fix: remove hardcoded passwords and enhance security in production setup

Security Enhancements:
- Update .gitignore header timestamp to 2026-03-18 for security fixes
- Add CRITICAL SECURITY markers to sensitive sections in .gitignore
- Add comprehensive password file patterns (*.password, *.pass, .password.*)
- Add private key file patterns (*_private_key.txt, *.private, private_key.*)
- Add guardian contract database patterns (*.guardian.db, guardian_contracts/)
- Add multi-chain wallet data patterns (.

scripts/deploy/.env.deploy.example

@@ -0,0 +1,36 @@
+# AITBC Deployment Configuration Template
+# Copy this file to .env.deploy and fill in your actual values
+# NEVER commit the actual .env.deploy file with real credentials
+
+# === REQUIRED DEPLOYMENT SETTINGS ===
+CONTAINER_NAME="aitbc"
+CONTAINER_IP="YOUR_CONTAINER_IP"
+PROJECT_DIR="/path/to/your/aitbc"
+SSH_ALIAS="your-ssh-alias"
+SSH_KEY_PATH="/path/to/your/private/key"
+
+# === OPTIONAL SECURITY SETTINGS ===
+# SSH connection timeout (seconds)
+SSH_TIMEOUT=30
+
+# Backup settings
+CREATE_BACKUP=true
+BACKUP_RETENTION_DAYS=7
+
+# Service restart settings
+RESTART_SERVICES=true
+SERVICE_STARTUP_TIMEOUT=60
+
+# === EXAMPLE VALUES ===
+# CONTAINER_NAME="aitbc"
+# CONTAINER_IP="192.168.1.100"
+# PROJECT_DIR="/home/user/aitbc"
+# SSH_ALIAS="user@container-ip"
+# SSH_KEY_PATH="/home/user/.ssh/id_rsa"
+
+# === SECURITY NOTES ===
+# 1. Never commit this file with real credentials
+# 2. Use SSH keys instead of passwords
+# 3. Restrict file permissions: chmod 600 .env.deploy
+# 4. Use SSH config file for complex connection settings
+# 5. Consider using a secrets management system for production

scripts/implement-agent-protocols.sh

@@ -352,7 +352,11 @@ class MessageProtocol:
     
     def _generate_key(self) -> bytes:
         """Generate encryption key"""
-        password = os.environ.get('AITBC_AGENT_PROTOCOL_KEY', b"default-key-change-in-production")
+        # SECURITY FIX: Use environment variable instead of hardcoded default
+        password = os.environ.get('AITBC_AGENT_PROTOCOL_KEY')
+        if not password:
+            raise ValueError("❌ SECURITY: AITBC_AGENT_PROTOCOL_KEY environment variable required")
+        
         salt = os.environ.get('AITBC_AGENT_PROTOCOL_SALT', b"aitbc-salt-agent-protocol")
         if isinstance(password, str):
             password = password.encode()

scripts/setup_production.py

@@ -40,9 +40,19 @@ def main():
     # 1. Keystore directory and password
     run(f"mkdir -p {KEYS_DIR}")
     run(f"chown -R aitbc:aitbc {KEYS_DIR}")
+    
+    # SECURITY FIX: Use environment variable instead of hardcoded password
     if not PASSWORD_FILE.exists():
-        run(f"openssl rand -hex 32 > {PASSWORD_FILE}")
-        run(f"chmod 600 {PASSWORD_FILE}")
+        password = os.environ.get("AITBC_KEYSTORE_PASSWORD")
+        if not password:
+            # Generate secure random password if not provided
+            run(f"openssl rand -hex 32 > {PASSWORD_FILE}")
+            run(f"chmod 600 {PASSWORD_FILE}")
+        else:
+            # Use provided password from environment
+            PASSWORD_FILE.write_text(password)
+            run(f"chmod 600 {PASSWORD_FILE}")
+    
     os.environ["KEYSTORE_PASSWORD"] = PASSWORD_FILE.read_text().strip()
 
     # 2. Generate keystores