Initial commit: Vault Dashboard for options hedging

- FastAPI + NiceGUI web application
- QuantLib-based Black-Scholes pricing with Greeks
- Protective put, laddered, and LEAPS strategies
- Real-time WebSocket updates
- TradingView-style charts via Lightweight-Charts
- Docker containerization
- GitLab CI/CD pipeline for VPS deployment
- VPN-only access configuration

.gitlab-ci.yml

@@ -0,0 +1,101 @@
+stages:
+  - test
+  - build
+  - deploy
+
+variables:
+  PIP_CACHE_DIR: "$CI_PROJECT_DIR/.cache/pip"
+  PYTHONUNBUFFERED: "1"
+  DOCKER_TLS_CERTDIR: "/certs"
+  IMAGE_TAG: "$CI_COMMIT_SHORT_SHA"
+  APP_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA"
+
+cache:
+  paths:
+    - .cache/pip
+
+.python_setup: &python_setup
+  image: python:3.12-slim
+  before_script:
+    - python -V
+    - python -m pip install --upgrade pip
+    - pip install -r requirements-dev.txt
+
+lint:
+  <<: *python_setup
+  stage: test
+  script:
+    - ruff check app tests scripts
+    - black --check app tests scripts
+
+unit_tests:
+  <<: *python_setup
+  stage: test
+  script:
+    - pytest -q tests
+
+type_check:
+  <<: *python_setup
+  stage: test
+  script:
+    - mypy app scripts --ignore-missing-imports
+
+build_image:
+  stage: build
+  image: docker:27
+  services:
+    - docker:27-dind
+  before_script:
+    - echo "$CI_REGISTRY_PASSWORD" | docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" --password-stdin
+  script:
+    - docker build --pull -t "$APP_IMAGE" -t "$CI_REGISTRY_IMAGE:latest" .
+    - docker push "$APP_IMAGE"
+    - |
+      if [ "$CI_COMMIT_BRANCH" = "$CI_DEFAULT_BRANCH" ]; then
+        docker push "$CI_REGISTRY_IMAGE:latest"
+      fi
+    - printf 'APP_IMAGE=%s\nIMAGE_TAG=%s\n' "$APP_IMAGE" "$IMAGE_TAG" > build.env
+  artifacts:
+    reports:
+      dotenv: build.env
+
+security_scan:
+  stage: build
+  image:
+    name: aquasec/trivy:0.61.1
+    entrypoint: [""]
+  needs: ["build_image"]
+  script:
+    - trivy image --exit-code 1 --severity HIGH,CRITICAL --username "$CI_REGISTRY_USER" --password "$CI_REGISTRY_PASSWORD" "$APP_IMAGE"
+
+.deploy_setup: &deploy_setup
+  image: python:3.12-alpine
+  before_script:
+    - apk add --no-cache bash openssh-client curl docker-cli docker-cli-compose
+    - mkdir -p ~/.ssh
+    - chmod 700 ~/.ssh
+    - printf '%s' "$DEPLOY_SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_ed25519
+    - chmod 600 ~/.ssh/id_ed25519
+    - python -V
+
+.deploy_rules: &deploy_rules
+  rules:
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+
+
+deploy_production:
+  <<: *deploy_setup
+  stage: deploy
+  needs: ["build_image", "security_scan"]
+  environment:
+    name: production
+  variables:
+    GIT_STRATEGY: fetch
+  script:
+    - test -n "$DEPLOY_HOST" || (echo "DEPLOY_HOST must be set to a VPN-reachable private address" && exit 1)
+    - bash scripts/deploy.sh
+    - |
+      if [ -n "${EXTERNAL_HEALTHCHECK_URL:-}" ]; then
+        python scripts/healthcheck.py "$EXTERNAL_HEALTHCHECK_URL" --timeout 120 --expect-status ok --expect-environment "${APP_ENV:-production}"
+      fi
+  <<: *deploy_rules