From 1739c934559fb61dd8ef16843aa80209f1bce6a2 Mon Sep 17 00:00:00 2001 From: root Date: Tue, 24 Feb 2026 21:01:52 -0600 Subject: [PATCH] docs: Add Security & Privacy Review section to checklist - Pre-commit checks for IPs, tokens, passwords, paths - Placeholder replacement guide - File review checklist --- checklist.md | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/checklist.md b/checklist.md index e813485..7176cfe 100644 --- a/checklist.md +++ b/checklist.md @@ -167,6 +167,41 @@ sudo journalctl -u mem-qdrant-watcher -f --- +## Security & Privacy Review (Pre-Commit) + +### Before Committing to Git + +| Check | Command | What to Look For | +|-------|---------|------------------| +| **Internal IPs** | `grep -rE "(10\.[0-9]+\.[0-9]+\.[0-9]+\|192\.168\.[0-9]+\.[0-9]+\|172\.(1[6-9]\|2[0-9]\|3[01])\.[0-9]+\.[0-9]+)"` | Private network addresses | +| **Passwords/Tokens** | `grep -riE "(password|token|secret|api.?key)"` | Hardcoded credentials | +| **SSH Keys** | `grep -rE "(BEGIN.*PRIVATE KEY|ssh-rsa|ssh-ed25519)"` | Private keys | +| **Absolute Paths** | `grep -rE "(/root/|/home/[a-z]+/|\.ssh/)"` | System-specific paths | +| **Timestamps** | `grep -rE "[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}"` | Non-project dates/times | +| **Usernames** | `grep -riE "(user: [a-z]+\|username: [a-z]+)"` | System usernames | + +### Replace With Placeholders + +| Found | Replace With | +|-------|--------------| +| `10.0.0.x` | `` or `` | +| `192.168.x.x` | `` | +| `/root/.openclaw/` | `~/.openclaw/` or `` | +| `/home/username/` | `~/` or `` | +| Real tokens | `` or `` | +| Specific dates | `` or `` | + +### Files to Review + +- [ ] All `.py` files +- [ ] All `.md` files +- [ ] All `.json` files +- [ ] All `.sh` files +- [ ] Any log files (should be in `.gitignore`) +- [ ] Any config files with paths + +--- + ## Sign-off | Check | Status | Date |
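Review bot: In the "Before Committing to Git" table, the Passwords/Tokens, SSH Keys and Absolute Paths rows put an unescaped `|` inside the command cell, while the Internal IPs and Usernames rows escape it as `\|`. Both forms cause trouble: in a GitHub-flavored Markdown table the unescaped pipes split the cell and truncate the command, and the escaped form, if copied from the raw file, makes `grep -E` match a literal pipe character instead of acting as alternation. Moving the six commands out of the table into a code block or a small script beneath it avoids both problems. In the "Replace With Placeholders" table every replacement other than `~/.openclaw/` and `~/` is an empty code span, so the guide does not say what to substitute; if the placeholders were written in angle brackets, they need escaping to survive rendering. The patterns `/home/[a-z]+/` and `user: [a-z]+` skip names that contain digits, hyphens or underscores. None of the commands names a path or excludes `.git`, so a recursive run from the repository root also scans the `.git` directory; for a pre-commit check, `git grep -E` or grepping the output of `git diff --cached` keeps the scan to tracked or staged content.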