refactor: remove deploy.cmd and update Dockerfile for health checks

- Deleted the deploy.cmd script as it was no longer needed.
- Updated Dockerfile to include curl for health checks and added a non-root user for improved security.
- Modified health check command to use curl for better reliability.
- Adjusted docker-compose.test.yml to reflect changes in health check configuration.
- Cleaned up appsettings.json and removed unused configuration properties.
- Removed Resource entity and related requests from the codebase as part of the architectural shift.
- Updated documentation to reflect the removal of hardware binding and related endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/02_document/components/01_data_layer/description.md

@@ -29,12 +29,14 @@
 
 ### Entities
 
+> **Cycle 1 (2026-05-13) note** — `DetectionClass` (AZ-513) entity was added. `Resource` (AZ-183) was added then removed in the same cycle (post-cycle-1 revert; security audit F-1 + the OTA delivery model itself was deemed obsolete). The `User.Hardware` column is left in place as a tombstone (nullable, unused) per AZ-197. A UNIQUE INDEX `users_email_uidx` was added on `users.email` (security audit F-3, `env/db/06_users_email_unique.sql`).
+
 ```
 User:
   Id: Guid (PK)
   Email: string (required)
   PasswordHash: string (required)
-  Hardware: string? (optional)
+  Hardware: string? (optional — TOMBSTONED by AZ-197; nullable, unused; no application code reads or writes)
   Role: RoleEnum (required)
   CreatedAt: DateTime (required)
   LastLogin: DateTime? (optional)
@@ -49,7 +51,19 @@ UserQueueOffsets:
   AnnotationsConfirmOffset: ulong
   AnnotationsCommandsOffset: ulong
 
+DetectionClass (AZ-513):
+  Id: int (PK, DB-assigned identity)
+  Name, ShortName, Color: string
+  MaxSizeM: double
+  PhotoMode: string?
+  CreatedAt: DateTime
+
+// Resource entity — REMOVED post-cycle-1 (AZ-183 reverted). The `resources`
+// table no longer exists; see env/db/ for the current migration set.
+
 RoleEnum: None=0, Operator=10, Validator=20, CompanionPC=30, Admin=40, ResourceUploader=50, ApiAdmin=1000
+// ResourceUploader is now data-only — no endpoint policy references it
+// after AZ-183 was reverted.
 ```
 
