Allow Admin scope toggle to filter data via ?teams= param

requireTeam() now respects an optional ?teams= query param from Admin
users as a voluntary scope filter. When the Admin Scope Toggle is set
to 'My Teams', the frontend sends ?teams=STEAM,ACCESS-ENG and the
backend applies the filter. When set to 'All BUs' (no param), Admin
gets the full unfiltered view.

Non-admin users remain scoped by their bu_teams assignment
regardless of any query param.
Jordan Ramos
2026-06-24 17:04:06 -06:00
parent 221eb6a1a1
commit 5d3d4b1eab


@@ -99,6 +99,8 @@ function requireGroup(...allowedGroups) {
// Require team assignment — enforces team-scoped data access. // Require team assignment — enforces team-scoped data access.
// Admin group bypasses (req.teamScope = null means "no filter"). // Admin group bypasses (req.teamScope = null means "no filter").
// However, if an Admin passes a ?teams= query param (via the scope toggle),
// it is respected as a voluntary filter.
// Non-admin users without teams get 403. // Non-admin users without teams get 403.
// Non-admin users with teams get req.teamScope = { short: [...], ivanti: [...] }. // Non-admin users with teams get req.teamScope = { short: [...], ivanti: [...] }.
function requireTeam() { function requireTeam() {
@@ -107,8 +109,19 @@ function requireTeam() {
return res.status(401).json({ error: 'Authentication required' }); return res.status(401).json({ error: 'Authentication required' });
} }
// Admin bypass — full access to all teams // Admin bypass — but respect optional ?teams= param as voluntary scope
if (req.user.group === 'Admin') { if (req.user.group === 'Admin') {
const teamsParam = req.query?.teams;
if (teamsParam) {
const teams = teamsParam.split(',').map(t => t.trim()).filter(Boolean);
if (teams.length > 0) {
req.teamScope = {
short: teams,
ivanti: teams.map(t => teamToIvanti(t))
};
return next();
}
}
req.teamScope = null; req.teamScope = null;
return next(); return next();
} }
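Review bot: The new admin branch assumes `req.query.teams` is a string, but under the default query parser of an Express-style app (which `req.query`/`res.status().json()` suggest this is) a repeated parameter such as `?teams=A&teams=B` arrives as an array, so `teamsParam.split` throws and a malformed request becomes an unhandled error inside auth middleware instead of a 400; guard the type with `if (typeof teamsParam === 'string') {` or normalize first with `const raw = Array.isArray(teamsParam) ? teamsParam.join(',') : teamsParam;`. The accepted names are also handed straight to `teamToIvanti(t)` without being checked against the known team set, so a typo or unknown value presumably yields an undefined or pass-through Ivanti mapping and a silently empty or mis-scoped result rather than a clear rejection — validating against the same list `teamToIvanti` uses, or dropping unknown entries, would make the toggle's behavior predictable. Because this filter only ever narrows what an Admin sees, a comment such as `// Voluntary narrowing for the UI toggle only — not an access-control boundary; non-admin scope is enforced below` would stop a future reader from relying on it as enforcement. requireTeam's non-admin branch continues outside the hunk.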