[AZ-809] Strict validation for POST /api/satellite/route

Third concrete child of AZ-795 (cycle 8 batch 3). FluentValidation + [JsonRequired] + UnmappedMemberHandling.Disallow combine to reject every malformed payload at the API boundary with RFC 7807 ValidationProblemDetails. Validators (SatelliteProvider.Api/Validators/, all new) - CreateRouteRequestValidator: id non-empty, name/description length, regionSizeMeters/zoomLevel ranges, points count [2, 500], cross-field createTilesZip => requestMaps. Chains RoutePointValidator (per-point) and GeofencePolygonValidator (per-polygon, guarded by When(Geofences != null)). OverridePropertyName("geofences.polygons") on the geofences chain so FluentValidation's default leaf-only key policy doesn't drop the parent path on deep expressions like req.Geofences!.Polygons. - RoutePointValidator: lat/lon ranges; OverridePropertyName("lat"/"lon") chained AFTER InclusiveBetween (the extension is defined on IRuleBuilderOptions<T, TProperty>, so the generic type is only inferable after the first concrete rule) so error keys match the wire format (`points[i].lat`) rather than the C# property name (`points[i].latitude`). - GeofencePolygonValidator: per-corner range checks via private nested GeoCornerValidator; cross-field NW.Lat > SE.Lat and NW.Lon < SE.Lon invariants emit at errors["geofences.polygons[i].northWest"]. DTOs (SatelliteProvider.Common/DTO/, [JsonRequired] additions only) - CreateRouteRequest: id, name, regionSizeMeters, zoomLevel, points, requestMaps, createTilesZip - RoutePoint: Latitude, Longitude - GeofencePolygon: NorthWest, SouthEast; Geofences: Polygons - GeoPoint: Lat, Lon Tests - Unit: 26 methods total — 16 in CreateRouteRequestValidatorTests, 6 in GeofencePolygonValidatorTests, 4 in RoutePointValidatorTests. Each RuleFor/RuleForEach chain has at least one positive + one negative case. - Integration: CreateRouteValidationTests.cs — 16 methods (happy + 15 failure modes) wired into smoke + full suites. Covers empty body, missing/zero id, empty name, out-of-range regionSizeMeters/zoomLevel, points count < 2, per-point lat/lon out-of-range, geofence invariants, missing requestMaps, cross-field createTilesZip, unknown root field, nested type mismatch. - Manual probe: scripts/probe_route_validation.sh curl-exercises every failure mode end-to-end + happy path. Docs - New contract _docs/02_document/contracts/api/route-creation.md v1.0.0 with nested DTO chain, invariants, per-field test cases table, and advisories on the legacy service-layer RouteValidator + the input/output RoutePoint vs RoutePointDto naming asymmetry. - system-flows.md F4 sequence diagram extended with the validation-filter branch; preconditions + error scenarios reference the new contract. - modules/api_program.md: CreateRoute handler section added; Api/Validators bumped to AZ-808/AZ-809/AZ-811. - modules/common_dtos.md: DTO descriptions updated with [JsonRequired] annotations and constraint summaries. - tests/blackbox-tests.md BT-06/BT-N03/BT-N04/BT-N05 align with the new wire format and named error keys. - tests/security-tests.md SEC-04 references GlobalExceptionHandler's JsonException branch + AZ-353 correlationId. - _docs/03_implementation/batch_03_cycle8_report.md + reviews/batch_03_cycle8_review.md (PASS_WITH_NOTES — F1 Low: OverridePropertyName documented inline, F2 + F3 Info: pre-existing advisories for follow-up). Smoke green (mode=smoke, exit 0). AZ-809 transitioned to In Testing on Jira. Task file moved to _docs/02_tasks/done/. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 08:51:13 +00:00 · 2026-05-22 17:49:48 +03:00
parent 34ee1e0b83
commit 5e056b2334
24 changed files with 1929 additions and 50 deletions
@@ -259,6 +259,10 @@ app.MapGet("/api/satellite/region/{id:guid}", GetRegionStatus)
 app.MapPost("/api/satellite/route", CreateRoute)
    .RequireAuthorization()
    .WithValidation<CreateRouteRequest>()
    .Accepts<CreateRouteRequest>("application/json")
    .Produces<RouteResponse>(StatusCodes.Status200OK)
    .ProducesProblem(StatusCodes.Status400BadRequest)
    .WithOpenApi(op => new(op)
    {
        Summary = "Create a route with intermediate points",
@@ -0,0 +1,90 @@
 using FluentValidation;
 using SatelliteProvider.Common.DTO;
 namespace SatelliteProvider.Api.Validators;
 // AZ-809: FluentValidation rules for POST /api/satellite/route. Wired
 // through ValidationEndpointFilter<CreateRouteRequest> at endpoint
 // registration time (.WithValidation<CreateRouteRequest>() in Program.cs).
 // Failures are converted to RFC 7807 ValidationProblemDetails per
 // _docs/02_document/contracts/api/error-shape.md v1.0.0.
 //
 // Required-field detection is handled at the deserializer level via
 // [JsonRequired] on CreateRouteRequest, RoutePoint, GeofencePolygon, and
 // GeoPoint, plus JsonSerializerOptions.UnmappedMemberHandling.Disallow
 // (AZ-795 global). This validator covers post-deserialization business
 // rules: non-zero id, name + description length, range checks on size /
 // zoom / points-count, per-point lat/lon ranges (via RoutePointValidator),
 // per-polygon corner ranges + NW-of-SE invariant (via GeofencePolygonValidator),
 // and the cross-field createTilesZip-implies-requestMaps rule.
 public sealed class CreateRouteRequestValidator : AbstractValidator<CreateRouteRequest>
 {
    private const double MinRegionSizeMeters = 100.0;
    private const double MaxRegionSizeMeters = 10000.0;
    private const int MinZoom = 0;
    private const int MaxZoom = 22;
    private const int MinPoints = 2;
    private const int MaxPoints = 500;
    private const int MaxNameLength = 200;
    private const int MaxDescriptionLength = 1000;
    public CreateRouteRequestValidator()
    {
        RuleFor(req => req.Id)
            .NotEmpty()
            .WithMessage("`id` must be a non-zero GUID (the caller's idempotency key).");
        RuleFor(req => req.Name)
            .NotEmpty()
            .WithMessage("`name` is required and must not be empty or whitespace.")
            .MaximumLength(MaxNameLength)
            .WithMessage($"`name` must be at most {MaxNameLength} characters.");
        RuleFor(req => req.Description)
            .MaximumLength(MaxDescriptionLength)
            .When(req => req.Description is not null)
            .WithMessage($"`description` must be at most {MaxDescriptionLength} characters.");
        RuleFor(req => req.RegionSizeMeters)
            .InclusiveBetween(MinRegionSizeMeters, MaxRegionSizeMeters)
            .WithMessage($"`regionSizeMeters` must be between {MinRegionSizeMeters} and {MaxRegionSizeMeters} meters.");
        RuleFor(req => req.ZoomLevel)
            .InclusiveBetween(MinZoom, MaxZoom)
            .WithMessage($"`zoomLevel` must be between {MinZoom} and {MaxZoom} (slippy-map range).");
        RuleFor(req => req.Points)
            .NotNull().WithMessage("`points` is required.")
            .Must(p => p is null || p.Count >= MinPoints)
                .WithMessage($"`points` must contain at least {MinPoints} entries.")
            .Must(p => p is null || p.Count <= MaxPoints)
                .WithMessage($"`points` must contain at most {MaxPoints} entries.");
        RuleForEach(req => req.Points)
            .SetValidator(new RoutePointValidator());
        // Geofences are optional; per-polygon rules apply only when present.
        // FluentValidation's default property-name policy drops the parent
        // chain on deep expressions like `req.Geofences!.Polygons` — it emits
        // only the leaf `polygons`. We OverridePropertyName explicitly so the
        // wire-format error keys match the JSON path callers actually post:
        // `errors["geofences.polygons"]` and `errors["geofences.polygons[i].…"]`.
        When(req => req.Geofences is not null, () =>
        {
            RuleFor(req => req.Geofences!.Polygons)
                .NotNull().WithMessage("`geofences.polygons` is required when `geofences` is present.")
                .NotEmpty().WithMessage("`geofences.polygons` must contain at least 1 polygon when `geofences` is present.")
                .OverridePropertyName("geofences.polygons");
            RuleForEach(req => req.Geofences!.Polygons)
                .SetValidator(new GeofencePolygonValidator())
                .OverridePropertyName("geofences.polygons");
        });
        // Cross-field invariant: cannot zip what wasn't downloaded.
        RuleFor(req => req)
            .Must(req => !(req.CreateTilesZip && !req.RequestMaps))
            .WithName("createTilesZip")
            .WithMessage("`createTilesZip` requires `requestMaps` to be true (can't zip what wasn't downloaded).");
    }
 }
@@ -0,0 +1,72 @@
 using FluentValidation;
 using SatelliteProvider.Common.DTO;
 namespace SatelliteProvider.Api.Validators;
 // AZ-809: per-polygon validator invoked via RuleForEach on the parent
 // CreateRouteRequest (guarded by When(geofences != null) at the parent).
 // Enforces both corner-point shape and the "NW is north-of and west-of SE"
 // invariant.
 //
 // Error path: errors keys land at `geofences.polygons[i].northWest.lat` etc.
 public sealed class GeofencePolygonValidator : AbstractValidator<GeofencePolygon>
 {
    private const double MinLat = -90.0;
    private const double MaxLat = 90.0;
    private const double MinLon = -180.0;
    private const double MaxLon = 180.0;
    public GeofencePolygonValidator()
    {
        // Both corners must be present. Without them no useful range/cross-field
        // check can run, so short-circuit via .Cascade(CascadeMode.Stop).
        RuleFor(p => p.NorthWest)
            .Cascade(CascadeMode.Stop)
            .NotNull().WithMessage("`northWest` corner is required.")
            .SetValidator(new GeoCornerValidator("northWest")!);
        RuleFor(p => p.SouthEast)
            .Cascade(CascadeMode.Stop)
            .NotNull().WithMessage("`southEast` corner is required.")
            .SetValidator(new GeoCornerValidator("southEast")!);
        // Cross-field invariant: NW must be genuinely north-of (lat greater)
        // AND west-of (lon smaller) SE. Only runs when both corners survived
        // the NotNull check above; FluentValidation skips the rule if either
        // is null (.When(...) guard below).
        RuleFor(p => p)
            .Must(HaveNorthWestActuallyNorthOfSouthEast)
            .When(p => p.NorthWest is not null && p.SouthEast is not null)
            .WithName("northWest")
            .WithMessage("`northWest.lat` must be greater than `southEast.lat` (NW is north-of SE).");
        RuleFor(p => p)
            .Must(HaveNorthWestActuallyWestOfSouthEast)
            .When(p => p.NorthWest is not null && p.SouthEast is not null)
            .WithName("northWest")
            .WithMessage("`northWest.lon` must be less than `southEast.lon` (NW is west-of SE).");
    }
    private static bool HaveNorthWestActuallyNorthOfSouthEast(GeofencePolygon polygon)
        => polygon.NorthWest!.Lat > polygon.SouthEast!.Lat;
    private static bool HaveNorthWestActuallyWestOfSouthEast(GeofencePolygon polygon)
        => polygon.NorthWest!.Lon < polygon.SouthEast!.Lon;
    // Inner per-corner validator. Kept private to this file because the
    // polygon corners are the only consumer; if a sibling endpoint needs
    // point-shape validation, promote and rename.
    private sealed class GeoCornerValidator : AbstractValidator<GeoPoint>
    {
        public GeoCornerValidator(string cornerLabel)
        {
            RuleFor(g => g.Lat)
                .InclusiveBetween(MinLat, MaxLat)
                .WithMessage($"`{cornerLabel}.lat` must be between {MinLat} and {MaxLat}.");
            RuleFor(g => g.Lon)
                .InclusiveBetween(MinLon, MaxLon)
                .WithMessage($"`{cornerLabel}.lon` must be between {MinLon} and {MaxLon}.");
        }
    }
 }
@@ -0,0 +1,40 @@
 using FluentValidation;
 using SatelliteProvider.Common.DTO;
 namespace SatelliteProvider.Api.Validators;
 // AZ-809: per-point validator invoked via RuleForEach on the parent
 // CreateRouteRequest. Each route waypoint must declare a valid WGS84
 // coordinate; the parent validator checks min/max count of the points
 // collection separately.
 //
 // Error path: errors keys land at `points[i].lat` / `points[i].lon` per
 // FluentValidation's default child-property naming + GlobalValidatorConfig
 // camelCase normalization (matches the wire format set by
 // [JsonPropertyName("lat"|"lon")] on RoutePoint).
 public sealed class RoutePointValidator : AbstractValidator<RoutePoint>
 {
    private const double MinLat = -90.0;
    private const double MaxLat = 90.0;
    private const double MinLon = -180.0;
    private const double MaxLon = 180.0;
    public RoutePointValidator()
    {
        // `RoutePoint.Latitude` is the C# property name but the wire name is
        // `lat` via [JsonPropertyName]. OverridePropertyName chains AFTER the
        // first concrete rule (which provides the `TProperty` for the generic
        // extension) and aligns the FluentValidation error key with the wire
        // format — callers see `errors["points[i].lat"]` matching what they
        // posted rather than the camelCased C# name `latitude`.
        RuleFor(p => p.Latitude)
            .InclusiveBetween(MinLat, MaxLat)
            .WithMessage($"`lat` must be between {MinLat} and {MaxLat}.")
            .OverridePropertyName("lat");
        RuleFor(p => p.Longitude)
            .InclusiveBetween(MinLon, MaxLon)
            .WithMessage($"`lon` must be between {MinLon} and {MaxLon}.")
