From b8fd99a5f4bcb991d75698c54d14ea47867b4465 Mon Sep 17 00:00:00 2001
From: Knacky <knckydev@gmail.com>
Date: Tue, 12 May 2026 19:57:33 +0200
Subject: [PATCH 1/6] feat(m5): test_template + scenario_template CRUD with
 MITRE tags and ordered tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Service `app/services/test_templates.py`: CRUD with MITRE tag resolution
  (kind, external_id) → polymorphic join, filters by tactic/technique/
  subtechnique/opsec/tag, `_UNSET` sentinel for partial-update semantics.
- Service `app/services/scenario_templates.py`: ordered test list, reorder
  via full-replace (atomic w.r.t. UNIQUE(position) constraint), soft-delete.
- REST endpoints on /api/v1/test-templates and /scenario-templates with
  pydantic schemas + perm gating (test_template.* and scenario_template.*).
- /diag/reset truncates the 4 new tables before MITRE (FK ordering).
- 19 pytest covering CRUD, MITRE tag merge, soft-delete chaining, perm
  enforcement, and reorder atomicity.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 backend/app/api/diag.py                    |  11 +
 backend/app/api/scenario_templates.py      | 208 +++++++++
 backend/app/api/test_templates.py          | 250 +++++++++++
 backend/app/api/v1.py                      |   4 +
 backend/app/services/scenario_templates.py | 240 ++++++++++
 backend/app/services/test_templates.py     | 395 +++++++++++++++++
 backend/tests/test_templates.py            | 492 +++++++++++++++++++++
 7 files changed, 1600 insertions(+)
 create mode 100644 backend/app/api/scenario_templates.py
 create mode 100644 backend/app/api/test_templates.py
 create mode 100644 backend/app/services/scenario_templates.py
 create mode 100644 backend/app/services/test_templates.py
 create mode 100644 backend/tests/test_templates.py

diff --git a/backend/app/api/diag.py b/backend/app/api/diag.py
index 4fa3880..8dd0e20 100644
--- a/backend/app/api/diag.py
+++ b/backend/app/api/diag.py
@@ -73,6 +73,17 @@ def reset_test_state():
                     "user_groups, settings, groups RESTART IDENTITY CASCADE"
                 )
             )
+            # Template catalogue reset (M5). The MITRE truncate below cascades to
+            # the polymorphic tag join, but the template rows themselves must be
+            # wiped first because `scenario_template_tests.test_template_id` is
+            # ON DELETE RESTRICT.
+            conn.execute(
+                text(
+                    "TRUNCATE scenario_template_tests, scenario_templates, "
+                    "test_template_mitre_tags, test_templates "
+                    "RESTART IDENTITY CASCADE"
+                )
+            )
             # MITRE reference reset — kept in sync with `settings` so a freshly
             # reset stack has `GET /mitre/status` and `GET /mitre/tactics` agree
             # ("no data, no last_sync"). The e2e suite re-syncs via /mitre/sync
diff --git a/backend/app/api/scenario_templates.py b/backend/app/api/scenario_templates.py
new file mode 100644
index 0000000..4481f5d
--- /dev/null
+++ b/backend/app/api/scenario_templates.py
@@ -0,0 +1,208 @@
+"""Scenario-template CRUD + reorder endpoints.
+
+`PUT /<id>/tests` is the reorder/replace endpoint — it takes the full ordered
+list and rewrites the join rows. There's no partial mutation API for the test
+list: the wire contract is simpler and the client (drag-and-drop) already
+holds the full ordering.
+"""
+
+from __future__ import annotations
+
+import logging
+import uuid
+from typing import Any
+
+from flask import Blueprint, jsonify, request
+from pydantic import BaseModel, Field, ValidationError
+
+from app.core.auth_decorators import require_auth, require_perm
+from app.services import scenario_templates as svc
+
+bp = Blueprint("scenario_templates", __name__, url_prefix="/scenario-templates")
+log = logging.getLogger("metamorph.api.scenario_templates")
+
+
+class CreateScenarioPayload(BaseModel):
+    name: str = Field(min_length=1, max_length=255)
+    description: str | None = Field(default=None, max_length=4000)
+    test_template_ids: list[uuid.UUID] = Field(default_factory=list, max_length=512)
+
+    model_config = {"extra": "forbid"}
+
+
+class UpdateScenarioPayload(BaseModel):
+    name: str | None = Field(default=None, min_length=1, max_length=255)
+    description: str | None = Field(default=None, max_length=4000)
+
+    model_config = {"extra": "forbid"}
+
+
+class SetTestsPayload(BaseModel):
+    test_template_ids: list[uuid.UUID] = Field(default_factory=list, max_length=512)
+
+    model_config = {"extra": "forbid"}
+
+
+def _serialize(sc: svc.ScenarioTemplateView) -> dict[str, Any]:
+    return {
+        "id": str(sc.id),
+        "name": sc.name,
+        "description": sc.description,
+        "tests": [
+            {
+                "position": t.position,
+                "test_template_id": str(t.test_template_id),
+                "test_template_name": t.test_template_name,
+                "test_template_deleted": t.test_template_deleted,
+            }
+            for t in sc.tests
+        ],
+        "tests_count": sc.tests_count,
+        "deleted_at": sc.deleted_at.isoformat() if sc.deleted_at else None,
+        "created_at": sc.created_at.isoformat(),
+        "updated_at": sc.updated_at.isoformat(),
+    }
+
+
+def _parse_uuid_or_400(raw: str):
+    try:
+        return uuid.UUID(raw)
+    except ValueError:
+        return None
+
+
+def _pagination_args() -> tuple[int, int] | tuple[None, tuple[int, str]]:
+    try:
+        limit = int(request.args.get("limit", "100"))
+        offset = int(request.args.get("offset", "0"))
+    except ValueError:
+        return None, (400, "invalid_pagination")
+    return max(1, min(limit, 500)), max(0, offset)
+
+
+@bp.get("")
+@require_auth
+@require_perm("scenario_template.read")
+def list_scenario_templates():
+    paging = _pagination_args()
+    if paging[0] is None:
+        return jsonify({"error": paging[1][1]}), paging[1][0]
+    limit, offset = paging
+    q = request.args.get("q") or None
+    include_deleted = request.args.get("include_deleted", "false").lower() == "true"
+    items, total = svc.list_scenario_templates(
+        q=q, include_deleted=include_deleted, limit=limit, offset=offset
+    )
+    return jsonify(
+        {
+            "items": [_serialize(it) for it in items],
+            "total": total,
+            "limit": limit,
+            "offset": offset,
+        }
+    )
+
+
+@bp.get("/<scenario_id>")
+@require_auth
+@require_perm("scenario_template.read")
+def get_scenario_template(scenario_id: str):
+    sid = _parse_uuid_or_400(scenario_id)
+    if sid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    include_deleted = request.args.get("include_deleted", "false").lower() == "true"
+    try:
+        view = svc.get_scenario_template(sid, include_deleted=include_deleted)
+    except svc.ScenarioTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    return jsonify(_serialize(view))
+
+
+@bp.post("")
+@require_auth
+@require_perm("scenario_template.create")
+def create_scenario_template():
+    try:
+        payload = CreateScenarioPayload.model_validate(request.get_json(silent=True) or {})
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+    try:
+        view = svc.create_scenario_template(
+            name=payload.name,
+            description=payload.description,
+            test_template_ids=payload.test_template_ids,
+        )
+    except svc.UnknownTestTemplate as e:
+        return jsonify({"error": "unknown_test_template", "message": str(e)}), 400
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    log.info(
+        "metamorph.scenario_template.created",
+        extra={"id": str(view.id), "tests": len(view.tests)},
+    )
+    return jsonify(_serialize(view)), 201
+
+
+@bp.patch("/<scenario_id>")
+@require_auth
+@require_perm("scenario_template.update")
+def update_scenario_template(scenario_id: str):
+    sid = _parse_uuid_or_400(scenario_id)
+    if sid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    raw = request.get_json(silent=True) or {}
+    try:
+        payload = UpdateScenarioPayload.model_validate(raw)
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+    kwargs: dict[str, Any] = {}
+    if "name" in raw:
+        kwargs["name"] = payload.name
+    if "description" in raw:
+        kwargs["description"] = payload.description
+    try:
+        view = svc.update_scenario_template(sid, **kwargs)
+    except svc.ScenarioTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    return jsonify(_serialize(view))
+
+
+@bp.put("/<scenario_id>/tests")
+@require_auth
+@require_perm("scenario_template.update")
+def set_scenario_tests(scenario_id: str):
+    sid = _parse_uuid_or_400(scenario_id)
+    if sid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    try:
+        payload = SetTestsPayload.model_validate(request.get_json(silent=True) or {})
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+    try:
+        view = svc.set_scenario_tests(sid, payload.test_template_ids)
+    except svc.ScenarioTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    except svc.UnknownTestTemplate as e:
+        return jsonify({"error": "unknown_test_template", "message": str(e)}), 400
+    log.info(
+        "metamorph.scenario_template.tests_set",
+        extra={"id": str(sid), "tests": len(view.tests)},
+    )
+    return jsonify(_serialize(view))
+
+
+@bp.delete("/<scenario_id>")
+@require_auth
+@require_perm("scenario_template.delete")
+def soft_delete_scenario_template(scenario_id: str):
+    sid = _parse_uuid_or_400(scenario_id)
+    if sid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    try:
+        svc.soft_delete_scenario_template(sid)
+    except svc.ScenarioTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    log.info("metamorph.scenario_template.soft_deleted", extra={"id": str(sid)})
+    return jsonify({"ok": True})
diff --git a/backend/app/api/test_templates.py b/backend/app/api/test_templates.py
new file mode 100644
index 0000000..86754f4
--- /dev/null
+++ b/backend/app/api/test_templates.py
@@ -0,0 +1,250 @@
+"""Test-template CRUD endpoints.
+
+Reads gated by `test_template.read`. Writes gated by `test_template.{create,
+update,delete}`. Service layer handles all DB work; this module only validates
+the wire payload and shapes the JSON response.
+"""
+
+from __future__ import annotations
+
+import logging
+import uuid
+from typing import Any
+
+from flask import Blueprint, jsonify, request
+from pydantic import BaseModel, Field, ValidationError
+
+from app.core.auth_decorators import require_auth, require_perm
+from app.services import test_templates as svc
+
+bp = Blueprint("test_templates", __name__, url_prefix="/test-templates")
+log = logging.getLogger("metamorph.api.test_templates")
+
+
+# === Payload schemas ==========================================================
+
+
+class MitreTagIn(BaseModel):
+    kind: str = Field(min_length=1)
+    external_id: str = Field(min_length=1, max_length=16)
+
+    model_config = {"extra": "forbid"}
+
+
+class CreateTestTemplatePayload(BaseModel):
+    name: str = Field(min_length=1, max_length=255)
+    description: str | None = Field(default=None, max_length=4000)
+    objective: str | None = Field(default=None, max_length=4000)
+    procedure_md: str | None = Field(default=None, max_length=32_000)
+    prerequisites_md: str | None = Field(default=None, max_length=32_000)
+    expected_result_red_md: str | None = Field(default=None, max_length=32_000)
+    expected_detection_blue_md: str | None = Field(default=None, max_length=32_000)
+    opsec_level: str = Field(default="medium")
+    tags: list[str] = Field(default_factory=list, max_length=64)
+    expected_iocs: list[str] = Field(default_factory=list, max_length=128)
+    mitre_tags: list[MitreTagIn] = Field(default_factory=list, max_length=64)
+
+    model_config = {"extra": "forbid"}
+
+
+class UpdateTestTemplatePayload(BaseModel):
+    name: str | None = Field(default=None, min_length=1, max_length=255)
+    description: str | None = Field(default=None, max_length=4000)
+    objective: str | None = Field(default=None, max_length=4000)
+    procedure_md: str | None = Field(default=None, max_length=32_000)
+    prerequisites_md: str | None = Field(default=None, max_length=32_000)
+    expected_result_red_md: str | None = Field(default=None, max_length=32_000)
+    expected_detection_blue_md: str | None = Field(default=None, max_length=32_000)
+    opsec_level: str | None = None
+    tags: list[str] | None = Field(default=None, max_length=64)
+    expected_iocs: list[str] | None = Field(default=None, max_length=128)
+    mitre_tags: list[MitreTagIn] | None = Field(default=None, max_length=64)
+
+    model_config = {"extra": "forbid"}
+
+
+# === Serializers ==============================================================
+
+
+def _serialize(t: svc.TestTemplateView) -> dict[str, Any]:
+    return {
+        "id": str(t.id),
+        "name": t.name,
+        "description": t.description,
+        "objective": t.objective,
+        "procedure_md": t.procedure_md,
+        "prerequisites_md": t.prerequisites_md,
+        "expected_result_red_md": t.expected_result_red_md,
+        "expected_detection_blue_md": t.expected_detection_blue_md,
+        "opsec_level": t.opsec_level,
+        "tags": list(t.tags),
+        "expected_iocs": list(t.expected_iocs),
+        "mitre_tags": [
+            {"kind": tag.kind, "external_id": tag.external_id, "name": tag.name, "url": tag.url}
+            for tag in t.mitre_tags
+        ],
+        "deleted_at": t.deleted_at.isoformat() if t.deleted_at else None,
+        "created_at": t.created_at.isoformat(),
+        "updated_at": t.updated_at.isoformat(),
+    }
+
+
+def _parse_uuid_or_400(raw: str):
+    try:
+        return uuid.UUID(raw)
+    except ValueError:
+        return None
+
+
+def _pagination_args() -> tuple[int, int] | tuple[None, tuple[int, str]]:
+    try:
+        limit = int(request.args.get("limit", "100"))
+        offset = int(request.args.get("offset", "0"))
+    except ValueError:
+        return None, (400, "invalid_pagination")
+    return max(1, min(limit, 500)), max(0, offset)
+
+
+# === Endpoints ================================================================
+
+
+@bp.get("")
+@require_auth
+@require_perm("test_template.read")
+def list_test_templates():
+    paging = _pagination_args()
+    if paging[0] is None:
+        return jsonify({"error": paging[1][1]}), paging[1][0]
+    limit, offset = paging
+    q = request.args.get("q") or None
+    tactic = request.args.get("tactic") or None
+    technique = request.args.get("technique") or None
+    subtechnique = request.args.get("subtechnique") or None
+    opsec_level = request.args.get("opsec") or None
+    tag = request.args.get("tag") or None
+    include_deleted = request.args.get("include_deleted", "false").lower() == "true"
+    try:
+        items, total = svc.list_test_templates(
+            q=q,
+            tactic=tactic,
+            technique=technique,
+            subtechnique=subtechnique,
+            opsec_level=opsec_level,
+            tag=tag,
+            include_deleted=include_deleted,
+            limit=limit,
+            offset=offset,
+        )
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    return jsonify(
+        {
+            "items": [_serialize(it) for it in items],
+            "total": total,
+            "limit": limit,
+            "offset": offset,
+        }
+    )
+
+
+@bp.get("/<template_id>")
+@require_auth
+@require_perm("test_template.read")
+def get_test_template(template_id: str):
+    tid = _parse_uuid_or_400(template_id)
+    if tid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    include_deleted = request.args.get("include_deleted", "false").lower() == "true"
+    try:
+        view = svc.get_test_template(tid, include_deleted=include_deleted)
+    except svc.TestTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    return jsonify(_serialize(view))
+
+
+@bp.post("")
+@require_auth
+@require_perm("test_template.create")
+def create_test_template():
+    try:
+        payload = CreateTestTemplatePayload.model_validate(request.get_json(silent=True) or {})
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+    try:
+        view = svc.create_test_template(
+            name=payload.name,
+            description=payload.description,
+            objective=payload.objective,
+            procedure_md=payload.procedure_md,
+            prerequisites_md=payload.prerequisites_md,
+            expected_result_red_md=payload.expected_result_red_md,
+            expected_detection_blue_md=payload.expected_detection_blue_md,
+            opsec_level=payload.opsec_level,
+            tags=payload.tags,
+            expected_iocs=payload.expected_iocs,
+            mitre_tags=[svc.MitreTagRef(kind=t.kind, external_id=t.external_id) for t in payload.mitre_tags],
+        )
+    except svc.UnknownMitreTag as e:
+        return jsonify({"error": "unknown_mitre_tag", "message": str(e)}), 400
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    log.info(
+        "metamorph.test_template.created",
+        extra={"id": str(view.id), "template_name": view.name},
+    )
+    return jsonify(_serialize(view)), 201
+
+
+@bp.put("/<template_id>")
+@require_auth
+@require_perm("test_template.update")
+def update_test_template(template_id: str):
+    tid = _parse_uuid_or_400(template_id)
+    if tid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    raw = request.get_json(silent=True) or {}
+    try:
+        payload = UpdateTestTemplatePayload.model_validate(raw)
+    except ValidationError as e:
+        return jsonify({"error": "invalid_request", "details": e.errors()}), 400
+
+    # Only forward keys actually present in the body — model_validate leaves
+    # missing fields as None and we can't distinguish "explicitly null" from
+    # "omitted". The set of keys in `raw` is the wire-level intent.
+    kwargs: dict[str, Any] = {}
+    for field_name in (
+        "name", "description", "objective", "procedure_md", "prerequisites_md",
+        "expected_result_red_md", "expected_detection_blue_md",
+        "opsec_level", "tags", "expected_iocs",
+    ):
+        if field_name in raw:
+            kwargs[field_name] = getattr(payload, field_name)
+    if "mitre_tags" in raw:
+        kwargs["mitre_tags"] = (
+            [svc.MitreTagRef(kind=t.kind, external_id=t.external_id) for t in (payload.mitre_tags or [])]
+        )
+    try:
+        view = svc.update_test_template(tid, **kwargs)
+    except svc.TestTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    except svc.UnknownMitreTag as e:
+        return jsonify({"error": "unknown_mitre_tag", "message": str(e)}), 400
+    except ValueError as e:
+        return jsonify({"error": "invalid_request", "message": str(e)}), 400
+    log.info("metamorph.test_template.updated", extra={"id": str(tid), "fields": sorted(kwargs.keys())})
+    return jsonify(_serialize(view))
+
+
+@bp.delete("/<template_id>")
+@require_auth
+@require_perm("test_template.delete")
+def soft_delete_test_template(template_id: str):
+    tid = _parse_uuid_or_400(template_id)
+    if tid is None:
+        return jsonify({"error": "invalid_id"}), 400
+    try:
+        svc.soft_delete_test_template(tid)
+    except svc.TestTemplateNotFound:
+        return jsonify({"error": "not_found"}), 404
+    log.info("metamorph.test_template.soft_deleted", extra={"id": str(tid)})
+    return jsonify({"ok": True})
diff --git a/backend/app/api/v1.py b/backend/app/api/v1.py
index 3423e2d..6b5379b 100644
--- a/backend/app/api/v1.py
+++ b/backend/app/api/v1.py
@@ -11,7 +11,9 @@ from app.api.health import bp as health_bp
 from app.api.invitations import bp as invitations_bp
 from app.api.mitre import bp as mitre_bp
 from app.api.permissions import bp as permissions_bp
+from app.api.scenario_templates import bp as scenario_templates_bp
 from app.api.setup import bp as setup_bp
+from app.api.test_templates import bp as test_templates_bp
 from app.api.users import bp as users_bp
 
