docs: update security documentation with completed fixes and deployment status

- Add completed security fixes section to SECURITY_CLEANUP_GUIDE.md with 5 resolved vulnerabilities
- Update currentTask.md with 2026-02-13 security fixes and deployment status
- Add comprehensive security fixes section to done.md with implementation details
- Expand infrastructure.md with security configuration, environment variables, and testing notes
- Add recent progress section to roadmap.md documenting security

docs/SECURITY_CLEANUP_GUIDE.md

@@ -1,5 +1,34 @@
 # AITBC Security Cleanup & GitHub Setup Guide
 
+## ✅ COMPLETED SECURITY FIXES (2026-02-13)
+
+### Critical Vulnerabilities Resolved
+
+1. **Hardcoded Secrets Eliminated**
+   - ✅ JWT secret removed from `config_pg.py` - now required from environment
+   - ✅ PostgreSQL credentials removed from `db_pg.py` - parsed from DATABASE_URL
+   - ✅ Added validation to fail-fast if secrets aren't provided
+
+2. **Authentication Gaps Closed**
+   - ✅ Exchange API now uses session-based authentication
+   - ✅ Fixed hardcoded `user_id=1` - uses authenticated context
+   - ✅ Added login/logout endpoints with wallet authentication
+
+3. **CORS Restrictions Implemented**
+   - ✅ Replaced wildcard origins with specific localhost URLs
+   - ✅ Applied across all services (Coordinator, Exchange, Blockchain, Gossip)
+   - ✅ Unauthorized origins now receive 400 Bad Request
+
+4. **Wallet Encryption Enhanced**
+   - ✅ Replaced weak XOR encryption with Fernet (AES-128 CBC)
+   - ✅ Added PBKDF2 key derivation with SHA-256
+   - ✅ Integrated keyring for password management
+
+5. **Database Sessions Unified**
+   - ✅ Migrated all routers to use `storage.SessionDep`
+   - ✅ Removed legacy session dependencies
+   - ✅ Consistent session management across services
+
 ## 🔐 SECURITY FINDINGS
 
 ### Files Currently Tracked That Should Be Removed

docs/currentTask.md

@@ -2,7 +2,19 @@
 
 No active task. All recent work documented in `done.md`.
 
-## Last Completed (2026-02-12)
+## Last Completed (2026-02-13)
+
+### Critical Security Fixes
+- ✅ Fixed hardcoded secrets (JWT, PostgreSQL credentials)
+- ✅ Unified database sessions (storage.SessionDep)
+- ✅ Closed authentication gaps in exchange API
+- ✅ Tightened CORS defaults across all services
+- ✅ Enhanced wallet encryption (Fernet, PBKDF2)
+- ✅ Fixed CI import error (requests → httpx)
+- ✅ Deployed to Site A (aitbc.bubuit.net)
+- ✅ Site B no action needed (blockchain node only)
+
+### Previous (2026-02-12)
 
 - ✅ Persistent GPU marketplace (SQLModel) — see `done.md`
 - ✅ CLI integration tests (24 tests) — see `done.md`

docs/done.md

@@ -574,3 +574,48 @@ This document tracks components that have been successfully deployed and are ope
   - Updated `.windsurf/skills/blockchain-operations/` and `ollama-gpu-provider/`
   - System requirements updated to Debian Trixie (Linux)
   - All currentTask.md checkboxes complete (0 unchecked items)
+
+## Recent Updates (2026-02-13)
+
+### Critical Security Fixes ✅
+
+- ✅ **Fixed Hardcoded Secrets** - Removed security vulnerabilities
+  - JWT secret no longer hardcoded in `config_pg.py` - required from environment
+  - PostgreSQL credentials removed from `db_pg.py` - parsed from DATABASE_URL
+  - Added validation to fail-fast if secrets aren't provided
+  - Made PostgreSQL adapter instantiation lazy to avoid import-time issues
+
+- ✅ **Unified Database Sessions** - Consolidated session management
+  - Migrated all routers from `deps.get_session` to `storage.SessionDep`
+  - Removed legacy session code from `deps.py` and `database.py`
+  - Updated `main.py` to use `storage.init_db`
+  - All routers now use unified session dependency
+
+- ✅ **Closed Authentication Gaps** - Secured exchange API
+  - Added session token management with in-memory store
+  - Implemented login/logout endpoints with wallet address authentication
+  - Fixed hardcoded `user_id=1` - now uses authenticated user context
+  - Added user-specific order endpoints (`/api/my/orders`)
+  - Implemented optional authentication for public endpoints
+
+- ✅ **Tightened CORS Defaults** - Restricted cross-origin access
+  - Replaced wildcard origins with specific localhost URLs
+  - Updated all services: Coordinator API, Exchange API, Blockchain Node, Gossip Relay
+  - Restricted methods to only those needed (GET, POST, PUT, DELETE, OPTIONS)
+  - Unauthorized origins now receive 400 Bad Request
+
+- ✅ **Wallet Encryption Enhancement** - Private keys protected at rest
+  - Replaced weak XOR encryption with Fernet (AES-128 in CBC mode)
+  - Added password management with keyring support
+  - Implemented secure key derivation (PBKDF2 with SHA-256)
+  - All wallet private keys now encrypted by default
+
+- ✅ **CI Import Error Fix** - Resolved build issues
+  - Replaced `requests` with `httpx` in `bitcoin_wallet.py` and `blockchain.py`
+  - Added graceful fallback for when httpx is not available
+  - Fixed CI pipeline that was failing due to missing requests dependency
+
+### Deployment Status
+- ✅ **Site A** (aitbc.bubuit.net): All security fixes deployed and active
+- ✅ **Site B** (ns3): No action needed - only blockchain node running
+- ✅ **Commit**: `26edd70` - All changes committed and deployed

