feat(reporting): inline editable hostname and DNS with persistent overrides

Backend:
- New ivanti_finding_overrides table (finding_id, field, value) with
  UNIQUE(finding_id, field) — same survival-across-sync pattern as notes
- PUT /api/ivanti/findings/:id/override (editor/admin only) — saves or
  clears a field override; empty value = revert to Ivanti
- Overrides merged into findings at read time via readOverrides()
- Whitelisted fields: hostName, dns

Frontend:
- OverrideCell component — click to edit inline (editor/admin only),
  Enter/blur to save, Escape to cancel
- Amber dot indicator on cells with an active local override
- Hover tooltip shows original Ivanti value when overridden
- RotateCcw button reverts cell back to Ivanti value in one click
- canWrite() gating via useAuth — viewers see the value, can't edit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/routes/ivantiFindings.js

@@ -4,6 +4,7 @@
 
 const express = require('express');
 const https = require('https');
+const { requireRole } = require('../middleware/auth');
 
 const IVANTI_URL_BASE = 'https://platform4.risksense.com/api/v1';
 const SYNC_INTERVAL_MS = 24 * 60 * 60 * 1000;
@@ -151,9 +152,25 @@ function initTables(db) {
                 VALUES (1, 0, 0)
             `, (err) => { if (err) return reject(err); });
 
+            db.run(`
+                CREATE TABLE IF NOT EXISTS ivanti_finding_overrides (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    finding_id TEXT NOT NULL,
+                    field TEXT NOT NULL,
+                    value TEXT NOT NULL DEFAULT '',
+                    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+                    UNIQUE(finding_id, field)
+                )
+            `, (err) => { if (err) return reject(err); });
+
             db.run(`
                 CREATE INDEX IF NOT EXISTS idx_finding_notes_finding_id
                 ON ivanti_finding_notes(finding_id)
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE INDEX IF NOT EXISTS idx_finding_overrides_finding_id
+                ON ivanti_finding_overrides(finding_id)
             `, (err) => {
                 if (err) reject(err);
                 else resolve();
@@ -395,9 +412,28 @@ function readCounts(db) {
     });
 }
 
+// Returns { findingId: { hostName: 'override', dns: 'override' }, ... }
+function readOverrides(db) {
+    return new Promise((resolve, reject) => {
+        db.all('SELECT finding_id, field, value FROM ivanti_finding_overrides', (err, rows) => {
+            if (err) return reject(err);
+            const map = {};
+            (rows || []).forEach((r) => {
+                if (!map[r.finding_id]) map[r.finding_id] = {};
+                map[r.finding_id][r.field] = r.value;
+            });
+            resolve(map);
+        });
+    });
+}
+
 async function readStateWithNotes(db) {
-    const [state, notes] = await Promise.all([readState(db), readNotes(db)]);
-    state.findings = state.findings.map((f) => ({ ...f, note: notes[f.id] || '' }));
+    const [state, notes, overrides] = await Promise.all([readState(db), readNotes(db), readOverrides(db)]);
+    state.findings = state.findings.map((f) => ({
+        ...f,
+        note:      notes[f.id]     || '',
+        overrides: overrides[f.id] || {},
+    }));
     return state;
 }
 
@@ -441,6 +477,42 @@ function createIvantiFindingsRouter(db, requireAuth) {
         }
     });
 
+    // PUT /:findingId/override — save or clear a field override (editor/admin only)
+    const OVERRIDE_ALLOWED = ['hostName', 'dns'];
+    router.put('/:findingId/override', requireRole('editor', 'admin'), (req, res) => {
+        const { findingId } = req.params;
+        const { field, value } = req.body;
+
+        if (!OVERRIDE_ALLOWED.includes(field)) {
+            return res.status(400).json({ error: `Field '${field}' is not editable. Allowed: ${OVERRIDE_ALLOWED.join(', ')}` });
+        }
+
+        const val = String(value ?? '').trim();
+
+        if (val === '') {
+            // Empty value = clear the override (revert to Ivanti)
+            db.run(
+                'DELETE FROM ivanti_finding_overrides WHERE finding_id = ? AND field = ?',
+                [findingId, field],
+                (err) => {
+                    if (err) return res.status(500).json({ error: 'Failed to clear override' });
+                    res.json({ finding_id: findingId, field, value: null });
+                }
+            );
+        } else {
+            db.run(
+                `INSERT INTO ivanti_finding_overrides (finding_id, field, value, updated_at)
+                 VALUES (?, ?, ?, datetime('now'))
+                 ON CONFLICT(finding_id, field) DO UPDATE SET value=excluded.value, updated_at=datetime('now')`,
+                [findingId, field, val],
+                (err) => {
+                    if (err) return res.status(500).json({ error: 'Failed to save override' });
+                    res.json({ finding_id: findingId, field, value: val });
+                }
+            );
+        }
+    });
+
     // PUT /:findingId/note — save or update a note (max 255 chars enforced here)
     router.put('/:findingId/note', (req, res) => {
         const { findingId } = req.params;