Add ScreenConnect-parity features (high + medium)

Viewer:
- Toolbar: Ctrl+Alt+Del, clipboard paste, monitor picker, file transfer, chat, WoL buttons
- Multi-monitor: agent sends monitor_list on connect, viewer can switch via dropdown
- Clipboard sync: agent polls local clipboard → sends to viewer; viewer paste → agent sets remote clipboard
- File transfer panel: drag-drop upload to agent, directory browser, download files from remote
- Chat panel: bidirectional text chat forwarded through relay

Agent:
- Multi-monitor capture with set_monitor/set_quality message handlers
- exec_key_combo for Ctrl+Alt+Del and arbitrary combos
- Clipboard polling via pyperclip (both directions)
- File upload/download/list_files with base64 chunked protocol
- Attended mode (--attended): zenity/kdialog/PowerShell consent dialog before accepting stream
- Auto-update: heartbeat checks version, downloads new binary and exec-replaces self (Linux)
- Reports MAC address on registration (for WoL)

Relay:
- Forwards monitor_list, clipboard_content, file_chunk, file_list, chat_message agent→viewer
- Session recording: when RECORDING_DIR env set, saves JPEG frames as .remrec files
- ALLOWED_ORIGINS CORS now set from NEXT_PUBLIC_APP_URL in docker-compose

Database:
- groups table (id, name, description, created_by)
- machines: group_id, mac_address, notes, tags text[]
- Migration 0003 applied

Dashboard:
- Machines page: search, tag filter, group filter, inline notes/tags/rename editing
- MachineCard: inline tag management, group picker, notes textarea
- Admin page: new Groups tab (create/list/delete groups)
- API: PATCH /api/machines/[id] (name, notes, tags, groupId)
- API: GET/POST/DELETE /api/groups
- API: POST /api/machines/wol (broadcast magic packet)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

app/api/groups/route.ts

@@ -0,0 +1,44 @@
+import { auth } from '@/auth'
+import { db } from '@/lib/db'
+import { groups } from '@/lib/db/schema'
+import { eq } from 'drizzle-orm'
+import { NextRequest, NextResponse } from 'next/server'
+
+type AuthUser = { id: string; role?: string }
+
+export async function GET() {
+  const authSession = await auth()
+  if (!authSession?.user?.id) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+
+  const list = await db.select().from(groups).orderBy(groups.name)
+  return NextResponse.json({ groups: list })
+}
+
+export async function POST(request: NextRequest) {
+  const authSession = await auth()
+  if (!authSession?.user?.id) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  const u = authSession.user as AuthUser
+  if (u.role !== 'admin') return NextResponse.json({ error: 'Admin only' }, { status: 403 })
+
+  const { name, description } = await request.json()
+  if (!name?.trim()) return NextResponse.json({ error: 'Name required' }, { status: 400 })
+
+  const [group] = await db.insert(groups).values({
+    name: String(name).slice(0, 100),
+    description: description ? String(description).slice(0, 500) : null,
+    createdBy: u.id,
+  }).returning()
+
+  return NextResponse.json({ group })
+}
+
+export async function DELETE(request: NextRequest) {
+  const authSession = await auth()
+  if (!authSession?.user?.id) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  const u = authSession.user as AuthUser
+  if (u.role !== 'admin') return NextResponse.json({ error: 'Admin only' }, { status: 403 })
+
+  const { id } = await request.json()
+  await db.delete(groups).where(eq(groups.id, id))
+  return NextResponse.json({ success: true })
+}