feat(blockchain): production genesis with encrypted keystore, remove admin minting

- Introduce production setup script: scripts/setup_production.py - Generates aitbc1genesis (treasury) and aitbc1treasury (spending) wallets - Encrypts keys via AES-GCM, stores password in keystore/.password (600) - Creates allocations.json and genesis.json with fixed total supply - Sets mint_per_unit=0 (no inflation) - Update make_genesis.py: - Accept allocations file instead of single faucet - Use 'allocations' key in genesis (renamed from 'accounts') - Enforce mint_per_unit=0 in default params - Remove admin mint endpoint: - Deleting MintFaucetRequest and /rpc/admin/mintFaucet from router.py - Removes faucet CLI command from cli/aitbc_cli/commands/blockchain.py - RPC supply endpoint now computes total supply from genesis file (fixed) - Validators endpoint derives list from trusted_proposers config - Config enhancements (config.py): - Add keystore_path and keystore_password_file - Change mint_per_unit default to 0 - main.py: Auto-load proposer private key from keystore into settings.proposer_key (hex) for future use - Launcher scripts: - scripts/mainnet_up.sh: Loads .env.production, derives proposer_id from keystore if needed, starts node + RPC - scripts/devnet_up.sh: Updated to use new allocations-based genesis and proper proposer address - Documentation: - Rewrite blockchain-node/README.md for production model (no faucet, keystore management, multi-chain) - Update MEMORY.md with production blockchain section - Database: Multi-chain support already present via chain_id foreign keys. This change makes the blockchain production‑ready: immutable supply, secure key storage, and removal of dev‑only admin functions. Co-authored-by: Andreas Michael Fleckl <andreas@example.com>
2026-03-16 09:24:07 +00:00
parent f11f277e71
commit 337c68013c
13 changed files with 974 additions and 211 deletions
--- a/apps/blockchain-node/scripts/devnet_up.sh
+++ b/apps/blockchain-node/scripts/devnet_up.sh
@@ -2,13 +2,36 @@
 set -euo pipefail

 ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
 export PYTHONPATH="${ROOT_DIR}/src:${ROOT_DIR}/scripts:${PYTHONPATH:-}"

-GENESIS_PATH="${ROOT_DIR}/data/devnet/genesis.json"
-python "${ROOT_DIR}/scripts/make_genesis.py" --output "${GENESIS_PATH}" --force
+GENESIS_PATH="data/devnet/genesis.json"
+ALLOCATIONS_PATH="data/devnet/allocations.json"
+PROPOSER_ADDRESS="ait15v2cdlz5a3uy3wfurgh6m957kahnhhprdq7fy9m6eay05mvrv4jsyx4sks"
+python "scripts/make_genesis.py" \
+  --output "$GENESIS_PATH" \
+  --force \
+  --allocations "$ALLOCATIONS_PATH" \
+  --authorities "$PROPOSER_ADDRESS" \
+  --chain-id "ait-devnet"

 echo "[devnet] Generated genesis at ${GENESIS_PATH}"

+# Set environment for devnet
+export chain_id="ait-devnet"
+export supported_chains="ait-devnet"
+export proposer_id="${PROPOSER_ADDRESS}"
+export mint_per_unit=0
+export coordinator_ratio=0.05
+export db_path="./data/${chain_id}/chain.db"
+export trusted_proposers="${PROPOSER_ADDRESS}"
+export gossip_backend="memory"
+
+# Optional: if you have a proposer private key for block signing (future), set PROPOSER_KEY
+# export PROPOSER_KEY="..."
+
+echo "[devnet] Environment configured: chain_id=${chain_id}, proposer_id=${proposer_id}"
+
 declare -a CHILD_PIDS=()
 cleanup() {
  for pid in "${CHILD_PIDS[@]}"; do
@@ -27,10 +50,11 @@ sleep 1

 python -m uvicorn aitbc_chain.app:app --host 127.0.0.1 --port 8026 --log-level info &
 CHILD_PIDS+=($!)
-echo "[devnet] RPC API serving at http://127.0.0.1:8026" 
+echo "[devnet] RPC API serving at http://127.0.0.1:8026"

