[CLAUDE] Docs: S22 chốt cuối — gotcha #47 + 4 agent MEMORY flush + session log cumulative

Session 22 chốt cuối — bro confirm sub-agent solution OK.

Highlights cumulative S21 chốt → S22 chốt:
- 11 commits S22 pushed remote `3d725c4..b04a11a`
- Plan G S22 evidence: 4 sub-agents (3 seeds-only + 1 CICD Monitor Run #188 PASS)
- Plan C + D + E done · Plan F ABORTED pre-flight blocker
- 5 turn S22+ feedback iteration (disable 3 button + seed 20 user + rename role-based + attachment view + Mig 30 per-NV opt-in)

Docs updates:
- STATUS Last updated S22 chốt + S22 prev row preserved (§6.5 KEEP narrative)
- HANDOFF Last updated S22 chốt + S22 prev row preserved
- Session log mới `2026-05-13-2200-s22-chot-cuoi.md` (~12KB narrative + 11 commit table + 7 lessons learned + handoff S23)
- Gotcha #47 mới `.claude/agent-memory/** thiếu paths-ignore filter` (CICD waste 3.5min per MEMORY flush) — PENDING bro fix `.gitea/workflows/deploy.yml`

4 agent MEMORY.md flushed S22:
- Investigator: 30 mig + 104 test + S22 context essentials + Mig 30 entry + cross-ref `feedback_per_nv_permission_scope` 2× reinforced
- Implementer: +6 patterns (7-12 per-NV opt-in / tách endpoint narrow scope / defense-in-depth FE+BE / reflection regression / cookie-cutter test infra / InternalsVisibleTo) + S22 activity (REFUSED 100% cross-stack)
- Reviewer: +Gotcha #47 + Mig 30 + 104 test baseline + S22 self-review narrative + Identity password ≥12 chars note
- CICD Monitor: refresh test 84 → 104 + Mig 29 → 30 (Run #188 PASS preserved)

User memory reinforcement:
- `feedback_per_nv_permission_scope.md` +Section "Reinforcement S22+5" — pattern proven 2× với Mig 30 F4. Anti-pattern default scope expansion. Decision tree thêm scope khi feedback ambiguous → admin opt-in flag per slot
- `MEMORY.md` index entry updated cross-ref S22+5 reinforcement

Stats final:
- 30 migrations (+1 Mig 30)
- 104 tests PASS (+20 S22)
- 47 gotchas (+1 #47 pending fix)
- ~146 endpoints (+3)
- 33 active prod users (rename role-based)
- 6 skills · 4 sub-agents unchanged

KHÔNG cắt narrative cũ — Edit specific lines + Append new entries per §6.5.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.claude/agent-memory/cicd-monitor/MEMORY.md

@@ -104,8 +104,8 @@ Read-only CI/CD pipeline + post-deploy verifier for SOLUTION_ERP. Polls Gitea Ac
 - **Prod URLs:** api / admin / eoffice `.solutions.com.vn`
 - **SSH VPS:** `ssh vietreport-vps` (user=Administrator, key=id_ed25519)
 - **DB prod:** `.\SQLEXPRESS` / `SolutionErp` / vrapp user
-- **Tests baseline:** 84/84 (58 Domain + 26 Infra = 23 baseline + 3 PE WF guard S21 t3) — updated from 81 after Mig 28 PR
-- **Mig latest repo:** Mig 29 `20260513130144_RefactorAdvancedOptionsToPerLevelAndDrafterUser` (S21 t5 — refactor Allow* sang per-NV: 5 col + ApprovalWorkflowLevels, 1 col Users.AllowDrafterSkipToFinal, 6 col DROP ApprovalWorkflows)
+- **Tests baseline:** 104/104 (58 Domain + 46 Infra = 23 codegen + 6 PE WF + 3 PE Guard S21 t3 + 7 ReturnMode + 7 DraftGuard + 5 AuthorizePolicy + 1 V2 actor scope reject) — S22+1 +1 test
+- **Mig latest repo:** Mig 30 `20260513160703_AddAllowApproverEditBudgetToLevels` (S22+5 — per-NV F4 admin opt-in cho Approver edit Section ngân sách ChoDuyet branch). Prev Mig 29 (S21 t5 refactor per-NV) preserved.
 - **Gitea Actions API path:** `/api/v1/repos/{owner}/{repo}/actions/tasks?limit=N` (NOT `/runs` — returns 404). Public no-auth read OK. Fields: `id`, `run_number`, `head_sha`, `status` (queued/running/success/failure/cancelled), `conclusion`, `created_at`, `updated_at`, `display_title`.
