feat(phase-9): implement MVP polishing and closure

T-032: User management admin panel - backend users router with CRUD, frontend UsersPage with modals

T-033: Audit log viewer - backend audit router with filters/pagination, frontend AuditLogPage

T-034: Global error handling - ErrorBoundary, LoadingSpinner, ErrorMessage, Toast components

T-035: Backend tests - pytest setup with SQLite, tests for health/auth/techniques/tests

T-036: Documentation - Updated README with testing section, created docs/API.md

backend/tests/test_tests.py

@@ -0,0 +1,165 @@
+"""Tests for security test endpoints."""
+
+import pytest
+
+
+@pytest.fixture
+def technique(client, auth_headers):
+    """Create a technique for test association."""
+    response = client.post(
+        "/api/v1/techniques",
+        json={"mitre_id": "T1059", "name": "Test Technique"},
+        headers=auth_headers,
+    )
+    return response.json()
+
+
+def test_create_test_requires_auth(client, technique):
+    """Test that creating a test requires authentication."""
+    response = client.post(
+        "/api/v1/tests",
+        json={
+            "technique_id": technique["id"],
+            "name": "Test Name",
+        },
+    )
+    assert response.status_code == 401
+
+
+def test_create_test_success(client, red_tech_headers, technique):
+    """Test successful test creation."""
+    response = client.post(
+        "/api/v1/tests",
+        json={
+            "technique_id": technique["id"],
+            "name": "My Security Test",
+            "description": "Test description",
+            "platform": "windows",
+        },
+        headers=red_tech_headers,
+    )
+    assert response.status_code == 201
+    data = response.json()
+    assert data["name"] == "My Security Test"
+    assert data["state"] == "draft"
+    assert data["technique_id"] == technique["id"]
+
+
+def test_create_test_nonexistent_technique(client, red_tech_headers):
+    """Test creating a test with non-existent technique fails."""
+    response = client.post(
+        "/api/v1/tests",
+        json={
+            "technique_id": "00000000-0000-0000-0000-000000000000",
+            "name": "Test",
+        },
+        headers=red_tech_headers,
+    )
+    assert response.status_code == 404
+
+
+def test_get_test_by_id(client, red_tech_headers, technique):
+    """Test getting a test by ID."""
+    # Create a test
+    create_response = client.post(
+        "/api/v1/tests",
+        json={"technique_id": technique["id"], "name": "Test"},
+        headers=red_tech_headers,
+    )
+    test_id = create_response.json()["id"]
+    
+    # Get it
+    response = client.get(f"/api/v1/tests/{test_id}", headers=red_tech_headers)
+    assert response.status_code == 200
+    assert response.json()["id"] == test_id
+
+
+def test_validate_test(client, auth_headers, red_tech_headers, technique):
+    """Test validating a test updates status correctly."""
+    # Create a test
+    create_response = client.post(
+        "/api/v1/tests",
+        json={"technique_id": technique["id"], "name": "Test"},
+        headers=red_tech_headers,
+    )
+    test_id = create_response.json()["id"]
+    
+    # Validate it (requires lead/admin)
+    response = client.post(
+        f"/api/v1/tests/{test_id}/validate",
+        json={"result": "detected"},
+        headers=auth_headers,
+    )
+    assert response.status_code == 200
+    data = response.json()
+    assert data["state"] == "validated"
+    assert data["result"] == "detected"
+    assert data["validated_by"] is not None
+
+
+def test_validate_test_updates_technique_status(client, auth_headers, red_tech_headers, technique):
+    """Test that validating a test recalculates technique status."""
+    # Create and validate a test
+    create_response = client.post(
+        "/api/v1/tests",
+        json={"technique_id": technique["id"], "name": "Test"},
+        headers=red_tech_headers,
+    )
+    test_id = create_response.json()["id"]
+    
+    client.post(
+        f"/api/v1/tests/{test_id}/validate",
+        json={"result": "detected"},
+        headers=auth_headers,
+    )
+    
+    # Check technique status was updated
+    response = client.get(
+        f"/api/v1/techniques/{technique['mitre_id']}",
+        headers=auth_headers,
+    )
+    assert response.json()["status_global"] == "validated"
+
+
+def test_reject_test(client, auth_headers, red_tech_headers, technique):
+    """Test rejecting a test."""
+    # Create a test
+    create_response = client.post(
+        "/api/v1/tests",
+        json={"technique_id": technique["id"], "name": "Test"},
+        headers=red_tech_headers,
+    )
+    test_id = create_response.json()["id"]
+    
+    # Reject it
+    response = client.post(
+        f"/api/v1/tests/{test_id}/reject",
+        headers=auth_headers,
+    )
+    assert response.status_code == 200
+    assert response.json()["state"] == "rejected"
+
+
+def test_update_test_only_in_draft(client, auth_headers, red_tech_headers, technique):
+    """Test that tests can only be updated when in draft/rejected state."""
+    # Create and validate a test
+    create_response = client.post(
+        "/api/v1/tests",
+        json={"technique_id": technique["id"], "name": "Test"},
+        headers=red_tech_headers,
+    )
+    test_id = create_response.json()["id"]
+    
+    client.post(
+        f"/api/v1/tests/{test_id}/validate",
+        json={"result": "detected"},
+        headers=auth_headers,
+    )
+    
+    # Try to update validated test
+    response = client.patch(
+        f"/api/v1/tests/{test_id}",
+        json={"name": "New Name"},
+        headers=red_tech_headers,
+    )
+    assert response.status_code == 400