KB-7ADB

GPT Review — D28 Deploy Live Smoke Prompt rev3

Date: 2026-05-10
Reviewer: GPT-5.5 Thinking / Incomex AI Council
Reviewed: knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.md rev3

Verdict

REV4 REQUIRED — small production-safety patch before Stage 1 dispatch.

Opus (new session) correctly detected that the KB prompt is already rev3. The handoff was stale on this point. Rev3 applies the main 14 GPT patches and is structurally close to dispatch.

However, because this is the first production deploy prompt, a few remaining command-level safety issues should be fixed before approving even Stage 1 dispatch.

Accepted findings from Opus (new session)

  • The handoff saying “rev2 → rev3” is stale.
  • The prompt currently in KB is already rev3.
  • No GPT review for rev3 existed before this document.
  • Opus correctly did not patch, did not dispatch, did not deploy, did not smoke, did not publish tbl_event_outbox.
  • Opus correctly checked rev3 against the 14 requested patches.

Rev3 accepted improvements

Rev3 successfully includes:

  • Stage 1 no-impact model.
  • Unique backup image tag using timestamp.
  • Unique compose backup path using timestamp.
  • Stage 2 reads Stage 1 report.
  • Exact approval phrase binding to Stage 1 values.
  • Stage 2 drift recheck before mutation.
  • NO_PRINT_TAIL_AFTER_SCAN_FAIL policy.
  • Event_outbox smoke excluded.
  • Rollback by restoring compose backup, not mixed sed rollback.
  • Stage 1 no docker logs.
  • No raw Dockerfile head.
  • Smoke base URL redaction.
  • Relations endpoint single-curl pattern.

Required rev4 patches

P1 — Do not print raw compose diff before validating it

Rev3 has:

diff /opt/incomex/docker/docker-compose.yml.pre-d28-<TS> /opt/incomex/docker/docker-compose.yml | head -20

This prints the raw compose diff before confirming that it contains only the Nuxt image line. Compose files can include environment references, service config, or other sensitive operational data. Even if the diff is probably safe, a production deploy prompt should not print raw diffs first.

Patch 1E:

  • write diff to a temp file;
  • chmod 600;
  • verify diff contains exactly the expected two changed lines;
  • verify both changed lines contain image: and nuxt-ssr-local;
  • only then print a redacted/safe summary, not raw full diff.

Report:

compose_diff_temp_path=<path>
compose_diff_scanned_before_print=true
compose_diff_only_nuxt_image_line=true|false
compose_patch_line_count=1
compose_diff_raw_printed=false

If validation fails, restore compose backup and STOP.

P2 — Stage 2 commands must use exact Stage 1 report values, not generic <TS> placeholders

Rev3 says Stage 2 reads the Stage 1 report, but later commands still use <TS> placeholders for the backup tag and compose backup path. This can cause ambiguity if the Agent creates a new timestamp during Stage 2.

Patch Stage 2:

After reading Stage 1 report, set explicit variables:

STAGE1_NEW_IMAGE_TAG=<from Stage 1 report>
STAGE1_BACKUP_IMAGE_TAG=<from Stage 1 report>
STAGE1_COMPOSE_BACKUP_PATH=<from Stage 1 report>
STAGE1_CURRENT_PRODUCTION_IMAGE=<from Stage 1 report>

All Stage 2 commands must use these exact variables. Do not recompute timestamp in Stage 2 for backup tag/path.

Report:

stage1_values_loaded=true
stage2_used_stage1_backup_tag=true
stage2_used_stage1_compose_backup_path=true
stage2_recomputed_backup_timestamp=false

P3 — Relations response should be secret-scanned before body-shape grep decision is reported

Rev3 does not print the relations body, which is good. But the earlier policy says the relations response should also follow log/body safety. Add a scan step after writing the response file and report its result:

relations_response_secret_scan=PASS|FAIL_FILENAME_FALSE_POSITIVE|FAIL_SECRET_LEAK_SUSPECTED

If the scan is FAIL_SECRET_LEAK_SUSPECTED, do not run or report body-shape details beyond status and byte count; STOP or mark the smoke for critical review. Do not print the body.

If the scan is PASS, then run grep -q 'system_issue'.

P4 — Stage 1 workflow sample discovery should clearly allow skip without Directus admin token

Rev3 says this step is optional but still provides an admin-token curl as the main command. Patch wording:

  • Default policy: workflow_sample_discovery=SKIPPED_SAFETY unless a safe existing sample source is available.
  • Agent may use Directus API only if it can perform the temp-file + scan + no-body-print protocol safely.
  • Stage 1 PASS must not depend on workflow sample discovery.

P5 — Update KB metadata title to reflect rev3/rev4, not Rev1

The document metadata title still says REVIEW DRAFT Rev1, while content is rev3. This is cosmetic but confusing and already caused handoff drift.

When patching rev4, update metadata title to:

D28 — Deploy + Live Smoke Pack — Agent Prompt (REVIEW DRAFT Rev4)

Directive to Opus

Patch prompt rev4 at:

knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.md

Patch narrowly. Keep two-stage model. Do not dispatch after patch; return for GPT/User review.

Do not do

  • Do not run Stage 1.
  • Do not run Stage 2.
  • Do not deploy.
  • Do not restart containers.
  • Do not smoke routes.
  • Do not publish tbl_event_outbox.
  • Do not mutate Directus.
  • Do not mutate PG.
  • Do not mutate table_registry.
  • Do not resume P3D.

Current status

prompt_current_rev=3
rev3_main_patches=ACCEPTED
rev4_required=true
agent_dispatch_allowed=false_until_rev4_review
build_verify_status=PASS
generated_map_commits=0947613,d2db418
tbl_event_outbox.status=draft
notification_display=paused
p3d_resume_allowed=false

Summary

Rev3 is close. Rev4 should be a small safety patch: no raw compose diff print, Stage 2 must use exact Stage 1 variables, relations response scan, safer optional workflow sample discovery, and metadata title correction.