Part of #64

• Implement default-deny ACLs as a baseline.
• Define granular, least-privilege access rules for groups and services.
• Configure split tunneling and per-group DNS settings.
• Enforce SSO/OIDC for user authentication.
• Establish a process for regular WireGuard key rotation.