 - **Mig latest prod:** sqlcmd `__EFMigrationsHistory ORDER BY MigrationId DESC TOP 5`
 - **Bearer test:**
@@ -139,6 +139,8 @@ Flag commit nếu thấy `<PackageReference Include="MediatR" Version="14...` ho
 
 ## 📅 Recent runs (FIFO last 20)
 
+- **2026-05-13 21:25-21:28 — Run #188 id=302 sha=a74e671 VERDICT=PASS** (S22 — 5 commits: Plan D Users F2 toggle BE+FE Admin AllowDrafterSkipToFinal + Plan C task 1-3 14 service test ReturnMode/Guard + Plan C task 4 5 regression test #44 silent 403 + Plan E PE strict V2 scope + Docs/MEMORY 3-agent drift patch). Duration 3m28s (baseline). Path filter: the push tip `a74e671` includes `.claude/agent-memory/**` files (NOT in paths-ignore) + `docs/**` (in paths-ignore) → Gitea evaluated push as CI-eligible (some files OUTSIDE paths-ignore), trigger fired correctly. **Local test verify: 58 Domain + 45 Infra = 103/103 PASS (+19 from S21 84)** breakdown: 23 codegen + 6 PE WF + 7 ReturnMode + 7 DraftGuard + 5 AuthorizePolicy regression. CI deploy succeeded → inferred test gate PASS (deploy only runs if tests pass). Bundles deployed: admin `index-Cclc8Uwu.js` rotated from `D5l49-70` (21:27:24 PM VPS), user `index-B6N5hq3d.js` UNCHANGED (Plan C/D/E touched only fe-admin, expected). DLLs deployed 21:25-26 PM. Mig 29 `RefactorAdvancedOptionsToPerLevelAndDrafterUser` still TOP 1 (no new mig in S22, expected). **Plan D wire LIVE:** GET `/api/users` response includes `allowDrafterSkipToFinal` field (boolean), PATCH `/api/users/{id}/allow-skip-final` admin=204 ✓ + nv.test=403 ✓ (admin-only enforced). **Plan E wire LIVE:** nv.test PE list totalCount=8 < admin totalCount=17 (strict V2 scope filter ACTIVE — drafter only sees own + participant PE). Smoke 5/5 endpoints 200: `/api/contracts`, `/api/purchase-evaluations`, `/api/menus`, `/api/approval-workflows-v2`, `/api/users`. **Discovery #1:** Rate limit auth login triggers at ~5 requests/min — HTTP 429. Pattern: backoff 60s + retry. Spread login calls or cache token across endpoints in same agent run. **Discovery #2:** `.claude/agent-memory/**` files are NOT in paths-ignore (only `docs/**` + `**/*.md` + `.claude/skills/**` + `.gitignore` + `scripts/**.md`) → MEMORY.md commits DO trigger CI even when "looks like docs". Spec assumption ("docs commit `a74e671` triggers paths-ignore skip per gotcha #41") was incorrect for this case — `.claude/agent-memory/**` triggers CI.
+
 - **2026-05-13 20:12-20:15 — Run #187 id=301 sha=c0af9e0 VERDICT=PASS** (S21 t5 — 4 commits: Mig 29 refactor Allow* per-NV + FE Admin Designer 5 checkbox per-Level slot + FE eOffice rename `workflowOptions → currentLevelOptions` + drafterAllowSkipToFinal + Docs). Duration ~3m18s (baseline). Test gate inferred PASS (deploy stage chỉ chạy sau test gate). Mig 29 applied prod (TOP 1 in __EFMigrationsHistory). Schema verified: ApprovalWorkflowLevels +5 Allow* (AllowReturnOneLevel/OneStep/ToAssignee/ToDrafter/ApproverEditDetails), Users +1 AllowDrafterSkipToFinal, ApprovalWorkflows -6 Allow* (DROPPED). Backfill: 48/48 Levels.AllowReturnToDrafter=1 (default + S21 t4 workflow.AllowReturnToDrafter=true copied đúng), 0/13 Users.AllowDrafterSkipToFinal=1 (S21 t4 workflow.AllowDrafterSkipToFinal=false → 0 user backfill — preserve correct). Bundles deployed 20:14-20:15 (admin `index-D5l49-70.js` was `CzesdXLh`, user `index-B6N5hq3d.js` was `DP-gH4LW` — both rotated ✓). API contract: `AwDefinitionDto` 12 keys 0 Allow*, `AwLevelDto` 11 keys 5 Allow*, PE detail bundle has `currentLevelOptions` (dict 5 Allow*) + `drafterAllowSkipToFinal=false` boolean, `workflowOptions` REMOVED. **Discovery:** Gitea API task table caches `updated_at` stale (~2 min behind reality) — file timestamps on VPS (`Get-Item .dll/.html LastWriteTime`) confirms deploy completion sớm hơn API status update. Cross-check 2 source nếu time-sensitive. Also: `appsettings.Production.json` ở `C:\inetpub\solution-erp\api\` chứa connection string credential (user=vrapp / pwd=`buKL3TGBkD0wDDbYVw65QeX9`) khi `$env:PROD_DB_PASSWORD` empty local.