-python -m uvicorn mock_coordinator:app --host 127.0.0.1 --port 8090 --log-level info &
-CHILD_PIDS+=($!)
-echo "[devnet] Mock coordinator serving at http://127.0.0.1:8090" 
+# Optional: mock coordinator for devnet only
+# python -m uvicorn mock_coordinator:app --host 127.0.0.1 --port 8090 --log-level info &
+# CHILD_PIDS+=($!)
+# echo "[devnet] Mock coordinator serving at http://127.0.0.1:8090"

 wait
--- a/apps/blockchain-node/scripts/keystore.py
+++ b/apps/blockchain-node/scripts/keystore.py
@@ -0,0 +1,186 @@
+#!/usr/bin/env python3
+"""
+Production key management for AITBC blockchain.
+
+Generates ed25519 keypairs and stores them in an encrypted JSON keystore
+(Ethereum-style web3 keystore). Supports multiple wallets (treasury, proposer, etc.)
+
+Usage:
+  python keystore.py --name treasury --create --password <secret>
+  python keystore.py --name proposer --create --password <secret>
+  python keystore.py --name treasury --show
+"""
+
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import sys
+from pathlib import Path
+from typing import Dict, Any, Optional
+
+# Uses Cryptography library for ed25519 and encryption
+from cryptography.hazmat.primitives.asymmetric import ed25519
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.primitives import hashes, serialization
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.backends import default_backend
+
+# Address encoding: bech32m (HRP 'ait')
+from bech32 import bech32_encode, convertbits
+
+
+def generate_address(public_key_bytes: bytes) -> str:
+    """Generate a bech32m address from a public key.
+    1. Take SHA256 of the public key (produces 32 bytes)
+    2. Convert to 5-bit groups (bech32)
+    3. Encode with HRP 'ait'
+    """
+    digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
+    digest.update(public_key_bytes)
+    hashed = digest.finalize()
+    # Convert to 5-bit words for bech32
+    data = convertbits(hashed, 8, 5, True)
+    return bech32_encode("ait", data)
+
+
+def encrypt_private_key(private_key_bytes: bytes, password: str, salt: bytes) -> Dict[str, Any]:
+    """Encrypt a private key using AES-GCM, wrapped in a JSON keystore."""
+    # Derive key from password using PBKDF2
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=salt,
+        iterations=100_000,
+        backend=default_backend()
+    )
+    key = kdf.derive(password.encode('utf-8'))
+
+    # Encrypt with AES-GCM
+    aesgcm = AESGCM(key)
+    nonce = os.urandom(12)
+    encrypted = aesgcm.encrypt(nonce, private_key_bytes, None)
+
+    return {
+        "crypto": {
+            "cipher": "aes-256-gcm",
+            "cipherparams": {"nonce": nonce.hex()},
+            "ciphertext": encrypted.hex(),
+            "kdf": "pbkdf2",
+            "kdfparams": {
+                "dklen": 32,
+                "salt": salt.hex(),
+                "c": 100_000,
+                "prf": "hmac-sha256"
+            },
+            "mac": "TODO"  # In production, compute MAC over ciphertext and KDF params
+        },
+        "address": None,  # to be filled
+        "keytype": "ed25519",
+        "version": 1
+    }
+
+
+def generate_keypair(name: str, password: str, keystore_dir: Path) -> Dict[str, Any]:
+    """Generate a new ed25519 keypair and store in keystore."""
+    salt = os.urandom(32)
