37 Commits

Author	SHA1	Message	Date
Oleksandr Bezdieniezhnykh	01d7e7d584	Sanitize 400 error messages in GlobalExceptionHandler and validation filters to use static strings. This change improves consistency and prevents leaking internal exception details. Updated tests to reflect new error messages for JSON parsing and bad request scenarios.	2026-06-25 19:02:25 +03:00
Oleksandr Bezdieniezhnykh	7ed780b063	[AZ-1074] [AZ-1075] Cycle 9 closeout: security, tests, metrics ... Resolve F-AZ1074-1/2 (collection caps, generic gRPC internal errors). Standalone integration compose stack, docs, security audit, perf and retro. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-06-25 17:32:14 +03:00
Oleksandr Bezdieniezhnykh	275ee1b554	Add TileProvision configuration and gRPC service for tile delivery ... - Introduced new TileProvision settings in appsettings.json, including MaxTilesPerBatch and ProgressEmitIntervalSeconds. - Configured TileProvisionConfig in Program.cs to bind the new settings. - Added gRPC service for RouteTileDelivery in Program.cs to handle tile delivery requests. - Updated SatelliteProvider.Api.csproj to include Grpc.AspNetCore package and added protobuf file for tile provision. - Enhanced AuthenticationServiceCollectionExtensions to handle JWT token extraction from the Authorization header. - Registered additional services in RouteManagementServiceCollectionExtensions for tile processing. These changes enhance the API's capability to manage tile provisioning and delivery efficiently.	2026-06-23 13:18:59 +03:00
Oleksandr Bezdieniezhnykh	8fca6e0209	[AZ-809] F-AZ809-1: cap geofences.polygons at 50 (security audit) ... Closes the cycle-8 Medium DoS finding. Without the cap, an authenticated caller could submit millions of bbox polygons in a single 500 MiB request (Kestrel global limit) and saturate the FluentValidation allocator on the validator hot path; each polygon is ~90 bytes of JSON, so the body limit is not a useful gate. Realistic use is 1-10 polygons per route — 50 leaves 5x headroom while bounding the worst-case allocation. Layers: - CreateRouteRequestValidator: MaxPolygons = 50 + Must(...) chained before RuleForEach so the count error fires at "geofences.polygons" (not the leaf path). - Unit: Validate_GeofencePolygonsTooMany_FailsCountRule. - Integration: GeofencePolygonsTooMany_Returns400 (51 valid bbox polygons -> HTTP 400 + errors["geofences.polygons"]). - Contract: route-creation.md -> v1.0.1 patch (tightening an existing range). New Inv-10, new geofence-polygons-too-many test case, changelog row. - Test spec: BT-29 sub-case 9b + AZ-809 AC-1b row in the traceability matrix. - Security report: F-AZ809-1 marked RESOLVED in cycle 8; verdict remains PASS_WITH_WARNINGS (Lows + carry-overs unchanged). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-23 15:29:10 +03:00
Oleksandr Bezdieniezhnykh	6207ab7c27	[AZ-808] [AZ-809] [AZ-810] [AZ-811] [AZ-812] Cycle 8 docs sync ... Phase 13 of autodev existing-code flow — document skill in task mode. Targeted updates to system-level docs that the per-batch implementation commits did not already cover. Per-module docs (api_program.md, common_dtos.md, system-flows.md F1/F2/F4) and the 4 new contract docs (region-request.md, route-creation.md, tile-latlon.md, uav-tile-upload.md v1.2.0) were already updated during Step 10 batch commits and were verified-clean here. architecture.md - Bump contracts inventory line to mention uav-tile-upload.md v1.2.0 (was v1.1.0) and add the four cycle-8 contracts (region-request, route-creation, tile-latlon, error-shape) so the contract index in architecture.md is no longer stale relative to the implemented endpoints. - Add new architectural principle "Strict wire-format validation at the API edge (AZ-795 epic, completed across cycles 7-8)" to the Architectural Principles list. Describes the two-layer enforcement (deserializer + FluentValidation), the three approved per-endpoint paths (WithValidation<T> for JSON bodies, UavUploadValidationFilter for multipart, RejectUnknownQueryParams EndpointFilter + WithValidation<TQuery> for query strings), and the no-handler-without-validation rule. ripple_log_cycle8.md - New cycle-8 ripple log following the cycle-7 template. Documents every directly-changed source file, the importer scan results, doc refresh decisions, and the no-ripple component list. - Records the AZ-795 epic posture: cycle 8 closes the per-endpoint rollout. Every public-facing JSON, multipart, and query-param endpoint now goes through one of the three approved paths. The exempt endpoints (GET region/{id}, GET route/{id}, GET tiles/mgrs stub, GET tiles/{z}/{x}/{y}) are listed with justification. State - Advance autodev to Step 14 (Security Audit), sub_step phase 0 awaiting-choice. No production code change; no test code change. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-23 14:32:57 +03:00
Oleksandr Bezdieniezhnykh	ec0eb909a1	[AZ-808] [AZ-809] [AZ-810] [AZ-811] [AZ-812] Cycle 8 test-spec sync ... Phase 12 of autodev existing-code flow — cycle-update mode of the test-spec skill. Append cycle-8 coverage to the documentation suite without rewriting any pre-cycle-8 content. blackbox-tests.md - Add 4 new BT entries (BT-28..BT-31) — one per cycle-8 endpoint: - BT-28: Region request endpoint strict validation + OSM rename (AZ-808 + AZ-812; 11 sub-cases through the new `RegionRequest Validator` + the AZ-795 deserializer infra; sub-case `pos` proves the new `lat`/`lon` names accepted, sub-case `9` proves the old `latitude`/`longitude` rejected by `UnmappedMemberHandling.Disallow`). - BT-29: Create route endpoint nested + cross-field validation (AZ-809; 15 sub-cases covering nested per-point validators, geofence cross-field invariants, and the `createTilesZip` / `requestMaps` cross-field rule; advisory ACs 9 + 10 explicitly NOT tested per spec). - BT-30: UAV upload metadata multipart validation (AZ-810; 14 sub-cases across the three-layer composition: deserializer, FluentValidation, envelope cross-field; documents the unique `errors["metadata"]` vs `errors["metadata.items[i].field"]` key convention for multipart endpoints). - BT-31: GET tiles/latlon query-param validation + unknown-param rejection (AZ-811; 8 sub-cases; sub-cases 4b + 4c prove the novel `UnknownQueryParameterEndpointFilter` rejects both legacy and hostile unknown query keys). traceability-matrix.md - Append 41 AC rows (AZ-808 AC-1..AC-8, AZ-809 AC-1..AC-10, AZ-810 AC-1..AC-9, AZ-811 AC-1..AC-9, AZ-812 AC-1..AC-6). - Update Coverage Summary: cycle-8 row added; Total moves from 126 tests / 75 ACs to 167 tests / 116 ACs. - Add "Coverage shape notes (Cycle 8 ...)" section explaining the multipart enforcement shape (AZ-810), the new query-param filter (AZ-811), the AZ-808 + AZ-812 same-cycle coordination, and the AZ-810 AC-9 process annotation (false-PASS by source tracing → bound to green full-suite re-run after the test-data coord-clamp fix in commit b763da3). - AZ-809 AC-9 + AC-10 marked as `◐ advisory (not tested)` — naming-consistency concerns surfaced for parent-suite team decision. State - Advance autodev to Step 13 (Update Docs), sub_step phase 0 awaiting-invocation. No production code change; no contract change; no test code change. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-23 14:28:17 +03:00
