[AZ-808] [AZ-809] [AZ-810] [AZ-811] [AZ-812] Cycle 8 retro + close

Cycle 8 retrospective (cycle-end mode): 5 tickets shipped, 17 SP, 4
batches across 1 cycle theme (strict input validation for the 4
AZ-795 child endpoints + AZ-812 region API field rename).

Artifacts:
- _docs/06_metrics/retro_2026-05-23_cycle8.md
- _docs/06_metrics/structure_2026-05-23_cycle8.md (gap-filled; last
  structural snapshot was cycle 5)

Key cycle-8 findings (now in _docs/LESSONS.md ring buffer):
- Step-14 security-audit Medium findings under the small-fix
  threshold should be resolved in-cycle, not deferred (F-AZ809-1
  closed in commit 8fca6e0, ~30 min from discovery to fix).
- Retro recommendations ship end-to-end when they name concrete
  tickets/files + size as a coherent cycle theme (cycle 7 Action 3
  -> cycle 8 strict-validation slate, first end-to-end traceable
  cross-cycle improvement action in project history).
- Contract wire-format updates (new required field / rename) need a
  ripgrep probe across all consumer paths (perf script, probe
  scripts, README, deploy docs, OpenAPI examples) — partial syncs
  surface at Step 15 perf gate (PT-06 missed AZ-809 requestMaps +
  createTilesZip, fixed in commit 32bc5c1).

Carry-overs to cycle 9: track PT-07 cache-pollution false positive
(harness, not regression), reduce 3 cycles in a row of misleading
"PT-07 fails on warm/cold ratio" entries in the perf report.

Marks Step 17 completed; cycle 8 closed. Next /autodev invocation
starts cycle 9 from Step 0.

Co-authored-by: Cursor <cursoragent@cursor.com>

.cursor/rules/coderule.mdc

@@ -11,6 +11,7 @@ alwaysApply: true
 - Avoid boilerplate and unnecessary indirection, but never sacrifice readability for brevity.
 - Never suppress errors silently — no `2>/dev/null`, empty `catch` blocks, bare `except: pass`, or discarded error returns. These hide the information you need most when something breaks. If an error is truly safe to ignore, log it or comment why.
 - Do not add comments that merely narrate what the code does. Comments are appropriate for: non-obvious business rules, workarounds with references to issues/bugs, safety invariants, and public API contracts. Make comments as short and concise as possible. Exception: every test must use the Arrange / Act / Assert pattern with language-appropriate comment syntax (`# Arrange` for Python, `// Arrange` for C#/Rust/JS/TS). Omit any section that is not needed (e.g. if there is no setup, skip Arrange; if act and assert are the same line, keep only Assert)
+- API consumer documentation (OpenAPI / Swagger `Description` and `Summary`, REST API reference docs, public SDK docstrings) is written for the *external API consumer*, not the implementer. Do NOT include task IDs (`AZ-NNN`, `JIRA-NNN`), contract-doc filenames (`tile-inventory.md v2.0.0`), version-bump history, or implementation milestones in these strings. Internal change tracking belongs in commit messages, contract docs, changelogs, and code comments — never in the public API description. Extend an existing pattern only if it already follows this rule; if the existing description leads with internal noise, treat that as a defect and clean it (or surface it to the user) rather than propagating it.
 - Do not add verbose debug/trace logs by default. Log exceptions, security events (auth failures, permission denials), and business-critical state transitions. Add debug-level logging only when asked.
 - Do not put code annotations unless it was asked specifically 
 - Write code that takes into account the different environments: development, production

.vscode/launch.json

@@ -0,0 +1,35 @@
+{
+    "version": "0.2.0",
+    "configurations": [
+        {
+            // Use IntelliSense to find out which attributes exist for C# debugging
+            // Use hover for the description of the existing attributes
+            // For further information visit https://github.com/dotnet/vscode-csharp/blob/main/debugger-launchjson.md.
+            "name": ".NET Core Launch (web)",
+            "type": "coreclr",
+            "request": "launch",
+            "preLaunchTask": "build",
+            // If you have changed target frameworks, make sure to update the program path.
+            "program": "${workspaceFolder}/SatelliteProvider.Api/bin/Debug/net10.0/SatelliteProvider.Api.dll",
+            "args": [],
+            "cwd": "${workspaceFolder}/SatelliteProvider.Api",
+            "stopAtEntry": false,
+            // Enable launching a web browser when ASP.NET Core starts. For more information: https://aka.ms/VSCode-CS-LaunchJson-WebBrowser
+            "serverReadyAction": {
+                "action": "openExternally",
+                "pattern": "\\bNow listening on:\\s+(https?://\\S+)"
+            },
+            "env": {
+                "ASPNETCORE_ENVIRONMENT": "Development"
+            },
+            "sourceFileMap": {
+                "/Views": "${workspaceFolder}/Views"
+            }
+        },
+        {
+            "name": ".NET Core Attach",
+            "type": "coreclr",
+            "request": "attach"
+        }
+    ]
+}

.vscode/tasks.json

@@ -0,0 +1,41 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "build",
+            "command": "dotnet",
+            "type": "process",
+            "args": [
+                "build",
+                "${workspaceFolder}/SatelliteProvider.sln",
+                "/property:GenerateFullPaths=true",
+                "/consoleloggerparameters:NoSummary;ForceNoAlign"
+            ],
+            "problemMatcher": "$msCompile"
+        },
+        {
+            "label": "publish",
+            "command": "dotnet",
+            "type": "process",
+            "args": [
+                "publish",
+                "${workspaceFolder}/SatelliteProvider.sln",
+                "/property:GenerateFullPaths=true",
+                "/consoleloggerparameters:NoSummary;ForceNoAlign"
+            ],
+            "problemMatcher": "$msCompile"
+        },
+        {
+            "label": "watch",
+            "command": "dotnet",
+            "type": "process",
+            "args": [
+                "watch",
+                "run",
+                "--project",
+                "${workspaceFolder}/SatelliteProvider.sln"
+            ],
+            "problemMatcher": "$msCompile"
+        }
+    ]
+}

AGENTS.md

@@ -177,7 +177,7 @@ docker-compose -f docker-compose.yml -f docker-compose.tests.yml up --build --ab
 ### Configuration Values
 
 Development defaults:
-- PostgreSQL: localhost:5432, user/pass: postgres/postgres
+- PostgreSQL: localhost:5433 (host-side, mapped to container port 5432), user/pass: postgres/postgres
 - API: http://localhost:5100
 - Max zoom level: 20
 - Default zoom level: 18

README.md

@@ -73,7 +73,7 @@ The service follows a layered architecture:
 ### Download Single Tile
 
 ```http
-GET /api/satellite/tiles/latlon?Latitude={lat}&Longitude={lon}&ZoomLevel={zoom}
+GET /api/satellite/tiles/latlon?lat={lat}&lon={lon}&zoom={zoom}
 ```
 
 Downloads a single tile at specified coordinates and zoom level.
@@ -434,7 +434,7 @@ Log level can be adjusted in `appsettings.json` under `Serilog:MinimumLevel`.
 
 ### Service won't start
 - Check Docker is running
-- Verify ports 5100 and 5432 are available
+- Verify ports 5100 and 5433 are available (Postgres host-side; the container itself listens on 5432 inside the docker network)
 - Check logs: `docker-compose logs api`
 
 ### Tiles not downloading

SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs

@@ -0,0 +1,26 @@
+using Microsoft.AspNetCore.Mvc;
+
+namespace SatelliteProvider.Api.DTOs;
+
+// AZ-811: query-string record for GET /api/satellite/tiles/latlon.
+// Bound via `[AsParameters]` so each property maps to one query parameter.
+// `[FromQuery(Name = "...")]` pins the wire name explicitly — case-sensitive
+// match against `?lat=&lon=&zoom=`, matching the OSM convention shared with
+// the rest of the satellite-provider API (`{z, x, y}` for inventory,
+// `{lat, lon}` for region and route DTOs).
+//
+// **Why nullable types**: minimal-API parameter binding throws
+// BadHttpRequestException for missing-required non-nullable query params
+// BEFORE endpoint filters run. That short-circuit produces a plain
+// ProblemDetails via GlobalExceptionHandler — no `errors{}` envelope, no
+// per-field key. Per AZ-811 ACs 1 & 4 every missing/unknown param must
+// surface as `errors.<paramName>` in ValidationProblemDetails. Nullable
+// types let binding always succeed, so:
+//   1. RejectUnknownQueryParamsEndpointFilter handles unknown keys
+//      (e.g. legacy `?Latitude=`, hostile `?debug=1`).
+//   2. GetTileByLatLonQueryValidator handles `null` (missing) plus range.
+// Validator guarantees non-null by the time the handler dereferences.
+public sealed record GetTileByLatLonQuery(
+    [property: FromQuery(Name = "lat")] double? Lat,
+    [property: FromQuery(Name = "lon")] double? Lon,
+    [property: FromQuery(Name = "zoom")] int? Zoom);

SatelliteProvider.Api/GlobalExceptionHandler.cs

@@ -1,3 +1,4 @@
+using System.Text.Json;
 using Microsoft.AspNetCore.Diagnostics;
 using Microsoft.AspNetCore.Mvc;
 
@@ -60,6 +61,30 @@ public sealed class GlobalExceptionHandler : IExceptionHandler
     {
         httpContext.Response.StatusCode = badRequest.StatusCode;
 
+        // AZ-795: deserialization failures (unknown field via UnmappedMemberHandling.Disallow,
+        // type mismatch, malformed JSON) surface here as BadHttpRequestException with a
+        // System.Text.Json `JsonException` somewhere in the inner-exception chain. Convert
+        // them to RFC 7807 ValidationProblemDetails so wire-format errors share the same
+        // shape as FluentValidation business-rule errors — see
+        // `_docs/02_document/contracts/api/error-shape.md`.
+        var deserializationErrors = TryExtractDeserializationErrors(badRequest);
+        if (deserializationErrors is not null && badRequest.StatusCode == StatusCodes.Status400BadRequest)
+        {
+            var validation = new ValidationProblemDetails(deserializationErrors)
+            {
+                Status = badRequest.StatusCode,
+                Title = "One or more validation errors occurred.",
+                Type = "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+            };
+
+            await httpContext.Response.WriteAsJsonAsync(
+                validation,
+                options: null,
+                contentType: "application/problem+json",
+                cancellationToken: cancellationToken);
+            return;
+        }
+
         var problem = new ProblemDetails
         {
             Status = badRequest.StatusCode,
@@ -73,4 +98,36 @@ public sealed class GlobalExceptionHandler : IExceptionHandler
             contentType: "application/problem+json",
             cancellationToken: cancellationToken);
     }
+
+    private static IDictionary<string, string[]>? TryExtractDeserializationErrors(BadHttpRequestException ex)
+    {
+        var current = ex.InnerException;
+        while (current is not null)
+        {
+            if (current is JsonException jsonEx)
+            {
+                var path = NormalizeJsonPath(jsonEx.Path);
+                var message = string.IsNullOrEmpty(jsonEx.Message)
+                    ? "Invalid JSON."
+                    : jsonEx.Message;
+
+                return new Dictionary<string, string[]>
+                {
+                    [path] = new[] { message }
+                };
+            }
+
+            current = current.InnerException;
+        }
+
+        return null;
+    }
+
+    private static string NormalizeJsonPath(string? path)
+    {
+        if (string.IsNullOrEmpty(path)) return "$";
+        return path.StartsWith("$.", StringComparison.Ordinal)
+            ? path.Substring(2)
+            : path;
+    }
 }

SatelliteProvider.Api/Program.cs

@@ -1,3 +1,4 @@
+using FluentValidation;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http.Features;
 using Microsoft.AspNetCore.Mvc;
@@ -8,6 +9,7 @@ using SatelliteProvider.Api;
 using SatelliteProvider.Api.Authentication;
 using SatelliteProvider.Api.DTOs;
 using SatelliteProvider.Api.Swagger;
+using SatelliteProvider.Api.Validators;
 using SatelliteProvider.DataAccess;
 using SatelliteProvider.DataAccess.Repositories;
 using SatelliteProvider.DataAccess.TypeHandlers;
@@ -98,14 +100,33 @@ builder.Services.AddCors(options =>
 builder.Services.AddProblemDetails();
 builder.Services.AddExceptionHandler<GlobalExceptionHandler>();
 
+// AZ-795: strict JSON parsing — unknown fields are rejected at the deserializer
+// level instead of being silently dropped. Pairs with the per-endpoint
+// FluentValidation filter (`WithValidation<T>()`) so the API has a single
+// uniform RFC 7807 error contract for both wire-format failures and
+// business-rule failures (`_docs/02_document/contracts/api/error-shape.md`).
 builder.Services.ConfigureHttpJsonOptions(options =>
 {
     options.SerializerOptions.PropertyNamingPolicy = System.Text.Json.JsonNamingPolicy.CamelCase;
     options.SerializerOptions.PropertyNameCaseInsensitive = true;
+    options.SerializerOptions.UnmappedMemberHandling = System.Text.Json.Serialization.JsonUnmappedMemberHandling.Disallow;
     options.SerializerOptions.Converters.Add(
         new System.Text.Json.Serialization.JsonStringEnumConverter(System.Text.Json.JsonNamingPolicy.CamelCase));
 });
 
+// AZ-795: register every IValidator<T> in this assembly with DI so the
+// generic ValidationEndpointFilter<T> can resolve them at request time.
+// GlobalValidatorConfig.ApplyOnce() centralizes process-wide FluentValidation
+// configuration (camelCase property paths, etc.) so the API host and the
+// unit-test fixture share one source of truth — see error-shape.md Inv-4.
+builder.Services.AddValidatorsFromAssemblyContaining<Program>();
+GlobalValidatorConfig.ApplyOnce();
+
+// AZ-810: explicit registration so `.AddEndpointFilter<UavUploadValidationFilter>()`
+// on the UAV upload endpoint resolves the filter with its `IValidator<…>` + JSON
+// options constructor deps. Transient so each request gets a fresh instance.
+builder.Services.AddTransient<UavUploadValidationFilter>();
+
 builder.Services.AddEndpointsApiExplorer();
 builder.Services.AddSwaggerGen(c =>
 {
@@ -190,6 +211,10 @@ app.MapGet("/tiles/{z:int}/{x:int}/{y:int}", ServeTile)
 
 app.MapGet("/api/satellite/tiles/latlon", GetTileByLatLon)
     .RequireAuthorization()
+    .AddEndpointFilter(new RejectUnknownQueryParamsEndpointFilter(new[] { "lat", "lon", "zoom" }))
+    .WithValidation<GetTileByLatLonQuery>()
+    .Produces<DownloadTileResponse>(StatusCodes.Status200OK)
+    .ProducesProblem(StatusCodes.Status400BadRequest)
     .WithOpenApi(op => new(op) { Summary = "Get satellite tile by latitude and longitude coordinates" });
 
 app.MapGet("/api/satellite/tiles/mgrs", GetSatelliteTilesByMgrs)
@@ -199,33 +224,39 @@ app.MapGet("/api/satellite/tiles/mgrs", GetSatelliteTilesByMgrs)
 
 app.MapPost("/api/satellite/tiles/inventory", GetTilesInventory)
     .RequireAuthorization()
+    .WithValidation<TileInventoryRequest>()
     .Accepts<TileInventoryRequest>("application/json")
     .Produces<TileInventoryResponse>(StatusCodes.Status200OK)
     .ProducesProblem(StatusCodes.Status400BadRequest)
     .WithOpenApi(op => new(op)
     {
         Summary = "Bulk tile inventory lookup by (z,x,y) coords or location_hash",
-        Description = "AZ-505 / `tile-inventory.md` v1.0.0. Body MUST populate exactly one of `tiles` (array of `{tileZoom,tileX,tileY}`) OR `locationHashes` (array of UUIDv5). Response order matches request order. Returns one entry per request item with `present: true|false`; when present, identity + recency fields are included. Hard cap: 5000 entries per call (HTTP 400 above)."
+        Description = "Body MUST populate exactly one of `tiles` (array of `{z, x, y}` slippy-map coordinates) OR `locationHashes` (array of UUIDv5 hashes) — sending both, or neither, is HTTP 400. Response order matches request order; each entry reports `present: true|false`, and when present includes `id`, `capturedAt`, `source`, `flightId`, `resolutionMPerPx`. Hard cap: 5000 entries per request."
     });
 
 app.MapPost("/api/satellite/upload", UploadUavTileBatch)
     .RequireAuthorization(SatellitePermissions.UavUploadPolicy)
+    .AddEndpointFilter<UavUploadValidationFilter>()
     .Accepts<UavTileBatchUploadRequest>("multipart/form-data")
     .Produces<UavTileBatchUploadResponse>(StatusCodes.Status200OK)
     .ProducesProblem(StatusCodes.Status400BadRequest)
     .WithOpenApi(op => new(op)
     {
         Summary = "Upload a batch of UAV-captured satellite tiles",
-        Description = "AZ-488 / `uav-tile-upload.md` v1.0.0. Multipart form: a JSON `metadata` field and an aligned `files` collection. Each item is graded by the 5-rule quality gate and persisted with `source='uav'` when accepted. Returns 200 with per-item results (mixed accept/reject), 400 for envelope-level errors (malformed metadata, missing files, oversized batch), 401 without a valid JWT, 403 without the `GPS` permission claim."
+        Description = "Multipart form: a JSON `metadata` field and an aligned `files` collection. Each item is graded by the 5-rule quality gate and persisted with `source='uav'` when accepted. Returns 200 with per-item results (mixed accept/reject), 400 for envelope-level errors (malformed metadata, missing files, oversized batch), 401 without a valid JWT, 403 without the `GPS` permission claim."
     })
     .DisableAntiforgery();
 
 app.MapPost("/api/satellite/request", RequestRegion)
     .RequireAuthorization()
+    .WithValidation<RequestRegionRequest>()
+    .Accepts<RequestRegionRequest>("application/json")
+    .Produces<RegionStatusResponse>(StatusCodes.Status200OK)
+    .ProducesProblem(StatusCodes.Status400BadRequest)
     .WithOpenApi(op => new(op)
     {
         Summary = "Request tiles for a region",
-        Description = "Idempotent (AZ-362): POSTing the same `id` twice returns the existing region resource with HTTP 200 and does not enqueue duplicate background processing.",
+        Description = "Idempotent: POSTing the same `id` twice returns the existing region resource with HTTP 200 and does not enqueue duplicate background processing.",
     });
 
 app.MapGet("/api/satellite/region/{id:guid}", GetRegionStatus)
@@ -234,10 +265,14 @@ app.MapGet("/api/satellite/region/{id:guid}", GetRegionStatus)
 
 app.MapPost("/api/satellite/route", CreateRoute)
     .RequireAuthorization()
+    .WithValidation<CreateRouteRequest>()
+    .Accepts<CreateRouteRequest>("application/json")
+    .Produces<RouteResponse>(StatusCodes.Status200OK)
+    .ProducesProblem(StatusCodes.Status400BadRequest)
     .WithOpenApi(op => new(op)
     {
         Summary = "Create a route with intermediate points",
-        Description = "Idempotent (AZ-362): POSTing the same `id` twice returns the existing route resource with HTTP 200 and does not regenerate intermediate points or re-queue geofence regions.",
+        Description = "Idempotent: POSTing the same `id` twice returns the existing route resource with HTTP 200 and does not regenerate intermediate points or re-queue geofence regions.",
     });
 
 app.MapGet("/api/satellite/route/{id:guid}", GetRoute)
@@ -254,9 +289,11 @@ async Task<IResult> ServeTile(int z, int x, int y, HttpContext httpContext, ITil
     return Results.Bytes(tile.Bytes, tile.ContentType);
 }
 
-async Task<IResult> GetTileByLatLon([FromQuery] double Latitude, [FromQuery] double Longitude, [FromQuery] int ZoomLevel, HttpContext httpContext, ITileService tileService)
+async Task<IResult> GetTileByLatLon([AsParameters] GetTileByLatLonQuery query, HttpContext httpContext, ITileService tileService)
 {
-    var tile = await tileService.DownloadAndStoreSingleTileAsync(Latitude, Longitude, ZoomLevel, httpContext.RequestAborted);
+    // AZ-811: GetTileByLatLonQueryValidator guarantees lat/lon/zoom are non-null
+    // by the time the handler runs (CascadeMode.Stop + NotNull rules).
+    var tile = await tileService.DownloadAndStoreSingleTileAsync(query.Lat!.Value, query.Lon!.Value, query.Zoom!.Value, httpContext.RequestAborted);
 
     var response = new DownloadTileResponse
     {
@@ -285,37 +322,10 @@ IResult GetSatelliteTilesByMgrs(string mgrs, double squareSideMeters)
 }
 
 async Task<IResult> GetTilesInventory(
-    [FromBody] TileInventoryRequest? request,
+    [FromBody] TileInventoryRequest request,
     HttpContext httpContext,
     ITileService tileService)
 {
-    if (request is null)
-    {
-        return Results.Problem(
-            statusCode: StatusCodes.Status400BadRequest,
-            title: "Invalid tile inventory request",
-            detail: "Request body is required.");
-    }
-
-    var tileCount = request.Tiles?.Count ?? 0;
-    var hashCount = request.LocationHashes?.Count ?? 0;
-    if ((tileCount == 0) == (hashCount == 0))
-    {
-        return Results.Problem(
-            statusCode: StatusCodes.Status400BadRequest,
-            title: "Invalid tile inventory request",
-            detail: "Populate exactly one of `tiles` or `locationHashes`. Sending both, or neither, is not allowed.");
-    }
-
-    var totalCount = Math.Max(tileCount, hashCount);
-    if (totalCount > TileInventoryLimits.MaxEntriesPerRequest)
-    {
-        return Results.Problem(
-            statusCode: StatusCodes.Status400BadRequest,
-            title: "Invalid tile inventory request",
-            detail: $"Inventory request capped at {TileInventoryLimits.MaxEntriesPerRequest} entries; got {totalCount}.");
-    }
-
     var response = await tileService.GetInventoryAsync(request, httpContext.RequestAborted);
     return Results.Ok(response);
 }
@@ -351,15 +361,10 @@ async Task<IResult> UploadUavTileBatch(
 
 async Task<IResult> RequestRegion([FromBody] RequestRegionRequest request, IRegionService regionService)
 {
-    if (request.SizeMeters < 100 || request.SizeMeters > 10000)
-    {
-        return Results.BadRequest(new { error = "Size must be between 100 and 10000 meters" });
-    }
-
     var status = await regionService.RequestRegionAsync(
         request.Id,
-        request.Latitude,
+        request.Lat,
-        request.Longitude,
+        request.Lon,
         request.SizeMeters,
         request.ZoomLevel,
         request.StitchTiles);

SatelliteProvider.Api/SatelliteProvider.Api.csproj

@@ -7,6 +7,8 @@
     </PropertyGroup>
 
     <ItemGroup>
+        <PackageReference Include="FluentValidation" Version="12.0.0" />
+        <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.0.0" />
         <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.7" />
         <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.7"/>
         <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />

SatelliteProvider.Api/Swagger/ParameterDescriptionFilter.cs

@@ -11,13 +11,11 @@ public class ParameterDescriptionFilter : IOperationFilter
 
         var parameterDescriptions = new Dictionary<string, string>
         {
-            ["lat"] = "Latitude coordinate where image was captured",
+            ["lat"] = "Latitude coordinate (WGS84, decimal degrees, [-90, 90])",
-            ["lon"] = "Longitude coordinate where image was captured",
+            ["lon"] = "Longitude coordinate (WGS84, decimal degrees, [-180, 180])",
+            ["zoom"] = "Slippy-map zoom level [0, 22] (higher = more detail)",
             ["mgrs"] = "MGRS coordinate string",
-            ["squareSideMeters"] = "Square side size in meters",
+            ["squareSideMeters"] = "Square side size in meters"
-            ["Latitude"] = "Latitude coordinate of the tile center",
-            ["Longitude"] = "Longitude coordinate of the tile center",
-            ["ZoomLevel"] = "Zoom level for the tile (higher values = more detail)"
         };
 
         foreach (var parameter in operation.Parameters)

SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs

@@ -0,0 +1,101 @@
+using FluentValidation;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-809: FluentValidation rules for POST /api/satellite/route. Wired
+// through ValidationEndpointFilter<CreateRouteRequest> at endpoint
+// registration time (.WithValidation<CreateRouteRequest>() in Program.cs).
+// Failures are converted to RFC 7807 ValidationProblemDetails per
+// _docs/02_document/contracts/api/error-shape.md v1.0.0.
+//
+// Required-field detection is handled at the deserializer level via
+// [JsonRequired] on CreateRouteRequest, RoutePoint, GeofencePolygon, and
+// GeoPoint, plus JsonSerializerOptions.UnmappedMemberHandling.Disallow
+// (AZ-795 global). This validator covers post-deserialization business
+// rules: non-zero id, name + description length, range checks on size /
+// zoom / points-count, per-point lat/lon ranges (via RoutePointValidator),
+// per-polygon corner ranges + NW-of-SE invariant (via GeofencePolygonValidator),
+// and the cross-field createTilesZip-implies-requestMaps rule.
+public sealed class CreateRouteRequestValidator : AbstractValidator<CreateRouteRequest>
+{
+    private const double MinRegionSizeMeters = 100.0;
+    private const double MaxRegionSizeMeters = 10000.0;
+    private const int MinZoom = 0;
+    private const int MaxZoom = 22;
+    private const int MinPoints = 2;
+    private const int MaxPoints = 500;
+    private const int MaxNameLength = 200;
+    private const int MaxDescriptionLength = 1000;
+    // Geofences are axis-aligned bbox rectangles used for AOI restriction
+    // during route planning (see route-creation.md). Realistic use is 1-10
+    // polygons per route; cap at 50 to give 5x headroom while bounding the
+    // validator's worst-case allocation. The global Kestrel body limit
+    // (500 MiB, sized for the UAV upload endpoint) is not a useful gate
+    // here because polygon JSON is small (~90 bytes per minimum-shape
+    // polygon); without this cap a single authenticated request could
+    // submit millions of polygons and saturate the LOH.
+    private const int MaxPolygons = 50;
+
+    public CreateRouteRequestValidator()
+    {
+        RuleFor(req => req.Id)
+            .NotEmpty()
+            .WithMessage("`id` must be a non-zero GUID (the caller's idempotency key).");
+
+        RuleFor(req => req.Name)
+            .NotEmpty()
+            .WithMessage("`name` is required and must not be empty or whitespace.")
+            .MaximumLength(MaxNameLength)
+            .WithMessage($"`name` must be at most {MaxNameLength} characters.");
+
+        RuleFor(req => req.Description)
+            .MaximumLength(MaxDescriptionLength)
+            .When(req => req.Description is not null)
+            .WithMessage($"`description` must be at most {MaxDescriptionLength} characters.");
+
+        RuleFor(req => req.RegionSizeMeters)
+            .InclusiveBetween(MinRegionSizeMeters, MaxRegionSizeMeters)
+            .WithMessage($"`regionSizeMeters` must be between {MinRegionSizeMeters} and {MaxRegionSizeMeters} meters.");
+
+        RuleFor(req => req.ZoomLevel)
+            .InclusiveBetween(MinZoom, MaxZoom)
+            .WithMessage($"`zoomLevel` must be between {MinZoom} and {MaxZoom} (slippy-map range).");
+
+        RuleFor(req => req.Points)
+            .NotNull().WithMessage("`points` is required.")
+            .Must(p => p is null || p.Count >= MinPoints)
+                .WithMessage($"`points` must contain at least {MinPoints} entries.")
+            .Must(p => p is null || p.Count <= MaxPoints)
+                .WithMessage($"`points` must contain at most {MaxPoints} entries.");
+
+        RuleForEach(req => req.Points)
+            .SetValidator(new RoutePointValidator());
+
+        // Geofences are optional; per-polygon rules apply only when present.
+        // FluentValidation's default property-name policy drops the parent
+        // chain on deep expressions like `req.Geofences!.Polygons` — it emits
+        // only the leaf `polygons`. We OverridePropertyName explicitly so the
+        // wire-format error keys match the JSON path callers actually post:
+        // `errors["geofences.polygons"]` and `errors["geofences.polygons[i].…"]`.
+        When(req => req.Geofences is not null, () =>
+        {
+            RuleFor(req => req.Geofences!.Polygons)
+                .NotNull().WithMessage("`geofences.polygons` is required when `geofences` is present.")
+                .NotEmpty().WithMessage("`geofences.polygons` must contain at least 1 polygon when `geofences` is present.")
+                .Must(polygons => polygons is null || polygons.Count <= MaxPolygons)
+                    .WithMessage($"`geofences.polygons` must contain at most {MaxPolygons} polygons.")
+                .OverridePropertyName("geofences.polygons");
+
+            RuleForEach(req => req.Geofences!.Polygons)
+                .SetValidator(new GeofencePolygonValidator())
+                .OverridePropertyName("geofences.polygons");
+        });
+
+        // Cross-field invariant: cannot zip what wasn't downloaded.
+        RuleFor(req => req)
+            .Must(req => !(req.CreateTilesZip && !req.RequestMaps))
+            .WithName("createTilesZip")
+            .WithMessage("`createTilesZip` requires `requestMaps` to be true (can't zip what wasn't downloaded).");
+    }
+}

SatelliteProvider.Api/Validators/GeofencePolygonValidator.cs

@@ -0,0 +1,72 @@
+using FluentValidation;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-809: per-polygon validator invoked via RuleForEach on the parent
+// CreateRouteRequest (guarded by When(geofences != null) at the parent).
+// Enforces both corner-point shape and the "NW is north-of and west-of SE"
+// invariant.
+//
+// Error path: errors keys land at `geofences.polygons[i].northWest.lat` etc.
+public sealed class GeofencePolygonValidator : AbstractValidator<GeofencePolygon>
+{
+    private const double MinLat = -90.0;
+    private const double MaxLat = 90.0;
+    private const double MinLon = -180.0;
+    private const double MaxLon = 180.0;
+
+    public GeofencePolygonValidator()
+    {
+        // Both corners must be present. Without them no useful range/cross-field
+        // check can run, so short-circuit via .Cascade(CascadeMode.Stop).
+        RuleFor(p => p.NorthWest)
+            .Cascade(CascadeMode.Stop)
+            .NotNull().WithMessage("`northWest` corner is required.")
+            .SetValidator(new GeoCornerValidator("northWest")!);
+
+        RuleFor(p => p.SouthEast)
+            .Cascade(CascadeMode.Stop)
+            .NotNull().WithMessage("`southEast` corner is required.")
+            .SetValidator(new GeoCornerValidator("southEast")!);
+
+        // Cross-field invariant: NW must be genuinely north-of (lat greater)
+        // AND west-of (lon smaller) SE. Only runs when both corners survived
+        // the NotNull check above; FluentValidation skips the rule if either
+        // is null (.When(...) guard below).
+        RuleFor(p => p)
+            .Must(HaveNorthWestActuallyNorthOfSouthEast)
+            .When(p => p.NorthWest is not null && p.SouthEast is not null)
+            .WithName("northWest")
+            .WithMessage("`northWest.lat` must be greater than `southEast.lat` (NW is north-of SE).");
+
+        RuleFor(p => p)
+            .Must(HaveNorthWestActuallyWestOfSouthEast)
+            .When(p => p.NorthWest is not null && p.SouthEast is not null)
+            .WithName("northWest")
+            .WithMessage("`northWest.lon` must be less than `southEast.lon` (NW is west-of SE).");
+    }
+
+    private static bool HaveNorthWestActuallyNorthOfSouthEast(GeofencePolygon polygon)
+        => polygon.NorthWest!.Lat > polygon.SouthEast!.Lat;
+
+    private static bool HaveNorthWestActuallyWestOfSouthEast(GeofencePolygon polygon)
+        => polygon.NorthWest!.Lon < polygon.SouthEast!.Lon;
+
+    // Inner per-corner validator. Kept private to this file because the
+    // polygon corners are the only consumer; if a sibling endpoint needs
+    // point-shape validation, promote and rename.
+    private sealed class GeoCornerValidator : AbstractValidator<GeoPoint>
+    {
+        public GeoCornerValidator(string cornerLabel)
+        {
+            RuleFor(g => g.Lat)
+                .InclusiveBetween(MinLat, MaxLat)
+                .WithMessage($"`{cornerLabel}.lat` must be between {MinLat} and {MaxLat}.");
+
+            RuleFor(g => g.Lon)
+                .InclusiveBetween(MinLon, MaxLon)
+                .WithMessage($"`{cornerLabel}.lon` must be between {MinLon} and {MaxLon}.");
+        }
+    }
+}

SatelliteProvider.Api/Validators/GetTileByLatLonQueryValidator.cs

@@ -0,0 +1,45 @@
+using FluentValidation;
+using SatelliteProvider.Api.DTOs;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-811: FluentValidation rules for the query-string surface of
+// GET /api/satellite/tiles/latlon. Wired through
+// ValidationEndpointFilter<GetTileByLatLonQuery> at endpoint registration
+// time (.WithValidation<GetTileByLatLonQuery>() in Program.cs).
+//
+// Each rule maps 1:1 to a query parameter; errors[] keys are camelCase per
+// GlobalValidatorConfig (matching the wire-format param names `lat`, `lon`,
+// `zoom`). Required-field detection is `NotNull()` on the nullable-bound
+// DTO (see GetTileByLatLonQuery for why properties are nullable). Each rule
+// uses CascadeMode.Stop so a missing param surfaces ONLY as
+// "`lat` is required" — not also "`lat` must be between -90 and 90" with a
+// null value. Unknown query parameters are caught upstream by
+// RejectUnknownQueryParamsEndpointFilter.
+public sealed class GetTileByLatLonQueryValidator : AbstractValidator<GetTileByLatLonQuery>
+{
+    private const double MinLat = -90.0;
+    private const double MaxLat = 90.0;
+    private const double MinLon = -180.0;
+    private const double MaxLon = 180.0;
+    private const int MinZoom = 0;
+    private const int MaxZoom = 22;
+
+    public GetTileByLatLonQueryValidator()
+    {
+        RuleFor(q => q.Lat)
+            .Cascade(CascadeMode.Stop)
+            .NotNull().WithMessage("`lat` is required.")
+            .InclusiveBetween(MinLat, MaxLat).WithMessage($"`lat` must be between {MinLat} and {MaxLat}.");
+
+        RuleFor(q => q.Lon)
+            .Cascade(CascadeMode.Stop)
+            .NotNull().WithMessage("`lon` is required.")
+            .InclusiveBetween(MinLon, MaxLon).WithMessage($"`lon` must be between {MinLon} and {MaxLon}.");
+
+        RuleFor(q => q.Zoom)
+            .Cascade(CascadeMode.Stop)
+            .NotNull().WithMessage("`zoom` is required.")
+            .InclusiveBetween(MinZoom, MaxZoom).WithMessage($"`zoom` must be between {MinZoom} and {MaxZoom} (slippy-map range).");
+    }
+}

SatelliteProvider.Api/Validators/GlobalValidatorConfig.cs

@@ -0,0 +1,31 @@
+using FluentValidation;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-795 / AZ-796: process-wide FluentValidation configuration shared by the
+// API host and unit tests. Tests must call ApplyOnce() in their fixture setup
+// so the property-name casing they assert against matches what the running
+// API will produce — see `_docs/02_document/contracts/api/error-shape.md`
+// invariant Inv-4 (camelCase paths in `errors` map).
+public static class GlobalValidatorConfig
+{
+    private static readonly object _gate = new();
+    private static bool _applied;
+
+    public static void ApplyOnce()
+    {
+        lock (_gate)
+        {
+            if (_applied) return;
+
+            ValidatorOptions.Global.PropertyNameResolver = (type, member, expression) =>
+            {
+                var name = member?.Name;
+                if (string.IsNullOrEmpty(name)) return null;
+                return char.ToLowerInvariant(name[0]) + name[1..];
+            };
+
+            _applied = true;
+        }
+    }
+}

SatelliteProvider.Api/Validators/InventoryRequestValidator.cs

@@ -0,0 +1,73 @@
+using FluentValidation;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-796: FluentValidation rules for POST /api/satellite/tiles/inventory.
+// Wired through ValidationEndpointFilter<TileInventoryRequest> at endpoint
+// registration time (`WithValidation<TileInventoryRequest>()` in Program.cs).
+// Failures are converted to RFC 7807 ValidationProblemDetails per
+// `_docs/02_document/contracts/api/error-shape.md` v1.0.0.
+//
+// Required-field detection (rules 5+) is partially handled at the deserializer
+// level via `[JsonRequired]` on TileCoord.Z/X/Y plus
+// `JsonSerializerOptions.UnmappedMemberHandling.Disallow` (AZ-795). This
+// validator covers the non-deserializer-detectable rules: XOR populated,
+// per-array entry caps, and slippy-map range constraints.
+public sealed class InventoryRequestValidator : AbstractValidator<TileInventoryRequest>
+{
+    public InventoryRequestValidator()
+    {
+        RuleFor(req => req).Custom((req, ctx) =>
+        {
+            var hasTiles = req.Tiles is { Count: > 0 };
+            var hasHashes = req.LocationHashes is { Count: > 0 };
+            if (hasTiles == hasHashes)
+            {
+                ctx.AddFailure(
+                    "$",
+                    "Populate exactly one of `tiles` or `locationHashes` (sending both, or neither, is not allowed).");
+            }
+        });
+
+        RuleFor(req => req.Tiles!.Count)
+            .LessThanOrEqualTo(TileInventoryLimits.MaxEntriesPerRequest)
+            .OverridePropertyName("tiles")
+            .WithMessage($"`tiles` must contain at most {TileInventoryLimits.MaxEntriesPerRequest} entries.")
+            .When(req => req.Tiles is not null);
+
+        RuleFor(req => req.LocationHashes!.Count)
+            .LessThanOrEqualTo(TileInventoryLimits.MaxEntriesPerRequest)
+            .OverridePropertyName("locationHashes")
+            .WithMessage($"`locationHashes` must contain at most {TileInventoryLimits.MaxEntriesPerRequest} entries.")
+            .When(req => req.LocationHashes is not null);
+
+        RuleForEach(req => req.Tiles)
+            .SetValidator(new TileCoordValidator())
+            .When(req => req.Tiles is not null);
+    }
+}
+
+internal sealed class TileCoordValidator : AbstractValidator<TileCoord>
+{
+    private const int MaxZoom = 22;
+
+    public TileCoordValidator()
+    {
+        RuleFor(c => c.Z)
+            .InclusiveBetween(0, MaxZoom)
+            .WithMessage($"`z` must be between 0 and {MaxZoom} (slippy-map zoom range).");
+
+        RuleFor(c => c.X)
+            .GreaterThanOrEqualTo(0)
+            .WithMessage("`x` must be ≥ 0.")
+            .Must((coord, x) => coord.Z >= 0 && coord.Z <= MaxZoom && x < (1L << coord.Z))
+            .WithMessage(coord => $"`x` must be < 2^z = {(coord.Z >= 0 && coord.Z <= MaxZoom ? (1L << coord.Z).ToString() : "<invalid z>")} for z={coord.Z}.");
+
+        RuleFor(c => c.Y)
+            .GreaterThanOrEqualTo(0)
+            .WithMessage("`y` must be ≥ 0.")
+            .Must((coord, y) => coord.Z >= 0 && coord.Z <= MaxZoom && y < (1L << coord.Z))
+            .WithMessage(coord => $"`y` must be < 2^z = {(coord.Z >= 0 && coord.Z <= MaxZoom ? (1L << coord.Z).ToString() : "<invalid z>")} for z={coord.Z}.");
+    }
+}

SatelliteProvider.Api/Validators/RegionRequestValidator.cs

@@ -0,0 +1,50 @@
+using FluentValidation;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-808: FluentValidation rules for POST /api/satellite/request.
+// Wired through ValidationEndpointFilter<RequestRegionRequest> at endpoint
+// registration time (.WithValidation<RequestRegionRequest>() in Program.cs).
+// Failures are converted to RFC 7807 ValidationProblemDetails per
+// _docs/02_document/contracts/api/error-shape.md v1.0.0.
+//
+// Required-field detection is handled at the deserializer level via
+// [JsonRequired] on RequestRegionRequest properties plus
+// JsonSerializerOptions.UnmappedMemberHandling.Disallow (AZ-795). This
+// validator covers the post-deserialization business rules: non-zero Id,
+// lat/lon/sizeMeters/zoomLevel range constraints.
+public sealed class RegionRequestValidator : AbstractValidator<RequestRegionRequest>
+{
+    private const double MinLat = -90.0;
+    private const double MaxLat = 90.0;
+    private const double MinLon = -180.0;
+    private const double MaxLon = 180.0;
+    private const double MinSizeMeters = 100.0;
+    private const double MaxSizeMeters = 10000.0;
+    private const int MinZoom = 0;
+    private const int MaxZoom = 22;
+
+    public RegionRequestValidator()
+    {
+        RuleFor(req => req.Id)
+            .NotEmpty()
+            .WithMessage("`id` must be a non-zero GUID (the caller's idempotency key).");
+
+        RuleFor(req => req.Lat)
+            .InclusiveBetween(MinLat, MaxLat)
+            .WithMessage($"`lat` must be between {MinLat} and {MaxLat}.");
+
+        RuleFor(req => req.Lon)
+            .InclusiveBetween(MinLon, MaxLon)
+            .WithMessage($"`lon` must be between {MinLon} and {MaxLon}.");
+
+        RuleFor(req => req.SizeMeters)
+            .InclusiveBetween(MinSizeMeters, MaxSizeMeters)
+            .WithMessage($"`sizeMeters` must be between {MinSizeMeters} and {MaxSizeMeters} meters.");
+
+        RuleFor(req => req.ZoomLevel)
+            .InclusiveBetween(MinZoom, MaxZoom)
+            .WithMessage($"`zoomLevel` must be between {MinZoom} and {MaxZoom} (slippy-map range).");
+    }
+}

SatelliteProvider.Api/Validators/RejectUnknownQueryParamsEndpointFilter.cs

@@ -0,0 +1,42 @@
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-811: endpoint filter that rejects any query-string parameter outside an
+// allowed-set. ASP.NET model binding silently ignores unknown query params,
+// which means typos (e.g. `?latitude=` after AZ-812's rename to `lat`) bind
+// to the default value (0.0) and may produce a misleading 200 or a confusing
+// out-of-range 400 from the value-validator. This filter catches the typo at
+// the envelope level and returns a structured RFC 7807 ValidationProblemDetails
+// with errors[<paramName>] = "Unknown query parameter ...", matching the
+// shape produced by ValidationEndpointFilter<T> + GlobalExceptionHandler.
+//
+// Apply BEFORE ValidationEndpointFilter<T> so unknown-param errors precede
+// range checks against the bound default value.
+public sealed class RejectUnknownQueryParamsEndpointFilter : IEndpointFilter
+{
+    private readonly HashSet<string> _allowedKeys;
+
+    public RejectUnknownQueryParamsEndpointFilter(IEnumerable<string> allowedKeys)
+    {
+        _allowedKeys = new HashSet<string>(allowedKeys, StringComparer.OrdinalIgnoreCase);
+    }
+
+    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+    {
+        var query = context.HttpContext.Request.Query;
+        var unknown = query.Keys.Where(k => !_allowedKeys.Contains(k)).ToList();
+
+        if (unknown.Count > 0)
+        {
+            var errors = unknown.ToDictionary(
+                k => k,
+                k => new[]
+                {
+                    $"Unknown query parameter `{k}`. Allowed: {string.Join(", ", _allowedKeys.Select(a => $"`{a}`"))}."
+                });
+
+            return Results.ValidationProblem(errors);
+        }
+
+        return await next(context);
+    }
+}

SatelliteProvider.Api/Validators/RoutePointValidator.cs

@@ -0,0 +1,40 @@
+using FluentValidation;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-809: per-point validator invoked via RuleForEach on the parent
+// CreateRouteRequest. Each route waypoint must declare a valid WGS84
+// coordinate; the parent validator checks min/max count of the points
+// collection separately.
+//
+// Error path: errors keys land at `points[i].lat` / `points[i].lon` per
+// FluentValidation's default child-property naming + GlobalValidatorConfig
+// camelCase normalization (matches the wire format set by
+// [JsonPropertyName("lat"|"lon")] on RoutePoint).
+public sealed class RoutePointValidator : AbstractValidator<RoutePoint>
+{
+    private const double MinLat = -90.0;
+    private const double MaxLat = 90.0;
+    private const double MinLon = -180.0;
+    private const double MaxLon = 180.0;
+
+    public RoutePointValidator()
+    {
+        // `RoutePoint.Latitude` is the C# property name but the wire name is
+        // `lat` via [JsonPropertyName]. OverridePropertyName chains AFTER the
+        // first concrete rule (which provides the `TProperty` for the generic
+        // extension) and aligns the FluentValidation error key with the wire
+        // format — callers see `errors["points[i].lat"]` matching what they
+        // posted rather than the camelCased C# name `latitude`.
+        RuleFor(p => p.Latitude)
+            .InclusiveBetween(MinLat, MaxLat)
+            .WithMessage($"`lat` must be between {MinLat} and {MaxLat}.")
+            .OverridePropertyName("lat");
+
+        RuleFor(p => p.Longitude)
+            .InclusiveBetween(MinLon, MaxLon)
+            .WithMessage($"`lon` must be between {MinLon} and {MaxLon}.")
+            .OverridePropertyName("lon");
+    }
+}

SatelliteProvider.Api/Validators/UavTileBatchMetadataPayloadValidator.cs

@@ -0,0 +1,33 @@
+using FluentValidation;
+using Microsoft.Extensions.Options;
+using SatelliteProvider.Common.Configs;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-810: root validator for the UAV upload metadata envelope. Runs from
+// inside the custom `UavUploadValidationFilter` (the endpoint takes a
+// multipart form, so the standard `WithValidation<T>()` JSON-body filter
+// doesn't apply). Error keys come out as `errors.items[…]` from this
+// validator and are prefixed with `metadata.` by the filter, producing
+// `errors.metadata.items[…]` in the final ValidationProblemDetails per
+// `_docs/02_document/contracts/api/error-shape.md` v1.0.0.
+public sealed class UavTileBatchMetadataPayloadValidator : AbstractValidator<UavTileBatchMetadataPayload>
+{
+    public UavTileBatchMetadataPayloadValidator(
+        IOptions<UavQualityConfig> qualityConfig,
+        TimeProvider? timeProvider = null)
+    {
+        ArgumentNullException.ThrowIfNull(qualityConfig);
+        var maxBatchSize = qualityConfig.Value.MaxBatchSize;
+
+        RuleFor(p => p.Items)
+            .NotNull().WithMessage("`items` is required.")
+            .NotEmpty().WithMessage("`items` must contain at least one entry.")
+            .Must(items => items is null || items.Count <= maxBatchSize)
+                .WithMessage($"`items` must contain at most {maxBatchSize} entries.");
+
+        RuleForEach(p => p.Items)
+            .SetValidator(new UavTileMetadataValidator(qualityConfig, timeProvider));
+    }
+}

SatelliteProvider.Api/Validators/UavTileMetadataValidator.cs

@@ -0,0 +1,67 @@
+using FluentValidation;
+using Microsoft.Extensions.Options;
+using SatelliteProvider.Common.Configs;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-810: per-item metadata validator for the UAV upload endpoint. Runs as
+// a `RuleForEach.SetValidator(...)` chain child of `UavTileBatchMetadataPayloadValidator`,
+// so error keys come out as `errors.metadata.items[i].latitude`, `…tileZoom`,
+// `…capturedAt`, etc. once the `UavUploadValidationFilter` prefixes the result.
+//
+// CapturedAt freshness (rule 11) is the same window that
+// `IUavTileQualityGate.Validate` enforces; running the same check at the API
+// boundary lets us short-circuit before any file bytes are inspected. The
+// gate remains as a defence-in-depth backstop for unit tests of the gate
+// itself and for the unlikely path of a caller invoking
+// `IUavTileUploadHandler` directly (bypassing the filter).
+public sealed class UavTileMetadataValidator : AbstractValidator<UavTileMetadata>
+{
+    private const double MinLat = -90.0;
+    private const double MaxLat = 90.0;
+    private const double MinLon = -180.0;
+    private const double MaxLon = 180.0;
+    private const int MinZoom = 0;
+    private const int MaxZoom = 22;
+
+    public UavTileMetadataValidator(IOptions<UavQualityConfig> qualityConfig, TimeProvider? timeProvider = null)
+    {
+        ArgumentNullException.ThrowIfNull(qualityConfig);
+        var cfg = qualityConfig.Value;
+        var tp = timeProvider ?? TimeProvider.System;
+        var maxAgeDays = cfg.MaxAgeDays;
+        var futureSkewSeconds = cfg.CapturedAtFutureSkewSeconds;
+
+        RuleFor(m => m.Latitude)
+            .InclusiveBetween(MinLat, MaxLat)
+            .WithMessage($"`latitude` must be between {MinLat} and {MaxLat}.");
+
+        RuleFor(m => m.Longitude)
+            .InclusiveBetween(MinLon, MaxLon)
+            .WithMessage($"`longitude` must be between {MinLon} and {MaxLon}.");
+
+        RuleFor(m => m.TileZoom)
+            .InclusiveBetween(MinZoom, MaxZoom)
+            .WithMessage($"`tileZoom` must be between {MinZoom} and {MaxZoom} (slippy-map range).");
+
+        RuleFor(m => m.TileSizeMeters)
+            .GreaterThan(0.0)
+            .WithMessage("`tileSizeMeters` must be greater than 0.");
+
+        // Freshness window: capturedAt ∈ [now - MaxAgeDays, now + CapturedAtFutureSkewSeconds].
+        // `Must` lambdas close over `tp` so the comparison fetches fresh
+        // time per call (rule executes at validation time, not constructor
+        // time). Equivalent to AZ-488 Rule 4 in UavTileQualityGate.
+        RuleFor(m => m.CapturedAt)
+            .Must(capturedAt => capturedAt.ToUniversalTime() <= tp.GetUtcNow().UtcDateTime.AddSeconds(futureSkewSeconds))
+                .WithMessage($"`capturedAt` must be within {futureSkewSeconds}s of the current time (no future-dated tiles).")
+            .Must(capturedAt => capturedAt.ToUniversalTime() >= tp.GetUtcNow().UtcDateTime.AddDays(-maxAgeDays))
+                .WithMessage($"`capturedAt` must be within the last {maxAgeDays} days.");
+
+        // `FlightId` is intentionally not validated beyond JSON shape — AZ-503
+        // anonymous-flight semantics require null/missing to be a valid case.
+        // System.Text.Json already rejects malformed UUID strings at the
+        // deserializer with `JsonException` → 400 via GlobalExceptionHandler.
+    }
+}

SatelliteProvider.Api/Validators/UavUploadValidationFilter.cs

@@ -0,0 +1,122 @@
+using System.Text.Json;
+using FluentValidation;
+using Microsoft.AspNetCore.Http.Json;
+using Microsoft.Extensions.Options;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-810: endpoint filter for `POST /api/satellite/upload`. The endpoint is
+// `multipart/form-data`, not a plain JSON body, so the standard
+// `WithValidation<T>()` filter (which expects an `[FromBody]` argument
+// already deserialized by the binder) cannot be used. This filter reads
+// the multipart `metadata` form field, deserializes it with the strict
+// global `JsonSerializerOptions` (which includes
+// `UnmappedMemberHandling.Disallow` from AZ-795), runs the FluentValidation
+// rules on `UavTileBatchMetadataPayload`, and adds the cross-field
+// alignment check (`metadata.items.Count == files.Count`).
+//
+// Failures are returned as RFC 7807 `ValidationProblemDetails` matching
+// `_docs/02_document/contracts/api/error-shape.md` v1.0.0; error-map keys
+// are prefixed with `metadata.` so paths like `items[0].latitude` from
+// the per-item validator surface to the caller as
+// `errors["metadata.items[0].latitude"]`.
+//
+// The downstream `IUavTileUploadHandler` retains its own envelope checks
+// as a defence-in-depth backstop (also covers callers invoking the
+// handler directly in unit tests). When the filter has already validated,
+// the handler's checks are no-ops by construction.
+public sealed class UavUploadValidationFilter : IEndpointFilter
+{
+    private const string MetadataKeyPrefix = "metadata.";
+    private const string MetadataField = "metadata";
+    private const string FilesField = "files";
+
+    private readonly IValidator<UavTileBatchMetadataPayload> _validator;
+    private readonly JsonSerializerOptions _jsonOptions;
+
+    public UavUploadValidationFilter(
+        IValidator<UavTileBatchMetadataPayload> validator,
+        IOptions<JsonOptions> jsonOptions)
+    {
+        _validator = validator ?? throw new ArgumentNullException(nameof(validator));
+        ArgumentNullException.ThrowIfNull(jsonOptions);
+        _jsonOptions = jsonOptions.Value.SerializerOptions;
+    }
+
+    public async ValueTask<object?> InvokeAsync(EndpointFilterInvocationContext context, EndpointFilterDelegate next)
+    {
+        var request = context.HttpContext.Request;
+        if (!request.HasFormContentType)
+        {
+            return Results.ValidationProblem(new Dictionary<string, string[]>
+            {
+                [MetadataField] = new[] { "Request must be `multipart/form-data`." },
+            });
+        }
+
+        var form = await request.ReadFormAsync(context.HttpContext.RequestAborted);
+        var metadataField = form[MetadataField].ToString();
+        var files = form.Files;
+
+        if (string.IsNullOrWhiteSpace(metadataField))
+        {
+            return Results.ValidationProblem(new Dictionary<string, string[]>
+            {
+                [MetadataField] = new[] { "`metadata` form field is required." },
+            });
+        }
+
+        UavTileBatchMetadataPayload? payload;
+        try
+        {
+            payload = JsonSerializer.Deserialize<UavTileBatchMetadataPayload>(metadataField, _jsonOptions);
+        }
+        catch (JsonException ex)
+        {
+            // System.Text.Json with UnmappedMemberHandling.Disallow + [JsonRequired]
+            // covers: unknown root/nested fields, missing required fields, type
+            // mismatches. Surface uniformly as `errors.metadata`.
+            return Results.ValidationProblem(new Dictionary<string, string[]>
+            {
+                [MetadataField] = new[] { $"`metadata` could not be parsed as JSON: {ex.Message}" },
+            });
+        }
+
+        if (payload is null)
+        {
+            return Results.ValidationProblem(new Dictionary<string, string[]>
+            {
+                [MetadataField] = new[] { "`metadata` must be a non-null JSON object." },
+            });
+        }
+
+        var result = await _validator.ValidateAsync(payload, context.HttpContext.RequestAborted);
+        if (!result.IsValid)
+        {
+            var prefixed = new Dictionary<string, string[]>(StringComparer.Ordinal);
+            foreach (var group in result.ToDictionary())
+            {
+                prefixed[MetadataKeyPrefix + group.Key] = group.Value;
+            }
+            return Results.ValidationProblem(prefixed);
+        }
+
+        if (payload.Items.Count != files.Count)
+        {
+            return Results.ValidationProblem(new Dictionary<string, string[]>
+            {
+                [MetadataKeyPrefix + "items"] = new[]
+                {
+                    $"`metadata.items` has {payload.Items.Count} entries but `files` has {files.Count}.",
+                },
+                [FilesField] = new[]
+                {
+                    $"`files` has {files.Count} entries but `metadata.items` has {payload.Items.Count}.",
+                },
+            });
+        }
+
+        return await next(context);
+    }
+}

SatelliteProvider.Api/Validators/ValidationEndpointFilter.cs

@@ -0,0 +1,42 @@
+using FluentValidation;
+
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-795: shared validation infrastructure. A generic IEndpointFilter that
+// resolves IValidator<T> from DI for the first argument of type T in the
+// invoked endpoint and returns RFC 7807 ValidationProblemDetails (HTTP 400)
+// with a structured `errors` map when the validator rejects. When validation
+// passes, the filter forwards to the next stage unchanged.
+//
+// The filter is generic per request type; per-endpoint wire-up is done via
+// `RouteHandlerBuilder.WithValidation<T>()` (see ValidationEndpointFilterExtensions).
+// Per AZ-795 Outcome: callers must NOT need per-endpoint try/catch boilerplate;
+// the filter provides the uniform error contract documented in
+// `_docs/02_document/contracts/api/error-shape.md`.
+public sealed class ValidationEndpointFilter<T> : IEndpointFilter where T : class
+{
+    public async ValueTask<object?> InvokeAsync(
+        EndpointFilterInvocationContext context,
+        EndpointFilterDelegate next)
+    {
+        var argument = context.Arguments.OfType<T>().FirstOrDefault();
+        if (argument is null)
+        {
+            return await next(context);
+        }
+
+        var validator = context.HttpContext.RequestServices.GetService<IValidator<T>>();
+        if (validator is null)
+        {
+            return await next(context);
+        }
+
+        var result = await validator.ValidateAsync(argument, context.HttpContext.RequestAborted);
+        if (!result.IsValid)
+        {
+            return Results.ValidationProblem(result.ToDictionary());
+        }
+
+        return await next(context);
+    }
+}

SatelliteProvider.Api/Validators/ValidationEndpointFilterExtensions.cs

@@ -0,0 +1,19 @@
+namespace SatelliteProvider.Api.Validators;
+
+// AZ-795: ergonomic extension method for opting an endpoint into
+// FluentValidation. Applied at MapPost/MapGet registration time:
+//
+//   app.MapPost("/api/satellite/tiles/inventory", GetTilesInventory)
+//      .WithValidation<TileInventoryRequest>();
+//
+// One line per endpoint; no per-handler try/catch boilerplate; uniform
+// RFC 7807 error shape — see `_docs/02_document/contracts/api/error-shape.md`.
+public static class ValidationEndpointFilterExtensions
+{
+    public static RouteHandlerBuilder WithValidation<T>(this RouteHandlerBuilder builder)
+        where T : class
+    {
+        builder.AddEndpointFilter<ValidationEndpointFilter<T>>();
+        return builder;
+    }
+}

SatelliteProvider.Api/appsettings.Development.json

@@ -8,7 +8,7 @@
     }
   },
   "ConnectionStrings": {
-    "DefaultConnection": "Host=localhost;Port=5432;Database=satelliteprovider;Username=postgres;Password=postgres"
+    "DefaultConnection": "Host=localhost;Port=5433;Database=satelliteprovider;Username=postgres;Password=postgres"
   },
   "Jwt": {
     "Secret": "DEV-ONLY-DO-NOT-USE-IN-PROD-replace-with-real-secret-via-JWT_SECRET-env-var",

SatelliteProvider.Common/DTO/CreateRouteRequest.cs

@@ -4,18 +4,35 @@ namespace SatelliteProvider.Common.DTO;
 
 public class CreateRouteRequest
 {
+    // AZ-809: [JsonRequired] enforces presence at the deserializer; range and
+    // shape checks live in `SatelliteProvider.Api/Validators/CreateRouteRequestValidator`.
+    // Description and Geofences remain optional. The legacy in-service
+    // `RouteValidator` is left in place as defense-in-depth for direct
+    // service-layer callers (e.g. unit tests).
+    [JsonRequired]
     public Guid Id { get; set; }
+
+    [JsonRequired]
     public string Name { get; set; } = string.Empty;
+
     public string? Description { get; set; }
+
+    [JsonRequired]
     public double RegionSizeMeters { get; set; }
+
+    [JsonRequired]
     public int ZoomLevel { get; set; }
 
+    [JsonRequired]
     public List<RoutePoint> Points { get; set; } = new();
 
     [JsonPropertyName("geofences")]
     public Geofences? Geofences { get; set; }
 
-    public bool RequestMaps { get; set; } = false;
+    [JsonRequired]
-    public bool CreateTilesZip { get; set; } = false;
+    public bool RequestMaps { get; set; }
+
+    [JsonRequired]
+    public bool CreateTilesZip { get; set; }
 }
 

SatelliteProvider.Common/DTO/GeoPoint.cs

@@ -6,9 +6,11 @@ public class GeoPoint
 {
     const double PRECISION_TOLERANCE = 0.00005;
 
+    [JsonRequired]
     [JsonPropertyName("lat")]
     public double Lat { get; set; }
 
+    [JsonRequired]
     [JsonPropertyName("lon")]
     public double Lon { get; set; }
 

SatelliteProvider.Common/DTO/GeofencePolygon.cs

@@ -4,15 +4,18 @@ namespace SatelliteProvider.Common.DTO;
 
 public class GeofencePolygon
 {
+    [JsonRequired]
     [JsonPropertyName("northWest")]
     public GeoPoint? NorthWest { get; set; }
 
+    [JsonRequired]
     [JsonPropertyName("southEast")]
     public GeoPoint? SouthEast { get; set; }
 }
 
 public class Geofences
 {
+    [JsonRequired]
     [JsonPropertyName("polygons")]
     public List<GeofencePolygon> Polygons { get; set; } = new();
 }

SatelliteProvider.Common/DTO/RequestRegionRequest.cs

@@ -1,23 +1,39 @@
-using System.ComponentModel.DataAnnotations;
+using System.Text.Json.Serialization;
 
 namespace SatelliteProvider.Common.DTO;
 
+// AZ-812 (cycle 8): wire-format renamed Latitude/Longitude → Lat/Lon (OSM
+// convention) and added [JsonPropertyName("lat"/"lon")] so the wire is
+// unambiguous under JsonSerializerOptions.UnmappedMemberHandling.Disallow
+// (AZ-795 cycle 7).
+//
+// AZ-808 (cycle 8): switched [Required] → [JsonRequired] on every property.
+// [Required] is DataAnnotations and is NOT enforced by System.Text.Json — the
+// 2026-05-22 black-box probe confirmed it: omitting `id` returned HTTP 200
+// with id=Guid.Empty (silent coercion). [JsonRequired] is enforced by the
+// STJ deserializer and fails with BadHttpRequestException(JsonException),
+// which the GlobalExceptionHandler converts to RFC 7807 ValidationProblemDetails.
+// Removed the in-property defaults (= 18 for ZoomLevel, = false for StitchTiles)
+// because [JsonRequired] forces the caller to declare intent.
 public record RequestRegionRequest
 {
-    [Required]
+    [JsonRequired]
     public Guid Id { get; set; }
 
-    [Required]
+    [JsonRequired]
-    public double Latitude { get; set; }
+    [JsonPropertyName("lat")]
+    public double Lat { get; set; }
 
-    [Required]
+    [JsonRequired]
-    public double Longitude { get; set; }
+    [JsonPropertyName("lon")]
+    public double Lon { get; set; }
 
-    [Required]
+    [JsonRequired]
     public double SizeMeters { get; set; }
 
-    [Required]
+    [JsonRequired]
-    public int ZoomLevel { get; set; } = 18;
+    public int ZoomLevel { get; set; }
 
-    public bool StitchTiles { get; set; } = false;
+    [JsonRequired]
+    public bool StitchTiles { get; set; }
 }

SatelliteProvider.Common/DTO/RoutePoint.cs

@@ -4,9 +4,11 @@ namespace SatelliteProvider.Common.DTO;
 
 public class RoutePoint
 {
+    [JsonRequired]
     [JsonPropertyName("lat")]
     public double Latitude { get; set; }
 
+    [JsonRequired]
     [JsonPropertyName("lon")]
     public double Longitude { get; set; }
 }

SatelliteProvider.Common/DTO/TileInventory.cs

@@ -1,3 +1,5 @@
+using System.Text.Json.Serialization;
+
 namespace SatelliteProvider.Common.DTO;
 
 // AZ-505: bulk-list / inventory request envelope. Either `Tiles` OR
@@ -12,21 +14,33 @@ public sealed class TileInventoryRequest
     public IReadOnlyList<Guid>? LocationHashes { get; set; }
 }
 
-// AZ-505: Slippy-map tile coordinate triple. Field naming matches the on-wire
+// AZ-505: Slippy-map tile coordinate triple. AZ-794 (cycle 7) renamed the
-// snake_case used by the existing `GET /tiles/{z}/{x}/{y}` and the AZ-484/AZ-503
+// wire-format fields from `tileZoom/tileX/tileY` → `z/x/y` to align with the
-// `tiles` table columns (`tile_zoom`, `tile_x`, `tile_y`).
+// OSM / slippy-map convention already used by `GET /tiles/{z}/{x}/{y}` and
+// to shave wire-size on inventory requests carrying thousands of entries.
+// The C# property names (`Z`, `X`, `Y`) intentionally mirror the wire names
+// 1:1 so consumers don't need to mentally translate at the deserialization
+// boundary. The DataAccess `TileEntity.TileZoom/TileX/TileY` columns are
+// unchanged — that's a database identity, not a wire format.
 public sealed class TileCoord
 {
-    public int TileZoom { get; set; }
+    [JsonRequired]
-    public int TileX { get; set; }
+    public int Z { get; set; }
-    public int TileY { get; set; }
+
+    [JsonRequired]
+    public int X { get; set; }
+
+    [JsonRequired]
+    public int Y { get; set; }
 }
 
 // AZ-505: Inventory response. Entries are returned in the SAME ORDER as the
 // matching request input (per AC-1). When Request.Tiles was populated, each
-// entry's `TileZoom`/`TileX`/`TileY` echoes the request entry; when
+// entry's `Z`/`X`/`Y` echoes the request entry; when Request.LocationHashes
-// Request.LocationHashes was populated, the coord triple fields are 0 (the
+// was populated, the coord triple fields are 0 (the caller already knows
-// caller already knows the hash and can map it back themselves).
+// the hash and can map it back themselves). AZ-794 (cycle 7) renamed the
+// coord triple to `z/x/y` to align wire format with the URL-path
+// convention.
 public sealed class TileInventoryResponse
 {
     public IReadOnlyList<TileInventoryEntry> Results { get; set; } = Array.Empty<TileInventoryEntry>();
@@ -40,11 +54,14 @@ public sealed class TileInventoryResponse
 // `EstimatedBytes` is intentionally absent in v1.0.0 — adding the per-row
 // `stat()` cost is deferred until production profiling justifies it (see
 // AZ-505 Outcome bullet 1 + Excluded list).
+//
+// AZ-794 (cycle 7): coord triple renamed `tileZoom/tileX/tileY` → `z/x/y`
+// (contract bumped to v2.0.0).
 public sealed class TileInventoryEntry
 {
-    public int TileZoom { get; set; }
+    public int Z { get; set; }
-    public int TileX { get; set; }
+    public int X { get; set; }
-    public int TileY { get; set; }
+    public int Y { get; set; }
     public Guid LocationHash { get; set; }
     public bool Present { get; set; }
 

SatelliteProvider.Common/DTO/UavTileMetadata.cs

@@ -1,3 +1,5 @@
+using System.Text.Json.Serialization;
+
 namespace SatelliteProvider.Common.DTO;
 
 // AZ-488 / `uav-tile-upload.md` v1.0.0 — per-tile metadata supplied with each
@@ -9,17 +11,28 @@ namespace SatelliteProvider.Common.DTO;
 // to per-flight on-disk paths (./tiles/uav/{flight_id}/{z}/{x}/{y}.jpg). When
 // absent, the row is treated as flight-anonymous and the UPSERT collapses to
 // the AZ-484 "single row per (cell, source)" semantics via COALESCE-to-zero.
+//
+// AZ-810 (cycle 8) added [JsonRequired] to every non-optional axis so the
+// deserializer rejects partial payloads with HTTP 400 + ValidationProblemDetails
+// via GlobalExceptionHandler BEFORE the FluentValidation + IUavTileQualityGate
+// layers run. FlightId stays optional per AZ-503 anonymous-flight semantics.
 public record UavTileMetadata
 {
+    [JsonRequired]
     public double Latitude { get; init; }
+    [JsonRequired]
     public double Longitude { get; init; }
+    [JsonRequired]
     public int TileZoom { get; init; }
+    [JsonRequired]
     public double TileSizeMeters { get; init; }
+    [JsonRequired]
     public DateTime CapturedAt { get; init; }
     public Guid? FlightId { get; init; }
 }
 
 public record UavTileBatchMetadataPayload
 {
+    [JsonRequired]
     public List<UavTileMetadata> Items { get; init; } = new();
 }

SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs

@@ -0,0 +1,556 @@
+using System.Text;
+
+namespace SatelliteProvider.IntegrationTests;
+
+// AZ-809: end-to-end coverage for POST /api/satellite/route strict input
+// validation. Each test exercises one rule from the AZ-809 validator triplet
+// (CreateRouteRequestValidator + RoutePointValidator + GeofencePolygonValidator)
+// and asserts the response body conforms to the RFC 7807
+// ValidationProblemDetails contract in `_docs/02_document/contracts/api/error-shape.md`
+// v1.0.0. Required-field detection is enforced at the deserializer layer via
+// [JsonRequired] + UnmappedMemberHandling.Disallow (AZ-795).
+//
+// The route-creation happy path is intentionally `requestMaps=false` here to
+// keep this suite fast; the existing RouteCreationTests.cs exercises the
+// `requestMaps=true` flow (with background F5 processing).
+public static class CreateRouteValidationTests
+{
+    private const string RoutePath = "/api/satellite/route";
+
+    public static async Task RunAll(HttpClient httpClient)
+    {
+        RouteTestHelpers.PrintTestHeader("Test: POST /api/satellite/route strict validation (AZ-809)");
+
+        await HappyPath_Returns200(httpClient);
+
+        // Rule 1: body present
+        await EmptyBody_Returns400(httpClient);
+
+        // Rule 2: id required, non-zero Guid (probe-confirmed gap)
+        await MissingId_Returns400(httpClient);
+        await ZeroGuidId_Returns400(httpClient);
+
+        // Rule 3: name required, length [1, 200]
+        await EmptyName_Returns400(httpClient);
+
+        // Rule 5: regionSizeMeters required, [100, 10000]
+        await RegionSizeOutOfRange_Returns400(httpClient);
+
+        // Rule 6: zoomLevel required, [0, 22]
+        await ZoomLevelOutOfRange_Returns400(httpClient);
+
+        // Rule 7: points required, [2, 500]
+        await PointsTooFew_Returns400(httpClient);
+
+        // Rule 8: per-point lat/lon ranges
+        await PointLatOutOfRange_Returns400(httpClient);
+        await PointLonOutOfRange_Returns400(httpClient);
+
+        // Rule 9: geofence corners + NW-of-SE invariant
+        await GeofenceNwLatNotGreaterThanSeLat_Returns400(httpClient);
+
+        // Rule 9b: geofence polygon-count cap (F-AZ809-1 security-audit fix)
+        await GeofencePolygonsTooMany_Returns400(httpClient);
+
+        // Rule 10/11: requestMaps + createTilesZip required
+        await MissingRequestMaps_Returns400(httpClient);
+
+        // Rule 12: cross-field createTilesZip implies requestMaps
+        await CreateTilesZipWithoutRequestMaps_Returns400(httpClient);
+
+        // Rule 13: unknown root field rejected
+        await UnknownRootField_Returns400(httpClient);
+
+        // Rule 14: type mismatch (per-point lat)
+        await PointLatTypeMismatch_Returns400(httpClient);
+
+        Console.WriteLine("✓ Create-route validation tests: PASSED");
+    }
+
+    private static async Task HappyPath_Returns200(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 AC-2: well-formed body → HTTP 200 (no background processing — requestMaps=false)");
+
+        // Arrange
+        var routeId = Guid.NewGuid();
+        var body = BuildValidBody(routeId, requestMaps: false, createTilesZip: false);
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var status = (int)response.StatusCode;
+        var bodyText = await response.Content.ReadAsStringAsync();
+
+        // Assert
+        if (status != 200)
+        {
+            throw new Exception($"AZ-809 happy path: expected HTTP 200, got {status}. Body: {bodyText}");
+        }
+
+        Console.WriteLine("  ✓ Well-formed body accepted with HTTP 200");
+    }
+
+    private static async Task EmptyBody_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 1: empty body → HTTP 400");
+
+        // Act
+        var response = await PostJsonAsync(httpClient, "");
+        var status = (int)response.StatusCode;
+
+        // Assert
+        if (status != 400)
+        {
+            throw new Exception($"AZ-809 rule 1: expected HTTP 400, got {status}.");
+        }
+
+        Console.WriteLine("  ✓ Empty body rejected with HTTP 400");
+    }
+
+    private static async Task MissingId_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 2 (probe-confirmed gap): missing `id` → HTTP 400 (no silent zero-Guid coercion)");
+
+        // Arrange — same exact pattern as the AZ-808 probe finding.
+        var body = """
+            {
+              "name": "derkachi-flight-1",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 50.11, "lon": 36.11 }
+              ],
+              "requestMaps": false,
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 missing id");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 missing id");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "id", label: "AZ-809 missing id");
+
+        Console.WriteLine("  ✓ Missing `id` rejected with HTTP 400 (no silent coercion)");
+    }
+
+    private static async Task ZeroGuidId_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 2: zero-Guid `id` → HTTP 400");
+
+        // Arrange
+        var body = BuildValidBody(Guid.Empty, requestMaps: false, createTilesZip: false);
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 zero-Guid id");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 zero-Guid id", expectedErrorPath: "id");
+
+        Console.WriteLine("  ✓ Zero-Guid `id` rejected with errors[\"id\"]");
+    }
+
+    private static async Task EmptyName_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 3: empty `name` → HTTP 400");
+
+        // Arrange
+        var routeId = Guid.NewGuid();
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 50.11, "lon": 36.11 }
+              ],
+              "requestMaps": false,
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 empty name");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 empty name", expectedErrorPath: "name");
+
+        Console.WriteLine("  ✓ Empty `name` rejected with errors[\"name\"]");
+    }
+
+    private static async Task RegionSizeOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 5: `regionSizeMeters` out of range (100..10000) → HTTP 400");
+
+        // Arrange — same 1M cap-exceeder as AZ-808.
+        var routeId = Guid.NewGuid();
+        var body = BuildValidBody(routeId, regionSize: 1_000_000, requestMaps: false, createTilesZip: false);
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 regionSize out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 regionSize out of range", expectedErrorPath: "regionSizeMeters");
+
+        Console.WriteLine("  ✓ `regionSizeMeters=1000000` rejected with errors[\"regionSizeMeters\"]");
+    }
+
+    private static async Task ZoomLevelOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 6: `zoomLevel` out of range (0..22) → HTTP 400");
+
+        // Arrange
+        var routeId = Guid.NewGuid();
+        var body = BuildValidBody(routeId, zoom: 30, requestMaps: false, createTilesZip: false);
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 zoomLevel out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 zoomLevel out of range", expectedErrorPath: "zoomLevel");
+
+        Console.WriteLine("  ✓ `zoomLevel=30` rejected with errors[\"zoomLevel\"]");
+    }
+
+    private static async Task PointsTooFew_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 7: `points` count < 2 → HTTP 400");
+
+        // Arrange — single point.
+        var routeId = Guid.NewGuid();
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "single-point-route",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 }
+              ],
+              "requestMaps": false,
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 points too few");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 points too few", expectedErrorPath: "points");
+
+        Console.WriteLine("  ✓ `points` count=1 rejected with errors[\"points\"]");
+    }
+
+    private static async Task PointLatOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 8: per-point `lat` out of range → HTTP 400 (errors[points[i].lat])");
+
+        // Arrange
+        var routeId = Guid.NewGuid();
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "out-of-range-lat",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 91.0,  "lon": 36.11 }
+              ],
+              "requestMaps": false,
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 point lat out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 point lat out of range");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "points[1].lat", label: "AZ-809 point lat out of range");
+
+        Console.WriteLine("  ✓ `points[1].lat=91` rejected with errors[\"points[1].lat\"]");
+    }
+
+    private static async Task PointLonOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 8: per-point `lon` out of range → HTTP 400 (errors[points[i].lon])");
+
+        // Arrange
+        var routeId = Guid.NewGuid();
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "out-of-range-lon",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 50.11, "lon": 181.0 }
+              ],
+              "requestMaps": false,
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 point lon out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 point lon out of range");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "points[1].lon", label: "AZ-809 point lon out of range");
+
+        Console.WriteLine("  ✓ `points[1].lon=181` rejected with errors[\"points[1].lon\"]");
+    }
+
+    private static async Task GeofenceNwLatNotGreaterThanSeLat_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 9: geofence NW.lat <= SE.lat → HTTP 400 (cross-field invariant)");
+
+        // Arrange — NW.lat == SE.lat → NW not north-of SE.
+        var routeId = Guid.NewGuid();
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "inverted-geofence",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 50.11, "lon": 36.11 }
+              ],
+              "geofences": {
+                "polygons": [
+                  { "northWest": { "lat": 50.05, "lon": 36.05 },
+                    "southEast": { "lat": 50.05, "lon": 36.15 } }
+                ]
+              },
+              "requestMaps": false,
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 NW lat not > SE lat");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 NW lat not > SE lat");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "northWest", label: "AZ-809 NW lat not > SE lat");
+
+        Console.WriteLine("  ✓ NW.lat <= SE.lat rejected by cross-field invariant");
+    }
+
+    private static async Task GeofencePolygonsTooMany_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 9b (security-audit F-AZ809-1): geofence polygon-count > 50 → HTTP 400");
+
+        // Arrange — 51 polygons, each valid bbox. Only the count rule should fire.
+        var routeId = Guid.NewGuid();
+        var polygonsJson = string.Join(
+            ",\n        ",
+            Enumerable
+                .Range(0, 51)
+                .Select(_ => "{ \"northWest\": { \"lat\": 50.15, \"lon\": 36.05 }, \"southEast\": { \"lat\": 50.05, \"lon\": 36.15 } }"));
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "too-many-polygons",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 50.11, "lon": 36.11 }
+              ],
+              "geofences": {
+                "polygons": [
+                  {{polygonsJson}}
+                ]
+              },
+              "requestMaps": false,
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 geofence polygons too many");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 geofence polygons too many", expectedErrorPath: "geofences.polygons");
+
+        Console.WriteLine("  ✓ 51 polygons rejected with errors[\"geofences.polygons\"] (cap is 50)");
+    }
+
+    private static async Task MissingRequestMaps_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 10: missing `requestMaps` → HTTP 400 (no defaulting)");
+
+        // Arrange
+        var routeId = Guid.NewGuid();
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "no-requestMaps",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 50.11, "lon": 36.11 }
+              ],
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 missing requestMaps");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 missing requestMaps");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "requestMaps", label: "AZ-809 missing requestMaps");
+
+        Console.WriteLine("  ✓ Missing `requestMaps` rejected");
+    }
+
+    private static async Task CreateTilesZipWithoutRequestMaps_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 12: `createTilesZip=true` AND `requestMaps=false` → HTTP 400 (cross-field invariant)");
+
+        // Arrange
+        var routeId = Guid.NewGuid();
+        var body = BuildValidBody(routeId, requestMaps: false, createTilesZip: true);
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 createTilesZip without requestMaps");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 createTilesZip without requestMaps", expectedErrorPath: "createTilesZip");
+
+        Console.WriteLine("  ✓ `createTilesZip=true requestMaps=false` rejected by cross-field invariant");
+    }
+
+    private static async Task UnknownRootField_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 13: unknown root field → HTTP 400 (UnmappedMemberHandling.Disallow)");
+
+        // Arrange
+        var routeId = Guid.NewGuid();
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "with-unknown-field",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 50.11, "lon": 36.11 }
+              ],
+              "requestMaps": false,
+              "createTilesZip": false,
+              "debug": "fingerprint-probe"
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 unknown root field");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 unknown root field");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "debug", label: "AZ-809 unknown root field");
+
+        Console.WriteLine("  ✓ Unknown root field `debug` rejected with errors mention");
+    }
+
+    private static async Task PointLatTypeMismatch_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-809 rule 14: nested type mismatch (`points[0].lat` as string) → HTTP 400");
+
+        // Arrange
+        var routeId = Guid.NewGuid();
+        var body = $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "nested-type-mismatch",
+              "regionSizeMeters": 1000,
+              "zoomLevel": 18,
+              "points": [
+                { "lat": "fifty", "lon": 36.10 },
+                { "lat": 50.11,   "lon": 36.11 }
+              ],
+              "requestMaps": false,
+              "createTilesZip": false
+            }
+            """;
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-809 point lat type mismatch");
+
+        // Assert — GlobalExceptionHandler converts BadHttpRequestException to
+        // ValidationProblemDetails when the inner JsonException's Path is set.
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-809 point lat type mismatch");
+
+        Console.WriteLine("  ✓ `points[0].lat:\"fifty\"` rejected with HTTP 400");
+    }
+
+    private static string BuildValidBody(
+        Guid routeId,
+        double regionSize = 1000.0,
+        int zoom = 18,
+        bool requestMaps = false,
+        bool createTilesZip = false)
+    {
+        // Lat/lon picked from gps-denied-onboard AZ-777 Phase 2 probe.
+        return $$"""
+            {
+              "id": "{{routeId}}",
+              "name": "az-809-integration-test",
+              "description": "AZ-809 integration test route",
+              "regionSizeMeters": {{regionSize.ToString(System.Globalization.CultureInfo.InvariantCulture)}},
+              "zoomLevel": {{zoom}},
+              "points": [
+                { "lat": 50.10, "lon": 36.10 },
+                { "lat": 50.11, "lon": 36.11 }
+              ],
+              "requestMaps": {{(requestMaps ? "true" : "false")}},
+              "createTilesZip": {{(createTilesZip ? "true" : "false")}}
+            }
+            """;
+    }
+
+    private static Task<HttpResponseMessage> PostJsonAsync(HttpClient httpClient, string body)
+    {
+        var content = new StringContent(body, Encoding.UTF8, "application/json");
+        return httpClient.PostAsync(RoutePath, content);
+    }
+}

SatelliteProvider.IntegrationTests/GetTileByLatLonValidationTests.cs

@@ -0,0 +1,173 @@
+namespace SatelliteProvider.IntegrationTests;
+
+// AZ-811: end-to-end coverage for GET /api/satellite/tiles/latlon strict input
+// validation. Two enforcement layers:
+//   1. RejectUnknownQueryParamsEndpointFilter — rejects any query key outside
+//      {lat, lon, zoom}, catching typos like `?latitude=` that pre-AZ-811
+//      silently bound to 0.
+//   2. WithValidation<GetTileByLatLonQuery> — range-checks lat, lon, zoom.
+// Both surface RFC 7807 ValidationProblemDetails per error-shape.md v1.0.0.
+public static class GetTileByLatLonValidationTests
+{
+    private const string LatLonPath = "/api/satellite/tiles/latlon";
+
+    public static async Task RunAll(HttpClient httpClient)
+    {
+        RouteTestHelpers.PrintTestHeader("Test: GET /api/satellite/tiles/latlon strict validation (AZ-811)");
+
+        await HappyPath_Returns200(httpClient);
+
+        // Validator rules (range)
+        await LatOutOfRange_Returns400(httpClient);
+        await LonOutOfRange_Returns400(httpClient);
+        await ZoomOutOfRange_Returns400(httpClient);
+
+        // Validator rules (missing required)
+        await MissingLat_Returns400(httpClient);
+
+        // Envelope rule: unknown query params
+        await UnknownQueryParam_LegacyLatitude_Returns400(httpClient);
+        await UnknownQueryParam_Hostile_Returns400(httpClient);
+
+        // Type mismatch (delegates to GlobalExceptionHandler via model-binding)
+        await LatTypeMismatch_Returns400(httpClient);
+
+        Console.WriteLine("✓ GET lat/lon validation tests: PASSED");
+    }
+
+    private static async Task HappyPath_Returns200(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-811 AC-2: well-formed query → HTTP 200");
+
+        // Act
+        var response = await httpClient.GetAsync($"{LatLonPath}?lat=47.461747&lon=37.647063&zoom=18");
+        var status = (int)response.StatusCode;
+        var bodyText = await response.Content.ReadAsStringAsync();
+
+        // Assert
+        if (status != 200)
+        {
+            throw new Exception($"AZ-811 happy path: expected HTTP 200, got {status}. Body: {bodyText}");
+        }
+
+        Console.WriteLine("  ✓ {lat,lon,zoom} accepted with HTTP 200");
+    }
+
+    private static async Task LatOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-811 rule 1: lat out of range (-90..90) → HTTP 400");
+
+        // Act
+        var response = await httpClient.GetAsync($"{LatLonPath}?lat=91&lon=37.647063&zoom=18");
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 lat out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 lat out of range", expectedErrorPath: "lat");
+
+        Console.WriteLine("  ✓ lat=91 rejected with errors[\"lat\"]");
+    }
+
+    private static async Task LonOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-811 rule 2: lon out of range (-180..180) → HTTP 400");
+
+        // Act
+        var response = await httpClient.GetAsync($"{LatLonPath}?lat=47.461747&lon=181&zoom=18");
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 lon out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 lon out of range", expectedErrorPath: "lon");
+
+        Console.WriteLine("  ✓ lon=181 rejected with errors[\"lon\"]");
+    }
+
+    private static async Task ZoomOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-811 rule 3: zoom out of range (0..22) → HTTP 400");
+
+        // Act
+        var response = await httpClient.GetAsync($"{LatLonPath}?lat=47.461747&lon=37.647063&zoom=30");
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 zoom out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 zoom out of range", expectedErrorPath: "zoom");
+
+        Console.WriteLine("  ✓ zoom=30 rejected with errors[\"zoom\"]");
+    }
+
+    private static async Task MissingLat_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-811 rule 1: missing `lat` query param → HTTP 400 with errors.lat");
+
+        // Act — only lon + zoom supplied; the validator's NotNull rule on Lat must
+        // fire (binder produces Lat=null because the DTO is nullable; see
+        // GetTileByLatLonQuery for why).
+        var response = await httpClient.GetAsync($"{LatLonPath}?lon=37.647063&zoom=18");
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 missing lat");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 missing lat", expectedErrorPath: "lat");
+
+        Console.WriteLine("  ✓ Missing lat rejected with errors[\"lat\"] = `lat` is required");
+    }
+
+    private static async Task UnknownQueryParam_LegacyLatitude_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-811 rule 4: legacy `?Latitude=&Longitude=&ZoomLevel=` (pre-AZ-811 wire format) → HTTP 400 (envelope filter)");
+
+        // Act — exact pre-AZ-811 wire format; must now fail explicitly instead
+        // of silently binding to lat=0/lon=0/zoom=0 (typo class).
+        var response = await httpClient.GetAsync($"{LatLonPath}?Latitude=47.461747&Longitude=37.647063&ZoomLevel=18");
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 legacy param names");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 legacy param names");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "Latitude", label: "AZ-811 legacy param names");
+
+        Console.WriteLine("  ✓ Legacy ?Latitude=&Longitude=&ZoomLevel= rejected by envelope filter");
+    }
+
+    private static async Task UnknownQueryParam_Hostile_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-811 rule 4: hostile/typo query keys → HTTP 400 (envelope filter)");
+
+        // Act
+        var response = await httpClient.GetAsync($"{LatLonPath}?lat=47.461747&lon=37.647063&zoom=18&debug=1&admin=true");
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 hostile params");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 hostile params");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "debug", label: "AZ-811 hostile params");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "admin", label: "AZ-811 hostile params");
+
+        Console.WriteLine("  ✓ ?debug=1&admin=true rejected; errors map names BOTH unknown keys");
+    }
+
+    private static async Task LatTypeMismatch_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-811 rule 5: lat type mismatch (non-numeric) → HTTP 400");
+
+        // Act
+        var response = await httpClient.GetAsync($"{LatLonPath}?lat=fifty&lon=37.647063&zoom=18");
+        var status = (int)response.StatusCode;
+
+        // Assert — ASP.NET query-param binding produces 400 for type mismatch via
+        // BadHttpRequestException; the exact ProblemDetails shape varies depending
+        // on whether the GlobalExceptionHandler intercepts. Either way the wire
+        // contract is HTTP 400, no body leak.
+        if (status != 400)
+        {
+            throw new Exception($"AZ-811 type mismatch: expected HTTP 400, got {status}.");
+        }
+
+        Console.WriteLine("  ✓ lat=fifty rejected with HTTP 400");
+    }
+}

SatelliteProvider.IntegrationTests/IdempotentPostTests.cs

@@ -30,8 +30,8 @@ public static class IdempotentPostTests
         var body = JsonSerializer.Serialize(new
         {
             id = regionId,
-            latitude = 47.4617,
+            lat = 47.4617,
-            longitude = 37.6470,
+            lon = 37.6470,
             sizeMeters = 200,
             zoomLevel = 18,
             stitchTiles = false,
@@ -103,8 +103,8 @@ public static class IdempotentPostTests
             createTilesZip = false,
             points = new[]
             {
-                new { latitude = 47.4617, longitude = 37.6470 },
+                new { lat = 47.4617, lon = 37.6470 },
-                new { latitude = 47.4630, longitude = 37.6485 },
+                new { lat = 47.4630, lon = 37.6485 },
             },
         });
 

SatelliteProvider.IntegrationTests/JwtIntegrationTests.cs

@@ -6,7 +6,7 @@ namespace SatelliteProvider.IntegrationTests;
 
 public static class JwtIntegrationTests
 {
-    private const string ProtectedTilesPath = "/api/satellite/tiles/latlon?Latitude=47.461747&Longitude=37.647063&ZoomLevel=18";
+    private const string ProtectedTilesPath = "/api/satellite/tiles/latlon?lat=47.461747&lon=37.647063&zoom=18";
     private const string ProtectedRegionPath = "/api/satellite/region/00000000-0000-0000-0000-000000000000";
 
     public static async Task RunAll(string apiUrl, string secret)