            .OverridePropertyName("lon");
    }
 }
@@ -4,18 +4,35 @@ namespace SatelliteProvider.Common.DTO;
 public class CreateRouteRequest
 {
    // AZ-809: [JsonRequired] enforces presence at the deserializer; range and
    // shape checks live in `SatelliteProvider.Api/Validators/CreateRouteRequestValidator`.
    // Description and Geofences remain optional. The legacy in-service
    // `RouteValidator` is left in place as defense-in-depth for direct
    // service-layer callers (e.g. unit tests).
    [JsonRequired]
    public Guid Id { get; set; }
    [JsonRequired]
    public string Name { get; set; } = string.Empty;
    public string? Description { get; set; }
    [JsonRequired]
    public double RegionSizeMeters { get; set; }
    [JsonRequired]
    public int ZoomLevel { get; set; }
    [JsonRequired]
    public List<RoutePoint> Points { get; set; } = new();
    [JsonPropertyName("geofences")]
    public Geofences? Geofences { get; set; }
-    public bool RequestMaps { get; set; } = false;
+    [JsonRequired]
-    public bool CreateTilesZip { get; set; } = false;
+    public bool RequestMaps { get; set; }
    [JsonRequired]
    public bool CreateTilesZip { get; set; }
 }
@@ -6,9 +6,11 @@ public class GeoPoint
 {
    const double PRECISION_TOLERANCE = 0.00005;
    [JsonRequired]
    [JsonPropertyName("lat")]
    public double Lat { get; set; }
    [JsonRequired]
    [JsonPropertyName("lon")]
    public double Lon { get; set; }
@@ -4,15 +4,18 @@ namespace SatelliteProvider.Common.DTO;
 public class GeofencePolygon
 {
    [JsonRequired]
    [JsonPropertyName("northWest")]
    public GeoPoint? NorthWest { get; set; }
    [JsonRequired]
    [JsonPropertyName("southEast")]
    public GeoPoint? SouthEast { get; set; }
 }
 public class Geofences
 {
    [JsonRequired]
    [JsonPropertyName("polygons")]
    public List<GeofencePolygon> Polygons { get; set; } = new();
 }
@@ -4,9 +4,11 @@ namespace SatelliteProvider.Common.DTO;
 public class RoutePoint
 {
    [JsonRequired]
    [JsonPropertyName("lat")]
    public double Latitude { get; set; }
    [JsonRequired]
    [JsonPropertyName("lon")]
    public double Longitude { get; set; }
 }
@@ -0,0 +1,511 @@
 using System.Text;
 namespace SatelliteProvider.IntegrationTests;
 // AZ-809: end-to-end coverage for POST /api/satellite/route strict input
 // validation. Each test exercises one rule from the AZ-809 validator triplet
 // (CreateRouteRequestValidator + RoutePointValidator + GeofencePolygonValidator)
 // and asserts the response body conforms to the RFC 7807
 // ValidationProblemDetails contract in `_docs/02_document/contracts/api/error-shape.md`
 // v1.0.0. Required-field detection is enforced at the deserializer layer via
 // [JsonRequired] + UnmappedMemberHandling.Disallow (AZ-795).
 //
 // The route-creation happy path is intentionally `requestMaps=false` here to
 // keep this suite fast; the existing RouteCreationTests.cs exercises the
 // `requestMaps=true` flow (with background F5 processing).
 public static class CreateRouteValidationTests
 {
    private const string RoutePath = "/api/satellite/route";
    public static async Task RunAll(HttpClient httpClient)
    {
        RouteTestHelpers.PrintTestHeader("Test: POST /api/satellite/route strict validation (AZ-809)");
        await HappyPath_Returns200(httpClient);
        // Rule 1: body present
        await EmptyBody_Returns400(httpClient);
        // Rule 2: id required, non-zero Guid (probe-confirmed gap)
        await MissingId_Returns400(httpClient);
        await ZeroGuidId_Returns400(httpClient);
        // Rule 3: name required, length [1, 200]
        await EmptyName_Returns400(httpClient);
        // Rule 5: regionSizeMeters required, [100, 10000]
        await RegionSizeOutOfRange_Returns400(httpClient);
        // Rule 6: zoomLevel required, [0, 22]
        await ZoomLevelOutOfRange_Returns400(httpClient);
        // Rule 7: points required, [2, 500]
        await PointsTooFew_Returns400(httpClient);
        // Rule 8: per-point lat/lon ranges
        await PointLatOutOfRange_Returns400(httpClient);
        await PointLonOutOfRange_Returns400(httpClient);
        // Rule 9: geofence corners + NW-of-SE invariant
        await GeofenceNwLatNotGreaterThanSeLat_Returns400(httpClient);
        // Rule 10/11: requestMaps + createTilesZip required
        await MissingRequestMaps_Returns400(httpClient);
        // Rule 12: cross-field createTilesZip implies requestMaps
        await CreateTilesZipWithoutRequestMaps_Returns400(httpClient);
        // Rule 13: unknown root field rejected
        await UnknownRootField_Returns400(httpClient);
        // Rule 14: type mismatch (per-point lat)
        await PointLatTypeMismatch_Returns400(httpClient);
        Console.WriteLine("✓ Create-route validation tests: PASSED");
    }
    private static async Task HappyPath_Returns200(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 AC-2: well-formed body → HTTP 200 (no background processing — requestMaps=false)");
        // Arrange
        var routeId = Guid.NewGuid();
        var body = BuildValidBody(routeId, requestMaps: false, createTilesZip: false);
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var status = (int)response.StatusCode;
        var bodyText = await response.Content.ReadAsStringAsync();
        // Assert
        if (status != 200)
        {
            throw new Exception($"AZ-809 happy path: expected HTTP 200, got {status}. Body: {bodyText}");
        }
        Console.WriteLine("  ✓ Well-formed body accepted with HTTP 200");
    }
    private static async Task EmptyBody_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 1: empty body → HTTP 400");
        // Act
        var response = await PostJsonAsync(httpClient, "");
        var status = (int)response.StatusCode;
        // Assert
        if (status != 400)
        {
            throw new Exception($"AZ-809 rule 1: expected HTTP 400, got {status}.");
        }
        Console.WriteLine("  ✓ Empty body rejected with HTTP 400");
    }
    private static async Task MissingId_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 2 (probe-confirmed gap): missing `id` → HTTP 400 (no silent zero-Guid coercion)");
        // Arrange — same exact pattern as the AZ-808 probe finding.
        var body = """
            {
              "name": "derkachi-flight-1",
              "regionSizeMeters": 1000,
              "zoomLevel": 18,
              "points": [
                { "lat": 50.10, "lon": 36.10 },
                { "lat": 50.11, "lon": 36.11 }
              ],
              "requestMaps": false,
              "createTilesZip": false
            }
            """;
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 missing id");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 missing id");
        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "id", label: "AZ-809 missing id");
        Console.WriteLine("  ✓ Missing `id` rejected with HTTP 400 (no silent coercion)");
    }
    private static async Task ZeroGuidId_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 2: zero-Guid `id` → HTTP 400");
        // Arrange
        var body = BuildValidBody(Guid.Empty, requestMaps: false, createTilesZip: false);
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 zero-Guid id");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 zero-Guid id", expectedErrorPath: "id");
        Console.WriteLine("  ✓ Zero-Guid `id` rejected with errors[\"id\"]");
    }
    private static async Task EmptyName_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 3: empty `name` → HTTP 400");
        // Arrange
        var routeId = Guid.NewGuid();
        var body = $$"""
            {
              "id": "{{routeId}}",
              "name": "",
              "regionSizeMeters": 1000,
              "zoomLevel": 18,
              "points": [
                { "lat": 50.10, "lon": 36.10 },
                { "lat": 50.11, "lon": 36.11 }
              ],
              "requestMaps": false,
              "createTilesZip": false
            }
            """;
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 empty name");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 empty name", expectedErrorPath: "name");
        Console.WriteLine("  ✓ Empty `name` rejected with errors[\"name\"]");
    }
    private static async Task RegionSizeOutOfRange_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 5: `regionSizeMeters` out of range (100..10000) → HTTP 400");
        // Arrange — same 1M cap-exceeder as AZ-808.
        var routeId = Guid.NewGuid();
        var body = BuildValidBody(routeId, regionSize: 1_000_000, requestMaps: false, createTilesZip: false);
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 regionSize out of range");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 regionSize out of range", expectedErrorPath: "regionSizeMeters");
        Console.WriteLine("  ✓ `regionSizeMeters=1000000` rejected with errors[\"regionSizeMeters\"]");
    }
    private static async Task ZoomLevelOutOfRange_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 6: `zoomLevel` out of range (0..22) → HTTP 400");
        // Arrange
        var routeId = Guid.NewGuid();
        var body = BuildValidBody(routeId, zoom: 30, requestMaps: false, createTilesZip: false);
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 zoomLevel out of range");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 zoomLevel out of range", expectedErrorPath: "zoomLevel");
        Console.WriteLine("  ✓ `zoomLevel=30` rejected with errors[\"zoomLevel\"]");
    }
    private static async Task PointsTooFew_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 7: `points` count < 2 → HTTP 400");
        // Arrange — single point.
        var routeId = Guid.NewGuid();
        var body = $$"""
            {
              "id": "{{routeId}}",
              "name": "single-point-route",
              "regionSizeMeters": 1000,
              "zoomLevel": 18,
              "points": [
                { "lat": 50.10, "lon": 36.10 }
              ],
              "requestMaps": false,
              "createTilesZip": false
            }
            """;
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 points too few");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 points too few", expectedErrorPath: "points");
        Console.WriteLine("  ✓ `points` count=1 rejected with errors[\"points\"]");
    }
    private static async Task PointLatOutOfRange_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 8: per-point `lat` out of range → HTTP 400 (errors[points[i].lat])");
        // Arrange
        var routeId = Guid.NewGuid();
        var body = $$"""
            {
              "id": "{{routeId}}",
              "name": "out-of-range-lat",
              "regionSizeMeters": 1000,
              "zoomLevel": 18,
              "points": [
                { "lat": 50.10, "lon": 36.10 },
                { "lat": 91.0,  "lon": 36.11 }
              ],
              "requestMaps": false,
              "createTilesZip": false
            }
            """;
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 point lat out of range");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 point lat out of range");
        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "points[1].lat", label: "AZ-809 point lat out of range");
        Console.WriteLine("  ✓ `points[1].lat=91` rejected with errors[\"points[1].lat\"]");
    }
    private static async Task PointLonOutOfRange_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 8: per-point `lon` out of range → HTTP 400 (errors[points[i].lon])");
        // Arrange
        var routeId = Guid.NewGuid();
        var body = $$"""
            {
              "id": "{{routeId}}",
              "name": "out-of-range-lon",
              "regionSizeMeters": 1000,
              "zoomLevel": 18,
              "points": [
                { "lat": 50.10, "lon": 36.10 },
                { "lat": 50.11, "lon": 181.0 }
              ],
              "requestMaps": false,
              "createTilesZip": false
            }
            """;
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 point lon out of range");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 point lon out of range");
        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "points[1].lon", label: "AZ-809 point lon out of range");
        Console.WriteLine("  ✓ `points[1].lon=181` rejected with errors[\"points[1].lon\"]");
    }
    private static async Task GeofenceNwLatNotGreaterThanSeLat_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 9: geofence NW.lat <= SE.lat → HTTP 400 (cross-field invariant)");
        // Arrange — NW.lat == SE.lat → NW not north-of SE.
        var routeId = Guid.NewGuid();
        var body = $$"""
            {
              "id": "{{routeId}}",
              "name": "inverted-geofence",
              "regionSizeMeters": 1000,
              "zoomLevel": 18,
              "points": [
                { "lat": 50.10, "lon": 36.10 },
                { "lat": 50.11, "lon": 36.11 }
              ],
              "geofences": {
                "polygons": [
                  { "northWest": { "lat": 50.05, "lon": 36.05 },
                    "southEast": { "lat": 50.05, "lon": 36.15 } }
                ]
              },
              "requestMaps": false,
              "createTilesZip": false
            }
            """;
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 NW lat not > SE lat");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 NW lat not > SE lat");
        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "northWest", label: "AZ-809 NW lat not > SE lat");
        Console.WriteLine("  ✓ NW.lat <= SE.lat rejected by cross-field invariant");
    }
    private static async Task MissingRequestMaps_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 10: missing `requestMaps` → HTTP 400 (no defaulting)");
        // Arrange
        var routeId = Guid.NewGuid();
        var body = $$"""
            {
              "id": "{{routeId}}",
              "name": "no-requestMaps",
              "regionSizeMeters": 1000,
              "zoomLevel": 18,
              "points": [
                { "lat": 50.10, "lon": 36.10 },
                { "lat": 50.11, "lon": 36.11 }
              ],
              "createTilesZip": false
            }
            """;
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 missing requestMaps");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 missing requestMaps");
        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "requestMaps", label: "AZ-809 missing requestMaps");
        Console.WriteLine("  ✓ Missing `requestMaps` rejected");
    }
    private static async Task CreateTilesZipWithoutRequestMaps_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 12: `createTilesZip=true` AND `requestMaps=false` → HTTP 400 (cross-field invariant)");
        // Arrange
        var routeId = Guid.NewGuid();
        var body = BuildValidBody(routeId, requestMaps: false, createTilesZip: true);
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 createTilesZip without requestMaps");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 createTilesZip without requestMaps", expectedErrorPath: "createTilesZip");
        Console.WriteLine("  ✓ `createTilesZip=true requestMaps=false` rejected by cross-field invariant");
    }
    private static async Task UnknownRootField_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 13: unknown root field → HTTP 400 (UnmappedMemberHandling.Disallow)");
        // Arrange
        var routeId = Guid.NewGuid();
        var body = $$"""
            {
              "id": "{{routeId}}",
              "name": "with-unknown-field",
              "regionSizeMeters": 1000,
              "zoomLevel": 18,
              "points": [
                { "lat": 50.10, "lon": 36.10 },
                { "lat": 50.11, "lon": 36.11 }
              ],
              "requestMaps": false,
              "createTilesZip": false,
              "debug": "fingerprint-probe"
            }
            """;
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 unknown root field");
        // Assert
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 unknown root field");
        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "debug", label: "AZ-809 unknown root field");
        Console.WriteLine("  ✓ Unknown root field `debug` rejected with errors mention");
    }
    private static async Task PointLatTypeMismatch_Returns400(HttpClient httpClient)
    {
        Console.WriteLine();
        Console.WriteLine("AZ-809 rule 14: nested type mismatch (`points[0].lat` as string) → HTTP 400");
        // Arrange
        var routeId = Guid.NewGuid();
        var body = $$"""
            {
              "id": "{{routeId}}",
              "name": "nested-type-mismatch",
              "regionSizeMeters": 1000,
              "zoomLevel": 18,
              "points": [
                { "lat": "fifty", "lon": 36.10 },
                { "lat": 50.11,   "lon": 36.11 }
              ],
              "requestMaps": false,
              "createTilesZip": false
            }
            """;
        // Act
        var response = await PostJsonAsync(httpClient, body);
        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 point lat type mismatch");
        // Assert — GlobalExceptionHandler converts BadHttpRequestException to
        // ValidationProblemDetails when the inner JsonException's Path is set.
