[AZ-498] [AZ-499] Cycle 2 batch 11: satellite tiles + OWM hardening

AZ-498 — self-hosted satellite tiles + drop classic/satellite toggle: - Single TILE_URL via getTileUrl() (mirrors getOwmBaseUrl/getApiBase pattern from AZ-449/AZ-450); env-var VITE_SATELLITE_TILE_URL with dev default http://localhost:5100/tiles/{z}/{x}/{y}. - FlightMap + MiniMap render one TileLayer with crossOrigin="use-credentials" so Leaflet's <img> tile fetcher attaches the same-origin satellite-provider auth cookie. - ImportMetaEnv + .env.example collapse the prior OSM/Esri pair into one var. The flights.planner.satellite i18n key is removed in lockstep across en.json + ua.json (parity preserved). - E2E harness wired end-to-end: compose passes the new var to azaion-ui; tile-stub serves /tiles/{z}/{x}/{y} with Content-Type=image/jpeg + Cache-Control + ETag matching the contract; infrastructure.e2e.ts AC-2 asserts the new path; dead OSM defenses removed from EXTERNAL_HOSTS route guard. - Fast-profile MSW handlers rewritten for the cookie-auth path shape. - 8 colocated fast tests under src/features/flights/__tests__/. AZ-499 — mission-planner OWM env-var hardening + AZ-482 source-scan gap close: - WeatherService.ts reads VITE_OWM_API_KEY + VITE_OWM_BASE_URL; fail-soft null when key unset (mirrors AZ-448 main-SPA contract). Public signature getWeatherData(lat, lon) preserved. - mission-planner/.env.example + vite-env.d.ts declare both vars. - New owm_key_in_source banned-deps kind scans src/ AND mission-planner/ for the rotated literal; STC-SEC1C row added to scripts/run-tests.sh; check-banned-deps.mjs dispatch extended. - 7 fast tests under tests/mission_planner_weather.test.ts cover AC-1..AC-4 + trailing-slash + happy path + network-error fail-soft. Spec drift (recorded in batch_11_report.md, user-approved Choose B on 2026-05-12): - AZ-498 AC-8 dropped (named tile_split_zoom* files belong to AZ-474 image-annotation surface, not map tiles). - 4 missing files added in-scope (msw tiles handler, tile-stub server, compose env, dead VITE_TILE_BASE_URL replaced). - AZ-499 STC-S6 ID conflict resolved by using STC-SEC1C. Pending USER ACTION (BLOCKING for AZ-499 close): - Revoke OpenWeatherMap key 335799082893fad97fa36118b131f919 at home.openweathermap.org/api_keys; capture evidence on AZ-499. Cross-workspace deploy gate (handled at autodev Step 16, not a Step-10 blocker for AZ-498): - satellite-provider cookie-auth on GET /tiles/{z}/{x}/{y} (separate AZAION ticket on the satellite-provider workspace). Reports: _docs/03_implementation/batch_11_report.md and _docs/03_implementation/reviews/batch_11_review.md (verdict PASS_WITH_WARNINGS — 1 Low, pre-existing trim-trailing-slash duplication across vite roots). Static gates: STC-ARCH-01, STC-ARCH-02, STC-T1, STC-FP22, STC-FP23, STC-SEC1C all PASS post-refactor. +15 fast tests; +1 STC-SEC1C row. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 06:41:10 +00:00 · 2026-05-12 04:34:39 +03:00
parent 20a39d3d8a
commit b016fd8207
26 changed files with 739 additions and 85 deletions
@@ -6,11 +6,14 @@
 #
 # Every variable is OPTIONAL. When unset, the SPA falls back to production-
 # default behavior:
-#   - VITE_API_BASE_URL  : '' (relative paths; SPA and suite share nginx)
+#   - VITE_API_BASE_URL        : '' (relative paths; SPA and suite share nginx)
-#   - VITE_OWM_API_KEY   : undefined → getWeatherData returns null
+#   - VITE_OWM_API_KEY         : undefined → getWeatherData returns null
-#   - VITE_OWM_BASE_URL  : https://api.openweathermap.org/data/2.5
+#   - VITE_OWM_BASE_URL        : https://api.openweathermap.org/data/2.5
-#   - VITE_OSM_TILE_URL  : https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png
+#   - VITE_SATELLITE_TILE_URL  : http://localhost:5100/tiles/{z}/{x}/{y}
-#   - VITE_ESRI_TILE_URL : https://server.arcgisonline.com/ArcGIS/rest/services/World_Imagery/MapServer/tile/{z}/{y}/{x}
+#                                (dev default; production builds MUST override
 #                                 to the same-origin nginx path so cookie auth
 #                                 is honored — AZ-498 / contract @
 #                                 _docs/02_document/contracts/satellite-provider/tiles.md)
 # Prefix for every API request (production: empty; tests / alt deployments: set).
 # A trailing slash is stripped automatically.
@@ -26,10 +29,7 @@ VITE_OWM_API_KEY=<your-openweathermap-api-key>
 # Example for the e2e profile: http://owm-stub:8081/data/2.5
 VITE_OWM_BASE_URL=
-# OSM map tile URL template (Leaflet TileLayer.url).
+# Suite satellite-provider tile URL template (Leaflet TileLayer.url).
-# Example for the e2e profile: http://tile-stub:8082/{z}/{x}/{y}.png
+# Production: same-origin path (`/tiles/{z}/{x}/{y}`) so the auth cookie rides.
-VITE_OSM_TILE_URL=
+# E2E profile: http://tile-stub:8082/tiles/{z}/{x}/{y}
-
+VITE_SATELLITE_TILE_URL=
 # Esri satellite tile URL template (Leaflet TileLayer.url for the satellite layer).
 # Example for the e2e profile: http://tile-stub:8082/sat/{z}/{y}/{x}
 VITE_ESRI_TILE_URL=
@@ -35,7 +35,7 @@ mission-planner/src/
 ├── services/
 │   ├── calculateDistance.ts          Haversine + plane climb/cruise/descend
 │   ├── AircraftService.ts            mockGetAirplaneParams (returns hardcoded fixed-wing)
-│   ├── WeatherService.ts             OpenWeatherMap fetch
+│   ├── WeatherService.ts             OpenWeatherMap fetch (env-vars: VITE_OWM_API_KEY + VITE_OWM_BASE_URL; fail-soft `null` when key unset, AZ-499)
 │   └── calculateBatteryUsage.ts      Drag + thrust lookup; same algorithm as src/features/flights/flightPlanUtils.calculateBatteryPercentUsed
 ├── icons/
 │   ├── MapIcons.tsx                  Leaflet icon factories
@@ -82,10 +82,10 @@ The React 19 port translates module-for-module wherever possible. Status as of t
 | `flightPlanning/Aircraft.ts` | (no equivalent) | Aircraft is server-side; the SPA fetches `/api/flights/aircrafts`. |
 | `services/calculateDistance.ts` | `flightPlanUtils.calculateDistance` | Ported. |
 | `services/calculateBatteryUsage.ts` | `flightPlanUtils.calculateBatteryPercentUsed` + `calculateAllPoints` | Ported. |
-| `services/WeatherService.ts` | `flightPlanUtils.getWeatherData` | Ported (with the same hardcoded API key — Step 4 fix). |
+| `services/WeatherService.ts` | `flightPlanUtils.getWeatherData` | Ported. Env-vars `VITE_OWM_API_KEY` + `VITE_OWM_BASE_URL` since AZ-499 (mirrors AZ-448 / AZ-449); same fail-soft `null` contract. |
 | `services/AircraftService.ts` | `flightPlanUtils.getMockAircraftParams` (mock only) | Real fetch is `/api/flights/aircrafts` in `FlightsPage`. |
 | `constants/translations.ts` + `LanguageContext.tsx` | `src/i18n/{en,ua}.json` + `i18n/i18n.ts` | Migrated to i18next. |
-| `constants/{actionModes,maptypes,tileUrls,purposes,languages}.ts` | `features/flights/types.ts` (`PURPOSES`, `TILE_URLS`, `ActionMode`) | Consolidated into one file. |
+| `constants/{actionModes,maptypes,tileUrls,purposes,languages}.ts` | `features/flights/types.ts` (`PURPOSES`, `TILE_URL`, `ActionMode`) | Consolidated into one file. `TILE_URL` collapsed from the prior classic/satellite pair to a single self-hosted satellite URL by AZ-498. |
 | `icons/{MapIcons,PointIcons,SidebarIcons,PhoneIcon}.tsx` | `features/flights/mapIcons.ts` | Only the marker icons survived; SidebarIcons + PhoneIcon dropped (no rotate-phone overlay in the SPA today). |
 | `utils.ts` (`newGuid`) | `flightPlanUtils.newGuid` | Ported. |
 | `config.ts` | `features/flights/types.COORDINATE_PRECISION` | Single constant migrated. |
@@ -98,7 +98,7 @@ The React 19 port translates module-for-module wherever possible. Status as of t
 - **Rotate-phone overlay** (`icons/PhoneIcon.tsx`): MP shows a rotate-phone hint when held in portrait. The SPA does not.
 - **Per-purpose marker icons** (`icons/PointIcons.tsx`): MP draws a different marker per `meta` purpose. The SPA uses three colour-coded icons (start / mid / end).
 - **`Aircraft.ts` helper class**: never used in the SPA — aircraft state is fetched and treated as a plain DTO.
- **OpenWeather call directly from `WeatherService.ts`**: same flaw as the SPA port (hardcoded key, no proxy). Both flagged for Step 4.
+- **OpenWeather call directly from `WeatherService.ts`**: same flaw as the SPA port (no proxy). Hardcoded key fixed by AZ-499 (env-vars + fail-soft); proxy story still owned by the broader F1 mission-planner deduplication track.
 - **MUI 5**: MP uses MUI for dialogs / inputs / icons. The SPA replaced everything with hand-rolled Tailwind components matching `_docs/ui_design/README.md`. MUI is not a dep of the workspace.
