[CLAUDE] Docs: S58 session-end closeout — E-008/AS-12 error-ledger + session log + STATUS/HANDOFF final Run #386 + harvest gate PASS 5/5

- error-ledger: AS-12 NEW (identifier-based prod op phải dump env-đích) + E-008 RCA lock NO-OP 2 tầng (population Dev-only + password 11<12 silent CreateAsync-fail; Why-0 RAG-archaeology: từng phát hiện S22 nhưng const không fix — lesson "discovery phải thành code-fix/guard ngay") + Active-Guard episodic mới (1 strike, verified Run #382). - Session log S58 NEW: 5 đợt việc / 7 commit / Run #382-#386 (4 PASS + #385 cancelled-supersede-benign) / 11 spawn / lessons / bundle final DMm9rtNA/BUkOMn_Y. - STATUS/HANDOFF: bundle line final + In-Progress refresh (ops anh: tzutil · chuong.phan typo · 5 staff password · lock IT users sau gán người thật) + S58-chiều section đủ 5 đợt + chore-flag H2-đo (cicd 41.1KB + inv 32.9KB). - Harvest (H2 GATE PASS 5/5): cicd #386 supersede-chain entry + #383 mark "VỊ TRÍ LẠC" chống curate-sweep nhầm (P2) + investigator tag normalize s58 (P5) + tooling-auditor H1-end on-behalf (return-cut partial — finding salvaged: docs verified-flushed) + harvest-curator H2-end entry. - RAG: +1 chunk S58 key facts (1153b74b, rerank 0.898 retrievable). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 14:33:20 +07:00
parent 3ebaf84531
commit 157792749f
8 changed files with 61 additions and 5 deletions
--- a/docs/governance/error-ledger.md
+++ b/docs/governance/error-ledger.md
@ -30,6 +30,7 @@ Detect by **action-signature** (NOT "AI tự phán có vi phạm không"). Scan
 | AS-9 | A/B/C choice handed to anh **without** decision-brief trục | Gov-v2 §G2 | reframe as full brief |
 | AS-10 | sub-agent writes a tracked file (MEMORY.md / code) despite **R1 return-only** (Write/Bash residual) | R1 return-only (HMW) — prompt-rule, NOT mechanized (G-015) | git-diff post-P2 catch → lead VERIFY benign+accurate+placement → keep or revert (NOT a bug if correct; chunk-count for RAG-write) |
 | AS-11 | cross-stack feature: BE validator/nullability ≠ FE required-marker for the SAME field | em-main shared-contract consistency (E-007) | RCA + align FE↔BE + reviewer-gate (held S51) |
+| AS-12 | identifier-based data op trên prod (lock/seed/migrate-by-email/code) viết theo population đọc từ CODE/Dev, KHÔNG dump bảng env đích | gotcha #60 (E-008) — assertion 0-row/`-1` ⟹ nghi data-mismatch TRƯỚC code-bug | RCA + dump env-đích trước khi viết list + seed-password thỏa policy nghiêm nhất mọi env |

 ## 🛡️ Active-Guards index (2-strike promote: episodic → procedural)

@ -48,11 +49,20 @@ Detect by **action-signature** (NOT "AI tự phán có vi phạm không"). Scan
 | **git-diff + chunk-count post-P2 containment** (defense-in-depth, HMW) | R1 sub-write residual (AS-10) · store_memory bypass (AS-3) | **procedural** (institutionalized S50 = standard B6 post-wave audit) | 1 (S49) | ✅ S49 (caught inv-api self-MEMORY in git-diff; chunk 2414=2414) + **S50 wave `h2-verify` (git-diff agent-memory EMPTY, chunk 2415=2415, 0 leak)** | ++ (G-015 honest — NOT allowlist-alone) |
 | heavy spawn → `run_in_background` | looks-frozen | **procedural** (2-strike met) | 2 (S45, S48) | ✅ S48 (FD bg) + S50 (all 4 monitor+wave spawns bg) | + |
 | RAG glob `**/`-anchored (not root) | gotcha #10 node_modules leak | procedural | 1 (S41) | ✅ (2406 clean) | ++ |
+| dump bảng env-đích TRƯỚC identifier-based data op (lock/seed-by-email) | gotcha #60 (AS-12) | episodic | 1 (S57bis lock NO-OP) | ✅ S58 (recon dump → fix `5998163` → Run #382 đo 34 locked) | ++ |

