oib/aitbc
1
0
Fork 0
Code Issues Pull Requests Actions 6 Packages Projects Releases Wiki Activity
Files
bf1e18921ba072bde0e2af6ffb7f0830c079f38d
aitbc/MEMORY.md

116 lines
5.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# MEMORY.md
## Weekly Summary (2026-03-23 to 2026-03-29)
**Consolidated:** 2026-03-23 21:56 UTC
**Archived:** memory/archive/2026-03/{23}.md
### Key Decisions
- Continued security hardening efforts with ongoing vulnerability monitoring
- Maintained blockchain development focus despite dependency updates
- Preserved synchronization efforts between aitbc and aitbc1 nodes
### Learnings
- Security hardening requires continuous monitoring and updates
- Dependency updates are ongoing but non-critical for core functionality
- Blockchain development benefits from consistent peer review and coordination
### Important Facts
- Python 3.13.5
- Debian Trixie
- aitbc server: 10.1.223.93 (secondary developing node, matrix user: aitbc)
- aitbc1 server: 10.1.223.40 (primary developing node, matrix user: aitbc1)
- Both connected via Redis pub/sub (10.1.223.40:6379)
### Action Items
- Patched critical pickle deserialization bypass with module origin verification
- Hardened Matrix agent configuration (explicit user allowlist, requireMention=true, groupPolicy=allowlist)
- Implemented claim TTL (2 hours) to prevent stale locks
- Integrated vulnerability scanning into dev_heartbeat.py
- Bound blockchain RPC to localhost only (127.0.0.1)
- Tightened wallet file permissions to 600
- Added optional API key middleware to Coordinator API
- Fixed poetry lock file inconsistency and updated mypy dependency
- Committed mempool drain logging change to poa.py
- Restarted services after security hardening
- Monitored 16 outdated packages (coverage, fastapi, jaraco-context, platformdirs, pydantic-core, pytest-asyncio, pytest-cov, python-dotenv, rich, ruff, and others)
- Addressed uncommitted changes in blockchain consensus and RPC modules
## Blockchain Project Status (2026-03-19)
### Servers
- **aitbc** (this server): 10.1.223.93, port 8006 RPC, 8005 P2P
- **aitbc1** (brother): 10.1.223.40, port 8006 RPC
- Both connected via Redis pub/sub (10.1.223.40:6379)
### Current Chain State
- **NOT synchronized** — aitbc at height ~1479, aitbc1 at ~102 (2026-03-19 12:27)
- Both running `ait-mainnet` chain_id
- All genesis accounts (aitbc1genesis, aitbc1treasury) have **0 balance**
- No keystore generated on either server
- Proposer key is dev key `0x00...01` on aitbc
### What's Missing for Gift of 1000 AIT
1. Production genesis not seeded (20M AIT allocation from genesis_prod.yaml never initialized)
2. Chains not synchronized between servers
3. No keystore with decrypted keys
4. No actual AIT tokens exist anywhere
### Code Status (2026-03-19)
- git branch: `aitbc1/7-add-tests-for-aitbc-core-package` (NOT on main or blockchain-production)
- Cherry-picked multi-chain refactor and chain_sync.py onto this branch
- Pushed to `aitbc/sync-chain-changes` (main is protected)
- Service file fixed: combined_main → main
- Services running on aitbc: node (8005), RPC (8006), dev RPC (8025)
## Recent Updates (2026-03-1516)
### Security Hardening
- Fixed critical pickle deserialization bypass (`safe_loads`) with module origin verification and sys.path lock.
- Restricted Matrix agent: explicit user allowlist, requireMention=true, groupPolicy=allowlist.
- Implemented claim TTL (2 hours) to prevent stale locks in multi-agent coordination.
- Integrated vulnerability scanning into `dev_heartbeat.py` (`pip-audit`, `npm audit`).
- Bound blockchain RPC to localhost (127.0.0.1) to reduce exposure.
- Tightened wallet file permissions to 600 (owner read/write only).
- Added optional API key middleware to Coordinator API (`COORDINATOR_API_KEY` env).
### Files Modified
- `/opt/aitbc/apps/coordinator-api/src/app/services/secure_pickle.py`
- `/opt/aitbc/apps/coordinator-api/src/app/main.py`
- `/root/.openclaw/openclaw.json`
- `/opt/aitbc/scripts/claim-task.py`
- `/opt/aitbc/dev/scripts/dev_heartbeat.py`
- `/opt/aitbc/systemd/aitbc-blockchain-rpc.service`
See `/root/.openclaw/workspace/SECURITY_HARDENING_SUMMARY.md` for full details and restart instructions.
## Production Blockchain Preparation (2026-03-16)
### Goals
- Fixed supply genesis with controlled initial allocations (ait-mainnet)
- Encrypted keystore for proposer and treasury accounts
- Removal of dev-only admin mint endpoint
- Multi-chain support (devnet preserved)
### Created Scripts
- `/opt/aitbc/scripts/keystore.py` Generate and encrypt keystore JSON files for accounts using Fernet (AES-128)
- `/opt/aitbc/scripts/init_production_genesis.py` Initialize `ait-mainnet` DB with production allocations
- `/opt/aitbc/scripts/run_production_node.py` Launcher that sets env, initializes DB if empty, starts node
- `/opt/aitbc/SETUP_PRODUCTION.md` Step-by-step guide
### Outstanding Manual Steps
1. Generate keystores for `aitbc1genesis` and `aitbc1treasury` (run keystore.py)
2. Run init script to create the production DB
3. Edit `.env` to set `CHAIN_ID=ait-mainnet` and `PROPOSER_KEY=<hex>`
4. Restart blockchain services
5. Verify RPC endpoints
### Key Differences: Genesis vs Treasury
- **aitbc1genesis**: Proposer key used for block signing in PoA; high authority, rarely spends.
- **aitbc1treasury**: Operational funds for ecosystem rewards, grants, payments; needs to be spendable via wallet daemon.
### Address Format
- Human-readable names (e.g., `aitbc1treasury`) stored as plain strings in the `Account` table.
- Private keys stored encrypted in `/opt/aitbc/keystore/` with 600 perms.
- Transaction signing not yet implemented; will require on-chain public key infrastructure in a future phase.
Reference in New Issue View Git Blame Copy Permalink