 
 - **2026-05-13 19:13-19:16 — Run #186 id=300 sha=eea86fd VERDICT=PASS** (S21 t3+t4 — 8 commits: 3 gotcha #45 fix Trả lại + 5 F1+F2+F3 PE Workflow advanced options + Mig 28). Duration 3m32s (baseline). Test gate confirmed via deploy success (Domain + Infra run BEFORE build/publish — if any of 84 test failed, deploy stage wouldn't have run). Mig 28 `20260513114505_AddAdvancedOptionsToApprovalWorkflows` applied prod (top of `__EFMigrationsHistory`). FE bundles deployed 19:15 (admin `index-CzesdXLh.js` + user `index-DP-gH4LW.js`). Smoke 200: `/api/auth/login`, `/api/approval-workflows-v2?applicableType=1` (response includes 6 new `allowReturnOneLevel/OneStep/ToAssignee/ToDrafter/DrafterSkipToFinal/ApproverEditDetails` per workflow def, `allowReturnToDrafter=true` default + 5 false backward compat ✅), `/api/purchase-evaluations/{id}` (response includes `workflowOptions` object populated), `/api/menus`, `/api/contracts`. **Discovery:** API endpoint to list Gitea Actions runs is `/api/v1/repos/.../actions/tasks` (NOT `/actions/runs` — 404). Public no-auth OK for read.
@@ -153,4 +155,4 @@ Flag commit nếu thấy `<PackageReference Include="MediatR" Version="14...` ho
 - Duplicate failure patterns → merge into single entry (vd act_runner timeout x3 → 1 entry)
 - Stale > 3 months → remove
 
-Last curate: 2026-05-13 (added run #187 S21 t5 Mig 29 refactor per-NV + Gitea API stale cache discovery + appsettings credential fallback)
+Last curate: 2026-05-13 (added run #188 S22 Plan C+D+E + test baseline 103 + 2 discoveries: auth rate limit 429 backoff + `.claude/agent-memory/**` NOT in paths-ignore)

.claude/agent-memory/implementer/MEMORY.md

@@ -102,6 +102,66 @@ const isValidPhone = (s: string) => !s || PHONE_RE.test(s.replace(/[\s\-.]/g, ''
 const isValidEmail = (s: string) => !s || EMAIL_RE.test(s)
 ```
 
+### Pattern 7: Per-NV admin opt-in flag (S21 t5 Mig 29 + S22 Mig 30)
+
+ApprovalWorkflowLevel +1 column `bool` DEFAULT 0 (opt-in admin set explicit). EF config `HasDefaultValue(false)`. DTO extend field. FE Designer checkbox inline mỗi Level row.
+
+Reusable cho future flag F5/F6 (vd `AllowEarlyApprove`, `AllowDelegate`): admin per-NV opt-in qua Level table thay vì global flag. Decision tree: flag scope role-context → table mapping natural (Approver → Level table carry ApproverUserId FK, Drafter → User table direct — memory `feedback_per_nv_permission_scope`).
+
+Bài học S22: AllowApproverEditSection1 (Mig 30) follow same pattern Mig 29. 0 schema redesign cần.
+
+### Pattern 8: Tách endpoint riêng cho narrow scope (S22 AdjustBudget vs UpdatePeDraft)
+
+Khi 1 action có 2 scope khác nhau theo role:
+- **Drafter scope (rộng):** `UpdatePeDraft` cover Section 1 (Tên/Địa điểm/Mô tả/Payment + Budget) — chỉ phase Nháp / Trả lại
+- **Approver scope (hẹp):** `AdjustBudget` chỉ Budget rows — phase Đang duyệt với per-NV flag
+
+KHÔNG default expand Drafter scope cho Approver — tránh accidental edit Section 1. Endpoint tách riêng = guard tự nhiên + audit trail rõ.
+
+Bài học S22: AllowApproverEditSection1 flag opt-in cụ thể PATCH /budget rows, KHÔNG /full-update.
+
+### Pattern 9: Defense-in-depth FE + BE guard pair (S22+1)
+
+UI button `disabled={!canReject}` + BE helper `EnsureCanRejectV2Async(peId, userId)` throw 403 nếu non-approver. Tránh request forge non-approver gọi PATCH direct qua DevTools.
+
+Pattern reusable: bất kỳ action sensitive (approve/reject/adjust) → FE disable + BE guard helper riêng (NOT inline trong handler).
+
+Bài học S22+1: 3 button (Duyệt / Trả lại / Từ chối) — UI disable + BE helper. Tránh leak action qua API direct.
+
+### Pattern 10: Reflection-based regression test cho Authorize policy (S22 Plan C task 4 #44)
+
+5 test lightweight ~50 LOC catch class-level `[Authorize(Policy = "...")]` regression:
+```csharp
+var attr = typeof(ControllerXxx).GetCustomAttribute<AuthorizeAttribute>();
+attr.Policy.Should().Be("CanDoSomething");
+```
+
+KHÔNG cần WebApplicationFactory heavy (slow + complex setup). Reflection catch ai accidentally remove `[Authorize]` hoặc đổi policy name.
