# Security Audit Report (Cycle 9)

**Date**: 2026-06-25
**Scope**: Cycle-9 delta — AZ-1074 (gRPC RouteTileDelivery service) + AZ-1075 (integration tests) + `SatelliteProvider.GrpcContracts`.
**Trigger**: `/autodev` Step 14 — user chose **A) Run security audit**.
**Verdict (cycle-9 delta, post-follow-up)**: **PASS** — 0 Medium open, 1 Low resolved in follow-up, 0 new Critical/High.
**Verdict (cumulative)**: **PASS_WITH_WARNINGS** — cycle-4/7/8 carry-overs unchanged (D2-cy4, D-AZ795-1, F-AZ795-1, F-AZ795-2, F-AZ810-1, F-AZ810-2).

## Summary

| Severity | Cycle 9 at audit | Post Step-14 follow-up | Cumulative open |
|----------|------------------|------------------------|-----------------|
| Critical | 0 | 0 | 0 |
| High | 0 | 0 | 0 |
| Medium | 1 (F-AZ1074-1) | **0 — RESOLVED** | 1 (D2-cy4 test-runtime) |
| Low | 1 (F-AZ1074-2) | **0 — RESOLVED** | 5+ (cycle 7–8 carry-overs) |

## OWASP Top 10:2021 (cycle-9 delta)

See `owasp_review_cycle9.md` — all categories PASS or N/A after follow-up.

## Findings

| # | Severity | Category | Location | Title | Status |
|---|----------|----------|----------|-------|--------|
| F-AZ1074-1 | Medium | Insecure Design (A04) | `RouteTileDeliveryOrchestrator.ValidateJob` | Unbounded gRPC waypoints/geofences/client_tiles | **RESOLVED** — caps 500/50/5000 |
| F-AZ1074-2 | Low | Information Disclosure (A09) | `RouteTileDeliveryGrpcService` catch-all | `ex.Message` in `DeliveryError` | **RESOLVED** — generic client message |

### F-AZ1074-1 detail (RESOLVED)

Aligned gRPC collection caps with REST: `waypoints ≤ 500`, `geofences ≤ 50`, `client_tiles ≤ 5000`. InvalidArgument via existing `ArgumentException` → `RpcException` mapping.

### F-AZ1074-2 detail (RESOLVED)

Internal errors now return `"An internal error occurred."` on the wire; `LogError` retains full exception.

## Carry-overs (unchanged)

- **F-AZ795-1, F-AZ795-2, F-AZ810-1, F-AZ810-2** — REST information-disclosure / time-handling (cycle 7–8)
- **D-AZ795-1** — FluentValidation 12.0.0 → 12.1.1
- **D2-cy4** — test SDK transitive (Medium, test-runtime only)

## Recommendations

### Immediate
- None blocking cycle 9 ship.

### Short-term (cycle 10+)
- Sanitise REST `GlobalExceptionHandler` + `UavUploadValidationFilter` (F-AZ795-1 / F-AZ810-1) in one ticket.
- Bump FluentValidation 12.0.0 → 12.1.1 (D-AZ795-1).

### Long-term
- Consider `region_size_meters` upper bound on gRPC path (REST uses 10_000 m cap) — advisory parity, not release-blocking.

## Artifacts

- `dependency_scan_cycle9.md`
- `static_analysis_cycle9.md`
- `owasp_review_cycle9.md`
- `infrastructure_review_cycle9.md`