feat(backend): sprint 2 — simulations + MITRE ATT&CK

- Simulation model with full field set (redteam + SOC sides) and cascade delete
- Alembic migration 0002 for simulations table
- simulation_workflow service: PATCH RBAC field-level + auto-transition pending→in_progress + state machine
- mitre service: STIX bundle loader (boot-safe) + ranked search (exact-id > prefix-id > name)
- 7 new API endpoints: list/create/get/patch/delete simulations, transition, MITRE autocomplete
- serialize_simulation added to serializers.py
- Makefile update-mitre target with real curl + optional docker restart
- Dockerfile updated to copy backend/data/ into image
- MITRE enterprise-attack.json bundle committed (~45 MB)
- 67 new tests (total 130 passing), ruff clean, mypy introduces no new errors

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/migrations/versions/0002_add_simulations.py

@@ -0,0 +1,59 @@
+"""add simulations table
+
+Revision ID: 0002
+Revises: 0001
+Create Date: 2026-05-26 00:00:00.000000
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+revision = "0002"
+down_revision = "0001"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        "simulations",
+        sa.Column("id", sa.Integer(), primary_key=True),
+        sa.Column("engagement_id", sa.Integer(), nullable=False),
+        sa.Column("name", sa.String(length=255), nullable=False),
+        sa.Column("mitre_technique_id", sa.String(length=32), nullable=True),
+        sa.Column("mitre_technique_name", sa.String(length=255), nullable=True),
+        sa.Column("description", sa.Text(), nullable=True),
+        sa.Column("commands", sa.Text(), nullable=True),
+        sa.Column("prerequisites", sa.Text(), nullable=True),
+        sa.Column("executed_at", sa.DateTime(), nullable=True),
+        sa.Column("execution_result", sa.Text(), nullable=True),
+        sa.Column("log_source", sa.Text(), nullable=True),
+        sa.Column("logs", sa.Text(), nullable=True),
+        sa.Column("soc_comment", sa.Text(), nullable=True),
+        sa.Column("incident_number", sa.String(length=128), nullable=True),
+        sa.Column(
+            "status",
+            sa.Enum("pending", "in_progress", "review_required", "done", name="simulation_status"),
+            nullable=False,
+        ),
+        sa.Column("created_at", sa.DateTime(), nullable=False),
+        sa.Column("updated_at", sa.DateTime(), nullable=True),
+        sa.Column("created_by_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["engagement_id"], ["engagements.id"], ondelete="CASCADE",
+            name="fk_simulations_engagement_id_engagements",
+        ),
+        sa.ForeignKeyConstraint(
+            ["created_by_id"], ["users.id"], ondelete="RESTRICT",
+            name="fk_simulations_created_by_id_users",
+        ),
+    )
+    op.create_index("ix_simulations_engagement_id", "simulations", ["engagement_id"])
+    op.create_index("ix_simulations_created_by_id", "simulations", ["created_by_id"])
+
+
+def downgrade():
+    op.drop_index("ix_simulations_created_by_id", table_name="simulations")
+    op.drop_index("ix_simulations_engagement_id", table_name="simulations")
+    op.drop_table("simulations")
+    sa.Enum(name="simulation_status").drop(op.get_bind(), checkfirst=True)