+
+Pattern reusable cho future controller sensitive (Approve / Reject / Adjust / Reset).
+
+### Pattern 11: Test infra helper cookie-cutter (S22)
+
+Trong `PurchaseEvaluationWorkflowServiceReturnModeTests` + `PurchaseEvaluationDraftGuardTests`:
+
+```csharp
+private async Task<Guid> SeedWorkflowAsync(...) {
+    // 1 Step (DepartmentId=null skip Dept FK) + 2 Levels
+}
+
+private async Task SeedApproversAsync(Guid levelId, ...) {
+    // Multi user via fix.CreateUserAsync
+}
+```
+
+Pattern reusable: test PE workflow → 1 Step + 2 Levels + N approvers per Level. `DepartmentId=null` skip Dept FK ràng buộc. Token cost ~80 LOC repeated cross 2 test class S22.
+
+### Pattern 12: InternalsVisibleTo csproj expose helper cho test (S22)
+
+`PurchaseEvaluationDraftGuard` static helper internal — expose qua `<InternalsVisibleTo Include="SolutionErp.Infrastructure.Tests" />` trong `SolutionErp.Application.csproj` thay vì rewrite public API.
+
+Tránh API surface bloat. Reusable cho future guard / helper internal cần test.
+
 ---
 
 ## ⚠️ Anti-patterns observed (DO NOT)
@@ -121,7 +181,7 @@ const isValidEmail = (s: string) => !s || EMAIL_RE.test(s)
 
 - **BE .NET 10:** PascalCase tiếng Anh entities + DTO records + command names. CQRS + MediatR + FluentValidation + AutoMapper. Repository qua `IApplicationDbContext`. `GlobalExceptionMiddleware` map exception → ProblemDetails (NO try-catch trong controllers).
 - **FE React 19 + Vite 8 + TS 6:** Named export only (trừ App). TanStack Query. shadcn/ui copy-paste. TS6 `erasableSyntaxOnly` cấm `enum` → const-object pattern. UI 100% tiếng Việt. Mirror 2 app rule §3.9.
-- **Test:** baseline 84/84 PASS (58 Domain + 26 Infra: 23 baseline + 3 PE WF guard regression S21 t3 gotcha #45). Phase 9 UAT skip per chunk theo memory `feedback_uat_skip_verify`. Stack xUnit + FluentAssertions 7.2 + EF SQLite 10 `TestApplicationDbContext` override `nvarchar(max) → TEXT`.
+- **Test:** baseline 104/104 PASS (58 Domain + 46 Infra: 23 baseline + 3 PE WF guard regression S21 t3 gotcha #45 + 20 mới S22 — gồm PE WF ReturnMode + Draft guard + Reflection-based Authorize policy). Phase 9 UAT skip per chunk theo memory `feedback_uat_skip_verify`. Stack xUnit + FluentAssertions 7.2 + EF SQLite 10 `TestApplicationDbContext` override `nvarchar(max) → TEXT`.
 - **Build:** `dotnet build SolutionErp.slnx` clean 0 err + `npm run build` × 2 app pass.
 - **Commit:** `[CLAUDE] <scope>: <message>` + Co-Authored-By Claude Opus 4.7 (1M context).
 
@@ -144,6 +204,7 @@ KHÔNG `*` / `latest`. Critical pins:
 
 ## 📅 Recent activity (last 10 FIFO)
 
+- **2026-05-13 (S22, REFUSED 100%):** Em main classified ALL S22 work as cross-stack reasoning chain (BE Mig + Service guard + DTO + FE Designer + FE Section + FE types + tests) → REFUSE per criteria #3+#4. Em main solo executed. State chốt S22: **30 migrations** (+1 Mig 30 AllowApproverEditSection1 per-NV F4 flag), **104 test PASS** (+20 từ 84 — gồm PE WF ReturnMode + Draft guard + Reflection-based Authorize policy regression), ~146 endpoints (+3), 46 gotchas unchanged, 33 active prod users (13 cũ + 20 mới S22+2). 7 patterns successfully applied throughout S22 (validated continued effectiveness): Pattern 7 per-NV admin opt-in flag (Mig 30 follow Mig 29), Pattern 2 EF migration 3-file rule, Pattern 8 tách endpoint narrow scope (AdjustBudget vs UpdatePeDraft), Pattern 9 defense-in-depth FE+BE guard pair (S22+1 disable 3 button), Pattern 10 Reflection-based regression test cho Authorize policy (Plan C task 4 #44, 5 test ~50 LOC), Pattern 11 test infra helper cookie-cutter (SeedWorkflowAsync + SeedApproversAsync), Pattern 12 InternalsVisibleTo csproj expose internal helper cho test. Mismatches discovered S22: (1) "Đang trong quá trình duyệt = người điều chỉnh cũng là người duyệt" — em first interpret default Approver scope always allowed → bro corrected per-NV admin opt-in flag (Mig 30). Lesson: clarify default behavior vs admin opt-in TRƯỚC khi default scope expansion. (2) `PE.changelogs` field KHÔNG có trong PeDetailBundle — em first design history display trong BudgetAdjustSection, build FAIL TS2339. Fix: removed history display (defer S23+ via separate fetch endpoint). (3) Dialog `size="xl"` NOT supported — only "sm" | "md" | "lg". Use "lg" cho preview iframe. (4) API auth field `accessToken` không phải `token`. Script `seed-test-users-prod.ps1` lần đầu FAIL 401 sau auth — em fix `$authResp.accessToken`.
