Update autodev state and lessons documentation
ci/woodpecker/push/build-arm Pipeline failed

- Changed current step from 15 (Performance Test) to 9 (New Task) in _docs/_autodev_state.md, reflecting the transition to Cycle 3.
- Updated cycle count from 2 to 3 and modified sub-step details to indicate progress in gathering feature descriptions.
- Added new lessons to _docs/LESSONS.md, emphasizing best practices for API key management, dependency handling, and reporting inline fixes during security audits.
- Enhanced CI/CD pipeline documentation in _docs/02_document/deployment/ci_cd_pipeline.md to include new gates for vulnerability scans and SBOM emissions, along with dependency overrides for transitive dependencies.
- Expanded environment strategy documentation in _docs/02_document/deployment/environment_strategy.md to include the new Google Geocode API key management.

Co-authored-by: Cursor <cursoragent@cursor.com>
Oleksandr Bezdieniezhnykh
2026-05-12 22:49:38 +03:00
parent f7dd6c98d8
commit 15838c5cc1
8 changed files with 451 additions and 20 deletions
@@ -0,0 +1,41 @@
# Cycle 2 Step 16 — Deploy Planning Sync (planning-only)
**Date**: 2026-05-12
**Cycle**: 2 (autodev Step 16)
**Outcome**: Planning sync completed; **prod cutover deferred** (see leftovers).
**Decision basis**: user skipped the structured choice; agent defaulted to option B
(planning-only) because option A required unverifiable cross-workspace state and
option C would have lost the planning information.
## What was synced
| Document | Cycle 2 delta captured |
|----------|------------------------|
| `_docs/02_document/deployment/environment_strategy.md` | Section 2: new row for `VITE_GOOGLE_GEOCODE_KEY` (AZ-501, mission-planner) mirroring the OWM-mission-planner row. Section 3: `mission-planner/.env.example` now lists three env vars (OWM pair + tile URL + new Google key). Section 5: mission-planner local-dev bullet updated with the new key + reminder that committed-then-removed literals must still be revoked at the upstream dashboards. |
| `_docs/02_document/deployment/ci_cd_pipeline.md` | Section 2 (Missing steps): `bun audit --severity high` row added with rationale (linked to F-INF-1 from the cycle 2 security audit) and explicit notes against re-introducing the AZ-502 advisories. New §2a "Dependency overrides (AZ-502, cycle 2)": documents the `vite >=6.4.2` and `postcss >=8.5.10` `overrides` block in both `package.json`s, why it exists, and the maintenance rule for removing it safely. |
| `_docs/02_document/deployment/containerization.md` | No changes — Vite 6.4.2 upgrade does not affect the Dockerfile or the runtime image. |
| `_docs/02_document/deployment/observability.md` | No changes — cycle 2 added no client-telemetry surface. |
## What was NOT done (deferred)
Three pieces of work could not complete this cycle. Each is recorded in
`_docs/_process_leftovers/2026-05-12_az-498-deploy-and-key-revocations.md` with a full
replay procedure:
| ID | Item | Reason | Owner |
|----|------|--------|-------|
| L-AZ-498-DEPLOY | UI tile-swap prod cutover | Cross-workspace gate: satellite-provider cookie-auth migration on `GET /tiles/{z}/{x}/{y}` must merge + deploy first. Deploying the UI side alone produces a broken map. | Cross-workspace + user |
| L-AZ-499-OWM-REVOKE | OWM key revocation at owm dashboard | Manual third-party-console action; cannot be automated from CI. AZ-499 AC-7 / AC-42 pending evidence attachment. | User |
| L-AZ-501-GOOGLE-REVOKE | Google Geocode key revocation at Google Cloud Console | Same reason as above. AZ-501 AC-6 / AC-43 pending evidence attachment. | User |
## Verification
- Read-after-write check: each modified deployment doc was re-read in this session;
the new content is present and the surrounding sections are intact.
- No source-code changes — this is a documentation-only step.
- No pipeline / Docker / nginx changes — those are deferred to the Phase B follow-ups
F-INF-1..F-INF-5 already tracked in `_docs/05_security/infrastructure_review.md`.
## Auto-chain
→ Step 17 (Retrospective) for cycle 2.
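Review bot: In the "What was NOT done (deferred)" table, the two revocation rows (L-AZ-499-OWM-REVOKE and L-AZ-501-GOOGLE-REVOKE) name an owner but carry no target date or status, even though the `environment_strategy.md` row above states that committed-then-removed literals must still be revoked at the upstream dashboards. Until those rows close, the OWM and Google Geocode keys that were committed and later removed remain valid, so add a due-date or status column (or a line under the table) and say where the pending AC-7 / AC-42 and AC-6 / AC-43 evidence will be attached. The "Decision basis" line also refers to options A, B and C but only describes B as planning-only; a one-line definition of A and C would let a later reader check why the default was chosen.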