ci: enforce strict exit codes in workflow tests

- Remove `|| echo "⚠️ ..."` fallbacks that masked failures - Add explicit `exit 1` on port readiness failures and missing test directories - Track port_ready flag in health check loops to fail if services don't start - Replace warning emoji (⚠️) with error emoji (❌) for actual failures - Fix docs-validation to use curated Markdown target list excluding high-noise directories - Update rust-zk-tests paths from gpu_acceleration/research to dev
2026-04-18 11:57:35 +02:00
parent 40698f91fd
commit 23348892b9
34 changed files with 2680 additions and 1445 deletions
--- a/.gitea/workflows/api-endpoint-tests.yml
+++ b/.gitea/workflows/api-endpoint-tests.yml
@@ -44,31 +44,39 @@ jobs:
        run: |
          echo "Waiting for AITBC services..."
          for port in 8000 8001 8003 8006; do
            port_ready=0
            for i in $(seq 1 15); do
              code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:$port/health" 2>/dev/null) || code=0
              if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
                echo "✅ Port $port ready (HTTP $code)"
                port_ready=1
                break
              fi
              code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:$port/api/health" 2>/dev/null) || code=0
              if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
                echo "✅ Port $port ready (HTTP $code)"
                port_ready=1
                break
              fi
              code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:$port/" 2>/dev/null) || code=0
              if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
                echo "✅ Port $port ready (HTTP $code)"
                port_ready=1
                break
              fi
-              [ "$i" -eq 15 ] && echo "⚠️ Port $port not ready"
+              [ "$i" -eq 15 ] && echo "❌ Port $port not ready"
              sleep 2
            done
            if [[ $port_ready -ne 1 ]]; then
              exit 1
            fi
          done
      - name: Run API endpoint tests
        run: |
          cd /var/lib/aitbc-workspaces/api-tests/repo
-          venv/bin/python scripts/ci/test_api_endpoints.py || echo "⚠️ Some endpoints unavailable"
+          venv/bin/python scripts/ci/test_api_endpoints.py
          echo "✅ API endpoint tests completed"
      - name: Cleanup
--- a/.gitea/workflows/cli-level1-tests.yml
+++ b/.gitea/workflows/cli-level1-tests.yml
@@ -49,7 +49,7 @@ jobs:
          source venv/bin/activate
          export PYTHONPATH="cli:packages/py/aitbc-sdk/src:packages/py/aitbc-crypto/src:."
-          python3 -c "from core.main import cli; print('✅ CLI imports OK')" || echo "⚠️ CLI import issues"
+          python3 -c "from core.main import cli; print('✅ CLI imports OK')"
      - name: Run CLI tests
        run: |
@@ -59,9 +59,10 @@ jobs:
          if [[ -d "cli/tests" ]]; then
            # Run the CLI test runner that uses virtual environment
-            python3 cli/tests/run_cli_tests.py || echo "⚠️ Some CLI tests failed"
+            python3 cli/tests/run_cli_tests.py
          else
-            echo "⚠️ No CLI tests directory"
+            echo "❌ No CLI tests directory"
            exit 1
          fi
          echo "✅ CLI tests completed"
--- a/.gitea/workflows/docs-validation.yml
+++ b/.gitea/workflows/docs-validation.yml
@@ -5,10 +5,14 @@ on:
    branches: [main, develop]
    paths:
      - 'docs/**'
-      - '**/*.md'
+      - '*.md'
      - '.gitea/workflows/docs-validation.yml'
  pull_request:
    branches: [main, develop]
    paths:
      - 'docs/**'
      - '*.md'
      - '.gitea/workflows/docs-validation.yml'
  workflow_dispatch:
 concurrency:
@@ -42,9 +46,32 @@ jobs:
          echo "=== Linting Markdown ==="
          if command -v markdownlint >/dev/null 2>&1; then
-            markdownlint "docs/**/*.md" "*.md" \
+            shopt -s globstar nullglob
-              --ignore "docs/archive/**" \
+            targets=(
-              --ignore "node_modules/**" || echo "⚠️ Markdown linting warnings"
+              *.md
              docs/*.md
              docs/11_agents/**/*.md
              docs/agent-sdk/**/*.md
              docs/blockchain/**/*.md
              docs/deployment/**/*.md
              docs/development/**/*.md
              docs/general/**/*.md
              docs/governance/**/*.md
              docs/implementation/**/*.md
              docs/infrastructure/**/*.md
              docs/openclaw/**/*.md
              docs/policies/**/*.md
              docs/security/**/*.md
              docs/workflows/**/*.md
            )
            if [[ ${#targets[@]} -eq 0 ]]; then
              echo "⚠️ No curated Markdown targets matched"
            else
              echo "Curated advisory scope: ${#targets[@]} Markdown files"
              echo "Excluded high-noise areas: about, advanced, archive, backend, beginner, completed, expert, intermediate, project, reports, summaries, trail"
              markdownlint "${targets[@]}" --ignore "node_modules/**" || echo "⚠️ Markdown linting warnings in curated docs scope"
            fi
          else
            echo "⚠️ markdownlint not available, skipping"
          fi
--- a/.gitea/workflows/integration-tests.yml
+++ b/.gitea/workflows/integration-tests.yml
@@ -30,19 +30,26 @@ jobs:
          git clone --depth 1 http://gitea.bubuit.net:3000/oib/aitbc.git repo
      - name: Sync systemd files
        if: github.event_name != 'pull_request'
        run: |
          cd /var/lib/aitbc-workspaces/integration-tests/repo
          if [[ -d "systemd" ]]; then
-            echo "Syncing systemd service files..."
+            echo "Linking systemd service files..."
-            for f in systemd/*.service; do
+            if [[ -x /opt/aitbc/scripts/utils/link-systemd.sh ]]; then
-              fname=$(basename "$f")
+              if [[ $EUID -eq 0 ]]; then
-              cp "$f" "/etc/systemd/system/$fname" 2>/dev/null || true
+                /opt/aitbc/scripts/utils/link-systemd.sh
-            done
+              else
-            systemctl daemon-reload
+                sudo /opt/aitbc/scripts/utils/link-systemd.sh
-            echo "✅ Systemd files synced"
+              fi
              echo "✅ Systemd files linked"
            else
              echo "❌ /opt/aitbc/scripts/utils/link-systemd.sh not found"
              exit 1
            fi
          fi
      - name: Start services
        if: github.event_name != 'pull_request'
        run: |
          echo "Starting AITBC services..."
          for svc in aitbc-coordinator-api aitbc-exchange-api aitbc-wallet aitbc-blockchain-rpc aitbc-blockchain-node; do
@@ -58,26 +65,34 @@ jobs:
        run: |
          echo "Waiting for services..."
          for port in 8000 8001 8003 8006; do
            port_ready=0
            for i in $(seq 1 15); do
              code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:$port/health" 2>/dev/null) || code=0
              if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
                echo "✅ Port $port ready (HTTP $code)"
                port_ready=1
                break
              fi
              # Try alternate paths
              code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:$port/api/health" 2>/dev/null) || code=0
              if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
                echo "✅ Port $port ready (HTTP $code)"
                port_ready=1
                break
              fi
              code=$(curl -so /dev/null -w '%{http_code}' "http://localhost:$port/" 2>/dev/null) || code=0
              if [ "$code" -gt 0 ] && [ "$code" -lt 600 ]; then
                echo "✅ Port $port ready (HTTP $code)"
                port_ready=1
                break
              fi
-              [ "$i" -eq 15 ] && echo "⚠️ Port $port not ready"
+              [ "$i" -eq 15 ] && echo "❌ Port $port not ready"
              sleep 2
            done
            if [[ $port_ready -ne 1 ]]; then
              exit 1
            fi
          done
      - name: Setup test environment
@@ -97,11 +112,11 @@ jobs:
          # Run existing test suites
          if [[ -d "tests" ]]; then
-            pytest tests/ -x --timeout=30 -q || echo "⚠️ Some tests failed"
+            pytest tests/ -x --timeout=30 -q
          fi
          # Service health check integration
-          python3 scripts/ci/test_api_endpoints.py || echo "⚠️ Some endpoints unavailable"
+          python3 scripts/ci/test_api_endpoints.py
          echo "✅ Integration tests completed"
      - name: Service status report
--- a/.gitea/workflows/js-sdk-tests.yml
+++ b/.gitea/workflows/js-sdk-tests.yml
@@ -56,13 +56,16 @@ jobs:
      - name: Lint
        run: |
          cd /var/lib/aitbc-workspaces/js-sdk-tests/repo/packages/js/aitbc-sdk
-          npm run lint 2>/dev/null && echo "✅ Lint passed" || echo "⚠️ Lint skipped"
+          npm run lint
-          npx prettier --check "src/**/*.ts" 2>/dev/null && echo "✅ Prettier passed" || echo "⚠️ Prettier skipped"
+          echo "✅ Lint passed"
          npx prettier --check "src/**/*.ts"
          echo "✅ Prettier passed"
      - name: Run tests
        run: |
          cd /var/lib/aitbc-workspaces/js-sdk-tests/repo/packages/js/aitbc-sdk
-          npm test 2>/dev/null && echo "✅ Tests passed" || echo "⚠️ Tests skipped"
+          npm test
          echo "✅ Tests passed"
      - name: Cleanup
        if: always()
--- a/.gitea/workflows/package-tests.yml
+++ b/.gitea/workflows/package-tests.yml
@@ -59,12 +59,12 @@ jobs:
          # Install dependencies
          if [[ -f "pyproject.toml" ]]; then
-            pip install -q -e ".[dev]" 2>/dev/null || pip install -q -e . 2>/dev/null || true
+            pip install -q -e ".[dev]" 2>/dev/null || pip install -q -e .
          fi
          if [[ -f "requirements.txt" ]]; then
-            pip install -q -r requirements.txt 2>/dev/null || true
+            pip install -q -r requirements.txt
          fi
-          pip install -q pytest mypy black 2>/dev/null || true
+          pip install -q pytest mypy black
          # Linting
          echo "=== Linting ==="
@@ -76,7 +76,7 @@ jobs:
          # Tests
          echo "=== Tests ==="
          if [[ -d "tests" ]]; then
-            pytest tests/ -q --tb=short || echo "⚠️ Some tests failed"
+            pytest tests/ -q --tb=short
          else
            echo "⚠️ No tests directory found"
          fi
@@ -89,10 +89,11 @@ jobs:
          cd "$WORKSPACE/repo/${{ matrix.package.path }}"
          if [[ -f "pyproject.toml" ]]; then
-            python3 -m venv venv 2>/dev/null || true
+            python3 -m venv venv
            source venv/bin/activate
-            pip install -q build 2>/dev/null || true
+            pip install -q build
-            python -m build 2>/dev/null && echo "✅ Package built" || echo "⚠️ Build failed"
+            python -m build
            echo "✅ Package built"
          fi
      - name: Cleanup
@@ -134,7 +135,7 @@ jobs:
          node --version
          npm --version
-          npm install --legacy-peer-deps 2>/dev/null || npm install 2>/dev/null || true
+          npm install --legacy-peer-deps 2>/dev/null || npm install
          # Fix missing Hardhat dependencies for aitbc-token
          if [[ "${{ matrix.package.name }}" == "aitbc-token" ]]; then
@@ -147,13 +148,15 @@ jobs:
          fi
          # Build
-          npm run build && echo "✅ Build passed" || echo "⚠️ Build failed"
+          npm run build
          echo "✅ Build passed"
          # Lint
          npm run lint 2>/dev/null && echo "✅ Lint passed" || echo "⚠️ Lint skipped"
          # Test
-          npm test && echo "✅ Tests passed" || echo "⚠️ Tests skipped"
+          npm test
          echo "✅ Tests passed"
          echo "✅ ${{ matrix.package.name }} completed"
--- a/.gitea/workflows/python-tests.yml
+++ b/.gitea/workflows/python-tests.yml
@@ -69,8 +69,8 @@ jobs:
          export PYTHONPATH="apps/coordinator-api/src:apps/blockchain-node/src:apps/wallet/src:packages/py/aitbc-crypto/src:packages/py/aitbc-sdk/src:."
