KB-6080

GPT Review — D28 Generated Table Map Implementation Prompt rev4

Date: 2026-05-09
Reviewer: GPT-5.5 Thinking / Incomex Hội đồng AI
Reviewed: knowledge/dev/laws/dieu28-trien-khai/prompts/d28-generated-table-map-implementation-prompt.md rev4

Verdict

REV5 REQUIRED — small safety patch before dispatch.

Rev4 correctly fixes the major env-export/runtime gap using set -a. It is close to dispatch. However, one secret-safety issue remains in the build-log scan step, and one Directus URL fallback issue remains in the status-values preflight.

Accepted rev4 fixes

  • set -a; source ../.env; set +a pattern added.
  • Node runtime env verification added.
  • Directus URL no longer printed.
  • CI secret status no longer guessed as PASS.
  • Server import proof tied to build/typecheck.
  • Status values use GET-style query rather than uncertain groupBy[].
  • Production statuses explicit.
  • Build log secret scan added.
  • No-deploy/no-mutation attestations added.

Required rev5 patches

P1 — Build log secret scan must not print matching secret lines

Current command:

npm run build 2>&1 | grep -i 'token\|secret\|bearer\|password' | head -5

If a secret appears, this command can print the leaked line into logs/report, violating NO_SECRET_IN_CODE_OR_LOG.

Patch to never print matching lines. Use grep -qi, or redirect logs to a temp file and report only a boolean:

ssh contabo "cd /opt/incomex/docker/nuxt-repo/web && set -a; source ../.env 2>/dev/null; set +a; npm run build > /tmp/d28-table-map-build.log 2>&1; CODE=\$?; if grep -qi 'token\|secret\|bearer\|password' /tmp/d28-table-map-build.log; then echo BUILD_LOG_SECRET_SCAN=FAIL; else echo BUILD_LOG_SECRET_SCAN=PASS; fi; echo BUILD_EXIT=\$CODE"

If a failure summary is needed, print only non-sensitive last lines after confirming scan PASS, or redact before printing.

P2 — Avoid running build twice just for secret scan

Rev4 has both 6C build and 6D build scan. This doubles cost and can produce different results.

Patch to one build command that:

  • captures output;
  • records exit code;
  • scans for secret keywords without printing matches;
  • optionally prints safe tail only if scan PASS.

P3 — Status-values Directus URL fallback must use both env names

Current 0G uses:

process.env.DIRECTUS_URL + '/items/table_registry...'

If only NUXT_PUBLIC_DIRECTUS_URL is available, 0E passes but 0G fails.

Patch 0G to use:

const url = process.env.DIRECTUS_URL || process.env.NUXT_PUBLIC_DIRECTUS_URL;

P4 — Typecheck command should avoid npx auto-install ambiguity

Rev4 uses:

npx --no-install nuxt typecheck

--no-install helps, but for consistency use one of:

./node_modules/.bin/nuxt typecheck

or explicitly retain npx --no-install and report it cannot install. This is minor; either is acceptable if stated.

P5 — Add report fields for build log storage and redaction

Add:

build_log_path=/tmp/d28-table-map-build.log
build_log_printed=false|safe_tail_only
secret_scan_printed_matches=false
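
The single-build pattern that P1, P2 and P5 ask for, as an added example (not part of the reviewed prompt or the project's scripts), meant to run on the build host. The names run_build_with_scan and SAFE_TAIL_LINES, the mktemp-generated log path used in place of the fixed /tmp path, and the fake_build sample are assumptions.

```shell
#!/bin/sh
# Added example: one build, private log, boolean-only report (P1, P2, P5).
# run_build_with_scan and SAFE_TAIL_LINES are hypothetical names.
SAFE_TAIL_LINES=5

run_build_with_scan() (
    # "$@" is the build command, e.g. run_build_with_scan npm run build
    # Assumption: mktemp (file created 0600, unpredictable suffix) replaces
    # the fixed /tmp/d28-table-map-build.log path.
    log=$(mktemp "${TMPDIR:-/tmp}/d28-table-map-build.XXXXXX") || exit 2

    # Single build: capture stdout and stderr, keep the build's own exit code.
    code=0
    "$@" >"$log" 2>&1 || code=$?

    # -q suppresses matching lines; only grep's exit status is used.
    # -E with | is the portable form of the \| alternation.
    if grep -qiE 'token|secret|bearer|password' "$log"; then
        scan=FAIL; printed=false
    else
        scan=PASS; printed=safe_tail_only
    fi

    echo "BUILD_LOG_SECRET_SCAN=$scan"
    echo "BUILD_EXIT=$code"
    echo "build_log_path=$log"
    echo "build_log_printed=$printed"
    echo "secret_scan_printed_matches=false"

    # The tail is printed only after the scan passed.
    if [ "$scan" = PASS ]; then
        tail -n "$SAFE_TAIL_LINES" "$log"
    fi

    # Succeed only when both the build and the scan succeeded.
    [ "$code" -eq 0 ] && [ "$scan" = PASS ]
)

# Constructed stand-in for the build; the credential is a made-up value.
fake_build() {
    echo "building client"
    echo "Authorization: Bearer CONSTRUCTED-VALUE-123"
}
run_build_with_scan fake_build || true
```

A keyword scan also reports FAIL on harmless lines that merely contain a word such as token, so FAIL means the log needs manual review rather than that a leak is confirmed.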

Directive to Opus

Patch the prompt to rev5 at:

knowledge/dev/laws/dieu28-trien-khai/prompts/d28-generated-table-map-implementation-prompt.md

Patch narrowly. Keep Phase 1B no-deploy scope. Do not dispatch after patch; return for GPT/User review.

Summary

Rev4 is essentially ready except for the build-log scan printing risk and the 0G URL fallback bug. Rev5 should be a small targeted patch.

knowledge/dev/laws/dieu44-trien-khai/reviews/gpt-review-d28-generated-table-map-implementation-prompt-rev4-2026-05-09.md