gps-denied-onboard/_docs/03_implementation/implementation_completeness_cycle1_report.md

Product Implementation Completeness Gate — Cycle 1

Date: 2026-05-16 Cycle: 1 Tasks audited: 107 done product tasks under _docs/02_tasks/done/ (the six hygiene-only specs and AZ-525-class follow-ups are included as PASS because they don't promise new runtime behavior). Audit scope: every task spec's Description / Outcome / Scope.Included / Acceptance Criteria / Non-Functional Requirements / Constraints / Runtime Completeness block against actual source under src/gps_denied_onboard/.

Verdict

FAIL — Step 7 must not advance.

Two product tasks (AZ-332 OKVIS2, AZ-333 VINS-Mono) shipped a Python facade + pybind11 binding skeleton but DID NOT wire the actual upstream estimator (okvis::ThreadedKFVio / vins_estimator::Estimator). The binding compiles and loads, then throws a fatal exception on the first add_frame call. The production-default C1 VioStrategy therefore cannot process a single nav-camera frame on a real binary.

Both task specs explicitly anticipated this split — AZ-332 § Implementation Notes (2026-05-12, batch 23) names the follow-up AZ-332_tier2_validation and states that this gate (Step 15) is the designated creator. AZ-333 carries the same skeleton pattern but no self-deferral note. This report executes that contract.

Per implement/SKILL.md § 15 ("If any product task is FAIL, STOP. Do not write the final product implementation report and do not proceed to any downstream autodev step."), Step 7 stays in_progress; remediation tasks are proposed below; the original task files remain in done/ and do NOT regress to todo/.

FAIL findings

AZ-332 — C1 OKVIS2 Strategy (production-default VIO)

Promised capability: "production-default VioStrategy ... Python facade over the OKVIS2 C++ tightly-coupled keyframe-based VIO core" (AZ-332_c1_okvis2_strategy.md § Description). Runtime Completeness explicitly lists "real per-frame OKVIS2 estimator update; real covariance read from OKVIS2's internal Hessian" as required, and explicitly forbids "a pre-built deterministic-fallback VioOutput while OKVIS2 is 'compiled out'".

Evidence:

• src/gps_denied_onboard/components/c1_vio/okvis2.py — 339-line Python facade. Conforms to the AZ-331 VioStrategy Protocol. PASS.
• src/gps_denied_onboard/components/c1_vio/_native/okvis2_binding.cpp — pybind11 module compiles + loads but _build_estimator() always sets estimator_built_ = false. _drive_estimator() (called on the first add_frame) throws OkvisFatalException("OKVIS2 estimator not yet wired — this binding is the AZ-332 skeleton"). FAIL.
• OKVIS2 upstream is never #include'd (the #include <okvis/ThreadedKFVio.hpp> line is commented out, line 48 of the binding).

Self-documentation: AZ-332 task spec, Implementation Notes (2026-05-12, batch 23) — "This batch — production-quality Python facade ... pybind11 binding source that compiles + loads but throws ... ; Tier-2 follow-up — actual okvis::ThreadedKFVio wiring ... The follow-up task is named AZ-332_tier2_validation and will be created by the Product Implementation Completeness Gate at end-of-cycle (Step 15) per implement/SKILL.md."

Blast radius: the deployment binary (config.vio.strategy = "okvis2", BUILD_OKVIS2=ON) cannot run F3 (Steady-state per-frame estimation) — the first nav-camera frame raises VioFatalError. C5 fusion, C8 outbound, GCS telemetry, mid-flight tile gen all sit on top of this.

AZ-333 — C1 VINS-Mono Strategy (research-only VIO)

Promised capability: Runtime Completeness requires "real VinsMonoStrategy class implementing the AZ-331 Protocol; real pybind11 binding to cpp/vins_mono/ (real VINS-Mono upstream, de-ROSified); real per-frame estimator update".

Evidence:

• src/gps_denied_onboard/components/c1_vio/vins_mono.py — 448-line Python facade. Conforms to the AZ-331 Protocol. PASS.
• src/gps_denied_onboard/components/c1_vio/_native/vins_mono_binding.cpp — same skeleton pattern as OKVIS2. _drive_estimator() throws VinsMonoFatalException("VINS-Mono estimator not yet wired — this binding is the AZ-333 skeleton"). FAIL.