          # Test if packages are importable
-          python3 -c "import aitbc_crypto; print('✅ aitbc_crypto imported')" || echo "❌ aitbc_crypto import failed"
+          python3 -c "import aitbc_crypto; print('✅ aitbc_crypto imported')"
-          python3 -c "import aitbc_sdk; print('✅ aitbc_sdk imported')" || echo "❌ aitbc_sdk import failed"
+          python3 -c "import aitbc_sdk; print('✅ aitbc_sdk imported')"
          pytest tests/ \
            apps/coordinator-api/tests/ \
@@ -79,8 +79,7 @@ jobs:
            packages/py/aitbc-crypto/tests/ \
            packages/py/aitbc-sdk/tests/ \
            --tb=short -q --timeout=30 \
-            --ignore=apps/coordinator-api/tests/test_confidential*.py \
+            --ignore=apps/coordinator-api/tests/test_confidential*.py
            || echo "⚠️ Some tests failed"
          echo "✅ Python tests completed"
--- a/.gitea/workflows/rust-zk-tests.yml
+++ b/.gitea/workflows/rust-zk-tests.yml
@@ -4,7 +4,7 @@ on:
  push:
    branches: [main, develop]
    paths:
-      - 'gpu_acceleration/research/gpu_zk_research/**'
+      - 'dev/gpu/gpu_zk_research/**'
      - '.gitea/workflows/rust-zk-tests.yml'
  pull_request:
    branches: [main, develop]
@@ -40,37 +40,40 @@ jobs:
          export CARGO_HOME="$HOME/.cargo"
          export PATH="$CARGO_HOME/bin:$PATH"
-          if ! command -v rustc >/dev/null 2>&1; then
+          if ! command -v rustup >/dev/null 2>&1; then
            echo "Installing Rust..."
            curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
          fi
-          source "$CARGO_HOME/env" 2>/dev/null || true
+          source "$CARGO_HOME/env"
          rustup default stable
          rustc --version
          cargo --version
-          rustup component add rustfmt clippy 2>/dev/null || true
+          rustup component add rustfmt clippy
      - name: Check formatting
        run: |
          export HOME=/root
          export PATH="$HOME/.cargo/bin:$PATH"
          source "$HOME/.cargo/env" 2>/dev/null || true
-          cd /var/lib/aitbc-workspaces/rust-zk-tests/repo/gpu_acceleration/research/gpu_zk_research
+          cd /var/lib/aitbc-workspaces/rust-zk-tests/repo/dev/gpu/gpu_zk_research
-          cargo fmt -- --check 2>/dev/null && echo "✅ Formatting OK" || echo "⚠️ Format warnings"
+          cargo fmt --all -- --check
          echo "✅ Formatting OK"
      - name: Run Clippy
        run: |
          export HOME=/root
          export PATH="$HOME/.cargo/bin:$PATH"
          source "$HOME/.cargo/env" 2>/dev/null || true
-          cd /var/lib/aitbc-workspaces/rust-zk-tests/repo/gpu_acceleration/research/gpu_zk_research
+          cd /var/lib/aitbc-workspaces/rust-zk-tests/repo/dev/gpu/gpu_zk_research
-          cargo clippy -- -D warnings 2>/dev/null && echo "✅ Clippy OK" || echo "⚠️ Clippy warnings"
+          cargo clippy --all-targets -- -D warnings
          echo "✅ Clippy OK"
      - name: Build
        run: |
          export HOME=/root
          export PATH="$HOME/.cargo/bin:$PATH"
          source "$HOME/.cargo/env" 2>/dev/null || true
-          cd /var/lib/aitbc-workspaces/rust-zk-tests/repo/gpu_acceleration/research/gpu_zk_research
+          cd /var/lib/aitbc-workspaces/rust-zk-tests/repo/dev/gpu/gpu_zk_research
          cargo build --release
          echo "✅ Build completed"
@@ -79,8 +82,9 @@ jobs:
          export HOME=/root
          export PATH="$HOME/.cargo/bin:$PATH"
          source "$HOME/.cargo/env" 2>/dev/null || true
-          cd /var/lib/aitbc-workspaces/rust-zk-tests/repo/gpu_acceleration/research/gpu_zk_research
+          cd /var/lib/aitbc-workspaces/rust-zk-tests/repo/dev/gpu/gpu_zk_research
-          cargo test && echo "✅ Tests passed" || echo "⚠️ Tests completed with issues"
+          cargo test --all-targets
          echo "✅ Tests passed"
      - name: Cleanup
        if: always()
--- a/.gitea/workflows/security-scanning.yml
+++ b/.gitea/workflows/security-scanning.yml
@@ -41,7 +41,7 @@ jobs:
          python3 -m venv venv
          source venv/bin/activate
-          pip install -q bandit safety pip-audit
+          pip install -q bandit pip-audit
          echo "✅ Security tools installed"
      - name: Python dependency audit
@@ -49,7 +49,7 @@ jobs:
          cd /var/lib/aitbc-workspaces/security-scan/repo
          source venv/bin/activate
          echo "=== Dependency Audit ==="
-          pip-audit -r requirements.txt --desc 2>/dev/null || echo "⚠️ Some vulnerabilities found"
+          pip-audit -r requirements.txt --desc
          echo "✅ Dependency audit completed"
      - name: Bandit security scan
@@ -60,7 +60,7 @@ jobs:
          bandit -r apps/ packages/py/ cli/ \
            -s B101,B311 \
            --severity-level medium \
-            -f txt -q 2>/dev/null || echo "⚠️ Bandit findings"
+            -f txt -q
          echo "✅ Bandit scan completed"
      - name: Check for secrets
@@ -68,8 +68,28 @@ jobs:
          cd /var/lib/aitbc-workspaces/security-scan/repo
          echo "=== Secret Detection ==="
          # Simple pattern check for leaked secrets
-          grep -rn "PRIVATE_KEY\s*=\s*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" && echo "⚠️ Possible secrets found" || echo "✅ No secrets detected"
+          secret_matches=$(mktemp)
-          grep -rn "password\s*=\s*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" | head -5 && echo "⚠️ Possible hardcoded passwords" || echo "✅ No hardcoded passwords"
+          password_matches=$(mktemp)
          grep -RInE "PRIVATE_KEY[[:space:]]*=[[:space:]]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy" > "$secret_matches" || true
          grep -RInE "password[[:space:]]*=[[:space:]]*['\"][^'\"]*['\"]" apps/ packages/ cli/ 2>/dev/null | grep -v "example\|test\|mock\|dummy\|placeholder" > "$password_matches" || true
          if [[ -s "$secret_matches" ]]; then
            echo "❌ Possible secrets found"
            cat "$secret_matches"
            rm -f "$secret_matches" "$password_matches"
            exit 1
          fi
          if [[ -s "$password_matches" ]]; then
            echo "❌ Possible hardcoded passwords"
            head -5 "$password_matches"
            rm -f "$secret_matches" "$password_matches"
            exit 1
          fi
          rm -f "$secret_matches" "$password_matches"
          echo "✅ No hardcoded secrets detected"
      - name: Cleanup
        if: always()
--- a/.gitea/workflows/smart-contract-tests.yml
+++ b/.gitea/workflows/smart-contract-tests.yml
@@ -54,28 +54,44 @@ jobs:
          echo "Node: $(node --version), npm: $(npm --version)"
          # Install
-          npm install --legacy-peer-deps 2>/dev/null || npm install 2>/dev/null || true
+          npm install --legacy-peer-deps 2>/dev/null || npm install
          # Fix missing Hardhat dependencies for aitbc-token
          if [[ "${{ matrix.project.name }}" == "aitbc-token" ]]; then
            echo "Installing missing Hardhat dependencies..."
-            npm install --save-dev "@nomicfoundation/hardhat-ignition@^0.15.16" "@nomicfoundation/ignition-core@^0.15.15" 2>/dev/null || true
+            npm install --no-save "@nomicfoundation/hardhat-ignition@^0.15.16" "@nomicfoundation/ignition-core@^0.15.15"
            # Fix formatting issues
            echo "Fixing formatting issues..."
            npm run format 2>/dev/null || echo "⚠️ Format fix failed"
          fi
          # Compile
          if [[ -f "hardhat.config.js" ]] || [[ -f "hardhat.config.ts" ]]; then
-            npx hardhat compile && echo "✅ Compiled" || echo "⚠️ Compile failed"
+            npx hardhat compile
-            npx hardhat test && echo "✅ Tests passed" || echo "⚠️ Tests failed"
+            echo "✅ Compiled"
            npx hardhat test
            echo "✅ Tests passed"
          elif [[ -f "foundry.toml" ]]; then
-            forge build && echo "✅ Compiled" || echo "⚠️ Compile failed"
+            forge build
-            forge test && echo "✅ Tests passed" || echo "⚠️ Tests failed"
+            echo "✅ Compiled"
            forge test
            echo "✅ Tests passed"
          else
-            npm run build 2>/dev/null || echo "⚠️ No build script"
+            if node -e "const pkg=require('./package.json'); process.exit(pkg.scripts && pkg.scripts.compile ? 0 : 1)"; then
-            npm test 2>/dev/null || echo "⚠️ No test script"
+              npm run compile
              echo "✅ Compiled"
            elif node -e "const pkg=require('./package.json'); process.exit(pkg.scripts && pkg.scripts.build ? 0 : 1)"; then
              npm run build
              echo "✅ Compiled"
            else
              echo "❌ No compile or build script found"
              exit 1
            fi
            if node -e "const pkg=require('./package.json'); process.exit(pkg.scripts && pkg.scripts.test ? 0 : 1)"; then
              npm test
              echo "✅ Tests passed"
            else
              echo "❌ No test script found"
              exit 1
            fi
          fi
          echo "✅ ${{ matrix.project.name }} completed"
@@ -108,19 +124,20 @@ jobs:
            if [[ -d "$project" ]] && [[ -f "$project/package.json" ]]; then
              echo "=== Linting $project ==="
              cd "$project"
-              npm install --legacy-peer-deps 2>/dev/null || npm install 2>/dev/null || true
+              npm install --legacy-peer-deps 2>/dev/null || npm install
              # Fix missing Hardhat dependencies and formatting for aitbc-token
              if [[ "$project" == "packages/solidity/aitbc-token" ]]; then
                echo "Installing missing Hardhat dependencies..."
