true-recall-gems/audit_checklist.md

TrueRecall v2 - Master Audit Checklist (GIT/PUBLIC)

For: .git_projects/true-recall-v2/ (Sanitized Public Directory)
Version: 2.2
Last Updated: 2026-02-25 10:07 CST

---

Overview

This checklist validates the git/public directory is properly sanitized with placeholders, no credentials, and ready for public release. Use this before every git push.

---

Recent Fixes (2026-02-25)

Issue	Status	Fix
Embedding model mismatch	✅ Fixed	Changed curator to snowflake-arctic-embed2
Gems had no vectors	✅ Fixed	Updated store_gem() to use text field
JSON parsing errors	✅ Fixed	Simplified extraction prompt
Watcher stuck on old session	✅ Fixed	Restarted watcher service
Plugin capture 0 exchanges	✅ Fixed	Added extractMessageText() for array content
Plugin exchanges working	✅ Verified	9 exchanges extracted per session

---

SECTION 1: Pre-Push Security Checks

1.1 Critical Security Scan

#	Check	Command	Expected	Status
1.1.1	No hardcoded IPs	grep -rE "10\.[0-9]+\.[0-9]+\.[0-9]+" --include="*"	0 results	☐
1.1.2	No 192.168.x.x	grep -rE "192\.168\.[0-9]+\.[0-9]+" --include="*"	0 results	☐
1.1.3	No 172.16-31.x.x	`grep -rE "172.(1[6-9]	2[0-9]	3[01]).[0-9]+.[0-9]+" --include="*"`
1.1.4	No localhost IPs	grep -rE "127\.0\.0\.[0-9]+" --include="*"	0 results	☐
1.1.5	No IPv6 locals	grep -rE "\[?::1\]?" --include="*"	0 results	☐

1.2 Credentials Scan

#	Check	Command	Expected	Status
1.2.1	No passwords	grep -ri "password" --include="*.py" --include="*.md" --include="*.sh"	0 results	☐
1.2.2	No tokens	grep -ri "token" --include="*.py" --include="*.md" --include="*.json"	0 results	☐
1.2.3	No API keys	`grep -riE "api[_-]?key	apikey" --include="*"`	0 results
1.2.4	No secrets	grep -ri "secret" --include="*.py" --include="*.md"	0 results	☐
1.2.5	No private keys	grep -ri "private.*key|privkey" --include="*"	0 results	☐
1.2.6	No auth strings	grep -riE "auth[^o]" --include="*.py" --include="*.json"	0 results	☐

1.3 .git/config Security - CRITICAL

#	Check	Command	Expected	Status
1.3.1	No tokens in URLs	grep "url = " .git/config	No user:token@ pattern	☐
1.3.2	No HTTP auth	`grep "url = " .git/config	grep -v "^http://[^/]*$"`	Clean URLs
1.3.3	HTTPS remotes	grep "url = " .git/config	All HTTPS or SSH	☐
1.3.4	Remote sanity	git remote -v	2-3 remotes, no tokens	☐
1.3.5	⚠️ NO TOKENS IN CREDENTIAL HELPER	`grep -E "(password	token	ghp_
1.3.6	⚠️ NO CREDENTIAL HELPER WITH SECRETS	`cat .git/config	grep -A5 "[credential]"`	NO HARDCODED PASSWORDS

CRITICAL WARNING: Kimi has accidentally pushed tokens TWICE before. ALWAYS verify 1.3.5 and 1.3.6 before pushing!

1.4 File Scan

#	Check	Expected	Status
1.4.1	No .env files	0 .env files	☐
1.4.2	No .pem files	0 .pem files	☐
1.4.3	No .key files	0 .key files	☐
1.4.4	No id_rsa files	0 id_rsa files	☐
1.4.5	No .p12 files	0 .p12 files	☐
1.4.6	No .pfx files	0 .pfx files	☐

---

SECTION 2: Placeholder Verification

2.1 IP Placeholders

#	Placeholder	Used For	Found?	Status
2.1.1	<QDRANT_IP>	Qdrant endpoint	☐	☐
2.1.2	<OLLAMA_IP>	Ollama endpoint	☐	☐
2.1.3	<REDIS_IP>	Redis endpoint	☐	☐
2.1.4	<GITEA_IP>	Gitea server	☐	☐
2.1.5	<GATEWAY_IP>	OpenClaw gateway	☐	☐

2.2 Path Placeholders

#	Placeholder	Used For	Found?	Status
2.2.1	~/	Home directory	☐	☐
2.2.2	<OPENCLAW_PATH>	OpenClaw install	☐	☐
2.2.3	<USER_HOME>	User home	☐	☐
2.2.4	<SYSTEMD_PATH>	systemd location	☐	☐

