Edge Invariant Traceability Matrix¶

Scope: AutonomyOps ADK Edge Capability — INV-01 through INV-13 Authority: Workplan v0.7 §2 (invariants) + §6 (enforcement matrix) Last updated: 2026-03-01

All FI tests are in edge/fi/ (//go:build integration) and edge/ci/tests/. CI guardrails run on every PR via .github/workflows/edge-fi.yml and Makefile targets.

Matrix¶

Inv	Description	Code Modules	Runtime Enforcement	CI Guardrail	FI Tests
INV-01	No Shared State	`edge/storage/localstore.go` (local-root path check) · `edge/config/startup.go` (startup abort on out-of-root path)	Startup: path resolved against `$EDGE_LOCAL_ROOT`; out-of-root → abort	`edge/ci/scan_prohibited` — rejects NFS/CIFS/cluster-FS volume types in manifests and image layers	(scan-only; no FI scenario required)
INV-02	No Convergence Tracking	(architectural prohibition — no implementation)	N/A — structurally absent from codebase	`edge/ci/scan_prohibited` — prohibited symbols: `raft`, `paxos`, `gossip_convergence`, `vector_clock`, `crdt`, `anti_entropy`, etc.	(scan-only)
INV-03	No Leader Election	(architectural prohibition — no implementation)	N/A — structurally absent	`edge/ci/scan_prohibited` — prohibited election/nomination patterns; code-review checklist sign-off	(scan-only)
INV-04	Disk Ceiling	`edge/storage/localstore.go` (ceiling check, `WithDiskUsedFunc`) · `edge/eviction/local.go` · `edge/storage/recovery.go`	After every `Write`+`fsync`: kernel `statfs` check; `ErrCeilingExceeded` on breach; synchronous eviction when within threshold	`make edge-fi-go` → `go test -tags integration ./fi/...`	FI-C1-01 `TestFI_DiskCeiling_ErrCeilingExceeded` · FI-C2-01 `TestFI_DiskCeiling_ConcurrentWritesAtBoundary` · FI-C2-02 `TestFI_DiskCeiling_EvictionFailure_WriteRejectedCleanly`
INV-05	Platform Assurance Binding	`edge/assurance/assurance.go` · `edge/config/cgroup_linux.go` · `edge/config/cgroup_other.go`	Startup: cgroup v2 probe; absent → `LogAssuranceReduced()` warning + `edge.assurance.reduced` log; high-durability mode refused	`make edge-fi-go`	FI-C1-05 `TestFI_Assurance_HighDurabilityUnavailable` · `TestFI_Assurance_ReducedEnvelopeLogged`
INV-06	Local-Only Activation	`edge/scheduler/local.go` · `edge/scheduler/scheduler.go`	Activation functions accept only local-state params; no remote identifiers in function signatures	Code review checklist; `edge/ci/scan_prohibited` (remote-state call patterns)	(structural; no dedicated FI scenario)
INV-07	Bounded Memory	`edge/storage/localstore.go` · `edge/transport/transport.go` (pool-bounded transfer buffers) · `edge/quota/localquota.go`	cgroup v2 memory controller (when present); load shed on inbound when approaching ceiling	Code review; cgroup v2 validated by INV-05 path	(covered structurally + INV-05 FI)
INV-08	Idempotent Segment Receive	`edge/index/localindex.go` · `edge/storage/localstore.go`	Segment ID checked against local index before write; duplicate silently discarded; no peer coordination	`edge/storage/store_test.go` · `edge/index/localindex_test.go` (unit)	(unit-test coverage; no injection scenario required)
INV-09	Authorization Boundary	`edge/transport/tcptls.go` (mTLS) · `edge/transport/crl.go` (CRL) · `edge/transport/conn.go`	mTLS handshake required before segment exchange; CRL/OCSP checked locally; revoked cert → `ErrCertRevoked` / connection closed	`make edge-fi-go`	FI-C3-02 `TestFI_Transport_RevokedCert_Rejected` · `TestFI_Transport_ValidCert_Passes` · `TestFI_Transport_ExpiredCert_Rejected`
INV-10	Mission-Layer Decoupling	`edge/` (no imports of `adk/runtime`, `adk/policy`, `adk/orchestrator`)	Compile-time import isolation; no IPC / shared socket / shared env	`edge/ci/scan_dependencies` (import-graph check) · `make edge-fi-go` + `make edge-fi-shell`	FI-C1-03 `TestFI_MissionProcessKill_RelayUnaffected` · `TestFI_MissionDecoupled_NoMissionImport` · Shell: `FI-C1-03_mission_kill.sh`
INV-11	Deterministic Relay	`edge/scheduler/local.go` (lexicographic tie-breaking) · `edge/segment/segment.go`	No PRNG in relay path; segment/peer selection via deterministic comparator	`edge/ci/scan_prohibited` (random/PRNG call in relay path)	(structural; no injection scenario)
INV-12	Bounded Retry	`edge/retry/retry.go` (`Tracker`, `RetryExhausted` terminal state)	`RecordAttempt()` monotonically increments; reaching `MaxRetryCount` → terminal `EXHAUSTED`; no reset on reconnect or timer expiry	`make edge-fi-go` · `make edge-fi-shell`	FI-C4-01 `TestFI_RetryExhaustion_TerminalState` · `TestFI_RetryCount_Monotonic` · FI-C4-02 (noincrmt mode in shell probe) · FI-C4-03 `TestFI_RetryExhausted_NoBeyondWindow` · Shell: `FI-C4-01_retry_exhaustion.sh`
INV-13	Bounded Per-Peer Ingest Quota	`edge/quota/localquota.go` (`LocalEnforcer`, rolling-window token bucket)	Per-peer bucket checked on every ingest; `ErrQuotaExceeded` + `edge.quota.exceeded` log on breach; session remains open	`make edge-fi-go`	FI-C3-03 `TestFI_Quota_EnforcedPerPeer` · `TestFI_Quota_PeerIsolation`

