fix: resolve 13 important issues from code review

I1: Add graceful shutdown (SIGTERM/SIGINT) to all 5 background services
I2: Fix Dockerfile healthcheck to use curl on /metrics endpoint
I3: Fix StreamConsumer.ensure_group() to only catch BUSYGROUP errors
I4: Fix SimulatedBroker to reject orders with insufficient cash/shares
I5: Move ORM attribute access inside DB session context in trades routes
I6: Add Redis-based rate limiting (10 req/min/IP) on all auth endpoints
I8: Prevent backtest background task garbage collection
I9: Use Numeric(16,6) instead of Float for financial columns in migration
I10: Add index on trades.created_at for time-range queries
I11: Bind infrastructure ports to 127.0.0.1 in docker-compose
I12: Add migrations init service; all app services depend on it
I13: Fix user enumeration in login_begin (return options for non-existent users)

services/api_gateway/routes/backtest.py

@@ -17,6 +17,9 @@ logger = logging.getLogger(__name__)
 
 router = APIRouter(prefix="/api/backtest", tags=["backtest"])
 
+# Store references to background tasks to prevent garbage collection
+_background_tasks: set[asyncio.Task] = set()
+
 
 class BacktestRequest(BaseModel):
     """Request body for starting a new backtest."""
@@ -56,8 +59,10 @@ async def run_backtest(
         }),
     )
 
-    # Launch background task
-    asyncio.create_task(_run_backtest_task(run_id, body, redis))
+    # Launch background task (stored in set to prevent GC)
+    task = asyncio.create_task(_run_backtest_task(run_id, body, redis))
+    _background_tasks.add(task)
+    task.add_done_callback(_background_tasks.discard)
 
     return {"run_id": run_id, "status": "running"}