diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..6e2dc8b
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,27 @@
+# ============================================================
+# clawbot-sql-memory — Memory & Storage Configuration
+# ============================================================
+# SECURITY: This is a TEMPLATE ONLY. Never commit actual .env files.
+# Copy this to .env and fill in your local values.
+
+# SQL Server — Local Development
+SQL_LOCAL_SERVER=10.0.0.110
+SQL_LOCAL_PORT=1433
+SQL_LOCAL_DATABASE=Oblio_Memories
+SQL_LOCAL_USER=your_sql_user
+SQL_LOCAL_PASSWORD=your_sql_password
+
+# SQL Server — Cloud Backup
+SQL_CLOUD_SERVER=SQL5112.site4now.net
+SQL_CLOUD_PORT=1433
+SQL_CLOUD_DATABASE=db_99ba1f_memory4oblio
+SQL_CLOUD_USER=db_99ba1f_memory4oblio_admin
+SQL_CLOUD_PASSWORD=your_cloud_password
+
+# Memory Configuration
+MEMORY_STORE=sql           # Options: sql, file (sql is recommended)
+MEMORY_RETENTION_DAYS=365
+SEMANTIC_SEARCH_ENABLED=true
+
+# Logging
+LOG_LEVEL=INFO
diff --git a/.github/workflows/test-on-pr.yml b/.github/workflows/test-on-pr.yml
index b12053d..b7fc325 100644
--- a/.github/workflows/test-on-pr.yml
+++ b/.github/workflows/test-on-pr.yml
@@ -7,6 +7,20 @@ on:
       - develop
 
 jobs:
+  secret-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      
+      - name: TruffleHog Secret Scan
+        uses: trufflesecurity/trufflehog@main
+        with:
+          path: ./
+          base: ${{ github.event.repository.default_branch }}
+          head: HEAD
+
   test:
     runs-on: ubuntu-latest
     strategy:
@@ -34,3 +48,11 @@ jobs:
       
       - name: Build
         run: npm run build --if-present
+      
+      - name: Check for .env files
+        run: |
+          if [ -f .env ]; then
+            echo "ERROR: .env file should not be committed"
+            exit 1
+          fi
+          echo "OK: No .env file tracked"