Remove restrictive systemd security settings across multiple services and add ProtectSystem=no for SQLite WAL mode compatibility

- Remove ProtectSystem=strict and ReadWritePaths from agent-daemon, gpu, learning, marketplace, modality-optimization, monitor, multimodal, and openclaw services
- Add ProtectSystem=no to coordinator-api, exchange-api, and explorer services to allow database writes for SQLite WAL mode
- Retain NoNewPrivileges and ProtectHome security settings across all services

systemd/aitbc-agent-daemon.service

@@ -29,9 +29,7 @@ StandardError=journal
 # Security settings
 NoNewPrivileges=true
 PrivateTmp=true
-ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/var/lib/aitbc/data /var/lib/aitbc/keystore
 
 [Install]
 WantedBy=multi-user.target

systemd/aitbc-coordinator-api.service

@@ -14,5 +14,8 @@ RestartSec=5
 StandardOutput=journal
 StandardError=journal
 
+# Allow database writes for SQLite WAL mode
+ProtectSystem=no
+
 [Install]
 WantedBy=multi-user.target

systemd/aitbc-exchange-api.service

@@ -16,5 +16,8 @@ StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=aitbc-exchange-api
 
+# Allow database writes for SQLite WAL mode
+ProtectSystem=no
+
 [Install]
 WantedBy=multi-user.target

systemd/aitbc-explorer.service

@@ -15,5 +15,8 @@ StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=aitbc-explorer
 
+# Allow database writes for SQLite WAL mode
+ProtectSystem=no
+
 [Install]
 WantedBy=multi-user.target

systemd/aitbc-gpu.service

@@ -32,9 +32,7 @@ SyslogIdentifier=aitbc-marketplace
 
 # Production security
 NoNewPrivileges=true
-ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/var/lib/aitbc/data/marketplace /var/log/aitbc/marketplace
 
 # Production performance
 LimitNOFILE=65536

systemd/aitbc-learning.service

@@ -24,9 +24,7 @@ SyslogIdentifier=aitbc-adaptive-learning
 
 # Security
 NoNewPrivileges=true
-ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/home/oib/aitbc/apps/coordinator-api
 
 [Install]
 WantedBy=multi-user.target

systemd/aitbc-marketplace.service

@@ -34,9 +34,7 @@ SyslogIdentifier=aitbc-marketplace-production
 
 # Production security
 NoNewPrivileges=true
-ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/var/lib/aitbc/data/marketplace /var/log/aitbc/production/marketplace
 
 # Production performance
 LimitNOFILE=65536

systemd/aitbc-modality-optimization.service

@@ -25,9 +25,7 @@ SyslogIdentifier=aitbc-modality-optimization
 
 # Security
 NoNewPrivileges=true
-ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/opt/aitbc/apps/coordinator-api /opt/aitbc/venv
 
 [Install]
 WantedBy=multi-user.target

systemd/aitbc-monitor.service

@@ -26,9 +26,7 @@ SyslogIdentifier=aitbc-monitor
 
 # Production security
 NoNewPrivileges=true
-ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/var/lib/aitbc/data /var/log/aitbc
 
 # Production performance
 LimitNOFILE=65536

systemd/aitbc-multimodal.service

@@ -25,9 +25,7 @@ SyslogIdentifier=aitbc-multimodal
 
 # Security
 NoNewPrivileges=true
-ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/opt/aitbc/apps/coordinator-api /opt/aitbc/venv
 
 [Install]
 WantedBy=multi-user.target

systemd/aitbc-openclaw.service

@@ -25,9 +25,7 @@ SyslogIdentifier=aitbc-openclaw-enhanced
 
 # Security
 NoNewPrivileges=true
-ProtectSystem=strict
 ProtectHome=true
-ReadWritePaths=/opt/aitbc/apps/coordinator-api /opt/aitbc/venv
 
 [Install]
 WantedBy=multi-user.target