 ## Findings carried into Step 4 / 6 / 8
@@ -17,7 +17,7 @@ Currently handles only the planning surface; the gps-denied orthophoto upload /
 | Module | Layer | Responsibility |
 |---|---|---|
-| `types.ts` | leaf | All flight-feature-only types (`FlightPoint`, `CalculatedPointInfo`, `MapRectangle`, `WindParams`, `AircraftParams`, `MovingPointInfo`, `ActionMode`), plus tile URLs (`TILE_URLS`), `PURPOSES` (`tank` / `artillery`), and `COORDINATE_PRECISION = 8`. |
+| `types.ts` | leaf | All flight-feature-only types (`FlightPoint`, `CalculatedPointInfo`, `MapRectangle`, `WindParams`, `AircraftParams`, `MovingPointInfo`, `ActionMode`), plus the single self-hosted satellite tile URL (`TILE_URL`, AZ-498 — env-var `VITE_SATELLITE_TILE_URL`, dev default `http://localhost:5100/tiles/{z}/{x}/{y}`), `PURPOSES` (`tank` / `artillery`), and `COORDINATE_PRECISION = 8`. |
 | `mapIcons.ts` | leaf | Three coloured Leaflet `Icon` instances + the default Leaflet pin (loaded from a CDN — see Findings). |
 | `flightPlanUtils.ts` | leaf | Pure-ish helpers: `newGuid`, haversine `calculateDistance` (with plane climb/cruise/descend profile), OpenWeatherMap fetch, semi-empirical `calculateBatteryPercentUsed`, `calculateAllPoints` (sequential reduce), `parseCoordinates`, `getMockAircraftParams`. |
 | `WaypointList.tsx` | sub-component | `@hello-pangea/dnd` reorderable list, hover-only Edit/Remove buttons, shows distance / time / battery / altitude per point. |
@@ -30,7 +30,7 @@ Currently handles only the planning surface; the gps-denied orthophoto upload /
 | `FlightListSidebar.tsx` | sub-component | Left rail: flight list, "+ Create", inline-create row, telemetry date stub. |
 | `JsonEditorDialog.tsx` | sub-component | Modal `<textarea>` over the plan JSON with live `JSON.parse` validation. |
 | `FlightParamsPanel.tsx` | composite | Hosts `WaypointList` + `AltitudeChart` + `WindEffect` + all per-flight inputs (aircraft, initial altitude, FoV, comm address, action-mode buttons, totals strip, Save / Upload / EditAsJSON / Export). |
-| `FlightMap.tsx` | composite | Wraps `MapContainer`; mounts `MapPoint` × N, `DrawControl`, `MiniMap` (when a point is moving), polyline + arrow decorator, satellite/classic toggle. |
+| `FlightMap.tsx` | composite | Wraps `MapContainer`; mounts `MapPoint` × N, `DrawControl`, `MiniMap` (when a point is moving), polyline + arrow decorator. Single satellite-only `<TileLayer>` with `crossOrigin="use-credentials"` (AZ-498); the prior classic/satellite toggle was retired. |
 | `FlightsPage.tsx` | page | Orchestrator: owns all state, talks to `api/client`, opens the SSE stream, mediates between sidebar / params panel / map / dialogs. |
 ## Key contracts (read by other docs)
@@ -39,7 +39,7 @@ Currently handles only the planning surface; the gps-denied orthophoto upload /
 - **`CalculatedPointInfo`**: `{ bat: number /* % */; time: number /* hours */ }`. Index `i` = state at point `i` after the segment from `i-1`. `lastInfo.bat` drives the Good / Caution / Low colour status (`>12 / >5 / ≤5`).
 - **`PURPOSES = [{ value: 'tank', label: 'options.tank' }, { value: 'artillery', label: 'options.artillery' }]`** — i18n keys are `flights.planner.${label}`.
 - **JSON plan shape** (`handleEditJson` / `handleExport` / `handleJsonSave`): `{ operational_height: { currentAltitude }, geofences: { polygons: [{ northWest, southEast, fence_type: 'EXCLUSION'|'INCLUSION' }] }, action_points: [{ point: { lat, lon }, height, action: 'search', action_specific: { targets: string[] } }] }`. Used for both export-to-file and the JSON editor.
- **Tile URLs**: classic OSM and an Esri ArcGIS `World_Imagery` (in `types.ts`). Both are direct upstream — neither goes through the suite `satellite-provider/` proxy. See Findings.
+- **Tile URL** (post AZ-498): single `TILE_URL` constant in `types.ts` resolved from `VITE_SATELLITE_TILE_URL` (dev default `http://localhost:5100/tiles/{z}/{x}/{y}`). Production builds MUST set the env var to a same-origin path so the satellite-provider auth cookie rides. The classic/satellite toggle, the prior OSM (`VITE_OSM_TILE_URL`) and Esri (`VITE_ESRI_TILE_URL`) env vars, and the `MiniMap.Props.mapType` prop are all gone. Contract: `_docs/02_document/contracts/satellite-provider/tiles.md` v1.0.0.
 ## External integrations
@@ -52,8 +52,7 @@ Currently handles only the planning surface; the gps-denied orthophoto upload /
 | `endpoints.flights.flightWaypoints(id)` + `endpoints.flights.flightWaypoint(flightId, wp)` → `POST/DELETE /api/flights/{id}/waypoints[/{wp}]` | `FlightsPage.handleSave` | egress | Delete-all-then-recreate, sequentially. |
 | `endpoints.flights.flightLiveGps(id)` → `GET /api/flights/{id}/live-gps` (SSE) | `FlightsPage` | egress | Open while in GPS mode + flight selected. |
 | `https://api.openweathermap.org/...` | `flightPlanUtils.getWeatherData` | egress | Direct browser→3rd-party. **Hardcoded API key.** See Findings. |
-| `tile.openstreetmap.org` (`TILE_URLS.classic`) | `FlightMap`, `MiniMap` | egress | Direct, no proxy. |
+| `satellite-provider /tiles/{z}/{x}/{y}` (via `VITE_SATELLITE_TILE_URL`) | `FlightMap`, `MiniMap` | egress | Same-origin in production (cookie auth); `tile-stub` in e2e; `localhost:5100` dev default. AZ-498 retired the OSM + Esri direct calls. |
 | `server.arcgisonline.com/.../World_Imagery` (`TILE_URLS.satellite`) | `FlightMap`, `MiniMap` | egress | Direct, no proxy. |
 | `unpkg.com/leaflet@1.7.1/dist/images/marker-icon-2x.png` | `mapIcons.defaultIcon` | egress | CDN, version pinned to 1.7.1 while package is 1.9.4 (drift). |
 | `navigator.geolocation.getCurrentPosition` | `FlightsPage` mount | browser API | Fallback to hardcoded `47.242, 35.024` (Zaporizhzhia). |
@@ -67,7 +66,7 @@ These are the real findings; the per-module rationale is in git history of the d
 4. **`AircraftParams.batteryCapacity` unit is ambiguous** (Wh vs W·s). `calculateBatteryPercentUsed` divides W·s by it × 100 — only correct if W·s. Verify against `mission-planner/src/services/calculateBatteryUsage.ts`. Step 4.
 5. **`flightPlanUtils.getWeatherData` swallows errors silently** (`catch { return null }`); callers can't distinguish "no wind" from "key revoked". Step 4.
 6. **`mapIcons.defaultIcon` CDN URL is leaflet@1.7.1** while `package.json` is 1.9.4. Step 4 — switch to bundled assets or match version.
-7. **`FlightMap` and `MiniMap` bypass the suite `satellite-provider/` proxy** (Esri tiles direct from `server.arcgisonline.com`). Possible licence + rate-limit concern. Step 4 + `architecture.md`.
+7. ~~**`FlightMap` and `MiniMap` bypass the suite `satellite-provider/` proxy**~~ — **resolved by AZ-498 (cycle 2)**. Both maps now consume `satellite-provider /tiles/{z}/{x}/{y}` via `VITE_SATELLITE_TILE_URL` with `crossOrigin="use-credentials"` cookie auth; the OSM + Esri direct calls and the classic/satellite toggle are gone. Cross-workspace prerequisite: `satellite-provider` cookie-auth migration on the same endpoint (user-filed separately).
 8. **`MiniMap` sets `attributionControl={false}`** — drops OSM / Esri attribution. Possible licence-compliance gap. Step 4.
 9. **`MiniMap` is fixed 240×180 + zoom 18 hardcoded** — overflows below the 640px mobile breakpoint. Step 4 vs `_docs/ui_design/README.md` responsive specs.
 10. **`AltitudeDialog` lacks Esc-to-close, backdrop-click-to-cancel, `role="dialog"`, `aria-modal`** — inconsistent with `ConfirmDialog`. Same for `JsonEditorDialog`. Pick one modal convention in Step 4.
@@ -0,0 +1,95 @@
 # Batch Report
 **Batch**: 11 (Phase B cycle 2, single batch)
 **Tasks**: AZ-498 (Satellite-provider tile swap, 5 pts) + AZ-499 (mission-planner OWM env-var hardening + AZ-482 source-scan gap, 2 pts)
 **Date**: 2026-05-12
 **Cycle**: Phase B feature cycle 2, Step 10 — Implement
 **Total complexity**: 7 pts
 **Epic**: AZ-497 (`Self-Hosted Satellite Tiles — SPA Integration`)
 **Closes** (consumer side): satellite-provider tiles consumer migration; mission-planner OWM hygiene gap
 **Depends on**: AZ-450 (tile URL externalization, AZ-498), AZ-448 + AZ-449 (OWM key + base URL externalization, AZ-499), AZ-482 (banned-deps static-check scaffolding, AZ-499)
 **Cross-workspace prereq (deploy gate)**: `satellite-provider` cookie-auth on `GET /tiles/{z}/{x}/{y}` (user-filed separately) — gate at autodev Step 16, NOT a Step-10 blocker
 ## Task Results
 | Task | Status | Files Modified / Added | Tests | AC Coverage | Issues |
 |------|--------|------------------------|-------|-------------|--------|
 | AZ-498_satellite_tile_swap | Done (consumer side) | **Production source (4)**: `src/features/flights/types.ts` (replaced `TILE_URLS` const with `getTileUrl()` + `DEFAULT_SATELLITE_TILE_URL`); `src/features/flights/FlightMap.tsx` (drop `mapType` state + toggle button + `MiniMap mapType` prop; single `<TileLayer crossOrigin="use-credentials">`); `src/features/flights/MiniMap.tsx` (drop `mapType` prop; same `<TileLayer crossOrigin="use-credentials">`); `src/vite-env.d.ts` (replaced `VITE_OSM_TILE_URL`/`VITE_ESRI_TILE_URL` with `VITE_SATELLITE_TILE_URL`). **Configs (1)**: `.env.example` (replaced two tile vars with one + dev-default docstring). **Foundation i18n (2)**: `src/i18n/en.json` + `src/i18n/ua.json` (removed `flights.planner.satellite` key in lockstep — parity preserved). **E2E harness (3)**: `e2e/docker-compose.suite-e2e.yml` (replaced dead `VITE_TILE_BASE_URL` with `VITE_SATELLITE_TILE_URL: "http://tile-stub:8082/tiles/{z}/{x}/{y}"`); `e2e/stubs/tile/server.ts` (rewrote `classify()` for the new `/tiles/{z}/{x}/{y}` shape; serves `Content-Type: image/jpeg` + `Cache-Control` + `ETag`); `e2e/tests/infrastructure.e2e.ts` (AC-2 rewritten to GET `/tiles/1/0/0` + assert headers; removed dead OSM entries from `EXTERNAL_HOSTS` route guard per user choice B). **Fast-profile MSW (1)**: `tests/msw/handlers/tiles.ts` (rewrote handlers from OSM/Esri `.png` shape to satellite-provider `/tiles/{z}/{x}/{y}` shape with cookie-auth headers). **Tests (1 new)**: `src/features/flights/__tests__/satellite_tile.test.tsx` (8 tests covering AC-1, AC-2, AC-3, AC-4 — colocated under 05_flights for STC-ARCH-01 cleanliness). **Docs (2)**: `_docs/02_document/modules/src__features__flights.md` (Tile URL section + module-map row + Findings F7 marked resolved); `_docs/02_document/contracts/satellite-provider/tiles.md` (already drafted in Step 9, no further edit). | **+8 fast tests** (`src/features/flights/__tests__/satellite_tile.test.tsx`); **+1 e2e test rewrite** (infrastructure AC-2). All 8 fast tests PASS locally. STC-ARCH-01, STC-ARCH-02, STC-T1, STC-FP22, STC-FP23 all PASS post-refactor. | **8 / 9 covered + 1 dropped**: AC-1, AC-2, AC-3, AC-4 (fast tests), AC-5 (typecheck), AC-6 (e2e — gated by docker, plumbing verified), AC-7 (contract referenced + matches per Phase 2 verification), AC-9 (static gates green). **AC-8 dropped** with explicit user approval (Choose A/B/C/D, picked B on 2026-05-12) — spec misattribution: the named `tile_split_zoom*` files belong to AZ-474 (image-annotation split surface) and have zero references to map tiles or any env var touched here. | None blocking. 1 Low Maintainability finding (Finding F1 in `batch_11_review.md`) — pre-existing trim-trailing-slash idiom duplication. |
