fix: remove hardcoded passwords and enhance security in production setup

Security Enhancements:
- Update .gitignore header timestamp to 2026-03-18 for security fixes
- Add CRITICAL SECURITY markers to sensitive sections in .gitignore
- Add comprehensive password file patterns (*.password, *.pass, .password.*)
- Add private key file patterns (*_private_key.txt, *.private, private_key.*)
- Add guardian contract database patterns (*.guardian.db, guardian_contracts/)
- Add multi-chain wallet data patterns (.

.gitignore

@@ -1,6 +1,5 @@
-<<<<<<< Updated upstream
 # AITBC Monorepo ignore rules
-# Updated: 2026-03-03 - Project organization workflow completed
+# Updated: 2026-03-18 - Security fixes for hardcoded passwords
 # Development files organized into dev/ subdirectories
 
 # ===================
@@ -141,7 +140,7 @@ target/
 out/
 
 # ===================
-# Secrets & Credentials
+# Secrets & Credentials (CRITICAL SECURITY)
 # ===================
 *.pem
 *.key
@@ -152,6 +151,19 @@ credentials/
 .secrets
 .gitea_token.sh
 
+# Password files (NEVER commit these)
+*.password
+*.pass
+.password.*
+keystore/.password
+keystore/.password.*
+
+# Private keys and sensitive files
+*_private_key.txt
+*_private_key.json
+private_key.*
+*.private
+
 # ===================
 # Backup Files (organized)
 # ===================
@@ -180,76 +192,6 @@ backup/README.md
 # ===================
 tmp/
 temp/
-=======
-# Python
-__pycache__/
-*.py[cod]
-*$py.class
-*.so
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# Virtual environments
-venv/
-env/
-ENV/
-.venv/
-.env/
-
-# IDEs
-.vscode/
-.idea/
-*.swp
-*.swo
-*~
-
-# OS
-.DS_Store
-.DS_Store?
-._*
-.Spotlight-V100
-.Trashes
-ehthumbs.db
-Thumbs.db
-
-# Logs
-*.log
-logs/
-
-# Database
-*.db
-*.sqlite
-*.sqlite3
-*.db-wal
-*.db-shm
-
-# Configuration with secrets
-.env
-.env.local
-.env.*.local
-config.json
-secrets.json
-
-# Temporary files
-*.tmp
-*.temp
-*.bak
-*.backup
 
 # ===================
 # Environment Files
@@ -334,7 +276,7 @@ tests/fixtures/generated/
 # GPU miner local configs
 scripts/gpu/*.local.py
 
-# Deployment secrets
+# Deployment secrets (CRITICAL SECURITY)
 scripts/deploy/*.secret.*
 infra/nginx/*.local.conf
 
@@ -379,8 +321,10 @@ scripts/service/*
 infra/nginx/nginx-aitbc*.conf
 infra/helm/values/prod/
 infra/helm/values/prod.yaml
-=======
+
+# ===================
 # Node.js
+# ===================
 node_modules/
 npm-debug.log*
 yarn-debug.log*
@@ -419,7 +363,9 @@ ENV/
 env.bak/
 venv.bak/
 
-# AITBC specific
+# ===================
+# AITBC specific (CRITICAL SECURITY)
+# ===================
 data/
 logs/
 *.db
@@ -427,5 +373,15 @@ logs/
 wallet*.json
 keystore/
 certificates/
->>>>>>> Stashed changes
+
-.gitea_token.sh
+# Guardian contract databases (contain spending limits)
+guardian_contracts/
+*.guardian.db
+
+# Multi-chain wallet data
+.wallets/
+.wallets/*
+
+# Agent protocol data
+.agent_data/
+.agent_data/*

