# Feature and safety checklist

## Included

- [x] Deployable PHP application with no Composer dependency.
- [x] Dedicated private web interface.
- [x] Multiple target-project profiles.
- [x] Staging and production URL metadata.
- [x] Strict project-root filesystem boundary.
- [x] Protected secret/path names.
- [x] File listing and focused reads.
- [x] Recursive code search.
- [x] Git status, diff, and recent log tools.
- [x] PHP syntax validation.
- [x] OpenAI Responses API function-calling loop.
- [x] Exact-block replacement proposals.
- [x] Complete-file create/replace proposals.
- [x] Human diff review and Apply/Reject.
- [x] Optional direct auto-apply for staging only.
- [x] Source SHA-256 stale-change detection.
- [x] Backup before every applied change.
- [x] Atomic file replacement.
- [x] Optional automatic Git commit.
- [x] Direct production edits blocked by default.
- [x] Production deployment unavailable to the AI.
- [x] Fixed, allow-listed manual deployment command.
- [x] Exact deployment confirmation phrase.
- [x] Audit logging and request throttling.
- [x] cPanel, SSH/Codex, security, and architecture documentation.
- [x] Installation and health-check scripts.
- [x] Automated self-tests and validation report.

## Deliberately excluded from v0.1.0

- [ ] Arbitrary AI shell access from the browser panel.
- [ ] Secret or `.env` reading.
- [ ] Automatic database migrations.
- [ ] Production auto-editing.
- [ ] File deletion tool.
- [ ] Binary/image editing.
- [ ] cPanel File Manager UI injection, which normally requires host/WHM-level plugin privileges.

No existing target-application functionality is removed by installing this panel. It operates beside the target project and changes target files only after a proposal is approved or staging auto-apply is explicitly enabled.