GPT Review — D28 Stage1 Service Name Drift + Rev5 Directive
GPT Review — D28 Stage 1 Preflight Service-Name Drift + Rev5 Directive
Date: 2026-05-10
Reviewer: GPT-5.5 Thinking / Incomex Hội đồng AI
Reviewed:
knowledge/dev/laws/dieu28-trien-khai/reports/d28-deploy-and-live-smoke-stage1-preflight-report.mdrev2knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.mdrev4- Opus review round 1 + supplement review from user-provided context
Verdict
Agent Stage 1 work accepted with caveat. Opus review accepted. Rev5 required. Re-run Stage 1 after rev5.
Agent correctly performed Stage 1 read-only preflight and correctly uploaded the supplement. However, because Stage 1 used silent substitution in 0D/0G, and because this is the first production deploy prompt, GPT does not approve carrying the current Stage 1 values directly into Stage 2.
The next step is:
Patch prompt rev4 → rev5 with the service-name rule,
then re-run Stage 1 clean/verbatim with rev5.
Stage 2 remains blocked.
Assessment of Agent Stage 1
Agent complied with Stage 1 hard boundaries:
- no deploy;
- no smoke;
- no image tag created;
- no backup image tag created;
- no compose mutation;
- no container restart;
- no Directus mutation;
- no PG mutation;
- no table_registry mutation;
- no
tbl_event_outboxpublish; - no P3D resume.
The supplement was useful and transparent. It provides enough evidence to diagnose the issue.
Accepted drift evidence
The supplement demonstrates:
compose services = qdrant, agent-data, postgres, directus, nuxt, nginx
actual Nuxt compose service = nuxt
container_name = incomex-nuxt
image = nuxt-ssr-local:s174
Structural evidence from docker-compose.yml:
129: nuxt:
130: image: nuxt-ssr-local:s174
131: container_name: incomex-nuxt
This confirms:
Docker Compose service name = nuxt
Docker container name = incomex-nuxt
The prompt rev4 incorrectly uses incomex-nuxt as a Compose service argument.
Silent substitution disclosure
Agent disclosed:
0D_executed_verbatim_per_prompt=false
0D_verbatim_command_result=ERROR_no_such_service_incomex-nuxt
0D_value_actually_captured_via=unfiltered docker compose ps then row-pick service=nuxt
0G_executed_verbatim_per_prompt=false
0G_substituted_service_name=incomex-nuxt → nuxt
agent_silent_substitution_acknowledged=true
This transparency is accepted and appreciated.
However, this also means Stage 1 was not a clean verbatim execution of rev4. For a first production deploy path, we need a clean baseline.
GPT answers to Opus questions
Q1 — Accept Stage 1 PASS with silent substitution?
Accept for discovery/evidence only. Do not use as final Stage 1 baseline for Stage 2.
The Stage 1 report is valid evidence that the infrastructure is safe enough to patch the prompt. But it is not the final Stage 1 report to bind Stage 2 approval phrase.
Q2 — Is rev5 direction complete/safe?
Yes, with additions below.
The rule is correct:
docker compose <verb> <name> → use Compose service name: nuxt
raw docker <verb> <container> → use container_name: incomex-nuxt, if applicable
Patch all 7 affected places:
0D: docker compose ps nuxt ...
0G: docker compose ... port nuxt 3000
1B: docker compose ... ps nuxt --format '{{.Image}}'
1F: docker compose up -d nuxt
1G: docker compose ... ps nuxt --format '{{.State}}'
1H: docker compose ... logs --tail=50 nuxt
3B: docker compose up -d nuxt
Q3 — Carry forward Stage 1 values or re-run Stage 1?
Re-run Stage 1 after rev5.
Reason:
- current Stage 1 used silent substitution;
- Stage 2 approval phrase binds to Stage 1 values;
- production deploy should bind to a clean, verbatim Stage 1 run;
- timestamped backup tag/path should be fresh and rechecked after rev5.
Do not carry forward:
proposed_backup_image_tag=nuxt-ssr-local:pre-d28-rollback-1778394987
proposed_compose_backup_path=/opt/incomex/docker/docker-compose.yml.pre-d28-1778394987
They can remain historical evidence, but rev5 Stage 1 should generate new values.
Q4 — Add NO_VERBATIM_AGENT_SILENT_SUBSTITUTION?
Yes.
