KB-1437

GPT Review — D28 Generated Table Map Implementation Prompt rev2

Date: 2026-05-09
Reviewer: GPT-5.5 Thinking / Incomex AI Council (Hội đồng AI)
Reviewed: knowledge/dev/laws/dieu28-trien-khai/prompts/d28-generated-table-map-implementation-prompt.md rev2

Verdict

REV3 REQUIRED — do not dispatch rev2.

Rev2 correctly fixes the major Phase 1B boundary problems: no deploy, no live route smoke, safer CI/token framing, literal reverse map, controlled commit, and draft exclusion. However, several execution-risk issues remain.

The most important risk is that the prompt may report token availability from .env while the generator still cannot read it, because the generator only reads process env. It also does not verify the Directus base URL needed for the GET call.

Accepted rev2 fixes

  • Phase 1B is clearly no-deploy.
  • Live route smoke is deferred.
  • CI token absence becomes BLOCKED_TOKEN_REQUIRED, not “manual is enough.”
  • Token values must not be printed.
  • reverseCollectionMap must be emitted as a literal object.
  • .gitignore patch is conditional and path-relative.
  • tsx availability is checked.
  • Git commit is controlled by clean repo + expected files + verification.
  • Build/typecheck vs blocked-env is separated.
  • Draft artifact is excluded by default and committed artifact must not include draft.

Required rev3 patches

P1 — Verify Directus base URL, not only token

The generator cannot query Directus with token alone. Rev2 must also verify the Directus URL/base endpoint.

Add preflight fields:

directus_url_present=true|false
directus_url_source=NUXT_PUBLIC_DIRECTUS_URL|DIRECTUS_URL|runtime_config|BLOCKED

Generator should accept either:

  • NUXT_PUBLIC_DIRECTUS_URL; or
  • DIRECTUS_URL; or
  • a clearly documented existing env var already used by Nuxt/Directus SDK.

Do not print secret values. Printing the base URL is acceptable if it is public; otherwise report source only.

If no base URL is available, STOP with:

DIRECTUS_URL_UNAVAILABLE

P2 — Token check must match generator runtime

Rev2 checks .env for the token, but the generator reads only process env. This can produce a false PASS.

Patch one of these designs:

Preferred: generator loads .env safely with existing project convention if available, without printing values.

or

Simpler: prompt requires Agent to run generator with env loaded explicitly from the existing deployment/runtime environment, without printing token.

Report must include:

generator_token_runtime_available=true|false
token_check_matches_generator_runtime=true|false

If .env contains token but generator cannot access it at runtime, STOP TOKEN_RUNTIME_MISMATCH.
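The P1 and P2 preflight written as a pure function, added here as an illustration and not taken from the reviewed prompt or the project. `DIRECTUS_TOKEN`, the lookup order of the two URL variables and the function names are assumptions; `runtimeEnv` stands for the environment the generator process actually receives.

```typescript
// Added example for P1/P2. TOKEN_VAR is an assumed name; the page does not name the token variable.
type Env = { [key: string]: string | undefined };

const URL_VARS = ["NUXT_PUBLIC_DIRECTUS_URL", "DIRECTUS_URL"]; // checked in this order (assumption)
const TOKEN_VAR = "DIRECTUS_TOKEN"; // hypothetical variable name

interface Preflight {
  directus_url_present: boolean;
  directus_url_source: string; // variable name or "BLOCKED", never the value
  generator_token_runtime_available: boolean;
  token_check_matches_generator_runtime: boolean;
  stop: "DIRECTUS_URL_UNAVAILABLE" | "TOKEN_RUNTIME_MISMATCH" | null;
}

// Names of non-empty KEY=value entries in .env text. Values are discarded immediately.
function dotenvKeys(text: string): string[] {
  const keys: string[] = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (m && m[2].replace(/^["']|["']$/g, "").trim() !== "") keys.push(m[1]);
  }
  return keys;
}

// runtimeEnv is what the generator process will actually see (pass process.env there).
function preflight(runtimeEnv: Env, dotenvText: string): Preflight {
  const has = (k: string): boolean => (runtimeEnv[k] || "").trim() !== "";
  const found = URL_VARS.filter(has);
  const source = found.length > 0 ? found[0] : "BLOCKED";
  const inRuntime = has(TOKEN_VAR);
  const inDotenv = dotenvKeys(dotenvText).indexOf(TOKEN_VAR) !== -1;
  let stop: Preflight["stop"] = null;
  if (source === "BLOCKED") stop = "DIRECTUS_URL_UNAVAILABLE";
  // A token that exists only in .env is the false PASS described in P2.
  else if (inDotenv && !inRuntime) stop = "TOKEN_RUNTIME_MISMATCH";
  return {
    directus_url_present: source !== "BLOCKED",
    directus_url_source: source,
    generator_token_runtime_available: inRuntime,
    token_check_matches_generator_runtime: inDotenv === inRuntime,
    stop,
  };
}

// Constructed sample: the URL is exported to the process, the token sits only in .env.
const SAMPLE_DOTENV = 'DIRECTUS_URL=https://directus.example.invalid\nDIRECTUS_TOKEN="constructed-token"\n';
const SAMPLE_REPORT = preflight({ DIRECTUS_URL: "https://directus.example.invalid" }, SAMPLE_DOTENV);
```

The report carries variable names and booleans only, so it can be pasted into the Agent report without exposing the token or the URL.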

P3 — Avoid npx auto-install risk

Rev2 forbids ad hoc package install but uses:

npx tsx ...

Depending on npm behavior, npx may attempt to download the package if it is not installed. Since the prompt checks for tsx in package.json, use the local binary instead where possible:

./node_modules/.bin/tsx scripts/generate-table-maps.ts

or use npm scripts after package.json is patched:

npm run verify:table-maps

Patch all npx tsx calls to avoid package download, or explicitly use npx --no-install tsx.

P4 — tsx_available check should inspect lockfile/node_modules too

grep -q 'tsx' package.json is too weak: it can match unrelated text while the package is not installed, or the dependency may be absent from the lockfile.

Patch preflight:

  • verify tsx in package.json dependencies/devDependencies;
  • verify local binary exists: web/node_modules/.bin/tsx; or lockfile contains tsx and dependencies are installed;
  • if dependencies are not installed, do not run install; report NODE_MODULES_OR_TSX_BINARY_MISSING.

P5 — Generated script must define Directus API request details precisely

Rev2 only says GET query. Add implementation requirements:

  • choose either fetch or the existing Directus SDK, and name the choice in the prompt;
  • send token via Authorization: Bearer <token>;
  • handle Directus response shape { data: [...] };
  • handle pagination/limit=-1 response;
  • handle HTTP errors with status but not body if body may contain sensitive info;
  • verify no unsafe fields are requested.
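One way to pin down the request details listed in P5, added here as an illustration and not taken from the reviewed prompt or the project's generator. The `/items/table_registry` path, the field names in `SAFE_FIELDS` and the error codes are assumptions; the functions are kept free of network calls so they can be checked offline.

```typescript
// Added example for P5. The collection path and field names are assumptions, not the project's schema.
const COLLECTION = "table_registry";                 // named on the page; its use here is assumed
const SAFE_FIELDS = ["id", "collection", "status"];  // hypothetical field whitelist

interface DirectusRequest {
  url: string;
  method: "GET";
  headers: { Authorization: string };
}

// Build the read-only request. Any field outside the whitelist aborts before a call is made.
function buildRequest(baseUrl: string, token: string, fields: string[]): DirectusRequest {
  const unsafe = fields.filter((f) => SAFE_FIELDS.indexOf(f) === -1);
  if (unsafe.length > 0) throw new Error("UNSAFE_FIELDS_REQUESTED:" + unsafe.join(","));
  const query = "limit=-1&fields=" + fields.map((f) => encodeURIComponent(f)).join(",");
  return {
    url: baseUrl.replace(/\/+$/, "") + "/items/" + COLLECTION + "?" + query,
    method: "GET",
    headers: { Authorization: "Bearer " + token },
  };
}

// Accept only the Directus envelope { data: [...] }. On an HTTP error the message carries the
// status code and nothing from the body, which may echo sensitive detail.
function parseResponse(status: number, bodyText: string): object[] {
  if (status < 200 || status > 299) throw new Error("DIRECTUS_HTTP_" + status);
  let parsed: any;
  try {
    parsed = JSON.parse(bodyText);
  } catch {
    throw new Error("DIRECTUS_BAD_JSON");
  }
  const data = parsed && parsed.data;
  if (!Array.isArray(data)) throw new Error("DIRECTUS_UNEXPECTED_SHAPE");
  return data;
}

// Wiring (not executed here): const req = buildRequest(url, token, SAFE_FIELDS);
// const res = await fetch(req.url, req); const rows = parseResponse(res.status, await res.text());

// Constructed sample bodies.
const SAMPLE_OK = '{"data":[{"id":1,"collection":"a","status":"published"}]}';
const SAMPLE_ERR = '{"errors":[{"message":"constructed sensitive detail"}]}';
```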

P6 — Row status handling must match live values exactly

Rev2 says default status IN ('active','published'). Agent reports live rows include published/draft, but some registries may use other status terms.

Patch:

  • generator must log/report all distinct live status values;
  • allowed production statuses configurable in script constant, default ['active','published'];
  • if a row has unexpected status and is not included, report it;
  • fail only if required production row has unsupported status.
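The status rules in P6 as a small classifier, added here as an illustration and not taken from the reviewed prompt or the project. Passing `requiredIds` is an assumed way of marking the required production rows, and the sample rows are constructed.

```typescript
// Added example for P6. requiredIds is an assumed way to mark "required production rows".
interface RegistryRow { id: number; status: string }

const ALLOWED_STATUSES = ["active", "published"]; // default from the review; edit here to change

interface StatusReport {
  distinct_statuses: string[];
  included: RegistryRow[];
  excluded: RegistryRow[];              // reported, not fatal
  required_unsupported: RegistryRow[];  // fatal
  ok: boolean;
}

function classifyStatuses(rows: RegistryRow[], requiredIds: number[]): StatusReport {
  const distinct: string[] = [];
  const included: RegistryRow[] = [];
  const excluded: RegistryRow[] = [];
  for (const row of rows) {
    // Compare exactly: no trimming or case folding, so "Published" is reported, not silently accepted.
    if (distinct.indexOf(row.status) === -1) distinct.push(row.status);
    if (ALLOWED_STATUSES.indexOf(row.status) !== -1) included.push(row);
    else excluded.push(row);
  }
  const requiredUnsupported = excluded.filter((r) => requiredIds.indexOf(r.id) !== -1);
  return {
    distinct_statuses: distinct.sort(),
    included,
    excluded,
    required_unsupported: requiredUnsupported,
    ok: requiredUnsupported.length === 0,
  };
}

// Constructed sample rows.
const SAMPLE_ROWS: RegistryRow[] = [
  { id: 1, status: "published" },
  { id: 2, status: "draft" },
  { id: 3, status: "active" },
  { id: 4, status: "Published" },
];
```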

P7 — SKIP and STATIC_EXTRAS must be justified in report

tbl_workflow_timeline is skipped due to a collection collision. trigger/comment/taxonomy are not in table_registry.

Patch report to require:

skipped_rows_with_reason=<list>
static_extras_with_reason=<list>

This prevents hidden hand-maintained map creep.

P8 — Consumer replacement should require type/import alias verification

Rev2 assumes ~/generated/... works in server API. Design said it was safe, but implementation should verify.

Patch:

  • after replacing imports, run a targeted TypeScript import check if possible;
  • if server route cannot import ~/generated/..., switch to relative import or generated server-safe path per report;
  • report generated_import_alias_safe=PASS|FAIL|FIXED_RELATIVE_IMPORT.

P9 — Commit should not happen if CI check is BLOCKED unless explicitly allowed

Rev2 allows commit when build/typecheck pass and check pass, even if CI token is blocked. That could be acceptable, but it should be explicit.

Patch:

  • if ci_check_status=BLOCKED_TOKEN_REQUIRED, phase status must be PARTIAL, not PASS;
  • commit may be created only if GPT/User approved partial commit policy in prompt.

For rev3, set policy:

commit_allowed_if_ci_blocked=true, but phase1b_status=PARTIAL and follow_up_packs includes D28_CI_TOKEN_SETUP_PACK.

P10 — Report should include exact expected-file whitelist

Before commit, Agent must verify only expected files changed:

web/scripts/generate-table-maps.ts
web/generated/table-maps.generated.ts
web/pages/knowledge/registries/[entityType]/index.vue
web/config/detail-sections.ts
web/server/api/discovery/relations.get.ts
web/package.json
web/.gitignore only if needed
CI workflow file only if modified
package-lock/yarn.lock/pnpm-lock.yaml only if dependency change explicitly allowed

Because dependency install is forbidden, lockfile changes should normally be zero.
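The P10 whitelist applied to the output of `git status --porcelain --untracked-files=all`, added here as an illustration and not taken from the reviewed prompt or the project. The option names are assumptions, the CI workflow path must be supplied by the caller because the page does not give it, and the sample status text is constructed.

```typescript
// Added example for P10. Input is the text of `git status --porcelain`; option names are assumptions.
const ALWAYS_EXPECTED = [
  "web/scripts/generate-table-maps.ts",
  "web/generated/table-maps.generated.ts",
  "web/pages/knowledge/registries/[entityType]/index.vue",
  "web/config/detail-sections.ts",
  "web/server/api/discovery/relations.get.ts",
  "web/package.json",
  "web/.gitignore", // listed as "only if needed"
];
const LOCKFILES = ["package-lock.json", "yarn.lock", "pnpm-lock.yaml"];

interface WhitelistOptions { ciWorkflowPath?: string; lockfileChangeAllowed?: boolean }

// Extract paths from porcelain v1 lines ("XY path" or "XY old -> new" for renames).
function changedPaths(porcelain: string): string[] {
  const paths: string[] = [];
  for (const line of porcelain.split(/\r?\n/)) {
    if (line.length < 4) continue;
    for (const p of line.slice(3).split(" -> ")) paths.push(p.replace(/^"|"$/g, ""));
  }
  return paths;
}

function checkChangedFiles(porcelain: string, opts: WhitelistOptions = {}) {
  const unexpected: string[] = [];
  const lockfiles: string[] = [];
  for (const p of changedPaths(porcelain)) {
    const base = p.split("/").pop() || "";
    if (LOCKFILES.indexOf(base) !== -1) {
      lockfiles.push(p);
      if (!opts.lockfileChangeAllowed) unexpected.push(p);
    } else if (ALWAYS_EXPECTED.indexOf(p) === -1 && p !== opts.ciWorkflowPath) {
      unexpected.push(p);
    }
  }
  return { commit_allowed: unexpected.length === 0, unexpected, lockfiles_changed: lockfiles };
}

// Constructed sample: one stray file and an unapproved lockfile change.
const SAMPLE_STATUS = [
  " M web/package.json",
  "?? web/generated/table-maps.generated.ts",
  " M web/package-lock.json",
  "?? web/tmp-debug.ts",
].join("\n");
```

Without `--untracked-files=all`, git collapses a wholly untracked directory into a single entry such as `web/generated/`, which this check would flag as unexpected.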

P11 — Build command with tail can hide important failures

Rev2 pipes build output to tail -30. That is fine for chat, but report should capture enough context.

Patch:

  • store build/typecheck logs to temp file on VPS or capture summary without leaking secrets;
  • report final error block and command exit code;
  • do not rely only on tail for decision.

Directive to Opus

Patch the prompt to rev3 at:

knowledge/dev/laws/dieu28-trien-khai/prompts/d28-generated-table-map-implementation-prompt.md

Patch narrowly. Keep Phase 1B no-deploy scope. Do not dispatch after patch; return for GPT/User review.

Hard boundaries unchanged

  • No deploy.
  • No live route smoke.
  • No Directus mutation.
  • No PG mutation.
  • No publishing of tbl_event_outbox.
  • No change to permission 1483.
  • No change to table_registry row 21.
  • No adding an entity_type column.
  • No fix to tbl_modules_list.collection in this pack.
  • No deep Nuxt redesign.
  • No touching Families 2–8.
  • No notification-specific UI.
  • No manual hardcoded map edit without generator.
  • No secret in code/log/report.
  • No ad hoc package install.

Summary

Rev2 is much safer than rev1, but rev3 must close execution gaps around Directus URL, token runtime access, npx auto-install, precise API request behavior, status handling, import alias verification, and partial commit policy.

knowledge/dev/laws/dieu44-trien-khai/reviews/gpt-review-d28-generated-table-map-implementation-prompt-rev2-2026-05-09.md