2.3 Config Placeholders

#	Placeholder	Used For	Found?	Status
2.3.1	<API_KEY>	API key example	☐	☐
2.3.2	<TOKEN>	Token example	☐	☐
2.3.3	<PASSWORD>	Password example	☐	☐
2.3.4	<DATE>	Date example	☐	☐
2.3.5	<TIMESTAMP>	Timestamp example	☐	☐

---

SECTION 3: File Completeness

3.1 Required Files Present

#	File	Purpose	Status
3.1.1	README.md	Main documentation	☐
3.1.2	session.md	Session notes	☐
3.1.3	checklist.md	Installation checklist	☐
3.1.4	curator-prompt.md	Curation prompt	☐
3.1.5	install.py	Installation script	☐
3.1.6	push-all.sh	Push script	☐

3.2 Scripts Directory

#	File	Purpose	Status
3.2.1	tr-continuous/curator_timer.py	Timer curator	☐
3.2.2	tr-continuous/curator_config.json	Curator config	☐

3.3 No Local-Only Files

#	Check	Expected	Status
3.3.1	No debug_curator.py	Not in git	☐
3.3.2	No test_curator.py	Not in git	☐
3.3.3	No migrate_*.py	Not in git	☐
3.3.4	No tr-daily/	Not in git (archived)	☐
3.3.5	No tr-compact/	Not in git (concept)	☐

---

SECTION 4: Script Validation

4.1 curator_timer.py

#	Check	Expected	Status
4.1.1	No hardcoded IPs	Uses env vars	☐
4.1.2	No absolute paths	Uses ~/	☐
4.1.3	Syntax valid	python3 -m py_compile passes	☐
4.1.4	Executable bit	chmod +x set	☐
4.1.5	Uses placeholders	<QDRANT_IP>, <OLLAMA_IP>	☐

4.2 install.py

#	Check	Expected	Status
4.2.1	No hardcoded IPs	Uses prompts	☐
4.2.2	No absolute paths	Uses defaults	☐
4.2.3	Syntax valid	python3 -m py_compile passes	☐
4.2.4	Interactive prompts	Asks for URLs	☐

4.3 push-all.sh

#	Check	Expected	Status
4.3.1	No hardcoded paths	Uses $PWD	☐
4.3.2	No tokens	Clean script	☐
4.3.3	Syntax valid	bash -n passes	☐
4.3.4	Executable bit	chmod +x set	☐

---

SECTION 5: Documentation Quality

5.1 README.md

#	Check	Expected	Status
5.1.1	Uses placeholders	<QDRANT_IP>, <OLLAMA_IP>	☐
5.1.2	No hardcoded paths	~/ not /root/	☐
5.1.3	Clear instructions	Step-by-step	☐
5.1.4	Config examples	Generic examples	☐
5.1.5	Troubleshooting	Common issues listed	☐

5.2 session.md

#	Check	Expected	Status
5.2.1	Uses placeholders	<QDRANT_IP>, <OLLAMA_IP>	☐
5.2.2	No hardcoded paths	~/ not /root/	☐
5.2.3	Current state	Up to date	☐
5.2.4	Validation commands	Generic commands	☐

5.3 checklist.md

#	Check	Expected	Status
5.3.1	Uses placeholders	<QDRANT_IP>, etc.	☐
5.3.2	Pre-install checks	Generic commands	☐
5.3.3	Post-install validation	Generic commands	☐
5.3.4	Troubleshooting	Common issues	☐

5.4 curator-prompt.md

#	Check	Expected	Status
5.4.1	Uses placeholders	<QDRANT_IP>	☐
5.4.2	No hardcoded IPs	Placeholders only	☐
5.4.3	Updated architecture	No Redis refs	☐
5.4.4	Correct collection	memories_tr not kimi_memories	☐

---

SECTION 6: Git Hygiene

6.1 Git Status

#	Check	Command	Expected	Status
6.1.1	Clean working tree	git status	No uncommitted changes	☐
6.1.2	No untracked files	git status	0 untracked or added	☐
6.1.3	Proper .gitignore	cat .gitignore	Blocks sensitive files	☐
6.1.4	No large files	find . -size +10M	0 large files	☐

6.2 Commit Quality

#	Check	Expected	Status
6.2.1	Descriptive message	Clear summary	☐
6.2.2	Atomic changes	One feature per commit	☐
6.2.3	Signed (optional)	GPG signed	☐

6.3 Remote Configuration

#	Check	Expected	Status
6.3.1	GitHub remote	Configured	☐
6.3.2	Gitea remote	Configured	☐
6.3.3	GitLab remote	Configured	☐
6.3.4	All clean	No tokens in URLs	☐