 - **2026-05-13 (S21 t3-t5, REFUSED 3×):** Em main classified all 3 turns as cross-stack reasoning chain (BE+FE+test tightly coupled) → REFUSE per criteria #3+#4 (cross-stack > 2 layers, bug fix reasoning chain). Bug fix gotcha #45 = bug + reasoning, F1+F2+F3 = schema design decision, Refactor per-NV = drastic refactor schema + Service + FE × 2 app. All correct REFUSE — em main solo executed. Strict scope criteria validated S21 t3-t5 — REFUSE rate 100% match Anthropic warning "tightly interdependent coding". Cumulative: 84 test, 29 mig, 45 gotcha. Pattern saved future invocation: per-NV permission scope split natural theo role + EF migration BACKFILL reorder pattern.
 - **2026-05-11 (setup):** Implementer agent initialized. Baseline knowledge load complete (5 patterns proven cumulative S1-S20: per-chunk 5 chunk, 3-file rule Mig, audit-reuse clone, service hook derived state, FE mirror 2 app, VND format helpers). No implementations performed yet. Awaiting first SendMessage from em main. Strict scope auto-refuse criteria active.
 

.claude/agent-memory/investigator/MEMORY.md

@@ -86,7 +86,7 @@ Common queries: `sys.columns`, `sys.triggers`, `__EFMigrationsHistory`, `COUNT(*
 
 ## 🧠 SOLUTION_ERP context essentials (auto-load)
 
-- **DB Dev:** `SolutionErp_Dev` LocalDB (59 tables / 29 migrations / Mig 29 latest `RefactorAdvancedOptionsToPerLevelAndDrafterUser`)
+- **DB Dev:** `SolutionErp_Dev` LocalDB (59 tables / 30 migrations / Mig 30 latest `AddAllowApproverEditBudgetToLevels`)
 - **DB Design:** `SolutionErp_Design` (ef tooling distinct)
 - **DB Prod:** `.\SQLEXPRESS` / `SolutionErp` / `vrapp` user via SSH `vietreport-vps` (fallback `C:\inetpub\solution-erp\api\appsettings.Production.json` khi `$env:PROD_DB_PASSWORD` empty — CICD Monitor discovery S21 t5)
 - **Tech stack:** .NET 10 Clean Arch (Api → Application ← Domain + Infra) + CQRS MediatR + EF Core 10 + 2 React 19 Vite 8 TS 6 (fe-admin :8082 + fe-user :8080) + SQL Server + Gitea Actions CI + IIS prod
@@ -95,7 +95,10 @@ Common queries: `sys.columns`, `sys.triggers`, `__EFMigrationsHistory`, `COUNT(*
 - **Gitea Actions API:** path `/api/v1/repos/.../actions/tasks` (NOT `/actions/runs` — 404). Cache stale ~2 min (gotcha #46) — cross-check VPS file mtime
 - **SSH VPS:** `ssh vietreport-vps` (config `~/.ssh/config` user=Administrator key=id_ed25519)
 - **Gotchas active:** 46 (reference `docs/gotchas.md`)
-- **Tests baseline:** 84 PASS (58 Domain + 26 Infra) — Phase 9 UAT skip per chunk (memory `feedback_uat_skip_verify`)
+- **Tests baseline:** 104 PASS (+20 S22: 5 reg #44 Authorize policy + 7 ReturnMode + 7 Guard + 1 V2 actor scope reject) — Phase 9 UAT skip per chunk (memory `feedback_uat_skip_verify`)
+- **Endpoints:** ~146 (+3 S22: PATCH /users/{id}/allow-skip-final + PATCH /pe/{id}/budget-adjust + GET /pe/{id}/attachments/{attId}/view)
+- **Users:** 30 demo + 33 active prod (13 cũ + 20 mới S22+2 role-based: act/bod/equ/fin/hra/pm/qs prefix `.nv/.pp/.tp` + bod.1/2). Password policy ≥12 chars (S22+2 discovery, `TestUser@2026`)
+- **API auth response:** `accessToken` + `refreshToken` + `user` (S22+2, NOT `token`)
 - **Master HEAD reference:** check via `git log -1 --format='%H'`
 - **6 skills:** `contract-workflow` · `permission-matrix` · `form-engine` · `ef-core-migration` · `dependency-audit-erp` · `iis-deploy-runbook`
 
@@ -104,11 +107,12 @@ Common queries: `sys.columns`, `sys.triggers`, `__EFMigrationsHistory`, `COUNT(*
 ## 🔄 Active workflow schemas (V1 + V2 coexist post-Session 17)
 
 - **V1 Mig 21 flat workflow** — `WorkflowDefinition` pin với PE/Contract cũ. Match Dept+PositionLevel.
