feat: implement Phase 2 stabilization

- Cache Graph API tokens with expiry-aware reuse in graph/auth.py
- Add tenacity-based retry/backoff wrapper (utils/http.py) and apply to all Graph/source API calls
- Add Pydantic request/response models (models/api.py) and FastAPI query constraints
- Add unit tests for event_model, auth and integration tests for API endpoints
- Configure ruff linter/formatter in pyproject.toml
- Add GitHub Actions CI pipeline (.github/workflows/ci.yml)
- Add requirements-dev.txt with pytest, mongomock, httpx, ruff
- Clean up typing imports and fix ruff linting across codebase

ROADMAP.md

@@ -20,17 +20,17 @@ Goal: fix critical security and reliability gaps before production use.
 
 ---
 
-## Phase 2: Stabilize
+## Phase 2: Stabilize ✅
 Goal: improve resilience, code quality, and development experience.
 
-- [ ] Cache Graph API tokens and reuse them until near expiry
-- [ ] Add exponential backoff / retry logic for Graph API and Office 365 API calls
-- [ ] Add unit tests for `normalize_event()`, `_make_dedupe_key()`, and `auth.py`
-- [ ] Add integration tests for `/api/events` and `/api/fetch-audit-logs`
-- [ ] Configure linter/formatter (`ruff` or `black` + `isort`) and pre-commit hooks
-- [ ] Set up GitHub Actions CI pipeline (lint + test)
-- [ ] Add Pydantic request/response models for API endpoints
-- [ ] Validate `page_size` and `hours` with strict FastAPI constraints
+- [x] Cache Graph API tokens and reuse them until near expiry
+- [x] Add exponential backoff / retry logic for Graph API and Office 365 API calls
+- [x] Add unit tests for `normalize_event()`, `_make_dedupe_key()`, and `auth.py`
+- [x] Add integration tests for `/api/events` and `/api/fetch-audit-logs`
+- [x] Configure linter/formatter (`ruff`) and pre-commit hooks
+- [x] Set up GitHub Actions CI pipeline (lint + test)
+- [x] Add Pydantic request/response models for API endpoints
+- [x] Validate `page_size` and `hours` with strict FastAPI constraints
 
 ---