CI Guardrail Summary¶

Guardrail	Trigger	Tool / Target	Failure Mode
Prohibited symbol scan	Every PR, `make edge-ci-scan`	`ci/scan_prohibited/main.go`	Build-breaking; no override
Dependency graph check	Every PR	`ci/scan_dependencies/main.go`	Build-breaking; enforces INV-01, INV-02, INV-10
Go integration tests (FI)	Every PR, `make edge-fi-go`	`go test -tags integration -timeout 120s ./fi/...`	Build-breaking; covers INV-04, INV-05, INV-09, INV-10, INV-12, INV-13
Shell tests (no-root)	Every PR, `make edge-fi-shell`	`edge/ci/tests/run_all.sh --no-root-tests`	Build-breaking; covers INV-10, INV-12 (shell)
Shell tests (root / CAP_NET_ADMIN)	Nightly or labeled runners	`edge/ci/tests/run_all.sh` (full)	Non-blocking on root-absent runners; waiver logged in SKIP

FI Test Coverage by Invariant¶

Inv	Go FI Test(s)	Shell FI Test(s)	Gaps / Notes
INV-04	`TestFI_DiskCeiling_ErrCeilingExceeded` `TestFI_DiskCeiling_LowUsagePasses` `TestFI_DiskCeiling_ConcurrentWritesAtBoundary` `TestFI_DiskCeiling_EvictionFailure_WriteRejectedCleanly`	`FI-C1-01_disk_full.sh` (root — loop device)	Loop-device test skipped on non-root runners; Go tests cover invariant fully
INV-05	`TestFI_Assurance_HighDurabilityUnavailable` `TestFI_Assurance_ReducedEnvelopeLogged`	—	cgroup v2 absent test always passes on non-cgroup runners
INV-09	`TestFI_Transport_RevokedCert_Rejected` `TestFI_Transport_ValidCert_Passes` `TestFI_Transport_ExpiredCert_Rejected`	—	TLS alert from server seen as `"remote error: tls: bad certificate"` on client; assertion accepts both sentinel and string match
INV-10	`TestFI_MissionProcessKill_RelayUnaffected` `TestFI_MissionDecoupled_NoMissionImport`	`FI-C1-03_mission_kill.sh`	Uses `sleep 3600` as mission stub; `edge/ci/scan_dependencies` enforces import isolation
INV-12	`TestFI_RetryExhaustion_TerminalState` `TestFI_RetryCount_Monotonic` `TestFI_RetryExhausted_NoBeyondWindow`	`FI-C4-01_retry_exhaustion.sh` (modes: exhaust, noincrmt, persist, monotonic)	Shell probe builds inline Go binary; optional `tc netem` partition needs root
INV-13	`TestFI_Quota_EnforcedPerPeer` `TestFI_Quota_PeerIsolation`	—	Rolling-window enforcement; peer isolation verified via second peer unaffected assertion

Waiver Policy¶

Tests covering build-breaking invariants (INV-04, INV-05, INV-09, INV-10, INV-12, INV-13) that are skipped or failing require a signed architectural waiver committed to edge/waivers/ before the revision may merge to main. SKIP is allowed only for tests requiring root or CAP_NET_ADMIN on non-root runners, and only when the invariant is fully covered by an equivalent Go-level test.

Generated from workplan v0.7 §2–§6. Update this file whenever a new invariant, FI test, or CI guardrail is added.