Taktflow OpenSOVD -- Engineering Specification

1. Executive Summary

Taktflow OpenSOVD is a general-purpose SOVD diagnostic stack for multi-ECU zonal architectures. It implements the ASAM SOVD v1.1 OpenAPI (ISO 17978-3) wire contract so that every ECU — virtual or physical, regardless of role or zone — becomes addressable via standard HTTP tooling instead of proprietary diagnostic hardware and binary protocols.

The HIL test bench is a minimal 3-ECU setup (CVC central + SC safety + BCM virtual body, per ADR-0023) that covers every architectural code path in the stack. The stack itself is architecture-agnostic within automotive diagnostics and scales to arbitrary ECU counts without code change.

Dimension	UDS (legacy)	SOVD (this system)
Transport	CAN + ISO-TP / DoIP	REST/HTTP over IP
Data format	Binary byte frames	JSON resources
Addressing	Session + service IDs	URL paths (`/sovd/v1/components/{id}/faults`)
Security	Seed/key	HTTPS + mTLS + OAuth
Tooling	Specialized diagnostic tools	Any HTTP client

Current status (2026-04-23): Phase 5 live-hardware work advancing. Software path green end-to-end in Docker SIL; observer dashboard serving live /sovd/v1/components, /faults, /operations, /data, /health, /session, /audit, /gateway/backends plus ws-bridge relay on the bench LAN. STM32G474 CVC firmware flashed and smoke-proven on metal (commit bb5708e). TMS570LC4357 UDS ECU live on bench CAN, and as of 2026-04-23 the TMS570 OTA bulk-data path is HIL-proven end-to-end: session 0x10 02, manifest v1 write (0xF1A0), 0x34/0x36/0x37 download of a 256 B image, on-MCU SHA-256 verify, status transition to COMMITTED, monotonic witness-counter increment, and witness-id read-back all confirmed. CVC OTA feature documentation shipped at docs/firmware/cvc-ota/. Remaining: TMS570 F021 Flash API wiring so the staged image actually reaches flash; CMS / X.509 signature validation (scaffold shipped, chain validator not implemented). See MASTER-PLAN.md for hardening gates.

1.1 Progress Snapshot (2026-04-23)

Area	State	Evidence
Phase 0 Foundation	Done	opensovd-core workspace, CI matrix, ADR-0001
Phase 1 Embedded UDS + DoIP POSIX	Done	Dcm 0x19/0x14/0x31 handlers, DoIp_Posix.c (external firmware repo)
Phase 2 CDA integration + proxy	Done	`integration-tests/phase2_*`, CDA forwards to SOVD server via `cda-comm-doip`
Phase 3 Fault Lib + DFM	Done	`sovd-dfm/` + `sovd-db-sqlite/`, round-trip <100 ms in Docker
Phase 4 SOVD Server + Gateway MVP	Done	All 10+ endpoints live; 32 integration tests green; OpenAPI snapshot gate active
Public VPS SIL — engineering spec + 20 UCs + Grafana	Done	Live at sovd.taktflow-systems.com; `scripts/smoke-public-sil.sh` 20/20 PASS; Grafana anonymous viewer at `/sovd/grafana/` backed by Prometheus + blackbox-exporter probing `/sovd/v1/health`
Phase 5 Stage 1 — Observer dashboard + mTLS	Done	VPS dashboard live same-origin at `/dashboard/` with "How it works" card + cross-nav to spec/Grafana/site; Pi observer nginx with mTLS live at `https://<pi-bench-ip>/` (`observer-nginx` + cert provisioning); UC15/UC16/UC18 extras served from live API, canned data only on error
Phase 5 Stage 1 — MQTT fan-out	WIP	`fault-sink-mqtt` + `ws-bridge` merged; Mosquitto deploy kit on `feat/mqtt-broker-deploy`; rebuild of `sovd-main` with `fault-sink-mqtt` feature pending on VPS
Phase 5 Stage 1 — Live Pi run + Prometheus/Grafana	Done	Pi observer stack all Up: `sovd-main` + `ws-bridge` (systemd), `observer-nginx` + `observer-prometheus` + `observer-grafana` (docker compose); aarch64 cross-compile closed on laptop (`<laptop-user>@<laptop-ip>`) via user-local corepack pnpm; bench topology locked at `docs/deploy/bench-topology.md`
Phase 5 — Bench debug helpers (P5-HIL-10)	Done	`mdd-ui` install steps and `tokio-console` attach procedure for `sovd-main` documented at `opensovd-core/docs/bench/mdd-ui-setup.md` (local debug swap, `RUSTFLAGS="--cfg tokio_unstable"`, guardrails for keeping instrumentation out of Pi/release runs)
Phase 5 — doip-codec fork migration (P5-HIL-08)	Done	PARTIAL migration landed in `taktflow-embedded-production` laptop commit `4a7457b5`: `proxy-doip/` now pins theswiftfox `doip-codec` rev `0dba319` + `doip-definitions` rev `bdeab8c` (same pins as Eclipse CDA). Thin shims preserve `server.rs` public API (DoipHandler + AliveCheck + DiagnosticAck dispatch untouched); 17 tests pass on laptop
Phase 5 — MDD FlatBuffers emitter (P5-HIL-09)	Partial	Minimal `--emit=mdd` added to `tools/odx-gen` (laptop commit `b5a804aa` in `taktflow-embedded-production`) covering root `EcuData` fields `version/ecu_name/revision/metadata/dtcs` with 6 byte-level round-trip tests (20 pass total). Remainder split into sub-unit `P5-HIL-09b`: 80-table schema with 10 unions and cyclic DOP/Param refs needs `flatc`-generated bindings, beyond the 45-min slice budget
Phase 5 — Physical STM32 + TMS570 flash	Smoke done	STM32G474 CVC UDS firmware proven on metal (commit `bb5708e`, `firmware/cvc-uds/`, 16 KB text). TMS570LC4357 UDS ECU proven on metal (commit `a2150ae`, `firmware/tms570-uds/`, tiarmclang big-endian, DCAN1 500 kbps). TMS570 OTA bulk-data path HIL-proven on 2026-04-23 via `isotpsend`/`isotprecv` on bench Pi can0: manifest v1 write, 256 B download over `0x34/0x36/0x37`, SHA-256 verify, `COMMITTED` state, witness-id round-trip.
Phase 6 pre-work (available now)	Done	All 7 P6-PREP units closed: 01 auth profile ADR, 02 integrator-guide skeleton, 03 safety-delta inventory, 04 SIL rate-limit slice, 05 local OTLP tracing spike (visible span proved via Jaeger), 06 local SIL DLT emission spike (feature-gated, `[logging.dlt]` config surface, verifier doc), 07 ADR-0025 CVC OTA scope lock. Former P6-PREP-08 (contribution-readiness + PR sequence pack) archived on 2026-04-20 with the upstream-contribution drop; see docs/contribution/archive/.
Phase 6 — TLS everywhere, OTA, safety case delta, integrator guide	Partial	6 post-entry units (P6-01..06) in MASTER-PLAN; hardening gates track exit. CVC OTA end-to-end is advanced: state machine hardened (input validation, inactivity timeout, witness-replay guard, constant-time hash compare, manifest v1+v2 with monotonic downgrade guard), POSIX unit-test harness at `test/firmware/cvc-uds-ota/`, host-side witness verifier + manifest builders in `sovd-server`, CMS / X.509 signature scaffold (chain validator not yet wired), and a full 8-page feature documentation site at docs/firmware/cvc-ota/. TMS570 OTA path reaches interface parity on metal (2026-04-23 HIL smoke) with flash write / bank-switch stubbed pending F021 Flash API integration. Still open: TLS everywhere, DLT rollout, OTel rollout, HARA/FMEA approval, integrator guide finalization.
Phase 7 — Semantic Interoperability + Extended Vehicle	Scaffolded	ADRs landed: ADR-0026 COVESA/VSS mapping (7-row example table), ADR-0027 Extended Vehicle scope (9 REST endpoints + 6 MQTT topics). Crates scaffolded: `sovd-covesa`, `sovd-extended-vehicle`; semantic schema harness at `sovd-interfaces/schemas/semantic/`; SIL scenario skeletons for VSS DTC list and EV fault log. Pending: HTTP-route mounting in `sovd-server`, actuator-write whitelist, full semantic schema set, MQTT publisher wiring.
Phase 8 — Edge AI/ML Integration	Scaffolded	ADRs landed: ADR-0028 Edge ML scope + lifecycle, ADR-0029 model signing + rollback (CMS/X.509 reusing ADR-0025 PKI with distinct EKU). Crate scaffolded: `sovd-ml` with signed-model verify-before-load harness; dashboard widget `UC21MlInference.svelte`; disabled SIL scenario skeleton for ML inference. Pending: ML inference operation wired into `sovd-server`, hot-swap + rollback proven on Pi HIL, Edge Native deployment boundary.
Phase 9 — Cybersecurity (ISO 21434) + Cert Lifecycle	Superseded by Part II (2026-04-21)	This phase's scope is absorbed into MASTER-PLAN-PART-2-PRODUCTION-GRADE.md: TARA + CAL matrix + R155 evidence live in PROD-9 (§II.6.9 ISO 21434 + UNECE R155 evidence kit); internal CA + rotation + mTLS / OAuth2 live in PROD-5 (§II.6.5 tester-over-HTTP) and PROD-11 (§II.6.11 cloud bridge). The ADR numbers originally placeholdered here (0032, 0033) were reassigned in 2026-04-21: ADR-0032 is Rust codestyle baseline, ADR-0033 is composable transport layers. Phase-9-branded work can continue under those PROD IDs; the Part I "Phase 9" row itself is retained only for historical traceability.
Phase 10 — Ecosystem Integration (pluggable backend, COVESA drift, ML artifact boundary)	Superseded by Part II (2026-04-21)	Pluggable-backend compatibility is already accepted as ADR-0016 (trait seams with feature gates, standalone vs S-CORE defaults). Fault-library parity with upstream is tracked as PROD-16 (§II.6.16 Fault-lib feature parity) and Diagnostic Library app registration as PROD-17 (§II.6.17). The placeholder ADR number for this row (0034) was reassigned 2026-04-21 to ADR-0034 async-first diagnostic runtime. COVESA VSS drift review is captured in PROD-12 (§II.6.12) and PROD-15 (§II.6.15 upstream tracking cadence). No standalone Phase 10 ADR is planned.
Phase 11 — Conformance + Documentation Maturity	Partially superseded by Part II (2026-04-21)	Conformance-suite work (ISO 17978 subset, ISO 20078 Extended Vehicle subset, edge-case/interop) is now tracked under PROD-8 (§II.6.8 full SOVD 1.1 resource coverage) and PROD-10 (§II.6.10 ODX-driven conformance harness). Planned ADR-0035 (ISO 17978 conformance subset) remains the one open ADR number from the v3.0 rewrite and will land alongside PROD-10. Documentation-maturity scope — integrator guide, OEM playbook, repair-shop workflow guide, example walkthroughs (OTA, predictive maintenance, repair-shop session), traceability matrix — stays inside Part I Phase 11 (not duplicated in Part II).
Upstream contribution to Eclipse OpenSOVD	Dropped from scope (2026-04-20)	Internal decision D-01 of the v3.0 master plan. Prior contribution plans archived under docs/contribution/archive/, docs/upstream/archive/, and docs/adr/archive/. The capability scope (all four Eclipse OpenSOVD in-scope buckets plus future-proofing extensions) is retained as an internal deliverable.

