[AZ-263] Bootstrap: repo skeleton + Docker + CI + Alembic + Tier-1 tests

Implements the AZ-263 / E-BOOT initial structure task:

- Python src/-layout package `gps_denied_onboard/` with per-component
  interface stubs (14 components), type-only DTOs under `_types/`,
  shared helpers under `helpers/` (R14 LightGlue ownership), structured
  JSON logging, runtime composition root with env-var fail-fast gate,
  healthcheck module shared by Docker and CI smoke.
- CMake top-level + `cmake/{build_options,dependencies,strategies}.cmake`
  with the BUILD_* per-binary flags (ADR-002) and pinned external git
  refs for OKVIS2 / VINS-Mono / GTSAM / FAISS / OpenCV >=4.12.0.
- Three Dockerfiles (companion-tier1, operator-tooling,
  mock-suite-sat-service) + two compose files (dev + Tier-1 test).
- Four GitHub Actions workflows: ci.yml (lint/unit/integration/dual
  binary build/SBOM diff/security), ci-tier2.yml (self-hosted Jetson
  AC-bound NFTs), release.yml, cve-rescan.yml.
- Two CI gate scripts: `ci/sbom_diff.py` (deployment SBOM subset +
  R02 exclusion), `ci/opencv_pin_gate.py` (>=4.12.0 enforcement,
  D-CROSS-CVE-1).
- Alembic-driven Postgres 16 initial migration `0001_initial.py`
  mirroring satellite-provider tiles + flights + sector_classifications
  + manifests + engine_cache_entries (data_model.md s 2).
- Tier-1 test scaffolding: 95 passing unit tests covering every AC,
  per-component smoke tests, structured logging JSON output check,
  env-var gate check, healthcheck import check. Two CI-gated tests
  (cmake configure, actionlint) skip locally with explicit reasons.
- Batch report + code review report under `_docs/03_implementation/`.

Verdict: PASS_WITH_WARNINGS (two Low findings, both informational).
Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/03_implementation/batch_01_cycle1_report.md

@@ -0,0 +1,60 @@
+# Batch Report
+
+**Batch**: 1
+**Tasks**: AZ-263 (Initial Structure)
+**Date**: 2026-05-11
+**Cycle**: 1
+
+## Task Results
+
+| Task | Status | Files Modified | Tests | AC Coverage | Issues |
+|------|--------|---------------|-------|-------------|--------|
+| AZ-263_initial_structure | Done | ~150 files added (src/, cpp/, docker/, .github/workflows/, ci/, db/, tests/, cmake/, scripts/, top-level config) | 95 passed / 2 env-skipped | 10/10 ACs covered | None blocking |
+
+## AC Test Coverage: All covered
+
+| AC | Test |
+|----|------|
+| AC-1 | `tests/unit/test_ac1_scaffold_layout.py` |
+| AC-2 | `tests/unit/test_types_importable.py` |
+| AC-3 | `tests/unit/test_ac3_compose_files.py` |
+| AC-4 | `tests/unit/test_ac4_workflows.py` |
+| AC-5 | `tests/unit/test_ac5_alembic.py` |
+| AC-6 | `tests/unit/test_healthcheck.py` |
+| AC-7 | `tests/unit/test_logging_smoke.py` |
+| AC-8 | `tests/unit/test_runtime_root_env_gate.py` |
+| AC-9 | `tests/unit/c{1..13}*/test_smoke.py` (14 components) |
+| AC-10 | `tests/unit/test_ac10_ci_gates.py` |
+
+## Code Review Verdict: PASS_WITH_WARNINGS
+
+Report: `_docs/03_implementation/reviews/batch_01_review.md`
+
+Two Low-severity findings, both informational:
+- F1 (Low / Security): plaintext dev DB password in compose — acceptable, dev-only.
+- F2 (Low / Maintainability): CMake configure test gated on `cmake` on PATH — CI installs it.
+
+## Auto-Fix Attempts: 0
+
+(No FAIL verdict; auto-fix not triggered.)
+
+## Stuck Agents: None
+
+## Tracker
+
+- AZ-263 transitioned: In Progress → In Testing (after commit, before next batch).
+
+## Commit
+
+To be created with subject:
+`[AZ-263] Bootstrap: repo skeleton + Docker + CI + Alembic + Tier-1 tests`
+
+## Next Batch
+
+Batch 2 will pull tasks whose dependencies are now satisfied by AZ-263. Per `_docs/02_tasks/_dependencies_table.md`, the first wave of unblocked tasks is the cross-cutting epic foundation:
+- AZ-266 (E-CC-LOG: log_module)
+- AZ-269 (E-CC-CONF: config_loader)
+- AZ-272 (FDR record schema)
+- AZ-276..AZ-283 (shared helpers)
+
+Capped at 4 tasks for review scope (per `/implement` § 3); the exact selection happens at batch-2 entry once the dependency graph is re-checked.