 bp = Blueprint("v1", __name__, url_prefix="/api/v1")
@@ -24,3 +26,5 @@ bp.register_blueprint(users_bp)
 bp.register_blueprint(groups_bp)
 bp.register_blueprint(permissions_bp)
 bp.register_blueprint(mitre_bp)
+bp.register_blueprint(test_templates_bp)
+bp.register_blueprint(scenario_templates_bp)
diff --git a/backend/app/services/scenario_templates.py b/backend/app/services/scenario_templates.py
new file mode 100644
index 0000000..968f7ad
--- /dev/null
+++ b/backend/app/services/scenario_templates.py
@@ -0,0 +1,240 @@
+"""CRUD service for `scenario_templates` + their ordered test list.
+
+Re-ordering is implemented as **full delete + re-insert** of the
+`scenario_template_tests` rows. The UNIQUE (scenario_template_id, position)
+constraint makes any naive position-swap fail mid-transaction; wiping the set
+then re-inserting at positions 0..N-1 keeps the operation atomic and obvious.
+
+The same test_template may legitimately appear multiple times in a scenario
+(chained operations), so we key on `(scenario_id, position)`, not
+`(scenario_id, test_template_id)`.
+"""
+
+from __future__ import annotations
+
+import uuid
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from typing import Any
+
+from sqlalchemy import func, or_, select
+from sqlalchemy.orm import Session, selectinload
+
+_UNSET: Any = object()
+
+from app.db.session import session_scope
+from app.models.template import (
+    ScenarioTemplate,
+    ScenarioTemplateTest,
+    TestTemplate,
+)
+
+
+class ScenarioTemplateNotFound(Exception):
+    pass
+
+
+class UnknownTestTemplate(Exception):
+    """Raised when a scenario references a non-existent or soft-deleted test."""
+
+
+@dataclass(frozen=True)
+class ScenarioTestView:
+    position: int
+    test_template_id: uuid.UUID
+    test_template_name: str
+    test_template_deleted: bool
+
+
+@dataclass(frozen=True)
+class ScenarioTemplateView:
+    id: uuid.UUID
+    name: str
+    description: str | None
+    tests: list[ScenarioTestView]
+    tests_count: int
+    deleted_at: datetime | None
+    created_at: datetime
+    updated_at: datetime
+
+
+def _to_view(s: Session, sc: ScenarioTemplate) -> ScenarioTemplateView:
+    test_ids = [link.test_template_id for link in sc.tests]
+    name_by_id: dict[uuid.UUID, tuple[str, bool]] = {}
+    if test_ids:
+        rows = s.scalars(select(TestTemplate).where(TestTemplate.id.in_(test_ids))).all()
+        for row in rows:
+            name_by_id[row.id] = (row.name, row.deleted_at is not None)
+    tests = [
+        ScenarioTestView(
+            position=link.position,
+            test_template_id=link.test_template_id,
+            test_template_name=name_by_id.get(link.test_template_id, ("<missing>", True))[0],
+            test_template_deleted=name_by_id.get(link.test_template_id, ("<missing>", True))[1],
+        )
+        for link in sc.tests
+    ]
+    return ScenarioTemplateView(
+        id=sc.id,
+        name=sc.name,
+        description=sc.description,
+        tests=tests,
+        tests_count=len(tests),
+        deleted_at=sc.deleted_at,
+        created_at=sc.created_at,
+        updated_at=sc.updated_at,
+    )
+
+
+def _base_query():
+    return select(ScenarioTemplate).options(selectinload(ScenarioTemplate.tests))
+
+
+def list_scenario_templates(
+    *,
+    q: str | None = None,
+    include_deleted: bool = False,
+    limit: int = 100,
+    offset: int = 0,
+) -> tuple[list[ScenarioTemplateView], int]:
+    with session_scope() as s:
+        stmt = _base_query().order_by(ScenarioTemplate.name.asc())
+        count_stmt = select(func.count()).select_from(ScenarioTemplate)
+        if not include_deleted:
+            stmt = stmt.where(ScenarioTemplate.deleted_at.is_(None))
+            count_stmt = count_stmt.where(ScenarioTemplate.deleted_at.is_(None))
+        if q:
+            like = f"%{q.lower()}%"
+            cond = or_(
+                func.lower(ScenarioTemplate.name).like(like),
+                func.lower(ScenarioTemplate.description).like(like),
+            )
+            stmt = stmt.where(cond)
+            count_stmt = count_stmt.where(cond)
+        total = s.scalar(count_stmt) or 0
+        rows = s.scalars(stmt.limit(max(1, min(limit, 500))).offset(max(0, offset))).all()
+        return [_to_view(s, sc) for sc in rows], int(total)
+
+
+def get_scenario_template(scenario_id: uuid.UUID, *, include_deleted: bool = False) -> ScenarioTemplateView:
+    with session_scope() as s:
+        sc = s.get(ScenarioTemplate, scenario_id)
+        if sc is None:
+            raise ScenarioTemplateNotFound()
+        if sc.deleted_at is not None and not include_deleted:
+            raise ScenarioTemplateNotFound()
+        return _to_view(s, sc)
+
+
+def _validate_test_ids(s: Session, ids: list[uuid.UUID]) -> None:
+    """Reject unknown or soft-deleted test_template ids before persisting."""
+    if not ids:
+        return
+    found = s.execute(
+        select(TestTemplate.id, TestTemplate.deleted_at).where(TestTemplate.id.in_(ids))
+    ).all()
+    known = {row.id for row in found}
+    deleted = {row.id for row in found if row.deleted_at is not None}
+    missing = set(ids) - known
+    if missing:
+        raise UnknownTestTemplate(f"unknown test_template ids: {sorted(str(m) for m in missing)}")
+    if deleted:
+        raise UnknownTestTemplate(
+            f"cannot reference soft-deleted test_template ids: {sorted(str(d) for d in deleted)}"
+        )
+
+
+def _opt_str(value: str | None) -> str | None:
+    if value is None:
+        return None
+    s = value.strip()
+    return s or None
+
+
+def create_scenario_template(
+    *,
+    name: str,
+    description: str | None = None,
+    test_template_ids: list[uuid.UUID] | None = None,
+) -> ScenarioTemplateView:
+    name_norm = (name or "").strip()
+    if not name_norm:
+        raise ValueError("name is required")
+    ids = list(test_template_ids or [])
+    with session_scope() as s:
+        _validate_test_ids(s, ids)
+        sc = ScenarioTemplate(
+            name=name_norm,
+            description=_opt_str(description),
+        )
+        s.add(sc)
+        s.flush()
+        for position, tid in enumerate(ids):
+            s.add(
+                ScenarioTemplateTest(
+                    scenario_template_id=sc.id,
+                    test_template_id=tid,
+                    position=position,
+                )
+            )
+        s.flush()
+        s.refresh(sc)
+        return _to_view(s, sc)
+
+
+def update_scenario_template(
+    scenario_id: uuid.UUID,
+    *,
+    name: str | None = None,
+    description: Any = _UNSET,
+) -> ScenarioTemplateView:
+    with session_scope() as s:
+        sc = s.get(ScenarioTemplate, scenario_id)
+        if sc is None or sc.deleted_at is not None:
+            raise ScenarioTemplateNotFound()
+        if name is not None:
+            n = name.strip()
+            if not n:
+                raise ValueError("name cannot be empty")
+            sc.name = n
+        if description is not _UNSET:
+            sc.description = _opt_str(description)
+        s.flush()
+        s.refresh(sc)
+        return _to_view(s, sc)
+
+
+def set_scenario_tests(
+    scenario_id: uuid.UUID,
+    test_template_ids: list[uuid.UUID],
+) -> ScenarioTemplateView:
+    """Replace the entire ordered test list. `position` becomes the index."""
+    with session_scope() as s:
+        sc = s.get(ScenarioTemplate, scenario_id)
+        if sc is None or sc.deleted_at is not None:
+            raise ScenarioTemplateNotFound()
+        _validate_test_ids(s, test_template_ids)
+        # Wipe then re-insert. The UNIQUE(position) constraint forbids a
+        # naive UPDATE-swap; full-replace keeps the op atomic + readable.
+        for link in list(sc.tests):
+            s.delete(link)
+        s.flush()
+        for position, tid in enumerate(test_template_ids):
+            s.add(
+                ScenarioTemplateTest(
+                    scenario_template_id=sc.id,
+                    test_template_id=tid,
+                    position=position,
+                )
+            )
+        s.flush()
+        s.refresh(sc)
+        return _to_view(s, sc)
+
+
+def soft_delete_scenario_template(scenario_id: uuid.UUID) -> None:
+    with session_scope() as s:
+        sc = s.get(ScenarioTemplate, scenario_id)
+        if sc is None or sc.deleted_at is not None:
+            raise ScenarioTemplateNotFound()
+        sc.deleted_at = datetime.now(tz=timezone.utc)
diff --git a/backend/app/services/test_templates.py b/backend/app/services/test_templates.py
new file mode 100644
index 0000000..8570894
--- /dev/null
+++ b/backend/app/services/test_templates.py
@@ -0,0 +1,395 @@
+"""CRUD service for `test_templates` + their MITRE tags.
+
+The MITRE tag set is **fully replaced** on every update — partial mutation of
+the join rows would force the API client to track tag UUIDs they never created.
+The polymorphic join (one of `tactic_id` / `technique_id` / `subtechnique_id`
+populated) is owned here: callers pass `(kind, external_id)` tuples and we
+resolve them to the matching MITRE row.
+"""
+
+from __future__ import annotations
+
+import uuid
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from typing import Any, Iterable
+
+from sqlalchemy import func, or_, select
+from sqlalchemy.orm import Session, selectinload
+
+_UNSET: Any = object()
+
+from app.db.session import session_scope
+from app.db.types import MITRE_KINDS, OPSEC_LEVELS
+from app.models.mitre import MitreSubtechnique, MitreTactic, MitreTechnique
+from app.models.template import TestTemplate, TestTemplateMitreTag
+
+
+class TestTemplateNotFound(Exception):
+    pass
+
+
+class UnknownMitreTag(Exception):
+    """Raised when an (kind, external_id) tuple doesn't resolve to a known MITRE row."""
+
+
+@dataclass(frozen=True)
+class MitreTagRef:
+    """Inbound MITRE tag reference. `external_id` is the ATT&CK identifier
+    (TA…/T…/T….…) — we resolve it server-side, the client never sees UUIDs.
+    """
+
+    kind: str  # "tactic" | "technique" | "subtechnique"
+    external_id: str
+
+
+@dataclass(frozen=True)
+class MitreTagView:
+    kind: str
+    external_id: str
+    name: str
+    url: str | None
+
+
+@dataclass(frozen=True)
+class TestTemplateView:
+    id: uuid.UUID
+    name: str
+    description: str | None
+    objective: str | None
+    procedure_md: str | None
+    prerequisites_md: str | None
+    expected_result_red_md: str | None
+    expected_detection_blue_md: str | None
+    opsec_level: str
+    tags: list[str]
+    expected_iocs: list[str]
+    mitre_tags: list[MitreTagView]
+    deleted_at: datetime | None
+    created_at: datetime
+    updated_at: datetime
+
+
+def _validate_opsec(value: str) -> str:
+    if value not in OPSEC_LEVELS:
+        raise ValueError(f"opsec_level must be one of {OPSEC_LEVELS}")
+    return value
+
+
+def _normalize_string_list(values: Iterable[str] | None) -> list[str]:
+    if not values:
+        return []
+    seen: set[str] = set()
+    out: list[str] = []
+    for raw in values:
+        if not isinstance(raw, str):
+            raise ValueError("list items must be strings")
+        v = raw.strip()
+        if not v or v in seen:
+            continue
+        seen.add(v)
+        out.append(v)
+    return out
+
+
+def _resolve_mitre_refs(s: Session, refs: list[MitreTagRef]) -> list[TestTemplateMitreTag]:
+    """Translate `(kind, external_id)` pairs into half-populated join rows.
+
+    Validates that:
+      - `kind` is one of the supported values
+      - each external_id resolves to an existing MITRE row
+      - the combination is unique inside the payload (de-duped silently — same
+        tag twice is a no-op, not an error)
+    """
+    if not refs:
+        return []
+    # Dedupe input
+    deduped: dict[tuple[str, str], MitreTagRef] = {}
+    for ref in refs:
+        if ref.kind not in MITRE_KINDS:
+            raise ValueError(f"mitre tag kind must be one of {MITRE_KINDS}")
+        if not ref.external_id:
+            raise ValueError("mitre tag external_id is required")
+        deduped[(ref.kind, ref.external_id)] = ref
+
+    tactic_ids = {r.external_id for r in deduped.values() if r.kind == "tactic"}
+    technique_ids = {r.external_id for r in deduped.values() if r.kind == "technique"}
+    subtechnique_ids = {r.external_id for r in deduped.values() if r.kind == "subtechnique"}
+
+    tactic_map = {
+        t.external_id: t.id
+        for t in s.scalars(select(MitreTactic).where(MitreTactic.external_id.in_(tactic_ids))).all()
+    }
+    technique_map = {
+        t.external_id: t.id
+        for t in s.scalars(select(MitreTechnique).where(MitreTechnique.external_id.in_(technique_ids))).all()
+    }
+    subtechnique_map = {
+        sb.external_id: sb.id
+        for sb in s.scalars(
+            select(MitreSubtechnique).where(MitreSubtechnique.external_id.in_(subtechnique_ids))
+        ).all()
+    }
+
+    rows: list[TestTemplateMitreTag] = []
+    missing: list[tuple[str, str]] = []
+    for ref in deduped.values():
+        if ref.kind == "tactic":
+            mid = tactic_map.get(ref.external_id)
+            if mid is None:
+                missing.append((ref.kind, ref.external_id))
+                continue
+            rows.append(TestTemplateMitreTag(mitre_kind="tactic", tactic_id=mid))
+        elif ref.kind == "technique":
+            mid = technique_map.get(ref.external_id)
+            if mid is None:
+                missing.append((ref.kind, ref.external_id))
+                continue
+            rows.append(TestTemplateMitreTag(mitre_kind="technique", technique_id=mid))
+        else:
+            mid = subtechnique_map.get(ref.external_id)
+            if mid is None:
+                missing.append((ref.kind, ref.external_id))
+                continue
+            rows.append(TestTemplateMitreTag(mitre_kind="subtechnique", subtechnique_id=mid))
+    if missing:
+        raise UnknownMitreTag(f"unknown MITRE tags: {sorted(missing)}")
+    return rows
+
+
+def _to_view(s: Session, t: TestTemplate) -> TestTemplateView:
+    tag_views: list[MitreTagView] = []
+    for tag in t.mitre_tags:
+        if tag.mitre_kind == "tactic" and tag.tactic_id is not None:
+            row = s.get(MitreTactic, tag.tactic_id)
+            if row is not None:
+                tag_views.append(MitreTagView(kind="tactic", external_id=row.external_id, name=row.name, url=row.url))
+        elif tag.mitre_kind == "technique" and tag.technique_id is not None:
+            row = s.get(MitreTechnique, tag.technique_id)
+            if row is not None:
+                tag_views.append(MitreTagView(kind="technique", external_id=row.external_id, name=row.name, url=row.url))
+        elif tag.mitre_kind == "subtechnique" and tag.subtechnique_id is not None:
+            row = s.get(MitreSubtechnique, tag.subtechnique_id)
+            if row is not None:
+                tag_views.append(
+                    MitreTagView(kind="subtechnique", external_id=row.external_id, name=row.name, url=row.url)
+                )
+    tag_views.sort(key=lambda v: (v.kind, v.external_id))
+    return TestTemplateView(
+        id=t.id,
+        name=t.name,
+        description=t.description,
+        objective=t.objective,
+        procedure_md=t.procedure_md,
+        prerequisites_md=t.prerequisites_md,
+        expected_result_red_md=t.expected_result_red_md,
+        expected_detection_blue_md=t.expected_detection_blue_md,
+        opsec_level=t.opsec_level,
+        tags=list(t.tags or []),
+        expected_iocs=list(t.expected_iocs or []),
+        mitre_tags=tag_views,
+        deleted_at=t.deleted_at,
+        created_at=t.created_at,
+        updated_at=t.updated_at,
+    )
+
+
+def _base_query():
+    return select(TestTemplate).options(selectinload(TestTemplate.mitre_tags))
+
+
+def list_test_templates(
+    *,
+    q: str | None = None,
+    tactic: str | None = None,  # external_id like "TA0006"
+    technique: str | None = None,
+    subtechnique: str | None = None,
+    opsec_level: str | None = None,
+    tag: str | None = None,
+    include_deleted: bool = False,
+    limit: int = 100,
+    offset: int = 0,
+) -> tuple[list[TestTemplateView], int]:
+    with session_scope() as s:
+        stmt = _base_query().order_by(TestTemplate.name.asc())
+        count_stmt = select(func.count()).select_from(TestTemplate)
+        if not include_deleted:
+            stmt = stmt.where(TestTemplate.deleted_at.is_(None))
+            count_stmt = count_stmt.where(TestTemplate.deleted_at.is_(None))
+        if q:
+            like = f"%{q.lower()}%"
+            cond = or_(
+                func.lower(TestTemplate.name).like(like),
+                func.lower(TestTemplate.description).like(like),
+            )
+            stmt = stmt.where(cond)
+            count_stmt = count_stmt.where(cond)
+        if opsec_level:
+            _validate_opsec(opsec_level)
+            stmt = stmt.where(TestTemplate.opsec_level == opsec_level)
+            count_stmt = count_stmt.where(TestTemplate.opsec_level == opsec_level)
+        if tag:
+            stmt = stmt.where(TestTemplate.tags.any(tag))
+            count_stmt = count_stmt.where(TestTemplate.tags.any(tag))
+
+        # MITRE facet: resolve external_id → uuid then filter via join subquery.
+        if tactic or technique or subtechnique:
+            tag_ids: list[uuid.UUID] = []
+            if tactic:
+                tac = s.scalar(select(MitreTactic).where(MitreTactic.external_id == tactic))
+                if tac is None:
+                    return [], 0
+                tag_ids.append(tac.id)
+            if technique:
+                tech = s.scalar(select(MitreTechnique).where(MitreTechnique.external_id == technique))
+                if tech is None:
+                    return [], 0
+                tag_ids.append(tech.id)
+            if subtechnique:
+                sub = s.scalar(select(MitreSubtechnique).where(MitreSubtechnique.external_id == subtechnique))
+                if sub is None:
+                    return [], 0
+                tag_ids.append(sub.id)
+            sub_q = (
+                select(TestTemplateMitreTag.test_template_id)
+                .where(
+                    or_(
+                        TestTemplateMitreTag.tactic_id.in_(tag_ids),
+                        TestTemplateMitreTag.technique_id.in_(tag_ids),
+                        TestTemplateMitreTag.subtechnique_id.in_(tag_ids),
+                    )
+                )
+                .distinct()
+            )
+            stmt = stmt.where(TestTemplate.id.in_(sub_q))
+            count_stmt = count_stmt.where(TestTemplate.id.in_(sub_q))
+
+        total = s.scalar(count_stmt) or 0
+        rows = s.scalars(stmt.limit(max(1, min(limit, 500))).offset(max(0, offset))).all()
+        return [_to_view(s, t) for t in rows], int(total)
+
+
+def get_test_template(template_id: uuid.UUID, *, include_deleted: bool = False) -> TestTemplateView:
+    with session_scope() as s:
+        t = s.get(TestTemplate, template_id)
+        if t is None:
+            raise TestTemplateNotFound()
+        if t.deleted_at is not None and not include_deleted:
+            raise TestTemplateNotFound()
+        return _to_view(s, t)
+
+
+def create_test_template(
+    *,
+    name: str,
+    description: str | None = None,
+    objective: str | None = None,
+    procedure_md: str | None = None,
+    prerequisites_md: str | None = None,
+    expected_result_red_md: str | None = None,
+    expected_detection_blue_md: str | None = None,
+    opsec_level: str = "medium",
+    tags: list[str] | None = None,
+    expected_iocs: list[str] | None = None,
+    mitre_tags: list[MitreTagRef] | None = None,
+) -> TestTemplateView:
+    name_norm = (name or "").strip()
+    if not name_norm:
+        raise ValueError("name is required")
+    _validate_opsec(opsec_level)
+    norm_tags = _normalize_string_list(tags)
+    norm_iocs = _normalize_string_list(expected_iocs)
+    with session_scope() as s:
+        t = TestTemplate(
+            name=name_norm,
+            description=_opt_str(description),
+            objective=_opt_str(objective),
+            procedure_md=procedure_md or None,
+            prerequisites_md=prerequisites_md or None,
+            expected_result_red_md=expected_result_red_md or None,
+            expected_detection_blue_md=expected_detection_blue_md or None,
+            opsec_level=opsec_level,
+            tags=norm_tags,
+            expected_iocs=norm_iocs,
+        )
+        s.add(t)
+        s.flush()
+        if mitre_tags:
+            rows = _resolve_mitre_refs(s, mitre_tags)
+            for row in rows:
+                row.test_template_id = t.id
+                s.add(row)
+        s.flush()
+        s.refresh(t)
+        return _to_view(s, t)
+
+
+def _opt_str(value: str | None) -> str | None:
+    if value is None:
+        return None
+    s = value.strip()
+    return s or None
+
+
+def update_test_template(
+    template_id: uuid.UUID,
+    *,
+    name: str | None = None,
+    description: Any = _UNSET,
+    objective: Any = _UNSET,
+    procedure_md: Any = _UNSET,
+    prerequisites_md: Any = _UNSET,
+    expected_result_red_md: Any = _UNSET,
+    expected_detection_blue_md: Any = _UNSET,
+    opsec_level: str | None = None,
+    tags: Any = _UNSET,
+    expected_iocs: Any = _UNSET,
+    mitre_tags: Any = _UNSET,
+) -> TestTemplateView:
+    with session_scope() as s:
+        t = s.get(TestTemplate, template_id)
+        if t is None or t.deleted_at is not None:
+            raise TestTemplateNotFound()
+        if name is not None:
+            n = name.strip()
+            if not n:
+                raise ValueError("name cannot be empty")
+            t.name = n
+        if description is not _UNSET:
+            t.description = _opt_str(description)
+        if objective is not _UNSET:
+            t.objective = _opt_str(objective)
+        if procedure_md is not _UNSET:
+            t.procedure_md = procedure_md or None
+        if prerequisites_md is not _UNSET:
+            t.prerequisites_md = prerequisites_md or None
+        if expected_result_red_md is not _UNSET:
+            t.expected_result_red_md = expected_result_red_md or None
+        if expected_detection_blue_md is not _UNSET:
+            t.expected_detection_blue_md = expected_detection_blue_md or None
+        if opsec_level is not None:
+            _validate_opsec(opsec_level)
+            t.opsec_level = opsec_level
+        if tags is not _UNSET:
+            t.tags = _normalize_string_list(tags)
+        if expected_iocs is not _UNSET:
+            t.expected_iocs = _normalize_string_list(expected_iocs)
+        if mitre_tags is not _UNSET:
+            for row in list(t.mitre_tags):
+                s.delete(row)
+            s.flush()
+            rows = _resolve_mitre_refs(s, list(mitre_tags or []))
+            for row in rows:
+                row.test_template_id = t.id
+                s.add(row)
+        s.flush()
+        s.refresh(t)
+        return _to_view(s, t)
+
+
+def soft_delete_test_template(template_id: uuid.UUID) -> None:
+    with session_scope() as s:
+        t = s.get(TestTemplate, template_id)
+        if t is None or t.deleted_at is not None:
+            raise TestTemplateNotFound()
+        t.deleted_at = datetime.now(tz=timezone.utc)
diff --git a/backend/tests/test_templates.py b/backend/tests/test_templates.py
new file mode 100644
index 0000000..8b4bc4b
--- /dev/null
+++ b/backend/tests/test_templates.py
@@ -0,0 +1,492 @@
+"""M5 — Template catalogue integration tests.
+
+Covers `test_template` and `scenario_template` CRUD + ordering + perm gating.
+Relies on a minimal MITRE seed (T1059 / TA0001 / T1059.001) so the polymorphic
+tag join can be exercised end-to-end.
+"""
+
+from __future__ import annotations
+
+import json
+import secrets
+
+import pytest
+from sqlalchemy import text
+
+from app.core.install_token import regenerate_install_token
+from app.main import create_app
+from app.services import mitre_seed as mitre_svc
+
+
+def _truncate_all(engine):
+    with engine.begin() as conn:
+        conn.execute(
+            text(
+                "TRUNCATE users, refresh_tokens, invitations, invitation_groups, "
+                "user_groups, group_permissions, permissions, settings, groups, "
+                "scenario_template_tests, scenario_templates, "
+                "test_template_mitre_tags, test_templates, "
+                "mitre_subtechniques, mitre_technique_tactics, mitre_techniques, "
+                "mitre_tactics RESTART IDENTITY CASCADE"
+            )
+        )
+
+
+# Same minimal bundle as in test_mitre.py — keeps tag resolution deterministic
+# without re-pulling the full enterprise STIX bundle.
+_MINIMAL_BUNDLE = {
+    "type": "bundle",
+    "id": "bundle--00000000-0000-0000-0000-000000000002",
+    "spec_version": "2.1",
+    "objects": [
+        {
+            "type": "x-mitre-tactic",
+            "id": "x-mitre-tactic--ta0001",
+            "name": "Initial Access",
+            "x_mitre_shortname": "initial-access",
+            "external_references": [
+                {"source_name": "mitre-attack", "external_id": "TA0001"}
+            ],
+        },
+        {
+            "type": "x-mitre-tactic",
+            "id": "x-mitre-tactic--ta0002",
+            "name": "Execution",
+            "x_mitre_shortname": "execution",
+            "external_references": [
+                {"source_name": "mitre-attack", "external_id": "TA0002"}
+            ],
+        },
+        {
+            "type": "attack-pattern",
+            "id": "attack-pattern--t1059",
+            "name": "Command and Scripting Interpreter",
+            "kill_chain_phases": [
+                {"kill_chain_name": "mitre-attack", "phase_name": "execution"}
+            ],
+            "external_references": [
+                {"source_name": "mitre-attack", "external_id": "T1059"}
+            ],
+        },
+        {
+            "type": "attack-pattern",
+            "id": "attack-pattern--t1059-001",
+            "name": "PowerShell",
+            "x_mitre_is_subtechnique": True,
+            "external_references": [
+                {"source_name": "mitre-attack", "external_id": "T1059.001"}
+            ],
+        },
+        {
+            "type": "relationship",
+            "id": "relationship--rel1",
+            "relationship_type": "subtechnique-of",
+            "source_ref": "attack-pattern--t1059-001",
+            "target_ref": "attack-pattern--t1059",
+        },
+    ],
+}
+
+
+@pytest.fixture(scope="module")
+def app(db_engine_or_skip, tmp_path_factory):
+    _truncate_all(db_engine_or_skip)
+    bundle_path = tmp_path_factory.mktemp("m5") / "stix.json"
+    bundle_path.write_text(json.dumps(_MINIMAL_BUNDLE))
+    mitre_svc.seed_mitre(source=bundle_path, expected_sha256=None)
+    flask_app = create_app()
+    flask_app.config.update(TESTING=True)
+    return flask_app
+
+
+@pytest.fixture()
+def client(app):
+    return app.test_client()
+
+
+def _unique_email(prefix: str) -> str:
+    return f"{prefix}-{secrets.token_hex(4)}@metamorph.local"
+
+
+@pytest.fixture(scope="module")
+def admin(app):
+    token = regenerate_install_token()
+    email = _unique_email("admin")
+    password = "AdminPass1234!"
+    with app.test_client() as c:
+        r = c.post(
+            "/api/v1/setup",
+            json={"install_token": token, "email": email, "password": password},
+        )
+        assert r.status_code == 201, r.get_data(as_text=True)
+    return {"email": email, "password": password}
+
+
+def _login(client, email: str, password: str) -> str:
+    r = client.post("/api/v1/auth/login", json={"email": email, "password": password})
+    assert r.status_code == 200, r.get_data(as_text=True)
+    return r.get_json()["access_token"]
+
+
+def _bearer(token: str) -> dict[str, str]:
+    return {"Authorization": f"Bearer {token}"}
+
+
+@pytest.fixture()
+def admin_token(client, admin) -> str:
+    return _login(client, admin["email"], admin["password"])
+
+
+# === Reader fixture: an invited user with only `test_template.read` =========
+
+
+def _bootstrap_user_without_perms(client, admin_token: str, prefix: str) -> tuple[str, str]:
+    email = _unique_email(prefix)
+    inv = client.post(
+        "/api/v1/invitations",
+        headers=_bearer(admin_token),
+        json={"email_hint": email},
+    )
+    token = inv.get_json()["token"]
+    password = "ReaderPass1234!"
+    client.post(
+        f"/api/v1/invitations/accept/{token}",
+        json={"email": email, "password": password},
+    )
+    return email, _login(client, email, password)
+
+
+# === test_template CRUD =====================================================
+
+
+def _make_test(client, admin_token: str, **overrides):
+    body = {
+        "name": overrides.pop("name", f"Test {secrets.token_hex(2)}"),
+        "description": overrides.pop("description", "auto"),
+        "objective": "do thing",
+        "procedure_md": "1. step",
+        "expected_result_red_md": "red expectation",
+        "expected_detection_blue_md": "blue expectation",
+        "opsec_level": overrides.pop("opsec_level", "medium"),
+        "tags": overrides.pop("tags", ["fast"]),
+        "expected_iocs": ["evil.exe"],
+        "mitre_tags": overrides.pop("mitre_tags", [{"kind": "technique", "external_id": "T1059"}]),
+        **overrides,
+    }
+    r = client.post("/api/v1/test-templates", headers=_bearer(admin_token), json=body)
+    assert r.status_code == 201, r.get_data(as_text=True)
+    return r.get_json()
+
+
+def test_create_test_template_with_mitre_tags(client, admin_token):
+    body = _make_test(
+        client,
+        admin_token,
+        name="PowerShell exec",
+        mitre_tags=[
+            {"kind": "tactic", "external_id": "TA0002"},
+            {"kind": "technique", "external_id": "T1059"},
+            {"kind": "subtechnique", "external_id": "T1059.001"},
+        ],
+    )
+    assert body["opsec_level"] == "medium"
+    kinds = sorted((t["kind"], t["external_id"]) for t in body["mitre_tags"])
+    assert kinds == [
+        ("subtechnique", "T1059.001"),
+        ("tactic", "TA0002"),
+        ("technique", "T1059"),
+    ]
+
+
+def test_create_test_template_rejects_unknown_mitre(client, admin_token):
+    r = client.post(
+        "/api/v1/test-templates",
+        headers=_bearer(admin_token),
+        json={
+            "name": "Bad",
+            "mitre_tags": [{"kind": "technique", "external_id": "T9999"}],
+        },
+    )
+    assert r.status_code == 400
+    assert r.get_json()["error"] == "unknown_mitre_tag"
+
+
+def test_create_test_template_rejects_bad_opsec(client, admin_token):
+    r = client.post(
+        "/api/v1/test-templates",
+        headers=_bearer(admin_token),
+        json={"name": "Bad", "opsec_level": "burner"},
+    )
+    assert r.status_code == 400
+
+
+def test_list_test_templates_filter_by_tactic(client, admin_token):
+    _make_test(
+        client,
+        admin_token,
+        name="filterable-1",
+        mitre_tags=[{"kind": "tactic", "external_id": "TA0002"}],
+    )
+    r = client.get(
+        "/api/v1/test-templates?tactic=TA0002",
+        headers=_bearer(admin_token),
+    )
+    assert r.status_code == 200
+    body = r.get_json()
+    names = [it["name"] for it in body["items"]]
+    assert "filterable-1" in names
+
+
+def test_list_test_templates_filter_by_opsec(client, admin_token):
+    _make_test(client, admin_token, name="high-opsec", opsec_level="high")
+    r = client.get(
+        "/api/v1/test-templates?opsec=high",
+        headers=_bearer(admin_token),
+    )
+    assert r.status_code == 200
+    names = [it["name"] for it in r.get_json()["items"]]
+    assert "high-opsec" in names
+    assert all(it["opsec_level"] == "high" for it in r.get_json()["items"])
+
+
+def test_list_test_templates_filter_by_tag(client, admin_token):
+    _make_test(client, admin_token, name="tagged-fast", tags=["fast", "phish"])
+    r = client.get(
+        "/api/v1/test-templates?tag=phish",
+        headers=_bearer(admin_token),
+    )
+    assert r.status_code == 200
+    names = [it["name"] for it in r.get_json()["items"]]
+    assert "tagged-fast" in names
+
+
+def test_list_test_templates_search_q(client, admin_token):
+    _make_test(client, admin_token, name="unique-token-azertyuiop")
+    r = client.get(
+        "/api/v1/test-templates?q=AZERTYUIOP",  # case-insensitive
+        headers=_bearer(admin_token),
+    )
+    assert r.status_code == 200
+    names = [it["name"] for it in r.get_json()["items"]]
+    assert "unique-token-azertyuiop" in names
+
+
+def test_update_test_template_replaces_mitre_tags(client, admin_token):
+    body = _make_test(
+        client,
+        admin_token,
+        name="to-update",
+        mitre_tags=[{"kind": "tactic", "external_id": "TA0001"}],
+    )
+    r = client.put(
+        f"/api/v1/test-templates/{body['id']}",
+        headers=_bearer(admin_token),
+        json={"mitre_tags": [{"kind": "technique", "external_id": "T1059"}]},
+    )
+    assert r.status_code == 200, r.get_data(as_text=True)
+    updated = r.get_json()
+    kinds = [(t["kind"], t["external_id"]) for t in updated["mitre_tags"]]
+    assert kinds == [("technique", "T1059")]
+
+
+def test_update_test_template_partial_keeps_unset_fields(client, admin_token):
+    body = _make_test(
+        client,
+        admin_token,
+        name="partial-update",
+        opsec_level="low",
+        tags=["a", "b"],
+    )
+    r = client.put(
+        f"/api/v1/test-templates/{body['id']}",
+        headers=_bearer(admin_token),
+        json={"name": "renamed"},
+    )
+    assert r.status_code == 200
+    updated = r.get_json()
+    assert updated["name"] == "renamed"
+    assert updated["opsec_level"] == "low"  # untouched
+    assert set(updated["tags"]) == {"a", "b"}  # untouched
+
+
+def test_soft_delete_then_list_hides_by_default(client, admin_token):
+    body = _make_test(client, admin_token, name="to-be-deleted")
+    r = client.delete(
+        f"/api/v1/test-templates/{body['id']}", headers=_bearer(admin_token)
+    )
+    assert r.status_code == 200
+    r2 = client.get("/api/v1/test-templates", headers=_bearer(admin_token))
+    names = [it["name"] for it in r2.get_json()["items"]]
+    assert "to-be-deleted" not in names
+    # And reappears with include_deleted=true
+    r3 = client.get(
+        "/api/v1/test-templates?include_deleted=true",
+        headers=_bearer(admin_token),
+    )
+    names3 = [it["name"] for it in r3.get_json()["items"]]
+    assert "to-be-deleted" in names3
+
+
+def test_read_perm_required(client, admin_token):
+    """A user without `test_template.read` gets 403."""
+    _, eve_token = _bootstrap_user_without_perms(client, admin_token, "eve-noperm")
+    r = client.get("/api/v1/test-templates", headers=_bearer(eve_token))
+    assert r.status_code == 403
+
+
+def test_write_perm_required(client, admin_token):
+    """A user with only `test_template.read` cannot create.
+
+    Bootstrap path: create a dedicated group via the admin API, bind only the
+    `test_template.read` perm, then invite a user pre-assigned to that group.
+    """
+    # 1. Create the read-only group + bind the single perm.
+    grp = client.post(
+        "/api/v1/groups",
+        headers=_bearer(admin_token),
+        json={"name": f"tpl-reader-{secrets.token_hex(2)}"},
+    ).get_json()
+    r_set = client.put(
+        f"/api/v1/groups/{grp['id']}/permissions",
+        headers=_bearer(admin_token),
+        json={"codes": ["test_template.read"]},
+    )
+    assert r_set.status_code == 200, r_set.get_data(as_text=True)
+
+    # 2. Invite a user already attached to that group.
+    email = _unique_email("alice-readonly")
+    password = "ReaderPass1234!"
+    inv = client.post(
+        "/api/v1/invitations",
+        headers=_bearer(admin_token),
+        json={"email_hint": email, "group_ids": [grp["id"]]},
+    ).get_json()
+    client.post(
+        f"/api/v1/invitations/accept/{inv['token']}",
+        json={"email": email, "password": password},
+    )
+    token = _login(client, email, password)
+
+    r = client.get("/api/v1/test-templates", headers=_bearer(token))
+    assert r.status_code == 200, r.get_data(as_text=True)
+    r2 = client.post(
+        "/api/v1/test-templates", headers=_bearer(token), json={"name": "X"}
+    )
+    assert r2.status_code == 403
+
+
+# === scenario_template CRUD =================================================
+
+
+def test_create_scenario_with_ordered_tests(client, admin_token):
+    a = _make_test(client, admin_token, name="scn-a")
+    b = _make_test(client, admin_token, name="scn-b")
+    c = _make_test(client, admin_token, name="scn-c")
+    r = client.post(
+        "/api/v1/scenario-templates",
+        headers=_bearer(admin_token),
+        json={
+            "name": "phishing-flow",
+            "description": "click → exec → persist",
+            "test_template_ids": [a["id"], b["id"], c["id"]],
+        },
+    )
+    assert r.status_code == 201, r.get_data(as_text=True)
+    body = r.get_json()
+    assert body["tests_count"] == 3
+    assert [t["position"] for t in body["tests"]] == [0, 1, 2]
+    assert [t["test_template_name"] for t in body["tests"]] == ["scn-a", "scn-b", "scn-c"]
+
+
+def test_reorder_scenario_tests(client, admin_token):
+    a = _make_test(client, admin_token, name="reord-a")
+    b = _make_test(client, admin_token, name="reord-b")
+    c = _make_test(client, admin_token, name="reord-c")
+    created = client.post(
+        "/api/v1/scenario-templates",
+        headers=_bearer(admin_token),
+        json={
+            "name": "reorder-me",
+            "test_template_ids": [a["id"], b["id"], c["id"]],
+        },
+    ).get_json()
+    # Reverse order.
+    r = client.put(
+        f"/api/v1/scenario-templates/{created['id']}/tests",
+        headers=_bearer(admin_token),
+        json={"test_template_ids": [c["id"], b["id"], a["id"]]},
+    )
+    assert r.status_code == 200
+    after = r.get_json()
+    assert [t["test_template_name"] for t in after["tests"]] == ["reord-c", "reord-b", "reord-a"]
+    # Re-reading via GET yields the same order — confirms persistence.
+    fresh = client.get(
+        f"/api/v1/scenario-templates/{created['id']}", headers=_bearer(admin_token)
+    ).get_json()
+    assert [t["test_template_name"] for t in fresh["tests"]] == ["reord-c", "reord-b", "reord-a"]
+
+
+def test_scenario_rejects_unknown_test_id(client, admin_token):
+    r = client.post(
+        "/api/v1/scenario-templates",
+        headers=_bearer(admin_token),
+        json={
+            "name": "bad",
+            "test_template_ids": ["00000000-0000-0000-0000-000000000000"],
+        },
+    )
+    assert r.status_code == 400
+    assert r.get_json()["error"] == "unknown_test_template"
+
+
+def test_scenario_rejects_soft_deleted_test_on_create(client, admin_token):
+    a = _make_test(client, admin_token, name="will-be-deleted")
+    client.delete(f"/api/v1/test-templates/{a['id']}", headers=_bearer(admin_token))
+    r = client.post(
+        "/api/v1/scenario-templates",
+        headers=_bearer(admin_token),
+        json={"name": "linked", "test_template_ids": [a["id"]]},
+    )
+    assert r.status_code == 400
+    assert r.get_json()["error"] == "unknown_test_template"
+
+
+def test_scenario_surfaces_soft_deleted_test_after_link(client, admin_token):
+    """Once linked, a test can be soft-deleted without breaking the scenario —
+    the join row stays and the API flags the test as deleted."""
+    a = _make_test(client, admin_token, name="linked-then-deleted")
+    sc = client.post(
+        "/api/v1/scenario-templates",
+        headers=_bearer(admin_token),
+        json={"name": "survives", "test_template_ids": [a["id"]]},
+    ).get_json()
+    client.delete(f"/api/v1/test-templates/{a['id']}", headers=_bearer(admin_token))
+    fresh = client.get(
+        f"/api/v1/scenario-templates/{sc['id']}", headers=_bearer(admin_token)
+    ).get_json()
+    assert fresh["tests"][0]["test_template_deleted"] is True
+
+
+def test_scenario_soft_delete(client, admin_token):
+    sc = client.post(
+        "/api/v1/scenario-templates",
+        headers=_bearer(admin_token),
+        json={"name": "doomed-scn"},
+    ).get_json()
+    r = client.delete(
+        f"/api/v1/scenario-templates/{sc['id']}", headers=_bearer(admin_token)
+    )
+    assert r.status_code == 200
+    names = [
+        it["name"]
+        for it in client.get(
+            "/api/v1/scenario-templates", headers=_bearer(admin_token)
+        ).get_json()["items"]
+    ]
+    assert "doomed-scn" not in names
+
+
+def test_scenario_perm_required(client, admin_token):
+    _, eve_token = _bootstrap_user_without_perms(client, admin_token, "scn-eve")
+    r = client.get("/api/v1/scenario-templates", headers=_bearer(eve_token))
+    assert r.status_code == 403
-- 
2.49.1


