[AZ-189] [AZ-190] [AZ-191] [AZ-192] [AZ-193] [AZ-194] [AZ-195] Add e2e blackbox test suite

Made-with: Cursor

_docs/02_document/04_verification_log.md

@@ -0,0 +1,115 @@
+# Verification Log
+
+## Summary
+
+| Metric | Count |
+|--------|-------|
+| Total entities verified | 87 |
+| Entities flagged | 0 |
+| Corrections applied | 3 |
+| Remaining gaps | 0 |
+| Completeness score | 27/27 modules (100%) |
+
+## Entity Verification
+
+All class names, method signatures, interfaces, enum values, and endpoints referenced in documentation were cross-referenced against actual source code. No hallucinated entities found.
+
+### Classes & Interfaces Verified
+- `User`, `UserConfig`, `UserQueueOffsets`, `RoleEnum` ✓
+- `BusinessException`, `ExceptionEnum` (all 10 values) ✓
+- `IDbFactory`, `DbFactory`, `AzaionDb`, `AzaionDbSchemaHolder` ✓
+- `IUserService`, `UserService` (all 10 methods) ✓
+- `IAuthService`, `AuthService` (2 methods) ✓
+- `IResourcesService`, `ResourcesService` (5 methods) ✓
+- `ICache`, `MemoryCache` (2 methods) ✓
+- `Security` (5 methods) ✓
+- `BusinessExceptionHandler` ✓
+- All config POCOs (`ConnectionStrings`, `JwtConfig`, `ResourcesConfig`) ✓
+- All request DTOs + validators ✓
+
+### Endpoints Verified
+All 17 endpoints in `Program.cs` match documentation. Routes, HTTP methods, and authorization requirements confirmed.
+
+## Corrections Applied
+
+### Correction 1: `apiUploaderPolicy` is unused dead code
+
+**Document**: `components/05_admin_api/description.md`, `architecture.md`
+
+**Finding**: `apiUploaderPolicy` is defined in `Program.cs` (lines 55-61) and registered via `AddPolicy`, but it is **never applied to any endpoint**. No `RequireAuthorization(apiUploaderPolicy)` call exists in the codebase. It is effectively dead code.
+
+**Action**: Added note in architecture.md and admin API component spec.
+
+### Correction 2: `BusinessExceptionHandler` cross-project namespace
+
+**Document**: `modules/admin_api_business_exception_handler.md`
+
+**Finding**: `BusinessExceptionHandler.cs` resides in the `Azaion.AdminApi` project but declares `namespace Azaion.Common;`. This is an unusual cross-project namespace usage — the class lives in the API project but belongs to the Common namespace.
+
+**Action**: Noted in module doc.
+
+### Correction 3: Missing appsettings discovery
+
+**Document**: `deployment/environment_strategy.md`
+
+**Finding**: `appsettings.json` was not initially read during discovery. It reveals:
+- `ResourcesConfig` defaults: `ResourcesFolder: "Content"`, `SuiteInstallerFolder: "suite"`, `SuiteStageInstallerFolder: "suite-stage"`
+- `JwtConfig`: Issuer `"AzaionApi"`, Audience `"Annotators/OrangePi/Admins"`, TokenLifetimeHours `4`
+- `ConnectionStrings` and `JwtConfig.Secret` are NOT in appsettings — must be provided via environment variables (correct practice for secrets)
+
+**Action**: Updated environment strategy doc.
+
+## Observations (not errors)
+
+### `hardware_hash` column mismatch
+The `users` table DDL includes `hardware_hash varchar(120)` but the application code does not map or use this column. The `User` entity has no `HardwareHash` property. The application stores raw hardware in `hardware` and computes hashes at runtime. The DDL column appears to be a leftover from an earlier design.
+
+### No UNIQUE constraint on `email`
+The DDL (`env/db/02_structure.sql`) does not include a UNIQUE constraint on the `email` column. Uniqueness is enforced at the application level in `UserService.RegisterUser` (check-then-insert pattern), which is susceptible to race conditions.
+
+### Test credentials in source
+`UserServiceTest.cs` contains hardcoded PostgreSQL credentials for a remote database server. These should be in a test configuration file or environment variables.
+
+### JWT Audience reveals system scope
+The JWT audience value `"Annotators/OrangePi/Admins"` reveals that the system serves annotators (operators), OrangePi/CompanionPC devices, and administrators — consistent with the `RoleEnum` definitions.
+
+## Completeness Check
+
+| Module (source file) | Module Doc | Component |
+|---------------------|-----------|-----------|
+| Common/Extensions/EnumExtensions.cs | ✓ | Common Helpers |
+| Common/Extensions/StringExtensions.cs | ✓ | Common Helpers |
+| Common/Extensions/StreamExtensions.cs | ✓ | Common Helpers |
+| Common/Extensions/QueryableExtensions.cs | ✓ | Common Helpers |
+| Common/Entities/RoleEnum.cs | ✓ | 01 Data Layer |
+| Common/Entities/User.cs | ✓ | 01 Data Layer |
+| Common/Configs/ConnectionStrings.cs | ✓ | 01 Data Layer |
+| Common/Configs/JwtConfig.cs | ✓ | 01 Data Layer |
+| Common/Configs/ResourcesConfig.cs | ✓ | 01 Data Layer |
+| Common/Database/AzaionDb.cs | ✓ | 01 Data Layer |
+| Common/Database/AzaionDbSchemaHolder.cs | ✓ | 01 Data Layer |
+| Common/Database/DbFactory.cs | ✓ | 01 Data Layer |
+| Common/BusinessException.cs | ✓ | Common Helpers |
+| Common/Requests/LoginRequest.cs | ✓ | 02 User Management |
+| Common/Requests/RegisterUserRequest.cs | ✓ | 02 User Management |
+| Common/Requests/GetResourceRequest.cs | ✓ | 04 Resource Management |
+| Common/Requests/SetHWRequest.cs | ✓ | 02 User Management |
+| Common/Requests/SetUserQueueOffsetsRequest.cs | ✓ | 02 User Management |
+| Services/Security.cs | ✓ | 03 Auth & Security |
+| Services/Cache.cs | ✓ | 01 Data Layer |
+| Services/UserService.cs | ✓ | 02 User Management |
+| Services/AuthService.cs | ✓ | 03 Auth & Security |
+| Services/ResourcesService.cs | ✓ | 04 Resource Management |
+| AdminApi/BusinessExceptionHandler.cs | ✓ | 05 Admin API |
+| AdminApi/Program.cs | ✓ | 05 Admin API |
+| Test/SecurityTest.cs | ✓ | Tests |
+| Test/UserServiceTest.cs | ✓ | Tests |
+
+All 27 modules are covered. No gaps.
+
+## Consistency Check
+
+- Component docs agree with architecture doc ✓
+- Flow diagrams match component interfaces ✓
+- Data model matches entity definitions ✓
+- Deployment docs match Dockerfile and CI config ✓