Add permission checks and upload limit config fix #109

Open
tdat314 wants to merge 4 commits into staging from feat/access-control

Conversation

@tdat314 tdat314 commented Jun 11, 2026

Collaborator

Summary

This PR adds a few small access-control/security-related cleanup items:

  • Adds the existing User.can('edit data') middleware to destructive incident/group routes.
  • Fixes the attachment upload middleware to import upload limits from the existing group config file.
  • Adds an access-control documentation folder for working notes and planning.

Rationale

I started with small, reviewable changes rather than jumping directly into the broader access-control implementation. The route changes use the existing authorization pattern already present elsewhere in the codebase. The upload limit change keeps the middleware aligned with the same config source used by the model/routes/controllers.

Scope

This PR does not implement the full team/group-scoped access-control model. It is intended as an initial hardening and planning step.

Potential impact

Users or integrations without edit data permission will no longer be able to clear tags or delete incident/group records through these routes.

Verification

  • Reviewed the diff to confirm the backend changes are limited to the route and upload middleware files.
  • Confirmed destructive incident/group routes now include User.can('edit data').
  • Confirmed the upload middleware now imports attachment limits from backend/config/models/groupConfigs.js.
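
The verification step above (confirming that destructive routes include the permission middleware) can also be automated. This is an added example, not code from this pull request or the project: it assumes Express-style `(req, res, next)` middleware, and `can`, `routes`, `isDestructive`, `auditRoutes` and `dispatch` are hypothetical names operating on a constructed route table.

```javascript
// Added example. can, routes, isDestructive, auditRoutes, dispatch are hypothetical names.
// Middleware factory in the shape of User.can('edit data'); denies by default.
function can(permission) {
  const gate = (req, res, next) => {
    const granted = (req.user && req.user.permissions) || [];
    if (!granted.includes(permission)) {
      res.statusCode = 403;
      return res.end('Forbidden'); // stop the chain, handler never runs
    }
    next();
  };
  gate.requiredPermission = permission; // tag so the audit can recognise the gate
  return gate;
}

const handler = (req, res) => res.end('ok');

// Constructed route table: [method, path, ...middleware chain ending in the handler].
const routes = [
  ['GET', '/incident/:id', handler],
  ['DELETE', '/incident/:id', can('edit data'), handler],
  ['DELETE', '/group/:id', handler], // gate missing
  ['POST', '/incident/clear-tags', can('view data'), handler], // wrong permission
];

// Assumption: "destructive" means DELETE, or a path that clears/deletes/removes.
function isDestructive(method, path) {
  return method === 'DELETE' || /clear|delete|remove/i.test(path);
}

// Return destructive routes whose chain lacks the gate before the final handler.
function auditRoutes(table, permission) {
  return table
    .filter(([method, path]) => isDestructive(method, path))
    .filter(([, , ...chain]) =>
      !chain.slice(0, -1).some((mw) => mw.requiredPermission === permission))
    .map(([method, path]) => `${method} ${path}`);
}

// Run a chain for a given user and report the resulting status code.
function dispatch(chain, user) {
  const req = { user };
  const res = { statusCode: 200, end() {} };
  let i = 0;
  const next = () => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return res.statusCode;
}
```

Run as a CI check, a non-empty result from `auditRoutes` fails the build, so a destructive route added later without the gate is caught before review.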

@tdat314 tdat314 linked an issue Jun 13, 2026 that may be closed by this pull request
@tdat314 tdat314 removed a link to an issue Jun 13, 2026
tdat314 added 2 commits June 12, 2026 22:26
Document access control considerations and recommendations for implementing role-based permissions and team scopes.
@tdat314 tdat314 changed the title from "Add permission checks to destructive incident routes" to "Add permission checks and upload limit config fix" Jun 13, 2026
tdat314 commented Jun 13, 2026

Collaborator Author

I added one additional small backend cleanup after the initial route hardening: the upload middleware now imports attachment limits from the existing group config file. I also added the access-control docs folder/notes as a place to collect the broader team/group-scope plan separately from implementation.