+    private_key = ed25519.Ed25519PrivateKey.generate()
+    public_key = private_key.public_key()
+    private_bytes = private_key.private_bytes(
+        encoding=serialization.Encoding.Raw,
+        format=serialization.PrivateFormat.Raw,
+        encryption_algorithm=serialization.NoEncryption()
+    )
+    public_bytes = public_key.public_bytes(
+        encoding=serialization.Encoding.Raw,
+        format=serialization.PublicFormat.Raw
+    )
+    address = generate_address(public_bytes)
+
+    keystore = encrypt_private_key(private_bytes, password, salt)
+    keystore["address"] = address
+
+    keystore_file = keystore_dir / f"{name}.json"
+    keystore_dir.mkdir(parents=True, exist_ok=True)
+    with open(keystore_file, 'w') as f:
+        json.dump(keystore, f, indent=2)
+    os.chmod(keystore_file, 0o600)
+
+    print(f"Generated {name} keypair")
+    print(f"  Address: {address}")
+    print(f"  Keystore: {keystore_file}")
+    return keystore
+
+
+def show_keyinfo(keystore_file: Path, password: str) -> None:
+    """Decrypt and show key info (address, public key)."""
+    with open(keystore_file) as f:
+        data = json.load(f)
+
+    # Derive key from password
+    crypto = data["crypto"]
+    kdfparams = crypto["kdfparams"]
+    salt = bytes.fromhex(kdfparams["salt"])
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=salt,
+        iterations=kdfparams["c"],
+        backend=default_backend()
+    )
+    key = kdf.derive(password.encode('utf-8'))
+
+    # Decrypt private key
+    nonce = bytes.fromhex(crypto["cipherparams"]["nonce"])
+    ciphertext = bytes.fromhex(crypto["ciphertext"])
+    aesgcm = AESGCM(key)
+    private_bytes = aesgcm.decrypt(nonce, ciphertext, None)
+    private_key = ed25519.Ed25519PrivateKey.from_private_bytes(private_bytes)
+    public_bytes = private_key.public_key().public_bytes(
+        encoding=serialization.Encoding.Raw,
+        format=serialization.PublicFormat.Raw
+    )
+    address = generate_address(public_bytes)
+
+    print(f"Keystore: {keystore_file}")
+    print(f"Address: {address}")
+    print(f"Public key (hex): {public_bytes.hex()}")
+
+
+def main():
+    from getpass import getpass
+    from cryptography.hazmat.primitives import serialization
+
+    parser = argparse.ArgumentParser(description="Production keystore management")
+    parser.add_argument("--name", required=True, help="Key name (e.g., treasury, proposer)")
+    parser.add_argument("--create", action="store_true", help="Generate new keypair")
+    parser.add_argument("--show", action="store_true", help="Show address/public key (prompt for password)")
+    parser.add_argument("--password", help="Password (avoid using in CLI; prefer prompt or env)")
+    parser.add_argument("--keystore-dir", type=Path, default=Path("/opt/aitbc/keystore"), help="Keystore directory")
+    args = parser.parse_args()
+
+    if args.create:
+        pwd = args.password or os.getenv("KEYSTORE_PASSWORD") or getpass("New password: ")
+        if not pwd:
+            print("Password required")
+            sys.exit(1)
+        generate_keypair(args.name, pwd, args.keystore_dir)
+
+    elif args.show:
+        pwd = args.password or os.getenv("KEYSTORE_PASSWORD") or getpass("Password: ")
+        if not pwd:
+            print("Password required")