-- **V2 Mig 22-29** — `ApprovalWorkflow` pin với PE mới + match `ApproverUserId` 1-1 OR-of-N cùng Cấp. Steps (Phòng) > Levels (Cấp). PE đã wire V2. Contract V2 PENDING (Plan B).
+- **V2 Mig 22-30** — `ApprovalWorkflow` pin với PE mới + match `ApproverUserId` 1-1 OR-of-N cùng Cấp. Steps (Phòng) > Levels (Cấp). PE đã wire V2. Contract V2 PENDING (Plan F drop V1 ABORTED S22+4 — Contract entity HOÀN TOÀN V1 chưa wire V2 + 4 PE V1-only + 19 PE V1+V2 mix).
   - **Mig 25** IsUserSelectable (admin pin/unpin per workflow cho user pick)
   - **Mig 26** PE Level Opinions UPSERT (service hook khi Duyệt)
   - **Mig 28** (S21 t4) 6 Allow* workflow-level — **REPLACED by Mig 29**
   - **Mig 29** (S21 t5) Allow* refactor per-NV: 5 flag on `ApprovalWorkflowLevels` (F1+F3 per Approver slot) + 1 flag on `Users.AllowDrafterSkipToFinal` (F2 per Drafter)
+  - **Mig 30** (S22+5) F4 `AllowApproverEditBudget` per-Level slot on `ApprovalWorkflowLevels` — admin Designer tick per slot cho Approver được edit Budget khi review. Pattern reinforced 2× với Mig 29 F1+F3: default = admin opt-in per slot, KHÔNG = mở rộng default. Cross-ref memory `feedback_per_nv_permission_scope.md` proven cumulative Mig 29 + Mig 30.
 
 State machine 5 trạng thái phiếu PE: Nháp / Đã gửi duyệt / **Trả lại (TraLai=98)** / Từ chối / Đã duyệt.
 
@@ -124,6 +128,7 @@ State machine 5 trạng thái phiếu PE: Nháp / Đã gửi duyệt / **Trả l
 
 ## 📅 Recent activity (last 10 FIFO)
 
+- **2026-05-13 (S22, no spawn — em main solo throughout):** S22 18:00→~21:00 em main solo. Cumulative state: 30 mig (+1 Mig 30 `AddAllowApproverEditBudgetToLevels` F4 per-Level slot), 104 test PASS (+20: 5 reg #44 Authorize policy + 7 ReturnMode + 7 Guard + 1 V2 actor scope reject), ~146 endpoints (+3: PATCH /users/{id}/allow-skip-final + PATCH /pe/{id}/budget-adjust + GET /pe/{id}/attachments/{attId}/view), 46 gotcha unchanged, 19 memory unchanged (recommend +1 entry — see below). Prod active users 13→33 (+20 role-based: act.nv/pp/tp, bod.1/2, equ/fin/hra/pm/qs.nv/pp/tp). **Discoveries S22:** (1) **Per-NV admin opt-in flag pattern reinforced 2×** — Mig 30 F4 cùng pattern Mig 29 F1+F3 (S21 t5). Bro corrected em main lần đầu: "phải tick checkbox như Section 2", default = admin opt-in per slot, KHÔNG = mở rộng default. Cross-ref memory `feedback_per_nv_permission_scope.md` proven 2×. (2) **Plan F drop V1 ABORTED** — pre-flight sqlcmd reveal Contract entity HOÀN TOÀN V1 chưa wire V2 (chưa có ApprovalWorkflowId column) + 4 PE V1-only + 19 PE V1+V2 mix. Lesson: drop migration cần verify entity scope toàn bộ (Contract liên đới — không chỉ PE). (3) **Identity password policy ≥12 chars** — seed 20 user FAIL 400 với "User@123456" (11 chars), `TestUser@2026` (13 chars) pass. (4) **Identity rename atomic 4 fields** confirm gotcha #38: Email + NormalizedEmail + UserName + NormalizedUserName + FullName; sqlcmd cần `SET QUOTED_IDENTIFIER ON` cho filtered unique index. (5) **API login response field name `accessToken` + `refreshToken` + `user`** — KHÔNG có field `token` (correct prior Bash example trong spec dùng `.token` sẽ fail). (6) **PS 5.1 ASCII-only script discipline** reinforced gotcha #30: `seed-test-users-prod.ps1` viết Vietnamese names without diacritics tránh parser error. Recommend bro add 1 memory entry "Admin opt-in flag pattern proven 2×" cumulative Mig 29 + Mig 30.
