KB-52EF
S169B Fix C1 Regression + Scanner Blind Spots Report
Revision 1
Date: 2026-03-26
PR: https://github.com/Huyen1974/web-test/pull/639 (MERGED 2026-03-26T14:44:54Z)
Status: DONE, deployed + verified on production
Assembly Gate
- Q0: Fix existing PG functions, at the correct layer (PG)
- Q1-Q4: Fix fn_validate_dot_origin + verify_counts. Do NOT create new ones
- Q5: fn_validate_dot_origin applies to ALL managed collections via existing triggers
Fix 1: fn_validate_dot_origin — Whitelist BEFORE pipe check
- Array constant: _whitelist := ARRAY['DIRECTUS', 'LEGACY', 'MIGRATION']
- IF NEW._dot_origin = ANY(_whitelist) THEN RETURN NEW (checked BEFORE pipe parsing)
- TODO TD-411: move to dot_origin_whitelist table for meta-driven approach
- Evidence: INSERT INTO dot_tools(code, name) -> _dot_origin = 'DIRECTUS' (NOT SUSPECT)
Fix 2: verify_counts() — Phantom + NULL detection (dynamic)
- Phantom: meta_catalog WHERE registry_collection NOT IN (SELECT tablename FROM pg_tables WHERE schemaname='public') -> status PHANTOM
- NULL registry: meta_catalog WHERE identity_class='managed' AND (registry_collection IS NULL OR '') -> status NULL_REGISTRY
- Both checks fully dynamic, no hardcoded table names
- Evidence: Injected phantom -> detected. Injected NULL -> detected.
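Added example (not the project's verify_counts() code): the two checks above run in PostgreSQL against constructed sample data, including why the NOT IN phantom predicate cannot catch a NULL registry by itself. The s169b_demo_* table names and all rows are assumptions made for the demo; the column names are the ones this report mentions.

```sql
-- Added example: not the project's verify_counts(). Column names are from the
-- report; the s169b_demo_* tables and all rows are constructed sample data.
BEGIN;

-- Stand-in for one real registry table in schema public (assumes CREATE privilege).
CREATE TABLE public.s169b_demo_real (id int);

-- Stand-in for meta_catalog with only the columns the report mentions.
CREATE TEMP TABLE s169b_demo_catalog (
    cat_code            text PRIMARY KEY,
    identity_class      text NOT NULL,
    registry_collection text
) ON COMMIT DROP;

INSERT INTO s169b_demo_catalog VALUES
    ('DEMO-1', 'managed', 's169b_demo_real'),     -- table exists in public
    ('DEMO-2', 'managed', 's169b_demo_missing'),  -- no such table
    ('DEMO-3', 'managed', NULL),                  -- registry never filled in
    ('DEMO-4', 'managed', '');                    -- registry left blank

-- Phantom predicate on its own. For a NULL registry_collection the expression
-- NULL NOT IN (...) evaluates to NULL rather than TRUE, so WHERE filters the
-- row out: a separate NULL check is needed to see such rows at all.
SELECT cat_code
FROM s169b_demo_catalog
WHERE registry_collection NOT IN (
    SELECT tablename::text FROM pg_tables WHERE schemaname = 'public');

-- Both checks combined into one status column, driven only by pg_tables.
SELECT c.cat_code,
       CASE
           WHEN c.identity_class = 'managed'
                AND (c.registry_collection IS NULL OR c.registry_collection = '')
               THEN 'NULL_REGISTRY'
           WHEN c.registry_collection IS NOT NULL
                AND NOT EXISTS (
                    SELECT 1 FROM pg_tables t
                    WHERE t.schemaname = 'public'
                      AND t.tablename::text = c.registry_collection)
               THEN 'PHANTOM'
           ELSE 'OK'
       END AS status
FROM s169b_demo_catalog c
ORDER BY c.cat_code;

ROLLBACK;  -- leaves no demo objects behind
```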
Dual-Trigger Verification
- ON-DEMAND: SELECT * FROM verify_counts() (tested directly)
- CRON: scanner-counts.sh uses WHERE status != 'OK', which catches PHANTOM + NULL_REGISTRY
- ops-smoke workflow: success
- Health Check workflow: success
Deploy
- Auto-deploy via CI/CD: Deploy to VPS workflow success at 14:47
- Post-Deploy E2E: success
- Container: Up 11 hours (healthy)
- Health: {"status":"healthy"}
Self-Check
| # | Item | Pass |
|---|---|---|
| 1 | fn_validate_dot_origin whitelist before pipe? | YES |
| 2 | Entity tables accept DEFAULT DIRECTUS? | YES |
| 3 | Phantom meta_catalog detected? | YES |
| 4 | NULL registry detected? | YES |
| 5 | Runner pass rate not decreased? | YES (22/23 OK, 1 pre-existing CAT-023) |
| 6 | CI GREEN, merged, deployed, verified? | YES |
| 8 | Whitelist NOT hardcoded as IF...IN? (array + TODO TD-411) | YES |
| 9 | Phantom/NULL check dynamic via pg_tables? | YES |
| 10 | verify_counts() ON-DEMAND? | YES |
| 11 | verify_counts() CRON path? | YES |
| 12 | All scripts dual-trigger capable? | YES |
Remaining hardcode requiring TD-411
- fn_validate_dot_origin: whitelist uses an array constant. Needs to move to the dot_origin_whitelist table.
Files changed
- sql/s169b_fix_c1_regression.sql — migration (new)
- dot/bin/dot-schema-dot-origin-ensure — source-of-truth updated
Production Verify
- curl https://vps.incomexsaigoncorp.vn/api/health -> healthy
- SELECT cat_code, status FROM verify_counts() -> 22 OK, 1 MISMATCH (pre-existing CAT-023)