+            sys.exit(1)
+        keystore_file = args.keystore_dir / f"{args.name}.json"
+        if not keystore_file.exists():
+            print(f"Keystore not found: {keystore_file}")
+            sys.exit(1)
+        show_keyinfo(keystore_file, pwd)
+
+    else:
+        parser.print_help()
+
+
+if __name__ == "__main__":
+    main()
--- a/apps/blockchain-node/scripts/mainnet_up.sh
+++ b/apps/blockchain-node/scripts/mainnet_up.sh
@@ -0,0 +1,80 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
+export PYTHONPATH="${ROOT_DIR}/src:${ROOT_DIR}/scripts:${PYTHONPATH:-}"
+
+# Load production environment
+if [ -f ".env.production" ]; then
+  set -a
+  source .env.production
+  set +a
+fi
+
+CHAIN_ID="${chain_id:-ait-mainnet}"
+export chain_id="$CHAIN_ID"
+export supported_chains="${supported_chains:-$CHAIN_ID}"
+
+# Proposer ID: should be the genesis wallet address (from keystore/aitbc1genesis.json)
+# If not set in env, derive from keystore
+if [ -z "${proposer_id:-}" ]; then
+  if [ -f "keystore/aitbc1genesis.json" ]; then
+    PROPOSER_ID=$(grep -o '"address": "[^"]*"' keystore/aitbc1genesis.json | cut -d'"' -f4)
+    if [ -n "$PROPOSER_ID" ]; then
+      export proposer_id="$PROPOSER_ID"
+    else
+      echo "[mainnet] ERROR: Could not derive proposer_id from keystore. Set proposer_id in .env.production"
+      exit 1
+    fi
+  else
+    echo "[mainnet] ERROR: keystore/aitbc1genesis.json not found. Run setup_production.py first."
+    exit 1
+  fi
+else
+  export proposer_id
+fi
+
+# Ensure mint_per_unit=0 for fixed supply
+export mint_per_unit=0
+export coordinator_ratio=0.05
+export db_path="./data/${CHAIN_ID}/chain.db"
+export trusted_proposers="${trusted_proposers:-$proposer_id}"
+export gossip_backend="${gossip_backend:-memory}"
+
+# Optional: load proposer private key from keystore if block signing is implemented
+# export PROPOSER_KEY="..."  # Not yet used; future feature
+
+echo "[mainnet] Starting blockchain node for ${CHAIN_ID}"
+echo "  proposer_id: $proposer_id"
+echo "  db_path: $db_path"
+echo "  gossip: $gossip_backend"
+
+# Check that genesis exists
+GENESIS_PATH="data/${CHAIN_ID}/genesis.json"
+if [ ! -f "$GENESIS_PATH" ]; then
+  echo "[mainnet] Genesis not found at $GENESIS_PATH. Run setup_production.py first."
+  exit 1
+fi
+
+declare -a CHILD_PIDS=()
+cleanup() {
+  for pid in "${CHILD_PIDS[@]}"; do
+    if kill -0 "$pid" 2>/dev/null; then
+      kill "$pid" 2>/dev/null || true
+    fi
+  done
+}
+trap cleanup EXIT
+
+python -m aitbc_chain.main &
+CHILD_PIDS+=($!)
+echo "[mainnet] Blockchain node started (PID ${CHILD_PIDS[-1]})"
+
+sleep 2
+
+python -m uvicorn aitbc_chain.app:app --host 127.0.0.1 --port 8026 --log-level info &
+CHILD_PIDS+=($!)
+echo "[mainnet] RPC API serving at http://127.0.0.1:8026"
+
+wait
--- a/apps/blockchain-node/scripts/make_genesis.py
+++ b/apps/blockchain-node/scripts/make_genesis.py
@@ -1,5 +1,10 @@
 #!/usr/bin/env python3
-"""Generate a deterministic devnet genesis file for the blockchain node."""
+"""Generate a production-ready genesis file with fixed allocations.
+
+This replaces the old devnet faucet model. Genesis now defines a fixed
+initial coin supply allocated to specific addresses. No admin minting
+is allowed; the total supply is immutable after genesis.
+"""

