[AZ-1074] [AZ-1075] Cycle 9 closeout: security, tests, metrics

Resolve F-AZ1074-1/2 (collection caps, generic gRPC internal errors).
Standalone integration compose stack, docs, security audit, perf and retro.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/05_security/owasp_review_cycle9.md

@@ -0,0 +1,22 @@
+# OWASP Top 10 Review (Cycle 9)
+
+**Date**: 2026-06-25
+**Framework**: OWASP Top 10:2021
+**Scope**: Cycle-9 gRPC delta (AZ-1074/AZ-1075)
+
+| Category | Status (cycle-9 delta) | Notes |
+|----------|------------------------|-------|
+| A01 — Broken Access Control | **PASS** | `[Authorize]` on gRPC service; anonymous calls rejected (integration tests cover JWT baseline) |
+| A02 — Cryptographic Failures | **N/A** | TLS via Kestrel dev cert / production ingress — unchanged pattern from AZ-505 |
+| A03 — Injection | **PASS** | No new string-built SQL; tile coords validated before expand |
+| A04 — Insecure Design | **PASS (post-follow-up)** | F-AZ1074-1 unbounded collections **resolved** — caps aligned with REST |
+| A05 — Security Misconfiguration | **PASS** | gRPC message size limits set; test compose no longer publishes DB port to host |
+| A06 — Vulnerable Components | **PASS_WITH_WARNINGS** | New Grpc.AspNetCore 2.71.0 clean; D-AZ795-1 + D2-cy4 carry-overs |
+| A07 — Auth Failures | **PASS** | Same JWT contract as REST; gRPC metadata `Authorization: Bearer` |
+| A08 — Data Integrity Failures | **N/A** | No CI/CD or signing changes |
+| A09 — Logging Failures | **PASS_WITH_WARNINGS** | F-AZ1074-2 **resolved**; F-AZ795-1/F-AZ795-2 REST carry-overs still open |
+| A10 — SSRF | **N/A** | No URL inputs in gRPC contract |
+
+## Verdict
+
+**PASS_WITH_WARNINGS** cumulative (REST carry-overs). Cycle-9 delta: **PASS** after Step-14 follow-up fixes.