[AZ-529] [AZ-530] Cycle-2 documentation refresh

Refreshes _docs/02_document/ to reflect the cycle-2 auth-modernization
+ CMMC hardening landings (AZ-531..AZ-538). Authoritative source for
the ripple set is ripple_log_cycle2.md.

Covered:
- architecture.md (section 1 rewritten, ADRs 6-9 added)
- data_model.md (sessions, audit_events, user columns, migrations)
- system-flows.md (F1 rewritten; F11-F17 added; F2/F7/F9 minor)
- module-layout.md (cycle-2 sub-component table)
- diagrams/flows/flow_login.md (dual-token + MFA)
- components/{01_data_layer,03_auth_and_security,05_admin_api}
- modules/ (12 new, 8 modified — full Argon2id/ES256/MFA/refresh
  /mission/session/audit/jwks rollup)
- tests/{blackbox,security,traceability-matrix}

Step 13 (Update Docs) output for cycle 2.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/02_document/modules/common_entities_role_enum.md

@@ -3,6 +3,8 @@
 ## Purpose
 Defines the authorization role hierarchy for the system.
 
+> **Cycle 2 (2026-05-14) note** — `Service = 60` added by AZ-535 for service-to-service verifier identities (satellite-provider, gps-denied, ui). Each verifier deployment provisions one `Role=Service` user; the role is gated to read `/sessions/revoked` only (via `revocationReaderPolicy`) and is not valid for any user-facing endpoint.
+
 ## Public Interface
 
 | Enum Value | Int Value | Description |
@@ -10,9 +12,10 @@ Defines the authorization role hierarchy for the system.
 | `None` | 0 | No role assigned |
 | `Operator` | 10 | Annotator access only; can send annotations to queue |
 | `Validator` | 20 | Annotator + dataset explorer; can receive annotations from queue |
-| `CompanionPC` | 30 | Companion PC role |
+| `CompanionPC` | 30 | Companion PC role (UAV / aircraft identities; AZ-533 mission tokens are bound to these via `aircraft_id`) |
 | `Admin` | 40 | Admin role |
-| `ResourceUploader` | 50 | Can upload DLLs and AI models |
+| `ResourceUploader` | 50 | Data-only — `apiUploaderPolicy` was removed in the post-cycle-1 AZ-183 revert. The seed `uploader@azaion.com` user keeps this role for negative-auth tests. |
+| `Service` | 60 | AZ-535 — service-to-service identity for verifiers polling `/sessions/revoked`. NOT valid for any user-facing endpoint. |
 | `ApiAdmin` | 1000 | Full access to all operations |
 
 ## Internal Logic
@@ -24,11 +27,13 @@ None.
 ## Consumers
 - `User.Role` property type
 - `RegisterUserRequest.Role` property type
-- `Program.cs` — authorization policies (`apiAdminPolicy`, `apiUploaderPolicy`)
+- `Program.cs` — authorization policies (`apiAdminPolicy`, `revocationReaderPolicy` cycle 2)
 - `AuthService.CreateToken` — embeds role as claim
-- `AzaionDbSchemaHolder` — maps Role to/from text in DB
+- `AzaionDbSchemaHolder` — maps Role to/from text in DB (text enum → `Enum.Parse(typeof(RoleEnum), v)`; the new `Service` value parses through the existing converter without migration)
 - `UserService.GetUsers` — filters by role
 - `UserService.ChangeRole` — updates user role
+- `MissionTokenService.Issue` — validates `aircraft_id` resolves to a `CompanionPC` user
+- `Program.cs` `IssueDualTokens` — fires `RevokeMissionsForAircraft` when the authenticated user has `Role = CompanionPC`
 
 ## Data Models
 Part of the `User` entity.
@@ -40,7 +45,7 @@ None.
 None.
 
 ## Security
-Core to the RBAC authorization model. `ApiAdmin` has unrestricted access; `ResourceUploader` can upload resources; other roles have endpoint-level restrictions.
+Core to the RBAC authorization model. `ApiAdmin` has unrestricted access; `Service` is narrowly scoped to the `/sessions/revoked` verifier-poll feed; `ResourceUploader` is data-only after AZ-183 was reverted; other roles have endpoint-level restrictions.
 
 ## Tests
 None.