1.2 Repository structure — internal monorepo (as of 2026-04-20)

opensovd-core/ is Taktflow-owned — a normal monorepo subdirectory under taktflow-opensovd, no nested .git/. The DFM, Gateway, Server, fault-sink, ws-bridge, observer API, and dashboard here are all originals. classic-diagnostic-adapter/ stays vendored verbatim from Eclipse classic-diagnostic-adapter as a read-only SOVD→UDS/DoIP bridge for legacy ECUs and is never edited inline. Any CDA fixes required for Taktflow behaviour land in separate crates or external patches, keeping CDA's byte-for-byte pins intact for reproducibility. Upstream contribution to Eclipse OpenSOVD was dropped from project scope on 2026-04-20 (decision D-01 of the v3.0 master plan); the tree stays internal.

1.3 Conformance scope

What we verify: the ASAM SOVD v1.1 OpenAPI wire contract published for ISO 17978-3, locked by sovd-interfaces schema snapshots and cargo xtask openapi-dump --check.
What we align with: public scope statements for ISO 17978 Parts 1 and 2 from ASAM/ISO public pages, AUTOSAR EXP_SOVD, the Eclipse OpenSOVD design.md and mvp.md, the public Eclipse OpenSOVD CDA code when behavior is ambiguous, and the local research notes under external/asam-public/iso-17978-research/.
What we do not claim: full normative conformance to ISO 17978 Parts 1 and 2, or paywalled Part 3 prose that has not been acquired yet.

2. System Architecture

2.1 System context

graph TB
    T["<b>Off-board SOVD Tester</b><br/>(laptop / Postman / curl)"]
    F["<b>Fleet / Cloud Operator</b><br/>(future)"]

    T -->|"HTTPS (ASAM v1.1 / ISO 17978-3)"| Stack
    F -->|"HTTPS (future)"| Stack

    subgraph Stack ["Taktflow SOVD Stack -- Pi Gateway Host"]
        GW["sovd-gateway"]
        SRV["sovd-server"]
        DFM["sovd-dfm"]
        CDA["Classic Diagnostic<br/>Adapter (CDA)"]
        PROXY["CAN-to-DoIP<br/>Proxy"]
    end

    Stack -->|"DoIP / TCP"| VE
    Stack -->|"CAN / ISO-TP<br/>(via proxy)"| PE

    VE["<b>Virtual ECU</b><br/>BCM<br/>(POSIX + DoIP)"]
    PE["<b>Physical ECUs</b><br/>CVC + SC<br/>(STM32G4 + TMS570)"]

    style Stack fill:#e8f4fd,stroke:#1a73e8,stroke-width:2px
    style T fill:#fff3e0,stroke:#e65100
    style F fill:#fff3e0,stroke:#e65100
    style VE fill:#e8f5e9,stroke:#2e7d32
    style PE fill:#fce4ec,stroke:#c62828

2.2 Component topology

graph TB
    TESTER["<b>Off-board SOVD Tester</b>"]
    TESTER -->|"HTTPS"| GW

    subgraph PI ["Raspberry Pi Gateway Host (Linux aarch64)"]
        GW["<b>sovd-gateway</b><br/>routing, fan-out,<br/>backend registry"]
        SRV["<b>sovd-server</b><br/>one per ECU view"]
        DFM["<b>sovd-dfm</b><br/>central fault mgr"]
        DB["<b>sovd-db</b><br/>SQLite + WAL"]
        CDA["<b>CDA</b><br/>(upstream)"]
        PROXY["<b>CAN-to-DoIP</b><br/>proxy (Rust)"]

        GW <-->|"in-process"| SRV
        GW -->|"SovdBackend"| DFM
        GW -->|"HTTP"| CDA
        DFM --> DB
        SRV --> DFM
        CDA -->|"UDS / DoIP"| PROXY
    end

    PROXY -->|"SocketCAN<br/>(can0 / vcan0)"| PE
    CDA -->|"DoIP TCP"| VE

    VE["<b>Virtual POSIX ECU</b><br/>BCM"]
    PE["<b>Physical ECUs</b><br/>CVC + SC"]

    style PI fill:#e8f4fd,stroke:#1a73e8,stroke-width:2px
    style TESTER fill:#fff3e0,stroke:#e65100
    style VE fill:#e8f5e9,stroke:#2e7d32
    style PE fill:#fce4ec,stroke:#c62828
    style GW fill:#bbdefb,stroke:#1565c0
    style DFM fill:#bbdefb,stroke:#1565c0
    style DB fill:#c8e6c9,stroke:#2e7d32
    style CDA fill:#ffe0b2,stroke:#e65100

2.3 Crate dependency graph

graph BT
    IF["<b>sovd-interfaces</b><br/>types, traits, errors<br/><i>(leaf -- zero I/O)</i>"]

    DB["sovd-db (SQLite)"] --> IF
    DFM["sovd-dfm"] --> IF
    SRV["sovd-server (Axum)"] --> IF
    CLI["sovd-client"] --> IF
    GW["sovd-gateway"] --> IF
    TR["sovd-tracing"] --> IF

    DFM --> DB

    MAIN["<b>sovd-main</b><br/>binary assembly"] --> SRV
    MAIN --> CLI
    MAIN --> GW
    MAIN --> TR
    MAIN --> DFM

    style IF fill:#fff9c4,stroke:#f9a825,stroke-width:2px
    style MAIN fill:#e1bee7,stroke:#7b1fa2,stroke-width:2px
    style DB fill:#c8e6c9,stroke:#2e7d32

2.4 Protocol hops

Hop	Protocol	Notes
Tester → Gateway/Server	HTTPS (ASAM SOVD v1.1 OpenAPI / ISO 17978-3)	TLS, mTLS, JSON, correlation id
Gateway → Server	in-process fn / async channel	same Tokio runtime
Gateway → DFM	in-process via `SovdBackend` trait	`sovd-interfaces`
Gateway → CDA	HTTP (Axum service)	in-proc or loopback
CDA → ECU (virtual)	DoIP over TCP/13400	POSIX transport
CDA → Pi CAN proxy	DoIP over TCP/13400	Pi translates
Pi proxy → physical ECU	ISO-TP over CAN 500 kbps	SocketCAN
Fault shim → DFM (POSIX)	Unix domain socket	postcard wire format
Fault shim → DFM (STM32)	NvM buffer, gateway sync	SR-4.1 non-blocking
DFM → SQLite	sqlx async driver	WAL mode

2.5 Two request paths — native-SOVD vs CDA-backed

The SOVD server surface supports two request paths side by side. The native-SOVD path speaks JSON/REST end-to-end — no ODX, no UDS, no DoIP — and is the first-class citizen of the stack. The CDA-backed path bridges the same SOVD surface to legacy UDS/DoIP ECUs through an ODX-compiled MDD database. Both paths exit through the same sovd-gateway REST endpoint; the tester cannot tell the difference at the wire level.

graph LR
    TESTER["<b>Tester</b><br/>(HTTP/JSON)"]
    GW["<b>sovd-gateway</b>"]
    SRV["<b>sovd-server</b>"]