Oleksandr Bezdieniezhnykh	490902c80a	[AZ-810] Strict validation for POST /api/satellite/upload metadata ... Adds the per-endpoint child of AZ-795 ("Strict Input Validation Epic") for the UAV upload multipart endpoint. Three new validators land under SatelliteProvider.Api/Validators/: - UavTileBatchMetadataPayloadValidator: items NotNull + NotEmpty + count <= MaxBatchSize + RuleForEach dispatching to the per-item validator. - UavTileMetadataValidator: lat / lon / tileZoom range, tileSizeMeters > 0, capturedAt within [now - MaxAgeDays, now + future-skew]; uses an injectable TimeProvider so unit tests can drive a fixed clock. - UavUploadValidationFilter: IEndpointFilter that reads the multipart `metadata` form field, deserializes it with the strict global JsonSerializerOptions (so UnmappedMemberHandling.Disallow + [JsonRequired] from AZ-795 are honored), runs the FluentValidation chain, and enforces the cross-field `items.Count == files.Count` envelope rule. FluentValidation errors are prefixed with `metadata.` so wire keys look like `errors["metadata.items[0].latitude"]`. [JsonRequired] is added to every non-optional axis on UavTileMetadata and UavTileBatchMetadataPayload; FlightId stays nullable per AZ-503 anonymous-flight semantics. Coverage: 13 unit tests + 16 integration tests + 1 curl probe script exercise the happy path and every failure mode. All 9 ACs covered; no regression in AZ-488 UavUploadTests payloads (traced against the new rules). Documentation: uav-tile-upload.md bumped v1.1.0 -> v1.2.0 with the new validation rules section + 400-shape examples + changelog entry. api_program.md updated to describe the three new validators + filter + the AddTransient<UavUploadValidationFilter>() DI registration. Reports: batch_04_cycle8_report.md + reviews/batch_04_cycle8_review.md record the PASS_WITH_WARNINGS verdict (2 Low DRY-in-tests findings: FixedTimeProvider duplication crossed the cycle-2 "promote to shared" threshold; PostBatch helper duplicated between two integration suites). Both deferred to follow-up PBIs. Task spec archived: _docs/02_tasks/todo/AZ-810... -> done/. Jira: AZ-810 transitioned In Progress -> In Testing. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-23 13:32:19 +03:00
Oleksandr Bezdieniezhnykh	5e056b2334	[AZ-809] Strict validation for POST /api/satellite/route ... Third concrete child of AZ-795 (cycle 8 batch 3). FluentValidation + [JsonRequired] + UnmappedMemberHandling.Disallow combine to reject every malformed payload at the API boundary with RFC 7807 ValidationProblemDetails. Validators (SatelliteProvider.Api/Validators/, all new) - CreateRouteRequestValidator: id non-empty, name/description length, regionSizeMeters/zoomLevel ranges, points count [2, 500], cross-field createTilesZip => requestMaps. Chains RoutePointValidator (per-point) and GeofencePolygonValidator (per-polygon, guarded by When(Geofences != null)). OverridePropertyName("geofences.polygons") on the geofences chain so FluentValidation's default leaf-only key policy doesn't drop the parent path on deep expressions like req.Geofences!.Polygons. - RoutePointValidator: lat/lon ranges; OverridePropertyName("lat"/"lon") chained AFTER InclusiveBetween (the extension is defined on IRuleBuilderOptions<T, TProperty>, so the generic type is only inferable after the first concrete rule) so error keys match the wire format (`points[i].lat`) rather than the C# property name (`points[i].latitude`). - GeofencePolygonValidator: per-corner range checks via private nested GeoCornerValidator; cross-field NW.Lat > SE.Lat and NW.Lon < SE.Lon invariants emit at errors["geofences.polygons[i].northWest"]. DTOs (SatelliteProvider.Common/DTO/, [JsonRequired] additions only) - CreateRouteRequest: id, name, regionSizeMeters, zoomLevel, points, requestMaps, createTilesZip - RoutePoint: Latitude, Longitude - GeofencePolygon: NorthWest, SouthEast; Geofences: Polygons - GeoPoint: Lat, Lon Tests - Unit: 26 methods total — 16 in CreateRouteRequestValidatorTests, 6 in GeofencePolygonValidatorTests, 4 in RoutePointValidatorTests. Each RuleFor/RuleForEach chain has at least one positive + one negative case. - Integration: CreateRouteValidationTests.cs — 16 methods (happy + 15 failure modes) wired into smoke + full suites. Covers empty body, missing/zero id, empty name, out-of-range regionSizeMeters/zoomLevel, points count < 2, per-point lat/lon out-of-range, geofence invariants, missing requestMaps, cross-field createTilesZip, unknown root field, nested type mismatch. - Manual probe: scripts/probe_route_validation.sh curl-exercises every failure mode end-to-end + happy path. Docs - New contract _docs/02_document/contracts/api/route-creation.md v1.0.0 with nested DTO chain, invariants, per-field test cases table, and advisories on the legacy service-layer RouteValidator + the input/output RoutePoint vs RoutePointDto naming asymmetry. - system-flows.md F4 sequence diagram extended with the validation-filter branch; preconditions + error scenarios reference the new contract. - modules/api_program.md: CreateRoute handler section added; Api/Validators bumped to AZ-808/AZ-809/AZ-811. - modules/common_dtos.md: DTO descriptions updated with [JsonRequired] annotations and constraint summaries. - tests/blackbox-tests.md BT-06/BT-N03/BT-N04/BT-N05 align with the new wire format and named error keys. - tests/security-tests.md SEC-04 references GlobalExceptionHandler's JsonException branch + AZ-353 correlationId. - _docs/03_implementation/batch_03_cycle8_report.md + reviews/batch_03_cycle8_review.md (PASS_WITH_NOTES — F1 Low: OverridePropertyName documented inline, F2 + F3 Info: pre-existing advisories for follow-up). Smoke green (mode=smoke, exit 0). AZ-809 transitioned to In Testing on Jira. Task file moved to _docs/02_tasks/done/. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-22 17:49:48 +03:00
Oleksandr Bezdieniezhnykh	34ee1e0b83	[AZ-808] [AZ-811] Strict validation on region POST + lat/lon GET ... AZ-808: FluentValidation for POST /api/satellite/request - RegionRequestValidator: id non-empty, lat/lon/sizeMeters/zoomLevel ranges - RequestRegionRequest: [JsonRequired] on every property, no implicit defaults - Wired via .WithValidation<RequestRegionRequest>() in MapPost chain - Unit + integration tests + curl probe script - New contract: contracts/api/region-request.md v1.0.0 AZ-811: FluentValidation + envelope filter for GET /api/satellite/tiles/latlon - GetTileByLatLonQuery: nullable record (double?/int?) so the minimal-API binder never short-circuits with BadHttpRequestException before filters - GetTileByLatLonQueryValidator: Cascade(Stop) + NotNull + InclusiveBetween per param; missing surfaces as `\`<name>\` is required.` - RejectUnknownQueryParamsEndpointFilter: reusable IEndpointFilter that rejects any query key outside the allowed set with errors[<key>] map; catches legacy `?Latitude=` typos and hostile probes (`?debug=1&admin=1`) - Handler: [AsParameters] GetTileByLatLonQuery + .Value deref post-validator - Unit (validator + filter) + integration tests + curl probe script - New contract: contracts/api/tile-latlon.md v1.0.0 Shared hygiene - Promote AssertErrorsContainsMention from per-test-file private helpers to ProblemDetailsAssertions (closes batch-1 Low-severity DRY warning) - Sync Swagger param descriptions, README, blackbox/security/perf scripts, uuidv5 doc with the new lat/lon/zoom query-param names Docs - system-flows.md F1/F2 reference the new contracts + validation layers - modules/api_program.md adds Api/Validators + Api/DTOs sections - _autodev_state.md: batch 2 of 4 complete; next batch = AZ-809 All smoke tests green (mode=smoke, exit 0). AZ-808 + AZ-811 transitioned to In Testing on Jira. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-22 16:29:41 +03:00
