[AZ-808] [AZ-811] Strict validation on region POST + lat/lon GET

AZ-808: FluentValidation for POST /api/satellite/request
- RegionRequestValidator: id non-empty, lat/lon/sizeMeters/zoomLevel ranges
- RequestRegionRequest: [JsonRequired] on every property, no implicit defaults
- Wired via .WithValidation<RequestRegionRequest>() in MapPost chain
- Unit + integration tests + curl probe script
- New contract: contracts/api/region-request.md v1.0.0

AZ-811: FluentValidation + envelope filter for GET /api/satellite/tiles/latlon
- GetTileByLatLonQuery: nullable record (double?/int?) so the minimal-API
  binder never short-circuits with BadHttpRequestException before filters
- GetTileByLatLonQueryValidator: Cascade(Stop) + NotNull + InclusiveBetween
  per param; missing surfaces as `\`<name>\` is required.`
- RejectUnknownQueryParamsEndpointFilter: reusable IEndpointFilter that
  rejects any query key outside the allowed set with errors[<key>] map;
  catches legacy `?Latitude=` typos and hostile probes (`?debug=1&admin=1`)
- Handler: [AsParameters] GetTileByLatLonQuery + .Value deref post-validator
- Unit (validator + filter) + integration tests + curl probe script
- New contract: contracts/api/tile-latlon.md v1.0.0

Shared hygiene
- Promote AssertErrorsContainsMention from per-test-file private helpers to
  ProblemDetailsAssertions (closes batch-1 Low-severity DRY warning)
- Sync Swagger param descriptions, README, blackbox/security/perf scripts,
  uuidv5 doc with the new lat/lon/zoom query-param names

Docs
- system-flows.md F1/F2 reference the new contracts + validation layers
- modules/api_program.md adds Api/Validators + Api/DTOs sections
- _autodev_state.md: batch 2 of 4 complete; next batch = AZ-809

All smoke tests green (mode=smoke, exit 0). AZ-808 + AZ-811 transitioned
to In Testing on Jira.

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.Tests/Validators/GetTileByLatLonQueryValidatorTests.cs

@@ -0,0 +1,159 @@
+using FluentValidation.TestHelper;
+using SatelliteProvider.Api.DTOs;
+using SatelliteProvider.Api.Validators;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-811: unit tests for GetTileByLatLonQueryValidator. One Theory per RuleFor
+// covering boundary + out-of-range. Unknown-query-param rejection is tested
+// at the integration layer (GetTileByLatLonValidationTests) — there's no
+// pure-unit equivalent because the filter runs against HttpContext.Request.Query.
+public class GetTileByLatLonQueryValidatorTests
+{
+    private readonly GetTileByLatLonQueryValidator _validator;
+
+    public GetTileByLatLonQueryValidatorTests()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+        _validator = new GetTileByLatLonQueryValidator();
+    }
+
+    [Theory]
+    [InlineData(-90.001)]
+    [InlineData(90.001)]
+    [InlineData(180.0)]
+    public void Validate_LatOutOfRange_FailsRangeRule(double lat)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(lat, 37.647063, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lat");
+    }
+
+    [Fact]
+    public void Validate_LatNull_FailsNotNullRule()
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(null, 37.647063, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert — CascadeMode.Stop ensures NotNull short-circuits the range
+        // rule, so the caller sees only `"\`lat\` is required."` not also the
+        // range error against a null sentinel.
+        result.ShouldHaveValidationErrorFor("lat").WithErrorMessage("`lat` is required.");
+    }
+
+    [Theory]
+    [InlineData(-90.0)]
+    [InlineData(0.0)]
+    [InlineData(47.461747)]
+    [InlineData(90.0)]
+    public void Validate_LatAtOrInsideBounds_Passes(double lat)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(lat, 37.647063, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lat");
+    }
+
+    [Theory]
+    [InlineData(-180.001)]
+    [InlineData(180.001)]
+    [InlineData(360.0)]
+    public void Validate_LonOutOfRange_FailsRangeRule(double lon)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, lon, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lon");
+    }
+
+    [Fact]
+    public void Validate_LonNull_FailsNotNullRule()
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, null, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lon").WithErrorMessage("`lon` is required.");
+    }
+
+    [Theory]
+    [InlineData(-180.0)]
+    [InlineData(0.0)]
+    [InlineData(37.647063)]
+    [InlineData(180.0)]
+    public void Validate_LonAtOrInsideBounds_Passes(double lon)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, lon, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lon");
+    }
+
+    [Theory]
+    [InlineData(-1)]
+    [InlineData(23)]
+    [InlineData(100)]
+    public void Validate_ZoomOutOfRange_FailsRangeRule(int zoom)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, 37.647063, zoom);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("zoom");
+    }
+
+    [Fact]
+    public void Validate_ZoomNull_FailsNotNullRule()
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, 37.647063, null);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("zoom").WithErrorMessage("`zoom` is required.");
+    }
+
+    [Theory]
+    [InlineData(0)]
+    [InlineData(18)]
+    [InlineData(22)]
+    public void Validate_ZoomAtOrInsideBounds_Passes(int zoom)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, 37.647063, zoom);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("zoom");
+    }
+}

