KB-67CA
B3-F1c-g VPS dot-dot-health Scheduler Repair — Live Recompile Report
9 min read Revision 1
dieu44p3dbirthb3f1c-gvps-targetedreportrecompilescheduler-repairlive-evidence
B3-F1c-g VPS dot-dot-health Scheduler Repair — Live Recompile Report
Session: B3-F1c-g VPS recompile
Date (UTC): 2026-05-14
Mode: READ LIVE VPS FILE + COMPILE PATCH/ROLLBACK ONLY — no execution
Author: Claude (Opus 4.7, 1M context)
Driver: GPT conditional approval gpt-review-b3-eld-design-and-b3f1c-g-patch-conditional-approval-2026-05-14.md — design pattern approved, live VPS recompile required before execution.
Artifacts produced:
knowledge/dev/laws/dieu44-trien-khai/artifacts/p3d-birth-b3f1c-g-vps-dot-dot-health-scheduler-repair-patch.mdknowledge/dev/laws/dieu44-trien-khai/artifacts/p3d-birth-b3f1c-g-vps-dot-dot-health-scheduler-repair-rollback.md
1. Hard-boundary attestation
| Boundary | Adhered |
|---|---|
| No file modification | YES — VPS source only read via ssh … cat -n / sed -n / wc -l |
| No cron modification | YES — only crontab -l (list, read-only) |
| No PG mutation | YES — no psql, no docker exec |
| No running dot-dot-health | YES — script never executed (not even --help) |
| No sourcing dot-dot-health | YES — never sourced |
| No function invocation | YES |
| No system_issues write | YES |
| No execution | YES — only Read + ssh-cat + grep + ToolSearch + MCP read |
Tools used (all read-only):
find(locate file on local fallback path, succeeded with local-clone path)Read(local clone, for comparative context)ssh root@VPS … cat -n / sed -n / wc -l / crontab -l / ls -la / grep(live VPS, all non-mutating)mcp__agent-data__get_document_for_rewrite(read GPT review)mcp__agent-data__upload_document(write 3 artifacts, the deliverables themselves)
2. Live VPS evidence summary
2.1 Target file
- Path:
/opt/incomex/dot/bin/dot-dot-health - Version: v2.0.0 (Fix25 — generic executor dispatch, 2026-04-21)
- Line count: 555
- Header changelog confirms v1.0.0 (9 hardcoded checks) was retired April 21.
2.2 Divergence from previous artifact (local-clone-based)
vps_differs_from_local_artifact=true
| Aspect | Previous artifact (local v1.0.0) | Live VPS (v2.0.0) |
|---|---|---|
| Line count | 301 | 555 |
| Arg parser | Inline for arg in "$@" loop in main(), no default reject |
Real parse_args() function (lines 164-180) with strict *) exit 2 default |
--local acceptance |
Falls through silently (passed to init_environment) |
Actively rejected with exit 2 |
| Mutation surface | curl POST /items/system_issues direct |
fn_log_issue PG function → system_issues |
| Env source | init_environment from environment.sh (--local/--cloud meaningful) |
env_load from /opt/incomex/secrets/.env.production (SSOT; --local/--cloud semantically vestigial) |
main "$@" line |
300 | 555 (last line) |
The defect is reproduced on live source at lines 164-180. The previous patch (local-clone-based) could not be applied byte-for-byte to VPS.
2.3 Cron entry (confirmed)
0 3 * * * . /opt/incomex/scripts/cron-env.sh && export DIRECTUS_ADMIN_EMAIL DIRECTUS_ADMIN_PASSWORD && /opt/incomex/dot/bin/dot-dot-health --local >> /var/log/incomex/dot-health.log 2>&1
Daily 03:00 UTC. Confirmed --local is passed.
2.4 BASH_SOURCE guard present?
bash_source_guard_present=false — line 555 is bare main "$@". No BASH_SOURCE[0] reference anywhere in the file.
2.5 Live mutation pathways inventoried
| Function | Mutation | DRY_RUN guarded? |
|---|---|---|
log_issue (l.55-66) → fn_log_issue |
system_issues INSERT |
YES (l.145, l.156) |
precheck → run_pg_rw "SELECT 1" / normative_registry SELECT |
PG read only | N/A |
verify_all → run_pg_rw for system_health_checks |
PG read only | N/A |
env_load |
reads /opt/incomex/secrets/.env.production |
N/A |
--dry-run is provably non-mutating to system_issues, but per hard boundary "No running dot-dot-health" it remains excluded from the verification plan.
