# Product Spec

## Problem

Legacy PHP app lives in temporary path `project/new`. SQL dump lives mixed with app code. There is no ARNES design record for this code. This makes next change work risky and hard to trace.

## Objective

Put legacy app in stable ARNES project layout. Keep same code and same behavior for now. Make next work easy to trace, review, and test.

## Users

- Primary user: maintainer of legacy PHP app
- Secondary user: architect, implementer, reviewer, qa

## Scope v1

- In scope:
  - document current legacy app structure
  - define target repo layout
  - move app code to `project/web/index/new`
  - move SQL dump to `project/sql/db-25052026.sql`
- Out of scope:
  - auth rewrite
  - OpenAI secret cleanup
  - production deploy
  - feature refactor

## F-002 — Remove secrets and externalize config

### Problem

Legacy PHP files still contain API keys, DB credentials, and production URLs. This blocks security approval and makes local setup unsafe.

### Objective

Load config from one local source outside versioned code. Keep page behavior the same while removing hard-coded secrets from tracked PHP files.

### Scope

- In scope:
  - one config loader for legacy module
  - one local config file shape for DB, OpenAI, URLs, and endpoints
  - replace hard-coded values in tracked PHP files
  - setup notes for local config
- Out of scope:
  - auth redesign
  - worker refactor beyond config use
  - deploy automation

## F-003 — Sanitize SQL dump for safe dev use

### Problem

Current SQL dump in repo looks like a production snapshot. It contains sensitive and production-like data. This is unsafe as a tracked development baseline.

### Objective

Replace the raw dump in the working tree with a safe development baseline. Keep local development possible for the legacy PHP module. Document how to handle private data outside git.

### Scope

- In scope:
  - define safe SQL baseline strategy
  - replace current tracked dump with sanitized development dump
  - document private local dump handling
  - keep module development possible with synthetic seed data
- Out of scope:
  - production database changes
  - app logic changes
  - full OpenCart dataset preservation
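
For F-002, one possible shape of the single config loader, shown as an added example and not the project's own code. The class name, the INI section and key names, and the `LEGACY_CONFIG_FILE` environment variable are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical F-002 loader: class, key and env-variable names are assumptions, not project code.
final class LegacyConfig
{
    // Required keys per section; a missing or empty one aborts startup.
    private const REQUIRED = [
        'db'        => ['host', 'name', 'user', 'password'],
        'openai'    => ['api_key'],
        'urls'      => ['base'],
        'endpoints' => ['worker'],
    ];
    private static ?array $values = null;

    public static function load(?string $path = null): array
    {
        if (self::$values !== null) {
            return self::$values;
        }
        $path = $path ?? (getenv('LEGACY_CONFIG_FILE') ?: '');
        if ($path === '' || !is_file($path)) {
            throw new RuntimeException('Local config file not found; see setup notes.');
        }
        // POSIX only: refuse a file that other local users can access.
        if (DIRECTORY_SEPARATOR === '/' && (fileperms($path) & 0007) !== 0) {
            throw new RuntimeException('Config file must not be world-accessible.');
        }
        // RAW mode keeps values as literal strings (no type or constant expansion).
        $cfg = parse_ini_file($path, true, INI_SCANNER_RAW);
        if ($cfg === false) {
            throw new RuntimeException('Local config file is not valid INI.');
        }
        foreach (self::REQUIRED as $section => $keys) {
            foreach ($keys as $key) {
                if (trim((string) ($cfg[$section][$key] ?? '')) === '') {
                    // Report the key name only, never a value.
                    throw new RuntimeException("Missing config value: {$section}.{$key}");
                }
            }
        }
        return self::$values = $cfg;
    }
}

// Constructed demo input with placeholder values, written to a temp file.
$demo = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($demo, "[db]\nhost = 127.0.0.1\nname = legacy_dev\nuser = dev\npassword = placeholder\n"
    . "[openai]\napi_key = placeholder\n[urls]\nbase = http://localhost\n[endpoints]\nworker = http://localhost/worker\n");
chmod($demo, 0600);
echo implode(',', array_keys(LegacyConfig::load($demo))), "\n";
unlink($demo);
```

Keeping the INI file outside the repository (or git-ignored) means tracked PHP files only ever reference section and key names.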