Refactor task management structure and update documentation

- Changed the directory structure for task specifications to include a dedicated `todo/` folder within `_docs/02_tasks/` for tasks ready for implementation.
- Updated references in various skills and documentation to reflect the new task lifecycle, including changes in the `implementer` and `decompose` skills.
- Enhanced the README and flow documentation to clarify the new task organization and its implications for the implementation process.

These updates improve task management clarity and streamline the implementation workflow.

_docs/02_tasks/done/AZ-157_test_encryption.md

@@ -0,0 +1,102 @@
+# Encryption & Security Tests
+
+**Task**: AZ-157_test_encryption
+**Name**: Encryption & Security Tests
+**Description**: Implement blackbox, security, performance, resilience, and resource tests for AES-256-CBC encryption — roundtrips, key behavior, IV randomness, throughput, size bounds
+**Complexity**: 3 points
+**Dependencies**: AZ-152_test_infrastructure
+**Component**: Blackbox Tests
+**Jira**: AZ-157
+**Epic**: AZ-151
+
+## Problem
+
+The encryption module must correctly encrypt/decrypt data, produce key-dependent ciphertexts with random IVs, handle edge cases, and meet throughput requirements.
+
+## Outcome
+
+- 13 passing pytest tests in `tests/test_encryption.py`
+- Performance test in `tests/performance/test_encryption_perf.py`
+
+## Scope
+
+### Included
+- BT-ENC-01: Encrypt-decrypt roundtrip (1024 random bytes)
+- BT-ENC-02: Encrypt-decrypt roundtrip (ONNX model)
+- BT-ENC-03: Empty input roundtrip
+- BT-ENC-04: Single byte roundtrip
+- BT-ENC-05: Different keys produce different ciphertext
+- BT-ENC-06: Wrong key fails decryption
+- PT-ENC-01: Encryption throughput (10MB ≤ 5s)
+- RT-ENC-01: Decrypt with corrupted ciphertext
+- ST-ENC-01: Random IV (same data, same key → different ciphertexts)
+- ST-ENC-02: Wrong key cannot recover plaintext
+- ST-ENC-03: Model encryption key is deterministic
+- RL-ENC-01: Encrypted output size bounded (≤ N + 32 bytes)
+
+### Excluded
+- Model split tests (separate task)
+
+## Acceptance Criteria
+
+**AC-1: Roundtrip**
+Given 1024 random bytes and key "test-key"
+When encrypt then decrypt
+Then output equals input exactly
+
+**AC-2: Model roundtrip**
+Given azaion.onnx bytes and model encryption key
+When encrypt then decrypt
+Then output equals input exactly
+
+**AC-3: Empty input**
+Given b"" and key
+When encrypt then decrypt
+Then output equals b""
+
+**AC-4: Single byte**
+Given b"\x00" and key
+When encrypt then decrypt
+Then output equals b"\x00"
+
+**AC-5: Key-dependent ciphertext**
+Given same data, keys "key-a" and "key-b"
+When encrypting with each key
+Then ciphertexts differ
+
+**AC-6: Wrong key failure**
+Given encrypted with "key-a"
+When decrypting with "key-b"
+Then output does NOT equal original
+
+**AC-7: Throughput**
+Given 10MB random bytes
+When encrypt + decrypt roundtrip
+Then completes within 5 seconds
+
+**AC-8: Corrupted ciphertext**
+Given randomly modified ciphertext bytes
+When decrypt_to is called
+Then either raises exception or returns non-original bytes
+
+**AC-9: Random IV**
+Given same data, same key, encrypted twice
+When comparing ciphertexts
+Then they differ (random IV)
+
+**AC-10: Model key deterministic**
+Given two calls to get_model_encryption_key()
+When comparing results
+Then identical
+
+**AC-11: Size bound**
+Given N bytes plaintext
+When encrypted
+Then ciphertext size ≤ N + 32 bytes
+
+## Constraints
+
+- ONNX model fixture is session-scoped (77MB, read once)
+- Security tests marked: `@pytest.mark.security`
+- Performance test marked: `@pytest.mark.performance`
+- Resource limit test marked: `@pytest.mark.resource_limit`