vietreport-admin/solution-erp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[CLAUDE] Docs: S65 session-end closeout — HRM go-live + Hồ sơ NS master-detail + Department hierarchy + PE Link hồ sơ (6 deploy #289→#295)

Browse Source 
Closeout S65 (~6 deploy prod-verified, anh + anh Kiệt FDC UAT realtime):
- STATUS/HANDOFF S65 (Mig 52 · 88 bảng · 263 test · 65 gotcha · menu 53 · bundle admin BDwV5d0X / user DbVv6rsf Run #295) + session log #289→#295.
- gotcha #65 (build csproj con ≠ dotnet build slnx gồm tests → CS7036 Run #291 FAIL-gated; fix +trailing-optional sweep).
- CLAUDE.md root Mig 50→52 + PE row +Mig 52.
- Harvest: H2 GATE 2-MISS closed — 2 on-behalf record (PE-Workflow FE + reviewer empty-return #53) → impl-frontend + reviewer agent-memory. H1 tooling CLEAN (roster/skill/plugin 11/6/18).
- Memory (user-global): +feedback_workflow_fanout_reliability.
Carry-P1: cicd-monitor L1 82KB curate-L2 · mirror Employee page→fe-admin · test-after (HoSoLink/ParentId/HRM-perm).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
pqhuy1987
2026-06-16 11:56:03 +07:00
parent 456c7a721b
commit fe28ca3993
12 changed files with 148 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
.claude/agent-memory/cicd-monitor/MEMORY.md
View File

@ -50,7 +50,7 @@ Read-only CI/CD + post-deploy verifier SOLUTION_ERP. Polls Gitea Actions API, ve
- **Tests baseline:** **263 PASS** (S62 Run #286 sha 7926c21 spec; 45 Domain + 218 Infra em-main supplied; supersedes prev 228/240/256). CI gate runs both test projects BEFORE build/deploy status=success test gate passed (`tasks` endpoint reports terminal as `status:success`, `conclusion` field NOT populated). Local grep undercounts (Theory/InlineData) trust CI conclusion. Phase 9 UAT mode skip per chunk OK.
- **Mig latest repo:** **Mig 50 `20260612173224_ReplaceBudgetModuleWithPeWorkItemBudgets`** (S61; DROPS old Budget module tables + adds PeWorkItemBudgets schema net-reduce). Prev Mig 49 `AddWorkItemToPurchaseEvaluation` + 48 AddProjectMasterFields. Path `src/Backend/SolutionErp.Infrastructure/Persistence/Migrations/` (50 mig .cs non-designer total). Prod check `sqlcmd __EFMigrationsHistory ORDER BY MigrationId DESC TOP 5`. Table-count: `sys.tables` (is_ms_shipped=0, excl mighist) = **88** (S62 Run #286 verified S61 Budget-replace DROPPED tables 9388). Narrative-93 is STALE pre-S61 when commit touches no schema, 88 is correct, don't FAIL on 8893. Always cross-ref COMMIT scope vs ambient count.
- **Bearer:** admin `admin@solutions.com.vn/Admin@123456` (full) · UAT `nv.test@solutions.com.vn/TestUser@123456` (Drafter CCM, gotcha #44 check)
- **Bundle hash live S62:** admin `0xKYGhhf` · user `C81ZdG9G` (Run #286 sha 7926c21, ROTATED from S61 `DsGZlNzT`/`DTL_bjzQ` PE budget soft-warning allow-negative FE×2). Prev-prev S59 `B1DtNT9C`/`D6uF3Mln` (now 2 deploys stale). S50 mid-deploy transient lesson: pre-success snapshot can show intermediate FE copy in-flight re-confirm hash AFTER status=success ALWAYS (anti-pattern #3).
