[CLAUDE] Docs: S58 closeout — lock fix prod-verified Run #382 + S57bis flush + gotcha #59/#60 + harvest on-behalf

- STATUS/HANDOFF: thêm S57bis + S58 (2-session gap S57bis đóng vội), counts re-ground (Mig 49 · test 240 · gotcha 60 · menu 57 · bundle CP4CB1ym/BmZ3VHnm curl-verified · RAG 2420). Ops S56 "gán user IT" RESOLVED (nv.cao/nv.truong sống lại nhờ password fix). - gotchas: #59 (PS5.1 git commit -F, residual S57bis) + #60 NEW (Identity seed CreateAsync silent-fail vs prod RequiredLength=12 — population Dev ≠ prod, dump data thật trước lock/seed-by-email) + checklist 31/32. - agent-memory: cicd Run #381 (residual) + #382 · 4 spawn-record on-behalf (database-agent/impl-backend/impl-frontend/reviewer — H2 Coverage 4-MISS đóng) · investigator-codebase recon · 2 monitor RE-REPORT entries. - skills: ef-core +row Mig 49 (49 mig ×5 chỗ) · README + dep-audit count sync. - CLAUDE.md root: Mig 49 + test 240 + gotcha 60 + schema-ref 32-49. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 13:09:29 +07:00
parent 5998163642
commit 2aefb3134d
15 changed files with 102 additions and 23 deletions
--- a/.claude/agent-memory/cicd-monitor/MEMORY.md
+++ b/.claude/agent-memory/cicd-monitor/MEMORY.md
@ -68,6 +68,8 @@ BE (test+build) ~90s · FE × 2 ~60s/app · deploy ~30s · **total ~3min code /

 ## 📅 Recent runs (FIFO — older → archive/git)

+- **2026-06-11 Run #382 (run_number 268) sha=`5998163` PASS ~3m31s (S58 FIX the Run #381 lock NO-OP — DbInitializer.cs ONLY, BE-only, NO Mig/FE):** Push `dd117b7..5998163` 1 commit 1 file `DbInitializer.cs` (+28/-5). Fix: (1) `LockDemoSampleUsersAsync` union +20 UAT-matrix prod email (`{act,equ,fin,hra,pm,qs}.{nv,pp,tp}@`+`bod.{1,2}@`) into prior 14 named-person = 34-email list; (2) `DemoUserPassword` 11→12 chars (`User@123456`→`User@1234567`) fixing silent CreateAsync-fail vs prod `RequiredLength=12` (S56 helpdesk-inert root cause). `.cs` present → full pipeline RAN. Poll iter5 status=success (started 12:58:06 → 13:01:37). **Bundle FROZEN admin `CP4CB1ym` + user `BmZ3VHnm`** (= #381 UNCHANGED ✓ CORRECT for BE-only, verified AFTER status=success — NOT ship-fail). **NO migration** — prod `__EFMigrationsHistory` top = Mig 49 `AddWorkItemToPurchaseEvaluation` == repo, GIỮ NGUYÊN ✓. sys.tables=**93** unchanged. Health live/ready 200 + admin/eoffice root 200. **THE FIX VERIFIED prod (Users table — note: custom Identity table name `Users` NOT `AspNetUsers`):** total **55** users · **21 active** · **34 inactive==34 locked-future** (== lock-list size exactly). 12-sample UAT-matrix all `active=0 locked=1` (#381 NO-OP now RESOLVED — these exist in prod + got locked ✓). Named-person 14/14 found+locked (CREATED this startup via 12-char pw fix + locked same run). **Must-stay-active 6/6** admin·catalog.manager·nv.test·chuong.phan@solution.com.vn(typo-domain)·**nv.cao+nv.truong** ALL `active=1` (IT helpdesk pool ALIVE — S56 ops-pending RESOLVED by pw fix, created this startup not in lock-list). **5 new real staff** (thanh.lethanh/anh.nguyen/tring.le/truong.le/long.nguyen) all CREATED+`active=1` ✓ (12-char pw passes RequiredLength=12). Smoke nv.test login OK (token 477) + GET /api/menus 200 + /purchase-evaluations 200. 0 regression. **LESSON: lock-by-email NO-OP (#381) was a DATA-mismatch not code-bug → S58 reconciled email-list to actual prod population (UAT-matrix created via admin UI, never in seed) + the 11-vs-12 pw bug was a SECOND latent cause silently blocking ALL non-existing-user CREATE on prod (RequiredLength=12) — same fix resurrected 16 named + 5 staff + helpdesk pool. Verify lock-fix = dump Users cohorts (active/inactive split + named exact-IN), NOT just total count.** Tag `[s58, run382, pass, fix-lock-noop, pw-11to12, be-only-bundle-frozen]`.
+- **2026-06-11 Run #381 (run_number 267) sha=`dd117b7` PASS+1PARTIAL ~4m25s (S57bis PE gắn WorkItem Mig 49 + all-role Pe perm + menu Cá nhân regroup + lock-14-demo-user — cross-stack BE+FE×2+Mig+test, +12 PeWorkItemGuardTests→240):** 2-commit push: prev `17b23a4` (governance+hmw.js → Run #380 **cancelled**, superseded — correct, no FE/BE contract change) then `dd117b7` (PRODUCT, Run 381 = the deciding run). 26 files: Mig 49 `20260611044424_AddWorkItemToPurchaseEvaluation` (3-file, PE.WorkItemId Guid? loose-Guid NO physical FK + `IX_PurchaseEvaluations_WorkItemId`) + Domain `PurchaseEvaluation.cs` + Config + Features + DbInitializer (perm + `LockDemoSampleUsersAsync` + menu regroup) + MenuKeys + 3 master controllers (write-lock Admin/CatMgr) + FE×2 (PeDetailTabs/PeHeaderForm/PeWorkspaceCreateView/menuKeys/types). **Run IN-PROGRESS at first check (status=running 12:14) — polled to terminal** (12:14:16→12:18:41 ≈4m25s success). ⚠️ poll-grep gotcha: `"status"` field sits AFTER `"display_title"` in tasks JSON → `[^}]*"display_title"` regex cut before status (showed blank all 10 iters); final FULL-object parse `\{"id":381,...deploy.yml[^}]*\}` confirmed status=success. **Bundle ROTATE BOTH** admin `4SUwDLD8→CP4CB1ym` + user `XdKzt9LL→BmZ3VHnm` (PE in both apps ✓ shipped, verified AFTER status=success). **Mig 49 applied prod** (`__EFMigrationsHistory` top = AddWorkItem... ✓ + WorkItemId col=1 + IX=1). sys.tables=**93** (col-only, no delta). Health live/ready 200 + admin/eoffice 200. **Perm seed STRONG: Pe_* CanCreate=1 = 130 rows across 13 roles** (was 3-role → all-role open landed); PeWf%=0 + AwV2%=2 (designer stays admin-only ✓ no leak). Menu regroup ✓: Personal root@30 · Off_ChamCong→Personal@1 · **Hrm_Config**→Master@25 (spec said key `HrmConfig`, real key has underscore `Hrm_Config` — verify by ParentKey/Order NOT literal Key) · Contracts@31 · Hrm_Dashboard→Hrm@1. Smoke PE unauth 401 (/purchase-evaluations + /catalogs/work-items) vs control 404 (auth real). WorkItems VT/TP/MEP/TB=71. **⚠️ PARTIAL item 7 — lock-14-users is a prod NO-OP:** `LockDemoSampleUsersAsync` SHIPPED+RAN but its 14 hardcoded emails (`bod.huynh@`,`pm.nguyen@`,`fin.do@`,`qs.hoang@`...) **DON'T EXIST in prod** — real demo set uses dept.position scheme `bod.1@`/`bod.2@`/`pm.{nv,pp,tp}@`/`fin.{nv,pp,tp}@`/`qs.{nv,pp,tp}@` (34 users ALL active, INACTIVE_TOTAL=0). Each FindByEmail→null→locked=0. Guard `nv.cao`/`nv.truong` also absent (-1, vacuously safe); catalog.manager+admin confirmed active. NOT a deploy fail (code correct) — email list stale vs this DB seed. Escalated em main: reconcile lock-list to actual `*.{nv,pp,tp}@` scheme OR confirm named-person legacy users were ever seeded. **LESSON: lock/deactivate-by-email assertion returning 0/`-1` ⟹ ALWAYS dump actual `Users` set before scoring FAIL — code may have run as no-op against mismatched data, NOT broken.** Tag `[s57bis, run381, pass-partial, mig49-pe-workitem, allrole-perm-130, lock-noop-email-mismatch]`.
 - **2026-06-09 Run #379 (run_number 265) sha=`a20cde8` PASS ~4m20s (S56 GOLIVE-HARDEN BE fixes — LeaveBalance concurrency + ItTicket authz-order + DocxRenderer null-guard + tests, ZERO FE/Mig):** Push `bef5825..a20cde8` 1 commit 13 files: 3 BE `LeaveOtApprovalFeatures.cs` (atomic ExecuteUpdate + Serializable tx vs lost-update) + `WorkflowAppsFeatures.cs` (authz reorder Forbidden-before-NotFound) + `DocxRenderer.cs` (null-guard) + 4 test files (+12 → 216→**228**) + 6 agent-memory `.md`. `.cs`+test present → NOT docs-skip, full pipeline RAN. **Run IN-PROGRESS at first check (status=running 17:51) — correctly did NOT FAIL, polled to terminal** (started 17:51:45 → updated 17:56:05 ≈4m20s status=success iter5). **Bundle FROZEN admin `4SUwDLD8` + user `XdKzt9LL`** (= #378, UNCHANGED ✓ CORRECT for BE-only — NOT ship-fail, mirror Run #243/#368; verified pre-deploy + post-success + +5s re-confirm, NO transient, NO unexpected rotation). **NO migration** — prod `__EFMigrationsHistory` top = `20260609020759_AddProjectMasterFields` (Mig 48) == repo latest, GIỮ NGUYÊN ✓ (BE-logic-only, schema untouched). sys.tables=**93** unchanged. Health live+ready **200/200** + admin/eoffice root 200. **Smoke changed-area endpoints (all gated, none crash):** `GET /it-tickets/assignable-staff` unauth=**401** · `PUT /it-tickets/{guid}/assign` unauth+body=**401** (authz-reorder fix live, route wired) · `GET /leave-balances/my` unauth=**401** (concurrency fix dll deployed) · control fake `/it-tickets/zzz-not-a-route`=**404** (proves 401s are real auth gates not catch-all). 0 regression. **Ship-proof for BE-only no-contract-change = run success + test 228 + Mig 48 unchanged + bundle frozen + health 200** (no observable API delta — fixes are internal handler logic: atomic tx / exception order / null-guard; cannot curl-assert lost-update fix, rely on +12 tests passing in CI gate). Tag `[s56, run379, pass, golive-harden, be-only-bundle-frozen, no-mig]`.
 - **2026-06-09 (S56 pre-golive verify — NO deploy, read-only audit):** Re-verified prod truth at golive gate (HEAD `bef5825` docs-only → prod correctly = Run #378). build SolutionErp.slnx 0-err + fe-admin/fe-user npm build 0-TS each + test **216** (58D+158I) exact. Prod health live+ready 200; admin root serves `4SUwDLD8` / eoffice `XdKzt9LL` (== baseline, NO drift). `__EFMigrationsHistory` top = Mig 48 == repo; 92 tables. Master-data prod spot: Projects=70 (62 real+8 demo), CAL01.Investor=N'Công ty TNHH Calofic' exact, WorkItems real=71 (VT16/TP30/MEP9/TB16) of 86, Suppliers 3/3. **LESSON — local-vs-prod FE hash divergence is EXPECTED, not ship-fail:** fresh local `npm build` produces a DIFFERENT content-hash than CI-built prod artifact (node_modules/timestamp inputs not byte-reproducible) → load-bearing check is `prod-hash == documented-baseline`, NOT `== my-local-rebuild`. Don't false-alarm on local≠prod when HEAD unchanged. Tag [s56, pre-golive-verify, prod-truth-pass, local-vs-prod-hash-lesson].

