 - Satellite Service package transfer.
 - Generated tile orthorectification/write-back.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/geometry_time_sync.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: Valid cache activates**
 Given a cache package with valid manifests, sidecars, hashes, freshness, and spatial coverage
 When cache validation runs
 Then the cache becomes available to retrieval and anchor paths.
 **AC-2: Invalid cache is rejected**
 Given a stale, unsigned, or hash-mismatched tile
 When validation runs
 Then the tile is rejected and an auditable reason is recorded.
 **AC-3: Tile metadata is queryable**
 Given a candidate footprint or chunk ID
 When a consumer requests tile metadata
 Then the Tile Manager returns a valid local record or explicit rejection.
 ## Non-Functional Requirements
 **Performance**
 - Indexed tile lookups meet relocalization-path latency needs.
 **Reliability**
 - Local PostgreSQL/PostGIS unavailability blocks mission cache activation.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Valid fixture | Cache available |
 | AC-2 | Tampered sidecar | Tile rejected |
 | AC-3 | Chunk metadata lookup | Correct record or explicit error |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-2 | Stale/unsigned fixtures | Cache security gate | No invalid tile reaches retrieval | Reliability |
 ## Constraints
 - Runtime never fetches satellite data mid-flight.
 - Large imagery/descriptors stay as files, not DB blobs.
 ## Risks & Mitigation
 **Risk 1: Cache poisoning**
 - *Risk*: Bad cache entries influence anchor decisions.
 - *Mitigation*: Signature, hash, freshness, and provenance gates are mandatory.
@@ -0,0 +1,88 @@
 # Generated Tile Orthorectification And Sync Package
 **Task**: AZ-226_generated_tile_orthorectification
 **Name**: Generated Tile Orthorectification And Sync Package
 **Description**: Convert eligible nadir frames into generated orthorectified COG tiles and prepare post-flight sync packages.
 **Complexity**: 5 points
 **Dependencies**: AZ-223_camera_ingest_calibration, AZ-225_tile_manager_cache_manifest
 **Component**: Tile Manager
 **Tracker**: AZ-226
 **Epic**: AZ-211
 ## Problem
 Generated tiles must be written only when pose, frame quality, and provenance gates make them safe to retain for post-flight Satellite Service review.
 ## Outcome
 - Eligible nadir frames can become generated COG candidates with sidecars.
 - Unsafe or over-confident tile writes are rejected.
 - Post-flight generated-tile packages carry enough metadata for Satellite Service ingest/voting.
 ## Scope
 ### Included
 - Orthorectification request handling.
 - Generated COG + sidecar metadata creation.
 - Covariance/quality gates and trust level assignment.
 - Sync package preparation.
 ### Excluded
 - Satellite Service upload transport.
 - Promotion to trusted basemap onboard.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/geometry_time_sync.md`
 ## Acceptance Criteria
 **AC-1: Eligible frame writes generated tile**
 Given a high-confidence pose and usable frame
 When tile generation runs
 Then a generated COG candidate and sidecar are staged.
 **AC-2: Unsafe frame is rejected**
 Given high covariance or unusable frame quality
 When tile generation runs
 Then no trusted tile is written.
 **AC-3: Sync package is auditable**
 Given generated candidate tiles exist
 When a package is prepared
 Then it includes manifest delta, sidecars, parent covariance, and trust level.
 ## Non-Functional Requirements
 **Reliability**
 - Generated tiles are never promoted directly to trusted basemap onboard.
 **Performance**
 - Tile generation must not block localization output.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Valid tile request | COG + sidecar staged |
 | AC-2 | Covariance too high | Write rejected |
 | AC-3 | Package creation | Required metadata present |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-2 | Poisoning fixture | Generated tile gate | No direct trusted promotion | Reliability |
 ## Constraints
 - Tile Manager performs generated tile writes; camera ingest only provides metadata/hints.
 - Missing sidecars make generated tiles ineligible for upload.
 ## Risks & Mitigation
 **Risk 1: Misaligned generated tile**
 - *Risk*: Wrong pose creates harmful future anchor data.
 - *Mitigation*: Parent covariance, frame quality, and post-flight validation gates.
@@ -0,0 +1,88 @@
 # FDR Event Recorder And Export Surface
 **Task**: AZ-227_fdr_event_recorder
 **Name**: FDR Event Recorder And Export Surface
 **Description**: Record bounded replayable mission evidence and expose exportable post-flight summaries.
 **Complexity**: 5 points
 **Dependencies**: AZ-220_shared_runtime_contracts, AZ-222_runtime_config_errors_telemetry
 **Component**: FDR And Observability
 **Tracker**: AZ-227
 **Epic**: AZ-212
 ## Problem
 The system needs compact, bounded, queryable evidence for estimates, inputs, health, anchors, tile writes, and safety transitions.
 ## Outcome
 - Runtime components can append structured FDR events.
 - Storage rollover and health behavior are explicit.
 - Post-flight exports are available for analysis and release evidence.
 ## Scope
 ### Included
 - Append event behavior.
 - PostgreSQL event index and CBOR segment payload contract.
 - Rollover and storage-full handling.
 - Export request/result behavior.
 ### Excluded
 - Component-specific event payload generation.
 - E2E report collation.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: Events are appendable**
 Given a valid FDR event
 When a component appends it
 Then metadata is indexed and payload is stored within bounds.
 **AC-2: Storage pressure is handled**
 Given segment or storage limits are reached
 When append continues
 Then rollover or critical status behavior is explicit.
 **AC-3: Export produces evidence**
 Given a completed run
 When export is requested
 Then queryable evidence and optional analytics artifacts are produced.
 ## Non-Functional Requirements
 **Performance**
 - FDR appends must not block hot-path localization.
 **Reliability**
 - Append failures are surfaced to callers and health state.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Valid event append | Indexed metadata and payload reference |
 | AC-2 | Rollover threshold | Rollover event recorded |
 | AC-3 | Export request | Evidence artifact produced |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-2 | 8-hour synthetic load | FDR cap and rollover | <=64 GB or explicit rollover evidence | Performance |
 ## Constraints
 - Raw frames are not retained by default.
 - Secrets are not logged in FDR payloads.
 ## Risks & Mitigation
 **Risk 1: FDR affects latency**
 - *Risk*: Append pressure slows localization.
 - *Mitigation*: Bounded segments and async-friendly append semantics.
@@ -0,0 +1,90 @@
 # VIO Adapter
 **Task**: AZ-228_vio_adapter
 **Name**: VIO Adapter
 **Description**: Wrap the selected relative VIO backend as a replaceable component with health and error behavior.
 **Complexity**: 5 points
 **Dependencies**: AZ-221_shared_geometry_time_sync, AZ-222_runtime_config_errors_telemetry, AZ-223_camera_ingest_calibration, AZ-224_mavlink_gcs_gateway
 **Component**: VIO Adapter
 **Tracker**: AZ-228
 **Epic**: AZ-213
 ## Problem
 The safety wrapper needs relative VIO state from calibrated frames and FC IMU without inheriting backend-specific internals.
 ## Outcome
 - Backend initialization, processing, and health behavior are exposed through a replaceable adapter.
 - Tracking loss and timestamp mismatch are explicit.
 - The adapter never emits WGS84 coordinates or safety decisions.
 ## Scope
 ### Included
 - Initialization and runtime health.
 - Frame + IMU processing behavior.
 - Relative pose/velocity/bias output and quality metadata.
 - Native bridge boundary.
 ### Excluded
 - Absolute anchor fusion and covariance authority.
 - Satellite matching fallback implementation.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/geometry_time_sync.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: VIO state emitted**
 Given synchronized frame and IMU samples
 When processing succeeds
 Then a relative VIO state packet with tracking quality is emitted.
 **AC-2: Timestamp mismatch is explicit**
 Given frame/IMU timestamps are inconsistent
 When processing is requested
 Then the adapter rejects the packet with a timestamp mismatch error.
 **AC-3: Health is observable**
 Given initialization or tracking quality changes
 When health is requested
 Then the adapter reports current VIO readiness and degradation state.
 ## Non-Functional Requirements
 **Performance**
 - Adapter processing must be profiled against Jetson latency/memory limits.
 **Reliability**
 - Backend failures are surfaced, not hidden.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Valid synchronized packet | VIO state emitted |
 | AC-2 | Bad timestamp window | Explicit error |
 | AC-3 | Tracking loss | Health reports degraded |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Derkachi/public replay | Relative VIO path | Continuous estimates where data supports it | Performance |
 ## Constraints
 - BASALT remains the current selected backend, but package and folder names must stay backend-neutral.
 - The VIO adapter is not the safety authority.
 - GPL VIO dependencies remain reference-only unless explicitly approved.
 ## Risks & Mitigation
 **Risk 1: Nadir fixed-wing fit**
 - *Risk*: The selected VIO backend underperforms on low-parallax terrain.
 - *Mitigation*: Representative replay and reference comparisons gate acceptance.
@@ -0,0 +1,87 @@
 # Satellite Service Sync Boundary
 **Task**: AZ-229_satellite_service_sync
 **Name**: Satellite Service Sync Boundary
 **Description**: Import mission cache packages before flight and upload generated-tile packages after flight.
 **Complexity**: 3 points
 **Dependencies**: AZ-222_runtime_config_errors_telemetry, AZ-225_tile_manager_cache_manifest, AZ-226_generated_tile_orthorectification
 **Component**: Satellite Service
 **Tracker**: AZ-229
 **Epic**: AZ-214
 ## Problem
 The onboard runtime needs a clear boundary for Satellite Service package exchange without allowing mid-flight network calls.
 ## Outcome
 - Pre-flight cache packages can be imported and handed to Tile Manager validation.
 - Post-flight generated-tile packages can be uploaded/retried.
 - Mid-flight provider or Satellite Service calls are explicitly blocked.
 ## Scope
 ### Included
 - Pre-flight import behavior.
 - Post-flight generated-tile upload behavior.
 - Package status and retry/error reporting.
 ### Excluded
 - In-flight retrieval ranking.
 - Tile manifest validation and generated tile creation.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: Pre-flight package import succeeds**
 Given a valid Satellite Service mission cache package
 When import runs before flight
 Then the package is available for Tile Manager validation.
 **AC-2: Post-flight upload is auditable**
 Given a generated-tile package exists after landing
 When upload runs
 Then success, rejection, or retryable failure is recorded.
 **AC-3: Mid-flight network calls are blocked**
 Given the runtime is in flight mode
 When cache data is missing
 Then the component does not call a satellite provider or suite service.
 ## Non-Functional Requirements
 **Reliability**
 - Upload failures retain packages for retry.
