# Non-Functional Tests

**Task**: AZ-290_nonfunctional_tests
**Name**: Non-functional tests: perf, resilience, security, limits
**Complexity**: 3 points
**Dependencies**: AZ-285
**Component**: Blackbox Tests
**Tracker**: AZ-290
**Epic**: AZ-284

## Performance Scenarios (PT-01 through PT-06)

- PT-01: Tile download latency <30s
- PT-02: Cached tile retrieval <500ms
- PT-03/04: Region processing throughput
- PT-05: 5 concurrent regions all complete
- PT-06: Route interpolation <5s

## Resilience Scenarios (RS-01 through RS-06)

- RS-01: API starts with database ready
- RS-02: Migrations run on fresh DB
- RS-03: Region processing handles tile failures
- RS-04: Queue rejects overflow (capacity 1000)
- RS-05: Max 4 concurrent downloads
- RS-06: Route processing completes all regions

## Security Scenarios (SEC-01 through SEC-04)

- SEC-01: SQL injection via coordinates
- SEC-02: Path traversal in tile serving
- SEC-03: Oversized region request
- SEC-04: Malformed JSON

## Resource Limit Scenarios (RL-01 through RL-04)

- RL-01: ZIP ≤ 50MB
- RL-02: Queue capacity 1000
- RL-03: Concurrent download semaphore (4)
- RL-04: Concurrent region processing (20)

## System Under Test Boundary

All tests drive the system via HTTP API or observe Docker container behavior.

## Acceptance Criteria

AC-1: Performance scripts (scripts/run-performance-tests.sh) pass thresholds
AC-2: Resilience tests verify state transitions and resource limits
AC-3: Security tests confirm no injection or traversal vulnerabilities