[AZ-187] Rules & cleanup

Made-with: Cursor

_docs/02_tasks/done/AZ-187_device_provisioning_script.md

@@ -2,9 +2,9 @@
 
 **Task**: AZ-187_device_provisioning_script
 **Name**: Device Provisioning Script
-**Description**: Create a shell script that provisions a Jetson device identity (CompanionPC user) during the fuse/flash pipeline
+**Description**: Interactive shell script that provisions Jetson device identities (CompanionPC users) during the fuse/flash pipeline
 **Complexity**: 2 points
-**Dependencies**: None
+**Dependencies**: AZ-196 (POST /devices endpoint)
 **Component**: DevOps
 **Tracker**: AZ-187
 **Epic**: AZ-181
@@ -15,48 +15,47 @@ Each Jetson needs a unique CompanionPC user account for API authentication. This
 
 ## Outcome
 
-- Single script creates device identity and embeds credentials in the rootfs
-- Integrates into the fuse/flash pipeline between odmfuse.sh and flash.sh
+- Interactive `provision_devices.sh` detects connected Jetsons, registers identities via admin API, and runs fuse/flash pipeline
+- Serial numbers are auto-assigned server-side (azj-0000, azj-0001, ...)
 - Provisioning runbook documents the full end-to-end flow
 
 ## Scope
 
 ### Included
-- provision_device.sh: generate device email (azaion-jetson-{serial}@azaion.com), random 32-char password
-- Call admin API POST /users to create Users row with Role=CompanionPC
-- Write credentials config file to rootfs image (at known path, e.g., /etc/azaion/device.conf)
-- Idempotency: re-running for same serial doesn't create duplicate user
-- Provisioning runbook: step-by-step from unboxing through fusing, flashing, and first boot
+- `provision_devices.sh`: scan USB for Jetsons in recovery mode, interactive device selection, call admin API `POST /devices` for auto-generated serial/email/password, write credentials to rootfs, fuse, flash
+- Configuration via `scripts/.env` (git-ignored), template at `scripts/.env.example`
+- Dependency checks at startup (lsusb, curl, jq, L4T tools, sudo)
+- Provisioning runbook: step-by-step for multi-device manufacturing flow
 
 ### Excluded
 - fTPM provisioning (covered by NVIDIA's ftpm_provisioning.sh)
 - Secure Boot fusing (covered by solution_draft02 Phase 1-2)
 - OS hardening (covered by solution_draft02 Phase 3)
-- Admin API user creation endpoint (assumed to exist)
+- Admin API POST /devices endpoint implementation (AZ-196)
 
 ## Acceptance Criteria
 
-**AC-1: Script creates CompanionPC user**
-Given a new device serial AZJN-0042
-When provision_device.sh is run with serial AZJN-0042
-Then admin API has a new user azaion-jetson-0042@azaion.com with Role=CompanionPC
+**AC-1: Script registers device via POST /devices**
+Given the admin API has the POST /devices endpoint deployed
+When provision_devices.sh is run and a device is selected
+Then the admin API creates a new user with auto-assigned serial (e.g. azj-0000) and Role=CompanionPC
 
 **AC-2: Credentials written to rootfs**
-Given provision_device.sh completed successfully
-When the rootfs image is inspected
-Then /etc/azaion/device.conf contains the email and password
+Given POST /devices returned serial, email, and password
+When the provisioning step completes for a device
+Then `$ROOTFS_DIR/etc/azaion/device.conf` contains the email and password with mode 600
 
 **AC-3: Device can log in after flash**
 Given a provisioned and flashed device boots for the first time
 When the loader reads /etc/azaion/device.conf and calls POST /login
 Then a valid JWT is returned
 
-**AC-4: Idempotent re-run**
-Given provision_device.sh was already run for serial AZJN-0042
-When it is run again for the same serial
-Then no duplicate user is created (existing user is reused or updated)
+**AC-4: Multi-device support**
+Given multiple Jetsons connected in recovery mode
+When provision_devices.sh is run
+Then the user can select individual devices or all, and each is provisioned sequentially
 
 **AC-5: Runbook complete**
 Given the provisioning runbook
-When followed step-by-step on a new Jetson Orin Nano
-Then the device is fully fused, flashed, provisioned, and can communicate with the admin API
+When followed step-by-step on new Jetson Orin Nano devices
+Then the devices are fully fused, flashed, provisioned, and can communicate with the admin API