Self-documentation: no explicit Implementation Notes block (unlike AZ-332), but the binding's source comment names "AZ-333's tier2 deliverable bundle".

Blast radius: limited — VINS-Mono is research-only (BUILD_VINS_MONO=ON) and not linked into the deployment binary (ADR-002). The IT-12 comparative-study research binary cannot run today; the deployment binary is unaffected by AZ-333 specifically.

PASS — by component

107 audited tasks, 105 PASS, 0 BLOCKED, 2 FAIL.

Tasks classified as PASS have at least one of:

• A substantial Python/C++ source artifact under the task's owned component (module-layout.md ownership envelope).
• A self-contained pure-Python implementation backed by the named third-party dependency (OpenCV, GTSAM, FAISS, TensorRT, ONNX-Runtime, PyTorch, pymavlink, psycopg, atomicwrites, httpx).
• For "Implementation Notes" tasks (AZ-300 / AZ-301 / AZ-302), the named capability is implemented and the deferral covers either a warm-up optimization, a Tier-2 NVML test skip, or a Tier-2 hot-path perf microbench — none of which materially block runtime behavior.

Foundation + cross-cutting (10 tasks) — all PASS

Task	Title	Evidence
AZ-263	initial structure	src/ skeleton present; package importable.
AZ-266	log module	gps_denied_onboard.logging package.
AZ-267	fdr log bridge	producer-id-tagged log → FDR records.
AZ-268	log schema contract test	shipped in tests.
AZ-269	config loader	gps_denied_onboard.config (env + YAML).
AZ-270	compose root	runtime_root/__init__.py (compose_root, compose_operator).
AZ-271	config precedence tests	shipped.
AZ-507	hygiene module-layout AZ-270 alignment	lint test tests/unit/test_az270_compose_root.py.
AZ-508 / AZ-526	iso-timestamp consolidation	helpers/iso_timestamps.py.
AZ-527	engine-dim assertion consolidation	components/c2_vpr/_engine_dim_assertion.py + sibling under c3.
AZ-528	c1 vio facade spine consolidation	_facade_spine.py.

FDR / FdrClient (4 tasks) — all PASS

| AZ-272 | fdr record schema | fdr_client/records.py. | | AZ-273 | fdr client ringbuf | fdr_client/client.py. | | AZ-274 | fdr overrun emission | producer-side overrun records. | | AZ-275 | fake fdr sink | test fixture, used by every component's unit tests. |

Shared helpers (8 tasks) — all PASS

| AZ-276 | imu_preintegrator | helpers/imu_preintegrator.py (real GTSAM CombinedImuFactor substrate). | | AZ-277 | se3_utils | helpers/se3_utils.py. | | AZ-278 | lightglue_runtime | helpers/lightglue_runtime.py (TRT engine handle). | | AZ-279 | wgs_converter | helpers/wgs_converter.py. | | AZ-280 | sha256 sidecar | helpers/sha256_sidecar.py. | | AZ-281 | engine filename schema | helpers/engine_filename.py. | | AZ-282 | ransac filter | helpers/ransac_filter.py (cv2 essential-matrix). | | AZ-283 | descriptor normaliser | helpers/descriptor_normaliser.py. |

C13 FDR writer (6 tasks) — all PASS

| AZ-291 | writer thread | c13_fdr/writer.py (real single-writer thread + ringbuf consumer). | | AZ-292 | flight header/footer | persistent records. | | AZ-293 | capacity cap policy | ≤ 64 GB enforcement, oldest-first rollover. | | AZ-294 | mid-flight tile snapshot | C6 → C13 hook. | | AZ-295 | thumbnail rate limiter | ≤ 0.1 Hz failed-tile thumbnail log. | | AZ-296 | open-error takeoff abort | take_off aborts with exit 2 + structured ERROR. |