 **Security**
 - Signing credentials are never logged.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Valid import package | Package ready for validation |
 | AC-2 | Upload unavailable | Retryable failure recorded |
 | AC-3 | Flight-mode missing data | No network call |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-3 | Network disabled in replay | Relocalization missing data | Degraded/no-candidate behavior, no fetch | Security |
 ## Constraints
 - No in-flight Satellite Service or satellite-provider network dependency.
 - Package sync is before takeoff or after landing only.
 ## Risks & Mitigation
 **Risk 1: Boundary confusion**
 - *Risk*: Retrieval code starts fetching provider data mid-flight.
 - *Mitigation*: Flight-mode invariant is acceptance-tested.
@@ -0,0 +1,89 @@
 # Satellite Service Local VPR Retrieval
 **Task**: AZ-230_satellite_service_vpr_retrieval
 **Name**: Satellite Service Local VPR Retrieval
 **Description**: Retrieve local VPR candidates from preloaded descriptors and FAISS indexes.
 **Complexity**: 5 points
 **Dependencies**: AZ-223_camera_ingest_calibration, AZ-225_tile_manager_cache_manifest, AZ-229_satellite_service_sync
 **Component**: Satellite Service
 **Tracker**: AZ-230
 **Epic**: AZ-214
 ## Problem
 Relocalization needs ranked satellite/cache candidates, but retrieval must be trigger-based and use only local preloaded cache/index data.
 ## Outcome
 - DINOv2-VLAD descriptor extraction and CPU FAISS top-K candidate retrieval are available.
 - Candidate freshness and dynamic top-K policy are carried forward.
 - No-candidate/index failures produce degraded behavior rather than unsafe anchors.
 ## Scope
 ### Included
 - Index load/readiness behavior.
 - Query descriptor and top-K candidate retrieval.
 - Freshness tagging and retrieval result metadata.
 - Descriptor fidelity gate for optimized engines.
 ### Excluded
 - Local matching/RANSAC.
 - In-flight network fetches.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/geometry_time_sync.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: Index loads before retrieval**
 Given a valid local descriptor/index package
 When index loading runs
 Then retrieval readiness is reported.
 **AC-2: Top-K candidates returned**
 Given a relocalization request and loaded local index
 When retrieval runs
 Then bounded candidates include tile/chunk IDs, scores, footprints, and freshness status.
 **AC-3: Missing candidates degrade safely**
 Given no valid candidates or index failure
 When retrieval runs
 Then the result is explicit no-candidate/degraded behavior.
 ## Non-Functional Requirements
 **Performance**
 - Retrieval is trigger-based and profiled against Jetson limits.
 **Security**
 - Retrieval never performs mid-flight provider calls.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Valid index | Ready status |
 | AC-2 | Query frame | Candidate list with freshness |
 | AC-3 | Missing index | Explicit degraded/no-candidate result |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-2 | Public/cache fixture | VPR recall and top-K policy | Correct candidate bounds and freshness | Performance |
 ## Constraints
 - Retrieval is not per-frame steady-state work.
 - TensorRT/ONNX path is accepted only after descriptor-fidelity tests pass.
 ## Risks & Mitigation
 **Risk 1: Trigger path exceeds Jetson budget**
 - *Risk*: Descriptor extraction or FAISS query is too slow.
 - *Mitigation*: CPU-first FAISS, bounded top-K, and profiling gates.
@@ -0,0 +1,88 @@
 # Anchor Verification Matching And Geometry Gates
 **Task**: AZ-231_anchor_verification_matching
 **Name**: Anchor Verification Matching And Geometry Gates
 **Description**: Verify retrieved candidates with ALIKED/DISK + LightGlue and geometric safety gates.
 **Complexity**: 5 points
 **Dependencies**: AZ-223_camera_ingest_calibration, AZ-225_tile_manager_cache_manifest, AZ-230_satellite_service_vpr_retrieval
 **Component**: Anchor Verification
 **Tracker**: AZ-231
 **Epic**: AZ-215
 ## Problem
 VPR candidates are not trusted fixes; they require local feature matching, RANSAC geometry, provenance checks, and measurable rejection evidence.
 ## Outcome
 - Anchor candidates are accepted or rejected with MRE, inlier count, homography, freshness/provenance, and reason metadata.
 - Matcher profiles can be benchmarked without making learned matching a per-frame VIO hot path.
 ## Scope
 ### Included
 - ALIKED/DISK + LightGlue matching profile behavior.
 - SIFT/ORB baseline profile.
 - OpenCV RANSAC/USAC geometry checks.
 - Anchor decision output and rejection reasons.
 ### Excluded
 - VPR retrieval ranking.
 - Safety wrapper anchor fusion.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/geometry_time_sync.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: Candidate verification emits evidence**
 Given retrieved candidates and a usable frame
 When verification runs
 Then each result includes acceptance state, MRE, inlier count, and rejection/acceptance reason.
 **AC-2: Unsafe candidates are rejected**
 Given low inliers, high MRE, stale provenance, or geometry failure
 When verification runs
 Then no accepted anchor decision is emitted for that candidate.
 **AC-3: Matcher benchmark is reportable**
 Given configured matcher profiles
 When benchmark runs
 Then profile runtime and quality metrics are reported.
 ## Non-Functional Requirements
 **Performance**
 - Learned matching is trigger-based and profiled separately from BASALT.
 **Reliability**
 - SuperPoint is excluded from production unless legal approval exists.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Valid matching fixture | Evidence fields present |
 | AC-2 | Bad geometry fixture | Rejected decision |
 | AC-3 | Benchmark profiles | Metrics emitted |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Aerial/cache fixture | Anchor verification path | Accepted anchors meet MRE/inlier gates | Performance |
 ## Constraints
 - ALIKED/DISK + LightGlue supplies correspondences, not full VIO.
 - Anchor verification does not decide final safety fusion.
 ## Risks & Mitigation
 **Risk 1: False anchor acceptance**
 - *Risk*: Cross-domain match looks plausible but is wrong.
 - *Mitigation*: Geometry, freshness, provenance, and downstream Mahalanobis gates.
@@ -0,0 +1,97 @@
 # Safety Anchor State Machine
 **Task**: AZ-232_safety_anchor_state_machine
 **Name**: Safety Anchor State Machine
 **Description**: Own authoritative localization state, confidence, anchor fusion, degraded modes, tile-write eligibility, and MAVLink output semantics.
 **Complexity**: 5 points
 **Dependencies**: AZ-223_camera_ingest_calibration, AZ-224_mavlink_gcs_gateway, AZ-227_fdr_event_recorder, AZ-228_vio_adapter, AZ-231_anchor_verification_matching
 **Component**: Safety And Anchor Wrapper
 **Tracker**: AZ-232
 **Epic**: AZ-216
 ## Problem
 The product needs one safety authority that converts VIO, telemetry, camera quality, and anchor evidence into honest localization outputs and degraded/failsafe behavior.
 ## Outcome
 - Wrapper updates localization state from VIO and anchors.
 - Covariance grows honestly in degraded modes.
 - `GPS_INPUT` semantics, source labels, and tile-write eligibility are controlled by the wrapper.
 ## Scope
 ### Included
 - VIO update handling.
 - Anchor acceptance/rejection integration.
 - IMU-only degraded propagation.
 - Covariance/source-label/fix-type behavior.
 - Tile-write eligibility decisions.
 ### Excluded
 - VIO backend internals.
 - MAVLink transport implementation.
 - Generated tile writing.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/geometry_time_sync.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: VIO state updates position estimate**
 Given valid VIO state and telemetry context
 When the wrapper processes the update
 Then it emits an estimate with source label and honest covariance.
 **AC-2: Accepted anchor can correct state**
 Given an anchor decision that passes safety gates
 When the wrapper considers it
 Then the state may become `satellite_anchored` with recorded evidence.
 **AC-3: Blackout degrades safely**
 Given total visual blackout or tracking loss
 When degraded propagation runs
 Then covariance grows monotonically and failsafe/no-fix semantics occur at thresholds.
 **AC-4: Tile-write eligibility is conservative**
 Given a frame and current estimate
 When tile eligibility is requested
 Then only sufficiently trusted poses are eligible for generated tile writes.
 ## Non-Functional Requirements
 **Safety**
 - Confidence must not be optimistic relative to known error/covariance.
 **Reliability**
 - State invariant violations are surfaced and recorded.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Healthy VIO update | Estimate emitted |
 | AC-2 | Accepted/rejected anchors | State updates only on accepted evidence |
 | AC-3 | Blackout thresholds | `dead_reckoned` then no-fix/failsafe |
 | AC-4 | Tile eligibility | Covariance/quality gates enforced |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-3 | Blackout + spoofing SITL | Degraded behavior | QGC/FDR/fix fields match thresholds | Safety |
 ## Constraints
 - The VIO backend is not the safety authority.
 - The wrapper does not call Tile Manager directly during anchor acceptance; freshness/provenance arrives through anchor evidence.
 ## Risks & Mitigation
 **Risk 1: Over-trusted dead reckoning**
 - *Risk*: IMU-only propagation is believed for too long.
 - *Mitigation*: Monotonic covariance growth and no-fix/failsafe thresholds.
@@ -0,0 +1,163 @@
 # Test Infrastructure
 **Task**: AZ-233_test_infrastructure
 **Name**: Test Infrastructure
 **Description**: Scaffold the blackbox and e2e test project: runner, deterministic fixtures, isolated replay/SITL environment, reporting, and external dependency stubs.
 **Complexity**: 5 points
 **Dependencies**: AZ-240_native_vio_backend_integration, AZ-241_real_satellite_vpr_descriptor_retrieval, AZ-242_real_anchor_feature_matching_ransac
 **Component**: Blackbox Tests
 **Tracker**: AZ-233
 **Epic**: AZ-218
 ## Test Project Folder Layout
 ```text
 e2e/
 ├── replay/
 │   ├── run_replay.py
 │   ├── scenarios/
 │   └── reports/
 ├── fixtures/
 │   ├── cache/
 │   ├── mavlink/
 │   ├── telemetry/
 │   └── expected/
 ├── tests/
 │   ├── test_still_image_replay.py
 │   ├── test_vio_replay.py
 │   ├── test_satellite_anchor.py
 │   ├── test_blackout_spoofing.py
 │   ├── test_resource_limits.py
 │   └── test_security_gates.py
 ├── mocks/
 │   ├── satellite_cache_stub/
 │   ├── ardupilot_sitl/
 │   └── qgc_observer/
 └── reports/
 ```
 ### Layout Rationale
 The test project keeps blackbox/e2e runner code outside product runtime internals. Scenario definitions, fixtures, mocks, and reports are separated so tests can reset state between runs and produce release evidence without importing private component modules.
