[AZ-809] Strict validation for POST /api/satellite/route

Third concrete child of AZ-795 (cycle 8 batch 3). FluentValidation +
[JsonRequired] + UnmappedMemberHandling.Disallow combine to reject every
malformed payload at the API boundary with RFC 7807 ValidationProblemDetails.

Validators (SatelliteProvider.Api/Validators/, all new)
- CreateRouteRequestValidator: id non-empty, name/description length,
  regionSizeMeters/zoomLevel ranges, points count [2, 500], cross-field
  createTilesZip => requestMaps. Chains RoutePointValidator (per-point)
  and GeofencePolygonValidator (per-polygon, guarded by When(Geofences != null)).
  OverridePropertyName("geofences.polygons") on the geofences chain so
  FluentValidation's default leaf-only key policy doesn't drop the parent
  path on deep expressions like req.Geofences!.Polygons.
- RoutePointValidator: lat/lon ranges; OverridePropertyName("lat"/"lon")
  chained AFTER InclusiveBetween (the extension is defined on
  IRuleBuilderOptions<T, TProperty>, so the generic type is only
  inferable after the first concrete rule) so error keys match the
  wire format (`points[i].lat`) rather than the C# property name
  (`points[i].latitude`).
- GeofencePolygonValidator: per-corner range checks via private nested
  GeoCornerValidator; cross-field NW.Lat > SE.Lat and NW.Lon < SE.Lon
  invariants emit at errors["geofences.polygons[i].northWest"].

DTOs (SatelliteProvider.Common/DTO/, [JsonRequired] additions only)
- CreateRouteRequest: id, name, regionSizeMeters, zoomLevel, points,
  requestMaps, createTilesZip
- RoutePoint: Latitude, Longitude
- GeofencePolygon: NorthWest, SouthEast; Geofences: Polygons
- GeoPoint: Lat, Lon

Tests
- Unit: 26 methods total — 16 in CreateRouteRequestValidatorTests, 6 in
  GeofencePolygonValidatorTests, 4 in RoutePointValidatorTests. Each
  RuleFor/RuleForEach chain has at least one positive + one negative case.
- Integration: CreateRouteValidationTests.cs — 16 methods (happy + 15
  failure modes) wired into smoke + full suites. Covers empty body,
  missing/zero id, empty name, out-of-range regionSizeMeters/zoomLevel,
  points count < 2, per-point lat/lon out-of-range, geofence invariants,
  missing requestMaps, cross-field createTilesZip, unknown root field,
  nested type mismatch.
- Manual probe: scripts/probe_route_validation.sh curl-exercises every
  failure mode end-to-end + happy path.

Docs
- New contract _docs/02_document/contracts/api/route-creation.md v1.0.0
  with nested DTO chain, invariants, per-field test cases table, and
  advisories on the legacy service-layer RouteValidator + the
  input/output RoutePoint vs RoutePointDto naming asymmetry.
- system-flows.md F4 sequence diagram extended with the validation-filter
  branch; preconditions + error scenarios reference the new contract.
- modules/api_program.md: CreateRoute handler section added; Api/Validators
  bumped to AZ-808/AZ-809/AZ-811.
- modules/common_dtos.md: DTO descriptions updated with [JsonRequired]
  annotations and constraint summaries.
- tests/blackbox-tests.md BT-06/BT-N03/BT-N04/BT-N05 align with the new
  wire format and named error keys.
- tests/security-tests.md SEC-04 references GlobalExceptionHandler's
  JsonException branch + AZ-353 correlationId.
- _docs/03_implementation/batch_03_cycle8_report.md + reviews/batch_03_cycle8_review.md
  (PASS_WITH_NOTES — F1 Low: OverridePropertyName documented inline,
  F2 + F3 Info: pre-existing advisories for follow-up).

Smoke green (mode=smoke, exit 0). AZ-809 transitioned to In Testing on Jira.
Task file moved to _docs/02_tasks/done/.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/02_document/modules/common_dtos.md

@@ -6,9 +6,9 @@ Data transfer objects used across all layers — API requests/responses, inter-s
 ## Public Interface
 
 ### GeoPoint
-Geographic coordinate with tolerance-based equality.
-- `Lat` (double): latitude, JSON property `"lat"`
-- `Lon` (double): longitude, JSON property `"lon"`
+Geographic coordinate with tolerance-based equality. AZ-809 (cycle 8) marked both axes `[JsonRequired]` so a polygon corner missing either axis is rejected at the deserializer layer.
+- `Lat` (double, `[JsonRequired]`, JSON: `"lat"`)
+- `Lon` (double, `[JsonRequired]`, JSON: `"lon"`)
 - Constructor: `GeoPoint()`, `GeoPoint(double lat, double lon)`
 - Equality: two points are equal if both coordinates differ by less than `0.00005` (PRECISION_TOLERANCE)
 - Operator overloads: `==`, `!=`
@@ -50,20 +50,27 @@ Response DTO for region status queries.
 - `TilesDownloaded`, `TilesReused` (int), `CreatedAt`, `UpdatedAt` (DateTime)
 
