[AZ-513] [AZ-196] [AZ-183] Add /classes CRUD, /devices, fleet OTA

AZ-513: POST/PATCH/DELETE /classes for detection-class CRUD; new
DetectionClass entity, schema, DTOs, IDetectionClassService. Unblocks
ui/AZ-512.

AZ-196: POST /devices auto-assigns sequential azj-NNNN serial+email
+password and inserts a CompanionPC user. Returns plaintext credentials
for the provisioning script.

AZ-183: Resources table + POST /get-update + POST /resources/publish
for fleet OTA. Per-resource encryption_key column AES-256-CBC encrypted
at rest with ResourcesConfig.EncryptionMasterKey; ICache wraps the
per-(arch,stage) latest-versions lookup and is invalidated on publish.

Adds IDbFactory.RunAdmin<T> overload for write-and-return.

Backfills _docs/02_document/module-layout.md to satisfy the implement
skill's File Ownership prerequisite (the _docs/ artifact set predates
the Step 1.5 module-layout addition).

Code review: PASS_WITH_WARNINGS — see
_docs/03_implementation/reviews/batch_05_review.md.

Co-authored-by: Cursor <cursoragent@cursor.com>

Azaion.Common/Requests/CreateDetectionClassRequest.cs

@@ -0,0 +1,24 @@
+using FluentValidation;
+
+namespace Azaion.Common.Requests;
+
+public class CreateDetectionClassRequest
+{
+    public string  Name      { get; set; } = null!;
+    public string  ShortName { get; set; } = null!;
+    public string  Color     { get; set; } = null!;
+    public double  MaxSizeM  { get; set; }
+    public string? PhotoMode { get; set; }
+}
+
+public class CreateDetectionClassValidator : AbstractValidator<CreateDetectionClassRequest>
+{
+    public CreateDetectionClassValidator()
+    {
+        RuleFor(r => r.Name).NotEmpty().MaximumLength(120);
+        RuleFor(r => r.ShortName).NotEmpty().MaximumLength(20);
+        RuleFor(r => r.Color).NotEmpty().MaximumLength(20);
+        RuleFor(r => r.MaxSizeM).GreaterThan(0);
+        RuleFor(r => r.PhotoMode!).MaximumLength(20).When(r => r.PhotoMode != null);
+    }
+}

Azaion.Common/Requests/GetUpdateRequest.cs

@@ -0,0 +1,35 @@
+using FluentValidation;
+
+namespace Azaion.Common.Requests;
+
+public class GetUpdateRequest
+{
+    public string Architecture { get; set; } = null!;
+    public string DevStage     { get; set; } = null!;
+
+    /// <summary>
+    /// Map of <c>resource_name → currently-installed-version</c>. Resources missing
+    /// from the map are treated as "device has no version of this resource yet" and
+    /// will be returned in the response if any version exists server-side.
+    /// </summary>
+    public Dictionary<string, string> CurrentVersions { get; set; } = new();
+}
+
+public class GetUpdateValidator : AbstractValidator<GetUpdateRequest>
+{
+    public GetUpdateValidator()
+    {
+        RuleFor(r => r.Architecture).NotEmpty().MaximumLength(40);
+        RuleFor(r => r.DevStage).NotEmpty().MaximumLength(40);
+    }
+}
+
+public class ResourceUpdateItem
+{
+    public string ResourceName  { get; set; } = null!;
+    public string Version       { get; set; } = null!;
+    public string CdnUrl        { get; set; } = null!;
+    public string Sha256        { get; set; } = null!;
+    public string EncryptionKey { get; set; } = null!;
+    public long   SizeBytes     { get; set; }
+}

Azaion.Common/Requests/PublishResourceRequest.cs

@@ -0,0 +1,30 @@
+using FluentValidation;
+
+namespace Azaion.Common.Requests;
+
+public class PublishResourceRequest
+{
+    public string ResourceName  { get; set; } = null!;
+    public string DevStage      { get; set; } = null!;
+    public string Architecture  { get; set; } = null!;
+    public string Version       { get; set; } = null!;
+    public string CdnUrl        { get; set; } = null!;
+    public string Sha256        { get; set; } = null!;
+    public string EncryptionKey { get; set; } = null!;
+    public long   SizeBytes     { get; set; }
+}
+
+public class PublishResourceValidator : AbstractValidator<PublishResourceRequest>
+{
+    public PublishResourceValidator()
+    {
+        RuleFor(r => r.ResourceName).NotEmpty().MaximumLength(120);
+        RuleFor(r => r.DevStage).NotEmpty().MaximumLength(40);
+        RuleFor(r => r.Architecture).NotEmpty().MaximumLength(40);
+        RuleFor(r => r.Version).NotEmpty().MaximumLength(40);
+        RuleFor(r => r.CdnUrl).NotEmpty().MaximumLength(500);
+        RuleFor(r => r.Sha256).NotEmpty().MaximumLength(128);
+        RuleFor(r => r.EncryptionKey).NotEmpty();
+        RuleFor(r => r.SizeBytes).GreaterThan(0);
+    }
+}

Azaion.Common/Requests/RegisterDeviceResponse.cs

@@ -0,0 +1,8 @@
+namespace Azaion.Common.Requests;
+
+public class RegisterDeviceResponse
+{
+    public string Serial   { get; set; } = null!;
+    public string Email    { get; set; } = null!;
+    public string Password { get; set; } = null!;
+}

Azaion.Common/Requests/UpdateDetectionClassRequest.cs

@@ -0,0 +1,24 @@
+using FluentValidation;
+
+namespace Azaion.Common.Requests;
+
+public class UpdateDetectionClassRequest
+{
+    public string?  Name      { get; set; }
+    public string?  ShortName { get; set; }
+    public string?  Color     { get; set; }
+    public double?  MaxSizeM  { get; set; }
+    public string?  PhotoMode { get; set; }
+}
+
+public class UpdateDetectionClassValidator : AbstractValidator<UpdateDetectionClassRequest>
+{
+    public UpdateDetectionClassValidator()
+    {
+        RuleFor(r => r.Name!).NotEmpty().MaximumLength(120).When(r => r.Name != null);
+        RuleFor(r => r.ShortName!).NotEmpty().MaximumLength(20).When(r => r.ShortName != null);
+        RuleFor(r => r.Color!).NotEmpty().MaximumLength(20).When(r => r.Color != null);
+        RuleFor(r => r.MaxSizeM!.Value).GreaterThan(0).When(r => r.MaxSizeM != null);
+        RuleFor(r => r.PhotoMode!).MaximumLength(20).When(r => r.PhotoMode != null);
+    }
+}