KB-43C4 rev 4

P3D — B3-F1c-f dot-dot-health Hardcode & Auto-scale Audit Prompt (DRAFT — Patched)



Date: 2026-05-13
Mode: READ-ONLY AUDIT. No mutation. No execution. No function invocation.
Focus: 3 blocking questions + full hardcode classification
Zero-trust: schema-first for all tables, path discovery, PG discovery, secret/log redaction


Mission

Audit dot-dot-health to determine if wrapper+row path is safe NOW or requires fixes first. Focus: (1) cron viability, (2) jurisdiction compatibility, (3) registry stability.


Hard boundaries

ALLOWED: Read files, read-only PG SELECT, KB report writes
FORBIDDEN: Modify files/cron/PG rows/scheduler, run dot-dot-health, invoke functions, expose secrets

Phase 0 — Discovery (standard zero-trust)

# 0a. Context
hostname

# 0b. dot-dot-health path — ALWAYS discover ALL candidates first
find /opt/incomex -name 'dot-dot-health' -type f 2>/dev/null
# Expected canonical: /opt/incomex/dot/bin/dot-dot-health
# If ZERO candidates → BLOCKED (script missing)
# If exactly ONE → assign as DOT_HEALTH_PATH
# If MULTIPLE → report all, classify canonical vs non-canonical (e.g., .bak, .old, test/)
#   If multiple plausible executables → BLOCKED_MULTIPLE_DOT_DOT_HEALTH_CANDIDATES

# 0c. PG access
docker exec postgres psql -U directus -d directus -c "SELECT 1" 2>/dev/null && echo "PG_OK" || echo "PG_FAIL"
# If fail → discover container: docker ps --filter "ancestor=postgres" --format "{{.Names}}"
# If still fail → BLOCKED_PG_ACCESS_UNDISCOVERABLE
# Assign as PG_CMD

# 0d. Schema discovery — dot_tools
$PG_CMD -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_schema='public' AND table_name='dot_tools' ORDER BY ordinal_position"
# If missing → BLOCKED_DOT_TOOLS_SCHEMA_UNMAPPED

# 0e. Schema discovery — system_health_checks
$PG_CMD -c "SELECT column_name, data_type FROM information_schema.columns WHERE table_schema='public' AND table_name='system_health_checks' ORDER BY ordinal_position"
# If missing → BLOCKED_SYSTEM_HEALTH_CHECKS_SCHEMA_UNMAPPED

Gate 0: DOT_HEALTH_PATH confirmed, PG_CMD confirmed, both table schemas mapped. All subsequent queries use CONFIRMED column names only. No SELECT *.
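The 0b candidate rule as a stand-alone function, added here as an example and not part of the original prompt. It reads the `find` output from stdin so the gate logic can be checked offline; the zero-candidate case prints plain BLOCKED because the prompt assigns it no specific code, and the function names are assumptions.

```shell
# Added example (not from the original prompt): Phase 0b candidate classification
# as a function over a newline-separated path list, e.g. the output of
#   find /opt/incomex -name 'dot-dot-health' -type f
# Function names are assumptions; the canonical path and the non-canonical
# markers (.bak, .old, test/) are the ones the prompt names.

CANONICAL_DOT_HEALTH=/opt/incomex/dot/bin/dot-dot-health

# Returns 0 when the path is a backup/old/test copy, 1 when it is a plausible executable.
is_noncanonical_candidate() {
  case "$1" in
    *.bak|*.old|*/test/*|*~) return 0 ;;
    *) return 1 ;;
  esac
}

# stdin: candidate paths, one per line. stdout: exactly one line, either the
# resolved DOT_HEALTH_PATH or a BLOCKED status. Nothing is executed or modified.
classify_dot_health_candidates() {
  plausible=""
  n=0
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if is_noncanonical_candidate "$p"; then
      echo "non-canonical candidate ignored: $p" >&2
      continue
    fi
    plausible="$p"
    n=$((n + 1))
  done
  if [ "$n" -eq 0 ]; then
    echo "BLOCKED"            # script missing; the prompt gives no specific code
  elif [ "$n" -eq 1 ]; then
    if [ "$plausible" != "$CANONICAL_DOT_HEALTH" ]; then
      echo "note: resolved path differs from the expected canonical location" >&2
    fi
    echo "$plausible"
  else
    echo "BLOCKED_MULTIPLE_DOT_DOT_HEALTH_CANDIDATES"
  fi
}

# Stand-alone usage on a constructed list (no filesystem access needed).
printf '%s\n' /opt/incomex/dot/bin/dot-dot-health /opt/incomex/dot/bin/dot-dot-health.bak \
  | classify_dot_health_candidates
```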


Phase 1 — CRITICAL: Cron viability

1a. Read cron entry

crontab -l 2>/dev/null | grep -i 'dot-dot-health\|dot_health\|dot-health'
# Root crontab — NON-INTERACTIVE only:
sudo -n crontab -l 2>/dev/null | grep -i 'dot-dot-health' || echo "ROOT_CRONTAB_UNAVAILABLE"
# /etc/cron.d/
ls /etc/cron.d/ 2>/dev/null | grep -i dot

If sudo requires password → skip, set root_crontab_access=UNAVAILABLE. Do NOT prompt for password.

1b. Flag compatibility

# Read parse_args / getopts section
grep -n 'getopts\|parse_args\|case.*--\|while.*\$\|shift\|--local\|--dry-run\|usage' "$DOT_HEALTH_PATH" | head -20
# Read sufficient context around those lines (sed -n 'start,endp')

Determine: Does script accept --local? What happens with unknown flags?

1c. Execution evidence (REDACTED output only)

# Look for cron execution evidence — STRICT REDACTION
# Redact ALL secret-bearing patterns case-insensitively:
#   KEY, API_KEY, TOKEN, SECRET, PASSWORD, PGPASSWORD, DATABASE_URL, DB_URL, CONNECTION_STRING
#   URL credentials: scheme://user:password@host → scheme://<REDACTED>@host
grep -i 'dot-dot-health\|dot_health' /var/log/syslog /var/log/cron 2>/dev/null | tail -10 \
  | sed -E 's/([A-Za-z0-9_]*(KEY|TOKEN|SECRET|PASSWORD|PGPASSWORD|DATABASE_URL|DB_URL|CONNECTION_STRING)[A-Za-z0-9_]*)=[^[:space:]]*/\1=<REDACTED>/gI; s|://[^@:/]*:[^@]*@|://<REDACTED>@|g'
# Group 1 keeps the whole variable name (e.g. API_KEY, not just KEY); only the value after '=' is replaced.
# If safe redaction cannot be guaranteed → set log_output_redacted=false → status cannot be PASS
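The 1c redaction filter as a reusable stdin-to-stdout function, added here as an example and not part of the original prompt, run over constructed log lines so redaction can be verified before any real log output is copied into the report. It assumes GNU sed (the `I` modifier); the secret-name list is the one the prompt gives, and the function names are assumptions.

```shell
# Added example (not from the original prompt): the Phase 1c redaction filter.
# Assumes GNU sed (the I modifier). Secret-name list is the one the prompt gives.
#
# First expression: any VAR=value where VAR contains a secret-bearing token;
# the whole variable name is kept (capture group 1) and only the value is replaced.
# Second expression: scheme://user:password@host -> scheme://<REDACTED>@host.
# Over-redaction (a harmless name that happens to contain "key") is accepted as fail-safe.
redact_secrets() {
  sed -E \
    -e 's/([A-Za-z0-9_]*(KEY|TOKEN|SECRET|PASSWORD|PGPASSWORD|DATABASE_URL|DB_URL|CONNECTION_STRING)[A-Za-z0-9_]*)=[^[:space:]]*/\1=<REDACTED>/gI' \
    -e 's#://[^@/[:space:]]*:[^@[:space:]]*@#://<REDACTED>@#g'
}

# Convenience wrapper for a single line (returns the redacted line on stdout).
redact_line() {
  printf '%s\n' "$1" | redact_secrets
}

# Constructed sample lines (not real log output); values are made up.
SAMPLE_LOG='May 13 02:00:01 vm CRON[4242]: dot-dot-health env API_KEY=sk_live_abc123 PGPASSWORD=hunter2 done
dot-dot-health: connecting to postgres://directus:s3cret@postgres:5432/directus
dot-dot-health: database_url=postgres://u:p@h/db status=ok'

# Stand-alone usage: print the redacted sample.
printf '%s\n' "$SAMPLE_LOG" | redact_secrets
```

If a line still shows a credential after this pass, the prompt's rule applies: set log_output_redacted=false and do not copy the line.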

1d. Cron reliability conclusion

cron_config_present=true|false
cron_command_parse_compatible=true|false|unknown
cron_success_evidence=FOUND|NOT_FOUND|UNKNOWN
cron_reliable_for_automation=true|false|unknown

If --local is PROVEN unrecognized AND causes script exit → decision MUST be REPAIR_DOT_DOT_HEALTH_SCHEDULER_FIRST.


Phase 2 — Jurisdiction analysis

2a. Script jurisdiction references

grep -n 'jurisdiction\|NRM-LAW\|JURISDICTION' "$DOT_HEALTH_PATH"
# Read context around assignment

2b. Active jurisdictions (confirmed columns)

SELECT DISTINCT <confirmed_jurisdiction_col>, count(*) AS cnt
FROM system_health_checks
WHERE <confirmed_is_active_col> = true
GROUP BY <confirmed_jurisdiction_col>
ORDER BY <confirmed_jurisdiction_col>;

2c. Assessment

jurisdiction_analysis=CAN_ADD_UNDER_LAW35|MUST_PATCH_SCRIPT|BLOCKED
governance_debt_if_law35=true|false

Phase 3 — Registry drift (confirmed columns)

3a. dot_tools DOT-HEALTH row

SELECT <confirmed_columns> FROM dot_tools
WHERE <confirmed_code_or_name_col> ILIKE '%dot-health%' OR <confirmed_code_or_name_col> ILIKE '%dot-dot%';

Compare with:

file "$DOT_HEALTH_PATH"
head -3 "$DOT_HEALTH_PATH"

3b. Related registry rows (birth/onboard)

SELECT <confirmed_columns> FROM dot_tools
WHERE <confirmed_text_cols> ILIKE '%birth%' OR <confirmed_text_cols> ILIKE '%onboard%';

3c. Drift verdict

registry_drift_blocks_wrapper=true|false

Phase 4 — Full hardcode classification

Read the ENTIRE "$DOT_HEALTH_PATH". For every literal/concrete value, produce a machine-readable table with these columns:

value_or_pattern | source | line_or_location | current_storage | classification | scale_impact | blocks_b3f1c | recommended_action

Classifications: SAFE_REVIEWED_CONSTANT, CURRENT_CONTRACT, HARDCODE_RISK, HARDCODE_VIOLATION, SCALE_BREAK_RISK, REGISTRY_DRIFT, NEEDS_DESIGN_DECISION.

SECRET REDACTION: If any line contains passwords/tokens/API keys/DB URLs → report as <REDACTED> in value column. log_output_redacted=true required.


Phase 5 — Decision

Return ONE of:

WRAPPER_AND_ROW_SAFE_AFTER_MINOR_REGISTRY_CLEANUP
WRAPPER_AND_ROW_SAFE_NOW_WITH_KNOWN_DEBT
PATCH_DOT_DOT_HEALTH_FIRST
PATCH_DOT_REGISTRY_FIRST
REPAIR_DOT_DOT_HEALTH_SCHEDULER_FIRST
EXTEND_EXECUTOR_INSTEAD_OF_WRAPPER
CONTINUE_AGENT_DATA_BRIDGE
BLOCKED_NEEDS_DESIGN

Report

knowledge/dev/laws/dieu44-trien-khai/reports/p3d-birth-system-b3f1c-f-dot-dot-health-hardcode-autoscale-audit-report.md

Final fields

b3f1c_f_audit_status=PASS|PARTIAL|BLOCKED
blocked_reason=<none|BLOCKED_PG_ACCESS_UNDISCOVERABLE|BLOCKED_MULTIPLE_DOT_DOT_HEALTH_CANDIDATES|BLOCKED_DOT_TOOLS_SCHEMA_UNMAPPED|BLOCKED_SYSTEM_HEALTH_CHECKS_SCHEMA_UNMAPPED|BLOCKED_CRON_PARSE_INCOMPATIBLE|BLOCKED_CRON_RELIABILITY_UNKNOWN|BLOCKED_NEEDS_DESIGN>
dot_dot_health_path_discovered=true|false
pg_access_discovered=true|false
dot_tools_schema_mapped=true|false
system_health_checks_schema_mapped=true|false
cron_config_present=true|false
cron_command_parse_compatible=true|false|unknown
cron_success_evidence=FOUND|NOT_FOUND|UNKNOWN
cron_reliable_for_automation=true|false|unknown
root_crontab_access=AVAILABLE|UNAVAILABLE|NOT_NEEDED
jurisdiction_analysis=CAN_ADD_UNDER_LAW35|MUST_PATCH_SCRIPT|BLOCKED
governance_debt_if_law35=true|false
registry_drift_blocks_wrapper=true|false
hardcode_violations_count=<number>
hardcode_risks_count=<number>
scale_break_risks_count=<number>
registry_drift_count=<number>
log_output_redacted=true|false
secrets_redacted=true
compiled_from_assumptions=false
no_mutation_performed=true
decision=<one_of_8_options>
next_recommended_action=GPT_REVIEW_B3F1C_F_AUDIT_RESULTS


Prompt file: knowledge/dev/laws/dieu44-trien-khai/prompts/p3d-birth-system-b3f1c-f-dot-dot-health-hardcode-autoscale-audit-prompt-DRAFT.md