[AZ-501] [AZ-502] Cycle 2 Step 14 security audit + inline fixes
ci/woodpecker/push/build-arm Pipeline failed

Security audit (5 phases) → reports under _docs/05_security/.

AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key
from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via
new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static
deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts.

AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via
package.json overrides in both roots; clean reinstall clears all
bun audit advisories.

Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44,
NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report.

Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7).

229 PASS / 13 SKIP / 0 FAIL on static + fast suites.

Co-authored-by: Cursor <cursoragent@cursor.com>
Oleksandr Bezdieniezhnykh
2026-05-12 05:31:11 +03:00
parent b016fd8207
commit f7dd6c98d8
32 changed files with 1833 additions and 502 deletions
+25 -4
@@ -159,14 +159,33 @@ Source: `src/api/sse.ts`; `ADR-008`; `architecture.md` § 7.
`flights/` so no key ever reaches the browser (preferred; per
`architecture.md` § Architecture Vision Open Questions item 8).
### Hardcoded Google Geocode API key — discovered cycle 2 audit (AZ-501)
- **File**: `mission-planner/src/config.ts:2` (originally — extracted to
`mission-planner/src/services/GeocodeService.ts` by AZ-501).
- **Production-bundle exposure**: NONE. `mission-planner/` is a port-source
not built into `dist/` (`AC-31` / `STC-S5`).
- **Git-history exposure**: HIGH — same threat class as the OWM key.
- **Closed cycle 2** by AZ-501: env-resolved via `VITE_GOOGLE_GEOCODE_KEY`,
fail-soft + single `console.warn` when unset, defended by `STC-SEC1D`
(literal scan across `src/` + `mission-planner/`). The `/document` Step 6e
retrospective missed this because mission-planner/ was treated as out-of-
scope (port-source) — the security audit (`_docs/05_security/`) caught it
via a broader source-tree grep, demonstrating the value of a separate
audit pass.
- **Manual deliverable PENDING USER**: revoke the key at the Google Cloud
Console (AZ-501 AC-6).
### Other secrets
- **No other hardcoded keys** in `src/` per Grep audit at Step 4.
- **No other hardcoded keys** in `src/` per Grep audit at Step 4 +
cycle-2 security-audit (`_docs/05_security/static_analysis.md`).
- Suite service URLs are not secrets (they are docker-network hostnames).
- The bearer is the only sensitive value in browser memory, and it is
short-lived.
Source: P10; `architecture.md` § Architecture Vision; finding (security).
Source: P10; `architecture.md` § Architecture Vision; finding (security);
`_docs/05_security/security_report.md` F-SAST-1.
---
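Review bot: the "Closed cycle 2 by AZ-501" bullet conflicts with the "Git-history exposure: HIGH" bullet and the "PENDING USER" revocation item in the same section: moving the literal out of `config.ts` into `VITE_GOOGLE_GEOCODE_KEY` stops new exposure, but a key that still sits in git history stays usable until it is rotated, so the finding is mitigated, not closed, until AC-6 is done. Suggest wording the status as "Mitigated cycle 2 by AZ-501; closed on revocation (AC-6)" and recording the revocation date next to it, so the HIGH history exposure is not read as resolved. Also worth stating in the `STC-SEC1D` bullet that the deny-list scans for the literal key string only, so a freshly issued key with a different value would not be caught by that gate; the `.env` pattern and `VITE_`-prefixed variable name are what keep it out of source going forward.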
@@ -304,8 +323,10 @@ pipeline today".
| Annotation save body missing `Source`, `WaypointId`, wrong `time` field | AC-05 | Step 4 |
| `X-Refresh-Token` not sent on long-video detect (#29) | — | Step 4 |
| Numeric enum drift (`AnnotationStatus`, `MediaStatus`, `Affiliation`, `CombatReadiness`) | AC-04 | Step 4 (P9 alignment) |
| No CSP / hardening headers in `nginx.conf` | — | Step 6 — track at suite level |
| No vulnerability scan / SBOM / image signing in CI | — | Phase B |
| No CSP / hardening headers in `nginx.conf` | — | Step 6 — track at suite level (cycle-2 audit F-INF-2 → Phase B) |
| No vulnerability scan / SBOM / image signing in CI | — | Phase B (cycle-2 audit F-INF-3 / F-INF-4) |
| Vite ≤ 6.4.1 + PostCSS < 8.5.10 — published CVEs (HIGH/MOD) | AC-44 | Closed cycle 2 by AZ-502 (`bun update vite` + `package.json` overrides) |
| Hardcoded Google Geocode API key in `mission-planner/` port-source | AC-43 | Closed cycle 2 by AZ-501; manual key revocation PENDING USER |
---
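Review bot: the Vite/PostCSS row is marked "Closed cycle 2" while the row directly above it still records "No vulnerability scan / SBOM / image signing in CI — Phase B", so nothing in CI guards against the `package.json` overrides being dropped or a transitive dependency pulling the vulnerable range back in before Phase B lands. Suggest the row read "Closed cycle 2 by AZ-502 (...); no CI regression guard until F-INF-3" or that the Phase B row note it also covers re-checking AC-44. The row would also be easier to trace if it named the advisory ids that `bun audit` reported rather than only "published CVEs (HIGH/MOD)".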