Incomex AI Portal
KB-34AD

D28 — Deploy Partial Fix Pack — Agent Prompt (DRAFT)

16 min read Revision 1
dieu28partial-fix-packprompt-driftrev6-patchtargeted-resmokeno-deploydraft

D28 — Deploy Partial Fix Pack — Agent Prompt (DRAFT)

Date: 2026-05-10 Status: DRAFT — chờ GPT/User review trước khi dispatch Audience: Agent claude-go (KB document patch + targeted re-smoke read-only) Predecessor: Stage 2 rev1 PARTIAL_PROMPT_DRIFT (TS=1778397192, image d2db418 deployed) Critical: Targeted prompt-side fix ONLY — KHÔNG redeploy, KHÔNG infra mutation

⚠️ Cảnh báo

Pack này:

  • KHÔNG deploy, KHÔNG restart, KHÔNG build image, KHÔNG modify compose, KHÔNG publish event_outbox, KHÔNG resume P3D.
  • Chỉ patch prompt rev5 → rev6 (KB document update) + targeted re-smoke 1 endpoint (read-only HTTP curl).
  • Production image nuxt-ssr-local:d2db418 đang chạy healthy, KHÔNG thay đổi.

Tham chiếu KB

Stage 2 baseline (PARTIAL_PROMPT_DRIFT):
  knowledge/dev/laws/dieu28-trien-khai/reports/d28-deploy-and-live-smoke-stage2-execution-report.md

Prompt cần patch (rev5):
  knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.md

Fix pack report path (sẽ tạo):
  knowledge/dev/laws/dieu28-trien-khai/reports/d28-deploy-partial-fix-pack-report.md

GPT directive:
  knowledge/dev/laws/dieu44-trien-khai/reviews/gpt-review-d28-stage2-partial-prompt-drift-and-next-pack-directive-2026-05-10.md

CHECKPOINT đầu prompt cho Agent

Trước khi mutation (KB hoặc HTTP) đầu tiên, Agent PHẢI:

  1. Đọc Stage 2 report rev1 từ KB.
  2. Verify Stage 2 status: 
    phase_status=PARTIAL (Agent classification) hoặc PARTIAL_PROMPT_DRIFT (GPT classification)relations_endpoint_root_cause=PROMPT_URL_DRIFTdiagnostic with ?collection=workflow_steps returned 200 + relation-shape
  3. Đọc rev5 prompt từ KB → có sẵn để patch.
  4. Đọc GPT directive để confirm rev6 scope.

Mismatch any → STOP, không patch.

Phase 0 — Preflight (read-only verify)

0A. Verify production image hiện tại

ssh contabo "docker compose -f /opt/incomex/docker/docker-compose.yml ps nuxt --format '{{.Image}}'"

Expected: nuxt-ssr-local:d2db418. Mismatch → STOP PRODUCTION_IMAGE_DRIFT, không patch rev6 (production state đã thay đổi).

0B. Verify compose image line

ssh contabo "grep -E 'image:.*nuxt-ssr-local' /opt/incomex/docker/docker-compose.yml"

Expected output chứa nuxt-ssr-local:d2db418. Match count = 1.

0C. Verify Stage 2 report state qua agent-data:get_document

Read report path. Verify presence:

phase_status=PARTIAL (hoặc PARTIAL_PROMPT_DRIFT)
production_running_under_d2db418=true (hoặc current_running_image=nuxt-ssr-local:d2db418)
relations_endpoint_smoke=FAIL (verbatim per rev5 spec)
relations_endpoint_root_cause=PROMPT_URL_DRIFT
diag_relations_status=200 (declared diagnostic with ?collection=workflow_steps)
diag_has_relation_shape=true
page routes 18/18 PASS

Mismatch any → STOP STAGE2_BASELINE_DRIFT, không patch.

