# Security Tests

### NFT-SEC-01: Signed Cache Manifest Enforcement

**Summary**: Validate that unsigned or tampered cache manifests cannot produce trusted anchors.

**Traces to**: AC-8.2, AC-8.3, AC-NEW-4, AC-NEW-7

| Step | Consumer Action | Expected Response |
|------|-----------------|-------------------|
| 1 | Provide valid signed manifest | System accepts cache fixture if all freshness and resolution checks pass |
| 2 | Provide unsigned manifest | System rejects cache fixture and logs security event |
| 3 | Provide hash-mismatched tile sidecar | System rejects affected tile and emits no trusted anchor from it |

**Pass criteria**: 0 unsigned or hash-mismatched fixtures produce `satellite_anchored` output or trusted generated tile promotion.

---

### NFT-SEC-02: Cache Poisoning Write Gate

**Summary**: Validate that generated onboard tiles are not written or promoted when parent-pose covariance is too weak.

**Traces to**: AC-8.4, AC-NEW-7

| Step | Consumer Action | Expected Response |
|------|-----------------|-------------------|
| 1 | Replay generated tile candidate with parent sigma <=3 m | Tile may be written as candidate with full quality metadata |
| 2 | Replay candidate with parent sigma in (3 m, 5 m] | Tile is marked lower trust per sidecar policy |
| 3 | Replay candidate with parent sigma >5 m | Tile is not eligible for write/promotion |

**Pass criteria**: Tile trust level and write eligibility match AC-NEW-7; no over-threshold tile becomes trusted basemap.

---

### NFT-SEC-03: MAVLink Source And Spoofing Rejection

**Summary**: Validate that spoofed real-GPS measurements and unauthorized MAVLink sources do not override trusted estimator state.

**Traces to**: AC-3.5, AC-4.3, AC-NEW-2, AC-NEW-8

| Step | Consumer Action | Expected Response |
|------|-----------------|-------------------|
| 1 | Inject spoofed `GPS_RAW_INT` during normal visual operation | Estimator rejects inconsistent GPS based on FC health and visual/satellite consistency |
| 2 | Inject spoofed GPS during visual blackout | Spoofed GPS remains excluded until health and visual consistency gates pass |
| 3 | Inject MAVLink messages from unauthorized source ID | Message is ignored and security/status event is logged |

**Pass criteria**: No unauthorized or spoofed input causes a confident position estimate; promotion/demotion status is visible to QGC and FDR.

---

### NFT-SEC-04: No In-Flight Satellite Provider Access

**Summary**: Validate that the runtime system does not call commercial or Suite satellite services during flight.

**Traces to**: AC-8.1, AC-8.3, Restrictions Satellite Imagery

| Step | Consumer Action | Expected Response |
|------|-----------------|-------------------|
| 1 | Run replay with network blocked | System continues using local cache |
| 2 | Run replay requiring missing tile | System reports degraded/relocalization-needed status, not an external fetch |

**Pass criteria**: 0 outbound satellite-provider or Suite Service calls during runtime; missing cache data produces controlled degraded behavior.

---

### NFT-SEC-INFRA: Invalid Cache No-Fetch Smoke

**Summary**: Validate that the replay harness treats untrusted cache fixtures as a successful security rejection, not as a trusted anchor.

**Traces to**: AZ-236 AC-2, AZ-236 AC-3, AZ-233 Security NFR

| Step | Consumer Action | Expected Response |
|------|-----------------|-------------------|
| 1 | Run replay with `cache_variant=stale` | Satellite cache stub marks the manifest untrusted and records no network fetch |
| 2 | Inspect replay evidence | Scenario reports `pass`, `source_label=untrusted_cache_rejected`, and `GPS_INPUT.fix_type=0` |

**Pass criteria**: The invalid cache smoke scenario passes only when the untrusted fixture is rejected and no external satellite-provider or Suite service network fetch is attempted.