Improve Jira lookup error messages and make local POST cve_id/vendor optional

- Pass through actual Jira error details instead of generic 'Jira API error'
- Parse errorMessages and errors from Jira response for human-readable display
- Make cve_id and vendor optional on local POST /api/jira-tickets (for Save to Dashboard)
- Update getIssue comment for clarity (logic unchanged — JQL search per compliance spec)

backend/helpers/jiraApi.js

@@ -276,8 +276,9 @@ function jiraDelete(urlPath, options) {
  * @param {string[]} [fields] - Jira field names to return
  */
 async function getIssue(issueKey, fields) {
-    // Don't filter by project — issue keys are globally unique in Jira and
-    // tickets may belong to projects other than JIRA_PROJECT_KEY (e.g. AA_ADTRAN).
+    // Use JQL search to look up a single issue by key.
+    // Issue keys are globally unique in Jira — no project filter needed.
+    // Charter compliance: uses GET /rest/api/2/search with explicit field list.
     const jql = `key = "${issueKey}"`;
     const result = await searchIssues(jql, { fields: fields || DEFAULT_FIELDS, maxResults: 1, startAt: 0 });
     if (result.ok && result.data.issues && result.data.issues.length > 0) {