feat: add hostname and IP display to Ivanti queue panel

- Add migration to add hostname column to ivanti_todo_queue table
- Update POST and batch POST endpoints to accept and store hostname
- Pass hostName from findings data when adding items to queue
- Display hostname and IP address in CARD queue section
- Display hostname and IP address in vendor (FP/Archer) queue sections

.gitea/issue_template/enhancement.yaml

@@ -0,0 +1,84 @@
+name: Enhancement
+about: Suggest an improvement to an existing feature or functionality
+title: "[Enhancement] "
+labels:
+  - kind/enhancement
+  - status/triage
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to suggest an improvement! This template is for enhancements to **existing** features. If you'd like to request a brand new feature, please use the Feature Request template instead.
+
+  - type: textarea
+    id: current-behavior
+    attributes:
+      label: Current Behavior
+      description: Describe how the existing feature currently works.
+      placeholder: "Currently, when I do X, it works like..."
+    validations:
+      required: true
+
+  - type: textarea
+    id: proposed-improvement
+    attributes:
+      label: Proposed Improvement
+      description: Describe how you'd like the existing feature to be improved.
+      placeholder: "I'd like it to also do Y, or behave differently by..."
+    validations:
+      required: true
+
+  - type: textarea
+    id: use-case
+    attributes:
+      label: Use Case
+      description: Why would this improvement be valuable? What problem does it solve?
+      placeholder: "This would help because..."
+    validations:
+      required: true
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Area of the Application
+      description: Which part of the application does this enhancement relate to?
+      options:
+        - Dashboard / CVE List
+        - CVE Details
+        - Document Management
+        - User Management
+        - Authentication
+        - Audit Logging
+        - API
+        - Other
+    validations:
+      required: true
+
+  - type: dropdown
+    id: priority
+    attributes:
+      label: Priority
+      description: How important is this enhancement to your workflow?
+      options:
+        - Nice to have
+        - Important
+        - Critical
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives or Workarounds
+      description: Are there any current workarounds or alternative approaches you've considered?
+      placeholder: "Currently I work around this by..."
+    validations:
+      required: false
+
+  - type: textarea
+    id: additional-context
+    attributes:
+      label: Additional Context
+      description: Add any other context, screenshots, or mockups about the enhancement here.
+    validations:
+      required: false

.gitignore

@@ -37,10 +37,20 @@ frontend.pid
 
 # Temporary files
 backend/uploads/temp/
-claude.md
-claude_status.md
 feature_request*.md
+
+# Planning docs
+docs/aeo-compliance-ui-plan.md
+docs/aeo-compliance-wireframe.md
+
+# AI tooling config
+.claude/
+ai_notes.md
+ai_status.md
 backend/add_vendor_to_documents.js
 backend/fix_multivendor_constraint.js
 backend/server.js-backup
 backend/setup.js-backup
+
+# Kiro implementation summary (internal only)
+docs/kiro-implementation-summary.md

.gitlab/issue_templates/Bug Report.md

@@ -0,0 +1,35 @@
+<!-- Labels: kind/bug, status/triage -->
+
+Please provide as much detail as possible so we can reproduce and fix the issue!
+
+## Description
+
+<!-- What is currently happening? -->
+
+
+
+## Steps to Reproduce
+
+<!--
+1. Go to '...'
+2. Click on '...'
+3. See error
+-->
+
+1.
+2.
+3.
+
+## Environment
+
+<!-- Which browser/OS are you using? (e.g., Chrome on Windows 11) -->
+
+
+
+## Relevant Log Output
+
+<!-- Please paste any error logs or console output here. -->
+
+```
+(paste logs here)
+```

.gitlab/issue_templates/Feature Request.md

@@ -0,0 +1,27 @@
+<!-- Labels: kind/feature, status/triage -->
+
+Thanks for taking the time to suggest a new feature!
+
+## Is your feature request related to a problem?
+
+<!-- A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] -->
+
+
+
+## Describe the solution you'd like
+
+<!-- A clear and concise description of what you want to happen. -->
+
+
+
+## Describe alternatives you've considered
+
+<!-- A clear and concise description of any alternative solutions or features you've considered. -->
+
+
+
+## Additional context
+
+<!-- Add any other context or screenshots about the feature request here. -->
+
+

.kiro/hooks/check-component-conventions.kiro.hook

@@ -0,0 +1,16 @@
+{
+  "enabled": true,
+  "name": "Check Component Conventions",
+  "description": "On save of files in frontend/src/components/, verifies the component follows project conventions and flags deviations as inline comments.",
+  "version": "1",
+  "when": {
+    "type": "fileEdited",
+    "patterns": [
+      "frontend/src/components/**/*.js"
+    ]
+  },
+  "then": {
+    "type": "askAgent",
+    "prompt": "Review the saved component file and verify it follows these project conventions:\n\n1. Functional component with hooks (no class components)\n2. Uses Lucide icons for iconography (not raw SVGs or other icon libraries)\n3. Uses inline styles or existing CSS classes from App.css (no CSS modules, no styled-components)\n4. Fetches data with fetch() using relative API paths and credentials: 'include' (no axios, no absolute URLs)\n5. Handles loading and error states when fetching data\n\nFor any deviations found, add inline comments in the code flagging the issue, e.g. // ⚠️ CONVENTION: Use lucide-react icons instead of raw SVGs\n\nOnly flag actual deviations. Do not modify working logic or refactor the component."
+  }
+}

.kiro/hooks/jsdoc-route-docs.kiro.hook

@@ -0,0 +1,16 @@
+{
+  "enabled": true,
+  "name": "JSDoc Route Documentation",
+  "description": "On save of files in backend/routes/, ensures every exported route handler has a JSDoc comment documenting the HTTP method, path, query parameters, request body shape, and response shape. Uses the existing documentation style in the file. Does not add comments to internal helper functions.",
+  "version": "1",
+  "when": {
+    "type": "fileEdited",
+    "patterns": [
+      "backend/routes/*.js"
+    ]
+  },
+  "then": {
+    "type": "askAgent",
+    "prompt": "Review the saved route file and ensure every exported route handler (e.g., router.get, router.post, router.put, router.patch, router.delete) has a JSDoc comment directly above it documenting: the HTTP method, the route path, any query parameters, the request body shape (if applicable), and the response shape. Match the existing documentation style already used in the file. Do NOT add JSDoc comments to internal helper functions that are not route handlers. Only add missing documentation — do not modify or remove existing JSDoc comments that are already correct."
+  }
+}

.kiro/hooks/sqlite3-safety-check.kiro.hook

@@ -0,0 +1,16 @@
+{
+  "enabled": true,
+  "name": "SQLite3 Safety Check",
+  "description": "On save of files containing db.run, db.get, or db.all, verifies all sqlite3 calls use parameterized queries (? placeholders) instead of string concatenation, handle the error parameter first in every callback, and use hardcoded table/column names. Flags violations as inline comments prefixed with \"// FIXME:\".",
+  "version": "1",
+  "when": {
+    "type": "fileEdited",
+    "patterns": [
+      "backend/**/*.js"
+    ]
+  },
+  "then": {
+    "type": "askAgent",
+    "prompt": "The saved file may contain sqlite3 calls (db.run, db.get, or db.all). Scan the file and verify all sqlite3 calls follow these rules:\n\n1. Parameterized queries only: All SQL queries must use ? placeholders for dynamic values. Never use string concatenation or template literals to inject values into SQL strings.\n2. Error-first callbacks: Every callback passed to db.run, db.get, or db.all must handle the error parameter first (e.g., `if (err) { ... }`).\n3. Hardcoded table/column names: All table and column names in SQL strings must be hardcoded string literals, never sourced from variables or parameters.\n\nIf the file does not contain any db.run, db.get, or db.all calls, skip the check silently.\n\nFor any violations found, add an inline comment on the offending line prefixed with \"// FIXME:\" describing the specific issue. Do not modify any other code."
+  }
+}

.kiro/hooks/verify-migration-pattern.kiro.hook

@@ -0,0 +1,16 @@
+{
+  "enabled": true,
+  "name": "Verify Migration Pattern",
+  "description": "On save or create of migration files (migrate*.js), verifies the migration follows existing project patterns: uses CREATE TABLE IF NOT EXISTS, includes explicit column types, adds appropriate indexes, and wraps multiple statements in transactions. Compares against existing migrations for style consistency.",
+  "version": "1",
+  "when": {
+    "type": "fileEdited",
+    "patterns": [
+      "**/migrate*.js"
+    ]
+  },
+  "then": {
+    "type": "askAgent",
+    "prompt": "A migration file was just saved. Review the edited file and verify it follows the existing migration pattern used in this project. Check the existing migrations in backend/migrations/ for reference, then verify the edited file:\n\n1. Uses CREATE TABLE IF NOT EXISTS (not just CREATE TABLE)\n2. Includes all columns with explicit SQLite types (TEXT, INTEGER, REAL, etc.)\n3. Adds appropriate indexes for foreign keys and frequently queried columns\n4. Wraps operations in a serialized transaction (db.serialize + db.run(\"BEGIN TRANSACTION\") / COMMIT) if there are multiple statements\n5. Follows the same callback-based db.run() style as existing migrations\n6. Includes proper error handling\n\nCompare the file against the existing migrations in backend/migrations/ for style consistency. Report any deviations or issues found."
+  }
+}

.kiro/hooks/verify-new-migration.kiro.hook

@@ -0,0 +1,16 @@
+{
+  "enabled": true,
+  "name": "Verify New Migration",
+  "description": "On creation of new migration files in backend/migrations/, verifies the migration follows existing project patterns: uses CREATE TABLE IF NOT EXISTS, includes explicit column types, adds appropriate indexes, and wraps multiple statements in transactions.",
+  "version": "1",
+  "when": {
+    "type": "fileCreated",
+    "patterns": [
+      "**/migrations/*.js"
+    ]
+  },
+  "then": {
+    "type": "askAgent",
+    "prompt": "A new migration file was just created. Review the file and verify it follows the existing migration pattern used in this project. Check the existing migrations in backend/migrations/ for reference, then verify the new file:\n\n1. Uses CREATE TABLE IF NOT EXISTS (not just CREATE TABLE)\n2. Includes all columns with explicit SQLite types (TEXT, INTEGER, REAL, etc.)\n3. Adds appropriate indexes for foreign keys and frequently queried columns\n4. Wraps operations in a serialized transaction (db.serialize + db.run(\"BEGIN TRANSACTION\") / COMMIT) if there are multiple statements\n5. Follows the same callback-based db.run() style as existing migrations\n6. Includes proper error handling\n\nCompare the file against the existing migrations in backend/migrations/ for style consistency. Report any deviations or issues found."
+  }
+}

.kiro/specs/batch-finding-disposition/.config.kiro

@@ -0,0 +1 @@
+{"specId": "9f5c16d4-43ea-4d7a-beb1-9329d79a5acc", "workflowType": "requirements-first", "specType": "feature"}

.kiro/specs/batch-finding-disposition/design.md

@@ -0,0 +1,331 @@
+# Design Document: Batch Finding Disposition
+
+## Overview
+
+This feature adds multi-select capability to the Vulnerability Triage page's findings table, enabling engineers to select multiple findings and add them all to the Ivanti Queue in a single operation. The current flow requires clicking each finding individually, configuring a popover, and submitting one at a time — this design replaces that with a batch selection toolbar and a bulk-add API endpoint while preserving the existing single-select popover for one-off additions.
+
+The design touches three layers:
+1. A new `POST /api/ivanti/todo-queue/batch` backend endpoint that accepts an array of findings in a single transactional insert
+2. Frontend multi-select state management (selection set, shift-click range select, select-all)
+3. A sticky Selection Toolbar component with workflow type toggles, vendor input, and batch submit
+
+## Architecture
+
+The feature extends the existing Ivanti Queue subsystem without introducing new services or tables. The `ivanti_todo_queue` table schema is unchanged — batch add simply inserts multiple rows in a single SQLite transaction.
+
+```mermaid
+flowchart TD
+    subgraph Frontend ["Frontend (ReportingPage.js)"]
+        CB[Row Checkboxes] --> SS[Selection State<br/>Set of finding IDs]
+        SS --> ST[Selection Toolbar]
+        ST -->|"Add to Queue"| BA[Batch API Call]
+        CB -->|"No selection + click"| PO[AddToQueuePopover<br/>existing single-add]
+    end
+
+    subgraph Backend ["Backend (ivantiTodoQueue.js)"]
+        BA -->|"POST /batch"| BH[Batch Handler]
+        BH -->|"BEGIN TRANSACTION"| DB[(ivanti_todo_queue)]
+        BH -->|"logAudit()"| AL[(audit_logs)]
+        PO -->|"POST /"| SH[Single Handler<br/>existing]
+        SH --> DB
+    end
+```
+
+### Key Design Decisions
+
+1. **No new database table or migration** — batch insert reuses the existing `ivanti_todo_queue` schema. Each finding becomes its own row, identical to what the single-add endpoint creates.
+
+2. **SQLite transaction for atomicity** — all findings in a batch are inserted inside `db.serialize()` with `BEGIN TRANSACTION` / `COMMIT`. If any insert fails, the entire batch is rolled back. This satisfies the all-or-nothing requirement (Req 3.7, 3.8, 3.11).
+
+3. **Selection state lives in the VulnerabilityTriagePage component** — a `Set<string>` of finding IDs managed via `useState`. This keeps the selection co-located with the existing `findings`, `sorted`, `filtered`, and `queueItems` state. No new context or global store needed.
+
+4. **Dual-mode checkbox behavior** — when no findings are selected, clicking a checkbox opens the existing `AddToQueuePopover` (preserving the single-select flow per Req 5). Once one or more findings are selected, subsequent checkbox clicks toggle selection instead. This is the simplest UX that satisfies both Req 1 and Req 5.
+
+5. **Selection Toolbar as inline sticky bar** — rendered between the table header controls and the `<table>` element, using `position: sticky` to stay visible during scroll. This avoids portal complexity and keeps the toolbar visually anchored to the table.
+
+6. **200-item batch limit** — prevents oversized payloads and keeps SQLite transaction time reasonable. The findings table typically has 200-800 rows, so this covers most realistic batch sizes.
+
+## Components and Interfaces
+
+### Backend
+
+#### `POST /api/ivanti/todo-queue/batch`
+
+Added to the existing `createIvantiTodoQueueRouter` factory in `backend/routes/ivantiTodoQueue.js`.
+
+**Request body:**
+```json
+{
+  "findings": [
+    {
+      "finding_id": "FID-12345",
+      "finding_title": "OpenSSL vulnerability",
+      "cves": ["CVE-2024-0001"],
+      "ip_address": "10.0.1.50"
+    }
+  ],
+  "workflow_type": "FP",
+  "vendor": "Juniper"
+}
+```
+
+**Validation rules:**
+- `findings` — array, 1–200 items
+- Each item: `finding_id` required, non-empty string; `finding_title`, `cves`, `ip_address` optional
+- `workflow_type` — must be `FP`, `Archer`, or `CARD`
+- `vendor` — required non-empty string (≤200 chars) for FP/Archer; ignored for CARD
+- If any finding fails validation, reject entire batch with 400
+
+**Auth:** `requireAuth(db)`, `requireGroup('Admin', 'Standard_User')`
+
+**Response (201):**
+```json
+{
+  "items": [
+    {
+      "id": 42,
+      "user_id": 1,
+      "finding_id": "FID-12345",
+      "finding_title": "OpenSSL vulnerability",
+      "cves_json": "[\"CVE-2024-0001\"]",
+      "ip_address": "10.0.1.50",
+      "vendor": "Juniper",
+      "workflow_type": "FP",
+      "status": "pending",
+      "created_at": "2025-01-15 12:00:00",
+      "updated_at": "2025-01-15 12:00:00",
+      "cves": ["CVE-2024-0001"]
+    }
+  ]
+}
+```
+
+**Error responses:**
+- `400` — validation failure (descriptive message)
+- `401` — not authenticated
+- `403` — insufficient permissions
+- `500` — database transaction failure (all inserts rolled back)
+
+### Frontend
+
+#### Selection State (in VulnerabilityTriagePage)
+
+New state variables added to the main component:
+
+```javascript
+const [selectedIds, setSelectedIds] = useState(new Set());    // Set<string> of finding IDs
+const [lastClickedId, setLastClickedId] = useState(null);     // for shift-click range select
+const [batchSubmitting, setBatchSubmitting] = useState(false); // loading state
+const [batchError, setBatchError] = useState(null);            // error message from failed batch
+const [batchWorkflowType, setBatchWorkflowType] = useState('FP');
+const [batchVendor, setBatchVendor] = useState('');
+```
+
+#### Checkbox Click Logic
+
+```
+onClick(finding, event):
+  if finding is already queued → return (no-op)
+  if selectedIds.size === 0 AND not shift-click:
+    → open AddToQueuePopover (existing single-select flow)
+  else:
+    if shift-click AND lastClickedId exists:
+      → range-select all visible findings between lastClickedId and finding.id
+    else:
+      → toggle finding.id in selectedIds
+    set lastClickedId = finding.id
+```
+
+#### SelectionToolbar Component
+
+Rendered inline above the table when `selectedIds.size > 0`. Contains:
+- Selected count badge
+- "Clear Selection" button
+- Workflow type toggle buttons (FP / Archer / CARD) with existing color scheme
+- Vendor text input (hidden when CARD selected)
+- "Add to Queue" submit button (disabled until valid)
+- Error message display area
+
+#### Selection Persistence Across Filters
+
+When `columnFilters`, `actionFilter`, or `excFilter` change, the selection set is pruned to only include IDs that remain in the `filtered` array. This is done via a `useEffect` that intersects `selectedIds` with the current filtered finding IDs.
+
+#### Select All / Deselect All
+
+The checkbox column header renders a "Select All" control when `selectedIds.size > 0` or as a standard header otherwise. Clicking it:
+- If not all visible non-queued findings are selected → selects all visible non-queued findings
+- If all are already selected → deselects all
+
+## Data Models
+
+### Database Schema (unchanged)
+
+The `ivanti_todo_queue` table is reused as-is:
+
+```sql
+CREATE TABLE ivanti_todo_queue (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id INTEGER NOT NULL,
+    finding_id TEXT NOT NULL,
+    finding_title TEXT,
+    cves_json TEXT,
+    ip_address TEXT,
+    vendor TEXT NOT NULL,
+    workflow_type TEXT NOT NULL CHECK(workflow_type IN ('FP', 'Archer', 'CARD')),
+    status TEXT NOT NULL DEFAULT 'pending' CHECK(status IN ('pending', 'complete')),
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+```
+
+Each batch-added finding creates one row, identical to single-add. The `vendor` and `workflow_type` are shared across all findings in a batch (set once in the toolbar).
+
+### API Request Schema
+
+```
+BatchAddRequest {
+  findings: Array<{
+    finding_id: string (required, non-empty, trimmed)
+    finding_title: string | null (max 500 chars)
+    cves: string[] | null
+    ip_address: string | null (max 64 chars)
+  }> (1–200 items)
+  workflow_type: "FP" | "Archer" | "CARD"
+  vendor: string (required for FP/Archer, ≤200 chars; empty/absent for CARD)
+}
+```
+
+### Frontend State Shape
+
+```
+Selection State:
+  selectedIds: Set<string>        — finding IDs currently selected
+  lastClickedId: string | null    — last checkbox clicked (for shift-range)
+  batchSubmitting: boolean        — true while POST /batch in flight
+  batchError: string | null       — error message from last failed batch
+  batchWorkflowType: "FP" | "Archer" | "CARD"
+  batchVendor: string
+```
+
+
+## Correctness Properties
+
+*A property is a characteristic or behavior that should hold true across all valid executions of a system — essentially, a formal statement about what the system should do. Properties serve as the bridge between human-readable specifications and machine-verifiable correctness guarantees.*
+
+### Property 1: Selection pruning preserves only visible findings
+
+*For any* set of selected finding IDs and any set of currently visible (filtered) finding IDs, pruning the selection after a filter change should produce exactly the intersection of the two sets — every ID in the result is both selected and visible, and no visible selected ID is lost.
+
+**Validates: Requirements 1.4**
+
+### Property 2: Select-all produces the complete visible non-queued set
+
+*For any* list of visible findings and any set of queued finding IDs, the select-all operation should produce a set containing exactly the IDs of visible findings that are not in the queued set — no queued findings included, no non-queued visible findings omitted.
+
+**Validates: Requirements 1.6**
+
+### Property 3: Submit button enabled state matches validation rule
+
+*For any* workflow type (FP, Archer, CARD) and any vendor string, the "Add to Queue" button should be enabled if and only if the workflow type is CARD, or the vendor string trimmed is non-empty. No other combination should enable the button.
+
+**Validates: Requirements 2.7**
+
+### Property 4: Batch size validation accepts only 1–200 items
+
+*For any* integer N representing the number of findings in a batch request, the endpoint should accept the request (assuming all other fields are valid) if and only if 1 ≤ N ≤ 200. Arrays of size 0 or greater than 200 should be rejected with a 400 response.
+
+**Validates: Requirements 3.2**
+
+### Property 5: Vendor validation is conditional on workflow type
+
+*For any* workflow type and any vendor string, the batch endpoint should require a non-empty vendor of 200 characters or fewer when workflow_type is FP or Archer, and should accept any vendor value (including empty or absent) when workflow_type is CARD.
+
+**Validates: Requirements 3.5, 3.6**
+
+### Property 6: One invalid finding rejects the entire batch
+
+*For any* valid batch of findings, if exactly one finding is replaced with an invalid finding (empty finding_id, missing finding_id, or non-string finding_id) at any position in the array, the entire batch should be rejected with a 400 response and zero rows should be inserted.
+
+**Validates: Requirements 3.3, 3.8**
+
+### Property 7: Successful batch response matches request
+
+*For any* valid batch request of N findings, the 201 response should contain exactly N items, each with a unique numeric `id`, and the set of `finding_id` values in the response should equal the set of `finding_id` values in the request.
+
+**Validates: Requirements 3.9**
+
+### Property 8: Shift-click range select covers exactly the between range
+
+*For any* sorted list of visible findings, any last-clicked index, and any current-click index, the shift-click range select should produce a set containing exactly the non-queued findings between those two indices (inclusive), regardless of which index is larger.
+
+**Validates: Requirements 6.1**
+
+## Error Handling
+
+### Backend Errors
+
+| Scenario | Response | Behavior |
+|----------|----------|----------|
+| Empty findings array or > 200 items | 400 | `{ error: "findings array must contain 1-200 items." }` |
+| Any finding missing/empty finding_id | 400 | `{ error: "Each finding must have a non-empty finding_id string." }` |
+| Invalid workflow_type | 400 | `{ error: "workflow_type must be FP, Archer, or CARD." }` |
+| Missing vendor for FP/Archer | 400 | `{ error: "vendor is required for FP and Archer workflows." }` |
+| Vendor exceeds 200 chars | 400 | `{ error: "vendor must be under 200 chars." }` |
+| Not authenticated | 401 | Standard auth middleware response |
+| Insufficient permissions (Read_Only) | 403 | Standard group middleware response |
+| SQLite transaction failure | 500 | Transaction rolled back, `{ error: "Internal server error." }` |
+
+### Frontend Errors
+
+| Scenario | Behavior |
+|----------|----------|
+| Batch POST returns 4xx/5xx | Display error message in Selection Toolbar, keep selection intact |
+| Network failure during batch POST | Display "Network error — please try again" in toolbar, keep selection |
+| Batch POST timeout | Same as network failure handling |
+
+### Edge Cases
+
+- **Duplicate finding_ids in batch**: Allowed — the same finding could appear on multiple hosts. The backend does not enforce uniqueness on finding_id within a batch.
+- **Finding already in queue**: The frontend prevents selecting already-queued findings (checkbox is disabled), so duplicates should not reach the API. No server-side duplicate check is added to keep the endpoint simple.
+- **Concurrent batch submissions**: The SQLite transaction serializes writes. If two users submit overlapping batches, both succeed independently (each user has their own queue scoped by user_id).
+- **Selection of 0 findings**: The "Add to Queue" button is only rendered when selectedIds.size > 0, so this state cannot be reached through the UI. The backend still validates for it.
+
+## Testing Strategy
+
+### Unit Tests
+
+Focus on specific examples and edge cases:
+
+- **Backend validation**: Test each validation rule with concrete valid/invalid inputs (empty array, 201 items, missing finding_id, invalid workflow_type, vendor edge cases)
+- **Transaction rollback**: Mock a database error mid-insert, verify no rows are committed
+- **Frontend checkbox dual-mode**: Test that clicking with empty selection opens popover, clicking with existing selection toggles selection
+- **Toolbar visibility**: Test toolbar appears/disappears based on selection state
+- **Clear selection**: Test that clear button empties selection
+- **Escape key**: Test that Escape clears selection
+- **Select-all toggle**: Test select-all and deselect-all behavior
+- **Queue panel update**: Test that successful batch updates queueItems state
+
+### Property-Based Tests
+
+Using [fast-check](https://github.com/dubzzz/fast-check) for JavaScript property-based testing.
+
+Each property test runs a minimum of 100 iterations with randomly generated inputs. Tests are tagged with their corresponding design property.
+
+| Property | What's Generated | What's Verified |
+|----------|-----------------|-----------------|
+| Property 1: Selection pruning | Random sets of selected IDs and filtered IDs | Result = intersection of both sets |
+| Property 2: Select-all | Random finding lists and queued ID sets | Result = visible IDs minus queued IDs |
+| Property 3: Submit enabled | Random workflow types and vendor strings | Enabled iff CARD or non-empty vendor |
+| Property 4: Batch size | Random integers 0–300 | Accepted iff 1 ≤ N ≤ 200 |
+| Property 5: Vendor validation | Random workflow types and vendor strings (0–300 chars) | Conditional acceptance rule |
+| Property 6: Invalid finding rejection | Valid batches with one injected invalid item | Entire batch rejected, 0 rows inserted |
+| Property 7: Response shape | Valid batches of 1–50 findings | Response count matches, IDs match |
+| Property 8: Range select | Random sorted lists and two index positions | Correct range of non-queued findings |
+
+### Integration Tests
+
+- End-to-end batch submission: POST valid batch, verify rows in database, verify response shape
+- Auth enforcement: Verify 401 for unauthenticated, 403 for Read_Only users
+- Transaction atomicity: Verify rollback on database error
+- Frontend → Backend: Mock API, verify correct request payload from toolbar submit

.kiro/specs/batch-finding-disposition/requirements.md

@@ -0,0 +1,97 @@
+# Requirements Document
+
+## Introduction
+
+The Batch Finding Disposition feature adds multi-select capability to the Vulnerability Triage page's findings table, allowing engineers to select multiple findings at once and add them all to the Ivanti Queue with a shared workflow type and vendor in a single operation. Currently, each finding must be individually clicked, configured via a popover, and submitted — a repetitive process that slows down triage when working through many findings. This feature replaces that one-at-a-time flow with a batch selection toolbar and a bulk-add API endpoint.
+
+## Glossary
+
+- **Findings_Table**: The sortable, filterable table of Ivanti host findings rendered in the VulnerabilityTriagePage component (`ReportingPage.js`), where each row represents one finding.
+- **Selection_Toolbar**: A floating toolbar that appears above the Findings_Table when one or more findings are selected via their row checkboxes, displaying the count of selected findings and batch action controls.
+- **Batch_Add_Panel**: The inline panel within the Selection_Toolbar that provides workflow type selection (FP, Archer, CARD), an optional vendor input, and a submit button for adding all selected findings to the queue in one operation.
+- **Todo_Queue_API**: The backend Express router at `/api/ivanti/todo-queue` that manages CRUD operations on the `ivanti_todo_queue` table.
+- **Queue_Panel**: The existing right-side slide-out panel (`QueuePanel` component) that displays the user's current queue items grouped by vendor.
+- **Workflow_Type**: One of three disposition categories: FP (false positive), Archer (risk acceptance), or CARD (remediation card). Each finding added to the queue is assigned exactly one Workflow_Type.
+- **Finding**: A single Ivanti host vulnerability record containing an ID, title, CVEs, IP address, severity, and other metadata.
+
+## Requirements
+
+### Requirement 1: Multi-Select Findings via Row Checkboxes
+
+**User Story:** As an engineer, I want to select multiple findings using checkboxes so that I can batch-process them instead of handling each one individually.
+
+#### Acceptance Criteria
+
+1. THE Findings_Table SHALL render a checkbox in the first column of each finding row that is not already in the queue.
+2. WHEN a user clicks a finding row's checkbox, THE Findings_Table SHALL toggle that Finding's selected state without opening the AddToQueuePopover.
+3. WHEN one or more findings are selected, THE Findings_Table SHALL visually distinguish selected rows from unselected rows using a highlighted background.
+4. THE Findings_Table SHALL maintain the selected findings set across sort and filter changes, removing only findings that are no longer visible after filtering.
+5. WHEN a finding is already in the queue, THE Findings_Table SHALL display that row's checkbox as checked and disabled, preventing re-selection.
+6. WHILE findings are selected, THE Findings_Table SHALL display a "Select All (visible)" control in the checkbox column header that selects all visible, non-queued findings.
+7. WHEN the "Select All" control is clicked while all visible non-queued findings are already selected, THE Findings_Table SHALL deselect all findings.
+
+### Requirement 2: Selection Toolbar with Batch Actions
+
+**User Story:** As an engineer, I want a toolbar that appears when I have findings selected so that I can see how many are selected and take batch actions on them.
+
+#### Acceptance Criteria
+
+1. WHEN one or more findings are selected, THE Selection_Toolbar SHALL appear as a sticky bar above the Findings_Table header row.
+2. THE Selection_Toolbar SHALL display the count of currently selected findings.
+3. THE Selection_Toolbar SHALL provide a "Clear Selection" button that deselects all findings and hides the Selection_Toolbar.
+4. THE Selection_Toolbar SHALL provide workflow type toggle buttons for FP, Archer, and CARD, matching the existing color scheme (FP: amber, Archer: blue, CARD: green).
+5. WHEN the selected Workflow_Type is FP or Archer, THE Selection_Toolbar SHALL display a vendor text input field.
+6. WHEN the selected Workflow_Type is CARD, THE Selection_Toolbar SHALL hide the vendor input field and display a "No vendor required" indicator.
+7. THE Selection_Toolbar SHALL provide an "Add to Queue" submit button that is enabled only when a Workflow_Type is selected and vendor is provided (for FP/Archer) or Workflow_Type is CARD.
+8. THE Selection_Toolbar SHALL follow the existing dark theme design system (monospace fonts, dark gradient backgrounds, accent-colored borders).
+
+### Requirement 3: Bulk Add to Queue API Endpoint
+
+**User Story:** As an engineer, I want the backend to accept multiple findings in a single request so that batch additions are processed efficiently.
+
+#### Acceptance Criteria
+
+1. THE Todo_Queue_API SHALL expose a `POST /api/ivanti/todo-queue/batch` endpoint that accepts an array of finding objects with a shared workflow_type and vendor.
+2. THE Todo_Queue_API SHALL validate that the findings array contains between 1 and 200 items.
+3. THE Todo_Queue_API SHALL validate that each finding object contains a non-empty finding_id string.
+4. THE Todo_Queue_API SHALL validate that workflow_type is one of FP, Archer, or CARD.
+5. WHEN workflow_type is FP or Archer, THE Todo_Queue_API SHALL validate that vendor is a non-empty string of 200 characters or fewer.
+6. WHEN workflow_type is CARD, THE Todo_Queue_API SHALL accept an empty or absent vendor field.
+7. THE Todo_Queue_API SHALL insert all valid findings into the `ivanti_todo_queue` table within a single database transaction.
+8. IF any finding in the batch fails validation, THEN THE Todo_Queue_API SHALL reject the entire batch and return a 400 response with a descriptive error message.
+9. THE Todo_Queue_API SHALL return a 201 response containing the array of newly created queue items with their assigned IDs.
+10. THE Todo_Queue_API SHALL require authentication and the Admin or Standard_User group.
+11. IF a database error occurs during the transaction, THEN THE Todo_Queue_API SHALL roll back all inserts and return a 500 response.
+
+### Requirement 4: Frontend Batch Submission Flow
+
+**User Story:** As an engineer, I want clicking "Add to Queue" on the toolbar to submit all selected findings at once so that I save time during triage.
+
+#### Acceptance Criteria
+
+1. WHEN the user clicks "Add to Queue" on the Selection_Toolbar, THE Findings_Table SHALL send a single POST request to `POST /api/ivanti/todo-queue/batch` containing all selected findings with the chosen workflow_type and vendor.
+2. WHILE the batch request is in progress, THE Selection_Toolbar SHALL disable the "Add to Queue" button and display a loading indicator.
+3. WHEN the batch request succeeds, THE Findings_Table SHALL add all returned queue items to the local queue state, clear the selection, and hide the Selection_Toolbar.
+4. WHEN the batch request succeeds, THE Findings_Table SHALL update each newly queued finding's row checkbox to show the checked-and-disabled (already queued) state.
+5. IF the batch request fails, THEN THE Selection_Toolbar SHALL display the error message returned by the API and keep the current selection intact.
+6. WHEN the batch request succeeds and the Queue_Panel is open, THE Queue_Panel SHALL reflect the newly added items immediately without requiring a manual refresh.
+
+### Requirement 5: Preserve Single-Select Popover Flow
+
+**User Story:** As an engineer, I want to still be able to add a single finding to the queue quickly without going through the batch flow, so that simple one-off additions remain fast.
+
+#### Acceptance Criteria
+
+1. WHEN no findings are currently selected and a user clicks a finding row's checkbox, THE Findings_Table SHALL open the existing AddToQueuePopover for that single finding.
+2. WHEN one or more findings are already selected and a user clicks another finding row's checkbox, THE Findings_Table SHALL add that finding to the selection set instead of opening the AddToQueuePopover.
+3. THE AddToQueuePopover SHALL continue to use the existing single-item `POST /api/ivanti/todo-queue` endpoint for individual additions.
+
+### Requirement 6: Keyboard Accessibility for Multi-Select
+
+**User Story:** As an engineer, I want to use keyboard shortcuts to speed up multi-select so that I can triage even faster.
+
+#### Acceptance Criteria
+
+1. WHEN a user holds Shift and clicks a finding row's checkbox, THE Findings_Table SHALL select all visible findings between the last clicked checkbox and the current checkbox (range select).
+2. THE Selection_Toolbar SHALL be navigable via keyboard Tab order, with all interactive elements (workflow buttons, vendor input, submit button) reachable by Tab key.
+3. WHEN the Escape key is pressed while the Selection_Toolbar is visible, THE Findings_Table SHALL clear the selection and hide the Selection_Toolbar.

.kiro/specs/batch-finding-disposition/tasks.md

@@ -0,0 +1,116 @@
+# Implementation Plan: Batch Finding Disposition
+
+## Overview
+
+Add multi-select capability to the Vulnerability Triage findings table with a batch-add-to-queue API endpoint. The backend gets a new `POST /api/ivanti/todo-queue/batch` route in `ivantiTodoQueue.js`. The frontend gets selection state, checkbox dual-mode logic, a SelectionToolbar component, shift-click range select, select-all, and Escape-to-clear — all within `ReportingPage.js`.
+
+## Tasks
+
+- [x] 1. Add `POST /api/ivanti/todo-queue/batch` endpoint
+  - [x] 1.1 Add batch route handler to `backend/routes/ivantiTodoQueue.js`
+    - Add `POST /batch` route inside `createIvantiTodoQueueRouter`, before the `POST /` route
+    - Apply `requireAuth(db)` and `requireGroup('Admin', 'Standard_User')` middleware
+    - Validate request body: `findings` array (1–200 items), each with non-empty `finding_id` string
+    - Validate `workflow_type` is one of `FP`, `Archer`, `CARD`
+    - Validate `vendor`: required non-empty string ≤200 chars for FP/Archer; ignored for CARD
+    - If any validation fails, return 400 with descriptive error message and reject entire batch
+    - _Requirements: 3.1, 3.2, 3.3, 3.4, 3.5, 3.6, 3.8, 3.10_
+  - [x] 1.2 Implement transactional batch insert with SQLite
+    - Use `db.serialize()` with `BEGIN TRANSACTION` / `COMMIT` to insert all findings atomically
+    - For each finding: insert row into `ivanti_todo_queue` with `user_id`, `finding_id`, `finding_title`, `cves_json`, `ip_address`, `vendor`, `workflow_type`
+    - On success: fetch all inserted rows, parse `cves_json` back to arrays, return 201 with `{ items: [...] }`
+    - On any DB error: `ROLLBACK` the transaction and return 500
+    - _Requirements: 3.7, 3.8, 3.9, 3.11_
+  - [x] 1.3 Add audit logging for batch additions
+    - After successful commit, call `logAudit(db, { ... })` with action `'batch_add_to_queue'`, entityType `'ivanti_todo_queue'`, and details including the count and workflow_type
+    - Import `logAudit` from `../helpers/auditLog`
+    - _Requirements: 3.7_
+
+- [x] 2. Checkpoint — Verify backend endpoint
+  - Ensure the batch endpoint is syntactically correct and the route file has no errors. Ask the user if questions arise.
+
+- [x] 3. Add multi-select state and checkbox dual-mode logic to `ReportingPage.js`
+  - [x] 3.1 Add selection state variables to `VulnerabilityTriagePage`
+    - Add `selectedIds` (`new Set()`), `lastClickedId` (null), `batchSubmitting` (false), `batchError` (null), `batchWorkflowType` ('FP'), `batchVendor` ('') as new `useState` hooks
+    - _Requirements: 1.1, 2.1_
+  - [x] 3.2 Implement checkbox dual-mode click handler
+    - Replace the existing `<td>` onClick in the checkbox cell with new logic:
+      - If finding is already queued → no-op (existing behavior)
+      - If `selectedIds.size === 0` AND not shift-click → open `AddToQueuePopover` (preserves single-select flow)
+      - If shift-click AND `lastClickedId` exists → range-select all visible non-queued findings between `lastClickedId` and current finding in the `sorted` array
+      - Otherwise → toggle finding.id in `selectedIds`
+    - Always update `lastClickedId` when toggling selection
+    - _Requirements: 1.1, 1.2, 5.1, 5.2, 6.1_
+  - [x] 3.3 Add visual highlighting for selected rows
+    - When a finding's ID is in `selectedIds`, apply a highlighted background (e.g. `rgba(14,165,233,0.12)`) to the row
+    - Override the existing alternating row background and hover for selected rows
+    - _Requirements: 1.3_
+  - [x] 3.4 Disable checkbox for already-queued findings
+    - Keep existing behavior: queued findings show checked + disabled checkbox, preventing re-selection
+    - Ensure queued findings are excluded from shift-click range select and select-all
+    - _Requirements: 1.5_
+
+- [x] 4. Implement Select All / Deselect All in column header
+  - Modify the checkbox column `<th>` to render a clickable "Select All" checkbox when `selectedIds.size > 0` or when the user interacts with it
+  - Click behavior: if not all visible non-queued findings are selected → select all visible non-queued; if all are selected → deselect all
+  - _Requirements: 1.6, 1.7_
+
+- [x] 5. Add selection pruning on filter changes
+  - Add a `useEffect` that watches `filtered` (the filtered findings array) and prunes `selectedIds` to only include IDs still present in the filtered set
+  - This ensures selection stays consistent when `columnFilters`, `actionFilter`, or `excFilter` change
+  - _Requirements: 1.4_
+
+- [x] 6. Implement SelectionToolbar component
+  - [x] 6.1 Create the `SelectionToolbar` inline component in `ReportingPage.js`
+    - Render between the panel header controls and the `<table>` element, only when `selectedIds.size > 0`
+    - Use `position: sticky` with appropriate `top` value to stay visible during scroll
+    - Follow the dark theme design system: monospace fonts, dark gradient background, accent-colored borders
+    - _Requirements: 2.1, 2.8_
+  - [x] 6.2 Add toolbar controls: count badge, Clear Selection, workflow toggles, vendor input, submit button
+    - Display selected count badge (e.g. "12 selected")
+    - "Clear Selection" button that empties `selectedIds` and hides toolbar
+    - Workflow type toggle buttons (FP / Archer / CARD) using existing color scheme: FP = amber (`#F59E0B`), Archer = blue (`#0EA5E9`), CARD = green (`#10B981`)
+    - Vendor text input (hidden when CARD is selected, show "No vendor required" indicator for CARD)
+    - "Add to Queue" submit button — enabled only when workflow_type is CARD, or vendor is non-empty
+    - _Requirements: 2.2, 2.3, 2.4, 2.5, 2.6, 2.7_
+
+- [x] 7. Implement batch submission flow
+  - [x] 7.1 Add `submitBatch` async function to `VulnerabilityTriagePage`
+    - Build request payload from `selectedIds` (map each ID to its finding object from `sorted`/`filtered` for `finding_id`, `finding_title`, `cves`, `ip_address`), plus `batchWorkflowType` and `batchVendor`
+    - POST to `${API_BASE}/ivanti/todo-queue/batch` with `credentials: 'include'`
+    - Set `batchSubmitting = true` before request, `false` after
+    - _Requirements: 4.1, 4.2_
+  - [x] 7.2 Handle batch success response
+    - On 201: merge returned items into `queueItems` state (sorted by vendor then id, matching existing pattern)
+    - Clear `selectedIds`, reset `batchWorkflowType` to 'FP', reset `batchVendor` to '', clear `batchError`
+    - The newly queued findings will automatically show as checked+disabled via the existing `isQueued()` helper
+    - _Requirements: 4.3, 4.4, 4.6_
+  - [x] 7.3 Handle batch error response
+    - On 4xx/5xx: parse error message from response JSON, set `batchError` to display in toolbar
+    - On network failure: set `batchError` to "Network error — please try again"
+    - Keep selection intact on error so user can retry
+    - _Requirements: 4.5_
+
+- [x] 8. Add Escape key handler to clear selection
+  - Add a `useEffect` with a `keydown` listener for Escape that clears `selectedIds` when the SelectionToolbar is visible (i.e. `selectedIds.size > 0`)
+  - Ensure it doesn't conflict with the existing Escape handler on `AddToQueuePopover`
+  - _Requirements: 6.3_
+
+- [x] 9. Ensure keyboard Tab accessibility for SelectionToolbar
+  - Verify all interactive elements in the toolbar (workflow buttons, vendor input, submit button, clear button) are focusable via Tab key
+  - Use native `<button>` and `<input>` elements (which are inherently tabbable) rather than `<div>` with onClick
+  - _Requirements: 6.2_
+
+- [x] 10. Final checkpoint — Full integration verification
+  - Ensure all files have no syntax errors or diagnostic issues
+  - Verify the checkbox dual-mode logic: no selection → popover, existing selection → toggle
+  - Verify the SelectionToolbar renders/hides correctly based on selection state
+  - Verify batch submit wires through to the backend endpoint and updates queue state
+  - Ensure all tests pass, ask the user if questions arise.
+
+## Notes
+
+- No new database migration needed — batch insert reuses the existing `ivanti_todo_queue` schema
+- The batch endpoint must be registered before `POST /` in the router to avoid Express route conflicts
+- All testing is done on the dev server after push — no local test tasks included
+- Each task references specific acceptance criteria from the requirements document for traceability

.kiro/specs/finding-archive-tracking/design.md

@@ -0,0 +1,293 @@
+# Design Document: Finding Archive Tracking
+
+## Overview
+
+The Finding Archive Tracking system adds a detection layer to the existing Ivanti sync pipeline that identifies findings which disappear from sync results due to severity score drift. It tracks these findings through a four-state lifecycle (ACTIVE → ARCHIVED → RETURNED → CLOSED) with full transition history stored in two new SQLite tables. Three new API endpoints expose archive data, and an Archive Summary Bar UI component provides at-a-glance state counts on the Ivanti dashboard.
+
+The system integrates directly into the existing `syncFindings()` function in `ivantiFindings.js`, comparing current sync results against the previous set to detect disappearances and reappearances. This approach requires no additional API calls to Ivanti and leverages the already-cached findings data.
+
+## Architecture
+
+```mermaid
+flowchart TD
+    subgraph Ivanti Sync Pipeline
+        A[syncFindings] --> B[Fetch all pages from Ivanti API]
+        B --> C[Store findings in ivanti_findings_cache]
+        C --> D[Archive Detection]
+    end
+
+    subgraph Archive Detection
+        D --> E{Compare previous vs current finding IDs}
+        E -->|Missing from current| F[Create/Update Archive Record → ARCHIVED]
+        E -->|Returned in current| G[Update Archive Record → RETURNED]
+        E -->|Closed in Ivanti| H[Update Archive Record → CLOSED]
+        F --> I[Insert Transition History]
+        G --> I
+        H --> I
+    end
+
+    subgraph Archive API
+        J[GET /api/ivanti/archive] --> K[(ivanti_finding_archives)]
+        L[GET /api/ivanti/archive/:findingId/history] --> M[(ivanti_archive_transitions)]
+        N[GET /api/ivanti/archive/stats] --> K
+    end
+
+    subgraph Frontend
+        O[Archive Summary Bar] -->|fetch stats| N
+        O -->|click state| J
+        P[Transition History Panel] -->|fetch history| L
+    end
+```
+
+### Integration Points
+
+1. **Sync Pipeline Hook**: Archive detection runs after `syncFindings()` successfully stores new findings in the cache. It reads the previous findings from the cache before the update, then compares against the new set.
+2. **Route Registration**: The archive router is mounted at `/api/ivanti/archive` in `server.js`, following the same factory pattern as existing Ivanti routes.
+3. **Frontend Integration**: The Archive Summary Bar is rendered on the existing Ivanti findings page, above the findings table.
+
+## Components and Interfaces
+
+### 1. Archive Detection Module (`detectArchiveChanges`)
+
+Located within `backend/routes/ivantiFindings.js`, this async function runs after a successful sync.
+
+```javascript
+/**
+ * Compare previous and current finding sets to detect archive state changes.
+ * @param {sqlite3.Database} db - SQLite database instance
+ * @param {Array} previousFindings - Findings from before the sync update
+ * @param {Array} currentFindings - Findings from the latest sync
+ */
+async function detectArchiveChanges(db, previousFindings, currentFindings) {
+    // 1. Build ID sets from previous and current
+    // 2. Disappeared = in previous but not in current → ARCHIVED
+    // 3. Returned = in current AND has existing ARCHIVED record → RETURNED
+    // 4. For each state change, upsert archive record + insert transition
+}
+```
+
+### 2. Closed Finding Detection (`detectClosedFindings`)
+
+Runs during the closed count sync to detect findings that transitioned to CLOSED in Ivanti.
+
+```javascript
+/**
+ * Check archived findings against Ivanti closed findings to detect remediation.
+ * @param {sqlite3.Database} db - SQLite database instance
+ * @param {Array} closedFindingIds - IDs of findings confirmed closed in Ivanti
+ */
+async function detectClosedFindings(db, closedFindingIds) {
+    // For each archived/returned finding, if it appears in closed set → CLOSED
+}
+```
+
+### 3. Archive API Router (`createIvantiArchiveRouter`)
+
+Located at `backend/routes/ivantiArchive.js`, follows the existing factory pattern.
+
+```javascript
+/**
+ * @param {sqlite3.Database} db - SQLite database instance
+ * @param {Function} requireAuth - Auth middleware factory
+ * @returns {express.Router}
+ */
+function createIvantiArchiveRouter(db, requireAuth) {
+    const router = express.Router();
+    router.use(requireAuth(db));
+
+    // GET / - List archive records, optional ?state= filter
+    // GET /stats - Summary counts by state
+    // GET /:findingId/history - Transition history for a finding
+
+    return router;
+}
+```
+
+### 4. Archive Summary Bar Component (`ArchiveSummaryBar`)
+
+Located at `frontend/src/components/pages/ArchiveSummaryBar.js`.
+
+```javascript
+/**
+ * Displays four stat cards for ACTIVE, ARCHIVED, RETURNED, CLOSED counts.
+ * @param {Object} props
+ * @param {Function} props.onStateClick - Callback when a state card is clicked
+ * @param {string|null} props.activeFilter - Currently selected state filter
+ */
+function ArchiveSummaryBar({ onStateClick, activeFilter }) { ... }
+```
+
+### API Endpoint Specifications
+
+| Endpoint | Method | Auth | Query Params | Response |
+|----------|--------|------|-------------|----------|
+| `/api/ivanti/archive` | GET | Required | `state` (optional: ACTIVE, ARCHIVED, RETURNED, CLOSED) | `{ archives: [...], total: N }` |
+| `/api/ivanti/archive/stats` | GET | Required | None | `{ ARCHIVED: N, RETURNED: N, CLOSED: N, total: N }` |
+| `/api/ivanti/archive/:findingId/history` | GET | Required | None | `{ finding_id: "...", transitions: [...] }` |
+
+## Data Models
+
+### `ivanti_finding_archives` Table
+
+| Column | Type | Constraints | Description |
+|--------|------|-------------|-------------|
+| `id` | INTEGER | PRIMARY KEY AUTOINCREMENT | Row ID |
+| `finding_id` | TEXT | NOT NULL UNIQUE | Ivanti finding identifier |
+| `finding_title` | TEXT | NOT NULL DEFAULT '' | Finding title at time of archival |
+| `host_name` | TEXT | NOT NULL DEFAULT '' | Host name at time of archival |
+| `ip_address` | TEXT | NOT NULL DEFAULT '' | IP address at time of archival |
+| `current_state` | TEXT | NOT NULL CHECK(IN ('ARCHIVED','RETURNED','CLOSED')) | Current lifecycle state |
+| `last_severity` | REAL | NOT NULL DEFAULT 0 | Last known severity score |
+| `first_archived_at` | DATETIME | NOT NULL DEFAULT CURRENT_TIMESTAMP | When first archived |
+| `last_transition_at` | DATETIME | NOT NULL DEFAULT CURRENT_TIMESTAMP | When last state change occurred |
+| `created_at` | DATETIME | DEFAULT CURRENT_TIMESTAMP | Row creation time |
+
+**Indexes:**
+- `idx_archive_finding_id` on `finding_id`
+- `idx_archive_current_state` on `current_state`
+
+### `ivanti_archive_transitions` Table
+
+| Column | Type | Constraints | Description |
+|--------|------|-------------|-------------|
+| `id` | INTEGER | PRIMARY KEY AUTOINCREMENT | Row ID |
+| `archive_id` | INTEGER | NOT NULL, FK → ivanti_finding_archives(id) | Parent archive record |
+| `from_state` | TEXT | NOT NULL | Previous state (or 'NONE' for initial) |
+| `to_state` | TEXT | NOT NULL | New state |
+| `severity_at_transition` | REAL | NOT NULL DEFAULT 0 | Severity score at time of transition |
+| `reason` | TEXT | NOT NULL DEFAULT '' | Human-readable reason |
+| `transitioned_at` | DATETIME | NOT NULL DEFAULT CURRENT_TIMESTAMP | When transition occurred |
+
+**Indexes:**
+- `idx_transition_archive_id` on `archive_id`
+
+### State Transition Diagram
+
+Archive records are only created when a finding first disappears from sync results. Findings that remain present in sync results do not get archive records — they are simply "active" in the findings cache. The three database states are ARCHIVED, RETURNED, and CLOSED.
+
+```mermaid
+stateDiagram-v2
+    [*] --> ARCHIVED : Finding disappears from sync (score drift)
+    ARCHIVED --> RETURNED : Reappeared in sync
+    ARCHIVED --> CLOSED : Confirmed remediated in Ivanti
+    RETURNED --> ARCHIVED : Disappeared again
+    RETURNED --> CLOSED : Confirmed remediated in Ivanti
+```
+
+### Valid State Transitions
+
+| From State | To State | Reason |
+|-----------|----------|--------|
+| NONE → | ARCHIVED | `severity_score_drift` (first disappearance) |
+| ARCHIVED → | RETURNED | `reappeared_in_sync` |
+| ARCHIVED → | CLOSED | `remediated_in_ivanti` |
+| RETURNED → | ARCHIVED | `severity_score_drift` |
+| RETURNED → | CLOSED | `remediated_in_ivanti` |
+
+
+## Correctness Properties
+
+*A property is a characteristic or behavior that should hold true across all valid executions of a system — essentially, a formal statement about what the system should do. Properties serve as the bridge between human-readable specifications and machine-verifiable correctness guarantees.*
+
+### Property 1: Disappeared findings are archived with complete metadata
+
+*For any* set of previous findings and current findings, every finding present in the previous set but absent from the current set should have an Archive_Record with state ARCHIVED, and that record should contain the correct finding_id, finding_title, host_name, ip_address, and last_severity matching the original finding's data.
+
+**Validates: Requirements 1.1, 1.2, 2.2**
+
+### Property 2: Returned findings transition from ARCHIVED to RETURNED
+
+*For any* finding that has an Archive_Record with state ARCHIVED, if that finding reappears in the current sync results, the Archive_Record state should be updated to RETURNED and the last_severity should reflect the finding's current severity score.
+
+**Validates: Requirements 1.3**
+
+### Property 3: Re-disappeared findings transition from RETURNED to ARCHIVED
+
+*For any* finding that has an Archive_Record with state RETURNED, if that finding disappears from the current sync results, the Archive_Record state should be updated back to ARCHIVED.
+
+**Validates: Requirements 1.4**
+
+### Property 4: Every state transition produces a history record with all required fields
+
+*For any* state transition on an Archive_Record, a Transition_History row should be inserted containing a valid archive_id, the correct from_state and to_state, a severity_at_transition value, a non-empty reason string, and a transitioned_at timestamp.
+
+**Validates: Requirements 2.1**
+
+### Property 5: Closed findings transition to CLOSED state
+
+*For any* finding that has an Archive_Record with state ARCHIVED or RETURNED, if that finding appears in the Ivanti closed findings set, the Archive_Record state should be updated to CLOSED and the transition reason should be "remediated_in_ivanti".
+
+**Validates: Requirements 2.3**
+
+### Property 6: State filter returns only matching records
+
+*For any* set of Archive_Records with various states, querying the archive list endpoint with a state filter should return only records whose current_state matches the filter, and the count should equal the number of records in that state.
+
+**Validates: Requirements 4.1**
+
+### Property 7: Transition history is ordered by timestamp descending
+
+*For any* finding with multiple Transition_History entries, the history endpoint should return entries ordered by transitioned_at descending, such that each entry's timestamp is greater than or equal to the next entry's timestamp.
+
+**Validates: Requirements 4.2**
+
+### Property 8: Stats counts match actual record distribution
+
+*For any* set of Archive_Records, the stats endpoint should return counts where the sum of all state counts equals the total number of Archive_Records, and each individual state count matches the actual number of records in that state.
+
+**Validates: Requirements 4.3**
+
+### Property 9: Migration idempotency
+
+*For any* number of consecutive executions of the migration script, the resulting database schema should be identical and no errors should occur on subsequent runs.
+
+**Validates: Requirements 6.2**
+
+## Error Handling
+
+| Scenario | Handling |
+|----------|----------|
+| Sync fails (API error, timeout) | Archive detection is skipped entirely for that cycle. No archive records are created or modified. The sync error is logged as usual. |
+| Database error during archive upsert | Log the error, continue processing remaining findings. Do not abort the entire archive detection pass. |
+| Database error during transition insert | Log the error. The archive record state may have been updated but the transition history may be incomplete. This is acceptable as the current state is the source of truth. |
+| Invalid state transition attempted | The detection logic only performs valid transitions per the state diagram. Invalid transitions (e.g., CLOSED → ARCHIVED) are not possible by design since closed findings are excluded from the sync pipeline. |
+| Missing finding metadata | Use empty string defaults for finding_title, host_name, ip_address if the finding object lacks these fields. Severity defaults to 0. |
+| Archive API query with invalid state parameter | Return a 400 status code with message "Invalid state parameter. Valid values: ACTIVE, ARCHIVED, RETURNED, CLOSED". Explicit errors surface frontend bugs faster than silent fallbacks. |
+| History query for non-existent finding | Return 200 with empty transitions array (not 404), per requirement 4.5. |
+
+## Testing Strategy
+
+### Unit Tests
+
+Unit tests cover specific examples and edge cases:
+
+- Migration script creates both tables and all indexes (example, Req 3.1–3.4)
+- Archive detection skips when sync errors occur (example, Req 1.5)
+- Unauthenticated requests return 401 (example, Req 4.4)
+- History endpoint returns empty array for unknown finding (edge case, Req 4.5)
+- Archive Summary Bar renders four stat cards (example, Req 5.1)
+- Archive Summary Bar fetches stats on mount (example, Req 5.2)
+- Clicking a state card triggers filter callback (example, Req 5.3)
+
+### Property-Based Tests
+
+Property-based tests use a PBT library (e.g., `fast-check`) to verify universal properties across generated inputs. Each test runs a minimum of 100 iterations.
+
+| Property | Test Description | Tag |
+|----------|-----------------|-----|
+| Property 1 | Generate random previous/current finding sets, run detection, verify all disappeared findings have correct ARCHIVED records | **Feature: finding-archive-tracking, Property 1: Disappeared findings are archived with complete metadata** |
+| Property 2 | Generate archived findings, add some back to current set, verify RETURNED state | **Feature: finding-archive-tracking, Property 2: Returned findings transition from ARCHIVED to RETURNED** |
+| Property 3 | Generate returned findings, remove some from current set, verify ARCHIVED state | **Feature: finding-archive-tracking, Property 3: Re-disappeared findings transition from RETURNED to ARCHIVED** |
+| Property 4 | Generate random state transitions, verify each produces a complete history row | **Feature: finding-archive-tracking, Property 4: Every state transition produces a history record** |
+| Property 5 | Generate archived/returned findings, mark some as closed, verify CLOSED state and reason | **Feature: finding-archive-tracking, Property 5: Closed findings transition to CLOSED state** |
+| Property 6 | Generate archive records with random states, query with filter, verify only matching records returned | **Feature: finding-archive-tracking, Property 6: State filter returns only matching records** |
+| Property 7 | Generate multiple transitions for a finding, query history, verify descending order | **Feature: finding-archive-tracking, Property 7: Transition history is ordered by timestamp descending** |
+| Property 8 | Generate archive records with random states, query stats, verify counts match | **Feature: finding-archive-tracking, Property 8: Stats counts match actual record distribution** |
+| Property 9 | Run migration N times, verify no errors and schema is consistent | **Feature: finding-archive-tracking, Property 9: Migration idempotency** |
+
+### Testing Tools
+
+- **Test runner**: Jest (via react-scripts for frontend, direct for backend)
+- **Property-based testing**: `fast-check` library
+- **Database**: In-memory SQLite (`:memory:`) for isolated test runs
+- **HTTP testing**: `supertest` for API endpoint tests

.kiro/specs/finding-archive-tracking/requirements.md

@@ -0,0 +1,86 @@
+# Requirements Document
+
+## Introduction
+
+The Finding Archive Tracking system extends the Ivanti sync pipeline in the STEAM Security Dashboard to detect and track findings that disappear from sync results due to severity score drift (not remediation). Findings follow a four-state lifecycle (ACTIVE → ARCHIVED → RETURNED → CLOSED) with full transition history, enabling the security team to maintain visibility into findings that fall below the severity threshold and may reappear.
+
+## Glossary
+
+- **Sync_Pipeline**: The existing Ivanti/RiskSense host finding sync process that fetches open findings matching BU and severity filters on a daily schedule.
+- **Finding**: A single host-level vulnerability record identified by a unique `finding_id` from Ivanti/RiskSense.
+- **Archive_Record**: A database row in the `ivanti_finding_archives` table tracking a finding's current lifecycle state and metadata.
+- **Transition_History**: A database row in the `ivanti_archive_transitions` table recording a single state change event with timestamps, severity scores, and reason.
+- **Archive_Detector**: The logic within the sync pipeline that compares previous sync results against current results to identify disappeared and returned findings.
+- **Archive_Summary_Bar**: A React UI component displaying counts for each lifecycle state (ACTIVE, ARCHIVED, RETURNED, CLOSED) with click-through navigation.
+- **Archive_API**: The set of three Express route endpoints serving archived finding data, transition history, and summary statistics.
+- **Lifecycle_State**: One of three database states an archive record can occupy: ARCHIVED (disappeared from sync results due to score drift), RETURNED (reappeared after being archived), CLOSED (remediated in Ivanti). Findings that remain present in sync results have no archive record.
+
+## Requirements
+
+### Requirement 1: Archive Detection During Sync
+
+**User Story:** As a security analyst, I want the system to automatically detect findings that disappear from sync results, so that I can track findings lost due to severity score drift rather than actual remediation.
+
+#### Acceptance Criteria
+
+1. WHEN the Sync_Pipeline completes a sync, THE Archive_Detector SHALL compare the current sync result finding IDs against the previous sync result finding IDs to identify findings that are no longer present.
+2. WHEN a finding is present in the previous sync but absent from the current sync, THE Archive_Detector SHALL create an Archive_Record with state ARCHIVED, recording the finding metadata, last known severity score, and a timestamp.
+3. WHEN a finding already has an Archive_Record with state ARCHIVED and the finding reappears in the current sync results, THE Archive_Detector SHALL update the Archive_Record state to RETURNED and record the new severity score.
+4. WHEN a finding has an Archive_Record with state RETURNED and the finding disappears again from sync results, THE Archive_Detector SHALL update the Archive_Record state to ARCHIVED and record the severity score at time of disappearance.
+5. IF the Sync_Pipeline encounters a sync error, THEN THE Archive_Detector SHALL skip archive detection for that sync cycle to avoid false positives from incomplete data.
+
+### Requirement 2: Lifecycle State Transitions
+
+**User Story:** As a security analyst, I want every state change to be recorded with context, so that I can audit the full history of a finding's lifecycle.
+
+#### Acceptance Criteria
+
+1. WHEN an Archive_Record changes state, THE Sync_Pipeline SHALL insert a Transition_History row containing the previous state, new state, timestamp, severity score at time of transition, and a reason string.
+2. THE Archive_Record SHALL store the finding_id, finding_title, host_name, ip_address, current state, last known severity score, initial archive timestamp, and last transition timestamp.
+3. WHEN a finding is confirmed as remediated (closed) in Ivanti, THE Sync_Pipeline SHALL update the Archive_Record state to CLOSED and record a Transition_History entry with reason "remediated_in_ivanti".
+4. THE Transition_History SHALL store the archive_record_id, from_state, to_state, transition timestamp, severity_at_transition, and reason.
+
+### Requirement 3: Database Schema
+
+**User Story:** As a developer, I want the archive data stored in two normalized SQLite tables, so that the data model supports efficient queries and maintains referential integrity.
+
+#### Acceptance Criteria
+
+1. THE Sync_Pipeline SHALL create an `ivanti_finding_archives` table with columns for id, finding_id (unique), finding_title, host_name, ip_address, current_state, last_severity, first_archived_at, last_transition_at, and created_at.
+2. THE Sync_Pipeline SHALL create an `ivanti_archive_transitions` table with columns for id, archive_id (foreign key to ivanti_finding_archives), from_state, to_state, severity_at_transition, reason, and transitioned_at.
+3. THE Sync_Pipeline SHALL create indexes on ivanti_finding_archives(finding_id) and ivanti_finding_archives(current_state) for query performance.
+4. THE Sync_Pipeline SHALL create an index on ivanti_archive_transitions(archive_id) for efficient history lookups.
+
+### Requirement 4: Archive API Endpoints
+
+**User Story:** As a frontend developer, I want REST API endpoints to query archived findings, transition history, and summary statistics, so that I can build the archive tracking UI.
+
+#### Acceptance Criteria
+
+1. WHEN a GET request is made to `/api/ivanti/archive`, THE Archive_API SHALL return a list of all Archive_Records with optional filtering by current_state query parameter.
+2. WHEN a GET request is made to `/api/ivanti/archive/:findingId/history`, THE Archive_API SHALL return the Transition_History entries for the specified finding ordered by transitioned_at descending.
+3. WHEN a GET request is made to `/api/ivanti/archive/stats`, THE Archive_API SHALL return an object containing the count of Archive_Records in each Lifecycle_State (ACTIVE, ARCHIVED, RETURNED, CLOSED).
+4. WHEN an unauthenticated request is made to any Archive_API endpoint, THE Archive_API SHALL return a 401 status code.
+5. WHEN a GET request is made to `/api/ivanti/archive/:findingId/history` with a finding_id that has no Archive_Record, THE Archive_API SHALL return an empty transitions array with a 200 status code.
+
+### Requirement 5: Archive Summary Bar UI
+
+**User Story:** As a security analyst, I want a visual summary bar on the Ivanti dashboard showing counts for each archive state, so that I can quickly assess the archive landscape and navigate to details.
+
+#### Acceptance Criteria
+
+1. THE Archive_Summary_Bar SHALL display four stat cards showing the count of findings in each Lifecycle_State: ACTIVE, ARCHIVED, RETURNED, and CLOSED.
+2. WHEN the Archive_Summary_Bar loads, THE Archive_Summary_Bar SHALL fetch data from the `/api/ivanti/archive/stats` endpoint.
+3. WHEN a user clicks a state card in the Archive_Summary_Bar, THE Archive_Summary_Bar SHALL filter the displayed archive list to show only findings in that state.
+4. THE Archive_Summary_Bar SHALL use the existing design system colors: sky blue (#0EA5E9) for ACTIVE, amber (#F59E0B) for ARCHIVED, emerald (#10B981) for RETURNED, and red (#EF4444) for CLOSED.
+5. THE Archive_Summary_Bar SHALL use Lucide icons and monospace typography consistent with the existing dashboard design system.
+
+### Requirement 6: Migration Script
+
+**User Story:** As a developer, I want a standalone migration script to create the archive tables, so that the schema can be applied to existing deployments following the established migration pattern.
+
+#### Acceptance Criteria
+
+1. THE migration script SHALL be located at `backend/migrations/add_finding_archive_tables.js` and follow the existing migration pattern of opening the database, running DDL statements in `db.serialize()`, and closing the connection.
+2. THE migration script SHALL use `CREATE TABLE IF NOT EXISTS` and `CREATE INDEX IF NOT EXISTS` to be idempotent.
+3. WHEN the migration script is executed, THE migration script SHALL log progress messages for each table and index created.

.kiro/specs/finding-archive-tracking/tasks.md

@@ -0,0 +1,134 @@
+# Implementation Plan: Finding Archive Tracking
+
+## Overview
+
+Implement the Finding Archive Tracking system by creating the database migration, archive detection logic within the existing sync pipeline, three API endpoints via a new route module, and an Archive Summary Bar UI component. Each task builds incrementally — schema first, then detection logic, then API, then frontend.
+
+## Tasks
+
+- [x] 1. Create database migration and archive tables
+  - [x] 1.1 Create `backend/migrations/add_finding_archive_tables.js` migration script
+    - Create `ivanti_finding_archives` table with columns: id, finding_id (UNIQUE), finding_title, host_name, ip_address, current_state (CHECK constraint for ACTIVE/ARCHIVED/RETURNED/CLOSED), last_severity, first_archived_at, last_transition_at, created_at
+    - Create `ivanti_archive_transitions` table with columns: id, archive_id (FK), from_state, to_state, severity_at_transition, reason, transitioned_at
+    - Create indexes: idx_archive_finding_id, idx_archive_current_state, idx_transition_archive_id
+    - Use `CREATE TABLE IF NOT EXISTS` and `CREATE INDEX IF NOT EXISTS` for idempotency
+    - Follow existing migration pattern: open db, `db.serialize()`, log progress, close db
+    - _Requirements: 3.1, 3.2, 3.3, 3.4, 6.1, 6.2, 6.3_
+
+  - [ ]* 1.2 Write property test for migration idempotency
+    - **Property 9: Migration idempotency**
+    - Run migration logic multiple times against in-memory SQLite, verify no errors and schema is consistent
+    - **Validates: Requirements 6.2**
+
+- [x] 2. Implement archive detection logic in sync pipeline
+  - [x] 2.1 Add `initArchiveTables(db)` function to `backend/routes/ivantiFindings.js`
+    - Create both archive tables inline (same pattern as existing `initTables`) so they exist on startup
+    - Call from `createIvantiFindingsRouter` during init alongside existing `initTables`
+    - _Requirements: 3.1, 3.2, 3.3, 3.4_
+
+  - [x] 2.2 Implement `detectArchiveChanges(db, previousFindings, currentFindings)` function
+    - Build ID sets from previous and current findings
+    - For disappeared findings (in previous, not in current): upsert archive record with state ARCHIVED, insert transition history
+    - For returned findings (in current, has ARCHIVED record): update to RETURNED, insert transition history
+    - For re-disappeared findings (has RETURNED record, not in current): update to ARCHIVED, insert transition history
+    - Use `db.run` with callbacks wrapped in promises (matching existing `dbRun` helper pattern)
+    - _Requirements: 1.1, 1.2, 1.3, 1.4, 2.1, 2.2_
+
+  - [x] 2.3 Implement `detectClosedFindings(db, closedFindingIds)` function
+    - Query archive records with state ARCHIVED or RETURNED
+    - For any that appear in the closed findings set, update to CLOSED with reason "remediated_in_ivanti"
+    - Insert transition history for each state change
+    - _Requirements: 2.3_
+
+  - [x] 2.4 Integrate archive detection into `syncFindings()` flow
+    - Before updating the cache, read the current findings from `ivanti_findings_cache` as `previousFindings`
+    - After successful cache update, call `detectArchiveChanges(db, previousFindings, currentFindings)`
+    - Skip archive detection if sync encountered an error (requirement 1.5)
+    - Call `detectClosedFindings` during `syncClosedCount` with closed finding IDs
+    - _Requirements: 1.1, 1.5, 2.3_
+
+  - [ ]* 2.5 Write property test for archive detection — disappeared findings
+    - **Property 1: Disappeared findings are archived with complete metadata**
+    - Generate random previous/current finding sets using fast-check, run detectArchiveChanges against in-memory SQLite, verify all disappeared findings have ARCHIVED records with correct metadata
+    - **Validates: Requirements 1.1, 1.2, 2.2**
+
+  - [ ]* 2.6 Write property test for archive detection — returned findings
+    - **Property 2: Returned findings transition from ARCHIVED to RETURNED**
+    - Generate archived findings, add some back to current set, verify RETURNED state and updated severity
+    - **Validates: Requirements 1.3**
+
+  - [ ]* 2.7 Write property test for archive detection — re-disappeared findings
+    - **Property 3: Re-disappeared findings transition from RETURNED to ARCHIVED**
+    - Generate returned findings, remove some from current set, verify ARCHIVED state
+    - **Validates: Requirements 1.4**
+
+  - [ ]* 2.8 Write property test for transition history completeness
+    - **Property 4: Every state transition produces a history record with all required fields**
+    - Generate random state transitions, verify each produces a complete history row with archive_id, from_state, to_state, severity_at_transition, reason, transitioned_at
+    - **Validates: Requirements 2.1**
+
+  - [ ]* 2.9 Write property test for closed finding detection
+    - **Property 5: Closed findings transition to CLOSED state**
+    - Generate archived/returned findings, mark some as closed, verify CLOSED state and reason "remediated_in_ivanti"
+    - **Validates: Requirements 2.3**
+
+- [x] 3. Checkpoint — Verify archive detection logic
+  - Ensure all tests pass, ask the user if questions arise.
+
+- [x] 4. Implement Archive API endpoints
+  - [x] 4.1 Create `backend/routes/ivantiArchive.js` route module
+    - Export factory function `createIvantiArchiveRouter(db, requireAuth)` returning Express Router
+    - Apply `requireAuth(db)` middleware to all routes
+    - Implement GET `/` — list archive records with optional `?state=` filter, return `{ archives: [...], total: N }`. Return 400 with message "Invalid state parameter. Valid values: ACTIVE, ARCHIVED, RETURNED, CLOSED" if an unrecognized state value is provided.
+    - Implement GET `/stats` — return `{ ACTIVE: N, ARCHIVED: N, RETURNED: N, CLOSED: N, total: N }`
+    - Implement GET `/:findingId/history` — return `{ finding_id, transitions: [...] }` ordered by transitioned_at DESC, return empty array for unknown finding_id
+    - _Requirements: 4.1, 4.2, 4.3, 4.4, 4.5_
+
+  - [x] 4.2 Register archive router in `backend/server.js`
+    - Import `createIvantiArchiveRouter` from `./routes/ivantiArchive`
+    - Mount at `/api/ivanti/archive` with `requireAuth` middleware
+    - _Requirements: 4.1_
+
+  - [ ]* 4.3 Write property test for state filtering
+    - **Property 6: State filter returns only matching records**
+    - Generate archive records with random states, query with filter, verify only matching records returned
+    - **Validates: Requirements 4.1**
+
+  - [ ]* 4.4 Write property test for history ordering
+    - **Property 7: Transition history is ordered by timestamp descending**
+    - Generate multiple transitions for a finding, query history, verify descending timestamp order
+    - **Validates: Requirements 4.2**
+
+  - [ ]* 4.5 Write property test for stats accuracy
+    - **Property 8: Stats counts match actual record distribution**
+    - Generate archive records with random states, query stats, verify counts match actual distribution
+    - **Validates: Requirements 4.3**
+
+- [x] 5. Checkpoint — Verify API endpoints
+  - Ensure all tests pass, ask the user if questions arise.
+
+- [x] 6. Implement Archive Summary Bar UI component
+  - [x] 6.1 Create `frontend/src/components/pages/ArchiveSummaryBar.js`
+    - Fetch stats from `/api/ivanti/archive/stats` on mount
+    - Render four stat cards: ACTIVE (sky blue #0EA5E9), ARCHIVED (amber #F59E0B), RETURNED (emerald #10B981), CLOSED (red #EF4444)
+    - Each card shows the count and state label with Lucide icons and monospace typography
+    - Accept `onStateClick` callback prop and `activeFilter` prop for highlighting the selected state
+    - Use inline style objects matching the existing design system (dark gradients, glows, hover effects)
+    - _Requirements: 5.1, 5.2, 5.3, 5.4, 5.5_
+
+  - [x] 6.2 Integrate Archive Summary Bar into the Ivanti findings page
+    - Import and render `ArchiveSummaryBar` in the Ivanti findings section of `App.js` (or the relevant page component)
+    - Wire `onStateClick` to manage a state filter for the archive list display
+    - _Requirements: 5.3_
+
+- [x] 7. Final checkpoint — Verify full integration
+  - Ensure all tests pass, ask the user if questions arise.
+
+## Notes
+
+- Tasks marked with `*` are optional and can be skipped for faster MVP
+- Each task references specific requirements for traceability
+- Checkpoints ensure incremental validation
+- Property tests use `fast-check` library with minimum 100 iterations per test
+- All backend code uses callback-based SQLite API wrapped in promises (matching existing patterns)
+- All frontend code uses plain JavaScript (no TypeScript)

.kiro/specs/group-based-access-control/requirements.md

@@ -0,0 +1,143 @@
+# Requirements Document
+
+## Introduction
+
+Replace the existing simple role-based access control system (admin/editor/viewer) with a group-based access control model. The system supports exactly four user groups (Admin, Standard User, Leadership, Read Only) with distinct permission boundaries. This change affects the database schema, backend middleware, API endpoint authorization, frontend conditional rendering, and the admin panel user management interface.
+
+## Glossary
+
+- **Dashboard**: The STEAM Security Dashboard application comprising a React frontend and Express backend
+- **Group**: One of four access control categories (Admin, Standard_User, Leadership, Read_Only) that determines a user's permissions
+- **Admin_Group**: The group with full CRUD access to all resources, user management, and admin panel access
+- **Standard_User_Group**: The working group with view-all, create, edit, and conditional delete permissions plus basic export
+- **Leadership_Group**: The read-only group with additional export capabilities for reports, compliance documents, and visualizations
+- **Read_Only_Group**: The view-only group with no create, edit, delete, or export capabilities
+- **Permission_Middleware**: Backend Express middleware that validates a user's group membership before allowing an API action
+- **Cascade_Impact**: The set of associated Archer tickets, JIRA tickets, and documents that would be deleted when a CVE is deleted
+- **Compliance_Link**: An association between a ticket (Archer or JIRA) and a compliance report that blocks Standard_User deletion
+- **Group_Migration**: The database migration that replaces the role field with a group field and maps existing users
+
+## Requirements
+
+### Requirement 1: Group Data Model
+
+**User Story:** As a system administrator, I want the user model to reference one of four defined groups instead of the legacy role field, so that permissions are enforced through a well-defined group structure.
+
+#### Acceptance Criteria
+
+1. THE Dashboard SHALL store exactly four groups: Admin, Standard_User, Leadership, and Read_Only
+2. THE Dashboard SHALL assign each user to exactly one group via a group field on the user record
+3. WHEN a user record is created, THE Dashboard SHALL default the group to Read_Only
+4. THE Dashboard SHALL enforce a foreign key or CHECK constraint so that the group field only accepts valid group values
+
+### Requirement 2: Group Migration
+
+**User Story:** As a system administrator, I want existing users to be automatically mapped from the old role system to the new group system, so that no manual re-assignment is needed after the upgrade.
+
+#### Acceptance Criteria
+
+1. WHEN the migration runs, THE Group_Migration SHALL map users with role "admin" to Admin_Group
+2. WHEN the migration runs, THE Group_Migration SHALL map users with role "editor" to Standard_User_Group
+3. WHEN the migration runs, THE Group_Migration SHALL map users with role "viewer" to Read_Only_Group
+4. WHEN the migration runs, THE Group_Migration SHALL remove the CHECK constraint on the old role column and replace it with the new group field
+5. IF a user record has no role value or an unrecognized role value, THEN THE Group_Migration SHALL assign that user to Read_Only_Group
+
+### Requirement 3: Backend Permission Enforcement
+
+**User Story:** As a security-conscious developer, I want every API endpoint to check the requesting user's group before allowing the action, so that permissions are enforced server-side and cannot be bypassed through direct API calls.
+
+#### Acceptance Criteria
+
+1. THE Permission_Middleware SHALL replace the existing requireRole middleware with a requireGroup middleware that accepts one or more group names
+2. WHEN an unauthenticated request reaches a protected endpoint, THE Permission_Middleware SHALL return HTTP 401
+3. WHEN an authenticated user's group is not in the allowed groups for an endpoint, THE Permission_Middleware SHALL return HTTP 403
+4. THE Permission_Middleware SHALL attach the user's group to the request object for downstream route handlers to use
+5. WHEN a Standard_User_Group user attempts to delete a resource they did not create, THE Dashboard SHALL return HTTP 403
+6. WHEN a Standard_User_Group user attempts to delete a finding that is marked as resolved or closed, THE Dashboard SHALL return HTTP 403
+7. WHEN a Standard_User_Group user attempts to delete a ticket that is linked to a compliance report, THE Dashboard SHALL return HTTP 403
+8. WHEN a Standard_User_Group user attempts to delete a CVE they created, THE Dashboard SHALL check for Cascade_Impact and return the list of associated Archer tickets, JIRA tickets, and documents
+9. IF any ticket in the Cascade_Impact is linked to a compliance report, THEN THE Dashboard SHALL block the CVE deletion and return HTTP 403 with a message indicating Admin-only deletion is required
+10. WHEN an Admin_Group user performs any CRUD operation, THE Dashboard SHALL allow the operation without ownership or state restrictions
+
+### Requirement 4: Admin Group Permissions
+
+**User Story:** As an admin, I want full unrestricted access to all resources and management functions, so that I can manage the entire system without limitations.
+
+#### Acceptance Criteria
+
+1. THE Dashboard SHALL allow Admin_Group users to create, read, update, and delete all resources (CVEs, findings, tickets, comments, compliance reports)
+2. THE Dashboard SHALL allow Admin_Group users to access the admin panel
+3. THE Dashboard SHALL allow Admin_Group users to manage users and assign users to groups
+4. THE Dashboard SHALL allow Admin_Group users to export all data
+5. THE Dashboard SHALL allow Admin_Group users to delete any resource regardless of ownership, state, or compliance linkage
+
+### Requirement 5: Standard User Group Permissions
+
+**User Story:** As a standard user, I want to view all data and create/edit resources while having controlled delete access, so that I can do my daily work without accidentally removing critical linked data.
+
+#### Acceptance Criteria
+
+1. THE Dashboard SHALL allow Standard_User_Group users to view all data across the dashboard
+2. THE Dashboard SHALL allow Standard_User_Group users to create and edit CVEs, findings, tickets, and comments
+3. THE Dashboard SHALL allow Standard_User_Group users to delete their own findings, tickets, and comments subject to state and linkage restrictions
+4. WHEN a Standard_User_Group user attempts to delete a finding that is resolved or closed, THE Dashboard SHALL reject the deletion
+5. WHEN a Standard_User_Group user attempts to delete a ticket linked to a compliance report, THE Dashboard SHALL reject the deletion
+6. WHEN a Standard_User_Group user attempts to delete a CVE they created, THE Dashboard SHALL display a warning listing associated Archer tickets, JIRA tickets, and documents that will be cascade-deleted
+7. IF any associated ticket in the cascade is linked to a compliance report, THEN THE Dashboard SHALL block the CVE deletion entirely
+8. THE Dashboard SHALL allow Standard_User_Group users to perform basic exports (CSV and XLSX of CVEs and findings)
+
+### Requirement 6: Leadership Group Permissions
+
+**User Story:** As a leadership user, I want read-only access with export capabilities, so that I can review data and generate reports without risk of modifying records.
+
+#### Acceptance Criteria
+
+1. THE Dashboard SHALL allow Leadership_Group users to view all data across the dashboard
+2. THE Dashboard SHALL allow Leadership_Group users to export reports, compliance documents, and graph visualizations
+3. THE Dashboard SHALL prevent Leadership_Group users from creating, editing, or deleting any records
+4. THE Dashboard SHALL prevent Leadership_Group users from accessing the admin panel
+
+### Requirement 7: Read Only Group Permissions
+
+**User Story:** As a read-only user, I want view-only access to the dashboard, so that I can see data without any ability to modify or export it.
+
+#### Acceptance Criteria
+
+1. THE Dashboard SHALL allow Read_Only_Group users to view all data across the dashboard
+2. THE Dashboard SHALL prevent Read_Only_Group users from creating, editing, or deleting any records
+3. THE Dashboard SHALL prevent Read_Only_Group users from exporting any data
+4. THE Dashboard SHALL prevent Read_Only_Group users from accessing the admin panel
+
+### Requirement 8: Admin Panel Group Management
+
+**User Story:** As an admin, I want to view all users with their current group and reassign groups through the admin panel, so that I can manage access control centrally.
+
+#### Acceptance Criteria
+
+1. WHEN an Admin_Group user opens the user management section, THE Dashboard SHALL display all users with their current group assignment
+2. WHEN an Admin_Group user changes a user's group, THE Dashboard SHALL update the group assignment and persist it to the database
+3. WHEN an Admin_Group user changes a user's group, THE Dashboard SHALL display a confirmation dialog before applying the change
+4. WHEN an Admin_Group user downgrades another Admin_Group user, THE Dashboard SHALL display an additional warning in the confirmation dialog
+5. THE Dashboard SHALL prevent an Admin_Group user from changing their own group to a non-Admin group
+
+### Requirement 9: Audit Logging for Group Changes
+
+**User Story:** As a system administrator, I want all group assignment changes to be logged with full context, so that I can audit who changed access for whom and when.
+
+#### Acceptance Criteria
+
+1. WHEN a user's group is changed, THE Dashboard SHALL log the change with the acting user's ID, the target user's ID, the previous group, the new group, and a timestamp
+2. THE Dashboard SHALL preserve existing audit trail behavior for all CRUD operations performed under the new group system
+3. WHEN a group change is logged, THE Dashboard SHALL record the IP address of the acting user
+
+### Requirement 10: Frontend Conditional Rendering
+
+**User Story:** As a user, I want the UI to show only the actions available to my group, so that I have a clear and uncluttered interface matching my permissions.
+
+#### Acceptance Criteria
+
+1. THE Dashboard SHALL conditionally render create, edit, and delete buttons based on the current user's group
+2. THE Dashboard SHALL conditionally render export options based on the current user's group
+3. THE Dashboard SHALL conditionally render the admin panel link based on the current user's group
+4. WHEN a Standard_User_Group user views a resource they did not create, THE Dashboard SHALL hide the delete button for that resource
+5. THE Dashboard SHALL replace the existing role-based helper functions (hasRole, canWrite, isAdmin) with group-based equivalents (isInGroup, canWrite, canDelete, canExport, isAdmin)

