[AZ-515] Extract C10 canonical hash helpers to shared module

Cumulative-review F1 (batches 34-36, carried into batch 37): both
manifest_verifier.py (AZ-324) and provisioner.py (AZ-325) imported
leading-underscore privates _aggregate_tile_hash + _compute_manifest_hash
from manifest_builder.py (AZ-323). The helpers encode the trust-chain
formula shared across all three components; the import shape gave
readers no static signal that a refactor would silently break two
modules.

Move the formula into c10_provisioning/_canonical_hash.py:

- TileHashRecord (moved from manifest_builder)
- aggregate_tile_hash (renamed, public)
- compute_manifest_hash (renamed, public)
- TAKEOFF_ORIGIN_DECIMALS constant (moved)

Callers updated to import directly from _canonical_hash. Bodies
unchanged; manifest hashes are byte-for-byte identical.

Tests: c10_provisioning suite 86/86 pass; full project 1370/1370 pass.
Co-authored-by: Cursor <cursoragent@cursor.com>

src/gps_denied_onboard/components/c10_provisioning/provisioner.py

@@ -40,14 +40,13 @@ Cross-component imports: this module never imports
 (``runtime_root.c10_factory.build_cache_provisioner``) wires the real
 C6 store into the same adapter the AZ-323 builder consumes.
 
-The build-identity hash formula matches AZ-323's
-``_compute_manifest_hash`` byte-for-byte; both modules import the
-canonical helper (currently a leading-underscore export from
-``manifest_builder``). Cumulative-review Finding F1 (carryover from
-batches 31–33) tracks promoting the helper to a shared
-``_build_identity`` module so AZ-323 / AZ-324 / AZ-325 share a single
-definition; that hygiene PBI is intentionally deferred — the import
-is documented here so a reader sees the intent.
+The build-identity hash formula matches AZ-323's emitted
+``build.manifest_hash`` byte-for-byte. AZ-323 / AZ-324 / AZ-325 all
+share a single definition by importing :func:`aggregate_tile_hash` and
+:func:`compute_manifest_hash` from
+``components.c10_provisioning._canonical_hash``. Resolves cumulative-
+review Finding F1 (batches 34–36) — the verifier and provisioner used
+to import leading-underscore privates from ``manifest_builder``.
 """
 
 from __future__ import annotations
@@ -89,13 +88,15 @@ from gps_denied_onboard.components.c10_provisioning.interface import (
     BuildRequest,
     FileLockFactory,
 )
+from gps_denied_onboard.components.c10_provisioning._canonical_hash import (
+    TileHashRecord,
+    aggregate_tile_hash,
+    compute_manifest_hash,
+)
 from gps_denied_onboard.components.c10_provisioning.manifest_builder import (
     ManifestBuildInput,
     ManifestBuilder,
-    TileHashRecord,
     TilesByBboxQuery,
-    _aggregate_tile_hash,
-    _compute_manifest_hash,
 )
 from gps_denied_onboard.helpers.engine_filename_schema import (
     EngineFilenameSchema,
@@ -574,9 +575,9 @@ class CacheProvisionerImpl:
             return None
         calibration_sha256 = hashlib.sha256(calibration_bytes).hexdigest()
 
-        tiles_coverage_sha256 = _aggregate_tile_hash(sorted_tiles)
+        tiles_coverage_sha256 = aggregate_tile_hash(sorted_tiles)
 
-        request_hash = _compute_manifest_hash(
+        request_hash = compute_manifest_hash(
             engine_entries=tuple(engine_entries),
             calibration_sha256=calibration_sha256,
             descriptor_index_sha256=descriptor_index_sha256,