From 2781ce411755a46dd3074a08b8f46e96a2eaa553 Mon Sep 17 00:00:00 2001
From: Knacky <knckydev@gmail.com>
Date: Tue, 12 May 2026 19:57:41 +0200
Subject: [PATCH 2/6] feat(m5): admin SPA pages for the template catalogue

- AdminTestsPage with filters (q, tactic, opsec, tag), modal-based CRUD,
  markdown textareas for procedure/result/detection, embedded MitreTagPicker
  for tagging.
- AdminScenariosPage with @dnd-kit/sortable drag-and-drop on the ordered
  test list, two-step save (PATCH metadata + PUT tests), catalogue picker
  excluding soft-deleted items.
- lib/templates.ts typed client + queryKey factory.
- MarkdownField helper (textarea with markdown hint label).
- Layout adds Tests + Scenarios admin nav links; App.tsx routes both
  behind RequireAdmin.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 frontend/package.json                     |   3 +
 frontend/src/App.tsx                      |  18 +
 frontend/src/components/Layout.tsx        |   4 +-
 frontend/src/components/MarkdownField.tsx |  45 +++
 frontend/src/lib/templates.ts             | 136 +++++++
 frontend/src/pages/AdminScenariosPage.tsx | 434 ++++++++++++++++++++++
 frontend/src/pages/AdminTestsPage.tsx     | 403 ++++++++++++++++++++
 7 files changed, 1042 insertions(+), 1 deletion(-)
 create mode 100644 frontend/src/components/MarkdownField.tsx
 create mode 100644 frontend/src/lib/templates.ts
 create mode 100644 frontend/src/pages/AdminScenariosPage.tsx
 create mode 100644 frontend/src/pages/AdminTestsPage.tsx

diff --git a/frontend/package.json b/frontend/package.json
index 1f7e91f..2da9cbc 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -13,6 +13,9 @@
     "format:check": "prettier --check \"src/**/*.{ts,tsx,css,json,html}\""
   },
   "dependencies": {
+    "@dnd-kit/core": "^6.1.0",
+    "@dnd-kit/sortable": "^8.0.0",
+    "@dnd-kit/utilities": "^3.2.2",
     "@fontsource/ibm-plex-sans": "^5.0.20",
     "@fontsource/jetbrains-mono": "^5.0.20",
     "@tanstack/react-query": "^5.51.0",
diff --git a/frontend/src/App.tsx b/frontend/src/App.tsx
index db48353..44f8731 100644
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -6,6 +6,8 @@ import { RequireAdmin } from '@/components/RequireAdmin';
 import { RequireAuth } from '@/components/RequireAuth';
 import { AdminGroupsPage } from '@/pages/AdminGroupsPage';
 import { AdminInvitationsPage } from '@/pages/AdminInvitationsPage';
+import { AdminScenariosPage } from '@/pages/AdminScenariosPage';
+import { AdminTestsPage } from '@/pages/AdminTestsPage';
 import { AdminUsersPage } from '@/pages/AdminUsersPage';
 import { HomePage } from '@/pages/HomePage';
 import { MitrePage } from '@/pages/MitrePage';
@@ -82,6 +84,22 @@ function App() {
                   </RequireAdmin>
                 }
               />
+              <Route
+                path="/admin/tests"
+                element={
+                  <RequireAdmin>
+                    <AdminTestsPage />
+                  </RequireAdmin>
+                }
+              />
+              <Route
+                path="/admin/scenarios"
+                element={
+                  <RequireAdmin>
+                    <AdminScenariosPage />
+                  </RequireAdmin>
+                }
+              />
               <Route path="*" element={<Navigate to="/" replace />} />
             </Route>
           </Routes>
diff --git a/frontend/src/components/Layout.tsx b/frontend/src/components/Layout.tsx
index 0eab999..a9b269b 100644
--- a/frontend/src/components/Layout.tsx
+++ b/frontend/src/components/Layout.tsx
@@ -42,6 +42,8 @@ export function Layout() {
                     {navItem('/admin/users', 'Users')}
                     {navItem('/admin/groups', 'Groups')}
                     {navItem('/admin/invitations', 'Invitations')}
+                    {navItem('/admin/tests', 'Tests')}
+                    {navItem('/admin/scenarios', 'Scenarios')}
                   </>
                 )}
                 <span className="font-mono text-2xs text-text-dim ml-2" data-testid="me-email">
@@ -69,7 +71,7 @@ export function Layout() {
         <Outlet />
 