docs/beginner/01_getting_started/3_cli.md.backup

@@ -0,0 +1,250 @@
+# AITBC CLI Getting Started Guide
+
+**Complete Command Line Interface Setup and Usage**
+
+## 🚀 **Quick Start**
+
+### Prerequisites
+- Linux system (Debian 13+ recommended)
+- Python 3.13+ installed
+- System access (sudo for initial setup)
+
+### Installation
+```bash
+# 1. Load development environment
+source /opt/aitbc/.env.dev
+
+# 2. Test CLI installation
+aitbc --help
+aitbc version
+
+# 3. Verify services are running
+aitbc-services status
+```
+
+## 🔧 **Development Environment Setup**
+
+### Permission Configuration
+```bash
+# Fix permissions (one-time setup)
+sudo /opt/aitbc/scripts/clean-sudoers-fix.sh
+
+# Test permissions
+/opt/aitbc/scripts/test-permissions.sh
+```
+
+### Environment Variables
+```bash
+# Load development environment
+source /opt/aitbc/.env.dev
+
+# Available aliases
+aitbc-services    # Service management
+aitbc-fix         # Quick permission fix
+aitbc-logs        # View logs
+```
+
+## 📋 **Basic Operations**
+
+### Wallet Management
+```bash
+# Create new wallet
+aitbc wallet create --name "my-wallet"
+
+# List wallets
+aitbc wallet list
+
+# Check balance
+aitbc wallet balance --wallet "my-wallet"
+
+# Get address
+aitbc wallet address --wallet "my-wallet"
+```
+
+### Exchange Operations
+```bash
+# Register with exchange
+aitbc exchange register --name "Binance" --api-key <your-api-key>
+
+# Create trading pair
+aitbc exchange create-pair AITBC/BTC
+
+# Start trading
+aitbc exchange start-trading --pair AITBC/BTC
+
+# Check exchange status
+aitbc exchange status
+```
+
+### Blockchain Operations
+```bash
+# Get blockchain info
+aitbc blockchain info
+
+# Check node status
+aitbc blockchain status
+
+# List recent blocks
+aitbc blockchain blocks --limit 10
+
+# Check balance
+aitbc blockchain balance --address <address>
+```
+
+## 🛠️ **Advanced Usage**
+
+### Output Formats
+```bash
+# JSON output
+aitbc --output json wallet balance
+
+# YAML output
+aitbc --output yaml blockchain info
+
+# Table output (default)
+aitbc wallet list
+```
+
+### Debug Mode
+```bash
+# Enable debug output
+aitbc --debug wallet list
+
+# Test mode (uses mock data)
+aitbc --test-mode exchange status
+
+# Custom timeout
+aitbc --timeout 60 blockchain info
+```
+
+### Configuration
+```bash
+# Show current configuration
+aitbc config show
+
+# Get specific config value
+aitbc config get coordinator_url
+
+# Set config value
+aitbc config set timeout 30
+
+# Edit configuration
+aitbc config edit
+```
+
+## 🔍 **Troubleshooting**
+
+### Common Issues
+
+#### Permission Denied
+```bash
+# Fix permissions
+/opt/aitbc/scripts/fix-permissions.sh
+
+# Test permissions
+/opt/aitbc/scripts/test-permissions.sh
+```
+
+#### Service Not Running
+```bash
+# Check service status
+aitbc-services status
+
+# Restart services
+aitbc-services restart
+
+# View logs
+aitbc-logs
+```
+
+#### Command Not Found
+```bash
+# Check CLI installation
+which aitbc
+
+# Load environment
+source /opt/aitbc/.env.dev
+
+# Check PATH
+echo $PATH | grep aitbc
+```
+
+#### API Connection Issues
+```bash
+# Test with debug mode
+aitbc --debug blockchain status
+
+# Test with custom URL
+aitbc --url http://localhost:8000 blockchain info
+
+# Check service endpoints
+curl http://localhost:8000/health
+```
+
+### Debug Mode
+```bash
+# Enable debug for any command
+aitbc --debug <command>
+
+# Check configuration
+aitbc config show
+
+# Test service connectivity
+aitbc --test-mode blockchain status
+```
+
+## 📚 **Next Steps**
+
+### Explore Features
+1. **Wallet Operations**: Try creating and managing wallets
+2. **Exchange Integration**: Register with exchanges and start trading
+3. **Blockchain Operations**: Explore blockchain features
+4. **Compliance**: Set up KYC/AML verification
+
+### Advanced Topics
+1. **Market Making**: Configure automated trading
+2. **Oracle Integration**: Set up price feeds
+3. **Security**: Implement multi-sig and time-lock
+4. **Development**: Build custom tools and integrations
+
+### Documentation
+- [Complete CLI Reference](../23_cli/README.md)
+- [Testing Procedures](../23_cli/testing.md)
+- [Permission Setup](../23_cli/permission-setup.md)
+- [Exchange Integration](../19_marketplace/exchange_integration.md)
+
+## 🎯 **Tips and Best Practices**
+
+### Development Workflow
+```bash
+# 1. Load environment
+source /opt/aitbc/.env.dev
+
+# 2. Check services
+aitbc-services status
+
+# 3. Test CLI
+aitbc version
+
+# 4. Start development
+aitbc wallet create
+```
+
+### Security Best Practices
+- Use strong passwords for wallet encryption
+- Enable multi-sig for large amounts
+- Keep API keys secure
+- Regular backup of wallets
+- Monitor compliance requirements
+
+### Performance Tips
+- Use appropriate output formats for automation
+- Leverage test mode for development
+- Cache frequently used data
+- Monitor service health
+
+---
+
+**Last Updated**: March 8, 2026  
+**CLI Version**: 0.1.0  
+**Test Coverage**: 67/67 tests passing (100%)