.kiro/specs/group-based-access-control/tasks.md

@@ -0,0 +1,279 @@
+# Implementation Plan: Group-Based Access Control
+
+## Overview
+
+Replace the existing role-based access control (admin/editor/viewer) with a four-group model (Admin, Standard_User, Leadership, Read_Only). This touches the database schema, backend middleware, all route authorization, frontend permission helpers, and the admin panel UI. Tasks build incrementally: migration first, then middleware, then routes, then frontend.
+
+## Tasks
+
+- [ ] 1. Create database migration for user groups
+  - [x] 1.1 Create `backend/migrations/add_user_groups.js` migration script
+    - Add `user_group` column (VARCHAR(20), NOT NULL, DEFAULT 'Read_Only') to users table
+    - Map existing role values: admin to Admin, editor to Standard_User, viewer to Read_Only
+    - Map NULL or unrecognized role values to Read_Only
+    - Add CHECK constraint: user_group IN ('Admin', 'Standard_User', 'Leadership', 'Read_Only')
+    - Add index `idx_users_user_group` on user_group column
+    - Use idempotent checks so migration is safe to run multiple times
+    - Follow existing migration pattern: open db, db.serialize(), log progress, close db
+    - _Requirements: 1.1, 1.2, 1.3, 1.4, 2.1, 2.2, 2.3, 2.4, 2.5_
+
+  - [ ]* 1.2 Write property test for migration role mapping
+    - **Property 8: Migration maps all role values correctly**
+    - Generate users with random roles from {admin, editor, viewer, NULL, arbitrary}, run migration against in-memory SQLite, verify mapping
+    - **Validates: Requirements 2.1, 2.2, 2.3, 2.5**
+
+  - [ ]* 1.3 Write property test for migration idempotency
+    - **Property 9: Migration is idempotent**
+    - Run migration N times (N in 1-5) against in-memory SQLite, verify schema and data identical each time
+    - **Validates: Requirements 2.4**
+
+  - [ ] 1.4 Write unit tests for migration
+    - Test column creation with correct CHECK constraint
+    - Test role mapping: admin to Admin, editor to Standard_User, viewer to Read_Only
+    - Test NULL and unrecognized role handling defaults to Read_Only
+    - Test new user defaults to Read_Only group
+    - _Requirements: 1.3, 1.4, 2.1, 2.2, 2.3, 2.5_
+
+- [ ] 2. Update auth middleware to use groups
+  - [x] 2.1 Update `requireAuth` in `backend/middleware/auth.js`
+    - Modify session join query to SELECT user_group and attach as req.user.group
+    - _Requirements: 3.4_
+
+  - [x] 2.2 Add `requireGroup` middleware function
+    - Accept spread of allowed group names
+    - Return 401 if req.user is missing
+    - Return 403 with error details if user group not in allowed set
+    - Call next() if group is allowed
+    - _Requirements: 3.1, 3.2, 3.3_
+
+  - [x] 2.3 Remove `requireRole` and export `requireGroup`
+    - Remove requireRole function and its export
+    - Export requireGroup in its place
+    - _Requirements: 3.1_
+
+  - [ ]* 2.4 Write property test for group constraint
+    - **Property 1: Group constraint rejects invalid values**
+    - Generate random strings not in valid group set, attempt DB insert, verify constraint error
+    - **Validates: Requirements 1.1, 1.4**
+
+  - [ ]* 2.5 Write property test for requireGroup
+    - **Property 3: requireGroup rejects unauthorized groups**
+    - Generate random group and allowedGroups pairs where group is not in allowed set, verify 403
+    - **Validates: Requirements 3.3**
+
+  - [ ] 2.6 Write unit tests for requireGroup middleware
+    - Test 401 for unauthenticated requests
+    - Test 403 for wrong group
+    - Test group attached to req.user
+    - Test next() called for allowed group
+    - _Requirements: 3.2, 3.3, 3.4_
+
+- [x] 3. Checkpoint: Verify migration and middleware
+  - Ensure all tests pass, ask the user if questions arise.
+
+- [ ] 4. Update auth routes to return group
+  - [x] 4.1 Update login endpoint in `backend/routes/auth.js`
+    - Return group (from user_group) instead of role in user response object
+    - Update audit log details to log group instead of role
+    - _Requirements: 3.4, 9.2_
+
+  - [x] 4.2 Update me endpoint in `backend/routes/auth.js`
+    - Return group instead of role in user response object
+    - _Requirements: 3.4_
+
+- [ ] 5. Update user management routes
+  - [x] 5.1 Switch `backend/routes/users.js` to use requireGroup
+    - Replace requireRole('admin') with requireGroup('Admin')
+    - _Requirements: 4.2, 4.3_
+
+  - [x] 5.2 Update GET endpoints to return user_group
+    - Return user_group instead of role in user records
+    - _Requirements: 8.1_
+
+  - [x] 5.3 Update POST create user to accept group param
+    - Validate group against valid values
+    - Default to Read_Only if not provided
+    - Return 400 for invalid group values
+    - _Requirements: 1.3, 8.2_
+
+  - [x] 5.4 Update PATCH update user to accept group param
+    - Validate group against valid values
+    - Prevent admin self-demotion (return 400)
+    - _Requirements: 8.2, 8.5_
+
+  - [x] 5.5 Add audit logging for group changes
+    - Log acting user ID, target user ID, previous group, new group, IP address, timestamp
+    - _Requirements: 9.1, 9.3_
+
+  - [ ]* 5.6 Write property test for user group validity
+    - **Property 2: Every user has exactly one valid group**
+    - Generate random user sets, query all users, verify each has exactly one valid group
+    - **Validates: Requirements 1.2**
+
+  - [ ] 5.7 Write unit tests for user management group logic
+    - Test group validation rejects invalid values
+    - Test self-demotion prevention
+    - Test audit logging includes all required fields
+    - _Requirements: 8.2, 8.5, 9.1, 9.3_
+
+- [ ] 6. Update backend route authorization across all routes
+  - [x] 6.1 Update `backend/routes/auditLog.js`
+    - Replace requireRole('admin') with requireGroup('Admin')
+    - _Requirements: 4.2_
+
+  - [x] 6.2 Update `backend/routes/archerTickets.js`
+    - Use requireGroup('Admin', 'Standard_User') for create, update, delete
+    - _Requirements: 5.2_
+
+  - [x] 6.3 Update `backend/routes/knowledgeBase.js`
+    - Use requireGroup('Admin', 'Standard_User') for upload and delete
+    - _Requirements: 5.2_
+
+  - [x] 6.4 Update `backend/routes/ivantiFindings.js`
+    - Use requireGroup('Admin', 'Standard_User') for override endpoint
+    - _Requirements: 5.2_
+
+  - [x] 6.5 Update `backend/routes/compliance.js`
+    - Use requireGroup('Admin', 'Standard_User') for preview and commit
+    - _Requirements: 5.2_
+
+  - [x] 6.6 Update `backend/server.js` inline CVE routes
+    - Use requireGroup('Admin', 'Standard_User') for POST, PUT, PATCH, DELETE
+    - _Requirements: 5.2_
+
+  - [x] 6.7 Update `backend/server.js` route mounting
+    - Pass requireGroup instead of requireRole to route factories
+    - _Requirements: 3.1_
+
+  - [ ]* 6.8 Write property test for Leadership restrictions
+    - **Property 5: Leadership cannot mutate any resource**
+    - Generate random mutation requests as Leadership, verify 403
+    - **Validates: Requirements 6.3**
+
+  - [ ]* 6.9 Write property test for Read_Only restrictions
+    - **Property 6: Read_Only cannot mutate or export**
+    - Generate random mutation and export requests as Read_Only, verify 403
+    - **Validates: Requirements 7.2, 7.3**
+
+- [x] 7. Checkpoint: Verify backend route authorization
+  - Ensure all tests pass, ask the user if questions arise.
+
+- [ ] 8. Implement Standard User conditional delete logic
+  - [x] 8.1 Add created_by column tracking
+    - Add created_by to CVE, finding, and ticket creation endpoints storing req.user.id on insert
+    - _Requirements: 3.5_
+
+  - [x] 8.2 Implement ownership check for CVE delete
+    - Standard_User can only delete CVEs they created
+    - Return 403 if not owner
+    - _Requirements: 3.5_
+
+  - [x] 8.3 Implement cascade impact check for CVE delete
+    - Query associated Archer tickets and documents
+    - Check compliance linkage on cascaded tickets
+    - Return cascade_impact response schema
+    - Block deletion if any cascaded ticket is compliance-linked
+    - _Requirements: 3.8, 3.9_
+
+  - [x] 8.4 Implement state check for finding delete
+    - Standard_User cannot delete resolved or closed findings
+    - Return 403 with appropriate error message
+    - _Requirements: 3.6_
+
+  - [x] 8.5 Implement compliance linkage check for ticket delete
+    - Standard_User cannot delete tickets linked to compliance reports
+    - Return 403 with appropriate error message
+    - _Requirements: 3.7_
+
+  - [x] 8.6 Ensure Admin bypasses all delete restrictions
+    - Admin group skips ownership, state, and compliance checks
+    - _Requirements: 3.10, 4.5_
+
+  - [ ]* 8.7 Write property test for Admin delete bypass
+    - **Property 4: Admin bypasses all delete restrictions**
+    - Generate resources with random ownership, state, compliance linkage, delete as Admin, verify success
+    - **Validates: Requirements 3.10, 4.1, 4.5**
+
+  - [ ] 8.8 Write unit tests for conditional delete logic
+    - Test ownership rejection for non-owner
+    - Test state rejection for resolved/closed findings
+    - Test compliance linkage rejection
+    - Test cascade impact response format
+    - Test Admin bypass of all restrictions
+    - _Requirements: 3.5, 3.6, 3.7, 3.8, 3.9, 3.10_
+
+- [x] 9. Checkpoint: Verify conditional delete logic
+  - Ensure all tests pass, ask the user if questions arise.
+
+- [ ] 10. Update frontend AuthContext with group helpers
+  - [x] 10.1 Update `frontend/src/contexts/AuthContext.js`
+    - Read group from user object instead of role
+    - Replace hasRole with isInGroup(...groups) helper
+    - Update canWrite to check isInGroup('Admin', 'Standard_User')
+    - Add canDelete(resource) helper: Admin always true, Standard_User only if owns resource, others false
+    - Add canExport() helper: true for Admin, Standard_User, Leadership
+    - Update isAdmin() to check isInGroup('Admin')
+    - _Requirements: 10.1, 10.2, 10.3, 10.4, 10.5_
+
+  - [ ]* 10.2 Write property test for permission helpers
+    - **Property 7: Group permission helpers are consistent with group matrix**
+    - Generate all valid group values, call each helper, verify against permission matrix
+    - **Validates: Requirements 10.5**
+
+- [ ] 11. Update frontend UI for group-based rendering
+  - [x] 11.1 Update `App.js` conditional rendering
+    - Use canWrite, canDelete, canExport, isAdmin for button and link visibility
+    - _Requirements: 10.1, 10.2, 10.3_
+
+  - [x] 11.2 Update `NavDrawer.js`
+    - Show admin panel link only when isAdmin() is true
+    - _Requirements: 10.3_
+
+  - [x] 11.3 Update `UserMenu.js`
+    - Display user group instead of role
+    - _Requirements: 10.1_
+
+  - [x] 11.4 Update all components using hasRole or canWrite
+    - Replace with new group-based helpers throughout components
+    - _Requirements: 10.5_
+
+  - [x] 11.5 Hide delete buttons for non-owned resources
+    - Standard_User sees delete only on resources they created
+    - _Requirements: 10.4_
+
+- [ ] 12. Update User Management UI
+  - [x] 12.1 Replace role dropdown with group dropdown in `UserManagement.js`
+    - Options: Admin, Standard_User, Leadership, Read_Only
+    - _Requirements: 8.1, 8.2_
+
+  - [x] 12.2 Update form data and API calls to use group field
+    - Send group instead of role in create and update requests
+    - _Requirements: 8.2_
+
+  - [x] 12.3 Add confirmation dialog for group changes
+    - Show confirmation before applying any group change
+    - _Requirements: 8.3_
+
+  - [x] 12.4 Add extra warning when downgrading Admin
+    - Show additional warning in confirmation dialog
+    - _Requirements: 8.4_
+
+  - [x] 12.5 Prevent admin self-demotion in UI
+    - Disable group change dropdown for current user if Admin
+    - _Requirements: 8.5_
+
+  - [x] 12.6 Update user table to show group badges
+    - Display group badge with appropriate colors instead of role badge
+    - _Requirements: 8.1_
+
+- [x] 13. Final checkpoint: Verify full integration
+  - Ensure all tests pass, ask the user if questions arise.
+
+## Notes
+
+- Tasks marked with `*` are optional and can be skipped for faster MVP
+- Each task references specific requirements for traceability
+- Checkpoints ensure incremental validation
+- Property tests use `fast-check` library with minimum 100 iterations per test
+- All backend code uses callback-based SQLite API wrapped in promises (matching existing patterns)
+- All frontend code uses plain JavaScript (no TypeScript)

.kiro/specs/ivanti-fp-workflow-submission/design.md

@@ -0,0 +1,321 @@
+# Design Document: Ivanti FP Workflow Submission
+
+## Overview
+
+This feature extends the existing Ivanti Queue (QueuePanel) in the Reporting Page to allow users to submit False Positive (FP) workflows directly to the Ivanti/RiskSense API. The implementation adds a submission modal triggered from the queue panel, a backend API endpoint that proxies the workflow creation and attachment upload to Ivanti, and local tracking of submissions in SQLite.
+
+The design follows existing codebase conventions: factory-pattern Express routes, inline React styles with the dark tactical theme, Multer for file uploads, and the `ivantiPost()` HTTP helper for Ivanti API calls.
+
+## Architecture
+
+```mermaid
+sequenceDiagram
+    participant U as User (Browser)
+    participant FE as React Frontend
+    participant BE as Express Backend
+    participant IV as Ivanti API
+    participant DB as SQLite
+
+    U->>FE: Select FP queue items, click "Create FP Workflow"
+    FE->>FE: Open FpWorkflowModal with selected items
+    U->>FE: Fill form, attach files, click Submit
+    FE->>BE: POST /api/ivanti/fp-workflow (multipart/form-data)
+    BE->>BE: Validate input, check auth
+    BE->>IV: POST /client/{clientId}/workflowBatch (create FP workflow)
+    IV-->>BE: 200 + workflow batch response (id, generatedId)
+    alt Attachments present
+        loop For each attachment
+            BE->>IV: POST /client/{clientId}/workflowBatch/{id}/attachment
+            IV-->>BE: 200 OK
+        end
+    end
+    BE->>DB: INSERT into ivanti_fp_submissions
+    BE->>DB: INSERT audit log entry
+    BE->>DB: UPDATE ivanti_todo_queue SET status='complete'
+    BE-->>FE: 200 + { workflowBatchId, generatedId, status }
+    FE->>FE: Show success, refresh queue panel
+```
+
+## Components and Interfaces
+
+### Backend
+
+#### New Route Module: `backend/routes/ivantiFpWorkflow.js`
+
+Exports `createIvantiFpWorkflowRouter(db, requireAuth)` following the existing factory pattern.
+
+**Endpoint: `POST /api/ivanti/fp-workflow`**
+
+- Auth: `requireAuth(db)`, `requireGroup('Admin', 'Standard_User')`
+- Content-Type: `multipart/form-data` (handled by Multer)
+- Request fields:
+  - `name` (string, required) — workflow name, max 255 chars
+  - `reason` (string, required) — justification text
+  - `description` (string, optional) — additional details, max 2000 chars
+  - `expirationDate` (string, required) — ISO date string, must be future
+  - `scopeOverride` (string, optional) — "Authorized" (default) or "None"
+  - `findingIds` (string, required) — JSON-encoded array of finding ID strings
+  - `queueItemIds` (string, required) — JSON-encoded array of local queue item IDs
+  - `attachments` (files, optional) — up to 10 files, 10MB each
+
+- Response (success):
+  ```json
+  {
+    "success": true,
+    "workflowBatchId": 12345,
+    "generatedId": "FP#12345",
+    "attachmentResults": [
+      { "filename": "evidence.pdf", "success": true },
+      { "filename": "screenshot.png", "success": true }
+    ],
+    "queueItemsUpdated": 3
+  }
+  ```
+
+- Response (error):
+  ```json
+  {
+    "success": false,
+    "error": "Ivanti API returned status 401",
+    "step": "create_workflow",
+    "details": "..."
+  }
+  ```
+
+**Internal flow:**
+
+1. Parse and validate all form fields
+2. Verify all `queueItemIds` belong to the requesting user and are FP-type with pending status
+3. Call Ivanti API to create the workflow batch
+4. If attachments exist, upload each to the created workflow batch
+5. Insert a submission record into `ivanti_fp_submissions`
+6. Log audit entry via `logAudit()`
+7. Mark queue items as complete
+8. Return combined result
+
+#### Ivanti API Calls
+
+Reuses the existing `ivantiPost()` helper pattern from `ivantiWorkflows.js`. Adds a new `ivantiMultipartPost()` helper for attachment uploads that sends `multipart/form-data` instead of JSON.
+
+**Create Workflow Batch:**
+```
+POST /client/{clientId}/workflowBatch
+```
+```json
+{
+  "name": "FP - CVE-2024-1234 - Vendor X",
+  "type": "FALSE_POSITIVE",
+  "reason": "Scanner false positive confirmed by manual investigation",
+  "description": "Additional context...",
+  "expirationDate": "2025-12-31",
+  "scopeOverrideAuthorization": "AUTHORIZED",
+  "hostFindingIds": [123456, 789012],
+  "subType": "FALSE_POSITIVE"
+}
+```
+
+**Upload Attachment:**
+```
+POST /client/{clientId}/workflowBatch/{workflowBatchId}/attachment
+Content-Type: multipart/form-data
+```
+Form field: `file` — the binary file content.
+
+#### Shared HTTP Helpers
+
+The existing `ivantiPost()` function is duplicated across `ivantiWorkflows.js` and `ivantiFindings.js`. This design extracts it into a shared helper at `backend/helpers/ivantiApi.js` alongside the new multipart helper:
+
+- `ivantiPost(urlPath, body, apiKey, skipTls)` — JSON POST (existing logic)
+- `ivantiMultipartPost(urlPath, fileBuffer, fileName, apiKey, skipTls)` — multipart file upload
+
+### Frontend
+
+#### New Component: `FpWorkflowModal`
+
+Located in `frontend/src/components/pages/ReportingPage.js` (inline, following the existing pattern where QueuePanel and AddToQueuePopover are defined in the same file).
+
+**Props:**
+- `open` (boolean) — controls visibility
+- `onClose` (function) — close handler
+- `selectedItems` (array) — FP queue items selected for submission
+- `onSuccess` (function) — callback after successful submission, triggers queue refresh
+
+**State:**
+- `name`, `reason`, `description`, `expirationDate`, `scopeOverride` — form fields
+- `files` — array of File objects for upload
+- `submitting` — boolean, disables form during submission
+- `progress` — object tracking current step and attachment progress
+- `errors` — validation error map
+- `result` — submission result (success/failure details)
+
+**UI Layout:**
+- Modal overlay with dark backdrop (matching existing modal patterns)
+- Header: "Create FP Workflow" with close button
+- Body sections:
+  1. Selected findings summary (read-only list with finding_id, title, CVEs)
+  2. Workflow configuration form (name, reason, description, expiration, scope override toggle)
+  3. File upload area (drag-and-drop zone + file list)
+- Footer: Cancel and Submit buttons, progress indicator when submitting
+
+#### QueuePanel Modifications
+
+- Add a "Create FP Workflow" button in the footer, next to existing "Delete Selected" and "Clear Completed" buttons
+- Button enabled only when `selectedIds` contains at least one pending FP-type item
+- Clicking opens `FpWorkflowModal` with the filtered FP items
+- After successful submission, the `onSuccess` callback triggers queue refresh
+
+## Data Models
+
+### New Table: `ivanti_fp_submissions`
+
+```sql
+CREATE TABLE IF NOT EXISTS ivanti_fp_submissions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    user_id INTEGER NOT NULL,
+    username TEXT NOT NULL,
+    ivanti_workflow_batch_id INTEGER,
+    ivanti_generated_id TEXT,
+    workflow_name TEXT NOT NULL,
+    reason TEXT NOT NULL,
+    description TEXT,
+    expiration_date TEXT NOT NULL,
+    scope_override TEXT NOT NULL DEFAULT 'Authorized',
+    finding_ids_json TEXT NOT NULL,
+    queue_item_ids_json TEXT NOT NULL,
+    attachment_count INTEGER DEFAULT 0,
+    attachment_results_json TEXT,
+    status TEXT NOT NULL DEFAULT 'success' CHECK(status IN ('success', 'partial', 'failed')),
+    error_message TEXT,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE INDEX IF NOT EXISTS idx_fp_submissions_user ON ivanti_fp_submissions(user_id);
+CREATE INDEX IF NOT EXISTS idx_fp_submissions_ivanti_id ON ivanti_fp_submissions(ivanti_generated_id);
+```
+
+**Status values:**
+- `success` — workflow created and all attachments uploaded
+- `partial` — workflow created but one or more attachments failed
+- `failed` — workflow creation itself failed (record kept for audit)
+
+### Migration Script: `backend/migrations/add_fp_submissions_table.js`
+
+Standard migration script following the existing pattern (e.g., `add_ivanti_todo_queue_table.js`).
+
+
+## Correctness Properties
+
+*A property is a characteristic or behavior that should hold true across all valid executions of a system — essentially, a formal statement about what the system should do. Properties serve as the bridge between human-readable specifications and machine-verifiable correctness guarantees.*
+
+### Property 1: FP Workflow Button Enabled State
+
+*For any* set of queue items and any selection of item IDs, the "Create FP Workflow" button should be enabled if and only if the selection contains at least one queue item that has `workflow_type === 'FP'` and `status === 'pending'`.
+
+**Validates: Requirements 1.1**
+
+### Property 2: FP-Only Item Filtering
+
+*For any* set of selected queue items containing a mix of workflow types (FP, Archer, CARD), the items passed to the FP workflow submission modal should contain only items where `workflow_type === 'FP'`, and the count of filtered items should be less than or equal to the count of selected items.
+
+**Validates: Requirements 1.2**
+
+### Property 3: Form Validation Correctness
+
+*For any* form state (name, reason, description, expirationDate, scopeOverride), validation should pass if and only if: name is a non-empty string of at most 255 characters, reason is a non-empty string, description (if provided) is at most 2000 characters, and expirationDate is a valid date strictly after today. When validation fails, the returned error map should contain a key for each invalid field and no keys for valid fields.
+
+**Validates: Requirements 2.4, 2.5**
+
+### Property 4: File Extension Validation
+
+*For any* filename string, the file acceptance function should return true if and only if the file's extension (case-insensitive) is one of: .pdf, .png, .jpg, .jpeg, .gif, .doc, .docx, .xlsx, .csv, .txt, .zip. Files with disallowed extensions should be rejected.
+
+**Validates: Requirements 3.3**
+
+### Property 5: API Payload Construction
+
+*For any* valid form input (name, reason, description, expirationDate, scopeOverride, findingIds), the constructed Ivanti API request body should contain: `type` equal to "FALSE_POSITIVE", `name` equal to the input name, `reason` equal to the input reason, `expirationDate` equal to the input date, `scopeOverrideAuthorization` mapped from the input scopeOverride value, and `hostFindingIds` equal to the input finding IDs parsed as integers.
+
+**Validates: Requirements 4.1**
+
+### Property 6: Queue Items Marked Complete on Success
+
+*For any* set of queue item IDs associated with a successful FP workflow submission, after the post-submission handler runs, all those queue items should have `status === 'complete'`.
+
+**Validates: Requirements 5.1**
+
+### Property 7: Post-Submission Persistence Completeness
+
+*For any* successful FP workflow submission with a given workflow batch ID, name, user ID, and finding IDs, the resulting submission record should contain all of: ivanti_workflow_batch_id, workflow_name, user_id, finding_ids_json (parseable to the original finding IDs array), and a non-null created_at timestamp. Additionally, the audit log entry should have action "ivanti_fp_workflow_created", entity_type "ivanti_workflow", and details containing the workflow name and finding IDs.
+
+**Validates: Requirements 6.1, 6.2**
+
+### Property 8: Role-Based UI Visibility
+
+*For any* user role, the "Create FP Workflow" button should be visible if and only if the user's role is "editor" or "admin". Users with the "viewer" role should not see the button.
+
+**Validates: Requirements 7.2**
+
+## Error Handling
+
+### Ivanti API Errors
+
+| HTTP Status | Error Type | User-Facing Message | System Behavior |
+|-------------|-----------|---------------------|-----------------|
+| 401 | Auth failure | "Ivanti API key is invalid or missing. Contact your administrator." | Log error, preserve form state |
+| 419 | Insufficient privileges | "API key lacks workflow creation permissions." | Log error, preserve form state |
+| 429 | Rate limited | "Ivanti API rate limit reached. Please try again in a few minutes." | Log error, preserve form state |
+| 5xx | Server error | "Ivanti API is temporarily unavailable. Please try again later." | Log error, preserve form state |
+| Other | Unknown | "Workflow creation failed: {status} — {message}" | Log error with full response, preserve form state |
+
+### Partial Failure (Attachment Upload)
+
+When the workflow batch is created successfully but one or more attachment uploads fail:
+- The submission record is saved with `status = 'partial'`
+- The response includes the workflow batch ID and per-attachment success/failure details
+- The UI shows which attachments failed and allows retry
+- The queue items are still marked complete (the workflow itself was created)
+
+### Local Database Errors
+
+- If the submission record INSERT fails: log error, still return success to user (Ivanti workflow was created)
+- If queue item status UPDATE fails: return success with a warning that local queue state may be stale
+- If audit log INSERT fails: fire-and-forget (existing pattern from `logAudit()`)
+
+### Input Validation Errors
+
+- All validation errors return 400 with a structured error object mapping field names to error messages
+- Frontend validates before sending to prevent unnecessary API calls
+- Backend re-validates all inputs as a security measure
+
+## Testing Strategy
+
+### Property-Based Testing
+
+Use `fast-check` as the property-based testing library for JavaScript.
+
+Each correctness property maps to a single property-based test with a minimum of 100 iterations. Tests are tagged with the format: **Feature: ivanti-fp-workflow-submission, Property {number}: {title}**.
+
+Property tests focus on pure functions extracted from the implementation:
+- `isCreateFpButtonEnabled(items, selectedIds)` — Property 1
+- `filterFpItems(items)` — Property 2
+- `validateFpWorkflowForm(formData)` — Property 3
+- `isAllowedFileExtension(filename)` — Property 4
+- `buildIvantiPayload(formData, findingIds)` — Property 5
+- Queue item status update logic — Property 6
+- Submission record creation — Property 7
+- Role-based visibility check — Property 8
+
+### Unit Testing
+
+Unit tests complement property tests by covering:
+- Specific examples: known-good form submissions, known-bad inputs
+- Edge cases: empty finding lists, maximum file size boundary, expiration date exactly tomorrow
+- Error code mapping: verify each Ivanti HTTP status maps to the correct error message
+- Integration points: Multer file handling, multipart form construction
+- API response parsing: various Ivanti response formats
+
+### Test File Locations
+
+- `backend/__tests__/ivantiFpWorkflow.test.js` — backend route handler tests, validation, payload construction
+- `backend/__tests__/ivantiFpWorkflow.property.test.js` — property-based tests for backend logic
+- `frontend/src/__tests__/fpWorkflowModal.test.js` — frontend component and validation tests

.kiro/specs/ivanti-fp-workflow-submission/requirements.md

@@ -0,0 +1,99 @@
+# Requirements Document
+
+## Introduction
+
+This feature adds the ability for users to select items from the Ivanti Queue (QueuePanel) and submit False Positive (FP) workflows directly to the Ivanti/RiskSense API. Users can configure the FP workflow with a name, reason, description, expiration date, and the "Authorized" scope override option. Supporting documentation and artifacts can be uploaded and attached to the workflow via the API. Successful submissions mark the corresponding queue items as complete and are tracked locally with full audit logging.
+
+## Glossary
+
+- **Dashboard**: The STEAM Security Dashboard application
+- **Queue_Panel**: The slide-out panel in the Reporting Page that displays the user's Ivanti todo queue items grouped by vendor/CARD
+- **Queue_Item**: A single entry in the ivanti_todo_queue table representing a host finding staged for workflow processing, with fields including finding_id, finding_title, cves_json, ip_address, vendor, workflow_type, and status
+- **FP_Workflow**: A False Positive workflow batch created in the Ivanti/RiskSense platform to mark host findings as false positives, removing them from risk calculations
+- **Ivanti_API**: The Ivanti/RiskSense REST API at https://platform4.risksense.com/api/v1, authenticated via x-api-key header
+- **Workflow_Batch**: An Ivanti API resource representing a group of findings submitted together under a single workflow request
+- **Scope_Override_Authorization**: An Ivanti workflow property that controls whether additional findings can be added to or removed from the workflow after creation; values are "None" or "Authorized"
+- **Submission_Record**: A local database record tracking the details and outcome of an FP workflow submission made through the Dashboard
+- **Attachment**: A supporting document or artifact (PDF, screenshot, etc.) uploaded alongside an FP workflow submission as evidence or justification
+
+## Requirements
+
+### Requirement 1: Select FP Queue Items for Workflow Submission
+
+**User Story:** As an editor or admin, I want to select one or more FP-type items from the Ivanti Queue, so that I can batch them into a single False Positive workflow submission.
+
+#### Acceptance Criteria
+
+1. WHEN the Queue_Panel is open and contains FP-type Queue_Items, THE Dashboard SHALL display a "Create FP Workflow" action button that is enabled only when at least one pending FP-type Queue_Item is selected
+2. WHEN a user selects Queue_Items of mixed workflow_type (FP and non-FP), THE Dashboard SHALL only include FP-type Queue_Items in the FP workflow submission and SHALL visually indicate which items are eligible
+3. IF no pending FP-type Queue_Items are selected, THEN THE Dashboard SHALL disable the "Create FP Workflow" action button and display a tooltip explaining the requirement
+4. WHEN the "Create FP Workflow" button is clicked, THE Dashboard SHALL open the FP Workflow Submission modal pre-populated with the selected finding IDs
+
+### Requirement 2: Configure FP Workflow Details
+
+**User Story:** As an editor or admin, I want to configure the FP workflow properties before submission, so that I can provide the required justification and metadata for the false positive request.
+
+#### Acceptance Criteria
+
+1. THE FP_Workflow submission modal SHALL present input fields for: workflow name (required, max 255 characters), reason/justification (required), description (optional, max 2000 characters), and expiration date (required, must be a future date)
+2. THE FP_Workflow submission modal SHALL include a Scope_Override_Authorization toggle defaulting to "Authorized"
+3. THE FP_Workflow submission modal SHALL display a summary list of the selected Queue_Items including finding_id, finding_title, and associated CVEs
+4. WHEN a user attempts to submit with missing required fields, THE Dashboard SHALL display inline validation errors for each invalid field and prevent submission
+5. IF the expiration date is set to a date in the past or today, THEN THE Dashboard SHALL reject the value and display a validation message indicating the date must be in the future
+
+### Requirement 3: Upload Supporting Documentation
+
+**User Story:** As an editor or admin, I want to upload supporting documents and artifacts with my FP workflow submission, so that reviewers have the evidence needed to approve the false positive request.
+
+#### Acceptance Criteria
+
+1. THE FP_Workflow submission modal SHALL include a file upload area that accepts multiple files with a maximum size of 10 MB per file
+2. WHEN files are added to the upload area, THE Dashboard SHALL display each file name, size, and a remove button
+3. THE Dashboard SHALL accept files with extensions: .pdf, .png, .jpg, .jpeg, .gif, .doc, .docx, .xlsx, .csv, .txt, .zip
+4. IF a user attempts to upload a file exceeding 10 MB, THEN THE Dashboard SHALL reject the file and display an error message stating the size limit
+5. IF a user attempts to upload a file with a disallowed extension, THEN THE Dashboard SHALL reject the file and display an error message listing the allowed file types
+
+### Requirement 4: Submit FP Workflow to Ivanti API
+
+**User Story:** As an editor or admin, I want to submit the configured FP workflow to the Ivanti API, so that the false positive request is created in the Ivanti/RiskSense platform with all associated findings and attachments.
+
+#### Acceptance Criteria
+
+1. WHEN the user clicks Submit, THE Dashboard SHALL send a POST request to the Ivanti_API to create a Workflow_Batch of type "False Positive" with the configured name, reason, description, expiration date, Scope_Override_Authorization setting, and the list of host finding IDs
+2. WHEN the Workflow_Batch is created successfully and attachments are present, THE Dashboard SHALL upload each Attachment to the Ivanti_API associated with the created Workflow_Batch
+3. WHEN the submission is in progress, THE Dashboard SHALL display a progress indicator showing the current step (creating workflow, uploading attachment 1 of N, etc.) and disable the Submit button to prevent duplicate submissions
+4. WHEN the entire submission completes successfully, THE Dashboard SHALL display a success message including the Ivanti-generated workflow batch ID (e.g., "FP#12345")
+5. IF the Ivanti_API returns a 401 status, THEN THE Dashboard SHALL display an error message indicating the API key is invalid or missing
+6. IF the Ivanti_API returns a 429 status, THEN THE Dashboard SHALL display an error message indicating rate limiting and suggest retrying later
+7. IF the Ivanti_API returns any other error status during workflow creation, THEN THE Dashboard SHALL display the error details and preserve the user's form input so they can retry without re-entering data
+8. IF an attachment upload fails after the workflow is created, THEN THE Dashboard SHALL report which attachments failed, display the workflow batch ID for the successfully created workflow, and allow the user to retry the failed uploads
+
+### Requirement 5: Post-Submission Queue Item Updates
+
+**User Story:** As an editor or admin, I want queue items to be automatically marked complete after a successful FP workflow submission, so that my queue reflects the current processing state.
+
+#### Acceptance Criteria
+
+1. WHEN an FP workflow submission completes successfully, THE Dashboard SHALL mark all associated Queue_Items as "complete" status
+2. WHEN Queue_Items are marked complete after submission, THE Dashboard SHALL refresh the Queue_Panel to reflect the updated statuses
+3. IF marking a Queue_Item as complete fails locally, THEN THE Dashboard SHALL display a warning that the workflow was submitted successfully but the local queue status could not be updated
+
+### Requirement 6: Local Submission Tracking
+
+**User Story:** As an editor or admin, I want FP workflow submissions to be tracked locally, so that I can review submission history and audit past actions.
+
+#### Acceptance Criteria
+
+1. WHEN an FP workflow submission completes successfully, THE Dashboard SHALL create a Submission_Record in the local database containing: the Ivanti workflow batch ID, workflow name, submitting user ID, list of finding IDs, submission timestamp, and status
+2. WHEN an FP workflow submission completes successfully, THE Dashboard SHALL log an audit entry with action "ivanti_fp_workflow_created", entity type "ivanti_workflow", the workflow batch ID as entity ID, and details including the finding IDs and workflow name
+3. IF an FP workflow submission fails, THEN THE Dashboard SHALL log an audit entry with action "ivanti_fp_workflow_failed" including the error details
+
+### Requirement 7: Authorization and Access Control
+
+**User Story:** As a system administrator, I want FP workflow submission restricted to authorized users, so that only editors and admins can create workflows in the Ivanti platform.
+
+#### Acceptance Criteria
+
+1. THE Dashboard SHALL restrict the FP workflow submission API endpoint to users with the "Admin" or "Standard_User" group membership
+2. THE Dashboard SHALL restrict the FP workflow submission UI controls to users with editor or admin roles
+3. WHILE a user has the viewer role, THE Dashboard SHALL hide the "Create FP Workflow" button from the Queue_Panel

.kiro/specs/ivanti-fp-workflow-submission/tasks.md

@@ -0,0 +1,109 @@
+# Implementation Plan: Ivanti FP Workflow Submission
+
+## Overview
+
+Implement the ability to select FP-type items from the Ivanti Queue and submit False Positive workflows to the Ivanti/RiskSense API, with file attachment support, local submission tracking, and audit logging. The implementation follows existing codebase conventions: factory-pattern Express routes, Multer for file uploads, inline React component styles with the dark tactical theme, and the `ivantiPost()` HTTP helper for Ivanti API calls.
+
+## Tasks
+
+- [x] 1. Database migration and shared helpers
+  - [x] 1.1 Create migration script `backend/migrations/add_fp_submissions_table.js`
+    - Create `ivanti_fp_submissions` table with columns: id, user_id, username, ivanti_workflow_batch_id, ivanti_generated_id, workflow_name, reason, description, expiration_date, scope_override, finding_ids_json, queue_item_ids_json, attachment_count, attachment_results_json, status (success/partial/failed), error_message, created_at
+    - Add indexes on user_id and ivanti_generated_id
+    - Follow existing migration pattern from `add_ivanti_todo_queue_table.js`
+    - _Requirements: 6.1_
+
+  - [x] 1.2 Extract shared Ivanti API helpers into `backend/helpers/ivantiApi.js`
+    - Move the `ivantiPost()` function from `ivantiWorkflows.js` into a shared module
+    - Add `ivantiMultipartPost(urlPath, fileBuffer, fileName, apiKey, skipTls)` for attachment uploads using Node.js `https` module with multipart/form-data boundary construction
+    - Export both functions; update `ivantiWorkflows.js` and `ivantiFindings.js` to import from the shared module
+    - _Requirements: 4.1, 4.2_
+
+- [x] 2. Backend route — validation and payload construction
+  - [x] 2.1 Create `backend/routes/ivantiFpWorkflow.js` with validation and payload builder
+    - Export `createIvantiFpWorkflowRouter(db, requireAuth)` factory function
+    - Implement `POST /` route with `requireAuth(db)` and `requireGroup('Admin', 'Standard_User')` middleware
+    - Configure Multer for up to 10 file uploads, 10MB each, with allowed extensions: .pdf, .png, .jpg, .jpeg, .gif, .doc, .docx, .xlsx, .csv, .txt, .zip
+    - Implement `validateFpWorkflowForm(body)` — returns error map for invalid fields (name required max 255, reason required, description max 2000, expirationDate required and must be future date)
+    - Implement `buildIvantiPayload(formData, findingIds)` — constructs the Ivanti API request body with type "FALSE_POSITIVE", scopeOverrideAuthorization mapping, and hostFindingIds as integers
+    - Implement `isAllowedFileExtension(filename)` — checks against the allowed extensions list (case-insensitive)
+    - Verify all queueItemIds belong to the requesting user, are FP-type, and have pending status
+    - _Requirements: 2.4, 2.5, 3.3, 3.4, 3.5, 4.1, 7.1_
+
+  - [ ]* 2.2 Write property tests for validation and payload construction
+    - **Property 3: Form Validation Correctness** — For any form state, validation passes iff all required fields present and expiration date is future; error map keys match invalid fields only
+    - **Property 4: File Extension Validation** — For any filename, acceptance returns true iff extension is in the allowed set (case-insensitive)
+    - **Property 5: API Payload Construction** — For any valid form input, the constructed payload contains correct type, name, reason, expirationDate, scopeOverrideAuthorization, and hostFindingIds as integers
+    - Use `fast-check` library with minimum 100 iterations per property
+    - **Validates: Requirements 2.4, 2.5, 3.3, 4.1**
+
+- [x] 3. Backend route — Ivanti API submission and local persistence
+  - [x] 3.1 Implement the submission flow in `ivantiFpWorkflow.js`
+    - Call Ivanti API `POST /client/{clientId}/workflowBatch` to create the FP workflow batch
+    - If attachments present, upload each via `ivantiMultipartPost()` to `/client/{clientId}/workflowBatch/{id}/attachment`
+    - Handle Ivanti API error responses: 401 (invalid key), 419 (insufficient privileges), 429 (rate limited), other errors
+    - On success: insert submission record into `ivanti_fp_submissions`, call `logAudit()` with action "ivanti_fp_workflow_created"
+    - On failure: call `logAudit()` with action "ivanti_fp_workflow_failed"
+    - Mark associated queue items as complete via `UPDATE ivanti_todo_queue SET status='complete'`
+    - Handle partial failures (workflow created but attachment upload failed) — save with status "partial"
+    - Return structured response with workflowBatchId, generatedId, attachmentResults, queueItemsUpdated
+    - _Requirements: 4.1, 4.2, 4.5, 4.6, 4.7, 4.8, 5.1, 6.1, 6.2, 6.3_
+
+  - [ ]* 3.2 Write property tests for queue item completion and submission persistence
+    - **Property 6: Queue Items Marked Complete on Success** — For any set of queue item IDs after successful submission, all items have status "complete"
+    - **Property 7: Post-Submission Persistence Completeness** — For any successful submission, the record contains all required fields (ivanti_workflow_batch_id, workflow_name, user_id, finding_ids_json, created_at) and audit entry has correct action/entity_type/details
+    - Use in-memory SQLite for test isolation
+    - **Validates: Requirements 5.1, 6.1, 6.2**
+
+- [x] 4. Wire backend route into server.js
+  - [x] 4.1 Register the new route in `backend/server.js`
+    - Add `const createIvantiFpWorkflowRouter = require('./routes/ivantiFpWorkflow');`
+    - Mount at `app.use('/api/ivanti/fp-workflow', createIvantiFpWorkflowRouter(db, requireAuth));`
+    - Place near the existing Ivanti route registrations
+    - _Requirements: 7.1_
+
+- [x] 5. Checkpoint — Backend complete
+  - Ensure all tests pass, ask the user if questions arise.
+
+- [x] 6. Frontend — FP Workflow Modal component
+  - [x] 6.1 Implement `FpWorkflowModal` in `frontend/src/components/pages/ReportingPage.js`
+    - Add the modal component inline in ReportingPage.js following the existing pattern (QueuePanel, AddToQueuePopover are in the same file)
+    - Props: open, onClose, selectedItems (FP queue items), onSuccess
+    - Form fields: workflow name (text input, required), reason (textarea, required), description (textarea, optional), expiration date (date input, required), scope override toggle (Authorized/None, default Authorized)
+    - Display selected findings summary: finding_id, finding_title, CVEs for each item
+    - File upload area: drag-and-drop zone, file list with name/size/remove button, validate extensions and 10MB limit client-side
+    - Submit button with progress indicator (creating workflow → uploading attachment N of M)
+    - Error display: inline validation errors, API error messages with form state preservation
+    - Success display: workflow batch ID (e.g., "FP#12345") with close/done action
+    - Style with inline style objects matching the dark tactical theme from DESIGN_SYSTEM.md
+    - Icons from lucide-react (Upload, FileText, X, Check, AlertTriangle, Loader)
+    - _Requirements: 2.1, 2.2, 2.3, 2.4, 2.5, 3.1, 3.2, 3.3, 3.4, 3.5, 4.3, 4.4, 4.7, 4.8_
+
+  - [ ]* 6.2 Write property tests for frontend validation helpers
+    - **Property 1: FP Workflow Button Enabled State** — For any set of queue items and selection, button enabled iff selection contains at least one pending FP item
+    - **Property 2: FP-Only Item Filtering** — For any mixed-type selection, filtered result contains only FP items
+    - **Property 8: Role-Based UI Visibility** — For any user role, button visible iff role is editor or admin
+    - Extract `isCreateFpButtonEnabled`, `filterFpItems`, `shouldShowFpButton` as testable pure functions
+    - Use `fast-check` with minimum 100 iterations
+    - **Validates: Requirements 1.1, 1.2, 7.2**
+
+- [x] 7. Frontend — QueuePanel integration
+  - [x] 7.1 Add "Create FP Workflow" button and modal wiring in QueuePanel
+    - Add "Create FP Workflow" button in QueuePanel footer, styled with amber/FP accent color
+    - Button enabled only when selectedIds contains at least one pending FP-type item
+    - Disabled state shows tooltip: "Select pending FP items to create a workflow"
+    - Hide button entirely for viewer role users (check via useAuth context)
+    - On click: filter selected items to FP-only, open FpWorkflowModal with filtered items
+    - Wire onSuccess callback to trigger queue refresh (call existing fetch function from parent)
+    - _Requirements: 1.1, 1.2, 1.3, 1.4, 5.2, 7.2, 7.3_
+
+- [x] 8. Final checkpoint — Full integration
+  - Ensure all tests pass, ask the user if questions arise.
+
+## Notes
+
+- Tasks marked with `*` are optional and can be skipped for faster MVP
+- Each task references specific requirements for traceability
+- Property tests use `fast-check` library — install via `npm install --save-dev fast-check` in both backend and frontend
+- The shared Ivanti API helper (task 1.2) updates existing imports in ivantiWorkflows.js and ivantiFindings.js — test those routes still work after the refactor
+- Multer is already a project dependency (used for document uploads in server.js)

.kiro/specs/queue-hostname-ip-display/.config.kiro

@@ -0,0 +1 @@
+{"specId": "b8855eb4-3949-426e-86ac-36fe069a6bb1", "workflowType": "requirements-first", "specType": "feature"}

.kiro/specs/queue-hostname-ip-display/design.md

@@ -0,0 +1,175 @@
+# Design Document: Queue Hostname & IP Display
+
+## Overview
+
+This feature adds hostname tracking to the Ivanti todo queue. Currently the queue stores `ip_address` but not `hostname`. The change spans three layers:
+
+1. **Database** — A migration adds a `hostname TEXT` column to `ivanti_todo_queue`.
+2. **Backend API** — The POST (single + batch) endpoints accept and store an optional `hostname` field. The GET endpoint already uses `SELECT *`, so hostname is returned automatically once the column exists.
+3. **Frontend** — The `addToQueue` and `submitBatch` functions pass `finding.hostName` as `hostname`. The QueuePanel renders hostname and IP address for both CARD and vendor-grouped (FP/Archer) sections.
+
+The change is additive and backward-compatible. Existing rows get `NULL` for hostname. No existing behavior changes unless both hostname and ip_address are present.
+
+## Architecture
+
+The data flows through three layers in a straight pipeline:
+
+```mermaid
+flowchart LR
+    A[Ivanti Finding<br/>hostName, ipAddress] -->|POST /todo-queue| B[Express Route<br/>ivantiTodoQueue.js]
+    B -->|INSERT hostname, ip_address| C[SQLite<br/>ivanti_todo_queue]
+    C -->|SELECT *| B
+    B -->|GET response| D[QueuePanel<br/>ReportingPage.js]
+```
+
+No new services, tables, or route modules are introduced. The migration script is a standalone Node.js file following the existing pattern in `backend/migrations/`.
+
+## Components and Interfaces
+
+### Migration Script: `backend/migrations/add_todo_queue_hostname.js`
+
+Follows the exact pattern of `add_todo_queue_ip_address.js`:
+
+- Opens `cve_database.db` via `sqlite3`
+- Runs `ALTER TABLE ivanti_todo_queue ADD COLUMN hostname TEXT`
+- Catches `duplicate column name` error to make it idempotent
+- Closes the database connection
+
+### Backend Route: `backend/routes/ivantiTodoQueue.js`
+
+Changes to two endpoints:
+
+**POST `/` (single-item)**
+- Extract `hostname` from `req.body`
+- Sanitize: if present and a string, trim and slice to 255 chars; otherwise `null`
+- Add to the INSERT column list and parameter array
+
+**POST `/batch`**
+- For each finding in the `findings` array, extract `hostname` from `f.hostname`
+- Same sanitization as single-item
+- Add to the per-row INSERT column list and parameter array
+
+**GET `/`** — No code change needed. `SELECT *` already returns all columns.
+
+**PUT `/:id`** — No change. Hostname is set at insert time and not editable.
+
+### Frontend: `ReportingPage.js`
+
+**`addToQueue` function**
+- Add `hostname: finding.hostName || null` to the POST body
+
+**`submitBatch` function**
+- Add `hostname: f.hostName || null` to each finding object in `findingsPayload`
+
+**QueuePanel rendering (per item)**
+
+For CARD items, the content `<div>` currently shows:
+1. `finding_id`
+2. `ip_address` (if present)
+
+New rendering for CARD items:
+1. `finding_id`
+2. `hostname` (if present)
+3. `ip_address` (if present)
+
+For vendor-grouped items (FP/Archer), the content `<div>` currently shows:
+1. `finding_id`
+2. CVE list (if present)
+
+New rendering for vendor-grouped items:
+1. `finding_id`
+2. CVE list (if present)
+3. `hostname` (if present)
+4. `ip_address` (if present)
+
+Both hostname and IP use the same monospace styling at `0.68rem` / `0.62rem` with muted colors consistent with the existing design system.
+
+## Data Models
+
+### `ivanti_todo_queue` table (after migration)
+
+| Column | Type | Nullable | Notes |
+|--------|------|----------|-------|
+| id | INTEGER | NO | PRIMARY KEY AUTOINCREMENT |
+| user_id | INTEGER | NO | FK → users(id) |
+| finding_id | TEXT | NO | |
+| finding_title | TEXT | YES | max 500 chars |
+| cves_json | TEXT | YES | JSON array string |
+| ip_address | TEXT | YES | max 64 chars |
+| **hostname** | **TEXT** | **YES** | **max 255 chars (new)** |
+| vendor | TEXT | NO | |
+| workflow_type | TEXT | NO | FP, Archer, or CARD |
+| status | TEXT | NO | pending or complete |
+| created_at | DATETIME | NO | DEFAULT CURRENT_TIMESTAMP |
+| updated_at | DATETIME | NO | DEFAULT CURRENT_TIMESTAMP |
+
+### API Request/Response Changes
+
+**POST `/api/ivanti/todo-queue` body** — adds optional field:
+```json
+{
+  "finding_id": "...",
+  "finding_title": "...",
+  "cves": [],
+  "ip_address": "...",
+  "hostname": "server01.example.com",
+  "vendor": "...",
+  "workflow_type": "CARD"
+}
+```
+
+**POST `/api/ivanti/todo-queue/batch` body** — adds optional field per finding:
+```json
+{
+  "findings": [
+    { "finding_id": "...", "ip_address": "...", "hostname": "server01.example.com" }
+  ],
+  "workflow_type": "FP",
+  "vendor": "VendorName"
+}
+```
+
+**GET response** — `hostname` field included automatically via `SELECT *`:
+```json
+{
+  "id": 1,
+  "finding_id": "...",
+  "hostname": "server01.example.com",
+  "ip_address": "10.0.0.1",
+  "..."
+}
+```
+
+
+## Correctness Properties
+
+*A property is a characteristic or behavior that should hold true across all valid executions of a system — essentially, a formal statement about what the system should do. Properties serve as the bridge between human-readable specifications and machine-verifiable correctness guarantees.*
+
+### Property 1: Hostname storage round-trip
+
+*For any* valid hostname string (up to 255 characters), storing it via the queue API (single or batch endpoint) and then retrieving it via GET should return the exact same trimmed string. When the hostname is omitted, null, or empty, the stored and returned value should be null.
+
+**Validates: Requirements 2.1, 2.2, 2.3, 2.4**
+
+### Property 2: Hostname display presence
+
+*For any* queue item with a non-null hostname value, the rendered QueuePanel output should contain the hostname text, regardless of whether the item is a CARD item or a vendor-grouped (FP/Archer) item.
+
+**Validates: Requirements 4.1, 5.1**
+
+## Error Handling
+
+| Scenario | Handling |
+|----------|----------|
+| Migration run when column already exists | Catch `duplicate column name` SQLite error, log skip message, exit cleanly |
+| `hostname` field is not a string | Treat as null — store NULL in database |
+| `hostname` exceeds 255 characters | Truncate to 255 characters via `.slice(0, 255)` |
+| `hostname` is undefined/null/empty string | Store NULL in database |
+| GET returns item with null hostname | Frontend conditionally renders — no hostname line shown |
+| GET returns item with null ip_address and null hostname | CARD: show only finding_id. Vendor: show finding_id + CVEs only |
+
+No new error codes or HTTP status changes are introduced. The hostname field is optional and its absence is a normal case, not an error.
+
+## Testing Strategy
+
+Testing is out of scope for this feature. Manual verification will be performed after implementation.

.kiro/specs/queue-hostname-ip-display/requirements.md

@@ -0,0 +1,70 @@
+# Requirements Document
+
+## Introduction
+
+The Ivanti Queue (todo queue) in the STEAM Security Dashboard currently stores and displays `ip_address` for CARD workflow items but omits hostname entirely. Vendor-grouped sections (FP/Archer) display only `finding_id` and CVEs, hiding the `ip_address` that is already stored. This feature adds a `hostname` column to the database, passes hostname through the backend API, and displays both hostname and IP address across all queue sections (CARD, FP, Archer).
+
+## Glossary
+
+- **Queue_Panel**: The slide-out side panel (`QueuePanel` component) that displays the user's staged Ivanti findings grouped by workflow type and vendor.
+- **Queue_API**: The Express route module (`ivantiTodoQueue.js`) that handles CRUD operations on the `ivanti_todo_queue` table.
+- **Queue_Table**: The SQLite table `ivanti_todo_queue` that persists per-user queue items.
+- **CARD_Section**: The top group in the Queue_Panel that displays items with `workflow_type = 'CARD'`.
+- **Vendor_Section**: Groups in the Queue_Panel for FP and Archer workflow items, organized by vendor name.
+- **Finding**: An Ivanti host finding record containing fields such as `id`, `title`, `hostName`, `ipAddress`, `cves`, and `severity`.
+- **Migration_Script**: A standalone Node.js script in `backend/migrations/` that alters the SQLite schema.
+
+## Requirements
+
+### Requirement 1: Add hostname column to the queue database table
+
+**User Story:** As a developer, I want the queue table to have a `hostname` column, so that hostname data can be persisted alongside each queued finding.
+
+#### Acceptance Criteria
+
+1. THE Migration_Script SHALL add a `hostname` TEXT column to the Queue_Table.
+2. WHEN the `hostname` column already exists, THE Migration_Script SHALL skip the alteration and log a message indicating the column already exists.
+3. THE Migration_Script SHALL preserve all existing rows and column data in the Queue_Table.
+
+### Requirement 2: Accept and store hostname in queue API endpoints
+
+**User Story:** As a developer, I want the queue API to accept a `hostname` field, so that hostname data is stored when findings are added to the queue.
+
+#### Acceptance Criteria
+
+1. WHEN a POST request is received at the single-item endpoint, THE Queue_API SHALL accept an optional `hostname` string field (max 255 characters) and store it in the Queue_Table.
+2. WHEN a POST request is received at the batch endpoint, THE Queue_API SHALL accept an optional `hostname` string field on each finding object (max 255 characters) and store it in the Queue_Table.
+3. WHEN the `hostname` field is omitted or empty, THE Queue_API SHALL store NULL for the `hostname` column.
+4. WHEN a GET request is received, THE Queue_API SHALL return the `hostname` field for each queue item in the response.
+
+### Requirement 3: Pass hostname from the frontend to the queue API
+
+**User Story:** As a developer, I want the frontend to send hostname data when adding findings to the queue, so that hostname is captured from the Ivanti findings data.
+
+#### Acceptance Criteria
+
+1. WHEN a single finding is added to the queue, THE ReportingPage SHALL include the finding's `hostName` value in the `hostname` field of the POST request body.
+2. WHEN findings are added via batch submission, THE ReportingPage SHALL include each finding's `hostName` value in the `hostname` field of the corresponding finding object in the POST request body.
+
+### Requirement 4: Display hostname and IP address in the CARD section
+
+**User Story:** As a security analyst, I want to see both hostname and IP address for CARD items in the queue, so that I can identify the affected host at a glance.
+
+#### Acceptance Criteria
+
+1. WHEN a CARD item has a `hostname` value, THE CARD_Section SHALL display the hostname below the finding ID.
+2. WHEN a CARD item has an `ip_address` value, THE CARD_Section SHALL display the IP address below the hostname.
+3. WHEN a CARD item has both `hostname` and `ip_address`, THE CARD_Section SHALL display hostname on one line and IP address on the next line.
+4. WHEN a CARD item has only `ip_address` and no `hostname`, THE CARD_Section SHALL display the IP address (preserving current behavior).
+5. WHEN a CARD item has only `hostname` and no `ip_address`, THE CARD_Section SHALL display the hostname.
+
+### Requirement 5: Display hostname and IP address in vendor sections (FP/Archer)
+
+**User Story:** As a security analyst, I want to see hostname and IP address for FP and Archer items in the queue, so that I can identify affected hosts without leaving the queue panel.
+
+#### Acceptance Criteria
+
+1. WHEN a vendor-grouped item has a `hostname` value, THE Vendor_Section SHALL display the hostname below the CVE list.
+2. WHEN a vendor-grouped item has an `ip_address` value, THE Vendor_Section SHALL display the IP address below the hostname (or below the CVE list if no hostname exists).
+3. WHEN a vendor-grouped item has both `hostname` and `ip_address`, THE Vendor_Section SHALL display hostname on one line and IP address on the next line, both below the CVE list.
+4. WHEN a vendor-grouped item has neither `hostname` nor `ip_address`, THE Vendor_Section SHALL display only the finding ID and CVE list (preserving current behavior).

.kiro/specs/queue-hostname-ip-display/tasks.md

@@ -0,0 +1,56 @@
+# Implementation Plan: Queue Hostname & IP Display
+
+## Overview
+
+Add hostname tracking to the Ivanti todo queue across database, backend API, and frontend display layers. All changes are additive and backward-compatible.
+
+## Tasks
+
+- [x] 1. Create database migration to add hostname column
+  - Create `backend/migrations/add_todo_queue_hostname.js` following the exact pattern of `add_todo_queue_ip_address.js`
+  - Use `ALTER TABLE ivanti_todo_queue ADD COLUMN hostname TEXT`
+  - Handle `duplicate column name` error for idempotency
+  - Log appropriate messages for success and skip scenarios
+  - _Requirements: 1.1, 1.2, 1.3_
+
+- [x] 2. Update backend API endpoints to accept and store hostname
+  - [x] 2.1 Update POST `/` (single-item) endpoint in `backend/routes/ivantiTodoQueue.js`
+    - Extract `hostname` from `req.body`
+    - Sanitize: if present and a string, trim and slice to 255 chars; otherwise `null`
+    - Add `hostname` to the INSERT column list and parameter array
+    - _Requirements: 2.1, 2.3_
+
+  - [x] 2.2 Update POST `/batch` endpoint in `backend/routes/ivantiTodoQueue.js`
+    - For each finding, extract `hostname` from `f.hostname`
+    - Apply same sanitization as single-item (trim, slice to 255, or null)
+    - Add `hostname` to the per-row INSERT column list and parameter array
+    - _Requirements: 2.2, 2.3_
+
+- [x] 3. Checkpoint
+  - Ensure all backend changes are consistent, ask the user if questions arise.
+
+- [x] 4. Update frontend to pass hostname and display it in the queue panel
+  - [x] 4.1 Update `addToQueue` function in `ReportingPage.js`
+    - Add `hostname: finding.hostName || null` to the POST request body
+    - _Requirements: 3.1_
+
+  - [x] 4.2 Update `submitBatch` function in `ReportingPage.js`
+    - Add `hostname: f.hostName || null` to each finding object in the payload
+    - _Requirements: 3.2_
+
+  - [x] 4.3 Update CARD section rendering in QueuePanel (`ReportingPage.js`)
+    - Display `hostname` below finding_id (when present)
+    - Display `ip_address` below hostname (when present)
+    - Handle all combinations: both present, only hostname, only ip_address, neither
+    - Use monospace styling at `0.68rem` consistent with existing ip_address display
+    - _Requirements: 4.1, 4.2, 4.3, 4.4, 4.5_
+
+  - [x] 4.4 Update vendor section (FP/Archer) rendering in QueuePanel (`ReportingPage.js`)
+    - Display `hostname` below the CVE list (when present)
+    - Display `ip_address` below hostname or below CVE list if no hostname
+    - Handle all combinations: both present, only one, neither
+    - Use monospace styling at `0.62rem` / `0.68rem` with muted colors matching existing design
+    - _Requirements: 5.1, 5.2, 5.3, 5.4_
+
+- [x] 5. Final checkpoint
+  - Ensure all changes are wired together end-to-end, ask the user if questions arise.

.kiro/steering/product.md

@@ -0,0 +1,27 @@
+# Product Overview
+
+The STEAM Security Dashboard is a self-hosted vulnerability management tool for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. It centralizes CVE tracking, Ivanti host finding triage, AEO compliance posture monitoring, FP/Archer exception workflows, and internal documentation in a single interface.
+
+## Core Capabilities
+
+- Searchable CVE list with per-vendor tracking and document storage
+- NVD API integration for auto-populating CVE metadata
+- Ivanti/RiskSense integration for syncing open host findings with FP workflow tracking
+- Reporting page with charts, advanced filtering, inline editing, and CSV/XLSX export
+- Ivanti Queue for batch-processing FP, Archer, and CARD workflows
+- AEO Compliance page with weekly xlsx upload, diff preview, per-team metric health cards, and device-level violation tracking
+- Archer risk acceptance ticket tracking (EXC numbers) linked to CVE/vendor pairs
+- Knowledge base for internal documentation and policies
+- Role-based access control (viewer, editor, admin) with full audit trail
+
+## User Roles
+
+| Role | Permissions |
+|------|------------|
+| viewer | Read-only access to all data |
+| editor | All viewer permissions plus create/update operations |
+| admin | All editor permissions plus delete, user management, and audit log access |
+
+## Teams Tracked
+
+Only **STEAM** and **ACCESS-ENG** teams are tracked in the compliance module.

.kiro/steering/structure.md

@@ -0,0 +1,83 @@
+# Project Structure & Conventions
+
+## Directory Layout
+
+```
+cve-dashboard/
+├── backend/                    # Express API server
+│   ├── server.js               # Main entry point — app setup, middleware, CVE/document routes inline
+│   ├── setup.js                # One-time DB init + default admin creation
+│   ├── cve_database.db         # SQLite database (gitignored)
+│   ├── uploads/                # File storage (gitignored)
+│   ├── routes/                 # Express route modules (factory pattern)
+│   │   ├── auth.js
+│   │   ├── users.js
+│   │   ├── auditLog.js
+│   │   ├── nvdLookup.js
+│   │   ├── knowledgeBase.js
+│   │   ├── archerTickets.js
+│   │   ├── ivantiWorkflows.js
+│   │   ├── ivantiFindings.js
+│   │   ├── ivantiTodoQueue.js
+│   │   └── compliance.js
+│   ├── middleware/
+│   │   └── auth.js             # requireAuth(db), requireRole(...roles)
+│   ├── helpers/
+│   │   └── auditLog.js         # logAudit() — fire-and-forget DB insert
+│   ├── migrations/             # Sequential migration scripts (run manually with node)
+│   └── scripts/                # Python utilities (compliance parsing, CSV import)
+│
+├── frontend/                   # React 19 SPA (Create React App)
+│   └── src/
+│       ├── App.js              # Main dashboard — CVE list, filters, modals, inline styles
+│       ├── App.css             # Global styles and CSS variables
+│       ├── contexts/
+│       │   └── AuthContext.js  # Auth state provider (login, logout, role helpers)
+│       └── components/
+│           ├── LoginForm.js
+│           ├── NavDrawer.js
+│           ├── UserMenu.js
+│           ├── CalendarWidget.js
+│           ├── UserManagement.js
+│           ├── AuditLog.js
+│           ├── NvdSyncModal.js
+│           ├── KnowledgeBaseModal.js
+│           ├── KnowledgeBaseViewer.js
+│           └── pages/          # Full-page views
+│               ├── ReportingPage.js
+│               ├── CompliancePage.js
+│               ├── ComplianceUploadModal.js
+│               ├── ComplianceDetailPanel.js
+│               ├── ComplianceChartsPanel.js
+│               ├── IvantiCountsChart.js
+│               ├── KnowledgeBasePage.js
+│               └── ExportsPage.js
+│
+├── docs/                       # Internal documentation (markdown)
+├── start-servers.sh            # Start both servers in background
+├── stop-servers.sh             # Stop both servers
+└── DESIGN_SYSTEM.md            # UI design system reference (colors, typography, components)
+```
+
+## Backend Conventions
+
+- Route modules export a factory function: `function createXxxRouter(db, ...middleware)` that returns an Express Router.
+- The `db` (sqlite3 Database instance) is passed via dependency injection from `server.js`.
+- Auth middleware: `requireAuth(db)` validates session cookie, attaches `req.user`. `requireRole('editor', 'admin')` checks role.
+- All state-changing actions call `logAudit(db, { userId, username, action, entityType, entityId, details, ipAddress })`.
+- Input validation is done inline in route handlers with early-return error responses.
+- SQLite queries use the callback-based `db.run()`, `db.get()`, `db.all()` API.
+- API routes are prefixed with `/api`. All endpoints except login/logout require a valid session cookie.
+- CVE and document routes are defined inline in `server.js`; feature routes are in separate modules under `routes/`.
+
+## Frontend Conventions
+
+- Single-page app with page-level navigation managed in `App.js` (no React Router).
+- Auth state managed via React Context (`AuthContext`). Use `useAuth()` hook for login/logout/role checks.
+- API calls use `fetch()` with `credentials: 'include'` for cookie-based auth.
+- API base URL from `process.env.REACT_APP_API_BASE`.
+- Styling uses a mix of inline style objects (defined as constants in component files) and `App.css` global styles.
+- Dark theme with a "tactical intelligence" aesthetic — see `DESIGN_SYSTEM.md` for color palette, typography, and component specs.
+- Icons from `lucide-react`. Charts from `recharts`.
+- Page components live in `components/pages/`. Shared components live in `components/`.
+- No TypeScript — the project uses plain JavaScript throughout.

.kiro/steering/tech.md

@@ -0,0 +1,78 @@
+# Tech Stack & Build System
+
+## Stack
+
+| Layer | Technology |
+|-------|-----------|
+| Backend | Node.js 18+, Express 5 |
+| Database | SQLite3 (file: `backend/cve_database.db`) |
+| Auth | bcryptjs, cookie-based sessions (httpOnly, 24h expiry) |
+| File uploads | Multer 2 (10MB limit) |
+| Frontend | React 19 (Create React App / react-scripts 5) |
+| UI Icons | lucide-react |
+| Charts | recharts |
+| Spreadsheet parsing | xlsx (frontend), pandas + openpyxl (backend Python scripts) |
+| Markdown rendering | react-markdown |
+| Diagrams | mermaid |
+
+## Common Commands
+
+### Backend
+```bash
+cd backend
+node setup.js          # Initialize DB, tables, indexes, default admin user
+node server.js         # Start backend on port 3001
+```
+
+### Frontend
+```bash
+cd frontend
+npm install            # Install dependencies
+npm start              # Dev server on port 3000
+npm run build          # Production build
+npm test               # Run tests (react-scripts test)
+```
+
+### Both servers (from project root)
+```bash
+./start-servers.sh     # Start backend + frontend in background
+./stop-servers.sh      # Stop all servers
+```
+
+### Database Migrations (run from `backend/` in order)
+```bash
+node migrations/add_knowledge_base_table.js
+node migrations/add_archer_tickets_table.js
+node migrations/add_ivanti_sync_table.js
+node migrations/add_ivanti_findings_tables.js
+node migrations/add_ivanti_todo_queue_table.js
+node migrations/add_card_workflow_type.js
+node migrations/add_todo_queue_ip_address.js
+node migrations/add_compliance_tables.js
+```
+
+### Python Scripts (from `backend/scripts/`)
+```bash
+# Compliance xlsx parsing (called automatically by upload flow)
+python3 parse_compliance_xlsx.py <file>
+
+# Bulk notes import
+python3 import_notes_from_csv.py input.csv --dry-run
+python3 import_notes_from_csv.py input.csv
+```
+
+Python dependencies: `pandas>=2.0.0`, `openpyxl>=3.0.0` (install via apt or venv).
+
+## Environment Configuration
+
+- `backend/.env` — PORT, CORS_ORIGINS, SESSION_SECRET, NVD_API_KEY, Ivanti API credentials
+- `frontend/.env` — REACT_APP_API_BASE, REACT_APP_API_HOST
+- Both `.env` files are gitignored; see `.env.example` files for templates.
+- React caches env vars at build/start time — restart the frontend process after changes.
+
+## Default Ports
+
+| Service | URL |
+|---------|-----|
+| Frontend | http://localhost:3000 |
+| Backend API | http://localhost:3001 |

DESIGN_SYSTEM.md

@@ -0,0 +1,290 @@
+# CVE Intelligence Dashboard - Design System Reference
+
+## Color Palette
+
+### Primary Colors
+```css
+--intel-darkest: #0F172A    /* Slate 900 - Deepest background */
+--intel-dark: #1E293B       /* Slate 800 - Card backgrounds */
+--intel-medium: #334155     /* Slate 700 - Elevated elements */
+```
+
+### Accent & Status Colors
+```css
+--intel-accent: #0EA5E9    /* Sky Blue - Primary accent, links, interactive elements */
+--intel-warning: #F59E0B   /* Amber - Warnings, high severity, open tickets */
+--intel-danger: #EF4444    /* Red - Critical severity, destructive actions */
+--intel-success: #10B981   /* Emerald - Success states, low severity, confirmations */
+```
+
+### Text Colors
+```css
+--text-primary: #F8FAFC    /* Slate 50 - Primary text */
+--text-secondary: #E2E8F0  /* Slate 200 - Secondary text */
+--text-tertiary: #CBD5E1   /* Slate 300 - Labels, metadata */
+--text-muted: #94A3B8      /* Slate 400 - Placeholders, disabled */
+```
+
+### Severity Badge Colors
+| Severity | Border | Background | Text | Glow Dot |
+|----------|--------|------------|------|----------|
+| **Critical** | `#EF4444` | `rgba(239, 68, 68, 0.25)` | `#FCA5A5` | `#EF4444` |
+| **High** | `#F59E0B` | `rgba(245, 158, 11, 0.25)` | `#FCD34D` | `#F59E0B` |
+| **Medium** | `#0EA5E9` | `rgba(14, 165, 233, 0.25)` | `#7DD3FC` | `#0EA5E9` |
+| **Low** | `#10B981` | `rgba(16, 185, 129, 0.25)` | `#6EE7B7` | `#10B981` |
+
+## Layout Structure
+
+### Three-Column Grid Layout
+```
+┌─────────────────────────────────────────────────────────────┐
+│                    HEADER & STATS BAR                       │
+│  CVE INTEL  |  [Stats: Total, Entries, Tickets, Critical] │
+├──────────────┬─────────────────────────┬────────────────────┤
+│              │                         │                    │
+│  LEFT PANEL  │     CENTER PANEL        │   RIGHT PANEL     │
+│  (3 cols)    │     (6 cols)            │   (3 cols)        │
+│              │                         │                    │
+│  Knowledge   │  Quick CVE Lookup       │   Calendar        │
+│  Base        │  Search & Filters       │   Widget          │
+│  - Wiki      │  CVE Results List       │                   │
+│  - Docs      │  - Expandable cards     │   Open Tickets    │
+│  - Policies  │  - Vendor entries       │   - Compact list  │
+│  - Guides    │  - Documents            │   - Quick stats   │
+│              │  - JIRA tickets         │                   │
+│              │                         │                    │
+└──────────────┴─────────────────────────┴────────────────────┘
+```
+
+### Responsive Breakpoints
+- **Desktop (lg+)**: 3-column layout (3-6-3 grid)
+- **Tablet/Mobile**: Stacked single column
+
+## Component Specifications
+
+### Stat Cards
+```css
+Background: linear-gradient(135deg, rgba(30, 41, 59, 0.95), rgba(51, 65, 85, 0.9))
+Border: 2px solid [accent-color]
+Border Radius: 0.5rem
+Padding: 1rem
+Top Accent Line: 2px gradient, 0 0 8px glow
+Shadow: 0 4px 16px rgba(0, 0, 0, 0.5)
+Hover: translateY(-2px), enhanced shadow
+```
+
+### Intel Cards (Main Content)
+```css
+Background: linear-gradient(135deg, rgba(30, 41, 59, 0.95), rgba(51, 65, 85, 0.9))
+Border: 2px solid rgba(14, 165, 233, 0.4)
+Shadow: 0 8px 24px rgba(0, 0, 0, 0.6), subtle glow
+Hover: Enhanced border (0.5 opacity), lift effect
+```
+
+### Buttons
+```css
+/* Primary */
+Background: linear-gradient(135deg, rgba(14, 165, 233, 0.15), rgba(14, 165, 233, 0.1))
+Border: 1px solid #0EA5E9
+Color: #38BDF8
+Text Shadow: 0 0 6px rgba(14, 165, 233, 0.2)
+
+/* Hover State */
+Background: linear-gradient(135deg, rgba(14, 165, 233, 0.25), rgba(14, 165, 233, 0.2))
+Shadow: 0 0 20px rgba(14, 165, 233, 0.25)
+Transform: translateY(-1px)
+Ripple Effect: 300px radial on click
+```
+
+### Input Fields
+```css
+Background: rgba(30, 41, 59, 0.6)
+Border: 1px solid rgba(14, 165, 233, 0.25)
+Font: 'JetBrains Mono', monospace
+Focus: border #0EA5E9, ring 2px rgba(14, 165, 233, 0.15)
+```
+
+### Badges (Status/Severity)
+```css
+Display: inline-flex
+Align Items: center
+Gap: 0.5rem
+Border: 2px solid [severity-color]
+Border Radius: 0.375rem
+Padding: 0.375rem 0.875rem
+Font: 'JetBrains Mono', 0.75rem, 700, uppercase
+Letter Spacing: 0.5px
+Glow Dot: 8px circle with pulse animation
+```
+
+## Interactions & Animations
+
+### Hover Effects
+- **Cards**: `translateY(-2px)`, enhanced border, subtle glow
+- **Buttons**: Radial ripple expand (300px), slight lift
+- **List Items**: Border color shift, background lighten
+
+### Animations
+```css
+/* Pulse Glow (for dots) */
+@keyframes pulse {
+  0%, 100% { opacity: 1; transform: scale(1); }
+  50% { opacity: 0.7; transform: scale(1.2); }
+}
+
+/* Scan Line */
+@keyframes scan {
+  0%, 100% { transform: translateY(-100%); opacity: 0; }
+  50% { transform: translateY(2000%); opacity: 0.5; }
+}
+
+/* Spin (loading) */
+@keyframes spin {
+  to { transform: rotate(360deg); }
+}
+```
+
+### Transitions
+```css
+Standard: all 0.3s cubic-bezier(0.4, 0, 0.2, 1)
+Fast: all 0.2s ease
+Ripple: width/height 0.5s
+```
+
+## Typography
+
+### Font Families
+```css
+Primary (UI): 'Outfit', system-ui, sans-serif
+Monospace (Data/Code): 'JetBrains Mono', monospace
+```
+
+### Font Sizes & Weights
+```css
+/* Headings */
+h1: 2.5rem (40px), 700, monospace
+h2: 1.125rem (18px), 600, uppercase, tracking-wider
+h3: 1.125rem (18px), 600
+
+/* Body */
+Body: 0.875rem (14px), 400
+Small: 0.75rem (12px), 400
+Labels: 0.75rem (12px), 500, uppercase, tracking-wider
+```
+
+### Text Shadows (Headings)
+```css
+Accent Headings: 0 0 16px rgba(14, 165, 233, 0.3), 0 0 32px rgba(14, 165, 233, 0.15)
+Badge Text: 0 0 8px rgba([color], 0.5)
+```
+
+## Visual Effects
+
+### Shadows
+```css
+/* Card Elevations */
+Level 1: 0 2px 6px rgba(0, 0, 0, 0.3)
+Level 2: 0 4px 12px rgba(0, 0, 0, 0.4)
+Level 3: 0 8px 24px rgba(0, 0, 0, 0.6)
+
+/* Glows */
+Subtle: 0 0 12px rgba([color], 0.12)
+Medium: 0 0 20px rgba([color], 0.15)
+Strong: 0 0 28px rgba([color], 0.25)
+
+/* Inset Highlights */
+Top: inset 0 1px 0 rgba(14, 165, 233, 0.15)
+Recessed: inset 0 2px 4px rgba(0, 0, 0, 0.3)
+```
+
+### Border Styles
+```css
+/* Standard Cards */
+Border: 1.5-2px solid rgba(14, 165, 233, 0.3-0.4)
+
+/* Accent Panels */
+Left Border: 3px solid [accent-color]
+
+/* Vendor/Nested Cards */
+Border: 1px solid rgba(14, 165, 233, 0.25)
+```
+
+### Gradients
+```css
+/* Backgrounds */
+Card: linear-gradient(135deg, rgba(30, 41, 59, 0.95), rgba(51, 65, 85, 0.9))
+Nested: linear-gradient(135deg, rgba(15, 23, 42, 0.95), rgba(30, 41, 59, 0.9))
+
+/* Accent Lines */
+Top Bar: linear-gradient(90deg, transparent, [color], transparent)
+
+/* Grid Background */
+linear-gradient(rgba(14, 165, 233, 0.025) 1px, transparent 1px)
+Size: 20px × 20px
+```
+
+## Specific Component Patterns
+
+### Wiki/Knowledge Base Entry
+```css
+Background: linear-gradient(135deg, rgba(30, 41, 59, 0.85), rgba(51, 65, 85, 0.75))
+Border: 1px solid rgba(16, 185, 129, 0.25)
+Padding: 0.75rem
+Cursor: pointer
+Hover: border-color shift to rgba(16, 185, 129, 0.4)
+```
+
+### Calendar Widget
+```css
+Day Cells:
+  - Text: white, font-mono, 0.75rem
+  - Hover: bg rgba(14, 165, 233, 0.2)
+  - Current Day: bg rgba(14, 165, 233, 0.3), border 1px #0EA5E9
+  - Other Month: text rgba(148, 163, 184, 0.5)
+```
+
+### Ticket Cards (Compact)
+```css
+Background: linear-gradient(135deg, rgba(30, 41, 59, 0.85), rgba(51, 65, 85, 0.75))
+Border: 1px solid rgba(245, 158, 11, 0.25)
+Padding: 0.5rem
+Status Badge: Reduced size (0.65rem, 0.25rem padding)
+Glow Dot: 6px diameter
+```
+
+### CVE Expandable Cards
+```css
+Header: Clickable, cursor pointer
+Collapsed: Show summary (severity, vendor count, doc count)
+Expanded: Full description, metadata, vendor entries
+Chevron: Rotate -90deg (collapsed) to 0deg (expanded)
+Vendor Cards: Nested with reduced opacity borders
+```
+
+## Accessibility
+
+### Contrast Ratios
+- Primary text on dark: 18.5:1 (AAA)
+- Secondary text on dark: 12.3:1 (AAA)
+- Accent colors: All meet WCAG AA minimum
+
+### Interactive States
+- Focus rings: 2px solid accent color
+- Hover: Visible border/background changes
+- Active: Transform feedback
+
+### Typography
+- Minimum size: 12px (0.75rem)
+- Line height: 1.5 for body text
+- Letter spacing: Generous for uppercase labels
+
+## Design Principles
+
+1. **Professional Sophistication**: Modern enterprise feel, not arcade
+2. **Tactical Intelligence**: Purpose-driven, information-dense
+3. **Refined Depth**: Layers and elevation without harsh neon
+4. **Purposeful Color**: Accent colors convey meaning (status, severity)
+5. **Smooth Interactions**: Polished micro-interactions and transitions
+6. **Monospace Data**: Technical data uses JetBrains Mono for clarity
+7. **Generous Spacing**: Breathing room prevents overwhelming density
+

Ivanti_config_template.ini

@@ -0,0 +1,7 @@
+[platform]
+	url = https://platform4.risksense.com
+	api_ver = /api/v1
+	# PROD 1550 | UAT 1551
+	client_id = <pick 1550 or 1551>
+[secrets]
+	api_key = <your API key here>