 Test implementation starts only after remediation tasks AZ-240, AZ-241, and AZ-242 close the native VIO, real satellite VPR, and real anchor matching gaps found during autodev verification.
 ## Mock Services
 | Mock Service | Replaces | Interfaces | Behavior |
 |-------------|----------|------------|----------|
 | `satellite_cache_stub` | Offline Azaion Suite Satellite Service cache package | Local COG/manifest/descriptor fixture volume | Serves preloaded valid, stale, unsigned, hash-mismatched, and low-resolution cache fixtures; never performs network fetches during flight-mode tests. |
 | `ardupilot_sitl` | ArduPilot Plane flight controller | MAVLink telemetry and `GPS_INPUT` receiving path | Emits generated IMU, attitude, GPS health, spoofing, and failsafe traces; records injected `GPS_INPUT` for assertions. |
 | `qgc_observer` | QGroundControl status consumer | MAVLink/tlog parser | Records downsampled `STATUSTEXT`, status, and failsafe messages for rate and content assertions. |
 ### Mock Control API
 Each mock or runner fixture must expose deterministic scenario controls for normal replay, stale cache, missing cache, spoofed GPS, blackout, restart, and resource-load modes. Recorded interactions must be queryable after each test run for assertions.
 ## Docker Test Environment
 ### `docker-compose.test.yml` Structure
 | Service | Image / Build | Purpose | Depends On |
 |---------|---------------|---------|------------|
 | `gps-denied-service` | Project runtime image or local package mount | System under test | `satellite-cache-stub` |
 | `replay-consumer` | Python replay/test harness | Feeds frames, telemetry, cache data, and faults | `gps-denied-service`, mock services |
 | `satellite-cache-stub` | Fixture volume/service | Provides offline cache manifests, sidecars, descriptors, and generated invalid variants | none |
 | `ardupilot-plane-sitl` | SITL container or local process wrapper | Validates `GPS_INPUT`, spoofing, and failsafe behavior | `gps-denied-service` |
 | `qgc-observer` | MAVLink log parser | Verifies GCS-visible status output | `ardupilot-plane-sitl` |
 ### Networks and Volumes
 - `replay-net`: connects the runtime, replay consumer, and satellite-cache stub.
 - `sitl-net`: connects the runtime, ArduPilot Plane SITL, and QGC observer.
 - `input-data`: read-only mount for `_docs/00_problem/input_data/`.
 - `expected-results`: read-only mount for expected coordinate and report fixtures.
 - `derkachi-replay`: read-only mount for `flight_derkachi.mp4` and `data_imu.csv`.
 - `satellite-cache`: fixture cache volume with valid and invalid manifests.
 - `fdr-output`: fresh per-run output volume for FDR and report artifacts.
 ## Test Runner Configuration
 **Framework**: Python pytest-style replay harness.
 **Entry point**: `run-blackbox-replay` or equivalent pytest command that executes scenario groups and writes reports.
 **Reports**: CSV summary plus FDR validation Markdown.
 ### Fixture Strategy
 | Fixture | Scope | Purpose |
 |---------|-------|---------|
 | `project_60_still_images` | session | Provides 60 nadir images and expected WGS84 centers. |
 | `derkachi_video_telemetry` | session | Provides synchronized video, IMU, and `GLOBAL_POSITION_INT` replay data. |
 | `cache_integrity_fixtures` | function | Provides valid, stale, unsigned, hash-mismatched, and low-resolution cache variants. |
 | `sitl_spoofing_scenarios` | function | Provides generated GPS loss/spoofing and blackout traces. |
 | `public_nadir_vio_candidates` | optional/session | Provides public or representative synchronized datasets when available. |
 ## Test Data Fixtures
 | Data Set | Source | Format | Used By |
 |----------|--------|--------|---------|
 | `project_60_still_images` | `_docs/00_problem/input_data/` | JPG + metadata | Still-image accuracy, confidence, latency smoke |
 | `expected_frame_centers` | `_docs/00_problem/input_data/coordinates.csv` and expected-results report | CSV/Markdown | Geolocation assertions |
 | `derkachi_video_telemetry` | `_docs/00_problem/input_data/flight_derkachi/` | MP4 + CSV | VIO replay, latency, resilience |
 | `cache_integrity_fixtures` | generated fixture volume | COG/manifest/sidecar/index fixtures | Cache freshness, poisoning, no-fetch tests |
 | `sitl_spoofing_scenarios` | generated by SITL harness | MAVLink/tlog traces | Spoofing, blackout, failsafe, GCS status |
 | `public_nadir_vio_candidates` | pinned external fixtures | dataset-specific | Final VIO and satellite-anchor validation |
 ### Data Isolation
 Every run uses read-only input fixtures and fresh run-scoped output directories. FDR, generated tiles, tlogs, and reports are written only to per-run output volumes. Mock state and generated fixtures are reset before each scenario group.
 ## Test Reporting
 **Format**: CSV summary and Markdown evidence report.
 **Output paths**: `test-results/blackbox-report.csv` and `test-results/fdr-validation-summary.md`.
 **Required columns**: Test ID, test name, input dataset, execution time, result, error distance, source label, covariance 95% semi-major, `GPS_INPUT.fix_type`, and error message.
 ## Acceptance Criteria
 **AC-1: Test environment starts**
 Given the Docker/replay test environment
 When the test stack starts
 Then the runtime, replay consumer, cache fixture, SITL, and observer services are reachable or report a clear blocked prerequisite.
 **AC-2: External dependency stubs are deterministic**
 Given a scenario config for cache, MAVLink, QGC, or fixture behavior
 When the replay consumer executes it
 Then mocks produce repeatable responses and expose recorded interactions for assertions.
 **AC-3: Test runner executes scenario groups**
 Given valid fixtures and a running test environment
 When the test runner starts
 Then it discovers and executes blackbox, performance, resilience, security, and resource-limit scenario groups.
 **AC-4: Reports are generated**
 Given a completed or blocked test run
 When reporting finishes
 Then CSV and Markdown evidence files are written with the required columns, metrics, artifact paths, and blocked-prerequisite reasons.
 ## Non-Functional Requirements
 **Reliability**
 - Missing hardware, public datasets, calibration, or SITL prerequisites are reported as `blocked`, not `passed`.
 **Security**
 - Fixture stubs must not access external satellite-provider or Suite service networks during in-flight test scenarios.
 **Data Isolation**
 - No test may mutate source fixtures or write FDR/generated-tile artifacts outside run-scoped output paths.
 ## Constraints
 - The test suite must use public runtime boundaries only: navigation frames, telemetry, offline cache, MAVLink output, QGC status, and FDR outputs.
 - The suite must not import private estimator, BASALT, wrapper, or tile-manager internals.
 - Hardware-specific Jetson gates remain release-gate tests and may be skipped or blocked in ordinary local replay.
 ## Risks & Mitigation
 **Risk 1: Environment prerequisites hide real failures**
 - *Risk*: Missing hardware, calibration, or datasets could be treated as success.
 - *Mitigation*: Report unavailable prerequisites as `blocked` with explicit artifact evidence.
 **Risk 2: Fixture mutation contaminates later runs**
 - *Risk*: Generated FDR, cache, or SITL output changes expected input fixtures.
 - *Mitigation*: Use read-only fixture mounts and fresh run-scoped output volumes for every execution.
@@ -0,0 +1,88 @@
 # Replay Geolocation And Confidence Tests
 **Task**: AZ-234_replay_geolocation_confidence_tests
 **Name**: Replay Geolocation And Confidence Tests
 **Description**: Implement blackbox tests for still-image geolocation, confidence/source-label output, and replay latency smoke.
 **Complexity**: 3 points
 **Dependencies**: AZ-233_test_infrastructure
 **Component**: Blackbox Tests
 **Tracker**: AZ-234
 **Epic**: AZ-218
 ## Problem
 The project needs deterministic blackbox evidence that the 60-image replay path emits WGS84 frame-center estimates with required confidence fields and latency metrics.
 ## Outcome
 - Still-image replay reports per-frame coordinate error and aggregate threshold results.
 - Every emitted estimate includes covariance, source label, and anchor-age fields.
 - Replay smoke latency and dropped-frame metrics are captured in the shared report format.
 ## Scope
 ### Included
 - FT-P-01 Still-Image Frame Center Geolocation.
 - FT-P-02 Position Confidence Output Contract.
 - NFT-PERF-01 Per-Frame Latency On Project Still Images.
 - CSV and Markdown evidence output for these scenarios.
 ### Excluded
 - Synchronized VIO video/IMU replay.
 - Satellite-anchor VPR/local matching.
 - Jetson-only release-gate profiling.
 ## Acceptance Criteria
 **AC-1: Still-image coordinates are validated**
 Given the 60-image project fixture and expected frame-center coordinates
 When the replay test runs
 Then per-frame WGS84 error is reported and aggregate 50 m / 20 m thresholds are evaluated.
 **AC-2: Confidence output contract is validated**
 Given emitted position estimates from the replay
 When the test inspects public output fields
 Then each estimate includes WGS84 coordinates, 95% covariance semi-major axis, source label, and anchor age.
 **AC-3: Replay latency is measured**
 Given the still-image replay runs at the configured smoke rate
 When processing completes
 Then capture-to-output latency and dropped-frame rate are recorded with pass/fail or blocked status.
 ## Non-Functional Requirements
 **Performance**
 - Replay smoke evidence includes p50/p95/p99 latency and dropped-frame rate.
 **Reliability**
 - Missing or invalid expected-coordinate fixtures fail fixture validation before scenario execution.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Expected-coordinate loader validation | Invalid coordinates are rejected before replay |
 | AC-2 | Report field validation | Missing confidence/source fields fail the scenario |
 | AC-3 | Latency metric aggregation | p50/p95/p99 and dropped-frame metrics are emitted |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | `project_60_still_images`, `expected_frame_centers` | FT-P-01 | >=80% within 50 m and >=50% within 20 m or explicit failure | Reliability |
 | AC-2 | Same replay output | FT-P-02 | 100% of emitted estimates include required confidence fields | Reliability |
 | AC-3 | Replay smoke run | NFT-PERF-01 | Latency and drop-rate metrics are recorded | Performance |
 ## Constraints
 - Tests must use public replay input and output artifacts only.
 - Input fixtures must be mounted read-only.
 - Blocked prerequisites must be reported as `blocked`, not `passed`.
 ## Risks & Mitigation
 **Risk 1: Calibration limits are mistaken for product failure**
 - *Risk*: Fixture limits can make absolute accuracy inconclusive.
 - *Mitigation*: Report the fixture source and threshold basis with each failure.