        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 point lat type mismatch");
        Console.WriteLine("  ✓ `points[0].lat:\"fifty\"` rejected with HTTP 400");
    }
    private static string BuildValidBody(
        Guid routeId,
        double regionSize = 1000.0,
        int zoom = 18,
        bool requestMaps = false,
        bool createTilesZip = false)
    {
        // Lat/lon picked from gps-denied-onboard AZ-777 Phase 2 probe.
        return $$"""
            {
              "id": "{{routeId}}",
              "name": "az-809-integration-test",
              "description": "AZ-809 integration test route",
              "regionSizeMeters": {{regionSize.ToString(System.Globalization.CultureInfo.InvariantCulture)}},
              "zoomLevel": {{zoom}},
              "points": [
                { "lat": 50.10, "lon": 36.10 },
                { "lat": 50.11, "lon": 36.11 }
              ],
              "requestMaps": {{(requestMaps ? "true" : "false")}},
              "createTilesZip": {{(createTilesZip ? "true" : "false")}}
            }
            """;
    }
    private static Task<HttpResponseMessage> PostJsonAsync(HttpClient httpClient, string body)
    {
        var content = new StringContent(body, Encoding.UTF8, "application/json");
        return httpClient.PostAsync(RoutePath, content);
    }
 }
@@ -143,6 +143,7 @@ class Program
        await RegionFieldRenameTests.RunAll(httpClient);
        await RegionRequestValidationTests.RunAll(httpClient);
        await GetTileByLatLonValidationTests.RunAll(httpClient);
        await CreateRouteValidationTests.RunAll(httpClient);
        await LeafletPathIndexOnlyTests.RunAll(connectionString);
        await MigrationTests.RunAll();
    }
@@ -170,6 +171,7 @@ class Program
        await RegionFieldRenameTests.RunAll(httpClient);
        await RegionRequestValidationTests.RunAll(httpClient);
        await GetTileByLatLonValidationTests.RunAll(httpClient);
        await CreateRouteValidationTests.RunAll(httpClient);
        await LeafletPathIndexOnlyTests.RunAll(connectionString);
        await MigrationTests.RunAll();
    }
@@ -0,0 +1,282 @@
 using FluentValidation.TestHelper;
 using SatelliteProvider.Api.Validators;
 using SatelliteProvider.Common.DTO;
 namespace SatelliteProvider.Tests.Validators;
 // AZ-809: unit tests for CreateRouteRequestValidator. Each RuleFor /
 // RuleForEach in the root validator has at least one passing case + one
 // failing case. Required-field detection lives at the deserializer layer
 // ([JsonRequired] + UnmappedMemberHandling.Disallow), covered separately
 // at the integration layer in CreateRouteValidationTests.
 public class CreateRouteRequestValidatorTests
 {
    private readonly CreateRouteRequestValidator _validator;
    public CreateRouteRequestValidatorTests()
    {
        GlobalValidatorConfig.ApplyOnce();
        _validator = new CreateRouteRequestValidator();
    }
    private static CreateRouteRequest ValidRequest()
    {
        return new CreateRouteRequest
        {
            Id = Guid.NewGuid(),
            Name = "derkachi-flight-1",
            Description = "AZ-777 Phase 2 seed route",
            RegionSizeMeters = 1000.0,
            ZoomLevel = 18,
            Points = new List<RoutePoint>
            {
                new() { Latitude = 50.10, Longitude = 36.10 },
                new() { Latitude = 50.11, Longitude = 36.11 },
            },
            RequestMaps = true,
            CreateTilesZip = false,
        };
    }
    [Fact]
    public void Validate_AllValid_Passes()
    {
        // Arrange
        var request = ValidRequest();
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldNotHaveAnyValidationErrors();
    }
    [Fact]
    public void Validate_IdEmpty_FailsNotEmptyRule()
    {
        // Arrange — reproduces the 2026-05-22 probe finding (silent zero-Guid).
        var request = ValidRequest();
        request.Id = Guid.Empty;
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("id")
            .WithErrorMessage("`id` must be a non-zero GUID (the caller's idempotency key).");
    }
    [Theory]
    [InlineData("")]
    [InlineData("   ")]
    public void Validate_NameMissing_FailsNotEmptyRule(string name)
    {
        // Arrange
        var request = ValidRequest();
        request.Name = name;
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("name");
    }
    [Fact]
    public void Validate_NameTooLong_FailsLengthRule()
    {
        // Arrange — name length 201 (cap is 200).
        var request = ValidRequest();
        request.Name = new string('a', 201);
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("name");
    }
    [Fact]
    public void Validate_DescriptionTooLong_FailsLengthRule()
    {
        // Arrange — description length 1001 (cap is 1000).
        var request = ValidRequest();
        request.Description = new string('d', 1001);
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("description");
    }
    [Theory]
    [InlineData(99.999)]
    [InlineData(0.0)]
    [InlineData(10000.001)]
    [InlineData(100000.0)]
    public void Validate_RegionSizeMetersOutOfRange_FailsRangeRule(double size)
    {
        // Arrange
        var request = ValidRequest();
        request.RegionSizeMeters = size;
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("regionSizeMeters");
    }
    [Theory]
    [InlineData(-1)]
    [InlineData(23)]
    [InlineData(100)]
    public void Validate_ZoomLevelOutOfRange_FailsRangeRule(int zoom)
    {
        // Arrange
        var request = ValidRequest();
        request.ZoomLevel = zoom;
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("zoomLevel");
    }
    [Fact]
    public void Validate_PointsTooFew_FailsCountRule()
    {
        // Arrange — only 1 point; min is 2 (Flow F4 precondition).
        var request = ValidRequest();
        request.Points = new List<RoutePoint>
        {
            new() { Latitude = 50.10, Longitude = 36.10 },
        };
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("points");
    }
    [Fact]
    public void Validate_PointsTooMany_FailsCountRule()
    {
        // Arrange — 501 points; max is 500.
        var request = ValidRequest();
        request.Points = Enumerable
            .Range(0, 501)
            .Select(_ => new RoutePoint { Latitude = 50.10, Longitude = 36.10 })
            .ToList();
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("points");
    }
    [Fact]
    public void Validate_PointLatOutOfRange_FailsChildRule()
    {
        // Arrange — second point's lat is out of range
        var request = ValidRequest();
        request.Points[1].Latitude = 91.0;
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("points[1].lat");
    }
    [Fact]
    public void Validate_PointLonOutOfRange_FailsChildRule()
    {
        // Arrange — second point's lon is out of range
        var request = ValidRequest();
        request.Points[1].Longitude = 181.0;
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("points[1].lon");
    }
    [Fact]
    public void Validate_GeofencePolygonNwSwapped_FailsChildInvariant()
    {
        // Arrange — NW.Lat <= SE.Lat (NW not north-of SE)
        var request = ValidRequest();
        request.Geofences = new Geofences
        {
            Polygons = new List<GeofencePolygon>
            {
                new()
                {
                    NorthWest = new GeoPoint(50.05, 36.05),
                    SouthEast = new GeoPoint(50.05, 36.15),
                }
            }
        };
        // Act
        var result = _validator.TestValidate(request);
        // Assert — the GeofencePolygonValidator child-validator's `.WithName("northWest")`
        // is prefixed with the RuleForEach path which we OverridePropertyName to
        // "geofences.polygons", producing the full wire path
        // `geofences.polygons[0].northWest`.
        result.ShouldHaveValidationErrorFor("geofences.polygons[0].northWest");
    }
    [Fact]
    public void Validate_GeofencesPresentButEmpty_FailsNotEmptyRule()
    {
        // Arrange — geofences object exists, polygons list is empty
        var request = ValidRequest();
        request.Geofences = new Geofences { Polygons = new List<GeofencePolygon>() };
        // Act
        var result = _validator.TestValidate(request);
        // Assert — OverridePropertyName makes the empty-list rule fire at the
        // wire-format path `geofences.polygons` instead of the leaf-only `polygons`.
        result.ShouldHaveValidationErrorFor("geofences.polygons");
    }
    [Fact]
    public void Validate_CreateTilesZipWithoutRequestMaps_FailsCrossFieldRule()
    {
        // Arrange — cannot zip what wasn't downloaded
        var request = ValidRequest();
        request.RequestMaps = false;
        request.CreateTilesZip = true;
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldHaveValidationErrorFor("createTilesZip")
            .WithErrorMessage("`createTilesZip` requires `requestMaps` to be true (can't zip what wasn't downloaded).");
    }
    [Fact]
    public void Validate_CreateTilesZipWithRequestMaps_Passes()
    {
        // Arrange — both true is valid
        var request = ValidRequest();
        request.RequestMaps = true;
        request.CreateTilesZip = true;
        // Act
        var result = _validator.TestValidate(request);
        // Assert
        result.ShouldNotHaveValidationErrorFor("createTilesZip");
    }
 }
@@ -0,0 +1,132 @@
 using FluentValidation.TestHelper;
 using SatelliteProvider.Api.Validators;
 using SatelliteProvider.Common.DTO;
 namespace SatelliteProvider.Tests.Validators;
 // AZ-809: unit tests for GeofencePolygonValidator. Covers (a) presence of
 // both corners, (b) range checks per corner, and (c) the cross-field
 // invariant `NW north-of SE` AND `NW west-of SE`.
 public class GeofencePolygonValidatorTests
 {
    private readonly GeofencePolygonValidator _validator;
    public GeofencePolygonValidatorTests()
    {
        GlobalValidatorConfig.ApplyOnce();
        _validator = new GeofencePolygonValidator();
    }
    private static GeofencePolygon ValidPolygon() => new()
    {
        NorthWest = new GeoPoint(50.15, 36.05),
        SouthEast = new GeoPoint(50.05, 36.15),
    };
    [Fact]
    public void Validate_AllValid_Passes()
    {
        // Arrange
        var polygon = ValidPolygon();
        // Act
        var result = _validator.TestValidate(polygon);
        // Assert
        result.ShouldNotHaveAnyValidationErrors();
    }
    [Fact]
    public void Validate_NorthWestNull_FailsNotNullRule()
    {
        // Arrange
        var polygon = ValidPolygon();
        polygon.NorthWest = null;
        // Act
        var result = _validator.TestValidate(polygon);
        // Assert
        result.ShouldHaveValidationErrorFor("northWest")
            .WithErrorMessage("`northWest` corner is required.");
    }
    [Fact]
    public void Validate_SouthEastNull_FailsNotNullRule()
    {
        // Arrange
        var polygon = ValidPolygon();
        polygon.SouthEast = null;
        // Act
        var result = _validator.TestValidate(polygon);
        // Assert
        result.ShouldHaveValidationErrorFor("southEast")
            .WithErrorMessage("`southEast` corner is required.");
    }
    [Theory]
    [InlineData(-90.001)]
    [InlineData(90.001)]
    public void Validate_NorthWestLatOutOfRange_FailsRangeRule(double lat)
    {
        // Arrange
        var polygon = ValidPolygon();
        polygon.NorthWest = new GeoPoint(lat, 36.05);
        // Act
        var result = _validator.TestValidate(polygon);
        // Assert
        result.ShouldHaveValidationErrorFor("northWest.lat");
    }
    [Theory]
    [InlineData(-180.001)]
    [InlineData(180.001)]
    public void Validate_SouthEastLonOutOfRange_FailsRangeRule(double lon)
    {
        // Arrange
        var polygon = ValidPolygon();
        polygon.SouthEast = new GeoPoint(50.05, lon);
        // Act
        var result = _validator.TestValidate(polygon);
        // Assert
        result.ShouldHaveValidationErrorFor("southEast.lon");
    }
    [Fact]
    public void Validate_NorthWestLatNotGreaterThanSouthEast_FailsInvariant()
    {
        // Arrange — NW.Lat <= SE.Lat → invariant violation
        var polygon = ValidPolygon();
        polygon.NorthWest = new GeoPoint(50.05, 36.05);
        polygon.SouthEast = new GeoPoint(50.05, 36.15);
        // Act
        var result = _validator.TestValidate(polygon);
        // Assert
        result.ShouldHaveValidationErrorFor("northWest")
            .WithErrorMessage("`northWest.lat` must be greater than `southEast.lat` (NW is north-of SE).");
    }
    [Fact]
    public void Validate_NorthWestLonNotLessThanSouthEast_FailsInvariant()
    {
        // Arrange — NW.Lon >= SE.Lon → invariant violation
        var polygon = ValidPolygon();
        polygon.NorthWest = new GeoPoint(50.15, 36.15);
        polygon.SouthEast = new GeoPoint(50.05, 36.15);
        // Act
        var result = _validator.TestValidate(polygon);
        // Assert
        result.ShouldHaveValidationErrorFor("northWest")
            .WithErrorMessage("`northWest.lon` must be less than `southEast.lon` (NW is west-of SE).");
    }
 }
@@ -0,0 +1,86 @@
 using FluentValidation.TestHelper;
 using SatelliteProvider.Api.Validators;
 using SatelliteProvider.Common.DTO;
 namespace SatelliteProvider.Tests.Validators;
 // AZ-809: unit tests for RoutePointValidator. Lat/lon range checks live on
 // `RoutePoint.Latitude` / `RoutePoint.Longitude` (C# names); the validator's
 // OverridePropertyName aligns FluentValidation error keys with the wire
 // format (`lat` / `lon`) so callers see what they posted.
