Document the root cause (legacy Mission SQLModel object passed to
JSON-serializing template context) and the rule: never pass SQLModel
objects to template contexts that feed JSON bridges. Always grep ALL
route files when removing deprecated models.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The .skip-if-docs-only rule used changes: with doc file patterns,
but GitLab's changes: matches if ANY listed file changed (not ONLY).
So commits touching both .md and .py files would skip all test jobs.

Fix: replaced with .code-changes-only that uses positive matching --
jobs run when code files change (core/, director/, agent/, shared/,
tests/, ops/, .gitlab-ci.yml, pyproject.toml). Made all cross-rule
needs: dependencies optional so skipped jobs don't block downstream.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Document the GitLab changes: rule gotcha (matches ANY, not ONLY)
and the rule: use positive matching for code paths, not negative
matching for doc paths. Always make cross-rule needs: optional.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Rename 00-EXECUTIVE-SUMMARY.md to lowercase to match the mkdocs.yml
nav entry. The case mismatch caused MkDocs to fail on the Linux CI
runner (case-sensitive filesystem) while working locally on Windows.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Coverage:
- Add .coveragerc with source paths for shared, director, core
- Add unit tests for shared (schemas, topics, time_utils, constants)
  and director (physics, tle_manager) — 136 tests, ~50% coverage
- Enable --cov on all CI test jobs (smoke, physics, campaign,
  integration) with zero extra wall time — coverage piggybacks
  on existing test runs
- Update Makefile test targets to include director coverage

Nav consistency:
- Remove old "// FDS" branding and "Flight Dynamics" title from
  dashboard — rename CSS class fds-container to dashboard-container
- Standardise menu item order across all authenticated pages:
  Dashboard | Members | Stations | Campaigns | Settings | Networks | Admin
- Add org nav links to networks and admin pages (were showing
  a minimal Dashboard+Networks+Admin menu)
- Pass user's default org to networks and admin route handlers
  so the nav template can render org-scoped links

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove unused imports and fix import ordering flagged by ruff.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Pre-built CI image (ci/Dockerfile.ci):
- All system deps (libpq, hamlib) + all Python deps pre-installed
- Eliminates pip installs from every lint/test job (~30-90s savings each)
- build-ci-image job rebuilds only when requirements.txt files change

Coverage fix (coverage combine):
- Switch all test jobs from pytest --cov to coverage run --parallel-mode
- New coverage-report job merges .coverage.* files from all test jobs
- Single Cobertura XML for MR diff annotations (was 5 competing reports)
- Enable branch coverage in .coveragerc
- True combined coverage: 53.9% (was reporting naive average)

Job consolidation (8 → 5 test jobs):
- Merge test-smoke + test-campaign + test-physics into test-app
  (all need no services, verified they pass when combined)
- Rename test-agent-hardware → test-agent
- Make test-load manual on MRs, auto on default branch
- Remove .pip-cache template (CI image has everything)

Pipeline improvements:
- Add auto_cancel on new commits (cancels stale pipelines)
- Add FF_USE_FASTZIP for faster artifact compression
- Remove optional: true from build needs (tests gate builds)
- Remove ops/**/* from code-changes-only (ops changes skip tests)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The global CI SECRET_KEY variable conflicted with the test files'
os.environ.setdefault() calls. When both smoke and campaign tests
run in one process, core.config.SECRET_KEY is loaded once with the
smoke test's secret, but the campaign test read the CI env var for
its cookie signer — causing a signature mismatch and 401 errors.

Fix: unset SECRET_KEY in the test-app job so both files' setdefault
produces the same value.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Satellite dish icon in TALOS accent blue (#4dacff) with signal
waves. Added <link rel="icon"> to all 10 HTML templates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Add GET /api/public/network endpoint returning all stations and
  active campaigns across all networks (no auth required)
- Plot ground stations as green circle markers on the map
- Dynamically populate quick-select with active campaign satellites
- Fix satellite name bug: strip TLE line-0 "0 " prefix from tle0
  (SatNOGS returns "0 OBJECT H" instead of the real name)
- Override name with campaign name when a matching campaign exists
- Add station count indicator card in sidebar
- Rename "Quick Select" to "Missions & Satellites"

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Rework public tracker from single-satellite to multi-satellite view:
- Track ALL quick-select + campaign satellites in parallel (fetched
  every 5s via Promise.allSettled)
- Each satellite gets its own colored marker, footprint circle, and
  ground track trail (colors from dashboard campaign palette)
- Click any satellite marker to focus telemetry panel on it
- Map fits bounds to show all satellites on first load
- Status bar shows live satellite count
- Manual NORAD input adds to the tracked set (doesn't replace)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add streaming-first data pipeline for routing decoded satellite frames
from TALOS agents to external YAMCS mission control instances.

