[AZ-263] Bootstrap: repo skeleton + Docker + CI + Alembic + Tier-1 tests

Implements the AZ-263 / E-BOOT initial structure task:

- Python src/-layout package `gps_denied_onboard/` with per-component
  interface stubs (14 components), type-only DTOs under `_types/`,
  shared helpers under `helpers/` (R14 LightGlue ownership), structured
  JSON logging, runtime composition root with env-var fail-fast gate,
  healthcheck module shared by Docker and CI smoke.
- CMake top-level + `cmake/{build_options,dependencies,strategies}.cmake`
  with the BUILD_* per-binary flags (ADR-002) and pinned external git
  refs for OKVIS2 / VINS-Mono / GTSAM / FAISS / OpenCV >=4.12.0.
- Three Dockerfiles (companion-tier1, operator-tooling,
  mock-suite-sat-service) + two compose files (dev + Tier-1 test).
- Four GitHub Actions workflows: ci.yml (lint/unit/integration/dual
  binary build/SBOM diff/security), ci-tier2.yml (self-hosted Jetson
  AC-bound NFTs), release.yml, cve-rescan.yml.
- Two CI gate scripts: `ci/sbom_diff.py` (deployment SBOM subset +
  R02 exclusion), `ci/opencv_pin_gate.py` (>=4.12.0 enforcement,
  D-CROSS-CVE-1).
- Alembic-driven Postgres 16 initial migration `0001_initial.py`
  mirroring satellite-provider tiles + flights + sector_classifications
  + manifests + engine_cache_entries (data_model.md s 2).
- Tier-1 test scaffolding: 95 passing unit tests covering every AC,
  per-component smoke tests, structured logging JSON output check,
  env-var gate check, healthcheck import check. Two CI-gated tests
  (cmake configure, actionlint) skip locally with explicit reasons.
- Batch report + code review report under `_docs/03_implementation/`.

Verdict: PASS_WITH_WARNINGS (two Low findings, both informational).
Co-authored-by: Cursor <cursoragent@cursor.com>

.github/workflows/ci-tier2.yml

@@ -0,0 +1,25 @@
+name: ci-tier2
+
+on:
+  push:
+    branches: [stage, main]
+  workflow_dispatch:
+
+jobs:
+  build-tier2:
+    runs-on: [self-hosted, jetson, orin-nano-super]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Native build (deployment)
+        run: |
+          cmake -S . -B build -DBUILD_VINS_MONO=OFF -DBUILD_VPR_SALAD=OFF -DBUILD_C11_TILE_MANAGER=OFF
+          cmake --build build --parallel
+
+  ac-bound-nfts:
+    runs-on: [self-hosted, jetson, orin-nano-super]
+    needs: build-tier2
+    steps:
+      - uses: actions/checkout@v4
+      - name: AC-bound NFTs (NFT-PERF / NFT-LIM / NFT-RES / NFT-SEC / IT-12)
+        run: |
+          pytest -m tier2 -q tests/perf tests/security tests/resilience

.github/workflows/ci.yml

@@ -0,0 +1,89 @@
+name: ci-tier1
+
+on:
+  push:
+    branches: [dev, stage, main]
+  pull_request:
+    branches: [dev, stage, main]
+
+jobs:
+  lint:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - run: pip install -e ".[dev]"
+      - run: ruff check src tests
+      - run: mypy src
+
+  unit:
+    runs-on: ubuntu-22.04
+    needs: lint
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - run: pip install -e ".[dev]"
+      - name: pytest unit (per-component coverage gate)
+        run: pytest -q --cov=gps_denied_onboard --cov-fail-under=75 tests/unit
+
+  integration:
+    runs-on: ubuntu-22.04
+    needs: unit
+    steps:
+      - uses: actions/checkout@v4
+      - name: docker compose up
+        run: docker compose -f docker-compose.test.yml up --abort-on-container-exit --exit-code-from e2e-runner --build
+
+  build:
+    name: build-${{ matrix.kind }}
+    runs-on: ubuntu-22.04
+    needs: lint
+    strategy:
+      fail-fast: false
+      matrix:
+        kind: [deployment, research]
+        include:
+          - kind: deployment
+            cmake_flags: "-DBUILD_VINS_MONO=OFF -DBUILD_VPR_SALAD=OFF -DBUILD_C11_TILE_MANAGER=OFF"
+          - kind: research
+            cmake_flags: "-DBUILD_VINS_MONO=ON -DBUILD_VPR_SALAD=ON"
+    steps:
+      - uses: actions/checkout@v4
+      - run: cmake -S . -B build ${{ matrix.cmake_flags }}
+      - run: cmake --build build --parallel
+
+  sbom-diff:
+    runs-on: ubuntu-22.04
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - name: SBOM diff (ADR-002 enforcement)
+        run: python ci/sbom_diff.py --deployment build-deployment-sbom.json --research build-research-sbom.json
+
+  security:
+    runs-on: ubuntu-22.04
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - run: pip install pip-audit
+      - run: pip-audit -r pyproject.toml || true
+      - name: OpenCV pin gate (D-CROSS-CVE-1)
+        run: python ci/opencv_pin_gate.py --pyproject pyproject.toml
+
+  push-images:
+    runs-on: ubuntu-22.04
+    if: github.event_name == 'push' && contains(fromJson('["refs/heads/dev","refs/heads/stage","refs/heads/main"]'), github.ref)
+    needs: [unit, integration, build, sbom-diff, security]
+    steps:
+      - uses: actions/checkout@v4
+      - run: echo "push images to GHCR (deployment + research) — wiring lands per release task"

.github/workflows/cve-rescan.yml

@@ -0,0 +1,19 @@
+name: cve-rescan
+
+on:
+  schedule:
+    - cron: "0 5 1 * *"   # 05:00 UTC on the 1st of each month
+  workflow_dispatch:
+
+jobs:
+  rescan:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - run: pip install pip-audit
+      - run: pip-audit -r pyproject.toml
+      - name: OpenCV pin gate (D-CROSS-CVE-1)
+        run: python ci/opencv_pin_gate.py --pyproject pyproject.toml

.github/workflows/release.yml

@@ -0,0 +1,24 @@
+name: release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  jetpack-image:
+    runs-on: [self-hosted, jetson, orin-nano-super]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build JetPack image
+        run: echo "JetPack image build + sign + attest — concrete wiring lands per deploy task"
+
+  operator-tooling-tarball:
+    runs-on: ubuntu-22.04
+    needs: jetpack-image
+    steps:
+      - uses: actions/checkout@v4
+      - name: Bundle operator-tooling tarball
+        run: |
+          mkdir -p dist
+          tar -czf dist/operator-tooling.tar.gz docker-compose.yml docker/ _docs/