feat: sprint 1 — auth + CRUD engagements

Ship the first feature end-to-end on the UI: users log in with JWT,
admins manage user accounts, and any authenticated user (per RBAC)
can create, list, view, edit, and delete engagements.

Backend (Flask + SQLAlchemy + SQLite, 63 pytest)
- User / Engagement models, Alembic 0001 initial schema
- argon2 password hashing, JWT bearer (60-min TTL), @login_required
  and @role_required decorators
- 13 API endpoints under /api/*, including last-admin protection on
  DELETE/PATCH user and JSON 404 on unknown /api/* paths
- `flask create-admin` CLI with duplicate / short-password handling

Frontend (React + Vite + Tailwind + TanStack Query, 20 vitest)
- Inter font bundled locally (no CDN), DESIGN.md tokens in Tailwind
- LoginPage / EngagementsList / EngagementForm / EngagementDetail /
  UsersAdmin pages with role-aware UI
- Layout, ProtectedRoute, StatusBadge, FormField, LoadingState,
  ErrorState, EmptyState, Toast + provider
- Axios client: Bearer interceptor, 401 → purge + /login + "Session
  expirée" toast, 403 → "Accès refusé" toast (declarative <Navigate>
  for already-authed users, Fragment-keyed admin user rows)

Deployment
- Single multistage Dockerfile (node:20-alpine → python:3.12-slim)
- docker/entrypoint.sh runs `flask db upgrade` before `flask run`
- Makefile: build/start/stop/restart/update/logs/create-admin/
  update-mitre/test-{backend,frontend,e2e}/clean
- .env.example documenting MIMIC_JWT_SECRET / MIMIC_DB_PATH / MIMIC_PORT
- SQLite at /data/mimic.sqlite on named volume mimic-data

Acceptance suite (Playwright, 36 tests, all 27 ACs)
- e2e/ scaffold with playwright.config + auth/api fixtures
- One spec per user story (us1-bootstrap through us6-deployment)
- Portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL (docker or podman)

Docs
- README.md with quick-start and architecture overview
- CHANGELOG.md updated with Sprint 1 deliverables
- pyrightconfig.json so the Python LSP sees backend/.venv and
  resolves the `backend.app.*` absolute imports