-                npm install --save-dev "@nomicfoundation/hardhat-ignition@^0.15.16" "@nomicfoundation/ignition-core@^0.15.15" 2>/dev/null || true
+                npm install --no-save "@nomicfoundation/hardhat-ignition@^0.15.16" "@nomicfoundation/ignition-core@^0.15.15"
-                
+              fi
-                # Fix formatting issues
+
-                echo "Fixing formatting issues..."
+              if node -e "const pkg=require('./package.json'); process.exit(pkg.scripts && pkg.scripts.lint ? 0 : 1)"; then
-                npm run format 2>/dev/null || echo "⚠️ Format fix failed"
+                npm run lint
                echo "✅ Lint passed"
              else
                echo "⚠️ No lint script for $project, skipping"
              fi
              npm run lint 2>/dev/null && echo "✅ Lint passed" || echo "⚠️ Lint skipped"
              cd /var/lib/aitbc-workspaces/solidity-lint/repo
            fi
          done
--- a/.gitea/workflows/staking-tests.yml
+++ b/.gitea/workflows/staking-tests.yml
@@ -131,7 +131,8 @@ jobs:
          cd /var/lib/aitbc-workspaces/staking-contract/repo/contracts
          echo "🧪 Running staking contract tests..."
-          npx hardhat test test/AgentStaking.test.js || echo "⚠️ Contract tests blocked by compilation errors"
+          npx hardhat compile
          npx hardhat test test/AgentStaking.test.js
          echo "✅ Contract tests completed"
      - name: Cleanup
@@ -141,7 +142,7 @@ jobs:
  run-staking-test-runner:
    runs-on: debian
    timeout-minutes: 25
-    needs: [test-staking-service, test-staking-integration]
+    needs: [test-staking-service, test-staking-integration, test-staking-contract]
    steps:
      - name: Clone repository
--- a/.gitea/workflows/systemd-sync.yml
+++ b/.gitea/workflows/systemd-sync.yml
@@ -57,7 +57,12 @@ jobs:
          echo "=== Found $(ls systemd/*.service 2>/dev/null | wc -l) service files, $errors errors ==="
          if [[ $errors -gt 0 ]]; then
            exit 1
          fi
      - name: Sync service files
        if: github.event_name != 'pull_request'
        run: |
          cd /var/lib/aitbc-workspaces/systemd-sync/repo
@@ -66,11 +71,16 @@ jobs:
          fi
          echo "=== Syncing systemd files ==="
-          for f in systemd/*.service; do
+          if [[ -x /opt/aitbc/scripts/utils/link-systemd.sh ]]; then
-            fname=$(basename "$f")
+            if [[ $EUID -eq 0 ]]; then
-            cp "$f" "/etc/systemd/system/$fname"
+              /opt/aitbc/scripts/utils/link-systemd.sh
-            echo "  ✅ $fname synced"
+            else
-          done
+              sudo /opt/aitbc/scripts/utils/link-systemd.sh
            fi
          else
            echo "⚠️ /opt/aitbc/scripts/utils/link-systemd.sh not found"
            exit 1
          fi
          systemctl daemon-reload
          echo "✅ Systemd daemon reloaded"
--- a/apps/coordinator-api/src/app/services/multi_language/agent_communication.py
+++ b/apps/coordinator-api/src/app/services/multi_language/agent_communication.py
@@ -160,7 +160,6 @@ class MultilingualAgentCommunication:
            domain = self._get_translation_domain(message_type)
            # Check cache first
            f"agent_message:{hashlib.md5(content.encode()).hexdigest()}:{source_lang}:{target_lang}"
            if self.translation_cache:
                cached_result = await self.translation_cache.get(content, source_lang, target_lang, context, domain)
                if cached_result:
--- a/cli/tests/run_cli_tests.py
+++ b/cli/tests/run_cli_tests.py
@@ -11,19 +11,22 @@ def run_cli_test():
    print("🧪 Running CLI Tests with Virtual Environment...")
    # Set up environment
-    cli_dir = Path(__file__).parent.parent
+    cli_dir = Path(__file__).resolve().parent.parent
-    cli_bin = "/opt/aitbc/aitbc-cli"
+    cli_bin = cli_dir.parent / "aitbc-cli"
    def run_command(*args):
        return subprocess.run(
            [str(cli_bin), *args],
            capture_output=True,
            text=True,
            timeout=10,
            cwd=str(cli_dir),
        )
    # Test 1: CLI help command
    print("\n1. Testing CLI help command...")
    try:
-        result = subprocess.run(
+        result = run_command("--help")
            [cli_bin, "--help"],
            capture_output=True,
            text=True,
            timeout=10,
            cwd=str(cli_dir)
        )
        if result.returncode == 0 and "AITBC CLI" in result.stdout:
            print("✅ CLI help command working")
@@ -37,13 +40,7 @@ def run_cli_test():
    # Test 2: CLI list command
    print("\n2. Testing CLI list command...")
    try:
-        result = subprocess.run(
+        result = run_command("wallet", "list")
            [cli_bin, "wallet", "list"],
            capture_output=True,
            text=True,
            timeout=10,
            cwd=str(cli_dir)
        )
        if result.returncode == 0:
            print("✅ CLI list command working")
@@ -57,13 +54,7 @@ def run_cli_test():
    # Test 3: CLI blockchain command
    print("\n3. Testing CLI blockchain command...")
    try:
-        result = subprocess.run(
+        result = run_command("blockchain", "info")
            [cli_bin, "blockchain", "info"],
            capture_output=True,
            text=True,
            timeout=10,
            cwd=str(cli_dir)
        )
        if result.returncode == 0:
            print("✅ CLI blockchain command working")
@@ -77,13 +68,7 @@ def run_cli_test():
    # Test 4: CLI invalid command handling
    print("\n4. Testing CLI invalid command handling...")
    try:
-        result = subprocess.run(
+        result = run_command("invalid-command")
            [cli_bin, "invalid-command"],
            capture_output=True,
            text=True,
            timeout=10,
            cwd=str(cli_dir)
        )
        if result.returncode != 0:
            print("✅ CLI invalid command handling working")
--- a/docs/advanced/02_reference/7_threat-modeling.md
+++ b/docs/advanced/02_reference/7_threat-modeling.md
@@ -2,9 +2,13 @@
 ## Overview
-This document provides a comprehensive threat model for AITBC's privacy-preserving features, focusing on zero-knowledge receipt attestation and confidential transactions. The analysis uses the STRIDE methodology to systematically identify threats and their mitigations.
+This document provides a comprehensive threat model for AITBC's
 privacy-preserving features, focusing on zero-knowledge receipt attestation and
 confidential transactions. The analysis uses the STRIDE methodology to
 systematically identify threats and their mitigations.
