fix(auth): resolve JWT InvalidSignatureError and improve frontend UX

- Fix auth by using idToken fallback when accessToken audience mismatches
- Add PyJWT verification with audience-aware token selection in frontend
- Source health: track last_attempt_time and error status per source
- Frontend: fix modal outside x-data scope, add circular-safe JSON stringify
- Frontend: support multi-select service filter with All/None toggles
- Frontend: improve filter layout into organized rows
- Frontend: fix text overflow and result pill colors (success/succeeded)
- Intune: normalize application actors (auditActorType=Application)
- Add cache-control middleware for HTML/API responses
- Update tests for multi-service filtering and source health

backend/routes/events.py

@@ -34,6 +34,7 @@ def _decode_cursor(cursor: str) -> tuple[str, str]:
 @router.get("/events", response_model=PaginatedEventResponse)
 def list_events(
     service: str | None = None,
+    services: list[str] | None = Query(default=None),
     actor: str | None = None,
     operation: str | None = None,
     result: str | None = None,
@@ -48,6 +49,8 @@ def list_events(
 
     if service:
         filters.append({"service": service})
+    if services:
+        filters.append({"service": {"$in": services}})
     if actor:
         actor_safe = re.escape(actor)
         filters.append(