feat: natural language query + production hardening

Features:
- Add /api/ask endpoint for plain-language audit log queries
- Regex-based time/entity extraction (no LLM required for parsing)
- LLM-powered narrative summarisation with OpenAI-compatible APIs
- Graceful fallback to structured bullet lists when LLM is unavailable
- Frontend ask panel with markdown rendering and cited events

Production:
- Harden Dockerfile: non-root user, gunicorn+uvicorn workers
- Add docker-compose.prod.yml with internal networks and health checks
- Add nginx reverse proxy with security headers
- MongoDB no longer exposed externally in production

Tests:
- 29 new tests for ask parsing, query building, and endpoint behaviour
- Fix conftest monkeypatch for routes.ask events collection

Bump version to 1.1.0

backend/config.py

@@ -42,6 +42,13 @@ class Settings(BaseSettings):
     # Alerting
     ALERTS_ENABLED: bool = False
 
+    # LLM / Natural Language Query
+    LLM_API_KEY: str = ""
+    LLM_BASE_URL: str = "https://api.openai.com/v1"
+    LLM_MODEL: str = "gpt-4o-mini"
+    LLM_MAX_EVENTS: int = 50
+    LLM_TIMEOUT_SECONDS: int = 30
+
 
 _settings = Settings()
 
@@ -68,3 +75,9 @@ CORS_ORIGINS = [o.strip() for o in _settings.CORS_ORIGINS.split(",") if o.strip(
 SIEM_ENABLED = _settings.SIEM_ENABLED
 SIEM_WEBHOOK_URL = _settings.SIEM_WEBHOOK_URL
 ALERTS_ENABLED = _settings.ALERTS_ENABLED
+
+LLM_API_KEY = _settings.LLM_API_KEY
+LLM_BASE_URL = _settings.LLM_BASE_URL
+LLM_MODEL = _settings.LLM_MODEL
+LLM_MAX_EVENTS = _settings.LLM_MAX_EVENTS
+LLM_TIMEOUT_SECONDS = _settings.LLM_TIMEOUT_SECONDS