docs: update README for group-based access control, security hardening, and current architecture

- Replace role-based docs with group-based (Admin, Standard_User, Leadership, Read_Only)
- Update API reference with correct group requirements and new endpoints (JIRA tickets, archive, todo-queue)
- Remove hardcoded default credentials from installation instructions
- Document SESSION_SECRET as required with generation instructions
- Add new migrations to install sequence (archive, timestamps, counts history, user_groups, created_by)
- Update architecture tree with new files (ivantiArchive, ComplianceChartsPanel, etc.)
- Update security model with rate limiting, sandbox iframe, rehype-sanitize, Content-Disposition sanitization
- Update database schema docs with created_by columns, user_group triggers, cascade deletes
- Fix middleware reference from requireRole to requireGroup
- Remove stale admin123 references throughout

backend/routes/auth.js

@@ -16,7 +16,20 @@ const loginLimiter = rateLimit({
 function createAuthRouter(db, logAudit) {
     const router = express.Router();
 
-    // Login
+    /**
+     * POST /api/auth/login
+     *
+     * Authenticates a user with username and password, creates a session,
+     * and sets an httpOnly session cookie. Rate-limited to 20 attempts per 15 minutes.
+     *
+     * @body {string} username - The user's login username
+     * @body {string} password - The user's password
+     * @returns {object} 200 - { message: 'Login successful', user: { id, username, email, group } }
+     * @returns {object} 400 - { error: 'Username and password are required' }
+     * @returns {object} 401 - { error: 'Invalid username or password' } | { error: 'Account is disabled' }
+     * @returns {object} 429 - { error: 'Too many login attempts. Please try again in 15 minutes.' }
+     * @returns {object} 500 - { error: 'Login failed' }
+     */
     router.post('/login', loginLimiter, async (req, res) => {
         const { username, password } = req.body;
 
@@ -139,7 +152,14 @@ function createAuthRouter(db, logAudit) {
         }
     });
 
-    // Logout
+    /**
+     * POST /api/auth/logout
+     *
+     * Ends the current user session by deleting it from the database
+     * and clearing the session cookie.
+     *
+     * @returns {object} 200 - { message: 'Logged out successfully' }
+     */
     router.post('/logout', async (req, res) => {
         const sessionId = req.cookies?.session_id;
 
@@ -182,7 +202,16 @@ function createAuthRouter(db, logAudit) {
         res.json({ message: 'Logged out successfully' });
     });
 
-    // Get current user
+    /**
+     * GET /api/auth/me
+     *
+     * Returns the currently authenticated user based on the session cookie.
+     * Clears the cookie and returns 401 if the session is expired or the account is disabled.
+     *
+     * @returns {object} 200 - { user: { id, username, email, group } }
+     * @returns {object} 401 - { error: 'Not authenticated' } | { error: 'Session expired' } | { error: 'Account is disabled' }
+     * @returns {object} 500 - { error: 'Failed to get user' }
+     */
     router.get('/me', async (req, res) => {
         const sessionId = req.cookies?.session_id;
 
@@ -229,7 +258,16 @@ function createAuthRouter(db, logAudit) {
         }
     });
 
-    // Clean up expired sessions (admin only)
+    /**
+     * POST /api/auth/cleanup-sessions
+     *
+     * Deletes all expired sessions from the database. Requires Admin group.
+     *
+     * @returns {object} 200 - { message: 'Expired sessions cleaned up' }
+     * @returns {object} 401 - { error: 'Authentication required' }
+     * @returns {object} 403 - { error: 'Insufficient permissions', required: ['Admin'], current: '...' }
+     * @returns {object} 500 - { error: 'Cleanup failed' }
+     */
     router.post('/cleanup-sessions', requireAuth(db), requireGroup('Admin'), async (req, res) => {
         try {
             await new Promise((resolve, reject) => {