# Product Spec

## Problem

Legacy PHP app lives in temporary path `project/new`. SQL dump lives mixed with app code. There is no ARNES design record for this code. This makes next change work risky and hard to trace.

## Objective

Put legacy app in stable ARNES project layout. Keep same code and same behavior for now. Make next work easy to trace, review, and test.

## Users

- Primary user: maintainer of legacy PHP app
- Secondary user: architect, implementer, reviewer, qa

## Scope v1

- In scope:
  - document current legacy app structure
  - define target repo layout
  - move app code to `project/web/index/new`
  - move SQL dump to `project/sql/db-25052026.sql`
- Out of scope:
  - auth rewrite
  - OpenAI secret cleanup
  - production deploy
  - feature refactor

## F-002 — Remove secrets and externalize config

### Problem

Legacy PHP files still contain API keys, DB credentials, and production URLs. This blocks security approval and makes local setup unsafe.

### Objective

Load config from one local source outside versioned code. Keep page behavior the same while removing hard-coded secrets from tracked PHP files.

### Scope

- In scope:
  - one config loader for legacy module
  - one local config file shape for DB, OpenAI, URLs, and endpoints
  - replace hard-coded values in tracked PHP files
  - setup notes for local config
- Out of scope:
  - auth redesign
  - worker refactor beyond config use
  - deploy automation
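
One way the F-002 config loader could look, as an added example that is not the project's own code: it reads a single JSON file kept outside the tracked tree and fails closed on loose permissions or missing keys. The JSON format, the function name `load_legacy_config`, and every key name are assumptions; the sample values are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Hypothetical file shape: section => required keys (names are assumptions).
const REQUIRED_KEYS = [
    'db'        => ['host', 'name', 'user', 'password'],
    'openai'    => ['api_key'],
    'urls'      => ['base'],
    'endpoints' => ['worker'],
];

/** Load and validate the local config file; fail closed, never echo secret values. */
function load_legacy_config(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException("config file missing or unreadable: $path");
    }
    // Refuse group/world-accessible files (POSIX permission bits only).
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($path) & 0077) !== 0) {
        throw new RuntimeException("config file permissions too open: $path");
    }
    $config = json_decode((string) file_get_contents($path), true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($config)) {
        throw new RuntimeException('config root must be a JSON object');
    }
    foreach (REQUIRED_KEYS as $section => $keys) {
        foreach ($keys as $key) {
            $value = $config[$section][$key] ?? null;
            if (!is_string($value) || $value === '') {
                // Name the key, not the value, so logs stay secret-free.
                throw new RuntimeException("config key missing or empty: $section.$key");
            }
        }
    }
    return $config;
}

// Constructed sample: placeholder values written to a temp file with 0600 perms.
$path = tempnam(sys_get_temp_dir(), 'legacy-config-');
file_put_contents($path, json_encode([
    'db'        => ['host' => '127.0.0.1', 'name' => 'legacy', 'user' => 'app', 'password' => 'PLACEHOLDER'],
    'openai'    => ['api_key' => 'PLACEHOLDER'],
    'urls'      => ['base' => 'http://localhost:8080'],
    'endpoints' => ['worker' => 'http://localhost:8080/worker.php'],
]));
chmod($path, 0600);
$config = load_legacy_config($path);
echo "db host: {$config['db']['host']}, base url: {$config['urls']['base']}\n";
unlink($path);
```

In a real setup the file path would point outside the repository (or be listed in the ignore file), so the tracked PHP files only ever call the loader.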