Phase 1 (schemas + data model):
- StreamCommand, FrameData, MissionEndpoint Pydantic schemas
- Stream MQTT topics (cmd/stream, stream/frames, wildcards)
- MissionLink DB model mapping campaigns to YAMCS endpoints
- Mission link CRUD API (GET/PUT/PATCH/DELETE per campaign)

Phase 2 (stream router):
- MQTT subscriber + UDP forwarder matching phasma-ops convention
  (4-byte frame_id prepend, datagram to YAMCS UdpTmDataLink)
- Integrated into FastAPI lifespan (startup/shutdown)
- In-memory MissionLink cache with TTL + invalidation on CRUD
- MQTT ACL rules for agent stream/# and director stream/# topics

Also adds:
- docs/research/06-phasma-integration.md (architecture decisions)
- 23 new tests (schemas, topics, router routing logic)
- ROADMAP.md v0.5.2 section with 5-phase streaming plan
- CLAUDE.md invariant #8 (TALOS routes frames, YAMCS parses them)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The Campaign.mission_link relationship used "MissionLink | None" as a
string annotation, which SQLAlchemy cannot resolve during mapper
configuration. Changed to plain "MissionLink" (single-valued
relationships are nullable by default) and added overlaps parameter
to MissionLink.campaign to silence the bidirectional copy warning.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Architecture diagram: add Stream Router, GNU Radio Flowgraph, YAMCS,
  and External Services subgraph with ZMQ/UDP/MQTT data paths
- ER diagram: add MissionLink entity with campaign-to-YAMCS relationship
- Data flow diagram: add full streaming sequence (AOS trigger, flowgraph
  spawn, ZMQ frame collection, MQTT publish, UDP forward to YAMCS, LOS)
- Key Capabilities: add YAMCS integration and streaming architecture
- Technology Stack: add YAMCS and frame streaming entries
- How It Works: add step 5 (data streaming pipeline)
- Project Structure: add stream_router.py, missions route, 12 route modules
- Roadmap: add v0.5.2 completed items, update upcoming section
- Documentation table: add phasma-integration research doc
- Acknowledgments: add YAMCS
- CHANGELOG.md: add v0.5.2 release with all streaming additions
- ARCHITECTURE.md: add Stream Router component, update Agent description

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

When only .md files change, .code-changes-only prevents test jobs from
being created. coverage-report and build-* had non-optional needs on
those test jobs, causing "yaml invalid" pipeline errors.

Fix: make all test job dependencies optional:true in coverage-report,
build-core, build-director, and build-agent. Also add .code-changes-only
to coverage-report so it skips entirely on docs-only commits.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Remove undefined YAMCS_Instance entity reference and quoted relationship
label that broke Mermaid 10.7.0 parsing on GitLab.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Independent code review identified 32 findings (4 critical, 7 high,
12 medium, 9 low). Added as 30 new roadmap items:

- v0.5.3 Code Review Hardening: items 81-100 (thread safety, CORS,
  rate limiting, input sanitization, admin pagination, testing gaps)
- v0.6.0 Infrastructure: items 101-110 (API key hashing, Docker
  non-root, SBOM, API versioning, Alembic migration strategy)
- Escalated item #20 (dependency pinning) from DEFERRED to P0
- Renamed existing v0.5.3 Batch Propagation to v0.5.4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Security:
- Threading.Lock on Director globals and stream router UDP socket (#81, #82)
- Magic link URL removed from logs, startup guard added (#83)
- CORS allow_headers restricted from wildcard to explicit list (#84)
- Session cookie path=/ added (#85)
- Rate limiting extended to admin/public/campaign endpoints (#86)
- Proxy-aware rate limiter reads X-Forwarded-For (#87)
- HTML tag stripping on all user-controlled text fields (#88)
- Migration errors now logged at WARNING (#90)
- Uniform login response prevents account enumeration (#91)

UX:
- Expired/invalid magic links show styled HTML error page with
  "Request New Link" button instead of raw JSON

Correctness:
- Admin pagination with page/per_page query params (#89)
- Station geo coordinate validation (lat/lon/alt bounds) (#92)
- Director BROKER_PORT env var (#93)
- Agent socket cleanup on connection failure (#94)
- asyncio.get_event_loop() replaced with get_running_loop() (#95)
- Agent telemetry publishes to org-scoped topic (#96)

Testing (29 new tests, 328 total):
- Auth security: expired/invalid JWT returns HTML (#98)
- RBAC violations: cross-org access, viewer role enforcement (#99)
- Input validation: HTML stripping, geo bounds, field lengths (#100)
- Stream router: socket lock verification (#97)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

v0.5.0: Performance and data resilience -- background prediction, CelesTrak fallback, PropagatorProtocol

New modules:
- shared/tle_sources.py: CelesTrakClient + TLESourceManager with priority
  cascade (SatNOGS -> CelesTrak -> stale cache) (#41)
- director/propagator.py: PropagatorProtocol interface + SkyfieldPropagator
  adapter for swappable propagation backends (#37)
- director/background_predictor.py: ThreadPoolExecutor-based background
  computation for pass predictions and ground tracks (#36)

Integration:
- Director pass predictions moved off 2Hz loop to background thread (#36)
- TLE manager uses multi-source fallback via TLESourceManager (#41)
- Public satellite tracker uses TLESourceManager for cached lookups (#42)
- Updated test mocks from _satnogs to _tle_sources

Testing (21 new tests, ~349 total):
- TLE source fallback cascade (SatNOGS/CelesTrak/cache) (#41)
- BackgroundPredictor lifecycle (submit/get/cleanup/shutdown) (#36)
- PropagatorProtocol compliance and Skyfield adapter (#37)
- Import checks for 3 new modules
- Physics and station manager tests (#44, #45)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>