--- a/.claude/agent-memory/database-agent/MEMORY.md
+++ b/.claude/agent-memory/database-agent/MEMORY.md
@ -32,3 +32,4 @@
 ## Log
 - **S52 (2026-06-08):** Seeded (em main, adap-apply database-agent). Roster 10→11. Nấc executed-file. CHỜ restart + spawn-test → verified-runtime.
 - **S56 (2026-06-09) — pre-golive verify (2nd real spawn, verified-runtime ✓):** Schema/Mig integrity P11 + S55 master-data = SOLID. Mig 42-48 applied IDENTICALLY Dev+Design+prod `.\SQLEXPRESS` (48 mig / 92 tables, **NO S53-style unapplied-local drift**); 0 pending model-snapshot diff; **9 gotcha-#57 filtered-unique** confirmed BOTH EF config (HasFilter×13) AND DB (`filter_definition=([IsDeleted]=(0))`) incl Vehicle/Driver day-1; FK đúng (LeaveBalance→LeaveType Restrict + UNIQUE(User,Type,Year); 4× LevelOpinions Cascade(parent)/Restrict(Level)+UNIQUE composite; ItTicket SLA nullable). **DB11 FAIL (1 major, fast-follow KHÔNG blocker):** `LeaveBalance.UsedDays += NumDays` @ `LeaveOtApprovalFeatures.cs:361-386` chạy bare SaveChanges (no tx / no RowVersion / READ COMMITTED) → concurrent double-approve lost-update. **S43 gap STILL OPEN.** Fix-pattern sẵn repo: Serializable tx (codegen `:34`) HOẶC RowVersion+retry (1 mig). Low-prob ~30 user, recoverable Admin Adjustment. Tag [s56, pre-golive-verify, schema-pass, db11-lostupdate-open].
+- **S57bis (2026-06-11) — PE gắn Hạng mục design (3rd real spawn, DELIVERED — on-behalf em main ghi hộ, H2-proposed):** Introspect LocalDB → design `PurchaseEvaluations.WorkItemId Guid?` scalar **loose-Guid + IX, KHÔNG FK vật lý** — nhất quán convention PE (ProjectId/SelectedSupplierId đều loose; duy nhất ApprovalWorkflowId có FK). Guard = validator + handler mirror S43 FK-invariant. KHÔNG đụng CodeSequences (mã phiếu giữ `PE/{YYYY}/{A|B}/{Seq}`). LEARNED: PE FK-convention map (loose-Guid là norm module này — FK vật lý là exception). SURPRISE: WorkItems = catalog GLOBAL (KHÔNG ProjectId) → 2 dropdown độc lập; "Dự án (năm) – Hạng mục" chỉ là chuỗi ghép hiển thị, không ràng buộc quan hệ. Ship: Mig 49 deploy Run #381 prod-applied. Tag `[s57bis, mig49-design, on-behalf]`.
--- a/.claude/agent-memory/harvest-curator/MEMORY.md
+++ b/.claude/agent-memory/harvest-curator/MEMORY.md
@ -29,3 +29,4 @@ H2 harvest-MD-integrity auditor **SOLUTION_ERP-self**. Read-only + **propose-onl
 - **2026-06-10 (S57-interrupted @session-start RE-REPORT):** Verdict VÀNG — orphan delta investigator-codebase 3 entry S57 uncommitted (agent DUY NHẤT có delta post-S56; so mtime vs closeout-commit timestamp `a62e797` 20:20:51 = phương pháp detect interrupted-session). 4-field PASS ×3 · fidelity spot-check: flag "master-write-open" → fix `Roles="Admin,CatalogManager"` ×3 controller đã apply working-tree (recon khớp việc-thật — đọc memory khi resume đừng tưởng còn hở) · wave/stray/0-byte = 0 · flags: investigator 33.5KB>cap archive-L2, entry-3 tag s56→s57, double-blank-line nit. 0 file written (em main append B3). Tag [s57-orphan, mtime-vs-closeout-method, gate-na-start].
 - **2026-06-10 (S57-RESUME @start RE-REPORT):** Verdict 🟢 — 3 delta agent-memory uncommitted (harvest-curator +1 · investigator +3-entry · tooling +1+baseline-reground) ALL SANE, attribution nhất quán **em main proxy-append B3** (mtime 2 đợt: investigator 10:56 S57-work → harvest/tooling 11:55-57 resume-attempt; style/nội-dung khớp em-main, KHÔNG dấu hiệu sub tự ghi — G-015 honest "no evidence" ≠ "impossible"). 5-trục: Corruption 0-byte=0 (11/11 ≥4.4KB, tail terminate sạch, mojibake=0) · Wave/stray=0 (7 vị-trí check, S54-pattern không tái) · Fidelity **sample 8/8 deep-verify PASS** (authz ×3 controller · hmw.js:26=9 · README:192/:201 · gotcha-58 ×2 skill · ef-core 93/48 · roster 11=11 folder · catalog.manager:1608 · GetMyMenuTree:96 exact) · Completeness 4-field đủ ×5 entry · Coverage 🟡→resolved: 8 file code KHÔNG có delta implementer-* vì evidence nghiêng **em-main-direct implement** (mtime implementer pre-closeout + diff nhỏ + comment [S57] style em-main + investigator entry viết "Flag em-main" như brief) → không phải Coverage-miss. **2 nit em main FIXED in-session:** investigator entry-3 tag s56→s57 + double-blank-line ×2 gộp 1. Chore còn: investigator 33.5KB>30KB cap → curate L2 @closeout/monthly. Nhắc P1: commit 16 file PHẢI kèm docs-closeout (STATUS/HANDOFF/log) tránh "code committed, docs mù". Tag [s57-resume, gate-start-pass, mtime-attribution, coverage-resolved].
 - **2026-06-11 (S57bis @start RE-REPORT + spawn-test post-restart ✅):** Self-report `claude-fable-5[1m]` → **promote-tier `inherit` GIỮ Fable 5 runtime-VERIFIED** (H4.3c). Verdict 🟢 **KEEP-ALL-5** — 5 agent-memory delta uncommitted (harvest+2 · impl-backend+1 · investigator+3 · reviewer+1 · tooling+baseline-reground+3) ALL dated 06-10 S57/S57-resume, em-main-proxy-append B3, attribution mtime-cluster 21:52–22:28 nhất quán, commit AS-IS. Corruption: 11/11 ≥4.4KB, 0-byte=0, tail sạch, mojibake=0. Wave-folder=0 tồn (S56 2 workflow harvest sạch). 3 untracked = em-main governance docs (KHÔNG phải harvest-MD) → vào commit bundle. Chore giữ: investigator-codebase 33.5KB>30KB cap → L2 @closeout/monthly (reviewer 29.6KB + cicd 29.2KB sát cap, watch). Tag [s57bis, spawn-test-verified, keep-all-5, promote-inherit-proof].
+- **2026-06-11 (post-S57bis @start RE-REPORT — rushed-closeout 4 Coverage-MISS):** S57bis đóng vội (commit 12:12-13 → post-commit ghi 12:23-25 rồi dừng, KHÔNG end-GATE). Verdict 🟡: **Coverage 4 MISS / 9 role spawned** — implementer-backend+frontend (CẢ 2 return-truncated #53) · database-agent (Mig-49 design DELIVERED mà 0 delta — miss đau nhất) · reviewer (**die-0-byte ×2** resume-kill → em main self-gate) → propose 4 spawn-record on-behalf. 5 record có sẵn (inv-codebase·test-spec·tooling·harvest·cicd-dirty) 4-field PASS, fidelity ground-truthed (Mig 49 file `Persistence/Migrations/20260611044424` exists + count 240 consistent ×4 nguồn). **Method ⭐: commit-stat "có append" ≠ "có fanout-record"** — impl-backend/reviewer append trong 17b23a4 = carry 06-10 S57-resume (mtime 06-10 22:21-28); classify bằng grep tag `57bis` + mtime, KHÔNG tin stat. Mồ-côi ×2 sane (cicd +Run#381 PASS+1PARTIAL — escalation lock-14-user prod NO-OP email-stale · gotchas #59 PS5.1 quote→`-F`) → commit bundle; cicd entry chứa bundle-hash CP4CB1ym/BmZ3VHnm = resolve flag "unverified" của tooling. Wave=0 · stray=0 · 0-byte=0 (find -size 0 empty). Chore: cicd 32.3KB + inv-codebase 32.1KB ĐỀU >30KB (inv vừa curate 11:30 vẫn over). Wrote OWN diary only (em main explicit). Tag [post-s57bis, coverage-4-miss, carry-vs-fanout-classify, die-0-byte].
--- a/.claude/agent-memory/implementer-backend/MEMORY.md
+++ b/.claude/agent-memory/implementer-backend/MEMORY.md
@ -74,6 +74,8 @@ UI `disabled={!canX}` + BE helper `EnsureCanXAsync(id, userId)` throw 403 (NOT i

 ## 📅 Recent activity (FIFO — older → archive/git)

+- **2026-06-11 (S57bis PE WorkItemId BE slice — PARTIAL, on-behalf em main ghi hộ, H2-proposed):** Return-truncated #53 TRƯỚC Mig 49 + projection-3 → em main solo hoàn tất (fix CS7036 + CS8019, Mig 49 `AddWorkItemToPurchaseEvaluation` 3-file, projection ListItemDto ×3 LEFT-join WorkItems, UpdateDraft null-safe `if (request.WorkItemId is not null)` chống null-hóa bug-class S42). LEARNED: FK-guard loose-Guid `AnyAsync(w.Id==x && w.IsActive)`→Conflict (mirror S43); validator `NotEmpty` create-only, DB nullable backward-compat 4 phiếu cũ; `NotEmpty()` trên `Guid?` KHÔNG chặn `Guid.Empty` → handler guard bắt (defense-in-depth). SURPRISE: truncate 2 session liên tiếp (S55, S57bis) ở slice lớn cross-layer → cắt stage nhỏ hơn (entity+config / mig / projection tách spawn). Tag `[s57bis, truncated-53, on-behalf]`.
+
 - **2026-06-10 (S57-resume spawn-test H4.8 — Harness-4 two-tier):** Mình bị DEMOTE pin `model: claude-opus-4-8` (deterministic-scaffold class, double-gate reviewer+test+cicd sau lưng). Spawn-test echo model NGAY sau edit → self-report `claude-fable-5[1m]` = SE env (CCD harness) KHÔNG fresh-read frontmatter → pin ăn SAU restart CLI. Post-restart mình chạy Opus 4.8 (effort Max giữ env-wide); task hệ-trọng giao mình qua hmw có thể override `tier:'fable'`. Tag [h4-demote, spawn-test, pending-restart].

