feat(backend): wire created_by_id, audit log, F11 scope into CRUD (MA4/5/6)

Three follow-ups on the flat CRUD blueprints triggered by code-review +
spec-analyst (MA4, MA5, MA6).

**MA4 — `created_by_id`** — engagements, TTPs and scenarios now record the
creator from `current_user.id` instead of leaving the FK NULL. The new
`api._helpers.current_user_id()` exposes the UUID safely (returns None when
the request is unauthenticated, e.g. during /healthz).

**MA5 — Audit log integration** — `api._helpers.audit_write(...)` wraps the
hash-chained `AuditWriter` and is called after every successful commit in
the 4 blueprints (engagement / host / ttp / scenario incl. step), recording
the actor, action, resource type/id, IP, user agent, and small metadata
(field list, names, engagement scope). F13 "Toute mutation tracée" now
holds end-to-end.

**MA6 — RT operator scope on engagements** — F11 limits RT operators to
"engagements assignés". The previous implementation let them list / read
every engagement and every nested resource. Fix: `is_rt_lead()` short-
circuits the check for RT leads; otherwise a membership probe against
`engagement_member` runs on every list/read and on `_engagement_or_404` in
`hosts.py` and `scenarios.py`. Listings now `JOIN engagement_member` and
filter by `current_user.id`.

`audit_write` casts `db.session` (a `scoped_session` proxy) to the unwrapped
`sqlalchemy.orm.Session` that `AuditWriter` expects; the two are
interchangeable at runtime.

The promotion-perm check on TTPs no longer needs a lazy `flask_login` import
since the decorator scope already brings `current_user` in.

backend/src/mimic/api/engagements.py

@@ -2,12 +2,21 @@
 
 from __future__ import annotations
 
+from uuid import UUID
+
 from flask import Blueprint, abort, jsonify
 from flask.typing import ResponseReturnValue
 from sqlalchemy import select
 
-from mimic.api._helpers import jsonify_model, parse_body, parse_uuid
-from mimic.db.models import Engagement
+from mimic.api._helpers import (
+    audit_write,
+    current_user_id,
+    is_rt_lead,
+    jsonify_model,
+    parse_body,
+    parse_uuid,
+)
+from mimic.db.models import Engagement, EngagementMember
 from mimic.db.types import EngagementStatus
 from mimic.extensions import db
 from mimic.rbac import Permission, require_perm
@@ -16,10 +25,39 @@ from mimic.schemas import EngagementCreate, EngagementRead, EngagementUpdate
 bp = Blueprint("engagements", __name__)
 
 
+def _engagement_or_404(eid: str) -> Engagement:
+    engagement = db.session.get(Engagement, parse_uuid(eid))
+    if engagement is None:
+        abort(404)
+    # MA6: RT operators may only see engagements they're assigned to.
+    if not is_rt_lead():
+        user_id = current_user_id()
+        if user_id is None or not _is_member(engagement.id, user_id):
+            abort(404)
+    return engagement
+
+
+def _is_member(engagement_id: UUID, user_id: UUID) -> bool:
+    stmt = select(EngagementMember).where(
+        EngagementMember.engagement_id == engagement_id,
+        EngagementMember.user_id == user_id,
+    )
+    return db.session.execute(stmt).scalar_one_or_none() is not None
+
+
 @bp.get("")
 @require_perm(Permission.ENGAGEMENT_READ)
 def list_engagements() -> ResponseReturnValue:
     stmt = select(Engagement).order_by(Engagement.created_at.desc())
+    # MA6: RT operators see only their assignments.
+    if not is_rt_lead():
+        user_id = current_user_id()
+        if user_id is None:
+            return jsonify([])
+        stmt = stmt.join(
+            EngagementMember,
+            EngagementMember.engagement_id == Engagement.id,
+        ).where(EngagementMember.user_id == user_id)
     rows = db.session.execute(stmt).scalars().all()
     return jsonify([EngagementRead.model_validate(row).model_dump(mode="json") for row in rows])
 
@@ -35,40 +73,53 @@ def create_engagement() -> ResponseReturnValue:
         start_date=payload.start_date,
         end_date=payload.end_date,
         status=EngagementStatus.DRAFT,
+        created_by_id=current_user_id(),
     )
     db.session.add(engagement)
     db.session.commit()
+    audit_write(
+        action="engagement.create",
+        resource_type="engagement",
+        resource_id=engagement.id,
+        metadata={"client_name": engagement.client_name},
+    )
     return jsonify_model(EngagementRead.model_validate(engagement), status=201)
 
 
 @bp.get("/<eid>")
 @require_perm(Permission.ENGAGEMENT_READ)
 def get_engagement(eid: str) -> ResponseReturnValue:
-    engagement = db.session.get(Engagement, parse_uuid(eid))
-    if engagement is None:
-        abort(404)
+    engagement = _engagement_or_404(eid)
     return jsonify_model(EngagementRead.model_validate(engagement))
 
 
 @bp.put("/<eid>")
 @require_perm(Permission.ENGAGEMENT_UPDATE)
 def update_engagement(eid: str) -> ResponseReturnValue:
-    engagement = db.session.get(Engagement, parse_uuid(eid))
-    if engagement is None:
-        abort(404)
+    engagement = _engagement_or_404(eid)
     payload = parse_body(EngagementUpdate)
-    for field, value in payload.model_dump(exclude_unset=True).items():
+    changes = payload.model_dump(exclude_unset=True)
+    for field, value in changes.items():
         setattr(engagement, field, value)
     db.session.commit()
+    audit_write(
+        action="engagement.update",
+        resource_type="engagement",
+        resource_id=engagement.id,
+        metadata={"fields": sorted(changes.keys())},
+    )
     return jsonify_model(EngagementRead.model_validate(engagement))
 
 
 @bp.delete("/<eid>")
 @require_perm(Permission.ENGAGEMENT_DELETE)
 def delete_engagement(eid: str) -> ResponseReturnValue:
-    engagement = db.session.get(Engagement, parse_uuid(eid))
-    if engagement is None:
-        abort(404)
+    engagement = _engagement_or_404(eid)
     engagement.status = EngagementStatus.ARCHIVED
     db.session.commit()
+    audit_write(
+        action="engagement.archive",
+        resource_type="engagement",
+        resource_id=engagement.id,
+    )
     return "", 204