@@ -0,0 +1,89 @@
 # VIO Replay Performance Tests
 **Task**: AZ-235_vio_replay_performance_tests
 **Name**: VIO Replay Performance Tests
 **Description**: Implement synchronized video/IMU replay tests for VIO output, covariance evidence, and replay performance metrics.
 **Complexity**: 5 points
 **Dependencies**: AZ-233_test_infrastructure, AZ-240_native_vio_backend_integration
 **Component**: Blackbox Tests
 **Tracker**: AZ-235
 **Epic**: AZ-218
 ## Problem
 The runtime needs blackbox evidence that synchronized navigation video and flight-controller telemetry can drive VIO/wrapper output with honest confidence and measurable performance.
 This test task must run after AZ-240 so it validates the real native VIO path rather than the deterministic scaffold.
 ## Outcome
 - Derkachi video/telemetry fixture alignment is validated before replay.
 - Synchronized replay produces frame-by-frame output or a clear blocked/failure reason.
 - Latency, completion rate, memory, trajectory comparison, and calibration-gated checks are reported.
 ## Scope
 ### Included
 - FT-P-03 BASALT VIO Replay With Synchronized Video/Telemetry.
 - NFT-PERF-02 BASALT + Wrapper Replay Latency.
 - Public/representative dataset prerequisite reporting.
 ### Excluded
 - Satellite-anchor local verification.
 - SITL spoofing/failsafe scenarios.
 - Thermal/endurance release gates.
 ## Acceptance Criteria
 **AC-1: Replay fixture alignment is validated**
 Given the Derkachi MP4 and telemetry CSV
 When fixture validation runs
 Then duration, frame-to-telemetry ratio, and timestamp monotonicity are verified before replay.
 **AC-2: Synchronized replay emits estimates**
 Given a valid synchronized video/IMU replay fixture
 When replay executes
 Then estimates are emitted frame-by-frame with source labels, covariance, and segment evidence.
 **AC-3: VIO performance evidence is reported**
 Given replay completed or blocked
 When reporting finishes
 Then latency, completion rate, memory, and calibration/public-dataset prerequisite status are written.
 ## Non-Functional Requirements
 **Performance**
 - Reports include per-frame latency and memory metrics where the environment can measure them.
 **Reliability**
 - Calibration-gated absolute accuracy checks must be marked explicitly instead of silently passing.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Video/telemetry validator | Invalid duration or timestamp alignment blocks replay |
 | AC-2 | Replay result parser | Missing per-frame confidence fields fail the scenario |
 | AC-3 | Calibration gate reporting | Missing calibration/public data is reported as blocked |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | `derkachi_video_telemetry` | FT-P-03 fixture validation | Fixture accepted only when alignment rules pass | Reliability |
 | AC-2 | Valid synchronized replay | FT-P-03 output | Continuous estimates for normal overlapping segments or explicit degradation | Reliability |
 | AC-3 | Replay performance run | NFT-PERF-02 | Latency, completion rate, and memory evidence are recorded | Performance |
 ## Constraints
 - Tests must not import BASALT/OpenVINS/Kimera internals directly.
 - Public/representative datasets are optional prerequisites and may produce blocked results.
 - Raw input video and telemetry fixtures remain read-only.
 ## Risks & Mitigation
 **Risk 1: Hardware or dataset prerequisites are unavailable**
 - *Risk*: The scenario cannot produce final accuracy evidence locally.
 - *Mitigation*: Emit blocked results with exact missing prerequisite and continue other scenario groups.
@@ -0,0 +1,102 @@
 # Satellite Anchor Cache Tests
 **Task**: AZ-236_satellite_anchor_cache_tests
 **Name**: Satellite Anchor Cache Tests
 **Description**: Implement blackbox, security, and performance tests for satellite-anchor retrieval, local verification, cache integrity, and no in-flight external access.
 **Complexity**: 5 points
 **Dependencies**: AZ-233_test_infrastructure, AZ-241_real_satellite_vpr_descriptor_retrieval, AZ-242_real_anchor_feature_matching_ransac
 **Component**: Blackbox Tests
 **Tracker**: AZ-236
 **Epic**: AZ-218
 ## Problem
 Satellite anchors and cache fixtures are safety-critical: invalid, stale, poisoned, or externally fetched data must not become trusted localization output.
 This test task must run after AZ-241 and AZ-242 so it validates real local VPR retrieval and real anchor feature matching rather than scaffold evidence gates.
 ## Outcome
 - Accepted anchors include retrieval, matching, geometry, freshness, and provenance evidence.
 - Invalid/stale/poisoned cache fixtures cannot produce trusted anchors or trusted generated tiles.
 - No in-flight Satellite Service or provider access occurs when cache data is missing.
 ## Scope
 ### Included
 - FT-P-04 Satellite Service And Anchor Verification.
 - FT-N-01 Repetitive Or Low-Texture Imagery.
 - FT-N-03 Invalid Or Stale Satellite Cache.
 - NFT-PERF-03 Relocalization Trigger Path Latency.
 - NFT-RES-04 Tile Cache Freshness Degradation.
 - NFT-SEC-01 Signed Cache Manifest Enforcement.
 - NFT-SEC-02 Cache Poisoning Write Gate.
 - NFT-SEC-04 No In-Flight Satellite Provider Access.
 - NFT-RES-LIM-03 Satellite Cache Storage Budget.
 ### Excluded
 - VIO synchronized replay.
 - MAVLink spoofing/failsafe behavior.
 - Jetson thermal endurance.
 ## Acceptance Criteria
 **AC-1: Verified anchors include evidence**
 Given a valid local cache/index fixture and relocalization trigger
 When retrieval and verification run
 Then accepted anchors include candidate IDs, scores, MRE, inliers, covariance, and tile provenance.
 **AC-2: Unsafe candidates are rejected**
 Given low-texture, stale, unsigned, hash-mismatched, or low-resolution fixtures
 When anchor/cache tests run
 Then no invalid candidate emits a trusted `satellite_anchored` estimate or trusted generated tile.
 **AC-3: No in-flight external access occurs**
 Given flight-mode replay with missing cache data
 When relocalization is requested
 Then the system reports degraded/no-candidate behavior without satellite-provider or Suite service network calls.
 **AC-4: Cache and trigger-path metrics are reported**
 Given cache and relocalization scenarios complete
 When reporting finishes
 Then latency, MRE, trust level, freshness, and storage-budget evidence are written.
 ## Non-Functional Requirements
 **Security**
 - Invalid cache data must not be trusted or promoted.
 **Performance**
 - Trigger-path latency and bounded top-K behavior are measured.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Anchor evidence parser | Required evidence fields are present |
 | AC-2 | Invalid cache fixture generator | Stale/unsigned/hash-mismatched fixtures are produced deterministically |
 | AC-3 | Network-block assertion | Unexpected external calls fail the scenario |
 | AC-4 | Cache metrics report | Latency, freshness, and storage metrics are present |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Public/cache fixture | FT-P-04 | Accepted anchors meet MRE/evidence requirements | Performance |
 | AC-2 | Ambiguous and invalid cache fixtures | FT-N-01, FT-N-03, NFT-SEC-01, NFT-SEC-02 | 0 unsafe trusted outputs | Security |
 | AC-3 | Network-blocked flight-mode replay | NFT-SEC-04 | Missing cache causes degraded behavior, not fetch | Security |
 | AC-4 | Relocalization/cache runs | NFT-PERF-03, NFT-RES-04, NFT-RES-LIM-03 | Metrics and storage evidence are recorded | Performance |
 ## Constraints
 - Tests must use local preloaded cache/index fixtures only.
 - External network access during flight-mode scenarios is a failure.
 - VPAir and UZH FPV licensing must be respected before use as commercial acceptance evidence.
 ## Risks & Mitigation
 **Risk 1: Dataset licensing blocks final anchor evidence**
 - *Risk*: Public dataset terms prevent commercial acceptance use.
 - *Mitigation*: Mark dataset-specific checks blocked and keep generated cache fixtures for deterministic security coverage.
@@ -0,0 +1,94 @@
 # MAVLink Blackout Spoofing Tests
 **Task**: AZ-237_mavlink_blackout_spoofing_tests
 **Name**: MAVLink Blackout Spoofing Tests
 **Description**: Implement SITL/replay tests for visual blackout, spoofed GPS, MAVLink source validation, degraded covariance, no-fix thresholds, and QGC status.
 **Complexity**: 5 points
 **Dependencies**: AZ-233_test_infrastructure
 **Component**: Blackbox Tests
 **Tracker**: AZ-237
 **Epic**: AZ-218
 ## Problem
 The system must prove that spoofed GPS and unauthorized MAVLink messages cannot override estimator state during visual blackout or degraded operation.
 ## Outcome
 - Blackout and spoofing traces drive visible degraded-mode transitions.
 - Covariance, `GPS_INPUT`, QGC status, and FDR evidence match the safety thresholds.
 - Unauthorized MAVLink sources are rejected and recorded.
 ## Scope
 ### Included
 - FT-N-02 GPS Spoofing During Total Visual Blackout.
 - NFT-RES-01 Total Visual Blackout With GPS Spoofing.
 - NFT-SEC-03 MAVLink Source And Spoofing Rejection.
 ### Excluded
 - Still-image geolocation accuracy.
 - Satellite-anchor cache poisoning.
 - Cold-start and restart trials.
 ## Acceptance Criteria
 **AC-1: Blackout transitions to dead reckoning**
 Given a replay/SITL trace with total camera blackout and spoofed GPS
 When the scenario runs
 Then the system enters `dead_reckoned` mode within the required frame or timing threshold.
 **AC-2: Degraded output thresholds are enforced**
 Given blackout continues beyond configured thresholds
 When estimates are emitted
 Then covariance grows monotonically and `GPS_INPUT` fields degrade to no-fix/failsafe values at the specified limits.
 **AC-3: Spoofed or unauthorized MAVLink inputs are rejected**
 Given spoofed real-GPS measurements or unauthorized MAVLink source IDs
 When messages arrive during normal or blackout operation
 Then no confident position estimate is produced from those inputs.
 **AC-4: Operator and FDR evidence is visible**
 Given degraded-mode transitions occur
 When reporting completes
 Then QGC status and FDR evidence show promotion, demotion, blackout, and failsafe events at expected rates.
 ## Non-Functional Requirements
 **Safety**
 - Spoofed GPS must not be promoted during blackout without the documented recovery gates.
