fix(mcu): MCU-A5 — gate Idq health-window during PA calibration walk

The boot-time Idq calibration walks DAC_val from 126 down toward the
1.680 A target. Mid-walk readings sit well above the 2.5 A overcurrent
threshold by design, and a channel that hits the safety_counter timeout
(50 iters) can be left above the window. Without a gate, the next
checkSystemHealth() pass would trip ERROR_RF_PA_OVERCURRENT and route
straight into Emergency_Stop, killing the system mid-bringup.

Added a `pa_calibration_in_progress` flag set TRUE around both DAC1 and
DAC2 cal walks. checkSystemHealth's Idq window short-circuits while the
flag is set; bias-fault and overcurrent thresholds remain fully active
once the walk completes, so any genuinely stuck-high channel surfaces on
the very next health pass and routes through the normal handler.

Other health checks (lock, comm, temperature, watchdog) stay live during
cal — no behavioural change to anything except the Idq window.

Added test_mcu_a5_pa_cal_gate (7 cases): mid-walk masking, post-cal
re-arming, stuck-high channel surfacing after gate clears, bias-fault
gating, PowerAmplifier=false short-circuit, and a pre-fix regression
case showing the buggy path would have tripped overcurrent mid-walk.
MCU regression now 79/79.

9_Firmware/9_1_Microcontroller/9_1_3_C_Cpp_Code/main.cpp

@@ -639,6 +639,17 @@ static SystemError_t last_error = ERROR_NONE;
 static uint32_t error_count = 0;
 static bool system_emergency_state = false;
 
+/* MCU-A5: gate that suppresses Idq overcurrent / bias-fault evaluation in
+ * checkSystemHealth while the boot-time PA calibration walk is running.
+ * The walk starts each channel at DAC_val=126 and steps DOWN; the early
+ * iterations sit well above the 2.5 A overcurrent threshold by design,
+ * and a channel that hits the safety-counter timeout (50 iters) can be
+ * left at >2.5 A. Without this gate, the next periodic health check
+ * trips ERROR_RF_PA_OVERCURRENT → Emergency_Stop. Set TRUE around the
+ * cal loops; checkSystemHealth treats overcurrent/bias as advisory while
+ * set. Temperature, comm, and lock checks remain fully active. */
+static volatile bool pa_calibration_in_progress = false;
+
 // Error handler function
 SystemError_t checkSystemHealth(void) {
     SystemError_t current_error = ERROR_NONE;
@@ -755,7 +766,12 @@ SystemError_t checkSystemHealth(void) {
     }
 
     // 7. Check RF Power Amplifier Current
-    if (PowerAmplifier) {
+    //    MCU-A5: skip the Idq window while pa_calibration_in_progress is set.
+    //    The cal walk starts at DAC_val=126 (well into overcurrent) and steps
+    //    DOWN to the 1.68 A target; mid-walk readings are not a fault. A
+    //    channel left high by the safety-counter timeout is logged separately
+    //    and surfaces on the next post-cal health check.
+    if (PowerAmplifier && !pa_calibration_in_progress) {
         for (int i = 0; i < 16; i++) {
             if (Idq_reading[i] > 2.5f) {
                 current_error = ERROR_RF_PA_OVERCURRENT;
@@ -2030,6 +2046,8 @@ int main(void)
 		  DIAG("PA", "  ADC2 ch%d: raw=%d Idq=%.3fA", channel, adc2_readings[channel], Idq_reading[channel+8]);
 	  }
 
+	  /* MCU-A5: gate Idq health-check window across both DAC1 + DAC2 cal walks. */
+	  pa_calibration_in_progress = true;
 	  DIAG("PA", "Starting Idq calibration loop for DAC1 channels 0-7 (target=1.680A)");
 	  for (uint8_t channel = 0; channel < 8; channel++){
 	      uint8_t safety_counter = 0;
@@ -2069,6 +2087,10 @@ int main(void)
 	      DIAG("PA", "  DAC2 ch%d calibrated: DAC_val=%d Idq=%.3fA iters=%d",
 	           channel, DAC_val, Idq_reading[channel+8], safety_counter);
 	  }
+	  /* MCU-A5: cal walks complete -- re-arm Idq health checks. Any channel
+	   * left out-of-window by safety_counter timeout will surface on the
+	   * next checkSystemHealth pass and route through the normal handler. */
+	  pa_calibration_in_progress = false;
 	  DIAG("PA", "PA IDQ calibration sequence COMPLETE");
   }
 

