refactor(pep8): enforce full PEP8 compliance across backend Python codebase

- ruff.toml: select E/W/F/I/N rules, line-length=120, drop legacy ignores
- Auto-fix: sort 82 import blocks (isort), remove 29 unused imports,
  strip 6 trailing-whitespace blank lines in docstrings
- main.py: move setup_logging and settings imports to top (E402)
- errors.py: noqa N818 on DDD exception names (96 call sites, safe)
- intel_service.py: noqa N817 for universal ET alias
- atomic/elastic/sigma import services: move _MAX_UNCOMPRESSED_SIZE and
  _MAX_ENTRIES to module level (N806)
- compliance_import_service.py: move SAMPLE_CONTROLS / CIS_CONTROLS to
  module level; wrap long description strings (N806 + E501)
- snapshot_service.py: move STATUS_ORDER dict to module level (N806)
- sigma_import_service.py: remove dead dedup_key expression (F841)
- threat_actor_import_service.py: remove dead stix_to_actor expression (F841)
- data_source.py, seed_demo.py, campaign_scheduler_service.py,
  lolbas_import_service.py: wrap lines exceeding 120 chars (E501)
- d3fend_import_service.py: per-file E501 ignore (data file with long strings)

All 439 unit tests pass. ruff check app/ → All checks passed!

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/services/sigma_import_service.py

@@ -35,8 +35,8 @@ import requests as _requests
 import yaml
 from sqlalchemy.orm import Session
 
-from app.models.detection_rule import DetectionRule
 from app.models.data_source import DataSource
+from app.models.detection_rule import DetectionRule
 from app.services.audit_service import log_action
 
 logger = logging.getLogger(__name__)
@@ -52,6 +52,10 @@ SIGMA_ZIP_URL = (
 _DOWNLOAD_TIMEOUT = 300
 _ZIP_ROOT_PREFIX = "sigma-master"
 
+# Safety limits for ZIP extraction — prevent zip-bomb DoS
+_MAX_UNCOMPRESSED_SIZE = 500 * 1024 * 1024  # 500 MB
+_MAX_ENTRIES = 50_000
+
 # Regex to extract MITRE ATT&CK technique IDs from Sigma tags
 # e.g. "attack.t1059.001" → "T1059.001"
 _ATTACK_TAG_RE = re.compile(r"attack\.(t\d{4}(?:\.\d{3})?)", re.IGNORECASE)
@@ -88,11 +92,6 @@ def _safe_extract_zip(zip_bytes: bytes, dest: str) -> None:
     directory (path traversal / Zip Slip) or if the archive exceeds the
     safety limits.
     """
-    # Maximum uncompressed size: 500 MB — prevents zip-bomb DoS
-    _MAX_UNCOMPRESSED_SIZE = 500 * 1024 * 1024
-    # Maximum number of entries
-    _MAX_ENTRIES = 50_000
-
     dest_path = Path(dest).resolve()
 
     with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
@@ -290,11 +289,8 @@ def sync(db: Session) -> dict:
     skipped = 0
 
     for item in parsed_rules:
-        # Dedup key: source_id (relative path). A rule file may produce
-        # multiple entries (one per technique), but we deduplicate by
-        # source_id so re-runs are safe.  For multi-technique rules we
-        # only skip if the exact same source_id is already present.
-        dedup_key = f"{item['source_id']}::{item['mitre_technique_id']}"
+        # Deduplicate by source_id: one rule file may map to multiple techniques,
+        # but we skip insertion if this source_id was already imported.
         if item["source_id"] in existing_ids:
             skipped += 1
             continue