# Restrictions

## Software Constraints

| Constraint | Value | Source |
|-----------|-------|--------|
| Runtime | .NET 10.0 | All `.csproj` files target `net10.0` |
| Database | PostgreSQL | `DbFactory` uses `UsePostgreSQL()`, Npgsql provider |
| ORM | linq2db 5.4.1 | No Entity Framework, no migration framework |
| Container base | `mcr.microsoft.com/dotnet/aspnet:10.0` | Dockerfile |
| Build platform | ARM64 | Woodpecker CI pipeline labels `platform: arm64` |
| Max upload size | 200 MB | Kestrel `MaxRequestBodySize = 209715200` |

## Environment Constraints

| Constraint | Value | Source |
|-----------|-------|--------|
| Target OS | Linux (Docker) | Dockerfile `DockerDefaultTargetOS=Linux` |
| DB port | 4312 (non-standard) | `env/db/00_install.sh` |
| CORS origins | `admin.azaion.com` (HTTP + HTTPS) | `Program.cs` CORS policy |
| Secrets | Environment variables (`ASPNETCORE_*` prefix) | `env/api/env.ps1`, no secret manager |
| Deployment model | Single container, no orchestration | `deploy.cmd`, Dockerfile |

## Operational Constraints

| Constraint | Value | Source |
|-----------|-------|--------|
| DB connection model | Two connections: reader + admin | `DbFactory` with `Run` / `RunAdmin` |
| Schema management | Manual SQL scripts (no ORM migrations) | `env/db/*.sql` |
| CI/CD | Build-only (no automated tests in pipeline) | `.woodpecker/build-arm.yml` |
| Private registry | `docker.azaion.com` and `localhost:5000` (CI) | `deploy.cmd`, CI config |
| File storage | Local server filesystem | `ResourcesConfig.ResourcesFolder` |

## Security Constraints

| Constraint | Value | Source |
|-----------|-------|--------|
| Authentication | JWT Bearer (HMAC-SHA256) | `Program.cs` auth config |
| Token lifetime | 4 hours | `appsettings.json` JwtConfig |
| Password hashing | SHA-384 (no per-user salt, no key stretching) | `Security.ToHash()` |
| Resource encryption | AES-256-CBC per-user (key from email + password + HW hash) | `Security.GetApiEncryptionKey`, `Security.EncryptTo` |
| Hardware binding | Single device per user, admin reset required | `UserService.CheckHardwareHash` |