 ### RoutePoint
-Input point in a route creation request.
-- `Latitude` (double, JSON: `"lat"`), `Longitude` (double, JSON: `"lon"`)
+Input point in a route creation request. AZ-809 (cycle 8) marked both axes `[JsonRequired]` so the System.Text.Json deserializer rejects missing-axis payloads with HTTP 400 + `ValidationProblemDetails` via `GlobalExceptionHandler` BEFORE the FluentValidation layer runs.
+- `Latitude` (double, `[JsonRequired]`, JSON: `"lat"`)
+- `Longitude` (double, `[JsonRequired]`, JSON: `"lon"`)
 
 ### RoutePointDto
 Output point in a route response (includes computed fields).
 - `Latitude`, `Longitude` (double), `PointType` (string: "start"/"end"/"action"/"intermediate")
 - `SequenceNumber`, `SegmentIndex` (int), `DistanceFromPrevious` (double?)
+- **Naming asymmetry**: input wire uses short OSM `lat`/`lon` (`RoutePoint`); response wire uses long `latitude`/`longitude` (`RoutePointDto`). Pre-existing — AZ-809 documented but did not change this. Tracked as a follow-up advisory in `_docs/02_document/contracts/api/route-creation.md`.
 
 ### CreateRouteRequest
-API request body for route creation.
-- `Id` (Guid), `Name` (string), `Description` (string?)
-- `RegionSizeMeters` (double), `ZoomLevel` (int)
-- `Points` (List\<RoutePoint\>), `Geofences` (Geofences?)
-- `RequestMaps` (bool), `CreateTilesZip` (bool)
+API request body for route creation. AZ-809 (cycle 8) added `[JsonRequired]` to every non-optional axis so missing fields are caught at the deserializer layer (uniform with AZ-808 region-request and AZ-795 inventory).
+- `Id` (Guid, `[JsonRequired]`) — caller-supplied idempotency key; non-zero GUID
+- `Name` (string, `[JsonRequired]`) — length \[1, 200\]
+- `Description` (string?) — optional, length ≤ 1000 when present
+- `RegionSizeMeters` (double, `[JsonRequired]`) — \[100, 10000\]
+- `ZoomLevel` (int, `[JsonRequired]`) — \[0, 22\] slippy-map range
+- `Points` (List\<RoutePoint\>, `[JsonRequired]`) — count ∈ \[2, 500\]
+- `Geofences` (Geofences?) — optional; when present, each polygon validated
+- `RequestMaps` (bool, `[JsonRequired]`) — no default; missing → 400
+- `CreateTilesZip` (bool, `[JsonRequired]`) — no default; cross-field invariant requires `requestMaps=true` when `true`
 
 ### RouteResponse
 API response for route queries.
@@ -71,12 +78,14 @@ API response for route queries.
 - `MapsReady` (bool), `TilesZipPath` (string?)
 
 ### GeofencePolygon
-Axis-aligned bounding box defined by NW and SE corners.
-- `NorthWest` (GeoPoint?), `SouthEast` (GeoPoint?)
+Axis-aligned bounding box defined by NW and SE corners. AZ-809 (cycle 8) marked both corners `[JsonRequired]` so a partially-specified polygon (just `northWest`, no `southEast`, or vice-versa) is rejected at the deserializer layer.
+- `NorthWest` (GeoPoint?, `[JsonRequired]`, JSON: `"northWest"`)
+- `SouthEast` (GeoPoint?, `[JsonRequired]`, JSON: `"southEast"`)
+- Cross-corner invariants (enforced by `GeofencePolygonValidator`): `NW.Lat > SE.Lat` (NW is north-of SE) and `NW.Lon < SE.Lon` (NW is west-of SE). Equal corners fail both invariants with `errors["geofences.polygons[i].northWest"]`.
 
 ### Geofences
-Container for multiple geofence polygons.
-- `Polygons` (List\<GeofencePolygon\>)
+Container for multiple geofence polygons. AZ-809 (cycle 8) marked `Polygons` `[JsonRequired]` so an empty `geofences: {}` envelope is rejected.
+- `Polygons` (List\<GeofencePolygon\>, `[JsonRequired]`, JSON: `"polygons"`) — at least 1 polygon when `geofences` is present (validator rule, not deserializer rule).
 
 ### UavTileMetadata (added AZ-488, extended AZ-503)
 Per-tile metadata payload inside a UAV batch upload (`POST /api/satellite/upload`). Indexed-correlated with the multipart `IFormFileCollection`.