docs: update changelog

CODE_GUIDELINES.md

@@ -84,6 +84,8 @@ lib/
 │   ├── custom_field_value.ex        # Custom field value resource
 │   ├── custom_field.ex   # CustomFieldValue type resource
 │   ├── setting.ex         # Global settings (singleton resource)
+│   ├── group.ex           # Group resource
+│   ├── member_group.ex    # MemberGroup join table resource
 │   └── email.ex           # Email custom type
 ├── membership_fees/        # MembershipFees domain
 │   ├── membership_fees.ex # Domain definition
@@ -149,6 +151,8 @@ lib/
 │   │   ├── membership_fee_type_live/ # Membership fee type LiveViews
 │   │   ├── membership_fee_settings_live.ex # Membership fee settings
 │   │   ├── global_settings_live.ex # Global settings
+│   │   ├── group_live/     # Group management LiveViews
+│   │   ├── import_export_live.ex # CSV import/export LiveView
 │   │   └── contribution_type_live/ # Contribution types (mock-up)
 │   ├── auth_overrides.ex  # AshAuthentication overrides
 │   ├── endpoint.ex        # Phoenix endpoint
@@ -641,7 +645,95 @@ def card(assigns) do
 end
 ```
 
-### 3.3 System Actor Pattern
+### 3.3 CSV Import Configuration
+
+**CSV Import Limits:**
+
+CSV import functionality supports configurable limits to prevent resource exhaustion:
+
+```elixir
+# config/config.exs
+config :mv,
+  csv_import: [
+    max_file_size_mb: 10,  # Maximum file size in megabytes
+    max_rows: 1000          # Maximum number of data rows (excluding header)
+  ]
+```
+
+**Accessing Configuration:**
+
+Use `Mv.Config` helper functions:
+
+```elixir
+# Get max file size in bytes
+max_bytes = Mv.Config.csv_import_max_file_size_bytes()
+
+# Get max file size in megabytes
+max_mb = Mv.Config.csv_import_max_file_size_mb()
+
+# Get max rows
+max_rows = Mv.Config.csv_import_max_rows()
+```
+
+**Best Practices:**
+- Set reasonable limits based on server resources
+- Display limits to users in UI
+- Validate file size before upload
+- Process imports in chunks (default: 200 rows per chunk)
+- Cap error collection (default: 50 errors per import)
+
+### 3.4 Page-Level Authorization
+
+**CheckPagePermission Plug:**
+
+Use `MvWeb.Plugs.CheckPagePermission` for page-level authorization:
+
+```elixir
+# lib/mv_web/router.ex
+defmodule MvWeb.Router do
+  use MvWeb, :router
+  
+  # Add plug to router pipeline
+  pipeline :browser do
+    plug :accepts, ["html"]
+    plug :fetch_session
+    plug :fetch_live_flash
+    plug :put_root_layout, html: {MvWeb.Layouts, :root}
+    plug :protect_from_forgery
+    plug :put_secure_browser_headers
+    plug MvWeb.Plugs.CheckPagePermission  # Page-level authorization
+  end
+end
+```
+
+**Permission Set Route Matrix:**
+
+Routes are mapped to permission sets:
+- `own_data`: Can access `/profile` and `/members/:id` (own linked member only)
+- `read_only`: Can read all data, cannot modify
+- `normal_user`: Can read and modify most data
+- `admin`: Full access to all routes
+
+**Usage in LiveViews:**
+
+```elixir
+# Check page access before mount
+def mount(_params, _session, socket) do
+  actor = current_actor(socket)
+  
+  if MvWeb.Authorization.can_access_page?(actor, "/admin/roles") do
+    {:ok, assign(socket, :roles, load_roles(actor))}
+  else
+    {:ok, redirect(socket, to: ~p"/")}
+  end
+end
+```
+
+**Public Paths:**
+
+Public paths (login, OIDC callbacks) are excluded from permission checks automatically.
+
+### 3.5 System Actor Pattern
 
 **When to Use System Actor:**
 
@@ -726,7 +818,7 @@ Two mechanisms exist for bypassing standard authorization:
 
 **See also:** `docs/roles-and-permissions-architecture.md` (Authorization Bootstrap Patterns section)
 
-### 3.4 Ash Framework
+### 3.6 Ash Framework
 
 **Resource Definition Best Practices:**