GPT Prompt S191 — P10D-2C VPS SSOT Activate/Verify for Opus
Date: 2026-04-30
Purpose: Give Opus a corrected prompt that respects VPS as code/runtime SSOT and enforces “if not certainly right, it is wrong.”
Prompt to Opus
Opus, reset the deploy framing.
Do not assume GitHub/CI is the source of truth. Current law and operating reality say:
VPS = SSOT for code/runtime.
GitHub/CI, if used, is only a pipe/tool.
Relevant law/evidence:
- Điều 41 v1.1 is enacted for the current phase where VPS is operating SSOT.
- Prior deploy reports explicitly warn not to blindly git pull/checkout/reset when VPS diverges from origin.
User’s principle:
Not certainly right = wrong.
Do not issue any instruction based on assumptions.
Anything Opus cannot verify directly must be sent to Agent for verification before deciding.
Your next task is not “push to GitHub and deploy.” Your next task is to determine the correct VPS-SSOT activation path for commit 5ce3437, then either authorize the safe activation or stop with evidence.
P10D-2C — VPS SSOT Activation Path Check + Runtime Verify
1. Goal
Activate the already-committed P10D-2B code on the live Nuxt runtime without violating VPS-as-SSOT.
Commit to activate:
5ce3437 — P10D: add parallel TAC official laws screen
Do not make new feature code changes in this task.
2. Known facts
Known from P10D-2B report:
- VPS repo /opt/incomex/docker/nuxt-repo contains commit 5ce3437.
- Nuxt container currently serves a prebuilt .output/ from /opt/incomex/deploys/nuxt-output.
- Source changes do not become live until the runtime .output/ is updated.
Unknown / must verify before action:
- Is 5ce3437 already pushed to origin or only local VPS?
- What is the approved current build/deploy path for Nuxt under Điều 41?
- Is GitHub Actions the actual pipe used now, or is there a VPS-local build/deploy script?
- Would pushing/pulling/CI overwrite VPS SSOT changes?
- Are there existing dirty files/divergence that must be preserved?
3. Authority split: Opus vs Agent
Opus may decide only from evidence already in KB or from Agent’s fresh report.
If Opus is not 100% certain about a runtime/deploy fact, Opus must dispatch Agent to verify it.
Agent must not activate/deploy until the activation path is known and safe, unless the prompt explicitly authorizes a specific verified activation command.
4. Gate 0 — Machine identity
All checks on runtime/repo must be via SSH to VPS.
echo "=== Control Host ==="
hostname && whoami
echo "=== Runtime Host via SSH ==="
ssh contabo 'hostname -f || hostname'
ssh contabo 'cd /opt/incomex/docker/nuxt-repo && pwd'
ssh contabo 'docker ps --format "{{.Names}}" | grep -E "nuxt|nginx|directus|postgres"'
ssh contabo 'docker exec postgres psql -U directus -d directus -tAc "SELECT current_database() || chr(47) || current_user;"'
PASS only if runtime is VPS and DB identity is directus/directus.
5. Phase A — Read-only activation path discovery
Agent must collect evidence first. No deploy/build/restart yet.
A1. Confirm repo state
ssh contabo 'cd /opt/incomex/docker/nuxt-repo && git status --short && git log --oneline -5 && git branch --show-current && git remote -v'
Report:
- current branch;
- latest commit;
- whether 5ce3437 is HEAD;
- dirty files;
- remote URL names only, not credentials.
A2. Check origin/divergence without changing local state
Do not pull/reset/checkout.
ssh contabo 'cd /opt/incomex/docker/nuxt-repo && git fetch --dry-run 2>&1 || true'
ssh contabo 'cd /opt/incomex/docker/nuxt-repo && git status -sb'
ssh contabo 'cd /opt/incomex/docker/nuxt-repo && git log --oneline --decorate --graph --max-count=12 --all'
If git fetch --dry-run is not safe/available, report and skip. Do not mutate.
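Added example (not part of the original prompt): a POSIX sh function that turns the `git status -sb` text collected in A2 into one reportable state, parsing captured output only so nothing on the VPS is touched. The state names and the sample input are constructed for illustration; the ahead/behind counts are relative to the remote-tracking refs from the last real fetch, which `git fetch --dry-run` does not update.

```sh
#!/bin/sh
# Added example. Classifies the text of `git status -sb` read from stdin.
# It parses captured output only; it never runs git or touches the repo.
# Prints one line: "<STATE> ahead=<n> behind=<n> dirty=<n>"
# State names are labels chosen for this example, not git terminology.
classify_status_sb() (
  header=""
  dirty=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "## "*) header=$line ;;            # branch/upstream summary line
      "")     ;;                         # ignore blank lines
      *)      dirty=$((dirty + 1)) ;;    # modified, staged or untracked path
    esac
  done
  # Counts appear as "[ahead N]", "[behind N]" or "[ahead N, behind M]".
  ahead=$(printf '%s\n' "$header" | sed -n 's/.*\[.*ahead \([0-9][0-9]*\).*/\1/p')
  behind=$(printf '%s\n' "$header" | sed -n 's/.*\[.*behind \([0-9][0-9]*\).*/\1/p')
  ahead=${ahead:-0}
  behind=${behind:-0}
  case "$header" in
    "")              state=NO_HEADER ;;      # input was not `git status -sb`
    *"(no branch)"*) state=DETACHED ;;       # detached HEAD, nothing to compare
    *"[gone]"*)      state=UPSTREAM_GONE ;;  # tracked remote branch was deleted
    *...*)
      if [ "$ahead" -gt 0 ] && [ "$behind" -gt 0 ]; then state=DIVERGED
      elif [ "$ahead" -gt 0 ]; then state=AHEAD      # local commits not on origin
      elif [ "$behind" -gt 0 ]; then state=BEHIND    # origin commits not on VPS
      else state=IN_SYNC
      fi ;;
    *)               state=NO_UPSTREAM ;;    # branch tracks no remote
  esac
  printf '%s ahead=%s behind=%s dirty=%s\n' "$state" "$ahead" "$behind" "$dirty"
)

# Constructed sample input (not real output from the VPS).
printf '## main...origin/main [ahead 1, behind 2]\n M pages/example.vue\n' |
  classify_status_sb
```

DIVERGED, BEHIND, or a dirty count above zero means a pull, reset or checkout would change the VPS working tree. NO_UPSTREAM, DETACHED and UPSTREAM_GONE mean divergence cannot be determined from this output alone.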
A3. Inspect current Nuxt runtime wiring
ssh contabo 'docker inspect incomex-nuxt --format "{{json .Mounts}}" 2>/dev/null || docker inspect nuxt --format "{{json .Mounts}}" 2>/dev/null || true'
ssh contabo 'docker ps --format "table {{.Names}}\t{{.Image}}\t{{.Command}}\t{{.Ports}}" | grep -E "nuxt|nginx" || true'
ssh contabo 'ls -la /opt/incomex/deploys/nuxt-output 2>/dev/null || true'
ssh contabo 'find /opt/incomex -maxdepth 4 -iname "*deploy*" -o -iname "docker-compose*.yml" -o -iname "package.json" | head -80'
Report:
- which container serves Nuxt;
- where .output comes from;
- whether repo source is bind-mounted into runtime or only build output is mounted.
A4. Inspect approved build/deploy scripts/docs
Search only. Do not run.
ssh contabo 'cd /opt/incomex/docker/nuxt-repo && find . -maxdepth 4 -type f \( -name "*.yml" -o -name "*.yaml" -o -name "package.json" -o -name "README*" -o -name "*.sh" \) | sort | head -200'
ssh contabo 'cd /opt/incomex/docker/nuxt-repo && grep -RIn "deploy-vps\|nuxt-output\|pnpm build\|nuxt build\|rsync\|incomex-nuxt\|deploys/nuxt-output" .github scripts . package.json 2>/dev/null | head -200'
Report exact file/line evidence for the deploy path.
A5. Determine activation options
Agent must output one of these:
Option A: Existing documented VPS-local build/deploy command is available and safe.
Option B: Existing GitHub Actions/CI is the documented pipe, but must be reconciled with VPS SSOT.
Option C: Deployment path unclear or unsafe — STOP.
For each option, state:
- evidence;
- risk to VPS SSOT;
- exact next command(s) if safe;
- whether a separate authorization is needed before execution.
6. Phase B — Activation only if safe
Agent may proceed to activation only if Phase A proves an approved path with no SSOT risk.
If Option A — VPS-local build/deploy is documented
Run only documented commands. No invented commands.
Before activation:
ssh contabo 'cd /opt/incomex/docker/nuxt-repo && git status --short && git log --oneline -1'
After activation, verify runtime.
If Option B — GitHub Actions/CI is the documented pipe
Do not assume push is safe.
Agent must verify:
- Is 5ce3437 already on the remote branch that triggers deploy?
- Would pushing from VPS be allowed and safe under Điều 41?
- Are there any local commits not on origin that would be included?
- Could CI deploy overwrite VPS runtime with a different commit?
If any answer is uncertain → STOP and ask User/GPT.
If all safe and authorized:
- push only the current branch/commit as needed;
- record pushed commit hash;
- observe/verify CI deploy evidence if accessible;
- do not run git pull/reset/checkout on VPS.
If Option C — unclear/unsafe
STOP. Upload discovery report. Do not deploy.
7. Phase C — Runtime verification after activation
Only after activation.
Verify:
C1. TAC official screen
ssh contabo 'curl -s -o /dev/null -w "%{http_code}" "http://localhost:3000/knowledge/laws"'
ssh contabo 'curl -s -o /dev/null -w "%{http_code}" "http://localhost:3000/knowledge/laws/27e48995-d6a1-4a44-8559-cab6a07fdbe0"'
Expected: 200.
Check content by HTML if SSR exposes it; if not, record need for browser visual check.
C2. Directus data still visible
ssh contabo 'curl -s "http://localhost:8055/items/tac_publication?fields=doc_code,version" | python3 -c "import json,sys; d=json.load(sys.stdin).get(\"data\",[]); print(len(d)); [print(x.get(\"doc_code\"), x.get(\"version\")) for x in d]"'
Expected: D28/D32/D35 visible.
C3. KB legacy still works
Use a known real KB route from P10D-2B report:
ssh contabo 'curl -s -o /dev/null -w "%{http_code}" "http://localhost:3000/knowledge"'
ssh contabo 'curl -s -o /dev/null -w "%{http_code}" "http://localhost:3000/knowledge/dev/blueprints/architecture-decisions"'
Expected: 200.
C4. Logs if needed
If any HTTP check fails:
ssh contabo 'docker logs --tail=120 incomex-nuxt 2>/dev/null || true'
ssh contabo 'docker logs --tail=120 incomex-nginx 2>/dev/null || true'
Do not debug beyond evidence capture unless separately authorized.
8. Output report
Upload:
knowledge/dev/laws/dieu38-trien-khai/reports/p10d-2c-vps-ssot-activate-runtime-verify-2026-04-30.md
Report sections:
- Gate 0.
- VPS repo state and commit evidence.
- Runtime wiring evidence.
- Deploy/build path evidence.
- Activation option chosen: A/B/C.
- Commands executed, if any.
- Runtime verification results.
- KB legacy route verification.
- Verdict:
- DISCOVERY_ONLY_STOP,
- ACTIVATION_PASS,
- ACTIVATION_FAIL.
- Next action recommendation.
9. Hard boundaries
- Do not assume.
- Do not pull/reset/checkout blindly.
- Do not overwrite VPS SSOT.
- Do not make new feature code changes.
- Do not mutate Directus or DB.
- Do not invent build commands.
- If unsure, STOP and report.
10. Explanation style
Use User’s metaphor:
VPS is the real house. GitHub/CI may be a truck or tool, not the house. Before flipping the breaker, inspect which breaker actually powers the new TAC screen. If unsure, stop and report.