Incomex AI Portal
KB-3395

S185 P9 Production DDL/Collection Readiness Probe Review

8 min read Revision 1
s185p9g6production-ddldirectusreadinessprobe-review

S185 P9 Production DDL/Collection Readiness Probe Review

Date: 2026-04-28 Scope: Read-only review; no production mutation; no DDL/DML execution. Workspace: /Users/nmhuyen/Documents/Manual Deploy/web-test

Step 0 - Foundation

3 cau tuyen ngon

  1. Vinh vien: production gate must be driven by a canonical DDL/seed artifact with immutable SHA evidence, not by memory or ephemeral /tmp paths.
  2. Nham duoc khong: gate pre-checks must whitelist the existing public.fn_tac_log_checker_issue and must assert exact object names/counts so a wrong DDL bundle cannot pass.
  3. 100% tu dong: production execution should be a DOT/scripted gate with verify output captured; manual SQL paste is not acceptable.

9 principles applied

  • SSOT: canonical DDL bundle + manifest SHA must be the single source.
  • DOT 100%: no manual SQL execution proposed in this review.
  • Metadata > code: Directus collection visibility should be registered as collection metadata only after PG tables exist.
  • Assembly First: PG DDL -> Directus introspection/collection meta -> roles/permissions.
  • Khong chac = dung: canonical DDL source is not yet reconciled; production gate remains blocked.

Step 1 - Sources Read

  • .claude/skills/incomex-rules.md: read directly from workspace.
  • search_knowledge("operating rules SSOT"): executed in main process.
  • search_knowledge("hien phap v4.0 constitution"): executed in main process.
  • search_knowledge("P9 G6 production DDL Directus collection registration gate TAC"): executed in main process.
  • search_knowledge("law Directus collection registration existing database introspect production DDL DOT"): executed in main process.
  • knowledge/dev/reports/gpt-review-production-ddl-collection-probe-report-2026-04-28.md: retrieved via get_document.
  • Workspace artifacts checked:
    • g6_artifacts/ddl/g6_execution_bundle.sql
    • g6_artifacts/seed/*.sql
    • g6_artifacts/bin/run_g6.sh

Step 2 - Design Assessment

Verdict: probe is accepted, but production gate is not ready to execute.

Reasons:

  1. Function-name correction is valid. The six G6 functions in local DDL are:
    • fn_tac_uv_compute_derived
    • fn_tac_birth_gate_lu
    • fn_tac_birth_gate_uv
    • fn_tac_enacted_immut
    • fn_tac_pm_consistency
    • fn_tac_pm_enacted_lock
  2. Existing public baseline must whitelist fn_tac_log_checker_issue. Evidence: g6_artifacts/bin/run_g6.sh contains checks excluding and validating fn_tac_log_checker_issue.
  3. Directus registration shape is correct in principle:
    • after PG tables exist, Directus can introspect;
    • Data Studio visibility should use POST /collections with meta only;
    • no schema key for existing tables.
  4. Canonical DDL source remains blocked because local artifact does not match the probe's claimed canonical bundle.

Step 3 - Read-Only Evidence

Local bundle hash

Command:

sha256sum g6_artifacts/ddl/g6_execution_bundle.sql

Output:

bea9bab68502cc2220e07b7500c78f56bb585ea49e03ec9e9d110a41df63ac4c  g6_artifacts/ddl/g6_execution_bundle.sql

Probe claimed canonical SHA:

c23987f29911e92d43d9ab6cb5e4fe77d64547785d98588859dfcc6f02997cad

Conclusion: local DDL artifact is not the same canonical bundle described in the probe.

Local bundle line count

Command:

wc -l g6_artifacts/ddl/g6_execution_bundle.sql

Output:

450 g6_artifacts/ddl/g6_execution_bundle.sql

Probe claimed canonical size:

566 lines / 23,528 bytes

Conclusion: line count mismatch confirms the hash mismatch is substantive.

