docs+src: complete Steps 1-3 outcomes + auth re-sync baseline

This commit captures everything produced during autodev existing-code
Steps 1 (Document), 2 (Architecture Baseline Scan), and 3 (Test Spec),
together with the targeted auth + CORS re-sync triggered on 2026-05-14
when codebase drift was detected at Step 4 entry. None of this work was
previously committed.

Step 1 (Document) — 50+ _docs/02_document/ files: problem, solution,
architecture, system flows, glossary, module-layout, per-component
specs (01..06), modules, deployment, diagrams, data model, FINAL
report, verification log, discovery.

Step 2 (Architecture Baseline) — architecture_compliance_baseline.md.
Verdict PASS_WITH_WARNINGS (0 Critical, 0 High, 1 Medium, 2 Low). No
High/Critical findings; auto-chained to Step 3 per existing-code flow.

Step 3 (Test Spec) — _docs/02_document/tests/* (67 scenarios across
blackbox, security, resilience, resource-limit, performance), plus
e2e/docker-compose.test.yml, e2e/seed/run.sh, scripts/run-tests.sh,
scripts/run-performance-tests.sh. Coverage 88% over the active scope
(40 of 45 items covered, 6 RB-deferred, 5 documented-as-uncovered).

Targeted auth + CORS re-sync — replaces the deleted in-house token
issuer with a JWKS-verifier model. AuthController and TokenService
removed; JwtExtensions switched from HS256 symmetric to ES256 over
admin's JWKS. ConfigurationResolver and CorsConfigurationValidator
added under src/Infrastructure/. ADR-002 and ADR-006 retired; SEC-01,
SEC-02, SEC-03 marked Closed. One new testability risk recorded in
architecture.md Open Risks Section 6 (JWKS HTTPS gating).

Source changes:
- src/Auth/JwtExtensions.cs (modified) — ES256, JWKS, alg pinning
- src/Program.cs (modified) — DI wiring for ConfigurationResolver
  and CorsConfigurationValidator
- src/Controllers/AuthController.cs (deleted) — no in-service issuance
- src/Services/TokenService.cs (deleted) — same
- src/Infrastructure/ConfigurationResolver.cs (new)
- src/Infrastructure/CorsConfigurationValidator.cs (new)
- .env.example (new) — required env var documentation
- .gitignore (updated)

Cross-repo coordination: _docs/cross-repo/flights_h1_h2_h3_change_spec
captures the change-spec for downstream services that consumed the now
deleted /auth endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/00_problem/input_data/data_parameters.md

