feat: implement group-based access control (Admin, Standard_User, Leadership, Read_Only)

- Add user_group migration and created_by column migration
- Replace requireRole middleware with requireGroup
- Update all backend routes to use group-based authorization
- Add Standard_User conditional delete with ownership, state, and compliance checks
- Add cascade impact check for CVE deletes
- Update AuthContext with group-based permission helpers
- Update all frontend components for group-based rendering
- Update UserManagement UI with group dropdown, confirmation dialogs, self-demotion prevention

backend/routes/ivantiFindings.js

@@ -4,7 +4,7 @@
 
 const express = require('express');
 const https = require('https');
-const { requireRole } = require('../middleware/auth');
+const { requireGroup } = require('../middleware/auth');
 
 const IVANTI_URL_BASE = 'https://platform4.risksense.com/api/v1';
 const SYNC_INTERVAL_MS = 24 * 60 * 60 * 1000;
@@ -899,7 +899,7 @@ function createIvantiFindingsRouter(db, requireAuth) {
 
     // PUT /:findingId/override — save or clear a field override (editor/admin only)
     const OVERRIDE_ALLOWED = ['hostName', 'dns'];
-    router.put('/:findingId/override', requireRole('editor', 'admin'), (req, res) => {
+    router.put('/:findingId/override', requireGroup('Admin', 'Standard_User'), (req, res) => {
         const { findingId } = req.params;
         const { field, value } = req.body;