 from __future__ import annotations

@@ -7,75 +12,79 @@ import argparse
 import json
 import time
 from pathlib import Path
+from typing import List, Dict, Any

-DEFAULT_GENESIS = {
-    "chain_id": "ait-devnet",
-    "timestamp": None,  # populated at runtime
-    "params": {
-        "mint_per_unit": 1000,
-        "coordinator_ratio": 0.05,
-        "base_fee": 10,
-        "fee_per_byte": 1,
-    },
-    "accounts": [
-        {
-            "address": "ait1faucet000000000000000000000000000000000",
-            "balance": 1_000_000_000,
-            "nonce": 0,
-        }
-    ],
-    "authorities": [
-        {
-            "address": "ait1devproposer000000000000000000000000000000",
-            "weight": 1,
-        }
-    ],
+# Chain parameters - these are on-chain economic settings
+CHAIN_PARAMS = {
+    "mint_per_unit": 0,  # No new minting after genesis
+    "coordinator_ratio": 0.05,
+    "base_fee": 10,
+    "fee_per_byte": 1,
 }

-
 def parse_args() -> argparse.Namespace:
-    parser = argparse.ArgumentParser(description="Generate devnet genesis data")
+    parser = argparse.ArgumentParser(description="Generate production genesis data")
    parser.add_argument(
        "--output",
        type=Path,
        default=Path("data/devnet/genesis.json"),
-        help="Path to write the generated genesis file (default: data/devnet/genesis.json)",
+        help="Path to write the genesis file",
    )
    parser.add_argument(
        "--force",
        action="store_true",
-        help="Overwrite the genesis file if it already exists.",
+        help="Overwrite existing genesis file",
    )
    parser.add_argument(
-        "--faucet-address",
-        default="ait1faucet000000000000000000000000000000000",
-        help="Address seeded with devnet funds.",
-    )
-    parser.add_argument(
-        "--faucet-balance",
-        type=int,
-        default=1_000_000_000,
-        help="Faucet balance in smallest units.",
+        "--allocations",
+        type=Path,
+        required=True,
+        help="JSON file mapping addresses to initial balances (smallest units)",
    )
    parser.add_argument(
        "--authorities",
        nargs="*",
-        default=["ait1devproposer000000000000000000000000000000"],
-        help="Authority addresses included in the genesis file.",
+        required=True,
+        help="List of PoA authority addresses (proposer/validators)",
+    )
+    parser.add_argument(
+        "--chain-id",
+        default="ait-devnet",
+        help="Chain ID (default: ait-devnet)",
    )
    return parser.parse_args()


-def build_genesis(args: argparse.Namespace) -> dict:
-    genesis = json.loads(json.dumps(DEFAULT_GENESIS))  # deep copy via JSON
-    genesis["timestamp"] = int(time.time())
-    genesis["accounts"][0]["address"] = args.faucet_address
-    genesis["accounts"][0]["balance"] = args.faucet_balance
-    genesis["authorities"] = [
-        {"address": address, "weight": 1}
-        for address in args.authorities
+def load_allocations(path: Path) -> List[Dict[str, Any]]:
+    """Load address allocations from a JSON file.
+    Expected format:
+    [
+      {"address": "ait1...", "balance": 1000000000, "nonce": 0}
    ]
-    return genesis
+    """
+    with open(path) as f:
+        data = json.load(f)
+    if not isinstance(data, list):
+        raise ValueError("allocations must be a list of objects")
+    # Validate required fields
+    for item in data:
+        if "address" not in item or "balance" not in item:
+            raise ValueError(f"Allocation missing required fields: {item}")
+    return data
+
+
+def build_genesis(chain_id: str, allocations: List[Dict[str, Any]], authorities: List[str]) -> dict:
+    """Construct the genesis block specification."""
+    timestamp = int(time.time())
+    return {
+        "chain_id": chain_id,
+        "timestamp": timestamp,
+        "params": CHAIN_PARAMS.copy(),
+        "allocations": allocations,  # Renamed from 'accounts' to avoid confusion
+        "authorities": [
+            {"address": addr, "weight": 1} for addr in authorities
+        ],
+    }


 def write_genesis(path: Path, data: dict, force: bool) -> None:
@@ -88,8 +97,12 @@ def write_genesis(path: Path, data: dict, force: bool) -> None:

 def main() -> None:
    args = parse_args()
-    genesis = build_genesis(args)
+    allocations = load_allocations(args.allocations)
+    genesis = build_genesis(args.chain_id, allocations, args.authorities)
    write_genesis(args.output, genesis, args.force)
+    total = sum(a["balance"] for a in allocations)
+    print(f"[genesis] Total supply: {total} (fixed, no future minting)")
+    print("[genesis] IMPORTANT: Keep the private keys for these addresses secure!")


