# TrueRecall v2 - Master Audit Checklist (GIT/PUBLIC)

**For:** `.git_projects/true-recall-v2/` (Sanitized Public Directory)
**Version:** 2.2
**Last Updated:** 2026-02-25 10:07 CST

---

## Overview

This checklist validates that the **git/public directory** is properly sanitized with placeholders, contains no credentials, and is ready for public release. Use it before every git push.

---

## Recent Fixes (2026-02-25)

| Issue | Status | Fix |
|-------|--------|-----|
| Embedding model mismatch | ✅ Fixed | Changed curator to `snowflake-arctic-embed2` |
| Gems had no vectors | ✅ Fixed | Updated `store_gem()` to use `text` field |
| JSON parsing errors | ✅ Fixed | Simplified extraction prompt |
| Watcher stuck on old session | ✅ **Fixed** | Restarted watcher service |
| Plugin capture 0 exchanges | ✅ **Fixed** | Added `extractMessageText()` for array content |
| Plugin exchanges working | ✅ **Verified** | 9 exchanges extracted per session |

---

## SECTION 1: Pre-Push Security Checks

### 1.1 Critical Security Scan

| # | Check | Command | Expected | Status |
|---|-------|---------|----------|--------|
| 1.1.1 | No hardcoded IPs | `grep -rE "10\.[0-9]+\.[0-9]+\.[0-9]+" --include="*"` | 0 results | ☐ |
| 1.1.2 | No 192.168.x.x | `grep -rE "192\.168\.[0-9]+\.[0-9]+" --include="*"` | 0 results | ☐ |
| 1.1.3 | No 172.16-31.x.x | `grep -rE "172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+" --include="*"` | 0 results | ☐ |
| 1.1.4 | No localhost IPs | `grep -rE "127\.0\.0\.[0-9]+" --include="*"` | 0 results | ☐ |
| 1.1.5 | No IPv6 locals | `grep -rE "\[?::1\]?" --include="*"` | 0 results | ☐ |

### 1.2 Credentials Scan

| # | Check | Command | Expected | Status |
|---|-------|---------|----------|--------|
| 1.2.1 | No passwords | `grep -ri "password" --include="*.py" --include="*.md" --include="*.sh"` | 0 results | ☐ |
| 1.2.2 | No tokens | `grep -ri "token" --include="*.py" --include="*.md" --include="*.json"` | 0 results | ☐ |
| 1.2.3 | No API keys | `grep -riE "api[_-]?key|apikey" --include="*"` | 0 results | ☐ |
| 1.2.4 | No secrets | `grep -ri "secret" --include="*.py" --include="*.md"` | 0 results | ☐ |
| 1.2.5 | No private keys | `grep -ri "private.*key\|privkey" --include="*"` | 0 results | ☐ |
| 1.2.6 | No auth strings | `grep -riE "auth[^o]" --include="*.py" --include="*.json"` | 0 results | ☐ |

### 1.3 .git/config Security - CRITICAL

| # | Check | Command | Expected | Status |
|---|-------|---------|----------|--------|
| 1.3.1 | No tokens in URLs | `grep "url = " .git/config` | No `user:token@` pattern | ☐ |
| 1.3.2 | No HTTP auth | `grep "url = " .git/config | grep -v "^http://[^/]*$"` | Clean URLs | ☐ |
| 1.3.3 | HTTPS remotes | `grep "url = " .git/config` | All HTTPS or SSH | ☐ |
| 1.3.4 | Remote sanity | `git remote -v` | 2-3 remotes, no tokens | ☐ |
| **1.3.5** | **⚠️ NO TOKENS IN CREDENTIAL HELPER** | `grep -E "(password|token|ghp_|github_pat)" .git/config` | **MUST BE 0** | ☐ |
| **1.3.6** | **⚠️ NO CREDENTIAL HELPER WITH SECRETS** | `cat .git/config | grep -A5 "\[credential\]"` | **NO HARDCODED PASSWORDS** | ☐ |

**CRITICAL WARNING:** Kimi has accidentally pushed tokens TWICE before. **ALWAYS** verify 1.3.5 and 1.3.6 before pushing!
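
The `.git/config` checks in 1.3 (repeated in 7.2) can be run as one function that fails closed. This is an added example, not part of the TrueRecall repository: `scan_git_config` and both sample configs are constructed for illustration, and flagging any userinfo on an http(s) remote is a slightly stricter reading of 1.3.1.

```bash
#!/usr/bin/env bash
# Added example (not the project's own script). Scans one git config file for
# what checks 1.3.1, 1.3.3, 1.3.5 and 1.3.6 look for. Findings are printed as
# "file:line: reason" without the line text, so a leaked token is not copied
# into scrollback or CI logs. Returns 1 if anything was found, 0 if clean.
scan_git_config() {
  awk '
    function report(why) { printf "%s:%d: %s\n", FILENAME, FNR, why; bad = 1 }

    # Section header: remember whether we are inside [credential ...].
    /^[ \t]*\[/ { in_cred = (tolower($0) ~ /^[ \t]*\[credential/) }

    # Remote URLs: any userinfo on http(s) counts (stricter than user:token@).
    /^[ \t]*url[ \t]*=/ {
      if ($0 ~ /https?:\/\/[^\/@ \t]+@/) report("credentials in remote URL (1.3.1)")
      if ($0 ~ /=[ \t]*http:\/\//)       report("plain-HTTP remote (1.3.3)")
      next   # URL handled; avoids keyword hits on names like token-tools.git
    }

    # Keyword pattern from checks 1.3.5 and 7.2.1, matched case-insensitively.
    tolower($0) ~ /password|token|ghp_|github_pat/ {
      report(in_cred ? "secret in [credential] section (1.3.6)" \
                     : "password/token string (1.3.5)")
    }

    END { exit bad + 0 }
  ' "$1"
}

# Constructed sample configs; every value is a placeholder made up for this example.
demo_dir=$(mktemp -d)
cat > "$demo_dir/leaky" <<'EOF'
[remote "origin"]
  url = https://rob:<TOKEN>@github.com/example/true-recall.git
[remote "gitea"]
  url = http://<GITEA_IP>:3000/example/true-recall.git
[credential]
  helper = "!f() { echo username=rob; echo password=<PASSWORD>; }; f"
EOF
cat > "$demo_dir/clean" <<'EOF'
[remote "origin"]
  url = https://github.com/example/true-recall.git
[remote "gitea"]
  url = ssh://git@<GITEA_IP>/example/true-recall.git
EOF

scan_git_config "$demo_dir/leaky" || echo "leaky: push blocked"
scan_git_config "$demo_dir/clean" && echo "clean: ok to push"
```

Called as `scan_git_config .git/config || exit 1` at the top of a push script or pre-push hook, the function stops the push before any remote is contacted.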

### 1.4 File Scan

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 1.4.1 | No .env files | 0 .env files | ☐ |
| 1.4.2 | No .pem files | 0 .pem files | ☐ |
| 1.4.3 | No .key files | 0 .key files | ☐ |
| 1.4.4 | No id_rsa files | 0 id_rsa files | ☐ |
| 1.4.5 | No .p12 files | 0 .p12 files | ☐ |
| 1.4.6 | No .pfx files | 0 .pfx files | ☐ |

---

## SECTION 2: Placeholder Verification

### 2.1 IP Placeholders

| # | Placeholder | Used For | Found? | Status |
|---|-------------|----------|--------|--------|
| 2.1.1 | `<QDRANT_IP>` | Qdrant endpoint | ☐ | ☐ |
| 2.1.2 | `<OLLAMA_IP>` | Ollama endpoint | ☐ | ☐ |
| 2.1.3 | `<REDIS_IP>` | Redis endpoint | ☐ | ☐ |
| 2.1.4 | `<GITEA_IP>` | Gitea server | ☐ | ☐ |
| 2.1.5 | `<GATEWAY_IP>` | OpenClaw gateway | ☐ | ☐ |

### 2.2 Path Placeholders

| # | Placeholder | Used For | Found? | Status |
|---|-------------|----------|--------|--------|
| 2.2.1 | `~/` | Home directory | ☐ | ☐ |
| 2.2.2 | `<OPENCLAW_PATH>` | OpenClaw install | ☐ | ☐ |
| 2.2.3 | `<USER_HOME>` | User home | ☐ | ☐ |
| 2.2.4 | `<SYSTEMD_PATH>` | systemd location | ☐ | ☐ |

### 2.3 Config Placeholders

| # | Placeholder | Used For | Found? | Status |
|---|-------------|----------|--------|--------|
| 2.3.1 | `<API_KEY>` | API key example | ☐ | ☐ |
| 2.3.2 | `<TOKEN>` | Token example | ☐ | ☐ |
| 2.3.3 | `<PASSWORD>` | Password example | ☐ | ☐ |
| 2.3.4 | `<DATE>` | Date example | ☐ | ☐ |
| 2.3.5 | `<TIMESTAMP>` | Timestamp example | ☐ | ☐ |

---

## SECTION 3: File Completeness

### 3.1 Required Files Present

| # | File | Purpose | Status |
|---|------|---------|--------|
| 3.1.1 | `README.md` | Main documentation | ☐ |
| 3.1.2 | `session.md` | Session notes | ☐ |
| 3.1.3 | `checklist.md` | Installation checklist | ☐ |
| 3.1.4 | `curator-prompt.md` | Curation prompt | ☐ |
| 3.1.5 | `install.py` | Installation script | ☐ |
| 3.1.6 | `push-all.sh` | Push script | ☐ |

### 3.2 Scripts Directory

| # | File | Purpose | Status |
|---|------|---------|--------|
| 3.2.1 | `tr-continuous/curator_timer.py` | Timer curator | ☐ |
| 3.2.2 | `tr-continuous/curator_config.json` | Curator config | ☐ |

### 3.3 No Local-Only Files

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 3.3.1 | No debug_curator.py | Not in git | ☐ |
| 3.3.2 | No test_curator.py | Not in git | ☐ |
| 3.3.3 | No migrate_*.py | Not in git | ☐ |
| 3.3.4 | No tr-daily/ | Not in git (archived) | ☐ |
| 3.3.5 | No tr-compact/ | Not in git (concept) | ☐ |

---

## SECTION 4: Script Validation

### 4.1 curator_timer.py

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 4.1.1 | No hardcoded IPs | Uses env vars | ☐ |
| 4.1.2 | No absolute paths | Uses `~/` | ☐ |
| 4.1.3 | Syntax valid | `python3 -m py_compile` passes | ☐ |
| 4.1.4 | Executable bit | `chmod +x` set | ☐ |
| 4.1.5 | Uses placeholders | `<QDRANT_IP>`, `<OLLAMA_IP>` | ☐ |

### 4.2 install.py

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 4.2.1 | No hardcoded IPs | Uses prompts | ☐ |
| 4.2.2 | No absolute paths | Uses defaults | ☐ |
| 4.2.3 | Syntax valid | `python3 -m py_compile` passes | ☐ |
| 4.2.4 | Interactive prompts | Asks for URLs | ☐ |

### 4.3 push-all.sh

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 4.3.1 | No hardcoded paths | Uses `$PWD` | ☐ |
| 4.3.2 | No tokens | Clean script | ☐ |
| 4.3.3 | Syntax valid | `bash -n` passes | ☐ |
| 4.3.4 | Executable bit | `chmod +x` set | ☐ |

---

## SECTION 5: Documentation Quality

### 5.1 README.md

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 5.1.1 | Uses placeholders | `<QDRANT_IP>`, `<OLLAMA_IP>` | ☐ |
| 5.1.2 | No hardcoded paths | `~/` not `/root/` | ☐ |
| 5.1.3 | Clear instructions | Step-by-step | ☐ |
| 5.1.4 | Config examples | Generic examples | ☐ |
| 5.1.5 | Troubleshooting | Common issues listed | ☐ |

### 5.2 session.md

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 5.2.1 | Uses placeholders | `<QDRANT_IP>`, `<OLLAMA_IP>` | ☐ |
| 5.2.2 | No hardcoded paths | `~/` not `/root/` | ☐ |
| 5.2.3 | Current state | Up to date | ☐ |
| 5.2.4 | Validation commands | Generic commands | ☐ |

### 5.3 checklist.md

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 5.3.1 | Uses placeholders | `<QDRANT_IP>`, etc. | ☐ |
| 5.3.2 | Pre-install checks | Generic commands | ☐ |
| 5.3.3 | Post-install validation | Generic commands | ☐ |
| 5.3.4 | Troubleshooting | Common issues | ☐ |

### 5.4 curator-prompt.md

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 5.4.1 | Uses placeholders | `<QDRANT_IP>` | ☐ |
| 5.4.2 | No hardcoded IPs | Placeholders only | ☐ |
| 5.4.3 | Updated architecture | No Redis refs | ☐ |
| 5.4.4 | Correct collection | `memories_tr` not `kimi_memories` | ☐ |

---

## SECTION 6: Git Hygiene

### 6.1 Git Status

| # | Check | Command | Expected | Status |
|---|-------|---------|----------|--------|
| 6.1.1 | Clean working tree | `git status` | No uncommitted changes | ☐ |
| 6.1.2 | No untracked files | `git status` | 0 untracked or added | ☐ |
| 6.1.3 | Proper .gitignore | `cat .gitignore` | Blocks sensitive files | ☐ |
| 6.1.4 | No large files | `find . -size +10M` | 0 large files | ☐ |

### 6.2 Commit Quality

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 6.2.1 | Descriptive message | Clear summary | ☐ |
| 6.2.2 | Atomic changes | One feature per commit | ☐ |
| 6.2.3 | Signed (optional) | GPG signed | ☐ |

### 6.3 Remote Configuration

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 6.3.1 | GitHub remote | Configured | ☐ |
| 6.3.2 | Gitea remote | Configured | ☐ |
| 6.3.3 | GitLab remote | Configured | ☐ |
| 6.3.4 | All clean | No tokens in URLs | ☐ |

---

## SECTION 7: Error Prevention

### 7.1 Common Mistakes

| # | Mistake | Prevention | Check | Status |
|---|---------|------------|-------|--------|
| 7.1.1 | Forgetting to sanitize | Run this checklist | ☐ | ☐ |
| 7.1.2 | Leaving tokens | Scan with grep | ☐ | ☐ |
| 7.1.3 | Hardcoding IPs | Use placeholders | ☐ | ☐ |
| 7.1.4 | Absolute paths | Use `~/` | ☐ | ☐ |
| 7.1.5 | Local-only files | Check 3.3.1-3.3.5 | ☐ | ☐ |

### 7.2 Pre-Push Checklist - MANDATORY

| # | Step | Command | Status |
|---|------|---------|--------|
| **7.2.1** | **🔴 CHECK .git/config FOR TOKENS** | `grep -E "(password|token|ghp_|github_pat)" .git/config` | ☐ **MUST PASS** |
| **7.2.2** | **🔴 VERIFY NO CREDENTIAL HELPER SECRETS** | `cat .git/config | grep -A5 "\[credential\]"` | ☐ **MUST PASS** |
| 7.2.3 | Run security scan | Section 1.1-1.2 | ☐ |
| 7.2.4 | Verify placeholders | Section 2.1-2.3 | ☐ |
| 7.2.5 | Check file completeness | Section 3.1-3.3 | ☐ |
| 7.2.6 | Validate scripts | Section 4.1-4.3 | ☐ |
| 7.2.7 | Review docs | Section 5.1-5.4 | ☐ |
| 7.2.8 | Check git hygiene | Section 6.1-6.3 | ☐ |

---

## SECTION 8: Function Verification (Generic)

### 8.1 Config Validity

| # | File | Check | Expected | Status |
|---|------|-------|----------|--------|
| 8.1.1 | `curator_config.json` | JSON syntax | Valid JSON | ☐ |
| 8.1.2 | `curator_config.json` | Required keys | All present | ☐ |
| 8.1.3 | `curator_config.json` | Value types | Correct types | ☐ |

### 8.2 Script Syntax

| # | File | Check | Command | Status |
|---|------|-------|---------|--------|
| 8.2.1 | `curator_timer.py` | Python syntax | `python3 -m py_compile` | ☐ |
| 8.2.2 | `install.py` | Python syntax | `python3 -m py_compile` | ☐ |
| 8.2.3 | `push-all.sh` | Bash syntax | `bash -n push-all.sh` | ☐ |

### 8.3 Documentation Links

| # | Check | Expected | Status |
|---|-------|----------|--------|
| 8.3.1 | Internal links valid | All `#section` work | ☐ |
| 8.3.2 | No broken references | No `TODO` or `FIXME` | ☐ |
| 8.3.3 | Consistent formatting | Same style throughout | ☐ |

---

## SECTION 9: Comparison with Local

### 9.1 Sync Status

| # | Check | Local | Git | Match? |
|---|-------|-------|-----|--------|
| 9.1.1 | README structure | Same | Same | ☐ |
| 9.1.2 | session structure | Same | Same | ☐ |
| 9.1.3 | checklist structure | Same | Same | ☐ |
| 9.1.4 | Config structure | Same | Same | ☐ |

### 9.2 Content Differences

| # | Check | Local (Real) | Git (Placeholder) | Expected |
|---|-------|--------------|-------------------|----------|
| 9.2.1 | Qdrant IP | 10.0.0.40 | `<QDRANT_IP>` | ✅ |
| 9.2.2 | Ollama IP | 10.0.0.10 | `<OLLAMA_IP>` | ✅ |
| 9.2.3 | Paths | /root/... | ~/... | ✅ |
| 9.2.4 | Usernames | rob | rob or generic | ✅ |

---

## SECTION 10: Final Review

### 10.1 Sign-Off

| # | Reviewer | Date | Notes | Signature |
|---|----------|------|-------|-----------|
| 10.1.1 | Security scan | | | |
| 10.1.2 | Sanitization | | | |
| 10.1.3 | Functionality | | | |
| 10.1.4 | Documentation | | | |

### 10.2 Ready to Push - MANDATORY CHECKS

| # | Check | Status |
|---|-------|--------|
| **10.2.1** | **🔴 .git/config contains NO tokens** (Section 1.3.5-1.3.6) | ☐ **MUST PASS** |
| **10.2.2** | **🔴 No credential helper with secrets** (Section 7.2.1-7.2.2) | ☐ **MUST PASS** |
| 10.2.3 | All Section 1 checks passed | ☐ |
| 10.2.4 | All Section 2 checks passed | ☐ |
| 10.2.5 | All Section 3 checks passed | ☐ |
| 10.2.6 | All Section 4 checks passed | ☐ |
| 10.2.7 | All Section 5 checks passed | ☐ |
| 10.2.8 | All Section 6 checks passed | ☐ |
| 10.2.9 | All Section 7 checks passed | ☐ |

### 10.3 Push Command

```bash
# After all checks pass:
cd ~/.openclaw/workspace/.git_projects/true-recall-v2
./push-all.sh "Your descriptive commit message"
```

---

## Quick Reference: Security Scan Commands

```bash
# Scan for private IPs
grep -rE "10\.[0-9]+\.[0-9]+\.[0-9]+" --include="*"
grep -rE "192\.168\.[0-9]+\.[0-9]+" --include="*"
grep -rE "172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+" --include="*"

# Scan for credentials
# (-E so that ".?" is an optional separator; in basic regex "?" is a literal
# and the pattern would miss api_key, api-key and apikey)
grep -riE "password|token|secret|api.?key" --include="*"

# Scan for absolute paths
grep -rE "/(root|home)/[a-z]+" --include="*"

# Check .git/config
cat .git/config | grep url

# Find sensitive files
find . -name "*.pem" -o -name "*.key" -o -name ".env*" -o -name "id_rsa"
```

---

## Emergency: Found Sensitive Data

If you find sensitive data after pushing:

1. **Immediately** revoke the exposed credential
2. Remove from git history: `git filter-branch` or BFG Repo-Cleaner
3. Force push to all remotes
4. Notify affected parties

---

*This checklist is for GIT/PUBLIC directory validation only.*
*For local development checks, see `audit_checklist.md` in `.local_projects/true-recall-v2/`*