    TESTER -->|"HTTPS SOVD"| GW
    GW --> SRV

    subgraph NATIVE ["Native-SOVD path (JSON-only, no ODX)"]
        DFM["sovd-dfm"]
        FL["fault-lib (apps)"]
        COVESA["sovd-covesa (VSS)"]
        XV["sovd-extended-vehicle"]
        ML["sovd-ml"]
        FL -->|IPC| DFM
        SRV --> DFM
        SRV --> COVESA
        SRV --> XV
        SRV --> ML
    end

    subgraph LEGACY ["CDA-backed path (UDS/DoIP via ODX/MDD)"]
        CDA["Classic Diagnostic Adapter"]
        MDD["MDD database<br/>(compiled from ODX)"]
        UDSECU["Legacy UDS ECU"]
        SRV -->|"HTTP"| CDA
        CDA --> MDD
        CDA -->|"UDS / DoIP"| UDSECU
    end

    style NATIVE fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px
    style LEGACY fill:#ffe0b2,stroke:#e65100,stroke-width:2px
    style TESTER fill:#fff3e0,stroke:#e65100
    style GW fill:#bbdefb,stroke:#1565c0
    style SRV fill:#bbdefb,stroke:#1565c0

2.5.1 Comparison

Property	Native-SOVD path	CDA-backed path
Wire to tester	HTTPS / JSON (SOVD REST)	HTTPS / JSON (SOVD REST)
Wire to ECU / app	IPC (Unix domain socket, postcard)	UDS over DoIP (TCP / 13400)
Configuration source	Runtime schema self-describe (SEM-1/2; online capability description — planned PROD-12)	ODX authoring → MDD compile → CDA
Originator	HPC apps / native-SOVD ECU firmware	Legacy ECU responding to UDS request
Crates involved	`sovd-server`, `sovd-gateway`, `sovd-dfm`, `sovd-interfaces`, `fault-lib`, `sovd-covesa`, `sovd-extended-vehicle`, `sovd-ml`	`classic-diagnostic-adapter/*`, `odx-converter` (CI-side only)
Target ECU kind	Zonal HPC (POSIX / Linux / QNX)	Legacy MCU with UDS stack
ODX needed?	No	Yes
Status	Shipped at M3–M4 (DFM, fault-lib, server, gateway); schema / online-description work in P7–P10	Shipped at M4; downstream DoIP patches committed 2026-04-20 (see `classic-diagnostic-adapter/DOWNSTREAM-PATCHES.md`)

2.5.2 When the JSON-only path is the answer

Stakeholders asking for a pure JSON / REST diagnostic surface — no ODX files, no offline authoring step, no UDS translation — are describing the native-SOVD path. It is already the architecture's first-class citizen: every sovd-server instance can serve the SOVD REST surface without a CDA or MDD in the picture, and the bench-fault-injection plane committed in d42cb2f exercises exactly that path end-to-end.

Two capabilities still have to ship before the "no more ODX" story is fully deliverable to a third-party tester:

PROD-12 online capability description — every SOVD resource must self-describe its schema variant-exactly at runtime, so a tester can drive the server using only the schema endpoint. See MASTER-PLAN-PART-2-PRODUCTION-GRADE.md §II.6.12; benchmark: ACTIA IME ships this today.
SEM-1 / SEM-2 semantic schema enforcement — every response envelope validates against a machine-readable semantic schema, and the schemas themselves are discoverable. See MASTER-PLAN §5.5; P7-SEM-03 / P7-SEM-04 in progress.

CDA is not the JSON-native story — it is the transitional bridge that keeps legacy UDS ECUs reachable while zonal architectures migrate to native SOVD. For an OEM fleet fully on a post-ODX HPC, CDA can be disabled at config time and every request goes through the native path.

3. Feature Matrix

3.1 Capability overview

graph LR
    subgraph FAULTS ["Fault Management"]
        F1["List DTCs<br/>(per-component + all)"]
        F2["DTC detail + status"]
        F3["Clear DTCs<br/>(all or by group)"]
        F4["Pagination"]
    end

    subgraph ROUTINES ["Diagnostic Routines"]
        R1["Start routine"]
        R2["Stop routine"]
        R3["Poll status"]
        R4["Routine registry"]
    end

    subgraph COMPONENTS ["Component Management"]
        C1["List components"]
        C2["HW/SW version"]
        C3["DID catalogue"]
        C4["Capability discovery"]
    end

    subgraph FAULT_PIPE ["Fault Pipeline"]
        P1["Fault API<br/>(C shim + Rust)"]
        P2["DFM ingest"]
        P3["Debounce +<br/>op-cycle gating"]
        P4["SQLite persistence"]
    end

    subgraph SECURITY ["Security"]
        S1["mTLS + HTTPS"]
        S2["OAuth2 / OIDC tokens"]
        S3["Audit log"]
        S4["Rate limiting"]
    end

    style FAULTS fill:#e8f4fd,stroke:#1a73e8,stroke-width:2px
    style ROUTINES fill:#fff3e0,stroke:#e65100,stroke-width:2px
    style COMPONENTS fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px
    style FAULT_PIPE fill:#fff9c4,stroke:#f9a825,stroke-width:2px
    style SECURITY fill:#fce4ec,stroke:#c62828,stroke-width:2px

3.2 Feature status matrix

Feature	Requirement	Phase	Status	Verified by
Fault Management
List DTCs per component	FR-1.1	4	Done	Unit + HIL 01
Per-DTC detail	FR-1.2	4	Done	Unit + snapshot
Clear DTCs	FR-1.3	4	Done	HIL 02
Pagination	FR-1.4	4	Done	HIL 07
Multi-component aggregation	FR-1.5	4	Done	Integration
Diagnostic Routines
Start routine	FR-2.1	4	Done	HIL 03
Stop routine	FR-2.2	4	Done	Unit
Poll status	FR-2.3	4	Done	HIL 03
Routine registry	FR-2.4	4	Done	Unit
Component Metadata
List components	FR-3.1	4	Done	HIL 05
HW/SW version	FR-3.2	4	Done	HIL 05
DID catalogue + read	FR-3.3	4	Done	Unit
Capability discovery	FR-3.4	4	Done	Unit
Fault Pipeline
Fault API (C + Rust)	FR-4.1	3	Done	Integration
DFM ingest	FR-4.2	3	Done	DFM roundtrip
Debounce + op-cycle	FR-4.3	3	Done	Unit
SQLite persistence	FR-4.4	3	Done	DFM roundtrip
Catalog version check	FR-4.5	3	Done	Unit
Legacy UDS Compatibility
Virtual ECUs over DoIP	FR-5.1	1-2	Done	CDA smoke
Physical ECUs via proxy	FR-5.2	2	Done	HIL 01-08
CDA configuration	FR-5.3	2	Done	Integration
UDS session mirroring	FR-5.4	2	Done	CDA smoke
UDS security access	FR-5.5	4	Done	Unit
Gateway
Routing table	FR-6.1	4	Done	Integration
Federated hop	FR-6.2	6	Stub	—
Session + Security
Session resource	FR-7.1	4	Done	Unit
Security level	FR-7.2	4-6	Scaffold	—

4. Requirements Summary

4.1 Requirement traceability map

graph LR
    subgraph SOURCES ["Standards + Upstream"]
        ISO17["ISO 17978<br/>(SOVD)"]
        ISO14["ISO 14229<br/>(UDS)"]
        ISO26["ISO 26262<br/>(Safety)"]
        UD["upstream<br/>design.md"]
        MVP["upstream<br/>mvp.md"]
        MP["MASTER-PLAN"]
    end

    subgraph REQS ["Requirements (this project)"]
        FR["FR-1..7<br/>Functional"]
        NFR["NFR-1..6<br/>Non-functional"]
        SR["SR-1..5<br/>Safety"]
        SEC["SEC-1..5<br/>Security"]
        COMP["COMP-1..5<br/>Compliance"]
    end

    subgraph IMPL ["Implementation"]
        CODE["opensovd-core<br/>(16 crates)"]
        CDA_I["CDA<br/>(14 crates)"]
        FL["fault-lib"]
    end

    subgraph VERIFY ["Verification"]
        UT["5,680 unit tests"]
        SNAP["36 snapshots"]
        INT["25 integration<br/>test files"]
        HIL["8 HIL scenarios"]
    end

    ISO17 --> FR
    ISO14 --> FR
    ISO26 --> SR
    UD --> FR
    MVP --> FR
    MP --> NFR

    FR --> CODE
    NFR --> CODE
    SR --> FL
    SEC --> CODE
    COMP --> CODE

    CODE --> UT
    CODE --> SNAP
    CODE --> INT
    CODE --> HIL

    style SOURCES fill:#f5f5f5,stroke:#616161
    style REQS fill:#e8f4fd,stroke:#1a73e8,stroke-width:2px
    style IMPL fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px
    style VERIFY fill:#fff9c4,stroke:#f9a825,stroke-width:2px

4.2 Non-functional requirements

ID	Requirement	Target	Verified by
NFR-1.1	DTC read latency	P99 ≤ 500 ms (Pi, 7 ECUs)	HIL nightly
NFR-1.2	Fault ingest latency	median ≤ 100 ms	Integration
NFR-1.3	Concurrent testers	≥ 2 without cross-contamination	HIL 06
NFR-1.4	Memory footprint	RSS < 200 MB (Pi steady state)	HIL nightly
NFR-2.1	Degraded mode	Serve other ECUs when one fails	HIL 08
NFR-2.2	Auto-reconnect	Recovered backend reintegrated < 5 s	HIL 08
NFR-2.3	No-ECU startup	Server starts with zero backends	Integration
NFR-3.1	DLT tracing	Context ids SOVD, DFM, GW, CDA	Phase 6
NFR-3.2	OpenTelemetry spans	Full request trace	Phase 6
NFR-3.3	Structured logs	JSON + correlation id	Phase 6
NFR-4.1	SIL/HIL/prod parity	Same binary, config-only diff	CI matrix
NFR-4.2	Host OS portability	Linux x86_64/aarch64 + Windows	CI matrix
NFR-5.1	7-ECU MVP	Full topology concurrently	HIL 01
NFR-6.1	CDA style parity	Code idioms match the vendored CDA surface	Phase 4 audit

