security: address audit findings C-4 through M-8

Critical:
- C-4: Add express-rate-limit to login (20 attempts/15min)
- C-5: Remove default credentials from LoginForm.js
- C-6: Add sandbox attribute to KB document iframe

High:
- H-2: Hard-fail on startup if SESSION_SECRET env var is missing
- H-6: Sanitize filenames in Content-Disposition headers
- H-7: Fix KB upload race condition — move file after DB insert succeeds
- H-8: Generate random admin password in setup.js instead of hardcoded
- H-9: Add rehype-sanitize to ReactMarkdown (requires npm install)

Medium:
- M-4: Fix loose equality (==) to strict (===) in users.js self-checks
- M-5: Add hostname format regex validation in compliance notes
- M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js
- M-7: Sanitize original filename in compliance temp JSON
- M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var

New dependencies needed:
- backend: express-rate-limit (npm install in root)
- frontend: rehype-sanitize (npm install in frontend/)

backend/setup.js

@@ -3,6 +3,7 @@
 
 const sqlite3 = require('sqlite3').verbose();
 const bcrypt = require('bcryptjs');
+const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
 
@@ -172,8 +173,9 @@ async function createDefaultAdmin(db) {
                 return;
             }
 
-            // Create admin user with password 'admin123'
-            const passwordHash = await bcrypt.hash('admin123', 10);
+            // Generate a random admin password on first run
+            const generatedPassword = crypto.randomBytes(12).toString('base64url');
+            const passwordHash = await bcrypt.hash(generatedPassword, 10);
 
             db.run(
                 `INSERT INTO users (username, email, password_hash, role, is_active)
@@ -183,7 +185,12 @@ async function createDefaultAdmin(db) {
                     if (err) {
                         reject(err);
                     } else {
-                        console.log('✓ Created default admin user (admin/admin123)');
+                        console.log('✓ Created default admin user');
+                        console.log(`\n  ╔══════════════════════════════════════════╗`);
+                        console.log(`  ║  Admin credentials (save these now!)     ║`);
+                        console.log(`  ║  Username: admin                         ║`);
+                        console.log(`  ║  Password: ${generatedPassword.padEnd(29)}║`);
+                        console.log(`  ╚══════════════════════════════════════════╝\n`);
                         resolve();
                     }
                 }
@@ -269,7 +276,7 @@ function displaySummary() {
     console.log('   ✓ Indexes for fast queries');
     console.log('   ✓ Document compliance view');
     console.log('   ✓ Uploads directory for file storage');
-    console.log('   ✓ Default admin user (admin/admin123)');
+    console.log('   ✓ Default admin user (see credentials above)');
     console.log('\n📁 File structure will be:');
     console.log('   uploads/');
     console.log('     └── CVE-XXXX-XXXX/');