KB-3848

GPT Review — D28 Build Verify PASS and Deploy Review Directive

Revision 1

Date: 2026-05-10
Reviewer: GPT-5.5 Thinking / Incomex AI Council (Hội đồng AI)
Reviewed:

  • knowledge/dev/laws/dieu28-trien-khai/reports/d28-deploy-build-verify-pack-report.md
  • knowledge/dev/laws/dieu28-trien-khai/reviews/opus-review-d28-build-verify-pass-and-deploy-review-pack-recommendation-2026-05-10.md

Verdict

Agent report accepted. Opus review accepted.

D28 Tier 1 build_verify_only achieved PASS.

This means the generated table-map source changes are build-valid in an ephemeral build environment. It does not mean deployment has happened, and it does not mean P3D notification display can resume yet.

Confirmed PASS evidence

The report demonstrates:

  • image build using web/Dockerfile.local succeeded;
  • typecheck succeeded;
  • Nuxt build succeeded;
  • server import alias ~/generated/table-maps.generated resolved;
  • client import resolved;
  • SSR bundle resolved;
  • source tree remained clean after build;
  • no host package install;
  • no lockfile change;
  • no deploy;
  • no live HTTP/curl to production routes;
  • no Directus/PG/table_registry mutation;
  • no tbl_event_outbox publish;
  • no service interruption.

Most important verification:

server_import_verify=PASS_BY_BUILD_SUCCESS
client_import_verify=PASS
ssr_import_verify=PASS

This clears the biggest deferred risk from Phase 1B: whether ~/generated/... imports work in server/client/SSR contexts.

Accepted deviations

D1 — B1 to B3-variant switch

Accepted.

B1 was attempted first and blocked by compose validation because directus.env_file=.env.local was missing. Even --no-deps could not bypass config-time validation.

Agent switched to:

docker build -f web/Dockerfile.local -t d28-build-verify:tmp web/
docker run --rm d28-build-verify:tmp ...

This is acceptable because:

  • it used the dev Dockerfile path;
  • it did not touch running production service;
  • it did not deploy;
  • it did not install packages on host;
  • it did not mutate lockfiles;
  • the temporary image was removed;
  • the source tree stayed clean.

Future prompt templates should explicitly allow an ephemeral docker build + docker run --rm build-verify path when dev compose is blocked and no running service is affected.

D2 — Build log secret scan false positive on forgot-password

Accepted.

The password matches were filenames for existing forgot-password.*.mjs chunks, not credential values. Agent treated them as FILENAME_FALSE_POSITIVE, redacted matched lines, did not print raw secrets, and documented the classification.

Future prompt templates should include a false-positive policy:

If match is a filename/path such as forgot-password.* and no credential value is present, classify FILENAME_FALSE_POSITIVE and continue.
Otherwise classify SECRET_LEAK_FAIL and STOP without printing matching lines.
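
The false-positive policy above as a runnable check, added here as an example (it is not the agent's actual scanner). The keyword list, the build-artifact extension list and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed trigger words; the page only mentions matches on "password".
KEYWORDS = r"(?:password|passwd|secret|token|api[_-]?key)"
KEYWORD_RE = re.compile(KEYWORDS, re.IGNORECASE)
# A path/file token that embeds a keyword and ends in a build-artifact
# extension, e.g. chunks/forgot-password.a1b2c3.mjs (extension list assumed).
FILE_TOKEN_RE = re.compile(
    r"[\w./-]*" + KEYWORDS + r"[\w.-]*\.(?:mjs|js|css|map|vue|ts)\b",
    re.IGNORECASE,
)

def classify_line(line):
    """Return None, 'FILENAME_FALSE_POSITIVE' or 'SECRET_LEAK_FAIL' for one log line."""
    if not KEYWORD_RE.search(line):
        return None
    # Remove file-name tokens; a keyword that survives is outside a file name, so fail closed.
    remainder = FILE_TOKEN_RE.sub("", line)
    if KEYWORD_RE.search(remainder):
        return "SECRET_LEAK_FAIL"
    return "FILENAME_FALSE_POSITIVE"

def scan_build_log(text):
    """Scan a build log; report line numbers and classes only, never line content."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        verdict = classify_line(line)
        if verdict is None:
            continue
        findings.append((number, verdict))
        if verdict == "SECRET_LEAK_FAIL":
            return "FAIL", findings  # STOP at the first non-filename match
    return "PASS", findings

# Constructed sample logs (not taken from the real build).
CLEAN_LOG = """\
[nitro] building server
  .output/server/chunks/forgot-password.a1b2c3.mjs (3.2 kB)
  .output/server/chunks/forgot-password.a1b2c3.mjs.map (9.8 kB)
build complete
"""
LEAKY_LOG = CLEAN_LOG + "env SAMPLE_DB_PASSWORD=EXAMPLE-NOT-REAL\nlater line token=x\n"

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("leaky", LEAKY_LOG)):
        status, findings = scan_build_log(log)
        print(f"{name}: secret_log_scan={status} findings={findings}")
```

A line that mixes a filename with a keyword elsewhere is classified SECRET_LEAK_FAIL, so the filename exemption cannot mask a credential on the same line.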

Notes for future cleanup

The following are not blockers now:

  • Both pnpm-lock.yaml and package-lock.json exist. Dockerfile.local confirms pnpm is canonical. Treat orphan package-lock.json as low-priority tech debt.
  • Pre-existing /tmp/d28-* files remain from previous sessions. Do not clean them in current work unless a dedicated cleanup pack is approved.
  • Auto-snapshot behavior is confirmed and must be considered in future commit/rollback prompts.

Directive to Opus — next action

Opus may draft the next prompt:

D28_DEPLOY_AND_LIVE_SMOKE_PROMPT_REVIEW

Create at:

knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.md

This must be a prompt review document, not direct execution. Do not dispatch agent yet.

Required scope of next prompt

The prompt should define a controlled deployment/live-smoke execution plan for GPT/User approval.

It must include:

1. Deployment preflight

  • confirm current HEAD includes d2db418 and 0947613;
  • confirm build verify PASS report exists;
  • confirm source tree clean;
  • confirm production service/image names;
  • confirm deploy mechanism;
  • confirm expected user-facing impact, including brief 502 risk;
  • confirm rollback commands;
  • confirm maintenance window or explicit User approval if restart impacts users.

2. Deployment execution plan

The plan should explain, but not yet execute until approved:

  • build production image or use existing deploy pipeline;
  • update/restart only Nuxt service if needed;
  • avoid Directus/PG mutation;
  • avoid table_registry mutation;
  • avoid tbl_event_outbox publish;
  • capture logs safely;
  • avoid printing secrets.

3. Live smoke plan

After deploy, smoke only the affected existing routes and endpoint:

  • 13 registry entity routes:
    • /knowledge/registries/catalog
    • /knowledge/registries/table
    • /knowledge/registries/module
    • /knowledge/registries/dot_tool
    • /knowledge/registries/page
    • /knowledge/registries/collection
    • /knowledge/registries/agent
    • /knowledge/registries/checkpoint_type
    • /knowledge/registries/checkpoint_set
    • /knowledge/registries/entity_dependency
    • /knowledge/registries/checkpoint_instance
    • /knowledge/registries/changelog
    • /knowledge/registries/system_issue
  • 3 non-registry pages:
    • /knowledge/workflows
    • /knowledge/modules
    • /knowledge/current-tasks
  • special routes:
    • /admin/proposals
    • /knowledge/registries
    • workflow matrix/wcr tab routes only if a valid workflow id can be discovered safely;
  • API endpoint:
    • /api/discovery/relations

Do not smoke /knowledge/registries/event_outbox in this D28 deploy pack unless explicitly scoped later. tbl_event_outbox remains draft.

4. Failure handling

The prompt must specify:

  • if build/deploy fails before service restart, do not touch running production service;
  • if deploy succeeds but smoke fails, choose one of:
    • rollback immediately if user-facing regression is critical;
    • hold deployment and report if failure is minor/non-critical;
  • rollback command includes both Phase 1B commits:
git revert d2db418 0947613 --no-edit
  • rollback requires redeploy to take effect.

5. Required report fields

The prompt should require:

phase_status=PASS|PARTIAL|FAIL|BLOCKED
deploy_performed=true|false
production_image_built=true|false
production_service_restarted=true|false
service_interruption_observed=true|false
brief_502_expected=true|false
routes_smoked_count=<number>
route_smoke_pass_count=<number>
route_smoke_failures=<list>
relations_endpoint_smoke=PASS|FAIL|SKIPPED
workflow_tab_smoke=PASS|FAIL|SKIPPED_NO_SAMPLE_ID
secret_log_scan=PASS|FAIL
rollback_executed=true|false
rollback_reason=<reason|N/A>
no_directus_mutation=true
no_pg_mutation=true
no_table_registry_mutation=true
no_publish_event_outbox=true
next_required_pack=P3D4C2U_RESUME_NOTIFICATION_DISPLAY|D28_DEPLOY_FIX|D28_ROLLBACK_REVIEW|BLOCKED

Hard boundaries for next prompt draft

Until GPT/User approves the next prompt:

  • do not deploy;
  • do not restart containers;
  • do not live smoke;
  • do not publish tbl_event_outbox;
  • do not mutate Directus;
  • do not mutate PG;
  • do not mutate table_registry;
  • do not fix tbl_modules_list.collection;
  • do not add entity_type;
  • do not resume P3D.

Current state

build_verify_status=PASS
generated_map_commits=0947613,d2db418
tbl_event_outbox.status=draft
notification_display=paused
p3d_resume_allowed=false
next_action=OPUS_DRAFT_D28_DEPLOY_AND_LIVE_SMOKE_PROMPT_REVIEW

Final status

agent_report=ACCEPTED
opus_review=ACCEPTED
deviations=ACCEPTED
build_verify=PASS
next_prompt_draft_allowed=true
agent_dispatch_allowed=false_until_prompt_review
p3d_resume_allowed=false

knowledge/dev/laws/dieu44-trien-khai/reviews/gpt-review-d28-build-verify-pass-and-deploy-review-directive-2026-05-10.md