fix(backend): sprint 5 post-review — name fallback, isinstance guards, 400 tests

- create_simulation: name falls back to template.name when template_id provided
  and name is absent/empty (AC-27.1)
- templates POST/PATCH: isinstance(list) check on technique_ids/tactic_ids
  before resolving, returns 400 with clear message
- 5 new tests: unknown technique_id → 400 (POST+PATCH), unknown tactic_id → 400
  (POST+PATCH), name fallback to template.name
- mypy: merged template branch into if/else to eliminate union-attr false positives

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/api/simulations.py

@@ -43,17 +43,7 @@ def create_simulation(eid: int):
 
     data = request.get_json(silent=True) or {}
     name = (data.get("name") or "").strip()
-    if not name:
-        return jsonify({"error": "name is required"}), 400
-
     template_id = data.get("template_id")
-    sim = Simulation(
-        engagement_id=eid,
-        name=name,
-        status=SimulationStatus.PENDING,
-        created_at=datetime.now(UTC),
-        created_by_id=g.current_user.id,
-    )
 
     if template_id is not None:
         from backend.app.models.simulation_template import SimulationTemplate
@@ -61,11 +51,30 @@ def create_simulation(eid: int):
         tmpl = db.session.get(SimulationTemplate, template_id)
         if tmpl is None:
             return jsonify({"error": "Template not found"}), 404
+        if not name:
+            name = tmpl.name
+        sim = Simulation(
+            engagement_id=eid,
+            name=name,
+            status=SimulationStatus.PENDING,
+            created_at=datetime.now(UTC),
+            created_by_id=g.current_user.id,
+        )
         sim.description = tmpl.description
         sim.commands = tmpl.commands
         sim.prerequisites = tmpl.prerequisites
         sim.techniques = list(tmpl.techniques or [])
         sim.tactic_ids = list(tmpl.tactic_ids or [])
+    else:
+        if not name:
+            return jsonify({"error": "name is required"}), 400
+        sim = Simulation(
+            engagement_id=eid,
+            name=name,
+            status=SimulationStatus.PENDING,
+            created_at=datetime.now(UTC),
+            created_by_id=g.current_user.id,
+        )
 
     db.session.add(sim)
     db.session.commit()

backend/app/api/templates.py

@@ -40,6 +40,8 @@ def create_template():
     tactic_ids_val: list[str] = []
 
     if "technique_ids" in data:
+        if not isinstance(data["technique_ids"], list):
+            return jsonify({"error": "technique_ids must be a list"}), 400
         if not mitre_svc.mitre_loaded:
             return jsonify({"error": "mitre bundle not loaded"}), 503
         resolved, err = _resolve_technique_ids(data["technique_ids"])
@@ -48,6 +50,8 @@ def create_template():
         techniques = resolved or []
 
     if "tactic_ids" in data:
+        if not isinstance(data["tactic_ids"], list):
+            return jsonify({"error": "tactic_ids must be a list"}), 400
         resolved_ta, err = _resolve_tactic_ids(data["tactic_ids"])
         if err is not None:
             return err
@@ -108,6 +112,8 @@ def update_template(tid: int):
             setattr(tmpl, field, data[field])
 
     if "technique_ids" in data:
+        if not isinstance(data["technique_ids"], list):
+            return jsonify({"error": "technique_ids must be a list"}), 400
         if not mitre_svc.mitre_loaded:
             return jsonify({"error": "mitre bundle not loaded"}), 503
         resolved, err = _resolve_technique_ids(data["technique_ids"])
@@ -116,6 +122,8 @@ def update_template(tid: int):
         tmpl.techniques = resolved
 
     if "tactic_ids" in data:
+        if not isinstance(data["tactic_ids"], list):
+            return jsonify({"error": "tactic_ids must be a list"}), 400
         resolved_ta, err = _resolve_tactic_ids(data["tactic_ids"])
         if err is not None:
             return err