docs: migrate roadmap to structured yaml tasks

docs/roadmap/ROADMAP.yaml

@@ -0,0 +1,62 @@
+version: 1
+updated_at: 2026-03-24
+structure:
+  backlog_dir: docs/roadmap/backlog
+  in_progress_dir: docs/roadmap/in-progress
+  done_dir: docs/roadmap/done
+  blocked_dir: docs/roadmap/blocked
+  cancelled_dir: docs/roadmap/cancelled
+notes:
+  - ROADMAP.md is now a human-readable compatibility index.
+  - One task lives in one YAML file and changes state by moving between status folders.
+  - Priority ordering is maintained here so agents can parse one short file first.
+priority_queue:
+  - SEC-001
+  - SEC-001A
+  - CORE-001D
+  - BT-003B
+  - PORT-003
+  - BT-002
+  - BT-001C
+  - EXEC-001
+  - EXEC-002
+recently_completed:
+  - CORE-001A
+  - CORE-001B
+  - CORE-001C
+  - PORT-004
+  - BT-001A
+  - BT-003A
+states:
+  backlog:
+    - SEC-001
+    - SEC-001A
+    - DATA-002A
+    - DATA-001A
+    - OPS-001
+    - PORT-003
+    - EXEC-001
+    - EXEC-002
+    - BT-002
+    - BT-003
+    - BT-003B
+    - BT-001C
+    - CORE-001D
+  in_progress: []
+  done:
+    - DATA-001
+    - DATA-002
+    - DATA-003
+    - PORT-001
+    - PORT-001A
+    - PORT-002
+    - PORT-004
+    - EXEC-001A
+    - BT-001
+    - BT-001A
+    - BT-003A
+    - CORE-001A
+    - CORE-001B
+    - CORE-001C
+  blocked: []
+  cancelled: []

docs/roadmap/backlog/BT-001C-shared-historical-fixture-provider.yaml

@@ -0,0 +1,14 @@
+id: BT-001C
+title: Shared Historical Fixture/Test Provider Cleanup
+status: backlog
+priority: P2
+effort: S
+depends_on:
+  - BT-001A
+  - BT-003A
+tags: [backtesting, test-infra]
+summary: Centralize deterministic historical fixture logic used by browser-tested backtest UIs.
+acceptance_criteria:
+  - Deterministic historical fixture/provider logic is centralized.
+  - Supported seeded windows are explicit and fail closed outside allowed ranges.
+  - Both /backtests and /event-comparison use the shared deterministic provider.

docs/roadmap/backlog/BT-002-historical-options-snapshots.yaml

@@ -0,0 +1,14 @@
+id: BT-002
+title: Historical Daily Options Snapshot Provider
+status: backlog
+priority: P2
+effort: L
+depends_on:
+  - BT-001
+tags: [backtesting, data]
+summary: Support real daily historical options premiums in backtests.
+acceptance_criteria:
+  - Historical provider abstraction supports point-in-time daily option snapshots.
+  - Backtests can swap synthetic pricing for observed historical premiums.
+  - Contract selection avoids lookahead bias.
+  - Provider/data-quality tradeoffs are documented.

docs/roadmap/backlog/BT-003-selloff-event-report.yaml

@@ -0,0 +1,13 @@
+id: BT-003
+title: Selloff Event Comparison Report
+status: backlog
+priority: P2
+effort: M
+depends_on:
+  - BT-001
+tags: [backtesting, events]
+summary: Rank named strategies across historical selloff events.
+acceptance_criteria:
+  - Event presets define named windows.
+  - Reports rank strategies by survival, max LTV, cost, and final equity.
+  - UI can show unhedged vs hedged path comparisons.

docs/roadmap/backlog/BT-003B-event-comparison-drilldown.yaml

@@ -0,0 +1,14 @@
+id: BT-003B
+title: Event Comparison Drilldown
+status: backlog
+priority: P1
+effort: M
+depends_on:
+  - BT-003A
+tags: [backtesting, ui]
+summary: Explain why one ranked strategy beat another on the event comparison page.
+acceptance_criteria:
+  - Selecting a ranked strategy shows daily path details.
+  - UI exposes margin-call days, payoff realized, hedge cost, and final equity.
+  - Worst LTV point and breach dates are highlighted.
+  - Browser test verifies drilldown content updates when selecting a ranked result.

