# Batch Report

**Batch**: 11 (Phase B cycle 2, single batch)
**Tasks**: AZ-498 (Satellite-provider tile swap, 5 pts) + AZ-499 (mission-planner OWM env-var hardening + AZ-482 source-scan gap, 2 pts)
**Date**: 2026-05-12
**Cycle**: Phase B feature cycle 2, Step 10 — Implement
**Total complexity**: 7 pts
**Epic**: AZ-497 (`Self-Hosted Satellite Tiles — SPA Integration`)
**Closes** (consumer side): satellite-provider tiles consumer migration; mission-planner OWM hygiene gap
**Depends on**: AZ-450 (tile URL externalization, AZ-498), AZ-448 + AZ-449 (OWM key + base URL externalization, AZ-499), AZ-482 (banned-deps static-check scaffolding, AZ-499)
**Cross-workspace prereq (deploy gate)**: `satellite-provider` cookie-auth on `GET /tiles/{z}/{x}/{y}` (user-filed separately) — gate at autodev Step 16, NOT a Step-10 blocker

## Task Results

| Task | Status | Files Modified / Added | Tests | AC Coverage | Issues |
|------|--------|------------------------|-------|-------------|--------|
| AZ-498_satellite_tile_swap | Done (consumer side) | **Production source (4)**: `src/features/flights/types.ts` (replaced `TILE_URLS` const with `getTileUrl()` + `DEFAULT_SATELLITE_TILE_URL`); `src/features/flights/FlightMap.tsx` (drop `mapType` state + toggle button + `MiniMap mapType` prop; single `<TileLayer crossOrigin="use-credentials">`); `src/features/flights/MiniMap.tsx` (drop `mapType` prop; same `<TileLayer crossOrigin="use-credentials">`); `src/vite-env.d.ts` (replaced `VITE_OSM_TILE_URL`/`VITE_ESRI_TILE_URL` with `VITE_SATELLITE_TILE_URL`). **Configs (1)**: `.env.example` (replaced two tile vars with one + dev-default docstring). **Foundation i18n (2)**: `src/i18n/en.json` + `src/i18n/ua.json` (removed `flights.planner.satellite` key in lockstep — parity preserved). **E2E harness (3)**: `e2e/docker-compose.suite-e2e.yml` (replaced dead `VITE_TILE_BASE_URL` with `VITE_SATELLITE_TILE_URL: "http://tile-stub:8082/tiles/{z}/{x}/{y}"`); `e2e/stubs/tile/server.ts` (rewrote `classify()` for the new `/tiles/{z}/{x}/{y}` shape; serves `Content-Type: image/jpeg` + `Cache-Control` + `ETag`); `e2e/tests/infrastructure.e2e.ts` (AC-2 rewritten to GET `/tiles/1/0/0` + assert headers; removed dead OSM entries from `EXTERNAL_HOSTS` route guard per user choice B). **Fast-profile MSW (1)**: `tests/msw/handlers/tiles.ts` (rewrote handlers from OSM/Esri `.png` shape to satellite-provider `/tiles/{z}/{x}/{y}` shape with cookie-auth headers). **Tests (1 new)**: `src/features/flights/__tests__/satellite_tile.test.tsx` (8 tests covering AC-1, AC-2, AC-3, AC-4 — colocated under 05_flights for STC-ARCH-01 cleanliness). **Docs (2)**: `_docs/02_document/modules/src__features__flights.md` (Tile URL section + module-map row + Findings F7 marked resolved); `_docs/02_document/contracts/satellite-provider/tiles.md` (already drafted in Step 9, no further edit). | **+8 fast tests** (`src/features/flights/__tests__/satellite_tile.test.tsx`); **+1 e2e test rewrite** (infrastructure AC-2). All 8 fast tests PASS locally. STC-ARCH-01, STC-ARCH-02, STC-T1, STC-FP22, STC-FP23 all PASS post-refactor. | **8 / 9 covered + 1 dropped**: AC-1, AC-2, AC-3, AC-4 (fast tests), AC-5 (typecheck), AC-6 (e2e — gated by docker, plumbing verified), AC-7 (contract referenced + matches per Phase 2 verification), AC-9 (static gates green). **AC-8 dropped** with explicit user approval (Choose A/B/C/D, picked B on 2026-05-12) — spec misattribution: the named `tile_split_zoom*` files belong to AZ-474 (image-annotation split surface) and have zero references to map tiles or any env var touched here. | None blocking. 1 Low Maintainability finding (Finding F1 in `batch_11_review.md`) — pre-existing trim-trailing-slash idiom duplication. |
| AZ-499_mission_planner_weather_env | **Done (code) — AC-7 manual deliverable PENDING USER** | **Production source (3)**: `mission-planner/src/services/WeatherService.ts` (env vars + fail-soft `null` when key unset; preserved public signature `getWeatherData(lat, lon)`); `mission-planner/.env.example` (added `VITE_OWM_API_KEY` + `VITE_OWM_BASE_URL` mirroring main `.env.example` style; preserved existing `VITE_SATELLITE_TILE_URL` independently — different vite root); `mission-planner/src/vite-env.d.ts` (added both vars to `ImportMetaEnv`). **Static-check infra (3)**: `tests/security/banned-deps.json` (added `owm_key_in_source` kind: `match: literal`, `scope: src/ + mission-planner/`, `patterns: ["335799082893fad97fa36118b131f919"]`); `scripts/check-banned-deps.mjs` (extended source-tree dispatch to include `owm_key_in_source` alongside `legacy_integrations` / `concurrent_edit_patterns` / `alert_calls` — same code path, same exclusions for tests); `scripts/run-tests.sh` (added `static_check_no_owm_key_in_source` function + `STC-SEC1C` row labeled "no literal OWM key in src/ + mission-planner/"). **Tests (1 new)**: `tests/mission_planner_weather.test.ts` (7 tests covering AC-1, AC-2, AC-3, AC-4 + trailing-slash + happy-path return shape + network-error fail-soft). **Docs (1)**: `_docs/02_document/modules/mission-planner.md` (annotated `WeatherService.ts` row with env-var dependency; updated migration table; updated Findings to mark hardcoded-key resolution by AZ-499). | **+7 fast tests** (`tests/mission_planner_weather.test.ts`); **+1 static check row** (`STC-SEC1C`). All 7 fast tests PASS locally. `node scripts/check-banned-deps.mjs --kind=owm_key_in_source` exits 0. | **6 / 7 covered + 1 manual**: AC-1, AC-2, AC-3, AC-4 (fast tests with `vi.stubEnv` + fetch spy), AC-5 (`STC-SEC1C` static check wired and green), AC-6 (typecheck via STC-T1). **AC-7 (key revocation) MUST be completed manually by the user** at `https://home.openweathermap.org/api_keys` before this task is marked Done in Jira. The `STC-SEC1C` check is defense-in-depth: even if revocation is delayed, no future commit can re-introduce the literal under `src/` or `mission-planner/`. | Spec note: AZ-499's example STC ID `STC-S6` was a typo — that ID is taken (`no WS/GraphQL/gRPC/SSR deps`). Used `STC-SEC1C` (parallel to `STC-SEC1` = src/, `STC-SEC1B` = dist/). |

