chore: harden price CI and dependencies

[islandbitcoin]

Summary

• Add PR/push CI coverage for realtime/history checks, unit tests, CodeQL v3, Docker build checks, dependency audit, and gitleaks secret scanning.
• Upgrade vulnerable runtime dependencies and keep production dependency audit at zero high/critical findings.
• Update ibex-client usage for v3 auth config while preserving legacy env fallback.
• Make custom YAML config path configurable via YAML_CONFIG_PATH and document local/deploy workflows.
• Freeze Docker installs and normalize Dockerfile style.

Verification

• source ~/.nvm/nvm.sh && nvm use 20 >/dev/null && yarn install --frozen-lockfile
• yarn realtime tsc-check
• yarn history tsc-check
• yarn realtime eslint-check
• yarn history eslint-check
• yarn realtime ci:test:unit
• yarn history ci:test:unit
• yarn realtime build
• yarn history build
• yarn audit:prod:high
• docker build -f ./realtime/Dockerfile -t price-realtime:ci .
• docker build -f ./history/Dockerfile -t price-history:ci .
• git diff --check

Notes

• Realtime unit tests still print the existing Redis ECONNREFUSED/open-handle warning after passing.
• package-lock.json was already deleted in the local working tree before this work; it is intentionally not included in this PR.
• Deployments/charts should eventually move from legacy IBEX env names to IBEX_CLIENT_ID, IBEX_CLIENT_SECRET, and IBEX_ENVIRONMENT. This PR keeps legacy fallback to avoid a coordinated cutover.