[AZ-505] Tile inventory endpoint + HTTP/2 + Leaflet covering index

Production code:
- POST /api/satellite/tiles/inventory (XOR body, 5000-cap,
  most-recent-per-location_hash select, present/absent shaping).
- Kestrel HttpProtocols.Http1AndHttp2 on every listener (AC-5).
- Migration 015 creates tiles_leaflet_path covering index over
  (location_hash, captured_at DESC, updated_at DESC, id DESC)
  INCLUDE (file_path, source); drops superseded idx_tiles_location_hash.
- TileRepository.GetByTileCoordinatesAsync rewired to filter by
  location_hash (Index Only Scan via tiles_leaflet_path).
- TileRepository.GetTilesByLocationHashesAsync added with Npgsql-
  direct ANY($1::uuid[]) binding (Dapper IEnumerable expansion is
  incompatible with the array form).
- Uuidv5.LocationHashForTile centralises the UUIDv5(TileNamespace,
  "{z}/{x}/{y}") formula — single source of truth for the cross-repo
  invariant (gps-denied-onboard parity).

Contracts:
- New: contracts/api/tile-inventory.md v1.0.0.
- Bumped: contracts/data-access/tile-storage.md to v2.0.0 (joint
  ownership by AZ-503-foundation + AZ-505: schema + covering index +
  GetByTileCoordinatesAsync rewrite).

Tests:
- TileInventoryTests covers AC-1, AC-2 (DB-level), AC-4, AC-6.
- Http2MultiplexingTests covers AC-5 (20 concurrent multiplexed GETs
  over h2c via SocketsHttpHandler + AppContext Http2Unencrypted switch).
- LeafletPathIndexOnlyTests covers AC-3 (EXPLAIN (ANALYZE, BUFFERS)
  asserts Index Only Scan over tiles_leaflet_path with heap_blocks=0).

Docs:
- architecture.md, system-flows.md, data_model.md, module-layout.md,
  glossary.md, modules/api_program.md, modules/dataaccess_tile_repository.md,
  components/02_data_access/description.md all updated to reference the
  v2.0.0 tile-storage contract + new tile-inventory contract + AC-7.

Reports:
- batch_01_cycle6_report.md, batch_01_cycle6_review.md,
  implementation_completeness_cycle6_report.md (PASS),
  implementation_report_tile_inventory_cycle6.md.

Task spec moved todo/ -> done/.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/02_document/components/02_data_access/description.md

@@ -16,14 +16,17 @@
 | Method | Input | Output | Async | Error Types |
 |--------|-------|--------|-------|-------------|
 | `GetByIdAsync` | Guid | `TileEntity?` | Yes | NpgsqlException |
-| `GetByTileCoordinatesAsync` | zoom, x, y | `TileEntity?` (most-recent across sources, AZ-484) | Yes | NpgsqlException |
+| `GetByTileCoordinatesAsync` | zoom, x, y | `TileEntity?` (most-recent across sources/flights, AZ-505 rewired to filter on `location_hash` for `Index Only Scan` against `tiles_leaflet_path`; selection rule unchanged from AZ-484) | Yes | NpgsqlException |
 | `GetTilesByRegionAsync` | lat, lon, sizeM, zoom | `IEnumerable<TileEntity>` (one row per cell via `DISTINCT ON`, AZ-484) | Yes | NpgsqlException |
-| `InsertAsync` | `TileEntity` | Guid (per-source UPSERT, AZ-484) | Yes | NpgsqlException |
+| `GetTilesByLocationHashesAsync` | `IReadOnlyList<Guid>` location hashes | `IReadOnlyDictionary<Guid, TileEntity>` (one row per requested hash via `DISTINCT ON (location_hash)`, AZ-505) | Yes | NpgsqlException |
+| `InsertAsync` | `TileEntity` | Guid (integer-only flight-aware UPSERT, AZ-503-foundation; supersedes the AZ-484 5-column float-based UPSERT) | Yes | NpgsqlException |
 | `UpdateAsync` | `TileEntity` | int | Yes | NpgsqlException |
 | `DeleteAsync` | Guid | int | Yes | NpgsqlException |
 
 `FindExistingTileAsync` was removed by AZ-376 (replaced by direct cell lookups through `GetByTileCoordinatesAsync` + `GetTilesByRegionAsync`).
 