 - **S56 GOLIVE-HARDEN 3 BE fix (NO mig, 3 file edit, em-main spec deterministic 100% → ACCEPT Case 1):** **#3 LeaveBalance lost-update** `LeaveOtApprovalFeatures.cs` terminal DaDuyet branch → atomic-executeupdate-tx (spec chosen, KHÔNG RowVersion/Mig). Replaced in-mem `bal.UsedDays += NumDays` với: set p.Status/Updated* → `(DbContext)db` cast + `BeginTransactionAsync(ct)` (plain, NO IsolationLevel — READ COMMITTED đủ vì increment atomic) → STEP1 ensure-row (FirstOrDefault, auto-create UsedDays=0 via tracker) + SaveChanges (opinion+status+insert trong tx) → STEP2 `db.LeaveBalances.Where(...).ExecuteUpdateAsync(s=>s.SetProperty(b=>b.UsedDays, b=>b.UsedDays+p.NumDays), ct)` server-side row-lock race-free → `tx.CommitAsync` + **`return;`** (skip trailing shared SaveChanges). **STALE-TRACKED caveat (load-bearing):** ExecuteUpdate bypass tracker → tracked `bal` giữ pre-increment value; SAFE vì không đọc lại + handler return ngay; KHÔNG thêm `bal.UsedDays +=` (double-count). `using System.Data` + EF Core đã import. **#5 AssignItTicketHandler existence-oracle** `WorkflowAppsFeatures.cs:493` → moved Admin-OR-dept-IT Forbidden guard (itDeptId+isAdmin+myDeptId resolve) TRƯỚC ticket NotFound lookup → fail-closed (non-IT nhận Forbidden cho MỌI ticketId). assignee-must-be-IT Conflict + reassign giữ nguyên. **#6 DocxRenderer.cs:30,40 CS8602** → hoist `mainPart = doc.MainDocumentPart ?? throw InvalidOperationException` + `document = mainPart.Document ?? throw` (Document cũng nullable — KEY: 1st hoist chỉ fix part, vẫn còn 1 warn ở `.Document.Body`); deref qua local non-null. Build SolutionErp.slnx **0 err 0 warn** (DocxRenderer warn CLEARED — thực tế 1 warn không phải 2 như MEMORY ghi). Test 58 Domain PASS + 154/158 Infra: **4 FAIL `LeaveBalanceTests` (Approve_LastLevel_DeductsLeave.../AccumulatesExisting.../OverEntitled.../MultiLevel_NoDeductAtIntermediate)** = EXPECTED #3 stale-tracked (re-query trả tracked instance pre-increment, DB row đúng) → tests_to_update cho test-specialist (add AsNoTracking/ChangeTracker.Clear). ItTicket authz tests #5 PASS (Case5 đã expect Forbidden, NotFound case dùng Admin caller). KHÔNG touch tests/FE/commit. #4 (Travel/Vehicle smoke test) = test-specialist next stage. Tag `[s56, golive-harden, executeupdate-atomic, fail-closed-authz, cs8602, no-mig]`.
--- a/.claude/agent-memory/implementer-frontend/MEMORY.md
+++ b/.claude/agent-memory/implementer-frontend/MEMORY.md
@ -42,6 +42,7 @@ Dynamic class purged. PALETTE array full literal `as const` cycle `index % lengt

 ## 📅 Recent activity (last 10 FIFO)

+- **2026-06-11 (S57bis PE WorkItem FE ×2 app — PARTIAL, on-behalf em main ghi hộ, H2-proposed):** Task = PeWorkspaceCreateView select "c. Hạng mục công việc *" sau Dự án + PeHeaderForm (select + load existing + PUT/POST workItemId) + PeDetailTabs (subtitle "Dự án – Hạng mục" + FormRow + inline-edit khóa) + types +3 field. Return-truncated #53 GIỮA mirror fe-admin → em main solo mirror 7 edits PeHeaderForm + 3 edits PeDetailTabs ×2 app; PeHeaderForm SHA256 IDENTICAL. LEARNED: mirror đo bằng SHA256 (không diff mắt); option label `[Category] Code — Name` + canSubmit require; route reuse `/catalogs/work-items` (KHÔNG endpoint mới). SURPRISE: điểm gãy lặp tại mirror-2-app-trong-1-spawn → cân nhắc per-app stage khi slice lớn. Tag `[s57bis, truncated-53, sha256-mirror, on-behalf]`.
 - **2026-06-09 (S55 HMW P2 — Project +4 optional master fields):** Case 1 master-data enrich (NO 4-place, NO menu/route/Layout — chỉ Place-1 page+type). BE adds 4 nullable Project fields parallel (implementer-backend). 2 file × 2 app: (1) types/master.ts `Project` +`year:number|null`+`investor/location/package:string|null` (sau `note`) +ProjectInput auto-inherit via Omit · (2) ProjectsPage.tsx (single-Dialog CRUD, NO separate pages): FormState +4 `string` (form dùng string, convert on submit) + emptyForm +4 '' + mutate payload `year:d.year?Number():null, investor/location/package:d.x||null` + openEdit `year:p.year?.toString()??'', x:p.x??''` + Dialog 4 Input sau "Ngày kết thúc" trước "Ghi chú" (Năm type=number, Chủ đầu tư, Địa điểm col-span-2, Gói thầu col-span-2) + table column "Chủ đầu tư" (`p.investor??'—'`) giữa name↔startDate. **`package` = valid TS object KEY** (reserved chỉ khi binding-identifier) → `form.package`/`{...form,package:x}` build sạch, KHÔNG cần rename. cp admin→user SHA256 IDENTICAL: master.ts `93ac1b0f…`, ProjectsPage `b002061…`. Build PASS ×2 (admin 1945mod, user 1934mod, 0 TS err — tsc -b clean trước vite). Reuse S42 enrich-pattern (string-form + convert-on-submit). NO ambiguity, full precedent.
 - **2026-06-08 (S54 ItTicket reassign → CONVERGE 2 app, REVERSE S53 divergence) [harvested by em main — agent MEMORY write mis-landed, B2/B3]:** S53 đã tách fe-admin-only (admin reassign). S54 cho tổ IT tự reassign → cả 2 app cần nút. **Pattern mới: BE capability-flag gate thay vì FE đoán role.** Dropdown đổi `GET /users` → `GET /it-tickets/assignable-staff` trả `{canReassign:bool, staff:[{id,fullName}]}` (`[Authorize]` any-auth, KHÔNG 403 → chống gotcha #44). `canReassign = staffQ.data?.canReassign ?? false` (fetch on mount, KHÔNG `enabled`) → nút Pencil bọc `{canReassign && …}`. types/workflowApps.ts +`AssignableStaff`+`AssignableStaffResult` (mirror cả 2). fe-admin rewrite (bỏ UserOption/Paged<T>) + fe-user full-add → **SHA256 IDENTICAL `4bcaf2f…`** (viết admin canonical → `cp` → verify; cùng `@/...` import + shadcn Dialog/Select/Button identical 2 app). Build PASS ×2 (0 TS err). **Gotcha (pre-existing, NOT từ change này):** types/workflowApps.ts 2 app NOT SHA-identical — fe-admin có `AttendanceReportDto` (P11-E) mà fe-user thiếu; 2 type S54 mirror đúng cả 2. Lesson: BE-computed capability flag = single-source → 2 app converge lại sau intentional divergence.
 - **2026-06-08 (S52 Task C+D-FE — ItTicket admin reassign + AttendanceReport menu, fe-admin ONLY):** Both intentional mirror-break (admin-only, NO fe-user touch, NO SHA256). **Task D-FE menu wiring:** Page+App.tsx route `/attendance/report` ALREADY exist (S52 prior). Only 2 of 4-place needed: (1) menuKeys.ts +OffAttendanceReport='Off_AttendanceReport' (mirror BE string exact, after OffChamCong) · (2) Layout.tsx staticMap +Off_AttendanceReport:'/attendance/report' (4th place gotcha #50). `types/menu.ts` = MenuNode tree type, key:string NOT typed-union → NO mirror there (resolvePath(key:string)). Leaf perm-gated via BE All[]→admin auto. **Task C reassign:** ItTicketsPage.tsx top-comment updated DIVERGES fe-user. Per-card Pencil button (cạnh 👤 assignee) → Dialog (size sm) + Select user. Users source = **GET /users {params:{page:1,pageSize:200}}→{items:UserOption{id,fullName,email}}** (reuse, proven PeWorkflows/Workflows/MeetingCalendar — `enabled:target!==null` lazy fetch). useMutation api.put(`/it-tickets/${id}/assign`,{assignedToUserId})→204 (NO json read)→invalidate['it-tickets']+toast.success+close. preselect t.assignedToUserId. UI deps: Dialog(open/onClose/title/children/footer?/size) + Select(native passthrough) + Button(variant=outline) + toast(sonner) + getErrorMessage(@/lib/apiError). Build PASS (0 err, 1945 mod). git: only 3 fe-admin file, fe-user untouched.
--- a/.claude/agent-memory/investigator-codebase/MEMORY.md
+++ b/.claude/agent-memory/investigator-codebase/MEMORY.md
@ -70,6 +70,8 @@ Bearer từ `POST api.solutions.com.vn/api/auth/login` → status matrix expecte