Oleksandr Bezdieniezhnykh	fcd494f67e	[AZ-812] Region API: rename Latitude/Longitude → Lat/Lon (OSM convention) ... Mirror of AZ-794 (inventory z/x/y rename). RequestRegionRequest.cs renames C# props Latitude→Lat / Longitude→Lon and adds [JsonPropertyName("lat"/"lon")] so the wire format is unambiguous under the AZ-795 strict-parsing stack (UnmappedMemberHandling.Disallow → legacy {"latitude":..,"longitude":..} now returns HTTP 400 instead of silently coercing). Updates all in-repo consumers: API handler (Program.cs), integration tests (Models.cs, RegionTests.cs, IdempotentPostTests.cs, SecurityTests.cs), the performance harness (run-performance-tests.sh PT-03/04/05/07), and module docs (common_dtos.md, api_program.md; system-flows.md F2 already used lat/lon). New RegionFieldRenameTests.cs covers AC-4 both directions (new format → 200, legacy format → 400). Smoke green; no regressions. region-request.md contract doc not bumped here — AZ-808 publishes v1.0.0 directly with the post-rename names per AZ-812 coordination clause. Batch 01 of cycle 8. PASS_WITH_WARNINGS (one Low DRY finding for follow-up test-helper consolidation; details in _docs/03_implementation/reviews/batch_01_cycle8_review.md). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-22 15:54:53 +03:00
Oleksandr Bezdieniezhnykh	bc04ba7f99	[AZ-794] [AZ-795] [AZ-796] Cycle 7 Steps 12-15 sync (test-spec / docs / security / perf) ... Step 12 (Test-Spec Sync): adds BT-27 for the AZ-796 9-rule validation surface and 12 cycle-7 AC rows + Coverage Summary update to traceability-matrix.md. Step 13 (Update Docs): module-layout + module docs for the new SatelliteProvider.Api/Validators namespace + GlobalExceptionHandler + updated TileInventory DTO; tests_unit + tests_integration document the new InventoryRequestValidatorTests (16 unit tests covering all 9 rules) + TileInventoryValidationTests (16 integration tests) + ProblemDetailsAssertions support; glossary entries for Validation Problem Details / FluentValidation / Unmapped Member Handling; system-flows F8 (Tile Inventory Bulk Lookup) expanded with deserializer + validator gates and a 13-row Validation Surface table; data_parameters § Tile Inventory documents the v2 input schema + constraints; ripple_log_cycle7 captures the doc-side ripple decisions. Step 14 (Security Audit): 5-phase audit ran; verdict PASS_WITH_WARNINGS (3 Low findings — D-AZ795-1 FluentValidation 12.0.0 -> 12.1.1 recommended bump, F-AZ795-1 JsonException.Message leak in 400 detail, F-AZ795-2 BadHttpRequestException.Message leak). No Critical / High; auth runs before validation (confirmed in Program.cs); two NuGet additions (FluentValidation 12.0.0 + .DependencyInjectionExtensions 12.0.0) both CVE-clean. Per-phase reports plus consolidated security_report_cycle7.md. Step 15 (Performance Test): docker compose stack used for perf run, scripts/run-performance-tests.sh exited 0 with 8/8 scenarios PASS (second consecutive clean exit-0); added PT-09 cycle-7 smoke probe (v2 z/x/y schema, 2500-tile all-miss batch) measuring min=27ms median=44ms p95=73ms max=86ms (13.7x under AZ-505 AC-4 1000ms budget). PT-07/08 improvements traced to the cycle-6 TLS handshake-overhead identification, not application-side change. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-22 11:24:27 +03:00
Oleksandr Bezdieniezhnykh	865dfdb3b9	[AZ-794] [AZ-795] [AZ-796] Strict input validation + z/x/y rename ... AZ-794: rename inventory wire fields tileZoom/tileX/tileY -> z/x/y to match the slippy-map URL convention. Contract bumped to v2.0.0. AZ-795: shared validation infrastructure -- FluentValidation + ValidationEndpointFilter + GlobalValidatorConfig (camelCase paths). GlobalExceptionHandler now converts JsonException (UnmappedMember + JsonRequired) into RFC 7807 ValidationProblemDetails. JSON layer hardened with UnmappedMemberHandling.Disallow + camelCase naming policy. New error-shape.md contract. AZ-796: InventoryRequestValidator covers 9 rules (XOR tiles vs locationHashes, cap 1000, z 0..22, x/y in slippy bounds, hash length/charset). 16 unit tests + 16 integration tests + a manual curl probe script. Adjacent fixes uncovered by the new strict layer: - IdempotentPostTests RoutePoint payload corrected to lat/lon (the DTO has used JsonPropertyName for ages; previously silently ignored under PascalCase fallback). - TileInventoryTests slippy x/y reduced to fit z=18 bounds. - docker-compose.yml host port for Postgres moved 5432 -> 5433 to avoid sibling-project conflict; appsettings.Development + README + AGENTS + architecture + containerization docs aligned. New coderule (suite + repo): API consumer-facing OpenAPI descriptions must not contain task IDs, contract filenames, or version-bump history -- internal change tracking belongs in commits/contract docs/changelogs. Existing offending descriptions in Program.cs cleaned up. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-22 10:02:02 +03:00
Oleksandr Bezdieniezhnykh	5d84d2839e	[AZ-505] Test-spec sync + task-mode doc updates for cycle 6 ... Step 12 (Test-Spec Sync, cycle-update mode): - blackbox-tests.md: append BT-23..BT-26 for AZ-505's new observable behaviors (inventory order/shape; leaflet most-recent via location_hash; HTTP/2 multiplex over TLS+ALPN; request validation). - performance-tests.md: append PT-09 (inventory p95 ≤ 1000ms / 2500 tiles); records cycle-6 measured p95=66ms; documents promotion path to scripts/run-performance-tests.sh if budget ever tightens. - traceability-matrix.md: resolve the 5 AZ-503 deferrals (AC-5/6/9/10/12) by pointing at AZ-505 test names + add 7 AZ-505 AC rows (AC-1..AC-7) + bump totals (90 -> 94 tests, 56/56 -> 63/63 in-scope) + add cycle-6 coverage shape notes (budget relaxation rationale, voting-filter deferral note, TLS+ALPN pivot, NFR propagation). Step 13 (Update Docs, task mode): - common_dtos.md: add 5 new TileInventory DTOs. - common_interfaces.md: add ITileService.GetInventoryAsync. - services_tile_service.md: document TileService.GetInventoryAsync steps + the XOR-validation-in-handler note. - dataaccess_migrator.md: bump migration count 14 -> 15; describe migration 015 (AZ-505 leaflet covering index, lock window, INCLUDE-list trade-off). - system-flows.md: add F7 (Leaflet Tile Serving, AZ-310 + AZ-505 location_hash rewire + TLS+ALPN) and F8 (Tile Inventory Bulk Lookup) with sequence diagrams, validation surface, and AC-4 perf evidence. Update Flow Inventory + Dependencies tables accordingly. - glossary.md: add "Tile Inventory" entry pointing at the v1.0.0 contract. - ripple_log_cycle6.md: new file — exhaustive reverse-dependency analysis confirms zero stale downstream module docs. Advance autodev state from step 11 -> 14 (skipping 12+13 as completed in this commit; auto-chain through Step 14 = Security Audit optional gate). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 22:29:22 +03:00