 ## 📋 RCA entries (blameless — newest on top)

 > Format: `E-NNN | date | rule | what | 5-why root | fix (prod-bug = 2-fix: code + guard) | prevention | tags[TYPE/ACTOR/COMPONENT]`

+### E-008 — AS-12 lock-demo-user prod NO-OP: population Dev ≠ prod + seed silent-fail (S57bis ship, S58 fix, cicd-caught)
+- **rule (AS-12 NEW):** thao tác data theo-identifier trên prod (lock/seed/migrate-by-email) mà list viết từ CODE/Dev population, KHÔNG dump bảng env đích → silent NO-OP/sai-target. Assertion trả 0-row/`-1` ⟹ nghi data-mismatch TRƯỚC khi nghi code.
+- **what:** S57bis ship `LockDemoSampleUsersAsync` 14 email named-person (đọc từ seed code = population Dev-only). Demo prod thật = 20 UAT-matrix (`bod.1@`, `pm.nv@`… tạo TAY 05-13, chưa từng trong code). Run #381 deploy PASS + health 200 + code RAN — locked=0, hoàn toàn silent. Tầng 2 ẩn sâu hơn: `DemoUserPassword` 11 ký tự < prod `Identity:Password:RequiredLength=12` → `CreateAsync` trả `IdentityResult.Failed` (LogWarning-only, by-design 1-fail-không-abort) **mọi startup từ trước tới giờ** → named-person + `nv.cao`/`nv.truong` (IT pool — root cause "helpdesk inert" S56!) + 5 real staff KHÔNG BAO GIỜ tồn tại trên prod.
+- **5-why:** author tin seed code là source-of-truth population → Dev ≠ prod vì password-policy silent-fail → silent vì `IdentityResult` không throw → warning log prod không ai đọc → chỉ cicd #381 data-dump (PASS+PARTIAL) bắt được — test xanh + CI gate + health 200 đều mù với data-absence. **Why-0 (RAG-archaeology S58):** bug này TỪNG được phát hiện S22 (2026-05-13, session log ghi "Identity password policy ≥12 — existing memory mention `User@123456` 11 chars OUTDATED", 20 UAT user seed bằng `TestUser@2026` 12 ký tự) — nhưng const `DemoUserPassword` trong code KHÔNG được fix lúc đó → knowledge nằm trong session-log mà không thành code-fix/guard → tái diễn S57bis. Lesson: discovery phải đổi thành code-fix HOẶC ledger-guard ngay, session-log alone = chết.
+- **fix (prod-bug = 2-fix):** (code) `5998163` union 20 email prod-population (exact-email, KHÔNG pattern — `binh.le@` người thật sát scheme demo) + password → 12 ký tự → Run #382 đo thật: 55 user / 34 locked / helpdesk sống / 5 staff tạo / guard 6-6 active. (guard) gotcha **#60** + debug-checklist item 32 + cicd LESSON "lock/deactivate-by-email trả 0 ⟹ ALWAYS dump actual Users trước khi score FAIL" + Active-Guard episodic mới (dump-env-đích).
+- **prevention/guard:** mọi identifier-based op → dump env đích TRƯỚC khi viết list; seed password const thỏa policy NGHIÊM NHẤT mọi env (prod 12); grep warning log sau deploy có user-seed mới. AS-12 added §L.a.
+- **tags:** [seed-silent-fail+population-mismatch / em-main-S57bis-author · cicd-caught · recon-grounded / DbInitializer]
+
 ### E-007 — AS-11 parallel-fan-out shared-contract mismatch (S51, reviewer-caught pre-commit)
 - **rule (AS-11 NEW):** cross-stack feature fan-out where BE field nullability/validator ≠ FE required-marker for the SAME field → contract mismatch (empty submit → 400/500). Em-main shared-contract must spec required/optional consistently BOTH sides.
 - **what:** P11-C BE∥FE parallel (file-disjoint) spawn. Driver `phoneNumber/licenseNumber/licenseClass`: BE `NotEmpty()` validator + EF `.IsRequired()` NOT NULL, but FE KIND_CONFIG rendered them OPTIONAL (no `required:true`) → `buildBody` empty→null → 400/500. 186 tests GREEN (no test hit empty-optional path).