[AZ-505] AC-5 fix: enable TLS for HTTP/2 via ALPN

Kestrel with HttpProtocols.Http1AndHttp2 on a plaintext listener
silently downgrades to HTTP/1.1-only (logs "HTTP/2 is not enabled
... TLS is not enabled"), so AC-5's multiplexed-GET test failed
with HTTP_1_1_REQUIRED. ALPN cannot run over plaintext, so the
fix switches the dev listener to TLS on https://+:8080:

- scripts/run-tests.sh generates a self-signed dev cert idempotently
  (./certs/api.pfx + api.crt) via openssl in an alpine container;
  certs/ is gitignored.
- docker-compose.yml binds Kestrel to ASPNETCORE_URLS=https://+:8080
  with Kestrel__Certificates__Default__Path bound to the .pfx.
- docker-compose.tests.yml mounts api.crt into the integration-tests
  container's CA store and runs update-ca-certificates so HttpClient
  trusts the cert transparently; default API_URL is now https://api:8080.
- Drop the obsolete Http2UnencryptedSupport AppContext switch from
  Http2MultiplexingTests; ALPN over TLS handles negotiation.

Test-data fixes caught on the post-TLS rerun (independent of the TLS
switch but surfaced together):

- Http2MultiplexingTests: switch slippy coords from (154321, 95812)
  -- which Google Maps returns 404 for -- to (158485, 91707), the
  slippy projection of (47.461747, 37.647063) already exercised by
  JwtIntegrationTests.
- TileInventoryTests + LeafletPathIndexOnlyTests: SpecifyKind to
  Unspecified at the binding site for raw Npgsql seed paths writing
  into tiles.captured_at / created_at / updated_at (TIMESTAMP without
  tz). Npgsql v6+ refuses Kind=Utc into plain timestamp columns;
  production goes through Dapper and never hits this code path.
- MigrationTests Az503NewUniqueIndexCoversIntegerKeyAndFlightId:
  accept either idx_tiles_location_hash (migration 014) or its
  AZ-505 successor tiles_leaflet_path (migration 015) -- both have
  location_hash as the leading column, which is the AC-9 intent.

Docs updated to reflect the TLS+ALPN path: tile-inventory.md
Non-Goals, modules/api_program.md, module-layout.md, the AZ-505
task spec's Risk 3, and the cycle 6 implementation + completeness
reports. The full integration test suite passes (mode=full, exit 0).

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.IntegrationTests/Http2MultiplexingTests.cs

@@ -3,15 +3,15 @@ using System.Net.Http.Headers;
 
 namespace SatelliteProvider.IntegrationTests;
 
-// AZ-505 AC-5: HTTP/2 multiplexed responses on the dev plaintext endpoint.
+// AZ-505 AC-5: HTTP/2 multiplexed responses.
 //
-// Kestrel is configured with `HttpProtocols.Http1AndHttp2` (Program.cs); the
-// .NET HttpClient supports HTTP/2 over plaintext (h2c, prior-knowledge) when
-// the `System.Net.SocketsHttpHandler.Http2UnencryptedSupport` AppContext switch
-// is on. Browsers cannot use h2c — that's documented in the AZ-505 risk
-// section and in `tile-inventory.md` v1.0.0. This test exercises the
-// programmatic-client path the onboard `TileDownloader` (httpx http2=True)
-// uses in production.
+// Kestrel is configured with `HttpProtocols.Http1AndHttp2` over TLS
+// (docker-compose.yml mounts the dev cert; ASPNETCORE_URLS=https://+:8080).
+// ALPN negotiates HTTP/2 with HTTP/2-capable clients and falls back to
+// HTTP/1.1 for browsers and legacy callers. The integration-tests
+// container trusts the dev cert via /usr/local/share/ca-certificates,
+// so HttpClient negotiates HTTP/2 transparently — no h2c / unencrypted
+// support switch is needed.
 public static class Http2MultiplexingTests
 {
     private const int ConcurrentRequestCount = 20;
@@ -20,11 +20,6 @@ public static class Http2MultiplexingTests
     {
         RouteTestHelpers.PrintTestHeader("Test: HTTP/2 multiplexing on /tiles/{z}/{x}/{y} (AZ-505)");
 
-        // The Http2UnencryptedSupport switch is process-wide on the client.
-        // Setting it more than once is a no-op, so it's safe to call here even
-        // though other tests in the same runner do not need it.
-        AppContext.SetSwitch("System.Net.SocketsHttpHandler.Http2UnencryptedSupport", true);
-
         var apiUri = new Uri(apiUrl);
         using var handler = new SocketsHttpHandler
         {
@@ -48,9 +43,14 @@ public static class Http2MultiplexingTests
         // Pick a single (z, x, y) — caching means all 20 calls hit the same
         // tile, which is exactly what we want: prove the responses come back
         // over HTTP/2 with their CDN-style headers preserved.
+        //
+        // Coords (158485, 91707) at z=18 are the slippy projection of
+        // (47.461747, 37.647063), the same lat/lon JwtIntegrationTests hits
+        // — confirmed to have Google Maps satellite coverage by every prior
+        // cycle's run, so the warmup download is reliable.
         const int z = 18;
-        const int x = 154321;
-        const int y = 95812;
+        const int x = 158485;
+        const int y = 91707;
         var path = $"/tiles/{z}/{x}/{y}";
 
