[AZ-1113] Cycle 10 closeout: docs, perf harness, security

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-27 09:51:14 +00:00 · 2026-06-26 10:55:59 +03:00
parent 01d7e7d584
commit c79998bfa7
24 changed files with 600 additions and 46 deletions
@@ -22,7 +22,7 @@

 **Trigger**: POST /api/satellite/route with invalid JSON body (truncated `{` or non-JSON text).
 **Expected**: HTTP 400 + RFC 7807 `ProblemDetails`. Post-AZ-809 (cycle 8) the failure surfaces via `GlobalExceptionHandler`'s `JsonException` branch (System.Text.Json `JsonReaderException` → `BadHttpRequestException` → 400). No stack trace leaks; correlationId present per AZ-353.
-**Pass criterion**: HTTP 400; `Content-Type: application/problem+json`; body matches `error-shape.md` v1.0.0; no internal exception type or stack frame in `detail`.
+**Pass criterion**: HTTP 400; `Content-Type: application/problem+json`; body matches `error-shape.md` v1.0.1; response body does NOT contain `System.` substring; no internal exception type or stack frame in `detail`.

 ---

@@ -102,3 +102,33 @@ The pre-AZ-487 assumption "no authentication" is superseded by these scenarios.
 **Pass criterion**: status == 401 AND response body contains no `iss` / `aud` value or internal exception detail.
 **AC trace**: AZ-494 AC-2.

+---
+
+## Cycle 10 — AZ-1113 REST 400 error message sanitization
+
+Extends Inv-5 (`error-shape.md` v1.0.1) to deserializer/binding 400 paths that previously echoed raw `JsonException` / `BadHttpRequestException` text. The 5xx sanitization from AZ-353 is unchanged.
+
+## SEC-14: Deserializer 400 `errors[]` Values Are Static (No Framework Type Leak)
+
+**Trigger**: Authenticated `POST /api/satellite/tiles/inventory` with body `{"tiles":[{"z":18,"x":1,"y":1,"foo":42}]}` (unknown nested field per `UnmappedMemberHandling.Disallow`).
+**Expected**: HTTP 400 + `ValidationProblemDetails`; `errors["tiles[0].foo"][0]` equals `"The field value is invalid."` per `error-shape.md` v1.0.1 §Information disclosure.
+**Pass criterion**: HTTP 400; response body does NOT contain `System.`; does NOT contain `.NET member`; does NOT echo raw `JsonException.Message`.
+**AC trace**: AZ-1113 AC-1.
+**Test method**: `TileInventoryValidationTests.UnknownNestedField_Returns400` (integration); `GlobalExceptionHandlerTests.TryHandleAsync_DeserializationFailure_WritesValidationProblemDetailsWithJsonPath_AZ795` (unit).
+
+## SEC-15: Non-JSON `BadHttpRequestException` `detail` Is Static
+
+**Trigger**: Authenticated `GET /api/satellite/tiles/latlon?lat=fifty&lon=37.64&zoom=18` (query binding failure without inner `JsonException`).
+**Expected**: HTTP 400 + RFC 7807 `ProblemDetails`; `detail` is `"The request could not be processed."` per `error-shape.md` v1.0.1.
+**Pass criterion**: HTTP 400; `detail` does NOT contain `Latitude` or other framework bind-failure text from `BadHttpRequestException.Message`.
+**AC trace**: AZ-1113 AC-2.
+**Test method**: `GetTileByLatLonValidationTests.LatTypeMismatch_Returns400` (integration); `GlobalExceptionHandlerTests.TryHandleAsync_BadHttpRequestExceptionWithoutJson_UsesStaticDetail` (unit).
+
+## SEC-16: UAV Upload Metadata Parse Error Does Not Leak Exception Message
+
+**Trigger**: Authenticated `POST /api/satellite/upload` with `metadata` form field `{not valid json` (malformed JSON).
+**Expected**: HTTP 400 + `errors["metadata"]` equals `` `metadata` could not be parsed as JSON. `` per `error-shape.md` v1.0.1.
+**Pass criterion**: HTTP 400; full response body does NOT contain `System.` substring.
+**AC trace**: AZ-1113 AC-3 (filter); AC-4 (handler defense-in-depth via unit test).
+**Test method**: `UavUploadValidationTests.MetadataNotAnObject_Returns400` (integration); `UavTileUploadHandlerTests.HandleAsync_InvalidMetadataJson_ReturnsEnvelopeError` (unit).
+