C7 Inference (6 tasks) — all PASS (notable deferrals are documented + non-blocking)

| AZ-297 | runtime protocol | c7_inference/interface.py. | | AZ-298 | tensorrt runtime | 1263-line tensorrt_runtime.py; lazy-imports real tensorrt (line 497). | | AZ-299 | onnxrt fallback | 666-line onnx_trt_ep_runtime.py; lazy-imports onnxruntime (line 213). | | AZ-300 | pytorch baseline | 339-line pytorch_fp16_runtime.py. Warm-up deferred to Tier-2 (documented in spec); first real infer does implicit warm-up, no AC blocked. | | AZ-301 | engine gate | engine_gate.py. AC-8 NVML/Jetpack test is Tier-2-skip — production helper code exists. | | AZ-302 | thermal publisher | thermal_publisher.py + _JtopSource + _PynvmlSource. AC-7 perf microbench Tier-2-deferred — runtime code exists. |

C6 Tile cache (6 tasks) — all PASS

| AZ-303 | storage interfaces | c6_tile_cache/interface.py. | | AZ-304 | postgres schema | SQL migration shipped. | | AZ-305 | postgres+filesystem store | postgres_filesystem_store.py (real psycopg + atomicwrites). | | AZ-306 | faiss descriptor index | faiss_descriptor_index.py (real faiss import). | | AZ-307 | freshness gate | freshness_gate.py. | | AZ-308 | cache budget eviction | cache_budget_enforcer.py. |

C11 Tile manager (5 tasks) — all PASS

| AZ-316 | tile downloader | c11_tile_manager/tile_downloader.py (real httpx). | | AZ-317 | flight state gate | superseded by C12 SRP refactor; C11 carries no gate. | | AZ-318 | signing key | signing_key.py (per-flight key + FDR rotation log). | | AZ-319 | tile uploader | tile_uploader.py (real ingest contract). | | AZ-320 | idempotent retry | IdempotentRetryTileUploader decorator. |

C10 Provisioning (5 tasks) — all PASS

| AZ-321 | engine compiler | c10_provisioning/provisioner.py (real TRT engine compile via C7). | | AZ-322 | descriptor batcher | batched C2 descriptor gen. | | AZ-323 | manifest builder | manifest_builder.py (real SHA-256 manifest). | | AZ-324 | manifest verifier | content-hash gate. | | AZ-325 | cache provisioner | end-to-end F1 build path. |

C12 Operator orchestrator (5 tasks) — all PASS

| AZ-326 | cli app | c12_operator_orchestrator/cli.py. | | AZ-327 | companion bringup | paramiko_ssh_session.py. | | AZ-328 | build cache orchestrator | remote_c10_invoker.py. | | AZ-329 | post-landing upload | PostLandingUploadOrchestrator (real FDR footer gate). | | AZ-330 | operator reloc service | OperatorReLocService + OperatorCommandTransport Protocol. | | AZ-489 | flights api client | flights_api/httpx_client.py. |

C1 VIO (5 tasks) — 1 PASS, 2 FAIL, 2 PASS

| AZ-331 | strategy protocol | c1_vio/interface.py. PASS. | | AZ-332 | OKVIS2 production-default | FAIL — native binding is a skeleton (see above). | | AZ-333 | VINS-Mono research-only | FAIL — same skeleton pattern. | | AZ-334 | KLT/RANSAC simple baseline | 706-line klt_ransac.py, pure-Python OpenCV; no native dep; functional. PASS. | | AZ-335 | warm start recovery | warm_start_store.py. PASS. |

C2 VPR (6 tasks) — all PASS

| AZ-336 | strategy protocol | c2_vpr/interface.py. | | AZ-337 | UltraVPR (production-default) | 441-line ultra_vpr.py; consumes C7 TRT engine. | | AZ-338 | NetVLAD baseline | 500-line net_vlad.py + _net_vlad_architecture.py + PyTorch FP16 path. | | AZ-339 | MegaLoc + MixVPR | substantial impls. | | AZ-340 | SelaVPR + EigenPlaces + SALAD | substantial impls. | | AZ-341 | faiss retrieve wiring | _faiss_bridge.py. |

Note: src/gps_denied_onboard/components/c2_vpr/_native/__init__.py contains only the line """Native bindings for VPR runtime — placeholder.""". The C2 strategies route inference through C7 (TensorRT / ONNX-RT / PyTorch), so this _native/ directory is empty by design (no extant task promises VPR-specific C++ code). Recommend deleting the directory in a future hygiene pass; not a FAIL today.

