feat: add audit events and runtime state snapshots to database

- Introduced new tables for audit events and runtime state snapshots in the database schema.
- Created data classes for AuditRecord and RuntimeStateRecord to represent the new entities.
- Implemented AuditRepository and RuntimeStateRepository for inserting and retrieving records.
- Enhanced the dashboard to include an audit trail section, displaying recent audit events.
- Added tests for the new audit repository and runtime lifecycle functionalities.
- Updated settings validation to ensure proper configuration for alerting features.
- Integrated alert notifications across various components, including execution sequencer and loss limits.

CHANGELOG.md

@@ -1,14 +1,27 @@
+# Changelog
+
 ## [Unreleased] - 2026-06-01
 
 ### Added
 
 - Added stop-condition risk controls for abnormal source/apply latency and repeated execution failures.
 - Added a new stop-conditions guard and integration in market feed processing.
+- Added multi-channel alerting infrastructure with Telegram, Discord webhook, and SMTP channel clients.
+- Added alert configuration settings for severity threshold, category routing, and dedup cooldown.
+- Added dashboard alert status surfacing with configured channels and last-send delivery outcome.
+- Added append-only `audit_events` schema plus repository support for insert/query of recent audit records.
+- Added dashboard audit fragment and protected API endpoint for recent audit entries.
+- Added runtime lifecycle manager with startup recovery and graceful shutdown orchestration.
+- Added `runtime_state_snapshots` persistence for control flags, open trade count, and last known balances.
+- Added CI security gates for dependency auditing (`pip-audit --strict`) and a repository/worktree secret scan script.
+- Added strict settings validators for auth pairing, Kraken credential pairing, alert severity bounds, and key-scope policy.
 
 ### Changed
 
 - Live execution path now auto-activates the kill switch when configured stop conditions are breached.
 - Added configuration env keys for stop-condition thresholds.
+- WebSocket client now emits system alerts for disconnect/reconnect and heartbeat staleness timeout events.
+- Added explicit Kraken API key permission configuration (`KRAKEN_API_KEY_PERMISSIONS`) and docs for least-privilege key usage.
 
 ### Removed
 
@@ -27,3 +40,13 @@
 - Added dashboard controls for start/stop, config edits, and manual kill-switch triggering via HTMX POST forms.
 - Added Alpine.js interactivity and a Chart.js opportunity trend panel to the dashboard.
 - Added optional HTTP Basic authentication for dashboard routes, fragments, streams, and control endpoints.
+- Added alert wiring for dashboard control actions, execution success/failure, and threshold breaches in risk guards.
+- Added unit/integration tests covering alert notifier behavior and alert emission paths.
+- Added critical system alert emission when live opportunity executor raises an unhandled exception.
+- Added WebSocket and market-feed tests for system-event alerting paths.
+- Added notifier status snapshot tracking and protected alert-status API endpoint for operational visibility.
+- Added audit event writes for dashboard controls and detector/risk/execution decision points.
+- Added tests for audit repository and dashboard audit route coverage.
+- Added startup restart safety guard that halts execution when open trades are detected after restart.
+- Added lifecycle tests for snapshot persistence, worker draining, recovery restore, and startup reconciliation hook.
+- Added unit coverage for security-related settings validation paths.