feat(web): GET /api/v1/ttp/techniques/{id}/groups — MITRE-tracked groups using a technique

Surfaces the intrusion-set reverse index from the loaded ATT&CK
bundle: given a technique, returns the list of groups MITRE has
documented as using it. Read-only — explicitly NOT an attribution
claim about a DECNET attacker. The frontend pulls this lazily when
the operator expands a technique panel; payload-size cost on every
TTPTagDetailRow makes embedding wasteful for techniques with 50+
documented groups.

- decnet/web/router/ttp/api_get_groups_for_technique.py exposes
  GET /api/v1/ttp/techniques/{technique_id}/groups, response_model
  list[GroupRef]. Same JWT-viewer auth gating as the rest of the
  TTP router. 404 when the technique_id doesn't resolve in the
  bundle.
- Sub-techniques are queried directly (no auto-union with parent)
  to match ATT&CK Navigator semantics; callers that want a broader
  view query the parent themselves.
- tests/ttp/test_groups_for_technique.py covers happy path, 404,
  sub-technique attribution independence, empty-list-on-zero-groups,
  and that responses include mitre_url + aliases.
- tests/web/test_api_attackers.py: fix pre-existing fixture drift
  introduced by a2a61b63 — three TestGetAttackerDetail cases were
  missing AsyncMock for repo.latest_observation_per_primitive,
  causing TypeError on await of MagicMock. The new groups endpoint
  doesn't share code with attacker_detail; this is a drive-by fix
  surfaced by the same suite run.

decnet/web/router/__init__.py

@@ -64,6 +64,7 @@ from .ttp.api_get_by_session import router as ttp_by_session_router
 from .ttp.api_get_rules import router as ttp_rules_router
 from .ttp.api_get_tag_details import router as ttp_tag_details_router
 from .ttp.api_export_navigator import router as ttp_navigator_router
+from .ttp.api_get_groups_for_technique import router as ttp_groups_for_technique_router
 
 api_router = APIRouter(
     # Every route under /api/v1 is auth-guarded (either by an explicit
@@ -189,3 +190,4 @@ api_router.include_router(ttp_by_session_router)
 api_router.include_router(ttp_rules_router)
 api_router.include_router(ttp_tag_details_router)
 api_router.include_router(ttp_navigator_router)
+api_router.include_router(ttp_groups_for_technique_router)

decnet/web/router/ttp/api_get_groups_for_technique.py

@@ -0,0 +1,50 @@
+"""GET /api/v1/ttp/techniques/{technique_id}/groups — MITRE-tracked groups using *technique_id*.
+
+Read-only reverse-index off the loaded ATT&CK STIX bundle. **NOT an
+attribution claim** about a DECNET attacker — given the technique,
+return the list of MITRE-tracked intrusion-sets (groups) documented
+as using it. The frontend pulls this lazily when the operator
+expands a technique panel; payload sizes for large groups (50+ on
+some techniques) make embedding on every TTPTagDetailRow wasteful.
+"""
+from __future__ import annotations
+
+from typing import Any
+
+from fastapi import APIRouter, Depends, HTTPException, status
+
+from decnet.telemetry import traced as _traced
+from decnet.ttp import attack_stix
+from decnet.web.dependencies import require_viewer
+
+router = APIRouter()
+
+
+@router.get(
+    "/ttp/techniques/{technique_id}/groups",
+    tags=["TTP Tagging"],
+    response_model=list[attack_stix.GroupRef],
+    responses={
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+        404: {"description": "Unknown technique_id"},
+    },
+)
+@_traced("api.ttp.groups_for_technique")
+async def api_groups_for_technique(
+    technique_id: str,
+    user: dict[str, Any] = Depends(require_viewer),
+) -> list[attack_stix.GroupRef]:
+    """List MITRE-tracked intrusion-sets that use *technique_id*.
+
+    Sub-techniques are queried directly (no auto-union with the
+    parent — matches ATT&CK Navigator semantics). Empty list when
+    the technique exists but has no documented groups; 404 when the
+    technique_id doesn't resolve in the loaded ATT&CK bundle at all.
+    """
+    if not attack_stix.technique_exists(technique_id):
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"unknown technique_id: {technique_id!r}",
+        )
+    return list(attack_stix.groups_using_technique(technique_id))