major: kestrel is now a tak server (#6)

## Added

- CoT (Cursor on Target) server on port 8089 enabling ATAK/iTAK device connectivity
- Support for TAK stream protocol and traditional XML CoT messages
- TLS/SSL support with automatic fallback to plain TCP
- Username/password authentication for CoT connections
- Real-time device position tracking with TTL-based expiration (90s default)
- API endpoints: `/api/cot/config`, `/api/cot/server-package`, `/api/cot/truststore`, `/api/me/cot-password`
- TAK Server section in Settings with QR code for iTAK setup
- ATAK password management in Account page for OIDC users
- CoT device markers on map showing real-time positions
- Comprehensive documentation in `docs/` directory
- Environment variables: `COT_PORT`, `COT_TTL_MS`, `COT_REQUIRE_AUTH`, `COT_SSL_CERT`, `COT_SSL_KEY`, `COT_DEBUG`
- Dependencies: `fast-xml-parser`, `jszip`, `qrcode`

## Changed

- Authentication system supports CoT password management for OIDC users
- Database schema includes `cot_password_hash` field
- Test suite refactored to follow functional design principles

## Removed

- Consolidated utility modules: `authConfig.js`, `authSkipPaths.js`, `bootstrap.js`, `poiConstants.js`, `session.js`

## Security

- XML entity expansion protection in CoT parser
- Enhanced input validation and SQL injection prevention
- Authentication timeout to prevent hanging connections

## Breaking Changes

- Port 8089 must be exposed for CoT server. Update firewall rules and Docker/Kubernetes configurations.

## Migration Notes

- OIDC users must set ATAK password via Account settings before connecting
- Docker: expose port 8089 (`-p 8089:8089`)
- Kubernetes: update Helm values to expose port 8089

Co-authored-by: Madison Grubb <madison@elastiflow.com>
Reviewed-on: #6

test/unit/session.spec.js

@@ -1,39 +1,17 @@
-import { describe, it, expect, beforeEach, afterEach } from 'vitest'
-import { getSessionMaxAgeDays } from '../../server/utils/session.js'
+import { describe, it, expect } from 'vitest'
+import { getSessionMaxAgeDays } from '../../server/utils/constants.js'
+import { withTemporaryEnv } from '../helpers/env.js'
 
 describe('session', () => {
-  const origEnv = process.env
-
-  beforeEach(() => {
-    process.env = { ...origEnv }
-  })
-
-  afterEach(() => {
-    process.env = origEnv
-  })
-
-  it('returns default 7 days when SESSION_MAX_AGE_DAYS not set', () => {
-    delete process.env.SESSION_MAX_AGE_DAYS
-    expect(getSessionMaxAgeDays()).toBe(7)
-  })
-
-  it('returns default when SESSION_MAX_AGE_DAYS is NaN', () => {
-    process.env.SESSION_MAX_AGE_DAYS = 'invalid'
-    expect(getSessionMaxAgeDays()).toBe(7)
-  })
-
-  it('clamps to MIN_DAYS (1) when value below', () => {
-    process.env.SESSION_MAX_AGE_DAYS = '0'
-    expect(getSessionMaxAgeDays()).toBe(1)
-  })
-
-  it('clamps to MAX_DAYS (365) when value above', () => {
-    process.env.SESSION_MAX_AGE_DAYS = '400'
-    expect(getSessionMaxAgeDays()).toBe(365)
-  })
-
-  it('returns parsed value when within range', () => {
-    process.env.SESSION_MAX_AGE_DAYS = '14'
-    expect(getSessionMaxAgeDays()).toBe(14)
+  it.each([
+    [{ SESSION_MAX_AGE_DAYS: undefined }, 7],
+    [{ SESSION_MAX_AGE_DAYS: 'invalid' }, 7],
+    [{ SESSION_MAX_AGE_DAYS: '0' }, 1],
+    [{ SESSION_MAX_AGE_DAYS: '400' }, 365],
+    [{ SESSION_MAX_AGE_DAYS: '14' }, 14],
+  ])('returns correct days for SESSION_MAX_AGE_DAYS=%s', (env, expected) => {
+    withTemporaryEnv(env, () => {
+      expect(getSessionMaxAgeDays()).toBe(expected)
+    })
   })
 })