         // Prime the cache with a single warm-up call so the 20 concurrent

SatelliteProvider.IntegrationTests/LeafletPathIndexOnlyTests.cs

@@ -134,7 +134,7 @@ public static class LeafletPathIndexOnlyTests
         var locP = cmd.Parameters.Add("loc", NpgsqlTypes.NpgsqlDbType.Uuid);
 
         const int zoom = 18;
-        var baseTime = DateTime.UtcNow.AddDays(-1);
+        var baseTime = DateTime.SpecifyKind(DateTime.UtcNow.AddDays(-1), DateTimeKind.Unspecified);
         for (var i = 0; i < rowCount; i++)
         {
             var x = 100_000 + (i % 1024);
@@ -171,7 +171,7 @@ public static class LeafletPathIndexOnlyTests
         cmd.Parameters.AddWithValue("lat", 60.5);
         cmd.Parameters.AddWithValue("lon", 30.5);
         cmd.Parameters.AddWithValue("fp", "tiles/leaflet-probe.jpg");
-        cmd.Parameters.AddWithValue("t", DateTime.UtcNow);
+        cmd.Parameters.AddWithValue("t", DateTime.SpecifyKind(DateTime.UtcNow, DateTimeKind.Unspecified));
         cmd.Parameters.AddWithValue("loc", hash);
         await cmd.ExecuteNonQueryAsync();
     }

SatelliteProvider.IntegrationTests/MigrationTests.cs

@@ -232,12 +232,22 @@ public static class MigrationTests
                 $"AZ-503 AC-9: idx_tiles_unique_identity must wrap flight_id in COALESCE so NULL flights collide deterministically. Definition: {newIndex.Def}");
         }
 
-        // A non-unique index on location_hash should also exist so the upcoming AZ-505 covering scan has a starting point.
-        var locationHashIndex = rows.FirstOrDefault(r => string.Equals(r.Name, "idx_tiles_location_hash", StringComparison.Ordinal));
+        // An index whose leading column is `location_hash` must exist so equality lookups
+        // by hash have an index-driven access path. AZ-503 introduced this as
+        // `idx_tiles_location_hash` in migration 014; AZ-505 supersedes it in migration 015
+        // with `tiles_leaflet_path` (a covering index that keeps location_hash as the
+        // leading column and adds ORDER BY columns + INCLUDE projection). Either name
+        // satisfies the AC-9 intent — accept both so the AZ-503 contract remains
+        // verifiable after migration 015 has applied.
+        var locationHashIndex = rows.FirstOrDefault(r =>
+            string.Equals(r.Name, "idx_tiles_location_hash", StringComparison.Ordinal) ||
+            string.Equals(r.Name, "tiles_leaflet_path", StringComparison.Ordinal));
         if (locationHashIndex.Def is null)
         {
             throw new Exception(
-                "AZ-503 AC-9: expected supporting index 'idx_tiles_location_hash' after migration 014, but it is not present.");
+                "AZ-503 AC-9: expected an index keyed by location_hash (either 'idx_tiles_location_hash' from migration 014 " +
+                "or its AZ-505 successor 'tiles_leaflet_path' from migration 015) on tiles, but neither is present. " +
+                $"Found indexes: {string.Join(", ", rows.Select(r => r.Name))}");
         }
 
         Console.WriteLine($"  ✓ New unique index present: {newIndex.Def}");

SatelliteProvider.IntegrationTests/Program.cs

@@ -21,7 +21,7 @@ class Program
             }
         }
 
-        var apiUrl = Environment.GetEnvironmentVariable("API_URL") ?? "http://api:8080";
+        var apiUrl = Environment.GetEnvironmentVariable("API_URL") ?? "https://api:8080";
         var modeEnv = Environment.GetEnvironmentVariable("INTEGRATION_TESTS_MODE")?.Trim().ToLowerInvariant();
         var modeArg = args.FirstOrDefault(a => a.Equals("--smoke", StringComparison.OrdinalIgnoreCase) || a.Equals("--full", StringComparison.OrdinalIgnoreCase));
 

SatelliteProvider.IntegrationTests/TileInventoryTests.cs

@@ -371,7 +371,7 @@ public static class TileInventoryTests
                 lonP.Value = 30.0 + random.NextDouble();
                 sizeP.Value = 200.0;
                 fpP.Value = $"tiles/perf-seed/{i}.jpg";
-                tP.Value = DateTime.UtcNow.AddMinutes(-i);
+                tP.Value = DateTime.SpecifyKind(DateTime.UtcNow.AddMinutes(-i), DateTimeKind.Unspecified);
                 locP.Value = hash;
                 await cmd.ExecuteNonQueryAsync();
             }
@@ -436,7 +436,10 @@ public static class TileInventoryTests
         cmd.Parameters.AddWithValue("lon", 30.0 + coord.TileY * 1e-9);
         cmd.Parameters.AddWithValue("fp", $"tiles/seed/{coord.TileZoom}/{coord.TileX}/{coord.TileY}.jpg");
         cmd.Parameters.AddWithValue("src", source);
-        cmd.Parameters.AddWithValue("t", capturedAt);
+        // schema column is TIMESTAMP (no tz); Npgsql v6+ refuses to bind a
+        // Kind=Utc DateTime into a plain timestamp column. Callers pass UTC
+        // for clarity; normalize Kind here.
+        cmd.Parameters.AddWithValue("t", DateTime.SpecifyKind(capturedAt, DateTimeKind.Unspecified));
         cmd.Parameters.AddWithValue("flight", (object?)flightId ?? DBNull.Value);
         cmd.Parameters.AddWithValue("loc", locationHash);
         await cmd.ExecuteNonQueryAsync();