fix: resolve 20 security vulnerabilities from comprehensive audit

Critical (1-3):
- Replace hardcoded admin credentials with secure auto-generation (seed.py)
- Enforce SECRET_KEY configuration, fail in production if missing (config.py)
- Add Zip Slip and Zip Bomb protection to all ZIP import services

High/Medium (4-9):
- Add 50MB file size limit and extension whitelist to evidence uploads
- Configure CORS origins via environment variable instead of hardcoded
- Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend)
- Add rate limiting (5/min) on login endpoint via slowapi
- Replace generic dict payloads with Pydantic schemas (mass assignment)

Medium (10-17):
- Check is_active on login to prevent disabled users from authenticating
- Sanitize exception messages in API responses (system, data_sources)
- Escape LIKE wildcards in all ilike search filters across 8 routers
- Run Docker container as non-root user (appuser)
- Make MINIO_SECURE configurable via environment variable
- Add password complexity policy (12+ chars, upper/lower/digit/special)
- Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min
- Replace xml.etree with defusedxml to prevent Billion Laughs attacks

Low (18-20):
- Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.)
- Disable Swagger UI/ReDoc/OpenAPI in production
- Restrict /health endpoint to internal networks via Nginx ACL

Also: rewrite install.sh as interactive wizard for guided deployment,
fix test-from-template validation error (technique_id UUID vs MITRE ID)

.env.example

@@ -1,24 +1,44 @@
 # =============================================================================
 # Aegis Environment Variables
 # =============================================================================
-# Copy this file to .env and fill in the values
+# Copy this file to .env and fill in the values BEFORE deploying.
+#
+# Generate secure random values with:
+#   openssl rand -hex 32        (for SECRET_KEY)
+#   openssl rand -base64 18     (for passwords)
 # =============================================================================
 
 # ── Database ─────────────────────────────────────────────────────────────────
 DB_USER=postgres
-DB_PASSWORD=change-me-in-production
+DB_PASSWORD=              # REQUIRED — set a strong password
 DB_NAME=attackdb
 
 # ── Security ─────────────────────────────────────────────────────────────────
-# IMPORTANT: Generate a strong random key for production
-# Example: openssl rand -hex 32
-SECRET_KEY=change-me-in-production-use-a-long-random-string
+# REQUIRED in production — the app will refuse to start without it.
+# Generate with:  openssl rand -hex 32
+SECRET_KEY=
+
 TOKEN_EXPIRE_MINUTES=60
 
+# ── Initial Admin Account ────────────────────────────────────────────────────
+# If ADMIN_PASSWORD is empty, a random password is auto-generated and
+# printed to the backend container logs on first startup.
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD=
+
 # ── MinIO Object Storage ─────────────────────────────────────────────────────
 MINIO_ACCESS_KEY=minioadmin
-MINIO_SECRET_KEY=change-me-in-production
+MINIO_SECRET_KEY=         # REQUIRED — set a strong password
 MINIO_BUCKET=evidence
+MINIO_SECURE=false        # Set to true if MinIO is behind TLS
+
+# ── CORS ──────────────────────────────────────────────────────────────────────
+# Comma-separated list of allowed frontend origins
+CORS_ORIGINS=https://your-domain.com
 
 # ── Frontend ─────────────────────────────────────────────────────────────────
 FRONTEND_PORT=80
+
+# ── Environment flag ─────────────────────────────────────────────────────────
+# Set to "production" for production deployments (enforces SECRET_KEY, etc.)
+AEGIS_ENV=production