# MEMORY.md

## Weekly Summary (2026-03-23 to 2026-03-29)

**Consolidated:** 2026-03-23 21:56 UTC
**Archived:** memory/archive/2026-03/{23}.md

### Key Decisions

- Continued security hardening with ongoing vulnerability monitoring
- Kept the blockchain development focus despite pending dependency updates
- Continued the synchronization effort between the aitbc and aitbc1 nodes

### Learnings

- Security hardening requires continuous monitoring and updates
- Dependency updates are ongoing but non-critical for core functionality
- Blockchain development benefits from consistent peer review and coordination

### Important Facts

- Python 3.13.5
- Debian Trixie
- aitbc server: 10.1.223.93 (secondary development node, Matrix user: aitbc)
- aitbc1 server: 10.1.223.40 (primary development node, Matrix user: aitbc1)
- Both connected via Redis pub/sub (10.1.223.40:6379)

### Action Items

- Patched critical pickle deserialization bypass with module origin verification
- Hardened Matrix agent configuration (explicit user allowlist, requireMention=true, groupPolicy=allowlist)
- Implemented claim TTL (2 hours) to prevent stale locks
- Integrated vulnerability scanning into dev_heartbeat.py
- Bound blockchain RPC to localhost only (127.0.0.1)
- Tightened wallet file permissions to 600
- Added optional API key middleware to Coordinator API
- Fixed poetry lock file inconsistency and updated mypy dependency
- Committed mempool drain logging change to poa.py
- Restarted services after security hardening
- Monitored 16 outdated packages (coverage, fastapi, jaraco-context, platformdirs, pydantic-core, pytest-asyncio, pytest-cov, python-dotenv, rich, ruff, and others)
- Addressed uncommitted changes in blockchain consensus and RPC modules

## Blockchain Project Status (2026-03-19)

### Servers

- **aitbc** (this server): 10.1.223.93, port 8006 RPC, 8005 P2P
- **aitbc1** (peer node): 10.1.223.40, port 8006 RPC
- Both connected via Redis pub/sub (10.1.223.40:6379)

### Current Chain State

- **NOT synchronized**: aitbc at height ~1479, aitbc1 at ~102 (2026-03-19 12:27)
- Both running `ait-mainnet` chain_id
- All genesis accounts (aitbc1genesis, aitbc1treasury) have **0 balance**
- No keystore generated on either server
- Proposer key is dev key `0x00...01` on aitbc

### What's Missing for Gift of 1000 AIT

1. Production genesis not seeded (20M AIT allocation from genesis_prod.yaml never initialized)
2. Chains not synchronized between servers
3. No keystore with decrypted keys
4. No actual AIT tokens exist anywhere

### Code Status (2026-03-19)

- git branch: `aitbc1/7-add-tests-for-aitbc-core-package` (NOT on main or blockchain-production)
- Cherry-picked multi-chain refactor and chain_sync.py onto this branch
- Pushed to `aitbc/sync-chain-changes` (main is protected)
- Service file fixed: combined_main → main
- Services running on aitbc: node (8005), RPC (8006), dev RPC (8025)

## Recent Updates (2026-03-15 to 2026-03-16)

### Security Hardening

- Fixed critical pickle deserialization bypass (`safe_loads`) with module origin verification and a sys.path lock.
- Restricted Matrix agent: explicit user allowlist, requireMention=true, groupPolicy=allowlist.
- Implemented claim TTL (2 hours) to prevent stale locks in multi-agent coordination.
- Integrated vulnerability scanning into `dev_heartbeat.py` (`pip-audit`, `npm audit`).
- Bound blockchain RPC to localhost (127.0.0.1) to reduce exposure.
- Tightened wallet file permissions to 600 (owner read/write only).
- Added optional API key middleware to Coordinator API (`COORDINATOR_API_KEY` env). Optional means the check is off while the variable is unset, so the API stays unauthenticated until the key is configured.

### Files Modified

- `/opt/aitbc/apps/coordinator-api/src/app/services/secure_pickle.py`
- `/opt/aitbc/apps/coordinator-api/src/app/main.py`
- `/root/.openclaw/openclaw.json`
- `/opt/aitbc/scripts/claim-task.py`
- `/opt/aitbc/dev/scripts/dev_heartbeat.py`
- `/opt/aitbc/systemd/aitbc-blockchain-rpc.service`

See `/root/.openclaw/workspace/SECURITY_HARDENING_SUMMARY.md` for full details and restart instructions.
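The `safe_loads` fix above rests on two ideas: a name allowlist alone is not enough, because an allowlisted module name is resolved through `sys.path`, so a same-named module planted on the search path would be accepted; and the search path itself must not change after startup. The block below is an added example of that technique, written for this note; it is not the project's `secure_pickle.py`, and the allowlist contents, the choice of the interpreter's stdlib directories as the trusted roots, and the `planted_mod`/`Payload` names in the constructed scenario are assumptions.

```python
"""Restricted unpickling with module-origin verification and a sys.path lock.

Added example, not the project's secure_pickle.py. Assumed: the allowlist
below and the stdlib directories as the only trusted module origins.
"""
import importlib.util
import io
import os
import pickle
import sys
import sysconfig
import tempfile
from collections import OrderedDict

# Assumed allowlist: (module, qualname) pairs that may be reconstructed.
ALLOWED_GLOBALS = frozenset({
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
})

# Assumed trusted roots: the running interpreter's stdlib directories. A module
# is accepted only if it is built in or its __file__ resolves under one of them,
# so a same-named module found earlier on sys.path fails the check.
TRUSTED_ROOTS = tuple(
    os.path.realpath(sysconfig.get_paths()[key]) for key in ("stdlib", "platstdlib")
)

# sys.path lock: snapshot at import; safe_loads refuses to run if the search
# path changed since, because a new entry could shadow allowlisted modules.
_SYS_PATH_SNAPSHOT = tuple(sys.path)


def sys_path_unchanged():
    return tuple(sys.path) == _SYS_PATH_SNAPSHOT


def module_origin_trusted(module_name):
    """True if the module is built in or was loaded from a trusted root.
    Only already-imported modules are consulted: the unpickler never imports."""
    if module_name in sys.builtin_module_names:
        return True
    mod = sys.modules.get(module_name)
    path = getattr(mod, "__file__", None) if mod is not None else None
    if not path:
        return False
    path = os.path.realpath(path)
    return any(path.startswith(root + os.sep) for root in TRUSTED_ROOTS)


class RestrictedUnpickler(pickle.Unpickler):
    def __init__(self, data, allowed):
        super().__init__(io.BytesIO(data))
        self._allowed = allowed

    def find_class(self, module, name):
        # Name check first, then origin check: an allowlisted name that
        # resolves to an attacker-controlled file is still rejected.
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        if not module_origin_trusted(module):
            raise pickle.UnpicklingError(f"module {module} has an untrusted origin")
        obj = sys.modules[module]
        for part in name.split("."):
            obj = getattr(obj, part)
        return obj


def safe_loads(data, allowed=ALLOWED_GLOBALS):
    if not sys_path_unchanged():
        raise pickle.UnpicklingError("sys.path changed since startup; refusing to unpickle")
    return RestrictedUnpickler(data, allowed).load()


def ordered_dict_roundtrips():
    """Allowlisted global with a stdlib origin loads normally."""
    original = OrderedDict(a=1, b=2)
    return safe_loads(pickle.dumps(original)) == original


def dangerous_global_rejected():
    """The classic os.system payload is stopped by the name allowlist."""
    try:
        safe_loads(pickle.dumps(os.system))
        return False
    except pickle.UnpicklingError:
        return True


def planted_module_rejected():
    """Constructed scenario: a module is planted in a temp dir and imported, its
    class is even added to the allowlist, and the origin check still blocks it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "planted_mod.py")
        with open(src, "w") as fh:
            fh.write("class Payload:\n    pass\n")
        spec = importlib.util.spec_from_file_location("planted_mod", src)
        mod = importlib.util.module_from_spec(spec)
        sys.modules["planted_mod"] = mod
        try:
            spec.loader.exec_module(mod)
            data = pickle.dumps(mod.Payload())
            lax = ALLOWED_GLOBALS | {("planted_mod", "Payload")}
            try:
                safe_loads(data, lax)
                return False
            except pickle.UnpicklingError:
                return True
        finally:
            del sys.modules["planted_mod"]
```

Two caveats a reviewer would want on the record: the origin check only consults `sys.modules`, so a module that is allowlisted but not yet imported is rejected rather than imported on the attacker's behalf (import it at startup if it is needed), and the check is on top of the allowlist, not a substitute for keeping the allowlist small.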
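The claim TTL above addresses one failure mode: an agent claims a task, dies or goes silent, and the task stays locked forever. The block below is an added example of claim semantics with a 2-hour TTL; it is not the project's `claim-task.py`. It assumes an in-memory store and an injectable clock so expiry can be exercised without waiting two hours; the real script's backing store is not shown on this page.

```python
"""Task claims with a 2-hour TTL: added example, not the project's claim-task.py.
Assumed: claims keyed by task id, an in-memory store, an injectable clock."""
import time

CLAIM_TTL_SECONDS = 2 * 60 * 60  # 2 hours, as in the hardening note


class ClaimStore:
    # Wall-clock time is used because claims are shared between hosts; the
    # hosts' clocks must agree to within a small fraction of the TTL.
    def __init__(self, ttl=CLAIM_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._claims = {}  # task_id -> (owner, expires_at)

    def holder(self, task_id):
        """Live holder of the task, or None if unclaimed or the claim expired."""
        entry = self._claims.get(task_id)
        if entry is None or entry[1] <= self._clock():
            return None
        return entry[0]

    def claim(self, task_id, owner):
        """Take the task if it is free or its claim is stale; re-claiming your
        own task renews the TTL. Returns True on success."""
        live = self.holder(task_id)
        if live is not None and live != owner:
            return False
        self._claims[task_id] = (owner, self._clock() + self._ttl)
        return True

    def release(self, task_id, owner):
        """Only the live holder may release. An expired claim needs no explicit
        release: the next claimant simply overwrites it."""
        if self.holder(task_id) != owner:
            return False
        del self._claims[task_id]
        return True

    def sweep(self):
        """Drop expired entries; returns the task ids removed."""
        now = self._clock()
        stale = [t for t, (_, exp) in self._claims.items() if exp <= now]
        for t in stale:
            del self._claims[t]
        return stale


class FakeClock:
    """Test clock so the scenario below does not have to wait two hours."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def stale_claim_scenario():
    """Constructed scenario: aitbc1 claims task-7 and goes silent; aitbc is
    refused just before the TTL and takes the task just after it."""
    clock = FakeClock()
    store = ClaimStore(clock=clock)
    first = store.claim("task-7", "aitbc1")
    clock.advance(CLAIM_TTL_SECONDS - 1)
    refused_before_ttl = not store.claim("task-7", "aitbc")
    clock.advance(2)  # now past the 2-hour mark
    taken_after_ttl = store.claim("task-7", "aitbc")
    silent_owner_cannot_release = not store.release("task-7", "aitbc1")
    return {
        "first_claim": first,
        "refused_before_ttl": refused_before_ttl,
        "taken_after_ttl": taken_after_ttl,
        "silent_owner_cannot_release": silent_owner_cannot_release,
        "holder": store.holder("task-7"),
    }
```

Because the two nodes already share a Redis instance, the same semantics are available atomically there: `SET claim:<task> <owner> NX EX 7200` acquires with a TTL in one round trip, and release should compare the stored owner before deleting (a small Lua script) so that a slow agent cannot release a claim that has since passed to someone else.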
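The optional API key middleware above has one property worth making explicit: with `COORDINATOR_API_KEY` unset it is a no-op, so "optional" means fail-open by design. The block below is an added example of such a gate as a framework-agnostic ASGI middleware, written for this note; it is not the coordinator's `main.py` and does not assume its framework. The `X-API-Key` header name, the exempt `/health` path, and the `hello_app` test application are assumptions.

```python
"""Optional API-key gate as ASGI middleware: added example, not the coordinator's
main.py. Assumed: X-API-Key header, /health exempt, unset key disables the gate."""
import asyncio
import hmac
import os

EXEMPT_PATHS = frozenset({"/health"})  # assumed: liveness probes carry no key


class ApiKeyMiddleware:
    def __init__(self, app, api_key, exempt_paths=EXEMPT_PATHS):
        self.app = app
        self.api_key = api_key
        self.exempt_paths = exempt_paths

    def authorized(self, path, headers):
        """Pure decision so it can be tested without a server. `headers` maps
        lower-cased header names (bytes) to values (bytes), as ASGI delivers them."""
        if not self.api_key:
            return True  # optional mode: no key configured, gate is off
        if path in self.exempt_paths:
            return True
        presented = headers.get(b"x-api-key", b"")
        # Constant-time comparison so timing does not leak how much of the key matched.
        return hmac.compare_digest(presented, self.api_key.encode())

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            headers = {k.lower(): v for k, v in scope.get("headers", [])}
            if not self.authorized(scope["path"], headers):
                await send({
                    "type": "http.response.start",
                    "status": 401,
                    "headers": [(b"content-type", b"text/plain"),
                                (b"www-authenticate", b"ApiKey")],
                })
                await send({"type": "http.response.body", "body": b"unauthorized"})
                return
        await self.app(scope, receive, send)


def from_env(app, env=os.environ):
    """Wire the gate from COORDINATOR_API_KEY; unset or empty leaves it open."""
    return ApiKeyMiddleware(app, env.get("COORDINATOR_API_KEY"))


async def hello_app(scope, receive, send):
    """Stand-in for the real application."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def request_status(app, path, headers=()):
    """Drive an ASGI app with a minimal in-process GET; returns the HTTP status."""
    scope = {
        "type": "http",
        "method": "GET",
        "path": path,
        "headers": [(k.lower().encode(), v.encode()) for k, v in headers],
    }
    status = {}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.start":
            status["code"] = message["status"]

    asyncio.run(app(scope, receive, send))
    return status["code"]
```

If the fail-open default is kept, log a clear warning at startup when the key is absent so an unauthenticated deployment is visible in the journal rather than discovered later; and keep the loopback-only bind on the blockchain RPC regardless, since the key protects only the coordinator.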
## Production Blockchain Preparation (2026-03-16)

### Goals

- Fixed-supply genesis with controlled initial allocations (ait-mainnet)
- Encrypted keystore for proposer and treasury accounts
- Removal of the dev-only admin mint endpoint
- Multi-chain support (devnet preserved)

### Created Scripts

- `/opt/aitbc/scripts/keystore.py`: generate and encrypt keystore JSON files for accounts using Fernet (AES-128-CBC with an HMAC-SHA256 tag; the Fernet key is a 32-byte url-safe base64 value, so if it is to come from a passphrase it must be derived with a KDF such as PBKDF2 or scrypt, never used as the passphrase bytes directly)
- `/opt/aitbc/scripts/init_production_genesis.py`: initialize the `ait-mainnet` DB with production allocations
- `/opt/aitbc/scripts/run_production_node.py`: launcher that sets env, initializes the DB if empty, starts the node
- `/opt/aitbc/SETUP_PRODUCTION.md`: step-by-step guide

### Outstanding Manual Steps

1. Generate keystores for `aitbc1genesis` and `aitbc1treasury` (run keystore.py)
2. Run the init script to create the production DB
3. Edit `.env` to set `CHAIN_ID=ait-mainnet` and `PROPOSER_KEY=`
4. Restart blockchain services
5. Verify RPC endpoints

### Key Differences: Genesis vs Treasury

- **aitbc1genesis**: proposer key used for block signing in PoA; high authority, rarely spends.
- **aitbc1treasury**: operational funds for ecosystem rewards, grants, payments; needs to be spendable via the wallet daemon.

### Address Format

- Human-readable names (e.g., `aitbc1treasury`) are stored as plain strings in the `Account` table.
- Private keys are stored encrypted in `/opt/aitbc/keystore/` with 600 perms.
- Transaction signing is not yet implemented; it will require on-chain public key infrastructure in a future phase. Until then nothing cryptographically ties a spend to an account's key, so control over an account rests entirely on who can reach the RPC, which is why the loopback-only bind matters.
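The fixed-supply goal is only as good as the check that runs before the genesis DB is seeded: once initialized, an over- or under-committed allocation is a chain reset, not a patch. The block below is an added example of that pre-seed validation, written for this note; it is not `init_production_genesis.py`, and the input shape (a list of name/amount pairs), the account-name rule, and the sample amounts are assumptions. Only the 20M total and the two required account names come from the page.

```python
"""Pre-seed validation for a fixed-supply genesis: added example, not the
project's init_production_genesis.py. Assumed input: list of (name, amount)."""
import re
from decimal import Decimal, InvalidOperation

TOTAL_SUPPLY_AIT = Decimal("20000000")          # 20M AIT, per the page
REQUIRED_ACCOUNTS = ("aitbc1genesis", "aitbc1treasury")
NAME_RE = re.compile(r"^[a-z0-9]{3,32}$")       # assumed rule for plain-string names

SAMPLE_ALLOCATIONS = [  # constructed figures, not the real genesis_prod.yaml
    ("aitbc1genesis", "1000000"),
    ("aitbc1treasury", "19000000"),
]


def validate_allocations(allocations, total=TOTAL_SUPPLY_AIT, required=REQUIRED_ACCOUNTS):
    """Return a list of problems; an empty list means the allocations may be seeded.

    A list of pairs (not a dict) is taken on purpose: a YAML loader that builds a
    dict silently keeps the last duplicate key, and duplicates must be reported."""
    problems = []
    seen = set()
    running = Decimal(0)
    for name, raw in allocations:
        if not isinstance(name, str) or not NAME_RE.match(name):
            problems.append(f"{name!r}: invalid account name")
        if name in seen:
            problems.append(f"{name}: duplicate allocation")
        seen.add(name)
        if isinstance(raw, float):
            # Floats cannot represent most decimal amounts exactly; refuse them.
            problems.append(f"{name}: amount given as float; use a string or int")
            continue
        try:
            amount = Decimal(str(raw))
        except InvalidOperation:
            problems.append(f"{name}: unparseable amount {raw!r}")
            continue
        if amount <= 0:
            problems.append(f"{name}: amount must be positive, got {amount}")
            continue
        running += amount
    for acct in required:
        if acct not in seen:
            problems.append(f"missing required account {acct}")
    if running != total:
        problems.append(f"allocations sum to {running}, expected {total}")
    return problems


def ready_to_seed(allocations):
    return validate_allocations(allocations) == []
```

Run this against the parsed allocation list before `init_production_genesis.py` touches the DB, and have the launcher refuse to start when it reports anything, so that "initialize DB if empty" can never seed a malformed supply.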