refactor(types): add comprehensive type annotations across backend Python codebase

Enable ANN rules in ruff.toml (flake8-annotations) and resolve all 221 violations:

ANN201/ANN202 — return types on 168 public/private functions:
- All 28 FastAPI routers: endpoints annotated with dict/list/specific schema/
  StreamingResponse/FileResponse/JSONResponse as appropriate
- main.py: lifespan→AsyncGenerator[None,None], exception handlers→JSONResponse
- database.py: get_db→Generator[Session,None,None], proxy methods→correct types
- middleware/request_context.py: dispatch→Response with Callable call_next type

ANN001/ANN002/ANN003 — 32 missing argument types:
- seed_demo.py: all db parameters typed as Session
- domain/unit_of_work.py: __aexit__ exc_type/exc_val/exc_tb typed with TracebackType
- services: audit_service user_id→UUID|None, heatmap_service query/model/builder,
  notification_service test→Test, tempo_service test→Test/user→User,
  test_workflow_service test_id→UUID, campaign_crud **fields→object,
  test_crud **fields→object (4 sites)

ANN401 — 16 Any usages resolved:
- Domain entities (campaign/technique/threat_actor/test_entity): replaced Any with
  actual ORM types via TYPE_CHECKING guards to avoid circular imports
- detection_rule_service: test_id/detection_rule_id/evaluator_id→UUID
- score_cache: kept Any with # noqa: ANN401 (genuinely generic cache)
- jira_service/tempo_service: kept Any with # noqa: ANN401 (lazy optional deps)
- d3fend_import_service: _to_str(v: Any) kept with # noqa: ANN401

ANN204/ANN205/ANN206 — special/static/class methods:
- database.py proxy __call__/__getattr__: *args: object/**kwargs: object
- schemas/test.py model_validate: obj→object, **kwargs→object
- sa_technique_repository._int_type→type

All 439 unit tests pass. ruff check app/ → All checks passed!

backend/app/services/audit_service.py

@@ -4,6 +4,7 @@ from __future__ import annotations
 
 import hashlib
 from datetime import datetime, timezone
+from uuid import UUID
 
 from sqlalchemy.orm import Session
 
@@ -35,7 +36,7 @@ def verify_audit_integrity(entry: AuditLog) -> bool:
 
 def log_action(
     db: Session,
-    user_id,
+    user_id: UUID | None,
     action: str,
     entity_type: str | None = None,
     entity_id: str | None = None,

backend/app/services/campaign_crud_service.py

@@ -192,7 +192,7 @@ def update_campaign(
     *,
     updater_id: uuid.UUID,
     updater_role: str,
-    **fields,
+    **fields: object,
 ) -> dict:
     """Update a campaign. Only allowed in draft or active state.
 

backend/app/services/d3fend_import_service.py

@@ -8,6 +8,7 @@ Uses the D3FEND public API:
 
 import logging
 from typing import Any
+from uuid import UUID
 
 import httpx
 from sqlalchemy.orm import Session
@@ -26,7 +27,7 @@ D3FEND_TACTICS = ["Detect", "Harden", "Isolate", "Deceive", "Evict", "Model"]
 # ── Import all D3FEND techniques ─────────────────────────────────────
 
 
-def _to_str(v: Any) -> str:
+def _to_str(v: Any) -> str:  # noqa: ANN401
     """Coerce an RDF value (str, dict with @value, or list) to a plain string."""
     if isinstance(v, dict):
         return v.get("@value", str(v))
@@ -432,7 +433,7 @@ def sync(db: Session) -> dict:
     return summary
 
 
-def get_defenses_for_technique(db: Session, technique_id) -> list[dict]:
+def get_defenses_for_technique(db: Session, technique_id: UUID) -> list[dict]:
     """Get all D3FEND defensive techniques mapped to a given ATT&CK technique."""
     mappings = (
         db.query(DefensiveTechniqueMapping)

backend/app/services/detection_rule_service.py

@@ -10,6 +10,7 @@ from __future__ import annotations
 
 from datetime import datetime
 from typing import Any
+from uuid import UUID
 
 from sqlalchemy.orm import Session
 
@@ -258,11 +259,11 @@ def get_rules_for_test(db: Session, test_id: str) -> dict[str, Any]:
 def evaluate_rule(
     db: Session,
     *,
-    test_id: Any,
-    detection_rule_id: Any,
+    test_id: UUID,
+    detection_rule_id: UUID,
     triggered: bool | None,
     notes: str | None,
-    evaluator_id: Any,
+    evaluator_id: UUID,
 ) -> dict[str, Any]:
     """Save or update the evaluation result for a detection rule on a test.
 

