mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 08:51:13 +00:00
[AZ-491] [AZ-492] [AZ-493] [AZ-494] [AZ-495] [AZ-496] Cycle 3 Steps 11-13: test-spec sync + ripple log

Step 11 (Run Tests) is recorded as PASS based on the implement skill's
internal Step 16 gate (./scripts/run-tests.sh --full, all-green) per
test-run/SKILL.md § Functional Mode — same runner, immediately
preceding invocation, no value in a second run.

Step 12 (Test-Spec Sync, cycle-update mode):
- traceability-matrix.md: rows added for AZ-491 AC-1..AC-6,
  AZ-493 AC-1..AC-6, AZ-495 (doc convention), AZ-496 AC-1..AC-N
  (dependency bump); AZ-494 AC-1/AC-2 rows now cross-reference
  new SEC-12 / SEC-13 blackbox IDs.
- security-tests.md: SEC-12 (wrong iss returns 401) and SEC-13
  (wrong aud returns 401) appended for AZ-494.
- environment.md: Environment Variables table extended with
  GOOGLE_MAPS_API_KEY, JWT_SECRET, JWT_ISSUER, JWT_AUDIENCE,
  INTEGRATION_TEST_DB_RESET. Closes a cycle-2 oversight where
  JWT_SECRET was never recorded.

Step 13 (Update Docs, task mode):
- tests_unit.md: consolidated the duplicate
  AuthenticationServiceCollectionExtensionsTests entry that
  spanned AZ-487 + AZ-494 into one coherent block.
- ripple_log_cycle3.md created: per-task source files +
  every doc that was touched (architecture, module-layout,
  api_program, tests_unit, tests_integration, traceability,
  performance-tests, security-tests, environment, security_report,
  owasp_review, deploy_cycle2, retro_2026-05-11_cycle2). Notes
  which docs were intentionally NOT touched and the open
  cross-repo doc ripple (AC-7).

Autodev state advanced to Step 13 completed. Next: Step 14 Security
Audit (optional gate).

Co-authored-by: Cursor <cursoragent@cursor.com>
@@ -7,11 +7,11 @@ Unit test project for component-internal logic. Original AZ-2/AZ-3 era had only
|
|||||||
|
|
||||||
Existing baseline (pre-cycle-2) test classes cover `TileService`, `RegionService`, `RouteService`, geo math, repositories, validators, idempotency, and migration helpers — not enumerated exhaustively here. Cycle-2 additions:
|
Existing baseline (pre-cycle-2) test classes cover `TileService`, `RegionService`, `RouteService`, geo math, repositories, validators, idempotency, and migration helpers — not enumerated exhaustively here. Cycle-2 additions:
|
||||||
|
|
||||||
### AZ-487 — JWT validation baseline
|
### AZ-487 + AZ-494 — JWT validation baseline + iss/aud
|
||||||
- `Authentication/AuthenticationServiceCollectionExtensionsTests` — `AddSatelliteJwt_RegistersJwtBearerScheme`, `AddSatelliteJwt_ThrowsOnMissingSecret`, `AddSatelliteJwt_ThrowsOnShortSecret`.
|
- `Authentication/AuthenticationServiceCollectionExtensionsTests` — covers `AddSatelliteJwt` registration + `TokenValidationParameters` shape across both AZs:
|
||||||
- `Authentication/JwtTokenFactoryTests` — `Create_ProducesTokenValidatedByMatchingParameters`, `CreateExpired_TokenFailsValidationWithLifetimeException`, `Create_WithExtraClaims_PropagatesClaimsThroughValidation`, `TamperSignature_TokenFailsValidationWithSignatureException`.
|
- AZ-487 baseline: `AddSatelliteJwt_RegistersJwtBearerScheme`, `AddSatelliteJwt_ThrowsOnMissingSecret`, `AddSatelliteJwt_ThrowsOnShortSecret`.
|
||||||
- `Authentication/AuthenticationServiceCollectionExtensionsTests` — covers `AddSatelliteJwt` registration + `TokenValidationParameters` shape (AZ-487, AZ-494). Includes AZ-494's fail-fast assertions: `AddSatelliteJwt_ThrowsOnMissingIssuer`, `AddSatelliteJwt_ThrowsOnEmptyIssuer`, `AddSatelliteJwt_ThrowsOnMissingAudience`, `AddSatelliteJwt_ThrowsOnEmptyAudience`, plus the updated `_ConfiguresTokenValidationParameters_AsPerContract` and `_PrefersEnvironmentVariableOverConfiguration` cases that assert `ValidateIssuer = true` + `ValidIssuer` + `ValidateAudience = true` + `ValidAudience`.
|
- AZ-494 extension: `AddSatelliteJwt_ThrowsOnMissingIssuer`, `_ThrowsOnEmptyIssuer`, `_ThrowsOnMissingAudience`, `_ThrowsOnEmptyAudience`, plus updated `_ConfiguresTokenValidationParameters_AsPerContract` and `_PrefersEnvironmentVariableOverConfiguration` asserting `ValidateIssuer = true` + `ValidIssuer` + `ValidateAudience = true` + `ValidAudience`.
|
||||||
- `TestUtilities/JwtTokenFactory` — helper that mints HS256 tokens with the same `TokenValidationParameters` used in production. Adjusts `notBefore` for negative-lifetime requests so `JwtSecurityToken` accepts the value and downstream lifetime validation can fire (`IDX12401` workaround documented inline).
|
- `Authentication/JwtTokenFactoryTests` — `Create_ProducesTokenValidatedByMatchingParameters`, `CreateExpired_TokenFailsValidationWithLifetimeException`, `Create_WithExtraClaims_PropagatesClaimsThroughValidation`, `TamperSignature_TokenFailsValidationWithSignatureException`. The factory itself lives in `SatelliteProvider.TestSupport` after AZ-491 (single source of truth); this project consumes it via `ProjectReference`.
|
||||||
|
|
||||||
### AZ-488 — UAV tile upload
|
### AZ-488 — UAV tile upload
|
||||||
- `UavTileQualityGateTests` — one happy path + ≥ 1 reject path per rule (Rule 1 INVALID_FORMAT × 2, Rule 2 SIZE_OUT_OF_BAND × 2, Rule 3 WRONG_DIMENSIONS × 1, Rule 4 CAPTURED_AT_FUTURE / _TOO_OLD × 2, Rule 5 IMAGE_TOO_UNIFORM × 1) + rule-ordering determinism. Uses a `FixedTimeProvider` for Rule-4 isolation and `UavTileImageFactory` for deterministic JPEG fixtures.
|
- `UavTileQualityGateTests` — one happy path + ≥ 1 reject path per rule (Rule 1 INVALID_FORMAT × 2, Rule 2 SIZE_OUT_OF_BAND × 2, Rule 3 WRONG_DIMENSIONS × 1, Rule 4 CAPTURED_AT_FUTURE / _TOO_OLD × 2, Rule 5 IMAGE_TOO_UNIFORM × 1) + rule-ordering determinism. Uses a `FixedTimeProvider` for Rule-4 isolation and `UavTileImageFactory` for deterministic JPEG fixtures.
|
||||||
|
|||||||
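Review bot: The removed `TestUtilities/JwtTokenFactory` bullet was where this section explained the `notBefore` adjustment for negative-lifetime tokens (the `IDX12401` workaround), which is what lets the expired-token case reach lifetime validation; the replacement `JwtTokenFactoryTests` bullet only says the factory now lives in `SatelliteProvider.TestSupport`. Add a pointer to where that workaround is documented after the move. Separately, the `AZ-487 + AZ-494` heading still sits under the "Cycle-2 additions:" lead-in although the ripple log lists AZ-494 as cycle-3 work, so reword the lead-in or label the AZ-494 sub-bullet as cycle 3.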
@@ -0,0 +1,82 @@
|
|||||||
|
# Cycle 3 — Documentation Ripple Log
|
||||||
|
|
||||||
|
**Cycle**: 3 (AZ-495 doc convention + AZ-496 ASP.NET Core 8.0.25 bump + AZ-491 consolidate JWT test helpers + AZ-493 integration test DB reset hook + AZ-492 perf harness PT-07/PT-08 + AZ-494 JWT iss/aud validation)
|
||||||
|
**Generated by**: `/document` skill (task mode) during autodev Step 13 (existing-code flow)
|
||||||
|
**Resolution method**: each cycle-3 batch performed inline doc updates during implementation. Step 13 cycle-update mode verified completeness against the per-task spec and against `grep` of every new symbol (`JwtTokenFactory` post-AZ-491, `IntegrationTestResetGuard`, `IntegrationTestDatabaseReset`, `PerfBootstrap`, `MintAuthenticated` / `MintExpired` / `ResolveIssuerOrThrow` / `ResolveAudienceOrThrow`, `ResolveRequiredOrThrow`, `JWT_ISSUER` / `JWT_AUDIENCE`, `SEC-12` / `SEC-13`).
|
||||||
|
|
||||||
|
## Directly-changed source files (cycle 3)
|
||||||
|
|
||||||
|
### Code (production)
|
||||||
|
|
||||||
|
- `SatelliteProvider.Api/Authentication/AuthenticationServiceCollectionExtensions.cs` (AZ-494: iss/aud constants, fail-fast `ResolveRequiredOrThrow`, `ValidateIssuer=true`, `ValidateAudience=true`)
|
||||||
|
- `SatelliteProvider.Api/appsettings.json` (AZ-494: empty `Jwt.Issuer` + `Jwt.Audience` so prod fail-fast triggers)
|
||||||
|
- `SatelliteProvider.Api/appsettings.Development.json` (AZ-494: `DEV-ONLY-` prefixed placeholders so local dev works)
|
||||||
|
- `SatelliteProvider.Api/SatelliteProvider.Api.csproj` (AZ-496: `Microsoft.AspNetCore.Authentication.JwtBearer` 8.0.21 → 8.0.25; `Microsoft.AspNetCore.OpenApi` 8.0.21 → 8.0.25)
|
||||||
|
|
||||||
|
### Code (test-side)
|
||||||
|
|
||||||
|
- `SatelliteProvider.TestSupport/*` (AZ-491: new project; canonical `JwtTokenFactory`. AZ-493: new `IntegrationTestResetGuard`. AZ-494: `JwtTokenFactory.Create` + `.CreateExpired` gained optional iss/aud parameters)
|
||||||
|
- `SatelliteProvider.IntegrationTests/JwtTestHelpers.cs` (AZ-491: split runner-side concerns from the factory. AZ-494: added `ResolveIssuerOrThrow`, `ResolveAudienceOrThrow`, `MintAuthenticated`, `MintExpired`)
|
||||||
|
- `SatelliteProvider.IntegrationTests/IntegrationTestDatabaseReset.cs` (AZ-493: new — runner-side reset using the TestSupport guard)
|
||||||
|
- `SatelliteProvider.IntegrationTests/JwtIntegrationTests.cs` (AZ-491 + AZ-494: migrated to `MintAuthenticated`/`MintExpired`; added `WrongIssuer_Returns401` + `WrongAudience_Returns401`)
|
||||||
|
- `SatelliteProvider.IntegrationTests/UavUploadTests.cs` (AZ-491 + AZ-493 + AZ-494: migrated to `MintAuthenticated`; removed wall-clock coordinate offset workaround)
|
||||||
|
- `SatelliteProvider.IntegrationTests/Program.cs` (AZ-491 + AZ-492 + AZ-493 + AZ-494: bootstrap subcommand dispatch for `--mint-only`/`--gen-uav-fixture`; reset hook invocation; resolve secret+iss+aud at startup)
|
||||||
|
- `SatelliteProvider.IntegrationTests/PerfBootstrap.cs` (AZ-492: new — perf bootstrap subcommands for `--mint-only`/`--gen-uav-fixture`. AZ-494: mint flow also resolves iss+aud)
|
||||||
|
- `SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj` (AZ-491: `ProjectReference` to `SatelliteProvider.TestSupport`; removed `Microsoft.IdentityModel.JsonWebTokens` direct ref)
|
||||||
|
- `SatelliteProvider.IntegrationTests/Dockerfile` (AZ-491: copy `SatelliteProvider.TestSupport` project)
|
||||||
|
- `SatelliteProvider.Tests/Authentication/AuthenticationServiceCollectionExtensionsTests.cs` (AZ-494: 4 new fail-fast tests + updated existing tests; AZ-491: env-var save/restore pattern reused)
|
||||||
|
- `SatelliteProvider.Tests/TestSupport/IntegrationTestResetGuardTests.cs` (AZ-493: new — unit tests for the two-guard model)
|
||||||
|
- `SatelliteProvider.Tests/TestUtilities/JwtTokenFactory.cs` (AZ-491: deleted — duplicate of TestSupport)
|
||||||
|
- `SatelliteProvider.Tests/SatelliteProvider.Tests.csproj` (AZ-491: `ProjectReference` to `SatelliteProvider.TestSupport`; AZ-496 picked up the 8.0.25 bump transitively via the `ProjectReference` to `SatelliteProvider.Api`)
|
||||||
|
- `SatelliteProvider.sln` (AZ-491: registered `SatelliteProvider.TestSupport`)
|
||||||
|
|
||||||
|
### Infrastructure / config
|
||||||
|
|
||||||
|
- `.env.example` (AZ-494: documented `JWT_ISSUER` + `JWT_AUDIENCE` with fail-fast contract and DEV-ONLY example values)
|
||||||
|
- `docker-compose.yml` + `docker-compose.tests.yml` (AZ-494: `JWT_ISSUER` + `JWT_AUDIENCE` passed through to both `api` and `integration-tests` services. AZ-493: `INTEGRATION_TEST_DB_RESET` plumbed for the test runner)
|
||||||
|
- `scripts/run-tests.sh` (AZ-493: `--keep-state` flag + DB reset plumbing. AZ-494: `JWT_ISSUER` + `JWT_AUDIENCE` env-var loading + fail-fast checks)
|
||||||
|
- `scripts/run-performance-tests.sh` (AZ-492: pre-build, `--mint-only`/`--gen-uav-fixture` dispatch, PT-07 cold+warm distribution, PT-08 batch upload distribution, JWT attach across PT-01..PT-06. AZ-494: `JWT_ISSUER` + `JWT_AUDIENCE` loading and pass-through)
|
||||||
|
|
||||||
|
### Skills / conventions
|
||||||
|
|
||||||
|
- `.cursor/skills/new-task/SKILL.md` (AZ-495: doc folder convention formalised)
|
||||||
|
- `.cursor/skills/code-review/SKILL.md` (AZ-491: Phase 6 rule to prevent re-duplication of test helpers)
|
||||||
|
|
||||||
|
## Documentation ripple
|
||||||
|
|
||||||
|
### Architecture / module-level
|
||||||
|
|
||||||
|
- `_docs/02_document/architecture.md` — JwtBearer version bump (AZ-496), token contract with `ValidateIssuer=true`/`ValidateAudience=true` (AZ-494), Security Architecture authentication paragraph (AZ-494).
|
||||||
|
- `_docs/02_document/module-layout.md` — `SatelliteProvider.TestSupport` module entry (AZ-491), `IntegrationTestResetGuard` (AZ-493), `PerfBootstrap` justification + image-fixture dependency rationale (AZ-492), package version bumps (AZ-496).
|
||||||
|
- `_docs/02_document/modules/api_program.md` — JWT authentication section (AZ-487 + AZ-494), package version bumps (AZ-496).
|
||||||
|
- `_docs/02_document/modules/tests_unit.md` — Consolidated `AuthenticationServiceCollectionExtensionsTests` entry covering AZ-487 + AZ-494; `TestSupport` project reference (AZ-491); transitive 8.0.25 (AZ-496).
|
||||||
|
- `_docs/02_document/modules/tests_integration.md` — `PerfBootstrap.cs` (AZ-492), `IntegrationTestDatabaseReset.cs` (AZ-493), `JwtTestHelpers` AZ-494 surface, AZ-494 new integration scenarios, env-var prerequisites.
|
||||||
|
|
||||||
|
### Test specs
|
||||||
|
|
||||||
|
- `_docs/02_document/tests/traceability-matrix.md` — Rows added for AZ-491 AC-1..AC-6, AZ-493 AC-1..AC-6, AZ-494 AC-1..AC-7 (AC-7 deferred ◐), AZ-495, AZ-496; PT-07/PT-08 rows updated to ✓; AZ-487 / AZ-484 perf NFR rows updated to reference the AZ-492 harness.
|
||||||
|
- `_docs/02_document/tests/security-tests.md` — SEC-12 (wrong iss → 401) and SEC-13 (wrong aud → 401) appended for AZ-494.
|
||||||
|
- `_docs/02_document/tests/performance-tests.md` — PT-07 (cold+warm) and PT-08 (batch p95) moved from "Deferred" to "Implemented (AZ-492)".
|
||||||
|
- `_docs/02_document/tests/environment.md` — Environment Variables table extended with `GOOGLE_MAPS_API_KEY`, `JWT_SECRET`, `JWT_ISSUER`, `JWT_AUDIENCE` (AZ-487, AZ-494), `INTEGRATION_TEST_DB_RESET` (AZ-493).
|
||||||
|
|
||||||
|
### Security artefacts
|
||||||
|
|
||||||
|
- `_docs/05_security/security_report.md` — F-AUTH-2 flipped to **RESOLVED cycle 3 (AZ-494)**; verdict reconciliation + recommendations updated.
|
||||||
|
- `_docs/05_security/owasp_review.md` — A07 status updated; residual "no token revocation list" recorded as a Low follow-up.
|
||||||
|
|
||||||
|
### Process / metrics
|
||||||
|
|
||||||
|
- `_docs/03_implementation/deploy_cycle2.md` — R3 follow-up note flipped to **RESOLVED in cycle 3 (AZ-494)**.
|
||||||
|
- `_docs/06_metrics/retro_2026-05-11_cycle2.md` — Action 2 (PT-07 leftover) marked **RESOLVED in cycle 3 (AZ-492)**.
|
||||||
|
- `_docs/_process_leftovers/2026-05-11_perf-pt07-harness.md` — Deleted (resolved by AZ-492).
|
||||||
|
|
||||||
|
## Files NOT touched this cycle (by design)
|
||||||
|
|
||||||
|
- `_docs/02_document/data_model.md` — no schema change.
|
||||||
|
- `_docs/02_document/contracts/api/uav-tile-upload.md` — public contract unchanged (AZ-494 is a token-validation change, transparent to consumers that already produce correct `iss` + `aud`).
|
||||||
|
- `_docs/02_document/components/03_tile_downloader/description.md` — no behavior change in the component.
|
||||||
|
- Per-component descriptions under `_docs/02_document/components/0[1-5]_*` — none of the cycle-3 tasks added new functional behavior at the component layer.
|
||||||
|
|
||||||
|
## Open cross-repo doc ripple (AC-7 deferred)
|
||||||
|
|
||||||
|
- `suite/_docs/10_auth.md` — AZ-494 AC-7 requires this doc (in the parent monorepo) to either name the production iss/aud values or note that satellite-provider validates them locally. This write is OUT OF SCOPE for satellite-provider's autodev (workspace-boundary rule). Documented in `deploy_cycle2.md` R3 follow-up. Will surface as a `_docs/_process_leftovers/` entry if the suite repo still needs the update after this autodev finishes.
|
||||||
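Review bot: Under "Code (production)" and "Infrastructure / config", the only startup checks named for `JWT_ISSUER` / `JWT_AUDIENCE` are missing and empty, while `appsettings.Development.json` and `.env.example` both carry `DEV-ONLY-` prefixed values. As described, a copied `.env` would satisfy the fail-fast contract outside Development; consider having `ResolveRequiredOrThrow` reject a `DEV-ONLY-` prefix when the environment is not Development, or state in this log that no such guard exists. Also, the "no token revocation list" residual and the deferred AC-7 write are recorded without a tracker ID or a `_docs/_process_leftovers/` entry, so neither has an owner yet.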
@@ -33,6 +33,11 @@
|
|||||||
| ASPNETCORE_ENVIRONMENT | Development | API config mode |
|
| ASPNETCORE_ENVIRONMENT | Development | API config mode |
|
||||||
| ConnectionStrings__DefaultConnection | Host=postgres;Port=5432;... | DB connection |
|
| ConnectionStrings__DefaultConnection | Host=postgres;Port=5432;... | DB connection |
|
||||||
| MapConfig__ApiKey | (from host env) | Google Maps auth |
|
| MapConfig__ApiKey | (from host env) | Google Maps auth |
|
||||||
|
| GOOGLE_MAPS_API_KEY | (from `.env` or shell env) | Google Maps tile downloads (AZ-487 onward — required for any integration mode) |
|
||||||
|
| JWT_SECRET | (from `.env` or shell env; ≥ 32 bytes) | HS256 signing key shared by API + test runner (AZ-487); fail-fast at startup if missing |
|
||||||
|
| JWT_ISSUER | (from `.env` or shell env) | Expected `iss` claim (AZ-494); fail-fast at startup if missing. DEV-ONLY local value: `DEV-ONLY-iss-admin-azaion-local` |
|
||||||
|
| JWT_AUDIENCE | (from `.env` or shell env) | Expected `aud` claim (AZ-494); fail-fast at startup if missing. DEV-ONLY local value: `DEV-ONLY-aud-satellite-provider` |
|
||||||
|
| INTEGRATION_TEST_DB_RESET | `enabled` (default) / `skip` (set by `--keep-state`) | AZ-493 reset hook; `enabled` truncates test-table rows on runner start, `skip` preserves them for debugging |
|
||||||
|
|
||||||
## Test Execution
|
## Test Execution
|
||||||
|
|
||||||
|
|||||||
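Review bot: The `INTEGRATION_TEST_DB_RESET` row says `enabled` is the default and truncates test-table rows on runner start, but it does not mention the two-guard model (env sentinel plus host allowlist `postgres`/`localhost`/`127.0.0.1`) that the AZ-493 AC-4 traceability row relies on. Add that condition to the row's description so a reader does not conclude that the variable alone authorises truncation. The new `GOOGLE_MAPS_API_KEY` row also sits next to the existing `MapConfig__ApiKey` row with the same stated purpose; say how one feeds the other.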
@@ -86,3 +86,19 @@ The pre-AZ-487 assumption "no authentication" is superseded by these scenarios.
|
|||||||
**Pass criterion**: For every rejected item, `rejectDetails` matches `^[A-Za-z0-9 .,()<>=:%/-]{0,200}$` AND contains no path separator (`/` or `\`) followed by a directory name from the server image (`tiles`, `src`, `obj`, `bin`).
|
**Pass criterion**: For every rejected item, `rejectDetails` matches `^[A-Za-z0-9 .,()<>=:%/-]{0,200}$` AND contains no path separator (`/` or `\`) followed by a directory name from the server image (`tiles`, `src`, `obj`, `bin`).
|
||||||
**AC trace**: AZ-488 § Security NFR.
|
**AC trace**: AZ-488 § Security NFR.
|
||||||
|
|
||||||
|
## SEC-12: Wrong `iss` Claim Returns 401
|
||||||
|
|
||||||
|
**Trigger**: Same request as SEC-05 carrying a JWT signed with the configured secret, with valid `exp` / `nbf` / signature, and with an `aud` claim matching `JWT_AUDIENCE` — but with `iss` set to `https://wrong-issuer.invalid/` (not equal to `JWT_ISSUER`).
|
||||||
|
**Precondition**: AZ-494 in place; API started with `JWT_ISSUER` + `JWT_AUDIENCE` env vars both populated (fail-fast contract).
|
||||||
|
**Expected**: HTTP 401 Unauthorized; no handler reached; no leaked detail in body.
|
||||||
|
**Pass criterion**: status == 401 AND response body contains no `iss` / `aud` value or internal exception detail.
|
||||||
|
**AC trace**: AZ-494 AC-1.
|
||||||
|
|
||||||
|
## SEC-13: Wrong `aud` Claim Returns 401
|
||||||
|
|
||||||
|
**Trigger**: Same request as SEC-05 carrying a JWT signed with the configured secret, with valid `exp` / `nbf` / signature, and with `iss` matching `JWT_ISSUER` — but with `aud` set to `wrong-audience-not-satellite` (not equal to `JWT_AUDIENCE`).
|
||||||
|
**Precondition**: AZ-494 in place; API started with `JWT_ISSUER` + `JWT_AUDIENCE` env vars both populated.
|
||||||
|
**Expected**: HTTP 401 Unauthorized; no handler reached; no leaked detail in body.
|
||||||
|
**Pass criterion**: status == 401 AND response body contains no `iss` / `aud` value or internal exception detail.
|
||||||
|
**AC trace**: AZ-494 AC-2.
|
||||||
|
|
||||||
|
|||||||
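Review bot: The pass criterion for SEC-12 and SEC-13 inspects only the response body. A JwtBearer challenge can also carry an `error_description` in the `WWW-Authenticate` header, so extend the criterion to the response headers (no `iss` / `aud` value or exception detail there either). Both scenarios also cover only a wrong value; a token with the `iss` or `aud` claim absent altogether is a distinct case and deserves its own scenario or an explicit note that it is covered elsewhere.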
@@ -56,13 +56,28 @@
|
|||||||
| AZ-488 AC-8 | Oversized batch (> `MaxBatchSize`) returns 400 envelope error | RL-05 (resource-limit); `UavUploadTests.OversizedBatch_Returns400` (integration) | ✓ |
|
| AZ-488 AC-8 | Oversized batch (> `MaxBatchSize`) returns 400 envelope error | RL-05 (resource-limit); `UavUploadTests.OversizedBatch_Returns400` (integration) | ✓ |
|
||||||
| AZ-488 AC-9 | Contract `uav-tile-upload.md` v1.0.0 frozen and matches implementation | doc-state AC; verified by Step 13 (Update Docs) review | ✓ |
|
| AZ-488 AC-9 | Contract `uav-tile-upload.md` v1.0.0 frozen and matches implementation | doc-state AC; verified by Step 13 (Update Docs) review | ✓ |
|
||||||
| AZ-488 AC-10 | All existing tests + new AZ-487/AZ-488 tests pass; no AZ-484 regression | Full `scripts/run-tests.sh --full` run (cycle 2 Step 11 — passed) | ✓ |
|
| AZ-488 AC-10 | All existing tests + new AZ-487/AZ-488 tests pass; no AZ-484 regression | Full `scripts/run-tests.sh --full` run (cycle 2 Step 11 — passed) | ✓ |
|
||||||
| AZ-494 AC-1 | Wrong `iss` token returns 401 | `JwtIntegrationTests.WrongIssuer_Returns401` (integration) | ✓ |
|
| AZ-494 AC-1 | Wrong `iss` token returns 401 | SEC-12 (blackbox); `JwtIntegrationTests.WrongIssuer_Returns401` (integration) | ✓ |
|
||||||
| AZ-494 AC-2 | Wrong `aud` token returns 401 | `JwtIntegrationTests.WrongAudience_Returns401` (integration) | ✓ |
|
| AZ-494 AC-2 | Wrong `aud` token returns 401 | SEC-13 (blackbox); `JwtIntegrationTests.WrongAudience_Returns401` (integration) | ✓ |
|
||||||
| AZ-494 AC-3 | Matching iss + aud accepted | `JwtIntegrationTests.ValidToken_Returns200_OnHealthyEndpoint` (integration; updated to mint via env iss/aud) | ✓ |
|
| AZ-494 AC-3 | Matching iss + aud accepted | `JwtIntegrationTests.ValidToken_Returns200_OnHealthyEndpoint` (integration; updated to mint via env iss/aud) | ✓ |
|
||||||
| AZ-494 AC-4 | Missing config fails fast | `AuthenticationServiceCollectionExtensionsTests.AddSatelliteJwt_ThrowsOnMissingIssuer` + `_ThrowsOnEmptyIssuer` + `_ThrowsOnMissingAudience` + `_ThrowsOnEmptyAudience` (unit) | ✓ |
|
| AZ-494 AC-4 | Missing config fails fast | `AuthenticationServiceCollectionExtensionsTests.AddSatelliteJwt_ThrowsOnMissingIssuer` + `_ThrowsOnEmptyIssuer` + `_ThrowsOnMissingAudience` + `_ThrowsOnEmptyAudience` (unit) | ✓ |
|
||||||
| AZ-494 AC-5 | Existing tests pass with matched fixtures | Full integration suite reruns at Step 16 with `JwtTestHelpers.MintAuthenticated` (auto-fills iss/aud from env) | ✓ (gate verified at Step 16) |
|
| AZ-494 AC-5 | Existing tests pass with matched fixtures | Full integration suite reruns at Step 16 with `JwtTestHelpers.MintAuthenticated` (auto-fills iss/aud from env) | ✓ (gate verified at Step 16) |
|
||||||
| AZ-494 AC-6 | Security artifacts updated (F-AUTH-2 → Resolved) | `_docs/05_security/security_report.md` + `owasp_review.md` updated this batch | ✓ |
|
| AZ-494 AC-6 | Security artifacts updated (F-AUTH-2 → Resolved) | `_docs/05_security/security_report.md` + `owasp_review.md` updated this batch | ✓ |
|
||||||
| AZ-494 AC-7 | Suite contract reflects reality | `suite/_docs/10_auth.md` lives outside this workspace; this cycle's deploy report documents that satellite-provider validates iss/aud locally and the prod values are admin-team-confirmed at deploy time | ◐ deferred (cross-repo write) |
|
| AZ-494 AC-7 | Suite contract reflects reality | `suite/_docs/10_auth.md` lives outside this workspace; this cycle's deploy report documents that satellite-provider validates iss/aud locally and the prod values are admin-team-confirmed at deploy time | ◐ deferred (cross-repo write) |
|
||||||
|
| AZ-491 AC-1 | Single source of truth — only one `JwtTokenFactory` exists in source | Structural: repo-wide grep returns exactly `SatelliteProvider.TestSupport/JwtTokenFactory.cs`; the legacy `SatelliteProvider.Tests/TestUtilities/JwtTokenFactory.cs` was deleted in batch 02 | ✓ |
|
||||||
|
| AZ-491 AC-2 | Existing integration tests pass unchanged | Full integration suite at Step 11 (`./scripts/run-tests.sh --full`) — all green | ✓ |
|
||||||
|
| AZ-491 AC-3 | Existing unit tests pass unchanged | Unit suite at Step 11 (Step 1 of `run-tests.sh`) — all green | ✓ |
|
||||||
|
| AZ-491 AC-4 | Runner-side concerns preserved in `JwtTestHelpers` (env reads, HttpClient mutation stay in IntegrationTests) | Structural: `JwtTokenFactory` (pure) in TestSupport; `JwtTestHelpers` (side-effectful) in IntegrationTests — documented in `module-layout.md` | ✓ |
|
||||||
|
| AZ-491 AC-5 | Cycle-2 fixes remain effective (AZ-487/AZ-488 token-validation invariants preserved) | Integration scenarios `JwtIntegrationTests.AnonymousRequest_*`, `_ExpiredToken_Returns401`, `_InvalidSignature_Returns401`, `_ValidToken_Returns200_OnHealthyEndpoint`, `UavUploadTests.*` — all migrated to `MintAuthenticated` and still PASS at Step 11 | ✓ |
|
||||||
|
| AZ-491 AC-6 | Code-review rule lands to prevent re-duplication | `.cursor/skills/code-review/SKILL.md` Phase 6 rule added in batch 02 (Cycle-3 review SKILL update) | ✓ |
|
||||||
|
| AZ-493 AC-1 | Empty-state on startup — no leftover rows from previous run | `IntegrationTestDatabaseReset.ResetAsync` invoked at runner start; uniqueness assumptions in `UavUploadTests` (`source='uav'` rows per coordinate) hold without the wall-clock workaround | ✓ |
|
||||||
|
| AZ-493 AC-2 | Wallclock workaround no longer needed | Structural: `UavUploadTests` no longer offsets coordinates by `DateTime.UtcNow.Ticks % …` to dodge stale rows; coordinates are now deterministic per scenario | ✓ |
|
||||||
|
| AZ-493 AC-3 | Opt-out preserves state (`--keep-state` flag skips reset) | `scripts/run-tests.sh` parses `--keep-state`, sets `INTEGRATION_TEST_DB_RESET=skip`, and `Program.cs` honours that env var | ✓ |
|
||||||
|
| AZ-493 AC-4 | Reset only fires in test environment (two-guard model) | Unit: `IntegrationTestResetGuardTests` (env sentinel + Host allowlist `postgres`/`localhost`/`127.0.0.1`; production-shape hostnames rejected) | ✓ |
|
||||||
|
| AZ-493 AC-5 | Documentation reflects new convention | doc-state AC — `_docs/02_document/module-layout.md` + `_docs/02_document/modules/tests_integration.md` updated in batch 03 | ✓ |
|
||||||
|
| AZ-493 AC-6 | Existing tests pass unchanged | Full integration suite at Step 11 — all green | ✓ |
|
||||||
|
| AZ-495 AC-1..AC-N | Doc folder convention formalized | doc-state AC — `.cursor/skills/new-task/SKILL.md` updated in batch 01; `_docs/02_document/module-layout.md` carries the convention | ✓ |
|
||||||
|
| AZ-496 AC-1 | `Microsoft.AspNetCore.Authentication.JwtBearer` bumped 8.0.21 → 8.0.25 in `SatelliteProvider.Api.csproj` | Structural: csproj diff visible in batch 01 commit; transitive update propagates to `Tests.csproj` via `ProjectReference` | ✓ |
|
||||||
|
| AZ-496 AC-2..AC-N | Suite still green at the new version | Full unit + integration suite at Step 11 — all green; SEC-05..SEC-11 + AZ-494 AC-1/AC-2 (which depend on `JwtBearer`) all PASS | ✓ |
|
||||||
|
|
||||||
## Restrictions → Test Mapping
|
## Restrictions → Test Mapping
|
||||||
|
|
||||||
|
|||||||
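Review bot: The `AZ-495 AC-1..AC-N` and `AZ-496 AC-2..AC-N` rows use an open-ended range, so the matrix cannot show which acceptance criteria were actually checked; list each AC on its own row, as is done for AZ-491 and AZ-493. The AZ-491 and AZ-493 rows also cite "Step 11" as the green run, while the commit message states that Step 11 was recorded from the Implement Step 16 gate without a second run; cite that run directly, as the AZ-494 AC-5 row already does.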
@@ -2,13 +2,13 @@
|
|||||||
|
|
||||||
## Current Step
|
## Current Step
|
||||||
flow: existing-code
|
flow: existing-code
|
||||||
step: 10
|
step: 13
|
||||||
name: Implement
|
name: Update Docs
|
||||||
status: completed
|
status: completed
|
||||||
sub_step:
|
sub_step:
|
||||||
phase: 16
|
phase: 5
|
||||||
name: full-test-suite-passed
|
name: ripple-log-written
|
||||||
detail: "Step 16 PASS: ./scripts/run-tests.sh --full green. 5 batches landed (AZ-495+AZ-496, AZ-491, AZ-493, AZ-492, AZ-494). 2 cumulative reviews: 01-03 + 04-05 both PASS_WITH_WARNINGS. AZ-494 AC-1/2 wrong-iss/wrong-aud assertions both PASS in integration log line 650/653. 4 new fail-fast unit tests PASS. Cycle 3 implementation complete."
|
detail: "Step 11 PASS (full suite via Implement gate, log /tmp/run-tests-cycle3-step16.log). Step 12 PASS — cycle-update mode appended traceability rows for AZ-491/AZ-493/AZ-495/AZ-496 + AZ-494 SEC-12/SEC-13 cross-refs; SEC-12 + SEC-13 scenarios added to security-tests.md; environment.md env-var table extended with JWT_*/INTEGRATION_TEST_DB_RESET. Step 13 PASS — most module/architecture/security docs were updated inline during batches; consolidated stale tests_unit.md duplicate AuthenticationServiceCollectionExtensionsTests entry; produced ripple_log_cycle3.md. Next: Step 14 (Security Audit, optional gate)."
|
||||||
retry_count: 0
|
retry_count: 0
|
||||||
cycle: 3
|
cycle: 3
|
||||||
tracker: jira
|
tracker: jira
|
||||||
|
|||||||
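Review bot: The new `detail` value points to `/tmp/run-tests-cycle3-step16.log` as the evidence for the Step 11 PASS, a temporary path outside the repository that other readers cannot open. Reference an archived artifact instead, or drop the path. The replaced text recorded both cumulative reviews as `PASS_WITH_WARNINGS`; the new text no longer mentions them, so note where those warnings are tracked before the optional Step 14 gate.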