gps-denied-onboard/_docs/03_implementation/batch_82_report.md

Batch 82 Report — FT-P-15 + FT-P-16 + FT-P-18 cache / offline / no-raw-retention

Batch: 82 Date: 2026-05-17 Context: Test implementation (greenfield Step 10 — Implement Tests) Tasks: AZ-421 (3 cp) — single task covering 3 sub-scenarios Cycle: 1 Verdict: COMPLETE — PASS_WITH_WARNINGS (self-reviewed; see reviews/batch_82_review.md)

Summary

Implements three storage / cache compliance scenarios that share the tile-cache-fixture + FDR-archive observation surface:

• FT-P-15 — Tile manifest schema completeness + 0.5 m/px floor (AC-8.1). Reads FDR cache-self-check record + tile-load-rejected events, validates every entry has CRS, tile_matrix, dimension, m_per_px, capture_date, source, compression; entries below floor must be explicitly rejected.
• FT-P-16 — Offline-only operation (AC-8.3 / RESTRICT-SAT-1). Reads docker network inspect e2e-net + docker inspect <sut> JSON snapshots; asserts e2e-net.Internal == true AND the SUT is attached to that network only. The 0-egress semantic is enforced structurally — no other network is reachable.
• FT-P-18 — No raw nav/AI-camera frame retention (AC-8.5). Walks FDR + tile-cache, probes JPEG dimensions, rejects any file whose extension + dimensions match the nav-camera raw pattern (5472×3648 or 880×720). Extrapolates thumbnail-log size to 8 h and asserts < 1 GB.

AZ-421 — FT-P-15 + FT-P-16 + FT-P-18 (3 cp)

• e2e/runner/helpers/tile_cache_inspector.py (new, ~370 lines): pure-logic evaluators sourced from FDR / docker-inspect / filesystem walks.

  • evaluate_manifest_schema(entries, *, tile_load_rejected_ids, m_per_px_floor) → ManifestSchemaReport (AC-1, AC-2).
  • evaluate_offline_mode(network_inspect, container_inspect) → OfflineModeReport (AC-3).
  • detect_raw_frames(file_specs, *, raw_dimensions, decoded_dimensions, raw_extensions) → RawFrameDetectionReport (AC-4).
  • evaluate_thumbnail_budget(size_bytes, duration_h) → ThumbnailLogBudgetReport (AC-5).
  • walk_files(*roots) — convenience recursive walker.
  • probe_jpeg_dimensions(path) → (w, h) via SOF marker parse, stdlib-only.
  • Module-level constants: CACHE_SELF_CHECK_FDR_KIND, TILE_LOAD_REJECTED_FDR_KIND, MANIFEST_REQUIRED_FIELDS, MANIFEST_M_PER_PX_FLOOR, NAV_CAMERA_RAW_DIMENSIONS, THUMBNAIL_LOG_MAX_SIZE_GB_PER_8H.

• e2e/tests/positive/test_ft_p_15_cache_schema.py (new, ~115 lines): FT-P-15 scenario. Skips on missing fixture; fails loudly on empty cache-self-check record. traces_to(AC-8.1,AC-1,AC-2,AC-6).

• e2e/tests/positive/test_ft_p_16_offline_only.py (new, ~115 lines): FT-P-16 scenario. Skips on missing DOCKER_NETWORK_INSPECT_PATH / DOCKER_CONTAINER_INSPECT_PATH env vars (fixture builder pre-snapshots these because the runner has no docker-socket access). traces_to(AC-8.3,AC-3,AC-6,RESTRICT-SAT-1).

• e2e/tests/positive/test_ft_p_18_no_raw_retention.py (new, ~125 lines): FT-P-18 scenario. Walks FDR + tile-cache once; probes JPEGs; computes replay duration from FDR monotonic_ms span; evaluates AC-4 + AC-5. traces_to(AC-8.5,AC-4,AC-5,AC-6).

• e2e/_unit_tests/helpers/test_tile_cache_inspector.py (new, 43 tests): pure-logic coverage for every evaluator + walker + probe.

• e2e/_unit_tests/test_directory_layout.py (edited): registers runner/helpers/tile_cache_inspector.py and three new scenario test paths.

Tests

Full e2e/_unit_tests/ suite: 793 passed in 139.27 s (baseline 746 → +47 net). Run via python -m pytest e2e/_unit_tests/ from the workspace root. No flakes, no skips outside the pre-existing intentional skips.

Collection check on the three new scenario tests: 18 items (3 tests × 6 (fc_adapter, vio_strategy) combinations). Scenario tests skip locally because E2E_SITL_REPLAY_DIR is unset and the docker-inspect env vars are unset — intended container-vs-host boundary.