## AC Test Coverage Summary

| AC | Task | Test | Profile | Status |
|----|------|------|---------|--------|
| AC-1 (env-set tile URL) | AZ-498 | `__tests__/satellite_tile.test.tsx::AC-1: returns the env-set VITE_SATELLITE_TILE_URL verbatim` | fast | PASS |
| AC-2 (default tile URL when unset) | AZ-498 | same file, `AC-2: returns the dev default ...` + trailing-slash variant | fast | PASS |
| AC-3 (`crossOrigin="use-credentials"`) | AZ-498 | same file, FlightMap AC-3 + dev-default URL render + MiniMap AC-3 | fast | PASS |
| AC-4 (toggle gone) | AZ-498 | same file, FlightMap AC-4 + MiniMap AC-4 | fast | PASS |
| AC-5 (ImportMetaEnv updated) | AZ-498 | `tsc --noEmit -p tsconfig.test.json` (STC-T1) | static | PASS |
| AC-6 (e2e tile path) | AZ-498 | `e2e/tests/infrastructure.e2e.ts::AC-2 (tile-stub serves /tiles/{z}/{x}/{y})` | e2e (gated) | PASS — plumbing verified locally; full e2e gated by docker availability (Step 16 owns the e2e gate) |
| AC-7 (contract referenced + matches) | AZ-498 | Phase 2 contract verification (consumer-side) — see `batch_11_review.md` | review | PASS |
| AC-8 (legacy tile-aware tests) | AZ-498 | **DROPPED** (user choice B, spec misattribution) | n/a | n/a |
| AC-9 (STC-ARCH-01 / STC-ARCH-02 green) | AZ-498 | `node scripts/check-arch-imports.mjs --mode=arch-imports` exit 0; `--mode=api-literals` exit 0 | static | PASS |
| AC-1 (env-resolved API key in OWM URL) | AZ-499 | `tests/mission_planner_weather.test.ts::AC-1` | fast | PASS |
| AC-2 (env-resolved base URL) | AZ-499 | same file, `AC-2: env-var resolved base URL prefixes the outgoing fetch URL` + trailing-slash variant | fast | PASS |
| AC-3 (fail-soft `null` when key unset) | AZ-499 | same file, `AC-3: returns null and issues no fetch when VITE_OWM_API_KEY is unset` | fast | PASS |
| AC-4 (default base URL when only base unset) | AZ-499 | same file, `AC-4: defaults to public OWM base URL when only VITE_OWM_BASE_URL is unset` | fast | PASS |
| AC-5 (new `owm_key_in_source` static check) | AZ-499 | `node scripts/check-banned-deps.mjs --kind=owm_key_in_source` exits 0; `STC-SEC1C` row in `scripts/run-tests.sh` | static | PASS |
| AC-6 (TS declarations) | AZ-499 | `tsc --noEmit -p tsconfig.test.json` (STC-T1) | static | PASS |
| AC-7 (compromised key revoked at OWM) | AZ-499 | **MANUAL — out-of-band** | n/a | **PENDING — USER must revoke `335799082893fad97fa36118b131f919` at `https://home.openweathermap.org/api_keys` and capture evidence (dashboard URL or screenshot of disabled key) for the AC closure record before AZ-499 transitions to Done. STC-SEC1C is defense-in-depth.** |

