S164B Report: Hardcode Audit + Guard Vĩnh Viễn

Date: 2026-04-04 | Session: S164B Status: 3 tầng DONE

Tầng ①: Fix hiện tại

• Scripts scanned: 16 (dot-nrm-, dot-doc-, dot-gov-*)
• PG var hardcode: 16 scripts fixed → ${PG_CONTAINER:-postgres} pattern
• IN-list: 1 finding in dot-nrm-verify (status list) → mirrors PG CHECK, kept as safety net
• Entity codes: 0 findings
• Credentials/paths: 0 findings
• S164 scripts: CLEAN after fix

Tầng ②: DOT-SCRIPT-LINT (Guard vĩnh viễn)

• Code: DOT_SCRIPT_LINT | Tier: A | Domain: monitoring.integrity
• Cron: 30 3 * * 0 (weekly Sunday 3:30AM)
• Test run output: 217 findings across ALL dot/bin/ (legacy scripts)
  • PG vars: 84 (legacy scripts not in scope)
  • IN-lists: 45 (review needed)
  • Credentials: 8 (legacy)
  • Localhost: 80 (legacy)
• Guard active: Any new hardcode in scripts → detected weekly → system_issues logged

Tầng ③: Template SSOT

• File: /opt/incomex/dot/bin/TEMPLATE-DOT-SCRIPT
• Rules documented: 8 quy tắc (env vars, LIKE patterns, NOT EXISTS, ON CONFLICT, etc.)
• Executable: yes
• New scripts should copy template → follow rules → DOT-SCRIPT-LINT validates

Verify Results

Check	Expected	Actual	Status
S164 scripts clean	0 hardcode PG vars	0	PASS
DOT-NRM-VERIFY works	Output SQL checks	5P/1F	PASS
DOT-SCRIPT-LINT runs	Real scan output	217 findings (legacy)	PASS
DOT-SCRIPT-LINT registered	dot_tools row	cron, A, active	PASS
Cron active	1 entry	30 3 * * 0	PASS
Template exists	File + executable	Yes	PASS
Total DOT	266	266	PASS

Legacy Hardcode (out of scope)

217 findings in pre-S164 scripts (dot-apr-health, dot-birth-, dot-collection-, etc.). These are NOT blocking but should be addressed in future sessions. DOT-SCRIPT-LINT will continue reporting them weekly until fixed.

Summary

• Tầng ①: 16 scripts fixed (PG vars → env var defaults)
• Tầng ②: DOT-SCRIPT-LINT registered + cron weekly
• Tầng ③: TEMPLATE-DOT-SCRIPT created
• Total DOT: 266