[AZ-294] [AZ-295] [AZ-296] Finish C13: tile snapshot + record-kind policy + takeoff abort

AZ-294: MidFlightTileSnapshotSink writes orthorectified tile JPEGs
atomically to flight_root/<flight_id>/tiles/<tile_id>.jpg, emits a
kind="mid_flight_tile_snapshot" pointer record, and evicts the oldest
tile when the per-flight 64 MiB cap is exceeded. Adds optional
frame_id to the snapshot payload (fdr_record_schema bump).

AZ-295: RecordKindPolicy with two paired gates:
- enforce_or_raise (producer-side) raises RawFrameWriteForbiddenError
  for raw_nav_frame / raw_ai_cam_frame at the call site, defending
  AC-8.5 / RESTRICT-UAV-4.
- gate_for_writer (writer-side) tumbling-window rate-caps
  failed_tile_thumbnail records at <= 0.1 Hz; over-cap drops are
  coalesced into kind="overrun" records with the originating
  producer slug.

AZ-296: take_off() composition-root sequence with strict ordering
(writer.__init__ -> start -> open_flight -> fc_adapter.__init__ ->
fc_adapter.open). On FdrOpenError, logs ERROR record, calls
writer.stop(), prints the documented FATAL line to stderr, and
sys.exit(EXIT_FDR_OPEN_FAILURE=2). composition_root_protocol bumped
to v1.1.0 with the new constants + takeoff-sequence section.

29 new tests; full suite 356 passed / 2 skipped / 0 failures.
No new dependencies (stdlib only).

Co-authored-by: Cursor <cursoragent@cursor.com>

src/gps_denied_onboard/components/c13_fdr/writer.py

@@ -39,6 +39,10 @@ from gps_denied_onboard.components.c13_fdr.errors import (
     FdrWriterError,
 )
 from gps_denied_onboard.components.c13_fdr.headers import FlightFooter, FlightHeader
+from gps_denied_onboard.components.c13_fdr.record_kind_policy import (
+    GateDecision,
+    RecordKindPolicy,
+)
 from gps_denied_onboard.config import FdrWriterConfig
 from gps_denied_onboard.fdr_client.client import FdrClient
 from gps_denied_onboard.fdr_client.records import (
@@ -91,6 +95,7 @@ class FileFdrWriter:
         gcs_alert: Callable[[str], None],
         *,
         on_rotation: Callable[[FileFdrWriter, int], None] | None = None,
+        record_kind_policy: RecordKindPolicy | None = None,
         drain_sleep_s: float = _DEFAULT_DRAIN_SLEEP_S,
     ) -> None:
         self._flight_root = Path(flight_root)
@@ -99,6 +104,7 @@ class FileFdrWriter:
         self._fdr_clients = tuple(fdr_clients)
         self._gcs_alert = gcs_alert
         self._on_rotation = on_rotation
+        self._record_kind_policy = record_kind_policy
         self._drain_sleep_s = drain_sleep_s
 
         # Filesystem state.
@@ -383,6 +389,10 @@ class FileFdrWriter:
         batch = client.drain(max_records=self._config.batch_size)
         for record in batch:
             self._observe_overrun_record(record)
+            if self._record_kind_policy is not None:
+                decision = self._record_kind_policy.gate_for_writer(record)
+                if decision is GateDecision.DROP:
+                    continue
             try:
                 self._append_record(record)
             except OSError as exc:
@@ -390,8 +400,21 @@ class FileFdrWriter:
                 # Continue dequeuing producer buffers so they don't grow
                 # unboundedly even in degraded mode (AC-5 part d).
                 continue
+        self._emit_pending_policy_overrun()
         return len(batch)
 
+    def _emit_pending_policy_overrun(self) -> None:
+        if self._record_kind_policy is None:
+            return
+        overrun = self._record_kind_policy.drain_pending_overrun()
+        if overrun is None:
+            return
+        self._observe_overrun_record(overrun)
+        try:
+            self._append_record(overrun)
+        except OSError as exc:
+            self._handle_write_failure(exc)
+
     def _observe_overrun_record(self, record: FdrRecord) -> None:
         if record.kind != OVERRUN_KIND:
             return