4.3 Safety requirements

ID	Requirement	Enforcement
SR-1.1	No SOVD path modifies ASIL-D code without HARA delta	PR gate: safety-engineer sign-off
SR-1.2	opensovd-core holds zero ASIL allocation	No ASIL library linkage
SR-2.1	MISRA C:2012 clean on new embedded code	cppcheck/coverity CI gate
SR-3.1	Motor self-test interlock (stationary only)	ECU firmware NRC 0x22
SR-3.2	Brake check interlock (test mode only)	ECU firmware session check
SR-4.1	Fault API is non-blocking	< 10 µs on STM32
SR-4.2	DFM failure does not propagate to safety functions	NvM buffering on STM32
SR-5.1	DoIP transport isolation	Separate task, bounded stack, rate-limited

4.4 Security requirements

ID	Requirement	Phase
SEC-1.1	TLS on all external endpoints	6
SEC-2.1	mTLS client certificate authentication	6
SEC-2.2	OAuth2/OIDC bearer token authorization	4 scaffold, 6 full
SEC-3.1	Audit log for privileged operations	4
SEC-4.1	Session timeout (default 30 s)	4
SEC-5.1	Rate limiting (20 rps default)	6
SEC-5.2	Input validation + size limits (64 KiB)	4

5. Safety Boundary

graph TB
    subgraph QM ["QM Domain (no ASIL allocation)"]
        direction TB
        GW["SOVD Gateway"]
        SRV["SOVD Server"]
        DFM["DFM"]
        DB[("Diagnostic DB")]
        FS["FaultSink (IPC)"]

        GW --> SRV --> DFM --> DB
        DFM --> FS
    end

    BOUNDARY["---- Safety Boundary ----<br/><i>Fault Library API is the ONLY crossing point.<br/>Data flows one direction: firmware -> SOVD. Never SOVD -> firmware.</i>"]

    subgraph SAFETY ["Safety-Critical Domain (ASIL-D)"]
        direction TB
        CDA_S["CDA (UDS/DoIP)"]
        FL["Fault Library API<br/>(FaultShim_Report)"]
        ECU_S["Physical ECU"]
        FW["Firmware (ASIL-D)"]

        CDA_S --> ECU_S
        FW --> FL
    end

    FS -->|"fault data<br/>(one-way)"| FL
    GW -->|"diagnostic request"| CDA_S

    style QM fill:#e8f5e9,stroke:#2e7d32,stroke-width:2px
    style SAFETY fill:#fce4ec,stroke:#c62828,stroke-width:2px
    style BOUNDARY fill:#fff9c4,stroke:#f9a825,stroke-width:3px,stroke-dasharray: 5 5
    style FL fill:#ffcdd2,stroke:#c62828,stroke-width:2px

Boundary rules:

No SOVD path modifies ASIL-D firmware without HARA delta (SR-1.1)
opensovd-core links against zero ASIL-rated libraries (SR-1.2)
Fault Library API is the single crossing point
Fault data flows one direction: firmware → SOVD, never reverse
Routine interlocks enforced in firmware, not SOVD (SR-3.x)

6. State Machines

6.1 DTC lifecycle

stateDiagram-v2
    [*] --> Pending : FaultShim_Report received

    Pending --> Confirmed : debounce threshold met
    Pending --> Suppressed : operation cycle excludes fault
    Pending --> [*] : aging timeout

    Confirmed --> Cleared : POST .../faults/clear or UDS 0x14
    Confirmed --> Confirmed : additional occurrence (count++)

    Suppressed --> Pending : operation cycle ends

    Cleared --> Pending : same fault re-reported
    Cleared --> [*] : no recurrence

    note right of Confirmed
        Visible to SOVD GET.
        Persisted in SQLite.
    end note

State	Visible via SOVD	Persisted	Description
Pending	No	In-memory	Below debounce threshold
Confirmed	Yes	SQLite	Active DTC, reported to testers
Suppressed	No	In-memory	Excluded by operation cycle
Cleared	No	Tombstone	Cleared by tester or UDS

6.2 Operation cycle

stateDiagram-v2
    [*] --> Idle : system boot

    Idle --> Running : start_cycle (REST or IPC)
    Running --> Evaluating : stop_cycle
    Running --> Running : faults ingested

    Evaluating --> Idle : evaluation complete

Kind	Trigger	Description
Ignition	ECU power events via Fault Shim IPC	Standard automotive power cycle
Driving	Vehicle speed > 0 via platform DID	Motion-dependent faults
Tester	REST POST .../operation-cycles/start	Manual diagnostic session

7. Use Case Catalog (UC1–UC20)

This section mirrors the canonical catalog at docs/USE-CASES.md. The five MVP flows (UC1–UC5) have full sequence diagrams below; the extended capability-showcase set (UC6–UC20) is summarized in the traceability table in §7.5. Every UC ID is stable and referenced from requirements, tests, ADR-0024 dashboard widgets, and HIL scenarios.

7.1 UC1 — Read DTCs (FR-1.1, FR-1.5)

sequenceDiagram
    participant T as Tester
    participant GW as sovd-gateway
    participant CDA as CDA
    participant PX as Proxy
    participant ECU as CVC (STM32)

    T->>+GW: GET /sovd/v1/components/cvc/faults
    GW->>+CDA: route("cvc") -> CdaBackend
    CDA->>+PX: DoIP -> UDS 0x19
    PX->>+ECU: CAN ISO-TP
    ECU-->>-PX: UDS response 0x59
    PX-->>-CDA: DoIP response
    CDA-->>-GW: JSON DTC list
    GW-->>-T: 200 OK

7.2 UC2 — Report fault via Fault API (FR-4.1)

sequenceDiagram
    participant SWC as Firmware (ASIL-B)
    participant SHIM as FaultShim
    participant DFM as DFM Pipeline
    participant DB as SQLite

    SWC->>SHIM: FaultShim_Report(fid, severity, meta)
    Note over SWC,SHIM: Non-blocking, returns immediately
    SHIM->>DFM: Unix socket / NvM buffer
    DFM->>DFM: Debounce -> OpCycle -> DtcLifecycle
    DFM->>DB: persist DTC
    Note over DB: Visible via GET within 100 ms

7.3 UC3 — Clear DTCs (FR-1.3)

sequenceDiagram
    participant T as Tester
    participant AUTH as Auth + Audit
    participant GW as Gateway
    participant CDA as CDA
    participant ECU as ECU

    T->>+AUTH: POST .../faults/clear
    AUTH->>AUTH: mTLS + token + audit log
    AUTH->>+GW: authorized
    GW->>+CDA: CdaBackend
    CDA->>+ECU: UDS 0x14 (ClearDTC)
    ECU-->>-CDA: 0x54 (success)
    CDA-->>-GW: OK
    GW-->>-AUTH: OK
    AUTH-->>-T: 204 No Content

7.4 UC5 — Trigger routine with safety interlock (FR-2.1, SR-3.1)

sequenceDiagram
    participant T as Tester
    participant GW as Gateway
    participant CDA as CDA
    participant ECU as ECU

    T->>+GW: POST .../operations/motor_self_test/start
    GW->>+CDA: CdaBackend
    CDA->>+ECU: UDS 0x31 01 (RoutineControl)

    alt vehicle not stationary
        ECU-->>CDA: NRC 0x22 ConditionsNotCorrect
        CDA-->>GW: error
        GW-->>T: 409 Conflict (safety interlock)
    else preconditions met
        ECU-->>-CDA: 0x71 01 (accepted)
        CDA-->>-GW: accepted
        GW-->>-T: 202 Accepted
    end

7.5 Full traceability matrix (UC × REQ × Test × Dashboard)

One row per use case. UC1–UC5 are the MVP set diagrammed above; UC6–UC20 are the extended capability-showcase set exposed by the Phase 5 observer dashboard per ADR-0024. Complete traceability (UC × REQ × Test × Source × Widget) lives in tools/traceability/ per COMP-4.1; this table is a convenience index.