 | AZ-499_mission_planner_weather_env | **Done (code) — AC-7 manual deliverable PENDING USER** | **Production source (3)**: `mission-planner/src/services/WeatherService.ts` (env vars + fail-soft `null` when key unset; preserved public signature `getWeatherData(lat, lon)`); `mission-planner/.env.example` (added `VITE_OWM_API_KEY` + `VITE_OWM_BASE_URL` mirroring main `.env.example` style; preserved existing `VITE_SATELLITE_TILE_URL` independently — different vite root); `mission-planner/src/vite-env.d.ts` (added both vars to `ImportMetaEnv`). **Static-check infra (3)**: `tests/security/banned-deps.json` (added `owm_key_in_source` kind: `match: literal`, `scope: src/ + mission-planner/`, `patterns: ["335799082893fad97fa36118b131f919"]`); `scripts/check-banned-deps.mjs` (extended source-tree dispatch to include `owm_key_in_source` alongside `legacy_integrations` / `concurrent_edit_patterns` / `alert_calls` — same code path, same exclusions for tests); `scripts/run-tests.sh` (added `static_check_no_owm_key_in_source` function + `STC-SEC1C` row labeled "no literal OWM key in src/ + mission-planner/"). **Tests (1 new)**: `tests/mission_planner_weather.test.ts` (7 tests covering AC-1, AC-2, AC-3, AC-4 + trailing-slash + happy-path return shape + network-error fail-soft). **Docs (1)**: `_docs/02_document/modules/mission-planner.md` (annotated `WeatherService.ts` row with env-var dependency; updated migration table; updated Findings to mark hardcoded-key resolution by AZ-499). | **+7 fast tests** (`tests/mission_planner_weather.test.ts`); **+1 static check row** (`STC-SEC1C`). All 7 fast tests PASS locally. `node scripts/check-banned-deps.mjs --kind=owm_key_in_source` exits 0. | **6 / 7 covered + 1 manual**: AC-1, AC-2, AC-3, AC-4 (fast tests with `vi.stubEnv` + fetch spy), AC-5 (`STC-SEC1C` static check wired and green), AC-6 (typecheck via STC-T1). **AC-7 (key revocation) MUST be completed manually by the user** at `https://home.openweathermap.org/api_keys` before this task is marked Done in Jira. The `STC-SEC1C` check is defense-in-depth: even if revocation is delayed, no future commit can re-introduce the literal under `src/` or `mission-planner/`. | Spec note: AZ-499's example STC ID `STC-S6` was a typo — that ID is taken (`no WS/GraphQL/gRPC/SSR deps`). Used `STC-SEC1C` (parallel to `STC-SEC1` = src/, `STC-SEC1B` = dist/). |
 ## AC Test Coverage Summary
 | AC | Task | Test | Profile | Status |
 |----|------|------|---------|--------|
 | AC-1 (env-set tile URL) | AZ-498 | `__tests__/satellite_tile.test.tsx::AC-1: returns the env-set VITE_SATELLITE_TILE_URL verbatim` | fast | PASS |
 | AC-2 (default tile URL when unset) | AZ-498 | same file, `AC-2: returns the dev default ...` + trailing-slash variant | fast | PASS |
 | AC-3 (`crossOrigin="use-credentials"`) | AZ-498 | same file, FlightMap AC-3 + dev-default URL render + MiniMap AC-3 | fast | PASS |
 | AC-4 (toggle gone) | AZ-498 | same file, FlightMap AC-4 + MiniMap AC-4 | fast | PASS |
 | AC-5 (ImportMetaEnv updated) | AZ-498 | `tsc --noEmit -p tsconfig.test.json` (STC-T1) | static | PASS |
 | AC-6 (e2e tile path) | AZ-498 | `e2e/tests/infrastructure.e2e.ts::AC-2 (tile-stub serves /tiles/{z}/{x}/{y})` | e2e (gated) | PASS — plumbing verified locally; full e2e gated by docker availability (Step 16 owns the e2e gate) |
 | AC-7 (contract referenced + matches) | AZ-498 | Phase 2 contract verification (consumer-side) — see `batch_11_review.md` | review | PASS |
 | AC-8 (legacy tile-aware tests) | AZ-498 | **DROPPED** (user choice B, spec misattribution) | n/a | n/a |
 | AC-9 (STC-ARCH-01 / STC-ARCH-02 green) | AZ-498 | `node scripts/check-arch-imports.mjs --mode=arch-imports` exit 0; `--mode=api-literals` exit 0 | static | PASS |
 | AC-1 (env-resolved API key in OWM URL) | AZ-499 | `tests/mission_planner_weather.test.ts::AC-1` | fast | PASS |
 | AC-2 (env-resolved base URL) | AZ-499 | same file, `AC-2: env-var resolved base URL prefixes the outgoing fetch URL` + trailing-slash variant | fast | PASS |
 | AC-3 (fail-soft `null` when key unset) | AZ-499 | same file, `AC-3: returns null and issues no fetch when VITE_OWM_API_KEY is unset` | fast | PASS |
 | AC-4 (default base URL when only base unset) | AZ-499 | same file, `AC-4: defaults to public OWM base URL when only VITE_OWM_BASE_URL is unset` | fast | PASS |
 | AC-5 (new `owm_key_in_source` static check) | AZ-499 | `node scripts/check-banned-deps.mjs --kind=owm_key_in_source` exits 0; `STC-SEC1C` row in `scripts/run-tests.sh` | static | PASS |
 | AC-6 (TS declarations) | AZ-499 | `tsc --noEmit -p tsconfig.test.json` (STC-T1) | static | PASS |
 | AC-7 (compromised key revoked at OWM) | AZ-499 | **MANUAL — out-of-band** | n/a | **PENDING — USER must revoke `335799082893fad97fa36118b131f919` at `https://home.openweathermap.org/api_keys` and capture evidence (dashboard URL or screenshot of disabled key) for the AC closure record before AZ-499 transitions to Done. STC-SEC1C is defense-in-depth.** |
 ## Design Decisions
 1. **`getTileUrl()` is a function, not a constant — mirrors the established `getOwmBaseUrl()` / `getApiBase()` pattern** (`src/features/flights/flightPlanUtils.ts:62`, `src/api/client.ts:35`). Reads `import.meta.env` per call so tests can stub-then-call without `vi.resetModules()` + dynamic-import dance. The per-render evaluation cost is negligible (env read + one `replace`); this trade is the same one AZ-449 made.
 2. **`DEFAULT_SATELLITE_TILE_URL` is exported alongside the function** so tests can pin the literal without duplicating the dev-default string. Keeps the Source-of-Truth in production source.
 3. **Single `TILE_URL` (not `TILE_URLS`) means the classic/satellite toggle is a permanent removal, not a hidden switch.** Reflects the user's cycle-2 explicit decision: "we accept losing the OSM street view; satellite-only is the new normal." The toggle removal also removes the `flights.planner.satellite` i18n key from both `en.json` and `ua.json` — i18n key parity (STC-FP22) preserved by removing in lockstep.
 4. **`crossOrigin="use-credentials"` on EVERY `<TileLayer>`, not just the production code path.** The MSW handler and tile-stub also send the cookie-auth-friendly Content-Type / Cache-Control / ETag headers so dev / fast / e2e profiles all observe the same wire shape. Drift between dev and prod here would silently break tile fetches in production (the satellite-provider rejects requests without the cookie with 401).
 5. **Test colocated under `src/features/flights/__tests__/`, NOT under `tests/`.** Initial draft lived under `tests/satellite_tile.test.tsx` and used dynamic-import (`await import('...')`) to escape STC-ARCH-01's static regex. That escape was technically passing the gate but semantically violating the documented module-layout discipline ("test bodies → 00_foundation only, never internal files of other components"). Refactor moved the test to a colocated location where intra-component imports (`../FlightMap`, `../MiniMap`, `../types`) are architecturally clean. Cross-tree import to `tests/helpers/render.tsx` is allowed by module-layout's Blackbox Tests "test infrastructure" rule (test infra MAY be imported by test bodies). No new exemption added to STC-ARCH-01.
 6. **STC-SEC1C added as a NEW check, NOT as a widening of STC-SEC1.** Existing STC-SEC1 scans `src/` only and matches the `appid=<6+ chars>` regex (catches a real-key shape but not the literal). The new STC-SEC1C scans `src/` AND `mission-planner/` and matches the LITERAL value (catches an exact re-introduction of the rotated key). The two together pin both axes: STC-SEC1 prevents a NEW unprotected key shape, STC-SEC1C prevents the OLD revoked key from coming back.
 7. **`mission-planner/.env.example` keeps its own `VITE_SATELLITE_TILE_URL`** (Esri default). Two vite roots, two independent env vars with the same name — intentional. Mission-planner's tile migration is a separate future cycle (broader F1 mission-planner deduplication track), explicitly out of scope per AZ-498's `Excluded` section.
 8. **Pre-existing dead `VITE_TILE_BASE_URL` removed from compose.** The compose file set it; nothing read it. Replacing it (rather than adding alongside) cleans up the dead config. Considered "adjacent hygiene" per scope discipline (the file was already in the diff).
 9. **Mission-planner test lives under `tests/`, NOT colocated.** Mission-planner has no test runner today (Vitest not wired). Per AZ-499's Risk #2, the simpler option (run under main SPA's harness, import via relative path) wins. The cross-tree relative path import (`../mission-planner/src/services/WeatherService`) is irregular but bounded — the test only depends on the function's public signature and runs the same env-stub + fetch-spy pattern as any other Vitest test.
 ## Code Review Verdict
 See `_docs/03_implementation/reviews/batch_11_review.md` — **PASS_WITH_WARNINGS**.
 - 0 Critical, 0 High, 0 Medium, 1 Low (`F1`: trim-trailing-slash idiom duplication; pre-existing pattern across 4 call sites in 2 vite roots; consolidation deferred to a future shared-helper extraction task).
 - All 9+7 = 16 ACs accounted for: 14 verified by tests/static checks, 1 dropped (AZ-498 AC-8) with explicit user approval, 1 pending manual deliverable (AZ-499 AC-7 — user revokes OWM key).