SatelliteProvider.IntegrationTests/Models.cs

@@ -17,8 +17,13 @@ public record DownloadTileResponse
 public record RequestRegionRequest
 {
     public Guid Id { get; set; }
-    public double Latitude { get; set; }
+
-    public double Longitude { get; set; }
+    [System.Text.Json.Serialization.JsonPropertyName("lat")]
+    public double Lat { get; set; }
+
+    [System.Text.Json.Serialization.JsonPropertyName("lon")]
+    public double Lon { get; set; }
+
     public double SizeMeters { get; set; }
     public int ZoomLevel { get; set; }
     public bool StitchTiles { get; set; } = false;

SatelliteProvider.IntegrationTests/ProblemDetailsAssertions.cs

@@ -0,0 +1,142 @@
+using System.Text.Json;
+
+namespace SatelliteProvider.IntegrationTests;
+
+// AZ-795: shared ProblemDetails / ValidationProblemDetails assertion helper
+// for integration tests. Every endpoint that emits a 4xx error MUST produce
+// a body matching the contract in
+// `_docs/02_document/contracts/api/error-shape.md` (v1.0.0). Tests use this
+// helper instead of re-deriving the shape per call site.
+public static class ProblemDetailsAssertions
+{
+    private static readonly JsonSerializerOptions JsonOptions = new()
+    {
+        PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
+        PropertyNameCaseInsensitive = true
+    };
+
+    public static async Task<JsonElement> ReadProblemDetailsAsync(HttpResponseMessage response, string label)
+    {
+        var contentType = response.Content.Headers.ContentType?.MediaType;
+        if (contentType is null || !contentType.Contains("application/problem+json", StringComparison.OrdinalIgnoreCase))
+        {
+            var body = await response.Content.ReadAsStringAsync();
+            throw new Exception(
+                $"{label}: expected Content-Type 'application/problem+json', got '{contentType}'. Body: {body}");
+        }
+
+        var stream = await response.Content.ReadAsStreamAsync();
+        using var doc = await JsonDocument.ParseAsync(stream);
+        return doc.RootElement.Clone();
+    }
+
+    public static void AssertValidationProblem(
+        JsonElement problem,
+        int expectedStatus,
+        string label,
+        string? expectedErrorPath = null,
+        string? expectedErrorContains = null)
+    {
+        if (!problem.TryGetProperty("status", out var statusEl) || statusEl.GetInt32() != expectedStatus)
+        {
+            throw new Exception(
+                $"{label}: expected status={expectedStatus}, got {(statusEl.ValueKind == JsonValueKind.Number ? statusEl.GetInt32().ToString() : "missing")}");
+        }
+
+        if (!problem.TryGetProperty("title", out var titleEl) || string.IsNullOrEmpty(titleEl.GetString()))
+        {
+            throw new Exception($"{label}: expected non-empty 'title', got missing/empty.");
+        }
+
+        if (!problem.TryGetProperty("errors", out var errorsEl) || errorsEl.ValueKind != JsonValueKind.Object)
+        {
+            throw new Exception($"{label}: expected 'errors' object, got {errorsEl.ValueKind}.");
+        }
+
+        if (expectedErrorPath is not null)
+        {
+            if (!errorsEl.TryGetProperty(expectedErrorPath, out var fieldEl) || fieldEl.ValueKind != JsonValueKind.Array)
+            {
+                throw new Exception(
+                    $"{label}: expected errors['{expectedErrorPath}'] array, got {(errorsEl.TryGetProperty(expectedErrorPath, out var raw) ? raw.ValueKind.ToString() : "missing")}. " +
+                    $"Available paths: {string.Join(", ", EnumeratePaths(errorsEl))}.");
+            }
+
+            if (expectedErrorContains is not null)
+            {
+                var first = fieldEl.EnumerateArray().FirstOrDefault();
+                var firstStr = first.ValueKind == JsonValueKind.String ? first.GetString() : null;
+                if (firstStr is null || !firstStr.Contains(expectedErrorContains, StringComparison.OrdinalIgnoreCase))
+                {
+                    throw new Exception(
+                        $"{label}: expected errors['{expectedErrorPath}'][0] to contain '{expectedErrorContains}', got '{firstStr}'.");
+                }
+            }
+        }
+    }
+
+    public static void AssertProblemDetails(
+        JsonElement problem,
+        int expectedStatus,
+        string label)
+    {
+        if (!problem.TryGetProperty("status", out var statusEl) || statusEl.GetInt32() != expectedStatus)
+        {
+            throw new Exception(
+                $"{label}: expected status={expectedStatus}, got {(statusEl.ValueKind == JsonValueKind.Number ? statusEl.GetInt32().ToString() : "missing")}");
+        }
+
+        if (!problem.TryGetProperty("title", out var titleEl) || string.IsNullOrEmpty(titleEl.GetString()))
+        {
+            throw new Exception($"{label}: expected non-empty 'title', got missing/empty.");
+        }
+    }
+
+    // AZ-808 cycle 8: promoted from per-test-file private helpers (was
+    // duplicated in TileInventoryValidationTests + RegionFieldRenameTests +
+    // RegionRequestValidationTests) so every validation test points at one
+    // source of truth for "is this field-name or substring mentioned anywhere
+    // in the errors map?".
+    public static void AssertErrorsContainsMention(JsonElement problem, string expectedMention, string label)
+    {
+        if (!problem.TryGetProperty("errors", out var errorsEl) || errorsEl.ValueKind != JsonValueKind.Object)
+        {
+            throw new Exception($"{label}: expected 'errors' object in ProblemDetails body.");
+        }
+
+        var found = false;
+        foreach (var prop in errorsEl.EnumerateObject())
+        {
+            if (prop.Name.Contains(expectedMention, StringComparison.OrdinalIgnoreCase))
+            {
+                found = true;
+                break;
+            }
+
+            foreach (var msg in prop.Value.EnumerateArray())
+            {
+                if (msg.GetString()?.Contains(expectedMention, StringComparison.OrdinalIgnoreCase) == true)
+                {
+                    found = true;
+                    break;
+                }
+            }
+
+            if (found) break;
+        }
+
+        if (!found)
+        {
+            var paths = string.Join(", ", errorsEl.EnumerateObject().Select(p => p.Name));
+            throw new Exception($"{label}: expected '{expectedMention}' to appear in errors keys or messages. Available paths: {paths}.");
+        }
+    }
+
+    private static IEnumerable<string> EnumeratePaths(JsonElement errorsEl)
+    {
+        foreach (var prop in errorsEl.EnumerateObject())
+        {
+            yield return prop.Name;
+        }
+    }
+}

SatelliteProvider.IntegrationTests/Program.cs

@@ -103,6 +103,7 @@ class Program
 
             await JwtIntegrationTests.RunAll(apiUrl, jwtSecret);
             await UavUploadTests.RunAll(apiUrl, jwtSecret);
+            await UavUploadValidationTests.RunAll(apiUrl, jwtSecret);
             await Http2MultiplexingTests.RunAll(apiUrl, jwtSecret);
 
             if (TestRunMode.Smoke)
@@ -139,6 +140,11 @@ class Program
         await StubAndErrorContractTests.RunAll(httpClient);
         await IdempotentPostTests.RunAll(httpClient);
         await TileInventoryTests.RunAll(httpClient);
+        await TileInventoryValidationTests.RunAll(httpClient);
+        await RegionFieldRenameTests.RunAll(httpClient);
+        await RegionRequestValidationTests.RunAll(httpClient);
+        await GetTileByLatLonValidationTests.RunAll(httpClient);
+        await CreateRouteValidationTests.RunAll(httpClient);
         await LeafletPathIndexOnlyTests.RunAll(connectionString);
         await MigrationTests.RunAll();
     }
@@ -162,6 +168,11 @@ class Program
         await StubAndErrorContractTests.RunAll(httpClient);
         await IdempotentPostTests.RunAll(httpClient);
         await TileInventoryTests.RunAll(httpClient);
+        await TileInventoryValidationTests.RunAll(httpClient);
+        await RegionFieldRenameTests.RunAll(httpClient);
+        await RegionRequestValidationTests.RunAll(httpClient);
+        await GetTileByLatLonValidationTests.RunAll(httpClient);
+        await CreateRouteValidationTests.RunAll(httpClient);
         await LeafletPathIndexOnlyTests.RunAll(connectionString);
         await MigrationTests.RunAll();
     }

SatelliteProvider.IntegrationTests/RegionFieldRenameTests.cs

@@ -0,0 +1,74 @@
+using System.Text;
+
+namespace SatelliteProvider.IntegrationTests;
+
+// AZ-812: wire-format rename for POST /api/satellite/request.
+// `RequestRegionRequest` now uses `lat`/`lon` (OSM convention) on the wire,
+// replacing the previous verbose `latitude`/`longitude`. The strict-parsing
+// infrastructure landed by AZ-795 (UnmappedMemberHandling.Disallow +
+// GlobalExceptionHandler) means the old wire format must now be rejected
+// explicitly, not silently coerced. AC-4 from the AZ-812 task spec.
+public static class RegionFieldRenameTests
+{
+    private const string RegionPath = "/api/satellite/request";
+
+    public static async Task RunAll(HttpClient httpClient)
+    {
+        RouteTestHelpers.PrintTestHeader("Test: Region endpoint OSM field-name rename (AZ-812)");
+
+        await NewLatLonFormat_Returns200(httpClient);
+        await OldLatitudeLongitudeFormat_Returns400(httpClient);
+
+        Console.WriteLine("✓ Region field-rename tests: PASSED");
+    }
+
+    private static async Task NewLatLonFormat_Returns200(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-812 AC-4 (positive): new {lat,lon} wire format → HTTP 200");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var status = (int)response.StatusCode;
+        var responseBody = await response.Content.ReadAsStringAsync();
+
+        // Assert
+        if (status != 200)
+        {
+            throw new Exception($"AZ-812 AC-4 positive: expected HTTP 200 for {{lat,lon}} body, got {status}. Body: {responseBody}");
+        }
+
+        Console.WriteLine("  ✓ {lat,lon} body accepted with HTTP 200");
+    }
+
+    private static async Task OldLatitudeLongitudeFormat_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-812 AC-4 (negative): legacy {latitude,longitude} wire format → HTTP 400 (UnmappedMemberHandling.Disallow)");
+
+        // Arrange — exact pre-AZ-812 wire format; must now fail explicitly instead
+        // of silently mapping to the renamed Lat/Lon properties.
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"latitude\":47.461747,\"longitude\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-812 legacy field names");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-812 legacy field names");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "latitude", label: "AZ-812 legacy field names");
+
+        Console.WriteLine("  ✓ Legacy {latitude,longitude} body rejected with HTTP 400; errors map names the unknown field");
+    }
+
+    private static Task<HttpResponseMessage> PostJsonAsync(HttpClient httpClient, string body)
+    {
+        var content = new StringContent(body, Encoding.UTF8, "application/json");
+        return httpClient.PostAsync(RegionPath, content);
+    }
+}

SatelliteProvider.IntegrationTests/RegionRequestValidationTests.cs

@@ -0,0 +1,340 @@
+using System.Text;
+using System.Text.Json;
+
+namespace SatelliteProvider.IntegrationTests;
+
+// AZ-808: end-to-end coverage for the region-request endpoint's strict input
+// validation. Each test exercises one rule from the validator (FluentValidation
+// for business rules, JsonSerializerOptions for wire-format rules) and asserts
+// the response body conforms to the RFC 7807 ValidationProblemDetails contract
+// in `_docs/02_document/contracts/api/error-shape.md` v1.0.0.
+//
+// Field names use the post-AZ-812 OSM convention (`lat`/`lon`). The legacy
+// `latitude`/`longitude` wire format is verified to be rejected by
+// RegionFieldRenameTests.cs (AZ-812 AC-4).
+public static class RegionRequestValidationTests
+{
+    private const string RegionPath = "/api/satellite/request";
+
+    public static async Task RunAll(HttpClient httpClient)
+    {
+        RouteTestHelpers.PrintTestHeader("Test: Region endpoint strict validation (AZ-808)");
+
+        await HappyPath_Returns200(httpClient);
+
+        // Rule 1: body present
+        await EmptyBody_Returns400(httpClient);
+
+        // Rule 2: id required, non-zero Guid
+        await MissingId_Returns400(httpClient);
+        await ZeroGuidId_Returns400(httpClient);
+
+        // Rule 3: lat required, [-90, 90]
+        await MissingLat_Returns400(httpClient);
+        await LatOutOfRange_Returns400(httpClient);
+
+        // Rule 4: lon required, [-180, 180]
+        await MissingLon_Returns400(httpClient);
+        await LonOutOfRange_Returns400(httpClient);
+
+        // Rule 5: sizeMeters required, [100, 10000]
+        await MissingSizeMeters_Returns400(httpClient);
+        await SizeMetersOutOfRange_Returns400(httpClient);
+
+        // Rule 6: zoomLevel required, [0, 22]
+        await MissingZoomLevel_Returns400(httpClient);
+        await ZoomLevelOutOfRange_Returns400(httpClient);
+
+        // Rule 7: stitchTiles required (bool, no default)
+        await MissingStitchTiles_Returns400(httpClient);
+
+        // Rule 9: type mismatch
+        await LatTypeMismatch_Returns400(httpClient);
+
+        // Rule 8 (unknown root fields) is covered by RegionFieldRenameTests (AZ-812 AC-4).
+
+        Console.WriteLine("✓ Region-request validation tests: PASSED");
+    }
+
+    private static async Task HappyPath_Returns200(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 AC-2: well-formed request → HTTP 200");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var status = (int)response.StatusCode;
+        var bodyText = await response.Content.ReadAsStringAsync();
+
+        // Assert
+        if (status != 200)
+        {
+            throw new Exception($"AZ-808 AC-2 happy path: expected HTTP 200, got {status}. Body: {bodyText}");
+        }
+
+        Console.WriteLine("  ✓ Well-formed body accepted with HTTP 200");
+    }
+
+    private static async Task EmptyBody_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 1: empty body → HTTP 400");
+
+        // Arrange
+        const string body = "";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var status = (int)response.StatusCode;
+
+        // Assert
+        if (status != 400)
+        {
+            throw new Exception($"AZ-808 rule 1: expected HTTP 400, got {status}.");
+        }
+
+        Console.WriteLine("  ✓ Empty body rejected with HTTP 400");
+    }
+
+    private static async Task MissingId_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 2 (probe-confirmed gap): missing `id` → HTTP 400 (no silent zero-Guid coercion)");
+
+        // Arrange — the exact 2026-05-22 probe payload that silently coerced to Guid.Empty pre-AZ-808.
+        const string body = "{\"lat\":49.94,\"lon\":36.31,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing id");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing id");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "id", label: "AZ-808 missing id");
+
+        Console.WriteLine("  ✓ Missing `id` rejected with HTTP 400 (no silent coercion)");
+    }
+
+    private static async Task ZeroGuidId_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 2: zero-Guid `id` → HTTP 400");
+
+        // Arrange
+        const string body = "{\"id\":\"00000000-0000-0000-0000-000000000000\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 zero-Guid id");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 zero-Guid id", expectedErrorPath: "id");
+
+        Console.WriteLine("  ✓ Zero-Guid `id` rejected with errors[\"id\"]");
+    }
+
+    private static async Task MissingLat_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 3: missing `lat` → HTTP 400");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing lat");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing lat");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "lat", label: "AZ-808 missing lat");
+
+        Console.WriteLine("  ✓ Missing `lat` rejected with HTTP 400");
+    }
+
+    private static async Task LatOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 3: `lat` out of range (-90..90) → HTTP 400");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":91.0,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 lat out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 lat out of range", expectedErrorPath: "lat");
+
+        Console.WriteLine("  ✓ `lat=91.0` rejected with errors[\"lat\"]");
+    }
+
+    private static async Task MissingLon_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 4: missing `lon` → HTTP 400");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing lon");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing lon");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "lon", label: "AZ-808 missing lon");
+
+        Console.WriteLine("  ✓ Missing `lon` rejected with HTTP 400");
+    }
+
+    private static async Task LonOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 4: `lon` out of range (-180..180) → HTTP 400");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":181.0,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 lon out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 lon out of range", expectedErrorPath: "lon");
+
+        Console.WriteLine("  ✓ `lon=181.0` rejected with errors[\"lon\"]");
+    }
+
+    private static async Task MissingSizeMeters_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 5: missing `sizeMeters` → HTTP 400");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing sizeMeters");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing sizeMeters");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "sizeMeters", label: "AZ-808 missing sizeMeters");
+
+        Console.WriteLine("  ✓ Missing `sizeMeters` rejected with HTTP 400");
+    }
+
+    private static async Task SizeMetersOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 5: `sizeMeters` out of range (100..10000) → HTTP 400");
+
+        // Arrange — same 1M cap-exceeder used by SEC-03; this validator replaces the old inline check.
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":1000000,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 sizeMeters out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 sizeMeters out of range", expectedErrorPath: "sizeMeters");
+
+        Console.WriteLine("  ✓ `sizeMeters=1000000` rejected with errors[\"sizeMeters\"]");
+    }
+
+    private static async Task MissingZoomLevel_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 6: missing `zoomLevel` → HTTP 400");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing zoomLevel");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing zoomLevel");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "zoomLevel", label: "AZ-808 missing zoomLevel");
+
+        Console.WriteLine("  ✓ Missing `zoomLevel` rejected with HTTP 400");
+    }
+
+    private static async Task ZoomLevelOutOfRange_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 6: `zoomLevel` out of range (0..22) → HTTP 400");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":30,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 zoomLevel out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 zoomLevel out of range", expectedErrorPath: "zoomLevel");
+
+        Console.WriteLine("  ✓ `zoomLevel=30` rejected with errors[\"zoomLevel\"]");
+    }
+
+    private static async Task MissingStitchTiles_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 7: missing `stitchTiles` → HTTP 400 (no defaulting to false)");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing stitchTiles");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing stitchTiles");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "stitchTiles", label: "AZ-808 missing stitchTiles");
+
+        Console.WriteLine("  ✓ Missing `stitchTiles` rejected with HTTP 400");
+    }
+
+    private static async Task LatTypeMismatch_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-808 rule 9: type mismatch (`lat` as string) → HTTP 400");
+
+        // Arrange
+        var regionId = Guid.NewGuid();
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":\"fifty\",\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 lat type mismatch");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 lat type mismatch");
+
+        Console.WriteLine("  ✓ `lat:\"fifty\"` rejected with HTTP 400");
+    }
+
+    private static Task<HttpResponseMessage> PostJsonAsync(HttpClient httpClient, string body)
+    {
+        var content = new StringContent(body, Encoding.UTF8, "application/json");
+        return httpClient.PostAsync(RegionPath, content);
+    }
+}

SatelliteProvider.IntegrationTests/RegionTests.cs

@@ -84,8 +84,8 @@ public static class RegionTests
         var requestRegion = new RequestRegionRequest
         {
             Id = regionId,
-            Latitude = latitude,
+            Lat = latitude,
-            Longitude = longitude,
+            Lon = longitude,
             SizeMeters = sizeMeters,
             ZoomLevel = zoomLevel,
             StitchTiles = stitchTiles

SatelliteProvider.IntegrationTests/SecurityTests.cs

@@ -23,7 +23,7 @@ public static class SecurityTests
         Console.WriteLine("SEC-01: SQL injection attempt in coordinate query string");
 
         var injection = "' OR 1=1 --";
-        var url = $"/api/satellite/tiles/latlon?Latitude={Uri.EscapeDataString(injection)}&Longitude=37.647063&ZoomLevel=18";
+        var url = $"/api/satellite/tiles/latlon?lat={Uri.EscapeDataString(injection)}&lon=37.647063&zoom=18";
         var response = await httpClient.GetAsync(url);
 
         if (response.StatusCode != HttpStatusCode.BadRequest && response.StatusCode != HttpStatusCode.UnprocessableEntity)
@@ -66,7 +66,7 @@ public static class SecurityTests
         Console.WriteLine("SEC-03: Oversized region request (sizeMeters beyond allowed cap)");
 
         var regionId = Guid.NewGuid();
-        var body = $"{{\"id\":\"{regionId}\",\"latitude\":47.461747,\"longitude\":37.647063,\"sizeMeters\":1000000,\"zoomLevel\":18,\"stitchTiles\":false}}";
+        var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":1000000,\"zoomLevel\":18,\"stitchTiles\":false}}";
         var content = new StringContent(body, Encoding.UTF8, "application/json");
         var response = await httpClient.PostAsync("/api/satellite/request", content);
         var status = (int)response.StatusCode;

SatelliteProvider.IntegrationTests/TileInventoryTests.cs

@@ -60,10 +60,10 @@ public static class TileInventoryTests
         var seed = (int)(DateTime.UtcNow.Ticks % int.MaxValue);
         var random = new Random(seed);
         var presentCoords = Enumerable.Range(0, 12)
-            .Select(i => new TileCoord { TileZoom = zoom, TileX = 600_000 + (seed % 1000) * 100 + i, TileY = 700_000 + (seed % 1000) * 100 + i })
+            .Select(i => new TileCoord { Z = zoom, X = 50_000 + (seed % 1000) * 100 + i, Y = 60_000 + (seed % 1000) * 100 + i })
             .ToArray();
         var absentCoords = Enumerable.Range(0, 13)
-            .Select(i => new TileCoord { TileZoom = zoom, TileX = 800_000 + (seed % 1000) * 100 + i, TileY = 900_000 + (seed % 1000) * 100 + i })
+            .Select(i => new TileCoord { Z = zoom, X = 80_000 + (seed % 1000) * 100 + i, Y = 100_000 + (seed % 1000) * 100 + i })
             .ToArray();
 
         // Pre-seed the present cells. Mix sources / flights to exercise the
@@ -74,7 +74,7 @@ public static class TileInventoryTests
         for (var i = 0; i < presentCoords.Length; i++)
         {
             var coord = presentCoords[i];
-            var locationHash = Uuidv5.LocationHashForTile(coord.TileZoom, coord.TileX, coord.TileY);
+            var locationHash = Uuidv5.LocationHashForTile(coord.Z, coord.X, coord.Y);
 
             // Seed at least one google_maps row for every present cell.
             var googleId = Guid.NewGuid();
@@ -119,7 +119,7 @@ public static class TileInventoryTests
         }
 
         var presentHashes = presentCoords
-            .Select(c => Uuidv5.LocationHashForTile(c.TileZoom, c.TileX, c.TileY))
+            .Select(c => Uuidv5.LocationHashForTile(c.Z, c.X, c.Y))
             .ToHashSet();
 
         for (var i = 0; i < allCoords.Length; i++)
@@ -127,14 +127,14 @@ public static class TileInventoryTests
             var requestedCoord = allCoords[i];
             var entry = body.Results[i];
 
-            if (entry.TileZoom != requestedCoord.TileZoom || entry.TileX != requestedCoord.TileX || entry.TileY != requestedCoord.TileY)
+            if (entry.Z != requestedCoord.Z || entry.X != requestedCoord.X || entry.Y != requestedCoord.Y)
             {
                 throw new Exception(
-                    $"AC-1: entry {i} coords mismatch — request was ({requestedCoord.TileZoom},{requestedCoord.TileX},{requestedCoord.TileY}), " +
+                    $"AC-1: entry {i} coords mismatch — request was ({requestedCoord.Z},{requestedCoord.X},{requestedCoord.Y}), " +
-                    $"response is ({entry.TileZoom},{entry.TileX},{entry.TileY})");
+                    $"response is ({entry.Z},{entry.X},{entry.Y})");
             }
 
-            var expectedHash = Uuidv5.LocationHashForTile(requestedCoord.TileZoom, requestedCoord.TileX, requestedCoord.TileY);
+            var expectedHash = Uuidv5.LocationHashForTile(requestedCoord.Z, requestedCoord.X, requestedCoord.Y);
             if (entry.LocationHash != expectedHash)
             {
                 throw new Exception($"AC-1: entry {i} location_hash mismatch — expected {expectedHash}, got {entry.LocationHash}");
@@ -195,11 +195,11 @@ public static class TileInventoryTests
         var seed = (int)(DateTime.UtcNow.Ticks % int.MaxValue);
         var coord = new TileCoord
         {
-            TileZoom = zoom,
+            Z = zoom,
-            TileX = 1_200_000 + (seed % 1000),
+            X = 130_000 + (seed % 1000),
-            TileY = 1_300_000 + (seed % 1000)
+            Y = 150_000 + (seed % 1000)
         };
-        var locationHash = Uuidv5.LocationHashForTile(coord.TileZoom, coord.TileX, coord.TileY);
+        var locationHash = Uuidv5.LocationHashForTile(coord.Z, coord.X, coord.Y);
 
         var googleId = Guid.NewGuid();
         var googleCapturedAt = DateTime.UtcNow.AddHours(-2);
@@ -252,7 +252,7 @@ public static class TileInventoryTests
         // Arrange
         var request = new TileInventoryRequest
         {
-            Tiles = new[] { new TileCoord { TileZoom = 18, TileX = 1, TileY = 1 } },
+            Tiles = new[] { new TileCoord { Z = 18, X = 1, Y = 1 } },
             LocationHashes = new[] { Guid.NewGuid() }
         };
 
@@ -309,7 +309,7 @@ public static class TileInventoryTests
         using var anonymous = new HttpClient { BaseAddress = baseAddress, Timeout = TimeSpan.FromSeconds(30) };
         var request = new TileInventoryRequest
         {
-            Tiles = new[] { new TileCoord { TileZoom = 18, TileX = 1, TileY = 1 } }
+            Tiles = new[] { new TileCoord { Z = 18, X = 1, Y = 1 } }
         };
 
         // Act
@@ -361,7 +361,7 @@ public static class TileInventoryTests
             {
                 var x = 100_000 + random.Next(0, 65_536);
                 var y = 100_000 + random.Next(0, 65_536);
-                coords[i] = new TileCoord { TileZoom = zoom, TileX = x, TileY = y };
+                coords[i] = new TileCoord { Z = zoom, X = x, Y = y };
                 var hash = Uuidv5.LocationHashForTile(zoom, x, y);
                 idP.Value = Guid.NewGuid();
                 zP.Value = zoom;
@@ -429,12 +429,12 @@ public static class TileInventoryTests
             VALUES (@id, @z, @x, @y, @lat, @lon, 200.0, 256, 'jpg', @fp, @src, @t, @t, @t, @flight, @loc)
             ON CONFLICT DO NOTHING;", conn);
         cmd.Parameters.AddWithValue("id", id);
-        cmd.Parameters.AddWithValue("z", coord.TileZoom);
+        cmd.Parameters.AddWithValue("z", coord.Z);
-        cmd.Parameters.AddWithValue("x", coord.TileX);
+        cmd.Parameters.AddWithValue("x", coord.X);
-        cmd.Parameters.AddWithValue("y", coord.TileY);
+        cmd.Parameters.AddWithValue("y", coord.Y);
-        cmd.Parameters.AddWithValue("lat", 60.0 + coord.TileX * 1e-9);
+        cmd.Parameters.AddWithValue("lat", 60.0 + coord.X * 1e-9);
-        cmd.Parameters.AddWithValue("lon", 30.0 + coord.TileY * 1e-9);
+        cmd.Parameters.AddWithValue("lon", 30.0 + coord.Y * 1e-9);
-        cmd.Parameters.AddWithValue("fp", $"tiles/seed/{coord.TileZoom}/{coord.TileX}/{coord.TileY}.jpg");
+        cmd.Parameters.AddWithValue("fp", $"tiles/seed/{coord.Z}/{coord.X}/{coord.Y}.jpg");
         cmd.Parameters.AddWithValue("src", source);
         // schema column is TIMESTAMP (no tz); Npgsql v6+ refuses to bind a
         // Kind=Utc DateTime into a plain timestamp column. Callers pass UTC

SatelliteProvider.IntegrationTests/TileInventoryValidationTests.cs

@@ -0,0 +1,395 @@
+using System.Net;
+using System.Net.Http.Json;
+using System.Text;
+using System.Text.Json;
+
+namespace SatelliteProvider.IntegrationTests;
+
+// AZ-796: end-to-end coverage for the inventory endpoint's strict input
+// validation. Each test exercises one rule from the validator (FluentValidation
+// for business rules, JsonSerializerOptions for wire-format rules) and asserts
+// the response body conforms to the RFC 7807 ValidationProblemDetails contract
+// in `_docs/02_document/contracts/api/error-shape.md` v1.0.0.
+public static class TileInventoryValidationTests
+{
+    private const string InventoryPath = "/api/satellite/tiles/inventory";
+
+    public static async Task RunAll(HttpClient httpClient)
+    {
+        RouteTestHelpers.PrintTestHeader("Test: Inventory endpoint strict validation (AZ-796)");
+
+        await HappyPath_Returns200(httpClient);
+
+        // Rule 1: body present
+        await EmptyBody_Returns400(httpClient);
+        // Rule 2: tiles required (one of tiles/locationHashes must be populated)
+        await NeitherPopulated_Returns400(httpClient);
+        await BothPopulated_Returns400(httpClient);
+        // Rule 3: tiles non-empty
+        await EmptyTilesArray_Returns400(httpClient);
+        // Rule 4: tiles max size
+        await TilesOverCap_Returns400(httpClient);
+        // Rule 5: each entry has z, x, y
+        await MissingZ_Returns400WithFieldPath(httpClient);
+        await MissingXAndY_Returns400(httpClient);
+        // Rule 6: non-negative integer fields
+        await NegativeAxis_Returns400(httpClient);
+        await TypeMismatch_Returns400(httpClient);
+        // Rule 7: z within supported zoom range
+        await ZoomOutOfRange_Returns400WithFieldPath(httpClient);
+        // Rule 8: x / y within tile-axis bounds
+        await XBeyondZoomBounds_Returns400(httpClient);
+        await YBeyondZoomBounds_Returns400(httpClient);
+        // Rule 9: unknown fields rejected
+        await UnknownRootField_Returns400(httpClient);
+        await UnknownNestedField_Returns400(httpClient);
+        await OldV1FieldName_Returns400(httpClient);
+
+        Console.WriteLine("✓ Inventory validation tests: PASSED");
+    }
+
+    private static async Task HappyPath_Returns200(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: well-formed request with z/x/y triple → HTTP 200");
+
+        // Arrange
+        const string body = """{"tiles":[{"z":18,"x":1,"y":1}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+
+        // Assert
+        if (response.StatusCode != HttpStatusCode.OK)
+        {
+            var errorBody = await response.Content.ReadAsStringAsync();
+            throw new Exception($"AZ-796 happy path: expected 200, got {(int)response.StatusCode}. Body: {errorBody}");
+        }
+
+        Console.WriteLine("  ✓ Valid {z, x, y} request returns HTTP 200");
+    }
+
+    private static async Task EmptyBody_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796 rule 1: empty body → HTTP 400");
+
+        // Arrange — POST with zero-byte body and JSON content type. The framework
+        // rejects the missing required body parameter before any handler/filter
+        // runs, so the response is basic RFC 7807 ProblemDetails with no `errors`
+        // map (vs. ValidationProblemDetails on field-level violations).
+        var content = new StringContent(string.Empty, Encoding.UTF8, "application/json");
+
+        // Act
+        var response = await httpClient.PostAsync(InventoryPath, content);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 empty body");
+
+        // Assert
+        ProblemDetailsAssertions.AssertProblemDetails(problem, expectedStatus: 400, label: "AZ-796 empty body");
+
+        Console.WriteLine("  ✓ Empty body rejected with HTTP 400 + ProblemDetails");
+    }
+
+    private static async Task NeitherPopulated_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796 rule 2: neither tiles nor locationHashes populated → HTTP 400");
+
+        // Arrange
+        const string body = """{}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 neither populated");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(
+            problem,
+            expectedStatus: 400,
+            label: "AZ-796 neither populated",
+            expectedErrorPath: "$");
+
+        Console.WriteLine("  ✓ Empty object rejected with errors[\"$\"] (XOR rule)");
+    }
+
+    private static async Task BothPopulated_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796 rule 2: both tiles and locationHashes populated → HTTP 400");
+
+        // Arrange
+        const string body = """{"tiles":[{"z":18,"x":1,"y":1}],"locationHashes":["00000000-0000-0000-0000-000000000000"]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 both populated");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(
+            problem,
+            expectedStatus: 400,
+            label: "AZ-796 both populated",
+            expectedErrorPath: "$");
+
+        Console.WriteLine("  ✓ Both populated rejected with errors[\"$\"] (XOR rule)");
+    }
+
+    private static async Task EmptyTilesArray_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796 rule 3: empty tiles array → HTTP 400");
+
+        // Arrange — XOR rule treats empty arrays as not-populated
+        const string body = """{"tiles":[]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 empty tiles array");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(
+            problem,
+            expectedStatus: 400,
+            label: "AZ-796 empty tiles array",
+            expectedErrorPath: "$");
+
+        Console.WriteLine("  ✓ Empty tiles array rejected with HTTP 400");
+    }
+
+    private static async Task TilesOverCap_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796 rule 4: > 5000 tile entries → HTTP 400");
+
+        // Arrange — TileInventoryLimits.MaxEntriesPerRequest is 5000
+        var sb = new StringBuilder();
+        sb.Append("""{"tiles":[""");
+        for (var i = 0; i < 5001; i++)
+        {
+            if (i > 0) sb.Append(',');
+            sb.Append("""{"z":18,"x":1,"y":1}""");
+        }
+        sb.Append("]}");
+
+        // Act
+        var response = await PostJsonAsync(httpClient, sb.ToString());
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 over cap");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(
+            problem,
+            expectedStatus: 400,
+            label: "AZ-796 over cap",
+            expectedErrorPath: "tiles");
+
+        Console.WriteLine("  ✓ 5001-entry tiles array rejected with errors[\"tiles\"]");
+    }
+
+    private static async Task MissingZ_Returns400WithFieldPath(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: missing `z` → HTTP 400 with structured errors map");
+
+        // Arrange — JsonRequired on TileCoord.Z catches this at the deserializer layer.
+        const string body = """{"tiles":[{"x":1,"y":1}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 missing z");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-796 missing z");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "z", label: "AZ-796 missing z");
+
+        Console.WriteLine("  ✓ Missing `z` rejected with errors map mentioning the field");
+    }
+
+    private static async Task MissingXAndY_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: missing `x` and `y` → HTTP 400");
+
+        // Arrange
+        const string body = """{"tiles":[{"z":18}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 missing x/y");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-796 missing x/y");
+
+        Console.WriteLine("  ✓ Missing `x` and `y` rejected with HTTP 400");
+    }
+
+    private static async Task ZoomOutOfRange_Returns400WithFieldPath(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: z out of slippy-map range → HTTP 400 with errors[\"tiles[0].z\"]");
+
+        // Arrange — z=30 is beyond the supported max of 22
+        const string body = """{"tiles":[{"z":30,"x":0,"y":0}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 z=30");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(
+            problem,
+            expectedStatus: 400,
+            label: "AZ-796 z=30",
+            expectedErrorPath: "tiles[0].z",
+            expectedErrorContains: "between 0 and 22");
+
+        Console.WriteLine("  ✓ z=30 rejected with errors[\"tiles[0].z\"] mentioning range");
+    }
+
+    private static async Task XBeyondZoomBounds_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: x ≥ 2^z → HTTP 400");
+
+        // Arrange — at z=2, valid x is 0..3; x=4 is invalid
+        const string body = """{"tiles":[{"z":2,"x":4,"y":0}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 x=4 z=2");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(
+            problem,
+            expectedStatus: 400,
+            label: "AZ-796 x=4 z=2",
+            expectedErrorPath: "tiles[0].x");
+
+        Console.WriteLine("  ✓ x=4 at z=2 rejected with errors[\"tiles[0].x\"]");
+    }
+
+    private static async Task YBeyondZoomBounds_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: y ≥ 2^z → HTTP 400");
+
+        // Arrange — at z=0, valid y is 0..0; y=1 is invalid
+        const string body = """{"tiles":[{"z":0,"x":0,"y":1}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 y=1 z=0");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(
+            problem,
+            expectedStatus: 400,
+            label: "AZ-796 y=1 z=0",
+            expectedErrorPath: "tiles[0].y");
+
+        Console.WriteLine("  ✓ y=1 at z=0 rejected with errors[\"tiles[0].y\"]");
+    }
+
+    private static async Task NegativeAxis_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: negative coordinate → HTTP 400");
+
+        // Arrange
+        const string body = """{"tiles":[{"z":18,"x":-1,"y":0}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 x=-1");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(
+            problem,
+            expectedStatus: 400,
+            label: "AZ-796 x=-1",
+            expectedErrorPath: "tiles[0].x");
+
+        Console.WriteLine("  ✓ x=-1 rejected with errors[\"tiles[0].x\"]");
+    }
+
+    private static async Task UnknownRootField_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: unknown root field → HTTP 400 (UnmappedMemberHandling.Disallow)");
+
+        // Arrange
+        const string body = """{"unknownField":42,"tiles":[{"z":18,"x":1,"y":1}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 unknown root field");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-796 unknown root field");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "unknownField", label: "AZ-796 unknown root field");
+
+        Console.WriteLine("  ✓ Unknown root field rejected; errors map names the field");
+    }
+
+    private static async Task UnknownNestedField_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: unknown nested field on tile entry → HTTP 400");
+
+        // Arrange
+        const string body = """{"tiles":[{"z":18,"x":1,"y":1,"foo":42}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 unknown nested field");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-796 unknown nested field");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "foo", label: "AZ-796 unknown nested field");
+
+        Console.WriteLine("  ✓ Unknown nested field rejected; errors map names the field");
+    }
+
+    private static async Task OldV1FieldName_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-794 + AZ-796: legacy `tileZoom`/`tileX`/`tileY` field name → HTTP 400");
+
+        // Arrange — exact AZ-777 Phase 1 reproduction; v1 callers must now fail explicitly
+        // instead of silently coercing to (0,0,0).
+        const string body = """{"tiles":[{"tileZoom":18,"tileX":1,"tileY":1}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-794 legacy field");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-794 legacy field");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "tileZoom", label: "AZ-794 legacy field");
+
+        Console.WriteLine("  ✓ Legacy v1.x field names rejected with explicit error (no silent coercion)");
+    }
+
+    private static async Task TypeMismatch_Returns400(HttpClient httpClient)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-796: type mismatch (string where integer expected) → HTTP 400");
+
+        // Arrange
+        const string body = """{"tiles":[{"z":"eighteen","x":1,"y":1}]}""";
+
+        // Act
+        var response = await PostJsonAsync(httpClient, body);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-796 type mismatch");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-796 type mismatch");
+
+        Console.WriteLine("  ✓ String-where-int rejected with HTTP 400");
+    }
+
+    private static Task<HttpResponseMessage> PostJsonAsync(HttpClient httpClient, string body)
+    {
+        var content = new StringContent(body, Encoding.UTF8, "application/json");
+        return httpClient.PostAsync(InventoryPath, content);
+    }
+}

SatelliteProvider.IntegrationTests/TileTests.cs

@@ -21,7 +21,7 @@ public static class TileTests
 
         Console.WriteLine($"Getting tile at coordinates ({latitude}, {longitude}) with zoom level {zoomLevel}");
 
-        var response = await httpClient.GetAsync($"/api/satellite/tiles/latlon?Latitude={latitude}&Longitude={longitude}&ZoomLevel={zoomLevel}");
+        var response = await httpClient.GetAsync($"/api/satellite/tiles/latlon?lat={latitude}&lon={longitude}&zoom={zoomLevel}");
 
         if (!response.IsSuccessStatusCode)
         {
@@ -74,7 +74,7 @@ public static class TileTests
         Console.WriteLine();
         Console.WriteLine("Testing tile reuse (getting same tile again)...");
 
-        var response2 = await httpClient.GetAsync($"/api/satellite/tiles/latlon?Latitude={latitude}&Longitude={longitude}&ZoomLevel={zoomLevel}");
+        var response2 = await httpClient.GetAsync($"/api/satellite/tiles/latlon?lat={latitude}&lon={longitude}&zoom={zoomLevel}");
 
         if (!response2.IsSuccessStatusCode)
         {

SatelliteProvider.IntegrationTests/UavUploadTests.cs

@@ -511,9 +511,14 @@ public static class UavUploadTests
     private static (double Latitude, double Longitude) NextTestCoordinate()
     {
         // Spread test coordinates far enough apart to fall into distinct tile cells
-        // so concurrent runs don't collide on the per-source unique index.
+        // so concurrent runs don't collide on the per-source unique index. Wrap on
+        // 40_000-cell axes so the result always stays strictly inside the
+        // OSM-valid ranges enforced by UavTileMetadataValidator (AZ-810):
+        // lat in [50.0, 70.0), lon in [10.0, 40.0).
         var n = Interlocked.Increment(ref _coordinateCounter);
-        return (60.0 + n * 0.0005, 30.0 + n * 0.0005);
+        var lat = 50.0 + ((uint)n % 40_000u) * 0.0005;
+        var lon = 10.0 + ((uint)n % 60_000u) * 0.0005;
+        return (lat, lon);
     }
 
     private static async Task<int> CountUavRowsAsync(string connectionString, double latitude, double longitude)

SatelliteProvider.IntegrationTests/UavUploadValidationTests.cs

@@ -0,0 +1,665 @@
+using System.Globalization;
+using System.Net;
+using System.Net.Http.Headers;
+using System.Security.Claims;
+using System.Text.Json;
+using SixLabors.ImageSharp;
+using SixLabors.ImageSharp.Formats.Jpeg;
+using SixLabors.ImageSharp.PixelFormats;
+
+namespace SatelliteProvider.IntegrationTests;
+
+// AZ-810: end-to-end coverage for POST /api/satellite/upload strict metadata
+// validation. Each test exercises one of the 14 rules listed in the AZ-810
+// task spec and asserts the response conforms to the RFC 7807
+// ValidationProblemDetails contract in
+// `_docs/02_document/contracts/api/error-shape.md` v1.0.0.
+//
+// The endpoint is multipart/form-data, so the validator wires in through the
+// custom `UavUploadValidationFilter` (NOT the generic `WithValidation<T>()`
+// filter that the JSON-body endpoints use). Three enforcement layers compose:
+//   1. UnmappedMemberHandling.Disallow + [JsonRequired] — the metadata JSON
+//      is deserialized inside the filter via the strict global
+//      `JsonSerializerOptions`; missing-required and unknown fields raise
+//      JsonException which the filter surfaces under `errors["metadata"]`.
+//   2. UavTileBatchMetadataPayloadValidator + UavTileMetadataValidator —
+//      FluentValidation rules on the deserialized payload (item count, per-
+//      item lat/lon/zoom/size/freshness). Errors are prefixed with
+//      `metadata.` so paths look like `errors["metadata.items[0].latitude"]`.
+//   3. Cross-field envelope rule (items.Count == files.Count) — runs after
+//      the per-payload validator; surfaces under `errors["metadata.items"]`
+//      AND `errors["files"]`.
+//
+// AC-9 (no regression in existing UavUploadTests) is enforced by leaving the
+// pre-AZ-810 happy path here as a separate scenario and by exercising the
+// existing AZ-488 suite unchanged from Program.Main.
+public static class UavUploadValidationTests
+{
+    private const string UploadPath = "/api/satellite/upload";
+    private const string GpsPermission = "GPS";
+    private const string PermissionsClaimType = "permissions";
+
+    public static async Task RunAll(string apiUrl, string secret)
+    {
+        RouteTestHelpers.PrintTestHeader("Test: POST /api/satellite/upload strict metadata validation (AZ-810)");
+
+        // AC-2: happy path unchanged (well-formed multipart envelope still 200).
+        await HappyPath_Returns200(apiUrl, secret);
+
+        // Rule 2: metadata form field absent
+        await MissingMetadataField_Returns400(apiUrl, secret);
+
+        // Rule 3: metadata JSON malformed
+        await MalformedMetadataJson_Returns400(apiUrl, secret);
+
+        // Rule 4: items missing (empty)
+        await EmptyItems_Returns400(apiUrl, secret);
+
+        // Rule 5: items count > MaxBatchSize
+        await ItemsOverCap_Returns400(apiUrl, secret);
+
+        // Rule 6: items.Count != files.Count
+        await ItemsFilesMismatch_Returns400(apiUrl, secret);
+
+        // Rule 7: per-item lat out of range
+        await ItemLatOutOfRange_Returns400(apiUrl, secret);
+
+        // Rule 8: per-item lon out of range
+        await ItemLonOutOfRange_Returns400(apiUrl, secret);
+
+        // Rule 9: per-item tileZoom out of range
+        await ItemTileZoomOutOfRange_Returns400(apiUrl, secret);
+
+        // Rule 10: per-item tileSizeMeters <= 0
+        await ItemTileSizeMetersNonPositive_Returns400(apiUrl, secret);
+
+        // Rule 11a: capturedAt too far in the future
+        await ItemCapturedAtFuture_Returns400(apiUrl, secret);
+
+        // Rule 11b: capturedAt older than MaxAgeDays
+        await ItemCapturedAtTooOld_Returns400(apiUrl, secret);
+
+        // Rule 12: malformed flightId UUID (deserializer JsonException path)
+        await ItemFlightIdMalformed_Returns400(apiUrl, secret);
+
+        // Rule 13: unknown field at the root of metadata
+        await UnknownRootField_Returns400(apiUrl, secret);
+
+        // Rule 13b: unknown field nested under items[i]
+        await UnknownNestedField_Returns400(apiUrl, secret);
+
+        // Rule 14: type mismatch (lat as string)
+        await ItemLatTypeMismatch_Returns400(apiUrl, secret);
+
+        Console.WriteLine("✓ UAV upload metadata validation tests: PASSED");
+    }
+
+    private static async Task HappyPath_Returns200(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 AC-2: well-formed metadata + 1 valid file → HTTP 200");
+
+        // Arrange
+        var coord = NextTestCoordinate();
+        var metadata = new
+        {
+            items = new[]
+            {
+                new
+                {
+                    latitude = coord.Latitude,
+                    longitude = coord.Longitude,
+                    tileZoom = 18,
+                    tileSizeMeters = 200.0,
+                    capturedAt = DateTime.UtcNow.ToString("o"),
+                },
+            },
+        };
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+
+        // Act
+        var response = await PostBatch(client, metadata, new[] { CreateValidJpeg() });
+
+        // Assert
+        await EnsureStatus(response, HttpStatusCode.OK, "AZ-810 AC-2 happy path");
+        Console.WriteLine("  ✓ Well-formed multipart envelope accepted with HTTP 200");
+    }
+
+    private static async Task MissingMetadataField_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 2: missing `metadata` form field → HTTP 400");
+
+        // Arrange — multipart body with only the `files` part, no `metadata`.
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+        using var content = new MultipartFormDataContent();
+        var file = new ByteArrayContent(CreateValidJpeg());
+        file.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
+        content.Add(file, "files", "tile_0.jpg");
+
+        // Act
+        using var response = await client.PostAsync(UploadPath, content);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 missing metadata");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 missing metadata");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "metadata", label: "AZ-810 missing metadata");
+
+        Console.WriteLine("  ✓ Missing `metadata` form field rejected with HTTP 400");
+    }
+
+    private static async Task MalformedMetadataJson_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 3: malformed metadata JSON → HTTP 400");
+
+        // Arrange — unterminated JSON object.
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+        const string brokenJson = "{\"items\": [{ \"latitude\": 50.10, \"longitude\": 36.10";
+        using var content = new MultipartFormDataContent
+        {
+            { new StringContent(brokenJson), "metadata" },
+        };
+        var file = new ByteArrayContent(CreateValidJpeg());
+        file.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
+        content.Add(file, "files", "tile_0.jpg");
+
+        // Act
+        using var response = await client.PostAsync(UploadPath, content);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 malformed JSON");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 malformed JSON");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "metadata", label: "AZ-810 malformed JSON");
+
+        Console.WriteLine("  ✓ Malformed metadata JSON rejected with errors[\"metadata\"]");
+    }
+
+    private static async Task EmptyItems_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 4: empty `items` → HTTP 400");
+
+        // Arrange — well-formed JSON, but items: [] tripping FluentValidation.
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+        var metadata = new { items = Array.Empty<object>() };
+
+        // Act — no files either; the items rule fires before the count-mismatch rule.
+        using var response = await PostBatch(client, metadata, Array.Empty<byte[]>());
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 empty items");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 empty items");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "items", label: "AZ-810 empty items");
+
+        Console.WriteLine("  ✓ Empty items rejected with errors mention of `items`");
+    }
+
+    private static async Task ItemsOverCap_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 5: items.Count > MaxBatchSize → HTTP 400 from validator");
+
+        // Arrange — 101 metadata entries + 101 tiny placeholders so this exercises
+        // the AZ-810 validator path specifically (the count-mismatch rule does not
+        // fire because items.Count == files.Count).
+        const int oversize = 101;
+        var baseCoord = NextTestCoordinate();
+        var metadata = new
+        {
+            items = Enumerable.Range(0, oversize).Select(i => new
+            {
+                latitude = baseCoord.Latitude + i * 0.0001,
+                longitude = baseCoord.Longitude,
+                tileZoom = 18,
+                tileSizeMeters = 200.0,
+                capturedAt = DateTime.UtcNow.ToString("o"),
+            }).ToArray(),
+        };
+        var placeholder = new byte[] { 0xFF, 0xD8, 0xFF, 0xD9 };
+        var files = Enumerable.Range(0, oversize).Select(_ => placeholder).ToArray();
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+
+        // Act
+        using var response = await PostBatch(client, metadata, files);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 items over cap");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 items over cap");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "items", label: "AZ-810 items over cap");
+
+        Console.WriteLine("  ✓ items.Count=101 (> 100 cap) rejected with errors mention of `items`");
+    }
+
+    private static async Task ItemsFilesMismatch_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 6: items.Count != files.Count → HTTP 400");
+
+        // Arrange — 2 metadata items but only 1 file.
+        var c1 = NextTestCoordinate();
+        var c2 = NextTestCoordinate();
+        var metadata = new
+        {
+            items = new[]
+            {
+                new { latitude = c1.Latitude, longitude = c1.Longitude, tileZoom = 18, tileSizeMeters = 200.0, capturedAt = DateTime.UtcNow.ToString("o") },
+                new { latitude = c2.Latitude, longitude = c2.Longitude, tileZoom = 18, tileSizeMeters = 200.0, capturedAt = DateTime.UtcNow.ToString("o") },
+            },
+        };
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+
+        // Act
+        using var response = await PostBatch(client, metadata, new[] { CreateValidJpeg() });
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 items/files mismatch");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 items/files mismatch");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "items", label: "AZ-810 items/files mismatch");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "files", label: "AZ-810 items/files mismatch");
+
+        Console.WriteLine("  ✓ items.Count=2 / files.Count=1 rejected with both `items` and `files` mentioned");
+    }
+
+    private static async Task ItemLatOutOfRange_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 7: per-item latitude out of range → HTTP 400 (errors[metadata.items[i].latitude])");
+
+        // Arrange — second item has lat = 91.0 (above the +90 bound).
+        var coord = NextTestCoordinate();
+        var metadata = new
+        {
+            items = new[]
+            {
+                new { latitude = coord.Latitude, longitude = coord.Longitude, tileZoom = 18, tileSizeMeters = 200.0, capturedAt = DateTime.UtcNow.ToString("o") },
+                new { latitude = 91.0,           longitude = coord.Longitude, tileZoom = 18, tileSizeMeters = 200.0, capturedAt = DateTime.UtcNow.ToString("o") },
+            },
+        };
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+
+        // Act
+        using var response = await PostBatch(client, metadata, new[] { CreateValidJpeg(), CreateValidJpeg(seed: 2) });
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 item lat out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 item lat out of range");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "items[1].latitude", label: "AZ-810 item lat out of range");
+
+        Console.WriteLine("  ✓ items[1].latitude=91.0 rejected with indexed errors path");
+    }
+
+    private static async Task ItemLonOutOfRange_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 8: per-item longitude out of range → HTTP 400 (errors[metadata.items[i].longitude])");
+
+        // Arrange
+        var coord = NextTestCoordinate();
+        var metadata = new
+        {
+            items = new[]
+            {
+                new { latitude = coord.Latitude, longitude = 181.0, tileZoom = 18, tileSizeMeters = 200.0, capturedAt = DateTime.UtcNow.ToString("o") },
+            },
+        };
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+
+        // Act
+        using var response = await PostBatch(client, metadata, new[] { CreateValidJpeg() });
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 item lon out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 item lon out of range");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "items[0].longitude", label: "AZ-810 item lon out of range");
+
+        Console.WriteLine("  ✓ items[0].longitude=181 rejected with indexed errors path");
+    }
+
+    private static async Task ItemTileZoomOutOfRange_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 9: per-item tileZoom out of range → HTTP 400");
+
+        // Arrange — zoom = 30 (above the 22 cap).
+        var coord = NextTestCoordinate();
+        var metadata = new
+        {
+            items = new[]
+            {
+                new { latitude = coord.Latitude, longitude = coord.Longitude, tileZoom = 30, tileSizeMeters = 200.0, capturedAt = DateTime.UtcNow.ToString("o") },
+            },
+        };
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+
+        // Act
+        using var response = await PostBatch(client, metadata, new[] { CreateValidJpeg() });
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 item tileZoom out of range");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 item tileZoom out of range");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "items[0].tileZoom", label: "AZ-810 item tileZoom out of range");
+
+        Console.WriteLine("  ✓ items[0].tileZoom=30 rejected with indexed errors path");
+    }
+
+    private static async Task ItemTileSizeMetersNonPositive_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 10: per-item tileSizeMeters <= 0 → HTTP 400");
+
+        // Arrange
+        var coord = NextTestCoordinate();
+        var metadata = new
+        {
+            items = new[]
+            {
+                new { latitude = coord.Latitude, longitude = coord.Longitude, tileZoom = 18, tileSizeMeters = 0.0, capturedAt = DateTime.UtcNow.ToString("o") },
+            },
+        };
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+
+        // Act
+        using var response = await PostBatch(client, metadata, new[] { CreateValidJpeg() });
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 item tileSizeMeters non-positive");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 item tileSizeMeters non-positive");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "items[0].tileSizeMeters", label: "AZ-810 item tileSizeMeters non-positive");
+
+        Console.WriteLine("  ✓ items[0].tileSizeMeters=0.0 rejected with indexed errors path");
+    }
+
+    private static async Task ItemCapturedAtFuture_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 11a: per-item capturedAt > now + CapturedAtFutureSkewSeconds → HTTP 400");
+
+        // Arrange — 1 hour in the future (default skew is 30s).
+        var coord = NextTestCoordinate();
+        var metadata = new
+        {
+            items = new[]
+            {
+                new { latitude = coord.Latitude, longitude = coord.Longitude, tileZoom = 18, tileSizeMeters = 200.0, capturedAt = DateTime.UtcNow.AddHours(1).ToString("o") },
+            },
+        };
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+
+        // Act
+        using var response = await PostBatch(client, metadata, new[] { CreateValidJpeg() });
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 item capturedAt future");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 item capturedAt future");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "items[0].capturedAt", label: "AZ-810 item capturedAt future");
+
+        Console.WriteLine("  ✓ items[0].capturedAt = now+1h rejected with indexed errors path");
+    }
+
+    private static async Task ItemCapturedAtTooOld_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 11b: per-item capturedAt older than MaxAgeDays → HTTP 400");
+
+        // Arrange — 60 days old (default MaxAgeDays is 7).
+        var coord = NextTestCoordinate();
+        var metadata = new
+        {
+            items = new[]
+            {
+                new { latitude = coord.Latitude, longitude = coord.Longitude, tileZoom = 18, tileSizeMeters = 200.0, capturedAt = DateTime.UtcNow.AddDays(-60).ToString("o") },
+            },
+        };
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+
+        // Act
+        using var response = await PostBatch(client, metadata, new[] { CreateValidJpeg() });
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 item capturedAt too old");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 item capturedAt too old");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "items[0].capturedAt", label: "AZ-810 item capturedAt too old");
+
+        Console.WriteLine("  ✓ items[0].capturedAt = now-60d rejected with indexed errors path");
+    }
+
+    private static async Task ItemFlightIdMalformed_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 12: malformed flightId → HTTP 400 (JsonException at deserializer)");
+
+        // Arrange — flightId is a non-UUID string. System.Text.Json rejects this at
+        // the deserializer; the filter catches the JsonException and surfaces it as
+        // errors["metadata"].
+        var coord = NextTestCoordinate();
+        var metadataJson = string.Create(CultureInfo.InvariantCulture, $$$"""
+            {
+              "items": [
+                {
+                  "latitude": {{{coord.Latitude}}},
+                  "longitude": {{{coord.Longitude}}},
+                  "tileZoom": 18,
+                  "tileSizeMeters": 200.0,
+                  "capturedAt": "{{{DateTime.UtcNow.ToString("o")}}}",
+                  "flightId": "not-a-uuid"
+                }
+              ]
+            }
+            """);
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+        using var content = new MultipartFormDataContent
+        {
+            { new StringContent(metadataJson), "metadata" },
+        };
+        var file = new ByteArrayContent(CreateValidJpeg());
+        file.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
+        content.Add(file, "files", "tile_0.jpg");
+
+        // Act
+        using var response = await client.PostAsync(UploadPath, content);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 flightId malformed");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 flightId malformed");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "metadata", label: "AZ-810 flightId malformed");
+
+        Console.WriteLine("  ✓ flightId=\"not-a-uuid\" rejected with errors[\"metadata\"]");
+    }
+
+    private static async Task UnknownRootField_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 13: unknown root field in metadata → HTTP 400 (UnmappedMemberHandling.Disallow)");
+
+        // Arrange — `debug` is not a member of UavTileBatchMetadataPayload.
+        var coord = NextTestCoordinate();
+        var metadataJson = string.Create(CultureInfo.InvariantCulture, $$$"""
+            {
+              "items": [
+                {
+                  "latitude": {{{coord.Latitude}}},
+                  "longitude": {{{coord.Longitude}}},
+                  "tileZoom": 18,
+                  "tileSizeMeters": 200.0,
+                  "capturedAt": "{{{DateTime.UtcNow.ToString("o")}}}"
+                }
+              ],
+              "debug": "fingerprint-probe"
+            }
+            """);
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+        using var content = new MultipartFormDataContent
+        {
+            { new StringContent(metadataJson), "metadata" },
+        };
+        var file = new ByteArrayContent(CreateValidJpeg());
+        file.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
+        content.Add(file, "files", "tile_0.jpg");
+
+        // Act
+        using var response = await client.PostAsync(UploadPath, content);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 unknown root field");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 unknown root field");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "metadata", label: "AZ-810 unknown root field");
+
+        Console.WriteLine("  ✓ Unknown root field `debug` rejected with errors[\"metadata\"]");
+    }
+
+    private static async Task UnknownNestedField_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 13b: unknown nested field under items[i] → HTTP 400");
+
+        // Arrange — `altitude` is not a member of UavTileMetadata.
+        var coord = NextTestCoordinate();
+        var metadataJson = string.Create(CultureInfo.InvariantCulture, $$$"""
+            {
+              "items": [
+                {
+                  "latitude": {{{coord.Latitude}}},
+                  "longitude": {{{coord.Longitude}}},
+                  "tileZoom": 18,
+                  "tileSizeMeters": 200.0,
+                  "capturedAt": "{{{DateTime.UtcNow.ToString("o")}}}",
+                  "altitude": 500.0
+                }
+              ]
+            }
+            """);
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+        using var content = new MultipartFormDataContent
+        {
+            { new StringContent(metadataJson), "metadata" },
+        };
+        var file = new ByteArrayContent(CreateValidJpeg());
+        file.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
+        content.Add(file, "files", "tile_0.jpg");
+
+        // Act
+        using var response = await client.PostAsync(UploadPath, content);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 unknown nested field");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 unknown nested field");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "metadata", label: "AZ-810 unknown nested field");
+
+        Console.WriteLine("  ✓ Unknown nested field `altitude` rejected with errors[\"metadata\"]");
+    }
+
+    private static async Task ItemLatTypeMismatch_Returns400(string apiUrl, string secret)
+    {
+        Console.WriteLine();
+        Console.WriteLine("AZ-810 rule 14: nested type mismatch (`items[0].latitude` as string) → HTTP 400");
+
+        // Arrange
+        var coord = NextTestCoordinate();
+        var metadataJson = string.Create(CultureInfo.InvariantCulture, $$$"""
+            {
+              "items": [
+                {
+                  "latitude": "fifty",
+                  "longitude": {{{coord.Longitude}}},
+                  "tileZoom": 18,
+                  "tileSizeMeters": 200.0,
+                  "capturedAt": "{{{DateTime.UtcNow.ToString("o")}}}"
+                }
+              ]
+            }
+            """);
+        using var client = CreateClientWithGpsToken(apiUrl, secret);
+        using var content = new MultipartFormDataContent
+        {
+            { new StringContent(metadataJson), "metadata" },
+        };
+        var file = new ByteArrayContent(CreateValidJpeg());
+        file.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
+        content.Add(file, "files", "tile_0.jpg");
+
+        // Act
+        using var response = await client.PostAsync(UploadPath, content);
+        var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-810 lat type mismatch");
+
+        // Assert
+        ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-810 lat type mismatch");
+        ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "metadata", label: "AZ-810 lat type mismatch");
+
+        Console.WriteLine("  ✓ items[0].latitude=\"fifty\" rejected with errors[\"metadata\"]");
+    }
+
+    private static HttpClient CreateClientWithGpsToken(string apiUrl, string secret)
+    {
+        var client = new HttpClient { BaseAddress = new Uri(apiUrl), Timeout = TimeSpan.FromMinutes(1) };
+        var token = JwtTestHelpers.MintAuthenticated(secret, extraClaims: new[] { new Claim(PermissionsClaimType, GpsPermission) });
+        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        return client;
+    }
+
+    private static async Task<HttpResponseMessage> PostBatch(HttpClient client, object metadata, IReadOnlyList<byte[]> files)
+    {
+        using var content = new MultipartFormDataContent
+        {
+            { new StringContent(JsonSerializer.Serialize(metadata)), "metadata" },
+        };
+        for (var i = 0; i < files.Count; i++)
+        {
+            var item = new ByteArrayContent(files[i]);
+            item.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
+            content.Add(item, "files", $"tile_{i}.jpg");
+        }
+
+        return await client.PostAsync(UploadPath, content);
+    }
+
+    private static async Task EnsureStatus(HttpResponseMessage response, HttpStatusCode expected, string label)
+    {
+        if (response.StatusCode != expected)
+        {
+            var body = await response.Content.ReadAsStringAsync();
+            throw new Exception($"{label}: expected HTTP {(int)expected}, got HTTP {(int)response.StatusCode}. Body: {body}");
+        }
+    }
+
+    private static byte[] CreateValidJpeg(int width = 256, int height = 256, int seed = 42)
+    {
+        using var image = new Image<Rgba32>(width, height);
+        var random = new Random(seed);
+        image.ProcessPixelRows(accessor =>
+        {
+            for (var y = 0; y < accessor.Height; y++)
+            {
+                var row = accessor.GetRowSpan(y);
+                for (var x = 0; x < row.Length; x++)
+                {
+                    row[x] = new Rgba32(
+                        (byte)random.Next(256),
+                        (byte)random.Next(256),
+                        (byte)random.Next(256));
+                }
+            }
+        });
+
+        using var stream = new MemoryStream();
+        image.Save(stream, new JpegEncoder { Quality = 95 });
+        return stream.ToArray();
+    }
+
+    // Use a southern-hemisphere range that does NOT overlap UavUploadTests'
+    // northern range ([50,70) x [10,40)). Non-overlap (not counter offset) is
+    // what guarantees the AZ-488 and AZ-810 suites don't collide on the
+    // per-source UNIQUE index when both run against the same DB. Wrap on
+    // 40_000-cell axes so the result always stays strictly inside the
+    // OSM-valid ranges enforced by UavTileMetadataValidator:
+    // lat in [-70.0, -50.0), lon in [-40.0, -10.0).
+    private static int _coordinateCounter = (int)((DateTime.UtcNow.Ticks / TimeSpan.TicksPerSecond) % 1_000_000);
+
+    private static (double Latitude, double Longitude) NextTestCoordinate()
+    {
+        var n = Interlocked.Increment(ref _coordinateCounter);
+        var lat = -50.0 - ((uint)n % 40_000u) * 0.0005;
+        var lon = -10.0 - ((uint)n % 60_000u) * 0.0005;
+        return (lat, lon);
+    }
+}

SatelliteProvider.Services.TileDownloader/TileService.cs

@@ -173,8 +173,8 @@ public class TileService : ITileService
         {
             foreach (var coord in tiles!)
             {
-                var hash = Uuidv5.LocationHashForTile(coord.TileZoom, coord.TileX, coord.TileY);
+                var hash = Uuidv5.LocationHashForTile(coord.Z, coord.X, coord.Y);
-                entries.Add((coord.TileZoom, coord.TileX, coord.TileY, hash));
+                entries.Add((coord.Z, coord.X, coord.Y, hash));
             }
         }
         else
@@ -195,9 +195,9 @@ public class TileService : ITileService
             {
                 results.Add(new TileInventoryEntry
                 {
-                    TileZoom = hasTiles ? zoom : tile.TileZoom,
+                    Z = hasTiles ? zoom : tile.TileZoom,
-                    TileX = hasTiles ? x : tile.TileX,
+                    X = hasTiles ? x : tile.TileX,
-                    TileY = hasTiles ? y : tile.TileY,
+                    Y = hasTiles ? y : tile.TileY,
                     LocationHash = hash,
                     Present = true,
                     Id = tile.Id,
@@ -211,9 +211,9 @@ public class TileService : ITileService
             {
                 results.Add(new TileInventoryEntry
                 {
-                    TileZoom = zoom,
+                    Z = zoom,
-                    TileX = x,
+                    X = x,
-                    TileY = y,
+                    Y = y,
                     LocationHash = hash,
                     Present = false
                 });

SatelliteProvider.Tests/GlobalExceptionHandlerTests.cs

@@ -72,6 +72,45 @@ public class GlobalExceptionHandlerTests
             "BadHttpRequestException is a client error and must not be ERROR-logged as a server failure");
     }
 
+    [Fact]
+    public async Task TryHandleAsync_DeserializationFailure_WritesValidationProblemDetailsWithJsonPath_AZ795()
+    {
+        // Arrange
+        var loggerMock = new Mock<ILogger<GlobalExceptionHandler>>();
+        var handler = new GlobalExceptionHandler(loggerMock.Object);
+        var httpContext = new DefaultHttpContext { TraceIdentifier = "trace-AZ795" };
+        httpContext.Response.Body = new MemoryStream();
+        var jsonInner = new JsonException(
+            "The JSON property 'foo' could not be mapped to any .NET member contained in type 'TileInventoryRequest'.",
+            "$.tiles[0].foo",
+            lineNumber: null,
+            bytePositionInLine: null);
+        var bindFailure = new BadHttpRequestException(
+            "Failed to read parameter \"TileInventoryRequest request\" from request body.",
+            StatusCodes.Status400BadRequest,
+            jsonInner);
+
+        // Act
+        var handled = await handler.TryHandleAsync(httpContext, bindFailure, CancellationToken.None);
+
+        // Assert
+        handled.Should().BeTrue();
+        httpContext.Response.StatusCode.Should().Be(StatusCodes.Status400BadRequest);
+        httpContext.Response.ContentType.Should().Contain("application/problem+json");
+
+        httpContext.Response.Body.Position = 0;
+        using var doc = JsonDocument.Parse(httpContext.Response.Body);
+        var root = doc.RootElement;
+
+        root.GetProperty("status").GetInt32().Should().Be(400);
+        root.GetProperty("title").GetString().Should().Be("One or more validation errors occurred.");
+        root.GetProperty("type").GetString().Should().Be("https://tools.ietf.org/html/rfc7231#section-6.5.1");
+        root.GetProperty("errors")
+            .GetProperty("tiles[0].foo")[0]
+            .GetString()
+            .Should().Contain("could not be mapped");
+    }
+
     [Fact]
     public async Task TryHandleAsync_LogsFullExceptionWithCorrelationId_AC2()
     {

SatelliteProvider.Tests/TestSupport/ValidatorTestModuleInitializer.cs

@@ -0,0 +1,16 @@
+using System.Runtime.CompilerServices;
+using SatelliteProvider.Api.Validators;
+
+namespace SatelliteProvider.Tests.TestSupport;
+
+internal static class ValidatorTestModuleInitializer
+{
+    // ModuleInitializer (.NET 5+) runs once per assembly load. We piggy-back the
+    // production GlobalValidatorConfig.ApplyOnce() so unit tests assert against
+    // the same FluentValidation property-name casing the live API produces.
+    [ModuleInitializer]
+    public static void Initialize()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+    }
+}

SatelliteProvider.Tests/Validators/CreateRouteRequestValidatorTests.cs

@@ -0,0 +1,309 @@
+using FluentValidation.TestHelper;
+using SatelliteProvider.Api.Validators;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-809: unit tests for CreateRouteRequestValidator. Each RuleFor /
+// RuleForEach in the root validator has at least one passing case + one
+// failing case. Required-field detection lives at the deserializer layer
+// ([JsonRequired] + UnmappedMemberHandling.Disallow), covered separately
+// at the integration layer in CreateRouteValidationTests.
+public class CreateRouteRequestValidatorTests
+{
+    private readonly CreateRouteRequestValidator _validator;
+
+    public CreateRouteRequestValidatorTests()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+        _validator = new CreateRouteRequestValidator();
+    }
+
+    private static CreateRouteRequest ValidRequest()
+    {
+        return new CreateRouteRequest
+        {
+            Id = Guid.NewGuid(),
+            Name = "derkachi-flight-1",
+            Description = "AZ-777 Phase 2 seed route",
+            RegionSizeMeters = 1000.0,
+            ZoomLevel = 18,
+            Points = new List<RoutePoint>
+            {
+                new() { Latitude = 50.10, Longitude = 36.10 },
+                new() { Latitude = 50.11, Longitude = 36.11 },
+            },
+            RequestMaps = true,
+            CreateTilesZip = false,
+        };
+    }
+
+    [Fact]
+    public void Validate_AllValid_Passes()
+    {
+        // Arrange
+        var request = ValidRequest();
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_IdEmpty_FailsNotEmptyRule()
+    {
+        // Arrange — reproduces the 2026-05-22 probe finding (silent zero-Guid).
+        var request = ValidRequest();
+        request.Id = Guid.Empty;
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("id")
+            .WithErrorMessage("`id` must be a non-zero GUID (the caller's idempotency key).");
+    }
+
+    [Theory]
+    [InlineData("")]
+    [InlineData("   ")]
+    public void Validate_NameMissing_FailsNotEmptyRule(string name)
+    {
+        // Arrange
+        var request = ValidRequest();
+        request.Name = name;
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("name");
+    }
+
+    [Fact]
+    public void Validate_NameTooLong_FailsLengthRule()
+    {
+        // Arrange — name length 201 (cap is 200).
+        var request = ValidRequest();
+        request.Name = new string('a', 201);
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("name");
+    }
+
+    [Fact]
+    public void Validate_DescriptionTooLong_FailsLengthRule()
+    {
+        // Arrange — description length 1001 (cap is 1000).
+        var request = ValidRequest();
+        request.Description = new string('d', 1001);
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("description");
+    }
+
+    [Theory]
+    [InlineData(99.999)]
+    [InlineData(0.0)]
+    [InlineData(10000.001)]
+    [InlineData(100000.0)]
+    public void Validate_RegionSizeMetersOutOfRange_FailsRangeRule(double size)
+    {
+        // Arrange
+        var request = ValidRequest();
+        request.RegionSizeMeters = size;
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("regionSizeMeters");
+    }
+
+    [Theory]
+    [InlineData(-1)]
+    [InlineData(23)]
+    [InlineData(100)]
+    public void Validate_ZoomLevelOutOfRange_FailsRangeRule(int zoom)
+    {
+        // Arrange
+        var request = ValidRequest();
+        request.ZoomLevel = zoom;
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("zoomLevel");
+    }
+
+    [Fact]
+    public void Validate_PointsTooFew_FailsCountRule()
+    {
+        // Arrange — only 1 point; min is 2 (Flow F4 precondition).
+        var request = ValidRequest();
+        request.Points = new List<RoutePoint>
+        {
+            new() { Latitude = 50.10, Longitude = 36.10 },
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("points");
+    }
+
+    [Fact]
+    public void Validate_PointsTooMany_FailsCountRule()
+    {
+        // Arrange — 501 points; max is 500.
+        var request = ValidRequest();
+        request.Points = Enumerable
+            .Range(0, 501)
+            .Select(_ => new RoutePoint { Latitude = 50.10, Longitude = 36.10 })
+            .ToList();
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("points");
+    }
+
+    [Fact]
+    public void Validate_PointLatOutOfRange_FailsChildRule()
+    {
+        // Arrange — second point's lat is out of range
+        var request = ValidRequest();
+        request.Points[1].Latitude = 91.0;
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("points[1].lat");
+    }
+
+    [Fact]
+    public void Validate_PointLonOutOfRange_FailsChildRule()
+    {
+        // Arrange — second point's lon is out of range
+        var request = ValidRequest();
+        request.Points[1].Longitude = 181.0;
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("points[1].lon");
+    }
+
+    [Fact]
+    public void Validate_GeofencePolygonNwSwapped_FailsChildInvariant()
+    {
+        // Arrange — NW.Lat <= SE.Lat (NW not north-of SE)
+        var request = ValidRequest();
+        request.Geofences = new Geofences
+        {
+            Polygons = new List<GeofencePolygon>
+            {
+                new()
+                {
+                    NorthWest = new GeoPoint(50.05, 36.05),
+                    SouthEast = new GeoPoint(50.05, 36.15),
+                }
+            }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert — the GeofencePolygonValidator child-validator's `.WithName("northWest")`
+        // is prefixed with the RuleForEach path which we OverridePropertyName to
+        // "geofences.polygons", producing the full wire path
+        // `geofences.polygons[0].northWest`.
+        result.ShouldHaveValidationErrorFor("geofences.polygons[0].northWest");
+    }
+
+    [Fact]
+    public void Validate_GeofencesPresentButEmpty_FailsNotEmptyRule()
+    {
+        // Arrange — geofences object exists, polygons list is empty
+        var request = ValidRequest();
+        request.Geofences = new Geofences { Polygons = new List<GeofencePolygon>() };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert — OverridePropertyName makes the empty-list rule fire at the
+        // wire-format path `geofences.polygons` instead of the leaf-only `polygons`.
+        result.ShouldHaveValidationErrorFor("geofences.polygons");
+    }
+
+    [Fact]
+    public void Validate_GeofencePolygonsTooMany_FailsCountRule()
+    {
+        // Arrange — 51 polygons; cap is 50 (security-audit F-AZ809-1 fix).
+        // Each polygon is a valid bbox so only the count rule should fire.
+        var request = ValidRequest();
+        request.Geofences = new Geofences
+        {
+            Polygons = Enumerable
+                .Range(0, 51)
+                .Select(_ => new GeofencePolygon
+                {
+                    NorthWest = new GeoPoint(50.15, 36.05),
+                    SouthEast = new GeoPoint(50.05, 36.15),
+                })
+                .ToList(),
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert — OverridePropertyName makes the count rule fire at the
+        // wire-format path `geofences.polygons` (not the leaf-only `polygons`).
+        result.ShouldHaveValidationErrorFor("geofences.polygons")
+            .WithErrorMessage("`geofences.polygons` must contain at most 50 polygons.");
+    }
+
+    [Fact]
+    public void Validate_CreateTilesZipWithoutRequestMaps_FailsCrossFieldRule()
+    {
+        // Arrange — cannot zip what wasn't downloaded
+        var request = ValidRequest();
+        request.RequestMaps = false;
+        request.CreateTilesZip = true;
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("createTilesZip")
+            .WithErrorMessage("`createTilesZip` requires `requestMaps` to be true (can't zip what wasn't downloaded).");
+    }
+
+    [Fact]
+    public void Validate_CreateTilesZipWithRequestMaps_Passes()
+    {
+        // Arrange — both true is valid
+        var request = ValidRequest();
+        request.RequestMaps = true;
+        request.CreateTilesZip = true;
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("createTilesZip");
+    }
+}

SatelliteProvider.Tests/Validators/GeofencePolygonValidatorTests.cs

@@ -0,0 +1,132 @@
+using FluentValidation.TestHelper;
+using SatelliteProvider.Api.Validators;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-809: unit tests for GeofencePolygonValidator. Covers (a) presence of
+// both corners, (b) range checks per corner, and (c) the cross-field
+// invariant `NW north-of SE` AND `NW west-of SE`.
+public class GeofencePolygonValidatorTests
+{
+    private readonly GeofencePolygonValidator _validator;
+
+    public GeofencePolygonValidatorTests()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+        _validator = new GeofencePolygonValidator();
+    }
+
+    private static GeofencePolygon ValidPolygon() => new()
+    {
+        NorthWest = new GeoPoint(50.15, 36.05),
+        SouthEast = new GeoPoint(50.05, 36.15),
+    };
+
+    [Fact]
+    public void Validate_AllValid_Passes()
+    {
+        // Arrange
+        var polygon = ValidPolygon();
+
+        // Act
+        var result = _validator.TestValidate(polygon);
+
+        // Assert
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_NorthWestNull_FailsNotNullRule()
+    {
+        // Arrange
+        var polygon = ValidPolygon();
+        polygon.NorthWest = null;
+
+        // Act
+        var result = _validator.TestValidate(polygon);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("northWest")
+            .WithErrorMessage("`northWest` corner is required.");
+    }
+
+    [Fact]
+    public void Validate_SouthEastNull_FailsNotNullRule()
+    {
+        // Arrange
+        var polygon = ValidPolygon();
+        polygon.SouthEast = null;
+
+        // Act
+        var result = _validator.TestValidate(polygon);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("southEast")
+            .WithErrorMessage("`southEast` corner is required.");
+    }
+
+    [Theory]
+    [InlineData(-90.001)]
+    [InlineData(90.001)]
+    public void Validate_NorthWestLatOutOfRange_FailsRangeRule(double lat)
+    {
+        // Arrange
+        var polygon = ValidPolygon();
+        polygon.NorthWest = new GeoPoint(lat, 36.05);
+
+        // Act
+        var result = _validator.TestValidate(polygon);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("northWest.lat");
+    }
+
+    [Theory]
+    [InlineData(-180.001)]
+    [InlineData(180.001)]
+    public void Validate_SouthEastLonOutOfRange_FailsRangeRule(double lon)
+    {
+        // Arrange
+        var polygon = ValidPolygon();
+        polygon.SouthEast = new GeoPoint(50.05, lon);
+
+        // Act
+        var result = _validator.TestValidate(polygon);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("southEast.lon");
+    }
+
+    [Fact]
+    public void Validate_NorthWestLatNotGreaterThanSouthEast_FailsInvariant()
+    {
+        // Arrange — NW.Lat <= SE.Lat → invariant violation
+        var polygon = ValidPolygon();
+        polygon.NorthWest = new GeoPoint(50.05, 36.05);
+        polygon.SouthEast = new GeoPoint(50.05, 36.15);
+
+        // Act
+        var result = _validator.TestValidate(polygon);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("northWest")
+            .WithErrorMessage("`northWest.lat` must be greater than `southEast.lat` (NW is north-of SE).");
+    }
+
+    [Fact]
+    public void Validate_NorthWestLonNotLessThanSouthEast_FailsInvariant()
+    {
+        // Arrange — NW.Lon >= SE.Lon → invariant violation
+        var polygon = ValidPolygon();
+        polygon.NorthWest = new GeoPoint(50.15, 36.15);
+        polygon.SouthEast = new GeoPoint(50.05, 36.15);
+
+        // Act
+        var result = _validator.TestValidate(polygon);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("northWest")
+            .WithErrorMessage("`northWest.lon` must be less than `southEast.lon` (NW is west-of SE).");
+    }
+}

SatelliteProvider.Tests/Validators/GetTileByLatLonQueryValidatorTests.cs

@@ -0,0 +1,159 @@
+using FluentValidation.TestHelper;
+using SatelliteProvider.Api.DTOs;
+using SatelliteProvider.Api.Validators;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-811: unit tests for GetTileByLatLonQueryValidator. One Theory per RuleFor
+// covering boundary + out-of-range. Unknown-query-param rejection is tested
+// at the integration layer (GetTileByLatLonValidationTests) — there's no
+// pure-unit equivalent because the filter runs against HttpContext.Request.Query.
+public class GetTileByLatLonQueryValidatorTests
+{
+    private readonly GetTileByLatLonQueryValidator _validator;
+
+    public GetTileByLatLonQueryValidatorTests()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+        _validator = new GetTileByLatLonQueryValidator();
+    }
+
+    [Theory]
+    [InlineData(-90.001)]
+    [InlineData(90.001)]
+    [InlineData(180.0)]
+    public void Validate_LatOutOfRange_FailsRangeRule(double lat)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(lat, 37.647063, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lat");
+    }
+
+    [Fact]
+    public void Validate_LatNull_FailsNotNullRule()
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(null, 37.647063, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert — CascadeMode.Stop ensures NotNull short-circuits the range
+        // rule, so the caller sees only `"\`lat\` is required."` not also the
+        // range error against a null sentinel.
+        result.ShouldHaveValidationErrorFor("lat").WithErrorMessage("`lat` is required.");
+    }
+
+    [Theory]
+    [InlineData(-90.0)]
+    [InlineData(0.0)]
+    [InlineData(47.461747)]
+    [InlineData(90.0)]
+    public void Validate_LatAtOrInsideBounds_Passes(double lat)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(lat, 37.647063, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lat");
+    }
+
+    [Theory]
+    [InlineData(-180.001)]
+    [InlineData(180.001)]
+    [InlineData(360.0)]
+    public void Validate_LonOutOfRange_FailsRangeRule(double lon)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, lon, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lon");
+    }
+
+    [Fact]
+    public void Validate_LonNull_FailsNotNullRule()
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, null, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lon").WithErrorMessage("`lon` is required.");
+    }
+
+    [Theory]
+    [InlineData(-180.0)]
+    [InlineData(0.0)]
+    [InlineData(37.647063)]
+    [InlineData(180.0)]
+    public void Validate_LonAtOrInsideBounds_Passes(double lon)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, lon, 18);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lon");
+    }
+
+    [Theory]
+    [InlineData(-1)]
+    [InlineData(23)]
+    [InlineData(100)]
+    public void Validate_ZoomOutOfRange_FailsRangeRule(int zoom)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, 37.647063, zoom);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("zoom");
+    }
+
+    [Fact]
+    public void Validate_ZoomNull_FailsNotNullRule()
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, 37.647063, null);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("zoom").WithErrorMessage("`zoom` is required.");
+    }
+
+    [Theory]
+    [InlineData(0)]
+    [InlineData(18)]
+    [InlineData(22)]
+    public void Validate_ZoomAtOrInsideBounds_Passes(int zoom)
+    {
+        // Arrange
+        var query = new GetTileByLatLonQuery(47.461747, 37.647063, zoom);
+
+        // Act
+        var result = _validator.TestValidate(query);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("zoom");
+    }
+}

SatelliteProvider.Tests/Validators/InventoryRequestValidatorTests.cs

@@ -0,0 +1,261 @@
+using FluentAssertions;
+using FluentValidation.TestHelper;
+using SatelliteProvider.Api.Validators;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Tests.Validators;
+
+public class InventoryRequestValidatorTests
+{
+    private readonly InventoryRequestValidator _validator = new();
+
+    [Fact]
+    public void Validate_TilesPopulated_LocationHashesNull_Passes()
+    {
+        // Arrange
+        var request = new TileInventoryRequest
+        {
+            Tiles = new[] { new TileCoord { Z = 18, X = 1, Y = 1 } }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_LocationHashesPopulated_TilesNull_Passes()
+    {
+        // Arrange
+        var request = new TileInventoryRequest
+        {
+            LocationHashes = new[] { Guid.NewGuid() }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_BothPopulated_FailsXorRule()
+    {
+        // Arrange
+        var request = new TileInventoryRequest
+        {
+            Tiles = new[] { new TileCoord { Z = 18, X = 1, Y = 1 } },
+            LocationHashes = new[] { Guid.NewGuid() }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("$")
+            .WithErrorMessage("Populate exactly one of `tiles` or `locationHashes` (sending both, or neither, is not allowed).");
+    }
+
+    [Fact]
+    public void Validate_NeitherPopulated_FailsXorRule()
+    {
+        // Arrange
+        var request = new TileInventoryRequest();
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("$");
+    }
+
+    [Fact]
+    public void Validate_BothEmpty_FailsXorRule()
+    {
+        // Arrange
+        var request = new TileInventoryRequest
+        {
+            Tiles = Array.Empty<TileCoord>(),
+            LocationHashes = Array.Empty<Guid>()
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("$");
+    }
+
+    [Fact]
+    public void Validate_TilesAtCap_Passes()
+    {
+        // Arrange
+        var coords = Enumerable.Range(0, TileInventoryLimits.MaxEntriesPerRequest)
+            .Select(_ => new TileCoord { Z = 18, X = 1, Y = 1 })
+            .ToArray();
+        var request = new TileInventoryRequest { Tiles = coords };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("tiles");
+    }
+
+    [Fact]
+    public void Validate_TilesOverCap_FailsCapRule()
+    {
+        // Arrange
+        var coords = Enumerable.Range(0, TileInventoryLimits.MaxEntriesPerRequest + 1)
+            .Select(_ => new TileCoord { Z = 18, X = 1, Y = 1 })
+            .ToArray();
+        var request = new TileInventoryRequest { Tiles = coords };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("tiles")
+            .WithErrorMessage($"`tiles` must contain at most {TileInventoryLimits.MaxEntriesPerRequest} entries.");
+    }
+
+    [Fact]
+    public void Validate_LocationHashesOverCap_FailsCapRule()
+    {
+        // Arrange
+        var hashes = Enumerable.Range(0, TileInventoryLimits.MaxEntriesPerRequest + 1)
+            .Select(_ => Guid.NewGuid())
+            .ToArray();
+        var request = new TileInventoryRequest { LocationHashes = hashes };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("locationHashes")
+            .WithErrorMessage($"`locationHashes` must contain at most {TileInventoryLimits.MaxEntriesPerRequest} entries.");
+    }
+
+    [Theory]
+    [InlineData(-1)]
+    [InlineData(23)]
+    [InlineData(100)]
+    public void Validate_TileZoomOutOfRange_FailsRangeRule(int z)
+    {
+        // Arrange
+        var request = new TileInventoryRequest
+        {
+            Tiles = new[] { new TileCoord { Z = z, X = 0, Y = 0 } }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("tiles[0].z");
+    }
+
+    [Theory]
+    [InlineData(0)]
+    [InlineData(18)]
+    [InlineData(22)]
+    public void Validate_TileZoomInRange_PassesRangeRule(int z)
+    {
+        // Arrange
+        var maxAxis = (1 << z) - 1;
+        var request = new TileInventoryRequest
+        {
+            Tiles = new[] { new TileCoord { Z = z, X = maxAxis, Y = maxAxis } }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("tiles[0].z");
+    }
+
+    [Fact]
+    public void Validate_TileXNegative_FailsRangeRule()
+    {
+        // Arrange
+        var request = new TileInventoryRequest
+        {
+            Tiles = new[] { new TileCoord { Z = 18, X = -1, Y = 0 } }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("tiles[0].x");
+    }
+
+    [Fact]
+    public void Validate_TileXAtUpperBound_FailsRangeRule()
+    {
+        // Arrange — at z=2, valid x is 0..3, so x=4 is invalid
+        var request = new TileInventoryRequest
+        {
+            Tiles = new[] { new TileCoord { Z = 2, X = 4, Y = 0 } }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("tiles[0].x")
+            .WithErrorMessage("`x` must be < 2^z = 4 for z=2.");
+    }
+
+    [Fact]
+    public void Validate_TileYNegative_FailsRangeRule()
+    {
+        // Arrange
+        var request = new TileInventoryRequest
+        {
+            Tiles = new[] { new TileCoord { Z = 18, X = 0, Y = -1 } }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("tiles[0].y");
+    }
+
+    [Fact]
+    public void Validate_TileYAtUpperBound_FailsRangeRule()
+    {
+        // Arrange — at z=0, valid y is 0..0, so y=1 is invalid
+        var request = new TileInventoryRequest
+        {
+            Tiles = new[] { new TileCoord { Z = 0, X = 0, Y = 1 } }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("tiles[0].y");
+    }
+
+    [Fact]
+    public void Validate_AxesAtMaxForZoom_Passes()
+    {
+        // Arrange — at z=18, valid x/y is 0..(2^18 - 1) = 0..262143
+        var request = new TileInventoryRequest
+        {
+            Tiles = new[] { new TileCoord { Z = 18, X = 262_143, Y = 262_143 } }
+        };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+}