 **Reliability**
 - Missing SITL prerequisites are reported as blocked with exact setup evidence.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Scenario trigger builder | Blackout and spoofing events are generated deterministically |
 | AC-2 | Threshold assertion logic | Fix type, covariance, and `horiz_accuracy` thresholds are checked |
 | AC-3 | MAVLink source filter assertion | Unauthorized source messages fail the scenario |
 | AC-4 | Status/FDR parser | Expected status events and rates are validated |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | SITL or replay spoofing trace | FT-N-02, NFT-RES-01 | Dead-reckoned transition within timing threshold | Safety |
 | AC-2 | Continued blackout | FT-N-02, NFT-RES-01 | Monotonic covariance and no-fix/failsafe fields | Safety |
 | AC-3 | Unauthorized/spoofed MAVLink messages | NFT-SEC-03 | No confident estimate from bad source | Safety |
 | AC-4 | QGC/FDR outputs | FT-N-02, NFT-SEC-03 | Status and evidence are visible and rate-limited | Reliability |
 ## Constraints
 - ArduPilot Plane SITL is the authoritative autopilot target.
 - v1 asserts `GPS_INPUT` output and intentional absence of ODOMETRY.
 - Tests must not depend on Mission Planner or PX4 behavior.
 ## Risks & Mitigation
 **Risk 1: SITL setup varies by environment**
 - *Risk*: Local runs may not have SITL installed or configured.
 - *Mitigation*: Report blocked prerequisites clearly and keep replay-level assertions runnable where possible.
@@ -0,0 +1,95 @@
 # Cold Start Restart Tests
 **Task**: AZ-238_cold_start_restart_tests
 **Name**: Cold Start Restart Tests
 **Description**: Implement tests for cold start, companion restart, sharp-turn/disconnected relocalization, and first-fix resource spikes.
 **Complexity**: 5 points
 **Dependencies**: AZ-233_test_infrastructure
 **Component**: Blackbox Tests
 **Tracker**: AZ-238
 **Epic**: AZ-218
 ## Problem
 The test suite must prove that the runtime recovers from disconnected visual segments and companion restarts without hiding missing prerequisites or unsafe degraded behavior.
 ## Outcome
 - Sharp-turn/disconnected-segment scenarios trigger relocalization or explicit degraded output.
 - Companion restart scenarios measure first valid output timing and FDR evidence.
 - Cold-start trials record first-fix latency and resource spikes.
 ## Scope
 ### Included
 - NFT-RES-02 Sharp Turn And Disconnected Segment Relocalization.
 - NFT-RES-03 Companion Computer Restart Mid-Flight.
 - NFT-PERF-04 Cold Boot Time To First Fix.
 - NFT-RES-LIM-05 Cold Start Resource Spike.
 ### Excluded
 - Long thermal endurance.
 - FDR 8-hour rollover load.
 - Cache poisoning and no-fetch security tests.
 ## Acceptance Criteria
 **AC-1: Disconnected segments trigger relocalization**
 Given a sharp-turn or disconnected segment fixture
 When replay reaches the low-overlap transition
 Then relocalization is requested and the system either reconnects via verified anchor or reports degraded status.
 **AC-2: Companion restart recovery is measured**
 Given a replay/SITL mission in progress
 When the GPS-denied service is restarted
 Then first valid output timing, FC-state handoff behavior, and FDR restart evidence are recorded.
 **AC-3: Cold-start trials report first-fix timing**
 Given cold-start conditions and local cache/index prerequisites
 When 50 trials run or are blocked
 Then the p95 time-to-first-fix result or exact blocked prerequisite is reported.
 **AC-4: Cold-start resource spikes are captured**
 Given initialization begins
 When engines/indexes/cache are loaded
 Then peak memory and initialization-stage timing are recorded where measurable.
 ## Non-Functional Requirements
 **Reliability**
 - Missing calibration, public datasets, or hardware prerequisites must not be treated as passing.
 **Performance**
 - First-fix timing and peak memory are reported with percentile summaries where enough trials run.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Relocalization trigger assertion | Missing-position thresholds trigger request checks |
 | AC-2 | Restart report parser | Restart and first-output events are present |
 | AC-3 | Trial aggregation | p95 first-fix summary or blocked reason is emitted |
 | AC-4 | Resource metric parser | Peak memory and stage timings are captured |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Sharp-turn/disconnected replay | NFT-RES-02 | Verified relocalization or degraded evidence | Reliability |
 | AC-2 | Mission restart trace | NFT-RES-03 | First valid output and FDR restart evidence | Reliability |
 | AC-3 | Cold-start harness | NFT-PERF-04 | p95 first fix <30 s or blocked prerequisite | Performance |
 | AC-4 | Cold-start resource monitoring | NFT-RES-LIM-05 | Peak memory <8 GB or blocked/failure evidence | Performance |
 ## Constraints
 - Restart tests must preserve fixture read-only guarantees.
 - Trial loops must be bounded and report partial results if interrupted.
 - Hardware-only assertions must be clearly marked when not runnable locally.
 ## Risks & Mitigation
 **Risk 1: Long cold-start trials are expensive**
 - *Risk*: Full 50-run evidence may not be practical on every PR.
 - *Mitigation*: Support smoke mode for PRs and full mode for release gates, with clear report labels.
@@ -0,0 +1,94 @@
 # Jetson Resource Endurance Tests
 **Task**: AZ-239_jetson_resource_endurance_tests
 **Name**: Jetson Resource Endurance Tests
 **Description**: Implement release-gate resource and endurance tests for Jetson memory, thermal/power behavior, and FDR rollover.
 **Complexity**: 5 points
 **Dependencies**: AZ-233_test_infrastructure
 **Component**: Blackbox Tests
 **Tracker**: AZ-239
 **Epic**: AZ-218
 ## Problem
 Release readiness requires hardware/resource evidence that cannot be proven by ordinary unit tests or short local replay runs.
 ## Outcome
 - Jetson memory and thermal/power metrics are captured where hardware is available.
 - FDR 8-hour synthetic load verifies rollover, storage cap, and retained payload classes.
 - Hardware-only prerequisites are reported as blocked when not available.
 ## Scope
 ### Included
 - NFT-RES-LIM-01 Jetson Memory Budget.
 - NFT-RES-LIM-02 Thermal And Power Envelope.
 - NFT-RES-LIM-04 Flight Data Recorder Rollover.
 ### Excluded
 - Still-image replay accuracy.
 - Satellite anchor/cache security tests.
 - Cold-start first-fix trials.
 ## Acceptance Criteria
 **AC-1: Jetson memory budget is measured**
 Given Jetson hardware or equivalent production target is available
 When sustained replay and trigger-path workload runs
 Then CPU/GPU shared memory, process RSS, CUDA allocations, and OOM/throttle status are recorded.
 **AC-2: Thermal and power endurance is validated or blocked**
 Given thermal test prerequisites are available
 When the sustained 25 W workload runs
 Then throttle flags, temperatures, clocks, and latency are recorded for the required duration; otherwise the run reports blocked prerequisites.
 **AC-3: FDR rollover is validated**
 Given an 8-hour synthetic mission load
 When FDR output reaches rollover conditions
 Then storage remains within the cap, rollover is logged, and no payload class is silently dropped.
 **AC-4: Evidence artifacts are complete**
 Given resource/endurance scenarios complete or block
 When reporting finishes
 Then metrics, duration, environment, status, and artifact paths are written.
 ## Non-Functional Requirements
 **Performance**
 - Resource evidence must include duration and sampling interval.
 **Reliability**
 - Hardware-unavailable results are `blocked`, not `passed`.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Resource metric parser | Memory and throttle fields are present |
 | AC-2 | Blocked prerequisite reporter | Missing hardware/thermal setup records blocked status |
 | AC-3 | FDR rollover report parser | Storage, rollover, and payload-class fields are validated |
 | AC-4 | Evidence manifest writer | Artifact paths and run metadata are present |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Jetson/prod-equivalent hardware | NFT-RES-LIM-01 | Peak memory <8 GB or explicit failure | Performance |
 | AC-2 | Thermal/power test setup | NFT-RES-LIM-02 | No throttle over required duration or blocked/failure | Performance |
 | AC-3 | Synthetic 8-hour mission load | NFT-RES-LIM-04 | FDR cap and rollover behavior are evidenced | Reliability |
 | AC-4 | Resource/endurance reports | All included scenarios | Complete artifact manifest and status | Reliability |
 ## Constraints
 - These tests are release-gate oriented and may be skipped or blocked in ordinary PR mode.
 - Raw frames must not be retained during FDR load tests.
 - Resource tests must not write outside run-scoped output directories.
 ## Risks & Mitigation
 **Risk 1: Hardware gates are unavailable during local development**
 - *Risk*: Developers cannot run full evidence locally.
 - *Mitigation*: Support blocked status and separate PR smoke mode from release-gate execution.
@@ -0,0 +1,95 @@
 # Native VIO Backend Integration
 **Task**: AZ-240_native_vio_backend_integration
 **Name**: Native VIO Backend Integration
 **Description**: Replace the deterministic VIO placeholder path with a real native backend integration boundary for representative replay.
 **Complexity**: 5 points
 **Dependencies**: AZ-228_vio_adapter
 **Component**: VIO Adapter
 **Tracker**: AZ-240
 **Epic**: AZ-213
 ## Problem
 The current VIO adapter satisfies the public contract with deterministic scaffold behavior, but it does not exercise a real native VIO backend for synchronized replay.
 ## Outcome
 - A production-capable native VIO bridge is available behind the existing `VioBackend` protocol.
 - Backend-specific setup remains isolated from the public VIO adapter boundary.
 - Existing timestamp mismatch, tracking-loss, health, and no-WGS84-authority behavior is preserved.
 ## Scope
 ### Included
 - Native/backend bridge implementation behind `VioBackend`.
 - Backend initialization and runtime failure mapping into explicit health/error states.
 - Replay-driven relative pose, velocity, bias, tracking quality, and covariance output.
 - Tests that prove the real backend path is selected when configured.
 ### Excluded
 - Absolute WGS84 authority or safety fusion.
 - Satellite-anchor fallback logic.
 - Direct test imports of backend internals.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/components/02_vio_adapter/description.md`
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/geometry_time_sync.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 ## Acceptance Criteria
 **AC-1: Native backend path emits VIO state**
 Given synchronized replay frames and telemetry
 When VIO processing runs with the native backend enabled
 Then the adapter emits a relative VIO state packet from the native path.
 **AC-2: Backend failures are explicit**
 Given backend initialization or runtime failure
 When VIO processing or health reporting runs
 Then the adapter surfaces an explicit error and degraded or failed health state.
 **AC-3: Existing safety boundaries remain intact**
 Given timestamp mismatch, low tracking quality, or successful native output
 When the adapter returns a result
 Then degraded behavior, tracking quality, and absence of WGS84 authority remain intact.
 ## Non-Functional Requirements
 **Performance**
 - Replay execution must expose latency and memory metrics for later Jetson profiling gates.
