[AZ-329] [AZ-330] [AZ-523] [AZ-524] Batch 44 atomic refactor

Implements two new C12 services and rebalances the C11/C12 boundary
in one atomic commit:

* AZ-329 PostLandingUploadOrchestrator — gates C11 upload on the
  `flight_footer` FDR record's `clean_shutdown` field; 4 refusal
  modes; new FdrFooterReader Protocol + LocalFdrFooterReader.
* AZ-330 OperatorReLocService — AC-3.4 visual-loss re-localization
  hint; reuses shared LatLonAlt; OperatorCommandTransport Protocol
  cut (E-C8 owns the future pymavlink concrete); new FDR record
  kind `c12.reloc.requested`; log redaction (lat/lon 5 decimals,
  reason 200 chars).
* AZ-523 C11 internal flight-state gate removed (SRP refactor):
  `confirm_flight_state` / `FlightStateSignal` use /
  `FlightStateNotOnGroundError` deleted from C11; TileUploader
  contract bumped to v2.0.0 (frozen) with migration note; AZ-317
  superseded.
* AZ-524 Package rename `c12_operator_tooling` →
  `c12_operator_orchestrator` across source, tests, pyproject,
  CMake, Dockerfile, compose, CI, runtime-root services class
  (`OperatorOrchestratorServices`) + factory function
  (`build_operator_orchestrator`), logger namespaces, config slug,
  docs, and the E-C12 epic title.

Tests: 1543 passed, 80 skipped (all environment gates). Targeted
AC suite (AZ-329 + AZ-330 + FdrFooterReader): 37 passed. Cold-start
NFR-perf still ≤ 500 ms p99.

Tracker: AZ-317 → Done (superseded); AZ-319 v2.0.0 contract bump
comment; AZ-329/AZ-330 → In Testing; AZ-253 epic renamed; AZ-523
+ AZ-524 created and closed as audit-trail tickets.

See `_docs/03_implementation/batch_44_cycle1_report.md`.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/02_document/deployment/deployment_procedures.md

@@ -5,12 +5,12 @@
 
 ## Deployment scope and model
 
-This project does **not** ship a service; it ships an **embedded edge image** plus an **operator-tooling bundle**. The "deployment" patterns from the standard template (blue-green / rolling / canary) are not applicable. Deployment for this project means:
+This project does **not** ship a service; it ships an **embedded edge image** plus an **operator-orchestrator bundle**. The "deployment" patterns from the standard template (blue-green / rolling / canary) are not applicable. Deployment for this project means:
 
 | Artifact | Target | Deployment mechanism |
 |---|---|---|
 | **JetPack image** (`gps-denied-jetpack-<semver>-<sha>.img`) | Production Jetson Orin Nano Super on a UAV | Operator flashes the image onto the Jetson via NVIDIA `sdkmanager` or `Etcher`-style `dd` from the operator workstation |
-| **Operator tooling tarball** | Operator workstation | Operator extracts; `docker compose up -d` brings up `mock-suite-sat-service` (when offline) + `operator-tooling` |
+| **Operator tooling tarball** | Operator workstation | Operator extracts; `docker compose up -d` brings up `mock-suite-sat-service` (when offline) + `operator-orchestrator` |
 | **Tier-1 dev compose** | Developer workstation | Developer runs `docker compose up` from repo root |
 
 **Zero-downtime is not a goal**: a UAV is not in service while it is being re-flashed. The deployment cadence is per-airframe maintenance, not per-request availability.
@@ -25,9 +25,9 @@ Performed once per release on Tier-1 + Tier-2 CI; produces signed artifacts stor
 2. **Tier-1 produces**:
    - `companion-tier1:deployment-<sha>` and `companion-tier1:research-<sha>` Docker images (pushed to registry).
    - `mock-suite-sat-service:<sha>` Docker image.
-   - `operator-tooling:<sha>` Docker image.
+   - `operator-orchestrator:<sha>` Docker image.
    - SBOM artifacts for both binaries (deployment and research).
-   - `operator-tooling-<semver>-<sha>.tar.gz` containing the operator-tooling image + mock-sat image + their compose file + verification script + relevant docs.
+   - `operator-orchestrator-<semver>-<sha>.tar.gz` containing the operator-orchestrator image + mock-sat image + their compose file + verification script + relevant docs.
 3. **Tier-2 produces**:
    - Native deployment-binary build on the self-hosted Jetson runner.
    - SBOM verification: byte-equal (after canonicalization) to Tier-1's deployment-binary SBOM. Mismatch fails the release.
@@ -35,7 +35,7 @@ Performed once per release on Tier-1 + Tier-2 CI; produces signed artifacts stor
 4. **Signing** (Tier-1):
    - Both Docker image manifests are signed with the project's release key.
    - The JetPack image is signed; checksum is published as a separate signed file (`gps-denied-jetpack-<semver>-<sha>.img.sha256.sig`).
-   - The operator-tooling tarball is signed.
+   - The operator-orchestrator tarball is signed.
 5. **Release bucket**: artifacts uploaded; release notes published; the previous release's artifacts retained for at least 90 days for rollback support.
 
