@F-002 @smoke @security @regression Feature: Legacy module reads config from one local source As a maintainer I want secrets and URLs outside tracked PHP files So I can run the legacy module without storing sensitive values in source Scenario: Entry points use shared config helper Given the legacy PHP module has multiple web and CLI entry points When feature F-002 is applied Then tracked PHP files do not contain hard-coded DB credentials And tracked PHP files do not contain hard-coded OpenAI credentials And DB and route values are loaded through a shared config helper Scenario: Local config shape is documented Given a maintainer needs to set local credentials When feature F-002 is applied Then the repo contains a versioned local config example And the repo ignores the real local config file And setup notes explain how to create the local config