 **Reliability**
 - Backend failures must not be hidden behind deterministic fallback success.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Configured native backend path | Native estimate is used, not deterministic fallback |
 | AC-2 | Backend init/runtime failure | Explicit error and degraded/failed health |
 | AC-3 | Timestamp/quality boundaries | Existing degraded/no-WGS84 behavior preserved |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Derkachi or representative synchronized replay | Native VIO replay path | Relative estimates are emitted or blocked with a real prerequisite reason | Performance |
 ## Constraints
 - Keep backend-specific dependencies behind the `vio_adapter` native boundary.
 - Do not make the VIO adapter the safety or WGS84 authority.
 - If required native packages are unavailable locally, tests must skip or block with explicit prerequisite evidence rather than passing through the deterministic fallback.
 ## Risks & Mitigation
 **Risk 1: Native dependency unavailable in local CI**
 - *Risk*: The real backend cannot run on all developer machines.
 - *Mitigation*: Provide dependency-gated tests that fail only when the backend is configured but broken, and report blocked prerequisites for full replay gates.
@@ -0,0 +1,95 @@
 # Real Satellite VPR Descriptor Retrieval
 **Task**: AZ-241_real_satellite_vpr_descriptor_retrieval
 **Name**: Real Satellite VPR Descriptor Retrieval
 **Description**: Replace the tuple-similarity satellite retrieval scaffold with the real local descriptor/index retrieval path promised by the Satellite Service design.
 **Complexity**: 5 points
 **Dependencies**: AZ-230_satellite_service_vpr_retrieval
 **Component**: Satellite Service
 **Tracker**: AZ-241
 **Epic**: AZ-214
 ## Problem
 The current Satellite Service can load in-memory descriptor records and rank them with local tuple similarity, but it does not yet integrate the real offline descriptor/index retrieval path.
 ## Outcome
 - Local mission cache descriptor/index packages can be loaded by the runtime retrieval path.
 - Retrieval uses the selected CPU FAISS/DINOv2-VLAD-compatible boundary where available.
 - Freshness filtering, bounded top-K output, descriptor-fidelity checks, and no in-flight network behavior remain intact.
 ## Scope
 ### Included
 - Local descriptor/index package loading from the offline cache boundary.
 - Real local VPR retrieval implementation behind the public Satellite Service API.
 - Explicit degraded/no-candidate/index failure behavior.
 - Tests that distinguish the real retrieval path from the current tuple-similarity scaffold.
 ### Excluded
 - Local feature matching, RANSAC, or anchor acceptance.
 - In-flight provider or Suite service calls.
 - TensorRT/ONNX optimization unless descriptor-fidelity gates are in place.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/components/04_satellite_retrieval/description.md`
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/contracts/shared/config_errors_telemetry.md`
 - `_docs/02_document/components/06_cache_tile_lifecycle/description.md`
 ## Acceptance Criteria
 **AC-1: Real local index readiness is reported**
 Given a valid local descriptor/index package
 When the Satellite Service loads the package
 Then readiness reflects the real local index and loaded record count.
 **AC-2: Real top-K retrieval returns candidates**
 Given a relocalization request and loaded local index
 When retrieval runs
 Then bounded candidates come from the real local descriptor/index path with scores, footprints, and freshness state.
 **AC-3: Missing or invalid indexes degrade safely**
 Given missing, corrupt, incompatible, or empty local index data
 When retrieval runs
 Then the result is explicit degraded/no-candidate behavior without unsafe anchors or network calls.
 ## Non-Functional Requirements
 **Performance**
 - Retrieval remains trigger-based and exposes latency metrics for Jetson profiling.
 **Security**
 - Retrieval must not perform in-flight provider or Suite service calls.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Real index package load | Ready status references loaded real index data |
 | AC-2 | Query against fixture index | Candidates come from the real retrieval path |
 | AC-3 | Missing/corrupt index | Explicit degraded/no-candidate result |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-2 | Public/cache fixture with descriptor index | VPR recall and top-K policy | Candidate bounds, freshness, and latency evidence are reported | Performance |
 ## Constraints
 - Use only local preloaded cache/index data during flight-mode retrieval.
 - Keep optional optimized engines behind descriptor-fidelity gates.
 - Missing native/index prerequisites must be reported as blocked, not silently passed by the scaffold path.
 ## Risks & Mitigation
 **Risk 1: Heavy native/index dependencies do not run in ordinary CI**
 - *Risk*: The real retrieval path needs packages or data unavailable in local CI.
 - *Mitigation*: Keep fast contract tests for package parsing and dependency-gated integration tests for real index execution.
@@ -0,0 +1,94 @@
 # Real Anchor Feature Matching And RANSAC
 **Task**: AZ-242_real_anchor_feature_matching_ransac
 **Name**: Real Anchor Feature Matching And RANSAC
 **Description**: Replace the precomputed evidence gate-only scaffold with real local feature matching and geometry verification behind the Anchor Verification boundary.
 **Complexity**: 5 points
 **Dependencies**: AZ-231_anchor_verification_matching, AZ-241_real_satellite_vpr_descriptor_retrieval
 **Component**: Anchor Verification
 **Tracker**: AZ-242
 **Epic**: AZ-215
 ## Problem
 The current Anchor Verification component can classify precomputed `MatchEvidence`, but it does not yet run real feature extraction, matching, homography estimation, or RANSAC/USAC geometry checks.
 ## Outcome
 - Approved matcher profiles can compute correspondence evidence from frame imagery and candidate tile data.
 - Geometry verification produces inliers, MRE, homography/provenance, runtime, and rejection reasons.
 - Existing safety gates continue to reject unsafe candidates before any anchor is trusted.
 ## Scope
 ### Included
 - Matcher bridge for approved ALIKED/DISK + LightGlue and SIFT/ORB baseline profiles where dependencies are available.
 - Homography and RANSAC/USAC evidence generation from local imagery/tile fixtures.
 - Integration with existing `GeometryGatedAnchorVerifier` decision output.
 - Benchmark reporting from actual matching paths.
 ### Excluded
 - VPR candidate ranking.
 - Safety wrapper fusion/promotion policy.
 - Per-frame steady-state VIO hot path execution.
 ## Dependencies
 ### Document Dependencies
 - `_docs/02_document/components/05_anchor_verification/description.md`
 - `_docs/02_document/contracts/shared/runtime_contracts.md`
 - `_docs/02_document/components/04_satellite_retrieval/description.md`
 ## Acceptance Criteria
 **AC-1: Matching path computes evidence**
 Given a usable frame and fresh candidate tile
 When anchor verification runs
 Then matcher evidence is computed from local imagery and includes inliers, MRE, homography, provenance, and runtime.
 **AC-2: Unsafe candidates are rejected**
 Given low inliers, high reprojection error, stale or untrusted provenance, or geometry failure
 When verification runs
 Then no accepted anchor decision is emitted for that candidate.
 **AC-3: Real matcher benchmark is reportable**
 Given configured matcher profiles and fixture inputs
 When benchmark runs
 Then runtime and quality metrics are reported from actual matching paths.
 ## Non-Functional Requirements
 **Performance**
 - Learned matching remains trigger-based and benchmarked separately from the VIO hot path.
 **Reliability**
 - Missing matcher dependencies or fixture data must be explicit blocked prerequisites, not passing scaffold behavior.
 ## Unit Tests
 | AC Ref | What to Test | Required Outcome |
 |--------|--------------|------------------|
 | AC-1 | Fixture matching path | Evidence is computed from imagery/tile input |
 | AC-2 | Bad geometry/provenance | Candidate is rejected with reason |
 | AC-3 | Matcher benchmark | Runtime and quality metrics come from real path |
 ## Blackbox Tests
 | AC Ref | Initial Data/Conditions | What to Test | Expected Behavior | NFR References |
 |--------|-------------------------|--------------|-------------------|----------------|
 | AC-1 | Aerial/cache fixture pair | Anchor verification path | Accepted anchors meet MRE/inlier gates with real evidence | Performance |
 ## Constraints
 - Keep native feature extraction and RANSAC acceleration under `anchor_verification`.
 - Do not trust precomputed evidence in production paths without provenance checks.
 - SuperPoint or other legally restricted models remain excluded unless explicitly approved.
 ## Risks & Mitigation
 **Risk 1: False anchor acceptance**
 - *Risk*: Real cross-domain matching can produce plausible but unsafe geometry.
 - *Mitigation*: Preserve freshness, provenance, inlier, MRE, and downstream safety gates; add negative fixtures for low-texture and stale-cache cases.
@@ -0,0 +1,41 @@
 # Batch Report
 **Batch**: 1
 **Tasks**: AZ-219_initial_structure
 **Date**: 2026-05-03
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|----------------|-------|-------------|--------|
 | AZ-219_initial_structure | Done | 98 files | Pass | 7/7 ACs covered | None |
 ## AC Test Coverage: All covered
 | AC Ref | Coverage |
 |--------|----------|
 | AC-1 | `test_scaffold_paths_cover_runtime_test_and_evidence_layout` verifies source, tests, migrations, deployment, configuration, data, CI, and compose scaffold paths. |
 | AC-2 | `test_runtime_component_public_modules_are_importable` and `test_shared_contract_locations_are_importable` verify public component and shared contract namespaces. |
 | AC-3 | `test_scaffold_paths_cover_runtime_test_and_evidence_layout` verifies compose, env template, and migration paths; compose config validation passed. |
 | AC-4 | `test_scaffold_paths_cover_runtime_test_and_evidence_layout` verifies `.github/workflows/ci.yml`; the workflow defines format, lint, unit test, compose config, and artifact placeholder jobs. |
 | AC-5 | `test_scaffold_paths_cover_runtime_test_and_evidence_layout` verifies unit, integration, black-box, fixture, SITL, and e2e runner paths. |
 | AC-6 | `test_scaffold_paths_cover_runtime_test_and_evidence_layout` verifies deployment scripts and evidence report paths. |
 | AC-7 | `test_ignore_rules_exclude_runtime_payloads_and_secrets` verifies secrets, raw frames, cache/FDR payloads, and test result artifacts are ignored. |
 ## Code Review Verdict: PASS
 Review report: `_docs/03_implementation/reviews/batch_01_review.md`
 ## Auto-Fix Attempts: 0
 ## Stuck Agents: None
 ## Verification
 - `.venv/bin/python -m black --check src tests e2e/replay` passed.
 - `.venv/bin/python -m ruff check src tests e2e/replay` passed.
 - `.venv/bin/python -m pytest` passed: 5 tests.
 - `docker compose -f docker-compose.yml config` passed.
 - `docker compose -f docker-compose.test.yml config` passed.