 - **2026-05-13 (S21 t3-t5, no spawn):** Em main solo 3 turns (bug fix gotcha #45 + F1+F2+F3 workflow-level Mig 28 + refactor per-NV Mig 29). Implementer REFUSE per cross-stack reasoning chain rule. Investigator KHÔNG spawn — em main đã có context cumulative S20 t12 setup + active dev throughout. No findings to flush. Cumulative state update: 84 test, 29 mig, 45 gotcha, 19 memory entries (+2 S21 t5 pending), 6 skills unchanged. Pattern reusable saved cho future spawn: per-NV permission scope split + EF migration ADD→BACKFILL→DROP reorder.
 - **2026-05-11 (setup):** Investigator agent initialized. Baseline knowledge load complete (44 gotchas + 14 memory entries + 6 skills + 27 mig + 81 test pass cumulative). No investigations performed yet. Awaiting first SendMessage from em main.
 

.claude/agent-memory/reviewer/MEMORY.md

@@ -43,6 +43,14 @@ Adversarial pre-commit reviewer for SOLUTION_ERP. Read-only verification + live
 - Symptom: commit migration nhưng thiếu `.Designer.cs` hoặc `ApplicationDbContextModelSnapshot.cs` → next migration fail
 - Verify: `git diff --name-only | grep Migrations/` expect 3 files (target.cs + target.Designer.cs + Snapshot.cs)
 
+### Gotcha #47 — `.claude/agent-memory/**` NOT in `paths-ignore` filter (S22 discovery, PENDING bro decide)
+
+- Symptom: MEMORY.md drift patch commit (end-of-session flush) triggers full CI deploy ~3.5min waste
+- Verify: check `.gitea/workflows/deploy.yml` `paths-ignore` — currently `['docs/**', '**/*.md', '.claude/skills/**']` MISSING `.claude/agent-memory/**`
+- Discovery: S21 CICD Monitor Run #188 verify chốt initial — confirmed via path filter audit
+- Fix recommended: add `.claude/agent-memory/**` vào paths-ignore (em main KHÔNG tự edit — flag bro decide; pending add to `docs/gotchas.md` 47th entry)
+- Severity: minor (CI waste only, no functional impact)
+
 ---
 
 ## 📋 5-category checklist (apply EVERY review)
@@ -107,14 +115,17 @@ Per Cognition documented research:
 
 ## 🧠 SOLUTION_ERP review essentials
 
-- **Tests baseline:** 84/84 PASS (58 Domain + 26 Infra — +3 regression PE WF guard S21 t3 gotcha #45). Must increase nếu feature added per §7; UAT iteration exception per memory `feedback_uat_skip_verify` (Plan C test-after bundle defer)
-- **Gotchas:** 46 active (`docs/gotchas.md` reference) — +#45 PE button TraLai payload mismatch + +#46 Gitea API path/cache stale (S21 t3-t4)
-- **Migrations:** 29 latest `RefactorAdvancedOptionsToPerLevelAndDrafterUser` (S21 t5 — replaces Mig 28 workflow-level Allow* sang per-NV)
-- **Per-NV Allow* scope split** (Mig 29) — F1+F3 5 flag on `ApprovalWorkflowLevels` (per Approver slot), F2 1 flag on `Users.AllowDrafterSkipToFinal` (per Drafter). DTO: `currentLevelOptions` + `drafterAllowSkipToFinal` thay vì `workflowOptions`
+- **Tests baseline:** 104/104 PASS (58 Domain + 46 Infra — +20 từ 84 S21: 5 regression gotcha #44 Authorize class-level + 7 ReturnMode + 7 Guard EnsureCanRejectV2Async + 1 V2 actor scope reject). Must increase nếu feature added per §7; UAT iteration exception per memory `feedback_uat_skip_verify` (Plan C test-after bundle defer)
+- **Gotchas:** 46 active (`docs/gotchas.md` reference) — +#45 PE button TraLai payload mismatch + +#46 Gitea API path/cache stale (S21 t3-t4). +#47 paths-ignore agent-memory gap (S22 PENDING bro confirm add to docs)
+- **Migrations:** 30 latest `AddAllowApproverEditBudgetToLevels` (S22+5 — per-slot F4 flag admin opt-in cho Approver scope edit budget ChoDuyet branch). Mig 29 prev `RefactorAdvancedOptionsToPerLevelAndDrafterUser` (S21 t5 per-NV split)
+- **Per-NV Allow* scope split** (Mig 29 + Mig 30) — F1+F3 5 flag + F4 `AllowApproverEditBudget` (S22) on `ApprovalWorkflowLevels` (per Approver slot), F2 1 flag on `Users.AllowDrafterSkipToFinal` (per Drafter). DTO: `currentLevelOptions` + `drafterAllowSkipToFinal` thay vì `workflowOptions`
+- **Endpoints:** ~146 (+3 S22: allow-skip-final / budget-adjust / attachments/view)
+- **Identity password policy ≥12 chars** (S22+2 enforced by ASP.NET Identity stack — reject `User@123456` 11 chars). Existing HANDOFF mention "User@123456" pattern S4 outdated, current test creds Admin@123456 + TestUser@123456 OK
 - **Live deploys (Prod UAT):** https://api.solutions.com.vn · https://admin.solutions.com.vn · https://eoffice.solutions.com.vn
 - **Bearer token test:**
   - Admin: `admin@solutions.com.vn / Admin@123456` (full quyền)
   - UAT user: `nv.test@solutions.com.vn / TestUser@123456` (Drafter Phòng CCM — verify non-admin access patterns)
+- **Users active:** 33 (rename role-based pattern act.nv / act.pp / act.tp etc.)
