Comment by DhirajKadam27
1 day ago
Good questions.
The .txt file is never executed directly. We pass the text to our system, generate backend code in PHP from it, and save that as a separate file. When someone calls the API, they’re actually hitting the generated .php endpoint behind the scenes, not the text file.
Right now this is a beta, so security hardening is still in progress. The plan is to run generated APIs in a restricted environment, isolate them from the main system, and limit filesystem and external operations. Those guardrails aren’t fully in place yet.
At the moment, this is best suited for simple prototypes, internal tools, and basic APIs. We’re intentionally starting there and pushing the limits gradually as we tighten security and execution boundaries, with the long-term goal of supporting more serious and eventually enterprise-level use cases.