Oleksandr Bezdieniezhnykh	c74a2339aa	[AZ-505] AC-5 fix: enable TLS for HTTP/2 via ALPN ... Kestrel with HttpProtocols.Http1AndHttp2 on a plaintext listener silently downgrades to HTTP/1.1-only (logs "HTTP/2 is not enabled ... TLS is not enabled"), so AC-5's multiplexed-GET test failed with HTTP_1_1_REQUIRED. ALPN cannot run over plaintext, so the fix switches the dev listener to TLS on https://+:8080: - scripts/run-tests.sh generates a self-signed dev cert idempotently (./certs/api.pfx + api.crt) via openssl in an alpine container; certs/ is gitignored. - docker-compose.yml binds Kestrel to ASPNETCORE_URLS=https://+:8080 with Kestrel__Certificates__Default__Path bound to the .pfx. - docker-compose.tests.yml mounts api.crt into the integration-tests container's CA store and runs update-ca-certificates so HttpClient trusts the cert transparently; default API_URL is now https://api:8080. - Drop the obsolete Http2UnencryptedSupport AppContext switch from Http2MultiplexingTests; ALPN over TLS handles negotiation. Test-data fixes caught on the post-TLS rerun (independent of the TLS switch but surfaced together): - Http2MultiplexingTests: switch slippy coords from (154321, 95812) -- which Google Maps returns 404 for -- to (158485, 91707), the slippy projection of (47.461747, 37.647063) already exercised by JwtIntegrationTests. - TileInventoryTests + LeafletPathIndexOnlyTests: SpecifyKind to Unspecified at the binding site for raw Npgsql seed paths writing into tiles.captured_at / created_at / updated_at (TIMESTAMP without tz). Npgsql v6+ refuses Kind=Utc into plain timestamp columns; production goes through Dapper and never hits this code path. - MigrationTests Az503NewUniqueIndexCoversIntegerKeyAndFlightId: accept either idx_tiles_location_hash (migration 014) or its AZ-505 successor tiles_leaflet_path (migration 015) -- both have location_hash as the leading column, which is the AC-9 intent. Docs updated to reflect the TLS+ALPN path: tile-inventory.md Non-Goals, modules/api_program.md, module-layout.md, the AZ-505 task spec's Risk 3, and the cycle 6 implementation + completeness reports. The full integration test suite passes (mode=full, exit 0). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 22:19:26 +03:00
Oleksandr Bezdieniezhnykh	909f69cb3a	[AZ-505] Tile inventory endpoint + HTTP/2 + Leaflet covering index ... Production code: - POST /api/satellite/tiles/inventory (XOR body, 5000-cap, most-recent-per-location_hash select, present/absent shaping). - Kestrel HttpProtocols.Http1AndHttp2 on every listener (AC-5). - Migration 015 creates tiles_leaflet_path covering index over (location_hash, captured_at DESC, updated_at DESC, id DESC) INCLUDE (file_path, source); drops superseded idx_tiles_location_hash. - TileRepository.GetByTileCoordinatesAsync rewired to filter by location_hash (Index Only Scan via tiles_leaflet_path). - TileRepository.GetTilesByLocationHashesAsync added with Npgsql- direct ANY($1::uuid[]) binding (Dapper IEnumerable expansion is incompatible with the array form). - Uuidv5.LocationHashForTile centralises the UUIDv5(TileNamespace, "{z}/{x}/{y}") formula — single source of truth for the cross-repo invariant (gps-denied-onboard parity). Contracts: - New: contracts/api/tile-inventory.md v1.0.0. - Bumped: contracts/data-access/tile-storage.md to v2.0.0 (joint ownership by AZ-503-foundation + AZ-505: schema + covering index + GetByTileCoordinatesAsync rewrite). Tests: - TileInventoryTests covers AC-1, AC-2 (DB-level), AC-4, AC-6. - Http2MultiplexingTests covers AC-5 (20 concurrent multiplexed GETs over h2c via SocketsHttpHandler + AppContext Http2Unencrypted switch). - LeafletPathIndexOnlyTests covers AC-3 (EXPLAIN (ANALYZE, BUFFERS) asserts Index Only Scan over tiles_leaflet_path with heap_blocks=0). Docs: - architecture.md, system-flows.md, data_model.md, module-layout.md, glossary.md, modules/api_program.md, modules/dataaccess_tile_repository.md, components/02_data_access/description.md all updated to reference the v2.0.0 tile-storage contract + new tile-inventory contract + AC-7. Reports: - batch_01_cycle6_report.md, batch_01_cycle6_review.md, implementation_completeness_cycle6_report.md (PASS), implementation_report_tile_inventory_cycle6.md. Task spec moved todo/ -> done/. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 21:16:37 +03:00
Oleksandr Bezdieniezhnykh	61612044fb	[AZ-503] [AZ-504] Cycle 5 Steps 11-15 sync ... Wrap up cycle 5 verification + documentation: - Steps 10/11 wrap-up reports (implementation_completeness + implementation_report) for the AZ-503-foundation + AZ-504 batch. - Step 12 test-spec sync: AZ-503-foundation/AZ-504 ACs appended; AZ-505 deferred ACs recorded. - Step 13 update-docs: architecture, data-model, glossary, module- layout, uav-tile-upload contract (v1.1.0), DataAccess + Services + Tests module docs synced; new common_uuidv5.md module doc. - Step 14 security audit: PASS_WITH_WARNINGS; 0 new Critical/High; 2 new Low informational (F1 flightId provenance, F2 pgcrypto deploy gap). - Step 15 performance test: PASS_WITH_INFRA_WARNINGS; PT-08 passed twice (AZ-504 fix verified); PT-01/02 failed due to recurring local Docker/colima DNS cold-start (not an app regression). Cycle-3 perf-harness leftover stays OPEN with replay #5 documented. - Autodev state moved to Step 16 (Deploy). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 18:01:27 +03:00
Oleksandr Bezdieniezhnykh	af4219fce6	[AZ-500] Cycle 4 Steps 12-15 sync (test-spec / docs / security / perf) ... Step 12 (Test-Spec Sync) - cycle-update mode - traceability-matrix: 8 AZ-500 AC rows + .NET 10 runtime restriction supersession + Cycle-4 coverage shape note (no new tests; ACs verified by re-running existing 78-test suite + build pipeline + manifest grep) Step 13 (Update Docs) - task mode - FINAL_report, 00_discovery, architecture, module-layout, api_program, tests_unit: .NET 8 -> .NET 10 / C# 12 -> 14 / Swashbuckle 6.6.2 -> 10.1.7 + Microsoft.OpenApi 2.x refactor note in api_program; Serilog.AspNetCore 8.0.3 fallback documented inline per AZ-500 Risk #4 - deployment/{containerization, ci_cd_pipeline}: Docker aspnet/sdk:8.0 -> :10.0 - ripple_log_cycle4: empty import-graph ripple recorded (Program.cs is entry point; ParameterDescriptionFilter only consumed by Program.cs; csproj/global.json/Dockerfile have no import edges) Step 14 (Security Audit) - resume mode - dependency_scan_cycle4: AZ-500 19-package delta scanned; cycle-3 D1+D3 (CVE-2026-26130) closed by major-version bump; cycle-3 D2 (Test.Sdk 17.8.0 NuGet.Frameworks flag) carried over - explicitly out of AZ-500 scope - security_report_cycle4: PASS_WITH_WARNINGS (only carry-over Medium open; AZ-500 introduced 0 new Critical/High); cycle-3 static_analysis/owasp_review/infrastructure_review carried forward unchanged (AZ-500 made no source-level edits to those surfaces) Step 15 (Performance Test) - perf mode, full default-param run - perf_2026-05-12_cycle4: 7 Pass + 1 Unverified (PT-08 hit pre-existing scripts/run-performance-tests.sh:417 grep- pipefail bug, NOT a .NET 10 regression) - PT-07 warm p95 = 301ms (7.7x improvement vs cycle-3 short variant - .NET 10 pipeline + N=20 dilution); cold p95 = 2782ms (-14%); PT-06 90ms (-49%) - AZ-500 NFR (Performance) MET for 7/8 scenarios - Cycle-3 perf-harness leftover updated with replay #3 results; STAYS OPEN per AZ-500 Constraint (deletes only on fully clean run) Recommended follow-up PBIs (out of cycle-4 scope, surfaced for the backlog): - 1 SP fix scripts/run-performance-tests.sh:416-417 grep- pipefail (replace grep -o ... | wc -l with grep -c ... || true) - unblocks PT-08 + closes the cycle-3 perf leftover - 3 SP migrate WithOpenApi(...) callsites to ASP.NET Core 10 minimal-API metadata extensions (clears 8 ASPDEPR002 warnings; recorded in batch_01_cycle4_review.md) - 1 SP Microsoft.OpenApi 2.x nullable cleanup (CS8604 in ParameterDescriptionFilter.cs:25) - 1 SP bump Microsoft.NET.Test.Sdk 17.8.0 -> 17.13.0+ (closes cycle-3 D2 NuGet.Frameworks transitive flag) Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 06:05:29 +03:00