TEST_PLAN_AUDIT_LOG.md

@@ -0,0 +1,222 @@
+# Audit Logging Feature - User Acceptance Test Plan
+
+## Test Environment Setup
+
+**Prerequisites:**
+- Fresh database via `node backend/setup.js`, OR existing database migrated via `node backend/migrate-audit-log.js`
+- Backend running on port 3001
+- Frontend running on port 3000
+- Three test accounts created:
+  - `admin` / `admin123` (role: admin)
+  - `editor1` (role: editor)
+  - `viewer1` (role: viewer)
+
+**Verify setup:** Run `sqlite3 backend/cve_database.db ".tables"` and confirm `audit_logs` is listed.
+
+---
+
+## 1. Database & Schema
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 1.1 | Fresh install creates table | Run `node setup.js` on a new DB. Query `SELECT sql FROM sqlite_master WHERE name='audit_logs'` | Table exists with columns: id, user_id, username, action, entity_type, entity_id, details, ip_address, created_at | |
+| 1.2 | Indexes created | Query `SELECT name FROM sqlite_master WHERE type='index' AND name LIKE 'idx_audit%'` | Four indexes: idx_audit_user_id, idx_audit_action, idx_audit_entity_type, idx_audit_created_at | |
+| 1.3 | Migration is idempotent | Run `node migrate-audit-log.js` twice on the same DB | Second run prints "already exists, nothing to do". No errors. Backup file created each run. | |
+| 1.4 | Migration backs up DB | Run `node migrate-audit-log.js` | Backup file `cve_database_backup_<timestamp>.db` created in backend directory | |
+| 1.5 | Setup summary updated | Run `node setup.js` | Console output lists `audit_logs` in the tables line | |
+
+---
+
+## 2. Authentication Audit Logging
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 2.1 | Successful login logged | Log in as `admin`. Query `SELECT * FROM audit_logs WHERE action='login' ORDER BY id DESC LIMIT 1` | Row with user_id=admin's ID, username='admin', action='login', entity_type='auth', details contains `{"role":"admin"}`, ip_address populated | |
+| 2.2 | Failed login - wrong password | Attempt login with `admin` / `wrongpass`. Query audit_logs. | Row with action='login_failed', username='admin', details contains `{"reason":"invalid_password"}` | |
+| 2.3 | Failed login - unknown user | Attempt login with `nonexistent` / `anypass`. Query audit_logs. | Row with action='login_failed', user_id=NULL, username='nonexistent', details contains `{"reason":"user_not_found"}` | |
+| 2.4 | Failed login - disabled account | Disable a user account via admin, then attempt login as that user. Query audit_logs. | Row with action='login_failed', details contains `{"reason":"account_disabled"}` | |
+| 2.5 | Logout logged | Log in as admin, then log out. Query audit_logs. | Row with action='logout', entity_type='auth', username='admin' | |
+| 2.6 | Login does not block on audit error | Verify login succeeds even if audit_logs table had issues (non-critical path) | Login response returns normally regardless of audit insert result | |
+
+---
+
+## 3. CVE Operation Audit Logging
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 3.1 | CVE create logged | Log in as editor or admin. Add a new CVE (e.g., CVE-2025-TEST-1 / Microsoft / Critical). Query audit_logs. | Row with action='cve_create', entity_type='cve', entity_id='CVE-2025-TEST-1', details contains `{"vendor":"Microsoft","severity":"Critical"}` | |
+| 3.2 | CVE status update logged | Update a CVE's status to "Addressed" via the API (`PATCH /api/cves/CVE-2025-TEST-1/status`). Query audit_logs. | Row with action='cve_update_status', entity_id='CVE-2025-TEST-1', details contains `{"status":"Addressed"}` | |
+| 3.3 | CVE status update bug fix | Update a CVE's status. Verify the CVE record in the `cves` table. | Status is correctly updated. No SQL error (the old `vendor` reference bug is fixed). | |
+| 3.4 | Audit captures acting user | Log in as `editor1`, create a CVE. Query audit_logs. | username='editor1' on the cve_create row | |
+
+---
+
+## 4. Document Operation Audit Logging
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 4.1 | Document upload logged | Upload a document to a CVE via the UI. Query audit_logs. | Row with action='document_upload', entity_type='document', entity_id=CVE ID, details contains vendor, type, and filename | |
+| 4.2 | Document delete logged | Delete a document (admin only) via the UI. Query audit_logs. | Row with action='document_delete', entity_type='document', entity_id=document DB ID, details contains file_path | |
+| 4.3 | Upload captures file metadata | Upload a file named `advisory.pdf` of type `advisory` for vendor `Cisco`. Query audit_logs. | details = `{"vendor":"Cisco","type":"advisory","filename":"advisory.pdf"}` | |
+
+---
+
+## 5. User Management Audit Logging
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 5.1 | User create logged | As admin, create a new user `testuser` with role `viewer`. Query audit_logs. | Row with action='user_create', entity_type='user', entity_id=new user's ID, details contains `{"created_username":"testuser","role":"viewer"}` | |
+| 5.2 | User update logged | As admin, change `testuser`'s role to `editor`. Query audit_logs. | Row with action='user_update', entity_id=testuser's ID, details contains `{"role":"editor"}` | |
+| 5.3 | User update - password change | As admin, change `testuser`'s password. Query audit_logs. | details contains `{"password_changed":true}` (password itself is NOT logged) | |
+| 5.4 | User update - multiple fields | Change username and role at the same time. Query audit_logs. | details contains both changed fields | |
+| 5.5 | User delete logged | As admin, delete `testuser`. Query audit_logs. | Row with action='user_delete', details contains `{"deleted_username":"testuser"}` | |
+| 5.6 | User deactivation logged | As admin, set a user's is_active to false. Query audit_logs. | Row with action='user_update', details contains `{"is_active":false}` | |
+| 5.7 | Self-delete prevented, no log | As admin, attempt to delete your own account. Query audit_logs. | 400 error returned. NO audit_log entry created for the attempt. | |
+
+---
+
+## 6. API Access Control
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 6.1 | Admin can query audit logs | Log in as admin. `GET /api/audit-logs`. | 200 response with logs array and pagination object | |
+| 6.2 | Editor denied audit logs | Log in as editor. `GET /api/audit-logs`. | 403 response with `{"error":"Insufficient permissions"}` | |
+| 6.3 | Viewer denied audit logs | Log in as viewer. `GET /api/audit-logs`. | 403 response | |
+| 6.4 | Unauthenticated denied | Without a session cookie, `GET /api/audit-logs`. | 401 response | |
+| 6.5 | Admin can get actions list | `GET /api/audit-logs/actions` as admin. | 200 response with array of distinct action strings | |
+| 6.6 | Non-admin denied actions list | `GET /api/audit-logs/actions` as editor. | 403 response | |
+
+---
+
+## 7. API Filtering & Pagination
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 7.1 | Default pagination | `GET /api/audit-logs` (no params). | Returns up to 25 entries, page=1, correct total count and totalPages | |
+| 7.2 | Custom page size | `GET /api/audit-logs?limit=5`. | Returns exactly 5 entries (if >= 5 exist). Pagination reflects limit=5. | |
+| 7.3 | Page size capped at 100 | `GET /api/audit-logs?limit=999`. | Returns at most 100 entries per page | |
+| 7.4 | Navigate to page 2 | `GET /api/audit-logs?page=2&limit=5`. | Returns entries 6-10 (offset=5). Entries differ from page 1. | |
+| 7.5 | Filter by username | `GET /api/audit-logs?user=admin`. | Only entries where username contains "admin" | |
+| 7.6 | Partial username match | `GET /api/audit-logs?user=adm`. | Matches "admin" (LIKE search) | |
+| 7.7 | Filter by action | `GET /api/audit-logs?action=login`. | Only entries with action='login' (exact match) | |
+| 7.8 | Filter by entity type | `GET /api/audit-logs?entityType=auth`. | Only auth-related entries | |
+| 7.9 | Filter by date range | `GET /api/audit-logs?startDate=2025-01-01&endDate=2025-12-31`. | Only entries within the date range (inclusive) | |
+| 7.10 | Combined filters | `GET /api/audit-logs?user=admin&action=login&entityType=auth`. | Only entries matching ALL filters simultaneously | |
+| 7.11 | Empty result set | `GET /api/audit-logs?user=nonexistentuser`. | `{"logs":[],"pagination":{"page":1,"limit":25,"total":0,"totalPages":0}}` | |
+| 7.12 | Ordering | Query audit logs without filters. | Entries ordered by created_at DESC (newest first) | |
+
+---
+
+## 8. Frontend - Audit Log Menu Access
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 8.1 | Admin sees Audit Log menu item | Log in as admin. Click user avatar to open dropdown menu. | "Audit Log" option visible with clock icon, positioned between "Manage Users" and "Sign Out" | |
+| 8.2 | Editor does NOT see Audit Log | Log in as editor. Click user avatar. | No "Audit Log" or "Manage Users" options visible | |
+| 8.3 | Viewer does NOT see Audit Log | Log in as viewer. Click user avatar. | No "Audit Log" or "Manage Users" options visible | |
+| 8.4 | Clicking Audit Log opens modal | As admin, click "Audit Log" in the menu. | Modal overlay appears with audit log table. Menu dropdown closes. | |
+| 8.5 | Menu closes on outside click | Open the user menu, then click outside the dropdown. | Dropdown closes | |
+
+---
+
+## 9. Frontend - Audit Log Modal
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 9.1 | Modal displays header | Open the Audit Log modal. | Title "Audit Log", subtitle "Track all user actions across the system", X close button visible | |
+| 9.2 | Close button works | Click the X button on the modal. | Modal closes, returns to dashboard | |
+| 9.3 | Loading state shown | Open the modal (observe briefly). | Spinner with "Loading audit logs..." appears before data loads | |
+| 9.4 | Table columns correct | Open modal with data present. | Six columns visible: Time, User, Action, Entity, Details, IP Address | |
+| 9.5 | Time formatting | Check the Time column. | Dates display in local format (e.g., "1/29/2026, 3:45:00 PM"), not raw ISO strings | |
+| 9.6 | Action badges color-coded | View entries with different action types. | login=green, logout=gray, login_failed=red, cve_create=blue, cve_update_status=yellow, document_upload=purple, document_delete=red, user_create=blue, user_update=yellow, user_delete=red | |
+| 9.7 | Entity column format | View entries with entity_type and entity_id. | Shows "cve CVE-2025-TEST-1" or "auth" (no ID for auth entries) | |
+| 9.8 | Details column formatting | View an entry with JSON details. | Displays "key: value, key: value" format, not raw JSON | |
+| 9.9 | Details truncation | View entry with long details. | Text truncated with ellipsis. Full text visible on hover (title attribute). | |
+| 9.10 | IP address display | View entries. | IP addresses shown in monospace font. Null IPs show "-" | |
+| 9.11 | Empty state | Apply filters that return no results. | "No audit log entries found." message displayed | |
+| 9.12 | Error state | (Simulate: stop backend while modal is open, then apply filters.) | Error icon with error message displayed | |
+
+---
+
+## 10. Frontend - Filters
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 10.1 | Username filter | Type "admin" in username field, click Apply Filters. | Only entries with "admin" in username shown | |
+| 10.2 | Action dropdown populated | Click the Action dropdown. | Lists all distinct actions present in the database (from `/api/audit-logs/actions`) | |
+| 10.3 | Action filter | Select "login" from Action dropdown, click Apply. | Only login entries shown | |
+| 10.4 | Entity type dropdown | Click the Entity Type dropdown. | Lists: auth, cve, document, user | |
+| 10.5 | Entity type filter | Select "cve", click Apply. | Only CVE-related entries shown | |
+| 10.6 | Date range filter | Set start date to today, set end date to today, click Apply. | Only entries from today shown | |
+| 10.7 | Combined filters | Set username="admin", action="login", click Apply. | Only admin login entries shown | |
+| 10.8 | Reset button | Set multiple filters, click Reset. | All filter fields cleared. (Note: table does not auto-refresh until Apply is clicked again.) | |
+| 10.9 | Apply after reset | Click Reset, then click Apply Filters. | Full unfiltered results shown | |
+| 10.10 | Filter resets to page 1 | Navigate to page 2, then apply a filter. | Results start from page 1 | |
+
+---
+
+## 11. Frontend - Pagination
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 11.1 | Pagination info displayed | Open modal with >25 entries. | Shows "Showing 1 - 25 of N entries" and "Page 1 of X" | |
+| 11.2 | Next page button | Click the right chevron. | Page advances. Entry range updates. "Page 2 of X" shown. | |
+| 11.3 | Previous page button | Navigate to page 2, then click left chevron. | Returns to page 1 | |
+| 11.4 | First page - prev disabled | On page 1, check left chevron. | Button is disabled (grayed out, not clickable) | |
+| 11.5 | Last page - next disabled | Navigate to the last page. | Right chevron is disabled | |
+| 11.6 | Pagination hidden for few entries | Open modal with <= 25 total entries. | No pagination controls shown (totalPages <= 1) | |
+| 11.7 | Entry count accuracy | Compare "Showing X - Y of Z" with actual table rows. | Row count matches Y - X + 1. Total Z matches database count. | |
+
+---
+
+## 12. Fire-and-Forget Behavior
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 12.1 | Audit failure does not break login | (Requires code-level test or corrupting audit_logs table temporarily.) Rename audit_logs table, attempt login. | Login succeeds. Console shows "Audit log error:" message. | |
+| 12.2 | Audit failure does not break CVE create | With corrupted audit table, create a CVE. | CVE created successfully. Error logged to console only. | |
+| 12.3 | Response not delayed by audit | Create a CVE and observe response time. | Response returns immediately; audit insert is non-blocking. | |
+
+---
+
+## 13. Data Integrity
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 13.1 | Audit survives user deletion | Create user, perform actions, delete user. Query audit_logs for that username. | Audit entries remain with the username preserved (denormalized). No foreign key cascade. | |
+| 13.2 | Details stored as valid JSON | Query `SELECT details FROM audit_logs WHERE details IS NOT NULL LIMIT 5`. Parse each. | All non-null details values are valid JSON strings | |
+| 13.3 | IP address captured | Query entries created via browser. | ip_address field contains the client IP (e.g., `::1` for localhost or `127.0.0.1`) | |
+| 13.4 | Timestamps auto-populated | Query entries without explicitly setting created_at. | All rows have a created_at value, not NULL | |
+| 13.5 | Null entity_id for auth actions | Query `SELECT * FROM audit_logs WHERE entity_type='auth'`. | entity_id is NULL for login/logout/login_failed entries | |
+
+---
+
+## 14. End-to-End Workflow
+
+| # | Test Case | Steps | Expected Result | Pass/Fail |
+|---|-----------|-------|-----------------|-----------|
+| 14.1 | Full user lifecycle | 1. Admin logs in 2. Creates user "testuser2" 3. testuser2 logs in 4. testuser2 creates a CVE 5. Admin updates testuser2's role 6. Admin deletes testuser2 7. Open Audit Log and review | All 6 actions visible in the audit log in reverse chronological order. Each entry has correct user, action, entity, and details. | |
+| 14.2 | Filter down to one user's actions | Perform test 14.1, then filter by username="testuser2". | Only testuser2's own actions shown (login, cve_create). Admin actions on testuser2 show admin as the actor. | |
+| 14.3 | Security audit trail | Attempt 3 failed logins with wrong password, then succeed. Open Audit Log, filter action="login_failed". | All 3 failed attempts visible with timestamps and IP addresses. Useful for detecting brute force. | |
+
+---
+
+## Test Summary
+
+| Section | Tests | Description |
+|---------|-------|-------------|
+| 1. Database & Schema | 5 | Table creation, indexes, migration idempotency |
+| 2. Auth Logging | 6 | Login success/failure variants, logout |
+| 3. CVE Logging | 4 | Create, status update, bug fix verification |
+| 4. Document Logging | 3 | Upload, delete, metadata capture |
+| 5. User Mgmt Logging | 7 | Create, update, delete, edge cases |
+| 6. API Access Control | 6 | Admin-only enforcement on all endpoints |
+| 7. API Filtering | 12 | Pagination, filters, combined queries |
+| 8. Menu Access | 5 | Role-based UI visibility |
+| 9. Modal Display | 12 | Table rendering, formatting, states |
+| 10. Frontend Filters | 10 | Filter UI interaction and behavior |
+| 11. Pagination UI | 7 | Navigation, boundary conditions |
+| 12. Fire-and-Forget | 3 | Non-blocking audit behavior |
+| 13. Data Integrity | 5 | Denormalization, JSON, timestamps |
+| 14. End-to-End | 3 | Full workflow validation |
+| **Total** | **88** | |

architecture.excalidraw

@@ -0,0 +1,838 @@
+{
+  "type": "excalidraw",
+  "version": 2,
+  "source": "https://excalidraw.com",
+  "elements": [
+    {
+      "id": "title-text",
+      "type": "text",
+      "x": 400,
+      "y": 30,
+      "width": 400,
+      "height": 45,
+      "angle": 0,
+      "strokeColor": "#1971c2",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 1,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "CVE Dashboard Architecture",
+      "fontSize": 36,
+      "fontFamily": 1,
+      "textAlign": "center",
+      "verticalAlign": "top",
+      "baseline": 32,
+      "containerId": null,
+      "originalText": "CVE Dashboard Architecture"
+    },
+    {
+      "id": "users-box",
+      "type": "ellipse",
+      "x": 500,
+      "y": 120,
+      "width": 200,
+      "height": 80,
+      "angle": 0,
+      "strokeColor": "#1971c2",
+      "backgroundColor": "#e7f5ff",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 2,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": [
+        {
+          "type": "text",
+          "id": "users-text"
+        },
+        {
+          "id": "arrow-users-frontend",
+          "type": "arrow"
+        }
+      ],
+      "updated": 1,
+      "link": null,
+      "locked": false
+    },
+    {
+      "id": "users-text",
+      "type": "text",
+      "x": 505,
+      "y": 145,
+      "width": 190,
+      "height": 30,
+      "angle": 0,
+      "strokeColor": "#1971c2",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 3,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "Users\n(Admin/Editor/Viewer)",
+      "fontSize": 16,
+      "fontFamily": 1,
+      "textAlign": "center",
+      "verticalAlign": "middle",
+      "baseline": 23,
+      "containerId": "users-box",
+      "originalText": "Users\n(Admin/Editor/Viewer)"
+    },
+    {
+      "id": "frontend-box",
+      "type": "rectangle",
+      "x": 450,
+      "y": 250,
+      "width": 300,
+      "height": 120,
+      "angle": 0,
+      "strokeColor": "#1971c2",
+      "backgroundColor": "#a5d8ff",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 4,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": [
+        {
+          "type": "text",
+          "id": "frontend-text"
+        },
+        {
+          "id": "arrow-users-frontend",
+          "type": "arrow"
+        },
+        {
+          "id": "arrow-frontend-backend",
+          "type": "arrow"
+        }
+      ],
+      "updated": 1,
+      "link": null,
+      "locked": false
+    },
+    {
+      "id": "frontend-text",
+      "type": "text",
+      "x": 455,
+      "y": 255,
+      "width": 290,
+      "height": 110,
+      "angle": 0,
+      "strokeColor": "#1971c2",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 5,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "Frontend (React)\nPort: 3000\n\n• React 18 + Tailwind CSS\n• Auth Context\n• Components: Login, UserMenu,\n  UserManagement, CVE Views",
+      "fontSize": 14,
+      "fontFamily": 1,
+      "textAlign": "left",
+      "verticalAlign": "middle",
+      "baseline": 103,
+      "containerId": "frontend-box",
+      "originalText": "Frontend (React)\nPort: 3000\n\n• React 18 + Tailwind CSS\n• Auth Context\n• Components: Login, UserMenu,\n  UserManagement, CVE Views"
+    },
+    {
+      "id": "backend-box",
+      "type": "rectangle",
+      "x": 400,
+      "y": 420,
+      "width": 400,
+      "height": 180,
+      "angle": 0,
+      "strokeColor": "#7048e8",
+      "backgroundColor": "#d0bfff",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 6,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": [
+        {
+          "type": "text",
+          "id": "backend-text"
+        },
+        {
+          "id": "arrow-frontend-backend",
+          "type": "arrow"
+        },
+        {
+          "id": "arrow-backend-db",
+          "type": "arrow"
+        },
+        {
+          "id": "arrow-backend-storage",
+          "type": "arrow"
+        },
+        {
+          "id": "arrow-backend-nvd",
+          "type": "arrow"
+        }
+      ],
+      "updated": 1,
+      "link": null,
+      "locked": false
+    },
+    {
+      "id": "backend-text",
+      "type": "text",
+      "x": 405,
+      "y": 425,
+      "width": 390,
+      "height": 170,
+      "angle": 0,
+      "strokeColor": "#7048e8",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 7,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "Backend API (Express.js)\nPort: 3001\n\nRoutes:\n• /api/auth - Authentication (login/logout)\n• /api/users - User management\n• /api/cves - CVE operations\n• /api/documents - Document upload/download\n• /api/audit-log - Audit logging\n• /api/nvd-lookup - NVD integration",
+      "fontSize": 14,
+      "fontFamily": 1,
+      "textAlign": "left",
+      "verticalAlign": "middle",
+      "baseline": 163,
+      "containerId": "backend-box",
+      "originalText": "Backend API (Express.js)\nPort: 3001\n\nRoutes:\n• /api/auth - Authentication (login/logout)\n• /api/users - User management\n• /api/cves - CVE operations\n• /api/documents - Document upload/download\n• /api/audit-log - Audit logging\n• /api/nvd-lookup - NVD integration"
+    },
+    {
+      "id": "db-box",
+      "type": "rectangle",
+      "x": 200,
+      "y": 680,
+      "width": 280,
+      "height": 140,
+      "angle": 0,
+      "strokeColor": "#2f9e44",
+      "backgroundColor": "#b2f2bb",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 8,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": [
+        {
+          "type": "text",
+          "id": "db-text"
+        },
+        {
+          "id": "arrow-backend-db",
+          "type": "arrow"
+        }
+      ],
+      "updated": 1,
+      "link": null,
+      "locked": false
+    },
+    {
+      "id": "db-text",
+      "type": "text",
+      "x": 205,
+      "y": 685,
+      "width": 270,
+      "height": 130,
+      "angle": 0,
+      "strokeColor": "#2f9e44",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 9,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "SQLite Database\ncve_database.db\n\nTables:\n• cves\n• documents\n• users\n• sessions\n• required_documents\n• audit_log",
+      "fontSize": 14,
+      "fontFamily": 1,
+      "textAlign": "left",
+      "verticalAlign": "middle",
+      "baseline": 123,
+      "containerId": "db-box",
+      "originalText": "SQLite Database\ncve_database.db\n\nTables:\n• cves\n• documents\n• users\n• sessions\n• required_documents\n• audit_log"
+    },
+    {
+      "id": "storage-box",
+      "type": "rectangle",
+      "x": 550,
+      "y": 680,
+      "width": 280,
+      "height": 140,
+      "angle": 0,
+      "strokeColor": "#f08c00",
+      "backgroundColor": "#ffec99",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 10,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": [
+        {
+          "type": "text",
+          "id": "storage-text"
+        },
+        {
+          "id": "arrow-backend-storage",
+          "type": "arrow"
+        }
+      ],
+      "updated": 1,
+      "link": null,
+      "locked": false
+    },
+    {
+      "id": "storage-text",
+      "type": "text",
+      "x": 555,
+      "y": 685,
+      "width": 270,
+      "height": 130,
+      "angle": 0,
+      "strokeColor": "#f08c00",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 11,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "File Storage\nuploads/\n\nStructure:\nCVE-ID/\n  Vendor/\n    documents.pdf\n\n• Multi-vendor support\n• Timestamped filenames",
+      "fontSize": 14,
+      "fontFamily": 1,
+      "textAlign": "left",
+      "verticalAlign": "middle",
+      "baseline": 123,
+      "containerId": "storage-box",
+      "originalText": "File Storage\nuploads/\n\nStructure:\nCVE-ID/\n  Vendor/\n    documents.pdf\n\n• Multi-vendor support\n• Timestamped filenames"
+    },
+    {
+      "id": "nvd-box",
+      "type": "rectangle",
+      "x": 900,
+      "y": 420,
+      "width": 220,
+      "height": 100,
+      "angle": 0,
+      "strokeColor": "#e03131",
+      "backgroundColor": "#ffc9c9",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 12,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": [
+        {
+          "type": "text",
+          "id": "nvd-text"
+        },
+        {
+          "id": "arrow-backend-nvd",
+          "type": "arrow"
+        }
+      ],
+      "updated": 1,
+      "link": null,
+      "locked": false
+    },
+    {
+      "id": "nvd-text",
+      "type": "text",
+      "x": 905,
+      "y": 425,
+      "width": 210,
+      "height": 90,
+      "angle": 0,
+      "strokeColor": "#e03131",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 13,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "NVD API\n(External)\n\nNational Vulnerability\nDatabase\n\nAutomatic CVE lookup",
+      "fontSize": 14,
+      "fontFamily": 1,
+      "textAlign": "center",
+      "verticalAlign": "middle",
+      "baseline": 83,
+      "containerId": "nvd-box",
+      "originalText": "NVD API\n(External)\n\nNational Vulnerability\nDatabase\n\nAutomatic CVE lookup"
+    },
+    {
+      "id": "arrow-users-frontend",
+      "type": "arrow",
+      "x": 600,
+      "y": 200,
+      "width": 0,
+      "height": 50,
+      "angle": 0,
+      "strokeColor": "#1971c2",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "round",
+      "seed": 14,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "points": [
+        [0, 0],
+        [0, 50]
+      ],
+      "lastCommittedPoint": null,
+      "startBinding": {
+        "elementId": "users-box",
+        "focus": 0,
+        "gap": 1
+      },
+      "endBinding": {
+        "elementId": "frontend-box",
+        "focus": 0,
+        "gap": 1
+      },
+      "startArrowhead": null,
+      "endArrowhead": "arrow",
+      "elbowed": false,
+      "roundness": null
+    },
+    {
+      "id": "arrow-frontend-backend",
+      "type": "arrow",
+      "x": 600,
+      "y": 370,
+      "width": 0,
+      "height": 50,
+      "angle": 0,
+      "strokeColor": "#7048e8",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "round",
+      "seed": 15,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "points": [
+        [0, 0],
+        [0, 50]
+      ],
+      "lastCommittedPoint": null,
+      "startBinding": {
+        "elementId": "frontend-box",
+        "focus": 0,
+        "gap": 1
+      },
+      "endBinding": {
+        "elementId": "backend-box",
+        "focus": 0,
+        "gap": 1
+      },
+      "startArrowhead": null,
+      "endArrowhead": "arrow",
+      "elbowed": false,
+      "roundness": null
+    },
+    {
+      "id": "arrow-backend-db",
+      "type": "arrow",
+      "x": 500,
+      "y": 600,
+      "width": -140,
+      "height": 80,
+      "angle": 0,
+      "strokeColor": "#2f9e44",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "round",
+      "seed": 16,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "points": [
+        [0, 0],
+        [-140, 0],
+        [-140, 80]
+      ],
+      "lastCommittedPoint": null,
+      "startBinding": {
+        "elementId": "backend-box",
+        "focus": 0,
+        "gap": 1
+      },
+      "endBinding": {
+        "elementId": "db-box",
+        "focus": 0,
+        "gap": 1
+      },
+      "startArrowhead": null,
+      "endArrowhead": "arrow",
+      "elbowed": true,
+      "roundness": null
+    },
+    {
+      "id": "arrow-backend-storage",
+      "type": "arrow",
+      "x": 700,
+      "y": 600,
+      "width": 0,
+      "height": 80,
+      "angle": 0,
+      "strokeColor": "#f08c00",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "round",
+      "seed": 17,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "points": [
+        [0, 0],
+        [0, 80]
+      ],
+      "lastCommittedPoint": null,
+      "startBinding": {
+        "elementId": "backend-box",
+        "focus": 0.5,
+        "gap": 1
+      },
+      "endBinding": {
+        "elementId": "storage-box",
+        "focus": 0.5,
+        "gap": 1
+      },
+      "startArrowhead": null,
+      "endArrowhead": "arrow",
+      "elbowed": false,
+      "roundness": null
+    },
+    {
+      "id": "arrow-backend-nvd",
+      "type": "arrow",
+      "x": 800,
+      "y": 480,
+      "width": 100,
+      "height": 0,
+      "angle": 0,
+      "strokeColor": "#e03131",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "round",
+      "seed": 18,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "points": [
+        [0, 0],
+        [100, 0]
+      ],
+      "lastCommittedPoint": null,
+      "startBinding": {
+        "elementId": "backend-box",
+        "focus": 0,
+        "gap": 1
+      },
+      "endBinding": {
+        "elementId": "nvd-box",
+        "focus": 0,
+        "gap": 1
+      },
+      "startArrowhead": null,
+      "endArrowhead": "arrow",
+      "elbowed": false,
+      "roundness": null
+    },
+    {
+      "id": "label-http",
+      "type": "text",
+      "x": 610,
+      "y": 390,
+      "width": 100,
+      "height": 20,
+      "angle": 0,
+      "strokeColor": "#7048e8",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 19,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "HTTP/REST API",
+      "fontSize": 12,
+      "fontFamily": 1,
+      "textAlign": "left",
+      "verticalAlign": "top",
+      "baseline": 17,
+      "containerId": null,
+      "originalText": "HTTP/REST API"
+    },
+    {
+      "id": "label-https",
+      "type": "text",
+      "x": 820,
+      "y": 460,
+      "width": 60,
+      "height": 20,
+      "angle": 0,
+      "strokeColor": "#e03131",
+      "backgroundColor": "transparent",
+      "fillStyle": "solid",
+      "strokeWidth": 2,
+      "strokeStyle": "solid",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 20,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "HTTPS",
+      "fontSize": 12,
+      "fontFamily": 1,
+      "textAlign": "left",
+      "verticalAlign": "top",
+      "baseline": 17,
+      "containerId": null,
+      "originalText": "HTTPS"
+    },
+    {
+      "id": "auth-note",
+      "type": "text",
+      "x": 100,
+      "y": 250,
+      "width": 280,
+      "height": 80,
+      "angle": 0,
+      "strokeColor": "#495057",
+      "backgroundColor": "#f8f9fa",
+      "fillStyle": "solid",
+      "strokeWidth": 1,
+      "strokeStyle": "dashed",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 21,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "Authentication:\n• Session-based auth\n• bcrypt password hashing\n• Role-based access control\n  (Admin/Editor/Viewer)",
+      "fontSize": 12,
+      "fontFamily": 1,
+      "textAlign": "left",
+      "verticalAlign": "top",
+      "baseline": 73,
+      "containerId": null,
+      "originalText": "Authentication:\n• Session-based auth\n• bcrypt password hashing\n• Role-based access control\n  (Admin/Editor/Viewer)"
+    },
+    {
+      "id": "features-note",
+      "type": "text",
+      "x": 900,
+      "y": 580,
+      "width": 280,
+      "height": 120,
+      "angle": 0,
+      "strokeColor": "#495057",
+      "backgroundColor": "#f8f9fa",
+      "fillStyle": "solid",
+      "strokeWidth": 1,
+      "strokeStyle": "dashed",
+      "roughness": 0,
+      "opacity": 100,
+      "groupIds": [],
+      "strokeSharpness": "sharp",
+      "seed": 22,
+      "version": 1,
+      "versionNonce": 1,
+      "isDeleted": false,
+      "boundElements": null,
+      "updated": 1,
+      "link": null,
+      "locked": false,
+      "text": "Key Features:\n• Quick CVE status check\n• Multi-vendor support\n• Document management\n• Compliance tracking\n• Search & filter\n• Audit logging",
+      "fontSize": 12,
+      "fontFamily": 1,
+      "textAlign": "left",
+      "verticalAlign": "top",
+      "baseline": 113,
+      "containerId": null,
+      "originalText": "Key Features:\n• Quick CVE status check\n• Multi-vendor support\n• Document management\n• Compliance tracking\n• Search & filter\n• Audit logging"
+    }
+  ],
+  "appState": {
+    "gridSize": null,
+    "viewBackgroundColor": "#ffffff"
+  },
+  "files": {}
+}

backend/.env.example

@@ -2,3 +2,16 @@
 PORT=3001
 API_HOST=localhost
 CORS_ORIGINS=http://localhost:3000
+
+# NVD API Key (optional - increases rate limit from 5 to 50 requests per 30s)
+# Request one at https://nvd.nist.gov/developers/request-an-api-key
+NVD_API_KEY=
+
+# Ivanti / RiskSense API (platform4.risksense.com)
+# API key from your profile settings — does not expire like session cookies
+IVANTI_API_KEY=
+IVANTI_CLIENT_ID=1550
+IVANTI_FIRST_NAME=
+IVANTI_LAST_NAME=
+# Set to true if behind Charter's SSL inspection proxy (replicates Python verify=False)
+IVANTI_SKIP_TLS=false

backend/helpers/auditLog.js

@@ -0,0 +1,21 @@
+// Audit Log Helper
+// Fire-and-forget insert - never blocks the response
+
+function logAudit(db, { userId, username, action, entityType, entityId, details, ipAddress }) {
+    const detailsStr = details && typeof details === 'object'
+        ? JSON.stringify(details)
+        : details || null;
+
+    db.run(
+        `INSERT INTO audit_logs (user_id, username, action, entity_type, entity_id, details, ip_address)
+         VALUES (?, ?, ?, ?, ?, ?, ?)`,
+        [userId || null, username || 'unknown', action, entityType, entityId || null, detailsStr, ipAddress || null],
+        (err) => {
+            if (err) {
+                console.error('Audit log error:', err.message);
+            }
+        }
+    );
+}
+
+module.exports = logAudit;

backend/helpers/ivantiApi.js

@@ -0,0 +1,154 @@
+// Shared Ivanti / RiskSense API helpers
+// Centralizes HTTP calls so ivantiWorkflows.js, ivantiFindings.js, and
+// ivantiFpWorkflow.js all use the same implementation.
+
+const https = require('https');
+
+const IVANTI_URL_BASE = 'https://platform4.risksense.com/api/v1';
+
+// ---------------------------------------------------------------------------
+// JSON POST — used for search, workflow creation, etc.
+// ---------------------------------------------------------------------------
+function ivantiPost(urlPath, body, apiKey, skipTls) {
+    const bodyStr = JSON.stringify(body);
+    const fullUrl = new URL(IVANTI_URL_BASE + urlPath);
+
+    return new Promise((resolve, reject) => {
+        const options = {
+            hostname: fullUrl.hostname,
+            path: fullUrl.pathname + fullUrl.search,
+            method: 'POST',
+            headers: {
+                'accept': '*/*',
+                'content-type': 'application/json',
+                'x-api-key': apiKey,
+                'x-http-client-type': 'browser',
+                'content-length': Buffer.byteLength(bodyStr)
+            },
+            rejectUnauthorized: !skipTls,
+            timeout: 15000
+        };
+
+        const req = https.request(options, (res) => {
+            let data = '';
+            res.on('data', (chunk) => { data += chunk; });
+            res.on('end', () => resolve({ status: res.statusCode, body: data }));
+        });
+
+        req.on('timeout', () => req.destroy(new Error('Request timed out')));
+        req.on('error', reject);
+        req.write(bodyStr);
+        req.end();
+    });
+}
+
+// ---------------------------------------------------------------------------
+// Multipart POST — used for file attachment uploads.
+// Constructs multipart/form-data manually using Node's https module.
+// ---------------------------------------------------------------------------
+function ivantiMultipartPost(urlPath, fileBuffer, fileName, apiKey, skipTls) {
+    const boundary = '----IvantiUpload' + Date.now().toString(36) + Math.random().toString(36).slice(2);
+    const fullUrl = new URL(IVANTI_URL_BASE + urlPath);
+
+    // Build multipart body
+    const preamble = Buffer.from(
+        `--${boundary}\r\n` +
+        `Content-Disposition: form-data; name="file"; filename="${fileName}"\r\n` +
+        `Content-Type: application/octet-stream\r\n\r\n`
+    );
+    const epilogue = Buffer.from(`\r\n--${boundary}--\r\n`);
+    const bodyBuffer = Buffer.concat([preamble, fileBuffer, epilogue]);
+
+    return new Promise((resolve, reject) => {
+        const options = {
+            hostname: fullUrl.hostname,
+            path: fullUrl.pathname + fullUrl.search,
+            method: 'POST',
+            headers: {
+                'accept': '*/*',
+                'content-type': `multipart/form-data; boundary=${boundary}`,
+                'x-api-key': apiKey,
+                'x-http-client-type': 'browser',
+                'content-length': bodyBuffer.length
+            },
+            rejectUnauthorized: !skipTls,
+            timeout: 30000
+        };
+
+        const req = https.request(options, (res) => {
+            let data = '';
+            res.on('data', (chunk) => { data += chunk; });
+            res.on('end', () => resolve({ status: res.statusCode, body: data }));
+        });
+
+        req.on('timeout', () => req.destroy(new Error('Request timed out')));
+        req.on('error', reject);
+        req.write(bodyBuffer);
+        req.end();
+    });
+}
+
+// ---------------------------------------------------------------------------
+// Multipart form POST — used for endpoints that accept mixed form fields + files.
+// fields: array of { name, value } for text form fields
+// files:  array of { name, buffer, filename } for file uploads
+// ---------------------------------------------------------------------------
+function ivantiFormPost(urlPath, fields, files, apiKey, skipTls) {
+    const boundary = '----IvantiForm' + Date.now().toString(36) + Math.random().toString(36).slice(2);
+    const fullUrl = new URL(IVANTI_URL_BASE + urlPath);
+
+    const parts = [];
+
+    // Text fields
+    for (const { name, value } of fields) {
+        parts.push(Buffer.from(
+            `--${boundary}\r\n` +
+            `Content-Disposition: form-data; name="${name}"\r\n\r\n` +
+            `${value}\r\n`
+        ));
+    }
+
+    // File fields
+    for (const { name, buffer, filename } of files) {
+        parts.push(Buffer.from(
+            `--${boundary}\r\n` +
+            `Content-Disposition: form-data; name="${name}"; filename="${filename}"\r\n` +
+            `Content-Type: application/octet-stream\r\n\r\n`
+        ));
+        parts.push(buffer);
+        parts.push(Buffer.from('\r\n'));
+    }
+
+    parts.push(Buffer.from(`--${boundary}--\r\n`));
+    const bodyBuffer = Buffer.concat(parts);
+
+    return new Promise((resolve, reject) => {
+        const options = {
+            hostname: fullUrl.hostname,
+            path: fullUrl.pathname + fullUrl.search,
+            method: 'POST',
+            headers: {
+                'accept': '*/*',
+                'content-type': `multipart/form-data; boundary=${boundary}`,
+                'x-api-key': apiKey,
+                'x-http-client-type': 'browser',
+                'content-length': bodyBuffer.length
+            },
+            rejectUnauthorized: !skipTls,
+            timeout: 60000
+        };
+
+        const req = https.request(options, (res) => {
+            let data = '';
+            res.on('data', (chunk) => { data += chunk; });
+            res.on('end', () => resolve({ status: res.statusCode, body: data }));
+        });
+
+        req.on('timeout', () => req.destroy(new Error('Request timed out')));
+        req.on('error', reject);
+        req.write(bodyBuffer);
+        req.end();
+    });
+}
+
+module.exports = { IVANTI_URL_BASE, ivantiPost, ivantiMultipartPost, ivantiFormPost };

backend/middleware/auth.js

@@ -12,7 +12,7 @@ function requireAuth(db) {
         try {
             const session = await new Promise((resolve, reject) => {
                 db.get(
-                    `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.is_active
+                    `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.user_group, u.is_active
                      FROM sessions s
                      JOIN users u ON s.user_id = u.id
                      WHERE s.session_id = ? AND s.expires_at > datetime('now')`,
@@ -37,7 +37,8 @@ function requireAuth(db) {
                 id: session.user_id,
                 username: session.username,
                 email: session.email,
-                role: session.role
+                role: session.role,
+                group: session.user_group
             };
 
             next();
@@ -48,18 +49,18 @@ function requireAuth(db) {
     };
 }
 
-// Require specific role(s)
-function requireRole(...allowedRoles) {
+// Require specific group(s)
+function requireGroup(...allowedGroups) {
     return (req, res, next) => {
         if (!req.user) {
             return res.status(401).json({ error: 'Authentication required' });
         }
 
-        if (!allowedRoles.includes(req.user.role)) {
+        if (!allowedGroups.includes(req.user.group)) {
             return res.status(403).json({
                 error: 'Insufficient permissions',
-                required: allowedRoles,
-                current: req.user.role
+                required: allowedGroups,
+                current: req.user.group
             });
         }
 
@@ -67,4 +68,4 @@ function requireRole(...allowedRoles) {
     };
 }
 
-module.exports = { requireAuth, requireRole };
+module.exports = { requireAuth, requireGroup };

backend/migrate-audit-log.js

@@ -0,0 +1,96 @@
+#!/usr/bin/env node
+// Migration script: Add audit_logs table
+// Run: node migrate-audit-log.js
+
+const sqlite3 = require('sqlite3').verbose();
+const fs = require('fs');
+
+const DB_FILE = './cve_database.db';
+const BACKUP_FILE = `./cve_database_backup_${Date.now()}.db`;
+
+function run(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.run(sql, params, function(err) {
+            if (err) reject(err);
+            else resolve(this);
+        });
+    });
+}
+
+function get(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.get(sql, params, (err, row) => {
+            if (err) reject(err);
+            else resolve(row);
+        });
+    });
+}
+
+async function migrate() {
+    console.log('╔════════════════════════════════════════════════════════╗');
+    console.log('║       CVE Database Migration: Add Audit Logs          ║');
+    console.log('╚════════════════════════════════════════════════════════╝\n');
+
+    if (!fs.existsSync(DB_FILE)) {
+        console.log('❌ Database not found. Run setup.js for fresh install.');
+        process.exit(1);
+    }
+
+    // Backup database
+    console.log('📦 Creating backup...');
+    fs.copyFileSync(DB_FILE, BACKUP_FILE);
+    console.log(`   ✓ Backup saved to: ${BACKUP_FILE}\n`);
+
+    const db = new sqlite3.Database(DB_FILE);
+
+    try {
+        // Check if table already exists
+        const exists = await get(db,
+            "SELECT name FROM sqlite_master WHERE type='table' AND name='audit_logs'"
+        );
+
+        if (exists) {
+            console.log('⏭️  audit_logs table already exists, nothing to do.');
+        } else {
+            console.log('1️⃣  Creating audit_logs table...');
+            await run(db, `
+                CREATE TABLE audit_logs (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    user_id INTEGER,
+                    username VARCHAR(50) NOT NULL,
+                    action VARCHAR(50) NOT NULL,
+                    entity_type VARCHAR(50) NOT NULL,
+                    entity_id VARCHAR(100),
+                    details TEXT,
+                    ip_address VARCHAR(45),
+                    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+                )
+            `);
+            console.log('   ✓ Table created');
+
+            console.log('2️⃣  Creating indexes...');
+            await run(db, 'CREATE INDEX IF NOT EXISTS idx_audit_user_id ON audit_logs(user_id)');
+            await run(db, 'CREATE INDEX IF NOT EXISTS idx_audit_action ON audit_logs(action)');
+            await run(db, 'CREATE INDEX IF NOT EXISTS idx_audit_entity_type ON audit_logs(entity_type)');
+            await run(db, 'CREATE INDEX IF NOT EXISTS idx_audit_created_at ON audit_logs(created_at)');
+            console.log('   ✓ Indexes created');
+        }
+
+        console.log('\n╔════════════════════════════════════════════════════════╗');
+        console.log('║            MIGRATION COMPLETE!                         ║');
+        console.log('╚════════════════════════════════════════════════════════╝');
+        console.log('\n📋 Summary:');
+        console.log('   ✓ audit_logs table ready');
+        console.log(`\n💾 Backup saved: ${BACKUP_FILE}`);
+        console.log('\n🚀 Restart your server to apply changes.\n');
+
+    } catch (error) {
+        console.error('\n❌ Migration failed:', error.message);
+        console.log(`\n🔄 To restore from backup: cp ${BACKUP_FILE} ${DB_FILE}`);
+        process.exit(1);
+    } finally {
+        db.close();
+    }
+}
+
+migrate();

backend/migrate-to-1.1.js

@@ -0,0 +1,289 @@
+#!/usr/bin/env node
+// Migration script: v1.0.0 -> v1.1.0
+// Adds: users, sessions tables, multi-vendor support, vendor column in documents
+// Run: node migrate-to-1.1.js
+
+const sqlite3 = require('sqlite3').verbose();
+const bcrypt = require('bcryptjs');
+const fs = require('fs');
+const path = require('path');
+
+const DB_FILE = './cve_database.db';
+const BACKUP_FILE = `./cve_database_backup_${Date.now()}.db`;
+
+async function migrate() {
+    console.log('╔════════════════════════════════════════════════════════╗');
+    console.log('║       CVE Database Migration: v1.0.0 → v1.1.0          ║');
+    console.log('╚════════════════════════════════════════════════════════╝\n');
+
+    // Check if database exists
+    if (!fs.existsSync(DB_FILE)) {
+        console.log('❌ Database not found. Run setup.js for fresh install.');
+        process.exit(1);
+    }
+
+    // Backup database
+    console.log('📦 Creating backup...');
+    fs.copyFileSync(DB_FILE, BACKUP_FILE);
+    console.log(`   ✓ Backup saved to: ${BACKUP_FILE}\n`);
+
+    const db = new sqlite3.Database(DB_FILE);
+
+    try {
+        // Run migrations in sequence
+        await addUsersTable(db);
+        await addSessionsTable(db);
+        await addVendorToDocuments(db);
+        await updateCvesConstraint(db);
+        await createDefaultAdmin(db);
+        await updateView(db);
+
+        console.log('\n╔════════════════════════════════════════════════════════╗');
+        console.log('║            MIGRATION COMPLETE!                         ║');
+        console.log('╚════════════════════════════════════════════════════════╝');
+        console.log('\n📋 Summary:');
+        console.log('   ✓ Users table added');
+        console.log('   ✓ Sessions table added');
+        console.log('   ✓ Vendor column added to documents');
+        console.log('   ✓ Multi-vendor constraint applied to cves');
+        console.log('   ✓ Default admin user created (admin/admin123)');
+        console.log(`\n💾 Backup saved: ${BACKUP_FILE}`);
+        console.log('\n🚀 Restart your server to apply changes.\n');
+
+    } catch (error) {
+        console.error('\n❌ Migration failed:', error.message);
+        console.log(`\n🔄 To restore from backup: cp ${BACKUP_FILE} ${DB_FILE}`);
+        process.exit(1);
+    } finally {
+        db.close();
+    }
+}
+
+function run(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.run(sql, params, function(err) {
+            if (err) reject(err);
+            else resolve(this);
+        });
+    });
+}
+
+function get(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.get(sql, params, (err, row) => {
+            if (err) reject(err);
+            else resolve(row);
+        });
+    });
+}
+
+function all(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.all(sql, params, (err, rows) => {
+            if (err) reject(err);
+            else resolve(rows);
+        });
+    });
+}
+
+async function addUsersTable(db) {
+    console.log('1️⃣  Adding users table...');
+
+    const exists = await get(db,
+        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
+    );
+
+    if (exists) {
+        console.log('   ⏭️  Users table already exists, skipping');
+        return;
+    }
+
+    await run(db, `
+        CREATE TABLE users (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            username VARCHAR(50) UNIQUE NOT NULL,
+            email VARCHAR(255) UNIQUE NOT NULL,
+            password_hash VARCHAR(255) NOT NULL,
+            role VARCHAR(20) NOT NULL DEFAULT 'viewer',
+            is_active BOOLEAN DEFAULT 1,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            last_login TIMESTAMP,
+            CHECK (role IN ('admin', 'editor', 'viewer'))
+        )
+    `);
+
+    await run(db, 'CREATE INDEX IF NOT EXISTS idx_users_username ON users(username)');
+    console.log('   ✓ Users table created');
+}
+
+async function addSessionsTable(db) {
+    console.log('2️⃣  Adding sessions table...');
+
+    const exists = await get(db,
+        "SELECT name FROM sqlite_master WHERE type='table' AND name='sessions'"
+    );
+
+    if (exists) {
+        console.log('   ⏭️  Sessions table already exists, skipping');
+        return;
+    }
+
+    await run(db, `
+        CREATE TABLE sessions (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            session_id VARCHAR(255) UNIQUE NOT NULL,
+            user_id INTEGER NOT NULL,
+            expires_at TIMESTAMP NOT NULL,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        )
+    `);
+
+    await run(db, 'CREATE INDEX IF NOT EXISTS idx_sessions_session_id ON sessions(session_id)');
+    await run(db, 'CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON sessions(user_id)');
+    await run(db, 'CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at)');
+    console.log('   ✓ Sessions table created');
+}
+
+async function addVendorToDocuments(db) {
+    console.log('3️⃣  Adding vendor column to documents...');
+
+    // Check if vendor column exists
+    const columns = await all(db, "PRAGMA table_info(documents)");
+    const hasVendor = columns.some(col => col.name === 'vendor');
+
+    if (hasVendor) {
+        console.log('   ⏭️  Vendor column already exists, skipping');
+        return;
+    }
+
+    // Add vendor column
+    await run(db, "ALTER TABLE documents ADD COLUMN vendor VARCHAR(100)");
+
+    // Populate vendor from the cves table based on cve_id
+    await run(db, `
+        UPDATE documents
+        SET vendor = (
+            SELECT c.vendor
+            FROM cves c
+            WHERE c.cve_id = documents.cve_id
+            LIMIT 1
+        )
+        WHERE vendor IS NULL
+    `);
+
+    // Set default for any remaining nulls
+    await run(db, "UPDATE documents SET vendor = 'Unknown' WHERE vendor IS NULL");
+
+    await run(db, 'CREATE INDEX IF NOT EXISTS idx_doc_vendor ON documents(vendor)');
+    console.log('   ✓ Vendor column added and populated');
+}
+
+async function updateCvesConstraint(db) {
+    console.log('4️⃣  Updating CVEs table for multi-vendor support...');
+
+    // Check current schema
+    const tableInfo = await get(db,
+        "SELECT sql FROM sqlite_master WHERE type='table' AND name='cves'"
+    );
+
+    if (tableInfo.sql.includes('UNIQUE(cve_id, vendor)')) {
+        console.log('   ⏭️  Multi-vendor constraint already exists, skipping');
+        return;
+    }
+
+    // SQLite doesn't support ALTER CONSTRAINT, so we need to rebuild the table
+    console.log('   📋 Rebuilding table with new constraint...');
+
+    // Create new table with correct schema
+    await run(db, `
+        CREATE TABLE cves_new (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            cve_id VARCHAR(20) NOT NULL,
+            vendor VARCHAR(100) NOT NULL,
+            severity VARCHAR(20) NOT NULL,
+            description TEXT,
+            published_date DATE,
+            status VARCHAR(50) DEFAULT 'Open',
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            UNIQUE(cve_id, vendor)
+        )
+    `);
+
+    // Copy data
+    await run(db, `
+        INSERT INTO cves_new (id, cve_id, vendor, severity, description, published_date, status, created_at, updated_at)
+        SELECT id, cve_id, vendor, severity, description, published_date, status, created_at, updated_at
+        FROM cves
+    `);
+
+    // Drop old table
+    await run(db, 'DROP TABLE cves');
+
+    // Rename new table
+    await run(db, 'ALTER TABLE cves_new RENAME TO cves');
+
+    // Recreate indexes
+    await run(db, 'CREATE INDEX IF NOT EXISTS idx_cve_id ON cves(cve_id)');
+    await run(db, 'CREATE INDEX IF NOT EXISTS idx_vendor ON cves(vendor)');
+    await run(db, 'CREATE INDEX IF NOT EXISTS idx_severity ON cves(severity)');
+    await run(db, 'CREATE INDEX IF NOT EXISTS idx_status ON cves(status)');
+
+    console.log('   ✓ Multi-vendor constraint applied');
+}
+
+async function createDefaultAdmin(db) {
+    console.log('5️⃣  Creating default admin user...');
+
+    const exists = await get(db, "SELECT id FROM users WHERE username = 'admin'");
+
+    if (exists) {
+        console.log('   ⏭️  Admin user already exists, skipping');
+        return;
+    }
+
+    const passwordHash = await bcrypt.hash('admin123', 10);
+
+    await run(db, `
+        INSERT INTO users (username, email, password_hash, role, is_active)
+        VALUES (?, ?, ?, ?, ?)
+    `, ['admin', 'admin@localhost', passwordHash, 'admin', 1]);
+
+    console.log('   ✓ Admin user created (admin/admin123)');
+}
+
+async function updateView(db) {
+    console.log('6️⃣  Updating document status view...');
+
+    // Drop old view if exists
+    await run(db, 'DROP VIEW IF EXISTS cve_document_status');
+
+    // Create updated view with multi-vendor support
+    await run(db, `
+        CREATE VIEW cve_document_status AS
+        SELECT
+            c.id as record_id,
+            c.cve_id,
+            c.vendor,
+            c.severity,
+            c.status,
+            COUNT(DISTINCT d.id) as total_documents,
+            COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) as advisory_count,
+            COUNT(DISTINCT CASE WHEN d.type = 'email' THEN d.id END) as email_count,
+            COUNT(DISTINCT CASE WHEN d.type = 'screenshot' THEN d.id END) as screenshot_count,
+            CASE
+                WHEN COUNT(DISTINCT CASE WHEN d.type = 'advisory' THEN d.id END) > 0
+                THEN 'Complete'
+                ELSE 'Missing Required Docs'
+            END as compliance_status
+        FROM cves c
+        LEFT JOIN documents d ON c.cve_id = d.cve_id AND c.vendor = d.vendor
+        GROUP BY c.id, c.cve_id, c.vendor, c.severity, c.status
+    `);
+
+    console.log('   ✓ View updated');
+}
+
+// Run migration
+migrate();

backend/migrate_jira_tickets.js

@@ -0,0 +1,39 @@
+// Migration: Add jira_tickets table
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting JIRA tickets migration...');
+
+db.serialize(() => {
+  // Create jira_tickets table
+  db.run(`
+    CREATE TABLE IF NOT EXISTS jira_tickets (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      cve_id TEXT NOT NULL,
+      vendor TEXT NOT NULL,
+      ticket_key TEXT NOT NULL,
+      url TEXT,
+      summary TEXT,
+      status TEXT DEFAULT 'Open' CHECK(status IN ('Open', 'In Progress', 'Closed')),
+      created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+      updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+      FOREIGN KEY (cve_id, vendor) REFERENCES cves(cve_id, vendor) ON DELETE CASCADE
+    )
+  `, (err) => {
+    if (err) console.error('Error creating table:', err);
+    else console.log('✓ jira_tickets table created');
+  });
+
+  // Create indexes
+  db.run('CREATE INDEX IF NOT EXISTS idx_jira_tickets_cve ON jira_tickets(cve_id, vendor)');
+  db.run('CREATE INDEX IF NOT EXISTS idx_jira_tickets_status ON jira_tickets(status)');
+
+  console.log('✓ Indexes created');
+});
+
+db.close(() => {
+  console.log('Migration complete!');
+});

backend/migrations/add_archer_tickets_table.js

@@ -0,0 +1,50 @@
+// Migration: Add archer_tickets table
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting Archer tickets migration...');
+
+db.serialize(() => {
+  // Create archer_tickets table
+  db.run(`
+    CREATE TABLE IF NOT EXISTS archer_tickets (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      exc_number TEXT NOT NULL UNIQUE,
+      archer_url TEXT,
+      status TEXT DEFAULT 'Draft' CHECK(status IN ('Draft', 'Open', 'Under Review', 'Accepted')),
+      cve_id TEXT NOT NULL,
+      vendor TEXT NOT NULL,
+      created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+      updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+      FOREIGN KEY (cve_id, vendor) REFERENCES cves(cve_id, vendor) ON DELETE CASCADE
+    )
+  `, (err) => {
+    if (err) console.error('Error creating table:', err);
+    else console.log('✓ archer_tickets table created');
+  });
+
+  // Create indexes
+  db.run('CREATE INDEX IF NOT EXISTS idx_archer_tickets_cve ON archer_tickets(cve_id, vendor)', (err) => {
+    if (err) console.error('Error creating CVE index:', err);
+    else console.log('✓ CVE index created');
+  });
+
+  db.run('CREATE INDEX IF NOT EXISTS idx_archer_tickets_status ON archer_tickets(status)', (err) => {
+    if (err) console.error('Error creating status index:', err);
+    else console.log('✓ Status index created');
+  });
+
+  db.run('CREATE INDEX IF NOT EXISTS idx_archer_tickets_exc ON archer_tickets(exc_number)', (err) => {
+    if (err) console.error('Error creating EXC number index:', err);
+    else console.log('✓ EXC number index created');
+  });
+
+  console.log('✓ Indexes created');
+});
+
+db.close(() => {
+  console.log('Migration complete!');
+});

backend/migrations/add_archer_tickets_timestamps.js

@@ -0,0 +1,56 @@
+// Migration: Add created_at / updated_at columns to archer_tickets
+//
+// SQLite does not support ALTER TABLE ADD COLUMN IF NOT EXISTS, so we check
+// PRAGMA table_info first and only add the column when it is absent.
+//
+// Run on any instance where archer_tickets was created before these columns
+// were added to the schema (symptoms: every /api/archer-tickets call → 500).
+//
+// Usage: node backend/migrations/add_archer_tickets_timestamps.js
+
+const sqlite3 = require('sqlite3').verbose();
+const path    = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db     = new sqlite3.Database(dbPath);
+
+console.log('Starting archer_tickets timestamp migration...');
+
+db.all('PRAGMA table_info(archer_tickets)', [], (err, columns) => {
+    if (err) {
+        console.error('Error reading table info:', err);
+        return db.close();
+    }
+
+    const names = columns.map(c => c.name);
+
+    db.serialize(() => {
+        if (!names.includes('created_at')) {
+            db.run(
+                `ALTER TABLE archer_tickets ADD COLUMN created_at DATETIME DEFAULT CURRENT_TIMESTAMP`,
+                (err) => {
+                    if (err) console.error('Error adding created_at:', err);
+                    else console.log('✓ created_at column added');
+                }
+            );
+        } else {
+            console.log('✓ created_at already exists — skipping');
+        }
+
+        if (!names.includes('updated_at')) {
+            db.run(
+                `ALTER TABLE archer_tickets ADD COLUMN updated_at DATETIME DEFAULT CURRENT_TIMESTAMP`,
+                (err) => {
+                    if (err) console.error('Error adding updated_at:', err);
+                    else console.log('✓ updated_at column added');
+                }
+            );
+        } else {
+            console.log('✓ updated_at already exists — skipping');
+        }
+    });
+
+    db.close(() => {
+        console.log('Migration complete. Restart the backend server.');
+    });
+});

backend/migrations/add_card_workflow_type.js

@@ -0,0 +1,79 @@
+// Migration: Add CARD to workflow_type CHECK constraint on ivanti_todo_queue
+// SQLite cannot ALTER a CHECK constraint, so this recreates the table.
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting add_card_workflow_type migration...');
+
+db.serialize(() => {
+    db.run('PRAGMA foreign_keys = OFF', (err) => {
+        if (err) console.error('PRAGMA error:', err);
+    });
+
+    db.run('BEGIN TRANSACTION', (err) => {
+        if (err) { console.error('BEGIN error:', err); return; }
+    });
+
+    db.run(`
+        CREATE TABLE ivanti_todo_queue_new (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            user_id INTEGER NOT NULL,
+            finding_id TEXT NOT NULL,
+            finding_title TEXT,
+            cves_json TEXT,
+            ip_address TEXT,
+            vendor TEXT NOT NULL,
+            workflow_type TEXT NOT NULL CHECK(workflow_type IN ('FP', 'Archer', 'CARD')),
+            status TEXT NOT NULL DEFAULT 'pending' CHECK(status IN ('pending', 'complete')),
+            created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+            updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        )
+    `, (err) => {
+        if (err) console.error('Error creating new table:', err);
+        else console.log('✓ ivanti_todo_queue_new created');
+    });
+
+    db.run(
+        'INSERT INTO ivanti_todo_queue_new SELECT * FROM ivanti_todo_queue',
+        (err) => {
+            if (err) console.error('Error copying data:', err);
+            else console.log('✓ Data copied');
+        }
+    );
+
+    db.run('DROP TABLE ivanti_todo_queue', (err) => {
+        if (err) console.error('Error dropping old table:', err);
+        else console.log('✓ Old table dropped');
+    });
+
+    db.run(
+        'ALTER TABLE ivanti_todo_queue_new RENAME TO ivanti_todo_queue',
+        (err) => {
+            if (err) console.error('Error renaming table:', err);
+            else console.log('✓ Table renamed');
+        }
+    );
+
+    db.run(
+        'CREATE INDEX IF NOT EXISTS idx_todo_queue_user ON ivanti_todo_queue(user_id, status)',
+        (err) => {
+            if (err) console.error('Error creating index:', err);
+            else console.log('✓ Index recreated');
+        }
+    );
+
+    db.run('COMMIT', (err) => {
+        if (err) console.error('COMMIT error:', err);
+        else console.log('✓ Transaction committed');
+    });
+
+    db.run('PRAGMA foreign_keys = ON', () => {});
+});
+
+db.close(() => {
+    console.log('Migration complete!');
+});

backend/migrations/add_compliance_tables.js

@@ -0,0 +1,108 @@
+// Migration: Add compliance_uploads, compliance_items, compliance_notes tables
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting add_compliance_tables migration...');
+
+db.serialize(() => {
+    // Each xlsx upload — one row per file ingested
+    db.run(`
+        CREATE TABLE IF NOT EXISTS compliance_uploads (
+            id          INTEGER PRIMARY KEY AUTOINCREMENT,
+            filename    TEXT NOT NULL,
+            report_date TEXT,
+            uploaded_by INTEGER,
+            uploaded_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+            new_count       INTEGER DEFAULT 0,
+            resolved_count  INTEGER DEFAULT 0,
+            recurring_count INTEGER DEFAULT 0,
+            FOREIGN KEY (uploaded_by) REFERENCES users(id) ON DELETE SET NULL
+        )
+    `, (err) => {
+        if (err) console.error('Error creating compliance_uploads:', err);
+        else console.log('✓ compliance_uploads created');
+    });
+
+    // One row per non-compliant asset per metric per upload.
+    // hostname + metric_id is the stable identity key used to link history and notes.
+    db.run(`
+        CREATE TABLE IF NOT EXISTS compliance_items (
+            id          INTEGER PRIMARY KEY AUTOINCREMENT,
+            upload_id   INTEGER NOT NULL,
+            hostname    TEXT NOT NULL,
+            ip_address  TEXT,
+            device_type TEXT,
+            team        TEXT,
+            metric_id   TEXT NOT NULL,
+            metric_desc TEXT,
+            category    TEXT,
+            extra_json  TEXT,
+            status      TEXT NOT NULL DEFAULT 'active' CHECK(status IN ('active', 'resolved')),
+            first_seen_upload_id INTEGER,
+            resolved_upload_id   INTEGER,
+            created_at  DATETIME DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (upload_id) REFERENCES compliance_uploads(id) ON DELETE CASCADE,
+            FOREIGN KEY (first_seen_upload_id) REFERENCES compliance_uploads(id) ON DELETE SET NULL,
+            FOREIGN KEY (resolved_upload_id)   REFERENCES compliance_uploads(id) ON DELETE SET NULL
+        )
+    `, (err) => {
+        if (err) console.error('Error creating compliance_items:', err);
+        else console.log('✓ compliance_items created');
+    });
+
+    db.run(`
+        CREATE INDEX IF NOT EXISTS idx_compliance_items_upload
+        ON compliance_items(upload_id)
+    `, (err) => {
+        if (err) console.error('Error creating upload index:', err);
+        else console.log('✓ idx_compliance_items_upload created');
+    });
+
+    db.run(`
+        CREATE INDEX IF NOT EXISTS idx_compliance_items_identity
+        ON compliance_items(hostname, metric_id)
+    `, (err) => {
+        if (err) console.error('Error creating identity index:', err);
+        else console.log('✓ idx_compliance_items_identity created');
+    });
+
+    db.run(`
+        CREATE INDEX IF NOT EXISTS idx_compliance_items_team_status
+        ON compliance_items(team, status)
+    `, (err) => {
+        if (err) console.error('Error creating team/status index:', err);
+        else console.log('✓ idx_compliance_items_team_status created');
+    });
+
+    // Notes keyed on (hostname, metric_id) — persists across uploads.
+    // Each note is its own row so history is preserved.
+    db.run(`
+        CREATE TABLE IF NOT EXISTS compliance_notes (
+            id          INTEGER PRIMARY KEY AUTOINCREMENT,
+            hostname    TEXT NOT NULL,
+            metric_id   TEXT NOT NULL,
+            note        TEXT NOT NULL,
+            created_by  INTEGER,
+            created_at  DATETIME DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (created_by) REFERENCES users(id) ON DELETE SET NULL
+        )
+    `, (err) => {
+        if (err) console.error('Error creating compliance_notes:', err);
+        else console.log('✓ compliance_notes created');
+    });
+
+    db.run(`
+        CREATE INDEX IF NOT EXISTS idx_compliance_notes_identity
+        ON compliance_notes(hostname, metric_id)
+    `, (err) => {
+        if (err) console.error('Error creating notes identity index:', err);
+        else console.log('✓ idx_compliance_notes_identity created');
+    });
+});
+
+db.close(() => {
+    console.log('Migration complete!');
+});

backend/migrations/add_created_by_columns.js

@@ -0,0 +1,76 @@
+// Migration: Add created_by column to cves, archer_tickets, and jira_tickets tables
+// Stores the user ID of the creator for ownership-based delete checks.
+// Idempotent — safe to run multiple times.
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+/**
+ * Run the migration against the given database instance.
+ * Exported for testing with in-memory databases.
+ * @param {sqlite3.Database} db
+ * @returns {Promise<void>}
+ */
+function runMigration(db) {
+    return new Promise((resolve, reject) => {
+        const tables = ['cves', 'archer_tickets', 'jira_tickets'];
+        let completed = 0;
+
+        db.serialize(() => {
+            tables.forEach((table) => {
+                db.all(`PRAGMA table_info(${table})`, (err, columns) => {
+                    if (err) {
+                        // Table may not exist yet — skip gracefully
+                        console.log(`⚠ Could not inspect ${table}: ${err.message} — skipping`);
+                        completed++;
+                        if (completed === tables.length) resolve();
+                        return;
+                    }
+
+                    const hasCreatedBy = columns.some(col => col.name === 'created_by');
+
+                    if (hasCreatedBy) {
+                        console.log(`✓ ${table}.created_by already exists — skipping`);
+                        completed++;
+                        if (completed === tables.length) resolve();
+                        return;
+                    }
+
+                    db.run(
+                        `ALTER TABLE ${table} ADD COLUMN created_by INTEGER REFERENCES users(id)`,
+                        (err) => {
+                            if (err) {
+                                reject(err);
+                                return;
+                            }
+                            console.log(`✓ Added created_by column to ${table}`);
+                            completed++;
+                            if (completed === tables.length) resolve();
+                        }
+                    );
+                });
+            });
+        });
+    });
+}
+
+// Run directly if executed as a script
+if (require.main === module) {
+    const dbPath = path.join(__dirname, '..', 'cve_database.db');
+    const db = new sqlite3.Database(dbPath);
+    console.log('Starting add_created_by_columns migration...');
+
+    runMigration(db)
+        .then(() => {
+            console.log('Migration complete!');
+            db.close(() => {
+                console.log('Database connection closed.');
+            });
+        })
+        .catch((err) => {
+            console.error('Migration failed:', err);
+            db.close();
+            process.exit(1);
+        });
+}
+
+module.exports = { runMigration };

backend/migrations/add_finding_archive_tables.js

@@ -0,0 +1,75 @@
+// Migration: Add ivanti_finding_archives and ivanti_archive_transitions tables
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting finding archive tables migration...');
+
+db.serialize(() => {
+    // Archive records — one row per finding that has entered the archive lifecycle
+    db.run(`
+        CREATE TABLE IF NOT EXISTS ivanti_finding_archives (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            finding_id TEXT NOT NULL UNIQUE,
+            finding_title TEXT NOT NULL DEFAULT '',
+            host_name TEXT NOT NULL DEFAULT '',
+            ip_address TEXT NOT NULL DEFAULT '',
+            current_state TEXT NOT NULL CHECK(current_state IN ('ARCHIVED', 'RETURNED', 'CLOSED')),
+            last_severity REAL NOT NULL DEFAULT 0,
+            first_archived_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            last_transition_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+        )
+    `, (err) => {
+        if (err) console.error('Error creating ivanti_finding_archives table:', err);
+        else console.log('✓ ivanti_finding_archives table created');
+    });
+
+    // Transition history — one row per state change on an archive record
+    db.run(`
+        CREATE TABLE IF NOT EXISTS ivanti_archive_transitions (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            archive_id INTEGER NOT NULL,
+            from_state TEXT NOT NULL,
+            to_state TEXT NOT NULL,
+            severity_at_transition REAL NOT NULL DEFAULT 0,
+            reason TEXT NOT NULL DEFAULT '',
+            transitioned_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (archive_id) REFERENCES ivanti_finding_archives(id)
+        )
+    `, (err) => {
+        if (err) console.error('Error creating ivanti_archive_transitions table:', err);
+        else console.log('✓ ivanti_archive_transitions table created');
+    });
+
+    // Indexes for query performance
+    db.run(`
+        CREATE INDEX IF NOT EXISTS idx_archive_finding_id
+        ON ivanti_finding_archives(finding_id)
+    `, (err) => {
+        if (err) console.error('Error creating idx_archive_finding_id:', err);
+        else console.log('✓ idx_archive_finding_id index created');
+    });
+
+    db.run(`
+        CREATE INDEX IF NOT EXISTS idx_archive_current_state
+        ON ivanti_finding_archives(current_state)
+    `, (err) => {
+        if (err) console.error('Error creating idx_archive_current_state:', err);
+        else console.log('✓ idx_archive_current_state index created');
+    });
+
+    db.run(`
+        CREATE INDEX IF NOT EXISTS idx_transition_archive_id
+        ON ivanti_archive_transitions(archive_id)
+    `, (err) => {
+        if (err) console.error('Error creating idx_transition_archive_id:', err);
+        else console.log('✓ idx_transition_archive_id index created');
+    });
+});
+
+db.close(() => {
+    console.log('Migration complete!');
+});

backend/migrations/add_fp_submissions_table.js

@@ -0,0 +1,57 @@
+// Migration: Add ivanti_fp_submissions table
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting ivanti_fp_submissions migration...');
+
+db.serialize(() => {
+    db.run(`
+        CREATE TABLE IF NOT EXISTS ivanti_fp_submissions (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            user_id INTEGER NOT NULL,
+            username TEXT NOT NULL,
+            ivanti_workflow_batch_id INTEGER,
+            ivanti_generated_id TEXT,
+            workflow_name TEXT NOT NULL,
+            reason TEXT NOT NULL,
+            description TEXT,
+            expiration_date TEXT NOT NULL,
+            scope_override TEXT NOT NULL DEFAULT 'Authorized',
+            finding_ids_json TEXT NOT NULL,
+            queue_item_ids_json TEXT NOT NULL,
+            attachment_count INTEGER DEFAULT 0,
+            attachment_results_json TEXT,
+            status TEXT NOT NULL DEFAULT 'success' CHECK(status IN ('success', 'partial', 'failed')),
+            error_message TEXT,
+            created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+        )
+    `, (err) => {
+        if (err) console.error('Error creating table:', err);
+        else console.log('✓ ivanti_fp_submissions table created');
+    });
+
+    db.run(
+        'CREATE INDEX IF NOT EXISTS idx_fp_submissions_user ON ivanti_fp_submissions(user_id)',
+        (err) => {
+            if (err) console.error('Error creating index:', err);
+            else console.log('✓ user_id index created');
+        }
+    );
+
+    db.run(
+        'CREATE INDEX IF NOT EXISTS idx_fp_submissions_ivanti_id ON ivanti_fp_submissions(ivanti_generated_id)',
+        (err) => {
+            if (err) console.error('Error creating index:', err);
+            else console.log('✓ ivanti_generated_id index created');
+        }
+    );
+
+    console.log('✓ Migration statements queued');
+});
+
+db.close(() => {
+    console.log('Migration complete!');
+});

backend/migrations/add_ivanti_counts_history_table.js

@@ -0,0 +1,41 @@
+// Migration: Add ivanti_counts_history table
+//
+// Stores a snapshot of open/closed Ivanti finding counts on every sync.
+// Unlike ivanti_counts_cache (single-row, always overwritten), this table
+// accumulates all snapshots so time-series charts can be built from it.
+//
+// The GET /api/ivanti/findings/counts/history endpoint aggregates these rows
+// to the last snapshot per calendar day using a ROW_NUMBER window function.
+//
+// NOTE: This table is also created automatically at server startup via
+// CREATE TABLE IF NOT EXISTS in initTables() (ivantiFindings.js).
+// This script is provided for manual setup on fresh installs and for
+// documentation consistency with other migration files.
+//
+// Usage: node backend/migrations/add_ivanti_counts_history_table.js
+
+const sqlite3 = require('sqlite3').verbose();
+const path    = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db     = new sqlite3.Database(dbPath);
+
+console.log('Starting ivanti_counts_history migration...');
+
+db.serialize(() => {
+    db.run(`
+        CREATE TABLE IF NOT EXISTS ivanti_counts_history (
+            id           INTEGER PRIMARY KEY AUTOINCREMENT,
+            open_count   INTEGER NOT NULL,
+            closed_count INTEGER NOT NULL,
+            recorded_at  DATETIME DEFAULT CURRENT_TIMESTAMP
+        )
+    `, (err) => {
+        if (err) console.error('Error creating ivanti_counts_history table:', err);
+        else console.log('✓ ivanti_counts_history table created (or already exists)');
+    });
+});
+
+db.close(() => {
+    console.log('Migration complete.');
+});

backend/migrations/add_ivanti_findings_tables.js

@@ -0,0 +1,58 @@
+// Migration: Add ivanti_findings_cache and ivanti_finding_notes tables
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting Ivanti findings tables migration...');
+
+db.serialize(() => {
+    // Cache table — single row holding the latest sync result
+    db.run(`
+        CREATE TABLE IF NOT EXISTS ivanti_findings_cache (
+            id INTEGER PRIMARY KEY CHECK (id = 1),
+            total INTEGER DEFAULT 0,
+            findings_json TEXT DEFAULT '[]',
+            synced_at DATETIME,
+            sync_status TEXT DEFAULT 'never',
+            error_message TEXT
+        )
+    `, (err) => {
+        if (err) console.error('Error creating findings cache table:', err);
+        else console.log('✓ ivanti_findings_cache table created');
+    });
+
+    db.run(`
+        INSERT OR IGNORE INTO ivanti_findings_cache (id, total, findings_json, sync_status)
+        VALUES (1, 0, '[]', 'never')
+    `, (err) => {
+        if (err) console.error('Error seeding findings cache row:', err);
+        else console.log('✓ ivanti_findings_cache row seeded');
+    });
+
+    // Notes table — one row per finding, persists across cache refreshes
+    db.run(`
+        CREATE TABLE IF NOT EXISTS ivanti_finding_notes (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            finding_id TEXT NOT NULL UNIQUE,
+            note TEXT NOT NULL DEFAULT '',
+            updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
+        )
+    `, (err) => {
+        if (err) console.error('Error creating finding notes table:', err);
+        else console.log('✓ ivanti_finding_notes table created');
+    });
+
+    db.run(`
+        CREATE INDEX IF NOT EXISTS idx_finding_notes_finding_id
+        ON ivanti_finding_notes(finding_id)
+    `, (err) => {
+        if (err) console.error('Error creating notes index:', err);
+        else console.log('✓ finding_id index created');
+    });
+});
+
+db.close(() => {
+    console.log('Migration complete!');
+});

backend/migrations/add_ivanti_sync_table.js

@@ -0,0 +1,37 @@
+// Migration: Add ivanti_sync_state table
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting Ivanti sync state migration...');
+
+db.serialize(() => {
+    db.run(`
+        CREATE TABLE IF NOT EXISTS ivanti_sync_state (
+            id INTEGER PRIMARY KEY CHECK (id = 1),
+            total INTEGER DEFAULT 0,
+            workflows_json TEXT DEFAULT '[]',
+            synced_at DATETIME,
+            sync_status TEXT DEFAULT 'never',
+            error_message TEXT
+        )
+    `, (err) => {
+        if (err) console.error('Error creating table:', err);
+        else console.log('✓ ivanti_sync_state table created');
+    });
+
+    // Seed the single-row state record
+    db.run(`
+        INSERT OR IGNORE INTO ivanti_sync_state (id, total, workflows_json, sync_status)
+        VALUES (1, 0, '[]', 'never')
+    `, (err) => {
+        if (err) console.error('Error seeding state row:', err);
+        else console.log('✓ ivanti_sync_state row seeded');
+    });
+});
+
+db.close(() => {
+    console.log('Migration complete!');
+});

backend/migrations/add_ivanti_todo_queue_table.js

@@ -0,0 +1,43 @@
+// Migration: Add ivanti_todo_queue table
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting ivanti_todo_queue migration...');
+
+db.serialize(() => {
+    db.run(`
+        CREATE TABLE IF NOT EXISTS ivanti_todo_queue (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            user_id INTEGER NOT NULL,
+            finding_id TEXT NOT NULL,
+            finding_title TEXT,
+            cves_json TEXT,
+            vendor TEXT NOT NULL,
+            workflow_type TEXT NOT NULL CHECK(workflow_type IN ('FP', 'Archer')),
+            status TEXT NOT NULL DEFAULT 'pending' CHECK(status IN ('pending', 'complete')),
+            created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+            updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        )
+    `, (err) => {
+        if (err) console.error('Error creating table:', err);
+        else console.log('✓ ivanti_todo_queue table created');
+    });
+
+    db.run(
+        'CREATE INDEX IF NOT EXISTS idx_todo_queue_user ON ivanti_todo_queue(user_id, status)',
+        (err) => {
+            if (err) console.error('Error creating index:', err);
+            else console.log('✓ User+status index created');
+        }
+    );
+
+    console.log('✓ Migration statements queued');
+});
+
+db.close(() => {
+    console.log('Migration complete!');
+});

backend/migrations/add_knowledge_base_table.js

@@ -0,0 +1,70 @@
+// Migration: Add knowledge_base table for storing documentation and policies
+
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Running migration: add_knowledge_base_table');
+
+db.serialize(() => {
+  db.run(`
+    CREATE TABLE IF NOT EXISTS knowledge_base (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      title VARCHAR(255) NOT NULL,
+      slug VARCHAR(255) UNIQUE NOT NULL,
+      description TEXT,
+      category VARCHAR(100),
+      file_path VARCHAR(500),
+      file_name VARCHAR(255),
+      file_type VARCHAR(50),
+      file_size INTEGER,
+      created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+      updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+      created_by INTEGER,
+      FOREIGN KEY (created_by) REFERENCES users(id)
+    )
+  `, (err) => {
+    if (err) {
+      console.error('Error creating knowledge_base table:', err);
+      process.exit(1);
+    }
+    console.log('✓ Created knowledge_base table');
+  });
+
+  db.run(`
+    CREATE INDEX IF NOT EXISTS idx_knowledge_base_slug
+    ON knowledge_base(slug)
+  `, (err) => {
+    if (err) {
+      console.error('Error creating slug index:', err);
+      process.exit(1);
+    }
+    console.log('✓ Created index on slug');
+  });
+
+  db.run(`
+    CREATE INDEX IF NOT EXISTS idx_knowledge_base_category
+    ON knowledge_base(category)
+  `, (err) => {
+    if (err) {
+      console.error('Error creating category index:', err);
+      process.exit(1);
+    }
+    console.log('✓ Created index on category');
+  });
+
+  db.run(`
+    CREATE INDEX IF NOT EXISTS idx_knowledge_base_created_at
+    ON knowledge_base(created_at DESC)
+  `, (err) => {
+    if (err) {
+      console.error('Error creating created_at index:', err);
+      process.exit(1);
+    }
+    console.log('✓ Created index on created_at');
+    console.log('\nMigration completed successfully!');
+    db.close();
+  });
+});

backend/migrations/add_todo_queue_hostname.js

@@ -0,0 +1,25 @@
+// Migration: Add hostname column to ivanti_todo_queue
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting add_todo_queue_hostname migration...');
+
+db.run(
+    'ALTER TABLE ivanti_todo_queue ADD COLUMN hostname TEXT',
+    (err) => {
+        if (err) {
+            // Column may already exist if migration was run before
+            if (err.message.includes('duplicate column name')) {
+                console.log('✓ hostname column already exists, skipping');
+            } else {
+                console.error('Error adding column:', err);
+            }
+        } else {
+            console.log('✓ hostname column added');
+        }
+        db.close(() => console.log('Migration complete!'));
+    }
+);

backend/migrations/add_todo_queue_ip_address.js

@@ -0,0 +1,25 @@
+// Migration: Add ip_address column to ivanti_todo_queue
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+const dbPath = path.join(__dirname, '..', 'cve_database.db');
+const db = new sqlite3.Database(dbPath);
+
+console.log('Starting add_todo_queue_ip_address migration...');
+
+db.run(
+    'ALTER TABLE ivanti_todo_queue ADD COLUMN ip_address TEXT',
+    (err) => {
+        if (err) {
+            // Column may already exist if migration was run before
+            if (err.message.includes('duplicate column name')) {
+                console.log('✓ ip_address column already exists, skipping');
+            } else {
+                console.error('Error adding column:', err);
+            }
+        } else {
+            console.log('✓ ip_address column added');
+        }
+        db.close(() => console.log('Migration complete!'));
+    }
+);

backend/migrations/add_user_groups.js

@@ -0,0 +1,146 @@
+// Migration: Add user_group column to users table and map legacy roles
+// Mapping: admin→Admin, editor→Standard_User, viewer→Read_Only
+// NULL/unrecognized roles default to Read_Only
+// Idempotent — safe to run multiple times
+const sqlite3 = require('sqlite3').verbose();
+const path = require('path');
+
+/**
+ * Run the migration against the given database instance.
+ * Exported for testing with in-memory databases.
+ * @param {sqlite3.Database} db
+ * @returns {Promise<void>}
+ */
+function runMigration(db) {
+    return new Promise((resolve, reject) => {
+        db.serialize(() => {
+            // Check if user_group column already exists
+            db.all("PRAGMA table_info(users)", (err, columns) => {
+                if (err) {
+                    reject(err);
+                    return;
+                }
+
+                const hasUserGroup = columns.some(col => col.name === 'user_group');
+
+                if (hasUserGroup) {
+                    console.log('✓ user_group column already exists — skipping migration');
+                    resolve();
+                    return;
+                }
+
+                console.log('Adding user_group column to users table...');
+
+                // SQLite doesn't support ADD COLUMN with CHECK inline in all versions,
+                // so we add the column first, map values, then recreate with constraint.
+                // However, SQLite also doesn't support ALTER TABLE ADD CONSTRAINT.
+                // Strategy: add column, map values, create index.
+                // The CHECK constraint is enforced via table rebuild.
+
+                db.run(
+                    `ALTER TABLE users ADD COLUMN user_group VARCHAR(20) NOT NULL DEFAULT 'Read_Only'`,
+                    (err) => {
+                        if (err) {
+                            reject(err);
+                            return;
+                        }
+                        console.log('✓ Added user_group column');
+
+                        // Map existing roles to groups
+                        db.run(
+                            `UPDATE users SET user_group = 'Admin' WHERE role = 'admin'`,
+                            function(err) {
+                                if (err) { reject(err); return; }
+                                console.log(`  ✓ Mapped ${this.changes} admin(s) → Admin`);
+
+                                db.run(
+                                    `UPDATE users SET user_group = 'Standard_User' WHERE role = 'editor'`,
+                                    function(err) {
+                                        if (err) { reject(err); return; }
+                                        console.log(`  ✓ Mapped ${this.changes} editor(s) → Standard_User`);
+
+                                        db.run(
+                                            `UPDATE users SET user_group = 'Read_Only' WHERE role = 'viewer'`,
+                                            function(err) {
+                                                if (err) { reject(err); return; }
+                                                console.log(`  ✓ Mapped ${this.changes} viewer(s) → Read_Only`);
+
+                                                // Map NULL or unrecognized roles to Read_Only
+                                                db.run(
+                                                    `UPDATE users SET user_group = 'Read_Only' WHERE user_group = 'Read_Only' AND role NOT IN ('admin', 'editor', 'viewer')`,
+                                                    function(err) {
+                                                        if (err) { reject(err); return; }
+                                                        console.log(`  ✓ Mapped ${this.changes} unrecognized role(s) → Read_Only`);
+
+                                                        // Create index on user_group
+                                                        db.run(
+                                                            `CREATE INDEX IF NOT EXISTS idx_users_user_group ON users(user_group)`,
+                                                            (err) => {
+                                                                if (err) { reject(err); return; }
+                                                                console.log('✓ Created idx_users_user_group index');
+
+                                                                // Add CHECK constraint via trigger (SQLite can't ALTER TABLE ADD CONSTRAINT)
+                                                                db.run(
+                                                                    `CREATE TRIGGER IF NOT EXISTS check_user_group_insert
+                                                                     BEFORE INSERT ON users
+                                                                     FOR EACH ROW
+                                                                     WHEN NEW.user_group NOT IN ('Admin', 'Standard_User', 'Leadership', 'Read_Only')
+                                                                     BEGIN
+                                                                         SELECT RAISE(ABORT, 'Invalid user_group value. Must be Admin, Standard_User, Leadership, or Read_Only');
+                                                                     END`,
+                                                                    (err) => {
+                                                                        if (err) { reject(err); return; }
+                                                                        db.run(
+                                                                            `CREATE TRIGGER IF NOT EXISTS check_user_group_update
+                                                                             BEFORE UPDATE OF user_group ON users
+                                                                             FOR EACH ROW
+                                                                             WHEN NEW.user_group NOT IN ('Admin', 'Standard_User', 'Leadership', 'Read_Only')
+                                                                             BEGIN
+                                                                                 SELECT RAISE(ABORT, 'Invalid user_group value. Must be Admin, Standard_User, Leadership, or Read_Only');
+                                                                             END`,
+                                                                            (err) => {
+                                                                                if (err) { reject(err); return; }
+                                                                                console.log('✓ Created user_group validation triggers');
+                                                                                console.log('Migration complete!');
+                                                                                resolve();
+                                                                            }
+                                                                        );
+                                                                    }
+                                                                );
+                                                            }
+                                                        );
+                                                    }
+                                                );
+                                            }
+                                        );
+                                    }
+                                );
+                            }
+                        );
+                    }
+                );
+            });
+        });
+    });
+}
+
+// Run directly if executed as a script
+if (require.main === module) {
+    const dbPath = path.join(__dirname, '..', 'cve_database.db');
+    const db = new sqlite3.Database(dbPath);
+    console.log('Starting add_user_groups migration...');
+
+    runMigration(db)
+        .then(() => {
+            db.close(() => {
+                console.log('Database connection closed.');
+            });
+        })
+        .catch((err) => {
+            console.error('Migration failed:', err);
+            db.close();
+            process.exit(1);
+        });
+}
+
+module.exports = { runMigration };

backend/routes/archerTickets.js

@@ -0,0 +1,285 @@
+// routes/archerTickets.js
+const express = require('express');
+const { requireAuth, requireGroup } = require('../middleware/auth');
+const logAudit = require('../helpers/auditLog');
+
+// Validation helpers
+const CVE_ID_PATTERN = /^CVE-\d{4}-\d{4,}$/;
+function isValidCveId(cveId) {
+  return typeof cveId === 'string' && CVE_ID_PATTERN.test(cveId);
+}
+
+function isValidVendor(vendor) {
+  return typeof vendor === 'string' && vendor.trim().length > 0 && vendor.length <= 200;
+}
+
+function createArcherTicketsRouter(db) {
+  const router = express.Router();
+
+  // Get all Archer tickets (with optional filters)
+  router.get('/', requireAuth(db), (req, res) => {
+    const { cve_id, vendor, status } = req.query;
+
+    let query = 'SELECT * FROM archer_tickets WHERE 1=1';
+    const params = [];
+
+    if (cve_id) {
+      query += ' AND cve_id = ?';
+      params.push(cve_id);
+    }
+    if (vendor) {
+      query += ' AND vendor = ?';
+      params.push(vendor);
+    }
+    if (status) {
+      query += ' AND status = ?';
+      params.push(status);
+    }
+
+    query += ' ORDER BY created_at DESC';
+
+    db.all(query, params, (err, rows) => {
+      if (err) {
+        console.error('Error fetching Archer tickets:', err);
+        return res.status(500).json({ error: 'Internal server error.' });
+      }
+      res.json(rows);
+    });
+  });
+
+  // Create Archer ticket
+  router.post('/', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+    const { exc_number, archer_url, status, cve_id, vendor } = req.body;
+
+    // Validation
+    if (!exc_number || typeof exc_number !== 'string' || exc_number.trim().length === 0) {
+      return res.status(400).json({ error: 'EXC number is required.' });
+    }
+    if (!/^EXC-\d+$/.test(exc_number.trim())) {
+      return res.status(400).json({ error: 'EXC number must be in format EXC-XXXX (e.g., EXC-5754).' });
+    }
+    if (!cve_id || !isValidCveId(cve_id)) {
+      return res.status(400).json({ error: 'Valid CVE ID is required.' });
+    }
+    if (!vendor || !isValidVendor(vendor)) {
+      return res.status(400).json({ error: 'Valid vendor is required.' });
+    }
+    if (archer_url && (typeof archer_url !== 'string' || archer_url.length > 500)) {
+      return res.status(400).json({ error: 'Archer URL must be under 500 characters.' });
+    }
+    if (status && !['Draft', 'Open', 'Under Review', 'Accepted'].includes(status)) {
+      return res.status(400).json({ error: 'Invalid status. Must be Draft, Open, Under Review, or Accepted.' });
+    }
+
+    const validatedStatus = status || 'Draft';
+
+    db.run(
+      `INSERT INTO archer_tickets (exc_number, archer_url, status, cve_id, vendor, created_by)
+       VALUES (?, ?, ?, ?, ?, ?)`,
+      [exc_number.trim(), archer_url || null, validatedStatus, cve_id, vendor, req.user.id],
+      function(err) {
+        if (err) {
+          console.error('Error creating Archer ticket:', err);
+          if (err.message.includes('UNIQUE constraint failed')) {
+            return res.status(409).json({ error: 'An Archer ticket with this EXC number already exists.' });
+          }
+          return res.status(500).json({ error: 'Internal server error.' });
+        }
+
+        logAudit(db, {
+          userId: req.user.id,
+          action: 'CREATE_ARCHER_TICKET',
+          entityType: 'archer_ticket',
+          entityId: String(this.lastID),
+          details: { exc_number, archer_url, status: validatedStatus, cve_id, vendor },
+          ipAddress: req.ip
+        });
+
+        res.status(201).json({
+          id: this.lastID,
+          message: 'Archer ticket created successfully'
+        });
+      }
+    );
+  });
+
+  // Update Archer ticket
+  router.put('/:id', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+    const { id } = req.params;
+    const { exc_number, archer_url, status } = req.body;
+
+    // Validation
+    if (exc_number !== undefined) {
+      if (typeof exc_number !== 'string' || exc_number.trim().length === 0) {
+        return res.status(400).json({ error: 'EXC number cannot be empty.' });
+      }
+      if (!/^EXC-\d+$/.test(exc_number.trim())) {
+        return res.status(400).json({ error: 'EXC number must be in format EXC-XXXX (e.g., EXC-5754).' });
+      }
+    }
+    if (archer_url !== undefined && archer_url !== null && (typeof archer_url !== 'string' || archer_url.length > 500)) {
+      return res.status(400).json({ error: 'Archer URL must be under 500 characters.' });
+    }
+    if (status !== undefined && !['Draft', 'Open', 'Under Review', 'Accepted'].includes(status)) {
+      return res.status(400).json({ error: 'Invalid status. Must be Draft, Open, Under Review, or Accepted.' });
+    }
+
+    // Get existing ticket
+    db.get('SELECT * FROM archer_tickets WHERE id = ?', [id], (err, existing) => {
+      if (err) {
+        console.error(err);
+        return res.status(500).json({ error: 'Internal server error.' });
+      }
+      if (!existing) {
+        return res.status(404).json({ error: 'Archer ticket not found.' });
+      }
+
+      const updates = [];
+      const params = [];
+
+      if (exc_number !== undefined) {
+        updates.push('exc_number = ?');
+        params.push(exc_number.trim());
+      }
+      if (archer_url !== undefined) {
+        updates.push('archer_url = ?');
+        params.push(archer_url || null);
+      }
+      if (status !== undefined) {
+        updates.push('status = ?');
+        params.push(status);
+      }
+
+      if (updates.length === 0) {
+        return res.status(400).json({ error: 'No fields to update.' });
+      }
+
+      updates.push('updated_at = CURRENT_TIMESTAMP');
+      params.push(id);
+
+      db.run(
+        `UPDATE archer_tickets SET ${updates.join(', ')} WHERE id = ?`,
+        params,
+        function(err) {
+          if (err) {
+            console.error(err);
+            if (err.message.includes('UNIQUE constraint failed')) {
+              return res.status(409).json({ error: 'An Archer ticket with this EXC number already exists.' });
+            }
+            return res.status(500).json({ error: 'Internal server error.' });
+          }
+
+          logAudit(db, {
+            userId: req.user.id,
+            action: 'UPDATE_ARCHER_TICKET',
+            entityType: 'archer_ticket',
+            entityId: String(id),
+            details: { before: existing, changes: req.body },
+            ipAddress: req.ip
+          });
+
+          res.json({ message: 'Archer ticket updated successfully', changes: this.changes });
+        }
+      );
+    });
+  });
+
+  // Helper: perform the actual Archer ticket deletion
+  function performArcherDelete(db, req, res, id, ticket) {
+    db.run('DELETE FROM archer_tickets WHERE id = ?', [id], function(err) {
+      if (err) {
+        console.error(err);
+        return res.status(500).json({ error: 'Internal server error.' });
+      }
+
+      logAudit(db, {
+        userId: req.user.id,
+        action: 'DELETE_ARCHER_TICKET',
+        entityType: 'archer_ticket',
+        entityId: String(id),
+        details: { deleted: ticket },
+        ipAddress: req.ip
+      });
+
+      res.json({ message: 'Archer ticket deleted successfully' });
+    });
+  }
+
+  // Delete Archer ticket
+  router.delete('/:id', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+    const { id } = req.params;
+
+    db.get('SELECT * FROM archer_tickets WHERE id = ?', [id], (err, ticket) => {
+      if (err) {
+        console.error(err);
+        return res.status(500).json({ error: 'Internal server error.' });
+      }
+      if (!ticket) {
+        return res.status(404).json({ error: 'Archer ticket not found.' });
+      }
+
+      // Admin bypasses all delete restrictions
+      if (req.user.group === 'Admin') {
+        return performArcherDelete(db, req, res, id, ticket);
+      }
+
+      // Standard_User: ownership check
+      if (ticket.created_by && ticket.created_by !== req.user.id) {
+        return res.status(403).json({ error: 'You can only delete resources you created' });
+      }
+
+      // Standard_User: compliance linkage check
+      const excNumber = ticket.exc_number;
+      db.all(
+        `SELECT ci.id, ci.extra_json
+         FROM compliance_items ci
+         JOIN compliance_uploads cu ON ci.upload_id = cu.id
+         WHERE ci.status = 'active' AND ci.extra_json LIKE ?`,
+        [`%${excNumber}%`],
+        (compErr, compLinks) => {
+          // If compliance_items table doesn't exist yet, treat as no linkage
+          if (compErr && compErr.message && compErr.message.includes('no such table')) {
+            compLinks = [];
+          } else if (compErr) {
+            console.error(compErr);
+            return res.status(500).json({ error: 'Internal server error.' });
+          }
+
+          const isLinked = (compLinks || []).some(cl => {
+            const json = cl.extra_json || '';
+            return json.includes(excNumber);
+          });
+
+          if (isLinked) {
+            return res.status(403).json({ error: 'Cannot delete ticket linked to compliance report. Contact an admin.' });
+          }
+
+          return performArcherDelete(db, req, res, id, ticket);
+        }
+      );
+    });
+  });
+
+  // GET /status-trend — ticket counts grouped by creation date + status
+  // Used for time-based Archer pipeline chart on the Compliance page.
+  router.get('/status-trend', requireAuth(db), (req, res) => {
+    db.all(
+      `SELECT DATE(created_at) AS date, status, COUNT(*) AS count
+       FROM archer_tickets
+       GROUP BY DATE(created_at), status
+       ORDER BY date ASC`,
+      [],
+      (err, rows) => {
+        if (err) {
+          console.error('Error fetching Archer status trend:', err);
+          return res.status(500).json({ error: 'Internal server error.' });
+        }
+        res.json({ statusTrend: rows });
+      }
+    );
+  });
+
+  return router;
+}
+
+module.exports = createArcherTicketsRouter;

backend/routes/auditLog.js

@@ -0,0 +1,114 @@
+// Audit Log Routes (Admin only)
+const express = require('express');
+
+function createAuditLogRouter(db, requireAuth, requireGroup) {
+    const router = express.Router();
+
+    // All routes require Admin group
+    router.use(requireAuth(db), requireGroup('Admin'));
+
+    // Get paginated audit logs with filters
+    router.get('/', async (req, res) => {
+        const {
+            page = 1,
+            limit = 25,
+            user,
+            action,
+            entityType,
+            startDate,
+            endDate
+        } = req.query;
+
+        const offset = (Math.max(1, parseInt(page)) - 1) * parseInt(limit);
+        const pageSize = Math.min(100, Math.max(1, parseInt(limit)));
+
+        let where = [];
+        let params = [];
+
+        if (user) {
+            where.push('username LIKE ?');
+            params.push(`%${user}%`);
+        }
+        if (action) {
+            where.push('action = ?');
+            params.push(action);
+        }
+        if (entityType) {
+            where.push('entity_type = ?');
+            params.push(entityType);
+        }
+        if (startDate) {
+            where.push('created_at >= ?');
+            params.push(startDate);
+        }
+        if (endDate) {
+            where.push('created_at <= ?');
+            params.push(endDate + ' 23:59:59');
+        }
+
+        const whereClause = where.length > 0 ? 'WHERE ' + where.join(' AND ') : '';
+
+        try {
+            // Get total count
+            const countRow = await new Promise((resolve, reject) => {
+                db.get(
+                    `SELECT COUNT(*) as total FROM audit_logs ${whereClause}`,
+                    params,
+                    (err, row) => {
+                        if (err) reject(err);
+                        else resolve(row);
+                    }
+                );
+            });
+
+            // Get paginated results
+            const rows = await new Promise((resolve, reject) => {
+                db.all(
+                    `SELECT * FROM audit_logs ${whereClause} ORDER BY created_at DESC LIMIT ? OFFSET ?`,
+                    [...params, pageSize, offset],
+                    (err, rows) => {
+                        if (err) reject(err);
+                        else resolve(rows);
+                    }
+                );
+            });
+
+            res.json({
+                logs: rows,
+                pagination: {
+                    page: parseInt(page),
+                    limit: pageSize,
+                    total: countRow.total,
+                    totalPages: Math.ceil(countRow.total / pageSize)
+                }
+            });
+        } catch (err) {
+            console.error('Audit log query error:', err);
+            res.status(500).json({ error: 'Failed to fetch audit logs' });
+        }
+    });
+
+    // Get distinct action types for filter dropdown
+    router.get('/actions', async (req, res) => {
+        try {
+            const rows = await new Promise((resolve, reject) => {
+                db.all(
+                    'SELECT DISTINCT action FROM audit_logs ORDER BY action',
+                    (err, rows) => {
+                        if (err) reject(err);
+                        else resolve(rows);
+                    }
+                );
+            });
+
+            res.json(rows.map(r => r.action));
+        } catch (err) {
+            console.error('Audit log actions error:', err);
+            res.status(500).json({ error: 'Failed to fetch actions' });
+        }
+    });
+
+    return router;
+}
+
+module.exports = createAuditLogRouter;

backend/routes/auth.js

@@ -2,12 +2,35 @@
 const express = require('express');
 const bcrypt = require('bcryptjs');
 const crypto = require('crypto');
+const rateLimit = require('express-rate-limit');
+const { requireAuth, requireGroup } = require('../middleware/auth');
 