Per-area test counts (this batch):

File	Tests added
test_tile_cache_inspector.py (new)	43
test_directory_layout.py (edited)	4 (4 path entries)
test_no_sut_imports.py (no edit; broader walk)	implicit +1 module covered
Total	+47

Acceptance Criteria Verification

AC	Status	Evidence
AC-1 — manifest schema completeness	✓	test_ft_p_15_cache_schema + 12 test_evaluate_manifest_schema_*
AC-2 — m/px ≥ 0.5 floor (or rejected)	✓	Same scenario; below-floor-with-rejection / without-rejection unit tests
AC-3 — offline operation (no non-e2e-net egress)	✓	test_ft_p_16_offline_only + 7 test_evaluate_offline_mode_*
AC-4 — no raw-frame retention	✓	test_ft_p_18_no_raw_retention + 9 test_detect_raw_frames_* + 5 test_probe_jpeg_dimensions_*
AC-5 — thumbnail log < 1 GB / 8 h	✓	Same scenario; 7 test_evaluate_thumbnail_budget_*
AC-6 — parameterisation	✓	6 param IDs per scenario; 18 total items collected

Code Review Verdict

PASS_WITH_WARNINGS (no Critical, no High; 3 Low notes — see reviews/batch_82_review.md).

Auto-Fix Attempts

0 (no auto-fix-eligible findings).

Stuck Agents

None.

Notable Decisions

• Single task in batch 82. AZ-421 internally covers 3 sub-scenarios (FT-P-15 / 16 / 18) — the task spec itself groups them because they share the tile-cache-fixture + FDR observation surface. Pulling AZ-422/423/427 in would have produced 7 test files + multiple new helpers in one batch, exceeding the recent empirical scope per batch (1–2 sub-scenarios). AZ-422 / AZ-423 / AZ-427 land as their own batches.
• AC-3 (offline-only) is enforced structurally, not by packet count. The spec says "all egress to non-e2e-net destinations is 0". With e2e-net.Internal == true and the SUT attached only to e2e-net, the packet count is provably 0 by Docker's network policy — there is literally no other network the SUT can reach. Checking the docker-inspect snapshots is cheaper and more reliable than per-packet counters.
• JPEG SOF dimension probe is stdlib-only. Loading every JPEG through OpenCV / Pillow just to read (width, height) would decode pixel data we discard. The 30-line SOF parser reads ≤16 bytes per segment hop and terminates in <30 hops on real JPEGs.
• The probe_jpeg_dimensions returns None on truncation / non-JPEG / OSError — does NOT raise. The downstream detect_raw_frames explicitly treats None as "dimension unknown ≠ raw frame match" (documented). This avoids the test failing on every directory walk that happens to contain a corrupt JPEG, while still surfacing real raw-frame retention.
• Docker inspect via env-var indirection. The e2e-runner container does not have docker-socket access (an intentional security boundary). The fixture builder must docker network inspect e2e-net > /e2e-results/net.json + docker inspect gps-denied-onboard > /e2e-results/sut.json before the runner starts, and the runner reads those snapshots through env vars. This is the same pattern AZ-420 used for gcs_tlog_<host>.tlog (fixture-builder responsibility).

Production Dependencies (forward-look)

FT-P-15 / FT-P-16 / FT-P-18 transitively depend on:

• FDR cache-self-check record at SUT cold-start — the SUT's C6 tile-cache loader must emit one record carrying every manifest entry it loaded. (Cross-checked against the FDR schema documented in _docs/02_document/components/c6_* — slot is reserved; no producer wires it yet.)
• FDR tile-load-rejected events — for entries below the m/px floor (or otherwise rejected by the freshness gate). Reserved same way.
• Docker compose e2e-net attribute internal: true — owned by AZ-406. Already wired per the existing compose file.
• Fixture builder snapshots of docker inspect (AZ-595).

Tests fail loudly when fixture data is missing rather than silently skipping — the "tests as gates" pattern.

Out of Scope (deferred)

• DNS blackhole defense-in-depth — owned by NFT-SEC-05 (AZ-437).
• Cache-poisoning safety — owned by NFT-SEC-01 (AZ-436).
• Stale-tile rejection on aged source tiles — owned by FT-N-05 (AZ-427).
• The fixture builder's actual cache-self-check FDR synthesis + docker-inspect JSON capture — owned by AZ-595.

Next Batch

Batch 83 candidates from _docs/02_tasks/todo/ (20 remaining): AZ-422 (FT-P-17 + FT-N-06 mid-flight tiles, 3 cp), AZ-423 (FT-P-19 sat reloc, 3 cp), AZ-427 (FT-N-05 stale-tile rejection, 2 cp). Topo-order leader is AZ-422. Pick at next /autodev invocation.