 ## Document Version
 - Version: 1.0
 - Date: December 2024
 - Status: Published - Shared with Ecosystem Partners
@@ -12,6 +16,7 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
 ## Scope
 ### In-Scope Components
 1. **ZK Receipt Attestation System**
   - Groth16 circuit implementation
   - Proof generation service
@@ -25,6 +30,7 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
   - Audit logging infrastructure
 ### Out-of-Scope Components
 - Core blockchain consensus
 - Basic transaction processing
 - Non-confidential marketplace operations
@@ -32,123 +38,136 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
 ## Threat Actors
-| Actor | Motivation | Capability | Impact |
+| Actor                   | Motivation                      | Capability                                 | Impact   |
-|-------|------------|------------|--------|
+| ----------------------- | ------------------------------- | ------------------------------------------ | -------- |
-| Malicious Miner | Financial gain, sabotage | Access to mining software, limited compute | High |
+| Malicious Miner         | Financial gain, sabotage        | Access to mining software, limited compute | High     |
-| Compromised Coordinator | Data theft, market manipulation | System access, private keys | Critical |
+| Compromised Coordinator | Data theft, market manipulation | System access, private keys                | Critical |
-| External Attacker | Financial theft, privacy breach | Public network, potential exploits | High |
+| External Attacker       | Financial theft, privacy breach | Public network, potential exploits         | High     |
-| Regulator | Compliance investigation | Legal authority, subpoenas | Medium |
+| Regulator               | Compliance investigation        | Legal authority, subpoenas                 | Medium   |
-| Insider Threat | Data exfiltration | Internal access, knowledge | High |
+| Insider Threat          | Data exfiltration               | Internal access, knowledge                 | High     |
-| Quantum Computer | Break cryptography | Future quantum capability | Future |
+| Quantum Computer        | Break cryptography              | Future quantum capability                  | Future   |
 ## STRIDE Analysis
 ### 1. Spoofing
 #### ZK Receipt Attestation
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat                    | Description                     | Likelihood | Impact | Mitigations                                                                            |
-| Proof Forgery | Attacker creates fake ZK proofs | Medium | High | ✅ Groth16 soundness property<br>✅ Verification on-chain<br>⚠️ Trusted setup security |
+| ------------------------- | ------------------------------- | ---------- | ------ | -------------------------------------------------------------------------------------- |
-| Identity Spoofing | Miner impersonates another | Low | Medium | ✅ Miner registration with KYC<br>✅ Cryptographic signatures |
+| Proof Forgery             | Attacker creates fake ZK proofs | Medium     | High   | ✅ Groth16 soundness property<br>✅ Verification on-chain<br>⚠️ Trusted setup security |
-| Coordinator Impersonation | Fake coordinator services | Low | High | ✅ TLS certificates<br>⚠️ DNSSEC recommended |
+| Identity Spoofing         | Miner impersonates another      | Low        | Medium | ✅ Miner registration with KYC<br>✅ Cryptographic signatures                          |
 | Coordinator Impersonation | Fake coordinator services       | Low        | High   | ✅ TLS certificates<br>⚠️ DNSSEC recommended                                           |
 #### Confidential Transactions
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat                | Description                       | Likelihood | Impact | Mitigations                                        |
-| Key Spoofing | Fake public keys for participants | Medium | High | ✅ HSM-protected keys<br>✅ Certificate validation |
+| --------------------- | --------------------------------- | ---------- | ------ | -------------------------------------------------- |
-| Authorization Forgery | Fake audit authorization | Low | High | ✅ Signed tokens<br>✅ Short expiration times |
+| Key Spoofing          | Fake public keys for participants | Medium     | High   | ✅ HSM-protected keys<br>✅ Certificate validation |
 | Authorization Forgery | Fake audit authorization          | Low        | High   | ✅ Signed tokens<br>✅ Short expiration times      |
 ### 2. Tampering
 #### ZK Receipt Attestation
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat                    | Description                         | Likelihood | Impact   | Mitigations                                                            |
-| Circuit Modification | Malicious changes to circom circuit | Low | Critical | ✅ Open-source circuits<br>✅ Circuit hash verification |
+| ------------------------- | ----------------------------------- | ---------- | -------- | ---------------------------------------------------------------------- |
-| Proof Manipulation | Altering proofs during transmission | Medium | High | ✅ End-to-end encryption<br>✅ On-chain verification |
+| Circuit Modification      | Malicious changes to circom circuit | Low        | Critical | ✅ Open-source circuits<br>✅ Circuit hash verification                |
-| Setup Parameter Poisoning | Compromise trusted setup | Low | Critical | ⚠️ Multi-party ceremony needed<br>⚠️ Secure destruction of toxic waste |
+| Proof Manipulation        | Altering proofs during transmission | Medium     | High     | ✅ End-to-end encryption<br>✅ On-chain verification                   |
 | Setup Parameter Poisoning | Compromise trusted setup            | Low        | Critical | ⚠️ Multi-party ceremony needed<br>⚠️ Secure destruction of toxic waste |
 #### Confidential Transactions
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat                | Description                       | Likelihood | Impact | Mitigations                                                     |
-| Data Tampering | Modify encrypted transaction data | Medium | High | ✅ AES-GCM authenticity<br>✅ Immutable audit logs |
+| --------------------- | --------------------------------- | ---------- | ------ | --------------------------------------------------------------- |
-| Key Substitution | Swap public keys in transit | Low | High | ✅ Certificate pinning<br>✅ HSM key validation |
+| Data Tampering        | Modify encrypted transaction data | Medium     | High   | ✅ AES-GCM authenticity<br>✅ Immutable audit logs              |
-| Access Control Bypass | Override authorization checks | Low | High | ✅ Role-based access control<br>✅ Audit logging of all changes |
+| Key Substitution      | Swap public keys in transit       | Low        | High   | ✅ Certificate pinning<br>✅ HSM key validation                 |
 | Access Control Bypass | Override authorization checks     | Low        | High   | ✅ Role-based access control<br>✅ Audit logging of all changes |
 ### 3. Repudiation
 #### ZK Receipt Attestation
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat                     | Description                       | Likelihood | Impact | Mitigations                                                 |
-| Denial of Proof Generation | Miner denies creating proof | Low | Medium | ✅ On-chain proof records<br>✅ Signed proof metadata |
+| -------------------------- | --------------------------------- | ---------- | ------ | ----------------------------------------------------------- |
-| Receipt Denial | Party denies transaction occurred | Medium | Medium | ✅ Immutable blockchain ledger<br>✅ Cryptographic receipts |
+| Denial of Proof Generation | Miner denies creating proof       | Low        | Medium | ✅ On-chain proof records<br>✅ Signed proof metadata       |
 | Receipt Denial             | Party denies transaction occurred | Medium     | Medium | ✅ Immutable blockchain ledger<br>✅ Cryptographic receipts |
 #### Confidential Transactions
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat                | Description                   | Likelihood | Impact | Mitigations                                                  |
-| Access Denial | User denies accessing data | Low | Medium | ✅ Comprehensive audit logs<br>✅ Non-repudiation signatures |
+| --------------------- | ----------------------------- | ---------- | ------ | ------------------------------------------------------------ |
-| Key Generation Denial | Deny creating encryption keys | Low | Medium | ✅ HSM audit trails<br>✅ Key rotation logs |
+| Access Denial         | User denies accessing data    | Low        | Medium | ✅ Comprehensive audit logs<br>✅ Non-repudiation signatures |
 | Key Generation Denial | Deny creating encryption keys | Low        | Medium | ✅ HSM audit trails<br>✅ Key rotation logs                  |
 ### 4. Information Disclosure
 #### ZK Receipt Attestation
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat               | Description                           | Likelihood | Impact   | Mitigations                                                           |
-| Witness Extraction | Extract private inputs from proof | Low | Critical | ✅ Zero-knowledge property<br>✅ No knowledge of witness |
+| -------------------- | ------------------------------------- | ---------- | -------- | --------------------------------------------------------------------- |
-| Setup Parameter Leak | Expose toxic waste from trusted setup | Low | Critical | ⚠️ Secure multi-party setup<br>⚠️ Parameter destruction |
+| Witness Extraction   | Extract private inputs from proof     | Low        | Critical | ✅ Zero-knowledge property<br>✅ No knowledge of witness              |
-| Side-Channel Attacks | Timing/power analysis | Low | Medium | ✅ Constant-time implementations<br>⚠️ Needs hardware security review |
+| Setup Parameter Leak | Expose toxic waste from trusted setup | Low        | Critical | ⚠️ Secure multi-party setup<br>⚠️ Parameter destruction               |
 | Side-Channel Attacks | Timing/power analysis                 | Low        | Medium   | ✅ Constant-time implementations<br>⚠️ Needs hardware security review |
 #### Confidential Transactions
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat                 | Description                     | Likelihood | Impact   | Mitigations                                               |
-| Private Key Extraction | Steal keys from HSM | Low | Critical | ✅ HSM security controls<br>✅ Hardware tamper resistance |
+| ---------------------- | ------------------------------- | ---------- | -------- | --------------------------------------------------------- |
-| Decryption Key Leak | Expose DEKs | Medium | High | ✅ Per-transaction DEKs<br>✅ Encrypted key storage |
+| Private Key Extraction | Steal keys from HSM             | Low        | Critical | ✅ HSM security controls<br>✅ Hardware tamper resistance |
-| Metadata Analysis | Infer data from access patterns | Medium | Medium | ✅ Access logging<br>⚠️ Differential privacy needed |
+| Decryption Key Leak    | Expose DEKs                     | Medium     | High     | ✅ Per-transaction DEKs<br>✅ Encrypted key storage       |
 | Metadata Analysis      | Infer data from access patterns | Medium     | Medium   | ✅ Access logging<br>⚠️ Differential privacy needed       |
 ### 5. Denial of Service
 #### ZK Receipt Attestation
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat               | Description                 | Likelihood | Impact | Mitigations                                                   |
-| Proof Generation DoS | Overwhelm proof service | High | Medium | ✅ Rate limiting<br>✅ Queue management<br>⚠️ Need monitoring |
+| -------------------- | --------------------------- | ---------- | ------ | ------------------------------------------------------------- |
-| Verification Spam | Flood verification contract | High | High | ✅ Gas costs limit spam<br>⚠️ Need circuit optimization |
+| Proof Generation DoS | Overwhelm proof service     | High       | Medium | ✅ Rate limiting<br>✅ Queue management<br>⚠️ Need monitoring |
 | Verification Spam    | Flood verification contract | High       | High   | ✅ Gas costs limit spam<br>⚠️ Need circuit optimization       |
 #### Confidential Transactions
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat             | Description                  | Likelihood | Impact | Mitigations                                    |
-| Key Exhaustion | Deplete HSM key slots | Medium | Medium | ✅ Key rotation<br>✅ Resource monitoring |
+| ------------------ | ---------------------------- | ---------- | ------ | ---------------------------------------------- |
-| Database Overload | Saturate with encrypted data | High | Medium | ✅ Connection pooling<br>✅ Query optimization |
+| Key Exhaustion     | Deplete HSM key slots        | Medium     | Medium | ✅ Key rotation<br>✅ Resource monitoring      |
-| Audit Log Flooding | Fill audit storage | Medium | Medium | ✅ Log rotation<br>✅ Storage monitoring |
