[AZ-271] [AZ-276] [AZ-278] [AZ-282] Finish cross-cutting helpers + relax opencv pin

E-CC-HELPERS closes with the three remaining Layer-1 helpers and
E-CC-CONF closes with the env > YAML > defaults precedence test
gate. All four tickets ship with frozen public surfaces, hermetic
unit tests, and no upward (components.*) imports.

* AZ-271 — tests/unit/shared/config/test_precedence.py (5 ACs + smoke
  test + helper that names the layer in failure messages).
* AZ-282 — helpers/ransac_filter.py: static RansacFilter +
  RansacResult; cv2.setRNGSeed(0) for byte-equal determinism;
  median residual semantics pinned by contract.
* AZ-276 — helpers/imu_preintegrator.py + make_imu_preintegrator;
  GTSAM PreintegratedCombinedMeasurements; strict-monotonic ts_ns
  guard runs before any state mutation. Adjacent hygiene:
  _types/nav.py ImuSample/ImuWindow now use ts_ns:int and the
  spec-mandated ImuBias dataclass.
* AZ-278 — helpers/lightglue_runtime.py: structural R14 fix.
  LightGlueRuntime + non-blocking concurrent-access guard that
  raises rather than serialising. EngineHandle Protocol in
  _types/manifests.py + KeypointSet/CorrespondenceSet in
  _types/matching.py (Protocol surface adds approved by spec).

Dependency conflict (Finding 1, user-approved): gtsam 4.2 (PyPI) is
numpy-1.x-ABI only; opencv-python>=4.12 needs numpy>=2 at runtime.
Resolution: opencv-python pin relaxed to >=4.11.0.86,<4.12. The
D-CROSS-CVE-1 ratchet at ci/opencv_pin_gate.py is held at 4.11.0
with the original 4.12.0 floor restored once a numpy-2-compatible
gtsam wheel ships. Full replay procedure in
_docs/_process_leftovers/2026-05-11_d_cross_cve_1_opencv_pin_deferred.md.

Tests: 294 passed, 2 skipped (cmake/actionlint env-skips,
pre-existing). 43 new tests added for batch 5. Ruff check + format
clean.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/_process_leftovers/2026-05-11_d_cross_cve_1_opencv_pin_deferred.md

@@ -0,0 +1,60 @@
+# D-CROSS-CVE-1 opencv-python pin deferred — gtsam/numpy ABI block
+
+**Recorded**: 2026-05-11T02:55+03:00 (Europe/Kyiv)
+**Status**: deferred-non-user (replay when upstream gtsam wheels target numpy>=2)
+
+## What is blocked
+
+Restoring the `opencv-python>=4.12.0` pin in `pyproject.toml` that
+D-CROSS-CVE-1 originally mandated.
+
+## Why
+
+* `gtsam==4.2` is the only `gtsam` wheel published on PyPI and it is
+  built against the numpy 1.x C ABI. Importing or constructing
+  `gtsam.Pose3(...)` under numpy 2.x SEGFAULTs.
+* `opencv-python>=4.12` runtime-imports require `numpy>=2`.
+* Therefore: keeping `numpy>=1.26,<2.0` (project pin, AZ-263) AND
+  `opencv-python>=4.12` makes the project uninstallable as a working set
+  — the latest opencv-python that supports numpy 1.x is **4.11.0.86**
+  (released 2025-01-16).
+* User decision (Batch 5 of `/autodev`, 2026-05-11): keep numpy at 1.26,
+  loosen opencv to `>=4.11.0.86,<4.12`. CVE gate is recorded here as a
+  follow-up.
+
+## Payload (to be replayed when unblocked)
+
+Change `pyproject.toml`:
+
+```toml
+# opencv-python pin restored to D-CROSS-CVE-1 gate
+"opencv-python>=4.12.0",
+```
+
+Required precondition: a gtsam release (or alternative SE(3) backend)
+that publishes numpy-2-compatible wheels.
+
+## CVE exposure window
+
+opencv-python 4.11.0.86 is in the supported 4.x line and receives
+security patches as of 2025. The specific CVE(s) D-CROSS-CVE-1 cites
+should be re-validated against 4.11.0.86 by the security review team
+before this leftover is closed; if any of those CVE fixes shipped in
+4.12+ only, document them in this entry and gate the replay on the
+gtsam upgrade.
+
+## Replay procedure
+
+1. Confirm a `gtsam` package with numpy-2 wheels is on PyPI **or** swap
+   to an alternative SE(3) backend (`pin3py`, custom C++ binding, etc.)
+   that supports numpy>=2.
+2. Bump `numpy>=2.0,<3.0` and `opencv-python>=4.12.0` simultaneously
+   in `pyproject.toml`.
+3. Run the full test suite to confirm no other ABI regressions.
+4. Delete this leftover.
+
+## Owner
+
+Cross-cutting platform / E-CC-HELPERS team. Until owner is assigned,
+autodev steps that touch `pyproject.toml` pins MUST keep the relaxed
+opencv pin and reference this file.