gps-denied-onboard/_docs/02_document/components/11_c10_provisioning/tests.md
Oleksandr Bezdieniezhnykh 64542d32fc Update autodev state, architecture documentation, and glossary terms
Transitioned the autodev state to phase 21, reflecting the completion of Step 5 and the drafting of Step 6 epics. Revised the architecture documentation to clarify the roles of the Tile Manager and its components, ensuring accurate representation of the system's operational flow. Updated glossary entries for Flight State and Operator to incorporate recent changes and enhance clarity on component interactions and responsibilities.
2026-05-10 00:21:34 +03:00

Test Specification — C10 Pre-flight Cache Provisioning (engines + descriptors + manifest)

Component-scoped. Suite-level coverage in _docs/02_document/tests/*.md. C10 was narrowed in this Plan cycle: it builds model-derived artifacts (TensorRT engines, VPR descriptors, signed Manifest) from an already-populated C6 tile cache. Tile fetch is C11 TileDownloader's concern.

Acceptance Criteria Traceability

| AC ID | Acceptance Criterion (one-line) | Test IDs | Coverage |
|---|---|---|---|
| AC-8.3 | Imagery pre-loaded onto companion before flight (the manifest gate) | FT-P-15, FT-P-16, C10-IT-01 | Covered |
| AC-NEW-1 | Cold-start TTFF <30 s p95 (pre-built engines required) | NFT-PERF-03, C10-IT-02 | Covered |
| D-C10-1 | Manifest-hash idempotence on repeated build | C10-IT-03 | Covered |
| D-C10-3 | Takeoff content-hash gate refuses mismatch | covered at C7-IT-03; C10-IT-04 asserts the manifest signing path | Covered |
| D-C10-6 | Engine cache hardware-tied (SM 87 / JP 6.2 / TRT 10.3 / FP16) | C7-IT-04, C10-IT-05 | Covered |
| D-C10-7 | Engine filename schema enforcement | covered at C7-IT-04 | Covered |

Component-Internal Tests

C10-IT-01: end-to-end build from a pre-populated C6

Summary: given a C6 tile cache populated by C11 TileDownloader (10 GB Derkachi area), C10 produces (a) all required TensorRT engines, (b) the FAISS HNSW index over VPR descriptors, (c) a signed Manifest, in under the operator-tooling time budget.

Traces to: AC-8.3, AC-NEW-1

Description: stage a C6 with the Derkachi corpus already populated; run CacheProvisioner.build_artifacts; assert (a) the engine set under cache_artifacts/engines/ matches the configured model list, (b) descriptor_index.faiss is non-empty and queryable, (c) the Manifest is signed with the operator's signing key and content-hashes every artifact.

Input data: pre-populated C6 (tests/fixtures/c6_populated_derkachi/).

Expected result: all artifacts present + signed Manifest.

Max execution time: 12 min on Tier-1 (CPU TRT compile is slow; Tier-2 takes ~4 min and is the production path).


C10-IT-02: ManifestVerifier refuses unsigned / wrong-signature Manifest

Summary: ManifestVerifier.verify rejects a Manifest whose signature doesn't validate against the operator's public key.

Traces to: AC-NEW-1, D-C10-3

Description: build a valid Manifest; copy it; tamper one byte; call verify; assert ManifestSignatureError. Repeat: copy + replace signature with one signed by an unauthorized key; assert ManifestSignatureError.

Input data: valid Manifest + 2 tampered copies.

Expected result: both tampered Manifests rejected.

Max execution time: 5 s.


C10-IT-03: idempotence on repeated build

Summary: re-running build_artifacts against an unchanged C6 produces the same Manifest content-hash and skips already-built engines.

Traces to: D-C10-1

Description: run build once; record Manifest content-hash + engine compile timestamps. Re-run with no C6 changes; assert (a) Manifest content-hash unchanged, (b) engines reused (no recompile, asserted via timestamp comparison), (c) total wall-clock < 1 min on Tier-1.

Input data: as C10-IT-01.

Expected result: idempotent — same hash, no recompile.

Max execution time: 90 s (second-run only).


C10-IT-04: Manifest covers every shipped artifact

Summary: the Manifest's content-hash table includes every file under cache_artifacts/; an artifact present on disk but missing from the Manifest is a build failure.

Traces to: D-C10-3 (no smuggled artifacts can pass the takeoff gate)

Description: after a successful build, plant an extra file in cache_artifacts/; re-run build_artifacts (or call the build's post-step audit hook); assert build refuses to sign — output ManifestCoverageError listing the orphan file.

Input data: as C10-IT-01 plus an extra file.

Expected result: build fails with ManifestCoverageError.

Max execution time: 60 s.


C10-IT-05: Tier-2 hardware-tied engine compile produces SM-87 / JP-6.2 / TRT-10.3 binary

Summary: when run on the bench Jetson, C10 produces engines whose internal TRT metadata reports SM=87, JetPack=6.2, TRT=10.3, precision=FP16.

Traces to: D-C10-6

Description: run build_artifacts on the bench Jetson; for each engine, parse the internal TRT version footer; assert the quadruple matches.

Input data: bench Jetson + Derkachi C6 fixture.

Expected result: all engines tagged correctly.

Max execution time: 6 min on Tier-2.


Performance Tests

C10-PT-01: build wall-clock budget on Tier-1 (operator-tooling laptop)

Traces to: operator-tooling UX (no AC trace; an operator-tooling SLO)

Load scenario: full Derkachi corpus (10 GB, ~87 654 tiles).

Expected results:

| Metric | Target | Failure Threshold |
|---|---|---|
| Cold build wall-clock | ≤ 12 min on a developer laptop with NVIDIA GPU | 25 min |
| Warm idempotent re-run | ≤ 1 min | 3 min |

Security Tests

C10-ST-01: signing-key path uses operator-controlled key (not a baked-in dev key)

Summary: the build refuses to sign the Manifest if the configured signing-key path points to the baked-in dev key (caught via a hash-list check).

Traces to: defensive (production-key safety)

Test procedure:

  1. Configure C10 with the dev-key path that's hard-coded into the dev fixtures.
  2. Run build_artifacts.
  3. Assert refusal with OperatorKeyRequiredError.

Pass criteria: refusal. Fail criteria: build succeeds with the dev key.
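The four manifest checks above (C10-IT-02 signature rejection, C10-IT-03 content-hash idempotence, C10-IT-04 coverage audit, C10-ST-01 dev-key refusal) in one runnable sketch. This is an added example, not the project's CacheProvisioner or ManifestVerifier: the function names, the dev-key hash-list, the fixture files and the key bytes are all constructed here, and an HMAC stands in for the asymmetric signature the spec verifies against the operator's public key.

```python
import hashlib, hmac, json, os, tempfile

class ManifestCoverageError(Exception): pass     # file on disk, absent from Manifest (C10-IT-04)
class ManifestSignatureError(Exception): pass    # signature does not validate (C10-IT-02)
class OperatorKeyRequiredError(Exception): pass  # baked-in dev key configured (C10-ST-01)
DEV_KEY = b"dev-fixture-key-do-not-ship"  # constructed stand-in for the baked-in dev key
DEV_KEY_HASHES = {hashlib.sha256(DEV_KEY).hexdigest()}  # assumed hash-list of refused keys

def hash_artifacts(root):
    """Content-hash every file under cache_artifacts/, keyed by path relative to root."""
    table = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                table[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return table

def build_manifest(root, signing_key):
    """Hash every artifact, then sign the table; the dev key is refused before any hashing."""
    if hashlib.sha256(signing_key).hexdigest() in DEV_KEY_HASHES:
        raise OperatorKeyRequiredError("refusing to sign with a baked-in dev key")
    table = hash_artifacts(root)
    body = json.dumps(table, sort_keys=True).encode()  # canonical bytes: same C6 -> same hash
    # HMAC stands in for the project's asymmetric signature so the block runs on stdlib only.
    return {"artifacts": table,
            "content_hash": hashlib.sha256(body).hexdigest(),
            "signature": hmac.new(signing_key, body, hashlib.sha256).hexdigest()}

def verify_manifest(manifest, operator_key):
    """Recompute the signature over the artifact table; any mismatch is rejected."""
    body = json.dumps(manifest["artifacts"], sort_keys=True).encode()
    expected = hmac.new(operator_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["signature"]):
        raise ManifestSignatureError("manifest signature does not validate")
    return manifest["content_hash"]

def audit_coverage(root, manifest):
    """Post-build audit: a file on disk that the table does not cover fails the build."""
    orphans = sorted(set(hash_artifacts(root)) - set(manifest["artifacts"]))
    if orphans:
        raise ManifestCoverageError("unmanifested artifacts: " + ", ".join(orphans))
    return True

def make_fixture():
    """Constructed stand-in for a built cache_artifacts/ with two fake artifact files."""
    root = tempfile.mkdtemp()
    for name, data in [("vpr.engine", b"\x00engine"), ("descriptor_index.faiss", b"\x01index")]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Swapping `hmac` for a real signature scheme changes only `build_manifest` and `verify_manifest`; the coverage audit and the dev-key refusal are independent of how the table is signed.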


Acceptance Tests

Covered transitively via FT-P-15 / FT-P-16 (operator workflow tests).


Test Data Management

| Data Set | Source | Size |
|---|---|---|
| tests/fixtures/c6_populated_derkachi/ | C11 TileDownloader build artifact | ~10 GB on disk |
| Operator signing key (test-only) | generated per test run | <1 KB |
| Dev key (for the negative test) | curated, in-repo | <1 KB |

Setup: C11 TileDownloader integration test (under C11) populates C6 once; that artifact is reused. Teardown: per-test temp dirs for cache_artifacts/ build outputs. Data isolation: per-test temp cache_artifacts/.