KB-52E4

GPT Review — D28 Generated Table Map Implementation Prompt rev7


Date: 2026-05-10
Reviewer: GPT-5.5 Thinking / Incomex Hội đồng AI (AI Council)
Reviewed: knowledge/dev/laws/dieu28-trien-khai/prompts/d28-generated-table-map-implementation-prompt.md rev7

Verdict

REV8 REQUIRED — small safety/accuracy patch before dispatch.

Rev7 correctly adopts Path F: host-side .mjs generator using Node built-ins only. This is the preferred direction because it avoids package install, container restart, dev compose, and host node_modules.

However, a few details must be tightened before dispatch to avoid accidental URL leakage and false PASS reporting.

Accepted rev7 direction

Accepted:

  • execution_model=HOST_NODE_MJS_NO_DEPS.
  • Generator file changes from .ts/tsx to .mjs/node.
  • No external dependency.
  • No host package install.
  • No container exec required.
  • No deploy.
  • No live route smoke.
  • No Directus/PG/table_registry mutation.
  • Output remains TypeScript artifact: web/generated/table-maps.generated.ts.
  • Build/typecheck explicitly deferred because host has no deps and production container has no source.

Required rev8 patches

P1 — Generated artifact must not contain Directus URL or token-derived metadata

Rev7 says the generated header includes source; the prompt must state explicitly that source means the logical source only, not a URL.

Patch generator requirements:

Generated artifact MUST NOT include:
- Directus URL;
- token;
- Authorization header;
- env var values;
- hostnames if derived from env.

Allowed source metadata:
- source_table='table_registry';
- row_count;
- status_filter;
- content_hash;
- generated_at;
- generator_path.

P2 — Do not print the head of the generated artifact if the header might include sensitive source

The rev7 command prints head -10 of the generated artifact. After P1 this should be safe, but the prompt should still say:

Only print generated artifact head after verifying it contains no URL/token/env value.
Otherwise print file exists + byte count only.

Simpler patch: replace head -10 with:

wc -c /opt/incomex/docker/nuxt-repo/web/generated/table-maps.generated.ts

and optionally grep -q 'AUTO-GENERATED'.
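One way to implement the P1/P2 gate in the no-dependency Node style of Path F, as an added example that is not code from the reviewed prompt: scan the artifact for the resolved env values and their hostnames, report only variable names, and print the head only when the scan is clean. The function names, the blanket "any http(s) URL" rule, and the sample values in the test are assumptions.

```javascript
// Added example: gate that decides whether the artifact head may be printed.
// Env names are the ones the review lists; all other names are hypothetical.
const SENSITIVE_ENV_NAMES = [
  'NUXT_DIRECTUS_SERVICE_TOKEN', 'DIRECTUS_ADMIN_TOKEN',
  'NUXT_PUBLIC_DIRECTUS_URL', 'DIRECTUS_PUBLIC_URL', 'DIRECTUS_URL',
];

// Strings that must never appear: raw env values plus the host derived
// from any URL-valued variable. Map value is a label that is safe to print.
function forbiddenNeedles(env) {
  const needles = new Map();
  for (const name of SENSITIVE_ENV_NAMES) {
    const value = env[name];
    if (!value) continue;
    needles.set(value, name);
    try {
      const host = new URL(value).host;
      if (host) needles.set(host, `${name} (host)`);
    } catch { /* value is not a URL, e.g. a token */ }
  }
  return needles;
}

// Returns labels only, never the matched value, so the report cannot leak.
function findLeaks(artifactText, env) {
  const leaks = [];
  for (const [needle, label] of forbiddenNeedles(env)) {
    if (artifactText.includes(needle)) leaks.push(label);
  }
  // Conservative assumption: a table map has no reason to contain any URL.
  if (/https?:\/\//i.test(artifactText)) leaks.push('literal URL');
  if (/authorization\s*:|bearer\s+\S+/i.test(artifactText)) leaks.push('auth header');
  return leaks;
}

// What the runner may print: first 10 lines only when the scan is clean,
// otherwise byte count and leak labels.
function safeArtifactReport(artifactText, env) {
  const leaks = findLeaks(artifactText, env);
  if (leaks.length > 0) {
    const bytes = Buffer.byteLength(artifactText, 'utf8');
    return `bytes=${bytes} head=WITHHELD leaks=${leaks.join(',')}`;
  }
  return artifactText.split('\n').slice(0, 10).join('\n');
}
```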

P3 — API failure logging must not print URL

Rev7 preflight 0F uses:

.catch(e=>console.log('API_FAIL:'+e.message))

Node/fetch error messages can include target URL. Patch to:

.catch(()=>console.log('API_FAIL'))

or report status code only. Do not print URL.

Generator script should also avoid printing full URL on fetch failure. It may print:

Directus request failed: HTTP <status>

without URL or response body if body may contain sensitive details.

P4 — Phase status cannot be PASS when build/typecheck is not run and server import is unverified

Rev7 allows phase1b_status=PASS|PARTIAL|FAIL|BLOCKED, but under the rev7 constraints:

build_typecheck_status=NOT_RUN_RUNTIME_CONTAINER_NO_SOURCE_AND_HOST_NO_DEPS
server_import_final_verification=NEEDS_BUILD_VERIFY

Therefore the best possible status for a successful rev7 run should be:

phase1b_status=PARTIAL

unless the Agent somehow obtains a valid build/typecheck without violating boundaries.

Patch report/status rules:

If build_typecheck_status starts with NOT_RUN or server_import_final_verification=NEEDS_BUILD_VERIFY, phase1b_status MUST be PARTIAL, not PASS.

P5 — package.json scripts need env expectations documented

The new scripts:

"generate:table-maps": "node scripts/generate-table-maps.mjs",
"verify:table-maps": "node scripts/generate-table-maps.mjs --check"

will not work unless env vars are present. Patch the prompt to require that the script itself support both env naming schemes:

Token env accepted: NUXT_DIRECTUS_SERVICE_TOKEN || DIRECTUS_ADMIN_TOKEN
URL env accepted: NUXT_PUBLIC_DIRECTUS_URL || DIRECTUS_PUBLIC_URL || DIRECTUS_URL

This is already partially stated; make it mandatory and report:

env_names_supported=NUXT_DIRECTUS_SERVICE_TOKEN,DIRECTUS_ADMIN_TOKEN,NUXT_PUBLIC_DIRECTUS_URL,DIRECTUS_PUBLIC_URL,DIRECTUS_URL
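A sketch of how a generator could combine P3 and P5, as an added example that is not the project's script: resolve the token and URL from either naming scheme, then reduce every failure to a fixed string or an HTTP status. The `/items/table_registry?limit=-1` request path, the injectable `fetchImpl` parameter and the function names are assumptions.

```javascript
// Added example. Env names are those listed under P5; the endpoint path and
// the injected fetchImpl parameter are assumptions for illustration.
function resolveDirectusEnv(env) {
  const token = env.NUXT_DIRECTUS_SERVICE_TOKEN || env.DIRECTUS_ADMIN_TOKEN;
  const url = env.NUXT_PUBLIC_DIRECTUS_URL || env.DIRECTUS_PUBLIC_URL || env.DIRECTUS_URL;
  const missing = [];
  if (!token) missing.push('token');
  if (!url) missing.push('url');
  return { token, url, missing }; // "missing" names the kind, never a value
}

// Fetch table_registry rows. Every failure path returns a fixed string or an
// HTTP status; e.message, the URL and the response body are never surfaced.
async function fetchRegistryRows(env, fetchImpl = fetch) {
  const { token, url, missing } = resolveDirectusEnv(env);
  if (missing.length > 0) {
    return { ok: false, message: `Directus env missing: ${missing.join(',')}` };
  }
  let res;
  try {
    const base = url.replace(/\/+$/, '');
    res = await fetchImpl(`${base}/items/table_registry?limit=-1`, {
      headers: { Authorization: `Bearer ${token}` },
    });
  } catch {
    // Network/DNS/TLS failure: the error object is deliberately not bound.
    return { ok: false, message: 'API_FAIL' };
  }
  if (!res.ok) {
    return { ok: false, message: `Directus request failed: HTTP ${res.status}` };
  }
  try {
    const body = await res.json();
    return { ok: true, rows: body.data };
  } catch {
    return { ok: false, message: 'Directus response was not valid JSON' };
  }
}
```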

P6 — Static extras must be treated as legacy exceptions, not normal registry data

Rev7 keeps:

STATIC_EXTRAS = { trigger, comment, taxonomy }

Patch prompt/report to make this explicit:

static_extras_are_legacy_exceptions=true
static_extras_must_not_expand_without_D28_design_review=true

This prevents the generated map from becoming a new hidden hardcoded map.

P7 — If relations.get.ts import cannot be verified, do not over-state behavior preservation

Patch text:

Because build/typecheck is deferred, behavior preservation for relations.get.ts is provisional.
Report SERVER_IMPORT_NEEDS_BUILD_VERIFY and require follow-up build pack before deploy.

P8 — Report should include best_possible_status=PARTIAL_UNTIL_BUILD_VERIFY

Add report field:

best_possible_status=PARTIAL_UNTIL_BUILD_VERIFY

This makes clear that a clean rev7 run is expected to be PARTIAL, not a full production-ready PASS.

Directive to Opus

Patch prompt rev8 at:

knowledge/dev/laws/dieu28-trien-khai/prompts/d28-generated-table-map-implementation-prompt.md

Patch narrowly. Keep Path F. Do not dispatch after patch; return for GPT/User review.

Hard boundaries unchanged

NO_DEPLOY=true
NO_LIVE_ROUTE_SMOKE=true
NO_DIRECTUS_MUTATION=true
NO_PG_MUTATION=true
NO_PUBLISH_EVENT_OUTBOX=true
NO_CHANGE_TABLE_REGISTRY=true
NO_SECRET_IN_CODE_OR_LOG=true
NO_PRINT_ENV_TOKEN_URL=true
NO_PACKAGE_INSTALL=true
NO_NPX_AUTO_INSTALL=true
NO_LOCKFILE_CHANGE=true
NO_CONTAINER_RESTART=true
NO_DOCKER_COMPOSE_RESTART=true

Summary

Rev7 is structurally correct and likely close to dispatch. Rev8 must prevent URL leakage and make status semantics honest: under Path F without build/typecheck, a successful run is PARTIAL_UNTIL_BUILD_VERIFY, not final PASS.
