[AZ-181] Final impl report

Made-with: Cursor

_docs/03_implementation/implementation_report_security_modernization.md

@@ -0,0 +1,44 @@
+# Implementation Report: Loader Security Modernization (AZ-181)
+
+**Epic**: AZ-181
+**Date**: 2026-04-15
+**Total Tasks**: 5 implemented (1 out-of-repo)
+**Total Complexity**: 18 points implemented
+
+## Summary
+
+Implemented the loader's security modernization features across 2 batches:
+
+### Batch 1 (10 points)
+- **AZ-182** TPM Security Provider — SecurityProvider ABC with TPM/legacy detection, FAPI seal/unseal, graceful fallback
+- **AZ-184** Resumable Download Manager — HTTP Range resume, SHA-256 verify, AES-256 decrypt, exponential backoff
+- **AZ-187** Device Provisioning Script — provision_device.sh + runbook
+
+### Batch 2 (8 points)
+- **AZ-185** Update Manager — background update loop, version collector, model + Docker image apply, self-update last
+- **AZ-186** CI/CD Artifact Publish — shared publish script, Woodpecker pipeline, encryption-compatible with download manager
+
+### Out of Scope
+- **AZ-183** Resources Table & Update API — requires implementation in the admin API repository (`admin/`). A mock endpoint was added to `e2e/mocks/mock_api/app.py` for loader testing.
+
+## Test Coverage
+
+| Task | Unit Tests | AC Coverage |
+|------|-----------|-------------|
+| AZ-182 | 8 tests (1 skip without swtpm) | 6/6 |
+| AZ-184 | 8 tests | 5/5 |
+| AZ-185 | 10 tests | 6/6 |
+| AZ-186 | 8 tests | 5/5 |
+| AZ-187 | 5 tests | 5/5 |
+
+## Commits
+
+| Hash | Message |
+|------|---------|
+| d244799 | [AZ-182][AZ-184][AZ-187] Batch 1 |
+| 9a0248a | [AZ-185][AZ-186] Batch 2 |
+
+## Code Review Verdicts
+
+- Batch 1: PASS_WITH_WARNINGS
+- Batch 2: PASS_WITH_WARNINGS