feat: document user management system and RBAC implementation

- Update copilot-instructions.md with user model, API routes, and frontend patterns
- Update README.md with RBAC details, user management API, and security sections
- Add user management technical documentation to TECH-CHANGELOG.md
- Bump version to 2025.1.0-alpha.13 with user management changelog entries

README.md

@@ -46,7 +46,11 @@ Data flow summary:
 
 ## 🌟 Key Features
 
-
+- **User Management**: Comprehensive role-based access control (user → editor → admin → superadmin)
+  - Admin panel for user CRUD operations with audit tracking
+  - Self-service password change available to all users
+  - Audit trail: login times, password changes, deactivation history
+  - Soft-delete by default, hard-delete superadmin-only
 - Modern React-based web interface with Syncfusion components
 - Real-time client monitoring and group management
 - Event scheduling with academic period support
@@ -359,6 +363,19 @@ mosquitto_sub -h localhost -t "infoscreen/+/heartbeat" -v
       - `video_volume` (0.0–1.0, default "0.8")
       - `video_muted` ("true"/"false", default "false")
 
+### User Management (Admin+)
+- `GET /api/users` - List all users (role-filtered by user's role)
+- `POST /api/users` - Create new user with username, password (min 6 chars), role, and status
+- `GET /api/users/<id>` - Get user details including audit information (login times, password changes, deactivation)
+- `PUT /api/users/<id>` - Update user (cannot change own role or account status)
+- `PUT /api/users/<id>/password` - Admin password reset (cannot reset own password this way; use `/api/auth/change-password` instead)
+- `DELETE /api/users/<id>` - Delete user permanently (superadmin only; cannot delete self)
+
+### Authentication
+- `POST /api/auth/login` - User login (tracks last login time and failed attempts)
+- `POST /api/auth/logout` - User logout
+- `PUT /api/auth/change-password` - Self-service password change (all authenticated users; requires current password verification)
+
 ### Health & Monitoring
 - `GET /health` - Service health check
 - `GET /api/screenshots/{uuid}.jpg` - Client screenshots
@@ -385,7 +402,7 @@ mosquitto_sub -h localhost -t "infoscreen/+/heartbeat" -v
 - **Notifications**: Toast messages and alerts
  - **Pager**: Used on Programinfo changelog for pagination
  - **Cards (layouts)**: Programinfo sections styled with Syncfusion card classes
- - **SplitButtons**: Header user menu (top-right) using Syncfusion DropDownButton to show current user and role, with actions “Profil” and “Abmelden”.
+ - **SplitButtons**: Header user menu (top-right) using Syncfusion DropDownButton to show current user and role, with actions "Passwort ändern", "Profil", and "Abmelden".
 
 ### Pages Overview
 - **Dashboard**: Card-based overview of all Raumgruppen (room groups) with real-time status monitoring. Features include:
@@ -400,6 +417,14 @@ mosquitto_sub -h localhost -t "infoscreen/+/heartbeat" -v
 - **Groups**: Client group organization
 - **Events**: Schedule management
 - **Media**: File upload and conversion
+- **Users**: Comprehensive user management (admin+ only in menu)
+   - Full CRUD interface with sortable GridComponent (20 per page)
+   - Statistics cards: total, active, inactive user counts
+   - Create, edit, delete, and password reset dialogs
+   - User details modal showing audit information (login times, password changes, deactivation)
+   - Role badges with color coding (user: gray, editor: blue, admin: green, superadmin: red)
+   - Self-protection: cannot modify own account (cannot change role/status or delete self)
+   - Superadmin-only hard delete; other users soft-deactivate
 - **Settings**: Central configuration (tabbed)
    - 📅 Academic Calendar (all users):
       - 📥 Import & Liste: CSV/TXT import combined with holidays list
@@ -413,6 +438,18 @@ mosquitto_sub -h localhost -t "infoscreen/+/heartbeat" -v
 
 ## 🔒 Security & Authentication
 
+- **Role-Based Access Control (RBAC)**: 4-tier hierarchy (user → editor → admin → superadmin) with privilege escalation protection
+  - Admin cannot see, manage, or create superadmin accounts
+  - Admin can create and manage user/editor/admin roles only
+  - Superadmin can manage all roles including other superadmins
+  - Role-gated menu visibility: users only see menu items they have permission for
+- **Account Management**:
+  - Soft-delete by default (deactivated_at, deactivated_by timestamps)
+  - Hard-delete superadmin-only (permanent removal from database)
+  - Self-account protections: cannot change own role/status, cannot delete self via admin panel
+  - Self-service password change available to all authenticated users (requires current password verification)
+  - Admin password reset available for other users (no current password required)
+- **Audit Tracking**: All user accounts track login times, password changes, failed login attempts, and deactivation history
 - **Environment Variables**: Sensitive data via `.env`
 - **SSL/TLS**: HTTPS support with custom certificates
 - **MQTT Security**: Username/password authentication
@@ -423,10 +460,11 @@ mosquitto_sub -h localhost -t "infoscreen/+/heartbeat" -v
 ## 📊 Monitoring & Logging
 
 ### Health Checks
- **Scheduler**: Logging is concise; conversion lookups are cached and logged only once per media.
 - Database: Connection and initialization status
 - MQTT: Pub/sub functionality test
 - Dashboard: Nginx availability
+- **Scheduler**: Logging is concise; conversion lookups are cached and logged only once per media.
+- Dashboard: Nginx availability
 
 ### Logging Strategy
 - **Development**: Docker Compose logs with service prefixes