@@ -0,0 +1,92 @@
+# Azaion.Annotations — Input data parameters
+
+> Inventory of every external input the service accepts, with shape, evidence, and validation behavior. Sources: REST DTOs, multipart form fields, env vars, database seed contract.
+
+## REST API inputs
+
+### `POST /annotations`
+
+| Field | Type | Required | Constraint | Evidence |
+|-------|------|----------|-----------|----------|
+| `image_bytes` | `byte[]` (base64-encoded JSON or multipart) | yes | none enforced; sampled by `XxHash3.Hash128` (per RB-04) for id derivation | `Services/AnnotationService.cs` `GenerateAnnotationId(...)` |
+| `mission_id` | `Guid` (post RB-07; today `flight_id`) | yes | foreign-key style, but no FK enforced in schema today | `Entities/AnnotationEntity.cs`, `_docs/02_document/glossary.md` |
+| `media_type` | `MediaType` enum | yes | `Image=10` or `Video=20`; integer wire format | `Models/Wire/MediaType.cs` |
+| `detections` | `Detection[]` | yes (≥0) | each detection: class id, normalised cx/cy/w/h, confidence | `Models/Dto/DetectionDto.cs` |
+| `metadata` | optional payload | no | passes through to row | `AnnotationDto.cs` |
+
+### `PUT /annotations/{id}` and `PATCH /annotations/{id}/status`
+
+Same DTO shape on the body; `id` from path. Status transition values come from the `AnnotationStatus` wire enum: `Pending=10, Accepted=20, Rejected=30, Deleted=40`.
+
+### `DELETE /annotations/{id}`
+
+Path param only. Soft-deletes the row (sets status to `Deleted=40`) and relocates files to `deleted_dir` (per RB-01 + glossary "Soft-delete").
+
+### `GET /annotations` and `/dataset`
+
+Query string filters: `mission_id`, `status`, `class_id`, paging (`offset`, `limit`). Validation is implicit through `[FromQuery]` model binding — no explicit validators visible at controller level.
+
+### `POST /media` and `POST /media/batch`
+
+Multipart form: `IFormFile` / `IFormFileCollection`, `mission_id`, `media_type`. No format whitelist visible at controller layer (verify in Step 14).
+
+### `GET /media/{id}/file`, `GET /media/{id}/thumbnail`
+
+Path param only; returns binary stream.
+
+### Auth endpoints
+
+Annotations no longer hosts `POST /auth/login`, `POST /auth/refresh`, or `POST /auth/register`. Token issuance and refresh are owned by the **admin** service. The only auth-related input on the annotations surface is the `Authorization: Bearer <token>` HTTP header on every non-`/health` request, validated by `JwtBearerHandler` against admin's JWKS:
+
+| Header | Required | Notes |
+|--------|----------|-------|
+| `Authorization` | yes (everywhere except `/health`) | `Bearer <ES256 JWT>` issued by admin; `iss` / `aud` / `exp` / signature all validated; `alg` pinned to `ES256` |
+
+### `/settings/*`
+
+Each controller binds JSON DTOs from `Models/Dto/*` mirroring the `system_settings`, `directory_settings`, `camera_settings`, `user_settings` shapes in `Database/DatabaseMigrator.cs`.
+
+## Database seed inputs (boot-time)
+
+`DatabaseMigrator` issues `ON CONFLICT DO NOTHING` inserts on:
+
+| Table | Seeded rows |
+|-------|-------------|
+| `directory_settings` | one row with default paths |
+| `system_settings` | one row (today still includes `silent_detection`; removal tracked by RB-02) |
+| `detection_classes` | 19 rows (ids 0–18): `ArmorVehicle, Truck, Vehicle, Artillery, Shadow, Trenches, MilitaryMan, TyreTracks, AdditionArmoredTank, Smoke, Plane, Moto, CamouflageNet, CamouflageBranches, Roof, Building, Caponier, Ammo, Protect.Struct` (`Smoke` and `Plane` share color `#000080` — pre-existing data quirk, fixed by RB-06) |
+(There is no `users` table in this service — identity is owned by the admin service.)
+
+Detection class catalog becomes admin-CRUD after RB-06.
+
+## Environment variables (process inputs)
+
+| Name | Required | Default | Purpose |
+|------|----------|---------|---------|
+| `DATABASE_URL` | yes | none — fail-fast (`ConfigurationResolver`) | Postgres connection; URI form auto-converted to Linq2DB form |
+| `JWT_ISSUER` | yes | none — fail-fast | Expected `iss` claim (admin's issuer) |
+| `JWT_AUDIENCE` | yes | none — fail-fast | Expected `aud` claim (this service) |
+| `JWT_JWKS_URL` | yes | none — fail-fast; HTTPS required | Admin's JWKS endpoint for ES256 key resolution |
+| `CorsConfig:AllowedOrigins` | yes (prod, unless `AllowAnyOrigin=true`) | empty | Configured origins for the default CORS policy |
+| `CorsConfig:AllowAnyOrigin` | optional | `false` | Explicit opt-in to permissive CORS (validator blocks empty allow-list in `Production` unless this is set) |
+| `RABBITMQ_HOST` | optional | `127.0.0.1` | stream broker host |
+| `RABBITMQ_STREAM_PORT` | optional | `5552` | stream listener port |
+| `RABBITMQ_PRODUCER_USER` | optional | `azaion_producer` | stream auth user |
+| `RABBITMQ_PRODUCER_PASS` | optional | `producer_pass` | stream auth pass |
+| `AZAION_REVISION` | optional | `unknown` | image build stamp; logged at boot |
+| `ASPNETCORE_URLS` | optional | `http://+:8080` | bind address |
+| `ASPNETCORE_ENVIRONMENT` | optional | `Production` | bound to ASP.NET host |
+
+## Stream consumer wire format
+
+Outbound (this service is producer-only):
+
+- Stream name: `azaion-annotations`
+- Body: gzip(MessagePack(`AnnotationStreamMessage`))
+- Schema fields (post RB-09): `annotation_id`, `operation` (`QueueOperation`), `date_time`, payload — see `_docs/02_document/components/02_annotations-realtime-sync/description.md` and ADR-013.
+
+## Cross-references
+
+- Wire enum table: `_docs/02_document/modules/wire-enums.md`
+- ER diagram: `_docs/02_document/data_model.md`
+- Common error envelope: `_docs/02_document/common-helpers/01_http-error-envelope.md`