[AZ-1113] Cycle 10 closeout: docs, perf harness, security

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-27 11:11:13 +00:00 · 2026-06-26 10:55:59 +03:00
parent 01d7e7d584
commit c79998bfa7
24 changed files with 600 additions and 46 deletions
@@ -0,0 +1,35 @@
+# Dependency Scan (Cycle 10)
+
+**Date**: 2026-06-25
+**Mode**: Delta scan
+**Scope**: Cycle-10 delta over cycle-9 (`dependency_scan_cycle9.md`). Surface = AZ-1113 (REST 400 error sanitization — no package manifest changes).
+**Method**: `dotnet list SatelliteProvider.sln package --vulnerable --include-transitive`.
+
+## Cycle-10 Package Manifest Diff
+
+| csproj | Cycle 9 baseline | Cycle 10 change |
+|--------|------------------|-----------------|
+| All csproj | unchanged | **+0** packages added or bumped |
+
+## Vulnerable Package Scan (2026-06-25)
+
+| Project | Finding | Severity | Notes |
+|---------|---------|----------|-------|
+| `SatelliteProvider.Api` | none | — | Production runtime — clean |
+| `SatelliteProvider.IntegrationTests` | transitive `Microsoft.IdentityModel.JsonWebTokens` 7.0.3, `System.IdentityModel.Tokens.Jwt` 7.0.3 | Moderate | GHSA-59j7-ghrg-fj52 — **test-runtime only** (pre-existing; unchanged) |
+| `SatelliteProvider.TestSupport` | `System.IdentityModel.Tokens.Jwt` 7.0.3 + transitive JsonWebTokens 7.0.3 | Moderate | test-runtime only — pre-existing |
+
+## Cycle-10 Findings
+
+**No new dependency CVEs.** AZ-1113 is a code-only change (static error strings); no NuGet manifest edits.
+
+## Carry-overs
+
+- **D-AZ795-1** (Low): FluentValidation 12.0.0 → 12.1.1 — still open (explicitly out of AZ-1113 scope)
+- **D2-cy4** (Medium, test-runtime): `Microsoft.NET.Test.Sdk` transitive — still open
+
+## Verdict
+
+**PASS** (cycle-10 delta) — zero new CVEs.
+
+Cumulative: **PASS_WITH_WARNINGS** — D2-cy4 + D-AZ795-1 carry-overs unchanged.