KB-72DA

GPT Final Approval — D28 Deploy Build Verify Pack Prompt rev2


Date: 2026-05-10
Reviewer: GPT-5.5 Thinking / Incomex AI Council
Reviewed: knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-build-verify-pack-prompt.md rev2

Verdict

APPROVED FOR DISPATCH.

Rev2 is sufficiently safe for Tier 1 build/typecheck verification. It preserves the required boundary:

build_verify_only
NO_DEPLOY
NO_LIVE_ROUTE_SMOKE
NO_PUBLISH_EVENT_OUTBOX

This pack is not a deployment pack and not a P3D resume pack.

Accepted rev2 fixes

  • Build/typecheck logs go to temp files first.
  • Secret scan happens before any safe tail is printed.
  • Matching secret lines must never be printed.
  • Source-tree mutation check is included before/after build.
  • Cleanup is limited to known safe build artifacts only.
  • Docker operation whitelist/blacklist is explicit.
  • Build path priority is correct: B1 → B3 → B4 → B2, with B2 only if justified.
  • Dev service name must be discovered; no guessing.
  • Package manager must be detected; no mixing npm/pnpm/yarn.
  • Typecheck unavailable is NOT_AVAILABLE, not FAIL.
  • Temp logs are cleaned.
  • No live HTTP/curl route smoke.
  • No automatic rollback on build fail; rollback is a governance decision.
  • Next pack after PASS is D28_DEPLOY_AND_LIVE_SMOKE_PROMPT_REVIEW, not direct deployment.

Dispatch instruction to Opus/Agent

Read and execute the prompt:

knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-build-verify-pack-prompt.md

Scope:
D28 Tier 1 build_verify_only.

Goal:
Verify that the D28 generated table-map source changes can build/typecheck without deploying.

Expected report:
knowledge/dev/laws/dieu28-trien-khai/reports/d28-deploy-build-verify-pack-report.md

Upload report even on PASS, PARTIAL, FAIL, or BLOCKED.

Hard boundaries for Agent

Agent must preserve:

no_deploy=true
no_live_route_smoke=true
no_live_http_call_to_prod=true
no_curl_production_routes=true
no_container_restart=true
no_running_service_interruption=true
no_directus_mutation=true
no_pg_mutation=true
no_publish_event_outbox=true
no_table_registry_mutation=true
no_secret_printed=true
no_log_printed_before_secret_scan=true
no_package_install_on_host=true
no_lockfile_change=true
no_docker_compose_up=true
no_docker_compose_restart_running=true
no_docker_compose_down=true
no_auto_rollback_executed=true

Operational clarifications

  1. docker compose run --rm is allowed only for ephemeral build/typecheck and only if it does not restart or interrupt running services.
  2. Do not use docker logs output unless it follows the same temp-log + secret-scan-before-print rule.
  3. If the dev service name is ambiguous, STOP DEV_SERVICE_UNKNOWN.
  4. If package manager is ambiguous, STOP PACKAGE_MANAGER_UNKNOWN.
  5. If build/typecheck creates unexpected source-tree mutations, STOP and report. Clean only known safe artifacts such as .nuxt/ and .output/.
  6. If build/typecheck fails, do not roll back automatically. Report and recommend next action.
  7. If B2 production image build is the only path, justify clearly and confirm it does not affect running services; otherwise report BLOCKED.
  8. Do not call any production HTTP routes. Smoke is for a later pack.
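
The temp-log and secret-scan-before-print rule from the accepted rev2 fixes and clarification 2, shown as an added example that is not part of the D28 prompt or of this review. The pattern set, the function names and the fake_build output are assumptions constructed for illustration.

```shell
# Added example, not taken from the D28 prompt. SECRET_RE, PEM_RE and the
# fake_build output are constructed; the real pattern set is an assumption.
SECRET_RE='(password|passwd|secret|token|api[_-]?key|authorization)[A-Za-z_]*[[:space:]]*[:=]'
PEM_RE='-----BEGIN [A-Z ]*PRIVATE KEY-----'

# Run a command with stdout and stderr captured to a private temp file, so
# nothing reaches the terminal before the scan. Sets LOG_PATH and BUILD_RC.
run_to_temp_log() {
  LOG_PATH=$(mktemp "${TMPDIR:-/tmp}/d28-build.XXXXXX") || return 1
  "$@" >"$LOG_PATH" 2>&1 && BUILD_RC=0 || BUILD_RC=$?
}

# Scan the whole log, then print the last N lines with matching lines dropped.
# Only the hit count is reported. A PEM private-key header withholds the whole
# tail, because the key body lines would not match a line-based pattern.
safe_tail() {
  st_log=$1
  st_n=${2:-20}
  if grep -Eq -e "$PEM_RE" "$st_log"; then
    echo "secret_scan=PEM_BLOCK tail_withheld=true"
    return 0
  fi
  st_hits=$(grep -Eic -e "$SECRET_RE" "$st_log" || true)
  echo "secret_scan_hits=$st_hits"
  tail -n "$st_n" "$st_log" | grep -Eiv -e "$SECRET_RE" || true
}

# Remove the temp log whether the build passed or failed.
cleanup_log() {
  [ -z "${LOG_PATH:-}" ] || rm -f -- "$LOG_PATH"
  LOG_PATH=
}

# Constructed stand-in for the real build/typecheck command.
fake_build() {
  echo "build: start"
  echo "EXAMPLE_API_TOKEN=constructed-value-123"
  echo "error: cannot resolve generated table-map import" >&2
  return 1
}

run_to_temp_log fake_build
safe_tail "$LOG_PATH" 10
echo "build_rc=$BUILD_RC"   # reported only; no automatic rollback
cleanup_log
```

The same gate applies to any captured docker logs output: write it to the temp file and pass it through safe_tail instead of printing it directly.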

Expected outcomes

  • PASS: build/typecheck verification succeeds, source tree remains clean, no boundary violation.
  • PARTIAL: some verification succeeds but the build path is incomplete or typecheck is unavailable.
  • FAIL: build/typecheck reveals generated-map/import breakage.
  • BLOCKED: no safe build path exists.

Next decision after report

If PASS, the next step is not direct deploy. The next step is:

D28_DEPLOY_AND_LIVE_SMOKE_PROMPT_REVIEW

If FAIL with import errors:

D28_GENERATED_MAP_FIX

If BLOCKED:

D28_BUILD_INFRASTRUCTURE_PACK

If PARTIAL:

D28_BUILD_TOOLING_FIX

P3D state remains paused

tbl_event_outbox.status=draft
notification_display=paused
p3d_resume_allowed=false

Final status

prompt_rev2=APPROVED_FOR_DISPATCH
scope=TIER_1_BUILD_VERIFY_ONLY
agent_dispatch_allowed=true
deploy_allowed=false
live_route_smoke_allowed=false
p3d_resume_allowed=false
knowledge/dev/laws/dieu44-trien-khai/reviews/gpt-final-approval-d28-deploy-build-verify-pack-prompt-rev2-2026-05-10.md