+| Database Overload  | Saturate with encrypted data | High       | Medium | ✅ Connection pooling<br>✅ Query optimization |
 | Audit Log Flooding | Fill audit storage           | Medium     | Medium | ✅ Log rotation<br>✅ Storage monitoring       |
 ### 6. Elevation of Privilege
 #### ZK Receipt Attestation
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat                 | Description               | Likelihood | Impact   | Mitigations                                         |
-| Setup Privilege | Gain trusted setup access | Low | Critical | ⚠️ Multi-party ceremony<br>⚠️ Independent audits |
+| ---------------------- | ------------------------- | ---------- | -------- | --------------------------------------------------- |
-| Coordinator Compromise | Full system control | Medium | Critical | ✅ Multi-sig controls<br>✅ Regular security audits |
+| Setup Privilege        | Gain trusted setup access | Low        | Critical | ⚠️ Multi-party ceremony<br>⚠️ Independent audits    |
 | Coordinator Compromise | Full system control       | Medium     | Critical | ✅ Multi-sig controls<br>✅ Regular security audits |
 #### Confidential Transactions
-| Threat | Description | Likelihood | Impact | Mitigations |
+
-|--------|-------------|------------|--------|-------------|
+| Threat                    | Description              | Likelihood | Impact   | Mitigations                                                  |
-| HSM Takeover | Gain HSM admin access | Low | Critical | ✅ HSM access controls<br>✅ Dual authorization |
+| ------------------------- | ------------------------ | ---------- | -------- | ------------------------------------------------------------ |
-| Access Control Escalation | Bypass role restrictions | Medium | High | ✅ Principle of least privilege<br>✅ Regular access reviews |
+| HSM Takeover              | Gain HSM admin access    | Low        | Critical | ✅ HSM access controls<br>✅ Dual authorization              |
 | Access Control Escalation | Bypass role restrictions | Medium     | High     | ✅ Principle of least privilege<br>✅ Regular access reviews |
 ## Risk Matrix
-| Threat | Likelihood | Impact | Risk Level | Priority |
+| Threat                   | Likelihood | Impact   | Risk Level | Priority |
-|--------|------------|--------|------------|----------|
+| ------------------------ | ---------- | -------- | ---------- | -------- |
-| Trusted Setup Compromise | Low | Critical | HIGH | 1 |
+| Trusted Setup Compromise | Low        | Critical | HIGH       | 1        |
-| HSM Compromise | Low | Critical | HIGH | 1 |
+| HSM Compromise           | Low        | Critical | HIGH       | 1        |
-| Proof Forgery | Medium | High | HIGH | 2 |
+| Proof Forgery            | Medium     | High     | HIGH       | 2        |
-| Private Key Extraction | Low | Critical | HIGH | 2 |
+| Private Key Extraction   | Low        | Critical | HIGH       | 2        |
-| Information Disclosure | Medium | High | MEDIUM | 3 |
+| Information Disclosure   | Medium     | High     | MEDIUM     | 3        |
-| DoS Attacks | High | Medium | MEDIUM | 3 |
+| DoS Attacks              | High       | Medium   | MEDIUM     | 3        |
-| Side-Channel Attacks | Low | Medium | LOW | 4 |
+| Side-Channel Attacks     | Low        | Medium   | LOW        | 4        |
-| Repudiation | Low | Medium | LOW | 4 |
+| Repudiation              | Low        | Medium   | LOW        | 4        |
 ## Implemented Mitigations
 ### ZK Receipt Attestation
 - ✅ Groth16 soundness and zero-knowledge properties
 - ✅ On-chain verification prevents tampering
 - ✅ Open-source circuit code for transparency
@@ -156,6 +175,7 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
 - ✅ Comprehensive audit logging
 ### Confidential Transactions
 - ✅ AES-256-GCM provides confidentiality and authenticity
 - ✅ HSM-backed key management prevents key extraction
 - ✅ Role-based access control with time restrictions
@@ -166,6 +186,7 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
 ## Recommended Future Improvements
 ### Short Term (1-3 months)
 1. **Trusted Setup Ceremony**
   - Implement multi-party computation (MPC) setup
   - Engage independent auditors
@@ -182,6 +203,7 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
   - Fuzzing of circuit implementations
 ### Medium Term (3-6 months)
 1. **Advanced Privacy**
   - Differential privacy for metadata
   - Secure multi-party computation
@@ -198,6 +220,7 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
   - Regulatory audit tools
 ### Long Term (6-12 months)
 1. **Formal Verification**
   - Formal proofs of circuit correctness
   - Verified smart contract deployments
@@ -211,24 +234,28 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
 ## Security Controls Summary
 ### Preventive Controls
 - Cryptographic guarantees (ZK proofs, encryption)
 - Access control mechanisms
 - Secure key management
 - Network security (TLS, certificates)
 ### Detective Controls
 - Comprehensive audit logging
 - Real-time monitoring
 - Anomaly detection
 - Security incident response
 ### Corrective Controls
 - Key rotation procedures
 - Incident response playbooks
 - Backup and recovery
 - System patching processes
 ### Compensating Controls
 - Insurance for cryptographic risks
 - Legal protections
 - Community oversight
@@ -236,23 +263,25 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
 ## Compliance Mapping
-| Regulation | Requirement | Implementation |
+| Regulation | Requirement           | Implementation                      |
-|------------|-------------|----------------|
+| ---------- | --------------------- | ----------------------------------- |
-| GDPR | Right to encryption | ✅ Opt-in confidential transactions |
+| GDPR       | Right to encryption   | ✅ Opt-in confidential transactions |
-| GDPR | Data minimization | ✅ Selective disclosure |
+| GDPR       | Data minimization     | ✅ Selective disclosure             |
-| SEC 17a-4 | Audit trail | ✅ Immutable logs |
+| SEC 17a-4  | Audit trail           | ✅ Immutable logs                   |
-| MiFID II | Transaction reporting | ✅ ZK proof verification |
+| MiFID II   | Transaction reporting | ✅ ZK proof verification            |
-| PCI DSS | Key management | ✅ HSM-backed keys |
+| PCI DSS    | Key management        | ✅ HSM-backed keys                  |
 ## Incident Response
 ### Security Event Classification
 1. **Critical** - HSM compromise, trusted setup breach
 2. **High** - Large-scale data breach, proof forgery
 3. **Medium** - Single key compromise, access violation
 4. **Low** - Failed authentication, minor DoS
 ### Response Procedures
 1. Immediate containment
 2. Evidence preservation
 3. Stakeholder notification
@@ -276,6 +305,7 @@ This document provides a comprehensive threat model for AITBC's privacy-preservi
 ## Acknowledgments
 This threat model was developed with input from:
 - AITBC Security Team
 - External Security Consultants
 - Community Security Researchers
@@ -283,4 +313,5 @@ This threat model was developed with input from:
 ---
-*This document is living and will be updated as new threats emerge and mitigations are implemented.*
+_This document is living and will be updated as new threats emerge and
 mitigations are implemented._
--- a/docs/beginner/02_project/2_roadmap.md
+++ b/docs/beginner/02_project/2_roadmap.md
--- a/docs/beginner/02_project/5_done.md
+++ b/docs/beginner/02_project/5_done.md
--- a/docs/completed/cli/cli-checklist.md
+++ b/docs/completed/cli/cli-checklist.md
--- a/docs/expert/01_issues/On-Chain_Model_Marketplace.md
+++ b/docs/expert/01_issues/On-Chain_Model_Marketplace.md
--- a/docs/policies/BRANCH_PROTECTION.md
+++ b/docs/policies/BRANCH_PROTECTION.md
@@ -2,7 +2,8 @@
 ## Overview
-This document outlines the recommended branch protection settings for the AITBC repository to ensure code quality, security, and collaboration standards.
+This document outlines the recommended branch protection settings for the AITBC
 repository to ensure code quality, security, and collaboration standards.
 ## GitHub Branch Protection Settings
@@ -14,11 +15,13 @@ Navigate to: `Settings > Branches > Branch protection rules`
 **Branch name pattern**: `main`
-**Require status checks to pass before merging**
+##### Require status checks to pass before merging
 - ✅ Require branches to be up to date before merging
 - ✅ Require status checks to pass before merging
-**Required status checks**
+##### Required status checks
 - ✅ Lint (ruff)
 - ✅ Check .env.example drift
 - ✅ Test (pytest)
@@ -34,22 +37,28 @@ Navigate to: `Settings > Branches > Branch protection rules`
 - ✅ security-scanning / trivy
 - ✅ security-scanning / ossf-scorecard
-**Require pull request reviews before merging**
+##### Require pull request reviews before merging
 - ✅ Require approvals
  - **Required approving reviews**: 2
 - ✅ Dismiss stale PR approvals when new commits are pushed
 - ✅ Require review from CODEOWNERS
 - ✅ Require review from users with write access in the target repository
- ✅ Limit the number of approvals required (2) - **Do not allow users with write access to approve their own pull requests**
+- ✅ Limit the number of approvals required (2)
  - **Do not allow users with write access to approve their own pull
    requests**
 ##### Restrict pushes
 **Restrict pushes**
 - ✅ Limit pushes to users who have write access in the repository
 - ✅ Do not allow force pushes
-**Restrict deletions**
+##### Restrict deletions
 - ✅ Do not allow users with write access to delete matching branches
-**Require signed commits**
+##### Require signed commits
 - ✅ Require signed commits (optional, for enhanced security)
 ### Develop Branch Protection
@@ -57,6 +66,7 @@ Navigate to: `Settings > Branches > Branch protection rules`
 **Branch name pattern**: `develop`
 **Settings** (same as main, but with fewer required checks):
 - Require status checks to pass before merging
 - Required status checks: Lint, Test, Check .env.example drift
 - Require pull request reviews before merging (1 approval)
@@ -67,26 +77,39 @@ Navigate to: `Settings > Branches > Branch protection rules`
 ### Continuous Integration Checks
-| Status Check | Description | Workflow |
+- **`Lint (ruff)`**: Python code linting. Workflow:
-|-------------|-------------|----------|
+  `.github/workflows/ci.yml`
-| `Lint (ruff)` | Python code linting | `.github/workflows/ci.yml` |
+- **`Check .env.example drift`**: Configuration drift detection. Workflow:
-| `Check .env.example drift` | Configuration drift detection | `.github/workflows/ci.yml` |
+  `.github/workflows/ci.yml`
-| `Test (pytest)` | Python unit tests | `.github/workflows/ci.yml` |
+- **`Test (pytest)`**: Python unit tests. Workflow:
-| `contracts-ci / Lint` | Solidity linting | `.github/workflows/contracts-ci.yml` |
+  `.github/workflows/ci.yml`
-| `contracts-ci / Slither Analysis` | Solidity security analysis | `.github/workflows/contracts-ci.yml` |
+- **`contracts-ci / Lint`**: Solidity linting. Workflow:
-| `contracts-ci / Compile` | Smart contract compilation | `.github/workflows/contracts-ci.yml` |
+  `.github/workflows/contracts-ci.yml`
-| `contracts-ci / Test` | Smart contract tests | `.github/workflows/contracts-ci.yml` |
+- **`contracts-ci / Slither Analysis`**: Solidity security analysis.
-| `dotenv-check / dotenv-validation` | .env.example format validation | `.github/workflows/dotenv-check.yml` |
+  Workflow: `.github/workflows/contracts-ci.yml`
-| `dotenv-check / dotenv-security` | .env.example security check | `.github/workflows/dotenv-check.yml` |
+- **`contracts-ci / Compile`**: Smart contract compilation. Workflow:
-| `security-scanning / bandit` | Python security scanning | `.github/workflows/security-scanning.yml` |
+  `.github/workflows/contracts-ci.yml`
-| `security-scanning / codeql` | CodeQL analysis | `.github/workflows/security-scanning.yml` |
+- **`contracts-ci / Test`**: Smart contract tests. Workflow:
-| `security-scanning / safety` | Dependency vulnerability scan | `.github/workflows/security-scanning.yml` |
+  `.github/workflows/contracts-ci.yml`
-| `security-scanning / trivy` | Container security scan | `.github/workflows/security-scanning.yml` |
+- **`dotenv-check / dotenv-validation`**: `.env.example` format validation.
-| `security-scanning / ossf-scorecard` | OSSF Scorecard analysis | `.github/workflows/security-scanning.yml` |
+  Workflow: `.github/workflows/dotenv-check.yml`
 - **`dotenv-check / dotenv-security`**: `.env.example` security check.
  Workflow: `.github/workflows/dotenv-check.yml`
 - **`security-scanning / bandit`**: Python security scanning. Workflow:
  `.github/workflows/security-scanning.yml`
 - **`security-scanning / codeql`**: CodeQL analysis. Workflow:
  `.github/workflows/security-scanning.yml`
 - **`security-scanning / safety`**: Dependency vulnerability scan. Workflow:
  `.github/workflows/security-scanning.yml`
 - **`security-scanning / trivy`**: Container security scan. Workflow:
  `.github/workflows/security-scanning.yml`
 - **`security-scanning / ossf-scorecard`**: OSSF Scorecard analysis.