 public class RoutePointValidatorTests
 {
    private readonly RoutePointValidator _validator;
    public RoutePointValidatorTests()
    {
        GlobalValidatorConfig.ApplyOnce();
        _validator = new RoutePointValidator();
    }
    [Theory]
    [InlineData(-90.001)]
    [InlineData(90.001)]
    [InlineData(180.0)]
    public void Validate_LatOutOfRange_FailsRangeRule(double lat)
    {
        // Arrange
        var point = new RoutePoint { Latitude = lat, Longitude = 37.647063 };
        // Act
        var result = _validator.TestValidate(point);
        // Assert
        result.ShouldHaveValidationErrorFor("lat");
    }
    [Theory]
    [InlineData(-90.0)]
    [InlineData(0.0)]
    [InlineData(47.461747)]
    [InlineData(90.0)]
    public void Validate_LatAtOrInsideBounds_Passes(double lat)
    {
        // Arrange
        var point = new RoutePoint { Latitude = lat, Longitude = 37.647063 };
        // Act
        var result = _validator.TestValidate(point);
        // Assert
        result.ShouldNotHaveValidationErrorFor("lat");
    }
    [Theory]
    [InlineData(-180.001)]
    [InlineData(180.001)]
    [InlineData(360.0)]
    public void Validate_LonOutOfRange_FailsRangeRule(double lon)
    {
        // Arrange
        var point = new RoutePoint { Latitude = 47.461747, Longitude = lon };
        // Act
        var result = _validator.TestValidate(point);
        // Assert
        result.ShouldHaveValidationErrorFor("lon");
    }
    [Theory]
    [InlineData(-180.0)]
    [InlineData(0.0)]
    [InlineData(37.647063)]
    [InlineData(180.0)]
    public void Validate_LonAtOrInsideBounds_Passes(double lon)
    {
        // Arrange
        var point = new RoutePoint { Latitude = 47.461747, Longitude = lon };
        // Act
        var result = _validator.TestValidate(point);
        // Assert
        result.ShouldNotHaveValidationErrorFor("lon");
    }
 }
@@ -0,0 +1,213 @@
 # Contract: route-creation
 **Component**: WebApi (`SatelliteProvider.Api`) producing rows via RouteManagement (`SatelliteProvider.Services.RouteManagement`) and feeding the background Route Map Processing flow (Flow F5)
 **Producer task**: AZ-809 — `_docs/02_tasks/done/AZ-809_route_endpoint_validation.md` (validator + this contract)
 **Consumer tasks**: `gps-denied-onboard` AZ-777 Phase 2 (preferred imagery-seeding path — route-based rather than bbox-based)
 **Version**: 1.0.0
 **Status**: frozen
 **Last Updated**: 2026-05-22
 ## Purpose
 Defines the HTTP contract for `POST /api/satellite/route` — the route-onboarding endpoint that stores an ordered set of waypoints, interpolates intermediate points every ~200 m, and (optionally, when `requestMaps=true`) enqueues a region request per route point so background processing pre-fetches map tiles for the entire route corridor. Geofence polygons (optional) restrict which intermediate points get region-requests. Callers poll `GET /api/satellite/route/{id}` until `mapsReady=true` (when `requestMaps=true`) or read the response directly (when `requestMaps=false`).
 This is v1.0.0 — published alongside AZ-809's validator landing. There is no prior contract document; the producer-doc surface before AZ-809 was `modules/api_program.md::CreateRoute Handler` + Flow F4 + Flow F5 only.
 ## Endpoint
 ```
 POST /api/satellite/route
 Content-Type: application/json
 Authorization: Bearer <JWT>
 ```
 The request MUST carry a valid JWT (AZ-487). No `permissions` claim is required. Anonymous requests are rejected with HTTP 401.
 ## Shape
 ### Request body
 ```jsonc
 {
  "id": "8f5e6d3e-1a2b-4c3d-9e8f-0123456789ab",
  "name": "derkachi-flight-1",
  "description": "AZ-777 Phase 2 seed route",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 },
    { "lat": 50.11, "lon": 36.11 }
  ],
  "geofences": {
    "polygons": [
      { "northWest": { "lat": 50.15, "lon": 36.05 },
        "southEast": { "lat": 50.05, "lon": 36.15 } }
    ]
  },
  "requestMaps": true,
  "createTilesZip": false
 }
 ```
 Per-field constraints:
 | Field | Type | Required | Description | Constraints |
 |-------|------|----------|-------------|-------------|
 | `id` | UUID | yes (`[JsonRequired]`) | Caller-supplied idempotency key. POSTing twice with the same `id` returns the existing route resource. | Non-zero GUID (validator rejects `00000000-...`). |
 | `name` | string | yes (`[JsonRequired]`) | Human-readable route name (used in produced filenames). | Length `[1, 200]`. Empty/whitespace rejected. |
 | `description` | string | no | Free-text description. | Length `[0, 1000]` when present. |
 | `regionSizeMeters` | number | yes (`[JsonRequired]`) | Side length of the square region requested per route point. | `[100.0, 10000.0]` (aligned with `region-request.md::sizeMeters`). |
 | `zoomLevel` | integer | yes (`[JsonRequired]`) | Slippy-map zoom level for region tiles. | `[0, 22]`. |
 | `points` | array | yes (`[JsonRequired]`) | Ordered waypoints. Server interpolates additional intermediate points every ~200 m between consecutive originals. | Count `[2, 500]`. |
 | `points[i].lat` | number | yes (`[JsonRequired]`) | WGS84 latitude. | `[-90.0, 90.0]`. |
 | `points[i].lon` | number | yes (`[JsonRequired]`) | WGS84 longitude. | `[-180.0, 180.0]`. |
 | `geofences` | object | no | When present, intermediate points outside ALL polygons get filtered before region enqueue. | See nested shape below. |
 | `geofences.polygons` | array | yes (`[JsonRequired]` when `geofences` present) | One or more bbox polygons (NW corner + SE corner). | Non-empty when `geofences` present. |
 | `geofences.polygons[i].northWest` | object | yes (`[JsonRequired]`) | Polygon's northwest corner. | See `GeoPoint` shape. |
 | `geofences.polygons[i].southEast` | object | yes (`[JsonRequired]`) | Polygon's southeast corner. | See `GeoPoint` shape. |
 | `requestMaps` | bool | yes (`[JsonRequired]`) | When `true`, enqueue background region-requests for every route point inside the geofences (or all points if no geofences). | No default — caller must declare intent. |
 | `createTilesZip` | bool | yes (`[JsonRequired]`) | When `true`, AFTER all region tiles are ready, package them into a ZIP at `tilesZipPath`. Requires `requestMaps=true` (can't zip what wasn't downloaded). | No default. Cross-field invariant with `requestMaps`. |
 `GeoPoint` shape (used by `northWest` / `southEast`):
 | Field | Type | Required | Constraints |
 |-------|------|----------|-------------|
 | `lat` | number | yes (`[JsonRequired]`) | `[-90.0, 90.0]`. |
 | `lon` | number | yes (`[JsonRequired]`) | `[-180.0, 180.0]`. |
 Polygon corner cross-field invariant (`GeofencePolygonValidator`):
 - `northWest.lat > southEast.lat` (NW is genuinely north-of SE).
 - `northWest.lon < southEast.lon` (NW is genuinely west-of SE).
 ### Response body (post-AC-2 unchanged from pre-AZ-809)
 ```jsonc
 {
  "id": "8f5e6d3e-1a2b-4c3d-9e8f-0123456789ab",
  "name": "derkachi-flight-1",
  "description": "AZ-777 Phase 2 seed route",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "totalDistanceMeters": 132.4,
  "totalPoints": 3,
  "points": [
    { "latitude": 50.10, "longitude": 36.10, "pointType": "original", "sequenceNumber": 0, "segmentIndex": 0, "distanceFromPrevious": null },
    { "latitude": 50.105, "longitude": 36.105, "pointType": "intermediate", "sequenceNumber": 1, "segmentIndex": 0, "distanceFromPrevious": 66.2 },
    { "latitude": 50.11, "longitude": 36.11, "pointType": "original", "sequenceNumber": 2, "segmentIndex": 0, "distanceFromPrevious": 66.2 }
  ],
  "requestMaps": true,
  "mapsReady": false,
  "csvFilePath": null,
  "summaryFilePath": null,
  "stitchedImagePath": null,
  "tilesZipPath": null,
  "createdAt": "2026-05-22T14:00:00Z",
  "updatedAt": "2026-05-22T14:00:00Z"
 }
 ```
 **Advisory AC-10**: The response echoes points as `{"latitude":..,"longitude":..}` (legacy long form) but the request accepts `{"lat":..,"lon":..}` (OSM short form). This input/output asymmetry on the same `RoutePoint` round-trip is documented and intentional for v1.0.0 — fixing it would be a major contract break. A follow-up task can harmonize the response side.
 ### Endpoint summary
 | Method | Path | Request | Response | Status codes |
 |--------|------|---------|----------|--------------|
 | `POST` | `/api/satellite/route` | `CreateRouteRequest` body | `RouteResponse` (route resource snapshot) | 200, 400, 401 |
 ## Error shape
 All `400` responses conform to `_docs/02_document/contracts/api/error-shape.md` v1.0.0. Three sources produce identically-shaped `ValidationProblemDetails` bodies:
 1. **Deserializer envelope** (`UnmappedMemberHandling.Disallow` + `[JsonRequired]`) — rejects missing-required fields and unknown root/nested keys with `errors[<path>]` produced via `GlobalExceptionHandler`'s `JsonException` path.
 2. **`CreateRouteRequestValidator`** — rejects non-zero-Id, name/description length, range checks on size / zoom / points-count, and the cross-field `createTilesZip ⇒ requestMaps` rule.
 3. **`RoutePointValidator` + `GeofencePolygonValidator`** — invoked via `RuleForEach` / `SetValidator`; rejects per-point lat/lon out-of-range, per-polygon corner out-of-range, and the NW-north-of-SE / NW-west-of-SE invariants.
 Example body for a missing-id failure (probe-confirmed pre-AZ-809 silent zero-Guid coercion):
 ```jsonc
 {
  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
  "title": "One or more validation errors occurred.",
  "status": 400,
  "errors": {
    "id": ["The JSON property 'id' is required, but a value was not supplied."]
  }
 }
 ```
 Example body for a nested per-point failure:
 ```jsonc
 {
  "errors": {
    "points[1].lat": ["`lat` must be between -90 and 90."]
  }
 }
 ```
 Example body for a polygon corner invariant failure:
 ```jsonc
 {
  "errors": {
    "geofences.polygons[0].northWest": ["`northWest.lat` must be greater than `southEast.lat` (NW is north-of SE)."]
  }
 }
 ```
 ## Invariants
 - **Inv-1**: `id` is a non-zero GUID, supplied by the caller. Re-POST with the same id returns the existing route (idempotent contract per `IdempotentPostTests`).
 - **Inv-2**: `points` has at least 2 entries (Flow F4 precondition) and at most 500 entries (cap to prevent runaway region-enqueue).
 - **Inv-3**: Every `points[i].lat ∈ [-90, 90]` and `points[i].lon ∈ [-180, 180]`.
 - **Inv-4**: `regionSizeMeters ∈ [100, 10000]` (aligned with `region-request.md::sizeMeters`).
 - **Inv-5**: `zoomLevel ∈ [0, 22]` (slippy-map range, aligned with `region-request.md` Inv-5 and `tile-inventory.md` Inv-8).
 - **Inv-6** (cross-field): `createTilesZip=true ⇒ requestMaps=true` (can't zip what wasn't downloaded).
 - **Inv-7** (per-polygon shape): `northWest` AND `southEast` corners both present.
 - **Inv-8** (per-polygon invariant): `northWest.lat > southEast.lat` AND `northWest.lon < southEast.lon`.
 - **Inv-9**: Unknown root or nested fields → 400 (deserializer's `UnmappedMemberHandling.Disallow`).
 ## Non-Goals
 - **Not covered**: route mutation. No PUT / PATCH endpoint exists; routes are immutable post-creation.
 - **Not covered**: background processing (Flow F5) — Flow F5 docs cover the region enqueue, tile download, ZIP packaging, and `mapsReady` transition.
 - **Not covered**: response field renaming. The input/output naming asymmetry (`points[i].lat` request vs `points[i].latitude` response) is acknowledged in AC-10 advisory and tracked for a future major contract bump.
 - **Not covered**: the legacy `RouteValidator` in `SatelliteProvider.Services.RouteManagement` — it remains as defense-in-depth for direct service-layer callers; its checks are now redundant with this contract but a separate cleanup task should consolidate.
 ## Versioning Rules
 - **Patch (1.0.x)**: Documentation clarifications, additional invariants that do not change wire behavior.
 - **Minor (1.x.0)**: Adding an optional field consumers may safely ignore; relaxing a range; supporting a new geofence shape type alongside the existing bbox.
