security: implement tickets #28-#35 + architecture decision #30

#28 - TOTP rate limiting (verifyTotp): added totpRateLimiter (10 req/30s),
  throws TOO_MANY_REQUESTS before DB hit; 16 unit tests including rate-limit
  exceeded + userId key isolation.

#29 - /api/reports/allocations role check: only ADMIN/MANAGER/CONTROLLER may
  access; returns 403 otherwise; 9 unit tests (401 unauthenticated, 403 for
  USER/VIEWER, 200 for allowed roles + xlsx format).

#31 - pgAdmin credentials moved out of docker-compose.yml into env vars;
  PGADMIN_PASSWORD is now required (:?) to prevent accidental plaintext
  exposure in committed files.

#34 - Server-side HTML sanitization for comment bodies via stripHtml():
  strips all tags + decodes safe entities before persistence; 16 unit tests
  covering passthrough, injection patterns, entity decoding.

#35 - MFA setup prompt banner (MfaPromptBanner): shown to ADMIN/MANAGER users
  without TOTP enabled; user-scoped localStorage snooze (7 days); links to
  /account/security; accessibility role=alert; 7 structural unit tests.

#33 - Auth anomaly alerting cron (/api/cron/auth-anomaly-check): detects
  HIGH_GLOBAL_FAILURE_RATE and CONCENTRATED_FAILURES in 30-minute window;
  CRITICAL notification to ADMINs; fail-closed via verifyCronSecret;
  10 unit tests.

#32 - MFA enforcement policy: added requireMfaForRoles field to SystemSettings
  schema + Prisma migration; auth.ts blocks login with MFA_REQUIRED_SETUP
  signal if role is enforced but TOTP not set up; signin page redirects to
  /account/security?mfa_required=1; settings schema + view model updated;
  11 unit tests.

#30 - API keys architecture decision documented in LEARNINGS.md; no code
  written — product decision required before implementation.

Co-Authored-By: claude-flow <ruv@ruv.net>

packages/api/src/router/settings-support.ts

@@ -65,6 +65,7 @@ export const settingsUpdateInputSchema = z.object({
   imageProvider: z.enum(["dalle", "gemini"]).optional(),
   vacationDefaultDays: z.number().int().min(0).max(365).optional(),
   timelineUndoMaxSteps: z.number().int().min(1).max(200).optional(),
+  requireMfaForRoles: z.array(z.enum(["ADMIN", "MANAGER", "CONTROLLER", "USER", "VIEWER"])).nullable().optional(),
 });
 
 export type SettingsUpdateInput = z.infer<typeof settingsUpdateInputSchema>;
@@ -104,6 +105,7 @@ export function buildSystemSettingsViewModel(input: {
     imageProvider?: string | null;
     vacationDefaultDays?: number | null;
     timelineUndoMaxSteps?: number | null;
+    requireMfaForRoles?: unknown;
   } | null | undefined;
   runtimeSettings: {
     azureOpenAiApiKey?: string | null;
@@ -150,6 +152,7 @@ export function buildSystemSettingsViewModel(input: {
     imageProvider: settings?.imageProvider ?? "dalle",
     vacationDefaultDays: settings?.vacationDefaultDays ?? 28,
     timelineUndoMaxSteps: settings?.timelineUndoMaxSteps ?? 50,
+    requireMfaForRoles: (settings?.requireMfaForRoles as string[] | null | undefined) ?? null,
   };
 }
 
@@ -196,6 +199,7 @@ export function buildSettingsUpdatePayload(input: SettingsUpdateInput): {
   if (input.imageProvider !== undefined) data.imageProvider = input.imageProvider;
   if (input.vacationDefaultDays !== undefined) data.vacationDefaultDays = input.vacationDefaultDays;
   if (input.timelineUndoMaxSteps !== undefined) data.timelineUndoMaxSteps = input.timelineUndoMaxSteps;
+  if (input.requireMfaForRoles !== undefined) data.requireMfaForRoles = input.requireMfaForRoles ?? null;
 
   return { data, ignoredSecretFields };
 }