# Problem Statement

## What is this system?

Azaion.Loader is a secure resource distribution service for Azaion's edge computing platform. It runs on edge devices (ARM64) to manage the lifecycle of encrypted AI model resources and Docker service images.

## What problem does it solve?

Azaion distributes proprietary AI models and Docker-based services to edge devices deployed in the field. These assets must be:

1. **Protected in transit and at rest** — models and service images are intellectual property that must not be extractable if a device is compromised
2. **Bound to authorized hardware** — decryption keys are derived from the device's hardware fingerprint, preventing resource extraction to unauthorized machines
3. **Efficiently distributed** — large model files are split between an authenticated API (small encrypted part) and a CDN (large part), reducing API bandwidth costs while maintaining security
4. **Self-service deployable** — edge devices need to authenticate, download, decrypt, and load Docker images autonomously via a single unlock workflow

## Who are the users?

- **Edge devices** — autonomous ARM64 systems running Azaion services (drones, companion PCs, ground stations)
- **Operators/Admins** — human users who trigger authentication and unlock via HTTP API
- **Other Azaion services** — co-located containers that call the loader API to fetch model resources

## How does it work (high level)?

1. A client authenticates via `/login` with email/password → the loader obtains a JWT from the Azaion Resource API
2. For resource access: the loader downloads an encrypted "small" part from the API (using a per-user, per-machine key) and a "big" part from CDN, reassembles them, and decrypts with a shared resource key
3. For initial deployment: the `/unlock` endpoint triggers a background workflow that downloads a key fragment, decrypts a pre-deployed encrypted Docker image archive, and loads all service images into the local Docker daemon
4. All security-sensitive logic is compiled as Cython native extensions for IP protection
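The split download of step 2 and the hardware binding from the requirements list, as an added example that is not Azaion.Loader's own code. The HKDF derivation of the per-user, per-machine key, the HMAC-based encrypt-then-MAC cipher, the manifest layout and all names (`machine_key`, `publish`, `load_resource`) are assumptions standing in for whatever primitives the loader actually uses; the point it shows is that the small part from the authenticated API pins the CDN part's hash, so a swapped or corrupted CDN download is rejected before the resource key is ever applied.

```python
import hashlib
import hmac
import json
import os

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for counter in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
    return out[:length]

def machine_key(user_id: str, hw_fingerprint: bytes) -> bytes:
    """Per-user, per-machine key (assumed derivation): needs the device's own fingerprint."""
    return hkdf_sha256(hw_fingerprint, user_id.encode(), b"loader/machine-key")

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC stand-in for a real AEAD: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def publish(model: bytes, resource_key: bytes, user_id: str, hw_fingerprint: bytes):
    """Server side: big part goes to the CDN, small part to the authenticated API."""
    big_part = seal(resource_key, model)
    manifest = {"resource_key": resource_key.hex(),
                "big_sha256": hashlib.sha256(big_part).hexdigest()}
    small_part = seal(machine_key(user_id, hw_fingerprint), json.dumps(manifest).encode())
    return small_part, big_part

def load_resource(small_part: bytes, big_part: bytes, user_id: str, hw_fingerprint: bytes) -> bytes:
    """Edge device: unwrap the manifest, pin the CDN download to it, then decrypt."""
    manifest = json.loads(unseal(machine_key(user_id, hw_fingerprint), small_part))
    if not hmac.compare_digest(hashlib.sha256(big_part).hexdigest(), manifest["big_sha256"]):
        raise ValueError("CDN part does not match the manifest from the authenticated API")
    return unseal(bytes.fromhex(manifest["resource_key"]), big_part)
```

A device with a different fingerprint cannot open the small part at all, and a modified CDN part fails the hash check before any decryption is attempted.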