 - **Major (2.0.0)**: Renaming any request or response field; tightening any existing range; harmonizing the response point names to `lat`/`lon` (resolves AC-10); changing the `createTilesZip ⇔ requestMaps` cross-field rule semantics.
 ## Test Cases
 | Case | Input | Expected | Notes |
 |------|-------|----------|-------|
 | happy-path-no-maps | full body with `requestMaps=false` | HTTP 200 + RouteResponse (mapsReady=false, no background processing) | AC-2 |
 | happy-path-with-maps | full body with `requestMaps=true` | HTTP 200; background F5 enqueues regions; `GET /api/satellite/route/{id}` shows `mapsReady=true` within ~20s for a 2-point 132m route at z=18 | AC-2 + existing RouteCreationTests |
 | empty-body | `""` | HTTP 400 | Rule 1 |
 | missing-id | body without `id` | HTTP 400 + `errors[id]` ("required") | Rule 2 (probe-confirmed gap) |
 | zero-guid-id | `"id":"00000000-..."` | HTTP 400 + `errors[id]` ("non-zero GUID") | Rule 2 |
 | empty-name | `"name":""` | HTTP 400 + `errors[name]` | Rule 3 |
 | description-too-long | `"description":<1001 chars>` | HTTP 400 + `errors[description]` | Rule 4 |
 | regionSize-out-of-range | `"regionSizeMeters":1000000` | HTTP 400 + `errors[regionSizeMeters]` | Rule 5 |
 | zoom-out-of-range | `"zoomLevel":30` | HTTP 400 + `errors[zoomLevel]` | Rule 6 |
 | points-too-few | 1-point array | HTTP 400 + `errors[points]` | Rule 7 (Flow F4 precondition) |
 | points-too-many | 501-point array | HTTP 400 + `errors[points]` | Rule 7 (cap) |
 | point-lat-out-of-range | `"points":[..., {"lat":91,..}]` | HTTP 400 + `errors["points[1].lat"]` | Rule 8 |
 | point-lon-out-of-range | `"points":[..., {"lat":..,"lon":181}]` | HTTP 400 + `errors["points[1].lon"]` | Rule 8 |
 | geofence-nw-not-north | NW.lat == SE.lat | HTTP 400 + `errors["geofences.polygons[0].northWest"]` | Rule 9 / Inv-8 |
 | geofence-nw-not-west | NW.lon == SE.lon | HTTP 400 + `errors["geofences.polygons[0].northWest"]` | Rule 9 / Inv-8 |
 | missing-requestMaps | body without `requestMaps` | HTTP 400 + `errors[requestMaps]` | Rule 10 |
 | createTilesZip-without-requestMaps | `"requestMaps":false,"createTilesZip":true` | HTTP 400 + `errors[createTilesZip]` | Rule 12 (cross-field) |
 | unknown-root-field | extra `"debug":"..."` key | HTTP 400 + `errors[debug]` | Rule 13 (`UnmappedMemberHandling.Disallow`) |
 | point-lat-type-mismatch | `"points":[{"lat":"fifty",..}, ..]` | HTTP 400 (nested JSON error) | Rule 14 (`GlobalExceptionHandler`) |
 | auth-anonymous | no Bearer token | HTTP 401 | Standard `.RequireAuthorization()` |
 | idempotent-replay | re-POST same `id` | HTTP 200 (echoes existing resource) | `IdempotentPostTests` AC-2 |
 ## Change Log
 | Version | Date | Change | Author |
 |---------|------|--------|--------|
 | 1.0.0 | 2026-05-22 | Initial contract for `POST /api/satellite/route`. Publishes the FluentValidation surface (CreateRouteRequestValidator + RoutePointValidator + GeofencePolygonValidator) + the 14 rules in AZ-809, including the probe-confirmed missing-id gap and the cross-field `createTilesZip ⇒ requestMaps` invariant. References `error-shape.md` v1.0.0, `region-request.md` v1.0.0 (F5 enqueue path), and Flows F4/F5 (cross-link). | autodev (Step 10, cycle 8) |
@@ -15,7 +15,7 @@ Application entry point. Configures DI container, sets up middleware, defines mi
 | POST | `/api/satellite/upload` | `UploadUavTileBatch` | UAV tile batch upload (AZ-488) — multipart envelope, 5-rule quality gate, per-source UPSERT with `source='uav'`. Requires the `RequiresGpsPermission` policy. |
 | POST | `/api/satellite/request` | `RequestRegion` | Queue region for async tile processing |
 | GET | `/api/satellite/region/{id}` | `GetRegionStatus` | Get region processing status |
-| POST | `/api/satellite/route` | `CreateRoute` | Create route with intermediate points |
+| POST | `/api/satellite/route` | `CreateRoute` | Create route with intermediate points. AZ-809 (cycle 8) added strict pre-handler validation via `WithValidation<CreateRouteRequest>()`: non-zero `id`, name length ∈ \[1, 200\], description length ≤ 1000, `regionSizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\], `points` count ∈ \[2, 500\] with per-point lat/lon range checks, per-polygon NW-of-SE invariants, and the `createTilesZip ⇒ requestMaps` cross-field rule. Deserializer-layer failures (missing `[JsonRequired]` axes, unknown fields, type mismatches) are caught by `GlobalExceptionHandler` and produce the same RFC 7807 envelope. Contract: `_docs/02_document/contracts/api/route-creation.md` v1.0.0 + `_docs/02_document/contracts/api/error-shape.md` v1.0.0. |
 | GET | `/api/satellite/route/{id}` | `GetRoute` | Get route with all points |
 ### Local Records (defined in Program.cs)
@@ -23,9 +23,11 @@ Application entry point. Configures DI container, sets up middleware, defines mi
 - `DownloadTileResponse` — tile download response
 - `ParameterDescriptionFilter` — Swagger operation filter (AZ-811 cycle 8 trimmed the obsolete `Latitude`/`Longitude`/`ZoomLevel` entries; the surviving `lat`/`lon`/`mgrs`/`squareSideMeters` keys still annotate query-string params)
-### Api/Validators (AZ-795 epic, AZ-811 cycle 8)
+### Api/Validators (AZ-795 epic, AZ-808/AZ-809/AZ-811 cycle 8)
 - `RejectUnknownQueryParamsEndpointFilter` — `IEndpointFilter` parameterized by an allowed-keys set; rejects unknown query-string parameters with RFC 7807 `ValidationProblemDetails`. Apply BEFORE `WithValidation<T>()` so unknown-param errors precede range checks against the bound default value.
 - `GetTileByLatLonQueryValidator` — `AbstractValidator<GetTileByLatLonQuery>` with `lat`/`lon`/`zoom` rules. Each rule chains `Cascade(CascadeMode.Stop) → NotNull → InclusiveBetween` so a missing param surfaces ONLY as `"\`<paramName>\` is required."` (no spurious range error against a null sentinel).
 - `RegionRequestValidator` (AZ-808 cycle 8) — `AbstractValidator<RequestRegionRequest>`. Post-deserialization business rules: non-zero `id`, `lat`/`lon` ranges, `sizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\]. Required-field detection lives at the deserializer layer (`[JsonRequired]` + `UnmappedMemberHandling.Disallow`).
 - `CreateRouteRequestValidator` + `RoutePointValidator` + `GeofencePolygonValidator` (AZ-809 cycle 8) — three FluentValidation validators for the route-creation endpoint. The root validator chains `RuleForEach(req => req.Points).SetValidator(new RoutePointValidator())` for per-point checks and `RuleForEach(req => req.Geofences!.Polygons).SetValidator(new GeofencePolygonValidator()).OverridePropertyName("geofences.polygons")` for per-polygon checks. The `OverridePropertyName` on the geofences chain restores the full wire path (`geofences.polygons[i].northWest`) because FluentValidation's default name policy drops the parent on deep expressions like `req.Geofences!.Polygons`. `RoutePointValidator` uses `OverridePropertyName("lat"/"lon")` after each range rule so error keys match the wire format (`lat`/`lon`) rather than the camelCased C# names (`latitude`/`longitude`). The cross-field rule `createTilesZip ⇒ requestMaps` lives on the root via `Must(req => !(req.CreateTilesZip && !req.RequestMaps)).WithName("createTilesZip")`.
 ### Api/DTOs (AZ-811 cycle 8)
 - `GetTileByLatLonQuery` — `record GetTileByLatLonQuery(double? Lat, double? Lon, int? Zoom)` with `[FromQuery(Name="lat"|"lon"|"zoom")]` on each property. Bound via `[AsParameters]` on the `GetTileByLatLon` handler. **Nullable on purpose**: minimal-API binding throws `BadHttpRequestException` for missing non-nullable query params BEFORE endpoint filters run; that short-circuit produces a plain `ProblemDetails` via `GlobalExceptionHandler` with no `errors{}` envelope. Nullable types let binding always succeed so the envelope filter + validator handle the failure surface uniformly per `error-shape.md` v1.0.0. The handler dereferences `.Value` only after the validator filter passes.
@@ -104,7 +106,13 @@ Binds `[AsParameters] GetTileByLatLonQuery` (record with nullable `[FromQuery(Na
 The two filter layers produce identically-shaped ProblemDetails bodies. The `RejectUnknownQueryParamsEndpointFilter` is reusable — register it once per allowed-key set on any future query-string endpoint that needs the same shape-strictness.
 ### RequestRegion Handler
-Validates size (100–10000m), delegates to `IRegionService.RequestRegionAsync`.
+AZ-808 (cycle 8) added strict pre-handler validation via `.WithValidation<RequestRegionRequest>()`: non-zero `id`, `lat`/`lon` ranges, `sizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\]. Missing `[JsonRequired]` axes / unknown root fields are caught at the deserializer layer by `GlobalExceptionHandler`. Post-validation, delegates to `IRegionService.RequestRegionAsync`.
 ### CreateRoute Handler (AZ-809 cycle 8)
 Pre-handler validation via `.WithValidation<CreateRouteRequest>()`. Layered defence:
 1. **Deserializer layer (System.Text.Json + `GlobalExceptionHandler`)** — `[JsonRequired]` markers on `CreateRouteRequest.{Id, Name, RegionSizeMeters, ZoomLevel, Points, RequestMaps, CreateTilesZip}`, on `RoutePoint.{Latitude, Longitude}`, on `Geofences.Polygons`, on `GeofencePolygon.{NorthWest, SouthEast}`, and on `GeoPoint.{Lat, Lon}` catch missing-field payloads; `UnmappedMemberHandling.Disallow` catches unknown root + nested fields; type mismatches surface as `JsonException`. All three surface as HTTP 400 + `ValidationProblemDetails`.
 2. **Validator layer (`CreateRouteRequestValidator` + `RoutePointValidator` + `GeofencePolygonValidator`)** — non-zero `id`, name/description length caps, `regionSizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\], `points` count ∈ \[2, 500\] with per-point range checks (error keys `points[i].lat` / `points[i].lon`), per-polygon corner ranges + `NW.Lat > SE.Lat` + `NW.Lon < SE.Lon` invariants (error keys `geofences.polygons[i].northWest`), and the `createTilesZip ⇒ requestMaps` cross-field rule.
 3. **Handler** — receives a fully-validated `CreateRouteRequest` and delegates to `IRouteService.CreateRouteAsync`. The route service's own legacy `RouteValidator` (in `SatelliteProvider.Services.RouteManagement`) still runs as a defence-in-depth backstop — its checks are now strictly weaker than the validator-layer rules; tracked as an advisory clean-up in `route-creation.md`. Authenticated by `.RequireAuthorization()` (401 before validation runs for anonymous requests).
 ### UploadUavTileBatch Handler (AZ-488)
 Buffers each `IFormFile` into memory, packages them as `UavUploadFile` records (filename, content-type, bytes), and delegates to `IUavTileUploadHandler.HandleAsync`. Envelope-level errors (mismatched batch, oversized batch, malformed metadata) are surfaced as HTTP 400 ProblemDetails; per-item rejects are returned in the HTTP 200 response payload. The endpoint is protected by `.RequireAuthorization(SatellitePermissions.UavUploadPolicy)` so 401 (no token) and 403 (no `GPS` permission) are returned before the handler runs.
@@ -6,9 +6,9 @@ Data transfer objects used across all layers — API requests/responses, inter-s
 ## Public Interface
 ### GeoPoint
-Geographic coordinate with tolerance-based equality.
+Geographic coordinate with tolerance-based equality. AZ-809 (cycle 8) marked both axes `[JsonRequired]` so a polygon corner missing either axis is rejected at the deserializer layer.
- `Lat` (double): latitude, JSON property `"lat"`
+- `Lat` (double, `[JsonRequired]`, JSON: `"lat"`)
- `Lon` (double): longitude, JSON property `"lon"`
+- `Lon` (double, `[JsonRequired]`, JSON: `"lon"`)
 - Constructor: `GeoPoint()`, `GeoPoint(double lat, double lon)`
 - Equality: two points are equal if both coordinates differ by less than `0.00005` (PRECISION_TOLERANCE)
 - Operator overloads: `==`, `!=`
@@ -50,20 +50,27 @@ Response DTO for region status queries.
 - `TilesDownloaded`, `TilesReused` (int), `CreatedAt`, `UpdatedAt` (DateTime)
 ### RoutePoint
-Input point in a route creation request.
+Input point in a route creation request. AZ-809 (cycle 8) marked both axes `[JsonRequired]` so the System.Text.Json deserializer rejects missing-axis payloads with HTTP 400 + `ValidationProblemDetails` via `GlobalExceptionHandler` BEFORE the FluentValidation layer runs.
- `Latitude` (double, JSON: `"lat"`), `Longitude` (double, JSON: `"lon"`)
+- `Latitude` (double, `[JsonRequired]`, JSON: `"lat"`)
 - `Longitude` (double, `[JsonRequired]`, JSON: `"lon"`)
 ### RoutePointDto
 Output point in a route response (includes computed fields).
