Codex Report - UI 4 Mothers Independent Static Review
Codex Report - UI 4 Mothers Independent Static Review
Date: 2026-07-02 Agent: Codex Mission: Soi tinh doc lap he UI 4 Me (Incomex) qua HTTP source, dung scope surface contract + self-check. Status: DONE
Checklist 0-6
- Buoc 0 - Doc skill Incomex va nen tang bat buoc.
- Buoc 1 - Nhan viec: doc prompt dinh kem, xac dinh 1 mission review tinh.
- Buoc 2 - Doc OR/Constitution/luat lien quan va thiet ke cach review.
- Buoc 3 - Fetch day du source qua HTTP, phan tich tinh.
- Buoc 4 - 2 mu: coder phan tich + reviewer tu soi lai false-green/scale/backend heads.
- Buoc 5 - Verify bang output that: curl/list/hash/kiem tra tinh.
- Buoc 6 - Hoan tat report, upload Agent Data, ket luan.
Files/Laws Read
- Local skill:
.claude/skills/incomex-rules.md. - KB via
search_knowledge:operating rules SSOT; document observedknowledge/dev/ssot/vps/vps-operating-rules.md, Version 1.0, Date 2026-02-28, Active. - KB via
search_knowledge:hien phap v4.0 constitution; active document observedknowledge/dev/laws/constitution.md, titleHien phap Kien truc He thong Incomex v4.6.3 BAN HANH, revision 44. - KB via
search_knowledge: foundation principles / UI gate / 4 Mothers / DOT governance; relevant docs observed:knowledge/dev/laws/dieu35-dot-governance-law.mdv5.2, 4 Mothers design docs, UI contract/no-false-green docs. - HTTP files read from
https://vps.incomexsaigoncorp.vn/ui-preview/mcp-writes/:system-manifest.js,guide.html,he-thong-thiet-ke.html,he-thong-dau-noi.html,binding-status.js,entry-engine.js,modit-entry-enhance.js,entry-savemode.js,eco-nav.js,qa-contracts.js,qa-runner.html,web-state.json,web-intent.json. - Extra canonical file read because SYS declares it:
guide-extra.js.
3 Cau Tuyen Ngon
- Vinh vien: Review khong fix vu viec; tim loi contract/QA/dau cho backend khien ngay mai doi label/schema/scale van khong vo.
- Nham duoc khong: Chi ket luan tren source fetch bang HTTP + fingerprint/line evidence; khong dua vao tri nho hay local repo.
- 100% tu dong: De xuat gate/QA/incremental/fingerprint/server-side threshold de may tu phat hien lech, khong can nguoi nho.
Evidence - HTTP Fetch
200 80117 system-manifest.js
200 16852 guide.html
200 14398 he-thong-thiet-ke.html
200 8326 he-thong-dau-noi.html
200 4996 binding-status.js
200 7605 entry-engine.js
200 24321 modit-entry-enhance.js
200 6310 entry-savemode.js
200 11098 eco-nav.js
200 58144 qa-contracts.js
200 29124 qa-runner.html
200 802 web-state.json
200 346 web-intent.json
200 9073 guide-extra.js
SYS version: manifest v5.2 (+relation_role_kinds + output_field_spec) updated: 2026-07-02
SYS counts: tables 23 surfaces 18 laws 25 dots 8 core_files 11 entry_surfaces 2
backend_map pending: 20 of 20
requirements status: { partial: 7, done: 5, hypothesis: 5 }
QAC active: 51 sentinel: true
QAC info-named: 6
binding-status: tables 23, missing status 0, orphan status 0, pg done 2, wired done 0, tested done 0
Fingerprint note: web-state.json says bytes, but QA uses JS string length + djb2, not real byte count. Using QA algorithm, all state entries matched; guide-extra.js also matched 8500/2789430186.
Understanding Summary
- Scope is surface contract + UI synchronization + self-check, not backend execution.
system-manifest.jsis the UI contract SSOT and is append-only; final meta after appends is v5.2.- Runtime boundary is clear: read PG -> Directus -> UI; write UI -> DOT/gateway -> PG/event; Kestra only head-wait now.
- Entry layer is table-first, uses shared
EntryEngine, save mode commit/staging, and builder self-declaresUI_CONTRACT. - QA is append-only with 51 active QAC after retire, cached iframe runner, watchdogs, path/web diff, family/capabilities scans.
- Backend heads are mostly declared but intentionally pending:
backend_map20/20 pending, PG/wired/tested not in this phase.
