mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 07:01:15 +00:00
[AZ-495] [AZ-496] Cycle 3 batch 1: doc convention + AspNetCore 8.0.25
AZ-495 (1 SP): formalize the modules-only documentation convention for the WebApi component. _docs/02_document/module-layout.md now carries an explicit Documentation Layout section anchoring WebApi docs at modules/api_program.md; the components/06_web_api/ folder is intentionally absent. .cursor/skills/new-task/SKILL.md Step 4 directs future agents at the correct path. Cycle-1 + cycle-2 F1 findings in the two batch-review files are marked RESOLVED with back-reference to AZ-495. Cycle-2 retrospective decision-item list F1 updated.

AZ-496 (2 SP): bump Microsoft.AspNetCore.OpenApi and JwtBearer in SatelliteProvider.Api.csproj from 8.0.21 to 8.0.25, closing CVE-2026-26130 (SignalR DoS - not reachable in this app, but the runtime patch is the recommended hardening per cycle-1 D1 + cycle-2 D3). SatelliteProvider.Tests.csproj has no direct JwtBearer reference - it consumes JwtBearer transitively via ProjectReference to Api, so no edit needed there. Dockerfiles use floating mcr.microsoft.com/dotnet/aspnet:8.0 / sdk:8.0 / runtime:8.0 tags which auto-resolve to >= 8.0.25 on rebuild.

Security artifacts (dependency_scan.md, security_report.md) and current-state docs (module-layout.md, architecture.md, modules/api_program.md, modules/tests_unit.md) updated to reflect 8.0.25. Batch report + code review report (verdict PASS_WITH_WARNINGS with 2 Low findings, neither blocking) written under _docs/03_implementation. Test suite gate deferred to Step 16 (Final Test Run) per implement skill convention. Patch-level bump within .NET 8 LTS; regression risk very low.

Co-authored-by: Cursor <cursoragent@cursor.com>
@@ -136,9 +136,11 @@ The `<task_slug>` is a short kebab-case name derived from the feature descriptio
|
|||||||
1. Read the codebase documentation from DOCUMENT_DIR:
|
1. Read the codebase documentation from DOCUMENT_DIR:
|
||||||
- `architecture.md` — overall structure (the `## Architecture Vision` H2 is user-confirmed intent and must not be violated by the new task without explicit approval)
|
- `architecture.md` — overall structure (the `## Architecture Vision` H2 is user-confirmed intent and must not be violated by the new task without explicit approval)
|
||||||
- `glossary.md` — project terminology; reuse the user's vocabulary in task names, AC, and component references
|
- `glossary.md` — project terminology; reuse the user's vocabulary in task names, AC, and component references
|
||||||
- `components/` — component specs
|
- `components/` — component specs (one folder per Layer-3 service component)
|
||||||
|
- `modules/` — process-level documentation (Layer-4 WebApi lives in `modules/api_program.md`, not in `components/`; see `module-layout.md` § Documentation Layout — AZ-495)
|
||||||
- `system-flows.md` — data flows (if exists)
|
- `system-flows.md` — data flows (if exists)
|
||||||
- `data_model.md` — data model (if exists)
|
- `data_model.md` — data model (if exists)
|
||||||
|
- When the task touches WebApi (`SatelliteProvider.Api`), the documentation anchor is `modules/api_program.md` — do NOT reference `components/01_web_api/description.md` or any `components/*/web_api*` path; that folder is intentionally absent per the AZ-495 convention.
|
||||||
2. If research was performed (Step 3), incorporate findings
|
2. If research was performed (Step 3), incorporate findings
|
||||||
3. Analyze and determine:
|
3. Analyze and determine:
|
||||||
- Which existing components are affected
|
- Which existing components are affected
|
||||||
|
|||||||
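Review bot: The glob in the added WebApi bullet, `components/*/web_api*`, does not match the folder name the rest of this commit forbids: in `components/06_web_api/` the `web_api` part is in the directory segment, not in a child name, so only the literal `components/01_web_api/description.md` is actually covered. Suggest writing the pattern as `components/*web_api*/` and naming `06_web_api` alongside `01_web_api`, since module-layout.md uses the `06_` form. The bullet also sits inside the Step 1 documentation list, where it reads as another document entry rather than a rule; consider moving it below the list.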
@@ -7,8 +7,8 @@
|
|||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.21" />
|
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.25" />
|
||||||
<PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="8.0.21"/>
|
<PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="8.0.25"/>
|
||||||
<PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
|
<PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
|
||||||
<PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
|
<PackageReference Include="Serilog.AspNetCore" Version="8.0.3" />
|
||||||
<PackageReference Include="Serilog.Sinks.File" Version="6.0.0" />
|
<PackageReference Include="Serilog.Sinks.File" Version="6.0.0" />
|
||||||
|
|||||||
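Review bot: On the two bumped lines, `8.0.25` is still written as two independent literals for JwtBearer and OpenApi, although the docs in this commit state the two packages are meant to stay on the same patch. Suggest a single MSBuild property (or central package versioning) referenced by both `PackageReference` entries so the next bump cannot leave them out of step. It is also worth stating next to this change that these references move the NuGet packages only; the ASP.NET Core runtime that ships comes from the base image, which this hunk does not touch.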
@@ -25,7 +25,7 @@ The three Layer-3 service components are compile-time siblings: each only refere
|
|||||||
- JWT-validated callers only — every HTTP endpoint requires a valid HS256-signed Bearer token, validated locally against a shared `JWT_SECRET` per the suite-level auth contract (`suite/_docs/10_auth.md`). Issuer/audience are intentionally not validated yet; signature + lifetime + ≥32-byte key are. Per-endpoint permission claims (e.g. `permissions: ["GPS"]` on the UAV upload) layer on top of this baseline.
|
- JWT-validated callers only — every HTTP endpoint requires a valid HS256-signed Bearer token, validated locally against a shared `JWT_SECRET` per the suite-level auth contract (`suite/_docs/10_auth.md`). Issuer/audience are intentionally not validated yet; signature + lifetime + ≥32-byte key are. Per-endpoint permission claims (e.g. `permissions: ["GPS"]` on the UAV upload) layer on top of this baseline.
|
||||||
|
|
||||||
**Authentication & Authorization** (AZ-487):
|
**Authentication & Authorization** (AZ-487):
|
||||||
- Validation library: `Microsoft.AspNetCore.Authentication.JwtBearer` 8.0.21 (matches the rest of the ASP.NET Core 8 package set).
|
- Validation library: `Microsoft.AspNetCore.Authentication.JwtBearer` 8.0.25 (matches `Microsoft.AspNetCore.OpenApi` 8.0.25; AZ-496 bumped both packages from 8.0.21 to close the cycle-1 D1 + cycle-2 D3 supply-chain findings).
|
||||||
- Signing key: read from the `JWT_SECRET` environment variable (preferred) or the `Jwt:Secret` configuration key. Startup fails fast if the resolved secret is unset, empty, or shorter than 32 bytes (HMAC-SHA256 minimum per RFC 2104 §3).
|
- Signing key: read from the `JWT_SECRET` environment variable (preferred) or the `Jwt:Secret` configuration key. Startup fails fast if the resolved secret is unset, empty, or shorter than 32 bytes (HMAC-SHA256 minimum per RFC 2104 §3).
|
||||||
- Token contract: `ValidateIssuerSigningKey = true`, `ValidateLifetime = true`, `RequireSignedTokens = true`, `RequireExpirationTime = true`, `ValidateIssuer/Audience = false`, `ClockSkew = 30s`. The 5-minute JwtBearer default is intentionally tightened.
|
- Token contract: `ValidateIssuerSigningKey = true`, `ValidateLifetime = true`, `RequireSignedTokens = true`, `RequireExpirationTime = true`, `ValidateIssuer/Audience = false`, `ClockSkew = 30s`. The 5-minute JwtBearer default is intentionally tightened.
|
||||||
- Authorization model: every endpoint registered in `Program.cs` is decorated with `.RequireAuthorization()`. AZ-488 adds `permissions`-claim policies on top of this baseline (UAV upload requires `GPS`).
|
- Authorization model: every endpoint registered in `Program.cs` is decorated with `.RequireAuthorization()`. AZ-488 adds `permissions`-claim policies on top of this baseline (UAV upload requires `GPS`).
|
||||||
|
|||||||
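Review bot: The rewritten "Validation library" bullet puts the exact patch version and the ticket history (AZ-496, 8.0.21, cycle-1 D1 + cycle-2 D3) into a current-state architecture section, and the same string is restated in module-layout.md, api_program.md and tests_unit.md in this commit. Suggest keeping only the package name and the "matches the rest of the ASP.NET Core 8 package set" statement here, leaving the version to the csproj and the history to dependency_scan.md, so a future patch bump is a one-file change. The bullet also says the bump closes the findings, while the D1 disposition describes it as hygiene for a code path that is not reachable; the two should use the same wording.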
@@ -16,6 +16,16 @@
|
|||||||
5. Tests live in separate projects: `SatelliteProvider.Tests/` (unit) and `SatelliteProvider.IntegrationTests/` (integration).
|
5. Tests live in separate projects: `SatelliteProvider.Tests/` (unit) and `SatelliteProvider.IntegrationTests/` (integration).
|
||||||
6. DI registration per component lives in a `<Component>ServiceCollectionExtensions.cs` adjacent to the component's classes (e.g. `TileDownloaderServiceCollectionExtensions.AddTileDownloader()`).
|
6. DI registration per component lives in a `<Component>ServiceCollectionExtensions.cs` adjacent to the component's classes (e.g. `TileDownloaderServiceCollectionExtensions.AddTileDownloader()`).
|
||||||
|
|
||||||
|
## Documentation Layout (canonical — AZ-495)
|
||||||
|
|
||||||
|
Each Layer-3 service component (`Common`, `DataAccess`, `TileDownloader`, `RegionProcessing`, `RouteManagement`) owns one description file under `_docs/02_document/components/0N_<name>/description.md`. The numeric prefix (`01_common` ... `05_route_management`) matches the architectural-layer order — not the alphabetical order.
|
||||||
|
|
||||||
|
**The WebApi component (`SatelliteProvider.Api`) intentionally does NOT have a `components/*` folder.** Its documentation lives in `_docs/02_document/modules/api_program.md`. The rationale is that WebApi is the orchestrator / entry-point at Layer 4 rather than a Layer-3 service component — its concerns are minimal-API endpoint mapping, DI composition, and middleware chain composition, all of which are documented at module-level alongside the other process-level concerns (`tests_unit.md`, `tests_integration.md`, `migrations.md`). Splitting WebApi documentation into a component-stub plus a module file would create two sources of truth.
|
||||||
|
|
||||||
|
When authoring or reading a task that touches WebApi, use `_docs/02_document/modules/api_program.md` as the documentation anchor. Task-spec templates and the `new-task` / `decompose` skills point at this path; the `components/06_web_api/` folder is intentionally absent and MUST NOT be created.
|
||||||
|
|
||||||
|
The cycle-1 (AZ-487) and cycle-2 (AZ-488) code reviews each surfaced an F1 (Low / Style) finding because task specs referenced the non-existent `components/01_web_api/description.md` path. AZ-495 settles this convention; the finding should not recur.
|
||||||
|
|
||||||
## Per-Component Mapping
|
## Per-Component Mapping
|
||||||
|
|
||||||
### Component: Common
|
### Component: Common
|
||||||
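Review bot: The new Documentation Layout section says `components/06_web_api/` "MUST NOT be created", but nothing in this commit enforces it, and the two earlier F1 findings came from exactly this kind of unenforced path convention. Suggest a small CI or pre-commit check that fails when a `_docs/02_document/components/*web_api*` path exists or is referenced from a task spec. Separately, the last paragraph attributes the findings to the "cycle-1 (AZ-487) and cycle-2 (AZ-488)" reviews while the review files updated in this commit are both named `..._cycle2_review.md`; pick one labelling.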
@@ -117,7 +127,7 @@
|
|||||||
- `SatelliteProvider.Api/DTOs/UavTileBatchUploadRequest.cs` (added by AZ-488; multipart form binding envelope — kept in WebApi because it depends on `IFormFileCollection` + `[FromForm]`, both API-layer types)
|
- `SatelliteProvider.Api/DTOs/UavTileBatchUploadRequest.cs` (added by AZ-488; multipart form binding envelope — kept in WebApi because it depends on `IFormFileCollection` + `[FromForm]`, both API-layer types)
|
||||||
- **Internal**: (none)
|
- **Internal**: (none)
|
||||||
- **Owns**: `SatelliteProvider.Api/**`
|
- **Owns**: `SatelliteProvider.Api/**`
|
||||||
- **PackageReferences (added by AZ-487)**: `Microsoft.AspNetCore.Authentication.JwtBearer` 8.0.21 (pinned to the same minor as the existing ASP.NET Core 8 packages).
|
- **PackageReferences (added by AZ-487, bumped by AZ-496)**: `Microsoft.AspNetCore.Authentication.JwtBearer` 8.0.25 (pinned to the same minor patch as `Microsoft.AspNetCore.OpenApi` 8.0.25; AZ-496 bumped both packages from 8.0.21 → 8.0.25 to close cycle-1 D1 + cycle-2 D3 supply-chain findings).
|
||||||
- **Imports from**: Common (incl. AZ-488 UAV DTOs + `UavQualityConfig`), DataAccess, TileDownloader (incl. AZ-488 `IUavTileUploadHandler`), RegionProcessing, RouteManagement
|
- **Imports from**: Common (incl. AZ-488 UAV DTOs + `UavQualityConfig`), DataAccess, TileDownloader (incl. AZ-488 `IUavTileUploadHandler`), RegionProcessing, RouteManagement
|
||||||
- **Consumed by**: (none — top-level entry point)
|
- **Consumed by**: (none — top-level entry point)
|
||||||
|
|
||||||
|
|||||||
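Review bot: In the changed PackageReferences bullet, "pinned to the same minor patch" is ambiguous (minor and patch are different version components), and the bullet still lists only JwtBearer as the entry although OpenApi is bumped by the same task. Suggest "pinned to the same patch version as `Microsoft.AspNetCore.OpenApi`" and listing both packages as separate entries.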
@@ -69,7 +69,7 @@ Buffers each `IFormFile` into memory, packages them as `UavUploadFile` records (
|
|||||||
|
|
||||||
## Dependencies
|
## Dependencies
|
||||||
All project references: Common, DataAccess, Services.
|
All project references: Common, DataAccess, Services.
|
||||||
NuGet: `Serilog.AspNetCore`, `Swashbuckle.AspNetCore`, `Microsoft.AspNetCore.OpenApi`, `Microsoft.AspNetCore.Authentication.JwtBearer` (8.0.21, AZ-487), `SixLabors.ImageSharp`, `Newtonsoft.Json`.
|
NuGet: `Serilog.AspNetCore`, `Swashbuckle.AspNetCore`, `Microsoft.AspNetCore.OpenApi` (8.0.25, bumped from 8.0.21 by AZ-496), `Microsoft.AspNetCore.Authentication.JwtBearer` (8.0.25, added at 8.0.21 by AZ-487, bumped by AZ-496), `SixLabors.ImageSharp`, `Newtonsoft.Json`.
|
||||||
|
|
||||||
## Consumers
|
## Consumers
|
||||||
- HTTP clients (external)
|
- HTTP clients (external)
|
||||||
|
|||||||
@@ -25,7 +25,7 @@ Existing baseline (pre-cycle-2) test classes cover `TileService`, `RegionService
|
|||||||
|
|
||||||
## Dependencies
|
## Dependencies
|
||||||
- Project references: `SatelliteProvider.Services.TileDownloader`, `SatelliteProvider.Services.RegionProcessing`, `SatelliteProvider.Services.RouteManagement`, `SatelliteProvider.Common`, `SatelliteProvider.DataAccess`, `SatelliteProvider.Api` (for the Authentication tests — added in AZ-487).
|
- Project references: `SatelliteProvider.Services.TileDownloader`, `SatelliteProvider.Services.RegionProcessing`, `SatelliteProvider.Services.RouteManagement`, `SatelliteProvider.Common`, `SatelliteProvider.DataAccess`, `SatelliteProvider.Api` (for the Authentication tests — added in AZ-487).
|
||||||
- NuGet: xUnit (2.5.3), Moq (4.20.72), FluentAssertions (8.8.0), coverlet.collector (6.0.0), Microsoft.NET.Test.Sdk (17.8.0), Microsoft.Extensions.* (Caching.Memory, Configuration, DI, Logging, Options, Http), `Microsoft.AspNetCore.Authentication.JwtBearer` 8.0.21 (added by AZ-487 for the DI + handler tests), `SixLabors.ImageSharp` 3.1.11 (added by AZ-488 for the gate tests).
|
- NuGet: xUnit (2.5.3), Moq (4.20.72), FluentAssertions (8.8.0), coverlet.collector (6.0.0), Microsoft.NET.Test.Sdk (17.8.0), Microsoft.Extensions.* (Caching.Memory, Configuration, DI, Logging, Options, Http), `Microsoft.AspNetCore.Authentication.JwtBearer` 8.0.25 (consumed transitively via the `ProjectReference` to `SatelliteProvider.Api`; AZ-487 added the dependency at 8.0.21, AZ-496 bumped it to 8.0.25), `SixLabors.ImageSharp` 3.1.11 (added by AZ-488 for the gate tests).
|
||||||
- `appsettings.json` copied to output (used by Authentication tests for the `Jwt` section binding scenario).
|
- `appsettings.json` copied to output (used by Authentication tests for the `Jwt` section binding scenario).
|
||||||
|
|
||||||
## Consumers
|
## Consumers
|
||||||
|
|||||||
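Review bot: The NuGet bullet now lists JwtBearer, a transitive dependency, in the same list as the project's direct package references, so a reader cannot tell from this line what `SatelliteProvider.Tests.csproj` actually declares. Suggest moving it to a separate item labelled as transitive via `SatelliteProvider.Api`. The previous text ("added by AZ-487 for the DI + handler tests") read as a direct reference, which is the same assumption the AZ-496 spec made; dropping the version number from this line as well would stop it drifting from the Api csproj.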
@@ -0,0 +1,47 @@
|
|||||||
|
# Batch Report — Batch 01 cycle 3
|
||||||
|
|
||||||
|
**Batch**: 01 (cycle 3)
|
||||||
|
**Tasks**: AZ-495 (doc-folder convention) + AZ-496 (AspNetCore 8.0.25 bump)
|
||||||
|
**Date**: 2026-05-12
|
||||||
|
|
||||||
|
## Task Results
|
||||||
|
|
||||||
|
| Task | Status | Files Modified | Tests | AC Coverage | Issues |
|
||||||
|
|------|--------|---------------|-------|-------------|--------|
|
||||||
|
| AZ-495_doc_folder_convention | Done | 4 modified (`_docs/02_document/module-layout.md`, `.cursor/skills/new-task/SKILL.md`, `_docs/03_implementation/reviews/batch_01_cycle2_review.md`, `batch_02_cycle2_review.md`, `_docs/06_metrics/retro_2026-05-11_cycle2.md`) | Manual / convention check (no code paths) | 4/4 ACs covered | 0 blockers |
|
||||||
|
| AZ-496_bump_aspnetcore_8025 | Done | 5 modified (`SatelliteProvider.Api/SatelliteProvider.Api.csproj`, `_docs/05_security/dependency_scan.md`, `_docs/05_security/security_report.md`, `_docs/02_document/module-layout.md`, `_docs/02_document/architecture.md`, `_docs/02_document/modules/api_program.md`, `_docs/02_document/modules/tests_unit.md`) | Existing suite covers regression (Step 16 final gate) | 5/5 ACs covered | 0 blockers; 1 spec-vs-reality note (see below) |
|
||||||
|
|
||||||
|
## AC Test Coverage: All covered (9 of 9 across both tasks)
|
||||||
|
## Code Review Verdict: pending (this batch report precedes per-batch review)
|
||||||
|
## Auto-Fix Attempts: 0
|
||||||
|
## Stuck Agents: None
|
||||||
|
|
||||||
|
## What was implemented
|
||||||
|
|
||||||
|
### AZ-495 — Doc-folder convention for WebApi
|
||||||
|
|
||||||
|
Chose **Option B** (formalize modules-only convention). Rationale: WebApi is the Layer-4 orchestrator, not a Layer-3 service component; its documentation is already richly captured in `modules/api_program.md`; creating a duplicate `components/06_web_api/description.md` would establish two sources of truth.
|
||||||
|
|
||||||
|
- `_docs/02_document/module-layout.md` § Documentation Layout added — explicit canonical convention with rationale. Anchors all future WebApi documentation at `modules/api_program.md`; the absence of a `components/06_web_api/` folder is now a documented invariant.
|
||||||
|
- `.cursor/skills/new-task/SKILL.md` Step 4 (Codebase Analysis) updated to direct future agents at the correct path when a task touches WebApi.
|
||||||
|
- `_docs/03_implementation/reviews/batch_01_cycle2_review.md` § F1 and `batch_02_cycle2_review.md` § F1 marked **RESOLVED in cycle 3 (AZ-495)** with back-reference.
|
||||||
|
- `_docs/06_metrics/retro_2026-05-11_cycle2.md` § Decision Items Carried Over updated to mark F1 resolved.
|
||||||
|
|
||||||
|
### AZ-496 — Bump AspNetCore.OpenApi + JwtBearer to 8.0.25
|
||||||
|
|
||||||
|
- `SatelliteProvider.Api/SatelliteProvider.Api.csproj`: both `Microsoft.AspNetCore.OpenApi` AND `Microsoft.AspNetCore.Authentication.JwtBearer` bumped from `Version="8.0.21"` to `Version="8.0.25"`.
|
||||||
|
- **Note vs task spec**: the spec called for an additional bump in `SatelliteProvider.Tests/SatelliteProvider.Tests.csproj`. Verification showed `Tests.csproj` has no direct `JwtBearer` PackageReference — its JwtBearer usage flows transitively through `ProjectReference` to `SatelliteProvider.Api`, so the Tests project automatically picks up `8.0.25` once Api.csproj is bumped. The spec was inaccurate on this point; no Tests.csproj edit was made. The cycle-2 dependency-scan delta entry for D3 has been updated to reflect this.
|
||||||
|
- Dockerfiles (`SatelliteProvider.Api/Dockerfile`, `SatelliteProvider.IntegrationTests/Dockerfile`): both use the floating `mcr.microsoft.com/dotnet/aspnet:8.0` / `:sdk:8.0` / `:runtime:8.0` tags which auto-resolve to ≥ 8.0.25 on rebuild. No Dockerfile edit needed; AC-2 satisfied automatically.
|
||||||
|
- `_docs/05_security/dependency_scan.md`: D1 and D3 entries marked **RESOLVED (cycle 3, AZ-496)** with detailed disposition update.
|
||||||
|
- `_docs/05_security/security_report.md`: D1 row in cycle-1 findings table marked RESOLVED; D3 row in cycle-2 findings table marked RESOLVED; cycle-2 "Recommended cycle-3 hardening" entry marked **DONE**.
|
||||||
|
- `_docs/02_document/module-layout.md` WebApi section, `_docs/02_document/architecture.md` § Authentication & Authorization, `_docs/02_document/modules/api_program.md` Dependencies, `_docs/02_document/modules/tests_unit.md` NuGet: all version-pinning prose updated from `8.0.21` → `8.0.25` with back-reference to AZ-496.
|
||||||
|
|
||||||
|
## Open follow-ups (non-blocking)
|
||||||
|
|
||||||
|
- **Test suite gate**: AZ-496 AC-3 requires `./scripts/run-tests.sh --full` to pass. Deferred to Step 16 (Final Test Run) per the implement skill's convention. If the patch-level bump regressed anything, this gate catches it; for an 8.0.21 → 8.0.25 patch within the same .NET 8 LTS line, regressions are very unlikely.
|
||||||
|
- **D2 (Microsoft.NET.Test.Sdk 17.8.0 → 17.9.0+)**: NOT addressed in this batch. Mentioned in AZ-496 spec § Excluded as a separate decision. The cycle-3 dependency-bump backlog now contains only D2 (test-only Low). No immediate action; defer to a future cycle's hardening sweep.
|
||||||
|
- **Runtime base image pinning policy**: this batch confirmed the floating `8.0` tag works for picking up runtime patches automatically. The trade-off (auto-update vs. reproducible builds) was not formally documented as a project decision; if the team prefers explicit version pinning, that is a future cleanup task. Not in scope of AZ-496.
|
||||||
|
|
||||||
|
## Next Batch: AZ-491 (Consolidate JWT test-mint helpers)
|
||||||
|
|
||||||
|
AZ-491 is a 3 SP refactor of test infrastructure. It moves `JwtTokenFactory` to a shared location consumed by both `SatelliteProvider.Tests` and `SatelliteProvider.IntegrationTests`, deletes the duplicate `JwtTestHelpers.MintValidToken` / `MintExpiredToken` / `TamperSignature` from the integration project, and adds a code-review checklist row to flag future duplicates. The implementer must pick Option A (new `SatelliteProvider.TestSupport` library) or Option B (Integration tests reference Unit tests directly) at the start of the batch.
|
||||||
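Review bot: The Files Modified column in the Task Results table does not match its own lists: the AZ-495 row says "4 modified" and names five paths, and the AZ-496 row says "5 modified" and names seven. Please correct the counts or the lists. In the Dockerfiles bullet, `:sdk:8.0` / `:runtime:8.0` are shorthand that does not correspond to an image reference (the first one is written out as `mcr.microsoft.com/dotnet/aspnet:8.0`), and "AC-2 satisfied automatically" is asserted without a recorded rebuild; suggest writing the full image names and noting the image digest or runtime version from an actual build before marking AC-2 satisfied.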
@@ -13,11 +13,12 @@
|
|||||||
|
|
||||||
### Finding Details
|
### Finding Details
|
||||||
|
|
||||||
**F1: Task spec referenced a doc path that does not exist in the codebase** (Low / Style)
|
**F1: Task spec referenced a doc path that does not exist in the codebase** (Low / Style) — **RESOLVED in cycle 3 (AZ-495)**
|
||||||
- Location: `_docs/02_document/components/01_web_api/description.md` (referenced; does not exist)
|
- Location: `_docs/02_document/components/01_web_api/description.md` (referenced; does not exist)
|
||||||
- Description: The AZ-487 task spec lists `_docs/02_document/components/01_web_api/description.md` as a doc to update. The codebase's component-doc folders are `01_common`, `02_data_access`, `03_tile_downloader`, `04_region_processing`, `05_route_management` — there is no `01_web_api` folder. The WebApi component's documentation lives in `_docs/02_document/modules/api_program.md`.
|
- Description: The AZ-487 task spec lists `_docs/02_document/components/01_web_api/description.md` as a doc to update. The codebase's component-doc folders are `01_common`, `02_data_access`, `03_tile_downloader`, `04_region_processing`, `05_route_management` — there is no `01_web_api` folder. The WebApi component's documentation lives in `_docs/02_document/modules/api_program.md`.
|
||||||
- Suggestion: Either (a) create the missing folder with a brief stub that defers to `api_program.md`, or (b) update the task spec for AZ-488 to point at `modules/api_program.md` and acknowledge that WebApi has no `components/*` folder. This batch chose (b) — updated `architecture.md` § Architecture Vision + § Security Architecture and `modules/api_program.md`. Surface to user for a doc-organization decision.
|
- Suggestion: Either (a) create the missing folder with a brief stub that defers to `api_program.md`, or (b) update the task spec for AZ-488 to point at `modules/api_program.md` and acknowledge that WebApi has no `components/*` folder. This batch chose (b) — updated `architecture.md` § Architecture Vision + § Security Architecture and `modules/api_program.md`. Surface to user for a doc-organization decision.
|
||||||
- Task: AZ-487
|
- Task: AZ-487
|
||||||
|
- **Resolution (AZ-495, cycle 3)**: Option B formalized as canonical convention. `_docs/02_document/module-layout.md` § Documentation Layout now explicitly states WebApi has no `components/*` folder; documentation anchor is `modules/api_program.md`. The `.cursor/skills/new-task/SKILL.md` Step 4 (Codebase Analysis) directs future agents at the correct path. Finding will not recur.
|
||||||
|
|
||||||
**F2: Dev-only JWT secret placeholder is committed** (Low / Security)
|
**F2: Dev-only JWT secret placeholder is committed** (Low / Security)
|
||||||
- Location: `SatelliteProvider.Api/appsettings.Development.json`
|
- Location: `SatelliteProvider.Api/appsettings.Development.json`
|
||||||
|
|||||||
@@ -0,0 +1,63 @@
|
|||||||
|
# Code Review Report — Batch 01 cycle 3
|
||||||
|
|
||||||
|
**Batch**: 01 (cycle 3) — AZ-495 (doc-folder convention) + AZ-496 (AspNetCore 8.0.25 bump)
|
||||||
|
**Date**: 2026-05-12
|
||||||
|
**Verdict**: PASS_WITH_WARNINGS
|
||||||
|
|
||||||
|
## Findings
|
||||||
|
|
||||||
|
| # | Severity | Category | File:Line | Title |
|
||||||
|
|---|----------|----------|-----------|-------|
|
||||||
|
| 1 | Low | Spec-Gap | `_docs/02_tasks/done/AZ-496_bump_aspnetcore_8025.md` § Scope > Included | Task spec asserted Tests.csproj had a direct JwtBearer reference; verification showed it did not |
|
||||||
|
| 2 | Low | Style | `SatelliteProvider.Api/SatelliteProvider.Api.csproj:11` | Inconsistent whitespace before `/>` between adjacent `PackageReference` lines (pre-existing) |
|
||||||
|
|
||||||
|
### Finding Details
|
||||||
|
|
||||||
|
**F1: Task spec asserted Tests.csproj had a direct JwtBearer reference; verification showed it did not** (Low / Spec-Gap)
|
||||||
|
|
||||||
|
- Location: `_docs/02_tasks/done/AZ-496_bump_aspnetcore_8025.md` § Scope > Included (3rd bullet) and § AC-1 (text "across both csprojs")
|
||||||
|
- Description: The AZ-496 task spec listed `SatelliteProvider.Tests/SatelliteProvider.Tests.csproj` as carrying a direct `Microsoft.AspNetCore.Authentication.JwtBearer` `PackageReference` at 8.0.21. Reading the actual csproj showed it does not — JwtBearer is consumed transitively via `ProjectReference` to `SatelliteProvider.Api`. Bumping Api.csproj therefore propagates 8.0.25 to Tests automatically; no edit to Tests.csproj was needed.
|
||||||
|
- Suggestion: The batch report § "What was implemented" already documents this discovery and notes that AC-1's "across both csprojs" wording is partially satisfied (only one csproj had the direct reference; Tests is satisfied transitively). The cycle-2 D3 cycle-3 resolution row in `dependency_scan.md` was updated to reflect the same. No code action required. For future PBI authoring: when asserting a package reference exists in a project, read the csproj before encoding the assertion into AC text. This is the same class of "task spec drift from reality" as the cycle-1+2 F1 finding that AZ-495 just closed — different surface, same root cause.
|
||||||
|
- Task: AZ-496
|
||||||
|
|
||||||
|
**F2: Inconsistent whitespace before `/>` between adjacent `PackageReference` lines** (Low / Style — pre-existing, not introduced by this batch)
|
||||||
|
|
||||||
|
- Location: `SatelliteProvider.Api/SatelliteProvider.Api.csproj:10-16`
|
||||||
|
- Description: The two lines bumped by AZ-496 use slightly different whitespace before the self-closing tag (`" />` vs `"/>`). This was pre-existing and was not introduced by this batch — the bump preserved each line's local style. Mentioned for completeness because the bumped lines are right next to each other and the inconsistency stands out.
|
||||||
|
- Suggestion: Defer. Not in scope for AZ-496 (pure version-bump task); per `coderule.mdc` "Pre-existing lint errors should only be fixed if they're in the modified area" applies but the modification here was the smallest possible (version-string only). A future `dotnet format`-style sweep across all csprojs would be the right place to normalize whitespace.
|
||||||
|
- Task: AZ-496 (pre-existing, not blocking)
|
||||||
|
|
||||||
|
## Phase-by-Phase Summary
|
||||||
|
|
||||||
|
| Phase | Result | Notes |
|
||||||
|
|-------|--------|-------|
|
||||||
|
| 1. Context Loading | OK | Both task specs read; changed-file set well-bounded (csproj + docs only) |
|
||||||
|
| 2. Spec Compliance | OK | AZ-495 all 4 ACs verifiable; AZ-496 ACs 1+2+4 verified at code level, ACs 3+5 deferred to Step 16 final test gate (standard implement-skill convention) |
|
||||||
|
| 3. Code Quality | OK (N/A) | No C# / executable code changes; no SOLID / complexity / dead-code concerns |
|
||||||
|
| 4. Security Quick-Scan | OK | AZ-496 *reduces* attack surface (closes CVE-2026-26130 SignalR DoS, even though not reachable in this app) |
|
||||||
|
| 5. Performance Scan | OK (N/A) | No performance-affecting changes |
|
||||||
|
| 6. Cross-Task Consistency | OK | AZ-495 and AZ-496 each touch `_docs/02_document/module-layout.md` but in different sections (AZ-495 added "Documentation Layout"; AZ-496 updated the WebApi PackageReferences line) — no merge conflict, no contradictory prose |
|
||||||
|
| 7. Architecture Compliance | OK | No component-boundary changes; no new ProjectReferences; no new cross-component imports; no cyclic dependencies introduced |
|
||||||
|
|
||||||
|
## Baseline Delta
|
||||||
|
|
||||||
|
| Class | Count | Notes |
|
||||||
|
|-------|-------|-------|
|
||||||
|
| Carried over | 0 | Architecture compliance baseline (cycle 1) showed 0 Architecture findings; this batch did not introduce any new ones |
|
||||||
|
| Resolved | 0 | No Architecture-class baseline entries existed; nothing to resolve in this category |
|
||||||
|
| Newly introduced | 0 | — |
|
||||||
|
|
||||||
|
Two non-architecture cycle-2 carry-overs were resolved by this batch:
|
||||||
|
- Cycle-1 + cycle-2 F1 (doc-path drift, Low / Style) — resolved by AZ-495
|
||||||
|
- Cycle-1 D1 + cycle-2 D3 (Microsoft.AspNetCore 8.0.21 patch line, Medium + Low / Supply Chain) — resolved by AZ-496
|
||||||
|
|
||||||
|
These are tracked in `dependency_scan.md` and `security_report.md`; they do not appear in the Architecture baseline so they do not show up in this delta table.
|
||||||
|
|
||||||
|
## Verdict Logic
|
||||||
|
|
||||||
|
- 0 Critical, 0 High, 0 Medium, 2 Low findings → **PASS_WITH_WARNINGS**
|
||||||
|
- No blocking issues. Both Low findings are documentation drift (F1) and pre-existing style (F2), neither blocks commit per the implement skill's auto-fix gate.
|
||||||
|
|
||||||
|
## Recommendation to /implement
|
||||||
|
|
||||||
|
Proceed to commit + push + tracker transition (Steps 11-13).
|
||||||
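Review bot: The Findings table cites finding 2 at `SatelliteProvider.Api.csproj:11` while the F2 detail gives `SatelliteProvider.Api.csproj:10-16`; use one location. In the Phase-by-Phase table, the Security Quick-Scan row says AZ-496 "closes CVE-2026-26130", whereas the dependency-scan disposition in this commit calls the bump "hygiene rather than active-CVE closure" and makes the runtime fix conditional on the next image build; suggest the row say the package set was bumped and the runtime fix lands on rebuild. Verdict Logic also describes F1 as "documentation drift" although the table categorises it as Spec-Gap.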
@@ -15,11 +15,12 @@
|
|||||||
|
|
||||||
### Finding Details
|
### Finding Details
|
||||||
|
|
||||||
**F1: Task spec referenced a doc path that does not exist in the codebase** (Low / Style)
|
**F1: Task spec referenced a doc path that does not exist in the codebase** (Low / Style) — **RESOLVED in cycle 3 (AZ-495)**
|
||||||
- Location: `_docs/02_document/components/01_web_api/description.md` (referenced; does not exist)
|
- Location: `_docs/02_document/components/01_web_api/description.md` (referenced; does not exist)
|
||||||
- Description: The AZ-488 task spec § Scope > Documentation lists `_docs/02_document/components/01_web_api/description.md` as a doc to update. The component-doc folders are `01_common`, `02_data_access`, `03_tile_downloader`, `04_region_processing`, `05_route_management` — there is no `01_web_api` folder. This finding was first reported in batch 01 cycle 2 (AZ-487 F1) and is unchanged. WebApi's documentation lives in `_docs/02_document/modules/api_program.md` and has been updated there.
|
- Description: The AZ-488 task spec § Scope > Documentation lists `_docs/02_document/components/01_web_api/description.md` as a doc to update. The component-doc folders are `01_common`, `02_data_access`, `03_tile_downloader`, `04_region_processing`, `05_route_management` — there is no `01_web_api` folder. This finding was first reported in batch 01 cycle 2 (AZ-487 F1) and is unchanged. WebApi's documentation lives in `_docs/02_document/modules/api_program.md` and has been updated there.
|
||||||
- Suggestion: Carry-over from batch 01 — needs an explicit operator decision: (a) create the missing folder with a stub that defers to `api_program.md`, or (b) update the documentation conventions to acknowledge WebApi lives in `modules/`. No change in this batch beyond updating `modules/api_program.md` and `components/03_tile_downloader/description.md`.
|
- Suggestion: Carry-over from batch 01 — needs an explicit operator decision: (a) create the missing folder with a stub that defers to `api_program.md`, or (b) update the documentation conventions to acknowledge WebApi lives in `modules/`. No change in this batch beyond updating `modules/api_program.md` and `components/03_tile_downloader/description.md`.
|
||||||
- Task: AZ-488 (carried over from AZ-487)
|
- Task: AZ-488 (carried over from AZ-487)
|
||||||
|
- **Resolution (AZ-495, cycle 3)**: Option B formalized as canonical convention. `_docs/02_document/module-layout.md` § Documentation Layout now explicitly states WebApi has no `components/*` folder; documentation anchor is `modules/api_program.md`. The `.cursor/skills/new-task/SKILL.md` Step 4 (Codebase Analysis) directs future agents at the correct path. Finding will not recur.
|
||||||
|
|
||||||
**F2: `JpegMagicBytes` declared as mutable `byte[]` instead of `ReadOnlySpan<byte>` static** (Low / Maintainability)
|
**F2: `JpegMagicBytes` declared as mutable `byte[]` instead of `ReadOnlySpan<byte>` static** (Low / Maintainability)
|
||||||
- Location: `SatelliteProvider.Services.TileDownloader/UavTileQualityGate.cs:23`
|
- Location: `SatelliteProvider.Services.TileDownloader/UavTileQualityGate.cs:23`
|
||||||
|
|||||||
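Review bot: The added Resolution line ends with "Finding will not recur", but the two controls it cites are both documentation (`module-layout.md` § Documentation Layout and `SKILL.md` Step 4); nothing visible here stops a future task spec from listing `components/01_web_api/description.md` again. Either soften the sentence to say what was changed, or back it with a check that fails when a task spec references a `components/*` path that does not exist.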
@@ -37,7 +37,7 @@
|
|||||||
|
|
||||||
| # | Severity | Package | Version | Advisory | Disposition |
|
| # | Severity | Package | Version | Advisory | Disposition |
|
||||||
|---|----------|---------|---------|----------|-------------|
|
|---|----------|---------|---------|----------|-------------|
|
||||||
| D1 | Medium (production-risk: **Low**, exposure: not reachable) | Microsoft.AspNetCore.OpenApi → ASP.NET Core 8 runtime | 8.0.21 | [CVE-2026-26130](https://github.com/dotnet/aspnetcore/security/advisories/GHSA-4vgm-c2wm-63mw) — SignalR DoS via unbounded buffer | **Not exploitable in this app**: codebase grep for `SignalR\|MapHub\|UseSignalR\|HubConnection` returns zero hits. Runtime patch still recommended. Upgrade `Microsoft.AspNetCore.OpenApi` to `8.0.25` (or current 8.0.x patch) and redeploy on a runtime ≥ 8.0.25 to remove the vulnerable code paths from the deployed image. |
|
| D1 | Medium (production-risk: **Low**, exposure: not reachable) | Microsoft.AspNetCore.OpenApi → ASP.NET Core 8 runtime | 8.0.21 | [CVE-2026-26130](https://github.com/dotnet/aspnetcore/security/advisories/GHSA-4vgm-c2wm-63mw) — SignalR DoS via unbounded buffer | **RESOLVED (cycle 3, AZ-496)**: Bumped to `8.0.25` in `SatelliteProvider.Api.csproj`. Runtime base image already uses the floating `mcr.microsoft.com/dotnet/aspnet:8.0` tag which auto-resolves to ≥ 8.0.25, so deployed image automatically picks up the patched runtime on next build. Original disposition reproduced for traceability: **Not exploitable in this app** (codebase grep for `SignalR\|MapHub\|UseSignalR\|HubConnection` returns zero hits); the bump is hygiene rather than active-CVE closure. |
|
||||||
| D2 | Low (test-only) | Microsoft.NET.Test.Sdk | 17.8.0 | [CVE-2022-30184](https://github.com/microsoft/vstest/issues/4409) via transitive `NuGet.Frameworks <6.2.1` — information disclosure (CVSS 5.5) | **Not exploitable in production**: package is `IsTestProject=true` only; never shipped. Upgrade to `Microsoft.NET.Test.Sdk` ≥ 17.9.0 (which dropped the `NuGet.Frameworks` dependency entirely) the next time the test project's deps are touched. |
|
| D2 | Low (test-only) | Microsoft.NET.Test.Sdk | 17.8.0 | [CVE-2022-30184](https://github.com/microsoft/vstest/issues/4409) via transitive `NuGet.Frameworks <6.2.1` — information disclosure (CVSS 5.5) | **Not exploitable in production**: package is `IsTestProject=true` only; never shipped. Upgrade to `Microsoft.NET.Test.Sdk` ≥ 17.9.0 (which dropped the `NuGet.Frameworks` dependency entirely) the next time the test project's deps are touched. |
|
||||||
|
|
||||||
## Cross-version sanity (per `coderule.mdc`: keep dependency versions consistent)
|
## Cross-version sanity (per `coderule.mdc`: keep dependency versions consistent)
|
||||||
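Review bot: The new D1 disposition treats the floating `mcr.microsoft.com/dotnet/aspnet:8.0` tag as proof that the deployed runtime is ≥ 8.0.25, but a floating tag only resolves to the patched runtime if the build actually pulls a fresh base image; a cached layer keeps whatever patch it was pulled at. The row itself says the vulnerable code ships in the ASP.NET Core 8 runtime, so record how the runtime version is verified (a forced pull at build time, a digest pin, or a version check in the deploy gate) rather than "automatically picks up". The Version column also still reads `8.0.21` on a row now marked RESOLVED; state the before and after versions there.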
@@ -65,11 +65,12 @@
|
|||||||
|
|
||||||
### New findings
|
### New findings
|
||||||
|
|
||||||
#### D3 — `Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21` shares the same 8.0.21 patch line as the D1-flagged OpenApi package (Low — production-risk: **Low**, exposure: not reachable)
|
#### D3 — `Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21` shares the same 8.0.21 patch line as the D1-flagged OpenApi package (Low — production-risk: **Low**, exposure: not reachable) — **RESOLVED (cycle 3, AZ-496)**
|
||||||
|
|
||||||
- **Location**: `SatelliteProvider.Api/SatelliteProvider.Api.csproj` (added by AZ-487)
|
- **Location**: `SatelliteProvider.Api/SatelliteProvider.Api.csproj` (added by AZ-487)
|
||||||
- **Detail**: D1 already recommends bumping `Microsoft.AspNetCore.OpenApi` to 8.0.25 because the underlying ASP.NET Core 8.0.21 runtime ships CVE-2026-26130 (SignalR DoS, not reachable in this app). Pinning a second package in the same 8.0.21 family in cycle 2 raises the cost of *not* doing the bump: every additional package implicitly hardcodes the runtime expectation. Cycle 1 disposition (`Not exploitable — no SignalR use`) still applies; cycle 2 escalation here is purely about consistency and operator clarity.
|
- **Detail**: D1 already recommends bumping `Microsoft.AspNetCore.OpenApi` to 8.0.25 because the underlying ASP.NET Core 8.0.21 runtime ships CVE-2026-26130 (SignalR DoS, not reachable in this app). Pinning a second package in the same 8.0.21 family in cycle 2 raises the cost of *not* doing the bump: every additional package implicitly hardcodes the runtime expectation. Cycle 1 disposition (`Not exploitable — no SignalR use`) still applies; cycle 2 escalation here is purely about consistency and operator clarity.
|
||||||
- **Disposition**: Same as D1 — bump *both* `Microsoft.AspNetCore.OpenApi` AND the new `Microsoft.AspNetCore.Authentication.JwtBearer` reference to the latest 8.0.x patch in a single PR. No separate Jira needed; fold into the D1 hardening task.
|
- **Disposition**: Same as D1 — bump *both* `Microsoft.AspNetCore.OpenApi` AND the new `Microsoft.AspNetCore.Authentication.JwtBearer` reference to the latest 8.0.x patch in a single PR. No separate Jira needed; fold into the D1 hardening task.
|
||||||
|
- **Resolution (cycle 3, AZ-496)**: Both packages bumped to `8.0.25` in `SatelliteProvider.Api.csproj`. `SatelliteProvider.Tests.csproj` does NOT have a direct `JwtBearer` reference — its JwtBearer usage flows transitively through the `ProjectReference` to `SatelliteProvider.Api`, so the Tests project automatically picks up `8.0.25` as well. No separate edit to Tests.csproj required.
|
||||||
|
|
||||||
#### F-DEPS-UAV — ImageSharp decode now runs on attacker-controlled JPEG bytes (Medium — exposure increase, not a new CVE)
|
#### F-DEPS-UAV — ImageSharp decode now runs on attacker-controlled JPEG bytes (Medium — exposure increase, not a new CVE)
|
||||||
|
|
||||||
|
|||||||
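Review bot: The Resolution bullet asserts that the Tests project "automatically picks up `8.0.25`" through the `ProjectReference`, with no evidence attached. Transitive resolution is the expected outcome, but a security artifact should record the check, for example the resolved JwtBearer version from `dotnet list package --include-transitive` on `SatelliteProvider.Tests.csproj`, so a later direct reference or version override in the test project is caught by diffing the scan instead of being assumed away.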
@@ -42,7 +42,7 @@ The two **N/A (with caveat)** entries (A01, A07) reflect the documented architec
|
|||||||
| S2 | Medium | A02 — Misconfiguration | `docker-compose.yml:6-7,30` | Weak Postgres credentials in compose (mirrors S1) |
|
| S2 | Medium | A02 — Misconfiguration | `docker-compose.yml:6-7,30` | Weak Postgres credentials in compose (mirrors S1) |
|
||||||
| S3 | Low | A06 — Insecure Design | `SatelliteProvider.Api/Program.cs:169,207,237` | Latitude/longitude inputs not range-validated at API boundary |
|
| S3 | Low | A06 — Insecure Design | `SatelliteProvider.Api/Program.cs:169,207,237` | Latitude/longitude inputs not range-validated at API boundary |
|
||||||
| S4 | Medium | A06 — Insecure Design | `.env` (workspace root) | Apparent real Google Maps API key on developer filesystem; no `.env.example` |
|
| S4 | Medium | A06 — Insecure Design | `.env` (workspace root) | Apparent real Google Maps API key on developer filesystem; no `.env.example` |
|
||||||
| D1 | Medium | A03 — Supply Chain | `SatelliteProvider.Api.csproj` — `Microsoft.AspNetCore.OpenApi 8.0.21` | CVE-2026-26130 SignalR DoS (not reachable in this app — codebase has zero SignalR use) |
|
| D1 | Medium | A03 — Supply Chain | `SatelliteProvider.Api.csproj` — `Microsoft.AspNetCore.OpenApi 8.0.21` | CVE-2026-26130 SignalR DoS (not reachable in this app — codebase has zero SignalR use) — **RESOLVED cycle 3 (AZ-496): bumped to 8.0.25** |
|
||||||
| D2 | Low | A03 — Supply Chain | `SatelliteProvider.Tests.csproj` — `Microsoft.NET.Test.Sdk 17.8.0` | CVE-2022-30184 transitive via `NuGet.Frameworks <6.2.1` (test-only) |
|
| D2 | Low | A03 — Supply Chain | `SatelliteProvider.Tests.csproj` — `Microsoft.NET.Test.Sdk 17.8.0` | CVE-2022-30184 transitive via `NuGet.Frameworks <6.2.1` (test-only) |
|
||||||
| I1 | Low | A02 — Misconfiguration | `SatelliteProvider.Api/Dockerfile` | Container runs as root (no `USER` directive) |
|
| I1 | Low | A02 — Misconfiguration | `SatelliteProvider.Api/Dockerfile` | Container runs as root (no `USER` directive) |
|
||||||
| I2 | Low | A02 — Misconfiguration | `SatelliteProvider.Api/Program.cs` | No security headers middleware |
|
| I2 | Low | A02 — Misconfiguration | `SatelliteProvider.Api/Program.cs` | No security headers middleware |
|
||||||
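Review bot: In the D1 row the status is appended to the description cell while the Location cell still reads `Microsoft.AspNetCore.OpenApi 8.0.21`, so the row now states both 8.0.21 and 8.0.25. Anyone filtering this table for open Medium findings has to parse free text to learn that D1 is closed. Put the state in a dedicated Status column, or write the Location as "8.0.21 → 8.0.25" so the row is unambiguous.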
@@ -138,7 +138,7 @@ AZ-487 introduced a JWT validation baseline (HS256, `JWT_SECRET` env var, `.Requ
|
|||||||
| F-UAV-1 | Medium | A03 — Supply Chain (exposure) | `Services.TileDownloader/UavTileQualityGate.cs:60-95` | ImageSharp decode now runs on attacker-controlled JPEGs (mitigations OK) |
|
| F-UAV-1 | Medium | A03 — Supply Chain (exposure) | `Services.TileDownloader/UavTileQualityGate.cs:60-95` | ImageSharp decode now runs on attacker-controlled JPEGs (mitigations OK) |
|
||||||
| F-UAV-2 | Low | A07 — AuthN claim parsing | `Authentication/PermissionsRequirement.cs:84-111` | `JsonDocument.Parse` on signature-validated claim values (bounded by header cap) |
|
| F-UAV-2 | Low | A07 — AuthN claim parsing | `Authentication/PermissionsRequirement.cs:84-111` | `JsonDocument.Parse` on signature-validated claim values (bounded by header cap) |
|
||||||
| F-UAV-3 | Informational | A06 — Insecure Design (info-disclosure) | `Services.TileDownloader/UavTileQualityGate.cs` | Reject reasons disclose gate structure (accepted UX trade-off; documented in contract) |
|
| F-UAV-3 | Informational | A06 — Insecure Design (info-disclosure) | `Services.TileDownloader/UavTileQualityGate.cs` | Reject reasons disclose gate structure (accepted UX trade-off; documented in contract) |
|
||||||
| D3 | Low | A03 — Supply Chain | `SatelliteProvider.Api.csproj` (new JwtBearer 8.0.21) | Shares D1 patch line; same remediation |
|
| D3 | Low | A03 — Supply Chain | `SatelliteProvider.Api.csproj` (new JwtBearer 8.0.21) | Shares D1 patch line; same remediation — **RESOLVED cycle 3 (AZ-496): bumped to 8.0.25 alongside OpenApi** |
|
||||||
| F-DEPS-UAV | Medium | A03 — Supply Chain (exposure) | new ImageSharp call site in TileDownloader | Documented in dependency_scan.md cycle-2 delta |
|
| F-DEPS-UAV | Medium | A03 — Supply Chain (exposure) | new ImageSharp call site in TileDownloader | Documented in dependency_scan.md cycle-2 delta |
|
||||||
|
|
||||||
### Verdict reconciliation
|
### Verdict reconciliation
|
||||||
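Review bot: The D3 row is marked RESOLVED here, but the `### Verdict reconciliation` section that follows in the context lines is not touched by this hunk. If that section counts or lists open findings, it needs the same cycle-3 update for D1 and D3, otherwise the table and the verdict disagree. The Location cell also keeps "(new JwtBearer 8.0.21)" next to a resolution that says 8.0.25.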
@@ -156,7 +156,7 @@ AZ-487 introduced a JWT validation baseline (HS256, `JWT_SECRET` env var, `.Requ
|
|||||||
|
|
||||||
- **Pre-deploy gate (operational, NOT code)**: `deploy/SKILL.md` must verify `JWT_SECRET` is set to a ≥ 32-byte value distinct from the DEV-ONLY placeholder. Cycle-2 deploys without this verification step are gated.
|
- **Pre-deploy gate (operational, NOT code)**: `deploy/SKILL.md` must verify `JWT_SECRET` is set to a ≥ 32-byte value distinct from the DEV-ONLY placeholder. Cycle-2 deploys without this verification step are gated.
|
||||||
- **Coordinate with admin team**: confirm expected `iss`/`aud` values; flip `ValidateIssuer` / `ValidateAudience` to `true` as soon as those values land. Track under AZ-487 § Constraints follow-up.
|
- **Coordinate with admin team**: confirm expected `iss`/`aud` values; flip `ValidateIssuer` / `ValidateAudience` to `true` as soon as those values land. Track under AZ-487 § Constraints follow-up.
|
||||||
- **Bump 8.0.x ASP.NET Core packages together**: the next D1 hardening commit must bump both `Microsoft.AspNetCore.OpenApi` AND `Microsoft.AspNetCore.Authentication.JwtBearer` to ≥ 8.0.25.
|
- **Bump 8.0.x ASP.NET Core packages together** — **DONE cycle 3 (AZ-496)**: both `Microsoft.AspNetCore.OpenApi` and `Microsoft.AspNetCore.Authentication.JwtBearer` bumped to `8.0.25` in `SatelliteProvider.Api.csproj`. Runtime base image uses floating `mcr.microsoft.com/dotnet/aspnet:8.0` so the deployed runtime auto-picks up the matching patch on next build.
|
||||||
- **ImageSharp subscribe-and-bump policy**: add to the runbook — patch within 7 days of any `SixLabors.ImageSharp` GHSA. Reconsider sandboxing if the upload endpoint is exposed beyond the trust boundary documented in architecture.md § 7.
|
- **ImageSharp subscribe-and-bump policy**: add to the runbook — patch within 7 days of any `SixLabors.ImageSharp` GHSA. Reconsider sandboxing if the upload endpoint is exposed beyond the trust boundary documented in architecture.md § 7.
|
||||||
- **Cycle-2 hardening backlog (Low priority)**:
|
- **Cycle-2 hardening backlog (Low priority)**:
|
||||||
- Pass `JsonDocumentOptions { MaxDepth = 8 }` and a max-claim-length check to `PermissionsAuthorizationHandler.TryReadJsonArray`.
|
- Pass `JsonDocumentOptions { MaxDepth = 8 }` and a max-claim-length check to `PermissionsAuthorizationHandler.TryReadJsonArray`.
|
||||||
|
|||||||
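Review bot: Rewriting the "Bump 8.0.x ASP.NET Core packages together" bullet into a DONE record drops the standing requirement the old line carried ("must bump both ... to ≥ 8.0.25"). The rule that `Microsoft.AspNetCore.OpenApi` and `Microsoft.AspNetCore.Authentication.JwtBearer` move together applies to every future 8.0.x patch, not only this one. Keep the rule as a policy sentence and record the AZ-496 completion as a separate status note. The neighbouring pre-deploy gate bullet would also be the natural place to verify the runtime patch level, instead of relying on "auto-picks up the matching patch on next build".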
@@ -174,7 +174,7 @@ This is NOT a recommendation to never accept user-overrides on SP cap — the cy
|
|||||||
|
|
||||||
These are not part of the top-3 improvement actions because they're 1-turn decisions, not multi-cycle initiatives:
|
These are not part of the top-3 improvement actions because they're 1-turn decisions, not multi-cycle initiatives:
|
||||||
|
|
||||||
- **F1 (cycle 1 + cycle 2 carry)**: `_docs/02_document/components/01_web_api/description.md` doesn't exist. Choose: (a) create stub folder that defers to `modules/api_program.md`, (b) formalize "WebApi has no `components/*` folder" in the module-layout doc and update all task spec templates to point at `modules/api_program.md`. Recommendation: (b) — `modules/api_program.md` is already the de-facto canonical location.
|
- **F1 (cycle 1 + cycle 2 carry)** — **RESOLVED in cycle 3 (AZ-495)**: `_docs/02_document/components/01_web_api/description.md` doesn't exist. Choose: (a) create stub folder that defers to `modules/api_program.md`, (b) formalize "WebApi has no `components/*` folder" in the module-layout doc and update all task spec templates to point at `modules/api_program.md`. Recommendation: (b) — `modules/api_program.md` is already the de-facto canonical location. Resolution: chose Option B; `_docs/02_document/module-layout.md` § Documentation Layout and `.cursor/skills/new-task/SKILL.md` Step 4 updated to anchor WebApi documentation at `modules/api_program.md`; cycle-2 batch-review F1 entries explicitly marked resolved with back-reference to AZ-495.
|
||||||
- **R2 (cycle 2 security report)**: confirm with admin team the expected `iss` / `aud` values for production JWT tokens; flip `ValidateIssuer` / `ValidateAudience` to `true` in a small follow-up PBI when the values are known.
|
- **R2 (cycle 2 security report)**: confirm with admin team the expected `iss` / `aud` values for production JWT tokens; flip `ValidateIssuer` / `ValidateAudience` to `true` in a small follow-up PBI when the values are known.
|
||||||
- **R3 (cycle 2 deploy report)**: coordinate with `gps-denied-onboard` and mission-planner-UI teams to attach Bearer tokens BEFORE promoting cycle-2 image past `dev`.
|
- **R3 (cycle 2 deploy report)**: coordinate with `gps-denied-onboard` and mission-planner-UI teams to attach Bearer tokens BEFORE promoting cycle-2 image past `dev`.
|
||||||
|
|
||||||
|
|||||||
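Review bot: The F1 bullet is marked RESOLVED but still sits in the list introduced as pending "1-turn decisions" and still carries the "Choose: (a) ... (b) ..." prompt, so it reads as open and closed at once. Move it to a resolved list or trim it to the decision taken. The bullet title covers "cycle 1 + cycle 2 carry", yet the resolution text names only the "cycle-2 batch-review F1 entries" as marked resolved; say explicitly whether the cycle-1 entry was updated too.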