- **Bundle hash live S69:** admin `BDwV5d0X` (FROZEN since S68 Run #293 fe-admin untouched S69) · user `CZfo_PFZ` (Run #294 sha ec517f7 ROTATED from `DXkyUjtQ`, FE-user-only EmployeesListPage org-tree root "SOLUTION COMPANY" 1 file). ASYMMETRIC-deploy lesson (S66): FE-one-app commit that app's bundle MUST rotate + OTHER app MUST stay frozen; admin-rotate-when-only-fe-user-changed = anomaly flag. S50 mid-deploy transient lesson: pre-success snapshot can show intermediate FE copy in-flight re-confirm hash AFTER status=success ALWAYS (anti-pattern #3). FROZEN-expectation runs (BE-only or other-app): hash MUST stay = live pre-deploy value; rotate w/o relevant FE change = anomaly.
- **DB pw (S42, when `$PROD_DB_PASSWORD` empty):** `vrapp/buKL3TGBkD0wDDbYVw65QeX9` read from `C:\inetpub\solution-erp\api\appsettings.Production.json``ConnectionStrings.Default`. Skill-doc path `C:\inetpub\apps\SolutionErp\Api` is STALE real path `C:\inetpub\solution-erp\api`. sqlcmd over SSH works direct (no UTF-16 encode needed). sys-catalog string-concat queries hit collation conflict (`Latin1_General_CI_AS_KS_WS` vs `SQL_Latin1_General_CP1_CI_AS`) add `COLLATE DATABASE_DEFAULT` per concatenated column.
## 🔑 Critical config (flag commit nếu tái xuất)
@ -68,6 +68,13 @@ BE (test+build) ~90s · FE × 2 ~60s/app · deploy ~30s · **total ~3min code /
## 📅 Recent runs (FIFO — older → archive/git)
- **2026-06-16 S70 Run #295 (run_number 295, id409) sha=`456c7a7` PASS ~4m21s (FE-User "Hồ sơ Nhân sự" layout 2-cột: cây tổ chức + list chồng cột trái, detail cột phải + tô màu panel chi tiết — FE-USER-ONLY 1 file, NO BE, NO migration; follow-up S69 Run #294 same page):** Push `ec517f7..456c7a7` 1 file `fe-user/src/pages/hrm/EmployeesListPage.tsx` (309+/262, 571-line layout rewrite). `.tsx` → full pipeline RAN. Both tokens SET this run (GITEA_TOKEN+PROD_DB_PW present — unlike S65-S69 empty; DB pw still works via prod `appsettings.Production.json``ConnectionStrings.Default` `buKL3...` len24). Run IN-PROGRESS first poll (running 11:36) — correctly did NOT verify-bundle-mid-flight (anti#3), polled iter6 status=success (started ~11:36 → success 11:40:46 ≈4m21s). Pre-deploy baseline snapshot iter0: user `CZfo_PFZ` (S69 baseline) + admin `BDwV5d0X` — captured BEFORE poll, correct timing. CI gate (both proj pre-deploy ⟹ status=success ⟹ test gate **263** baseline (45D+218I; FE-only ⟹ 0 BE call-site risk) passed; `conclusion` empty — trust success). **★ BUNDLE ASYMMETRIC (the change-point — FE-one-app verify) ALL PASS, verified AFTER status=success +re-confirm STABLE 2nd-fetch identical no transient (anti#3): user ROTATE `CZfo_PFZ→DbVv6rsf`** ✓ (EmployeesListPage layout-2col shipped — re-rotated from S69's CZfo_PFZ, consecutive FE-user deploys on SAME page = new content-hash each, normal) **+ admin FROZEN `BDwV5d0X`==baseline** ✓ (fe-admin 0 files touched → MUST NOT rotate = correct; rotate-when-untouched = anomaly→flag). Health api live+ready **200/200** + admin/eoffice root 200. **NO migration** — prod `__EFMigrationsHistory` top = `20260616035929_AddHoSoLinkToPurchaseEvaluation` (Mig 52) == repo HEAD GIỮ NGUYÊN ✓ (commit 0 mig files — `git diff --name-only | grep Migrations/` = NONE; FE-only cannot alter schema → top did NOT advance past S68's Mig 52; prev-2 = `AddDepartmentParentId` Mig51 + `ReplaceBudgetModuleWithPeWorkItemBudgets` Mig50 chain intact). sys.tables stays 88 by construction (no schema touch — skipped explicit count, FE-only). 