pyproject.toml.backup

@@ -0,0 +1,181 @@
+[tool.pytest.ini_options]
+# Test discovery
+python_files = ["test_*.py", "*_test.py"]
+python_classes = ["Test*"]
+python_functions = ["test_*"]
+
+# Cache directory - prevent root level cache
+cache_dir = "dev/cache/.pytest_cache"
+
+# Test paths to run - include all test directories across the project
+testpaths = [
+    "tests",
+    "apps/blockchain-node/tests",
+    "apps/coordinator-api/tests",
+    "apps/explorer-web/tests",
+    "apps/pool-hub/tests",
+    "apps/wallet-daemon/tests",
+    "apps/zk-circuits/test",
+    "cli/tests",
+    "contracts/test",
+    "packages/py/aitbc-crypto/tests",
+    "packages/py/aitbc-sdk/tests",
+    "packages/solidity/aitbc-token/test",
+    "scripts/test"
+]
+
+# Python path for imports
+pythonpath = [
+    ".",
+    "packages/py/aitbc-crypto/src",
+    "packages/py/aitbc-crypto/tests",
+    "packages/py/aitbc-sdk/src",
+    "packages/py/aitbc-sdk/tests",
+    "apps/coordinator-api/src",
+    "apps/coordinator-api/tests",
+    "apps/wallet-daemon/src",
+    "apps/wallet-daemon/tests",
+    "apps/blockchain-node/src",
+    "apps/blockchain-node/tests",
+    "apps/pool-hub/src",
+    "apps/pool-hub/tests",
+    "apps/explorer-web/src",
+    "apps/explorer-web/tests",
+    "cli",
+    "cli/tests"
+]
+
+# Additional options for local testing
+addopts = [
+    "--verbose",
+    "--tb=short",
+    "--strict-markers",
+    "--disable-warnings",
+    "-ra"
+]
+
+# Custom markers
+markers = [
+    "unit: Unit tests (fast, isolated)",
+    "integration: Integration tests (may require external services)",
+    "slow: Slow running tests",
+    "cli: CLI command tests",
+    "api: API endpoint tests",
+    "blockchain: Blockchain-related tests",
+    "crypto: Cryptography tests",
+    "contracts: Smart contract tests",
+    "e2e: End-to-end tests (full system)",
+    "performance: Performance tests (measure speed/memory)",
+    "security: Security tests (vulnerability scanning)",
+    "gpu: Tests requiring GPU resources",
+    "confidential: Tests for confidential transactions",
+    "multitenant: Multi-tenancy specific tests"
+]
+
+# Environment variables for tests
+env = [
+    "AUDIT_LOG_DIR=/tmp/aitbc-audit",
+    "DATABASE_URL=sqlite:///./test_coordinator.db",
+    "TEST_MODE=true",
+    "SQLITE_DATABASE=sqlite:///./test_coordinator.db"
+]
+
+# Warnings
+filterwarnings = [
+    "ignore::UserWarning",
+    "ignore::DeprecationWarning",
+    "ignore::PendingDeprecationWarning",
+    "ignore::pytest.PytestUnknownMarkWarning",
+    "ignore::pydantic.PydanticDeprecatedSince20",
+    "ignore::sqlalchemy.exc.SADeprecationWarning"
+]
+
+# Asyncio configuration
+asyncio_default_fixture_loop_scope = "function"
+
+# Import mode
+import_mode = "append"
+
+[project]
+name = "aitbc-cli"
+version = "0.1.0"
+description = "AITBC Command Line Interface Tools"
+authors = [
+    {name = "AITBC Team", email = "team@aitbc.net"}
+]
+readme = "cli/README.md"
+license = "MIT"
+requires-python = ">=3.13"
+dependencies = [
+    "click==8.3.1",
+    "httpx==0.28.1",
+    "pydantic==2.12.5",
+    "pyyaml==6.0.3",
+    "rich==13.7.0",
+    "keyring==25.7.0",
+    "cryptography==46.0.5",
+    "click-completion==0.5.2",
+    "tabulate==0.9.0",
+    "colorama==0.4.6",
+    "python-dotenv==1.0.0",
+    "asyncpg==0.31.0",
+    # Dependencies for service module imports (coordinator-api services)
+    "numpy>=1.26.0",
+    "pandas>=2.0.0",
+    "aiohttp>=3.9.0",
+    "fastapi>=0.111.0",
+    "uvicorn[standard]>=0.30.0"
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Operating System :: OS Independent",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+    "Topic :: System :: Distributed Computing",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest==9.0.2",
+    "pytest-asyncio==0.21.1",
+    "pytest-cov==7.0.0",
+    "pytest-mock==3.15.1",
+    "black==24.3.0",
+"isort==8.0.1",
+    "ruff==0.15.5",
+    "mypy==1.8.0",
+    "bandit==1.7.5",
+    "types-requests==2.31.0",
+    "types-setuptools==69.0.0",
+    "types-PyYAML==6.0.12",
+    "sqlalchemy[mypy]==2.0.25"
+]
+
+[project.scripts]
+aitbc = "aitbc_cli.main:cli"
+
+[project.urls]
+Homepage = "https://aitbc.net"
+Repository = "https://github.com/aitbc/aitbc"
+Documentation = "https://docs.aitbc.net"
+
+[build-system]
+requires = ["setuptools>=61.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[tool.setuptools.packages.find]
+where = ["cli", "apps/coordinator-api"]
+include = ["aitbc_cli*", "aitbc*"]
+
+[tool.setuptools.package-dir]
+"aitbc_cli" = "cli/aitbc_cli"
+"aitbc" = "apps/coordinator-api/aitbc"
+
+[dependency-groups]
+dev = [
+    "mypy (>=1.19.1,<2.0.0)"
+]

