loader/_docs/02_document/data_model.md

# Azaion.Loader — Data Model

## Entity Overview

```mermaid
erDiagram
    Credentials {
        str email
        str password
    }
    User {
        str id
        str email
        RoleEnum role
    }
    CDNCredentials {
        str host
        str downloader_access_key
        str downloader_access_secret
        str uploader_access_key
        str uploader_access_secret
    }
    UnlockState {
        str value
    }

    Credentials ||--|| User : "login produces"
    Credentials ||--|| CDNCredentials : "enables download of"
    User ||--|| RoleEnum : "has"
```

## Entity Details

### Credentials (cdef class — credentials.pyx)

| Field    | Type | Source          |
|----------|------|-----------------|
| email    | str  | User input      |
| password | str  | User input      |

In-memory only. Set via `/login` or `/unlock` endpoint.

### User (cdef class — user.pyx)

| Field | Type     | Source             |
|-------|----------|--------------------|
| id    | str      | JWT `nameid` claim (UUID) |
| email | str      | JWT `unique_name` claim   |
| role  | RoleEnum | JWT `role` claim (mapped) |

Created by `ApiClient.set_token()` after JWT decoding.

### RoleEnum (cdef enum — user.pxd)

| Value            | Numeric | Description           |
|------------------|---------|-----------------------|
| NONE             | 0       | No role assigned      |
| Operator         | 10      | Basic operator        |
| Validator        | 20      | Validation access     |
| CompanionPC      | 30      | Companion PC device   |
| Admin            | 40      | Admin access          |
| ResourceUploader | 50      | Can upload resources  |
| ApiAdmin         | 1000    | Full API admin        |

### CDNCredentials (cdef class — cdn_manager.pyx)

| Field                    | Type | Source                        |
|--------------------------|------|-------------------------------|
| host                     | str  | cdn.yaml (encrypted download) |
| downloader_access_key    | str  | cdn.yaml                      |
| downloader_access_secret | str  | cdn.yaml                      |
| uploader_access_key      | str  | cdn.yaml                      |
| uploader_access_secret   | str  | cdn.yaml                      |

Initialized once per `ApiClient.set_credentials()` call.

### UnlockState (str Enum — unlock_state.py)

| Value            | Description                        |
|------------------|------------------------------------|
| idle             | No unlock in progress              |
| authenticating   | Logging in to API                  |
| downloading_key  | Fetching key fragment              |
| decrypting       | Decrypting archive                 |
| loading_images   | Running docker load                |
| ready            | All images loaded                  |
| error            | Unlock failed                      |

Module-level state in `main.py`, protected by `threading.Lock`.

## Persistent Storage

This service has **no database**. All state is in-memory and ephemeral. External persistence:

| Data                  | Location               | Managed By        |
|-----------------------|------------------------|-------------------|
| Encrypted archive     | `/opt/azaion/images.enc` | Pre-deployed    |
| Cached big file parts | `{folder}/{name}.big`  | ApiClient         |
| Log files             | `Logs/log_loader_*.txt`| Loguru            |

## Data Flow Summary

```
User credentials (email, password)
  → ApiClient → login → JWT token → User (id, email, role)
  → ApiClient → load cdn.yaml (encrypted) → CDNCredentials
  → ApiClient → load/upload resources (small via API, big via CDN)
  → binary_split → download key fragment → decrypt archive → docker load
```