[AZ-263] Bootstrap: repo skeleton + Docker + CI + Alembic + Tier-1 tests

Implements the AZ-263 / E-BOOT initial structure task:

- Python src/-layout package `gps_denied_onboard/` with per-component
  interface stubs (14 components), type-only DTOs under `_types/`,
  shared helpers under `helpers/` (R14 LightGlue ownership), structured
  JSON logging, runtime composition root with env-var fail-fast gate,
  healthcheck module shared by Docker and CI smoke.
- CMake top-level + `cmake/{build_options,dependencies,strategies}.cmake`
  with the BUILD_* per-binary flags (ADR-002) and pinned external git
  refs for OKVIS2 / VINS-Mono / GTSAM / FAISS / OpenCV >=4.12.0.
- Three Dockerfiles (companion-tier1, operator-tooling,
  mock-suite-sat-service) + two compose files (dev + Tier-1 test).
- Four GitHub Actions workflows: ci.yml (lint/unit/integration/dual
  binary build/SBOM diff/security), ci-tier2.yml (self-hosted Jetson
  AC-bound NFTs), release.yml, cve-rescan.yml.
- Two CI gate scripts: `ci/sbom_diff.py` (deployment SBOM subset +
  R02 exclusion), `ci/opencv_pin_gate.py` (>=4.12.0 enforcement,
  D-CROSS-CVE-1).
- Alembic-driven Postgres 16 initial migration `0001_initial.py`
  mirroring satellite-provider tiles + flights + sector_classifications
  + manifests + engine_cache_entries (data_model.md s 2).
- Tier-1 test scaffolding: 95 passing unit tests covering every AC,
  per-component smoke tests, structured logging JSON output check,
  env-var gate check, healthcheck import check. Two CI-gated tests
  (cmake configure, actionlint) skip locally with explicit reasons.
- Batch report + code review report under `_docs/03_implementation/`.

Verdict: PASS_WITH_WARNINGS (two Low findings, both informational).
Co-authored-by: Cursor <cursoragent@cursor.com>

pyproject.toml

@@ -0,0 +1,100 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "gps-denied-onboard"
+version = "0.1.0"
+description = "Companion onboard system for GPS-denied UAV navigation"
+readme = "README.md"
+requires-python = ">=3.10,<3.12"
+license = {text = "Proprietary"}
+authors = [{name = "AZAION onboard team"}]
+
+dependencies = [
+    "numpy>=1.26,<2.0",
+    "scipy>=1.11,<2.0",
+    "pyyaml>=6.0",
+    "pydantic>=2.5,<3.0",
+    # OpenCV pin gate enforces >= 4.12.0 (D-CROSS-CVE-1)
+    "opencv-python>=4.12.0",
+    "psycopg[binary]>=3.1",
+    "sqlalchemy>=2.0",
+    "alembic>=1.13",
+    "pymavlink>=2.4",
+    "requests>=2.31",
+    "structlog>=24.1",
+    "click>=8.1",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=7.4",
+    "pytest-cov>=4.1",
+    "pytest-asyncio>=0.23",
+    "ruff>=0.4",
+    "mypy>=1.8",
+    "types-PyYAML",
+    "types-requests",
+]
+inference = [
+    "torch>=2.2",
+    "torchvision>=0.17",
+    "onnxruntime>=1.17",
+    # tensorrt is installed out-of-band on Jetson — not a pip dep
+]
+indexing = [
+    "faiss-cpu>=1.7",
+]
+
+[project.scripts]
+gps-denied-replay = "gps_denied_onboard.cli.replay:main"
+
+[tool.setuptools]
+package-dir = {"" = "src"}
+
+[tool.setuptools.packages.find]
+where = ["src"]
+include = ["gps_denied_onboard*"]
+
+[tool.pytest.ini_options]
+minversion = "7.0"
+testpaths = ["tests"]
+pythonpath = ["src"]
+addopts = [
+    "--strict-markers",
+    "-ra",
+]
+markers = [
+    "tier2: tests that require Jetson hardware (auto-skipped on Tier-1)",
+    "gpu: tests that require an NVIDIA GPU",
+    "docker: tests that require Docker compose services",
+    "ardupilot_sitl: tests that require ArduPilot SITL container",
+    "slow: tests slower than ~5s",
+]
+
+[tool.coverage.run]
+source = ["src/gps_denied_onboard"]
+branch = true
+
+[tool.coverage.report]
+show_missing = true
+skip_covered = false
+
+[tool.ruff]
+line-length = 100
+target-version = "py310"
+src = ["src", "tests"]
+
+[tool.ruff.lint]
+select = ["E", "F", "W", "I", "B", "UP", "RUF"]
+ignore = ["E501"]
+
+[tool.mypy]
+python_version = "3.10"
+strict = true
+warn_unused_ignores = true
+warn_return_any = true
+ignore_missing_imports = true
+mypy_path = "src"
+packages = ["gps_denied_onboard"]