test(backend): add pytest baseline (B0.8)

Unit (SQLite, pure logic):
- test_templating.py: Jinja2 sandbox, regex_extract, strict-undefined,
  sandbox blocks attribute-access escape, output blob 10 MB cap.
- test_password.py: bcrypt hash + verify, empty / malformed handling.
- test_soc_token.py: 256-bit url-safe token + bcrypt verification.
- test_rbac_matrix.py: F11 invariants (lead ⊇ operator, SOC restricted
  to detection + report-read, audit_read & ttp_promote lead-only).
- test_connector_factory.py: register / build / double-register-rejected,
  TaskStatus terminal helper, Mythic mapping vs empty Home mapping.
- test_audit_hash.py: SHA-256 chain helper is deterministic and reacts
  to prev_hash / metadata changes.

Integration scaffold (testcontainers Postgres):
- tests/integration/conftest.py spins up postgres:16-alpine, monkeypatches
  MIMIC_DATABASE_URL, creates a Flask app + db.create_all.
- test_healthz.py: end-to-end smoke through the Flask test client.

38 unit tests pass; ruff clean.

backend/tests/unit/test_password.py

@@ -0,0 +1,31 @@
+"""Local-auth bcrypt helpers."""
+
+from __future__ import annotations
+
+import pytest
+
+from mimic.auth.password import check_password, hash_password
+
+
+def test_hash_then_check_succeeds() -> None:
+    hashed = hash_password("Sup3rSecret!", rounds=4)
+    assert check_password("Sup3rSecret!", hashed) is True
+
+
+def test_check_rejects_wrong_password() -> None:
+    hashed = hash_password("right", rounds=4)
+    assert check_password("wrong", hashed) is False
+
+
+def test_empty_password_raises() -> None:
+    with pytest.raises(ValueError, match="must not be empty"):
+        hash_password("")
+
+
+def test_check_missing_hash_returns_false() -> None:
+    assert check_password("anything", None) is False
+    assert check_password("anything", "") is False
+
+
+def test_check_invalid_hash_returns_false() -> None:
+    assert check_password("anything", "not-a-bcrypt-hash") is False