 ### Configuration POCOs
@@ -69,6 +83,7 @@ ResourcesConfig:
   ResourcesFolder: string
   SuiteInstallerFolder: string
   SuiteStageInstallerFolder: string
+  # EncryptionMasterKey was added by AZ-183 and removed in the post-cycle-1 revert.
 ```
 
 ## 3. External API Specification
@@ -81,23 +96,26 @@ N/A — internal component.
 
 | Query | Frequency | Hot Path | Index Needed |
 |-------|-----------|----------|--------------|
-| `SELECT * FROM users WHERE email = ?` | High | Yes | Yes (email) |
+| `SELECT * FROM users WHERE email = ?` | High | Yes | Yes — UNIQUE INDEX `users_email_uidx` on `email` (security audit F-3, `env/db/06_users_email_unique.sql`) |
 | `SELECT * FROM users` with optional filters | Medium | No | No |
 | `UPDATE users SET ... WHERE email = ?` | Medium | No | No |
-| `INSERT INTO users` | Low | No | No |
+| `INSERT INTO users` | Low | No | No (UNIQUE INDEX above also enforces single-row-per-email atomically) |
 | `DELETE FROM users WHERE email = ?` | Low | No | No |
 
 ### Caching Strategy
 
 | Data | Cache Type | TTL | Invalidation |
 |------|-----------|-----|-------------|
-| User by email | In-memory (LazyCache) | 4 hours | On hardware update, queue offset update, hardware check |
+| User by email | In-memory (LazyCache) | 4 hours | On `UpdateQueueOffsets` (post-AZ-197 — hardware paths gone) |
+
+> The `Resources.Latest.{arch}.{stage}` cache key (added by AZ-183) was removed in the post-cycle-1 revert.
 
 ### Storage Estimates
 
 | Table | Est. Row Count (1yr) | Row Size | Total Size | Growth Rate |
 |-------|---------------------|----------|------------|-------------|
-| `users` | 100–1000 | ~500 bytes | ~500 KB | Low |
+| `users` | 100–1000 web users + 2000–10000 CompanionPC device users (AZ-196 grows this) | ~500 bytes | ~5 MB | Medium (device fleet) |
+| `detection_classes` (AZ-513) | 10–200 | ~250 bytes | ~50 KB | Low |
 
 ### Data Management
 
@@ -116,7 +134,7 @@ N/A — internal component.
 | linq2db | 5.4.1 | ORM for PostgreSQL access |
 | Npgsql | 10.0.1 | PostgreSQL ADO.NET provider |
 | LazyCache | 2.4.0 | In-memory cache with async support |
-| Newtonsoft.Json | 13.0.1 | JSON serialization for UserConfig |
+| Newtonsoft.Json | 13.0.4 | JSON serialization for UserConfig (bumped from 13.0.1 by security audit D-1, GHSA-5crp-9r3c-p9vr) |
 
 **Error Handling Strategy**:
 - `DbFactory.LoadOptions` throws `ArgumentException` on empty connection strings (fail-fast at startup).
@@ -167,7 +185,8 @@ N/A — internal component.
 - `Common/Configs/ResourcesConfig`
 - `Common/Entities/User`
 - `Common/Entities/RoleEnum`
-- `Common/Database/AzaionDb`
+- `Common/Entities/DetectionClass` *(added cycle 1, AZ-513)*
+- `Common/Database/AzaionDb` (now also holds the `DetectionClasses` table; the `Resources` ITable added by AZ-183 was removed in the post-cycle-1 revert)
 - `Common/Database/AzaionDbSchemaHolder`
 - `Common/Database/DbFactory`
 - `Services/Cache`

_docs/02_document/components/02_user_management/description.md

@@ -1,12 +1,14 @@
 # User Management
 
+> **Cycle 1 (2026-05-13) note** — hardware-binding methods (`UpdateHardware`, `CheckHardwareHash`) and `SetHWRequest` were removed by AZ-197; the `ValidateUser` error set now includes `UserDisabled`; `RegisterDevice` was added by AZ-196 to back the new `POST /devices` endpoint. Post-cycle-1 (security audit F-3): `RegisterDevice` now reuses `RegisterUser` for the row insert; the duplicate-row race was closed by adding a UNIQUE INDEX on `users.email` (`env/db/06_users_email_unique.sql`) and translating `Npgsql.PostgresException(SqlState=23505)` to `BusinessException(EmailExists)` inside `RegisterUser`.
+
 ## 1. High-Level Overview
 
-**Purpose**: Full user lifecycle management — registration, credential validation, hardware binding, role changes, account enable/disable, and deletion.
+**Purpose**: Full user lifecycle management — web-user registration, credential validation, role changes, account enable/disable, deletion, plus auto-provisioning of CompanionPC device users.
 
 **Architectural Pattern**: Service layer — stateless business logic operating on the Data Layer through `IDbFactory`.
 
-**Upstream dependencies**: Data Layer (IDbFactory, ICache, User entity), Security & Cryptography (hashing).
+**Upstream dependencies**: Data Layer (IDbFactory, ICache, User entity), Security & Cryptography (hashing), `System.Security.Cryptography.RandomNumberGenerator` (device password entropy).
 
 **Downstream consumers**: Admin API (endpoint handlers), Authentication (GetByEmail).
 
@@ -16,18 +18,19 @@
 
 | Method | Input | Output | Async | Error Types |
 |--------|-------|--------|-------|-------------|
-| `RegisterUser` | `RegisterUserRequest, CancellationToken` | void | Yes | `BusinessException(EmailExists)` |
-| `ValidateUser` | `LoginRequest, CancellationToken` | `User` | Yes | `BusinessException(NoEmailFound, WrongPassword)` |
+| `RegisterUser` | `RegisterUserRequest, CancellationToken` | void | Yes | `BusinessException(EmailExists)` — translated from `PostgresException(23505)` after the F-3 hardening |
+| `RegisterDevice` | `CancellationToken` | `RegisterDeviceResponse` | Yes | `BusinessException(EmailExists)` (propagated from `RegisterUser`) — added by AZ-196, refactored post-audit to call `RegisterUser` end-to-end |
+| `ValidateUser` | `LoginRequest, CancellationToken` | `User` | Yes | `BusinessException(NoEmailFound, WrongPassword, UserDisabled)` |
 | `GetByEmail` | `string? email, CancellationToken` | `User?` | Yes | `ArgumentNullException` |
-| `UpdateHardware` | `string email, string? hardware, CancellationToken` | void | Yes | None |
 | `UpdateQueueOffsets` | `string email, UserQueueOffsets, CancellationToken` | void | Yes | None |
 | `GetUsers` | `string? searchEmail, RoleEnum? searchRole, CancellationToken` | `IEnumerable<User>` | Yes | None |
-| `CheckHardwareHash` | `User, string hardware, CancellationToken` | `string` (hash) | Yes | `BusinessException(HardwareIdMismatch)` |
 | `ChangeRole` | `string email, RoleEnum, CancellationToken` | void | Yes | None |
 | `SetEnableStatus` | `string email, bool, CancellationToken` | void | Yes | None |
 | `RemoveUser` | `string email, CancellationToken` | void | Yes | None |
 
-**Input DTOs**:
+**Removed by AZ-197**: `UpdateHardware`, `CheckHardwareHash`, and the private `UpdateLastLoginDate` helper.
+
+**Input / Output DTOs**:
 ```
 RegisterUserRequest:
   Email: string (required) — validated: min 8 chars, valid email format
@@ -38,9 +41,10 @@ LoginRequest:
   Email: string (required)
   Password: string (required)
 
