# Traceability Matrix

## Acceptance Criteria Coverage

| AC ID | Acceptance Criterion | Test IDs | Coverage |
|-------|---------------------|----------|----------|
| AC-1 | Health endpoint responds | FT-P-01, FT-P-02, NFT-PERF-01 | Covered |
| AC-2 | Login sets credentials | FT-P-03, NFT-PERF-02, NFT-RES-01 | Covered |
| AC-3 | Login rejects invalid credentials | FT-N-01, FT-N-02 | Covered |
| AC-4 | Resource download returns decrypted bytes | FT-P-04, FT-N-04, NFT-PERF-03, NFT-RES-02 | Covered |
| AC-5 | Resource upload succeeds | FT-P-05, FT-N-03, NFT-RES-LIM-01 | Covered |
| AC-6 | Unlock starts background workflow | FT-P-06, NFT-RES-LIM-02 | Covered |
| AC-7 | Unlock detects already-loaded images | FT-P-07 | Covered |
| AC-8 | Unlock status reports progress | FT-P-08 | Covered |
| AC-9 | Unlock completes full cycle | FT-P-06, NFT-RES-03 | Covered |
| AC-10 | Unlock handles missing archive | FT-N-05 | Covered |
| AC-11 | Resources encrypted at rest | NFT-SEC-02 | Covered |
| AC-12 | Hardware-bound key derivation | NFT-SEC-03 | Covered |
| AC-13 | Binary split prevents single-source compromise | FT-P-04 (split download) | Covered |
| AC-14 | JWT token from trusted API | FT-P-03, NFT-SEC-01 | Covered |
| AC-15 | Auto-retry on expired token | — | NOT COVERED — requires mock API that returns 401 then 200 on retry; complex mock setup |
| AC-16 | Docker images verified | FT-P-07 (checks via unlock) | Covered |
| AC-17 | Logs rotate daily | — | NOT COVERED — operational config, not observable via HTTP API |
| AC-18 | Container builds on ARM64 | — | NOT COVERED — CI pipeline concern, not black-box testable |

## Restrictions Coverage

| Restriction ID | Restriction | Test IDs | Coverage |
|---------------|-------------|----------|----------|
| R-HW-1 | ARM64 architecture | — | NOT COVERED — build/CI concern |
| R-HW-2 | Docker daemon access | FT-P-06, FT-P-07, NFT-RES-03 | Covered |
| R-HW-3 | Hardware fingerprint availability | NFT-SEC-03 | Covered |
| R-SW-1 | Python 3.11 | — | Implicit (test environment uses Python 3.11) |
| R-ENV-1 | RESOURCE_API_URL env var | FT-P-03 (uses configured URL) | Covered |
| R-ENV-2 | IMAGES_PATH env var | FT-P-06, FT-N-05 | Covered |
| R-ENV-3 | API_VERSION env var | FT-P-07 | Covered |
| R-OP-1 | Single instance | NFT-RES-LIM-02 | Covered |

## Coverage Summary

| Category | Total Items | Covered | Not Covered | Coverage % |
|----------|-----------|---------|-------------|-----------|
| Acceptance Criteria | 18 | 15 | 3 | 83% |
| Restrictions | 8 | 6 | 2 | 75% |
| **Total** | **26** | **21** | **5** | **81%** |

## Uncovered Items Analysis

| Item | Reason Not Covered | Risk | Mitigation |
|------|-------------------|------|-----------|
| AC-15 (Auto-retry 401) | Requires complex mock that returns 401 on first call, 200 on retry | Medium — retry logic could silently break | Can be covered with a stateful mock API in integration tests |
| AC-17 (Log rotation) | Operational config, not observable through HTTP API | Low — Loguru config is static | Manual verification of loguru configuration |
| AC-18 (ARM64 build) | CI pipeline concern, not black-box testable | Low — CI pipeline runs on ARM64 runner | Covered by CI pipeline itself |
| R-HW-1 (ARM64) | Build target, not runtime behavior | Low | CI pipeline |
| R-SW-1 (Python 3.11) | Implicit in test environment | Low | Dockerfile specifies Python version |