Incomex AI Portal
KB-425E

P10D-2C VPS SSOT Activation Path Check (Discovery Only)

6 min read Revision 1
p10dtacvps-ssotdiscoverystop

P10D-2C — VPS SSOT Activation Path Check + Runtime Verify

Date: 2026-04-30 Agent: Claude (control: Nguyens-MacBook-Air, runtime: contabo VPS via SSH) Verdict: DISCOVERY_ONLY_STOP (Option C) Activation status: NOT performed. Phase B and Phase C skipped.

Gate 0 — PASS

Check Result
Control host Nguyens-MacBook-Air.local (nmhuyen)
Runtime host vmi3080463.contaboserver.net
Repo path /opt/incomex/docker/nuxt-repo
Containers up incomex-nuxt, incomex-nginx, incomex-directus, postgres
DB directus/directus

Phase A — Discovery

A1. Repo state

  • Branch: main
  • HEAD: 5ce3437 P10D: add parallel TAC official laws screen ✓ (target commit IS HEAD)
  • Working tree: clean (no dirty files)
  • Remote: origin = https://github.com/Huyen1974/web-test.git (fetch+push)
  • Recent log: 5ce3437 → a281e79 (auto-snapshot 2026-04-19) → 89459f1 → 2991134 → dd0e52b

A2. Divergence (CRITICAL)

## main...origin/main [ahead 4, behind 13]
  • VPS main is 4 ahead of origin/main — 4 commits exist ONLY on VPS, including the target 5ce3437.
  • VPS main is 13 behind — origin has 13 newer commits VPS has never received (DOT-NRM-DRAFT #667, health fixes #662–#666, Đ37 P1 #661, etc.).
  • git fetch --dry-run failed: fatal: could not read Username for 'https://github.com' — VPS has no fetch credentials configured for HTTPS origin.
  • vps-daily-* snapshot tags exist (20260419 → 20260430) pointing at a281e79, confirming VPS-local snapshot regime.

A3. Nuxt runtime wiring

incomex-nuxt  image=nuxt-ssr-local:s174
mounts:
  /opt/incomex/deploys/nuxt-output  →  /app/.output  (rw, bind)

Source compose: /opt/incomex/docker/docker-compose.yml. Image is a prebuilt local Node runtime; the app code (.output/) is supplied entirely by the bind mount, NOT baked into the image. Activation therefore requires replacing the contents of /opt/incomex/deploys/nuxt-output/ with a build that includes 5ce3437.

/opt/incomex/deploys/nuxt-output/ last touched 2026-04-02 16:37 (well before the 5ce3437 commit). Confirms current runtime does NOT contain P10D code.

A4. Deploy path evidence

Found in nuxt-repo/.github/workflows/:

  • deploy-vps.yml — the documented Nuxt deploy pipe.
    • Trigger: workflow_run on Nuxt 3 CI success, branch main; or manual workflow_dispatch.
    • Steps: checkout → pnpm install → pnpm run build (web/) → backup nuxt-outputrsync -avz --delete web/.output/ → /opt/incomex/deploys/nuxt-output/.
    • Active mode: vars.DEPLOY_MODE == 'direct' (rsync, not Artifact Registry).
  • nuxt-ci.yml — upstream CI gate.
  • guard_critical_files.yml — protects deploy-vps.yml from drift.

No local VPS Nuxt build script found. Searched dot/bin/ (only dot-hook-deploy for Directus extensions) and nuxt-repo for nuxt build/pnpm build/deploy-vps/nuxt-output references — only the GitHub Actions workflow contains the build+rsync logic.

A5. Activation option analysis

Option Viable? Reason
A — Local VPS build/deploy ❌ NO No documented command. Image nuxt-ssr-local:s174 was built previously but no script exists in repo for either build or rsync to nuxt-output. Inventing a build invocation = "bịa lệnh" — forbidden.
B — CI pipe ❌ NO CI builds from origin/main, but 5ce3437 is NOT on origin (4-ahead). CI would build origin HEAD 260ed7b and rsync THAT to nuxt-output — overwriting nuxt-output without including the P10D commit. To make CI work, 5ce3437 must reach origin/main first. Push from VPS would either be rejected (non-fast-forward, since VPS is also 13 behind) or require force-push that destroys 13 origin commits — catastrophic, not authorized, and violates Đ41 boundary.
C — STOP ✅ YES Both A and B are unsafe with current evidence.

Phase B — Activate

Skipped. Activation requires either:

  1. A documented local VPS build command (none found), OR
  2. Reconciling the 4-ahead/13-behind divergence between VPS and origin before allowing CI to take over.

Neither precondition is satisfied. No commands run.

Phase C — Runtime verify

Skipped because no activation occurred. Current runtime serves nuxt-output from 2026-04-02 — does NOT contain P10D code.

Risks & next-action options (for User/GPT to decide)

  1. Reconcile divergence first. Decide canonical history: do the 4 VPS-only commits (incl. 5ce3437) need to land on origin? Are the 13 origin commits supposed to come back to VPS? This is a strategic call, not an activation step.
  2. Add a documented VPS-local Nuxt build/deploy script (e.g., dot/bin/dot-nuxt-deploy-local) that builds from VPS nuxt-repo and rsyncs to /opt/incomex/deploys/nuxt-output/ with backup. Once documented, Option A becomes legitimate.
  3. Cherry-pick 5ce3437 to a branch on origin and let CI deploy it — narrowest unblock, but still requires understanding why VPS is 13 behind before trusting CI to overwrite runtime.

Hard-boundary compliance

  • ✅ No git fetch, git pull, git reset, git checkout mutations
  • ✅ No build, no rsync, no container restart, no overwrite of nuxt-output
  • ✅ No Directus/DB mutation
  • ✅ No fabricated commands
  • ✅ STOP triggered exactly when evidence insufficient

Verdict

DISCOVERY_ONLY_STOP — escalate to User/GPT to choose reconciliation strategy (option 1, 2, or 3 above) before any activation attempt.

Back to Knowledge Hub knowledge/dev/laws/dieu38-trien-khai/reports/p10d-2c-vps-ssot-activate-runtime-verify-2026-04-30.md