chore: code-review cleanups (NITs + filename defense-in-depth test)

- NIT-1: remove dead _technique_names() and _technique_ids() helpers (no callers)
- NIT-2: rename engagement → _engagement in render_engagement_csv signature
- NIT-4: remove duplicate inline User import in test_export_csv_escapes_special_characters
- NIT-5: add comment on _CSV_FORMULA_TRIGGERS explaining \t and \r inclusion
- REUSE: replace custom _html_escape with stdlib html.escape (quote=True default)
- Remove now-unnecessary type: ignore comments on weasyprint (stubs resolve cleanly)
- Add test_export_filename_never_contains_quote_or_crlf defense-in-depth test

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/tests/test_export_engagement.py

@@ -136,8 +136,6 @@ def test_export_csv_escapes_special_characters(
     eng = _make_engagement(client, admin_token)
 
     with app.app_context():
-        from backend.app.models import User
-
         admin = User.query.filter_by(username="admin1").first()
         sim = Simulation(
             engagement_id=eng["id"],

backend/tests/test_export_render.py

@@ -247,3 +247,16 @@ def test_render_engagement_csv_does_not_alter_safe_strings(app) -> None:
         cells = _parse_csv_data_row(result)
         assert cells[1] == "Mimikatz LSASS Dump", "safe name must not be modified"
         assert cells[6] == "whoami /all", "safe commands must not be modified"
+
+
+def test_export_filename_never_contains_quote_or_crlf() -> None:
+    """Defense-in-depth: even with malicious engagement names, the filename
+    used in Content-Disposition must never contain header-injection chars."""
+    from types import SimpleNamespace
+
+    from backend.app.services.export import _export_filename
+    evil = SimpleNamespace(id=42, name='evil"name\r\nX-Injected: yes')
+    fname = _export_filename(evil, "md")
+    assert '"' not in fname
+    assert '\r' not in fname
+    assert '\n' not in fname