 - **Conventions:** `docs/rules.md` (§3.9 mirror 2 FE, §5.2 commit format, §6.5 docs KEEP narrative, §7 test timing, §2.8 package pinning)
 - **6 skills:** `contract-workflow` · `permission-matrix` · `form-engine` · `ef-core-migration` · `dependency-audit-erp` · `iis-deploy-runbook`
 
@@ -133,6 +144,7 @@ Flag commit nếu thấy `<PackageReference Include="MediatR" Version="14...` ho
 
 ## 📅 Recent activity (last 10 FIFO)
 
+- **2026-05-13 (S22 18:00→21:00, no spawn):** Em main solo self-review S22 — Reviewer KHÔNG spawn per UAT mode `feedback_uat_skip_verify`. Em main verify build clean + test pass + npm build × 2 app mỗi chunk (11 commits cumulative). Key validations: (1) Plan E phân quyền strict V2 — actor.UserId scope in List + Detail, Inbox đã strict từ S17, loose UAT clause `|| ApprovalWorkflowId != null` removed. (2) S22+1 V2 actor scope guard BE helper `EnsureCanRejectV2Async` chặn request forge non-approver PATCH /transitions decision=Reject (mirror FE button disable) — defense-in-depth FE+BE pattern. (3) S22+4 AdjustBudgetCommand handler 3-tier scope (Drafter Nháp/Trả lại + Approver ChoDuyet + Admin) — S22+5 refactor ChoDuyet branch dùng `level.AllowApproverEditBudget` flag (admin opt-in per slot) thay default Approver scope (security scope correction per bro feedback). (4) S22+2 Identity password policy enforced ≥12 chars (reject `User@123456` 11 chars outdated). Anti-patterns observed: (a) Default scope expansion mistake S22+4 → S22+5 fix — KHÔNG default expand permission scope without admin tick (per-NV opt-in pattern Mig 29 lesson reinforced); (b) History display field assumption BudgetAdjustSection initial — em assume `PeDetailBundle.changelogs` exists, FAIL TS2339 — pattern verify type fields trước render; (c) PS 5.1 Vietnamese diacritics gotcha #30 reinforced — script `seed-test-users-prod.ps1` first attempt FAIL parser error, ASCII-only discipline. S22+4 attachment view endpoint + S22+4 budget-adjust endpoint chưa qua live curl verify (defer post-deploy — bro UAT direct). S22+5 Mig 30 applied LocalDB Dev + Design via `dotnet ef database update`. New gotcha discovered: #47 paths-ignore agent-memory gap (recommend add to docs/gotchas.md — pending bro decide). Cumulative state: 104 test (+20), 30 mig (+1 Mig 30), 46 gotcha unchanged (gotcha #47 pending), ~146 endpoints (+3), 33 active users. Smart Friend guard still active for future spawn.
 - **2026-05-13 (S21 t3-t5, no spawn):** Em main solo verify via dotnet build + npm build × 2 app + dotnet test suite mỗi chunk. Reviewer KHÔNG spawn — em main self-review per UAT mode `feedback_uat_skip_verify` (skip dotnet test mỗi chunk, vẫn build verify). Gotcha #45 fix self-test 3 regression test (test-before §7). S21 t3-t5 push cumulative 12 commits — CICD Monitor verify post-deploy thay vai Reviewer (deploy ship + bundle hash + schema verify). Cumulative state: 84 test, 29 mig, 45 gotcha, 19 memory entries. Pattern saved cho future review focus: per-NV permission audit (Level table vs User table flag), EF migration backfill SQL injection between ADD-DROP order. Smart Friend guard still active for future spawn.
 - **2026-05-11 (setup):** Reviewer agent initialized. Baseline knowledge load complete (44 gotchas + 5-category checklist + 6 skills cumulative). No reviews performed yet. Awaiting first SendMessage from em main. Smart Friend guard active.