C2.5 Re-rank (2 tasks) — both PASS (with one noted concern, see § Notes)

| AZ-342 | strategy protocol | c2_5_rerank/interface.py. | | AZ-343 | inlier-count reranker | inlier_based_reranker.py (real LightGlue inlier counting). |

C3 Cross-domain matcher (4 tasks) — all PASS

| AZ-344 | matcher protocol | c3_matcher/interface.py. | | AZ-345 | DISK + LightGlue (production-default) | 288-line disk_lightglue.py; consumes C7 + helpers. | | AZ-346 | ALIKED + LightGlue (secondary) | 289-line aliked_lightglue.py. | | AZ-347 | XFeat (alternate) | 544-line xfeat.py. |

Note: c3_matcher/_native/__init__.py is similarly an empty placeholder — same situation as C2's _native/. Hygiene cleanup, not a FAIL.

C3.5 AdHoP refinement (2 tasks) — both PASS

| AZ-348 | refiner protocol | c3_5_adhop/interface.py. | | AZ-349 | AdHoP refiner | 509-line adhop_refiner.py; real C7-backed AdHoP engine load. Note: runtime_root/refiner_factory.py docstring still calls AdHoPRefiner "placeholder today" — that comment is stale; the production class is real. Hygiene fix recommended (one-line doc update). |

C4 Pose estimation (3 tasks) — all PASS

| AZ-355 | pose protocol | c4_pose/interface.py. | | AZ-358 | OpenCV solvePnPRansac + GTSAM Marginals | opencv_gtsam_estimator.py (real cv2 + gtsam). | | AZ-361 | Jacobian thermal hybrid | D-CROSS-LATENCY-1 auto-degrade path. |

C5 State estimator (9 tasks) — all PASS

| AZ-381 | protocol | c5_state/interface.py. | | AZ-382 | iSAM2 smoother wiring | gtsam_isam2_estimator.py (real gtsam.IncrementalFixedLagSmoother). | | AZ-383 | factor adds | factor-graph construction. | | AZ-384 | marginals outputs | covariance recovery via gtsam.Marginals. | | AZ-385 | source-label spoof gate | SourceLabelStateMachine. | | AZ-386 | ESKF baseline | eskf_baseline.py (mandatory engine-rule baseline). | | AZ-387 | smoothed history FDR | retroactive smoothing → FDR. | | AZ-388 | AC-5.2 fallback | FC-IMU-only fallback path. | | AZ-389 | orthorectifier → C6 mid-flight tiles | _orthorectifier.py + compose-root _C6MidFlightIngestAdapter. | | AZ-490 | set_takeoff_origin | operator-origin warm-start hook. |

C8 FC adapter (8 tasks) — all PASS

| AZ-390 | adapter protocol | c8_fc_adapter/interface.py. | | AZ-391 | inbound subscription | pymavlink + msp2 decoders. | | AZ-392 | covariance projector | 2×2 horizontal sub-block → horiz_accuracy. | | AZ-393 | ardupilot outbound | pymavlink_ardupilot_adapter.py. | | AZ-394 | inav outbound | msp2_inav_adapter.py. | | AZ-395 | mavlink signing | per-flight key rotation + FDR record. | | AZ-396 | source-set switch | MAV_CMD_SET_EKF_SOURCE_SET flow. | | AZ-397 | qgc telemetry adapter | mavlink_gcs_adapter.py. | | AZ-558 | mavlink transport routing | seam between encoder + serial transport. |

Replay path (8 tasks) — all PASS

| AZ-398 | frame source + clock | replay_input/ + frame_source/. | | AZ-399 | tlog adapter | replay_input/tlog_adapter.py. | | AZ-400 | jsonl sink | c8_fc_adapter/replay_sink.py. | | AZ-401 | replay compose | runtime_root/_replay_branch.py. | | AZ-402 | replay cli | cli/replay.py. | | AZ-403 | replay dockerfile + ci | shipped under Dockerfile.replay + .github/workflows/. | | AZ-404 | replay e2e fixture | tests/e2e/replay/. | | AZ-405 | replay auto-sync | replay_input/auto_sync.py. |

