Improve Team-indeling dashboard UI and cache invalidation

- Replace 'TEAM' label with Type attribute (Business/Enabling/Staf) in team blocks
- Make Type labels larger (text-sm) and brighter colors
- Make SUBTEAM label less bright (indigo-300) and smaller (text-[10px])
- Add 'FTE' suffix to bandbreedte values in header and application blocks
- Add Platform and Connected Device labels to application blocks
- Show Platform FTE and Workloads FTE separately in Platform blocks
- Add spacing between Regiemodel letter and count value
- Add cache invalidation for Team Dashboard when applications are updated
- Enrich team references with Type attribute in getSubteamToTeamMapping

CLAUDE.md

@@ -93,19 +93,41 @@ zira-classificatie-tool/
 │       ├── App.tsx               # Main component with routing
 │       ├── index.css             # Tailwind CSS imports
 │       ├── components/
-│       │   ├── Dashboard.tsx     # Overview statistics
-│       │   ├── ApplicationList.tsx # Search & filter view
-│       │   └── ApplicationDetail.tsx # Edit & AI classify
+│       │   ├── SearchDashboard.tsx    # Main dashboard with CMDB search
+│       │   ├── Dashboard.tsx          # App Component statistics
+│       │   ├── ApplicationList.tsx    # Application overview & filter
+│       │   ├── ApplicationDetail.tsx  # Edit & AI classify
+│       │   ├── TeamDashboard.tsx      # Team FTE dashboard
+│       │   ├── ConfigurationV25.tsx   # FTE configuration
+│       │   └── ReportsDashboard.tsx   # Reports overview
 │       ├── services/api.ts       # API client
 │       ├── stores/
 │       │   ├── searchStore.ts    # Filter state (Zustand)
-│       │   └── navigationStore.ts # Navigation state
+│       │   ├── navigationStore.ts # Navigation state
+│       │   └── authStore.ts      # Authentication state
 │       └── types/index.ts        # TypeScript interfaces
 └── data/
     ├── zira-taxonomy.json
     └── management-parameters.json
 ```
 
+## Navigation Structure
+
+The application uses a hierarchical menu structure:
+
+```
+Dashboard (/)                          # CMDB search page
+│
+├── Application Component (/app-components)
+│   ├── Dashboard (/app-components)           # Statistics & overview
+│   ├── Overzicht (/app-components/overview)  # Application list & filter
+│   └── FTE Config (/app-components/fte-config) # FTE calculation config
+│
+└── Rapporten (/reports)
+    ├── Overzicht (/reports)                  # Reports dashboard
+    └── Team-indeling (/reports/team-dashboard) # Team FTE dashboard
+```
+
 ## Key Domain Concepts
 
 ### ZiRA (Ziekenhuis Referentie Architectuur)
@@ -134,17 +156,21 @@ Dutch hospital reference architecture with 90+ application functions organized i
 ```env
 # Jira Data Center
 JIRA_HOST=https://jira.zuyderland.nl
-JIRA_PAT=<personal_access_token>        # Service account PAT (fallback when OAuth disabled)
 JIRA_SCHEMA_ID=<schema_id>
 
-# Jira OAuth 2.0 (optional - enables user authentication)
-JIRA_OAUTH_ENABLED=false                # Set to 'true' to enable OAuth
+# Jira Authentication Method: 'pat' or 'oauth'
+JIRA_AUTH_METHOD=pat                    # Choose: 'pat' (Personal Access Token) or 'oauth' (OAuth 2.0)
+
+# For PAT authentication (JIRA_AUTH_METHOD=pat)
+JIRA_PAT=<personal_access_token>        # Personal Access Token for Jira API access
+
+# For OAuth 2.0 authentication (JIRA_AUTH_METHOD=oauth)
 JIRA_OAUTH_CLIENT_ID=<oauth_client_id>  # From Jira Application Link
 JIRA_OAUTH_CLIENT_SECRET=<oauth_secret> # From Jira Application Link
 JIRA_OAUTH_CALLBACK_URL=http://localhost:3001/api/auth/callback
 JIRA_OAUTH_SCOPES=READ WRITE
 
-# Session Configuration
+# Session Configuration (required for OAuth)
 SESSION_SECRET=<random_secret_string>   # Change in production!
 
 # Jira Object Type IDs
@@ -179,17 +205,34 @@ FRONTEND_URL=http://localhost:5173
 
 ## Authentication
 
-The application supports two authentication modes:
+The application supports two authentication methods, configured via `JIRA_AUTH_METHOD`:
 
-### 1. Service Account Mode (Default)
-- Uses a single PAT (`JIRA_PAT`) for all Jira API calls
+### 1. Personal Access Token (PAT) Mode (`JIRA_AUTH_METHOD=pat`)
+- **Default mode** - Uses a single PAT for all Jira API calls
 - Users don't need to log in
 - All changes are attributed to the service account
+- Best for: Development, internal tools, or when user attribution isn't required
 
-### 2. OAuth 2.0 Mode
+**Configuration:**
+```env
+JIRA_AUTH_METHOD=pat
+JIRA_PAT=your_personal_access_token
+```
+
+### 2. OAuth 2.0 Mode (`JIRA_AUTH_METHOD=oauth`)
 - Each user logs in with their own Jira credentials
 - API calls are made under the user's account
 - Better audit trail and access control
+- Best for: Production environments where user attribution matters
+
+**Configuration:**
+```env
+JIRA_AUTH_METHOD=oauth
+JIRA_OAUTH_CLIENT_ID=your_client_id
+JIRA_OAUTH_CLIENT_SECRET=your_client_secret
+JIRA_OAUTH_CALLBACK_URL=http://localhost:3001/api/auth/callback
+SESSION_SECRET=your_secure_random_string
+```
 
 ### Setting up OAuth 2.0 (Jira Data Center 8.14+)
 
@@ -199,17 +242,11 @@ The application supports two authentication modes:
    - Set Redirect URL: `http://localhost:3001/api/auth/callback`
    - Note the Client ID and Secret
 
-2. **Configure Environment:**
-   ```env
-   JIRA_OAUTH_ENABLED=true
-   JIRA_OAUTH_CLIENT_ID=your_client_id
-   JIRA_OAUTH_CLIENT_SECRET=your_client_secret
-   JIRA_OAUTH_CALLBACK_URL=http://localhost:3001/api/auth/callback
-   ```
+2. **Configure Environment Variables** (see above)
 
 3. **For Production:**
    - Update callback URL to production domain
-   - Set `SESSION_SECRET` to a random string
+   - Set `SESSION_SECRET` to a cryptographically secure random string
    - Use HTTPS
 
 ## Implementation Notes