feat: implement Phase 2 stabilization

- Cache Graph API tokens with expiry-aware reuse in graph/auth.py
- Add tenacity-based retry/backoff wrapper (utils/http.py) and apply to all Graph/source API calls
- Add Pydantic request/response models (models/api.py) and FastAPI query constraints
- Add unit tests for event_model, auth and integration tests for API endpoints
- Configure ruff linter/formatter in pyproject.toml
- Add GitHub Actions CI pipeline (.github/workflows/ci.yml)
- Add requirements-dev.txt with pytest, mongomock, httpx, ruff
- Clean up typing imports and fix ruff linting across codebase

backend/routes/config.py

@@ -1,10 +1,10 @@
-from fastapi import APIRouter
 from config import (
-    AUTH_ENABLED,
-    AUTH_TENANT_ID,
     AUTH_CLIENT_ID,
+    AUTH_ENABLED,
     AUTH_SCOPE,
+    AUTH_TENANT_ID,
 )
+from fastapi import APIRouter
 
 router = APIRouter()
 

backend/routes/events.py

@@ -1,22 +1,24 @@
 import re
-from fastapi import APIRouter, HTTPException, Depends
-from database import events_collection
+
 from auth import require_auth
+from database import events_collection
+from fastapi import APIRouter, Depends, HTTPException, Query
+from models.api import FilterOptionsResponse, PaginatedEventResponse
 
 router = APIRouter(dependencies=[Depends(require_auth)])
 
 
-@router.get("/events")
+@router.get("/events", response_model=PaginatedEventResponse)
 def list_events(
-    service: str = None,
-    actor: str = None,
-    operation: str = None,
-    result: str = None,
-    start: str = None,
-    end: str = None,
-    search: str = None,
-    page: int = 1,
-    page_size: int = 50,
+    service: str | None = None,
+    actor: str | None = None,
+    operation: str | None = None,
+    result: str | None = None,
+    start: str | None = None,
+    end: str | None = None,
+    search: str | None = None,
+    page: int = Query(default=1, ge=1),
+    page_size: int = Query(default=50, ge=1, le=500),
 ):
     filters = []
 
@@ -82,8 +84,8 @@ def list_events(
     }
 
 
-@router.get("/filter-options")
-def filter_options(limit: int = 200):
+@router.get("/filter-options", response_model=FilterOptionsResponse)
+def filter_options(limit: int = Query(default=200, ge=1, le=1000)):
     """
     Provide distinct values for UI filters (best-effort, capped).
     """

backend/routes/fetch.py

@@ -1,12 +1,12 @@
-from fastapi import APIRouter, HTTPException, Depends
-from pymongo import UpdateOne
-
-from database import events_collection
-from graph.audit_logs import fetch_audit_logs
-from sources.unified_audit import fetch_unified_audit
-from sources.intune_audit import fetch_intune_audit
-from models.event_model import normalize_event
 from auth import require_auth
+from database import events_collection
+from fastapi import APIRouter, Depends, HTTPException, Query
+from graph.audit_logs import fetch_audit_logs
+from models.api import FetchAuditLogsResponse
+from models.event_model import normalize_event
+from pymongo import UpdateOne
+from sources.intune_audit import fetch_intune_audit
+from sources.unified_audit import fetch_unified_audit
 
 router = APIRouter(dependencies=[Depends(require_auth)])
 
@@ -40,8 +40,8 @@ def run_fetch(hours: int = 168):
     return {"stored_events": len(normalized), "errors": errors}
 
 
-@router.get("/fetch-audit-logs")
-def fetch_logs(hours: int = 168):
+@router.get("/fetch-audit-logs", response_model=FetchAuditLogsResponse)
+def fetch_logs(hours: int = Query(default=168, ge=1, le=720)):
     try:
         return run_fetch(hours=hours)
     except Exception as exc: