fix(auth): resolve JWT InvalidSignatureError and improve frontend UX

- Fix auth by using idToken fallback when accessToken audience mismatches
- Add PyJWT verification with audience-aware token selection in frontend
- Source health: track last_attempt_time and error status per source
- Frontend: fix modal outside x-data scope, add circular-safe JSON stringify
- Frontend: support multi-select service filter with All/None toggles
- Frontend: improve filter layout into organized rows
- Frontend: fix text overflow and result pill colors (success/succeeded)
- Intune: normalize application actors (auditActorType=Application)
- Add cache-control middleware for HTML/API responses
- Update tests for multi-service filtering and source health

backend/routes/fetch.py

@@ -31,12 +31,13 @@ def run_fetch(hours: int = 168):
         try:
             since = get_watermark(source_key)
             result = fn(since=since) if since else fn(hours=window)
-            set_watermark(source_key, now)
+            set_watermark(source_key, now, status="healthy")
             track_fetch(source_key, len(result))
             return result
         except Exception as exc:
             errors.append(f"{label}: {exc}")
             track_fetch_error(source_key)
+            set_watermark(source_key, now, status="error")
             return []
         finally:
             track_fetch_duration(source_key, time.time() - start_time)