  Workflow: `.github/workflows/security-scanning.yml`
 ### Additional Checks for Feature Branches
 For feature branches, consider requiring:
 - `comprehensive-tests / unit-tests`
 - `comprehensive-tests / integration-tests`
 - `comprehensive-tests / api-tests`
@@ -94,7 +117,8 @@ For feature branches, consider requiring:
 ## CODEOWNERS Integration
-The branch protection should be configured to require review from CODEOWNERS. This ensures that:
+The branch protection should be configured to require review from CODEOWNERS.
 This ensures that:
 1. **Domain experts review relevant changes**
 2. **Security team reviews security-sensitive files**
@@ -208,7 +232,9 @@ jobs:
        run: python scripts/focused_dotenv_linter.py --check
      - name: Test (pytest)
-        run: poetry run pytest --cov=aitbc_cli --cov-report=term-missing --cov-report=xml
+        run: >-
          poetry run pytest --cov=aitbc_cli --cov-report=term-missing
          --cov-report=xml
 ```
 ## Security Best Practices
@@ -386,6 +412,9 @@ New team members should be trained on:
 ## Conclusion
-Proper branch protection configuration ensures code quality, security, and collaboration standards. By implementing these settings, the AITBC repository maintains high standards while enabling efficient development workflows.
+Proper branch protection configuration ensures code quality, security, and
 collaboration standards. By implementing these settings, the AITBC repository
 maintains high standards while enabling efficient development workflows.
-Regular review and updates to branch protection settings ensure they remain effective as the project evolves.
+Regular review and updates to branch protection settings ensure they remain
 effective as the project evolves.
--- a/docs/policies/CLI_TRANSLATION_SECURITY_POLICY.md
+++ b/docs/policies/CLI_TRANSLATION_SECURITY_POLICY.md
@@ -2,12 +2,16 @@
 ## 🔐 Security Overview
-This document outlines the comprehensive security policy for CLI translation functionality in the AITBC platform, ensuring that translation services never compromise security-sensitive operations.
+This document outlines the comprehensive security policy for CLI translation
 functionality in the AITBC platform, ensuring that translation services never
 compromise security-sensitive operations.
 ## ⚠️ Security Problem Statement
 ### Identified Risks
-1. **API Dependency**: Translation services rely on external APIs (OpenAI, Google, DeepL)
+
 1. **API Dependency**: Translation services rely on external APIs (OpenAI,
   Google, DeepL)
 2. **Network Failures**: Translation unavailable during network outages
 3. **Data Privacy**: Sensitive command data sent to third-party services
 4. **Command Injection**: Risk of translated commands altering security context
@@ -15,6 +19,7 @@ This document outlines the comprehensive security policy for CLI translation fun
 6. **Audit Trail**: Loss of original command intent in translation
 ### Security-Sensitive Operations
 - **Agent Strategy Commands**: `aitbc agent strategy --aggressive`
 - **Wallet Operations**: `aitbc wallet send --to 0x... --amount 100`
 - **Deployment Commands**: `aitbc deploy --production`
@@ -26,48 +31,63 @@ This document outlines the comprehensive security policy for CLI translation fun
 ### Security Levels
 #### 🔴 CRITICAL (Translation Disabled)
-**Commands**: `agent`, `strategy`, `wallet`, `sign`, `deploy`, `genesis`, `transfer`, `send`, `approve`, `mint`, `burn`, `stake`
+
 **Commands**: `agent`, `strategy`, `wallet`, `sign`, `deploy`, `genesis`,
 `transfer`, `send`, `approve`, `mint`, `burn`, `stake`
 **Policy**:
 - ✅ Translation: **DISABLED**
 - ✅ External APIs: **BLOCKED**
 - ✅ User Consent: **REQUIRED**
 - ✅ Fallback: **Original text only**
-**Rationale**: These commands handle sensitive operations where translation could compromise security or financial transactions.
+**Rationale**: These commands handle sensitive operations where translation
 could compromise security or financial transactions.
 #### 🟠 HIGH (Local Translation Only)
-**Commands**: `config`, `node`, `chain`, `marketplace`, `swap`, `liquidity`, `governance`, `vote`, `proposal`
+
 **Commands**: `config`, `node`, `chain`, `marketplace`, `swap`, `liquidity`,
 `governance`, `vote`, `proposal`
 **Policy**:
 - ✅ Translation: **LOCAL ONLY**
 - ✅ External APIs: **BLOCKED**
 - ✅ User Consent: **REQUIRED**
 - ✅ Fallback: **Local dictionary**
-**Rationale**: Important operations that benefit from localization but don't require external services.
+**Rationale**: Important operations that benefit from localization but don't
 require external services.
 #### 🟡 MEDIUM (Fallback Mode)
-**Commands**: `balance`, `status`, `monitor`, `analytics`, `logs`, `history`, `simulate`, `test`
+
 **Commands**: `balance`, `status`, `monitor`, `analytics`, `logs`, `history`,
 `simulate`, `test`
 **Policy**:
 - ✅ Translation: **EXTERNAL WITH LOCAL FALLBACK**
 - ✅ External APIs: **ALLOWED**
 - ✅ User Consent: **NOT REQUIRED**
 - ✅ Fallback: **Local translation on failure**
-**Rationale**: Standard operations where translation enhances user experience but isn't critical.
+**Rationale**: Standard operations where translation enhances user experience
 but isn't critical.
 #### 🟢 LOW (Full Translation)
 **Commands**: `help`, `version`, `info`, `list`, `show`, `explain`
 **Policy**:
 - ✅ Translation: **FULL CAPABILITIES**
 - ✅ External APIs: **ALLOWED**
 - ✅ User Consent: **NOT REQUIRED**
 - ✅ Fallback: **External retry then local**
-**Rationale**: Informational commands where translation improves accessibility without security impact.
+**Rationale**: Informational commands where translation improves
 accessibility without security impact.
 ## 🔧 Implementation Details
@@ -107,15 +127,26 @@ HIGH_POLICY = {
 ### Local Translation System
-For security-sensitive operations, a local translation system provides basic localization:
+For security-sensitive operations, a local translation system provides basic
 localization:
 ```python
 LOCAL_TRANSLATIONS = {
    "help": {"es": "ayuda", "fr": "aide", "de": "hilfe", "zh": "帮助"},
    "error": {"es": "error", "fr": "erreur", "de": "fehler", "zh": "错误"},
    "success": {"es": "éxito", "fr": "succès", "de": "erfolg", "zh": "成功"},
-    "wallet": {"es": "cartera", "fr": "portefeuille", "de": "börse", "zh": "钱包"},
+    "wallet": {
-    "transaction": {"es": "transacción", "fr": "transaction", "de": "transaktion", "zh": "交易"}
+        "es": "cartera",
        "fr": "portefeuille",
        "de": "börse",
        "zh": "钱包"
    },
    "transaction": {
        "es": "transacción",
        "fr": "transaction",
        "de": "transaktion",
        "zh": "交易"
    }
 }
 ```
@@ -237,7 +268,10 @@ from aitbc_cli.security import get_translation_security_report
 report = get_translation_security_report()
 print(f"Total security checks: {report['security_summary']['total_checks']}")
-print(f"Critical operations: {report['security_summary']['by_security_level']['critical']}")
+print(
    f"Critical operations: "
    f"{report['security_summary']['by_security_level']['critical']}"
 )
 print(f"Recommendations: {report['recommendations']}")
 ```
@@ -333,7 +367,8 @@ def handle_security_incident(incident_type: str):
 ### Key Performance Indicators
- **Translation Success Rate**: Percentage of successful translations by security level
+- **Translation Success Rate**: Percentage of successful translations by
  security level
 - **Fallback Usage Rate**: How often local fallback is used
 - **API Response Time**: External API performance metrics
 - **Security Violations**: Attempts to bypass security policies
@@ -356,24 +391,32 @@ def get_security_metrics():
 ### Planned Security Features
-1. **Machine Learning Detection**: AI-powered detection of sensitive command patterns
+1. **Machine Learning Detection**: AI-powered detection of sensitive command
-2. **Dynamic Policy Adjustment**: Automatic security level adjustment based on context
+   patterns
 2. **Dynamic Policy Adjustment**: Automatic security level adjustment based on
   context
 3. **Zero-Knowledge Translation**: Privacy-preserving translation protocols
 4. **Blockchain Auditing**: Immutable audit trail on blockchain
-5. **Multi-Factor Authentication**: Additional security for sensitive translations
+5. **Multi-Factor Authentication**: Additional security for sensitive
   translations
 ### Research Areas
-1. **Federated Learning**: Local translation models without external dependencies
+1. **Federated Learning**: Local translation models without external
-2. **Quantum-Resistant Security**: Future-proofing against quantum computing threats
+   dependencies
 2. **Quantum-Resistant Security**: Future-proofing against quantum computing
   threats
 3. **Behavioral Analysis**: User behavior patterns for anomaly detection
 4. **Cross-Platform Security**: Consistent security across all CLI platforms
 ---
-**Security Policy Status**: ✅ **IMPLEMENTED**  
+- **Security Policy Status**: ✅ **IMPLEMENTED**
-**Last Updated**: March 3, 2026  
+- **Last Updated**: March 3, 2026
-**Next Review**: March 17, 2026  
+- **Next Review**: March 17, 2026
-**Security Level**: 🔒 **HIGH** - Comprehensive protection for sensitive operations  
+- **Security Level**: 🔒 **HIGH** - Comprehensive protection for sensitive
  operations
-This security policy ensures that CLI translation functionality never compromises security-sensitive operations while providing appropriate localization capabilities for non-critical commands.
+This security policy ensures that CLI translation functionality never
 compromises security-sensitive operations while providing appropriate
 localization capabilities for non-critical commands.
--- a/docs/policies/DOTENV_DISCIPLINE.md
+++ b/docs/policies/DOTENV_DISCIPLINE.md
@@ -2,7 +2,9 @@
 ## 🎯 Problem Solved
-Having a `.env.example` file is good practice, but without automated checking, it can drift from what the application actually uses. This creates silent configuration issues where:
+Having a `.env.example` file is good practice, but without automated
 checking, it can drift from what the application actually uses. This creates
 silent configuration issues where:
 - New environment variables are added to code but not documented
 - Old variables remain in `.env.example` but are no longer used
@@ -14,28 +16,35 @@ Having a `.env.example` file is good practice, but without automated checking, i
 ### **Focused Dotenv Linter**
 Created a sophisticated linter that:
 - **Scans all code** for actual environment variable usage
 - **Filters out script variables** and non-config variables
 - **Compares with `.env.example`** to find drift
- **Auto-fixes missing variables** in `.env.example
+- **Auto-fixes missing variables** in `.env.example`
 - **Validates format** and security of `.env.example`
 - **Integrates with CI/CD** to prevent drift
 ### **Key Features**
 #### **Smart Variable Detection**
 - Scans Python files for `os.environ.get()`, `os.getenv()`, etc.
