feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only)

- Add user_group migration and created_by column migration
- Replace requireRole middleware with requireGroup
- Update all backend routes to use group-based authorization
- Add Standard_User conditional delete with ownership, state, and compliance checks
- Add cascade impact check for CVE deletes
- Update AuthContext with group-based permission helpers
- Update all frontend components for group-based rendering
- Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention

backend/middleware/auth.js

@@ -12,7 +12,7 @@ function requireAuth(db) {
         try {
             const session = await new Promise((resolve, reject) => {
                 db.get(
-                    `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.is_active
+                    `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.user_group, u.is_active
                      FROM sessions s
                      JOIN users u ON s.user_id = u.id
                      WHERE s.session_id = ? AND s.expires_at > datetime('now')`,
@@ -37,7 +37,8 @@ function requireAuth(db) {
                 id: session.user_id,
                 username: session.username,
                 email: session.email,
-                role: session.role
+                role: session.role,
+                group: session.user_group
             };
 
             next();
@@ -48,18 +49,18 @@ function requireAuth(db) {
     };
 }
 
-// Require specific role(s)
-function requireRole(...allowedRoles) {
+// Require specific group(s)
+function requireGroup(...allowedGroups) {
     return (req, res, next) => {
         if (!req.user) {
             return res.status(401).json({ error: 'Authentication required' });
         }
 
-        if (!allowedRoles.includes(req.user.role)) {
+        if (!allowedGroups.includes(req.user.group)) {
             return res.status(403).json({
                 error: 'Insufficient permissions',
-                required: allowedRoles,
-                current: req.user.role
+                required: allowedGroups,
+                current: req.user.group
             });
         }
 
@@ -67,4 +68,4 @@ function requireRole(...allowedRoles) {
     };
 }
 
-module.exports = { requireAuth, requireRole };
+module.exports = { requireAuth, requireGroup };