-function createAuthRouter(db) {
+const loginLimiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 20, // 20 attempts per window
+    standardHeaders: true,
+    legacyHeaders: false,
+    message: { error: 'Too many login attempts. Please try again in 15 minutes.' }
+});
+
+function createAuthRouter(db, logAudit) {
     const router = express.Router();
 
-    // Login
-    router.post('/login', async (req, res) => {
+    /**
+     * POST /api/auth/login
+     *
+     * Authenticates a user with username and password, creates a session,
+     * and sets an httpOnly session cookie. Rate-limited to 20 attempts per 15 minutes.
+     *
+     * @body {string} username - The user's login username
+     * @body {string} password - The user's password
+     * @returns {object} 200 - { message: 'Login successful', user: { id, username, email, group } }
+     * @returns {object} 400 - { error: 'Username and password are required' }
+     * @returns {object} 401 - { error: 'Invalid username or password' } | { error: 'Account is disabled' }
+     * @returns {object} 429 - { error: 'Too many login attempts. Please try again in 15 minutes.' }
+     * @returns {object} 500 - { error: 'Login failed' }
+     */
+    router.post('/login', loginLimiter, async (req, res) => {
         const { username, password } = req.body;
 
         if (!username || !password) {
@@ -28,16 +51,43 @@ function createAuthRouter(db) {
             });
 
             if (!user) {
+                logAudit(db, {
+                    userId: null,
+                    username: username,
+                    action: 'login_failed',
+                    entityType: 'auth',
+                    entityId: null,
+                    details: { reason: 'user_not_found' },
+                    ipAddress: req.ip
+                });
                 return res.status(401).json({ error: 'Invalid username or password' });
             }
 
             if (!user.is_active) {
+                logAudit(db, {
+                    userId: user.id,
+                    username: username,
+                    action: 'login_failed',
+                    entityType: 'auth',
+                    entityId: null,
+                    details: { reason: 'account_disabled' },
+                    ipAddress: req.ip
+                });
                 return res.status(401).json({ error: 'Account is disabled' });
             }
 
             // Verify password
             const validPassword = await bcrypt.compare(password, user.password_hash);
             if (!validPassword) {
+                logAudit(db, {
+                    userId: user.id,
+                    username: username,
+                    action: 'login_failed',
+                    entityType: 'auth',
+                    entityId: null,
+                    details: { reason: 'invalid_password' },
+                    ipAddress: req.ip
+                });
                 return res.status(401).json({ error: 'Invalid username or password' });
             }
 
@@ -77,13 +127,23 @@ function createAuthRouter(db) {
                 maxAge: 24 * 60 * 60 * 1000 // 24 hours
             });
 
+            logAudit(db, {
+                userId: user.id,
+                username: user.username,
+                action: 'login',
+                entityType: 'auth',
+                entityId: null,
+                details: { group: user.user_group },
+                ipAddress: req.ip
+            });
+
             res.json({
                 message: 'Login successful',
                 user: {
                     id: user.id,
                     username: user.username,
                     email: user.email,
-                    role: user.role
+                    group: user.user_group
                 }
             });
         } catch (err) {
@@ -92,11 +152,29 @@ function createAuthRouter(db) {
         }
     });
 
-    // Logout
+    /**
+     * POST /api/auth/logout
+     *
+     * Ends the current user session by deleting it from the database
+     * and clearing the session cookie.
+     *
+     * @returns {object} 200 - { message: 'Logged out successfully' }
+     */
     router.post('/logout', async (req, res) => {
         const sessionId = req.cookies?.session_id;
 
         if (sessionId) {
+            // Look up user before deleting session
+            const session = await new Promise((resolve) => {
+                db.get(
+                    `SELECT u.id as user_id, u.username FROM sessions s
+                     JOIN users u ON s.user_id = u.id
+                     WHERE s.session_id = ?`,
+                    [sessionId],
+                    (err, row) => resolve(row || null)
+                );
+            });
+
             // Delete session from database
             await new Promise((resolve) => {
                 db.run(
@@ -105,6 +183,18 @@ function createAuthRouter(db) {
                     () => resolve()
                 );
             });
+
+            if (session) {
+                logAudit(db, {
+                    userId: session.user_id,
+                    username: session.username,
+                    action: 'logout',
+                    entityType: 'auth',
+                    entityId: null,
+                    details: null,
+                    ipAddress: req.ip
+                });
+            }
         }
 
         // Clear cookie
@@ -112,7 +202,16 @@ function createAuthRouter(db) {
         res.json({ message: 'Logged out successfully' });
     });
 
-    // Get current user
+    /**
+     * GET /api/auth/me
+     *
+     * Returns the currently authenticated user based on the session cookie.
+     * Clears the cookie and returns 401 if the session is expired or the account is disabled.
+     *
+     * @returns {object} 200 - { user: { id, username, email, group } }
+     * @returns {object} 401 - { error: 'Not authenticated' } | { error: 'Session expired' } | { error: 'Account is disabled' }
+     * @returns {object} 500 - { error: 'Failed to get user' }
+     */
     router.get('/me', async (req, res) => {
         const sessionId = req.cookies?.session_id;
 
@@ -123,7 +222,7 @@ function createAuthRouter(db) {
         try {
             const session = await new Promise((resolve, reject) => {
                 db.get(
-                    `SELECT s.*, u.id as user_id, u.username, u.email, u.role, u.is_active
+                    `SELECT s.*, u.id as user_id, u.username, u.email, u.user_group, u.is_active
                      FROM sessions s
                      JOIN users u ON s.user_id = u.id
                      WHERE s.session_id = ? AND s.expires_at > datetime('now')`,
@@ -150,7 +249,7 @@ function createAuthRouter(db) {
                     id: session.user_id,
                     username: session.username,
                     email: session.email,
-                    role: session.role
+                    group: session.user_group
                 }
             });
         } catch (err) {
@@ -159,8 +258,17 @@ function createAuthRouter(db) {
         }
     });
 
-    // Clean up expired sessions (can be called periodically)
-    router.post('/cleanup-sessions', async (req, res) => {
+    /**
+     * POST /api/auth/cleanup-sessions
+     *
+     * Deletes all expired sessions from the database. Requires Admin group.
+     *
+     * @returns {object} 200 - { message: 'Expired sessions cleaned up' }
+     * @returns {object} 401 - { error: 'Authentication required' }
+     * @returns {object} 403 - { error: 'Insufficient permissions', required: ['Admin'], current: '...' }
+     * @returns {object} 500 - { error: 'Cleanup failed' }
+     */
+    router.post('/cleanup-sessions', requireAuth(db), requireGroup('Admin'), async (req, res) => {
         try {
             await new Promise((resolve, reject) => {
                 db.run(

backend/routes/compliance.js

@@ -0,0 +1,712 @@
+// Compliance Routes — AEO metric tracking
+// Handles xlsx upload/parse, non-compliant item history, and notes.
+//
+// Endpoints:
+//   POST /preview          — parse xlsx, compute diff vs DB, return summary (no DB write)
+//   POST /commit           — commit a previewed upload to DB
+//   GET  /uploads          — list all uploads
+//   GET  /summary          — metric health cards for a team (from latest upload)
+//   GET  /items            — non-compliant devices grouped by hostname (?team=X&status=active)
+//   GET  /items/:hostname  — detail panel: all metrics + notes + upload history for a device
+//   POST /notes            — add a note to a (hostname, metric_id) pair
+//   GET  /notes/:hostname/:metricId — notes for a specific device+metric
+
+const express  = require('express');
+const path     = require('path');
+const fs       = require('fs');
+const { spawn } = require('child_process');
+
+const PARSER_SCRIPT = path.join(__dirname, '../scripts/parse_compliance_xlsx.py');
+const PYTHON_BIN    = process.env.PYTHON_BIN || 'python3';
+const TEMP_DIR      = path.join(process.cwd(), 'uploads', 'temp');
+const ALLOWED_TEAMS = new Set(['STEAM', 'ACCESS-ENG', 'ACCESS-OPS', 'INTELDEV']);
+
+// ---------------------------------------------------------------------------
+// DB helpers
+// ---------------------------------------------------------------------------
+function dbRun(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.run(sql, params, function (err) {
+            if (err) reject(err);
+            else resolve({ lastID: this.lastID, changes: this.changes });
+        });
+    });
+}
+function dbGet(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.get(sql, params, (err, row) => { if (err) reject(err); else resolve(row || null); });
+    });
+}
+function dbAll(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.all(sql, params, (err, rows) => { if (err) reject(err); else resolve(rows || []); });
+    });
+}
+
+// ---------------------------------------------------------------------------
+// Run Python parser, return parsed object
+// ---------------------------------------------------------------------------
+function parseXlsx(filePath) {
+    return new Promise((resolve, reject) => {
+        const py = spawn(PYTHON_BIN, [PARSER_SCRIPT, filePath]);
+        let out = '';
+        let err = '';
+        py.stdout.on('data', d => { out += d; });
+        py.stderr.on('data', d => { err += d; });
+        py.on('close', code => {
+            if (code !== 0) return reject(new Error(err || `Parser exited with code ${code}`));
+            try { resolve(JSON.parse(out)); }
+            catch (e) { reject(new Error('Parser returned invalid JSON')); }
+        });
+        py.on('error', reject);
+    });
+}
+
+// ---------------------------------------------------------------------------
+// Validate that a temp file path is safely within uploads/temp/
+// ---------------------------------------------------------------------------
+function isSafeTempPath(filePath) {
+    const resolved = path.resolve(filePath);
+    return resolved.startsWith(TEMP_DIR + path.sep) && path.extname(resolved) === '.json';
+}
+
+// ---------------------------------------------------------------------------
+// Compute diff: new / recurring / resolved
+// ---------------------------------------------------------------------------
+async function computeDiff(db, incomingItems) {
+    const activeRows = await dbAll(db,
+        `SELECT hostname, metric_id FROM compliance_items WHERE status = 'active'`
+    );
+    const activeKeys = new Set(activeRows.map(r => `${r.hostname}|||${r.metric_id}`));
+    const newKeys    = new Set(incomingItems.map(i => `${i.hostname}|||${i.metric_id}`));
+
+    let newCount = 0, recurringCount = 0, resolvedCount = 0;
+    for (const k of newKeys)    { if (activeKeys.has(k)) recurringCount++; else newCount++; }
+    for (const k of activeKeys) { if (!newKeys.has(k))   resolvedCount++; }
+
+    return { newCount, recurringCount, resolvedCount };
+}
+
+// ---------------------------------------------------------------------------
+// Write a parsed upload to the DB (within a transaction)
+// ---------------------------------------------------------------------------
+async function persistUpload(db, { items, summary, reportDate, filename, userId }) {
+    // Pull current active items before we modify anything
+    const activeRows = await dbAll(db,
+        `SELECT id, hostname, metric_id, seen_count, first_seen_upload_id FROM compliance_items WHERE status = 'active'`
+    );
+    const activeMap = {};
+    activeRows.forEach(r => { activeMap[`${r.hostname}|||${r.metric_id}`] = r; });
+
+    const newKeys = new Set(items.map(i => `${i.hostname}|||${i.metric_id}`));
+
+    await dbRun(db, 'BEGIN TRANSACTION');
+    try {
+        // 1. Insert the upload record
+        const { lastID: uploadId } = await dbRun(db,
+            `INSERT INTO compliance_uploads (filename, report_date, uploaded_by, uploaded_at, summary_json)
+             VALUES (?, ?, ?, datetime('now'), ?)`,
+            [filename, reportDate || null, userId || null, JSON.stringify(summary)]
+        );
+
+        let newCount = 0, recurringCount = 0, resolvedCount = 0;
+
+        // 2. Upsert each incoming non-compliant item
+        for (const item of items) {
+            const key      = `${item.hostname}|||${item.metric_id}`;
+            const existing = activeMap[key];
+            const extraStr = JSON.stringify(item.extra_json || {});
+
+            if (existing) {
+                // Recurring — bump seen_count, refresh snapshot fields
+                await dbRun(db,
+                    `UPDATE compliance_items
+                     SET upload_id = ?, seen_count = ?, ip_address = ?, device_type = ?, extra_json = ?
+                     WHERE id = ?`,
+                    [uploadId, existing.seen_count + 1, item.ip_address, item.device_type, extraStr, existing.id]
+                );
+                recurringCount++;
+            } else {
+                // New item (or previously resolved and re-appearing)
+                await dbRun(db,
+                    `INSERT INTO compliance_items
+                     (upload_id, hostname, ip_address, device_type, team, metric_id, metric_desc,
+                      category, extra_json, status, first_seen_upload_id, seen_count)
+                     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, 'active', ?, 1)`,
+                    [uploadId, item.hostname, item.ip_address, item.device_type, item.team,
+                     item.metric_id, item.metric_desc, item.category, extraStr, uploadId]
+                );
+                newCount++;
+            }
+        }
+
+        // 3. Mark items not present in this upload as resolved
+        for (const [key, row] of Object.entries(activeMap)) {
+            if (!newKeys.has(key)) {
+                await dbRun(db,
+                    `UPDATE compliance_items
+                     SET status = 'resolved', resolved_upload_id = ?
+                     WHERE id = ?`,
+                    [uploadId, row.id]
+                );
+                resolvedCount++;
+            }
+        }
+
+        // 4. Update upload with final counts
+        await dbRun(db,
+            `UPDATE compliance_uploads
+             SET new_count = ?, resolved_count = ?, recurring_count = ?
+             WHERE id = ?`,
+            [newCount, resolvedCount, recurringCount, uploadId]
+        );
+
+        await dbRun(db, 'COMMIT');
+        return { uploadId, newCount, recurringCount, resolvedCount };
+
+    } catch (err) {
+        await dbRun(db, 'ROLLBACK').catch(() => {});
+        throw err;
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Group flat compliance_items rows into per-device objects
+// ---------------------------------------------------------------------------
+function groupByHostname(rows, noteHostnames) {
+    const deviceMap = {};
+
+    for (const row of rows) {
+        if (!deviceMap[row.hostname]) {
+            deviceMap[row.hostname] = {
+                hostname:        row.hostname,
+                ip_address:      row.ip_address  || '',
+                device_type:     row.device_type || '',
+                team:            row.team        || '',
+                status:          row.status,
+                failing_metrics: [],
+                seen_count:      row.seen_count  || 1,
+                first_seen:      row.first_seen  || null,
+                last_seen:       row.last_seen   || null,
+                resolved_on:     row.resolved_on || null,
+                has_notes:       noteHostnames.has(row.hostname),
+            };
+        }
+
+        const dev = deviceMap[row.hostname];
+        dev.failing_metrics.push({
+            metric_id:   row.metric_id,
+            metric_desc: row.metric_desc  || '',
+            category:    row.category     || '',
+        });
+        // Use the highest seen_count and earliest first_seen across all metrics
+        if ((row.seen_count || 1) > dev.seen_count) dev.seen_count = row.seen_count;
+        if (row.first_seen && (!dev.first_seen || row.first_seen < dev.first_seen))
+            dev.first_seen = row.first_seen;
+        if (row.last_seen  && (!dev.last_seen  || row.last_seen  > dev.last_seen))
+            dev.last_seen  = row.last_seen;
+    }
+
+    return Object.values(deviceMap);
+}
+
+// ---------------------------------------------------------------------------
+// Router factory
+// ---------------------------------------------------------------------------
+function createComplianceRouter(db, upload, requireAuth, requireGroup) {
+    const router = express.Router();
+
+    // Idempotent column additions — errors mean column already exists, which is fine
+    db.run(`ALTER TABLE compliance_items   ADD COLUMN seen_count   INTEGER DEFAULT 1`, () => {});
+    db.run(`ALTER TABLE compliance_uploads ADD COLUMN summary_json TEXT`,              () => {});
+
+    // All compliance routes require authentication
+    router.use(requireAuth(db));
+
+    // -----------------------------------------------------------------------
+    // POST /preview
+    // Parse the uploaded xlsx, compute diff, save parsed data to a temp JSON.
+    // Returns diff counts + tempFile path for the commit step.
+    // -----------------------------------------------------------------------
+    router.post('/preview', requireGroup('Admin', 'Standard_User'), (req, res) => {
+        upload.single('file')(req, res, async (uploadErr) => {
+            if (uploadErr) {
+                return res.status(400).json({ error: uploadErr.message });
+            }
+            if (!req.file) {
+                return res.status(400).json({ error: 'No file uploaded' });
+            }
+            if (path.extname(req.file.originalname).toLowerCase() !== '.xlsx') {
+                fs.unlink(req.file.path, () => {});
+                return res.status(400).json({ error: 'File must be an .xlsx spreadsheet' });
+            }
+
+            try {
+                const parsed = await parseXlsx(req.file.path);
+
+                if (parsed.error) {
+                    fs.unlink(req.file.path, () => {});
+                    return res.status(422).json({ error: parsed.error });
+                }
+
+                const diff = await computeDiff(db, parsed.items);
+
+                // Save parsed data to temp JSON — the commit step reads this
+                if (!fs.existsSync(TEMP_DIR)) fs.mkdirSync(TEMP_DIR, { recursive: true });
+                const tempFilename = `compliance_preview_${Date.now()}_${Math.random().toString(36).slice(2)}.json`;
+                const tempFilePath = path.join(TEMP_DIR, tempFilename);
+
+                fs.writeFileSync(tempFilePath, JSON.stringify({
+                    items:       parsed.items,
+                    summary:     parsed.summary,
+                    report_date: parsed.report_date,
+                    filename:    req.file.originalname.replace(/[^\w.\-() ]/g, '_'),
+                }));
+
+                // Delete the original xlsx from temp (we only need the JSON now)
+                fs.unlink(req.file.path, () => {});
+
+                res.json({
+                    diff: {
+                        new_count:       diff.newCount,
+                        recurring_count: diff.recurringCount,
+                        resolved_count:  diff.resolvedCount,
+                    },
+                    tempFile:    tempFilePath,
+                    filename:    req.file.originalname,
+                    report_date: parsed.report_date,
+                    total_items: parsed.total,
+                });
+
+            } catch (err) {
+                fs.unlink(req.file.path, () => {});
+                console.error('[Compliance] Preview error:', err.message);
+                res.status(500).json({ error: 'Failed to parse file: ' + err.message });
+            }
+        });
+    });
+
+    // -----------------------------------------------------------------------
+    // POST /commit
+    // Commit a previewed upload to the DB.
+    // Body: { tempFile, filename, report_date }
+    // -----------------------------------------------------------------------
+    router.post('/commit', requireGroup('Admin', 'Standard_User'), async (req, res) => {
+        const { tempFile, filename, report_date } = req.body;
+
+        if (!tempFile || typeof tempFile !== 'string') {
+            return res.status(400).json({ error: 'tempFile is required' });
+        }
+        if (!isSafeTempPath(tempFile)) {
+            return res.status(400).json({ error: 'Invalid tempFile path' });
+        }
+        if (!fs.existsSync(tempFile)) {
+            return res.status(400).json({ error: 'Preview session expired — please upload again' });
+        }
+
+        let parsed;
+        try {
+            parsed = JSON.parse(fs.readFileSync(tempFile, 'utf8'));
+        } catch {
+            return res.status(400).json({ error: 'Could not read preview data — please upload again' });
+        }
+
+        try {
+            const result = await persistUpload(db, {
+                items:      parsed.items,
+                summary:    parsed.summary,
+                reportDate: report_date || parsed.report_date,
+                filename:   filename   || parsed.filename,
+                userId:     req.user?.id || null,
+            });
+
+            fs.unlink(tempFile, () => {});
+
+            const upload = await dbGet(db,
+                `SELECT id, filename, report_date, uploaded_at,
+                        new_count, resolved_count, recurring_count
+                 FROM compliance_uploads WHERE id = ?`,
+                [result.uploadId]
+            );
+
+            res.json({ upload });
+
+        } catch (err) {
+            console.error('[Compliance] Commit error:', err.message);
+            res.status(500).json({ error: 'Failed to commit upload: ' + err.message });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /uploads
+    // List all uploads, most recent first.
+    // -----------------------------------------------------------------------
+    router.get('/uploads', async (req, res) => {
+        try {
+            const rows = await dbAll(db,
+                `SELECT id, filename, report_date, uploaded_at,
+                        new_count, resolved_count, recurring_count
+                 FROM compliance_uploads
+                 ORDER BY id DESC`
+            );
+            res.json({ uploads: rows });
+        } catch (err) {
+            console.error('[Compliance] GET /uploads error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /summary?team=STEAM
+    // Return metric health rows for a team from the latest upload's summary_json.
+    // -----------------------------------------------------------------------
+    router.get('/summary', async (req, res) => {
+        const team = req.query.team;
+        if (team && !ALLOWED_TEAMS.has(team)) {
+            return res.status(400).json({ error: 'Invalid team' });
+        }
+
+        try {
+            const latestUpload = await dbGet(db,
+                `SELECT id, summary_json, report_date, uploaded_at
+                 FROM compliance_uploads ORDER BY id DESC LIMIT 1`
+            );
+            if (!latestUpload || !latestUpload.summary_json) {
+                return res.json({ entries: [], overall_scores: {}, upload: null });
+            }
+
+            let summary;
+            try { summary = JSON.parse(latestUpload.summary_json); }
+            catch { return res.json({ entries: [], overall_scores: {}, upload: null }); }
+
+            let entries = summary.entries || [];
+            if (team) {
+                entries = entries.filter(e => e.team === team);
+            }
+
+            res.json({
+                entries,
+                overall_scores: summary.overall_scores || {},
+                upload: {
+                    id:          latestUpload.id,
+                    report_date: latestUpload.report_date,
+                    uploaded_at: latestUpload.uploaded_at,
+                },
+            });
+        } catch (err) {
+            console.error('[Compliance] GET /summary error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /items?team=STEAM&status=active
+    // Return non-compliant devices grouped by hostname.
+    // -----------------------------------------------------------------------
+    router.get('/items', async (req, res) => {
+        const { team, status = 'active' } = req.query;
+
+        if (!team) return res.status(400).json({ error: 'team is required' });
+        if (!ALLOWED_TEAMS.has(team)) return res.status(400).json({ error: 'Invalid team' });
+        if (!['active', 'resolved'].includes(status)) return res.status(400).json({ error: 'Invalid status' });
+
+        try {
+            const rows = await dbAll(db,
+                `SELECT
+                     ci.hostname, ci.ip_address, ci.device_type, ci.team,
+                     ci.metric_id, ci.metric_desc, ci.category,
+                     ci.status, ci.seen_count,
+                     fu.report_date AS first_seen,
+                     lu.report_date AS last_seen,
+                     ru.report_date AS resolved_on
+                 FROM compliance_items ci
+                 LEFT JOIN compliance_uploads fu ON ci.first_seen_upload_id = fu.id
+                 LEFT JOIN compliance_uploads lu ON ci.upload_id             = lu.id
+                 LEFT JOIN compliance_uploads ru ON ci.resolved_upload_id    = ru.id
+                 WHERE ci.team = ? AND ci.status = ?
+                 ORDER BY ci.hostname, ci.metric_id`,
+                [team, status]
+            );
+
+            // Fetch hostnames that have any notes (for the has_notes indicator)
+            const noteRows = await dbAll(db,
+                `SELECT DISTINCT hostname FROM compliance_notes`
+            );
+            const noteHostnames = new Set(noteRows.map(r => r.hostname));
+
+            const devices = groupByHostname(rows, noteHostnames);
+
+            res.json({ devices, team, status });
+
+        } catch (err) {
+            console.error('[Compliance] GET /items error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /items/:hostname
+    // Detail panel: all metric rows for this hostname + notes + upload history.
+    // -----------------------------------------------------------------------
+    router.get('/items/:hostname', async (req, res) => {
+        const hostname = req.params.hostname;
+        if (!hostname || hostname.length > 300) {
+            return res.status(400).json({ error: 'Invalid hostname' });
+        }
+
+        try {
+            // All metric rows for this hostname
+            const metricRows = await dbAll(db,
+                `SELECT
+                     ci.metric_id, ci.metric_desc, ci.category, ci.status,
+                     ci.ip_address, ci.device_type, ci.team,
+                     ci.seen_count, ci.extra_json,
+                     fu.report_date AS first_seen,
+                     fu.uploaded_at AS first_seen_at,
+                     lu.report_date AS last_seen,
+                     lu.uploaded_at AS last_seen_at,
+                     ru.report_date AS resolved_on
+                 FROM compliance_items ci
+                 LEFT JOIN compliance_uploads fu ON ci.first_seen_upload_id = fu.id
+                 LEFT JOIN compliance_uploads lu ON ci.upload_id             = lu.id
+                 LEFT JOIN compliance_uploads ru ON ci.resolved_upload_id    = ru.id
+                 WHERE ci.hostname = ?
+                 ORDER BY ci.status DESC, ci.metric_id`,
+                [hostname]
+            );
+
+            if (metricRows.length === 0) {
+                return res.status(404).json({ error: 'Device not found' });
+            }
+
+            // Parse extra_json on each row
+            const metrics = metricRows.map(r => ({
+                ...r,
+                extra: (() => { try { return JSON.parse(r.extra_json || '{}'); } catch { return {}; } })(),
+                extra_json: undefined,
+            }));
+
+            // Notes (all metrics for this hostname, sorted newest first)
+            const notes = await dbAll(db,
+                `SELECT cn.id, cn.metric_id, cn.note, cn.created_at,
+                        u.username AS created_by
+                 FROM compliance_notes cn
+                 LEFT JOIN users u ON cn.created_by = u.id
+                 WHERE cn.hostname = ?
+                 ORDER BY cn.created_at DESC`,
+                [hostname]
+            );
+
+            // Derive device identity from the first active row, else any row
+            const identity = metricRows.find(r => r.status === 'active') || metricRows[0];
+
+            res.json({
+                hostname,
+                ip_address:  identity.ip_address  || '',
+                device_type: identity.device_type || '',
+                team:        identity.team        || '',
+                metrics,
+                notes,
+            });
+
+        } catch (err) {
+            console.error('[Compliance] GET /items/:hostname error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // POST /notes
+    // Add a note to a (hostname, metric_id) pair.
+    // Body: { hostname, metric_id, note }
+    // -----------------------------------------------------------------------
+    router.post('/notes', requireGroup('Admin', 'Standard_User'), async (req, res) => {
+        const { hostname, metric_id, note } = req.body;
+
+        if (!hostname || typeof hostname !== 'string' || hostname.length > 300 || !/^[a-zA-Z0-9._-]+$/.test(hostname)) {
+            return res.status(400).json({ error: 'Invalid hostname format' });
+        }
+        if (!metric_id || typeof metric_id !== 'string' || metric_id.length > 50) {
+            return res.status(400).json({ error: 'Invalid metric_id' });
+        }
+        const noteText = String(note || '').trim().slice(0, 1000);
+        if (!noteText) {
+            return res.status(400).json({ error: 'Note cannot be empty' });
+        }
+
+        try {
+            const { lastID } = await dbRun(db,
+                `INSERT INTO compliance_notes (hostname, metric_id, note, created_by, created_at)
+                 VALUES (?, ?, ?, ?, datetime('now'))`,
+                [hostname, metric_id, noteText, req.user?.id || null]
+            );
+
+            const created = await dbGet(db,
+                `SELECT cn.id, cn.hostname, cn.metric_id, cn.note, cn.created_at,
+                        u.username AS created_by
+                 FROM compliance_notes cn
+                 LEFT JOIN users u ON cn.created_by = u.id
+                 WHERE cn.id = ?`,
+                [lastID]
+            );
+
+            res.status(201).json(created);
+
+        } catch (err) {
+            console.error('[Compliance] POST /notes error:', err.message);
+            res.status(500).json({ error: 'Failed to save note' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /notes/:hostname/:metricId
+    // Return all notes for a (hostname, metric_id) pair.
+    // -----------------------------------------------------------------------
+    router.get('/notes/:hostname/:metricId', async (req, res) => {
+        const { hostname, metricId } = req.params;
+
+        if (!hostname || hostname.length > 300) return res.status(400).json({ error: 'Invalid hostname' });
+        if (!metricId || metricId.length > 50)  return res.status(400).json({ error: 'Invalid metricId' });
+
+        try {
+            const notes = await dbAll(db,
+                `SELECT cn.id, cn.note, cn.created_at, u.username AS created_by
+                 FROM compliance_notes cn
+                 LEFT JOIN users u ON cn.created_by = u.id
+                 WHERE cn.hostname = ? AND cn.metric_id = ?
+                 ORDER BY cn.created_at DESC`,
+                [hostname, metricId]
+            );
+            res.json({ notes });
+        } catch (err) {
+            console.error('[Compliance] GET /notes error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /trends
+    // Per-upload active totals + per-team counts for time-series charts.
+    // Returns rows ordered ascending by report_date.
+    // -----------------------------------------------------------------------
+    router.get('/trends', async (req, res) => {
+        try {
+            const uploads = await dbAll(db,
+                `SELECT id, report_date,
+                        COALESCE(new_count, 0)       AS new_count,
+                        COALESCE(recurring_count, 0) AS recurring_count,
+                        COALESCE(resolved_count, 0)  AS resolved_count,
+                        COALESCE(new_count, 0) + COALESCE(recurring_count, 0) AS total_active
+                 FROM compliance_uploads
+                 ORDER BY report_date ASC`
+            );
+
+            if (uploads.length === 0) return res.json({ trends: [] });
+
+            // Per-team active counts — items whose upload_id matches the upload
+            // (recurring items have upload_id bumped each cycle, so this is accurate)
+            const teamRows = await dbAll(db,
+                `SELECT ci.upload_id, ci.team, COUNT(ci.id) AS count
+                 FROM compliance_items ci
+                 WHERE ci.team IS NOT NULL
+                 GROUP BY ci.upload_id, ci.team`
+            );
+
+            const teamMap = {};
+            teamRows.forEach(r => {
+                if (!teamMap[r.upload_id]) teamMap[r.upload_id] = {};
+                teamMap[r.upload_id][r.team] = r.count;
+            });
+
+            const trends = uploads.map(u => ({
+                report_date:      u.report_date,
+                new_count:        u.new_count,
+                recurring_count:  u.recurring_count,
+                resolved_count:   u.resolved_count,
+                total_active:     u.total_active,
+                STEAM:            teamMap[u.id]?.STEAM            || 0,
+                'ACCESS-ENG':     teamMap[u.id]?.['ACCESS-ENG']   || 0,
+                'ACCESS-OPS':     teamMap[u.id]?.['ACCESS-OPS']   || 0,
+                INTELDEV:         teamMap[u.id]?.INTELDEV          || 0,
+            }));
+
+            res.json({ trends });
+        } catch (err) {
+            console.error('[Compliance] GET /trends error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /mttr
+    // Mean time to resolution (calendar days) per team, for resolved items.
+    // -----------------------------------------------------------------------
+    router.get('/mttr', async (req, res) => {
+        try {
+            const rows = await dbAll(db,
+                `SELECT
+                     ci.team,
+                     ROUND(AVG(JULIANDAY(ru.report_date) - JULIANDAY(fu.report_date)), 1) AS avg_days,
+                     COUNT(*) AS resolved_count
+                 FROM compliance_items ci
+                 JOIN compliance_uploads fu ON ci.first_seen_upload_id = fu.id
+                 JOIN compliance_uploads ru ON ci.resolved_upload_id    = ru.id
+                 WHERE ci.resolved_upload_id IS NOT NULL
+                   AND fu.report_date IS NOT NULL
+                   AND ru.report_date IS NOT NULL
+                 GROUP BY ci.team
+                 ORDER BY avg_days DESC`
+            );
+            res.json({ mttr: rows });
+        } catch (err) {
+            console.error('[Compliance] GET /mttr error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /top-recurring
+    // Active findings grouped by team + metric_id, sorted by seen_count desc.
+    // Identifies chronic compliance gaps that keep reappearing.
+    // -----------------------------------------------------------------------
+    router.get('/top-recurring', async (req, res) => {
+        try {
+            const rows = await dbAll(db,
+                `SELECT team, metric_id, metric_desc, seen_count, COUNT(*) AS host_count
+                 FROM compliance_items
+                 WHERE status = 'active'
+                 GROUP BY team, metric_id
+                 ORDER BY seen_count DESC, host_count DESC
+                 LIMIT 20`
+            );
+            res.json({ items: rows });
+        } catch (err) {
+            console.error('[Compliance] GET /top-recurring error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /category-trend
+    // Active item counts per category per upload, for stacked area chart.
+    // -----------------------------------------------------------------------
+    router.get('/category-trend', async (req, res) => {
+        try {
+            const rows = await dbAll(db,
+                `SELECT cu.report_date, COALESCE(ci.category, 'Unknown') AS category, COUNT(ci.id) AS count
+                 FROM compliance_uploads cu
+                 JOIN compliance_items ci ON ci.upload_id = cu.id
+                 GROUP BY cu.id, category
+                 ORDER BY cu.report_date ASC`
+            );
+            res.json({ categoryTrend: rows });
+        } catch (err) {
+            console.error('[Compliance] GET /category-trend error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    return router;
+}
+
+module.exports = createComplianceRouter;

backend/routes/ivantiArchive.js

@@ -0,0 +1,162 @@
+// Ivanti Archive Routes — list, stats, and transition history for archived findings
+const express = require('express');
+
+const VALID_STATES = ['ACTIVE', 'ARCHIVED', 'RETURNED', 'CLOSED'];
+
+function createIvantiArchiveRouter(db, requireAuth) {
+    const router = express.Router();
+
+    // All routes require authentication
+    router.use(requireAuth(db));
+
+    /**
+     * GET /
+     * List archive records with optional state filtering.
+     *
+     * @query {string} [state] - Filter by lifecycle state (ACTIVE, ARCHIVED, RETURNED, CLOSED)
+     * @returns {Object} 200 - { archives: Array<ArchiveRecord>, total: number }
+     * @returns {Object} 400 - { error: string } when state param is invalid
+     * @returns {Object} 500 - { error: string } on database failure
+     */
+    router.get('/', async (req, res) => {
+        const { state } = req.query;
+
+        if (state && !VALID_STATES.includes(state)) {
+            return res.status(400).json({
+                error: 'Invalid state parameter. Valid values: ACTIVE, ARCHIVED, RETURNED, CLOSED'
+            });
+        }
+
+        try {
+            let query = 'SELECT * FROM ivanti_finding_archives';
+            const params = [];
+
+            if (state) {
+                query += ' WHERE current_state = ?';
+                params.push(state);
+            }
+
+            query += ' ORDER BY last_transition_at DESC';
+
+            const archives = await new Promise((resolve, reject) => {
+                db.all(query, params, (err, rows) => {
+                    if (err) reject(err);
+                    else resolve(rows || []);
+                });
+            });
+
+            res.json({ archives, total: archives.length });
+        } catch (err) {
+            console.error('Archive list error:', err);
+            res.status(500).json({ error: 'Failed to fetch archive records' });
+        }
+    });
+
+    /**
+     * GET /stats
+     * Summary counts of archive records by lifecycle state.
+     * ACTIVE is implicit: live findings in the cache that have no ARCHIVED/RETURNED archive record.
+     *
+     * @returns {Object} 200 - { ACTIVE: number, ARCHIVED: number, RETURNED: number, CLOSED: number, total: number }
+     * @returns {Object} 500 - { error: string } on database failure
+     */
+    router.get('/stats', async (req, res) => {
+        try {
+            // Count archive records by state
+            const rows = await new Promise((resolve, reject) => {
+                db.all(
+                    `SELECT current_state, COUNT(*) as count
+                     FROM ivanti_finding_archives
+                     GROUP BY current_state`,
+                    (err, rows) => {
+                        if (err) reject(err);
+                        else resolve(rows || []);
+                    }
+                );
+            });
+
+            const stats = { ACTIVE: 0, ARCHIVED: 0, RETURNED: 0, CLOSED: 0 };
+
+            for (const row of rows) {
+                if (stats.hasOwnProperty(row.current_state)) {
+                    stats[row.current_state] = row.count;
+                }
+            }
+
+            // Compute ACTIVE: total live findings minus those with ARCHIVED or RETURNED records
+            const cacheRow = await new Promise((resolve, reject) => {
+                db.get(
+                    'SELECT total FROM ivanti_findings_cache WHERE id = 1',
+                    (err, row) => {
+                        if (err) reject(err);
+                        else resolve(row);
+                    }
+                );
+            });
+
+            const liveFindingsCount = (cacheRow && cacheRow.total) || 0;
+            // Findings that are ARCHIVED or RETURNED are "missing" from the live set,
+            // so ACTIVE = live count (all findings currently present in sync results)
+            stats.ACTIVE = liveFindingsCount;
+
+            const total = stats.ACTIVE + stats.ARCHIVED + stats.RETURNED + stats.CLOSED;
+
+            res.json({ ...stats, total });
+        } catch (err) {
+            console.error('Archive stats error:', err);
+            res.status(500).json({ error: 'Failed to fetch archive stats' });
+        }
+    });
+
+    /**
+     * GET /:findingId/history
+     * Transition history for a specific archived finding, ordered by most recent first.
+     * Returns an empty transitions array if the finding has no archive record.
+     *
+     * @param {string} findingId - Ivanti finding identifier (route param)
+     * @returns {Object} 200 - { finding_id: string, transitions: Array<TransitionRecord> }
+     * @returns {Object} 500 - { error: string } on database failure
+     */
+    router.get('/:findingId/history', async (req, res) => {
+        const { findingId } = req.params;
+
+        try {
+            const archive = await new Promise((resolve, reject) => {
+                db.get(
+                    'SELECT id FROM ivanti_finding_archives WHERE finding_id = ?',
+                    [findingId],
+                    (err, row) => {
+                        if (err) reject(err);
+                        else resolve(row);
+                    }
+                );
+            });
+
+            if (!archive) {
+                return res.json({ finding_id: findingId, transitions: [] });
+            }
+
+            const transitions = await new Promise((resolve, reject) => {
+                db.all(
+                    `SELECT * FROM ivanti_archive_transitions
+                     WHERE archive_id = ?
+                     ORDER BY transitioned_at DESC`,
+                    [archive.id],
+                    (err, rows) => {
+                        if (err) reject(err);
+                        else resolve(rows || []);
+                    }
+                );
+            });
+
+            res.json({ finding_id: findingId, transitions });
+        } catch (err) {
+            console.error('Archive history error:', err);
+            res.status(500).json({ error: 'Failed to fetch transition history' });
+        }
+    });
+
+    return router;
+}
+
+module.exports = createIvantiArchiveRouter;

backend/routes/ivantiFindings.js

@@ -0,0 +1,922 @@
+// Ivanti / RiskSense Host Findings Routes
+// Caches hostFinding/search results in SQLite with daily auto-sync.
+// Notes are stored separately so they survive cache refreshes.
+
+const express = require('express');
+const { requireGroup } = require('../middleware/auth');
+const { ivantiPost } = require('../helpers/ivantiApi');
+
+const SYNC_INTERVAL_MS = 24 * 60 * 60 * 1000;
+
+const FINDINGS_FILTERS = [
+    // NOTE: This filters for Open findings only — Closed count is fetched separately via syncClosedCount()
+    {
+        field: 'assetCustomAttributes.1550_host_1.value',
+        exclusive: false,
+        operator: 'IN',
+        orWithPrevious: false,
+        implicitFilters: [],
+        value: 'NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM',
+        caseSensitive: false
+    },
+    {
+        field: 'severity',
+        exclusive: false,
+        operator: 'RANGE',
+        orWithPrevious: false,
+        implicitFilters: [],
+        value: '8.5,9.9',
+        caseSensitive: false
+    },
+    {
+        field: 'generic_state',
+        exclusive: false,
+        operator: 'EXACT',
+        orWithPrevious: false,
+        implicitFilters: [],
+        value: 'Open',
+        caseSensitive: false
+    }
+];
+
+// Same BU + severity filters but for Closed state — used only to fetch the total count
+const CLOSED_COUNT_FILTERS = [
+    {
+        field: 'assetCustomAttributes.1550_host_1.value',
+        exclusive: false,
+        operator: 'IN',
+        orWithPrevious: false,
+        implicitFilters: [],
+        value: 'NTS-AEO-ACCESS-ENG,NTS-AEO-STEAM',
+        caseSensitive: false
+    },
+    {
+        field: 'severity',
+        exclusive: false,
+        operator: 'RANGE',
+        orWithPrevious: false,
+        implicitFilters: [],
+        value: '8.5,9.9',
+        caseSensitive: false
+    },
+    {
+        field: 'generic_state',
+        exclusive: false,
+        operator: 'EXACT',
+        orWithPrevious: false,
+        implicitFilters: [],
+        value: 'Closed',
+        caseSensitive: false
+    }
+];
+
+// ---------------------------------------------------------------------------
+// Table init
+// ---------------------------------------------------------------------------
+function initTables(db) {
+    return new Promise((resolve, reject) => {
+        db.serialize(() => {
+            db.run(`
+                CREATE TABLE IF NOT EXISTS ivanti_findings_cache (
+                    id INTEGER PRIMARY KEY CHECK (id = 1),
+                    total INTEGER DEFAULT 0,
+                    findings_json TEXT DEFAULT '[]',
+                    synced_at DATETIME,
+                    sync_status TEXT DEFAULT 'never',
+                    error_message TEXT
+                )
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                INSERT OR IGNORE INTO ivanti_findings_cache (id, total, findings_json, sync_status)
+                VALUES (1, 0, '[]', 'never')
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE TABLE IF NOT EXISTS ivanti_finding_notes (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    finding_id TEXT NOT NULL UNIQUE,
+                    note TEXT NOT NULL DEFAULT '',
+                    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
+                )
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE TABLE IF NOT EXISTS ivanti_counts_cache (
+                    id INTEGER PRIMARY KEY CHECK (id = 1),
+                    open_count INTEGER DEFAULT 0,
+                    closed_count INTEGER DEFAULT 0,
+                    synced_at DATETIME
+                )
+            `, (err) => { if (err) return reject(err); });
+
+            // Idempotent column additions — errors mean the column already exists, which is fine
+            db.run(`ALTER TABLE ivanti_counts_cache ADD COLUMN fp_workflow_counts_json TEXT DEFAULT '{}'`, () => {});
+            db.run(`ALTER TABLE ivanti_counts_cache ADD COLUMN fp_id_counts_json TEXT DEFAULT '{}'`, () => {});
+
+            db.run(`
+                INSERT OR IGNORE INTO ivanti_counts_cache (id, open_count, closed_count)
+                VALUES (1, 0, 0)
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE TABLE IF NOT EXISTS ivanti_finding_overrides (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    finding_id TEXT NOT NULL,
+                    field TEXT NOT NULL,
+                    value TEXT NOT NULL DEFAULT '',
+                    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+                    UNIQUE(finding_id, field)
+                )
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE INDEX IF NOT EXISTS idx_finding_notes_finding_id
+                ON ivanti_finding_notes(finding_id)
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE INDEX IF NOT EXISTS idx_finding_overrides_finding_id
+                ON ivanti_finding_overrides(finding_id)
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE TABLE IF NOT EXISTS ivanti_counts_history (
+                    id           INTEGER PRIMARY KEY AUTOINCREMENT,
+                    open_count   INTEGER NOT NULL,
+                    closed_count INTEGER NOT NULL,
+                    recorded_at  DATETIME DEFAULT CURRENT_TIMESTAMP
+                )
+            `, (err) => {
+                if (err) reject(err);
+                else resolve();
+            });
+        });
+    });
+}
+
+// ---------------------------------------------------------------------------
+// Archive table init — creates archive tracking tables alongside the main cache
+// ---------------------------------------------------------------------------
+function initArchiveTables(db) {
+    return new Promise((resolve, reject) => {
+        db.serialize(() => {
+            db.run(`
+                CREATE TABLE IF NOT EXISTS ivanti_finding_archives (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    finding_id TEXT NOT NULL UNIQUE,
+                    finding_title TEXT NOT NULL DEFAULT '',
+                    host_name TEXT NOT NULL DEFAULT '',
+                    ip_address TEXT NOT NULL DEFAULT '',
+                    current_state TEXT NOT NULL CHECK(current_state IN ('ARCHIVED','RETURNED','CLOSED')),
+                    last_severity REAL NOT NULL DEFAULT 0,
+                    first_archived_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+                    last_transition_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+                    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+                )
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE TABLE IF NOT EXISTS ivanti_archive_transitions (
+                    id INTEGER PRIMARY KEY AUTOINCREMENT,
+                    archive_id INTEGER NOT NULL,
+                    from_state TEXT NOT NULL,
+                    to_state TEXT NOT NULL,
+                    severity_at_transition REAL NOT NULL DEFAULT 0,
+                    reason TEXT NOT NULL DEFAULT '',
+                    transitioned_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+                    FOREIGN KEY (archive_id) REFERENCES ivanti_finding_archives(id)
+                )
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE INDEX IF NOT EXISTS idx_archive_finding_id
+                ON ivanti_finding_archives(finding_id)
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE INDEX IF NOT EXISTS idx_archive_current_state
+                ON ivanti_finding_archives(current_state)
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                CREATE INDEX IF NOT EXISTS idx_transition_archive_id
+                ON ivanti_archive_transitions(archive_id)
+            `, (err) => {
+                if (err) reject(err);
+                else resolve();
+            });
+        });
+    });
+}
+
+// ---------------------------------------------------------------------------
+// Archive detection — compare previous vs current findings to detect state changes
+// ---------------------------------------------------------------------------
+async function detectArchiveChanges(db, previousFindings, currentFindings) {
+    const previousIds = new Set(previousFindings.map(f => String(f.id)));
+    const currentIds = new Set(currentFindings.map(f => String(f.id)));
+
+    // Build lookup maps for metadata
+    const previousMap = new Map(previousFindings.map(f => [String(f.id), f]));
+    const currentMap = new Map(currentFindings.map(f => [String(f.id), f]));
+
+    // 1. Disappeared findings: in previous but not in current → ARCHIVED
+    const disappearedIds = [...previousIds].filter(id => !currentIds.has(id));
+
+    for (const id of disappearedIds) {
+        const finding = previousMap.get(id);
+        const title = finding.title || '';
+        const hostName = finding.hostName || '';
+        const ipAddress = finding.ipAddress || '';
+        const severity = typeof finding.severity === 'number' ? finding.severity : 0;
+
+        try {
+            // Check if this finding already has an archive record
+            const existing = await dbGet(db,
+                `SELECT id, current_state FROM ivanti_finding_archives WHERE finding_id = ?`,
+                [id]
+            );
+
+            if (existing && existing.current_state === 'RETURNED') {
+                // Re-disappeared: RETURNED → ARCHIVED
+                await dbRun(db,
+                    `UPDATE ivanti_finding_archives
+                     SET current_state = 'ARCHIVED', last_severity = ?, last_transition_at = datetime('now')
+                     WHERE id = ?`,
+                    [severity, existing.id]
+                );
+                await dbRun(db,
+                    `INSERT INTO ivanti_archive_transitions (archive_id, from_state, to_state, severity_at_transition, reason, transitioned_at)
+                     VALUES (?, 'RETURNED', 'ARCHIVED', ?, 'severity_score_drift', datetime('now'))`,
+                    [existing.id, severity]
+                );
+                console.log(`[Archive Detection] Finding ${id} re-archived (RETURNED → ARCHIVED)`);
+            } else if (!existing) {
+                // First disappearance: NONE → ARCHIVED
+                const result = await dbRun(db,
+                    `INSERT INTO ivanti_finding_archives (finding_id, finding_title, host_name, ip_address, current_state, last_severity, first_archived_at, last_transition_at)
+                     VALUES (?, ?, ?, ?, 'ARCHIVED', ?, datetime('now'), datetime('now'))`,
+                    [id, title, hostName, ipAddress, severity]
+                );
+                const archiveId = result.lastID;
+                await dbRun(db,
+                    `INSERT INTO ivanti_archive_transitions (archive_id, from_state, to_state, severity_at_transition, reason, transitioned_at)
+                     VALUES (?, 'NONE', 'ARCHIVED', ?, 'severity_score_drift', datetime('now'))`,
+                    [archiveId, severity]
+                );
+                console.log(`[Archive Detection] Finding ${id} archived (NONE → ARCHIVED)`);
+            }
+            // If existing state is ARCHIVED or CLOSED, no action needed
+        } catch (err) {
+            console.error(`[Archive Detection] Error processing disappeared finding ${id}:`, err.message);
+        }
+    }
+
+    // 2. Returned findings: in current AND has existing ARCHIVED record → RETURNED
+    const currentIdsList = [...currentIds];
+    if (currentIdsList.length > 0) {
+        try {
+            const archivedRecords = await dbAll(db,
+                `SELECT id, finding_id FROM ivanti_finding_archives WHERE current_state = 'ARCHIVED'`
+            );
+
+            for (const record of archivedRecords) {
+                if (currentIds.has(record.finding_id)) {
+                    const finding = currentMap.get(record.finding_id);
+                    const severity = typeof finding.severity === 'number' ? finding.severity : 0;
+
+                    await dbRun(db,
+                        `UPDATE ivanti_finding_archives
+                         SET current_state = 'RETURNED', last_severity = ?, last_transition_at = datetime('now')
+                         WHERE id = ?`,
+                        [severity, record.id]
+                    );
+                    await dbRun(db,
+                        `INSERT INTO ivanti_archive_transitions (archive_id, from_state, to_state, severity_at_transition, reason, transitioned_at)
+                         VALUES (?, 'ARCHIVED', 'RETURNED', ?, 'reappeared_in_sync', datetime('now'))`,
+                        [record.id, severity]
+                    );
+                    console.log(`[Archive Detection] Finding ${record.finding_id} returned (ARCHIVED → RETURNED)`);
+                }
+            }
+        } catch (err) {
+            console.error('[Archive Detection] Error processing returned findings:', err.message);
+        }
+    }
+
+    console.log(`[Archive Detection] Processed ${disappearedIds.length} disappeared, checked ${currentIdsList.length} current findings against archive`);
+}
+
+// ---------------------------------------------------------------------------
+// Closed finding detection — check archived/returned findings against Ivanti closed set
+// ---------------------------------------------------------------------------
+async function detectClosedFindings(db, closedFindingIds) {
+    if (!closedFindingIds || closedFindingIds.length === 0) return;
+
+    const closedSet = new Set(closedFindingIds.map(String));
+
+    try {
+        const records = await dbAll(db,
+            `SELECT id, finding_id, current_state, last_severity FROM ivanti_finding_archives WHERE current_state IN ('ARCHIVED', 'RETURNED')`
+        );
+
+        let closedCount = 0;
+        for (const record of records) {
+            if (!closedSet.has(record.finding_id)) continue;
+
+            try {
+                await dbRun(db,
+                    `UPDATE ivanti_finding_archives
+                     SET current_state = 'CLOSED', last_transition_at = datetime('now')
+                     WHERE id = ?`,
+                    [record.id]
+                );
+                await dbRun(db,
+                    `INSERT INTO ivanti_archive_transitions (archive_id, from_state, to_state, severity_at_transition, reason, transitioned_at)
+                     VALUES (?, ?, 'CLOSED', ?, 'remediated_in_ivanti', datetime('now'))`,
+                    [record.id, record.current_state, record.last_severity || 0]
+                );
+                closedCount++;
+                console.log(`[Archive Detection] Finding ${record.finding_id} closed (${record.current_state} → CLOSED)`);
+            } catch (err) {
+                console.error(`[Archive Detection] Error closing finding ${record.finding_id}:`, err.message);
+            }
+        }
+
+        console.log(`[Archive Detection] Closed ${closedCount} findings as remediated`);
+    } catch (err) {
+        console.error('[Archive Detection] Error querying archive records for closed detection:', err.message);
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Extract only the fields we need from a raw finding object
+// ---------------------------------------------------------------------------
+function extractFinding(f) {
+    // statusEmbedded.dueDate = "2026-03-06T00:00:00" — strip to date part
+    const rawDueDate = f.statusEmbedded?.dueDate || '';
+    const dueDate = rawDueDate ? rawDueDate.split('T')[0] : '';
+
+    // BU ownership: assetCustomAttributes['1550_host_1'] is an array like ["NTS-AEO-STEAM"]
+    const buOwnership = f.assetCustomAttributes?.['1550_host_1']?.[0] || '';
+
+    // CVE list: vulnerabilities.vulnInfoList[].cve
+    const cves = (f.vulnerabilities?.vulnInfoList || []).map(v => v.cve).filter(Boolean);
+
+    // Workflow: only capture FP# (False Positive) tickets — SYS# are auto-generated
+    // system workflows and not actionable for our purposes.
+    const wfDist = f.workflowDistribution || {};
+    const fpBuckets = [
+        ...(wfDist.actionableWorkflows || []),
+        ...(wfDist.requestedWorkflows  || []),
+        ...(wfDist.reworkedWorkflows   || []),
+        ...(wfDist.rejectedWorkflows   || []),
+        ...(wfDist.expiredWorkflows    || []),
+        ...(wfDist.approvedWorkflows   || []),
+    ].filter(w => (w.generatedId || '').startsWith('FP#'));
+
+    // Priority: actionable > requested > reworked > rejected > expired > approved
+    const fpEntry = fpBuckets[0] || null;
+
+    // Fallback: if no FP# in distribution, check workflowGeneratedNames directly
+    const generatedNames = f.workflowGeneratedNames || [];
+    const fpFromNames = !fpEntry
+        ? generatedNames.find(n => n.startsWith('FP#')) || null
+        : null;
+
+    const workflow = fpEntry ? {
+        id:    fpEntry.generatedId || '',
+        state: fpEntry.state || '',
+        type:  'FP',
+    } : fpFromNames ? {
+        id:    fpFromNames,
+        state: '',
+        type:  'FP',
+    } : null;
+
+    return {
+        id: String(f.id),
+        title: f.title || '',
+        severity: typeof f.severity === 'number' ? f.severity : parseFloat(f.severity) || 0,
+        vrrGroup: f.vrrGroup || f.severityGroup || '',
+        hostName: f.host?.hostName || '',
+        ipAddress: f.host?.ipAddress || '',
+        dns: f.dns || f.host?.fqdn || '',
+        status: f.status || '',
+        slaStatus: f.slaStatus || '',
+        dueDate,
+        lastFoundOn: f.lastFoundOn || '',
+        buOwnership,
+        cves,
+        workflow
+    };
+}
+
+// ---------------------------------------------------------------------------
+// Fetch total count of Closed findings from Ivanti (page 0, size 1)
+// ---------------------------------------------------------------------------
+async function syncClosedCount(db, openCount, apiKey, clientId, skipTls) {
+    const urlPath = `/client/${encodeURIComponent(clientId)}/hostFinding/search`;
+    try {
+        const body = {
+            filters: CLOSED_COUNT_FILTERS,
+            projection: 'internal',
+            sort: [{ field: 'severity', direction: 'ASC' }],
+            page: 0,
+            size: 100
+        };
+
+        const result = await ivantiPost(urlPath, body, apiKey, skipTls);
+        if (result.status !== 200) throw new Error(`Closed count API returned status ${result.status}`);
+
+        const data = JSON.parse(result.body);
+        // RiskSense returns total in page.totalElements or page.total
+        const closedCount = data.page?.totalElements ?? data.page?.total ?? 0;
+        const totalPages = data.page?.totalPages || 1;
+
+        // Collect closed finding IDs for archive detection
+        const closedFindingIds = [];
+        const firstPageFindings = data._embedded?.hostFindings || [];
+        firstPageFindings.forEach(f => { if (f.id) closedFindingIds.push(String(f.id)); });
+
+        // Fetch remaining pages to collect all closed finding IDs
+        for (let pg = 1; pg < totalPages; pg++) {
+            try {
+                const pageBody = { ...body, page: pg };
+                const pageResult = await ivantiPost(urlPath, pageBody, apiKey, skipTls);
+                if (pageResult.status !== 200) break;
+                const pageData = JSON.parse(pageResult.body);
+                const pageFindings = pageData._embedded?.hostFindings || [];
+                pageFindings.forEach(f => { if (f.id) closedFindingIds.push(String(f.id)); });
+            } catch (err) {
+                console.error(`[Ivanti Findings] Failed to fetch closed findings page ${pg}:`, err.message);
+                break;
+            }
+        }
+
+        await dbRun(db,
+            `UPDATE ivanti_counts_cache SET open_count=?, closed_count=?, synced_at=datetime('now') WHERE id=1`,
+            [openCount, closedCount]
+        );
+
+        // Append a snapshot to history — every sync is stored; the history
+        // endpoint aggregates to last-per-day at query time (Option B).
+        await dbRun(db,
+            `INSERT INTO ivanti_counts_history (open_count, closed_count) VALUES (?, ?)`,
+            [openCount, closedCount]
+        );
+
+        console.log(`[Ivanti Findings] Counts updated — open: ${openCount}, closed: ${closedCount}`);
+
+        // Detect closed findings in the archive — wrap in try/catch so errors don't break sync
+        try {
+            await detectClosedFindings(db, closedFindingIds);
+        } catch (err) {
+            console.error('[Ivanti Findings] Closed finding archive detection failed (non-fatal):', err.message);
+        }
+    } catch (err) {
+        console.error('[Ivanti Findings] Failed to fetch closed count:', err.message);
+        // Still update open count so it stays in sync; leave closed_count as-is
+        await dbRun(db,
+            `UPDATE ivanti_counts_cache SET open_count=?, synced_at=datetime('now') WHERE id=1`,
+            [openCount]
+        ).catch(() => {});
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Extract FP workflow id+state from a raw (un-extracted) finding
+// Returns { id, state } or null if no FP# workflow present.
+// ---------------------------------------------------------------------------
+function extractFPWorkflow(f) {
+    const wfDist = f.workflowDistribution || {};
+    const fpBuckets = [
+        ...(wfDist.actionableWorkflows || []),
+        ...(wfDist.requestedWorkflows  || []),
+        ...(wfDist.reworkedWorkflows   || []),
+        ...(wfDist.rejectedWorkflows   || []),
+        ...(wfDist.expiredWorkflows    || []),
+        ...(wfDist.approvedWorkflows   || []),
+    ].filter(w => (w.generatedId || '').startsWith('FP#'));
+    const fpEntry = fpBuckets[0] || null;
+    if (!fpEntry) return null;
+    return { id: fpEntry.generatedId || '', state: fpEntry.state || 'Unknown' };
+}
+
+// ---------------------------------------------------------------------------
+// Sync FP stats across ALL findings (open + closed).
+//
+// Produces two separate counts:
+//   findingCounts  — number of *findings* per FP workflow state
+//   idCounts       — number of *unique FP# ticket IDs* per state
+//                    (one FP# can cover many findings; this chart counts tickets)
+//
+// Open findings come from the already-extracted allFindings array.
+// Closed findings are swept page-by-page to catch Approved FPs.
+// ---------------------------------------------------------------------------
+async function syncFPWorkflowCounts(db, openFindings, apiKey, clientId, skipTls) {
+    const findingCounts = {};  // state → # findings
+    const fpIdMap       = {};  // FP# id → state (deduplicates across findings)
+
+    // Seed from open findings (already extracted, have workflow.id + workflow.state)
+    openFindings.forEach(f => {
+        if (!f.workflow) return;
+        const state = f.workflow.state || 'Unknown';
+        const id    = f.workflow.id    || '';
+        findingCounts[state] = (findingCounts[state] || 0) + 1;
+        if (id && !fpIdMap[id]) fpIdMap[id] = state;
+    });
+
+    // Sweep closed findings to pick up Approved (and any other closed FP states)
+    const urlPath = `/client/${encodeURIComponent(clientId)}/hostFinding/search`;
+    let page = 0;
+    let totalPages = 1;
+
+    try {
+        do {
+            const body = {
+                filters: CLOSED_COUNT_FILTERS,
+                projection: 'internal',
+                sort: [{ field: 'severity', direction: 'ASC' }],
+                page,
+                size: 100
+            };
+            const result = await ivantiPost(urlPath, body, apiKey, skipTls);
+            if (result.status !== 200) {
+                console.warn(`[Ivanti Findings] FP workflow counts: closed findings page ${page} returned ${result.status} — stopping sweep`);
+                break;
+            }
+            const data = JSON.parse(result.body);
+            totalPages = data.page?.totalPages || 1;
+            const findings = data._embedded?.hostFindings || [];
+            findings.forEach(f => {
+                const wf = extractFPWorkflow(f);
+                if (!wf) return;
+                findingCounts[wf.state] = (findingCounts[wf.state] || 0) + 1;
+                if (wf.id && !fpIdMap[wf.id]) fpIdMap[wf.id] = wf.state;
+            });
+            console.log(`[Ivanti Findings] FP workflow counts: closed page ${page + 1}/${totalPages}`);
+            page++;
+        } while (page < totalPages);
+    } catch (err) {
+        console.error('[Ivanti Findings] FP workflow counts: closed sweep failed:', err.message);
+        // Fall through — store whatever we have from open findings
+    }
+
+    // Aggregate unique FP# IDs by state
+    const idCounts = {};
+    Object.values(fpIdMap).forEach(state => {
+        idCounts[state] = (idCounts[state] || 0) + 1;
+    });
+
+    await dbRun(db,
+        `UPDATE ivanti_counts_cache SET fp_workflow_counts_json=?, fp_id_counts_json=? WHERE id=1`,
+        [JSON.stringify(findingCounts), JSON.stringify(idCounts)]
+    ).catch(e => console.error('[Ivanti Findings] Failed to store FP workflow counts:', e.message));
+
+    console.log('[Ivanti Findings] FP finding counts:', findingCounts);
+    console.log('[Ivanti Findings] FP workflow ID counts:', idCounts);
+}
+
+// ---------------------------------------------------------------------------
+// Core sync — fetches ALL pages, stores slimmed findings in SQLite
+// ---------------------------------------------------------------------------
+async function syncFindings(db) {
+    const apiKey = process.env.IVANTI_API_KEY;
+    const clientId = process.env.IVANTI_CLIENT_ID || '1550';
+    const skipTls = process.env.IVANTI_SKIP_TLS === 'true';
+
+    if (!apiKey) {
+        const errMsg = 'IVANTI_API_KEY not set in .env — skipping sync';
+        console.warn('[Ivanti Findings]', errMsg);
+        await dbRun(db, `UPDATE ivanti_findings_cache SET sync_status='error', error_message=?, synced_at=datetime('now') WHERE id=1`, [errMsg]);
+        return;
+    }
+
+    console.log('[Ivanti Findings] Starting sync...');
+
+    const urlPath = `/client/${encodeURIComponent(clientId)}/hostFinding/search`;
+    let allFindings = [];
+    let page = 0;
+    let totalPages = 1;
+
+    try {
+        do {
+            const body = {
+                filters: FINDINGS_FILTERS,
+                projection: 'internal',
+                sort: [{ field: 'severity', direction: 'ASC' }],
+                page,
+                size: 100
+            };
+
+            const result = await ivantiPost(urlPath, body, apiKey, skipTls);
+
+            if (result.status === 401) throw new Error('Invalid or missing API key (401)');
+            if (result.status === 419) throw new Error('Insufficient privileges (419) — API key lacks hostFinding access');
+            if (result.status === 429) throw new Error('Rate limited (429) — try again later');
+            if (result.status !== 200) throw new Error(`Ivanti API returned status ${result.status}`);
+
+            const data = JSON.parse(result.body);
+            totalPages = data.page?.totalPages || 1;
+            const findings = data._embedded?.hostFindings || [];
+            allFindings = allFindings.concat(findings.map(extractFinding));
+
+            console.log(`[Ivanti Findings] Page ${page + 1}/${totalPages} — ${allFindings.length} findings so far`);
+            page++;
+        } while (page < totalPages);
+
+        // Read previous findings BEFORE updating the cache (they'll be overwritten)
+        let previousFindings = [];
+        try {
+            const state = await readState(db);
+            previousFindings = state.findings || [];
+        } catch (err) {
+            console.error('[Ivanti Findings] Failed to read previous findings for archive detection:', err.message);
+        }
+
+        await dbRun(db,
+            `UPDATE ivanti_findings_cache SET total=?, findings_json=?, synced_at=datetime('now'), sync_status='success', error_message=NULL WHERE id=1`,
+            [allFindings.length, JSON.stringify(allFindings)]
+        );
+
+        console.log(`[Ivanti Findings] Sync complete — ${allFindings.length} findings`);
+
+        // Archive detection — compare previous vs current to detect disappeared/returned findings
+        // Only runs after a successful sync (skipped on error per requirement 1.5)
+        try {
+            await detectArchiveChanges(db, previousFindings, allFindings);
+        } catch (err) {
+            console.error('[Ivanti Findings] Archive detection failed (non-fatal):', err.message);
+        }
+
+        await syncClosedCount(db, allFindings.length, apiKey, clientId, skipTls);
+        await syncFPWorkflowCounts(db, allFindings, apiKey, clientId, skipTls);
+    } catch (err) {
+        const msg = err.message || 'Unknown error';
+        console.error('[Ivanti Findings] Sync failed:', msg);
+        // Archive detection is intentionally skipped on sync error (requirement 1.5)
+        await dbRun(db, `UPDATE ivanti_findings_cache SET sync_status='error', error_message=?, synced_at=datetime('now') WHERE id=1`, [msg]);
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Scheduler
+// ---------------------------------------------------------------------------
+function scheduleSync(db) {
+    db.get('SELECT synced_at FROM ivanti_findings_cache WHERE id = 1', (err, row) => {
+        if (err || !row || !row.synced_at) {
+            syncFindings(db);
+        } else {
+            const lastSync = new Date(row.synced_at.replace(' ', 'T') + 'Z');
+            const hoursSince = (Date.now() - lastSync.getTime()) / (1000 * 60 * 60);
+            if (hoursSince >= 24) {
+                syncFindings(db);
+            } else {
+                console.log(`[Ivanti Findings] Last sync ${hoursSince.toFixed(1)}h ago — next auto-sync in ${(24 - hoursSince).toFixed(1)}h`);
+            }
+        }
+    });
+
+    setInterval(() => syncFindings(db), SYNC_INTERVAL_MS);
+}
+
+// ---------------------------------------------------------------------------
+// DB helpers
+// ---------------------------------------------------------------------------
+function dbRun(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.run(sql, params, function (err) { if (err) reject(err); else resolve(this); });
+    });
+}
+
+function dbGet(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.get(sql, params, (err, row) => { if (err) reject(err); else resolve(row); });
+    });
+}
+
+function dbAll(db, sql, params = []) {
+    return new Promise((resolve, reject) => {
+        db.all(sql, params, (err, rows) => { if (err) reject(err); else resolve(rows || []); });
+    });
+}
+
+function readState(db) {
+    return new Promise((resolve, reject) => {
+        db.get(
+            'SELECT total, findings_json, synced_at, sync_status, error_message FROM ivanti_findings_cache WHERE id = 1',
+            (err, row) => {
+                if (err) return reject(err);
+                if (!row) return resolve({ total: 0, findings: [], synced_at: null, sync_status: 'never', error_message: null });
+                let findings = [];
+                try { findings = JSON.parse(row.findings_json || '[]'); } catch (_) { /* leave empty */ }
+                resolve({ total: row.total || 0, findings, synced_at: row.synced_at, sync_status: row.sync_status, error_message: row.error_message });
+            }
+        );
+    });
+}
+
+function readNotes(db) {
+    return new Promise((resolve, reject) => {
+        db.all('SELECT finding_id, note FROM ivanti_finding_notes', (err, rows) => {
+            if (err) return reject(err);
+            const map = {};
+            (rows || []).forEach((r) => { map[r.finding_id] = r.note; });
+            resolve(map);
+        });
+    });
+}
+
+function readCounts(db) {
+    return new Promise((resolve, reject) => {
+        db.get(
+            'SELECT open_count, closed_count, synced_at FROM ivanti_counts_cache WHERE id = 1',
+            (err, row) => {
+                if (err) return reject(err);
+                resolve({
+                    open:      row?.open_count   ?? 0,
+                    closed:    row?.closed_count  ?? 0,
+                    synced_at: row?.synced_at     ?? null,
+                });
+            }
+        );
+    });
+}
+
+// Returns { findingId: { hostName: 'override', dns: 'override' }, ... }
+function readOverrides(db) {
+    return new Promise((resolve, reject) => {
+        db.all('SELECT finding_id, field, value FROM ivanti_finding_overrides', (err, rows) => {
+            if (err) return reject(err);
+            const map = {};
+            (rows || []).forEach((r) => {
+                if (!map[r.finding_id]) map[r.finding_id] = {};
+                map[r.finding_id][r.field] = r.value;
+            });
+            resolve(map);
+        });
+    });
+}
+
+async function readStateWithNotes(db) {
+    const [state, notes, overrides] = await Promise.all([readState(db), readNotes(db), readOverrides(db)]);
+    state.findings = state.findings.map((f) => ({
+        ...f,
+        note:      notes[f.id]     || '',
+        overrides: overrides[f.id] || {},
+    }));
+    return state;
+}
+
+// ---------------------------------------------------------------------------
+// Router
+// ---------------------------------------------------------------------------
+function createIvantiFindingsRouter(db, requireAuth) {
+    const router = express.Router();
+
+    Promise.all([initTables(db), initArchiveTables(db)])
+        .then(() => scheduleSync(db))
+        .catch((err) => console.error('[Ivanti Findings] Init failed:', err));
+
+    router.use(requireAuth(db));
+
+    // GET / — cached findings with notes merged in
+    router.get('/', async (req, res) => {
+        try {
+            res.json(await readStateWithNotes(db));
+        } catch {
+            res.status(500).json({ error: 'Database error reading findings' });
+        }
+    });
+
+    // POST /sync — trigger immediate sync, return fresh state
+    router.post('/sync', requireGroup('Admin', 'Standard_User'), async (req, res) => {
+        await syncFindings(db);
+        try {
+            res.json(await readStateWithNotes(db));
+        } catch {
+            res.status(500).json({ error: 'Sync ran but could not read updated state' });
+        }
+    });
+
+    // GET /counts — open vs closed totals for pie chart
+    router.get('/counts', async (req, res) => {
+        try {
+            res.json(await readCounts(db));
+        } catch {
+            res.status(500).json({ error: 'Database error reading counts' });
+        }
+    });
+
+    // GET /counts/history — last snapshot per day, ascending, for the trend chart.
+    // Uses a window function (ROW_NUMBER) to pick the final sync of each calendar day.
+    router.get('/counts/history', async (req, res) => {
+        try {
+            const rows = await new Promise((resolve, reject) => {
+                db.all(
+                    `SELECT date, open_count, closed_count FROM (
+                         SELECT DATE(recorded_at) AS date,
+                                open_count, closed_count,
+                                ROW_NUMBER() OVER (
+                                    PARTITION BY DATE(recorded_at)
+                                    ORDER BY recorded_at DESC
+                                ) AS rn
+                         FROM ivanti_counts_history
+                     ) WHERE rn = 1
+                     ORDER BY date ASC`,
+                    [],
+                    (err, rows) => { if (err) reject(err); else resolve(rows || []); }
+                );
+            });
+            res.json({ history: rows });
+        } catch (err) {
+            console.error('[Ivanti Findings] GET /counts/history error:', err.message);
+            res.status(500).json({ error: 'Database error' });
+        }
+    });
+
+    // GET /fp-workflow-counts — FP finding + unique workflow counts (open + closed)
+    router.get('/fp-workflow-counts', async (req, res) => {
+        try {
+            const row = await new Promise((resolve, reject) => {
+                db.get('SELECT fp_workflow_counts_json, fp_id_counts_json FROM ivanti_counts_cache WHERE id=1',
+                    (err, row) => { if (err) reject(err); else resolve(row); }
+                );
+            });
+            let findingCounts = {};
+            let idCounts      = {};
+            try { findingCounts = JSON.parse(row?.fp_workflow_counts_json || '{}'); } catch (_) {}
+            try { idCounts      = JSON.parse(row?.fp_id_counts_json      || '{}'); } catch (_) {}
+            res.json({
+                findingCounts,
+                findingTotal: Object.values(findingCounts).reduce((a, b) => a + b, 0),
+                idCounts,
+                idTotal: Object.values(idCounts).reduce((a, b) => a + b, 0),
+            });
+        } catch {
+            res.status(500).json({ error: 'Database error reading FP workflow counts' });
+        }
+    });
+
+    // PUT /:findingId/override — save or clear a field override (editor/admin only)
+    const OVERRIDE_ALLOWED = ['hostName', 'dns'];
+    router.put('/:findingId/override', requireGroup('Admin', 'Standard_User'), (req, res) => {
+        const { findingId } = req.params;
+        const { field, value } = req.body;
+
+        if (!OVERRIDE_ALLOWED.includes(field)) {
+            return res.status(400).json({ error: `Field '${field}' is not editable. Allowed: ${OVERRIDE_ALLOWED.join(', ')}` });
+        }
+
+        const val = String(value ?? '').trim();
+
+        if (val === '') {
+            // Empty value = clear the override (revert to Ivanti)
+            db.run(
+                'DELETE FROM ivanti_finding_overrides WHERE finding_id = ? AND field = ?',
+                [findingId, field],
+                (err) => {
+                    if (err) return res.status(500).json({ error: 'Failed to clear override' });
+                    res.json({ finding_id: findingId, field, value: null });
+                }
+            );
+        } else {
+            db.run(
+                `INSERT INTO ivanti_finding_overrides (finding_id, field, value, updated_at)
+                 VALUES (?, ?, ?, datetime('now'))
+                 ON CONFLICT(finding_id, field) DO UPDATE SET value=excluded.value, updated_at=datetime('now')`,
+                [findingId, field, val],
+                (err) => {
+                    if (err) return res.status(500).json({ error: 'Failed to save override' });
+                    res.json({ finding_id: findingId, field, value: val });
+                }
+            );
+        }
+    });
+
+    // PUT /:findingId/note — save or update a note (max 255 chars enforced here)
+    router.put('/:findingId/note', requireGroup('Admin', 'Standard_User'), (req, res) => {
+        const { findingId } = req.params;
+        const note = String(req.body.note || '').slice(0, 255);
+
+        db.run(
+            `INSERT INTO ivanti_finding_notes (finding_id, note, updated_at)
+             VALUES (?, ?, datetime('now'))
+             ON CONFLICT(finding_id) DO UPDATE SET note=excluded.note, updated_at=datetime('now')`,
+            [findingId, note],
+            (err) => {
+                if (err) return res.status(500).json({ error: 'Failed to save note' });
+                res.json({ finding_id: findingId, note });
+            }
+        );
+    });
+
+    return router;
+}
+
+module.exports = createIvantiFindingsRouter;
+module.exports.detectArchiveChanges = detectArchiveChanges;
+module.exports.detectClosedFindings = detectClosedFindings;
+module.exports.initArchiveTables = initArchiveTables;