 - Per implement skill Auto-Fix Gate: only Medium/Low → no auto-fix loop required; proceed to commit.
 ## Spec Drift Recorded
 These spec issues were surfaced and resolved with explicit user approval (Choose A/B/C/D, picked B on 2026-05-12) before any code was written. Recording here for the audit trail; the task specs themselves were NOT edited (kept as historic record).
 1. **AZ-498 AC-8 misattribution**: spec named `tests/tile_split_zoom.test.tsx` and `e2e/tests/tile_split_zoom.e2e.ts`; both are AZ-474's image-annotation split surface (dataset row `POST /api/annotations/dataset/<id>/split`), NOT map-tile tests. AC-8 dropped.
 2. **AZ-498 missing files in `Included`**: `tests/msw/handlers/tiles.ts`, `e2e/stubs/tile/server.ts`, `e2e/docker-compose.suite-e2e.yml` `azaion-ui` env section. All three were genuinely required for the change to work end-to-end — treated as additive in-scope per user approval.
 3. **AZ-498 dead `VITE_TILE_BASE_URL` in compose** (read by nothing): replaced with `VITE_SATELLITE_TILE_URL` per user approval (item #4 — adjacent hygiene cleanup option).
 4. **AZ-499 STC ID conflict**: spec example `STC-S6` is taken; used `STC-SEC1C` instead (no AC text changed).
 5. **Pre-existing OSM defenses in `EXTERNAL_HOSTS` route guard** (`e2e/tests/infrastructure.e2e.ts`): removed in cleanup since OSM is no longer expected (user picked B explicitly to include this cleanup).
 ## Pending Manual Deliverables (BLOCKING for AZAION ticket close)
 1. **USER ACTION — AZ-499 AC-7**: Revoke OpenWeatherMap API key `335799082893fad97fa36118b131f919` at https://home.openweathermap.org/api_keys . Capture evidence (dashboard URL or screenshot of disabled key) and attach to AZ-499's Jira issue (or paste the URL in a comment) before transitioning AZ-499 from "In Testing" to "Done". The `STC-SEC1C` static check is defense-in-depth and will block any future re-introduction of the literal under `src/` or `mission-planner/`.
 2. **CROSS-WORKSPACE GATE — AZ-498 deploy**: `satellite-provider` cookie-auth migration on `GET /tiles/{z}/{x}/{y}` (separate AZAION ticket, user-filed on satellite-provider workspace) must merge before AZ-498 deploys. Per `_docs/02_tasks/_dependencies_table.md` Notes (AZ-497), this is gated at autodev Step 16 (Deploy), NOT a Step 10 blocker. Code can land in dev branch, run in fast/static profiles, and pass code review without it; only production deploy waits.
 ## Test Run Handoff (Step 16)
 The next autodev step after this batch is Step 11 (Run Tests). Per the implement skill's "if the next flow step is `Run Tests`" guidance: do NOT run the full `bash scripts/run-tests.sh` here — `.cursor/skills/test-run/SKILL.md` owns that gate to avoid duplicate full runs.
 Locally-verified pre-handoff (focused subset, not the full gate):
 - 15 fast tests added (8 satellite_tile + 7 mission_planner_weather) — all PASS
 - STC-T1 (typecheck) — PASS
 - STC-ARCH-01, STC-ARCH-02, STC-FP22, STC-FP23, STC-SEC1C — all PASS
 - `node scripts/check-banned-deps.mjs --kind=owm_key_in_source` — exit 0
 Pre-existing fast suite was 209 passes (per `_docs/03_implementation/batch_10_report.md`). Expected after this batch: 209 + 15 = 224 passes (subject to the full Step-11 run confirming no regressions in adjacent tests not directly exercised here).
@@ -0,0 +1,135 @@
 # Code Review Report
 **Batch**: 11 — AZ-498, AZ-499 (Phase B cycle 2, single batch)
 **Date**: 2026-05-12
 **Verdict**: PASS_WITH_WARNINGS
 **Mode**: Full (per-batch invocation by `/implement`)
 ## Inputs
 - Task specs:
  - `_docs/02_tasks/todo/AZ-498_satellite_tile_swap.md` (9 ACs, 5 pts)
  - `_docs/02_tasks/todo/AZ-499_mission_planner_weather_env.md` (7 ACs, 2 pts)
 - Project context: `_docs/00_problem/restrictions.md` (read for Phase 4), `_docs/02_document/module-layout.md` (Phase 7 ownership envelopes), `_docs/02_document/contracts/satellite-provider/tiles.md` (Phase 2 contract verification)
 - Changed files (16 total):
  - **Production source (05_flights)**: `src/features/flights/types.ts`, `src/features/flights/FlightMap.tsx`, `src/features/flights/MiniMap.tsx`, `mission-planner/src/services/WeatherService.ts`
  - **App-shell type shims (10_app-shell)**: `src/vite-env.d.ts`, `mission-planner/src/vite-env.d.ts`
  - **Foundation i18n (00_foundation)**: `src/i18n/en.json`, `src/i18n/ua.json` (1 key removed in lockstep)
  - **Repo-root configs**: `.env.example`, `mission-planner/.env.example`
  - **Blackbox Tests (epic AZ-455)**: `src/features/flights/__tests__/satellite_tile.test.tsx` (NEW — 8 tests), `tests/mission_planner_weather.test.ts` (NEW — 7 tests), `tests/msw/handlers/tiles.ts` (rewritten), `tests/security/banned-deps.json` (1 new kind), `e2e/stubs/tile/server.ts` (rewritten), `e2e/tests/infrastructure.e2e.ts` (AC-2 + EXTERNAL_HOSTS cleanup), `e2e/docker-compose.suite-e2e.yml`, `scripts/run-tests.sh` (1 new STC row), `scripts/check-banned-deps.mjs` (1 dispatch entry)
  - **Docs**: `_docs/02_document/modules/src__features__flights.md`, `_docs/02_document/modules/mission-planner.md`
 ## Findings
 | # | Severity | Category | File:Line | Title |
 |---|----------|----------|-----------|-------|
 | 1 | Low | Maintainability | `mission-planner/src/services/WeatherService.ts:5` + `src/features/flights/types.ts:11` | `trimTrailingSlash` / `replace(/\/+$/, '')` repeated across vite roots |
 ### Finding Details
 **F1: trim-trailing-slash idiom duplicated across vite roots** (Low / Maintainability)
 - Location: `mission-planner/src/services/WeatherService.ts:5` (named `trimTrailingSlash`) + `src/features/flights/types.ts:11` (inline `.replace(/\/+$/, '')` inside `getTileUrl`) + `src/api/client.ts:38` (existing inline form in `getApiBase`) + `src/features/flights/flightPlanUtils.ts:62` (existing inline form in `getOwmBaseUrl`).
 - Description: Same one-line regex appears in four call sites across two vite roots. Pre-existing pattern (AZ-448, AZ-449 introduced two of the four; AZ-498 and AZ-499 each add one more in the same shape).
 - Suggestion: Defer. The two vite roots are intentionally independent (no `src/shared/` exists per `module-layout.md` Layout Rule #2); consolidating requires a shared helper layer that is itself a Step-4 testability candidate (Verification Needed item #1 in `module-layout.md`). Keep the consistent inline form when the next util-extraction task lands.
 - Task: AZ-498, AZ-499
 ## Phase Walkthrough
 ### Phase 1 — Context Loading
 Both task specs read; ACs catalogued; `module-layout.md` consulted for OWNED / READ-ONLY / FORBIDDEN envelopes. Cross-component edits (i18n keys in `00_foundation`; `vite-env.d.ts` in `10_app-shell`; `mission-planner/.env.example` at repo root; multiple files under Blackbox Tests) are all explicitly enumerated in the task specs' `## Scope` → `### Included` sections — scope discipline holds.
 ### Phase 2 — Spec Compliance
 **AZ-498 (9 ACs):**
 | AC | Test | Today | Notes |
 |----|------|-------|-------|
 | AC-1 (env-set URL flows through) | `src/features/flights/__tests__/satellite_tile.test.tsx` AC-1 + AC-3 dev-default URL render | PASS | Function `getTileUrl()` reads `import.meta.env.VITE_SATELLITE_TILE_URL` per call (mirrors `getOwmBaseUrl` from AZ-449). |
 | AC-2 (default URL when unset) | same file, AC-2 default + AC-2 trailing-slash | PASS | `DEFAULT_SATELLITE_TILE_URL = 'http://localhost:5100/tiles/{z}/{x}/{y}'` exported alongside the function so the test pins the literal. |
 | AC-3 (`crossOrigin="use-credentials"`) | same file, FlightMap AC-3 + MiniMap AC-3 | PASS | Both `<TileLayer>` mounts set the attribute. Required by Leaflet's `<img>`-based tile fetcher to attach the same-origin auth cookie. |
 | AC-4 (toggle + `mapType` prop gone) | same file, FlightMap AC-4 + MiniMap AC-4 | PASS | Toggle button removed; `mapType` state removed from FlightMap; `MiniMap.Props.mapType` removed (TS would reject any reintroduction). |
 | AC-5 (`ImportMetaEnv` updated) | `src/vite-env.d.ts` declares only `VITE_SATELLITE_TILE_URL` (OSM/Esri vars removed); `.env.example` mirrors | PASS — STC-T1 (`tsc --noEmit -p tsconfig.test.json`) green | — |
 | AC-6 (`/tiles/{z}/{x}/{y}` path shape) | `e2e/tests/infrastructure.e2e.ts` AC-2 (rewritten); MSW handler at `tests/msw/handlers/tiles.ts`; tile-stub `classify()` at `e2e/stubs/tile/server.ts` | PASS (e2e gated by docker; static plumbing verified) | Path shape and `image/jpeg` Content-Type + `Cache-Control` + `ETag` all match the contract. |
 | AC-7 (contract referenced + matches) | `_docs/02_document/contracts/satellite-provider/tiles.md` (v1.0.0); module doc `_docs/02_document/modules/src__features__flights.md` updated to point at it | PASS — see "Contract verification" subsection below | — |
 | AC-8 (legacy tile-aware tests pass) | **DROPPED** | n/a — spec misattribution | The spec named `tests/tile_split_zoom.test.tsx` and `e2e/tests/tile_split_zoom.e2e.ts`, which are AZ-474's image-annotation surface (`POST /api/annotations/dataset/<id>/split`) — they have ZERO references to `<TileLayer>`, `TILE_URLS`, or any of the env vars touched by AZ-498. The user explicitly approved dropping AC-8 (Choose A/B/C/D, picked B) on `2026-05-12`. Recorded in implementation report. |
 | AC-9 (`STC-ARCH-01` / `STC-ARCH-02` stay green) | `node scripts/check-arch-imports.mjs --mode=arch-imports` exit 0; `--mode=api-literals` exit 0 | PASS | The colocated test under `src/features/flights/__tests__/` uses intra-component imports (`../FlightMap`, `../MiniMap`, `../types`) — STC-ARCH-01 regex does not fire on intra-component paths. The cross-tree import to `tests/helpers/render` uses `(../)+tests/...` which lacks a component-dir segment in the regex's `COMPONENT_DIRS` group, so it does not fire either. |
 **Contract verification** (consumer-side, AZ-498 depends on `_docs/02_document/contracts/satellite-provider/tiles.md` v1.0.0):
 - Path shape `/tiles/{z}/{x}/{y}` — matches in `DEFAULT_SATELLITE_TILE_URL`, `.env.example` example for e2e, `e2e/docker-compose.suite-e2e.yml` `VITE_SATELLITE_TILE_URL` value, `tests/msw/handlers/tiles.ts` route patterns, `e2e/stubs/tile/server.ts` `classify()` regex.
