feat(backend): c2 callbacks + execute endpoints (sprint 8 M2)

- Add C2Error exception to adapter ABC
- Add promote_to_in_progress() helper to simulation_workflow (pending→in_progress)
- Flesh out MythicAdapter: list_callbacks() (GraphQL query) + create_task() (mutation)
- Expand FakeAdapter to 3 deterministic callbacks; switch task store to per-instance
- Add GET /api/engagements/<id>/c2/callbacks — lists active callbacks via adapter
- Add POST /api/simulations/<id>/c2/execute — issues tasks, stores C2Task rows,
  auto-transitions pending→in_progress, blocks on done (409)
- Both endpoints: SOC=403, 503 no-key, 502 adapter error, sanitized error messages
- Add requests-mock==1.12.1 to requirements.txt
- 42 new tests (342 total, 300 M1 baseline preserved green)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/api/c2.py

@@ -1,13 +1,15 @@
-"""C2 config endpoints for engagements.
+"""C2 endpoints — config CRUD and execution.
 
-All four endpoints:
+All endpoints:
 - Require admin or redteam role (SOC → 403).
 - Return 503 when MIMIC_ENCRYPTION_KEY is not set.
 - Never include the cleartext API token in any response.
+- Adapter errors → 502 with sanitized message (no URL or token in body).
 """
 from __future__ import annotations
 
 from datetime import UTC, datetime
+from urllib.parse import urlparse
 
 from flask import Blueprint, jsonify, request
 
@@ -15,10 +17,15 @@ from backend.app.auth import role_required
 from backend.app.extensions import db
 from backend.app.models import Engagement
 from backend.app.models.c2_config import C2Config
+from backend.app.models.c2_task import C2Task, C2TaskSource
+from backend.app.models.simulation import Simulation, SimulationStatus
+from backend.app.services.c2.adapter import C2Error
 from backend.app.services.c2.factory import get_adapter
 from backend.app.services.crypto import C2Disabled, decrypt, encrypt
+from backend.app.services.simulation_workflow import promote_to_in_progress
 
 c2_bp = Blueprint("c2", __name__, url_prefix="/api/engagements")
+sims_c2_bp = Blueprint("sims_c2", __name__, url_prefix="/api/simulations")
 
 _503_BODY = {"error": "C2 disabled: MIMIC_ENCRYPTION_KEY not set"}
 
@@ -70,6 +77,11 @@ def upsert_c2_config(eid: int):
     url = (data.get("url") or "").strip()
     if not url:
         return jsonify({"error": "url is required"}), 400
+    parsed = urlparse(url)
+    if parsed.scheme != "https":
+        return jsonify({"error": "url must use https"}), 400
+    if not parsed.hostname:
+        return jsonify({"error": "url must contain a hostname"}), 400
 
     verify_tls = data.get("verify_tls", True)
     if not isinstance(verify_tls, bool):
@@ -154,3 +166,134 @@ def test_c2_config(eid: int):
     )
     health = adapter.test_connection()
     return jsonify({"ok": health.ok, "error": health.error}), 200
+
+
+# ---------------------------------------------------------------------------
+# M2 — callbacks listing + execute
+# ---------------------------------------------------------------------------
+
+
+def _load_adapter_for_engagement(engagement: Engagement):
+    """Decrypt token and return adapter, or return a (response, status) error tuple."""
+    cfg: C2Config | None = engagement.c2_config
+    if cfg is None:
+        return None, (jsonify({"error": "C2 config not found"}), 404)
+    try:
+        api_token = decrypt(cfg.api_token_encrypted)
+    except ValueError:
+        return None, (jsonify({"error": "Stored token is corrupt"}), 500)
+    adapter = get_adapter(url=cfg.url, api_token=api_token, verify_tls=cfg.verify_tls)
+    return adapter, None
+
+
+@c2_bp.get("/<int:eid>/c2/callbacks")
+@role_required("admin", "redteam")
+def list_callbacks(eid: int):
+    guard = _crypto_guard()
+    if guard is not None:
+        return guard
+
+    engagement = db.session.get(Engagement, eid)
+    if engagement is None:
+        return jsonify({"error": "Engagement not found"}), 404
+
+    adapter, err = _load_adapter_for_engagement(engagement)
+    if err is not None:
+        return err
+
+    try:
+        callbacks = adapter.list_callbacks()
+    except C2Error as exc:
+        return jsonify({"error": str(exc)}), 502
+
+    return jsonify({
+        "callbacks": [
+            {
+                "display_id": cb.display_id,
+                "active": cb.active,
+                "host": cb.host,
+                "user": cb.user,
+                "domain": cb.domain,
+                "last_checkin": cb.last_checkin,
+            }
+            for cb in callbacks
+        ]
+    }), 200
+
+
+@sims_c2_bp.post("/<int:sid>/c2/execute")
+@role_required("admin", "redteam")
+def execute_simulation(sid: int):
+    guard = _crypto_guard()
+    if guard is not None:
+        return guard
+
+    sim = db.session.get(Simulation, sid)
+    if sim is None:
+        return jsonify({"error": "Simulation not found"}), 404
+
+    # Done is terminal — block execution.
+    if sim.status == SimulationStatus.DONE:
+        return jsonify({"error": "simulation is done — reopen first"}), 409
+
+    data = request.get_json(silent=True) or {}
+    callback_display_id = data.get("callback_display_id")
+    commands = data.get("commands")
+
+    if not isinstance(callback_display_id, int):
+        return jsonify({"error": "callback_display_id must be an integer"}), 400
+    if not isinstance(commands, list) or len(commands) == 0:
+        return jsonify({"error": "commands must be a non-empty list"}), 400
+    for cmd in commands:
+        if not isinstance(cmd, str):
+            return jsonify({"error": "each command must be a string"}), 400
+
+    engagement = db.session.get(Engagement, sim.engagement_id)
+    if engagement is None:
+        return jsonify({"error": "Engagement not found"}), 404
+
+    adapter, err = _load_adapter_for_engagement(engagement)
+    if err is not None:
+        return err
+
+    created_tasks = []
+    try:
+        for command in commands:
+            mythic_id = adapter.create_task(
+                callback_display_id=callback_display_id,
+                command=command,
+            )
+            task = C2Task(
+                simulation_id=sid,
+                mythic_task_display_id=mythic_id,
+                callback_display_id=callback_display_id,
+                command=command,
+                params=None,
+                status="submitted",
+                completed=False,
+                source=C2TaskSource.MIMIC,
+                created_at=datetime.now(UTC),
+            )
+            db.session.add(task)
+            created_tasks.append(task)
+    except C2Error as exc:
+        db.session.rollback()
+        return jsonify({"error": str(exc)}), 502
+
+    # Auto-transition pending → in_progress (no-op for other statuses).
+    promote_to_in_progress(sim)
+
+    db.session.commit()
+
+    return jsonify({
+        "tasks": [
+            {
+                "id": t.id,
+                "mythic_task_display_id": t.mythic_task_display_id,
+                "command": t.command,
+                "status": t.status,
+                "completed": t.completed,
+            }
+            for t in created_tasks
+        ]
+    }), 200