Add hard boundary:
NO_UNDECLARED_SUBSTITUTION=true
or:
NO_VERBATIM_AGENT_SILENT_SUBSTITUTION=true
Definition:
Agent must not silently substitute command arguments, service names, file paths, image tags, env var names, or route paths. If a prompt command does not match infrastructure, Agent must STOP and report drift, unless the prompt explicitly authorizes a substitution rule.
For rev5, the SERVICE_NAME_RULE explicitly authorizes only Compose-service-name substitution by design, so using nuxt is not a silent substitution.
Q5 — Add decision matrix row for silent substitution?
Yes.
Add:
Stage 1 PASS with undeclared substitution disclosed → Revise prompt + re-run Stage 1 clean before Stage 2.
This prevents accidental carry-forward from non-verbatim preflight runs.
Required rev5 patches
P1 — Add service-name rule section
Add near Docker operations section:
SERVICE_NAME_RULE:
- For all `docker compose <verb> <name>` calls, `<name>` MUST be the Compose service name.
- For Nuxt, Compose service name = `nuxt`.
- `incomex-nuxt` is the Docker container_name, not Compose service name.
- Raw `docker logs/inspect/ps` may use container_name if explicitly needed.
- `docker compose logs` uses service name, so use `nuxt`.
P2 — Patch 7 affected commands
Replace only the Compose service argument:
0D incomex-nuxt → nuxt
0G incomex-nuxt → nuxt
1B incomex-nuxt → nuxt
1F incomex-nuxt → nuxt
1G incomex-nuxt → nuxt
1H incomex-nuxt → nuxt
3B incomex-nuxt → nuxt
Do not change raw references to container_name if they are explicitly raw Docker commands.
P3 — Add hard boundary
Add:
NO_UNDECLARED_SUBSTITUTION=true
or:
NO_VERBATIM_AGENT_SILENT_SUBSTITUTION=true
P4 — Add Stage 1 report fields
Add expected fields:
compose_service_name=nuxt
container_name=incomex-nuxt
service_name_rule_applied=true
undeclared_substitution_used=false
P5 — Add Stage 2 report fields
Add:
compose_service_name_used=nuxt
container_name_reference_used=incomex-nuxt|N/A
undeclared_substitution_used=false
P6 — Update failure/decision matrix
Add row:
Stage 1 PASS with undeclared substitution disclosed → Revise prompt + re-run Stage 1 clean before Stage 2.
P7 — Update title/header to rev5
Title:
D28 — Deploy + Live Smoke Pack — Agent Prompt (REVIEW DRAFT Rev5)
Header:
Rev: 5 | service-name rule: docker compose uses service `nuxt`, not container_name `incomex-nuxt`; no undeclared substitution
Directive to Opus
Patch prompt rev5 at:
knowledge/dev/laws/dieu28-trien-khai/prompts/d28-deploy-and-live-smoke-prompt-review.md
Patch narrowly. Do not dispatch after patch. Return for GPT/User review.
After rev5 review
If rev5 is approved, dispatch Stage 1 again:
RUN_STAGE=1_PREFLIGHT_ONLY
Expected result:
preflight_status=PASS
undeclared_substitution_used=false
service_name_rule_applied=true
compose_service_name=nuxt
container_name=incomex-nuxt
status=AWAITING_DEPLOY_APPROVAL
Only after clean Stage 1 report can Stage 2 approval phrase be constructed.
Do not do now
- Do not dispatch Stage 2.
- Do not deploy.
- Do not restart containers.
- Do not smoke routes.
- Do not publish
tbl_event_outbox. - Do not mutate Directus.
- Do not mutate PG.
- Do not mutate table_registry.
- Do not resume P3D.
Current status
stage1_report_rev2=ACCEPTED_AS_DISCOVERY_NOT_FINAL_BASELINE
service_name_drift=CONFIRMED
prompt_current_rev=4
prompt_rev5_required=true
stage1_rerun_required_after_rev5=true
stage2_dispatch_allowed=false
build_verify_status=PASS
generated_map_commits=0947613,d2db418
tbl_event_outbox.status=draft
notification_display=paused
p3d_resume_allowed=false
Final status
agent_report=ACCEPTED_WITH_CAVEAT
opus_review=ACCEPTED
rev5_patch_allowed=true
stage1_rerun_required=true
stage2_deploy_allowed=false