0D. Verify rev5 prompt hiện tại

Read prompt path. Confirm:

Header line containing "Rev: 5" present
Phase 2E section contains URL template "/api/discovery/relations" (no query param)

Mismatch → STOP PROMPT_BASELINE_DRIFT.

Report all preflight fields. ALL PASS → proceed Phase 1.

Phase 1 — Patch prompt rev5 → rev6 (KB mutation only)

Use agent-data:update_document on:

knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.md

With explicit title="D28 — Deploy + Live Smoke Pack — Agent Prompt (REVIEW DRAFT Rev6)".

5 changes apply (rev5 → rev6)

Change 1 — Header H1 + subtitle

FROM:

# D28 — Deploy + Live Smoke Pack — Agent Prompt (REVIEW DRAFT Rev5)

> **Date: 2026-05-10 | Rev: 5 | service-name rule (docker compose uses service "nuxt", not container_name "incomex-nuxt") + NO_UNDECLARED_SUBSTITUTION + Stage 1 outcome routing**

TO:

# D28 — Deploy + Live Smoke Pack — Agent Prompt (REVIEW DRAFT Rev6)

> **Date: 2026-05-10 | Rev: 6 | Phase 2E URL template fix (?collection=workflow_steps) + Forensic diagnostic discipline + Decision matrix relations split (PROMPT_URL_DRIFT vs SERVER_BREAKAGE)**

Change 2 — Phase 2E URL template

FROM (in 2E section):

STATUS=$(ssh contabo "curl -s -o $RESPFILE -w '%{http_code}' '<base_url>/api/discovery/relations' --max-time 10")

TO:

STATUS=$(ssh contabo "curl -s -o $RESPFILE -w '%{http_code}' '<base_url>/api/discovery/relations?collection=workflow_steps' --max-time 10")

Reasoning note immediately after URL line:

# rev6: endpoint contract (web/server/api/discovery/relations.get.ts lines 25-30)
# requires ?collection=<name>. workflow_steps used as stable, verified collection
# (200 + relation-shape confirmed in Stage 2 diagnostic 2026-05-10).

Change 3 — Add new section "Forensic diagnostic discipline (rev6)"

Insert AFTER section "Service name rule + Substitution discipline (rev5)" và TRƯỚC "Dispatch flag system":

---

## Forensic diagnostic discipline (rev6)

Khi verbatim smoke command FAIL, Agent có thể chạy 1 forensic diagnostic call để phân loại root cause (prompt drift vs server breakage), CHỈ KHI tuân thủ tất cả 5 điều kiện sau:

1. **Verbatim result preserved**: Verbatim FAIL phải giữ nguyên trong official smoke count. Diagnostic KHÔNG được override smoke result.
2. **Labeled clearly**: Diagnostic call phải được label "diagnostic" trong report, KHÔNG phải "smoke pass". Section riêng, separate khỏi smoke pass count.
3. **Read-only**: Diagnostic chỉ được là HTTP GET hoặc read-only DB query. KHÔNG mutation, KHÔNG side effect.
4. **No body/secret/unsafe URL output**: Diagnostic phải tuân thủ log safety pattern (rev3+rev4 — secret scan trước, no body print, temp file chmod 600 + cleanup).
5. **Informs classification, never overrides matrix**: Diagnostic dùng để chọn giữa các classification trong decision matrix (PROMPT_URL_DRIFT vs SERVER_BREAKAGE), NHƯNG không tự ý tạo classification mới ngoài matrix.

Diagnostic call PHẢI được declare trong report:

diagnostic_executed=true|false diagnostic_purpose=<root cause classification | other> diagnostic_url_or_query=<exact URL/query, redacted if env-derived> diagnostic_result=<HTTP status hoặc query result summary> diagnostic_secret_scan=PASS|FAIL_* diagnostic_did_not_override_smoke_count=true diagnostic_classification_outcome=<PROMPT_URL_DRIFT|SERVER_BREAKAGE|INCONCLUSIVE>


CẤM:
- Multiple diagnostic calls cho 1 verbatim FAIL (1 diagnostic là đủ; nhiều = trigger D28_LEAK_INVESTIGATION_PACK style review).
- Diagnostic gây mutation (CRUD, file write outside temp).
- Diagnostic dùng credentials không có trong rev5 standard env.
- Diagnostic được dùng để bypass smoke FAIL → smoke PASS classification.

