[AZ-291] [AZ-292] [AZ-293] C13 FDR writer chain (batch 6)

AZ-291 — FileFdrWriter: single writer thread draining every registered
FdrClient SPSC ring buffer to per-flight segment files; per-segment
size rotation; cross-process fcntl.flock filelock on flight_root;
ENOSPC degraded mode with rate-capped ERROR logs and one GCS alert.

AZ-292 — FlightHeader/FlightFooter dataclasses + open_flight /
close_flight lifecycle methods; four per-flight monotonic counters
(records_written, records_dropped_overrun, bytes_written,
rollover_count) reported by the footer; flight_id mismatch and
close-without-open are typed errors.

AZ-293 — CapacityCapPolicy (post-rotation hook): walks the flight
directory, drops the oldest CLOSED segment when total > cap (default
64 GiB), emits a kind="segment_rollover" record per drop. Never drops
the currently-open segment or segment 0 alone; cap_misconfigured path
logs ERROR + GCS alert. No config flag disables emission (C13-ST-01).

Schema: bumped fdr_record_schema flight_header / flight_footer payload
key sets to match the AZ-292 task spec (effective 1.0.0 -> 1.1.0; no
prior producer); KNOWN_PAYLOAD_KEYS updated. Added FdrWriterConfig
nested in FdrConfig (segment_size_bytes, batch_size, flight_cap_bytes,
debug_log_per_record).

Tests: 29 new unit tests (8 AC + 1 invariant per task); full suite
323 passed, 2 pre-existing skips, 0 regressions.

Co-authored-by: Cursor <cursoragent@cursor.com>

src/gps_denied_onboard/config/__init__.py

@@ -5,6 +5,7 @@ from gps_denied_onboard.config.schema import (
     Config,
     ConfigError,
     FdrConfig,
+    FdrWriterConfig,
     LogConfig,
     RequiredFieldMissingError,
     RuntimeConfig,
@@ -16,6 +17,7 @@ __all__ = [
     "Config",
     "ConfigError",
     "FdrConfig",
+    "FdrWriterConfig",
     "LogConfig",
     "RequiredFieldMissingError",
     "RuntimeConfig",

src/gps_denied_onboard/config/schema.py

@@ -18,6 +18,7 @@ __all__ = [
     "Config",
     "ConfigError",
     "FdrConfig",
+    "FdrWriterConfig",
     "LogConfig",
     "RequiredFieldMissingError",
     "RuntimeConfig",
@@ -46,6 +47,32 @@ class LogConfig:
     sink: str = "console"
 
 
+@dataclass(frozen=True)
+class FdrWriterConfig:
+    """C13 writer-thread block (E-C13 / AZ-291..AZ-296).
+
+    ``segment_size_bytes`` controls per-segment rotation; the writer
+    closes the current segment and opens the next once a record's
+    serialised size would push the segment past this cap.
+
+    ``batch_size`` bounds the per-producer ``drain(max_records=N)`` call
+    so one slow producer cannot starve others.
+
+    ``flight_cap_bytes`` is the AC-NEW-3 per-flight cap (default 64 GiB
+    exactly). Lowered in tests to exercise the cap policy on small
+    fixtures. There is no flag that disables cap enforcement (verified
+    by C13-ST-01).
+
+    ``debug_log_per_record`` enables a per-record DEBUG log line —
+    OFF by default because a 100 Hz aggregate would flood logs.
+    """
+
+    segment_size_bytes: int = 64 * 1024 * 1024
+    batch_size: int = 64
+    flight_cap_bytes: int = 64 * 1024**3
+    debug_log_per_record: bool = False
+
+
 @dataclass(frozen=True)
 class FdrConfig:
     """Cross-cutting Flight Data Recorder block (E-CC-FDR-CLIENT / AZ-247).
@@ -54,12 +81,15 @@ class FdrConfig:
     ``per_producer_capacity`` carries per-producer overrides keyed by
     producer slug (consumed by AZ-273 ``make_fdr_client``); blocks
     that omit a producer fall back to ``queue_size``.
+
+    ``writer`` is the C13 writer-thread sub-block (AZ-291..AZ-296).
     """
 
     queue_size: int = 4096
     overrun_policy: str = "drop_oldest"
     path: str = "/var/lib/gps-denied/fdr"
     per_producer_capacity: Mapping[str, int] = field(default_factory=dict)
+    writer: FdrWriterConfig = field(default_factory=FdrWriterConfig)
 
 
 @dataclass(frozen=True)