[AZ-197] Remove hardware ID binding from resource flow

Sealed-Jetson + SaaS architecture eliminates the credential-reuse-across-
machines threat that motivated hardware fingerprint binding. The binding's
only remaining effect was a real production failure mode on legitimate
hardware events.

Production:
- Drop PUT /users/hardware/set and POST /resources/check.
- Simplify POST /resources/get/{dataFolder?} (no Hardware field).
- Remove CheckHardwareHash, UpdateHardware, Security.GetHWHash.
- GetApiEncryptionKey signature: (email, password) — no hardwareHash.
- Drop SetHWRequest DTO and Hardware property from GetResourceRequest.
- Remove HardwareIdMismatch (40) and BadHardware (45) ExceptionEnum
  entries; numeric codes left as a gap, not for reuse.

Wire-compat policy: drop entirely (no Loader; no in-flight legacy
clients). Stale callers will see 404s, which is the right loud failure.

Tombstones:
- User.Hardware DB column kept (nullable, unused) — separate cleanup
  ticket for the migration per workspace "no rename without confirmation".
- User.LastLogin is now never written by app code (only writer was inside
  the deleted CheckHardwareHash); flagged in batch_06_review for a future
  ticket.

Tests:
- Delete e2e HardwareBindingTests (165 lines) and Azaion.Test
  UserServiceTest (sole test was CheckHardwareHashTest).
- Drop Hardware payloads + /resources/check preconditions from e2e
  ResourceTests, SecurityTests, ResilienceTests; drop hardwareId arg
  from Azaion.Test SecurityTest.
- Add SecurityTests.Hardware_endpoints_are_removed_AZ_197 (AC-2 regression
  asserting both removed routes return 404).

Docs:
- architecture.md: System Context note, ADR-003 new key formula, ADR-004
  retired with rationale.
- diagrams/flows/flow_hardware_check.md: tombstoned.

Also archives the four batch-1+batch-2 task files into _docs/02_tasks/done/
(file moves were missed by the batch_05 commit).

Code review: PASS — see _docs/03_implementation/reviews/batch_06_review.md.

Co-authored-by: Cursor <cursoragent@cursor.com>

Azaion.Services/UserService.cs

@@ -14,10 +14,8 @@ public interface IUserService
     Task<RegisterDeviceResponse> RegisterDevice(CancellationToken ct = default);
     Task<User> ValidateUser(LoginRequest request, CancellationToken ct = default);
     Task<User?> GetByEmail(string? email, CancellationToken ct = default);
-    Task UpdateHardware(string email, string? hardware = null, CancellationToken ct = default);
     Task UpdateQueueOffsets(string email, UserQueueOffsets queueOffsets, CancellationToken ct = default);
     Task<IEnumerable<User>> GetUsers(string? searchEmail, RoleEnum? searchRole, CancellationToken ct = default);
-    Task<string> CheckHardwareHash(User user, string hardware, CancellationToken ct = default);
     Task ChangeRole(string email, RoleEnum newRole, CancellationToken ct = default);
     Task SetEnableStatus(string email, bool isEnabled, CancellationToken ct = default);
     Task RemoveUser(string email, CancellationToken ct = default);
@@ -119,16 +117,6 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
         });
 
 
-    public async Task UpdateHardware(string email, string? hardware = null, CancellationToken ct = default)
-    {
-        await dbFactory.RunAdmin(async db =>
-        {
-            await db.Users.UpdateAsync(x => x.Email == email,
-                u => new User { Hardware = hardware }, token: ct);
-        });
-        cache.Invalidate(User.GetCacheKey(email));
-    }
-
     public async Task UpdateQueueOffsets(string email, UserQueueOffsets queueOffsets, CancellationToken ct = default)
     {
         await dbFactory.RunAdmin(async db =>
@@ -155,35 +143,6 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
                     u => u.Role == searchRole)
                 .ToListAsync(token: ct));
 
-    public async Task<string> CheckHardwareHash(User user, string hardware, CancellationToken ct = default)
-    {
-        var requestHWHash = Security.GetHWHash(hardware);
-
-        //For the new users Hardware would be empty, fill it with actual hardware on the very first request
-        if (string.IsNullOrEmpty(user.Hardware))
-        {
-            await UpdateHardware(user.Email, hardware, ct);
-            cache.Invalidate(User.GetCacheKey(user.Email));
-            await UpdateLastLoginDate(user, ct);
-            return requestHWHash;
-        }
-
-        var userHWHash = Security.GetHWHash(user.Hardware);
-        if (userHWHash != requestHWHash)
-            throw new BusinessException(ExceptionEnum.HardwareIdMismatch);
-        await UpdateLastLoginDate(user, ct);
-        return userHWHash;
-    }
-
-    private async Task UpdateLastLoginDate(User user, CancellationToken ct = default)
-    {
-        await dbFactory.RunAdmin(async db =>
-            await db.Users.UpdateAsync(x => x.Email == user.Email, u => new User
-            {
-                LastLogin = DateTime.UtcNow
-            }, ct));
-    }
-
     public async Task ChangeRole(string email, RoleEnum newRole, CancellationToken ct = default)
     {
         await dbFactory.RunAdmin(async db =>