diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eb48f246..56fe5e50 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -197,17 +197,17 @@ jobs:
 exit 1
 fi
 echo "✅ No credentials found in production code"
- - name: Check .env not committed
+ - name: Check .env files not committed
 run: |
- if [ -f "backend/.env" ]; then
- echo "::error::backend/.env should not be committed"
+ if [ -f "backend/.env" ] || [ -f "frontend/.env" ]; then
+ echo "::error::backend/.env and frontend/.env should not be committed"
 exit 1
 fi
- echo "✅ .env not committed"
+ echo "✅ No .env files committed"
 - name: Check for identity leaks in shipped code
 # IDENTITY_LOCK enforcement — blocks the build if any agent re-introduces
 # foreign client-side telemetry, preview hostnames, or shared/fallback key
- # patterns into shipped source, public HTML, dev plugins, or .env files.
+ # patterns into shipped source, public HTML, or dev plugins.
 run: |
 echo "Scanning shipped source for identity leaks..."
 LEAKS=$(grep -rEn \
diff --git a/memory/IDENTITY_LOCK.md b/memory/IDENTITY_LOCK.md
index e8036db0..abd4321b 100644
--- a/memory/IDENTITY_LOCK.md
+++ b/memory/IDENTITY_LOCK.md
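Review bot: `[ -f "backend/.env" ] || [ -f "frontend/.env" ]` tests for presence in the checkout rather than for a file tracked by git, so the step name "not committed" overstates what it proves: a `.env` written by an earlier step of this job would trip it just the same, and nothing in the hunk distinguishes that case from a committed file (the steps before line 197 are outside the hunk, so whether that happens is not visible here). `git ls-files --error-unmatch -- "$f"` answers the intended question directly, and iterating the two paths lets the `::error` annotation name the offending file instead of always naming both. The comment change on the identity-leak step says `.env` files are no longer scanned, but that step's grep continues past the end of the hunk so the claim cannot be confirmed here, and the `memory/IDENTITY_LOCK.md` hunk in this same commit still lists `/app/frontend/.env /app/backend/.env` in its grep path list, so the doc and the workflow comment now disagree on scope.
```yaml
    - name: Check .env files not committed
      run: |
        status=0
        for f in backend/.env frontend/.env; do
          if git ls-files --error-unmatch -- "$f" >/dev/null 2>&1; then
            echo "::error file=$f::$f is tracked by git and should not be committed"
            status=1
          fi
        done
        [ "$status" -eq 0 ] || exit 1
        echo "✅ No .env files committed"
    # … unchanged: identity-leak step …
```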
@@ -56,27 +56,27 @@ Before committing / deploying / submitting to App Store:
 ```bash
 # No deploy-platform hostnames, third-party telemetry, or shared key refs in active source
-grep -rEn \\
- -e "posthog" \\
- -e "google-analytics" \\
- -e "gtag\\(" \\
- -e "sentry\\.io" \\
- -e "fullstory" \\
- -e "hotjar" \\
- -e "logrocket" \\
- -e "segment\\.com/analytics\\.js" \\
- -e "vercel\\.app" \\
- -e "netlify\\.app" \\
- -e "onrender\\.com" \\
- -e "up\\.railway\\.app" \\
- -e "pages\\.dev" \\
- -e "LLM_KEY" \\
- -e "UNIVERSAL_KEY" \\
- /app/backend /app/frontend/src /app/frontend/public /app/frontend/.env /app/backend/.env \\
- 2>/dev/null | grep -v node_modules | grep -v tests/ | grep -v \\.pyc
+grep -rEn \
+ -e "posthog" \
+ -e "google-analytics" \
+ -e "gtag\(" \
+ -e "sentry\.io" \
+ -e "fullstory" \
+ -e "hotjar" \
+ -e "logrocket" \
+ -e "segment\.com/analytics\.js" \
+ -e "vercel\.app" \
+ -e "netlify\.app" \
+ -e "onrender\.com" \
+ -e "up\.railway\.app" \
+ -e "pages\.dev" \
+ -e "LLM_KEY" \
+ -e "UNIVERSAL_KEY" \
+ /app/backend /app/frontend/src /app/frontend/public /app/frontend/.env /app/backend/.env \
+ 2>/dev/null | grep -v node_modules | grep -v tests/ | grep -v \.pyc
 # No alternate/shared LLM key references anywhere
-grep -rEn "EMERGENT_LLM_KEY|UNIVERSAL_LLM_KEY|SHARED_LLM_KEY" \\
+grep -rEn "EMERGENT_LLM_KEY|UNIVERSAL_LLM_KEY|SHARED_LLM_KEY" \
 /app/backend /app/frontend/src 2>/dev/null | grep -v node_modules
 ```