Improve Jira lookup error messages and make local POST cve_id/vendor optional

- Pass through actual Jira error details instead of generic 'Jira API error'
- Parse errorMessages and errors from Jira response for human-readable display
- Make cve_id and vendor optional on local POST /api/jira-tickets (for Save to Dashboard)
- Update getIssue comment for clarity (logic unchanged — JQL search per compliance spec)

backend/routes/jiraTickets.js

@@ -126,8 +126,24 @@ function createJiraTicketsRouter() {
             if (result.rateLimited) {
                 return res.status(429).json({ error: 'Jira rate limit exceeded. Try again later.' });
             }
+            // Build a meaningful error message from Jira's response
+            let errorMsg = result.status === 404 ? 'Issue not found in Jira.' : 'Jira API error.';
+            if (result.body) {
+                try {
+                    const parsed = typeof result.body === 'string' ? JSON.parse(result.body) : result.body;
+                    if (parsed.errorMessages && parsed.errorMessages.length > 0) {
+                        errorMsg = parsed.errorMessages.join('; ');
+                    } else if (parsed.errors && Object.keys(parsed.errors).length > 0) {
+                        errorMsg = Object.values(parsed.errors).join('; ');
+                    }
+                } catch (_) {
+                    if (typeof result.body === 'string' && result.body.length < 300) {
+                        errorMsg = result.body;
+                    }
+                }
+            }
             return res.status(result.status === 404 ? 404 : 502).json({
-                error: result.status === 404 ? 'Issue not found in Jira.' : 'Jira API error.',
+                error: errorMsg,
                 details: result.body
             });
         } catch (err) {