KB-7D34 rev 3

D28 — Deploy + Live Smoke Stage 1 Preflight Report (rev5 CLEAN re-run)


Date: 2026-05-10 | Agent: claude-go (VPS SSH read-only)
Prompt: knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.md rev5
Dispatch: RUN_STAGE=1_PREFLIGHT_ONLY (OPTIONAL_WORKFLOW_DISCOVERY=false — default)
Predecessor: D28 Deploy Build Verify Pack Report (Tier 1) — phase_status=PASS
Revision: 3 — CLEAN re-run under rev5 SERVICE_NAME_RULE + NO_UNDECLARED_SUBSTITUTION; overwrites rev2 supplement entirely


Tier

phase=PREFLIGHT_ONLY
run_stage=1_PREFLIGHT_ONLY
optional_workflow_discovery_flag=false

Phase 0 results (verbatim, no substitution)

0A. HEAD commits verified

git_log_head_5=
  d2db418 D28 Phase 1B: replace 3 hardcoded maps with generated table-maps from table_registry (Option C, E4, host-mjs no-deps; auto-snapshot 0947613 added generator+artifact)
  0947613 auto-snapshot: 2 files (2026-05-10T04:00)
  704ff74 P10D-FIX: normalize publication sidebar labels
  a8408ed P10D-FIX: show publications in laws sidebar
  3d61e02 P10D-FIX: match KB reader layout
head_commits_verified=true
  d2db418_present=true
  0947613_present=true

0B. Build verify PASS report

build_verify_pass_confirmed=true
  source=knowledge/dev/laws/dieu28-trien-khai/reports/d28-deploy-build-verify-pack-report.md
  fields_verified:
    phase_status=PASS
    build_verify_status=PASS
    typecheck_status=PASS
    image_build_status=PASS (EXIT=0)
    build_status=PASS (EXIT=0)
    server_import_verify=PASS
    client_import_verify=PASS
    ssr_import_verify=PASS

0C. Source tree clean

git_status_porcelain=<empty>
source_tree_clean=true

0D. Production service inspection (rev5 — service name "nuxt")

command_used=docker compose ps nuxt --format 'table {{.Service}}\t{{.Image}}\t{{.State}}'
command_verbatim_executed=true
command_succeeded=true
output:
  SERVICE   IMAGE                 STATE
  nuxt      nuxt-ssr-local:s174   running
current_production_image=nuxt-ssr-local:s174
production_service_running=true

0E. Compose image line discovery

command_used=grep -nE 'image:.*nuxt-ssr-local' /opt/incomex/docker/docker-compose.yml
output=130:    image: nuxt-ssr-local:s174
compose_image_line_number=130
compose_image_match_count=1
compose_image_string=nuxt-ssr-local:s174

0F. Production Dockerfile verify (filtered)

production_dockerfile_path=/opt/incomex/docker/nuxt-repo/web/Dockerfile
dockerfile_exists=DOCKERFILE_OK
dockerfile_filtered_structure_lines=12 (FROM/WORKDIR/COPY/RUN/CMD only — multi-stage builder + production)
multistage=true (builder + production)
base_image_family=node:20-alpine
package_manager_in_dockerfile=pnpm@9 (corepack)
entrypoint=CMD node .output/server/index.mjs
no_raw_print=true (only ^FROM|WORKDIR|COPY|RUN|CMD|ENTRYPOINT lines surfaced; ARG/ENV not printed)

0G. Smoke base URL discovery (rev5 — service name "nuxt", mode only)

command_used=docker compose -f /opt/incomex/docker/docker-compose.yml port nuxt 3000
command_verbatim_executed=true
command_succeeded=true (exit 0, empty stdout — no host port mapping for nuxt)
ports_grep_evidence=
  service "nuxt" has    ports: but no published port (internal only)
  separate "nginx" service exists with    ports: → reverse-proxy fronts nuxt
smoke_base_url_mode=PUBLIC_HOST_VIA_NGINX
smoke_base_url_redacted=https://<host-redacted>
no_full_url_printed=true
no_env_token_printed=true