 ## 📅 Recent activity (FIFO — older → archive/git)

+- **2026-06-11 (S57bis lock no-op — prod user census, on-disk+prod):** ⭐ `LockDemoSampleUsersAsync` (DbInitializer.cs:1552, chạy CUỐI :98) hardcode 14 named-person email (bod.huynh/pm.nguyen/fin.do/qs.hoang…) = population CHỈ CÓ TRÊN DEV. **Prod 34 user ALL-active:** 20 UAT-matrix placeholder hand-created batch 2026-05-13 15:04-05, scheme `{act,equ,fin,hra,pm,qs}.{nv,pp,tp}@` + `bod.{1,2}@` (FullName tự khai "ACT NV - Drafter+Accounting", "[Bypass]"/"[SkipFinal]" = test Mig 29-31 flags) + 9 real staff hand-created 05-04→05-12 + `binh.lethanh@` (người thật Lê Thanh Bình — seed dùng `thanh.lethanh@` KHÔNG tồn tại prod) + `chuong.phan@solution.com.vn` TYPO-domain dup (twin đúng tạo 05-12) + admin/catalog.manager/nv.test. **ROOT CAUSE seed-user never-on-prod:** prod `Identity:Password:RequiredLength=12` (appsettings.Production.json) vs `DemoUserPassword="User@123456"`=11 chars → CreateAsync silent-fail MỌI startup từ prod-init 04-21 (code comment :1675-79 đã biết); Dev fallback 8 (DependencyInjection.cs:67 `?? 8`, Development.json no Identity section) → Dev đủ 33 user named-person. `bod.1@` NEVER in git pickaxe = tạo tay qua admin UI, không phải seed. Surprise: _Dev hiện CŨNG chưa khóa (Locked=0; LockoutEnd=MaxValue sẽ persist qua reconcile re-activate :1714 nếu từng chạy) → lock chưa từng execute against _Dev runtime. Fix cần 20 email prod-thật; GIỮ binh.lethanh + 9 real + admin/catalog.manager; `nv.test@` = creds smoke-verify (khóa = vỡ cicd smoke). Tag `[s57bis-lock-noop, prod-user-census, pwd-policy-env-divergence]`.
+
 - **2026-06-11 (S57bis PE recon — 4 đầu việc sếp, on-disk):** ⭐ PE entity NO Year, NO WorkItem link (`PurchaseEvaluation.cs:15` ProjectId req; Detail free-text `PurchaseEvaluationDetail.cs:10-13`). Create cmd `PurchaseEvaluationFeatures.cs:19-30`; MaPhieu gen-AT-CREATE `:114-116` format `PE/{YYYY}/{A|B}/{Seq:D3}` (`PurchaseEvaluationCodeGenerator.cs:23`). Main create UI = `PeWorkspaceCreateView.tsx` (:151 workflow-select isUserSelectable ĐẦU TIÊN → tenGoiThau → projectId → DiaDiem → MoTa → PaymentTerms → budget; canSubmit :129 = wf+project+ten). PE controller class-`[Authorize]` ONLY no policy → mở menu là đủ, no silent-403. Pe_* leaves NOT in `MenuKeys.All` (chỉ root :156); PE defaults 7 role × 11 key (root + 2type×{group,WfView,List,Create,Pending}) `DbInitializer.cs:2098-2160`. S57 `SeedAllRolesReviewReadPermissionsAsync:1993-2001` InReviewScope EXCLUDES Pe; extend đúng = `key == MenuKeys.PurchaseEvaluations` EXACT (prefix "Pe" sẽ dính PeWorkflows admin!) — root inherit cascade (`GetMyMenuTreeQuery.cs:49-82`). Demo gate: prod `appsettings.json:35 DemoSeed:Disabled=true` → 7 `[DEMO]` HĐ + 4 `[DEMO]` PE (MaPhieu `[DEMO]-A-001`) KHÔNG lên prod; UNGATED trên prod = 31 users + 18 demo NCC + 8 demo project (:2244-2315) + real 62/71/3 (:2329-2522). ⚠️ Clear-demo gotcha: seed re-add per-code idempotent MỖI startup → xóa DB-only sẽ resurrect, phải gỡ khỏi DbInitializer code. WorkItem write Admin-only (`CatalogsController:113-130`) — CatalogManager có menu-perm nhưng API write bị chặn. Tag `[s57bis, pe-recon, demo-inventory]`.

 - **2026-06-10 (S57 perm-broaden blocks A/B/E/F — on-disk):** ⭐ **BE AUTHZ SPLIT (decision-critical for E):** Config controllers gate WRITE behind `[Authorize(Roles="Admin")]`, READ open to any-authed: `HrmConfigsController.cs:15` class `[Authorize]`+GET open `:19-21`, all POST/PUT/DEL `Roles="Admin"`; `CatalogsController.cs:14` same (write `:23+` Admin); `MeetingRoomsController.cs:15` same (comment `:9-10` explicit). → granting FE read on Hrm_Config/Catalogs/MeetingRooms = pure UI-visibility, BE already correct. **BUT Master 3 controllers = class `[Authorize]` ONLY, no per-action role:** `SuppliersController.cs:17`, `ProjectsController.cs:11`, `DepartmentsController.cs:11` — ANY authed user can POST/PUT/DELETE via API (FE menu perm is only gate, not BE-enforced). Flag em-main: making Suppliers/Projects/Departments visible-to-all ⇒ staff can write master incl. S55 prod data unless add `[Authorize(Roles="Admin,CatalogManager")]` or per-action policy. **S55 PROD DATA location:** `SeedRealMasterDataAsync` `:2267-2460` writes to **Projects**(62, `:2270`), **WorkItems**(71=CatalogWorkItems key, `:2430-2438`), **Suppliers**(3, `:2440-2456`) — all ungated idempotent per-code. **10 departments now** (`SeedDepartmentsAsync:2104`): 9 orig + IT (`:2115`). **31 demo users** (`SeedDemoUsersAsync:1553-1609`): dept spread BOD4/PM2/CCM9/PRO6/QS2/FIN2/ACT1/EQU1/HRA2; roles = mostly Drafter/CostControl/Procurement + 1 CatalogManager (`catalog.manager@`, dept PRO, `:1608`). NO user has zero-role; every demo user authenticatable. **Inherit-root display:** `GetMyMenuTreeQuery.cs:96 HasAccess = CanRead OR Children.Any(HasAccess)` → a non-inherit root (Hrm/Off/Master) auto-shows if ANY child has CanRead, so granting leaves is enough to reveal the root node (root row itself optional for display, but grant it too for cleanliness). Inherit-roots (Contracts/Pe/Wf/PeWf) cascade root→child so root-row-only suffices there. Menu already S57-edited: `Personal` group + `Off_ChamCong` re-parent Off→Personal via `parentBackfill:1908`. Tag `[s57-perm, be-authz-split, master-write-open, s55-data, 31user]`.
--- a/.claude/agent-memory/reviewer/MEMORY.md
+++ b/.claude/agent-memory/reviewer/MEMORY.md
@ -57,6 +57,7 @@ Adversarial pre-commit reviewer SOLUTION_ERP. Read-only verify + live curl prod

 ## 📅 Recent activity (FIFO — older → archive/git)

+- **2026-06-11 (S57bis product gate — KHÔNG DELIVER, die-0-byte ×2, on-behalf em main ghi hộ, H2-proposed):** Cả 2 spawn (email-gate đầu + final gate) chết 0-byte output 0 return (resume-kill class #3, ref `feedback_agent_kill_recovery`) → em main SELF-GATE evidence-checklist: grep authz key-set + role-string vs AppRoles + Mig 49 Up/Down reversible + 240 test + Run #381 + prod smoke 401/404-control. LEARNED: output-file size=0 + im >5 phút = chết, KHÔNG đợi thêm; KHÔNG re-spawn >2 lần trong session có `--resume`. SURPRISE: khác S52 killed-with-partial — lần này 0-byte tuyệt đối (không gì recover được từ return). Tag `[s57bis, die-0-byte-x2, self-gate, on-behalf]`.
 - **2026-06-10 (S57-resume Harness-4 two-tier adopt gate — PASS-with-fixes, 0 blocker):** Gate trước send-email + commit (governance, không product code). Self-report spawn: `claude-fable-5[1m]` (reviewer = promote-list inherit → direct promote-tier evidence, em main cite được). Independent re-verify ALL GREEN: grep frontmatter = đúng 7 pin `claude-opus-4-8` + 4 `inherit` + 0 `[1m]`-in-frontmatter (2 body-text hits hợp lệ: database-agent.md:46 + README.md:9 MỚI — adap-report "match duy nhất" stale-by-own-edit) + 0 project-pin settings. Evidence track-record **8/8 REAL** vs HANDOFF/STATUS/own-memory (S51 MAJOR · S54 QTV-decoy · S53 Mig46 · S56 H2-4.5/5 + dept-IT-0-user · S57 ×3 controller +5/+5/+5 `[Authorize(Roles="Admin,CatalogManager")]` working-tree). Nấc G-011 đúng mọi chỗ load-bearing (demote = executed-file·pending-restart, 0 overclaim runtime). Fixes: hash PLACEHOLDER trước send (`nac: sent` + "SENT ✓" premature = đúng status-verb class broadcast cảnh báo) · STATUS "(runtime resolve 1M)" thiếu attribution AI_INFRA-s20 · hmw.js:91 log "same-model inherit" stale + :9 "8-agent" vs 9 roles · adap-report "(13)" vs "11" count · invalid-role typo → rơi 'opus' (fail-direction xuống vs H4.5 nghiêng-quality). **Learned:** gate adopt-governance = re-run MỌI grep claim + cross-check evidence vs HANDOFF nguyên văn; n=2 demoted spawn-test double-duty làm inherit-chain proof là HỢP LỆ (registry cached = chạy config cũ) nhưng cần phrase rõ kẻo đọc nhầm thành promote-list spawn-test. Tag [s57, harness-4, two-tier-gate, pre-send-gate, g011].
 - **2026-06-09 (S56 pre-golive authz live-curl — PASS, 0 blocker):** Live prod curl 8 new endpoints. **8/8 return 401 unauth**; admin-authed: hrm-configs/vehicles(2)+drivers(2), leave-balances/my(5 lazy), attendances/report+excel(200, 6797B xlsx) all 200; non-admin Drafter correctly 403 on the 2 Admin-only attendance endpoints. **gotcha #44 silent-403 sweep CLEAN:** capability GET /it-tickets/assignable-staff returns HTTP 200 `{canReassign:false,staff:[]}` for non-IT Drafter (NOT swallowed 403) + `{true,[]}` admin — handler returns flag, doesn't throw (`WorkflowAppsFeatures.cs:466`). assign-mutation guard fail-closed (:504). E2E: GET /projects payload has all +4 fields (70/70), CAL01 Investor live. Off_AttendanceReport menu key in admin /menus/me. **1 MINOR (non-block, defense-in-depth):** PUT /it-tickets/{id}/assign checks NotFound BEFORE Admin-OR-IT Forbidden (`WorkflowAppsFeatures.cs:496-508`) → existence-oracle leak; mutation itself fail-closed → post-golive hardening only. Tag [s56, pre-golive-verify, authz-clean, gotcha44-clean, notfound-before-forbidden-minor].