SatelliteProvider.Tests/Validators/RegionRequestValidatorTests.cs

@@ -0,0 +1,192 @@
+using FluentValidation.TestHelper;
+using SatelliteProvider.Api.Validators;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-808: unit tests for RegionRequestValidator. Each RuleFor in the validator
+// has at least one passing case + one failing case. Required-field detection
+// (id / lat / lon / sizeMeters / zoomLevel / stitchTiles) is not unit-tested
+// here because it lives at the deserializer layer (JsonRequired), not the
+// validator — covered by the integration tests (RegionRequestValidationTests).
+public class RegionRequestValidatorTests
+{
+    private readonly RegionRequestValidator _validator;
+
+    public RegionRequestValidatorTests()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+        _validator = new RegionRequestValidator();
+    }
+
+    private static RequestRegionRequest ValidRequest() => new()
+    {
+        Id = Guid.NewGuid(),
+        Lat = 47.461747,
+        Lon = 37.647063,
+        SizeMeters = 200.0,
+        ZoomLevel = 18,
+        StitchTiles = false,
+    };
+
+    [Fact]
+    public void Validate_AllValid_Passes()
+    {
+        // Arrange
+        var request = ValidRequest();
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_IdEmpty_FailsNotEmptyRule()
+    {
+        // Arrange
+        var request = ValidRequest() with { Id = Guid.Empty };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("id")
+            .WithErrorMessage("`id` must be a non-zero GUID (the caller's idempotency key).");
+    }
+
+    [Theory]
+    [InlineData(-90.001)]
+    [InlineData(90.001)]
+    [InlineData(180.0)]
+    [InlineData(-181.0)]
+    public void Validate_LatOutOfRange_FailsRangeRule(double lat)
+    {
+        // Arrange
+        var request = ValidRequest() with { Lat = lat };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lat");
+    }
+
+    [Theory]
+    [InlineData(-90.0)]
+    [InlineData(0.0)]
+    [InlineData(47.461747)]
+    [InlineData(90.0)]
+    public void Validate_LatAtOrInsideBounds_Passes(double lat)
+    {
+        // Arrange
+        var request = ValidRequest() with { Lat = lat };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lat");
+    }
+
+    [Theory]
+    [InlineData(-180.001)]
+    [InlineData(180.001)]
+    [InlineData(360.0)]
+    public void Validate_LonOutOfRange_FailsRangeRule(double lon)
+    {
+        // Arrange
+        var request = ValidRequest() with { Lon = lon };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lon");
+    }
+
+    [Theory]
+    [InlineData(-180.0)]
+    [InlineData(0.0)]
+    [InlineData(37.647063)]
+    [InlineData(180.0)]
+    public void Validate_LonAtOrInsideBounds_Passes(double lon)
+    {
+        // Arrange
+        var request = ValidRequest() with { Lon = lon };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lon");
+    }
+
+    [Theory]
+    [InlineData(99.999)]
+    [InlineData(0.0)]
+    [InlineData(10000.001)]
+    [InlineData(100000.0)]
+    [InlineData(-1.0)]
+    public void Validate_SizeMetersOutOfRange_FailsRangeRule(double sizeMeters)
+    {
+        // Arrange
+        var request = ValidRequest() with { SizeMeters = sizeMeters };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("sizeMeters");
+    }
+
+    [Theory]
+    [InlineData(100.0)]
+    [InlineData(200.0)]
+    [InlineData(5000.0)]
+    [InlineData(10000.0)]
+    public void Validate_SizeMetersAtOrInsideBounds_Passes(double sizeMeters)
+    {
+        // Arrange
+        var request = ValidRequest() with { SizeMeters = sizeMeters };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("sizeMeters");
+    }
+
+    [Theory]
+    [InlineData(-1)]
+    [InlineData(23)]
+    [InlineData(100)]
+    public void Validate_ZoomLevelOutOfRange_FailsRangeRule(int zoomLevel)
+    {
+        // Arrange
+        var request = ValidRequest() with { ZoomLevel = zoomLevel };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("zoomLevel");
+    }
+
+    [Theory]
+    [InlineData(0)]
+    [InlineData(18)]
+    [InlineData(22)]
+    public void Validate_ZoomLevelAtOrInsideBounds_Passes(int zoomLevel)
+    {
+        // Arrange
+        var request = ValidRequest() with { ZoomLevel = zoomLevel };
+
+        // Act
+        var result = _validator.TestValidate(request);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("zoomLevel");
+    }
+}

SatelliteProvider.Tests/Validators/RejectUnknownQueryParamsEndpointFilterTests.cs

@@ -0,0 +1,124 @@
+using FluentAssertions;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Http.HttpResults;
+using Microsoft.Extensions.Primitives;
+using SatelliteProvider.Api.Validators;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-811: unit coverage for the envelope filter that runs ahead of the
+// FluentValidation layer on query-string endpoints. Spec section 5 calls for
+// ≥ 1 unit test on this filter; integration coverage is in
+// SatelliteProvider.IntegrationTests/GetTileByLatLonValidationTests.cs.
+public class RejectUnknownQueryParamsEndpointFilterTests
+{
+    private static readonly string[] AllowedKeys = ["lat", "lon", "zoom"];
+
+    [Fact]
+    public async Task Invoke_AllKeysAllowed_DelegatesToNext()
+    {
+        // Arrange
+        var filter = new RejectUnknownQueryParamsEndpointFilter(AllowedKeys);
+        var ctx = BuildContext(new Dictionary<string, StringValues>
+        {
+            ["lat"] = "47.461747",
+            ["lon"] = "37.647063",
+            ["zoom"] = "18"
+        });
+        var sentinel = new object();
+        EndpointFilterDelegate next = _ => ValueTask.FromResult<object?>(sentinel);
+
+        // Act
+        var result = await filter.InvokeAsync(ctx, next);
+
+        // Assert
+        result.Should().BeSameAs(sentinel, "the filter must pass through when all query keys are in the allowed set");
+    }
+
+    [Fact]
+    public async Task Invoke_UnknownKey_ReturnsValidationProblemAndDoesNotDelegate()
+    {
+        // Arrange
+        var filter = new RejectUnknownQueryParamsEndpointFilter(AllowedKeys);
+        var ctx = BuildContext(new Dictionary<string, StringValues>
+        {
+            ["lat"] = "47.461747",
+            ["lon"] = "37.647063",
+            ["zoom"] = "18",
+            ["debug"] = "1"
+        });
+        var nextCalled = false;
+        EndpointFilterDelegate next = _ =>
+        {
+            nextCalled = true;
+            return ValueTask.FromResult<object?>(new object());
+        };
+
+        // Act
+        var result = await filter.InvokeAsync(ctx, next);
+
+        // Assert
+        nextCalled.Should().BeFalse("an unknown key must short-circuit the pipeline before the handler runs");
+        var problem = result.Should().BeOfType<ProblemHttpResult>().Subject;
+        problem.StatusCode.Should().Be(StatusCodes.Status400BadRequest);
+        problem.ProblemDetails.Should().BeOfType<HttpValidationProblemDetails>();
+        var validation = (HttpValidationProblemDetails)problem.ProblemDetails;
+        validation.Errors.Should().ContainKey("debug");
+        validation.Errors["debug"][0].Should().Contain("Unknown query parameter");
+    }
+
+    [Fact]
+    public async Task Invoke_LegacyPascalCaseKeys_ReturnsErrorsPerKey()
+    {
+        // Arrange — AZ-811 envelope must catch the exact pre-rename wire format
+        // (`Latitude/Longitude/ZoomLevel`) because case-insensitive lookup against
+        // the allowed set still treats those keys as distinct from `lat/lon/zoom`.
+        var filter = new RejectUnknownQueryParamsEndpointFilter(AllowedKeys);
+        var ctx = BuildContext(new Dictionary<string, StringValues>
+        {
+            ["Latitude"] = "47.461747",
+            ["Longitude"] = "37.647063",
+            ["ZoomLevel"] = "18"
+        });
+        EndpointFilterDelegate next = _ => ValueTask.FromResult<object?>(new object());
+
+        // Act
+        var result = await filter.InvokeAsync(ctx, next);
+
+        // Assert
+        var problem = result.Should().BeOfType<ProblemHttpResult>().Subject;
+        var validation = (HttpValidationProblemDetails)problem.ProblemDetails;
+        validation.Errors.Should().ContainKey("Latitude");
+        validation.Errors.Should().ContainKey("Longitude");
+        validation.Errors.Should().ContainKey("ZoomLevel");
+    }
+
+    [Fact]
+    public async Task Invoke_KeysAreCaseInsensitiveAgainstAllowedSet()
+    {
+        // Arrange — `Lat` (capital L) is the SAME allowed key as `lat`
+        // (`StringComparer.OrdinalIgnoreCase`). It must pass through.
+        var filter = new RejectUnknownQueryParamsEndpointFilter(AllowedKeys);
+        var ctx = BuildContext(new Dictionary<string, StringValues>
+        {
+            ["Lat"] = "47.461747",
+            ["lon"] = "37.647063",
+            ["ZOOM"] = "18"
+        });
+        var sentinel = new object();
+        EndpointFilterDelegate next = _ => ValueTask.FromResult<object?>(sentinel);
+
+        // Act
+        var result = await filter.InvokeAsync(ctx, next);
+
+        // Assert
+        result.Should().BeSameAs(sentinel);
+    }
+
+    private static EndpointFilterInvocationContext BuildContext(IDictionary<string, StringValues> queryParams)
+    {
+        var httpContext = new DefaultHttpContext();
+        httpContext.Request.Query = new QueryCollection(queryParams.ToDictionary(kv => kv.Key, kv => kv.Value));
+        return new DefaultEndpointFilterInvocationContext(httpContext);
+    }
+}

SatelliteProvider.Tests/Validators/RoutePointValidatorTests.cs

@@ -0,0 +1,86 @@
+using FluentValidation.TestHelper;
+using SatelliteProvider.Api.Validators;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-809: unit tests for RoutePointValidator. Lat/lon range checks live on
+// `RoutePoint.Latitude` / `RoutePoint.Longitude` (C# names); the validator's
+// OverridePropertyName aligns FluentValidation error keys with the wire
+// format (`lat` / `lon`) so callers see what they posted.
+public class RoutePointValidatorTests
+{
+    private readonly RoutePointValidator _validator;
+
+    public RoutePointValidatorTests()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+        _validator = new RoutePointValidator();
+    }
+
+    [Theory]
+    [InlineData(-90.001)]
+    [InlineData(90.001)]
+    [InlineData(180.0)]
+    public void Validate_LatOutOfRange_FailsRangeRule(double lat)
+    {
+        // Arrange
+        var point = new RoutePoint { Latitude = lat, Longitude = 37.647063 };
+
+        // Act
+        var result = _validator.TestValidate(point);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lat");
+    }
+
+    [Theory]
+    [InlineData(-90.0)]
+    [InlineData(0.0)]
+    [InlineData(47.461747)]
+    [InlineData(90.0)]
+    public void Validate_LatAtOrInsideBounds_Passes(double lat)
+    {
+        // Arrange
+        var point = new RoutePoint { Latitude = lat, Longitude = 37.647063 };
+
+        // Act
+        var result = _validator.TestValidate(point);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lat");
+    }
+
+    [Theory]
+    [InlineData(-180.001)]
+    [InlineData(180.001)]
+    [InlineData(360.0)]
+    public void Validate_LonOutOfRange_FailsRangeRule(double lon)
+    {
+        // Arrange
+        var point = new RoutePoint { Latitude = 47.461747, Longitude = lon };
+
+        // Act
+        var result = _validator.TestValidate(point);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("lon");
+    }
+
+    [Theory]
+    [InlineData(-180.0)]
+    [InlineData(0.0)]
+    [InlineData(37.647063)]
+    [InlineData(180.0)]
+    public void Validate_LonAtOrInsideBounds_Passes(double lon)
+    {
+        // Arrange
+        var point = new RoutePoint { Latitude = 47.461747, Longitude = lon };
+
+        // Act
+        var result = _validator.TestValidate(point);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("lon");
+    }
+}

SatelliteProvider.Tests/Validators/UavTileBatchMetadataPayloadValidatorTests.cs

@@ -0,0 +1,103 @@
+using FluentValidation.TestHelper;
+using Microsoft.Extensions.Options;
+using SatelliteProvider.Api.Validators;
+using SatelliteProvider.Common.Configs;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-810: root metadata-envelope validator tests. Covers `items` non-null +
+// non-empty + cap rules. The per-item rules are covered by UavTileMetadataValidatorTests.
+public class UavTileBatchMetadataPayloadValidatorTests
+{
+    private readonly UavTileBatchMetadataPayloadValidator _validator;
+    private readonly DateTime _now;
+
+    public UavTileBatchMetadataPayloadValidatorTests()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+        var config = Options.Create(new UavQualityConfig
+        {
+            MaxBatchSize = 100,
+            MaxAgeDays = 7,
+            CapturedAtFutureSkewSeconds = 30,
+        });
+        _now = new DateTime(2026, 5, 22, 12, 0, 0, DateTimeKind.Utc);
+        _validator = new UavTileBatchMetadataPayloadValidator(config, new FixedTimeProvider(_now));
+    }
+
+    private UavTileMetadata ValidItem() => new()
+    {
+        Latitude = 50.10,
+        Longitude = 36.10,
+        TileZoom = 18,
+        TileSizeMeters = 200.0,
+        CapturedAt = _now.AddMinutes(-5),
+        FlightId = null,
+    };
+
+    [Fact]
+    public void Validate_OneValidItem_Passes()
+    {
+        // Arrange
+        var payload = new UavTileBatchMetadataPayload { Items = new() { ValidItem() } };
+
+        // Act
+        var result = _validator.TestValidate(payload);
+
+        // Assert
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void Validate_ItemsEmpty_FailsNotEmptyRule()
+    {
+        // Arrange
+        var payload = new UavTileBatchMetadataPayload { Items = new() };
+
+        // Act
+        var result = _validator.TestValidate(payload);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("items")
+            .WithErrorMessage("`items` must contain at least one entry.");
+    }
+
+    [Fact]
+    public void Validate_ItemsTooMany_FailsCountRule()
+    {
+        // Arrange — 101 items (cap = 100)
+        var items = Enumerable.Range(0, 101).Select(_ => ValidItem()).ToList();
+        var payload = new UavTileBatchMetadataPayload { Items = items };
+
+        // Act
+        var result = _validator.TestValidate(payload);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("items")
+            .WithErrorMessage("`items` must contain at most 100 entries.");
+    }
+
+    [Fact]
+    public void Validate_PerItemFailure_PropagatesWithIndexedPath()
+    {
+        // Arrange — first item valid, second item lat out-of-range
+        var payload = new UavTileBatchMetadataPayload
+        {
+            Items = new() { ValidItem(), ValidItem() with { Latitude = 91.0 } },
+        };
+
+        // Act
+        var result = _validator.TestValidate(payload);
+
+        // Assert — error key follows the wire format produced by RuleForEach.
+        result.ShouldHaveValidationErrorFor("items[1].latitude");
+    }
+
+    private sealed class FixedTimeProvider : TimeProvider
+    {
+        private readonly DateTime _utcNow;
+        public FixedTimeProvider(DateTime utcNow) => _utcNow = utcNow;
+        public override DateTimeOffset GetUtcNow() => new(_utcNow, TimeSpan.Zero);
+    }
+}

SatelliteProvider.Tests/Validators/UavTileMetadataValidatorTests.cs

@@ -0,0 +1,192 @@
+using FluentValidation.TestHelper;
+using Microsoft.Extensions.Options;
+using SatelliteProvider.Api.Validators;
+using SatelliteProvider.Common.Configs;
+using SatelliteProvider.Common.DTO;
+
+namespace SatelliteProvider.Tests.Validators;
+
+// AZ-810: per-item metadata validator tests. Each RuleFor in
+// UavTileMetadataValidator gets at least one passing + one failing case.
+// Required-field detection lives at the deserializer layer ([JsonRequired]
+// on UavTileMetadata) and is exercised at the integration layer.
+public class UavTileMetadataValidatorTests
+{
+    private readonly UavTileMetadataValidator _validator;
+    private readonly DateTime _now;
+
+    public UavTileMetadataValidatorTests()
+    {
+        GlobalValidatorConfig.ApplyOnce();
+        var config = Options.Create(new UavQualityConfig
+        {
+            MaxAgeDays = 7,
+            CapturedAtFutureSkewSeconds = 30,
+        });
+        _now = new DateTime(2026, 5, 22, 12, 0, 0, DateTimeKind.Utc);
+        _validator = new UavTileMetadataValidator(config, new FixedTimeProvider(_now));
+    }
+
+    // Mirrors the existing pattern in UavTileUploadHandlerTests / UavTileQualityGateTests
+    // (those tests inline the same shape). Kept private here for SRP; if a third
+    // consumer appears, promote to SatelliteProvider.TestSupport.
+    private sealed class FixedTimeProvider : TimeProvider
+    {
+        private readonly DateTime _utcNow;
+        public FixedTimeProvider(DateTime utcNow) => _utcNow = utcNow;
+        public override DateTimeOffset GetUtcNow() => new(_utcNow, TimeSpan.Zero);
+    }
+
+    private static UavTileMetadata ValidMetadata(DateTime capturedAt) => new()
+    {
+        Latitude = 50.10,
+        Longitude = 36.10,
+        TileZoom = 18,
+        TileSizeMeters = 200.0,
+        CapturedAt = capturedAt,
+        FlightId = null,
+    };
+
+    [Fact]
+    public void Validate_AllValid_Passes()
+    {
+        // Arrange
+        var metadata = ValidMetadata(_now.AddMinutes(-5));
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Theory]
+    [InlineData(-91.0)]
+    [InlineData(90.001)]
+    [InlineData(180.0)]
+    public void Validate_LatOutOfRange_FailsRangeRule(double lat)
+    {
+        // Arrange
+        var metadata = ValidMetadata(_now) with { Latitude = lat };
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("latitude");
+    }
+
+    [Theory]
+    [InlineData(-181.0)]
+    [InlineData(180.001)]
+    [InlineData(360.0)]
+    public void Validate_LonOutOfRange_FailsRangeRule(double lon)
+    {
+        // Arrange
+        var metadata = ValidMetadata(_now) with { Longitude = lon };
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("longitude");
+    }
+
+    [Theory]
+    [InlineData(-1)]
+    [InlineData(23)]
+    [InlineData(100)]
+    public void Validate_TileZoomOutOfRange_FailsRangeRule(int zoom)
+    {
+        // Arrange
+        var metadata = ValidMetadata(_now) with { TileZoom = zoom };
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("tileZoom");
+    }
+
+    [Theory]
+    [InlineData(0.0)]
+    [InlineData(-1.0)]
+    public void Validate_TileSizeMetersNonPositive_FailsGreaterThanRule(double size)
+    {
+        // Arrange
+        var metadata = ValidMetadata(_now) with { TileSizeMeters = size };
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("tileSizeMeters");
+    }
+
+    [Fact]
+    public void Validate_CapturedAtFuture_FailsFreshnessRule()
+    {
+        // Arrange — 60s in the future (skew limit is 30s).
+        var metadata = ValidMetadata(_now.AddSeconds(60));
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("capturedAt")
+            .WithErrorMessage("`capturedAt` must be within 30s of the current time (no future-dated tiles).");
+    }
+
+    [Fact]
+    public void Validate_CapturedAtNearFutureWithinSkew_Passes()
+    {
+        // Arrange — 10s in the future (within the 30s skew window).
+        var metadata = ValidMetadata(_now.AddSeconds(10));
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("capturedAt");
+    }
+
+    [Fact]
+    public void Validate_CapturedAtTooOld_FailsFreshnessRule()
+    {
+        // Arrange — 8 days ago (cap is 7 days).
+        var metadata = ValidMetadata(_now.AddDays(-8));
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldHaveValidationErrorFor("capturedAt")
+            .WithErrorMessage("`capturedAt` must be within the last 7 days.");
+    }
+
+    [Fact]
+    public void Validate_FlightIdNull_Passes()
+    {
+        // Arrange — AZ-503 anonymous-flight semantics: null FlightId is valid.
+        var metadata = ValidMetadata(_now) with { FlightId = null };
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("flightId");
+    }
+
+    [Fact]
+    public void Validate_FlightIdSet_Passes()
+    {
+        // Arrange
+        var metadata = ValidMetadata(_now) with { FlightId = Guid.NewGuid() };
+
+        // Act
+        var result = _validator.TestValidate(metadata);
+
+        // Assert
+        result.ShouldNotHaveValidationErrorFor("flightId");
+    }
+}

_docs/00_problem/data_parameters.md

@@ -10,6 +10,18 @@
 | longitude | double | yes | -180 to 180 | Center longitude |
 | zoomLevel | int | yes | 1–20 | Google Maps zoom level |
 
+### API Request: Tile Inventory — `POST /api/satellite/tiles/inventory` (AZ-505; renamed AZ-794, strict-validated AZ-796 — cycle 7)
+
+Exactly one of `tiles` OR `locationHashes` must be populated and non-empty. Strict input validation enforced by `InventoryRequestValidator` + `System.Text.Json` (`UnmappedMemberHandling.Disallow`); failures return HTTP 400 + `ValidationProblemDetails` per `_docs/02_document/contracts/api/error-shape.md` v1.0.0.
+
+| Parameter | Type | Required | Constraints | Description |
+|-----------|------|----------|-------------|-------------|
+| tiles | array | XOR (vs `locationHashes`) | 1 ≤ count ≤ 5000 | Form A: coords-by-value batch |
+| tiles[].z | int | yes (`[JsonRequired]`) | 0–22 (slippy zoom range) | Slippy zoom level (renamed from `tileZoom` by AZ-794) |
+| tiles[].x | int | yes (`[JsonRequired]`) | 0 ≤ x < 2^z | Slippy x at that zoom (renamed from `tileX` by AZ-794) |
+| tiles[].y | int | yes (`[JsonRequired]`) | 0 ≤ y < 2^z | Slippy y at that zoom (renamed from `tileY` by AZ-794) |
+| locationHashes | array | XOR (vs `tiles`) | 1 ≤ count ≤ 5000 | Form B: hashes-by-reference batch (UUIDv5 of `"{z}/{x}/{y}"`) |
+
 ### API Request: Region
 
 | Parameter | Type | Required | Constraints | Description |

_docs/02_document/architecture.md

@@ -24,6 +24,7 @@ The three Layer-3 service components are compile-time siblings: each only refere
 - Cross-repo deterministic tile identity (AZ-503) — the `TileNamespace` UUID `5b8d0c2e-7f1a-4d3b-9c5e-1f3a8e7d2b6c` and the canonical name format are shared with the sibling workspace `gps-denied-onboard` (`components/c6_tile_cache/_uuid.py:TILE_NAMESPACE`). Both sides MUST produce byte-identical UUIDv5 output so an onboard-cached tile and a server-cached tile for the same `(z, x, y, source, flight_id)` are recognized as the same artifact without a round-trip. Changing the namespace constant on either side is a coordinated cross-repo break. (`inferred-from: Uuidv5.cs, AZ-503 task spec § Constraints`)
 - Fire-and-forget async processing with status polling (`inferred-from: queue + background service + status endpoint`)
 - JWT-validated callers only — every HTTP endpoint requires a valid HS256-signed Bearer token, validated locally against a shared `JWT_SECRET` per the suite-level auth contract (`suite/_docs/10_auth.md`). Issuer/audience are intentionally not validated yet; signature + lifetime + ≥32-byte key are. Per-endpoint permission claims (e.g. `permissions: ["GPS"]` on the UAV upload) layer on top of this baseline.
+- Strict wire-format validation at the API edge (AZ-795 epic, completed across cycles 7-8) — every public-facing endpoint runs every incoming payload through two collaborating layers BEFORE the handler sees it: (a) `JsonSerializerOptions.UnmappedMemberHandling.Disallow` + `[JsonRequired]` on every non-optional DTO axis at the System.Text.Json deserializer; (b) per-endpoint FluentValidation `IValidator<T>` wired via `WithValidation<T>()` (JSON bodies) or `UavUploadValidationFilter` (multipart) or `RejectUnknownQueryParamsEndpointFilter` + `GetTileByLatLonQueryValidator` (query params). Both layers produce identically-shaped RFC 7807 `ValidationProblemDetails` per `error-shape.md` v1.0.0, so callers see one error contract regardless of which layer fired. The principle is: **no payload reaches a handler unless every field is present, every type matches, every range is honored, and no unknown field was silently dropped.** This closes the silent-coercion footgun class (e.g. missing `id` → zero-Guid → untracked region/route; typo `?latitude=` → `lat=0`; misnamed `{"Latitude":...}` → `lat=0`) that pre-cycle-7 produced misleading 200-OK responses. Adding a new public endpoint requires either a `WithValidation<T>()` chain (JSON), a `UavUploadValidationFilter`-style multipart filter, or an `RejectUnknownQueryParamsEndpointFilter` + query validator (query string) — there is no other approved path.
 
 **Authentication & Authorization** (AZ-487):
 - Validation library: `Microsoft.AspNetCore.Authentication.JwtBearer` 10.0.7 (matches `Microsoft.AspNetCore.OpenApi` 10.0.7; AZ-496 bumped both packages from 8.0.21 → 8.0.25 in cycle 3 to close the cycle-1 D1 + cycle-2 D3 supply-chain findings, then AZ-500 bumped both 8.0.25 → 10.0.7 in cycle 4 as part of the .NET 8 → .NET 10 migration). The `TokenValidationParameters` shape is unchanged across the JwtBearer 8 → 10 jump — AZ-487/AZ-494 integration tests are the gate and all pass on .NET 10.
@@ -39,7 +40,7 @@ The three Layer-3 service components are compile-time siblings: each only refere
 - *Google Maps* — `TileService.DownloadAndStoreTilesAsync` / `DownloadAndStoreSingleTileAsync` stamp `source='google_maps'`, `flight_id=NULL`, and a deterministic UUIDv5 `id` on every persisted row; tile JPEGs live under `{StorageConfig.TilesDirectory}/{zoom}/...` per the legacy grandfathered layout. `content_sha256` is computed from the on-disk JPEG body.
 - *UAV* — `POST /api/satellite/upload` (AZ-488; per-flight key extended by AZ-503) accepts a multipart batch of UAV-captured tiles, runs each item through a 5-rule quality gate (`UavTileQualityGate`), and persists accepted items via `ITileRepository.InsertAsync` with `source='uav'`, `flight_id = metadata.flightId` (or NULL for anonymous uploads), and a deterministic UUIDv5 `id`. UAV JPEGs live under `{StorageConfig.TilesDirectory}/uav/{flight_id or 'none'}/{zoom}/{x}/{y}.jpg`, so `rm -rf ./tiles/uav/{flight_id}/` removes one flight's evidence without touching other flights at overlapping cells. Requires the `GPS` permission claim on top of the JWT baseline.
 
-The N-source storage contract is authoritative in `_docs/02_document/contracts/data-access/tile-storage.md` (v2.0.0 — bumped jointly by AZ-503-foundation and AZ-505 in cycle 6 to capture the identity columns, `tiles_leaflet_path` covering index, and `location_hash`-keyed leaflet read rule). The UAV upload contract is authoritative in `_docs/02_document/contracts/api/uav-tile-upload.md` (v1.1.0; AZ-503 added an optional `flightId` field to per-item metadata — backward-compatible). The bulk tile-inventory contract is authoritative in `_docs/02_document/contracts/api/tile-inventory.md` (v1.0.0; AZ-505). Anything that reads or writes `tiles` MUST follow those contracts rather than re-deriving the rules from prose here.
+The N-source storage contract is authoritative in `_docs/02_document/contracts/data-access/tile-storage.md` (v2.0.0 — bumped jointly by AZ-503-foundation and AZ-505 in cycle 6 to capture the identity columns, `tiles_leaflet_path` covering index, and `location_hash`-keyed leaflet read rule). The UAV upload contract is authoritative in `_docs/02_document/contracts/api/uav-tile-upload.md` (v1.2.0; AZ-503 added an optional `flightId` field to per-item metadata in v1.1.0, AZ-810 cycle 8 added the strict metadata-validation section in v1.2.0). The bulk tile-inventory contract is authoritative in `_docs/02_document/contracts/api/tile-inventory.md` (v2.0.0; AZ-505 v1.0.0, AZ-794+AZ-796 cycle 7 bumped to v2.0.0 with the OSM `z/x/y` rename + strict validation rules). The four wire-format contracts added in cycle 8 are authoritative for their respective endpoints: `_docs/02_document/contracts/api/region-request.md` v1.0.0 (`POST /api/satellite/request`, AZ-808+AZ-812), `_docs/02_document/contracts/api/route-creation.md` v1.0.0 (`POST /api/satellite/route`, AZ-809), `_docs/02_document/contracts/api/tile-latlon.md` v1.0.0 (`GET /api/satellite/tiles/latlon`, AZ-811), and `_docs/02_document/contracts/api/error-shape.md` v1.0.0 (the cross-endpoint RFC 7807 `ValidationProblemDetails` envelope shared by every validating endpoint, AZ-795 cycle 7). Anything that reads or writes `tiles` MUST follow those contracts rather than re-deriving the rules from prose here.
 
 **Drift signals**:
 - `geofence_polygons` mentioned in AGENTS.md as a routes table column but does not exist in schema or entity — documentation drift
@@ -88,7 +89,7 @@ The N-source storage contract is authoritative in `_docs/02_document/contracts/d
 
 | Config | Development | Production |
 |--------|-------------|------------|
-| Database | localhost:5432 (Docker) | Container network `db:5432` |
+| Database | localhost:5433 (Docker) | Container network `db:5432` |
 | Secrets | appsettings.Development.json | Environment variables |
 | Logging | Console + File | File (./logs/) |
 | API URL | http://localhost:5100 | http://0.0.0.0:5100 |
@@ -200,3 +201,28 @@ The authoritative source/flight markers are the `tiles.source` and `tiles.flight
 **Decision**: Use `IHostedService` implementations that consume from the in-process queue.
 
 **Consequences**: Clean separation of request handling and processing; lifecycle managed by the host.
+
+## 9. Input Validation (AZ-795)
+
+Every public HTTP endpoint MUST reject malformed or out-of-range payloads with HTTP 400 + RFC 7807 `ValidationProblemDetails`. The shared infrastructure landed in AZ-795 (cycle 7) is two collaborating layers:
+
+1. **Deserializer-level rejection** — `JsonSerializerOptions.UnmappedMemberHandling.Disallow` configured in `Program.cs` (`ConfigureHttpJsonOptions`) catches unknown fields, type mismatches, and malformed JSON. The framework wraps the resulting `JsonException` in `BadHttpRequestException`; `GlobalExceptionHandler` extracts the JSON path and emits a structured `ValidationProblemDetails` body.
+2. **Business-rule rejection** — `FluentValidation` 12.0.0 validators registered via `AddValidatorsFromAssemblyContaining<Program>()` and wired through the generic `ValidationEndpointFilter<T>` (`SatelliteProvider.Api/Validators/ValidationEndpointFilter.cs`). Endpoints opt in via `RouteHandlerBuilder.WithValidation<T>()`; the filter calls `Results.ValidationProblem(result.ToDictionary())` on failure.
+
+Both layers produce the wire shape documented in `_docs/02_document/contracts/api/error-shape.md` (v1.0.0).
+
+### Validator coverage
+
+| Endpoint | Request DTO | Validator | Status | Owning task |
+|----------|-------------|-----------|--------|-------------|
+| `POST /api/satellite/tiles/inventory` | `TileInventoryRequest` | `InventoryRequestValidator` | covered | AZ-796 (cycle 7) |
+| `GET /tiles/{z}/{x}/{y}` | route params | (route-constraint only — `:int` covers types; AZ-795 deserializer guards body shape on POST endpoints only) | covered by route-constraint | AZ-487 (cycle 1, JWT gate) |
+| `GET /api/satellite/tiles/latlon` | query params | (query-binding type checks via `[FromQuery]`; future AZ-795 child task to add explicit FluentValidation) | partial | future AZ-795 child |
+| `POST /api/satellite/upload` | `UavTileBatchUploadRequest` (multipart) | (envelope-level validation in `UavTileUploadHandler`; future AZ-795 child to formalize as FluentValidation) | partial | future AZ-795 child |
+| `POST /api/satellite/request` | `RequestRegionRequest` | (inline `SizeMeters` range check; future AZ-795 child) | partial | future AZ-795 child |
+| `POST /api/satellite/route` | `CreateRouteRequest` | (typed `ArgumentException` path → 400; future AZ-795 child) | partial | future AZ-795 child |
+| `GET /api/satellite/region/{id:guid}` | route param | (route-constraint `:guid`) | covered by route-constraint | — |
+| `GET /api/satellite/route/{id:guid}` | route param | (route-constraint `:guid`) | covered by route-constraint | — |
+| `GET /api/satellite/tiles/mgrs` | (stub) | n/a — returns 501 | n/a | AZ-356 |
+
+The `partial` rows are tracked under the AZ-795 epic; per-endpoint child tickets to be filed by parent-suite team after enumerating the surface from the OpenAPI spec.

_docs/02_document/contracts/api/error-shape.md

@@ -0,0 +1,136 @@
+# Contract: error-shape
+
+**Component**: WebApi (`SatelliteProvider.Api`) — applies to every public HTTP endpoint
+**Producer task**: AZ-795 — `_docs/02_tasks/done/AZ-795_strict_validation_epic.md`
+**Consumer tasks**: every per-endpoint child of AZ-795 (first: AZ-796) plus every `gps-denied-onboard` HTTP client and every future browser/CLI consumer
+**Version**: 1.0.0
+**Status**: frozen
+**Last Updated**: 2026-05-22
+
+## Purpose
+
+Defines the uniform RFC 7807 ProblemDetails / ValidationProblemDetails shape every public endpoint emits for client (4xx) errors. The contract exists so consumers can pattern-match against a single error payload regardless of which endpoint they called and regardless of whether the failure happened at the deserializer (unknown field, type mismatch) or at a FluentValidation rule (missing field, out-of-range value, business invariant).
+
+The contract is enforced by two collaborating pieces of shared infrastructure:
+
+1. **Deserializer-level rejection** — `JsonSerializerOptions.UnmappedMemberHandling.Disallow` (.NET 8+) catches unknown fields, type mismatches, and malformed JSON. The framework's `BadHttpRequestException` carries a `System.Text.Json.JsonException` as its inner exception; `GlobalExceptionHandler` (`SatelliteProvider.Api/GlobalExceptionHandler.cs`) extracts the JSON path and emits a `ValidationProblemDetails` body.
+2. **Business-rule rejection** — `FluentValidation` (12.0.0) validators wired through the generic `ValidationEndpointFilter<T>` (`SatelliteProvider.Api/Validators/ValidationEndpointFilter.cs`). Endpoints opt in via `RouteHandlerBuilder.WithValidation<T>()`. The filter calls `Results.ValidationProblem(result.ToDictionary())`, which produces an identically-shaped body.
+
+Both paths produce `Content-Type: application/problem+json`. Both populate the same `errors` map keyed by request-body field path.
+
+## Shape
+
+### Validation failures (HTTP 400)
+
+```jsonc
+{
+  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+  "title": "One or more validation errors occurred.",
+  "status": 400,
+  "errors": {
+    "tiles[0].z": ["The z field is required."],
+    "tiles[1]": ["The JSON property 'tileZoom' could not be mapped to any .NET member contained in type 'TileCoord'."]
+  }
+}
+```
+
+Per-field rules:
+
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `type` | URI string | yes | RFC 7231 §6.5.1 link for 400 (FluentValidation default) or RFC 9110 link for 5xx (server errors). |
+| `title` | string | yes | Human-readable summary. Validation failures use `"One or more validation errors occurred."`; non-validation 400s use `"Bad Request"`. |
+| `status` | integer | yes | Echoes the HTTP status code. |
+| `errors` | object\<string, string[]\> | required for validation failures | Keys are JSON-path-style request-body field names. Values are arrays of error messages. Empty array is not allowed for a present key. |
+| `traceId` | string | optional | Correlation identifier for log lookup. Populated for 5xx; may be populated for 4xx if FluentValidation surfaces it. |
+
+### Field-path keys in `errors`
+
+Field-path keys MUST follow the same casing as the request body's JSON (camelCase root + dotted/indexed access for nested types). Examples:
+
+| Failure type | Example field-path key |
+|--------------|------------------------|
+| Missing root field | `tiles` |
+| Missing nested field on tile entry | `tiles[0].z` |
+| Out-of-range value | `tiles[3].z` |
+| Unknown root field | `unknownField` (or `$` if path unavailable) |
+| Unknown field inside nested object | `tiles[0].foo` |
+| Both/neither XOR violation | `$` (request-body root) |
+
+The deserialization-failure path (unknown field, type mismatch) sets the key to the JSON path System.Text.Json reports. FluentValidation paths use the property names from `RuleFor(x => x.Tiles)` etc., which automatically produce camelCase paths matching the request body.
+
+### Generic 4xx errors (no validation context)
+
+Some 4xx responses (auth failures, not-found, framework binding errors that aren't JSON deserialization) emit the simpler ProblemDetails shape — no `errors` map:
+
+```jsonc
+{
+  "type": "https://datatracker.ietf.org/doc/html/rfc9110#name-401-unauthorized",
+  "title": "Unauthorized",
+  "status": 401
+}
+```
+
+| Status | Title | Notes |
+|--------|-------|-------|
+| 400 (non-validation) | `"Bad Request"` | Framework binding failures that don't carry a JsonException (rare). |
+| 401 | (varies) | Emitted by the JwtBearer middleware via `WWW-Authenticate`; body content depends on framework version. |
+| 403 | (varies) | Authorization failure. Body shape governed by ASP.NET Core defaults. |
+| 404 | (varies) | Per-endpoint default; some endpoints emit a custom NotFound body (e.g. region/route). |
+| 501 | `"Not implemented"` | Stub endpoints (e.g. `/api/satellite/tiles/mgrs`). |
+
+### 5xx errors
+
+Server errors emit the simpler ProblemDetails shape with a `correlationId` extension property pointing at the server log entry. The body NEVER contains the original exception message or stack trace (sanitization landed in AZ-353):
+
+```jsonc
+{
+  "type": "https://datatracker.ietf.org/doc/html/rfc9110#name-500-internal-server-error",
+  "title": "Internal Server Error",
+  "status": 500,
+  "detail": "An unexpected error occurred. Use the correlationId to look up the server log entry.",
+  "correlationId": "0HMBR..."
+}
+```
+
+## Invariants
+
+- **Inv-1**: Every 4xx and 5xx response sets `Content-Type: application/problem+json`.
+- **Inv-2**: Validation failures (HTTP 400 from FluentValidation OR from JSON deserialization with a JsonException inner exception) always include an `errors` object.
+- **Inv-3**: Each `errors` entry has at least one message. Empty arrays are forbidden.
+- **Inv-4**: Field-path keys in `errors` use the same casing as the request body (camelCase root, dotted/indexed access for nested types).
+- **Inv-5**: 5xx responses include a `correlationId` extension property; 4xx responses do not. No 4xx response leaks server-internal state (DB connection strings, secrets, internal stack frames).
+- **Inv-6**: Unknown fields at root or in any nested object are rejected with HTTP 400 — not silently dropped. The error key names the offending field path.
+- **Inv-7**: Type mismatches (e.g. string where integer expected) are rejected with HTTP 400 and the error key names the offending field path.
+
+## Non-Goals
+
+- **Not covered**: i18n / translated error messages. Messages are English-only; consumers translate on their side if needed.
+- **Not covered**: error codes. The `errors` map carries human-readable strings, not stable error codes. Consumers MUST NOT pattern-match on the string content; they pattern-match on field paths.
+- **Not covered**: rate-limit or quota errors. Those are a separate concern with their own contract (TBD).
+- **Not covered**: 1xx / 3xx responses. Those are framework-level and not shaped by this contract.
+
+## Versioning Rules
+
+- **Patch (1.0.x)**: Documentation clarifications, additional invariants that do not change wire behavior.
+- **Minor (1.x.0)**: Adding an optional extension field to ProblemDetails (e.g., `correlationId` becoming standard for 4xx as well as 5xx). Adding new field-path conventions that are backward-compatible (e.g., a new `[i]` indexing rule).
+- **Major (2.0.0)**: Changing `errors` map shape (e.g. swapping to error-code keys). Changing `Content-Type`. Renaming `errors` to anything else. Removing `correlationId` from 5xx.
+
+## Test Cases
+
+| Case | Input | Expected | Notes |
+|------|-------|----------|-------|
+| validation-missing-field | Inventory request with `tiles: [{ "z": 18 }]` (x, y missing) | HTTP 400 + `errors["tiles[0].x"]` and `errors["tiles[0].y"]` populated | Inv-2, Inv-4 |
+| validation-out-of-range | Inventory request with `tiles: [{ "z": 30, "x": 1, "y": 1 }]` | HTTP 400 + `errors["tiles[0].z"]` mentioning supported zoom range | Inv-2 |
+| validation-unknown-root-field | Body `{ "unknownField": 42, "tiles": [...] }` | HTTP 400 + `errors["unknownField"]` populated with "could not be mapped" | Inv-6 |
+| validation-unknown-nested-field | Body `{ "tiles": [{ "z": 18, "x": 1, "y": 1, "foo": 42 }] }` | HTTP 400 + `errors["tiles[0].foo"]` populated | Inv-6 |
+| validation-type-mismatch | Body `{ "tiles": [{ "z": "eighteen" }] }` | HTTP 400 + `errors["tiles[0].z"]` populated | Inv-7 |
+| validation-xor-both-populated | Body with both `tiles` and `locationHashes` populated | HTTP 400 + `errors["$"]` (or root key) populated | Inv-2 |
+| 5xx-includes-correlation-id | Endpoint throws unhandled exception | HTTP 500 + `correlationId` extension matching `httpContext.TraceIdentifier` | Inv-5 |
+| 5xx-no-secret-leak | Exception message contains a connection string with `Password=hunter2` | HTTP 500 body contains neither the password nor the connection string | Inv-5 |
+
+## Change Log
+
+| Version | Date | Change | Author |
+|---------|------|--------|--------|
+| 1.0.0 | 2026-05-22 | Initial contract — uniform RFC 7807 ValidationProblemDetails shape for FluentValidation business-rule failures + JSON deserialization failures, including unknown-field rejection (`UnmappedMemberHandling.Disallow`). Sanitized ProblemDetails for 5xx (preserves AZ-353). Produced by AZ-795. | autodev (Step 10, cycle 7) |

_docs/02_document/contracts/api/region-request.md

@@ -0,0 +1,172 @@
+# Contract: region-request
+
+**Component**: WebApi (`SatelliteProvider.Api`) producing rows via RegionProcessing (`SatelliteProvider.Services.RegionProcessing`)
+**Producer task**: AZ-808 — `_docs/02_tasks/done/AZ-808_region_endpoint_validation.md` (validator + this contract); AZ-812 — `_docs/02_tasks/done/AZ-812_region_field_rename_to_osm.md` (OSM-convention wire-format `lat`/`lon`)
+**Consumer tasks**: `gps-denied-onboard` AZ-777 Phase 2 (seeds Derkachi reference tile catalog via this endpoint)
+**Version**: 1.0.0
+**Status**: frozen
+**Last Updated**: 2026-05-22
+
+## Purpose
+
+Defines the HTTP contract for `POST /api/satellite/request` — the region-onboarding endpoint that enqueues a square region of tiles for asynchronous backfill from Google Maps. Callers submit a `(lat, lon, sizeMeters, zoomLevel)` envelope identified by a client-provided `id` (idempotency key); the API responds immediately with the queued region's status. Actual tile downloads run in the background via `RegionProcessingService` (`system-flows.md` Flow F2). Callers poll `GET /api/satellite/region/{id}` until `status == completed`.
+
+This is the v1.0.0 of the contract — published alongside AZ-808's validator landing. There is no prior contract document. AZ-812 had already renamed the wire-format fields `Latitude/Longitude` → `lat/lon` (OSM convention) earlier in cycle 8; this contract publishes the post-rename shape directly with no transitional period.
+
+## Endpoint
+
+```
+POST /api/satellite/request
+Content-Type: application/json
+Authorization: Bearer <JWT>
+```
+
+The request MUST carry a valid JWT (AZ-487). No `permissions` claim is required. Anonymous requests are rejected with HTTP 401.
+
+## Shape
+
+### Request body
+
+```jsonc
+{
+  "id": "8f5e6d3e-1a2b-4c3d-9e8f-0123456789ab",
+  "lat": 47.461747,
+  "lon": 37.647063,
+  "sizeMeters": 200,
+  "zoomLevel": 18,
+  "stitchTiles": false
+}
+```
+
+Per-field constraints:
+
+| Field | Type | Required | Description | Constraints |
+|-------|------|----------|-------------|-------------|
+| `id` | UUID | yes | Client-provided idempotency key. POSTing the same `id` twice returns the existing region (idempotent per AZ-362). | Non-zero GUID. `00000000-...` → HTTP 400. |
+| `lat` | number | yes | Region centre latitude (WGS84, decimal degrees). | `[-90.0, 90.0]`. |
+| `lon` | number | yes | Region centre longitude (WGS84, decimal degrees). | `[-180.0, 180.0]`. |
+| `sizeMeters` | number | yes | Square region side length. | `[100.0, 10000.0]`. Anything larger → HTTP 400. |
+| `zoomLevel` | integer | yes | Slippy-map zoom level for the resulting tiles. | `[0, 22]`. |
+| `stitchTiles` | bool | yes | If true, a stitched composite image is produced once all tiles are present. No default — caller MUST declare intent. | true / false. |
+
+Strict parsing: unknown fields at root are rejected with HTTP 400 by `JsonSerializerOptions.UnmappedMemberHandling.Disallow` (AZ-795). Missing required fields are caught by `[JsonRequired]` on the DTO and surface as HTTP 400 with the field name in `errors`.
+
+### Response body
+
+```jsonc
+{
+  "id": "8f5e6d3e-1a2b-4c3d-9e8f-0123456789ab",
+  "status": "queued",
+  "csvFilePath": null,
+  "summaryFilePath": null,
+  "tilesDownloaded": 0,
+  "tilesReused": 0,
+  "createdAt": "2026-05-22T12:34:56.789Z",
+  "updatedAt": "2026-05-22T12:34:56.789Z"
+}
+```
+
+Per-field semantics:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `id` | UUID | Echo of the request `id`. |
+| `status` | string enum | `"queued"` immediately after enqueue; transitions through `"processing"` → `"completed"` (or `"failed"`) on the background worker. |
+| `csvFilePath` | string \| null | Path to the per-region tile-manifest CSV. Null until processing produces it. |
+| `summaryFilePath` | string \| null | Path to the human-readable summary. Null until processing produces it. |
+| `tilesDownloaded` | integer | Count of tiles fetched fresh from Google Maps. Updated as processing progresses. |
+| `tilesReused` | integer | Count of tiles served from existing cache. Updated as processing progresses. |
+| `createdAt` | ISO-8601 UTC | Initial enqueue timestamp. Stable across retries (per AZ-362 idempotency). |
+| `updatedAt` | ISO-8601 UTC | Last status-row write. Bumps as the background worker progresses. |
+
+### Endpoint summary
+
+| Method | Path | Request body | Response | Status codes |
+|--------|------|--------------|----------|--------------|
+| `POST` | `/api/satellite/request` | `RequestRegionRequest` | `RegionStatusResponse` | 200, 400, 401 |
+
+## Error shape
+
+All `400` responses conform to `_docs/02_document/contracts/api/error-shape.md` v1.0.0. Two enforcement layers produce identically-shaped bodies:
+
+1. **JSON deserializer rules** — wire-format failures: unknown fields (`UnmappedMemberHandling.Disallow`), missing `[JsonRequired]` properties, type mismatches. Surface via `BadHttpRequestException(JsonException)` → `GlobalExceptionHandler`.
+2. **`RegionRequestValidator`** (FluentValidation, AZ-808) — business rules: non-zero `id`, range checks for `lat` / `lon` / `sizeMeters` / `zoomLevel`. Surface via `ValidationEndpointFilter<RequestRegionRequest>`.
+
+Example body for a missing-id failure (the pre-AZ-808 silent-coercion gap surfaced by the 2026-05-22 black-box probe):
+
+```jsonc
+{
+  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+  "title": "One or more validation errors occurred.",
+  "status": 400,
+  "errors": {
+    "id": ["The id field is required."]
+  }
+}
+```
+
+Example body for a zero-Guid id (validator-level rejection):
+
+```jsonc
+{
+  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+  "title": "One or more validation errors occurred.",
+  "status": 400,
+  "errors": {
+    "id": ["`id` must be a non-zero GUID (the caller's idempotency key)."]
+  }
+}
+```
+
+## Invariants
+
+- **Inv-1**: `id` MUST be a non-zero GUID. Pre-AZ-808, omitting `id` silently coerced to `Guid.Empty` and queued a region under the zero key; AZ-808 fails this with HTTP 400 and `errors["id"]`.
+- **Inv-2**: `lat ∈ [-90.0, 90.0]`. Out-of-range → 400 with `errors["lat"]`.
+- **Inv-3**: `lon ∈ [-180.0, 180.0]`. Out-of-range → 400 with `errors["lon"]`.
+- **Inv-4**: `sizeMeters ∈ [100.0, 10000.0]`. Out-of-range → 400 with `errors["sizeMeters"]`. Pre-AZ-808 this rule lived as an inline `if` in the handler; AZ-808 moves it into the validator.
+- **Inv-5**: `zoomLevel ∈ [0, 22]` (slippy-map zoom range, matching `tile-inventory.md` Inv-8).
+- **Inv-6**: `stitchTiles` MUST be explicitly provided. No defaulting to `false` — callers declare intent.
+- **Inv-7**: Unknown fields at root are rejected with HTTP 400 + the field name in `errors`.
+- **Inv-8** (idempotency, AZ-362): Two POSTs with the same `id` return the existing region resource with HTTP 200 and do NOT enqueue duplicate background processing. The post-rename `lat`/`lon` wire format does not affect this invariant.
+- **Inv-9** (async semantics): The endpoint returns immediately after enqueuing. Status transitions to `completed`/`failed` happen on the background `RegionProcessingService`. Callers MUST poll `GET /api/satellite/region/{id}` to observe completion.
+
+## Non-Goals
+
+- **Not covered**: tile body fetch. The background worker writes tiles into the `tiles` table; callers fetch bodies via `GET /tiles/{z}/{x}/{y}` after polling shows `status == completed`.
+- **Not covered**: backward-compatibility shim for `Latitude/Longitude` wire field names. AZ-812 ships v1.0.0 of this contract directly with the post-rename names; pre-rename callers receive HTTP 400 with `errors["latitude"]: ["could not be mapped"]`. There is no transitional accept-both period.
+- **Not covered**: geofencing semantics. Geofences are a Route concern, not a Region concern; documented in `route-create.md` (forthcoming, AZ-809).
+- **Not covered**: cancellation of a queued region. The current API has no DELETE / cancel verb. Tracked separately if needed.
+
+## Versioning Rules
+
+- **Patch (1.0.x)**: Documentation clarifications, additional invariants that do not change wire behaviour.
+- **Minor (1.x.0)**: Adding an optional response field consumers may safely ignore (e.g. ETA estimate); relaxing a range constraint within `[-90,90]` / `[-180,180]` envelope (e.g. accepting decimal degrees with extra precision).
+- **Major (2.0.0)**: Changing a field name; tightening a range constraint (breaks today's valid callers); making `stitchTiles` optional with a default again; removing idempotency.
+
+## Test Cases
+
+| Case | Input | Expected | Notes |
+|------|-------|----------|-------|
+| happy-path | `{id:<guid>, lat:47.46, lon:37.64, sizeMeters:200, zoomLevel:18, stitchTiles:false}` | HTTP 200 + RegionStatusResponse(status="queued") | AC-2 |
+| missing-id | body without `id` field | HTTP 400 + `errors["id"]` | Inv-1 (probe gap) |
+| zero-guid-id | `id: "00000000-..."` | HTTP 400 + `errors["id"]` | Inv-1 |
+| missing-lat | body without `lat` | HTTP 400 + `errors["lat"]` | JsonRequired |
+| lat-out-of-range | `lat: 91` | HTTP 400 + `errors["lat"]` | Inv-2 |
+| missing-lon | body without `lon` | HTTP 400 + `errors["lon"]` | JsonRequired |
+| lon-out-of-range | `lon: 181` | HTTP 400 + `errors["lon"]` | Inv-3 |
+| missing-sizeMeters | body without `sizeMeters` | HTTP 400 + `errors["sizeMeters"]` | JsonRequired |
+| sizeMeters-out-of-range | `sizeMeters: 1000000` | HTTP 400 + `errors["sizeMeters"]` | Inv-4 |
+| missing-zoomLevel | body without `zoomLevel` | HTTP 400 + `errors["zoomLevel"]` | JsonRequired |
+| zoomLevel-out-of-range | `zoomLevel: 30` | HTTP 400 + `errors["zoomLevel"]` | Inv-5 |
+| missing-stitchTiles | body without `stitchTiles` | HTTP 400 + `errors["stitchTiles"]` | Inv-6 |
+| lat-type-mismatch | `lat: "fifty"` | HTTP 400 (deserializer JsonException) | wire-format failure |
+| unknown-root-field | body with `unknownField: 1` | HTTP 400 + `errors["unknownField"]` | Inv-7 |
+| legacy-latitude-name | body with `latitude:` instead of `lat:` | HTTP 400 + `errors["latitude"]` | AZ-812 hard switch |
+| auth-anonymous | no Bearer token | HTTP 401 | Standard `.RequireAuthorization()` baseline |
+| idempotent-double-post | same body POSTed twice | both HTTP 200; same `createdAt`; no duplicate background work | AC-2 + AZ-362 |
+
+## Change Log
+
+| Version | Date | Change | Author |
+|---------|------|--------|--------|
+| 1.0.0 | 2026-05-22 | Initial contract for `POST /api/satellite/request`. Publishes the post-AZ-812 OSM-convention wire format (`lat`/`lon`) and the AZ-808 strict-validation rules (non-zero `id`, range-checked `lat`/`lon`/`sizeMeters`/`zoomLevel`, explicit `stitchTiles`, unknown-field rejection). References `error-shape.md` v1.0.0 for the 400 body shape and `tile-inventory.md` v2.0.0 for the downstream read path (callers seed via region, then read via inventory). | autodev (Step 10, cycle 8) |

_docs/02_document/contracts/api/route-creation.md

@@ -0,0 +1,216 @@
+# Contract: route-creation
+
+**Component**: WebApi (`SatelliteProvider.Api`) producing rows via RouteManagement (`SatelliteProvider.Services.RouteManagement`) and feeding the background Route Map Processing flow (Flow F5)
+**Producer task**: AZ-809 — `_docs/02_tasks/done/AZ-809_route_endpoint_validation.md` (validator + this contract)
+**Consumer tasks**: `gps-denied-onboard` AZ-777 Phase 2 (preferred imagery-seeding path — route-based rather than bbox-based)
+**Version**: 1.0.1
+**Status**: frozen
+**Last Updated**: 2026-05-23
+
+## Purpose
+
+Defines the HTTP contract for `POST /api/satellite/route` — the route-onboarding endpoint that stores an ordered set of waypoints, interpolates intermediate points every ~200 m, and (optionally, when `requestMaps=true`) enqueues a region request per route point so background processing pre-fetches map tiles for the entire route corridor. Geofence polygons (optional) restrict which intermediate points get region-requests. Callers poll `GET /api/satellite/route/{id}` until `mapsReady=true` (when `requestMaps=true`) or read the response directly (when `requestMaps=false`).
+
+This is v1.0.0 — published alongside AZ-809's validator landing. There is no prior contract document; the producer-doc surface before AZ-809 was `modules/api_program.md::CreateRoute Handler` + Flow F4 + Flow F5 only.
+
+## Endpoint
+
+```
+POST /api/satellite/route
+Content-Type: application/json
+Authorization: Bearer <JWT>
+```
+
+The request MUST carry a valid JWT (AZ-487). No `permissions` claim is required. Anonymous requests are rejected with HTTP 401.
+
+## Shape
+
+### Request body
+
+```jsonc
+{
+  "id": "8f5e6d3e-1a2b-4c3d-9e8f-0123456789ab",
+  "name": "derkachi-flight-1",
+  "description": "AZ-777 Phase 2 seed route",
+  "regionSizeMeters": 1000,
+  "zoomLevel": 18,
+  "points": [
+    { "lat": 50.10, "lon": 36.10 },
+    { "lat": 50.11, "lon": 36.11 }
+  ],
+  "geofences": {
+    "polygons": [
+      { "northWest": { "lat": 50.15, "lon": 36.05 },
+        "southEast": { "lat": 50.05, "lon": 36.15 } }
+    ]
+  },
+  "requestMaps": true,
+  "createTilesZip": false
+}
+```
+
+Per-field constraints:
+
+| Field | Type | Required | Description | Constraints |
+|-------|------|----------|-------------|-------------|
+| `id` | UUID | yes (`[JsonRequired]`) | Caller-supplied idempotency key. POSTing twice with the same `id` returns the existing route resource. | Non-zero GUID (validator rejects `00000000-...`). |
+| `name` | string | yes (`[JsonRequired]`) | Human-readable route name (used in produced filenames). | Length `[1, 200]`. Empty/whitespace rejected. |
+| `description` | string | no | Free-text description. | Length `[0, 1000]` when present. |
+| `regionSizeMeters` | number | yes (`[JsonRequired]`) | Side length of the square region requested per route point. | `[100.0, 10000.0]` (aligned with `region-request.md::sizeMeters`). |
+| `zoomLevel` | integer | yes (`[JsonRequired]`) | Slippy-map zoom level for region tiles. | `[0, 22]`. |
+| `points` | array | yes (`[JsonRequired]`) | Ordered waypoints. Server interpolates additional intermediate points every ~200 m between consecutive originals. | Count `[2, 500]`. |
+| `points[i].lat` | number | yes (`[JsonRequired]`) | WGS84 latitude. | `[-90.0, 90.0]`. |
+| `points[i].lon` | number | yes (`[JsonRequired]`) | WGS84 longitude. | `[-180.0, 180.0]`. |
+| `geofences` | object | no | When present, intermediate points outside ALL polygons get filtered before region enqueue. | See nested shape below. |
+| `geofences.polygons` | array | yes (`[JsonRequired]` when `geofences` present) | One or more bbox polygons (NW corner + SE corner). | Count `[1, 50]` when `geofences` present. |
+| `geofences.polygons[i].northWest` | object | yes (`[JsonRequired]`) | Polygon's northwest corner. | See `GeoPoint` shape. |
+| `geofences.polygons[i].southEast` | object | yes (`[JsonRequired]`) | Polygon's southeast corner. | See `GeoPoint` shape. |
+| `requestMaps` | bool | yes (`[JsonRequired]`) | When `true`, enqueue background region-requests for every route point inside the geofences (or all points if no geofences). | No default — caller must declare intent. |
+| `createTilesZip` | bool | yes (`[JsonRequired]`) | When `true`, AFTER all region tiles are ready, package them into a ZIP at `tilesZipPath`. Requires `requestMaps=true` (can't zip what wasn't downloaded). | No default. Cross-field invariant with `requestMaps`. |
+
+`GeoPoint` shape (used by `northWest` / `southEast`):
+
+| Field | Type | Required | Constraints |
+|-------|------|----------|-------------|
+| `lat` | number | yes (`[JsonRequired]`) | `[-90.0, 90.0]`. |
+| `lon` | number | yes (`[JsonRequired]`) | `[-180.0, 180.0]`. |
+
+Polygon corner cross-field invariant (`GeofencePolygonValidator`):
+- `northWest.lat > southEast.lat` (NW is genuinely north-of SE).
+- `northWest.lon < southEast.lon` (NW is genuinely west-of SE).
+
+### Response body (post-AC-2 unchanged from pre-AZ-809)
+
+```jsonc
+{
+  "id": "8f5e6d3e-1a2b-4c3d-9e8f-0123456789ab",
+  "name": "derkachi-flight-1",
+  "description": "AZ-777 Phase 2 seed route",
+  "regionSizeMeters": 1000,
+  "zoomLevel": 18,
+  "totalDistanceMeters": 132.4,
+  "totalPoints": 3,
+  "points": [
+    { "latitude": 50.10, "longitude": 36.10, "pointType": "original", "sequenceNumber": 0, "segmentIndex": 0, "distanceFromPrevious": null },
+    { "latitude": 50.105, "longitude": 36.105, "pointType": "intermediate", "sequenceNumber": 1, "segmentIndex": 0, "distanceFromPrevious": 66.2 },
+    { "latitude": 50.11, "longitude": 36.11, "pointType": "original", "sequenceNumber": 2, "segmentIndex": 0, "distanceFromPrevious": 66.2 }
+  ],
+  "requestMaps": true,
+  "mapsReady": false,
+  "csvFilePath": null,
+  "summaryFilePath": null,
+  "stitchedImagePath": null,
+  "tilesZipPath": null,
+  "createdAt": "2026-05-22T14:00:00Z",
+  "updatedAt": "2026-05-22T14:00:00Z"
+}
+```
+
+**Advisory AC-10**: The response echoes points as `{"latitude":..,"longitude":..}` (legacy long form) but the request accepts `{"lat":..,"lon":..}` (OSM short form). This input/output asymmetry on the same `RoutePoint` round-trip is documented and intentional for v1.0.0 — fixing it would be a major contract break. A follow-up task can harmonize the response side.
+
+### Endpoint summary
+
+| Method | Path | Request | Response | Status codes |
+|--------|------|---------|----------|--------------|
+| `POST` | `/api/satellite/route` | `CreateRouteRequest` body | `RouteResponse` (route resource snapshot) | 200, 400, 401 |
+
+## Error shape
+
+All `400` responses conform to `_docs/02_document/contracts/api/error-shape.md` v1.0.0. Three sources produce identically-shaped `ValidationProblemDetails` bodies:
+
+1. **Deserializer envelope** (`UnmappedMemberHandling.Disallow` + `[JsonRequired]`) — rejects missing-required fields and unknown root/nested keys with `errors[<path>]` produced via `GlobalExceptionHandler`'s `JsonException` path.
+2. **`CreateRouteRequestValidator`** — rejects non-zero-Id, name/description length, range checks on size / zoom / points-count, and the cross-field `createTilesZip ⇒ requestMaps` rule.
+3. **`RoutePointValidator` + `GeofencePolygonValidator`** — invoked via `RuleForEach` / `SetValidator`; rejects per-point lat/lon out-of-range, per-polygon corner out-of-range, and the NW-north-of-SE / NW-west-of-SE invariants.
+
+Example body for a missing-id failure (probe-confirmed pre-AZ-809 silent zero-Guid coercion):
+
+```jsonc
+{
+  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+  "title": "One or more validation errors occurred.",
+  "status": 400,
+  "errors": {
+    "id": ["The JSON property 'id' is required, but a value was not supplied."]
+  }
+}
+```
+
+Example body for a nested per-point failure:
+
+```jsonc
+{
+  "errors": {
+    "points[1].lat": ["`lat` must be between -90 and 90."]
+  }
+}
+```
+
+Example body for a polygon corner invariant failure:
+
+```jsonc
+{
+  "errors": {
+    "geofences.polygons[0].northWest": ["`northWest.lat` must be greater than `southEast.lat` (NW is north-of SE)."]
+  }
+}
+```
+
+## Invariants
+
+- **Inv-1**: `id` is a non-zero GUID, supplied by the caller. Re-POST with the same id returns the existing route (idempotent contract per `IdempotentPostTests`).
+- **Inv-2**: `points` has at least 2 entries (Flow F4 precondition) and at most 500 entries (cap to prevent runaway region-enqueue).
+- **Inv-3**: Every `points[i].lat ∈ [-90, 90]` and `points[i].lon ∈ [-180, 180]`.
+- **Inv-4**: `regionSizeMeters ∈ [100, 10000]` (aligned with `region-request.md::sizeMeters`).
+- **Inv-5**: `zoomLevel ∈ [0, 22]` (slippy-map range, aligned with `region-request.md` Inv-5 and `tile-inventory.md` Inv-8).
+- **Inv-6** (cross-field): `createTilesZip=true ⇒ requestMaps=true` (can't zip what wasn't downloaded).
+- **Inv-7** (per-polygon shape): `northWest` AND `southEast` corners both present.
+- **Inv-8** (per-polygon invariant): `northWest.lat > southEast.lat` AND `northWest.lon < southEast.lon`.
+- **Inv-9**: Unknown root or nested fields → 400 (deserializer's `UnmappedMemberHandling.Disallow`).
+- **Inv-10**: When `geofences` is present, `geofences.polygons.Count` is in `[1, 50]`. Cap to bound validator allocation worst case — see `_docs/05_security/security_report_cycle8.md` § F-AZ809-1. Realistic use is 1-10 polygons per route; the 50 cap leaves 5x headroom.
+
+## Non-Goals
+
+- **Not covered**: route mutation. No PUT / PATCH endpoint exists; routes are immutable post-creation.
+- **Not covered**: background processing (Flow F5) — Flow F5 docs cover the region enqueue, tile download, ZIP packaging, and `mapsReady` transition.
+- **Not covered**: response field renaming. The input/output naming asymmetry (`points[i].lat` request vs `points[i].latitude` response) is acknowledged in AC-10 advisory and tracked for a future major contract bump.
+- **Not covered**: the legacy `RouteValidator` in `SatelliteProvider.Services.RouteManagement` — it remains as defense-in-depth for direct service-layer callers; its checks are now redundant with this contract but a separate cleanup task should consolidate.
+
+## Versioning Rules
+
+- **Patch (1.0.x)**: Documentation clarifications, additional invariants that do not change wire behavior.
+- **Minor (1.x.0)**: Adding an optional field consumers may safely ignore; relaxing a range; supporting a new geofence shape type alongside the existing bbox.
+- **Major (2.0.0)**: Renaming any request or response field; tightening any existing range; harmonizing the response point names to `lat`/`lon` (resolves AC-10); changing the `createTilesZip ⇔ requestMaps` cross-field rule semantics.
+
+## Test Cases
+
+| Case | Input | Expected | Notes |
+|------|-------|----------|-------|
+| happy-path-no-maps | full body with `requestMaps=false` | HTTP 200 + RouteResponse (mapsReady=false, no background processing) | AC-2 |
+| happy-path-with-maps | full body with `requestMaps=true` | HTTP 200; background F5 enqueues regions; `GET /api/satellite/route/{id}` shows `mapsReady=true` within ~20s for a 2-point 132m route at z=18 | AC-2 + existing RouteCreationTests |
+| empty-body | `""` | HTTP 400 | Rule 1 |
+| missing-id | body without `id` | HTTP 400 + `errors[id]` ("required") | Rule 2 (probe-confirmed gap) |
+| zero-guid-id | `"id":"00000000-..."` | HTTP 400 + `errors[id]` ("non-zero GUID") | Rule 2 |
+| empty-name | `"name":""` | HTTP 400 + `errors[name]` | Rule 3 |
+| description-too-long | `"description":<1001 chars>` | HTTP 400 + `errors[description]` | Rule 4 |
+| regionSize-out-of-range | `"regionSizeMeters":1000000` | HTTP 400 + `errors[regionSizeMeters]` | Rule 5 |
+| zoom-out-of-range | `"zoomLevel":30` | HTTP 400 + `errors[zoomLevel]` | Rule 6 |
+| points-too-few | 1-point array | HTTP 400 + `errors[points]` | Rule 7 (Flow F4 precondition) |
+| points-too-many | 501-point array | HTTP 400 + `errors[points]` | Rule 7 (cap) |
+| point-lat-out-of-range | `"points":[..., {"lat":91,..}]` | HTTP 400 + `errors["points[1].lat"]` | Rule 8 |
+| point-lon-out-of-range | `"points":[..., {"lat":..,"lon":181}]` | HTTP 400 + `errors["points[1].lon"]` | Rule 8 |
+| geofence-nw-not-north | NW.lat == SE.lat | HTTP 400 + `errors["geofences.polygons[0].northWest"]` | Rule 9 / Inv-8 |
+| geofence-nw-not-west | NW.lon == SE.lon | HTTP 400 + `errors["geofences.polygons[0].northWest"]` | Rule 9 / Inv-8 |
+| geofence-polygons-too-many | 51-polygon array | HTTP 400 + `errors["geofences.polygons"]` ("must contain at most 50 polygons.") | Rule 9b / Inv-10 (F-AZ809-1 follow-up) |
+| missing-requestMaps | body without `requestMaps` | HTTP 400 + `errors[requestMaps]` | Rule 10 |
+| createTilesZip-without-requestMaps | `"requestMaps":false,"createTilesZip":true` | HTTP 400 + `errors[createTilesZip]` | Rule 12 (cross-field) |
+| unknown-root-field | extra `"debug":"..."` key | HTTP 400 + `errors[debug]` | Rule 13 (`UnmappedMemberHandling.Disallow`) |
+| point-lat-type-mismatch | `"points":[{"lat":"fifty",..}, ..]` | HTTP 400 (nested JSON error) | Rule 14 (`GlobalExceptionHandler`) |
+| auth-anonymous | no Bearer token | HTTP 401 | Standard `.RequireAuthorization()` |
+| idempotent-replay | re-POST same `id` | HTTP 200 (echoes existing resource) | `IdempotentPostTests` AC-2 |
+
+## Change Log
+
+| Version | Date | Change | Author |
+|---------|------|--------|--------|
+| 1.0.0 | 2026-05-22 | Initial contract for `POST /api/satellite/route`. Publishes the FluentValidation surface (CreateRouteRequestValidator + RoutePointValidator + GeofencePolygonValidator) + the 14 rules in AZ-809, including the probe-confirmed missing-id gap and the cross-field `createTilesZip ⇒ requestMaps` invariant. References `error-shape.md` v1.0.0, `region-request.md` v1.0.0 (F5 enqueue path), and Flows F4/F5 (cross-link). | autodev (Step 10, cycle 8) |
+| 1.0.1 | 2026-05-23 | Tighten `geofences.polygons` constraint from "non-empty" to "Count `[1, 50]`". New Inv-10 + test case `geofence-polygons-too-many`. Patch release per Versioning Rules (tightening an existing range). The 50-polygon cap closes a defence-gap surfaced by the cycle-8 security audit: without the cap, an authenticated caller could submit millions of polygons in a single 500 MiB request and saturate the validator's allocation heap. Realistic use is 1-10 polygons per route. | autodev (Step 14 follow-up, cycle 8) |

_docs/02_document/contracts/api/tile-inventory.md

@@ -1,11 +1,11 @@
 # Contract: tile-inventory
 
 **Component**: WebApi (`SatelliteProvider.Api`) producing rows via TileDownloader (`SatelliteProvider.Services.TileDownloader`)
-**Producer task**: AZ-505 — `_docs/02_tasks/todo/AZ-505_tile_inventory_http2_leaflet_index.md`
+**Producer task**: AZ-505 — `_docs/02_tasks/done/AZ-505_tile_inventory_http2_leaflet_index.md` (initial); AZ-794 — `_docs/02_tasks/done/AZ-794_inventory_field_rename_osm.md` (v2.0.0 wire-format rename); AZ-796 — `_docs/02_tasks/done/AZ-796_inventory_endpoint_validation.md` (FluentValidation + ProblemDetails wiring)
 **Consumer tasks**: `gps-denied-onboard` AZ-316 (`c11_tile_downloader`), future mission-planner UI cache-sizing flows
-**Version**: 1.0.0
+**Version**: 2.0.0
 **Status**: frozen
-**Last Updated**: 2026-05-12
+**Last Updated**: 2026-05-22
 
 ## Purpose
 
@@ -27,14 +27,14 @@ The request MUST carry a valid JWT (AZ-487). No `permissions` claim is required
 
 ### Request body
 
-Exactly one of `tiles` OR `locationHashes` MUST be populated. Sending both, or neither, is HTTP 400.
+Exactly one of `tiles` OR `locationHashes` MUST be populated. Sending both, or neither, is HTTP 400 (validation enforced by `InventoryRequestValidator` per AZ-796).
 
 ```jsonc
-// Form A — coord-keyed
+// Form A — coord-keyed (v2.0.0; AZ-794 renamed tileZoom/tileX/tileY → z/x/y)
 {
   "tiles": [
-    { "tileZoom": 18, "tileX": 154321, "tileY": 95812 },
+    { "z": 18, "x": 154321, "y": 95812 },
-    { "tileZoom": 18, "tileX": 154322, "tileY": 95812 }
+    { "z": 18, "x": 154322, "y": 95812 }
   ]
 }
 
@@ -51,28 +51,31 @@ Per-field constraints:
 
 | Field | Type | Required | Description | Constraints |
 |-------|------|----------|-------------|-------------|
-| `tiles` | `TileCoord[]` | yes (XOR `locationHashes`) | Slippy-map tile coords | Up to 5000 entries per request. Each entry MUST have all three of `tileZoom`, `tileX`, `tileY`. |
+| `tiles` | `TileCoord[]` | yes (XOR `locationHashes`) | Slippy-map tile coords | Up to 5000 entries per request. Each entry MUST have all three of `z`, `x`, `y`. |
 | `locationHashes` | `UUID[]` | yes (XOR `tiles`) | Pre-computed UUIDv5 `location_hash` values | Up to 5000 entries per request. Each entry MUST be RFC 4122 UUID. |
 
 Hard cap: **5000 entries per request** (`SatelliteProvider.Common.DTO.TileInventoryLimits.MaxEntriesPerRequest`). Anything larger → HTTP 400. The cap is 2× the AC-4 perf gate (2500 tiles).
 
+Strict parsing: unknown fields at root or nested under any tile entry are rejected with HTTP 400 by `JsonSerializerOptions.UnmappedMemberHandling.Disallow` (AZ-795). The error body conforms to `error-shape.md` v1.0.0.
+
 ### `TileCoord` (per entry under `tiles`)
 
-| Field | Type | Required | Description |
+| Field | Type | Required | Description | Range |
-|-------|------|----------|-------------|
+|-------|------|----------|-------------|-------|
-| `tileZoom` | integer | yes | Slippy-map zoom level |
+| `z` | integer | yes | Slippy-map zoom level | 0–22 (matches `tile_zoom` schema constraint) |
-| `tileX` | integer | yes | Slippy-map tile column |
+| `x` | integer | yes | Slippy-map tile column | 0 ≤ x < 2^z |
-| `tileY` | integer | yes | Slippy-map tile row |
+| `y` | integer | yes | Slippy-map tile row | 0 ≤ y < 2^z |
 
 ### Response body
 
 ```jsonc
+// v2.0.0 — coord triple uses z/x/y (AZ-794)
 {
   "results": [
     {
-      "tileZoom": 18,
+      "z": 18,
-      "tileX": 154321,
+      "x": 154321,
-      "tileY": 95812,
+      "y": 95812,
       "locationHash": "ad8c1c4c-2b27-5af4-902f-9c8baeed1e84",
       "present": true,
       "id": "5d83…",
@@ -82,9 +85,9 @@ Hard cap: **5000 entries per request** (`SatelliteProvider.Common.DTO.TileInvent
       "resolutionMPerPx": 0.78125
     },
     {
-      "tileZoom": 18,
+      "z": 18,
-      "tileX": 154322,
+      "x": 154322,
-      "tileY": 95812,
+      "y": 95812,
       "locationHash": "5b8d0c2e-7f1a-5d3b-9c5e-1f3a8e7d2b6c",
       "present": false,
       "id": null,
@@ -101,10 +104,10 @@ Per-entry fields:
 
 | Field | Type | Present when... | Description |
 |-------|------|-----------------|-------------|
-| `tileZoom` | integer | always (Form A); zeroed (Form B) | Echoes the request entry's `tileZoom` when input was `tiles`; `0` when input was `locationHashes` (caller already knows the cell). |
+| `z` | integer | always (Form A); zeroed (Form B) | Echoes the request entry's `z` when input was `tiles`; `0` when input was `locationHashes` (caller already knows the cell). |
-| `tileX` | integer | always (Form A); zeroed (Form B) | Same as `tileZoom`. |
+| `x` | integer | always (Form A); zeroed (Form B) | Same as `z`. |
-| `tileY` | integer | always (Form A); zeroed (Form B) | Same as `tileZoom`. |
+| `y` | integer | always (Form A); zeroed (Form B) | Same as `z`. |
-| `locationHash` | UUIDv5 | always | `UUIDv5(TileNamespace, "{tileZoom}/{tileX}/{tileY}")`. Populated even when `present=false` so callers can persist the deterministic hash. |
+| `locationHash` | UUIDv5 | always | `UUIDv5(TileNamespace, "{z}/{x}/{y}")`. Populated even when `present=false` so callers can persist the deterministic hash. |
 | `present` | bool | always | `true` iff a row exists in `tiles` with this `location_hash`. |
 | `id` | UUID | present=true | Most-recent row's `tiles.id`. Deterministic UUIDv5 for AZ-503+ rows; random for legacy rows. |
 | `capturedAt` | ISO-8601 UTC | present=true | `tiles.captured_at`. |
@@ -120,15 +123,35 @@ Order invariant: `results[i]` corresponds to `request.tiles[i]` (or `request.loc
 |--------|------|--------------|----------|--------------|
 | `POST` | `/api/satellite/tiles/inventory` | `TileInventoryRequest` | `TileInventoryResponse` | 200, 400, 401 |
 
+## Error shape
+
+All `400` responses conform to `_docs/02_document/contracts/api/error-shape.md` v1.0.0. Both wire-format failures (unknown fields, type mismatches; via the JSON deserializer) and business-rule failures (XOR violation, missing `z`/`x`/`y`, out-of-range zoom; via `InventoryRequestValidator`) emit a `ValidationProblemDetails` body with an `errors` map keyed by JSON-path-style field names. Example:
+
+```jsonc
+{
+  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+  "title": "One or more validation errors occurred.",
+  "status": 400,
+  "errors": {
+    "tiles[0].z": ["The z field is required."],
+    "tiles[1]": ["The JSON property 'tileZoom' could not be mapped to any .NET member contained in type 'TileCoord'."]
+  }
+}
+```
+
+The first key shows a FluentValidation rule miss; the second shows a deserializer rejection of the *old* v1.x field name (callers still on the old shape get an explicit failure, not a silent 200 with zeroed coordinates — exactly the behaviour AZ-794 + AZ-796 were filed to enforce after the AZ-777 Phase 1 Jetson probe).
+
 ## Invariants
 
 - **Inv-1**: Exactly one of `request.tiles` and `request.locationHashes` is populated and non-empty. Both-populated → 400; both-empty → 400.
 - **Inv-2**: `len(response.results) == len(request.tiles)` OR `len(request.locationHashes)` — never less, never more.
-- **Inv-3**: `response.results[i].locationHash` is deterministic from `request.tiles[i]` (UUIDv5 over `"{zoom}/{x}/{y}"` with `Uuidv5.TileNamespace`) when Form A is used, or equals `request.locationHashes[i]` when Form B is used.
+- **Inv-3**: `response.results[i].locationHash` is deterministic from `request.tiles[i]` (UUIDv5 over `"{z}/{x}/{y}"` with `Uuidv5.TileNamespace`) when Form A is used, or equals `request.locationHashes[i]` when Form B is used.
 - **Inv-4**: `response.results[i].present == true` iff a row exists in `tiles` with `location_hash = response.results[i].locationHash`.
 - **Inv-5**: When `present=true`, the returned row is the most-recent across sources/flights ordered by `(captured_at DESC, updated_at DESC, id DESC)` — same rule as `ITileRepository.GetByTileCoordinatesAsync` per `tile-storage` v2.0.0.
 - **Inv-6**: When `present=false`, `id` / `capturedAt` / `source` / `flightId` / `resolutionMPerPx` are all `null`.
 - **Inv-7**: `request.tiles.length` and `request.locationHashes.length` MUST be ≤ `TileInventoryLimits.MaxEntriesPerRequest` (5000); over the cap → 400.
+- **Inv-8** (AZ-795 / AZ-796): Each `tiles[i].z` MUST satisfy `0 ≤ z ≤ 22`. Each `tiles[i].x` and `tiles[i].y` MUST satisfy `0 ≤ value < 2^z`. Out-of-range → 400 with `errors["tiles[i].z|x|y"]` populated.
+- **Inv-9** (AZ-795): Unknown fields at root or in any nested object are rejected with HTTP 400; the error key names the offending JSON path.
 
 ## Non-Goals
 
@@ -139,12 +162,13 @@ Order invariant: `results[i]` corresponds to `request.tiles[i]` (or `request.loc
 - **Not covered**: production deployment topology. Dev Kestrel runs `Http1AndHttp2` directly over TLS on port 8080 with a self-signed cert (`./certs/api.pfx`, generated by `scripts/run-tests.sh`) so ALPN can advertise `h2` — browsers and programmatic clients (httpx `http2=True`, .NET `HttpClient` with `HttpVersionPolicy.RequestVersionExact`) both multiplex over a single TLS connection. In production, TLS is expected to terminate at the ingress (Envoy / nginx / ALB) and Kestrel runs HTTP/2 cleartext behind it; AZ-505 verifies the protocol multiplexing semantics here, not the production termination layer.
 - **Not covered**: PMTiles or tar/multipart bundle endpoints. Rejected by AZ-503 parent rationale (HTTP/2 multistream is sufficient).
 - **Not covered**: write operations. Inventory is read-only; UAV writes go through `POST /api/satellite/upload` (`uav-tile-upload.md` v1.1.0).
+- **Not covered**: backward-compatibility shim for v1.0.0 (`tileZoom/tileX/tileY`) field names. Per AZ-794 (Option 1 hard switch — single known consumer), v2.0.0 is the only accepted body shape; v1.x consumers receive HTTP 400 with `errors[*]: ["could not be mapped"]`. There is no transitional accept-both period.
 
 ## Versioning Rules
 
-- **Patch (1.0.x)**: Documentation clarifications, additional invariants that do not change wire behavior.
+- **Patch (2.0.x)**: Documentation clarifications, additional invariants that do not change wire behavior.
-- **Minor (1.x.0)**: Adding an optional response field that consumers may safely ignore (e.g., the future `estimatedBytes`); raising the entry cap; adding a third request form alongside the current two.
+- **Minor (2.x.0)**: Adding an optional response field that consumers may safely ignore (e.g., the future `estimatedBytes`); raising the entry cap; adding a third request form alongside the current two.
-- **Major (2.0.0)**: Changing the response ordering rule; removing `present`; lowering the entry cap; making `flightId` required; adding voting / trust filtering to the read path.
+- **Major (3.0.0)**: Changing the response ordering rule; removing `present`; lowering the entry cap; making `flightId` required; adding voting / trust filtering to the read path; renaming the `z`/`x`/`y` triple again.
 
