Safety Mode

Documentation Index

Fetch the complete documentation index at: https://docs.foenix.ai/llms.txt

Use this file to discover all available pages before exploring further.

Safety Mode controls how strictly Foenix validates the PHP code it generates before executing it on your WordPress site. You can set it per session. Each rule below is marked as one of:

• Enforced — checked automatically; code that violates the rule is rejected.
• Guidance — instructions given to the AI model; a careful model will follow them, but they are not blocked at the validator level.

There are three levels: Safe, Balance, Hard.

​

Safe

The most restrictive mode. About 436 PHP and WordPress operations are forbidden. Enforced — blocked operations:

• Code and command execution: eval, create_function, exec, shell_exec, system, passthru
• Direct file I/O: fopen, fread, file_get_contents, file_put_contents, unlink, rmdir, mkdir, chmod, scandir, readdir, opendir
• Superglobals: $_GET, $_POST, $_REQUEST, $_COOKIE, $_SERVER, $_FILES, $GLOBALS
• Direct SQL through $wpdb or PDO — code must use WordPress APIs (wp_insert_post, update_option, WP_Query, etc.)
• Outgoing HTTP: wp_remote_get, wp_remote_post, wp_remote_request, and the rest of the wp_remote_* family
• Encoding / decoding that can hide payloads: base64_decode, unserialize, convert_uudecode, pack
• Reflection: ReflectionClass, ReflectionFunction, ReflectionMethod
• User, role, auth and plugin/theme management: wp_create_user, wp_set_password, activate_plugin, switch_theme, and similar

Guidance — instructions to the model (not blocked by the validator):

• Edit files only inside /wp-content/themes/[current_theme]/ and /wp-content/uploads/
• Do not touch /wp-admin/, /wp-includes/, /wp-content/plugins/, wp-config.php, .htaccess, robots.txt
• No schema changes (CREATE, ALTER, DROP)
• Sanitize all inputs and escape all outputs

Use Safe mode on production sites when you want maximum protection and accept that some tasks may not be possible.

​

Balance

A middle ground. Only the truly dangerous PHP constructs are blocked (about 318 rules). Enforced — blocked operations:

• Code and command execution: eval, create_function, exec, shell_exec, system, passthru
• Low-level file operations that can corrupt the filesystem: fopen, file_put_contents, unlink, rmdir, chmod
• Deserialization: unserialize
• Other PHP functions that can lead to remote code execution or filesystem damage

Allowed in Balance, although Safe blocks them:

• file_get_contents, base64_decode
• Direct $wpdb queries
• Outgoing HTTP via wp_remote_*
• Access to $_GET, $_POST, $_COOKIE, and other superglobals
• print_r, var_dump, echo, mkdir, scandir, ini_set and similar “soft” functions

Guidance — same as Safe, not enforced:

• File path scope (themes and uploads only)
• No schema changes
• Sanitize inputs, escape outputs

Balance is suitable for most development tasks where you need more flexibility than Safe but still want protection against the worst patterns.

​

Hard

No checks. The validator is fully disabled — no list of forbidden functions is applied. The model has the most power and flexibility, but also the highest risk of something breaking. Use with extreme caution on production sites, and only with a fresh backup.

---

​

Which mode to choose