Findings - Cau 1
| Code | Sev | Evidence | Why it matters | Cheap fix |
|---|---|---|---|---|
| UI4-RED-01 | RED | qa-runner.html:262-264, 287-292, 341-347 |
A QAC that hangs >25s becomes [i] warning and __QA_RESULT.ok can stay true if no fail. This is a false-green path for behavior checks. |
Treat per-check timeout as fail, or compute ok = fail===0 && timeouts===0; keep rerun hint but not green. |
| UI4-ORG-02 | ORANGE | qa-runner.html:74-75, 81-85, 99-101; mutating QACs at qa-contracts.js:595-598, 642-644, 720-723 |
Cached iframe serve() overwrites snapshot keys but does not delete new keys/globals, while f.remove() is no-op for cached frames. Cross-check state can leak. |
Exact reset: delete keys absent from snapshot; reset known globals (MOLD, UI_CONTRACT if mutated), or require {fresh:true} for mutating checks. |
| UI4-ORG-03 | ORANGE | entry-engine.js:52-56, 90-96; proof: two same-label refs both write nguoi_doi_tuong_lien_quan_nhan_vien_id, final row keeps only id=2 |
Wrapper guard fixes builder flow, but base EntryEngine.saveShape() remains collision-prone if future builder/DOT calls it directly. |
Move uniqueness guard into EntryEngine.saveShape() or assign immutable field_id at newRef(). Add direct-engine QAC for same-label duplicate. |
| UI4-ORG-04 | ORANGE | modit-entry-enhance.js:234-240 |
Value fields freeze only when raw field has kit/k/key/id; keyless fields still derive column from label, so caption rename can change schema identity. |
Generate immutable local field id/source column for every value field at creation. Add rename-QAC for keyless field. |
| UI4-ORG-05 | ORANGE | system-manifest.js:858-867, qa-contracts.js:753-763 |
scope_code_spec says JSON structured, but MODUT pseudo-SQL is only [i] and returns pass. Output contract can be green while filter syntax is not machine-safe. |
Make structured scope_code a hard fail after spec decided; provide legacy adapter only if output mold stores structured form. |
| UI4-WHT-06 | WHITE | qa-contracts.js:529-540, qa-runner.html:353-358, web-state.json:3 |
Fingerprint calls b bytes, but it is JS string length; djb2 is weak. It is deterministic but misleading and not collision-resistant. |
Use ArrayBuffer.byteLength + WebCrypto SHA-256; keep old djb2 only for migration display. |
| UI4-WHT-07 | WHITE | guide.html:224-227 |
guide-extra.js is after </body></html>. Browsers usually execute it, but it is invalid structure and brittle for parsers/tools. |
Move loader before </body> or create canonical append loader inside body. |
Cau 2 - QA Cost / Optimization
Current model: 5 suites; suiteExtra has 51 active QAC, runs sequentially; loadPage() caches iframe by base URL; watchdog is 25s/check and 120s/suite. Several QACs repeatedly load guide.html and sweep menu/pages separately.
Best optimizations:
- Timeout hardening first. Timeout must be non-green. Benefit: removes biggest false-green path. Risk low, difficulty low.
- Split declaration vs behavior. Manifest/status/web-state checks can run by one parent fetch/eval, no iframe. Keep iframe only for behavior. Benefit: large speedup and lower flake; difficulty medium.
- Page sweep aggregator. Official-UI, Family, Capabilities, Coverage, Eco-nav can load each page once and run multiple probes. Benefit likely 30-60% runtime reduction; risk medium because runner API changes.
- Incremental by fingerprint. Map QAC -> dependencies (
system-manifest.js,entry-engine.js, page list). Skip unaffected checks for quick runs; keep full nightly. Benefit high when only one file changes; difficulty medium. - Server-side instance QA. Browser checks only pages/surface. Any check over rows/molds/report instances must run SQL/Directus/DOT incrementally by
updated_at.
Threshold: if unit under test is a row/instance, or count >100, or needs FK/count/permission correctness, it belongs server-side. With tens of thousands of workflows, browser QA stays O(surface pages); instance correctness must be DOT/SQL/Directus.
Cau 3 - Directus / Kestra Heads
| Area | Verdict | Evidence / Missing |
|---|---|---|
runtime_boundary |
DAT | Clear NO-DIRECT-PG and Kestra-calls-DOT contract at system-manifest.js:20-44. |
| Kestra heads | THIEU before backend | Has correlation_id, workflow_run_id, orchestration_state at system-manifest.js:340-343; should add idempotency_key, attempt/retry_count, last_error/error_code, compensation_state, lease/heartbeat, resume_token, event_schema_version. |
| Directus read/write/filter | PARTIAL | entry_binding declares Directus collections/fields/items and DOT write at system-manifest.js:645-658; scope_code_spec exists. Missing pagination/cursor, sort, field projection, type coercion, timezone/token semantics, M-N filter mapping, field permission snapshot. |
backend_map / DOT-REL |
RIGHT STRATEGY, NOT CLOSED | backend_map exists but 20/20 decisions pending; QAC reports [i] pass at qa-contracts.js:558-565. Before DOT-BIRTH, this must become blocker. |
| Transaction/audit/versioning | SHOULD DECLARE NOW | Need multi-table transaction boundary for save_shape, mold/schema versioning, migration path, audit propagation, permission propagation, and event outbox schema/version. |
Conclusion
The surface foundation is directionally strong enough to continue design hardening, but not yet strong enough to start backend/DOT-BIRTH safely. Fill the hard gaps first: timeout must be red, iframe reset must be exact, identity/collision protection must live in the base engine, structured scope_code must be enforced, and backend_map decisions must block DOT-BIRTH.
OR/TD/Handoff
- OR update: Khong can update OR; mission la independent static review, khong thay doi runtime law/ops.
- TD: No code deployment. Actionable TDs are the findings above.
- Handoff: Not needed; context sufficient and report uploaded.