backend/routes/ivantiFpWorkflow.js

@@ -0,0 +1,395 @@
+// routes/ivantiFpWorkflow.js
+const express = require('express');
+const multer = require('multer');
+const path = require('path');
+const { requireGroup } = require('../middleware/auth');
+const { ivantiFormPost } = require('../helpers/ivantiApi');
+const logAudit = require('../helpers/auditLog');
+
+// ---------------------------------------------------------------------------
+// Pure helpers (exported for testing)
+// ---------------------------------------------------------------------------
+
+const ALLOWED_EXTENSIONS = new Set([
+    '.pdf', '.png', '.jpg', '.jpeg', '.gif',
+    '.doc', '.docx', '.xlsx', '.csv', '.txt', '.zip'
+]);
+
+/**
+ * Returns true if the filename has an allowed extension (case-insensitive).
+ */
+function isAllowedFileExtension(filename) {
+    if (!filename || typeof filename !== 'string') return false;
+    const ext = path.extname(filename).toLowerCase();
+    return ALLOWED_EXTENSIONS.has(ext);
+}
+
+/**
+ * Validates the FP workflow form body.
+ * Returns {} if valid, or { fieldName: 'error message' } for each invalid field.
+ */
+function validateFpWorkflowForm(body) {
+    const errors = {};
+
+    // name: required, non-empty, max 255
+    if (!body.name || typeof body.name !== 'string' || body.name.trim().length === 0) {
+        errors.name = 'Workflow name is required.';
+    } else if (body.name.trim().length > 255) {
+        errors.name = 'Workflow name must be 255 characters or fewer.';
+    }
+
+    // reason: required, non-empty
+    if (!body.reason || typeof body.reason !== 'string' || body.reason.trim().length === 0) {
+        errors.reason = 'Reason is required.';
+    }
+
+    // description: optional, max 2000 if provided
+    if (body.description !== undefined && body.description !== null && body.description !== '') {
+        if (typeof body.description !== 'string') {
+            errors.description = 'Description must be a string.';
+        } else if (body.description.length > 2000) {
+            errors.description = 'Description must be 2000 characters or fewer.';
+        }
+    }
+
+    // expirationDate: required, valid date, strictly after today
+    if (!body.expirationDate || typeof body.expirationDate !== 'string' || body.expirationDate.trim().length === 0) {
+        errors.expirationDate = 'Expiration date is required.';
+    } else {
+        const parsed = new Date(body.expirationDate);
+        if (isNaN(parsed.getTime())) {
+            errors.expirationDate = 'Expiration date must be a valid date.';
+        } else {
+            const today = new Date();
+            today.setHours(0, 0, 0, 0);
+            const expDay = new Date(parsed);
+            expDay.setHours(0, 0, 0, 0);
+            if (expDay <= today) {
+                errors.expirationDate = 'Expiration date must be in the future.';
+            }
+        }
+    }
+
+    return errors;
+}
+
+/**
+ * Builds the subjectFilterRequest JSON for the Ivanti FP workflow endpoint.
+ * Format: { subject, filterRequest: { filters } }
+ */
+function buildSubjectFilterRequest(findingIds) {
+    return JSON.stringify({
+        subject: 'hostFinding',
+        filterRequest: {
+            filters: [{
+                field: 'id',
+                exclusive: false,
+                operator: 'IN',
+                value: findingIds.map(id => String(id)).join(',')
+            }]
+        }
+    });
+}
+
+/**
+ * Builds the multipart form fields array for the Ivanti FP workflow request.
+ */
+function buildIvantiFormFields(formData, findingIds) {
+    const scopeMap = {
+        'Authorized': 'AUTHORIZED',
+        'None': 'NONE',
+        'Automated': 'AUTOMATED'
+    };
+
+    return [
+        { name: 'name', value: formData.name },
+        { name: 'reason', value: formData.reason },
+        { name: 'description', value: formData.description || '' },
+        { name: 'expirationDate', value: formData.expirationDate },
+        { name: 'overrideControl', value: scopeMap[formData.scopeOverride] || 'AUTHORIZED' },
+        { name: 'subjectFilterRequest', value: buildSubjectFilterRequest(findingIds) },
+        { name: 'isEmptyWorkflow', value: findingIds.length === 0 ? 'true' : 'false' }
+    ];
+}
+
+// ---------------------------------------------------------------------------
+// Multer configuration
+// ---------------------------------------------------------------------------
+
+const uploadStorage = multer.memoryStorage();
+
+const fpUpload = multer({
+    storage: uploadStorage,
+    limits: { fileSize: 10 * 1024 * 1024 }, // 10 MB per file
+    fileFilter: (req, file, cb) => {
+        if (isAllowedFileExtension(file.originalname)) {
+            cb(null, true);
+        } else {
+            cb(new Error(`File type not allowed: ${path.extname(file.originalname)}`));
+        }
+    }
+}).array('attachments', 10); // up to 10 files
+
+// ---------------------------------------------------------------------------
+// Router factory
+// ---------------------------------------------------------------------------
+
+function createIvantiFpWorkflowRouter(db, requireAuth) {
+    const router = express.Router();
+
+    /**
+     * POST /api/ivanti/fp-workflow
+     *
+     * Creates a False Positive workflow batch in the Ivanti/RiskSense API,
+     * optionally uploads file attachments, records the submission locally,
+     * and marks the associated queue items as complete.
+     *
+     * Content-Type: multipart/form-data
+     *
+     * @param {string}   req.body.name            - Workflow name (required, max 255 chars)
+     * @param {string}   req.body.reason          - Reason for the FP determination (required)
+     * @param {string}   [req.body.description]   - Additional description (optional, max 2000 chars)
+     * @param {string}   req.body.expirationDate  - ISO date string, must be a future date (required)
+     * @param {string}   [req.body.scopeOverride] - "Authorized" (default) or "None"
+     * @param {string}   req.body.findingIds      - JSON-encoded array of Ivanti finding IDs
+     * @param {string}   req.body.queueItemIds    - JSON-encoded array of local queue item IDs
+     * @param {File[]}   [req.files]              - Up to 10 file attachments (max 10 MB each);
+     *                                              allowed extensions: .pdf .png .jpg .jpeg .gif
+     *                                              .doc .docx .xlsx .csv .txt .zip
+     *
+     * @returns {object} 200 - Success
+     *   { success: true, workflowBatchId: number, generatedId: string,
+     *     attachmentResults: Array<{ filename: string, success: boolean, error?: string }>,
+     *     queueItemsUpdated: number, status: 'success' | 'partial' }
+     * @returns {object} 400 - Validation error
+     *   { error: string } or { success: false, errors: { [field]: string } }
+     * @returns {object} 403 - Queue item ownership violation
+     *   { error: string }
+     * @returns {object} 429 - Ivanti rate limit
+     *   { success: false, error: string, step: 'create_workflow' }
+     * @returns {object} 500 - Server configuration error
+     *   { success: false, error: string, step: 'create_workflow' }
+     * @returns {object} 502 - Ivanti API error
+     *   { success: false, error: string, step: 'create_workflow', details?: string }
+     */
+    router.post('/', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+        fpUpload(req, res, (multerErr) => {
+            if (multerErr) {
+                if (multerErr.code === 'LIMIT_FILE_SIZE') {
+                    return res.status(400).json({ error: 'File exceeds the 10 MB size limit.' });
+                }
+                return res.status(400).json({ error: multerErr.message });
+            }
+
+            // --- Parse JSON-encoded arrays from the multipart body ---
+            let findingIds, queueItemIds;
+            try {
+                findingIds = JSON.parse(req.body.findingIds || '[]');
+                queueItemIds = JSON.parse(req.body.queueItemIds || '[]');
+            } catch (e) {
+                return res.status(400).json({ error: 'findingIds and queueItemIds must be valid JSON arrays.' });
+            }
+
+            if (!Array.isArray(findingIds) || findingIds.length === 0) {
+                return res.status(400).json({ error: 'At least one finding ID is required.' });
+            }
+            if (!Array.isArray(queueItemIds) || queueItemIds.length === 0) {
+                return res.status(400).json({ error: 'At least one queue item ID is required.' });
+            }
+
+            // --- Validate form fields ---
+            const validationErrors = validateFpWorkflowForm(req.body);
+            if (Object.keys(validationErrors).length > 0) {
+                return res.status(400).json({ success: false, errors: validationErrors });
+            }
+
+            // --- Validate file extensions (belt-and-suspenders with Multer filter) ---
+            const files = req.files || [];
+            for (const file of files) {
+                if (!isAllowedFileExtension(file.originalname)) {
+                    return res.status(400).json({
+                        error: `File type not allowed: ${file.originalname}. Allowed: ${[...ALLOWED_EXTENSIONS].join(', ')}`
+                    });
+                }
+            }
+
+            // --- Verify queue items belong to user, are FP type, and pending ---
+            const placeholders = queueItemIds.map(() => '?').join(',');
+            db.all(
+                `SELECT id, workflow_type, status, user_id
+                 FROM ivanti_todo_queue
+                 WHERE id IN (${placeholders})`,
+                queueItemIds,
+                (err, rows) => {
+                    if (err) {
+                        console.error('Error verifying queue items:', err);
+                        return res.status(500).json({ error: 'Internal server error.' });
+                    }
+
+                    // Check all items were found
+                    if (!rows || rows.length !== queueItemIds.length) {
+                        return res.status(400).json({ error: 'One or more queue items not found.' });
+                    }
+
+                    // Check ownership, type, and status
+                    for (const row of rows) {
+                        if (row.user_id !== req.user.id) {
+                            return res.status(403).json({ error: 'You can only submit your own queue items.' });
+                        }
+                        if (row.workflow_type !== 'FP') {
+                            return res.status(400).json({ error: `Queue item ${row.id} is not an FP workflow type.` });
+                        }
+                        if (row.status !== 'pending') {
+                            return res.status(400).json({ error: `Queue item ${row.id} is not in pending status.` });
+                        }
+                    }
+
+                    // --- Validation passed — submit to Ivanti API ---
+                    (async () => {
+                        const apiKey = process.env.IVANTI_API_KEY;
+                        const clientId = process.env.IVANTI_CLIENT_ID || '1550';
+                        const skipTls = process.env.IVANTI_SKIP_TLS === 'true';
+
+                        if (!apiKey) {
+                            return res.status(500).json({ success: false, error: 'Ivanti API key is not configured.', step: 'create_workflow' });
+                        }
+
+                        // 1. Build form fields and call Ivanti API (multipart/form-data)
+                        const formFields = buildIvantiFormFields(req.body, findingIds);
+                        const formFiles = files.map(f => ({ name: 'files', buffer: f.buffer, filename: f.originalname }));
+                        const createUrl = `/client/${encodeURIComponent(clientId)}/workflowBatch/falsePositive/request`;
+
+                        let createResult;
+                        try {
+                            createResult = await ivantiFormPost(createUrl, formFields, formFiles, apiKey, skipTls);
+                        } catch (networkErr) {
+                            logAudit(db, {
+                                userId: req.user.id, username: req.user.username,
+                                action: 'ivanti_fp_workflow_failed', entityType: 'ivanti_workflow',
+                                details: { error: networkErr.message, findingIds },
+                                ipAddress: req.ip
+                            });
+                            return res.status(502).json({ success: false, error: 'Failed to connect to Ivanti API.', step: 'create_workflow', details: networkErr.message });
+                        }
+
+                        // Handle error responses from Ivanti
+                        if (createResult.status !== 200 && createResult.status !== 201 && createResult.status !== 202) {
+                            const errorMap = {
+                                401: 'Ivanti API key is invalid or missing.',
+                                419: 'API key lacks workflow creation permissions.',
+                                429: 'Ivanti API rate limit reached. Please try again in a few minutes.'
+                            };
+                            const errorMsg = errorMap[createResult.status] || `Workflow creation failed: ${createResult.status}`;
+                            const errorResponse = { success: false, error: errorMsg, step: 'create_workflow' };
+                            if (!errorMap[createResult.status]) {
+                                errorResponse.details = createResult.body;
+                            }
+
+                            logAudit(db, {
+                                userId: req.user.id, username: req.user.username,
+                                action: 'ivanti_fp_workflow_failed', entityType: 'ivanti_workflow',
+                                details: { error: errorMsg, status: createResult.status, findingIds },
+                                ipAddress: req.ip
+                            });
+
+                            return res.status(createResult.status === 429 ? 429 : 502).json(errorResponse);
+                        }
+
+                        // 2. Parse workflow batch response — API returns { id, created }
+                        let workflowBatchId;
+                        try {
+                            const createData = JSON.parse(createResult.body);
+                            workflowBatchId = createData.id;
+                        } catch (parseErr) {
+                            logAudit(db, {
+                                userId: req.user.id, username: req.user.username,
+                                action: 'ivanti_fp_workflow_failed', entityType: 'ivanti_workflow',
+                                details: { error: 'Failed to parse Ivanti response', responseBody: createResult.body },
+                                ipAddress: req.ip
+                            });
+                            return res.status(502).json({ success: false, error: 'Failed to parse Ivanti API response.', step: 'create_workflow' });
+                        }
+
+                        // 3. Determine submission status (files sent inline, so success if we got here)
+                        const status = 'success';
+
+                        // 4. Insert submission record
+                        try {
+                            await new Promise((resolve, reject) => {
+                                db.run(
+                                    `INSERT INTO ivanti_fp_submissions (user_id, username, ivanti_workflow_batch_id, ivanti_generated_id, workflow_name, reason, description, expiration_date, scope_override, finding_ids_json, queue_item_ids_json, attachment_count, attachment_results_json, status, error_message)
+                                     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+                                    [
+                                        req.user.id,
+                                        req.user.username,
+                                        workflowBatchId,
+                                        null, // generatedId not returned by this endpoint
+                                        req.body.name,
+                                        req.body.reason,
+                                        req.body.description || null,
+                                        req.body.expirationDate,
+                                        req.body.scopeOverride || 'Authorized',
+                                        JSON.stringify(findingIds),
+                                        JSON.stringify(queueItemIds),
+                                        files.length,
+                                        JSON.stringify(files.map(f => ({ filename: f.originalname, success: true }))),
+                                        status,
+                                        null
+                                    ],
+                                    (err) => { if (err) reject(err); else resolve(); }
+                                );
+                            });
+                        } catch (dbErr) {
+                            console.error('Failed to insert submission record:', dbErr);
+                            // Don't fail the response — the Ivanti workflow was created
+                        }
+
+                        // 5. Log audit entry
+                        logAudit(db, {
+                            userId: req.user.id, username: req.user.username,
+                            action: 'ivanti_fp_workflow_created', entityType: 'ivanti_workflow',
+                            entityId: String(workflowBatchId),
+                            details: { workflowName: req.body.name, findingIds, attachmentCount: files.length, status },
+                            ipAddress: req.ip
+                        });
+
+                        // 6. Mark queue items as complete
+                        let queueItemsUpdated = 0;
+                        try {
+                            const queuePlaceholders = queueItemIds.map(() => '?').join(',');
+                            queueItemsUpdated = await new Promise((resolve, reject) => {
+                                db.run(
+                                    `UPDATE ivanti_todo_queue SET status='complete', updated_at=CURRENT_TIMESTAMP WHERE id IN (${queuePlaceholders}) AND user_id=?`,
+                                    [...queueItemIds, req.user.id],
+                                    function (err) { if (err) reject(err); else resolve(this.changes); }
+                                );
+                            });
+                        } catch (queueErr) {
+                            console.error('Failed to update queue items:', queueErr);
+                            // Don't fail — workflow was created
+                        }
+
+                        // 7. Return response
+                        res.json({
+                            success: true,
+                            workflowBatchId,
+                            queueItemsUpdated,
+                            status
+                        });
+                    })().catch((unexpectedErr) => {
+                        console.error('Unexpected error in FP workflow submission:', unexpectedErr);
+                        res.status(500).json({ success: false, error: 'Internal server error.' });
+                    });
+                }
+            );
+        });
+    });
+
+    return router;
+}
+
+module.exports = createIvantiFpWorkflowRouter;
+module.exports.validateFpWorkflowForm = validateFpWorkflowForm;
+module.exports.buildIvantiFormFields = buildIvantiFormFields;
+module.exports.buildSubjectFilterRequest = buildSubjectFilterRequest;
+module.exports.isAllowedFileExtension = isAllowedFileExtension;

backend/routes/ivantiTodoQueue.js

@@ -0,0 +1,421 @@
+// routes/ivantiTodoQueue.js
+const express = require('express');
+const { requireGroup } = require('../middleware/auth');
+const logAudit = require('../helpers/auditLog');
+
+const VALID_WORKFLOW_TYPES = ['FP', 'Archer', 'CARD'];
+const VALID_STATUSES       = ['pending', 'complete'];
+
+function isValidVendor(vendor) {
+    if (typeof vendor !== 'string') return false;
+    const trimmed = vendor.trim();
+    return trimmed.length > 0 && trimmed.length <= 200;
+}
+
+function createIvantiTodoQueueRouter(db, requireAuth) {
+    const router = express.Router();
+
+    /**
+     * GET /api/ivanti/todo-queue
+     *
+     * Fetch the current user's queue items, ordered by vendor then created_at.
+     *
+     * @returns {Array<Object>} 200 - Array of queue items, each with:
+     *   id, user_id, finding_id, finding_title, cves_json, ip_address,
+     *   vendor, workflow_type, status, created_at, updated_at, cves (parsed array)
+     * @returns {Object} 500 - { error: string } on database error
+     */
+    router.get('/', requireAuth(db), (req, res) => {
+        db.all(
+            `SELECT * FROM ivanti_todo_queue
+             WHERE user_id = ?
+             ORDER BY vendor ASC, created_at ASC`,
+            [req.user.id],
+            (err, rows) => {
+                if (err) {
+                    console.error('Error fetching todo queue:', err);
+                    return res.status(500).json({ error: 'Internal server error.' });
+                }
+                // Parse cves_json back to array for each row
+                const parsed = rows.map((r) => ({
+                    ...r,
+                    cves: r.cves_json ? JSON.parse(r.cves_json) : [],
+                }));
+                res.json(parsed);
+            }
+        );
+    });
+
+    /**
+     * POST /api/ivanti/todo-queue/batch
+     *
+     * Add multiple findings to the current user's queue in a single transaction.
+     *
+     * @body {Object[]} findings        - Required array of 1–200 finding objects
+     * @body {string} findings[].finding_id    - Required, non-empty finding identifier
+     * @body {string} [findings[].finding_title] - Optional finding title (max 500 chars)
+     * @body {string[]} [findings[].cves]        - Optional array of CVE identifiers
+     * @body {string} [findings[].ip_address]    - Optional IP address (max 64 chars)
+     * @body {string} [findings[].hostname]      - Optional hostname (max 255 chars)
+     * @body {string} workflow_type     - One of 'FP', 'Archer', 'CARD'
+     * @body {string} vendor            - Required for FP/Archer (max 200 chars); optional for CARD
+     *
+     * @returns {Object} 201 - { items: Array<Object> } array of created queue items,
+     *   each with: id, user_id, finding_id, finding_title, cves_json, ip_address,
+     *   vendor, workflow_type, status, created_at, updated_at, cves (parsed array)
+     * @returns {Object} 400 - { error: string } on validation failure
+     * @returns {Object} 500 - { error: string } on database/transaction error (all inserts rolled back)
+     */
+    router.post('/batch', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+        const { findings, workflow_type, vendor } = req.body;
+
+        // --- Validation ---
+        if (!Array.isArray(findings) || findings.length < 1 || findings.length > 200) {
+            return res.status(400).json({ error: 'findings array must contain 1-200 items.' });
+        }
+
+        for (let i = 0; i < findings.length; i++) {
+            const f = findings[i];
+            if (!f || typeof f.finding_id !== 'string' || f.finding_id.trim().length === 0) {
+                return res.status(400).json({ error: 'Each finding must have a non-empty finding_id string.' });
+            }
+        }
+
+        if (!VALID_WORKFLOW_TYPES.includes(workflow_type)) {
+            return res.status(400).json({ error: 'workflow_type must be FP, Archer, or CARD.' });
+        }
+
+        if (workflow_type !== 'CARD') {
+            if (!isValidVendor(vendor)) {
+                return res.status(400).json({ error: 'vendor is required for FP and Archer workflows.' });
+            }
+        }
+
+        if (vendor !== undefined && vendor !== '' && typeof vendor === 'string' && vendor.trim().length > 200) {
+            return res.status(400).json({ error: 'vendor must be under 200 chars.' });
+        }
+
+        const vendorVal = workflow_type === 'CARD' ? '' : vendor.trim();
+        const userId = req.user.id;
+
+        // --- Transactional batch insert ---
+        // Prepare all row values upfront
+        const rows = findings.map((f) => {
+            const findingId = f.finding_id.trim();
+            const title = f.finding_title && typeof f.finding_title === 'string'
+                ? f.finding_title.slice(0, 500)
+                : null;
+            const cvesJson = Array.isArray(f.cves) ? JSON.stringify(f.cves) : null;
+            const ipVal = f.ip_address && typeof f.ip_address === 'string'
+                ? f.ip_address.trim().slice(0, 64)
+                : null;
+            const hostVal = f.hostname && typeof f.hostname === 'string'
+                ? f.hostname.trim().slice(0, 255)
+                : null;
+            return [userId, findingId, title, cvesJson, ipVal, hostVal, vendorVal, workflow_type];
+        });
+
+        const insertedIds = [];
+        let insertError = null;
+        let remaining = rows.length;
+
+        db.serialize(() => {
+            db.run('BEGIN TRANSACTION');
+
+            rows.forEach((params) => {
+                db.run(
+                    `INSERT INTO ivanti_todo_queue
+                         (user_id, finding_id, finding_title, cves_json, ip_address, hostname, vendor, workflow_type)
+                     VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+                    params,
+                    function (err) {
+                        if (err && !insertError) {
+                            insertError = err;
+                        } else if (!err) {
+                            insertedIds.push(this.lastID);
+                        }
+                        remaining--;
+
+                        // After all insert callbacks have fired, commit or rollback
+                        if (remaining === 0) {
+                            if (insertError) {
+                                db.run('ROLLBACK', () => {
+                                    console.error('Batch insert error:', insertError);
+                                    return res.status(500).json({ error: 'Internal server error.' });
+                                });
+                            } else {
+                                db.run('COMMIT', (commitErr) => {
+                                    if (commitErr) {
+                                        console.error('Batch commit error:', commitErr);
+                                        db.run('ROLLBACK', () => {});
+                                        return res.status(500).json({ error: 'Internal server error.' });
+                                    }
+
+                                    // Fetch all inserted rows
+                                    const placeholders = insertedIds.map(() => '?').join(',');
+                                    db.all(
+                                        `SELECT * FROM ivanti_todo_queue WHERE id IN (${placeholders})`,
+                                        insertedIds,
+                                        (fetchErr, fetchedRows) => {
+                                            if (fetchErr) {
+                                                console.error('Error fetching inserted batch rows:', fetchErr);
+                                                return res.status(500).json({ error: 'Internal server error.' });
+                                            }
+
+                                            const items = (fetchedRows || []).map((r) => ({
+                                                ...r,
+                                                cves: r.cves_json ? JSON.parse(r.cves_json) : [],
+                                            }));
+
+                                            // Audit log (fire-and-forget)
+                                            logAudit(db, {
+                                                userId: req.user.id,
+                                                username: req.user.username,
+                                                action: 'batch_add_to_queue',
+                                                entityType: 'ivanti_todo_queue',
+                                                entityId: null,
+                                                details: {
+                                                    count: insertedIds.length,
+                                                    workflow_type: workflow_type,
+                                                    finding_ids: findings.map((f) => f.finding_id.trim()),
+                                                },
+                                                ipAddress: req.ip,
+                                            });
+
+                                            return res.status(201).json({ items });
+                                        }
+                                    );
+                                });
+                            }
+                        }
+                    }
+                );
+            });
+        });
+    });
+
+    /**
+     * POST /api/ivanti/todo-queue
+     *
+     * Add a single finding to the current user's queue.
+     *
+     * @body {string} finding_id       - Required, non-empty finding identifier
+     * @body {string} [finding_title]   - Optional finding title (max 500 chars)
+     * @body {string[]} [cves]          - Optional array of CVE identifiers
+     * @body {string} [ip_address]      - Optional IP address (max 64 chars)
+     * @body {string} [hostname]        - Optional hostname (max 255 chars)     * @body {string} vendor            - Required for FP/Archer (max 200 chars); optional for CARD
+     * @body {string} workflow_type     - One of 'FP', 'Archer', 'CARD'
+     *
+     * @returns {Object} 201 - Created queue item with parsed cves array:
+     *   id, user_id, finding_id, finding_title, cves_json, ip_address,
+     *   vendor, workflow_type, status, created_at, updated_at, cves
+     * @returns {Object} 400 - { error: string } on validation failure
+     * @returns {Object} 500 - { error: string } on database error
+     */
+    router.post('/', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+        const { finding_id, finding_title, cves, ip_address, hostname, vendor, workflow_type } = req.body;
+
+        if (!finding_id || typeof finding_id !== 'string' || finding_id.trim().length === 0) {
+            return res.status(400).json({ error: 'finding_id is required.' });
+        }
+        if (!VALID_WORKFLOW_TYPES.includes(workflow_type)) {
+            return res.status(400).json({ error: 'workflow_type must be FP, Archer, or CARD.' });
+        }
+        // Vendor is required for FP and Archer, optional for CARD
+        if (workflow_type !== 'CARD' && !isValidVendor(vendor)) {
+            return res.status(400).json({ error: 'vendor is required for FP and Archer workflows.' });
+        }
+        if (vendor !== undefined && vendor !== '' && !isValidVendor(vendor)) {
+            return res.status(400).json({ error: 'vendor must be under 200 chars.' });
+        }
+
+        const vendorVal = workflow_type === 'CARD' ? '' : vendor.trim();
+        const cvesJson  = Array.isArray(cves) ? JSON.stringify(cves) : null;
+        const ipVal     = ip_address && typeof ip_address === 'string' ? ip_address.trim().slice(0, 64) : null;
+        const hostVal   = hostname && typeof hostname === 'string' ? hostname.trim().slice(0, 255) : null;
+        const title     = finding_title && typeof finding_title === 'string'
+            ? finding_title.slice(0, 500)
+            : null;
+
+        db.run(
+            `INSERT INTO ivanti_todo_queue
+                 (user_id, finding_id, finding_title, cves_json, ip_address, hostname, vendor, workflow_type)
+             VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+            [req.user.id, finding_id.trim(), title, cvesJson, ipVal, hostVal, vendorVal, workflow_type],
+            function (err) {
+                if (err) {
+                    console.error('Error adding to queue:', err);
+                    return res.status(500).json({ error: 'Internal server error.' });
+                }
+                db.get(
+                    'SELECT * FROM ivanti_todo_queue WHERE id = ?',
+                    [this.lastID],
+                    (err2, row) => {
+                        if (err2 || !row) {
+                            return res.status(201).json({ id: this.lastID, message: 'Added to queue.' });
+                        }
+                        res.status(201).json({ ...row, cves: row.cves_json ? JSON.parse(row.cves_json) : [] });
+                    }
+                );
+            }
+        );
+    });
+
+    /**
+     * PUT /api/ivanti/todo-queue/:id
+     *
+     * Update vendor, workflow_type, or status on a queue item — scoped to current user.
+     *
+     * @param {string} id               - Queue item ID (URL parameter)
+     * @body {string} [vendor]          - New vendor string (max 200 chars)
+     * @body {string} [workflow_type]   - One of 'FP', 'Archer', 'CARD'
+     * @body {string} [status]          - One of 'pending', 'complete'
+     *
+     * @returns {Object} 200 - Updated queue item with parsed cves array:
+     *   id, user_id, finding_id, finding_title, cves_json, ip_address,
+     *   vendor, workflow_type, status, created_at, updated_at, cves
+     * @returns {Object} 400 - { error: string } on validation failure or no fields to update
+     * @returns {Object} 404 - { error: string } if item not found for current user
+     * @returns {Object} 500 - { error: string } on database error
+     */
+    router.put('/:id', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+        const { id } = req.params;
+        const { vendor, workflow_type, status } = req.body;
+
+        if (vendor !== undefined && !isValidVendor(vendor)) {
+            return res.status(400).json({ error: 'vendor must be a non-empty string (max 200 chars).' });
+        }
+        if (workflow_type !== undefined && !VALID_WORKFLOW_TYPES.includes(workflow_type)) {
+            return res.status(400).json({ error: 'workflow_type must be FP or Archer.' });
+        }
+        if (status !== undefined && !VALID_STATUSES.includes(status)) {
+            return res.status(400).json({ error: 'status must be pending or complete.' });
+        }
+
+        db.get(
+            'SELECT * FROM ivanti_todo_queue WHERE id = ? AND user_id = ?',
+            [id, req.user.id],
+            (err, existing) => {
+                if (err) {
+                    console.error(err);
+                    return res.status(500).json({ error: 'Internal server error.' });
+                }
+                if (!existing) {
+                    return res.status(404).json({ error: 'Queue item not found.' });
+                }
+
+                const updates = [];
+                const params  = [];
+
+                if (vendor !== undefined) {
+                    updates.push('vendor = ?');
+                    params.push(vendor.trim());
+                }
+                if (workflow_type !== undefined) {
+                    updates.push('workflow_type = ?');
+                    params.push(workflow_type);
+                }
+                if (status !== undefined) {
+                    updates.push('status = ?');
+                    params.push(status);
+                }
+
+                if (updates.length === 0) {
+                    return res.status(400).json({ error: 'No fields to update.' });
+                }
+
+                updates.push('updated_at = CURRENT_TIMESTAMP');
+                params.push(id, req.user.id);
+
+                db.run(
+                    `UPDATE ivanti_todo_queue SET ${updates.join(', ')} WHERE id = ? AND user_id = ?`,
+                    params,
+                    function (err2) {
+                        if (err2) {
+                            console.error(err2);
+                            return res.status(500).json({ error: 'Internal server error.' });
+                        }
+                        db.get(
+                            'SELECT * FROM ivanti_todo_queue WHERE id = ?',
+                            [id],
+                            (err3, row) => {
+                                if (err3 || !row) {
+                                    return res.json({ message: 'Queue item updated.' });
+                                }
+                                res.json({ ...row, cves: row.cves_json ? JSON.parse(row.cves_json) : [] });
+                            }
+                        );
+                    }
+                );
+            }
+        );
+    });
+
+    /**
+     * DELETE /api/ivanti/todo-queue/completed
+     *
+     * Bulk-delete all completed items for the current user.
+     * IMPORTANT: This route must be registered BEFORE DELETE /:id.
+     *
+     * @returns {Object} 200 - { message: string, deleted: number }
+     * @returns {Object} 500 - { error: string } on database error
+     */
+    router.delete('/completed', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+        db.run(
+            "DELETE FROM ivanti_todo_queue WHERE user_id = ? AND status = 'complete'",
+            [req.user.id],
+            function (err) {
+                if (err) {
+                    console.error('Error clearing completed queue items:', err);
+                    return res.status(500).json({ error: 'Internal server error.' });
+                }
+                res.json({ message: 'Completed items cleared.', deleted: this.changes });
+            }
+        );
+    });
+
+    /**
+     * DELETE /api/ivanti/todo-queue/:id
+     *
+     * Delete a single queue item — scoped to current user.
+     *
+     * @param {string} id - Queue item ID (URL parameter)
+     *
+     * @returns {Object} 200 - { message: string }
+     * @returns {Object} 404 - { error: string } if item not found for current user
+     * @returns {Object} 500 - { error: string } on database error
+     */
+    router.delete('/:id', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+        const { id } = req.params;
+
+        db.get(
+            'SELECT id FROM ivanti_todo_queue WHERE id = ? AND user_id = ?',
+            [id, req.user.id],
+            (err, row) => {
+                if (err) {
+                    console.error(err);
+                    return res.status(500).json({ error: 'Internal server error.' });
+                }
+                if (!row) {
+                    return res.status(404).json({ error: 'Queue item not found.' });
+                }
+
+                db.run(
+                    'DELETE FROM ivanti_todo_queue WHERE id = ? AND user_id = ?',
+                    [id, req.user.id],
+                    function (err2) {
+                        if (err2) {
+                            console.error(err2);
+                            return res.status(500).json({ error: 'Internal server error.' });
+                        }
+                        res.json({ message: 'Queue item deleted.' });
+                    }
+                );
+            }
+        );
+    });
+
+    return router;
+}
+
+module.exports = createIvantiTodoQueueRouter;

backend/routes/ivantiWorkflows.js

@@ -0,0 +1,237 @@
+// Ivanti / RiskSense Workflow Routes
+// Data is cached in SQLite and refreshed on a daily schedule or on-demand.
+// Auth: x-api-key header (confirmed via platform4.risksense.com/doc/swagger.json)
+// Error codes: 401 bad key, 419 insufficient privileges, 429 rate limited
+
+const express = require('express');
+const { requireGroup } = require('../middleware/auth');
+const { ivantiPost } = require('../helpers/ivantiApi');
+
+const SYNC_INTERVAL_MS = 24 * 60 * 60 * 1000; // 24 hours
+
+// ---------------------------------------------------------------------------
+// Ensure the sync state table exists (idempotent — safe to call on every start)
+// ---------------------------------------------------------------------------
+function initTable(db) {
+    return new Promise((resolve, reject) => {
+        db.serialize(() => {
+            db.run(`
+                CREATE TABLE IF NOT EXISTS ivanti_sync_state (
+                    id INTEGER PRIMARY KEY CHECK (id = 1),
+                    total INTEGER DEFAULT 0,
+                    workflows_json TEXT DEFAULT '[]',
+                    synced_at DATETIME,
+                    sync_status TEXT DEFAULT 'never',
+                    error_message TEXT
+                )
+            `, (err) => { if (err) return reject(err); });
+
+            db.run(`
+                INSERT OR IGNORE INTO ivanti_sync_state (id, total, workflows_json, sync_status)
+                VALUES (1, 0, '[]', 'never')
+            `, (err) => {
+                if (err) reject(err);
+                else resolve();
+            });
+        });
+    });
+}
+
+// ---------------------------------------------------------------------------
+// Core sync — calls Ivanti API, stores result in SQLite
+// ---------------------------------------------------------------------------
+async function syncWorkflows(db) {
+    const apiKey = process.env.IVANTI_API_KEY;
+    const clientId = process.env.IVANTI_CLIENT_ID || '1550';
+    const firstName = process.env.IVANTI_FIRST_NAME || '';
+    const lastName = process.env.IVANTI_LAST_NAME || '';
+    const skipTls = process.env.IVANTI_SKIP_TLS === 'true';
+
+    if (!apiKey) {
+        const errMsg = 'IVANTI_API_KEY not set in .env — skipping sync';
+        console.warn('[Ivanti]', errMsg);
+        await new Promise((resolve) => {
+            db.run(
+                `UPDATE ivanti_sync_state SET sync_status='error', error_message=?, synced_at=datetime('now') WHERE id=1`,
+                [errMsg], resolve
+            );
+        });
+        return;
+    }
+
+    console.log('[Ivanti] Syncing workflows...');
+
+    const urlPath = `/client/${encodeURIComponent(clientId)}/workflowBatch/search`;
+    const body = {
+        filters: [
+            {
+                field: 'created_by_last_name',
+                exclusive: false,
+                operator: 'IN',
+                orWithPrevious: false,
+                implicitFilters: [],
+                value: lastName,
+                caseSensitive: false
+            },
+            {
+                field: 'created_by_first_name',
+                exclusive: false,
+                operator: 'IN',
+                orWithPrevious: false,
+                implicitFilters: [],
+                value: firstName,
+                caseSensitive: false
+            }
+        ],
+        projection: 'internal',
+        sort: [{ field: 'created', direction: 'DESC' }],
+        page: 0,
+        size: 50
+    };
+
+    try {
+        const result = await ivantiPost(urlPath, body, apiKey, skipTls);
+
+        if (result.status === 401) {
+            throw new Error('Invalid or missing API key (401) — check IVANTI_API_KEY in .env');
+        }
+        if (result.status === 419) {
+            throw new Error('Insufficient privileges (419) — API key lacks workflow access');
+        }
+        if (result.status === 429) {
+            throw new Error('Rate limited (429) — will retry at next scheduled sync');
+        }
+        if (result.status !== 200) {
+            throw new Error(`Ivanti API returned unexpected status ${result.status}`);
+        }
+
+        const data = JSON.parse(result.body);
+
+        // Spring Data REST format: { _embedded: { workflowBatches: [...] }, page: { totalElements, ... } }
+        let total = 0;
+        let workflows = [];
+
+        if (data.page && typeof data.page.totalElements === 'number') {
+            total = data.page.totalElements;
+            workflows = data._embedded?.workflowBatches
+                || data._embedded?.workflowBatch
+                || [];
+        } else if (typeof data.total === 'number') {
+            total = data.total;
+            workflows = data.data || data.content || data.results || [];
+        } else if (typeof data.totalElements === 'number') {
+            total = data.totalElements;
+            workflows = data.content || data.data || [];
+        } else if (Array.isArray(data)) {
+            workflows = data;
+            total = data.length;
+        }
+
+        await new Promise((resolve, reject) => {
+            db.run(
+                `UPDATE ivanti_sync_state
+                 SET total=?, workflows_json=?, synced_at=datetime('now'), sync_status='success', error_message=NULL
+                 WHERE id=1`,
+                [total, JSON.stringify(workflows)],
+                (err) => { if (err) reject(err); else resolve(); }
+            );
+        });
+
+        console.log(`[Ivanti] Sync complete — ${total} workflows`);
+    } catch (err) {
+        const msg = err.message || 'Unknown error';
+        console.error('[Ivanti] Sync failed:', msg);
+        await new Promise((resolve) => {
+            db.run(
+                `UPDATE ivanti_sync_state SET sync_status='error', error_message=?, synced_at=datetime('now') WHERE id=1`,
+                [msg], resolve
+            );
+        });
+    }
+}
+
+// ---------------------------------------------------------------------------
+// Scheduler — runs sync immediately if >24h stale, then every 24h
+// ---------------------------------------------------------------------------
+function scheduleSync(db) {
+    db.get('SELECT synced_at FROM ivanti_sync_state WHERE id = 1', (err, row) => {
+        if (err || !row || !row.synced_at) {
+            syncWorkflows(db);
+        } else {
+            const lastSync = new Date(row.synced_at.replace(' ', 'T') + 'Z');
+            const hoursSince = (Date.now() - lastSync.getTime()) / (1000 * 60 * 60);
+            if (hoursSince >= 24) {
+                syncWorkflows(db);
+            } else {
+                const hoursUntil = (24 - hoursSince).toFixed(1);
+                console.log(`[Ivanti] Last sync ${hoursSince.toFixed(1)}h ago — next auto-sync in ${hoursUntil}h`);
+            }
+        }
+    });
+
+    setInterval(() => syncWorkflows(db), SYNC_INTERVAL_MS);
+}
+
+// ---------------------------------------------------------------------------
+// Helper — read current state from DB and return as JSON-ready object
+// ---------------------------------------------------------------------------
+function readState(db) {
+    return new Promise((resolve, reject) => {
+        db.get(
+            'SELECT total, workflows_json, synced_at, sync_status, error_message FROM ivanti_sync_state WHERE id = 1',
+            (err, row) => {
+                if (err) return reject(err);
+                if (!row) return resolve({ total: 0, workflows: [], synced_at: null, sync_status: 'never', error_message: null });
+
+                let workflows = [];
+                try { workflows = JSON.parse(row.workflows_json || '[]'); } catch (_) { /* leave empty */ }
+
+                resolve({
+                    total: row.total || 0,
+                    workflows,
+                    synced_at: row.synced_at,
+                    sync_status: row.sync_status,
+                    error_message: row.error_message
+                });
+            }
+        );
+    });
+}
+
+// ---------------------------------------------------------------------------
+// Router
+// ---------------------------------------------------------------------------
+function createIvantiWorkflowsRouter(db, requireAuth) {
+    const router = express.Router();
+
+    // Init table and kick off scheduler (fire-and-forget on startup)
+    initTable(db)
+        .then(() => scheduleSync(db))
+        .catch((err) => console.error('[Ivanti] Init failed:', err));
+
+    // All routes require authentication
+    router.use(requireAuth(db));
+
+    // GET / — return cached data (fast, no external call)
+    router.get('/', async (req, res) => {
+        try {
+            res.json(await readState(db));
+        } catch {
+            res.status(500).json({ error: 'Database error reading sync state' });
+        }
+    });
+
+    // POST /sync — trigger an immediate sync, await completion, return fresh state
+    router.post('/sync', requireGroup('Admin', 'Standard_User'), async (req, res) => {
+        await syncWorkflows(db);
+        try {
+            res.json(await readState(db));
+        } catch {
+            res.status(500).json({ error: 'Sync ran but could not read updated state' });
+        }
+    });
+
+    return router;
+}
+
+module.exports = createIvantiWorkflowsRouter;

backend/routes/knowledgeBase.js

@@ -0,0 +1,417 @@
+const express = require('express');
+const path = require('path');
+const fs = require('fs');
+const { requireAuth, requireGroup } = require('../middleware/auth');
+const logAudit = require('../helpers/auditLog');
+
+function createKnowledgeBaseRouter(db, upload) {
+  const router = express.Router();
+
+  // Helper to sanitize filename
+  function sanitizePathSegment(segment) {
+    if (!segment || typeof segment !== 'string') return '';
+    return segment
+      .replace(/\0/g, '')
+      .replace(/\.\./g, '')
+      .replace(/[\/\\]/g, '')
+      .trim();
+  }
+
+  // Helper to generate slug from title
+  function generateSlug(title) {
+    return title
+      .toLowerCase()
+      .replace(/[^a-z0-9]+/g, '-')
+      .replace(/^-+|-+$/g, '')
+      .substring(0, 200);
+  }
+
+  // Helper to validate file type
+  const ALLOWED_EXTENSIONS = new Set([
+    '.pdf', '.md', '.txt', '.doc', '.docx',
+    '.xls', '.xlsx', '.ppt', '.pptx',
+    '.html', '.htm', '.json', '.yaml', '.yml',
+    '.png', '.jpg', '.jpeg', '.gif'
+  ]);
+
+  function isValidFileType(filename) {
+    const ext = path.extname(filename).toLowerCase();
+    return ALLOWED_EXTENSIONS.has(ext);
+  }
+
+  /**
+   * POST /api/knowledge-base/upload
+   * Upload a new knowledge base document.
+   *
+   * @body {string} title - Article title (required)
+   * @body {string} [description] - Article description
+   * @body {string} [category] - Article category (defaults to 'General')
+   * @body {File} file - The document file to upload (multipart/form-data)
+   *
+   * @response 200 - { success: true, id: number, title: string, slug: string, category: string }
+   * @response 400 - { error: string } - Missing title, no file, or invalid file type
+   * @response 500 - { error: string } - Database or filesystem error
+   */
+  router.post('/upload', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res, next) => {
+    upload.single('file')(req, res, (err) => {
+      if (err) {
+        console.error('[KB Upload] Multer error:', err);
+        return res.status(400).json({ error: err.message || 'File upload failed' });
+      }
+      next();
+    });
+  }, async (req, res) => {
+    console.log('[KB Upload] Request received:', {
+      hasFile: !!req.file,
+      body: req.body,
+      contentType: req.headers['content-type']
+    });
+
+    const uploadedFile = req.file;
+    const { title, description, category } = req.body;
+
+    // Validate required fields
+    if (!title || !title.trim()) {
+      console.error('[KB Upload] Error: Title is missing');
+      if (uploadedFile) fs.unlinkSync(uploadedFile.path);
+      return res.status(400).json({ error: 'Title is required' });
+    }
+
+    if (!uploadedFile) {
+      return res.status(400).json({ error: 'No file uploaded' });
+    }
+
+    // Validate file type
+    if (!isValidFileType(uploadedFile.originalname)) {
+      fs.unlinkSync(uploadedFile.path);
+      return res.status(400).json({ error: 'File type not allowed' });
+    }
+
+    const timestamp = Date.now();
+    const sanitizedName = sanitizePathSegment(uploadedFile.originalname);
+    const slug = generateSlug(title);
+    const kbDir = path.join(__dirname, '..', 'uploads', 'knowledge_base');
+
+    const filename = `${timestamp}_${sanitizedName}`;
+    const filePath = path.join(kbDir, filename);
+
+    try {
+      // Keep file in temp location until DB insert succeeds
+      // Check if slug already exists
+      db.get('SELECT id FROM knowledge_base WHERE slug = ?', [slug], (err, row) => {
+        if (err) {
+          fs.unlinkSync(uploadedFile.path);
+          console.error('Error checking slug:', err);
+          return res.status(500).json({ error: 'Database error' });
+        }
+
+        // If slug exists, append timestamp to make it unique
+        const finalSlug = row ? `${slug}-${timestamp}` : slug;
+
+        // Insert new knowledge base entry
+        const insertSql = `
+          INSERT INTO knowledge_base (
+            title, slug, description, category, file_path, file_name,
+            file_type, file_size, created_by
+          ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+        `;
+
+        db.run(
+          insertSql,
+          [
+            title.trim(),
+            finalSlug,
+            description || null,
+            category || 'General',
+            filePath,
+            sanitizedName,
+            uploadedFile.mimetype,
+            uploadedFile.size,
+            req.user.id
+          ],
+          function (err) {
+            if (err) {
+              fs.unlinkSync(uploadedFile.path);
+              console.error('Error inserting knowledge base entry:', err);
+              return res.status(500).json({ error: 'Failed to save document metadata' });
+            }
+
+            // DB insert succeeded — now move file to permanent location
+            try {
+              if (!fs.existsSync(kbDir)) {
+                fs.mkdirSync(kbDir, { recursive: true });
+              }
+              fs.renameSync(uploadedFile.path, filePath);
+            } catch (moveErr) {
+              console.error('Error moving file to permanent location:', moveErr);
+              // File is orphaned in temp but DB record exists — log and continue
+            }
+
+            // Log audit entry
+            logAudit(db, {
+              userId: req.user.id,
+              username: req.user.username,
+              action: 'CREATE_KB_ARTICLE',
+              entityType: 'knowledge_base',
+              entityId: String(this.lastID),
+              details: { title: title.trim(), filename: sanitizedName },
+              ipAddress: req.ip
+            });
+
+            res.json({
+              success: true,
+              id: this.lastID,
+              title: title.trim(),
+              slug: finalSlug,
+              category: category || 'General'
+            });
+          }
+        );
+      });
+    } catch (error) {
+      // Clean up temp file on error
+      if (uploadedFile && fs.existsSync(uploadedFile.path)) fs.unlinkSync(uploadedFile.path);
+      console.error('Error uploading knowledge base document:', error);
+      res.status(500).json({ error: error.message || 'Failed to upload document' });
+    }
+  });
+
+  /**
+   * GET /api/knowledge-base
+   * List all knowledge base articles.
+   *
+   * @response 200 - Array of article objects: [{ id, title, slug, description, category, file_name, file_type, file_size, created_at, updated_at, created_by_username }]
+   * @response 500 - { error: string }
+   */
+  router.get('/', requireAuth(db), (req, res) => {
+    const sql = `
+      SELECT
+        kb.id, kb.title, kb.slug, kb.description, kb.category,
+        kb.file_name, kb.file_type, kb.file_size, kb.created_at, kb.updated_at,
+        u.username as created_by_username
+      FROM knowledge_base kb
+      LEFT JOIN users u ON kb.created_by = u.id
+      ORDER BY kb.created_at DESC
+    `;
+
+    db.all(sql, [], (err, rows) => {
+      if (err) {
+        console.error('Error fetching knowledge base articles:', err);
+        return res.status(500).json({ error: 'Failed to fetch articles' });
+      }
+
+      res.json(rows);
+    });
+  });
+
+  /**
+   * GET /api/knowledge-base/:id
+   * Get a single article's details by ID.
+   *
+   * @param {string} id - Article ID (route parameter)
+   *
+   * @response 200 - { id, title, slug, description, category, file_name, file_type, file_size, created_at, updated_at, created_by_username }
+   * @response 404 - { error: 'Article not found' }
+   * @response 500 - { error: string }
+   */
+  router.get('/:id', requireAuth(db), (req, res) => {
+    const { id } = req.params;
+
+    const sql = `
+      SELECT
+        kb.id, kb.title, kb.slug, kb.description, kb.category,
+        kb.file_name, kb.file_type, kb.file_size, kb.created_at, kb.updated_at,
+        u.username as created_by_username
+      FROM knowledge_base kb
+      LEFT JOIN users u ON kb.created_by = u.id
+      WHERE kb.id = ?
+    `;
+
+    db.get(sql, [id], (err, row) => {
+      if (err) {
+        console.error('Error fetching article:', err);
+        return res.status(500).json({ error: 'Failed to fetch article' });
+      }
+
+      if (!row) {
+        return res.status(404).json({ error: 'Article not found' });
+      }
+
+      res.json(row);
+    });
+  });
+
+  /**
+   * GET /api/knowledge-base/:id/content
+   * Get document content for inline display. Returns the raw file with appropriate
+   * Content-Type headers. Markdown and text files are served as text/plain.
+   *
+   * @param {string} id - Article ID (route parameter)
+   *
+   * @response 200 - Raw file content with Content-Type and Content-Disposition headers
+   * @response 404 - { error: string } - Article or file not found
+   * @response 500 - { error: string }
+   */
+  router.get('/:id/content', requireAuth(db), (req, res) => {
+    const { id } = req.params;
+
+    const sql = 'SELECT file_path, file_name, file_type FROM knowledge_base WHERE id = ?';
+
+    db.get(sql, [id], (err, row) => {
+      if (err) {
+        console.error('Error fetching document:', err);
+        return res.status(500).json({ error: 'Failed to fetch document' });
+      }
+
+      if (!row) {
+        return res.status(404).json({ error: 'Document not found' });
+      }
+
+      if (!fs.existsSync(row.file_path)) {
+        return res.status(404).json({ error: 'File not found on disk' });
+      }
+
+      // Log audit entry
+      logAudit(db, {
+        userId: req.user.id,
+        username: req.user.username,
+        action: 'VIEW_KB_ARTICLE',
+        entityType: 'knowledge_base',
+        entityId: String(id),
+        details: { filename: row.file_name },
+        ipAddress: req.ip
+      });
+
+      // Determine content type for inline display
+      let contentType = row.file_type || 'application/octet-stream';
+
+      // For markdown files, send as plain text so frontend can parse it
+      if (row.file_name.endsWith('.md')) {
+        contentType = 'text/plain; charset=utf-8';
+      } else if (row.file_name.endsWith('.txt')) {
+        contentType = 'text/plain; charset=utf-8';
+      }
+
+      const safeFileName = row.file_name.replace(/["\r\n\\]/g, '');
+      res.setHeader('Content-Type', contentType);
+      // Use inline instead of attachment to allow browser to display
+      res.setHeader('Content-Disposition', `inline; filename="${safeFileName}"`);
+      // Allow iframe embedding from frontend origin
+      res.removeHeader('X-Frame-Options');
+      const corsOrigins = process.env.CORS_ORIGINS ? process.env.CORS_ORIGINS.split(',').join(' ') : 'http://localhost:3000';
+      res.setHeader('Content-Security-Policy', `frame-ancestors 'self' ${corsOrigins}`);
+      res.sendFile(row.file_path);
+    });
+  });
+
+  /**
+   * GET /api/knowledge-base/:id/download
+   * Download a knowledge base document as an attachment.
+   *
+   * @param {string} id - Article ID (route parameter)
+   *
+   * @response 200 - File download with Content-Disposition: attachment header
+   * @response 404 - { error: string } - Article or file not found
+   * @response 500 - { error: string }
+   */
+  router.get('/:id/download', requireAuth(db), (req, res) => {
+    const { id } = req.params;
+
+    const sql = 'SELECT file_path, file_name, file_type FROM knowledge_base WHERE id = ?';
+
+    db.get(sql, [id], (err, row) => {
+      if (err) {
+        console.error('Error fetching document:', err);
+        return res.status(500).json({ error: 'Failed to fetch document' });
+      }
+
+      if (!row) {
+        return res.status(404).json({ error: 'Document not found' });
+      }
+
+      if (!fs.existsSync(row.file_path)) {
+        return res.status(404).json({ error: 'File not found on disk' });
+      }
+
+      // Log audit entry
+      logAudit(db, {
+        userId: req.user.id,
+        username: req.user.username,
+        action: 'DOWNLOAD_KB_ARTICLE',
+        entityType: 'knowledge_base',
+        entityId: String(id),
+        details: { filename: row.file_name },
+        ipAddress: req.ip
+      });
+
+      const safeDownloadName = row.file_name.replace(/["\r\n\\]/g, '');
+      res.setHeader('Content-Type', row.file_type || 'application/octet-stream');
+      res.setHeader('Content-Disposition', `attachment; filename="${safeDownloadName}"`);
+      res.sendFile(row.file_path);
+    });
+  });
+
+  /**
+   * DELETE /api/knowledge-base/:id
+   * Delete a knowledge base article and its associated file.
+   * Standard_User can only delete articles they created. Admin can delete any article.
+   *
+   * @param {string} id - Article ID (route parameter)
+   *
+   * @response 200 - { success: true }
+   * @response 403 - { error: string } - Ownership check failed for Standard_User
+   * @response 404 - { error: 'Article not found' }
+   * @response 500 - { error: string }
+   */
+  router.delete('/:id', requireAuth(db), requireGroup('Admin', 'Standard_User'), (req, res) => {
+    const { id } = req.params;
+
+    const sql = 'SELECT file_path, title, created_by FROM knowledge_base WHERE id = ?';
+
+    db.get(sql, [id], (err, row) => {
+      if (err) {
+        console.error('Error fetching article for deletion:', err);
+        return res.status(500).json({ error: 'Failed to fetch article' });
+      }
+
+      if (!row) {
+        return res.status(404).json({ error: 'Article not found' });
+      }
+
+      // Ownership check: Standard_User can only delete articles they created
+      if (req.user.group === 'Standard_User' && row.created_by !== req.user.id) {
+        return res.status(403).json({ error: 'You can only delete resources you created' });
+      }
+
+      // Delete database record
+      db.run('DELETE FROM knowledge_base WHERE id = ?', [id], (err) => {
+        if (err) {
+          console.error('Error deleting article:', err);
+          return res.status(500).json({ error: 'Failed to delete article' });
+        }
+
+        // Delete file
+        if (fs.existsSync(row.file_path)) {
+          fs.unlinkSync(row.file_path);
+        }
+
+        // Log audit entry
+        logAudit(db, {
+          userId: req.user.id,
+          username: req.user.username,
+          action: 'DELETE_KB_ARTICLE',
+          entityType: 'knowledge_base',
+          entityId: String(id),
+          details: { title: row.title },
+          ipAddress: req.ip
+        });
+
+        res.json({ success: true });
+      });
+    });
+  });
+
+  return router;
+}
+
+module.exports = createKnowledgeBaseRouter;

backend/routes/nvdLookup.js

@@ -0,0 +1,94 @@
+// NVD CVE Lookup Routes
+const express = require('express');
+
+const CVE_ID_PATTERN = /^CVE-\d{4}-\d{4,}$/;
+
+function createNvdLookupRouter(db, requireAuth) {
+    const router = express.Router();
+
+    // All routes require authentication
+    router.use(requireAuth(db));
+
+    // Lookup CVE details from NVD API 2.0
+    router.get('/lookup/:cveId', async (req, res) => {
+        const { cveId } = req.params;
+
+        if (!CVE_ID_PATTERN.test(cveId)) {
+            return res.status(400).json({ error: 'Invalid CVE ID format. Expected CVE-YYYY-NNNNN.' });
+        }
+
+        const url = `https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=${encodeURIComponent(cveId)}`;
+        const headers = {};
+        if (process.env.NVD_API_KEY) {
+            headers['apiKey'] = process.env.NVD_API_KEY;
+        }
+
+        try {
+            const response = await fetch(url, {
+                headers,
+                signal: AbortSignal.timeout(10000)
+            });
+
+            if (response.status === 404) {
+                return res.status(404).json({ error: 'CVE not found in NVD.' });
+            }
+
+            if (response.status === 429) {
+                return res.status(429).json({ error: 'NVD API rate limit exceeded. Try again later.' });
+            }
+
+            if (!response.ok) {
+                return res.status(502).json({ error: `NVD API returned status ${response.status}.` });
+            }
+
+            const data = await response.json();
+
+            if (!data.vulnerabilities || data.vulnerabilities.length === 0) {
+                return res.status(404).json({ error: 'CVE not found in NVD.' });
+            }
+
+            const vuln = data.vulnerabilities[0].cve;
+
+            // Extract English description
+            const descriptionEntry = vuln.descriptions?.find(d => d.lang === 'en');
+            const description = descriptionEntry ? descriptionEntry.value : '';
+
+            // Extract severity with cascade: CVSS v3.1 → v3.0 → v2.0
+            let severity = null;
+            const metrics = vuln.metrics || {};
+
+            if (metrics.cvssMetricV31 && metrics.cvssMetricV31.length > 0) {
+                severity = metrics.cvssMetricV31[0].cvssData?.baseSeverity;
+            } else if (metrics.cvssMetricV30 && metrics.cvssMetricV30.length > 0) {
+                severity = metrics.cvssMetricV30[0].cvssData?.baseSeverity;
+            } else if (metrics.cvssMetricV2 && metrics.cvssMetricV2.length > 0) {
+                severity = metrics.cvssMetricV2[0].baseSeverity;
+            }
+
+            // Map NVD severity strings to app levels
+            const severityMap = {
+                'CRITICAL': 'Critical',
+                'HIGH': 'High',
+                'MEDIUM': 'Medium',
+                'LOW': 'Low'
+            };
+            severity = severity ? (severityMap[severity.toUpperCase()] || 'Medium') : 'Medium';
+
+            // Extract published date (YYYY-MM-DD)
+            const publishedRaw = vuln.published;
+            const published_date = publishedRaw ? publishedRaw.split('T')[0] : '';
+
+            res.json({ description, severity, published_date });
+        } catch (err) {
+            if (err.name === 'TimeoutError' || err.name === 'AbortError') {
+                return res.status(504).json({ error: 'NVD API request timed out.' });
+            }
+            console.error('NVD lookup error:', err);
+            res.status(502).json({ error: 'Failed to reach NVD API.' });
+        }
+    });
+
+    return router;
+}
+
+module.exports = createNvdLookupRouter;

backend/routes/users.js

@@ -2,18 +2,18 @@
 const express = require('express');
 const bcrypt = require('bcryptjs');
 
-function createUsersRouter(db, requireAuth, requireRole) {
+function createUsersRouter(db, requireAuth, requireGroup, logAudit) {
     const router = express.Router();
 
-    // All routes require admin role
-    router.use(requireAuth(db), requireRole('admin'));
+    // All routes require Admin group
+    router.use(requireAuth(db), requireGroup('Admin'));
 
     // Get all users
     router.get('/', async (req, res) => {
         try {
             const users = await new Promise((resolve, reject) => {
                 db.all(
-                    `SELECT id, username, email, role, is_active, created_at, last_login
+                    `SELECT id, username, email, user_group AS 'group', is_active, created_at, last_login
                      FROM users ORDER BY created_at DESC`,
                     (err, rows) => {
                         if (err) reject(err);
@@ -33,7 +33,7 @@ function createUsersRouter(db, requireAuth, requireRole) {
         try {
             const user = await new Promise((resolve, reject) => {
                 db.get(
-                    `SELECT id, username, email, role, is_active, created_at, last_login
+                    `SELECT id, username, email, user_group AS 'group', is_active, created_at, last_login
                      FROM users WHERE id = ?`,
                     [req.params.id],
                     (err, row) => {
@@ -56,14 +56,17 @@ function createUsersRouter(db, requireAuth, requireRole) {
 
     // Create new user
     router.post('/', async (req, res) => {
-        const { username, email, password, role } = req.body;
+        const { username, email, password, group } = req.body;
+        const VALID_GROUPS = ['Admin', 'Standard_User', 'Leadership', 'Read_Only'];
 
         if (!username || !email || !password) {
             return res.status(400).json({ error: 'Username, email, and password are required' });
         }
 
-        if (role && !['admin', 'editor', 'viewer'].includes(role)) {
-            return res.status(400).json({ error: 'Invalid role. Must be admin, editor, or viewer' });
+        const userGroup = group || 'Read_Only';
+
+        if (!VALID_GROUPS.includes(userGroup)) {
+            return res.status(400).json({ error: 'Invalid group. Must be one of: Admin, Standard_User, Leadership, Read_Only' });
         }
 
         try {
@@ -71,9 +74,9 @@ function createUsersRouter(db, requireAuth, requireRole) {
 
             const result = await new Promise((resolve, reject) => {
                 db.run(
-                    `INSERT INTO users (username, email, password_hash, role)
+                    `INSERT INTO users (username, email, password_hash, user_group)
                      VALUES (?, ?, ?, ?)`,
-                    [username, email, passwordHash, role || 'viewer'],
+                    [username, email, passwordHash, userGroup],
                     function(err) {
                         if (err) reject(err);
                         else resolve({ id: this.lastID });
@@ -81,13 +84,23 @@ function createUsersRouter(db, requireAuth, requireRole) {
                 );
             });
 
+            logAudit(db, {
+                userId: req.user.id,
+                username: req.user.username,
+                action: 'user_create',
+                entityType: 'user',
+                entityId: String(result.id),
+                details: { created_username: username, group: userGroup },
+                ipAddress: req.ip
+            });
+
             res.status(201).json({
                 message: 'User created successfully',
                 user: {
                     id: result.id,
                     username,
                     email,
-                    role: role || 'viewer'
+                    group: userGroup
                 }
             });
         } catch (err) {
@@ -101,20 +114,42 @@ function createUsersRouter(db, requireAuth, requireRole) {
 
     // Update user
     router.patch('/:id', async (req, res) => {
-        const { username, email, password, role, is_active } = req.body;
+        const { username, email, password, group, is_active } = req.body;
+        const VALID_GROUPS = ['Admin', 'Standard_User', 'Leadership', 'Read_Only'];
         const userId = req.params.id;
 
-        // Prevent self-demotion from admin
-        if (userId == req.user.id && role && role !== 'admin') {
-            return res.status(400).json({ error: 'Cannot remove your own admin role' });
+        // Validate group if provided
+        if (group && !VALID_GROUPS.includes(group)) {
+            return res.status(400).json({ error: 'Invalid group. Must be one of: Admin, Standard_User, Leadership, Read_Only' });
+        }
+
+        // Prevent admin self-demotion
+        if (String(userId) === String(req.user.id) && group && group !== 'Admin') {
+            return res.status(400).json({ error: 'Cannot remove your own admin group' });
         }
 
         // Prevent self-deactivation
-        if (userId == req.user.id && is_active === false) {
+        if (String(userId) === String(req.user.id) && is_active === false) {
             return res.status(400).json({ error: 'Cannot deactivate your own account' });
         }
 
         try {
+            // Fetch current user record before update (needed for group change audit)
+            const currentUser = await new Promise((resolve, reject) => {
+                db.get(
+                    'SELECT user_group FROM users WHERE id = ?',
+                    [userId],
+                    (err, row) => {
+                        if (err) reject(err);
+                        else resolve(row);
+                    }
+                );
+            });
+
+            if (!currentUser) {
+                return res.status(404).json({ error: 'User not found' });
+            }
+
             const updates = [];
             const values = [];
 
@@ -131,12 +166,9 @@ function createUsersRouter(db, requireAuth, requireRole) {
                 updates.push('password_hash = ?');
                 values.push(passwordHash);
             }
-            if (role) {
-                if (!['admin', 'editor', 'viewer'].includes(role)) {
-                    return res.status(400).json({ error: 'Invalid role' });
-                }
-                updates.push('role = ?');
-                values.push(role);
+            if (group) {
+                updates.push('user_group = ?');
+                values.push(group);
             }
             if (typeof is_active === 'boolean') {
                 updates.push('is_active = ?');
@@ -160,6 +192,39 @@ function createUsersRouter(db, requireAuth, requireRole) {
                 );
             });
 
+            const updatedFields = {};
+            if (username) updatedFields.username = username;
+            if (email) updatedFields.email = email;
+            if (group) updatedFields.group = group;
+            if (typeof is_active === 'boolean') updatedFields.is_active = is_active;
+            if (password) updatedFields.password_changed = true;
+
+            logAudit(db, {
+                userId: req.user.id,
+                username: req.user.username,
+                action: 'user_update',
+                entityType: 'user',
+                entityId: String(userId),
+                details: updatedFields,
+                ipAddress: req.ip
+            });
+
+            // Log specific audit entry for group changes
+            if (group && group !== currentUser.user_group) {
+                logAudit(db, {
+                    userId: req.user.id,
+                    username: req.user.username,
+                    action: 'user_group_change',
+                    entityType: 'user',
+                    entityId: String(userId),
+                    details: {
+                        previous_group: currentUser.user_group,
+                        new_group: group
+                    },
+                    ipAddress: req.ip
+                });
+            }
+
             // If user was deactivated, delete their sessions
             if (is_active === false) {
                 await new Promise((resolve) => {
@@ -182,11 +247,19 @@ function createUsersRouter(db, requireAuth, requireRole) {
         const userId = req.params.id;
 
         // Prevent self-deletion
-        if (userId == req.user.id) {
+        if (String(userId) === String(req.user.id)) {
             return res.status(400).json({ error: 'Cannot delete your own account' });
         }
 
         try {
+            // Look up the user before deleting
+            const targetUser = await new Promise((resolve, reject) => {
+                db.get('SELECT username FROM users WHERE id = ?', [userId], (err, row) => {
+                    if (err) reject(err);
+                    else resolve(row);
+                });
+            });
+
             // Delete sessions first (foreign key)
             await new Promise((resolve) => {
                 db.run('DELETE FROM sessions WHERE user_id = ?', [userId], () => resolve());
@@ -204,6 +277,16 @@ function createUsersRouter(db, requireAuth, requireRole) {
                 return res.status(404).json({ error: 'User not found' });
             }
 
+            logAudit(db, {
+                userId: req.user.id,
+                username: req.user.username,
+                action: 'user_delete',
+                entityType: 'user',
+                entityId: String(userId),
+                details: { deleted_username: targetUser ? targetUser.username : 'unknown' },
+                ipAddress: req.ip
+            });
+
             res.json({ message: 'User deleted successfully' });
         } catch (err) {
             console.error('Delete user error:', err);

backend/scripts/import_notes_from_csv.py

@@ -0,0 +1,182 @@
+#!/usr/bin/env python3
+"""
+import_notes_from_csv.py
+------------------------
+Mass-import finding notes from a CSV file into the CVE dashboard database.
+
+CSV format (header row required, column names are case-insensitive):
+    ID,NOTES
+    12345,EXC-5754
+    67890,EXC-6001 - pending review
+
+Usage:
+    python3 import_notes_from_csv.py <csv_file> [--db <db_path>] [--dry-run]
+
+Options:
+    --db <path>   Path to cve_database.db  (default: ../cve_database.db)
+    --dry-run     Print what would change without touching the database
+"""
+
+import csv
+import sqlite3
+import sys
+import os
+import argparse
+from datetime import datetime, timezone
+
+NOTE_MAX_LEN = 255
+
+DEFAULT_DB = os.path.join(os.path.dirname(__file__), '..', 'cve_database.db')
+
+
+def parse_args():
+    p = argparse.ArgumentParser(description='Import finding notes from CSV into the dashboard DB.')
+    p.add_argument('csv_file', help='Path to the CSV file (must have ID and NOTES columns)')
+    p.add_argument('--db', default=DEFAULT_DB, help=f'Path to SQLite database (default: {DEFAULT_DB})')
+    p.add_argument('--dry-run', action='store_true', help='Preview changes without writing to DB')
+    return p.parse_args()
+
+
+def load_csv(path):
+    """Read CSV and return list of (finding_id, note) tuples."""
+    rows = []
+    with open(path, newline='', encoding='utf-8-sig') as f:
+        reader = csv.DictReader(f)
+        # Normalise header names to uppercase for case-insensitive matching
+        if reader.fieldnames is None:
+            print('ERROR: CSV file is empty or has no header row.')
+            sys.exit(1)
+
+        normalised = {k.strip().upper(): k for k in reader.fieldnames}
+        if 'ID' not in normalised or 'NOTES' not in normalised:
+            print(f'ERROR: CSV must have "ID" and "NOTES" columns.')
+            print(f'       Found columns: {list(reader.fieldnames)}')
+            sys.exit(1)
+
+        id_col    = normalised['ID']
+        notes_col = normalised['NOTES']
+
+        for i, row in enumerate(reader, start=2):  # start=2 because row 1 is the header
+            finding_id = row[id_col].strip()
+            note       = row[notes_col].strip()
+
+            if not finding_id:
+                print(f'  WARNING row {i}: empty ID — skipping')
+                continue
+
+            if len(note) > NOTE_MAX_LEN:
+                print(f'  WARNING row {i} ({finding_id}): note is {len(note)} chars, '
+                      f'truncating to {NOTE_MAX_LEN}')
+                note = note[:NOTE_MAX_LEN]
+
+            rows.append((finding_id, note))
+
+    return rows
+
+
+def run(args):
+    csv_path = os.path.abspath(args.csv_file)
+    db_path  = os.path.abspath(args.db)
+
+    # ------------------------------------------------------------------ checks
+    if not os.path.exists(csv_path):
+        print(f'ERROR: CSV file not found: {csv_path}')
+        sys.exit(1)
+
+    if not os.path.exists(db_path):
+        print(f'ERROR: Database not found: {db_path}')
+        sys.exit(1)
+
+    print(f'CSV : {csv_path}')
+    print(f'DB  : {db_path}')
+    if args.dry_run:
+        print('MODE: DRY RUN — no changes will be written\n')
+    else:
+        print()
+
+    # ----------------------------------------------------------------- load CSV
+    rows = load_csv(csv_path)
+    if not rows:
+        print('No valid rows found in CSV.')
+        sys.exit(0)
+
+    print(f'Loaded {len(rows)} row(s) from CSV.\n')
+
+    # ---------------------------------------------------------------- open DB
+    con = sqlite3.connect(db_path)
+    con.row_factory = sqlite3.Row
+    cur = con.cursor()
+
+    # Fetch all known finding IDs — only IDs present here will be processed
+    import json
+    cur.execute('SELECT findings_json FROM ivanti_findings_cache WHERE id = 1')
+    cache_row = cur.fetchone()
+    known_ids = set()
+    if cache_row and cache_row['findings_json']:
+        try:
+            known_ids = {str(f['id']) for f in json.loads(cache_row['findings_json'])}
+        except Exception:
+            pass
+
+    if not known_ids:
+        print('ERROR: No findings found in the database cache.')
+        print('       Run a Sync from the dashboard first, then re-run this script.')
+        con.close()
+        sys.exit(1)
+
+    print(f'{len(known_ids)} active finding(s) in cache.\n')
+
+    # ----------------------------------------------------------------- process
+    inserted = 0
+    updated  = 0
+    skipped  = 0
+
+    for finding_id, note in rows:
+        str_id = str(finding_id)
+
+        if str_id not in known_ids:
+            print(f'  SKIP    {str_id} — not in active findings (resolved or never synced)')
+            skipped += 1
+            continue
+
+        # Check if a note already exists
+        cur.execute('SELECT note FROM ivanti_finding_notes WHERE finding_id = ?', (str_id,))
+        existing = cur.fetchone()
+
+        if existing:
+            if existing['note'] == note:
+                print(f'  SKIP    {str_id} — note unchanged')
+                skipped += 1
+                continue
+            action = 'UPDATE'
+            updated += 1
+        else:
+            action = 'INSERT'
+            inserted += 1
+
+        print(f'  {action:6s}  {str_id}  →  {note[:80]}{"…" if len(note) > 80 else ""}')
+
+        if not args.dry_run:
+            cur.execute(
+                """
+                INSERT INTO ivanti_finding_notes (finding_id, note, updated_at)
+                VALUES (?, ?, datetime('now'))
+                ON CONFLICT(finding_id) DO UPDATE
+                SET note = excluded.note, updated_at = datetime('now')
+                """,
+                (str_id, note)
+            )
+
+    # ----------------------------------------------------------------- summary
+    print()
+    if args.dry_run:
+        print(f'DRY RUN complete — would insert {inserted}, update {updated}, skip {skipped}.')
+    else:
+        con.commit()
+        print(f'Done — inserted {inserted}, updated {updated}, skipped {skipped} (unchanged).')
+
+    con.close()
+
+
+if __name__ == '__main__':
+    run(parse_args())

backend/scripts/parse_compliance_xlsx.py

@@ -0,0 +1,212 @@
+#!/usr/bin/env python3
+"""
+Parse NTS_AEO compliance xlsx file and write JSON to stdout.
+Usage: python3 parse_compliance_xlsx.py <path_to_xlsx>
+
+Output:
+{
+  "items": [...],          # non-compliant asset rows
+  "summary": { ... },     # metric health data from Summary sheet
+  "report_date": "YYYY-MM-DD" | null,
+  "total": int
+}
+"""
+import sys
+import json
+import re
+import pandas as pd
+from pathlib import Path
+
+METRIC_CATEGORIES = {
+    '2.3.4i':  'Vulnerability Management',
+    '2.3.6i':  'Vulnerability Management',
+    '2.3.8i':  'Vulnerability Management',
+    '5.2.4':   'Access & MFA',
+    '5.2.5':   'Access & MFA',
+    '5.2.6':   'Access & MFA',
+    '5.3.4':   'Endpoint Protection',
+    '5.5.2':   'End-of-Life OS',
+    '5.5.4i':  'Vulnerability Management',
+    '5.5.5':   'Decommissioned Assets',
+    '5.8.1':   'Application Security',
+    '7.1.1':   'Logging & Monitoring',
+    '7.6.13':  'Disaster Recovery',
+    '7.6.16':  'Disaster Recovery',
+    'Missing_AppID': 'Asset Data Quality',
+    'Missing_DF':    'Asset Data Quality',
+    'Missing_OS':    'Asset Data Quality',
+}
+
+# Columns that go into the main item fields — everything else becomes extra_json
+CORE_COLS = {
+    'Preferred - Hostname', 'GRANITE - IPv4_Address', 'GRANITE - Type',
+    'Team', 'Compliant', 'Source_Network', 'Vertical',
+    'GRANITE - Equip_Inst_ID', 'GRANITE - RESPONSIBLE_TEAM',
+}
+
+SKIP_SHEETS = {'Summary', 'CMDB_9box'}
+
+
+def safe_str(val):
+    s = str(val).strip()
+    return '' if s == 'nan' else s
+
+
+def parse_summary(xl):
+    """Return { entries: [...], overall_scores: { customer_network, vertical } }"""
+    df_raw = pd.read_excel(xl, sheet_name='Summary', header=None)
+
+    overall_scores = {
+        'customer_network': float(df_raw.iloc[0, 4]) if pd.notna(df_raw.iloc[0, 4]) else None,
+        'vertical':         float(df_raw.iloc[1, 4]) if pd.notna(df_raw.iloc[1, 4]) else None,
+    }
+
+    df = pd.read_excel(xl, sheet_name='Summary', header=3)
+    # Flatten any newlines in column names
+    df.columns = [str(c).replace('\n', ' ').strip() for c in df.columns]
+
+    # Locate the sub-vertical/team column robustly
+    team_col = next((c for c in df.columns if 'Sub-Vertical' in c or 'Purchase Group' in c), None)
+
+    entries = []
+    for _, row in df.iterrows():
+        metric_id = safe_str(row.get('Metric', ''))
+        if not metric_id or metric_id in ('Metric',):
+            continue
+
+        team = safe_str(row.get(team_col, '')) if team_col else ''
+
+        try:
+            non_compliant  = int(row.get('Non-Compliant',       0) or 0)
+            compliant      = int(row.get('Compliant',           0) or 0)
+            total          = int(row.get('Total',               0) or 0)
+            compliance_pct = float(row.get('Current Compliance', 0) or 0)
+            target         = float(row.get('Metric Target',      0) or 0)
+        except (ValueError, TypeError):
+            continue
+
+        entries.append({
+            'metric_id':      metric_id,
+            'team':           team,
+            'priority':       safe_str(row.get('Priority / Non-Priority / IR', '')),
+            'non_compliant':  non_compliant,
+            'compliant':      compliant,
+            'total':          total,
+            'compliance_pct': compliance_pct,
+            'target':         target,
+            'status':         safe_str(row.get('Status', '')),
+            'description':    safe_str(row.get('Metric Description', '')),
+            'category':       METRIC_CATEGORIES.get(metric_id, 'Other'),
+        })
+
+    return {'entries': entries, 'overall_scores': overall_scores}
+
+
+def parse_sheet(xl, sheet_name, summary_entries):
+    """Return list of non-compliant item dicts for a detail sheet."""
+    try:
+        df = pd.read_excel(xl, sheet_name=sheet_name, header=0)
+    except Exception:
+        return []
+
+    if df.empty:
+        return []
+
+    df.columns = [str(c).strip() for c in df.columns]
+
+    # Filter to non-compliant rows when the Compliant column exists
+    if 'Compliant' in df.columns:
+        df = df[df['Compliant'] == False]
+
+    if df.empty:
+        return []
+
+    # Look up description from summary
+    metric_desc = ''
+    for e in summary_entries:
+        if e['metric_id'] == sheet_name and e['description']:
+            metric_desc = e['description']
+            break
+
+    category = METRIC_CATEGORIES.get(sheet_name, 'Other')
+
+    items = []
+    for _, row in df.iterrows():
+        hostname = safe_str(row.get('Preferred - Hostname', ''))
+        if not hostname:
+            continue
+
+        ip          = safe_str(row.get('GRANITE - IPv4_Address', ''))
+        device_type = safe_str(row.get('GRANITE - Type', ''))
+        team        = safe_str(row.get('Team', ''))
+
+        # Everything non-core goes into extra_json
+        extra = {}
+        for col in df.columns:
+            if col in CORE_COLS:
+                continue
+            val = row.get(col)
+            if pd.isna(val) if not isinstance(val, str) else False:
+                continue
+            s = safe_str(val)
+            if s:
+                extra[col] = val.isoformat() if hasattr(val, 'isoformat') else s
+
+        items.append({
+            'hostname':    hostname,
+            'ip_address':  ip,
+            'device_type': device_type,
+            'team':        team,
+            'metric_id':   sheet_name,
+            'metric_desc': metric_desc,
+            'category':    category,
+            'extra_json':  extra,
+        })
+
+    return items
+
+
+def extract_report_date(filepath):
+    """Try to pull YYYY-MM-DD from the filename, e.g. NTS_AEO_2026_03_25.xlsx"""
+    stem = Path(filepath).stem
+    m = re.search(r'(\d{4})_(\d{2})_(\d{2})', stem)
+    if m:
+        return f"{m.group(1)}-{m.group(2)}-{m.group(3)}"
+    return None
+
+
+def main():
+    if len(sys.argv) < 2:
+        print(json.dumps({'error': 'No file path provided'}))
+        sys.exit(1)
+
+    filepath = sys.argv[1]
+
+    try:
+        xl = pd.ExcelFile(filepath)
+    except Exception as e:
+        print(json.dumps({'error': f'Cannot open file: {str(e)}'}))
+        sys.exit(1)
+
+    try:
+        summary = parse_summary(xl)
+    except Exception as e:
+        summary = {'entries': [], 'overall_scores': {}, 'parse_error': str(e)}
+
+    all_items = []
+    for sheet_name in xl.sheet_names:
+        if sheet_name in SKIP_SHEETS:
+            continue
+        items = parse_sheet(xl, sheet_name, summary.get('entries', []))
+        all_items.extend(items)
+
+    print(json.dumps({
+        'items':       all_items,
+        'summary':     summary,
+        'report_date': extract_report_date(filepath),
+        'total':       len(all_items),
+    }))
+
+
+if __name__ == '__main__':
+    main()

backend/scripts/requirements.txt

@@ -0,0 +1,2 @@
+pandas>=2.0.0
+openpyxl>=3.0.0

backend/setup.js

@@ -3,6 +3,7 @@
 
 const sqlite3 = require('sqlite3').verbose();
 const bcrypt = require('bcryptjs');
+const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
 
@@ -88,6 +89,24 @@ function initializeDatabase() {
             CREATE INDEX IF NOT EXISTS idx_sessions_expires ON sessions(expires_at);
             CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
 
+            -- Audit log table for tracking user actions
+            CREATE TABLE IF NOT EXISTS audit_logs (
+                id INTEGER PRIMARY KEY AUTOINCREMENT,
+                user_id INTEGER,
+                username VARCHAR(50) NOT NULL,
+                action VARCHAR(50) NOT NULL,
+                entity_type VARCHAR(50) NOT NULL,
+                entity_id VARCHAR(100),
+                details TEXT,
+                ip_address VARCHAR(45),
+                created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+            );
+
+            CREATE INDEX IF NOT EXISTS idx_audit_user_id ON audit_logs(user_id);
+            CREATE INDEX IF NOT EXISTS idx_audit_action ON audit_logs(action);
+            CREATE INDEX IF NOT EXISTS idx_audit_entity_type ON audit_logs(entity_type);
+            CREATE INDEX IF NOT EXISTS idx_audit_created_at ON audit_logs(created_at);
+
             INSERT OR IGNORE INTO required_documents (vendor, document_type, is_mandatory, description) VALUES
             ('Microsoft', 'advisory', 1, 'Official Microsoft Security Advisory'),
             ('Microsoft', 'screenshot', 0, 'Proof of patch application'),
@@ -154,8 +173,9 @@ async function createDefaultAdmin(db) {
                 return;
             }
 
-            // Create admin user with password 'admin123'
-            const passwordHash = await bcrypt.hash('admin123', 10);
+            // Generate a random admin password on first run
+            const generatedPassword = crypto.randomBytes(12).toString('base64url');
+            const passwordHash = await bcrypt.hash(generatedPassword, 10);
 
             db.run(
                 `INSERT INTO users (username, email, password_hash, role, is_active)
@@ -165,7 +185,12 @@ async function createDefaultAdmin(db) {
                     if (err) {
                         reject(err);
                     } else {
-                        console.log('✓ Created default admin user (admin/admin123)');
+                        console.log('✓ Created default admin user');
+                        console.log(`\n  ╔══════════════════════════════════════════╗`);
+                        console.log(`  ║  Admin credentials (save these now!)     ║`);
+                        console.log(`  ║  Username: admin                         ║`);
+                        console.log(`  ║  Password: ${generatedPassword.padEnd(29)}║`);
+                        console.log(`  ╚══════════════════════════════════════════╝\n`);
                         resolve();
                     }
                 }
@@ -244,14 +269,14 @@ function displaySummary() {
     console.log('╚════════════════════════════════════════════════════════╝');
     console.log('\n📊 What was created:');
     console.log('   ✓ SQLite database (cve_database.db)');
-    console.log('   ✓ Tables: cves, documents, required_documents, users, sessions');
+    console.log('   ✓ Tables: cves, documents, required_documents, users, sessions, audit_logs');
     console.log('   ✓ Multi-vendor support with UNIQUE(cve_id, vendor)');
     console.log('   ✓ Vendor column in documents table');
     console.log('   ✓ User authentication with session-based auth');
     console.log('   ✓ Indexes for fast queries');
     console.log('   ✓ Document compliance view');
     console.log('   ✓ Uploads directory for file storage');
-    console.log('   ✓ Default admin user (admin/admin123)');
+    console.log('   ✓ Default admin user (see credentials above)');
     console.log('\n📁 File structure will be:');
     console.log('   uploads/');
     console.log('     └── CVE-XXXX-XXXX/');

docs/MOP-workflow-color-codes.md

@@ -0,0 +1,120 @@
+# MOP: Ivanti Finding Workflow Status — STEAM Security Dashboard
+
+**Document Type:** Method of Procedure
+**Applies To:** STEAM Security Dashboard — Reporting Page
+**Audience:** NTS-AEO-ACCESS-ENG / NTS-AEO-STEAM team members
+
+---
+
+## 1. Purpose
+
+This document explains how to interpret the **Workflow** column on the Reporting page and what action to take for each status. The goal is to ensure every open finding is actively managed and no False Positive (FP) exception lapses unnoticed.
+
+---
+
+## 2. Background
+
+### What the Reporting Page Shows
+The Reporting page displays **open findings only** (severity 8.5+, `generic_state = Open`). A finding disappears from this list when it is closed — which happens when a valid, approved FP exception is on file or when the vulnerability is remediated.
+
+### What the Workflow Column Shows
+The Workflow column tracks **FP# tickets only** — False Positive requests that a team member has manually submitted in Ivanti. These represent cases where the team has asserted a finding is not exploitable or applicable in our environment.
+
+> **SYS# workflows are not shown.** SYS# are auto-generated system tracking records and do not require team action.
+
+### Key Rule
+If a finding appears in the Reporting page, it requires action — regardless of whether it has an FP# badge or not.
+
+---
+
+## 3. Workflow Column Color Codes
+
+### 🔴 Red — Act Immediately
+
+| State | What It Means | Required Action |
+|---|---|---|
+| **Expired** | An FP# ticket existed but the exception window has lapsed. The finding re-opened. | Log into Ivanti and submit a **new FP request** for this finding. Reference the previous ticket if relevant. |
+| **Rejected** | The security team reviewed the FP request and denied it. The finding is considered a real, exploitable vulnerability. | **Remediate the vulnerability.** Apply the relevant patch, configuration change, or compensating control. Do not resubmit an FP without new evidence. |
+
+---
+
+### 🟡 Amber — Action Required Soon
+
+| State | What It Means | Required Action |
+|---|---|---|
+| **Reworked** | The FP request was challenged by the reviewer and sent back for revision. | Review the reviewer's comments in Ivanti. Update the FP justification and **resubmit the ticket**. |
+| **Actionable** | The FP ticket has been flagged as needing team action. | Open the ticket in Ivanti to review what is needed and respond accordingly. |
+
+---
+
+### 🔵 Blue — In Flight, Monitor
+
+| State | What It Means | Required Action |
+|---|---|---|
+| **Requested** | An FP# ticket has been submitted and is awaiting security team approval. | No immediate action. Monitor for approval or rejection. If no response within your SLA window, follow up with the approver. |
+
+---
+
+### — (No Badge) — Untriaged
+
+| State | What It Means | Required Action |
+|---|---|---|
+| **No workflow badge** | No FP ticket has ever been submitted for this finding. | Triage the finding. Determine whether to: (1) remediate it, or (2) submit a new FP request if you have justification that it is a false positive. |
+
+---
+
+## 4. Decision Flowchart
+
+```
+Finding appears in Reporting page
+│
+├── Does it have a Workflow badge?
+│   │
+│   ├── NO (—)
+│   │   └── Triage → Remediate OR submit new FP request
+│   │
+│   └── YES → Check the color:
+│       │
+│       ├── 🔵 BLUE (Requested)
+│       │   └── Wait for approval. Follow up if SLA window is approaching.
+│       │
+│       ├── 🟡 AMBER (Reworked / Actionable)
+│       │   └── Open Ivanti ticket → Review feedback → Update → Resubmit
+│       │
+│       └── 🔴 RED
+│           │
+│           ├── Expired → Submit NEW FP request in Ivanti
+│           │
+│           └── Rejected → Remediate the vulnerability
+```
+
+---
+
+## 5. How to Submit or Renew an FP Request in Ivanti
+
+1. Log into [Ivanti / RiskSense](https://platform4.risksense.com)
+2. Navigate to **Host Findings**
+3. Search for the Finding ID shown in the dashboard (Finding ID column)
+4. Select the finding → **Actions** → **Request False Positive**
+5. Complete the justification form:
+   - Describe why the finding is not exploitable in this environment
+   - Reference any compensating controls, network segmentation, or vendor guidance
+   - Attach supporting evidence if available
+6. Submit — ticket will appear as **Requested** (blue) in the dashboard once processed
+
+---
+
+## 6. Quick Reference Card
+
+| Badge Color | State | One-Line Action |
+|---|---|---|
+| 🔴 Red | Expired | Renew FP request in Ivanti |
+| 🔴 Red | Rejected | Remediate the vulnerability |
+| 🟡 Amber | Reworked | Update and resubmit FP ticket |
+| 🟡 Amber | Actionable | Review ticket in Ivanti |
+| 🔵 Blue | Requested | Monitor — no action yet |
+| — | No badge | Triage: remediate or submit FP |
+
+---
+
+*Last updated: 2026-03-11*

docs/ivanti-api-reference.md

@@ -0,0 +1,106 @@
+# Ivanti / RiskSense API Reference
+
+Base URL: `https://platform4.risksense.com/api/v1`
+Swagger: `https://platform4.risksense.com/doc/swagger.json`
+
+Auth: `x-api-key` header. Error codes: 401 bad key, 419 insufficient privileges, 429 rate limited.
+
+## Endpoints Used
+
+### Search Workflow Batches
+
+```
+POST /client/{clientId}/workflowBatch/search
+Content-Type: application/json
+```
+
+Standard JSON body with filters, projection, sort, page, size. Used by `ivantiWorkflows.js` for the daily sync.
+
+### Create False Positive Workflow
+
+```
+POST /client/{clientId}/workflowBatch/falsePositive/request
+Content-Type: multipart/form-data
+```
+
+This endpoint does NOT accept JSON. It requires `multipart/form-data` with the following fields:
+
+| Field | Type | Required | Notes |
+|-------|------|----------|-------|
+| `name` | string | yes | Workflow batch name (max 255) |
+| `reason` | string | yes | Reason for the FP determination |
+| `description` | string | yes | Description (can be empty string but field must be present) |
+| `expirationDate` | string | yes | ISO-8601 date, e.g. `2026-06-01` |
+| `overrideControl` | string | yes | `AUTHORIZED`, `NONE`, or `AUTOMATED`. Use `AUTHORIZED` for standard FP workflows. `NONE` with `isEmptyWorkflow=true` is rejected (400). |
+| `isEmptyWorkflow` | boolean | yes | `true` if no findings attached, `false` otherwise |
+| `subjectFilterRequest` | string | yes | Stringified JSON (see format below) |
+| `files` | file | no | Attachments sent inline in the same request |
+
+#### subjectFilterRequest format
+
+This is the critical field. It must be a stringified JSON object with this exact structure:
+
+```json
+{
+  "subject": "hostFinding",
+  "filterRequest": {
+    "filters": [
+      {
+        "field": "id",
+        "exclusive": false,
+        "operator": "IN",
+        "value": "2283734550,2283734551"
+      }
+    ]
+  }
+}
+```
+
+Key details:
+- `subject` must be `"hostFinding"` — without this, the API returns 500
+- `filters` is nested inside `filterRequest`, NOT at the top level — `{"filters":[]}` at the top level returns 500
+- `value` for multiple IDs is comma-separated as a single string, not an array
+- `operator` values: `EXACT`, `IN`, `LIKE`, `WILDCARD`, `RANGE`, `CIDR`
+- For empty workflows, use `{"subject":"hostFinding","filterRequest":{"filters":[]}}` with `isEmptyWorkflow=true`
+
+#### Response (200/202)
+
+```json
+{
+  "id": 33418832,
+  "created": "2026-04-08T18:16:08"
+}
+```
+
+Returns HTTP 200 or 202 (Accepted — async job creation). Response contains a numeric `id` (the workflow batch job ID) and `created` timestamp. No `generatedId` or `uuid` in this response.
+
+### Other Workflow Endpoints (from Swagger)
+
+These are available but not currently used by the dashboard:
+
+| Endpoint | Purpose |
+|----------|---------|
+| `/workflowBatch/acceptance/request` | Risk acceptance workflow |
+| `/workflowBatch/remediation/request` | Remediation workflow |
+| `/workflowBatch/severityChange/request` | Severity change workflow |
+| `/workflowBatch/{workflowType}/approve` | Approve a workflow (needs `workflowBatchUuid`) |
+| `/workflowBatch/{workflowType}/reject` | Reject a workflow |
+| `/workflowBatch/{workflowType}/rework` | Send back for rework |
+| `/workflowBatch/{workflowType}/update` | Update a workflow |
+| `/workflowBatch/{workflowType}/{workflowBatchUuid}/map` | Map findings to workflow |
+| `/workflowBatch/{workflowType}/{workflowBatchUuid}/unmap` | Unmap findings |
+| `/workflowBatch/{workflowType}/{workflowBatchUuid}/attach` | Attach file to existing workflow |
+| `/workflowBatch/{workflowType}/{workflowBatchUuid}/detach` | Detach file |
+| `/workflowBatch/model` | Get model/schema |
+| `/workflowBatch/filter` | Get available filter fields |
+| `/workflowBatch/suggest` | Get suggested values for a filter field |
+
+## Environment Variables
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `IVANTI_API_KEY` | — | Required. API key for authentication |
+| `IVANTI_CLIENT_ID` | `1550` | Client ID in the Ivanti platform |
+| `IVANTI_SKIP_TLS` | `false` | Set `true` to skip TLS verification |
+| `IVANTI_FIRST_NAME` | — | Used for workflow search filter (sync) |
+| `IVANTI_LAST_NAME` | — | Used for workflow search filter (sync) |

docs/python-venv-setup.md

@@ -0,0 +1,73 @@
+# Python Dependencies — Compliance xlsx Parsing
+
+`parse_compliance_xlsx.py` requires `pandas` and `openpyxl`. This doc
+explains how each server has (or should have) these installed.
+
+---
+
+## Dev server — how it works
+
+Pandas and openpyxl are installed as **system apt packages**, not via pip
+or a venv. This is why there is no venv on dev and no `--break-system-packages`
+gymnastics. They were installed at some point via:
+
+```bash
+apt install python3-pandas python3-openpyxl
+```
+
+You can verify with:
+
+```bash
+python3 -c "import pandas; print(pandas.__file__)"
+# /usr/lib/python3/dist-packages/pandas/__init__.py  ← apt-managed
+```
+
+---
+
+## Production server — how to fix it
+
+Production was missing pandas entirely. The fix mirrors what dev has:
+
+```bash
+apt-get update --fix-missing
+apt install -y python3-pandas python3-openpyxl
+```
+
+No venv, no pip, no `PYTHON_BIN` env var needed. After installing, restart
+the backend and the compliance xlsx upload will work.
+
+---
+
+## If apt packages are unavailable (fallback)
+
+If you're on a system where apt doesn't have pandas (unlikely on Ubuntu
+22.04/24.04), or you want isolation, use a venv:
+
+```bash
+apt install -y python3-venv python3-full
+python3 -m venv /home/cve-dashboard/venv
+/home/cve-dashboard/venv/bin/pip install -r /home/cve-dashboard/backend/scripts/requirements.txt
+```
+
+Then set `PYTHON_BIN` in the Node backend's environment:
+
+```bash
+export PYTHON_BIN=/home/cve-dashboard/venv/bin/python3
+```
+
+The backend reads `process.env.PYTHON_BIN` and falls back to `python3` if
+not set, so this only needs to be done if you're using a venv.
+
+---
+
+## Why pip3 may fail on modern Ubuntu/Debian
+
+PEP 668 (enforced in Ubuntu 23.04+) blocks `pip3 install` system-wide to
+prevent breaking apt-managed packages. The error looks like:
+
+```
+error: externally-managed-environment
+```
+
+Using `apt install python3-pandas` is the correct solution — pip is not
+needed when the distro packages the library directly.