-SetHWRequest:
-  Email: string (required, validated: not empty)
-  Hardware: string? (optional — null clears hardware)
+RegisterDeviceResponse (AZ-196):
+  Serial: string ("azj-NNNN", zero-padded)
+  Email: string ("azj-NNNN@azaion.com")
+  Password: string (32-char hex, plaintext, exposed exactly once)
 
 SetUserQueueOffsetsRequest:
   Email: string (required)
@@ -67,7 +71,7 @@ N/A — exposed through Admin API component.
 
 | Data | Cache Type | TTL | Invalidation |
 |------|-----------|-----|-------------|
-| User by email | In-memory (via ICache) | 4 hours | After UpdateHardware, UpdateQueueOffsets, CheckHardwareHash (first login) |
+| User by email | In-memory (via ICache) | 4 hours | After `UpdateQueueOffsets` (only — `UpdateHardware` / `CheckHardwareHash` invalidations are gone with AZ-197) |
 
 ## 5. Implementation Details
 
@@ -89,20 +93,21 @@ N/A — exposed through Admin API component.
 
 | Helper | Purpose | Used By |
 |--------|---------|---------|
-| `Security.ToHash` | Password hashing (SHA-384) | RegisterUser, ValidateUser |
-| `Security.GetHWHash` | Hardware fingerprint hashing | CheckHardwareHash |
+| `Security.ToHash` | Password hashing (SHA-384) | RegisterUser, RegisterDevice, ValidateUser |
+| `RandomNumberGenerator.GetBytes(16)` + `Convert.ToHexString` | 32-char hex device password | RegisterDevice |
 | `QueryableExtensions.WhereIf` | Conditional LINQ filters | GetUsers |
 
 ## 7. Caveats & Edge Cases
 
 **Known limitations**:
 - No pagination on `GetUsers` — returns all matching users.
-- `CheckHardwareHash` auto-stores hardware on first access (no explicit admin approval step).
 - `RemoveUser` is a hard delete, not soft delete.
+- `RegisterDevice` returns the plaintext password to the caller exactly once; if the provisioning script loses it, the device must be re-registered.
+- The `User.Hardware` column is left in place but unused (AZ-197 chose to leave the column nullable rather than ship a migration).
 
