test(backend): add pytest baseline (B0.8)

Unit (SQLite, pure logic):
- test_templating.py: Jinja2 sandbox, regex_extract, strict-undefined,
  sandbox blocks attribute-access escape, output blob 10 MB cap.
- test_password.py: bcrypt hash + verify, empty / malformed handling.
- test_soc_token.py: 256-bit url-safe token + bcrypt verification.
- test_rbac_matrix.py: F11 invariants (lead ⊇ operator, SOC restricted
  to detection + report-read, audit_read & ttp_promote lead-only).
- test_connector_factory.py: register / build / double-register-rejected,
  TaskStatus terminal helper, Mythic mapping vs empty Home mapping.
- test_audit_hash.py: SHA-256 chain helper is deterministic and reacts
  to prev_hash / metadata changes.

Integration scaffold (testcontainers Postgres):
- tests/integration/conftest.py spins up postgres:16-alpine, monkeypatches
  MIMIC_DATABASE_URL, creates a Flask app + db.create_all.
- test_healthz.py: end-to-end smoke through the Flask test client.

38 unit tests pass; ruff clean.

backend/tests/unit/test_soc_token.py

@@ -0,0 +1,27 @@
+"""SOC opaque token generation / verification."""
+
+from __future__ import annotations
+
+from mimic.auth.soc_token import generate_token, verify_token
+
+
+def test_generated_token_verifies() -> None:
+    material = generate_token(rounds=4)
+    assert verify_token(material.plain, material.hashed) is True
+
+
+def test_different_plain_does_not_verify() -> None:
+    material = generate_token(rounds=4)
+    assert verify_token("wrong-token", material.hashed) is False
+
+
+def test_plain_is_url_safe_and_long() -> None:
+    material = generate_token(rounds=4)
+    # 32 random bytes → ~43 url-safe base64 chars.
+    assert len(material.plain) >= 32
+    assert all(c.isalnum() or c in "-_" for c in material.plain)
+
+
+def test_verify_with_empty_values() -> None:
+    assert verify_token("", "$2b$04$abc") is False
+    assert verify_token("token", "") is False