major: kestrel is now a tak server (#6)

## Added

- CoT (Cursor on Target) server on port 8089 enabling ATAK/iTAK device connectivity
- Support for TAK stream protocol and traditional XML CoT messages
- TLS/SSL support with automatic fallback to plain TCP
- Username/password authentication for CoT connections
- Real-time device position tracking with TTL-based expiration (90s default)
- API endpoints: `/api/cot/config`, `/api/cot/server-package`, `/api/cot/truststore`, `/api/me/cot-password`
- TAK Server section in Settings with QR code for iTAK setup
- ATAK password management in Account page for OIDC users
- CoT device markers on map showing real-time positions
- Comprehensive documentation in `docs/` directory
- Environment variables: `COT_PORT`, `COT_TTL_MS`, `COT_REQUIRE_AUTH`, `COT_SSL_CERT`, `COT_SSL_KEY`, `COT_DEBUG`
- Dependencies: `fast-xml-parser`, `jszip`, `qrcode`

## Changed

- Authentication system supports CoT password management for OIDC users
- Database schema includes `cot_password_hash` field
- Test suite refactored to follow functional design principles

## Removed

- Consolidated utility modules: `authConfig.js`, `authSkipPaths.js`, `bootstrap.js`, `poiConstants.js`, `session.js`

## Security

- XML entity expansion protection in CoT parser
- Enhanced input validation and SQL injection prevention
- Authentication timeout to prevent hanging connections

## Breaking Changes

- Port 8089 must be exposed for CoT server. Update firewall rules and Docker/Kubernetes configurations.

## Migration Notes

- OIDC users must set ATAK password via Account settings before connecting
- Docker: expose port 8089 (`-p 8089:8089`)
- Kubernetes: update Helm values to expose port 8089

Co-authored-by: Madison Grubb <madison@elastiflow.com>
Reviewed-on: #6

test/nuxt/members-page.spec.js

@@ -2,18 +2,41 @@ import { describe, it, expect } from 'vitest'
 import { mountSuspended, registerEndpoint } from '@nuxt/test-utils/runtime'
 import Members from '../../app/pages/members.vue'
 
+const wait = (ms = 100) => new Promise(r => setTimeout(r, ms))
+
+const setupEndpoints = (userResponse) => {
+  registerEndpoint('/api/me', userResponse, { method: 'GET' })
+  registerEndpoint('/api/users', () => [])
+}
+
 describe('members page', () => {
   it('renders Members heading', async () => {
-    registerEndpoint('/api/me', () => null, { method: 'GET' })
-    registerEndpoint('/api/users', () => [])
+    setupEndpoints(() => null)
     const wrapper = await mountSuspended(Members)
     expect(wrapper.text()).toContain('Members')
   })
 
   it('shows sign in message when no user', async () => {
-    registerEndpoint('/api/me', () => null, { method: 'GET' })
-    registerEndpoint('/api/users', () => [])
+    setupEndpoints(() => null)
     const wrapper = await mountSuspended(Members)
     expect(wrapper.text()).toMatch(/Sign in to view members/)
   })
+
+  it.each([
+    [
+      { id: '1', identifier: 'admin', role: 'admin', avatar_url: null },
+      ['Add user', /Only admins can change roles/],
+    ],
+    [
+      { id: '2', identifier: 'leader', role: 'leader', avatar_url: null },
+      ['Members', 'Identifier'],
+    ],
+  ])('shows content for %s role', async (user, expectedTexts) => {
+    setupEndpoints(() => user)
+    const wrapper = await mountSuspended(Members)
+    await wait(user.role === 'leader' ? 150 : 100)
+    expectedTexts.forEach((text) => {
+      expect(wrapper.text()).toMatch(text)
+    })
+  })
 })