[AZ-263] Bootstrap: repo skeleton + Docker + CI + Alembic + Tier-1 tests

Implements the AZ-263 / E-BOOT initial structure task:

- Python src/-layout package `gps_denied_onboard/` with per-component
  interface stubs (14 components), type-only DTOs under `_types/`,
  shared helpers under `helpers/` (R14 LightGlue ownership), structured
  JSON logging, runtime composition root with env-var fail-fast gate,
  healthcheck module shared by Docker and CI smoke.
- CMake top-level + `cmake/{build_options,dependencies,strategies}.cmake`
  with the BUILD_* per-binary flags (ADR-002) and pinned external git
  refs for OKVIS2 / VINS-Mono / GTSAM / FAISS / OpenCV >=4.12.0.
- Three Dockerfiles (companion-tier1, operator-tooling,
  mock-suite-sat-service) + two compose files (dev + Tier-1 test).
- Four GitHub Actions workflows: ci.yml (lint/unit/integration/dual
  binary build/SBOM diff/security), ci-tier2.yml (self-hosted Jetson
  AC-bound NFTs), release.yml, cve-rescan.yml.
- Two CI gate scripts: `ci/sbom_diff.py` (deployment SBOM subset +
  R02 exclusion), `ci/opencv_pin_gate.py` (>=4.12.0 enforcement,
  D-CROSS-CVE-1).
- Alembic-driven Postgres 16 initial migration `0001_initial.py`
  mirroring satellite-provider tiles + flights + sector_classifications
  + manifests + engine_cache_entries (data_model.md s 2).
- Tier-1 test scaffolding: 95 passing unit tests covering every AC,
  per-component smoke tests, structured logging JSON output check,
  env-var gate check, healthcheck import check. Two CI-gated tests
  (cmake configure, actionlint) skip locally with explicit reasons.
- Batch report + code review report under `_docs/03_implementation/`.

Verdict: PASS_WITH_WARNINGS (two Low findings, both informational).
Co-authored-by: Cursor <cursoragent@cursor.com>

docker/companion-tier1.Dockerfile

@@ -0,0 +1,55 @@
+# Tier-1 companion image — multi-stage.
+#
+# Per `_docs/02_document/deployment/containerization.md` § Component Dockerfiles.
+# Concrete deps land with the consuming component tasks; bootstrap (AZ-263)
+# ships the multi-stage skeleton + healthcheck wiring.
+
+# Stage 1: system deps -------------------------------------------------------
+FROM ubuntu:22.04 AS system-deps
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        build-essential \
+        cmake \
+        git \
+        libpq-dev \
+        python3.10 \
+        python3.10-venv \
+        python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Stage 2: python deps -------------------------------------------------------
+FROM system-deps AS python-deps
+WORKDIR /opt/gps-denied
+COPY pyproject.toml ./
+RUN python3 -m venv /opt/venv \
+    && /opt/venv/bin/pip install --upgrade pip \
+    && /opt/venv/bin/pip install --no-cache-dir -e ".[dev]"
+ENV PATH="/opt/venv/bin:${PATH}"
+
+# Stage 3: native build ------------------------------------------------------
+FROM python-deps AS cpp-build
+WORKDIR /opt/gps-denied
+COPY . .
+RUN cmake -S . -B build -DBUILD_TESTING=OFF \
+    && cmake --build build --parallel
+
+# Stage 4: runtime -----------------------------------------------------------
+FROM ubuntu:22.04 AS runtime
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        python3.10 \
+        libpq5 \
+    && rm -rf /var/lib/apt/lists/*
+COPY --from=python-deps /opt/venv /opt/venv
+COPY --from=cpp-build /opt/gps-denied/build /opt/gps-denied/build
+COPY --from=cpp-build /opt/gps-denied/src /opt/gps-denied/src
+ENV PATH="/opt/venv/bin:${PATH}"
+ENV PYTHONPATH="/opt/gps-denied/src"
+WORKDIR /opt/gps-denied
+
+HEALTHCHECK --interval=10s --timeout=3s --start-period=15s --retries=3 \
+    CMD python3 -m gps_denied_onboard.healthcheck || exit 1
+
+ENTRYPOINT ["python3", "-m", "gps_denied_onboard.runtime_root"]

docker/db-init/01_seed.sql.example

@@ -0,0 +1,12 @@
+-- docker/db-init/01_seed.sql.example
+--
+-- Template only. The real seed lives under tests/fixtures/seed-db.sql and is
+-- mounted into the db service via docker-compose.test.yml when running
+-- integration tests.
+
+-- Example: insert a single googlemaps tile row so a smoke connection test
+-- can verify the schema is in place.
+-- INSERT INTO tiles (zoom_level, tile_x, tile_y, latitude, longitude,
+--                    tile_size_meters, tile_size_pixels, capture_timestamp,
+--                    source)
+-- VALUES (15, 0, 0, 50.0, 30.0, 300.0, 1024, now(), 'googlemaps');

docker/mock-suite-sat-service.Dockerfile

@@ -0,0 +1,15 @@
+# Mock satellite-provider service — bootstrap placeholder.
+#
+# The full implementation of the D-PROJ-2 ingest contract lands once the
+# parent-suite design is finalised. This image exists so docker-compose can
+# wire the dev/test stack today.
+
+FROM python:3.10-slim
+WORKDIR /app
+COPY tests/fixtures/mock-suite-sat-service/ /app/
+RUN pip install --no-cache-dir fastapi uvicorn
+
+EXPOSE 5100
+HEALTHCHECK --interval=5s --timeout=2s --retries=3 \
+    CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:5100/healthz').read()" || exit 1
+ENTRYPOINT ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "5100"]

docker/operator-tooling.Dockerfile

@@ -0,0 +1,22 @@
+# Operator-tooling image — installs C11 + C12 + healthcheck.
+# Per `_docs/02_document/deployment/containerization.md`.
+
+FROM python:3.10-slim AS runtime
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        libpq5 \
+        curl \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt/gps-denied
+COPY pyproject.toml ./
+RUN pip install --no-cache-dir -e ".[dev]"
+
+COPY src ./src
+ENV PYTHONPATH="/opt/gps-denied/src"
+
+HEALTHCHECK --interval=10s --timeout=3s --start-period=10s --retries=3 \
+    CMD python3 -m gps_denied_onboard.healthcheck || exit 1
+
+ENTRYPOINT ["python3", "-m", "gps_denied_onboard.runtime_root"]