SatelliteProvider.Tests/Validators/RegionRequestValidatorTests.cs

@@ -0,0 +1,192 @@
+using FluentValidation.TestHelper;
+using SatelliteProvider.Api.Validators;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-808: unit tests for RegionRequestValidator. Each RuleFor in the validator
+// has at least one passing case + one failing case. Required-field detection
+// (id / lat / lon / sizeMeters / zoomLevel / stitchTiles) is not unit-tested
+// here because it lives at the deserializer layer (JsonRequired), not the
+// validator — covered by the integration tests (RegionRequestValidationTests).
+public class RegionRequestValidatorTests
+{
+    private readonly RegionRequestValidator _validator;
+
+    public RegionRequestValidatorTests()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+        _validator = new RegionRequestValidator();
+    }
+
+    private static RequestRegionRequest ValidRequest() => new()
+    {
+        Id = Guid.NewGuid(),
+        Lat = 47.461747,
+        Lon = 37.647063,
+        SizeMeters = 200.0,
+        ZoomLevel = 18,
+        StitchTiles = false,
+    };
+
+    [Fact]
+    public void Validate_AllValid_Passes()
+    {
+        // Arrange
+        var request = ValidRequest();
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_IdEmpty_FailsNotEmptyRule()
+    {
+        // Arrange
+        var request = ValidRequest() with { Id = Guid.Empty };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("id")
+            .WithErrorMessage("`id` must be a non-zero GUID (the caller's idempotency key).");
+    }
+
+    [Theory]
+    [InlineData(-90.001)]
+    [InlineData(90.001)]
+    [InlineData(180.0)]
+    [InlineData(-181.0)]
+    public void Validate_LatOutOfRange_FailsRangeRule(double lat)
+    {
+        // Arrange
+        var request = ValidRequest() with { Lat = lat };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lat");
+    }
+
+    [Theory]
+    [InlineData(-90.0)]
+    [InlineData(0.0)]
+    [InlineData(47.461747)]
+    [InlineData(90.0)]
+    public void Validate_LatAtOrInsideBounds_Passes(double lat)
+    {
+        // Arrange
+        var request = ValidRequest() with { Lat = lat };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lat");
+    }
+
+    [Theory]
+    [InlineData(-180.001)]
+    [InlineData(180.001)]
+    [InlineData(360.0)]
+    public void Validate_LonOutOfRange_FailsRangeRule(double lon)
+    {
+        // Arrange
+        var request = ValidRequest() with { Lon = lon };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lon");
+    }
+
+    [Theory]
+    [InlineData(-180.0)]
+    [InlineData(0.0)]
+    [InlineData(37.647063)]
+    [InlineData(180.0)]
+    public void Validate_LonAtOrInsideBounds_Passes(double lon)
+    {
+        // Arrange
+        var request = ValidRequest() with { Lon = lon };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lon");
+    }
+
+    [Theory]
+    [InlineData(99.999)]
+    [InlineData(0.0)]
+    [InlineData(10000.001)]
+    [InlineData(100000.0)]
+    [InlineData(-1.0)]
+    public void Validate_SizeMetersOutOfRange_FailsRangeRule(double sizeMeters)
+    {
+        // Arrange
+        var request = ValidRequest() with { SizeMeters = sizeMeters };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("sizeMeters");
+    }
+
+    [Theory]
+    [InlineData(100.0)]
+    [InlineData(200.0)]
+    [InlineData(5000.0)]
+    [InlineData(10000.0)]
+    public void Validate_SizeMetersAtOrInsideBounds_Passes(double sizeMeters)
+    {
+        // Arrange
+        var request = ValidRequest() with { SizeMeters = sizeMeters };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("sizeMeters");
+    }
+
+    [Theory]
+    [InlineData(-1)]
+    [InlineData(23)]
+    [InlineData(100)]
+    public void Validate_ZoomLevelOutOfRange_FailsRangeRule(int zoomLevel)
+    {
+        // Arrange
+        var request = ValidRequest() with { ZoomLevel = zoomLevel };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("zoomLevel");
+    }
+
+    [Theory]
+    [InlineData(0)]
+    [InlineData(18)]
+    [InlineData(22)]
+    public void Validate_ZoomLevelAtOrInsideBounds_Passes(int zoomLevel)
+    {
+        // Arrange
+        var request = ValidRequest() with { ZoomLevel = zoomLevel };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("zoomLevel");
+    }
+}

SatelliteProvider.Tests/Validators/RejectUnknownQueryParamsEndpointFilterTests.cs

