[AZ-232] Add safety anchor state machine

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/03_implementation/batch_09_cycle1_report.md

@@ -0,0 +1,36 @@
+# Batch Report
+
+**Batch**: 9
+**Tasks**: AZ-232_safety_anchor_state_machine
+**Date**: 2026-05-03
+
+## Task Results
+
+| Task | Status | Files Modified | Tests | AC Coverage | Issues |
+|------|--------|----------------|-------|-------------|--------|
+| AZ-232_safety_anchor_state_machine | Done | 4 files | Pass | 4/4 ACs covered | None |
+
+## AC Test Coverage: All covered
+
+| AC Ref | Coverage |
+|--------|----------|
+| AZ-232 AC-1 | `test_vio_state_updates_position_estimate_with_honest_covariance` verifies VIO updates emit source-labelled estimates with honest covariance. |
+| AZ-232 AC-2 | `test_accepted_anchor_corrects_state_and_records_evidence` verifies accepted anchors promote `satellite_anchored` state and record evidence. |
+| AZ-232 AC-3 | `test_blackout_degrades_then_reaches_no_fix_with_monotonic_covariance` verifies monotonic covariance growth and no-fix semantics. |
+| AZ-232 AC-4 | `test_tile_write_eligibility_requires_trusted_low_covariance_pose` verifies conservative tile-write eligibility. |
+
+## Code Review Verdict: PASS
+
+Review report: `_docs/03_implementation/reviews/batch_09_review.md`
+
+## Auto-Fix Attempts: 0
+
+## Stuck Agents: None
+
+## Verification
+
+- `.venv/bin/python -m black --check src tests e2e/replay` passed.
+- `.venv/bin/python -m ruff check src tests e2e/replay` passed.
+- `.venv/bin/python -m pytest` passed: 49 tests.
+
+## Next Batch: All tasks complete

_docs/03_implementation/reviews/batch_09_review.md

@@ -0,0 +1,54 @@
+# Code Review Report
+
+**Batch**: AZ-232_safety_anchor_state_machine
+**Date**: 2026-05-03
+**Verdict**: PASS
+
+## Findings
+
+No findings.
+
+## Review Scope
+
+- Task spec:
+  - `_docs/02_tasks/todo/AZ-232_safety_anchor_state_machine.md`
+- Changed files:
+  - `src/safety_anchor_wrapper/__init__.py`
+  - `src/safety_anchor_wrapper/interfaces.py`
+  - `src/safety_anchor_wrapper/types.py`
+  - `tests/unit/test_safety_anchor_wrapper.py`
+
+## Phase Notes
+
+### Spec Compliance
+
+- AZ-232 AC-1 is covered by `test_vio_state_updates_position_estimate_with_honest_covariance`.
+- AZ-232 AC-2 is covered by `test_accepted_anchor_corrects_state_and_records_evidence`.
+- AZ-232 AC-3 is covered by `test_blackout_degrades_then_reaches_no_fix_with_monotonic_covariance`.
+- AZ-232 AC-4 is covered by `test_tile_write_eligibility_requires_trusted_low_covariance_pose`.
+
+### Code Quality
+
+The safety wrapper owns source-label, covariance, anchor-promotion, degraded-mode, and tile-eligibility decisions without reaching into VIO, Anchor Verification, MAVLink transport, or Tile Manager internals.
+
+### Security Quick-Scan
+
+No network calls, shell execution, dynamic code execution, hardcoded secrets, or credential logging were introduced.
+
+### Performance Scan
+
+State transitions are constant-time and operate on typed DTOs. No per-frame heavy retrieval or matching work was introduced.
+
+### Cross-Task Consistency
+
+The wrapper consumes `VioStatePacket` and `AnchorDecision` outputs from previous batches and emits shared `PositionEstimate` DTOs for MAVLink/GCS integration.
+
+### Architecture Compliance
+
+Imports respect `_docs/02_document/module-layout.md`: Safety And Anchor Wrapper imports shared contracts and does not call Tile Manager directly during anchor acceptance.
+
+## Verification
+
+- `.venv/bin/python -m black --check src tests e2e/replay`
+- `.venv/bin/python -m ruff check src tests e2e/replay`
+- `.venv/bin/python -m pytest`

_docs/_autodev_state.md

@@ -9,6 +9,6 @@ tracker: jira
 sub_step:
   phase: 1
   name: batch-loop
-  detail: "batch 8: AZ-231_anchor_verification_matching"
+  detail: "batch 9: AZ-232_safety_anchor_state_machine"
 retry_count: 0
 cycle: 1