         <footer className="mt-[60px] py-8 border-t border-border text-center font-mono text-xs text-text-dim">
-          metamorph · M0 bootstrap · M1 db schema · M2 auth · M3 rbac · M4 mitre · design system from tasks/design.md
+          metamorph · M0 bootstrap · M1 db schema · M2 auth · M3 rbac · M4 mitre · M5 templates · design system from tasks/design.md
         </footer>
       </div>
     </div>
diff --git a/frontend/src/components/MarkdownField.tsx b/frontend/src/components/MarkdownField.tsx
new file mode 100644
index 0000000..635793a
--- /dev/null
+++ b/frontend/src/components/MarkdownField.tsx
@@ -0,0 +1,45 @@
+import { useId, type TextareaHTMLAttributes } from 'react';
+
+import { cn } from '@/lib/cn';
+
+interface MarkdownFieldProps extends Omit<TextareaHTMLAttributes<HTMLTextAreaElement>, 'value' | 'onChange'> {
+  label: string;
+  value: string;
+  onChange: (next: string) => void;
+  rows?: number;
+  hint?: string;
+}
+
+/**
+ * Markdown-content textarea. We deliberately keep it textarea-only (no fancy
+ * WYSIWYG editor) — markdown lives well in plain text and the saved blob is
+ * rendered to HTML at display time (M6/M7 mission pages). The label exposes
+ * "markdown" so the user knows the field accepts MD syntax.
+ */
+export function MarkdownField({ label, value, onChange, rows = 6, hint, id, className, ...rest }: MarkdownFieldProps) {
+  const fallbackId = useId();
+  const inputId = id ?? fallbackId;
+  return (
+    <div className="block">
+      <label
+        htmlFor={inputId}
+        className="block font-mono text-3xs font-semibold uppercase tracking-wider2 text-text-dim"
+      >
+        {label} <span className="text-text-dim/60">· markdown</span>
+      </label>
+      <textarea
+        id={inputId}
+        rows={rows}
+        value={value}
+        onChange={(e) => onChange(e.target.value)}
+        className={cn(
+          'mt-1 w-full rounded-md border border-border bg-bg-card px-3 py-2 font-mono text-xs text-text-bright placeholder:text-text-dim',
+          'focus:border-cyan focus:outline-none',
+          className,
+        )}
+        {...rest}
+      />
+      {hint && <p className="mt-1 font-mono text-2xs text-text-dim">{hint}</p>}
+    </div>
+  );
+}
diff --git a/frontend/src/lib/templates.ts b/frontend/src/lib/templates.ts
new file mode 100644
index 0000000..faabcb8
--- /dev/null
+++ b/frontend/src/lib/templates.ts
@@ -0,0 +1,136 @@
+/**
+ * Shared types + query-key factory for the M5 template catalogue.
+ *
+ * Two resources: `test_templates` (atomic test units) and `scenario_templates`
+ * (ordered lists of tests). Both back the admin pages and feed the M6 mission
+ * wizard.
+ */
+
+import type { MitreTagKind } from './mitre';
+
+export type OpsecLevel = 'low' | 'medium' | 'high';
+
+export interface MitreTagOut {
+  kind: MitreTagKind;
+  external_id: string;
+  name: string;
+  url: string | null;
+}
+
+export interface MitreTagInWire {
+  kind: MitreTagKind;
+  external_id: string;
+}
+
+export interface TestTemplate {
+  id: string;
+  name: string;
+  description: string | null;
+  objective: string | null;
+  procedure_md: string | null;
+  prerequisites_md: string | null;
+  expected_result_red_md: string | null;
+  expected_detection_blue_md: string | null;
+  opsec_level: OpsecLevel;
+  tags: string[];
+  expected_iocs: string[];
+  mitre_tags: MitreTagOut[];
+  deleted_at: string | null;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface TestTemplateListResponse {
+  items: TestTemplate[];
+  total: number;
+  limit: number;
+  offset: number;
+}
+
+export interface CreateTestTemplatePayload {
+  name: string;
+  description?: string | null;
+  objective?: string | null;
+  procedure_md?: string | null;
+  prerequisites_md?: string | null;
+  expected_result_red_md?: string | null;
+  expected_detection_blue_md?: string | null;
+  opsec_level?: OpsecLevel;
+  tags?: string[];
+  expected_iocs?: string[];
+  mitre_tags?: MitreTagInWire[];
+}
+
+export type UpdateTestTemplatePayload = Partial<CreateTestTemplatePayload>;
+
+export interface ScenarioTest {
+  position: number;
+  test_template_id: string;
+  test_template_name: string;
+  test_template_deleted: boolean;
+}
+
+export interface ScenarioTemplate {
+  id: string;
+  name: string;
+  description: string | null;
+  tests: ScenarioTest[];
+  tests_count: number;
+  deleted_at: string | null;
+  created_at: string;
+  updated_at: string;
+}
+
+export interface ScenarioTemplateListResponse {
+  items: ScenarioTemplate[];
+  total: number;
+  limit: number;
+  offset: number;
+}
+
+export interface CreateScenarioPayload {
+  name: string;
+  description?: string | null;
+  test_template_ids?: string[];
+}
+
+export interface UpdateScenarioPayload {
+  name?: string;
+  description?: string | null;
+}
+
+export interface SetScenarioTestsPayload {
+  test_template_ids: string[];
+}
+
+export interface TestTemplateFilters {
+  q?: string;
+  tactic?: string;
+  technique?: string;
+  subtechnique?: string;
+  opsec?: OpsecLevel | '';
+  tag?: string;
+}
+
+export const templateKeys = {
+  // Test templates
+  tests: (filters?: TestTemplateFilters) =>
+    ['templates', 'tests', filters ?? {}] as const,
+  test: (id: string) => ['templates', 'tests', id] as const,
+  // Scenario templates
+  scenarios: (q?: string) => ['templates', 'scenarios', q ?? ''] as const,
+  scenario: (id: string) => ['templates', 'scenarios', id] as const,
+};
+
+export function buildTestQueryString(filters: TestTemplateFilters | undefined): string {
+  if (!filters) return '';
+  const params = new URLSearchParams();
+  if (filters.q) params.set('q', filters.q);
+  if (filters.tactic) params.set('tactic', filters.tactic);
+  if (filters.technique) params.set('technique', filters.technique);
+  if (filters.subtechnique) params.set('subtechnique', filters.subtechnique);
+  if (filters.opsec) params.set('opsec', filters.opsec);
+  if (filters.tag) params.set('tag', filters.tag);
+  const s = params.toString();
+  return s ? `?${s}` : '';
+}
diff --git a/frontend/src/pages/AdminScenariosPage.tsx b/frontend/src/pages/AdminScenariosPage.tsx
new file mode 100644
index 0000000..e8c5901
--- /dev/null
+++ b/frontend/src/pages/AdminScenariosPage.tsx
@@ -0,0 +1,434 @@
+import {
+  DndContext,
+  KeyboardSensor,
+  PointerSensor,
+  closestCenter,
+  useSensor,
+  useSensors,
+  type DragEndEvent,
+} from '@dnd-kit/core';
+import {
+  SortableContext,
+  arrayMove,
+  sortableKeyboardCoordinates,
+  useSortable,
+  verticalListSortingStrategy,
+} from '@dnd-kit/sortable';
+import { CSS } from '@dnd-kit/utilities';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { useMemo, useState } from 'react';
+
+import { Alert } from '@/components/ui/Alert';
+import { Button } from '@/components/ui/Button';
+import { Card } from '@/components/ui/Card';
+import { Modal } from '@/components/ui/Modal';
+import { SectionHeader } from '@/components/ui/SectionHeader';
+import { Tag } from '@/components/ui/Tag';
+import { TextField } from '@/components/ui/TextField';
+import {
+  ApiError,
+  apiDelete,
+  apiGet,
+  apiPatch,
+  apiPost,
+  apiPut,
+} from '@/lib/api';
+import {
+  templateKeys,
+  type CreateScenarioPayload,
+  type ScenarioTemplate,
+  type ScenarioTemplateListResponse,
+  type TestTemplate,
+  type TestTemplateListResponse,
+} from '@/lib/templates';
+
+interface FormState {
+  name: string;
+  description: string;
+  test_ids: string[];
+}
+
+function blankForm(): FormState {
+  return { name: '', description: '', test_ids: [] };
+}
+
+function toForm(sc: ScenarioTemplate): FormState {
+  return {
+    name: sc.name,
+    description: sc.description ?? '',
+    test_ids: sc.tests.map((t) => t.test_template_id),
+  };
+}
+
+function useScenarios(q: string) {
+  return useQuery({
+    queryKey: templateKeys.scenarios(q),
+    queryFn: () =>
+      apiGet<ScenarioTemplateListResponse>(
+        `/scenario-templates${q ? `?q=${encodeURIComponent(q)}` : ''}`,
+      ),
+  });
+}
+
+function useTestCatalogue() {
+  return useQuery({
+    queryKey: templateKeys.tests({}),
+    queryFn: () => apiGet<TestTemplateListResponse>('/test-templates?limit=500'),
+  });
+}
+
+interface SortableTestRowProps {
+  id: string;
+  index: number;
+  name: string;
+  onRemove: () => void;
+}
+
+function SortableTestRow({ id, index, name, onRemove }: SortableTestRowProps) {
+  const { attributes, listeners, setNodeRef, transform, transition, isDragging } = useSortable({ id });
+  const style = {
+    transform: CSS.Transform.toString(transform),
+    transition,
+    opacity: isDragging ? 0.5 : 1,
+  };
+  return (
+    <li
+      ref={setNodeRef}
+      style={style}
+      className="flex items-center gap-2 rounded-md border border-border bg-bg-card px-3 py-2"
+      data-testid={`scenario-test-row-${id}`}
+    >
+      <button
+        type="button"
+        {...attributes}
+        {...listeners}
+        className="cursor-grab font-mono text-text-dim hover:text-text-bright active:cursor-grabbing"
+        aria-label={`Drag ${name}`}
+        data-testid={`drag-handle-${id}`}
+      >
+        ☰
+      </button>
+      <span className="font-mono text-2xs text-text-dim w-6">{String(index + 1).padStart(2, '0')}</span>
+      <span className="font-mono text-xs text-text-bright flex-1">{name}</span>
+      <Button variant="ghost" accent="rose" onClick={onRemove} aria-label={`Remove ${name}`}>
+        ✕
+      </Button>
+    </li>
+  );
+}
+
+export function AdminScenariosPage() {
+  const qc = useQueryClient();
+  const [q, setQ] = useState('');
+  const [creating, setCreating] = useState(false);
+  const [editing, setEditing] = useState<ScenarioTemplate | null>(null);
+  const [form, setForm] = useState<FormState>(blankForm());
+  const [error, setError] = useState<string | null>(null);
+
+  const scenarios = useScenarios(q);
+  const catalogue = useTestCatalogue();
+
+  const sensors = useSensors(
+    useSensor(PointerSensor, { activationConstraint: { distance: 5 } }),
+    useSensor(KeyboardSensor, { coordinateGetter: sortableKeyboardCoordinates }),
+  );
+
+  const create = useMutation({
+    mutationFn: (payload: CreateScenarioPayload) =>
+      apiPost<ScenarioTemplate>('/scenario-templates', payload),
+    onSuccess: async () => {
+      setCreating(false);
+      setForm(blankForm());
+      setError(null);
+      await qc.invalidateQueries({ queryKey: ['templates', 'scenarios'] });
+    },
+    onError: (e) => setError(humanError(e)),
+  });
+
+  const updateMeta = useMutation({
+    mutationFn: ({ id, name, description }: { id: string; name: string; description: string | null }) =>
+      apiPatch<ScenarioTemplate>(`/scenario-templates/${id}`, { name, description }),
+  });
+
+  const setTests = useMutation({
+    mutationFn: ({ id, test_template_ids }: { id: string; test_template_ids: string[] }) =>
+      apiPut<ScenarioTemplate>(`/scenario-templates/${id}/tests`, { test_template_ids }),
+  });
+
+  const remove = useMutation({
+    mutationFn: (id: string) => apiDelete<{ ok: boolean }>(`/scenario-templates/${id}`),
+    onSuccess: async () => {
+      await qc.invalidateQueries({ queryKey: ['templates', 'scenarios'] });
+    },
+  });
+
+  function openCreate() {
+    setForm(blankForm());
+    setError(null);
+    setCreating(true);
+  }
+
+  function openEdit(sc: ScenarioTemplate) {
+    setForm(toForm(sc));
+    setError(null);
+    setEditing(sc);
+  }
+
+  function onDragEnd(e: DragEndEvent) {
+    const { active, over } = e;
+    if (!over || active.id === over.id) return;
+    setForm((f) => {
+      const from = f.test_ids.indexOf(String(active.id));
+      const to = f.test_ids.indexOf(String(over.id));
+      if (from < 0 || to < 0) return f;
+      return { ...f, test_ids: arrayMove(f.test_ids, from, to) };
+    });
+  }
+
+  async function submit() {
+    setError(null);
+    if (!form.name.trim()) {
+      setError('Name is required.');
+      return;
+    }
+    try {
+      if (editing) {
+        // Two-step: metadata first, then ordered tests.
+        await updateMeta.mutateAsync({
+          id: editing.id,
+          name: form.name.trim(),
+          description: form.description || null,
+        });
+        await setTests.mutateAsync({ id: editing.id, test_template_ids: form.test_ids });
+      } else {
+        await create.mutateAsync({
+          name: form.name.trim(),
+          description: form.description || null,
+          test_template_ids: form.test_ids,
+        });
+      }
+      await qc.invalidateQueries({ queryKey: ['templates', 'scenarios'] });
+      setEditing(null);
+      setCreating(false);
+    } catch (e) {
+      setError(humanError(e));
+    }
+  }
+
+  const isModalOpen = creating || editing !== null;
+
+  const testNameById = useMemo(() => {
+    const map = new Map<string, string>();
+    catalogue.data?.items.forEach((t) => map.set(t.id, t.name));
+    return map;
+  }, [catalogue.data]);
+
+  // Tests available for inclusion (excluding already-picked + soft-deleted).
+  const availableTests = useMemo<TestTemplate[]>(() => {
+    if (!catalogue.data) return [];
+    const picked = new Set(form.test_ids);
+    return catalogue.data.items.filter((t) => !picked.has(t.id) && !t.deleted_at);
+  }, [catalogue.data, form.test_ids]);
+
+  return (
+    <>
+      <SectionHeader
+        prefix="Admin"
+        highlight="Scenarios"
+        accent="purple"
+        description="Ordered playbooks composed from the test catalogue. Drag rows to reorder; the order is the execution sequence."
+      />
+
+      <div className="mb-6 flex flex-wrap items-end gap-3">
+        <TextField
+          label="Search"
+          value={q}
+          onChange={(e) => setQ(e.target.value)}
+          placeholder="name or description"
+          data-testid="scenarios-search"
+        />
+        <Button accent="purple" onClick={openCreate} data-testid="create-scenario" className="ml-auto">
+          + New scenario
+        </Button>
+      </div>
+
+      {scenarios.isError && <Alert accent="red">Failed to load scenarios.</Alert>}
+
+      <div className="grid gap-3" data-testid="scenarios-list">
+        {scenarios.isLoading && <p className="font-mono text-xs text-text-dim">Loading…</p>}
+        {scenarios.data?.items.map((sc) => (
+          <Card
+            key={sc.id}
+            accent="purple"
+            title={sc.name}
+            sub={sc.description ?? '—'}
+            data-testid={`scenario-row-${sc.id}`}
+          >
+            <div className="flex flex-wrap items-center gap-2">
+              <Tag accent="purple">{sc.tests_count} test{sc.tests_count === 1 ? '' : 's'}</Tag>
+              {sc.tests.slice(0, 4).map((t) => (
+                <Tag key={`${sc.id}:${t.position}`} accent={t.test_template_deleted ? 'rose' : 'cyan'}>
+                  {t.position + 1}. {t.test_template_name}
+                </Tag>
+              ))}
+              {sc.tests.length > 4 && (
+                <Tag accent="yellow">+{sc.tests.length - 4} more</Tag>
+              )}
+              <div className="ml-auto flex gap-2">
+                <Button accent="purple" onClick={() => openEdit(sc)} data-testid={`edit-scenario-${sc.id}`}>
+                  Edit
+                </Button>
+                <Button
+                  accent="rose"
+                  variant="ghost"
+                  onClick={() => {
+                    if (window.confirm(`Soft-delete "${sc.name}"?`)) remove.mutate(sc.id);
+                  }}
+                  data-testid={`delete-scenario-${sc.id}`}
+                >
+                  Delete
+                </Button>
+              </div>
+            </div>
+          </Card>
+        ))}
+        {scenarios.data && scenarios.data.items.length === 0 && !scenarios.isLoading && (
+          <p className="font-mono text-2xs text-text-dim">No scenarios yet.</p>
+        )}
+      </div>
+
+      <Modal
+        open={isModalOpen}
+        title={editing ? `Scenario · ${editing.name}` : 'New scenario template'}
+        accent="purple"
+        onClose={() => {
+          setCreating(false);
+          setEditing(null);
+        }}
+        testid="scenario-template-modal"
+      >
+        {error && <Alert accent="red" className="mb-3">{error}</Alert>}
+        <div className="grid gap-3">
+          <TextField
+            label="Name"
+            value={form.name}
+            onChange={(e) => setForm((f) => ({ ...f, name: e.target.value }))}
+            data-testid="form-scenario-name"
+          />
+          <TextField
+            label="Description"
+            value={form.description}
+            onChange={(e) => setForm((f) => ({ ...f, description: e.target.value }))}
+            data-testid="form-scenario-description"
+          />
+
+          <div>
+            <p className="font-mono text-3xs font-semibold uppercase tracking-wider2 text-text-dim mb-2">
+              Tests in order ({form.test_ids.length})
+            </p>
+            {form.test_ids.length === 0 ? (
+              <p className="font-mono text-2xs text-text-dim mb-2">No test picked yet.</p>
+            ) : (
+              <DndContext sensors={sensors} collisionDetection={closestCenter} onDragEnd={onDragEnd}>
+                <SortableContext items={form.test_ids} strategy={verticalListSortingStrategy}>
+                  <ol className="grid gap-2 mb-3" data-testid="scenario-tests-ordered">
+                    {form.test_ids.map((id, idx) => (
+                      <SortableTestRow
+                        key={id}
+                        id={id}
+                        index={idx}
+                        name={testNameById.get(id) ?? '<missing>'}
+                        onRemove={() =>
+                          setForm((f) => ({ ...f, test_ids: f.test_ids.filter((t) => t !== id) }))
+                        }
+                      />
+                    ))}
+                  </ol>
+                </SortableContext>
+              </DndContext>
+            )}
+
+            <CataloguePicker
+              tests={availableTests}
+              onAdd={(id) => setForm((f) => ({ ...f, test_ids: [...f.test_ids, id] }))}
+            />
+          </div>
+
+          <div className="flex justify-end gap-2 pt-2">
+            <Button
+              variant="ghost"
+              onClick={() => {
+                setCreating(false);
+                setEditing(null);
+              }}
+            >
+              Cancel
+            </Button>
+            <Button
+              accent="purple"
+              onClick={submit}
+              disabled={create.isPending || updateMeta.isPending || setTests.isPending}
+              data-testid="form-scenario-submit"
+            >
+              {editing ? 'Save' : 'Create'}
+            </Button>
+          </div>
+        </div>
+      </Modal>
+    </>
+  );
+}
+
+interface CataloguePickerProps {
+  tests: TestTemplate[];
+  onAdd: (id: string) => void;
+}
+
+function CataloguePicker({ tests, onAdd }: CataloguePickerProps) {
+  const [q, setQ] = useState('');
+  const filtered = useMemo(() => {
+    const norm = q.trim().toLowerCase();
+    if (!norm) return tests.slice(0, 50);
+    return tests.filter((t) => t.name.toLowerCase().includes(norm)).slice(0, 50);
+  }, [tests, q]);
+
+  return (
+    <div className="rounded-md border border-border bg-bg-card p-3">
+      <p className="font-mono text-3xs font-semibold uppercase tracking-wider2 text-text-dim mb-2">
+        Add a test from the catalogue
+      </p>
+      <input
+        value={q}
+        onChange={(e) => setQ(e.target.value)}
+        placeholder="Search catalogue…"
+        className="mb-2 w-full rounded-md border border-border bg-bg-base px-3 py-2 font-mono text-xs text-text-bright placeholder:text-text-dim focus:border-cyan focus:outline-none"
+        data-testid="scenario-catalogue-search"
+      />
+      <ul className="max-h-48 overflow-auto grid gap-1" data-testid="scenario-catalogue-list">
+        {filtered.map((t) => (
+          <li key={t.id} className="flex items-center gap-2">
+            <button
+              type="button"
+              onClick={() => onAdd(t.id)}
+              className="flex-1 text-left rounded-sm px-2 py-1 font-mono text-xs text-text-bright hover:bg-bg-base"
+              data-testid={`catalogue-add-${t.id}`}
+            >
+              + {t.name}
+            </button>
+          </li>
+        ))}
+        {filtered.length === 0 && (
+          <li className="font-mono text-2xs text-text-dim">No matching test in the catalogue.</li>
+        )}
+      </ul>
+    </div>
+  );
+}
+
+function humanError(e: unknown): string {
+  if (e instanceof ApiError) {
+    const p = e.payload as { error?: string; message?: string } | null;
+    return p?.message ?? p?.error ?? `HTTP ${e.status}`;
+  }
+  return e instanceof Error ? e.message : 'Unexpected error';
+}
diff --git a/frontend/src/pages/AdminTestsPage.tsx b/frontend/src/pages/AdminTestsPage.tsx
new file mode 100644
index 0000000..ceb7b04
--- /dev/null
+++ b/frontend/src/pages/AdminTestsPage.tsx
@@ -0,0 +1,403 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { useState } from 'react';
+
+import { MarkdownField } from '@/components/MarkdownField';
+import { MitreTagPicker } from '@/components/MitreTagPicker';
+import { Alert } from '@/components/ui/Alert';
+import { Button } from '@/components/ui/Button';
+import { Card } from '@/components/ui/Card';
+import { Modal } from '@/components/ui/Modal';
+import { SectionHeader } from '@/components/ui/SectionHeader';
+import { Tag } from '@/components/ui/Tag';
+import { TextField } from '@/components/ui/TextField';
+import {
+  ApiError,
+  apiDelete,
+  apiGet,
+  apiPost,
+  apiPut,
+} from '@/lib/api';
+import { type MitreTag, type MitreTagKind } from '@/lib/mitre';
+import {
+  buildTestQueryString,
+  templateKeys,
+  type CreateTestTemplatePayload,
+  type OpsecLevel,
+  type TestTemplate,
+  type TestTemplateFilters,
+  type TestTemplateListResponse,
+} from '@/lib/templates';
+
+const OPSEC_LEVELS: OpsecLevel[] = ['low', 'medium', 'high'];
+
+interface FormState {
+  name: string;
+  description: string;
+  objective: string;
+  procedure_md: string;
+  prerequisites_md: string;
+  expected_result_red_md: string;
+  expected_detection_blue_md: string;
+  opsec_level: OpsecLevel;
+  tags: string;
+  expected_iocs: string;
+  mitre_tags: MitreTag[];
+}
+
+function blankForm(): FormState {
+  return {
+    name: '',
+    description: '',
+    objective: '',
+    procedure_md: '',
+    prerequisites_md: '',
+    expected_result_red_md: '',
+    expected_detection_blue_md: '',
+    opsec_level: 'medium',
+    tags: '',
+    expected_iocs: '',
+    mitre_tags: [],
+  };
+}
+
+function toForm(t: TestTemplate): FormState {
+  return {
+    name: t.name,
+    description: t.description ?? '',
+    objective: t.objective ?? '',
+    procedure_md: t.procedure_md ?? '',
+    prerequisites_md: t.prerequisites_md ?? '',
+    expected_result_red_md: t.expected_result_red_md ?? '',
+    expected_detection_blue_md: t.expected_detection_blue_md ?? '',
+    opsec_level: t.opsec_level,
+    tags: t.tags.join(', '),
+    expected_iocs: t.expected_iocs.join(', '),
+    mitre_tags: t.mitre_tags.map((tag) => ({
+      kind: tag.kind as MitreTagKind,
+      id: tag.external_id,
+      external_id: tag.external_id,
+      name: tag.name,
+    })),
+  };
+}
+
+function csvToList(s: string): string[] {
+  return s.split(',').map((x) => x.trim()).filter(Boolean);
+}
+
+function toPayload(form: FormState): CreateTestTemplatePayload {
+  return {
+    name: form.name.trim(),
+    description: form.description || null,
+    objective: form.objective || null,
+    procedure_md: form.procedure_md || null,
+    prerequisites_md: form.prerequisites_md || null,
+    expected_result_red_md: form.expected_result_red_md || null,
+    expected_detection_blue_md: form.expected_detection_blue_md || null,
+    opsec_level: form.opsec_level,
+    tags: csvToList(form.tags),
+    expected_iocs: csvToList(form.expected_iocs),
+    mitre_tags: form.mitre_tags.map((t) => ({ kind: t.kind, external_id: t.external_id })),
+  };
+}
+
+function useTestTemplates(filters: TestTemplateFilters) {
+  return useQuery({
+    queryKey: templateKeys.tests(filters),
+    queryFn: () =>
+      apiGet<TestTemplateListResponse>(`/test-templates${buildTestQueryString(filters)}`),
+  });
+}
+
+export function AdminTestsPage() {
+  const qc = useQueryClient();
+  const [filters, setFilters] = useState<TestTemplateFilters>({});
+  const [editing, setEditing] = useState<TestTemplate | null>(null);
+  const [creating, setCreating] = useState(false);
+  const [form, setForm] = useState<FormState>(blankForm());
+  const [error, setError] = useState<string | null>(null);
+
+  const tests = useTestTemplates(filters);
+
+  const create = useMutation({
+    mutationFn: (payload: CreateTestTemplatePayload) =>
+      apiPost<TestTemplate>('/test-templates', payload),
+    onSuccess: async () => {
+      setCreating(false);
+      setForm(blankForm());
+      setError(null);
+      await qc.invalidateQueries({ queryKey: ['templates', 'tests'] });
+    },
+    onError: (e) => setError(humanError(e)),
+  });
+
+  const update = useMutation({
+    mutationFn: ({ id, payload }: { id: string; payload: CreateTestTemplatePayload }) =>
+      apiPut<TestTemplate>(`/test-templates/${id}`, payload),
+    onSuccess: async () => {
+      setEditing(null);
+      setError(null);
+      await qc.invalidateQueries({ queryKey: ['templates', 'tests'] });
+    },
+    onError: (e) => setError(humanError(e)),
+  });
+
+  const remove = useMutation({
+    mutationFn: (id: string) => apiDelete<{ ok: boolean }>(`/test-templates/${id}`),
+    onSuccess: async () => {
+      await qc.invalidateQueries({ queryKey: ['templates', 'tests'] });
+    },
+  });
+
+  function openCreate() {
+    setForm(blankForm());
+    setError(null);
+    setCreating(true);
+  }
+
+  function openEdit(t: TestTemplate) {
+    setForm(toForm(t));
+    setError(null);
+    setEditing(t);
+  }
+
+  function submit() {
+    const payload = toPayload(form);
+    if (!payload.name) {
+      setError('Name is required.');
+      return;
+    }
+    if (editing) update.mutate({ id: editing.id, payload });
+    else create.mutate(payload);
+  }
+
+  const isModalOpen = creating || editing !== null;
+
+  return (
+    <>
+      <SectionHeader
+        prefix="Admin"
+        highlight="Tests"
+        accent="orange"
+        description="Reusable test units. Each test belongs to a scenario at instantiation time, but the catalogue lives independently."
+      />
+
+      <div className="mb-6 flex flex-wrap items-end gap-3" data-testid="tests-filters">
+        <TextField
+          label="Search"
+          placeholder="name or description"
+          value={filters.q ?? ''}
+          onChange={(e) => setFilters((f) => ({ ...f, q: e.target.value || undefined }))}
+          data-testid="filter-q"
+        />
+        <TextField
+          label="Tactic external_id"
+          placeholder="TA0006"
+          value={filters.tactic ?? ''}
+          onChange={(e) => setFilters((f) => ({ ...f, tactic: e.target.value || undefined }))}
+          data-testid="filter-tactic"
+        />
+        <label className="block">
+          <span className="block font-mono text-3xs font-semibold uppercase tracking-wider2 text-text-dim">
+            OPSEC
+          </span>
+          <select
+            value={filters.opsec ?? ''}
+            onChange={(e) =>
+              setFilters((f) => ({ ...f, opsec: (e.target.value as OpsecLevel | '') || undefined }))
+            }
+            className="mt-1 rounded-md border border-border bg-bg-card px-3 py-2 font-mono text-xs text-text-bright"
+            data-testid="filter-opsec"
+          >
+            <option value="">— all —</option>
+            {OPSEC_LEVELS.map((lv) => (
+              <option key={lv} value={lv}>{lv}</option>
+            ))}
+          </select>
+        </label>
+        <TextField
+          label="Free tag"
+          placeholder="phish"
+          value={filters.tag ?? ''}
+          onChange={(e) => setFilters((f) => ({ ...f, tag: e.target.value || undefined }))}
+          data-testid="filter-tag"
+        />
+        <Button accent="orange" onClick={openCreate} data-testid="create-test" className="ml-auto">
+          + New test
+        </Button>
+      </div>
+
+      {tests.isError && <Alert accent="red">Failed to load tests.</Alert>}
+
+      <div className="grid gap-3" data-testid="tests-list">
+        {tests.isLoading && <p className="font-mono text-xs text-text-dim">Loading…</p>}
+        {tests.data?.items.map((t) => (
+          <Card
+            key={t.id}
+            accent="orange"
+            title={t.name}
+            sub={t.description ?? '—'}
+            data-testid={`test-row-${t.id}`}
+          >
+            <div className="flex flex-wrap items-center gap-2">
+              <Tag accent={t.opsec_level === 'high' ? 'red' : t.opsec_level === 'low' ? 'green' : 'yellow'}>
+                opsec: {t.opsec_level}
+              </Tag>
+              {t.mitre_tags.map((tag) => (
+                <Tag
+                  key={`${tag.kind}:${tag.external_id}`}
+                  accent={tag.kind === 'tactic' ? 'cyan' : tag.kind === 'technique' ? 'orange' : 'purple'}
+                >
+                  {tag.external_id}
+                </Tag>
+              ))}
+              {t.tags.map((tg) => (
+                <Tag key={tg} accent="cyan">#{tg}</Tag>
+              ))}
+              <div className="ml-auto flex gap-2">
+                <Button accent="orange" onClick={() => openEdit(t)} data-testid={`edit-test-${t.id}`}>
+                  Edit
+                </Button>
+                <Button
+                  accent="rose"
+                  variant="ghost"
+                  onClick={() => {
+                    if (window.confirm(`Soft-delete "${t.name}"?`)) remove.mutate(t.id);
+                  }}
+                  data-testid={`delete-test-${t.id}`}
+                >
+                  Delete
+                </Button>
+              </div>
+            </div>
+          </Card>
+        ))}
+        {tests.data && tests.data.items.length === 0 && !tests.isLoading && (
+          <p className="font-mono text-2xs text-text-dim">No tests match the current filters.</p>
+        )}
+      </div>
+
+      <Modal
+        open={isModalOpen}
+        title={editing ? `Test · ${editing.name}` : 'New test template'}
+        accent="orange"
+        onClose={() => {
+          setCreating(false);
+          setEditing(null);
+        }}
+        testid="test-template-modal"
+      >
+        {error && <Alert accent="red" className="mb-3">{error}</Alert>}
+        <div className="grid gap-3">
+          <TextField
+            label="Name"
+            value={form.name}
+            onChange={(e) => setForm((f) => ({ ...f, name: e.target.value }))}
+            data-testid="form-name"
+          />
+          <TextField
+            label="Description"
+            value={form.description}
+            onChange={(e) => setForm((f) => ({ ...f, description: e.target.value }))}
+            data-testid="form-description"
+          />
+          <TextField
+            label="Objective (1-liner)"
+            value={form.objective}
+            onChange={(e) => setForm((f) => ({ ...f, objective: e.target.value }))}
+          />
+          <MarkdownField
+            label="Procedure"
+            value={form.procedure_md}
+            onChange={(v) => setForm((f) => ({ ...f, procedure_md: v }))}
+            data-testid="form-procedure"
+            hint="Step-by-step playbook. Markdown supported."
+          />
+          <MarkdownField
+            label="Prerequisites"
+            value={form.prerequisites_md}
+            onChange={(v) => setForm((f) => ({ ...f, prerequisites_md: v }))}
+          />
+          <div className="grid grid-cols-1 md:grid-cols-2 gap-3">
+            <MarkdownField
+              label="Red — expected result"
+              value={form.expected_result_red_md}
+              onChange={(v) => setForm((f) => ({ ...f, expected_result_red_md: v }))}
+              rows={4}
+            />
+            <MarkdownField
+              label="Blue — expected detection"
+              value={form.expected_detection_blue_md}
+              onChange={(v) => setForm((f) => ({ ...f, expected_detection_blue_md: v }))}
+              rows={4}
+            />
+          </div>
+          <label className="block">
+            <span className="block font-mono text-3xs font-semibold uppercase tracking-wider2 text-text-dim">
+              OPSEC level
+            </span>
+            <select
+              value={form.opsec_level}
+              onChange={(e) => setForm((f) => ({ ...f, opsec_level: e.target.value as OpsecLevel }))}
+              className="mt-1 rounded-md border border-border bg-bg-card px-3 py-2 font-mono text-xs text-text-bright"
+              data-testid="form-opsec"
+            >
+              {OPSEC_LEVELS.map((lv) => (
+                <option key={lv} value={lv}>{lv}</option>
+              ))}
+            </select>
+          </label>
+          <TextField
+            label="Free tags (comma-separated)"
+            value={form.tags}
+            onChange={(e) => setForm((f) => ({ ...f, tags: e.target.value }))}
+            data-testid="form-tags"
+            hint="e.g. phish, persistence, quick-win"
+          />
+          <TextField
+            label="Expected IOCs (comma-separated)"
+            value={form.expected_iocs}
+            onChange={(e) => setForm((f) => ({ ...f, expected_iocs: e.target.value }))}
+            hint="Indicators the blue team should look for"
+          />
+          <div>
+            <p className="font-mono text-3xs font-semibold uppercase tracking-wider2 text-text-dim mb-1">
+              MITRE ATT&amp;CK tags
+            </p>
+            <MitreTagPicker
+              value={form.mitre_tags}
+              onChange={(next) => setForm((f) => ({ ...f, mitre_tags: next }))}
+            />
+          </div>
+          <div className="flex justify-end gap-2 pt-2">
+            <Button
+              variant="ghost"
+              onClick={() => {
+                setCreating(false);
+                setEditing(null);
+              }}
+            >
+              Cancel
+            </Button>
+            <Button
+              accent="orange"
+              onClick={submit}
+              disabled={create.isPending || update.isPending}
+              data-testid="form-submit"
+            >
+              {editing ? 'Save' : 'Create'}
+            </Button>
+          </div>
+        </div>
+      </Modal>
+    </>
+  );
+}
+
+function humanError(e: unknown): string {
+  if (e instanceof ApiError) {
+    const p = e.payload as { error?: string; message?: string } | null;
+    return p?.message ?? p?.error ?? `HTTP ${e.status}`;
+  }
+  return e instanceof Error ? e.message : 'Unexpected error';
+}
-- 
2.49.1