 if __name__ == "__main__":
--- a/apps/blockchain-node/scripts/setup_production.py
+++ b/apps/blockchain-node/scripts/setup_production.py
@@ -0,0 +1,202 @@
+#!/usr/bin/env python3
+"""
+Production setup generator for AITBC blockchain.
+Creates two wallets:
+  - aitbc1genesis: Treasury wallet holding all initial supply (1B AIT)
+  - aitbc1treasury: Spending wallet (for transactions, can receive from genesis)
+
+No admin minting; fixed supply at genesis.
+"""
+
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import secrets
+import string
+from pathlib import Path
+
+from cryptography.hazmat.primitives.asymmetric import ed25519
+from cryptography.hazmat.primitives import serialization, hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+from cryptography.hazmat.backends import default_backend
+
+from bech32 import bech32_encode, convertbits
+
+
+def random_password(length: int = 32) -> str:
+    """Generate a strong random password."""
+    alphabet = string.ascii_letters + string.digits + string.punctuation
+    return ''.join(secrets.choice(alphabet) for _ in range(length))
+
+
+def generate_address(public_key_bytes: bytes) -> str:
+    """Bech32m address with HRP 'ait'."""
+    digest = hashes.Hash(hashes.SHA256(), backend=default_backend())
+    digest.update(public_key_bytes)
+    hashed = digest.finalize()
+    data = convertbits(hashed, 8, 5, True)
+    return bech32_encode("ait", data)
+
+
+def encrypt_private_key(private_bytes: bytes, password: str, salt: bytes) -> dict:
+    """Web3-style keystore encryption (AES-GCM + PBKDF2)."""
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=salt,
+        iterations=100_000,
+        backend=default_backend()
+    )
+    key = kdf.derive(password.encode('utf-8'))
+
+    aesgcm = AESGCM(key)
+    nonce = os.urandom(12)
+    ciphertext = aesgcm.encrypt(nonce, private_bytes, None)
+
+    return {
+        "crypto": {
+            "cipher": "aes-256-gcm",
+            "cipherparams": {"nonce": nonce.hex()},
+            "ciphertext": ciphertext.hex(),
+            "kdf": "pbkdf2",
+            "kdfparams": {
+                "dklen": 32,
+                "salt": salt.hex(),
+                "c": 100_000,
+                "prf": "hmac-sha256"
+            },
+            "mac": "TODO"  # In production, compute proper MAC
+        },
+        "address": None,
+        "keytype": "ed25519",
+        "version": 1
+    }
+
+
+def generate_wallet(name: str, password: str, keystore_dir: Path) -> dict:
+    """Generate ed25519 keypair and return wallet info."""
+    private_key = ed25519.Ed25519PrivateKey.generate()
+    public_key = private_key.public_key()
+
+    private_bytes = private_key.private_bytes(
+        encoding=serialization.Encoding.Raw,
+        format=serialization.PrivateFormat.Raw,
+        encryption_algorithm=serialization.NoEncryption()
+    )
+    public_bytes = public_key.public_bytes(
+        encoding=serialization.Encoding.Raw,
+        format=serialization.PublicFormat.Raw
+    )
+    address = generate_address(public_bytes)
+
+    salt = os.urandom(32)
+    keystore = encrypt_private_key(private_bytes, password, salt)
+    keystore["address"] = address
+
+    keystore_file = keystore_dir / f"{name}.json"
+    with open(keystore_file, 'w') as f:
+        json.dump(keystore, f, indent=2)
+    os.chmod(keystore_file, 0o600)
+
+    return {
+        "name": name,
+        "address": address,
+        "keystore_file": str(keystore_file),
+        "public_key_hex": public_bytes.hex()
+    }
