# Device Provisioning Script

**Task**: AZ-187_device_provisioning_script
**Name**: Device Provisioning Script
**Description**: Interactive shell script that provisions Jetson device identities (CompanionPC users) during the fuse/flash pipeline
**Complexity**: 2 points
**Dependencies**: AZ-196 (POST /devices endpoint)
**Component**: DevOps
**Tracker**: AZ-187
**Epic**: AZ-181

## Problem

Each Jetson needs a unique CompanionPC user account for API authentication. This must be automated as part of the manufacturing/flash process so that provisioning 50+ devices is not manual.

## Outcome

- Interactive `provision_devices.sh` detects connected Jetsons, registers identities via admin API, and runs fuse/flash pipeline
- Serial numbers are auto-assigned server-side (azj-0000, azj-0001, ...)
- Provisioning runbook documents the full end-to-end flow

## Scope

### Included

- `provision_devices.sh`: scan USB for Jetsons in recovery mode, interactive device selection, call admin API `POST /devices` for auto-generated serial/email/password, write credentials to rootfs, fuse, flash
- Configuration via `scripts/.env` (git-ignored), template at `scripts/.env.example`
- Dependency checks at startup (lsusb, curl, jq, L4T tools, sudo)
- Provisioning runbook: step-by-step for multi-device manufacturing flow

### Excluded

- fTPM provisioning (covered by NVIDIA's ftpm_provisioning.sh)
- Secure Boot fusing (covered by solution_draft02 Phase 1-2)
- OS hardening (covered by solution_draft02 Phase 3)
- Admin API POST /devices endpoint implementation (AZ-196)

## Acceptance Criteria

**AC-1: Script registers device via POST /devices**
Given the admin API has the POST /devices endpoint deployed
When provision_devices.sh is run and a device is selected
Then the admin API creates a new user with auto-assigned serial (e.g. azj-0000) and Role=CompanionPC

**AC-2: Credentials written to rootfs**
Given POST /devices returned serial, email, and password
When the provisioning step completes for a device
Then `$ROOTFS_DIR/etc/azaion/device.conf` contains the email and password with mode 600

**AC-3: Device can log in after flash**
Given a provisioned and flashed device boots for the first time
When the loader reads /etc/azaion/device.conf and calls POST /login
Then a valid JWT is returned

**AC-4: Multi-device support**
Given multiple Jetsons connected in recovery mode
When provision_devices.sh is run
Then the user can select individual devices or all, and each is provisioned sequentially

**AC-5: Runbook complete**
Given the provisioning runbook
When followed step-by-step on new Jetson Orin Nano devices
Then the devices are fully fused, flashed, provisioned, and can communicate with the admin API
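
One way to implement the credential write required by AC-2, as an added example (not the project's `provision_devices.sh`). The function names `write_device_conf` and `file_mode` are hypothetical, and the `EMAIL=`/`PASSWORD=` line format of `device.conf` is an assumption, since the page only says the file contains the email and password.

```shell
#!/bin/sh
# Added example: write the credentials returned by POST /devices into the
# rootfs with owner-only permissions (AC-2).
# Assumption: device.conf uses KEY=value lines; the page does not define it.

# write_device_conf ROOTFS_DIR EMAIL PASSWORD
# The body runs in a subshell so umask, trap and variables do not leak.
write_device_conf() (
    rootfs=$1 email=$2 password=$3
    conf_dir="$rootfs/etc/azaion"
    conf="$conf_dir/device.conf"

    # Refuse empty values and embedded newlines: a newline in an API-supplied
    # value would let it add extra lines (keys) to the config file.
    for v in "$email" "$password"; do
        [ -n "$v" ] || { echo "empty credential field" >&2; exit 1; }
        case $v in *"
"*) echo "newline in credential field" >&2; exit 1 ;; esac
    done

    umask 077                        # nothing created here is group/world readable
    mkdir -p "$conf_dir" || exit 1
    tmp=$(mktemp "$conf_dir/.device.conf.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT         # no partial credential file left behind

    # printf is a shell builtin, so the password never appears in the
    # argument list of an external process.
    printf 'EMAIL=%s\nPASSWORD=%s\n' "$email" "$password" > "$tmp" || exit 1
    chmod 600 "$tmp" || exit 1
    mv -f "$tmp" "$conf" || exit 1   # rename within one directory: atomic
    trap - EXIT
)

# file_mode PATH: print the octal permission bits (GNU stat, BSD fallback),
# so the caller can check the result against AC-2 before flashing.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Against a real L4T rootfs the target directory is root-owned, so the calling script would run this step under sudo, which the page already lists among the startup dependency checks.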