Oleksandr Bezdieniezhnykh	813136326f	[AZ-500] .NET 8 -> .NET 10 migration ... Coordinated cross-cutting bump: 9 csproj TFMs net8.0 -> net10.0; global.json sdk.version 8.0.0 -> 10.0.0; all Dockerfiles + scripts/ + .woodpecker on mcr.microsoft.com/dotnet/{sdk,aspnet,runtime}:10.0; all Microsoft.AspNetCore.* (8.0.25) and Microsoft.Extensions.* (9.0.10) packages -> 10.0.7. Serilog.AspNetCore retained at 8.0.3 (10.0.0 requires Serilog.Sinks.File >= 7.0.0; out of AZ-500 scope per "no unrelated package bumps") -- documented in AGENTS.md. Swashbuckle 9.x bumped to 10.1.7 to track Microsoft.OpenApi 2.x; Program.cs + ParameterDescriptionFilter.cs refactored for the 2.x namespace (Microsoft.OpenApi), OpenApiSecuritySchemeReference, JsonSchemaType enum, and IOpenApiSchema dictionary properties. Fixed implicit AC-5 prereq: scripts/run-performance-tests.sh PERF_DLL path bin/Release/ net8.0 -> net10.0. Docs sync: architecture.md + AGENTS.md. ACs verified: AC-1..AC-4 + AC-7 + AC-8 by grep + build; AC-6 by ./scripts/run-tests.sh --full (271/271 unit tests + full integration suite green); AC-5 short bootstrap-smoke (PERF_REPEAT_COUNT=2 PERF_UAV_BATCH_SIZE=2) succeeded at the bootstrap step (no exit 3), PT-01..PT-07 PASS. PT-08 surfaced a pre-existing grep-pipefail bug in run-performance-tests.sh:417 -- not an SDK problem; recorded as follow-up in the perf-cycle3 leftover. Code review verdict: PASS_WITH_WARNINGS (2 Medium deferred per scope discipline: WithOpenApi ASPDEPR002 deprecation x8, CS8604 nullable in ParameterDescriptionFilter.cs; both targeted at follow-up PBIs). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 05:28:01 +03:00
Oleksandr Bezdieniezhnykh	e42bf62152	[AZ-491] [AZ-492] [AZ-493] [AZ-494] [AZ-495] [AZ-496] Cycle 3 Steps 11-13: test-spec sync + ripple log ... Step 11 (Run Tests) is recorded as PASS based on the implement skill's internal Step 16 gate (./scripts/run-tests.sh --full, all-green) per test-run/SKILL.md § Functional Mode — same runner, immediately preceding invocation, no value in a second run. Step 12 (Test-Spec Sync, cycle-update mode): - traceability-matrix.md: rows added for AZ-491 AC-1..AC-6, AZ-493 AC-1..AC-6, AZ-495 (doc convention), AZ-496 AC-1..AC-N (dependency bump); AZ-494 AC-1/AC-2 rows now cross-reference new SEC-12 / SEC-13 blackbox IDs. - security-tests.md: SEC-12 (wrong iss returns 401) and SEC-13 (wrong aud returns 401) appended for AZ-494. - environment.md: Environment Variables table extended with GOOGLE_MAPS_API_KEY, JWT_SECRET, JWT_ISSUER, JWT_AUDIENCE, INTEGRATION_TEST_DB_RESET. Closes a cycle-2 oversight where JWT_SECRET was never recorded. Step 13 (Update Docs, task mode): - tests_unit.md: consolidated the duplicate AuthenticationServiceCollectionExtensionsTests entry that spanned AZ-487 + AZ-494 into one coherent block. - ripple_log_cycle3.md created: per-task source files + every doc that was touched (architecture, module-layout, api_program, tests_unit, tests_integration, traceability, performance-tests, security-tests, environment, security_report, owasp_review, deploy_cycle2, retro_2026-05-11_cycle2). Notes which docs were intentionally NOT touched and the open cross-repo doc ripple (AC-7). Autodev state advanced to Step 13 completed. Next: Step 14 Security Audit (optional gate). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 02:57:45 +03:00
Oleksandr Bezdieniezhnykh	f979e18811	[AZ-494] Enable JWT iss/aud validation with fail-fast startup ... Option B per user decision: production ships with empty Jwt.Issuer / Jwt.Audience in appsettings.json so the API process refuses to start unless JWT_ISSUER + JWT_AUDIENCE env vars are supplied. Development ships with grep-friendly DEV-ONLY- placeholders so local + docker flows keep working unchanged. AuthenticationServiceCollectionExtensions flips ValidateIssuer + ValidateAudience to true and wires ValidIssuer / ValidAudience via a new ResolveRequiredOrThrow helper that all three required values (secret, iss, aud) now share. JwtTokenFactory.Create + CreateExpired gain optional iss / aud parameters (default null) so existing call sites compile unchanged. JwtTestHelpers adds MintAuthenticated / MintExpired wrappers that resolve iss + aud from env, plus ResolveIssuerOrThrow / ResolveAudienceOrThrow. PerfBootstrap.MintToken + Program.cs JWT bootstrap migrated to the new surface so the perf harness and the integration runner both validate against the same contract. Adds 4 fail-fast unit tests (missing/empty issuer + audience), 2 negative integration scenarios (WrongIssuer_Returns401, WrongAudience_Returns401), and re-tags every existing integration mint site via MintAuthenticated. Compose, .env.example, run-tests.sh, run-performance-tests.sh all load + export JWT_ISSUER + JWT_AUDIENCE alongside JWT_SECRET. Resolves F-AUTH-2 (security_report.md + owasp_review.md). AC-7 (cross-repo suite/_docs/10_auth.md write) deferred — outside this workspace; tracked in deploy_cycle2.md R3 follow-up. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 02:28:48 +03:00
Oleksandr Bezdieniezhnykh	080441db5d	[AZ-492] Cycle 3 batch 4: perf harness PT-07 + PT-08 + JWT-attach ... Drains all three deferred perf-harness items in one batch: - PT-01..PT-06 now carry Authorization: Bearer minted via the canonical SatelliteProvider.TestSupport.JwtTokenFactory (AZ-491) — no third copy of JWT logic in the shell. - PT-07 implemented as cold + warm dual-pass distribution (N=20 each), reports p50/p95 for both passes and fails if warm p95 >= cold p95. - PT-08 implemented as 20-batch upload distribution with batch p95 gated at the AZ-488 2000 ms target; per-item gate cost reported as derived proxy (batch_p95 / batch_size). New SatelliteProvider.IntegrationTests/PerfBootstrap.cs adds two CLI short-circuit subcommands (--mint-only and --gen-uav-fixture <path>) invoked by the shell so the perf script never inlines the JWT or JPEG-fixture logic. The dispatch sits at the top of Program.cs Main and runs before any HTTP / DB / readiness setup. performance-tests.md PT-07 + PT-08 flip from Deferred to Implemented. traceability-matrix.md PT-07 + PT-08 rows move from recorded to covered (PT-08 partial due to per-item proxy — flagged Low in batch-4 review). _docs/_process_leftovers/2026-05-11_perf-pt07-harness.md deleted; the leftovers directory is now empty. Closes cycle-2 retro Action 2; LESSONS.md [process] rule about Deferred NFRs remains in force as a guardrail. Also includes the previously-uncommitted cumulative review report for cycle-3 batches 01-03 (generated at the end of batch 3 but not staged). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 01:52:25 +03:00
Oleksandr Bezdieniezhnykh	745f4840e6	[AZ-493] Cycle 3 batch 3: integration test DB-reset hook ... AZ-493 (2 SP): replace the cycle-2 wallclock-seeded _coordinateCounter workaround with a proper Postgres state-reset hook that runs at integration test runner startup, eliminating the per-source-unique-index collision risk that the persistent docker-compose Postgres volume introduced post-AZ-484. The reset is split into two surfaces: * SatelliteProvider.TestSupport.IntegrationTestResetGuard - pure static class, I/O-free, unit-tested. Two independent guards: (a) ASPNETCORE_ENVIRONMENT must equal "Testing", (b) DB_CONNECTION_STRING Host must be in the allowed-host list (postgres, localhost, 127.0.0.1). Failure of either guard surfaces a structured operator-friendly InvalidOperationException. * SatelliteProvider.IntegrationTests.IntegrationTestDatabaseReset - instance class owning the Npgsql side effects. Calls the guard then runs TRUNCATE TABLE route_regions, route_points, routes, regions, tiles RESTART IDENTITY CASCADE inside a single Npgsql transaction. Spec-vs-reality: the task spec prescribed "DB name contains _test" as Guard 2; the actual compose file