9_Firmware/9_1_Microcontroller/tests/Makefile

@@ -68,6 +68,7 @@ TESTS_STANDALONE := test_bug12_pa_cal_loop_inverted \
                     test_bug16_runradar_shadows_globals \
                     test_mcu_a1_cooling_hysteresis \
                     test_mcu_a7_emergency_persist \
+                    test_mcu_a5_pa_cal_gate \
                     test_gap3_iwdg_config \
                     test_gap3_temperature_max \
                     test_gap3_idq_periodic_reread \
@@ -167,6 +168,9 @@ test_mcu_a1_cooling_hysteresis: test_mcu_a1_cooling_hysteresis.c
 test_mcu_a7_emergency_persist: test_mcu_a7_emergency_persist.c
 	$(CC) $(CFLAGS) $< -o $@
 
+test_mcu_a5_pa_cal_gate: test_mcu_a5_pa_cal_gate.c
+	$(CC) $(CFLAGS) $< -o $@
+
 # Gap-3 safety tests -- mock-only (needs spy log for GPIO sequence)
 test_gap3_emergency_stop_rails: test_gap3_emergency_stop_rails.c $(MOCK_OBJS)
 	$(CC) $(CFLAGS) $(INCLUDES) $< $(MOCK_OBJS) -o $@