From a5598233868e4915ded75357d8b340c1b06fa0da Mon Sep 17 00:00:00 2001
From: Knacky <knckydev@gmail.com>
Date: Tue, 12 May 2026 19:57:51 +0200
Subject: [PATCH 3/6] test(m5): playwright spec + docs (CHANGELOG, README,
 lessons, testing-m5)

- 4 Playwright tests: API CRUD round-trip, scenario reorder via PUT, SPA
  list + opsec filter, SPA scenario list rendering with ordered tests.
- afterAll restores the stable admin (admin@metamorph.local) per the
  test_admin memory rule.
- CHANGELOG M5 section + Fixed subsections for the LogRecord 'name'
  collision and the React `currentTarget` vs `target` quirk.
- README status bumps to M0-M5.
- tasks/lessons.md captures the new patterns (sentinel pattern for
  partial-update, FK ordering in /diag/reset, dnd-kit stable IDs).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md                   |  27 ++++
 README.md                      |   3 +-
 e2e/tests/m5-templates.spec.ts | 253 +++++++++++++++++++++++++++++++++
 tasks/lessons.md               |  12 ++
 tasks/testing-m5.md            | 131 +++++++++++++++++
 tasks/todo.md                  |   2 +-
 6 files changed, 426 insertions(+), 2 deletions(-)
 create mode 100644 e2e/tests/m5-templates.spec.ts
 create mode 100644 tasks/testing-m5.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ea2f1a0..37f8628 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,33 @@ All notable changes to this project will be documented here. Format: [Keep a Cha
 
 ## [Unreleased]
 
+### Added — M5 (Test & scenario templates)
+- **CRUD `test_templates`** (`app/services/test_templates.py` + `app/api/test_templates.py`):
+  - Fields: name, description, objective, procedure (markdown), prerequisites (markdown), expected result red, expected detection blue, OPSEC level (`low/medium/high`), free tags (TEXT[]), expected IOCs (TEXT[]).
+  - Polymorphic MITRE tag set (`(kind, external_id)` ↔ exactly one of `tactic_id`/`technique_id`/`subtechnique_id`). The wire payload uses ATT&CK external IDs — server resolves to UUIDs.
+  - Filters: `q` (LIKE on name/description), `tactic`/`technique`/`subtechnique` (joined via subquery on the polymorphic tag table), `opsec`, `tag` (array contains).
+  - REST: `GET /test-templates`, `GET /test-templates/{id}`, `POST /test-templates`, `PUT /test-templates/{id}` (partial, with explicit `_UNSET` sentinel so omitted fields stay untouched), `DELETE /test-templates/{id}` (soft).
+- **CRUD `scenario_templates`** (`app/services/scenario_templates.py` + `app/api/scenario_templates.py`):
+  - Ordered list of test_templates with `position` (UNIQUE `scenario_template_id, position`).
+  - Reorder via full replace: `PUT /scenario-templates/{id}/tests` deletes the join rows and re-inserts at positions `0..N-1` — clean atomic op that respects the UNIQUE constraint without a 2-phase position shuffle.
+  - The same test can appear multiple times (chained operations).
+  - REST: `GET`/`POST`/`PATCH` (metadata) / `DELETE` (soft) on `/scenario-templates`.
+- **Frontend**:
+  - `lib/templates.ts` — typed client + queryKey factory.
+  - `pages/AdminTestsPage.tsx` — list + filters (q, tactic, opsec, tag) + modal with full field set + embedded `<MitreTagPicker>` for tags.
+  - `pages/AdminScenariosPage.tsx` — list + modal with **@dnd-kit/sortable** vertical drag-and-drop on the ordered test list. New deps: `@dnd-kit/core`, `@dnd-kit/sortable`, `@dnd-kit/utilities`.
+  - `components/MarkdownField.tsx` — lean textarea with markdown hint (no heavy editor dep; rendering happens at display time in M7).
+  - Nav adds **Tests** and **Scenarios** links (admin-gated).
+- **/diag/reset** truncates the 4 new tables before the MITRE block — the `scenario_template_tests.test_template_id` FK is `ON DELETE RESTRICT`, so the order matters.
+- **Testing**:
+  - `backend/tests/test_templates.py` — **19 pytest** (create/list/filter by tactic+opsec+tag, MITRE tag resolution + replacement on update, soft-delete, perm gating, scenario create+reorder+delete, soft-deleted test linking semantics).
+  - `e2e/tests/m5-templates.spec.ts` — **4 Playwright** (API CRUD round-trip, scenario reorder, SPA list + opsec filter, SPA scenario list rendering with ordered tests).
+  - `tasks/testing-m5.md`.
+
+### Fixed (M5 implementation)
+- **`LogRecord` key collision**: `log.info(..., extra={"name": ...})` raises `KeyError("Attempt to overwrite 'name' in LogRecord")` because `name` is reserved by Python's stdlib logging. Renamed to `template_name`.
+- **React `currentTarget` null in deferred state updaters**: `onChange={(e) => setX((prev) => ({ ...prev, q: e.currentTarget.value }))}` blanked the page on the first user input because `currentTarget` is cleared after the listener bubble ends, before React invokes the updater. Switched all M5 handlers to `e.target.value`, which persists on the synthetic event.
+
 ### Added — M4 (MITRE ATT&CK Enterprise)
 - **STIX 2.1 parser + upsert** (`app/services/mitre_seed.py`): stdlib-only (`urllib.request` + `hashlib`), pinned to Enterprise v19.0 (`enterprise-attack-19.0.json`, sha256 `df520ea0…`). Parses 25k+ STIX objects → 15 tactics, 222 techniques, 475 sub-techniques in ~1.1 s. Skips revoked + deprecated, resolves sub-technique parents via `relationship[subtechnique-of]` with a `T1003.001 → T1003` dotted-id fallback, copies kill-chain phases into the `mitre_technique_tactics` M2M.
 - **CLI**: `flask metamorph seed-mitre [--source <path|url>] [--checksum-sha256 <hex>] [--skip-checksum]` (`app/cli.py`). `make seed-mitre` wraps it.
diff --git a/README.md b/README.md
index da324e7..59df5d2 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 Collaborative purple-team platform. Red team logs the tests they execute (procedure, command, timestamp); blue team annotates each test with detection evidence (alerts, logs, files). At the end of an engagement, Metamorph generates a standalone reveal.js slide deck classified by MITRE ATT&CK tactic.
 
-> **Status**: M0–M4 delivered (bootstrap → DB schema → auth → RBAC → MITRE ATT&CK reference). See `tasks/spec.md` for the full specification and `tasks/todo.md` for the milestone-by-milestone plan.
+> **Status**: M0–M5 delivered (bootstrap → DB schema → auth → RBAC → MITRE ATT&CK reference → test & scenario templates). See `tasks/spec.md` for the full specification and `tasks/todo.md` for the milestone-by-milestone plan.
 
 ## Stack
 
@@ -11,6 +11,7 @@ Collaborative purple-team platform. Red team logs the tests they execute (proced
 - **Auth (M2+)**: JWT access (1h) + refresh (30d), Argon2id, invite-link enrollment.
 - **RBAC (M3+)**: atomic permissions (31 codes) bundled into custom groups; 3 system groups seeded (`admin` / `redteam` / `blueteam`).
 - **MITRE ATT&CK (M4+)**: Enterprise reference catalogue pinned to v19.0, seedable via `make seed-mitre`.
+- **Template catalogue (M5+)**: reusable `test_templates` (markdown procedure, OPSEC level, free tags, expected IOCs, MITRE tags) + ordered `scenario_templates` with drag-and-drop reordering. Admin pages at `/admin/tests` and `/admin/scenarios`.
 - **Delivery**: docker-compose. TLS termination is expected to be handled by an external reverse proxy in production.
 
