Copilot AI commented Dec 24, 2025

Documentation was outdated regarding authentication architecture (functions use AuthorizationLevel.Anonymous but are secured by Static Web Apps) and frontend implementation status (Blazor frontend is fully implemented, not "to be implemented").

Updated Documentation

Authentication architecture:

  • Documented SWA + Azure AD enforces authentication upstream via staticwebapp.config.json
  • Functions use AuthorizationLevel.Anonymous and trust SWA authentication layer
  • Added authentication flow: SWA validates → session cookies → Functions trust SWA
  • Included Azure AD configuration steps for deployment

Frontend implementation:

  • Changed status from "to be implemented" to current state
  • Documented Fluent UI components, Markdig rendering, PDF export, interactive visualization

Files updated:

  • README.md - Architecture overview, security section, project structure
  • Bezalu.ProjectReporting.API/README.md - Security model
  • docs/architecture.md - Authentication architecture, data flow
  • docs/deployment.md - Azure AD configuration
  • docs/frontend.md - Frontend overview, auth behavior

Authentication Flow

User → SWA (validates Azure AD) → API request with SWA cookies → Functions (trust SWA)

The key design: Functions don't need function keys because SWA's authenticated role requirement on /api/* routes provides authentication before requests reach Azure Functions.
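
Because the Functions accept anonymous calls, the route rules in `staticwebapp.config.json` are the only gate in front of them. The following is an added example (not code from this PR or the project) that reports which API paths a config leaves open, assuming Static Web Apps' first-match rule ordering and its default of `anonymous` when `allowedRoles` is absent; the sample config and the paths `/api/health` and `/api/reports/123` are constructed.

```python
import json

# Constructed sample, not the project's real file. The first rule is a
# deliberate mistake: it sits above /api/* and has no allowedRoles.
SAMPLE_CONFIG = json.loads("""
{
  "routes": [
    {"route": "/api/health"},
    {"route": "/api/*", "allowedRoles": ["authenticated"]}
  ],
  "responseOverrides": {
    "401": {"redirect": "/.auth/login/aad", "statusCode": 302}
  }
}
""")


def route_matches(pattern, path):
    """Exact match, or prefix match when the pattern ends in '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def effective_roles(config, path, method="GET"):
    """Roles allowed to call path; the first matching rule decides."""
    for rule in config.get("routes", []):
        methods = rule.get("methods")
        if methods and method not in methods:
            continue  # rule is limited to other HTTP methods
        if route_matches(rule.get("route", ""), path):
            # A rule without allowedRoles is open to the anonymous role.
            return rule.get("allowedRoles", ["anonymous"])
    return ["anonymous"]  # no rule matched, so nothing restricts the path


def anonymous_api_calls(config, paths, methods=("GET", "POST")):
    """(method, path) pairs that reach the API without a signed-in user."""
    return [(m, p) for p in paths for m in methods
            if "anonymous" in effective_roles(config, p, m)]


if __name__ == "__main__":
    # Hypothetical endpoint paths, chosen only for the demonstration.
    for call in anonymous_api_calls(SAMPLE_CONFIG,
                                    ["/api/reports/123", "/api/health"]):
        print("open to anonymous callers:", call)
```

Run in CI against the real config and the list of function routes, a non-empty result means an `AuthorizationLevel.Anonymous` function is reachable without sign-in.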



Copilot AI changed the title from "[WIP] Change HTTP trigger authorization to Anonymous" to "Update documentation for SWA authentication and implemented frontend" Dec 24, 2025
Copilot AI requested a review from MWG-Logan December 24, 2025 14:41
MWG-Logan marked this pull request as ready for review December 24, 2025 14:51
Copilot AI review requested due to automatic review settings December 24, 2025 14:51
MWG-Logan merged commit 05a2c00 into dev Dec 24, 2025
5 of 6 checks passed
MWG-Logan deleted the copilot/sub-pr-29 branch December 24, 2025 14:51

Copilot AI left a comment

Pull request overview

This PR updates documentation to accurately reflect the current authentication architecture (Static Web Apps with Azure AD handles authentication upstream, Azure Functions use AuthorizationLevel.Anonymous) and corrects the frontend implementation status from "to be implemented" to fully implemented with details about the Blazor WebAssembly features.

  • Changed frontend documentation from "to be implemented" to describing the fully functional Blazor WebAssembly application with Fluent UI components, Markdig rendering, and PDF export
  • Documented the authentication architecture where Static Web Apps enforces Azure AD authentication before requests reach Azure Functions
  • Added detailed authentication flow descriptions and Azure AD configuration steps across all documentation files

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| docs/frontend.md | Added authentication section explaining SWA/Azure AD integration, updated key behaviors to reflect authentication requirement, clarified HTTP client behavior with SWA routing |
| docs/deployment.md | Added Azure AD configuration steps for both integrated and separate deployment scenarios, documented SWA authentication enforcement |
| docs/architecture.md | Updated data flow to include authentication steps, added new "Authentication Architecture" section explaining the SWA authentication layer |
| README.md | Updated project overview to reflect three projects including Shared DTOs, changed frontend status from "to be implemented" to implemented with feature details, expanded security section with authentication flow diagram, updated project structure to show all three projects |
| Bezalu.ProjectReporting.API/README.md | Updated security section to document SWA authentication layer and AuthorizationLevel.Anonymous pattern |


## Authentication Architecture
- **Static Web Apps** handles authentication via Azure AD (Entra ID)
- `staticwebapp.config.json` enforces `authenticated` role for `/api/*` routes
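
Review bot: On the `authenticated` role bullet, say who receives that role. In Static Web Apps `authenticated` is the built-in role given to every signed-in user, so as written the line documents that sign-in is required for `/api/*`, not which users are allowed. Suggest adding whether any signed-in Entra ID account is acceptable or whether access is narrowed further (tenant restriction or a custom role).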

Copilot AI Dec 24, 2025

Consider specifying the full path to the configuration file (e.g., "Bezalu.ProjectReporting.Web/staticwebapp.config.json") to help readers locate this file in the project structure.

Suggested change
- `staticwebapp.config.json` enforces `authenticated` role for `/api/*` routes
- `Bezalu.ProjectReporting.Web/staticwebapp.config.json` enforces `authenticated` role for `/api/*` routes

Copilot uses AI. Check for mistakes.
- Add Entra ID or other auth on Static Web Apps; issue front-end access token; secure Functions with Easy Auth or custom.
- **Azure Static Web Apps** integrated with **Azure AD (Entra ID)** for authentication
- Configure authentication provider in Azure Portal under SWA > Settings > Authentication
- `staticwebapp.config.json` enforces authentication:

Copilot AI Dec 24, 2025

Consider specifying the full path to the configuration file (e.g., "Bezalu.ProjectReporting.Web/staticwebapp.config.json") to help readers locate this file in the project structure.

Suggested change
- `staticwebapp.config.json` enforces authentication:
- `Bezalu.ProjectReporting.Web/staticwebapp.config.json` enforces authentication:

- Configured in `staticwebapp.config.json`:
- `/api/*` routes require `authenticated` role
- Unauthenticated users redirected to `/.auth/login/aad`
- SWA session cookies automatically included in API requests

Copilot AI Dec 24, 2025

Inconsistent terminology: This line refers to "SWA session cookies" while line 28 refers to "SWA authentication cookies". Consider using consistent terminology throughout the documentation to refer to the same concept.

Suggested change
- SWA session cookies automatically included in API requests
- SWA authentication cookies automatically included in API requests

### Authentication Flow

1. User accesses the Blazor WebAssembly app hosted on Azure Static Web Apps
2. Static Web Apps enforces authentication via Azure AD (configured in `staticwebapp.config.json`)

Copilot AI Dec 24, 2025

The documentation states "configured in staticwebapp.config.json" but doesn't specify where this file is located. Consider adding the file path (e.g., "configured in Bezalu.ProjectReporting.Web/staticwebapp.config.json") to help readers locate this configuration file.

Suggested change
2. Static Web Apps enforces authentication via Azure AD (configured in `staticwebapp.config.json`)
2. Static Web Apps enforces authentication via Azure AD (configured in `Bezalu.ProjectReporting.Web/staticwebapp.config.json`)


## Authentication
- **Azure Static Web Apps** handles authentication via Azure AD (Entra ID)
- Configured in `staticwebapp.config.json`:

Copilot AI Dec 24, 2025

Consider specifying the full path to the configuration file (e.g., "Configured in Bezalu.ProjectReporting.Web/staticwebapp.config.json") to help readers locate this file in the project structure.

Suggested change
- Configured in `staticwebapp.config.json`:
- Configured in `Bezalu.ProjectReporting.Web/staticwebapp.config.json`:

- Markdown + Markdig chosen for flexibility in AI summary formatting.
- QuestPDF chosen for deterministic server-side PDF rendering.
- **Azure Static Web Apps** provides integrated hosting, authentication, and API routing.
- **Function AuthorizationLevel.Anonymous** used because authentication is enforced upstream by SWA.
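
Review bot: The `AuthorizationLevel.Anonymous` bullet gives "enforced upstream by SWA" as its whole justification, but nothing in these lines says what stops a request from reaching the Functions host without passing through SWA. Suggest adding a sentence that states the precondition (the API is reachable only through the SWA `/api/*` route), so the Anonymous level is not carried into a deployment where the Functions endpoint is exposed directly.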

Copilot AI Dec 24, 2025

The phrase "Function AuthorizationLevel.Anonymous" reads awkwardly. Consider rewording to "Azure Functions use AuthorizationLevel.Anonymous" for better clarity and readability.

Suggested change
- **Function AuthorizationLevel.Anonymous** used because authentication is enforced upstream by SWA.
- **Azure Functions use AuthorizationLevel.Anonymous** because authentication is enforced upstream by SWA.