UC	Title	Primary REQ	Primary Test	Dashboard Widget
UC1	Read DTCs	FR-1.1	`hil_sovd_01_read_faults_all.yaml`	`UC01DtcList.svelte`
UC2	Report fault	FR-4.1	`phase3_dfm_sqlite_roundtrip.rs`	`UC11FaultPipeline.svelte`
UC3	Clear DTCs	FR-1.3	`hil_sovd_02_clear_faults.yaml`	`UC03ClearFaults.svelte`
UC4	Reach UDS ECU via CDA	FR-5.1, FR-5.2	`phase2_cda_ecusim_smoke.rs`	`UC14CdaTopology.svelte`
UC5	Trigger routine	FR-2.1	`hil_sovd_03_operation_execution.yaml`	`UC06Operations.svelte`
UC6	Start / stop / poll routine	FR-2.1–2.3	same as UC5	`UC06Operations.svelte`
UC7	Routine catalog discovery	FR-2.4	unit tests	`UC07RoutineCatalog.svelte`
UC8	List components w/ capability badges	FR-3.1, FR-3.4	`hil_sovd_05_components_metadata.yaml`	`UC08ComponentCards.svelte`
UC9	HW / SW version	FR-3.2	`hil_sovd_05_components_metadata.yaml`	`UC09HwSwVersion.svelte`
UC10	Read data identifier (DID)	FR-3.3	unit tests	`UC10LiveDidReads.svelte`
UC11	Fault pipeline visualization	FR-4.x	`phase3_dfm_sqlite_roundtrip.rs`	`UC11FaultPipeline.svelte`
UC12	Operation cycle state	FR-4.3	opcycle-taktflow unit tests	`UC12OperationCycle.svelte`
UC13	DTC lifecycle visualization	§6.1 (this doc)	DtcLifecycle unit tests	`UC13DtcLifecycle.svelte`
UC14	CDA topology view	FR-5.1, FR-5.2	manual during HIL	`UC14CdaTopology.svelte`
UC15	Session management	FR-7.1, SEC-4.1	unit tests	`UC15Session.svelte`
UC16	Audit log	SEC-3.1, ADR-0014	manual audit sink check	`UC16AuditLog.svelte`
UC17	Safety boundary indicator	SR-1.x, SR-4.x	DFM crash/recovery test	`UC17SafetyBoundary.svelte`
UC18	Gateway routing + fan-out	FR-6.x, NFR-2.x	`phase4_sovd_gateway_cda_ecusim_bench.rs`	`UC18GatewayRouting.svelte`
UC19	Historical trends	NFR-3.x	Grafana live on HIL	`UC19Historical.svelte`
UC20	Concurrent tester support	NFR-1.3	`hil_sovd_06_concurrent_testers.yaml`	`UC20ConcurrentTesters.svelte`
UC21	OTA initiate (CVC)	FR-8.1	`hil_sovd_21_ota_initiate.yaml` (Phase 6)	`UC21OtaInitiate.svelte`
UC22	OTA progress	FR-8.5	`hil_sovd_22_ota_progress.yaml` (Phase 6)	`UC22OtaProgress.svelte`
UC23	OTA abort + rollback	FR-8.4	`hil_sovd_23_ota_rollback.yaml` (Phase 6)	`UC23OtaRollback.svelte`

How to add a new use case: pick the next free UC ID (UC21+), write the entry in docs/USE-CASES.md, add the row here, and — if it's an MVP flow — add a sequence diagram to ARCHITECTURE.md §6 and mirror it above.

8. API Surface

8.1 REST endpoints (ASAM SOVD v1.1 OpenAPI / ISO 17978-3)

Method	Endpoint	Description	Req
GET	`/sovd/v1/components`	List all components	FR-3.1
GET	`/sovd/v1/components/{id}`	Component detail (HW/SW version)	FR-3.2
GET	`/sovd/v1/components/{id}/faults`	List DTCs (status-mask, pagination)	FR-1.1
GET	`/sovd/v1/components/{id}/faults/{dtc}`	Single DTC detail	FR-1.2
POST	`/sovd/v1/components/{id}/faults/clear`	Clear DTCs	FR-1.3
GET	`/sovd/v1/faults`	Aggregated DTCs across all components	FR-1.5
GET	`/sovd/v1/components/{id}/operations`	Routine catalogue	FR-2.4
POST	`/sovd/v1/components/{id}/operations/{rid}/start`	Start routine	FR-2.1
POST	`/sovd/v1/components/{id}/operations/{rid}/stop`	Stop routine	FR-2.2
GET	`/sovd/v1/components/{id}/operations/{rid}/status`	Poll routine status	FR-2.3
GET	`/sovd/v1/components/{id}/data`	List DIDs	FR-3.3
GET	`/sovd/v1/components/{id}/data/{did}`	Read single DID	FR-3.3
POST	`/sovd/v1/sessions`	Create session	FR-7.1
GET	`/sovd/v1/health`	Liveness check	—

8.2 Middleware stack

flowchart TD
    REQ["Incoming HTTPS request"] --> M1
    M1["Tracing<br/><i>correlation id + OTLP span</i>"] --> M2
    M2["Authentication<br/><i>TLS cert + bearer token</i>"] --> M3
    M3["Rate limiting<br/><i>per-IP, 20 rps default</i>"] --> M4
    M4["Audit logging<br/><i>privileged ops only</i>"] --> M5
    M5["Body validation<br/><i>size + schema</i>"] --> HANDLER
    HANDLER["Route handler"] --> BACKEND["SovdBackend trait dispatch"]

    style REQ fill:#fff3e0,stroke:#e65100
    style HANDLER fill:#bbdefb,stroke:#1565c0
    style BACKEND fill:#bbdefb,stroke:#1565c0

8.3 OpenAPI contract

The API schema is snapshot-locked to ASAM SOVD v1.1 OpenAPI (ISO 17978-3). Any schema change is detected by cargo xtask openapi-dump --check and fails CI.

36 golden JSON snapshot files verify wire format stability
Schema regeneration is a PR gate

9. Deployment Topologies

9.1 Topology comparison

Aspect	SIL (Docker Compose)	HIL (Pi bench)	Production
Host	Linux x86_64	Raspberry Pi aarch64	Pi aarch64
ECUs	POSIX containers (DoIP)	Physical STM32 + virtual	Physical + virtual
CAN bus	vcan0 (virtual)	can0 (500 kbps real)	can0 (real)
TLS	Optional (localhost)	Optional	mTLS enforced
DLT	Local viewer	Local viewer	Cloud collector
Binary	Same artifact	Same artifact	Same artifact

9.2 HIL test bench

graph LR
    subgraph DEV ["Dev Host (Windows)"]
        STL["3x ST-LINK"]
        XDS["1x XDS110"]
        GS["GS_USB (CAN)"]
    end

    subgraph PI ["Raspberry Pi (gateway host)"]
        SM["sovd-main"]
        SIM["ecu-sim"]
        PX["can-to-doip proxy"]
    end

    subgraph HW ["Physical ECUs (2)"]
        CVC["CVC STM32G474RE
(central)"]
        SC["SC TMS570LC43x
(safety)"]
    end

    DEV -->|"SSH"| PI
    DEV -->|"ST-LINK / XDS110 (flash)"| HW
    PI -->|"can0 (500 kbps)"| HW

    style DEV fill:#fff3e0,stroke:#e65100,stroke-width:2px
    style PI fill:#e8f4fd,stroke:#1a73e8,stroke-width:2px
    style HW fill:#fce4ec,stroke:#c62828,stroke-width:2px

10. Test Strategy

10.1 Test pyramid

graph TB
    subgraph PYRAMID ["Test Pyramid"]
        direction TB
        HIL["<b>Level 5: HIL</b><br/>8 scenarios on physical bench"]
        INT["<b>Level 4: Integration</b><br/>25 test files, real backends"]
        OA["<b>Level 3: OpenAPI Contract</b><br/>schema locked to ASAM v1.1"]
        SNAP["<b>Level 2: Snapshot</b><br/>36 golden JSON files"]
        UNIT["<b>Level 1: Unit + Async</b><br/>5,680 tests"]
    end

    HIL ~~~ INT ~~~ OA ~~~ SNAP ~~~ UNIT

    style HIL fill:#fce4ec,stroke:#c62828,stroke-width:2px
    style INT fill:#fff3e0,stroke:#e65100
    style OA fill:#fff9c4,stroke:#f9a825
    style SNAP fill:#e8f5e9,stroke:#2e7d32
    style UNIT fill:#e8f4fd,stroke:#1a73e8,stroke-width:2px

10.2 HIL scenario matrix

#	Scenario	Validates
01	Read faults (all ECUs)	Full fault read path, P99 latency
02	Clear faults	DTC clear SOVD → UDS → CAN
03	Operation execution	Routine trigger + status polling
04	CAN bus-off	Fault detection and recovery
05	Components metadata	ECU HW/SW versions via SOVD
06	Concurrent testers	Multi-client concurrent access
07	Large fault list	Pagination under high fault count
08	Error handling	Invalid requests, timeouts, error codes

10.3 CI pipeline

Gate	Command	Enforcement
Format	`cargo +nightly fmt -- --check`	Hard fail
Clippy	`cargo clippy --all-targets -- -D warnings`	Hard fail
License	`cargo deny check`	Hard fail
Unit + integration tests	`cargo test --locked`	Hard fail
OpenAPI	`cargo xtask openapi-dump --check`	Hard fail
Feature matrix	`--all-features`, `--no-default-features`, `--features mbedtls`	Hard fail
Platforms	Linux x86_64, Windows x86_64	Hard fail

11. Component Catalogue

11.1 opensovd-core workspace (16 crates)

Crate	Purpose	Req
`sovd-interfaces`	Trait + type contracts. Zero I/O.	All FR
`sovd-server`	Axum HTTP server, OpenAPI via utoipa	FR-1.x, FR-2.x, FR-3.x
`sovd-gateway`	Federated routing, parallel fan-out	FR-1.5, FR-6.x
`sovd-dfm`	Diagnostic Fault Manager	FR-4.x
`sovd-db-sqlite`	SQLite persistence, WAL, migrations	FR-4.4
`sovd-db-score`	S-CORE KV backend (placeholder)	—
`fault-sink-unix`	Unix socket IPC, postcard wire format	FR-4.1, FR-4.2
`fault-sink-lola`	S-CORE LoLa shared-memory (placeholder)	—
`opcycle-taktflow`	In-process operation cycle state machine	FR-4.3
`opcycle-score-lifecycle`	S-CORE lifecycle subscriber (placeholder)	—
`sovd-tracing`	DLT + OTLP subscriber configuration	NFR-3.x
`sovd-main`	Binary entry point, TOML config loader	—
`sovd-client`	HTTP client (skeleton)	FR-6.2
`xtask`	`cargo xtask openapi-dump [--check]`	COMP-1.1
`integration-tests`	End-to-end test suite	All

