test(backend): add pytest baseline (B0.8)

Unit (SQLite, pure logic):
- test_templating.py: Jinja2 sandbox, regex_extract, strict-undefined,
  sandbox blocks attribute-access escape, output blob 10 MB cap.
- test_password.py: bcrypt hash + verify, empty / malformed handling.
- test_soc_token.py: 256-bit url-safe token + bcrypt verification.
- test_rbac_matrix.py: F11 invariants (lead ⊇ operator, SOC restricted
  to detection + report-read, audit_read & ttp_promote lead-only).
- test_connector_factory.py: register / build / double-register-rejected,
  TaskStatus terminal helper, Mythic mapping vs empty Home mapping.
- test_audit_hash.py: SHA-256 chain helper is deterministic and reacts
  to prev_hash / metadata changes.

Integration scaffold (testcontainers Postgres):
- tests/integration/conftest.py spins up postgres:16-alpine, monkeypatches
  MIMIC_DATABASE_URL, creates a Flask app + db.create_all.
- test_healthz.py: end-to-end smoke through the Flask test client.

38 unit tests pass; ruff clean.

backend/tests/unit/test_rbac_matrix.py

@@ -0,0 +1,55 @@
+"""F11 matrix coverage tests."""
+
+from __future__ import annotations
+
+from mimic.rbac.matrix import GROUP_PERMISSIONS, GroupName, Permission
+
+
+def test_every_group_has_at_least_one_permission() -> None:
+    for group, perms in GROUP_PERMISSIONS.items():
+        assert perms, f"group {group.value} has no permissions"
+
+
+def test_rt_lead_is_superset_of_operator() -> None:
+    lead = GROUP_PERMISSIONS[GroupName.RT_LEAD]
+    operator = GROUP_PERMISSIONS[GroupName.RT_OPERATOR]
+    assert operator <= lead
+
+
+def test_soc_cannot_start_runs() -> None:
+    soc = GROUP_PERMISSIONS[GroupName.SOC_ANALYST]
+    assert Permission.RUN_START not in soc
+    assert Permission.RUN_CONTROL not in soc
+
+
+def test_only_lead_promotes_ttp() -> None:
+    operator = GROUP_PERMISSIONS[GroupName.RT_OPERATOR]
+    soc = GROUP_PERMISSIONS[GroupName.SOC_ANALYST]
+    assert Permission.TTP_PROMOTE not in operator
+    assert Permission.TTP_PROMOTE not in soc
+    assert Permission.TTP_PROMOTE in GROUP_PERMISSIONS[GroupName.RT_LEAD]
+
+
+def test_audit_read_lead_only() -> None:
+    for group in (GroupName.RT_OPERATOR, GroupName.SOC_ANALYST):
+        assert Permission.AUDIT_READ not in GROUP_PERMISSIONS[group]
+    assert Permission.AUDIT_READ in GROUP_PERMISSIONS[GroupName.RT_LEAD]
+
+
+def test_only_lead_issues_soc_tokens() -> None:
+    for group in (GroupName.RT_OPERATOR, GroupName.SOC_ANALYST):
+        assert Permission.ENGAGEMENT_SOC_TOKEN_ISSUE not in GROUP_PERMISSIONS[group]
+
+
+def test_operator_cannot_control_run() -> None:
+    operator = GROUP_PERMISSIONS[GroupName.RT_OPERATOR]
+    assert Permission.RUN_START not in operator
+    assert Permission.RUN_CONTROL not in operator
+
+
+def test_soc_can_only_read_report_and_add_detection() -> None:
+    soc = GROUP_PERMISSIONS[GroupName.SOC_ANALYST]
+    assert Permission.DETECTION_ADD in soc
+    assert Permission.REPORT_READ in soc
+    assert Permission.EVIDENCE_ADD not in soc
+    assert Permission.HOST_CRUD not in soc