# Boundary & Risk Card Project: promptfoo/promptfoo ## Doramagic Trial Decision Current decision: ready for pre-publication recommendation checks. First use should still start with least privilege, a temporary directory, and rollback. ## What The User Can Do Now - Read the Human Manual first to understand purpose and main workflows. - Copy the Prompt Preview for a pre-install trial. This checks interaction feel, not real execution. - Test the official Quick Start command in an isolated environment before using a primary machine. ## What Not To Do Yet - Do not treat Prompt Preview output as an actual project run. - Do not treat metadata-only validation as sandbox install validation. - Do not write unverified capabilities as supported, tested, or safe to install. - Do not provide production data, private files, real secrets, or primary configuration directories on first use. ## Pre-install Checklist - Host AI match: claude, chatgpt - Official install entry state: official entry found - Verification location: temporary directory, temporary host, or container required - Rollback readiness: required - API keys, network access, file writes, or host configuration changes: treat as high risk until confirmed - Install command, actual output, and failure logs: must be recorded ## Current Blockers - No blockers. ## Project-specific Pitfalls - Installation risk requires verification (medium): Upgrade or migration may change expected behavior: 0.121.8 - Installation risk requires verification (medium): Upgrade or migration may change expected behavior: code-scan-action: 0.1.6 - Configuration risk requires verification (medium): May increase setup, validation, or first-run risk for the user. - Configuration risk requires verification (medium): Upgrade or migration may change expected behavior: 0.121.15 - Configuration risk requires verification (medium): Developers may misconfigure credentials, environment, or host setup: Per-test-case `repeat` option to control how many times individual tests run ## Risk And Permission Notes - no_demo: medium ## Evidence Gaps - No structured evidence gaps found.