refactor: remove deploy.cmd and update Dockerfile for health checks

- Deleted the deploy.cmd script as it was no longer needed.
- Updated Dockerfile to include curl for health checks and added a non-root user for improved security.
- Modified health check command to use curl for better reliability.
- Adjusted docker-compose.test.yml to reflect changes in health check configuration.
- Cleaned up appsettings.json and removed unused configuration properties.
- Removed Resource entity and related requests from the codebase as part of the architectural shift.
- Updated documentation to reflect the removal of hardware binding and related endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/02_document/modules/common_requests_get_resource.md

@@ -1,27 +1,22 @@
 # Module: Azaion.Common.Requests.GetResourceRequest
 
 ## Purpose
-Request DTOs and validator for resource access endpoints. Contains both `GetResourceRequest` and `CheckResourceRequest`.
+Request DTO and validator for the `POST /resources/get/{dataFolder?}` endpoint. The user's password is supplied per-request so the server can derive the per-user AES encryption key for the response stream.
+
+> **Cycle 1 (2026-05-13) note** — the `Hardware` property and its `BadHardware` validator rule were removed by AZ-197 (admin-side hardware-binding cleanup). The wire-compat policy was "drop entirely" — any client still sending `Hardware` will not see it deserialized. The companion `CheckResourceRequest` was removed along with the `POST /resources/check` endpoint. See `_docs/03_implementation/batch_06_report.md`.
 
 ## Public Interface
 
-### CheckResourceRequest
-| Property | Type | Description |
-|----------|------|-------------|
-| `Hardware` | `string` | Hardware fingerprint to validate |
-
 ### GetResourceRequest
 | Property | Type | Description |
 |----------|------|-------------|
-| `Password` | `string` | User's password (used to derive encryption key) |
-| `Hardware` | `string` | Hardware fingerprint for authorization |
+| `Password` | `string` | User's password (used to derive the encryption key) |
 | `FileName` | `string` | Resource file to retrieve |
 
 ### GetResourceRequestValidator
 | Rule | Constraint | Error Code |
 |------|-----------|------------|
 | `Password` min length | >= 8 chars | `PasswordLengthIncorrect` |
-| `Hardware` not empty | Required | `BadHardware` |
 | `FileName` not empty | Required | `WrongResourceName` |
 
 ## Internal Logic
@@ -32,7 +27,7 @@ Validator uses `BusinessException.GetMessage()` to derive user-facing error mess
 - FluentValidation
 
 ## Consumers
-- `Program.cs` `/resources/get/{dataFolder?}` and `/resources/check` endpoints
+- `Program.cs` `POST /resources/get/{dataFolder?}` endpoint
 
 ## Data Models
 None.
@@ -44,7 +39,8 @@ None.
 None.
 
 ## Security
-Password is sent in the POST body (not URL) to avoid logging in access logs. Hardware fingerprint validates device authorization.
+- Password is sent in the POST body (not URL) to avoid logging in access logs.
+- Per-user encryption key derivation now uses `email + password` only (see `services_security.md`).
 
 ## Tests
-None.
+- `e2e/Azaion.E2E/Tests/ResourceTests.cs` (encrypted download / round-trip) — updated by AZ-197 to stop sending `Hardware`