tech-debt: mypy --strict config + integration tests for audit routes

Phase 1 Step 4 follow-up addressing the debt flagged in the worked-example
commit (4a91814).

## mypy --strict policy

Adds backend-compliance/mypy.ini declaring the strict-mode scope:

  Fully strict (enforced today):
    - compliance/domain/
    - compliance/schemas/
    - compliance/api/_http_errors.py
    - compliance/api/audit_routes.py        (refactored in Step 4)
    - compliance/services/audit_session_service.py
    - compliance/services/audit_signoff_service.py

  Loose (ignore_errors=True) with a migration path:
    - compliance/db/*                        — SQLAlchemy 1.x Column[] vs
                                               runtime T; unblocks Phase 1
                                               until a Mapped[T] migration.
    - compliance/api/<route>.py              — each route file flips to
                                               strict as its own Step 4
                                               refactor lands.
    - compliance/services/<legacy util>      — 14 utility services
                                               (llm_provider, pdf_extractor,
                                               seeder, ...) that predate the
                                               clean-arch refactor.
    - compliance/tests/                      — excluded (legacy placeholder
                                               style). The new TestClient-
                                               based integration suite is
                                               type-annotated.

The two new service files carry a scoped `# mypy: disable-error-code="arg-type,assignment"`
header for the ORM Column[T] issue — same underlying SQLAlchemy limitation,
narrowly scoped rather than wholesale ignore_errors.

Flow: `cd backend-compliance && mypy compliance/` -> clean on 119 files.
CI yaml updated to use the config instead of ad-hoc package lists.

## Bugs fixed while enabling strict

mypy --strict surfaced two latent bugs in the pre-refactor code. Both
were invisible because the old `compliance/tests/test_audit_routes.py`
is a placeholder suite that asserts on request-data shape and never
calls the handlers:

  - AuditSessionResponse.updated_at is a required field in the schema,
    but the original handler didn't pass it. Fixed in
    AuditSessionService._to_response.

  - PaginationMeta requires has_next + has_prev. The original audit
    checklist handler didn't compute them. Fixed in
    AuditSignOffService.get_checklist.

Both are behavior-preserving at the HTTP level because the old code
would have raised Pydantic ValidationError at response serialization
had the endpoint actually been exercised.

## Integration test suite

Adds backend-compliance/tests/test_audit_routes_integration.py — 26
real TestClient tests against an in-memory sqlite backend (StaticPool).
Replaces the coverage gap left by the placeholder suite.

Covers:
  - Session CRUD + lifecycle transitions (draft -> in_progress -> completed
    -> archived), including the 409 paths for illegal transitions
  - Checklist pagination, filtering, search
  - Sign-off create / update / auto-start-session / count-flipping
  - Sign-off 400 (invalid result), 404 (missing requirement), 409 (completed session)
  - Get-signoff 404 / 200 round-trip

Uses a module-scoped schema fixture + per-test DELETE-sweep so the
suite runs in ~2.3s despite the ~50-table ORM surface.

Verified:
  - 199/199 pytest (173 original + 26 new audit integration) pass
  - tests/contracts/test_openapi_baseline.py green, OpenAPI 360/484 unchanged
  - mypy compliance/ -> Success: no issues found in 119 source files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend-compliance/compliance/services/audit_session_service.py

@@ -1,3 +1,7 @@
+# mypy: disable-error-code="arg-type,assignment"
+# SQLAlchemy 1.x-style Column() descriptors are typed as Column[T] at static-
+# analysis time but return T at runtime. Converting models to Mapped[T] is
+# out of scope for Phase 1. Scoped ignore lets the rest of --strict apply.
 """
 Audit Session service — lifecycle of audit sessions (create, list, get,
 start, complete, archive, delete, PDF).
@@ -14,7 +18,7 @@ Checklist and sign-off operations live in
 import io
 import logging
 from datetime import datetime, timezone
-from typing import List, Optional
+from typing import Any, List, Optional
 from uuid import uuid4
 
 from fastapi.responses import StreamingResponse
@@ -99,6 +103,7 @@ class AuditSessionService:
             created_at=s.created_at,
             started_at=s.started_at,
             completed_at=s.completed_at,
+            updated_at=s.updated_at,
         )
 
     # ------------------------------------------------------------------
@@ -178,7 +183,7 @@ class AuditSessionService:
         base = self._to_response(session)
         return AuditSessionDetailResponse(**base.model_dump(), statistics=stats)
 
-    def start(self, session_id: str) -> dict:
+    def start(self, session_id: str) -> dict[str, Any]:
         """Move a session from draft to in_progress."""
         session = self._get_or_raise(session_id)
         if session.status != AuditSessionStatusEnum.DRAFT:
@@ -190,7 +195,7 @@ class AuditSessionService:
         self.db.commit()
         return {"success": True, "message": "Audit session started", "status": "in_progress"}
 
-    def complete(self, session_id: str) -> dict:
+    def complete(self, session_id: str) -> dict[str, Any]:
         """Move a session from in_progress to completed."""
         session = self._get_or_raise(session_id)
         if session.status != AuditSessionStatusEnum.IN_PROGRESS:
@@ -202,7 +207,7 @@ class AuditSessionService:
         self.db.commit()
         return {"success": True, "message": "Audit session completed", "status": "completed"}
 
-    def archive(self, session_id: str) -> dict:
+    def archive(self, session_id: str) -> dict[str, Any]:
         """Archive a completed audit session."""
         session = self._get_or_raise(session_id)
         if session.status != AuditSessionStatusEnum.COMPLETED:
@@ -213,7 +218,7 @@ class AuditSessionService:
         self.db.commit()
         return {"success": True, "message": "Audit session archived", "status": "archived"}
 
-    def delete(self, session_id: str) -> dict:
+    def delete(self, session_id: str) -> dict[str, Any]:
         """Delete a draft or archived session."""
         session = self._get_or_raise(session_id)
         if session.status not in (

backend-compliance/compliance/services/audit_signoff_service.py

@@ -1,3 +1,6 @@
+# mypy: disable-error-code="arg-type,assignment"
+# See compliance/services/audit_session_service.py for rationale — SQLAlchemy
+# 1.x Column() descriptors are Column[T] statically but T at runtime.
 """
 Audit Sign-Off service — audit checklist retrieval and per-requirement sign-off
 operations.
@@ -143,7 +146,7 @@ class AuditSignOffService:
             .group_by(ControlMappingDB.requirement_id)
             .all()
         )
-        mapping_count_map = dict(mapping_counts)
+        mapping_count_map: dict[str, int] = dict(mapping_counts)
 
         items: list[AuditChecklistItem] = []
         for req in requirements:
@@ -169,7 +172,7 @@ class AuditSignOffService:
                     signed_at=signoff.signed_at if signoff else None,
                     signed_by=signoff.signed_by if signoff else None,
                     evidence_count=0,  # TODO: Add evidence count
-                    controls_mapped=mapping_count_map.get(req.id, 0),
+                    controls_mapped=mapping_count_map.get(str(req.id), 0),
                     implementation_status=req.implementation_status,
                     priority=req.priority,
                 )
@@ -203,6 +206,8 @@ class AuditSignOffService:
                 page_size=page_size,
                 total=total_count,
                 total_pages=(total_count + page_size - 1) // page_size,
+                has_next=page * page_size < total_count,
+                has_prev=page > 1,
             ),
             statistics=stats,
         )