KB-33F8

Codex Report - UI 4 Mothers Independent Static Review

11 min read Revision 1
reportui-4mothersstatic-reviewcodex2026-07-02no-false-green

Codex Report - UI 4 Mothers Independent Static Review

Date: 2026-07-02 Agent: Codex Mission: Soi tinh doc lap he UI 4 Me (Incomex) qua HTTP source, dung scope surface contract + self-check. Status: DONE

Checklist 0-6

  • Buoc 0 - Doc skill Incomex va nen tang bat buoc.
  • Buoc 1 - Nhan viec: doc prompt dinh kem, xac dinh 1 mission review tinh.
  • Buoc 2 - Doc OR/Constitution/luat lien quan va thiet ke cach review.
  • Buoc 3 - Fetch day du source qua HTTP, phan tich tinh.
  • Buoc 4 - 2 mu: coder phan tich + reviewer tu soi lai false-green/scale/backend heads.
  • Buoc 5 - Verify bang output that: curl/list/hash/kiem tra tinh.
  • Buoc 6 - Hoan tat report, upload Agent Data, ket luan.

Files/Laws Read

  • Local skill: .claude/skills/incomex-rules.md.
  • KB via search_knowledge: operating rules SSOT; document observed knowledge/dev/ssot/vps/vps-operating-rules.md, Version 1.0, Date 2026-02-28, Active.
  • KB via search_knowledge: hien phap v4.0 constitution; active document observed knowledge/dev/laws/constitution.md, title Hien phap Kien truc He thong Incomex v4.6.3 BAN HANH, revision 44.
  • KB via search_knowledge: foundation principles / UI gate / 4 Mothers / DOT governance; relevant docs observed: knowledge/dev/laws/dieu35-dot-governance-law.md v5.2, 4 Mothers design docs, UI contract/no-false-green docs.
  • HTTP files read from https://vps.incomexsaigoncorp.vn/ui-preview/mcp-writes/: system-manifest.js, guide.html, he-thong-thiet-ke.html, he-thong-dau-noi.html, binding-status.js, entry-engine.js, modit-entry-enhance.js, entry-savemode.js, eco-nav.js, qa-contracts.js, qa-runner.html, web-state.json, web-intent.json.
  • Extra canonical file read because SYS declares it: guide-extra.js.

3 Cau Tuyen Ngon

  1. Vinh vien: Review khong fix vu viec; tim loi contract/QA/dau cho backend khien ngay mai doi label/schema/scale van khong vo.
  2. Nham duoc khong: Chi ket luan tren source fetch bang HTTP + fingerprint/line evidence; khong dua vao tri nho hay local repo.
  3. 100% tu dong: De xuat gate/QA/incremental/fingerprint/server-side threshold de may tu phat hien lech, khong can nguoi nho.

Evidence - HTTP Fetch

200    80117 system-manifest.js
200    16852 guide.html
200    14398 he-thong-thiet-ke.html
200     8326 he-thong-dau-noi.html
200     4996 binding-status.js
200     7605 entry-engine.js
200    24321 modit-entry-enhance.js
200     6310 entry-savemode.js
200    11098 eco-nav.js
200    58144 qa-contracts.js
200    29124 qa-runner.html
200      802 web-state.json
200      346 web-intent.json
200     9073 guide-extra.js
SYS version: manifest v5.2 (+relation_role_kinds + output_field_spec) updated: 2026-07-02
SYS counts: tables 23 surfaces 18 laws 25 dots 8 core_files 11 entry_surfaces 2
backend_map pending: 20 of 20
requirements status: { partial: 7, done: 5, hypothesis: 5 }
QAC active: 51 sentinel: true
QAC info-named: 6
binding-status: tables 23, missing status 0, orphan status 0, pg done 2, wired done 0, tested done 0

Fingerprint note: web-state.json says bytes, but QA uses JS string length + djb2, not real byte count. Using QA algorithm, all state entries matched; guide-extra.js also matched 8500/2789430186.

Understanding Summary

  • Scope is surface contract + UI synchronization + self-check, not backend execution.
  • system-manifest.js is the UI contract SSOT and is append-only; final meta after appends is v5.2.
  • Runtime boundary is clear: read PG -> Directus -> UI; write UI -> DOT/gateway -> PG/event; Kestra only head-wait now.
  • Entry layer is table-first, uses shared EntryEngine, save mode commit/staging, and builder self-declares UI_CONTRACT.
  • QA is append-only with 51 active QAC after retire, cached iframe runner, watchdogs, path/web diff, family/capabilities scans.
  • Backend heads are mostly declared but intentionally pending: backend_map 20/20 pending, PG/wired/tested not in this phase.