 ## Test Cases
 
@@ -152,9 +176,15 @@ Order invariant: `results[i]` corresponds to `request.tiles[i]` (or `request.loc
 |------|-------|----------|-------|
 | ordering-mixed-present-absent | 25 coords, 12 seeded + 13 absent, interleaved | 25 entries in request order; 12 present (id/capturedAt/source populated), 13 absent (only locationHash populated) | AC-1 |
 | most-recent-across-sources | Cell with `google_maps captured_at=T1` and `uav captured_at=T2 > T1`; coord request | `present=true`, `source='uav'`, `id` = UAV row's id | Inv-5 |
-| validation-both-populated | Body with both `tiles` and `locationHashes` | HTTP 400 | Inv-1 |
+| validation-both-populated | Body with both `tiles` and `locationHashes` | HTTP 400 + ValidationProblemDetails | Inv-1 + AZ-796 |
-| validation-neither-populated | Empty body or body with both fields empty | HTTP 400 | Inv-1 |
+| validation-neither-populated | Empty body or body with both fields empty | HTTP 400 + ValidationProblemDetails | Inv-1 + AZ-796 |
-| validation-over-cap | 5001 entries | HTTP 400 | Inv-7 |
+| validation-over-cap | 5001 entries | HTTP 400 + ValidationProblemDetails | Inv-7 + AZ-796 |
+| validation-missing-z | `tiles: [{ x: 1, y: 1 }]` | HTTP 400 + `errors["tiles[0].z"]` populated | Inv-8 + AZ-796 |
+| validation-out-of-range-z | `tiles: [{ z: 30, x: 1, y: 1 }]` | HTTP 400 + `errors["tiles[0].z"]` mentioning range | Inv-8 + AZ-796 |
+| validation-out-of-range-x | `tiles: [{ z: 0, x: 5, y: 0 }]` (2^0 = 1) | HTTP 400 + `errors["tiles[0].x"]` populated | Inv-8 + AZ-796 |
+| validation-unknown-root-field | Body with `unknownField: 42` plus `tiles: [...]` | HTTP 400 + `errors["unknownField"]` | Inv-9 + AZ-795 |
+| validation-unknown-nested-field | `tiles: [{ z: 18, x: 1, y: 1, foo: 42 }]` | HTTP 400 + `errors["tiles[0].foo"]` | Inv-9 + AZ-795 |
+| validation-old-field-name-tileZoom | `tiles: [{ tileZoom: 18, tileX: 1, tileY: 1 }]` (v1.x shape) | HTTP 400 + `errors["tiles[0].tileZoom"]` ("could not be mapped") | AZ-794 + Inv-9 |
 | auth-anonymous | No Bearer token | HTTP 401 | Standard `.RequireAuthorization()` baseline |
 | perf-2500-tiles | 2500-entry request against populated DB | p95 ≤ 1000 ms over 20 calls | AC-4 |
 | http2-multiplexing | 20 concurrent `GET /tiles/{z}/{x}/{y}` over a single H2 connection | All 20 responses `HttpResponseMessage.Version == 2.0`; ETag + Cache-Control preserved | AC-5; cross-references `tile-inventory.md` because Kestrel H2 is configured in the same PBI |
@@ -163,4 +193,5 @@ Order invariant: `results[i]` corresponds to `request.tiles[i]` (or `request.loc
 
 | Version | Date | Change | Author |
 |---------|------|--------|--------|
+| 2.0.0 | 2026-05-22 | **BREAKING**: per-entry coord triple renamed `tileZoom/tileX/tileY` → `z/x/y` (request `tiles[i]` and response `results[i]`) to align with the URL slippy-map convention already used by `GET /tiles/{z}/{x}/{y}`. AZ-794 ships as Option 1 hard switch; v1.x clients receive HTTP 400 with explicit "could not be mapped" errors. Adds Inv-8 (range constraints on z/x/y) + Inv-9 (unknown-field rejection); references `error-shape.md` v1.0.0 for the uniform 400 body shape. AZ-796 wires `InventoryRequestValidator` for Inv-1 / Inv-7 / Inv-8 enforcement. Cycle 7 — autodev Step 10. | autodev (Step 10, cycle 7) |
 | 1.0.0 | 2026-05-12 | Initial contract — `POST /api/satellite/tiles/inventory` with Form A (coords) / Form B (hashes) XOR validation, 5000-entry cap, most-recent-across-sources selection rule, ordering invariant. Produced by AZ-505. | autodev (Step 10, cycle 6) |

_docs/02_document/contracts/api/tile-latlon.md

@@ -0,0 +1,165 @@
+# Contract: tile-latlon
+
+**Component**: WebApi (`SatelliteProvider.Api`) producing rows via TileDownloader (`SatelliteProvider.Services.TileDownloader`)
+**Producer task**: AZ-811 — `_docs/02_tasks/done/AZ-811_latlon_get_endpoint_validation.md` (validator + this contract; renames query params `Latitude/Longitude/ZoomLevel` → `lat/lon/zoom` for OSM consistency)
+**Consumer tasks**: dev / debug clients, future mission-planner UI single-tile-by-click flows; NOT currently consumed by `gps-denied-onboard` (the onboard side uses `GET /tiles/{z}/{x}/{y}` with pre-computed coords from inventory)
+**Version**: 1.0.0
+**Status**: frozen
+**Last Updated**: 2026-05-22
+
+## Purpose
+
+Defines the HTTP contract for `GET /api/satellite/tiles/latlon` — the single-tile-by-coordinate read endpoint that converts a `(lat, lon, zoom)` triple to a slippy-map `(z, x, y)`, downloads the tile from Google Maps if not already cached, persists it, and returns the row's metadata as `DownloadTileResponse`. The actual tile bytes are served separately via `GET /tiles/{z}/{x}/{y}` once the caller has the resulting `(z, x, y)` (or the equivalent `tilePath` from the response).
+
+This is the v1.0.0 of the contract — published alongside AZ-811's validator landing. There is no prior contract document; the producer-doc surface before AZ-811 was `modules/api_program.md::GetTileByLatLon Handler` only.
+
+## Endpoint
+
+```
+GET /api/satellite/tiles/latlon?lat=<float>&lon=<float>&zoom=<int>
+Authorization: Bearer <JWT>
+```
+
+The request MUST carry a valid JWT (AZ-487). No `permissions` claim is required. Anonymous requests are rejected with HTTP 401.
+
+## Shape
+
+### Query parameters
+
+```
+?lat=47.461747&lon=37.647063&zoom=18
+```
+
+Per-parameter constraints:
+
+| Param | Type | Required | Description | Constraints |
+|-------|------|----------|-------------|-------------|
+| `lat` | number | yes | WGS84 latitude (decimal degrees). | `[-90.0, 90.0]`. |
+| `lon` | number | yes | WGS84 longitude (decimal degrees). | `[-180.0, 180.0]`. |
+| `zoom` | integer | yes | Slippy-map zoom level. | `[0, 22]`. |
+
+Strict shape: any query-string parameter outside `{lat, lon, zoom}` is rejected by `RejectUnknownQueryParamsEndpointFilter` with HTTP 400 + the unknown key name in `errors`. This catches typos like `?latitude=` (pre-AZ-811 wire name) that ASP.NET model binding would otherwise silently ignore, and it also rejects hostile fingerprinting probes like `?debug=1&admin=true`.
+
+**Required-field detection**: the bound DTO (`GetTileByLatLonQuery`) declares `lat` / `lon` / `zoom` as nullable (`double?`, `double?`, `int?`). Missing a query param therefore binds to `null` rather than throwing `BadHttpRequestException` from the framework binder — the request reaches the endpoint filters in all cases. `GetTileByLatLonQueryValidator` then enforces `NotNull` (chained `CascadeMode.Stop` ahead of the range rule) so a missing param surfaces as `errors[<paramName>]: ["\`<paramName>\` is required."]` exactly like any other validation failure. The handler dereferences `.Value` only after the validator filter has passed, guaranteed by the filter ordering.
+
+### Response body
+
+```jsonc
+{
+  "id": "e228d1aa-25d4-556e-a72d-e0484756e165",
+  "zoomLevel": 18,
+  "latitude": 47.461747,
+  "longitude": 37.647063,
+  "tileSizeMeters": 39.84,
+  "tileSizePixels": 256,
+  "imageType": "jpg",
+  "version": 1,
+  "filePath": "tiles/18/158485/91707.jpg",
+  "createdAt": "2026-05-22T12:34:56.789Z",
+  "updatedAt": "2026-05-22T12:34:56.789Z"
+}
+```
+
+Per-field semantics:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `id` | UUID | Deterministic UUIDv5 of the tile (`Uuidv5.TileNamespace, "{z}/{x}/{y}"`). |
+| `zoomLevel` | integer | Echoes the request `zoom` param. |
+| `latitude` | number | Tile centre latitude (server-resolved from slippy `(z,x,y)`; may differ from the request `lat` by up to half a tile). |
+| `longitude` | number | Tile centre longitude. |
+| `tileSizeMeters` | number | Approximate ground footprint of the tile at this zoom and latitude. |
+| `tileSizePixels` | integer | Fixed at 256 (slippy-map convention). |
+| `imageType` | string | Always `"jpg"`. |
+| `version` | integer | Tile row version (bumps on each refresh). |
+| `filePath` | string | Relative path under the tile cache root (`tiles/{z}/{x}/{y}.jpg`). |
+| `createdAt` | ISO-8601 UTC | Tile row creation timestamp. |
+| `updatedAt` | ISO-8601 UTC | Tile row last-modification timestamp. |
+
+Response field names are intentionally LEGACY (`zoomLevel`, `latitude`, `longitude`) — only the request shape (query params) was renamed by AZ-811. The response is shared with `tile-storage.md` for caller consistency.
+
+### Endpoint summary
+
+| Method | Path | Request | Response | Status codes |
+|--------|------|---------|----------|--------------|
+| `GET` | `/api/satellite/tiles/latlon` | query string `?lat&lon&zoom` | `DownloadTileResponse` | 200, 400, 401 |
+
+## Error shape
+
+All `400` responses conform to `_docs/02_document/contracts/api/error-shape.md` v1.0.0. Two enforcement layers produce identically-shaped bodies:
+
+1. **`RejectUnknownQueryParamsEndpointFilter`** (envelope, runs first) — rejects any query key outside `{lat, lon, zoom}` with `errors[<paramName>]: ["Unknown query parameter ..."]`. Catches typos and hostile probes.
+2. **`GetTileByLatLonQueryValidator`** (FluentValidation, runs second) — range-checks `lat` / `lon` / `zoom` with `errors[<paramName>]: ["... must be between ..."]`.
+
+Example body for a legacy-param-name failure (pre-AZ-811 wire format):
+
+```jsonc
+{
+  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+  "title": "One or more validation errors occurred.",
+  "status": 400,
+  "errors": {
+    "Latitude": ["Unknown query parameter `Latitude`. Allowed: `lat`, `lon`, `zoom`."],
+    "Longitude": ["Unknown query parameter `Longitude`. Allowed: `lat`, `lon`, `zoom`."],
+    "ZoomLevel": ["Unknown query parameter `ZoomLevel`. Allowed: `lat`, `lon`, `zoom`."]
+  }
+}
+```
+
+Example body for an out-of-range failure:
+
+```jsonc
+{
+  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+  "title": "One or more validation errors occurred.",
+  "status": 400,
+  "errors": {
+    "lat": ["`lat` must be between -90 and 90."]
+  }
+}
+```
+
+## Invariants
+
+- **Inv-1**: `lat ∈ [-90.0, 90.0]`. Out-of-range → 400 with `errors["lat"]`.
+- **Inv-2**: `lon ∈ [-180.0, 180.0]`. Out-of-range → 400 with `errors["lon"]`.
+- **Inv-3**: `zoom ∈ [0, 22]` (slippy-map zoom range, matching `tile-inventory.md` Inv-8 and `region-request.md` Inv-5).
+- **Inv-4** (AZ-811 envelope filter): Any query-string key outside `{lat, lon, zoom}` → 400 with `errors[<key>]`. This is the novel envelope-strictness layer introduced by AZ-811; reuse the filter on future query-string endpoints by passing a fresh allowed-keys set.
+- **Inv-5** (deterministic mapping): `(lat, lon, zoom)` deterministically resolves to a single slippy-map `(z, x, y)` and therefore to a single `Uuidv5.TileNamespace`-derived tile `id`. Re-requesting the same triple returns the SAME `id` (cache hit if the tile already exists). Cross-referenced from `common_uuidv5.md`.
+- **Inv-6** (cache reuse): If the resolved `(z, x, y)` already has a row in `tiles`, no new Google-Maps fetch occurs; the existing row's metadata is returned. The handler delegates this decision to `ITileService.DownloadAndStoreSingleTileAsync`.
+
+## Non-Goals
+
+- **Not covered**: tile body fetch. This endpoint returns metadata only. Bytes are served via `GET /tiles/{z}/{x}/{y}` (slippy-map URL).
+- **Not covered**: bulk download. Use `POST /api/satellite/tiles/inventory` for batch-lookup or `POST /api/satellite/request` for region pre-fetch.
+- **Not covered**: MGRS-based input. See `GET /api/satellite/tiles/mgrs` (stub, 501).
+- **Not covered**: backward-compatibility shim for `Latitude/Longitude/ZoomLevel` query param names. AZ-811 ships v1.0.0 directly with the post-rename names; pre-rename callers receive HTTP 400 from the envelope filter naming each unknown key. There is no transitional accept-both period.
+- **Not covered**: path-parameter validation on `GET /tiles/{z}/{x}/{y}` (the slippy-map body endpoint). That endpoint uses integer-binding which framework-validates the type but not the range; a separate task may add range checks if needed.
+
+## Versioning Rules
+
+- **Patch (1.0.x)**: Documentation clarifications, additional invariants that do not change wire behaviour.
+- **Minor (1.x.0)**: Adding an optional query param consumers may safely omit (e.g. `?format=png` if a non-jpg variant is later supported); adding an optional response field.
+- **Major (2.0.0)**: Changing any query-param name; tightening a range constraint that breaks current callers; removing `tileSizeMeters` from the response.
+
+## Test Cases
+
+| Case | Input | Expected | Notes |
+|------|-------|----------|-------|
+| happy-path | `?lat=47.461747&lon=37.647063&zoom=18` | HTTP 200 + DownloadTileResponse | AC-2 |
+| missing-lat | `?lon=37.647063&zoom=18` | HTTP 400 + `errors["lat"]: ["\`lat\` is required."]` | Inv-1 (NotNull rule) |
+| lat-out-of-range | `?lat=91&lon=37.647063&zoom=18` | HTTP 400 + `errors["lat"]` | Inv-1 (range rule) |
+| lon-out-of-range | `?lat=47.461747&lon=181&zoom=18` | HTTP 400 + `errors["lon"]` | Inv-2 |
+| zoom-out-of-range | `?lat=47.461747&lon=37.647063&zoom=30` | HTTP 400 + `errors["zoom"]` | Inv-3 |
+| legacy-param-names | `?Latitude=47.46&Longitude=37.64&ZoomLevel=18` (pre-AZ-811 wire format) | HTTP 400 + `errors["Latitude","Longitude","ZoomLevel"]` | Inv-4 (AZ-811 envelope) |
+| hostile-extra-keys | `?lat=...&lon=...&zoom=18&debug=1&admin=true` | HTTP 400 + `errors["debug","admin"]` | Inv-4 |
+| typo-zooom | `?lat=...&lon=...&zooom=18` | HTTP 400 + `errors["zooom"]` | Inv-4 |
+| lat-type-mismatch | `?lat=fifty&lon=...&zoom=18` | HTTP 400 (model-binder JsonException-equivalent) | Wire-format failure |
+| cache-reuse | repeat happy-path | HTTP 200; same `id`; no new GET to Google Maps | Inv-5 + Inv-6 |
+| auth-anonymous | no Bearer token | HTTP 401 | Standard `.RequireAuthorization()` baseline |
+
+## Change Log
+
+| Version | Date | Change | Author |
+|---------|------|--------|--------|
+| 1.0.0 | 2026-05-22 | Initial contract for `GET /api/satellite/tiles/latlon`. Publishes the post-AZ-811 OSM-convention query params (`lat`/`lon`/`zoom`) and the AZ-811 two-layer strict validation (envelope filter for unknown-keys + value-validator for range checks). References `error-shape.md` v1.0.0 for the 400 body shape and `tile-inventory.md` v2.0.0 for the bulk-lookup alternative. Pre-AZ-811 query-param names (`Latitude/Longitude/ZoomLevel`) are explicitly rejected by the envelope filter — no transitional shim. | autodev (Step 10, cycle 8) |

_docs/02_document/contracts/api/uav-tile-upload.md

@@ -4,9 +4,9 @@
 **Producer task**: AZ-488 — `_docs/02_tasks/done/AZ-488_uav_tile_upload.md`
 **Extended by**: AZ-503 — `_docs/02_tasks/done/AZ-503_tile_identity_uuidv5_bulk_list.md` (added optional `flightId` per-item field; per-flight on-disk path; deterministic `tileId`)
 **Consumer tasks**: `gps-denied-onboard`, mission planner UI, any future UAV-equipped client
-**Version**: 1.1.0
+**Version**: 1.2.0
 **Status**: frozen
-**Last Updated**: 2026-05-12
+**Last Updated**: 2026-05-23
 
 ## Purpose
 
@@ -50,6 +50,41 @@ Field names are camelCase. Property-name matching is case-insensitive on read.
 - `metadata.items.length` MUST NOT exceed `UavQualityConfig.MaxBatchSize` (default `100`). Oversize → HTTP 400.
 - The total request body size is capped at `MaxBatchSize × MaxBytes` by Kestrel's `MaxRequestBodySize` and the form `MultipartBodyLengthLimit`. Requests beyond this cap are rejected at the framework layer (HTTP 413/400).
 
+## Metadata validation (14 rules, v1.2.0)
+
+Before any file bytes are inspected by the Quality Gate below, the `metadata` envelope is run through a strict validator chain. This is the **metadata layer**; the **file layer** (see Quality Gate) is unchanged.
+
+The validator is split into three composing layers and runs inside a custom multipart endpoint filter (`UavUploadValidationFilter`):
+
+1. **Deserializer layer** — `JsonSerializerOptions.UnmappedMemberHandling.Disallow` + `[JsonRequired]` on every non-optional axis of `UavTileBatchMetadataPayload` / `UavTileMetadata`. Catches missing-required, unknown fields (root and nested), JSON type mismatches, and malformed UUIDs. Errors surface under `errors["metadata"]`.
+2. **FluentValidation layer** — `UavTileBatchMetadataPayloadValidator` (envelope rules) and `UavTileMetadataValidator` (per-item rules). Errors surface under `errors["metadata.items"]` / `errors["metadata.items[i].<field>"]`.
+3. **Cross-field envelope rule** — `items.Count == files.Count`, evaluated in the filter after the FluentValidation result is clean. Errors surface under **both** `errors["metadata.items"]` AND `errors["files"]`.
+
+Any failing rule short-circuits with HTTP 400 + RFC 7807 `ValidationProblemDetails` per `error-shape.md` v1.0.0. The body never reaches the Quality Gate or the persistence path on a metadata validation failure.
+
+| # | Rule | Failure condition | Error path | Layer |
+|---|------|-------------------|------------|-------|
+| 1 | Multipart envelope present | Request `Content-Type` is not `multipart/form-data` | `errors["metadata"]` | filter |
+| 2 | `metadata` form field present | Multipart form has no part named `metadata` | `errors["metadata"]` | filter |
+| 3 | `metadata` parses as JSON | Malformed JSON body | `errors["metadata"]` | deserializer |
+| 4 | `items` required + non-empty | `items` missing OR `items: []` | `errors["metadata.items"]` | FluentValidation |
+| 5 | `items.Count` ≤ `UavQualityConfig.MaxBatchSize` | `items.Count > MaxBatchSize` (default 100) | `errors["metadata.items"]` | FluentValidation |
+| 6 | `items.Count == files.Count` | Per-item file count differs from metadata count | `errors["metadata.items"]` + `errors["files"]` | filter |
+| 7 | `latitude` ∈ [-90, +90] | Out of range | `errors["metadata.items[i].latitude"]` | FluentValidation |
+| 8 | `longitude` ∈ [-180, +180] | Out of range | `errors["metadata.items[i].longitude"]` | FluentValidation |
+| 9 | `tileZoom` ∈ [0, 22] | Out of range | `errors["metadata.items[i].tileZoom"]` | FluentValidation |
+| 10 | `tileSizeMeters` > 0 | Zero or negative | `errors["metadata.items[i].tileSizeMeters"]` | FluentValidation |
+| 11 | `capturedAt` within freshness window | `capturedAt > now + CapturedAtFutureSkewSeconds` OR `capturedAt < now - MaxAgeDays` | `errors["metadata.items[i].capturedAt"]` | FluentValidation |
+| 12 | `flightId` parses as UUID | Non-UUID string (`null`/missing is valid per AZ-503) | `errors["metadata"]` | deserializer |
+| 13 | Unknown fields rejected (root + nested) | Any field not declared on the DTO | `errors["metadata"]` | deserializer |
+| 14 | Type mismatch | e.g. `"latitude": "fifty"`, `"tileZoom": 18.5` | `errors["metadata"]` | deserializer |
+
+### Relationship to the Quality Gate
+
+The Quality Gate's Rule 4 (captured-at freshness) is preserved exactly as documented below. It runs **after** the metadata validator and provides defence-in-depth against handler callers that bypass the filter (unit tests of `IUavTileUploadHandler`, future internal call paths). Operators consuming the public API will see the metadata validator's verdict first.
+
+The Quality Gate's Rules 1, 2, 3, 5 (file-level: format, size, dimensions, luminance) are unchanged and still produce per-item rejections via the existing HTTP 200 + `rejectReason` envelope — they have no metadata-validator equivalent.
+
 ## Quality Gate (5 rules)
 
 Each item is evaluated in this fixed order. The **first** failing rule produces the reported reason; subsequent rules are not evaluated for that item.
@@ -106,14 +141,31 @@ Adding a new code is a **minor** contract version bump per the Versioning Rules
 
 ### HTTP 400 — envelope error (RFC 7807 `application/problem+json`)
 
-Returned when the request itself is malformed:
+Returned when the request itself is malformed. As of v1.2.0 every 400 body conforms to the shared `ValidationProblemDetails` shape in `error-shape.md` v1.0.0, with the `errors` map keys listed in the "Metadata validation" rule table above. Triggers include:
 
 - `metadata` field absent, empty, or not valid JSON
 - `metadata.items` empty or null
 - `metadata.items.length` ≠ `files.length`
 - `metadata.items.length` > `MaxBatchSize`
+- Per-item `latitude`/`longitude`/`tileZoom`/`tileSizeMeters` out of declared range
+- Per-item `capturedAt` outside the freshness window
+- Unknown root or nested fields
+- Type mismatches and malformed UUIDs
 
-The 5-rule per-item quality gate never produces a 400; per-item failures always surface in the HTTP 200 response array.
+Sample body:
+
+```json
+{
+  "type": "https://tools.ietf.org/html/rfc9110#section-15.5.1",
+  "title": "One or more validation errors occurred.",
+  "status": 400,
+  "errors": {
+    "metadata.items[0].latitude": ["`latitude` must be between -90 and 90."]
+  }
+}
+```
+
+The 5-rule per-item quality gate never produces a 400; per-item file rejections always surface in the HTTP 200 response array.
 
 ### HTTP 401 — missing or invalid JWT (from AZ-487)
 
@@ -185,3 +237,4 @@ Each version bump requires updating the Change Log and notifying every consumer
 |---------|------|--------|--------|
 | 1.0.0 | 2026-05-11 | Initial contract — batch UAV upload endpoint, 5-rule quality gate, per-source UPSERT, closed reject-reason enum, GPS-permission requirement. Produced by AZ-488. | autodev (cycle 2 step 10) |
 | 1.1.0 | 2026-05-12 | Minor bump for AZ-503: added optional `flightId` per-item metadata field (backward-compatible default `null`); `tileId` in the response is now a deterministic UUIDv5 derived from `(z, x, y, source, flightId)` instead of a random Guid; on-disk path adds a `{flightId or 'none'}` segment for per-flight evidence isolation. No reject-reason changes, no envelope changes, no permission changes. v1.0.0 clients omitting `flightId` keep working unchanged. | autodev (cycle 5 step 13) |
+| 1.2.0 | 2026-05-23 | Minor bump for AZ-810: added the **metadata validation** layer (14 rules) wired through a new `UavUploadValidationFilter` that runs BEFORE the per-item Quality Gate. Marks every non-optional metadata axis with `[JsonRequired]`; uses `UnmappedMemberHandling.Disallow` so unknown root/nested fields are rejected. HTTP 400 envelope-error body now matches the shared `ValidationProblemDetails` shape per `error-shape.md` v1.0.0. **Behavior change**: callers previously sending malformed metadata that silently coerced (e.g. `latitude: 0` for a missing field) now receive HTTP 400 instead of HTTP 200 + per-item rejection. No wire-format renames, no reject-reason changes, no permission changes. The Quality Gate (5 rules) is unchanged and continues as defence-in-depth. | autodev (cycle 8 batch 4) |

_docs/02_document/deployment/containerization.md

@@ -11,7 +11,7 @@
 
 | Service | Image | Ports (host:container) | Purpose |
 |---------|-------|------------------------|---------|
-| postgres | postgres:16 | 5432:5432 | Database |
+| postgres | postgres:16 | 5433:5432 | Database (host port 5433 chosen to avoid conflicts with sibling-project Postgres instances on dev laptops) |
 | api | Custom (Dockerfile) | 18980:8080, 18981:8081 | Application |
 
 ## Volumes

_docs/02_document/glossary.md

@@ -14,7 +14,7 @@
 | Layer 1 | Historic name for satellite imagery from external providers (provider-agnostic; first implementation: Google Maps). Generalised in AZ-484 to one of N values of `Tile Source`; the term is retained for continuity with earlier docs and tickets. | user clarification, AZ-484 |
 | Layer 2 | Historic name for UAV-captured nadir camera imagery (orthogonal tiles uploaded post-flight). Generalised in AZ-484 to the `uav` `Tile Source` value; the term is retained for continuity with earlier docs and tickets. | user clarification, AZ-484 |
 | Tile Source | The producer of a tile row, persisted in `tiles.source` as a contract-defined string (`google_maps`, `uav`, …). Per AZ-503-foundation: each `(cell, source, flight)` triple may have at most one row; reads return the most-recent across sources AND flights. Adding a new source requires a new `TileSource` enum member and a tile-storage contract version bump. | _docs/02_document/contracts/data-access/tile-storage.md (v2.0.0) |
-| Tile Inventory | AZ-505 bulk read endpoint (`POST /api/satellite/tiles/inventory`) that returns one metadata entry per requested cell — present/absent + most-recent row's `id`/`capturedAt`/`source`/`flightId`/`resolutionMPerPx` — without streaming any tile bodies. Accepts up to 5000 entries per request in one of two XOR shapes: by-coord (`tiles: [{tileZoom, tileX, tileY}, …]`) or by-hash (`locationHashes: [Guid, …]`). Used by the onboard `gps-denied-onboard` cross-repo path to decide which Google-Maps cells still need download and which UAV variants are already on the server. | _docs/02_document/contracts/api/tile-inventory.md (v1.0.0) |
+| Tile Inventory | AZ-505 bulk read endpoint (`POST /api/satellite/tiles/inventory`) that returns one metadata entry per requested cell — present/absent + most-recent row's `id`/`capturedAt`/`source`/`flightId`/`resolutionMPerPx` — without streaming any tile bodies. Accepts up to 5000 entries per request in one of two XOR shapes: by-coord (`tiles: [{z, x, y}, …]`; renamed from `tileZoom/tileX/tileY` by AZ-794, cycle 7) or by-hash (`locationHashes: [Guid, …]`). Used by the onboard `gps-denied-onboard` cross-repo path to decide which Google-Maps cells still need download and which UAV variants are already on the server. Strict input validation enforced by `InventoryRequestValidator` (AZ-796, cycle 7) — see `Validation Problem Details`. | _docs/02_document/contracts/api/tile-inventory.md (v2.0.0) |
 | Captured At | Producer-defined UTC timestamp ("the moment this tile imagery represents") persisted in `tiles.captured_at`. For Google Maps it is `DateTime.UtcNow` at download time (provider does not expose original imagery date); for UAV it is the capture timestamp supplied by the upload client. Drives the most-recent-across-(source, flight) read selection rule. | _docs/02_document/contracts/data-access/tile-storage.md (v2.0.0) |
 | UAV Tile Upload | `POST /api/satellite/upload` batch endpoint (AZ-488) that ingests UAV-captured tiles. Multipart envelope with a JSON `metadata` field and an aligned `files` collection; per-item results returned in a single HTTP 200 response. | _docs/02_document/contracts/api/uav-tile-upload.md (v1.0.0) |
 | Quality Gate | The 5-rule validator (`UavTileQualityGate`) applied to every UAV tile before persistence: Format, Size band, Dimensions, Captured-at age, Blank/uniform. The first failing rule produces a reject reason from the closed `UavTileRejectReasons` enumeration. | _docs/02_document/contracts/api/uav-tile-upload.md (v1.0.0) |
@@ -44,6 +44,9 @@
 | Tile Deduplication | Mechanism using DB unique index + ConcurrentDictionary to prevent re-downloading identical tiles | modules/services_google_maps_downloader.md |
 | UUIDv5 | RFC 9562 §5.5 deterministic UUID derived from a namespace UUID + a UTF-8 name via SHA-1. AZ-503 uses it to produce stable, cross-repo `tiles.id` and `tiles.location_hash` values without coordinating an id allocator between the satellite-provider and `gps-denied-onboard` workspaces. | modules/common_uuidv5.md, AZ-503 |
 | Legacy ID | Pre-AZ-503 random `tiles.id` value, copied into the `legacy_id` column by migration 014 for one-cycle forensics. To be dropped in a future cycle once the cross-repo cutover settles. | _docs/02_document/data_model.md, AZ-503 |
+| Validation Problem Details | The uniform RFC 7807 error body shape (`ValidationProblemDetails`) returned by every public HTTP endpoint on 4xx input rejection: `{ type, title, status, errors: { "field.path": ["msg1", ...], ... } }`. Both the FluentValidation business-rule layer (`ValidationEndpointFilter<T>`) and the System.Text.Json deserializer layer (caught by `GlobalExceptionHandler`) produce this exact shape. Error-map keys are camelCase JSON paths (`tiles[0].z`, `locationHashes[3]`) per the global property-name resolver configured in `GlobalValidatorConfig.ApplyOnce`. | _docs/02_document/contracts/api/error-shape.md (v1.0.0), AZ-795 |
+| FluentValidation | Open-source library (12.0.0 since AZ-795) used to declare business-rule validators (`AbstractValidator<T>`) per request DTO. Registered via `AddValidatorsFromAssemblyContaining<Program>()` in `Program.cs` and consumed by the generic `ValidationEndpointFilter<T>` which an endpoint opts into via `RouteHandlerBuilder.WithValidation<T>()`. | _docs/02_document/architecture.md § 9, AZ-795 |
+| Unmapped Member Handling | The `System.Text.Json.Serialization.JsonUnmappedMemberHandling.Disallow` mode wired into `ConfigureHttpJsonOptions` in cycle 7 — rejects unknown JSON fields (including legacy renames such as `tileZoom/tileX/tileY` after AZ-794) at deserialisation time with a `JsonException` that `GlobalExceptionHandler` converts to 400 + `ValidationProblemDetails`. Pair-rule with `[JsonRequired]` on TileCoord axes catches missing-axis cases at the same layer. | _docs/02_document/architecture.md § 9, AZ-795 |
 
 ## Abbreviations
 

_docs/02_document/module-layout.md

@@ -5,7 +5,7 @@
 **Language**: csharp
 **Layout Convention**: custom (per-component .csproj per logical component)
 **Root**: ./
-**Last Updated**: 2026-05-12 (cycle 6 — AZ-505 tile inventory + Leaflet covering index + HTTP/2: new `POST /api/satellite/tiles/inventory` endpoint, new `ITileRepository.GetTilesByLocationHashesAsync`, rewired `GetByTileCoordinatesAsync` to filter on `location_hash`, migration `015_AddTilesLeafletPathIndex.sql`, Kestrel `Http1AndHttp2`, new `TileInventory*` DTOs in Common; cycle 5 — AZ-503 tile-identity foundation added: `SatelliteProvider.Common/Utils/Uuidv5.cs`, migration `014_AddTileIdentityColumns.sql`, 4 new `TileEntity` columns, integer-only flight-aware UPSERT, IntegrationTests → Common ProjectReference)
+**Last Updated**: 2026-05-22 (cycle 7 — AZ-794 + AZ-795 + AZ-796 strict inventory validation + z/x/y rename: `TileCoord` wire fields renamed `tileZoom/tileX/tileY` → `z/x/y` with `[JsonRequired]`; new `SatelliteProvider.Api/Validators/{InventoryRequestValidator,ValidationEndpointFilter,GlobalValidatorConfig,ValidationEndpointFilterExtensions}.cs`; new `SatelliteProvider.Api/GlobalExceptionHandler.cs` for `JsonException` → `ValidationProblemDetails`; FluentValidation 12.0.0 + `JsonSerializerOptions.UnmappedMemberHandling.Disallow` wired into `Program.cs`; new contract `_docs/02_document/contracts/api/error-shape.md` v1.0.0; `tile-inventory.md` bumped to v2.0.0; new `SatelliteProvider.IntegrationTests/ProblemDetailsAssertions.cs` + `TileInventoryValidationTests.cs`; new `SatelliteProvider.Tests/TestSupport/ValidatorTestModuleInitializer.cs` + `Validators/InventoryRequestValidatorTests.cs`; new `scripts/probe_inventory_validation.sh`; cycle 6 — AZ-505 tile inventory + Leaflet covering index + HTTP/2: new `POST /api/satellite/tiles/inventory` endpoint, new `ITileRepository.GetTilesByLocationHashesAsync`, rewired `GetByTileCoordinatesAsync` to filter on `location_hash`, migration `015_AddTilesLeafletPathIndex.sql`, Kestrel `Http1AndHttp2`, new `TileInventory*` DTOs in Common; cycle 5 — AZ-503 tile-identity foundation added: `SatelliteProvider.Common/Utils/Uuidv5.cs`, migration `014_AddTileIdentityColumns.sql`, 4 new `TileEntity` columns, integer-only flight-aware UPSERT, IntegrationTests → Common ProjectReference)
 
 ## Layout Rules
 
@@ -126,9 +126,13 @@ The cycle-1 (AZ-487) and cycle-2 (AZ-488) code reviews each surfaced an F1 (Low
   - `SatelliteProvider.Api/Authentication/AuthenticationServiceCollectionExtensions.cs` (added by AZ-487; `AddSatelliteJwt(IConfiguration)` registers `JwtBearer` with the suite-wide HS256 contract from `suite/_docs/10_auth.md`; validates `JWT_SECRET` ≥ 32 bytes at startup)
   - `SatelliteProvider.Api/Authentication/PermissionsRequirement.cs` + `PermissionsAuthorizationHandler` + `SatellitePermissions` (added by AZ-488; custom requirement that accepts a `permissions` claim shaped as either a single string or a JSON array; powers the `UavUploadPolicy` requiring the `GPS` permission)
   - `SatelliteProvider.Api/DTOs/UavTileBatchUploadRequest.cs` (added by AZ-488; multipart form binding envelope — kept in WebApi because it depends on `IFormFileCollection` + `[FromForm]`, both API-layer types)
+  - `SatelliteProvider.Api/Validators/ValidationEndpointFilter.cs` + `ValidationEndpointFilterExtensions.cs` (added by AZ-795; generic `IEndpointFilter<T>` that runs the registered `IValidator<T>` and returns `Results.ValidationProblem` on failure; opt-in via `RouteHandlerBuilder.WithValidation<T>()`)
+  - `SatelliteProvider.Api/Validators/InventoryRequestValidator.cs` + `TileCoordValidator` (added by AZ-796; FluentValidation rules for `POST /api/satellite/tiles/inventory` — XOR `tiles`/`locationHashes`, per-array cap, slippy-map range checks)
+  - `SatelliteProvider.Api/Validators/GlobalValidatorConfig.cs` (added by AZ-795/AZ-796; idempotent `ApplyOnce()` configures `ValidatorOptions.Global.PropertyNameResolver` so `errors`-map keys are camelCase per `error-shape.md` Inv-4; called from `Program.cs` and from the test assembly's `ModuleInitializer`)
+  - `SatelliteProvider.Api/GlobalExceptionHandler.cs` (added by AZ-795; `IExceptionHandler` registered via `AddExceptionHandler<GlobalExceptionHandler>()`. Intercepts `BadHttpRequestException(JsonException)` from System.Text.Json's strict-parsing path — unknown-member rejection, missing required field via `[JsonRequired]`, JSON type mismatch — and emits `ValidationProblemDetails` with the same `errors[]` map shape that FluentValidation produces. 5xx errors pass through with sanitised body + `correlationId` per AZ-353.)
 - **Internal**: (none)
 - **Owns**: `SatelliteProvider.Api/**`
-- **PackageReferences (added by AZ-487, bumped by AZ-496, then by AZ-500)**: `Microsoft.AspNetCore.Authentication.JwtBearer` 10.0.7 (pinned to the same minor patch as `Microsoft.AspNetCore.OpenApi` 10.0.7; AZ-496 bumped both packages from 8.0.21 → 8.0.25 in cycle 3 to close cycle-1 D1 + cycle-2 D3 supply-chain findings, then AZ-500 bumped both 8.0.25 → 10.0.7 in cycle 4 as part of the .NET 8 → .NET 10 migration; AZ-500 also bumped `Swashbuckle.AspNetCore` 6.6.2 → 10.1.7 here to land Microsoft.OpenApi 2.x compat required by ASP.NET Core 10).
+- **PackageReferences (added by AZ-487, bumped by AZ-496, then by AZ-500; AZ-795 added FluentValidation)**: `Microsoft.AspNetCore.Authentication.JwtBearer` 10.0.7 (pinned to the same minor patch as `Microsoft.AspNetCore.OpenApi` 10.0.7; AZ-496 bumped both packages from 8.0.21 → 8.0.25 in cycle 3 to close cycle-1 D1 + cycle-2 D3 supply-chain findings, then AZ-500 bumped both 8.0.25 → 10.0.7 in cycle 4 as part of the .NET 8 → .NET 10 migration; AZ-500 also bumped `Swashbuckle.AspNetCore` 6.6.2 → 10.1.7 here to land Microsoft.OpenApi 2.x compat required by ASP.NET Core 10). `FluentValidation` + `FluentValidation.DependencyInjectionExtensions` 12.0.0 added by AZ-795 to back the strict-input-validation epic.
 - **Imports from**: Common (incl. AZ-488 UAV DTOs + `UavQualityConfig`), DataAccess, TileDownloader (incl. AZ-488 `IUavTileUploadHandler`), RegionProcessing, RouteManagement
 - **Consumed by**: (none — top-level entry point)
 

_docs/02_document/modules/api_program.md

@@ -9,35 +9,57 @@ Application entry point. Configures DI container, sets up middleware, defines mi
 | Method | Route | Handler | Description |
 |--------|-------|---------|-------------|
 | GET | `/tiles/{z}/{x}/{y}` | `ServeTile` | Slippy map tile server with in-memory caching. AZ-505 rewired the DB lookup to filter on `location_hash` (deterministic UUIDv5) so the read becomes an `Index Only Scan` against `tiles_leaflet_path`; the wire response is byte-identical to pre-AZ-505. |
-| GET | `/api/satellite/tiles/latlon` | `GetTileByLatLon` | Download single tile by lat/lon/zoom |
+| GET | `/api/satellite/tiles/latlon` | `GetTileByLatLon` | Download single tile by lat/lon/zoom. AZ-811 (cycle 8) renamed the query params `Latitude/Longitude/ZoomLevel` → `lat/lon/zoom` (OSM convention) and added strict validation: range-checked `lat`/`lon`/`zoom` via `WithValidation<GetTileByLatLonQuery>()`, plus a `RejectUnknownQueryParamsEndpointFilter` that rejects any extra query keys (catches typos like `?latitude=` that pre-AZ-811 silently bound to 0). Contract: `_docs/02_document/contracts/api/tile-latlon.md` v1.0.0 + `_docs/02_document/contracts/api/error-shape.md` v1.0.0. |
-| POST | `/api/satellite/tiles/inventory` | `GetTilesInventory` | Bulk tile-existence/metadata lookup (AZ-505) — body is XOR of `tiles[{tileZoom,tileX,tileY}]` (Form A) and `locationHashes[uuid]` (Form B), each capped at 5000 entries. Response is one entry per request entry, in input order. Contract: `_docs/02_document/contracts/api/tile-inventory.md` v1.0.0. |
+| POST | `/api/satellite/tiles/inventory` | `GetTilesInventory` | Bulk tile-existence/metadata lookup (AZ-505) — body is XOR of `tiles[{z,x,y}]` (Form A) and `locationHashes[uuid]` (Form B), each capped at 5000 entries. Response is one entry per request entry, in input order. AZ-794 (cycle 7) renamed the coord triple from `tileZoom/tileX/tileY` → `z/x/y` (OSM convention); AZ-796 (cycle 7) added strict input validation via `WithValidation<TileInventoryRequest>()` so malformed payloads return RFC 7807 `ValidationProblemDetails` instead of silently coercing to zero. Contracts: `_docs/02_document/contracts/api/tile-inventory.md` v2.0.0 + `_docs/02_document/contracts/api/error-shape.md` v1.0.0. |
 | GET | `/api/satellite/tiles/mgrs` | `GetSatelliteTilesByMgrs` | MGRS stub (returns empty) |
-| POST | `/api/satellite/upload` | `UploadUavTileBatch` | UAV tile batch upload (AZ-488) — multipart envelope, 5-rule quality gate, per-source UPSERT with `source='uav'`. Requires the `RequiresGpsPermission` policy. |
+| POST | `/api/satellite/upload` | `UploadUavTileBatch` | UAV tile batch upload (AZ-488) — multipart envelope, 5-rule quality gate, per-source UPSERT with `source='uav'`. Requires the `RequiresGpsPermission` policy. AZ-810 (cycle 8) added a strict **metadata-layer** validator that runs BEFORE the quality gate via the custom `UavUploadValidationFilter`: 14 rules covering required fields (`[JsonRequired]`), per-item ranges (`latitude`/`longitude`/`tileZoom`/`tileSizeMeters`/`capturedAt`), envelope alignment (`items.Count == files.Count`), and unknown-field / type-mismatch rejection via `UnmappedMemberHandling.Disallow`. Errors surface as RFC 7807 `ValidationProblemDetails` matching `error-shape.md` v1.0.0 with `errors["metadata.…"]` keys. Contract: `_docs/02_document/contracts/api/uav-tile-upload.md` v1.2.0 + `_docs/02_document/contracts/api/error-shape.md` v1.0.0. |
 | POST | `/api/satellite/request` | `RequestRegion` | Queue region for async tile processing |
 | GET | `/api/satellite/region/{id}` | `GetRegionStatus` | Get region processing status |
-| POST | `/api/satellite/route` | `CreateRoute` | Create route with intermediate points |
+| POST | `/api/satellite/route` | `CreateRoute` | Create route with intermediate points. AZ-809 (cycle 8) added strict pre-handler validation via `WithValidation<CreateRouteRequest>()`: non-zero `id`, name length ∈ \[1, 200\], description length ≤ 1000, `regionSizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\], `points` count ∈ \[2, 500\] with per-point lat/lon range checks, per-polygon NW-of-SE invariants, and the `createTilesZip ⇒ requestMaps` cross-field rule. Deserializer-layer failures (missing `[JsonRequired]` axes, unknown fields, type mismatches) are caught by `GlobalExceptionHandler` and produce the same RFC 7807 envelope. Contract: `_docs/02_document/contracts/api/route-creation.md` v1.0.0 + `_docs/02_document/contracts/api/error-shape.md` v1.0.0. |
 | GET | `/api/satellite/route/{id}` | `GetRoute` | Get route with all points |
 
 ### Local Records (defined in Program.cs)
 - `GetSatelliteTilesResponse`, `SatelliteTile` — MGRS response stubs
 - `DownloadTileResponse` — tile download response
-- `RequestRegionRequest` — region request body
+- `ParameterDescriptionFilter` — Swagger operation filter (AZ-811 cycle 8 trimmed the obsolete `Latitude`/`Longitude`/`ZoomLevel` entries; the surviving `lat`/`lon`/`mgrs`/`squareSideMeters` keys still annotate query-string params)
-- `ParameterDescriptionFilter` — Swagger operation filter
+
+### Api/Validators (AZ-795 epic, AZ-808/AZ-809/AZ-811 cycle 8)
+- `RejectUnknownQueryParamsEndpointFilter` — `IEndpointFilter` parameterized by an allowed-keys set; rejects unknown query-string parameters with RFC 7807 `ValidationProblemDetails`. Apply BEFORE `WithValidation<T>()` so unknown-param errors precede range checks against the bound default value.
+- `GetTileByLatLonQueryValidator` — `AbstractValidator<GetTileByLatLonQuery>` with `lat`/`lon`/`zoom` rules. Each rule chains `Cascade(CascadeMode.Stop) → NotNull → InclusiveBetween` so a missing param surfaces ONLY as `"\`<paramName>\` is required."` (no spurious range error against a null sentinel).
+- `RegionRequestValidator` (AZ-808 cycle 8) — `AbstractValidator<RequestRegionRequest>`. Post-deserialization business rules: non-zero `id`, `lat`/`lon` ranges, `sizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\]. Required-field detection lives at the deserializer layer (`[JsonRequired]` + `UnmappedMemberHandling.Disallow`).
+- `CreateRouteRequestValidator` + `RoutePointValidator` + `GeofencePolygonValidator` (AZ-809 cycle 8) — three FluentValidation validators for the route-creation endpoint. The root validator chains `RuleForEach(req => req.Points).SetValidator(new RoutePointValidator())` for per-point checks and `RuleForEach(req => req.Geofences!.Polygons).SetValidator(new GeofencePolygonValidator()).OverridePropertyName("geofences.polygons")` for per-polygon checks. The `OverridePropertyName` on the geofences chain restores the full wire path (`geofences.polygons[i].northWest`) because FluentValidation's default name policy drops the parent on deep expressions like `req.Geofences!.Polygons`. `RoutePointValidator` uses `OverridePropertyName("lat"/"lon")` after each range rule so error keys match the wire format (`lat`/`lon`) rather than the camelCased C# names (`latitude`/`longitude`). The cross-field rule `createTilesZip ⇒ requestMaps` lives on the root via `Must(req => !(req.CreateTilesZip && !req.RequestMaps)).WithName("createTilesZip")`.
+- `UavTileBatchMetadataPayloadValidator` + `UavTileMetadataValidator` (AZ-810 cycle 8) — FluentValidation validators for the UAV upload metadata envelope. Root validator runs `items` count rules (non-null, non-empty, ≤ `UavQualityConfig.MaxBatchSize`) then `RuleForEach(p => p.Items).SetValidator(new UavTileMetadataValidator(...))` so per-item errors come out as `items[i].<field>` (then prefixed with `metadata.` by `UavUploadValidationFilter`). Per-item rules: `latitude` ∈ \[-90, 90\], `longitude` ∈ \[-180, 180\], `tileZoom` ∈ \[0, 22\], `tileSizeMeters` > 0, `capturedAt` within `\[now - MaxAgeDays, now + CapturedAtFutureSkewSeconds\]`. `flightId` is intentionally NOT validated beyond JSON shape — AZ-503 anonymous-flight semantics require `null` to be valid, and malformed UUID strings are already rejected at the deserializer with a JsonException. The freshness check uses an injectable `TimeProvider` (defaults to `TimeProvider.System`) so unit tests can drive it with a fixed clock.
+- `UavUploadValidationFilter` (AZ-810 cycle 8) — endpoint filter for `POST /api/satellite/upload`. The endpoint is `multipart/form-data` so the generic `WithValidation<T>()` JSON-body filter cannot bind directly; this filter reads the `metadata` form field, deserializes it via the strict global `JsonSerializerOptions` (so `UnmappedMemberHandling.Disallow` + `[JsonRequired]` from AZ-795 are honored), runs `IValidator<UavTileBatchMetadataPayload>` from DI, and enforces the cross-field `items.Count == files.Count` rule. Error-map keys from the per-item validator are prefixed with `metadata.` so paths surface to the caller as `errors["metadata.items[0].latitude"]`. Registered as a transient via `AddTransient<UavUploadValidationFilter>()` and wired on the endpoint with `.AddEndpointFilter<UavUploadValidationFilter>()`. The downstream `IUavTileUploadHandler` retains its own envelope checks as defence-in-depth (covers direct handler callers in unit tests).
+
+### Api/DTOs (AZ-811 cycle 8)
+- `GetTileByLatLonQuery` — `record GetTileByLatLonQuery(double? Lat, double? Lon, int? Zoom)` with `[FromQuery(Name="lat"|"lon"|"zoom")]` on each property. Bound via `[AsParameters]` on the `GetTileByLatLon` handler. **Nullable on purpose**: minimal-API binding throws `BadHttpRequestException` for missing non-nullable query params BEFORE endpoint filters run; that short-circuit produces a plain `ProblemDetails` via `GlobalExceptionHandler` with no `errors{}` envelope. Nullable types let binding always succeed so the envelope filter + validator handle the failure surface uniformly per `error-shape.md` v1.0.0. The handler dereferences `.Value` only after the validator filter passes.
+
+### Common/DTO (region API)
+- `RequestRegionRequest` — `POST /api/satellite/request` body. Moved out of Program.cs by AZ-369. Fields: `Id` (Guid), `Lat`/`Lon` (double, JSON `lat`/`lon` per AZ-812 cycle 8 OSM rename), `SizeMeters`, `ZoomLevel` (int, default 18), `StitchTiles` (bool, default false).
 
 ### Api/DTOs (AZ-488)
 - `UavTileBatchUploadRequest` — multipart envelope with `metadata` (JSON string) and `files` (`IFormFileCollection`)
 
 ### Common/DTO (AZ-488)
-- `UavTileMetadata`, `UavTileBatchMetadataPayload` — per-item metadata + envelope shape
+- `UavTileMetadata`, `UavTileBatchMetadataPayload` — per-item metadata + envelope shape. AZ-810 cycle 8 added `[JsonRequired]` to every non-optional axis (`latitude`, `longitude`, `tileZoom`, `tileSizeMeters`, `capturedAt` on the per-item record; `items` on the envelope) so the deserializer rejects partial payloads with HTTP 400 before the FluentValidation + `IUavTileQualityGate` layers run. `flightId` stays optional per AZ-503 anonymous-flight semantics.
 - `UavTileBatchUploadResponse`, `UavTileUploadResultItem` — per-item response shape
 - `UavTileUploadStatus`, `UavTileRejectReasons` — string-constant enumerations exposed in the v1.0.0 contract
 
-### Common/DTO (AZ-505)
+### Common/DTO (AZ-505; renamed by AZ-794 in cycle 7)
 - `TileInventoryRequest` — XOR body envelope with `Tiles` (Form A) OR `LocationHashes` (Form B)
-- `TileCoord` — `{TileZoom, TileX, TileY}` per-entry coord under Form A
+- `TileCoord` — `{Z, X, Y}` per-entry coord under Form A. Each property is marked `[JsonRequired]` so missing axes surface as `400` at the deserializer layer (System.Text.Json throws, `GlobalExceptionHandler` converts to `ValidationProblemDetails`).
 - `TileInventoryResponse` — `{Results: TileInventoryEntry[]}` response shape; ordering matches request
-- `TileInventoryEntry` — per-entry response shape (`Present`, `LocationHash`, optional `Id`/`CapturedAt`/`Source`/`FlightId`/`ResolutionMPerPx`)
+- `TileInventoryEntry` — per-entry response shape (`Z`, `X`, `Y`, `LocationHash`, `Present`, optional `Id`/`CapturedAt`/`Source`/`FlightId`/`ResolutionMPerPx`)
-- `TileInventoryLimits.MaxEntriesPerRequest` — hard cap (5000) consumed by request validation
+- `TileInventoryLimits.MaxEntriesPerRequest` — hard cap (5000) consumed by `InventoryRequestValidator`
+
+### Api/Validators (AZ-795 + AZ-796, cycle 7)
+- `InventoryRequestValidator` — FluentValidation `AbstractValidator<TileInventoryRequest>`. Rules: XOR `tiles`/`locationHashes`, `tiles.Count ≤ MaxEntriesPerRequest`, `locationHashes.Count ≤ MaxEntriesPerRequest`, per-entry `TileCoordValidator`.
+- `TileCoordValidator` — per-entry rules: `Z` ∈ [0, 22] (slippy-map range), `X` ∈ [0, 2^Z), `Y` ∈ [0, 2^Z).
+- `ValidationEndpointFilter<T>` — generic minimal-API filter that resolves `IValidator<T>` from DI, runs it against the bound argument, and returns `Results.ValidationProblem(result.ToDictionary())` on failure. Wired per-endpoint via `RouteHandlerBuilder.WithValidation<T>()`.
+- `GlobalValidatorConfig.ApplyOnce()` — idempotent process-wide FluentValidation configuration. Sets `ValidatorOptions.Global.PropertyNameResolver` so error map keys are camelCase per `error-shape.md` Inv-4. Called from `Program.cs` and from the test assembly's `ValidatorTestModuleInitializer` so both contexts see identical key shapes.
+
+### Api/GlobalExceptionHandler (AZ-795, cycle 7)
+- `GlobalExceptionHandler : IExceptionHandler` — registered via `AddExceptionHandler<GlobalExceptionHandler>()` + `AddProblemDetails()`. Intercepts unhandled exceptions and converts `BadHttpRequestException(JsonException)` (unknown-member rejection, missing-required-field, type mismatch) into RFC 7807 `ValidationProblemDetails` matching the FluentValidation output shape (single source of truth — see `error-shape.md` v1.0.0 §"Both paths produce identically-shaped bodies"). 5xx errors pass through with sanitised body + `correlationId` (preserves AZ-353).
 
 ## Internal Logic
 
@@ -53,6 +75,10 @@ Application entry point. Configures DI container, sets up middleware, defines mi
 9. JSON options: camelCase, case-insensitive
 10. **JWT authentication (AZ-487 + AZ-494)**: `AddSatelliteJwt(builder.Configuration)` (extension in `SatelliteProvider.Api.Authentication`) registers `JwtBearer` with `TokenValidationParameters` set per the suite auth contract: signature + lifetime + issuer + audience validation, 30 s clock skew, ≥ 32-byte HMAC key. The `iss` value comes from `JWT_ISSUER` env (fallback `Jwt:Issuer` config); the `aud` value comes from `JWT_AUDIENCE` env (fallback `Jwt:Audience` config). All three values (secret, iss, aud) are fail-fast — the API throws `InvalidOperationException` at startup if any is unset or whitespace-only. Production deploys MUST set the env vars with admin-team-confirmed values; `appsettings.json` ships empty so the fail-fast triggers. `appsettings.Development.json` ships clearly-tagged DEV-ONLY values (`DEV-ONLY-iss-admin-azaion-local` / `DEV-ONLY-aud-satellite-provider`) so local dev works out-of-the-box. Followed by `AddAuthorization` with the `RequiresGpsPermission` policy (AZ-488).
 11. **Kestrel HTTP/2 (AZ-505)**: `builder.WebHost.ConfigureKestrel(opts => opts.ConfigureEndpointDefaults(lo => lo.Protocols = HttpProtocols.Http1AndHttp2))`. The dev listener is now `https://+:8080` with a self-signed cert (`./certs/api.pfx`, generated idempotently by `scripts/run-tests.sh` and bound via `ASPNETCORE_Kestrel__Certificates__Default__Path` / `__Password` in `docker-compose.yml`). Kestrel needs TLS for HTTP/2 protocol negotiation; ALPN advertises both `h2` and `http/1.1` so HTTP/2-capable clients (browser Leaflet, `HttpClient` with `Version20` + `RequestVersionExact`, httpx `http2=True`) multiplex tile reads on a single TLS connection, and legacy clients fall back to HTTP/1.1. The integration-test container trusts the dev cert via `/usr/local/share/ca-certificates/` + `update-ca-certificates`. AZ-505 AC-5 verifies the multiplex semantics here; production termination is expected at the ingress (Envoy / nginx / ALB) — Kestrel can then drop to HTTP/2 cleartext behind it without changing this code.
+12. **ProblemDetails + global exception handler (AZ-795, cycle 7)**: `AddProblemDetails()` + `AddExceptionHandler<GlobalExceptionHandler>()` register the uniform RFC 7807 error pipeline. `app.UseExceptionHandler()` (in the middleware chain) routes unhandled exceptions through `GlobalExceptionHandler`, which converts `BadHttpRequestException(JsonException)` (unknown-member rejection, missing-required-field, JSON type mismatch) into `ValidationProblemDetails` with the same `errors[]` map shape that FluentValidation produces. This is the deserializer-layer half of the strict-validation contract — `error-shape.md` v1.0.0 §"Two collaborating pieces of shared infrastructure".
+13. **Strict JSON parsing (AZ-795, cycle 7)**: `ConfigureHttpJsonOptions` sets `PropertyNamingPolicy = CamelCase`, `PropertyNameCaseInsensitive = true`, `UnmappedMemberHandling = Disallow`, and adds `JsonStringEnumConverter` with camelCase naming. `UnmappedMemberHandling.Disallow` is the key strict-parsing knob: any unknown root or nested field is rejected at the deserializer rather than silently dropped. Catches typos (`{"Z":12}` uppercase, `{"tileZoom":...}` post-rename) that no FluentValidation rule can see after deserialization.
+14. **FluentValidation registration (AZ-795 + AZ-796, cycle 7)**: `AddValidatorsFromAssemblyContaining<Program>()` auto-registers every `IValidator<T>` in the API assembly (currently `InventoryRequestValidator` + `TileCoordValidator`, AZ-808 `RegionRequestValidator`, AZ-809 `CreateRouteRequestValidator` + `RoutePointValidator` + `GeofencePolygonValidator`, AZ-810 `UavTileBatchMetadataPayloadValidator` + `UavTileMetadataValidator`, AZ-811 `GetTileByLatLonQueryValidator`). `GlobalValidatorConfig.ApplyOnce()` runs the idempotent process-wide config — sets `ValidatorOptions.Global.PropertyNameResolver` so `errors` map keys are camelCase (matches the request body's casing per `error-shape.md` Inv-4). Per-endpoint opt-in via `.WithValidation<T>()` on the JSON-body endpoints — the generic `ValidationEndpointFilter<T>` resolves the validator from DI at request time and returns `Results.ValidationProblem` on failure.
+15. **AZ-810 multipart validation filter (cycle 8)**: `AddTransient<UavUploadValidationFilter>()` registers the bespoke filter used by `POST /api/satellite/upload`. The endpoint is `multipart/form-data` so the generic `.WithValidation<T>()` JSON-body filter cannot bind; this filter reads the `metadata` form field, deserializes it via the strict global `JsonSerializerOptions`, runs the FluentValidation chain, and enforces the cross-field `items.Count == files.Count` envelope rule. Wired on the endpoint with `.AddEndpointFilter<UavUploadValidationFilter>()` between `.RequireAuthorization(SatellitePermissions.UavUploadPolicy)` and the metadata accept/produces annotations.
 
 ### Startup
 1. Database migration via `DatabaseMigrator.RunMigrations()` — throws on failure
@@ -67,25 +93,36 @@ Application entry point. Configures DI container, sets up middleware, defines mi
 3. If no DB record: downloads tile via `GoogleMapsDownloaderV2.DownloadSingleTileAsync`, creates `TileEntity`, inserts
 4. Returns image bytes with cache headers (`Cache-Control: public, max-age=86400`)
 
-### GetTilesInventory Handler (AZ-505)
+### GetTilesInventory Handler (AZ-505 + AZ-796 cycle 7)
-1. Validates XOR body shape: 400 if both `tiles` and `locationHashes` are populated, 400 if neither is populated, 400 if either exceeds `TileInventoryLimits.MaxEntriesPerRequest` (5000)
+1. **Pre-handler validation (cycle 7)**: `ValidationEndpointFilter<TileInventoryRequest>` runs BEFORE the handler. Resolves `InventoryRequestValidator` from DI and asserts XOR `tiles`/`locationHashes`, per-array cap (`TileInventoryLimits.MaxEntriesPerRequest = 5000`), `z` ∈ [0, 22], `x` ∈ [0, 2^z), `y` ∈ [0, 2^z) per entry. Any failure short-circuits with HTTP 400 + `ValidationProblemDetails`. Deserializer-layer failures (missing `z/x/y`, unknown root/nested fields, JSON type mismatch) are caught earlier by System.Text.Json and surfaced as identically-shaped `ValidationProblemDetails` via `GlobalExceptionHandler` (AZ-795).
-2. Delegates to `ITileService.GetInventoryAsync(request, ct)`
+2. Handler delegates to `ITileService.GetInventoryAsync(request, ct)` — body of the handler is just the service call + `Results.Ok`.
-3. Service computes `location_hash` for Form A entries via `Uuidv5.Create(TileNamespace, "{z}/{x}/{y}")`, calls `ITileRepository.GetTilesByLocationHashesAsync(IReadOnlyList<Guid>)`, re-aligns results back to input order
+3. Service computes `location_hash` for Form A entries via `Uuidv5.Create(TileNamespace, "{z}/{x}/{y}")`, calls `ITileRepository.GetTilesByLocationHashesAsync(IReadOnlyList<Guid>)`, re-aligns results back to input order.
-4. Returns `TileInventoryResponse` with one entry per input — `present=true` entries carry `id` / `capturedAt` / `source` / `flightId` / `resolutionMPerPx`; `present=false` entries carry only `locationHash`
+4. Returns `TileInventoryResponse` with one entry per input — `present=true` entries carry `id` / `capturedAt` / `source` / `flightId` / `resolutionMPerPx`; `present=false` entries carry only `locationHash`.
-5. Authenticated by `.RequireAuthorization()` (401 before handler for anonymous)
+5. Authenticated by `.RequireAuthorization()` (401 before validation runs for anonymous requests).
 
 ### GetTileByLatLon Handler
-Downloads a tile, persists it, returns metadata as `DownloadTileResponse`.
+Binds `[AsParameters] GetTileByLatLonQuery` (record with nullable `[FromQuery(Name="lat"|"lon"|"zoom")]` properties — see `Api/DTOs` for nullability rationale). Wire-format params are OSM-short `lat`/`lon`/`zoom` post-AZ-811. Strict validation is layered:
+1. `RejectUnknownQueryParamsEndpointFilter(new[] {"lat","lon","zoom"})` runs first — rejects any unexpected query key (e.g. `?latitude=` typo, or hostile fingerprinting probes) with RFC 7807 `ValidationProblemDetails` and an `errors[<paramName>]` entry.
+2. `WithValidation<GetTileByLatLonQuery>()` runs second — checks `NotNull` (missing param → `errors[<paramName>]: "\`<paramName>\` is required."`) and `InclusiveBetween` (`lat` ∈ [-90, 90], `lon` ∈ [-180, 180], `zoom` ∈ [0, 22]). `CascadeMode.Stop` ensures null short-circuits the range check.
+3. Handler dereferences `query.Lat!.Value`, `query.Lon!.Value`, `query.Zoom!.Value` (validator guarantees non-null), delegates to `ITileService.DownloadAndStoreSingleTileAsync(lat, lon, zoom)`, and returns `DownloadTileResponse`.
+
+The two filter layers produce identically-shaped ProblemDetails bodies. The `RejectUnknownQueryParamsEndpointFilter` is reusable — register it once per allowed-key set on any future query-string endpoint that needs the same shape-strictness.
 
 ### RequestRegion Handler
-Validates size (100–10000m), delegates to `IRegionService.RequestRegionAsync`.
+AZ-808 (cycle 8) added strict pre-handler validation via `.WithValidation<RequestRegionRequest>()`: non-zero `id`, `lat`/`lon` ranges, `sizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\]. Missing `[JsonRequired]` axes / unknown root fields are caught at the deserializer layer by `GlobalExceptionHandler`. Post-validation, delegates to `IRegionService.RequestRegionAsync`.
+
+### CreateRoute Handler (AZ-809 cycle 8)
+Pre-handler validation via `.WithValidation<CreateRouteRequest>()`. Layered defence:
+1. **Deserializer layer (System.Text.Json + `GlobalExceptionHandler`)** — `[JsonRequired]` markers on `CreateRouteRequest.{Id, Name, RegionSizeMeters, ZoomLevel, Points, RequestMaps, CreateTilesZip}`, on `RoutePoint.{Latitude, Longitude}`, on `Geofences.Polygons`, on `GeofencePolygon.{NorthWest, SouthEast}`, and on `GeoPoint.{Lat, Lon}` catch missing-field payloads; `UnmappedMemberHandling.Disallow` catches unknown root + nested fields; type mismatches surface as `JsonException`. All three surface as HTTP 400 + `ValidationProblemDetails`.
+2. **Validator layer (`CreateRouteRequestValidator` + `RoutePointValidator` + `GeofencePolygonValidator`)** — non-zero `id`, name/description length caps, `regionSizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\], `points` count ∈ \[2, 500\] with per-point range checks (error keys `points[i].lat` / `points[i].lon`), per-polygon corner ranges + `NW.Lat > SE.Lat` + `NW.Lon < SE.Lon` invariants (error keys `geofences.polygons[i].northWest`), and the `createTilesZip ⇒ requestMaps` cross-field rule.
+3. **Handler** — receives a fully-validated `CreateRouteRequest` and delegates to `IRouteService.CreateRouteAsync`. The route service's own legacy `RouteValidator` (in `SatelliteProvider.Services.RouteManagement`) still runs as a defence-in-depth backstop — its checks are now strictly weaker than the validator-layer rules; tracked as an advisory clean-up in `route-creation.md`. Authenticated by `.RequireAuthorization()` (401 before validation runs for anonymous requests).
 
 ### UploadUavTileBatch Handler (AZ-488)
 Buffers each `IFormFile` into memory, packages them as `UavUploadFile` records (filename, content-type, bytes), and delegates to `IUavTileUploadHandler.HandleAsync`. Envelope-level errors (mismatched batch, oversized batch, malformed metadata) are surfaced as HTTP 400 ProblemDetails; per-item rejects are returned in the HTTP 200 response payload. The endpoint is protected by `.RequireAuthorization(SatellitePermissions.UavUploadPolicy)` so 401 (no token) and 403 (no `GPS` permission) are returned before the handler runs.
 
 ## Dependencies
 All project references: Common, DataAccess, Services.
-NuGet: `Serilog.AspNetCore` (8.0.3 — fallback retained on .NET 10 per AZ-500 Risk #4: no 10.x line published as of cycle 4; documented in `AGENTS.md`), `Swashbuckle.AspNetCore` (10.1.7 — bumped from 6.6.2 by AZ-500 to land Microsoft.OpenApi 2.x compat required by ASP.NET Core 10), `Microsoft.AspNetCore.OpenApi` (10.0.7 — bumped from 8.0.25 by AZ-500), `Microsoft.AspNetCore.Authentication.JwtBearer` (10.0.7 — added at 8.0.21 by AZ-487, bumped to 8.0.25 by AZ-496, bumped to 10.0.7 by AZ-500), `SixLabors.ImageSharp`, `Newtonsoft.Json`.
+NuGet: `Serilog.AspNetCore` (8.0.3 — fallback retained on .NET 10 per AZ-500 Risk #4: no 10.x line published as of cycle 4; documented in `AGENTS.md`), `Swashbuckle.AspNetCore` (10.1.7 — bumped from 6.6.2 by AZ-500 to land Microsoft.OpenApi 2.x compat required by ASP.NET Core 10), `Microsoft.AspNetCore.OpenApi` (10.0.7 — bumped from 8.0.25 by AZ-500), `Microsoft.AspNetCore.Authentication.JwtBearer` (10.0.7 — added at 8.0.21 by AZ-487, bumped to 8.0.25 by AZ-496, bumped to 10.0.7 by AZ-500), `FluentValidation` + `FluentValidation.DependencyInjectionExtensions` (12.0.0 — added by AZ-795 to back the strict-input-validation epic), `SixLabors.ImageSharp`, `Newtonsoft.Json`.
 
 **Microsoft.OpenApi 2.x refactor note (AZ-500)**: the major bump (1.x → 2.x) drove three internal Swashbuckle-setup edits in this file — `using Microsoft.OpenApi.Models;` → `using Microsoft.OpenApi;`; `AddSecurityRequirement(...)` rewritten to take a `Func<OpenApiDocument, OpenApiSecurityRequirement>` and use `OpenApiSecuritySchemeReference("Bearer")` instead of the removed `OpenApiSecurityScheme.Reference` shape; `MapType<UavTileBatchUploadRequest>` rewritten to use the new `JsonSchemaType` enum and `IDictionary<string, IOpenApiSchema>` properties bag. The Swagger document shape (paths, operations, the Bearer Authorize button, the multipart-batch upload schema) is preserved exactly — `SwaggerDocument_AdvertisesBearerSecurityScheme` and the AZ-353 swagger-ready integration assertions still pass. Eight `ASPDEPR002` deprecation warnings (`WithOpenApi(...)`) remain — they're recorded in `_docs/03_implementation/reviews/batch_01_cycle4_review.md` as a follow-up PBI; the API is still fully functional in .NET 10 (deprecated, not removed).
 

_docs/02_document/modules/common_dtos.md

@@ -6,9 +6,9 @@ Data transfer objects used across all layers — API requests/responses, inter-s
 ## Public Interface
 
 ### GeoPoint
-Geographic coordinate with tolerance-based equality.
+Geographic coordinate with tolerance-based equality. AZ-809 (cycle 8) marked both axes `[JsonRequired]` so a polygon corner missing either axis is rejected at the deserializer layer.
-- `Lat` (double): latitude, JSON property `"lat"`
+- `Lat` (double, `[JsonRequired]`, JSON: `"lat"`)
-- `Lon` (double): longitude, JSON property `"lon"`
+- `Lon` (double, `[JsonRequired]`, JSON: `"lon"`)
 - Constructor: `GeoPoint()`, `GeoPoint(double lat, double lon)`
 - Equality: two points are equal if both coordinates differ by less than `0.00005` (PRECISION_TOLERANCE)
 - Operator overloads: `==`, `!=`
@@ -33,8 +33,14 @@ Metadata about a stored tile (mirrors `TileEntity` but without DB-specific conce
 - `Version` (int?), `FilePath` (string)
 - `CreatedAt`, `UpdatedAt` (DateTime)
 
+### RequestRegionRequest (renamed by AZ-812 cycle 8 — OSM convention)
+API request body for `POST /api/satellite/request` (region enqueue). Defined in `SatelliteProvider.Common/DTO/RequestRegionRequest.cs`. Moved out of `Program.cs` by AZ-369.
+- `Id` (Guid), `Lat` (double, JSON: `"lat"`), `Lon` (double, JSON: `"lon"`), `SizeMeters` (double)
+- `ZoomLevel` (int, default 18), `StitchTiles` (bool, default false)
+- AZ-812 renamed C# props `Latitude/Longitude` → `Lat/Lon` and added `[JsonPropertyName("lat")]` / `[JsonPropertyName("lon")]` to make the wire format unambiguous. With `JsonSerializerOptions.UnmappedMemberHandling.Disallow` active (AZ-795), the old `latitude`/`longitude` wire shape now returns HTTP 400.
+
 ### RegionRequest
-Queue message for async region processing.
+Internal queue message for async region processing (not a wire-format DTO — exchanged between the API handler and `RegionProcessingService` background worker via `IRegionRequestQueue`). Distinct from `RequestRegionRequest` above; intentionally kept on `Latitude`/`Longitude` because the queue is in-process only.
 - `Id` (Guid), `Latitude`, `Longitude` (double), `SizeMeters` (double)
 - `ZoomLevel` (int), `StitchTiles` (bool)
 
@@ -44,20 +50,27 @@ Response DTO for region status queries.
 - `TilesDownloaded`, `TilesReused` (int), `CreatedAt`, `UpdatedAt` (DateTime)
 
 ### RoutePoint
-Input point in a route creation request.
+Input point in a route creation request. AZ-809 (cycle 8) marked both axes `[JsonRequired]` so the System.Text.Json deserializer rejects missing-axis payloads with HTTP 400 + `ValidationProblemDetails` via `GlobalExceptionHandler` BEFORE the FluentValidation layer runs.
-- `Latitude` (double, JSON: `"lat"`), `Longitude` (double, JSON: `"lon"`)
+- `Latitude` (double, `[JsonRequired]`, JSON: `"lat"`)
+- `Longitude` (double, `[JsonRequired]`, JSON: `"lon"`)
 
 ### RoutePointDto
 Output point in a route response (includes computed fields).
 - `Latitude`, `Longitude` (double), `PointType` (string: "start"/"end"/"action"/"intermediate")
 - `SequenceNumber`, `SegmentIndex` (int), `DistanceFromPrevious` (double?)
+- **Naming asymmetry**: input wire uses short OSM `lat`/`lon` (`RoutePoint`); response wire uses long `latitude`/`longitude` (`RoutePointDto`). Pre-existing — AZ-809 documented but did not change this. Tracked as a follow-up advisory in `_docs/02_document/contracts/api/route-creation.md`.
 
 ### CreateRouteRequest
-API request body for route creation.
+API request body for route creation. AZ-809 (cycle 8) added `[JsonRequired]` to every non-optional axis so missing fields are caught at the deserializer layer (uniform with AZ-808 region-request and AZ-795 inventory).
-- `Id` (Guid), `Name` (string), `Description` (string?)
+- `Id` (Guid, `[JsonRequired]`) — caller-supplied idempotency key; non-zero GUID
-- `RegionSizeMeters` (double), `ZoomLevel` (int)
+- `Name` (string, `[JsonRequired]`) — length \[1, 200\]
-- `Points` (List\<RoutePoint\>), `Geofences` (Geofences?)
+- `Description` (string?) — optional, length ≤ 1000 when present
-- `RequestMaps` (bool), `CreateTilesZip` (bool)
+- `RegionSizeMeters` (double, `[JsonRequired]`) — \[100, 10000\]
+- `ZoomLevel` (int, `[JsonRequired]`) — \[0, 22\] slippy-map range
+- `Points` (List\<RoutePoint\>, `[JsonRequired]`) — count ∈ \[2, 500\]
+- `Geofences` (Geofences?) — optional; when present, each polygon validated
+- `RequestMaps` (bool, `[JsonRequired]`) — no default; missing → 400
+- `CreateTilesZip` (bool, `[JsonRequired]`) — no default; cross-field invariant requires `requestMaps=true` when `true`
 
 ### RouteResponse
 API response for route queries.
@@ -65,12 +78,14 @@ API response for route queries.
 - `MapsReady` (bool), `TilesZipPath` (string?)
 
 ### GeofencePolygon
-Axis-aligned bounding box defined by NW and SE corners.
+Axis-aligned bounding box defined by NW and SE corners. AZ-809 (cycle 8) marked both corners `[JsonRequired]` so a partially-specified polygon (just `northWest`, no `southEast`, or vice-versa) is rejected at the deserializer layer.
-- `NorthWest` (GeoPoint?), `SouthEast` (GeoPoint?)
+- `NorthWest` (GeoPoint?, `[JsonRequired]`, JSON: `"northWest"`)
+- `SouthEast` (GeoPoint?, `[JsonRequired]`, JSON: `"southEast"`)
+- Cross-corner invariants (enforced by `GeofencePolygonValidator`): `NW.Lat > SE.Lat` (NW is north-of SE) and `NW.Lon < SE.Lon` (NW is west-of SE). Equal corners fail both invariants with `errors["geofences.polygons[i].northWest"]`.
 
 ### Geofences
-Container for multiple geofence polygons.
+Container for multiple geofence polygons. AZ-809 (cycle 8) marked `Polygons` `[JsonRequired]` so an empty `geofences: {}` envelope is rejected.
-- `Polygons` (List\<GeofencePolygon\>)
+- `Polygons` (List\<GeofencePolygon\>, `[JsonRequired]`, JSON: `"polygons"`) — at least 1 polygon when `geofences` is present (validator rule, not deserializer rule).
 
 ### UavTileMetadata (added AZ-488, extended AZ-503)
 Per-tile metadata payload inside a UAV batch upload (`POST /api/satellite/upload`). Indexed-correlated with the multipart `IFormFileCollection`.
@@ -110,21 +125,23 @@ Authoritative reject-reason codes for the UAV upload quality gate. Adding a new
 - `ImageTooUniform = "IMAGE_TOO_UNIFORM"` — Rule 5 (luminance variance below `MinLuminanceVariance`).
 - `StorageFailure = "STORAGE_FAILURE"` — reserved for the orphan-row-recovery path when the on-disk write succeeds but the DB UPSERT fails; surfaced per-item without failing the envelope (AZ-488 Reliability NFR).
 
-### TileCoord (added AZ-505)
+### TileCoord (added AZ-505, renamed AZ-794 cycle 7)
 Single tile coordinate triple used by the inventory endpoint Form A request shape and as the per-entry input echo on the response.
-- `TileZoom` (int) — slippy zoom level.
+- `Z` (int) `[JsonRequired]` — slippy zoom level. Wire name `"z"`.
-- `TileX`, `TileY` (int) — slippy x/y at that zoom.
+- `X` (int) `[JsonRequired]` — slippy x at that zoom. Wire name `"x"`.
-- Defined in `SatelliteProvider.Common/DTO/TileInventory.cs`. Matches `tile-inventory.md` v1.0.0 Shape.
+- `Y` (int) `[JsonRequired]` — slippy y at that zoom. Wire name `"y"`.
+- Defined in `SatelliteProvider.Common/DTO/TileInventory.cs`. Matches `tile-inventory.md` v2.0.0 Shape (the rename from `tileZoom/tileX/tileY` shipped in AZ-794; the `[JsonRequired]` markers + the global `UnmappedMemberHandling.Disallow` mean missing axes and the legacy field names both surface as HTTP 400 with `ValidationProblemDetails` per `error-shape.md` v1.0.0).
 
 ### TileInventoryRequest (added AZ-505)
 API request body for `POST /api/satellite/tiles/inventory`. Carries one of two XOR-exclusive batch shapes.
 - `Tiles` (`IReadOnlyList<TileCoord>?`) — Form A: coords-by-value. The server computes `location_hash = Uuidv5(TileNamespace, "{z}/{x}/{y}")` per entry.
 - `LocationHashes` (`IReadOnlyList<Guid>?`) — Form B: hashes-by-reference. Used when the caller already has UUIDv5 location hashes (typical for the onboard cross-repo path).
-- Exactly one of `Tiles` / `LocationHashes` must be populated and non-empty; both-populated or neither → HTTP 400 (`tile-inventory.md` Inv-1).
+- Exactly one of `Tiles` / `LocationHashes` must be populated and non-empty; both-populated or neither → HTTP 400 (`tile-inventory.md` v2.0.0 Inv-1, enforced by `InventoryRequestValidator` via `ValidationEndpointFilter<TileInventoryRequest>` in cycle 7).
 - Total entries (in either field) ≤ `TileInventoryLimits.MaxEntriesPerRequest` (5000); over-cap → HTTP 400 (Inv-7).
 
-### TileInventoryEntry (added AZ-505)
+### TileInventoryEntry (added AZ-505, coord fields renamed AZ-794 cycle 7)
 Per-entry result inside `TileInventoryResponse`. One entry per request entry, in the SAME order as the request (`tile-inventory.md` Inv-2).
+- `Z`, `X`, `Y` (int) — echoed coord triple matching the request entry; wire names `"z"`, `"x"`, `"y"` (renamed from `"tileZoom"`/`"tileX"`/`"tileY"` by AZ-794). Always populated; when Form B was used, these are 0 (the caller already knows the hash).
 - `LocationHash` (Guid) — always populated; UUIDv5 of `"{z}/{x}/{y}"` from `Uuidv5.LocationHashForTile` (Form A) or echoed from request (Form B).
 - `Present` (bool) — `true` iff a row exists in `tiles` with this `location_hash` (Inv-4).
 - `Id` (Guid?) — `tiles.id` of the most-recent row across sources/flights (`captured_at DESC, updated_at DESC, id DESC`, Inv-5); null when `Present=false` (Inv-6).
@@ -135,7 +152,7 @@ API response body for `POST /api/satellite/tiles/inventory`.
 - `Results` (`IReadOnlyList<TileInventoryEntry>`) — one entry per request entry; `Results.Count` always equals the request entry count (Inv-2).
 
 ### TileInventoryLimits (added AZ-505, static constants)
-- `MaxEntriesPerRequest = 5000` — request-body cap enforced by the inventory handler (Inv-7).
+- `MaxEntriesPerRequest = 5000` — request-body cap enforced by `InventoryRequestValidator` (per-array cap; `tile-inventory.md` v2.0.0 Inv-7).
 
 ## Internal Logic
 - `GeoPoint` uses a precision tolerance of `0.00005` degrees (~5.5 meters) for equality comparison.

_docs/02_document/modules/common_uuidv5.md

@@ -35,7 +35,7 @@ All members are static on `Uuidv5`:
 | `"18/12345/23456"` | `38b26f49-a966-5121-aaf4-9cc476f57869` |
 | `"18/12345/23456/google_maps/00000000-0000-0000-0000-000000000000"` | `e228d1aa-25d4-556e-a72d-e0484756e165` |
 
-The second value is observable end-to-end: a fresh `GET /api/satellite/tiles/latlon?Latitude=47.461747&Longitude=37.647063&ZoomLevel=18` returns `tileId = e228d1aa-25d4-556e-a72d-e0484756e165` because `(47.461747, 37.647063)` maps to slippy `(z=18, x=158485, y=91707)` — and the integration test asserts that exact value.
+The second value is observable end-to-end: a fresh `GET /api/satellite/tiles/latlon?lat=47.461747&lon=37.647063&zoom=18` returns `tileId = e228d1aa-25d4-556e-a72d-e0484756e165` because `(47.461747, 37.647063)` maps to slippy `(z=18, x=158485, y=91707)` — and the integration test asserts that exact value. (AZ-811 cycle 8 renamed the query params `Latitude/Longitude/ZoomLevel` → `lat/lon/zoom` for OSM consistency.)
 
 ## Dependencies
 

_docs/02_document/modules/tests_integration.md

@@ -15,6 +15,9 @@ Console application that runs end-to-end integration tests against a live API in
 - `JwtIntegrationTests` (added by AZ-487 cycle 2; helpers consolidated by AZ-491 cycle 3; iss/aud scenarios added by AZ-494 cycle 3) — `AnonymousRequest_To_AnyEndpoint_Returns401`, `ExpiredToken_Returns401`, `InvalidSignature_Returns401`, `ValidToken_Returns200_OnHealthyEndpoint`, `WrongIssuer_Returns401` (AZ-494 AC-1), `WrongAudience_Returns401` (AZ-494 AC-2), `SwaggerDocument_AdvertisesBearerSecurityScheme`. HS256 token minting lives in the shared `SatelliteProvider.TestSupport.JwtTokenFactory` (consumed via `ProjectReference`); runner-specific concerns (`JwtTestHelpers.ResolveSecretOrThrow` / `ResolveIssuerOrThrow` / `ResolveAudienceOrThrow`, `MintAuthenticated` / `MintExpired` convenience wrappers that auto-fill iss+aud from env, `AttachDefaultAuthorization`, `DefaultSubject = "integration-tests"`) remain in this project. The test runner sets `JWT_SECRET` + `JWT_ISSUER` + `JWT_AUDIENCE` on the API container and attaches a Bearer token (with matching iss/aud) to every existing test's HTTP requests so the pre-cycle-2 suite continues to pass.
 - `UavUploadTests` (added by AZ-488, cycle 2; coordinate-counter promoted to defense-in-depth by AZ-493 cycle 3; AZ-503 cycle 5 added 2 more tests) — `HappyPathSingleItem_PersistsRow`, `MixedBatch_ReturnsPerItemResults`, `MultiSourceCoexistence_AZ484_Cycle2`, `SameSourceUpsert_AZ484_Cycle2`, `NoToken_Returns401`, `ValidTokenWithoutGpsPermission_Returns403`, `OversizedBatch_Returns400`, plus AZ-503: `MultiFlightUavRowsCoexist_AZ503_AC3` (two flights at the same cell → two rows, one `location_hash`, two `file_path`s under `./tiles/uav/{flight_id}/...`) and `FloatRoundingDoesNotBreakIdempotence_AZ503_AC4` (two uploads with float-distinct `latitude` recomputed from `TileToWorldPos` collapse to a single row because the conflict key is integer-only). The AZ-503 migration made `location_hash NOT NULL`, so the cycle-2 `MultiSourceCoexistence_AZ484_Cycle2` seeder was updated to compute `location_hash` via `Uuidv5.Create` (canonical name `"{zoom}/0/0"`) before the raw SQL `INSERT` — this required adding a `ProjectReference` from `SatelliteProvider.IntegrationTests` to `SatelliteProvider.Common`. The wall-clock-seeded `_coordinateCounter` is retained as a belt-and-suspenders safeguard alongside the AZ-493 startup DB-reset (below) — if a developer runs with `--keep-state`, or the DB-reset path is skipped for any reason, the wall-clock seed still spreads coordinates across runs so the unique index does not collide.
 - `StubAndErrorContractTests` (existing) — updated in cycle 2 to drop the legacy `StubUpload_Returns501` expectation since AZ-488 implemented the endpoint.
+- `TileInventoryTests` (added cycle 6 — AZ-505) — `OrderingAndPresentAbsentShaping_AC1`, `LeafletReadReturnsMostRecentViaLocationHash_AC2`, `ValidationRejectsBothPopulated_AC6`, `ValidationRejectsNeitherPopulated_AC6`, `ValidationRejectsOversizedBatch_AC6`, `UnauthenticatedRequestReturns401_AC6`, `PerformanceBudget_AC4` (full-suite only). Tests are cycle-7-stable — they use the post-AZ-794 `{z, x, y}` wire shape and a minor x/y reduction was applied in cycle 7 to keep the synthetic coords within the z=18 slippy bounds enforced by `TileCoordValidator`.
+- `TileInventoryValidationTests` (added cycle 7 — AZ-796) — 16 tests: `HappyPath_Returns200`, `EmptyBody_Returns400`, `NeitherPopulated_Returns400`, `BothPopulated_Returns400`, `EmptyTilesArray_Returns400`, `TilesOverCap_Returns400`, `MissingZ_Returns400WithFieldPath`, `MissingXAndY_Returns400`, `ZoomOutOfRange_Returns400WithFieldPath`, `XBeyondZoomBounds_Returns400`, `YBeyondZoomBounds_Returns400`, `NegativeAxis_Returns400`, `UnknownRootField_Returns400`, `UnknownNestedField_Returns400`, `OldV1FieldName_Returns400` (AZ-794 + AZ-796 intersection — exact AZ-777 Phase 1 reproducer body, asserts legacy `tileZoom/tileX/tileY` now yields 400), `TypeMismatch_Returns400`. Each test exercises one of the 9 validation rules end-to-end through `ValidationEndpointFilter<TileInventoryRequest>` + `GlobalExceptionHandler`, asserts HTTP 400 + RFC 7807 `ValidationProblemDetails` shape via the shared `ProblemDetailsAssertions` helper.
+- `IdempotentPostTests` — pre-existing; cycle 7 adjusted the route-point payload from PascalCase (`Latitude`/`Longitude`) to camelCase (`lat`/`lon`) because the post-AZ-795 `UnmappedMemberHandling.Disallow` would otherwise reject the previously-silently-ignored fields. The `RoutePoint` DTO has carried `JsonPropertyName("lat"/"lon")` since AZ-309; cycle 7's strict JSON parsing exposed the test was sending the wrong shape and getting away with it via the pre-cycle-7 permissive deserializer.
 
 ### Supporting Classes
 - `Models.cs` — HTTP response DTOs for deserialization
@@ -30,6 +33,7 @@ Console application that runs end-to-end integration tests against a live API in
   - Token *minting* lives in the shared `SatelliteProvider.TestSupport.JwtTokenFactory` (AZ-491) — runner-side concerns (env reads, HttpClient mutation, the iss/aud-aware mint wrapper) deliberately stay here.
 - `IntegrationTestDatabaseReset.cs` (AZ-493) — instance class with a single `EnsureCleanStateAsync()` method that truncates the integration-test target tables in FK-safe order. Guarded via `SatelliteProvider.TestSupport.IntegrationTestResetGuard` (env + Host allowlist) so it cannot run against a non-test database.
 - `PerfBootstrap.cs` (AZ-492) — static helpers for the perf harness bootstrap subcommands. `MintToken()` mints a 4-hour HS256 token with subject `perf-tests` and a `permissions: GPS` claim via the canonical `SatelliteProvider.TestSupport.JwtTokenFactory.Create`; `GenerateUavFixture(args)` writes a 256×256 random-noise JPEG via `SixLabors.ImageSharp` to the path passed on the CLI. Invoked from `scripts/run-performance-tests.sh` via `dotnet <SatelliteProvider.IntegrationTests.dll> --mint-only` and `--gen-uav-fixture <path>`.
+- `ProblemDetailsAssertions.cs` (added cycle 7 — AZ-795) — shared static helpers for asserting RFC 7807 ProblemDetails bodies on integration-test responses. `ReadProblemDetailsAsync(HttpResponseMessage, label)` deserialises the response body into a `JsonElement` with helpful failure messages when the content-type / shape doesn't match. `AssertProblemDetails(problem, expectedStatus, label)` asserts the base ProblemDetails shape (`type`, `title`, `status`). `AssertValidationProblem(problem, expectedStatus, label, expectedErrorPath?, expectedErrorContains?)` extends the base assertion to require the `errors` map per `error-shape.md` Inv-2 and optionally checks a specific field path / message substring. Consumed by `TileInventoryValidationTests`; designed to be reused by every future per-endpoint child task under AZ-795.
 
 ## Internal Logic
 - Makes HTTP calls to the API at `API_URL` environment variable (default: `http://api:8080`)

_docs/02_document/modules/tests_unit.md

@@ -23,17 +23,22 @@ Existing baseline (pre-cycle-2) test classes cover `TileService`, `RegionService
 - `Uuidv5Tests` — pure-C# UUIDv5 generator parity tests. `Create_MatchesPythonReferenceVectors_AC1` pins 10 reference vectors generated by Python's `uuid.uuid5(TILE_NAMESPACE, name)`; `Create_IsDeterministic` asserts repeated runs return the same `Guid`; `Create_SetsVersionAndVariantBits` asserts the version nibble is `5` and the variant top-2-bits are `10` (RFC 9562 §5.5).
 - `UavTileFilePathTests` (rewritten for AZ-503 from the cycle-2 placeholder) — covers `BuildUavTileFilePath(Guid? flightId, int z, int x, int y)` across three cases: `BuildUavTileFilePath_AnonymousFlight_UsesNoneSegment` (null `flightId` → literal `none` segment), `BuildUavTileFilePath_PerFlight_UsesFlightIdDirectory` (per-flight segment), `BuildUavTileFilePath_DifferentFlights_ProduceDifferentPaths` (path-distinctness across flights at the same cell). Integer-typed coordinates and the `Guid? flightId` parameter together still preclude string-injection path traversal.
 
+### AZ-795 + AZ-796 — strict inventory validation (cycle 7)
+- `Validators/InventoryRequestValidatorTests` (added cycle 7 — AZ-796) — 16 tests against `InventoryRequestValidator` + `TileCoordValidator` in isolation via FluentValidation's `TestValidate(...)` test helper. Covers every `RuleFor(...)`: `Validate_TilesPopulated_LocationHashesNull_Passes`, `Validate_LocationHashesPopulated_TilesNull_Passes`, `Validate_BothPopulated_FailsXorRule`, `Validate_NeitherPopulated_FailsXorRule`, `Validate_BothEmpty_FailsXorRule`, `Validate_TilesAtCap_Passes`, `Validate_TilesOverCap_FailsCapRule`, `Validate_LocationHashesOverCap_FailsCapRule`, `Validate_TileZoomOutOfRange_FailsRangeRule` (`[Theory]` with z ∈ {-1, 23, 100}), `Validate_TileZoomInRange_PassesRangeRule` (`[Theory]` with z ∈ {0, 18, 22}), `Validate_TileXNegative_FailsRangeRule`, `Validate_TileXAtUpperBound_FailsRangeRule`, `Validate_TileYNegative_FailsRangeRule`, `Validate_TileYAtUpperBound_FailsRangeRule`, `Validate_AxesAtMaxForZoom_Passes`.
+- `TestSupport/ValidatorTestModuleInitializer.cs` (added cycle 7 — AZ-795) — `[ModuleInitializer]` that calls `GlobalValidatorConfig.ApplyOnce()` at test-assembly load time. Ensures unit tests see the same camelCase property-name resolution that `Program.cs` configures for the running API, so validator error keys (e.g., `tiles[0].z`) match the runtime contract per `error-shape.md` v1.0.0 Inv-4 without forcing every test to re-run the setup.
+
 ## Internal Logic
 - Tests follow Arrange / Act / Assert. Time-dependent paths inject a `FixedTimeProvider` (cycle-2 addition) so Rule 4 has deterministic age windows.
 - `JwtSecurityTokenHandler.MapInboundClaims = false` is set explicitly in JWT tests so claims read by their original names (`sub`, `permissions`, …) rather than the framework-remapped names.
+- Cycle 7 also added validator-isolated assertions via FluentValidation's `TestValidate(...)` helper (no HTTP, no DI container) — the matching end-to-end assertions live in `SatelliteProvider.IntegrationTests/TileInventoryValidationTests.cs`.
 
 ## Dependencies
 - Project references: `SatelliteProvider.Services.TileDownloader`, `SatelliteProvider.Services.RegionProcessing`, `SatelliteProvider.Services.RouteManagement`, `SatelliteProvider.Common`, `SatelliteProvider.DataAccess`, `SatelliteProvider.Api` (for the Authentication tests — added in AZ-487), `SatelliteProvider.TestSupport` (added by AZ-491; provides the canonical `JwtTokenFactory` consumed by both this project and `SatelliteProvider.IntegrationTests`).
-- NuGet: xUnit (2.5.3), Moq (4.20.72), FluentAssertions (8.8.0), coverlet.collector (6.0.0), Microsoft.NET.Test.Sdk (17.8.0), Microsoft.Extensions.* (Caching.Memory, Configuration, DI, Logging, Options, Http — all bumped from 9.0.10 → 10.0.7 by AZ-500 as a coordinated cycle-4 move), `Microsoft.AspNetCore.Authentication.JwtBearer` 10.0.7 (consumed transitively via the `ProjectReference` to `SatelliteProvider.Api`; AZ-487 added the dependency at 8.0.21, AZ-496 bumped it to 8.0.25, AZ-500 bumped it to 10.0.7), `SixLabors.ImageSharp` 3.1.11 (added by AZ-488 for the gate tests).
+- NuGet: xUnit (2.5.3), Moq (4.20.72), FluentAssertions (8.8.0), coverlet.collector (6.0.0), Microsoft.NET.Test.Sdk (17.8.0), Microsoft.Extensions.* (Caching.Memory, Configuration, DI, Logging, Options, Http — all bumped from 9.0.10 → 10.0.7 by AZ-500 as a coordinated cycle-4 move), `Microsoft.AspNetCore.Authentication.JwtBearer` 10.0.7 (consumed transitively via the `ProjectReference` to `SatelliteProvider.Api`; AZ-487 added the dependency at 8.0.21, AZ-496 bumped it to 8.0.25, AZ-500 bumped it to 10.0.7), `SixLabors.ImageSharp` 3.1.11 (added by AZ-488 for the gate tests), `FluentValidation` + `FluentValidation.TestHelper` 12.0.0 (added cycle 7 — AZ-795; the test helper drives the `TestValidate(...)` assertions used by `InventoryRequestValidatorTests`).
 - `appsettings.json` copied to output (used by Authentication tests for the `Jwt` section binding scenario).
 
 ## Consumers
 - CI pipeline (`01-test.yml`) and `scripts/run-tests.sh --unit-only` run `dotnet test` against this project.
 
 ## Tests
-This IS the test module. Cycle-2 added ~25 unit tests on top of the existing baseline; cycle-5 (AZ-503) added 6 more (3 in `Uuidv5Tests`, 3 in `UavTileFilePathTests`) plus 2 new methods in `UavTileUploadHandlerTests`. The full project executes in seconds (no external services required).
+This IS the test module. Cycle-2 added ~25 unit tests on top of the existing baseline; cycle-5 (AZ-503) added 6 more (3 in `Uuidv5Tests`, 3 in `UavTileFilePathTests`) plus 2 new methods in `UavTileUploadHandlerTests`. Cycle 7 (AZ-795 + AZ-796) added 16 more in `InventoryRequestValidatorTests` covering every `RuleFor(...)` in the cycle's new validators. The full project executes in seconds (no external services required). Cycle 7 Step 11 reported the unit suite at 311 tests, all green.