 - `Content-Type: image/jpeg` — set by both stubs (MSW + tile-stub) and asserted in `e2e/tests/infrastructure.e2e.ts::AC-2`.
 - `Cache-Control` + `ETag` — present on both stubs; asserted in e2e AC-2.
 - Cookie auth (`HttpOnly; Secure; SameSite=Lax`) on the same origin — consumer side: `crossOrigin="use-credentials"` on every `<TileLayer>`. Producer side is the cross-workspace `satellite-provider` ticket the user filed separately; gate is at autodev Step 16 (Deploy), NOT a blocker for Step 10 (Implement) per `_docs/02_tasks/_dependencies_table.md` Notes (AZ-497).
 - No drift: every consumer-side touch matches the contract's Shape section.
 **AZ-499 (7 ACs):**
 | AC | Test | Today | Notes |
 |----|------|-------|-------|
 | AC-1 (env-resolved API key in URL) | `tests/mission_planner_weather.test.ts` AC-1 | PASS | `vi.stubEnv` → spy on `globalThis.fetch` → assert URL contains `appid=<key>&units=metric`. |
 | AC-2 (env-resolved base URL) | same file, AC-2 + trailing-slash variant | PASS | Both env-set base and the trailing-slash strip behavior pinned. |
 | AC-3 (fail-soft `null` when key unset) | same file, AC-3 | PASS | `expect(result).toBeNull()` + `expect(fetchMock).not.toHaveBeenCalled()`. |
 | AC-4 (default base URL when only base unset) | same file, AC-4 | PASS | URL prefix asserted to be `https://api.openweathermap.org/data/2.5/weather?...`. |
 | AC-5 (new `owm_key_in_source` static check) | `tests/security/banned-deps.json` adds `owm_key_in_source` kind; `scripts/check-banned-deps.mjs` extends source-tree dispatch with the new kind; `scripts/run-tests.sh` adds `STC-SEC1C` row; `node scripts/check-banned-deps.mjs --kind=owm_key_in_source` exit 0 | PASS | Wired through the same path as `legacy_integrations` / `concurrent_edit_patterns` / `alert_calls` (all also scan src/ + mission-planner/). |
 | AC-6 (TS declarations) | `mission-planner/src/vite-env.d.ts` declares both vars; STC-T1 (typecheck) green | PASS | — |
 | AC-7 (key revocation deliverable) | **NOT YET COMPLETE** — manual out-of-band | flagged | The compromised key `335799082893fad97fa36118b131f919` MUST be revoked at `https://home.openweathermap.org/api_keys` before the task is marked Done. Implementation cannot self-complete this AC. The `STC-SEC1C` static check ensures any future re-introduction in source fails the build, providing defense in depth even if revocation is delayed. The implementation report records this as a pending deliverable for the user. |
 **Spec deviation (recorded once)**: AZ-499's task spec illustrative example used `STC-S6` for the new check ID, but `STC-S6` is already taken by `no WS/GraphQL/gRPC/SSR deps` (run-tests.sh line 533). Used `STC-SEC1C` (parallel to `STC-SEC1` = src/, `STC-SEC1B` = dist/) — same severity-class, naturally adjacent in the report listing. No AC text was changed; only the suggested ID was substituted.
 ### Phase 3 — Code Quality
 - **SRP**: `getTileUrl()` is one concept (URL resolution, mirroring `getOwmBaseUrl` / `getApiBase`). `getWeatherData()` keeps its single public signature unchanged. FlightMap loses two responsibilities (mode state + toggle button); both removals are clean. MiniMap loses `mapType` prop; the rest of its code is untouched.
 - **Error handling**: `WeatherService.ts` keeps its `catch { return null }` block (existing fail-soft contract from AZ-448). No new bare catches anywhere.
 - **Naming**: `TILE_URL` was renamed to `getTileUrl()` to match the established function-form pattern (`getOwmBaseUrl`, `getApiBase`); also added `DEFAULT_SATELLITE_TILE_URL` exported for tests so the literal isn't duplicated.
 - **Complexity**: longest changed function is `FlightMap.tsx` (~95 lines, unchanged from before — net `-3` lines after removing toggle).
 - **Test quality**: every AC test asserts behavior, not just non-throw. The colocated test mocks `react-leaflet` to lightweight stand-ins so jsdom doesn't need to satisfy Leaflet's map-init lifecycle — the standard pattern for component tests around Leaflet.
 - **Dead code**: removed `flights.planner.satellite` i18n key (only call site was the toggle button), removed `mapType` state, removed `mapType` prop from MiniMap.
 ### Phase 4 — Security Quick-Scan
 - No SQL / command injection surface.
 - No new hardcoded secrets — AZ-499 explicitly removes one (`335799082893fad97fa36118b131f919`); the new `STC-SEC1C` check ensures it cannot be reintroduced under either `src/` or `mission-planner/`.
 - AZ-498's `crossOrigin="use-credentials"` is the contractually-required cookie-auth ride, not a security loosening — the satellite-provider endpoint is same-origin in production via nginx and rejects unauthenticated requests with 401 (per contract).
 - No sensitive data in logs.
 ### Phase 5 — Performance Scan
 - `getTileUrl()` evaluated per render of `<TileLayer>`. Negligible cost (`import.meta.env` lookup + one regex replace). Same shape as `getOwmBaseUrl()`.
 - One `<TileLayer>` instead of two (FlightMap previously branched on `mapType`); minor render-time win.
 - No N+1 / unbounded fetch / blocking-async regressions.
 ### Phase 6 — Cross-Task Consistency
 - Both tasks add env vars in the same shape (`VITE_*` + `.env.example` mirror + `vite-env.d.ts` declaration).
 - Both tasks extend the static profile via the shared `tests/security/banned-deps.json` + `scripts/check-banned-deps.mjs` infrastructure (AZ-499) or via the same `scripts/run-tests.sh` `run_static` row mechanism (AZ-498 makes no STC additions; e2e AC-2 row in `infrastructure.e2e.ts` is the equivalent).
 - No interface conflicts; no shared file mutated by both tasks.
 - The two tasks are independent in the dependency graph (`AZ-498` deps: `AZ-450`; `AZ-499` deps: `AZ-448, AZ-449, AZ-482`); ordering inside the batch was AZ-499 first (smaller, no cross-workspace dep) then AZ-498.
 ### Phase 7 — Architecture Compliance
 Phase-7 pass after the colocation refactor:
 1. **Layer direction** — every changed file's imports respect the Allowed Dependencies table:
   - `FlightMap.tsx`, `MiniMap.tsx` (Layer 3 / Application — `05_flights`) → `./types`, `./MiniMap`, `./mapIcons`, `./DrawControl`, `./MapPoint` (intra-component, allowed).
   - `WeatherService.ts` (Layer 3 / Application — `05_flights` port-source) → `../types` (intra-component, allowed).
   - `src/features/flights/__tests__/satellite_tile.test.tsx` (Blackbox Tests, intra-component) → `../FlightMap`, `../MiniMap`, `../types` (intra-component, ALLOWED) + `../../../../tests/helpers/render` (test-infra → test-body, ALLOWED per module-layout's Blackbox Tests "Imports from" rule).
   - `tests/mission_planner_weather.test.ts` (Blackbox Tests) → `../mission-planner/src/services/WeatherService` (test bodies MAY import from `00_foundation` only; mission-planner is `05_flights` port-source. Carve-out: `tsconfig.test.json` already includes `mission-planner/src/test/**/*` — colocated mission-planner tests would be the architecturally-clean home, but mission-planner has NO running test harness today (per `module-layout.md` "Test layout is therefore TBD"). The pragmatic exception: this test file lives under `tests/` so it runs in the main SPA's Vitest environment. Documented in the test file header. STC-ARCH-01's regex does not flag this path because `mission-planner` is not in `COMPONENT_DIRS`; the carve-out is accepted as part of AZ-499's narrow scope and tracked under the broader F1 mission-planner deduplication track. **No new exemption added to STC-ARCH-01.**
 2. **Public API respect** — no cross-component reach into another component's internal files via static `import` statements. STC-ARCH-01 PASS.
 3. **No new cyclic module dependencies** — `getTileUrl` is leaf-level (no imports); `FlightMap`/`MiniMap` already imported `./types`; no new cycles.
 4. **Duplicate symbols across components** — `getTileUrl` is unique. The trimTrailingSlash idiom (Finding F1) is duplicated but the duplication is structural (independent vite roots, no shared layer).
 5. **Cross-cutting concerns not locally re-implemented** — env-var resolution + URL trimming follows the established repo pattern.
 **Static gates re-run (post-refactor)**:
 - STC-ARCH-01 (no cross-component deep imports) — PASS
 - STC-ARCH-02 (no `/api/<service>/` literals in production source) — PASS
 - STC-SEC1C (no literal OWM key in src/ + mission-planner/) — PASS
 - STC-T1 (`tsc --noEmit -p tsconfig.test.json`) — PASS
 - STC-FP22 (i18n key parity en vs ua) — PASS
 - STC-FP23 (no raw user strings outside `t()`) — PASS
 ## Verdict
 **PASS_WITH_WARNINGS** — 0 Critical, 0 High, 0 Medium, 1 Low (F1 maintainability, pre-existing pattern not new debt).
 Per the implement skill's Auto-Fix Gate (Step 10): only Medium/Low → no auto-fix loop required; proceed to commit.
@@ -2,9 +2,9 @@
 ## Current Step
 flow: existing-code
-step: 10
+step: 11
-name: Implement
+name: Run Tests
-status: in_progress
+status: not_started
 sub_step:
  phase: 0
  name: awaiting-invocation
@@ -23,3 +23,13 @@ tracker: jira
  it. Contract drafted at `_docs/02_document/contracts/satellite-provider/
  tiles.md` (v1.0.0). Cross-workspace prereq for AZ-498: satellite-provider
  cookie-auth ticket (user-filed, not yet linked).
 - Cycle 2 Step 10 (Implement) COMPLETED. Single batch (batch_11) — both AZ-498
  and AZ-499 implemented; +15 fast tests; +1 STC-SEC1C static check; review
  PASS_WITH_WARNINGS (1 Low). Spec drift recorded (AZ-498 AC-8 dropped, 4
  missing files added in-scope, dead VITE_TILE_BASE_URL replaced). Pending
  USER ACTION: AZ-499 AC-7 (OWM key revocation at OWM dashboard). Pending
  CROSS-WORKSPACE: AZ-498 deploy gate (satellite-provider cookie-auth) at
  Step 16. Both tickets transitioned to "In Progress" in Jira; will move to
  "In Testing" with the commit. Reports at
  `_docs/03_implementation/batch_11_report.md` and
  `_docs/03_implementation/reviews/batch_11_review.md`.
