KB-2B16

GPT Final Approval — D28 Deploy Live Smoke Prompt Rev4 — Stage1 Only

Date: 2026-05-10
Reviewer: GPT-5.5 Thinking / Incomex AI Council
Reviewed: knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.md rev4

Verdict

APPROVED FOR STAGE 1 PREFLIGHT DISPATCH ONLY.

Rev4 is sufficiently safe to run:

RUN_STAGE=1_PREFLIGHT_ONLY

This approval does not authorize Stage 2 deploy/smoke.

Stage 2 remains blocked until:

  1. Stage 1 report is uploaded and reviewed.
  2. GPT/User approves Stage 2 explicitly.
  3. Dispatch includes the exact approval phrase bound to Stage 1 report values.

Accepted rev4 fixes

Rev4 correctly patches the remaining production-safety gaps:

  • Compose diff no longer prints raw diff before validation.
  • Compose diff is written to temp file, scanned, and summarized only.
  • Stage 2 must load exact STAGE1_* values from Stage 1 report.
  • Stage 2 cannot recompute backup timestamp.
  • Relations endpoint response is secret-scanned before body-shape grep.
  • Workflow sample discovery defaults to SKIPPED_SAFETY and cannot block Stage 1 PASS.
  • Metadata title now reflects Rev4.
  • TS vs TS_LOG naming reduces timestamp confusion.
  • Failure matrix includes compose/relations leak cases.

Stage 1 dispatch instruction

Read and execute the prompt:

knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.md

Run only:
RUN_STAGE=1_PREFLIGHT_ONLY

Do not include Stage 2 approval phrase.
Do not deploy.
Do not smoke.
Do not create backup image tag.
Do not modify compose.
Do not restart containers.

Expected Stage 1 report:
knowledge/dev/laws/dieu28-trien-khai/reports/d28-deploy-and-live-smoke-stage1-preflight-report.md

Stage 1 hard boundaries

Agent must preserve:

no_deploy=true
no_smoke=true
no_image_tag_created=true
no_backup_image_tag_created=true
no_compose_modified=true
no_container_restarted=true
no_file_writes_outside_temp=true
no_directus_mutation=true
no_pg_mutation=true
no_publish_event_outbox=true
no_table_registry_mutation=true
no_docker_tag=true
no_docker_build=true
no_docker_run=true
no_docker_up=true
no_docker_restart=true
no_docker_logs=true

Stage 1 allowed Docker operations only:

docker compose ps/config
docker inspect, redacted
docker images for backup-tag conflict check

Expected Stage 1 report fields

Stage 1 report must include at least:

phase=PREFLIGHT_ONLY
run_stage=1_PREFLIGHT_ONLY
head_commits_verified=true|false
build_verify_pass_confirmed=true|false
source_tree_clean=true|false
current_production_image=<captured>
proposed_new_image_tag=nuxt-ssr-local:d2db418
proposed_backup_image_tag=nuxt-ssr-local:pre-d28-rollback-<TS>
proposed_compose_backup_path=/opt/incomex/docker/docker-compose.yml.pre-d28-<TS>
production_service_running=true|false
compose_image_match_count=1
smoke_base_url_mode=<mode>
workflow_sample_discovery=SKIPPED_SAFETY|PERFORMED|SKIPPED_FALSE_POSITIVE|STOPPED_LEAK
workflow_tab_smoke=PLANNED|SKIPPED_NO_SAMPLE_ID
deploy_executed=false
smoke_executed=false
image_tag_created=false
backup_image_tag_created=false
compose_modified=false
container_restarted=false
file_writes_outside_temp=0
preflight_status=PASS|FAIL|BLOCKED
status=AWAITING_DEPLOY_APPROVAL|FAIL|BLOCKED
required_approval_phrase=<exact phrase containing Stage 1 values>
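
A reviewer-side check of the report fields listed above, as an added example (not part of the reviewed prompt or the project's tooling). It assumes the report exposes the fields as key=value lines, treats the literal values in the list as required, and assumes status=AWAITING_DEPLOY_APPROVAL is valid only with preflight_status=PASS; the sample report values are constructed.

```python
FIXED = {  # literal values in the list above are treated as required (assumption)
    "phase": "PREFLIGHT_ONLY", "run_stage": "1_PREFLIGHT_ONLY",
    "proposed_new_image_tag": "nuxt-ssr-local:d2db418", "compose_image_match_count": "1",
    "deploy_executed": "false", "smoke_executed": "false", "image_tag_created": "false",
    "backup_image_tag_created": "false", "compose_modified": "false",
    "container_restarted": "false", "file_writes_outside_temp": "0",
}
ENUM = {
    "workflow_sample_discovery": {"SKIPPED_SAFETY", "PERFORMED", "SKIPPED_FALSE_POSITIVE", "STOPPED_LEAK"},
    "workflow_tab_smoke": {"PLANNED", "SKIPPED_NO_SAMPLE_ID"},
    "preflight_status": {"PASS", "FAIL", "BLOCKED"},
    "status": {"AWAITING_DEPLOY_APPROVAL", "FAIL", "BLOCKED"},
}
BOOLS = ("head_commits_verified", "build_verify_pass_confirmed",
         "source_tree_clean", "production_service_running")
ENUM.update({k: {"true", "false"} for k in BOOLS})
FILLED = ("current_production_image", "smoke_base_url_mode", "required_approval_phrase")
TAG_PREFIX = "nuxt-ssr-local:pre-d28-rollback-"
PATH_PREFIX = "/opt/incomex/docker/docker-compose.yml.pre-d28-"

def parse_report(text):
    """Collect key=value lines; anything else in the report is ignored."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k: v.strip() for k, sep, v in pairs if sep and k and " " not in k}

def _ts(value, prefix):
    return value[len(prefix):] if value.startswith(prefix) else ""

def check_stage1(text):
    """Return a list of violations; an empty list means the report is acceptable."""
    f = parse_report(text)
    errs = [f"{k}: expected {w!r}, got {f.get(k)!r}" for k, w in FIXED.items() if f.get(k) != w]
    errs += [f"{k}: {f.get(k)!r} not allowed" for k, a in ENUM.items() if f.get(k) not in a]
    errs += [f"{k}: missing or unfilled" for k in FILLED if not f.get(k) or "<" in f[k]]
    ts = _ts(f.get("proposed_backup_image_tag", ""), TAG_PREFIX)
    if not ts or "<" in ts or ts != _ts(f.get("proposed_compose_backup_path", ""), PATH_PREFIX):
        errs.append("backup tag and compose backup path must share one filled-in <TS>")
    # Assumption: AWAITING_DEPLOY_APPROVAL is only valid after a PASS preflight.
    if f.get("status") == "AWAITING_DEPLOY_APPROVAL" and f.get("preflight_status") != "PASS":
        errs.append("status: AWAITING_DEPLOY_APPROVAL requires preflight_status=PASS")
    return errs

TS = "20260510T101500Z"  # constructed timestamp; the page does not fix a <TS> format
SAMPLE = "\n".join(f"{k}={v}" for k, v in {  # constructed passing report
    **FIXED, **{k: "true" for k in BOOLS}, "workflow_sample_discovery": "SKIPPED_SAFETY",
    "workflow_tab_smoke": "SKIPPED_NO_SAMPLE_ID", "preflight_status": "PASS",
    "status": "AWAITING_DEPLOY_APPROVAL", "current_production_image": "constructed-image:old",
    "smoke_base_url_mode": "constructed-mode", "required_approval_phrase": "constructed phrase",
    "proposed_backup_image_tag": TAG_PREFIX + TS, "proposed_compose_backup_path": PATH_PREFIX + TS,
}.items())
```
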

Do not do in Stage 1

  • Do not deploy.
  • Do not build production image.
  • Do not run live smoke.
  • Do not call production HTTP routes.
  • Do not create backup image tag.
  • Do not edit docker-compose.yml.
  • Do not restart incomex-nuxt.
  • Do not use docker logs.
  • Do not publish tbl_event_outbox.
  • Do not mutate Directus.
  • Do not mutate PG.
  • Do not mutate table_registry.
  • Do not resume P3D.

Stage 2 is NOT approved

The following remains unauthorized:

RUN_STAGE=2_DEPLOY_AND_SMOKE
APPROVE D28 DEPLOY: ...

Stage 2 may be considered only after GPT/User reviews Stage 1 report.

Current state to preserve

build_verify_status=PASS
generated_map_commits=0947613,d2db418
tbl_event_outbox.status=draft
notification_display=paused
p3d_resume_allowed=false
stage1_dispatch_allowed=true
stage2_deploy_allowed=false

Final status

prompt_rev4=APPROVED_FOR_STAGE1_PREFLIGHT_ONLY
agent_dispatch_allowed_for_stage1=true
agent_dispatch_allowed_for_stage2=false
deploy_allowed=false
live_route_smoke_allowed=false
p3d_resume_allowed=false