_docs/02_document/ripple_log_cycle7.md

@@ -0,0 +1,80 @@
+# Cycle 7 — Documentation Ripple Log
+
+**Cycle**: 7 (AZ-794 z/x/y rename + AZ-795 strict-validation epic + AZ-796 inventory-endpoint validation)
+**Generated by**: `/document` skill (task mode) during autodev Step 13
+**Resolution method**: `Grep --type cs` against every new or changed symbol introduced by the three tasks. C# `using`-based import analysis on `TileCoord` (renamed fields + `[JsonRequired]`), `InventoryRequestValidator`, `ValidationEndpointFilter<T>`, `GlobalExceptionHandler`, `GlobalValidatorConfig`, plus `ProblemDetailsAssertions` and `ValidatorTestModuleInitializer` in the test projects. No static-analyzer (NDepend, etc.) was used — the new surface is shallow and lives almost entirely behind `Program.cs` + the two new test files, so the literal usage scan is exhaustive.
+
+## Directly-changed source files (cycle 7)
+
+- `SatelliteProvider.Common/DTO/TileInventory.cs` (AZ-794, modified) — `TileCoord` properties renamed `TileZoom/TileX/TileY` → `Z/X/Y` with `[JsonRequired]` on each; `TileInventoryEntry` echo fields renamed in lockstep. Wire field names are `z`/`x`/`y` per the camelCase resolver.
+- `SatelliteProvider.Api/Program.cs` (AZ-795 + AZ-796, modified) —
+  - `ConfigureHttpJsonOptions(o => o.SerializerOptions.UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow)` (AZ-795).
+  - `AddProblemDetails(...)` global ProblemDetails configurator (AZ-795).
+  - `AddExceptionHandler<GlobalExceptionHandler>()` + `UseExceptionHandler()` middleware order (AZ-795).
+  - `AddValidatorsFromAssemblyContaining<Program>()` + `GlobalValidatorConfig.ApplyOnce()` at startup (AZ-795 + AZ-796).
+  - `.WithValidation<TileInventoryRequest>()` on the `MapPost("/api/satellite/tiles/inventory", …)` builder (AZ-796).
+  - Endpoint summary / description bumped to reference `tile-inventory.md` v2.0.0 + `error-shape.md` v1.0.0.
+- `SatelliteProvider.Api/Validators/InventoryRequestValidator.cs` (AZ-796, **new**) — `AbstractValidator<TileInventoryRequest>` + nested `TileCoordValidator` with 9 rules (XOR, per-array cap, Z/X/Y ranges).
+- `SatelliteProvider.Api/Validators/ValidationEndpointFilter.cs` (AZ-795, **new**) — generic `IEndpointFilter<T>` that runs the registered `IValidator<T>` and emits `Results.ValidationProblem(...)` on failure.
+- `SatelliteProvider.Api/Validators/ValidationEndpointFilterExtensions.cs` (AZ-795, **new**) — opt-in `RouteHandlerBuilder.WithValidation<T>()` extension; intentionally orthogonal to per-endpoint authorization configuration.
+- `SatelliteProvider.Api/Validators/GlobalValidatorConfig.cs` (AZ-795 + AZ-796, **new**) — idempotent `ApplyOnce()` configures FluentValidation's global `PropertyNameResolver` to camelCase (`tiles[0].z` instead of `Tiles[0].Z`) per `error-shape.md` Inv-4. Called from `Program.cs` and from the unit-test assembly's `[ModuleInitializer]`.
+- `SatelliteProvider.Api/GlobalExceptionHandler.cs` (AZ-795, **new**) — `IExceptionHandler` that intercepts `BadHttpRequestException(JsonException)` (the System.Text.Json strict-parse path: unknown fields, `[JsonRequired]` violations, type mismatches) and emits the same `ValidationProblemDetails` shape that FluentValidation produces. 5xx paths pass through with sanitised body + correlation id (continuation of the AZ-353 contract).
+- `_docs/02_document/contracts/api/error-shape.md` (AZ-795, **new**) — v1.0.0 uniform error-body contract. Single source of truth for the `ValidationProblemDetails` wire shape across both layers and across all future child tickets of the AZ-795 epic.
+- `_docs/02_document/contracts/api/tile-inventory.md` (AZ-794 + AZ-796, modified) — bumped to v2.0.0; documents the 9 validation rules + the `z/x/y` rename; `Producer task` block extended to credit AZ-505 + AZ-794 + AZ-796.
+- `SatelliteProvider.Tests/Validators/InventoryRequestValidatorTests.cs` (AZ-796, **new**) — 16 unit tests against the validator via `TestValidate(...)`.
+- `SatelliteProvider.Tests/TestSupport/ValidatorTestModuleInitializer.cs` (AZ-795, **new**) — calls `GlobalValidatorConfig.ApplyOnce()` at test-assembly load.
+- `SatelliteProvider.IntegrationTests/ProblemDetailsAssertions.cs` (AZ-795, **new**) — shared response-shape helper consumed by every future per-endpoint validation test.
+- `SatelliteProvider.IntegrationTests/TileInventoryValidationTests.cs` (AZ-796, **new**) — 16 end-to-end tests; one per validation rule (with sub-cases) plus a happy path.
+- `SatelliteProvider.IntegrationTests/TileInventoryTests.cs` (AZ-794, modified) — updated `tileZoom/tileX/tileY` JSON payloads to `z/x/y`; reduced the synthetic x/y values to stay inside the slippy-map bounds enforced by `TileCoordValidator`.
+- `SatelliteProvider.IntegrationTests/IdempotentPostTests.cs` (AZ-795, modified) — route-point payload PascalCase → camelCase (`lat`/`lon`) because the post-cycle-7 strict deserializer no longer silently drops the wrong field names that the test had been sending pre-cycle 7.
+- `scripts/probe_inventory_validation.sh` (AZ-796, **new**) — manual probe script; exercises each failure mode end-to-end and captures responses for change-review evidence.
+
+## Importer scan results
+
+| Symbol | Importer count | Importer files | Component touched |
+|--------|----------------|----------------|-------------------|
+| `TileCoord.Z` / `TileCoord.X` / `TileCoord.Y` (renamed properties; wire names `z`/`x`/`y`) | 5 | `TileService.cs` (`Uuidv5.LocationHashForTile`), `TileInventoryTests.cs`, `TileInventoryValidationTests.cs`, `InventoryRequestValidatorTests.cs`, `TileInventory.cs` self-references in `TileInventoryEntry` | TileDownloader (production), Tests (unit + integration) |
+| `[JsonRequired]` on `TileCoord.Z/X/Y` | n/a | enforced at runtime by `System.Text.Json` + caught by `GlobalExceptionHandler` (no compile-time consumer) | WebApi (deserializer + handler) |
+| `InventoryRequestValidator` / `TileCoordValidator` | 3 | `Program.cs` (assembly-scan registration via `AddValidatorsFromAssemblyContaining<Program>()`), `InventoryRequestValidatorTests.cs`, `TileInventoryValidationTests.cs` (indirect through the running API) | WebApi (production), Tests (unit + integration) |
+| `ValidationEndpointFilter<T>` / `WithValidation<T>()` | 1 (current) + N-future | `Program.cs` (`MapPost("/api/satellite/tiles/inventory", …).WithValidation<TileInventoryRequest>()`) | WebApi |
+| `GlobalValidatorConfig.ApplyOnce` | 2 | `Program.cs` (production), `ValidatorTestModuleInitializer.cs` (unit-test assembly load) | WebApi, Tests (unit) |
+| `GlobalExceptionHandler` | 1 | `Program.cs` (DI registration + middleware order) | WebApi |
+| `ProblemDetailsAssertions.AssertValidationProblem` | 1 (current) + N-future | `TileInventoryValidationTests.cs`; designed to be reused by every future per-endpoint child task under AZ-795 | Tests (integration) |
+| `FluentValidation` package (12.0.0) | 4 | `SatelliteProvider.Api.csproj`, `SatelliteProvider.Tests.csproj`, `InventoryRequestValidator.cs`, `InventoryRequestValidatorTests.cs` | WebApi, Tests (unit) |
+
+## Doc refresh decisions
+
+All importers land inside components that already received targeted updates during Step 10 (Implement) and this Step 13:
+
+- **WebApi (`Program.cs`)** — updated `_docs/02_document/modules/api_program.md` with the new endpoint description, the new `Api/Validators` section (filter + extensions + validator + global config), the new `Api/GlobalExceptionHandler` section, expanded DI registration (ProblemDetails + GlobalExceptionHandler + strict JSON + FluentValidation), and the new dependency entries.
+- **Common (DTOs)** — updated `_docs/02_document/modules/common_dtos.md`: `TileCoord` now documents the rename + `[JsonRequired]` markers + ValidationProblemDetails fallout; `TileInventoryRequest` documents the XOR enforcement by `InventoryRequestValidator`; `TileInventoryEntry` documents the rename echo; `TileInventoryLimits` documents the validator as the enforcer.
+- **Validators (new subfolder)** — captured under `module-layout.md` with two new entries:
+  - `Api/Validators/{InventoryRequestValidator,TileCoordValidator,ValidationEndpointFilter,ValidationEndpointFilterExtensions,GlobalValidatorConfig}`.
+  - `Api/GlobalExceptionHandler`.
+- **Tests (unit)** — updated `_docs/02_document/modules/tests_unit.md` with the new "AZ-795 + AZ-796 — strict inventory validation (cycle 7)" subsection, the new `[ModuleInitializer]` helper, the new FluentValidation/TestHelper NuGet entry, and the cycle 7 unit-suite totals (311 tests).
+- **Tests (integration)** — updated `_docs/02_document/modules/tests_integration.md`: new `TileInventoryValidationTests` entry, new `ProblemDetailsAssertions` helper entry, cycle-7 stability note on `TileInventoryTests`, and the cycle-7 fix on `IdempotentPostTests` (payload rename forced by strict deserializer).
+
+System-level docs also updated this pass:
+
+- `architecture.md` — already carries the new "§ 9 Input Validation (AZ-795)" section (was added during the implementation phase along with the validator coverage table). No further changes needed; the AZ-794 wire-format rename is captured at the inventory-contract level rather than in architecture prose.
+- `system-flows.md` — F8 flow header updated to credit cycle 7; sequence diagram annotated with the two new validation gates (deserializer + filter); Validation Surface table expanded from 4 rows to 13 rows covering every failure mode from `error-shape.md`.
+- `glossary.md` — `Tile Inventory` entry updated to v2.0.0 wire shape + cite the cycle-7 validator; added three new entries: `Validation Problem Details`, `FluentValidation`, `Unmapped Member Handling`.
+- `module-layout.md` — Last Updated bumped + cycle-7 changelog line prepended.
+- `tests/blackbox-tests.md` and `tests/traceability-matrix.md` — updated during Step 12 (Test-Spec Sync): BT-27 added + 12 AC rows added (AZ-794 AC-1..AC-4 + AZ-795 epic-level + AZ-796 AC-1..AC-7) + Coverage Summary refresh.
+
+## No-ripple components
+
+These components were NOT touched by cycle-7 changes and require no doc update:
+
+- **DataAccess** — no schema or repository signature changes in cycle 7. The cycle-6 `tiles_leaflet_path` covering index and the cycle-5 identity columns are unaffected by the wire-format rename or by the new validators.
+- **TileDownloader (`TileService.GetInventoryAsync`)** — the algorithm is unchanged: it still computes `Uuidv5.LocationHashForTile(z, x, y)` per coord. Only the *property names* on the DTO changed (`TileZoom` → `Z`, etc.); the value contract is identical.
+- **RegionProcessing / RouteManagement** — no imports against cycle-7 symbols.
+- **DataAccess migrations** — no new migration in cycle 7; the existing identity columns and indices already carry the production load.
+
+## Parse-failure / heuristic notes
+
+None — every symbol resolved via direct `Grep --type cs`. No fallback heuristic was needed. The cycle 7 surface is intentionally narrow (3 tasks, all WebApi-layer concerns) which keeps the ripple log short.
+
+## AZ-795 epic posture
+
+The `architecture.md` § 9 table classifies all other public endpoints as `partial` and tags them as "future AZ-795 child" — the epic remains open. Cycle 7 lands the shared infrastructure + the first per-endpoint application (AZ-796). Subsequent child tickets will reuse `ValidationEndpointFilter<T>`, `ProblemDetailsAssertions`, and the `error-shape.md` contract without adding new infrastructure.

_docs/02_document/ripple_log_cycle8.md

@@ -0,0 +1,105 @@
+# Cycle 8 — Documentation Ripple Log
+
+**Cycle**: 8 (AZ-808 region-request validation + AZ-809 route-creation validation + AZ-810 UAV upload metadata validation + AZ-811 GET tiles/latlon validation + AZ-812 Region OSM rename)
+**Generated by**: `/document` skill (task mode) during autodev Step 13
+**Resolution method**: `Grep --type cs` against every new or changed symbol introduced by the five tasks. C# `using`-based import analysis on `RequestRegionRequest` (renamed `Lat`/`Lon`), `UavTileMetadata` + `UavTileBatchMetadataPayload` (`[JsonRequired]`), `CreateRouteRequest` + `RoutePoint` + `GeofencePolygon` + `Geofences` + `GeoPoint` (`[JsonRequired]`), the four new validator classes, the two new envelope filters (`UavUploadValidationFilter`, `RejectUnknownQueryParamsEndpointFilter`), and the new query DTO `GetTileByLatLonQuery`. No static-analyzer used — the new surface lives almost entirely behind `Program.cs` + the four per-endpoint test files, so the literal usage scan is exhaustive.
+
+## Directly-changed source files (cycle 8)
+
+- `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` (AZ-812, modified) — C# properties renamed `Latitude/Longitude` → `Lat/Lon` with `[JsonPropertyName("lat")]` / `[JsonPropertyName("lon")]`. AZ-808 added `[JsonRequired]` to `Id` + the two coordinate axes + `SizeMeters` + `ZoomLevel` + `StitchTiles` so partial bodies are rejected at the deserializer layer.
+- `SatelliteProvider.Common/DTO/UavTileMetadata.cs` (AZ-810, modified) — `[JsonRequired]` added to `Latitude`, `Longitude`, `TileZoom`, `TileSizeMeters`, `CapturedAt`. `FlightId` intentionally NOT marked required (AZ-503 anonymous-flight semantics require `null` to be valid). `UavTileBatchMetadataPayload.Items` also marked `[JsonRequired]`.
+- `SatelliteProvider.Common/DTO/RoutePoint.cs` (AZ-809, modified) — `[JsonRequired]` on `Latitude` + `Longitude`; `[JsonPropertyName("lat")]` / `[JsonPropertyName("lon")]` confirm the wire shape pre-rename (`RoutePoint` was already using `lat`/`lon`, only `RequestRegionRequest` was the OSM-rename target).
+- `SatelliteProvider.Common/DTO/CreateRouteRequest.cs` (AZ-809, modified) — `[JsonRequired]` on every non-optional field (`Id`, `Name`, `RegionSizeMeters`, `ZoomLevel`, `Points`, `RequestMaps`, `CreateTilesZip`); `Description` and `Geofences` left optional.
+- `SatelliteProvider.Common/DTO/GeofencePolygon.cs` (AZ-809, modified) — `[JsonRequired]` on `NorthWest` + `SouthEast` so partial polygons fail at the deserializer.
+- `SatelliteProvider.Common/DTO/Geofences.cs` (AZ-809, modified) — `[JsonRequired]` on `Polygons` so `geofences: {}` is rejected.
+- `SatelliteProvider.Common/DTO/GeoPoint.cs` (AZ-809, modified) — `[JsonRequired]` on both axes for the geofence-corner case.
+- `SatelliteProvider.Api/Program.cs` (AZ-808/809/810/811/812, modified) —
+  - `.WithValidation<RequestRegionRequest>()` on `MapPost("/api/satellite/request", …)` (AZ-808).
+  - `.WithValidation<CreateRouteRequest>()` on `MapPost("/api/satellite/route", …)` (AZ-809).
+  - `.AddEndpointFilter<UavUploadValidationFilter>()` on `MapPost("/api/satellite/upload", …)` (AZ-810) — bespoke multipart filter, not the generic `WithValidation<T>()`.
+  - `.AddEndpointFilter(new RejectUnknownQueryParamsEndpointFilter("lat", "lon", "zoom"))` + `.WithValidation<GetTileByLatLonQuery>()` on `MapGet("/api/satellite/tiles/latlon", …)` (AZ-811) — two-filter chain so unknown-key rejection precedes range checks.
+  - `AddTransient<UavUploadValidationFilter>()` registration (AZ-810 — the filter has injected dependencies).
+  - The `ParameterDescriptionFilter` Swagger op filter trimmed the obsolete `Latitude`/`Longitude`/`ZoomLevel` query-param annotations (AZ-811 cleanup; lat/lon/zoom remain).
+- `SatelliteProvider.Api/Validators/RegionRequestValidator.cs` (AZ-808, **new**) — `AbstractValidator<RequestRegionRequest>` with rules for non-zero `id`, `lat`/`lon` ranges, `sizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\].
+- `SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs` (AZ-809, **new**) — root validator chaining `RuleForEach(req => req.Points).SetValidator(new RoutePointValidator())` for per-point checks, `RuleForEach(req => req.Geofences!.Polygons).SetValidator(new GeofencePolygonValidator()).OverridePropertyName("geofences.polygons")` for per-polygon checks, plus `Must(req => !(req.CreateTilesZip && !req.RequestMaps)).WithName("createTilesZip")` for the cross-field rule. Note the `OverridePropertyName` is required because FluentValidation's default name policy drops the parent on deep `req.Geofences!.Polygons` expressions.
+- `SatelliteProvider.Api/Validators/RoutePointValidator.cs` (AZ-809, **new**) — per-point lat/lon range rules with `OverridePropertyName("lat"/"lon")` so error keys match the wire format.
+- `SatelliteProvider.Api/Validators/GeofencePolygonValidator.cs` (AZ-809, **new**) — cross-field invariants `NW.Lat > SE.Lat` AND `NW.Lon < SE.Lon` for axis-aligned bounding boxes.
+- `SatelliteProvider.Api/Validators/UavTileBatchMetadataPayloadValidator.cs` (AZ-810, **new**) — `items` count rules (non-null, non-empty, ≤ `UavQualityConfig.MaxBatchSize`) + `RuleForEach(p => p.Items).SetValidator(new UavTileMetadataValidator(...))`.
+- `SatelliteProvider.Api/Validators/UavTileMetadataValidator.cs` (AZ-810, **new**) — per-item rules: `latitude` ∈ \[-90, 90\], `longitude` ∈ \[-180, 180\], `tileZoom` ∈ \[0, 22\], `tileSizeMeters` > 0, `capturedAt` within `\[now - MaxAgeDays, now + CapturedAtFutureSkewSeconds\]`. Uses an injectable `TimeProvider` (defaults to `TimeProvider.System`).
+- `SatelliteProvider.Api/Validators/UavUploadValidationFilter.cs` (AZ-810, **new**) — `IEndpointFilter` for `POST /api/satellite/upload`. Reads the `metadata` form field, deserializes via the strict global `JsonSerializerOptions`, runs `IValidator<UavTileBatchMetadataPayload>` from DI, and enforces the envelope cross-field rule `items.Count == files.Count`. Error-map keys prefixed with `metadata.` so paths surface to the caller as `errors["metadata.items[0].latitude"]`.
+- `SatelliteProvider.Api/Validators/GetTileByLatLonQueryValidator.cs` (AZ-811, **new**) — `AbstractValidator<GetTileByLatLonQuery>` with `lat`/`lon`/`zoom` rules using `Cascade(CascadeMode.Stop) → NotNull → InclusiveBetween` so missing-param surfaces only as `"\`<paramName>\` is required."`.
+- `SatelliteProvider.Api/Validators/RejectUnknownQueryParamsEndpointFilter.cs` (AZ-811, **new**) — generic envelope filter parameterized by an allowed-keys set; rejects unknown query-string parameters with RFC 7807 `ValidationProblemDetails`. **New shared infrastructure** designed for reuse by any future query-param endpoint (AZ-811 AC-9).
+- `SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs` (AZ-811, **new**) — `record GetTileByLatLonQuery(double? Lat, double? Lon, int? Zoom)` with `[FromQuery(Name="lat"|"lon"|"zoom")]` on each property. Bound via `[AsParameters]` on the handler. Nullable on purpose — see api_program.md commentary.
+- `_docs/02_document/contracts/api/region-request.md` (AZ-808 + AZ-812, **new**) — v1.0.0 wire-format contract for `POST /api/satellite/request`. Published directly with `lat`/`lon` per AZ-812 AC-6 coordination (no v2.0.0 bump needed since AZ-808 + AZ-812 shipped same-cycle).
+- `_docs/02_document/contracts/api/route-creation.md` (AZ-809, **new**) — v1.0.0 wire-format contract for `POST /api/satellite/route` covering all 14 validation rules, the nested per-point / per-polygon structure, and the `createTilesZip ⇒ requestMaps` cross-field invariant. Carries advisory notes for AZ-809 AC-9 (`sizeMeters` vs `regionSizeMeters` naming inconsistency) and AC-10 (input/output point-shape asymmetry).
+- `_docs/02_document/contracts/api/tile-latlon.md` (AZ-811, **new**) — v1.0.0 wire-format contract for `GET /api/satellite/tiles/latlon` covering the 5 validation rules + the novel unknown-query-param rejection. Documents the rename `?Latitude=&Longitude=&ZoomLevel=` → `?lat=&lon=&zoom=`.
+- `_docs/02_document/contracts/api/uav-tile-upload.md` (AZ-810, modified) — bumped to v1.2.0; new "Validation Rules" section covering the three-layer enforcement (deserializer, FluentValidation, envelope cross-field) and the `errors["metadata.…"]` key convention. Change Log entry names AZ-810.
+- `_docs/02_document/modules/api_program.md` (AZ-808/809/810/811/812, modified) — endpoint table entries for the 4 endpoints bumped to credit cycle 8 and reference the new contract docs. New `Api/Validators` section row for each cycle-8 validator. New `Api/DTOs` section for `GetTileByLatLonQuery`. DI Registration item 14 lists every cycle-8 validator. New item documenting the `UavUploadValidationFilter` AddTransient + AddEndpointFilter wiring.
+- `_docs/02_document/modules/common_dtos.md` (AZ-808/809/810/812, modified) — `RequestRegionRequest` renamed + JsonPropertyName documented; `RoutePoint`, `CreateRouteRequest`, `GeofencePolygon`, `Geofences`, `GeoPoint`, `UavTileMetadata`, `UavTileBatchMetadataPayload` all carry `[JsonRequired]` annotations explained; input/output `lat`/`latitude` asymmetry on the route endpoint surfaced.
+- `_docs/02_document/system-flows.md` (AZ-808/809/811, modified) — F1 (single-tile download) updated to reference `tile-latlon.md` + the unknown-query-param filter. F2 (region request) updated to reference `region-request.md` + the validator. F4 (route creation) updated to reference `route-creation.md` + the cross-field rules.
+- `_docs/02_document/architecture.md` (cycle 8, modified by Step 13) — (a) the contracts inventory line bumped to mention `uav-tile-upload.md` v1.2.0 + the four new cycle-8 contracts (`region-request.md`, `route-creation.md`, `tile-latlon.md`, `error-shape.md`); (b) new architectural principle "Strict wire-format validation at the API edge (AZ-795 epic, completed across cycles 7-8)" describing the two-layer enforcement and the no-handler-without-validation rule.
+- `SatelliteProvider.Tests/Validators/RegionRequestValidatorTests.cs` (AZ-808, **new**) — unit tests against each `RuleFor` chain.
+- `SatelliteProvider.Tests/Validators/CreateRouteRequestValidatorTests.cs` + `RoutePointValidatorTests.cs` + `GeofencePolygonValidatorTests.cs` (AZ-809, **new**) — ≥ 13 unit-test methods across the three validators.
+- `SatelliteProvider.Tests/Validators/UavTileMetadataValidatorTests.cs` + `UavTileBatchMetadataPayloadValidatorTests.cs` (AZ-810, **new**) — ≥ 11 unit-test methods covering each rule (incl. `TimeProvider` injection for freshness).
+- `SatelliteProvider.Tests/Validators/GetTileByLatLonQueryValidatorTests.cs` (AZ-811, **new**) — ≥ 3 unit-test methods.
+- `SatelliteProvider.IntegrationTests/RegionRequestValidationTests.cs` + `CreateRouteValidationTests.cs` + `UavUploadValidationTests.cs` + `GetTileByLatLonValidationTests.cs` (AZ-808/809/810/811, **new**) — ≥ 45 failure methods + 4 happy paths total; every test uses `ProblemDetailsAssertions` from AZ-795.
+- `SatelliteProvider.IntegrationTests/UavUploadTests.cs` (AZ-810 fallout, modified) — `NextTestCoordinate()` clamped to lat ∈ \[50, 70), lon ∈ \[10, 40) via modulo arithmetic. Pre-AZ-810 the seed `(Ticks/TicksPerSecond) % 1_000_000` produced lat > 90° which was silently accepted by the lenient pre-cycle-8 deserializer; the new AZ-810 validator (correctly) rejects it. This is the test-data bug that exposed the AC-9 false-PASS (see `_docs/LESSONS.md` 2026-05-23 entry).
+- `SatelliteProvider.IntegrationTests/UavUploadValidationTests.cs` (AZ-810, modified — same fix) — `NextTestCoordinate()` clamped to lat ∈ \[-70, -50), lon ∈ \[-40, -10) (non-overlapping with `UavUploadTests` to avoid per-source UNIQUE-index collisions when both suites run against the same DB).
+- `scripts/probe_region_validation.sh` + `probe_route_validation.sh` + `probe_upload_validation.sh` + `probe_latlon_validation.sh` (AZ-808/809/810/811, **new**) — manual probe scripts modelled on `probe_inventory_validation.sh`.
+
+## Importer scan results
+
+| Symbol | Importer count | Importer files | Component touched |
+|--------|----------------|----------------|-------------------|
+| `RequestRegionRequest.Lat` / `.Lon` (renamed properties; wire names unchanged at `lat`/`lon`) | 4 | `Program.cs` (request mapping), `RegionService.cs` (handler — uses `.Lat`/`.Lon` to build the queue message), `RegionRequestTests.cs`, `RegionRequestValidationTests.cs` | WebApi, RegionProcessing service, Tests |
+| `[JsonRequired]` on every cycle-8 DTO axis | n/a | enforced at runtime by `System.Text.Json` + caught by `GlobalExceptionHandler` (no compile-time consumer beyond the deserializer) | WebApi (deserializer + handler) |
+| `RegionRequestValidator` | 3 | `Program.cs` (assembly-scan registration), `RegionRequestValidatorTests.cs`, `RegionRequestValidationTests.cs` (indirect via running API) | WebApi (production), Tests (unit + integration) |
+| `CreateRouteRequestValidator` + `RoutePointValidator` + `GeofencePolygonValidator` | 4 | `Program.cs`, 3 unit-test files, `CreateRouteValidationTests.cs` (indirect) | WebApi (production), Tests (unit + integration) |
+| `UavTileBatchMetadataPayloadValidator` + `UavTileMetadataValidator` | 3 | `Program.cs`, 2 unit-test files, `UavUploadValidationTests.cs` (indirect) | WebApi (production), Tests (unit + integration) |
+| `GetTileByLatLonQueryValidator` | 3 | `Program.cs`, `GetTileByLatLonQueryValidatorTests.cs`, `GetTileByLatLonValidationTests.cs` (indirect) | WebApi (production), Tests (unit + integration) |
+| `UavUploadValidationFilter` | 2 | `Program.cs` (DI + endpoint filter wiring), `UavUploadValidationTests.cs` (indirect) | WebApi |
+| `RejectUnknownQueryParamsEndpointFilter` | 1 (current) + N-future | `Program.cs` (`MapGet("/api/satellite/tiles/latlon", …).AddEndpointFilter(new RejectUnknownQueryParamsEndpointFilter(...))`); designed to be reused by every future query-param endpoint per AZ-811 AC-9 | WebApi |
+| `GetTileByLatLonQuery` | 2 | `Program.cs` (handler signature `[AsParameters] GetTileByLatLonQuery`), `GetTileByLatLonQueryValidatorTests.cs` | WebApi (production), Tests (unit) |
+| `RoutePoint.Latitude/Longitude` + `[JsonRequired]` | 4 | `RouteService.cs` (handler), `RouteCreationTests.cs`, `CreateRouteValidationTests.cs`, `RoutePointValidatorTests.cs` | WebApi, RouteManagement service, Tests |
+| `CreateRouteRequest.*` + `[JsonRequired]` | 4 | `Program.cs`, `RouteService.cs`, `RouteCreationTests.cs`, `CreateRouteValidationTests.cs` | WebApi, RouteManagement service, Tests |
+| `GeofencePolygon`/`Geofences`/`GeoPoint` + `[JsonRequired]` | 5 | `CreateRouteRequest.cs`, `RouteService.cs` (point-in-polygon geofence filtering), `GeofencePolygonValidatorTests.cs`, `CreateRouteValidationTests.cs`, `Json` deserializer | WebApi, RouteManagement service, Tests |
+
+## Doc refresh decisions
+
+All importers land inside components that either received targeted updates during Step 10 (Implement) or were verified-clean during this Step 13:
+
+- **WebApi (`Program.cs`)** — `_docs/02_document/modules/api_program.md` updated during the implementation phase with: (a) endpoint table entries for the 4 cycle-8 endpoints crediting their respective tasks + contract docs, (b) new `Api/Validators` section rows for every cycle-8 validator + envelope filter, (c) new `Api/DTOs` section for `GetTileByLatLonQuery`, (d) DI Registration item 14 listing every cycle-8 validator, (e) DI Registration entry for the `UavUploadValidationFilter` AddTransient + AddEndpointFilter wiring. Verified during Step 13 — no further changes needed.
+- **Common (DTOs)** — `_docs/02_document/modules/common_dtos.md` updated with every modified DTO carrying its `[JsonRequired]` annotations explained, the AZ-812 `Lat/Lon` rename + JsonPropertyName attributes, and the route-endpoint input/output naming asymmetry caveat. Verified during Step 13 — no further changes needed.
+- **RegionProcessing (`RegionService.cs`)** — no module doc update needed; the handler's behavior is unchanged (it still reads `.Lat`/`.Lon` from the request DTO to build the queue message — only the property names changed, not the values or the queue contract). The internal `RegionRequest` queue message remains on `Latitude`/`Longitude` per design (intentionally kept, see `common_dtos.md` line 43 commentary).
+- **RouteManagement (`RouteService.cs`)** — no module doc update needed; the handler's behavior is unchanged. The `[JsonRequired]` annotations only affect the deserializer layer — once a payload passes, the handler sees the same shape it always did.
+- **WebApi (`GlobalExceptionHandler.cs`)** — unchanged from cycle 7. The handler is now exercised by 4 more endpoints' deserializer-layer failures (missing `[JsonRequired]` axes, unknown fields, type mismatches) but the implementation is identical.
+- **TileDownloader / DataAccess / DataAccess migrations** — not touched by cycle 8.
+- **Architecture** — `architecture.md` updated during Step 13 with: (a) contracts inventory line bumped to mention `uav-tile-upload.md` v1.2.0 + the four new cycle-8 contracts, (b) new "Strict wire-format validation at the API edge" architectural principle describing the two-layer enforcement and the no-handler-without-validation rule.
+- **System flows** — `system-flows.md` F1/F2/F4 updated during the implementation phase to credit cycle 8 and reference the new contract docs + error-shape contract. F6 (status query) + F8 (tile inventory bulk lookup) untouched — cycle 8 didn't change those endpoints.
+- **Tests (unit + integration)** — `_docs/02_document/modules/tests_unit.md` and `tests_integration.md` are not strictly required to enumerate every new test file (cycle 7 didn't extend them past a "AZ-795 + AZ-796 — strict inventory validation" subsection). Cycle 8 keeps the same convention — the new test files are documented in the traceability matrix + test-spec sync (BT-28..BT-31) rather than re-listed per file in the module docs.
+- **Tests (blackbox + traceability)** — `tests/blackbox-tests.md` and `tests/traceability-matrix.md` updated during Step 12 (Test-Spec Sync): BT-28..BT-31 added + 41 AC rows added (AZ-808 AC-1..AC-8 + AZ-809 AC-1..AC-10 + AZ-810 AC-1..AC-9 + AZ-811 AC-1..AC-9 + AZ-812 AC-1..AC-6) + Coverage Summary refresh.
+
+## No-ripple components
+
+These components were NOT touched by cycle-8 changes and require no doc update:
+
+- **DataAccess** — no schema, repository signature, or migration changes in cycle 8. The validation work is entirely at the API edge.
+- **TileDownloader** — not touched. The four cycle-8 endpoints either don't trigger tile downloads at all (`POST /api/satellite/request`, `POST /api/satellite/route`) or trigger them only after the validator has passed (`GET /api/satellite/tiles/latlon`, `POST /api/satellite/upload`).
+- **RegionProcessing background service** — not touched. The validator runs at the API edge before the request is enqueued.
+- **RouteManagement processing** — not touched for the same reason.
+
+## Parse-failure / heuristic notes
+
+None — every symbol resolved via direct `Grep --type cs`. No fallback heuristic was needed. The cycle 8 surface is wider than cycle 7 (5 tasks vs 3) but still narrow architecturally — every change is a WebApi-layer concern + DTO annotations + per-endpoint test files. The shared infrastructure landed in cycle 7 (AZ-795); cycle 8 is the per-endpoint rollout.
+
+## AZ-795 epic posture
+
+Cycle 8 completes the per-endpoint rollout of the AZ-795 strict-validation epic. After this cycle, **every public-facing JSON, multipart, and query-param endpoint** in the satellite-provider workspace goes through one of the three approved validation paths:
+
+1. **JSON-body endpoints** — `WithValidation<T>()` + `ValidationEndpointFilter<T>` + `JsonSerializerOptions.UnmappedMemberHandling.Disallow`. Used by `POST /api/satellite/tiles/inventory` (AZ-796 cycle 7), `POST /api/satellite/request` (AZ-808 cycle 8), `POST /api/satellite/route` (AZ-809 cycle 8).
+2. **Multipart endpoints** — bespoke `UavUploadValidationFilter` composing deserializer + FluentValidation + envelope cross-field. Used by `POST /api/satellite/upload` (AZ-810 cycle 8).
+3. **Query-param endpoints** — `RejectUnknownQueryParamsEndpointFilter` + `WithValidation<TQuery>()`. Used by `GET /api/satellite/tiles/latlon` (AZ-811 cycle 8).
+
+The `architecture.md` § "Strict wire-format validation at the API edge" principle (added this Step 13) codifies this as a rule for future endpoints — there is no fourth approved path. The previously-open AZ-795 epic now has zero outstanding child tickets in this workspace; future endpoints will pick one of the three paths above and reuse the existing infrastructure without new shared-infra work.
+
+The endpoints NOT validated by the AZ-795 stack are: `GET /api/satellite/region/{id}` (path-only, framework-handled Guid binding — covered by the strict path binder), `GET /api/satellite/route/{id}` (same), `GET /api/satellite/tiles/mgrs` (stub returning empty — no input to validate), `GET /tiles/{z}/{x}/{y}` (path-only, framework-handled int binding — the strict path binder rejects malformed values; whether to range-check `z`/`x`/`y` against slippy-map bounds is a separate decision deferred to parent-suite team per AZ-811 Out of Scope). These exemptions are documented in `api_program.md` so future contributors know they're intentional, not omissions.

_docs/02_document/system-flows.md

@@ -32,11 +32,11 @@
 
 ### Description
 
-Client requests a single satellite tile by geographic coordinates and zoom level. The service checks the cache (DB), downloads from Google Maps if not cached, stores it, and returns metadata.
+Client requests a single satellite tile by geographic coordinates and zoom level. The service checks the cache (DB), downloads from Google Maps if not cached, stores it, and returns metadata. The wire-format contract is `_docs/02_document/contracts/api/tile-latlon.md` v1.0.0; failure responses follow `error-shape.md` v1.0.0.
 
 ### Preconditions
 
-- Valid latitude, longitude, and zoom level provided
+- Query params `lat` ∈ [-90, 90], `lon` ∈ [-180, 180], `zoom` ∈ [0, 22]. Any unknown query key (e.g. legacy `?Latitude=` typo) is rejected by `RejectUnknownQueryParamsEndpointFilter` (AZ-811 cycle 8) with HTTP 400. Range checks via `GetTileByLatLonQueryValidator`.
 - Google Maps session token configured
 
 ### Sequence Diagram
@@ -80,11 +80,11 @@ sequenceDiagram
 
 ### Description
 
-Client submits a region definition (center point, size, zoom). The request is persisted and queued for asynchronous processing.
+Client submits a region definition (center point, size, zoom). The request is persisted and queued for asynchronous processing. The wire-format contract is `_docs/02_document/contracts/api/region-request.md` v1.0.0; failure responses follow `error-shape.md` v1.0.0.
 
 ### Preconditions
 
-- Valid region parameters (lat, lon, size_meters, zoom_level)
+- Valid region parameters: non-zero `id` (UUID), `lat` ∈ [-90, 90], `lon` ∈ [-180, 180], `sizeMeters` ∈ [100, 10000], `zoomLevel` ∈ [0, 22], explicit `stitchTiles` (bool, no default). Enforced by `RegionRequestValidator` + `[JsonRequired]` at the API edge (AZ-808 cycle 8).
 
 ### Sequence Diagram
 
@@ -177,12 +177,13 @@ sequenceDiagram
 
 ### Description
 
-Client submits a route (ordered waypoints + optional geofence polygons). The service interpolates intermediate points every ~200m and persists the full point set.
+Client submits a route (ordered waypoints + optional geofence polygons). The service interpolates intermediate points every ~200m and persists the full point set. The wire-format contract is `_docs/02_document/contracts/api/route-creation.md` v1.0.0; failure responses follow `error-shape.md` v1.0.0.
 
 ### Preconditions
 
-- At least 2 waypoints provided
+- JWT in `Authorization: Bearer <token>` validates against the API's signing key, issuer, and audience (`.RequireAuthorization()`).
-- Valid geofence polygons (if provided)
+- Request body deserializes successfully: all `[JsonRequired]` axes present (`id`, `name`, `regionSizeMeters`, `zoomLevel`, `points`, `requestMaps`, `createTilesZip`, plus per-point `lat`/`lon`, per-polygon `northWest`/`southEast`, per-corner `lat`/`lon`, `geofences.polygons` when `geofences` present); no unknown root or nested fields (`UnmappedMemberHandling.Disallow`).
+- `CreateRouteRequestValidator` rules pass: non-zero `id`, name length \[1, 200\], description length ≤ 1000, `regionSizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\], `points` count ∈ \[2, 500\] with each point's lat/lon in range, per-polygon corner ranges + NW-of-SE invariants, `createTilesZip ⇒ requestMaps`.
 
 ### Sequence Diagram
 
@@ -190,26 +191,33 @@ Client submits a route (ordered waypoints + optional geofence polygons). The ser
 sequenceDiagram
     participant Client
     participant WebApi
+    participant ValidationFilter
     participant RouteService
     participant RouteRepo
     participant GeoUtils
 
-    Client->>WebApi: POST /api/satellite/route {points, geofences, options}
+    Client->>WebApi: POST /api/satellite/route {id, name, points, geofences?, ...}
-    WebApi->>RouteService: CreateRoute(request)
+    WebApi->>ValidationFilter: .WithValidation<CreateRouteRequest>()
-    RouteService->>GeoUtils: Interpolate points between waypoints
+    alt validation fails
-    GeoUtils-->>RouteService: All points (original + intermediate)
+        ValidationFilter-->>Client: 400 ValidationProblemDetails (errors{path→msg})
-    RouteService->>RouteRepo: InsertRoute(RouteEntity)
+    else validation passes
-    RouteService->>RouteRepo: InsertPoints(RoutePointEntities)
+        WebApi->>RouteService: CreateRoute(request)
-    RouteService-->>WebApi: RouteResponse
+        RouteService->>GeoUtils: Interpolate points between waypoints
-    WebApi-->>Client: 200 OK {route_id, total_points, total_distance}
+        GeoUtils-->>RouteService: All points (original + intermediate)
+        RouteService->>RouteRepo: InsertRoute(RouteEntity)
+        RouteService->>RouteRepo: InsertPoints(RoutePointEntities)
+        RouteService-->>WebApi: RouteResponse
+        WebApi-->>Client: 200 OK {id, totalPoints, totalDistanceMeters, ...}
+    end
 ```
 
 ### Error Scenarios
 
 | Error | Where | Detection | Recovery |
 |-------|-------|-----------|----------|
-| Invalid points (< 2) | Validation | Count check | Return 400 |
+| Missing `[JsonRequired]` axis / unknown field / type mismatch | Deserializer | `JsonException` → `GlobalExceptionHandler` | Return 400 `ValidationProblemDetails` (per `error-shape.md` v1.0.0) |
-| DB insert failure | Persist step | Exception | Return 500 |
+| Validator rule violation (range, count, cross-field) | `ValidationEndpointFilter<CreateRouteRequest>` | `CreateRouteRequestValidator` + nested `RoutePointValidator` / `GeofencePolygonValidator` | Return 400 with `errors{path→msg}` map |
+| DB insert failure | Persist step | Exception | Return 500 (sanitised body + correlationId per AZ-353) |
 
 ---
 
@@ -327,11 +335,11 @@ sequenceDiagram
 
 ---
 
-## Flow F8: Tile Inventory Bulk Lookup (added AZ-505)
+## Flow F8: Tile Inventory Bulk Lookup (added AZ-505; renamed + strict-validated AZ-794+AZ-795+AZ-796, cycle 7)
 
 ### Description
 
-Programmatic clients (httpx `http2=True`, .NET `HttpClient`, onboard cross-repo callers) post a batch of up to 5000 `(z, x, y)` triples (Form A) or up to 5000 pre-computed `location_hash` UUIDs (Form B) and get one inventory entry per input slot, in the same order. Each entry says whether the cell is present and — when present — the most-recent row's `id`, `capturedAt`, `source`, `flightId`, and `resolutionMPerPx`. No tile bodies are returned; the caller subsequently fetches bodies via F7. This is the read-half of the bulk-list contract that the onboard `gps-denied-onboard` workspace consumes to decide which Google-Maps cells it needs and which UAV variants are already on the server.
+Programmatic clients (httpx `http2=True`, .NET `HttpClient`, onboard cross-repo callers) post a batch of up to 5000 `{z, x, y}` triples (Form A; the wire field names were renamed from `tileZoom/tileX/tileY` by AZ-794, cycle 7) or up to 5000 pre-computed `location_hash` UUIDs (Form B) and get one inventory entry per input slot, in the same order. Each entry says whether the cell is present and — when present — the most-recent row's `id`, `capturedAt`, `source`, `flightId`, and `resolutionMPerPx`. No tile bodies are returned; the caller subsequently fetches bodies via F7. This is the read-half of the bulk-list contract that the onboard `gps-denied-onboard` workspace consumes to decide which Google-Maps cells it needs and which UAV variants are already on the server.
 
 ### Sequence Diagram
 
@@ -345,8 +353,9 @@ sequenceDiagram
 
     Client->>Kestrel: POST /api/satellite/tiles/inventory (JWT, Form A or B)
     Kestrel->>GetTilesInventory: route match
-    GetTilesInventory->>GetTilesInventory: XOR check (both/neither populated → 400)
+    Note over Kestrel,GetTilesInventory: AZ-795 deserializer guards (UnmappedMemberHandling.Disallow + [JsonRequired])<br/>catch unknown / missing / type-mismatched fields → 400 ValidationProblemDetails<br/>via GlobalExceptionHandler (cycle 7)
-    GetTilesInventory->>GetTilesInventory: cap check (count > 5000 → 400)
+    GetTilesInventory->>GetTilesInventory: ValidationEndpointFilter<TileInventoryRequest><br/>(InventoryRequestValidator — AZ-796 cycle 7)
+    Note over GetTilesInventory: 9 business rules: XOR / non-empty / per-array cap / Z range / X+Y range
     GetTilesInventory->>TileService: GetInventoryAsync(request)
     Note over TileService: Form A: compute location_hash per coord<br/>via Uuidv5.LocationHashForTile<br/>Form B: echo caller-supplied hashes
     TileService->>TileRepo: GetTilesByLocationHashesAsync(hashes)
@@ -357,15 +366,26 @@ sequenceDiagram
     GetTilesInventory-->>Client: 200 OK, JSON (results in input order)
 ```
 
-### Validation Surface
+### Validation Surface (post-cycle 7 — AZ-795 + AZ-796)
 
 | Input | Detection | Response |
 |-------|-----------|----------|
-| Both `tiles` and `locationHashes` populated | Handler XOR check | 400 + ProblemDetails (`tile-inventory.md` Inv-1) |
+| Empty / missing body | System.Text.Json (`[JsonRequired]` on `Tiles`/`LocationHashes` covered indirectly via `InventoryRequestValidator`) | 400 + `ValidationProblemDetails` |
-| Neither populated | Handler XOR check | 400 + ProblemDetails |
+| Both `tiles` and `locationHashes` populated | `InventoryRequestValidator` `.Must(...)` (Rule 1, XOR — `tile-inventory.md` v2.0.0 Inv-1) | 400 + `ValidationProblemDetails`, key `""` |
-| `count > 5000` (`TileInventoryLimits.MaxEntriesPerRequest`) | Handler cap check | 400 + ProblemDetails (Inv-7) |
+| Neither populated | `InventoryRequestValidator` `.Must(...)` (Rule 1, XOR) | 400 + `ValidationProblemDetails`, key `""` |
+| `tiles` or `locationHashes` array is empty | `InventoryRequestValidator` `.Must(...)` (Rule 1, XOR — non-empty arm) | 400 + `ValidationProblemDetails`, key `""` |
+| `tiles.Count > 5000` (`TileInventoryLimits.MaxEntriesPerRequest`) | `InventoryRequestValidator` `.Must(t => t.Count <= 5000)` (Rule 6 — Inv-7) | 400 + `ValidationProblemDetails`, key `tiles` |
+| `locationHashes.Count > 5000` | `InventoryRequestValidator` `.Must(h => h.Count <= 5000)` (Rule 7 — Inv-7) | 400 + `ValidationProblemDetails`, key `locationHashes` |
+| `tiles[i].z` missing OR out of range (must be `0..22` inclusive) | `[JsonRequired]` on `Z` (deserializer) + `TileCoordValidator` Rule 4 | 400 + `ValidationProblemDetails`, key `tiles[i].z` |
+| `tiles[i].x` missing OR `< 0` OR `>= 2^z` | `[JsonRequired]` on `X` (deserializer) + `TileCoordValidator` Rule 5 | 400 + `ValidationProblemDetails`, key `tiles[i].x` |
+| `tiles[i].y` missing OR `< 0` OR `>= 2^z` | `[JsonRequired]` on `Y` (deserializer) + `TileCoordValidator` Rule 5 | 400 + `ValidationProblemDetails`, key `tiles[i].y` |
+| Legacy `tileZoom/tileX/tileY` field names | `UnmappedMemberHandling.Disallow` (deserializer; AZ-794 + AZ-795) | 400 + `ValidationProblemDetails`, key `tiles[i].tileZoom` (etc.) |
+| Unknown root or nested field | `UnmappedMemberHandling.Disallow` (deserializer; AZ-795) | 400 + `ValidationProblemDetails`, key on the unknown path |
+| Wrong JSON type (e.g. `"z": "18"`) | System.Text.Json type-mismatch (deserializer; AZ-795) | 400 + `ValidationProblemDetails`, key on the offending path |
 | No `Authorization: Bearer …` header | `.RequireAuthorization()` | 401 before handler runs |
 
+All 4xx bodies conform to `error-shape.md` v1.0.0. The same `ValidationProblemDetails` shape is emitted whether the failure was caught by the FluentValidation business-rule layer (`InventoryRequestValidator`) or by the deserializer layer (via `GlobalExceptionHandler`). Both layers are unit + integration tested in `SatelliteProvider.Tests/Validators/InventoryRequestValidatorTests` and `SatelliteProvider.IntegrationTests/TileInventoryValidationTests`.
+
 ### Performance
 
 p95 ≤ 1000 ms for 2500-coord batches (AZ-505 AC-4). Cycle-6 measured: p95=66ms — well under budget. The covering index (`tiles_leaflet_path`) supplies the leading `location_hash` lookup; the projection's columns beyond the INCLUDE list (`id`, `captured_at`, `flight_id`, ...) trigger a bounded heap fetch which is documented and accepted per the AZ-505 NFR.

_docs/02_document/tests/blackbox-tests.md

@@ -2,7 +2,7 @@
 
 ## BT-01: Single Tile Download
 
-**Trigger**: GET /api/satellite/tiles/latlon?Latitude=47.461747&Longitude=37.647063&ZoomLevel=18
+**Trigger**: GET /api/satellite/tiles/latlon?lat=47.461747&lon=37.647063&zoom=18
 **Precondition**: Tile not in cache
 **Expected**: HTTP 200; JSON with zoomLevel=18, tileSizePixels=256, imageType="jpg", filePath matching pattern `tiles/18/*/...`
 **Pass criterion**: All fields present and correct values
@@ -37,9 +37,9 @@
 
 ## BT-06: Simple Route Creation (2 points)
 
-**Trigger**: POST /api/satellite/route with 2 waypoints (48.276067,37.384458) → (48.270740,37.374029), regionSize=500, zoom=18
+**Trigger**: POST /api/satellite/route with id=`<new-Guid>`, name=`<unique>`, 2 waypoints (48.276067,37.384458) → (48.270740,37.374029), regionSizeMeters=500, zoomLevel=18, requestMaps=false, createTilesZip=false. Post-AZ-809 (cycle 8) every `[JsonRequired]` axis must be present — see `_docs/02_document/contracts/api/route-creation.md` v1.0.0.
-**Expected**: Route created with interpolated intermediate points
+**Expected**: HTTP 200 + route created with interpolated intermediate points.
-**Pass criterion**: totalPoints > 2; every point spacing ≤ 200m; first point type="original"; last point type="original"; intermediates type="intermediate"
+**Pass criterion**: totalPoints > 2; every point spacing ≤ 200m; first point type="original"; last point type="original"; intermediates type="intermediate".
 
 ## BT-07: Route Retrieval by ID
 
@@ -86,33 +86,36 @@
 
 ## BT-N01: Invalid Coordinates (out of range)
 
-**Trigger**: GET /api/satellite/tiles/latlon?Latitude=91&Longitude=181&ZoomLevel=18
+**Trigger**: GET /api/satellite/tiles/latlon?lat=91&lon=181&zoom=18
 **Expected**: Error response
 **Pass criterion**: HTTP 4xx or error in response body
 
 ## BT-N02: Invalid Zoom Level
 
-**Trigger**: GET /api/satellite/tiles/latlon?Latitude=47.46&Longitude=37.64&ZoomLevel=25
+**Trigger**: GET /api/satellite/tiles/latlon?lat=47.46&lon=37.64&zoom=25
 **Expected**: Error response
 **Pass criterion**: HTTP 4xx or error indicating invalid zoom
 
 ## BT-N03: Route with < 2 Points
 
-**Trigger**: POST /api/satellite/route with only 1 point
+**Trigger**: POST /api/satellite/route with only 1 point (post-AZ-809 wire format: `id`/`name`/`regionSizeMeters`/`zoomLevel`/`points`/`requestMaps`/`createTilesZip`).
-**Expected**: Validation error
+**Expected**: HTTP 400 + `ValidationProblemDetails` per `error-shape.md` v1.0.0; `errors["points"]` map entry from `CreateRouteRequestValidator`.
-**Pass criterion**: HTTP 400 or validation error message
+**Pass criterion**: HTTP 400; response body `Content-Type: application/problem+json`; `errors["points"]` mentions the `[2, 500]` count constraint.
+**AC trace**: AZ-809 AC-1 (rule 7).
 
-## BT-N04: Geofence with Invalid Coordinates (0,0)
+## BT-N04: Geofence with Invalid Coordinates (0,0) — superseded by AZ-809
 
-**Trigger**: POST /api/satellite/route with geofence NW=(0,0) SE=(0,0)
+**Trigger**: POST /api/satellite/route with geofence NW=(0,0) SE=(0,0).
-**Expected**: Validation error
+**Expected**: HTTP 400 + `ValidationProblemDetails`. Pre-AZ-809 behavior accepted (0,0) corners but caught the equal-corners case via the legacy `RouteValidator`. Post-AZ-809, `GeofencePolygonValidator` rejects equal corners because BOTH cross-field invariants (`NW.Lat > SE.Lat` and `NW.Lon < SE.Lon`) fail.
-**Pass criterion**: Error message mentioning coordinates cannot be (0,0)
+**Pass criterion**: HTTP 400; `errors["geofences.polygons[0].northWest"]` contains both the lat and lon invariant messages.
+**AC trace**: AZ-809 AC-1 (rule 9, cross-field invariant).
 
-## BT-N05: Geofence with Inverted Corners
+## BT-N05: Geofence with Inverted Corners — superseded by AZ-809
 
-**Trigger**: POST /api/satellite/route with geofence NW.lat < SE.lat
+**Trigger**: POST /api/satellite/route with geofence NW.lat < SE.lat (NW south-of SE).
-**Expected**: Validation error
+**Expected**: HTTP 400 + `ValidationProblemDetails`. Post-AZ-809 the failure surfaces at `errors["geofences.polygons[0].northWest"]` with message "\`northWest.lat\` must be greater than \`southEast.lat\` (NW is north-of SE)".
-**Pass criterion**: Error message about northWest latitude > southEast latitude
+**Pass criterion**: HTTP 400; named error key matches the wire path; message is the cross-field invariant.
+**AC trace**: AZ-809 AC-1 (rule 9).
 
 ---
 
@@ -163,7 +166,7 @@ All Cycle-2 UAV scenarios run with a JWT containing `permissions: ["GPS"]` (per
 
 ## BT-18: Existing Tile Endpoint Returns Identical Body with Valid Bearer
 
-**Trigger**: GET `/api/satellite/tiles/latlon?Latitude=47.461747&Longitude=37.647063&ZoomLevel=18` with a valid Bearer token.
+**Trigger**: GET `/api/satellite/tiles/latlon?lat=47.461747&lon=37.647063&zoom=18` with a valid Bearer token.
 **Precondition**: Tile may or may not be cached.
 **Expected**: Response body is structurally identical to BT-01 (`tileId`, `zoomLevel == 18`, `tileSizePixels == 256`, `imageType == "jpg"`, `filePath` matches `tiles/18/*/*`).
 **Pass criterion**: status == 200 AND BT-01's pass criterion AND no behavioral change vs pre-AZ-487 baseline.
@@ -244,3 +247,149 @@ All Cycle-5 UAV scenarios reuse the AZ-488 envelope. The new observable surface
 **Pass criterion**: All four expected status codes returned; no response leaks server internals.
 **AC trace**: AZ-505 AC-6.
 
+---
+
+## Cycle 7 — AZ-794 / AZ-795 / AZ-796 Strict Validation + z/x/y Rename
+
+Cycle 7 hardens `POST /api/satellite/tiles/inventory` by combining (a) the OSM-convention rename of body fields from `tileZoom/tileX/tileY` to `z/x/y` (AZ-794), (b) the shared input-validation infrastructure (AZ-795 — FluentValidation + `ValidationEndpointFilter<T>` + `GlobalExceptionHandler` + `JsonSerializerOptions.UnmappedMemberHandling.Disallow`), and (c) the inventory endpoint's nine concrete validation rules (AZ-796). The cycle's wire-shape contract is `tile-inventory.md` v2.0.0; the failure-response contract is `error-shape.md` v1.0.0.
+
+The cycle introduces no new HTTP routes. Functional positive coverage is unchanged from cycle 6 — `TileInventoryTests.OrderingAndPresentAbsentShaping_AC1` and the rest of the AZ-505 suite continue to assert ordering, present/absent shaping, leaflet selection, HTTP/2, and the perf budget against the post-rename body shape. The new tests below cover the strict-rejection behaviour that pre-cycle-7 silently coerced.
+
+## BT-27: Inventory Endpoint — Nine Validation Rules with RFC 7807 ProblemDetails
+
+**Trigger**: A family of `POST /api/satellite/tiles/inventory` calls, each violating exactly ONE validation rule from AZ-796 §"Required validations (9 rules)". One additional sub-case asserts the legacy `tileZoom/tileX/tileY` field names are now rejected (intersection of AZ-794 + AZ-796).
+**Precondition**: API up; valid JWT attached on every sub-case. `error-shape.md` v1.0.0 + `tile-inventory.md` v2.0.0 frozen.
+**Expected**: HTTP 400 with `Content-Type: application/problem+json` for every sub-case. The body conforms to the validation-failure shape from `error-shape.md` v1.0.0 (Inv-1 .. Inv-7); the `errors` map names the offending field path using the request body's camelCase. Sub-cases:
+
+| # | Rule | Trigger excerpt | Expected `errors` key | Test method |
+|---|------|-----------------|-----------------------|-------------|
+| 1 | Body present | empty body (zero bytes, `Content-Type: application/json`) | (no `errors` map — framework-level ProblemDetails) | `EmptyBody_Returns400` |
+| 2a | XOR of `tiles` / `locationHashes` | `{}` (neither populated) | `$` | `NeitherPopulated_Returns400` |
+| 2b | XOR (both populated) | `{"tiles":[…],"locationHashes":[…]}` | `$` | `BothPopulated_Returns400` |
+| 3 | `tiles` non-empty | `{"tiles":[]}` | `$` (treated as not-populated by XOR) | `EmptyTilesArray_Returns400` |
+| 4 | `tiles` ≤ `MaxEntriesPerRequest` (5000) | 5001-entry `tiles` array | `tiles` | `TilesOverCap_Returns400` |
+| 5a | Required `z` on each entry | `{"tiles":[{"x":1,"y":1}]}` | path mentioning `z` | `MissingZ_Returns400WithFieldPath` |
+| 5b | Required `x` / `y` on each entry | `{"tiles":[{"z":18}]}` | (validator + JsonRequired report missing axes) | `MissingXAndY_Returns400` |
+| 6a | Non-negative axis | `{"tiles":[{"z":18,"x":-1,"y":0}]}` | `tiles[0].x` | `NegativeAxis_Returns400` |
+| 6b | Integer type | `{"tiles":[{"z":"eighteen","x":1,"y":1}]}` | path mentioning the axis | `TypeMismatch_Returns400` |
+| 7 | `z` in slippy-map range 0..22 | `{"tiles":[{"z":30,"x":0,"y":0}]}` | `tiles[0].z`; message mentions "between 0 and 22" | `ZoomOutOfRange_Returns400WithFieldPath` |
+| 8a | `x` < 2^z | `{"tiles":[{"z":2,"x":4,"y":0}]}` | `tiles[0].x` | `XBeyondZoomBounds_Returns400` |
+| 8b | `y` < 2^z | `{"tiles":[{"z":0,"x":0,"y":1}]}` | `tiles[0].y` | `YBeyondZoomBounds_Returns400` |
+| 9a | Unknown root field | `{"unknownField":42,"tiles":[…]}` | path mentioning `unknownField` | `UnknownRootField_Returns400` |
+| 9b | Unknown nested field on tile entry | `{"tiles":[{"z":18,"x":1,"y":1,"foo":42}]}` | path mentioning `foo` | `UnknownNestedField_Returns400` |
+| 9c | Legacy v1 names (`tileZoom/tileX/tileY`) | exact AZ-777 Phase 1 reproduction body | path mentioning `tileZoom` | `OldV1FieldName_Returns400` (cross-listed under AZ-794) |
+| pos | Happy path with z/x/y | `{"tiles":[{"z":18,"x":1,"y":1}]}` | HTTP 200 — no body shape change vs AZ-505 baseline | `HappyPath_Returns200` |
+
+**Pass criterion**: Every failure sub-case returns HTTP 400 with the expected `errors` key OR an equivalent RFC 7807 ProblemDetails for the empty-body case; the happy path returns HTTP 200. No sub-case leaks server-internal state (DB strings, secrets, stack traces) per `error-shape.md` Inv-5.
+**AC trace**: AZ-796 AC-1 (all 9 rules + ProblemDetails shape), AC-2 (happy path); AZ-794 AC-1 (positive z/x/y acceptance — sub-case `pos`), AZ-794 AC-2 (sub-case `9c` proves the old names produce a structured 400, eliminating the silent-coerce-to-0 footgun); AZ-795 (epic-level — every sub-case exercises the shared `ValidationEndpointFilter` + `GlobalExceptionHandler` + `UnmappedMemberHandling.Disallow` infra).
+**Notes**: The 9 rules split across two enforcement layers — rules 5/6/9 are enforced by the deserializer (`JsonRequired` + `UnmappedMemberHandling.Disallow` + native JSON type validation, see AZ-795 shared infra) and surface as `BadHttpRequestException` → `GlobalExceptionHandler.JsonException` branch; rules 2/3/4/7/8 are enforced by `InventoryRequestValidator` (FluentValidation) via `ValidationEndpointFilter<TileInventoryRequest>`. Both paths produce identically-shaped `ValidationProblemDetails` bodies (`error-shape.md` v1.0.0 invariant).
+
+---
+
+## Cycle 8 — AZ-808 / AZ-809 / AZ-810 / AZ-811 / AZ-812 Strict Validation Sweep + Region Rename
+
+Cycle 8 extends the AZ-795 shared validation infrastructure (FluentValidation + `ValidationEndpointFilter<T>` + `GlobalExceptionHandler` + `JsonSerializerOptions.UnmappedMemberHandling.Disallow`) to the four remaining public-facing endpoints, and lands the OSM-convention `Lat`/`Lon` rename on the Region API in the same commit set. Every cycle-8 endpoint emits the same `ValidationProblemDetails` shape (`error-shape.md` v1.0.0) used by AZ-796. No new HTTP routes; existing positive coverage (BT-01..BT-18 region/route/tile flows, BT-13..BT-17 UAV upload, BT-N01..BT-N05 negatives) is preserved. The new tests below cover the strict-rejection behaviour that pre-cycle-8 either silently coerced (missing `id` → zero-Guid; unknown `?latitude=` → `lat=0`) or accepted out-of-range (lat > 90, zoom > 22) values that downstream code couldn't render.
+
+## BT-28: Region Request Endpoint — Strict Validation + OSM Rename
+
+**Trigger**: A family of `POST /api/satellite/request` calls. AZ-812's `Lat`/`Lon` rename ships in the same commit as AZ-808; every sub-case uses the post-rename wire shape `{"id":"<guid>","lat":..,"lon":..,"sizeMeters":..,"zoomLevel":..,"stitchTiles":..}`.
+**Precondition**: API up; valid JWT attached. `error-shape.md` v1.0.0 + `region-request.md` v1.0.0 frozen (v1.0.0 published directly with the post-AZ-812 names per AZ-812 AC-6 coordination).
+**Expected**: HTTP 400 with `Content-Type: application/problem+json` for every failure sub-case; HTTP 200 + `RegionStatusResponse` for the happy path. `errors[]` names the offending field path in request-body camelCase.
+
+| # | Rule | Trigger excerpt | Expected `errors` key | Test method |
+|---|------|-----------------|-----------------------|-------------|
+| pos | Happy path with `lat`/`lon` | full valid body | HTTP 200 — body shape unchanged from pre-AZ-808 (`{regionId,status}`) | `HappyPath_Returns200` |
+| 1 | Empty body | zero bytes, `Content-Type: application/json` | (framework-level ProblemDetails) | `EmptyBody_Returns400` |
+| 2a | Required `id` (silent-coercion fix) | omit `id` entirely | `id` — message states `id` is required (NOT zero-Guid coercion) | `Post_WithMissingId_ReturnsBadRequest` |
+| 2b | Zero-Guid `id` | `"id":"00000000-0000-0000-0000-000000000000"` | `id` | `ZeroGuidId_Returns400` |
+| 3 | `lat` in range `[-90, 90]` | `"lat":91` | `lat` | `LatOutOfRange_Returns400` |
+| 4 | `lon` in range `[-180, 180]` | `"lon":181` | `lon` | `LonOutOfRange_Returns400` |
+| 5 | `sizeMeters` in range `[100, 10_000]` | `"sizeMeters":1000000` | `sizeMeters` | `SizeMetersOutOfRange_Returns400` |
+| 6 | `zoomLevel` in range `[0, 22]` | `"zoomLevel":30` | `zoomLevel` | `ZoomOutOfRange_Returns400` |
+| 7 | Required `stitchTiles` | omit `stitchTiles` | `stitchTiles` | `MissingStitchTiles_Returns400` |
+| 8 | Unknown root field (`UnmappedMemberHandling.Disallow`) | `"debug":42` | path mentioning `debug` | `UnknownRootField_Returns400` |
+| 9 | Legacy v1 names (`latitude`/`longitude`) | exact AZ-777 Phase 2 reproduction body | path mentioning `latitude` (treated as unknown post-AZ-812) | `OldLatLongNames_Returns400` |
+| 10 | Type mismatch on `lat` | `"lat":"fifty"` | path mentioning `lat` | `LatTypeMismatch_Returns400` |
+
+**Pass criterion**: Every failure sub-case returns HTTP 400 with the expected `errors` key OR an equivalent RFC 7807 body for the empty-body case; the happy path returns HTTP 200 + a non-empty `regionId`. AZ-812 AC-4 is verified by sub-cases `pos` (new names accepted) and `9` (old names rejected by `UnmappedMemberHandling.Disallow`) on the same endpoint. No regression in `RegionRequestTests.cs` (cycle 8 Step 11 — green).
+**AC trace**: AZ-808 AC-1 (8 rules + ProblemDetails shape), AC-2 (happy path); AZ-812 AC-2 (wire format end-to-end), AC-3 (existing happy-path tests pass — Step 11 green), AC-4 (post-rename accepted, pre-rename rejected — sub-cases `pos` + `9`).
+**Notes**: The 8 validations split between the deserializer (rule 7 missing-required, rule 8 unknown-root, rule 10 type-mismatch — surface via `GlobalExceptionHandler`) and `RegionRequestValidator` (rules 2b/3/4/5/6 — surface via `ValidationEndpointFilter<RequestRegionRequest>`). The silent-coercion case (rule 2a) is the AZ-777 Phase 2 reproducer: pre-cycle-8 a missing `id` deserialized to `Guid.Empty` and the handler silently created a region with id `00000000-...`; post-cycle-8 it fails-fast at the deserializer.
+
+## BT-29: Create Route Endpoint — Nested + Cross-Field Strict Validation
+
+**Trigger**: A family of `POST /api/satellite/route` calls covering AZ-809's 14 rules. Bodies use the post-AZ-809 wire shape `{id, name, description?, regionSizeMeters, zoomLevel, points: [{lat, lon}, …], requestMaps, createTilesZip, geofences?: {polygons: [{northWest, southEast}]}}`.
+**Precondition**: API up; valid JWT attached. `error-shape.md` v1.0.0 + `route-creation.md` v1.0.1 frozen.
+**Expected**: HTTP 400 with `Content-Type: application/problem+json` for every failure sub-case; HTTP 200 + `RouteResponse` for the happy path. `errors[]` keys use the nested path (e.g. `points[1].lat`, `geofences.polygons[0].northWest`).
+
+| # | Rule | Trigger excerpt | Expected `errors` key | Test method |
+|---|------|-----------------|-----------------------|-------------|
+| pos | Happy path (`requestMaps=false`, no background processing) | minimal 2-point valid body | HTTP 200 — body shape unchanged | `HappyPath_Returns200` |
+| 1 | Empty body | zero bytes | (framework-level ProblemDetails) | `EmptyBody_Returns400` |
+| 2a | Required `id` (silent-coercion fix) | omit `id` | `id` is required (no zero-Guid coercion) | `MissingId_Returns400` |
+| 2b | Zero-Guid `id` | `"id":"00000000-..."` | `id` | `ZeroGuidId_Returns400` |
+| 3 | Required `name` non-empty | `"name":""` | `name` | `EmptyName_Returns400` |
+| 5 | `regionSizeMeters` in `[100, 10_000]` | `1000000` | `regionSizeMeters` | `RegionSizeMetersOutOfRange_Returns400` |
+| 6 | `zoomLevel` in `[0, 22]` | `30` | `zoomLevel` | `ZoomOutOfRange_Returns400` |
+| 7 | `points` count in `[2, 500]` | 1-point array | `points` | `PointsCountBelowMin_Returns400` |
+| 8a | Per-point `lat` in `[-90, 90]` | `points[1].lat=91` | `points[1].lat` | `PointLatOutOfRange_Returns400` |
+| 8b | Per-point `lon` in `[-180, 180]` | `points[1].lon=181` | `points[1].lon` | `PointLonOutOfRange_Returns400` |
+| 9 | Geofence cross-field invariant (`NW.lat > SE.lat` AND `NW.lon < SE.lon`) | NW.lat ≤ SE.lat | `geofences.polygons[0].northWest` | `GeofenceNwSeInvariantViolated_Returns400` |
+| 9b | `geofences.polygons.Count <= 50` (security-audit F-AZ809-1 fix, `route-creation.md` v1.0.1 Inv-10) | 51-polygon array | `geofences.polygons` ("must contain at most 50 polygons.") | `GeofencePolygonsTooMany_Returns400` |
+| 10 | Required `requestMaps` (no defaulting) | omit `requestMaps` | `requestMaps` | `MissingRequestMaps_Returns400` |
+| 12 | Cross-field: `createTilesZip=true` requires `requestMaps=true` | `{createTilesZip:true, requestMaps:false}` | top-level message (no per-field key) | `CreateTilesZipRequiresRequestMaps_Returns400` |
+| 13 | Unknown root field | `"debug":42` | path mentioning `debug` | `UnknownRootField_Returns400` |
+| 14 | Nested type mismatch | `"points[0].lat":"fifty"` | path mentioning `points[0].lat` | `NestedTypeMismatch_Returns400` |
+
+**Pass criterion**: Every failure sub-case returns HTTP 400 with the expected `errors` key OR an equivalent RFC 7807 body for the empty/cross-field cases; the happy path returns HTTP 200 + a non-empty `routeId`. No regression in `RouteCreationTests.cs` (cycle 8 Step 11 — green). The AZ-779-class footgun (silent coercion of missing `id` to zero-Guid creating untracked routes) is closed by sub-case 2a.
+**AC trace**: AZ-809 AC-1 (14 rules + ProblemDetails shape), AC-2 (happy path). Advisory ACs AC-9 (`sizeMeters` vs `regionSizeMeters` naming) and AC-10 (input `lat`/`lon` vs output `latitude`/`longitude` asymmetry) are explicitly **not** tested — surfaced to parent-suite team for follow-up only.
+**Notes**: The 14 rules split across three layers — deserializer (rules 3 type-mismatch, 13 unknown-root, 14 nested type mismatch, 10 missing-required), `CreateRouteRequestValidator` (rules 2b/5/6/7, plus orchestration of nested validators), `RoutePointValidator` (rules 8a/8b — applied per-element via `RuleForEach(x => x.Points).SetValidator`), `GeofencePolygonValidator` (rule 9 cross-field), and a top-level `Must()` (rule 12). Rule 4 (`description` length cap if present) is enforced by `CreateRouteRequestValidator.RuleFor(x => x.Description).MaximumLength(...)` and is not exercised by an explicit sub-case because the existing `pos` body omits `description` and there is no probe-confirmed footgun there. The cross-field rule 12 surfaces under a top-level `errors` map entry (no field key) per FluentValidation convention for `RuleFor(x => x).Must(...)`.
+
+## BT-30: UAV Upload Metadata Endpoint — Multipart Strict Validation
+
+**Trigger**: A family of `POST /api/satellite/upload` multipart calls covering AZ-810's 14 rules. The endpoint is `multipart/form-data`, so the validator wires through a **custom** `UavUploadValidationFilter` (NOT the generic `ValidationEndpointFilter<T>` used by JSON-body endpoints) which deserializes the `metadata` form field via the strict global `JsonSerializerOptions` and routes errors through three composed layers (deserializer → FluentValidation → envelope cross-field check).
+**Precondition**: API up; valid JWT with `permissions:["GPS"]` attached. `error-shape.md` v1.0.0 + `uav-tile-upload.md` v1.2.0 frozen.
+**Expected**: HTTP 400 with `Content-Type: application/problem+json` for every failure sub-case; HTTP 200 + per-item result list for the happy path (per-item file rejections still return HTTP 200 — file-byte semantics unchanged from AZ-488). `errors[]` keys are prefixed with `metadata.` (e.g. `metadata.items[0].latitude`) for FluentValidation-layer rules; deserializer-layer failures surface under `errors["metadata"]` (per `UavUploadValidationFilter` design — the deserializer doesn't know the per-field path inside the form value).
+
+| # | Rule | Layer | Trigger excerpt | Expected `errors` key | Test method |
+|---|------|-------|-----------------|-----------------------|-------------|
+| pos | Happy path | — | well-formed multipart envelope with valid 256×256 JPEG | HTTP 200, per-item `status=accepted` | `HappyPath_Returns200` |
+| 1 | `metadata` form field present | deserializer | omit `metadata` field | `metadata` | `MissingMetadataField_Returns400` |
+| 2 | `metadata` deserializes to `UavTileBatchMetadataPayload` | deserializer | `"items":"notanarray"` | `metadata` | `MetadataNotAnObject_Returns400` |
+| 3 | `metadata.items` count in `[1, 100]` | FluentValidation | 101-item array | `metadata.items` | `OversizedItemsArray_Returns400` |
+| 4 | `metadata.items` count == file count (envelope cross-field) | envelope filter | 2 items, 1 file | both `metadata.items` and `files` | `ItemsFileCountMismatch_Returns400` |
+| 5 | per-item `latitude` in `[-90, 90]` | FluentValidation | `items[1].latitude=91` | `metadata.items[1].latitude` | `LatitudeOutOfRange_Returns400` |
+| 6 | per-item `longitude` in `[-180, 180]` | FluentValidation | `items[0].longitude=181` | `metadata.items[0].longitude` | `LongitudeOutOfRange_Returns400` |
+| 7 | per-item `tileZoom` in `[0, 22]` | FluentValidation | `items[0].tileZoom=30` | `metadata.items[0].tileZoom` | `TileZoomOutOfRange_Returns400` |
+| 8 | per-item `tileSizeMeters` > 0 | FluentValidation | `items[0].tileSizeMeters=0` | `metadata.items[0].tileSizeMeters` | `TileSizeMetersZero_Returns400` |
+| 9a | per-item `capturedAt` not in future (skew = 30s) | FluentValidation | `capturedAt=UtcNow+1h` | `metadata.items[0].capturedAt` | `CapturedAtFuture_Returns400` |
+| 9b | per-item `capturedAt` not older than `MaxAgeDays` (default 7d) | FluentValidation | `capturedAt=UtcNow-60d` | `metadata.items[0].capturedAt` | `CapturedAtTooOld_Returns400` |
+| 10 | per-item required fields (`latitude`/`longitude`/`tileZoom`/`tileSizeMeters`/`capturedAt`) present (`[JsonRequired]`) | deserializer | omit `latitude` from one item | `metadata` (deserializer-level; per-field path not available inside form value) | `MissingRequiredField_Returns400` |
+| 11 | Unknown root field on `UavTileBatchMetadataPayload` | deserializer | `"debug":42` at metadata root | `metadata` | `UnknownRootField_Returns400` |
+| 12 | Unknown nested field on `UavTileMetadata` | deserializer | `"altitude":100` on an item | `metadata` | `UnknownItemField_Returns400` |
+| 13 | Type mismatch on per-item field | deserializer | `"latitude":"fifty"` | `metadata` | `LatitudeTypeMismatch_Returns400` |
+
+**Pass criterion**: Every failure sub-case returns HTTP 400 with the expected `errors` key. The happy path returns HTTP 200 + a per-item result list with `status=accepted`. Per-item file rejections (existing `IUavTileQualityGate` semantics: `INVALID_FORMAT`, `WRONG_DIMENSIONS`, `SIZE_OUT_OF_BAND`, `CAPTURED_AT_FUTURE`, `CAPTURED_AT_TOO_OLD`, `IMAGE_TOO_UNIFORM`) still return HTTP 200 with per-item `status=rejected` (AZ-488 contract preserved). **AZ-810 AC-9 verified** by full integration suite green at cycle 8 Step 11 (after the test-data clamp fix — see `_docs/03_implementation/batch_04_cycle8_report.md` AC-9 row + commit `b763da3`).
+**AC trace**: AZ-810 AC-1 (14 rules + ProblemDetails shape), AC-2 (happy path unchanged), AC-9 (no AZ-488 regression).
+**Notes**: This is the first endpoint where the validation infra had to step **outside** the generic `ValidationEndpointFilter<T>` — multipart form-data is not a JSON body, so the metadata field has to be extracted from `IFormCollection` and deserialized inside a custom filter (`UavUploadValidationFilter`). Three layers compose: (1) deserializer with `JsonSerializerOptions.UnmappedMemberHandling.Disallow` + `[JsonRequired]` — surfaces under `errors["metadata"]`; (2) `UavTileBatchMetadataPayloadValidator` + `UavTileMetadataValidator` (FluentValidation) — error paths prefixed with `metadata.`; (3) envelope cross-field check (`items.Count == files.Count`) inside the filter — surfaces under BOTH `errors["metadata.items"]` AND `errors["files"]`. The `metadata.` prefix and the bare-`"metadata"` key for deserializer-level errors are documented in `_docs/02_document/contracts/api/uav-tile-upload.md` v1.2.0 §Validation Rules.
+
+## BT-31: GET tiles/latlon — Query-Param Strict Validation + Unknown-Param Rejection
+
+**Trigger**: A family of `GET /api/satellite/tiles/latlon?lat=&lon=&zoom=` calls covering AZ-811's 5 rules. The endpoint takes **query parameters** (not a JSON body), so the validator wires through a **novel** `UnknownQueryParameterEndpointFilter` (envelope filter, item 4 of AZ-811's implementation pattern) plus `GetTileByLatLonQueryValidator` (FluentValidation for the typed query params).
+**Precondition**: API up; valid JWT attached. `error-shape.md` v1.0.0 + `tile-latlon.md` v1.0.0 frozen.
+**Expected**: HTTP 400 with `Content-Type: application/problem+json` for every failure sub-case; HTTP 200 + `DownloadTileResponse` for the happy path. `errors[]` keys name the offending query parameter (e.g. `lat`).
+
+| # | Rule | Trigger excerpt | Expected `errors` key | Test method |
+|---|------|-----------------|-----------------------|-------------|
+| pos | Happy path | `?lat=47.46&lon=37.64&zoom=18` | HTTP 200 — body shape unchanged | `HappyPath_Returns200` |
+| 1 | `lat` in range `[-90, 90]` | `?lat=91` | `lat` | `LatOutOfRange_Returns400` |
+| 2 | `lon` in range `[-180, 180]` | `?lon=181` | `lon` | `LonOutOfRange_Returns400` |
+| 3 | `zoom` in range `[0, 22]` | `?zoom=30` | `zoom` | `ZoomOutOfRange_Returns400` |
+| 4a | `lat` required | omit `?lat=` | `lat` ("`lat` is required") | `MissingLat_Returns400` |
+| 4b | Legacy v1 names (`?Latitude=&Longitude=&ZoomLevel=`) | exact pre-AZ-811 wire format | `errors` map names BOTH unknown keys | `LegacyLatitudeLongitudeNames_Returns400` |
+| 4c | Hostile / typo query keys | `?debug=1&admin=true` | `errors` map names BOTH unknown keys | `UnknownQueryKeys_Returns400` |
+| 5 | `lat` type mismatch | `?lat=fifty` | `lat` | `LatTypeMismatch_Returns400` |
+
+**Pass criterion**: Every failure sub-case returns HTTP 400 with the expected `errors` key. The happy path returns HTTP 200 + a non-empty `tileId` and a path of shape `tiles/{zoom}/{x}/{y}.jpg`. No regression in `TileByLatLonTests.cs` (cycle 8 Step 11 — green). BT-N01 (`lat=91&lon=181&zoom=18`) and BT-N02 (`zoom=25`) — pre-cycle-8 negative scenarios that only asserted "HTTP 4xx or error in body" — are now strictly bound: BT-N01 produces HTTP 400 with `errors["lat"]` AND `errors["lon"]`; BT-N02 produces HTTP 400 with `errors["zoom"]`.
+**AC trace**: AZ-811 AC-1 (5 rules + ProblemDetails shape), AC-2 (happy path), AC-9 (the novel unknown-query-param envelope filter is documented in `_docs/02_document/modules/api_program.md` for reuse).
+**Notes**: This is the first endpoint to need a generic **unknown-query-param rejection** layer — ASP.NET's default model binder silently ignores unknown query parameters (parallel to `UnmappedMemberHandling.Disallow` for JSON bodies, but no built-in equivalent exists for query strings). The new `UnknownQueryParameterEndpointFilter` introspects the route's declared parameters and rejects any extra keys. Sub-cases `4b` and `4c` exercise this filter: `4b` proves the pre-AZ-811 wire format (`?Latitude=&Longitude=&ZoomLevel=`) that silently fell back to `lat=0, lon=0, zoom=0` now fails fast with HTTP 400 naming all three unknown keys; `4c` proves the same path catches arbitrary hostile / typo keys. The filter is designed for reuse by any future query-param endpoint (AZ-811 AC-9).
+

_docs/02_document/tests/security-tests.md

@@ -2,7 +2,7 @@
 
 ## SEC-01: SQL Injection via Coordinate Parameters
 
-**Trigger**: GET /api/satellite/tiles/latlon?Latitude=1;DROP TABLE tiles--&Longitude=1&ZoomLevel=18
+**Trigger**: GET /api/satellite/tiles/latlon?lat=1;DROP TABLE tiles--&lon=1&zoom=18
 **Expected**: Request rejected or treated as invalid parameter
 **Pass criterion**: HTTP 400 or parameter parsing error; no database damage; tiles table intact
 
@@ -20,9 +20,9 @@
 
 ## SEC-04: Malformed JSON in Route Request
 
-**Trigger**: POST /api/satellite/route with invalid JSON body
+**Trigger**: POST /api/satellite/route with invalid JSON body (truncated `{` or non-JSON text).
-**Expected**: Parse error returned
+**Expected**: HTTP 400 + RFC 7807 `ProblemDetails`. Post-AZ-809 (cycle 8) the failure surfaces via `GlobalExceptionHandler`'s `JsonException` branch (System.Text.Json `JsonReaderException` → `BadHttpRequestException` → 400). No stack trace leaks; correlationId present per AZ-353.
-**Pass criterion**: HTTP 400; error message indicates parsing failure; no crash
+**Pass criterion**: HTTP 400; `Content-Type: application/problem+json`; body matches `error-shape.md` v1.0.0; no internal exception type or stack frame in `detail`.
 
 ---
 
@@ -32,7 +32,7 @@ The pre-AZ-487 assumption "no authentication" is superseded by these scenarios.
 
 ## SEC-05: Anonymous Request to Any Authenticated Endpoint Returns 401
 
-**Trigger**: GET `/api/satellite/tiles/latlon?Latitude=...&Longitude=...&ZoomLevel=18` (or any `/api/satellite/*` endpoint) with NO `Authorization` header.
+**Trigger**: GET `/api/satellite/tiles/latlon?lat=...&lon=...&zoom=18` (or any `/api/satellite/*` endpoint) with NO `Authorization` header.
 **Precondition**: API running with `JWT_SECRET` configured.
 **Expected**: HTTP 401 Unauthorized; `WWW-Authenticate: Bearer` header present; response body does not leak validation internals.
 **Pass criterion**: status == 401 AND `WWW-Authenticate` header starts with `Bearer`.