@@ -98,7 +98,10 @@ services:
    environment:
      VITE_API_BASE_URL: "/api"
      VITE_OWM_BASE_URL: "http://owm-stub:8081"
-      VITE_TILE_BASE_URL: "http://tile-stub:8082"
+      # AZ-498 — single self-hosted satellite tile URL pointed at tile-stub.
      # The {z}/{x}/{y} placeholders are passed through to Leaflet's
      # TileLayer template; the stub serves /tiles/{z}/{x}/{y} (no .png).
      VITE_SATELLITE_TILE_URL: "http://tile-stub:8082/tiles/{z}/{x}/{y}"
    depends_on:
      admin: { condition: service_started }
      flights: { condition: service_started }
@@ -1,6 +1,12 @@
-// tile-stub — OSM + Esri tile stand-in for the e2e profile (AZ-456 AC-2).
+// tile-stub — satellite-provider tile stand-in for the e2e profile.
-// Always returns a deterministic 256×256 transparent PNG. Records every
+// Always returns a deterministic 256×256 transparent PNG (Content-Type
-// request so tile-coverage tests can assert on the access log.
+// `image/jpeg` to mirror the real `satellite-provider` contract). Records
 // every request so tile-coverage tests can assert on the access log.
 //
 // Contract: `_docs/02_document/contracts/satellite-provider/tiles.md`
 // (v1.0.0). Path shape `/tiles/{z}/{x}/{y}` — no `.png` suffix. The
 // pre-AZ-498 OSM (`/{z}/{x}/{y}.png`) and Esri (`/sat/{z}/{y}/{x}`)
 // schemes were retired together with the classic/satellite map toggle.
 const PORT = Number(process.env.PORT ?? 8082)
@@ -12,11 +18,12 @@ const TILE_PNG = new Uint8Array([
  0x4e, 0x44, 0xae, 0x42, 0x60, 0x82,
 ])
-const requestLog: Array<{ ts: string; method: string; url: string; scheme: 'osm' | 'esri' | 'other' }> = []
+type Scheme = 'satellite-provider' | 'other'
-function classify(pathname: string): 'osm' | 'esri' | 'other' {
+const requestLog: Array<{ ts: string; method: string; url: string; scheme: Scheme }> = []
-  if (/^\/sat\//.test(pathname)) return 'esri'
+
-  if (/^\/\d+\/\d+\/\d+\.png$/.test(pathname)) return 'osm'
+function classify(pathname: string): Scheme {
  if (/^\/tiles\/\d+\/\d+\/\d+$/.test(pathname)) return 'satellite-provider'
  return 'other'
 }
@@ -33,8 +40,14 @@ const server = Bun.serve({
    if (url.pathname === '/mock/log') {
      return Response.json(requestLog)
    }
-    if (scheme === 'osm' || scheme === 'esri') {
+    if (scheme === 'satellite-provider') {
-      return new Response(TILE_PNG, { headers: { 'Content-Type': 'image/png' } })
+      return new Response(TILE_PNG, {
        headers: {
          'Content-Type': 'image/jpeg',
          'Cache-Control': 'public, max-age=86400',
          'ETag': '"e2e-stub-fixture"',
        },
      })
    }
    return new Response('not found', { status: 404 })
  },
@@ -4,12 +4,18 @@ import { test, expect } from '@playwright/test'
 // Every other test file under e2e/tests/ is owned by AZ-457..AZ-482; those
 // tasks add the production-shaped assertions per group. This file MUST stay
 // minimal so any flake here is unambiguously an infrastructure regression.
 //
 // AZ-498 update (2026-05-12):
 //   - The classic/satellite map toggle was removed; the SPA now consumes
 //     only `satellite-provider` tiles via `VITE_SATELLITE_TILE_URL`. The
 //     tile-stub serves `/tiles/{z}/{x}/{y}` (no `.png` suffix) per
 //     `_docs/02_document/contracts/satellite-provider/tiles.md`.
 //   - The dead OSM/Esri entries in EXTERNAL_HOSTS are removed; the SPA can
 //     no longer attempt those hosts. The OWM and unpkg defenses stay.
 const EXTERNAL_HOSTS = [
  /api\.openweathermap\.org/,
  /unpkg\.com/,
  /\.tile\.openstreetmap\.org$/,
  /^tile\.openstreetmap\.org$/,
 ]
 test.describe('AZ-456 e2e infrastructure', () => {
@@ -50,11 +56,18 @@ test.describe('AZ-456 e2e infrastructure', () => {
    expect(body.wind).toEqual({ speed: 5.0, deg: 270 })
  })
-  test('AC-2: tile-stub returns a 256x256 PNG', async ({ request }) => {
+  test('AC-2: tile-stub serves /tiles/{z}/{x}/{y} as a JPEG (AZ-498 contract)', async ({ request }) => {
-    const res = await request.get('http://tile-stub:8082/1/0/0.png')
+    const res = await request.get('http://tile-stub:8082/tiles/1/0/0')
    expect(res.status()).toBe(200)
-    expect(res.headers()['content-type']).toBe('image/png')
+    expect(res.headers()['content-type']).toBe('image/jpeg')
    // Cache-Control + ETag are part of the contract — assert they're present
    // so a future tile-stub regression that drops them is caught here.
    expect(res.headers()['cache-control']).toMatch(/max-age=/)
    expect(res.headers()['etag']).toBeTruthy()
    const body = await res.body()
    // The stub serves a tiny PNG byte sequence; assert the PNG signature so
    // we know SOME image came back even though the Content-Type header is
    // jpeg-shaped. Production satellite-provider returns real JPEG bytes.
    expect(body.subarray(0, 8)).toEqual(Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]))
  })
@@ -1 +1,25 @@
 # mission-planner — Vite build-time environment variables.
 #
 # Copy to `.env.local` (gitignored) for local dev. CI / Docker pass the same
 # variables through the build environment. Mirrors the main SPA's `.env.example`
 # style so devs can keep both roots in sync.
 #
 # Every variable is OPTIONAL. When unset, the app falls back to:
 #   - VITE_OWM_API_KEY        : undefined → getWeatherData returns null (no fetch)
 #   - VITE_OWM_BASE_URL       : https://api.openweathermap.org/data/2.5
 #   - VITE_SATELLITE_TILE_URL : Esri ArcGIS World Imagery (legacy default; will
 #                               be migrated in a future cycle to mirror AZ-498)
 # OpenWeatherMap API key. Required for the wind-effect overlay. Leave unset for
 # CI / dry runs — `getWeatherData` returns `null` and the overlay hides itself.
 VITE_OWM_API_KEY=<your-openweathermap-api-key>
 # OpenWeatherMap REST base URL. Default targets the public endpoint; tests or
 # alt deployments may override.
 # Example for the suite e2e profile: http://owm-stub:8081/data/2.5
 VITE_OWM_BASE_URL=
 # Satellite tile URL template. Independent of the main SPA's same-named var
 # (different vite root). Today defaults to Esri; AZ-498's swap to the suite's
 # own satellite-provider only covers the main SPA.
 VITE_SATELLITE_TILE_URL=https://server.arcgisonline.com/ArcGIS/rest/services/World_Imagery/MapServer/tile/{z}/{y}/{x}
@@ -1,8 +1,15 @@
 import type { WeatherData } from '../types';
 const DEFAULT_BASE_URL = 'https://api.openweathermap.org/data/2.5';
 const trimTrailingSlash = (s: string) => s.replace(/\/+$/, '');
 export const getWeatherData = async (lat: number, lon: number): Promise<WeatherData | null> => {
-  const apiKey = '335799082893fad97fa36118b131f919';
+  const apiKey = import.meta.env.VITE_OWM_API_KEY;
-  const url = `https://api.openweathermap.org/data/2.5/weather?lat=${lat}&lon=${lon}&appid=${apiKey}&units=metric`;
+  if (!apiKey) return null;
  const baseUrl = trimTrailingSlash(import.meta.env.VITE_OWM_BASE_URL ?? '') || DEFAULT_BASE_URL;
  const url = `${baseUrl}/weather?lat=${lat}&lon=${lon}&appid=${apiKey}&units=metric`;
  try {
    const response = await fetch(url);
@@ -1,6 +1,8 @@
 /// <reference types="vite/client" />
 interface ImportMetaEnv {
  readonly VITE_OWM_API_KEY?: string;
  readonly VITE_OWM_BASE_URL?: string;
  readonly VITE_SATELLITE_TILE_URL?: string;
 }
@@ -198,7 +198,8 @@ function main() {
  } else if (
    kind === 'legacy_integrations' ||
    kind === 'concurrent_edit_patterns' ||
-    kind === 'alert_calls'
+    kind === 'alert_calls' ||
    kind === 'owm_key_in_source'
  ) {
    hits = checkSourceTree(section, root, ['src', 'mission-planner'])