0H. Health check mechanism

compose_healthcheck_for_nuxt=NONE  (only postgres pg_isready + qdrant tcp; no nuxt entry)
dockerfile_healthcheck_directive=NONE  (NO_HEALTHCHECK_DIRECTIVE)
health_check_mechanism=docker_state_running_only
  note=No service-level liveness probe for nuxt; Phase 1G must rely on `docker compose ps nuxt` State=running poll. nginx upstream timeout becomes the de-facto external indicator.

0I. Backup tag conflict check (TS captured here, ONCE)

TS=1778397192
ts_capture_phase=0I
ts_recomputed_in_stage2=false (forbidden per rev4)
docker_images_query=nuxt-ssr-local:pre-d28-rollback-1778397192
docker_images_output=<empty>
backup_tag_conflict_check=CLEAR
proposed_backup_image_tag=nuxt-ssr-local:pre-d28-rollback-1778397192

0J. Compose backup path conflict check

test_path=/opt/incomex/docker/docker-compose.yml.pre-d28-1778397192
test_result=PATH_CLEAR
compose_backup_path_conflict_check=CLEAR
proposed_compose_backup_path=/opt/incomex/docker/docker-compose.yml.pre-d28-1778397192

0K. Workflow sample ID — DEFAULT SKIPPED_SAFETY (rev4)

optional_workflow_discovery_flag=false
workflow_sample_discovery=SKIPPED_SAFETY
workflow_sample_status=NONE
workflow_tab_smoke=SKIPPED_NO_SAMPLE_ID
no_directus_token_used=true
no_directus_url_printed=true
no_workflow_id_persisted=true

Verifications (consolidated)

head_commits_verified=true
build_verify_pass_confirmed=true
source_tree_clean=true
current_production_image=nuxt-ssr-local:s174
proposed_new_image_tag=nuxt-ssr-local:d2db418
proposed_backup_image_tag=nuxt-ssr-local:pre-d28-rollback-1778397192
proposed_compose_backup_path=/opt/incomex/docker/docker-compose.yml.pre-d28-1778397192
production_service_running=true
production_dockerfile_path=/opt/incomex/docker/nuxt-repo/web/Dockerfile
compose_image_line_number=130
compose_image_match_count=1
smoke_base_url_mode=PUBLIC_HOST_VIA_NGINX
health_check_mechanism=docker_state_running_only
workflow_sample_discovery=SKIPPED_SAFETY
workflow_sample_status=NONE
workflow_tab_smoke=SKIPPED_NO_SAMPLE_ID
backup_tag_conflict_check=CLEAR
compose_backup_path_conflict_check=CLEAR

Service name binding (rev5)

compose_service_name=nuxt
container_name=incomex-nuxt
service_name_rule_applied=true
undeclared_substitution_used=false
drift_detected=false
drift_phase=N/A
drift_command=N/A
drift_error=N/A
drift_resolution=N/A

Evidence:

  • 0D used verbatim docker compose ps nuxt → succeeded.
  • 0G used verbatim docker compose ... port nuxt 3000 → succeeded.
  • No command was substituted, retried with alternate name, or worked-around.
  • container_name incomex-nuxt referenced only as alias context (NOT used in any docker compose <verb> invocation).

