Phase 1: API core — all endpoints, query service, CPF masking

- Neo4j query service: CypherLoader + parameterized executor
- Entity endpoints: /entity/{cpf_or_cnpj} lookup + /entity/{id}/connections
- Search endpoint: /search with fulltext index, pagination, type filtering
- Graph endpoint: /graph/{entity_id} with depth/type filtering, nodes + edges
- CPF masking middleware: scans responses, masks non-PEP CPFs, preserves CNPJ
- Pydantic models: EntityResponse, SearchResponse, GraphResponse with source attribution
- 5 .cypher query files (never inline Cypher)
- 58 unit tests passing (ruff + mypy + pytest clean)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

api/tests/unit/test_entity.py

@@ -0,0 +1,33 @@
+import pytest
+from httpx import AsyncClient
+
+
+@pytest.mark.anyio
+async def test_entity_lookup_rejects_invalid_format(client: AsyncClient) -> None:
+    response = await client.get("/api/v1/entity/abc")
+    assert response.status_code == 400
+    assert "Invalid CPF or CNPJ" in response.json()["detail"]
+
+
+@pytest.mark.anyio
+async def test_entity_lookup_rejects_short_number(client: AsyncClient) -> None:
+    response = await client.get("/api/v1/entity/12345")
+    assert response.status_code == 400
+
+
+@pytest.mark.anyio
+async def test_entity_lookup_rejects_15_digits(client: AsyncClient) -> None:
+    response = await client.get("/api/v1/entity/123456789012345")
+    assert response.status_code == 400
+
+
+@pytest.mark.anyio
+async def test_connections_rejects_invalid_depth(client: AsyncClient) -> None:
+    response = await client.get("/api/v1/entity/test-id/connections?depth=5")
+    assert response.status_code == 422
+
+
+@pytest.mark.anyio
+async def test_connections_rejects_zero_depth(client: AsyncClient) -> None:
+    response = await client.get("/api/v1/entity/test-id/connections?depth=0")
+    assert response.status_code == 422