Vì sao có rule này: Stage 2 rev1 (2026-05-10) Agent đã thực hiện 1 declared diagnostic call để phân loại relations FAIL = PROMPT_URL_DRIFT (không phải SERVER_BREAKAGE). GPT chấp nhận hành vi đó vì verbatim preserved + declared. Rev6 codify để tránh mơ hồ tương lai.

Change 4 — Update decision matrix Phase 3A

FROM:

| Relations endpoint HTTP FAIL | FAIL | Yes (CRITICAL) |

TO:

| Relations endpoint HTTP FAIL — diagnostic confirms PROMPT_URL_DRIFT | PARTIAL_PROMPT_DRIFT | No (prompt fix only, no rollback) |
| Relations endpoint HTTP FAIL — diagnostic confirms SERVER_BREAKAGE | FAIL | Yes (CRITICAL — rollback recommend) |
| Relations endpoint HTTP FAIL — diagnostic INCONCLUSIVE hoặc not run | FAIL | Yes (CRITICAL — conservative) |

Update "Decision matrix sau pack" thêm row:

| PARTIAL_PROMPT_DRIFT | D28_DEPLOY_PARTIAL_FIX_PACK (prompt patch + targeted re-smoke only) |

Change 5 — Future improvement note

Insert AFTER "Stage 1 outcome routing" section, trước "Failure handling matrix":

---

## Future improvements (non-blocking, rev6+ candidate)

1. **Stage 1 0H healthcheck discovery enhancement**: Hiện `grep -A3 'healthcheck:'` có thể miss healthcheck declared trong context khác (nested, multi-line, base image inherit). Stage 2 rev1 (2026-05-10) phát hiện runtime healthy mà Stage 1 0H báo NONE.
   
   Suggested expansion:
   - Thêm `docker inspect <container> --format '{{.State.Health.Status}}'` trong Phase 0H sau khi capture compose ps.
   - Thêm `docker compose config` (normalized YAML, post-merge) thay grep raw file.
   
   Không block dispatch hiện tại. Codify khi có pack tương lai cần Stage 1 0H deep dive.

Verify patch applied

After update_document, re-read prompt:

agent-data:get_document_for_rewrite path=<prompt path>

Verify:

  • Header contains "Rev: 6"
  • Phase 2E contains "?collection=workflow_steps"
  • Section "Forensic diagnostic discipline (rev6)" present
  • Decision matrix has PROMPT_URL_DRIFT vs SERVER_BREAKAGE split
  • Future improvements section present

Patch verification fail → STOP REV6_PATCH_VERIFY_FAIL, retry once. Second fail → BLOCK.

Phase 2 — Targeted re-smoke (read-only, only Phase 2E equivalent)

2A. Single curl với URL mới (rev6)

TS_LOG=$(date +%s)
RESPFILE="/tmp/d28-relations-resmoke-$TS_LOG.txt"

# SINGLE curl với URL rev6 (?collection=workflow_steps)
STATUS=$(ssh contabo "curl -s -o $RESPFILE -w '%{http_code}' \
  '<base_url>/api/discovery/relations?collection=workflow_steps' --max-time 10")
ssh contabo "chmod 600 $RESPFILE"

Base URL: dùng smoke_base_url_mode từ Stage 1 rev3 = PUBLIC_HOST_VIA_NGINX. Agent resolve internally, KHÔNG print full URL.