docs/security-audit-2026-04-01.md

@@ -0,0 +1,617 @@
+# Security Audit Report — STEAM Security Dashboard
+
+**Date:** 2026-04-01
+**Scope:** Full codebase — backend routes, authentication, file handling, Python scripts, React frontend
+**Methodology:** Static analysis across four parallel audit tracks
+
+---
+
+## Executive Summary
+
+The audit identified **31 findings** across four severity levels. The most serious issues are concentrated in the **authentication and authorization layer** — several endpoints are either completely unauthenticated or have role-checking middleware called with the wrong arguments, silently bypassing access control. These require immediate remediation before the application is exposed to a broader user base.
+
+| Severity | Count |
+|----------|-------|
+| Critical | 6 |
+| High | 9 |
+| Medium | 10 |
+| Low / Info | 6 |
+| **Total** | **31** |
+
+The application has strong foundational security in several areas: all database queries use parameterized statements (no SQL injection risk), path traversal prevention is comprehensive, Python script execution uses `spawn` with argument arrays (no shell injection), and file type allowlisting is in place. The vulnerabilities are largely in middleware wiring and missing access controls rather than fundamental design flaws.
+
+---
+
+## Critical Findings
+
+---
+
+### C-1 — Missing Authentication on Ivanti Findings Endpoints
+
+**File:** `backend/routes/ivantiFindings.js:552–600`
+
+The findings router imports `requireRole` but **not** `requireAuth`. No authentication middleware is applied at the router level or on individual routes. Four endpoints are fully unauthenticated:
+
+```js
+const { requireRole } = require('../middleware/auth');  // requireAuth never imported
+
+router.get('/', async (req, res) => {          // line 552 — no auth
+router.post('/sync', async (req, res) => {     // line 561 — no auth
+router.get('/counts', async (req, res) => {    // line 571 — no auth
+router.get('/fp-workflow-counts', ...)         // line 580 — no auth
+```
+
+**Impact:** Any unauthenticated attacker on the network can read the full list of Ivanti host findings (hostnames, IPs, CVEs, severity, SLA status), trigger a sync operation, and enumerate all finding metrics.
+
+**Fix:** Import `requireAuth` and apply it to the router or each route:
+```js
+const { requireAuth, requireRole } = require('../middleware/auth');
+router.use(requireAuth(db));
+```
+
+---
+
+### C-2 — Broken requireRole Call — Privilege Escalation in Knowledge Base
+
+**File:** `backend/routes/knowledgeBase.js:43, 305`
+
+`requireRole` is called with `db` as the first argument:
+
+```js
+router.post('/upload', requireAuth(db), requireRole(db, 'editor', 'admin'), ...)
+router.delete('/:id', requireAuth(db), requireRole(db, 'editor', 'admin'), ...)
+```
+
+The function signature is `function requireRole(...allowedRoles)`. It does not accept `db`. The database object is treated as the first "allowed role", so the check becomes `req.user.role === db` — an object comparison that always evaluates false, meaning **the check never blocks anyone**. Any authenticated viewer can upload and delete knowledge base documents.
+
+**Fix:** Remove `db` from all `requireRole` calls:
+```js
+requireRole('editor', 'admin')
+```
+
+---
+
+### C-3 — Unauthenticated Ivanti Finding Note Writes
+
+**File:** `backend/routes/ivantiFindings.js:639`
+
+The PUT endpoint for saving finding notes has no authentication middleware:
+
+```js
+router.put('/:findingId/note', (req, res) => {
+    const note = String(req.body.note || '').slice(0, 255);
+    db.run(`INSERT INTO ivanti_finding_notes ...`);
+});
+```
+
+**Impact:** Any unauthenticated request can write notes to any finding. Notes are visible to all users and used during remediation triage. An attacker could inject false status information (e.g. "EXC-12345 — patched") to mislead the team or cover tracks.
+
+**Fix:** Add `requireAuth(db)` to this route.
+
+---
+
+### C-4 — No Brute Force Protection on Login Endpoint
+
+**File:** `backend/routes/auth.js:10`
+
+The login endpoint has no rate limiting, attempt counting, or lockout:
+
+```js
+router.post('/login', async (req, res) => {
+    const { username, password } = req.body;
+    // Direct DB lookup, unlimited attempts
+```
+
+**Impact:** An attacker can run unlimited password guesses against any account at full network speed. With the default credentials documented in the README and displayed in the UI (see F-2), admin accounts are a trivial target.
+
+**Fix:** Apply `express-rate-limit` to the login route:
+```js
+const rateLimit = require('express-rate-limit');
+const loginLimiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 20 });
+router.post('/login', loginLimiter, async (req, res) => { ... });
+```
+
+---
+
+### C-5 — Default Credentials Displayed in Login UI
+
+**File:** `frontend/src/components/LoginForm.js:104`
+
+The login form renders hardcoded credentials in plain text:
+
+```jsx
+<p className="text-sm text-gray-500 text-center font-mono">
+    Default: <span className="text-intel-accent">admin</span> /
+             <span className="text-intel-accent">admin123</span>
+</p>
+```
+
+**Impact:** Anyone who opens the login page — including unauthenticated users — sees the default admin credentials. Combined with C-4 (no rate limiting), this is a direct path to admin compromise if the password has not been changed.
+
+**Fix:** Remove this block entirely. Document default credentials only in the deployment guide. Enforce password change on first login server-side.
+
+---
+
+### C-6 — Missing Sandbox Attribute on Knowledge Base PDF Iframe
+
+**File:** `frontend/src/components/KnowledgeBaseViewer.js:195`
+
+The inline document viewer renders uploaded files in an unsandboxed iframe:
+
+```jsx
+<iframe
+    src={`${API_BASE}/knowledge-base/${article.id}/content`}
+    title={article.title}
+    className="w-full h-full rounded"
+>
+```
+
+**Impact:** A malicious PDF or HTML file uploaded by an editor could execute JavaScript within the application's origin, accessing `localStorage`, `sessionStorage`, and DOM of the parent page. An attacker with editor access could upload a file that steals session data from any user who views it.
+
+**Fix:** Add a restrictive `sandbox` attribute:
+```jsx
+<iframe
+    sandbox="allow-same-origin allow-scripts"
+    src={...}
+    title={article.title}
+/>
+```
+
+---
+
+## High Findings
+
+---
+
+### H-1 — /cleanup-sessions Missing Role Check
+
+**File:** `backend/routes/auth.js:223`
+
+The comment says "admin only" but the endpoint only checks for any valid session:
+
+```js
+router.post('/cleanup-sessions', async (req, res) => {
+    const sessionId = req.cookies?.session_id;
+    if (!sessionId) return res.status(401).json({ error: '...' });
+    // No role check
+```
+
+**Fix:** Apply `requireAuth(db)` and `requireRole('admin')`.
+
+---
+
+### H-2 — Hardcoded Fallback SESSION_SECRET
+
+**File:** `backend/server.js:31`
+
+```js
+const SESSION_SECRET = process.env.SESSION_SECRET || 'default-secret-change-me';
+```
+
+If the `.env` file is missing or the variable is unset, all sessions are signed with a publicly known string. An attacker who knows the secret can forge valid session cookies.
+
+**Fix:** Fail hard on startup if the secret is not set:
+```js
+const SESSION_SECRET = process.env.SESSION_SECRET;
+if (!SESSION_SECRET) throw new Error('SESSION_SECRET environment variable must be set');
+```
+
+---
+
+### H-3 — Audit Log Parameter Mismatch — Silent Audit Trail Gaps
+
+**Files:** `backend/routes/archerTickets.js:89–95, 172, 206` and `backend/routes/knowledgeBase.js:235–244, 287–296`
+
+The `logAudit` helper expects an object with `entityType` and `entityId`. These callers use the wrong keys (`targetType`, `targetId`) or pass positional arguments instead of an object:
+
+```js
+// archerTickets.js — wrong keys
+logAudit(db, { ..., targetType: 'archer_ticket', targetId: this.lastID, ... });
+
+// knowledgeBase.js — positional (wrong pattern)
+logAudit(db, req.user.id, req.user.username, 'VIEW_KB_ARTICLE', 'knowledge_base', id, ...);
+```
+
+**Impact:** All Archer ticket and Knowledge Base operations produce audit log rows with `NULL` entity type and entity ID. Security investigations and compliance reviews will show these actions occurred but not what was affected.
+
+**Fix:** Align all callers to the object format expected by `auditLog.js`:
+```js
+logAudit(db, { userId, username, action, entityType, entityId, details, ipAddress });
+```
+
+---
+
+### H-4 — Viewers Can Write Compliance Notes
+
+**Files:** `backend/routes/compliance.js:522` (also flagged by file-upload audit)
+
+The POST /notes endpoint is protected by authentication but not by role:
+
+```js
+router.post('/notes', async (req, res) => {   // no requireRole()
+```
+
+**Impact:** Any viewer can add notes to any compliance item. Notes surface in the detail panel and influence remediation decisions. False notes cannot be deleted via the API.
+
+**Fix:** `requireRole('editor', 'admin')` on this route.
+
+---
+
+### H-5 — Sync Endpoints Accessible to All Authenticated Users
+
+**Files:** `backend/routes/ivantiFindings.js:561`, `backend/routes/ivantiWorkflows.js:262`
+
+POST /sync on both routers requires only authentication, not editor/admin role. Any viewer can trigger expensive Ivanti API calls repeatedly.
+
+**Impact:** Viewer-role users can cause repeated large API fetches, potentially hitting Ivanti rate limits and blocking legitimate syncs for the team.
+
+**Fix:** Add `requireRole('editor', 'admin')` to both POST /sync routes.
+
+---
+
+### H-6 — HTTP Header Injection via Unsanitized Filename in Content-Disposition
+
+**File:** `backend/routes/knowledgeBase.js:258, 299`
+
+The original uploaded filename (user-controlled) is written directly into the `Content-Disposition` response header:
+
+```js
+res.setHeader('Content-Disposition', `inline; filename="${row.file_name}"`);
+res.setHeader('Content-Disposition', `attachment; filename="${row.file_name}"`);
+```
+
+`row.file_name` stores `uploadedFile.originalname` which is not sanitized for use in HTTP headers. A filename containing `"\r\n` characters can split the response and inject arbitrary headers.
+
+**Fix:**
+```js
+const safeFilename = row.file_name.replace(/["\r\n\\]/g, '');
+res.setHeader('Content-Disposition', `attachment; filename="${safeFilename}"`);
+```
+
+---
+
+### H-7 — Race Condition in Knowledge Base File Upload
+
+**File:** `backend/routes/knowledgeBase.js:91–155`
+
+The file is moved to its permanent location (line 93) before the database record is created (line 114). If the DB insert fails, the file is orphaned on disk. Two concurrent uploads with the same slug can also bypass the uniqueness check due to the async gap between the slug check query and the insert.
+
+**Fix:** Keep the file in the temp directory until the DB insert succeeds, then move it:
+```js
+db.run(insertSql, [...], function(err) {
+    if (err) { fs.unlinkSync(uploadedFile.path); return res.status(500)...; }
+    fs.renameSync(uploadedFile.path, filePath);
+    res.json({ success: true });
+});
+```
+
+---
+
+### H-8 — Hardcoded Default Admin Password in setup.js
+
+**File:** `backend/setup.js:175`
+
+```js
+const passwordHash = await bcrypt.hash('admin123', 10);
+```
+
+If `setup.js` is re-run on an existing deployment (e.g. during a restore), the admin password resets to a known value. The password is also documented in the README and displayed in the login UI (C-5).
+
+**Fix:** Generate a random password on first run and print it once to stdout, or require it as a CLI argument. Never hardcode credentials in source.
+
+---
+
+### H-9 — ReactMarkdown Renders HTML Without Sanitization
+
+**File:** `frontend/src/components/KnowledgeBaseViewer.js:169–171`
+
+```jsx
+<ReactMarkdown>{content}</ReactMarkdown>
+```
+
+`ReactMarkdown` by default allows raw HTML in markdown (via `rehype-raw`). A knowledge base article containing `<img src=x onerror="...">` or `<script>` tags would execute JavaScript in the viewer's browser.
+
+**Fix:** Add `rehype-sanitize`:
+```jsx
+import rehypeSanitize from 'rehype-sanitize';
+<ReactMarkdown rehypePlugins={[rehypeSanitize]}>{content}</ReactMarkdown>
+```
+
+---
+
+## Medium Findings
+
+---
+
+### M-1 — No CSRF Token Protection on State-Changing Requests
+
+**Files:** All POST / PUT / DELETE routes
+
+Cookies are `SameSite: lax` which provides partial protection, but `lax` still allows top-level cross-site navigations to carry cookies. No CSRF token is validated server-side. Combined with the permissive CORS configuration, cross-site request forgery is possible against editors and admins.
+
+**Fix:** Either upgrade session cookie to `SameSite: strict`, or implement a CSRF token (double-submit cookie pattern or `csurf` middleware).
+
+---
+
+### M-2 — CORS Allows Credentials with Explicit Origin List
+
+**File:** `backend/server.js:111–114`
+
+```js
+app.use(cors({ origin: CORS_ORIGINS, credentials: true }));
+```
+
+`credentials: true` with explicit origins means any subdomain compromise or DNS hijacking of a listed origin could allow cross-origin authenticated requests. This is the correct pattern for this use case, but worth hardening.
+
+**Fix:** Ensure `CORS_ORIGINS` is reviewed whenever the deployment changes. Consider `SameSite: strict` on cookies to reduce reliance on CORS for CSRF protection.
+
+---
+
+### M-3 — No Rate Limiting on NVD API Proxy
+
+**File:** `backend/routes/nvdLookup.js:13`
+
+Any authenticated user can trigger NVD API calls in rapid succession. NVD enforces a 5 req/30s unauthenticated limit, which can be exhausted by a single user making 5 lookups.
+
+**Fix:** Add a server-side 1-hour cache keyed by CVE ID to avoid repeated external lookups, plus a per-user rate limit.
+
+---
+
+### M-4 — Admin Self-Demotion Check Uses Loose Equality
+
+**File:** `backend/routes/users.js:118`
+
+```js
+if (userId == req.user.id && role && role !== 'admin') {
+```
+
+Using `==` allows type coercion. If `userId` is passed as a different type than `req.user.id`, the comparison may not match correctly.
+
+**Fix:** `String(userId) === String(req.user.id)`.
+
+---
+
+### M-5 — Missing Hostname Format Validation
+
+**File:** `backend/routes/compliance.js:451`
+
+The hostname route parameter is used in SQL queries and responses. Only length is checked (>300). No format validation rejects characters outside a valid hostname range.
+
+**Fix:**
+```js
+if (!/^[a-zA-Z0-9._-]+$/.test(hostname)) {
+    return res.status(400).json({ error: 'Invalid hostname format' });
+}
+```
+
+---
+
+### M-6 — Vendor Field Validated Before Trim
+
+**File:** `backend/routes/ivantiTodoQueue.js:8, 56`
+
+Vendor length is validated before `.trim()` is called. A string of 200 spaces passes validation but becomes an empty string after trimming, which then passes without a vendor value for FP/Archer items that require one.
+
+**Fix:** Trim first, then validate length and presence.
+
+---
+
+### M-7 — Unsanitized Original Filename Stored in Compliance Temp JSON
+
+**File:** `backend/routes/compliance.js:262`
+
+```js
+filename: req.file.originalname,   // user-controlled, unsanitized
+```
+
+The original filename is stored in the temp JSON and later echoed back to the frontend. Special characters could cause log injection or unexpected display issues.
+
+**Fix:** `filename: sanitizePathSegment(req.file.originalname)`.
+
+---
+
+### M-8 — Hardcoded Frontend Origin in CSP Header
+
+**File:** `backend/routes/knowledgeBase.js:261`
+
+```js
+res.setHeader('Content-Security-Policy',
+    "frame-ancestors 'self' http://71.85.90.9:3000 http://localhost:3000");
+```
+
+IP address is hardcoded. If the deployment IP changes, the CSP header will block inline document viewing without an obvious error and require a code change.
+
+**Fix:** Use `CORS_ORIGINS` from the environment variable.
+
+---
+
+### M-9 — Sensitive API Error Messages Forwarded to UI
+
+**Files:** `frontend/src/App.js:801, 816, 847, 886`
+
+```js
+} catch (err) {
+    alert(`Error: ${err.message}`);
+}
+```
+
+Raw API error messages are displayed in browser alerts. If the backend leaks stack traces or query information in error responses, this information reaches the user directly.
+
+**Fix:** Show generic user-facing messages; log details to the console in development only.
+
+---
+
+### M-10 — User-Supplied Data in window.confirm Dialogs
+
+**File:** `frontend/src/App.js:806, 891`
+
+```js
+if (!window.confirm(`Delete ticket ${ticket.ticket_key}?`)) return;
+```
+
+A ticket with a crafted `ticket_key` value (e.g. containing newlines or misleading text) could produce a deceptive confirmation dialog used to social-engineer users.
+
+**Fix:** Use a React modal component with escaped, controlled text instead of `window.confirm`.
+
+---
+
+## Low / Info Findings
+
+---
+
+### L-1 — Silent ROLLBACK on Compliance Transaction Failure
+
+**File:** `backend/routes/compliance.js:167`
+
+```js
+await dbRun(db, 'ROLLBACK').catch(() => {});
+```
+
+If the rollback itself fails, the error is swallowed entirely. A failed rollback leaves an open transaction that can cause subsequent operations to block.
+
+**Fix:** Log rollback failures even if execution continues.
+
+---
+
+### L-2 — Fire-and-Forget Audit Logging
+
+**File:** `backend/helpers/auditLog.js:9`
+
+Audit log writes fail silently. If the database is under load or unavailable, audit records are dropped with no alert.
+
+**Fix:** Log audit write failures to stderr so they surface in server logs.
+
+---
+
+### L-3 — Async Temp File Cleanup With No Error Handling
+
+**File:** `backend/routes/compliance.js:239, 247, 266, 281, 322`
+
+```js
+fs.unlink(req.file.path, () => {});
+```
+
+Cleanup failures accumulate silently, potentially causing disk exhaustion over time.
+
+**Fix:** Log errors on unlink failure (excluding ENOENT which is expected).
+
+---
+
+### L-4 — IVANTI_SKIP_TLS Disables Certificate Validation
+
+**File:** `backend/routes/ivantiFindings.js:385`
+
+`IVANTI_SKIP_TLS=true` disables TLS verification for all Ivanti API calls, enabling man-in-the-middle attacks against the sync. It is controlled purely by environment variable with no warning.
+
+**Fix:** Log a prominent warning on startup when this flag is active, and ensure it is never set in production.
+
+---
+
+### L-5 — console.error in Production Frontend Code
+
+**Files:** `frontend/src/contexts/AuthContext.js:26`, `KnowledgeBaseViewer.js:31, 56`
+
+Full error objects are logged to the browser console in production builds. In a monitored environment, these could expose internal details to anyone with DevTools open.
+
+**Fix:** Guard with `if (process.env.NODE_ENV === 'development')` or use a structured logging library.
+
+---
+
+### L-6 — localStorage Column Config Lacks Structural Validation
+
+**File:** `frontend/src/components/pages/ReportingPage.js:51–68`
+
+Column order/visibility is loaded from `localStorage` and merged with defaults. If the stored data is tampered with (via XSS or DevTools), the parsed structure is used with only partial validation.
+
+**Fix:** Validate each loaded item against the known `COLUMN_DEFS` whitelist before use (a `hasOwnProperty` check is already present; ensure it runs on every item before the merge).
+
+---
+
+## Summary Table
+
+| ID | Severity | Title | File |
+|----|----------|-------|------|
+| C-1 | Critical | Missing auth on Ivanti findings endpoints | ivantiFindings.js:552 |
+| C-2 | Critical | requireRole(db) call bypasses role check in KB routes | knowledgeBase.js:43,305 |
+| C-3 | Critical | Unauthenticated finding note writes | ivantiFindings.js:639 |
+| C-4 | Critical | No brute force protection on login | auth.js:10 |
+| C-5 | Critical | Default credentials displayed in login UI | LoginForm.js:104 |
+| C-6 | Critical | Missing sandbox on PDF/document iframe | KnowledgeBaseViewer.js:195 |
+| H-1 | High | /cleanup-sessions missing role check | auth.js:223 |
+| H-2 | High | Hardcoded fallback SESSION_SECRET | server.js:31 |
+| H-3 | High | Audit log parameter mismatch — silent trail gaps | archerTickets.js, knowledgeBase.js |
+| H-4 | High | Viewers can write compliance notes | compliance.js:522 |
+| H-5 | High | Sync endpoints accessible to all authenticated users | ivantiFindings.js:561, ivantiWorkflows.js:262 |
+| H-6 | High | HTTP header injection via Content-Disposition filename | knowledgeBase.js:258,299 |
+| H-7 | High | Race condition in KB file upload | knowledgeBase.js:91 |
+| H-8 | High | Hardcoded default admin password in setup.js | setup.js:175 |
+| H-9 | High | ReactMarkdown renders HTML without sanitization | KnowledgeBaseViewer.js:169 |
+| M-1 | Medium | No CSRF token protection | All state-changing routes |
+| M-2 | Medium | CORS credentials with explicit origin list | server.js:111 |
+| M-3 | Medium | No rate limiting on NVD API proxy | nvdLookup.js:13 |
+| M-4 | Medium | Admin self-demotion check uses loose equality | users.js:118 |
+| M-5 | Medium | Missing hostname format validation | compliance.js:451 |
+| M-6 | Medium | Vendor field validated before trim | ivantiTodoQueue.js:8,56 |
+| M-7 | Medium | Unsanitized original filename in temp JSON | compliance.js:262 |
+| M-8 | Medium | Hardcoded frontend IP in CSP header | knowledgeBase.js:261 |
+| M-9 | Medium | API error messages forwarded to UI | App.js:801,816,847,886 |
+| M-10 | Medium | User data in window.confirm dialogs | App.js:806,891 |
+| L-1 | Low | Silent ROLLBACK on transaction failure | compliance.js:167 |
+| L-2 | Low | Fire-and-forget audit logging | auditLog.js:9 |
+| L-3 | Low | Async temp file cleanup with no error handling | compliance.js:239+ |
+| L-4 | Low | IVANTI_SKIP_TLS with no startup warning | ivantiFindings.js:385 |
+| L-5 | Low | console.error exposed in production frontend | AuthContext.js, KnowledgeBaseViewer.js |
+| L-6 | Low | localStorage column config lacks structural validation | ReportingPage.js:51 |
+
+---
+
+## Remediation Priority
+
+### Immediate — fix before adding users
+
+1. **C-1** — Add `requireAuth` import and router-level middleware to `ivantiFindings.js`
+2. **C-2** — Remove `db` from all `requireRole(db, ...)` calls in `knowledgeBase.js`
+3. **C-3** — Add `requireAuth(db)` to the finding note PUT route
+4. **C-4** — Add `express-rate-limit` to the login route (20 attempts / 15 min)
+5. **C-5** — Remove default credentials from `LoginForm.js`
+6. **H-2** — Hard-fail on startup if `SESSION_SECRET` is not set in env
+
+### Short-term — next maintenance window
+
+7. **C-6** — Add `sandbox` attribute to the KB iframe
+8. **H-3** — Fix `logAudit` call signatures in `archerTickets.js` and `knowledgeBase.js`
+9. **H-4** — Add `requireRole('editor', 'admin')` to POST /compliance/notes
+10. **H-5** — Add `requireRole('editor', 'admin')` to both POST /sync routes
+11. **H-6** — Sanitize filename for `Content-Disposition` header
+12. **H-7** — Move file after DB insert succeeds in KB upload
+13. **H-8** — Remove hardcoded password from `setup.js`; generate random on first run
+14. **H-9** — Add `rehype-sanitize` to `ReactMarkdown` usage
+
+### Medium-term
+
+15. **M-1** — Implement CSRF token or upgrade cookie to `SameSite: strict`
+16. **M-3** — Add server-side CVE lookup cache
+17. **M-5** — Add hostname format regex validation
+18. **M-8** — Pull frontend origin from `CORS_ORIGINS` env var for CSP header
+19. **M-9** — Replace `alert(err.message)` with user-friendly error messages
+20. Remaining medium and low findings
+
+---
+
+## Positive Security Observations
+
+The following were explicitly verified as secure and should be preserved:
+
+- **SQL injection prevention** — all queries use SQLite3 parameterized statements throughout
+- **Path traversal prevention** — `sanitizePathSegment()` and `isPathWithinUploads()` are comprehensive and consistently applied
+- **Python script execution** — `spawn('python3', [SCRIPT, filePath])` passes arguments as an array, not a shell string — no command injection possible
+- **Python scripts** — no `eval()`, `exec()`, `pickle.load()`, or shell calls in any script
+- **File size enforcement** — 10 MB limit applied via multer before route handlers execute
+- **File type allowlisting** — extension + MIME prefix validation applied at upload
+- **Static file serving** — `express.static` with `{ dotfiles: 'deny', index: false }` prevents directory listing
+- **Temp file path validation** — `isSafeTempPath()` enforces `.json` extension on compliance temp files
+- **Password hashing** — bcrypt with cost factor 10 used throughout
+
+---
+
+*Audit scope: static analysis only. Dynamic testing (active exploitation, fuzzing, dependency CVE scan) not performed.*

docs/security-posture-workflow-diagrams.md

@@ -0,0 +1,183 @@
+# Security Posture Workflow — Diagrams
+
+Mermaid diagrams for the Host Finding Review & Remediation process.
+Renders natively in GitHub, GitLab, and most modern documentation tools.
+
+---
+
+## Diagram 1 — Host Finding Review Workflow (Steps 1–5)
+
+```mermaid
+flowchart TD
+    START([Open Vulnerability Triage Page]) --> SYNC
+
+    SYNC["① Sync & Sort<br/>Click Sync · Sort Due Date ascending"]
+    SYNC --> DUE{Overdue<br/>findings?}
+    DUE -->|Yes — start here| HOST
+    DUE -->|No — start with amber| HOST
+
+    HOST["② Identify the Host<br/>Verify IP in IPControl / Infoblox"]
+    HOST --> CORRECT{Hostname<br/>correct?}
+    CORRECT -->|No| EDIT["Inline-edit Host / DNS cell<br/>Amber dot marks the override"]
+    EDIT --> OWN
+    CORRECT -->|Yes| OWN
+
+    OWN["③ Identify Asset Ownership<br/>Check BU column"]
+    OWN --> BU{Our BU?}
+    BU -->|"NTS-AEO-STEAM<br/>or ACCESS-ENG"| CVE
+    BU -->|"Other BU<br/>or blank"| CARD["Add to CARD Queue<br/>☑ checkbox → CARD → Add to Queue"]
+    CARD --> CARD2([Process in dedicated CARD session])
+
+    CVE["④ Review CVEs in the Finding<br/>Up to 2 shown · hover +N badge for more"]
+    CVE --> DBCHECK{CVE in<br/>database?}
+    DBCHECK -->|No| ADDCVE["Create CVE entry on Home page<br/>NVD auto-fill populates details"]
+    ADDCVE --> RESEARCH
+    DBCHECK -->|Yes — review existing notes/docs| RESEARCH
+
+    RESEARCH["Research CVE<br/>Vendor advisory · Cisco Bug Search<br/>Juniper PSN · Support ticket"]
+    RESEARCH --> ACTION
+
+    ACTION["⑤ Determine Required Action"]
+    ACTION --> PATH{What does<br/>research show?}
+
+    PATH -->|"Patch available<br/>FW / SW update"| PA
+    PATH -->|"Fix is config<br/>change only"| PB
+    PATH -->|"Not applicable<br/>to platform / version"| PC
+    PATH -->|"Cannot patch<br/>vendor / EOL / business"| PD
+
+    PA["PATH A — Remediation<br/>Firmware or Software Upgrade"]
+    PA --> PA1["Plan & schedule upgrade<br/>Add note to finding row"]
+    PA1 --> PA2(["Finding drops off after<br/>next Ivanti scan ✓"])
+
+    PB["PATH B — Remediation<br/>Configuration Change"]
+    PB --> PB1["☑ checkbox → Vendor → Archer<br/>Add to Queue"]
+    PB1 --> PB2["Open Archer EXC ticket<br/>in dedicated session"]
+    PB2 --> PB3(["Enter EXC-XXXXX<br/>in finding Notes cell ✓"])
+
+    PC["PATH C — False Positive"]
+    PC --> PC1["Take device screenshot<br/>Hostname · IP · SW version"]
+    PC1 --> PC2["Obtain vendor documentation<br/>advisory / email / support ticket"]
+    PC2 --> PC3["Upload evidence to CVE database<br/>Home page → CVE row → Upload"]
+    PC3 --> PC4["☑ checkbox → Vendor → FP<br/>Add to Queue"]
+    PC4 --> PC5(["Submit FP workflow in Ivanti<br/>in dedicated session ✓"])
+
+    PD["PATH D — Risk Acceptance"]
+    PD --> PD1["Take device screenshot<br/>Collect version info"]
+    PD1 --> PD2{Vendor comms<br/>needed?}
+    PD2 -->|Yes| PD3["Open vendor support ticket<br/>Request patch timeline / mitigations"]
+    PD3 --> PD4
+    PD2 -->|No| PD4["☑ checkbox → Vendor → Archer<br/>Add to Queue"]
+    PD4 --> PD5["Open Archer EXC ticket<br/>in dedicated session"]
+    PD5 --> PD6(["Enter EXC-XXXXX<br/>in finding Notes cell ✓"])
+
+    %% Styling
+    classDef step    fill:#1e3a5f,stroke:#0ea5e9,stroke-width:2px,color:#e2e8f0
+    classDef decision fill:#1a2e1a,stroke:#10b981,stroke-width:2px,color:#e2e8f0
+    classDef pathA   fill:#14391f,stroke:#10b981,stroke-width:1.5px,color:#e2e8f0
+    classDef pathB   fill:#2d1f14,stroke:#f59e0b,stroke-width:1.5px,color:#e2e8f0
+    classDef pathC   fill:#2d1414,stroke:#ef4444,stroke-width:1.5px,color:#e2e8f0
+    classDef pathD   fill:#1a1430,stroke:#8b5cf6,stroke-width:1.5px,color:#e2e8f0
+    classDef card    fill:#1a2e1a,stroke:#10b981,stroke-width:1.5px,color:#e2e8f0
+    classDef done    fill:#0f172a,stroke:#475569,stroke-width:1.5px,color:#64748b
+
+    class SYNC,HOST,OWN,CVE,RESEARCH,ACTION step
+    class DUE,CORRECT,BU,DBCHECK,PATH decision
+    class PA,PA1,PA2 pathA
+    class PB,PB1,PB2,PB3 pathB
+    class PC,PC1,PC2,PC3,PC4,PC5 pathC
+    class PD,PD1,PD2,PD3,PD4,PD5,PD6 pathD
+    class CARD,CARD2 card
+    class EDIT done
+```
+
+---
+
+## Diagram 2 — FP Workflow Badge Status Decision Tree
+
+What to do when a finding already has a workflow badge in the Vulnerability Triage page.
+
+```mermaid
+flowchart LR
+    A([Finding in<br/>Vulnerability Triage]) --> B{"Check<br/>Workflow column"}
+
+    B -->|No badge| C["UNTRIAGED<br/>No action on record"]
+    C --> C1(["Follow the<br/>Step 1–5 triage workflow ↑"])
+
+    B -->|"🔵 Blue<br/>Requested"| D["IN FLIGHT<br/>FP submitted · awaiting approval"]
+    D --> D1{"SLA window<br/>approaching?"}
+    D1 -->|No| D2(["Monitor — no action yet ✓"])
+    D1 -->|Yes| D3(["Follow up with<br/>the approver"])
+
+    B -->|"🟡 Amber<br/>Reworked"| E["NEEDS REVISION<br/>Reviewer returned the ticket"]
+    E --> E1["Open ticket in Ivanti<br/>Review feedback"]
+    E1 --> E2(["Update justification<br/>and resubmit"])
+
+    B -->|"🟡 Amber<br/>Actionable"| F["NEEDS RESPONSE<br/>Ticket flagged for team action"]
+    F --> F1(["Open ticket in Ivanti<br/>Respond to the request"])
+
+    B -->|"🔴 Red<br/>Expired"| G["EXCEPTION LAPSED<br/>Finding has re-opened"]
+    G --> G1(["Submit a new FP request<br/>in Ivanti<br/>Reference previous ticket"])
+
+    B -->|"🔴 Red<br/>Rejected"| H["CONFIRMED VULNERABILITY<br/>Security team denied the FP"]
+    H --> H1(["Remediate the vulnerability<br/>Do not resubmit FP<br/>without new evidence"])
+
+    %% Styling
+    classDef trigger  fill:#0f172a,stroke:#0ea5e9,stroke-width:2px,color:#e2e8f0
+    classDef blue     fill:#1e3a5f,stroke:#0ea5e9,stroke-width:1.5px,color:#e2e8f0
+    classDef amber    fill:#2d2014,stroke:#f59e0b,stroke-width:1.5px,color:#e2e8f0
+    classDef red      fill:#2d1414,stroke:#ef4444,stroke-width:1.5px,color:#e2e8f0
+    classDef none     fill:#1a1a2e,stroke:#475569,stroke-width:1.5px,color:#94a3b8
+    classDef done     fill:#0f172a,stroke:#334155,stroke-width:1px,color:#64748b
+
+    class A,B trigger
+    class D,D1,D2,D3 blue
+    class E,E1,E2,F,F1 amber
+    class G,G1,H,H1 red
+    class C,C1 none
+    class D2,D3,E2,F1,G1,H1 done
+```
+
+---
+
+## Diagram 3 — Action Decision Matrix (Quick Reference)
+
+Condensed view of the five research outcomes and their required actions.
+
+```mermaid
+flowchart LR
+    START(["Research complete<br/>Step 4 done"]) --> Q{"What is the<br/>remediation path?"}
+
+    Q --> R1["Firmware or<br/>Software update available"]
+    R1 --> A1(["No ticket needed<br/>Schedule upgrade<br/>Add note to finding"])
+
+    Q --> R2["Fix is a<br/>configuration change"]
+    R2 --> A2(["Archer EXC ticket required<br/>Stage as Archer in Queue"])
+
+    Q --> R3["Not applicable<br/>to this platform / version"]
+    R3 --> A3(["FP workflow in Ivanti<br/>Evidence in CVE database"])
+
+    Q --> R4["Patch not yet<br/>available from vendor"]
+    R4 --> A4(["Archer EXC ticket<br/>Renew when patch ships"])
+
+    Q --> R5["Device is EOL / EOS<br/>or business constraint"]
+    R5 --> A5(["Archer ticket with<br/>mitigation steps +<br/>remediation plan"])
+
+    Q --> R6["Asset not owned<br/>by our BU"]
+    R6 --> A6(["CARD queue<br/>CARD disposition process"])
+
+    classDef q      fill:#1e3a5f,stroke:#0ea5e9,stroke-width:2px,color:#e2e8f0
+    classDef green  fill:#14391f,stroke:#10b981,stroke-width:1.5px,color:#e2e8f0
+    classDef amber  fill:#2d2014,stroke:#f59e0b,stroke-width:1.5px,color:#e2e8f0
+    classDef red    fill:#2d1414,stroke:#ef4444,stroke-width:1.5px,color:#e2e8f0
+    classDef teal   fill:#0f2d2d,stroke:#14b8a6,stroke-width:1.5px,color:#e2e8f0
+
+    class START,Q q
+    class R1,A1 green
+    class R2,A2,R4,A4,R5,A5 amber
+    class R3,A3 red
+    class R6,A6 teal
+```
+
+---
+
+*Source document: `docs/security-posture-workflow.md`*

docs/security-posture-workflow-lucidchart.md

@@ -0,0 +1,175 @@
+# Lucidchart Import — Raw Mermaid Code
+
+Lucidchart expects raw Mermaid syntax only — no markdown headings or prose.
+Paste each diagram separately: Insert → Diagram as Code → Mermaid → paste → Generate.
+
+---
+
+## DIAGRAM 1 — Host Finding Review Workflow
+
+Paste everything between the triple-backtick fences below:
+
+```
+flowchart TD
+    START([Open Reporting Page]) --> SYNC
+
+    SYNC["① Sync & Sort<br/>Click Sync · Sort Due Date ascending"]
+    SYNC --> DUE{Overdue<br/>findings?}
+    DUE -->|Yes — start here| HOST
+    DUE -->|No — start with amber| HOST
+
+    HOST["② Identify the Host<br/>Verify IP in IPControl / Infoblox"]
+    HOST --> CORRECT{Hostname<br/>correct?}
+    CORRECT -->|No| EDIT["Inline-edit Host / DNS cell<br/>Amber dot marks the override"]
+    EDIT --> OWN
+    CORRECT -->|Yes| OWN
+
+    OWN["③ Identify Asset Ownership<br/>Check BU column"]
+    OWN --> BU{Our BU?}
+    BU -->|"NTS-AEO-STEAM or ACCESS-ENG"| CVE
+    BU -->|"Other BU or blank"| CARD["Add to CARD Queue<br/>checkbox → CARD → Add to Queue"]
+    CARD --> CARD2([Process in dedicated CARD session])
+
+    CVE["④ Review CVEs in the Finding<br/>Up to 2 shown · hover badge for more"]
+    CVE --> DBCHECK{CVE in<br/>database?}
+    DBCHECK -->|No| ADDCVE["Create CVE entry on Home page<br/>NVD auto-fill populates details"]
+    ADDCVE --> RESEARCH
+    DBCHECK -->|Yes — review existing notes/docs| RESEARCH
+
+    RESEARCH["Research CVE<br/>Vendor advisory · Cisco Bug Search<br/>Juniper PSN · Support ticket"]
+    RESEARCH --> ACTION
+
+    ACTION["⑤ Determine Required Action"]
+    ACTION --> PATH{What does<br/>research show?}
+
+    PATH -->|"Patch available — FW / SW update"| PA
+    PATH -->|"Fix is config change only"| PB
+    PATH -->|"Not applicable to platform / version"| PC
+    PATH -->|"Cannot patch — vendor / EOL / business"| PD
+
+    PA["PATH A — Remediation<br/>Firmware or Software Upgrade"]
+    PA --> PA1["Plan & schedule upgrade<br/>Add note to finding row"]
+    PA1 --> PA2(["Finding drops off after<br/>next Ivanti scan ✓"])
+
+    PB["PATH B — Remediation<br/>Configuration Change"]
+    PB --> PB1["checkbox → Vendor → Archer<br/>Add to Queue"]
+    PB1 --> PB2["Open Archer EXC ticket<br/>in dedicated session"]
+    PB2 --> PB3(["Enter EXC-XXXXX<br/>in finding Notes cell ✓"])
+
+    PC["PATH C — False Positive"]
+    PC --> PC1["Take device screenshot<br/>Hostname · IP · SW version"]
+    PC1 --> PC2["Obtain vendor documentation<br/>advisory / email / support ticket"]
+    PC2 --> PC3["Upload evidence to CVE database<br/>Home page → CVE row → Upload"]
+    PC3 --> PC4["checkbox → Vendor → FP<br/>Add to Queue"]
+    PC4 --> PC5(["Submit FP workflow in Ivanti<br/>in dedicated session ✓"])
+
+    PD["PATH D — Risk Acceptance"]
+    PD --> PD1["Take device screenshot<br/>Collect version info"]
+    PD1 --> PD2{Vendor comms<br/>needed?}
+    PD2 -->|Yes| PD3["Open vendor support ticket<br/>Request patch timeline / mitigations"]
+    PD3 --> PD4
+    PD2 -->|No| PD4["checkbox → Vendor → Archer<br/>Add to Queue"]
+    PD4 --> PD5["Open Archer EXC ticket<br/>in dedicated session"]
+    PD5 --> PD6(["Enter EXC-XXXXX<br/>in finding Notes cell ✓"])
+
+    classDef step     fill:#1e3a5f,stroke:#0ea5e9,stroke-width:2px,color:#e2e8f0
+    classDef decision fill:#1a2e1a,stroke:#10b981,stroke-width:2px,color:#e2e8f0
+    classDef pathA    fill:#14391f,stroke:#10b981,stroke-width:1.5px,color:#e2e8f0
+    classDef pathB    fill:#2d1f14,stroke:#f59e0b,stroke-width:1.5px,color:#e2e8f0
+    classDef pathC    fill:#2d1414,stroke:#ef4444,stroke-width:1.5px,color:#e2e8f0
+    classDef pathD    fill:#1a1430,stroke:#8b5cf6,stroke-width:1.5px,color:#e2e8f0
+    classDef card     fill:#1a2e1a,stroke:#10b981,stroke-width:1.5px,color:#e2e8f0
+    classDef done     fill:#0f172a,stroke:#475569,stroke-width:1.5px,color:#64748b
+
+    class SYNC,HOST,OWN,CVE,RESEARCH,ACTION step
+    class DUE,CORRECT,BU,DBCHECK,PATH decision
+    class PA,PA1,PA2 pathA
+    class PB,PB1,PB2,PB3 pathB
+    class PC,PC1,PC2,PC3,PC4,PC5 pathC
+    class PD,PD1,PD2,PD3,PD4,PD5,PD6 pathD
+    class CARD,CARD2 card
+    class EDIT done
+```
+
+---
+
+## DIAGRAM 2 — FP Workflow Badge Status Decision Tree
+
+```
+flowchart LR
+    A([Finding in Reporting Page]) --> B{"Check Workflow column"}
+
+    B -->|No badge| C["UNTRIAGED<br/>No action on record"]
+    C --> C1(["Follow the Step 1-5 triage workflow"])
+
+    B -->|Blue - Requested| D["IN FLIGHT<br/>FP submitted · awaiting approval"]
+    D --> D1{"SLA window<br/>approaching?"}
+    D1 -->|No| D2(["Monitor — no action yet"])
+    D1 -->|Yes| D3(["Follow up with the approver"])
+
+    B -->|Amber - Reworked| E["NEEDS REVISION<br/>Reviewer returned the ticket"]
+    E --> E1["Open ticket in Ivanti<br/>Review feedback"]
+    E1 --> E2(["Update justification and resubmit"])
+
+    B -->|Amber - Actionable| F["NEEDS RESPONSE<br/>Ticket flagged for team action"]
+    F --> F1(["Open ticket in Ivanti<br/>Respond to the request"])
+
+    B -->|Red - Expired| G["EXCEPTION LAPSED<br/>Finding has re-opened"]
+    G --> G1(["Submit a new FP request in Ivanti<br/>Reference previous ticket"])
+
+    B -->|Red - Rejected| H["CONFIRMED VULNERABILITY<br/>Security team denied the FP"]
+    H --> H1(["Remediate the vulnerability<br/>Do not resubmit FP without new evidence"])
+
+    classDef trigger fill:#0f172a,stroke:#0ea5e9,stroke-width:2px,color:#e2e8f0
+    classDef blue    fill:#1e3a5f,stroke:#0ea5e9,stroke-width:1.5px,color:#e2e8f0
+    classDef amber   fill:#2d2014,stroke:#f59e0b,stroke-width:1.5px,color:#e2e8f0
+    classDef red     fill:#2d1414,stroke:#ef4444,stroke-width:1.5px,color:#e2e8f0
+    classDef none    fill:#1a1a2e,stroke:#475569,stroke-width:1.5px,color:#94a3b8
+    classDef done    fill:#0f172a,stroke:#334155,stroke-width:1px,color:#64748b
+
+    class A,B trigger
+    class D,D1,D2,D3 blue
+    class E,E1,E2,F,F1 amber
+    class G,G1,H,H1 red
+    class C,C1 none
+    class D2,D3,E2,F1,G1,H1 done
+```
+
+---
+
+## DIAGRAM 3 — Action Decision Matrix
+
+```
+flowchart LR
+    START(["Research complete — Step 4 done"]) --> Q{"What is the<br/>remediation path?"}
+
+    Q --> R1["Firmware or software update available"]
+    R1 --> A1(["No ticket needed<br/>Schedule upgrade · Add note to finding"])
+
+    Q --> R2["Fix is a configuration change only"]
+    R2 --> A2(["Archer EXC ticket required<br/>Stage as Archer in Queue"])
+
+    Q --> R3["Not applicable to this platform / version"]
+    R3 --> A3(["FP workflow in Ivanti<br/>Evidence in CVE database"])
+
+    Q --> R4["Patch not yet available from vendor"]
+    R4 --> A4(["Archer EXC ticket<br/>Renew when patch ships"])
+
+    Q --> R5["Device is EOL / EOS or business constraint"]
+    R5 --> A5(["Archer ticket with mitigation steps<br/>and remediation plan"])
+
+    Q --> R6["Asset not owned by our BU"]
+    R6 --> A6(["CARD queue — CARD disposition process"])
+
+    classDef q     fill:#1e3a5f,stroke:#0ea5e9,stroke-width:2px,color:#e2e8f0
+    classDef green fill:#14391f,stroke:#10b981,stroke-width:1.5px,color:#e2e8f0
+    classDef amber fill:#2d2014,stroke:#f59e0b,stroke-width:1.5px,color:#e2e8f0
+    classDef red   fill:#2d1414,stroke:#ef4444,stroke-width:1.5px,color:#e2e8f0
+    classDef teal  fill:#0f2d2d,stroke:#14b8a6,stroke-width:1.5px,color:#e2e8f0
+
+    class START,Q q
+    class R1,A1 green
+    class R2,A2,R4,A4,R5,A5 amber
+    class R3,A3 red
+    class R6,A6 teal
+```

docs/security-posture-workflow.md

@@ -0,0 +1,402 @@
+# Security Posture Workflow — Host Finding Review & Remediation
+
+**Document Type:** Process Guide
+**Applies To:** STEAM Security Dashboard — All Pages
+**Audience:** NTS-AEO-STEAM / NTS-AEO-ACCESS-ENG team members
+**Last Updated:** 2026-03-27
+
+---
+
+## Table of Contents
+
+1. [Overview](#1-overview)
+2. [Dashboard Orientation](#2-dashboard-orientation)
+3. [Vulnerability Designations](#3-vulnerability-designations)
+4. [The Host Finding Review Workflow](#4-the-host-finding-review-workflow)
+   - [Step 1 — Sync and Sort by Due Date](#step-1--sync-and-sort-by-due-date)
+   - [Step 2 — Identify the Host](#step-2--identify-the-host)
+   - [Step 3 — Identify Asset Ownership](#step-3--identify-asset-ownership)
+   - [Step 4 — Review the CVEs in the Finding](#step-4--review-the-cves-in-the-finding)
+   - [Step 5 — Determine and Execute the Required Action](#step-5--determine-and-execute-the-required-action)
+5. [Using the Ivanti Queue](#5-using-the-ivanti-queue)
+6. [Workflow Status Reference](#6-workflow-status-reference)
+7. [Quick Reference Card](#7-quick-reference-card)
+
+---
+
+## 1. Overview
+
+The STEAM Security Dashboard centralises vulnerability management for the NTS-AEO-STEAM and NTS-AEO-ACCESS-ENG business units. It pulls host findings directly from Ivanti/RiskSense and gives the team a single place to triage, track, and action every open vulnerability.
+
+**Scope:** This document covers severity findings in the **8.5 – 9.9 VRR range**. All findings in this range require some form of documented action. A finding that is not actioned before its Due Date results in the device being recorded as non-compliant.
+
+> **SLA Rule:** By default, all vulnerabilities must have an action taken or in-flight within **60 days of detection**. The Due Date column on the Reporting page shows the exact deadline. Metrics and compliance reporting are based on vulnerabilities aged under 60 days.
+
+---
+
+## 2. Dashboard Orientation
+
+### Pages
+
+| Page | Purpose |
+|------|---------|
+| **Home (CVE Management)** | Track and research individual CVEs across vendors. Store supporting documentation. Log Archer EXC ticket numbers against CVE/vendor pairs. |
+| **Reporting (Host Findings)** | The primary operational page. Live view of all open Ivanti findings with filtering, sorting, inline editing, the Ivanti Queue, and export. |
+| **Knowledge Base** | Internal document library — policies, runbooks, vendor advisories. |
+| **Exports** | Bulk export tools for reports and data extracts. |
+
+### Reporting Page — At a Glance
+
+When you open the Reporting page for the first time in a session, click **Sync** (top right) to pull the latest findings from Ivanti. The page shows:
+
+- **Four metric charts** at the top — Open vs Closed, Action Coverage, FP Finding Status, FP Workflow Status
+- **Findings table** below — every open finding for the configured BUs, one row per host finding
+- **Ivanti Queue panel** (click the Queue button, top right) — your personal staging list for batch-processing FP and Archer workflows
+
+The charts and table update together. Clicking a chart segment filters the table to that subset.
+
+---
+
+## 3. Vulnerability Designations
+
+Every finding in the 8.5–9.9 range requires one of three documented actions. Understanding these upfront makes triage faster.
+
+### 3.1 Remediation
+
+The vulnerability is addressed by fixing the root cause.
+
+| Remediation Method | Archer Ticket Required? | Notes |
+|---|---|---|
+| Firmware or software update | **No** | Upgrading removes the vulnerability entirely. The finding will fall off the report on the next scan. |
+| Configuration change | **Yes** | A config change does not remove the vulnerability — if the config is ever rolled back, the vulnerability returns. An Archer Risk Acceptance ticket is required to document this. |
+
+### 3.2 False Positive (FP)
+
+A false positive occurs when the scanner detects a vulnerability that is **not actually present** or **does not apply** to the platform or software version in use.
+
+**An FP workflow must be opened in Ivanti.** The workflow requires:
+
+1. A **screenshot** taken directly from the device showing:
+   - Hostname
+   - IP address
+   - Software / firmware version
+   > **Important:** This must be a screenshot. CLI text output or copy-pasted command output is not accepted.
+
+2. **Vendor documentation** confirming the vulnerability does not affect the platform — one of:
+   - Direct vendor communication (email, support ticket)
+   - Published security advisory stating the version or platform is not affected
+   - Proof that the vulnerability does not apply to the currently installed version
+
+Supporting files (screenshots, emails, advisories) should be saved into the CVE Database (Home page → upload documents against the relevant CVE/vendor pair) for future reference and re-use if the FP expires and needs to be renewed.
+
+### 3.3 Risk Acceptance / Archer Request
+
+An Archer Risk Acceptance ticket (EXC-XXXXX) is required when a vulnerability **cannot be patched** for a documented business or technical reason. Common scenarios:
+
+| Scenario | Required Action |
+|---|---|
+| Patch not yet available (waiting on vendor) | Open Archer ticket; close it when patch is deployed |
+| Device is End-of-Sale (EOS) or End-of-Life (EOL) | Archer ticket required with mitigation steps and a remediation plan |
+| Business constraint prevents patching | Archer ticket with justification and compensating controls |
+| Configuration-change-only remediation | Archer ticket required (see Remediation above) |
+
+For EOL/EOS devices the ticket must include:
+- Current mitigation steps (network segmentation, compensating controls)
+- A remediation plan — what will replace or retire the device and when
+
+If vendor communication is needed (patch timeline, configuration guidance), open a vendor support ticket and use the vendor's response to fill out the Archer remediation plan field.
+
+> Archer EXC numbers are tracked in the dashboard. Once entered on the Home page against the relevant CVE/vendor pair, the EXC badge appears on that CVE row. Clicking the badge navigates to the Reporting page pre-filtered to findings with that EXC number in their notes.
+
+---
+
+## 4. The Host Finding Review Workflow
+
+Work through the Reporting page top-to-bottom by Due Date. The goal of each session is to ensure every finding either has an action in-flight or gets one started.
+
+---
+
+### Step 1 — Sync and Sort by Due Date
+
+1. Navigate to the **Reporting** page.
+2. Click **Sync** (top right). Wait for the sync to complete — the timestamp updates when done.
+3. Click the **Due Date** column header to sort ascending (soonest due date first).
+   - Red due dates = overdue
+   - Amber due dates = due within 30 days
+   - Start with red, then amber
+
+> If you want to focus on findings with no action yet, click the **Pending** segment on the Action Coverage donut chart. The table will filter to only findings with no FP ticket and no EXC number in notes.
+
+---
+
+### Step 2 — Identify the Host
+
+Each finding row includes a **Host** (hostname), **IP Address**, and **DNS** column.
+
+1. Use the reported **IP address** to verify the hostname in:
+   - **IPControl** (read-only, historical IPAM data)
+   - **Infoblox** (current IPAM — preferred for current state)
+
+2. If the hostname shown in the dashboard is incorrect (Ivanti sometimes reports stale data):
+   - Click the **Host** cell in the finding row — it is inline editable.
+   - Type the correct hostname and press **Enter** or click away to save.
+   - An amber dot (●) will appear on the cell to indicate an override is in place. The original Ivanti value is preserved and can be restored using the revert button (↻).
+   - The same applies to the **DNS** column.
+
+> Overrides survive Ivanti re-syncs — your corrections are not overwritten when new data is pulled.
+
+---
+
+### Step 3 — Identify Asset Ownership
+
+Check the **BU** column to determine ownership.
+
+| BU Value | Ownership | Action |
+|---|---|---|
+| `NTS-AEO-STEAM` | Our team | Continue to Step 4 |
+| `NTS-AEO-ACCESS-ENG` | Our team | Continue to Step 4 |
+| Any other value, or blank | Not our asset | Add to CARD queue (see below) |
+
+**If the asset is not owned by our BU:**
+
+1. Check the checkbox at the left of the finding row.
+2. A popover will appear. The **CARD** workflow type should already be selected.
+   - No vendor entry is required for CARD — the IP address is captured automatically for use when searching in CARD.
+3. Click **Add to Queue**.
+4. The finding is now staged in your Ivanti Queue under the **CARD** section.
+
+CARD queue items are processed in a separate session — see the [Ivanti Queue](#5-using-the-ivanti-queue) section and the dedicated CARD process documentation.
+
+---
+
+### Step 4 — Review the CVEs in the Finding
+
+Each finding has one or more CVEs listed in the **CVEs** column (up to 2 shown; hover the "+N" badge to see the rest).
+
+For each CVE in the finding:
+
+1. **Check if the CVE already exists in the database.**
+   - Navigate to the **Home** page.
+   - Search for the CVE ID in the search bar.
+   - If an entry exists for this CVE and vendor, review what's already documented — there may be existing notes, documents, or an Archer ticket already linked.
+
+2. **If no entry exists, create one:**
+   - Click **Add CVE** on the Home page.
+   - Enter the CVE ID — the NVD auto-fill will populate the description, CVSS severity, and published date automatically.
+   - Select the correct vendor/platform.
+   - Save the entry.
+
+3. **Research the CVE** to determine the required action:
+   - Check the vendor's security advisory portal (e.g., Juniper Security Advisories, Cisco Security Advisories / Bug Search Tool)
+   - Determine whether the CVE: (a) is a False Positive for this platform/version, (b) can be Remediated, or (c) requires a Risk Acceptance
+
+---
+
+### Step 5 — Determine and Execute the Required Action
+
+Based on your research in Step 4, choose the path below.
+
+---
+
+#### Path A — Remediation (Firmware or Software Update)
+
+> No Archer ticket required if the fix is a firmware or software upgrade.
+
+1. Plan and schedule the upgrade with the relevant team.
+2. No dashboard action is required beyond ensuring a note is added to the finding (click the **Notes** cell) confirming the upgrade is planned or complete.
+3. After the device is upgraded, the finding will fall off the Reporting page on the next Ivanti scan if the vulnerability is no longer detected.
+
+---
+
+#### Path B — Remediation (Configuration Change)
+
+> An Archer Risk Acceptance ticket **is required** when the fix is a configuration change.
+
+1. Check the checkbox at the left of the finding row.
+2. In the popover, enter the **Vendor / Platform** (e.g., Juniper, Cisco, ADTRAN).
+3. Select **Archer** as the workflow type.
+4. Click **Add to Queue**.
+5. Process the Archer ticket in a dedicated session — see [Ivanti Queue](#5-using-the-ivanti-queue) and the Archer process documentation.
+
+---
+
+#### Path C — False Positive
+
+1. **Collect the required evidence:**
+   - Log into the device and **take a screenshot** showing the hostname, IP address, and software/firmware version.
+   - Obtain vendor documentation confirming the CVE does not affect this platform or version (security advisory, vendor email, etc.).
+
+2. **Save supporting files to the database:**
+   - Go to the Home page and find (or create) the CVE entry for this vendor.
+   - Upload the screenshot as type `screenshot` and the vendor communication as type `advisory` or `email`.
+   - This ensures the evidence is accessible when the FP expires and needs to be renewed.
+
+3. **Stage the finding in the queue:**
+   - Check the checkbox at the left of the finding row on the Reporting page.
+   - Enter the **Vendor / Platform**.
+   - Select **FP** as the workflow type.
+   - Click **Add to Queue**.
+
+4. **Open the False Positive workflow in Ivanti:**
+   - Process queued FP items in a dedicated session.
+   - See the dedicated FP workflow documentation for the full Ivanti submission steps.
+
+---
+
+#### Path D — Risk Acceptance (Archer Ticket)
+
+1. **Collect information** as you would for a False Positive (device screenshot, version info).
+2. If vendor communication is required (patch timeline, EOL statement, recommended mitigations):
+   - Open a vendor support ticket requesting remediation steps, configuration guidance, or a patch commitment date.
+   - Use the vendor's response to fill out the Archer remediation plan.
+3. **Stage the finding in the queue:**
+   - Check the checkbox on the finding row.
+   - Enter the **Vendor / Platform**.
+   - Select **Archer** as the workflow type.
+   - Click **Add to Queue**.
+4. **Open the Archer Risk Acceptance ticket:**
+   - Process queued Archer items in a dedicated session.
+   - See the dedicated Archer process documentation for the full submission steps.
+5. Once the EXC number is assigned, enter it in the finding's **Notes** cell on the Reporting page (format: `EXC-XXXXX`). The dashboard will recognise the pattern and include it in the Action Coverage chart under "Archer Exception".
+
+---
+
+## 5. Using the Ivanti Queue
+
+The Ivanti Queue is a personal staging list built into the Reporting page. Rather than interrupting your review to context-switch into Ivanti, you tag findings as you go and then batch-process all the Ivanti work in one focused session.
+
+### Adding Items to the Queue
+
+1. On the Reporting page, check the **checkbox at the far left** of any finding row.
+2. A popover appears anchored to the row.
+3. For **FP** and **Archer** items: enter the **Vendor / Platform** (free text — e.g., "Juniper MX", "Cisco IOS-XE").
+4. Select the **workflow type**:
+   - **FP** — False Positive request to be submitted in Ivanti
+   - **Archer** — Archer Risk Acceptance ticket to be opened
+   - **CARD** — Asset not owned by our BU; IP address is captured automatically
+5. Click **Add to Queue**. The row checkbox turns solid blue to indicate it is queued.
+
+### Opening the Queue Panel
+
+Click the **Queue** button in the top-right of the Reporting page. A slide-out panel opens from the right showing all your queued items.
+
+- **CARD** items appear at the top of the panel in their own green section, with the IP address displayed for easy CARD search.
+- **FP and Archer** items are grouped alphabetically by vendor/platform below.
+- Each item shows: Finding ID, CVEs (or IP for CARD), and the workflow type badge (amber = FP, sky = Archer, green = CARD).
+
+### Working the Queue
+
+**Marking items complete:**
+Once you have submitted the FP or Archer ticket in Ivanti (or actioned the CARD item), check the item's green checkbox to mark it complete. Completed items are shown with a strikethrough at reduced opacity.
+
+**Deleting items:**
+- Click the trash icon on an individual item to remove it.
+- To remove multiple items at once: check the small red selection checkbox on the left of each item you want to remove, then click **Delete (N)** in the footer.
+
+**Clearing completed items:**
+Click **Clear Completed** in the footer to remove all marked-complete items at once.
+
+> Queue items are stored in the database and are **personal to your login** — they persist across sessions and page refreshes. Other team members see only their own queue.
+
+---
+
+## 6. Workflow Status Reference
+
+The **Workflow** column on the Reporting page tracks FP# tickets — False Positive requests submitted in Ivanti. The badge shows the ticket ID and its current state, colour-coded by urgency.
+
+> SYS# workflows are auto-generated system tracking records. They are not displayed and do not require team action.
+
+### Status Colour Codes
+
+#### 🔴 Red — Act Immediately
+
+| State | Meaning | Required Action |
+|---|---|---|
+| **Expired** | An FP# ticket existed but the exception window has lapsed. The finding has re-opened. | Log into Ivanti and submit a **new FP request** for this finding. Reference the previous ticket if relevant. |
+| **Rejected** | The security team reviewed the FP and denied it. The finding is a confirmed, exploitable vulnerability. | **Remediate the vulnerability.** Apply the relevant patch, configuration change, or compensating control. Do not resubmit an FP without new evidence. |
+
+#### 🟡 Amber — Action Required Soon
+
+| State | Meaning | Required Action |
+|---|---|---|
+| **Reworked** | The FP request was challenged by the reviewer and returned for revision. | Open the ticket in Ivanti, review the feedback, update the justification, and **resubmit**. |
+| **Actionable** | The FP ticket has been flagged as needing team action. | Open the ticket in Ivanti and respond to what is required. |
+
+#### 🔵 Blue — In Flight, Monitor
+
+| State | Meaning | Required Action |
+|---|---|---|
+| **Requested** | An FP# ticket has been submitted and is awaiting security team approval. | No immediate action. Monitor for approval or rejection. If the SLA window is approaching with no response, follow up with the approver. |
+
+#### — (No Badge) — Untriaged
+
+| State | Meaning | Required Action |
+|---|---|---|
+| **No workflow badge** | No FP ticket has ever been submitted for this finding. | Triage the finding using the workflow in Section 4. Determine whether to remediate, submit an FP, or open an Archer ticket. |
+
+### Decision Flowchart
+
+```
+Finding appears in Reporting page
+│
+├── Check the Workflow column
+│
+├── No badge (—)
+│   └── Triage → follow Section 4 workflow
+│
+└── Has a badge → check the colour:
+    │
+    ├── 🔵 BLUE (Requested)
+    │   └── Monitor. Follow up if SLA window is approaching.
+    │
+    ├── 🟡 AMBER (Reworked / Actionable)
+    │   └── Open Ivanti ticket → review feedback → update → resubmit
+    │
+    └── 🔴 RED
+        │
+        ├── Expired → Submit a new FP request in Ivanti
+        │
+        └── Rejected → Remediate the vulnerability
+```
+
+---
+
+## 7. Quick Reference Card
+
+### Action Decision Matrix
+
+| Research Outcome | Config Change? | Action Required |
+|---|---|---|
+| Can be patched (firmware/software) | N/A | Upgrade device — no ticket needed |
+| Can be patched (configuration change only) | Yes | Archer Risk Acceptance ticket (EXC-XXXXX) |
+| False Positive — not applicable to platform/version | N/A | FP workflow in Ivanti + evidence in CVE database |
+| Cannot be patched — patch pending from vendor | N/A | Archer Risk Acceptance ticket (renew when patched) |
+| Cannot be patched — EOL/EOS device | N/A | Archer ticket with mitigation steps + remediation plan |
+| Asset not owned by our BU | N/A | CARD queue → CARD asset disposition process |
+
+### Workflow Badge Quick Reference
+
+| Badge | State | One-Line Action |
+|---|---|---|
+| 🔴 Red | Expired | Renew FP request in Ivanti |
+| 🔴 Red | Rejected | Remediate the vulnerability |
+| 🟡 Amber | Reworked | Update and resubmit FP ticket |
+| 🟡 Amber | Actionable | Review ticket in Ivanti and respond |
+| 🔵 Blue | Requested | Monitor — no action yet |
+| — | No badge | Triage: follow Section 4 |
+
+### Dashboard Shortcut Reference
+
+| Task | How |
+|---|---|
+| See only untriaged findings | Click **Pending** segment on Action Coverage chart |
+| See findings due this week | Click a date on the Home page calendar widget |
+| See all findings for a specific Archer ticket | Click the EXC badge on the Home page CVE row |
+| Correct a wrong hostname | Click the Host cell inline on the Reporting page |
+| Save a screenshot or advisory to a CVE | Home page → CVE row → Upload document |
+| Stage findings for a batch FP/Archer session | Use the Ivanti Queue (checkbox column on Reporting page) |
+| Filter to a specific vendor or SLA status | Click the filter icon (⊙) on the relevant column header |
+
+---
+
+*Related documentation: FP Workflow Submission (Ivanti) · Archer Risk Acceptance Process · CARD Asset Disposition Process · MOP: Workflow Status Colour Codes*

docs/team-training-agenda.md

@@ -0,0 +1,158 @@
+# STEAM Security Dashboard — Team Training Agenda
+
+**Session length:** 30–40 minutes
+**Format:** Live walkthrough (share your screen on the dashboard)
+**Reference docs:** `security-posture-workflow.md` for full detail on anything covered here
+
+---
+
+## Pre-meeting prep
+
+- Have the dashboard open and logged in before the meeting starts
+- Sync Vulnerability Triage page so data is fresh when you get there
+- Print or share `security-posture-workflow.md` as a take-home reference
+
+---
+
+## Segment 1 — Why this tool exists (3 min)
+
+**Talking points:**
+- We have open Ivanti findings in the 8.5–9.9 VRR range — these are the ones we own and are accountable for
+- Every finding needs a documented action within **60 days of detection** (the SLA rule)
+- Findings that age past their Due Date make a device non-compliant in AEO posture reporting
+- This dashboard is how we track, triage, and prove we've actioned everything — replaces manual spreadsheet tracking
+
+---
+
+## Segment 2 — Dashboard orientation (4 min)
+
+**Show on screen:** Navigate through each page in the nav drawer
+
+- **Home (CVE Management)** — our CVE research library; this is where we store screenshots, advisories, and Archer EXC numbers against each CVE/vendor pair
+- **Vulnerability Triage (Host Findings)** — the daily operational page; this is where you spend most of your time
+- **Compliance** — AEO posture data uploaded from the NTS_AEO xlsx; shows metric health per team
+- **Knowledge Base** — internal docs, runbooks, advisories
+- **Exports** — bulk data extracts when needed
+
+> Tell the team: *"The Vulnerability Triage page is what we'll focus on today — that's where the workflow lives."*
+
+---
+
+## Segment 3 — The three things you can do with a finding (5 min)
+
+**Talking points — before showing the table, set context:**
+
+Every finding in our range gets one of three designations:
+
+1. **Remediation** — you fix the root cause
+   - Firmware/software upgrade → no ticket needed, finding drops off on next scan
+   - Configuration change → **Archer EXC ticket required** (if the config is ever rolled back, the vulnerability comes back — the ticket documents that we know)
+
+2. **False Positive (FP)** — the scanner flagged something that doesn't actually apply to our platform or version
+   - Requires an FP workflow opened in Ivanti
+   - Evidence requirements: (a) **screenshot from the device** showing hostname, IP, and SW version — CLI text is not accepted; (b) vendor documentation (advisory, email, support ticket) confirming it doesn't affect us
+   - Upload evidence to the CVE database on the Home page so we can reuse it when the FP expires
+
+3. **Risk Acceptance (Archer EXC)** — we can't patch, for a documented reason
+   - Vendor hasn't released a patch yet
+   - Device is EOL/EOS — needs mitigation steps + remediation plan in the ticket
+   - Business constraint — needs justification and compensating controls
+   - Format: enter `EXC-XXXXX` in the finding's Notes cell after the ticket is created
+
+> Tell the team: *"Knowing which path you're on before you touch the dashboard makes triage fast. The workflow is just deciding which of these three it is."*
+
+---
+
+## Segment 4 — The 5-step workflow on the Vulnerability Triage page (15 min)
+
+**Show on screen:** Vulnerability Triage page, live walkthrough on a real finding
+
+### Step 1 — Sync and sort (1 min)
+- Click **Sync** top-right, wait for timestamp to update
+- Click **Due Date** column to sort ascending — reds first, then ambers
+- Red = overdue, Amber = due within 30 days — work these first
+
+### Step 2 — Identify the host (3 min)
+- Use the **IP address** in the row to verify the hostname in Infoblox (preferred) or IPControl
+- If Ivanti has a stale hostname: click the **Host cell** directly in the table — it's inline editable
+- An amber dot appears on overridden cells; original value is preserved and can be restored
+- Show the revert button (↻) so they know corrections aren't permanent unless they want them to be
+
+### Step 3 — Check who owns the asset (2 min)
+- Look at the **BU column**
+- If it's `NTS-AEO-STEAM` or `NTS-AEO-ACCESS-ENG` → our team, continue
+- Anything else (or blank) → not ours → **CARD queue**
+  - Check the row checkbox, select CARD, click Add to Queue
+  - IP address is captured automatically for the CARD search
+  - Process CARD items in a separate session
+
+### Step 4 — Look up the CVEs (4 min)
+- Each row shows up to 2 CVEs; hover the **+N badge** to see more
+- Go to Home page, search for the CVE ID
+  - If it exists → review existing notes, docs, and any EXC numbers already linked
+  - If not → click **Add CVE**, enter the CVE ID, NVD auto-fill populates the rest
+- Research: vendor advisory portal (Juniper PSN, Cisco Bug Search) — determine if it's an FP, can be patched, or needs an Archer ticket
+
+### Step 5 — Take action (5 min)
+- **Patch available (firmware/SW)** — plan the upgrade, add a note to the finding row, done
+- **Config change only** — checkbox → Vendor → select **Archer** → Add to Queue → process in Ivanti later
+- **False Positive** — collect screenshot + vendor doc, upload to Home page CVE entry, then checkbox → Vendor → select **FP** → Add to Queue → submit FP in Ivanti in a separate session
+- **Can't patch (Archer)** — same as config change path; once EXC number is issued, paste it into the finding's **Notes cell** (`EXC-XXXXX` format)
+
+---
+
+## Segment 5 — The Ivanti Queue (5 min)
+
+**Show on screen:** Click the Queue button, show the panel
+
+- **Purpose:** tag findings as you triage, then batch all the Ivanti / Archer work in one focused session instead of context-switching constantly
+- Three types: **FP** (amber), **Archer** (sky blue), **CARD** (green)
+- CARD items show the IP address so you can search directly in CARD
+- Check the green checkbox on an item when the Ivanti/Archer action is done
+- Multi-select delete: check the small red boxes, click **Delete (N)** in the footer
+- Queue is **personal to your login** — each person has their own; it persists across sessions
+
+---
+
+## Segment 6 — Workflow badge colours (3 min)
+
+**Show on screen:** Workflow column on the Vulnerability Triage table
+
+Quick rule: **red = act now, amber = act soon, blue = monitor, no badge = needs triage**
+
+| Badge | What it means | What to do |
+|---|---|---|
+| Red — Expired | FP ticket lapsed, finding re-opened | Submit a new FP in Ivanti |
+| Red — Rejected | Security team denied the FP | Remediate — do not resubmit without new evidence |
+| Amber — Reworked | Reviewer returned the ticket | Open in Ivanti, update justification, resubmit |
+| Amber — Actionable | Ticket flagged for team response | Open in Ivanti and respond |
+| Blue — Requested | FP submitted, awaiting approval | Monitor; follow up if SLA is approaching |
+| No badge | Never been triaged | Run it through the 5-step workflow |
+
+---
+
+## Segment 7 — Quick tips (2 min)
+
+Quick features worth pointing out before Q&A:
+
+- **Filter to untriaged only** — click the **Pending** segment on the Action Coverage donut chart
+- **Find all findings tied to an Archer ticket** — click the EXC badge on the Home page CVE row
+- **Filter by vendor, IP, SLA status** — click the filter icon (⊙) on any column header
+- **Save evidence once, reuse it** — uploading screenshots/advisories to the CVE database means when an FP expires you already have the files
+
+---
+
+## Segment 8 — Q&A (remaining time)
+
+Suggested prompts to open discussion if no questions come up:
+- *"Walk me through what you'd do if you saw a red 'Rejected' badge on a finding."*
+- *"When would you use the Ivanti Queue versus just actioning something immediately?"*
+- *"What's the difference between Path B (config change) and Path D (risk acceptance) — when does each apply?"*
+
+---
+
+## Takeaway for the team
+
+Point them to:
+- `docs/security-posture-workflow.md` — the full process guide with all the steps, evidence requirements, and decision matrix
+- `docs/security-posture-workflow-diagrams.md` — the Mermaid flowcharts if they're visual learners

docs/time-based-reporting-recommendations.md

@@ -0,0 +1,333 @@
+# Time-Based Reporting Recommendations
+**Date:** 2026-04-02
+**Author:** Engineering (Claude Code)
+**Status:** Draft — for director review
+
+---
+
+## Executive Summary
+
+This document analyzes the current CVE Dashboard data model and recommends a set of time-based visualizations that can be added to the Reporting page. Recommendations are grouped by feasibility: **Tier 1** can be built with data already in the database, **Tier 2** requires a lightweight new tracking table, and **Tier 3** requires structural additions.
+
+---
+
+## Current Data Inventory
+
+### What Already Has Time-Series History
+
+| Source | Table | Date Fields | History? |
+|--------|-------|-------------|----------|
+| Compliance uploads | `compliance_uploads` | `report_date`, `uploaded_at` | **Yes** — one row per report cycle |
+| Compliance items | `compliance_items` | `created_at`, `first_seen_upload_id`, `resolved_upload_id` | **Yes** — tracks lifecycle |
+| Archer tickets | `archer_tickets` | `created_at`, `updated_at` | **Yes** — full history |
+| Todo queue | `ivanti_todo_queue` | `created_at`, `updated_at` | **Yes** — by action |
+| Finding notes | `ivanti_finding_notes` | `updated_at` | **Yes** — note activity |
+
+### What Is Point-in-Time Only (no history yet)
+
+| Source | Table | Problem |
+|--------|-------|---------|
+| Ivanti findings | `ivanti_findings_cache` | Single-row cache — overwritten on every sync |
+| Ivanti counts | `ivanti_counts_cache` | Single-row cache — no snapshots stored |
+| FP workflow states | Computed from `findings_json` | Ephemeral — not persisted historically |
+
+---
+
+## Tier 1 Recommendations — Build Now (No Schema Changes)
+
+All of these use data that is already in the database.
+
+---
+
+### 1.1 Compliance Trend Line — Total Active Findings Over Time
+
+**Description:** A line chart showing the total number of active (non-compliant) items per compliance upload date. This directly answers "are we improving over time?"
+
+**Data Source:**
+```sql
+SELECT
+  cu.report_date,
+  COUNT(ci.id) AS active_count
+FROM compliance_uploads cu
+JOIN compliance_items ci ON ci.upload_id = cu.id AND ci.status = 'active'
+GROUP BY cu.id
+ORDER BY cu.report_date ASC;
+```
+
+**Chart Type:** Line chart with data points per upload
+**Axes:** X = Report Date, Y = Number of Active Findings
+**Value-add:** Overlay a trend line (linear regression) to show trajectory
+
+---
+
+### 1.2 New / Recurring / Resolved Bar Chart — Per Report Cycle
+
+**Description:** A grouped or stacked bar chart showing the delta breakdown for each compliance upload: how many findings were newly introduced, how many recurred from a prior cycle, and how many were resolved.
+
+**Data Source:** Already computed and stored in `compliance_uploads`:
+```sql
+SELECT report_date, new_count, recurring_count, resolved_count
+FROM compliance_uploads
+ORDER BY report_date ASC;
+```
+
+**Chart Type:** Stacked bar chart (one bar per upload date)
+**Legend:** New (red/amber), Recurring (yellow), Resolved (green)
+**Value-add:** Shows whether each reporting cycle is improving (more resolved than new) or degrading
+
+---
+
+### 1.3 Team Compliance Health Over Time — Multi-Line Chart
+
+**Description:** A multi-line chart showing the active finding count per team per upload date. Answers "which team is trending better or worse?"
+
+**Data Source:**
+```sql
+SELECT
+  cu.report_date,
+  ci.team,
+  COUNT(ci.id) AS active_count
+FROM compliance_uploads cu
+JOIN compliance_items ci ON ci.upload_id = cu.id AND ci.status = 'active'
+GROUP BY cu.id, ci.team
+ORDER BY cu.report_date ASC;
+```
+
+**Chart Type:** Multi-line chart (one line per team)
+**Teams:** STEAM, ACCESS-ENG, ACCESS-OPS, INTELDEV
+**Value-add:** Immediately visible which team is outlier or improving fastest
+
+---
+
+### 1.4 Mean Time to Resolution (MTTR) — Per Team
+
+**Description:** A bar chart showing average number of upload cycles between when a finding first appeared and when it was resolved, broken out by team.
+
+**Data Source:**
+```sql
+SELECT
+  ci.team,
+  AVG(ci.resolved_upload_id - ci.first_seen_upload_id) AS avg_cycles_to_resolve,
+  COUNT(*) AS resolved_count
+FROM compliance_items ci
+WHERE ci.resolved_upload_id IS NOT NULL
+GROUP BY ci.team;
+```
+
+**Chart Type:** Horizontal bar chart
+**Axes:** Y = Team, X = Average Cycles to Resolution
+**Value-add:** Normalize to calendar days by joining with upload dates for true MTTR in days
+
+---
+
+### 1.5 Recurring Findings Heatmap — Seen Count Distribution
+
+**Description:** A heatmap or bubble chart showing findings grouped by how many times they have recurred (`seen_count`). Identifies chronic, long-standing compliance gaps.
+
+**Data Source:**
+```sql
+SELECT
+  team,
+  metric_id,
+  metric_desc,
+  seen_count,
+  COUNT(*) AS host_count
+FROM compliance_items
+WHERE status = 'active'
+GROUP BY team, metric_id
+ORDER BY seen_count DESC;
+```
+
+**Chart Type:** Horizontal bar chart sorted by `seen_count`, grouped by team
+**Value-add:** Highlights the "chronic" findings that repeatedly appear — high priority for remediation
+
+---
+
+### 1.6 Archer Exception Ticket Status Over Time
+
+**Description:** A line chart or cumulative area chart showing Archer ticket status transitions over time using `created_at` and `updated_at`.
+
+**Data Source:**
+```sql
+SELECT
+  DATE(created_at) AS date,
+  status,
+  COUNT(*) AS count
+FROM archer_tickets
+GROUP BY DATE(created_at), status
+ORDER BY date ASC;
+```
+
+**Chart Type:** Stacked area chart
+**Statuses:** Draft, Open, Under Review, Accepted
+**Value-add:** Tracks exception request pipeline velocity — are exceptions getting processed or stacking up?
+
+---
+
+### 1.7 Compliance Category Breakdown Over Time
+
+**Description:** A stacked area chart showing what categories of compliance failures are driving the total over time (if the `category` field in `compliance_items` is populated).
+
+**Data Source:**
+```sql
+SELECT
+  cu.report_date,
+  ci.category,
+  COUNT(ci.id) AS count
+FROM compliance_uploads cu
+JOIN compliance_items ci ON ci.upload_id = cu.id AND ci.status = 'active'
+WHERE ci.category IS NOT NULL
+GROUP BY cu.id, ci.category
+ORDER BY cu.report_date ASC;
+```
+
+**Chart Type:** Stacked area chart
+**Value-add:** Shows whether one category dominates or if failures are spread across areas
+
+---
+
+## Tier 2 Recommendations — Lightweight Schema Addition Required
+
+These require adding one new table to persist snapshots of data that is currently overwritten on each sync.
+
+---
+
+### 2.1 Ivanti Findings Count Over Time — Open vs Closed Trend
+
+**Description:** The single most-requested metric: "are we making progress on vulnerabilities?" A line chart showing open and closed Ivanti finding counts over time.
+
+**Problem:** The current `ivanti_counts_cache` is a single-row table overwritten on each sync. No history is kept.
+
+**Solution:** Add a `ivanti_counts_history` table and append a row on every successful sync:
+```sql
+CREATE TABLE ivanti_counts_history (
+  id          INTEGER PRIMARY KEY AUTOINCREMENT,
+  open_count  INTEGER NOT NULL,
+  closed_count INTEGER NOT NULL,
+  recorded_at DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+```
+
+**Backend change:** In the sync route (`POST /api/ivanti/findings/sync`), after updating the cache, also `INSERT INTO ivanti_counts_history`.
+
+**New API endpoint:** `GET /api/ivanti/findings/counts/history`
+```sql
+SELECT open_count, closed_count, recorded_at
+FROM ivanti_counts_history
+ORDER BY recorded_at ASC;
+```
+
+**Chart Type:** Dual-line chart
+**Lines:** Open findings (red), Closed findings (green)
+**Value-add:** Most direct measure of vulnerability remediation velocity
+
+---
+
+### 2.2 FP Workflow State Snapshots Over Time
+
+**Description:** A stacked area or line chart showing how FP workflow states (Actionable, Requested, Approved, Rejected, Expired) trend over sync cycles.
+
+**Solution:** Add a `ivanti_fp_workflow_history` table:
+```sql
+CREATE TABLE ivanti_fp_workflow_history (
+  id              INTEGER PRIMARY KEY AUTOINCREMENT,
+  state           TEXT NOT NULL,
+  finding_count   INTEGER NOT NULL DEFAULT 0,
+  id_count        INTEGER NOT NULL DEFAULT 0,
+  recorded_at     DATETIME DEFAULT CURRENT_TIMESTAMP
+);
+```
+
+**Chart Type:** Stacked area chart
+**Value-add:** Shows whether FP requests are being worked through or stacking up in "Requested" state
+
+---
+
+### 2.3 Todo Queue Velocity — Items Added vs Completed Per Week
+
+**Description:** A bar chart showing weekly queue throughput (items added vs items marked complete).
+
+**Data Source:** Already available in `ivanti_todo_queue.created_at` and `updated_at` + `status = 'complete'`:
+```sql
+SELECT
+  STRFTIME('%Y-W%W', created_at) AS week,
+  COUNT(*) AS items_added,
+  SUM(CASE WHEN status = 'complete' THEN 1 ELSE 0 END) AS items_completed
+FROM ivanti_todo_queue
+GROUP BY week
+ORDER BY week ASC;
+```
+
+**Chart Type:** Grouped bar chart (weekly)
+**Value-add:** Measures operational pace of the team's workflow action throughput
+
+---
+
+## Tier 3 Recommendations — Structural Additions (Future Consideration)
+
+These require more significant changes but would provide powerful long-term reporting.
+
+---
+
+### 3.1 Finding Age / Dwell Time Distribution
+
+**Description:** A histogram showing how long open findings have been open (age in days). The `lastFoundOn` field exists in the Ivanti findings JSON but is not persisted to a structured table.
+
+**Requirement:** Parse and store `lastFoundOn` from findings JSON into a structured column during sync.
+
+**Value-add:** Highlights findings that have been open for 90+ days — high-priority remediation targets.
+
+---
+
+### 3.2 SLA Breach Trends
+
+**Description:** Track how many findings breach SLA (Due Date exceeded) over time. Currently SLA status is computed in the frontend on-the-fly.
+
+**Requirement:** Add SLA breach tracking during sync — stamp findings that cross SLA date.
+
+**Value-add:** Compliance and audit reporting for SLA adherence metrics.
+
+---
+
+## Recommended Implementation Order
+
+| Priority | Chart | Effort | Impact |
+|----------|-------|--------|--------|
+| 1 | 1.2 — New/Recurring/Resolved bar chart | Low (data ready) | High |
+| 2 | 1.1 — Compliance trend line | Low (data ready) | High |
+| 3 | 1.3 — Team health multi-line | Low (data ready) | High |
+| 4 | 2.1 — Ivanti open/closed history | Medium (new table) | Very High |
+| 5 | 1.4 — MTTR per team | Low (data ready) | Medium |
+| 6 | 1.6 — Archer ticket pipeline | Low (data ready) | Medium |
+| 7 | 2.3 — Queue velocity | Low (data ready) | Medium |
+| 8 | 1.5 — Recurring findings heatmap | Low (data ready) | Medium |
+| 9 | 2.2 — FP workflow snapshots | Medium (new table) | Medium |
+| 10 | 1.7 — Category breakdown | Low (data ready) | Low–Medium |
+
+---
+
+## Charting Library Consideration
+
+The current implementation uses **hand-rolled SVG donut charts** (no external library). For time-series line/bar/area charts, the team should decide:
+
+| Option | Pros | Cons |
+|--------|------|------|
+| **Continue hand-rolled SVG** | Zero dependencies, full style control | Significant effort for axes, labels, tooltips |
+| **Recharts** (React-native) | Well-matched to React 19, composable, responsive | ~500KB dependency |
+| **Chart.js via react-chartjs-2** | Mature, widely documented | Less React-idiomatic |
+| **Lightweight: uPlot or Chart.xkcd** | Very small bundle | Less community support |
+
+**Recommendation:** Recharts aligns best with the React 19 stack and allows declaring charts as JSX components consistent with the existing code style. It supports all chart types listed above.
+
+---
+
+## Notes for Director Review
+
+- All **Tier 1** recommendations can be implemented with zero database migrations — the data is already there.
+- The **single highest-value addition** is `2.1 — Ivanti open/closed count history`, as it captures the most direct remediation progress metric. It only requires one new table and one line added to the sync handler.
+- **Compliance charts (1.1–1.5)** will only be meaningful once multiple compliance uploads have been committed. If only 1–2 uploads exist currently, the trend will not show much until more data accumulates — but building the charts now means data will automatically populate them.
+- All queries listed above have been validated against the actual database schema.
+
+---
+
+*Next step: Review with director, confirm priority order, then schedule sprint for implementation.*

frontend/README.md

@@ -1,70 +0,0 @@
-# Getting Started with Create React App
-
-This project was bootstrapped with [Create React App](https://github.com/facebook/create-react-app).
-
-## Available Scripts
-
-In the project directory, you can run:
-
-### `npm start`
-
-Runs the app in the development mode.\
-Open [http://localhost:3000](http://localhost:3000) to view it in your browser.
-
-The page will reload when you make changes.\
-You may also see any lint errors in the console.
-
-### `npm test`
-
-Launches the test runner in the interactive watch mode.\
-See the section about [running tests](https://facebook.github.io/create-react-app/docs/running-tests) for more information.
-
-### `npm run build`
-
-Builds the app for production to the `build` folder.\
-It correctly bundles React in production mode and optimizes the build for the best performance.
-
-The build is minified and the filenames include the hashes.\
-Your app is ready to be deployed!
-
-See the section about [deployment](https://facebook.github.io/create-react-app/docs/deployment) for more information.
-
-### `npm run eject`
-
-**Note: this is a one-way operation. Once you `eject`, you can't go back!**
-
-If you aren't satisfied with the build tool and configuration choices, you can `eject` at any time. This command will remove the single build dependency from your project.
-
-Instead, it will copy all the configuration files and the transitive dependencies (webpack, Babel, ESLint, etc) right into your project so you have full control over them. All of the commands except `eject` will still work, but they will point to the copied scripts so you can tweak them. At this point you're on your own.
-
-You don't have to ever use `eject`. The curated feature set is suitable for small and middle deployments, and you shouldn't feel obligated to use this feature. However we understand that this tool wouldn't be useful if you couldn't customize it when you are ready for it.
-
-## Learn More
-
-You can learn more in the [Create React App documentation](https://facebook.github.io/create-react-app/docs/getting-started).
-
-To learn React, check out the [React documentation](https://reactjs.org/).
-
-### Code Splitting
-
-This section has moved here: [https://facebook.github.io/create-react-app/docs/code-splitting](https://facebook.github.io/create-react-app/docs/code-splitting)
-
-### Analyzing the Bundle Size
-
-This section has moved here: [https://facebook.github.io/create-react-app/docs/analyzing-the-bundle-size](https://facebook.github.io/create-react-app/docs/analyzing-the-bundle-size)
-
-### Making a Progressive Web App
-
-This section has moved here: [https://facebook.github.io/create-react-app/docs/making-a-progressive-web-app](https://facebook.github.io/create-react-app/docs/making-a-progressive-web-app)
-
-### Advanced Configuration
-
-This section has moved here: [https://facebook.github.io/create-react-app/docs/advanced-configuration](https://facebook.github.io/create-react-app/docs/advanced-configuration)
-
-### Deployment
-
-This section has moved here: [https://facebook.github.io/create-react-app/docs/deployment](https://facebook.github.io/create-react-app/docs/deployment)
-
-### `npm run build` fails to minify
-
-This section has moved here: [https://facebook.github.io/create-react-app/docs/troubleshooting#npm-run-build-fails-to-minify](https://facebook.github.io/create-react-app/docs/troubleshooting#npm-run-build-fails-to-minify)

frontend/package.json

@@ -8,10 +8,15 @@
     "@testing-library/react": "^16.3.2",
     "@testing-library/user-event": "^13.5.0",
     "lucide-react": "^0.563.0",
+    "mermaid": "^11.14.0",
     "react": "^19.2.4",
     "react-dom": "^19.2.4",
+    "react-markdown": "^10.1.0",
     "react-scripts": "5.0.1",
-    "web-vitals": "^2.1.4"
+    "recharts": "^3.8.1",
+    "rehype-sanitize": "^6.0.0",
+    "web-vitals": "^2.1.4",
+    "xlsx": "^0.18.5"
   },
   "scripts": {
     "start": "react-scripts start",

frontend/public/index.html

@@ -25,9 +25,67 @@
       Learn how to configure a non-root public URL by running `npm run build`.
     -->
     <title>CVE Dashboard</title>
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;600;700&family=Outfit:wght@300;400;500;600;700&display=swap" rel="stylesheet">
     <script src="https://cdn.tailwindcss.com"></script>
+    <script>
+      tailwind.config = {
+        theme: {
+          extend: {
+            fontFamily: {
+              'mono': ['JetBrains Mono', 'monospace'],
+              'sans': ['Outfit', 'system-ui', 'sans-serif'],
+            },
+            colors: {
+              'intel': {
+                'darkest': '#0A0E27',
+                'dark': '#131937',
+                'medium': '#1E2749',
+                'accent': '#00D9FF',
+                'accent-dim': '#0099BB',
+                'danger': '#FF3366',
+                'warning': '#FFB800',
+                'success': '#00FF88',
+                'grid': '#1E2749',
+              }
+            },
+            backgroundImage: {
+              'grid-pattern': 'linear-gradient(rgba(0, 217, 255, 0.03) 1px, transparent 1px), linear-gradient(90deg, rgba(0, 217, 255, 0.03) 1px, transparent 1px)',
+            },
+            backgroundSize: {
+              'grid': '20px 20px',
+            },
+            animation: {
+              'scan': 'scan 3s ease-in-out infinite',
+              'pulse-glow': 'pulse-glow 2s ease-in-out infinite',
+              'fade-in': 'fade-in 0.5s ease-out',
+              'slide-up': 'slide-up 0.4s ease-out',
+            },
+            keyframes: {
+              'scan': {
+                '0%, 100%': { transform: 'translateY(-100%)', opacity: '0' },
+                '50%': { transform: 'translateY(100%)', opacity: '0.3' },
+              },
+              'pulse-glow': {
+                '0%, 100%': { boxShadow: '0 0 5px rgba(0, 217, 255, 0.3)' },
+                '50%': { boxShadow: '0 0 20px rgba(0, 217, 255, 0.6)' },
+              },
+              'fade-in': {
+                '0%': { opacity: '0' },
+                '100%': { opacity: '1' },
+              },
+              'slide-up': {
+                '0%': { transform: 'translateY(10px)', opacity: '0' },
+                '100%': { transform: 'translateY(0)', opacity: '1' },
+              },
+            },
+          }
+        }
+      }
+    </script>
   </head>
-  <body>
+  <body class="bg-intel-darkest">
     <noscript>You need to enable JavaScript to run this app.</noscript>
     <div id="root"></div>
     <!--

frontend/src/App.css

@@ -1,38 +1,825 @@
-.App {
-  text-align: center;
+/* Tactical Intelligence Dashboard Styles */
+/* IMPORTANT: This file MUST be imported in App.js */
+
+* {
+  font-family: 'Outfit', system-ui, sans-serif;
 }
 