Findings - Cau 1

Code Sev Evidence Why it matters Cheap fix
UI4-RED-01 RED qa-runner.html:262-264, 287-292, 341-347 A QAC that hangs >25s becomes [i] warning and __QA_RESULT.ok can stay true if no fail. This is a false-green path for behavior checks. Treat per-check timeout as fail, or compute ok = fail===0 && timeouts===0; keep rerun hint but not green.
UI4-ORG-02 ORANGE qa-runner.html:74-75, 81-85, 99-101; mutating QACs at qa-contracts.js:595-598, 642-644, 720-723 Cached iframe serve() overwrites snapshot keys but does not delete new keys/globals, while f.remove() is no-op for cached frames. Cross-check state can leak. Exact reset: delete keys absent from snapshot; reset known globals (MOLD, UI_CONTRACT if mutated), or require {fresh:true} for mutating checks.
UI4-ORG-03 ORANGE entry-engine.js:52-56, 90-96; proof: two same-label refs both write nguoi_doi_tuong_lien_quan_nhan_vien_id, final row keeps only id=2 Wrapper guard fixes builder flow, but base EntryEngine.saveShape() remains collision-prone if future builder/DOT calls it directly. Move uniqueness guard into EntryEngine.saveShape() or assign immutable field_id at newRef(). Add direct-engine QAC for same-label duplicate.
UI4-ORG-04 ORANGE modit-entry-enhance.js:234-240 Value fields freeze only when raw field has kit/k/key/id; keyless fields still derive column from label, so caption rename can change schema identity. Generate immutable local field id/source column for every value field at creation. Add rename-QAC for keyless field.
UI4-ORG-05 ORANGE system-manifest.js:858-867, qa-contracts.js:753-763 scope_code_spec says JSON structured, but MODUT pseudo-SQL is only [i] and returns pass. Output contract can be green while filter syntax is not machine-safe. Make structured scope_code a hard fail after spec decided; provide legacy adapter only if output mold stores structured form.
UI4-WHT-06 WHITE qa-contracts.js:529-540, qa-runner.html:353-358, web-state.json:3 Fingerprint calls b bytes, but it is JS string length; djb2 is weak. It is deterministic but misleading and not collision-resistant. Use ArrayBuffer.byteLength + WebCrypto SHA-256; keep old djb2 only for migration display.
UI4-WHT-07 WHITE guide.html:224-227 guide-extra.js is after </body></html>. Browsers usually execute it, but it is invalid structure and brittle for parsers/tools. Move loader before </body> or create canonical append loader inside body.

Cau 2 - QA Cost / Optimization

Current model: 5 suites; suiteExtra has 51 active QAC, runs sequentially; loadPage() caches iframe by base URL; watchdog is 25s/check and 120s/suite. Several QACs repeatedly load guide.html and sweep menu/pages separately.

Best optimizations:

  1. Timeout hardening first. Timeout must be non-green. Benefit: removes biggest false-green path. Risk low, difficulty low.
  2. Split declaration vs behavior. Manifest/status/web-state checks can run by one parent fetch/eval, no iframe. Keep iframe only for behavior. Benefit: large speedup and lower flake; difficulty medium.
  3. Page sweep aggregator. Official-UI, Family, Capabilities, Coverage, Eco-nav can load each page once and run multiple probes. Benefit likely 30-60% runtime reduction; risk medium because runner API changes.
  4. Incremental by fingerprint. Map QAC -> dependencies (system-manifest.js, entry-engine.js, page list). Skip unaffected checks for quick runs; keep full nightly. Benefit high when only one file changes; difficulty medium.
  5. Server-side instance QA. Browser checks only pages/surface. Any check over rows/molds/report instances must run SQL/Directus/DOT incrementally by updated_at.

Threshold: if unit under test is a row/instance, or count >100, or needs FK/count/permission correctness, it belongs server-side. With tens of thousands of workflows, browser QA stays O(surface pages); instance correctness must be DOT/SQL/Directus.

Cau 3 - Directus / Kestra Heads

Area Verdict Evidence / Missing
runtime_boundary DAT Clear NO-DIRECT-PG and Kestra-calls-DOT contract at system-manifest.js:20-44.
Kestra heads THIEU before backend Has correlation_id, workflow_run_id, orchestration_state at system-manifest.js:340-343; should add idempotency_key, attempt/retry_count, last_error/error_code, compensation_state, lease/heartbeat, resume_token, event_schema_version.
Directus read/write/filter PARTIAL entry_binding declares Directus collections/fields/items and DOT write at system-manifest.js:645-658; scope_code_spec exists. Missing pagination/cursor, sort, field projection, type coercion, timezone/token semantics, M-N filter mapping, field permission snapshot.
backend_map / DOT-REL RIGHT STRATEGY, NOT CLOSED backend_map exists but 20/20 decisions pending; QAC reports [i] pass at qa-contracts.js:558-565. Before DOT-BIRTH, this must become blocker.
Transaction/audit/versioning SHOULD DECLARE NOW Need multi-table transaction boundary for save_shape, mold/schema versioning, migration path, audit propagation, permission propagation, and event outbox schema/version.

Conclusion

The surface foundation is directionally strong enough to continue design hardening, but not yet strong enough to start backend/DOT-BIRTH safely. Fill the hard gaps first: timeout must be red, iframe reset must be exact, identity/collision protection must live in the base engine, structured scope_code must be enforced, and backend_map decisions must block DOT-BIRTH.

OR/TD/Handoff

  • OR update: Khong can update OR; mission la independent static review, khong thay doi runtime law/ops.
  • TD: No code deployment. Actionable TDs are the findings above.
  • Handoff: Not needed; context sufficient and report uploaded.