scripts/deploy/.env.deploy.example

@@ -0,0 +1,36 @@
+# AITBC Deployment Configuration Template
+# Copy this file to .env.deploy and fill in your actual values
+# NEVER commit the actual .env.deploy file with real credentials
+
+# === REQUIRED DEPLOYMENT SETTINGS ===
+CONTAINER_NAME="aitbc"
+CONTAINER_IP="YOUR_CONTAINER_IP"
+PROJECT_DIR="/path/to/your/aitbc"
+SSH_ALIAS="your-ssh-alias"
+SSH_KEY_PATH="/path/to/your/private/key"
+
+# === OPTIONAL SECURITY SETTINGS ===
+# SSH connection timeout (seconds)
+SSH_TIMEOUT=30
+
+# Backup settings
+CREATE_BACKUP=true
+BACKUP_RETENTION_DAYS=7
+
+# Service restart settings
+RESTART_SERVICES=true
+SERVICE_STARTUP_TIMEOUT=60
+
+# === EXAMPLE VALUES ===
+# CONTAINER_NAME="aitbc"
+# CONTAINER_IP="192.168.1.100"
+# PROJECT_DIR="/home/user/aitbc"
+# SSH_ALIAS="user@container-ip"
+# SSH_KEY_PATH="/home/user/.ssh/id_rsa"
+
+# === SECURITY NOTES ===
+# 1. Never commit this file with real credentials
+# 2. Use SSH keys instead of passwords
+# 3. Restrict file permissions: chmod 600 .env.deploy
+# 4. Use SSH config file for complex connection settings
+# 5. Consider using a secrets management system for production

scripts/implement-agent-protocols.sh

@@ -352,7 +352,11 @@ class MessageProtocol:
     
     def _generate_key(self) -> bytes:
         """Generate encryption key"""
-        password = os.environ.get('AITBC_AGENT_PROTOCOL_KEY', b"default-key-change-in-production")
+        # SECURITY FIX: Use environment variable instead of hardcoded default
+        password = os.environ.get('AITBC_AGENT_PROTOCOL_KEY')
+        if not password:
+            raise ValueError("❌ SECURITY: AITBC_AGENT_PROTOCOL_KEY environment variable required")
+        
         salt = os.environ.get('AITBC_AGENT_PROTOCOL_SALT', b"aitbc-salt-agent-protocol")
         if isinstance(password, str):
             password = password.encode()

scripts/setup_production.py

@@ -40,9 +40,19 @@ def main():
     # 1. Keystore directory and password
     run(f"mkdir -p {KEYS_DIR}")
     run(f"chown -R aitbc:aitbc {KEYS_DIR}")
+    
+    # SECURITY FIX: Use environment variable instead of hardcoded password
     if not PASSWORD_FILE.exists():
-        run(f"openssl rand -hex 32 > {PASSWORD_FILE}")
+        password = os.environ.get("AITBC_KEYSTORE_PASSWORD")
-        run(f"chmod 600 {PASSWORD_FILE}")
+        if not password:
+            # Generate secure random password if not provided
+            run(f"openssl rand -hex 32 > {PASSWORD_FILE}")
+            run(f"chmod 600 {PASSWORD_FILE}")
+        else:
+            # Use provided password from environment
+            PASSWORD_FILE.write_text(password)
+            run(f"chmod 600 {PASSWORD_FILE}")
+    
     os.environ["KEYSTORE_PASSWORD"] = PASSWORD_FILE.read_text().strip()
 
     # 2. Generate keystores