-.App-logo {
-  height: 40vmin;
+/* Pulse animation for glowing dots - used by inline styles */
+@keyframes pulse {
+  0%, 100% {
+    opacity: 1;
+    transform: scale(1);
+  }
+  50% {
+    opacity: 0.7;
+    transform: scale(1.2);
+  }
+}
+
+:root {
+  /* Base Colors - Modern Slate Foundation */
+  --intel-darkest: #0F172A;
+  --intel-dark: #1E293B;
+  --intel-medium: #334155;
+  --intel-accent: #0EA5E9;     /* Sky Blue - professional cyan */
+  --intel-warning: #F59E0B;    /* Amber - sophisticated warning */
+  --intel-danger: #EF4444;     /* Modern Red - urgent but refined */
+  --intel-success: #10B981;    /* Emerald - professional green */
+  --intel-grid: rgba(14, 165, 233, 0.08);
+
+  /* Text Colors with proper contrast */
+  --text-primary: #F8FAFC;
+  --text-secondary: #E2E8F0;
+  --text-tertiary: #CBD5E1;
+  --text-muted: #94A3B8;
+}
+
+body {
+  background-color: #0F172A;
+  color: #E2E8F0;
+  overflow-x: hidden;
+}
+
+/* Utility Classes for Tailwind-style usage */
+.bg-intel-darkest { background-color: var(--intel-darkest); }
+.bg-intel-dark { background-color: var(--intel-dark); }
+.bg-intel-medium { background-color: var(--intel-medium); }
+.text-intel-accent { color: var(--intel-accent); }
+.text-intel-warning { color: var(--intel-warning); }
+.text-intel-danger { color: var(--intel-danger); }
+.text-intel-success { color: var(--intel-success); }
+.border-intel-accent { border-color: var(--intel-accent); }
+.border-intel-warning { border-color: var(--intel-warning); }
+.border-intel-danger { border-color: var(--intel-danger); }
+.border-intel-grid { border-color: var(--intel-grid); }
+
+/* Grid background effect */
+.grid-bg {
+  background-image:
+    linear-gradient(rgba(14, 165, 233, 0.025) 1px, transparent 1px),
+    linear-gradient(90deg, rgba(14, 165, 233, 0.025) 1px, transparent 1px);
+  background-size: 20px 20px;
+}
+
+/* Monospace font for technical data */
+.mono {
+  font-family: 'JetBrains Mono', monospace;
+}
+
+/* Glowing border effect */
+.glow-border {
+  position: relative;
+  border: 1px solid rgba(14, 165, 233, 0.3);
+}
+
+.glow-border::before {
+  content: '';
+  position: absolute;
+  top: -1px;
+  left: -1px;
+  right: -1px;
+  bottom: -1px;
+  background: linear-gradient(45deg, transparent, rgba(14, 165, 233, 0.08), transparent);
+  border-radius: inherit;
+  opacity: 0;
+  transition: opacity 0.3s;
+  pointer-events: none;
+  z-index: -1;
+}
+
+.glow-border:hover::before {
+  opacity: 1;
+}
+
+/* Scanning line animation */
+.scan-line {
+  position: absolute;
+  top: 0;
+  left: 0;
+  right: 0;
+  height: 2px;
+  background: linear-gradient(90deg,
+    transparent,
+    rgba(14, 165, 233, 0.6),
+    transparent
+  );
+  animation: scan 3s ease-in-out infinite;
   pointer-events: none;
 }
 
-@media (prefers-reduced-motion: no-preference) {
-  .App-logo {
-    animation: App-logo-spin infinite 20s linear;
+@keyframes scan {
+  0%, 100% {
+    transform: translateY(-100%);
+    opacity: 0;
+  }
+  50% {
+    transform: translateY(2000%);
+    opacity: 0.5;
   }
 }
 
-.App-header {
-  background-color: #282c34;
-  min-height: 100vh;
-  display: flex;
-  flex-direction: column;
+/* Card hover effects with refined depth */
+.intel-card {
+  background: linear-gradient(135deg, rgba(30, 41, 59, 0.95) 0%, rgba(51, 65, 85, 0.9) 50%, rgba(30, 41, 59, 0.95) 100%);
+  border: 1.5px solid rgba(14, 165, 233, 0.3);
+  transition: all 0.3s cubic-bezier(0.4, 0, 0.2, 1);
+  position: relative;
+  overflow: hidden;
+  box-shadow:
+    0 4px 12px rgba(0, 0, 0, 0.4),
+    0 2px 6px rgba(0, 0, 0, 0.3),
+    inset 0 1px 0 rgba(14, 165, 233, 0.1),
+    inset 0 -1px 0 rgba(14, 165, 233, 0.05);
+}
+
+.intel-card::after {
+  content: '';
+  position: absolute;
+  top: 0;
+  left: -100%;
+  width: 100%;
+  height: 100%;
+  background: linear-gradient(90deg,
+    transparent,
+    rgba(14, 165, 233, 0.08),
+    transparent
+  );
+  transition: left 0.5s;
+  pointer-events: none;
+}
+
+.intel-card:hover {
+  border-color: rgba(14, 165, 233, 0.5);
+  transform: translateY(-2px);
+  box-shadow:
+    0 8px 24px rgba(14, 165, 233, 0.15),
+    0 4px 12px rgba(0, 0, 0, 0.4),
+    inset 0 1px 0 rgba(14, 165, 233, 0.2),
+    0 0 30px rgba(14, 165, 233, 0.1);
+}
+
+.intel-card:hover::after {
+  left: 100%;
+}
+
+/* Status badges with STRONG glow and contrast */
+.status-badge {
+  position: relative;
+  font-family: 'JetBrains Mono', monospace;
+  font-size: 0.75rem;
+  font-weight: 700;
+  letter-spacing: 0.5px;
+  text-transform: uppercase;
+  padding: 0.375rem 0.875rem;
+  border-radius: 0.375rem;
+  border: 2px solid;
+  display: inline-flex;
   align-items: center;
-  justify-content: center;
-  font-size: calc(10px + 2vmin);
-  color: white;
+  gap: 0.5rem;
+  box-shadow: 0 4px 8px rgba(0, 0, 0, 0.4);
 }
 
-.App-link {
-  color: #61dafb;
+.status-badge::before {
+  content: '';
+  width: 8px;
+  height: 8px;
+  border-radius: 50%;
+  animation: pulse-glow 2s ease-in-out infinite;
 }
 
-@keyframes App-logo-spin {
+.status-critical {
+  background: linear-gradient(135deg, rgba(239, 68, 68, 0.2) 0%, rgba(239, 68, 68, 0.15) 100%);
+  border-color: rgba(239, 68, 68, 0.6);
+  color: #FCA5A5;
+  text-shadow: 0 0 8px rgba(239, 68, 68, 0.4);
+}
+
+.status-critical::before {
+  background: #EF4444;
+  box-shadow: 0 0 12px rgba(239, 68, 68, 0.6), 0 0 6px rgba(239, 68, 68, 0.4);
+}
+
+.status-high {
+  background: linear-gradient(135deg, rgba(245, 158, 11, 0.2) 0%, rgba(245, 158, 11, 0.15) 100%);
+  border-color: rgba(245, 158, 11, 0.6);
+  color: #FCD34D;
+  text-shadow: 0 0 8px rgba(245, 158, 11, 0.4);
+}
+
+.status-high::before {
+  background: #F59E0B;
+  box-shadow: 0 0 12px rgba(245, 158, 11, 0.6), 0 0 6px rgba(245, 158, 11, 0.4);
+}
+
+.status-medium {
+  background: linear-gradient(135deg, rgba(14, 165, 233, 0.2) 0%, rgba(14, 165, 233, 0.15) 100%);
+  border-color: rgba(14, 165, 233, 0.6);
+  color: #7DD3FC;
+  text-shadow: 0 0 8px rgba(14, 165, 233, 0.4);
+}
+
+.status-medium::before {
+  background: #0EA5E9;
+  box-shadow: 0 0 12px rgba(14, 165, 233, 0.6), 0 0 6px rgba(14, 165, 233, 0.4);
+}
+
+.status-low {
+  background: linear-gradient(135deg, rgba(16, 185, 129, 0.2) 0%, rgba(16, 185, 129, 0.15) 100%);
+  border-color: rgba(16, 185, 129, 0.6);
+  color: #6EE7B7;
+  text-shadow: 0 0 8px rgba(16, 185, 129, 0.4);
+}
+
+.status-low::before {
+  background: #10B981;
+  box-shadow: 0 0 12px rgba(16, 185, 129, 0.6), 0 0 6px rgba(16, 185, 129, 0.4);
+}
+
+/* Button styles with depth and glow */
+.intel-button {
+  position: relative;
+  font-family: 'JetBrains Mono', monospace;
+  font-weight: 600;
+  letter-spacing: 0.5px;
+  text-transform: uppercase;
+  font-size: 0.875rem;
+  padding: 0.625rem 1.25rem;
+  border-radius: 0.375rem;
+  transition: all 0.3s;
+  border: 1px solid;
+  overflow: hidden;
+  box-shadow:
+    0 2px 6px rgba(0, 0, 0, 0.3),
+    inset 0 1px 0 rgba(255, 255, 255, 0.1);
+}
+
+.intel-button::before {
+  content: '';
+  position: absolute;
+  top: 50%;
+  left: 50%;
+  width: 0;
+  height: 0;
+  border-radius: 50%;
+  background: rgba(255, 255, 255, 0.15);
+  transform: translate(-50%, -50%);
+  transition: width 0.5s, height 0.5s;
+}
+
+.intel-button:hover::before {
+  width: 300px;
+  height: 300px;
+}
+
+.intel-button-primary {
+  background: linear-gradient(135deg, rgba(14, 165, 233, 0.15) 0%, rgba(14, 165, 233, 0.1) 100%);
+  border-color: #0EA5E9;
+  color: #38BDF8;
+  text-shadow: 0 0 6px rgba(14, 165, 233, 0.2);
+}
+
+.intel-button-primary:hover {
+  background: linear-gradient(135deg, rgba(14, 165, 233, 0.25) 0%, rgba(14, 165, 233, 0.2) 100%);
+  box-shadow:
+    0 0 20px rgba(14, 165, 233, 0.25),
+    0 4px 12px rgba(0, 0, 0, 0.4),
+    inset 0 1px 0 rgba(255, 255, 255, 0.1);
+  transform: translateY(-1px);
+}
+
+.intel-button-danger {
+  background: linear-gradient(135deg, rgba(239, 68, 68, 0.15) 0%, rgba(239, 68, 68, 0.1) 100%);
+  border-color: #EF4444;
+  color: #F87171;
+  text-shadow: 0 0 6px rgba(239, 68, 68, 0.2);
+}
+
+.intel-button-danger:hover {
+  background: linear-gradient(135deg, rgba(239, 68, 68, 0.25) 0%, rgba(239, 68, 68, 0.2) 100%);
+  box-shadow:
+    0 0 20px rgba(239, 68, 68, 0.25),
+    0 4px 12px rgba(0, 0, 0, 0.4),
+    inset 0 1px 0 rgba(255, 255, 255, 0.1);
+  transform: translateY(-1px);
+}
+
+.intel-button-success {
+  background: linear-gradient(135deg, rgba(16, 185, 129, 0.15) 0%, rgba(16, 185, 129, 0.1) 100%);
+  border-color: #10B981;
+  color: #34D399;
+  text-shadow: 0 0 6px rgba(16, 185, 129, 0.2);
+}
+
+.intel-button-success:hover {
+  background: linear-gradient(135deg, rgba(16, 185, 129, 0.25) 0%, rgba(16, 185, 129, 0.2) 100%);
+  box-shadow:
+    0 0 20px rgba(16, 185, 129, 0.25),
+    0 4px 12px rgba(0, 0, 0, 0.4),
+    inset 0 1px 0 rgba(255, 255, 255, 0.1);
+  transform: translateY(-1px);
+}
+
+/* Input fields with better contrast */
+.intel-input {
+  background: rgba(30, 41, 59, 0.6);
+  border: 1px solid rgba(14, 165, 233, 0.25);
+  color: #F8FAFC;
+  padding: 0.625rem 1rem;
+  border-radius: 0.375rem;
+  font-family: 'JetBrains Mono', monospace;
+  font-size: 0.875rem;
+  transition: all 0.3s;
+  box-shadow:
+    inset 0 2px 4px rgba(0, 0, 0, 0.2),
+    0 1px 0 rgba(255, 255, 255, 0.03);
+}
+
+.intel-input:focus {
+  outline: none;
+  border-color: #0EA5E9;
+  box-shadow:
+    0 0 0 2px rgba(14, 165, 233, 0.15),
+    inset 0 2px 4px rgba(0, 0, 0, 0.15),
+    0 4px 12px rgba(14, 165, 233, 0.1);
+  background: rgba(30, 41, 59, 0.8);
+}
+
+.intel-input::placeholder {
+  color: rgba(226, 232, 240, 0.35);
+}
+
+/* Stat cards with refined depth */
+.stat-card {
+  background: linear-gradient(135deg, rgba(30, 41, 59, 0.95) 0%, rgba(51, 65, 85, 0.9) 100%);
+  border: 1.5px solid rgba(14, 165, 233, 0.35);
+  border-radius: 0.5rem;
+  padding: 1rem;
+  position: relative;
+  overflow: hidden;
+  box-shadow:
+    0 4px 12px rgba(0, 0, 0, 0.4),
+    0 2px 6px rgba(0, 0, 0, 0.3),
+    inset 0 1px 0 rgba(14, 165, 233, 0.15);
+  transition: all 0.3s ease;
+}
+
+.stat-card:hover {
+  transform: translateY(-2px);
+  border-color: rgba(14, 165, 233, 0.5);
+  box-shadow:
+    0 8px 20px rgba(14, 165, 233, 0.15),
+    0 4px 12px rgba(0, 0, 0, 0.4),
+    inset 0 1px 0 rgba(14, 165, 233, 0.2),
+    0 0 24px rgba(14, 165, 233, 0.1);
+}
+
+.stat-card::before {
+  content: '';
+  position: absolute;
+  top: 0;
+  left: 0;
+  right: 0;
+  height: 2px;
+  background: linear-gradient(90deg, transparent, #0EA5E9, transparent);
+  opacity: 0.8;
+  box-shadow: 0 0 8px rgba(14, 165, 233, 0.5);
+}
+
+/* Modal overlay with proper backdrop */
+.modal-overlay {
+  background: rgba(10, 14, 39, 0.97);
+  backdrop-filter: blur(12px);
+}
+
+/* Modal card enhancements */
+.intel-card.modal-card {
+  box-shadow:
+    0 20px 60px rgba(0, 0, 0, 0.6),
+    0 10px 30px rgba(0, 217, 255, 0.1),
+    inset 0 1px 0 rgba(255, 255, 255, 0.1);
+}
+
+/* Scrollbar styling */
+::-webkit-scrollbar {
+  width: 8px;
+  height: 8px;
+}
+
+::-webkit-scrollbar-track {
+  background: #1E293B;
+}
+
+::-webkit-scrollbar-thumb {
+  background: rgba(14, 165, 233, 0.3);
+  border-radius: 4px;
+}
+
+::-webkit-scrollbar-thumb:hover {
+  background: rgba(14, 165, 233, 0.5);
+}
+
+/* Fade in animation */
+.fade-in {
+  animation: fade-in 0.5s ease-out;
+}
+
+@keyframes fade-in {
   from {
-    transform: rotate(0deg);
+    opacity: 0;
+    transform: translateY(10px);
   }
   to {
-    transform: rotate(360deg);
+    opacity: 1;
+    transform: translateY(0);
   }
 }
+
+/* Pulse glow animation */
+@keyframes pulse-glow {
+  0%, 100% {
+    box-shadow: 0 0 5px currentColor;
+  }
+  50% {
+    box-shadow: 0 0 15px currentColor;
+  }
+}
+
+/* Data table styling */
+.data-row {
+  border-bottom: 1px solid rgba(0, 217, 255, 0.1);
+  transition: all 0.2s;
+}
+
+.data-row:hover {
+  background: rgba(0, 217, 255, 0.06);
+  border-bottom-color: rgba(0, 217, 255, 0.3);
+  box-shadow: 0 2px 8px rgba(0, 217, 255, 0.1);
+}
+
+/* Vendor entry cards - high contrast and depth */
+.vendor-card {
+  background: linear-gradient(135deg, rgba(19, 25, 55, 0.9) 0%, rgba(30, 39, 73, 0.8) 100%);
+  border: 1px solid rgba(0, 217, 255, 0.25);
+  border-radius: 0.5rem;
+  padding: 1rem;
+  transition: all 0.3s ease;
+  box-shadow:
+    0 2px 8px rgba(0, 0, 0, 0.3),
+    inset 0 1px 0 rgba(255, 255, 255, 0.05);
+}
+
+.vendor-card:hover {
+  background: linear-gradient(135deg, rgba(19, 25, 55, 0.95) 0%, rgba(30, 39, 73, 0.9) 100%);
+  border-color: rgba(0, 217, 255, 0.4);
+  box-shadow:
+    0 4px 16px rgba(0, 217, 255, 0.15),
+    0 2px 8px rgba(0, 0, 0, 0.4),
+    inset 0 1px 0 rgba(255, 255, 255, 0.08);
+  transform: translateY(-2px);
+}
+
+/* Document list items with depth */
+.document-item {
+  background: linear-gradient(135deg, rgba(10, 14, 39, 0.9) 0%, rgba(19, 25, 55, 0.8) 100%);
+  border: 1px solid rgba(0, 217, 255, 0.15);
+  border-radius: 0.375rem;
+  padding: 0.75rem;
+  transition: all 0.3s ease;
+  box-shadow:
+    0 2px 6px rgba(0, 0, 0, 0.3),
+    inset 0 1px 0 rgba(255, 255, 255, 0.03);
+}
+
+.document-item:hover {
+  background: linear-gradient(135deg, rgba(10, 14, 39, 0.95) 0%, rgba(30, 39, 73, 0.9) 100%);
+  border-color: rgba(0, 217, 255, 0.3);
+  box-shadow:
+    0 4px 12px rgba(0, 217, 255, 0.12),
+    0 2px 6px rgba(0, 0, 0, 0.4),
+    inset 0 1px 0 rgba(255, 255, 255, 0.06);
+  transform: translateY(-1px);
+}
+
+/* JIRA ticket items with proper contrast */
+.jira-ticket-item {
+  background: linear-gradient(135deg, rgba(19, 25, 55, 0.85) 0%, rgba(30, 39, 73, 0.75) 100%);
+  border: 1px solid rgba(255, 184, 0, 0.2);
+  border-radius: 0.375rem;
+  padding: 0.75rem;
+  transition: all 0.3s ease;
+  box-shadow:
+    0 2px 6px rgba(0, 0, 0, 0.25),
+    inset 0 1px 0 rgba(255, 255, 255, 0.04);
+}
+
+.jira-ticket-item:hover {
+  background: linear-gradient(135deg, rgba(19, 25, 55, 0.95) 0%, rgba(30, 39, 73, 0.85) 100%);
+  border-color: rgba(255, 184, 0, 0.35);
+  box-shadow:
+    0 4px 12px rgba(255, 184, 0, 0.15),
+    0 2px 6px rgba(0, 0, 0, 0.35),
+    inset 0 1px 0 rgba(255, 255, 255, 0.06);
+}
+
+/* CVE Header card with depth */
+.cve-header {
+  background: linear-gradient(135deg, rgba(19, 25, 55, 0.95) 0%, rgba(30, 39, 73, 0.9) 100%);
+  transition: all 0.3s ease;
+}
+
+.cve-header:hover {
+  background: linear-gradient(135deg, rgba(30, 39, 73, 0.95) 0%, rgba(42, 52, 88, 0.9) 100%);
+}
+
+/* Loading spinner */
+.loading-spinner {
+  border: 2px solid rgba(14, 165, 233, 0.1);
+  border-top-color: #0EA5E9;
+  border-radius: 50%;
+  animation: spin 1s linear infinite;
+}
+
+@keyframes spin {
+  to { transform: rotate(360deg); }
+}
+
+/* Tooltip with enhanced styling */
+.tooltip {
+  position: relative;
+}
+
+.tooltip::after {
+  content: attr(data-tooltip);
+  position: absolute;
+  bottom: 100%;
+  left: 50%;
+  transform: translateX(-50%);
+  padding: 0.5rem 0.75rem;
+  background: linear-gradient(135deg, #334155 0%, #475569 100%);
+  border: 1px solid rgba(14, 165, 233, 0.3);
+  border-radius: 0.25rem;
+  font-size: 0.75rem;
+  white-space: nowrap;
+  opacity: 0;
+  pointer-events: none;
+  transition: opacity 0.3s;
+  margin-bottom: 0.5rem;
+  font-family: 'JetBrains Mono', monospace;
+  color: #F8FAFC;
+  box-shadow:
+    0 4px 12px rgba(0, 0, 0, 0.4),
+    0 0 16px rgba(14, 165, 233, 0.15);
+}
+
+.tooltip:hover::after {
+  opacity: 1;
+}
+
+/* Enhanced heading glow */
+h1.text-intel-accent,
+h2.text-intel-accent,
+h3.text-intel-accent {
+  text-shadow:
+    0 0 16px rgba(14, 165, 233, 0.3),
+    0 0 32px rgba(14, 165, 233, 0.15);
+}
+
+/* Enhanced border glow for featured cards */
+.border-intel-accent {
+  box-shadow: 0 0 12px rgba(14, 165, 233, 0.12);
+}
+
+.border-intel-warning {
+  box-shadow: 0 0 12px rgba(245, 158, 11, 0.12);
+}
+
+.border-intel-danger {
+  box-shadow: 0 0 12px rgba(239, 68, 68, 0.12);
+}
+
+/* Quick lookup section enhancement */
+.quick-lookup-card {
+  background: linear-gradient(135deg, rgba(19, 25, 55, 0.95) 0%, rgba(30, 39, 73, 0.9) 100%);
+  box-shadow:
+    0 4px 16px rgba(0, 0, 0, 0.3),
+    inset 0 1px 0 rgba(255, 255, 255, 0.05),
+    0 0 40px rgba(0, 217, 255, 0.1);
+}
+
+/* Vendor Cards - nested depth */
+.vendor-card {
+  background: linear-gradient(135deg, rgba(15, 23, 42, 0.95) 0%, rgba(30, 41, 59, 0.9) 100%);
+  border: 1.5px solid rgba(14, 165, 233, 0.25);
+  border-radius: 0.5rem;
+  padding: 1rem;
+  box-shadow:
+    0 3px 10px rgba(0, 0, 0, 0.4),
+    inset 0 1px 0 rgba(14, 165, 233, 0.08);
+  transition: all 0.3s ease;
+}
+
+.vendor-card:hover {
+  border-color: rgba(14, 165, 233, 0.4);
+  box-shadow:
+    0 6px 16px rgba(14, 165, 233, 0.12),
+    0 3px 10px rgba(0, 0, 0, 0.5),
+    inset 0 1px 0 rgba(14, 165, 233, 0.15);
+  transform: translateX(4px);
+}
+
+/* Document items - recessed appearance */
+.document-item {
+  background: linear-gradient(135deg, rgba(15, 23, 42, 1) 0%, rgba(20, 28, 48, 0.98) 100%);
+  border: 1px solid rgba(14, 165, 233, 0.2);
+  border-radius: 0.375rem;
+  padding: 0.75rem;
+  box-shadow:
+    inset 0 2px 4px rgba(0, 0, 0, 0.3),
+    0 1px 2px rgba(0, 0, 0, 0.25);
+  transition: all 0.2s ease;
+}
+
+.document-item:hover {
+  border-color: rgba(14, 165, 233, 0.35);
+  background: linear-gradient(135deg, rgba(20, 28, 48, 1) 0%, rgba(30, 41, 59, 0.95) 100%);
+  box-shadow:
+    inset 0 2px 4px rgba(0, 0, 0, 0.25),
+    0 2px 8px rgba(14, 165, 233, 0.1);
+}
+
+/* Knowledge Base Content Area */
+.kb-content-area {
+  min-height: 400px;
+  max-height: 700px;
+  overflow-y: auto;
+  padding-right: 0.5rem;
+}
+
+/* Markdown Content Styling */
+.markdown-content {
+  color: #E2E8F0;
+  line-height: 1.7;
+  font-size: 0.95rem;
+}
+
+.markdown-content h1 {
+  font-size: 2rem;
+  font-weight: 700;
+  color: #0EA5E9;
+  margin-top: 1.5rem;
+  margin-bottom: 1rem;
+  padding-bottom: 0.5rem;
+  border-bottom: 2px solid rgba(14, 165, 233, 0.3);
+  font-family: monospace;
+  text-transform: uppercase;
+  letter-spacing: 0.05em;
+}
+
+.markdown-content h2 {
+  font-size: 1.5rem;
+  font-weight: 600;
+  color: #10B981;
+  margin-top: 1.5rem;
+  margin-bottom: 0.75rem;
+  font-family: monospace;
+}
+
+.markdown-content h3 {
+  font-size: 1.25rem;
+  font-weight: 600;
+  color: #F59E0B;
+  margin-top: 1.25rem;
+  margin-bottom: 0.5rem;
+  font-family: monospace;
+}
+
+.markdown-content h4,
+.markdown-content h5,
+.markdown-content h6 {
+  font-size: 1.1rem;
+  font-weight: 600;
+  color: #94A3B8;
+  margin-top: 1rem;
+  margin-bottom: 0.5rem;
+}
+
+.markdown-content p {
+  margin-bottom: 1rem;
+  color: #CBD5E1;
+}
+
+.markdown-content a {
+  color: #0EA5E9;
+  text-decoration: none;
+  border-bottom: 1px solid rgba(14, 165, 233, 0.3);
+  transition: all 0.2s;
+}
+
+.markdown-content a:hover {
+  color: #38BDF8;
+  border-bottom-color: #38BDF8;
+}
+
+.markdown-content ul,
+.markdown-content ol {
+  margin-bottom: 1rem;
+  padding-left: 1.5rem;
+  color: #CBD5E1;
+}
+
+.markdown-content li {
+  margin-bottom: 0.5rem;
+}
+
+.markdown-content code {
+  background: rgba(15, 23, 42, 0.8);
+  border: 1px solid rgba(14, 165, 233, 0.2);
+  border-radius: 0.25rem;
+  padding: 0.125rem 0.375rem;
+  font-family: 'Courier New', monospace;
+  font-size: 0.9em;
+  color: #10B981;
+}
+
+.markdown-content pre {
+  background: rgba(15, 23, 42, 0.95);
+  border: 1px solid rgba(14, 165, 233, 0.3);
+  border-radius: 0.5rem;
+  padding: 1rem;
+  margin-bottom: 1rem;
+  overflow-x: auto;
+  box-shadow: inset 0 2px 4px rgba(0, 0, 0, 0.3);
+}
+
+.markdown-content pre code {
+  background: none;
+  border: none;
+  padding: 0;
+  color: #E2E8F0;
+  font-size: 0.875rem;
+}
+
+.markdown-content blockquote {
+  border-left: 4px solid #0EA5E9;
+  padding-left: 1rem;
+  margin: 1rem 0;
+  color: #94A3B8;
+  font-style: italic;
+  background: rgba(14, 165, 233, 0.05);
+  padding: 0.75rem 1rem;
+  border-radius: 0.25rem;
+}
+
+.markdown-content table {
+  width: 100%;
+  border-collapse: collapse;
+  margin-bottom: 1rem;
+  font-size: 0.9rem;
+}
+
+.markdown-content th,
+.markdown-content td {
+  border: 1px solid rgba(14, 165, 233, 0.2);
+  padding: 0.5rem 0.75rem;
+  text-align: left;
+}
+
+.markdown-content th {
+  background: rgba(14, 165, 233, 0.1);
+  color: #0EA5E9;
+  font-weight: 600;
+  font-family: monospace;
+}
+
+.markdown-content td {
+  color: #CBD5E1;
+}
+
+.markdown-content tr:hover {
+  background: rgba(14, 165, 233, 0.05);
+}
+
+.markdown-content hr {
+  border: none;
+  border-top: 1px solid rgba(14, 165, 233, 0.2);
+  margin: 2rem 0;
+}
+
+.markdown-content img {
+  max-width: 100%;
+  height: auto;
+  border-radius: 0.5rem;
+  border: 1px solid rgba(14, 165, 233, 0.3);
+  margin: 1rem 0;
+}
+
+.markdown-content strong {
+  color: #F8FAFC;
+  font-weight: 600;
+}
+
+.markdown-content em {
+  color: #CBD5E1;
+  font-style: italic;
+}

frontend/src/components/AuditLog.js

@@ -0,0 +1,307 @@
+import React, { useState, useEffect, useCallback } from 'react';
+import { X, Loader, AlertCircle, ChevronLeft, ChevronRight, Search } from 'lucide-react';
+
+const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
+
+const ACTION_BADGES = {
+    login:              { bg: 'bg-green-100',  text: 'text-green-800' },
+    logout:             { bg: 'bg-gray-100',   text: 'text-gray-800' },
+    login_failed:       { bg: 'bg-red-100',    text: 'text-red-800' },
+    cve_create:         { bg: 'bg-blue-100',   text: 'text-blue-800' },
+    cve_update_status:  { bg: 'bg-yellow-100', text: 'text-yellow-800' },
+    document_upload:    { bg: 'bg-purple-100',  text: 'text-purple-800' },
+    document_delete:    { bg: 'bg-red-100',    text: 'text-red-800' },
+    user_create:        { bg: 'bg-blue-100',   text: 'text-blue-800' },
+    user_update:        { bg: 'bg-yellow-100', text: 'text-yellow-800' },
+    user_delete:        { bg: 'bg-red-100',    text: 'text-red-800' },
+    cve_edit:           { bg: 'bg-orange-100', text: 'text-orange-800' },
+    cve_delete:         { bg: 'bg-red-100',    text: 'text-red-800' },
+    cve_nvd_sync:       { bg: 'bg-green-100',  text: 'text-green-800' },
+};
+
+const ENTITY_TYPES = ['auth', 'cve', 'document', 'user'];
+
+export default function AuditLog({ onClose }) {
+    const [logs, setLogs] = useState([]);
+    const [loading, setLoading] = useState(true);
+    const [error, setError] = useState(null);
+    const [actions, setActions] = useState([]);
+    const [pagination, setPagination] = useState({ page: 1, limit: 25, total: 0, totalPages: 0 });
+
+    // Filters
+    const [userFilter, setUserFilter] = useState('');
+    const [actionFilter, setActionFilter] = useState('');
+    const [entityTypeFilter, setEntityTypeFilter] = useState('');
+    const [startDate, setStartDate] = useState('');
+    const [endDate, setEndDate] = useState('');
+
+    const fetchLogs = useCallback(async (page = 1) => {
+        setLoading(true);
+        setError(null);
+        try {
+            const params = new URLSearchParams({ page, limit: 25 });
+            if (userFilter) params.append('user', userFilter);
+            if (actionFilter) params.append('action', actionFilter);
+            if (entityTypeFilter) params.append('entityType', entityTypeFilter);
+            if (startDate) params.append('startDate', startDate);
+            if (endDate) params.append('endDate', endDate);
+
+            const response = await fetch(`${API_BASE}/audit-logs?${params}`, {
+                credentials: 'include'
+            });
+            if (!response.ok) throw new Error('Failed to fetch audit logs');
+            const data = await response.json();
+            setLogs(data.logs);
+            setPagination(data.pagination);
+        } catch (err) {
+            setError(err.message);
+        } finally {
+            setLoading(false);
+        }
+    }, [userFilter, actionFilter, entityTypeFilter, startDate, endDate]);
+
+    const fetchActions = async () => {
+        try {
+            const response = await fetch(`${API_BASE}/audit-logs/actions`, {
+                credentials: 'include'
+            });
+            if (response.ok) {
+                const data = await response.json();
+                setActions(data);
+            }
+        } catch (err) {
+            // Non-critical, ignore
+        }
+    };
+
+    useEffect(() => {
+        fetchLogs(1);
+        fetchActions();
+    }, [fetchLogs]);
+
+    const formatDate = (dateStr) => {
+        if (!dateStr) return '-';
+        return new Date(dateStr).toLocaleString();
+    };
+
+    const formatDetails = (details) => {
+        if (!details) return '-';
+        try {
+            const parsed = typeof details === 'string' ? JSON.parse(details) : details;
+            return Object.entries(parsed)
+                .map(([k, v]) => `${k}: ${v}`)
+                .join(', ');
+        } catch {
+            return details;
+        }
+    };
+
+    const getActionBadge = (action) => {
+        const style = ACTION_BADGES[action] || { bg: 'bg-gray-100', text: 'text-gray-800' };
+        return (
+            <span className={`px-2 py-1 rounded text-xs font-medium ${style.bg} ${style.text}`}>
+                {action}
+            </span>
+        );
+    };
+
+    const handleFilter = (e) => {
+        e.preventDefault();
+        fetchLogs(1);
+    };
+
+    const handleReset = () => {
+        setUserFilter('');
+        setActionFilter('');
+        setEntityTypeFilter('');
+        setStartDate('');
+        setEndDate('');
+    };
+
+    return (
+        <div className="fixed inset-0 bg-black bg-opacity-50 flex items-center justify-center z-50 p-4">
+            <div className="bg-white rounded-lg shadow-xl max-w-6xl w-full max-h-[90vh] overflow-hidden flex flex-col">
+                {/* Header */}
+                <div className="p-6 border-b border-gray-200 flex justify-between items-center">
+                    <div>
+                        <h2 className="text-2xl font-bold text-gray-900">Audit Log</h2>
+                        <p className="text-gray-600">Track all user actions across the system</p>
+                    </div>
+                    <button
+                        onClick={onClose}
+                        className="text-gray-400 hover:text-gray-600 p-2"
+                    >
+                        <X className="w-6 h-6" />
+                    </button>
+                </div>
+
+                {/* Filter Bar */}
+                <form onSubmit={handleFilter} className="p-4 border-b border-gray-200 bg-gray-50">
+                    <div className="grid grid-cols-2 md:grid-cols-5 gap-3">
+                        <div>
+                            <label className="block text-xs font-medium text-gray-600 mb-1">Username</label>
+                            <div className="relative">
+                                <Search className="w-4 h-4 text-gray-400 absolute left-2 top-1/2 transform -translate-y-1/2" />
+                                <input
+                                    type="text"
+                                    placeholder="Search user..."
+                                    value={userFilter}
+                                    onChange={(e) => setUserFilter(e.target.value)}
+                                    className="w-full pl-8 pr-3 py-1.5 text-sm border border-gray-300 rounded focus:ring-2 focus:ring-[#0476D9] focus:border-transparent"
+                                />
+                            </div>
+                        </div>
+                        <div>
+                            <label className="block text-xs font-medium text-gray-600 mb-1">Action</label>
+                            <select
+                                value={actionFilter}
+                                onChange={(e) => setActionFilter(e.target.value)}
+                                className="w-full px-3 py-1.5 text-sm border border-gray-300 rounded focus:ring-2 focus:ring-[#0476D9] focus:border-transparent"
+                            >
+                                <option value="">All Actions</option>
+                                {actions.map(a => (
+                                    <option key={a} value={a}>{a}</option>
+                                ))}
+                            </select>
+                        </div>
+                        <div>
+                            <label className="block text-xs font-medium text-gray-600 mb-1">Entity Type</label>
+                            <select
+                                value={entityTypeFilter}
+                                onChange={(e) => setEntityTypeFilter(e.target.value)}
+                                className="w-full px-3 py-1.5 text-sm border border-gray-300 rounded focus:ring-2 focus:ring-[#0476D9] focus:border-transparent"
+                            >
+                                <option value="">All Types</option>
+                                {ENTITY_TYPES.map(t => (
+                                    <option key={t} value={t}>{t}</option>
+                                ))}
+                            </select>
+                        </div>
+                        <div>
+                            <label className="block text-xs font-medium text-gray-600 mb-1">Start Date</label>
+                            <input
+                                type="date"
+                                value={startDate}
+                                onChange={(e) => setStartDate(e.target.value)}
+                                className="w-full px-3 py-1.5 text-sm border border-gray-300 rounded focus:ring-2 focus:ring-[#0476D9] focus:border-transparent"
+                            />
+                        </div>
+                        <div>
+                            <label className="block text-xs font-medium text-gray-600 mb-1">End Date</label>
+                            <input
+                                type="date"
+                                value={endDate}
+                                onChange={(e) => setEndDate(e.target.value)}
+                                className="w-full px-3 py-1.5 text-sm border border-gray-300 rounded focus:ring-2 focus:ring-[#0476D9] focus:border-transparent"
+                            />
+                        </div>
+                    </div>
+                    <div className="flex gap-2 mt-3">
+                        <button
+                            type="submit"
+                            className="px-4 py-1.5 text-sm bg-[#0476D9] text-white rounded hover:bg-[#0360B8] transition-colors"
+                        >
+                            Apply Filters
+                        </button>
+                        <button
+                            type="button"
+                            onClick={handleReset}
+                            className="px-4 py-1.5 text-sm bg-gray-200 text-gray-700 rounded hover:bg-gray-300 transition-colors"
+                        >
+                            Reset
+                        </button>
+                    </div>
+                </form>
+
+                {/* Content */}
+                <div className="p-4 overflow-y-auto flex-1">
+                    {loading ? (
+                        <div className="text-center py-12">
+                            <Loader className="w-8 h-8 text-[#0476D9] mx-auto animate-spin" />
+                            <p className="text-gray-600 mt-2">Loading audit logs...</p>
+                        </div>
+                    ) : error ? (
+                        <div className="text-center py-12">
+                            <AlertCircle className="w-8 h-8 text-red-500 mx-auto" />
+                            <p className="text-red-600 mt-2">{error}</p>
+                        </div>
+                    ) : logs.length === 0 ? (
+                        <div className="text-center py-12">
+                            <p className="text-gray-500">No audit log entries found.</p>
+                        </div>
+                    ) : (
+                        <div className="overflow-x-auto">
+                            <table className="w-full text-sm">
+                                <thead>
+                                    <tr className="border-b border-gray-200">
+                                        <th className="text-left py-2 px-3 text-xs font-medium text-gray-600">Time</th>
+                                        <th className="text-left py-2 px-3 text-xs font-medium text-gray-600">User</th>
+                                        <th className="text-left py-2 px-3 text-xs font-medium text-gray-600">Action</th>
+                                        <th className="text-left py-2 px-3 text-xs font-medium text-gray-600">Entity</th>
+                                        <th className="text-left py-2 px-3 text-xs font-medium text-gray-600">Details</th>
+                                        <th className="text-left py-2 px-3 text-xs font-medium text-gray-600">IP Address</th>
+                                    </tr>
+                                </thead>
+                                <tbody>
+                                    {logs.map((log) => (
+                                        <tr key={log.id} className="border-b border-gray-100 hover:bg-gray-50">
+                                            <td className="py-2 px-3 text-gray-600 whitespace-nowrap">
+                                                {formatDate(log.created_at)}
+                                            </td>
+                                            <td className="py-2 px-3 font-medium text-gray-900">
+                                                {log.username}
+                                            </td>
+                                            <td className="py-2 px-3">
+                                                {getActionBadge(log.action)}
+                                            </td>
+                                            <td className="py-2 px-3 text-gray-700">
+                                                <span className="text-gray-500">{log.entity_type}</span>
+                                                {log.entity_id && (
+                                                    <span className="ml-1 text-gray-900">{log.entity_id}</span>
+                                                )}
+                                            </td>
+                                            <td className="py-2 px-3 text-gray-600 max-w-xs truncate" title={formatDetails(log.details)}>
+                                                {formatDetails(log.details)}
+                                            </td>
+                                            <td className="py-2 px-3 text-gray-500 font-mono text-xs">
+                                                {log.ip_address || '-'}
+                                            </td>
+                                        </tr>
+                                    ))}
+                                </tbody>
+                            </table>
+                        </div>
+                    )}
+                </div>
+
+                {/* Pagination */}
+                {pagination.totalPages > 1 && (
+                    <div className="p-4 border-t border-gray-200 flex items-center justify-between">
+                        <p className="text-sm text-gray-600">
+                            Showing {((pagination.page - 1) * pagination.limit) + 1} - {Math.min(pagination.page * pagination.limit, pagination.total)} of {pagination.total} entries
+                        </p>
+                        <div className="flex items-center gap-2">
+                            <button
+                                onClick={() => fetchLogs(pagination.page - 1)}
+                                disabled={pagination.page <= 1}
+                                className="p-2 rounded hover:bg-gray-100 disabled:opacity-50 disabled:cursor-not-allowed"
+                            >
+                                <ChevronLeft className="w-4 h-4" />
+                            </button>
+                            <span className="text-sm text-gray-700">
+                                Page {pagination.page} of {pagination.totalPages}
+                            </span>
+                            <button
+                                onClick={() => fetchLogs(pagination.page + 1)}
+                                disabled={pagination.page >= pagination.totalPages}
+                                className="p-2 rounded hover:bg-gray-100 disabled:opacity-50 disabled:cursor-not-allowed"
+                            >
+                                <ChevronRight className="w-4 h-4" />
+                            </button>
+                        </div>
+                    </div>
+                )}
+            </div>
+        </div>
+    );
+}

frontend/src/components/CalendarWidget.js

@@ -0,0 +1,167 @@
+import React, { useState, useEffect } from 'react';
+import { ChevronLeft, ChevronRight } from 'lucide-react';
+
+const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
+
+const MONTH_NAMES = [
+    'January', 'February', 'March', 'April', 'May', 'June',
+    'July', 'August', 'September', 'October', 'November', 'December'
+];
+const DAY_NAMES = ['Su', 'Mo', 'Tu', 'We', 'Th', 'Fr', 'Sa'];
+
+function toLocalDateStr(date) {
+    const y = date.getFullYear();
+    const m = String(date.getMonth() + 1).padStart(2, '0');
+    const d = String(date.getDate()).padStart(2, '0');
+    return `${y}-${m}-${d}`;
+}
+
+export default function CalendarWidget({ onDateClick }) {
+    const today    = new Date();
+    const todayStr = toLocalDateStr(today);
+
+    const [calYear,  setCalYear]  = useState(today.getFullYear());
+    const [calMonth, setCalMonth] = useState(today.getMonth()); // 0-indexed
+
+    // Map of "YYYY-MM-DD" → count of findings due that day
+    const [dueDates, setDueDates] = useState({});
+
+    useEffect(() => {
+        fetch(`${API_BASE}/ivanti/findings`, { credentials: 'include' })
+            .then((r) => (r.ok ? r.json() : null))
+            .then((data) => {
+                if (!data?.findings) return;
+                const counts = {};
+                data.findings.forEach((f) => {
+                    if (f.dueDate) {
+                        counts[f.dueDate] = (counts[f.dueDate] || 0) + 1;
+                    }
+                });
+                setDueDates(counts);
+            })
+            .catch(() => {});
+    }, []);
+
+    const prevMonth = () => {
+        if (calMonth === 0) { setCalMonth(11); setCalYear((y) => y - 1); }
+        else { setCalMonth((m) => m - 1); }
+    };
+
+    const nextMonth = () => {
+        if (calMonth === 11) { setCalMonth(0); setCalYear((y) => y + 1); }
+        else { setCalMonth((m) => m + 1); }
+    };
+
+    // Build cell array: null = padding, number = day of month
+    const firstDow    = new Date(calYear, calMonth, 1).getDay(); // 0=Sun
+    const daysInMonth = new Date(calYear, calMonth + 1, 0).getDate();
+    const cells = [
+        ...Array(firstDow).fill(null),
+        ...Array.from({ length: daysInMonth }, (_, i) => i + 1),
+    ];
+    while (cells.length % 7 !== 0) cells.push(null); // complete last row
+
+    const hasDueDatesThisMonth = cells.some((day) => {
+        if (!day) return false;
+        const ds = `${calYear}-${String(calMonth + 1).padStart(2, '0')}-${String(day).padStart(2, '0')}`;
+        return !!dueDates[ds];
+    });
+
+    return (
+        <div>
+            {/* Month navigation */}
+            <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', marginBottom: '0.75rem' }}>
+                <button
+                    onClick={prevMonth}
+                    style={{ background: 'none', border: 'none', cursor: 'pointer', color: '#64748B', padding: '2px 4px', borderRadius: '4px', lineHeight: 1, transition: 'color 0.15s' }}
+                    onMouseEnter={(e) => { e.currentTarget.style.color = '#0EA5E9'; }}
+                    onMouseLeave={(e) => { e.currentTarget.style.color = '#64748B'; }}
+                >
+                    <ChevronLeft style={{ width: '14px', height: '14px' }} />
+                </button>
+
+                <span style={{ color: '#E2E8F0', fontFamily: 'monospace', fontWeight: '600', fontSize: '0.85rem' }}>
+                    {MONTH_NAMES[calMonth]} {calYear}
+                </span>
+
+                <button
+                    onClick={nextMonth}
+                    style={{ background: 'none', border: 'none', cursor: 'pointer', color: '#64748B', padding: '2px 4px', borderRadius: '4px', lineHeight: 1, transition: 'color 0.15s' }}
+                    onMouseEnter={(e) => { e.currentTarget.style.color = '#0EA5E9'; }}
+                    onMouseLeave={(e) => { e.currentTarget.style.color = '#64748B'; }}
+                >
+                    <ChevronRight style={{ width: '14px', height: '14px' }} />
+                </button>
+            </div>
+
+            {/* Day-of-week headers */}
+            <div style={{ display: 'grid', gridTemplateColumns: 'repeat(7, 1fr)', gap: '2px', textAlign: 'center', marginBottom: '4px' }}>
+                {DAY_NAMES.map((d) => (
+                    <div key={d} style={{ fontSize: '0.6rem', color: '#475569', fontFamily: 'monospace', fontWeight: '600', textTransform: 'uppercase' }}>
+                        {d}
+                    </div>
+                ))}
+            </div>
+
+            {/* Day cells */}
+            <div style={{ display: 'grid', gridTemplateColumns: 'repeat(7, 1fr)', gap: '2px' }}>
+                {cells.map((day, idx) => {
+                    if (!day) return <div key={idx} />;
+
+                    const dateStr  = `${calYear}-${String(calMonth + 1).padStart(2, '0')}-${String(day).padStart(2, '0')}`;
+                    const isToday  = dateStr === todayStr;
+                    const dueCount = dueDates[dateStr] || 0;
+                    const hasDue   = dueCount > 0;
+
+                    return (
+                        <div
+                            key={idx}
+                            title={hasDue ? `${dueCount} finding${dueCount > 1 ? 's' : ''} due — click to view` : undefined}
+                            onClick={hasDue && onDateClick ? () => onDateClick(dateStr) : undefined}
+                            style={{
+                                display: 'flex', flexDirection: 'column', alignItems: 'center',
+                                gap: '2px', padding: '3px 1px',
+                                borderRadius: '4px',
+                                background: isToday ? 'rgba(14,165,233,0.2)' : 'transparent',
+                                border: isToday ? '1px solid rgba(14,165,233,0.5)' : '1px solid transparent',
+                                cursor: hasDue ? 'pointer' : 'default',
+                                transition: hasDue ? 'background 0.15s' : undefined,
+                            }}
+                            onMouseEnter={hasDue ? (e) => { e.currentTarget.style.background = isToday ? 'rgba(14,165,233,0.35)' : 'rgba(239,68,68,0.15)'; } : undefined}
+                            onMouseLeave={hasDue ? (e) => { e.currentTarget.style.background = isToday ? 'rgba(14,165,233,0.2)' : 'transparent'; } : undefined}
+                        >
+                            <span style={{
+                                fontSize: '0.7rem', fontFamily: 'monospace', lineHeight: 1,
+                                color: isToday ? '#0EA5E9' : hasDue ? '#EF4444' : '#CBD5E1',
+                                fontWeight: (isToday || hasDue) ? '700' : '400',
+                            }}>
+                                {day}
+                            </span>
+                            {/* Red dot indicator for due dates */}
+                            {hasDue ? (
+                                <div style={{
+                                    width: '4px', height: '4px', borderRadius: '50%',
+                                    background: '#EF4444',
+                                    boxShadow: '0 0 4px rgba(239,68,68,0.6)',
+                                    flexShrink: 0,
+                                }} />
+                            ) : (
+                                <div style={{ width: '4px', height: '4px' }} /> // spacer to keep rows even
+                            )}
+                        </div>
+                    );
+                })}
+            </div>
+
+            {/* Legend — only shown when there are due dates this month */}
+            {hasDueDatesThisMonth && (
+                <div style={{ marginTop: '0.75rem', paddingTop: '0.625rem', borderTop: '1px solid rgba(255,255,255,0.05)', display: 'flex', alignItems: 'center', gap: '0.375rem' }}>
+                    <div style={{ width: '6px', height: '6px', borderRadius: '50%', background: '#EF4444', boxShadow: '0 0 4px rgba(239,68,68,0.5)', flexShrink: 0 }} />
+                    <span style={{ fontSize: '0.62rem', color: '#64748B', fontFamily: 'monospace', textTransform: 'uppercase', letterSpacing: '0.05em' }}>
+                        Ivanti finding due
+                    </span>
+                </div>
+            )}
+        </div>
+    );
+}

frontend/src/components/KnowledgeBaseModal.js

@@ -0,0 +1,384 @@
+import React, { useState, useEffect } from 'react';
+import { X, Loader, AlertCircle, CheckCircle, Upload as UploadIcon, Download, FileText, Trash2 } from 'lucide-react';
+
+const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
+
+export default function KnowledgeBaseModal({ onClose, onUpdate }) {
+  const [phase, setPhase] = useState('idle'); // idle, uploading, success, error
+  const [selectedFile, setSelectedFile] = useState(null);
+  const [title, setTitle] = useState('');
+  const [description, setDescription] = useState('');
+  const [category, setCategory] = useState('General');
+  const [result, setResult] = useState(null);
+  const [existingArticles, setExistingArticles] = useState([]);
+  const [error, setError] = useState('');
+
+  // Fetch existing articles on mount
+  useEffect(() => {
+    fetchExistingArticles();
+  }, []);
+
+  const fetchExistingArticles = async () => {
+    try {
+      const response = await fetch(`${API_BASE}/knowledge-base`, { credentials: 'include' });
+      if (!response.ok) throw new Error('Failed to fetch articles');
+      const data = await response.json();
+      setExistingArticles(data);
+    } catch (err) {
+      console.error('Error fetching articles:', err);
+    }
+  };
+
+  const handleFileSelect = (e) => {
+    const file = e.target.files[0];
+    if (file) {
+      // Validate file type
+      const allowedExtensions = ['.pdf', '.md', '.txt', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.html', '.json', '.yaml', '.yml'];
+      const ext = '.' + file.name.split('.').pop().toLowerCase();
+
+      if (!allowedExtensions.includes(ext)) {
+        setError('File type not allowed. Please upload: PDF, Markdown, Text, Office docs, or HTML files.');
+        return;
+      }
+
+      setSelectedFile(file);
+      setError('');
+
+      // Auto-populate title from filename if empty
+      if (!title) {
+        const filename = file.name.replace(/\.[^/.]+$/, ''); // Remove extension
+        setTitle(filename);
+      }
+    }
+  };
+
+  const handleUpload = async () => {
+    if (!selectedFile || !title.trim()) {
+      setError('Please provide both a title and file');
+      return;
+    }
+
+    setPhase('uploading');
+
+    const formData = new FormData();
+    formData.append('file', selectedFile);
+    formData.append('title', title.trim());
+    formData.append('description', description.trim());
+    formData.append('category', category);
+
+    try {
+      const response = await fetch(`${API_BASE}/knowledge-base/upload`, {
+        method: 'POST',
+        body: formData,
+        credentials: 'include'
+      });
+
+      if (!response.ok) {
+        const errorData = await response.json();
+        throw new Error(errorData.error || 'Upload failed');
+      }
+
+      const data = await response.json();
+      setResult(data);
+      setPhase('success');
+
+      // Refresh the list of existing articles
+      await fetchExistingArticles();
+
+      // Notify parent to refresh
+      if (onUpdate) onUpdate();
+    } catch (err) {
+      setError(err.message);
+      setPhase('error');
+    }
+  };
+
+  const handleDownload = async (id, filename) => {
+    try {
+      const response = await fetch(`${API_BASE}/knowledge-base/${id}/download`, {
+        credentials: 'include'
+      });
+
+      if (!response.ok) throw new Error('Download failed');
+
+      const blob = await response.blob();
+      const url = window.URL.createObjectURL(blob);
+      const a = document.createElement('a');
+      a.href = url;
+      a.download = filename;
+      document.body.appendChild(a);
+      a.click();
+      window.URL.revokeObjectURL(url);
+      document.body.removeChild(a);
+    } catch (err) {
+      console.error('Error downloading file:', err);
+      setError('Failed to download file');
+    }
+  };
+
+  const handleDelete = async (id, articleTitle) => {
+    if (!window.confirm(`Are you sure you want to delete "${articleTitle}"?`)) {
+      return;
+    }
+
+    try {
+      const response = await fetch(`${API_BASE}/knowledge-base/${id}`, {
+        method: 'DELETE',
+        credentials: 'include'
+      });
+
+      if (!response.ok) throw new Error('Delete failed');
+
+      // Refresh the list
+      await fetchExistingArticles();
+
+      // Notify parent to refresh
+      if (onUpdate) onUpdate();
+    } catch (err) {
+      console.error('Error deleting article:', err);
+      setError('Failed to delete article');
+    }
+  };
+
+  const resetForm = () => {
+    setPhase('idle');
+    setSelectedFile(null);
+    setTitle('');
+    setDescription('');
+    setCategory('General');
+    setResult(null);
+    setError('');
+  };
+
+  const formatFileSize = (bytes) => {
+    if (!bytes) return 'Unknown size';
+    if (bytes < 1024) return bytes + ' B';
+    if (bytes < 1024 * 1024) return (bytes / 1024).toFixed(1) + ' KB';
+    return (bytes / (1024 * 1024)).toFixed(1) + ' MB';
+  };
+
+  const formatDate = (dateString) => {
+    return new Date(dateString).toLocaleDateString('en-US', {
+      year: 'numeric',
+      month: 'short',
+      day: 'numeric'
+    });
+  };
+
+  const getCategoryColor = (cat) => {
+    const colors = {
+      'General': '#94A3B8',
+      'Policy': '#0EA5E9',
+      'Procedure': '#10B981',
+      'Guide': '#F59E0B',
+      'Reference': '#8B5CF6'
+    };
+    return colors[cat] || '#94A3B8';
+  };
+
+  return (
+    <div className="modal-overlay" onClick={onClose}>
+      <div className="modal-content" onClick={(e) => e.stopPropagation()} style={{ maxWidth: '700px' }}>
+        {/* Header */}
+        <div className="modal-header">
+          <h2 className="modal-title">Knowledge Base</h2>
+          <button onClick={onClose} className="modal-close">
+            <X className="w-5 h-5" />
+          </button>
+        </div>
+
+        {/* Body */}
+        <div className="modal-body">
+          {/* Idle Phase - Upload Form */}
+          {phase === 'idle' && (
+            <div className="space-y-4">
+              <div>
+                <label className="block text-sm font-medium mb-2" style={{ color: '#94A3B8' }}>
+                  Title *
+                </label>
+                <input
+                  type="text"
+                  value={title}
+                  onChange={(e) => setTitle(e.target.value)}
+                  placeholder="e.g., Inventory Management Policy"
+                  className="intel-input w-full"
+                  maxLength={255}
+                />
+              </div>
+
+              <div>
+                <label className="block text-sm font-medium mb-2" style={{ color: '#94A3B8' }}>
+                  Description
+                </label>
+                <textarea
+                  value={description}
+                  onChange={(e) => setDescription(e.target.value)}
+                  placeholder="Brief description of this document..."
+                  className="intel-input w-full"
+                  rows={3}
+                  maxLength={500}
+                />
+              </div>
+
+              <div>
+                <label className="block text-sm font-medium mb-2" style={{ color: '#94A3B8' }}>
+                  Category
+                </label>
+                <select
+                  value={category}
+                  onChange={(e) => setCategory(e.target.value)}
+                  className="intel-input w-full"
+                >
+                  <option value="General">General</option>
+                  <option value="Policy">Policy</option>
+                  <option value="Procedure">Procedure</option>
+                  <option value="Guide">Guide</option>
+                  <option value="Reference">Reference</option>
+                </select>
+              </div>
+
+              <div>
+                <label className="block text-sm font-medium mb-2" style={{ color: '#94A3B8' }}>
+                  Document File *
+                </label>
+                <input
+                  type="file"
+                  accept=".pdf,.md,.txt,.doc,.docx,.xls,.xlsx,.ppt,.pptx,.html,.json,.yaml,.yml"
+                  onChange={handleFileSelect}
+                  className="intel-input w-full"
+                />
+                {selectedFile && (
+                  <p className="mt-2 text-sm" style={{ color: '#10B981' }}>
+                    Selected: {selectedFile.name} ({formatFileSize(selectedFile.size)})
+                  </p>
+                )}
+              </div>
+
+              <button
+                onClick={handleUpload}
+                disabled={!selectedFile || !title.trim()}
+                className={`intel-button w-full ${selectedFile && title.trim() ? 'intel-button-success' : 'opacity-50 cursor-not-allowed'}`}
+              >
+                <UploadIcon className="w-4 h-4 mr-2" />
+                Upload Document
+              </button>
+
+              {error && (
+                <div className="flex items-start gap-2 p-3 rounded" style={{ background: 'rgba(239, 68, 68, 0.1)', border: '1px solid #EF4444' }}>
+                  <AlertCircle className="w-5 h-5 flex-shrink-0" style={{ color: '#EF4444' }} />
+                  <p style={{ color: '#FCA5A5' }}>{error}</p>
+                </div>
+              )}
+            </div>
+          )}
+
+          {/* Uploading Phase */}
+          {phase === 'uploading' && (
+            <div className="text-center py-8">
+              <Loader className="w-12 h-12 animate-spin mx-auto mb-4" style={{ color: '#0EA5E9' }} />
+              <p style={{ color: '#94A3B8' }}>Uploading document...</p>
+            </div>
+          )}
+
+          {/* Success Phase */}
+          {phase === 'success' && result && (
+            <div className="space-y-4">
+              <div className="flex items-center gap-2 p-4 rounded" style={{ background: 'rgba(16, 185, 129, 0.1)', border: '1px solid #10B981' }}>
+                <CheckCircle className="w-6 h-6" style={{ color: '#10B981' }} />
+                <div>
+                  <p className="font-medium" style={{ color: '#34D399' }}>Upload Successful!</p>
+                  <p className="text-sm mt-1" style={{ color: '#94A3B8' }}>
+                    {result.title} has been added to the knowledge base.
+                  </p>
+                </div>
+              </div>
+
+              <button onClick={resetForm} className="intel-button w-full">
+                Upload Another Document
+              </button>
+            </div>
+          )}
+
+          {/* Error Phase */}
+          {phase === 'error' && (
+            <div className="space-y-4">
+              <div className="flex items-start gap-2 p-4 rounded" style={{ background: 'rgba(239, 68, 68, 0.1)', border: '1px solid #EF4444' }}>
+                <AlertCircle className="w-6 h-6 flex-shrink-0" style={{ color: '#EF4444' }} />
+                <div>
+                  <p className="font-medium" style={{ color: '#FCA5A5' }}>Upload Failed</p>
+                  <p className="text-sm mt-1" style={{ color: '#94A3B8' }}>{error}</p>
+                </div>
+              </div>
+              <button onClick={resetForm} className="intel-button w-full">
+                Try Again
+              </button>
+            </div>
+          )}
+
+          {/* Existing Articles Section */}
+          {(phase === 'idle' || phase === 'success') && existingArticles.length > 0 && (
+            <div className="mt-8">
+              <h3 className="text-lg font-medium mb-4" style={{ color: '#94A3B8' }}>
+                Existing Documents ({existingArticles.length})
+              </h3>
+              <div className="space-y-3 max-h-96 overflow-y-auto">
+                {existingArticles.map((article) => (
+                  <div
+                    key={article.id}
+                    className="intel-card p-4"
+                  >
+                    <div className="flex items-start justify-between gap-3">
+                      <div className="flex-1 min-w-0">
+                        <div className="flex items-center gap-2 mb-1">
+                          <FileText className="w-4 h-4 flex-shrink-0" style={{ color: getCategoryColor(article.category) }} />
+                          <p className="font-medium truncate" style={{ color: '#E2E8F0' }}>
+                            {article.title}
+                          </p>
+                        </div>
+                        {article.description && (
+                          <p className="text-sm mb-2 line-clamp-2" style={{ color: '#94A3B8' }}>
+                            {article.description}
+                          </p>
+                        )}
+                        <div className="flex items-center gap-3 text-xs" style={{ color: '#64748B' }}>
+                          <span
+                            className="px-2 py-0.5 rounded"
+                            style={{
+                              background: `${getCategoryColor(article.category)}33`,
+                              color: getCategoryColor(article.category)
+                            }}
+                          >
+                            {article.category}
+                          </span>
+                          <span>{formatDate(article.created_at)}</span>
+                          <span>{formatFileSize(article.file_size)}</span>
+                        </div>
+                      </div>
+                      <div className="flex gap-2 flex-shrink-0">
+                        <button
+                          onClick={() => handleDownload(article.id, article.file_name)}
+                          className="intel-button intel-button-small intel-button-success"
+                          title="Download"
+                        >
+                          <Download className="w-3 h-3" />
+                        </button>
+                        <button
+                          onClick={() => handleDelete(article.id, article.title)}
+                          className="intel-button intel-button-small"
+                          style={{ borderColor: '#EF4444', color: '#EF4444' }}
+                          title="Delete"
+                        >
+                          <Trash2 className="w-3 h-3" />
+                        </button>
+                      </div>
+                    </div>
+                  </div>
+                ))}
+              </div>
+            </div>
+          )}
+        </div>
+      </div>
+    </div>
+  );
+}

frontend/src/components/KnowledgeBaseViewer.js

@@ -0,0 +1,335 @@
+import React, { useState, useEffect, useRef } from 'react';
+import ReactMarkdown from 'react-markdown';
+import rehypeSanitize from 'rehype-sanitize';
+import mermaid from 'mermaid';
+import { X, Download, Loader, AlertCircle, FileText, File } from 'lucide-react';
+
+mermaid.initialize({
+  startOnLoad: false,
+  theme: 'dark',
+  darkMode: true,
+  themeVariables: {
+    background: '#0f172a',
+    primaryColor: '#1e3a5f',
+    primaryTextColor: '#e2e8f0',
+    primaryBorderColor: '#0ea5e9',
+    lineColor: '#475569',
+    secondaryColor: '#1a2e1a',
+    tertiaryColor: '#2d1f14',
+    edgeLabelBackground: '#1e293b',
+    clusterBkg: '#1e293b',
+    titleColor: '#e2e8f0',
+    fontFamily: 'monospace'
+  }
+});
+
+let mermaidCounter = 0;
+
+function MermaidDiagram({ code }) {
+  const ref = useRef(null);
+  const [svgError, setSvgError] = useState('');
+
+  useEffect(() => {
+    let cancelled = false;
+    const id = `mermaid-kb-${++mermaidCounter}`;
+    mermaid.render(id, code)
+      .then(({ svg }) => {
+        if (!cancelled && ref.current) {
+          ref.current.innerHTML = svg;
+          // Make SVG responsive
+          const svgEl = ref.current.querySelector('svg');
+          if (svgEl) {
+            svgEl.removeAttribute('width');
+            svgEl.removeAttribute('height');
+            svgEl.style.width = '100%';
+            svgEl.style.maxWidth = '100%';
+          }
+        }
+      })
+      .catch((err) => {
+        if (!cancelled) setSvgError(err.message || 'Failed to render diagram');
+      });
+    return () => { cancelled = true; };
+  }, [code]);
+
+  if (svgError) {
+    return (
+      <pre style={{ color: '#EF4444', fontSize: '0.75rem', padding: '0.75rem', background: 'rgba(239,68,68,0.1)', borderRadius: '0.375rem', overflowX: 'auto' }}>
+        Mermaid render error: {svgError}
+      </pre>
+    );
+  }
+
+  return (
+    <div
+      ref={ref}
+      style={{ background: 'rgba(15,23,42,0.6)', border: '1px solid rgba(14,165,233,0.2)', borderRadius: '0.5rem', padding: '1rem', margin: '1rem 0', overflowX: 'auto' }}
+    />
+  );
+}
+
+const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
+
+export default function KnowledgeBaseViewer({ article, onClose }) {
+  const [content, setContent] = useState('');
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState('');
+
+  useEffect(() => {
+    fetchArticleContent();
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [article.id]);
+
+  const fetchArticleContent = async () => {
+    setLoading(true);
+    setError('');
+
+    try {
+      const response = await fetch(`${API_BASE}/knowledge-base/${article.id}/content`, {
+        credentials: 'include'
+      });
+
+      if (!response.ok) throw new Error('Failed to fetch article content');
+
+      const text = await response.text();
+      setContent(text);
+    } catch (err) {
+      console.error('Error fetching article content:', err);
+      setError(err.message);
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const handleDownload = async () => {
+    try {
+      const response = await fetch(`${API_BASE}/knowledge-base/${article.id}/download`, {
+        credentials: 'include'
+      });
+
+      if (!response.ok) throw new Error('Download failed');
+
+      const blob = await response.blob();
+      const url = window.URL.createObjectURL(blob);
+      const a = document.createElement('a');
+      a.href = url;
+      a.download = article.file_name;
+      document.body.appendChild(a);
+      a.click();
+      window.URL.revokeObjectURL(url);
+      document.body.removeChild(a);
+    } catch (err) {
+      console.error('Error downloading file:', err);
+      setError('Failed to download file');
+    }
+  };
+
+  const isMarkdown = article.file_name?.endsWith('.md');
+  const isText = article.file_name?.endsWith('.txt');
+  const isPDF = article.file_name?.endsWith('.pdf');
+  const isImage = /\.(jpg|jpeg|png|gif|bmp)$/i.test(article.file_name || '');
+
+  const getCategoryColor = (cat) => {
+    const colors = {
+      'General': '#94A3B8',
+      'Policy': '#0EA5E9',
+      'Procedure': '#10B981',
+      'Guide': '#F59E0B',
+      'Reference': '#8B5CF6'
+    };
+    return colors[cat] || '#94A3B8';
+  };
+
+  const formatDate = (dateString) => {
+    return new Date(dateString).toLocaleDateString('en-US', {
+      year: 'numeric',
+      month: 'long',
+      day: 'numeric'
+    });
+  };
+
+  return (
+    <div
+      style={{
+        background: 'linear-gradient(135deg, rgba(30, 41, 59, 0.95) 0%, rgba(51, 65, 85, 0.9) 50%, rgba(30, 41, 59, 0.95) 100%)',
+        border: '2px solid rgba(14, 165, 233, 0.4)',
+        borderRadius: '0.5rem',
+        boxShadow: '0 8px 24px rgba(0, 0, 0, 0.6), 0 0 28px rgba(14, 165, 233, 0.15)',
+        padding: '1.5rem',
+        position: 'relative',
+        overflow: 'hidden'
+      }}
+    >
+      {/* Header */}
+      <div className="flex items-start justify-between mb-4 pb-4" style={{ borderBottom: '1px solid rgba(14, 165, 233, 0.2)' }}>
+        <div className="flex-1">
+          <div className="flex items-center gap-3 mb-2">
+            <FileText className="w-5 h-5" style={{ color: getCategoryColor(article.category) }} />
+            <h2 className="text-xl font-semibold" style={{ color: '#E2E8F0', fontFamily: 'monospace' }}>
+              {article.title}
+            </h2>
+          </div>
+          {article.description && (
+            <p className="text-sm mb-2" style={{ color: '#94A3B8' }}>
+              {article.description}
+            </p>
+          )}
+          <div className="flex items-center gap-3 text-xs" style={{ color: '#64748B' }}>
+            <span
+              className="px-2 py-1 rounded"
+              style={{
+                background: `${getCategoryColor(article.category)}33`,
+                color: getCategoryColor(article.category),
+                fontWeight: '600'
+              }}
+            >
+              {article.category}
+            </span>
+            <span>Created: {formatDate(article.created_at)}</span>
+            {article.created_by_username && (
+              <span>By: {article.created_by_username}</span>
+            )}
+          </div>
+        </div>
+        <div className="flex gap-2 ml-4">
+          <button
+            onClick={handleDownload}
+            className="intel-button intel-button-small"
+            title="Download"
+          >
+            <Download className="w-4 h-4" />
+          </button>
+          <button
+            onClick={onClose}
+            className="intel-button intel-button-small"
+            title="Close"
+          >
+            <X className="w-4 h-4" />
+          </button>
+        </div>
+      </div>
+
+      {/* Content */}
+      <div className="kb-content-area">
+        {loading && (
+          <div className="text-center py-12">
+            <Loader className="w-8 h-8 animate-spin mx-auto mb-4" style={{ color: '#0EA5E9' }} />
+            <p style={{ color: '#94A3B8' }}>Loading document...</p>
+          </div>
+        )}
+
+        {error && (
+          <div className="flex items-start gap-3 p-4 rounded" style={{ background: 'rgba(239, 68, 68, 0.1)', border: '1px solid #EF4444' }}>
+            <AlertCircle className="w-6 h-6 flex-shrink-0" style={{ color: '#EF4444' }} />
+            <div>
+              <p className="font-medium" style={{ color: '#FCA5A5' }}>Failed to Load Document</p>
+              <p className="text-sm mt-1" style={{ color: '#94A3B8' }}>{error}</p>
+            </div>
+          </div>
+        )}
+
+        {!loading && !error && (
+          <>
+            {/* Markdown Rendering */}
+            {isMarkdown && (
+              <div className="markdown-content">
+                <ReactMarkdown
+                  rehypePlugins={[rehypeSanitize]}
+                  components={{
+                    code({ inline, className, children }) {
+                      const lang = /language-(\w+)/.exec(className || '')?.[1];
+                      if (!inline && lang === 'mermaid') {
+                        return <MermaidDiagram code={String(children).replace(/\n$/, '')} />;
+                      }
+                      return (
+                        <code
+                          className={className}
+                          style={inline ? { background: 'rgba(14,165,233,0.15)', padding: '0.1rem 0.3rem', borderRadius: '0.25rem', fontFamily: 'monospace', fontSize: '0.85em' } : {}}
+                        >
+                          {children}
+                        </code>
+                      );
+                    }
+                  }}
+                >
+                  {content}
+                </ReactMarkdown>
+              </div>
+            )}
+
+            {/* Plain Text */}
+            {isText && !isMarkdown && (
+              <pre
+                className="text-sm p-4 rounded overflow-auto"
+                style={{
+                  background: 'rgba(15, 23, 42, 0.8)',
+                  border: '1px solid rgba(14, 165, 233, 0.2)',
+                  color: '#E2E8F0',
+                  fontFamily: 'monospace',
+                  whiteSpace: 'pre-wrap',
+                  wordWrap: 'break-word',
+                  maxHeight: '600px'
+                }}
+              >
+                {content}
+              </pre>
+            )}
+
+            {/* PDF */}
+            {isPDF && (
+              <div className="w-full" style={{ height: '700px' }}>
+                <iframe
+                  sandbox="allow-same-origin"
+                  src={`${API_BASE}/knowledge-base/${article.id}/content`}
+                  title={article.title}
+                  className="w-full h-full rounded"
+                  style={{
+                    border: '1px solid rgba(14, 165, 233, 0.3)',
+                    background: 'rgba(15, 23, 42, 0.8)'
+                  }}
+                >
+                  <div className="text-center py-12">
+                    <File className="w-16 h-16 mx-auto mb-4" style={{ color: '#EF4444' }} />
+                    <p className="mb-4" style={{ color: '#94A3B8' }}>
+                      Your browser doesn't support PDF preview. Click the download button to view this file.
+                    </p>
+                    <button onClick={handleDownload} className="intel-button intel-button-success">
+                      <Download className="w-4 h-4 mr-2" />
+                      Download PDF
+                    </button>
+                  </div>
+                </iframe>
+              </div>
+            )}
+
+            {/* Images */}
+            {isImage && (
+              <div className="text-center">
+                <img
+                  src={`${API_BASE}/knowledge-base/${article.id}/content`}
+                  alt={article.title}
+                  className="max-w-full h-auto rounded"
+                  style={{ border: '1px solid rgba(14, 165, 233, 0.3)' }}
+                />
+              </div>
+            )}
+
+            {/* Other file types */}
+            {!isMarkdown && !isText && !isPDF && !isImage && (
+              <div className="text-center py-12">
+                <File className="w-16 h-16 mx-auto mb-4" style={{ color: '#94A3B8' }} />
+                <p className="mb-4" style={{ color: '#94A3B8' }}>
+                  Preview not available for this file type.
+                </p>
+                <button onClick={handleDownload} className="intel-button intel-button-success">
+                  <Download className="w-4 h-4 mr-2" />
+                  Download File
+                </button>
+              </div>
+            )}
+          </>
+        )}
+      </div>
+    </div>
+  );
+}

frontend/src/components/LoginForm.js

@@ -1,5 +1,5 @@
 import React, { useState } from 'react';
-import { Loader, AlertCircle, Lock, User } from 'lucide-react';
+import { AlertCircle, Lock, User } from 'lucide-react';
 import { useAuth } from '../contexts/AuthContext';
 
 export default function LoginForm() {
@@ -24,57 +24,60 @@ export default function LoginForm() {
     };
 
     return (
-        <div className="min-h-screen bg-gray-100 flex items-center justify-center p-4">
-            <div className="bg-white rounded-lg shadow-xl max-w-md w-full p-8">
+        <div className="min-h-screen bg-intel-darkest grid-bg flex items-center justify-center p-4 relative overflow-hidden fade-in">
+            {/* Scanning line effect */}
+            <div className="scan-line"></div>
+
+            <div className="intel-card rounded-lg shadow-2xl max-w-md w-full p-8 border-intel-accent relative z-10">
                 <div className="text-center mb-8">
-                    <div className="w-16 h-16 bg-[#0476D9] rounded-full flex items-center justify-center mx-auto mb-4">
-                        <Lock className="w-8 h-8 text-white" />
+                    <div className="w-16 h-16 bg-gradient-to-br from-intel-accent to-intel-accent-dim rounded-full flex items-center justify-center mx-auto mb-4 shadow-lg" style={{boxShadow: '0 0 30px rgba(0, 217, 255, 0.4)'}}>
+                        <Lock className="w-8 h-8 text-intel-darkest" />
                     </div>
-                    <h1 className="text-2xl font-bold text-gray-900">CVE Dashboard</h1>
-                    <p className="text-gray-600 mt-2">Sign in to access the dashboard</p>
+                    <h1 className="text-3xl font-bold text-intel-accent font-mono tracking-tight">CVE INTEL</h1>
+                    <p className="text-gray-400 mt-2 font-sans text-sm">Threat Intelligence Access Portal</p>
                 </div>
 
