[AZ-809] F-AZ809-1: cap geofences.polygons at 50 (security audit)

Closes the cycle-8 Medium DoS finding. Without the cap, an
authenticated caller could submit millions of bbox polygons in a
single 500 MiB request (Kestrel global limit) and saturate the
FluentValidation allocator on the validator hot path; each polygon
is ~90 bytes of JSON, so the body limit is not a useful gate.

Realistic use is 1-10 polygons per route — 50 leaves 5x headroom
while bounding the worst-case allocation.

Layers:
- CreateRouteRequestValidator: MaxPolygons = 50 + Must(...) chained
  before RuleForEach so the count error fires at "geofences.polygons"
  (not the leaf path).
- Unit: Validate_GeofencePolygonsTooMany_FailsCountRule.
- Integration: GeofencePolygonsTooMany_Returns400 (51 valid bbox
  polygons -> HTTP 400 + errors["geofences.polygons"]).
- Contract: route-creation.md -> v1.0.1 patch (tightening an
  existing range). New Inv-10, new geofence-polygons-too-many
  test case, changelog row.
- Test spec: BT-29 sub-case 9b + AZ-809 AC-1b row in the
  traceability matrix.
- Security report: F-AZ809-1 marked RESOLVED in cycle 8; verdict
  remains PASS_WITH_WARNINGS (Lows + carry-overs unchanged).

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs

@@ -49,6 +49,9 @@ public static class CreateRouteValidationTests
         // Rule 9: geofence corners + NW-of-SE invariant
         await GeofenceNwLatNotGreaterThanSeLat_Returns400(httpClient);
 
+        // Rule 9b: geofence polygon-count cap (F-AZ809-1 security-audit fix)
+        await GeofencePolygonsTooMany_Returns400(httpClient);
+
         // Rule 10/11: requestMaps + createTilesZip required
         await MissingRequestMaps_Returns400(httpClient);
 
@@ -360,6 +363,48 @@ public static class CreateRouteValidationTests
         Console.WriteLine("  ✓ NW.lat <= SE.lat rejected by cross-field invariant");
     }
 
+    private static async Task GeofencePolygonsTooMany_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 9b (security-audit F-AZ809-1): geofence polygon-count > 50 → HTTP 400");
+
+        // Arrange — 51 polygons, each valid bbox. Only the count rule should fire.
+        var routeId = Guid.NewGuid();
+        var polygonsJson = string.Join(
+            ",\n        ",
+            Enumerable
+                .Range(0, 51)
+                .Select(_ => "{ \"northWest\": { \"lat\": 50.15, \"lon\": 36.05 }, \"southEast\": { \"lat\": 50.05, \"lon\": 36.15 } }"));
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "too-many-polygons",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 50.11, "lon": 36.11 }
+              ],
+              "geofences": {
+                "polygons": [
+                  {{polygonsJson}}
+                ]
+              },
+              "requestMaps": false,
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 geofence polygons too many");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 geofence polygons too many", expectedErrorPath: "geofences.polygons");
+
+        Console.WriteLine("  ✓ 51 polygons rejected with errors[\"geofences.polygons\"] (cap is 50)");
+    }
+
     private static async Task MissingRequestMaps_Returns400(HttpClient httpClient)
     {
         Console.WriteLine();