## Design Decisions

1. **`getTileUrl()` is a function, not a constant — mirrors the established `getOwmBaseUrl()` / `getApiBase()` pattern** (`src/features/flights/flightPlanUtils.ts:62`, `src/api/client.ts:35`). Reads `import.meta.env` per call so tests can stub-then-call without `vi.resetModules()` + dynamic-import dance. The per-render evaluation cost is negligible (env read + one `replace`); this trade is the same one AZ-449 made.

2. **`DEFAULT_SATELLITE_TILE_URL` is exported alongside the function** so tests can pin the literal without duplicating the dev-default string. Keeps the Source-of-Truth in production source.

3. **Single `TILE_URL` (not `TILE_URLS`) means the classic/satellite toggle is a permanent removal, not a hidden switch.** Reflects the user's cycle-2 explicit decision: "we accept losing the OSM street view; satellite-only is the new normal." The toggle removal also removes the `flights.planner.satellite` i18n key from both `en.json` and `ua.json` — i18n key parity (STC-FP22) preserved by removing in lockstep.

4. **`crossOrigin="use-credentials"` on EVERY `<TileLayer>`, not just the production code path.** The MSW handler and tile-stub also send the cookie-auth-friendly Content-Type / Cache-Control / ETag headers so dev / fast / e2e profiles all observe the same wire shape. Drift between dev and prod here would silently break tile fetches in production (the satellite-provider rejects requests without the cookie with 401).

5. **Test colocated under `src/features/flights/__tests__/`, NOT under `tests/`.** Initial draft lived under `tests/satellite_tile.test.tsx` and used dynamic-import (`await import('...')`) to escape STC-ARCH-01's static regex. That escape was technically passing the gate but semantically violating the documented module-layout discipline ("test bodies → 00_foundation only, never internal files of other components"). Refactor moved the test to a colocated location where intra-component imports (`../FlightMap`, `../MiniMap`, `../types`) are architecturally clean. Cross-tree import to `tests/helpers/render.tsx` is allowed by module-layout's Blackbox Tests "test infrastructure" rule (test infra MAY be imported by test bodies). No new exemption added to STC-ARCH-01.

6. **STC-SEC1C added as a NEW check, NOT as a widening of STC-SEC1.** Existing STC-SEC1 scans `src/` only and matches the `appid=<6+ chars>` regex (catches a real-key shape but not the literal). The new STC-SEC1C scans `src/` AND `mission-planner/` and matches the LITERAL value (catches an exact re-introduction of the rotated key). The two together pin both axes: STC-SEC1 prevents a NEW unprotected key shape, STC-SEC1C prevents the OLD revoked key from coming back.

7. **`mission-planner/.env.example` keeps its own `VITE_SATELLITE_TILE_URL`** (Esri default). Two vite roots, two independent env vars with the same name — intentional. Mission-planner's tile migration is a separate future cycle (broader F1 mission-planner deduplication track), explicitly out of scope per AZ-498's `Excluded` section.

8. **Pre-existing dead `VITE_TILE_BASE_URL` removed from compose.** The compose file set it; nothing read it. Replacing it (rather than adding alongside) cleans up the dead config. Considered "adjacent hygiene" per scope discipline (the file was already in the diff).