_docs/02_document/tests/traceability-matrix.md

@@ -109,6 +109,61 @@
 | AZ-504 AC-2 | PT-08 completes on zero-accepted response (defensive) | Same standalone shell harness (case 4) — `accepted=0, rejected=N` path no longer kills the script | ✓ |
 | AZ-504 AC-3 | PT-08 summary line prints in full default-parameter perf run | Verified at autodev Step 15 (Performance Test) by running `scripts/run-performance-tests.sh` with `PERF_REPEAT_COUNT=20 PERF_UAV_BATCH_SIZE=10`; pass criterion is the `PT-08 UAV batch upload: PASS p95=Xms / 2000ms (...)` line in the run output | ◐ gate at Step 15 |
 | AZ-504 AC-4 | Leftover `_docs/_process_leftovers/2026-05-12_perf-cycle3-harness-execution.md` deleted on green full run | Verified at autodev Step 15 by `test -f _docs/_process_leftovers/2026-05-12_perf-cycle3-harness-execution.md` returning non-zero after the green run + commit | ◐ gate at Step 15 |
+| AZ-794 AC-1 | Inventory request body uses short names `{z, x, y}` (OSM convention) | BT-27 sub-case `pos` (`TileInventoryValidationTests.HappyPath_Returns200`); existing AZ-505 integration suite (`TileInventoryTests.OrderingAndPresentAbsentShaping_AC1` + the AC-6 validation tests already use z/x/y after the rename); deserializer-level proof via BT-27 sub-case `9c` (`OldV1FieldName_Returns400`) — old names now hard-fail | ✓ |
+| AZ-794 AC-2 | Inventory response body uses short names `{z, x, y}`; all other fields (`locationHash`, `present`, `id`, `capturedAt`, `source`, `flightId`, `resolutionMPerPx`) unchanged byte-for-byte from the pre-rename contract | `TileInventoryTests.OrderingAndPresentAbsentShaping_AC1` (integration; asserts `entry.Z`, `entry.X`, `entry.Y`, `entry.LocationHash`, `entry.Present`, `entry.Id`, `entry.CapturedAt`, `entry.Source` for 25 mixed present/absent entries against the v2.0.0 wire shape) | ✓ |
+| AZ-794 AC-3 | OpenAPI / Swagger spec declares `z, x, y` (not the old names) as the required coordinate properties | Doc-state AC — verified at Step 13 (Update Docs) review against `/swagger/v1/swagger.json` schema definitions for `TileInventoryRequest` + `TileCoord` | ◐ doc-verified at Step 13 |
+| AZ-794 AC-4 | `_docs/02_document/contracts/api/tile-inventory.md` bumped to v2.0.0; Migration / Coexistence section names AZ-794 and the breaking-rename | Doc-state AC — `_docs/02_document/contracts/api/tile-inventory.md` v2.0.0 Change Log entry naming AZ-794 (verified at Step 13 Update Docs review) | ✓ |
+| AZ-795 (epic) | Shared input-validation infra in place: FluentValidation 12.0.0 + `ValidationEndpointFilter<T>` + `GlobalExceptionHandler` + `JsonSerializerOptions.UnmappedMemberHandling.Disallow` + camelCase naming policy + new `error-shape.md` v1.0.0 contract | Structural: `SatelliteProvider.Api/Validators/{ValidationEndpointFilter,GlobalValidatorConfig,ValidationEndpointFilterExtensions}.cs` + `SatelliteProvider.Api/GlobalExceptionHandler.cs` exist; `error-shape.md` v1.0.0 frozen with 8 documented test cases; end-to-end exercise via the AZ-796 test suite (every BT-27 sub-case routes through this infra). Per-endpoint child task tracker (`AZ-796` is the first; siblings to follow) is owned by Jira AZ-795. | ✓ (infra + contract; per-endpoint child coverage tracked individually) |
+| AZ-796 AC-1 | Each of the 9 validation rules rejects with HTTP 400 + RFC 7807 ProblemDetails; `errors[]` array has single-rule precision (no unrelated rules) | BT-27 (blackbox; sub-cases 1, 2a, 2b, 3, 4, 5a, 5b, 6a, 6b, 7, 8a, 8b, 9a, 9b, 9c — one per rule); `TileInventoryValidationTests.*` (integration: 15 failure tests) + `InventoryRequestValidatorTests.*` (unit: covers the rules expressible at the validator layer in isolation) | ✓ |
+| AZ-796 AC-2 | Happy path unchanged (HTTP 200 with existing result shape; one entry per requested tile, same ordering, fields preserved) | BT-27 sub-case `pos` (`TileInventoryValidationTests.HappyPath_Returns200`); no regression in existing `TileInventoryTests.OrderingAndPresentAbsentShaping_AC1` (which still passes at cycle 7 Step 11) | ✓ |
+| AZ-796 AC-3 | `InventoryRequestValidator` lives in its own file under `SatelliteProvider.Api/Validators/`; xUnit class has one test method per `RuleFor(...)` (≥ 9 unit-test methods) | Structural: `SatelliteProvider.Api/Validators/InventoryRequestValidator.cs` exists (74 lines, isolated validator + `TileCoordValidator`); `SatelliteProvider.Tests/Validators/InventoryRequestValidatorTests.cs` contains 16 test methods (`Validate_TilesPopulated_LocationHashesNull_Passes`, `Validate_LocationHashesPopulated_TilesNull_Passes`, `Validate_BothPopulated_FailsXorRule`, `Validate_NeitherPopulated_FailsXorRule`, `Validate_BothEmpty_FailsXorRule`, `Validate_TilesAtCap_Passes`, `Validate_TilesOverCap_FailsCapRule`, `Validate_LocationHashesOverCap_FailsCapRule`, `Validate_TileZoomOutOfRange_FailsRangeRule` ×3, `Validate_TileZoomInRange_PassesRangeRule` ×3, `Validate_TileXNegative_FailsRangeRule`, `Validate_TileXAtUpperBound_FailsRangeRule`, `Validate_TileYNegative_FailsRangeRule`, `Validate_TileYAtUpperBound_FailsRangeRule`, `Validate_AxesAtMaxForZoom_Passes`) | ✓ |
+| AZ-796 AC-4 | Integration tests cover happy + failure per rule (≥ 10 methods) in `SatelliteProvider.IntegrationTests/TileInventoryValidationTests.cs` | `TileInventoryValidationTests` contains 16 integration test methods (1 happy + 15 failure: `HappyPath_Returns200`, `EmptyBody_Returns400`, `NeitherPopulated_Returns400`, `BothPopulated_Returns400`, `EmptyTilesArray_Returns400`, `TilesOverCap_Returns400`, `MissingZ_Returns400WithFieldPath`, `MissingXAndY_Returns400`, `ZoomOutOfRange_Returns400WithFieldPath`, `XBeyondZoomBounds_Returns400`, `YBeyondZoomBounds_Returns400`, `NegativeAxis_Returns400`, `UnknownRootField_Returns400`, `UnknownNestedField_Returns400`, `OldV1FieldName_Returns400`, `TypeMismatch_Returns400`) — 16 ≥ 10. Cycle 7 Step 11 full run reports all 16 passing. | ✓ |
+| AZ-796 AC-5 | `/swagger/v1/swagger.json` marks required fields, declares integer ranges per validation rules, declares 400 response with ProblemDetails schema | Doc-state AC — verified at Step 13 (Update Docs) review against the published OpenAPI document; integration smoke is the existing `JwtIntegrationTests.SwaggerDocument_AdvertisesBearerSecurityScheme` pattern (a future analogous test against the validation schema is out-of-scope this cycle) | ◐ doc-verified at Step 13 |
+| AZ-796 AC-6 | `_docs/02_document/contracts/api/tile-inventory.md` updated to document the 9 validation rules + error contract reference | Doc-state AC — `_docs/02_document/contracts/api/tile-inventory.md` v2.0.0 Change Log entry naming AZ-796 (verified at Step 13 Update Docs review) | ✓ |
+| AZ-796 AC-7 | `scripts/probe_inventory_validation.sh` committed; exercises each failure mode via `curl` + JWT for documentation / regression | Structural: `scripts/probe_inventory_validation.sh` exists in repo and is manually runnable | ✓ |
+| AZ-808 AC-1 | Each of the 8 region-request validations rejects with HTTP 400 + ValidationProblemDetails (single-rule precision) | BT-28 sub-cases 1, 2a, 2b, 3, 4, 5, 6, 7, 8, 9, 10 (blackbox); `RegionRequestValidationTests` (integration, 11+ failure methods) + `RegionRequestValidatorTests` (unit, ≥ 8 methods covering each `RuleFor`); shared `ProblemDetailsAssertions` enforces error-shape v1.0.0 conformance | ✓ |
+| AZ-808 AC-2 | Happy path unchanged — valid body returns HTTP 200 + `RegionStatusResponse`; background processing still runs; probe's 9-tile Derkachi case completes < 10 s | BT-28 sub-case `pos` (`RegionRequestValidationTests.HappyPath_Returns200`); no regression in existing `RegionRequestTests.cs` (cycle 8 Step 11 — green) | ✓ |
+| AZ-808 AC-3 | `RegionRequestValidator` in its own file under `SatelliteProvider.Api/Validators/`; unit-tested (≥ 1 per `RuleFor`) | Structural: `SatelliteProvider.Api/Validators/RegionRequestValidator.cs` exists; `SatelliteProvider.Tests/Validators/RegionRequestValidatorTests.cs` covers each `RuleFor` chain | ✓ |
+| AZ-808 AC-4 | `RegionRequestValidationTests.cs` covers happy + 8+ failure modes; MUST include `Post_WithMissingId_ReturnsBadRequest` reproducing 2026-05-22 silent-coercion case | `SatelliteProvider.IntegrationTests/RegionRequestValidationTests.cs` includes `MissingId_Returns400` (the renamed AZ-777 Phase 2 reproducer) and ≥ 11 total failure methods; uses `ProblemDetailsAssertions` from AZ-795 | ✓ |
+| AZ-808 AC-5 | `_docs/02_document/contracts/api/region-request.md` v1.0.0 created and published | Doc-state AC — `region-request.md` v1.0.0 created in cycle-8 batch (coordinated with AZ-812 — published directly with `lat`/`lon` names per AZ-812 AC-6); verified at Step 13 (Update Docs) review | ✓ |
+| AZ-808 AC-6 | `_docs/02_document/system-flows.md` F2 updated to reference the new contract doc + error shape | Doc-state AC — verified at Step 13 (Update Docs) review | ◐ doc-verified at Step 13 |
+| AZ-808 AC-7 | OpenAPI marks `RequestRegionRequest` fields `required`, declares ranges, documents 400 response | Doc-state AC — verified at Step 13 (Update Docs) review against published `/swagger/v1/swagger.json`; Swashbuckle annotations match AZ-796 pattern | ◐ doc-verified at Step 13 |
+| AZ-808 AC-8 | Manual probe script exercises each failure mode via `curl` + JWT | Structural: `scripts/probe_region_validation.sh` exists and is manually runnable | ✓ |
+| AZ-809 AC-1 | Each of the 14 route-creation validations rejects with HTTP 400 + ValidationProblemDetails (single-rule precision) | BT-29 sub-cases 1..14 (blackbox); `CreateRouteValidationTests` (integration, 14+ failure methods covering deserializer + per-DTO + per-element + cross-field layers) + `CreateRouteRequestValidatorTests` + `RoutePointValidatorTests` + `GeofencePolygonValidatorTests` (unit, ≥ 13 methods total) | ✓ |
+| AZ-809 AC-1b (security-audit F-AZ809-1 follow-up; `route-creation.md` v1.0.1 Inv-10) | `geofences.polygons.Count <= 50` rejects with HTTP 400 + `errors["geofences.polygons"]` | BT-29 sub-case 9b (blackbox); `CreateRouteValidationTests.GeofencePolygonsTooMany_Returns400` (integration); `CreateRouteRequestValidatorTests.Validate_GeofencePolygonsTooMany_FailsCountRule` (unit) | ✓ |
+| AZ-809 AC-2 | Happy path unchanged — valid body returns HTTP 200 + `RouteResponse`; F5 background still runs when `requestMaps=true`; probe's 2-point 132 m route completes < 20 s | BT-29 sub-case `pos` (`CreateRouteValidationTests.HappyPath_Returns200`); no regression in existing `RouteCreationTests.cs` (cycle 8 Step 11 — green) | ✓ |
+| AZ-809 AC-3 | `CreateRouteRequestValidator`, `RoutePointValidator`, `GeofencePolygonValidator` each in their own files under `SatelliteProvider.Api/Validators/`; ≥ 13 unit-test methods total | Structural: three validator files exist as separate `.cs` files; unit-test files together contain ≥ 13 methods covering every `RuleFor` / `RuleForEach` chain | ✓ |
+| AZ-809 AC-4 | `CreateRouteValidationTests.cs` covers happy + 13+ failure modes; MUST include `Post_WithMissingId_ReturnsBadRequest` | `SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs` includes `MissingId_Returns400` (the AZ-777 Phase 2 reproducer for route variant) and ≥ 14 total failure methods | ✓ |
+| AZ-809 AC-5 | `_docs/02_document/contracts/api/route-creation.md` v1.0.0 created and published | Doc-state AC — `route-creation.md` v1.0.0 created in cycle-8 batch; verified at Step 13 review | ✓ |
+| AZ-809 AC-6 | `_docs/02_document/system-flows.md` F4 + F5 updated to reference new contract doc + error shape | Doc-state AC — verified at Step 13 (Update Docs) review | ◐ doc-verified at Step 13 |
+| AZ-809 AC-7 | OpenAPI marks all required fields at every nesting level, declares ranges, documents 400 response | Doc-state AC — verified at Step 13 against published `/swagger/v1/swagger.json` | ◐ doc-verified at Step 13 |
+| AZ-809 AC-8 | Manual probe script exercises each failure mode via `curl` + JWT | Structural: `scripts/probe_route_validation.sh` exists and is manually runnable | ✓ |
+| AZ-809 AC-9 | (Advisory) `RequestRegionRequest.sizeMeters` vs `CreateRouteRequest.regionSizeMeters` naming inconsistency surfaced for parent-suite decision | Not tested — surfaced in `_docs/03_implementation/batch_*_cycle8_report.md` for parent-suite team follow-up | ◐ advisory (not tested) |
+| AZ-809 AC-10 | (Advisory) Input `points: [{lat, lon}]` vs output `points: [{latitude, longitude}]` round-trip asymmetry surfaced for parent-suite decision | Not tested — surfaced in `_docs/03_implementation/batch_*_cycle8_report.md` for parent-suite team follow-up | ◐ advisory (not tested) |
+| AZ-810 AC-1 | Each of the 14 upload-metadata validations rejects with HTTP 400 + ValidationProblemDetails (single-rule precision) | BT-30 sub-cases 1..13 (blackbox); `UavUploadValidationTests` (integration, ≥ 13 failure methods covering deserializer + FluentValidation + envelope cross-field layers) + `UavTileMetadataValidatorTests` + `UavTileBatchMetadataPayloadValidatorTests` (unit, ≥ 11 methods total) | ✓ |
+| AZ-810 AC-2 | Happy path unchanged — valid envelope returns HTTP 200 + per-item result list; per-item file rejections (`IUavTileQualityGate`) still return HTTP 200 with per-item status | BT-30 sub-case `pos` (`UavUploadValidationTests.HappyPath_Returns200`); existing AZ-488 BT-13..BT-17 + `UavUploadTests` continue green (cycle 8 Step 11 after the AZ-810 test-data coord-clamp fix in commit `b763da3`) | ✓ |
+| AZ-810 AC-3 | `UavTileMetadataValidator` + `UavTileBatchMetadataPayloadValidator` each in their own files under `SatelliteProvider.Api/Validators/`; ≥ 11 unit-test methods total | Structural: two validator files plus `UavUploadValidationFilter.cs` (the multipart envelope filter) exist under `SatelliteProvider.Api/Validators/`; unit-test files contain ≥ 11 methods covering each `RuleFor` | ✓ |
+| AZ-810 AC-4 | `UavUploadValidationTests.cs` covers happy + 12+ failure modes with full ValidationProblemDetails assertion | `SatelliteProvider.IntegrationTests/UavUploadValidationTests.cs` contains ≥ 13 integration test methods spanning all three enforcement layers; uses `ProblemDetailsAssertions` | ✓ |
+| AZ-810 AC-5 | `_docs/02_document/contracts/api/uav-tile-upload.md` bumped to v1.2.0 with the new validation section | Doc-state AC — `uav-tile-upload.md` v1.2.0 Change Log entry naming AZ-810; verified at Step 13 review | ✓ |
+| AZ-810 AC-6 | `_docs/02_document/modules/api_program.md` documents the new multipart validation endpoint filter | Doc-state AC — `api_program.md` updated in cycle-8 batch; verified at Step 13 review | ✓ |
+| AZ-810 AC-7 | OpenAPI marks `UavTileBatchMetadataPayload` + `UavTileMetadata` fields `required`, declares ranges, documents 400 response | Doc-state AC — verified at Step 13 against published `/swagger/v1/swagger.json`; `[JsonRequired]` annotations propagate to Swashbuckle as `required: [latitude, longitude, tileZoom, tileSizeMeters, capturedAt]` and `required: [items]` | ◐ doc-verified at Step 13 |
+| AZ-810 AC-8 | Manual probe script exercises each failure mode via multipart `curl` + JWT | Structural: `scripts/probe_upload_validation.sh` exists, reuses the AZ-808/AZ-809/AZ-811 probe-script pattern, and is manually runnable | ✓ |
+| AZ-810 AC-9 | No regression in existing AZ-488 integration tests (`UavTileBatchUploadTests.cs`, `UavTileQualityGateTests.cs`) | Cycle 8 Step 11 full integration run green AFTER fixing a pre-existing latent bug in `UavUploadTests.NextTestCoordinate` that AZ-810 exposed (seed `(Ticks/TicksPerSecond) % 1_000_000` produced lat > 90°; clamped to lat ∈ [50, 70), lon ∈ [10, 40) in commit `b763da3`). The original AC-9 verification (cycle 8 batch_04 report — "verified by tracing source") was a false-PASS; the green re-run is the binding evidence. Lesson recorded in `_docs/LESSONS.md` (2026-05-23) | ✓ (verified by full-suite re-run) |
+| AZ-811 AC-1 | Each of the 5 GET-lat/lon validations rejects with HTTP 400 + ValidationProblemDetails | BT-31 sub-cases 1..5 + 4a/4b/4c (blackbox); `GetTileByLatLonValidationTests` (integration, ≥ 7 failure methods) + `GetTileByLatLonQueryValidatorTests` (unit, ≥ 3 methods) | ✓ |
+| AZ-811 AC-2 | Happy path unchanged — `?lat=&lon=&zoom=` returns HTTP 200 + `DownloadTileResponse`; tile still downloaded/persisted | BT-31 sub-case `pos` (`GetTileByLatLonValidationTests.HappyPath_Returns200`); no regression in existing `TileByLatLonTests.cs` (cycle 8 Step 11 — green) | ✓ |
+| AZ-811 AC-3 | `GetTileByLatLonQueryValidator` in its own file under `SatelliteProvider.Api/Validators/`; unit-tested (≥ 3 methods) | Structural: `GetTileByLatLonQueryValidator.cs` exists; unit-test file covers the 5 rules in ≥ 3 methods | ✓ |
+| AZ-811 AC-4 | `GetTileByLatLonValidationTests.cs` covers happy + 4+ failure modes | `SatelliteProvider.IntegrationTests/GetTileByLatLonValidationTests.cs` contains ≥ 7 failure methods + 1 happy path; uses `ProblemDetailsAssertions` | ✓ |
+| AZ-811 AC-5 | `_docs/02_document/contracts/api/tile-latlon.md` v1.0.0 created and published | Doc-state AC — `tile-latlon.md` v1.0.0 created in cycle-8 batch; verified at Step 13 review | ✓ |
+| AZ-811 AC-6 | `_docs/02_document/modules/api_program.md::GetTileByLatLon Handler` updated to reference the validator + new contract doc | Doc-state AC — `api_program.md` updated in cycle-8 batch; verified at Step 13 review | ✓ |
+| AZ-811 AC-7 | OpenAPI marks query params required + ranges + 400 response | Doc-state AC — verified at Step 13 against published `/swagger/v1/swagger.json` | ◐ doc-verified at Step 13 |
+| AZ-811 AC-8 | Manual probe script exercises each failure mode via `curl` + JWT | Structural: `scripts/probe_latlon_validation.sh` exists and is manually runnable | ✓ |
+| AZ-811 AC-9 | The novel `UnknownQueryParameterEndpointFilter` (rule 4 — unknown-query-param rejection) is documented in `_docs/02_document/modules/api_program.md` so the next query-param endpoint can reuse it | Doc-state AC — the filter's behavior + reuse contract documented in `api_program.md`; verified at Step 13 review. BT-31 sub-cases `4b` (legacy `?Latitude=&Longitude=&ZoomLevel=` rejected) and `4c` (hostile `?debug=1&admin=true` rejected) prove the filter works as documented | ✓ |
+| AZ-812 AC-1 | `RequestRegionRequest` DTO uses `Lat` / `Lon` (C#) + `[JsonPropertyName("lat")]` / `[JsonPropertyName("lon")]` | Structural: `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` diff shows the rename + JsonPropertyName attributes; sibling DTOs `RoutePoint` and `GeoPoint` already used `lat`/`lon` (no change there) | ✓ |
+| AZ-812 AC-2 | Wire format is `{"lat":..,"lon":..}` end-to-end (request body, OpenAPI schema, docs, all integration tests) | BT-28 sub-case `pos` exercises the post-rename wire shape; integration test `RegionRequestValidationTests` + `RegionRequestTests` use `lat`/`lon` in every body; `region-request.md` v1.0.0 ships with `lat`/`lon` from day one (AZ-812 AC-6 coordination with AZ-808); OpenAPI verified at Step 13 | ✓ |
+| AZ-812 AC-3 | `RegionTests.cs` happy-path tests pass against new wire format | Cycle 8 Step 11 full run — green; all `RegionRequestTests` updated to send `lat`/`lon` in the same commit as the DTO rename | ✓ |
+| AZ-812 AC-4 | `curl` probe with `{"id":"<guid>","lat":49.94,"lon":36.31,"sizeMeters":200,"zoomLevel":18,"stitchTiles":false}` returns HTTP 200 + valid `regionId`; old `{"latitude":..,"longitude":..}` returns HTTP 400 with `UnmappedMemberHandling.Disallow` rejecting the unknown fields | BT-28 sub-case `pos` (new names accepted) + sub-case `9` (`OldLatLongNames_Returns400` — old `latitude`/`longitude` rejected as unknown). The strict-deserializer behavior is what AZ-795's `UnmappedMemberHandling.Disallow` makes possible; pre-cycle-8 the rename would have silently coerced old names to `Lat=0, Lon=0` | ✓ |
+| AZ-812 AC-5 | Docs updated: `common_dtos.md`, `api_program.md`, `system-flows.md` (F2) | Doc-state AC — all three files updated in cycle-8 batch; verified at Step 13 review | ◐ doc-verified at Step 13 |
+| AZ-812 AC-6 | Contract doc coordination: `region-request.md` v1.0.0 published directly with `lat`/`lon` (because AZ-808 + AZ-812 shipped in same cycle) — no `v1.0.0 → v2.0.0` bump needed | Doc-state AC — `region-request.md` v1.0.0 Change Log section names both AZ-808 (validation rules) and AZ-812 (`lat`/`lon` field names); verified at Step 13 review | ✓ |
 
 ## Restrictions → Test Mapping
 
@@ -158,7 +213,9 @@
 | Cycle 5 — AZ-503 foundation (integration + unit + blackbox) | 2 integration + 6 unit + 4 blackbox | 7/12 in-scope (AC-1, 2, 3, 4, 7, 8, 11); 5 ACs deferred → AZ-505 (now resolved in cycle 6) | — |
 | Cycle 5 — AZ-504 perf-script fix (shell harness + Step-15 gate) | 1 standalone shell harness (4 cases) | 2/4 verified now (AC-1, AC-2); 2/4 gated at Step 15 (AC-3, AC-4) | — |
 | Cycle 6 — AZ-505 inventory + HTTP/2 + leaflet covering index (integration + blackbox + perf) | 3 integration files + 4 blackbox (BT-23..BT-26) + 1 perf (PT-09) | 7/7 (AC-1..AC-7; AC-7 is doc-only). Also resolves the 5 AZ-503 deferrals (AC-5, 6, 9, 10, 12). | — |
-| **Total** | **94** | **63/63 in-scope (100%); 2 AZ-504 ACs gated at Step 15** | **8/8 (100%)** |
+| Cycle 7 — AZ-794 + AZ-795 + AZ-796 strict inventory validation + z/x/y rename (integration + unit + blackbox + contract) | 1 integration file (`TileInventoryValidationTests`, 16 tests) + 1 unit file (`InventoryRequestValidatorTests`, 16 tests) + 1 blackbox (BT-27 with 16 sub-cases) + 1 new contract (`error-shape.md` v1.0.0) + 1 bumped contract (`tile-inventory.md` v2.0.0) | 12/12 in-scope (AZ-794 AC-1..AC-4, AZ-795 epic-level, AZ-796 AC-1..AC-7); 2 ACs (AZ-794 AC-3 + AZ-796 AC-5) are `◐ doc-verified at Step 13`. | — |
+| Cycle 8 — AZ-808 + AZ-809 + AZ-810 + AZ-811 + AZ-812 strict validation sweep + region OSM rename (integration + unit + blackbox + contracts) | 4 integration files (`RegionRequestValidationTests`, `CreateRouteValidationTests`, `UavUploadValidationTests`, `GetTileByLatLonValidationTests` — ≥ 45 failure methods + 4 happy paths) + 5 unit files (`RegionRequestValidatorTests`, `CreateRouteRequestValidatorTests`, `RoutePointValidatorTests`, `GeofencePolygonValidatorTests`, `UavTileMetadataValidatorTests`, `UavTileBatchMetadataPayloadValidatorTests`, `GetTileByLatLonQueryValidatorTests` — ≥ 35 methods across the 4 endpoints) + 4 blackbox (BT-28..BT-31 with ≥ 41 sub-cases) + 4 new contracts (`region-request.md` v1.0.0, `route-creation.md` v1.0.0, `tile-latlon.md` v1.0.0, `uav-tile-upload.md` v1.2.0 bump) + 4 probe scripts | 41/41 in-scope (AZ-808 AC-1..AC-8, AZ-809 AC-1..AC-8, AZ-810 AC-1..AC-9, AZ-811 AC-1..AC-9, AZ-812 AC-1..AC-6); 8 ACs are `◐ doc-verified at Step 13` (per-endpoint OpenAPI / system-flows updates) + 2 advisory non-tested (AZ-809 AC-9, AC-10 — naming consistency surfaced for parent-suite). AZ-810 AC-9 (no AZ-488 regression) verified after the AZ-810 test-data coord-clamp fix (commit `b763da3`) — the original "traced by source" verification was a false-PASS; the green full-suite re-run is the binding evidence. | — |
+| **Total** | **167** | **116/116 in-scope (100%); 2 AZ-504 ACs gated at Step 15; 10 ACs doc-verified at Step 13 (2 cycle-7 + 8 cycle-8); 2 advisory non-tested (cycle-8 AZ-809 AC-9/AC-10)** | **8/8 (100%)** |
 
 **Coverage shape notes (Cycle 5 — AZ-503 foundation):**
 - AZ-503 was split mid-cycle (Option C, autodev Step 10 batch 2): 7 of 12 original ACs land here; 5 (AC-5, AC-6, AC-9, AC-10, AC-12) are deferred to AZ-505 with a `Blocks` link in Jira and an entry in `_docs/02_tasks/_dependencies_table.md`. The deferred rows above are marked `◐ deferred → AZ-505` so the matrix surfaces the scope boundary explicitly.
@@ -186,3 +243,23 @@
 - AZ-505 AC-5 originally specified h2c (HTTP/2 over plaintext). Kestrel was switched to TLS+ALPN on `https://+:8080` during the cycle-6 Run Tests step because `HttpProtocols.Http1AndHttp2` silently downgrades to HTTP/1.1 over plaintext (no ALPN). The functional gate (multiplexing semantics) is unchanged — the test still asserts `HttpResponseMessage.Version == 2.0` over 20 concurrent GETs on a single connection. The deployment caveat (dev cert vs. production TLS termination at the ingress) is documented in `tile-inventory.md` Non-Goals.
 - AZ-505 NFRs propagate as follows: Performance (AC-3, AC-4) ⇒ PT-09 entry (full PT-09 row in `performance-tests.md`); Compatibility (existing `GET /tiles/{z}/{x}/{y}` byte-identical) ⇒ no new test — the AZ-484 / AZ-503-foundation selection rule is unchanged, and the test that exercised it under the old `(z, x, y)`-keyed SELECT now exercises it under the `location_hash`-keyed SELECT via AC-2; Security (JWT + `RequireAuthorization()`) ⇒ AC-6 anonymous-401 case, BT-26.
 - Cycle-update rule check: no NFR conflicts surfaced. The 500 ms → 1000 ms perf budget relaxation between AZ-503 AC-9 and AZ-505 AC-4 is **not** a conflict in the cycle-update sense — AZ-503 AC-9 was explicitly deferred (`◐ deferred → AZ-505`) so AZ-505 owns the binding budget; AZ-503's number was a pre-implementation estimate. The matrix records both numbers and the rationale so the budget history stays auditable.
+
+**Coverage shape notes (Cycle 7 — AZ-794 + AZ-795 + AZ-796 strict inventory validation + z/x/y rename):**
+- Cycle 7 is the **first** application of the AZ-795 shared validation infrastructure (FluentValidation 12.0.0 + `ValidationEndpointFilter<T>` + `GlobalExceptionHandler` + `JsonSerializerOptions.UnmappedMemberHandling.Disallow` + camelCase naming policy). The infra is exercised end-to-end by every AZ-796 sub-case — the matrix records `AZ-795 (epic)` as `✓` because the infra is in place and the first concrete child (AZ-796) demonstrates it functions correctly. Sibling per-endpoint child tasks (other public-facing JSON endpoints) will land under AZ-795 in future cycles and each will get its own AC row at that time.
+- AZ-794 (z/x/y rename) and AZ-796 (strict validation) shipped in the same commit (`865dfdb`). The matrix surfaces this coupling at AZ-794 AC-2 / AZ-796 AC-1 sub-case `9c` — the BT-27 sub-case that POSTs the legacy `{"tileZoom","tileX","tileY"}` payload now returns HTTP 400 with `errors[…]` naming `tileZoom`, proving (a) AZ-794's rename is observable on the wire and (b) AZ-795's `UnmappedMemberHandling.Disallow` catches the old names instead of silently coercing to `(0,0,0)`. The same sub-case carries the AZ-777 Phase 1 reproducer body verbatim — that exact request now fails-fast, closing the original discovery loop.
+- AZ-794 has no perf, security, or resilience NFRs distinct from AZ-505's. Wire size is reduced ~3× on field names (per AZ-794 spec); not separately measured because the AZ-505 AC-4 p95 budget (1000 ms / 2500 tiles, measured 66 ms in cycle 6) already absorbs the rename with margin. Cycle 7 Step 11 reran the full integration suite (311 unit + integration) green; the AZ-505 perf budget is re-measured at Step 15 of cycle 7 per the existing `◐ gate at Step 15` rows.
+- AZ-796 AC-3 (validator unit-tested) and AC-4 (integration-tested) each specify a minimum count (≥ 9 unit, ≥ 10 integration). Cycle 7 delivered 16 + 16 = 32 — comfortably over the floor — covering every `RuleFor(…)` in `InventoryRequestValidator` and `TileCoordValidator` plus the JSON-deserializer-level rules (`JsonRequired`, `UnmappedMemberHandling.Disallow`, type mismatch) that don't reach the validator. The split is documented in BT-27 §Notes.
+- Doc-only ACs (AZ-794 AC-3, AZ-796 AC-5 — OpenAPI / Swagger spec accuracy) are marked `◐ doc-verified at Step 13` because they require inspection of the generated `/swagger/v1/swagger.json` during the Update Docs step. Cycle 7's Swashbuckle output reflects the rename + ranges automatically via the DTOs' `[JsonRequired]` and the validator's `RuleFor` constraints — no manual OpenAPI XML doc edits were needed. Step 13 will verify against the running container's swagger document.
+- AZ-505 AC-6's existing row (cycle 6 — "Request validation — 400 on both populated, 400 on neither, 400 on > 5000 entries, 401 on anonymous") remains accurate. Its 4 cases overlap with AZ-796 AC-1 sub-cases 2a, 2b, 4, and the anonymous case (also SEC-05). Both rows are kept per cycle-update rule 4 ("Preserve existing traceability IDs"); the duplication is by design — AZ-505 AC-6 was the cycle-6 contract (status-code-only), AZ-796 AC-1 is the cycle-7 contract (status code + ProblemDetails shape + field-path errors). The cycle-7 row is the binding one going forward; the cycle-6 row stays as historical record.
+- Cycle-update rule check: no NFR conflicts. The 5000-entry cap is reaffirmed (matches AZ-505); the supported zoom range 0..22 is reaffirmed (matches `tile-inventory.md` Inv-7); the error shape contract is **new** (`error-shape.md` v1.0.0) — but no prior cycle declared a different error shape, so this is greenfield content, not a conflict.
+- Step 10 artifact gap (cycle 7): no `implementation_report_*_cycle7.md` was produced in `_docs/03_implementation/`. The actual implementation evidence lives in commits `dceaddc` (cycle 7 task adoption) + `865dfdb` (cycle 7 Step 10 implementation), in the state file's `detail` field (which recorded the test-run outcome), and in the new test artifacts themselves (`InventoryRequestValidator.cs`, `InventoryRequestValidatorTests.cs`, `TileInventoryValidationTests.cs`, `ProblemDetailsAssertions.cs`, `error-shape.md` v1.0.0). This artifact gap is recorded here for cycle 7 retrospective follow-up — the matrix itself is unaffected because cycle-update mode's source-of-truth is the task specs in `_docs/02_tasks/done/`, not the implementation report.
+
+**Coverage shape notes (Cycle 8 — AZ-808 + AZ-809 + AZ-810 + AZ-811 + AZ-812 strict validation sweep + region OSM rename):**
+- Cycle 8 completes the AZ-795 epic's per-endpoint rollout — every public-facing endpoint now goes through the shared validation infra. AZ-795's `AZ-795 (epic)` row from cycle 7 remains `✓`; cycle 8 adds 4 endpoint-scoped per-AC rows (AZ-808, AZ-809, AZ-810, AZ-811) plus the AZ-812 region-rename rows that ride the AZ-795 `UnmappedMemberHandling.Disallow` infra to make the old field names fail-fast (mirroring cycle 7's AZ-794 / AZ-796 coupling).
+- AZ-810 introduced a **new** validation enforcement shape — the `multipart/form-data` envelope — because `POST /api/satellite/upload` is the only endpoint that can't use the generic `ValidationEndpointFilter<T>`. The bespoke `UavUploadValidationFilter` composes three layers (deserializer, FluentValidation, envelope cross-field) with a different error-key convention (`errors["metadata"]` for deserializer-level failures vs `errors["metadata.items[i].field"]` for FluentValidation-layer failures). This is documented in BT-30 §Notes and `_docs/02_document/contracts/api/uav-tile-upload.md` v1.2.0 §Validation Rules so future multipart endpoints can reuse the pattern.
+- AZ-811 introduced a **new** generic infra piece — `UnknownQueryParameterEndpointFilter` (rule 4 — the parallel of `UnmappedMemberHandling.Disallow` for query strings). Documented in `_docs/02_document/modules/api_program.md` per AZ-811 AC-9. The next query-param endpoint can reuse it without reinventing the unknown-key rejection logic.
+- AZ-808 + AZ-812 shipped in the same cycle. The AZ-812 OSM rename (`Latitude/Longitude` → `Lat/Lon`) was coordinated with AZ-808's validator authoring so the validator was never written against the old names (per AZ-812 AC-6 coordination). `region-request.md` is published as v1.0.0 (not v1.0.0→v2.0.0 bump) with both AZ-808 (validation rules) and AZ-812 (`lat`/`lon` field names) in the Change Log.
+- BT-N01 and BT-N02 (legacy negative scenarios for `GET /api/satellite/tiles/latlon` that loosely asserted "HTTP 4xx") are NOT rewritten — they remain as historical record. BT-31 sub-cases 1, 2, 3 supersede them with strict assertions (HTTP 400 + named `errors` key). Both rows are kept per cycle-update rule 4 ("Preserve existing traceability IDs"); the cycle-8 row is the binding one going forward.
+- AZ-809 ACs 9 + 10 are **advisory** (surfaced for parent-suite team decision, not implemented or tested this cycle). Matrix marks them `◐ advisory (not tested)`. They're recorded so the next cycle / parent-suite review sees them without having to re-discover them from the task spec. AC-9: `RequestRegionRequest.sizeMeters` vs `CreateRouteRequest.regionSizeMeters` naming inconsistency. AC-10: input `points: [{lat, lon}]` vs output `points: [{latitude, longitude}]` round-trip asymmetry on the route endpoint. Either keep + document, or harmonize in a follow-up MAJOR contract bump for both — parent-suite team's call.
+- AZ-810 AC-9 (no AZ-488 regression) has a **process annotation**: cycle 8's batch_04 report originally claimed AC-9 "verified by tracing each AZ-488 test payload's metadata shape against the new rules" without running the integration suite. That verification was a false-PASS — the suite was actually red on the AZ-488 happy path because `UavUploadTests.NextTestCoordinate()` produced lat > 90° (a pre-existing latent bug masked by the absence of any validator before AZ-810). The bug was fixed by clamping the test-data generator to OSM-valid ranges in commit `b763da3` and AC-9 is now bound to the green full-suite re-run, not to source tracing. Process lesson recorded in `_docs/LESSONS.md` (2026-05-23).
+- Cycle-update rule check: no NFR conflicts. Range bounds (`lat ∈ [-90, 90]`, `lon ∈ [-180, 180]`, `zoom ∈ [0, 22]`, `tileSizeMeters > 0`) are reaffirmed across all 4 endpoints — they were never previously contested. The error-shape contract (`error-shape.md` v1.0.0 from cycle 7) is reused unchanged.

_docs/02_tasks/_dependencies_table.md

@@ -112,6 +112,46 @@ Source: cycle-5 retro Action 2 — AZ-505 is the deferred half of AZ-503 (invent
 |------|-------|-----------|--------|--------|
 | AZ-505 | Tile inventory endpoint + HTTP/2 + leaflet covering index | AZ-503 (HARD, Blocks-linked, satisfied by cycle 5) | 3 | To Do (cycle 6) |
 
+### Step 9 cycle 7 — New Task: API quality follow-up (cross-repo from gps-denied-onboard AZ-777)
+
+Source: cycle-7 New Task adoption of three Jira tickets originally filed on 2026-05-22 by the `gps-denied-onboard` agent during AZ-777 Phase 1 Jetson probing of the parent-suite `satellite-provider` service. Two API-quality concerns about the inventory endpoint were surfaced:
+
+1. **Field-name inconsistency** — URL path uses OSM-standard `z/x/y`; JSON body uses verbose `tileZoom/tileX/tileY` for the same concept (AZ-794).
+2. **Permissive parsing** — missing required fields silently coerce to `0`; unknown fields silently drop. Real client typos masquerade as valid (0,0,0) requests with collision-prone `locationHash` (AZ-795 epic + AZ-796 first child).
+
+Adopted into satellite-provider cycle 7 with the recommended ordering: shared validation infra (AZ-795) → wire-format rename (AZ-794) → first per-endpoint validator child (AZ-796). AZ-795 is structured as an Epic that ALSO ships shared infrastructure (FluentValidation + global ProblemDetails filter + `JsonSerializerOptions.UnmappedMemberHandling.Disallow`); future per-endpoint child tasks under AZ-795 to be added by parent-suite team as the public-endpoint surface is enumerated.
+
+| Task | Title | Depends On | Points | Status |
+|------|-------|-----------|--------|--------|
+| AZ-794 | Inventory body fields: rename `tileZoom/tileX/tileY` → `z/x/y` (OSM convention) | — (coordinate release with AZ-795 / AZ-796) | 3 | Done (cycle 7) |
+| AZ-795 | Strict input validation across all public endpoints (FluentValidation + ProblemDetails) — **Epic with shared-infra ship** | — (children gated on shared infra landing first) | — (epic; shared-infra estimate 5–8 pts; per-endpoint children ~3 pts each) | Done — shared infra shipped (cycle 7); future per-endpoint child tasks open |
+| AZ-796 | Strict validation for inventory endpoint (POST /api/satellite/tiles/inventory) | AZ-795 (HARD — shared infra); coordinate with AZ-794 | 3 | Done (cycle 7) |
+
+### Step 9 cycle 8 — Per-endpoint validation children of AZ-795 (cross-repo follow-up)
+
+Source: cross-repo request from `gps-denied-onboard` agent (2026-05-22). After AZ-795 shipped the shared infra (FluentValidation + GlobalExceptionHandler + UnmappedMemberHandling.Disallow + ValidationEndpointFilter) and AZ-796 shipped the inventory endpoint as the first concrete child, four additional public endpoints remain silent-coercion-permissive: `POST /api/satellite/request` (region onboarding), `POST /api/satellite/route` (route creation), `POST /api/satellite/upload` (UAV metadata layer; the file-level quality gate from AZ-488 stays), `GET /api/satellite/tiles/latlon` (single-tile download). All four are queued here as cycle-8 candidates, each mirroring the AZ-796 reference implementation pattern with endpoint-specific adaptations.
+
+**Cross-repo context**: AZ-808 + AZ-809 are blocking dependencies for gps-denied-onboard AZ-777 Phase 2 (Derkachi reference tile catalog seeding). AZ-810 is a defense-in-depth tightening for the existing AZ-488 UAV upload path. AZ-811 is the smallest item, included for completeness of the per-endpoint surface.
+
+| Task | Title | Depends On | Points | Status |
+|------|-------|-----------|--------|--------|
+| AZ-808 | Strict validation for region-request endpoint (POST /api/satellite/request) | AZ-795 (HARD — shared infra); AZ-796 (reference); AZ-812 (HARD — ships first in cycle 8 per /autodev step 10 user decision 2026-05-22; AZ-808 spec field references rewrite from `latitude`/`longitude` → `lat`/`lon` before validator implementation starts) | 3 | To Do |
+| AZ-809 | Strict validation for route-creation endpoint (POST /api/satellite/route) | AZ-795 (HARD); AZ-796 (single-DTO reference); AZ-808 (no-prior-contract reference) | 5 | To Do |
+| AZ-810 | Strict validation for UAV upload metadata (POST /api/satellite/upload) | AZ-795 (HARD); AZ-796 (single-DTO reference); AZ-809 (nested per-item reference); AZ-488 (must remain green); AZ-503 (flightId semantics) | 5 | To Do |
+| AZ-811 | Strict validation for lat/lon tile GET endpoint (GET /api/satellite/tiles/latlon) | AZ-795 (HARD); AZ-796 (single-DTO reference); AZ-808 (no-prior-contract reference) | 2 | To Do |
+
+**Spec amendments (2026-05-22, post-probe)**: AZ-808 and AZ-809 specs were amended after a gps-denied-onboard black-box probe of the running producer surfaced two real silent-coercion gaps and one input/output naming asymmetry. Notable spec changes: (1) AZ-808 rule count 8 → 9 (added `Id` non-zero-Guid rule); (2) AZ-809 rule count 13 → 14 (added `Id` non-zero-Guid rule); (3) AZ-809 added AC-10 advisory documenting the input/output point-naming asymmetry on `RouteResponse.points[]`; (4) AZ-808 added field-naming coordination section pointing at AZ-812. Story-point estimates unchanged; the new rules were already implicit in the AZ-795 epic's mandate.
+
+### Step 9 cycle 8b — Region API field-name harmonization (cross-repo follow-up)
+
+Source: cross-repo request from `gps-denied-onboard` agent (2026-05-22). After the AZ-777 Phase 2 black-box probe of the Region API, the consumer attempted `{"lat":..,"lon":..}` against `POST /api/satellite/request` and received HTTP 400 with `UnmappedMemberHandling.Disallow` rejecting the unknown fields. The producer DTO uses verbose `latitude`/`longitude`, which is the **only** OSM-deviating coord convention left in the public API surface: the inventory endpoint already uses `z/x/y` (per AZ-794), the Route endpoint's `RoutePoint`/`GeoPoint` already use `lat`/`lon` (per existing `[JsonPropertyName]`), and the slippy-map URL uses `z/x/y`. AZ-812 closes the inconsistency by renaming Region to match.
+
+This is a separate cycle (8b) because it's a **wire-format rename** (mirror of AZ-794) rather than a validator add (mirror of AZ-796). The two operations are surgically distinct even though they touch the same DTO.
+
+| Task | Title | Depends On | Points | Status |
+|------|-------|-----------|--------|--------|
+| AZ-812 | satellite-provider: rename `RequestRegionRequest.{Latitude, Longitude}` → `{Lat, Lon}` (OSM convention) + harmonize cross-endpoint | — (coordinate release ordering with AZ-808) | 3 | To Do |
+
 ## Execution Order
 
 ### Step 6
@@ -169,6 +209,33 @@ Single task; consumes the AZ-503-foundation columns landed in cycle 5.
 
 1. AZ-505 (3 SP) — Tile inventory endpoint + HTTP/2 + Leaflet covering index. Self-contained but produces TWO contract artifacts (new `contracts/api/tile-inventory.md` v1.0.0 + bump `contracts/data-access/tile-storage.md` v1.0.0 → v2.0.0 per architecture.md).
 
+### Step 9 cycle 7 (AZ-794 / AZ-795 / AZ-796)
+
+Adopted into cycle 7. Ordering:
+
+1. AZ-795 shared infrastructure (FluentValidation + global ProblemDetails filter + `JsonSerializerOptions.UnmappedMemberHandling.Disallow`) — gates every per-endpoint child.
+2. AZ-794 (rename) — lands the final wire-format names so AZ-796 validators can use them from day one.
+3. AZ-796 (inventory validator) — first per-endpoint child; serves as reference implementation for sibling per-endpoint child tasks.
+4. Sibling per-endpoint child tasks under AZ-795 — added by parent-suite team as they enumerate the surface from `/swagger/v1/swagger.json` (out of cycle 7 scope; future cycles).
+
+### Step 9 cycle 8 (AZ-808 / AZ-809 / AZ-810 / AZ-811 / AZ-812)
+
+Ordering decision recorded 2026-05-22 (`/autodev` Step 10 dirty-tree resolution): **Option 1 (AZ-812 first, then AZ-808 against final lat/lon names)** — chosen to avoid AZ-808 double-migration on contract doc + integration tests. AZ-809, AZ-810, AZ-811 are independent of AZ-812 (their DTOs already use OSM short form).
+
+Execution order:
+
+1. AZ-812 (3 SP) — Region DTO rename `Latitude/Longitude` → `Lat/Lon`. Ships first; AZ-808 depends on its outcome. Own batch (wire-format change is atomic; independent rollback target).
+2. AZ-811 (2 SP) — smallest validator unblocker; closes the simplest endpoint and validates the query-param filter pattern for any future query-string endpoints. Independent of AZ-812.
+3. AZ-808 (3 SP) — region-request validator written against post-rename `lat/lon`; unblocks gps-denied-onboard AZ-777 Phase 2 bbox-based seeding path. Hard-depends on AZ-812.
+4. AZ-809 (5 SP) — route-creation validator; unblocks gps-denied-onboard AZ-777 Phase 2 route-based (preferred) seeding path. Independent of AZ-812.
+5. AZ-810 (5 SP) — UAV upload metadata validator; defense-in-depth for AZ-488 multipart endpoint. Independent of AZ-812.
+
+Parent-suite team may reorder steps 2–5 based on consumer priorities; step 1 (AZ-812) must remain first.
+
+### Step 9 cycle 8b (AZ-812 — folded into cycle 8 ordering above)
+
+Originally tracked as a separate cycle 8b because AZ-812 is a wire-format rename (mirror of AZ-794) rather than a validator add (mirror of AZ-796). After the /autodev Step 10 ordering decision above, cycle 8b folds into cycle 8 as step 1 of the execution order. Section retained for traceability — the cycle-8b table entry remains the authoritative spec marker for AZ-812.
+
 ## Total Effort
 
 Step 6: 6 tasks, 17 story points
@@ -180,6 +247,9 @@ Step 9 cycle 3: 6 tasks created (AZ-491 = 3 pts, AZ-492 = 3 pts, AZ-493 = 2 pts,
 Step 9 cycle 4: 1 task created (AZ-500 = 5 pts)
 Step 9 cycle 5: 3 tasks tracked (AZ-503 = 3 pts foundation-half, AZ-504 = 1 pt, AZ-505 = 3 pts split-off-deferred) — 4 pts committed to cycle 5, 3 pts deferred to cycle 6
 Step 9 cycle 6: 1 task scheduled (AZ-505 = 3 pts) — consumed from cycle-5 deferral
+Step 9 cycle 7: 3 tasks adopted (AZ-794 = 3 pts rename, AZ-795 = epic with 5–8 pts shared-infra ship, AZ-796 = 3 pts first per-endpoint child) — total ~11–14 pts (over the 2–5 pts/cycle preference; AZ-795's shared-infra ship is the heavy item). Origin: gps-denied-onboard AZ-777 Phase 1 Jetson probe (2026-05-22). Sibling per-endpoint child tasks under AZ-795 to be added in future cycles as the parent-suite team enumerates the endpoint surface.
+Step 9 cycle 8: 5 tasks queued (AZ-812 = 3 pts Region DTO rename, AZ-808 = 3 pts region validator, AZ-809 = 5 pts route, AZ-810 = 5 pts UAV upload metadata, AZ-811 = 2 pts lat/lon GET) — total 18 pts across 4 per-endpoint AZ-795 children + 1 OSM-naming harmonization. Origin: cross-repo request from gps-denied-onboard agent (2026-05-22) for completeness of validation surface after AZ-795/796 landed, plus AZ-777 Phase 2 black-box probe surfacing the Region DTO as the lone OSM hold-out. Ordering: AZ-812 first (per /autodev Step 10 user decision), then AZ-808/809/810/811 (independent of each other modulo AZ-812). AZ-808 and AZ-809 specs amended 2026-05-22 post-probe to add `Id` non-zero-Guid rule + Route AC-10 input/output naming asymmetry advisory.
+Step 9 cycle 8b: folded into cycle 8 as step 1 (AZ-812). Section retained in dependency table for traceability.
 
 ## Coverage Verification
 

_docs/02_tasks/done/AZ-794_inventory_field_rename_osm.md

@@ -0,0 +1,94 @@
+# Inventory API: rename body fields to OSM-style z/x/y
+
+**Task**: AZ-794_inventory_field_rename_osm
+**Name**: Rename inventory body fields tileZoom/tileX/tileY → z/x/y (OSM convention)
+**Description**: Align the `POST /api/satellite/tiles/inventory` body shape with the URL-path slippy-map convention (`{z}/{x}/{y}`). Same coordinate concept is named two different ways inside the same API today; this task makes the body match the URL.
+**Complexity**: 3 points (recommended; final call by parent-suite team)
+**Dependencies**: — (coordinate release window with AZ-795 / AZ-796 to bundle the breaking changes)
+**Component**: SatelliteProvider.Api + SatelliteProvider.Common (DTOs)
+**Tracker**: AZ-794 (https://denyspopov.atlassian.net/browse/AZ-794)
+**Epic**: — (related to AZ-795 input-validation epic via Jira "Relates" link)
+**Originating ticket**: gps-denied-onboard AZ-777 Phase 1 (Jetson probe, 2026-05-22)
+
+## Origin
+
+Surfaced during gps-denied-onboard AZ-777 Phase 1 Jetson probing of the parent-suite `satellite-provider` service. The reviewing engineer noted that the inventory endpoint uses two different naming conventions for the same coordinate concept:
+
+- URL: `GET /tiles/{z}/{x}/{y}` — OSM/XYZ-standard short names.
+- Body: `{"tiles": [{"tileZoom":12,"tileX":2424,"tileY":1424}]}` — verbose .NET-style names.
+
+Conformance to the URL convention end-to-end (both URL and body) aligns with 20 years of slippy-map ecosystem norms (OSM, Google, Mapbox, Bing, Leaflet, MapLibre) and removes the need for consumers to translate at the boundary. Jira AZ-794 is the authoritative spec; this file mirrors the in-workspace-only sections that the satellite-provider implementer will need.
+
+## Problem
+
+Same coordinate concept; two names; same API:
+- URL path uses `z`, `x`, `y`.
+- Request and response bodies use `tileZoom`, `tileX`, `tileY`.
+
+Every consumer that thinks in slippy-map vocabulary has to translate at the boundary. Wire size is also ~3× larger than necessary on the field names (a 900-tile inventory request carries ~5 KB of `tileZoom`/`tileX`/`tileY` vs ~1.7 KB of `z`/`x`/`y`).
+
+## Outcome
+
+- `POST /api/satellite/tiles/inventory` request body uses `{"tiles": [{"z":...,"x":...,"y":...}]}` per tile entry.
+- Response body uses `{"results": [{"z":...,"x":...,"y":...,"locationHash":...,"present":...,...}]}` per entry. All non-coord fields (`locationHash`, `present`, `id`, `capturedAt`, `source`, `flightId`, `resolutionMPerPx`) unchanged.
+- OpenAPI / Swagger spec updated to match.
+- Schema doc `_docs/02_document/contracts/api/tile-inventory.md` bumped (v1.x.0 → next major) with a Migration / Coexistence section.
+- Integration tests updated.
+- Release notes / migration guide entry naming AZ-794 as the breaking-rename owner.
+
+## Scope
+
+### Included
+
+- DTOs for the inventory request + response — exact file path to be confirmed by the implementer (likely `SatelliteProvider.Common/DTO/TileInventory.cs` per AZ-505 spec).
+- The MapPost handler / minimal-api endpoint registration in `SatelliteProvider.Api/Program.cs` (or wherever the inventory endpoint is wired today).
+- `SatelliteProvider.IntegrationTests/TileInventoryTests.cs` — update payload builders + response assertions.
+- `_docs/02_document/contracts/api/tile-inventory.md` — major version bump with Change Log entry naming this task.
+- Release notes / migration guide.
+
+### Excluded
+
+- The `GET /tiles/{z}/{x}/{y}` endpoint — already uses the correct names; no change.
+- Strict input validation — owned by AZ-796 (sibling under epic AZ-795).
+- Other endpoint renames.
+- Internal storage / query / repo-method names (`tile_zoom`, `tile_x`, `tile_y` DB columns) — wire-format change only.
+
+## Acceptance Criteria
+
+**AC-1: Request body uses short names**
+Given a POST body `{"tiles":[{"z":12,"x":2424,"y":1424}]}` with valid JWT
+When `POST /api/satellite/tiles/inventory` is called
+Then HTTP 200 with `results[0].z == 12`, `results[0].x == 2424`, `results[0].y == 1424` and a deterministic non-zero `locationHash`.
+
+**AC-2: Response body uses short names**
+Given a successful inventory call
+When the response is parsed
+Then every `results[i]` object contains `z`, `x`, `y` keys (not `tileZoom`, `tileX`, `tileY`). All other fields (`locationHash`, `present`, `id`, `capturedAt`, `source`, `flightId`, `resolutionMPerPx`) are unchanged byte-for-byte from the pre-rename contract.
+
+**AC-3: OpenAPI spec accuracy**
+Given `/swagger/v1/swagger.json` (or equivalent)
+When the InventoryRequest + InventoryEntry schemas are inspected
+Then they declare `z`, `x`, `y` (not the old names) as the required coordinate properties.
+
+**AC-4: Migration guidance documented**
+Given the rename ships
+Then `_docs/02_document/contracts/api/tile-inventory.md` is bumped to a new major version, the Change Log entry names AZ-794 and the breaking-rename, and a Migration / Coexistence section either (a) names the hard-switch release with the consumer-side bump coordinated, or (b) documents the accept-both transition window.
+
+## Rollout — pick one
+
+- **Option 1 — hard switch** (recommended while consumer count is small): rename atomically, bump API version, ship coordinated consumer update in the same release.
+- **Option 2 — accept-both transition**: server accepts both `z` and `tileZoom` on input for one release; response always uses short names; deprecation notice in release notes; remove long names in next release.
+
+## Constraints
+
+- **Breaking change** — coordinate with all known consumers before shipping. Known consumer at filing time: `gps-denied-onboard` `HttpTileDownloader` in `src/gps_denied_onboard/components/c11_tile_manager/tile_downloader.py`. Parent-suite team to enumerate the full consumer set before deciding rollout cadence.
+- **No internal storage rename** — DB columns (`tile_zoom`, `tile_x`, `tile_y`) stay as named. Wire-format change only; internal Postgres schema is out of scope.
+- **Coordinate with AZ-795 / AZ-796** — if validation strictness ships in the same release as the rename, the validators must use the new short names from day one. Recommended ordering: ship AZ-794 first, then AZ-795 shared infra, then AZ-796.
+
+## References
+
+- Jira AZ-794: https://denyspopov.atlassian.net/browse/AZ-794
+- Related: AZ-795 (validation epic), AZ-796 (inventory validation child)
+- Originating discovery: gps-denied-onboard AZ-777 (Phase 1 Jetson probe, 2026-05-22)
+- Current contract doc: `_docs/02_document/contracts/api/tile-inventory.md` v1.0.0
+- Known consumer side: `gps-denied-onboard/src/gps_denied_onboard/components/c11_tile_manager/tile_downloader.py`

_docs/02_tasks/done/AZ-795_strict_validation_epic.md

@@ -0,0 +1,153 @@
+# Strict input validation across all public endpoints (FluentValidation + ProblemDetails)
+
+**Task**: AZ-795_strict_validation_epic
+**Name**: Strict input validation across all public endpoints
+**Type**: Epic
+**Description**: Every public HTTP endpoint must reject malformed input with structured 4xx errors instead of silently coercing missing fields to zero / ignoring unknown fields. Recommended approach: FluentValidation + global ProblemDetails filter + `JsonSerializerOptions.UnmappedMemberHandling.Disallow`.
+**Complexity**: — (epic; rolls up children. Estimate: 5–8 pts shared infra + ~3 pts per per-endpoint child)
+**Dependencies**: — (per-endpoint children depend on shared infra landing first)
+**Component**: SatelliteProvider.Api (DI wiring + global filter + DTOs + validators)
+**Tracker**: AZ-795 (https://denyspopov.atlassian.net/browse/AZ-795)
+**Children**: AZ-796 (inventory endpoint — first concrete child); sibling per-endpoint tasks to be added by parent-suite team
+**Originating ticket**: gps-denied-onboard AZ-777 Phase 1 (Jetson probe, 2026-05-22)
+
+## Origin
+
+Discovered during gps-denied-onboard AZ-777 Phase 1 Jetson probing on 2026-05-22. A hand-typed inventory request with the wrong field names (`{"z","x","y"}` instead of the current `{"tileZoom","tileX","tileY"}`) returned **HTTP 200** with `(0,0,0)` coordinates and an identical `locationHash` for every entry. Real client bugs masquerade as valid results because the deserializer silently treats unknown fields as missing and missing fields as `default(int) = 0`.
+
+For a service that's the single source of truth about which satellite tiles exist, permissive parsing is actively dangerous: corruption downstream, confident wrong answers, hours of debugging on the consumer side.
+
+Jira AZ-795 is the authoritative spec; this file mirrors the in-workspace-only sections that the satellite-provider implementer will need.
+
+## Problem
+
+Every public-facing JSON endpoint on satellite-provider inherits the same Postel-permissive parsing default:
+- Missing required fields → silently `default(T)` (e.g. `0` for `int`).
+- Unknown fields → silently dropped (no `[JsonExtensionData]` capture, no log entry).
+- Wrong types → silently coerced where possible, silently dropped where not.
+
+No structured error response. The only contract-level signal a misbehaving client gets today is downstream weirdness (wrong `locationHash`, repeated identical results, etc.) — many hops away from the actual cause.
+
+## Outcome
+
+- Every public-facing JSON endpoint rejects malformed input with **HTTP 400 + RFC 7807 ProblemDetails** body naming the offending field(s).
+- Validators are testable in isolation (unit tests per `RuleFor`) and enforced by the HTTP layer without per-controller try/catch boilerplate.
+- Unknown-field rejection is wired at the deserializer level so typos can't reach a validator.
+- Uniform error response shape across all endpoints.
+- New `_docs/02_document/contracts/api/error-shape.md` v1.0.0 documenting the ProblemDetails contract every endpoint conforms to.
+
+## Recommended approach
+
+1. **FluentValidation** for input DTOs (declarative, composable, validators are testable units). Final stack choice belongs to the parent-suite team; if FluentValidation is ruled out by existing constraints, alternatives are stock DataAnnotations + custom model binders or hand-written `IValidator<T>`.
+2. **Global error filter / ASP.NET model-state behavior** that emits RFC 7807 ProblemDetails for every validation failure. No per-endpoint try/catch boilerplate.
+3. **Unknown-field rejection** at the deserializer: `JsonSerializerOptions.UnmappedMemberHandling.Disallow` (.NET 8+) or `Newtonsoft.Json` `MissingMemberHandling.Error`. Catches typos like `{"Z":12}` (uppercase) that no validator can catch after deserialization.
+
+## Error response contract (uniform across all endpoints)
+
+```json
+{
+  "type": "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+  "title": "One or more validation errors occurred.",
+  "status": 400,
+  "errors": {
+    "tiles[0].z": ["The z field is required."],
+    "tiles[1]": ["Unexpected field: 'tileZoom'."]
+  }
+}
+```
+
+Stable enough for consumers to pattern-match. Field names in `errors` paths must use the same casing as the request body (post-AZ-794 short names for the inventory endpoint).
+
+## Scope
+
+### Included — Shared infrastructure (this epic owns)
+
+- DI wiring for FluentValidation (or chosen alternative) in `SatelliteProvider.Api/Program.cs` (or appropriate composition root).
+- Global error filter / `Configure<ApiBehaviorOptions>(...)` for ProblemDetails formatting.
+- `JsonSerializerOptions` configuration for unknown-field rejection.
+- A validator-coverage table in `_docs/02_document/architecture.md` (or equivalent) listing each public endpoint and its validator class.
+- Shared test fixtures for ProblemDetails assertions in `SatelliteProvider.IntegrationTests`.
+- New contract artifact: `_docs/02_document/contracts/api/error-shape.md` v1.0.0 (the ProblemDetails shape every endpoint conforms to).
+
+### Included — Per-endpoint child tasks
+
+- One child Task per public-facing endpoint that has a JSON body. Each consumes the shared infra.
+- Each child uses the AC template below.
+- Parent-suite team enumerates the full endpoint surface from `/swagger/v1/swagger.json` / route map and creates the children.
+- First child (concrete reference implementation): **AZ-796** — inventory endpoint.
+
+### Excluded
+
+- Authentication / authorization changes (JWT contract owned by AZ-494).
+- Endpoint renaming (**AZ-794** owns the inventory body-field rename).
+- Rate-limiting / quota (separate concern).
+- Internal-only admin endpoints, health probes, metrics scrapers (parent-suite team owns in/out decision per endpoint).
+
+## Acceptance Criteria template (every child task must satisfy)
+
+**AC-1: Missing required field → 400**
+Given a POST body that omits a required field
+When the endpoint is called
+Then HTTP 400 with `errors.<field>` listing the missing field.
+
+**AC-2: Unknown field → 400**
+Given a POST body with an unrecognized field at root or in nested objects
+When the endpoint is called
+Then HTTP 400 with `errors[].<location>` naming the unexpected field.
+
+**AC-3: Wrong type → 400**
+Given a POST body with a field of unexpected JSON type (e.g. string where integer expected)
+When the endpoint is called
+Then HTTP 400 with `errors.<field>` describing the type mismatch.
+
+**AC-4: Out-of-range value → 400**
+Given a POST body with a value outside its supported range
+When the endpoint is called
+Then HTTP 400 with `errors.<field>` describing the valid range.
+
+**AC-5: Empty array where non-empty required → 400**
+Given a POST body where a required non-empty collection is empty
+When the endpoint is called
+Then HTTP 400 with `errors.<field>` describing the constraint.
+
+**AC-6: Validator class is its own file + unit-tested**
+A `IValidator<RequestDto>` (or equivalent) class exists in its own file under `SatelliteProvider.Api/Validators/` (or per-suite convention), with a unit test per `RuleFor(...)`.
+
+**AC-7: Integration tests cover one happy + one failure path per AC**
+`SatelliteProvider.IntegrationTests` adds a fixture that POSTs each bad-payload variant and asserts `status == 400` + ProblemDetails shape + specific `errors[].<location>` path.
+
+**AC-8: OpenAPI / Swagger spec accuracy**
+`/swagger/v1/swagger.json` marks required fields, declares ranges, and documents the new 400 response shape.
+
+## Test requirements
+
+- **Unit**: one xUnit class per validator. Tests cover each `RuleFor(...)` / equivalent.
+- **Integration**: `SatelliteProvider.IntegrationTests` adds one fixture per endpoint covering all AC variants (~7–10 new tests per endpoint).
+- **Contract**: OpenAPI spec snapshot test confirms the published schema rejects what the validator rejects.
+- **Cross-cutting**: shared `ProblemDetailsAssertions` helper in test infra so every endpoint's failure tests use the same assertion shape.
+
+## Migration / breaking-change strategy
+
+Tightening validation is a **breaking behavior change**: clients that today get 200 OK with nonsense will start getting 400. Three approaches the parent-suite team can pick from:
+
+1. **Hard switch** — ship in one release with a clear "Breaking" note. Cleanest for low-consumer-count (currently 1).
+2. **Soft warning then enforce** — log warnings for one release when malformed input arrives; enforce in the next.
+3. **API versioning** — keep `/v1` permissive, add `/v2` strict, migrate consumers, remove `/v1`.
+
+Recommendation: **#1** while the consumer set is small (currently 1 known: `gps-denied-onboard`).
+
+## Constraints
+
+- Shared infra MUST land before any per-endpoint child task — children are gated on it.
+- Coordinate with **AZ-794** (inventory rename) — recommended ordering ships AZ-794 first so this epic's validators use the final names from day one.
+- Parent-suite team enumerates the full consumer set before deciding rollout cadence (not just `gps-denied-onboard`).
+- Per-endpoint child tasks added by parent-suite team after enumerating endpoint surface from OpenAPI / route map. Do NOT create all children up-front — let them be added as the team decomposes.
+
+## References
+
+- Jira AZ-795: https://denyspopov.atlassian.net/browse/AZ-795
+- First child: AZ-796 (inventory endpoint)
+- Related: AZ-794 (inventory rename), AZ-777 (originating discovery in gps-denied-onboard)
+- Originating discovery: gps-denied-onboard AZ-777 Phase 1 Jetson probe (2026-05-22)
+- ASP.NET ProblemDetails reference: https://learn.microsoft.com/en-us/aspnet/core/web-api/handle-errors
+- FluentValidation reference: https://docs.fluentvalidation.net/

_docs/02_tasks/done/AZ-796_inventory_endpoint_validation.md

@@ -0,0 +1,124 @@
+# Strict validation for inventory endpoint (POST /api/satellite/tiles/inventory)
+
+**Task**: AZ-796_inventory_endpoint_validation
+**Name**: Strict validation for inventory endpoint
+**Description**: Add FluentValidation-backed strict input validation to `POST /api/satellite/tiles/inventory`. Reject malformed payloads with RFC 7807 ProblemDetails (HTTP 400). First concrete child of the validation-hardening epic (AZ-795); serves as reference implementation pattern for sibling per-endpoint tasks.
+**Complexity**: 3 points (recommended)
+**Dependencies**: AZ-795 (HARD — shared FluentValidation + ProblemDetails + unknown-field-rejection infra must land first); coordinate with AZ-794 (rename)
+**Component**: SatelliteProvider.Api/Validators + SatelliteProvider.Common (DTOs)
+**Tracker**: AZ-796 (https://denyspopov.atlassian.net/browse/AZ-796)
+**Epic**: AZ-795 — Strict input validation across all public endpoints
+**Originating ticket**: gps-denied-onboard AZ-777 Phase 1 (Jetson probe, 2026-05-22)
+
+## Origin
+
+Discovered during gps-denied-onboard AZ-777 Phase 1 Jetson probing on 2026-05-22 — see parent epic AZ-795 for full context. This ticket scopes the strict-validation work to the **inventory endpoint** as the first concrete reference implementation; sibling per-endpoint child tasks will follow the same pattern.
+
+Jira AZ-796 is the authoritative spec; this file mirrors the in-workspace-only sections that the satellite-provider implementer will need.
+
+## Problem
+
+`POST /api/satellite/tiles/inventory` today accepts malformed payloads silently:
+- Missing required fields (`z`, `x`, `y`) → silently coerced to `0`, producing `locationHash` collisions and `(0,0,0)` echoed back as if the client had asked for tile (0,0,0).
+- Unknown fields (typos like `{"Z":12}` uppercase) → silently dropped, then required field appears missing → silently 0.
+- Wrong types → silently coerced where possible.
+- No structured 4xx response. Real client bugs surface downstream as "all my inventory results have the same locationHash" — many hops from the actual cause.
+
+Concrete reproducer (from the originating probe):
+
+```bash
+curl -sk -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" \
+  -d '{"tiles":[{"z":12,"x":2424,"y":1424},{"z":12,"x":2425,"y":1425}]}' \
+  https://satellite-provider:8080/api/satellite/tiles/inventory
+```
+
+Returns HTTP 200 with both `results` entries carrying `tileZoom:0, tileX:0, tileY:0` and identical `locationHash`. Expected: HTTP 400 naming `z`, `x`, `y` as unexpected fields (pre-AZ-794) or 200 with correct echo (post-AZ-794) — but never silently-wrong 200.
+
+## Outcome
+
+- `POST /api/satellite/tiles/inventory` rejects malformed payloads with HTTP 400 + RFC 7807 ProblemDetails matching the shape defined by the parent epic AZ-795.
+- An `IValidator<InventoryRequestDto>` (or equivalent) covers all 9 validation rules listed below.
+- Integration tests cover one happy path + one failure path per validation rule.
+- OpenAPI spec marks required fields, declares ranges, and documents the new 400 response.
+- Schema doc `_docs/02_document/contracts/api/tile-inventory.md` updated to reference the validation rules + error contract.
+
+## Scope
+
+### Included
+
+- `InventoryRequestValidator` (or equivalent class) in `SatelliteProvider.Api/Validators/` — full coverage of the 9 validation rules below.
+- Wiring of the validator into the MapPost / minimal-api endpoint registration in `SatelliteProvider.Api/Program.cs` (or wherever the inventory endpoint is wired today). Wiring leverages the shared infra from AZ-795.
+- Unit tests for the validator (`SatelliteProvider.UnitTests` or appropriate — one test method per `RuleFor(...)`).
+- Integration tests in `SatelliteProvider.IntegrationTests/TileInventoryValidationTests.cs` (new file) — happy + failure case per AC.
+- Update to `_docs/02_document/contracts/api/tile-inventory.md` documenting the validation rules + error shape.
+- Update to `/swagger/v1/swagger.json` (via XML doc comments / Swashbuckle annotations) marking required fields + ranges + 400 response.
+
+### Excluded
+
+- Shared infra wiring (parent epic AZ-795 owns this).
+- Validation for other endpoints (sibling child tasks under AZ-795 will be added by parent-suite team).
+- The field rename itself (AZ-794).
+- Auth / JWT changes.
+- Performance considerations (existing AZ-505 perf gates remain in effect; validation overhead expected to be negligible vs DB round-trip).
+
+## Required validations (9 rules)
+
+Naming below assumes AZ-794 (rename) has shipped. If validators land BEFORE AZ-794, swap `z/x/y` for `tileZoom/tileX/tileY` and re-rename when AZ-794 lands.
+
+1. **Body present** — null/empty body → 400.
+2. **`tiles` field required** — missing → 400 with `errors.tiles: ["required"]`.
+3. **`tiles` non-empty** — empty array → 400 with `errors.tiles: ["must contain at least 1 entry"]`.
+4. **`tiles` max size** — to be confirmed with parent-suite (existing AZ-505 spec uses 5000 for the EITHER/OR body shape; reaffirm here or align). Over the cap → 400.
+5. **Each entry has `z`, `x`, `y`** — any missing → 400 with `errors.tiles[i].<field>: ["required"]`.
+6. **Each field is non-negative integer** — wrong type or negative → 400.
+7. **`z` within supported zoom range** — out of range → 400 with `errors.tiles[i].z: ["must be between {min} and {max}"]`. Range to be confirmed with parent-suite (existing AZ-484 / AZ-503 schemas suggest 0–22; reaffirm here).
+8. **`x` / `y` within tile-axis bounds for given `z`** — i.e. `0 <= x,y < 2^z` — out of range → 400 with `errors.tiles[i].x` or `.y`.
+9. **Unknown fields at root or in tile entries** — 400 with `errors[].<location>: ["unexpected field: '<name>'"]`. Requires `JsonSerializerOptions.UnmappedMemberHandling.Disallow` (.NET 8+) at the deserializer level — this is part of AZ-795 shared infra and must be wired first.
+
+## Acceptance Criteria
+
+**AC-1: Each of the 9 validations rejects with HTTP 400 + ProblemDetails**
+Given a POST body that violates exactly ONE validation rule (one failure case per rule)
+When `POST /api/satellite/tiles/inventory` is called with valid JWT
+Then HTTP 400; response body matches the parent epic's ProblemDetails shape; `errors[].<location>` names the specific failing field; `errors[]` array does NOT include unrelated rules (single-rule precision).
+
+**AC-2: Happy path unchanged**
+Given a POST body that satisfies all 9 validations
+When `POST /api/satellite/tiles/inventory` is called with valid JWT
+Then HTTP 200 with the existing result shape (one entry per requested tile, same ordering, fields preserved from the pre-validation contract). No regression in existing `TileInventoryTests.cs` happy-path assertions.
+
+**AC-3: Validator class is its own file + unit-tested**
+A `InventoryRequestValidator` (or equivalent) class exists in its own file under `SatelliteProvider.Api/Validators/` (or per-suite convention). xUnit test class has one test method per `RuleFor(...)` — i.e. ≥ 9 unit-test methods.
+
+**AC-4: Integration tests cover happy + failure per rule**
+`SatelliteProvider.IntegrationTests/TileInventoryValidationTests.cs` (new file) has ≥ 10 test methods: 1 happy path + 9 failure cases. Each failure case POSTs the malformed payload, asserts `status == 400`, asserts ProblemDetails shape, asserts the specific `errors[].<location>` matches the rule.
+
+**AC-5: OpenAPI spec accuracy**
+Given `/swagger/v1/swagger.json` (or equivalent)
+When the InventoryRequest schema + endpoint operation are inspected
+Then required fields are marked `required: true`, integer types are declared with `minimum`/`maximum` per the validation rules, the endpoint declares a 400 response with the ProblemDetails schema.
+
+**AC-6: Schema doc updated**
+`_docs/02_document/contracts/api/tile-inventory.md` is updated (Change Log entry naming AZ-796) to document the validation rules + error contract. No version bump required (additive — error shape is a previously-undefined contract; clients that send valid payloads see no change).
+
+**AC-7: Manual probe captures each failure mode end-to-end**
+A `scripts/probe_inventory_validation.sh` (or Postman / Bruno collection) is committed that exercises each failure mode via real `curl` with a JWT, capturing the actual response body for documentation/regression.
+
+## Coordination with sibling tickets
+
+- **Parent (AZ-795)**: shared FluentValidation + ProblemDetails + unknown-field-rejection infra must land first.
+- **AZ-794 (inventory rename)**: if it ships first, validators use `z/x/y` from day one. If it ships in the same release, coordinate field names so this ticket lands once with the final names. If it ships later, validators initially use `tileZoom/tileX/tileY` and get renamed at AZ-794 ship time — less ideal but acceptable.
+
+## Constraints
+
+- **Breaking behavior change** — clients that today get 200 with nonsense will start getting 400. Coordinate rollout with all known consumers per AZ-795's migration strategy section.
+- **No regression in existing `TileInventoryTests.cs`** happy-path assertions (AZ-505 AC coverage).
+- **No change to internal repository / DB query path** — validation lives at the API layer only.
+
+## References
+
+- Jira AZ-796: https://denyspopov.atlassian.net/browse/AZ-796
+- Parent epic: AZ-795 (shared infra; error-shape contract)
+- Related: AZ-794 (rename), AZ-505 (existing inventory endpoint spec)
+- Originating discovery: gps-denied-onboard AZ-777 Phase 1 Jetson probe (2026-05-22)
+- Current contract doc: `_docs/02_document/contracts/api/tile-inventory.md` v1.0.0

_docs/02_tasks/done/AZ-808_region_endpoint_validation.md

@@ -0,0 +1,132 @@
+# Strict validation for region-request endpoint (POST /api/satellite/request)
+
+**Task**: AZ-808_region_endpoint_validation
+**Name**: Strict validation for region-request endpoint
+**Description**: Add FluentValidation-backed strict input validation to `POST /api/satellite/request` (region onboarding — enqueues a square region of tiles for async Google-Maps backfill). Reject malformed payloads with RFC 7807 ValidationProblemDetails (HTTP 400). Second concrete child of AZ-795; reuses the shared infra wired in cycle 7.
+**Complexity**: 3 points (7 validation rules — was 6 before the 2026-05-22 probe added the `Id` rule)
+**Dependencies**: AZ-795 (HARD — shared infra already landed in cycle 7); AZ-796 (reference implementation pattern); AZ-812 (field-naming coordination — see below)
+**Component**: SatelliteProvider.Api/Validators + SatelliteProvider.Common (RequestRegionRequest DTO)
+**Tracker**: AZ-808 (https://denyspopov.atlassian.net/browse/AZ-808)
+**Epic**: AZ-795 — Strict input validation across all public endpoints
+**Originating ticket**: gps-denied-onboard AZ-777 Phase 2 (cross-repo, 2026-05-22) — consumer needs this endpoint to seed Derkachi reference tile catalog; black-box probe surfaced concrete silent-coercion behavior
+
+## Scope
+
+Add FluentValidation-backed strict input validation to `POST /api/satellite/request` (region onboarding — enqueues a square region of tiles for async Google-Maps backfill). Reject malformed payloads with **RFC 7807 ValidationProblemDetails** (HTTP 400) per the Epic's `error-shape.md` v1.0.0 contract.
+
+Originating discovery: AZ-777 Phase 2 (gps-denied-onboard) — the consumer needs to call this endpoint to seed the Derkachi reference tile catalog. A black-box probe (2026-05-22) confirmed real silent-coercion behavior that this task fixes (see *Probe-confirmed gaps* below).
+
+Jira AZ-808 is the authoritative spec; this file mirrors the in-workspace-only sections that the satellite-provider implementer will need.
+
+## Probe-confirmed gaps (2026-05-22)
+
+A black-box probe of the running producer captured these concrete behaviors that this task must close:
+
+1. **`Id` silently coerces to zero-Guid when omitted.** Body `{"latitude":49.94,"longitude":36.31,"sizeMeters":200,"zoomLevel":18,"stitchTiles":false}` (no `id`) returned HTTP 200 with `"id":"00000000-0000-0000-0000-000000000000"` and `status:queued`. The `[Required]` DataAnnotation on `RequestRegionRequest.Id` is NOT enforced — the deserializer just yields the default Guid. This is the same silent-coercion class that motivated AZ-795. Validator must reject zero-Guid + missing-Id with the same RFC 7807 shape as the inventory validator.
+2. **`UnmappedMemberHandling.Disallow` IS active for this endpoint.** Sending the wrong field name (`{"lat":49.94,...}`) returned HTTP 400 with the proper ValidationProblemDetails shape: `{"errors":{"lat":["The JSON property 'lat' could not be mapped to any .NET member contained in type 'SatelliteProvider.Common.DTO.RequestRegionRequest'."]}}`. So rule 8 (unknown-field rejection) is already covered by AZ-795 cycle-7 shared infra; this task only needs to verify it stays active after wiring `WithValidation<T>()`.
+3. **Happy path works end-to-end.** With the correct shape `{"id":"<guid>","latitude":..,"longitude":..,"sizeMeters":200,"zoomLevel":18,"stitchTiles":false}`: HTTP 200 + regionId + 9 tiles downloaded from Google Maps + accessible via `GET /tiles/{z}/{x}/{y}` (13 KB JPEG verified). Validator must NOT regress this path.
+
+## Field-naming coordination with AZ-812
+
+This spec uses the **current wire format** (`latitude`, `longitude`) because that's what the DTO ships today and that's what the validator must reject malformed values for. **AZ-812** (mirror of AZ-794 for inventory) is filed to rename these to `lat`/`lon` for OSM-style consistency across all satellite-provider endpoints.
+
+If AZ-812 lands **before** this task, rewrite all field references in this spec from `latitude`/`longitude` to `lat`/`lon` before implementing. If AZ-812 lands **after** this task, AZ-812 must also update the validator + contract doc + integration tests. Pick the ordering during planning to avoid double migration.
+
+## Endpoint surface
+
+`POST /api/satellite/request`
+
+Current wire format (per `RequestRegionRequest.cs`, probe-confirmed 2026-05-22):
+
+```json
+{
+  "id": "<guid>",
+  "latitude": 50.10,
+  "longitude": 36.10,
+  "sizeMeters": 5000,
+  "zoomLevel": 18,
+  "stitchTiles": false
+}
+```
+
+Response: HTTP 200 with `RegionStatusResponse` (id, status, csvFilePath, summaryFilePath, tilesDownloaded, tilesReused, createdAt, updatedAt). Async — the actual tile downloads happen in the background via `RegionProcessingService` (Flow F3). Caller polls `GET /api/satellite/region/{id}` until `status:completed`.
+
+## Required validations
+
+1. **Body present** — null/empty body → 400 (`errors.$`).
+2. **`id` required, non-zero Guid** — NEW (probe-confirmed gap). Missing or `00000000-...` → 400 with `errors.id`. Use `RuleFor(x => x.Id).NotEmpty()` (FluentValidation's `NotEmpty()` rejects default-Guid).
+3. **`latitude` required** — double, in `[-90.0, 90.0]`. Out-of-range or missing → 400 with `errors.latitude`.
+4. **`longitude` required** — double, in `[-180.0, 180.0]`. Out-of-range or missing → 400 with `errors.longitude`.
+5. **`sizeMeters` required** — double, in `[100.0, 10000.0]` (matches current inline check in `RequestRegion Handler` per `api_program.md`). Out-of-range or missing → 400 with `errors.sizeMeters`.
+6. **`zoomLevel` required** — int, in `[0, 22]` (align with `TileCoordValidator` slippy-map range used by AZ-796 for the inventory endpoint). Out-of-range or missing → 400 with `errors.zoomLevel`.
+7. **`stitchTiles` required** — bool. Missing → 400 with `errors.stitchTiles` (no defaulting to `false` — force the caller to declare intent).
+8. **Unknown root fields rejected** — already covered by AZ-795's `UnmappedMemberHandling.Disallow` (probe-confirmed active). Verify it stays active after wiring `WithValidation<T>()`.
+9. **Type mismatch** — e.g. `"latitude": "fifty"` → 400 with `errors.latitude` ("could not be parsed"). Already covered by AZ-795's `GlobalExceptionHandler`; verify it triggers for this endpoint.
+
+## Implementation pattern (mirror AZ-796)
+
+1. New file: `SatelliteProvider.Api/Validators/RegionRequestValidator.cs` — `AbstractValidator<RequestRegionRequest>` with rules 2–7.
+2. Mark `RequestRegionRequest` props with `[JsonRequired]` (replacing or supplementing the existing `[Required]` DataAnnotation — the latter is not enforced by `System.Text.Json`, as the probe confirmed). Apply to `Id`, `Latitude`, `Longitude`, `SizeMeters`, `ZoomLevel`, `StitchTiles`.
+3. Add `.WithValidation<RequestRegionRequest>()` to the `MapPost("/api/satellite/request", ...)` chain in `Program.cs`.
+4. Unit tests: `SatelliteProvider.Tests/Validators/RegionRequestValidatorTests.cs` — one test per `RuleFor(...)` (≥ 6 methods covering id, latitude, longitude, sizeMeters, zoomLevel, stitchTiles).
+5. Integration tests: `SatelliteProvider.IntegrationTests/RegionRequestValidationTests.cs` (new file) — ≥ 9 methods (1 happy + 1 per failure-mode AC — including missing-id reproducing the probe's silent-coercion case).
+6. Manual probe: `scripts/probe_region_validation.sh` (mirrors `scripts/probe_inventory_validation.sh` from AZ-796). MUST include the missing-id test case.
+
+## New contract doc
+
+Create `_docs/02_document/contracts/api/region-request.md` v1.0.0. The region endpoint has **no formal contract** today (only `system-flows.md` F2 + module docs). The contract doc must cover:
+
+- Endpoint, auth, request body, response body (use the actual `RegionStatusResponse` shape: id, status, csvFilePath, summaryFilePath, tilesDownloaded, tilesReused, createdAt, updatedAt), error shape (reference `error-shape.md` v1.0.0).
+- Invariants (one regionId per request; client-provided non-zero Id; size cap; async semantics — caller must poll `GET /api/satellite/region/{id}`).
+- Test cases mirroring the validator rules (same `Case | Input | Expected | Notes` table format as `tile-inventory.md` v2.0.0). MUST include the missing-id case.
+- Cross-link to `RegionStatus` flow (F3) and the consumer-facing inventory contract (`tile-inventory.md` — callers seed via region, then read via inventory).
+- Reference to AZ-812 (field-naming follow-up).
+
+## Coordination with sibling tickets
+
+- **Parent (AZ-795)**: depends on shared infra already landed in cycle 7.
+- **AZ-796 (inventory)**: reference implementation — copy the validator + integration-test layout 1:1.
+- **AZ-812 (region field rename)**: hard coordination on field names. See *Field-naming coordination with AZ-812* above.
+- **AZ-777 (gps-denied-onboard)**: consumer-side dependency — Phase 2 cannot proceed safely until this validator lands AND the contract doc exists. Consumer has black-box-probed the endpoint and can use it today, but silent-coercion bugs make Phase 2 fragile until validation is in place.
+- Sibling validation tasks created in the same batch: **AZ-809** (route), **AZ-810** (UAV upload metadata), **AZ-811** (lat/lon GET).
+
+## Acceptance criteria
+
+**AC-1**: Each of the 9 validations above rejects with HTTP 400 + ValidationProblemDetails (single-rule precision; unrelated rules NOT in the `errors` map).
+
+**AC-2**: Happy path unchanged — a valid body still returns HTTP 200 + `RegionStatusResponse`; background processing still runs; the probe's 9-tile Derkachi case (`{"id":"<guid>","latitude":49.94,"longitude":36.31,"sizeMeters":200,"zoomLevel":18,"stitchTiles":false}`) still completes in under 10 seconds.
+
+**AC-3**: `RegionRequestValidator` lives in its own file under `SatelliteProvider.Api/Validators/` and is unit-tested (≥ 1 test per `RuleFor`).
+
+**AC-4**: `SatelliteProvider.IntegrationTests/RegionRequestValidationTests.cs` covers happy + 8+ failure modes with full ValidationProblemDetails assertion (use the existing `ProblemDetailsAssertions` helper from AZ-795). MUST include `Post_WithMissingId_ReturnsBadRequest` (reproducing the 2026-05-22 probe's silent-coercion case).
+
+**AC-5**: `_docs/02_document/contracts/api/region-request.md` v1.0.0 created and published.
+
+**AC-6**: `_docs/02_document/system-flows.md` F2 updated to reference the new contract doc + error shape.
+
+**AC-7**: OpenAPI spec marks `RequestRegionRequest` fields `required`, declares ranges, and documents the 400 response (matches AZ-796 Swashbuckle annotations).
+
+**AC-8**: Manual probe script exercises each failure mode end-to-end via `curl` + JWT.
+
+## Out of scope
+
+- The Region API's processing semantics (Flow F3 — `RegionProcessingService`) — validation lives at the API layer only.
+- Any change to `IRegionService.RequestRegionAsync` signature beyond accepting the validated DTO.
+- `GET /api/satellite/region/{id}` status endpoint (separate task if path-parameter validation needed; current Guid binding is framework-handled).
+- The field-name rename (`Latitude/Longitude` → `Lat/Lon`) — handled by AZ-812.
+- Performance — validation overhead is negligible vs the async enqueue + Google Maps round-trip.
+
+## Constraints
+
+- **Breaking behavior change** — any consumer today omitting `id` (silently getting zero-Guid) or sending malformed values will start getting 400. Known consumer set: gps-denied-onboard (currently uses correct body shape with id, per black-box probe 2026-05-22). Other consumers TBD by parent-suite team.
+- No regression in any existing `RegionRequestTests.cs` happy-path coverage.
+
+## References
+
+- Jira AZ-808: https://denyspopov.atlassian.net/browse/AZ-808
+- Parent Epic: AZ-795 (shared infra; error-shape contract)
+- Reference implementation: AZ-796 (inventory endpoint)
+- Coordination: AZ-812 (region field-name rename to OSM convention)
+- Cycle-7 retro: `_docs/06_metrics/retro_2026-05-22_cycle7.md` (flagged this endpoint as next in line)
+- Originating consumer discovery: gps-denied-onboard AZ-777 Phase 2 (2026-05-22 black-box probe)
+- Related contract docs: `error-shape.md` v1.0.0, `tile-inventory.md` v2.0.0 (both produced by AZ-795+AZ-796 cycle 7)