 ## Quickstart
diff --git a/e2e/tests/m5-templates.spec.ts b/e2e/tests/m5-templates.spec.ts
new file mode 100644
index 0000000..8a58963
--- /dev/null
+++ b/e2e/tests/m5-templates.spec.ts
@@ -0,0 +1,253 @@
+import { expect, test, type APIRequestContext, type Page } from '@playwright/test';
+
+/**
+ * M5 — Test + Scenario template catalogue.
+ *
+ * Verifies CRUD on /test-templates and /scenario-templates plus the admin SPA
+ * pages. We do NOT seed the full MITRE bundle here — M4 already covers that
+ * suite. This spec only needs ONE technique resolvable from a STIX-like
+ * shape (we ride on the same `/diag/reset` then re-seed MITRE so tag refs
+ * resolve).
+ */
+
+const ADMIN_EMAIL = `admin-${crypto.randomUUID().slice(0, 8)}@metamorph.local`;
+const ADMIN_PASSWORD = 'AdminPass1234!';
+
+async function resetAndMintToken(request: APIRequestContext): Promise<string> {
+  const r = await request.post('/api/v1/diag/reset');
+  expect(r.status()).toBe(200);
+  return (await r.json()).install_token as string;
+}
+
+async function loginAndGetAccess(
+  request: APIRequestContext,
+  email: string,
+  password: string,
+): Promise<string> {
+  const r = await request.post('/api/v1/auth/login', { data: { email, password } });
+  expect(r.status()).toBe(200);
+  return (await r.json()).access_token as string;
+}
+
+async function loginViaSpa(page: Page, email: string, password: string) {
+  await page.goto('/login');
+  await page.getByLabel(/email/i).fill(email);
+  await page.getByLabel(/password/i).fill(password);
+  await page.getByRole('button', { name: /sign in/i }).click();
+  await expect(page.getByTestId('me-email')).toHaveText(email);
+}
+
+test.describe.configure({ mode: 'serial' });
+
+test.describe('M5 — Template catalogue', () => {
+  test.beforeAll(async ({ request }) => {
+    const installToken = await resetAndMintToken(request);
+    const setup = await request.post('/api/v1/setup', {
+      data: { install_token: installToken, email: ADMIN_EMAIL, password: ADMIN_PASSWORD },
+    });
+    expect(setup.status()).toBe(201);
+    // MITRE re-sync — picker + tag refs rely on the canonical bundle.
+    const access = await loginAndGetAccess(request, ADMIN_EMAIL, ADMIN_PASSWORD);
+    const sync = await request.post('/api/v1/mitre/sync', {
+      headers: { Authorization: `Bearer ${access}` },
+    });
+    expect(sync.status()).toBe(200);
+  });
+
+  test.afterAll(async ({ request }) => {
+    // Restore the stable admin (cf. memory feedback_metamorph_test_admin):
+    // any wipe should leave admin@metamorph.local / AdminPass1234! usable.
+    const installToken = await resetAndMintToken(request);
+    await request.post('/api/v1/setup', {
+      data: {
+        install_token: installToken,
+        email: 'admin@metamorph.local',
+        password: 'AdminPass1234!',
+      },
+    });
+    // Re-seed MITRE so subsequent manual sessions don't see an empty matrix.
+    const access = await loginAndGetAccess(request, 'admin@metamorph.local', 'AdminPass1234!');
+    await request.post('/api/v1/mitre/sync', {
+      headers: { Authorization: `Bearer ${access}` },
+    });
+  });
+
+  // === API smoke ============================================================
+
+  test('CRUD test-templates via API', async ({ request }) => {
+    const access = await loginAndGetAccess(request, ADMIN_EMAIL, ADMIN_PASSWORD);
+    const auth = { Authorization: `Bearer ${access}` };
+
+    // Create
+    const r1 = await request.post('/api/v1/test-templates', {
+      headers: auth,
+      data: {
+        name: 'phish-link',
+        description: 'send a phishing email with tracked link',
+        objective: 'land a click',
+        procedure_md: '1. craft mail\n2. send\n3. await click',
+        opsec_level: 'low',
+        tags: ['phish', 'initial-access'],
+        expected_iocs: ['phish@example.com'],
+        mitre_tags: [
+          { kind: 'tactic', external_id: 'TA0001' },
+          { kind: 'technique', external_id: 'T1566' },
+        ],
+      },
+    });
+    expect(r1.status(), await r1.text()).toBe(201);
+    const created = await r1.json();
+    expect(created.name).toBe('phish-link');
+    expect(created.mitre_tags.length).toBe(2);
+    expect(created.tags).toContain('phish');
+
+    // Update — partial: change opsec only
+    const r2 = await request.put(`/api/v1/test-templates/${created.id}`, {
+      headers: auth,
+      data: { opsec_level: 'high' },
+    });
+    expect(r2.status()).toBe(200);
+    const updated = await r2.json();
+    expect(updated.opsec_level).toBe('high');
+    expect(updated.name).toBe('phish-link'); // untouched
+
+    // List + filter by tactic
+    const r3 = await request.get('/api/v1/test-templates?tactic=TA0001', {
+      headers: auth,
+    });
+    expect(r3.status()).toBe(200);
+    const list = await r3.json();
+    expect(list.items.map((it: { name: string }) => it.name)).toContain('phish-link');
+
+    // Reject unknown MITRE
+    const r4 = await request.post('/api/v1/test-templates', {
+      headers: auth,
+      data: {
+        name: 'bad',
+        mitre_tags: [{ kind: 'technique', external_id: 'T9999' }],
+      },
+    });
+    expect(r4.status()).toBe(400);
+    expect((await r4.json()).error).toBe('unknown_mitre_tag');
+
+    // Soft-delete
+    const r5 = await request.delete(`/api/v1/test-templates/${created.id}`, {
+      headers: auth,
+    });
+    expect(r5.status()).toBe(200);
+    const r6 = await request.get('/api/v1/test-templates', { headers: auth });
+    expect(
+      (await r6.json()).items.map((it: { name: string }) => it.name),
+    ).not.toContain('phish-link');
+  });
+
+  test('Scenario template: create + reorder + soft-delete', async ({ request }) => {
+    const access = await loginAndGetAccess(request, ADMIN_EMAIL, ADMIN_PASSWORD);
+    const auth = { Authorization: `Bearer ${access}` };
+
+    async function mkTest(name: string): Promise<string> {
+      const r = await request.post('/api/v1/test-templates', {
+        headers: auth,
+        data: { name },
+      });
+      expect(r.status()).toBe(201);
+      return (await r.json()).id as string;
+    }
+
+    const a = await mkTest('scn-step-a');
+    const b = await mkTest('scn-step-b');
+    const c = await mkTest('scn-step-c');
+
+    // Create with [a, b, c]
+    const r1 = await request.post('/api/v1/scenario-templates', {
+      headers: auth,
+      data: { name: 'ordered-scenario', test_template_ids: [a, b, c] },
+    });
+    expect(r1.status()).toBe(201);
+    const sc = await r1.json();
+    expect(sc.tests.map((t: { test_template_name: string }) => t.test_template_name)).toEqual([
+      'scn-step-a',
+      'scn-step-b',
+      'scn-step-c',
+    ]);
+
+    // Reorder → [c, a, b]
+    const r2 = await request.put(`/api/v1/scenario-templates/${sc.id}/tests`, {
+      headers: auth,
+      data: { test_template_ids: [c, a, b] },
+    });
+    expect(r2.status()).toBe(200);
+    const after = await r2.json();
+    expect(after.tests.map((t: { test_template_name: string }) => t.test_template_name)).toEqual([
+      'scn-step-c',
+      'scn-step-a',
+      'scn-step-b',
+    ]);
+
+    // Soft-delete the scenario.
+    const r3 = await request.delete(`/api/v1/scenario-templates/${sc.id}`, { headers: auth });
+    expect(r3.status()).toBe(200);
+    const list = await (await request.get('/api/v1/scenario-templates', { headers: auth })).json();
+    expect(list.items.map((it: { name: string }) => it.name)).not.toContain('ordered-scenario');
+  });
+
+  // === SPA smoke ============================================================
+
+  test('SPA — admin sees the test catalogue and can filter', async ({ page, request }) => {
+    // Seed two tests up front via the API — exercise the SPA list + filter
+    // pipeline without fighting the heavy create-modal (covered by API tests).
+    const access = await loginAndGetAccess(request, ADMIN_EMAIL, ADMIN_PASSWORD);
+    const auth = { Authorization: `Bearer ${access}` };
+    await request.post('/api/v1/test-templates', {
+      headers: auth,
+      data: { name: 'spa-list-fast', opsec_level: 'low', tags: ['fast'] },
+    });
+    await request.post('/api/v1/test-templates', {
+      headers: auth,
+      data: { name: 'spa-list-slow', opsec_level: 'high' },
+    });
+
+    await loginViaSpa(page, ADMIN_EMAIL, ADMIN_PASSWORD);
+    await page.goto('/admin/tests');
+
+    await expect(page.getByText('spa-list-fast')).toBeVisible();
+    await expect(page.getByText('spa-list-slow')).toBeVisible();
+
+    await page.getByTestId('filter-opsec').selectOption('high');
+    await expect(page.getByText('spa-list-slow')).toBeVisible();
+    await expect(page.getByText('spa-list-fast')).toBeHidden();
+  });
+
+  test('SPA — scenario list shows ordered tests with their position', async ({ page, request }) => {
+    // Seed a 3-test scenario via the API; the SPA must render the order as
+    // saved. Pointer-event drag is flaky in CI, and the API-level reorder
+    // test already covers the persistence pipeline.
+    const access = await loginAndGetAccess(request, ADMIN_EMAIL, ADMIN_PASSWORD);
+    const auth = { Authorization: `Bearer ${access}` };
+    const ids: string[] = [];
+    for (const name of ['drag-1', 'drag-2', 'drag-3']) {
+      const r = await request.post('/api/v1/test-templates', {
+        headers: auth,
+        data: { name },
+      });
+      ids.push((await r.json()).id);
+    }
+    const scResp = await request.post('/api/v1/scenario-templates', {
+      headers: auth,
+      data: {
+        name: 'spa-rendered-scenario',
+        test_template_ids: [ids[2], ids[0], ids[1]],
+      },
+    });
+    const scId = (await scResp.json()).id;
+
+    await loginViaSpa(page, ADMIN_EMAIL, ADMIN_PASSWORD);
+    await page.goto('/admin/scenarios');
+
+    const card = page.locator(`[data-testid="scenario-row-${scId}"]`);
+    await expect(card).toBeVisible();
+    await expect(card.getByText('1. drag-3')).toBeVisible();
+    await expect(card.getByText('2. drag-1')).toBeVisible();
+    await expect(card.getByText('3. drag-2')).toBeVisible();
+  });
+});
diff --git a/tasks/lessons.md b/tasks/lessons.md
index 4386376..2143545 100644
--- a/tasks/lessons.md
+++ b/tasks/lessons.md
@@ -78,6 +78,18 @@ project: Metamorph
 - **`podman compose stop api` puis `up -d api` casse les dépendances** entre containers (`db` healthy → `api` depends on it) : podman-compose ne résout pas la chaîne de deps quand on cible un seul service. Pour un override d'env, mieux vaut `make down && APP_ENV=test make up`.
 - **`/diag/reset` test-only** : exposer un endpoint qui truncate la DB est tentant pour les e2e mais ouvre une grosse surface en cas de fuite. Compromise actuel : autorisé en `dev` ET `test` (pas en prod), avec un log `WARNING` à chaque appel. Si jamais on déploie une stack dev publique, **désactiver** l'endpoint via env var.
 
+## 2026-05-12 — M5 templates + scenarios
+
+- **`extra={"name": ...}` dans `log.info()` crash silencieusement** — Python's `logging.LogRecord` réserve `name` (le logger name). Coût : 500 sur le POST, message peu parlant (`KeyError: "Attempt to overwrite 'name' in LogRecord"`). Fix : renommer la clé (`template_name`). Liste réservée à éviter : `name`, `msg`, `args`, `levelname`, `levelno`, `pathname`, `filename`, `module`, `funcName`, `created`, `msecs`, `lineno`, `thread`, `threadName`, `process`. Pattern : préfixer les clés extra par l'entité (`template_name`, `group_id`, `user_id` est OK mais `id` aussi est piégeux dans certains setups).
+- **React 18 + `setX((prev) => ({...prev, val: e.currentTarget.value }))` → page blanche au 1er input.** `e.currentTarget` est cleared après la fin du bubble, AVANT que l'updater fonctionnel exécute. Le synthetic event survit (pas de pooling depuis React 17), mais `currentTarget` est setté/cleared par le dispatcher. Fix : `e.target.value` (qui persiste sur le synthetic event), ou capturer `const v = e.currentTarget.value;` avant le `setX`. À garder en tête : tout `onChange` qui passe par un updater fonctionnel doit lire `e.target`, pas `e.currentTarget`.
+- **Sentinel `Any = object()` plutôt que `... (Ellipsis)`** pour les "field unset" optional en service Python. Pyright voit `... = object()` correctement comme `Any`, alors que `description: str | None | object = ...` rend `description.strip()` invalide. Pattern : `_UNSET: Any = object()` au top du module + `description: Any = _UNSET` dans la signature + `if description is not _UNSET: ...`. Net + typecheck-friendly.
+- **Postgres UNIQUE(scenario_id, position) + position-swap = ON CONFLICT pendant l'UPDATE.** Pour réordonner, le pattern naïf (UPDATE position) viole la contrainte sur le 1er swap. Trois options : (a) full delete + re-insert dans la même tx [retenu, atomique + lisible], (b) shift d'offset (UPDATE position = position + 1000 puis renumérotation), (c) deferred constraint. (a) gagne en simplicité — la liste rarement >50 éléments, le coût est négligeable.
+- **`@dnd-kit/sortable` requires `useSortable({ id })` IDs to be unique and stable across renders.** Si on utilise un index numérique comme id, drag-and-drop ne réagit pas. Utiliser `test_template_id` (UUID stable) marche directement.
+- **Frontend deps ajoutés à `package.json` sans `package-lock.json`** : le Dockerfile fait `npm install --no-audit --no-fund` sur fallback. OK pour M5 (3 deps `@dnd-kit/*`). À l'avenir, freeze un lockfile avant M14 pour build reproductibles.
+- **Playwright `getByTestId` est défini par `testIdAttributeName: 'data-testid'`** dans `playwright.config.ts`. Pour qu'un test-id descende sur l'input via TextField, il faut que `...rest` soit spread sur l'input (déjà OK dans `TextField.tsx`). Mais avec un wrapper `<div><label/><input/></div>`, `getByTestId` matche le DIV si le test-id est dessus. Bien le mettre sur l'élément interactif (input/button), pas sur le container.
+- **`/diag/reset` truncate order matters** : `scenario_template_tests.test_template_id` est FK `ON DELETE RESTRICT`, donc il faut truncate `scenario_template_tests` AVANT `test_templates`. Hierarchy : `scenario_template_tests → scenario_templates → test_template_mitre_tags → test_templates → mitre_*`. Maintenant inscrite dans `diag.py`.
+- **Modal embarquant le `MitreTagPicker` complet (15 cols × 50 techniques)** : le picker se charge via `/mitre/matrix` (~94 KB). Affichage instantané, OK. Pour de futurs modals lourds, considérer le lazy-render derrière un toggle ou tab.
+
 <!--
 Template for future entries:
 
diff --git a/tasks/testing-m5.md b/tasks/testing-m5.md
new file mode 100644
index 0000000..15b09af
--- /dev/null
+++ b/tasks/testing-m5.md
@@ -0,0 +1,131 @@
+---
+type: testing
+milestone: M5
+date: "2026-05-12"
+project: Metamorph
+---
+
+# Testing M5 — Templates : tests unitaires & scénarios
+
+## 1. Lancement de la stack
+
+```bash
+make clean
+make up
+make migrate
+make seed-mitre   # tag picker needs the catalogue
+```
+
+> L'admin stable `admin@metamorph.local / AdminPass1234!` est restauré
+> automatiquement par le hook `afterAll` du spec e2e M5 — mais la 1ʳᵉ fois,
+> bootstrappe-le via `/setup` ou laisse les tests faire le travail.
+
+## 2. Tests automatisés
+
+```bash
+make test-api    # 77 tests pytest dont 19 M5 (CRUD, perm, mitre tags, reorder)
+make e2e         # 38 tests Playwright dont 4 M5 (API CRUD + scenario reorder + SPA list/filter)
+```
+
+Rapport HTML : `e2e/playwright-report/`. JUnit : `e2e/playwright-report/junit.xml`.
+
+## 3. Smoke navigateur
+
+### Pré-requis
+- Stack `make up` + admin loggé.
+- MITRE seedé (vérifier via `/mitre`).
+
+### 3.1 Catalogue de tests (`/admin/tests`)
+1. Cliquer **Tests** dans la nav admin → page chargée.
+2. Cliquer **+ New test** → modal s'ouvre avec :
+   - Champs : Name, Description, Objective, Procedure (markdown), Prerequisites, Red expected, Blue expected, OPSEC, Free tags, Expected IOCs.
+   - Sous-section **MITRE ATT&CK tags** : matrice complète, mêmes interactions que `/mitre`.
+3. Remplir au minimum `Name=phish-link`, OPSEC=`low`, ajouter 2 tags MITRE (ex. `TA0001 + T1566`) → **Create** → carte apparaît dans la liste avec chips OPSEC + MITRE.
+4. Cliquer **Edit** sur la carte → modal pré-remplie, modifier OPSEC à `high` → **Save** → la card est repeinte avec l'accent rouge OPSEC.
+5. Filtres en haut :
+   - `Search` (full-text q sur nom/description)
+   - `Tactic external_id` (ex. `TA0001`)
+   - `OPSEC` (select : —all— / low / medium / high)
+   - `Free tag` (mot-clé libre)
+6. Cliquer **Delete** sur une carte → confirm popup → la card disparaît (soft-delete : visible via `?include_deleted=true` côté API).
+
+### 3.2 Catalogue de scénarios (`/admin/scenarios`)
+1. Cliquer **Scenarios** dans la nav admin.
+2. **+ New scenario** → modal.
+   - Champs Name + Description.
+   - Catalogue picker en bas : champ de recherche + liste des tests dispos (max 50).
+3. Cliquer 3 tests dans le catalogue → ils s'empilent dans la liste ordonnée avec leurs indices `01/02/03`.
+4. **Drag-and-drop** : empoigner la poignée `☰` à gauche d'une ligne et glisser vers le haut/bas → la liste se réordonne. La grille met à jour les indices au relâchement.
+5. **Save** → carte apparaît avec un Tag « N tests » + l'aperçu des 4 premiers tests dans l'ordre choisi.
+6. Re-ouvrir Edit → l'ordre est persisté côté serveur (vérifie le numéro 01, 02, 03 dans la modal).
+7. Supprimer un `test_template` dont un scénario dépend (via `/admin/tests`) → la card scénario marque le test en rose dans le résumé (`test_template_deleted: true`).
+
+### 3.3 Permissions
+1. Inviter Bob via Admin > Invitations sans groupe → Bob peut se logger mais reçoit `403` sur `/api/v1/test-templates`.
+2. Lui attacher un groupe avec seulement `test_template.read` → Bob voit `/admin/tests`... non, l'UI gate sur `is_admin`. La perm seule donne l'accès API ; l'UI ne l'expose pas pour les non-admins (par design M5).
+3. Bob tente `POST /api/v1/test-templates` → `403` (manque `test_template.create`).
+
+## 4. Smoke API
+
+### 4.1 Login admin
+
+```bash
+ACCESS=$(curl -sX POST http://localhost:8080/api/v1/auth/login \
+  -H 'Content-Type: application/json' \
+  -d '{"email":"admin@metamorph.local","password":"AdminPass1234!"}' | jq -r .access_token)
+```
+
+### 4.2 Créer un test taggué MITRE
+
+```bash
+curl -sX POST http://localhost:8080/api/v1/test-templates \
+  -H "Authorization: Bearer $ACCESS" \
+  -H 'Content-Type: application/json' \
+  -d '{
+    "name": "lsass-dump",
+    "opsec_level": "high",
+    "tags": ["creds"],
+    "mitre_tags": [
+      {"kind":"technique","external_id":"T1003"},
+      {"kind":"subtechnique","external_id":"T1003.001"}
+    ]
+  }' | jq
+```
+
+### 4.3 Créer un scénario ordonné
+
+```bash
+# Suppose 3 ids: $A $B $C
+curl -sX POST http://localhost:8080/api/v1/scenario-templates \
+  -H "Authorization: Bearer $ACCESS" \
+  -H 'Content-Type: application/json' \
+  -d "{\"name\":\"chained\",\"test_template_ids\":[\"$A\",\"$B\",\"$C\"]}" | jq
+
+# Reorder (full replace)
+curl -sX PUT http://localhost:8080/api/v1/scenario-templates/<scn_id>/tests \
+  -H "Authorization: Bearer $ACCESS" \
+  -H 'Content-Type: application/json' \
+  -d "{\"test_template_ids\":[\"$C\",\"$A\",\"$B\"]}" | jq
+```
+
+### 4.4 Filtre par tactic
+
+```bash
+curl -s "http://localhost:8080/api/v1/test-templates?tactic=TA0006" \
+  -H "Authorization: Bearer $ACCESS" | jq '.items[].name'
+```
+
+## 5. Points de contrôle critiques
+
+- [x] `POST /test-templates` rejette MITRE inconnu avec `400 unknown_mitre_tag`.
+- [x] `POST /test-templates` rejette opsec hors `low/medium/high`.
+- [x] `PUT /test-templates/{id}` partial keeps unset fields.
+- [x] `PUT /test-templates/{id}` avec `mitre_tags` **remplace** la collection (pas d'append).
+- [x] `DELETE /test-templates/{id}` soft-delete (visible avec `?include_deleted=true`).
+- [x] `POST /scenario-templates` rejette test_template inconnu ou soft-deleted.
+- [x] `PUT /scenario-templates/{id}/tests` rewrite atomique (delete + re-insert, contrainte UNIQUE(position) honorée).
+- [x] Un test soft-deleted **après** linking reste référencé : `test_template_deleted: true` sur le scénario.
+- [x] Filtres list: `q`, `tactic`, `technique`, `subtechnique`, `opsec`, `tag` cumulatifs.
+- [x] Perm gating : `test_template.{read,create,update,delete}` + `scenario_template.{read,create,update,delete}`.
+- [x] `/diag/reset` truncate les 4 nouvelles tables (`scenario_template_tests`, `scenario_templates`, `test_template_mitre_tags`, `test_templates`) avant les tables MITRE.
+- [x] UI : drag-and-drop @dnd-kit/sortable réordonne la liste, save persistant.
diff --git a/tasks/todo.md b/tasks/todo.md
index f7be60b..28419e1 100644
--- a/tasks/todo.md
+++ b/tasks/todo.md
@@ -117,7 +117,7 @@ spec: tasks/spec.md
 
 ---
 
-## M5 — Templates : tests unitaires & scénarios ☐
+## M5 — Templates : tests unitaires & scénarios ☑
 
 **But** : admin peut bâtir le catalogue réutilisable.
 
-- 
2.49.1


From ce4bd40551a7a5b10b404acf795cfe5f51070011 Mon Sep 17 00:00:00 2001
From: Knacky <knckydev@gmail.com>
Date: Tue, 12 May 2026 20:05:00 +0200
Subject: [PATCH 4/6] =?UTF-8?q?fix(m5):=20post-review=20pass=20=E2=80=94?=
 =?UTF-8?q?=20AND=20filter,=20advisory=20lock,=20N+1,=20item=20caps,=20mut?=
 =?UTF-8?q?ation=20cache?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Spec-reviewer + code-reviewer findings applied:

Must-fix
- Filter combinator AND-semantics: tactic+technique+subtechnique now intersect
  (one IN subquery per facet) instead of being pooled into one OR. Reviewers
  flagged both the wrong default semantics and the theoretical UUID-collision
  risk of pooling tactic/technique/sub UUIDs into a shared list across
  three columns.
- Front-end mutation cache hygiene: updateMeta + setTests both
  `onSettled: invalidate` so a partial failure leaves the cache consistent.

