# Implementation Report: Loader Security Modernization (AZ-181)

- **Epic**: AZ-181
- **Date**: 2026-04-15
- **Total Tasks**: 5 implemented (1 out-of-repo)
- **Total Complexity**: 18 points implemented

## Summary

Implemented the loader's security modernization features across 2 batches:

### Batch 1 (10 points)

- **AZ-182** TPM Security Provider — SecurityProvider ABC with TPM/legacy detection, FAPI seal/unseal, graceful fallback
- **AZ-184** Resumable Download Manager — HTTP Range resume, SHA-256 verify, AES-256 decrypt, exponential backoff
- **AZ-187** Device Provisioning Script — provision_devices.sh + runbook

### Batch 2 (8 points)

- **AZ-185** Update Manager — background update loop, version collector, model + Docker image apply, self-update last
- **AZ-186** CI/CD Artifact Publish — shared publish script, Woodpecker pipeline, encryption-compatible with download manager

### Out of Scope

- **AZ-183** Resources Table & Update API — requires implementation in the admin API repository (`admin/`). A mock endpoint was added to `e2e/mocks/mock_api/app.py` for loader testing.

## Test Coverage

| Task | Unit Tests | AC Coverage |
|------|-----------|-------------|
| AZ-182 | 8 tests (1 skip without swtpm) | 6/6 |
| AZ-184 | 8 tests | 5/5 |
| AZ-185 | 10 tests | 6/6 |
| AZ-186 | 8 tests | 5/5 |
| AZ-187 | 5 tests | 5/5 |

## Commits

| Hash | Message |
|------|---------|
| d244799 | [AZ-182][AZ-184][AZ-187] Batch 1 |
| 9a0248a | [AZ-185][AZ-186] Batch 2 |

## Code Review Verdicts

- Batch 1: PASS_WITH_WARNINGS
- Batch 2: PASS_WITH_WARNINGS
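The AZ-184 Resumable Download Manager listed under Batch 1 combines three mechanisms: resuming with an HTTP Range offset, verifying the whole artifact against a SHA-256 digest, and backing off exponentially on transient failures. The following is an added illustration of how those three fit together; it is not the loader's own download manager code. `FlakyRangeServer`, its payload and its failure schedule are constructed in memory so it runs offline (a real client would send `Range: bytes=<offset>-` to the artifact host instead of calling `get_range()`), and the AES-256 decryption step is left out.

```python
"""Resumable download with Range-style offsets, SHA-256 verification and
exponential backoff. Added example, not the loader's AZ-184 implementation.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Set


class TransientError(Exception):
    """Stands in for a dropped connection or a 5xx response mid-transfer."""


class FlakyRangeServer:
    """Constructed stand-in for a server honouring byte-range requests.

    Each call serves at most `chunk` bytes starting at `offset` and raises
    TransientError on the 1-based request numbers in `fail_on`, forcing the
    client to resume from the bytes it already holds.
    """

    def __init__(self, payload: bytes, chunk: int, fail_on: Set[int] = frozenset()):
        self.payload = payload
        self.chunk = chunk
        self.fail_on = set(fail_on)
        self.requests = 0
        self.offsets: List[int] = []  # every Range offset requested, failed ones included

    def get_range(self, offset: int) -> bytes:
        self.requests += 1
        self.offsets.append(offset)
        if self.requests in self.fail_on:
            raise TransientError(f"connection reset on request {self.requests}")
        return self.payload[offset:offset + self.chunk]


@dataclass
class DownloadResult:
    data: bytes
    requests: int                                              # range requests issued
    backoff_delays: List[float] = field(default_factory=list)  # seconds slept per retry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def resumable_download(server: FlakyRangeServer, total_size: int,
                       expected_sha256: str, max_retries: int = 5,
                       base_delay: float = 0.5,
                       sleep: Callable[[float], None] = lambda s: None) -> DownloadResult:
    """Fetch `total_size` bytes, resuming at the current offset after each
    transient failure, then verify the complete artifact against expected_sha256.

    `sleep` is injectable so tests can record delays instead of waiting.
    """
    buf = bytearray()
    attempt = 0
    delays: List[float] = []
    while len(buf) < total_size:
        try:
            part = server.get_range(len(buf))  # resume: request only bytes not yet held
            if not part:
                raise IOError(f"server returned no data at offset {len(buf)}")
            buf.extend(part)
            attempt = 0                        # progress made: reset the backoff window
        except TransientError:
            attempt += 1
            if attempt > max_retries:
                raise
            delay = base_delay * (2 ** (attempt - 1))  # 0.5, 1, 2, 4, ... seconds
            delays.append(delay)
            sleep(delay)
    if len(buf) > total_size:
        raise IOError("server returned more bytes than the declared size")
    # The integrity check covers the whole file, never individual chunks, so a
    # tampered or truncated resume cannot pass by matching ranges one at a time.
    digest = sha256_hex(bytes(buf))
    if digest != expected_sha256:
        raise ValueError(f"SHA-256 mismatch: expected {expected_sha256}, got {digest}")
    return DownloadResult(bytes(buf), server.requests, delays)


if __name__ == "__main__":
    payload = bytes(range(256)) * 4  # constructed 1024-byte artifact
    server = FlakyRangeServer(payload, chunk=300, fail_on={2, 3})
    result = resumable_download(server, len(payload), sha256_hex(payload))
    print(f"{len(result.data)} bytes in {result.requests} requests, "
          f"backoff {result.backoff_delays}, offsets {server.offsets}")
```

Two design points worth keeping when adapting this: the backoff counter resets only after a request actually delivers bytes, so a host that alternates between serving and dropping never escapes retry limits by making trickle progress, and the digest is checked over the assembled file rather than per range, which is what ties the download manager to the artifact digests published by the AZ-186 pipeline.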