backend/app/services/heatmap_service.py

@@ -10,9 +10,10 @@ no ``db.commit()``.
 from __future__ import annotations
 
 import json
+from collections.abc import Callable
 
 from sqlalchemy import func, or_
-from sqlalchemy.orm import Session
+from sqlalchemy.orm import Query, Session
 
 from app.domain.errors import BusinessRuleViolation, EntityNotFoundError
 from app.models.campaign import Campaign, CampaignTest
@@ -92,11 +93,11 @@ def _build_layer_skeleton(
 
 
 def _apply_filters(
-    query,
-    model,
+    query: Query,  # type: ignore[type-arg]
+    model: type,
     platforms: list[str] | None = None,
     tactics: list[str] | None = None,
-):
+) -> Query:  # type: ignore[type-arg]
     """Apply common platform and tactic filters to a technique query."""
     if platforms:
         platform_filters = [
@@ -470,7 +471,7 @@ class _LayerRegistry:
         self._simple: dict[str, object] = {}
         self._with_id: dict[str, object] = {}
 
-    def register(self, name: str, builder, *, requires_id: bool = False) -> None:
+    def register(self, name: str, builder: Callable[..., dict], *, requires_id: bool = False) -> None:
         target = self._with_id if requires_id else self._simple
         target[name] = builder
 
@@ -513,7 +514,7 @@ LAYER_REGISTRY.register("campaign", build_campaign_layer, requires_id=True)
 SUPPORTED_LAYER_TYPES = LAYER_REGISTRY.supported_types  # snapshot of built-in types
 
 
-def register_layer(name: str, builder, *, requires_id: bool = False) -> None:
+def register_layer(name: str, builder: Callable[..., dict], *, requires_id: bool = False) -> None:
     """Public API to register a new heatmap layer type at import time."""
     LAYER_REGISTRY.register(name, builder, requires_id=requires_id)
 

backend/app/services/jira_service.py

@@ -2,7 +2,7 @@
 
 import logging
 from datetime import datetime
-from typing import Optional
+from typing import Any, Optional
 from uuid import UUID
 
 from sqlalchemy.orm import Session
@@ -20,7 +20,7 @@ logger = logging.getLogger(__name__)
 _jira_client = None
 
 
-def get_jira_client():
+def get_jira_client() -> Any:  # noqa: ANN401  # atlassian.Jira imported lazily from optional dep
     """Return a lazily-initialised Jira client, or raise if disabled."""
     global _jira_client
     if not settings.JIRA_ENABLED:

backend/app/services/notification_service.py

@@ -15,6 +15,7 @@ from sqlalchemy.orm import Session
 
 from app.domain.errors import EntityNotFoundError
 from app.models.notification import Notification
+from app.models.test import Test
 from app.models.user import User
 
 # ---------------------------------------------------------------------------
@@ -157,7 +158,7 @@ def cleanup_old_notifications(db: Session, days: int = 90) -> int:
 # ---------------------------------------------------------------------------
 
 
-def notify_test_state_change(db: Session, test, new_state: str) -> None:
+def notify_test_state_change(db: Session, test: Test, new_state: str) -> None:
     """Dispatch notifications based on a test's new state.
 
     Called by the workflow service after each state transition.

backend/app/services/score_cache.py

@@ -10,12 +10,14 @@ stale data does not persist longer than ``CACHE_TTL`` seconds.
 import time
 from typing import Any, Optional
 
+from sqlalchemy.orm import Session
+
 CACHE_TTL = 300  # 5 minutes
 
 _cache: dict[str, dict[str, Any]] = {}
 
 
-def get(key: str) -> Optional[Any]:
+def get(key: str) -> Optional[Any]:  # noqa: ANN401  # generic cache returns whatever was stored
     """Return cached value if present and not expired, else None."""
     entry = _cache.get(key)
     if entry is None:
@@ -26,7 +28,7 @@ def get(key: str) -> Optional[Any]:
     return entry["data"]
 
 
-def put(key: str, data: Any) -> None:
+def put(key: str, data: Any) -> None:  # noqa: ANN401  # generic cache accepts any serialisable value
     """Store *data* under *key* with the current timestamp."""
     _cache[key] = {"data": data, "ts": time.time()}
 