 **Potential race conditions**:
 - Concurrent `RegisterUser` calls with the same email: both could pass the existence check before insert. Mitigated by database unique constraint on email (if one exists).
-- `CheckHardwareHash` first-login path: concurrent requests could trigger multiple hardware updates.
+- Concurrent `RegisterDevice` calls: both could read the same "most recent CompanionPC" row and try to claim the same `azj-NNNN` serial. Mitigated by the `users.email` unique constraint — the loser will fail the insert. (Out of cycle-1 scope: a sequence-based serial allocator would eliminate the retry.)
 
 **Performance bottlenecks**:
 - `GetUsers` loads full user objects including `UserConfig` JSON; for large user bases, projection would be more efficient.
@@ -123,5 +128,7 @@ No explicit logging in UserService.
 - `Services/UserService`
 - `Common/Requests/LoginRequest`
 - `Common/Requests/RegisterUserRequest`
-- `Common/Requests/SetHWRequest`
+- `Common/Requests/RegisterDeviceResponse` *(added cycle 1, AZ-196)*
 - `Common/Requests/SetUserQueueOffsetsRequest`
+
+**Removed cycle 1 (AZ-197)**: `Common/Requests/SetHWRequest`

_docs/02_document/components/03_auth_and_security/description.md

@@ -1,14 +1,16 @@
 # Authentication & Security
 
+> **Cycle 1 (2026-05-13) note** — AZ-197 simplified `GetApiEncryptionKey` to `(email, password)` and removed `GetHWHash` outright. The hardware-binding threat model that motivated those primitives is no longer in scope (fTPM-anchored Jetsons + browser SaaS).
+
 ## 1. High-Level Overview
 
-**Purpose**: JWT token creation/validation and cryptographic utilities (password hashing, hardware fingerprint hashing, AES file encryption/decryption).
+**Purpose**: JWT token creation/validation and cryptographic utilities (password hashing, AES file encryption/decryption).
 
 **Architectural Pattern**: Service + static utility — `AuthService` is a DI-managed service for JWT operations; `Security` is a static class for cryptographic primitives.
 
 **Upstream dependencies**: Data Layer (JwtConfig, IUserService for GetByEmail), ASP.NET Core (IHttpContextAccessor).
 
-**Downstream consumers**: Admin API (token creation on login, current user resolution), User Management (password hashing, hardware hashing), Resource Management (encryption key derivation, stream encryption).
+**Downstream consumers**: Admin API (token creation on login, current user resolution), User Management (password hashing for both web users and provisioned devices), Resource Management (encryption key derivation, stream encryption).
 
 ## 2. Internal Interfaces
 
@@ -24,11 +26,12 @@
 | Method | Input | Output | Description |
 |--------|-------|--------|-------------|
 | `ToHash` | `string` | `string` (Base64) | SHA-384 hash |
-| `GetHWHash` | `string hardware` | `string` (Base64) | Salted hardware hash |
-| `GetApiEncryptionKey` | `string email, string password, string? hwHash` | `string` (Base64) | Derives AES encryption key |
+| `GetApiEncryptionKey` | `string email, string password` | `string` (Base64) | Derives the per-user AES encryption key string. **Signature simplified by AZ-197** (`hardwareHash` parameter removed). |
 | `EncryptTo` | `Stream input, Stream output, string key, CancellationToken` | void | AES-256-CBC encrypt stream |
 | `DecryptTo` | `Stream encrypted, Stream output, string key, CancellationToken` | void | AES-256-CBC decrypt stream |
 