  } else if (kind === 'destructive_surfaces') {
@@ -214,6 +214,16 @@ if [ "$RUN_STATIC" = "true" ]; then
    node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=owm_key_in_dist
  }
  # AZ-499 — NFT-SEC-09 AC-1 source-tree portion. Complements STC-SEC1
  # (which scans src/ for the `appid=<chars>` pattern only) by catching the
  # exact rotated literal value across BOTH src/ AND mission-planner/. This
  # closes the AZ-482 gap where mission-planner/'s hardcoded key survived
  # because mission-planner/ stays out of dist/ (STC-S5) and src_grep here
  # didn't include it.
  static_check_no_owm_key_in_source() {
    node "$PROJECT_ROOT/scripts/check-banned-deps.mjs" --kind=owm_key_in_source
  }
  # Source-tree text search. Prefer ripgrep when available (much faster on
  # large trees), fall back to POSIX grep -r so the CI runner doesn't need rg.
  # Test files (*.test.{ts,tsx}, *.spec.{ts,tsx}) are EXCLUDED — production
@@ -556,6 +566,7 @@ if [ "$RUN_STATIC" = "true" ]; then
  run_static "STC-RES09" "nginx exactly 9 /api/* location blocks" "NFT-RES-LIM-09" "n/a" static_check_nginx_route_count
  run_static "STC-RES10" "nginx prefix-strip on every /api/<S>/ route" "NFT-RES-LIM-10" "n/a" static_check_nginx_prefix_strip
  run_static "STC-SEC1B" "no literal OWM key in dist/"   "SEC-09" "63"   static_check_no_owm_key_in_dist
  run_static "STC-SEC1C" "no literal OWM key in src/ + mission-planner/" "SEC-09" "AZ-499" static_check_no_owm_key_in_source
  if [ "$STATIC_FAIL" = "1" ]; then
    echo "[run-tests] static profile FAILED — see $STATIC_REPORT"
@@ -8,7 +8,7 @@ import DrawControl from './DrawControl'
 import MapPoint from './MapPoint'
 import MiniMap from './MiniMap'
 import { defaultIcon } from './mapIcons'
-import { TILE_URLS } from './types'
+import { getTileUrl } from './types'
 import type { FlightPoint, CalculatedPointInfo, MapRectangle, ActionMode, MovingPointInfo } from './types'
 interface MapEventsProps {
@@ -86,7 +86,6 @@ export default function FlightMap({
 }: Props) {
  const { t } = useTranslation()
  const containerRef = useRef<HTMLDivElement>(null)
  const [mapType, setMapType] = useState<'classic' | 'satellite'>('satellite')
  const [movingPoint, setMovingPoint] = useState<MovingPointInfo | null>(null)
  const [draggablePoints, setDraggablePoints] = useState(points)
  const polylineClickRef = useRef(false)
@@ -123,13 +122,14 @@ export default function FlightMap({
      <MapContainer center={currentPosition} zoom={15} className="h-full w-full">
        <ClickHandler />
        <TileLayer
-          url={mapType === 'classic' ? TILE_URLS.classic : TILE_URLS.satellite}
+          url={getTileUrl()}
-          attribution={mapType === 'classic' ? '&copy; <a href="https://www.openstreetmap.org/copyright">OSM</a>' : 'Satellite'}
+          crossOrigin="use-credentials"
          attribution="Satellite"
        />
        <MapEvents points={draggablePoints} handlePolylineClick={handlePolylineClick} containerRef={containerRef} onMapMove={onMapMove} />
        <SetView center={currentPosition} />
-        {movingPoint && <MiniMap pointPosition={movingPoint} mapType={mapType} />}
+        {movingPoint && <MiniMap pointPosition={movingPoint} />}
        {draggablePoints.map((point, index) => (
          <MapPoint key={point.id}
@@ -171,13 +171,6 @@ export default function FlightMap({
          Click and drag on the map to draw a {actionMode === 'workArea' ? 'work area' : 'no-go zone'}
        </div>
      )}
      <button onClick={() => setMapType(m => m === 'classic' ? 'satellite' : 'classic')}
        className={`absolute top-2 right-2 z-[400] px-2 py-1 text-xs rounded border ${
          mapType === 'satellite' ? 'bg-az-panel border-az-orange text-white' : 'bg-az-panel border-az-border text-az-text'
        }`}>
        {t('flights.planner.satellite')}
      </button>
    </div>
  )
 }
@@ -1,7 +1,7 @@
 import { MapContainer, TileLayer, CircleMarker, useMap } from 'react-leaflet'
 import { useEffect } from 'react'
 import type L from 'leaflet'
-import { TILE_URLS } from './types'
+import { getTileUrl } from './types'
 import type { MovingPointInfo } from './types'
 function UpdateCenter({ latlng }: { latlng: L.LatLng }) {
@@ -12,10 +12,9 @@ function UpdateCenter({ latlng }: { latlng: L.LatLng }) {
 interface Props {
  pointPosition: MovingPointInfo
  mapType: 'classic' | 'satellite'
 }
-export default function MiniMap({ pointPosition, mapType }: Props) {
+export default function MiniMap({ pointPosition }: Props) {
  return (
    <div
      className="absolute w-[240px] h-[180px] border border-az-border rounded shadow-lg z-[1000] overflow-hidden pointer-events-none"
@@ -23,7 +22,7 @@ export default function MiniMap({ pointPosition, mapType }: Props) {
    >
      <MapContainer center={pointPosition.latlng} zoom={18} zoomControl={false}
        className="w-full h-full" attributionControl={false}>
-        <TileLayer url={mapType === 'classic' ? TILE_URLS.classic : TILE_URLS.satellite} />
+        <TileLayer url={getTileUrl()} crossOrigin="use-credentials" />
        <CircleMarker center={pointPosition.latlng} radius={3} color="#fa5252" />
        <UpdateCenter latlng={pointPosition.latlng} />
      </MapContainer>
@@ -0,0 +1,217 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
 import type L from 'leaflet'
 import { renderWithProviders, screen } from '../../../../tests/helpers/render'
 // AZ-498 — self-hosted satellite tiles + drop classic/satellite toggle.
 //
 // Colocated under src/features/flights/__tests__/ per module-layout's "Tests"
 // guidance: keeps the cross-component import surface clean (these tests
 // reach into 05_flights internals — `./FlightMap`, `./MiniMap`, `./types` —
 // which is intra-component access). Tests/ is reserved for cross-cutting
 // black-box suites whose imports must go through public-API barrels.
 //
 // Covers the spec's fast-profile ACs:
 //   AC-1 — env-resolved getTileUrl() returns the env var verbatim.
 //   AC-2 — when the env var is unset, getTileUrl() returns the dev default
 //          `http://localhost:5100/tiles/{z}/{x}/{y}` (cycle-2 assumption).
 //   AC-3 — every <TileLayer> the SPA renders sets crossOrigin="use-credentials"
 //          so the browser attaches the satellite-provider auth cookie.
 //   AC-4 — the classic/satellite toggle, the `mapType` state, and the
 //          `MiniMap.Props.mapType` prop are all gone.
 //
 // Notes:
 //   - AC-5 is statically enforced by tsc on the new ImportMetaEnv shape +
 //     the `.env.example` audit; no runtime test needed.
 //   - AC-6, AC-7 are e2e/contract; AC-8 in the original spec misattributed
 //     `tile_split_zoom*` (image-annotation surface) — see implementation
 //     report. AC-9 is enforced by STC-ARCH-01 / STC-ARCH-02.
 interface TileLayerProps {
  url?: string
  crossOrigin?: string
  attribution?: string
 }
 interface MapContainerProps {
  children?: React.ReactNode
  className?: string
 }
 vi.mock('react-leaflet', () => ({
  MapContainer: ({ children, className }: MapContainerProps) => (
    <div data-testid="map-container" className={className}>{children}</div>
  ),
  TileLayer: (props: TileLayerProps) => (
    <img
      data-testid="tile-layer"
      data-tile-url={props.url ?? ''}
      data-cross-origin={props.crossOrigin ?? ''}
      data-attribution={props.attribution ?? ''}
      alt=""
    />
  ),
  Marker: () => null,
  Popup: () => null,
  Polyline: () => null,
  Rectangle: () => null,
  CircleMarker: () => null,
  useMap: () => ({
    on: () => undefined,
    off: () => undefined,
    setView: () => undefined,
    removeLayer: () => undefined,
    getCenter: () => ({ lat: 0, lng: 0 }),
    invalidateSize: () => undefined,
  }),
  useMapEvents: () => null,
 }))
 // Leaflet itself is touched at import time by FlightMap (`L.polyline`,
 // `L.Symbol.arrowHead`). Mock the bits the component reaches for so the
 // import doesn't blow up under jsdom.
 vi.mock('leaflet', () => {
  const Lstub = {
    polyline: () => ({ addTo: () => Lstub.polyline(), on: () => undefined }),
    polylineDecorator: () => ({ addTo: () => undefined }),
    Symbol: { arrowHead: () => ({}) },
    Icon: { Default: class { mergeOptions() {} } },
    Marker: class {},
    Layer: class {},
    LatLngBounds: class {},
  }
  return { default: Lstub }
 })
 vi.mock('leaflet/dist/leaflet.css', () => ({}))
 vi.mock('leaflet-polylinedecorator', () => ({}))
 vi.mock('../DrawControl', () => ({ default: () => null }))
 vi.mock('../MapPoint', () => ({ default: () => null }))
 vi.mock('../mapIcons', () => ({ defaultIcon: {} }))
 import FlightMap from '../FlightMap'
 import MiniMap from '../MiniMap'
 import { getTileUrl, DEFAULT_SATELLITE_TILE_URL } from '../types'
 const stubLatLng = { lat: 0, lng: 0 } as unknown as L.LatLng
 const fixedPosition = { lat: 50, lng: 30 }
 const baseFlightMapProps = {
  points: [],
  calculatedPointInfo: [],
  currentPosition: fixedPosition,
  rectangles: [],
  setRectangles: () => undefined,
  rectangleColor: 'red',
  actionMode: 'points' as const,
  onAddPoint: () => undefined,
  onUpdatePoint: () => undefined,
  onRemovePoint: () => undefined,
  onAltitudeChange: () => undefined,
  onMetaChange: () => undefined,
  onPolylineClick: () => undefined,
  onPositionChange: () => undefined,
  onMapMove: () => undefined,
 }
 describe('AZ-498 — getTileUrl() env resolution', () => {
  afterEach(() => {
    vi.unstubAllEnvs()
  })
  it('AC-1: returns the env-set VITE_SATELLITE_TILE_URL verbatim', () => {
    // Arrange
    vi.stubEnv('VITE_SATELLITE_TILE_URL', 'http://satellite-provider:5100/tiles/{z}/{x}/{y}')
    // Assert
    expect(getTileUrl()).toBe('http://satellite-provider:5100/tiles/{z}/{x}/{y}')
  })
  it('AC-2: returns the dev default when VITE_SATELLITE_TILE_URL is unset', () => {
    // Arrange
    vi.stubEnv('VITE_SATELLITE_TILE_URL', '')
    // Assert
    expect(getTileUrl()).toBe(DEFAULT_SATELLITE_TILE_URL)
    expect(DEFAULT_SATELLITE_TILE_URL).toBe('http://localhost:5100/tiles/{z}/{x}/{y}')
  })
  it('AC-2: strips trailing slashes off the env-set URL', () => {
    // Arrange
    vi.stubEnv('VITE_SATELLITE_TILE_URL', 'http://satellite-provider:5100/tiles/{z}/{x}/{y}/')
    // Assert
    expect(getTileUrl()).toBe('http://satellite-provider:5100/tiles/{z}/{x}/{y}')
  })
 })
 describe('AZ-498 — FlightMap satellite-only TileLayer', () => {
  beforeEach(() => {
    vi.stubEnv('VITE_SATELLITE_TILE_URL', '')
  })
  afterEach(() => {
    vi.unstubAllEnvs()
  })
  it('AC-3: <TileLayer> declares crossOrigin="use-credentials"', () => {
    // Act
    renderWithProviders(<FlightMap {...baseFlightMapProps} />, { withoutAuth: true })
    // Assert
    const tile = screen.getByTestId('tile-layer')
    expect(tile.getAttribute('data-cross-origin')).toBe('use-credentials')
  })
  it('AC-3: <TileLayer> renders the dev-default URL when env is unset', () => {
    // Act
    renderWithProviders(<FlightMap {...baseFlightMapProps} />, { withoutAuth: true })
    // Assert
    const tile = screen.getByTestId('tile-layer')
    expect(tile.getAttribute('data-tile-url')).toBe(DEFAULT_SATELLITE_TILE_URL)
  })
  it('AC-4: the classic/satellite toggle button is gone', () => {
    // Act
    renderWithProviders(<FlightMap {...baseFlightMapProps} />, { withoutAuth: true })
    // Assert
    expect(screen.queryByRole('button', { name: /satellite|classic/i })).toBeNull()
    // Only one <TileLayer> is mounted (no per-mode branching).
