feat(backend): add §8 data model + Alembic baseline (B0.2, B0.3)

- SQLAlchemy 2 typed mapped classes for every spec §8 aggregate:
  engagement, c2_credential, host, user, group, group_permission,
  user_group, engagement_member, ttp, ttp_version, scenario,
  scenario_step, run, run_step, run_step_cleanup, detection, evidence,
  report, soc_session, audit_log.
- Shared mixins: UuidPkMixin (PG_UUID(as_uuid=True)) + TimestampsMixin.
- StrEnum types covering every spec enum (C2Type, PayloadType, UserType,
  EngagementStatus, HostStatus, TtpSource, RunStatus, RunStepStatus,
  CleanupStatus, DetectionLevel, DetectionSource, EvidenceStatus).
- Alembic baseline migration 202605210001_initial_schema: creates every
  table, enum, index, and idempotent grants for the audit_log
  write-only Postgres role (mimic_audit_writer).
- Audit log carries prev_hash / row_hash from v1 (D-009).
- ttp_version table coexists with run.snapshot_json (D-008,
  overrides H32).

backend/src/mimic/db/base.py

@@ -0,0 +1,59 @@
+"""Declarative base + shared mixins for all ORM models."""
+
+from __future__ import annotations
+
+import uuid
+from datetime import UTC, datetime
+
+from sqlalchemy import DateTime, MetaData, func
+from sqlalchemy.dialects.postgresql import UUID as PG_UUID
+from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
+
+NAMING_CONVENTION = {
+    "ix": "ix_%(column_0_label)s",
+    "uq": "uq_%(table_name)s_%(column_0_name)s",
+    "ck": "ck_%(table_name)s_%(constraint_name)s",
+    "fk": "fk_%(table_name)s_%(column_0_name)s_%(referred_table_name)s",
+    "pk": "pk_%(table_name)s",
+}
+
+
+class Base(DeclarativeBase):
+    """Project-wide declarative base.
+
+    UUID columns are declared explicitly on each model via `PG_UUID(as_uuid=True)`
+    rather than through a `type_annotation_map` — Flask-SQLAlchemy injects its
+    own registry which is incompatible with per-base annotation maps.
+    """
+
+    metadata = MetaData(naming_convention=NAMING_CONVENTION)
+
+
+class UuidPkMixin:
+    """Mixin: UUID v4 primary key generated client-side."""
+
+    id: Mapped[uuid.UUID] = mapped_column(
+        PG_UUID(as_uuid=True),
+        primary_key=True,
+        default=uuid.uuid4,
+    )
+
+
+def _utcnow() -> datetime:
+    return datetime.now(tz=UTC)
+
+
+class TimestampsMixin:
+    """Mixin: `created_at` / `updated_at` columns, UTC timezone-aware."""
+
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        server_default=func.now(),
+        nullable=False,
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        server_default=func.now(),
+        onupdate=_utcnow,
+        nullable=False,
+    )