Seed dry-run hashes

Command:

sha256sum g6_artifacts/seed/*.sql

Output:

1f707c4d23901990462c0ad2121849e0cc58bd07b32f9802630e571c9bc09cc3  g6_artifacts/seed/seed-tac-birth-gate-config.sql
f3860099c55f5c848525ac35e78410735401bc7b75a8a2cc50cbf8b1f7a3b793  g6_artifacts/seed/seed-tac-cs-lifecycle.sql
f71158717a05d8edacf79ba7574f6b9afecfb89691eb2b6933a8e14e4af31dac  g6_artifacts/seed/seed-tac-lu-lifecycle.sql
1c928c993f66cc68fd8d7252328916fd1eb71b8d9380b693489c63564daf923e  g6_artifacts/seed/seed-tac-pub-lifecycle.sql
4b9f27937009ebc705bf09aa9b37dac372506a3e6f9173f72310be690f53774c  g6_artifacts/seed/seed-tac-publication-type.sql
9412966e89253caa11ca52217578b2b45599987cc908218d00fa965619b2bd57  g6_artifacts/seed/seed-tac-review-state.sql
d5a3d167572e087ab38a31629b42bdb21a2e41088c1129d01ede3fcce08b77d4  g6_artifacts/seed/seed-tac-section-type.sql
4f7b9682e1d5b8a0bd3540f9b2ffcfa9f6a7628f6e166547d1bad26529f2e573  g6_artifacts/seed/seed-tac-uv-lifecycle.sql

These match the dry-run seed hashes listed in the probe. They still need production retarget (p9_g6_dryrun. -> public.) and new hashes.

Seed schema qualification

Command:

rg -n "p9_g6_dryrun\." g6_artifacts/seed/*.sql

Evidence summary:

All 8 seed files contain p9_g6_dryrun.* schema qualification in comments and INSERT targets.

Conclusion: production seed candidates must be generated and hashed separately.

Step 4 - Two-Hat Review

Hat 1 - Coder view

Do not execute production DDL from current local g6_artifacts/ddl/g6_execution_bundle.sql as if it were the canonical action-log bundle. It has a different hash and line count.

Required patch for gate design v0.2:

  1. Replace wrong function names with the six exact G6 names.
  2. Pre-check public.fn_tac_* must expect exactly one whitelisted existing function before Gate A: fn_tac_log_checker_issue.
  3. Post-check after Gate A must expect seven public fn_tac_* functions: existing checker issue function + six TAC functions.
  4. Generate production DDL candidate from the reconciled canonical source only.
  5. Generate production seed candidates by retargeting all eight seed files to public, then compute new SHA-256 manifest.
  6. Gate B Directus collection registration must use meta only for existing tables.

Hat 2 - Reviewer view

Production readiness remains blocked until one of these is true:

  1. VPS /tmp/g6_run4_20260428_041121/ddl/g6_execution_bundle.sql exists and its SHA equals c23987f29911e92d43d9ab6cb5e4fe77d64547785d98588859dfcc6f02997cad.
  2. The canonical DDL is regenerated from approved KB sources and a new production candidate SHA is established.

The local artifact bea9... may still be useful as an implementation reference, but it cannot serve as canonical evidence for the probe's claimed G6 run #4 bundle.

Step 5 - Production Verify

No production verify was executed in this review. Scope was read-only local + KB probe review.

Production PASS criteria for the next execution gate must paste real outputs:

  • sha256sum of canonical dry-run source and production retargeted candidate.
  • PG pre-check output showing public tac_* tables = 0 and whitelisted fn_tac_log_checker_issue = 1.
  • PG post-check output showing 14 tables, 17 FK, 5 UNIQUE, 115 CHECK, 41 indexes, 7 fn_tac_* including the whitelist, and 6 triggers.
  • Directus collection list or Items API output for all 14 tac_* collections.

Step 6 - Report / Decision

Status: BLOCKED for production execution.

Accepted from probe:

  • Corrected function inventory.
  • Public baseline whitelist.
  • Seed retarget requirement.
  • Directus meta-only collection registration for existing tables.

New evidence added:

  • Local DDL bundle hash/line count does not match probe's canonical action-log bundle.

Next action:

  1. Perform read-only VPS check for /tmp/g6_run4_20260428_041121/ddl/g6_execution_bundle.sql.
  2. If present and SHA matches, persist it outside /tmp and derive production candidate from it.
  3. If absent or mismatched, regenerate canonical DDL from approved KB design, then compute and record a new production manifest.