feat(backend): add Flask app factory, audit writer, flat CRUD + CLI (B0.7)

- Flask app factory wires SQLAlchemy / Migrate / Login / SocketIO and
  registers every blueprint. /healthz smoke endpoint included.
- Pydantic 2 DTOs (request/response) for engagement / host / TTP /
  scenario aggregates with from_attributes=True conversion.
- Flat CRUD blueprints under /api/v1/:
  * engagements (list / create / get / put / delete-as-archive)
  * hosts (engagement-scoped CRUD)
  * library/ttps (CRUD; promote requires the lead-only TTP_PROMOTE)
  * scenarios + steps (F3 invariant enforced: host.c2_type must match
    scenario.c2_type at compose time, 400 otherwise).
- @require_perm guards every endpoint per the F11 matrix.
- audit/ writer is hash-chained from v1 (SHA-256 of canonical record
  plus previous hash). The SQL-level write-only role enforcement ships
  in the deploy playbook (idempotent grants run at migration time).
- mimic-cli (click): user create (seeds RT operator/lead with group
  membership), db dump / db restore (manual pg_dump/pg_restore, R-O1).

No orchestrator, no WebSocket, no report generation — those land after
PR1/PR2/PR3.

backend/src/mimic/schemas/__init__.py

@@ -0,0 +1,33 @@
+"""Pydantic 2 request/response DTOs."""
+
+from mimic.schemas.engagement import (
+    EngagementCreate,
+    EngagementRead,
+    EngagementUpdate,
+)
+from mimic.schemas.host import HostCreate, HostRead, HostUpdate
+from mimic.schemas.scenario import (
+    ScenarioCreate,
+    ScenarioRead,
+    ScenarioStepCreate,
+    ScenarioStepRead,
+    ScenarioUpdate,
+)
+from mimic.schemas.ttp import TtpCreate, TtpRead, TtpUpdate
+
+__all__ = [
+    "EngagementCreate",
+    "EngagementRead",
+    "EngagementUpdate",
+    "HostCreate",
+    "HostRead",
+    "HostUpdate",
+    "ScenarioCreate",
+    "ScenarioRead",
+    "ScenarioStepCreate",
+    "ScenarioStepRead",
+    "ScenarioUpdate",
+    "TtpCreate",
+    "TtpRead",
+    "TtpUpdate",
+]