2B. Secret-scan FIRST (rev4 pattern)

ssh contabo "grep -qi 'token\|secret\|bearer\|password\|authorization' $RESPFILE \
  && echo RESMOKE_SCAN=FAIL || echo RESMOKE_SCAN=PASS"

Branching:

  • SCAN=PASS → body-shape boolean grep + size sanity (no body content print)
  • SCAN=FAIL_FILENAME_FALSE_POSITIVE → status + classification only, NO body grep
  • SCAN=FAIL_SECRET_LEAK_SUSPECTED → STOP, no body grep, alert User CRITICAL

2C. Body-shape verification (only if SCAN=PASS)

ssh contabo "grep -q '\"data\"\|relatedCollection\|entityType' $RESPFILE \
  && echo RESMOKE_HAS_RELATION_SHAPE=true || echo RESMOKE_HAS_RELATION_SHAPE=false"
ssh contabo "wc -c $RESPFILE"

KHÔNG print body content under any branch.

2D. Cleanup

ssh contabo "rm -f $RESPFILE"

2E. Pass criteria

HTTP status = 200
secret_scan = PASS
body_shape (data key OR relation-shape present) = true
→ relations_endpoint_resmoke=PASS

Bất kỳ điều kiện không đạt → relations_endpoint_resmoke=FAIL.

Phase 3 — Decision & report

3A. Decision matrix

relations_endpoint_resmoke next_required_pack
PASS P3D4C2U_RESUME_NOTIFICATION_DISPLAY_PROMPT_REVIEW (P3D resume unblocked)
FAIL D28_RELATIONS_ENDPOINT_INVESTIGATION_PACK (no rollback — production page routes vẫn PASS)

KHÔNG auto-rollback bất kể outcome. Production image d2db418 tiếp tục chạy.

3B. Report template

Path: knowledge/dev/laws/dieu28-trien-khai/reports/d28-deploy-partial-fix-pack-report.md

phase=PARTIAL_FIX_PACK
prompt_rev_after_patch=6

## Phase 0 preflight
current_running_image=nuxt-ssr-local:d2db418|drift_value
compose_image_line_d2db418=true|false
stage2_report_exists=true|false
stage2_phase_status=PARTIAL|PARTIAL_PROMPT_DRIFT|other
rev5_prompt_baseline_verified=true|false
preflight_status=PASS|BLOCKED_DRIFT

## Phase 1 prompt patch
rev5_to_rev6_applied=true|false
update_document_revision=<KB revision number after patch>
changes_applied:
  - phase_2e_url_template (collection=workflow_steps)
  - forensic_diagnostic_discipline_section_added
  - decision_matrix_relations_split_applied
  - header_rev6_update
  - future_improvement_note_healthcheck_added
patch_verify_pass=true|false
title_metadata_synced_to_rev6=true|false

## Phase 2 re-smoke
url_used=<base>/api/discovery/relations?collection=workflow_steps
http_status=
body_size_bytes=
secret_scan=PASS|FAIL_FILENAME_FALSE_POSITIVE|FAIL_SECRET_LEAK_SUSPECTED
body_shape_has_data_or_relation_shape=true|false (only if SCAN=PASS)
body_grepped_after_scan=true|false
temp_file_removed=true
relations_endpoint_resmoke=PASS|FAIL

## Hard boundaries
no_deploy=true
no_container_restart=true
no_image_build=true
no_compose_modification=true
no_directus_mutation=true
no_pg_mutation=true
no_table_registry_mutation=true
no_publish_event_outbox=true
no_smoke_event_outbox_route=true
no_p3d_resume=true
no_auto_rollback=true
no_print_http_body=true
no_print_secret=true

## Decision
phase_status=PASS|FAIL|BLOCKED_DRIFT
next_required_pack=P3D4C2U_RESUME_NOTIFICATION_DISPLAY_PROMPT_REVIEW|D28_RELATIONS_ENDPOINT_INVESTIGATION_PACK