9. **Mission-planner test lives under `tests/`, NOT colocated.** Mission-planner has no test runner today (Vitest not wired). Per AZ-499's Risk #2, the simpler option (run under main SPA's harness, import via relative path) wins. The cross-tree relative path import (`../mission-planner/src/services/WeatherService`) is irregular but bounded — the test only depends on the function's public signature and runs the same env-stub + fetch-spy pattern as any other Vitest test.

## Code Review Verdict

See `_docs/03_implementation/reviews/batch_11_review.md` — **PASS_WITH_WARNINGS**.

- 0 Critical, 0 High, 0 Medium, 1 Low (`F1`: trim-trailing-slash idiom duplication; pre-existing pattern across 4 call sites in 2 vite roots; consolidation deferred to a future shared-helper extraction task).
- All 9+7 = 16 ACs accounted for: 14 verified by tests/static checks, 1 dropped (AZ-498 AC-8) with explicit user approval, 1 pending manual deliverable (AZ-499 AC-7 — user revokes OWM key).
- Per implement skill Auto-Fix Gate: only Medium/Low → no auto-fix loop required; proceed to commit.

## Spec Drift Recorded

These spec issues were surfaced and resolved with explicit user approval (Choose A/B/C/D, picked B on 2026-05-12) before any code was written. Recording here for the audit trail; the task specs themselves were NOT edited (kept as historic record).

1. **AZ-498 AC-8 misattribution**: spec named `tests/tile_split_zoom.test.tsx` and `e2e/tests/tile_split_zoom.e2e.ts`; both are AZ-474's image-annotation split surface (dataset row `POST /api/annotations/dataset/<id>/split`), NOT map-tile tests. AC-8 dropped.
2. **AZ-498 missing files in `Included`**: `tests/msw/handlers/tiles.ts`, `e2e/stubs/tile/server.ts`, `e2e/docker-compose.suite-e2e.yml` `azaion-ui` env section. All three were genuinely required for the change to work end-to-end — treated as additive in-scope per user approval.
3. **AZ-498 dead `VITE_TILE_BASE_URL` in compose** (read by nothing): replaced with `VITE_SATELLITE_TILE_URL` per user approval (item #4 — adjacent hygiene cleanup option).
4. **AZ-499 STC ID conflict**: spec example `STC-S6` is taken; used `STC-SEC1C` instead (no AC text changed).
5. **Pre-existing OSM defenses in `EXTERNAL_HOSTS` route guard** (`e2e/tests/infrastructure.e2e.ts`): removed in cleanup since OSM is no longer expected (user picked B explicitly to include this cleanup).

## Pending Manual Deliverables (BLOCKING for AZAION ticket close)

1. **USER ACTION — AZ-499 AC-7**: Revoke OpenWeatherMap API key `335799082893fad97fa36118b131f919` at https://home.openweathermap.org/api_keys . Capture evidence (dashboard URL or screenshot of disabled key) and attach to AZ-499's Jira issue (or paste the URL in a comment) before transitioning AZ-499 from "In Testing" to "Done". The `STC-SEC1C` static check is defense-in-depth and will block any future re-introduction of the literal under `src/` or `mission-planner/`.

2. **CROSS-WORKSPACE GATE — AZ-498 deploy**: `satellite-provider` cookie-auth migration on `GET /tiles/{z}/{x}/{y}` (separate AZAION ticket, user-filed on satellite-provider workspace) must merge before AZ-498 deploys. Per `_docs/02_tasks/_dependencies_table.md` Notes (AZ-497), this is gated at autodev Step 16 (Deploy), NOT a Step 10 blocker. Code can land in dev branch, run in fast/static profiles, and pass code review without it; only production deploy waits.

## Test Run Handoff (Step 16)

The next autodev step after this batch is Step 11 (Run Tests). Per the implement skill's "if the next flow step is `Run Tests`" guidance: do NOT run the full `bash scripts/run-tests.sh` here — `.cursor/skills/test-run/SKILL.md` owns that gate to avoid duplicate full runs.

Locally-verified pre-handoff (focused subset, not the full gate):
- 15 fast tests added (8 satellite_tile + 7 mission_planner_weather) — all PASS
- STC-T1 (typecheck) — PASS
- STC-ARCH-01, STC-ARCH-02, STC-FP22, STC-FP23, STC-SEC1C — all PASS
- `node scripts/check-banned-deps.mjs --kind=owm_key_in_source` — exit 0

Pre-existing fast suite was 209 passes (per `_docs/03_implementation/batch_10_report.md`). Expected after this batch: 209 + 15 = 224 passes (subject to the full Step-11 run confirming no regressions in adjacent tests not directly exercised here).