Add OAuth 2.0 authentication support for Jira Data Center

- Add OAuth 2.0 configuration options in backend env.ts
- Create authService.ts for OAuth flow, token management, and sessions
- Create auth.ts routes for login, callback, logout, and user info
- Update JiraAssets service to use user tokens when OAuth is enabled
- Add cookie-parser for session handling
- Create Login.tsx component with Jira OAuth login button
- Add authStore.ts (Zustand) for frontend auth state management
- Update App.tsx to show login page when OAuth is enabled
- Add user menu with logout functionality
- Document OAuth setup in CLAUDE.md

Supports two modes:
1. Service Account: Uses JIRA_PAT for all requests (default)
2. OAuth 2.0: Each user authenticates with their Jira credentials

CLAUDE.md

@@ -134,9 +134,19 @@ Dutch hospital reference architecture with 90+ application functions organized i
 ```env
 # Jira Data Center
 JIRA_HOST=https://jira.zuyderland.nl
-JIRA_PAT=<personal_access_token>
+JIRA_PAT=<personal_access_token>        # Service account PAT (fallback when OAuth disabled)
 JIRA_SCHEMA_ID=<schema_id>
 
+# Jira OAuth 2.0 (optional - enables user authentication)
+JIRA_OAUTH_ENABLED=false                # Set to 'true' to enable OAuth
+JIRA_OAUTH_CLIENT_ID=<oauth_client_id>  # From Jira Application Link
+JIRA_OAUTH_CLIENT_SECRET=<oauth_secret> # From Jira Application Link
+JIRA_OAUTH_CALLBACK_URL=http://localhost:3001/api/auth/callback
+JIRA_OAUTH_SCOPES=READ WRITE
+
+# Session Configuration
+SESSION_SECRET=<random_secret_string>   # Change in production!
+
 # Jira Object Type IDs
 JIRA_APPLICATION_COMPONENT_TYPE_ID=<type_id>
 JIRA_APPLICATION_FUNCTION_TYPE_ID=<type_id>
@@ -156,14 +166,52 @@ JIRA_ATTR_GOVERNANCE_MODEL=<attr_id>
 JIRA_ATTR_APPLICATION_CLUSTER=<attr_id>
 JIRA_ATTR_APPLICATION_TYPE=<attr_id>
 
-# Claude AI
+# AI Classification
 ANTHROPIC_API_KEY=<claude_api_key>
+OPENAI_API_KEY=<openai_api_key>         # Optional: alternative to Claude
+DEFAULT_AI_PROVIDER=claude              # 'claude' or 'openai'
 
 # Server
 PORT=3001
 NODE_ENV=development
+FRONTEND_URL=http://localhost:5173
 ```
 
+## Authentication
+
+The application supports two authentication modes:
+
+### 1. Service Account Mode (Default)
+- Uses a single PAT (`JIRA_PAT`) for all Jira API calls
+- Users don't need to log in
+- All changes are attributed to the service account
+
+### 2. OAuth 2.0 Mode
+- Each user logs in with their own Jira credentials
+- API calls are made under the user's account
+- Better audit trail and access control
+
+### Setting up OAuth 2.0 (Jira Data Center 8.14+)
+
+1. **Create Application Link in Jira:**
+   - Go to Jira Admin → Application Links
+   - Create a new "Incoming Link"
+   - Set Redirect URL: `http://localhost:3001/api/auth/callback`
+   - Note the Client ID and Secret
+
+2. **Configure Environment:**
+   ```env
+   JIRA_OAUTH_ENABLED=true
+   JIRA_OAUTH_CLIENT_ID=your_client_id
+   JIRA_OAUTH_CLIENT_SECRET=your_client_secret
+   JIRA_OAUTH_CALLBACK_URL=http://localhost:3001/api/auth/callback
+   ```
+
+3. **For Production:**
+   - Update callback URL to production domain
+   - Set `SESSION_SECRET` to a random string
+   - Use HTTPS
+
 ## Implementation Notes
 
 1. **Never commit PAT tokens** - Always use .env files (add to .gitignore)