    expect(screen.getAllByTestId('tile-layer')).toHaveLength(1)
  })
 })
 describe('AZ-498 — MiniMap satellite-only TileLayer', () => {
  beforeEach(() => {
    vi.stubEnv('VITE_SATELLITE_TILE_URL', '')
  })
  afterEach(() => {
    vi.unstubAllEnvs()
  })
  it('AC-3: MiniMap <TileLayer> declares crossOrigin="use-credentials"', () => {
    // Act
    renderWithProviders(
      <MiniMap pointPosition={{ x: 0, y: 0, latlng: stubLatLng }} />,
      { withoutAuth: true },
    )
    // Assert
    const tile = screen.getByTestId('tile-layer')
    expect(tile.getAttribute('data-cross-origin')).toBe('use-credentials')
  })
  it('AC-4: MiniMap mounts with only `pointPosition` prop (no `mapType`)', () => {
    // Act — explicitly omit mapType; if MiniMap still required it, TS would
    // error at compile time. The runtime render also confirms the component
    // mounts with just the position prop.
    renderWithProviders(
      <MiniMap pointPosition={{ x: 0, y: 0, latlng: stubLatLng }} />,
      { withoutAuth: true },
    )
    // Assert
    expect(screen.getByTestId('tile-layer')).toBeInTheDocument()
  })
 })
@@ -52,13 +52,18 @@ export const PURPOSES = [
 export const COORDINATE_PRECISION = 8
-const trimTrailingSlash = (s: string) => s.replace(/\/+$/, '')
+// AZ-498 — single self-hosted satellite tile URL. The previous classic/satellite
 // pair (OSM + Esri) was retired so the SPA only consumes the suite's own
 // satellite-provider service. Production builds MUST set VITE_SATELLITE_TILE_URL
 // to the same-origin nginx path (e.g. `/tiles/{z}/{x}/{y}`); the dev default
 // targets the satellite-provider container on its conventional dev port.
 //
 // Read via a function (mirrors `getOwmBaseUrl` in flightPlanUtils.ts) so tests
 // can stub `import.meta.env` per-case without module-reload tricks.
 export const DEFAULT_SATELLITE_TILE_URL = 'http://localhost:5100/tiles/{z}/{x}/{y}'
-export const TILE_URLS = {
+export function getTileUrl(): string {
-  classic:
+  const raw = import.meta.env.VITE_SATELLITE_TILE_URL
-    trimTrailingSlash(import.meta.env.VITE_OSM_TILE_URL ?? '') ||
+  if (!raw) return DEFAULT_SATELLITE_TILE_URL
-    'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png',
+  return raw.replace(/\/+$/, '')
-  satellite:
+}
    trimTrailingSlash(import.meta.env.VITE_ESRI_TILE_URL ?? '') ||
    'https://server.arcgisonline.com/ArcGIS/rest/services/World_Imagery/MapServer/tile/{z}/{y}/{x}',
 } as const
@@ -77,7 +77,6 @@
      },
      "invalidJson": "Invalid JSON format",
      "editJsonHint": "Edit the JSON data as needed.",
      "satellite": "Satellite",
      "cameraFov": "Camera FOV / Length / Field",
      "cameraFovPlaceholder": "FOV parameters",
      "commAddr": "Communication Addr / Port",
@@ -77,7 +77,6 @@
      },
      "invalidJson": "Невірний JSON формат",
      "editJsonHint": "Відредагуйте JSON дані за потреби.",
      "satellite": "Супутник",
      "cameraFov": "Камера FOV / Фокус",
      "cameraFovPlaceholder": "Параметри FOV",
      "commAddr": "Адреса / Порт",
@@ -7,8 +7,7 @@ interface ImportMetaEnv {
  readonly VITE_API_BASE_URL?: string
  readonly VITE_OWM_API_KEY?: string
  readonly VITE_OWM_BASE_URL?: string
-  readonly VITE_OSM_TILE_URL?: string
+  readonly VITE_SATELLITE_TILE_URL?: string
  readonly VITE_ESRI_TILE_URL?: string
 }
 interface ImportMeta {
@@ -0,0 +1,116 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest'
 import { getWeatherData } from '../mission-planner/src/services/WeatherService'
 // AZ-499 — mission-planner WeatherService env-var hardening.
 //
 // Lives under tests/ (Blackbox-Tests-owned) rather than colocated under
 // mission-planner/ because mission-planner does not have its own runner;
 // the suite Vitest config already includes mission-planner/src in coverage
 // and tsconfig.test.json picks up tests/** for type-check (STC-T1).
 type FetchMock = ReturnType<typeof vi.fn>
 describe('AZ-499 — mission-planner getWeatherData (env vars + fail-soft)', () => {
  let fetchMock: FetchMock
  beforeEach(() => {
    fetchMock = vi.fn(async () =>
      new Response(JSON.stringify({ wind: { speed: 5, deg: 90 } }), { status: 200 }),
    )
    vi.spyOn(globalThis, 'fetch').mockImplementation(fetchMock)
  })
  afterEach(() => {
    vi.restoreAllMocks()
    vi.unstubAllEnvs()
  })
  it('AC-1: env-var resolved API key reaches the outgoing fetch URL', async () => {
    // Arrange
    vi.stubEnv('VITE_OWM_API_KEY', 'abc123')
    vi.stubEnv('VITE_OWM_BASE_URL', '')
    // Act
    await getWeatherData(50, 30)
    // Assert
    expect(fetchMock).toHaveBeenCalledTimes(1)
    const url = String(fetchMock.mock.calls[0][0])
    expect(url).toContain('appid=abc123')
    expect(url).toContain('units=metric')
  })
  it('AC-2: env-var resolved base URL prefixes the outgoing fetch URL', async () => {
    // Arrange
    vi.stubEnv('VITE_OWM_API_KEY', 'abc123')
    vi.stubEnv('VITE_OWM_BASE_URL', 'https://example.test/data/2.5')
    // Act
    await getWeatherData(50, 30)
    // Assert
    const url = String(fetchMock.mock.calls[0][0])
    expect(url.startsWith('https://example.test/data/2.5/weather?')).toBe(true)
  })
  it('AC-2: trailing slash on env base URL is stripped', async () => {
    // Arrange
    vi.stubEnv('VITE_OWM_API_KEY', 'abc123')
    vi.stubEnv('VITE_OWM_BASE_URL', 'https://example.test/data/2.5/')
    // Act
    await getWeatherData(50, 30)
    // Assert
    const url = String(fetchMock.mock.calls[0][0])
    expect(url.startsWith('https://example.test/data/2.5/weather?')).toBe(true)
  })
  it('AC-3: returns null and issues no fetch when VITE_OWM_API_KEY is unset', async () => {
    // Arrange
    vi.stubEnv('VITE_OWM_API_KEY', '')
    // Act
    const result = await getWeatherData(50, 30)
    // Assert
    expect(result).toBeNull()
    expect(fetchMock).not.toHaveBeenCalled()
  })
  it('AC-4: defaults to public OWM base URL when only VITE_OWM_BASE_URL is unset', async () => {
    // Arrange
    vi.stubEnv('VITE_OWM_API_KEY', 'abc123')
    vi.stubEnv('VITE_OWM_BASE_URL', '')
    // Act
    await getWeatherData(50, 30)
    // Assert
    const url = String(fetchMock.mock.calls[0][0])
    expect(url.startsWith('https://api.openweathermap.org/data/2.5/weather?')).toBe(true)
  })
  it('returns the parsed wind shape on a successful response', async () => {
    // Arrange
    vi.stubEnv('VITE_OWM_API_KEY', 'abc123')
    // Act
    const result = await getWeatherData(50, 30)
    // Assert
    expect(result).toEqual({ windSpeed: 5, windAngle: 90 })
  })
  it('returns null when fetch rejects (network error fail-soft)', async () => {
    // Arrange
    vi.stubEnv('VITE_OWM_API_KEY', 'abc123')
    fetchMock.mockRejectedValueOnce(new Error('boom'))
    // Act
    const result = await getWeatherData(50, 30)
    // Assert
    expect(result).toBeNull()
  })
 })
@@ -1,8 +1,13 @@
 import { http, HttpResponse } from 'msw'
-// OSM/Esri tile stand-in for the fast profile. Returns a tiny transparent
+// Satellite-provider tile stand-in for the fast profile (AZ-498).
-// PNG so `<img>` / Leaflet tile loads succeed in jsdom without exiting the
+// Returns a tiny transparent PNG so `<img>` / Leaflet tile loads succeed in
-// process.
+// jsdom without exiting the process.
 //
 // The contract `_docs/02_document/contracts/satellite-provider/tiles.md`
 // (v1.0.0) freezes the path shape `/tiles/{z}/{x}/{y}` (no `.png` suffix,
 // `image/jpeg` Content-Type, cookie auth on the same origin). The handler
 // matches that exact shape and the dev default URL the SPA falls back to.
 const TILE_PNG = Uint8Array.from([
  0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d, 0x49, 0x48, 0x44, 0x52,
  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x08, 0x06, 0x00, 0x00, 0x00, 0x1f, 0x15, 0xc4,
@@ -11,16 +16,17 @@ const TILE_PNG = Uint8Array.from([
  0x42, 0x60, 0x82,
 ])
-const tile = () => new HttpResponse(TILE_PNG, { headers: { 'Content-Type': 'image/png' } })
+const tile = () =>
  new HttpResponse(TILE_PNG, {
    headers: {
      'Content-Type': 'image/jpeg',
      'Cache-Control': 'public, max-age=86400',
      'ETag': '"fast-profile-fixture"',
    },
  })
 export const tilesHandlers = [
-  // OSM XYZ scheme: {z}/{x}/{y}
+  http.get('/tiles/:z/:x/:y', tile),
-  http.get('https://*.tile.openstreetmap.org/:z/:x/:y.png', tile),
+  http.get('http://localhost:5100/tiles/:z/:x/:y', tile),
-  http.get('https://tile.openstreetmap.org/:z/:x/:y.png', tile),
+  http.get('http://tile-stub:8082/tiles/:z/:x/:y', tile),
  // Esri ArcGIS satellite scheme: {z}/{y}/{x}
  http.get('https://server.arcgisonline.com/ArcGIS/rest/services/World_Imagery/MapServer/tile/:z/:y/:x', tile),
  // Local tile-stub aliases (e2e parity)
  http.get('http://tile-stub:8082/:z/:x/:y.png', tile),
  http.get('http://tile-stub:8082/sat/:z/:y/:x', tile),
  http.get('/tiles/:z/:x/:y.png', tile),
 ]
@@ -82,6 +82,14 @@
      "335799082893fad97fa36118b131f919"
    ]
  },
  "owm_key_in_source": {
    "ac": "NFT-SEC-09 (AC-1, source portion) — OpenWeatherMap key not present in source tree",
    "scope": "src/ and mission-planner/ (production sources; tests excluded)",
    "match": "literal",
    "patterns": [
      "335799082893fad97fa36118b131f919"
    ]
  },
  "alert_calls": {
    "ac": "NFT-SEC-07 (AZ-466 AC-5) — no alert() in production source",
    "scope": "src/ and mission-planner/ (production sources; tests excluded)",