# Security Audit Report (Cycle 13)

**Date**: 2026-06-26
**Scope**: Cycle-13 delta — AZ-1126 (`capturedAt` DateTimeOffset / F-AZ810-2 closure).
**Trigger**: `/autodev` Step 14 — user chose **A) Run security audit**.
**Verdict (cycle-13 delta)**: **PASS** — F-AZ810-2 resolved; 0 new Critical/High/Medium.
**Verdict (cumulative)**: **PASS_WITH_WARNINGS** — D-AZ795-1, D2-cy4 remain open.

## Summary

| Severity | Cycle 13 at audit | Cumulative open |
|----------|-------------------|-----------------|
| Critical | 0 | 0 |
| High | 0 | 0 |
| Medium | 0 | 1 (D2-cy4 test-runtime) |
| Low | 0 new | 1 (D-AZ795-1) |

## OWASP Top 10:2021 (cycle-13 delta)

See `owasp_review_cycle13.md` — A08/A09 improved; all other categories unchanged PASS/N/A.

## Findings

| # | Severity | Category | Location | Title | Status |
|---|----------|----------|----------|-------|--------|
| F-AZ810-2 | Low | Time-handling (A08/A09) | `UavTileMetadata.CapturedAt` | `DateTime` vs `DateTimeOffset` | **RESOLVED** (AZ-1126) |

## Carry-overs (still open)

- **D-AZ795-1** — FluentValidation 12.0.0 → 12.1.1
- **D2-cy4** — test SDK transitive JWT advisory (Moderate, test-runtime only)

## Recommendations

### Immediate

- None blocking cycle 13 ship.

### Short-term

- D-AZ795-1: bump FluentValidation when a coordinated package bump task lands.

### Long-term

- D2-cy4: pin JWT test packages when upstream resolves GHSA-59j7-ghrg-fj52 for 7.0.3 line.

## Artifacts

- `dependency_scan_cycle13.md`
- `static_analysis_cycle13.md`
- `owasp_review_cycle13.md`
- `infrastructure_review_cycle13.md`