security: address audit findings C-4 through M-8

Critical:
- C-4: Add express-rate-limit to login (20 attempts/15min)
- C-5: Remove default credentials from LoginForm.js
- C-6: Add sandbox attribute to KB document iframe

High:
- H-2: Hard-fail on startup if SESSION_SECRET env var is missing
- H-6: Sanitize filenames in Content-Disposition headers
- H-7: Fix KB upload race condition — move file after DB insert succeeds
- H-8: Generate random admin password in setup.js instead of hardcoded
- H-9: Add rehype-sanitize to ReactMarkdown (requires npm install)

Medium:
- M-4: Fix loose equality (==) to strict (===) in users.js self-checks
- M-5: Add hostname format regex validation in compliance notes
- M-6: Fix vendor trim-before-validate in ivantiTodoQueue.js
- M-7: Sanitize original filename in compliance temp JSON
- M-8: Pull CSP frame-ancestors from CORS_ORIGINS env var

New dependencies needed:
- backend: express-rate-limit (npm install in root)
- frontend: rehype-sanitize (npm install in frontend/)

frontend/src/components/KnowledgeBaseViewer.js

@@ -1,5 +1,6 @@
 import React, { useState, useEffect, useRef } from 'react';
 import ReactMarkdown from 'react-markdown';
+import rehypeSanitize from 'rehype-sanitize';
 import mermaid from 'mermaid';
 import { X, Download, Loader, AlertCircle, FileText, File } from 'lucide-react';
 
@@ -233,6 +234,7 @@ export default function KnowledgeBaseViewer({ article, onClose }) {
             {isMarkdown && (
               <div className="markdown-content">
                 <ReactMarkdown
+                  rehypePlugins={[rehypeSanitize]}
                   components={{
                     code({ inline, className, children }) {
                       const lang = /language-(\w+)/.exec(className || '')?.[1];
@@ -277,6 +279,7 @@ export default function KnowledgeBaseViewer({ article, onClose }) {
             {isPDF && (
               <div className="w-full" style={{ height: '700px' }}>
                 <iframe
+                  sandbox="allow-same-origin"
                   src={`${API_BASE}/knowledge-base/${article.id}/content`}
                   title={article.title}
                   className="w-full h-full rounded"

frontend/src/components/LoginForm.js

@@ -98,12 +98,6 @@ export default function LoginForm() {
                         )}
                     </button>
                 </form>
-
-                <div className="mt-6 pt-6 border-t border-intel-grid">
-                    <p className="text-sm text-gray-500 text-center font-mono">
-                        Default: <span className="text-intel-accent">admin</span> / <span className="text-intel-accent">admin123</span>
-                    </p>
-                </div>
             </div>
         </div>
     );