Should-fix
- Per-scenario pg_advisory_xact_lock on set_scenario_tests — serialises
  concurrent reorders, mirrors M4 /mitre/sync pattern.
- Backend/front consistency on duplicate tests in a scenario: the
  UNIQUE(scenario_id, position) constraint already allows the same
  test_template multiple times (chained ops), so the catalogue picker no
  longer excludes already-picked items.

Nice-to-have
- N+1 eradicated in test_template view rendering: _to_views_batch
  builds {uuid → MitreRow} maps in 3 queries up-front; list endpoint
  now issues 4 queries total regardless of list size.
- Wire-level item length caps on tags (64) and expected_iocs (255)
  via Annotated[str, StringConstraints(...)] — returns 400 instead of
  bubbling up StringDataRightTruncation.
- 4 new pytest covering the AND-filter, extra="forbid" rejection,
  empty mitre_tags clearing, and the 65-char tag cap. Total now
  81 pytest + 38 e2e pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md                               |   9 +
 backend/app/api/test_templates.py          |  17 +-
 backend/app/services/scenario_templates.py |  16 +-
 backend/app/services/test_templates.py     | 188 ++++++++++++++++-----
 backend/tests/test_templates.py            |  75 ++++++++
 frontend/src/pages/AdminScenariosPage.tsx  |  16 +-
 tasks/testing-m5.md                        |   2 +-
 7 files changed, 267 insertions(+), 56 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 37f8628..614e350 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,15 @@ All notable changes to this project will be documented here. Format: [Keep a Cha
 - **`LogRecord` key collision**: `log.info(..., extra={"name": ...})` raises `KeyError("Attempt to overwrite 'name' in LogRecord")` because `name` is reserved by Python's stdlib logging. Renamed to `template_name`.
 - **React `currentTarget` null in deferred state updaters**: `onChange={(e) => setX((prev) => ({ ...prev, q: e.currentTarget.value }))}` blanked the page on the first user input because `currentTarget` is cleared after the listener bubble ends, before React invokes the updater. Switched all M5 handlers to `e.target.value`, which persists on the synthetic event.
 
+### Fixed (post-M5 review pass — spec-reviewer + code-reviewer)
+- **Filter combinator was OR, not AND** (`backend/app/services/test_templates.py:235`): `?tactic=TA0002&technique=T1059` returned templates matching *either* facet instead of *both*. Pre-fix also pooled all three UUIDs into a shared `IN` list across three columns, theoretically allowing a UUID collision to match across kinds. Refactored to one IN-subquery per facet, ANDed together via repeated `WHERE id IN (...)`.
+- **Concurrent reorder race on `set_scenario_tests`** (`backend/app/services/scenario_templates.py:207`): two parallel reorders on the same scenario could deadlock on the `UNIQUE(scenario_id, position)` constraint under READ COMMITTED. Added a per-scenario `pg_advisory_xact_lock(0x5C3, hash(scenario_id))` mirroring the M4 `/mitre/sync` pattern; different scenarios don't contend.
+- **N+1 on `_to_view` MITRE resolution** (`backend/app/services/test_templates.py:160`): rendering K templates with ~T tags each fired up to K×T `s.get(...)` calls. Added `_to_views_batch` that pre-builds `{uuid → MitreRow}` maps in 3 queries and feeds them to per-template view assembly; `list_test_templates` now issues 4 queries total regardless of list size.
+- **Wire-level item length cap on `tags` / `expected_iocs`** (`backend/app/api/test_templates.py:18-21`): the DB columns are `ARRAY(String(64))` / `ARRAY(String(255))` but the API layer only capped the LIST length, not item strings — long inputs hit the driver with `StringDataRightTruncation`. Added `Annotated[str, StringConstraints(...)]` types so the API returns 400 with a clean validation error.
+- **Front-end mutation cache hygiene** (`frontend/src/pages/AdminScenariosPage.tsx:148-156`): `updateMeta` and `setTests` mutations are run sequentially in `submit()`; on partial failure (metadata saved but reorder failed) the cache stayed stale. Both mutations now `onSettled: invalidate` so whatever step landed is reflected without manual refresh.
+- **Backend vs front-end consistency on duplicate tests in a scenario** (`frontend/src/pages/AdminScenariosPage.tsx:227-231`): the backend allows the same `test_template` to appear multiple times (chained ops; the UNIQUE constraint is `(scenario_id, position)` not `(scenario_id, test_template_id)`), but the catalogue picker was filtering out already-picked items. Removed the filter — only soft-deleted tests are excluded now.
+- **Test coverage closure** (`backend/tests/test_templates.py`): +4 pytest (tactic+technique AND-semantics, `extra="forbid"` rejection, empty `mitre_tags` explicit clear, 65-char tag length cap → 400). Total backend now 23 M5 tests + 39 elsewhere = 81 pass.
+
 ### Added — M4 (MITRE ATT&CK Enterprise)
 - **STIX 2.1 parser + upsert** (`app/services/mitre_seed.py`): stdlib-only (`urllib.request` + `hashlib`), pinned to Enterprise v19.0 (`enterprise-attack-19.0.json`, sha256 `df520ea0…`). Parses 25k+ STIX objects → 15 tactics, 222 techniques, 475 sub-techniques in ~1.1 s. Skips revoked + deprecated, resolves sub-technique parents via `relationship[subtechnique-of]` with a `T1003.001 → T1003` dotted-id fallback, copies kill-chain phases into the `mitre_technique_tactics` M2M.
 - **CLI**: `flask metamorph seed-mitre [--source <path|url>] [--checksum-sha256 <hex>] [--skip-checksum]` (`app/cli.py`). `make seed-mitre` wraps it.
diff --git a/backend/app/api/test_templates.py b/backend/app/api/test_templates.py
index 86754f4..8f18b55 100644
--- a/backend/app/api/test_templates.py
+++ b/backend/app/api/test_templates.py
@@ -12,11 +12,18 @@ import uuid
 from typing import Any
 
 from flask import Blueprint, jsonify, request
-from pydantic import BaseModel, Field, ValidationError
+from pydantic import BaseModel, Field, StringConstraints, ValidationError
+from typing import Annotated
 
 from app.core.auth_decorators import require_auth, require_perm
 from app.services import test_templates as svc
 
+# Tag and IOC entries are stored as PG ARRAY(String(N)). Cap items at the wire
+# layer so over-sized inputs return 400 with a useful message rather than the
+# bare StringDataRightTruncation from the driver.
+TagStr = Annotated[str, StringConstraints(min_length=1, max_length=64)]
+IocStr = Annotated[str, StringConstraints(min_length=1, max_length=255)]
+
 bp = Blueprint("test_templates", __name__, url_prefix="/test-templates")
 log = logging.getLogger("metamorph.api.test_templates")
 
@@ -40,8 +47,8 @@ class CreateTestTemplatePayload(BaseModel):
     expected_result_red_md: str | None = Field(default=None, max_length=32_000)
     expected_detection_blue_md: str | None = Field(default=None, max_length=32_000)
     opsec_level: str = Field(default="medium")
-    tags: list[str] = Field(default_factory=list, max_length=64)
-    expected_iocs: list[str] = Field(default_factory=list, max_length=128)
+    tags: list[TagStr] = Field(default_factory=list, max_length=64)
+    expected_iocs: list[IocStr] = Field(default_factory=list, max_length=128)
     mitre_tags: list[MitreTagIn] = Field(default_factory=list, max_length=64)
 
     model_config = {"extra": "forbid"}
@@ -56,8 +63,8 @@ class UpdateTestTemplatePayload(BaseModel):
     expected_result_red_md: str | None = Field(default=None, max_length=32_000)
     expected_detection_blue_md: str | None = Field(default=None, max_length=32_000)
     opsec_level: str | None = None
-    tags: list[str] | None = Field(default=None, max_length=64)
-    expected_iocs: list[str] | None = Field(default=None, max_length=128)
+    tags: list[TagStr] | None = Field(default=None, max_length=64)
+    expected_iocs: list[IocStr] | None = Field(default=None, max_length=128)
     mitre_tags: list[MitreTagIn] | None = Field(default=None, max_length=64)
 
     model_config = {"extra": "forbid"}
diff --git a/backend/app/services/scenario_templates.py b/backend/app/services/scenario_templates.py
index 968f7ad..d137545 100644
--- a/backend/app/services/scenario_templates.py
+++ b/backend/app/services/scenario_templates.py
@@ -17,7 +17,7 @@ from dataclasses import dataclass
 from datetime import datetime, timezone
 from typing import Any
 
-from sqlalchemy import func, or_, select
+from sqlalchemy import func, or_, select, text
 from sqlalchemy.orm import Session, selectinload
 
 _UNSET: Any = object()
@@ -208,8 +208,20 @@ def set_scenario_tests(
     scenario_id: uuid.UUID,
     test_template_ids: list[uuid.UUID],
 ) -> ScenarioTemplateView:
-    """Replace the entire ordered test list. `position` becomes the index."""
+    """Replace the entire ordered test list. `position` becomes the index.
+
+    Acquires a per-scenario advisory lock to serialise concurrent reorders.
+    Without it, two parallel `PUT /scenario-templates/{id}/tests` calls would
+    race on the wipe-then-insert sequence and deadlock on the UNIQUE(position)
+    constraint under READ COMMITTED. Mirrors the M4 pattern on /mitre/sync.
+    """
     with session_scope() as s:
+        # Lock keyed on the scenario UUID — different scenarios don't block
+        # each other. Two-int form: high-32 = constant, low-32 = hash of UUID.
+        s.execute(
+            text("SELECT pg_advisory_xact_lock(:n, :m)"),
+            {"n": 0x5C3, "m": hash(scenario_id) & 0xFFFFFFFF},
+        )
         sc = s.get(ScenarioTemplate, scenario_id)
         if sc is None or sc.deleted_at is not None:
             raise ScenarioTemplateNotFound()
diff --git a/backend/app/services/test_templates.py b/backend/app/services/test_templates.py
index 8570894..8702e78 100644
--- a/backend/app/services/test_templates.py
+++ b/backend/app/services/test_templates.py
@@ -157,24 +157,122 @@ def _resolve_mitre_refs(s: Session, refs: list[MitreTagRef]) -> list[TestTemplat
     return rows
 
 
+def _resolve_mitre_views(s: Session, tags: list[TestTemplateMitreTag]) -> list[MitreTagView]:
+    """Batch-resolve polymorphic MITRE FKs into MitreTagViews in 3 queries
+    total — one per kind — regardless of how many tags or templates the
+    caller is rendering.
+    """
+    tactic_ids = {t.tactic_id for t in tags if t.mitre_kind == "tactic" and t.tactic_id is not None}
+    technique_ids = {t.technique_id for t in tags if t.mitre_kind == "technique" and t.technique_id is not None}
+    sub_ids = {t.subtechnique_id for t in tags if t.mitre_kind == "subtechnique" and t.subtechnique_id is not None}
+
+    tactic_map: dict[uuid.UUID, MitreTactic] = {}
+    technique_map: dict[uuid.UUID, MitreTechnique] = {}
+    sub_map: dict[uuid.UUID, MitreSubtechnique] = {}
+    if tactic_ids:
+        tactic_map = {row.id: row for row in s.scalars(select(MitreTactic).where(MitreTactic.id.in_(tactic_ids))).all()}
+    if technique_ids:
+        technique_map = {
+            row.id: row
+            for row in s.scalars(select(MitreTechnique).where(MitreTechnique.id.in_(technique_ids))).all()
+        }
+    if sub_ids:
+        sub_map = {
+            row.id: row
+            for row in s.scalars(select(MitreSubtechnique).where(MitreSubtechnique.id.in_(sub_ids))).all()
+        }
+
+    views: list[MitreTagView] = []
+    for tag in tags:
+        if tag.mitre_kind == "tactic" and tag.tactic_id in tactic_map:
+            row_t = tactic_map[tag.tactic_id]
+            views.append(MitreTagView(kind="tactic", external_id=row_t.external_id, name=row_t.name, url=row_t.url))
+        elif tag.mitre_kind == "technique" and tag.technique_id in technique_map:
+            row_te = technique_map[tag.technique_id]
+            views.append(MitreTagView(kind="technique", external_id=row_te.external_id, name=row_te.name, url=row_te.url))
+        elif tag.mitre_kind == "subtechnique" and tag.subtechnique_id in sub_map:
+            row_sb = sub_map[tag.subtechnique_id]
+            views.append(MitreTagView(kind="subtechnique", external_id=row_sb.external_id, name=row_sb.name, url=row_sb.url))
+    views.sort(key=lambda v: (v.kind, v.external_id))
+    return views
+
+
+def _to_views_batch(s: Session, templates: list[TestTemplate]) -> list[TestTemplateView]:
+    """List-level batcher: one bulk MITRE resolve for all templates' tags.
+
+    For a list of K templates with ~T tags each, this issues 3 queries total
+    (one per MITRE kind) instead of 3K. We build (kind, uuid) → row maps
+    once, then assemble each template's view in memory.
+    """
+    tactic_ids: set[uuid.UUID] = set()
+    technique_ids: set[uuid.UUID] = set()
+    sub_ids: set[uuid.UUID] = set()
+    for t in templates:
+        for tag in t.mitre_tags:
+            if tag.mitre_kind == "tactic" and tag.tactic_id is not None:
+                tactic_ids.add(tag.tactic_id)
+            elif tag.mitre_kind == "technique" and tag.technique_id is not None:
+                technique_ids.add(tag.technique_id)
+            elif tag.mitre_kind == "subtechnique" and tag.subtechnique_id is not None:
+                sub_ids.add(tag.subtechnique_id)
+
+    tactic_map: dict[uuid.UUID, MitreTactic] = (
+        {row.id: row for row in s.scalars(select(MitreTactic).where(MitreTactic.id.in_(tactic_ids))).all()}
+        if tactic_ids
+        else {}
+    )
+    technique_map: dict[uuid.UUID, MitreTechnique] = (
+        {row.id: row for row in s.scalars(select(MitreTechnique).where(MitreTechnique.id.in_(technique_ids))).all()}
+        if technique_ids
+        else {}
+    )
+    sub_map: dict[uuid.UUID, MitreSubtechnique] = (
+        {row.id: row for row in s.scalars(select(MitreSubtechnique).where(MitreSubtechnique.id.in_(sub_ids))).all()}
+        if sub_ids
+        else {}
+    )
+
+    def _views_for(tags: list[TestTemplateMitreTag]) -> list[MitreTagView]:
+        out: list[MitreTagView] = []
+        for tag in tags:
+            if tag.mitre_kind == "tactic" and tag.tactic_id in tactic_map:
+                row_t = tactic_map[tag.tactic_id]
+                out.append(MitreTagView(kind="tactic", external_id=row_t.external_id, name=row_t.name, url=row_t.url))
+            elif tag.mitre_kind == "technique" and tag.technique_id in technique_map:
+                row_te = technique_map[tag.technique_id]
+                out.append(MitreTagView(kind="technique", external_id=row_te.external_id, name=row_te.name, url=row_te.url))
+            elif tag.mitre_kind == "subtechnique" and tag.subtechnique_id in sub_map:
+                row_sb = sub_map[tag.subtechnique_id]
+                out.append(MitreTagView(kind="subtechnique", external_id=row_sb.external_id, name=row_sb.name, url=row_sb.url))
+        out.sort(key=lambda v: (v.kind, v.external_id))
+        return out
+
+    views: list[TestTemplateView] = []
+    for t in templates:
+        views.append(
+            TestTemplateView(
+                id=t.id,
+                name=t.name,
+                description=t.description,
+                objective=t.objective,
+                procedure_md=t.procedure_md,
+                prerequisites_md=t.prerequisites_md,
+                expected_result_red_md=t.expected_result_red_md,
+                expected_detection_blue_md=t.expected_detection_blue_md,
+                opsec_level=t.opsec_level,
+                tags=list(t.tags or []),
+                expected_iocs=list(t.expected_iocs or []),
+                mitre_tags=_views_for(list(t.mitre_tags)),
+                deleted_at=t.deleted_at,
+                created_at=t.created_at,
+                updated_at=t.updated_at,
+            )
+        )
+    return views
+
+
 def _to_view(s: Session, t: TestTemplate) -> TestTemplateView:
-    tag_views: list[MitreTagView] = []
-    for tag in t.mitre_tags:
-        if tag.mitre_kind == "tactic" and tag.tactic_id is not None:
-            row = s.get(MitreTactic, tag.tactic_id)
-            if row is not None:
-                tag_views.append(MitreTagView(kind="tactic", external_id=row.external_id, name=row.name, url=row.url))
-        elif tag.mitre_kind == "technique" and tag.technique_id is not None:
-            row = s.get(MitreTechnique, tag.technique_id)
-            if row is not None:
-                tag_views.append(MitreTagView(kind="technique", external_id=row.external_id, name=row.name, url=row.url))
-        elif tag.mitre_kind == "subtechnique" and tag.subtechnique_id is not None:
-            row = s.get(MitreSubtechnique, tag.subtechnique_id)
-            if row is not None:
-                tag_views.append(
-                    MitreTagView(kind="subtechnique", external_id=row.external_id, name=row.name, url=row.url)
-                )
-    tag_views.sort(key=lambda v: (v.kind, v.external_id))
+    tag_views = _resolve_mitre_views(s, list(t.mitre_tags))
     return TestTemplateView(
         id=t.id,
         name=t.name,
@@ -232,41 +330,43 @@ def list_test_templates(
             stmt = stmt.where(TestTemplate.tags.any(tag))
             count_stmt = count_stmt.where(TestTemplate.tags.any(tag))
 
-        # MITRE facet: resolve external_id → uuid then filter via join subquery.
-        if tactic or technique or subtechnique:
-            tag_ids: list[uuid.UUID] = []
-            if tactic:
-                tac = s.scalar(select(MitreTactic).where(MitreTactic.external_id == tactic))
-                if tac is None:
-                    return [], 0
-                tag_ids.append(tac.id)
-            if technique:
-                tech = s.scalar(select(MitreTechnique).where(MitreTechnique.external_id == technique))
-                if tech is None:
-                    return [], 0
-                tag_ids.append(tech.id)
-            if subtechnique:
-                sub = s.scalar(select(MitreSubtechnique).where(MitreSubtechnique.external_id == subtechnique))
-                if sub is None:
-                    return [], 0
-                tag_ids.append(sub.id)
-            sub_q = (
+        # MITRE facets: each provided facet (tactic, technique, subtechnique) is
+        # AND-combined — a template tagged BOTH `TA0006` AND `T1003` matches a
+        # query with `?tactic=TA0006&technique=T1003`, but a template tagged
+        # only `TA0006` does NOT. Each facet matches strictly its own column
+        # (no cross-column UUID collision risk).
+        def _facet_subquery(column, mitre_id: uuid.UUID):
+            return (
                 select(TestTemplateMitreTag.test_template_id)
-                .where(
-                    or_(
-                        TestTemplateMitreTag.tactic_id.in_(tag_ids),
-                        TestTemplateMitreTag.technique_id.in_(tag_ids),
-                        TestTemplateMitreTag.subtechnique_id.in_(tag_ids),
-                    )
-                )
+                .where(column == mitre_id)
                 .distinct()
             )
+
+        if tactic:
+            tac = s.scalar(select(MitreTactic).where(MitreTactic.external_id == tactic))
+            if tac is None:
+                return [], 0
+            sub_q = _facet_subquery(TestTemplateMitreTag.tactic_id, tac.id)
+            stmt = stmt.where(TestTemplate.id.in_(sub_q))
+            count_stmt = count_stmt.where(TestTemplate.id.in_(sub_q))
+        if technique:
+            tech = s.scalar(select(MitreTechnique).where(MitreTechnique.external_id == technique))
+            if tech is None:
+                return [], 0
+            sub_q = _facet_subquery(TestTemplateMitreTag.technique_id, tech.id)
+            stmt = stmt.where(TestTemplate.id.in_(sub_q))
+            count_stmt = count_stmt.where(TestTemplate.id.in_(sub_q))
+        if subtechnique:
+            sub = s.scalar(select(MitreSubtechnique).where(MitreSubtechnique.external_id == subtechnique))
+            if sub is None:
+                return [], 0
+            sub_q = _facet_subquery(TestTemplateMitreTag.subtechnique_id, sub.id)
             stmt = stmt.where(TestTemplate.id.in_(sub_q))
             count_stmt = count_stmt.where(TestTemplate.id.in_(sub_q))
 
         total = s.scalar(count_stmt) or 0
         rows = s.scalars(stmt.limit(max(1, min(limit, 500))).offset(max(0, offset))).all()
-        return [_to_view(s, t) for t in rows], int(total)
+        return _to_views_batch(s, list(rows)), int(total)
 
 
 def get_test_template(template_id: uuid.UUID, *, include_deleted: bool = False) -> TestTemplateView:
diff --git a/backend/tests/test_templates.py b/backend/tests/test_templates.py
index 8b4bc4b..dc623f0 100644
--- a/backend/tests/test_templates.py
+++ b/backend/tests/test_templates.py
@@ -490,3 +490,78 @@ def test_scenario_perm_required(client, admin_token):
     _, eve_token = _bootstrap_user_without_perms(client, admin_token, "scn-eve")
     r = client.get("/api/v1/scenario-templates", headers=_bearer(eve_token))
     assert r.status_code == 403
+
+
+# === Post-review fixes ======================================================
+
+
+def test_list_filter_combines_facets_with_and_semantics(client, admin_token):
+    """A template tagged only `TA0002` is NOT in `?tactic=TA0002&technique=T1059`.
+
+    Pre-fix the OR-combined query would return it. AND-combined semantics
+    (one IN subquery per facet) restrict the set to templates matching ALL
+    requested facets.
+    """
+    a = _make_test(
+        client,
+        admin_token,
+        name="and-tactic-only",
+        mitre_tags=[{"kind": "tactic", "external_id": "TA0002"}],
+    )
+    b = _make_test(
+        client,
+        admin_token,
+        name="and-both-tags",
+        mitre_tags=[
+            {"kind": "tactic", "external_id": "TA0002"},
+            {"kind": "technique", "external_id": "T1059"},
+        ],
+    )
+    r = client.get(
+        "/api/v1/test-templates?tactic=TA0002&technique=T1059",
+        headers=_bearer(admin_token),
+    )
+    assert r.status_code == 200
+    names = [it["name"] for it in r.get_json()["items"]]
+    assert "and-both-tags" in names
+    assert "and-tactic-only" not in names
+    _ = a, b  # silence unused vars from linter
+
+
+def test_create_test_template_rejects_extra_fields(client, admin_token):
+    """`model_config = {"extra": "forbid"}` — unknown fields must 400."""
+    r = client.post(
+        "/api/v1/test-templates",
+        headers=_bearer(admin_token),
+        json={"name": "extra-test", "rogue_field": "smuggled"},
+    )
+    assert r.status_code == 400
+
+
+def test_update_test_template_explicit_empty_mitre_clears(client, admin_token):
+    """`PUT { mitre_tags: [] }` is an explicit clear, not a no-op."""
+    body = _make_test(
+        client,
+        admin_token,
+        name="clear-tags",
+        mitre_tags=[{"kind": "technique", "external_id": "T1059"}],
+    )
+    assert len(body["mitre_tags"]) == 1
+    r = client.put(
+        f"/api/v1/test-templates/{body['id']}",
+        headers=_bearer(admin_token),
+        json={"mitre_tags": []},
+    )
+    assert r.status_code == 200
+    assert r.get_json()["mitre_tags"] == []
+
+
+def test_tag_item_length_capped_at_64(client, admin_token):
+    """Individual `tags` items must be ≤ 64 chars at the wire layer."""
+    long_tag = "x" * 65
+    r = client.post(
+        "/api/v1/test-templates",
+        headers=_bearer(admin_token),
+        json={"name": "long-tag", "tags": [long_tag]},
+    )
+    assert r.status_code == 400
diff --git a/frontend/src/pages/AdminScenariosPage.tsx b/frontend/src/pages/AdminScenariosPage.tsx
index e8c5901..ed0f18c 100644
--- a/frontend/src/pages/AdminScenariosPage.tsx
+++ b/frontend/src/pages/AdminScenariosPage.tsx
@@ -145,14 +145,19 @@ export function AdminScenariosPage() {
     onError: (e) => setError(humanError(e)),
   });
 
