- Changed current step from 15 (Performance Test) to 9 (New Task) in _docs/_autodev_state.md, reflecting the transition to Cycle 3.
- Updated cycle count from 2 to 3 and modified sub-step details to indicate progress in gathering feature descriptions.
- Added new lessons to _docs/LESSONS.md, emphasizing best practices for API key management, dependency handling, and reporting inline fixes during security audits.
- Enhanced CI/CD pipeline documentation in _docs/02_document/deployment/ci_cd_pipeline.md to include new gates for vulnerability scans and SBOM emissions, along with dependency overrides for transitive dependencies.
- Expanded environment strategy documentation in _docs/02_document/deployment/environment_strategy.md to include the new Google Geocode API key management.
Co-authored-by: Cursor <cursoragent@cursor.com>
AZ-498 — self-hosted satellite tiles + drop classic/satellite toggle:
- Single TILE_URL via getTileUrl() (mirrors getOwmBaseUrl/getApiBase
pattern from AZ-449/AZ-450); env-var VITE_SATELLITE_TILE_URL with
dev default http://localhost:5100/tiles/{z}/{x}/{y}.
- FlightMap + MiniMap render one TileLayer with
crossOrigin="use-credentials" so Leaflet's <img> tile fetcher
attaches the same-origin satellite-provider auth cookie.
- ImportMetaEnv + .env.example collapse the prior OSM/Esri pair into
one var. The flights.planner.satellite i18n key is removed in
lockstep across en.json + ua.json (parity preserved).
- E2E harness wired end-to-end: compose passes the new var to
azaion-ui; tile-stub serves /tiles/{z}/{x}/{y} with
Content-Type=image/jpeg + Cache-Control + ETag matching the
contract; infrastructure.e2e.ts AC-2 asserts the new path; dead
OSM defenses removed from EXTERNAL_HOSTS route guard.
- Fast-profile MSW handlers rewritten for the cookie-auth path shape.
- 8 colocated fast tests under src/features/flights/__tests__/.
AZ-499 — mission-planner OWM env-var hardening + AZ-482 source-scan
gap close:
- WeatherService.ts reads VITE_OWM_API_KEY + VITE_OWM_BASE_URL;
fail-soft null when key unset (mirrors AZ-448 main-SPA contract).
Public signature getWeatherData(lat, lon) preserved.
- mission-planner/.env.example + vite-env.d.ts declare both vars.
- New owm_key_in_source banned-deps kind scans src/ AND
mission-planner/ for the rotated literal; STC-SEC1C row added to
scripts/run-tests.sh; check-banned-deps.mjs dispatch extended.
- 7 fast tests under tests/mission_planner_weather.test.ts cover
AC-1..AC-4 + trailing-slash + happy path + network-error fail-soft.
Spec drift (recorded in batch_11_report.md, user-approved Choose B
on 2026-05-12):
- AZ-498 AC-8 dropped (named tile_split_zoom* files belong to AZ-474
image-annotation surface, not map tiles).
- 4 missing files added in-scope (msw tiles handler, tile-stub
server, compose env, dead VITE_TILE_BASE_URL replaced).
- AZ-499 STC-S6 ID conflict resolved by using STC-SEC1C.
Pending USER ACTION (BLOCKING for AZ-499 close):
- Revoke OpenWeatherMap key 335799082893fad97fa36118b131f919 at
home.openweathermap.org/api_keys; capture evidence on AZ-499.
Cross-workspace deploy gate (handled at autodev Step 16, not a
Step-10 blocker for AZ-498):
- satellite-provider cookie-auth on GET /tiles/{z}/{x}/{y}
(separate AZAION ticket on the satellite-provider workspace).
Reports: _docs/03_implementation/batch_11_report.md and
_docs/03_implementation/reviews/batch_11_review.md (verdict
PASS_WITH_WARNINGS — 1 Low, pre-existing trim-trailing-slash
duplication across vite roots).