 ## Next Batch: AZ-220_shared_runtime_contracts
@@ -0,0 +1,34 @@
 # Batch Report
 **Batch**: 2
 **Tasks**: AZ-220_shared_runtime_contracts
 **Date**: 2026-05-03
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|----------------|-------|-------------|--------|
 | AZ-220_shared_runtime_contracts | Done | 8 files | Pass | 2/2 ACs covered | None |
 ## AC Test Coverage: All covered
 | AC Ref | Coverage |
 |--------|----------|
 | AC-1 | `test_runtime_dtos_accept_valid_minimal_values` verifies the shared DTO contract surface can be imported and constructed. |
 | AC-2 | `test_missing_required_timestamp_is_rejected_with_structured_error`, `test_raw_frame_retention_is_rejected`, `test_position_accuracy_cannot_under_report_covariance`, and `test_accepted_anchor_requires_estimated_pose` verify malformed DTOs are rejected with structured Pydantic validation errors. |
 ## Code Review Verdict: PASS
 Review report: `_docs/03_implementation/reviews/batch_02_review.md`
 ## Auto-Fix Attempts: 0
 ## Stuck Agents: None
 ## Verification
 - `.venv/bin/python -m black --check src tests e2e/replay` passed.
 - `.venv/bin/python -m ruff check src tests e2e/replay` passed.
 - `.venv/bin/python -m pytest` passed: 11 tests.
 ## Next Batch: AZ-221_shared_geometry_time_sync, AZ-222_runtime_config_errors_telemetry
@@ -0,0 +1,37 @@
 # Batch Report
 **Batch**: 3
 **Tasks**: AZ-221_shared_geometry_time_sync, AZ-222_runtime_config_errors_telemetry
 **Date**: 2026-05-03
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|----------------|-------|-------------|--------|
 | AZ-221_shared_geometry_time_sync | Done | 5 files | Pass | 2/2 ACs covered | None |
 | AZ-222_runtime_config_errors_telemetry | Done | 7 files | Pass | 2/2 ACs covered | None |
 ## AC Test Coverage: All covered
 | AC Ref | Coverage |
 |--------|----------|
 | AZ-221 AC-1 | `test_wgs84_local_round_trip_is_deterministic` verifies deterministic WGS84/local conversion and metric output. |
 | AZ-221 AC-2 | `test_non_monotonic_timestamps_return_explicit_violation` and `test_time_window_reports_gap_instead_of_dropping_silently` verify explicit time-sync violation results. |
 | AZ-222 AC-1 | `test_missing_production_cache_dir_returns_readiness_failure` verifies missing production settings produce a structured readiness failure. |
 | AZ-222 AC-2 | `test_dependency_error_envelope_has_required_structured_fields` verifies dependency errors include component, category, severity, and retryability. |
 ## Code Review Verdict: PASS
 Review report: `_docs/03_implementation/reviews/batch_03_review.md`
 ## Auto-Fix Attempts: 0
 ## Stuck Agents: None
 ## Verification
 - `.venv/bin/python -m black --check src tests e2e/replay` passed.
 - `.venv/bin/python -m ruff check src tests e2e/replay` passed.
 - `.venv/bin/python -m pytest` passed: 17 tests.
 ## Next Batch: AZ-223_camera_ingest_calibration, AZ-224_mavlink_gcs_gateway, AZ-225_tile_manager_cache_manifest, AZ-227_fdr_event_recorder
@@ -0,0 +1,47 @@
 # Batch Report
 **Batch**: 4
 **Tasks**: AZ-223_camera_ingest_calibration, AZ-224_mavlink_gcs_gateway, AZ-225_tile_manager_cache_manifest, AZ-227_fdr_event_recorder
 **Date**: 2026-05-03
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|----------------|-------|-------------|--------|
 | AZ-223_camera_ingest_calibration | Done | 4 files | Pass | 3/3 ACs covered | None |
 | AZ-224_mavlink_gcs_gateway | Done | 4 files | Pass | 3/3 ACs covered | None |
 | AZ-225_tile_manager_cache_manifest | Done | 4 files | Pass | 3/3 ACs covered | None |
 | AZ-227_fdr_event_recorder | Done | 4 files | Pass | 3/3 ACs covered | None |
 ## AC Test Coverage: All covered
 | AC Ref | Coverage |
 |--------|----------|
 | AZ-223 AC-1 | `test_valid_frame_packet_contains_metadata_reports_and_normalization_hint` verifies timestamp, calibration, quality, occlusion, and normalization metadata. |
 | AZ-223 AC-2 | `test_total_occlusion_marks_frame_unusable_for_vio_and_anchor` verifies blackout frames are unavailable for visual paths. |
 | AZ-223 AC-3 | `test_raw_frame_payload_retention_is_rejected` verifies raw frame payload retention is rejected. |
 | AZ-224 AC-1 | `test_telemetry_subscription_emits_normalized_sample` verifies normalized shared telemetry samples. |
 | AZ-224 AC-2 | `test_invalid_gps_input_estimate_is_rejected_without_emission` verifies unsafe `GPS_INPUT` requests are rejected without emission. |
 | AZ-224 AC-3 | `test_operator_status_messages_are_rate_limited_by_text` verifies QGC-visible status rate limiting. |
 | AZ-225 AC-1 | `test_valid_cache_manifest_activates_trusted_records` verifies valid cache activation. |
 | AZ-225 AC-2 | `test_tampered_or_stale_tile_is_rejected_with_auditable_reason` verifies hash and freshness rejection reasons. |
 | AZ-225 AC-3 | `test_tile_metadata_lookup_returns_record_or_explicit_rejection` verifies trusted metadata lookup and explicit rejection. |
 | AZ-227 AC-1 | `test_valid_event_append_indexes_metadata_and_payload_reference` verifies event metadata and payload references are stored within bounds. |
 | AZ-227 AC-2 | `test_rollover_threshold_records_explicit_rollover_result` verifies rollover is explicit. |
 | AZ-227 AC-3 | `test_export_request_produces_queryable_evidence_artifacts` verifies export evidence and analytics references. |
 ## Code Review Verdict: PASS
 Review report: `_docs/03_implementation/reviews/batch_04_review.md`
 ## Auto-Fix Attempts: 0
 ## Stuck Agents: None
 ## Verification
 - `.venv/bin/python -m black --check src tests e2e/replay` passed.
 - `.venv/bin/python -m ruff check src tests e2e/replay` passed.
 - `.venv/bin/python -m pytest` passed: 29 tests.
 ## Next Batch: AZ-226_generated_tile_orthorectification
@@ -0,0 +1,35 @@
 # Batch Report
 **Batch**: 5
 **Tasks**: AZ-226_generated_tile_orthorectification
 **Date**: 2026-05-03
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|----------------|-------|-------------|--------|
 | AZ-226_generated_tile_orthorectification | Done | 4 files | Pass | 3/3 ACs covered | None |
 ## AC Test Coverage: All covered
 | AC Ref | Coverage |
 |--------|----------|
 | AZ-226 AC-1 | `test_eligible_frame_stages_generated_cog_and_sidecar` verifies generated COG and sidecar staging for eligible frames. |
 | AZ-226 AC-2 | `test_high_covariance_generated_tile_write_is_rejected` verifies unsafe high-covariance writes are rejected and not packaged. |
 | AZ-226 AC-3 | `test_sync_package_includes_manifest_delta_sidecar_covariance_and_trust_level` verifies sync package audit metadata. |
 ## Code Review Verdict: PASS
 Review report: `_docs/03_implementation/reviews/batch_05_review.md`
 ## Auto-Fix Attempts: 0
 ## Stuck Agents: None
 ## Verification
 - `.venv/bin/python -m black --check src tests e2e/replay` passed.
 - `.venv/bin/python -m ruff check src tests e2e/replay` passed.
 - `.venv/bin/python -m pytest` passed: 32 tests.
 ## Next Batch: AZ-228_vio_adapter, AZ-229_satellite_service_sync
@@ -0,0 +1,39 @@
 # Batch Report
 **Batch**: 6
 **Tasks**: AZ-228_vio_adapter, AZ-229_satellite_service_sync
 **Date**: 2026-05-03
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|----------------|-------|-------------|--------|
 | AZ-228_vio_adapter | Done | 4 files | Pass | 3/3 ACs covered | None |
 | AZ-229_satellite_service_sync | Done | 4 files | Pass | 3/3 ACs covered | None |
 ## AC Test Coverage: All covered
 | AC Ref | Coverage |
 |--------|----------|
 | AZ-228 AC-1 | `test_valid_synchronized_packet_emits_vio_state` verifies synchronized frame/IMU processing emits a relative VIO state packet. |
 | AZ-228 AC-2 | `test_timestamp_mismatch_is_explicit_validation_error` verifies timestamp mismatch is rejected with an explicit error. |
 | AZ-228 AC-3 | `test_tracking_loss_degrades_health_without_emitting_absolute_position` verifies health reports degraded tracking state. |
 | AZ-229 AC-1 | `test_pre_flight_import_returns_package_for_tile_manager_validation` verifies mission cache packages are exposed for Tile Manager validation. |
 | AZ-229 AC-2 | `test_post_flight_upload_records_retryable_failure_for_audit` verifies upload outcomes are auditable and retryable failures retain packages. |
 | AZ-229 AC-3 | `test_in_flight_sync_is_blocked_without_calling_network_boundary` verifies in-flight sync is blocked before network/uploader calls. |
 ## Code Review Verdict: PASS
 Review report: `_docs/03_implementation/reviews/batch_06_review.md`
 ## Auto-Fix Attempts: 0
 ## Stuck Agents: None
 ## Verification
 - `.venv/bin/python -m black --check src tests e2e/replay` passed.
 - `.venv/bin/python -m ruff check src tests e2e/replay` passed.
 - `.venv/bin/python -m pytest` passed: 38 tests.
 ## Next Batch: AZ-230_satellite_service_vpr_retrieval
@@ -0,0 +1,35 @@
 # Batch Report
 **Batch**: 7
 **Tasks**: AZ-230_satellite_service_vpr_retrieval
 **Date**: 2026-05-03
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|----------------|-------|-------------|--------|
 | AZ-230_satellite_service_vpr_retrieval | Done | 4 files | Pass | 3/3 ACs covered | None |
 ## AC Test Coverage: All covered
 | AC Ref | Coverage |
 |--------|----------|
 | AZ-230 AC-1 | `test_valid_local_index_load_reports_ready_status` verifies local index loading reports readiness and record count. |
 | AZ-230 AC-2 | `test_loaded_index_returns_bounded_candidates_with_freshness` verifies bounded top-K candidate output with tile/chunk IDs, score, footprint, and freshness. |
 | AZ-230 AC-3 | `test_missing_index_degrades_with_explicit_no_candidate_result` verifies missing index produces explicit degraded behavior. |
 ## Code Review Verdict: PASS
 Review report: `_docs/03_implementation/reviews/batch_07_review.md`
 ## Auto-Fix Attempts: 0
 ## Stuck Agents: None
 ## Verification
 - `.venv/bin/python -m black --check src tests e2e/replay` passed.