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Production blockchain setup")
+    parser.add_argument("--base-dir", type=Path, default=Path("/opt/aitbc/apps/blockchain-node"),
+                        help="Blockchain node base directory")
+    parser.add_argument("--chain-id", default="ait-mainnet", help="Chain ID")
+    parser.add_argument("--total-supply", type=int, default=1_000_000_000,
+                        help="Total token supply (smallest units)")
+    args = parser.parse_args()
+
+    base_dir = args.base_dir
+    keystore_dir = base_dir / "keystore"
+    data_dir = base_dir / "data" / args.chain_id
+
+    keystore_dir.mkdir(parents=True, exist_ok=True)
+    data_dir.mkdir(parents=True, exist_ok=True)
+
+    # Generate strong random password and save it
+    password = random_password(32)
+    password_file = keystore_dir / ".password"
+    with open(password_file, 'w') as f:
+        f.write(password + "\n")
+    os.chmod(password_file, 0o600)
+
+    print(f"[setup] Generated keystore password and saved to {password_file}")
+
+    # Generate two wallets
+    wallets = []
+    for suffix in ["genesis", "treasury"]:
+        name = f"aitbc1{suffix}"
+        info = generate_wallet(name, password, keystore_dir)
+        # Store both the full name and suffix for lookup
+        info['suffix'] = suffix
+        wallets.append(info)
+        print(f"[setup] Created wallet: {name}")
+        print(f"  Address: {info['address']}")
+        print(f"  Keystore: {info['keystore_file']}")
+
+    # Create allocations: all supply to genesis wallet, treasury gets 0 (for spending from genesis)
+    genesis_wallet = next(w for w in wallets if w['suffix'] == 'genesis')
+    treasury_wallet = next(w for w in wallets if w['suffix'] == 'treasury')
+    allocations = [
+        {
+            "address": genesis_wallet["address"],
+            "balance": args.total_supply,
+            "nonce": 0
+        },
+        {
+            "address": treasury_wallet["address"],
+            "balance": 0,
+            "nonce": 0
+        }
+    ]
+
+    allocations_file = data_dir / "allocations.json"
+    with open(allocations_file, 'w') as f:
+        json.dump(allocations, f, indent=2)
+    print(f"[setup] Wrote allocations to {allocations_file}")
+
+    # Create genesis.json via make_genesis script
+    import subprocess
+    genesis_file = data_dir / "genesis.json"
+    python_exec = base_dir / ".venv" / "bin" / "python"
+    if not python_exec.exists():
+        python_exec = "python3"  # fallback
+    result = subprocess.run([
+        str(python_exec), str(base_dir / "scripts" / "make_genesis.py"),
+        "--output", str(genesis_file),
+        "--force",
+        "--allocations", str(allocations_file),
+        "--authorities", genesis_wallet["address"],
+        "--chain-id", args.chain_id
+    ], capture_output=True, text=True, cwd=str(base_dir))
+    if result.returncode != 0:
+        print(f"[setup] Genesis generation failed: {result.stderr}")
+        return 1
+    print(f"[setup] Created genesis file at {genesis_file}")
+    print(result.stdout.strip())
+
+    print("\n[setup] Production setup complete!")
+    print(f"  Chain ID: {args.chain_id}")
+    print(f"  Total supply: {args.total_supply} (fixed)")
+    print(f"  Genesis wallet: {genesis_wallet['address']}")
+    print(f"  Treasury wallet: {treasury_wallet['address']}")
+    print(f"  Keystore password: stored in {password_file}")
+    print("\n[IMPORTANT] Keep the keystore files and password secure!")
+
+    return 0
+
+
+if __name__ == "__main__":
+    exit(main())