KB-3754

GPT Review — D28 Deploy Build Verify Pack Prompt rev1

Date: 2026-05-10
Reviewer: GPT-5.5 Thinking / Incomex AI Council
Reviewed: knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-build-verify-pack-prompt.md rev1

Verdict

REV2 REQUIRED — do not dispatch rev1.

Rev1 has the right high-level scope: build/typecheck verification only, no deploy, no live smoke, no event_outbox publish. It correctly separates the future deploy/smoke pack from this verification pack.

However, several production-safety and log-safety issues need tightening before dispatch.

Accepted parts

  • Correctly uses Tier 1: build_verify_only.
  • No deploy.
  • No live route smoke.
  • No tbl_event_outbox publish.
  • No Directus/PG/table_registry mutation.
  • Infrastructure inventory is placed first.
  • Deploy/smoke planning is document-only.
  • Rollback command covers both commits: d2db418 and 0947613.
  • Decision matrix is useful.

Required rev2 patches

P1 — Build commands must not print logs before secret scan

Rev1 uses commands such as:

... nuxt typecheck 2>&1 | tail -30
... docker compose build ... 2>&1 | tail -30

These commands can print sensitive lines before any secret scan has run. Patch all typecheck/build commands to:

  1. write full log to /tmp/d28-build-verify-*.log;
  2. capture exit code;
  3. run boolean secret scan with grep -qi;
  4. print safe tail only if secret scan PASS;
  5. never print matching secret lines.

Add report fields:

build_log_path=/tmp/d28-build-verify-build.log
typecheck_log_path=/tmp/d28-build-verify-typecheck.log
build_log_secret_scan=PASS|FAIL|NOT_RUN
typecheck_log_secret_scan=PASS|FAIL|NOT_RUN
secret_scan_printed_matches=false

P2 — Build must not mutate source tree outside explicit allowed temp/build artifacts

Rev1 has NO_FILE_MUTATION_OUTSIDE_TEMP=true, but running Nuxt build inside a bind-mounted /app may create .nuxt/, .output/, cache files, or other artifacts in the host source tree.

Patch:

  • Before build/typecheck, snapshot git status and list known build artifact paths.
  • After build/typecheck, run git status again and detect untracked/modified files.
  • If the build creates untracked artifacts in the source tree, remove only known safe build artifacts:
    • web/.nuxt/
    • web/.output/
    • web/node_modules/.cache/ only if present and safe
    • any other path must trigger STOP/REPORT, not deletion.

Report:

source_tree_mutation_detected=true|false
build_artifacts_created=<list>
build_artifacts_cleaned=true|false|N/A
unexpected_files_after_build=<list>

If unexpected files remain, status cannot be PASS.
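The snapshot/diff/clean procedure above, as an added POSIX sh example (this is not code from the reviewed prompt or from rev1). It diffs two saved `git status --porcelain` listings, classifies every new entry as either a known safe artifact or an unexpected file, and cleans only the safe artifact directories; anything else is a STOP. The function names `d28_*` and the temp-file names are my own; the safe-artifact list and the report field names follow the review.

```shell
#!/bin/sh
# Added example, not the reviewed prompt's own code: detect source-tree mutation by
# diffing `git status --porcelain` snapshots taken before and after build/typecheck,
# clean only the known safe artifacts, and STOP/REPORT on anything else (P2).
set -u

# Paths the pack may remove on its own (from the review); any other new path is a STOP.
D28_SAFE_ARTIFACTS='web/.nuxt/ web/.output/ web/node_modules/.cache/'

# d28_snapshot OUTFILE -> saves the current status, sorted (requires a git working tree).
# --untracked-files=all lists files inside new directories, not just the directory.
d28_snapshot() { git status --porcelain --untracked-files=all | sort > "$1"; }

# d28_is_safe_artifact PATH -> 0 if PATH equals or lies under a safe artifact dir.
d28_is_safe_artifact() {
  for safe in $D28_SAFE_ARTIFACTS; do
    case "$1" in "$safe"|"$safe"*) return 0 ;; esac
  done
  return 1
}

# d28_classify BEFORE AFTER -> prints the P2 report fields for entries that are new
# in AFTER; returns 0 only when every new entry is a known safe artifact.
# Inputs are sorted porcelain v1 snapshots ("XY path": the path starts at column 4).
d28_classify() {
  created=""; unexpected=""
  tmp=$(mktemp /tmp/d28-status-diff.XXXXXX) || return 2
  comm -13 "$1" "$2" > "$tmp"
  while IFS= read -r line; do
    path=${line#???}
    if d28_is_safe_artifact "$path"; then created="$created $path"
    else unexpected="$unexpected $path"; fi
  done < "$tmp"
  rm -f "$tmp"
  created=${created# }; unexpected=${unexpected# }
  if [ -n "$created$unexpected" ]; then echo source_tree_mutation_detected=true
  else echo source_tree_mutation_detected=false; fi
  echo "build_artifacts_created=${created:-none}"
  echo "unexpected_files_after_build=${unexpected:-none}"
  [ -z "$unexpected" ]
}

# d28_clean_artifacts ROOT -> removes the safe artifact dirs under ROOT if present and
# prints build_artifacts_cleaned=true|N/A. It never touches any other path.
d28_clean_artifacts() {
  cleaned=0
  for safe in $D28_SAFE_ARTIFACTS; do
    if [ -d "$1/$safe" ]; then rm -rf "${1:?}/$safe"; cleaned=1; fi
  done
  if [ "$cleaned" = 1 ]; then echo build_artifacts_cleaned=true
  else echo build_artifacts_cleaned=N/A; fi
}

# Usage inside a git checkout (set D28_DEMO=1): snapshot, build, snapshot, classify.
if [ "${D28_DEMO:-0}" = 1 ]; then
  d28_snapshot /tmp/d28-status-before.txt
  # ... run the approved build/typecheck command here ...
  d28_snapshot /tmp/d28-status-after.txt
  if d28_classify /tmp/d28-status-before.txt /tmp/d28-status-after.txt; then
    d28_clean_artifacts .
  else
    echo 'STOP: unexpected files after build; status cannot be PASS' >&2
  fi
fi
```

The classification is deliberately prefix-based on the artifact directories, so `web/.nuxtrc` or a stray `web/nuxt.config.ts.bak` does not slip through as a "safe" artifact; the cleanup helper only ever deletes the listed directories, which is the deletion boundary the review asks for.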

P3 — Clarify allowed Docker operations

The prompt forbids container restart and deploy, but includes docker compose run --rm and docker compose build options.

Patch hard boundaries / allowed operations:

Allowed:

docker compose run --rm for ephemeral build/typecheck container, if it does not restart running services.
docker compose build only if it does not tag/push/deploy or affect running services; otherwise document only.

Forbidden:

docker compose up
docker compose restart
docker compose down
docker compose pull if it changes production runtime unexpectedly
docker compose push
docker compose stop/start running service

Report:

ephemeral_container_used=true|false
docker_image_build_performed=true|false
running_service_affected=false
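The allowed/forbidden table above as an executable gate, written here as an added POSIX sh example (not code from the reviewed prompt or rev1). `d28_compose_policy` classifies a `docker compose` argument list as ALLOWED, FORBIDDEN or DOCUMENT_ONLY, and `d28_compose` refuses to call Docker for anything that is not ALLOWED. One stricter reading is mine: for `run`, the gate requires `--no-deps` as well as `--rm`, because `docker compose run` otherwise starts the service's `depends_on` dependencies, which is one way an "ephemeral" container can end up touching running services. Treating `config` and `ps` as read-only introspection is also an assumption.

```shell
#!/bin/sh
# Added example, not the reviewed prompt's own code: a policy gate for `docker compose`
# argument lists that encodes the P3 allowed/forbidden table, plus a wrapper that refuses
# to execute anything not ALLOWED and emits the P3 report fields.
set -u

# d28_compose_policy SUBCOMMAND [ARGS...] -> prints ALLOWED, FORBIDDEN or DOCUMENT_ONLY.
d28_compose_policy() {
  sub=$1; shift
  case "$sub" in
    run)
      # Ephemeral only: require --rm and --no-deps (the latter is this example's stricter
      # reading of "does not restart running services": without it, compose starts the
      # depends_on services of the target).
      has_rm=0; has_nodeps=0
      for a in "$@"; do
        [ "$a" = --rm ] && has_rm=1
        [ "$a" = --no-deps ] && has_nodeps=1
      done
      if [ "$has_rm" = 1 ] && [ "$has_nodeps" = 1 ]; then echo ALLOWED; else echo FORBIDDEN; fi ;;
    build)
      # Allowed unless it also pushes; tagging/deploying belongs to the later deploy pack.
      for a in "$@"; do [ "$a" = --push ] && { echo FORBIDDEN; return 0; }; done
      echo ALLOWED ;;
    up|restart|down|push|stop|start) echo FORBIDDEN ;;
    pull) echo DOCUMENT_ONLY ;;           # may change production runtime unexpectedly
    config|ps) echo ALLOWED ;;            # read-only introspection (assumption)
    *) echo DOCUMENT_ONLY ;;
  esac
}

# d28_compose SUBCOMMAND [ARGS...] -> runs `docker compose ...` only if ALLOWED; otherwise
# prints STOP and returns 1 without touching Docker. Records what was used for the report.
d28_compose() {
  verdict=$(d28_compose_policy "$@")
  if [ "$verdict" != ALLOWED ]; then
    echo "STOP: docker compose $1 is $verdict in this pack" >&2
    return 1
  fi
  case "$1" in run) D28_EPHEMERAL=true ;; build) D28_IMAGE_BUILD=true ;; esac
  docker compose "$@"
}

# d28_compose_report -> the P3 fields; running_service_affected is pinned to false because
# the gate never lets a service-affecting subcommand through.
d28_compose_report() {
  printf 'ephemeral_container_used=%s\ndocker_image_build_performed=%s\nrunning_service_affected=false\n' \
    "${D28_EPHEMERAL:-false}" "${D28_IMAGE_BUILD:-false}"
}

# Usage (set D28_DEMO=1): an ephemeral typecheck run, then the report.
if [ "${D28_DEMO:-0}" = 1 ]; then
  d28_compose run --rm --no-deps "${NUXT_DEV_SERVICE:?set to the discovered dev service}" pnpm run typecheck
  d28_compose_report
fi
```

Because the gate is a pure function of the argument list, it can be unit-tested without a Docker daemon, and the prompt's hard boundaries become a single place to audit rather than a rule the agent has to remember on every command.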

P4 — Prefer non-image build verification before image rebuild

Rev1 lists B2 docker compose build <svc>. Building the production service image is heavier and may create or pollute images, so it should not be the first choice.

Patch recommended path order:

  1. B1: dev compose run ephemeral typecheck/build, if available.
  2. B3: existing dev/builder image run ephemeral, if available.
  3. B4: CI/GitHub Actions documentation only.
  4. B2: production image build only as documented option or only if explicitly approved in prompt rev2.
  5. B5/B6 remain disallowed/unavailable.

If B2 is used, report why B1/B3 are unavailable and confirm no running service is affected.

P5 — Typecheck/build command placeholders need stricter STOP behavior

Rev1 includes <NUXT_DEV_SERVICE> placeholders. Patch:

  • Agent must discover exact dev service name before any run.
  • If uncertain, STOP DEV_SERVICE_UNKNOWN.
  • Agent must not guess.

Report:

nuxt_dev_service_name=<name>|UNKNOWN
container_workdir=<path>|UNKNOWN

P6 — Typecheck command may not exist; detect script first

Some Nuxt projects may not have nuxt typecheck dependency/script.

Patch:

  • Inspect package.json scripts and devDependencies.
  • If typecheck script exists, prefer npm run typecheck / relevant package manager script.
  • If no typecheck script but nuxt binary exists in ephemeral env, use nuxt typecheck only if safe.
  • If typecheck unavailable, report typecheck_status=NOT_AVAILABLE, not FAIL.

P7 — Package manager must be discovered and respected

Rev1 mixes npm run build with a possible pnpm lockfile. Patch:

  • Detect the package manager from the lockfile or the packageManager field:
    • pnpm-lock.yaml / packageManager=pnpm@... → use pnpm;
    • package-lock.json → npm;
    • yarn.lock → yarn.
  • Do not run package manager install.
  • Use existing command in build environment.

Report:

package_manager=pnpm|npm|yarn|unknown
package_manager_command_used=<command>
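The P6 and P7 discovery steps together, as an added POSIX sh example (not code from the reviewed prompt or rev1). It reads the package manager from the packageManager field, falling back to the lockfile, then decides whether typecheck is available as a script, via the nuxt CLI (which needs vue-tsc installed), or not at all, and reports NOT_AVAILABLE rather than FAIL in the last case. It uses grep and sed on the raw JSON so it needs neither jq nor node; the `d28_*` names and the `<pm> exec nuxt typecheck` invocation are my assumptions.

```shell
#!/bin/sh
# Added example, not the reviewed prompt's own code: discover the package manager from
# the packageManager field or the lockfile (P7) and decide how, or whether, typecheck can
# run by inspecting package.json (P6). Plain grep/sed so it works without jq or node.
set -u

# d28_detect_pm DIR -> prints pnpm|npm|yarn|unknown.
# The packageManager field wins; lockfiles are the fallback. Nothing is installed.
d28_detect_pm() {
  pm=$(sed -n 's/.*"packageManager"[[:space:]]*:[[:space:]]*"\([a-z]*\)@.*/\1/p' \
        "$1/package.json" 2>/dev/null | head -n 1)
  if [ -n "$pm" ]; then echo "$pm"
  elif [ -f "$1/pnpm-lock.yaml" ]; then echo pnpm
  elif [ -f "$1/package-lock.json" ]; then echo npm
  elif [ -f "$1/yarn.lock" ]; then echo yarn
  else echo unknown; fi
}

# d28_typecheck_plan DIR PM -> prints typecheck_status and package_manager_command_used.
# Heuristic on raw JSON (a key named "typecheck" anywhere in package.json counts as the
# script); NOT_AVAILABLE is reported instead of FAIL when no typecheck path exists.
d28_typecheck_plan() {
  pkg="$1/package.json"
  if [ ! -f "$pkg" ] || [ "$2" = unknown ]; then
    printf 'typecheck_status=NOT_AVAILABLE\npackage_manager_command_used=N/A\n'
  elif grep -q '"typecheck"[[:space:]]*:' "$pkg"; then
    printf 'typecheck_status=SCRIPT\npackage_manager_command_used=%s run typecheck\n' "$2"
  elif grep -q '"vue-tsc"[[:space:]]*:' "$pkg"; then
    # nuxt typecheck needs vue-tsc installed; invoking it via `<pm> exec` is an assumption.
    printf 'typecheck_status=NUXT_CLI\npackage_manager_command_used=%s exec nuxt typecheck\n' "$2"
  else
    printf 'typecheck_status=NOT_AVAILABLE\npackage_manager_command_used=N/A\n'
  fi
}

# d28_pm_report DIR -> the P6/P7 report fields for one project directory.
d28_pm_report() {
  pm=$(d28_detect_pm "$1")
  echo "package_manager=$pm"
  d28_typecheck_plan "$1" "$pm"
}

# Usage (set D28_DEMO=1): report for the web/ project, or the directory given as $1.
if [ "${D28_DEMO:-0}" = 1 ]; then
  d28_pm_report "${1:-web}"
fi
```

The command reported is only a plan: the pack should still run it through the ephemeral container path, and an `unknown` package manager is a reason to STOP rather than to fall back to npm.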

P8 — Do not leave world-readable /tmp logs that may contain secrets without cleanup

Logs in /tmp may contain sensitive content. Patch:

  • use unique temp file names;
  • chmod 600 where possible;
  • remove logs after scan/report unless explicitly kept for debugging with no secrets;
  • report cleanup.

Report:

logs_cleaned=true|false
logs_retained_reason=<reason|N/A>
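The five-step log procedure from P1 and the temp-file hygiene from P8 share one helper, so here they are in a single added POSIX sh example (not code from the reviewed prompt or rev1). A step's full output goes to a unique `mktemp` file under /tmp with mode 0600, the exit code is captured, the secret scan is a boolean `grep -Eqi` whose matches are never printed, and the safe `tail -30` is shown only when the scan is PASS; cleanup removes the log unless a keep reason is given and the scan passed. The secret pattern list and the `d28_*` names are my own; the report field names follow the review.

```shell
#!/bin/sh
# Added example, not the reviewed prompt's own code: run a build/typecheck step with
# the log written to a unique 0600 temp file, a boolean secret scan, and a safe tail
# that is printed only when the scan passes (P1); cleanup and its report fields (P8).
set -u

# Illustrative secret markers (assumption: adapt to the project's own conventions).
D28_SECRET_PATTERN='password|passwd|secret|token|api[_-]*key|private[_-]*key|PRIVATE KEY'

# d28_secret_scan LOGFILE -> prints PASS or FAIL. Uses grep -q, so no matching line
# ever reaches stdout (secret_scan_printed_matches=false by construction).
d28_secret_scan() {
  if grep -Eqi "$D28_SECRET_PATTERN" "$1"; then echo FAIL; else echo PASS; fi
}

# d28_run_logged STEP CMD [ARGS...]
# Runs CMD with stdout+stderr redirected to /tmp/d28-build-verify-STEP.XXXXXX (0600),
# then sets D28_EXIT, D28_LOG and D28_SCAN. Prints `tail -30` of the log on stdout
# only if the scan is PASS; on FAIL it prints a one-line notice to stderr instead.
d28_run_logged() {
  step=$1; shift
  D28_LOG=$(mktemp "/tmp/d28-build-verify-$step.XXXXXX") || return 2
  chmod 600 "$D28_LOG"
  if "$@" >"$D28_LOG" 2>&1; then D28_EXIT=0; else D28_EXIT=$?; fi
  D28_SCAN=$(d28_secret_scan "$D28_LOG")
  if [ "$D28_SCAN" = PASS ]; then
    tail -30 "$D28_LOG"
  else
    echo "[$step] log tail suppressed: secret scan FAIL (matching lines not printed)" >&2
  fi
}

# d28_report_step STEP -> the report fields P1 asks for, from the last d28_run_logged.
d28_report_step() {
  printf '%s_log_path=%s\n%s_log_secret_scan=%s\n%s_exit_code=%s\n' \
    "$1" "$D28_LOG" "$1" "$D28_SCAN" "$1" "$D28_EXIT"
  echo 'secret_scan_printed_matches=false'
}

# d28_cleanup_log LOGFILE SCAN [REASON]
# Deletes the log unless a keep reason is given AND the scan passed; a log that
# failed the scan is always removed. Prints the P8 report fields.
d28_cleanup_log() {
  if [ -n "${3:-}" ] && [ "$2" = PASS ]; then
    printf 'logs_cleaned=false\nlogs_retained_reason=%s\n' "$3"
  else
    rm -f "$1"
    printf 'logs_cleaned=true\nlogs_retained_reason=N/A\n'
  fi
}

# Usage (set D28_DEMO=1 to run): a typecheck step that succeeds, then cleanup.
if [ "${D28_DEMO:-0}" = 1 ]; then
  d28_run_logged typecheck sh -c 'echo "nuxt typecheck: 0 errors"'
  d28_report_step typecheck
  d28_cleanup_log "$D28_LOG" "$D28_SCAN"
fi
```

Note that a FAIL from the scan does not change the build's own exit code: the two are reported separately, so a build that compiled cleanly but logged a credential still surfaces as a log-safety problem rather than being masked as a build failure or silently passed.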

P9 — Route smoke list must remain documentation-only and not include event_outbox

Rev1 already says no event_outbox smoke, which is good. Add an explicit hard line:

Do not call any HTTP route in this pack except optional non-live introspection of scripts/files. No curl to production routes.

This avoids accidental live smoke.

P10 — Rollback must not run automatically on build failure unless the prompt says so

Rev1 says to roll back if build verification reveals a broken state. Since no deploy has occurred, however, rollback is a governance decision, and an automatic revert may conflict with the review flow.

Patch:

  • If build/typecheck FAIL, report and recommend rollback.
  • Do not execute rollback unless explicitly authorized in the prompt or by GPT/User.
  • Exception: if build command created temporary files, clean only temp/build artifacts.

Report:

rollback_recommended=true|false
rollback_executed=false

P11 — Update next pack naming

If Tier 1 PASS, next should be:

D28_DEPLOY_AND_LIVE_SMOKE_PROMPT_REVIEW

not immediate deploy execution. This keeps the GPT/User review gate in place.

Directive to Opus

Patch the prompt to rev2 at:

knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-build-verify-pack-prompt.md

Keep scope narrow: build/typecheck verification only. Do not dispatch after patch; return for GPT/User review.

Summary

Rev1 has the right direction. Rev2 must tighten log secrecy, source-tree mutation, Docker operation boundaries, package-manager detection, build artifact cleanup, and rollback governance before dispatch.

Path: knowledge/dev/laws/dieu44-trien-khai/reviews/gpt-review-d28-deploy-build-verify-pack-prompt-rev1-2026-05-10.md