# Current session

- Active feature: `F-002` — `Remove secrets and externalize config`
- Start: `2026-05-25`
- Orchestrator: `leader`

## Plan

- Write SDD, ADR, and BDD trace for config externalization.
- Add one config loader for legacy PHP module.
- Remove hard-coded DB and OpenAI secrets from versioned PHP files.
- Centralize URLs and external endpoints in local config.
- Run `./scripts/verify.sh` and security scan.

## Log

- Feature `F-001` is blocked by security gate because secrets remain in repo.
- Created follow-up ticket `F-002`.
- Switched active work item to `F-002`.
- Wrote SDD, ADR, and BDD trace for config externalization.
- Added shared config loader and local config template for legacy PHP module.
- Removed hard-coded DB and OpenAI secrets from tracked PHP files.
- Replaced inline production URLs in tracked PHP files with config lookups.
- Ran verify and security scans.
- Reviewer, security, QA, and documenter artifacts for `F-002` are on disk.

## Next step

- Publish `F-002`.
- Create follow-up ticket for SQL dump sanitization.