fix: address all 11 review items for group-based access control

Bugs fixed:
- knowledgeBase.js: logAudit calls converted from positional args to object signature
- archerTickets.js: targetType/targetId renamed to entityType/entityId
- server.js: single CVE delete now has cascade/compliance check for Standard_User

Unprotected endpoints secured:
- ivantiTodoQueue.js: POST/PUT/DELETE now require Admin or Standard_User
- ivantiFindings.js: PUT note and POST sync now require Admin or Standard_User
- compliance.js: POST notes now requires Admin or Standard_User
- ivantiWorkflows.js: POST sync now requires Admin or Standard_User
- auth.js: cleanup-sessions now requires Admin via requireAuth + requireGroup

Additional fixes:
- ExportsPage.js: canExport() guard blocks Read_Only users
- knowledgeBase.js: Standard_User delete checks created_by ownership
- Migration: added INSERT/UPDATE triggers to enforce valid user_group values

backend/routes/auth.js

@@ -2,6 +2,7 @@
 const express = require('express');
 const bcrypt = require('bcryptjs');
 const crypto = require('crypto');
+const { requireAuth, requireGroup } = require('../middleware/auth');
 
 function createAuthRouter(db, logAudit) {
     const router = express.Router();
@@ -220,12 +221,7 @@ function createAuthRouter(db, logAudit) {
     });
 
     // Clean up expired sessions (admin only)
-    router.post('/cleanup-sessions', async (req, res) => {
-        // Basic auth check - require a valid session to call this
-        const sessionId = req.cookies?.session_id;
-        if (!sessionId) {
-            return res.status(401).json({ error: 'Authentication required' });
-        }
+    router.post('/cleanup-sessions', requireAuth(db), requireGroup('Admin'), async (req, res) => {
         try {
             await new Promise((resolve, reject) => {
                 db.run(