docs/roadmap/backlog/CORE-001D-decimal-boundary-cleanup.yaml

@@ -0,0 +1,15 @@
+id: CORE-001D
+title: External Boundary and Persistence Cleanup for Decimal Unit Types
+status: backlog
+priority: P2
+effort: M
+depends_on:
+  - CORE-001B
+  - CORE-001C
+tags: [core, decimal, persistence]
+summary: Make Decimal/unit-safe values reliable across persistence, APIs, and provider boundaries.
+acceptance_criteria:
+  - Persistence format for unit-safe values is explicit and stable.
+  - Decimal-bearing JSON/API serialization is documented and tested.
+  - Float-heavy integrations have named conversion boundaries.
+  - Remaining raw-float domain hotspots are identified or removed.

docs/roadmap/backlog/DATA-001A-live-overview-price-wiring.yaml

@@ -0,0 +1,15 @@
+id: DATA-001A
+title: Live Overview Price Wiring
+status: backlog
+priority: P0
+effort: S
+depends_on:
+  - DATA-001
+  - PORT-001
+tags: [overview, pricing]
+summary: Use the live price service directly on the overview page.
+acceptance_criteria:
+  - Overview uses live quote data instead of a hardcoded spot.
+  - Source and last-updated metadata are displayed.
+  - Margin-call and LTV values use configured portfolio inputs.
+  - Browser test verifies visible live data metadata.

docs/roadmap/backlog/DATA-002A-lazy-options-loading.yaml

@@ -0,0 +1,15 @@
+id: DATA-002A
+title: Lazy Options Loading
+status: backlog
+priority: P0
+effort: S
+depends_on:
+  - DATA-002
+tags: [options, performance]
+summary: Render the options page fast by loading only the minimum data initially.
+acceptance_criteria:
+  - Initial page load fetches expirations plus one default expiry chain.
+  - Changing expiry fetches only that expiry on demand.
+  - Browser test verifies /options becomes visible quickly with no visible runtime error.
+technical_notes:
+  - Keep initial render fast and move additional data loading behind user selection.

docs/roadmap/backlog/EXEC-001-strategy-builder.yaml

@@ -0,0 +1,13 @@
+id: EXEC-001
+title: Strategy Builder
+status: backlog
+priority: P1
+effort: L
+depends_on:
+  - DATA-003
+tags: [strategies, hedge]
+summary: Build and compare hedge strategies from the product UI.
+acceptance_criteria:
+  - Select strategy type, strikes, and expirations.
+  - Show payoff diagrams and compare cost vs protection.
+  - Store strategy templates for reuse.

docs/roadmap/backlog/EXEC-002-ibkr-order-integration.yaml

@@ -0,0 +1,13 @@
+id: EXEC-002
+title: IBKR Order Integration
+status: backlog
+priority: P2
+effort: L
+depends_on:
+  - EXEC-001
+tags: [broker, execution]
+summary: Execute hedge trades directly from the dashboard.
+acceptance_criteria:
+  - Support IBKR paper trading first.
+  - Preview order, execute, and track status.
+  - Securely store credentials and maintain audit history.

docs/roadmap/backlog/OPS-001-public-caddy-route.yaml

@@ -0,0 +1,15 @@
+id: OPS-001
+title: Public Caddy Route for Lombard Dashboard
+status: backlog
+priority: P1
+effort: S
+depends_on: []
+tags: [ops, deploy, routing]
+summary: Move the production route to public HTTPS at lombard.uncloud.tech.
+acceptance_criteria:
+  - Caddy proxies lombard.uncloud.tech to the deployment container.
+  - HTTPS works with a valid certificate.
+  - Health check succeeds through Caddy.
+  - Deployment docs note that vd1.uncloud.vpn was retired in favor of the public route.
+technical_notes:
+  - Keep public-exposure controls aligned with SEC-001 Turnstile bootstrap protection.