Static gates: STC-ARCH-01, STC-ARCH-02, STC-T1, STC-FP22, STC-FP23,
STC-SEC1C all PASS post-refactor. +15 fast tests; +1 STC-SEC1C row.
Co-authored-by: Cursor <cursoragent@cursor.com>
Phase B cycle 1 was a structural refactor only: F4 (barrel imports +
STC-ARCH-01) and F7 (endpoint builders + STC-ARCH-02). This commit
brings docs in line with source after the cycle, no code changes.
Module docs (12 consumers): swap every /api/<service>/... literal in
code snippets and integration tables for the matching endpoints.*
builder; note the barrel import migration in Dependencies.
New module doc: src__api__endpoints.md (public surface, F4 barrel
re-export note, STC-ARCH-02 enforcement, contract-test reference).
Architecture compliance baseline: mark F4 + F7 CLOSED with commit
hashes (23746ec, 8a461a2).
01_api-transport component description: add endpoints.ts + barrel to
Internal Interfaces, close the F7 caveat, extend Module Inventory.
ripple_log_cycle1.md: Task Step 0.5 reverse-dep analysis records the
import-graph closure (no extra docs needed beyond the direct set).
Carry-over reports landed alongside the docs:
- test_run_report_phase_b_cycle1.md (Step 11 outcome)
- implementation_report_refactor_phase_b_cycle1.md (cycle summary)
State file: trimmed to the autodev <30-line target; Steps 14 + 15
recorded as SKIPPED with rationale (no security or perf surface
changed in this cycle); pointer moved to Step 16 (Deploy).
Co-authored-by: Cursor <cursoragent@cursor.com>
Closes architecture baseline finding F4. Every component now exposes
its Public API through `src/<component>/index.ts`; cross-component
imports go through the barrel. `scripts/check-arch-imports.mjs` plus
`STC-ARCH-01` in the static profile enforce the rule; tests in
`tests/architecture_imports.test.ts` cover AC-4/AC-5 + 2 exemption
cases. One F3-pending exemption (`classColors`) is documented in 5
places (barrel, consumer, script, doc, test) to avoid a circular
import.
Phase B cycle 1 batch 1 of 2 (epic AZ-447). Batch 2 is AZ-486
(endpoint builders) — blocked on this commit landing.
Co-authored-by: Cursor <cursoragent@cursor.com>
Split the "Imports from" entry for the Blackbox Tests cross-cutting
component into two cases:
- Test bodies (*.test.{ts,tsx}, *.spec.{ts,tsx}, e2e specs) keep the
strict "00_foundation only / src/types only" rule per black-box
discipline (P9 / environment.md).
- Test infrastructure (tests/setup.ts, tests/msw/**, tests/helpers/**,
tests/fixtures/**, e2e/playwright.config.ts, e2e/stubs/**, etc.) MAY
import testability-purpose production accessors from any layer
(e.g. setToken on 01_api-transport, AuthProvider on 02_auth, i18n
on 00_foundation) — these helpers ARE the production-equivalent
composition root for tests.
Surfaced during AZ-456 self-review when render.tsx / auth.ts /
navigate.ts had to import production accessors that the task spec
explicitly mandated. The original rule was unambiguous-but-incomplete;
the doc now matches the practical reality without weakening the
black-box discipline for test bodies themselves.
Co-authored-by: Cursor <cursoragent@cursor.com>
Adds a cross-cutting "Blackbox Tests" entry to
_docs/02_document/module-layout.md so the implement skill's Step 4
(file ownership) can resolve OWNED / READ-ONLY / FORBIDDEN globs for
every AZ-455 test task (AZ-456..AZ-482). Owns: tests/**, e2e/**,
**/*.{test,spec}.{ts,tsx}, vitest.config.ts, test sections of
package.json, scripts/run-tests.sh + run-performance-tests.sh
(extension only). Imports from src/types/index.ts only (P9 black-box
discipline). Advances Step 6 sub_step to phase 1 (parse).
Co-authored-by: Cursor <cursoragent@cursor.com>
Oleksandr Bezdieniezhnykh