refactor: remove deploy.cmd and update Dockerfile for health checks

- Deleted the deploy.cmd script as it was no longer needed.
- Updated Dockerfile to include curl for health checks and added a non-root user for improved security.
- Modified health check command to use curl for better reliability.
- Adjusted docker-compose.test.yml to reflect changes in health check configuration.
- Cleaned up appsettings.json and removed unused configuration properties.
- Removed Resource entity and related requests from the codebase as part of the architectural shift.
- Updated documentation to reflect the removal of hardware binding and related endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>

secrets/.sops.yaml

@@ -0,0 +1,28 @@
+# sops creation rules — see https://github.com/getsops/sops
+#
+# Each rule routes a path-regex to one or more age recipients (public keys).
+# The matching age PRIVATE key lives outside the repo at /etc/azaion/age.key
+# on the deploy host and is consumed by `scripts/deploy.sh` via
+# `SOPS_AGE_KEY_FILE`.
+#
+# Onboarding a new operator:
+#   1. They generate `age-keygen -o ~/.config/sops/age/keys.txt`
+#   2. Their public key is appended below as an additional age recipient on the
+#      relevant rule.
+#   3. Run `sops updatekeys secrets/<env>.env` to re-encrypt the file with the
+#      new recipient list.
+#   4. Commit the updated `.sops.yaml` AND the updated encrypted file in the
+#      same commit. NEVER commit the private key.
+#
+# Cycle 1 placeholder: the recipient values below are the literal string
+# `REPLACE_WITH_AGE_PUBLIC_KEY` so the file is reviewable but no real key is
+# leaked. The first deploy MUST replace these before encrypting any real
+# secret. The deploy script will fail loudly if it cannot decrypt.
+
+creation_rules:
+  - path_regex: secrets/staging\.env$
+    age:
+      - REPLACE_WITH_AGE_PUBLIC_KEY_FOR_STAGING
+  - path_regex: secrets/production\.env$
+    age:
+      - REPLACE_WITH_AGE_PUBLIC_KEY_FOR_PRODUCTION

secrets/README.md

@@ -0,0 +1,57 @@
+# `secrets/` — sops + age secret material
+
+This folder holds **per-environment** runtime configuration for the Admin API.
+
+| File | Tracked | Encrypted | Loaded by |
+|------|---------|-----------|-----------|
+| `.sops.yaml` | yes | n/a | sops itself (resolves recipients) |
+| `staging.public.env` | yes | no | `scripts/_lib.sh` → `set -a; .` (loaded BEFORE the encrypted overlay) |
+| `production.public.env` | yes | no | same |
+| `staging.env` | yes (after first encryption) | **yes** (sops + age) | `scripts/deploy.sh` decrypts to a tempfile then sources it |
+| `production.env` | yes (after first encryption) | **yes** (sops + age) | same |
+| age private key | **never tracked** | n/a | lives at `/etc/azaion/age.key` on the deploy host (mode 0400) |
+
+## First-time bootstrap on a fresh host
+
+```bash
+# 1. Install sops + age on the host
+sudo apt-get install -y sops age
+
+# 2. Generate the host's age keypair
+sudo install -d -m 0700 /etc/azaion
+sudo age-keygen -o /etc/azaion/age.key
+sudo chmod 0400 /etc/azaion/age.key
+sudo grep '^# public key:' /etc/azaion/age.key
+# → copy the public key string
+
+# 3. On a developer machine, replace the placeholder in `secrets/.sops.yaml`
+#    with the public key from step 2 (for the matching environment), then
+#    encrypt the env file:
+#       sops --encrypt --age <public-key> secrets/staging.env > secrets/staging.enc.tmp
+#       mv secrets/staging.enc.tmp secrets/staging.env
+#    Commit `.sops.yaml` and the encrypted file together.
+
+# 4. Sanity-check on the host:
+SOPS_AGE_KEY_FILE=/etc/azaion/age.key sops -d secrets/staging.env | head
+```
+
+## Rotation
+
+See `_docs/04_deploy/environment_strategy.md` §3 for the per-secret rotation cadence and procedure.
+
+## What goes where
+
+- **Public env (staging.public.env / production.public.env)** — anything that is NOT a secret: hostname, port, container name, JWT issuer/audience, resource folder names. Reviewable in PRs.
+- **Encrypted env (staging.env / production.env)** — DB connection strings (with passwords), `JwtConfig__Secret`, `REGISTRY_USER`, `REGISTRY_TOKEN`, anything else sensitive. NEVER readable in plain text outside the host.
+
+## Schema (variables that MUST be in the encrypted file)
+
+```
+ASPNETCORE_ConnectionStrings__AzaionDb=Host=...;Port=4312;Database=azaion;Username=azaion_reader;Password=...
+ASPNETCORE_ConnectionStrings__AzaionDbAdmin=Host=...;Port=4312;Database=azaion;Username=azaion_admin;Password=...
+ASPNETCORE_JwtConfig__Secret=<>= 32 random bytes>
+REGISTRY_USER=<registry account>
+REGISTRY_TOKEN=<registry token>
+```
+
+The deploy script will fail-fast if any of the first three are missing once the container starts.

