fix: resolve 20 security vulnerabilities from comprehensive audit

Critical (1-3):
- Replace hardcoded admin credentials with secure auto-generation (seed.py)
- Enforce SECRET_KEY configuration, fail in production if missing (config.py)
- Add Zip Slip and Zip Bomb protection to all ZIP import services

High/Medium (4-9):
- Add 50MB file size limit and extension whitelist to evidence uploads
- Configure CORS origins via environment variable instead of hardcoded
- Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend)
- Add rate limiting (5/min) on login endpoint via slowapi
- Replace generic dict payloads with Pydantic schemas (mass assignment)

Medium (10-17):
- Check is_active on login to prevent disabled users from authenticating
- Sanitize exception messages in API responses (system, data_sources)
- Escape LIKE wildcards in all ilike search filters across 8 routers
- Run Docker container as non-root user (appuser)
- Make MINIO_SECURE configurable via environment variable
- Add password complexity policy (12+ chars, upper/lower/digit/special)
- Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min
- Replace xml.etree with defusedxml to prevent Billion Laughs attacks

Low (18-20):
- Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.)
- Disable Swagger UI/ReDoc/OpenAPI in production
- Restrict /health endpoint to internal networks via Nginx ACL

Also: rewrite install.sh as interactive wizard for guided deployment,
fix test-from-template validation error (technique_id UUID vs MITRE ID)

backend/app/routers/data_sources.py

@@ -7,8 +7,10 @@ including sync triggers, enable/disable toggles, and statistics.
 
 import logging
 from datetime import datetime
+from typing import Optional
 
 from fastapi import APIRouter, Depends, HTTPException, status
+from pydantic import BaseModel
 from sqlalchemy.orm import Session
 
 from app.database import get_db
@@ -17,6 +19,17 @@ from app.models.user import User
 from app.models.data_source import DataSource
 from app.services.audit_service import log_action
 
+
+# ---------------------------------------------------------------------------
+# Pydantic schemas for request validation
+# ---------------------------------------------------------------------------
+
+class DataSourceUpdate(BaseModel):
+    """Payload for updating a data source — only allowed fields."""
+    is_enabled: Optional[bool] = None
+    sync_frequency: Optional[str] = None
+    config: Optional[dict] = None
+
 logger = logging.getLogger(__name__)
 
 router = APIRouter(prefix="/data-sources", tags=["data-sources"])
@@ -90,29 +103,26 @@ def list_data_sources(
 @router.patch("/{source_id}")
 def update_data_source(
     source_id: str,
-    body: dict,
+    body: DataSourceUpdate,
     db: Session = Depends(get_db),
     current_user: User = Depends(require_role("admin")),
 ):
     """Update a data source (enable/disable, change config).
 
     **Requires** the ``admin`` role.
-
-    Body fields (all optional):
-    - ``is_enabled`` (bool)
-    - ``sync_frequency`` (str)
-    - ``config`` (dict)
     """
     ds = db.query(DataSource).filter(DataSource.id == source_id).first()
     if not ds:
         raise HTTPException(status_code=404, detail="Data source not found")
 
-    if "is_enabled" in body:
-        ds.is_enabled = bool(body["is_enabled"])
-    if "sync_frequency" in body:
-        ds.sync_frequency = body["sync_frequency"]
-    if "config" in body:
-        ds.config = body["config"]
+    update_data = body.model_dump(exclude_unset=True)
+
+    if "is_enabled" in update_data:
+        ds.is_enabled = update_data["is_enabled"]
+    if "sync_frequency" in update_data:
+        ds.sync_frequency = update_data["sync_frequency"]
+    if "config" in update_data:
+        ds.config = update_data["config"]
 
     db.commit()
 
@@ -122,7 +132,7 @@ def update_data_source(
         action="update_data_source",
         entity_type="data_source",
         entity_id=str(ds.id),
-        details={"updates": body},
+        details={"updates": update_data},
     )
 
     return {"message": "Data source updated", "id": str(ds.id)}
@@ -156,14 +166,14 @@ def sync_data_source(
     try:
         summary = handler(db)
     except Exception as exc:
-        logger.error("Sync failed for %s: %s", ds.name, exc)
+        logger.error("Sync failed for %s: %s", ds.name, exc, exc_info=True)
         ds.last_sync_status = "error"
         ds.last_sync_at = datetime.utcnow()
         ds.last_sync_stats = {"error": str(exc)}
         db.commit()
         raise HTTPException(
             status_code=500,
-            detail=f"Sync failed: {str(exc)}",
+            detail=f"Sync failed for '{ds.display_name}'. Check server logs for details.",
         )
 
     # Update DS record (the handler may already have done this,
@@ -222,7 +232,7 @@ def sync_all_data_sources(
                 "stats": summary,
             })
         except Exception as exc:
-            logger.error("Sync failed for %s: %s", ds.name, exc)
+            logger.error("Sync failed for %s: %s", ds.name, exc, exc_info=True)
             ds.last_sync_status = "error"
             ds.last_sync_at = datetime.utcnow()
             ds.last_sync_stats = {"error": str(exc)}
@@ -230,7 +240,7 @@ def sync_all_data_sources(
             results.append({
                 "source": ds.name,
                 "status": "error",
-                "detail": str(exc),
+                "detail": "Sync failed. Check server logs for details.",
             })
 
     log_action(