+**Removed by AZ-197**: `GetHWHash(string hardware)` — no remaining callers in the post-cycle-1 codebase.
+
 ## 3. External API Specification
 
 N/A — exposed through Admin API.
@@ -62,11 +65,13 @@ None — `Security` itself is a utility consumed by other components.
 ## 7. Caveats & Edge Cases
 
 **Known limitations**:
-- Password hashing uses SHA-384 without per-user salt or key stretching. Not resistant to rainbow table attacks.
-- Hardware and encryption key salts are hardcoded constants.
+- Password hashing uses SHA-384 without per-user salt or key stretching. Not resistant to rainbow table attacks. (Unchanged by cycle 1.)
+- The encryption-key salt is a hardcoded constant. (`Security.GetApiEncryptionKey` body — see `services_security.md`.)
 - `GetCurrentUserEmail` assumes `ClaimTypes.Name` is always present; accessing a missing key would throw `KeyNotFoundException`.
 - AES encryption prepends IV as first 16 bytes — consumers must know this format.
 
+**Removed in cycle 1**: hardware fingerprint hashing was a known weakness (static salt, no rotation); deleting it via AZ-197 also removed that attack surface.
+
 **Performance bottlenecks**:
 - Large file encryption loads encrypted output into `MemoryStream` before sending — high memory usage for large files.
 

_docs/02_document/components/04_resource_management/description.md

@@ -1,12 +1,14 @@
 # Resource Management
 
+> **Cycle 1 (2026-05-13) note** — AZ-197 removed the `Hardware` field from `GetResourceRequest` and removed `CheckResourceRequest` and `POST /resources/check` entirely. AZ-183 introduced an OTA update path (`POST /get-update`, `POST /resources/publish`, `IResourceUpdateService`, `Resource` entity, `resources` table, `ResourcesConfig.EncryptionMasterKey`) but it was reverted later the same day after the security audit (finding F-1) — the OTA delivery model itself was deemed obsolete. The component is now back to filesystem-backed storage only.
+
 ## 1. High-Level Overview
 
-**Purpose**: Server-side file storage management — upload, list, download (with per-user AES encryption), folder clearing, and installer distribution.
+**Purpose**: filesystem-backed storage — upload, list, download (per-user AES-encrypted), folder clearing, installer distribution. Owned by `IResourcesService`.
 
-**Architectural Pattern**: Service layer — filesystem operations with encryption applied at the service boundary.
+**Architectural Pattern**: a single service over the local filesystem. No DB access, no cache.
 
-**Upstream dependencies**: Data Layer (ResourcesConfig), Authentication & Security (encryption via Security.EncryptTo).
+**Upstream dependencies**: Data Layer (`ResourcesConfig`), Authentication & Security (encryption via `Security.EncryptTo`).
 
 **Downstream consumers**: Admin API (resource endpoints).
 
@@ -22,15 +24,15 @@
 | `ListResources` | `string? dataFolder, string? search, CancellationToken` | `IEnumerable<string>` | Yes | `DirectoryNotFoundException` |
 | `ClearFolder` | `string? dataFolder` | void | No | None |
 
-**Input DTOs**:
+**Input DTO**:
 ```
-GetResourceRequest:
+GetResourceRequest (post-AZ-197):
   Password: string (required, min 8 chars)
-  Hardware: string (required, not empty)
   FileName: string (required, not empty)
+  // Hardware field removed by AZ-197.
 
-CheckResourceRequest:
-  Hardware: string (required)
+// CheckResourceRequest — REMOVED by AZ-197.
+// GetUpdateRequest, PublishResourceRequest — added by AZ-183, removed in the post-cycle-1 revert.
 ```
 