uses Database=satelliteprovider and DB rename is gated on user confirmation per coderule.mdc. Substituted a Host allowlist as the equivalent guard (intent identical: reject remote / production hosts). Recorded as Low/Spec-Gap in the review. Program.cs adds --keep-state CLI flag and INTEGRATION_KEEP_STATE env var (1/true) opt-outs so a developer can inspect leftover state when debugging. Startup banner shows which path executed. docker-compose.tests.yml gets ASPNETCORE_ENVIRONMENT=Testing + passthrough for INTEGRATION_KEEP_STATE. scripts/run-tests.sh wires the --keep-state flag through to compose. UavUploadTests._coordinateCounter wallclock seed is retained as defense-in-depth (per the task spec's implementer choice). The reset is the primary isolation path; the seed is the belt-and-suspenders fallback for --keep-state runs. 8 new unit tests in SatelliteProvider.Tests/TestSupport/ IntegrationTestResetGuardTests.cs cover Production/Staging/missing-env throw, allowed-host case-insensitivity, disallowed-host rejection with representative prod hostnames, and the AllowedHosts contract. tests_integration.md gains a Reliability section that documents the hook, the two guards, the truncate order, and the three opt-out forms. module-layout.md TestSupport entry extended with the new pure guard and the explicit "Npgsql stays in IntegrationTests" boundary. Test-suite gate (AC-6) deferred to Step 16 Final Test Run per implement skill convention. Per-batch review verdict: PASS_WITH_WARNINGS with 1 Low (spec-vs-reality on Guard 2, non-blocking). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 01:38:42 +03:00
Oleksandr Bezdieniezhnykh	c396740644	[AZ-491] Cycle 3 batch 2: consolidate JWT test-mint helpers into TestSupport ... AZ-491 (3 SP): eliminate the cycle-2 duplicate of JWT-minting logic that existed in both SatelliteProvider.Tests/TestUtilities/ JwtTokenFactory.cs (unit-side) and SatelliteProvider.IntegrationTests/ JwtTestHelpers.cs (integration-side), where the same Expires < NotBefore bug needed parallel fixes in commits f64d0d7 + 11b7074. Option A chosen: new SatelliteProvider.TestSupport class library (no test framework) holds the canonical JwtTokenFactory.Create / CreateExpired / TamperSignature. Both Tests and IntegrationTests consume it via ProjectReference; production projects (Api, Common, DataAccess, Services.*) cannot depend on it. The notBefore-shift workaround is preserved with an inline regression-prevention comment back-referencing the cycle-2 fix commits. SatelliteProvider.IntegrationTests/JwtTestHelpers.cs is stripped to runner-only concerns: ResolveSecretOrThrow, AttachDefaultAuthorization, and the DefaultSubject = "integration-tests" constant. Call sites in Program.cs, JwtIntegrationTests.cs, and UavUploadTests.cs (10 sites) switched to JwtTokenFactory.* with JwtTestHelpers.DefaultSubject explicitly passed for the runner subject - behavior parity preserved. Dockerfile for IntegrationTests gets the new TestSupport csproj in its pre-restore COPY layer. Api Dockerfile unchanged (TestSupport is NOT a production dependency). A new code-review SKILL.md Phase 6 checklist row flags near-identical helper logic across test projects as a Medium / Maintainability finding with explicit cycle-2 retro back-reference, so this whole pattern stops at one occurrence. module-layout.md adds a TestSupport Shared/Cross-Cutting entry documenting the production-isolation invariant. tests_unit.md + tests_integration.md updated to describe the consolidated layout. sln updated. Test-suite gate (AC-2 + AC-3) deferred to Step 16 Final Test Run per implement-skill convention. Per-batch review verdict: PASS_WITH_WARNINGS with 1 Low (pre-existing 7.0.3 version pin preserved verbatim from cycle-2 IntegrationTests csproj for parity; not blocking; deferred bump). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 01:32:24 +03:00
Oleksandr Bezdieniezhnykh	9cfd80babe	[AZ-495] [AZ-496] Cycle 3 batch 1: doc convention + AspNetCore 8.0.25 ... AZ-495 (1 SP): formalize the modules-only documentation convention for the WebApi component. _docs/02_document/module-layout.md now carries an explicit Documentation Layout section anchoring WebApi docs at modules/api_program.md; the components/06_web_api/ folder is intentionally absent. .cursor/skills/new-task/SKILL.md Step 4 directs future agents at the correct path. Cycle-1 + cycle-2 F1 findings in the two batch-review files are marked RESOLVED with back-reference to AZ-495. Cycle-2 retrospective decision-item list F1 updated. AZ-496 (2 SP): bump Microsoft.AspNetCore.OpenApi and JwtBearer in SatelliteProvider.Api.csproj from 8.0.21 to 8.0.25, closing CVE- 2026-26130 (SignalR DoS - not reachable in this app, but the runtime patch is the recommended hardening per cycle-1 D1 + cycle-2 D3). SatelliteProvider.Tests.csproj has no direct JwtBearer reference - it consumes JwtBearer transitively via ProjectReference to Api, so no edit needed there. Dockerfiles use floating mcr.microsoft.com/ dotnet/aspnet:8.0 / sdk:8.0 / runtime:8.0 tags which auto-resolve to >= 8.0.25 on rebuild. Security artifacts (dependency_scan.md, security_report.md) and current-state docs (module-layout.md, architecture.md, modules/api_program.md, modules/tests_unit.md) updated to reflect 8.0.25. Batch report + code review report (verdict PASS_WITH_WARNINGS with 2 Low findings, neither blocking) written under _docs/03_implementation. Test suite gate deferred to Step 16 (Final Test Run) per implement skill convention. Patch-level bump within .NET 8 LTS; regression risk very low. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 01:24:48 +03:00
Oleksandr Bezdieniezhnykh	e3cd388577	[AZ-487] [AZ-488] docs: cycle 2 doc sync (task mode) ... Step 13 (Update Docs) for cycle 2. Most cross-cutting docs were already updated during Step 10 (architecture.md, glossary.md, components/03_tile_downloader, modules/api_program.md, data_model.md, contracts/api/uav-tile-upload.md). This commit completes the remaining module-level + module-layout updates and writes the cycle-2 ripple log. * modules/common_configs.md: + UavQualityConfig section and appsettings-section row (UavQuality). * modules/common_dtos.md: + UavTileMetadata, UavTileBatchMetadataPayload, UavTileBatchUploadResponse, UavTileUploadResultItem, UavTileUploadStatus, UavTileRejectReasons (closed enumeration v1.0.0). * module-layout.md: refresh Common (+ UavQualityConfig + UAV DTOs), TileDownloader (+ UavTileQualityGate, UavTileUploadHandler, + SixLabors.ImageSharp 3.1.11 PackageReference), and WebApi (+ Authentication/*, DTOs/UavTileBatchUploadRequest, + JwtBearer 8.0.21 PackageReference). Updates the "Last Updated" stamp to cycle 2. * modules/tests_unit.md: replace the obsolete "only a dummy test" description; add cycle-2 AZ-487 / AZ-488 test classes (AuthenticationServiceCollectionExtensionsTests, JwtTokenFactoryTests, UavTileQualityGateTests, UavTileUploadHandlerTests, UavTileFilePathTests, PermissionsRequirementTests) + new ProjectReference / package references. * modules/tests_integration.md: + JwtIntegrationTests, UavUploadTests (incl. wall-clock-seeded coordinate counter rationale from the Step 11 fix), and the StubAndErrorContractTests update for the removed 501 stub. * ripple_log_cycle2.md (new): cycle-2 reverse-dependency scan results showing every importer of the new symbols resolves inside the three already-updated components (WebApi, TileDownloader, Common). No unexpected ripple, no heuristic fallback needed. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 00:04:05 +03:00
