# Security model

## Trust boundary

The PHP process runs as the cPanel account and therefore may have filesystem rights beyond the selected project. This application compensates by resolving every agent path against one configured project root and rejecting traversal, protected names, paths outside the root, binary files, large files, and symbolic-link write targets.
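The following is an added illustration of the path policy described above, not the project's own code. It assumes PHP 8 (for `str_contains`/`str_starts_with`), a single configured `$projectRoot`, and a hypothetical `$protected` list of names the agent may never touch; the 512 KiB size limit and the NUL-byte binary heuristic are assumptions, not values taken from this page.

```php
<?php
declare(strict_types=1);

final class PathPolicyException extends RuntimeException {}

/**
 * Resolve an agent-supplied relative path against the single project root.
 * Rejects traversal, protected names, escapes from the root, binary files,
 * oversized files and symbolic-link write targets. Returns the resolved
 * absolute path on success; every rejection throws.
 */
function resolveAgentPath(
    string $projectRoot,
    string $requested,
    bool $forWrite = false,
    int $maxBytes = 512 * 1024 // assumed limit
): string {
    $root = realpath($projectRoot);
    if ($root === false || !is_dir($root)) {
        throw new PathPolicyException('Project root is not a directory');
    }

    // Reject NUL bytes, absolute paths and any ".." component before touching the filesystem.
    if (str_contains($requested, "\0")
        || str_starts_with($requested, '/')
        || preg_match('#(^|/)\.\.(/|$)#', $requested) === 1) {
        throw new PathPolicyException('Traversal or absolute path rejected');
    }

    // Hypothetical protected names: the panel config, env files and VCS metadata.
    $protected = ['config/config.php', '.env', '.git'];
    foreach ($protected as $name) {
        if ($requested === $name || str_starts_with($requested, $name . '/')) {
            throw new PathPolicyException("Protected path: $name");
        }
    }

    $candidate = $root . '/' . $requested;

    // A write target may not exist yet, so resolve the nearest existing path
    // (the parent directory) and re-append the basename afterwards.
    $existing = file_exists($candidate) ? $candidate : dirname($candidate);
    $resolved = realpath($existing);
    if ($resolved === false) {
        throw new PathPolicyException('Parent directory does not exist');
    }
    if ($existing !== $candidate) {
        $resolved .= '/' . basename($candidate);
    }

    // realpath() collapses symlinks, so anything outside the root here is an escape.
    if ($resolved !== $root && !str_starts_with($resolved, $root . '/')) {
        throw new PathPolicyException('Path escapes project root');
    }

    // Never write through a symlink, even one that currently points inside the root.
    if ($forWrite && is_link($candidate)) {
        throw new PathPolicyException('Refusing to write through a symbolic link');
    }

    if (is_file($resolved)) {
        if (filesize($resolved) > $maxBytes) {
            throw new PathPolicyException('File exceeds size limit');
        }
        // Assumed heuristic: a NUL byte in the first 8 KiB marks the file as binary.
        $head = (string) file_get_contents($resolved, false, null, 0, 8192);
        if (str_contains($head, "\0")) {
            throw new PathPolicyException('Binary file rejected');
        }
    }

    return $resolved;
}
```

Two design points worth noting: the `..` check runs on the raw string before any filesystem call, so a request never reaches `realpath()` with a traversal in it, and the containment test compares against `$root . '/'` rather than `$root` alone, which prevents a sibling directory such as `/home/acct/project-old` from passing a naive prefix check against `/home/acct/project`.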

A compromised cPanel account can bypass application-level restrictions. Protect cPanel, SSH, the developer domain, and the OpenAI API key with the same care as production credentials.

## Default safeguards

- password authentication with `password_hash`/`password_verify`;
- secure, HTTP-only, SameSite session cookies;
- CSRF validation for tool and write actions;
- login throttling and chat rate limiting;
- no secret-file tool;
- no arbitrary terminal command tool;
- no delete-file tool;
- no database tool;
- review-required proposals;
- source hash check before applying;
- backup before writing;
- atomic rename;
- PHP syntax validation;
- direct production Apply blocked;
- deployment excluded from the model's tool list;
- exact deployment confirmation phrase;
- JSONL audit log.
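As an added example (not the project's own code) of how the apply-side safeguards in the list above fit together, the function below takes a file that has already passed path policy and review, and performs the source hash check, backup, PHP syntax validation, atomic rename and JSONL audit record in that order. `$backupDir` and `$auditLog` are assumed locations under `storage/`; the record field names are constructed for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Apply one reviewed proposal to $target.
 *
 * @param string $expectedSha256 hash of the file contents the reviewer approved
 * @param string $newContents    full replacement contents from the proposal
 */
function applyProposal(
    string $target,
    string $expectedSha256,
    string $newContents,
    string $backupDir,   // assumed: storage/backups
    string $auditLog     // assumed: storage/audit.jsonl
): void {
    // 1. Source hash check: refuse if the file changed since the proposal was reviewed.
    $current = file_get_contents($target);
    if ($current === false || !hash_equals($expectedSha256, hash('sha256', $current))) {
        throw new RuntimeException('Source changed since review; re-review required');
    }

    // 2. Backup before writing, so the change can be reverted without Git.
    $backup = rtrim($backupDir, '/') . '/' . basename($target) . '.' . gmdate('Ymd-His') . '.bak';
    if (!copy($target, $backup)) {
        throw new RuntimeException('Backup failed');
    }

    // 3. Write to a temp file in the same directory so the later rename() is atomic
    //    (rename across filesystems is a copy, not an atomic replace).
    $tmp = tempnam(dirname($target), '.proposal-');
    if ($tmp === false || file_put_contents($tmp, $newContents, LOCK_EX) === false) {
        throw new RuntimeException('Temp write failed');
    }
    chmod($tmp, fileperms($target) & 0777); // keep the original mode bits

    // 4. PHP syntax validation on the temp file before it becomes live.
    if (str_ends_with($target, '.php')) {
        exec('php -l ' . escapeshellarg($tmp) . ' 2>&1', $output, $exitCode);
        if ($exitCode !== 0) {
            unlink($tmp);
            throw new RuntimeException('Syntax error: ' . implode("\n", $output));
        }
    }

    // 5. Atomic rename: readers see either the old file or the new one, never a partial write.
    if (!rename($tmp, $target)) {
        unlink($tmp);
        throw new RuntimeException('Rename failed');
    }

    // 6. One JSON object per line in the audit log.
    $record = [
        'ts'            => gmdate('c'),
        'action'        => 'apply',
        'target'        => $target,
        'backup'        => $backup,
        'before_sha256' => $expectedSha256,
        'after_sha256'  => hash('sha256', $newContents),
    ];
    file_put_contents($auditLog, json_encode($record) . "\n", FILE_APPEND | LOCK_EX);
}
```

The hash is compared with `hash_equals()` rather than `===` so the check is constant-time, and the syntax check runs on the temp file rather than the live one, so a proposal with a parse error never replaces a working file. A direct production Apply and the deployment confirmation phrase are policy checks that belong in the caller, before this function is reached.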

## Files that must remain outside the web root

- `config/config.php`;
- `storage/`;
- OpenAI or Codex credentials;
- target application `.env` files;
- SSH keys;
- database dumps and backups.

## Additional hardening

- protect `developer.example.com` using cPanel Directory Privacy;
- allow only your IP where practical;
- enable two-factor authentication on cPanel and OpenAI;
- use a dedicated cPanel account for high-value production applications;
- use a separate staging database user with limited permissions;
- rotate the API key after suspected exposure;
- inspect audit logs and Git history;
- keep production deploy disabled except when needed;
- keep PHP and the application dependencies patched.

## API key handling

The browser never receives the OpenAI API key. The key is read only by server-side PHP. The example supports an environment variable or `config/config.php`, which is outside `public/`. Never insert the key into JavaScript, HTML, a Git commit, a support ticket, or a chat prompt.

## Limitations

The model will receive source-code excerpts and tool results that it needs to complete requests. Do not use the panel on repositories containing secrets in normal source files. Access controls reduce accidental or model-initiated access but do not replace proper secret separation.