 A release fails if any step above fails — including any AC-bound NFT failure on Tier-2 (`ci_cd_pipeline.md` § AC-bound NFTs).
@@ -85,19 +85,19 @@ cosign verify-blob \
 
 sha256sum -c gps-denied-jetpack-<semver>-<sha>.img.sha256
 
-# Verify the operator-tooling tarball.
+# Verify the operator-orchestrator tarball.
 cosign verify-blob \
-  --signature operator-tooling-<semver>-<sha>.tar.gz.sig \
+  --signature operator-orchestrator-<semver>-<sha>.tar.gz.sig \
   --key gps-denied-release-key.pub \
-  operator-tooling-<semver>-<sha>.tar.gz
+  operator-orchestrator-<semver>-<sha>.tar.gz
 ```
 
-### 3. Pre-flight cache build (operator-tooling C12)
+### 3. Pre-flight cache build (operator-orchestrator C12)
 
 Performed on the operator workstation, with `satellite-provider` reachable (locally mirrored or via lab VPN).
 
 ```sh
-docker compose -f operator-tooling-compose.yml up -d
+docker compose -f operator-orchestrator-compose.yml up -d
 # Operator opens http://127.0.0.1:8080
 ```
 
@@ -164,7 +164,7 @@ The first flight on a freshly-deployed airframe is a **commissioning flight**, n
 
 Post first commissioning flight:
 
-- [ ] FDR retrieved and visualized on operator workstation (operator-tooling C12 dashboard, observability.md § 5.1).
+- [ ] FDR retrieved and visualized on operator workstation (operator-orchestrator C12 dashboard, observability.md § 5.1).
 - [ ] AC-NEW-4 statistics for the commissioning flight reviewed; outliers investigated.
 - [ ] No FDR segment drops; no `ContentHashGateFail` events.
 - [ ] Mid-flight tile generation working (post-landing upload — handle that separately).
@@ -172,12 +172,12 @@ Post first commissioning flight:
 
 ## Post-landing tile upload (per-flight, ADR-004)
 
-Per AC-8.4 + ADR-004, mid-flight tile upload to `satellite-provider` is **post-landing only**, and uses the operator-tooling's C11 Tile Manager (`TileUploader` interface; a separate binary, never linked into the airborne image).
+Per AC-8.4 + ADR-004, mid-flight tile upload to `satellite-provider` is **post-landing only**, and uses the operator-orchestrator's C11 Tile Manager (`TileUploader` interface; a separate binary, never linked into the airborne image).
 
 ```sh
 # Operator plugs the companion's NVM into the workstation OR ssh's into the powered-off-then-re-booted Jetson.
-docker compose run operator-tooling \
-  python -m operator_tooling.tilemanager upload \
+docker compose run operator-orchestrator \
+  python -m operator_orchestrator.tilemanager upload \
   --flight-id <uuid> \
   --satellite-provider $SATELLITE_PROVIDER_URL \
   --signing-pubkey-fingerprint <fingerprint>
@@ -210,7 +210,7 @@ When the parent-suite voting layer (D-PROJ-2 design task #2) ships, this flow do
 ### Rollback steps (per-airframe)
 
 1. **Re-flash** the previous release's JetPack image onto the affected Jetson (same procedure as § 4 with the previous artifact).
-2. **Re-stage** the previous release's pre-flight bundle (the operator workstation retains it in the operator-tooling cache for ≥ 30 days).
+2. **Re-stage** the previous release's pre-flight bundle (the operator workstation retains it in the operator-orchestrator cache for ≥ 30 days).
 3. **Re-run** the pre-takeoff readiness gate.
 4. **Confirm** AC-5.2 fallback is still functional (it is FC firmware behavior; rolling back the companion image cannot break it, but verify on the GCS).
 5. **Document** the rollback in the post-mortem template; include FDR snapshots from the offending flight (if any) plus the rollback artifacts versions.