 - Scans config files for `${VAR}` and `$VAR` patterns
 - Scans shell scripts for `export VAR=` and `VAR=` patterns
 - Filters out script variables, system variables, and internal variables
 #### **Comprehensive Coverage**
 - **Python files**: `*.py` across the entire project
 - **Config files**: `pyproject.toml`, `*.yml`, `*.yaml`, `Dockerfile`, etc.
 - **Shell scripts**: `*.sh`, `*.bash`, `*.zsh`
 - **CI/CD files**: `.github/workflows/*.yml`
 #### **Intelligent Filtering**
 - Excludes common script variables (`PID`, `VERSION`, `DEBUG`, etc.)
 - Excludes system variables (`PATH`, `HOME`, `USER`, etc.)
 - Excludes external tool variables (`NODE_ENV`, `DOCKER_HOST`, etc.)
@@ -61,7 +70,7 @@ python scripts/focused_dotenv_linter.py --check
 ### **Output Example**
-```
+```text
 🔍 Focused Dotenv Linter for AITBC
 ==================================================
 📄 Found 111 variables in .env.example
@@ -140,28 +149,37 @@ Created `.github/workflows/dotenv-check.yml` with:
 ### **Workflow Triggers**
 The dotenv check runs on:
 - **Push** to any branch (when relevant files change)
 - **Pull Request** (when relevant files change)
 - **File patterns**: `.env.example`, `*.py`, `*.yml`, `*.toml`, `*.sh`
 ## 📊 Benefits Achieved
 ### ✅ **Prevents Silent Drift**
 - **Automated Detection**: Catches drift as soon as it's introduced
 - **CI/CD Integration**: Prevents merging with configuration issues
 - **Developer Feedback**: Clear reports on what's missing/unused
 ### ✅ **Maintains Documentation**
 - **Always Up-to-Date**: `.env.example` reflects actual usage
 - **Comprehensive Coverage**: All environment variables documented
 - **Clear Organization**: Logical grouping and naming
 ### ✅ **Improves Developer Experience**
 - **Easy Discovery**: Developers can see all required variables
 - **Auto-Fix**: One-command fix for missing variables
 - **Validation**: Format and security checks
 ### ✅ **Enhanced Security**
 - **No Secrets**: Ensures `.env.example` contains only placeholders
 - **Security Scanning**: Detects potential actual secrets
 - **Best Practices**: Enforces good naming conventions
@@ -210,7 +228,8 @@ r'([A-Z_][A-Z0-9_]*)='
 ```bash
 # Checks for actual secrets vs placeholders
-if grep -i "password=" .env.example | grep -v -E "(your-|placeholder|change-)"; then
+if grep -i "password=" .env.example \
  | grep -v -E "(your-|placeholder|change-)"; then
  echo "❌ Potential actual secrets found!"
  exit 1
 fi
@@ -219,13 +238,16 @@ fi
 ## 📈 Statistics
 ### **Current State**
 - **Variables in .env.example**: 111
 - **Actual variables used**: 124
 - **Missing variables**: 13 (auto-fixed)
 - **Unused variables**: 0
 - **Coverage**: 89.5%
 ### **Historical Tracking**
 - **Before linter**: 14 variables, 357 missing
 - **After linter**: 111 variables, 13 missing
 - **Improvement**: 693% increase in coverage
@@ -233,12 +255,15 @@ fi
 ## 🔮 Future Enhancements
 ### **Planned Features**
 - **Environment-specific configs**: `.env.development`, `.env.production`
 - **Type validation**: Validate variable value formats
 - **Dependency tracking**: Track which variables are required together
 - **Documentation generation**: Auto-generate config documentation
 ### **Advanced Validation**
 - **URL validation**: Ensure RPC URLs are properly formatted
 - **File path validation**: Check if referenced paths exist
 - **Value ranges**: Validate numeric variables have reasonable ranges
@@ -277,7 +302,9 @@ The dotenv configuration discipline ensures:
 ✅ **Security**: Ensures no actual secrets in documentation
 ✅ **Maintainability**: Clean, organized, and up-to-date configuration
-This discipline prevents the common problem of configuration drift and ensures that `.env.example` always accurately reflects what the application actually needs.
+This discipline prevents the common problem of configuration drift and ensures
 that `.env.example` always accurately reflects what the application actually
 needs.
 ---
--- a/scripts/blockchain-communication-test.sh
+++ b/scripts/blockchain-communication-test.sh
@@ -7,11 +7,14 @@
 set -e
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
 # Configuration
 GENESIS_IP="10.1.223.40"
 FOLLOWER_IP="<aitbc1-ip>"  # Replace with actual IP
 PORT=8006
-CLI_PATH="/opt/aitbc/aitbc-cli"
+CLI_PATH="${CLI_PATH:-${REPO_ROOT}/aitbc-cli}"
 LOG_DIR="/var/log/aitbc"
 LOG_FILE="${LOG_DIR}/blockchain-communication-test.log"
 MONITOR_LOG="${LOG_DIR}/blockchain-monitor.log"
--- a/scripts/testing/test_workflow.sh
+++ b/scripts/testing/test_workflow.sh
@@ -2,17 +2,22 @@
 # Test Updated Workflow Scripts
 echo "=== Testing Updated Workflow Scripts ==="
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 WORKFLOW_DIR="${REPO_ROOT}/scripts/workflow"
 CLI_PATH="${REPO_ROOT}/aitbc-cli"
 echo "1. Testing wallet creation script..."
-/opt/aitbc/scripts/workflow/04_create_wallet.sh
+"${WORKFLOW_DIR}/04_create_wallet.sh"
 echo ""
 echo "2. Testing final verification script..."
-export WALLET_ADDR=$(/opt/aitbc/aitbc-cli wallet balance aitbc-user 2>/dev/null | grep "Address:" | awk '{print $2}' || echo "")
+export WALLET_ADDR=$("$CLI_PATH" wallet balance aitbc-user 2>/dev/null | grep "Address:" | awk '{print $2}' || echo "")
-/opt/aitbc/scripts/workflow/06_final_verification.sh
+"${WORKFLOW_DIR}/06_final_verification.sh"
 echo ""
 echo "3. Testing transaction manager script..."
-/opt/aitbc/scripts/workflow/09_transaction_manager.sh
+"${WORKFLOW_DIR}/09_transaction_manager.sh"
 echo ""
 echo "✅ All script tests completed!"
--- a/scripts/training/master_training_launcher.sh
+++ b/scripts/training/master_training_launcher.sh
@@ -10,8 +10,7 @@ set -e
 # Training configuration
 TRAINING_PROGRAM="OpenClaw AITBC Mastery Training"
-CLI_PATH="/opt/aitbc/aitbc-cli"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 SCRIPT_DIR="/opt/aitbc/scripts/training"
 LOG_DIR="/var/log/aitbc"
 WALLET_NAME="openclaw-trainee"
--- a/scripts/training/openclaw_cross_node_comm.sh
+++ b/scripts/training/openclaw_cross_node_comm.sh
@@ -7,11 +7,14 @@
 set -e
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 # Configuration
 GENESIS_IP="10.1.223.40"
 FOLLOWER_IP="<aitbc1-ip>"  # To be replaced during live training
 PORT=8006
-CLI_PATH="/opt/aitbc/aitbc-cli"
+CLI_PATH="${CLI_PATH:-${REPO_ROOT}/aitbc-cli}"
 # Colors for output
 RED='\033[0;31m'
--- a/scripts/training/stage4_marketplace_economics.sh
+++ b/scripts/training/stage4_marketplace_economics.sh
@@ -10,7 +10,6 @@ set -e
 # Training configuration
 TRAINING_STAGE="Stage 4: Marketplace & Economic Intelligence"
 CLI_PATH="/opt/aitbc/aitbc-cli"
 LOG_FILE="/var/log/aitbc/training_stage4.log"
 WALLET_NAME="openclaw-trainee"
 WALLET_PASSWORD="trainee123"
--- a/scripts/training/stage5_expert_automation.sh
+++ b/scripts/training/stage5_expert_automation.sh
@@ -10,7 +10,6 @@ set -e
 # Training configuration
 TRAINING_STAGE="Stage 5: Expert Operations & Automation"
 CLI_PATH="/opt/aitbc/aitbc-cli"
 LOG_FILE="/var/log/aitbc/training_stage5.log"
 WALLET_NAME="openclaw-trainee"
 WALLET_PASSWORD="trainee123"
@@ -176,7 +175,7 @@ advanced_scripting() {
    print_status "Advanced Automation Scripting"
    print_status "Creating custom automation script..."
-    cat > /tmp/openclaw_automation.py << 'EOF'
+    cat > /tmp/openclaw_automation.py <<EOF
 #!/usr/bin/env python3
 """
 OpenClaw Advanced Automation Script
@@ -191,6 +190,7 @@ import logging
 # Setup logging
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger(__name__)
 CLI_PATH = "${CLI_PATH}"
 def run_command(cmd):
    """Execute AITBC CLI command and return result"""
@@ -207,13 +207,13 @@ def automated_job_submission():
    logger.info("Starting automated job submission...")
    # Submit inference job
-    success, output, error = run_command("/opt/aitbc/aitbc-cli ai submit --prompt 'Automated analysis'")
+    success, output, error = run_command(f"{CLI_PATH} ai submit --prompt 'Automated analysis'")
    if success:
        logger.info(f"Job submitted successfully: {output}")
        # Monitor job completion
        time.sleep(5)
-        success, output, error = run_command("/opt/aitbc/aitbc-cli ai list --status completed")
+        success, output, error = run_command(f"{CLI_PATH} ai list --status completed")
        logger.info(f"Job monitoring result: {output}")
    else:
        logger.error(f"Job submission failed: {error}")
@@ -223,14 +223,14 @@ def automated_marketplace_monitoring():
    logger.info("Starting marketplace monitoring...")