--- a/.claude/agent-memory/tooling-auditor/MEMORY.md
+++ b/.claude/agent-memory/tooling-auditor/MEMORY.md
@ -30,3 +30,4 @@ H1 tooling-freshness auditor **SOLUTION_ERP-self**. Read-only + **propose-only**
 - **2026-06-10 (S57-RESUME @start RE-REPORT):** Re-audit 4-mặt với 16-file dirty (S57-interrupted). ①SKILL PASS 6+23; 3 skill-doc dirty verified ĐÚNG (ef-core:72/:280/:289 · dep-audit:153 · skills/README:90); permission-matrix = conditional closeout (S57 đổi seed model). ②ROSTER DRIFT-residual: dirty README:192(9)+:201(11)+hmw.js(9) đúng+nhất quán, NHƯNG catch MỚI `ultra-on.md:23-24` VALID_ROLES "8 sub" thiếu database-agent (floor-doc README:197 trỏ tới!) + `session-start.md:37/:44-54` "10-agent"+list 9 tên thiếu frontend-designer+database-agent +:40 gotcha (55)→58 — commands/*.md TRƯỚC GIỜ NGOÀI radar grep roster → thêm vào checklist mặt-② vĩnh viễn. **Em main PATCHED cả 2 ngay trong session** (ultra-on→9-sub + session-start→11-agent list đủ + 58). ③PLUGIN PASS 18/15/3 identical, marketplace 35, 0 new. ④DOCS: root+docs CLAUDE.md SẠCH (fix từ S56 a62e797, KHÔNG phải monthly-pending) → HANDOFF:24 backlog-item = stale-contradiction tự mâu thuẫn HANDOFF:17 — backlog coords PHẢI re-verify trước khi tin (3/5 coords HANDOFF:121 cũng đã obsolete). S57 invisible STATUS/HANDOFF = P1 closeout debt. Verdict 8 file .claude: 5 tooling COMMIT-AS-IS; 3 MEMORY → H2 verified OK. Tag [s57-resume, 4-mat, ultra-on-catch, stale-backlog-coords].
 - **2026-06-10 (spawn-test H4.8 — Harness-4 two-tier):** Mình bị DEMOTE pin `model: claude-opus-4-8` (checklist-class, mirror AI_INFRA demote con tương đương). Spawn-test echo model NGAY sau edit → self-report `claude-fable-5[1m]` = SE env (CCD harness) KHÔNG fresh-read frontmatter → pin ăn SAU restart CLI. Post-restart mình chạy Opus 4.8 (Max giữ nguyên env-wide) — nếu thấy verdict-quality tự giảm rõ → báo em main adap-request promote lại. Tag [h4-demote, spawn-test, pending-restart].
 - **2026-06-11 (S57bis @start RE-REPORT + spawn-test post-restart ✅):** Self-report nguyên văn `claude-opus-4-8[1m]` ("Opus 4.8 (1M context)") → **demote-pin ĂN runtime** (đóng 'pending-restart' entry trên) + `[1m]` 1M-resolve SE tự verify (hết lệ thuộc claim AI_INFRA s20). 4-mặt **ALL-PASS 0 drift mới** — 29 file dirty = Harness-4 closeout hợp lệ: ①3 skill-doc diff = freshness-fix đúng (48 mig/93 bảng/58 gotcha) ②roster 11=11=11, frontmatter grep = 7 pin + 4 inherit, 0 `[1m]` frontmatter ③plugin 18/15/3 identical, 0 new-alloc ④STATUS diff hợp lệ + 3 untracked governance đúng nấc → đề xuất promote PENDING-RESTART→runtime-verified (em main đã thực hiện cùng session). Carry-flag: docs/CLAUDE.md gotcha "(55)"→58 (defer monthly 07-01) · schema-diagram §16+ 14-mig ERD debt. Demote-watch data-point #1: verdict-quality trên Opus 4.8 tự đánh giá CHƯA suy giảm. Tag [s57bis, spawn-test-verified, 4-mat-pass, demote-watch-1].
+- **2026-06-11 (post-S57bis @start RE-REPORT — count-drift S57bis CHƯA flush docs):** Working tree 2 dirty (cicd MEMORY +Run#381 · gotchas.md +#59) — S57bis code đã COMMIT (dd117b7+17b23a4 push). 4-mặt: ①SKILL 6+23 unchanged; ef-core SKILL STALE 4 cite "48"→49 (:3 desc · :19 H2 "48 migration hiện có" · :72 "§16+ Mig 27-48"→27-49 · :280 "48 migration") + :280/:289 "93 bảng" giữ (Mig 49 AddColumn-only no new table — KHÔNG đổi); skills/README:20 "48 migration"→49 + :90 "58 bẫy/#58"→59; dep-audit:153 "58 bẫy"→59. ②ROSTER **CLEAN 11=11=11** (disk/README/STATUS); model-tier frontmatter grep = **4 inherit (database-agent·harvest-curator·investigator-codebase·reviewer) + 7 pin claude-opus-4-8** ✅ khớp two-tier H4 chính xác. ③PLUGIN **CLEAN 18/15/3 identical** (3 OFF: pr-review-toolkit·code-modernization·hookify), 0 new-alloc. ④DOCS **MAJOR data-row drift**: STATUS row :24 sub-agent ĐÃ cập runtime-VERIFIED 06-11 NHƯNG data-rows CHƯA: :14 Mig "48"→49 · :20 Tests "228"→240 · :21 Gotchas "58"→59 · :27 bundle (S57bis FE-touched nhưng session-log KHÔNG ghi hash mới → CP4CB1ym/BmZ3VHnm anh-cite KHÔNG verify được, grep 0 match) · STATUS:38 In-Progress "(none S56)" stale (S57+S57bis shipped). HANDOFF:5 Last-updated 06-09 S56 + thiếu HẲN S57/S57bis section. Root CLAUDE.md:53 "48 mig"→49 · :66/:87 "228"→240 · :133 "58 bẫy"→59. **Method-learning:** test attr-count disk=225 (`[Fact]/[Theory]`) NHƯNG authoritative=240 (S57bis log :14 "228→240"; Theory expand runtime → KHÔNG dùng attr-count làm count, tin session-log/test-run) · bundle-hash anh-cite phải verify từ session-log/cicd-MEMORY trước khi tin (S57bis log không ghi → flag "unverified" KHÔNG copy). Top-5 patch propose → em main APPEND. Tag [post-s57bis, 4-mat, count-drift-flush-pending, bundle-hash-unverified].
--- a/.claude/skills/README.md
+++ b/.claude/skills/README.md
@ -17,7 +17,7 @@ Skill này là tài liệu chuyên biệt để Claude (và developer khác) dù
 | Skill | Mục đích | Trigger ví dụ | Trạng thái |
 |---|---|---|---|
 | `dependency-audit-erp` | Scan CVE NuGet + npm 2 FE, respect pin constraint (MediatR 12.4.1, Swashbuckle 6.9.0) | "npm audit", "dotnet vulnerable", "deps scan", "nâng cấp package" | ✅ New Tier 3 |
-| `ef-core-migration` | Tạo/revert EF Core 10 migration, 3-file rule, DesignTimeDbContextFactory, **48 migration history** (Init → AddProjectMasterFields Mig 48) | "thêm migration", "EF migration", "schema update", "snapshot lỗi" | ✅ Updated S55 (Mig 48 Project master fields) |
+| `ef-core-migration` | Tạo/revert EF Core 10 migration, 3-file rule, DesignTimeDbContextFactory, **49 migration history** (Init → AddWorkItemToPurchaseEvaluation Mig 49) | "thêm migration", "EF migration", "schema update", "snapshot lỗi" | ✅ Updated S58 (Mig 49 PE WorkItem) |
 | `iis-deploy-runbook` | 3 IIS site + win-acme cert + gitea-runner + LibreOffice + debug 500/502/SignalR prod + **G-084 IPv4/IPv6 hardening** | "prod 500", "IIS fail", "cert hết hạn", "restart app pool", "deploy IIS", "port hijack" | ✅ Updated (G-084) |

 ## Format chuẩn 1 skill
@ -87,5 +87,5 @@ when-to-use:
 ## Related

 - `docs/CLAUDE.md` — quick rules + full stack context
- `docs/gotchas.md` — 58 bẫy đã gặp (latest #58 EF read-modify-write lost-update → `ExecuteUpdateAsync` atomic, S56)
+- `docs/gotchas.md` — 60 bẫy đã gặp (latest #60 Identity seed CreateAsync silent-fail vs prod password-policy → population Dev ≠ prod, S58)
 - `docs/changelog/migration-todos.md` — roadmap 5 phase + Tier 3
--- a/.claude/skills/dependency-audit-erp/SKILL.md
+++ b/.claude/skills/dependency-audit-erp/SKILL.md
@ -150,6 +150,6 @@ Lưu vào `docs/changelog/deps-audit-{YYYY-MM-DD}.md` nếu có action.

 ## Related

- `docs/gotchas.md` — 58 bẫy package compat / CI / IIS / Identity / per-NV refactor / SQLite tie-break đã gặp
+- `docs/gotchas.md` — 60 bẫy package compat / CI / IIS / Identity / per-NV refactor / SQLite tie-break đã gặp
 - `docs/changelog/migration-todos.md` Phase 5.1 — checklist deps scan CI
 - `SolutionErp.slnx` + `global.json` — .NET version pin
--- a/.claude/skills/ef-core-migration/SKILL.md
+++ b/.claude/skills/ef-core-migration/SKILL.md
@ -1,6 +1,6 @@
 ---
 name: ef-core-migration
-description: Tạo/sửa/revert EF Core 10 migration cho SOLUTION_ERP. Dùng khi thêm entity mới, thay đổi schema, rollback migration, debug DesignTimeDbContextFactory fail. Đã có 48 migration sẵn (Init → AddProjectMasterFields Mig 48, S55). Snapshot + Designer + Migration 3-file rule bắt buộc commit đủ.
+description: Tạo/sửa/revert EF Core 10 migration cho SOLUTION_ERP. Dùng khi thêm entity mới, thay đổi schema, rollback migration, debug DesignTimeDbContextFactory fail. Đã có 49 migration sẵn (Init → AddWorkItemToPurchaseEvaluation Mig 49, S57bis). Snapshot + Designer + Migration 3-file rule bắt buộc commit đủ.
 when-to-use:
  - "thêm migration"
  - "EF Core migration"
@ -16,7 +16,7 @@ when-to-use:

 > **Context:** .NET 10 + EF Core 10 + SQL Server. DbContext: `ApplicationDbContext` ở `Infrastructure/Persistence/`. Startup: `SolutionErp.Api`.

