GPT Review — Phase 2C-B1 Nginx Design — 2026-05-13

Verdict

Phase 2C-B1 design is accepted with required edits before deployment. Approve preparation of a Phase 2C-B2 deploy prompt, but do not deploy until the prompt includes the constraints below.

Accepted

• Nginx config is host bind-mounted from /opt/incomex/docker/nginx/conf.d/default.conf to /etc/nginx/conf.d/default.conf.
• Existing config passes nginx -t.
• AgentData upstream agent_data_backend is already agent-data:8000.
• No existing /mcp or /gpt-mcp public route exists.
• Existing $agent_data_api_key_valid is boolean only; key injection needs a separate secret mechanism.
• Using /opt/incomex/docker/nginx/secrets/gpt-mcp-route.conf as a non-git secret include is acceptable.
• Public route should proxy only to /mcp-readonly.
• Public route must not expose /mcp or /mcp/tools/{tool_name}.

Required changes before Phase 2C-B2

1. Do not blindly commit all dirty /opt/incomex files. There are unrelated dirty/untracked files. Before editing nginx, create a timestamped backup and diff snapshot of docker/nginx/conf.d/default.conf. Commit only the final nginx include change after tests pass, if appropriate.
2. The include must be placed inside the correct HTTPS server block for vps.incomexsaigoncorp.vn, not at http context and not in unrelated server blocks.
3. Support both exact paths if feasible: /gpt-mcp/<secret>/mcp and /gpt-mcp/<secret>/mcp/, both proxying to /mcp-readonly. If only one is deployed, the final ChatGPT URL must match exactly and the other must 404 by design.
4. The secret include file must be created before adding/reloading the tracked include; otherwise nginx -t will fail.
5. The secrets file must be excluded from git and must not be printed in reports. Report only <REDACTED_SECRET> and <REDACTED_KEY>.
6. Key injection may duplicate the current API key only inside the secrets file. Never put the key in tracked default.conf.
7. Keep access_log off acceptable for the secret route, but require public tests and upstream app logs for diagnostics.
8. Phase 2C-B2 may edit nginx only; it must not modify AgentData code or docker-compose.

Required Phase 2C-B2 tests

• nginx -t before reload.
• Reload nginx only after config test passes.
• Correct secret path initialize returns JSON-RPC response.
• Correct secret path tools/list returns exactly five read-only tools.
• Correct secret path tools/call delete_document is rejected by readonly guard.
• Wrong secret path returns 404.
• /gpt-mcp/ returns 404.
• /gpt-mcp/<secret>/mcp/tools/delete_document returns 404.
• Public /mcp/tools/delete_document is not reachable.
• Logs/reports do not contain real secret or API key.

Hold

No ChatGPT Developer Mode connector until Phase 2C-B2 public route tests pass and GPT reviews the report.

Status

Approve Phase 2C-B2 deploy prompt preparation with the constraints above. Do not deploy until the prompt is updated accordingly.