[AZ-808] [AZ-811] Strict validation on region POST + lat/lon GET

AZ-808: FluentValidation for POST /api/satellite/request
- RegionRequestValidator: id non-empty, lat/lon/sizeMeters/zoomLevel ranges
- RequestRegionRequest: [JsonRequired] on every property, no implicit defaults
- Wired via .WithValidation<RequestRegionRequest>() in MapPost chain
- Unit + integration tests + curl probe script
- New contract: contracts/api/region-request.md v1.0.0

AZ-811: FluentValidation + envelope filter for GET /api/satellite/tiles/latlon
- GetTileByLatLonQuery: nullable record (double?/int?) so the minimal-API
  binder never short-circuits with BadHttpRequestException before filters
- GetTileByLatLonQueryValidator: Cascade(Stop) + NotNull + InclusiveBetween
  per param; missing surfaces as `\`<name>\` is required.`
- RejectUnknownQueryParamsEndpointFilter: reusable IEndpointFilter that
  rejects any query key outside the allowed set with errors[<key>] map;
  catches legacy `?Latitude=` typos and hostile probes (`?debug=1&admin=1`)
- Handler: [AsParameters] GetTileByLatLonQuery + .Value deref post-validator
- Unit (validator + filter) + integration tests + curl probe script
- New contract: contracts/api/tile-latlon.md v1.0.0

Shared hygiene
- Promote AssertErrorsContainsMention from per-test-file private helpers to
  ProblemDetailsAssertions (closes batch-1 Low-severity DRY warning)
- Sync Swagger param descriptions, README, blackbox/security/perf scripts,
  uuidv5 doc with the new lat/lon/zoom query-param names

Docs
- system-flows.md F1/F2 reference the new contracts + validation layers
- modules/api_program.md adds Api/Validators + Api/DTOs sections
- _autodev_state.md: batch 2 of 4 complete; next batch = AZ-809

All smoke tests green (mode=smoke, exit 0). AZ-808 + AZ-811 transitioned
to In Testing on Jira.

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.Api/Validators/GetTileByLatLonQueryValidator.cs

@@ -0,0 +1,45 @@
+using FluentValidation;
+using SatelliteProvider.Api.DTOs;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-811: FluentValidation rules for the query-string surface of
+// GET /api/satellite/tiles/latlon. Wired through
+// ValidationEndpointFilter<GetTileByLatLonQuery> at endpoint registration
+// time (.WithValidation<GetTileByLatLonQuery>() in Program.cs).
+//
+// Each rule maps 1:1 to a query parameter; errors[] keys are camelCase per
+// GlobalValidatorConfig (matching the wire-format param names `lat`, `lon`,
+// `zoom`). Required-field detection is `NotNull()` on the nullable-bound
+// DTO (see GetTileByLatLonQuery for why properties are nullable). Each rule
+// uses CascadeMode.Stop so a missing param surfaces ONLY as
+// "`lat` is required" — not also "`lat` must be between -90 and 90" with a
+// null value. Unknown query parameters are caught upstream by
+// RejectUnknownQueryParamsEndpointFilter.
+public sealed class GetTileByLatLonQueryValidator : AbstractValidator<GetTileByLatLonQuery>
+{
+    private const double MinLat = -90.0;
+    private const double MaxLat = 90.0;
+    private const double MinLon = -180.0;
+    private const double MaxLon = 180.0;
+    private const int MinZoom = 0;
+    private const int MaxZoom = 22;
+
+    public GetTileByLatLonQueryValidator()
+    {
+        RuleFor(q => q.Lat)
+            .Cascade(CascadeMode.Stop)
+            .NotNull().WithMessage("`lat` is required.")
+            .InclusiveBetween(MinLat, MaxLat).WithMessage($"`lat` must be between {MinLat} and {MaxLat}.");
+
+        RuleFor(q => q.Lon)
+            .Cascade(CascadeMode.Stop)
+            .NotNull().WithMessage("`lon` is required.")
+            .InclusiveBetween(MinLon, MaxLon).WithMessage($"`lon` must be between {MinLon} and {MaxLon}.");
+
+        RuleFor(q => q.Zoom)
+            .Cascade(CascadeMode.Stop)
+            .NotNull().WithMessage("`zoom` is required.")
+            .InclusiveBetween(MinZoom, MaxZoom).WithMessage($"`zoom` must be between {MinZoom} and {MaxZoom} (slippy-map range).");
+    }
+}