11.2 Supporting components

Component	Language	Lines	Purpose
`classic-diagnostic-adapter/`	Rust	~68k	SOVD-to-UDS/DoIP bridge (vendored verbatim from upstream, 14 crates)
`fault-lib/`	Rust	~600	Framework-agnostic fault API, `#![forbid(unsafe_code)]`
`dlt-tracing-lib/`	Rust	~1.9k	Rust tracing subscriber for COVESA DLT
`odx-converter/`	Kotlin	~4.2k	ODX (.pdx) to MDD binary format converter

12. Design Principles

Rust-first. Async (Tokio), memory-safe, #![forbid(unsafe_code)] where possible. Clippy pedantic + deny enforced in CI.
Trait boundaries, not frameworks. sovd-interfaces defines all contracts with zero I/O. Implementations are swappable.
Spec-locked API surface. OpenAPI schema snapshot-tested against ASAM SOVD v1.1 OpenAPI (ISO 17978-3).
Internal engineering deliverable. Taktflow OpenSOVD is not contributed upstream; the tree is internal. Prior upstream-contribution plans archived under docs/contribution/archive/ per decision D-01 (2026-04-20). See ADR-0007 (archived) for historical context.
Owned core, vendored bridge. opensovd-core/ is Taktflow-owned; classic-diagnostic-adapter/ stays vendored verbatim from Eclipse and is never edited inline — CDA modifications land in separate Taktflow crates or external patches.
Isolation over integration on the safety axis. Fault Library is the ONLY boundary between QM and ASIL-D.

13. Standards Compliance

Standard	Relevance
ISO 17978 (SOVD)	Part 3 OpenAPI wire contract verified; Parts 1/2 aligned from public sources, full normative conformance not yet claimed.
ISO 14229 (UDS)	Legacy diagnostic protocol via CDA bridge.
ISO 26262	Safety lifecycle. OpenSOVD is QM; firmware is ASIL-D.
ISO 13400 (DoIP)	Diagnostic transport over IP.
ISO 15765-2 (ISO-TP)	CAN transport protocol.
MISRA C:2012	Embedded C coding standard for safety-critical code.
ASAM MCD-2D (ODX)	Diagnostic data exchange format.
Automotive SPICE	Process assessment; L2-3 traceability required.
Apache-2.0	License. REUSE/SPDX compliance enforced.

14. Professional Development Story

This section pulls the engineering narrative into the same browser document as the system specification so the product story, requirement flowdown, architecture, implementation seams, and verification model can be read end-to-end in one place.

14.1 Purpose and End-to-End Chain

This part explains the professional engineering story of the repo:

why the use cases exist
how use cases become formal requirements
how the architecture realizes those requirements
how ADRs constrain the design
how code is split across crates and runtime components
how tests and phase gates prove the system

It complements, but does not replace, the canonical source documents:

USE-CASES.md for the capability catalog
REQUIREMENTS.md for numbered contractual requirements
ARCHITECTURE.md for arc42 design and runtime views
DEVELOPMENT-STORY.md for the narrative bridge document
MASTER-PLAN.md for delivery phases, gates, and risks

OpenSOVD is being built as a professional diagnostic product line, not just as a collection of services:

stakeholder need -> use case -> requirement -> architecture -> ADR -> implementation -> verification -> phase exit -> release evidence

14.2 Starting Point: Why the Product Exists

The project starts from a business and engineering problem:

legacy diagnostics are expressed as UDS services over CAN, ISO-TP, and DoIP
those flows are difficult to consume from modern tools, cloud workflows, and multi-ECU zonal platforms
Taktflow wants the same underlying ECU diagnostics exposed through ASAM SOVD v1.1 OpenAPI / ISO 17978-3 without breaking the existing safety lifecycle

So the real problem is not "invent an API." The actual product obligation is to keep legacy UDS and existing firmware behavior intact, add a modern REST diagnostic surface, and preserve safety boundaries plus internal engineering discipline (ADR hygiene, ASPICE traceability, ISO 21434 cybersecurity case, conformance testing).

14.3 Development Flow

Stage	Professional role	Primary artifact
Use cases	Define customer-visible and observer-visible behavior	docs/USE-CASES.md
Requirements	Turn behavior into formal, testable obligations across FR, NFR, SR, SEC, and COMP classes	docs/REQUIREMENTS.md
Architecture	Assign those obligations to runtime building blocks and collaborations	docs/ARCHITECTURE.md
ADRs	Freeze major decisions before they disappear into implementation detail	docs/adr/
Implementation	Follow architecture seams instead of convenience-only module boundaries	`sovd-server`, `sovd-gateway`, `sovd-dfm`, CDA, proxy, fault sinks
Verification	Convert design intent into engineering evidence	unit, integration, SIL, HIL, and phase gates
Delivery phases	Control maturity order and exit criteria across the program	MASTER-PLAN.md

Implementation follows the architecture seams:

sovd-interfaces owns pure contracts and shared types
sovd-server owns the SOVD REST surface
sovd-gateway owns routing and fan-out
sovd-dfm owns fault ingest, debounce, operation-cycle gating, and DTC state
sovd-db-sqlite owns persistence
fault-sink-* owns transport from firmware-side fault reports into DFM
CDA owns UDS and DoIP adaptation for legacy ECUs
the Pi proxy owns CAN ISO-TP bridging for physical CAN-only ECUs

14.4 How Use Cases, Requirements, and Architecture Fit Together

The most useful professional reading path is to follow one use case through the full chain rather than reading each document in isolation.

14.4.1 UC1 -- Read DTCs via SOVD

Layer	Story
Use case	A tester wants `GET /sovd/v1/components/{id}/faults` and expects JSON DTCs, not raw UDS bytes.
Requirements	`FR-1.1` defines per-component DTC listing, `FR-1.5` defines cross-component aggregation, and `NFR-1.1` defines the latency target.
Architecture	`sovd-gateway` routes by component id, `sovd-server` serves the resource, DFM handles native DTC state, and CDA handles legacy UDS-backed ECUs.
Implementation	`sovd-server` handlers, `SovdBackend` dispatch, DFM query path, CDA integration, and the optional Pi proxy path for physical ECUs.
Verification	Unit tests, integration tests, and `hil_sovd_01_read_faults_all.yaml`.

14.4.2 UC2 -- Report Fault via Fault API

Layer	Story
Use case	An ECU-side software component reports a fault without blocking its time-critical path.
Requirements	`FR-4.1`, `FR-4.2`, and `FR-4.3` define the reporting path; `NFR-1.2` sets visibility latency; `SR-4.1` and `SR-4.2` protect the safety boundary.
Architecture	Faults cross exactly one boundary through the Fault Library into DFM. DFM owns debounce, operation-cycle gating, DTC lifecycle, and persistence.
Implementation	C shim on embedded, Rust-side sink, DFM pipeline, and SQLite storage.
Verification	`phase3_dfm_sqlite_roundtrip.rs` plus unit coverage on debounce and lifecycle logic.

14.4.3 UC3 -- Clear DTCs

Layer	Story
Use case	An authenticated tester clears fault memory for a component.
Requirements	`FR-1.3` defines the functional operation; `SEC-2.1`, `SEC-2.2`, and `SEC-3.1` add authentication, authorization, and auditability.
Architecture	Auth middleware sits in front of the route, Gateway resolves the backend, CDA maps to UDS `0x14` where needed, and the audit sink records the operation.
Implementation	Auth module, route handler, backend clear path, audit sink, and CDA clear-fault translation.
Verification	`hil_sovd_02_clear_faults.yaml` plus audit checks.

14.4.4 UC4 -- Reach a Legacy UDS ECU Through SOVD

Layer	Story
Use case	A tester addresses one SOVD endpoint and does not need to care whether the ECU is virtual DoIP or physical CAN-only hardware.
Requirements	`FR-5.1` covers the virtual DoIP path, `FR-5.2` the physical proxy path, `FR-5.3` CDA configuration, and `FR-5.4` session mirroring.
Architecture	Gateway chooses the CDA backend, CDA speaks DoIP, and the Pi proxy adapts DoIP to CAN ISO-TP for physical ECUs.
Implementation	CDA integration, proxy server, SocketCAN, route configuration, and backend wiring.
Verification	`phase2_cda_ecusim_smoke.rs`, HIL captures, and HIL fault-read scenarios.

14.4.5 UC5 -- Trigger a Diagnostic Routine

Layer	Story
Use case	A tester starts a routine such as motor self-test and polls until completion.
Requirements	`FR-2.1` to `FR-2.3` define start, stop, and status; `SR-3.1` and `SR-3.2` define safety interlocks; `FR-5.5` requires UDS security mirroring on locked paths.
Architecture	SOVD route to auth to gateway to CDA to UDS `0x31`; firmware enforces runtime preconditions and returns the correct failure mode.
Implementation	Operation handlers, session and security checks, CDA routine translation, ECU routine handlers, and async execution state.
Verification	`hil_sovd_03_operation_execution.yaml` and supporting unit tests.