-## Migration history (48 migration hiện có)
+## Migration history (49 migration hiện có)

 | # | Name | Tables added / changed |
 |---|---|---|
@ -68,8 +68,9 @@ when-to-use:
 | **46** | **`AddSlaFieldsToItTicket`** | **🎯 Phase 11 P11-D (S52) — ItTickets +SlaDueAt/SlaWarnedSent/SlaBreached (SLA timer). Column-only, no new table.** |
 | **47** | **`FilterMasterCatalogUniqueIndexesByIsDeleted`** | **🎯 S53 — Department + Supplier + Project Code UNIQUE filtered `WHERE [IsDeleted]=0` (gotcha #57 EXT Master, 6× cumulative). Index-only.** |
 | **48** | **`AddProjectMasterFields`** | **🎯 S55 — Project +4 cột nullable (Year int · Investor 250 · Location 500 · Package 300). AddColumn-only, no new table. Kèm `SeedRealMasterDataAsync` ungated nạp 62 dự án + 71 hạng mục + 3 NCC real từ Excel.** |
+| **49** | **`AddWorkItemToPurchaseEvaluation`** | **🎯 S57bis — PE.WorkItemId `Guid?` loose-Guid (KHÔNG FK vật lý — convention PE: ProjectId/SelectedSupplierId đều loose) + `IX_PurchaseEvaluations_WorkItemId`. AddColumn+CreateIndex-only, no new table. Guard = validator NotEmpty (create) + handler AnyAsync IsActive→Conflict.** |

-Total: **93 bảng** dbo + `__EFMigrationsHistory` (re-ground S56 `sys.tables` — last Mig 48 AddProjectMasterFields, column-only). Xem `docs/database/schema-diagram.md` migration table + §11-15 module ERD (§16+ Mig 27-48 chi tiết pending).
+Total: **93 bảng** dbo + `__EFMigrationsHistory` (re-ground S56 `sys.tables` — last Mig 49 AddWorkItemToPurchaseEvaluation, column+index-only). Xem `docs/database/schema-diagram.md` migration table + §11-15 module ERD (§16+ Mig 27-49 chi tiết pending).

 ## N-stage workflow pattern (Mig 18-20 — Session 12-13)

@ -277,7 +278,7 @@ sqlcmd -S .\SQLEXPRESS -d SolutionErp -U vrapp -P <pw> -i migrate.sql

 ## Code pointers

- `src/Backend/SolutionErp.Infrastructure/Persistence/ApplicationDbContext.cs` — DbSet cho 93 bảng (48 migration)
+- `src/Backend/SolutionErp.Infrastructure/Persistence/ApplicationDbContext.cs` — DbSet cho 93 bảng (49 migration)
 - `src/Backend/SolutionErp.Infrastructure/Persistence/DesignTimeDbContextFactory.cs` — EF tooling factory
 - `src/Backend/SolutionErp.Infrastructure/Persistence/DbInitializer.cs` — seed + warn + migrate runtime + backfill (idempotent reconcile pattern)
 - `src/Backend/SolutionErp.Infrastructure/Persistence/Configurations/` — IEntityTypeConfiguration<T> per entity
@ -286,5 +287,5 @@ sqlcmd -S .\SQLEXPRESS -d SolutionErp -U vrapp -P <pw> -i migrate.sql
 ## Related

 - `docs/database/database-guide.md` — conventions + migration workflow chi tiết
- `docs/database/schema-diagram.md` — **ERD 93 bảng** + §11 PE + §12 Budget + §13 PEDeptOpinions (Mig 15) + §14 ApprovalWorkflow V2 (Mig 22-25) + §15 PE Level Opinions V2 (Mig 26); §16+ Mig 27-48 detail pending (xem migration table)
+- `docs/database/schema-diagram.md` — **ERD 93 bảng** + §11 PE + §12 Budget + §13 PEDeptOpinions (Mig 15) + §14 ApprovalWorkflow V2 (Mig 22-25) + §15 PE Level Opinions V2 (Mig 26); §16+ Mig 27-49 detail pending (xem migration table)
 - `docs/gotchas.md` #7, #17, #38 — migration pitfalls + Identity 4-field rename
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -50,7 +50,7 @@ Kiến trúc: **.NET 10 Clean Architecture + 2 React FE (admin + user) + SQL Ser
 - Audit fields: `CreatedAt`, `UpdatedAt`, `CreatedBy`, `UpdatedBy` (`BaseEntity`)
 - Soft delete: `IsDeleted`, `DeletedAt`, `DeletedBy` (`AuditableEntity`)
 - Migrations: `dotnet ef migrations add <Name> --project src/Backend/SolutionErp.Infrastructure --startup-project src/Backend/SolutionErp.Api`
- **Hiện có 48 migration → 93 bảng** (Phase 10 COMPLETE + Phase 11 P11-A→F done — Mig 34-42 HRM/Office/WorkflowApps/Attendance + Contract V2 (32-33) + WireWorkflowApps V2 (41) + LeaveBalance (42) + Holiday filtered-unique (43, S45) + Vehicle/Driver catalog (44, S51) + HRM-catalog filtered-unique 3× (45, S51) + ItTicket SLA (46, S52) + Master filtered-unique 3× (47, S53 gotcha #57 EXT) + Project master fields Year/Investor/Location/Package (48, S55 — AddColumn no new table, kèm nạp 62 dự án + 71 hạng mục + 3 NCC real data từ Excel qua `SeedRealMasterDataAsync` ungated idempotent). V2 schema history S29-era bên dưới giữ nguyên — Mig 32+33 Plan B Contract V2 cookie-cutter mirror PE Mig 22-26 (S29). Mig 26 `AddPeLevelOpinionsForV2`: bảng mới `PurchaseEvaluationLevelOpinions` UNIQUE composite (PEId, LevelId), FK Cascade Pe + Restrict Level. Section 5 "Ý kiến cấp duyệt" V2 dynamic theo workflow đã pin: forEach Step (Phòng) → forEach Level (Cấp) → forEach NV → 1 OpinionBox. Service `ApproveV2Async` UPSERT auto khi NV duyệt — Q1=1B (sync gắn với Duyệt, KHÔNG form input rời). SignedByUserId track signer thật, FE banner "Admin duyệt thay" khi !== ApproverUserId. Comment empty → "(duyệt — không ý kiến)" placeholder. Phiếu V1 legacy fallback Mig 15 4 box readOnly (data history). Mig 25 `AddIsUserSelectableToApprovalWorkflows`: ALTER `ApprovalWorkflows` +`IsUserSelectable bit` (admin pin/unpin workflow nào cho user pick lúc create phiếu, multi-select độc lập IsActive). Backfill `WHERE IsActive=1 SET 1` giữ behavior cũ. Designer +badge "Cho user chọn" + button Ghim/Bỏ ghim. Workspace filter dropdown chỉ workflows `IsUserSelectable=true`. Mig 22-24 V2 schema (Session 17): `ApprovalWorkflows`/Steps/Levels — Quy trình > Bước (Phòng) > Cấp (N NV cụ thể qua ApproverUserId, OR-of-N cùng cấp). PE.ApprovalWorkflowId pin V2. PE.CurrentApprovalLevelOrder track. State machine 5 trạng thái: Nháp / Đã gửi duyệt / Trả lại (Phase riêng TraLai=98) / Từ chối / Đã duyệt. PE Service V2 wire match `actor.Id == ApproverUserId`. Contract V2 ĐÃ WIRE (Mig 32+33 Plan B S29 — cookie-cutter mirror PE V2: `ApproveV2Async` + `ContractLevelOpinions` UPSERT + Workspace V2 Select dropdown). Mig 21 V1 flat workflow vẫn live cho phiếu cũ.)
+- **Hiện có 49 migration → 93 bảng** (Phase 10 COMPLETE + Phase 11 P11-A→F done — Mig 34-42 HRM/Office/WorkflowApps/Attendance + Contract V2 (32-33) + WireWorkflowApps V2 (41) + LeaveBalance (42) + Holiday filtered-unique (43, S45) + Vehicle/Driver catalog (44, S51) + HRM-catalog filtered-unique 3× (45, S51) + ItTicket SLA (46, S52) + Master filtered-unique 3× (47, S53 gotcha #57 EXT) + Project master fields Year/Investor/Location/Package (48, S55 — AddColumn no new table, kèm nạp 62 dự án + 71 hạng mục + 3 NCC real data từ Excel qua `SeedRealMasterDataAsync` ungated idempotent) + PE gắn Hạng mục công việc WorkItemId loose-Guid KHÔNG FK vật lý (49, S57bis — AddColumn+CreateIndex, no new table). V2 schema history S29-era bên dưới giữ nguyên — Mig 32+33 Plan B Contract V2 cookie-cutter mirror PE Mig 22-26 (S29). Mig 26 `AddPeLevelOpinionsForV2`: bảng mới `PurchaseEvaluationLevelOpinions` UNIQUE composite (PEId, LevelId), FK Cascade Pe + Restrict Level. Section 5 "Ý kiến cấp duyệt" V2 dynamic theo workflow đã pin: forEach Step (Phòng) → forEach Level (Cấp) → forEach NV → 1 OpinionBox. Service `ApproveV2Async` UPSERT auto khi NV duyệt — Q1=1B (sync gắn với Duyệt, KHÔNG form input rời). SignedByUserId track signer thật, FE banner "Admin duyệt thay" khi !== ApproverUserId. Comment empty → "(duyệt — không ý kiến)" placeholder. Phiếu V1 legacy fallback Mig 15 4 box readOnly (data history). Mig 25 `AddIsUserSelectableToApprovalWorkflows`: ALTER `ApprovalWorkflows` +`IsUserSelectable bit` (admin pin/unpin workflow nào cho user pick lúc create phiếu, multi-select độc lập IsActive). Backfill `WHERE IsActive=1 SET 1` giữ behavior cũ. Designer +badge "Cho user chọn" + button Ghim/Bỏ ghim. Workspace filter dropdown chỉ workflows `IsUserSelectable=true`. Mig 22-24 V2 schema (Session 17): `ApprovalWorkflows`/Steps/Levels — Quy trình > Bước (Phòng) > Cấp (N NV cụ thể qua ApproverUserId, OR-of-N cùng cấp). PE.ApprovalWorkflowId pin V2. PE.CurrentApprovalLevelOrder track. State machine 5 trạng thái: Nháp / Đã gửi duyệt / Trả lại (Phase riêng TraLai=98) / Từ chối / Đã duyệt. PE Service V2 wire match `actor.Id == ApproverUserId`. Contract V2 ĐÃ WIRE (Mig 32+33 Plan B S29 — cookie-cutter mirror PE V2: `ApproveV2Async` + `ContractLevelOpinions` UPSERT + Workspace V2 Select dropdown). Mig 21 V1 flat workflow vẫn live cho phiếu cũ.)