Oleksandr Bezdieniezhnykh	98cdcd17c1	[AZ-487] [AZ-488] docs: cycle 2 test-spec sync ... Append cycle 2 entries to test-spec artifacts (cycle-update mode): * security-tests.md: SEC-05..SEC-09 (AZ-487 JWT 401/403/parity) + SEC-10..SEC-11 (AZ-488 permission + reject-detail leak hygiene). * blackbox-tests.md: BT-13..BT-17 (UAV happy / mixed / multi-source coexistence / same-source UPSERT / rule-ordering) + BT-18 (existing endpoints parity with Bearer token). * resource-limit-tests.md: RL-05..RL-07 (MaxBatchSize, per-item MaxBytes, Kestrel/Form envelope cap). * performance-tests.md: untouched (PT-08 already landed with AZ-488 as Deferred — see _docs/_process_leftovers/2026-05-11_perf-pt07-harness). * traceability-matrix.md: append AC rows for AZ-487 AC-1..AC-8 and AZ-488 AC-1..AC-10 + AC-7a..AC-7e; annotate "No authentication" restriction as superseded by AZ-487+AZ-488; add NFR rows (perf, security, reliability, compatibility) for both tasks; refresh totals (78 tests; 47/47 ACs; 8/8 restrictions). Coverage shape: AZ-487 AC-7 (Swagger Authorize) and the perf NFRs are recorded but not actively measured this commit (manual UI smoke + deferred PT-08 harness, respectively). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-12 00:00:14 +03:00
Oleksandr Bezdieniezhnykh	1802d32107	[AZ-488] UAV tile batch upload + 5-rule quality gate ... Replaces the 501 stub at POST /api/satellite/upload with a multipart batch endpoint that ingests UAV-captured tiles, runs each item through a 5-rule quality gate, and persists accepted tiles via the AZ-484 multi-source storage path with source='uav'. Quality gate (in fixed order, first failure wins): JPEG format (content-type + magic), size band 5 KiB-5 MiB, exact 256x256 dimensions, captured-at age (no future >30 s skew, no older than 7 days), luminance variance on 32x32 downsample. Closed reject-reason enumeration in v1.0.0 contract. Authorization: custom PermissionsRequirement / PermissionsAuthorization Handler that reads the JWT `permissions` claim (tolerates both repeated-string and JSON-array shapes). Endpoint protected by RequiresGpsPermission policy; 401 without token, 403 without GPS perm. Persistence: file-first to ./tiles/uav/{z}/{x}/{y}.jpg, then ITileRepository.InsertAsync UPSERT (per-source UPSERT contract from AZ-484). Per-item failures reported in response without aborting the batch. Kestrel MaxRequestBodySize and FormOptions limits set to MaxBatchSize x MaxBytes (default 100 x 5 MiB = 500 MiB). New frozen contract: _docs/02_document/contracts/api/uav-tile-upload.md v1.0.0. PT-08 NFR added to performance-tests.md as Deferred (harness work tracked in PT-07 leftover, per AZ-488 § Risk 4). Tests: 11 quality-gate unit tests, 5 handler unit tests, 3 file-path unit tests, 12 permission-handler unit tests, 7 integration tests (AC-1..AC-6, AC-8). All 253 unit tests + smoke integration suite green. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 23:50:49 +03:00
Oleksandr Bezdieniezhnykh	96cd3c4495	[AZ-487] JWT validation baseline (HS256, all endpoints) ... Adds Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21 and the SatelliteProvider.Api.Authentication.AddSatelliteJwt extension that validates HS256 tokens against a shared JWT_SECRET (>=32 bytes, fail fast at startup). Every minimal-API endpoint now carries .RequireAuthorization(); the middleware chain is UseExceptionHandler -> UseHttpsRedirection -> UseCors -> UseAuthentication -> UseAuthorization -> endpoints. Swagger UI gets a Bearer security definition so the Authorize button works. Test infrastructure: JwtTokenFactory (unit) and JwtTestHelpers (integration) mint deterministic tokens against the same secret; the integration test runner attaches a default Bearer token to its shared HttpClient so existing tests continue to exercise protected endpoints. JwtIntegrationTests adds AC-1..AC-4 and AC-7 (Swagger advertises Bearer) end-to-end; AuthenticationServiceCollectionExtensionsTests covers AC-5 (missing/empty/short secret fail-fast) plus env-var precedence; JwtTokenFactoryTests covers AC-6 (claims pass through the JwtSecurityTokenHandler.ValidateToken path JwtBearer uses). docker-compose and scripts/run-tests.sh now propagate JWT_SECRET to the api and integration-tests containers, with a >=32-byte guard. .env.example documents the required keys; .env stays gitignored. Code review verdict: PASS_WITH_WARNINGS (2 Low findings surfaced in _docs/03_implementation/reviews/batch_01_cycle2_review.md). Cross-component coordination: gps-denied-onboard and the mission planner UI must attach Bearer tokens before this lands in dev. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 23:06:23 +03:00
Oleksandr Bezdieniezhnykh	51b572108a	[AZ-484] Cycle 1 Steps 12-16: docs, security, perf, deploy report ... Captures the post-implementation autodev gates for AZ-484 multi-source tile storage: - Step 12 (Test-Spec Sync): added 7 AC rows (AZ-484 AC-1..AC-7) and a PT-07 NFR row to traceability-matrix.md; added PT-07 scenario to performance-tests.md. - Step 13 (Update Docs): refreshed data_model.md (tiles columns + indexes + selection rule + UPSERT contract + migrations 012/013), module-layout.md (Common/Enums section with L-001 guidance, DataAccess imports-from now lists 6 sites), 6 module / component docs to reflect the new repo signatures, source/captured_at fields, and Dapper enum bypass workaround. ripple_log_cycle1.md records zero out-of-scope ripple. - Step 14 (Security Audit): PASS_WITH_WARNINGS - 0 Critical, 0 High, 5 Medium, 5 Low. AZ-484 itself added zero new findings. Hardening items (Postgres default creds, .env in build context, GMaps key rotation, ASP.NET Core 8.0.21 -> 8.0.25, rate limiter) recorded for separate tickets. - Step 15 (Performance Test): all PT-01..PT-07 scenarios Unverified (non-blocking); PT-07 baseline-comparison harness deferred to a leftover for next cycle. - Step 16 (Deploy): cycle deploy report covering migration safety, rollback path, post-deploy verification, security caveats. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 10:03:05 +03:00
Oleksandr Bezdieniezhnykh	e9d6db077c	[AZ-484] Fix multi-source tile reads: drop Dapper enum handler ... Two integration-test failures uncovered after the initial commit: 1) GetTilesByRegionAsync outer ORDER BY referenced 'updated_at' but the inner DISTINCT ON subquery aliased it to 'UpdatedAt' (Postgres folds to 'updatedat'). DISTINCT ON already guarantees one row per (latitude, longitude, ...) so the third tiebreak was unreachable; removed it. 2) Dapper 2.1.35 silently bypasses SqlMapper.TypeHandler<T> for enum types during read deserialization (Dapper issue #259). The TileSourceTypeHandler worked for writes but reads fell through to Enum.TryParse, which cannot map 'google_maps' to GoogleMaps. Pivoted: TileEntity.Source is now a string (the wire value). TileSource enum stays as the public producer surface in Common.Enums; TileSourceConverter (Common.Enums) provides ToWireValue / FromWireValue / IsValidWireValue at the boundary. TileSourceTypeHandler deleted; registration removed from DapperEnumTypeHandlers.RegisterAll. tile-storage.md Inv-5 amended to document the storage choice. _docs/LESSONS.md L-001 records the Dapper bypass for future cycles. Full suite passes (213 unit + integration suite incl. AZ-484 AC-1..AC-5, security SEC-01..SEC-04, AZ-356/362/357). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 06:44:34 +03:00