Mutations performed in Stage 1

deploy_executed=false
smoke_executed=false
image_tag_created=false
backup_image_tag_created=false
compose_modified=false
container_restarted=false
file_writes_outside_temp=0

Hard boundary attestation (Stage 1, 18 flags)

no_deploy=true
no_smoke=true
no_image_tag_created=true
no_backup_image_tag_created=true
no_compose_modified=true
no_container_restarted=true
no_file_writes_outside_temp=true
no_directus_mutation=true
no_pg_mutation=true
no_publish_event_outbox=true
no_table_registry_mutation=true
no_docker_tag=true
no_docker_build=true
no_docker_run=true
no_docker_up=true
no_docker_restart=true
no_docker_logs=true
no_undeclared_substitution=true

Additional rev4/rev5 attestations:

no_overwrite_backup_tag=true
no_overwrite_backup_file=true
no_print_compose_diff_raw=true (no diff produced this stage)
no_stage2_recompute_backup_timestamp=N/A_stage1
no_relations_body_grep_before_scan=N/A_stage1
no_workflow_discovery_required_for_stage1_pass=true
no_print_env_token_url=true
no_print_http_body=true
no_head_dockerfile_raw=true (filtered grep only, ARG/ENV excluded)
no_secret_in_code_or_log=true

Status

preflight_status=PASS
status=AWAITING_DEPLOY_APPROVAL

Stage 2 dispatch requirements

required_dispatch_flag=RUN_STAGE=2_DEPLOY_AND_SMOKE
required_approval_phrase=APPROVE D28 DEPLOY: I authorize deploying commits d2db418 + 0947613 as image nuxt-ssr-local:d2db418 to production with brief service interruption, using rollback image nuxt-ssr-local:pre-d28-rollback-1778397192 and compose backup /opt/incomex/docker/docker-compose.yml.pre-d28-1778397192.

Stage 2 agent MUST:

  1. Read this report verbatim and verify service_name_rule_applied=true + undeclared_substitution_used=false + drift_detected=false (STAGE1_NOT_REV5_CLEAN STOP otherwise).
  2. Load STAGE1_NEW_IMAGE_TAG, STAGE1_BACKUP_IMAGE_TAG, STAGE1_COMPOSE_BACKUP_PATH, STAGE1_CURRENT_PRODUCTION_IMAGE from this report.
  3. NEVER recompute TS=$(date +%s) for backup tag/path purposes (rev4).
  4. Use compose service name nuxt for all docker compose <verb> invocations (rev5).

Notes & deviations

  1. Verbatim command success at 0D + 0G. Both rev5 service-name-rule commands (docker compose ps nuxt, docker compose ... port nuxt 3000) executed successfully on first attempt. No "no such service" error → SERVICE_NAME_RULE empirically validated as binding for this compose file.
  2. rev2 supplement superseded. Previous Stage 1 rev2 (TS=1778394987) recorded undeclared substitution at 0D + 0G. This rev3 baseline (TS=1778397192) replaces it entirely. The old TS is NOT carried forward; old proposed_backup_image_tag/proposed_compose_backup_path values are abandoned. Stage 2 MUST bind to this report's TS.
  3. No healthcheck for nuxt. Neither compose nor Dockerfile defines a healthcheck for the nuxt service. Phase 1G readiness will be inferred from docker compose ps nuxt State=running only. Acceptable per prompt's 60-second poll provision; no spec change required.
  4. 0G mode = PUBLIC_HOST_VIA_NGINX. Service nuxt exposes no host port (port command returned empty); nginx reverse-proxy fronts it. Phase 2 smoke will hit external host through nginx. Full URL not surfaced (mode-only per rev5 NO_PRINT_ENV_TOKEN_URL).
  5. 0K SKIPPED_SAFETY (default). OPTIONAL_WORKFLOW_DISCOVERY flag absent → workflow sample discovery and Phase 2 workflow tab smoke both deliberately skipped. Stage 1 PASS does not depend on this step (rev4 NO_WORKFLOW_DISCOVERY_REQUIRED_FOR_STAGE1_PASS=true).
  6. No substitution events recorded. Every command in Phase 0 was the verbatim command from the rev5 prompt. No fall-through, no service-name swap, no path swap, no env-name swap. NO_UNDECLARED_SUBSTITUTION attested true.

D28 Deploy + Live Smoke Stage 1 Preflight Report | rev5 CLEAN re-run | preflight_status=PASS | TS=1778397192 | 2026-05-10 | Agent: claude-go