 - `Latitude`, `Longitude` (double), `PointType` (string: "start"/"end"/"action"/"intermediate")
 - `SequenceNumber`, `SegmentIndex` (int), `DistanceFromPrevious` (double?)
 - **Naming asymmetry**: input wire uses short OSM `lat`/`lon` (`RoutePoint`); response wire uses long `latitude`/`longitude` (`RoutePointDto`). Pre-existing — AZ-809 documented but did not change this. Tracked as a follow-up advisory in `_docs/02_document/contracts/api/route-creation.md`.
 ### CreateRouteRequest
-API request body for route creation.
+API request body for route creation. AZ-809 (cycle 8) added `[JsonRequired]` to every non-optional axis so missing fields are caught at the deserializer layer (uniform with AZ-808 region-request and AZ-795 inventory).
- `Id` (Guid), `Name` (string), `Description` (string?)
+- `Id` (Guid, `[JsonRequired]`) — caller-supplied idempotency key; non-zero GUID
- `RegionSizeMeters` (double), `ZoomLevel` (int)
+- `Name` (string, `[JsonRequired]`) — length \[1, 200\]
- `Points` (List\<RoutePoint\>), `Geofences` (Geofences?)
+- `Description` (string?) — optional, length ≤ 1000 when present
- `RequestMaps` (bool), `CreateTilesZip` (bool)
+- `RegionSizeMeters` (double, `[JsonRequired]`) — \[100, 10000\]
 - `ZoomLevel` (int, `[JsonRequired]`) — \[0, 22\] slippy-map range
 - `Points` (List\<RoutePoint\>, `[JsonRequired]`) — count ∈ \[2, 500\]
 - `Geofences` (Geofences?) — optional; when present, each polygon validated
 - `RequestMaps` (bool, `[JsonRequired]`) — no default; missing → 400
 - `CreateTilesZip` (bool, `[JsonRequired]`) — no default; cross-field invariant requires `requestMaps=true` when `true`
 ### RouteResponse
 API response for route queries.
@@ -71,12 +78,14 @@ API response for route queries.
 - `MapsReady` (bool), `TilesZipPath` (string?)
 ### GeofencePolygon
-Axis-aligned bounding box defined by NW and SE corners.
+Axis-aligned bounding box defined by NW and SE corners. AZ-809 (cycle 8) marked both corners `[JsonRequired]` so a partially-specified polygon (just `northWest`, no `southEast`, or vice-versa) is rejected at the deserializer layer.
- `NorthWest` (GeoPoint?), `SouthEast` (GeoPoint?)
+- `NorthWest` (GeoPoint?, `[JsonRequired]`, JSON: `"northWest"`)
 - `SouthEast` (GeoPoint?, `[JsonRequired]`, JSON: `"southEast"`)
 - Cross-corner invariants (enforced by `GeofencePolygonValidator`): `NW.Lat > SE.Lat` (NW is north-of SE) and `NW.Lon < SE.Lon` (NW is west-of SE). Equal corners fail both invariants with `errors["geofences.polygons[i].northWest"]`.
 ### Geofences
-Container for multiple geofence polygons.
+Container for multiple geofence polygons. AZ-809 (cycle 8) marked `Polygons` `[JsonRequired]` so an empty `geofences: {}` envelope is rejected.
- `Polygons` (List\<GeofencePolygon\>)
+- `Polygons` (List\<GeofencePolygon\>, `[JsonRequired]`, JSON: `"polygons"`) — at least 1 polygon when `geofences` is present (validator rule, not deserializer rule).
 ### UavTileMetadata (added AZ-488, extended AZ-503)
 Per-tile metadata payload inside a UAV batch upload (`POST /api/satellite/upload`). Indexed-correlated with the multipart `IFormFileCollection`.
@@ -177,12 +177,13 @@ sequenceDiagram
 ### Description
-Client submits a route (ordered waypoints + optional geofence polygons). The service interpolates intermediate points every ~200m and persists the full point set.
+Client submits a route (ordered waypoints + optional geofence polygons). The service interpolates intermediate points every ~200m and persists the full point set. The wire-format contract is `_docs/02_document/contracts/api/route-creation.md` v1.0.0; failure responses follow `error-shape.md` v1.0.0.
 ### Preconditions
- At least 2 waypoints provided
+- JWT in `Authorization: Bearer <token>` validates against the API's signing key, issuer, and audience (`.RequireAuthorization()`).
- Valid geofence polygons (if provided)
+- Request body deserializes successfully: all `[JsonRequired]` axes present (`id`, `name`, `regionSizeMeters`, `zoomLevel`, `points`, `requestMaps`, `createTilesZip`, plus per-point `lat`/`lon`, per-polygon `northWest`/`southEast`, per-corner `lat`/`lon`, `geofences.polygons` when `geofences` present); no unknown root or nested fields (`UnmappedMemberHandling.Disallow`).
 - `CreateRouteRequestValidator` rules pass: non-zero `id`, name length \[1, 200\], description length ≤ 1000, `regionSizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\], `points` count ∈ \[2, 500\] with each point's lat/lon in range, per-polygon corner ranges + NW-of-SE invariants, `createTilesZip ⇒ requestMaps`.
 ### Sequence Diagram
@@ -190,26 +191,33 @@ Client submits a route (ordered waypoints + optional geofence polygons). The ser
 sequenceDiagram
    participant Client
    participant WebApi
    participant ValidationFilter
    participant RouteService
    participant RouteRepo
    participant GeoUtils
-    Client->>WebApi: POST /api/satellite/route {points, geofences, options}
+    Client->>WebApi: POST /api/satellite/route {id, name, points, geofences?, ...}
    WebApi->>ValidationFilter: .WithValidation<CreateRouteRequest>()
    alt validation fails
        ValidationFilter-->>Client: 400 ValidationProblemDetails (errors{path→msg})
    else validation passes
        WebApi->>RouteService: CreateRoute(request)
        RouteService->>GeoUtils: Interpolate points between waypoints
        GeoUtils-->>RouteService: All points (original + intermediate)
        RouteService->>RouteRepo: InsertRoute(RouteEntity)
        RouteService->>RouteRepo: InsertPoints(RoutePointEntities)
        RouteService-->>WebApi: RouteResponse
-    WebApi-->>Client: 200 OK {route_id, total_points, total_distance}
+        WebApi-->>Client: 200 OK {id, totalPoints, totalDistanceMeters, ...}
    end
 ```
 ### Error Scenarios
 | Error | Where | Detection | Recovery |
 |-------|-------|-----------|----------|
-| Invalid points (< 2) | Validation | Count check | Return 400 |
+| Missing `[JsonRequired]` axis / unknown field / type mismatch | Deserializer | `JsonException` → `GlobalExceptionHandler` | Return 400 `ValidationProblemDetails` (per `error-shape.md` v1.0.0) |
-| DB insert failure | Persist step | Exception | Return 500 |
+| Validator rule violation (range, count, cross-field) | `ValidationEndpointFilter<CreateRouteRequest>` | `CreateRouteRequestValidator` + nested `RoutePointValidator` / `GeofencePolygonValidator` | Return 400 with `errors{path→msg}` map |
 | DB insert failure | Persist step | Exception | Return 500 (sanitised body + correlationId per AZ-353) |
 ---
@@ -37,9 +37,9 @@
 ## BT-06: Simple Route Creation (2 points)
-**Trigger**: POST /api/satellite/route with 2 waypoints (48.276067,37.384458) → (48.270740,37.374029), regionSize=500, zoom=18
+**Trigger**: POST /api/satellite/route with id=`<new-Guid>`, name=`<unique>`, 2 waypoints (48.276067,37.384458) → (48.270740,37.374029), regionSizeMeters=500, zoomLevel=18, requestMaps=false, createTilesZip=false. Post-AZ-809 (cycle 8) every `[JsonRequired]` axis must be present — see `_docs/02_document/contracts/api/route-creation.md` v1.0.0.
-**Expected**: Route created with interpolated intermediate points
+**Expected**: HTTP 200 + route created with interpolated intermediate points.
-**Pass criterion**: totalPoints > 2; every point spacing ≤ 200m; first point type="original"; last point type="original"; intermediates type="intermediate"
+**Pass criterion**: totalPoints > 2; every point spacing ≤ 200m; first point type="original"; last point type="original"; intermediates type="intermediate".
 ## BT-07: Route Retrieval by ID
@@ -98,21 +98,24 @@
 ## BT-N03: Route with < 2 Points
-**Trigger**: POST /api/satellite/route with only 1 point
+**Trigger**: POST /api/satellite/route with only 1 point (post-AZ-809 wire format: `id`/`name`/`regionSizeMeters`/`zoomLevel`/`points`/`requestMaps`/`createTilesZip`).
-**Expected**: Validation error
+**Expected**: HTTP 400 + `ValidationProblemDetails` per `error-shape.md` v1.0.0; `errors["points"]` map entry from `CreateRouteRequestValidator`.
-**Pass criterion**: HTTP 400 or validation error message
+**Pass criterion**: HTTP 400; response body `Content-Type: application/problem+json`; `errors["points"]` mentions the `[2, 500]` count constraint.
 **AC trace**: AZ-809 AC-1 (rule 7).
-## BT-N04: Geofence with Invalid Coordinates (0,0)
+## BT-N04: Geofence with Invalid Coordinates (0,0) — superseded by AZ-809
-**Trigger**: POST /api/satellite/route with geofence NW=(0,0) SE=(0,0)
+**Trigger**: POST /api/satellite/route with geofence NW=(0,0) SE=(0,0).
-**Expected**: Validation error
+**Expected**: HTTP 400 + `ValidationProblemDetails`. Pre-AZ-809 behavior accepted (0,0) corners but caught the equal-corners case via the legacy `RouteValidator`. Post-AZ-809, `GeofencePolygonValidator` rejects equal corners because BOTH cross-field invariants (`NW.Lat > SE.Lat` and `NW.Lon < SE.Lon`) fail.
-**Pass criterion**: Error message mentioning coordinates cannot be (0,0)
+**Pass criterion**: HTTP 400; `errors["geofences.polygons[0].northWest"]` contains both the lat and lon invariant messages.
 **AC trace**: AZ-809 AC-1 (rule 9, cross-field invariant).
-## BT-N05: Geofence with Inverted Corners
+## BT-N05: Geofence with Inverted Corners — superseded by AZ-809
-**Trigger**: POST /api/satellite/route with geofence NW.lat < SE.lat
+**Trigger**: POST /api/satellite/route with geofence NW.lat < SE.lat (NW south-of SE).
-**Expected**: Validation error
+**Expected**: HTTP 400 + `ValidationProblemDetails`. Post-AZ-809 the failure surfaces at `errors["geofences.polygons[0].northWest"]` with message "\`northWest.lat\` must be greater than \`southEast.lat\` (NW is north-of SE)".
-**Pass criterion**: Error message about northWest latitude > southEast latitude
+**Pass criterion**: HTTP 400; named error key matches the wire path; message is the cross-field invariant.
 **AC trace**: AZ-809 AC-1 (rule 9).
 ---
@@ -20,9 +20,9 @@
 ## SEC-04: Malformed JSON in Route Request
-**Trigger**: POST /api/satellite/route with invalid JSON body
+**Trigger**: POST /api/satellite/route with invalid JSON body (truncated `{` or non-JSON text).
-**Expected**: Parse error returned
+**Expected**: HTTP 400 + RFC 7807 `ProblemDetails`. Post-AZ-809 (cycle 8) the failure surfaces via `GlobalExceptionHandler`'s `JsonException` branch (System.Text.Json `JsonReaderException` → `BadHttpRequestException` → 400). No stack trace leaks; correlationId present per AZ-353.
-**Pass criterion**: HTTP 400; error message indicates parsing failure; no crash
+**Pass criterion**: HTTP 400; `Content-Type: application/problem+json`; body matches `error-shape.md` v1.0.0; no internal exception type or stack frame in `detail`.
 ---
@@ -0,0 +1,67 @@
 # Batch Report
 **Batch**: 03 (cycle 8)
 **Tasks**: AZ-809 (POST /api/satellite/route strict validation)
 **Date**: 2026-05-22
 ## Task Results
 | Task | Status | Files Modified | Tests | AC Coverage | Issues |
 |------|--------|---------------|-------|-------------|--------|
 | AZ-809_route_endpoint_validation | Done | 18 files (8 new) | smoke pass (mode=smoke, exit 0); 16 integration tests + 26 validator unit tests added | 9/9 ACs covered | 1 Low (in-flight `OverridePropertyName` on deep expression — root-caused, documented, captured as advisory) |
 ## AC Test Coverage (9/9 ACs)
 | AC | Coverage |
 |----|----------|
 | AC-1 | All 14 documented rules enforced. Deserializer: missing `[JsonRequired]` axes (`id`, `name`, `regionSizeMeters`, `zoomLevel`, `points`, `requestMaps`, `createTilesZip`, per-point `lat`/`lon`, per-polygon `northWest`/`southEast`, per-corner `lat`/`lon`, `geofences.polygons`) + unknown-field rejection + type-mismatch. FluentValidation: non-zero `id`, name+description length, `regionSizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\], `points` count ∈ \[2, 500\], per-point lat/lon ranges, per-polygon NW-of-SE invariants, cross-field `createTilesZip ⇒ requestMaps`. Each rule has at least one positive + one negative integration test. |
 | AC-2 | Happy path: `CreateRouteValidationTests.HappyPath_Returns200` (well-formed body, requestMaps=false → no background side effects) returns HTTP 200. Smoke green. |
 | AC-3 | Wired via `.WithValidation<CreateRouteRequest>()` + `.Accepts<>` + `.Produces<>` + `.ProducesProblem(400)` in `Program.cs` MapPost chain. |
 | AC-4 | `[JsonRequired]` added to every non-optional axis on `CreateRouteRequest`, `RoutePoint`, `Geofences`, `GeofencePolygon`, `GeoPoint`. Tested by `EmptyBody_Returns400`, `MissingId_Returns400`, `MissingRequestMaps_Returns400`, and the nested type-mismatch `PointsLatTypeMismatch_Returns400`. |
 | AC-5 | Unit tests in `SatelliteProvider.Tests/Validators/` — `CreateRouteRequestValidatorTests.cs` (16 methods), `RoutePointValidatorTests.cs` (4 methods), `GeofencePolygonValidatorTests.cs` (6 methods). Cover each rule with positive + negative cases. |
 | AC-6 | Integration tests `SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs` — 16 methods covering happy path + 15 failure modes (one per rule); all green in smoke. |
 | AC-7 | New contract `_docs/02_document/contracts/api/route-creation.md` v1.0.0 published. References `error-shape.md` v1.0.0 + the nested DTO chain. Documents the `RoutePoint` (input `lat`/`lon`) vs `RoutePointDto` (output `latitude`/`longitude`) naming asymmetry as an advisory. |
 | AC-8 | Probe script `scripts/probe_route_validation.sh` covers happy + each failure mode via `curl`. |
 | AC-9 | `CreateRouteRequestValidator` chains `RoutePointValidator` (via `RuleForEach`) and `GeofencePolygonValidator` (via `RuleForEach` inside `When(Geofences is not null)`). Cross-field invariants on the root (`createTilesZip ⇒ requestMaps`) and per-polygon (`NW.Lat > SE.Lat`, `NW.Lon < SE.Lon`). Defence-in-depth: the legacy `RouteValidator` in `SatelliteProvider.Services.RouteManagement` still runs in the service layer as a backstop; advisory clean-up documented in `route-creation.md`. |
 ## Code Review Verdict: PASS_WITH_NOTES
 See `_docs/03_implementation/reviews/batch_03_cycle8_review.md` for the single Low finding (deep-expression `OverridePropertyName`, root-caused and documented inline).