---

SECTION 7: Error Prevention

7.1 Common Mistakes

#	Mistake	Prevention	Check	Status
7.1.1	Forgetting to sanitize	Run this checklist	☐	☐
7.1.2	Leaving tokens	Scan with grep	☐	☐
7.1.3	Hardcoding IPs	Use placeholders	☐	☐
7.1.4	Absolute paths	Use ~/	☐	☐
7.1.5	Local-only files	Check 3.3.1-3.3.5	☐	☐

7.2 Pre-Push Checklist - MANDATORY

#	Step	Command	Status
7.2.1	🔴 CHECK .git/config FOR TOKENS	`grep -E "(password	token
7.2.2	🔴 VERIFY NO CREDENTIAL HELPER SECRETS	`cat .git/config	grep -A5 "[credential]"`
7.2.3	Run security scan	Section 1.1-1.2	☐
7.2.4	Verify placeholders	Section 2.1-2.3	☐
7.2.5	Check file completeness	Section 3.1-3.3	☐
7.2.6	Validate scripts	Section 4.1-4.3	☐
7.2.7	Review docs	Section 5.1-5.4	☐
7.2.8	Check git hygiene	Section 6.1-6.3	☐

---

SECTION 8: Function Verification (Generic)

8.1 Config Validity

#	File	Check	Expected	Status
8.1.1	curator_config.json	JSON syntax	Valid JSON	☐
8.1.2	curator_config.json	Required keys	All present	☐
8.1.3	curator_config.json	Value types	Correct types	☐

8.2 Script Syntax

#	File	Check	Command	Status
8.2.1	curator_timer.py	Python syntax	python3 -m py_compile	☐
8.2.2	install.py	Python syntax	python3 -m py_compile	☐
8.2.3	push-all.sh	Bash syntax	bash -n push-all.sh	☐

8.3 Documentation Links

#	Check	Expected	Status
8.3.1	Internal links valid	All #section work	☐
8.3.2	No broken references	No TODO or FIXME	☐
8.3.3	Consistent formatting	Same style throughout	☐

---

SECTION 9: Comparison with Local

9.1 Sync Status

#	Check	Local	Git	Match?
9.1.1	README structure	Same	Same	☐
9.1.2	session structure	Same	Same	☐
9.1.3	checklist structure	Same	Same	☐
9.1.4	Config structure	Same	Same	☐

9.2 Content Differences

#	Check	Local (Real)	Git (Placeholder)	Expected
9.2.1	Qdrant IP	10.0.0.40	<QDRANT_IP>	✅
9.2.2	Ollama IP	10.0.0.10	<OLLAMA_IP>	✅
9.2.3	Paths	/root/...	~/...	✅
9.2.4	Usernames	rob	rob or generic	✅

---

SECTION 10: Final Review

10.1 Sign-Off

#	Reviewer	Date	Notes	Signature
10.1.1	Security scan
10.1.2	Sanitization
10.1.3	Functionality
10.1.4	Documentation

10.2 Ready to Push - MANDATORY CHECKS

#	Check	Status
10.2.1	🔴 .git/config contains NO tokens (Section 1.3.5-1.3.6)	☐ MUST PASS
10.2.2	🔴 No credential helper with secrets (Section 7.2.1-7.2.2)	☐ MUST PASS
10.2.3	All Section 1 checks passed	☐
10.2.4	All Section 2 checks passed	☐
10.2.5	All Section 3 checks passed	☐
10.2.6	All Section 4 checks passed	☐
10.2.7	All Section 5 checks passed	☐
10.2.8	All Section 6 checks passed	☐
10.2.9	All Section 7 checks passed	☐

10.3 Push Command

# After all checks pass:
cd ~/.openclaw/workspace/.git_projects/true-recall-v2
./push-all.sh "Your descriptive commit message"

---

Quick Reference: Security Scan Commands

# Scan for private IPs
grep -rE "10\.[0-9]+\.[0-9]+\.[0-9]+" --include="*"
grep -rE "192\.168\.[0-9]+\.[0-9]+" --include="*"
grep -rE "172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+" --include="*"

# Scan for credentials
grep -ri "password\|token\|secret\|api.?key" --include="*"

# Scan for absolute paths
grep -rE "/(root|home)/[a-z]+" --include="*"

# Check .git/config
cat .git/config | grep url

# Find sensitive files
find . -name "*.pem" -o -name "*.key" -o -name ".env*" -o -name "id_rsa"

---

Emergency: Found Sensitive Data

If you find sensitive data after pushing:

1. Immediately revoke the exposed credential
2. Remove from git history: git filter-branch or BFG Repo-Cleaner
3. Force push to all remotes
4. Notify affected parties

---

This checklist is for GIT/PUBLIC directory validation only. For local development checks, see audit_checklist.md in .local_projects/true-recall-v2/