    # Check marketplace status
-    success, output, error = run_command("/opt/aitbc/aitbc-cli market list")
+    success, output, error = run_command(f"{CLI_PATH} market list")
    if success:
        logger.info(f"Marketplace status: {output}")
        # Simple trading logic - place buy order for low-priced items
        if "test-item" in output:
-            success, output, error = run_command("/opt/aitbc/aitbc-cli market buy --item test-item --price 25")
+            success, output, error = run_command(f"{CLI_PATH} market buy --item test-item --price 25")
            logger.info(f"Buy order placed: {output}")
    else:
        logger.error(f"Marketplace monitoring failed: {error}")
--- a/scripts/training/training_lib.sh
+++ b/scripts/training/training_lib.sh
@@ -6,12 +6,15 @@
 # Version: 1.0
 # Last Updated: 2026-04-02
 TRAINING_LIB_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${TRAINING_LIB_DIR}/../.." && pwd)"
 # ============================================================================
 # CONFIGURATION
 # ============================================================================
 # Default configuration (can be overridden)
-export CLI_PATH="${CLI_PATH:-/opt/aitbc/aitbc-cli}"
+export CLI_PATH="${CLI_PATH:-${REPO_ROOT}/aitbc-cli}"
 export LOG_DIR="${LOG_DIR:-/var/log/aitbc}"
 export WALLET_NAME="${WALLET_NAME:-openclaw-trainee}"
 export WALLET_PASSWORD="${WALLET_PASSWORD:-trainee123}"
--- a/scripts/workflow/04_create_wallet.sh
+++ b/scripts/workflow/04_create_wallet.sh
@@ -4,33 +4,37 @@
 set -e  # Exit on any error
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 CLI_PATH="${REPO_ROOT}/aitbc-cli"
 echo "=== AITBC Wallet Creation (Enhanced CLI) ==="
 echo "1. Pre-creation verification..."
 echo "=== Current wallets on aitbc ==="
-/opt/aitbc/aitbc-cli wallet list
+"$CLI_PATH" wallet list
 echo "2. Creating new wallet on aitbc..."
-/opt/aitbc/aitbc-cli wallet create aitbc-user $(cat /var/lib/aitbc/keystore/.password)
+"$CLI_PATH" wallet create aitbc-user $(cat /var/lib/aitbc/keystore/.password)
 # Get wallet address using CLI
-WALLET_ADDR=$(/opt/aitbc/aitbc-cli wallet balance aitbc-user 2>/dev/null | grep "Address:" | awk '{print $2}' || echo "")
+WALLET_ADDR=$("$CLI_PATH" wallet balance aitbc-user 2>/dev/null | grep "Address:" | awk '{print $2}' || echo "")
 echo "New wallet address: $WALLET_ADDR"
 # Verify wallet was created successfully using CLI
 echo "3. Post-creation verification..."
 echo "=== Updated wallet list ==="
-/opt/aitbc/aitbc-cli wallet list | grep aitbc-user || echo "Wallet not found in list"
+"$CLI_PATH" wallet list | grep aitbc-user || echo "Wallet not found in list"
 echo "=== New wallet details ==="
-/opt/aitbc/aitbc-cli wallet balance aitbc-user
+"$CLI_PATH" wallet balance aitbc-user
 echo "=== All wallets summary ==="
-/opt/aitbc/aitbc-cli wallet list
+"$CLI_PATH" wallet list
 echo "4. Cross-node verification..."
 echo "=== Network status (local) ==="
-/opt/aitbc/aitbc-cli network status 2>/dev/null || echo "Network status not available"
+"$CLI_PATH" network status 2>/dev/null || echo "Network status not available"
 echo "✅ Wallet created successfully using enhanced CLI!"
 echo "Wallet name: aitbc-user"
--- a/scripts/workflow/06_final_verification.sh
+++ b/scripts/workflow/06_final_verification.sh
@@ -4,6 +4,10 @@
 set -e  # Exit on any error
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 CLI_PATH="${REPO_ROOT}/aitbc-cli"
 echo "=== AITBC Multi-Node Blockchain Final Verification ==="
 # Get wallet address (source from wallet creation script)
@@ -34,18 +38,18 @@ echo "Height difference: $HEIGHT_DIFF blocks"
 # Check wallet balance using CLI
 echo "2. Checking aitbc wallet balance..."
 echo "=== aitbc wallet balance (local) ==="
-BALANCE=$(/opt/aitbc/aitbc-cli wallet balance aitbc-user 2>/dev/null | grep "Balance:" | awk '{print $2}' || echo "0")
+BALANCE=$("$CLI_PATH" wallet balance aitbc-user 2>/dev/null | grep "Balance:" | awk '{print $2}' || echo "0")
 echo $BALANCE AIT
 # Get blockchain information using CLI
 echo "3. Blockchain information..."
 echo "=== Chain Information ==="
-/opt/aitbc/aitbc-cli blockchain info
+"$CLI_PATH" blockchain info
 # Network health check using CLI
 echo "4. Network health check..."
 echo "=== Network Status (local) ==="
-/opt/aitbc/aitbc-cli network status 2>/dev/null || echo "Network status not available"
+"$CLI_PATH" network status 2>/dev/null || echo "Network status not available"
 # Service status
 echo "5. Service status..."
--- a/scripts/workflow/09_transaction_manager.sh
+++ b/scripts/workflow/09_transaction_manager.sh
@@ -4,6 +4,10 @@
 echo "=== AITBC Transaction Manager ==="
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 CLI_PATH="${REPO_ROOT}/aitbc-cli"
 # Configuration
 GENESIS_WALLET="aitbc1genesis"
 TARGET_WALLET="aitbc-user"
@@ -21,7 +25,7 @@ fi
 # Get wallet addresses
 echo "2. Getting wallet addresses..."
 GENESIS_ADDR=$(cat /var/lib/aitbc/keystore/aitbc1genesis.json | jq -r '.address')
-TARGET_ADDR=$(/opt/aitbc/aitbc-cli wallet balance aitbc-user 2>/dev/null | grep "Address:" | awk '{print $2}' || echo "")
+TARGET_ADDR=$("$CLI_PATH" wallet balance aitbc-user 2>/dev/null | grep "Address:" | awk '{print $2}' || echo "")
 echo "Genesis address: $GENESIS_ADDR"
 echo "Target address: $TARGET_ADDR"
@@ -92,7 +96,7 @@ else
  # Try alternative method using CLI
  echo "7. Trying alternative CLI method..."
  PASSWORD=$(cat $PASSWORD_FILE)
-  /opt/aitbc/aitbc-cli wallet send $GENESIS_WALLET $TARGET_ADDR $AMOUNT $PASSWORD
+  "$CLI_PATH" wallet send $GENESIS_WALLET $TARGET_ADDR $AMOUNT $PASSWORD
 fi
 # Final verification
--- a/tests/integration/integration_test.sh
+++ b/tests/integration/integration_test.sh
@@ -3,7 +3,9 @@
 echo "=== AITBC Integration Tests ==="
-CLI_CMD="/opt/aitbc/aitbc-cli"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 CLI_CMD="${REPO_ROOT}/aitbc-cli"
 # Test 1: Basic connectivity
 echo "1. Testing connectivity..."
@@ -12,24 +14,24 @@ ssh -i ~/.ssh/id_ed25519_aitbc -o StrictHostKeyChecking=no root@aitbc1 'curl -s
 # Test 2: Wallet operations
 echo "2. Testing wallet operations..."
-$CLI_CMD wallet list >/dev/null && echo "✅ Wallet list works" || echo "❌ Wallet list failed"
+"$CLI_CMD" wallet list >/dev/null && echo "✅ Wallet list works" || echo "❌ Wallet list failed"
 # Test 3: Transaction operations
 echo "3. Testing transactions..."
 # Create test wallet
-$CLI_CMD wallet create test-integration --password-file /var/lib/aitbc/keystore/.password >/dev/null && echo "✅ Wallet creation works" || echo "❌ Wallet creation failed"
+"$CLI_CMD" wallet create test-integration --password-file /var/lib/aitbc/keystore/.password >/dev/null && echo "✅ Wallet creation works" || echo "❌ Wallet creation failed"
 # Test 4: Blockchain operations
 echo "4. Testing blockchain operations..."
-$CLI_CMD blockchain info >/dev/null && echo "✅ Chain info works" || echo "❌ Chain info failed"
+"$CLI_CMD" blockchain info >/dev/null && echo "✅ Chain info works" || echo "❌ Chain info failed"
 # Test 5: Enterprise CLI operations
 echo "5. Testing enterprise CLI operations..."
-$CLI_CMD market list >/dev/null && echo "✅ Marketplace CLI works" || echo "❌ Marketplace CLI failed"
+"$CLI_CMD" market list >/dev/null && echo "✅ Marketplace CLI works" || echo "❌ Marketplace CLI failed"
 # Test 6: Mining operations
 echo "6. Testing mining operations..."
-$CLI_CMD mining status >/dev/null && echo "✅ Mining operations work" || echo "❌ Mining operations failed"
+"$CLI_CMD" mining status >/dev/null && echo "✅ Mining operations work" || echo "❌ Mining operations failed"
 # Test 7: AI services
 echo "7. Testing AI services..."
--- a/tests/production/test_error_handling.py
+++ b/tests/production/test_error_handling.py
@@ -5,6 +5,10 @@ Test error handling improvements in AITBC services
 import pytest
 import subprocess
 import time
 from pathlib import Path
 CLI_BIN = Path(__file__).resolve().parents[2] / "aitbc-cli"
 class TestServiceErrorHandling:
@@ -126,7 +130,7 @@ class TestCLIComprehensiveTesting:
    def test_cli_help_command(self):
        """Test CLI help command works"""
        result = subprocess.run(
-            ["/opt/aitbc/aitbc-cli", "--help"],
+            [str(CLI_BIN), "--help"],
            capture_output=True,
            text=True
        )
@@ -136,7 +140,7 @@ class TestCLIComprehensiveTesting:
    def test_cli_system_command(self):
        """Test CLI system command works"""
        result = subprocess.run(
-            ["/opt/aitbc/aitbc-cli", "system", "status"],
+            [str(CLI_BIN), "system", "status"],
            capture_output=True,
            text=True
        )
@@ -146,7 +150,7 @@ class TestCLIComprehensiveTesting:
    def test_cli_chain_command(self):
        """Test CLI chain command works"""
        result = subprocess.run(
-            ["/opt/aitbc/aitbc-cli", "blockchain", "info"],
+            [str(CLI_BIN), "blockchain", "info"],
            capture_output=True,
            text=True
        )
@@ -156,7 +160,7 @@ class TestCLIComprehensiveTesting:
    def test_cli_network_command(self):
        """Test CLI network command works"""
        result = subprocess.run(
-            ["/opt/aitbc/aitbc-cli", "network", "status"],
+            [str(CLI_BIN), "network", "status"],
            capture_output=True,
            text=True
        )
@@ -166,7 +170,7 @@ class TestCLIComprehensiveTesting:
    def test_cli_wallet_command(self):
        """Test CLI wallet command works"""
        result = subprocess.run(
-            ["/opt/aitbc/aitbc-cli", "wallet", "--help"],
+            [str(CLI_BIN), "wallet", "--help"],
            capture_output=True,
            text=True
        )
@@ -176,7 +180,7 @@ class TestCLIComprehensiveTesting:
    def test_cli_marketplace_list_command(self):
        """Test CLI marketplace list command works"""
        result = subprocess.run(
-            ["/opt/aitbc/aitbc-cli", "market", "list"],
+            [str(CLI_BIN), "market", "list"],
            capture_output=True,
            text=True
        )