Oleksandr Bezdieniezhnykh	687d6bdd5b	[AZ-484] Multi-source tile storage: source + captured_at ... Add per-source tile rows to support multi-provider imagery (Google Maps + future UAV). Migration 013 (transactional) introduces source/captured_at columns, backfills existing rows to (source='google_maps', captured_at=created_at), and replaces the 4-column unique index with a 5-column index that includes source. TileRepository: - ColumnList includes source + captured_at - GetByTileCoordinatesAsync returns most-recent row across sources (ORDER BY captured_at DESC, updated_at DESC, id DESC) - GetTilesByRegionAsync uses DISTINCT ON to pick the most-recent tile per cell, restoring caller-facing row order - Insert/Update upsert on the new 5-column conflict key TileSource enum lives in Common.Enums. Snake_case wire format (google_maps, uav) is enforced by a focused TileSourceTypeHandler because the generic ToLowerInvariant pattern would emit "googlemaps", violating contract v1.0.0. TileService stamps Source=GoogleMaps + CapturedAt=UtcNow on every new tile. Tile-storage contract is now frozen at v1.0.0. AC coverage 7/7. New unit + integration tests cover all ACs; existing 200 unit + 5 smoke tests preserved. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 06:21:59 +03:00
Oleksandr Bezdieniezhnykh	5ba58b6c8d	[AZ-484] [AZ-483] Add task spec + tile-storage v1.0.0 contract draft ... Step-9 (new-task) cycle 1 artifacts for the AZ-483 multi-source tile storage epic. AZ-485 (UAV upload + quality gate) deferred to a future Step-9 loop and recorded as planned in the dependencies table. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 06:05:06 +03:00
Oleksandr Bezdieniezhnykh	08451df027	[AZ-350] Close 03-code-quality-refactoring: Phase 6+7 + FINAL_report ... Phase 6 (Verification): smoke run green (format gate + 200/200 unit + integration smoke). verification_report.md captures metric deltas vs Phase 0 baseline; all 5 ACs met, all 4 constraints honored, 0 regressions. Phase 7 (Documentation): - module-layout.md: corrected DataAccess->Common dependency (was mistakenly documented as "Imports from: (none)" by prior AZ-315 baseline; csproj reference + 7 import sites have actually been there since AZ-309). - architecture_compliance_baseline.md: F5 entry revised to reflect the actual layering invariant (one-way: Common MUST NOT import from DataAccess, but DataAccess MAY import from Common). - 00_discovery.md: added "Updates Since Baseline" section enumerating the AZ-309 split + AZ-350 27-change run + AZ-372 tooling additions; original tree kept as a 2026-05-10 snapshot. FINAL_report: complete run summary (10 batches, 27 tasks, 3 K=3 cumulative reviews, baseline->final metric table, remaining items, lessons learned). Autodev state: advance Step 8 -> Step 9 (New Task); sub_step reset to phase 0 awaiting-invocation. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 05:23:35 +03:00
Oleksandr Bezdieniezhnykh	7c37636fdf	[AZ-373] Refactor C20: drop MapsVersion from new writes (option a) ... - Stop writing "downloaded_YYYY-MM-DD" into tiles.maps_version: new rows bind @MapsVersion to NULL via TileService.BuildTileEntity. - Retain the tiles.maps_version column (coderule.mdc forbids unprompted column drops); pre-existing rows keep their values for forensics. - Remove MapsVersion property from DownloadTileResponse (API wire shape) and TileMetadata (internal DTO); OpenAPI schema regenerates from the DTO via Swashbuckle. - Add 3 AC tests in TileServiceTests covering the captured-entity write (AC-1) and the DTO/wire-shape removal (AC-2). - Update integration-test local DTO + console output; refresh docs in common_dtos.md, services_tile_service.md, data_model.md. - Archive AZ-373 task file: todo/ -> done/. 174 unit + 5 smoke pass. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 04:05:40 +03:00
Oleksandr Bezdieniezhnykh	23ab05766d	[AZ-370] Refactor C17: status / point-type enums + AC RT2 update ... Replaces bare strings with two enums in Common/Enums/: RegionStatus { Queued, Processing, Completed, Failed } RoutePointType { Start, End, Action, Intermediate } Adds a Dapper EnumStringTypeHandler<T> (DataAccess/TypeHandlers/) that round-trips enums to/from lowercase strings, registered once at startup via DapperEnumTypeHandlers.RegisterAll(). DataAccess now references Common (project ref) so entities can carry the enum types. Sites converted: RegionService (5), RouteProcessingService (3), RoutePointGraphBuilder (4), entity Status/PointType columns. Log message and summary file format preserved via .ToLowerInvariant(). API JSON contract preserved by adding JsonStringEnumConverter with JsonNamingPolicy.CamelCase to the http JSON options — single-word enum members serialize to the same lowercase strings as before. DTO renamed: Common.DTO.RegionStatus -> RegionStatusResponse to free the RegionStatus name for the new enum (forced by the task's explicit enum name); the renamed DTO has no public-API impact at the JSON wire level. Stale doc references updated. AC RT2 in _docs/00_problem/acceptance_criteria.md now lists all 4 point types (start/end/action/intermediate). Tests: 171 / 171 unit + 5 / 5 smoke green (was 141 + 5; +30 new tests covering type handler round-trip, set/parse, unknown-value rejection, idempotent registration, and the AC RT2 doc check). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-11 03:55:22 +03:00
Oleksandr Bezdieniezhnykh	6b373082c8	[AZ-315] Sync architecture docs after coupling refactor ... Phase C of architecture coupling refactor (epic AZ-309). Closes the last baseline finding (F5 — DataAccess incorrectly documented as importing Common) and synchronizes the rest of _docs/02_document/ with the post-split project layout from AZ-312/313/314: - module-layout.md: per-component sections for the three new csprojs with explicit ProjectReferences and the no-cross-sibling-reference invariant the split enforces. - architecture.md: components and internal-communication tables updated to show calls flow through Common interfaces. - architecture_compliance_baseline.md: F1..F5 marked Resolved with task IDs and commit refs; baseline summary now 0 findings. - diagrams/components.md, components/03_tile_downloader/description.md, modules/{common_interfaces,services_tile_service, services_google_maps_downloader,tests_unit}.md updated for the split, RateLimitException relocation, and new ITileService methods. Documentation-only batch — no code, no tests, no build changes. Epic AZ-309 complete (6 tasks across 3 batches). Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-10 07:25:21 +03:00
Oleksandr Bezdieniezhnykh	b0fffa6d42	[AZ-284] Autodev baseline + testability refactor ... Phase A baseline outputs from /autodev (Steps 1-5): - Problem & solution docs (_docs/00_problem, _docs/01_solution) - Codebase documentation (_docs/02_document) incl. architecture, module-layout, glossary, system-flows, baseline compliance scan - Test specs (blackbox, performance, resilience, security, resource, traceability matrix) - Test task decomposition (_docs/02_tasks/todo): AZ-285..AZ-290 - Testability refactor (_docs/04_refactoring/01-testability-refactoring): - TC-01 Move DownloadedTileInfoV2 + new ExistingTileInfo to Common.DTO - TC-02 Replace dead ISatelliteDownloader API with real signatures - TC-03 GoogleMapsDownloaderV2 implements ISatelliteDownloader - TC-04 TileService depends on ISatelliteDownloader (mockable) - TC-05 DI + endpoints use ISatelliteDownloader - Test runner scripts (scripts/run-tests.sh, run-performance-tests.sh) - Autodev state pointer (_docs/_autodev_state.md) Prepares the codebase for AZ-285..AZ-290 unit/integration test work. Co-authored-by: Cursor <cursoragent@cursor.com>	2026-05-10 04:44:08 +03:00