feat(phase-35): Jira + Tempo integration with internal worklogs

Full Jira/Tempo pipeline: link Aegis entities to Jira issues, auto-sync
status hourly, log time internally with integrity hashing, and optionally
push worklogs to Tempo.

- 1.1 JiraLink model + Worklog model: Alembic migration b020 with indexes,
  enums (jiralinkentitytype, jirasyncdirection), and integrity_hash column
- 1.2 Jira service: atlassian-python-api wrapper with lazy singleton client,
  search/create/sync operations, feature-flagged via JIRA_ENABLED
- 1.3 Jira router: CRUD endpoints for /jira/links, /jira/search,
  /jira/create-issue with audit logging and entity-to-issue auto-creation
- 1.4 Tempo service: worklog push via tempo-api-python-client, auto-log from
  test completions when TEMPO_ENABLED, graceful fallback on failure
- 1.5 Worklog service + router: immutable internal time records with SHA-256
  integrity hash, CRUD at /worklogs, /worklogs/{id}/verify endpoint
- 1.6 Frontend: JiraLinkPanel component (search, link, sync, unlink) and
  WorklogTimeline component (timeline view, manual log form) integrated into
  TestDetailPage sidebar, CampaignDetailPage grid, TechniqueDetailPage
- 1.7 Jira sync job: APScheduler hourly job syncs all links from Jira,
  registered in background scheduler alongside existing jobs

backend/app/jobs/jira_sync_job.py

@@ -0,0 +1,37 @@
+"""Scheduled job — syncs all Jira links hourly."""
+
+import logging
+
+from app.config import settings
+from app.database import SessionLocal
+from app.models.jira_link import JiraLink
+from app.services import jira_service
+
+logger = logging.getLogger(__name__)
+
+
+def sync_all_jira_links() -> None:
+    """Pull latest status from Jira for every stored link.
+
+    Silently skips if ``JIRA_ENABLED`` is ``False``.  Individual link
+    failures are logged but do not abort the rest of the batch.
+    """
+    if not settings.JIRA_ENABLED:
+        return
+
+    db = SessionLocal()
+    try:
+        links = db.query(JiraLink).all()
+        synced = 0
+        for link in links:
+            try:
+                jira_service.sync_jira_to_aegis(db, link)
+                synced += 1
+            except Exception as e:
+                logger.warning("Jira sync failed for link %s: %s", link.id, e)
+        db.commit()
+        logger.info("Jira sync completed: %d/%d links updated", synced, len(links))
+    except Exception:
+        logger.exception("Jira sync batch job failed")
+    finally:
+        db.close()

backend/app/jobs/mitre_sync_job.py

@@ -20,6 +20,7 @@ from app.services.intel_service import scan_intel
 from app.services.notification_service import cleanup_old_notifications
 from app.services.snapshot_service import create_snapshot, cleanup_old_snapshots
 from app.services.campaign_scheduler_service import check_and_run_recurring_campaigns
+from app.jobs.jira_sync_job import sync_all_jira_links
 
 logger = logging.getLogger(__name__)
 
@@ -164,9 +165,17 @@ def start_scheduler() -> None:
         name="Recurring campaigns check (daily)",
         replace_existing=True,
     )
+    scheduler.add_job(
+        sync_all_jira_links,
+        trigger="interval",
+        hours=1,
+        id="jira_sync",
+        name="Jira link sync (hourly)",
+        replace_existing=True,
+    )
     scheduler.start()
     logger.info(
         "Background scheduler started — mitre_sync (24h), intel_scan (7d), "
         "notification_cleanup (24h), weekly_snapshot (Sundays 00:00), "
-        "recurring_campaigns (daily)"
+        "recurring_campaigns (daily), jira_sync (1h)"
     )