 ## 3. External API Specification
@@ -39,17 +41,21 @@ N/A — exposed through Admin API.
 
 ## 4. Data Access Patterns
 
-No database access. All operations are filesystem-based.
+`ResourcesService` is filesystem-only — no DB access, no cache.
+
+| Source | Service | Pattern |
+|--------|---------|---------|
+| Filesystem (`ResourcesConfig.ResourcesFolder`) | `ResourcesService` | Direct read/write/delete |
 
 ### Storage Estimates
 
-Resources are stored as flat files in configured directories. Size depends on uploaded content (AI models, DLLs, installers — potentially hundreds of MB per file).
+- **Filesystem**: AI models, DLLs, installers — potentially hundreds of MB per file.
 
 ## 5. Implementation Details
 
-**State Management**: Stateless — reads/writes directly to filesystem.
+**State Management**: stateless — reads/writes directly to filesystem.
 
-**Key Dependencies**: None beyond BCL (System.IO).
+**Key Dependencies**: none beyond BCL (System.IO).
 
 **Error Handling Strategy**:
 - `SaveResource` throws `BusinessException(NoFileProvided)` for null uploads.
@@ -61,13 +67,13 @@ Resources are stored as flat files in configured directories. Size depends on up
 
 | Helper | Purpose | Used By |
 |--------|---------|---------|
-| `Security.EncryptTo` | AES stream encryption | GetEncryptedResource |
-| `Security.GetApiEncryptionKey` | Key derivation | Admin API (before calling GetEncryptedResource) |
+| `Security.EncryptTo` | AES stream encryption | `GetEncryptedResource` |
+| `Security.GetApiEncryptionKey(email, password)` | Per-user key derivation (post-AZ-197 — no hardware component) | Admin API (before calling `GetEncryptedResource`) |
 
 ## 7. Caveats & Edge Cases
 
-**Known limitations**:
-- No path traversal protection: `dataFolder` parameter is concatenated directly with `ResourcesFolder`. A malicious `dataFolder` like `../../etc` could access arbitrary filesystem paths.
+**Known limitations** (security-audit findings):
+- **F-2 (High)** — no path traversal protection: `dataFolder` parameter is concatenated directly with `ResourcesFolder`. A malicious `dataFolder` like `../../etc` could access arbitrary filesystem paths. Filed as separate ticket.
 - `SaveResource` deletes existing file before writing — no versioning or backup.
 - `GetEncryptedResource` loads the entire encrypted file into a `MemoryStream` — memory-intensive for large files.
 - `ListResources` wraps a synchronous `DirectoryInfo.GetFiles` in `Task.FromResult` — not truly async.
@@ -90,11 +96,11 @@ Resources are stored as flat files in configured directories. Size depends on up
 |-----------|------|---------|
 | INFO | Successful file save | `Resource {data.FileName} Saved Successfully` |
 
-**Log format**: String interpolation via Serilog.
+**Log format**: string interpolation via Serilog (security audit F-12 hygiene item: convert to structured form).
 
-**Log storage**: Console + rolling file (via Serilog configured in Program.cs).
+**Log storage**: console + rolling file (via Serilog configured in Program.cs).
 
 ## Modules Covered
 - `Services/ResourcesService`
-- `Common/Requests/GetResourceRequest` (includes CheckResourceRequest)
-- `Common/Configs/ResourcesConfig`
+- `Common/Requests/GetResourceRequest` (post-AZ-197 — no `CheckResourceRequest`, no `Hardware` field)
+- `Common/Configs/ResourcesConfig` (the `EncryptionMasterKey` field added by AZ-183 was removed in the post-cycle-1 revert)

_docs/02_document/components/05_admin_api/description.md

@@ -22,6 +22,8 @@ Converts `BusinessException` to HTTP 409 JSON response: `{ ErrorCode: int, Messa
 