 ## Auto-Fix Attempts: 1 (mid-batch)
 - Initial `RoutePointValidator` used `OverridePropertyName("lat")` BEFORE `.InclusiveBetween()`. Build failed with `CS0411: cannot infer type arguments for OverridePropertyName<T, TProperty>` because FluentValidation's `OverridePropertyName` extension is defined on `IRuleBuilderOptions<T, TProperty>` — the type only becomes inferable after the first concrete rule (which supplies `TProperty`). Reordered to chain after `InclusiveBetween().WithMessage(...).OverridePropertyName(...)`. Documented in-file so the chain order is not "simplified" by a future reader.
 - Initial `CreateRouteRequestValidator` used `RuleFor(req => req.Geofences!.Polygons)` and `RuleForEach(req => req.Geofences!.Polygons)` without `OverridePropertyName`. Smoke run unit tests failed: error keys came out as `polygons` and `polygons[0].northWest` (leaf-only), not the full wire path `geofences.polygons` / `geofences.polygons[0].northWest`. Root cause: FluentValidation's default property-name policy drops the parent on deep member expressions. Fix: chain `.OverridePropertyName("geofences.polygons")` on both `RuleFor` and `RuleForEach` rules; documented inline. Smoke re-run after fix: all green.
 ## Stuck Agents: None
 ## Files Modified
 ### AZ-809 (route-creation validator)
 | Path | Kind |
 |------|------|
 | `SatelliteProvider.Common/DTO/CreateRouteRequest.cs` | `[JsonRequired]` on id/name/regionSizeMeters/zoomLevel/points/requestMaps/createTilesZip |
 | `SatelliteProvider.Common/DTO/RoutePoint.cs` | `[JsonRequired]` on Latitude/Longitude |
 | `SatelliteProvider.Common/DTO/GeofencePolygon.cs` | `[JsonRequired]` on NorthWest/SouthEast in `GeofencePolygon`; `[JsonRequired]` on `Polygons` in `Geofences` |
 | `SatelliteProvider.Common/DTO/GeoPoint.cs` | `[JsonRequired]` on Lat/Lon |
 | `SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs` | **NEW** — root validator with `RuleForEach` chaining + `OverridePropertyName` on the geofences chain |
 | `SatelliteProvider.Api/Validators/RoutePointValidator.cs` | **NEW** — per-point lat/lon range; `OverridePropertyName("lat"/"lon")` aligns error keys with the wire format |
 | `SatelliteProvider.Api/Validators/GeofencePolygonValidator.cs` | **NEW** — per-polygon corner range checks + NW-of-SE invariants |
 | `SatelliteProvider.Api/Program.cs` | `.WithValidation<CreateRouteRequest>()` + `.Accepts<>` + `.Produces<>` + `.ProducesProblem(400)` on the route POST endpoint |
 | `SatelliteProvider.Tests/Validators/CreateRouteRequestValidatorTests.cs` | **NEW** — 16 unit tests |
 | `SatelliteProvider.Tests/Validators/RoutePointValidatorTests.cs` | **NEW** — 4 unit tests |
 | `SatelliteProvider.Tests/Validators/GeofencePolygonValidatorTests.cs` | **NEW** — 6 unit tests |
 | `SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs` | **NEW** — 16 integration tests (happy + 15 failure modes) |
 | `SatelliteProvider.IntegrationTests/Program.cs` | Wired into smoke + full suites |
 | `scripts/probe_route_validation.sh` | **NEW** — curl probes for every failure mode + happy path |
 | `_docs/02_document/contracts/api/route-creation.md` | **NEW** v1.0.0 — contract doc with nested DTO chain + test-cases table |
 | `_docs/02_document/modules/api_program.md` | CreateRoute handler + Api/Validators (added AZ-809 section) |
 | `_docs/02_document/modules/common_dtos.md` | DTO descriptions updated with `[JsonRequired]` annotations |
 | `_docs/02_document/system-flows.md` | F4 (Route Creation) sequence diagram + Preconditions + Error Scenarios |
 | `_docs/02_document/tests/blackbox-tests.md` | BT-06 wire format clarification; BT-N03/BT-N04/BT-N05 references AZ-809 + error-shape contract |
 | `_docs/02_document/tests/security-tests.md` | SEC-04 references AZ-809 + GlobalExceptionHandler path |
 ## Tracker
 - AZ-809: To Do → In Progress (batch 3 start) → **In Testing** (post-smoke).
 ## Next Batch
 Batch 4: AZ-810 — UAV upload metadata validator (multipart envelope). The envelope shape is different from batch 2/3 (multipart vs JSON body), so the validator wiring is via the existing per-item `IUavTileQualityGate` + a new envelope-level FluentValidation rule set on `UavTileBatchMetadataPayload`. Defer non-trivial design choices (whether to keep the cycle-2 in-handler envelope checks as-is or migrate them) to the implementation step.
@@ -0,0 +1,134 @@
 # Code Review Report
 **Batch**: 03 (cycle 8)
 **Tasks**: AZ-809 (POST /api/satellite/route strict validation)
 **Date**: 2026-05-22
 **Verdict**: PASS_WITH_NOTES
 ## Findings
 | # | Severity | Category | File:Line | Title |
 |---|----------|----------|-----------|-------|
 | 1 | Low | API alignment | `SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs:68-77` | `OverridePropertyName` is required on deep expressions because FluentValidation drops the parent path on `req.Geofences!.Polygons` |
 | 2 | Info | Defence-in-depth | `SatelliteProvider.Services.RouteManagement/RouteValidator.cs` (existing) | Service-layer `RouteValidator` is now strictly weaker than the cycle-8 `CreateRouteRequestValidator` and could be deleted, but is retained as a defence-in-depth backstop |
 | 3 | Info | Wire-shape asymmetry | `SatelliteProvider.Common/DTO/RoutePoint.cs` (input) vs `SatelliteProvider.Common/DTO/RoutePointDto.cs` (output) | The input wire uses short OSM `lat`/`lon`; the response wire uses long `latitude`/`longitude`. Pre-existing — AZ-809 documented but did not unify |
 ### Finding Details
 **F1: `OverridePropertyName` is mandatory on the geofences chain** (Low / API alignment)
 - Location: `SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs:68-77` and `SatelliteProvider.Api/Validators/RoutePointValidator.cs:30-40`.
 - Description: FluentValidation's default property-name policy drops the parent on deep member expressions like `req => req.Geofences!.Polygons`. Without `OverridePropertyName("geofences.polygons")`, the error keys emitted are leaf-only (`polygons`, `polygons[0].northWest`) instead of the full wire path the spec mandates (`geofences.polygons`, `geofences.polygons[0].northWest`). The fix lives in code AND in a comment explaining WHY; without the comment a future reader would "simplify" the rule chain and silently break wire compatibility. Same pattern applies to `RoutePointValidator` where C# property `Latitude` must surface as wire `lat` — handled by `OverridePropertyName` chained AFTER the first concrete rule (a generic-type-inference quirk: the extension is defined on `IRuleBuilderOptions<T, TProperty>`, which only becomes inferable after the first `.InclusiveBetween()` etc.).
 - Suggestion: NONE — rationale captured in code comments AND in `api_program.md::Api/Validators` so the next reader cannot break it by accident.
 - Task: AZ-809
 **F2: Service-layer `RouteValidator` retained as defence-in-depth** (Info / Defence-in-depth)
 - Location: `SatelliteProvider.Services.RouteManagement/RouteValidator.cs`.
 - Description: The pre-cycle-8 service-layer validator (`RouteValidator`) covered approximately the same surface as the new `CreateRouteRequestValidator` (id non-empty, points count ≥ 2, geofence corner sanity). Now that the API layer rejects every invalid request before the service runs, `RouteValidator` is strictly redundant for HTTP-driven paths. It is, however, also called from the route processing service (background queue) where some bypass path could in principle smuggle an invalid payload — keeping it as a backstop costs ~30 lines and one extra unit-test pass. Removal is tracked as an advisory in `route-creation.md` ("Validator Cleanup Advisory") so the next cycle can decide whether to consolidate.
 - Suggestion: Defer to a follow-up PBI. Do NOT delete in this batch.
 - Task: AZ-809
 **F3: Input/output naming asymmetry on route points** (Info / Wire-shape asymmetry)
 - Location: `SatelliteProvider.Common/DTO/RoutePoint.cs` (input) vs `SatelliteProvider.Common/DTO/RoutePointDto.cs` (output).
 - Description: Request points use `[JsonPropertyName("lat")]` / `[JsonPropertyName("lon")]`; response points serialize the underlying C# `Latitude`/`Longitude` properties verbatim. This asymmetry existed before cycle 8. AZ-809 documents it in `route-creation.md` v1.0.0 and `common_dtos.md`, but does not unify because changing the response wire would be a breaking change to existing clients of `GET /api/satellite/route/{id}`. Tracked as an advisory.
 - Suggestion: Open a successor PBI to consider unifying via a `lat`/`lon` rename on `RoutePointDto` (would be a v2.0.0 of `route-creation.md`).
 - Task: AZ-809
 ## Phase Summary
 | Phase | Outcome |
 |-------|---------|
 | 1. Context Loading | Read AZ-809 spec, `_docs/02_document/contracts/api/region-request.md` (batch-2 pattern), `_docs/02_document/contracts/api/error-shape.md` (failure shape), and the cycle-7 + cycle-8 (batch-2) validation infra. The route endpoint differs from batch-2 endpoints because it has nested DTOs (RoutePoint, Geofences/GeofencePolygon/GeoPoint) requiring child validators. |
 | 2. Spec Compliance | All 9 ACs ✓. New `CreateRouteRequestValidator` covers the 14 documented rules across deserializer-layer + validator-layer. Nested `RoutePointValidator` + `GeofencePolygonValidator` co-validators wired via `RuleForEach.SetValidator(...)`. Cross-field invariants enforced at both the root (`createTilesZip ⇒ requestMaps`) and per-polygon (`NW.Lat > SE.Lat`, `NW.Lon < SE.Lon`). New contract `route-creation.md` v1.0.0 published. 16 integration tests + 26 unit tests cover happy path + each rule + missing-required + type-mismatch + cross-field. Probe script exercises every failure mode via `curl`. |
 | 3. Code Quality | Mechanical patterns followed; three new validators are minimal and SRP-clean. The `OverridePropertyName` requirement on deep expressions (F1) is non-obvious and was discovered via failing unit tests + diagnostic instrumentation; the workaround is captured in both code comments and module docs so it cannot be silently regressed. `RoutePointValidator` and `GeofencePolygonValidator` are file-private — inner `GeoCornerValidator` is nested inside `GeofencePolygonValidator` because the polygon corners are its only consumer; if a future sibling endpoint needs point-shape validation, the spec says to promote and rename. |
 | 4. Security | Validators run BEFORE any DB work (route persistence, intermediate-point computation, queue enqueue). The cross-field invariants prevent NaN-geometry payloads from reaching the GeoUtils interpolator (which is not designed for NW=SE corners). No SQL injection vectors, no hardcoded secrets, no PII in logs. JWT auth retained on the endpoint. Probe script tests `?debug=1` / extra root fields → all rejected. |
 | 5. Performance | Validators run synchronously against in-memory record fields — negligible cost (microseconds) vs the route's interpolation pass + DB inserts. Even worst-case `points.Count = 500` with all `geofences.polygons.Count` runs ~500 microsecond. No N+1, no blocking I/O. |
 | 6. Cross-Task Consistency | Uses the same `ValidationEndpointFilter<T>` infra from cycle 7 + batch-2 of cycle 8 and the shared `ProblemDetailsAssertions.AssertErrorsContainsMention`. Error keys follow the same camelCase JSON-path policy (`points[i].lat`, `geofences.polygons[i].northWest`) per `error-shape.md` v1.0.0 Inv-4. All produce identically-shaped `ValidationProblemDetails` bodies. |
 | 7. Architecture Compliance | Route DTOs live in `SatelliteProvider.Common/DTO/` (shared with the service layer + integration tests). Validators co-located with the API at `SatelliteProvider.Api/Validators/`. No layering violations. The service-layer `RouteValidator` retention is documented as defence-in-depth (F2). No cycles, no public-API bypasses, no ADR breaches. |
 ## Files Reviewed
 ### AZ-809 (route-creation validator)
 - `SatelliteProvider.Common/DTO/CreateRouteRequest.cs` — `[JsonRequired]` on every non-optional axis. Removed implicit defaults so callers cannot rely on them.
