feat(templates): implement reusable attack templates (#95) (#128)

## Summary

- Add `attack_templates` table with project-scoped CRUD, unique
`(projectId, name)` constraint, `hashTypeId` FK, and `tags` text array
for categorization
- Implement full REST API: list, create, get, update, delete,
instantiate (returns unsaved attack payload), and import (clone template
into current project)
- Add Templates management page with resource name resolution, tags
support, and campaign wizard "Start from Template" picker integration
- Add 20 backend tests covering schema validation,
`extractAttackPayload` logic, auth guards, project-scope enforcement,
and API contract

Closes #95

## Test Plan

- [ ] Create a template via the Templates page -- verify it appears in
the list with correct resource names
- [ ] Edit a template -- verify fields update, unique name constraint
enforced
- [ ] Delete a template -- verify removal from list
- [ ] Open campaign wizard > Step 2 > "Start from Template" -- verify
attack form pre-fills from selected template
- [ ] Verify cross-project template access returns 404
- [ ] Verify viewers can list/view templates but cannot
create/edit/delete
- [ ] Run `just check` -- build, lint, type-check all pass
- [ ] Run `just test-backend` -- 124 tests pass (20 new)
- [ ] Run `just test-frontend` -- 119 tests pass

---------

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>

Author: unclesp1d3r

AGENTS.md

@@ -16,3 +16,7 @@ This file provides AI coding assistants with project context. All substantive do
 - `.kiro/steering/tech.md` contains explicit constraints on what NOT to introduce. Respect these constraints.
 - Prefer mermaid diagrams for architectural or sequence diagrams in documentation.
 - Agents (hashcat workers) are the primary API consumer. Never break the agent API to improve the dashboard experience.
+
+## Agent Rules <!-- tessl-managed -->
+
+@.tessl/RULES.md follow the [instructions](.tessl/RULES.md)

AI_POLICY.md

@@ -0,0 +1,32 @@
+# AI Usage Policy
+
+We build operator-focused security tools. AI coding assistants are part of how we do that. This policy is not anti-AI -- it is pro-accountability.
+
+Think of AI assistance like spellcheck. It catches typos, suggests corrections, and speeds up the mechanical parts of writing. But you are still responsible for your words and their consequences.
+
+## The Rule
+
+**You own every line you submit.** You must be able to explain what
+it does and how it interacts with the rest of the system without asking your AI to explain it back to you.
+
+Everything else follows from that.
+
+## How We Work
+
+- **Disclose your tools.** Note what you used in your PR description -- Claude Code, Copilot, Cursor, whatever. No specific format required.
+
+- **Review AI-generated text before posting.** Issues, discussions, and PR descriptions must reflect your understanding, not a language model's first draft. Read it, cut the filler, make sure it says what you mean.
+
+- **No AI-generated media.** No generated images, logos, audio, or video. Text-based diagrams (ASCII art, Mermaid) and code are acceptable.
+
+- **Unreviewed output gets closed.** Hallucinated APIs, boilerplate that ignores project conventions, suggestions you clearly did not run -- these get closed without review. We are not a QA service for your AI's output.
+
+## Why
+
+Transparent by design means knowing what the code does and why it is there. Tested under pressure means every change was understood by the person who submitted it. AI makes capable engineers faster. It does not replace the understanding that makes contributions trustworthy.
+
+Every pull request is reviewed by a human. Submitting work you do not understand shifts that burden onto maintainers. That is not how we operate.
+
+## New Contributors
+
+Use AI to learn the codebase. Read the code it generates. Run it. Break it. Then submit work that reflects your understanding. We will help you through review -- that deal only works if the code is yours.

CONTRIBUTING.md

@@ -7,6 +7,10 @@
 - **[Testing](./docs/testing.md)** -- test strategy, patterns, bun:test specifics
 - **[Known Gotchas](./GOTCHAS.md)** -- hard-won lessons by domain (TypeScript, Hono, Drizzle, etc.)
 
