diff --git a/TOOLS.md b/TOOLS.md index 29b61df..06016ad 100644 --- a/TOOLS.md +++ b/TOOLS.md @@ -92,6 +92,15 @@ Skills are shared. Your setup is yours. Keeping them apart means you can update - Endpoint: `http://192.168.153.253:9000` - Bucket: `zap` - Credentials file: `~/.openclaw/credentials/minio-zap.env` (mode `600`) +- Backup script: `scripts/backup-to-minio.sh` +- Backup scope: full archive of `~/.openclaw` (tar.gz) + `sha256` + `manifest.txt` +- Backup schedule: system cron every 6 hours at minute 17 + - `17 */6 * * * /home/openclaw/.openclaw/workspace/scripts/backup-to-minio.sh >> /home/openclaw/.openclaw/workspace/memory/minio-backup.log 2>&1` +- Bucket versioning: enabled +- Lifecycle rule (prefix `workspace-backups/`): + - expire noncurrent versions after 90 days + - keep 3 newer noncurrent versions + - expire delete markers enabled ### Kubernetes (homelab) diff --git a/memory/2026-03-06.md b/memory/2026-03-06.md new file mode 100644 index 0000000..88901b5 --- /dev/null +++ b/memory/2026-03-06.md @@ -0,0 +1,20 @@ +# 2026-03-06 + +## Telegram hardening +- Added Telegram group sender allowlist for commands: + - `channels.telegram.groupAllowFrom = ["8367012007"]` + - `channels.telegram.groups["*"].allowFrom = ["8367012007"]` +- Result: security audit critical finding for missing Telegram group allowlist cleared. + +## Backups / MinIO +- Updated `scripts/backup-to-minio.sh` to back up full `~/.openclaw` (not just workspace memory files). +- Backup now uploads: + - `openclaw-.tar.gz` + - `openclaw-.tar.gz.sha256` + - `manifest.txt` +- Verified successful full backup upload to `s3://zap/workspace-backups/`. +- Enabled bucket versioning on `zap`. +- Added lifecycle rule for `workspace-backups/`: + - expire noncurrent versions after 90 days + - keep 3 newer noncurrent versions + - expire delete markers enabled
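Review bot: The new "Backup scope" line in the TOOLS.md hunk archives all of `~/.openclaw`, which includes the `~/.openclaw/credentials/minio-zap.env` file named in the context line just above it, and the endpoint in the same list is plain `http://192.168.153.253:9000`. As documented, every 6-hour cron run sends the MinIO credentials, along with anything else under `credentials/`, unencrypted over the network and stores them in the bucket they unlock. Suggest excluding `credentials/` from the tar or encrypting the archive client-side before upload, moving the endpoint to TLS, and stating in this section which of those is in effect. The `sha256` uploaded beside the archive detects corruption, but not tampering by anyone with write access to the bucket, which is worth saying here so the file is not read as an integrity guarantee.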
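Review bot: In the memory/2026-03-06.md hunk, the "Backup now uploads" list names the objects `openclaw-.tar.gz` and `openclaw-.tar.gz.sha256` with nothing between the hyphen and the extension, so the note does not say whether each run writes a new key or overwrites a fixed one. That decides whether the lifecycle rule listed below it does anything: expiring noncurrent versions after 90 days and keeping 3 newer noncurrent versions only affects objects that get overwritten or deleted. If each run writes a uniquely named archive, those objects stay current forever and `workspace-backups/` grows without bound, while only `manifest.txt` is actually versioned. Suggest documenting the naming pattern explicitly and, if names are per-run, adding an expiration for current objects under the prefix. The "Verified successful full backup upload" line would also be stronger if it recorded a test restore and a `sha256` check of the downloaded archive, not just the upload.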