@@ -0,0 +1,124 @@
+using FluentAssertions;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.Extensions.Primitives;
+using SatelliteProvider.Api.Validators;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-811: unit coverage for the envelope filter that runs ahead of the
+// FluentValidation layer on query-string endpoints. Spec section 5 calls for
+// ≥ 1 unit test on this filter; integration coverage is in
+// SatelliteProvider.IntegrationTests/GetTileByLatLonValidationTests.cs.
+public class RejectUnknownQueryParamsEndpointFilterTests
+{
+    private static readonly string[] AllowedKeys = ["lat", "lon", "zoom"];
+
+    [Fact]
+    public async Task Invoke_AllKeysAllowed_DelegatesToNext()
+    {
+        // Arrange
+        var filter = new RejectUnknownQueryParamsEndpointFilter(AllowedKeys);
+        var ctx = BuildContext(new Dictionary<string, StringValues>
+        {
+            ["lat"] = "47.461747",
+            ["lon"] = "37.647063",
+            ["zoom"] = "18"
+        });
+        var sentinel = new object();
+        EndpointFilterDelegate next = _ => ValueTask.FromResult<object?>(sentinel);
+
+        // Act
+        var result = await filter.InvokeAsync(ctx, next);
+
+        // Assert
+        result.Should().BeSameAs(sentinel, "the filter must pass through when all query keys are in the allowed set");
+    }
+
+    [Fact]
+    public async Task Invoke_UnknownKey_ReturnsValidationProblemAndDoesNotDelegate()
+    {
+        // Arrange
+        var filter = new RejectUnknownQueryParamsEndpointFilter(AllowedKeys);
+        var ctx = BuildContext(new Dictionary<string, StringValues>
+        {
+            ["lat"] = "47.461747",
+            ["lon"] = "37.647063",
+            ["zoom"] = "18",
+            ["debug"] = "1"
+        });
+        var nextCalled = false;
+        EndpointFilterDelegate next = _ =>
+        {
+            nextCalled = true;
+            return ValueTask.FromResult<object?>(new object());
+        };
+
+        // Act
+        var result = await filter.InvokeAsync(ctx, next);
+
+        // Assert
+        nextCalled.Should().BeFalse("an unknown key must short-circuit the pipeline before the handler runs");
+        var problem = result.Should().BeOfType<ProblemHttpResult>().Subject;
+        problem.StatusCode.Should().Be(StatusCodes.Status400BadRequest);
+        problem.ProblemDetails.Should().BeOfType<HttpValidationProblemDetails>();
+        var validation = (HttpValidationProblemDetails)problem.ProblemDetails;
+        validation.Errors.Should().ContainKey("debug");
+        validation.Errors["debug"][0].Should().Contain("Unknown query parameter");
+    }
+
+    [Fact]
+    public async Task Invoke_LegacyPascalCaseKeys_ReturnsErrorsPerKey()
+    {
+        // Arrange — AZ-811 envelope must catch the exact pre-rename wire format
+        // (`Latitude/Longitude/ZoomLevel`) because case-insensitive lookup against
+        // the allowed set still treats those keys as distinct from `lat/lon/zoom`.
+        var filter = new RejectUnknownQueryParamsEndpointFilter(AllowedKeys);
+        var ctx = BuildContext(new Dictionary<string, StringValues>
+        {
+            ["Latitude"] = "47.461747",
+            ["Longitude"] = "37.647063",
+            ["ZoomLevel"] = "18"
+        });
+        EndpointFilterDelegate next = _ => ValueTask.FromResult<object?>(new object());
+
+        // Act
+        var result = await filter.InvokeAsync(ctx, next);
+
+        // Assert
+        var problem = result.Should().BeOfType<ProblemHttpResult>().Subject;
+        var validation = (HttpValidationProblemDetails)problem.ProblemDetails;
+        validation.Errors.Should().ContainKey("Latitude");
+        validation.Errors.Should().ContainKey("Longitude");
+        validation.Errors.Should().ContainKey("ZoomLevel");
+    }
+
+    [Fact]
+    public async Task Invoke_KeysAreCaseInsensitiveAgainstAllowedSet()
+    {
+        // Arrange — `Lat` (capital L) is the SAME allowed key as `lat`
+        // (`StringComparer.OrdinalIgnoreCase`). It must pass through.
+        var filter = new RejectUnknownQueryParamsEndpointFilter(AllowedKeys);
+        var ctx = BuildContext(new Dictionary<string, StringValues>
+        {
+            ["Lat"] = "47.461747",
+            ["lon"] = "37.647063",
+            ["ZOOM"] = "18"
+        });
+        var sentinel = new object();
+        EndpointFilterDelegate next = _ => ValueTask.FromResult<object?>(sentinel);
+
+        // Act
+        var result = await filter.InvokeAsync(ctx, next);
+
+        // Assert
+        result.Should().BeSameAs(sentinel);
+    }
+
+    private static EndpointFilterInvocationContext BuildContext(IDictionary<string, StringValues> queryParams)
+    {
+        var httpContext = new DefaultHttpContext();
+        httpContext.Request.Query = new QueryCollection(queryParams.ToDictionary(kv => kv.Key, kv => kv.Value));
+        return new DefaultEndpointFilterInvocationContext(httpContext);
+    }
+}