 ### Modules

@ -63,7 +63,7 @@ Kiến trúc: **.NET 10 Clean Architecture + 2 React FE (admin + user) + SQL Ser
 | Identity (User/Role/Permission/MenuItem) | `Domain/Identity/` | 1, 3, 11 | Feature-complete (30 demo user — 16 sample + 14 Solutions thật) |
 | Forms (Template + Clause) | `Domain/Forms/` | 4 | Feature-complete |
 | Notifications | `Domain/Notifications/` | 6 | In-app + SignalR OK, email SMTP TODO |
-| **Tests** | `tests/SolutionErp.{Domain,Infrastructure}.Tests/` | — | **228 test pass** (58 Domain + 170 Infra) — CI gate + path filter docs-only skip |
+| **Tests** | `tests/SolutionErp.{Domain,Infrastructure}.Tests/` | — | **240 test pass** (58 Domain + 182 Infra) — CI gate + path filter docs-only skip |

 ### Commit convention

@ -84,7 +84,7 @@ tests/
    └── Application/                  (6 test - PeWorkflowDefinition versioning)
 ```

-**228 unit test pass** (58 Domain + 170 Infra). CI gate + path filter live. (S56 +12 golive-harden; S52 +14→200; S53 +3 `MasterCatalogFilteredUniqueTests` — gotcha #57 EXT Master Department/Supplier/Project DONE Mig 47, S53.)
+**240 unit test pass** (58 Domain + 182 Infra). CI gate + path filter live. (S57bis +12 `PeWorkItemGuardTests`; S56 +12 golive-harden; S52 +14→200; S53 +3 `MasterCatalogFilteredUniqueTests` — gotcha #57 EXT Master DONE Mig 47.)

 ```bash
 dotnet test SolutionErp.slnx     # chạy cả 2 test project
@ -128,9 +128,9 @@ Quy tắc:
 | [`docs/workflow-contract.md`](docs/workflow-contract.md) | State machine 9 phase HĐ + role matrix |
 | [`docs/forms-spec.md`](docs/forms-spec.md) | Catalog 8 form + quy định mã HĐ RG-001 |
 | [`docs/database/database-guide.md`](docs/database/database-guide.md) | DB conventions + migration workflow + cheatsheet |
-| [`docs/database/schema-diagram.md`](docs/database/schema-diagram.md) | ⭐ ERD + luồng DB + data flow 93 table (+ §11 PE + §12 Budget + §13 PEDeptOpinions + §14 Contract V2 LevelOpinions; §16+ Mig 32-48 pending) |
+| [`docs/database/schema-diagram.md`](docs/database/schema-diagram.md) | ⭐ ERD + luồng DB + data flow 93 table (+ §11 PE + §12 Budget + §13 PEDeptOpinions + §14 Contract V2 LevelOpinions; §16+ Mig 32-49 pending) |
 | [`docs/flows/README.md`](docs/flows/README.md) | Index 6 flow (auth, permission, contract, form, SLA) |
-| [`docs/gotchas.md`](docs/gotchas.md) | ⭐ 58 bẫy đã gặp — đọc trước khi debug tương tự |
+| [`docs/gotchas.md`](docs/gotchas.md) | ⭐ 60 bẫy đã gặp — đọc trước khi debug tương tự |
 | [`.claude/skills/`](.claude/skills/README.md) | 6 skill: contract-workflow, form-engine, permission-matrix, dependency-audit-erp, ef-core-migration, iis-deploy-runbook |
 | [`docs/guides/vps-setup.md`](docs/guides/vps-setup.md) | ⭐ Master runbook deploy VPS shared với VIETREPORT |

--- a/docs/HANDOFF.md
+++ b/docs/HANDOFF.md
@ -2,7 +2,34 @@

 > **Tiering rule (S40):** giữ **2-3 session gần nhất**. Cũ hơn → `docs/changelog/sessions/`. Full brief history pre-S40 → `docs/_archive/HANDOFF-preS40-fullhistory.md`.

-**Last updated:** 2026-06-09 (Session 56 — **Pre-golive verify sweep + golive-harden 4 fix — Run #379 PASS, code golive-ready**. WF1 `pre-golive-verify` 7-stream + adversarial → 6 PASS/1 CONCERN/0 blocker = GO (key finds = ops not code). WF2 `golive-harden` fix 4: #3 LeaveBalance lost-update→atomic ExecuteUpdate+Serializable tx (NO mig) · #5 ItTicket authz Forbidden-trước-NotFound · #6 DocxRenderer null-guard · #4 Travel/Vehicle ApproveV2 tests. Test 216→**228**. Bundle FROZEN `4SUwDLD8`/`XdKzt9LL`. `sys.tables` re-ground 92→**93**. gotcha **#58** NEW. reviewer StructuredOutput-fail→em main đỡ. **2 ops VPS pending** (gán user IT + tzutil UTC+7). FE Phase 2 redesign **deferred** (recon ready). Commit `a20cde8`. Prev S55 — **Nạp master data thật từ Excel (62 dự án + 71 hạng mục + 3 NCC) + Project +4 cột (Mig 48) — prod-verified**. HMW-mode ON. Commit `69cb393` → Run #377 PASS ~4m33s. Test 216 (compile-fix only). Bundle admin `B-d6893W`/user `XdKzt9LL`. `SeedRealMasterDataAsync` ungated idempotent → coexist demo. 2 agent return truncated (BE+reviewer) → em main disk/runtime-recover. Prev S54 — IT staff tự reassign ticket (cross-stack authz) — prod-verified. 1 code commit `ca4b602` → Run #376 PASS ~4m18s. Test 203→**216**. Bundle admin `DfCfHUE9`→`DmjI8Cmn`/user `_3S0BPJ2`→`YxL_MljK` (cả 2 rotate). NO migration. Task 1 Phase 9 Ops anh dừng. ⚠️ residual: 3 agent ghi MEMORY nhầm `src/Backend/.claude` → em main reconcile. Prev S53: gotcha #57 EXT Master Mig 47 + P11-D/E + database-agent verified-runtime.)
+**Last updated:** 2026-06-11 (Session 58 — **Fix lock-demo-user prod NO-OP — Run #382 PASS, việc sếp deadline 15:00 ĐÓNG TRỌN**. Root cause 2 tầng: lock-list = population Dev-only + `DemoUserPassword` 11 ký tự < prod RequiredLength=12 → CreateAsync silent-fail từ trước tới giờ (= "helpdesk inert" S56). Fix union 20 UAT email + password 12 ký tự → prod 55 user/34 locked, nv.cao+nv.truong sống, 5 real staff tạo. gotcha #59+#60. Commit `5998163`. Prev S57bis — **PE gắn Hạng mục (Mig 49) + Pe all-role + menu Cá nhân + Harness-4 runtime-VERIFIED**. Test 228→**240**. Bundle `CP4CB1ym`/`BmZ3VHnm`. Commit `17b23a4`+`dd117b7` → Run #381 PASS+1PARTIAL (lock NO-OP → RESOLVED S58). Prev S56 — **Pre-golive verify sweep + golive-harden 4 fix — Run #379 PASS, code golive-ready**. WF1 `pre-golive-verify` 7-stream + adversarial → 6 PASS/1 CONCERN/0 blocker = GO (key finds = ops not code). WF2 `golive-harden` fix 4: #3 LeaveBalance lost-update→atomic ExecuteUpdate+Serializable tx (NO mig) · #5 ItTicket authz Forbidden-trước-NotFound · #6 DocxRenderer null-guard · #4 Travel/Vehicle ApproveV2 tests. Test 216→**228**. Bundle FROZEN `4SUwDLD8`/`XdKzt9LL`. `sys.tables` re-ground 92→**93**. gotcha **#58** NEW. reviewer StructuredOutput-fail→em main đỡ. **2 ops VPS pending** (gán user IT + tzutil UTC+7). FE Phase 2 redesign **deferred** (recon ready). Commit `a20cde8`. Prev S55 — **Nạp master data thật từ Excel (62 dự án + 71 hạng mục + 3 NCC) + Project +4 cột (Mig 48) — prod-verified**. HMW-mode ON. Commit `69cb393` → Run #377 PASS ~4m33s. Test 216 (compile-fix only). Bundle admin `B-d6893W`/user `XdKzt9LL`. `SeedRealMasterDataAsync` ungated idempotent → coexist demo. 2 agent return truncated (BE+reviewer) → em main disk/runtime-recover. Prev S54 — IT staff tự reassign ticket (cross-stack authz) — prod-verified. 1 code commit `ca4b602` → Run #376 PASS ~4m18s. Test 203→**216**. Bundle admin `DfCfHUE9`→`DmjI8Cmn`/user `_3S0BPJ2`→`YxL_MljK` (cả 2 rotate). NO migration. Task 1 Phase 9 Ops anh dừng. ⚠️ residual: 3 agent ghi MEMORY nhầm `src/Backend/.claude` → em main reconcile. Prev S53: gotcha #57 EXT Master Mig 47 + P11-D/E + database-agent verified-runtime.)
+
+---
+
+## S58 (2026-06-11) — Fix lock-demo-user prod NO-OP + password-seed root-cause (1 code commit prod-verified Run #382)
+
+**Anh: `/session-start` → bootstrap bắt Run #381 PARTIAL + 2 dirty S57bis → recon → anh chốt 3 quyết định (union+password-fix · giữ chuong.phan-typo · giữ nv.test) → ship 13:00, prod-verified 13:05 (deadline 15:00 dư ~2h).**
+
+**Done (commit `5998163` → Run #382 PASS ~3m31s):**
+- **Fix `DbInitializer.cs` 2 chỗ:** lock list union 20 email UAT-matrix prod thật (`{act,equ,fin,hra,pm,qs}.{nv,pp,tp}@` + `bod.{1,2}@` — tạo TAY 05-13, exact-email KHÔNG pattern) + `DemoUserPassword` `User@123456`→`User@1234567` (11→12 ký tự, thỏa prod `RequiredLength=12` — root cause CreateAsync silent-fail mọi user seed trên prod từ trước, luôn cả nv.cao/nv.truong IT pool + 5 real staff).
+- **🟩 cicd Run #382:** prod Users **55/21 active/34 locked** ✓ · nv.cao+nv.truong CREATED+ACTIVE (**ops S56 "gán user IT" RESOLVED** — helpdesk round-robin sống) · 5 real staff created+active · guard 6/6 (admin/catalog.manager/nv.test/chuong.phan-typo/binh.le/binh.lethanh) · nv.test login+authed 200 · bundle FROZEN `CP4CB1ym`/`BmZ3VHnm` · Mig giữ 49 · 93 tables · custom Identity table = `Users` (không phải `AspNetUsers`).
+- **Closeout S57bis residual:** commit 2 dirty (gotcha #59 + cicd Run #381 entry) · gotcha **#60** NEW · 4 spawn-record on-behalf (H2 Coverage 4-MISS đóng) · H1 5-patch (ef-core +Mig 49 row · skills/README · dep-audit · CLAUDE.md root) · STATUS/HANDOFF flush S57bis+S58 · menu keys re-ground **57** · RAG 2420.
+
+**🔴 NEXT SESSION (anh pick):**
+- **Ops của anh:** (1) `ssh vietreport-vps "tzutil /g"` → confirm `SE Asia Standard Time` · (2) hỏi anh Chương dùng email nào → dọn `chuong.phan@solution.com.vn` typo (đang active chủ đích) · (3) báo 5 real staff mới (`thanh.lethanh`, `anh.nguyen`, `tring.le`, `truong.le`, `long.nguyen`) password mặc định `User@1234567` + yêu cầu đổi · (4) khi gán người thật vào CNTT → thêm nv.cao/nv.truong vào lock list.
+- **test-specialist guard test** cho `LockDemoSampleUsersAsync` (test-after — deadline trade-off S58, IdentityFixture sẵn).
+- **FE redesign Phase 2** (recon ready) · **Phase 9 Ops** (SMTP/backup/creds/UAT) · **monthly audit 2026-07-01** (kèm schema-diagram §16+ Mig 32-49 ERD debt + L1 cap curate cicd-monitor 32.2KB/investigator-codebase 32.1KB + STATUS/HANDOFF re-tier).
+- **Cert** `api.solutions.com.vn` expire ~2026-07-23 (auto-renew ~06-23).
+
+---
+
+## S57bis (2026-06-11 sáng) — PE gắn Hạng mục công việc (Mig 49) + Pe all-role + menu "Cá nhân" + Harness-4 runtime-VERIFIED (Run #381 PASS+1PARTIAL)
+
+**Sếp Zalo 11:02-11:17 deadline 15:00: mapping master data + phân quyền PE all-user + flow tạo phiếu Dự án→Hạng mục→NCC + clear data cũ. Anh chốt: khóa CHỈ user sample · quyền Xem+Tạo · 1 phiếu 1 hạng mục header. 2 commit `17b23a4` (Harness-4) + `dd117b7` (product 26 file) → Run #381 PASS ~4m25s.**
+
+**Done:**
+- **Mig 49 `AddWorkItemToPurchaseEvaluation`** (🔵 database-agent design): PE.WorkItemId `Guid?` loose-Guid KHÔNG FK vật lý (convention PE) + IX + validator NotEmpty create-only + FK-guard `AnyAsync(IsActive)`→Conflict + UpdateDraft null-safe (chống null-hóa S42). WorkItems = catalog GLOBAL → 2 dropdown độc lập, "Dự án (năm) – Hạng mục" = chuỗi ghép. FE ×2 (PeHeaderForm SHA256 IDENTICAL). **Pe_* all-role 130 rows/13 role** (Pe_* leaf KHÔNG trong `MenuKeys.All` → factory; PeWf_* GIỮ Admin). Menu Personal root@30 + re-parent + Master write-lock ×3 controller. Excel (3) = NO-CHANGE vs S55. Test 228→**240** (+12). **Harness-4 runtime-VERIFIED** (spawn-test 2 chiều) + email-back AI_INFRA.
+- ⚠️ **Lessons:** 2 builder truncated #53 + reviewer **die-0-byte ×2** → em main solo vá + self-gate. Đóng VỘI → 2 file dirty trôi S58 (đã commit S58). `LockDemoSampleUsersAsync` 14 email = prod NO-OP (population Dev-only — cicd #381 bắt, → **RESOLVED S58**). → session log `2026-06-11-S57bis-pe-workitem-perm-golive-prep.md`.