+`GetTilesByLocationHashesAsync` is intentionally NOT routed through Dapper. Npgsql binds `uuid[]` parameters to `ANY($1::uuid[])` queries as a single array column, while Dapper's parameter expander rewrites any `IEnumerable` parameter to a comma-separated list of scalar placeholders, producing `ANY((@p0, @p1, ...))` — which is invalid SQL. The method uses `NpgsqlCommand` with an explicit `NpgsqlParameter` typed `Array | Uuid`, and maps results manually from `NpgsqlDataReader`. This is the documented escape hatch for array-binding hot paths.
+
 ### Interface: IRegionRepository
 | Method | Input | Output | Async | Error Types |
 |--------|-------|--------|-------|-------------|
@@ -57,9 +60,10 @@
 ### Queries
 | Query | Frequency | Hot Path | Index Needed |
 |-------|-----------|----------|--------------|
-| GetByTileCoordinatesAsync (tile lookup) | Very High | Yes | `(tile_zoom, tile_x, tile_y)` |
+| GetByTileCoordinatesAsync (tile lookup, leaflet hot path) | Very High | Yes | `tiles_leaflet_path` covering index — `(location_hash, captured_at DESC, updated_at DESC, id DESC) INCLUDE (file_path, source)` (AZ-505). Target plan: `Index Only Scan` with `Heap Fetches = 0` after `VACUUM ANALYZE`. |
+| GetTilesByLocationHashesAsync (bulk inventory, AZ-505) | High | Yes | `tiles_leaflet_path` leading column. Inventory returns more columns than the INCLUDE list, so a bounded heap fetch is expected; AC-4 budget (≤ 1000 ms p95 / 2500 tiles) absorbs it. |
 | GetTilesByRegionAsync (spatial) | High | Yes | `(latitude, longitude, tile_zoom)` |
-| InsertAsync (tile per-source upsert) | High | Yes | Composite unique on `(tile_zoom, tile_x, tile_y, tile_size_meters, source, COALESCE(flight_id, '00000000-0000-0000-0000-000000000000'::uuid))` (AZ-503: `idx_tiles_unique_identity`; supersedes the AZ-484 float-based `idx_tiles_unique_location_source`) |
+| InsertAsync (tile per-source-per-flight upsert) | High | Yes | Composite unique on `(tile_zoom, tile_x, tile_y, tile_size_meters, source, COALESCE(flight_id, '00000000-0000-0000-0000-000000000000'::uuid))` (AZ-503-foundation: `idx_tiles_unique_identity`; supersedes the AZ-484 float-based `idx_tiles_unique_location_source`) |
 | GetByStatusAsync (region polling) | Medium | No | `(status)` |
 | GetRoutesWithPendingMapsAsync | Low | No | `(request_maps, maps_ready)` |
 
@@ -92,7 +96,7 @@
 - TileRepository.InsertAsync uses an integer-only, flight-aware UPSERT pattern (AZ-503; supersedes the AZ-484 5-column float-based UPSERT). Same-source same-flight re-inserts overwrite and refresh `captured_at`/`location_hash`/`content_sha256`; different sources or different flights at the same cell coexist as separate rows. `id` is intentionally NOT overwritten on conflict so it stays deterministic per AZ-503 AC-2.
 - `TileEntity.Source` is stored as a plain `string` (not the `TileSource` enum) due to Dapper issue #259 — see `_docs/LESSONS.md` L-001. Conversion happens via `SatelliteProvider.Common.Enums.TileSourceConverter`
 - AZ-503 deterministic identity: `id` is `Uuidv5(TileNamespace, "{z}/{x}/{y}/{source}/{flight_id or zero-uuid}")` and `location_hash` is `Uuidv5(TileNamespace, "{z}/{x}/{y}")`. The cross-repo `TileNamespace` constant lives in `SatelliteProvider.Common.Utils.Uuidv5` and MUST match `gps-denied-onboard/components/c6_tile_cache/_uuid.py:TILE_NAMESPACE`.
-- The frozen v1.0.0 `tile-storage` contract (`_docs/02_document/contracts/data-access/`) is the AZ-484-era spec for read-side selection invariants; the AZ-503 write-side schema change is documented inline in `dataaccess_models.md` and `dataaccess_tile_repository.md`. A v2.0.0 contract bump is deferred to AZ-505 (when the `POST /api/satellite/tiles/inventory` endpoint freezes the new identity surface for external consumers).
+- The `tile-storage` contract (`_docs/02_document/contracts/data-access/tile-storage.md`) was bumped to v2.0.0 jointly by AZ-503-foundation (identity columns + integer UPSERT, cycle 5) and AZ-505 (covering index `tiles_leaflet_path` + `location_hash`-keyed reads + bulk inventory, cycle 6). The frozen v2.0.0 spec is the authoritative read-side / write-side / index contract for external consumers; the per-method shape table above mirrors it for in-component readers.
 - No soft-delete; `DeleteAsync` is a hard delete
 
 ## 8. Dependency Graph