docs/roadmap/backlog/PORT-003-historical-ltv-chart.yaml

@@ -0,0 +1,13 @@
+id: PORT-003
+title: Historical LTV Chart
+status: backlog
+priority: P2
+effort: M
+depends_on:
+  - PORT-001
+tags: [portfolio, history, charts]
+summary: Record and display historical LTV snapshots.
+acceptance_criteria:
+  - Store LTV snapshots over time.
+  - Display 7/30/90 day charts with the margin threshold line.
+  - Allow export as CSV.

docs/roadmap/backlog/SEC-001-turnstile-captcha.yaml

@@ -0,0 +1,26 @@
+id: SEC-001
+title: Turnstile CAPTCHA for Public Workspace Bootstrap
+status: backlog
+priority: P0
+effort: M
+depends_on:
+  - PORT-004
+tags:
+  - security
+  - public-exposure
+  - workspace
+summary: >
+  Require Cloudflare Turnstile verification before creating a workspace from the
+  public welcome page on lombard.uncloud.tech.
+acceptance_criteria:
+  - Welcome/bootstrap flow at / and /workspaces/bootstrap requires valid Turnstile verification before creating a workspace.
+  - Workspace creation fails closed when the Turnstile token is missing, invalid, expired, or verification cannot be completed.
+  - Existing users with a valid workspace cookie visiting / are redirected to their workspace without solving CAPTCHA again.
+  - UI shows a clear user-facing retry path when CAPTCHA verification fails.
+  - Server-side verification uses TURNSTILE_SECRET_KEY and does not trust client-side success alone.
+  - Browser test covers protected bootstrap flow using Cloudflare Turnstile test keys in local/dev mode.
+technical_notes:
+  - Use Cloudflare Turnstile only on the welcome/bootstrap flow, not on normal workspace navigation.
+  - Keep verification in a focused server-side seam such as app/services/turnstile.py.
+  - Use Cloudflare's published Turnstile test keys for deterministic local/browser coverage.
+  - This story exists because the app is now publicly reachable at https://lombard.uncloud.tech.

docs/roadmap/backlog/SEC-001A-turnstile-config.yaml

@@ -0,0 +1,23 @@
+id: SEC-001A
+title: Turnstile Config, Test Keys, and Deployment Wiring
+status: backlog
+priority: P0
+effort: S
+depends_on:
+  - SEC-001
+tags:
+  - security
+  - config
+  - deploy
+summary: >
+  Wire Cloudflare Turnstile configuration cleanly across local dev, tests, CI,
+  and production deployment.
+acceptance_criteria:
+  - App config supports environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY.
+  - Local/dev defaults can use Cloudflare's documented Turnstile test keys.
+  - Forgejo deploy/runtime path passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY into the app environment.
+  - Missing production keys fail loudly in public/prod mode rather than silently disabling CAPTCHA.
+  - Docs explain local vs production key usage and browser-test setup.
+technical_notes:
+  - Secret key must remain server-side only.
+  - Prefer explicit settings validation over silent fallback in production.

docs/roadmap/done/BT-001-synthetic-backtesting.yaml

@@ -0,0 +1,9 @@
+id: BT-001
+title: Synthetic Historical Backtesting
+status: done
+priority: P1
+effort: L
+depends_on:
+  - EXEC-001A
+  - PORT-001
+summary: Synthetic historical backtesting engine ships with deterministic and optional provider-backed paths.

docs/roadmap/done/BT-001A-backtest-ui.yaml

@@ -0,0 +1,10 @@
+id: BT-001A
+title: Backtest Scenario Runner UI
+status: done
+priority: P1
+effort: M
+depends_on:
+  - BT-001
+  - EXEC-001A
+  - PORT-001
+summary: Thin read-only /backtests UI over the synthetic backtest engine.

docs/roadmap/done/BT-003A-event-comparison-ui.yaml

@@ -0,0 +1,9 @@
+id: BT-003A
+title: Event Comparison UI Read Path
+status: done
+priority: P1
+effort: M
+depends_on:
+  - BT-003
+  - BT-001A
+summary: Thin read-only /event-comparison UI over EventComparisonService.

docs/roadmap/done/CORE-001A-decimal-unit-foundation.yaml

@@ -0,0 +1,12 @@
+id: CORE-001A
+title: Decimal Unit Value Object Foundation
+status: done
+priority: P1
+effort: M
+depends_on:
+  - CORE-001
+summary: Introduced Decimal-backed unit-aware domain primitives.
+references:
+  - docs/CORE-001A_DECIMAL_UNITS_ARCHITECTURE.md
+completed_notes:
+  - Added Money, Weight, PricePerWeight, BaseCurrency, and WeightUnit.