 ## 3. External API Specification
 
+> **Cycle 1 (2026-05-13) note** — endpoints below reflect the post-cycle-1 surface (AZ-513 Detection Classes CRUD, AZ-196 device auto-provisioning, AZ-197 hardware-binding removal). AZ-183 (OTA) shipped in cycle 1 but was reverted later the same day after the security audit (finding F-1) — the OTA delivery model itself was deemed obsolete. For per-endpoint cycle origins see `modules/admin_api_program.md`.
+
 ### Authentication
 | Endpoint | Method | Auth | Description |
 |----------|--------|------|-------------|
@@ -31,29 +33,41 @@ Converts `BusinessException` to HTTP 409 JSON response: `{ ErrorCode: int, Messa
 | Endpoint | Method | Auth | Description |
 |----------|--------|------|-------------|
 | `/users` | POST | ApiAdmin | Creates a new user |
+| `/devices` | POST | ApiAdmin | **AZ-196**: provisions a CompanionPC device user (returns serial + email + plaintext password once) |
 | `/users/current` | GET | Authenticated | Returns current user |
 | `/users` | GET | ApiAdmin | Lists users (optional email/role filters) |
-| `/users/hardware/set` | PUT | ApiAdmin | Sets user hardware |
 | `/users/queue-offsets/set` | PUT | Authenticated | Updates queue offsets |
 | `/users/{email}/set-role/{role}` | PUT | ApiAdmin | Changes user role |
 | `/users/{email}/enable` | PUT | ApiAdmin | Enables user |
 | `/users/{email}/disable` | PUT | ApiAdmin | Disables user |
 | `/users/{email}` | DELETE | ApiAdmin | Removes user |
 
+**Removed by AZ-197**: `PUT /users/hardware/set` (Hardware-binding feature deleted)
+
 ### Resource Management
 | Endpoint | Method | Auth | Description |
 |----------|--------|------|-------------|
 | `/resources/{dataFolder?}` | POST | Authenticated | Uploads a file (up to 200 MB) |
 | `/resources/list/{dataFolder?}` | GET | Authenticated | Lists files |
 | `/resources/clear/{dataFolder?}` | POST | ApiAdmin | Clears folder |
-| `/resources/get/{dataFolder?}` | POST | Authenticated | Downloads encrypted resource |
+| `/resources/get/{dataFolder?}` | POST | Authenticated | Downloads encrypted resource (key derived from `email + password` only — no Hardware) |
 | `/resources/get-installer` | GET | Authenticated | Downloads production installer |
 | `/resources/get-installer/stage` | GET | Authenticated | Downloads staging installer |
-| `/resources/check` | POST | Authenticated | Validates hardware |
+
+**Removed by AZ-197**: `POST /resources/check` (was the hardware-binding side-effect probe).
+**Removed in post-cycle-1 revert**: `POST /get-update` and `POST /resources/publish` (AZ-183 reverted — security audit F-1; OTA delivery model itself obsolete).
+
+### Detection Classes
+| Endpoint | Method | Auth | Description |
+|----------|--------|------|-------------|
+| `/classes` | POST | ApiAdmin | **AZ-513**: creates a detection class |
+| `/classes/{id:int}` | PATCH | ApiAdmin | **AZ-513**: partial-merge update of a detection class |
+| `/classes/{id:int}` | DELETE | ApiAdmin | **AZ-513**: deletes a detection class |
 
 ### Authorization Policies
 - **apiAdminPolicy**: requires `ApiAdmin` role (used on most admin endpoints)
-- **apiUploaderPolicy**: requires `ResourceUploader` or `ApiAdmin` role (**defined but never applied to any endpoint — dead code**)
+
+> The `apiUploaderPolicy` was added by AZ-183 and removed in the post-cycle-1 revert along with the OTA endpoints it guarded. `RoleEnum.ResourceUploader` remains as data only.
 
 ### CORS
 - Allowed origins: `https://admin.azaion.com`, `http://admin.azaion.com`