The professional mapping is consistent across all five MVP flows:

the use case defines the externally meaningful story
the requirement turns that story into a precise obligation
the architecture assigns responsibility to the correct runtime elements
the code follows those structural seams
the test proves the story in the intended topology

14.5 The Phase Story: How the Product Is Built Professionally

Phase	Purpose	Professional meaning
0 -- Foundation	Align toolchains, workspace conventions, and monorepo discipline	Control the engineering environment before adding features
1 -- Embedded UDS + DoIP POSIX	Expose the minimum legacy diagnostic substrate SOVD will rely on	Do not design the facade before the substrate is viable
2 -- CDA integration + CAN-to-DoIP proxy	Prove the path to both virtual and physical ECUs	Retire topology risk early
3 -- Fault Library + DFM	Make fault ingest and DTC state real instead of mocked	Establish the central diagnostic data model before claiming the full REST surface
4 -- SOVD Server + Gateway	Expose the ASAM SOVD MVP surface and make the five MVP use cases work in Docker	Only expose the customer-facing contract after data and adapter paths are solid
5 -- End-to-end demo + HIL	Prove the same stories on real Taktflow hardware	Hardware remains the real integration truth beyond Docker success
6 -- Hardening	Complete production-grade transport security, observability, performance controls, and release readiness	Separate MVP behavior from full product hardening

14.6 Where Each Document Fits

Document	Professional role in the story
MASTER-PLAN.md	Program-level delivery story, phases, risks, gates, staffing, and milestones
USE-CASES.md	Customer-visible and observer-visible behavior catalog
REQUIREMENTS.md	Formal engineering contract and test basis
ARCHITECTURE.md	Technical realization strategy and runtime collaboration
TRADE-STUDIES.md	Option analysis before committing to a direction
docs/adr/	Frozen design decisions with rationale
TEST-STRATEGY.md	Verification approach and test-layer responsibilities
SAFETY-CONCEPT.md	Safety boundary and QM versus ASIL discipline
security-concept.md	Security control model and deferred hardening items
SYSTEM-SPECIFICATION.md	Single-file executive engineering reference in Markdown form

14.7 How to Read One Feature End-to-End

Find the use case in USE-CASES.md.
Open the linked requirement IDs in REQUIREMENTS.md.
Open the linked runtime view in ARCHITECTURE.md.
Check the relevant ADRs that constrain the design.
Locate the implementation crate or service named in the architecture.
Open the referenced integration or HIL test that verifies the flow.
Check the phase and exit criteria in MASTER-PLAN.md.

14.8 What Makes This Story Professional

it starts from stakeholder-visible use cases, not internal modules
it expresses those use cases as numbered requirements
it separates functional, non-functional, safety, security, and compliance demands
it uses architecture as realization, not as marketing
it records major decisions in ADRs before burying them in code
it aligns implementation boundaries with architectural boundaries
it verifies the system at unit, integration, SIL, and HIL levels
it uses phase exits and milestones instead of declaring everything done at once
it preserves the safety boundary instead of treating diagnostics as a free-for-all
it keeps internal quality bars (ADR hygiene, ASPICE traceability, conformance suites) aligned with the same engineering-spec discipline an upstream contribution would have required

Bottom line: use cases define the meaningful stories, requirements turn them into obligations, architecture assigns those obligations to runtime elements, ADRs freeze the key choices, implementation follows those seams, verification proves the result, and phase gates make the maturity story explicit.

15. Related Documents

Document	Description
ARCHITECTURE.md	Full arc42 architecture with detailed views
REQUIREMENTS.md	Complete FR/NFR/SR/SEC/COMP with acceptance criteria
docs/DEVELOPMENT-STORY.md	Narrative bridge from use case to requirements, architecture, implementation, verification, and phase gates
USE-CASES.md	Canonical UC1–UC20 catalog (source of truth for §7 above)
SAFETY-CONCEPT.md	Safety boundary, failure containment, MISRA
docs/security-concept.md	Security control model, route protection, auditability, and deferred hardening items
TEST-STRATEGY.md	Test levels, CI pipeline, coverage
docs/TRADE-STUDIES.md	Legacy single-file record of trade studies TS-01 through TS-18 (programming language, HTTP framework, DFM persistence, fault wire format, auth, license, etc.)
docs/trade-studies/	Per-study folder for newer trade studies. Current: TS-19 sovd-client transport stack (reqwest vs. hyper+tower, trait vs. concrete, industry-SDK evidence table). Convention documented in docs/trade-studies/README.md.
MASTER-PLAN-PART-2-PRODUCTION-GRADE.md	Part II of the master plan — production grade (M10 → in-vehicle release). 20 PROD capabilities (PROD-1 … PROD-20) covering automotive HPC port, fleet OTA, tester-over-HTTP auth, edge ML productization, ISO 21434 + R155 evidence, cloud bridge, AUTOSAR AP interop, Diagnostic & Fault Libraries, and the sovd-client SDK. Open-question register Q-PROD-1 … Q-PROD-11b pending OEM answers. See §17 below for the customer-facing summary.
DEPLOYMENT-GUIDE.md	SIL/HIL/production deployment
DEVELOPER-GUIDE.md	Build, run, and test instructions
GLOSSARY.md	Domain terminology
docs/adr/	34 accepted Architecture Decision Records (ADR-0001 … ADR-0034). Three landed 2026-04-21: ADR-0032 Rust codestyle baseline, ADR-0033 composable transport layers, ADR-0034 async-first diagnostic runtime. One still planned: ADR-0035 ISO 17978 conformance subset (pairs with PROD-10). One archived: ADR-0007.

16. Revision History

Rev	Date	Author	Change
1.0	2026-04-16	SOVD workstream	Initial consolidated specification
1.1	2026-04-17	SOVD workstream	Section 7 expanded to the full UC1–UC20 catalog with traceability matrix; mirrors new `docs/USE-CASES.md`.
1.2	2026-04-17	SOVD workstream	Renamed the browser deliverable to `ENGINEERING-SPECIFICATION.html` and merged the standalone development story into Section 14.
1.3	2026-04-17	SOVD workstream	Added UC21–UC23 OTA firmware update per ADR-0025; bumped ADR count to 25.
1.4	2026-04-19	SOVD workstream	Added §1.1 progress snapshot (phase status table through 2026-04-19), §1.2 repository structure note reflecting the 2026-04-19 flatten (opensovd-core owned by Taktflow, CDA stays vendored); renumbered Conformance scope to 1.3; updated current-status paragraph; HIL bench Pi ground-truth captured as `<pi-user>@<pi-bench-ip>` (Ubuntu 24.04.4 LTS aarch64).
1.5	2026-04-19	SOVD workstream	Refreshed §1.1 progress snapshot: Public VPS SIL (20/20 UCs + Grafana) done; Phase 5 Stage 1 observer dashboard + mTLS done (VPS same-origin dashboard with cross-nav + Pi observer nginx mTLS at <pi-bench-ip>); Phase 5 Stage 1 Pi Prometheus + Grafana done (full observer stack Up on Pi, aarch64 cross-compile closed on laptop); added Phase 6 pre-work row (P6-PREP-07 ADR-0025 scope-lock closed); added Upstream Phase 2 + Phase 3 planned rows aligned with Eclipse OpenSOVD project proposal months 13–18 and 19–24.
1.6	2026-04-19	SOVD workstream	Progress snapshot catch-up: added dedicated row for Phase 5 bench debug helpers (P5-HIL-10 mdd-ui + tokio-console) closed; refreshed Phase 6 pre-work evidence to reflect 5 of 8 P6-PREP units closed today (01 auth, 02 integrator-guide skeleton, 03 safety-delta, 07 ADR-0025 scope lock, 08 contribution-readiness) and called out the 3 pending (04 rate-limit, 05 OTEL blocked on local Jaeger collector, 06 DLT).
1.7	2026-04-19	SOVD workstream	Progress snapshot: P6-PREP-04 SIL rate-limit slice + P6-PREP-05 local OTLP tracing spike both closed. OTEL spike verified against a local Jaeger all-in-one container (trace ID `fd8e19d9...c5c`). 7 of 8 P6-PREP units now done; only 06 DLT emission spike pending.
1.8	2026-04-19	SOVD workstream	Progress snapshot: Phase 6 pre-work now complete (all 8 P6-PREP units done, including 06 local SIL DLT spike with feature-gated `[logging.dlt]` surface). P5-HIL-08 doip-codec fork migration closed in cross-repo `taktflow-embedded-production` (laptop commit `4a7457b5`); `proxy-doip` now pins the same theswiftfox revisions Eclipse CDA uses, with thin shims preserving `server.rs`. Added explicit closed row for each repo-only Phase 5 milestone.
1.9	2026-04-19	SOVD workstream	Progress snapshot: P5-HIL-09 MDD FlatBuffers emitter landed as partial in `taktflow-embedded-production` laptop commit `b5a804aa`. Minimal emitter covers root `EcuData` fields with 6 byte-level round-trip tests; remainder split into `P5-HIL-09b` (80-table CDA schema with 10 unions and cyclic DOP/Param refs requires `flatc`-generated bindings beyond the 45-min slice budget).
2.0	2026-04-19	SOVD workstream	Upstream Phase 2 + Phase 3 scaffolded. Four ADRs landed (ADR-0026 COVESA/VSS mapping, ADR-0027 Extended Vehicle scope + pub/sub, ADR-0028 Edge ML scope + lifecycle, ADR-0029 ML model signing + rollback), pilot OEM playbook skeleton, Phase 2 upstream discussion pack with 9 isolated open questions, and ISO/DIS 17978-1.2 compliance gap-analysis skeleton. 7 of 15 combined UP2+UP3 units closed; remaining 8 are crate scaffolds and scenario tests that unblock after Phase 6 complete.
3.2	2026-04-23	SOVD workstream	OTA feature maturity pass. CVC OTA state machine hardened (input validation, inactivity timeout, witness-replay guard, constant-time hash compare, manifest v1+v2 with monotonic downgrade guard); POSIX unit-test harness at `test/firmware/cvc-uds-ota/` with 19 cases; host-side CMS signature scaffold + witness verifier + manifest builders landed in `sovd-server`. TMS570 OTA state machine brought to interface parity with CVC and HIL-proven on live hardware on 2026-04-23 (manifest v1, `0x34/0x36/0x37` download of 256 B, SHA-256 verify, `COMMITTED`, witness-id round-trip); flash write / bank-switch stubbed pending F021 Flash API integration. Full 8-page feature documentation site published at docs/firmware/cvc-ota/. §1.1 Phase 5 row updated from "Not started" to "Smoke done" for STM32 + TMS570 flash; Phase 6 row updated from "Blocked on P5 HIL green" to "Partial" reflecting OTA advancement.
3.1	2026-04-21	SOVD workstream	Part II absorption + ADR number reconciliation. Three ADRs landed and superseded their v3.0 placeholder slots: ADR-0032 = Rust codestyle baseline (not cybersecurity profile); ADR-0033 = composable transport layers (not cert lifecycle); ADR-0034 = async-first diagnostic runtime (not S-CORE backend compat). Only ADR-0035 (ISO 17978 conformance) remains planned, paired with PROD-10. §1.1 Progress Snapshot: Phase 9 marked "Superseded by Part II" (scope flows to PROD-5 / PROD-9 / PROD-11); Phase 10 same ("Superseded by Part II" — pluggable-backend covered by ADR-0016 + PROD-16, COVESA drift by PROD-12 / PROD-15); Phase 11 "Partially superseded" (conformance work to PROD-8 / PROD-10; doc-maturity stays Part I). §15 Related Documents updated: `docs/trade-studies/` folder with TS-19 sovd-client transport stack added; MASTER-PLAN-PART-2 pointer added. New §17 "Part II — Production Roadmap" added for customer-facing summary of PROD-1 … PROD-20 + open-question register Q-PROD-1 … Q-PROD-11b. §15 ADR count updated from "31 accepted / 4 planned" to "34 accepted / 1 planned / 1 archived".
3.0	2026-04-20	SOVD workstream	Scope realignment release. Decision D-01 drops upstream contribution to Eclipse OpenSOVD; prior plans archived under `docs/contribution/archive/`, `docs/upstream/archive/`, `docs/adr/archive/` (ADR-0007 archived). Master plan rewritten (v3.0) in Vector-Informatik manual style with reference-time planning (phase- and milestone-relative anchors only, absolute dates preserved for past facts), all four Eclipse OpenSOVD in-scope capability buckets (Core SOVD, Security & Compliance, Documentation & Testing, Ecosystem Integration) and four future-proofing extensions (Semantic Interoperability, Edge AI/ML, Extended Vehicle, ISO 21434 + cert lifecycle) expanded into per-feature specifications. Introduced six new phases P6 through P11 with bounded execution units. New ADRs flagged as planned: ADR-0032 cybersecurity profile, ADR-0033 cert lifecycle, ADR-0034 S-CORE backend compatibility, ADR-0035 ISO 17978 conformance subset. This spec updated to match: progress-snapshot table rewritten to list phases P6/P7/P8/P9/P10/P11 explicitly, upstream-contribution row marked Dropped, design-principle wording updated, NFR-6.1 relabelled "CDA style parity", 1.2 repository-structure note rewritten.