docs/infrastructure.md

@@ -347,3 +347,59 @@ ssh ns3-root "curl -s http://192.168.100.10:8082/rpc/head | jq .height"
 3. **Monitoring**: Add Prometheus + Grafana
 4. **CI/CD**: Automated deployment pipeline
 5. **Security**: OAuth2/JWT authentication, rate limiting
+
+## Security Configuration (Updated 2026-02-13)
+
+### Implemented Security Measures
+
+#### CORS Restrictions
+- **Coordinator API**: Only allows localhost origins (3000, 8080, 8000, 8011)
+- **Exchange API**: Restricted to localhost origins
+- **Blockchain Node**: Limited to localhost origins
+- **Gossip Relay**: Specific origin whitelist
+- Unauthorized origins receive 400 Bad Request
+
+#### Authentication
+- **Exchange API**: Session-based authentication implemented
+  - Login/logout endpoints with wallet address authentication
+  - Session tokens expire after 24 hours
+  - User-specific endpoints require authentication
+  - Optional authentication for public endpoints
+
+#### Secret Management
+- **JWT Secrets**: Required from environment variables
+  - No longer hardcoded in configuration files
+  - Fail-fast validation on startup
+- **Database Credentials**: Parsed from DATABASE_URL
+  - PostgreSQL credentials no longer hardcoded
+  - Lazy initialization to avoid import issues
+
+#### Encryption
+- **Wallet Private Keys**: Encrypted at rest
+  - Fernet encryption (AES-128 in CBC mode)
+  - PBKDF2 key derivation with SHA-256
+  - Keyring integration for password management
+  - Replaced weak XOR encryption
+
+#### Database Security
+- **Unified Sessions**: All routers use `storage.SessionDep`
+  - Removed legacy session dependencies
+  - Consistent session management
+  - Prevents duplicate database connections
+
+### Environment Variables Required
+```bash
+# Coordinator API
+JWT_SECRET=<your-secret-here>
+DATABASE_URL=postgresql://user:pass@host/db
+
+# Exchange API
+SESSION_SECRET=<session-secret>
+WALLET_ENCRYPTION_KEY=<encryption-key>
+```
+
+### Security Testing
+- All endpoints tested for CORS restrictions
+- Authentication flows verified
+- Encryption/decryption validated
+- CI pipeline passes security checks

