test(backend): add pytest baseline (B0.8)

Unit (SQLite, pure logic):
- test_templating.py: Jinja2 sandbox, regex_extract, strict-undefined,
  sandbox blocks attribute-access escape, output blob 10 MB cap.
- test_password.py: bcrypt hash + verify, empty / malformed handling.
- test_soc_token.py: 256-bit url-safe token + bcrypt verification.
- test_rbac_matrix.py: F11 invariants (lead ⊇ operator, SOC restricted
  to detection + report-read, audit_read & ttp_promote lead-only).
- test_connector_factory.py: register / build / double-register-rejected,
  TaskStatus terminal helper, Mythic mapping vs empty Home mapping.
- test_audit_hash.py: SHA-256 chain helper is deterministic and reacts
  to prev_hash / metadata changes.

Integration scaffold (testcontainers Postgres):
- tests/integration/conftest.py spins up postgres:16-alpine, monkeypatches
  MIMIC_DATABASE_URL, creates a Flask app + db.create_all.
- test_healthz.py: end-to-end smoke through the Flask test client.

38 unit tests pass; ruff clean.

backend/tests/integration/conftest.py

@@ -0,0 +1,50 @@
+"""Integration-level fixtures: testcontainers Postgres + Flask app + db session.
+
+NF-state: SQLite is reserved for pure-logic unit tests; anything touching
+constraints, RBAC role grants, or audit-log SQL behavior must run on a real
+Postgres via testcontainers (spec H38).
+"""
+
+from __future__ import annotations
+
+from collections.abc import Iterator
+
+import pytest
+
+try:
+    from testcontainers.postgres import PostgresContainer
+except ImportError:  # pragma: no cover
+    PostgresContainer = None  # type: ignore[assignment]
+
+
+@pytest.fixture(scope="session")
+def postgres_dsn() -> Iterator[str]:
+    if PostgresContainer is None:
+        pytest.skip("testcontainers not installed")
+    with PostgresContainer("postgres:16-alpine") as pg:
+        url = pg.get_connection_url().replace(
+            "postgresql+psycopg2", "postgresql+psycopg"
+        )
+        yield url
+
+
+@pytest.fixture
+def app(postgres_dsn: str, monkeypatch: pytest.MonkeyPatch):
+    monkeypatch.setenv("MIMIC_DATABASE_URL", postgres_dsn)
+    monkeypatch.setenv("MIMIC_ENV", "testing")
+    monkeypatch.setenv("MIMIC_SECRET_KEY", "test-not-real")
+
+    from mimic.app import create_app  # noqa: PLC0415  (must follow env mutation)
+    from mimic.extensions import db  # noqa: PLC0415
+
+    application = create_app()
+    with application.app_context():
+        db.create_all()
+        yield application
+        db.session.remove()
+        db.drop_all()
+
+
+@pytest.fixture
+def client(app):
+    return app.test_client()

backend/tests/integration/test_healthz.py

@@ -0,0 +1,13 @@
+"""End-to-end smoke test: Flask app + Postgres testcontainer."""
+
+from __future__ import annotations
+
+import pytest
+
+pytestmark = pytest.mark.integration
+
+
+def test_healthz_returns_ok(client) -> None:
+    response = client.get("/healthz")
+    assert response.status_code == 200
+    assert response.get_json() == {"status": "ok"}