[AZ-501] [AZ-502] Cycle 2 Step 14 security audit + inline fixes

Security audit (5 phases) → reports under _docs/05_security/. AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts. AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via package.json overrides in both roots; clean reinstall clears all bun audit advisories. Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44, NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report. Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7). 229 PASS / 13 SKIP / 0 FAIL on static + fast suites. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-22 04:11:10 +00:00 · 2026-05-12 05:31:11 +03:00
parent b016fd8207
commit f7dd6c98d8
32 changed files with 1833 additions and 502 deletions
@@ -2,8 +2,8 @@

 ## Current Step
 flow: existing-code
-step: 11
-name: Run Tests
+step: 15
+name: Performance Test
 status: not_started
 sub_step:
  phase: 0
@@ -14,22 +14,12 @@ cycle: 2
 tracker: jira

 ## Notes
- Cycle 1 (Phase B) CLOSED. Retro: `_docs/06_metrics/retro_2026-05-12.md`
-  (+ `structure_2026-05-12.md`). Lessons appended to `_docs/LESSONS.md`.
-  Steps 14, 15, 16 SKIPPED (character-identical structural refactor); no
-  auth/wire/perf/deploy-relevant surface changed.
- Cycle 2 Step 9 (New Task) COMPLETED. Epic AZ-497 created; Stories AZ-498
-  (tile swap, 5 pts) + AZ-499 (mission-planner OWM hardening, 2 pts) under
-  it. Contract drafted at `_docs/02_document/contracts/satellite-provider/
-  tiles.md` (v1.0.0). Cross-workspace prereq for AZ-498: satellite-provider
-  cookie-auth ticket (user-filed, not yet linked).
- Cycle 2 Step 10 (Implement) COMPLETED. Single batch (batch_11) — both AZ-498
-  and AZ-499 implemented; +15 fast tests; +1 STC-SEC1C static check; review
-  PASS_WITH_WARNINGS (1 Low). Spec drift recorded (AZ-498 AC-8 dropped, 4
-  missing files added in-scope, dead VITE_TILE_BASE_URL replaced). Pending
-  USER ACTION: AZ-499 AC-7 (OWM key revocation at OWM dashboard). Pending
-  CROSS-WORKSPACE: AZ-498 deploy gate (satellite-provider cookie-auth) at
-  Step 16. Both tickets transitioned to "In Progress" in Jira; will move to
-  "In Testing" with the commit. Reports at
-  `_docs/03_implementation/batch_11_report.md` and
-  `_docs/03_implementation/reviews/batch_11_review.md`.
+- Cycle 2 Step 14 CLOSED. Audit: `_docs/05_security/` (5 reports). Verdict:
+  FAIL (1 HIGH F-SAST-1, 1 HIGH F-DEP-1, 7 MED, 2 LOW). User chose A —
+  fixed both HIGH inline (AZ-501 Google key, AZ-502 Vite/PostCSS).
+  Implementation report: `_docs/03_implementation/batch_12_report.md`.
+  Static + fast: 229 PASS / 13 SKIP / 0 FAIL. Both tickets transitioned to
+  "In Progress" in Jira. PENDING USER: AZ-501 AC-6 (Google key revocation
+  at Google Cloud Console) + AZ-499 AC-7 (OWM key revocation, carried from
+  earlier). PENDING CROSS-WORKSPACE: AZ-498 deploy gate (Step 16).
+  Phase B follow-ups deferred: F-INF-1..F-INF-5 in security audit report.