17. Part II — Production Roadmap

Part I (sections 1–16 above, milestones M0–M10) covers the bench → conformance → docs-maturity path. Part II extends the plan to in-vehicle production release (M10 → M12) and lives in MASTER-PLAN-PART-2-PRODUCTION-GRADE.md (Draft 0.7 as of 2026-04-21). The summary below is a customer-facing index of that document — the plan file is authoritative.

17.1 Milestones

Milestone	Phase	Exit criterion
M11 — First-vehicle drop	P12 — Vehicle HPC bring-up	Taktflow binary boots on target HPC in a prototype vehicle; `GET /sovd/v1/components` round-trips over in-vehicle Ethernet; CDA reads UDS from every legacy ECU; edge ML advisory end-to-end on target HPC.
—	P13 — Production rails	Pilot VIN set OTA-rolled through the OEM backend; HTTP/2 live; cloud bridge operational; ISO 21434 + R155 evidence review-ready.
M12 — Production release gate	P14 — Safety release + homologation	OEM production release gate passed; R155 + R156 evidence accepted; type-approval artifacts filed for target markets.

17.2 Production capabilities (PROD-1 … PROD-20)

ID	Capability	Anchor
PROD-1	Automotive HPC target port	§II.6.1
PROD-2	Production packaging + release artifacts	§II.6.2
PROD-3	Safety partitioning integration contract	§II.6.3
PROD-4	Fleet OTA rails (Uptane-aligned, UNECE R156)	§II.6.4
PROD-5	Tester-over-HTTP production surface (OAuth2 / mTLS / scoped roles)	§II.6.5
PROD-6	Edge AI/ML productization	§II.6.6
PROD-7	HTTP/2 transport	§II.6.7
PROD-8	Full SOVD 1.1 resource coverage	§II.6.8
PROD-9	ISO 21434 + UNECE R155 evidence kit	§II.6.9
PROD-10	ODX-driven conformance harness (pairs with planned ADR-0035)	§II.6.10
PROD-11	Cloud bridge / fleet broker pattern	§II.6.11
PROD-12	Online capability description completeness	§II.6.12
PROD-13	ODX authoring loop-closure	§II.6.13
PROD-14	AUTOSAR AP `ara::diag` interop profile (differentiator)	§II.6.14
PROD-15	Upstream tracking + merge cadence	§II.6.15
PROD-16	Fault-lib feature parity (debounce / enabling conditions / aging / IPC retry)	§II.6.16
PROD-17	Diagnostic Library — framework-agnostic app registration (S-CORE ↔ OpenSOVD interface)	§II.6.17
PROD-18	Fault Library — framework-agnostic fault API for apps (with C FFI)	§II.6.18
PROD-19	`sovd-client` typed SDK (hyper+tower, entity navigators, no domain trait; per ADR-0033 and ADR-0034)	§II.6.19
PROD-20	UDS → SOVD ingress proxy	§II.6.20

17.3 Open questions pending OEM answers (Q-PROD-*)

ID	Question (short form)	Blocks
Q-PROD-1	Production HPC target SoC + OS (NXP S32G / Renesas R-Car / Orin / Snapdragon Ride / EyeQ / Adaptive AUTOSAR on POSIX)	PROD-1/2/6, P12
Q-PROD-2	Safety partitioning — QM-only with T1 wrapping, or OEM deliverable includes ASIL split	PROD-3, P12
Q-PROD-3	Regulatory scope — UNECE R155 / R156 carried by Taktflow or by T1 / OEM	PROD-9
Q-PROD-4	Fleet rollout model — Taktflow owns staged rollout or OEM routes OTA through existing platform	PROD-4, P13
Q-PROD-5	Tester-over-HTTP scopes (OEM engineering / dealer / workshop / 3rd-party OBD / public API)	PROD-5, PROD-9
Q-PROD-6	Cloud bridge pattern (reverse tunnel / broker mTLS / private APN / federated OEM VPN)	PROD-11, P13
Q-PROD-7	ODX authoring tool target (Softing DTS.venice / Vector CANdelaStudio / internal)	PROD-13
Q-PROD-8	Upstream tracking strategy (continuous merge / periodic re-vendor / mirror-fork / frozen fork)	PROD-15
Q-PROD-9	ODX-converter production posture (CI-only JVM / JVM in vehicle / port to Rust)	PROD-13, P13
Q-PROD-10c	Auth model (OAuth2 / mTLS / static token / mixed)	PROD-19, PROD-5
Q-PROD-10d	Streaming transport (SSE / WebSocket)	PROD-19.3, PROD-10
Q-PROD-10e	`sovd-interfaces` as public crate (crates.io) — design-for-publication from start per user direction 2026-04-21	PROD-19
Q-PROD-10f	`SovdClient` trait fate (delete vs. retain as design doc). Non-blocking per ADR-0033.	PROD-19.1
Q-PROD-11	Upstream opensovd-core (`inc/liebherr` branch) posture — absorb as second vendored subtree, cherry-pick patterns, reference-only, or wait for upstream merge strategy	PROD-15/17/19
Q-PROD-11b	Audit of the six presumed-vendored upstream dirs (`opensovd/`, `classic-diagnostic-adapter/`, `odx-converter/`, `uds2sovd-proxy/`, `cpp-bindings/`, `dlt-tracing-lib/`). Only `fault-lib/` confirmed vendored.	PROD-13/14, Part I §5.1.5

17.4 Design-OSS posture (2026-04-21)

Per user direction 2026-04-21, all design artifacts (ADRs, trade studies, plan sections) are authored publish-safe from the first draft. Upstream code contribution to Eclipse OpenSOVD stays dropped (Decision D-01, retained from v3.0); the design itself is genuinely open. The sovd-client SDK (PROD-19) is the customer-facing Rust consumer API and is designed for external consumption from the start — the hyper+tower / entity-navigator / no-domain-trait shape matches what every mainstream production Rust SDK (AWS, Azure, GCP, Kubernetes, GitHub, sqlx) ships. Evidence and rationale: TS-19.

Taktflow OpenSOVD — Engineering Specification