secrets/production.public.env

@@ -0,0 +1,20 @@
+# Plain-text overlay for production — committed; safe to read.
+# Loaded BEFORE the sops-decrypted overlay; secret values stay encrypted.
+
+ASPNETCORE_ENVIRONMENT=Production
+ASPNETCORE_URLS=http://+:8080
+
+ASPNETCORE_JwtConfig__Issuer=AzaionApi
+ASPNETCORE_JwtConfig__Audience=Annotators/OrangePi/Admins
+ASPNETCORE_JwtConfig__TokenLifetimeHours=4
+ASPNETCORE_ResourcesConfig__ResourcesFolder=Content
+ASPNETCORE_ResourcesConfig__SuiteInstallerFolder=suite
+ASPNETCORE_ResourcesConfig__SuiteStageInstallerFolder=suite-stage
+
+DEPLOY_CONTAINER_NAME=azaion.api
+DEPLOY_HOST_PORT=4000
+DEPLOY_HOST_CONTENT_DIR=/root/api/content
+DEPLOY_HOST_LOGS_DIR=/root/api/logs
+
+REGISTRY_HOST=docker.azaion.com
+REGISTRY_IMAGE=azaion/admin

secrets/staging.public.env

@@ -0,0 +1,23 @@
+# Plain-text overlay for staging — committed; safe to read.
+# Loaded BEFORE the sops-decrypted overlay; secret values stay encrypted.
+
+ASPNETCORE_ENVIRONMENT=Staging
+ASPNETCORE_URLS=http://+:8080
+
+# Idempotent appsettings overrides — these match production for parity.
+ASPNETCORE_JwtConfig__Issuer=AzaionApi
+ASPNETCORE_JwtConfig__Audience=Annotators/OrangePi/Admins
+ASPNETCORE_JwtConfig__TokenLifetimeHours=4
+ASPNETCORE_ResourcesConfig__ResourcesFolder=Content
+ASPNETCORE_ResourcesConfig__SuiteInstallerFolder=suite
+ASPNETCORE_ResourcesConfig__SuiteStageInstallerFolder=suite-stage
+
+# Deploy-host plumbing.
+DEPLOY_CONTAINER_NAME=azaion.api
+DEPLOY_HOST_PORT=4000
+DEPLOY_HOST_CONTENT_DIR=/root/api/content
+DEPLOY_HOST_LOGS_DIR=/root/api/logs
+
+# Registry. REGISTRY_USER / REGISTRY_TOKEN come from the encrypted overlay.
+REGISTRY_HOST=docker.azaion.com
+REGISTRY_IMAGE=azaion/admin