3. Repair decision (re-confirmed against live source)
Selected: ADD_LOCAL_NOOP_FLAG
Re-validated:
- §3.7 multi-DOT convention preserved.
- Live
parse_argshas explicit*) exit 2strict reject — adding a--local|--cloud) shift ;;case before the default is the minimal correct closure. - Both
--localand--cloudaccepted symmetrically for legacy[--cloud|--local]usage convention. - Plus: BASH_SOURCE safe-source guard at line 555 (the v2.0.0 mutation pathway
main → parse_args → precheck → verify_all → log_issue → fn_log_issue → system_issues INSERTis exactly what the source-time guard prevents).
4. Patch composition (compiled, not applied)
| Hunk | Live VPS lines | Change | +/- |
|---|---|---|---|
| H1 — parse_args no-op | 164-180 (insertion after l.173, before l.174) | Add --local|--cloud) shift ;; # no-op: legacy DOT scheduler convention (env loaded from SSOT, Đ33 §14) |
+1 / -0 |
| H2 — safe source guard | 555 | Replace main "$@" with if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then main "$@"; fi |
+3 / -1 |
Net: +4 lines, -1 line. Zero logic deletion. Zero behavior change on documented paths (--help, --dry-run, --verbose, --only-check).
5. Verification plan compiled (NON-MUTATING)
Compiled in patch artifact §6:
- V1
bash -n— proven non-mutating (parse-only). - V2
sed -n '164,181p'+grep— read-only. - V3
tail -5+grep— read-only. - V4
--help— PROVEN non-mutating on live source:parse_argsruns first and matches--help|-h)→usage; exit 0beforeprecheck/env_load/run_pg_rw/log_issue. - V5
--local --help— combined-flag end-to-end validation; same non-mutation proof as V4 + validates H1's no-op case.
Excluded with stated reasons:
- V6 bare
--localand--local --dry-run— bare hitslog_issue(mutating); dry-run skipslog_issuebut still does env_load + PG reads + runs builtins. Per hard boundary "No running dot-dot-health", excluded.
6. Rollback compilation
Three independent paths in rollback artifact:
- R1 restore from
.bak.b3f1c-g.<UTC-timestamp>(recommended) - R2 reverse-apply unified diff
- R3
git revertin/opt/incomex/dot
Per-hunk independent rollback documented (both partial reverts re-open distinct defects — clearly flagged "not recommended").
Cron stays untouched in all rollback paths; rollback returns the system to the pre-patch failure mode (cron exit 2 at 03:00 UTC). Caller must schedule a follow-up if rolling back.
7. Open items for GPT review
- Patch is now byte-accurate against live VPS source — addresses GPT review's primary execution blocker.
- Cron behavior on success — confirm acceptable to leave the cron line emitting
--localindefinitely as a vestigial flag. If a future cleanup wants to drop it, do that in a synchronized cron-edit PR after this patch lands. - Per-hunk commit granularity — single commit covering both hunks is fine for revert simplicity. If reviewer prefers separate commits (one per hunk), the patch artifact's hunks are independent.
- VPS-host git commit step — included in patch §7 step 4 per memory
feedback_git_commit_after_vps_edit.md. - Post-apply observation window — natural cron tick at next 03:00 UTC; monitor via
tail -f /var/log/incomex/dot-health.log(read-only). If reviewer prefers an explicit one-shot trigger, that must be re-authorized. - Optional H3 (usage doc update) — deferred. The
usage()heredoc still won't mention--local/--cloud. Acceptable because they're explicitly no-op compatibility flags. Reviewer can request inclusion if preferred.
8. Final status block
b3f1c_g_vps_patch_compile_status=PASS
vps_file_read=true
vps_differs_from_local_artifact=true
local_flag_currently_accepted=false
local_flag_patch_needed=true
bash_source_guard_present=false
bash_source_guard_patch_needed=true
patch_compiled=true
rollback_compiled=true
verification_plan_non_mutating=true
execution_allowed=false
next_recommended_action=GPT_REVIEW_B3F1C_G_VPS_PATCH_ARTIFACT