[AZ-501] [AZ-502] Cycle 2 Step 14 security audit + inline fixes

Security audit (5 phases) → reports under _docs/05_security/.

AZ-501 (F-SAST-1, HIGH): Externalize hardcoded Google Geocode key
from mission-planner/src/config.ts to VITE_GOOGLE_GEOCODE_KEY via
new GeocodeService.ts; fail-soft warn when unset; STC-SEC1D static
deny-list gate; +5 unit tests in tests/mission_planner_geocode.test.ts.

AZ-502 (F-DEP-1, HIGH): Force vite>=6.4.2 and postcss>=8.5.10 via
package.json overrides in both roots; clean reinstall clears all
bun audit advisories.

Test-spec sync (Step 12) + Update Docs (Step 13) deltas: AC-43, AC-44,
NFT-SEC-09b, FT-P-61, FT-N-17, ripple log, batch_12 report.

Pending user actions: revoke Google + OWM keys (AC-6 / AZ-499 AC-7).

229 PASS / 13 SKIP / 0 FAIL on static + fast suites.

Co-authored-by: Cursor <cursoragent@cursor.com>

tests/security/banned-deps.json

@@ -90,6 +90,14 @@
       "335799082893fad97fa36118b131f919"
     ]
   },
+  "google_key_in_source": {
+    "ac": "AZ-501 (F-SAST-1) — Google Geocode API key not present in source tree",
+    "scope": "src/ and mission-planner/ (production sources; tests excluded)",
+    "match": "literal",
+    "patterns": [
+      "AIzaSyAhvDeYukuyWVrQYbRhuv91bsi_jj5_Iys"
+    ]
+  },
   "alert_calls": {
     "ac": "NFT-SEC-07 (AZ-466 AC-5) — no alert() in production source",
     "scope": "src/ and mission-planner/ (production sources; tests excluded)",