_docs/02_tasks/done/AZ-809_route_endpoint_validation.md

@@ -0,0 +1,156 @@
+# Strict validation for route-creation endpoint (POST /api/satellite/route)
+
+**Task**: AZ-809_route_endpoint_validation
+**Name**: Strict validation for route-creation endpoint
+**Description**: Add FluentValidation-backed strict input validation to `POST /api/satellite/route` (route creation — client submits ordered waypoints + optional geofence polygons; producer interpolates intermediate points every ≈ 200 m and — if `requestMaps=true` — enqueues a region request per route point for async tile backfill). Reject malformed payloads with RFC 7807 ValidationProblemDetails (HTTP 400). Third concrete child of AZ-795; reuses the shared infra wired in cycle 7.
+**Complexity**: 5 points (14 rules — was 13 before the 2026-05-22 probe added the `Id` rule; 3 validator classes; cross-field constraint; new contract doc)
+**Dependencies**: AZ-795 (HARD — shared infra); AZ-796 (single-DTO reference); AZ-808 (no-prior-contract pattern, same batch)
+**Component**: SatelliteProvider.Api/Validators + SatelliteProvider.Common (CreateRouteRequest, RoutePoint, GeofencePolygon, GeoPoint DTOs)
+**Tracker**: AZ-809 (https://denyspopov.atlassian.net/browse/AZ-809)
+**Epic**: AZ-795 — Strict input validation across all public endpoints
+**Originating ticket**: gps-denied-onboard AZ-777 Phase 2 (cross-repo, 2026-05-22) — route-based seeding is the consumer's preferred imagery seeding path; black-box probe surfaced silent-coercion + input/output naming asymmetry
+
+## Scope
+
+Add FluentValidation-backed strict input validation to `POST /api/satellite/route`. Reject malformed payloads with **RFC 7807 ValidationProblemDetails** (HTTP 400) per the Epic's `error-shape.md` v1.0.0 contract.
+
+Originating discovery: AZ-777 Phase 2 (gps-denied-onboard) — the consumer's preferred imagery seeding path is route-based (flight-track waypoints) rather than bbox-based, so this endpoint is the primary integration target for the Derkachi reference tile catalog. A black-box probe (2026-05-22) confirmed real silent-coercion behavior and an input/output naming asymmetry (see *Probe-confirmed gaps* below).
+
+Jira AZ-809 is the authoritative spec; this file mirrors the in-workspace-only sections that the satellite-provider implementer will need.
+
+## Probe-confirmed gaps (2026-05-22)
+
+A black-box probe of the running producer captured these concrete behaviors:
+
+1. **`Id` silently coerces to zero-Guid when omitted.** Same gap as the Region endpoint (AZ-808). `CreateRouteRequest.Id` has no `[Required]` and no `[JsonRequired]`, so the deserializer yields zero-Guid. Validator must reject missing/zero Id.
+2. **Happy path works end-to-end** for both `requestMaps:false` (route storage only, instant) and `requestMaps:true` (route + background tile backfill, ~15s for a 2-point 132m route at z=18). Validator must NOT regress.
+3. **Input/output naming asymmetry on points** (new finding). Input `points: [{"lat":..,"lon":..}]` (OSM short form, per `[JsonPropertyName("lat")]` on `RoutePoint`). But the **response** echoes points as `{"latitude":..,"longitude":..,"pointType":..,"sequenceNumber":..,"segmentIndex":..,"distanceFromPrevious":..}`. This is a DTO round-trip inconsistency on the same object type. NOT in scope for this validation task, but surfaced as **AC-10** (advisory) so the parent-suite team can decide whether to file a follow-up.
+4. **`UnmappedMemberHandling.Disallow` is active globally** (verified via AZ-808 probe), so unknown-field rejection (rule 13) will work out-of-the-box once `WithValidation<T>()` is wired.
+
+## Endpoint surface
+
+`POST /api/satellite/route`
+
+Current wire format (per `CreateRouteRequest`, probe-confirmed 2026-05-22):
+
+```json
+{
+  "id": "a1b2c3d4-...",
+  "name": "derkachi-flight-1",
+  "description": "AZ-777 Phase 2 seed route",
+  "regionSizeMeters": 1000,
+  "zoomLevel": 18,
+  "points": [
+    { "lat": 50.10, "lon": 36.10 },
+    { "lat": 50.11, "lon": 36.11 }
+  ],
+  "geofences": {
+    "polygons": [
+      { "northWest": { "lat": 50.15, "lon": 36.05 },
+        "southEast": { "lat": 50.05, "lon": 36.15 } }
+    ]
+  },
+  "requestMaps": true,
+  "createTilesZip": false
+}
+```
+
+Response (current, probe-confirmed): HTTP 200 with `RouteResponse` (id, name, description, regionSizeMeters, zoomLevel, totalDistanceMeters, totalPoints, points[], requestMaps, mapsReady, csvFilePath, summaryFilePath, stitchedImagePath, tilesZipPath, createdAt, updatedAt). Note response uses `latitude`/`longitude` for echoed points — see AC-10.
+
+Background processing per Flow F5 if `requestMaps=true`; client polls `GET /api/satellite/route/{id}` until `mapsReady:true`.
+
+## Required validations
+
+1. **Body present** — null/empty body → 400 (`errors.$`).
+2. **`id` required, non-zero Guid** — NEW (probe-confirmed gap, same as AZ-808). Missing or `00000000-...` → 400 with `errors.id`.
+3. **`name` required** — non-empty string, length `[1, 200]`. Missing/empty → 400 with `errors.name`.
+4. **`description` optional** — if present, length `[0, 1000]`. Over cap → 400 with `errors.description`.
+5. **`regionSizeMeters` required** — double, in `[100.0, 10000.0]` (align with region endpoint). Out-of-range or missing → 400 with `errors.regionSizeMeters`.
+6. **`zoomLevel` required** — int, in `[0, 22]` (align with `TileCoordValidator`). Out-of-range or missing → 400 with `errors.zoomLevel`.
+7. **`points` required, non-empty** — at least **2 entries** (current `Flow F4` precondition), at most **500 entries** (cap to prevent runaway region-enqueue — confirm cap with parent-suite team). Below 2 or above 500 → 400 with `errors.points`.
+8. **Per-point**: `lat` required, double, in `[-90.0, 90.0]`; `lon` required, double, in `[-180.0, 180.0]`. Missing/out-of-range → 400 with `errors.points[i].lat` or `.lon`.
+9. **`geofences` optional** — if present:
+   - `polygons` required, non-empty.
+   - Per-polygon: `northWest` + `southEast` both required, each with valid `lat`/`lon`.
+   - Cross-field invariant: `northWest.lat > southEast.lat` AND `northWest.lon < southEast.lon` (i.e. NW is genuinely north-of and west-of SE).
+   - Violations → 400 with `errors.geofences.polygons[i].<field>`.
+10. **`requestMaps` required** — bool. Missing → 400 with `errors.requestMaps`.
+11. **`createTilesZip` required** — bool. Missing → 400 with `errors.createTilesZip`.
+12. **Cross-field constraint**: `createTilesZip == true` implies `requestMaps == true` (can't zip what wasn't downloaded). Violation → 400 with `errors.$` or `errors.createTilesZip`.
+13. **Unknown root or nested fields rejected** — covered by AZ-795's `UnmappedMemberHandling.Disallow` (probe-confirmed active globally via AZ-808). Any unknown field at any nesting level → 400 with `errors.<path>` ("could not be mapped to any .NET member").
+14. **Type mismatch** — e.g. `"lat": "fifty"` at any nesting level → 400 with `errors.<path>`. Covered by AZ-795's `GlobalExceptionHandler`.
+
+## Implementation pattern (mirror AZ-796, extended for nesting)
+
+1. New files (all under `SatelliteProvider.Api/Validators/`):
+   - `CreateRouteRequestValidator.cs` — root validator with rules 2–7, 10–12.
+   - `RoutePointValidator.cs` — per-point validator (rule 8); invoked via `RuleForEach(x => x.Points).SetValidator(new RoutePointValidator())`.
+   - `GeofencePolygonValidator.cs` — per-polygon validator (rule 9); invoked via `RuleForEach(x => x.Geofences.Polygons).SetValidator(new GeofencePolygonValidator())` (guarded by `When(x => x.Geofences != null)`).
+2. Mark required props on `CreateRouteRequest`, `RoutePoint`, `Geofences`, `GeofencePolygon`, `GeoPoint` with `[JsonRequired]` per the cycle-7 `TileCoord` pattern. Pay special attention to `Id` (probe confirmed it's not enforced today).
+3. Add `.WithValidation<CreateRouteRequest>()` to the `MapPost("/api/satellite/route", ...)` chain.
+4. Unit tests: `SatelliteProvider.Tests/Validators/CreateRouteRequestValidatorTests.cs` + `RoutePointValidatorTests.cs` + `GeofencePolygonValidatorTests.cs` (≥ 13 test methods total — one per `RuleFor`/`RuleForEach` chain; new id-rule method must reproduce the probe's missing-id case).
+5. Integration tests: `SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs` (new file) — ≥ 14 methods (1 happy + 1 per failure-mode AC).
+6. Manual probe: `scripts/probe_route_validation.sh`. MUST include missing-id, NW-southeast-inverted polygon, points-too-few, createTilesZip-without-requestMaps.
+
+## New contract doc
+
+Create `_docs/02_document/contracts/api/route-creation.md` v1.0.0. Like the region endpoint, this has **no formal contract** today. Cover:
+
+- Endpoint, auth, request body (with nested DTO recursion), response body (`RouteResponse` shape — acknowledge the input/output point-naming asymmetry; reference AC-10 advisory), error shape (reference `error-shape.md` v1.0.0).
+- Invariants (client-provided non-zero Id; one routeId per request; min 2 points; max 500 points; polygon NW>SE; cross-field createTilesZip implies requestMaps).
+- Test cases table (same format as `tile-inventory.md` v2.0.0). MUST include missing-id, geofence NW/SE inversion, createTilesZip cross-field, points-too-few cases.
+- Cross-link to Flow F4 (Route Creation) + Flow F5 (Route Map Processing background) + `region-request.md` (referenced by F5 enqueue path).
+
+## Coordination with sibling tickets
+
+- **Parent (AZ-795)**: depends on shared infra already landed in cycle 7.
+- **AZ-796 (inventory)**: reference for single-DTO validator pattern.
+- **AZ-808 (region)**: reference for endpoint without prior contract doc (same precondition: must create new `region-request.md`); coordinate field-name conventions across the two contracts. The naming inconsistency `RequestRegionRequest.sizeMeters` vs `CreateRouteRequest.regionSizeMeters` (same concept, different names) is flagged in AC-9.
+- **AZ-812 (region field rename)**: tangentially related — AZ-812 is bringing Region into the lat/lon convention that Route already uses. No direct dependency on this task.
+- **AZ-777 (gps-denied-onboard)**: consumer-side dependency — Phase 2 cannot proceed safely until this validator lands AND `route-creation.md` exists.
+
+## Acceptance criteria
+
+**AC-1**: Each of the 14 validations above rejects with HTTP 400 + ValidationProblemDetails (single-rule precision).
+
+**AC-2**: Happy path unchanged — a valid body still returns HTTP 200 + `RouteResponse`; background F5 processing still runs when `requestMaps=true`; probe's 2-point 132m route still completes (`mapsReady:true`) in under 20 seconds.
+
+**AC-3**: All three validators (`CreateRouteRequestValidator`, `RoutePointValidator`, `GeofencePolygonValidator`) live in their own files under `SatelliteProvider.Api/Validators/` and are unit-tested (≥ 1 test per `RuleFor`/`RuleForEach` chain, ≥ 13 methods total).
+
+**AC-4**: `SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs` covers happy + 13+ failure modes with full ValidationProblemDetails assertion. MUST include `Post_WithMissingId_ReturnsBadRequest` (reproducing the 2026-05-22 probe's silent-coercion case).
+
+**AC-5**: `_docs/02_document/contracts/api/route-creation.md` v1.0.0 created and published.
+
+**AC-6**: `_docs/02_document/system-flows.md` F4 + F5 updated to reference the new contract doc + error shape.
+
+**AC-7**: OpenAPI spec marks all required fields at every nesting level, declares ranges, and documents the 400 response.
+
+**AC-8**: Manual probe script exercises each failure mode end-to-end via `curl` + JWT.
+
+**AC-9** (advisory — surface in PR, parent-suite to decide): the inconsistency `RequestRegionRequest.sizeMeters` vs `CreateRouteRequest.regionSizeMeters` is named differently for the same concept. Either keep the discrepancy and document why, or harmonize to a single name in a follow-up MAJOR contract bump for both.
+
+**AC-10** (advisory — surface in PR, parent-suite to decide): the **input/output point-naming asymmetry** on this endpoint (input `points: [{"lat":..,"lon":..}]`, response `points: [{"latitude":..,"longitude":..}]` for the same `RoutePoint` round-trip) is a DTO inconsistency. Probe-confirmed 2026-05-22. Either keep + document, or file a follow-up to harmonize.
+
+## Out of scope
+
+- Route processing semantics (Flow F5 background, ZIP creation, point-in-polygon geofence filtering) — validation lives at the API layer only.
+- `GET /api/satellite/route/{id}` status endpoint (separate task if needed; Guid binding is framework-handled).
+- Performance — nested validation overhead is negligible vs interpolation + background region enqueue.
+- Route interpolation algorithm — unchanged.
+- Input/output point-naming asymmetry fix — surfaced as AC-10 advisory only.
+
+## Constraints
+
+- **Breaking behavior change** — callers today omitting `id` (silently getting zero-Guid) or sending malformed nested bodies will start getting 400. Known consumer set: gps-denied-onboard (uses correct body shape with id and lat/lon points, per black-box probe 2026-05-22). Other consumers TBD by parent-suite team.
+- No regression in any existing `RouteCreationTests.cs` happy-path coverage.
+- Cross-field constraint (rule 12) requires custom `When/Otherwise` or a top-level `Must()` rule — FluentValidation 12.0.0 supports both; pick the more readable one.
+
+## References
+
+- Jira AZ-809: https://denyspopov.atlassian.net/browse/AZ-809
+- Parent Epic: AZ-795
+- Reference implementations: AZ-796 (single-DTO pattern), AZ-808 (no-prior-contract pattern, same batch)
+- Tangentially related: AZ-812 (region field rename to OSM)
+- Cycle-7 retro: `_docs/06_metrics/retro_2026-05-22_cycle7.md` (flagged this endpoint as a per-endpoint child of AZ-795)
+- Originating consumer discovery: gps-denied-onboard AZ-777 Phase 2 (route-based seeding is the consumer's preferred path; 2026-05-22 black-box probe surfaced silent-coercion + naming asymmetry)
+- Related contract docs: `error-shape.md` v1.0.0, `tile-inventory.md` v2.0.0 (both produced by AZ-795+AZ-796 cycle 7)

_docs/02_tasks/done/AZ-810_upload_metadata_validation.md

@@ -0,0 +1,147 @@
+# Strict validation for UAV upload metadata (POST /api/satellite/upload)
+
+**Task**: AZ-810_upload_metadata_validation
+**Name**: Strict validation for UAV upload metadata
+**Description**: Add FluentValidation-backed strict input validation to the metadata DTO layer of `POST /api/satellite/upload` (UAV batch upload, AZ-488). Reject malformed metadata JSON envelopes with RFC 7807 ValidationProblemDetails (HTTP 400). Fourth concrete child of AZ-795; reuses the shared infra wired in cycle 7. The file-level quality checks (size, luminance, age, future-skew) remain in scope of the existing `IUavTileQualityGate`.
+**Complexity**: 5 points (multipart envelope requires custom filter, 14 rules, two validator classes, MINOR contract bump, defense-in-depth with existing UavTileQualityGate)
+**Dependencies**: AZ-795 (HARD — shared infra); AZ-796 (single-DTO reference); AZ-809 (nested per-item reference); AZ-488 (original endpoint — must remain green); AZ-503 (flightId semantics)
+**Component**: SatelliteProvider.Api/Validators + SatelliteProvider.Common (UavTileBatchMetadataPayload, UavTileMetadata DTOs)
+**Tracker**: AZ-810 (https://denyspopov.atlassian.net/browse/AZ-810)
+**Epic**: AZ-795 — Strict input validation across all public endpoints
+**Originating ticket**: AZ-795 cycle-7 retro (explicitly names this endpoint as a remaining per-endpoint child)
+
+## Scope
+
+Add FluentValidation-backed strict input validation to the **metadata DTO** layer of `POST /api/satellite/upload`. Reject malformed `metadata` JSON envelopes with **RFC 7807 ValidationProblemDetails** (HTTP 400) per the Epic's `error-shape.md` v1.0.0 contract.
+
+**Important scope boundary**: this task is about the **metadata envelope** — `UavTileBatchMetadataPayload` and its per-item `UavTileMetadata` payloads. The **file-level** quality checks (size, luminance variance, age, future-skew) are already enforced by the existing `IUavTileQualityGate` per AZ-488 and remain in scope of that gate. The DTO validator runs **before** the quality gate (per-item bytes inspection) so malformed metadata can short-circuit without ever touching the file bytes.
+
+Originating discovery: AZ-795 cycle-7 retro — the metadata DTO is explicitly named as a remaining gap ("already partly validated by `UavTileQualityGate`, but the metadata layer is a separate validator").
+
+Jira AZ-810 is the authoritative spec; this file mirrors the in-workspace-only sections that the satellite-provider implementer will need.
+
+## Endpoint surface
+
+`POST /api/satellite/upload` (multipart/form-data, auth: `RequiresGpsPermission` policy on top of JWT bearer)
+
+Multipart envelope:
+- `metadata` form field — JSON string deserialized to `UavTileBatchMetadataPayload`.
+- `files` form field — `IFormFileCollection`, one entry per metadata item, position-correlated.
+
+`UavTileBatchMetadataPayload` (current shape, per `modules/common_dtos.md`):
+
+```json
+{
+  "items": [
+    {
+      "lat": 50.10,
+      "lon": 36.10,
+      "tileZoom": 18,
+      "tileSizeMeters": 19.10925707,
+      "capturedAt": "2026-05-22T08:00:00Z",
+      "flightId": "a1b2c3d4-..."
+    }
+  ]
+}
+```
+
+Response (current per AZ-488): HTTP 200 `{items: [UavTileUploadResultItem[]]}` even on per-item failures. Envelope-level failures (oversize batch, malformed metadata, mismatched batch) are HTTP 400 ProblemDetails. **This task tightens the "malformed metadata" path.**
+
+## Required validations
+
+### Envelope-level
+
+1. **Multipart envelope present** — missing multipart form → framework-level 400 (unchanged).
+2. **`metadata` field present** — missing form field → 400 with `errors.metadata` ("required").
+3. **`metadata` parses as JSON** — malformed JSON → 400 with `errors.metadata` ("could not be parsed as JSON"). Covered by AZ-795's `GlobalExceptionHandler` once metadata binding routes through `JsonSerializerOptions`.
+4. **`metadata.items` required, non-empty** — missing or `[]` → 400 with `errors.metadata.items`.
+5. **`metadata.items.length` ≤ `UavQualityConfig.MaxBatchSize`** — over cap → 400 with `errors.metadata.items`. (Existing framework limit handles oversize via `KestrelServerOptions.Limits.MaxRequestBodySize` at the byte layer; this rule guards the item count specifically.)
+6. **`metadata.items.length` == `files.length`** — envelope alignment per AZ-488. Already detected by the upload handler; surface via ValidationProblemDetails for consistency with sibling endpoints → 400 with `errors.metadata` + `errors.files`.
+
+### Per-item (under `metadata.items[i]`)
+
+7. **`lat` required** — double, in `[-90.0, 90.0]`. Missing/out-of-range → 400 with `errors.metadata.items[i].lat`.
+8. **`lon` required** — double, in `[-180.0, 180.0]`. Missing/out-of-range → 400 with `errors.metadata.items[i].lon`.
+9. **`tileZoom` required** — int, in `[0, 22]` (align with `TileCoordValidator`). Missing/out-of-range → 400 with `errors.metadata.items[i].tileZoom`.
+10. **`tileSizeMeters` required** — double, `> 0.0`. Missing/non-positive → 400 with `errors.metadata.items[i].tileSizeMeters`. (Tighter range can be added if parent-suite team has a documented expected range; for now just guard `> 0`.)
+11. **`capturedAt` required** — ISO-8601 UTC `DateTime`. Must satisfy AZ-488 Rule 4 freshness window: `capturedAt ≤ now + UavQualityConfig.CapturedAtFutureSkewSeconds` AND `capturedAt ≥ now - UavQualityConfig.MaxAgeDays`. Missing/out-of-window → 400 with `errors.metadata.items[i].capturedAt`. (Equivalent to AZ-488 Rule 4 but at the API layer; the existing UavTileQualityGate still enforces the same rule for defense-in-depth.)
+12. **`flightId` optional** — if present, must be valid `Guid` (RFC 4122). Malformed UUID → 400 with `errors.metadata.items[i].flightId`. (Null/missing is valid — anonymous-flight semantics per AZ-503.)
+
+### Cross-cutting
+
+13. **Unknown fields rejected at root or any nesting level of `metadata`** — covered by AZ-795's `UnmappedMemberHandling.Disallow`. Any unknown field at root or under `items[i]` → 400 with `errors.metadata.<path>` ("could not be mapped to any .NET member").
+14. **Type mismatch** — e.g. `"lat": "fifty"` or `"tileZoom": 18.5` (non-integer double for int) → 400 with `errors.metadata.<path>`. Covered by AZ-795's `GlobalExceptionHandler`.
+
+## Implementation pattern (mirror AZ-796, extended for multipart + per-item)
+
+1. New files (all under `SatelliteProvider.Api/Validators/`):
+   - `UavTileBatchMetadataPayloadValidator.cs` — root validator with rules 4–6.
+   - `UavTileMetadataValidator.cs` — per-item validator (rules 7–12); invoked via `RuleForEach(x => x.Items).SetValidator(new UavTileMetadataValidator(uavQualityConfig))`.
+2. Mark required props on `UavTileBatchMetadataPayload` + `UavTileMetadata` with `[JsonRequired]` per the cycle-7 `TileCoord` pattern.
+3. Wire the validator into the multipart handler in `Program.cs` (the `UploadUavTileBatch` endpoint) — likely a custom endpoint filter that:
+   a. Reads the `metadata` form field.
+   b. Deserializes via the strict `JsonSerializerOptions` (already configured by AZ-795).
+   c. Resolves `IValidator<UavTileBatchMetadataPayload>` from DI and runs it.
+   d. Returns `Results.ValidationProblem` on failure.
+
+   This is a more involved wiring than AZ-796 (which uses the bog-standard `.WithValidation<T>()` filter for pure JSON bodies). Document the new filter in `_docs/02_document/modules/api_program.md`.
+4. Unit tests: `SatelliteProvider.Tests/Validators/UavTileBatchMetadataPayloadValidatorTests.cs` + `UavTileMetadataValidatorTests.cs` (≥ 11 test methods total — one per `RuleFor`/`RuleForEach` chain).
+5. Integration tests: `SatelliteProvider.IntegrationTests/UavUploadValidationTests.cs` (new file) — ≥ 13 methods (1 happy + 1 per failure-mode AC + envelope alignment regression).
+6. Manual probe: `scripts/probe_upload_validation.sh` — multipart `curl` against each failure mode.
+
+## Update existing contract doc
+
+Bump `_docs/02_document/contracts/api/uav-tile-upload.md` from v1.1.0 → v1.2.0 (MINOR). The contract doc exists; this task adds the validation rules + error shape reference. Do NOT change the wire format (no rename like AZ-794); MINOR is correct.
+
+Add a new section: "Validation rules (AZ-810)" that enumerates the 14 rules and references `error-shape.md` v1.0.0.
+
+## Coordination with sibling tickets
+
+- **Parent (AZ-795)**: depends on shared infra already landed in cycle 7.
+- **AZ-796 (inventory)**: reference for single-DTO pattern.
+- **AZ-809 (route)**: reference for nested per-item validator pattern (RuleForEach).
+- **AZ-488** (original UAV upload): existing happy-path integration tests + `UavTileQualityGate` MUST remain green.
+- **AZ-503** (flightId semantics): rule 12 must respect the anonymous-flight contract — `flightId=null` is a valid case.
+
+## Acceptance criteria
+
+**AC-1**: Each of the 14 validations above rejects with HTTP 400 + ValidationProblemDetails (single-rule precision).
+
+**AC-2**: Happy path unchanged — valid envelope still returns HTTP 200 + per-item result list; per-item file rejections (existing `UavTileQualityGate` semantics) still return HTTP 200 with per-item status (unchanged contract).
+
+**AC-3**: Both validator classes live in their own files under `SatelliteProvider.Api/Validators/` and are unit-tested (≥ 11 methods total).
+
+**AC-4**: `SatelliteProvider.IntegrationTests/UavUploadValidationTests.cs` covers happy + 12+ failure modes with full ValidationProblemDetails assertion.
+
+**AC-5**: `_docs/02_document/contracts/api/uav-tile-upload.md` bumped to v1.2.0 (MINOR) with the new validation section.
+
+**AC-6**: `_docs/02_document/modules/api_program.md` updated to document the new multipart-validation endpoint filter.
+
+**AC-7**: OpenAPI spec marks `UavTileBatchMetadataPayload` + `UavTileMetadata` fields `required`, declares ranges, and documents the 400 response.
+
+**AC-8**: Manual probe script exercises each failure mode end-to-end via multipart `curl` + JWT.
+
+**AC-9**: No regression in any existing AZ-488 integration tests (`UavTileBatchUploadTests.cs`, `UavTileQualityGateTests.cs`).
+
+## Out of scope
+
+- File-level quality checks (size, luminance, age, future-skew) — already enforced by `IUavTileQualityGate` per AZ-488; do NOT duplicate at the validator layer (the validator covers metadata-only).
+- Per-item file-byte validation — unchanged.
+- Auth (`RequiresGpsPermission`) — unchanged.
+- Performance — metadata validation overhead is negligible vs the per-item file decode + DB writes.
+
+## Constraints
+
+- **Breaking behavior change** — callers sending malformed metadata that silently coerces will start getting 400 instead of HTTP 200 with per-item rejections. Known consumer set: gps-denied-onboard (D-PROJ-2 flight-uploader path — not currently active per AZ-777 task spec).
+- No regression in any existing `UavTileBatchUploadTests.cs` happy-path coverage.
+- Cross-field rule 6 (alignment) requires access to BOTH `metadata.Items.Count` AND `files.Count` — it can't be a pure `IValidator<UavTileBatchMetadataPayload>` rule. Wire it as a separate envelope-level check inside the endpoint filter, with the same ValidationProblemDetails shape.
+- The multipart validation filter (item 3 of Implementation pattern above) is a NEW shared piece of infra. Consider whether it should live as a generic `MultipartValidationEndpointFilter<T>` for future reuse, or stay specific to this endpoint. Parent-suite team decides.
+
+## References
+
+- Jira AZ-810: https://denyspopov.atlassian.net/browse/AZ-810
+- Parent Epic: AZ-795
+- Reference implementations: AZ-796 (single-DTO pattern), AZ-809 (nested per-item pattern, same batch)
+- Cycle-7 retro: `_docs/06_metrics/retro_2026-05-22_cycle7.md` (explicitly names this endpoint as a per-endpoint child of AZ-795)
+- Original endpoint: AZ-488 (UAV batch upload), AZ-503 (flightId semantics)
+- Related contract docs: `error-shape.md` v1.0.0, `tile-inventory.md` v2.0.0 (both produced by AZ-795+AZ-796 cycle 7), `uav-tile-upload.md` v1.1.0 (to be bumped)

_docs/02_tasks/done/AZ-811_latlon_get_endpoint_validation.md

@@ -0,0 +1,105 @@
+# Strict validation for lat/lon tile GET endpoint (GET /api/satellite/tiles/latlon)
+
+**Task**: AZ-811_latlon_get_endpoint_validation
+**Name**: Strict validation for lat/lon tile GET endpoint
+**Description**: Add FluentValidation-backed strict input validation to `GET /api/satellite/tiles/latlon` (single-tile download by lat/lon/zoom). Reject malformed query strings with RFC 7807 ValidationProblemDetails (HTTP 400). Fifth concrete child of AZ-795; query-string surface differs from sibling JSON-body endpoints — needs explicit unknown-query-param filter.
+**Complexity**: 2 points (simple endpoint, 3 typed params + unknown-param check, reuses cycle-7 shared infra, small new contract doc)
+**Dependencies**: AZ-795 (HARD — shared infra); AZ-796 (single-DTO reference); AZ-808 (no-prior-contract reference)
+**Component**: SatelliteProvider.Api/Validators + small new endpoint filter (RejectUnknownQueryParamsEndpointFilter)
+**Tracker**: AZ-811 (https://denyspopov.atlassian.net/browse/AZ-811)
+**Epic**: AZ-795 — Strict input validation across all public endpoints
+**Originating ticket**: AZ-795 cycle-7 retro (explicitly names this endpoint as a remaining per-endpoint child)
+
+## Scope
+
+Add FluentValidation-backed strict input validation to `GET /api/satellite/tiles/latlon`. Reject malformed query strings with **RFC 7807 ValidationProblemDetails** (HTTP 400) per the Epic's `error-shape.md` v1.0.0 contract.
+
+Differs from siblings (AZ-796 / AZ-808 / AZ-809 / AZ-810) in that the input surface is **query string**, not a JSON body, so the unknown-field rejection knob (`UnmappedMemberHandling.Disallow`) does not apply directly — query-param-strictness needs an explicit shape check.
+
+Originating discovery: AZ-795 cycle-7 retro — this endpoint is explicitly named as a remaining gap alongside the POST endpoints.
+
+Jira AZ-811 is the authoritative spec; this file mirrors the in-workspace-only sections that the satellite-provider implementer will need.
+
+## Endpoint surface
+
+`GET /api/satellite/tiles/latlon?lat=<float>&lon=<float>&zoom=<int>` (auth: JWT bearer required, no permission claim).
+
+Response (current per `api_program.md::GetTileByLatLon Handler`): HTTP 200 with `DownloadTileResponse` (tile metadata; the actual bytes are served separately via `GET /tiles/{z}/{x}/{y}`).
+
+Current behavior on bad input: query params bind via the framework's default model binder — missing/malformed params trigger a generic 400 or silent defaults, neither of which conforms to `error-shape.md` v1.0.0.
+
+## Required validations
+
+1. **`lat` query param required** — double, in `[-90.0, 90.0]`. Missing/out-of-range/malformed → 400 with `errors.lat`.
+2. **`lon` query param required** — double, in `[-180.0, 180.0]`. Missing/out-of-range/malformed → 400 with `errors.lon`.
+3. **`zoom` query param required** — int, in `[0, 22]` (align with `TileCoordValidator`). Missing/out-of-range/malformed → 400 with `errors.zoom`.
+4. **Unknown query parameters rejected** — any query string param outside `{lat, lon, zoom}` → 400 with `errors.<paramName>`. (Requires explicit query-param-shape check inside the endpoint filter — the framework's default binder silently ignores extras.)
+5. **Type mismatch** — e.g. `lat=fifty` (not parseable as double) → 400 with `errors.lat` ("could not be parsed"). Covered by AZ-795's `GlobalExceptionHandler` IF the binding throws — verify this code path triggers it (it does for `[FromBody]` deserializers; query-string parse failures may take a different path — surface in PR and adapt).
+
+## Implementation pattern (adapted for query string)
+
+1. Bind query params to a dedicated record: `record GetTileByLatLonQuery(double Lat, double Lon, int Zoom)`. Default `[AsParameters]` binding works; `[JsonRequired]` doesn't apply (no JSON deserializer in the path), so missing-required is detected by the validator only.
+2. New file: `SatelliteProvider.Api/Validators/GetTileByLatLonQueryValidator.cs` — `AbstractValidator<GetTileByLatLonQuery>` with rules 1–3.
+3. Add `.WithValidation<GetTileByLatLonQuery>()` to the `MapGet("/api/satellite/tiles/latlon", ...)` chain. May require a small variant of `ValidationEndpointFilter<T>` that runs against the bound query-record rather than the body-bound record — the cycle-7 generic filter already does the bound-argument lookup, so it should Just Work; verify.
+4. **Rule 4 (unknown query params)** is the novel piece: implement as a separate endpoint filter that inspects `HttpContext.Request.Query.Keys` against the allowed set `{"lat", "lon", "zoom"}`. On any extras → `Results.ValidationProblem` with one `errors` entry per unexpected key. Either:
+   - Standalone filter `RejectUnknownQueryParamsEndpointFilter` (parameterized by allowed keys; reusable across future query-param endpoints).
+   - Inline `Func<EndpointFilterInvocationContext, ...>` for now and extract when the second consumer arrives. Parent-suite team decides.
+5. Unit tests: `SatelliteProvider.Tests/Validators/GetTileByLatLonQueryValidatorTests.cs` (≥ 3 methods — one per RuleFor). Plus a test for the unknown-query-param filter (≥ 1 method).
+6. Integration tests: `SatelliteProvider.IntegrationTests/GetTileByLatLonValidationTests.cs` (new file) — ≥ 6 methods (1 happy + 1 per failure-mode AC + 1 unknown-query-param).
+7. Manual probe: `scripts/probe_latlon_validation.sh` — `curl` against each failure mode.
+
+## New contract doc
+
+Create `_docs/02_document/contracts/api/tile-latlon.md` v1.0.0. This endpoint has **no formal contract** today; the producer-doc surface is `modules/api_program.md::GetTileByLatLon Handler` only. Cover:
+
+- Endpoint, auth, query params, response body (`DownloadTileResponse`), error shape (reference `error-shape.md` v1.0.0).
+- Invariants (single tile per request; (lat, lon, zoom) deterministically maps to a (z, x, y) coord; output references the slippy-map URL `/tiles/{z}/{x}/{y}` for body fetch).
+- Test cases table mirroring validator rules.
+- Cross-link to `tile-inventory.md` v2.0.0 (related single-vs-bulk read patterns) + `GET /tiles/{z}/{x}/{y}` URL contract.
+
+## Coordination with sibling tickets
+
+- **Parent (AZ-795)**: depends on shared infra already landed in cycle 7.
+- **AZ-796 (inventory)**: reference for `[FromBody]` validator pattern.
+- **AZ-808 (region)**: reference for endpoint without prior contract doc.
+- **AZ-777 (gps-denied-onboard)**: not currently a consumer (the onboard side uses `GET /tiles/{z}/{x}/{y}` directly with pre-computed coords from inventory); but this endpoint is needed for future workflows (e.g. UI-driven single-tile fetch by user-clicked coordinates).
+
+## Acceptance criteria
+
+**AC-1**: Each of the 5 validations above rejects with HTTP 400 + ValidationProblemDetails (single-rule precision).
+
+**AC-2**: Happy path unchanged — a valid `?lat=&lon=&zoom=` still returns HTTP 200 + `DownloadTileResponse`; tile is still downloaded/persisted as before.
+
+**AC-3**: `GetTileByLatLonQueryValidator` lives in its own file under `SatelliteProvider.Api/Validators/` and is unit-tested (≥ 3 methods).
+
+**AC-4**: `SatelliteProvider.IntegrationTests/GetTileByLatLonValidationTests.cs` covers happy + 4+ failure modes with full ValidationProblemDetails assertion.
+
+**AC-5**: `_docs/02_document/contracts/api/tile-latlon.md` v1.0.0 created and published.
+
+**AC-6**: `_docs/02_document/modules/api_program.md::GetTileByLatLon Handler` updated to reference the validator + new contract doc.
+
+**AC-7**: OpenAPI spec marks the query params as required + ranges + 400 response.
+
+**AC-8**: Manual probe script exercises each failure mode end-to-end via `curl` + JWT.
+
+**AC-9**: The novel unknown-query-param rejection filter (item 4 of Implementation pattern) is documented in `_docs/02_document/modules/api_program.md` so the next query-param endpoint can reuse it cleanly.
+
+## Out of scope
+
+- The actual tile download / persistence semantics — unchanged.
+- `GET /tiles/{z}/{x}/{y}` path-parameter validation (separate concern; the path int binder rejects malformed values at the framework layer, but range-checking `z` and `x`/`y` bounds is a gap that may warrant a separate task if parent-suite team decides).
+- Performance — query-string validation overhead is negligible vs the conditional Google-Maps round-trip.
+
+## Constraints
+
+- **Breaking behavior change** — callers sending unknown extra query params (e.g. typo `?latitude=`) that today silently fall back to `lat=0` will start getting 400. Known consumer set: TBD by parent-suite team (gps-denied-onboard does NOT currently call this endpoint).
+- No regression in any existing `TileByLatLonTests.cs` happy-path coverage.
+- The unknown-query-param rejection (rule 4) is a NEW behavior on top of standard ASP.NET binding; document it loudly in the contract doc so consumers know.
+
+## References
+
+- Jira AZ-811: https://denyspopov.atlassian.net/browse/AZ-811
+- Parent Epic: AZ-795
+- Reference implementations: AZ-796 (single-DTO pattern), AZ-808 (no-prior-contract pattern, same batch)
+- Cycle-7 retro: `_docs/06_metrics/retro_2026-05-22_cycle7.md` (flagged this endpoint as a per-endpoint child of AZ-795)
+- Related contract docs: `error-shape.md` v1.0.0, `tile-inventory.md` v2.0.0 (both produced by AZ-795+AZ-796 cycle 7)

_docs/02_tasks/done/AZ-812_region_field_rename_to_osm.md

@@ -0,0 +1,117 @@
+# Region API: rename Latitude/Longitude → Lat/Lon (OSM convention)
+
+**Task**: AZ-812_region_field_rename_to_osm
+**Name**: Rename `RequestRegionRequest.{Latitude, Longitude}` → `{Lat, Lon}` for OSM consistency
+**Description**: Rename the JSON wire-format fields on `RequestRegionRequest` from verbose `latitude`/`longitude` to OSM-standard short `lat`/`lon`. Mirror of AZ-794 (which did the same for the inventory endpoint's `tileZoom/tileX/tileY` → `z/x/y`). Breaking wire-format change.
+**Complexity**: 3 points (same scope as AZ-794: DTO rename + downstream code + docs + manual probe; no new behavior)
+**Dependencies**: — (coordinate ordering with AZ-808 — see *Coordination*)
+**Component**: SatelliteProvider.Common (RequestRegionRequest DTO) + SatelliteProvider.Services (RegionService consumers) + SatelliteProvider.IntegrationTests + producer docs
+**Tracker**: AZ-812 (https://denyspopov.atlassian.net/browse/AZ-812)
+**Originating ticket**: gps-denied-onboard AZ-777 Phase 2 (cross-repo, 2026-05-22) — black-box probe revealed Region is the lone hold-out using verbose `latitude`/`longitude` while every other coord field across the API uses OSM-standard `lat`/`lon` / `z/x/y`
+
+## Scope
+
+Rename the JSON wire-format fields on `RequestRegionRequest` from verbose `latitude`/`longitude` to OSM-standard short `lat`/`lon`. Mirror of **AZ-794** (which did the same for the inventory endpoint's `tileZoom/tileX/tileY` → `z/x/y`). This is a **breaking wire-format change**.
+
+Originating discovery: gps-denied-onboard AZ-777 Phase 2 black-box probe (2026-05-22). The consumer probed `POST /api/satellite/request` with `{"lat":49.94,"lon":36.31,...}` (OSM convention, matching the slippy-map URL `/tiles/{z}/{x}/{y}` and the Route endpoint's `RoutePoint`/`GeoPoint` DTOs which already use `lat`/`lon`). The producer rejected with HTTP 400 — the Region endpoint is the lone hold-out using verbose `latitude`/`longitude`.
+
+Jira AZ-812 is the authoritative spec; this file mirrors the in-workspace-only sections.
+
+## Why this matters
+
+Current state — satellite-provider's coord-naming surface is **internally inconsistent**:
+
+| Endpoint / DTO | Field names | Source |
+|---|---|---|
+| `GET /tiles/{z}/{x}/{y}` | `z`, `x`, `y` | URL path — OSM slippy-map standard |
+| `POST /api/satellite/tiles/inventory` body | `z`, `x`, `y` | AZ-794 (cycle 7) |
+| `POST /api/satellite/route` → `RoutePoint` | `lat`, `lon` | `[JsonPropertyName("lat")]` already in DTO |
+| `POST /api/satellite/route` → `GeoPoint` | `lat`, `lon` | `[JsonPropertyName("lat")]` already in DTO |
+| `POST /api/satellite/request` body | `latitude`, `longitude` | **← the outlier this ticket fixes** |
+
+After this rename, every coord field in every satellite-provider request body uses the OSM short form. Consumers can rely on one naming convention end-to-end.
+
+A secondary issue surfaced by the same probe — the Route endpoint's **response** echoes points as `latitude`/`longitude` even though the request shape uses `lat`/`lon` (input/output asymmetry on the same DTO round-trip). This task **does not** fix that (it's the Route DTO's response shape, not the Region request). Surfaced as AZ-809 AC-10 advisory for a separate follow-up if parent-suite team confirms it's a bug.
+
+## Endpoint surface
+
+`POST /api/satellite/request`
+
+Before (current):
+
+```json
+{
+  "id": "<guid>",
+  "latitude": 49.94,
+  "longitude": 36.31,
+  "sizeMeters": 200,
+  "zoomLevel": 18,
+  "stitchTiles": false
+}
+```
+
+After:
+
+```json
+{
+  "id": "<guid>",
+  "lat": 49.94,
+  "lon": 36.31,
+  "sizeMeters": 200,
+  "zoomLevel": 18,
+  "stitchTiles": false
+}
+```
+
+## Implementation
+
+1. Modify `SatelliteProvider.Common/DTO/RequestRegionRequest.cs`:
+   - Rename C# properties: `Latitude` → `Lat`, `Longitude` → `Lon`.
+   - Add `[JsonPropertyName("lat")]` / `[JsonPropertyName("lon")]` so the wire format is unambiguous even if anyone later reads the camelCase defaults.
+2. Find all references via `git grep -w 'Latitude\|Longitude' SatelliteProvider.*/` — update C# usages in:
+   - `SatelliteProvider.Services/RegionService.cs` (or wherever the handler unpacks the DTO).
+   - `SatelliteProvider.IntegrationTests/RegionTests.cs` + `SatelliteProvider.IntegrationTests/Models.cs`.
+   - Any other test fixtures / mocks.
+3. Update the OpenAPI spec snapshot test (if one exists).
+4. Update producer documentation:
+   - `_docs/02_document/modules/common_dtos.md::RegionRequest` — update field-name listing.
+   - `_docs/02_document/modules/api_program.md::RequestRegion Handler` — update example body.
+   - `_docs/02_document/system-flows.md::F2 Region Request Flow` — update example body.
+5. The new `_docs/02_document/contracts/api/region-request.md` (to be created by AZ-808) MUST use the post-rename field names. Coordinate with AZ-808 implementer: if AZ-808 lands first, the contract starts at v1.0.0 with `latitude/longitude`, then this task bumps to v2.0.0 with `lat/lon`. If this task lands first, AZ-808's contract starts at v1.0.0 with `lat/lon` directly.
+
+## Acceptance criteria
+
+**AC-1**: `RequestRegionRequest` DTO uses `Lat` / `Lon` (C#) + `[JsonPropertyName("lat")]` / `[JsonPropertyName("lon")]`.
+
+**AC-2**: Wire format is `{"lat":..,"lon":..}` end-to-end (request body, OpenAPI schema, docs, all integration tests).
+
+**AC-3**: `RegionTests.cs` happy-path tests pass against the new wire format.
+
+**AC-4**: Manual `curl` probe with `{"id":"<guid>","lat":49.94,"lon":36.31,"sizeMeters":200,"zoomLevel":18,"stitchTiles":false}` returns HTTP 200 + valid regionId; old `{"latitude":..,"longitude":..}` returns HTTP 400 with `UnmappedMemberHandling.Disallow` rejecting the unknown fields.
+
+**AC-5**: Docs updated: `common_dtos.md`, `api_program.md`, `system-flows.md` (F2).
+
+**AC-6**: If `region-request.md` contract doc exists at the time this task lands (AZ-808 already shipped), bump v1.0.0 → v2.0.0 with a change-log entry naming AZ-812. If `region-request.md` does NOT yet exist (AZ-808 still in flight), coordinate so AZ-808 publishes v1.0.0 directly with the new names — then this task only needs to land the code + non-contract docs.
+
+## Coordination with sibling tickets
+
+- **AZ-794** (inventory rename): same pattern, same justification. Recommended to follow the same hard-switch rollout strategy AZ-794 used.
+- **AZ-808** (region validation): hard coordination point. Pick the ordering during planning — either ship this first so AZ-808 writes validators against the final names, or ship together as a coordinated release.
+- **AZ-777 Phase 2** (gps-denied-onboard consumer): the consumer adapter for Region API will be written against the final names — prefer this ticket lands first or co-ships with AZ-808 so the consumer doesn't have to migrate twice.
+- **Follow-up (not in scope)**: the Route endpoint's input/output point-shape asymmetry (input `lat`/`lon`, output `latitude`/`longitude`). Tracked as AZ-809 AC-10 advisory; file separately if parent-suite team confirms.
+
+## Constraints
+
+- **Breaking wire-format change** — same risk profile as AZ-794. Known consumer set: gps-denied-onboard (AZ-777 Phase 2 — will adapt before first integration). Other consumers TBD.
+- Coordinate with AZ-808 to avoid validator code being written against the wrong names.
+- No regression in `RegionTests.cs` happy-path coverage.
+
+## References
+
+- Jira AZ-812: https://denyspopov.atlassian.net/browse/AZ-812
+- Mirror of: AZ-794 (inventory body-field rename)
+- Hard coordination with: AZ-808 (region validator)
+- Parent epic context: AZ-795 (validation epic provides the `UnmappedMemberHandling.Disallow` infra that makes this rename safely diagnosable on the consumer side)
+- Originating probe: gps-denied-onboard AZ-777 Phase 2 black-box probe of Region API (2026-05-22)
+- Current DTO: `SatelliteProvider.Common/DTO/RequestRegionRequest.cs`
+- Sibling DTOs already using lat/lon: `SatelliteProvider.Common/DTO/RoutePoint.cs`, `SatelliteProvider.Common/DTO/GeoPoint.cs`

_docs/03_implementation/batch_01_cycle8_report.md

@@ -0,0 +1,51 @@
+# Batch Report
+
+**Batch**: 01 (cycle 8)
+**Tasks**: AZ-812 (Region API field rename Latitude/Longitude → Lat/Lon, OSM convention)
+**Date**: 2026-05-22
+
+## Task Results
+
+| Task | Status | Files Modified | Tests | AC Coverage | Issues |
+|------|--------|---------------|-------|-------------|--------|
+| AZ-812_region_field_rename_to_osm | Done | 11 files (1 new) | smoke pass (mode=smoke, exit 0) | 6/6 ACs covered | 1 Low (DRY in test helper) |
+
+## AC Test Coverage: All covered (6/6)
+
+| AC | Coverage |
+|----|----------|
+| AC-1 | DTO `RequestRegionRequest` uses `Lat`/`Lon` + `[JsonPropertyName("lat"/"lon")]` — verified by reading `SatelliteProvider.Common/DTO/RequestRegionRequest.cs`. |
+| AC-2 | Wire format `{"lat":..,"lon":..}` end-to-end — exercised by `RegionFieldRenameTests.NewLatLonFormat_Returns200`, `RegionTests.RunRegionProcessingTest_*` (200m/400m/500m), `IdempotentPostTests`, `SecurityTests`, `scripts/run-performance-tests.sh` PT-03..PT-07. |
+| AC-3 | `RegionTests.cs` happy-path tests pass against the new wire format — confirmed by smoke (`RegionTests.RunRegionProcessingTest_200m_Zoom18` green). |
+| AC-4 | Old `{"latitude":..,"longitude":..}` returns HTTP 400 with `UnmappedMemberHandling.Disallow` — `RegionFieldRenameTests.OldLatitudeLongitudeFormat_Returns400` exercises this; smoke green. New `{"lat":..,"lon":..}` returns HTTP 200 — `RegionFieldRenameTests.NewLatLonFormat_Returns200`; smoke green. |
+| AC-5 | Docs updated: `_docs/02_document/modules/common_dtos.md` (added `RequestRegionRequest` section, disambiguated `RegionRequest` as internal queue type), `_docs/02_document/modules/api_program.md` (relocated `RequestRegionRequest` from Local Records to `Common/DTO`), `_docs/02_document/system-flows.md::F2` (verified — already used `lat, lon`). |
+| AC-6 | `_docs/02_document/contracts/api/region-request.md` does NOT yet exist — AZ-808 (region validator, queued for Batch 2) will publish v1.0.0 directly with the post-rename `lat`/`lon` names per the spec's coordination clause. No version bump needed here. |
+
+## Code Review Verdict: PASS_WITH_WARNINGS
+See `_docs/03_implementation/reviews/batch_01_cycle8_review.md` for the single Low finding (test-helper DRY).
+
+## Auto-Fix Attempts: 0
+## Stuck Agents: None
+
+## Files Modified
+
+| Path | Kind |
+|------|------|
+| `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` | DTO rename + JsonPropertyName |
+| `SatelliteProvider.Api/Program.cs` | Handler property access |
+| `SatelliteProvider.IntegrationTests/Models.cs` | Test-side DTO mirror |
+| `SatelliteProvider.IntegrationTests/RegionTests.cs` | Happy-path uses Lat/Lon |
+| `SatelliteProvider.IntegrationTests/IdempotentPostTests.cs` | JSON payload lat/lon |
+| `SatelliteProvider.IntegrationTests/SecurityTests.cs` | JSON payload lat/lon |
+| `SatelliteProvider.IntegrationTests/RegionFieldRenameTests.cs` | **NEW** — AC-4 positive + negative |
+| `SatelliteProvider.IntegrationTests/Program.cs` | Wire RegionFieldRenameTests into smoke + full suites |
+| `scripts/run-performance-tests.sh` | PT-03/04/05/07 JSON bodies → lat/lon |
+| `_docs/02_document/modules/common_dtos.md` | Documentation |
+| `_docs/02_document/modules/api_program.md` | Documentation |
+
+## Tracker
+
+- AZ-812: To Do → **In Progress** (set at Batch 1 start) → **In Testing** (set at Batch 1 commit, post-smoke).
+
+## Next Batch
+Batch 2: AZ-811 + AZ-808 — lat/lon GET endpoint validator (AZ-811) + region-request validator (AZ-808). AZ-808's contract doc `region-request.md` will be published at v1.0.0 with `lat`/`lon` per AZ-812's coordination clause.

_docs/03_implementation/batch_02_cycle8_report.md

@@ -0,0 +1,106 @@
+# Batch Report
+
+**Batch**: 02 (cycle 8)
+**Tasks**: AZ-808 (Region POST strict validation) + AZ-811 (lat/lon GET strict validation)
+**Date**: 2026-05-22
+
+## Task Results
+
+| Task | Status | Files Modified | Tests | AC Coverage | Issues |
+|------|--------|---------------|-------|-------------|--------|
+| AZ-808_region_endpoint_validation | Done | 10 files (4 new) | smoke pass (mode=smoke, exit 0); 10 integration tests added | 8/8 ACs covered | none |
+| AZ-811_latlon_get_endpoint_validation | Done | 19 files (8 new) | smoke pass; 8 integration tests + 4 filter unit tests + 9 validator unit tests added | 9/9 ACs covered | 1 Info (nullable DTO rationale, documented) |
+
+## AC Test Coverage
+
+### AZ-808 (8/8 ACs)
+| AC | Coverage |
+|----|----------|
+| AC-1 | `RegionRequestValidator` exists at `SatelliteProvider.Api/Validators/RegionRequestValidator.cs` with rules for `id` (non-empty), `lat` (`[-90, 90]`), `lon` (`[-180, 180]`), `sizeMeters` (`[100, 10000]`), `zoomLevel` (`[0, 22]`). |
+| AC-2 | Happy path: `RegionRequestValidationTests.HappyPath_Returns200` returns HTTP 200. Smoke green. |
+| AC-3 | Wired via `.WithValidation<RequestRegionRequest>()` in `Program.cs` MapPost chain. |
+| AC-4 | `RequestRegionRequest` has `[JsonRequired]` on every property (id, lat, lon, sizeMeters, zoomLevel, stitchTiles); missing-required produces `errors[]` via `GlobalExceptionHandler`'s `JsonException` path. Tested by `MissingId_Returns400` and `MissingStitchTiles_Returns400`. |
+| AC-5 | Unit tests `SatelliteProvider.Tests/Validators/RegionRequestValidatorTests.cs` — 11 methods covering each rule with positive + negative cases. |
+| AC-6 | Integration tests `SatelliteProvider.IntegrationTests/RegionRequestValidationTests.cs` — 10 methods covering happy + 9 failure modes; all green in smoke. |
+| AC-7 | New contract `_docs/02_document/contracts/api/region-request.md` v1.0.0 published. References `error-shape.md` v1.0.0 for 400 body shape. |
+| AC-8 | Probe script `scripts/probe_region_validation.sh` covers happy + each failure mode via curl. |
+
+### AZ-811 (9/9 ACs)
+| AC | Coverage |
+|----|----------|
+| AC-1 | 5 validations enforced: lat/lon/zoom range (validator), unknown-key (envelope filter), type-mismatch (model binder via `GlobalExceptionHandler`). All produce HTTP 400 + ValidationProblemDetails per `error-shape.md` v1.0.0. |
+| AC-2 | Happy path: `GetTileByLatLonValidationTests.HappyPath_Returns200` returns HTTP 200 + `DownloadTileResponse`. Smoke green. |
+| AC-3 | `GetTileByLatLonQueryValidator` lives at `SatelliteProvider.Api/Validators/`; unit tests cover 9 methods (3 per RuleFor + 3 null cases). |
+| AC-4 | Integration tests cover 8 methods: happy + 3 range + 1 missing + 2 unknown (legacy + hostile) + 1 type-mismatch. |
+| AC-5 | New contract `_docs/02_document/contracts/api/tile-latlon.md` v1.0.0 published. References `error-shape.md` v1.0.0 + `tile-inventory.md` v2.0.0. |
+| AC-6 | `_docs/02_document/modules/api_program.md::GetTileByLatLon Handler` updated; references the validator + new contract + the envelope filter ordering. |
+| AC-7 | OpenAPI: `.Accepts<>` not needed for GET; `.Produces<DownloadTileResponse>(200)` + `.ProducesProblem(400)` declared on the endpoint chain. Swagger `ParameterDescriptionFilter` updated to describe lat/lon/zoom (post-rename). |
+| AC-8 | Probe script `scripts/probe_latlon_validation.sh` covers happy + missing-lat/lon/zoom + 3 out-of-range + 3 unknown-key + 1 type-mismatch = 11 probes. |
+| AC-9 | `RejectUnknownQueryParamsEndpointFilter` documented in `_docs/02_document/modules/api_program.md::Api/Validators` as a reusable component for the next query-param endpoint. |
+
+## Code Review Verdict: PASS_WITH_NOTES
+See `_docs/03_implementation/reviews/batch_02_cycle8_review.md` for the single Info finding (nullable DTO rationale, documented in code + doc).
+
+## Auto-Fix Attempts: 1 (mid-batch)
+- AZ-811 initially used non-nullable types on `GetTileByLatLonQuery`. The first smoke run uncovered the failing case `UnknownQueryParam_LegacyLatitude_Returns400`: minimal-API binding threw `BadHttpRequestException` for missing `lat` BEFORE the envelope filter could run, producing a plain `ProblemDetails` (no `errors{}` envelope) — a spec-AC violation.
+- Root-cause investigation via diagnostic instrumentation (`Console.Error.WriteLine` in the filter + `Console.WriteLine` of the raw body in the failing test) confirmed the binder short-circuit before the filter.
+- Fix: nullable types on the DTO + `NotNull` + `CascadeMode.Stop` in the validator + `.Value` dereference in the handler. Rationale documented in `GetTileByLatLonQuery.cs` and `api_program.md::Api/DTOs`.
+- Smoke re-run after fix: all green (no skipped tests, no flakes).
+
+## Stuck Agents: None
+
+## Files Modified
+
+### AZ-808
+| Path | Kind |
+|------|------|
+| `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` | `[JsonRequired]` on every property + removed implicit defaults |
+| `SatelliteProvider.Api/Validators/RegionRequestValidator.cs` | **NEW** |
+| `SatelliteProvider.Api/Program.cs` | `.WithValidation<RequestRegionRequest>()` + removed inline size check |
+| `SatelliteProvider.Tests/Validators/RegionRequestValidatorTests.cs` | **NEW** |
+| `SatelliteProvider.IntegrationTests/RegionRequestValidationTests.cs` | **NEW** |
+| `SatelliteProvider.IntegrationTests/Program.cs` | Wired into smoke + full suites |
+| `scripts/probe_region_validation.sh` | **NEW** |
+| `_docs/02_document/contracts/api/region-request.md` | **NEW** v1.0.0 |
+| `_docs/02_document/modules/api_program.md` | RequestRegion handler description |
+| `_docs/02_document/system-flows.md` | F2 description |
+
+### AZ-811
+| Path | Kind |
+|------|------|
+| `SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs` | **NEW** (nullable record) |
+| `SatelliteProvider.Api/Validators/GetTileByLatLonQueryValidator.cs` | **NEW** |
+| `SatelliteProvider.Api/Validators/RejectUnknownQueryParamsEndpointFilter.cs` | **NEW** (reusable) |
+| `SatelliteProvider.Api/Program.cs` | Endpoint filter + .WithValidation + handler signature + .Value deref |
+| `SatelliteProvider.Api/Swagger/ParameterDescriptionFilter.cs` | lat/lon/zoom descriptions |
+| `SatelliteProvider.Tests/Validators/GetTileByLatLonQueryValidatorTests.cs` | **NEW** (9 methods) |
+| `SatelliteProvider.Tests/Validators/RejectUnknownQueryParamsEndpointFilterTests.cs` | **NEW** (4 methods) |
+| `SatelliteProvider.IntegrationTests/GetTileByLatLonValidationTests.cs` | **NEW** (8 methods) |
+| `SatelliteProvider.IntegrationTests/TileTests.cs` | URL `?lat=&lon=&zoom=` |
+| `SatelliteProvider.IntegrationTests/JwtIntegrationTests.cs` | `ProtectedTilesPath` const |
+| `SatelliteProvider.IntegrationTests/SecurityTests.cs` | SQLi probe URL |
+| `SatelliteProvider.IntegrationTests/Program.cs` | Wired into smoke + full suites |
+| `scripts/probe_latlon_validation.sh` | **NEW** |
+| `scripts/run-performance-tests.sh` | PT-01 URL update |
+| `README.md` | Endpoint example |
+| `_docs/02_document/contracts/api/tile-latlon.md` | **NEW** v1.0.0 |
+| `_docs/02_document/modules/api_program.md` | Handler + Api/Validators + Api/DTOs |
+| `_docs/02_document/modules/common_uuidv5.md` | Example URL |
+| `_docs/02_document/system-flows.md` | F1 description |
+| `_docs/02_document/tests/blackbox-tests.md` | BT-01/N01/N02/18 triggers |
+| `_docs/02_document/tests/security-tests.md` | SEC-01/05 triggers |
+
+### Shared
+| Path | Kind |
+|------|------|
+| `SatelliteProvider.IntegrationTests/ProblemDetailsAssertions.cs` | Promoted `AssertErrorsContainsMention` to shared helper (closes batch-1 DRY warning) |
+| `SatelliteProvider.IntegrationTests/TileInventoryValidationTests.cs` | Use shared helper |
+| `SatelliteProvider.IntegrationTests/RegionFieldRenameTests.cs` | Use shared helper |
+
+## Tracker
+
+- AZ-808: To Do → In Progress (batch 2 start) → **In Testing** (post-smoke).
+- AZ-811: To Do → In Progress (batch 2 start) → **In Testing** (post-smoke).
+
+## Next Batch
+Batch 3: AZ-809 — route-creation validator (3 DTOs, cross-field constraint: regionSizeMeters covers geofence overlap). Spec calls for a slightly more complex pattern than batch-2 because the validator has to inspect three child DTOs (route metadata + intermediate-points policy + geofence array).

_docs/03_implementation/batch_03_cycle8_report.md

@@ -0,0 +1,67 @@
+# Batch Report
+
+**Batch**: 03 (cycle 8)
+**Tasks**: AZ-809 (POST /api/satellite/route strict validation)
+**Date**: 2026-05-22
+
+## Task Results
+
+| Task | Status | Files Modified | Tests | AC Coverage | Issues |
+|------|--------|---------------|-------|-------------|--------|
+| AZ-809_route_endpoint_validation | Done | 18 files (8 new) | smoke pass (mode=smoke, exit 0); 16 integration tests + 26 validator unit tests added | 9/9 ACs covered | 1 Low (in-flight `OverridePropertyName` on deep expression — root-caused, documented, captured as advisory) |
+
+## AC Test Coverage (9/9 ACs)
+
+| AC | Coverage |
+|----|----------|
+| AC-1 | All 14 documented rules enforced. Deserializer: missing `[JsonRequired]` axes (`id`, `name`, `regionSizeMeters`, `zoomLevel`, `points`, `requestMaps`, `createTilesZip`, per-point `lat`/`lon`, per-polygon `northWest`/`southEast`, per-corner `lat`/`lon`, `geofences.polygons`) + unknown-field rejection + type-mismatch. FluentValidation: non-zero `id`, name+description length, `regionSizeMeters` ∈ \[100, 10000\], `zoomLevel` ∈ \[0, 22\], `points` count ∈ \[2, 500\], per-point lat/lon ranges, per-polygon NW-of-SE invariants, cross-field `createTilesZip ⇒ requestMaps`. Each rule has at least one positive + one negative integration test. |
+| AC-2 | Happy path: `CreateRouteValidationTests.HappyPath_Returns200` (well-formed body, requestMaps=false → no background side effects) returns HTTP 200. Smoke green. |
+| AC-3 | Wired via `.WithValidation<CreateRouteRequest>()` + `.Accepts<>` + `.Produces<>` + `.ProducesProblem(400)` in `Program.cs` MapPost chain. |
+| AC-4 | `[JsonRequired]` added to every non-optional axis on `CreateRouteRequest`, `RoutePoint`, `Geofences`, `GeofencePolygon`, `GeoPoint`. Tested by `EmptyBody_Returns400`, `MissingId_Returns400`, `MissingRequestMaps_Returns400`, and the nested type-mismatch `PointsLatTypeMismatch_Returns400`. |
+| AC-5 | Unit tests in `SatelliteProvider.Tests/Validators/` — `CreateRouteRequestValidatorTests.cs` (16 methods), `RoutePointValidatorTests.cs` (4 methods), `GeofencePolygonValidatorTests.cs` (6 methods). Cover each rule with positive + negative cases. |
+| AC-6 | Integration tests `SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs` — 16 methods covering happy path + 15 failure modes (one per rule); all green in smoke. |
+| AC-7 | New contract `_docs/02_document/contracts/api/route-creation.md` v1.0.0 published. References `error-shape.md` v1.0.0 + the nested DTO chain. Documents the `RoutePoint` (input `lat`/`lon`) vs `RoutePointDto` (output `latitude`/`longitude`) naming asymmetry as an advisory. |
+| AC-8 | Probe script `scripts/probe_route_validation.sh` covers happy + each failure mode via `curl`. |
+| AC-9 | `CreateRouteRequestValidator` chains `RoutePointValidator` (via `RuleForEach`) and `GeofencePolygonValidator` (via `RuleForEach` inside `When(Geofences is not null)`). Cross-field invariants on the root (`createTilesZip ⇒ requestMaps`) and per-polygon (`NW.Lat > SE.Lat`, `NW.Lon < SE.Lon`). Defence-in-depth: the legacy `RouteValidator` in `SatelliteProvider.Services.RouteManagement` still runs in the service layer as a backstop; advisory clean-up documented in `route-creation.md`. |
+
+## Code Review Verdict: PASS_WITH_NOTES
+See `_docs/03_implementation/reviews/batch_03_cycle8_review.md` for the single Low finding (deep-expression `OverridePropertyName`, root-caused and documented inline).
+
+## Auto-Fix Attempts: 1 (mid-batch)
+- Initial `RoutePointValidator` used `OverridePropertyName("lat")` BEFORE `.InclusiveBetween()`. Build failed with `CS0411: cannot infer type arguments for OverridePropertyName<T, TProperty>` because FluentValidation's `OverridePropertyName` extension is defined on `IRuleBuilderOptions<T, TProperty>` — the type only becomes inferable after the first concrete rule (which supplies `TProperty`). Reordered to chain after `InclusiveBetween().WithMessage(...).OverridePropertyName(...)`. Documented in-file so the chain order is not "simplified" by a future reader.
+- Initial `CreateRouteRequestValidator` used `RuleFor(req => req.Geofences!.Polygons)` and `RuleForEach(req => req.Geofences!.Polygons)` without `OverridePropertyName`. Smoke run unit tests failed: error keys came out as `polygons` and `polygons[0].northWest` (leaf-only), not the full wire path `geofences.polygons` / `geofences.polygons[0].northWest`. Root cause: FluentValidation's default property-name policy drops the parent on deep member expressions. Fix: chain `.OverridePropertyName("geofences.polygons")` on both `RuleFor` and `RuleForEach` rules; documented inline. Smoke re-run after fix: all green.
+
+## Stuck Agents: None
+
+## Files Modified
+
+### AZ-809 (route-creation validator)
+| Path | Kind |
+|------|------|
+| `SatelliteProvider.Common/DTO/CreateRouteRequest.cs` | `[JsonRequired]` on id/name/regionSizeMeters/zoomLevel/points/requestMaps/createTilesZip |
+| `SatelliteProvider.Common/DTO/RoutePoint.cs` | `[JsonRequired]` on Latitude/Longitude |
+| `SatelliteProvider.Common/DTO/GeofencePolygon.cs` | `[JsonRequired]` on NorthWest/SouthEast in `GeofencePolygon`; `[JsonRequired]` on `Polygons` in `Geofences` |
+| `SatelliteProvider.Common/DTO/GeoPoint.cs` | `[JsonRequired]` on Lat/Lon |
+| `SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs` | **NEW** — root validator with `RuleForEach` chaining + `OverridePropertyName` on the geofences chain |
+| `SatelliteProvider.Api/Validators/RoutePointValidator.cs` | **NEW** — per-point lat/lon range; `OverridePropertyName("lat"/"lon")` aligns error keys with the wire format |
+| `SatelliteProvider.Api/Validators/GeofencePolygonValidator.cs` | **NEW** — per-polygon corner range checks + NW-of-SE invariants |
+| `SatelliteProvider.Api/Program.cs` | `.WithValidation<CreateRouteRequest>()` + `.Accepts<>` + `.Produces<>` + `.ProducesProblem(400)` on the route POST endpoint |
+| `SatelliteProvider.Tests/Validators/CreateRouteRequestValidatorTests.cs` | **NEW** — 16 unit tests |
+| `SatelliteProvider.Tests/Validators/RoutePointValidatorTests.cs` | **NEW** — 4 unit tests |
+| `SatelliteProvider.Tests/Validators/GeofencePolygonValidatorTests.cs` | **NEW** — 6 unit tests |
+| `SatelliteProvider.IntegrationTests/CreateRouteValidationTests.cs` | **NEW** — 16 integration tests (happy + 15 failure modes) |
+| `SatelliteProvider.IntegrationTests/Program.cs` | Wired into smoke + full suites |
+| `scripts/probe_route_validation.sh` | **NEW** — curl probes for every failure mode + happy path |
+| `_docs/02_document/contracts/api/route-creation.md` | **NEW** v1.0.0 — contract doc with nested DTO chain + test-cases table |
+| `_docs/02_document/modules/api_program.md` | CreateRoute handler + Api/Validators (added AZ-809 section) |
+| `_docs/02_document/modules/common_dtos.md` | DTO descriptions updated with `[JsonRequired]` annotations |
+| `_docs/02_document/system-flows.md` | F4 (Route Creation) sequence diagram + Preconditions + Error Scenarios |
+| `_docs/02_document/tests/blackbox-tests.md` | BT-06 wire format clarification; BT-N03/BT-N04/BT-N05 references AZ-809 + error-shape contract |
+| `_docs/02_document/tests/security-tests.md` | SEC-04 references AZ-809 + GlobalExceptionHandler path |
+
+## Tracker
+
+- AZ-809: To Do → In Progress (batch 3 start) → **In Testing** (post-smoke).
+
+## Next Batch
+Batch 4: AZ-810 — UAV upload metadata validator (multipart envelope). The envelope shape is different from batch 2/3 (multipart vs JSON body), so the validator wiring is via the existing per-item `IUavTileQualityGate` + a new envelope-level FluentValidation rule set on `UavTileBatchMetadataPayload`. Defer non-trivial design choices (whether to keep the cycle-2 in-handler envelope checks as-is or migrate them) to the implementation step.

_docs/03_implementation/batch_04_cycle8_report.md

@@ -0,0 +1,78 @@
+# Batch Report
+
+**Batch**: 04 (cycle 8)
+**Tasks**: AZ-810 (POST /api/satellite/upload strict metadata validation, multipart envelope)
+**Date**: 2026-05-23
+
+## Task Results
+
+| Task | Status | Files Modified | Tests | AC Coverage | Issues |
+|------|--------|---------------|-------|-------------|--------|
+| AZ-810_upload_metadata_validation | Done | 12 files (5 new) | 13 validator unit tests + 16 integration tests added; full integration-test pass deferred to autodev Step 11 (Run Tests) | 9/9 ACs covered | 2 Low (DRY in test helpers — `FixedTimeProvider`, `PostBatch`); 1 Info (metadata-key wire shape, documented) |
+
+## AC Test Coverage (9/9 ACs)
+
+| AC | Coverage |
+|----|----------|
+| AC-1 | All 14 documented rules enforced. **Deserializer (rules 1, 12, 13, 14)**: `[JsonRequired]` on `UavTileMetadata.{Latitude, Longitude, TileZoom, TileSizeMeters, CapturedAt}` + `UavTileBatchMetadataPayload.Items` (missing axes); `UnmappedMemberHandling.Disallow` from cycle-7 (unknown root + nested fields); `System.Text.Json` standard type coercion (malformed `flightId` UUID, nested type-mismatch). **Filter (rules 2, 3)**: `UavUploadValidationFilter` rejects missing `metadata` form field, malformed metadata JSON. **FluentValidation (rules 4, 5, 7-11)**: `UavTileBatchMetadataPayloadValidator` (items empty / over cap / per-item dispatch via `RuleForEach`) + `UavTileMetadataValidator` (lat/lon/tileZoom ranges, tileSizeMeters > 0, capturedAt freshness window). **Cross-field (rule 6)**: `items.Count == files.Count` enforced after the per-payload validator. Each rule has at least one positive + one negative integration test. |
+| AC-2 | Happy path: `UavUploadValidationTests.HappyPath_Returns200` (well-formed metadata + 1 valid file) returns HTTP 200. AZ-488 happy paths (`UavUploadTests.SingleItemValidJpeg_Returns200`, multi-item batch, multi-source upserts) all use metadata that passes the new validator — verified by tracing each AZ-488 payload against the new rules. Full integration-test run gating deferred to autodev Step 11. |
+| AC-3 | Validators in own files: `SatelliteProvider.Api/Validators/UavTileBatchMetadataPayloadValidator.cs` + `SatelliteProvider.Api/Validators/UavTileMetadataValidator.cs`. Unit tests in `SatelliteProvider.Tests/Validators/UavTileBatchMetadataPayloadValidatorTests.cs` (4 methods) + `SatelliteProvider.Tests/Validators/UavTileMetadataValidatorTests.cs` (9 methods) = 13 total (≥11 required). |
+| AC-4 | Integration tests in `SatelliteProvider.IntegrationTests/UavUploadValidationTests.cs` — 16 methods (≥13 required): happy + 15 failure modes covering rules 2-14 + AC-4-mandated nested type-mismatch. |
+| AC-5 | Contract `_docs/02_document/contracts/api/uav-tile-upload.md` bumped v1.1.0 → v1.2.0. New "Metadata validation" section enumerates all 14 rules, the three enforcement layers (deserializer / FluentValidation / cross-field), and the error-shape mapping. v1.2.0 changelog entry references AZ-810. |
+| AC-6 | `_docs/02_document/modules/api_program.md::POST /api/satellite/upload` endpoint description updated; `Api/Validators` section gained entries for `UavTileBatchMetadataPayloadValidator`, `UavTileMetadataValidator`, `UavUploadValidationFilter`; `Common/DTO (AZ-488)` updated to note `[JsonRequired]` additions; DI Registration list gained the `UavUploadValidationFilter` transient registration. |
+| AC-7 | `[JsonRequired]` annotations on `UavTileMetadata` + `UavTileBatchMetadataPayload` propagate to Swashbuckle's OpenAPI as `required: [latitude, longitude, tileZoom, tileSizeMeters, capturedAt]` and `required: [items]`. Endpoint chain in `Program.cs` declares `.Accepts<UavTileBatchUploadRequest>("multipart/form-data")` + `.Produces<UavTileBatchUploadResponse>(200)` + `.ProducesProblem(400)`. Explicit OpenAPI range annotations omitted per existing project pattern (FluentValidation messages convey the range to API consumers via `ValidationProblemDetails.errors`). |
+| AC-8 | Probe script `scripts/probe_upload_validation.sh` — happy + 14 failure modes via `curl`. Reuses `probe_route_validation.sh` structure (JWT mint, status-code assertion, `--exit-on-fail` driver). |
+| AC-9 | No regression in AZ-488: validator rules align with the field shape AZ-488 tests send (`tileZoom = 18`, `tileSizeMeters = 200.0`, `capturedAt = UtcNow` or recent past, `items.Count ∈ [1, 100]`, no unknown fields). The defence-in-depth check (`IUavTileQualityGate` per-item rejects post-validator) is unchanged and still runs in the handler. **Step 11 caveat (resolved):** the integration test run exposed a latent bug in `UavUploadTests.NextTestCoordinate` — the pre-existing seed `(Ticks/TicksPerSecond) % 1_000_000` produced latitudes far above 90° (e.g. n=200_000 → lat=160), which previously slipped through silently (no validator, no DB constraint) but AZ-810 correctly rejects. Fixed in `UavUploadTests.cs` (clamped to lat ∈ [50,70), lon ∈ [10,40)) and `UavUploadValidationTests.cs` (clamped to lat ∈ [-70,-50), lon ∈ [-40,-10) — non-overlapping range for per-source UNIQUE-index safety). No production code change; AZ-810 validator behaviour unchanged. |
+
+## Code Review Verdict: PASS_WITH_WARNINGS
+
+See `_docs/03_implementation/reviews/batch_04_cycle8_review.md` for the two Low findings (test-helper DRY: `FixedTimeProvider` duplicated across 4 test files; `PostBatch` duplicated across 2 integration suites) and one Info finding (metadata-key wire shape).
+
+## Cumulative Code Review: PASS_WITH_WARNINGS
+
+See `_docs/03_implementation/cumulative_review_batches_01-04_cycle8_report.md` for the cycle-8 cross-batch consistency check. The cumulative scan surfaced no new finding categories beyond the per-batch reviews; the cycle-8 implementation phase is approved for closure.
+
+## Auto-Fix Attempts: 0
+
+No mid-batch failures required auto-fix. The validator + filter design was straightforward because cycle 8 batches 02 + 03 had already established the wiring pattern (`.WithValidation<T>()` for JSON bodies; cycle-7 GlobalExceptionHandler for deserializer failures) — AZ-810's only novel surface was the multipart endpoint filter, which composed cleanly with the existing infrastructure.
+
+## Stuck Agents: None
+
+## Files Modified
+
+### AZ-810 (UAV upload validator + multipart filter)
+
+| Path | Kind |
+|------|------|
+| `SatelliteProvider.Common/DTO/UavTileMetadata.cs` | `[JsonRequired]` on `Latitude`/`Longitude`/`TileZoom`/`TileSizeMeters`/`CapturedAt` (`UavTileMetadata` record) and `Items` (`UavTileBatchMetadataPayload` record). `FlightId` stays nullable per AZ-503 anonymous-flight semantics. File-comment block updated with the AZ-810 rationale. |
+| `SatelliteProvider.Api/Validators/UavTileBatchMetadataPayloadValidator.cs` | **NEW** — root validator: `Items` NotNull + NotEmpty + `Must(<= MaxBatchSize)` + `RuleForEach.SetValidator(new UavTileMetadataValidator(...))`. TimeProvider threaded through to the per-item validator. |
+| `SatelliteProvider.Api/Validators/UavTileMetadataValidator.cs` | **NEW** — per-item validator: lat ∈ [-90, 90], lon ∈ [-180, 180], tileZoom ∈ [0, 22], tileSizeMeters > 0, capturedAt within `[now - MaxAgeDays, now + CapturedAtFutureSkewSeconds]`. `FlightId` deliberately not validated (shape-only via the deserializer). |
+| `SatelliteProvider.Api/Validators/UavUploadValidationFilter.cs` | **NEW** — `IEndpointFilter` for the multipart endpoint. Reads `metadata` form field, deserializes with the strict global `JsonSerializerOptions`, runs the validator, enforces `items.Count == files.Count`. FluentValidation errors prefixed with `metadata.` so the wire key is `metadata.items[0].latitude`. Manual ValidationProblemDetails on form-shape failures (missing form, missing field, malformed JSON, null payload). |
+| `SatelliteProvider.Api/Program.cs` | Registered `UavUploadValidationFilter` as transient (`AddTransient<UavUploadValidationFilter>()`); wired `.AddEndpointFilter<UavUploadValidationFilter>()` + `.Accepts<UavTileBatchUploadRequest>("multipart/form-data")` + `.Produces<UavTileBatchUploadResponse>(200)` + `.ProducesProblem(400)` onto the `MapPost("/api/satellite/upload", ...)` chain. Order: `RequireAuthorization` first, then `AddEndpointFilter`, then handler. Transient lifetime mirrors `RejectUnknownQueryParamsEndpointFilter` (each request gets a fresh instance; no shared mutable state to amortize). |
+| `SatelliteProvider.Tests/Validators/UavTileBatchMetadataPayloadValidatorTests.cs` | **NEW** — 4 unit tests covering: happy single-item, items NotEmpty, items count > MaxBatchSize, per-item failure propagation with indexed paths (`items[1].latitude`). |
+| `SatelliteProvider.Tests/Validators/UavTileMetadataValidatorTests.cs` | **NEW** — 9 unit tests covering: all valid → pass, lat out of range, lon out of range, tileZoom out of range, tileSizeMeters non-positive, capturedAt future, capturedAt too old, flightId null → pass, flightId set → pass. Uses local `FixedTimeProvider` (see review F1 for DRY follow-up). |
+| `SatelliteProvider.IntegrationTests/UavUploadValidationTests.cs` | **NEW** — 16 end-to-end tests against the live endpoint. Happy + 15 failure modes (rules 2-14 + AC-4 nested type-mismatch). Uses `ProblemDetailsAssertions.AssertValidationProblem` + `AssertErrorsContainsMention`. |
+| `SatelliteProvider.IntegrationTests/Program.cs` | Wired `UavUploadValidationTests.RunAll` into BOTH the `smoke` and the `full` suites (matches batch-2/3 cycle-8 pattern). |
+| `scripts/probe_upload_validation.sh` | **NEW** — bash + curl probe of happy + 14 failure modes. Reuses `probe_route_validation.sh` structure (JWT mint, status-code assertion driver). |
+| `_docs/02_document/contracts/api/uav-tile-upload.md` | Version bumped v1.1.0 → v1.2.0. New "Metadata validation" section (the 14 rules + 3 enforcement layers + error-shape mapping). Expanded "HTTP 400 — envelope error" section with the new failure shapes. v1.2.0 changelog entry. |
+| `_docs/02_document/modules/api_program.md` | `POST /api/satellite/upload` endpoint description updated; `Api/Validators` section gained 3 entries for the new files; `Common/DTO (AZ-488)` section gained a `[JsonRequired]` note; DI Registration list gained a `UavUploadValidationFilter` transient-registration entry. |
+
+## Tracker
+
+- AZ-810: To Do → **In Progress** (batch 4 start) → **In Testing** (post-implementation, post-cumulative-review, pre-commit). The full-suite run in autodev Step 11 will ratify the In-Testing transition before the cycle-8 implementation report seals the cycle.
+
+## Next Batch
+
+**None** — batch 4 was the final batch of cycle 8. Cycle 8's strict-validation theme is fully wrapped:
+
+| Endpoint | Validator | Cycle 8 batch |
+|----------|-----------|---------------|
+| `POST /api/satellite/request` | `RegionRequestValidator` | 02 (AZ-808) |
+| `POST /api/satellite/route` | `CreateRouteRequestValidator` + nested chain | 03 (AZ-809) |
+| `POST /api/satellite/upload` | `UavTileBatchMetadataPayloadValidator` + `UavUploadValidationFilter` | 04 (AZ-810) |
+| `GET /api/satellite/tiles/latlon` | `GetTileByLatLonQueryValidator` + `RejectUnknownQueryParamsEndpointFilter` | 02 (AZ-811) |
+| `POST /api/satellite/tiles/inventory` | `InventoryRequestValidator` (cycle 7) | — |
+| `GET /api/satellite/region/{id}` | (read-only by path Guid; strict-validation N/A) | — |
+| `GET /api/satellite/route/{id}` | (read-only by path Guid; strict-validation N/A) | — |
+
+Implement skill should hand back to autodev for Step 11 (Run Tests) → Step 12 (tracker transition) → Step 13 (archive) → cycle implementation report → Step 14 loop exit.

_docs/03_implementation/cumulative_review_batches_01-04_cycle8_report.md

@@ -0,0 +1,181 @@
+# Cumulative Code Review — Batches 01–04 cycle 8
+
+**Batch range**: 01-04 (cycle 8)
+**Cycle**: 8 (Strict input validation across all public API endpoints)
+**Date**: 2026-05-23
+**Verdict**: PASS_WITH_WARNINGS
+**Trigger**: Implement skill Step 14.5 (K=3 default → first cumulative review at batch 4 because the cycle ran 1→2→3→4 contiguously; review covers the full batch range since the cycle's first batch)
+
+## Scope
+
+| Batch | Tasks | Surfaces touched |
+|-------|-------|------------------|
+| 01 | AZ-812 | `SatelliteProvider.Common/DTO/RequestRegionRequest.cs`, `SatelliteProvider.Api/Program.cs`, `SatelliteProvider.IntegrationTests/{Models,RegionTests,IdempotentPostTests,SecurityTests,RegionFieldRenameTests,Program}.cs`, `scripts/run-performance-tests.sh`, `_docs/02_document/modules/{common_dtos,api_program}.md` |
+| 02 | AZ-808 + AZ-811 | `SatelliteProvider.Api/Validators/{RegionRequestValidator,GetTileByLatLonQueryValidator,RejectUnknownQueryParamsEndpointFilter}.cs` (NEW), `SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs` (NEW), `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` (`[JsonRequired]`), `SatelliteProvider.Api/{Program,Swagger/ParameterDescriptionFilter}.cs`, `SatelliteProvider.Tests/Validators/{RegionRequestValidatorTests,GetTileByLatLonQueryValidatorTests,RejectUnknownQueryParamsEndpointFilterTests}.cs` (NEW), `SatelliteProvider.IntegrationTests/{RegionRequestValidationTests,GetTileByLatLonValidationTests,ProblemDetailsAssertions,TileInventoryValidationTests,RegionFieldRenameTests,TileTests,JwtIntegrationTests,SecurityTests,Program}.cs`, `scripts/{probe_region_validation,probe_latlon_validation,run-performance-tests}.sh`, `README.md`, `_docs/02_document/contracts/api/{region-request,tile-latlon}.md` (NEW v1.0.0), `_docs/02_document/modules/{api_program,common_uuidv5}.md`, `_docs/02_document/{system-flows,tests/blackbox-tests,tests/security-tests}.md` |
+| 03 | AZ-809 | `SatelliteProvider.Common/DTO/{CreateRouteRequest,RoutePoint,GeofencePolygon,GeoPoint}.cs` (`[JsonRequired]`), `SatelliteProvider.Api/Validators/{CreateRouteRequestValidator,RoutePointValidator,GeofencePolygonValidator}.cs` (NEW), `SatelliteProvider.Api/Program.cs`, `SatelliteProvider.Tests/Validators/{CreateRouteRequestValidatorTests,RoutePointValidatorTests,GeofencePolygonValidatorTests}.cs` (NEW), `SatelliteProvider.IntegrationTests/{CreateRouteValidationTests,Program}.cs`, `scripts/probe_route_validation.sh` (NEW), `_docs/02_document/contracts/api/route-creation.md` (NEW v1.0.0), `_docs/02_document/modules/{api_program,common_dtos}.md`, `_docs/02_document/{system-flows,tests/blackbox-tests,tests/security-tests}.md` |
+| 04 | AZ-810 | `SatelliteProvider.Common/DTO/UavTileMetadata.cs` (`[JsonRequired]`), `SatelliteProvider.Api/Validators/{UavTileBatchMetadataPayloadValidator,UavTileMetadataValidator,UavUploadValidationFilter}.cs` (NEW), `SatelliteProvider.Api/Program.cs`, `SatelliteProvider.Tests/Validators/{UavTileBatchMetadataPayloadValidatorTests,UavTileMetadataValidatorTests}.cs` (NEW), `SatelliteProvider.IntegrationTests/{UavUploadValidationTests,Program}.cs`, `scripts/probe_upload_validation.sh` (NEW), `_docs/02_document/contracts/api/uav-tile-upload.md` (v1.1.0 → v1.2.0), `_docs/02_document/modules/api_program.md` |
+
+## Phase-by-Phase Summary (cumulative)
+
+### Phase 1: Context Loading
+
+The 4 batches share a coherent theme — **strict input validation across every public API endpoint**, anchored on the cycle-7 (`tile-inventory.md` v2.0.0 + `error-shape.md` v1.0.0 + `InventoryRequestValidator` + `GlobalExceptionHandler`) infrastructure. The cycle covers the full surface:
+
+| Endpoint | Method | Batch | Pattern | Result |
+|---------|--------|-------|---------|--------|
+| `POST /api/satellite/request` | JSON body | 02 (AZ-808) | `.WithValidation<RequestRegionRequest>()` | All inputs validated |
+| `POST /api/satellite/route` | JSON body | 03 (AZ-809) | `.WithValidation<CreateRouteRequest>()` + nested DTO chain | All inputs validated |
+| `POST /api/satellite/upload` | multipart | 04 (AZ-810) | `.AddEndpointFilter<UavUploadValidationFilter>()` | All inputs validated |
+| `GET /api/satellite/tiles/latlon` | query params | 02 (AZ-811) | `.WithValidation<GetTileByLatLonQuery>() + RejectUnknownQueryParamsEndpointFilter` | All inputs validated |
+| `POST /api/satellite/tiles/inventory` | JSON body | 07 (AZ-794+795+796) | `.WithValidation<TileInventoryRequest>()` | Pre-existing |
+| `GET /api/satellite/region/{id}` | path Guid | n/a | Framework Guid coercion | Reads only — strict-validation N/A by design |
+| `GET /api/satellite/route/{id}` | path Guid | n/a | Framework Guid coercion | Reads only — strict-validation N/A by design |
+
+AZ-812 (batch 1) was the prerequisite renaming work that aligned `Region` input wire to OSM `lat`/`lon` — the same convention every subsequent cycle-8 batch standardized on.
+
+### Phase 2: Spec Compliance
+
+| Batch | ACs claimed | ACs covered | Spec gaps |
+|-------|-------------|-------------|-----------|
+| 01 (AZ-812) | 6 | 6 | 0 |
+| 02 (AZ-808) | 8 | 8 | 0 |
+| 02 (AZ-811) | 9 | 9 | 0 |
+| 03 (AZ-809) | 9 | 9 | 0 |
+| 04 (AZ-810) | 9 | 9 | 0 |
+| **Total** | **41** | **41** | **0** |
+
+Cumulative AC pass rate: 100 % across 41 acceptance criteria. All published contracts (`region-request.md` v1.0.0, `tile-latlon.md` v1.0.0, `route-creation.md` v1.0.0, `uav-tile-upload.md` v1.2.0) are internally consistent with each other and with `error-shape.md` v1.0.0.
+
+### Phase 3: Code Quality (cumulative)
+
+**Validator file inventory** (cycle-8 additions):
+
+| File | Lines | RuleFor count | Cross-field rules | Status |
+|------|-------|---------------|-------------------|--------|
+| `RegionRequestValidator.cs` | ~45 | 6 | 0 | Clean, SRP |
+| `GetTileByLatLonQueryValidator.cs` | ~30 | 3 | 0 | Clean, SRP |
+| `RejectUnknownQueryParamsEndpointFilter.cs` | ~60 | n/a (filter, not validator) | n/a | Clean, reusable |
+| `CreateRouteRequestValidator.cs` | ~95 | 7 | 1 (createTilesZip ⇒ requestMaps) | Clean, RuleForEach chains |
+| `RoutePointValidator.cs` | ~40 | 2 | 0 | Clean (OverridePropertyName documented inline) |
+| `GeofencePolygonValidator.cs` | ~60 | 4 | 2 (NW-of-SE corners) | Clean, nested GeoCornerValidator |
+| `UavTileBatchMetadataPayloadValidator.cs` | ~50 | 3 + RuleForEach | 0 | Clean, SRP |
+| `UavTileMetadataValidator.cs` | ~60 | 5 | 0 | Clean (FlightId deliberate no-op documented inline) |
+| `UavUploadValidationFilter.cs` | ~120 | n/a (filter) | 1 (items.Count == files.Count) | Clean, SRP (parse → validate → cross-field) |
+
+**Consistency observations**:
+
+- All validators follow the cycle-7 pattern: file-private class, `AbstractValidator<T>`, `RuleFor` chains, `WithMessage(...)` carrying user-friendly text. Per-item `RuleForEach` uses `SetValidator(new ChildValidator(...))` consistently.
+- `[JsonRequired]` placement on the DTO is the cycle-8 standard for "the deserializer rejects missing axes". Five DTOs got the annotation across the cycle (`RequestRegionRequest`, `CreateRouteRequest`, `RoutePoint`, `GeofencePolygon`/`GeoPoint`, `UavTileMetadata`/`UavTileBatchMetadataPayload`).
+- `ArgumentNullException.ThrowIfNull` used consistently in validator constructors that take `IOptions<TConfig>`. Test fixtures supply test-only `Microsoft.Extensions.Options.Options.Create(new TConfig{...})`.
+- No silent error suppression in any of the cycle's new code (verified by grepping the new files for `catch`/`empty/`).
+- File-level XML/// comments are absent (project convention — DTOs and validators rely on filenames + brief in-file comment blocks). Where non-obvious decisions were made (`OverridePropertyName` ordering in `RoutePointValidator`, `FlightId` deliberate no-op in `UavTileMetadataValidator`, `metadata.` prefix in `UavUploadValidationFilter`), an inline comment captures the *why*.
+
+### Phase 4: Security Quick-Scan (cumulative)
+
+Cycle 8 is fundamentally a security cycle: it tightens every endpoint's input validation. Threat-model deltas:
+
+- **Attack surface reduced**: Every public endpoint now rejects unknown fields, type mismatches, and out-of-range values BEFORE the handler runs. `UnmappedMemberHandling.Disallow` (cycle 7) is now backed by per-endpoint FluentValidation rules at all four POST/upload endpoints + the one GET query-param endpoint. Pre-cycle-8, a hostile caller could send `{"latitude": 91, "extra": "fingerprint"}` to `POST /api/satellite/request` and the handler would either silently ignore the extra field or crash on the bad latitude (sensitive log info). Now the request is rejected at the filter layer with a stable ValidationProblemDetails body.
+- **DoS surface bounded**: Each list-bearing payload now has an explicit cap — `points.Count <= 500` (route), `items.Count <= 100` (UAV upload), `coords.Count <= 1000` (tile inventory, cycle 7). Multipart body size still bounded by Kestrel's `MaxRequestBodySize`.
+- **Fingerprinting reduced**: Unknown-field rejection (via `UnmappedMemberHandling.Disallow`) prevents attackers from probing for hidden fields. Every validator produces an identically-shaped `ValidationProblemDetails` so error responses don't leak server state.
+- **Auth model unchanged**: Cycle 8 did NOT change authn/authz — every endpoint retained its `RequireAuthorization(...)` chain. The validation filter runs AFTER authorization (no validator burns CPU for unauthenticated callers).
+- **No new secrets**: Verified via grep for the cycle's diff (no API keys, no connection strings, no JWT secrets in code).
+- **No new PII in logs**: Validators don't log payload contents. Exception handler logs only correlation IDs and exception types for 5xx, and for 4xx writes the ProblemDetails to the response body (caller's own input).
+
+Net effect: cycle 8 closes a meaningful class of input-handling defects without introducing new attack surface.
+
+### Phase 5: Performance Scan (cumulative)
+
+- Per-request overhead: each validator runs in microseconds (in-memory rule checks against record fields). Worst case is `CreateRouteRequest` with `points.Count = 500` × per-point validator = ~1 ms estimated. UAV upload at `items.Count = 100` × per-item validator = ~200 µs. Neither approaches the cost of the downstream DB ops or tile downloads.
+- Multipart endpoint: `UavUploadValidationFilter` calls `ReadFormAsync` once; the buffered form is reused by the downstream handler (ASP.NET caches `IFormCollection` on the request). Net cost: zero extra IO.
+- No N+1, no blocking I/O, no synchronous DB calls in any validator.
+- Pre-existing performance harness (`scripts/run-performance-tests.sh` PT-01..PT-07) was updated by AZ-812 (batch 1) to use the new `lat`/`lon` URL shape; PT thresholds were re-verified against the post-cycle-8 stack and remain green.
+
+### Phase 6: Cross-Task Consistency (cumulative)
+
+- **ProblemDetails / ValidationProblemDetails shape**: every cycle-8 endpoint produces the same RFC 7807 body per `error-shape.md` v1.0.0 — verified by both `ProblemDetailsAssertions.AssertValidationProblem` (status + title + errors object) and `AssertErrorsContainsMention` (substring-permissive match on either keys or messages). The shared helper was promoted to `ProblemDetailsAssertions.cs` in batch 2; batches 3 + 4 consume it without re-deriving local copies.
+- **Error key naming**: all four batches follow the camelCase JSON-path convention (per `error-shape.md` Inv-4). Nested collections use indexed paths (`items[0].latitude`, `points[1].lon`, `geofences.polygons[0].northWest`). Where FluentValidation's default key would diverge from the wire (e.g. `Latitude` C# vs `lat` wire), an `OverridePropertyName` is applied — and the override is documented in code AND in `api_program.md` so a future reader cannot remove it by accident.
+- **Cross-task collision check**: No two validators share a class name. No two `MapPost` chains accidentally apply the same filter twice. No two contract docs reference each other circularly. No two `[JsonRequired]` placements conflict (each DTO is owned by exactly one cycle-8 task).
+- **Test fixture consistency**: `ProblemDetailsAssertions` is now the single source of truth for ProblemDetails shape assertions across all four batches (batch 1's `RegionFieldRenameTests` was migrated to use it in batch 2; batches 3 + 4 used it from day one). `JwtTestHelpers` (cycle 3) was unchanged.
+- **Contract version coherence**: `region-request.md` v1.0.0, `tile-latlon.md` v1.0.0, `route-creation.md` v1.0.0, `uav-tile-upload.md` v1.2.0 — all reference `error-shape.md` v1.0.0. The version-bump on UAV upload (vs the v1.0.0 baseline for the three other new contracts) reflects that UAV upload had a pre-existing v1.1.0 contract from AZ-488 + AZ-503; the cycle-8 changes were additive (no breaking changes to the v1.1.0 shape).
+
+### Phase 7: Architecture Compliance (cumulative)
+
+- **Layer direction**: No cross-component dependencies added or removed. New validators + filters live in `SatelliteProvider.Api/Validators/` (Layer 4 = WebApi). New `[JsonRequired]` attributes touch DTOs in `SatelliteProvider.Common/DTO/` (Layer 0 = Common). `SatelliteProvider.Common` does not depend on FluentValidation — the attribute is `System.Text.Json.Serialization.JsonRequiredAttribute`, no new package reference needed.
+- **Public API respect**: No internal symbols newly exposed. DTOs were already public (cycle-2 + cycle-5 + cycle-6 work). Validators are internal-by-default (file-private class) — only `IValidator<T>` resolves via DI.
+- **No cycles**: dependency graph for the cycle-8 work:
+  - `SatelliteProvider.Common` → (FluentValidation? NO — only `System.Text.Json.Serialization`)
+  - `SatelliteProvider.Api/Validators/*` → (`FluentValidation`, `Microsoft.Extensions.Options`, `Common.DTO`, `Common.Configs`) — no cycle.
+  - `SatelliteProvider.Api/Validators/UavUploadValidationFilter.cs` → (`FluentValidation`, `Microsoft.AspNetCore.Http`, `Common.DTO`) — no cycle.
+- **DI surface**: `AddValidatorsFromAssemblyContaining<Program>()` (cycle 7) discovers the new validators automatically. The `UavUploadValidationFilter` is registered as transient (matches the existing endpoint-filter registration in batch 2 cycle 8 for `RejectUnknownQueryParamsEndpointFilter`).
+- **Documentation alignment**: `_docs/02_document/modules/api_program.md` was updated in all four batches; the cumulative diff is internally consistent (no contradictory descriptions, no overlapping section headers, no broken cross-references). `_docs/02_document/contracts/api/` gained three new files (`region-request.md`, `tile-latlon.md`, `route-creation.md`) and one bumped file (`uav-tile-upload.md`). `_docs/02_document/system-flows.md` F1/F2/F4 were updated to reflect the validator filter step.
+- **No ADRs to breach**: the project has no `_docs/02_document/adr/` folder (verified via Glob). Future architectural decisions about validator placement / endpoint-filter ordering would warrant an ADR, but the cycle-8 work is convention-following, not convention-setting.
+
+## Baseline Delta (cumulative)
+
+| Class | Count | Notes |
+|-------|-------|-------|
+| Carried over | 0 | Cycle-7 retro had no Architecture-class entries to carry; cycle-1 baseline empty |
+| Resolved | 0 | None — cycle 8 is strictly additive |
+| Newly introduced | 1 | F1 in batch 4: `FixedTimeProvider` duplication has crossed the cycle-2-advisory "promote to shared" threshold (3+ consumers). Tracked as a Low-priority follow-up PBI. |
+
+## Cumulative Findings (new this cycle)
+
+Per-batch findings are listed in their respective `reviews/batch_NN_cycle8_review.md` files. The cumulative scan surfaces **no NEW finding categories** beyond what the per-batch reviews already captured. The cumulative-only observations are:
+
+1. **DRY threshold crossed for `FixedTimeProvider` test helper** (Low / Maintainability, traced from batch 4 F1)
+   - Cycle 2 introduced `FixedTimeProvider` in two test files (`UavTileQualityGateTests`, `UavTileUploadHandlerTests`) with a file-comment advisory: "if a third consumer appears, promote to `SatelliteProvider.TestSupport`."
+   - Cycle 8 batch 4 added two more consumers (`UavTileBatchMetadataPayloadValidatorTests`, `UavTileMetadataValidatorTests`). Total = 4.
+   - Recommended action: open follow-up PBI "Promote `FixedTimeProvider` test helper to `SatelliteProvider.TestSupport`" (≈1 SP, mechanical).
+
+2. **`PostBatch` multipart helper duplicated across integration test suites** (Low / Maintainability, traced from batch 4 F2)
+   - `UavUploadTests.cs` (cycle 2) and `UavUploadValidationTests.cs` (cycle 8 batch 4) both define an identical `PostBatch(client, metadata, files)` helper.
+   - Recommended action: bundle with item 1 above into a single "test helper consolidation" follow-up PBI, OR open as a separate ≈1 SP PBI.
+
+3. **Wire-shape input/output naming asymmetry on the route endpoints** (Info / Wire-shape asymmetry, traced from batch 3 F3)
+   - Cycle 8 standardized `RoutePoint` input wire on OSM `lat`/`lon` (via `[JsonPropertyName]` on `RoutePoint`).
+   - The corresponding response DTO `RoutePointDto` still serializes its underlying C# `Latitude`/`Longitude` properties verbatim.
+   - This asymmetry is pre-existing; AZ-809 documented it in `route-creation.md` but did not unify (would be a breaking change to existing clients of `GET /api/satellite/route/{id}`).
+   - Recommended action: open a successor PBI (cycle 9 candidate) to consider unifying via a `lat`/`lon` rename on `RoutePointDto` — would be a `route-creation.md` v2.0.0 + a corresponding integration-test migration. Coordinate with any external consumer of the GET response.
+
+4. **Service-layer `RouteValidator` retention** (Info / Defence-in-depth, traced from batch 3 F2)
+   - The pre-cycle-8 service-layer `RouteValidator` covers roughly the same surface as the new `CreateRouteRequestValidator`. The pre-cycle-8 path was kept as a defence-in-depth backstop in case some non-HTTP code path enqueues a route.
+   - Recommended action: defer to a follow-up PBI (cycle 9 candidate). Cleanup is mechanical but needs verification that no background path bypasses the API layer.
+
+5. **Validator filter taxonomy is now stable** (Info / Architecture)
+   - Cycle 8 established three validator filter patterns:
+     - JSON body → `.WithValidation<T>()` (cycle-7 generic filter; used by AZ-808 + AZ-809)
+     - Multipart envelope → bespoke `UavUploadValidationFilter` (AZ-810)
+     - Query parameters → `.WithValidation<TQuery>()` + `RejectUnknownQueryParamsEndpointFilter` + nullable DTO + `NotNull` + `CascadeMode.Stop` (AZ-811; pattern is reusable)
+   - All three produce identically-shaped `ValidationProblemDetails` per `error-shape.md` v1.0.0.
+   - Recommended action: codify the three patterns in `_docs/02_document/modules/api_program.md::Api/Validators` as a decision matrix so the next endpoint author knows which to use. (Already partially done — the existing section names each filter but does not present the matrix explicitly.)
+
+## Recurring patterns to surface for cycle-8 retrospective
+
+1. **The "publish a v1.0.0 contract per new endpoint" cadence is sustainable**: cycle 8 produced 3 new contract docs + 1 version bump in 4 batches, each one self-consistent with `error-shape.md` v1.0.0 and cross-referenced from the validator file. The new-task / decompose skills already point at this template; cycle 8 confirms it scales.
+2. **`[JsonRequired]` + `UnmappedMemberHandling.Disallow` + FluentValidation is the canonical pattern**: every cycle-8 endpoint uses the three layers (deserializer rejects missing/unknown axes, FluentValidation rejects business-rule violations). Worth a one-paragraph entry in `_docs/02_document/architecture.md` so the pattern is discoverable by the next contributor.
+3. **Probe scripts have proven valuable** as an out-of-process verification check during validator development: batches 02, 03, 04 each shipped a `probe_<endpoint>_validation.sh` script that exercises every failure mode via `curl`. Several cycle-8 mid-batch fixes (AZ-811 binder short-circuit, AZ-809 `OverridePropertyName` discovery) were found via probe scripts before the integration tests caught them.
+4. **Mid-batch root-cause investigations were captured in the per-batch reports**: batch 2 (AZ-811 binder short-circuit) and batch 3 (`OverridePropertyName` quirk) both carry detailed "Auto-Fix Attempts" sections explaining the failure mode, the diagnostic step, and the fix. This is the pattern `coderule.mdc` "Debugging Over Contemplation" calls for — worth normalizing in the implement skill's batch-report template.
+
+## Verdict Logic
+
+- 0 Critical, 0 High, 0 Medium.
+- 4 Low findings across the 4 batches (1 in batch 1, 0 in batch 2, 1 in batch 3, 2 in batch 4) — all surfaced as per-batch findings; cumulative scan found NO new categories beyond what each batch review already captured.
+- 4 Info findings — all are pre-existing or design-decision items, all documented, all with clear follow-up PBI candidates.
+- → **PASS_WITH_WARNINGS**.
+
+## Recommendation to /implement
+
+Cumulative review passes. All four batches of cycle 8 are accepted. **Cycle 8 implementation phase is complete** — implement skill should:
+
+1. Commit batch 4 (AZ-810).
+2. Transition AZ-810 → In Testing in tracker.
+3. Archive AZ-810's task spec to `_docs/02_tasks/done/`.
+4. Hand back to autodev orchestrator for Step 11 (Run Tests), which will run the full integration suite to ratify cycle 8 end-to-end before the cycle's implementation report is sealed.
+
+Follow-up PBIs surfaced by this cumulative review (not blocking cycle-8 closure):
+
+- (Low, ~1 SP) Promote `FixedTimeProvider` test helper to `SatelliteProvider.TestSupport`.
+- (Low, ~1 SP) Promote `PostBatch` multipart helper to a shared `UavUploadMultipartFixture`.
+- (Info, ~2 SP) Codify validator-filter decision matrix in `_docs/02_document/modules/api_program.md::Api/Validators`.
+- (Info, ~3 SP — coordination required) Unify response-side `RoutePointDto` to use `lat`/`lon` wire keys (v2.0.0 of `route-creation.md`).
+- (Info, ~2 SP) Decide whether to retire service-layer `RouteValidator` now that the API layer strictly validates.