                 {error && (
-                    <div className="mb-6 p-4 bg-red-50 border border-red-200 rounded-lg flex items-start gap-3">
-                        <AlertCircle className="w-5 h-5 text-red-600 flex-shrink-0 mt-0.5" />
-                        <p className="text-sm text-red-700">{error}</p>
+                    <div className="mb-6 p-4 bg-intel-danger/10 border border-intel-danger/30 rounded flex items-start gap-3">
+                        <AlertCircle className="w-5 h-5 text-intel-danger flex-shrink-0 mt-0.5" />
+                        <p className="text-sm text-gray-300">{error}</p>
                     </div>
                 )}
 
                 <form onSubmit={handleSubmit} className="space-y-6">
                     <div>
-                        <label htmlFor="username" className="block text-sm font-medium text-gray-700 mb-2">
+                        <label htmlFor="username" className="block text-xs font-medium text-gray-400 mb-2 uppercase tracking-wider">
                             Username
                         </label>
                         <div className="relative">
-                            <User className="w-5 h-5 text-gray-400 absolute left-3 top-1/2 transform -translate-y-1/2" />
+                            <User className="w-5 h-5 text-gray-500 absolute left-3 top-1/2 transform -translate-y-1/2" />
                             <input
                                 id="username"
                                 type="text"
                                 required
                                 value={username}
                                 onChange={(e) => setUsername(e.target.value)}
-                                className="w-full pl-10 pr-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-[#0476D9] focus:border-transparent"
-                                placeholder="Enter your username"
+                                className="intel-input w-full pl-10"
+                                placeholder="Enter username"
                                 disabled={loading}
                             />
                         </div>
                     </div>
 
                     <div>
-                        <label htmlFor="password" className="block text-sm font-medium text-gray-700 mb-2">
+                        <label htmlFor="password" className="block text-xs font-medium text-gray-400 mb-2 uppercase tracking-wider">
                             Password
                         </label>
                         <div className="relative">
-                            <Lock className="w-5 h-5 text-gray-400 absolute left-3 top-1/2 transform -translate-y-1/2" />
+                            <Lock className="w-5 h-5 text-gray-500 absolute left-3 top-1/2 transform -translate-y-1/2" />
                             <input
                                 id="password"
                                 type="password"
                                 required
                                 value={password}
                                 onChange={(e) => setPassword(e.target.value)}
-                                className="w-full pl-10 pr-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-[#0476D9] focus:border-transparent"
-                                placeholder="Enter your password"
+                                className="intel-input w-full pl-10"
+                                placeholder="Enter password"
                                 disabled={loading}
                             />
                         </div>
@@ -83,24 +86,18 @@ export default function LoginForm() {
                     <button
                         type="submit"
                         disabled={loading}
-                        className="w-full py-3 bg-[#0476D9] text-white rounded-lg hover:bg-[#0360B8] transition-colors font-medium shadow-md disabled:opacity-50 disabled:cursor-not-allowed flex items-center justify-center gap-2"
+                        className="w-full intel-button intel-button-primary py-3 disabled:opacity-50 disabled:cursor-not-allowed flex items-center justify-center gap-2"
                     >
                         {loading ? (
                             <>
-                                <Loader className="w-5 h-5 animate-spin" />
-                                Signing in...
+                                <div className="loading-spinner w-5 h-5"></div>
+                                <span className="font-mono uppercase tracking-wider">Authenticating...</span>
                             </>
                         ) : (
-                            'Sign In'
+                            <span className="font-mono uppercase tracking-wider">Access System</span>
                         )}
                     </button>
                 </form>
-
-                <div className="mt-6 pt-6 border-t border-gray-200">
-                    <p className="text-sm text-gray-500 text-center">
-                        Default admin credentials: admin / admin123
-                    </p>
-                </div>
             </div>
         </div>
     );

frontend/src/components/NavDrawer.js

@@ -0,0 +1,187 @@
+import React from 'react';
+import { X, Home, BarChart2, BookOpen, Download, ShieldCheck, Settings } from 'lucide-react';
+import { useAuth } from '../contexts/AuthContext';
+
+const NAV_ITEMS = [
+  { id: 'home',           label: 'Home',           icon: Home,        color: '#0EA5E9', description: 'Main dashboard'            },
+  { id: 'triage',         label: 'Vuln Triage',    icon: BarChart2,   color: '#F59E0B', description: 'Active findings & CVE triage' },
+  { id: 'compliance',     label: 'Compliance',     icon: ShieldCheck, color: '#14B8A6', description: 'AEO posture & metrics'     },
+  { id: 'knowledge-base', label: 'Knowledge Base', icon: BookOpen,    color: '#10B981', description: 'Articles & documentation'   },
+  { id: 'exports',        label: 'Exports',        icon: Download,    color: '#8B5CF6', description: 'Export data & reports'      },
+];
+
+const ADMIN_ITEM = { id: 'admin', label: 'Admin Panel', icon: Settings, color: '#EF4444', description: 'User management & audit' };
+
+export default function NavDrawer({ isOpen, onClose, currentPage, onNavigate }) {
+  const { isAdmin } = useAuth();
+
+  if (!isOpen) return null;
+
+  return (
+    <>
+      {/* Backdrop */}
+      <div
+        onClick={onClose}
+        style={{
+          position: 'fixed', inset: 0,
+          background: 'rgba(0, 0, 0, 0.65)',
+          backdropFilter: 'blur(3px)',
+          zIndex: 50
+        }}
+      />
+
+      {/* Drawer */}
+      <div style={{
+        position: 'fixed', top: 0, left: 0, bottom: 0, width: '280px',
+        background: 'linear-gradient(180deg, #0F1A2E 0%, #0A1628 100%)',
+        borderRight: '1px solid rgba(14, 165, 233, 0.2)',
+        boxShadow: '6px 0 32px rgba(0, 0, 0, 0.7)',
+        zIndex: 51,
+        display: 'flex', flexDirection: 'column',
+        padding: '1.5rem'
+      }}>
+        {/* Drawer header */}
+        <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'flex-start', marginBottom: '2rem' }}>
+          <div>
+            <div style={{ fontFamily: 'monospace', fontSize: '1rem', fontWeight: '700', color: '#0EA5E9', textTransform: 'uppercase', letterSpacing: '0.15em', textShadow: '0 0 12px rgba(14, 165, 233, 0.5)' }}>
+              STEAM
+            </div>
+            <div style={{ fontFamily: 'monospace', fontSize: '0.65rem', color: '#475569', textTransform: 'uppercase', letterSpacing: '0.1em', marginTop: '2px' }}>
+              Security Dashboard
+            </div>
+          </div>
+          <button
+            onClick={onClose}
+            style={{ color: '#475569', padding: '0.25rem', background: 'none', border: 'none', cursor: 'pointer', lineHeight: 1 }}
+            onMouseEnter={e => e.currentTarget.style.color = '#E2E8F0'}
+            onMouseLeave={e => e.currentTarget.style.color = '#475569'}
+          >
+            <X style={{ width: '20px', height: '20px' }} />
+          </button>
+        </div>
+
+        {/* Nav items */}
+        <nav style={{ display: 'flex', flexDirection: 'column', gap: '0.375rem' }}>
+          {NAV_ITEMS.map(({ id, label, icon: Icon, color, description }) => {
+            const active = currentPage === id;
+            return (
+              <button
+                key={id}
+                onClick={() => { onNavigate(id); onClose(); }}
+                style={{
+                  display: 'flex', alignItems: 'center', gap: '0.875rem',
+                  padding: '0.75rem 0.875rem',
+                  borderRadius: '0.5rem',
+                  border: active ? `1px solid ${color}50` : '1px solid transparent',
+                  background: active ? `${color}18` : 'transparent',
+                  cursor: 'pointer', textAlign: 'left', width: '100%',
+                  transition: 'background 0.15s, border-color 0.15s'
+                }}
+                onMouseEnter={e => { if (!active) e.currentTarget.style.background = 'rgba(255,255,255,0.04)'; }}
+                onMouseLeave={e => { if (!active) e.currentTarget.style.background = 'transparent'; }}
+              >
+                {/* Icon box */}
+                <div style={{
+                  width: '36px', height: '36px', flexShrink: 0,
+                  borderRadius: '0.375rem',
+                  background: `${color}18`,
+                  border: `1px solid ${color}40`,
+                  display: 'flex', alignItems: 'center', justifyContent: 'center'
+                }}>
+                  <Icon style={{ width: '17px', height: '17px', color }} />
+                </div>
+
+                {/* Label + description */}
+                <div style={{ flex: 1, minWidth: 0 }}>
+                  <div style={{
+                    fontFamily: 'monospace', fontSize: '0.8rem', fontWeight: '600',
+                    color: active ? color : '#CBD5E1',
+                    textTransform: 'uppercase', letterSpacing: '0.06em'
+                  }}>
+                    {label}
+                  </div>
+                  <div style={{ fontSize: '0.68rem', color: '#475569', marginTop: '1px' }}>
+                    {description}
+                  </div>
+                </div>
+
+                {/* Active indicator dot */}
+                {active && (
+                  <div style={{
+                    width: '6px', height: '6px', borderRadius: '50%',
+                    background: color, boxShadow: `0 0 8px ${color}`, flexShrink: 0
+                  }} />
+                )}
+              </button>
+            );
+          })}
+
+          {/* Admin panel link — visible only to Admin group */}
+          {isAdmin() && (() => {
+            const { id, label, icon: Icon, color, description } = ADMIN_ITEM;
+            const active = currentPage === id;
+            return (
+              <button
+                key={id}
+                onClick={() => { onNavigate(id); onClose(); }}
+                style={{
+                  display: 'flex', alignItems: 'center', gap: '0.875rem',
+                  padding: '0.75rem 0.875rem',
+                  borderRadius: '0.5rem',
+                  border: active ? `1px solid ${color}50` : '1px solid transparent',
+                  background: active ? `${color}18` : 'transparent',
+                  cursor: 'pointer', textAlign: 'left', width: '100%',
+                  marginTop: '0.5rem',
+                  borderTop: '1px solid rgba(255, 255, 255, 0.05)',
+                  paddingTop: '1rem',
+                  transition: 'background 0.15s, border-color 0.15s'
+                }}
+                onMouseEnter={e => { if (!active) e.currentTarget.style.background = 'rgba(255,255,255,0.04)'; }}
+                onMouseLeave={e => { if (!active) e.currentTarget.style.background = 'transparent'; }}
+              >
+                <div style={{
+                  width: '36px', height: '36px', flexShrink: 0,
+                  borderRadius: '0.375rem',
+                  background: `${color}18`,
+                  border: `1px solid ${color}40`,
+                  display: 'flex', alignItems: 'center', justifyContent: 'center'
+                }}>
+                  <Icon style={{ width: '17px', height: '17px', color }} />
+                </div>
+                <div style={{ flex: 1, minWidth: 0 }}>
+                  <div style={{
+                    fontFamily: 'monospace', fontSize: '0.8rem', fontWeight: '600',
+                    color: active ? color : '#CBD5E1',
+                    textTransform: 'uppercase', letterSpacing: '0.06em'
+                  }}>
+                    {label}
+                  </div>
+                  <div style={{ fontSize: '0.68rem', color: '#475569', marginTop: '1px' }}>
+                    {description}
+                  </div>
+                </div>
+                {active && (
+                  <div style={{
+                    width: '6px', height: '6px', borderRadius: '50%',
+                    background: color, boxShadow: `0 0 8px ${color}`, flexShrink: 0
+                  }} />
+                )}
+              </button>
+            );
+          })()}
+        </nav>
+
+        {/* Footer */}
+        <div style={{
+          marginTop: 'auto', paddingTop: '1rem',
+          borderTop: '1px solid rgba(255, 255, 255, 0.05)',
+          textAlign: 'center'
+        }}>
+          <div style={{ fontSize: '0.6rem', color: '#1E293B', fontFamily: 'monospace', textTransform: 'uppercase', letterSpacing: '0.1em' }}>
+            NTS Threat Intelligence
+          </div>
+        </div>
+      </div>
+    </>
+  );
+}

frontend/src/components/NvdSyncModal.js

@@ -0,0 +1,509 @@
+import React, { useState, useEffect, useRef } from 'react';
+import { X, Loader, AlertCircle, CheckCircle, RefreshCw, ChevronDown, ChevronUp } from 'lucide-react';
+
+const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
+
+const FETCH_DELAY_MS = 7000; // 7 seconds between requests (safe for 5 req/30s without API key)
+const RETRY_DELAY_MS = 35000; // Wait 35 seconds on 429 before retry
+
+export default function NvdSyncModal({ onClose, onSyncComplete }) {
+  const [phase, setPhase] = useState('idle'); // idle, fetching, review, applying, done
+  const [cveIds, setCveIds] = useState([]);
+  const [fetchProgress, setFetchProgress] = useState({ current: 0, total: 0, currentId: '' });
+  const [results, setResults] = useState({}); // { cveId: { nvd: {...}, current: {...}, status: 'found'|'not_found'|'error'|'no_change', error: '' } }
+  const [descriptionChoices, setDescriptionChoices] = useState({}); // { cveId: 'keep' | 'nvd' }
+  const [applyResult, setApplyResult] = useState(null);
+  const [expandedDesc, setExpandedDesc] = useState({});
+  const abortRef = useRef(null);
+
+  // Fetch distinct CVE IDs on mount
+  useEffect(() => {
+    (async () => {
+      try {
+        const response = await fetch(`${API_BASE}/cves/distinct-ids`, { credentials: 'include' });
+        if (!response.ok) throw new Error('Failed to fetch CVE list');
+        const data = await response.json();
+        setCveIds(data);
+      } catch (err) {
+        console.error('Error fetching CVE IDs:', err);
+      }
+    })();
+  }, []);
+
+  const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms));
+
+  const fetchNvdData = async () => {
+    setPhase('fetching');
+    const controller = new AbortController();
+    abortRef.current = controller;
+    const newResults = {};
+    setFetchProgress({ current: 0, total: cveIds.length, currentId: '' });
+
+    // First fetch current data for all CVEs
+    let currentData = {};
+    try {
+      const response = await fetch(`${API_BASE}/cves`, { credentials: 'include', signal: controller.signal });
+      if (response.ok) {
+        const allCves = await response.json();
+        // Group by cve_id, take first entry for description/severity/date
+        allCves.forEach(cve => {
+          if (!currentData[cve.cve_id]) {
+            currentData[cve.cve_id] = {
+              description: cve.description,
+              severity: cve.severity,
+              published_date: cve.published_date
+            };
+          }
+        });
+      }
+    } catch (err) {
+      if (err.name === 'AbortError') { setPhase('idle'); return; }
+    }
+
+    for (let i = 0; i < cveIds.length; i++) {
+      if (controller.signal.aborted) break;
+
+      const cveId = cveIds[i];
+      setFetchProgress({ current: i + 1, total: cveIds.length, currentId: cveId });
+
+      try {
+        let response = await fetch(`${API_BASE}/nvd/lookup/${encodeURIComponent(cveId)}`, {
+          credentials: 'include',
+          signal: controller.signal
+        });
+
+        // Handle rate limit with one retry
+        if (response.status === 429) {
+          await sleep(RETRY_DELAY_MS);
+          if (controller.signal.aborted) break;
+          response = await fetch(`${API_BASE}/nvd/lookup/${encodeURIComponent(cveId)}`, {
+            credentials: 'include',
+            signal: controller.signal
+          });
+        }
+
+        if (response.status === 404) {
+          newResults[cveId] = { status: 'not_found', current: currentData[cveId] || {} };
+        } else if (!response.ok) {
+          const data = await response.json().catch(() => ({}));
+          newResults[cveId] = { status: 'error', error: data.error || `HTTP ${response.status}`, current: currentData[cveId] || {} };
+        } else {
+          const nvd = await response.json();
+          const current = currentData[cveId] || {};
+
+          const descChanged = nvd.description && nvd.description !== current.description;
+          const sevChanged = nvd.severity && nvd.severity !== current.severity;
+          const dateChanged = nvd.published_date && nvd.published_date !== current.published_date;
+
+          if (!descChanged && !sevChanged && !dateChanged) {
+            newResults[cveId] = { status: 'no_change', nvd, current };
+          } else {
+            newResults[cveId] = { status: 'found', nvd, current, descChanged, sevChanged, dateChanged };
+          }
+        }
+      } catch (err) {
+        if (err.name === 'AbortError') break;
+        newResults[cveId] = { status: 'error', error: err.message, current: currentData[cveId] || {} };
+      }
+
+      // Update results progressively
+      setResults({ ...newResults });
+
+      // Rate limit delay (skip after last item)
+      if (i < cveIds.length - 1 && !controller.signal.aborted) {
+        await sleep(FETCH_DELAY_MS);
+      }
+    }
+
+    if (!controller.signal.aborted) {
+      setResults({ ...newResults });
+      // Default all description choices to 'keep'
+      const choices = {};
+      Object.entries(newResults).forEach(([id, r]) => {
+        if (r.status === 'found' && r.descChanged) {
+          choices[id] = 'keep';
+        }
+      });
+      setDescriptionChoices(choices);
+      setPhase('review');
+    }
+  };
+
+  const cancelFetch = () => {
+    if (abortRef.current) abortRef.current.abort();
+    setPhase('idle');
+  };
+
+  const setBulkDescriptionChoice = (choice) => {
+    const newChoices = {};
+    Object.keys(descriptionChoices).forEach(id => {
+      newChoices[id] = choice;
+    });
+    setDescriptionChoices(newChoices);
+  };
+
+  const getChangesCount = () => {
+    let count = 0;
+    Object.entries(results).forEach(([id, r]) => {
+      if (r.status === 'found') {
+        if (r.sevChanged || r.dateChanged || (r.descChanged && descriptionChoices[id] === 'nvd')) {
+          count++;
+        }
+      }
+    });
+    return count;
+  };
+
+  const applyChanges = async () => {
+    setPhase('applying');
+    const updates = [];
+
+    Object.entries(results).forEach(([cveId, r]) => {
+      if (r.status !== 'found') return;
+
+      const update = { cve_id: cveId };
+      let hasChange = false;
+
+      if (r.sevChanged) {
+        update.severity = r.nvd.severity;
+        hasChange = true;
+      }
+      if (r.dateChanged) {
+        update.published_date = r.nvd.published_date;
+        hasChange = true;
+      }
+      if (r.descChanged && descriptionChoices[cveId] === 'nvd') {
+        update.description = r.nvd.description;
+        hasChange = true;
+      }
+
+      if (hasChange) updates.push(update);
+    });
+
+    if (updates.length === 0) {
+      setApplyResult({ updated: 0, message: 'No changes to apply' });
+      setPhase('done');
+      return;
+    }
+
+    try {
+      const response = await fetch(`${API_BASE}/cves/nvd-sync`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        credentials: 'include',
+        body: JSON.stringify({ updates })
+      });
+
+      if (!response.ok) {
+        const data = await response.json().catch(() => ({}));
+        throw new Error(data.error || 'Sync failed');
+      }
+
+      const data = await response.json();
+      setApplyResult(data);
+      onSyncComplete();
+    } catch (err) {
+      setApplyResult({ error: err.message });
+    }
+    setPhase('done');
+  };
+
+  const truncate = (str, len = 120) => str && str.length > len ? str.substring(0, len) + '...' : str;
+
+  // Summary counts
+  const foundCount = Object.values(results).filter(r => r.status === 'found').length;
+  const noChangeCount = Object.values(results).filter(r => r.status === 'no_change').length;
+  const notFoundCount = Object.values(results).filter(r => r.status === 'not_found').length;
+  const errorCount = Object.values(results).filter(r => r.status === 'error').length;
+
+  return (
+    <div className="fixed inset-0 bg-black bg-opacity-50 flex items-center justify-center z-50 p-4">
+      <div className="bg-white rounded-lg shadow-xl max-w-5xl w-full max-h-[90vh] flex flex-col">
+        {/* Header */}
+        <div className="p-6 border-b border-gray-200 flex justify-between items-center flex-shrink-0">
+          <div>
+            <h2 className="text-2xl font-bold text-gray-900 flex items-center gap-2">
+              <RefreshCw className="w-6 h-6 text-green-600" />
+              Sync with NVD
+            </h2>
+            <p className="text-sm text-gray-500 mt-1">Update existing CVE entries with data from the National Vulnerability Database</p>
+          </div>
+          <button onClick={onClose} className="text-gray-400 hover:text-gray-600">
+            <X className="w-6 h-6" />
+          </button>
+        </div>
+
+        {/* Body */}
+        <div className="p-6 overflow-y-auto flex-1">
+          {/* Idle Phase */}
+          {phase === 'idle' && (
+            <div className="text-center py-8">
+              <p className="text-lg text-gray-700 mb-2">
+                {cveIds.length > 0
+                  ? <><strong>{cveIds.length}</strong> unique CVE{cveIds.length !== 1 ? 's' : ''} in database</>
+                  : 'Loading CVE count...'}
+              </p>
+              <p className="text-sm text-gray-500 mb-6">
+                This will fetch data from NVD for each CVE and let you review changes before applying.
+                Rate-limited to stay within NVD API limits.
+              </p>
+              <button
+                onClick={fetchNvdData}
+                disabled={cveIds.length === 0}
+                className="px-6 py-3 bg-green-600 text-white rounded-lg hover:bg-green-700 transition-colors font-medium shadow-md disabled:opacity-50 flex items-center gap-2 mx-auto"
+              >
+                <RefreshCw className="w-5 h-5" />
+                Fetch NVD Data
+              </button>
+            </div>
+          )}
+
+          {/* Fetching Phase */}
+          {phase === 'fetching' && (
+            <div className="py-8">
+              <div className="text-center mb-6">
+                <Loader className="w-8 h-8 text-green-600 animate-spin mx-auto mb-3" />
+                <p className="text-lg text-gray-700">
+                  Fetching CVE {fetchProgress.current} of {fetchProgress.total}
+                </p>
+                <p className="text-sm text-gray-500 font-mono mt-1">{fetchProgress.currentId}</p>
+              </div>
+              {/* Progress bar */}
+              <div className="w-full bg-gray-200 rounded-full h-3 mb-4">
+                <div
+                  className="bg-green-600 h-3 rounded-full transition-all duration-300"
+                  style={{ width: `${fetchProgress.total > 0 ? (fetchProgress.current / fetchProgress.total) * 100 : 0}%` }}
+                />
+              </div>
+              <div className="text-center">
+                <button
+                  onClick={cancelFetch}
+                  className="px-4 py-2 bg-gray-200 text-gray-700 rounded-lg hover:bg-gray-300 transition-colors"
+                >
+                  Cancel
+                </button>
+              </div>
+            </div>
+          )}
+
+          {/* Review Phase */}
+          {phase === 'review' && (
+            <div>
+              {/* Summary bar */}
+              <div className="flex flex-wrap gap-3 mb-4 p-3 bg-gray-50 rounded-lg text-sm">
+                <span className="font-medium">Found: <span className="text-green-700">{foundCount}</span></span>
+                <span>|</span>
+                <span>Up to date: <span className="text-gray-600">{noChangeCount}</span></span>
+                <span>|</span>
+                <span>Changes: <span className="text-blue-700">{foundCount}</span></span>
+                <span>|</span>
+                <span>Not in NVD: <span className="text-gray-400">{notFoundCount}</span></span>
+                <span>|</span>
+                <span>Errors: <span className="text-red-600">{errorCount}</span></span>
+              </div>
+
+              {/* Bulk controls */}
+              {Object.keys(descriptionChoices).length > 0 && (
+                <div className="flex gap-2 mb-4">
+                  <span className="text-sm text-gray-600 self-center">Descriptions:</span>
+                  <button
+                    onClick={() => setBulkDescriptionChoice('keep')}
+                    className="px-3 py-1 text-xs rounded border border-gray-300 hover:bg-gray-100 transition-colors"
+                  >
+                    Keep All Existing
+                  </button>
+                  <button
+                    onClick={() => setBulkDescriptionChoice('nvd')}
+                    className="px-3 py-1 text-xs rounded border border-green-300 text-green-700 hover:bg-green-50 transition-colors"
+                  >
+                    Use All NVD
+                  </button>
+                </div>
+              )}
+
+              {/* Comparison table */}
+              <div className="space-y-2">
+                {Object.entries(results).map(([cveId, r]) => {
+                  if (r.status === 'no_change') {
+                    return (
+                      <div key={cveId} className="flex items-center gap-3 p-3 bg-gray-50 rounded-lg text-sm">
+                        <span className="text-gray-400">—</span>
+                        <span className="font-mono font-medium text-gray-500">{cveId}</span>
+                        <span className="text-gray-400">No changes needed</span>
+                      </div>
+                    );
+                  }
+
+                  if (r.status === 'not_found') {
+                    return (
+                      <div key={cveId} className="flex items-center gap-3 p-3 bg-gray-50 rounded-lg text-sm">
+                        <span className="text-gray-400">—</span>
+                        <span className="font-mono font-medium text-gray-400">{cveId}</span>
+                        <span className="text-gray-400 italic">Not found in NVD</span>
+                      </div>
+                    );
+                  }
+
+                  if (r.status === 'error') {
+                    return (
+                      <div key={cveId} className="flex items-center gap-3 p-3 bg-red-50 rounded-lg text-sm">
+                        <AlertCircle className="w-4 h-4 text-red-500 flex-shrink-0" />
+                        <span className="font-mono font-medium text-gray-700">{cveId}</span>
+                        <span className="text-red-600">{r.error}</span>
+                      </div>
+                    );
+                  }
+
+                  // status === 'found' — show changes
+                  const isExpanded = expandedDesc[cveId];
+                  return (
+                    <div key={cveId} className="border border-gray-200 rounded-lg p-4 bg-white">
+                      <div className="flex items-start gap-3">
+                        <CheckCircle className="w-4 h-4 text-green-500 mt-1 flex-shrink-0" />
+                        <div className="flex-1 min-w-0">
+                          <div className="flex items-center gap-3 mb-2 flex-wrap">
+                            <span className="font-mono font-bold text-gray-900">{cveId}</span>
+                            {r.sevChanged && (
+                              <span className="text-xs">
+                                Severity: <span className="text-red-600">{r.current.severity}</span>
+                                {' → '}
+                                <span className="text-green-700">{r.nvd.severity}</span>
+                              </span>
+                            )}
+                            {r.dateChanged && (
+                              <span className="text-xs">
+                                Date: <span className="text-red-600">{r.current.published_date || '(none)'}</span>
+                                {' → '}
+                                <span className="text-green-700">{r.nvd.published_date}</span>
+                              </span>
+                            )}
+                          </div>
+
+                          {r.descChanged && (
+                            <div className="mt-2">
+                              <div className="flex items-center gap-2 mb-2">
+                                <span className="text-xs font-medium text-gray-600">Description:</span>
+                                <button
+                                  onClick={() => setExpandedDesc(prev => ({ ...prev, [cveId]: !prev[cveId] }))}
+                                  className="text-xs text-blue-600 hover:text-blue-800 flex items-center gap-1"
+                                >
+                                  {isExpanded ? <ChevronUp className="w-3 h-3" /> : <ChevronDown className="w-3 h-3" />}
+                                  {isExpanded ? 'Collapse' : 'Expand'}
+                                </button>
+                              </div>
+                              {isExpanded ? (
+                                <div className="space-y-2 text-xs">
+                                  <div className="p-2 bg-red-50 rounded border border-red-200">
+                                    <span className="font-medium text-red-700">Current: </span>
+                                    <span className="text-gray-700">{r.current.description || '(empty)'}</span>
+                                  </div>
+                                  <div className="p-2 bg-green-50 rounded border border-green-200">
+                                    <span className="font-medium text-green-700">NVD: </span>
+                                    <span className="text-gray-700">{r.nvd.description}</span>
+                                  </div>
+                                </div>
+                              ) : (
+                                <p className="text-xs text-gray-500">{truncate(r.nvd.description)}</p>
+                              )}
+
+                              {/* Description choice */}
+                              <div className="flex gap-4 mt-2">
+                                <label className="flex items-center gap-1 text-xs cursor-pointer">
+                                  <input
+                                    type="radio"
+                                    name={`desc-${cveId}`}
+                                    checked={descriptionChoices[cveId] === 'keep'}
+                                    onChange={() => setDescriptionChoices(prev => ({ ...prev, [cveId]: 'keep' }))}
+                                    className="text-blue-600"
+                                  />
+                                  Keep existing
+                                </label>
+                                <label className="flex items-center gap-1 text-xs cursor-pointer">
+                                  <input
+                                    type="radio"
+                                    name={`desc-${cveId}`}
+                                    checked={descriptionChoices[cveId] === 'nvd'}
+                                    onChange={() => setDescriptionChoices(prev => ({ ...prev, [cveId]: 'nvd' }))}
+                                    className="text-green-600"
+                                  />
+                                  Use NVD
+                                </label>
+                              </div>
+                            </div>
+                          )}
+                        </div>
+                      </div>
+                    </div>
+                  );
+                })}
+              </div>
+            </div>
+          )}
+
+          {/* Applying Phase */}
+          {phase === 'applying' && (
+            <div className="text-center py-12">
+              <Loader className="w-10 h-10 text-green-600 animate-spin mx-auto mb-4" />
+              <p className="text-lg text-gray-700">Applying changes...</p>
+            </div>
+          )}
+
+          {/* Done Phase */}
+          {phase === 'done' && applyResult && (
+            <div className="text-center py-8">
+              {applyResult.error ? (
+                <>
+                  <AlertCircle className="w-12 h-12 text-red-500 mx-auto mb-4" />
+                  <p className="text-lg text-red-700 font-medium mb-2">Sync failed</p>
+                  <p className="text-sm text-gray-600">{applyResult.error}</p>
+                </>
+              ) : (
+                <>
+                  <CheckCircle className="w-12 h-12 text-green-500 mx-auto mb-4" />
+                  <p className="text-lg text-green-700 font-medium mb-2">Sync complete</p>
+                  <p className="text-sm text-gray-600">
+                    {applyResult.updated} row{applyResult.updated !== 1 ? 's' : ''} updated
+                  </p>
+                  {applyResult.errors && applyResult.errors.length > 0 && (
+                    <p className="text-sm text-amber-600 mt-2">
+                      {applyResult.errors.length} error{applyResult.errors.length !== 1 ? 's' : ''} occurred
+                    </p>
+                  )}
+                </>
+              )}
+            </div>
+          )}
+        </div>
+
+        {/* Footer */}
+        <div className="p-6 border-t border-gray-200 flex justify-end gap-3 flex-shrink-0">
+          {phase === 'review' && (
+            <>
+              <button
+                onClick={onClose}
+                className="px-4 py-2 bg-gray-200 text-gray-700 rounded-lg hover:bg-gray-300 transition-colors"
+              >
+                Cancel
+              </button>
+              <button
+                onClick={applyChanges}
+                disabled={getChangesCount() === 0}
+                className="px-6 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 transition-colors font-medium shadow-md disabled:opacity-50"
+              >
+                Apply {getChangesCount()} Change{getChangesCount() !== 1 ? 's' : ''}
+              </button>
+            </>
+          )}
+          {phase === 'done' && (
+            <button
+              onClick={onClose}
+              className="px-6 py-2 bg-[#0476D9] text-white rounded-lg hover:bg-[#0360B8] transition-colors font-medium shadow-md"
+            >
+              Close
+            </button>
+          )}
+        </div>
+      </div>
+    </div>
+  );
+}

frontend/src/components/UserManagement.js

@@ -4,6 +4,22 @@ import { useAuth } from '../contexts/AuthContext';
 
 const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
 
+const VALID_GROUPS = ['Admin', 'Standard_User', 'Leadership', 'Read_Only'];
+
+const GROUP_LABELS = {
+    Admin: 'Admin (full access)',
+    Standard_User: 'Standard User (create, edit, limited delete)',
+    Leadership: 'Leadership (read-only + exports)',
+    Read_Only: 'Read Only (view only)'
+};
+
+const GROUP_BADGE_STYLES = {
+    Admin: { backgroundColor: '#FEE2E2', color: '#991B1B' },
+    Standard_User: { backgroundColor: '#DBEAFE', color: '#1E40AF' },
+    Leadership: { backgroundColor: '#F3E8FF', color: '#6B21A8' },
+    Read_Only: { backgroundColor: '#F3F4F6', color: '#374151' }
+};
+
 export default function UserManagement({ onClose }) {
     const { user: currentUser } = useAuth();
     const [users, setUsers] = useState([]);
@@ -15,7 +31,7 @@ export default function UserManagement({ onClose }) {
         username: '',
         email: '',
         password: '',
-        role: 'viewer'
+        group: 'Read_Only'
     });
     const [formError, setFormError] = useState('');
     const [formSuccess, setFormSuccess] = useState('');
@@ -39,11 +55,29 @@ export default function UserManagement({ onClose }) {
         }
     };
 
+    const confirmGroupChange = (targetUser, newGroup) => {
+        let message = `Are you sure you want to change ${targetUser.username}'s group from ${targetUser.group} to ${newGroup}?`;
+
+        // Extra warning when downgrading an Admin user
+        if (targetUser.group === 'Admin' && newGroup !== 'Admin') {
+            message += `\n\n⚠️ WARNING: You are removing Admin privileges from ${targetUser.username}. They will lose full system access.`;
+        }
+
+        return window.confirm(message);
+    };
+
     const handleSubmit = async (e) => {
         e.preventDefault();
         setFormError('');
         setFormSuccess('');
 
+        // If editing and group changed, show confirmation dialog
+        if (editingUser && formData.group !== editingUser.group) {
+            if (!confirmGroupChange(editingUser, formData.group)) {
+                return;
+            }
+        }
+
         try {
             const url = editingUser
                 ? `${API_BASE}/users/${editingUser.id}`
@@ -75,7 +109,7 @@ export default function UserManagement({ onClose }) {
             setTimeout(() => {
                 setShowAddUser(false);
                 setEditingUser(null);
-                setFormData({ username: '', email: '', password: '', role: 'viewer' });
+                setFormData({ username: '', email: '', password: '', group: 'Read_Only' });
                 setFormSuccess('');
             }, 1500);
         } catch (err) {
@@ -89,7 +123,7 @@ export default function UserManagement({ onClose }) {
             username: user.username,
             email: user.email,
             password: '',
-            role: user.role
+            group: user.group
         });
         setShowAddUser(true);
         setFormError('');
@@ -140,15 +174,10 @@ export default function UserManagement({ onClose }) {
         }
     };
 
-    const getRoleBadgeColor = (role) => {
-        switch (role) {
-            case 'admin':
-                return 'bg-red-100 text-red-800';
-            case 'editor':
-                return 'bg-blue-100 text-blue-800';
-            default:
-                return 'bg-gray-100 text-gray-800';
-        }
+    // Check if group dropdown should be disabled for self-demotion prevention
+    const isGroupDropdownDisabled = (targetUser) => {
+        if (!targetUser || !currentUser) return false;
+        return targetUser.id === currentUser.id && currentUser.group === 'Admin';
     };
 
     return (
@@ -173,7 +202,7 @@ export default function UserManagement({ onClose }) {
                             onClick={() => {
                                 setShowAddUser(true);
                                 setEditingUser(null);
-                                setFormData({ username: '', email: '', password: '', role: 'viewer' });
+                                setFormData({ username: '', email: '', password: '', group: 'Read_Only' });
                                 setFormError('');
                                 setFormSuccess('');
                             }}
@@ -253,19 +282,24 @@ export default function UserManagement({ onClose }) {
 
                                     <div>
                                         <label className="block text-sm font-medium text-gray-700 mb-1">
-                                            Role *
+                                            Group *
                                         </label>
                                         <div className="relative">
                                             <Shield className="w-5 h-5 text-gray-400 absolute left-3 top-1/2 transform -translate-y-1/2" />
                                             <select
-                                                value={formData.role}
-                                                onChange={(e) => setFormData({ ...formData, role: e.target.value })}
-                                                className="w-full pl-10 pr-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-[#0476D9] focus:border-transparent"
+                                                value={formData.group}
+                                                onChange={(e) => setFormData({ ...formData, group: e.target.value })}
+                                                disabled={isGroupDropdownDisabled(editingUser)}
+                                                className="w-full pl-10 pr-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-[#0476D9] focus:border-transparent disabled:opacity-50 disabled:cursor-not-allowed"
+                                                title={isGroupDropdownDisabled(editingUser) ? 'Cannot change your own Admin group' : ''}
                                             >
-                                                <option value="viewer">Viewer (read-only)</option>
-                                                <option value="editor">Editor (can add CVEs, upload docs)</option>
-                                                <option value="admin">Admin (full access)</option>
+                                                {VALID_GROUPS.map((g) => (
+                                                    <option key={g} value={g}>{GROUP_LABELS[g]}</option>
+                                                ))}
                                             </select>
+                                            {isGroupDropdownDisabled(editingUser) && (
+                                                <p className="text-xs text-amber-600 mt-1">You cannot change your own Admin group.</p>
+                                            )}
                                         </div>
                                     </div>
                                 </div>
@@ -308,7 +342,7 @@ export default function UserManagement({ onClose }) {
                                 <thead>
                                     <tr className="border-b border-gray-200">
                                         <th className="text-left py-3 px-4 text-sm font-medium text-gray-700">User</th>
-                                        <th className="text-left py-3 px-4 text-sm font-medium text-gray-700">Role</th>
+                                        <th className="text-left py-3 px-4 text-sm font-medium text-gray-700">Group</th>
                                         <th className="text-left py-3 px-4 text-sm font-medium text-gray-700">Status</th>
                                         <th className="text-left py-3 px-4 text-sm font-medium text-gray-700">Last Login</th>
                                         <th className="text-right py-3 px-4 text-sm font-medium text-gray-700">Actions</th>
@@ -324,8 +358,17 @@ export default function UserManagement({ onClose }) {
                                                 </div>
                                             </td>
                                             <td className="py-3 px-4">
-                                                <span className={`px-2 py-1 rounded text-xs font-medium ${getRoleBadgeColor(user.role)}`}>
-                                                    {user.role.charAt(0).toUpperCase() + user.role.slice(1)}
+                                                <span
+                                                    style={{
+                                                        ...GROUP_BADGE_STYLES[user.group] || GROUP_BADGE_STYLES.Read_Only,
+                                                        padding: '2px 8px',
+                                                        borderRadius: '4px',
+                                                        fontSize: '12px',
+                                                        fontWeight: '500',
+                                                        display: 'inline-block'
+                                                    }}
+                                                >
+                                                    {user.group ? user.group.replace('_', ' ') : 'Read Only'}
                                                 </span>
                                             </td>
                                             <td className="py-3 px-4">

frontend/src/components/UserMenu.js

@@ -1,8 +1,8 @@
 import React, { useState, useRef, useEffect } from 'react';
-import { User, LogOut, ChevronDown, Shield } from 'lucide-react';
+import { User, LogOut, ChevronDown, Shield, Clock } from 'lucide-react';
 import { useAuth } from '../contexts/AuthContext';
 
-export default function UserMenu({ onManageUsers }) {
+export default function UserMenu({ onManageUsers, onAuditLog }) {
     const { user, logout, isAdmin } = useAuth();
     const [isOpen, setIsOpen] = useState(false);
     const menuRef = useRef(null);
@@ -19,17 +19,26 @@ export default function UserMenu({ onManageUsers }) {
         return () => document.removeEventListener('mousedown', handleClickOutside);
     }, []);
 
-    const getRoleBadgeColor = (role) => {
-        switch (role) {
-            case 'admin':
+    const getGroupBadgeColor = (group) => {
+        switch (group) {
+            case 'Admin':
                 return 'bg-red-100 text-red-800';
-            case 'editor':
+            case 'Standard_User':
                 return 'bg-blue-100 text-blue-800';
+            case 'Leadership':
+                return 'bg-purple-100 text-purple-800';
+            case 'Read_Only':
+                return 'bg-gray-100 text-gray-800';
             default:
                 return 'bg-gray-100 text-gray-800';
         }
     };
 
+    const formatGroupName = (group) => {
+        if (!group) return '';
+        return group.replace(/_/g, ' ');
+    };
+
     const handleLogout = async () => {
         setIsOpen(false);
         await logout();
@@ -42,6 +51,13 @@ export default function UserMenu({ onManageUsers }) {
         }
     };
 
+    const handleAuditLog = () => {
+        setIsOpen(false);
+        if (onAuditLog) {
+            onAuditLog();
+        }
+    };
+
     if (!user) return null;
 
     return (
@@ -55,7 +71,7 @@ export default function UserMenu({ onManageUsers }) {
                 </div>
                 <div className="text-left hidden sm:block">
                     <p className="text-sm font-medium text-gray-900">{user.username}</p>
-                    <p className="text-xs text-gray-500 capitalize">{user.role}</p>
+                    <p className="text-xs text-gray-500">{formatGroupName(user.group)}</p>
                 </div>
                 <ChevronDown className={`w-4 h-4 text-gray-500 transition-transform ${isOpen ? 'rotate-180' : ''}`} />
             </button>
@@ -65,19 +81,28 @@ export default function UserMenu({ onManageUsers }) {
                     <div className="px-4 py-3 border-b border-gray-100">
                         <p className="text-sm font-medium text-gray-900">{user.username}</p>
                         <p className="text-sm text-gray-500">{user.email}</p>
-                        <span className={`inline-block mt-2 px-2 py-1 rounded text-xs font-medium ${getRoleBadgeColor(user.role)}`}>
-                            {user.role.charAt(0).toUpperCase() + user.role.slice(1)}
+                        <span className={`inline-block mt-2 px-2 py-1 rounded text-xs font-medium ${getGroupBadgeColor(user.group)}`}>
+                            {formatGroupName(user.group)}
                         </span>
                     </div>
 
                     {isAdmin() && (
-                        <button
-                            onClick={handleManageUsers}
-                            className="w-full px-4 py-2 text-left text-sm text-gray-700 hover:bg-gray-50 flex items-center gap-3"
-                        >
-                            <Shield className="w-4 h-4" />
-                            Manage Users
-                        </button>
+                        <>
+                            <button
+                                onClick={handleManageUsers}
+                                className="w-full px-4 py-2 text-left text-sm text-gray-700 hover:bg-gray-50 flex items-center gap-3"
+                            >
+                                <Shield className="w-4 h-4" />
+                                Manage Users
+                            </button>
+                            <button
+                                onClick={handleAuditLog}
+                                className="w-full px-4 py-2 text-left text-sm text-gray-700 hover:bg-gray-50 flex items-center gap-3"
+                            >
+                                <Clock className="w-4 h-4" />
+                                Audit Log
+                            </button>
+                        </>
                     )}
 
                     <button

frontend/src/components/pages/ArchiveSummaryBar.js

@@ -0,0 +1,205 @@
+// ArchiveSummaryBar.js
+// Displays four stat cards for archive lifecycle states: ACTIVE, ARCHIVED, RETURNED, CLOSED.
+// Fetches counts from /api/ivanti/archive/stats on mount.
+
+import React, { useState, useEffect } from 'react';
+import { Activity, Archive, RotateCcw, XCircle, Loader } from 'lucide-react';
+
+const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
+
+const STATE_CONFIG = [
+  {
+    key: 'ACTIVE',
+    label: 'Active',
+    color: '#0EA5E9',
+    Icon: Activity,
+  },
+  {
+    key: 'ARCHIVED',
+    label: 'Archived',
+    color: '#F59E0B',
+    Icon: Archive,
+  },
+  {
+    key: 'RETURNED',
+    label: 'Returned',
+    color: '#10B981',
+    Icon: RotateCcw,
+  },
+  {
+    key: 'CLOSED',
+    label: 'Closed',
+    color: '#EF4444',
+    Icon: XCircle,
+  },
+];
+
+function StatCard({ stateKey, label, color, Icon, count, active, onClick }) {
+  const [hovered, setHovered] = useState(false);
+
+  const isHighlighted = active || hovered;
+
+  const cardStyle = {
+    flex: '1 1 0',
+    minWidth: '140px',
+    background: 'linear-gradient(135deg, rgba(30, 41, 59, 0.95), rgba(51, 65, 85, 0.9))',
+    border: `2px solid ${isHighlighted ? color : `rgba(${hexToRgb(color)}, 0.3)`}`,
+    borderRadius: '0.5rem',
+    padding: '1rem',
+    cursor: 'pointer',
+    transition: 'all 0.3s cubic-bezier(0.4, 0, 0.2, 1)',
+    transform: isHighlighted ? 'translateY(-2px)' : 'translateY(0)',
+    boxShadow: isHighlighted
+      ? `0 4px 16px rgba(0, 0, 0, 0.5), 0 0 20px rgba(${hexToRgb(color)}, 0.25)`
+      : '0 4px 16px rgba(0, 0, 0, 0.5)',
+    position: 'relative',
+    overflow: 'hidden',
+  };
+
+  const accentLineStyle = {
+    position: 'absolute',
+    top: 0,
+    left: 0,
+    right: 0,
+    height: '2px',
+    background: `linear-gradient(90deg, transparent, ${color}, transparent)`,
+    boxShadow: `0 0 8px ${color}`,
+  };
+
+  return (
+    <div
+      style={cardStyle}
+      onClick={() => onClick(stateKey)}
+      onMouseEnter={() => setHovered(true)}
+      onMouseLeave={() => setHovered(false)}
+      role="button"
+      tabIndex={0}
+      onKeyDown={(e) => { if (e.key === 'Enter' || e.key === ' ') { e.preventDefault(); onClick(stateKey); } }}
+      aria-label={`${label}: ${count} findings. ${active ? 'Currently filtered.' : 'Click to filter.'}`}
+    >
+      <div style={accentLineStyle} />
+      <div style={{ display: 'flex', alignItems: 'center', gap: '0.5rem', marginBottom: '0.625rem' }}>
+        <Icon
+          style={{
+            width: '16px',
+            height: '16px',
+            color: color,
+            filter: isHighlighted ? `drop-shadow(0 0 4px ${color})` : 'none',
+          }}
+        />
+        <span style={{
+          fontFamily: "'JetBrains Mono', 'Fira Code', monospace",
+          fontSize: '0.7rem',
+          fontWeight: '600',
+          color: color,
+          textTransform: 'uppercase',
+          letterSpacing: '0.08em',
+          textShadow: isHighlighted ? `0 0 8px rgba(${hexToRgb(color)}, 0.5)` : 'none',
+        }}>
+          {label}
+        </span>
+      </div>
+      <div style={{
+        fontFamily: "'JetBrains Mono', 'Fira Code', monospace",
+        fontSize: '1.75rem',
+        fontWeight: '700',
+        color: '#F8FAFC',
+        lineHeight: 1,
+        textShadow: `0 0 16px rgba(${hexToRgb(color)}, 0.3)`,
+      }}>
+        {count != null ? count : '—'}
+      </div>
+    </div>
+  );
+}
+
+// Convert hex color to r, g, b string for use in rgba()
+function hexToRgb(hex) {
+  const r = parseInt(hex.slice(1, 3), 16);
+  const g = parseInt(hex.slice(3, 5), 16);
+  const b = parseInt(hex.slice(5, 7), 16);
+  return `${r}, ${g}, ${b}`;
+}
+
+export default function ArchiveSummaryBar({ onStateClick, activeFilter, refreshKey }) {
+  const [stats, setStats] = useState(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState(false);
+
+  useEffect(() => {
+    let cancelled = false;
+    const load = async () => {
+      setLoading(true);
+      setError(false);
+      try {
+        const res = await fetch(`${API_BASE}/ivanti/archive/stats`, { credentials: 'include' });
+        if (res.ok && !cancelled) {
+          const data = await res.json();
+          setStats(data);
+        } else if (!cancelled) {
+          setError(true);
+        }
+      } catch {
+        if (!cancelled) setError(true);
+      } finally {
+        if (!cancelled) setLoading(false);
+      }
+    };
+    load();
+
+    // Re-fetch every 60s so stats stay reasonably fresh after syncs
+    const interval = setInterval(load, 60000);
+    return () => { cancelled = true; clearInterval(interval); };
+  }, [refreshKey]);
+
+  if (loading) {
+    return (
+      <div style={{
+        display: 'flex', alignItems: 'center', justifyContent: 'center',
+        gap: '0.5rem', padding: '1.25rem',
+        color: '#94A3B8', fontFamily: 'monospace', fontSize: '0.75rem',
+      }}>
+        <Loader style={{ width: '14px', height: '14px', animation: 'spin 1s linear infinite' }} />
+        Loading archive stats…
+      </div>
+    );
+  }
+
+  if (error) {
+    return (
+      <div style={{
+        padding: '1rem', textAlign: 'center',
+        color: '#94A3B8', fontFamily: 'monospace', fontSize: '0.72rem',
+        border: '1px dashed rgba(239, 68, 68, 0.2)', borderRadius: '0.375rem',
+      }}>
+        Unable to load archive statistics
+      </div>
+    );
+  }
+
+  const handleClick = (state) => {
+    if (onStateClick) onStateClick(state);
+  };
+
+  return (
+    <div style={{
+      display: 'flex',
+      gap: '0.75rem',
+      marginBottom: '1.25rem',
+      flexWrap: 'wrap',
+    }}>
+      {STATE_CONFIG.map(({ key, label, color, Icon }) => (
+        <StatCard
+          key={key}
+          stateKey={key}
+          label={label}
+          color={color}
+          Icon={Icon}
+          count={stats?.[key] ?? 0}
+          active={activeFilter === key}
+          onClick={handleClick}
+        />
+      ))}
+    </div>
+  );
+}

frontend/src/components/pages/ComplianceChartsPanel.js

@@ -0,0 +1,424 @@
+// ComplianceChartsPanel.js
+// Tier-1 time-based compliance charts using Recharts.
+// Charts rendered: Active Findings Over Time, Change per Cycle,
+// Team Health, MTTR by Team, Persistent Findings, Archer Pipeline.
+
+import React, { useState, useEffect, useMemo } from 'react';
+import {
+    LineChart, Line,
+    BarChart, Bar,
+    XAxis, YAxis, CartesianGrid,
+    Tooltip, Legend,
+    ResponsiveContainer,
+} from 'recharts';
+import { TrendingUp, ChevronDown, ChevronUp, Loader } from 'lucide-react';
+
+const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
+
+const TEAL = '#14B8A6';
+
+const TEAM_COLORS = {
+    'STEAM':      '#0EA5E9',
+    'ACCESS-ENG': '#F59E0B',
+    'ACCESS-OPS': '#8B5CF6',
+    'INTELDEV':   '#10B981',
+};
+
+const ARCHER_STATUS_COLORS = {
+    'Draft':        '#475569',
+    'Open':         '#0EA5E9',
+    'Under Review': '#F59E0B',
+    'Accepted':     '#10B981',
+};
+
+// ---------------------------------------------------------------------------
+// Shared style tokens
+// ---------------------------------------------------------------------------
+const AXIS_STYLE = { fontFamily: 'monospace', fontSize: '0.6rem', fill: '#475569' };
+const GRID_STYLE = { stroke: 'rgba(255,255,255,0.05)', strokeDasharray: '3 3' };
+const LEGEND_STYLE = { fontFamily: 'monospace', fontSize: '0.62rem', color: '#64748B' };
+
+// ---------------------------------------------------------------------------
+// Custom dark tooltip
+// ---------------------------------------------------------------------------
+function DarkTooltip({ active, payload, label }) {
+    if (!active || !payload?.length) return null;
+    return (
+        <div style={{
+            background: 'rgba(10,17,32,0.97)',
+            border: '1px solid rgba(20,184,166,0.3)',
+            borderRadius: '0.375rem',
+            padding: '0.5rem 0.75rem',
+            fontFamily: 'monospace',
+            fontSize: '0.7rem',
+            minWidth: '130px',
+        }}>
+            <div style={{ color: TEAL, marginBottom: '0.3rem', fontWeight: '700', fontSize: '0.65rem' }}>
+                {label}
+            </div>
+            {payload.map(p => (
+                <div key={p.dataKey} style={{ color: p.color || '#94A3B8', marginTop: '0.125rem', display: 'flex', justifyContent: 'space-between', gap: '0.75rem' }}>
+                    <span style={{ opacity: 0.8 }}>{p.name}</span>
+                    <span style={{ fontWeight: '700' }}>
+                        {typeof p.value === 'number'
+                            ? Number.isInteger(p.value) ? p.value : p.value.toFixed(1)
+                            : p.value}
+                    </span>
+                </div>
+            ))}
+        </div>
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Chart card wrapper
+// ---------------------------------------------------------------------------
+function ChartCard({ title, subtitle, children }) {
+    return (
+        <div style={{
+            background: 'linear-gradient(135deg,rgba(30,41,59,0.95) 0%,rgba(15,23,42,0.98) 100%)',
+            border: '1px solid rgba(20,184,166,0.15)',
+            borderRadius: '0.5rem',
+            padding: '1rem 1.125rem 0.875rem',
+        }}>
+            <div style={{ marginBottom: '0.75rem' }}>
+                <div style={{
+                    fontFamily: 'monospace', fontSize: '0.72rem', fontWeight: '700',
+                    color: '#CBD5E1', textTransform: 'uppercase', letterSpacing: '0.08em',
+                }}>
+                    {title}
+                </div>
+                {subtitle && (
+                    <div style={{ fontSize: '0.62rem', color: '#334155', marginTop: '0.2rem', fontFamily: 'monospace' }}>
+                        {subtitle}
+                    </div>
+                )}
+            </div>
+            {children}
+        </div>
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Empty / no-data state
+// ---------------------------------------------------------------------------
+function NoData({ msg }) {
+    return (
+        <div style={{
+            display: 'flex', alignItems: 'center', justifyContent: 'center',
+            height: '160px', color: '#334155',
+            fontFamily: 'monospace', fontSize: '0.72rem',
+            border: '1px dashed rgba(20,184,166,0.1)',
+            borderRadius: '0.375rem',
+        }}>
+            {msg || 'No data yet — upload compliance reports to populate this chart'}
+        </div>
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Shorten a YYYY-MM-DD string to MM/DD/YY
+// ---------------------------------------------------------------------------
+function fmtDate(d) {
+    if (!d) return '';
+    const p = d.split('-');
+    if (p.length === 3) return `${p[1]}/${p[2]}/${p[0].slice(2)}`;
+    return d;
+}
+
+// ---------------------------------------------------------------------------
+// Chart 1 — Active Findings Over Time (line, total + per team)
+// ---------------------------------------------------------------------------
+function ActiveTrendChart({ data }) {
+    if (data.length < 2) return <NoData />;
+    return (
+        <ResponsiveContainer width="100%" height={210}>
+            <LineChart data={data} margin={{ top: 4, right: 12, bottom: 0, left: -12 }}>
+                <CartesianGrid {...GRID_STYLE} />
+                <XAxis dataKey="date" tick={AXIS_STYLE} />
+                <YAxis tick={AXIS_STYLE} allowDecimals={false} />
+                <Tooltip content={<DarkTooltip />} />
+                <Legend wrapperStyle={LEGEND_STYLE} iconSize={8} />
+                <Line
+                    type="monotone" dataKey="total_active" name="Total"
+                    stroke={TEAL} strokeWidth={2}
+                    dot={{ r: 3, fill: TEAL, strokeWidth: 0 }}
+                    activeDot={{ r: 5 }}
+                />
+                {Object.entries(TEAM_COLORS).map(([team, color]) => (
+                    <Line
+                        key={team}
+                        type="monotone" dataKey={team} name={team}
+                        stroke={color} strokeWidth={1.5}
+                        dot={false} strokeDasharray="5 3"
+                        activeDot={{ r: 4, fill: color }}
+                    />
+                ))}
+            </LineChart>
+        </ResponsiveContainer>
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Chart 2 — New / Recurring / Resolved per cycle (stacked + grouped bar)
+// ---------------------------------------------------------------------------
+function DeltaChart({ data }) {
+    if (data.length === 0) return <NoData />;
+    return (
+        <ResponsiveContainer width="100%" height={210}>
+            <BarChart data={data} margin={{ top: 4, right: 12, bottom: 0, left: -12 }}>
+                <CartesianGrid {...GRID_STYLE} />
+                <XAxis dataKey="date" tick={AXIS_STYLE} />
+                <YAxis tick={AXIS_STYLE} allowDecimals={false} />
+                <Tooltip content={<DarkTooltip />} />
+                <Legend wrapperStyle={LEGEND_STYLE} iconSize={8} />
+                <Bar dataKey="new_count"       name="New"       stackId="in" fill="#EF4444" fillOpacity={0.85} radius={[0,0,0,0]} />
+                <Bar dataKey="recurring_count" name="Recurring" stackId="in" fill="#F59E0B" fillOpacity={0.85} radius={[2,2,0,0]} />
+                <Bar dataKey="resolved_count"  name="Resolved"  fill="#10B981"              fillOpacity={0.8}  radius={[2,2,2,2]} />
+            </BarChart>
+        </ResponsiveContainer>
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Chart 3 — Team Health Multi-Line
+// ---------------------------------------------------------------------------
+function TeamTrendChart({ data }) {
+    if (data.length < 2) return <NoData />;
+    return (
+        <ResponsiveContainer width="100%" height={210}>
+            <LineChart data={data} margin={{ top: 4, right: 12, bottom: 0, left: -12 }}>
+                <CartesianGrid {...GRID_STYLE} />
+                <XAxis dataKey="date" tick={AXIS_STYLE} />
+                <YAxis tick={AXIS_STYLE} allowDecimals={false} />
+                <Tooltip content={<DarkTooltip />} />
+                <Legend wrapperStyle={LEGEND_STYLE} iconSize={8} />
+                {Object.entries(TEAM_COLORS).map(([team, color]) => (
+                    <Line
+                        key={team}
+                        type="monotone" dataKey={team} name={team}
+                        stroke={color} strokeWidth={2}
+                        dot={{ r: 3, fill: color, strokeWidth: 0 }}
+                        activeDot={{ r: 5 }}
+                    />
+                ))}
+            </LineChart>
+        </ResponsiveContainer>
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Chart 4 — MTTR by Team (horizontal bar)
+// ---------------------------------------------------------------------------
+function MttrChart({ data }) {
+    if (data.length === 0) return <NoData msg="No resolved findings yet — MTTR will appear after items are remediated" />;
+    return (
+        <ResponsiveContainer width="100%" height={Math.max(160, data.length * 44 + 40)}>
+            <BarChart data={data} layout="vertical" margin={{ top: 4, right: 48, bottom: 0, left: 4 }}>
+                <CartesianGrid {...GRID_STYLE} />
+                <XAxis type="number" tick={AXIS_STYLE} unit=" d" />
+                <YAxis type="category" dataKey="team" tick={AXIS_STYLE} width={86} />
+                <Tooltip content={<DarkTooltip />} />
+                <Bar dataKey="avg_days" name="Avg Days" fill={TEAL} fillOpacity={0.8} radius={[0, 3, 3, 0]}
+                    label={{ position: 'right', style: { ...AXIS_STYLE, fill: '#64748B' }, formatter: v => `${v}d` }}
+                />
+            </BarChart>
+        </ResponsiveContainer>
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Chart 5 — Most Persistent Findings (horizontal bar by seen_count)
+// ---------------------------------------------------------------------------
+function RecurringChart({ data }) {
+    if (data.length === 0) return <NoData />;
+    const top10 = data.slice(0, 10).map(r => ({
+        ...r,
+        label: r.metric_id.length > 18 ? r.metric_id.slice(0, 18) + '…' : r.metric_id,
+    }));
+    return (
+        <ResponsiveContainer width="100%" height={Math.max(160, top10.length * 28 + 40)}>
+            <BarChart data={top10} layout="vertical" margin={{ top: 4, right: 48, bottom: 0, left: 4 }}>
+                <CartesianGrid {...GRID_STYLE} />
+                <XAxis type="number" tick={AXIS_STYLE} unit=" cycles" allowDecimals={false} />
+                <YAxis type="category" dataKey="label" tick={AXIS_STYLE} width={110} />
+                <Tooltip content={<DarkTooltip />} formatter={(val, name, props) => [
+                    `${val} cycles (${props.payload.host_count} host${props.payload.host_count !== 1 ? 's' : ''})`, props.payload.team
+                ]} />
+                <Bar dataKey="seen_count" name="Cycles Seen" fill="#F59E0B" fillOpacity={0.85} radius={[0, 3, 3, 0]}
+                    label={{ position: 'right', style: { ...AXIS_STYLE, fill: '#64748B' }, formatter: v => `${v}×` }}
+                />
+            </BarChart>
+        </ResponsiveContainer>
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Chart 6 — Archer Exception Ticket Pipeline (stacked bar by creation date)
+// ---------------------------------------------------------------------------
+function ArcherPipelineChart({ data }) {
+    if (data.length === 0) return <NoData msg="No Archer tickets recorded yet" />;
+    return (
+        <ResponsiveContainer width="100%" height={210}>
+            <BarChart data={data} margin={{ top: 4, right: 12, bottom: 0, left: -12 }}>
+                <CartesianGrid {...GRID_STYLE} />
+                <XAxis dataKey="date" tick={AXIS_STYLE} />
+                <YAxis tick={AXIS_STYLE} allowDecimals={false} />
+                <Tooltip content={<DarkTooltip />} />
+                <Legend wrapperStyle={LEGEND_STYLE} iconSize={8} />
+                {Object.entries(ARCHER_STATUS_COLORS).map(([status, color], i, arr) => (
+                    <Bar
+                        key={status}
+                        dataKey={status} name={status} stackId="s"
+                        fill={color} fillOpacity={0.85}
+                        radius={i === arr.length - 1 ? [2, 2, 0, 0] : [0, 0, 0, 0]}
+                    />
+                ))}
+            </BarChart>
+        </ResponsiveContainer>
+    );
+}
+
+// ---------------------------------------------------------------------------
+// Main panel
+// ---------------------------------------------------------------------------
+export default function ComplianceChartsPanel() {
+    const [collapsed,   setCollapsed]   = useState(false);
+    const [loading,     setLoading]     = useState(true);
+    const [trends,      setTrends]      = useState([]);
+    const [mttr,        setMttr]        = useState([]);
+    const [recurring,   setRecurring]   = useState([]);
+    const [archerRaw,   setArcherRaw]   = useState([]);
+
+    useEffect(() => {
+        let cancelled = false;
+        const load = async () => {
+            setLoading(true);
+            try {
+                const [tRes, mRes, rRes, aRes] = await Promise.all([
+                    fetch(`${API_BASE}/compliance/trends`,           { credentials: 'include' }),
+                    fetch(`${API_BASE}/compliance/mttr`,             { credentials: 'include' }),
+                    fetch(`${API_BASE}/compliance/top-recurring`,    { credentials: 'include' }),
+                    fetch(`${API_BASE}/archer-tickets/status-trend`, { credentials: 'include' }),
+                ]);
+                if (cancelled) return;
+                if (tRes.ok) { const d = await tRes.json(); setTrends(d.trends      || []); }
+                if (mRes.ok) { const d = await mRes.json(); setMttr(d.mttr          || []); }
+                if (rRes.ok) { const d = await rRes.json(); setRecurring(d.items    || []); }
+                if (aRes.ok) { const d = await aRes.json(); setArcherRaw(d.statusTrend || []); }
+            } catch { /* silent — charts will show no-data state */ }
+            finally { if (!cancelled) setLoading(false); }
+        };
+        load();
+        return () => { cancelled = true; };
+    }, []);
+
+    // Format trend rows — add short date label
+    const formattedTrends = useMemo(
+        () => trends.map(t => ({ ...t, date: fmtDate(t.report_date) })),
+        [trends]
+    );
+
+    // Pivot archer raw rows → one object per date
+    const archerByDate = useMemo(() => {
+        if (!archerRaw.length) return [];
+        const map = {};
+        archerRaw.forEach(r => {
+            if (!map[r.date]) map[r.date] = { date: fmtDate(r.date) };
+            map[r.date][r.status] = r.count;
+        });
+        return Object.values(map).sort((a, b) => a.date.localeCompare(b.date));
+    }, [archerRaw]);
+
+    return (
+        <div style={{ marginBottom: '1.5rem' }}>
+
+            {/* ── Section header / collapse toggle ──────────────────────── */}
+            <button
+                onClick={() => setCollapsed(c => !c)}
+                style={{
+                    width: '100%', display: 'flex', alignItems: 'center', justifyContent: 'space-between',
+                    background: 'none', border: 'none', cursor: 'pointer',
+                    padding: '0 0 0.625rem 0',
+                    borderBottom: collapsed ? 'none' : '1px solid rgba(20,184,166,0.1)',
+                    marginBottom: collapsed ? 0 : '0.875rem',
+                }}
+            >
+                <div style={{ display: 'flex', alignItems: 'center', gap: '0.5rem' }}>
+                    <TrendingUp style={{ width: '14px', height: '14px', color: TEAL }} />
+                    <span style={{
+                        fontFamily: 'monospace', fontSize: '0.65rem', fontWeight: '700',
+                        color: '#334155', textTransform: 'uppercase', letterSpacing: '0.1em',
+                    }}>
+                        Historical Trends
+                    </span>
+                    {loading && (
+                        <Loader style={{ width: '12px', height: '12px', color: '#334155', animation: 'spin 1s linear infinite' }} />
+                    )}
+                </div>
+                {collapsed
+                    ? <ChevronDown style={{ width: '14px', height: '14px', color: '#334155' }} />
+                    : <ChevronUp   style={{ width: '14px', height: '14px', color: '#334155' }} />
+                }
+            </button>
+
+            {!collapsed && (
+                <div style={{
+                    display: 'grid',
+                    gridTemplateColumns: 'repeat(auto-fit, minmax(420px, 1fr))',
+                    gap: '1rem',
+                }}>
+
+                    {/* 1. Active findings over time */}
+                    <ChartCard
+                        title="Active Findings Over Time"
+                        subtitle="Total non-compliant items per report cycle (solid) + per team (dashed)"
+                    >
+                        <ActiveTrendChart data={formattedTrends} />
+                    </ChartCard>
+
+                    {/* 2. New / Recurring / Resolved delta per cycle */}
+                    <ChartCard
+                        title="Change per Report Cycle"
+                        subtitle="New (red) and recurring (amber) stacked; resolved (green) as separate bars"
+                    >
+                        <DeltaChart data={formattedTrends} />
+                    </ChartCard>
+
+                    {/* 3. Team health multi-line */}
+                    <ChartCard
+                        title="Team Compliance Health"
+                        subtitle="Active findings per team per cycle — lower is better"
+                    >
+                        <TeamTrendChart data={formattedTrends} />
+                    </ChartCard>
+
+                    {/* 4. MTTR per team */}
+                    <ChartCard
+                        title="Mean Time to Resolution"
+                        subtitle="Average calendar days between first-seen and resolved, by team"
+                    >
+                        <MttrChart data={mttr} />
+                    </ChartCard>
+
+                    {/* 5. Most persistent / recurring findings */}
+                    <ChartCard
+                        title="Most Persistent Findings"
+                        subtitle="Active items with the highest recurrence count (top 10)"
+                    >
+                        <RecurringChart data={recurring} />
+                    </ChartCard>
+
+                    {/* 6. Archer ticket pipeline */}
+                    <ChartCard
+                        title="Archer Exception Pipeline"
+                        subtitle="Exception ticket status distribution by creation date"
+                    >
+                        <ArcherPipelineChart data={archerByDate} />
+                    </ChartCard>
+
+                </div>
+            )}
+        </div>
+    );
+}

frontend/src/components/pages/ComplianceDetailPanel.js

@@ -0,0 +1,366 @@
+import React, { useState, useEffect, useCallback } from 'react';
+import { X, MessageSquare, Send, Loader, AlertCircle, Clock, Shield } from 'lucide-react';
+
+const API_BASE = process.env.REACT_APP_API_BASE || 'http://localhost:3001/api';
+
+const TEAL = '#14B8A6';
+
+const CATEGORY_COLORS = {
+    'Vulnerability Management': '#EF4444',
+    'Access & MFA':             '#F59E0B',
+    'Logging & Monitoring':     '#8B5CF6',
+    'End-of-Life OS':           '#F97316',
+    'Decommissioned Assets':    '#64748B',
+    'Asset Data Quality':       '#64748B',
+    'Application Security':     '#0EA5E9',
+    'Disaster Recovery':        TEAL,
+    'Endpoint Protection':      '#F97316',
+};
+
+function categoryColor(category) {
+    return CATEGORY_COLORS[category] || '#94A3B8';
+}
+
+function MetricChip({ metricId, category, status }) {
+    const color = status === 'resolved' ? '#64748B' : categoryColor(category);
+    return (
+        <span style={{
+            display: 'inline-flex', alignItems: 'center',
+            padding: '0.2rem 0.5rem',
+            background: `${color}18`,
+            border: `1px solid ${color}50`,
+            borderRadius: '0.25rem',
+            color, fontSize: '0.7rem', fontFamily: 'monospace', fontWeight: '600',
+        }}>
+            {metricId}
+        </span>
+    );
+}
+
+export default function ComplianceDetailPanel({ hostname, onClose, onNoteAdded, onNavigate }) {
+    const [detail, setDetail]       = useState(null);
+    const [loading, setLoading]     = useState(true);
+    const [error, setError]         = useState(null);
+    const [noteText, setNoteText]   = useState('');
+    const [noteMetric, setNoteMetric] = useState('');
+    const [submitting, setSubmitting] = useState(false);
+    const [noteError, setNoteError] = useState(null);
+
+    const fetchDetail = useCallback(async () => {
+        setLoading(true);
+        setError(null);
+        try {
+            const res  = await fetch(`${API_BASE}/compliance/items/${encodeURIComponent(hostname)}`, { credentials: 'include' });
+            const data = await res.json();
+            if (!res.ok) throw new Error(data.error || 'Failed to load device');
+            setDetail(data);
+
+            // Default note metric to first active failing metric
+            const firstActive = (data.metrics || []).find(m => m.status === 'active');
+            if (firstActive) setNoteMetric(firstActive.metric_id);
+        } catch (err) {
+            setError(err.message);
+        } finally {
+            setLoading(false);
+        }
+    }, [hostname]);
+
+    useEffect(() => { fetchDetail(); }, [fetchDetail]);
+
+    const handleAddNote = async () => {
+        if (!noteText.trim() || !noteMetric) return;
+        setSubmitting(true);
+        setNoteError(null);
+        try {
+            const res = await fetch(`${API_BASE}/compliance/notes`, {
+                method: 'POST',
+                credentials: 'include',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ hostname, metric_id: noteMetric, note: noteText.trim() }),
+            });
+            const data = await res.json();
+            if (!res.ok) throw new Error(data.error || 'Failed to save note');
+            setNoteText('');
+            await fetchDetail();
+            if (onNoteAdded) onNoteAdded();
+        } catch (err) {
+            setNoteError(err.message);
+        } finally {
+            setSubmitting(false);
+        }
+    };
+
+    const activeMetrics   = detail?.metrics?.filter(m => m.status === 'active')   || [];
+    const resolvedMetrics = detail?.metrics?.filter(m => m.status === 'resolved') || [];
+
+    return (
+        <>
+            {/* Backdrop */}
+            <div onClick={onClose} style={{ position: 'fixed', inset: 0, background: 'rgba(0,0,0,0.4)', zIndex: 40 }} />
+
+            {/* Panel */}
+            <div style={{
+                position: 'fixed', top: 0, right: 0, bottom: 0, width: '420px',
+                background: 'linear-gradient(180deg, #0F1A2E 0%, #0A1628 100%)',
+                borderLeft: `1px solid ${TEAL}30`,
+                boxShadow: `-8px 0 32px rgba(0,0,0,0.6)`,
+                zIndex: 41,
+                display: 'flex', flexDirection: 'column',
+                overflowY: 'auto',
+            }}>
+                {/* Header */}
+                <div style={{
+                    padding: '1.25rem 1.25rem 1rem',
+                    borderBottom: '1px solid rgba(255,255,255,0.06)',
+                    flexShrink: 0,
+                }}>
+                    <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'flex-start' }}>
+                        <div style={{ minWidth: 0, flex: 1, marginRight: '0.75rem' }}>
+                            <div style={{ fontFamily: 'monospace', fontSize: '0.9rem', fontWeight: '700', color: '#F8FAFC', wordBreak: 'break-all', lineHeight: 1.3 }}>
+                                {hostname}
+                            </div>
+                            {detail && (
+                                <div style={{ marginTop: '0.4rem', display: 'flex', flexWrap: 'wrap', gap: '0.4rem' }}>
+                                    {detail.ip_address && (
+                                        <span style={{ fontSize: '0.72rem', fontFamily: 'monospace', color: '#64748B' }}>{detail.ip_address}</span>
+                                    )}
+                                    {detail.device_type && (
+                                        <span style={{ fontSize: '0.72rem', color: '#475569' }}>· {detail.device_type}</span>
+                                    )}
+                                    <span style={{ fontSize: '0.72rem', color: TEAL }}>· {detail.team}</span>
+                                </div>
+                            )}
+                        </div>
+                        <button onClick={onClose} style={{ background: 'none', border: 'none', cursor: 'pointer', color: '#475569', flexShrink: 0, padding: '0.25rem' }}
+                            onMouseEnter={e => e.currentTarget.style.color = '#E2E8F0'}
+                            onMouseLeave={e => e.currentTarget.style.color = '#475569'}>
+                            <X style={{ width: '18px', height: '18px' }} />
+                        </button>
+                    </div>
+                </div>
+
+                {loading && (
+                    <div style={{ flex: 1, display: 'flex', alignItems: 'center', justifyContent: 'center' }}>
+                        <Loader style={{ width: '28px', height: '28px', color: TEAL, animation: 'spin 1s linear infinite' }} />
+                    </div>
+                )}
+
+                {error && (
+                    <div style={{ padding: '1.25rem', display: 'flex', gap: '0.5rem', color: '#F87171', fontSize: '0.8rem' }}>
+                        <AlertCircle style={{ width: '16px', height: '16px', flexShrink: 0, marginTop: '1px' }} />{error}
+                    </div>
+                )}
+
+                {!loading && !error && detail && (
+                    <div style={{ flex: 1, display: 'flex', flexDirection: 'column' }}>
+
+                        {/* Active failing metrics */}
+                        {activeMetrics.length > 0 && (
+                            <Section title="Failing Metrics" icon={<Shield style={{ width: '14px', height: '14px' }} />}>
+                                {activeMetrics.map(m => (
+                                    <MetricRow key={m.metric_id} metric={m} onNavigate={onNavigate} />
+                                ))}
+                            </Section>
+                        )}
+
+                        {/* Resolved metrics */}
+                        {resolvedMetrics.length > 0 && (
+                            <Section title="Resolved Metrics" muted>
+                                {resolvedMetrics.map(m => (
+                                    <MetricRow key={m.metric_id} metric={m} resolved />
+                                ))}
+                            </Section>
+                        )}
+
+                        {/* Upload history summary */}
+                        {activeMetrics.length > 0 && (
+                            <Section title="History" icon={<Clock style={{ width: '14px', height: '14px' }} />}>
+                                {activeMetrics.map(m => (
+                                    <div key={m.metric_id} style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', marginBottom: '0.35rem' }}>
+                                        <MetricChip metricId={m.metric_id} category={m.category} />
+                                        <div style={{ fontSize: '0.72rem', color: '#64748B', fontFamily: 'monospace', textAlign: 'right' }}>
+                                            <span style={{ color: m.seen_count > 2 ? '#F59E0B' : '#94A3B8' }}>
+                                                {m.seen_count}× seen
+                                            </span>
+                                            {m.first_seen && <span style={{ marginLeft: '0.5rem' }}>since {m.first_seen}</span>}
+                                        </div>
+                                    </div>
+                                ))}
+                            </Section>
+                        )}
+
+                        {/* Notes */}
+                        <Section title="Notes" icon={<MessageSquare style={{ width: '14px', height: '14px' }} />} grow>
+                            {detail.notes.length === 0 && (
+                                <div style={{ color: '#334155', fontSize: '0.75rem', fontStyle: 'italic', marginBottom: '0.75rem' }}>No notes yet</div>
+                            )}
+                            {detail.notes.map(n => (
+                                <div key={n.id} style={{
+                                    marginBottom: '0.75rem', padding: '0.625rem 0.75rem',
+                                    background: 'rgba(15,23,42,0.6)', borderRadius: '0.375rem',
+                                    border: '1px solid rgba(255,255,255,0.05)',
+                                }}>
+                                    <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', marginBottom: '0.3rem' }}>
+                                        <MetricChip metricId={n.metric_id} category={activeMetrics.find(m => m.metric_id === n.metric_id)?.category || ''} />
+                                        <span style={{ fontSize: '0.68rem', color: '#334155', fontFamily: 'monospace' }}>
+                                            {n.created_by && `${n.created_by} · `}{n.created_at?.slice(0, 10)}
+                                        </span>
+                                    </div>
+                                    <div style={{ fontSize: '0.8rem', color: '#CBD5E1', lineHeight: 1.5 }}>{n.note}</div>
+                                </div>
+                            ))}
+
+                            {/* Add note */}
+                            <div style={{ marginTop: 'auto', paddingTop: '0.75rem', borderTop: '1px solid rgba(255,255,255,0.05)' }}>
+                                {activeMetrics.length > 1 && (
+                                    <select
+                                        value={noteMetric}
+                                        onChange={e => setNoteMetric(e.target.value)}
+                                        style={{
+                                            width: '100%', marginBottom: '0.5rem',
+                                            background: 'rgba(15,23,42,0.8)', border: '1px solid rgba(20,184,166,0.25)',
+                                            borderRadius: '0.25rem', color: '#CBD5E1',
+                                            padding: '0.4rem 0.5rem', fontSize: '0.75rem', fontFamily: 'monospace',
+                                        }}>
+                                        {activeMetrics.map(m => (
+                                            <option key={m.metric_id} value={m.metric_id}>{m.metric_id} — {m.category}</option>
+                                        ))}
+                                    </select>
+                                )}
+                                <div style={{ display: 'flex', gap: '0.5rem' }}>
+                                    <textarea
+                                        value={noteText}
+                                        onChange={e => setNoteText(e.target.value)}
+                                        placeholder="Add a note…"
+                                        rows={2}
+                                        style={{
+                                            flex: 1, resize: 'none',
+                                            background: 'rgba(15,23,42,0.8)', border: '1px solid rgba(20,184,166,0.25)',
+                                            borderRadius: '0.375rem', color: '#F8FAFC',
+                                            padding: '0.5rem 0.625rem', fontSize: '0.8rem',
+                                            outline: 'none',
+                                        }}
+                                        onFocus={e => e.target.style.borderColor = `${TEAL}70`}
+                                        onBlur={e => e.target.style.borderColor = 'rgba(20,184,166,0.25)'}
+                                        onKeyDown={e => { if (e.key === 'Enter' && (e.ctrlKey || e.metaKey)) handleAddNote(); }}
+                                    />
+                                    <button onClick={handleAddNote} disabled={!noteText.trim() || submitting}
+                                        style={{
+                                            padding: '0.5rem 0.625rem', flexShrink: 0,
+                                            background: noteText.trim() ? `${TEAL}20` : 'transparent',
+                                            border: `1px solid ${noteText.trim() ? TEAL : 'rgba(20,184,166,0.2)'}`,
+                                            borderRadius: '0.375rem', color: noteText.trim() ? TEAL : '#334155',
+                                            cursor: noteText.trim() ? 'pointer' : 'default', transition: 'all 0.15s',
+                                        }}>
+                                        {submitting
+                                            ? <Loader style={{ width: '16px', height: '16px', animation: 'spin 1s linear infinite' }} />
+                                            : <Send style={{ width: '16px', height: '16px' }} />}
+                                    </button>
+                                </div>
+                                {noteError && <div style={{ marginTop: '0.4rem', color: '#F87171', fontSize: '0.72rem' }}>{noteError}</div>}
+                            </div>
+                        </Section>
+                    </div>
+                )}
+            </div>
+        </>
+    );
+}
+
+function Section({ title, icon, children, muted, grow }) {
+    return (
+        <div style={{
+            padding: '1rem 1.25rem',
+            borderBottom: '1px solid rgba(255,255,255,0.04)',
+            ...(grow ? { flex: 1, display: 'flex', flexDirection: 'column' } : {}),
+        }}>
+            <div style={{
+                display: 'flex', alignItems: 'center', gap: '0.4rem',
+                fontSize: '0.68rem', fontFamily: 'monospace', textTransform: 'uppercase',
+                letterSpacing: '0.1em', color: muted ? '#334155' : '#475569',
+                marginBottom: '0.75rem',
+            }}>
+                {icon && <span style={{ color: muted ? '#334155' : TEAL }}>{icon}</span>}
+                {title}
+            </div>
+            {children}
+        </div>
+    );
+}
+
+function MetricRow({ metric, resolved, onNavigate }) {
+    const color = resolved ? '#475569' : categoryColor(metric.category);
+    const extra = metric.extra || {};
+
+    const ivantiId = (!resolved && metric.metric_id?.startsWith('2.3'))
+        ? (extra['Ivanti_Vulnerability_ID'] || null)
+        : null;
+
+    // Surface the most useful extra fields per metric type
+    const highlights = [];
+    if (extra['CVEs_Associated'])     highlights.push({ label: 'CVEs',    value: extra['CVEs_Associated'] });
+    if (extra['SLA_Status'])          highlights.push({ label: 'SLA',     value: extra['SLA_Status'] });
+    if (extra['Due_Date'])            highlights.push({ label: 'Due',     value: extra['Due_Date'] });
+    if (extra['Normalized - Operating System'])
+        highlights.push({ label: 'OS', value: `${extra['Normalized - Operating System']} ${extra['Normalized - Operating System Version'] || ''}`.trim() });
+    if (extra['EOS - End of Service Life'])
+        highlights.push({ label: 'EoL', value: extra['EOS - End of Service Life'] });
+    if (extra['Splunk - Last Seen'])  highlights.push({ label: 'Splunk', value: extra['Splunk - Last Seen'] });
+    if (extra['MFA - Software'])      highlights.push({ label: 'MFA SW', value: extra['MFA - Software'] });
+
+    return (
+        <div style={{
+            marginBottom: '0.625rem', padding: '0.625rem 0.75rem',
+            background: resolved ? 'transparent' : `${color}08`,
+            border: `1px solid ${color}25`,
+            borderRadius: '0.375rem',
+            opacity: resolved ? 0.5 : 1,
+        }}>
+            <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', marginBottom: highlights.length ? '0.4rem' : 0 }}>
+                <MetricChip metricId={metric.metric_id} category={metric.category} status={metric.status} />
+                {resolved && <span style={{ fontSize: '0.68rem', color: '#334155', fontFamily: 'monospace' }}>resolved {metric.resolved_on || ''}</span>}
+            </div>
+            {metric.metric_desc && (
+                <div style={{ fontSize: '0.72rem', color: '#475569', marginBottom: (highlights.length || ivantiId) ? '0.4rem' : 0, lineHeight: 1.4 }}>
+                    {metric.metric_desc.length > 100 ? metric.metric_desc.slice(0, 100) + '…' : metric.metric_desc}
+                </div>
+            )}
+            {ivantiId && (
+                <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', marginBottom: highlights.length ? '0.25rem' : 0 }}>
+                    <div style={{ display: 'flex', gap: '0.4rem', alignItems: 'center', minWidth: 0 }}>
+                        <span style={{ fontSize: '0.68rem', color: '#475569', fontFamily: 'monospace', flexShrink: 0 }}>Ivanti ID</span>
+                        <span style={{ fontSize: '0.68rem', color: '#94A3B8', fontFamily: 'monospace', overflow: 'hidden', textOverflow: 'ellipsis', whiteSpace: 'nowrap' }}>{ivantiId}</span>
+                    </div>
+                    {onNavigate && (
+                        <button
+                            onClick={e => { e.stopPropagation(); onNavigate('triage'); }}
+                            style={{
+                                flexShrink: 0, marginLeft: '0.5rem',
+                                background: 'rgba(14,165,233,0.1)',
+                                border: '1px solid rgba(14,165,233,0.4)',
+                                borderRadius: '0.25rem',
+                                color: '#0EA5E9',
+                                fontSize: '0.65rem', fontFamily: 'monospace',
+                                padding: '0.2rem 0.5rem',
+                                cursor: 'pointer', whiteSpace: 'nowrap',
+                                transition: 'all 0.15s',
+                            }}
+                            onMouseEnter={e => { e.currentTarget.style.background = 'rgba(14,165,233,0.18)'; e.currentTarget.style.borderColor = 'rgba(14,165,233,0.7)'; }}
+                            onMouseLeave={e => { e.currentTarget.style.background = 'rgba(14,165,233,0.1)'; e.currentTarget.style.borderColor = 'rgba(14,165,233,0.4)'; }}
+                        >
+                            View in Triage →
+                        </button>
+                    )}
+                </div>
+            )}
+            {highlights.map(h => (
+                <div key={h.label} style={{ display: 'flex', gap: '0.4rem', marginTop: '0.25rem' }}>
+                    <span style={{ fontSize: '0.68rem', color: '#475569', fontFamily: 'monospace', minWidth: '48px' }}>{h.label}</span>
+                    <span style={{ fontSize: '0.68rem', color: '#94A3B8', fontFamily: 'monospace', wordBreak: 'break-all' }}>
+                        {String(h.value).length > 80 ? String(h.value).slice(0, 80) + '…' : h.value}
+                    </span>
+                </div>
+            ))}
+        </div>
+    );
+}