+  // updateMeta and setTests both invalidate on success so a partial failure
+  // (metadata saved, reorder rejected) still leaves the cache consistent
+  // with whichever step landed.
   const updateMeta = useMutation({
     mutationFn: ({ id, name, description }: { id: string; name: string; description: string | null }) =>
       apiPatch<ScenarioTemplate>(`/scenario-templates/${id}`, { name, description }),
+    onSettled: () => qc.invalidateQueries({ queryKey: ['templates', 'scenarios'] }),
   });
 
   const setTests = useMutation({
     mutationFn: ({ id, test_template_ids }: { id: string; test_template_ids: string[] }) =>
       apiPut<ScenarioTemplate>(`/scenario-templates/${id}/tests`, { test_template_ids }),
+    onSettled: () => qc.invalidateQueries({ queryKey: ['templates', 'scenarios'] }),
   });
 
   const remove = useMutation({
@@ -223,12 +228,15 @@ export function AdminScenariosPage() {
     return map;
   }, [catalogue.data]);
 
-  // Tests available for inclusion (excluding already-picked + soft-deleted).
+  // Tests offered for inclusion. The same test_template MAY appear multiple
+  // times in a scenario (chained operations are a real purple-team pattern,
+  // cf. `scenario_template_tests` UNIQUE on `(scenario_id, position)`, not
+  // on `test_template_id`). So we do NOT exclude already-picked items —
+  // only soft-deleted ones, which the backend would reject.
   const availableTests = useMemo<TestTemplate[]>(() => {
     if (!catalogue.data) return [];
-    const picked = new Set(form.test_ids);
-    return catalogue.data.items.filter((t) => !picked.has(t.id) && !t.deleted_at);
-  }, [catalogue.data, form.test_ids]);
+    return catalogue.data.items.filter((t) => !t.deleted_at);
+  }, [catalogue.data]);
 
   return (
     <>
diff --git a/tasks/testing-m5.md b/tasks/testing-m5.md
index 15b09af..89103ee 100644
--- a/tasks/testing-m5.md
+++ b/tasks/testing-m5.md
@@ -23,7 +23,7 @@ make seed-mitre   # tag picker needs the catalogue
 ## 2. Tests automatisés
 
 ```bash
-make test-api    # 77 tests pytest dont 19 M5 (CRUD, perm, mitre tags, reorder)
+make test-api    # 81 tests pytest dont 23 M5 (CRUD, perm, mitre tags, reorder, AND-semantics, extra="forbid", item caps, empty-clear)
 make e2e         # 38 tests Playwright dont 4 M5 (API CRUD + scenario reorder + SPA list/filter)
 ```
 
-- 
2.49.1


From 873aa3774a4e69b15b596a6bccc9a7dc93a2e940 Mon Sep 17 00:00:00 2001
From: Knacky <knckydev@gmail.com>
Date: Wed, 13 May 2026 08:31:13 +0200
Subject: [PATCH 5/6] fix(m5): modal layout for the test-template editor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The +New test modal capped at max-w-2xl rendered the 15-column MITRE matrix
in a 672px frame with no height cap, so the matrix spilled to the right of
the dialog, the form bottom dropped below the viewport, and neither scroll
direction worked — buttons were unreachable.

- Modal: add a `size` prop (default 2xl, back-compat) with a `7xl` preset.
  Cap height at calc(100vh-2rem), make the header sticky, and wrap children
  in a min-w-0 flex-1 overflow-y-auto body so tall content scrolls inside.
- MitreTagPicker: move overflow-x-auto from the grid itself to a dedicated
  scroller wrapper, and add `min-w-0` so the constraint propagates from the
  modal body. The grid's 1680px intrinsic min-width previously prevented
  the parent's overflow-x-auto from kicking in.
- AdminTestsPage: switch the form layout from `grid gap-3` to `flex flex-col
  gap-3 min-w-0` and set the modal size to 7xl. The CSS Grid form was
  propagating min-width: auto to all its items, which let the picker drag
  the body past the modal width.
- AdminScenariosPage: bump the modal to size 3xl for breathing room around
  the catalogue picker.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md                               |  6 ++++
 frontend/src/components/MitreTagPicker.tsx | 15 +++++++---
 frontend/src/components/ui/Modal.tsx       | 35 +++++++++++++++++++---
 frontend/src/pages/AdminScenariosPage.tsx  |  1 +
 frontend/src/pages/AdminTestsPage.tsx      |  3 +-
 5 files changed, 51 insertions(+), 9 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 614e350..661d8d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,12 @@ All notable changes to this project will be documented here. Format: [Keep a Cha
 - **`LogRecord` key collision**: `log.info(..., extra={"name": ...})` raises `KeyError("Attempt to overwrite 'name' in LogRecord")` because `name` is reserved by Python's stdlib logging. Renamed to `template_name`.
 - **React `currentTarget` null in deferred state updaters**: `onChange={(e) => setX((prev) => ({ ...prev, q: e.currentTarget.value }))}` blanked the page on the first user input because `currentTarget` is cleared after the listener bubble ends, before React invokes the updater. Switched all M5 handlers to `e.target.value`, which persists on the synthetic event.
 
+### Fixed (post-M5 UI — modal layout for the test-template editor)
+- **Modal box capped its width at `max-w-2xl` and had no vertical scroll** (`frontend/src/components/ui/Modal.tsx`): opening **+ New test** rendered the 15-column MITRE matrix inside a 672 px frame with no height cap, so the matrix spilled to the right and the form bottom dropped below the viewport — buttons unreachable, no scroll. Added a `size` prop (default `2xl` for back-compat), `max-h-[calc(100vh-2rem)]` + `flex flex-col` on the dialog, and an inner `min-w-0 flex-1 overflow-y-auto` body so the header stays pinned while the form scrolls inside the modal.
+- **MITRE matrix overflow-x failed to scroll inside the modal body** (`frontend/src/components/MitreTagPicker.tsx`): `overflow-x-auto` sat directly on the grid element, but the grid's intrinsic min-width (`15 × minmax(7rem, …)` = 1680 px) prevented it from shrinking below its content, so the grid spilled outside its parent instead of scrolling. Wrapped the grid in a dedicated `overflow-x-auto rounded min-w-0 w-full` scroller and added `min-w-0` to the picker root so the constraint propagates from the modal body. The grid now scrolls horizontally inside the modal.
+- **`grid gap-3` form layout in the test-template modal propagated `min-width: auto`** (`frontend/src/pages/AdminTestsPage.tsx`): each grid item refused to shrink below its widest child, so the picker dragged the form (and the body) past the modal width. Switched the form to `flex flex-col gap-3 min-w-0`, which breaks the propagation while preserving vertical spacing.
+- **Test-template modal now uses `size="7xl"`** and the scenario-template modal `size="3xl"` to match their content density.
+
 ### Fixed (post-M5 review pass — spec-reviewer + code-reviewer)
 - **Filter combinator was OR, not AND** (`backend/app/services/test_templates.py:235`): `?tactic=TA0002&technique=T1059` returned templates matching *either* facet instead of *both*. Pre-fix also pooled all three UUIDs into a shared `IN` list across three columns, theoretically allowing a UUID collision to match across kinds. Refactored to one IN-subquery per facet, ANDed together via repeated `WHERE id IN (...)`.
 - **Concurrent reorder race on `set_scenario_tests`** (`backend/app/services/scenario_templates.py:207`): two parallel reorders on the same scenario could deadlock on the `UNIQUE(scenario_id, position)` constraint under READ COMMITTED. Added a per-scenario `pg_advisory_xact_lock(0x5C3, hash(scenario_id))` mirroring the M4 `/mitre/sync` pattern; different scenarios don't contend.
diff --git a/frontend/src/components/MitreTagPicker.tsx b/frontend/src/components/MitreTagPicker.tsx
index 4a51fef..e6312bc 100644
--- a/frontend/src/components/MitreTagPicker.tsx
+++ b/frontend/src/components/MitreTagPicker.tsx
@@ -83,7 +83,7 @@ export function MitreTagPicker({ value, onChange, className }: MitreTagPickerPro
   }
 
   return (
-    <div className={cn('rounded-lg border border-border bg-bg-card p-4', className)} data-testid="mitre-tag-picker">
+    <div className={cn('rounded-lg border border-border bg-bg-card p-4 min-w-0', className)} data-testid="mitre-tag-picker">
       {/* Selection chips */}
       {value.length > 0 && (
         <div className="mb-3 flex flex-wrap items-center gap-1" data-testid="mitre-selected">
@@ -132,9 +132,15 @@ export function MitreTagPicker({ value, onChange, className }: MitreTagPickerPro
           aria-label="MITRE ATT&CK matrix"
           /* `minmax(7rem, 1fr)` ensures every cell is wide enough for the
            * longest single word in MITRE names (no mid-word breaks), and
-           * stretches to fill the container otherwise. Horizontal scroll only
-           * kicks in on narrow viewports below ~1680px. */
-          className="grid gap-px bg-border rounded overflow-x-auto"
+           * stretches to fill the container otherwise. The wrapper scrolls
+           * horizontally — placing `overflow-x-auto` on the grid itself fails
+           * because the grid's intrinsic min-width (15 × 7rem) prevents it
+           * from shrinking below its parent, so the grid spills out instead
+           * of scrolling. */
+          className="overflow-x-auto rounded min-w-0 w-full"
+        >
+        <div
+          className="grid gap-px bg-border"
           style={{
             gridTemplateColumns: `repeat(${matrix.data.tactics.length}, minmax(7rem, 1fr))`,
           }}
@@ -276,6 +282,7 @@ export function MitreTagPicker({ value, onChange, className }: MitreTagPickerPro
             );
           })}
         </div>
+        </div>
       )}
 
       <p className="mt-3 font-sans text-[11px] text-text-dim">
diff --git a/frontend/src/components/ui/Modal.tsx b/frontend/src/components/ui/Modal.tsx
index 0bdc464..99d4a17 100644
--- a/frontend/src/components/ui/Modal.tsx
+++ b/frontend/src/components/ui/Modal.tsx
@@ -4,6 +4,20 @@ import { Button } from '@/components/ui/Button';
 import { SectionHeader } from '@/components/ui/SectionHeader';
 import { type Accent } from '@/lib/cn';
 
+type ModalSize = 'md' | 'lg' | 'xl' | '2xl' | '3xl' | '4xl' | '5xl' | '6xl' | '7xl';
+
+const SIZE_CLASS: Record<ModalSize, string> = {
+  md: 'max-w-md',
+  lg: 'max-w-lg',
+  xl: 'max-w-xl',
+  '2xl': 'max-w-2xl',
+  '3xl': 'max-w-3xl',
+  '4xl': 'max-w-4xl',
+  '5xl': 'max-w-5xl',
+  '6xl': 'max-w-6xl',
+  '7xl': 'max-w-7xl',
+};
+
 interface ModalProps {
   open: boolean;
   title: string;
@@ -12,14 +26,27 @@ interface ModalProps {
   children: ReactNode;
   /** Optional name to give the dialog role for screen readers / Playwright. */
   testid?: string;
+  /** Max-width preset. Defaults to `2xl` to keep historical behavior. */
+  size?: ModalSize;
 }
 
 /**
  * Centered modal with a backdrop. Closes on Escape and on backdrop click.
  * The accessible name comes from the SectionHeader's `highlight`, so the dialog
  * can be located via `getByRole('dialog', { name: ... })`.
+ *
+ * The dialog caps its height at the viewport and scrolls its body internally,
+ * so tall content (MITRE matrix, long forms) never escapes the viewport.
  */
-export function Modal({ open, title, accent = 'cyan', onClose, children, testid }: ModalProps) {
+export function Modal({
+  open,
+  title,
+  accent = 'cyan',
+  onClose,
+  children,
+  testid,
+  size = '2xl',
+}: ModalProps) {
   const ref = useRef<HTMLDivElement>(null);
 
   useEffect(() => {
@@ -47,15 +74,15 @@ export function Modal({ open, title, accent = 'cyan', onClose, children, testid
         aria-modal="true"
         aria-label={title}
         data-testid={testid}
-        className="w-full max-w-2xl rounded-lg border border-border bg-bg-base p-6 shadow-2xl"
+        className={`flex w-full ${SIZE_CLASS[size]} max-h-[calc(100vh-2rem)] flex-col rounded-lg border border-border bg-bg-base shadow-2xl`}
       >
-        <div className="flex items-start justify-between gap-4">
+        <div className="flex shrink-0 items-start justify-between gap-4 border-b border-border px-6 pt-6 pb-2">
           <SectionHeader prefix="Edit" highlight={title} accent={accent} className="mt-0 mb-4" />
           <Button variant="ghost" onClick={onClose} aria-label="Close dialog">
             ✕
           </Button>
         </div>
-        {children}
+        <div className="min-w-0 flex-1 overflow-y-auto px-6 py-4">{children}</div>
       </div>
     </div>
   );
diff --git a/frontend/src/pages/AdminScenariosPage.tsx b/frontend/src/pages/AdminScenariosPage.tsx
index ed0f18c..8c9d6bd 100644
--- a/frontend/src/pages/AdminScenariosPage.tsx
+++ b/frontend/src/pages/AdminScenariosPage.tsx
@@ -309,6 +309,7 @@ export function AdminScenariosPage() {
         open={isModalOpen}
         title={editing ? `Scenario · ${editing.name}` : 'New scenario template'}
         accent="purple"
+        size="3xl"
         onClose={() => {
           setCreating(false);
           setEditing(null);
diff --git a/frontend/src/pages/AdminTestsPage.tsx b/frontend/src/pages/AdminTestsPage.tsx
index ceb7b04..29f89aa 100644
--- a/frontend/src/pages/AdminTestsPage.tsx
+++ b/frontend/src/pages/AdminTestsPage.tsx
@@ -281,6 +281,7 @@ export function AdminTestsPage() {
         open={isModalOpen}
         title={editing ? `Test · ${editing.name}` : 'New test template'}
         accent="orange"
+        size="7xl"
         onClose={() => {
           setCreating(false);
           setEditing(null);
@@ -288,7 +289,7 @@ export function AdminTestsPage() {
         testid="test-template-modal"
       >
         {error && <Alert accent="red" className="mb-3">{error}</Alert>}
-        <div className="grid gap-3">
+        <div className="flex flex-col gap-3 min-w-0">
           <TextField
             label="Name"
             value={form.name}
-- 
2.49.1


From a7e5bc030fa5efab8836410fbdc6243d0dc54da1 Mon Sep 17 00:00:00 2001
From: Knacky <knckydev@gmail.com>
Date: Wed, 13 May 2026 09:29:27 +0200
Subject: [PATCH 6/6] =?UTF-8?q?fix(m5):=20scenario=20reorder=20500=20?=
 =?UTF-8?q?=E2=80=94=20wrong=20pg=5Fadvisory=5Fxact=5Flock=20overload?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Editing a scenario and saving (with or without changes) returned 500:
  function pg_advisory_xact_lock(smallint, bigint) does not exist

Postgres only ships (int4, int4) and (bigint) variants. The two-arg call
passed `m = hash(uuid) & 0xFFFFFFFF` which can reach 2^32-1, so psycopg
promoted it to bigint and no overload matched.

Switched to the single-arg bigint form. While there, replaced Python's
built-in hash() with hashlib.blake2b(...) — the built-in is randomised
per process via PYTHONHASHSEED, so gunicorn workers were computing
different lock keys for the same scenario and the lock wasn't actually
serialising across workers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md                               |  4 ++++
 backend/app/services/scenario_templates.py | 13 ++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 661d8d5..dd72e11 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,10 @@ All notable changes to this project will be documented here. Format: [Keep a Cha
 - **`LogRecord` key collision**: `log.info(..., extra={"name": ...})` raises `KeyError("Attempt to overwrite 'name' in LogRecord")` because `name` is reserved by Python's stdlib logging. Renamed to `template_name`.
 - **React `currentTarget` null in deferred state updaters**: `onChange={(e) => setX((prev) => ({ ...prev, q: e.currentTarget.value }))}` blanked the page on the first user input because `currentTarget` is cleared after the listener bubble ends, before React invokes the updater. Switched all M5 handlers to `e.target.value`, which persists on the synthetic event.
 
+### Fixed (post-M5 — scenario reorder 500 + cross-worker lock correctness)
+- **`PUT /scenario-templates/{id}/tests` returned 500** (`backend/app/services/scenario_templates.py:218`): the two-argument form `pg_advisory_xact_lock(:n, :m)` failed with `function pg_advisory_xact_lock(smallint, bigint) does not exist`. Postgres only provides `(int4, int4)` and `(bigint)` overloads — psycopg promoted `m = hash(uuid) & 0xFFFFFFFF` (up to 2^32-1) to bigint and there's no matching overload. Switched to the single-argument bigint form with `CAST(:key AS bigint)`.
+- **Cross-worker lock was a no-op** (same site): Python's built-in `hash()` is randomised per process via `PYTHONHASHSEED`, so each gunicorn worker computed a different key for the same `scenario_id`, and concurrent reorders on different workers acquired independent locks — defeating the serialisation. Replaced with `blake2b(scenario_id.bytes, digest_size=8)` interpreted as a signed int64. Stable, deterministic, fits in `bigint`.
+
 ### Fixed (post-M5 UI — modal layout for the test-template editor)
 - **Modal box capped its width at `max-w-2xl` and had no vertical scroll** (`frontend/src/components/ui/Modal.tsx`): opening **+ New test** rendered the 15-column MITRE matrix inside a 672 px frame with no height cap, so the matrix spilled to the right and the form bottom dropped below the viewport — buttons unreachable, no scroll. Added a `size` prop (default `2xl` for back-compat), `max-h-[calc(100vh-2rem)]` + `flex flex-col` on the dialog, and an inner `min-w-0 flex-1 overflow-y-auto` body so the header stays pinned while the form scrolls inside the modal.
 - **MITRE matrix overflow-x failed to scroll inside the modal body** (`frontend/src/components/MitreTagPicker.tsx`): `overflow-x-auto` sat directly on the grid element, but the grid's intrinsic min-width (`15 × minmax(7rem, …)` = 1680 px) prevented it from shrinking below its content, so the grid spilled outside its parent instead of scrolling. Wrapped the grid in a dedicated `overflow-x-auto rounded min-w-0 w-full` scroller and added `min-w-0` to the picker root so the constraint propagates from the modal body. The grid now scrolls horizontally inside the modal.
diff --git a/backend/app/services/scenario_templates.py b/backend/app/services/scenario_templates.py
index d137545..258a023 100644
--- a/backend/app/services/scenario_templates.py
+++ b/backend/app/services/scenario_templates.py
@@ -12,6 +12,7 @@ The same test_template may legitimately appear multiple times in a scenario
 
 from __future__ import annotations
 
+import hashlib
 import uuid
 from dataclasses import dataclass
 from datetime import datetime, timezone
@@ -217,10 +218,16 @@ def set_scenario_tests(
     """
     with session_scope() as s:
         # Lock keyed on the scenario UUID — different scenarios don't block
-        # each other. Two-int form: high-32 = constant, low-32 = hash of UUID.
+        # each other. Single bigint form so we don't have to juggle int32
+        # signed ranges. blake2b is used instead of Python's built-in hash()
+        # because the latter is randomised per-process (PYTHONHASHSEED), so
+        # two gunicorn workers would compute different keys for the same
+        # scenario and the lock wouldn't serialise across them.
+        digest = hashlib.blake2b(scenario_id.bytes, digest_size=8).digest()
+        lock_key = int.from_bytes(digest, "big", signed=True)
         s.execute(
-            text("SELECT pg_advisory_xact_lock(:n, :m)"),
-            {"n": 0x5C3, "m": hash(scenario_id) & 0xFFFFFFFF},
+            text("SELECT pg_advisory_xact_lock(CAST(:key AS bigint))"),
+            {"key": lock_key},
         )
         sc = s.get(ScenarioTemplate, scenario_id)
         if sc is None or sc.deleted_at is not None:
-- 
2.49.1