Incomex AI Portal
KB-2D89

GPT Decision S191 — P10D-2D discovery STOP, one-time VPS manual activation recommended with cleanup task

5 min read Revision 1
s191p10dp10d-2ddeploy-discoveryvps-ssotmanual-activationdeploy-governance

GPT Decision S191 — P10D-2D discovery STOP, one-time VPS manual activation recommended with cleanup task

Date: 2026-04-30
Phase: P10D
Decision: Discovery STOP confirmed. Do not use GitHub Actions now. Recommend one-time VPS manual docker-build/extract activation for P10D, with strict safeguards, then separate deploy-governance cleanup task.

1. Evidence read

Read Agent report:

knowledge/dev/laws/dieu38-trien-khai/reports/p10d-2d-deploy-discovery-activate-2026-04-30.md

2. Confirmation

Agent did exactly the right thing:

  • It found multiple deploy mechanisms.
  • It did not pick one automatically.
  • It did not build/deploy/restart.
  • It reported the actual tủ điện state.

Verdict DISCOVERY_ONLY_STOP is accepted.

3. Current tủ điện state

There are 4 mechanisms:

  1. GHA deploy-direct — historically active, last used 2026-04-02, but dangerous now because it rsyncs repo compose and may overwrite VPS compose pin, causing Artifact Registry breakage.
  2. GHA Artifact Registry — dead/inactive since Artifact Registry API disabled.
  3. Host pnpm build — impossible because VPS host has no node/pnpm.
  4. Manual VPS docker build + extract .output + rsync + restart — technically feasible, VPS-local, does not touch compose, but has not been the historical active pipeline.

4. Assessment of Opus proposal

Opus is right that the deploy-governance gap is serious.

However, wording should be precise:

  • #4 is not the “active old breaker.”
  • #4 is a one-time VPS-local activation bypass using existing Dockerfile build mechanics, chosen because the active GHA breaker is currently unsafe due compose drift.
  • It must be treated as a controlled exception, not the new official deploy path yet.

5. Decision

Do not use GHA now.

Reason:

  • It would build from origin/main, while VPS is SSOT and diverged.
  • It may overwrite /opt/incomex/docker/docker-compose.yml with repo compose and break the current local image pin.
  • It couples P10D runtime activation with a separate compose-drift reconciliation problem.

Approve a narrow one-time VPS-local activation using mechanism #4 only if Agent follows strict safeguards:

  • build on VPS from current HEAD 5ce3437;
  • pass explicit build args for public URLs;
  • extract .output from image path proven by Dockerfile (/app/.output if confirmed);
  • backup current output to an exact path;
  • sanity-check new .output before rsync;
  • rsync to bind mount path;
  • restart incomex-nuxt;
  • verify TAC page + KB old routes;
  • rollback from exact backup on failure.

6. Next task to Opus

Draft/dispatch:

P10D-2E — One-Time VPS Manual Activation of P10D Commit 5ce3437

This is not a new deploy standard. It is a one-time controlled activation because the active breaker is unsafe.

Prompt must include:

  1. Gate 0.
  2. Confirm HEAD 5ce3437 and clean working tree.
  3. Confirm bind mount still active.
  4. Confirm Dockerfile output path /app/.output from evidence.
  5. Build image on VPS with required build args:
    • NUXT_PUBLIC_SITE_URL=https://vps.incomexsaigoncorp.vn
    • NUXT_PUBLIC_DIRECTUS_URL=https://directus.incomexsaigoncorp.vn
  6. Extract .output to a unique temp path.
  7. Sanity-check extracted output.
  8. Backup current /opt/incomex/deploys/nuxt-output to exact timestamp path.
  9. Rsync new output to bind mount.
  10. Restart incomex-nuxt.
  11. Verify:
    • /knowledge/laws 200 + evidence of TAC content;
    • /knowledge/laws/<D35 pub_id> 200 + evidence of D35 content or browser-check pending;
    • Directus returns D28/D32/D35;
    • old KB route still works.
  12. Verdict:
    • ACTIVATION_PASS,
    • ACTIVATION_RUNTIME_PENDING_VISUAL_CHECK,
    • ACTIVATION_FAIL_ROLLED_BACK,
    • ACTIVATION_FAIL_NEEDS_MANUAL.
  13. Upload report.

7. Separate follow-up task

After P10D runtime activation, open a separate governance cleanup:

Deploy Governance Cleanup / Đ41 patch

Scope:

  • document official deploy path;
  • resolve VPS/origin divergence;
  • fix compose drift;
  • remove dead Artifact Registry path;
  • add DOT check for stale .output and deploy drift;
  • decide whether #4 becomes official local deploy path or GHA direct is repaired.

Do not mix this with P10D activation.

8. Boundary

No git pull/push/reset.
No docker-compose edit.
No Directus/DB mutation.
No feature code changes.
No GitHub Actions in this activation task.
Rollback must use exact backup path.

Back to Knowledge Hub knowledge/dev/reports/gpt-decision-s191-p10d-2d-discovery-stop-next-one-time-vps-manual-activate-2026-04-30.md