[AZ-1074] [AZ-1075] Cycle 9 closeout: security, tests, metrics

Resolve F-AZ1074-1/2 (collection caps, generic gRPC internal errors).
Standalone integration compose stack, docs, security audit, perf and retro.

Co-authored-by: Cursor <cursoragent@cursor.com>

docker-compose.tests.yml

@@ -1,24 +1,47 @@
 services:
   postgres:
-    extends:
-      file: docker-compose.yml
-      service: postgres
+    image: postgres:16
+    container_name: satellite-provider-postgres
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_DB: satelliteprovider
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
 
   api:
-    extends:
-      file: docker-compose.yml
-      service: api
+    platform: linux/amd64
+    build:
+      context: .
+      dockerfile: SatelliteProvider.Api/Dockerfile
+    container_name: satellite-provider-api
+    environment:
+      - ASPNETCORE_ENVIRONMENT=Development
+      - ASPNETCORE_URLS=https://+:8080
+      - ASPNETCORE_Kestrel__Certificates__Default__Path=/app/certs/api.pfx
+      - ASPNETCORE_Kestrel__Certificates__Default__Password=satellite-dev-cert
+      - ConnectionStrings__DefaultConnection=Host=postgres;Port=5432;Database=satelliteprovider;Username=postgres;Password=postgres
+      - MapConfig__ApiKey=${GOOGLE_MAPS_API_KEY}
+      - JWT_SECRET=${JWT_SECRET}
+      - JWT_ISSUER=${JWT_ISSUER}
+      - JWT_AUDIENCE=${JWT_AUDIENCE}
+    volumes:
+      - ./tiles:/app/tiles
+      - ./ready:/app/ready
+      - ./logs:/app/logs
+      - ./certs/api.pfx:/app/certs/api.pfx:ro
+    depends_on:
+      postgres:
+        condition: service_healthy
 
   integration-tests:
     build:
       context: .
       dockerfile: SatelliteProvider.IntegrationTests/Dockerfile
     container_name: satellite-provider-integration-tests
-    # AZ-505 AC-5: API now serves HTTPS for HTTP/2 via ALPN. The matching
-    # public cert is mounted into /usr/local/share/ca-certificates so the
-    # Dockerfile entrypoint can register it with update-ca-certificates
-    # before tests run. After that every HttpClient trusts it transparently
-    # — no per-test handler shim is required.
     environment:
       - API_URL=https://api:8080
       - INTEGRATION_TESTS_MODE=${INTEGRATION_TESTS_MODE:-full}
@@ -32,8 +55,6 @@ services:
       - ./ready:/app/ready
       - ./tiles:/app/tiles
       - ./certs/api.crt:/usr/local/share/ca-certificates/satellite-provider-dev.crt:ro
-    # AZ-505 AC-5: register the dev CA at runtime so HttpClient trusts the API.
-    # update-ca-certificates picks up everything under /usr/local/share/ca-certificates/.
     entrypoint:
       - /bin/sh
       - -c
@@ -47,4 +68,3 @@ services:
 
 volumes:
   postgres_data:
-