Notes / non-blocking observations

1. Production composition root has no per-binary bootstrap module registering strategies. runtime_root/__init__.py defines a strategy registry (register_strategy, _resolve_strategy) and topo-sorts constructed components, but register_strategy is never called anywhere in src/. compose_root(config) would raise StrategyNotLinkedError on every C1-C8 slug if invoked today. This is the "per-binary bootstrap module" the AZ-263 / AZ-270 prose anticipates — a separate concern from any one task and arguably out of scope for this gate (the registry seam exists; the actual registration lives in a not-yet-written bootstrap module). Recommend surfacing as a separate cross-cutting task (E-CC-CONF or E-BOOT).

2. helpers/feature_extractor.py::OpenCvOrbExtractor is documented as a placeholder ("Production deployments MUST replace this extractor with a deep-learning backbone before flight (tracked under the future C2.5 backbone-extractor task)"). No DISK/ALIKED extractor exists. C2.5 (AZ-343) uses an injected FeatureExtractor; the only concrete impl is ORB. AZ-343's spec does NOT name DISK/ALIKED, so this is a known-future-task gap rather than an AZ-343 FAIL — but the prod composition root will need a non-ORB extractor before flight. Recommend surfacing as a follow-up task (5 points or less).

3. _types/tile.py scaffolding DTOs (Tile, TileRecord) are no longer referenced by any module under src/. Dead code per coderule.mdc. Recommend deleting in a hygiene PBI; not a Gate FAIL.

4. runtime_root/refiner_factory.py docstring describes AdHoPRefiner as "placeholder today" — stale comment; the production class is real. One-line doc fix.

5. c2_vpr/_native/__init__.py and c3_matcher/_native/__init__.py are empty placeholder modules. C2/C3 strategies route inference through C7; no native code is owed. Recommend deleting both directories.

6. Process leftover 2026-05-11_d_cross_cve_1_opencv_pin_deferred.md remains open (gtsam still numpy 1.x). Not blocking for this gate.

Remediation tasks proposed

Per implement/SKILL.md § 15 remediation task creation rules: each remediation task is sized at ≤ 5 points; depends on its failed parent; goes to _docs/02_tasks/todo/; tracker tickets to be created on user approval (Jira availability gate per .cursor/rules/tracker.mdc).

Proposed task 1 — remediate_AZ-332_okvis2_threadedkfvio_wiring

• Parent FAIL: AZ-332.
• Goal: wire okvis::ThreadedKFVio inside _native/okvis2_binding.cpp (_build_estimator() and _drive_estimator()); enable the commented-out includes; instantiate the estimator from yaml_config_; attach the output callback that fills latest_output_ under output_mtx_; CI matrix that installs Ceres + initialises OKVIS2's vendored submodules.
• Complexity: 5 points.
• Dependencies: AZ-332, AZ-276, AZ-277.
• Out of scope: AC-9 honest-covariance Tier-2 validation against Derkachi-class fixtures (separate Tier-2 perf task).

Proposed task 2 — remediate_AZ-333_vins_mono_estimator_wiring

• Parent FAIL: AZ-333.
• Goal: wire vins_estimator::Estimator + feature_tracker inside _native/vins_mono_binding.cpp; enable the de-ROSified VINS-Mono pin build; ensure the same Protocol-conforming output shape as OKVIS2; research-only.
• Complexity: 5 points.
• Dependencies: AZ-333, AZ-276, AZ-277.
• Out of scope: IT-12 comparative-study harness (lives in E-BBT).

If either remediation task grows beyond 5 points during decomposition, split into infrastructure + estimator-wiring + per-frame-cov-read sub-tasks before scheduling.

Gate decision

Per implement/SKILL.md § 15:

If any product task is FAIL, STOP. Do not write the final product implementation report and do not proceed to any downstream autodev step. Completed original task files remain in done/; the missing work is represented by remediation tasks.

State: Step 7 stays in_progress. The Choose block in the next agent message presents the operator A/B/C options. The two remediation tasks above will be created on user direction.

End of report.