feat(backend): sprint 5 — SimulationTemplate CRUD + instantiation

- SimulationTemplate model + migration 0005 (CREATE TABLE + name index)
- 5 CRUD endpoints under /api/templates (admin|redteam only, SOC 403)
- POST /api/engagements/<eid>/simulations extended with optional template_id
- serialize_template() reusing _enrich_techniques/_enrich_tactics helpers
- IntegrityError → 409 for duplicate name on both POST and PATCH
- 28 new tests (CRUD, RBAC, dedup, instantiation, migration round-trip)
- 221 tests pass; ruff clean; mypy clean

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/api/simulations.py

@@ -46,6 +46,7 @@ def create_simulation(eid: int):
     if not name:
         return jsonify({"error": "name is required"}), 400
 
+    template_id = data.get("template_id")
     sim = Simulation(
         engagement_id=eid,
         name=name,
@@ -53,6 +54,19 @@ def create_simulation(eid: int):
         created_at=datetime.now(UTC),
         created_by_id=g.current_user.id,
     )
+
+    if template_id is not None:
+        from backend.app.models.simulation_template import SimulationTemplate
+
+        tmpl = db.session.get(SimulationTemplate, template_id)
+        if tmpl is None:
+            return jsonify({"error": "Template not found"}), 404
+        sim.description = tmpl.description
+        sim.commands = tmpl.commands
+        sim.prerequisites = tmpl.prerequisites
+        sim.techniques = list(tmpl.techniques or [])
+        sim.tactic_ids = list(tmpl.tactic_ids or [])
+
     db.session.add(sim)
     db.session.commit()
     return jsonify(serialize_simulation(sim)), 201