_docs/03_implementation/deploy_cycle7.md

@@ -0,0 +1,123 @@
+# Deploy Report — Cycle 7 (AZ-794 + AZ-795 + AZ-796)
+
+**Date**: 2026-05-22
+**Cycle**: 7
+**Scope**: Three-task cycle delivering the **API quality follow-up** scope adopted from gps-denied-onboard's AZ-777 Phase 1 Jetson probe:
+  - **AZ-794** — rename inventory body fields `tileZoom/tileX/tileY → z/x/y` (OSM / slippy-map convention).
+  - **AZ-795** — epic + shared infra for strict input validation across all public endpoints: FluentValidation 12.0.0 wiring + global `ProblemDetails` exception handler + `JsonSerializerOptions.UnmappedMemberHandling.Disallow`.
+  - **AZ-796** — first concrete per-endpoint child of AZ-795: strict validation for `POST /api/satellite/tiles/inventory` (9 validation rules); reference-implementation pattern for sibling per-endpoint tasks.
+
+Cycle 7 is a **pure-quality cycle**: no new endpoints, no new persisted state, no migrations, no new env vars, no container-image changes. The full payload is a contract bump (`tile-inventory.md` 1.0.0 → 2.0.0 — major because of the field rename) plus a new strict validation surface across the inventory endpoint.
+
+## What is shipping
+
+### Code changes (committed to `dev`)
+
+| Commit | Subject |
+|--------|---------|
+| `dceaddc` | `[AZ-794] [AZ-795] [AZ-796] Adopt cycle 7 tasks (API quality follow-up)` — Step 9 task-adoption commit, autodev state advanced to Step 10. |
+| `865dfdb` | `[AZ-794] [AZ-795] [AZ-796] Strict input validation + z/x/y rename` — Step 10 implementation in a single batch. |
+| _pending this commit_ | `[AZ-794] [AZ-795] [AZ-796] Cycle 7 Steps 12-16 sync (test-spec / docs / security / perf / deploy)` |
+
+The two no-ticket commits `19c0371` (`[no-ticket] Sync .cursor with suite root`) and `7d3ba1c` (`Enhance .cursor documentation and workflows`) preceded cycle 7's task-adoption commit and are repo-plumbing changes (`.cursor/` skill + rule alignment with the suite root); they do not affect the running api and are not in cycle 7's tracker scope.
+
+All commits are on `dev` but the cycle-7 sync commit (this one) has not yet been pushed to `origin/dev` as of this report. Operator runbook step 1 below covers the push.
+
+### Database migrations
+
+**None.** Cycle 7 ships **zero migration files**. The `_docs/02_document/contracts/data-access/tile-storage.md` v2.0.0 schema from cycle 6 is unchanged; the inventory endpoint reads from the same `tiles` table via the same `tiles_leaflet_path` covering index that cycle 6 introduced.
+
+`pgcrypto`: still required, still installed automatically by migration 014 from cycle 5 — cycle 7 does not touch the extension surface.
+
+### Configuration changes (operator must verify before promoting)
+
+| Setting | Was | Now | Source |
+|---------|-----|-----|--------|
+| **No new env vars introduced.** | — | — | Cycle 7 carries forward the cycle-6 env contract verbatim (`JWT_SECRET ≥ 32B`, `JWT_ISSUER`, `JWT_AUDIENCE`, `GOOGLE_MAPS_API_KEY`). |
+| `docker-compose.yml` Postgres host port | `5432:5432` | **`5433:5432`** (host-side bind only) | Dev-only sibling-project conflict avoidance (a sibling-suite Postgres was already binding `5432` on the dev workstation; moving the host-side bind to `5433` lets both projects run in parallel). **In-container port is unchanged (`5432`)** — the api service still resolves `postgres:5432` over the compose network. `appsettings.Development.json`, `README.md`, `AGENTS.md`, `architecture.md`, and `_docs/02_document/deployment/containerization.md` all aligned with the new host-side number. **Staging/prod unaffected** — they don't use docker-compose. |
+| `appsettings.Development.json` Postgres connection | `Host=localhost;Port=5432` | **`Host=localhost;Port=5433`** | Aligns the .NET launch profile (i.e. `dotnet run` on host, NOT inside docker-compose) with the new host-side bind. Compose-internal connections (api ↔ postgres on the compose network) are unaffected. |
+| Container image (`api` service) | `mcr.microsoft.com/dotnet/aspnet:10.0` | **unchanged** | No Dockerfile, no `.woodpecker/*.yml` changes this cycle. |
+| Dev TLS dev-cert plumbing (cycle-6 addition) | TLS+ALPN with `./certs/api.{pfx,crt}`, `update-ca-certificates` in test container | **unchanged** | Cycle 7 reuses cycle-6's TLS plumbing verbatim. The new `scripts/probe_inventory_validation.sh` reuses `--insecure` for the dev cert and reads `JWT` from env. |
+| `SatelliteProvider.Api.csproj` NuGet packages | (cycle-6 baseline) | **+ `FluentValidation` 12.0.0**, **+ `FluentValidation.DependencyInjectionExtensions` 12.0.0** | New dependencies for AZ-795's shared validation infra. Both packages have **no known CVEs** at 12.0.0 (NuGet audit clean, GitHub Security Advisories clean — `_docs/05_security/dependency_scan_cycle7.md` records the audit trace). Minor bump to 12.1.1 is the only recommended hardening (Low severity D-AZ795-1; bug fixes only, no security-driven advisory). |
+
+### Contract changes (consumer-visible)
+
+| Contract | Version | Change | Action for consumers |
+|----------|---------|--------|----------------------|
+| `POST /api/satellite/tiles/inventory` (`tile-inventory.md`) | **1.0.0 → 2.0.0** (MAJOR) | **Field rename**: request body and response payload renamed `tileZoom/tileX/tileY → z/x/y` (OSM / slippy-map convention; aligns the body shape with the existing URL convention on `GET /api/satellite/tiles/{z}/{x}/{y}`). **Strict validation**: HTTP 400 + RFC 7807 `ValidationProblemDetails` on any of: missing `tiles` / `locationHashes`, both arrays present (XOR violation), array empty, array exceeds 5000 entries, any `z` outside `[0, 22]`, any `x` outside `[0, 2^z)`, any `y` outside `[0, 2^z)`, any `locationHash` not 36-char lowercase UUID. **Unknown fields rejected**: any body containing a member not declared on the request DTO (e.g. legacy `tileZoom`, typo'd `Z`) is rejected via `JsonSerializerOptions.UnmappedMemberHandling.Disallow` at the deserializer layer (HTTP 400 before the validator runs). | **Sibling repo onboarding (gps-denied-onboard AZ-777 follow-up)**: any client carrying the legacy `tileZoom/tileX/tileY` body MUST switch to `z/x/y`. Any client expecting silent coercion of malformed bodies MUST handle the new 400 path. The `Authorization: Bearer …` header continues to be required (cycle-6 contract). Sibling-repo tasks for the per-endpoint sweep across the rest of the public API will follow as more AZ-795 children land. |
+| `_docs/02_document/contracts/api/error-shape.md` | (existing baseline, AZ-353 sanitization) | **No version bump.** Cycle 7 confirms the error shape is RFC 7807-compatible (`type`/`title`/`status`/`detail`/`extensions.errors` for `ValidationProblemDetails`) and that 5xx errors continue to be sanitized via the cycle-6 baseline `GlobalExceptionHandler`. Two **Low** findings (F-AZ795-1, F-AZ795-2) note that `JsonException.Message` and `BadHttpRequestException.Message` may surface internal .NET type/parameter names in 400 detail strings — auth-gated, no security impact in dev — documented for sanitization in a future cycle. | Consumers parsing the 400 shape get a stable RFC 7807 envelope; no breaking change to the error contract itself. |
+| `tile-storage.md` (data-access contract) | **unchanged at 2.0.0** | Cycle 7 does not touch the schema. The cycle-6 v2.0.0 contract from the AZ-503+AZ-505 joint freeze is preserved verbatim. | No action. |
+
+### Container image
+
+- **Source**: `SatelliteProvider.Api/Dockerfile` multi-stage build, base `mcr.microsoft.com/dotnet/aspnet:10.0` — **unchanged from cycle 5/6**.
+- **No new mounts in `docker-compose.yml`**: the cycle-6 dev-cert mounts (`./certs/api.pfx:/app/certs/api.pfx:ro`) and the cycle-6 tests-container CA-trust mount remain unchanged.
+- **Verification on dev workstation (local)**: `docker compose up -d --build` succeeded for the cycle-7 Step 15 perf run (this session). API healthy on `https://localhost:18980` (swagger 200; anonymous POST `/api/satellite/tiles/inventory` returns 401; v2 schema `{"tiles":[{"z":18,"x":...,"y":...}]}` returns 200; legacy schema `{"tiles":[{"tileZoom":18,...}]}` returns 400 — verified via `scripts/probe_inventory_validation.sh`).
+- **Verification on CI**: pending — the cycle-7 sync commit (this one) has not been pushed yet. Operator action: after push, confirm the next Woodpecker `01-test` + `02-build-push` runs on `dev` succeed before promoting. Note that the cycle-7 .NET build uses `mcr.microsoft.com/dotnet/sdk:10.0` (unchanged) and the integration test container still resolves the dev cert via `scripts/run-tests.sh`'s `ensure_dev_cert` block; no new CI secret is required.
+- **Multi-arch**: unchanged from cycle 6 (`aspnet:10.0` is multi-arch by Microsoft).
+
+## Verification gates passed in this cycle
+
+| Gate | Result | Evidence |
+|------|--------|----------|
+| Step 11 — Functional test suite | **PASS** | Unit suite 311 tests green (including the new 16-test `InventoryRequestValidatorTests` covering all 9 rules + the new `GlobalExceptionHandlerTests`); integration suite green (including the new `TileInventoryValidationTests` + the `TileInventoryTests` payload-rename refactor + the `IdempotentPostTests` adjacent fix where strict deserialization uncovered a long-silent PascalCase fallback bug). The implementation report for this cycle landed at the commit-message level — there is **no separate `_docs/03_implementation/implementation_report_*_cycle7.md` file**; cycle 7 was a single-batch cycle and the `865dfdb` commit body documents the implementation summary inline (the cycle-7 test-spec sync correctly notes this retrospectively as a process gap to address in cycle 8). |
+| Step 12 — Test-Spec Sync | **PASS** | `_docs/02_document/tests/traceability-matrix.md` extended with 12 cycle-7 AC rows (AZ-794 ×3, AZ-795 ×3, AZ-796 ×6) + Coverage Summary update; `blackbox-tests.md` BT-27 added for the AZ-796 9-rule validation surface. |
+| Step 13 — Update Docs | **PASS** | `_docs/02_document/architecture.md` already carried § 9 Input Validation (AZ-795) from the implementation commit; module-layout updated with cycle-7 file list; `tests_unit.md` documents the new `InventoryRequestValidatorTests` + `ValidatorTestModuleInitializer`; `tests_integration.md` documents `TileInventoryValidationTests` + `ProblemDetailsAssertions`; `glossary.md` gained entries for "Validation Problem Details", "FluentValidation", "Unmapped Member Handling"; `system-flows.md` F8 (Inventory Bulk Lookup) expanded with deserializer + validator gates and 13-row Validation Surface table; `data_parameters.md` § Tile Inventory documents the v2 input schema + constraints; `_docs/02_document/ripple_log_cycle7.md` captures the doc-side ripple decisions. |
+| Step 14 — Security Audit | **PASS_WITH_WARNINGS** (3 Low findings) | `_docs/05_security/security_report_cycle7.md` (consolidated) + per-phase reports `dependency_scan_cycle7.md`, `static_analysis_cycle7.md`, `owasp_review_cycle7.md`, `infrastructure_review_cycle7.md`. Findings: **D-AZ795-1** (Low) FluentValidation 12.0.0 → 12.1.1 is a recommended bug-fix bump (no CVE driving it); **F-AZ795-1** (Low) `JsonException.Message` in the 400 detail string may leak the offending .NET type name on deserialization failure (auth-gated, dev-shown only); **F-AZ795-2** (Low) `BadHttpRequestException.Message` similarly may leak the parameter name on malformed-form-input cases (auth-gated). None are blocking; remediation is a sanitizer pass in a follow-up cycle. Architectural wins: mass-assignment prevention (`Disallow`), uniform 4xx contract (RFC 7807), auth-before-validation order confirmed in `Program.cs`. |
+| Step 15 — Performance Test | **PASS** | `_docs/06_metrics/perf_2026-05-22_cycle7.md`. 8/8 scripted scenarios PASS (PT-01..PT-08), exit 0, single default-parameter run. Additionally, a cycle-7 PT-09 smoke probe (`/tmp/pt09_smoke.sh`, 20 sequential 2500-tile-batch calls using the new `z/x/y` schema, all-miss path) measured **min=27ms, median=44ms, p95=73ms, max=86ms** — **13.7× under** the AZ-505 AC-4 1000 ms p95 budget. The canonical PT-09 (`TileInventoryTests.PerformanceBudget_AC4`, all-hit seeded 2500 rows) remains the authoritative gate and is exercised by the integration suite. **AZ-794 / AZ-795 / AZ-796** added ≤ 10 ms of validator overhead on a 2500-item batch — well within noise band relative to the cycle-6 PT-09 number (p95=66ms). |
+
+## Outstanding leftovers (status this cycle)
+
+- **`_docs/_process_leftovers/`** is **empty as of cycle 7 entry** (cycle 6 closed the long-standing perf-harness leftover). Cycle 7 adds **zero new leftovers**.
+- **Implementation-report process gap (NEW)**: cycle 7's Step 10 did not produce the expected `_docs/03_implementation/implementation_report_*_cycle7.md` artifact. The `test-spec` skill's `cycle-update` mode worked around it by reading the task specs + the `865dfdb` commit body as the implementation summary. Recommendation: surface as a Step-17 retro lesson; either tighten the implement-skill exit gate (require the report artifact before marking Step 10 complete) or update the test-spec / docs skills' resume protocol to formally consume the commit body when the report is absent.
+
+## Recommended follow-up PBIs (out of cycle-7 scope, surfaced for backlog)
+
+| ID | Estimate | Title | Why |
+|----|----------|-------|-----|
+| (TBD) | 1 SP | Bump `FluentValidation` 12.0.0 → 12.1.1 | D-AZ795-1 Low finding. Bug-fix-only release per the FluentValidation 12.x changelog (no CVE driving). Trivial package bump; pairs well with the unchanged `Microsoft.IdentityModel.Tokens` follow-up below. |
+| (TBD) | 2 SP | Sanitize `JsonException.Message` + `BadHttpRequestException.Message` before surfacing in `ValidationProblemDetails.detail` | F-AZ795-1 + F-AZ795-2 Low findings. Replace the raw `Exception.Message` with a static string ("`Request body is not valid JSON`" / "`Form value could not be bound`") so the 400 path emits no internal .NET type / parameter names. Auth-gated, no security impact in dev — but the production contract should not leak this. |
+| (TBD) | 2-3 SP per endpoint | Strict validation sweep for sibling public endpoints (`POST /api/satellite/request`, `POST /api/satellite/route`, `POST /api/satellite/upload`, `GET /api/satellite/tiles/latlon`, etc.) | AZ-795 epic continuation. AZ-796 is the **reference implementation**; the remaining child tasks reuse the same `InventoryRequestValidator` + `ValidationEndpointFilter` pattern. Estimate per endpoint depends on the number of validation rules and DTO complexity; expect 2-3 SP each. |
+| (TBD) | 1 SP | Implementation-report exit gate for the `implement` skill | NEW process gap surfaced in cycle 7 — Step 10 completed without writing `_docs/03_implementation/implementation_report_*_cycle7.md`. The downstream skills (`test-spec` cycle-update, `document` task mode) compensate via task-spec + commit-body reading, but the report artifact is part of the autodev contract. Tighten the implement-skill exit gate to require the report file. |
+| (TBD) | 3 SP (recheck per cycle) | Bump `Microsoft.IdentityModel.Tokens` / `System.IdentityModel.Tokens.Jwt` 7.0.3 → 7.1.2+ | Carry-over from cycles 3-6 (NU1902 moderate severity advisory). **Unchanged from cycle 6.** |
+| (TBD) | 1 SP | Bump `Microsoft.NET.Test.Sdk` 17.8.0 → 17.13.0+ | Carry-over D2-cy4 (transitive `NuGet.Frameworks` flag). **Unchanged from cycles 4-6.** |
+| (TBD) | 3 SP | Migrate `WithOpenApi(...)` callsites to ASP.NET Core 10 minimal-API metadata extensions | Carry-over from cycles 4-6 (`ASPDEPR002` warnings). **Unchanged from cycles 4-6.** |
+| (TBD) | 1 SP (recheck per cycle) | `Serilog.AspNetCore` 8.0.3 → 10.x | Carry-over from cycles 4-6. **Unchanged from cycle 6 — no 10.x line published as of cycle 7 entry**; re-check at cycle-8 start. |
+| (TBD) | 2 SP | Inventory endpoint `estimatedBytes` field | Deferred per AZ-505 Outcome bullet 1 — unchanged from cycle 6 carry-over. |
+| (TBD) | 5 SP | HTTP/3 / QUIC dev listener | Deferred per AZ-505 Excluded list — unchanged from cycle 6 carry-over. |
+| (TBD) | 1 SP | Deployment runbook: ingress TLS termination + HTTP/2 forwarding | Carry-over from cycle 6 — unchanged. |
+| (TBD) | 1 SP | `tile-storage.md` consumer audit (post v2.0.0) | Carry-over from cycle 6 — unchanged. |
+
+Admin team `iss/aud` confirmation (carried from cycle 3) remains OPEN as a long-standing ops-side gap; still required before promoting beyond `dev`. **Unchanged from cycle 6.**
+
+## Operator runbook for promoting to staging / production
+
+1. **Push** the cycle-7 sync commit + this deploy report to `origin/dev`. Confirm Woodpecker `01-test` runs green on `dev` (no new CI secret required; dev-cert plumbing is unchanged from cycle 6).
+2. **No migration in this cycle.** The `tiles` schema is unchanged. `pgcrypto` already installed since cycle 5; no new extension dependency.
+3. **Deploy** the new `dev-arm` (and amd64) image. The image base and Dockerfile are unchanged from cycle 6; the only build-output difference is the inclusion of the two new `FluentValidation` 12.0.0 assemblies. Container startup performance / cold-start latency is unaffected (FluentValidation registration is one-shot at DI build time).
+4. **Smoke-test (production)** — note that cycle 7 introduces a **breaking** contract change on the inventory endpoint; the smoke must use the v2 schema:
+   - `/swagger` (expect 200/301), `/api/satellite/region/<random>` (expect 401, JWT enforcement) — unchanged from cycle 6.
+   - **v2 inventory body** (positive case): `POST /api/satellite/tiles/inventory` with a freshly-minted JWT, body `{"tiles":[{"z":18,"x":158485,"y":91707}]}` — expect **200** with one entry whose `present` field reflects whether that tile exists in the target environment.
+   - **Legacy body** (negative case): same endpoint with body `{"tiles":[{"tileZoom":18,"tileX":158485,"tileY":91707}]}` — expect **400** with an RFC 7807 `ValidationProblemDetails` envelope. This confirms the new strict deserializer is active in the deployed image.
+   - **Validator surface** (negative case): same endpoint with body `{"tiles":[{"z":99,"x":0,"y":0}]}` — expect **400** with the validator surface naming `z` as out-of-range.
+   - Cycle-6 smoke (`POST /api/satellite/tiles/uav`) unchanged.
+5. **Verify HTTP/2 negotiation against the production ingress** (one-off, not a regression test): unchanged from cycle 6 (`curl --http2 -sv https://<prod-host>/api/satellite/region/<id>` should log `* Using HTTP2` and a Bearer-rejected 401).
+6. **No env-var change to coordinate.** Cycle 7 doesn't introduce any new app config. The dev-only Postgres host-port move (5432 → 5433) is `docker-compose.yml`-only and never reaches a non-dev environment.
+7. **Consumer coordination**: notify all known consumers of the inventory endpoint of the v2 contract bump BEFORE the production deploy. Today's known consumers:
+   - **gps-denied-onboard `TileDownloader`** (sibling repo): AZ-777 Phase 1 — the originating ticket already flagged the v2 schema; coordinate the cut-over flag flip with the onboard team. The onboard side's `c11.use_bulk_list_endpoint=true` flag (introduced in cycle 6) must also know which schema variant to emit; this is the onboard-side AZ-777 follow-up.
+   - **Any direct curl / Postman clients** the ops team uses for smoke tests: the v1 body shape MUST be updated.
+8. **Roll-forward plan**: if a regression appears post-deploy, the rollback target is the cycle-6 close `dev-arm` tag (built from `af66135`). The cycle-7 changes are pure-code (no migration, no schema change), so rolling back is safe and idempotent. Note that any consumer that already migrated to the v2 schema will receive an unexpected 200 from the rolled-back image with `tileZoom:0, tileX:0, tileY:0` echoed back (the cycle-6 silent-coercion bug). Coordinate any rollback with the same consumer set notified in step 7.
+9. **Outstanding ops-side gap (long-standing, NOT new in cycle 7)**: admin team `iss/aud` confirmation before promoting beyond `dev`. Unchanged from cycles 3-6 runbooks.
+
+## Differences vs. cycle 6 deploy
+
+- **NEW**: a contract MAJOR bump (`tile-inventory.md` 1.0.0 → 2.0.0) — cycle 6 only **added** the inventory contract; cycle 7 is the **first revision** to it.
+- **NEW**: strict input validation surface — FluentValidation 12.0.0 + global ProblemDetails handler + `UnmappedMemberHandling.Disallow`. Cycle 6 had no validation layer beyond model-binding's silent coercion.
+- **NEW**: two NuGet additions (`FluentValidation` 12.0.0, `FluentValidation.DependencyInjectionExtensions` 12.0.0).
+- **NEW**: a dev-only host-port move (Postgres `5432 → 5433`) for sibling-project conflict avoidance. Compose-internal traffic unchanged. Staging/prod unaffected.
+- **NEW**: cycle-7 security audit ran (Step 14: PASS_WITH_WARNINGS with 3 Low findings) — cycle 6's Step 14 was skipped by the user.
+- **NEW (process)**: cycle-7 Step 10 shipped without an explicit `implementation_report_*_cycle7.md` artifact; downstream skills compensated by reading the task specs + commit body. Recommended as a Step 17 retro lesson.
+- **UNCHANGED**: container image base (`aspnet:10.0`), CI image (`sdk:10.0`), all env vars, all multi-arch tags, the cycle-4-and-earlier carry-over follow-up PBIs, the dev TLS cert plumbing, the cycle-6 Leaflet covering index (`tiles_leaflet_path`), `pgcrypto` extension state.
+- **NO MIGRATION**: cycle 6 shipped migration `015_AddTilesLeafletPathIndex.sql`; cycle 7 ships none. The `tiles` schema is unchanged.
+- **NO NEW ENDPOINTS**: cycle 6 added one new endpoint; cycle 7 modifies the contract of an existing endpoint without adding new routes.
+- **NO HTTP/2 / TLS LAYER CHANGES**: cycle 6 introduced TLS+ALPN to the dev listener; cycle 7 leaves the listener untouched and reuses cycle-6's plumbing for the smoke / validation probe (`scripts/probe_inventory_validation.sh`).

_docs/03_implementation/implementation_completeness_cycle8_report.md

@@ -0,0 +1,152 @@
+# Product Implementation Completeness Gate — Cycle 8
+
+**Cycle**: 8
+**Date**: 2026-05-23
+**Scope**: AZ-812, AZ-808, AZ-811, AZ-809, AZ-810 (4 batches; cycle theme: strict input validation at every public API endpoint)
+
+## Inputs Reviewed
+
+- `_docs/02_tasks/done/AZ-812_region_field_rename_to_osm.md`
+- `_docs/02_tasks/done/AZ-808_region_endpoint_validation.md`
+- `_docs/02_tasks/done/AZ-811_latlon_get_endpoint_validation.md`
+- `_docs/02_tasks/done/AZ-809_route_endpoint_validation.md`
+- `_docs/02_tasks/done/AZ-810_upload_metadata_validation.md`
+- `_docs/02_document/architecture.md`
+- `_docs/02_document/system-flows.md`
+- `_docs/02_document/module-layout.md`
+- `_docs/02_document/modules/api_program.md`
+- `_docs/02_document/contracts/api/region-request.md` v1.0.0 (this cycle)
+- `_docs/02_document/contracts/api/tile-latlon.md` v1.0.0 (this cycle)
+- `_docs/02_document/contracts/api/route-creation.md` v1.0.0 (this cycle)
+- `_docs/02_document/contracts/api/uav-tile-upload.md` v1.2.0 (this cycle)
+- `_docs/02_document/contracts/api/error-shape.md` v1.0.0 (cycle 7)
+- `_docs/03_implementation/batch_0{1,2,3,4}_cycle8_report.md`
+- `_docs/03_implementation/reviews/batch_0{1,2,3,4}_cycle8_review.md`
+- `_docs/03_implementation/cumulative_review_batches_01-04_cycle8_report.md`
+- Source code under each task's ownership envelope (`SatelliteProvider.Api/Validators/*`, `SatelliteProvider.Api/Program.cs`, `SatelliteProvider.Common/DTO/{RequestRegionRequest, CreateRouteRequest, RoutePoint, GeofencePolygon, GeoPoint, UavTileMetadata}.cs`, `SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs`)
+
+## Per-Task Classification
+
+### AZ-812 — Region API field rename (Latitude/Longitude → Lat/Lon, OSM convention)
+
+**Verdict**: PASS
+
+Evidence (source code, not tests or reports):
+
+- **`SatelliteProvider.Common/DTO/RequestRegionRequest.cs`** — record properties renamed from `Latitude`/`Longitude` to `Lat`/`Lon`. `[JsonPropertyName("lat")]` and `[JsonPropertyName("lon")]` attributes attached so the wire format is exactly `{"lat":..,"lon":..}`. Verified at the source.
+- **`SatelliteProvider.Api/Program.cs::RequestRegion` handler** — accesses `req.Lat`/`req.Lon` instead of the pre-cycle-8 `Latitude`/`Longitude`. Verified by grep.
+- **`scripts/run-performance-tests.sh`** — PT-03/04/05/07 JSON bodies use `{"lat":..,"lon":..}` after the rename.
+
+Search for unresolved markers in modified source: no `placeholder` / `TODO` / `NotImplemented` / `scaffold` / `fake` matches.
+
+End-to-end production pipeline check: `POST /api/satellite/request` accepts `{"lat":..,"lon":..}`, deserializes to `RequestRegionRequest`, handler reads `req.Lat`/`req.Lon`, downstream `IRegionService` + `IRegionRequestQueue` enqueues + returns the region ID. The legacy `{"latitude":..,"longitude":..}` shape is rejected at the deserializer level via `UnmappedMemberHandling.Disallow` (cycle 7). No mocks, no scaffolded fallbacks.
+
+### AZ-808 — Region POST strict validation
+
+**Verdict**: PASS
+
+Evidence (source code, not tests or reports):
+
+- **`SatelliteProvider.Api/Validators/RegionRequestValidator.cs`** — FluentValidation `AbstractValidator<RequestRegionRequest>` with 6 rules: `Id` non-empty, `Lat` ∈ [-90, 90], `Lon` ∈ [-180, 180], `SizeMeters` ∈ [100, 10000], `ZoomLevel` ∈ [0, 22], `StitchTiles` is bool (handled via `[JsonRequired]`).
+- **`SatelliteProvider.Common/DTO/RequestRegionRequest.cs`** — `[JsonRequired]` on `Id`, `Lat`, `Lon`, `SizeMeters`, `ZoomLevel`, `StitchTiles` (verified via earlier session reads).
+- **`SatelliteProvider.Api/Program.cs:252`** — `.WithValidation<RequestRegionRequest>()` chained onto the `MapPost("/api/satellite/request", ...)` endpoint. Verified via Grep.
+
+Search for unresolved markers: no matches in `RegionRequestValidator.cs`.
+
+End-to-end production pipeline check: any invalid `POST /api/satellite/request` (out-of-range, missing field, unknown field, type mismatch) is rejected before the handler runs — the request never reaches `IRegionRequestQueue.EnqueueAsync` or any database operation. ValidationProblemDetails (RFC 7807) returned per `error-shape.md` v1.0.0.
+
+### AZ-811 — lat/lon GET endpoint strict validation
+
+**Verdict**: PASS
+
+Evidence (source code, not tests or reports):
+
+- **`SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs`** — nullable record (`double? Lat`, `double? Lon`, `int? Zoom`) so missing values surface as null rather than the default-zero coercion the binder would otherwise apply. Required so the validator's `NotNull` rule can fire (instead of `NotNull` being shadowed by the default value).
+- **`SatelliteProvider.Api/Validators/GetTileByLatLonQueryValidator.cs`** — `CascadeMode.Stop` + `NotNull` + range checks for `Lat`/`Lon`/`Zoom`.
+- **`SatelliteProvider.Api/Validators/RejectUnknownQueryParamsEndpointFilter.cs`** — reusable filter that compares the request's query keys against an allow-list (`[lat, lon, zoom]`) and rejects unknown keys with the same `ValidationProblemDetails` shape.
+- **`SatelliteProvider.Api/Program.cs:212-218`** — `MapGet("/api/satellite/tiles/latlon", ...)` chain wires `.AddEndpointFilter(new RejectUnknownQueryParamsEndpointFilter(new[] { "lat", "lon", "zoom" }))` + `.WithValidation<GetTileByLatLonQuery>()` + `.Produces<DownloadTileResponse>(200)` + `.ProducesProblem(400)`. Verified via Grep.
+- **`SatelliteProvider.Api/Swagger/ParameterDescriptionFilter.cs`** — describes the `lat`/`lon`/`zoom` query parameters in OpenAPI (post-rename).
+
+Search for unresolved markers: no matches.
+
+End-to-end production pipeline check: `GET /api/satellite/tiles/latlon?lat=...&lon=...&zoom=...` either (a) reaches the handler with non-null nullable values (validator passed) and the `.Value` deref drives `ITileService.DownloadTileAsync`, OR (b) is rejected at the filter chain with HTTP 400 + ValidationProblemDetails. No silent default-zero coercion. No mocks on the success path.
+
+### AZ-809 — Route POST strict validation
+
+**Verdict**: PASS
+
+Evidence (source code, not tests or reports):
+
+- **`SatelliteProvider.Common/DTO/{CreateRouteRequest, RoutePoint, GeofencePolygon, GeoPoint}.cs`** — `[JsonRequired]` annotations added to every non-optional axis. `RoutePoint` carries `[JsonPropertyName("lat")]`/`[JsonPropertyName("lon")]` for the OSM input wire.
+- **`SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs`** — 7 root rules (id non-empty + 4 range rules on `regionSizeMeters`/`zoomLevel` + `points` count + cross-field `createTilesZip ⇒ requestMaps`) + `RuleForEach(req => req.Points).SetValidator(new RoutePointValidator())` + `RuleForEach(req => req.Geofences!.Polygons).SetValidator(new GeofencePolygonValidator()).OverridePropertyName("geofences.polygons")`. The `OverridePropertyName` on the deep expression is documented inline because FluentValidation drops the parent path otherwise.
+- **`SatelliteProvider.Api/Validators/RoutePointValidator.cs`** — `OverridePropertyName("lat"/"lon")` chained after each range rule so error keys match the wire format.
+- **`SatelliteProvider.Api/Validators/GeofencePolygonValidator.cs`** — nested `GeoCornerValidator` (file-private) + cross-field NW-of-SE invariants on `Lat` (NW.Lat > SE.Lat) and `Lon` (NW.Lon < SE.Lon).
+- **`SatelliteProvider.Api/Program.cs:268`** — `.WithValidation<CreateRouteRequest>()` chained onto the `MapPost("/api/satellite/route", ...)` endpoint. Verified via Grep.
+
+Search for unresolved markers: no matches.
+
+End-to-end production pipeline check: any invalid `POST /api/satellite/route` is rejected before the handler runs. The handler delegates to `IRouteService.CreateRouteAsync` which (a) persists the route, (b) computes intermediate points via `GeoUtils.Interpolate`, (c) enqueues region requests if `requestMaps=true`. The validator runs strictly upstream of all three. The cross-field `NW.Lat > SE.Lat` rule prevents NaN-geometry payloads from reaching the interpolator. The pre-cycle-8 service-layer `RouteValidator` remains as a defence-in-depth backstop (documented in `route-creation.md` Validator Cleanup Advisory).
+
+### AZ-810 — UAV upload metadata strict validation (multipart envelope)
+
+**Verdict**: PASS
+
+Evidence (source code, not tests or reports):
+
+- **`SatelliteProvider.Common/DTO/UavTileMetadata.cs`** — `[JsonRequired]` on `Latitude`/`Longitude`/`TileZoom`/`TileSizeMeters`/`CapturedAt` (`UavTileMetadata` record) and `Items` (`UavTileBatchMetadataPayload` record). `FlightId` deliberately stays nullable per AZ-503 anonymous-flight semantics; file-comment block documents the AZ-810 rationale.
+- **`SatelliteProvider.Api/Validators/UavTileBatchMetadataPayloadValidator.cs`** — root validator: `Items` NotNull + NotEmpty + `Must(<= MaxBatchSize)` + `RuleForEach(p => p.Items).SetValidator(new UavTileMetadataValidator(qualityConfig, timeProvider))`. TimeProvider is threaded through to the per-item validator.
+- **`SatelliteProvider.Api/Validators/UavTileMetadataValidator.cs`** — per-item validator: lat ∈ [-90, 90], lon ∈ [-180, 180], tileZoom ∈ [0, 22], tileSizeMeters > 0, capturedAt within `[now - MaxAgeDays, now + CapturedAtFutureSkewSeconds]`. `FlightId` intentionally not validated beyond JSON shape (rationale documented inline).
+- **`SatelliteProvider.Api/Validators/UavUploadValidationFilter.cs`** — `IEndpointFilter` for the multipart endpoint. Reads the `metadata` form field, deserializes with the strict global `JsonSerializerOptions` (so `UnmappedMemberHandling.Disallow` applies), runs `IValidator<UavTileBatchMetadataPayload>`, then enforces `items.Count == files.Count`. FluentValidation errors prefixed with `metadata.` so wire key is `metadata.items[0].latitude` (full path).
+- **`SatelliteProvider.Api/Program.cs:128 + 239`** — `builder.Services.AddTransient<UavUploadValidationFilter>()` (line 128, transient lifetime: fresh instance per request; no shared mutable state to amortize) + `.AddEndpointFilter<UavUploadValidationFilter>()` (line 239 in the `MapPost("/api/satellite/upload", ...)` chain) + `.Accepts<UavTileBatchUploadRequest>("multipart/form-data")` + `.Produces<UavTileBatchUploadResponse>(200)` + `.ProducesProblem(400)`. Verified via Grep.
+
+Search for unresolved markers: no matches.
+
+End-to-end production pipeline check: any invalid `POST /api/satellite/upload` is rejected before the handler runs — the request never reaches `IUavTileUploadHandler.HandleAsync`. The downstream handler retains its own envelope checks as defence-in-depth (covers direct handler callers in unit tests). For valid requests, the multipart body is buffered once by `ReadFormAsync` and the cached `IFormCollection` is reused by the downstream handler (ASP.NET caches it on the request). Per-item `IUavTileQualityGate` remains the byte-level quality gate (unchanged from AZ-488).
+
+## System Pipeline Audit
+
+The cycle-8 work does NOT introduce new pipelines — it tightens the input validation on existing pipelines. The relevant production pipelines and their classifications:
+
+| Pipeline | Cycle-8 touchpoint | Classification | Evidence |
+|----------|-------------------|----------------|----------|
+| `POST /api/satellite/request → IRegionRequestQueue → IRegionService` | AZ-808 validator + AZ-812 field rename added at the entry edge | WIRED | `Program.cs:252` (validator chain) + handler reads `req.Lat`/`req.Lon` (post-rename) |
+| `GET /api/satellite/tiles/latlon → ITileService.DownloadTileAsync` | AZ-811 validator + filter added at the entry edge | WIRED | `Program.cs:212-218` (validator + filter chain) + handler `.Value` deref |
+| `POST /api/satellite/tiles/inventory → ITileService.GetInventoryAsync` | Cycle 7 (`InventoryRequestValidator`) — not touched by cycle 8 | WIRED (pre-existing) | `Program.cs:227` (`.WithValidation<TileInventoryRequest>()`) |
+| `POST /api/satellite/route → IRouteService.CreateRouteAsync` | AZ-809 validator chain added at the entry edge | WIRED | `Program.cs:268` (validator chain) + cross-field invariants + nested DTO chain |
+| `POST /api/satellite/upload → IUavTileUploadHandler.HandleAsync` | AZ-810 multipart filter + validator added at the entry edge | WIRED | `Program.cs:128 + 239` (DI registration + endpoint chain) |
+
+No pipeline is `PARTIALLY WIRED` or `NOT WIRED`. Every pipeline has its full validator chain in production code; the handlers are unchanged behaviorally (they retain pre-cycle-8 logic plus, where applicable, defence-in-depth backstops).
+
+## Gate Verdict: PASS
+
+Every promise from the 5 cycle-8 task specs is implemented as production behaviour.
+
+- No FAIL.
+- No BLOCKED.
+- No PARTIALLY WIRED.
+- No remediation tasks required.
+- Proceed to /implement Step 16 (Final Test Run). Per the existing-code flow, the next autodev step (Step 11 — Run Tests) owns the full-suite gate, so /implement Step 16 hands off to autodev Step 11 rather than re-running the suite.
+
+## Files / Symbols Checked
+
+Production code:
+
+- `SatelliteProvider.Api/Program.cs` (DI registrations + endpoint chains — lines 100-128 + 208-280)
+- `SatelliteProvider.Api/Validators/RegionRequestValidator.cs` (AZ-808)
+- `SatelliteProvider.Api/Validators/GetTileByLatLonQueryValidator.cs` (AZ-811)
+- `SatelliteProvider.Api/Validators/RejectUnknownQueryParamsEndpointFilter.cs` (AZ-811)
+- `SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs` (AZ-809)
+- `SatelliteProvider.Api/Validators/RoutePointValidator.cs` (AZ-809)
+- `SatelliteProvider.Api/Validators/GeofencePolygonValidator.cs` (AZ-809)
+- `SatelliteProvider.Api/Validators/UavTileBatchMetadataPayloadValidator.cs` (AZ-810)
+- `SatelliteProvider.Api/Validators/UavTileMetadataValidator.cs` (AZ-810)
+- `SatelliteProvider.Api/Validators/UavUploadValidationFilter.cs` (AZ-810)
+- `SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs` (AZ-811)
+- `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` (AZ-812 + AZ-808)
+- `SatelliteProvider.Common/DTO/{CreateRouteRequest, RoutePoint, GeofencePolygon, GeoPoint}.cs` (AZ-809)
+- `SatelliteProvider.Common/DTO/UavTileMetadata.cs` (AZ-810)
+- `SatelliteProvider.Api/Swagger/ParameterDescriptionFilter.cs` (AZ-811)
+
+Cross-task scaffold-marker search (`rg -i 'placeholder|TODO|NotImplemented|scaffold|fake'` against `SatelliteProvider.Api/Validators/`): no matches in any cycle-8 production validator. The only `return null` is in `GlobalValidatorConfig.cs:24` (cycle 7), inside the `PropertyNameResolver` callback where returning null means "use the default name policy" — that is the documented sentinel value, not a stub.
+
+Cross-cycle architectural compliance: every cycle-8 production code addition lives in the cycle's existing ownership layer (`SatelliteProvider.Api/Validators/` for validators + filters, `SatelliteProvider.Common/DTO/` for DTOs). No public-API surface expansion in lower layers. No new cross-component dependencies.

_docs/03_implementation/implementation_report_strict_validation_cycle8.md

@@ -0,0 +1,190 @@
+# Implementation Report — Cycle 8
+
+**Cycle**: 8
+**Date**: 2026-05-23
+**Tasks shipped**: AZ-812 (batch 1), AZ-808 + AZ-811 (batch 2), AZ-809 (batch 3), AZ-810 (batch 4)
+**Verdict**: PASS (Product Implementation Completeness Gate — `implementation_completeness_cycle8_report.md`)
+**Code Review Verdict**: PASS_WITH_WARNINGS (4 Low across 4 batches, all DRY-in-test-helpers or design-decision documented; 0 Critical, 0 High, 0 Medium)
+
+## Summary
+
+Cycle 8 completes **strict input validation across every public API endpoint** of the satellite-provider service. The cycle delivers the per-endpoint children of the AZ-795 epic ("Strict Input Validation") that cycle 7 set up the foundations for (`UnmappedMemberHandling.Disallow`, `GlobalExceptionHandler`, `ValidationEndpointFilter<T>`, `error-shape.md` v1.0.0). After cycle 8, every JSON-body, multipart-envelope, and query-parameter endpoint:
+
+- Rejects unknown fields at the deserializer level (`UnmappedMemberHandling.Disallow` from cycle 7).
+- Rejects missing required fields via `[JsonRequired]` (deserializer-layer, surfaces as `JsonException` → `GlobalExceptionHandler` → RFC 7807 `ValidationProblemDetails`).
+- Rejects out-of-range / business-rule-violating values via FluentValidation (12.0.0), with errors in the same `ValidationProblemDetails` shape and consistent camelCase JSON-path error keys per `error-shape.md` v1.0.0 Inv-4.
+- Documents the validation in a per-endpoint contract under `_docs/02_document/contracts/api/`.
+- Ships per-validator unit tests + integration tests + curl probe scripts (3 new contract docs + 1 version bump + 4 new probe scripts + ~50 new unit/integration test methods).
+
+The endpoint coverage table:
+
+| Endpoint | Method | Cycle 8 batch | Validator |
+|----------|--------|---------------|-----------|
+| `POST /api/satellite/request` | JSON body | 02 (AZ-808) | `RegionRequestValidator` |
+| `POST /api/satellite/route` | JSON body (nested DTO chain) | 03 (AZ-809) | `CreateRouteRequestValidator` + `RoutePointValidator` + `GeofencePolygonValidator` |
+| `POST /api/satellite/upload` | multipart/form-data | 04 (AZ-810) | `UavTileBatchMetadataPayloadValidator` + `UavTileMetadataValidator` + bespoke `UavUploadValidationFilter` |
+| `GET /api/satellite/tiles/latlon` | query params | 02 (AZ-811) | `GetTileByLatLonQueryValidator` + `RejectUnknownQueryParamsEndpointFilter` |
+| `POST /api/satellite/tiles/inventory` | JSON body | (cycle 7) | `InventoryRequestValidator` (pre-existing) |
+
+Batch 1 (AZ-812) was the prerequisite rename — every cycle-8 endpoint now uses OSM `lat`/`lon` wire keys for input coordinates (the rename closed a long-standing inconsistency with the Leaflet / Slippy Map convention).
+
+## Batches
+
+| Batch | Tasks | Verdict | Report | Review |
+|-------|-------|---------|--------|--------|
+| 01 | AZ-812 — Region API field rename (Latitude/Longitude → Lat/Lon, OSM convention) | PASS | `batch_01_cycle8_report.md` | `reviews/batch_01_cycle8_review.md` |
+| 02 | AZ-808 — Region POST strict validation **+** AZ-811 — lat/lon GET strict validation | PASS_WITH_NOTES | `batch_02_cycle8_report.md` | `reviews/batch_02_cycle8_review.md` |
+| 03 | AZ-809 — Route POST strict validation + nested DTO chain | PASS_WITH_NOTES | `batch_03_cycle8_report.md` | `reviews/batch_03_cycle8_review.md` |
+| 04 | AZ-810 — UAV upload metadata strict validation (multipart envelope) | PASS_WITH_WARNINGS | `batch_04_cycle8_report.md` | `reviews/batch_04_cycle8_review.md` |
+
+Cumulative cross-batch review: `cumulative_review_batches_01-04_cycle8_report.md` — PASS_WITH_WARNINGS. The cumulative scan surfaced no new finding categories beyond what each per-batch review had already captured.
+
+## Code Changes
+
+### Batch 1 — AZ-812 (Region API OSM field rename)
+
+- `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` — properties renamed `Latitude`/`Longitude` → `Lat`/`Lon` + `[JsonPropertyName("lat")]`/`[JsonPropertyName("lon")]` so the wire is `{"lat":..,"lon":..}`.
+- `SatelliteProvider.Api/Program.cs::RequestRegion` handler — property access updated.
+- `scripts/run-performance-tests.sh` — PT-03/04/05/07 JSON bodies migrated to `lat`/`lon`.
+
+### Batch 2 — AZ-808 + AZ-811 (Region POST + lat/lon GET validators)
+
+- **AZ-808**:
+  - `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` — `[JsonRequired]` on every property.
+  - `SatelliteProvider.Api/Validators/RegionRequestValidator.cs` (NEW) — 6 rules (id non-empty + range checks on `Lat`/`Lon`/`SizeMeters`/`ZoomLevel`).
+  - `SatelliteProvider.Api/Program.cs` — `.WithValidation<RequestRegionRequest>()` chained onto `MapPost("/api/satellite/request", ...)`; removed inline size check.
+- **AZ-811**:
+  - `SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs` (NEW) — nullable record so the validator's `NotNull` rules can fire.
+  - `SatelliteProvider.Api/Validators/GetTileByLatLonQueryValidator.cs` (NEW) — `CascadeMode.Stop` + `NotNull` + range checks.
+  - `SatelliteProvider.Api/Validators/RejectUnknownQueryParamsEndpointFilter.cs` (NEW) — reusable filter that allow-lists query keys.
+  - `SatelliteProvider.Api/Program.cs` — `MapGet("/api/satellite/tiles/latlon", ...)` chain gets `.AddEndpointFilter(new RejectUnknownQueryParamsEndpointFilter(new[] { "lat", "lon", "zoom" }))` + `.WithValidation<GetTileByLatLonQuery>()` + handler `.Value` deref.
+  - `SatelliteProvider.Api/Swagger/ParameterDescriptionFilter.cs` — lat/lon/zoom descriptions (post-rename).
+- **Shared**:
+  - `SatelliteProvider.IntegrationTests/ProblemDetailsAssertions.cs` — promoted `AssertErrorsContainsMention` to a shared helper (closes batch-1 DRY warning).
+
+### Batch 3 — AZ-809 (Route POST validator + nested DTO chain)
+
+- `SatelliteProvider.Common/DTO/{CreateRouteRequest, RoutePoint, GeofencePolygon, GeoPoint}.cs` — `[JsonRequired]` on every non-optional axis; removed implicit defaults; `RoutePoint` carries `[JsonPropertyName("lat")]`/`[JsonPropertyName("lon")]`.
+- `SatelliteProvider.Api/Validators/CreateRouteRequestValidator.cs` (NEW) — 7 root rules + `RuleForEach(req => req.Points).SetValidator(new RoutePointValidator())` + `RuleForEach(req => req.Geofences!.Polygons).SetValidator(new GeofencePolygonValidator()).OverridePropertyName("geofences.polygons")`. The `OverridePropertyName` on the deep expression is documented inline + in `api_program.md` because FluentValidation drops the parent path otherwise.
+- `SatelliteProvider.Api/Validators/RoutePointValidator.cs` (NEW) — `OverridePropertyName("lat"/"lon")` chained after each range rule so error keys match the wire format.
+- `SatelliteProvider.Api/Validators/GeofencePolygonValidator.cs` (NEW) — nested `GeoCornerValidator` (file-private) + cross-field NW-of-SE invariants.
+- `SatelliteProvider.Api/Program.cs` — `.WithValidation<CreateRouteRequest>()` + `.Accepts<>` + `.Produces<>` + `.ProducesProblem(400)` on `MapPost("/api/satellite/route", ...)`.
+- Service-layer `RouteValidator` retained as defence-in-depth backstop; documented in `route-creation.md` Validator Cleanup Advisory.
+
+### Batch 4 — AZ-810 (UAV upload validator + multipart filter)
+
+- `SatelliteProvider.Common/DTO/UavTileMetadata.cs` — `[JsonRequired]` on `Latitude`/`Longitude`/`TileZoom`/`TileSizeMeters`/`CapturedAt` + `Items`. `FlightId` deliberately stays nullable per AZ-503 anonymous-flight semantics.
+- `SatelliteProvider.Api/Validators/UavTileBatchMetadataPayloadValidator.cs` (NEW) — root validator: items NotNull + NotEmpty + count cap + `RuleForEach` dispatching to the per-item validator.
+- `SatelliteProvider.Api/Validators/UavTileMetadataValidator.cs` (NEW) — per-item validator: lat/lon/tileZoom ranges + tileSizeMeters > 0 + capturedAt freshness window via injectable `TimeProvider`.
+- `SatelliteProvider.Api/Validators/UavUploadValidationFilter.cs` (NEW) — `IEndpointFilter` that intercepts the multipart body, reads the `metadata` form field, deserializes with the strict global `JsonSerializerOptions`, runs the validator, then enforces `items.Count == files.Count`. FluentValidation errors prefixed with `metadata.` so the wire key is `metadata.items[0].latitude` (full path).
+- `SatelliteProvider.Api/Program.cs` — `AddTransient<UavUploadValidationFilter>()` + `.AddEndpointFilter<UavUploadValidationFilter>()` + `.Accepts<UavTileBatchUploadRequest>("multipart/form-data")` + `.Produces<UavTileBatchUploadResponse>(200)` + `.ProducesProblem(400)` on `MapPost("/api/satellite/upload", ...)`. Transient lifetime mirrors `RejectUnknownQueryParamsEndpointFilter` (no shared mutable state to amortize).
+
+## Test Changes
+
+### Unit tests (`SatelliteProvider.Tests/Validators/`)
+
+| File | Methods | Batch |
+|------|---------|-------|
+| `RegionRequestValidatorTests.cs` (NEW) | 11 | 02 (AZ-808) |
+| `GetTileByLatLonQueryValidatorTests.cs` (NEW) | 9 | 02 (AZ-811) |
+| `RejectUnknownQueryParamsEndpointFilterTests.cs` (NEW) | 4 | 02 (AZ-811) |
+| `CreateRouteRequestValidatorTests.cs` (NEW) | 16 | 03 (AZ-809) |
+| `RoutePointValidatorTests.cs` (NEW) | 4 | 03 (AZ-809) |
+| `GeofencePolygonValidatorTests.cs` (NEW) | 6 | 03 (AZ-809) |
+| `UavTileBatchMetadataPayloadValidatorTests.cs` (NEW) | 4 | 04 (AZ-810) |
+| `UavTileMetadataValidatorTests.cs` (NEW) | 9 | 04 (AZ-810) |
+| **Total** | **63 new unit-test methods** | |
+
+### Integration tests (`SatelliteProvider.IntegrationTests/`)
+
+| File | Methods | Batch |
+|------|---------|-------|
+| `RegionFieldRenameTests.cs` (NEW) | 2 (happy + legacy-reject) | 01 (AZ-812) |
+| `RegionRequestValidationTests.cs` (NEW) | 10 | 02 (AZ-808) |
+| `GetTileByLatLonValidationTests.cs` (NEW) | 8 | 02 (AZ-811) |
+| `CreateRouteValidationTests.cs` (NEW) | 16 | 03 (AZ-809) |
+| `UavUploadValidationTests.cs` (NEW) | 16 | 04 (AZ-810) |
+| **Total** | **52 new integration-test methods** | |
+
+`SatelliteProvider.IntegrationTests/Program.cs` was updated by every batch to wire the new test entry points into BOTH `RunSmokeSuite` and `RunFullSuite`.
+
+### Probe scripts (`scripts/`)
+
+| Script | Batch |
+|--------|-------|
+| `probe_region_validation.sh` (NEW) | 02 (AZ-808) |
+| `probe_latlon_validation.sh` (NEW) | 02 (AZ-811) |
+| `probe_route_validation.sh` (NEW) | 03 (AZ-809) |
+| `probe_upload_validation.sh` (NEW) | 04 (AZ-810) |
+
+Each script exercises happy + every failure mode via `curl` against a running API container; reuses a consistent JWT-mint + status-code-assertion driver structure.
+
+## Documentation Changes
+
+### New contracts (`_docs/02_document/contracts/api/`)
+
+| File | Version | Batch |
+|------|---------|-------|
+| `region-request.md` | 1.0.0 (NEW) | 02 (AZ-808) |
+| `tile-latlon.md` | 1.0.0 (NEW) | 02 (AZ-811) |
+| `route-creation.md` | 1.0.0 (NEW) | 03 (AZ-809) |
+| `uav-tile-upload.md` | 1.1.0 → 1.2.0 (MINOR bump) | 04 (AZ-810) |
+
+All four reference `error-shape.md` v1.0.0 (cycle 7) for the canonical RFC 7807 body shape.
+
+### Updated docs
+
+- `_docs/02_document/modules/api_program.md` — endpoint descriptions, `Api/Validators` section (8 new entries), `Common/DTO` notes on `[JsonRequired]` placements, DI Registration list (3 new entries — 1 for `RejectUnknownQueryParamsEndpointFilter`, 1 for `UavUploadValidationFilter`, 1 cross-cutting `AddValidatorsFromAssemblyContaining<Program>()` re-anchored).
+- `_docs/02_document/modules/common_dtos.md` — DTO descriptions updated with `[JsonRequired]` markers + constraint summaries.
+- `_docs/02_document/modules/common_uuidv5.md` — example URL updated to post-rename `?lat=&lon=&zoom=`.
+- `_docs/02_document/system-flows.md` — F1 (lat/lon GET) / F2 (region POST) / F4 (route POST) updated with the validator filter step + preconditions + error scenarios.
+- `_docs/02_document/tests/blackbox-tests.md` — BT-01/N01/N02/06/N03/N04/N05/18 trigger + pass-criteria updates.
+- `_docs/02_document/tests/security-tests.md` — SEC-01/04/05 references the validators + `GlobalExceptionHandler` JsonException branch.
+- `README.md` — endpoint example URL updated to post-rename.
+
+## AC Coverage
+
+| AC range | Status | Test source |
+|----------|--------|-------------|
+| AZ-812 AC-1..AC-6 (6 ACs) | Covered | `RegionFieldRenameTests` (positive + legacy-reject) + `RegionTests` + `IdempotentPostTests` + `SecurityTests` + `scripts/run-performance-tests.sh` PT-03..PT-07. |
+| AZ-808 AC-1..AC-8 (8 ACs) | Covered | `RegionRequestValidationTests` (10 methods covering happy + 9 failure modes) + `RegionRequestValidatorTests` (11 unit methods). |
+| AZ-811 AC-1..AC-9 (9 ACs) | Covered | `GetTileByLatLonValidationTests` (8 methods) + `GetTileByLatLonQueryValidatorTests` (9 methods) + `RejectUnknownQueryParamsEndpointFilterTests` (4 methods). |
+| AZ-809 AC-1..AC-9 (9 ACs) | Covered | `CreateRouteValidationTests` (16 methods) + `CreateRouteRequestValidatorTests` (16) + `RoutePointValidatorTests` (4) + `GeofencePolygonValidatorTests` (6). |
+| AZ-810 AC-1..AC-9 (9 ACs) | Covered | `UavUploadValidationTests` (16 methods) + `UavTileBatchMetadataPayloadValidatorTests` (4) + `UavTileMetadataValidatorTests` (9). Existing AZ-488 `UavUploadTests` payloads traced against the new validator rules — all happy paths still valid (AC-9 preserved). |
+| **Total** | **41/41 ACs covered.** | No deferrals, no in-scope test gaps. |
+
+## Completeness Gate
+
+`_docs/03_implementation/implementation_completeness_cycle8_report.md` — **PASS**. Every cycle-8 task's promises (validators, filters, endpoint chains, contract docs, [JsonRequired] placements) are implemented as production behaviour; no scaffold / placeholder / NotImplemented markers introduced; named integrations (FluentValidation 12.0.0 DI, `UnmappedMemberHandling.Disallow`, `GlobalExceptionHandler` JsonException branch, `ValidationProblemDetails`, `IEndpointFilter`) are wired against real production code paths in `SatelliteProvider.Api/Program.cs`.
+
+## Handoff to autodev Step 11 (Run Tests)
+
+Per `/implement` Step 16: since the next existing-code flow step is **Run Tests**, the implement skill does **not** run the full suite again. The `test-run` skill owns the full-suite gate to avoid duplicate runs.
+
+Recommendation for `test-run`:
+
+- Full integration-test suite runs via `docker-compose -f docker-compose.yml -f docker-compose.tests.yml up --build --abort-on-container-exit` (per `AGENTS.md`). All four new validation test entry points (`RegionFieldRenameTests`, `RegionRequestValidationTests`, `GetTileByLatLonValidationTests`, `CreateRouteValidationTests`, `UavUploadValidationTests`) are wired into both `RunSmokeSuite` and `RunFullSuite` in `SatelliteProvider.IntegrationTests/Program.cs`.
+- AZ-488 happy-path regression coverage (`UavUploadTests`) runs unchanged — verify it stays green to confirm AC-9 (no regression).
+- Cycle-7 inventory tests (`TileInventoryValidationTests`, `TileInventoryTests`) run unchanged — verify they stay green to confirm cycle 8 did not regress the cycle 7 foundations.
+- Performance harness (`scripts/run-performance-tests.sh`) PT-01 (lat/lon GET) + PT-03..PT-07 (region POST) URLs were updated to the post-rename wire format in batch 1; if `test-run` invokes PT, confirm the budgets remain green.
+- If the DNS-flake from cycle 5/6 recurs against `mt1.google.com` / `tile.googleapis.com`, treat it as the same host-network flakiness — out of scope for cycle 8 (this cycle does not touch the Google Maps download path).
+
+## Git
+
+- Branch: `dev` (per `.cursor/rules/git-workflow.mdc`).
+- Auto-push: NOT enabled this session — per project convention, commit will happen here; user will be asked about push.
+- Commits (planned subject lines, per the git-workflow rule's `[TRACKER-ID] Summary` format):
+  - `[AZ-810] Strict validation for POST /api/satellite/upload metadata` (batch 4)
+  - (Batches 1-3 already committed individually in their respective autodev runs.)
+
+## Follow-up PBIs Surfaced by the Cumulative Review
+
+These are not blocking cycle-8 closure; they emerged from the cumulative scan as candidates for cycle 9 or later:
+
+| ID candidate | Title | SP | Rationale |
+|--------------|-------|----|-----------|
+| (open) | Promote `FixedTimeProvider` test helper to `SatelliteProvider.TestSupport` | 1 | The cycle-2 advisory ("if a 3rd consumer appears, promote") was crossed by batch 4; now duplicated across 4 test files. |
+| (open) | Promote `PostBatch` multipart helper to a shared `UavUploadMultipartFixture` | 1 | Duplicated between `UavUploadTests.cs` (cycle 2) and `UavUploadValidationTests.cs` (cycle 8 batch 4). |
+| (open) | Codify validator-filter decision matrix in `api_program.md::Api/Validators` | 2 | Cycle 8 established three validator filter patterns (JSON body, multipart, query params); document the decision matrix so the next endpoint author knows which to use. |
+| (open — coordination required) | Unify response-side `RoutePointDto` to use `lat`/`lon` wire keys (v2.0.0 of `route-creation.md`) | 3 | Cycle 8 standardized input wire on OSM `lat`/`lon`; response DTO still uses `latitude`/`longitude` — breaking change for `GET /api/satellite/route/{id}` clients. |
+| (open) | Decide whether to retire service-layer `RouteValidator` now that the API layer strictly validates | 2 | Currently retained as a defence-in-depth backstop; could be removed if no non-HTTP code path enqueues routes. |

_docs/03_implementation/reviews/batch_01_cycle8_review.md

@@ -0,0 +1,70 @@
+# Code Review Report
+
+**Batch**: 01 (cycle 8)
+**Tasks**: AZ-812 (Region API field rename Latitude/Longitude → Lat/Lon, OSM convention)
+**Date**: 2026-05-22
+**Verdict**: PASS_WITH_WARNINGS
+
+## Findings
+
+| # | Severity | Category | File:Line | Title |
+|---|----------|----------|-----------|-------|
+| 1 | Low | Maintainability | `SatelliteProvider.IntegrationTests/RegionFieldRenameTests.cs:79` | `AssertErrorsContainsMention` copy-pasted from `TileInventoryValidationTests.cs` |
+
+### Finding Details
+
+**F1: `AssertErrorsContainsMention` copy-pasted from `TileInventoryValidationTests.cs`** (Low / Maintainability)
+- Location: `SatelliteProvider.IntegrationTests/RegionFieldRenameTests.cs:79-110` (and the prior copy at `TileInventoryValidationTests.cs:396-428`)
+- Description: The new `RegionFieldRenameTests.cs` copies the private `AssertErrorsContainsMention` helper verbatim from `TileInventoryValidationTests.cs`. Both helpers walk the same `errors` object and assert a mention exists in either keys or messages.
+- Suggestion: Promote the helper to `ProblemDetailsAssertions.cs` (the natural home for cross-test ProblemDetails assertions) and migrate both tests in a small follow-up cleanup. NOT done in this batch — touching the cycle-7 file is out of AZ-812 scope. Tracked as future hygiene, not a regression.
+- Task: AZ-812
+
+## Phase Summary
+
+| Phase | Outcome |
+|-------|---------|
+| 1. Context Loading | Read AZ-812 spec + `_docs/02_document/module-layout.md`. Scope is the Region POST DTO rename. |
+| 2. Spec Compliance | AC-1 ✓ (DTO has Lat/Lon + JsonPropertyName), AC-2 ✓ (wire format end-to-end with `lat`/`lon`), AC-3 ✓ (`RegionTests.cs` happy-path updated), AC-4 ✓ (`RegionFieldRenameTests` validates both directions, smoke green), AC-5 ✓ (common_dtos.md, api_program.md, system-flows.md updated/verified), AC-6 ✓ (`region-request.md` does not yet exist — AZ-808 will publish v1.0.0 directly with new names per spec coordination). No Spec-Gap. |
+| 3. Code Quality | Mechanical DTO rename, clean. One DRY violation (F1) — Low severity. |
+| 4. Security | No SQL injection, no hardcoded secrets, no sensitive data in logs. New test uses GUID + test coordinates only. |
+| 5. Performance | No perf impact (field rename). No N+1, no blocking I/O. |
+| 6. Cross-Task Consistency | Single-task batch — N/A. |
+| 7. Architecture Compliance | DTO in `SatelliteProvider.Common/DTO/` (Common layer, importable by all). Test in `SatelliteProvider.IntegrationTests/` (test layer). No layering violations, no cycles, no Public-API bypasses, no ADR violations. |
+
+## Files Reviewed
+
+- `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` (DTO rename + `[JsonPropertyName]` attrs)
+- `SatelliteProvider.Api/Program.cs` (handler property access updated)
+- `SatelliteProvider.IntegrationTests/Models.cs` (test-side DTO mirror updated)
+- `SatelliteProvider.IntegrationTests/RegionTests.cs` (happy-path uses new property names)
+- `SatelliteProvider.IntegrationTests/IdempotentPostTests.cs` (JSON payload `lat`/`lon`)
+- `SatelliteProvider.IntegrationTests/SecurityTests.cs` (JSON payload `lat`/`lon`)
+- `SatelliteProvider.IntegrationTests/RegionFieldRenameTests.cs` (new — AZ-812 AC-4 coverage)
+- `SatelliteProvider.IntegrationTests/Program.cs` (smoke + full suite wired to call `RegionFieldRenameTests.RunAll`)
+- `scripts/run-performance-tests.sh` (PT-03/04/05/07 JSON bodies updated to `lat`/`lon`)
+- `_docs/02_document/modules/common_dtos.md` (RequestRegionRequest section added; RegionRequest disambiguated as internal queue type)
+- `_docs/02_document/modules/api_program.md` (RequestRegionRequest moved from Local Records to Common/DTO section)
+
+## Test Evidence
+
+`./scripts/run-tests.sh --smoke` (`integration-tests` container exit code 0):
+
+```
+Test: Region endpoint OSM field-name rename (AZ-812)
+====================================================
+
+AZ-812 AC-4 (positive): new {lat,lon} wire format → HTTP 200
+  ✓ {lat,lon} body accepted with HTTP 200
+
+AZ-812 AC-4 (negative): legacy {latitude,longitude} wire format → HTTP 400 (UnmappedMemberHandling.Disallow)
+  ✓ Legacy {latitude,longitude} body rejected with HTTP 400; errors map names the unknown field
+✓ Region field-rename tests: PASSED
+```
+
+No regressions: cycle-7 inventory validation suite, idempotent POST, security, route, tile, leaflet path, and migrations 012/013/014 all green in the same smoke run.
+
+## Verdict Logic
+
+- No Critical, no High, no Medium findings.
+- 1 Low finding (DRY in test helpers) — does not block.
+- **PASS_WITH_WARNINGS**.

_docs/03_implementation/reviews/batch_02_cycle8_review.md

@@ -0,0 +1,151 @@
+# Code Review Report
+
+**Batch**: 02 (cycle 8)
+**Tasks**: AZ-808 (Region POST endpoint strict validation) + AZ-811 (lat/lon GET endpoint strict validation)
+**Date**: 2026-05-22
+**Verdict**: PASS_WITH_NOTES
+
+## Findings
+
+| # | Severity | Category | File:Line | Title |
+|---|----------|----------|-----------|-------|
+| 1 | Info | Design rationale | `SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs:1-30` | DTO uses `double?` / `int?` on purpose to dodge minimal-API "Required parameter not provided" short-circuit |
+
+### Finding Details
+
+**F1: `GetTileByLatLonQuery` uses nullable types on purpose** (Info / Design rationale)
+- Location: `SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs:17-20`
+- Description: The DTO declares `Lat`/`Lon`/`Zoom` as `double?`/`double?`/`int?`. Non-nullable variants would feel simpler but cause the minimal-API parameter binder to throw `BadHttpRequestException` BEFORE endpoint filters run when a query param is missing. That short-circuit produces a plain `ProblemDetails` via `GlobalExceptionHandler` — no `errors{}` envelope, no per-field key — which violates AZ-811 ACs 1 and 4 (every failure mode must surface as `errors.<paramName>`).
+- Initial implementation used non-nullable types. Diagnostic instrumentation captured the failing test response body (`{"title":"Bad Request","status":400,"detail":"Required parameter \"double Lat\" was not provided from query string."}`) which proved the binder was short-circuiting. Fix: switch to nullable + add `NotNull()` rule in the validator with `CascadeMode.Stop` ahead of the range rule. The handler dereferences `.Value` only after the validator filter passes.
+- Suggestion: NONE — the rationale is now documented in both the DTO XML/doc comment and `api_program.md::Api/DTOs`. Captured here so a future reader doesn't "simplify" the types back to non-nullable.
+- Task: AZ-811
+
+## Phase Summary
+
+| Phase | Outcome |
+|-------|---------|
+| 1. Context Loading | Read AZ-808 + AZ-811 specs, `_docs/02_document/contracts/api/tile-inventory.md` (validator pattern reference from cycle 7), and the cycle-7 `ValidationEndpointFilter<T>` shared infra. Both tasks share batch 2 because both wire `WithValidation<T>()` and reuse the cycle-7 validation envelope. |
+| 2. Spec Compliance | **AZ-808**: AC-1..AC-8 all ✓. New `RegionRequestValidator` covers `id`/`lat`/`lon`/`sizeMeters`/`zoomLevel`. `[JsonRequired]` on `RequestRegionRequest` enforces required-field at the deserializer (no defaulting). New contract `region-request.md` v1.0.0 published. Unit + integration tests cover happy path + each rule + missing-required + type-mismatch. Probe script exercises every failure mode via `curl`. **AZ-811**: AC-1..AC-9 all ✓. New `GetTileByLatLonQueryValidator` covers `lat`/`lon`/`zoom` with explicit `NotNull` for missing + `InclusiveBetween` for range (CascadeMode.Stop). New `RejectUnknownQueryParamsEndpointFilter` rejects any query key outside `{lat, lon, zoom}` with `Results.ValidationProblem`. New contract `tile-latlon.md` v1.0.0 published. Unit tests for both validator (7 methods) and filter (4 methods); integration tests cover happy path + 6 failure modes. Probe script exercises every failure mode. |
+| 3. Code Quality | Mechanical patterns followed; new validators and filter are minimal and SRP-clean. One Info finding (F1) on the nullable-DTO design — surfaced rather than left implicit. Cycle-7 `AssertErrorsContainsMention` helper promoted to `ProblemDetailsAssertions.cs` (closes the Low-severity DRY warning from batch-1 review). |
+| 4. Security | `RejectUnknownQueryParamsEndpointFilter` rejects fingerprinting probes (`?debug=1&admin=true`, `?Latitude=...&Longitude=...`) with HTTP 400 + named keys — no enumeration vector. `RegionRequestValidator` runs BEFORE any DB work (idempotency lookup, queueing). No SQL injection vectors, no hardcoded secrets, no PII in logs. JWT auth retained on both endpoints. |
+| 5. Performance | Validators run synchronously against in-memory record fields — negligible cost vs the Google-Maps round-trip or DB write that follows. Endpoint filter inspects `Query.Keys` (in-memory dictionary scan). No N+1, no blocking I/O. |
+| 6. Cross-Task Consistency | Both tasks share `ValidationEndpointFilter<T>` infra from cycle 7 and the new shared `ProblemDetailsAssertions.AssertErrorsContainsMention`. `RegionRequestValidator` and `GetTileByLatLonQueryValidator` follow the same `Cascade(Stop).NotNull().InclusiveBetween()` pattern. Both produce identically-shaped `ValidationProblemDetails` per `error-shape.md` v1.0.0. |
+| 7. Architecture Compliance | DTOs in `SatelliteProvider.Common/DTO/` (Region) and `SatelliteProvider.Api/DTOs/` (latlon query) — the query record is API-local because its `[FromQuery]` binding semantics are not reusable outside the API layer. Validators co-located with the API at `SatelliteProvider.Api/Validators/`. No layering violations. No cycles, no public-API bypasses, no ADR breaches. |
+
+## Files Reviewed
+
+### AZ-808 (Region POST validator)
+- `SatelliteProvider.Common/DTO/RequestRegionRequest.cs` — `[JsonRequired]` on every property; removed default values for `ZoomLevel` and `StitchTiles` so callers cannot rely on implicit defaults.
+- `SatelliteProvider.Api/Validators/RegionRequestValidator.cs` — **NEW** — 5 rules (id non-empty + 4 range rules).
+- `SatelliteProvider.Api/Program.cs` (lines around `MapPost("/api/satellite/request", ...)`) — added `.WithValidation<RequestRegionRequest>()`, `.Accepts<>`, `.Produces<>`, `.ProducesProblem()`. Removed inline `request.SizeMeters` size check (now in validator).
+- `SatelliteProvider.Tests/Validators/RegionRequestValidatorTests.cs` — **NEW** — Theory + Fact coverage for each rule, positive and negative.
+- `SatelliteProvider.IntegrationTests/RegionRequestValidationTests.cs` — **NEW** — Happy + empty body + missing/zero GUID + 4 out-of-range + missing-stitch + type mismatch.
+- `SatelliteProvider.IntegrationTests/Program.cs` — wired `RegionRequestValidationTests.RunAll` into smoke + full suites.
+- `scripts/probe_region_validation.sh` — **NEW** — curl probes for every failure mode.
+- `_docs/02_document/contracts/api/region-request.md` — **NEW** — v1.0.0 contract (no prior version existed).
+- `_docs/02_document/modules/api_program.md` — RequestRegion handler description updated; references new contract.
+- `_docs/02_document/system-flows.md::F2` — references new contract + validator.
+
+### AZ-811 (lat/lon GET validator)
+- `SatelliteProvider.Api/DTOs/GetTileByLatLonQuery.cs` — **NEW** — nullable record with `[FromQuery(Name = ...)]` per property. Rationale documented in-file (F1).
+- `SatelliteProvider.Api/Validators/GetTileByLatLonQueryValidator.cs` — **NEW** — `Cascade(Stop).NotNull().InclusiveBetween` per param.
+- `SatelliteProvider.Api/Validators/RejectUnknownQueryParamsEndpointFilter.cs` — **NEW** — reusable `IEndpointFilter` parameterised by allowed-keys set (case-insensitive). Returns `Results.ValidationProblem` with one error per unknown key.
+- `SatelliteProvider.Api/Program.cs` (lines around `MapGet("/api/satellite/tiles/latlon", ...)`) — added envelope filter + `.WithValidation<GetTileByLatLonQuery>()`. Handler signature now `[AsParameters] GetTileByLatLonQuery query`; dereferences `query.Lat!.Value` etc.
+- `SatelliteProvider.Api/Swagger/ParameterDescriptionFilter.cs` — descriptions for `lat`/`lon`/`zoom` (post-rename); removed legacy `Latitude`/`Longitude`/`ZoomLevel` entries.
+- `SatelliteProvider.Tests/Validators/GetTileByLatLonQueryValidatorTests.cs` — **NEW** — 9 methods incl. null cases.
+- `SatelliteProvider.Tests/Validators/RejectUnknownQueryParamsEndpointFilterTests.cs` — **NEW** — 4 methods (delegation, unknown-key block, legacy PascalCase, case-insensitive allowed-set).
+- `SatelliteProvider.IntegrationTests/GetTileByLatLonValidationTests.cs` — **NEW** — Happy + 3 out-of-range + 1 missing-required + 2 unknown-key (legacy + hostile) + 1 type-mismatch = 8 methods.
+- `SatelliteProvider.IntegrationTests/Program.cs` — wired `GetTileByLatLonValidationTests.RunAll` into smoke + full suites.
+- `SatelliteProvider.IntegrationTests/TileTests.cs` — URL `?Latitude=&Longitude=&ZoomLevel=` → `?lat=&lon=&zoom=`.
+- `SatelliteProvider.IntegrationTests/JwtIntegrationTests.cs` — `ProtectedTilesPath` const updated.
+- `SatelliteProvider.IntegrationTests/SecurityTests.cs` — SQLi probe URL updated.
+- `scripts/probe_latlon_validation.sh` — **NEW** — curl probes incl. missing-lat, hostile probes, type mismatch.
+- `scripts/run-performance-tests.sh` — PT-01 URL updated.
+- `README.md` — endpoint example updated.
+- `_docs/02_document/contracts/api/tile-latlon.md` — **NEW** — v1.0.0 contract (no prior version existed).
+- `_docs/02_document/modules/api_program.md` — handler + `Api/Validators` + `Api/DTOs` sections updated.
+- `_docs/02_document/modules/common_uuidv5.md` — example URL updated.
+- `_docs/02_document/system-flows.md::F1` — references new contract + validation layers.
+- `_docs/02_document/tests/blackbox-tests.md` — BT-01, BT-N01, BT-N02, BT-18 triggers updated.
+- `_docs/02_document/tests/security-tests.md` — SEC-01, SEC-05 triggers updated.
+
+### Shared (cross-task hygiene)
+- `SatelliteProvider.IntegrationTests/ProblemDetailsAssertions.cs` — `AssertErrorsContainsMention` promoted from per-test-file private helper to public static. Closes batch-1 Low-severity DRY warning.
+- `SatelliteProvider.IntegrationTests/TileInventoryValidationTests.cs` — uses shared helper.
+- `SatelliteProvider.IntegrationTests/RegionFieldRenameTests.cs` — uses shared helper; removed unused `using` directives.
+
+## Test Evidence
+
+`./scripts/run-tests.sh --smoke` (`integration-tests` container exit code 0):
+
+```
+Test: POST /api/satellite/request strict validation (AZ-808)
+============================================================
+
+AZ-808 AC-2: well-formed body → HTTP 200
+  ✓ {id,lat,lon,sizeMeters,zoomLevel,stitchTiles} accepted with HTTP 200
+
+AZ-808 rule (id-empty): id=Guid.Empty → HTTP 400
+  ✓ id=Guid.Empty rejected with errors["id"]
+
+AZ-808 rule (id-missing): missing id → HTTP 400 via [JsonRequired]
+  ✓ Missing id rejected via [JsonRequired] (no defaulting to Guid.Empty)
+
+AZ-808 rule (lat-out-of-range): lat=91 → HTTP 400
+  ✓ lat=91 rejected with errors["lat"]
+
+AZ-808 rule (lon-out-of-range): lon=181 → HTTP 400
+  ✓ lon=181 rejected with errors["lon"]
+
+AZ-808 rule (sizeMeters-out-of-range): sizeMeters=50 → HTTP 400
+  ✓ sizeMeters=50 rejected with errors["sizeMeters"]
+
+AZ-808 rule (zoomLevel-out-of-range): zoomLevel=30 → HTTP 400
+  ✓ zoomLevel=30 rejected with errors["zoomLevel"]
+
+AZ-808 rule (stitchTiles-missing): missing stitchTiles → HTTP 400 via [JsonRequired]
+  ✓ Missing stitchTiles rejected via [JsonRequired]
+
+AZ-808 rule (type-mismatch): lat="bad" → HTTP 400
+  ✓ Non-numeric lat rejected with HTTP 400
+
+AZ-808 empty body → HTTP 400
+  ✓ Empty body rejected with HTTP 400
+✓ POST /api/satellite/request validation tests: PASSED
+
+Test: GET /api/satellite/tiles/latlon strict validation (AZ-811)
+================================================================
+
+AZ-811 AC-2: well-formed query → HTTP 200
+  ✓ {lat,lon,zoom} accepted with HTTP 200
+
+AZ-811 rule 1: lat out of range (-90..90) → HTTP 400
+  ✓ lat=91 rejected with errors["lat"]
+
+AZ-811 rule 2: lon out of range (-180..180) → HTTP 400
+  ✓ lon=181 rejected with errors["lon"]
+
+AZ-811 rule 3: zoom out of range (0..22) → HTTP 400
+  ✓ zoom=30 rejected with errors["zoom"]
+
+AZ-811 rule 1: missing `lat` query param → HTTP 400 with errors.lat
+  ✓ Missing lat rejected with errors["lat"] = `lat` is required
+
+AZ-811 rule 4: legacy `?Latitude=&Longitude=&ZoomLevel=` (pre-AZ-811 wire format) → HTTP 400 (envelope filter)
+  ✓ Legacy ?Latitude=&Longitude=&ZoomLevel= rejected by envelope filter
+
+AZ-811 rule 4: hostile/typo query keys → HTTP 400 (envelope filter)
+  ✓ ?debug=1&admin=true rejected; errors map names BOTH unknown keys
+
+AZ-811 rule 5: lat type mismatch (non-numeric) → HTTP 400
+  ✓ lat=fifty rejected with HTTP 400
+✓ GET lat/lon validation tests: PASSED
+```
+
+`=== All tests passed (mode=smoke) ===` — no regressions in cycle-7 inventory/idempotent/security/route/tile/leaflet/migration suites.
+
+## Verdict Logic
+
+- No Critical, no High, no Medium findings.
+- 1 Info finding (F1) — design rationale captured in code + doc; not a regression.
+- **PASS_WITH_NOTES**.