9_Firmware/9_1_Microcontroller/tests/test_mcu_a5_pa_cal_gate.c

@@ -0,0 +1,113 @@
+/*******************************************************************************
+ * test_mcu_a5_pa_cal_gate.c
+ *
+ * MCU-A5: the boot-time PA Idq calibration walks DAC_val from 126 down,
+ * so mid-walk Idq readings sit well above the 2.5 A overcurrent threshold
+ * by design. A channel that hits the safety-counter timeout (50 iters) can
+ * also be left above the window. Without a "calibration in progress" gate,
+ * the next checkSystemHealth() pass would trip ERROR_RF_PA_OVERCURRENT and
+ * Emergency_Stop the whole system.
+ *
+ * Production fix adds a `pa_calibration_in_progress` flag set TRUE around
+ * the cal walks and consulted by checkSystemHealth's Idq window. This test
+ * replays the walk + post-cal completion path against the gated check and
+ * asserts:
+ *   - mid-walk overcurrent readings do NOT trip while the gate is set
+ *   - bias-low readings do NOT trip while the gate is set
+ *   - same readings DO trip once the gate is cleared
+ *   - converged-in-window readings pass either way
+ ******************************************************************************/
+#include <assert.h>
+#include <stdbool.h>
+#include <stdio.h>
+
+typedef enum {
+    ERR_NONE,
+    ERR_OVERCURRENT,
+    ERR_BIAS,
+} Err_t;
+
+/* Replays the post-fix gated Idq window from main.cpp:checkSystemHealth */
+static Err_t check_idq(const float idq[16], bool power_amplifier, bool cal_in_progress)
+{
+    if (!power_amplifier || cal_in_progress) return ERR_NONE;
+    for (int i = 0; i < 16; i++) {
+        if (idq[i] > 2.5f) return ERR_OVERCURRENT;
+        if (idq[i] < 0.1f) return ERR_BIAS;
+    }
+    return ERR_NONE;
+}
+
+int main(void)
+{
+    printf("=== MCU-A5: PA-cal gate suppresses Idq window during walk ===\n");
+
+    /* Mid-walk: every channel sitting at the DAC=126 starting current
+     * (~3.5 A typical for the QPA2962 family). */
+    float idq_midwalk[16];
+    for (int i = 0; i < 16; i++) idq_midwalk[i] = 3.5f;
+
+    /* Converged: every channel at the 1.680 A target (well inside window). */
+    float idq_converged[16];
+    for (int i = 0; i < 16; i++) idq_converged[i] = 1.680f;
+
+    /* Mixed: ch5 left high by safety_counter timeout, others converged. */
+    float idq_stuck_high[16];
+    for (int i = 0; i < 16; i++) idq_stuck_high[i] = 1.680f;
+    idq_stuck_high[5] = 2.85f;
+
+    /* Bias fault: ch9 at 0.05 A (below 0.1 A floor). */
+    float idq_bias_fault[16];
+    for (int i = 0; i < 16; i++) idq_bias_fault[i] = 1.680f;
+    idq_bias_fault[9] = 0.05f;
+
+    /* 1. Mid-walk readings while cal IS in progress -> no trip. */
+    printf("  Test 1: mid-walk 3.5 A with cal gate SET ... ");
+    assert(check_idq(idq_midwalk, true, true) == ERR_NONE);
+    printf("ERR_NONE, PASS\n");
+
+    /* 2. Same readings with cal gate CLEARED -> overcurrent. */
+    printf("  Test 2: mid-walk 3.5 A with cal gate CLEAR ... ");
+    assert(check_idq(idq_midwalk, true, false) == ERR_OVERCURRENT);
+    printf("ERR_OVERCURRENT, PASS\n");
+
+    /* 3. Converged readings -> no trip whether gate is set or clear. */
+    printf("  Test 3: converged 1.68 A regardless of gate ... ");
+    assert(check_idq(idq_converged, true, true)  == ERR_NONE);
+    assert(check_idq(idq_converged, true, false) == ERR_NONE);
+    printf("ERR_NONE both, PASS\n");
+
+    /* 4. Stuck-high channel after cal completes (gate clears) MUST trip
+     * — this is exactly the "advisory surfaces post-cal" behaviour the
+     * fix preserves. */
+    printf("  Test 4: ch5 stuck high 2.85 A surfaces post-cal ... ");
+    assert(check_idq(idq_stuck_high, true, true)  == ERR_NONE);
+    assert(check_idq(idq_stuck_high, true, false) == ERR_OVERCURRENT);
+    printf("masked during cal, trips after, PASS\n");
+
+    /* 5. Bias fault is also gated during cal (early walk reads can dip
+     * low) and surfaces after. */
+    printf("  Test 5: ch9 bias 0.05 A surfaces post-cal ... ");
+    assert(check_idq(idq_bias_fault, true, true)  == ERR_NONE);
+    assert(check_idq(idq_bias_fault, true, false) == ERR_BIAS);
+    printf("masked during cal, trips after, PASS\n");
+
+    /* 6. PA disabled -> no trip whether or not gate is set (preserves
+     * existing PowerAmplifier guard). */
+    printf("  Test 6: PowerAmplifier=false short-circuits check ... ");
+    assert(check_idq(idq_midwalk, false, false) == ERR_NONE);
+    assert(check_idq(idq_midwalk, false, true)  == ERR_NONE);
+    printf("ERR_NONE, PASS\n");
+
+    /* 7. Pre-fix regression — the buggy path had no gate parameter. With
+     * mid-walk readings of 3.5 A it would unconditionally trip
+     * ERR_OVERCURRENT mid-cal, leading to Emergency_Stop. Fix prevents
+     * by allowing cal_in_progress=true to mask. */
+    printf("  Test 7: pre-fix would have tripped mid-walk ... ");
+    /* "pre-fix" === call with cal_in_progress=false during the walk */
+    assert(check_idq(idq_midwalk, true, false) == ERR_OVERCURRENT);
+    printf("buggy path = trip, fixed path masks, PASS\n");
+
+    printf("\n=== MCU-A5: ALL TESTS PASSED ===\n\n");
+    return 0;
+}