SatelliteProvider.Api/Validators/RegionRequestValidator.cs

@@ -0,0 +1,50 @@
+using FluentValidation;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-808: FluentValidation rules for POST /api/satellite/request.
+// Wired through ValidationEndpointFilter<RequestRegionRequest> at endpoint
+// registration time (.WithValidation<RequestRegionRequest>() in Program.cs).
+// Failures are converted to RFC 7807 ValidationProblemDetails per
+// _docs/02_document/contracts/api/error-shape.md v1.0.0.
+//
+// Required-field detection is handled at the deserializer level via
+// [JsonRequired] on RequestRegionRequest properties plus
+// JsonSerializerOptions.UnmappedMemberHandling.Disallow (AZ-795). This
+// validator covers the post-deserialization business rules: non-zero Id,
+// lat/lon/sizeMeters/zoomLevel range constraints.
+public sealed class RegionRequestValidator : AbstractValidator<RequestRegionRequest>
+{
+    private const double MinLat = -90.0;
+    private const double MaxLat = 90.0;
+    private const double MinLon = -180.0;
+    private const double MaxLon = 180.0;
+    private const double MinSizeMeters = 100.0;
+    private const double MaxSizeMeters = 10000.0;
+    private const int MinZoom = 0;
+    private const int MaxZoom = 22;
+
+    public RegionRequestValidator()
+    {
+        RuleFor(req => req.Id)
+            .NotEmpty()
+            .WithMessage("`id` must be a non-zero GUID (the caller's idempotency key).");
+
+        RuleFor(req => req.Lat)
+            .InclusiveBetween(MinLat, MaxLat)
+            .WithMessage($"`lat` must be between {MinLat} and {MaxLat}.");
+
+        RuleFor(req => req.Lon)
+            .InclusiveBetween(MinLon, MaxLon)
+            .WithMessage($"`lon` must be between {MinLon} and {MaxLon}.");
+
+        RuleFor(req => req.SizeMeters)
+            .InclusiveBetween(MinSizeMeters, MaxSizeMeters)
+            .WithMessage($"`sizeMeters` must be between {MinSizeMeters} and {MaxSizeMeters} meters.");
+
+        RuleFor(req => req.ZoomLevel)
+            .InclusiveBetween(MinZoom, MaxZoom)
+            .WithMessage($"`zoomLevel` must be between {MinZoom} and {MaxZoom} (slippy-map range).");
+    }
+}

SatelliteProvider.Api/Validators/RejectUnknownQueryParamsEndpointFilter.cs

@@ -0,0 +1,42 @@
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-811: endpoint filter that rejects any query-string parameter outside an
+// allowed-set. ASP.NET model binding silently ignores unknown query params,
+// which means typos (e.g. `?latitude=` after AZ-812's rename to `lat`) bind
+// to the default value (0.0) and may produce a misleading 200 or a confusing
+// out-of-range 400 from the value-validator. This filter catches the typo at
+// the envelope level and returns a structured RFC 7807 ValidationProblemDetails
+// with errors[<paramName>] = "Unknown query parameter ...", matching the
+// shape produced by ValidationEndpointFilter<T> + GlobalExceptionHandler.
+//
+// Apply BEFORE ValidationEndpointFilter<T> so unknown-param errors precede
+// range checks against the bound default value.
+public sealed class RejectUnknownQueryParamsEndpointFilter : IEndpointFilter
+{
+    private readonly HashSet<string> _allowedKeys;
+
+    public RejectUnknownQueryParamsEndpointFilter(IEnumerable<string> allowedKeys)
+    {
+        _allowedKeys = new HashSet<string>(allowedKeys, StringComparer.OrdinalIgnoreCase);
+    }
+
+    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+    {
+        var query = context.HttpContext.Request.Query;
+        var unknown = query.Keys.Where(k => !_allowedKeys.Contains(k)).ToList();
+
+        if (unknown.Count > 0)
+        {
+            var errors = unknown.ToDictionary(
+                k => k,
+                k => new[]
+                {
+                    $"Unknown query parameter `{k}`. Allowed: {string.Join(", ", _allowedKeys.Select(a => $"`{a}`"))}."
+                });
+
+            return Results.ValidationProblem(errors);
+        }
+
+        return await next(context);
+    }
+}