 - `.venv/bin/python -m ruff check src tests e2e/replay` passed.
 - `.venv/bin/python -m pytest` passed: 42 tests.
 ## Next Batch: AZ-231_anchor_verification_matching
@@ -0,0 +1,35 @@
 # Batch Report
 **Batch**: 8
 **Tasks**: AZ-231_anchor_verification_matching
 **Date**: 2026-05-03
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|----------------|-------|-------------|--------|
 | AZ-231_anchor_verification_matching | Done | 4 files | Pass | 3/3 ACs covered | None |
 ## AC Test Coverage: All covered
 | AC Ref | Coverage |
 |--------|----------|
 | AZ-231 AC-1 | `test_candidate_verification_emits_acceptance_evidence` verifies accepted decisions include MRE, inliers, homography, and reason metadata. |
 | AZ-231 AC-2 | `test_unsafe_candidate_is_rejected_with_reason` verifies unsafe/stale candidates are rejected without estimated pose. |
 | AZ-231 AC-3 | `test_matcher_benchmark_reports_profile_runtime_and_quality_metrics` verifies matcher profile runtime and quality metrics are reportable. |
 ## Code Review Verdict: PASS
 Review report: `_docs/03_implementation/reviews/batch_08_review.md`
 ## Auto-Fix Attempts: 0
 ## Stuck Agents: None
 ## Verification
 - `.venv/bin/python -m black --check src tests e2e/replay` passed.
 - `.venv/bin/python -m ruff check src tests e2e/replay` passed.
 - `.venv/bin/python -m pytest` passed: 45 tests.
 ## Next Batch: AZ-232_safety_anchor_state_machine
@@ -0,0 +1,36 @@
 # Batch Report
 **Batch**: 9
 **Tasks**: AZ-232_safety_anchor_state_machine
 **Date**: 2026-05-03
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|----------------|-------|-------------|--------|
 | AZ-232_safety_anchor_state_machine | Done | 4 files | Pass | 4/4 ACs covered | None |
 ## AC Test Coverage: All covered
 | AC Ref | Coverage |
 |--------|----------|
 | AZ-232 AC-1 | `test_vio_state_updates_position_estimate_with_honest_covariance` verifies VIO updates emit source-labelled estimates with honest covariance. |
 | AZ-232 AC-2 | `test_accepted_anchor_corrects_state_and_records_evidence` verifies accepted anchors promote `satellite_anchored` state and record evidence. |
 | AZ-232 AC-3 | `test_blackout_degrades_then_reaches_no_fix_with_monotonic_covariance` verifies monotonic covariance growth and no-fix semantics. |
 | AZ-232 AC-4 | `test_tile_write_eligibility_requires_trusted_low_covariance_pose` verifies conservative tile-write eligibility. |
 ## Code Review Verdict: PASS
 Review report: `_docs/03_implementation/reviews/batch_09_review.md`
 ## Auto-Fix Attempts: 0
 ## Stuck Agents: None
 ## Verification
 - `.venv/bin/python -m black --check src tests e2e/replay` passed.
 - `.venv/bin/python -m ruff check src tests e2e/replay` passed.
 - `.venv/bin/python -m pytest` passed: 49 tests.
 ## Next Batch: All tasks complete
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Oleksandr Bezdieniezhnykh	e7eaefff8b	chore: sync .cursor from suite	2026-05-05 01:08:48 +03:00
Oleksandr Bezdieniezhnykh	827d4fe644	[AZ-240] Update product implementation and task decomposition processes - Refined task decomposition steps to ensure implementation tasks are atomic and complexity does not exceed 5 points. - Enhanced the product implementation process with a completeness gate to verify task outcomes against architecture promises before proceeding to testing. - Updated dependencies table to reflect new tasks and their relationships, ensuring all test tasks are linked to product remediation tasks. - Adjusted workflow documentation to clarify entry points for task decomposition and implementation contexts. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-05 01:02:25 +03:00
Oleksandr Bezdieniezhnykh	9fb9e4a349	[AZ-232] Add safety anchor state machine Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 19:10:10 +03:00
Oleksandr Bezdieniezhnykh	7819ae7a38	[AZ-231] Add anchor verification gates Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 19:02:13 +03:00
Oleksandr Bezdieniezhnykh	07fb9535a9	[AZ-230] Add local VPR retrieval boundary Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 18:49:37 +03:00
Oleksandr Bezdieniezhnykh	087f4dba27	[AZ-228] [AZ-229] Add VIO and satellite sync boundaries Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 18:31:04 +03:00
Oleksandr Bezdieniezhnykh	2db50bc124	[AZ-226] Add generated tile staging Keep generated tiles auditable and untrusted onboard while preserving covariance, quality, and sidecar metadata for post-flight sync. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 18:10:25 +03:00
Oleksandr Bezdieniezhnykh	e86084da6b	[AZ-223] [AZ-224] [AZ-225] [AZ-227] Add runtime gateways Implement the first runtime component boundaries around the shared contracts so downstream batches can consume typed frame, MAVLink, tile, and FDR behavior with focused tests and batch evidence. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 18:01:13 +03:00
Oleksandr Bezdieniezhnykh	aab11e488e	chore: sync .cursor skills from suite	2026-05-03 17:43:26 +03:00
Oleksandr Bezdieniezhnykh	c3650d979d	[AZ-221] [AZ-222] Add shared runtime helpers Provide deterministic geometry/time-sync helpers and structured config, error, health, and telemetry primitives for downstream runtime components. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 14:01:04 +03:00
Oleksandr Bezdieniezhnykh	5156453224	[AZ-220] Add shared runtime contract models Implement the shared DTO contract surface with validation so runtime components consume one public model set instead of duplicating shapes. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 13:22:50 +03:00
Oleksandr Bezdieniezhnykh	72a9df6b57	[AZ-219] [AZ-228] Generalize VIO component layout Keep VIO package and native bridge paths backend-neutral so BASALT remains an implementation choice rather than a component boundary. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 12:41:54 +03:00
Oleksandr Bezdieniezhnykh	79997e39ac	[AZ-219] Scaffold onboard runtime project Add the initial source, test, infrastructure, CI, configuration, and evidence-path scaffold so dependent implementation tasks have stable package and runtime boundaries. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-03 12:41:54 +03:00
Oleksandr Bezdieniezhnykh	dd9afe2797	Refactor documentation to replace the Validation Harness with a separate E2E Test Suite, updating references throughout various documents. Adjust the autodev state to reflect the transition from the Decompose phase to the Implement phase, and revise the architecture documentation to clarify system boundaries and component relationships. Enhance risk mitigation documentation to specify affected components and update the component overview diagram accordingly.	2026-05-03 12:41:53 +03:00
Oleksandr Bezdieniezhnykh	5bf2dbd85f	Update autodev state documentation to reflect progress in the Decompose phase, changing the current step from 5 to 6. Revise sub-step details to indicate a shift to phase 2, focusing on module layout for the Satellite Service and Tile Manager, and awaiting confirmation before product task decomposition. Additionally, enhance problem documentation to clarify the original still-image sample limitations and introduce the Derkachi representative fixture for improved data validation. Update references to the Tile Manager and Satellite Service throughout the documentation for consistency.	2026-05-03 12:41:52 +03:00
`@@ -58,4 +58,4 @@ Do NOT create minimal epics with just a summary and short description. The epic`

	8. Create "Blackbox Tests" epic — this epic will parent the blackbox test tasks created by the `/decompose` skill. It covers implementing the test scenarios defined in `tests/`.	8. Create "Blackbox Tests" epic — this epic will parent the blackbox test tasks created by the `/decompose` skill. It covers implementing the test scenarios defined in `tests/`.

	Save action: Epics created via the configured tracker MCP. Also saved locally in `epics.md` with ticket IDs. If `tracker: local`, save locally only.	Save action: Epics created via the configured tracker MCP. Also saved locally in `epics.md` with ticket IDs. If tracker availability fails, follow `.cursor/rules/tracker.mdc`; only if the user explicitly chooses `tracker: local`, save locally only with pending tracker markers.
`@@ -1,2 +1,2 @@`
	We have a wing-type UAV with a fixed downward navigation camera that can take photos 3 times per second. The authoritative navigation-camera spec is defined in `restrictions.md` as the ADTi 20MP 20L V1, APS-C sensor, about 5472 x 3648 px; older higher-resolution references are superseded. Also plane has flight controller with IMU. During the plane flight, we know GPS coordinates initially. During the flight, GPS could be disabled or spoofed. We need to determine the GPS of the centers of the next frame from the camera. And also the coordinates of the center of any object in these photos. We can use an external satellite provider for ground checks on the existing photos. So, before the flight, UAV's operator should upload the satellite photos to the plane's companion PC.	We have a wing-type UAV with a fixed downward navigation camera that can take photos 3 times per second. The authoritative navigation-camera spec is defined in `restrictions.md` as the ADTi 20MP 20L V1, APS-C sensor, about 5472 x 3648 px; older higher-resolution references are superseded. Also plane has flight controller with IMU. During the plane flight, we know GPS coordinates initially. During the flight, GPS could be disabled or spoofed. We need to determine the GPS of the centers of the next frame from the camera. And also the coordinates of the center of any object in these photos. We can use an external satellite provider for ground checks on the existing photos. So, before the flight, UAV's operator should upload the satellite photos to the plane's companion PC.
	`The real world examples are in input_data folder, but the distance between each photo is way bigger than it will be from a real plane. On that particular example photos were taken 1 photo per 2-3 seconds. But in real-world scenario frames would appear within the interval no more than 500ms. We also don't have IMU data for the test. For now we have to search for the public data for that in internet. We've tried to record that with Mavic 3 Pro Mini, but failed, cause of the closed system if DJI.`	The real world examples are in input_data folder, but the original still-image set has a much larger distance between photos than the target aircraft will have. On that particular example photos were taken 1 photo per 2-3 seconds. But in real-world scenario frames would appear within the interval no more than 500ms. Additional representative data is available in `input_data/flight_derkachi/`: cropped nadir flight footage plus synchronized `SCALED_IMU2` and `GLOBAL_POSITION_INT` telemetry. This supports video/telemetry synchronization, replay, latency, VIO smoke tests, and trajectory comparison against the tlog GPS path. Camera intrinsics, lens distortion, raw camera feed parameters, and exact camera-to-body calibration are still pending, so final production accuracy claims remain gated on calibration data or a separately surveyed representative dataset.