claude: better review instructions

.claude/commands/openroad-issue.md

@@ -442,15 +442,29 @@ Levers that reduce time-to-fix:
 - **Align with ongoing work**: if the maintainer has open PRs touching
   the same area, reference them. Your fix might get absorbed.
 
-### 13. Save for human review
+### 13. Security review and handoff
 
-Save the issue file locally. **Do not run `gh issue create`** — the human
-posts issues to upstream repos.
+NEVER push or post automatically. The user pushes and posts.
+
+Before handing off to the user, review what you're about to publish:
+
+- No absolute paths from the local machine (e.g. /home/username/...)
+- No private repository URLs (internal repos)
+- No credentials, tokens, or API keys
+- No private email addresses beyond what's already public in git history
+- No internal project names or codenames that aren't public
+- References only to public issues (e.g. The-OpenROAD-Project/OpenROAD#9862,
+  not Org/secretrepo#172)
+- Patch files don't contain paths or content from private repos
+
+Save the issue .md emphemral file to tmp/ for the user to review:
 
 ```bash
 cp issue.md docs/issues/<slug>.md
 ```
 
+The user decides when and how to post.
+
 ### 14. Unblock yourself with the fix
 
 Filing quality issues isn't charity — it's self-interest with a time