refactor: remove deploy.cmd and update Dockerfile for health checks

- Deleted the deploy.cmd script as it was no longer needed.
- Updated Dockerfile to include curl for health checks and added a non-root user for improved security.
- Modified health check command to use curl for better reliability.
- Adjusted docker-compose.test.yml to reflect changes in health check configuration.
- Cleaned up appsettings.json and removed unused configuration properties.
- Removed Resource entity and related requests from the codebase as part of the architectural shift.
- Updated documentation to reflect the removal of hardware binding and related endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>

.env.example

@@ -0,0 +1,46 @@
+# =============================================================================
+# Azaion Admin API — environment variable template
+# Copy to `.env` (git-ignored) and fill in real values for your environment.
+# Production secrets MUST come from the secret manager, not from a checked-in
+# file. See _docs/04_deploy/reports/deploy_status_report.md for the full table.
+# =============================================================================
+
+# ---------- ASP.NET Core runtime --------------------------------------------
+ASPNETCORE_ENVIRONMENT=Development            # Development | Staging | Production
+ASPNETCORE_URLS=http://+:8080                 # Kestrel bind address inside the container
+
+# ---------- Database (PostgreSQL on port 4312 in prod, 5432 in test) --------
+# Two roles: reader (read-only) and admin (read/write). See env/db/01_permissions.sql.
+ASPNETCORE_ConnectionStrings__AzaionDb=Host=localhost;Port=4312;Database=azaion;Username=azaion_reader;Password=CHANGE_ME
+ASPNETCORE_ConnectionStrings__AzaionDbAdmin=Host=localhost;Port=4312;Database=azaion;Username=azaion_admin;Password=CHANGE_ME
+
+# ---------- JWT (HMAC-SHA256, 4 h TTL) --------------------------------------
+ASPNETCORE_JwtConfig__Secret=CHANGE_ME_TO_A_RANDOM_STRING_AT_LEAST_32_BYTES
+ASPNETCORE_JwtConfig__Issuer=AzaionApi
+ASPNETCORE_JwtConfig__Audience=Annotators/OrangePi/Admins
+ASPNETCORE_JwtConfig__TokenLifetimeHours=4
+
+# ---------- Resource storage (filesystem) -----------------------------------
+ASPNETCORE_ResourcesConfig__ResourcesFolder=Content
+ASPNETCORE_ResourcesConfig__SuiteInstallerFolder=suite
+ASPNETCORE_ResourcesConfig__SuiteStageInstallerFolder=suite-stage
+
+# ---------- Container build / image label ------------------------------------
+# Injected at build time as --build-arg CI_COMMIT_SHA=… by Woodpecker.
+# Local builds may leave it unset (Dockerfile defaults to "unknown").
+# CI_COMMIT_SHA=
+
+# ---------- Deploy targets (consumed by scripts/, not by the API process) ---
+DEPLOY_HOST=admin.azaion.com                  # SSH target for scripts/deploy.sh
+DEPLOY_SSH_USER=root                          # SSH user on DEPLOY_HOST
+DEPLOY_CONTAINER_NAME=azaion.api              # Docker container name on the host
+DEPLOY_HOST_PORT=4000                         # Port published on DEPLOY_HOST (mapped to 8080 in container)
+DEPLOY_HOST_CONTENT_DIR=/root/api/content     # Bind-mount for resource files
+DEPLOY_HOST_LOGS_DIR=/root/api/logs           # Bind-mount for Serilog rolling files
+
+# ---------- Container registry ----------------------------------------------
+REGISTRY_HOST=docker.azaion.com               # Private registry; CI may use localhost:5000
+REGISTRY_IMAGE=azaion/admin                   # Image path inside REGISTRY_HOST
+REGISTRY_TAG=dev-arm                          # main→arm, stage→stage-arm, dev→dev-arm
+REGISTRY_USER=                                # CI / scripts only — leave empty in dev .env
+REGISTRY_TOKEN=                               # CI / scripts only — leave empty in dev .env