 - `SatelliteProvider.Common/DTO/RoutePoint.cs` — `[JsonRequired]` on Latitude/Longitude.
 - `SatelliteProvider.Common/DTO/GeofencePolygon.cs` — `[JsonRequired]` on `NorthWest`/`SouthEast` in `GeofencePolygon`; `[JsonRequired]` on `Polygons` in `Geofences`.
 - `SatelliteProvider.Common/DTO/GeoPoint.cs` — `[JsonRequired]` on Lat/Lon (used by `GeofencePolygon` corners).
 - `SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs` — **NEW** — 7 root rules (id non-empty + 4 range rules + points count + cross-field) plus `RuleForEach(req => req.Points).SetValidator(...)` and `RuleForEach(req => req.Geofences!.Polygons).SetValidator(...).OverridePropertyName(...)` for nested chains.
 - `SatelliteProvider.Api/Validators/RoutePointValidator.cs` — **NEW** — `OverridePropertyName("lat"/"lon")` chained AFTER `.InclusiveBetween()` so the type parameter is inferable.
 - `SatelliteProvider.Api/Validators/GeofencePolygonValidator.cs` — **NEW** — `CascadeMode.Stop` + `NotNull` + nested `GeoCornerValidator` for per-corner ranges; cross-field `Must` rules `.WithName("northWest")` for the invariant errors.
 - `SatelliteProvider.Api/Program.cs` (lines around `MapPost("/api/satellite/route", ...)`) — added `.WithValidation<CreateRouteRequest>()`, `.Accepts<>`, `.Produces<>`, `.ProducesProblem()`.
 - `SatelliteProvider.Tests/Validators/CreateRouteRequestValidatorTests.cs` — **NEW** — Theory + Fact coverage for each rule, positive and negative; 16 methods. Diagnostic-led: two assertions were converted from `polygons` / `polygons[0].northWest` to `geofences.polygons` / `geofences.polygons[0].northWest` after `OverridePropertyName` was added.
 - `SatelliteProvider.Tests/Validators/RoutePointValidatorTests.cs` — **NEW** — 4 methods (lat/lon range, positive + negative).
 - `SatelliteProvider.Tests/Validators/GeofencePolygonValidatorTests.cs` — **NEW** — 6 methods incl. NotNull on corners, range on corners, NW-of-SE invariants.
 - `SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs` — **NEW** — Happy + empty body + missing/zero GUID + 4 out-of-range + insufficient-points + per-point lat/lon out-of-range + geofence invariant + missing-requestMaps + cross-field createTilesZip + unknown-root + nested type-mismatch = 16 methods.
 - `SatelliteProvider.IntegrationTests/Program.cs` — wired `CreateRouteValidationTests.RunAll` into smoke + full suites.
 - `scripts/probe_route_validation.sh` — **NEW** — curl probes for every failure mode + happy path.
 - `_docs/02_document/contracts/api/route-creation.md` — **NEW** — v1.0.0 contract (no prior version existed). Includes the nested DTO chain + invariants + per-field test cases table + advisory on the legacy `RouteValidator` + the input/output naming asymmetry.
 - `_docs/02_document/modules/api_program.md` — `CreateRoute Handler` section added; `Api/Validators` section bumped to AZ-808/AZ-809/AZ-811.
 - `_docs/02_document/modules/common_dtos.md` — `CreateRouteRequest`/`RoutePoint`/`Geofences`/`GeofencePolygon`/`GeoPoint` descriptions updated with `[JsonRequired]` markers and constraint summaries.
 - `_docs/02_document/system-flows.md::F4` — sequence diagram extended with the validation-filter branch; preconditions + error scenarios reference the new contract.
 - `_docs/02_document/tests/blackbox-tests.md::BT-06/BT-N03/BT-N04/BT-N05` — triggers and pass criteria align with the new wire format + named error keys.
 - `_docs/02_document/tests/security-tests.md::SEC-04` — references `GlobalExceptionHandler`'s JsonException branch + AZ-353 correlationId.
 ## Test Evidence
 `./scripts/run-tests.sh --smoke` (`integration-tests` container exit code 0):
 ```
 Test: POST /api/satellite/route strict validation (AZ-809)
 ==========================================================
 AZ-809 AC-2: well-formed body → HTTP 200 (no background processing — requestMaps=false)
  ✓ Well-formed body accepted with HTTP 200
 AZ-809 rule 1: empty body → HTTP 400
  ✓ Empty body rejected with HTTP 400
 AZ-809 rule 2 (probe-confirmed gap): missing `id` → HTTP 400 (no silent zero-Guid coercion)
  ✓ Missing `id` rejected with HTTP 400 (no silent coercion)
 AZ-809 rule 2: zero-Guid `id` → HTTP 400
  ✓ Zero-Guid `id` rejected with errors["id"]
 AZ-809 rule 3: empty `name` → HTTP 400
  ✓ Empty `name` rejected with errors["name"]
 AZ-809 rule 5: `regionSizeMeters` out of range (100..10000) → HTTP 400
  ✓ `regionSizeMeters=1000000` rejected with errors["regionSizeMeters"]
 AZ-809 rule 6: `zoomLevel` out of range (0..22) → HTTP 400
  ✓ `zoomLevel=30` rejected with errors["zoomLevel"]
 AZ-809 rule 7: `points` count < 2 → HTTP 400
  ✓ `points` count=1 rejected with errors["points"]
 AZ-809 rule 8: per-point `lat` out of range → HTTP 400 (errors[points[i].lat])
  ✓ `points[1].lat=91` rejected with errors["points[1].lat"]
 AZ-809 rule 8: per-point `lon` out of range → HTTP 400 (errors[points[i].lon])
  ✓ `points[1].lon=181` rejected with errors["points[1].lon"]
 AZ-809 rule 9: geofence NW.lat <= SE.lat → HTTP 400 (cross-field invariant)
  ✓ NW.lat <= SE.lat rejected by cross-field invariant
 AZ-809 rule 10: missing `requestMaps` → HTTP 400 (no defaulting)
  ✓ Missing `requestMaps` rejected
 AZ-809 rule 12: `createTilesZip=true` AND `requestMaps=false` → HTTP 400 (cross-field invariant)
  ✓ `createTilesZip=true requestMaps=false` rejected by cross-field invariant
 AZ-809 rule 13: unknown root field → HTTP 400 (UnmappedMemberHandling.Disallow)
  ✓ Unknown root field `debug` rejected with errors mention
 AZ-809 rule 14: nested type mismatch (`points[0].lat` as string) → HTTP 400
  ✓ `points[0].lat:"fifty"` rejected with HTTP 400
 ✓ Create-route validation tests: PASSED
 ```
 `=== All tests passed (mode=smoke) ===` — no regressions in cycle-7 inventory or batch-1/batch-2 cycle-8 (AZ-812/AZ-808/AZ-811) tests, no regressions in the migration/leaflet/route/tile/security suites.
 ## Verdict Logic
 - No Critical, no High, no Medium findings.
 - 1 Low finding (F1) — the `OverridePropertyName` requirement is captured in code comments + module docs; not a regression, but worth flagging so it cannot be silently regressed.
 - 2 Info findings (F2 defence-in-depth retention, F3 input/output naming asymmetry) — both pre-existing, documented as advisories for a follow-up PBI.
 - **PASS_WITH_NOTES**.
@@ -8,7 +8,7 @@ status: in_progress
 sub_step:
  phase: 7
  name: batch-loop
-  detail: "batch 2 of 4 complete (AZ-808 + AZ-811 In Testing); next: batch 3 = AZ-809 route validator"
+  detail: "batch 3 of 4 complete (AZ-809 In Testing); next: batch 4 = AZ-810 UAV upload metadata validator"
 retry_count: 0
 cycle: 8
 tracker: jira
@@ -0,0 +1,194 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # Manual end-to-end probe for POST /api/satellite/route strict validation
 # (AZ-809). Each failure call should return HTTP 400 with an
 # `application/problem+json` body. The happy path should return HTTP 200.
 #
 # Two enforcement layers:
 #   1. UnmappedMemberHandling.Disallow + [JsonRequired] — deserializer rejects
 #      missing-required and unknown fields with errors via GlobalExceptionHandler.
 #   2. WithValidation<CreateRouteRequest> — runs CreateRouteRequestValidator +
 #      RoutePointValidator + GeofencePolygonValidator (range, count, cross-field).
 #
 # Usage:
 #   API_URL=https://localhost:8080 JWT="<bearer-token>" ./scripts/probe_route_validation.sh
 API_URL="${API_URL:-https://localhost:8080}"
 JWT="${JWT:-}"
 ENDPOINT="${API_URL%/}/api/satellite/route"
 if [[ -z "${JWT}" ]]; then
    echo "ERROR: set JWT env var to a bearer token. Mint one via:"
    echo "  dotnet run --project SatelliteProvider.IntegrationTests -- --mint-only"
    exit 2
 fi
 curl_args=(-sS -k -H "Authorization: Bearer ${JWT}" -H "Content-Type: application/json")
 probe() {
    local label="$1"
    local body="$2"
    local expected_status="$3"
    echo "----- ${label} (expecting HTTP ${expected_status}) -----"
    local response
    response=$(curl "${curl_args[@]}" -X POST -d "${body}" "${ENDPOINT}" -w "\nHTTP_STATUS=%{http_code}\n")
    echo "${response}"
    local actual_status
    actual_status=$(echo "${response}" | tail -n 1 | sed 's/HTTP_STATUS=//')
    if [[ "${actual_status}" != "${expected_status}" ]]; then
        echo "FAIL: expected HTTP ${expected_status}, got ${actual_status}"
        return 1
    fi
    echo "OK: HTTP ${expected_status}"
    echo
 }
 route_id=$(uuidgen | tr '[:upper:]' '[:lower:]')
 probe "happy-path-no-maps" '{
  "id": "'"${route_id}"'",
  "name": "probe-route-1",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 },
    { "lat": 50.11, "lon": 36.11 }
  ],
  "requestMaps": false,
  "createTilesZip": false
 }' 200
 # Rule 2: missing id (probe-confirmed gap)
 probe "missing-id" '{
  "name": "probe-missing-id",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 },
    { "lat": 50.11, "lon": 36.11 }
  ],
  "requestMaps": false,
  "createTilesZip": false
 }' 400
 # Rule 2: zero-Guid id
 probe "zero-guid-id" '{
  "id": "00000000-0000-0000-0000-000000000000",
  "name": "probe-zero-id",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 },
    { "lat": 50.11, "lon": 36.11 }
  ],
  "requestMaps": false,
  "createTilesZip": false
 }' 400
 # Rule 3: empty name
 probe "empty-name" '{
  "id": "'$(uuidgen | tr '[:upper:]' '[:lower:]')'",
  "name": "",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 },
    { "lat": 50.11, "lon": 36.11 }
  ],
  "requestMaps": false,
  "createTilesZip": false
 }' 400
 # Rule 7: points too few (1)
 probe "points-too-few" '{
  "id": "'$(uuidgen | tr '[:upper:]' '[:lower:]')'",
  "name": "probe-1-point",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 }
  ],
  "requestMaps": false,
  "createTilesZip": false
 }' 400
 # Rule 8: nested point lat out of range
 probe "point-lat-out-of-range" '{
  "id": "'$(uuidgen | tr '[:upper:]' '[:lower:]')'",
  "name": "probe-point-lat",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 },
    { "lat": 91.0,  "lon": 36.11 }
  ],
  "requestMaps": false,
  "createTilesZip": false
 }' 400
 # Rule 9: geofence NW not north-of SE (cross-field invariant)
 probe "geofence-nw-not-north" '{
  "id": "'$(uuidgen | tr '[:upper:]' '[:lower:]')'",
  "name": "probe-geofence-inverted",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 },
    { "lat": 50.11, "lon": 36.11 }
  ],
  "geofences": {
    "polygons": [
      { "northWest": { "lat": 50.05, "lon": 36.05 },
        "southEast": { "lat": 50.05, "lon": 36.15 } }
    ]
  },
  "requestMaps": false,
  "createTilesZip": false
 }' 400
 # Rule 12: cross-field createTilesZip without requestMaps
 probe "createTilesZip-without-requestMaps" '{
  "id": "'$(uuidgen | tr '[:upper:]' '[:lower:]')'",
  "name": "probe-cross-field",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 },
    { "lat": 50.11, "lon": 36.11 }
  ],
  "requestMaps": false,
  "createTilesZip": true
 }' 400
 # Rule 13: unknown root field
 probe "unknown-root-field" '{
  "id": "'$(uuidgen | tr '[:upper:]' '[:lower:]')'",
  "name": "probe-unknown",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": 50.10, "lon": 36.10 },
    { "lat": 50.11, "lon": 36.11 }
  ],
  "requestMaps": false,
  "createTilesZip": false,
  "debug": "fingerprint-probe"
 }' 400
 # Rule 14: nested type mismatch
 probe "point-lat-type-mismatch" '{
  "id": "'$(uuidgen | tr '[:upper:]' '[:lower:]')'",
  "name": "probe-type-mismatch",
  "regionSizeMeters": 1000,
  "zoomLevel": 18,
  "points": [
    { "lat": "fifty", "lon": 36.10 },
    { "lat": 50.11,   "lon": 36.11 }
  ],
  "requestMaps": false,
  "createTilesZip": false
 }' 400
 echo "All probes passed."