diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f54e06616f76..3d7c22dd41ad 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,11 @@ on: tags-ignore: - '**' +# Explicitly set minimal permissions for security +# Workflows should only have the permissions they need +permissions: + contents: read + concurrency: group: ${{ github.event_name != 'pull_request' && github.run_id || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/etherscan-apiv2.yml b/.github/workflows/etherscan-apiv2.yml index aafbae1be5bb..469103c9a6bf 100644 --- a/.github/workflows/etherscan-apiv2.yml +++ b/.github/workflows/etherscan-apiv2.yml @@ -53,6 +53,9 @@ jobs: - name: Fetch Etherscan API data # Only run if API key is configured if: ${{ secrets.ETHERSCAN_API_KEY != '' }} + env: + # Store API key in environment variable for safer handling + ETHERSCAN_API_KEY: ${{ secrets.ETHERSCAN_API_KEY }} run: | echo "Fetching data from Etherscan API..." mkdir -p data/etherscan @@ -97,9 +100,10 @@ jobs: # Build API URL without the key api_url="${BASE_URL}?module=${ENDPOINT}&action=${ACTION}${PARAMS}" - # Make request with API key from secret - # Key is only exposed during curl execution, not in logs - curl -s "${api_url}&apikey=${{ secrets.ETHERSCAN_API_KEY }}" \ + # Make request with API key from environment variable + # This is safer than inline secret substitution + # GitHub automatically masks the ETHERSCAN_API_KEY in logs + curl -s "${api_url}&apikey=${ETHERSCAN_API_KEY}" \ -o data/etherscan/latest.json || { echo '{"status":"0","message":"API request failed"}' \ > data/etherscan/latest.json diff --git a/.github/workflows/wiki-management.yml b/.github/workflows/wiki-management.yml index a36e12261e8a..be497d14f614 100644 --- a/.github/workflows/wiki-management.yml +++ b/.github/workflows/wiki-management.yml 
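Review bot: The new workflow-level `permissions: contents: read` block removes every other GITHUB_TOKEN scope for all jobs in ci.yml, so any job that writes checks, statuses or comments would now get a 403 unless it re-declares its own `permissions:` map; the hunk adds no job-level overrides and the jobs themselves are outside this hunk, so I cannot confirm none needs more. The added comment should say where to widen scope so the next job author does not re-open the workflow-level block, e.g. `# Workflow-level default for GITHUB_TOKEN; a job that needs more must declare its own permissions: map (a job-level map replaces this one, it does not extend it).`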
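Review bot: `curl -s` without `--fail` treats an HTTP 401/403/429 from Etherscan as success: the error body is written to `data/etherscan/latest.json` and curl exits 0, so the `|| { ... }` fallback only fires on transport errors and a revoked or rate-limited key is never reported. Change the call to `curl -sS --fail-with-body "${api_url}&apikey=${ETHERSCAN_API_KEY}" \` (plain `--fail` on older curl) so the fallback branch actually runs on API rejection. The new comment's rationale is also slightly off: GitHub masks the secret's value in logs whether it is referenced via `env:` or inline `${{ }}`; the real gain of the `env:` form is that the value is not interpolated into the script text, which avoids shell-quoting/injection problems and `set -x` echoing the literal. The key still lands in curl's argv (visible via `ps` on the runner) because Etherscan takes it as a query parameter; feeding the URL through `curl -K -` on stdin would keep it out of the process list if that matters here.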
@@ -17,14 +17,20 @@ on: - 'wiki/**' workflow_dispatch: +# Use minimal permissions principle +# Each job can override if it needs more permissions permissions: contents: read - pull-requests: write + pull-requests: write # Required for validate-wiki job to comment on PRs jobs: validate-wiki: name: 'Validate Wiki Content' runs-on: ubuntu-latest + # This job needs to read content and comment on PRs + permissions: + contents: read + pull-requests: write steps: - name: Checkout repository @@ -169,6 +175,9 @@ jobs: - name: Comment on PR (if applicable) if: github.event_name == 'pull_request' + # This step requires pull-requests: write permission which is granted at the workflow level. + # Note: Permissions can only be set at workflow or job level, not at step level. + # This job inherits pull-requests: write from the workflow-level permissions. uses: actions/github-script@v7 with: script: | @@ -223,6 +232,9 @@ jobs: check-security: name: 'Security Check' runs-on: ubuntu-latest + # This job only reads content + permissions: + contents: read steps: - name: Checkout repository @@ -260,6 +272,9 @@ jobs: runs-on: ubuntu-latest needs: [validate-wiki, check-security] if: always() + # This job only writes to job summary + permissions: + contents: read steps: - name: Create summary diff --git a/.gitignore b/.gitignore index 6facb7aa6801..740c290bd284 100644 --- a/.gitignore +++ b/.gitignore 
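Review bot: The workflow-level map keeps `pull-requests: write` even though every job in this diff now declares its own `permissions:` block, which makes the workflow-level grant dead for the existing jobs but live for any job added later without a block — the opposite of the "minimal permissions principle" the new comment describes. Since `validate-wiki` already declares `pull-requests: write` at job level, the workflow-level map can shrink to `contents: read` alone, and the comment should state the actual semantics: `# Default for jobs that declare no permissions: map; a job-level map replaces this one entirely.` One caveat the hunk does not mention: on `pull_request` runs from forks GITHUB_TOKEN is read-only regardless of this setting, so the PR-comment path will still receive a 403 there.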
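Review bot: The three-line comment added above `uses: actions/github-script@v7` is inaccurate: the same diff gives `validate-wiki` its own job-level `permissions:` map, and a job-level map replaces the workflow-level one, so this step gets `pull-requests: write` from the job block, not by inheritance from the workflow. Suggest collapsing it to `# Needs pull-requests: write, declared on the validate-wiki job (permissions cannot be set per step).` For `pull_request` events from forks the token is read-only, so the comment call (presumably `github.rest.issues.createComment`; the script body is outside the hunk) will fail the job — consider `continue-on-error: true` on this step or gating it on `github.event.pull_request.head.repo.full_name == github.repository`.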
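Review bot: The comment on the summary job says it only writes the job summary, but writing `$GITHUB_STEP_SUMMARY` needs no GITHUB_TOKEN scope at all, so `contents: read` is only justified if the job checks out the repository; its steps are outside the hunk, so I cannot tell. If it does not check out, `permissions: {}` is the real minimum and the comment should say why read is kept otherwise, e.g. `# contents: read only for actions/checkout; the step summary itself needs no token scope.`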
@@ -1,85 +1,279 @@ -# Ignored files +# Ignored files - Using Safe Practices +# This .gitignore follows security best practices to prevent committing sensitive data -# Private keys +# ============================================================================ +# SECURITY: Private Keys and Certificates +# ============================================================================ +# Never commit private keys, certificates, or cryptographic material *.pem *.key *.p12 *.pfx *.crt *.der +*.cer +*.ca-bundle +*.ca-cert +*.keystore +*.jks +*.truststore id_rsa id_dsa +id_ecdsa +id_ed25519 *.pub +*.gpg +*.pgp +*.asc -# Environment files +# ============================================================================ +# SECURITY: Environment and Configuration Files +# ============================================================================ +# Environment variables often contain secrets, API keys, passwords .env +.env.* .env.local .env.*.local +.env.development +.env.production +.env.staging +.env.test *.secret +*.secrets +.envrc -# Sensitive configuration +# Sensitive configuration files config.json secrets.json credentials.json auth.json +*.config.json +*.credentials.json +application-secrets.yml +application-secrets.yaml +secrets.yml +secrets.yaml -# Private documentation +# ============================================================================ +# SECURITY: Private Documentation and Notes +# ============================================================================ +# Personal or private documentation should not be committed /docs/private/ /doc/private/ *.private.md +*.confidential.md +PRIVATE_* +CONFIDENTIAL_* -# Database files +# ============================================================================ +# SECURITY: Database Files +# ============================================================================ +# Database files may contain sensitive user data *.db *.sqlite *.sqlite3 +*.db-shm +*.db-wal +*.mdb +*.accdb -# Wallet files +# 
============================================================================ +# SECURITY: Wallet Files and Blockchain Data +# ============================================================================ +# Bitcoin wallet files contain private keys - never commit these wallet.dat *.wallet +*wallet*.dat +peers.dat +banlist.dat +anchors.dat +fee_estimates.dat +mempool.dat +blocks/ +chainstate/ +indexes/ -# Logs +# ============================================================================ +# SECURITY: Logs +# ============================================================================ +# Log files may contain sensitive information *.log +*.log.* logs/ +log/ +npm-debug.log* +yarn-debug.log* +yarn-error.log* -# API Keys and tokens +# ============================================================================ +# SECURITY: API Keys, Tokens, and Credentials +# ============================================================================ +# API keys, tokens, and authentication credentials *.apikey apikeys/ tokens/ *.token +.api-keys +.credentials +bearer-token +oauth-token +jwt-token -# Backup files +# Cloud provider credentials +.aws/ +.azure/ +.gcp/ +google-credentials.json +gcloud-service-key.json +serviceAccount.json + +# CI/CD secrets (should use secure secrets management) +.circleci/local-config.yml +.travis/secrets.json + +# ============================================================================ +# SECURITY: Backup and Temporary Files +# ============================================================================ +# Backup files may contain sensitive historical data *.backup *.bak +*.old +*.orig +*.save +*~ *.swp *.swo -*~ +.*.swp +.*.swo -# Personal notes +# ============================================================================ +# SECURITY: Personal Notes and TODOs +# ============================================================================ +# Personal notes might contain sensitive information notes.txt TODO.txt +todo.txt +NOTES.txt *.personal 
+*.private +scratch.txt -# Test data with sensitive info +# ============================================================================ +# SECURITY: Test Data with Sensitive Information +# ============================================================================ testnet_wallet.dat regtest_wallet.dat +test-wallet.dat +*.test.wallet -# Build artifacts (may contain paths or sensitive info) +# ============================================================================ +# BUILD: Artifacts and Output Directories +# ============================================================================ +# Build artifacts may contain embedded paths or configuration build/ dist/ +out/ +target/ *.o *.a *.so +*.so.* *.dylib *.dll *.exe +*.app +*.dmg +*.pkg +*.deb +*.rpm -# IDE and editor files +# ============================================================================ +# IDE: Editor and IDE Configuration Files +# ============================================================================ +# IDE files may contain local paths and preferences .vscode/ .idea/ *.sublime-* +*.sublime-project +*.sublime-workspace +.project +.classpath +.settings/ +.metadata/ +*.iml +*.ipr +*.iws + +# OS-specific files .DS_Store +.DS_Store? 
+._* +.Spotlight-V100 +.Trashes +ehthumbs.db +Thumbs.db +desktop.ini -# Temporary files +# ============================================================================ +# TEMPORARY: Temporary and Cache Files +# ============================================================================ tmp/ temp/ -*.tmp \ No newline at end of file +*.tmp +*.temp +.cache/ +.pytest_cache/ +__pycache__/ +*.pyc +*.pyo +.tox/ + +# ============================================================================ +# DEPENDENCIES: Package Manager Files +# ============================================================================ +# Dependencies should be reinstalled, not committed +node_modules/ +bower_components/ +vendor/ +.bundle/ + +# Lock files tracking: +# Lock files ensure reproducible builds across environments +# Generally RECOMMENDED to commit lock files for: +# - Applications (ensures consistent deployments) +# - Production projects +# Optionally exclude for: +# - Libraries (to test against latest compatible versions) +# Uncomment the appropriate lines below based on your project needs: +# package-lock.json +# yarn.lock +# Gemfile.lock +# composer.lock + +# ============================================================================ +# DOCUMENTATION: Build Output +# ============================================================================ +# Generated documentation +docs/_build/ +docs/.buildinfo +site/ +_site/ + +# ============================================================================ +# MISCELLANEOUS: Other Files to Ignore +# ============================================================================ +# Coverage reports +coverage/ +.coverage +.nyc_output/ +htmlcov/ + +# Profile data +*.prof +*.pprof + +# Core dumps +core +core.* + +# End of .gitignore \ No newline at end of file diff --git a/README.md b/README.md index cfabb7f6723b..8b76120ca92d 100644 --- a/README.md +++ b/README.md 
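Review bot: A .gitignore is not a security control — it only affects untracked files in `git add`/`git status`, is bypassed by `git add -f`, and does nothing for anything already tracked or present in history — so the new "SECURITY" section headers overstate what this file achieves; if leaked credentials are the threat, pair it with a pre-commit or CI secret scanner (gitleaks, trufflehog) and say so in the header comment. Several new patterns are also broad enough to hide legitimate repository content: `*.asc` and `*.gpg` (alongside the pre-existing `*.pub`) match detached signatures and exported public keys that release-verification tooling typically tracks, `config.json`/`*.config.json`/`auth.json` match ordinary application config, and unanchored `blocks/`, `chainstate/`, `indexes/`, `core`, `core.*`, `vendor/`, `target/`, `out/` and `site/` match any file or directory of that name anywhere in the tree, including under `src/` or test fixtures. Ignored files simply vanish from `git status`, so a contributor who needs to commit one gets no warning; anchor the datadir patterns to the root (`/blocks/`, `/chainstate/`, `/indexes/`) and drop or narrow the signature/public-key globs unless the repo truly never tracks such files. I can see only the patterns, not the tree, so treat the specific collisions as things to verify. The rewritten file still ends without a trailing newline (`\ No newline at end of file`), which the rewrite could have fixed.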
@@ -1,6 +1,10 @@ Bitcoin Core integration/staging tree ===================================== +[![CI](https://github.com/kushmanmb-org/bitcoin/actions/workflows/ci.yml/badge.svg)](https://github.com/kushmanmb-org/bitcoin/actions/workflows/ci.yml) +[![Etherscan API Integration](https://github.com/kushmanmb-org/bitcoin/actions/workflows/etherscan-apiv2.yml/badge.svg)](https://github.com/kushmanmb-org/bitcoin/actions/workflows/etherscan-apiv2.yml) +[![Wiki Management](https://github.com/kushmanmb-org/bitcoin/actions/workflows/wiki-management.yml/badge.svg)](https://github.com/kushmanmb-org/bitcoin/actions/workflows/wiki-management.yml) + https://bitcoincore.org For an immediately usable, binary version of the Bitcoin Core software, see