## State preserved
production_image_unchanged=nuxt-ssr-local:d2db418
page_routes_smoke_unchanged=18/18 PASS (from Stage 2)
tbl_event_outbox.status=draft
notification_display=paused
p3d_resume_allowed=true_after_this_pack_passes (or false_until_investigation if FAIL)

Hard boundaries (13 NO_*)

NO_DEPLOY=true
NO_CONTAINER_RESTART=true
NO_IMAGE_BUILD=true
NO_COMPOSE_MODIFICATION=true
NO_DIRECTUS_MUTATION=true
NO_PG_MUTATION=true
NO_TABLE_REGISTRY_MUTATION=true
NO_PUBLISH_EVENT_OUTBOX=true
NO_SMOKE_EVENT_OUTBOX_ROUTE=true
NO_P3D_RESUME=true
NO_AUTO_ROLLBACK=true
NO_PRINT_HTTP_BODY=true
NO_PRINT_SECRET=true

Plus inherited rev5 boundaries vẫn apply (NO_UNDECLARED_SUBSTITUTION, NO_HARDCODE_IMAGE_TAG, etc.).

Mutations explicitly allowed

1. agent-data:update_document on prompt path (rev5 → rev6 patch)
2. agent-data:upload_document on report path (this pack's report)
3. ssh curl read-only HTTP GET on Phase 2 re-smoke URL
4. ssh temp file write/scan/cleanup in /tmp/ (chmod 600 + remove)

CẤM ngoài 4 cái trên. Đặc biệt CẤM:

  • docker tag, build, run, up, restart, stop, exec, logs
  • compose file edit
  • Directus / PG / table_registry mutation
  • File write outside /tmp/

Self-check (10 items)

# Câu hỏi Phải đạt
1 Verified production image = nuxt-ssr-local:d2db418? yes
2 Verified compose line vẫn d2db418? yes
3 Verified Stage 2 report exists + PARTIAL/PARTIAL_PROMPT_DRIFT? yes
4 Patched rev5 → rev6 với 5 changes (URL + diagnostic discipline + matrix split + header + future note)? yes
5 Patch verify đọc lại confirm rev6 content present? yes
6 Re-smoke URL = ?collection=workflow_steps? yes
7 Log safety branching applied (scan first, no body print)? yes
8 Re-smoke status code, secret scan, body shape recorded? yes
9 next_required_pack quyết định đúng theo decision matrix? yes
10 Report uploaded KB đúng path? yes

Trạng thái khi soạn fix pack này

stage2_outcome=PARTIAL_PROMPT_DRIFT (GPT classification 2026-05-10)
production_image_running=nuxt-ssr-local:d2db418 (deployed Stage 2)
page_routes_smoke=18/18 PASS (Stage 2 evidence)
relations_endpoint_root_cause=PROMPT_URL_DRIFT (forensic-confirmed)
diagnostic_with_collection_param=200 + relation-shape (Stage 2 evidence)

prompt_current_rev=5 (will become 6 after Phase 1)
prompt_rev6_required=true (per GPT directive 2026-05-10)
fix_pack_status=DRAFT_AWAITING_GPT_USER_REVIEW

build_verify_status=PASS
generated_map_commits=0947613,d2db418
tbl_event_outbox.status=draft
notification_display=paused
p3d_resume_allowed=false_until_partial_fix_passes

Sau khi fix pack PASS

Tiếp theo dispatch:

P3D4C2U_RESUME_NOTIFICATION_DISPLAY_PROMPT_REVIEW

Pack đó sẽ:

  • Publish tbl_event_outbox (status: draft → published)
  • Resume P3D notification display
  • Verify Nuxt UI hiển thị đúng

KHÔNG phải scope của fix pack này. Fix pack chỉ unblock điều kiện cho P3D resume.

D28 Deploy Partial Fix Pack | Draft awaiting GPT/User review | rev5 prompt → rev6 patch + Phase 2E targeted re-smoke | 2026-05-10