feat(backend): c2 crypto + config CRUD + adapter scaffolding (sprint 8 M1)

- Add Fernet crypto service (MIMIC_ENCRYPTION_KEY env, C2Disabled on absent key)
- Add Alembic migration 0006: c2_config + c2_task tables with cascade FKs
- Add C2Config and C2Task SQLAlchemy models
- Add C2Adapter ABC with dataclasses (C2Health, C2Callback, C2TaskStatus, C2TaskPage)
- Add FakeAdapter (deterministic in-memory, MIMIC_C2_ADAPTER=fake)
- Add MythicAdapter scaffold: test_connection() live, M2+ raise NotImplementedError
- Add decode_response_text() helper for base64/binary Mythic responses
- Add GET/PUT/DELETE/POST-test /api/engagements/<id>/c2-config endpoints
- RBAC: admin+redteam OK, SOC 403; 503 guard when encryption key absent
- Token never returned in API responses; stored Fernet-encrypted only
- 42 new tests (300 total, 258 baseline preserved green)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/services/c2/mythic.py

@@ -0,0 +1,79 @@
+# Contract pinned from MythicMeta/Mythic_Scripting master @ 2026-06-10 (raw.githubusercontent.com/MythicMeta/Mythic_Scripting/master/mythic/mythic.py)
+"""Mythic 3.x C2 adapter.
+
+M1 implements test_connection() only.
+All other methods raise NotImplementedError("M2") — they land in milestone M2/M3.
+
+Transport: POST https://<host>:7443/graphql
+Header: apitoken: <token>
+Backend: Hasura-proxied Postgres behind nginx.
+"""
+from __future__ import annotations
+
+import requests
+
+from backend.app.services.c2.adapter import (
+    C2Adapter,
+    C2Callback,
+    C2Health,
+    C2TaskPage,
+    C2TaskStatus,
+)
+
+_HEALTH_QUERY = '{ __typename }'
+
+
+class MythicAdapter(C2Adapter):
+    """Real Mythic 3.x adapter using GraphQL over HTTP."""
+
+    def __init__(self, url: str, api_token: str, verify_tls: bool = True) -> None:
+        self._url = url.rstrip("/") + "/graphql"
+        self._token = api_token
+        self._verify = verify_tls
+
+    def _headers(self) -> dict[str, str]:
+        return {
+            "Content-Type": "application/json",
+            "apitoken": self._token,
+        }
+
+    def test_connection(self) -> C2Health:
+        """POST a trivial introspection query to verify reachability and token validity."""
+        try:
+            resp = requests.post(
+                self._url,
+                json={"query": _HEALTH_QUERY},
+                headers=self._headers(),
+                verify=self._verify,
+                timeout=10,
+            )
+            if resp.status_code == 200:
+                return C2Health(ok=True)
+            return C2Health(ok=False, error=f"HTTP {resp.status_code}")
+        except requests.RequestException as exc:
+            return C2Health(ok=False, error=str(exc))
+
+    def list_callbacks(self) -> list[C2Callback]:
+        raise NotImplementedError("M2")
+
+    def create_task(
+        self,
+        callback_display_id: int,
+        command: str,
+        params: str | None = None,
+    ) -> int:
+        raise NotImplementedError("M2")
+
+    def get_task(self, task_display_id: int) -> C2TaskStatus:
+        raise NotImplementedError("M2")
+
+    def get_task_output(self, task_display_id: int) -> str:
+        raise NotImplementedError("M3")
+
+    def list_callback_tasks(
+        self,
+        callback_display_id: int,
+        page: int = 1,
+        page_size: int = 25,
+    ) -> C2TaskPage:
+        raise NotImplementedError("M4")