 ---

--- a/docs/STATUS.md
+++ b/docs/STATUS.md
--- a/docs/gotchas.md
+++ b/docs/gotchas.md
@ -1070,6 +1070,30 @@ for h in resp.points:    # ← .points không phải iterable trực tiếp

 **References:** `LeaveOtApprovalFeatures.cs:354-405` (ApproveLeaveRequestHandler terminal DaDuyet) · `LeaveBalanceTests.cs` (TwoSeparateRequests accumulate test) · database-agent design S56 (DB11) · surfaced bởi `pre-golive-verify` workflow.

+### 59. PowerShell 5.1 vỡ `git commit -m` khi message chứa `"` — dùng `git commit -F <file>` (Session 57bis)
+
+**Triệu chứng:** `git commit -m @'...here-string có "quote kép"...'@` qua PowerShell 5.1 → git báo `error: pathspec 'án' did not match any file(s) known to git` — message bị CẮT tại dấu `"` đầu tiên, phần sau git hiểu thành pathspec args. Commit KHÔNG được tạo. Dễ tưởng nhầm lỗi Unicode tiếng Việt (không phải — tiếng Việt OK nếu không có `"`).
+
+**Root cause:** here-string single-quote giữ literal ĐÚNG ở tầng PowerShell, nhưng khi gọi native exe (git.exe), PS 5.1 rebuild command-line và escape `"` không chuẩn (legacy native-arg passing) → `"` trong arg phá vỡ arg boundary.
+
+**Fix (proven S57bis):** message dài / nhiều dòng / chứa quote → Write tool ghi file UTF-8 (vd `%TEMP%\commit_msg.txt`) → `git commit -F <file>`. Tránh hẳn native-arg escaping. Message 1 dòng không quote thì `-m` vẫn OK. Cùng họ bài thuốc "file payload" của #8 (Unicode CLI).
+
+**References:** S57bis commit `dd117b7` (lần 1 `-m` fail pathspec — commit 1 cùng batch KHÔNG có `"` nên pass; lần 2 `-F` PASS) · họ hàng #30/#37 (PS 5.1 encoding class).
+
+### 60. Identity seed `CreateAsync` silent-fail vs prod password policy — population Dev ≠ prod, lock/seed-by-email phải dump data thật (Session 58)
+
+**Triệu chứng:** `LockDemoSampleUsersAsync` (S57bis) ship + chạy trên prod nhưng locked=0 — NO-OP hoàn toàn. 14 email hardcode (`bod.huynh@`...) không tồn tại trên prod; demo user thật trên prod là 20 account UAT-matrix scheme khác (`bod.1@`, `pm.nv@`... tạo TAY qua admin UI 05-13, chưa từng nằm trong code). Test xanh + deploy PASS + health 200 — không gì báo lỗi.
+
+**Root cause (2 tầng):**
+1. **Seed silent-fail:** `DemoUserPassword = "User@123456"` (11 ký tự) < prod `Identity:Password:RequiredLength=12` (appsettings.Production.json; Dev fallback 8) → `userManager.CreateAsync` trả `IdentityResult.Failed` — seed code chỉ `LogWarning` + `continue` (by-design 1-fail-không-abort) → **named-person user CHƯA BAO GIỜ được tạo trên prod**, luôn cả `nv.cao`/`nv.truong` (IT pool — chính là root cause "helpdesk inert phòng IT 0 user" S56) + 5 real staff.
+2. **Lock-by-email viết theo population Dev:** author đọc seed code (Dev truth) thay vì dump prod Users → list lệch hoàn toàn.
+
+**Fix (S58 `5998163`):** (a) `DemoUserPassword` → `"User@1234567"` (12 ký tự, thỏa policy mọi env); (b) lock list = union 14 Dev-population + 20 prod-population (exact-email, KHÔNG pattern — `binh.le@` là người thật sát scheme demo).
+
+**Phòng tái diễn:** (1) Mọi thao tác theo-email trên user (lock/deactivate/migrate) → **dump bảng Users env đích TRƯỚC** khi viết list; assertion trả 0/`-1` ⟹ nghi data-mismatch trước khi nghi code. (2) Seed tạo user → password const phải thỏa policy NGHIÊM NHẤT mọi env (prod 12). (3) `IdentityResult` không throw — grep `LogWarning` sau deploy có user-seed mới.
+
+**References:** `DbInitializer.cs` `DemoUserPassword` + `LockDemoSampleUsersAsync` · `DependencyInjection.cs:67` (RequiredLength fallback 8) · `appsettings.Production.json:18` (12) · cicd-monitor Run #381 entry (phát hiện PARTIAL) · investigator-codebase recon S58.
+
 ---

 ## Checklist debug bug mới
@ -1105,3 +1129,5 @@ for h in resp.points:    # ← .points không phải iterable trực tiếp
 28. Nếu sub-agent (Reviewer/CICD) return PASS verdict bị cut mid-sentence ở "Update MEMORY.md" step → MEMORY > 25KB triggers truncation risk. Mitigation: tight brief ≤ 8K + em main grep verify manual + curate MEMORY pre-spawn nếu > 25KB (#53)
 29. Nếu spawn sub-agent trả `API Error: 529 Overloaded` + `tokens=0` → Anthropic API transient overload, agent KHÔNG chạy. KHÔNG retry loop → em main solo fallback reliable (#54). Phân biệt với #53 truncation (agent chạy đủ token nhưng cut output)
 30. Nếu sub-agent WRITE truncate NGAY ĐẦU exploration phase (chưa write file, đọc > 4 reference) → heavy spec ~10K + context bloat. Mitigation: brief ≤ 8K + pre-supply reference snippet trong brief HOẶC em main solo nếu cần đọc > 4 reference file (#55)
+31. Nếu `git commit -m` qua PS 5.1 báo `error: pathspec 'xxx' did not match` với message tiếng Việt có `"` → native-arg escaping vỡ tại quote kép → Write message ra file UTF-8 + `git commit -F <file>` (#59)
+32. Nếu thao tác theo-email/code trên data prod (lock/seed/migrate) trả 0 row affected → DUMP bảng env đích trước khi nghi code — population Dev ≠ prod (seed silent-fail `IdentityResult` không throw) (#60)