# Batch Report — Batch 01 cycle 3

**Batch**: 01 (cycle 3)
**Tasks**: AZ-495 (doc-folder convention) + AZ-496 (AspNetCore 8.0.25 bump)
**Date**: 2026-05-12

## Task Results

| Task | Status | Files Modified | Tests | AC Coverage | Issues |
|------|--------|---------------|-------|-------------|--------|
| AZ-495_doc_folder_convention | Done | 4 modified (`_docs/02_document/module-layout.md`, `.cursor/skills/new-task/SKILL.md`, `_docs/03_implementation/reviews/batch_01_cycle2_review.md`, `batch_02_cycle2_review.md`, `_docs/06_metrics/retro_2026-05-11_cycle2.md`) | Manual / convention check (no code paths) | 4/4 ACs covered | 0 blockers |
| AZ-496_bump_aspnetcore_8025 | Done | 5 modified (`SatelliteProvider.Api/SatelliteProvider.Api.csproj`, `_docs/05_security/dependency_scan.md`, `_docs/05_security/security_report.md`, `_docs/02_document/module-layout.md`, `_docs/02_document/architecture.md`, `_docs/02_document/modules/api_program.md`, `_docs/02_document/modules/tests_unit.md`) | Existing suite covers regression (Step 16 final gate) | 5/5 ACs covered | 0 blockers; 1 spec-vs-reality note (see below) |

## AC Test Coverage: All covered (9 of 9 across both tasks)
## Code Review Verdict: pending (this batch report precedes per-batch review)
## Auto-Fix Attempts: 0
## Stuck Agents: None

## What was implemented

### AZ-495 — Doc-folder convention for WebApi

Chose **Option B** (formalize modules-only convention). Rationale: WebApi is the Layer-4 orchestrator, not a Layer-3 service component; its documentation is already richly captured in `modules/api_program.md`; creating a duplicate `components/06_web_api/description.md` would establish two sources of truth.

- `_docs/02_document/module-layout.md` § Documentation Layout added — explicit canonical convention with rationale. Anchors all future WebApi documentation at `modules/api_program.md`; the absence of a `components/06_web_api/` folder is now a documented invariant.
- `.cursor/skills/new-task/SKILL.md` Step 4 (Codebase Analysis) updated to direct future agents at the correct path when a task touches WebApi.
- `_docs/03_implementation/reviews/batch_01_cycle2_review.md` § F1 and `batch_02_cycle2_review.md` § F1 marked **RESOLVED in cycle 3 (AZ-495)** with back-reference.
- `_docs/06_metrics/retro_2026-05-11_cycle2.md` § Decision Items Carried Over updated to mark F1 resolved.

### AZ-496 — Bump AspNetCore.OpenApi + JwtBearer to 8.0.25

- `SatelliteProvider.Api/SatelliteProvider.Api.csproj`: both `Microsoft.AspNetCore.OpenApi` AND `Microsoft.AspNetCore.Authentication.JwtBearer` bumped from `Version="8.0.21"` to `Version="8.0.25"`.
- **Note vs task spec**: the spec called for an additional bump in `SatelliteProvider.Tests/SatelliteProvider.Tests.csproj`. Verification showed `Tests.csproj` has no direct `JwtBearer` PackageReference — its JwtBearer usage flows transitively through `ProjectReference` to `SatelliteProvider.Api`, so the Tests project automatically picks up `8.0.25` once Api.csproj is bumped. The spec was inaccurate on this point; no Tests.csproj edit was made. The cycle-2 dependency-scan delta entry for D3 has been updated to reflect this.
- Dockerfiles (`SatelliteProvider.Api/Dockerfile`, `SatelliteProvider.IntegrationTests/Dockerfile`): both use the floating `mcr.microsoft.com/dotnet/aspnet:8.0` / `:sdk:8.0` / `:runtime:8.0` tags which auto-resolve to ≥ 8.0.25 on rebuild. No Dockerfile edit needed; AC-2 satisfied automatically.
- `_docs/05_security/dependency_scan.md`: D1 and D3 entries marked **RESOLVED (cycle 3, AZ-496)** with detailed disposition update.
- `_docs/05_security/security_report.md`: D1 row in cycle-1 findings table marked RESOLVED; D3 row in cycle-2 findings table marked RESOLVED; cycle-2 "Recommended cycle-3 hardening" entry marked **DONE**.
- `_docs/02_document/module-layout.md` WebApi section, `_docs/02_document/architecture.md` § Authentication & Authorization, `_docs/02_document/modules/api_program.md` Dependencies, `_docs/02_document/modules/tests_unit.md` NuGet: all version-pinning prose updated from `8.0.21` → `8.0.25` with back-reference to AZ-496.

## Open follow-ups (non-blocking)

- **Test suite gate**: AZ-496 AC-3 requires `./scripts/run-tests.sh --full` to pass. Deferred to Step 16 (Final Test Run) per the implement skill's convention. If the patch-level bump regressed anything, this gate catches it; for an 8.0.21 → 8.0.25 patch within the same .NET 8 LTS line, regressions are very unlikely.
- **D2 (Microsoft.NET.Test.Sdk 17.8.0 → 17.9.0+)**: NOT addressed in this batch. Mentioned in AZ-496 spec § Excluded as a separate decision. The cycle-3 dependency-bump backlog now contains only D2 (test-only Low). No immediate action; defer to a future cycle's hardening sweep.
- **Runtime base image pinning policy**: this batch confirmed the floating `8.0` tag works for picking up runtime patches automatically. The trade-off (auto-update vs. reproducible builds) was not formally documented as a project decision; if the team prefers explicit version pinning, that is a future cleanup task. Not in scope of AZ-496.

## Next Batch: AZ-491 (Consolidate JWT test-mint helpers)

AZ-491 is a 3 SP refactor of test infrastructure. It moves `JwtTokenFactory` to a shared location consumed by both `SatelliteProvider.Tests` and `SatelliteProvider.IntegrationTests`, deletes the duplicate `JwtTestHelpers.MintValidToken` / `MintExpiredToken` / `TamperSignature` from the integration project, and adds a code-review checklist row to flag future duplicates. The implementer must pick Option A (new `SatelliteProvider.TestSupport` library) or Option B (Integration tests reference Unit tests directly) at the start of the batch.