@@ -42,7 +44,7 @@ def invalidate(key: Optional[str] = None) -> None:
 # ── High-level helpers ────────────────────────────────────────────────
 
 
-def get_organization_score_cached(db):
+def get_organization_score_cached(db: Session) -> dict:
     """Cached wrapper around ``calculate_organization_score``."""
     from app.services.scoring_service import calculate_organization_score
 
@@ -55,7 +57,7 @@ def get_organization_score_cached(db):
     return result
 
 
-def get_operational_metrics_cached(db):
+def get_operational_metrics_cached(db: Session) -> dict:
     """Cached wrapper around operational metrics (MTTD, MTTR, efficacy)."""
     from app.services.operational_metrics_service import (
         calculate_alert_fidelity,

backend/app/services/tempo_service.py

@@ -1,18 +1,20 @@
 """Tempo time-tracking integration service."""
 
 import logging
-from typing import Optional
+from typing import Any, Optional
 
 from sqlalchemy.orm import Session
 
 from app.config import settings
 from app.domain.exceptions import InvalidOperationError
 from app.models.jira_link import JiraLink, JiraLinkEntityType
+from app.models.test import Test
+from app.models.user import User
 
 logger = logging.getLogger(__name__)
 
 
-def get_tempo_client():
+def get_tempo_client() -> Any:  # noqa: ANN401  # tempoapiclient.Tempo imported lazily from optional dep
     """Return a Tempo API client, or raise if disabled."""
     if not settings.TEMPO_ENABLED:
         raise InvalidOperationError("Tempo integration is not enabled")
@@ -52,8 +54,8 @@ def log_worklog(
 
 def auto_log_test_worklog(
     db: Session,
-    test,
-    user,
+    test: Test,
+    user: User,
     activity_type: str,
 ) -> Optional[dict]:
     """If the test has a Jira link, log time to Tempo automatically.
@@ -97,7 +99,7 @@ def auto_log_test_worklog(
         return None
 
 
-def _calculate_duration(test, activity_type: str) -> int:
+def _calculate_duration(test: Test, activity_type: str) -> int:
     """Calculate real duration in seconds from the phase timing fields.
 
     Uses the actual start/end timestamps recorded by the workflow buttons,

backend/app/services/test_crud_service.py

@@ -63,7 +63,7 @@ def create_test(
     *,
     technique_id: uuid.UUID,
     creator_id: uuid.UUID,
-    **fields: Any,
+    **fields: object,
 ) -> Test:
     """Create a new test linked to an existing technique.
 
@@ -176,7 +176,7 @@ def update_test(
     *,
     updater_id: uuid.UUID,
     updater_role: str,
-    **fields: Any,
+    **fields: object,
 ) -> Test:
     """Update general test fields (draft or rejected only).
 
@@ -204,7 +204,7 @@ def update_test(
     return test
 
 
-def update_test_red(db: Session, test_id: uuid.UUID, **fields: Any) -> Test:
+def update_test_red(db: Session, test_id: uuid.UUID, **fields: object) -> Test:
     """Update Red Team fields (draft or red_executing only).
 
     Raises BusinessRuleViolation if state not in (draft, red_executing).
@@ -226,7 +226,7 @@ def update_test_red(db: Session, test_id: uuid.UUID, **fields: Any) -> Test:
     return test
 
 
-def update_test_blue(db: Session, test_id: uuid.UUID, **fields: Any) -> Test:
+def update_test_blue(db: Session, test_id: uuid.UUID, **fields: object) -> Test:
     """Update Blue Team fields (blue_evaluating only).
 
     Raises BusinessRuleViolation if state is not blue_evaluating.

backend/app/services/test_workflow_service.py

@@ -13,6 +13,7 @@ session via the Unit of Work pattern.
 """
 
 import logging
+import uuid
 from datetime import datetime
 
 from sqlalchemy.orm import Session
@@ -530,7 +531,7 @@ def handle_remediation_completed(db: Session, test: Test, user: User) -> Test |
     return retest
 
 
-def get_retest_chain(db: Session, test_id) -> list[Test]:
+def get_retest_chain(db: Session, test_id: uuid.UUID) -> list[Test]:
     """Return the full chain of retests for a given test.
 
     Includes the original test and all subsequent retests, ordered