test: stabilize Phase 0 API and workflow tests [FASE-0.4]

Assert INVALID_TRANSITION JSON code on duplicate start, remove sys.modules stubs from T-106 tests, and complete boto3 stubs in integration tests.

backend/tests/test_tests.py

@@ -75,3 +75,45 @@ def test_get_test_by_id(client, auth_headers, technique):
     response = client.get(f"/api/v1/tests/{test_id}", headers=auth_headers)
     assert response.status_code == 200
     assert response.json()["id"] == test_id
+
+
+def test_start_execution_twice_returns_invalid_transition(
+    client, auth_headers, technique, red_tech_user
+):
+    """Invalid workflow transition surfaces domain error JSON (FASE 0.4).
+
+    HttpOnly login cookies take precedence over the Authorization header.
+    Clear cookies before each phase so Bearer tokens match the intended user.
+    """
+    client.cookies.clear()
+    create_response = client.post(
+        "/api/v1/tests",
+        json={"technique_id": technique["id"], "name": "Workflow dup start"},
+        headers=auth_headers,
+    )
+    assert create_response.status_code == 201
+    test_id = create_response.json()["id"]
+
+    rl = client.post(
+        "/api/v1/auth/login",
+        data={"username": "redtech", "password": "redtech123"},
+    )
+    assert rl.status_code == 200
+    red_headers = {"Authorization": f"Bearer {rl.json()['access_token']}"}
+    client.cookies.clear()
+
+    first = client.post(
+        f"/api/v1/tests/{test_id}/start-execution",
+        headers=red_headers,
+    )
+    assert first.status_code == 200
+
+    client.cookies.clear()
+    second = client.post(
+        f"/api/v1/tests/{test_id}/start-execution",
+        headers=red_headers,
+    )
+    assert second.status_code == 400
+    body = second.json()
+    assert body.get("code") == "INVALID_TRANSITION"
+    assert "detail" in body