Hardening round 2: healthcheck, audit anchor, return_4h, exec config, signals

Sei interventi MEDIA priorità sul sistema. 323 test pass, mypy strict
pulito, ruff clean.

1. Docker HEALTHCHECK + cerbero-bite healthcheck:
   - nuovo subcommand che esce 0 se kill_switch=0 e last_health_check
     entro --max-staleness-s (default 600s);
   - HEALTHCHECK direttiva nel Dockerfile (60s interval, 5s timeout,
     start_period 120s, retries 3);
   - healthcheck definition nel docker-compose.yml.

2. Audit hash chain anti-truncation:
   - migration 0002: nuova colonna system_state.last_audit_hash;
   - AuditLog accetta callback on_append, dependencies.py la wire al
     repository.set_last_audit_hash;
   - Orchestrator.boot verifica che il tail file matcha l'anchor
     persistito; mismatch → kill switch CRITICAL.

3. return_4h bootstrap da deribit get_historical:
   - quando dvol_history è vuoto _fetch_return_4h cade su
     deribit.historical_close (1h candle 4h fa);
   - alert LOW se anche il fallback fallisce.

4. execution.environment + execution.eur_to_usd in strategy.yaml:
   - ExecutionConfig promosso a typed schema con i due campi
     consumati al boot;
   - CLI start preferisce i valori da config; CLI flag overridano
     solo quando differenti dai default.

5. Cycle correlation ID:
   - structlog.contextvars.bind_contextvars in run_entry/run_monitor/
     run_health propaga cycle_id e cycle nei log strutturati.

6. SIGTERM/SIGINT clean shutdown:
   - run_forever installa loop.add_signal_handler per SIGTERM e
     SIGINT; il segnale set()ta un asyncio.Event che termina il
     blocco principale, scheduler.shutdown e ctx.aclose finalizzano.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/cerbero_bite/state/migrations/0002_audit_anchor.sql

@@ -0,0 +1,8 @@
+-- 0002_audit_anchor.sql — store the latest audit chain hash inside
+-- system_state so a truncation of the audit log file can be detected
+-- at boot (the file would still verify on its own, but the recorded
+-- anchor would not match the file's tail hash).
+
+ALTER TABLE system_state ADD COLUMN last_audit_hash TEXT;
+
+PRAGMA user_version = 2;

src/cerbero_bite/state/models.py

@@ -152,3 +152,4 @@ class SystemStateRecord(BaseModel):
     last_kelly_calib: datetime | None = None
     config_version: str
     started_at: datetime
+    last_audit_hash: str | None = None

src/cerbero_bite/state/repository.py

@@ -414,6 +414,7 @@ class Repository:
         row = conn.execute("SELECT * FROM system_state WHERE id = 1").fetchone()
         if row is None:
             return None
+        keys = row.keys()
         return SystemStateRecord(
             id=int(row["id"]),
             kill_switch=int(row["kill_switch"]),
@@ -423,6 +424,18 @@ class Repository:
             last_kelly_calib=_dec_dt(row["last_kelly_calib"]),
             config_version=row["config_version"],
             started_at=_dec_dt_required(row["started_at"]),
+            last_audit_hash=(
+                row["last_audit_hash"] if "last_audit_hash" in keys else None
+            ),
+        )
+
+    def set_last_audit_hash(
+        self, conn: sqlite3.Connection, *, hex_hash: str
+    ) -> None:
+        """Store the most recent audit chain hash. Called by AuditLog after append."""
+        conn.execute(
+            "UPDATE system_state SET last_audit_hash = ? WHERE id = 1",
+            (hex_hash,),
         )
 
     def set_kill_switch(