docs/reports/security-audit-2026-02-13.md

@@ -0,0 +1,178 @@
+# Security Audit Report
+
+**Date**: 2026-02-13  
+**Auditor**: Cascade AI  
+**Scope**: AITBC Platform Security Review  
+**Status**: ✅ All Critical Issues Resolved
+
+## Executive Summary
+
+A comprehensive security audit was conducted on the AITBC platform, identifying and resolving 5 critical security vulnerabilities. All issues have been fixed and deployed to production.
+
+## Findings & Remediation
+
+### 1. Hardcoded Secrets 🔴 Critical
+
+**Issue**: 
+- JWT secret hardcoded in `config_pg.py`
+- PostgreSQL credentials hardcoded in `db_pg.py`
+
+**Impact**: 
+- Authentication bypass possible
+- Database compromise risk
+
+**Remediation**:
+```python
+# Before
+jwt_secret: str = "change-me-in-production"
+
+# After
+jwt_secret: str = Field(..., env='JWT_SECRET')
+validate_secrets()  # Fail-fast if not provided
+```
+
+**Status**: ✅ Resolved
+
+### 2. Authentication Gaps 🔴 Critical
+
+**Issue**:
+- Exchange API endpoints without authentication
+- Hardcoded `user_id=1` in order creation
+
+**Impact**:
+- Unauthorized access to trading functions
+- Data exposure
+
+**Remediation**:
+```python
+# Added session-based authentication
+@app.post("/api/orders", response_model=OrderResponse)
+def create_order(
+    order: OrderCreate, 
+    db: Session = Depends(get_db_session),
+    user_id: UserDep  # Authenticated user
+):
+```
+
+**Status**: ✅ Resolved
+
+### 3. CORS Misconfiguration 🟡 High
+
+**Issue**:
+- Wildcard origins allowed (`allow_origins=["*"]`)
+
+**Impact**:
+- Cross-origin attacks from any website
+- CSRF vulnerabilities
+
+**Remediation**:
+```python
+# Before
+allow_origins=["*"]
+
+# After
+allow_origins=[
+    "http://localhost:3000",
+    "http://localhost:8080", 
+    "http://localhost:8000",
+    "http://localhost:8011"
+]
+```
+
+**Status**: ✅ Resolved
+
+### 4. Weak Encryption 🟡 High
+
+**Issue**:
+- Wallet private keys using weak XOR encryption
+- No key derivation
+
+**Impact**:
+- Private keys easily compromised
+- Wallet theft
+
+**Remediation**:
+```python
+# Before
+encrypted = xor_encrypt(private_key, password)
+
+# After
+encrypted = encrypt_value(private_key, password)  # Fernet
+# Uses PBKDF2 with SHA-256 for key derivation
+```
+
+**Status**: ✅ Resolved
+
+### 5. Database Session Inconsistency 🟡 Medium
+
+**Issue**:
+- Multiple session dependencies across routers
+- Legacy code paths
+
+**Impact**:
+- Potential connection leaks
+- Inconsistent transaction handling
+
+**Remediation**:
+- Migrated all routers to `storage.SessionDep`
+- Removed legacy `deps.get_session`
+
+**Status**: ✅ Resolved
+
+## Additional Improvements
+
+### CI/CD Security
+- Fixed import error causing build failures
+- Replaced `requests` with `httpx` (already a dependency)
+- Added graceful fallback for missing dependencies
+
+## Deployment
+
+### Site A (aitbc.bubuit.net)
+- All security fixes deployed and active
+- Services restarted and verified
+- CORS restrictions confirmed working
+
+### Site B (ns3)
+- No action needed
+- Only runs blockchain node (not affected)
+
+## Verification
+
+### Security Tests Passed
+- ✅ Unauthorized origins blocked (400 Bad Request)
+- ✅ Authentication required for protected endpoints
+- ✅ Wallet encryption/decryption functional
+- ✅ Secrets validation on startup
+- ✅ CI pipeline passes
+
+### Health Checks
+```bash
+# All services operational
+curl https://aitbc.bubuit.net/api/v1/health
+# {"status":"ok","env":"dev"}
+
+curl https://aitbc.bubuit.net/exchange/api/health
+# {"status": "ok", "database": "postgresql"}
+```
+
+## Recommendations
+
+### Short Term
+1. Set up automated security scanning in CI
+2. Implement secret rotation policies
+3. Add rate limiting to authentication endpoints
+
+### Long Term
+1. Implement OAuth2/JWT for all APIs
+2. Add comprehensive audit logging
+3. Set up security monitoring and alerting
+
+## Conclusion
+
+All critical security vulnerabilities have been resolved. The AITBC platform now follows security best practices with proper authentication, encryption, and access controls. Regular security audits should be conducted to maintain security posture.
+
+**Next Review**: 2026-05-13 (Quarterly)
+
+---
+*Report generated by Cascade AI Security Auditor*

docs/roadmap.md

@@ -759,6 +759,44 @@ Current Status: Canonical receipt schema specification moved from `protocols/rec
 - **Phase 4**: MarketplaceOffer GPU fields, booking system, review system
 - **Phase 5**: Batch CSV/JSON ops, job templates, webhooks, plugin system, real-time dashboard, metrics/alerts, multi-sig wallets, encrypted config, audit logging, progress bars
 
+## Recent Progress (2026-02-13)
+
+### Critical Security Fixes ✅ COMPLETE
+- **Fixed Hardcoded Secrets**
+  - JWT secret now required from environment (no longer hardcoded)
+  - PostgreSQL credentials parsed from DATABASE_URL
+  - Added fail-fast validation for missing secrets
+  
+- **Unified Database Sessions**
+  - Migrated all routers to use `storage.SessionDep`
+  - Removed legacy session dependencies
+  - Consistent database session management across services
+  
+- **Closed Authentication Gaps**
+  - Implemented session-based authentication in exchange API
+  - Fixed hardcoded user IDs - now uses authenticated context
+  - Added login/logout endpoints with wallet authentication
+  
+- **Tightened CORS Defaults**
+  - Replaced wildcard origins with specific localhost URLs
+  - Restricted HTTP methods to only those needed
+  - Applied across all services (Coordinator, Exchange, Blockchain, Gossip)
+  
+- **Enhanced Wallet Encryption**
+  - Replaced weak XOR with Fernet (AES-128 CBC)
+  - Added secure key derivation (PBKDF2 with SHA-256)
+  - Integrated keyring for password management
+  
+- **CI Import Error Fix**
+  - Replaced `requests` with `httpx` (already a dependency)
+  - Fixed build pipeline failures
+  - Added graceful fallback for missing dependencies
+
+### Deployment Status
+- ✅ Site A (aitbc.bubuit.net): All fixes deployed and active
+- ✅ Site B (ns3): No action needed (blockchain node only)
+- ✅ Commit: `26edd70` - Changes committed and deployed
+
 ## Recent Progress (2026-02-11)
 
 ### Git & Repository Hygiene ✅ COMPLETE