+## AI Assistance
+
+We accept considerate AI-assisted contributions. Install `tessl install tessl-labs/good-oss-citizen` first. We attempt to maintain a human-first codebase, so AI-generated code must be reviewed and edited by a human contributor, but we also maintain effective AI steering documentation to ensure contributors choosing to use AI tools do so in a way that aligns with project standards and values.
+
 ## Development Setup
 
 ### Prerequisites

packages/backend/src/config/env.ts

@@ -24,6 +24,7 @@ const envSchema = z.object({
 
   // BetterAuth (generate with: openssl rand -base64 32)
   BETTER_AUTH_SECRET: z.string().min(32),
+  BETTER_AUTH_URL: z.string().url().optional(),
 });
 
 export type Env = z.infer<typeof envSchema>;

packages/backend/src/index.ts

@@ -15,6 +15,7 @@ import { getQueueManager, setQueueManager } from './queue/context.js';
 import { QueueManager } from './queue/manager.js';
 import { agentRoutes } from './routes/agent/index.js';
 import { dashboardAgentRoutes } from './routes/dashboard/agents.js';
+import { attackTemplateRoutes } from './routes/dashboard/attack-templates.js';
 import { authRoutes } from './routes/dashboard/auth.js';
 import { campaignRoutes } from './routes/dashboard/campaigns.js';
 import { createEventRoutes } from './routes/dashboard/events.js';
@@ -83,7 +84,7 @@ app.get('/health', async (c) => {
 
 // ─── BetterAuth Handler ──────────────────────────────────────────────
 
-app.on(['POST', 'GET'], '/api/auth/**', async (c) => {
+app.on(['POST', 'GET'], '/api/auth/*', async (c) => {
   try {
     return await auth.handler(c.req.raw);
   } catch (err) {
@@ -102,6 +103,7 @@ app.route('/api/v1/dashboard/projects', projectRoutes);
 app.route('/api/v1/dashboard/agents', dashboardAgentRoutes);
 app.route('/api/v1/dashboard/resources', resourceRoutes);
 app.route('/api/v1/dashboard/hashes', hashRoutes);
+app.route('/api/v1/dashboard/attack-templates', attackTemplateRoutes);
 app.route('/api/v1/dashboard/campaigns', campaignRoutes);
 app.route('/api/v1/dashboard/tasks', taskRoutes);
 app.route('/api/v1/dashboard/stats', statsRoutes);

packages/backend/src/lib/auth.ts

@@ -6,14 +6,15 @@ import { db } from '../db/index.js';
 
 export const auth = betterAuth({
   basePath: '/api/auth',
+  ...(env.BETTER_AUTH_URL ? { baseURL: env.BETTER_AUTH_URL } : {}),
   secret: env.BETTER_AUTH_SECRET,
 
   database: drizzleAdapter(db, {
     provider: 'pg',
     schema: {
-      user: schema.users,
+      users: schema.users,
       session: schema.baSessions,
-      account: schema.baAccounts,
+      ba_accounts: schema.baAccounts,
       verification: schema.baVerifications,
     },
   }),
@@ -42,30 +43,10 @@ export const auth = betterAuth({
 
   user: {
     modelName: 'users',
-    fields: {
-      name: 'name',
-      email: 'email',
-      emailVerified: 'email_verified',
-      image: 'image',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    },
   },
 
   account: {
     modelName: 'ba_accounts',
-    fields: {
-      userId: 'user_id',
-      accountId: 'account_id',
-      providerId: 'provider_id',
-      accessToken: 'access_token',
-      refreshToken: 'refresh_token',
-      accessTokenExpiresAt: 'access_token_expires_at',
-      refreshTokenExpiresAt: 'refresh_token_expires_at',
-      idToken: 'id_token',
-      createdAt: 'created_at',
-      updatedAt: 'updated_at',
-    },
   },
 
   advanced: {