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

e2e/fixtures/api.ts

@@ -0,0 +1,171 @@
+/**
+ * Thin axios client used by tests to seed/teardown users and engagements
+ * without going through the UI. The bootstrap admin is created out-of-band
+ * (via `make create-admin`) and logs in once to provision per-suite users.
+ */
+import axios, { AxiosInstance, isAxiosError } from 'axios';
+
+export interface User {
+  id: number;
+  username: string;
+  role: 'admin' | 'redteam' | 'soc';
+  created_at: string | null;
+}
+
+export interface Engagement {
+  id: number;
+  name: string;
+  description: string | null;
+  start_date: string;
+  end_date: string | null;
+  status: 'planned' | 'active' | 'closed';
+  created_at: string | null;
+  created_by: { id: number; username: string } | null;
+}
+
+export type Role = User['role'];
+
+const BASE_URL = process.env.MIMIC_BASE_URL ?? 'http://localhost:5000';
+const BOOTSTRAP_ADMIN_USER = process.env.MIMIC_BOOTSTRAP_USER ?? 'root';
+const BOOTSTRAP_ADMIN_PASS = process.env.MIMIC_BOOTSTRAP_PASS ?? 'rootpass8';
+
+export function makeClient(token?: string): AxiosInstance {
+  return axios.create({
+    baseURL: `${BASE_URL}/api`,
+    headers: token ? { Authorization: `Bearer ${token}` } : undefined,
+    validateStatus: () => true, // tests assert on status themselves
+  });
+}
+
+export async function login(
+  username: string,
+  password: string,
+): Promise<{ token: string; user: User }> {
+  const client = makeClient();
+  const r = await client.post('/auth/login', { username, password });
+  if (r.status !== 200) {
+    throw new Error(`login(${username}) failed: ${r.status} ${JSON.stringify(r.data)}`);
+  }
+  return { token: r.data.access_token as string, user: r.data.user as User };
+}
+
+export async function adminToken(): Promise<string> {
+  const { token } = await login(BOOTSTRAP_ADMIN_USER, BOOTSTRAP_ADMIN_PASS);
+  return token;
+}
+
+/**
+ * Idempotent helper: ensures a user with the given username/role exists and
+ * has the requested password. Returns the user record.
+ *
+ * Strategy:
+ *   - try login: if it succeeds, we're done.
+ *   - else: as admin, list users; if username found, PATCH password+role; else POST.
+ */
+export async function ensureUser(
+  username: string,
+  password: string,
+  role: Role,
+): Promise<User> {
+  try {
+    const { user } = await login(username, password);
+    if (user.role !== role) {
+      const admin = await adminToken();
+      const client = makeClient(admin);
+      const r = await client.patch(`/users/${user.id}`, { role });
+      if (r.status !== 200) throw new Error(`patch role: ${r.status}`);
+      return r.data as User;
+    }
+    return user;
+  } catch {
+    // fall through to admin path
+  }
+  const admin = await adminToken();
+  const client = makeClient(admin);
+  const list = await client.get('/users');
+  if (list.status !== 200) {
+    throw new Error(`list users failed: ${list.status} ${JSON.stringify(list.data)}`);
+  }
+  const existing = (list.data as User[]).find((u) => u.username === username);
+  if (existing) {
+    const r = await client.patch(`/users/${existing.id}`, { password, role });
+    if (r.status !== 200) {
+      throw new Error(`patch user failed: ${r.status} ${JSON.stringify(r.data)}`);
+    }
+    return r.data as User;
+  }
+  const r = await client.post('/users', { username, password, role });
+  if (r.status !== 201) {
+    throw new Error(`create user failed: ${r.status} ${JSON.stringify(r.data)}`);
+  }
+  return r.data as User;
+}
+
+export async function deleteUserByUsername(token: string, username: string): Promise<void> {
+  const client = makeClient(token);
+  const list = await client.get('/users');
+  if (list.status !== 200) return;
+  const u = (list.data as User[]).find((x) => x.username === username);
+  if (!u) return;
+  await client.delete(`/users/${u.id}`);
+}
+
+export async function createEngagement(
+  token: string,
+  payload: Partial<Pick<Engagement, 'name' | 'description' | 'start_date' | 'end_date' | 'status'>>,
+): Promise<Engagement> {
+  const client = makeClient(token);
+  const body = {
+    name: payload.name ?? 'Test Engagement',
+    description: payload.description,
+    start_date: payload.start_date ?? '2026-01-01',
+    end_date: payload.end_date,
+    status: payload.status ?? 'planned',
+  };
+  const r = await client.post('/engagements', body);
+  if (r.status !== 201) {
+    throw new Error(`create engagement failed: ${r.status} ${JSON.stringify(r.data)}`);
+  }
+  return r.data as Engagement;
+}
+
+export async function deleteEngagement(token: string, id: number): Promise<void> {
+  const client = makeClient(token);
+  await client.delete(`/engagements/${id}`);
+}
+
+export async function listEngagements(token: string): Promise<Engagement[]> {
+  const client = makeClient(token);
+  const r = await client.get('/engagements');
+  if (r.status !== 200) {
+    throw new Error(`list engagements failed: ${r.status}`);
+  }
+  return r.data as Engagement[];
+}
+
+export async function deleteAllEngagements(token: string): Promise<void> {
+  const items = await listEngagements(token);
+  await Promise.all(items.map((e) => deleteEngagement(token, e.id)));
+}
+
+export async function waitForHealth(timeoutMs = 30_000): Promise<void> {
+  const deadline = Date.now() + timeoutMs;
+  const client = makeClient();
+  let lastErr: unknown = null;
+  while (Date.now() < deadline) {
+    try {
+      const r = await client.get('/health');
+      if (r.status === 200) return;
+    } catch (e) {
+      lastErr = e;
+    }
+    await new Promise((r) => setTimeout(r, 500));
+  }
+  throw new Error(
+    `backend not healthy after ${timeoutMs}ms: ${
+      isAxiosError(lastErr) ? lastErr.message : String(lastErr)
+    }`,
+  );
+}
+
+export const BASE = BASE_URL;

e2e/fixtures/auth.ts

@@ -0,0 +1,67 @@
+/**
+ * Playwright auth helpers: log in via the API once per role, hydrate
+ * localStorage so subsequent page.goto() lands inside the SPA already
+ * authenticated.
+ *
+ * Avoids the per-test cost of driving the LoginPage form just to land on
+ * /engagements. The actual UI login flow IS exercised in us2-login.spec.ts.
+ */
+import { type BrowserContext, type Page } from '@playwright/test';
+import { BASE, login, type Role, type User } from './api';
+
+export interface Session {
+  token: string;
+  user: User;
+}
+
+/**
+ * Inject token into localStorage so the SPA's bootstrap hook picks it up
+ * as if the user had already logged in. The frontend stores the JWT under
+ * `mimic.token` (see frontend/src/api/client.ts).
+ */
+export async function seedTokenInStorage(
+  context: BrowserContext,
+  token: string,
+): Promise<void> {
+  await context.addInitScript((t) => {
+    try {
+      window.localStorage.setItem('mimic.token', t);
+    } catch {
+      /* storage might not exist on about:blank — harmless */
+    }
+  }, token);
+}
+
+export async function clearAuthStorage(context: BrowserContext): Promise<void> {
+  await context.addInitScript(() => {
+    try {
+      window.localStorage.removeItem('mimic.token');
+    } catch {
+      /* noop */
+    }
+  });
+}
+
+/**
+ * Log in as the given role and return both the API session and a helper
+ * that prepares a Page with the auth token already seeded.
+ */
+export async function loginAs(
+  context: BrowserContext,
+  username: string,
+  password: string,
+): Promise<Session> {
+  const session = await login(username, password);
+  await seedTokenInStorage(context, session.token);
+  return session;
+}
+
+/**
+ * Convenience: navigate to a path on a page that's already had its
+ * context seeded with a token.
+ */
+export async function gotoApp(page: Page, path = '/engagements'): Promise<void> {
+  await page.goto(`${BASE}${path}`);
+}
+
+export type { Role };