docs/roadmap/done/CORE-001B-overview-hedge-unit-migration.yaml

@@ -0,0 +1,9 @@
+id: CORE-001B
+title: Overview and Hedge Migration to Unit-Safe Types
+status: done
+priority: P1
+effort: M
+depends_on:
+  - CORE-001A
+  - PORT-001A
+summary: Overview and hedge calculations now route through shared Decimal/unit-backed math.

docs/roadmap/done/CORE-001C-backtest-event-unit-migration.yaml

@@ -0,0 +1,10 @@
+id: CORE-001C
+title: Backtests and Event Comparison Migration to Unit-Safe Types
+status: done
+priority: P1
+effort: M
+depends_on:
+  - CORE-001A
+  - BT-001
+  - BT-003A
+summary: Historical-unit materialization now uses explicit typed asset quantity and price seams.

docs/roadmap/done/DATA-001-live-price-feed.yaml

@@ -0,0 +1,10 @@
+id: DATA-001
+title: Live Price Feed Integration
+status: done
+priority: P0
+effort: M
+depends_on: []
+summary: Live quote service integrated with visible metadata and cache behavior.
+completed_notes:
+  - Added app/services/price_feed.py.
+  - Overview and dependent pages can consume live quote metadata.

docs/roadmap/done/DATA-002-options-chain.yaml

@@ -0,0 +1,10 @@
+id: DATA-002
+title: Options Chain Data
+status: done
+priority: P0
+effort: L
+depends_on:
+  - DATA-001
+summary: Live options chain data integrated with caching and page wiring.
+completed_notes:
+  - Options page uses live chain data and runtime service registry.

docs/roadmap/done/DATA-003-greeks-calculation.yaml

@@ -0,0 +1,10 @@
+id: DATA-003
+title: Greeks Calculation
+status: done
+priority: P1
+effort: M
+depends_on:
+  - DATA-002
+summary: Real option Greeks are calculated and displayed.
+completed_notes:
+  - Added live Greeks calculation and Vega display.

docs/roadmap/done/EXEC-001A-named-strategy-templates.yaml

@@ -0,0 +1,8 @@
+id: EXEC-001A
+title: Named Strategy Templates
+status: done
+priority: P1
+effort: M
+depends_on:
+  - DATA-003
+summary: Named reusable strategy templates are available to live and backtest flows.

docs/roadmap/done/PORT-001-portfolio-state.yaml

@@ -0,0 +1,10 @@
+id: PORT-001
+title: Portfolio State Management
+status: done
+priority: P0
+effort: M
+depends_on:
+  - DATA-001
+summary: Configurable persisted portfolio state with validation.
+completed_notes:
+  - Added PortfolioConfig and file-backed persistence.

docs/roadmap/done/PORT-001A-collateral-entry-basis.yaml

@@ -0,0 +1,10 @@
+id: PORT-001A
+title: Collateral Entry Basis in Settings
+status: done
+priority: P1
+effort: M
+depends_on:
+  - PORT-001
+summary: Settings support canonical weight/value entry basis handling.
+completed_notes:
+  - Entry price, weight, and value basis now normalize consistently.

docs/roadmap/done/PORT-002-alert-notifications.yaml

@@ -0,0 +1,8 @@
+id: PORT-002
+title: Alert Notifications
+status: done
+priority: P1
+effort: M
+depends_on:
+  - PORT-001
+summary: Alert status and history are persisted and visible in product UI.

docs/roadmap/done/PORT-004-workspace-persistence.yaml

@@ -0,0 +1,12 @@
+id: PORT-004
+title: Hashed Workspace Persistence
+status: done
+priority: P0
+effort: L
+depends_on:
+  - PORT-001
+summary: Workspace-scoped URLs and server-side persistence now drive the product state model.
+completed_notes:
+  - / is a welcome/bootstrap page.
+  - Workspace routes exist for overview, settings, hedge, backtests, and event comparison.
+  - Cookie stores only workspace_id.