fix: resolve 20 security vulnerabilities from comprehensive audit

Critical (1-3):
- Replace hardcoded admin credentials with secure auto-generation (seed.py)
- Enforce SECRET_KEY configuration, fail in production if missing (config.py)
- Add Zip Slip and Zip Bomb protection to all ZIP import services

High/Medium (4-9):
- Add 50MB file size limit and extension whitelist to evidence uploads
- Configure CORS origins via environment variable instead of hardcoded
- Migrate JWT storage from localStorage to HttpOnly cookies (frontend+backend)
- Add rate limiting (5/min) on login endpoint via slowapi
- Replace generic dict payloads with Pydantic schemas (mass assignment)

Medium (10-17):
- Check is_active on login to prevent disabled users from authenticating
- Sanitize exception messages in API responses (system, data_sources)
- Escape LIKE wildcards in all ilike search filters across 8 routers
- Run Docker container as non-root user (appuser)
- Make MINIO_SECURE configurable via environment variable
- Add password complexity policy (12+ chars, upper/lower/digit/special)
- Implement JWT token revocation via in-memory blacklist + reduce TTL to 15min
- Replace xml.etree with defusedxml to prevent Billion Laughs attacks

Low (18-20):
- Add security headers to Nginx (CSP, X-Frame-Options, HSTS-ready, etc.)
- Disable Swagger UI/ReDoc/OpenAPI in production
- Restrict /health endpoint to internal networks via Nginx ACL

Also: rewrite install.sh as interactive wizard for guided deployment,
fix test-from-template validation error (technique_id UUID vs MITRE ID)

backend/app/services/sigma_import_service.py

@@ -81,10 +81,50 @@ def _download_zip(url: str = SIGMA_ZIP_URL) -> bytes:
     return content
 
 
+def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
+    """Extract *zip_bytes* into *dest* with Zip Slip and Zip Bomb protection.
+
+    Raises :class:`ValueError` if any member tries to escape the target
+    directory (path traversal / Zip Slip) or if the archive exceeds the
+    safety limits.
+    """
+    # Maximum uncompressed size: 500 MB — prevents zip-bomb DoS
+    _MAX_UNCOMPRESSED_SIZE = 500 * 1024 * 1024
+    # Maximum number of entries
+    _MAX_ENTRIES = 50_000
+
+    dest_path = Path(dest).resolve()
+
+    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
+        entries = zf.infolist()
+
+        if len(entries) > _MAX_ENTRIES:
+            raise ValueError(
+                f"ZIP archive contains {len(entries)} entries "
+                f"(limit: {_MAX_ENTRIES}) — possible zip bomb"
+            )
+
+        total_size = sum(info.file_size for info in entries)
+        if total_size > _MAX_UNCOMPRESSED_SIZE:
+            raise ValueError(
+                f"ZIP uncompressed size {total_size / (1024 * 1024):.0f} MB "
+                f"exceeds limit of {_MAX_UNCOMPRESSED_SIZE / (1024 * 1024):.0f} MB"
+            )
+
+        for member in entries:
+            target = (dest_path / member.filename).resolve()
+            if not target.is_relative_to(dest_path):
+                raise ValueError(
+                    f"Zip Slip detected — member '{member.filename}' "
+                    f"resolves outside target directory"
+                )
+
+        zf.extractall(dest)
+
+
 def _extract_zip(zip_bytes: bytes, dest: str) -> Path:
     """Extract *zip_bytes* into *dest* and return the path to rules/ dir."""
-    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
-        zf.extractall(dest)
+    _safe_extract_zip(zip_bytes, dest)
     rules_dir = Path(dest) / _ZIP_ROOT_PREFIX / "rules"
     if not rules_dir.is_dir():
         raise FileNotFoundError(