0 regression. NO prod-data mutation (read-only curls + sqlcmd SELECT-only). Visual "2-cột đẹp/tô-màu" NOT verified (anh xem mắt) — only ship+rotate+health+mig-unchanged. **LESSON: pure-FE-one-app verify (3rd consecutive same-page FE-user S68→S69→S70) = (a) status=success ⟹ deploy ran; (b) target-app bundle ROTATE + sibling-app FROZEN (asymmetric — re-rotate of already-rotated page across sessions is NORMAL, each deploy=new hash; rotate-sibling-when-untouched = anomaly); (c) migration top MUST stay = prev (FE cannot alter schema — advancing top on FE-only commit = bug); (d) health 200×3. No BE call-site/DTO/endpoint smoke needed (no API surface). Tokens-present vs empty: both paths work — when GITEA_TOKEN set use `token` header, but anon also fine for public repo. NEVER fixed code (READ-only).** Tag `[s70, run295, pass, fe-user-hoso-2col-layout, fe-only-1file, bundle-asymmetric-user-rotate-admin-frozen, no-mig-top-stays-mig52, tables88, no-regression, test263, tokens-present]`.
- **2026-06-16 S69 Run #294 (run_number 294, id408) sha=`ec517f7` PASS ~4m18s (FE-User cây tổ chức gốc "SOLUTION COMPANY" toả xuống phòng ban — gộp nút "Tất cả"+list-phẳng → 1 node gốc công ty; FE-USER-ONLY 1 file, NO BE, NO migration):** Push `5a0aaa4..ec517f7` 1 file `fe-user/src/pages/hrm/EmployeesListPage.tsx`. `.tsx` → full pipeline RAN. GITEA_TOKEN+PROD_DB_PW empty → anon Gitea API + DB pw từ prod `appsettings.Production.json``ConnectionStrings.Default` (`buKL3...` len24). Run IN-PROGRESS first poll (running 11:24:05) — correctly did NOT verify-bundle-mid-flight (anti#3), polled iter5 status=success (started 11:24:05 → success ~11:28:23 ≈4m18s). CI gate (both proj pre-deploy ⟹ status=success ⟹ test gate **263** baseline (45D+218I; FE-only ⟹ 0 BE call-site risk) passed; `conclusion` empty — trust success). **★ BUNDLE ASYMMETRIC (the change-point — FE-one-app verify) ALL PASS, verified AFTER status=success +re-confirm STABLE 2nd-fetch identical no transient (anti#3): user ROTATE `DXkyUjtQ→CZfo_PFZ`** ✓ (EmployeesListPage shipped — was rotated S68, now re-rotated) **+ admin FROZEN `BDwV5d0X`==baseline** ✓ (fe-admin 0 files touched → MUST NOT rotate = correct; rotate-when-untouched = anomaly→flag). Health api live+ready **200/200** + admin/eoffice root 200. **NO migration** — prod `__EFMigrationsHistory` top = `20260616035929_AddHoSoLinkToPurchaseEvaluation` (Mig 52) == repo HEAD GIỮ NGUYÊN ✓ (commit 0 mig files; FE-only cannot alter schema — top did NOT advance past S68's Mig 52; prev-2 = `AddDepartmentParentId` Mig51 + `ReplaceBudgetModuleWithPeWorkItemBudgets` Mig50 confirm chain intact). sys.tables stays 88 by construction (no schema touch). 0 regression. NO prod-data mutation (read-only curls + sqlcmd SELECT-only). Visual "đẹp/cây-gốc-công-ty" NOT verified (anh xem mắt) — only ship+rotate+health. **LESSON: pure-FE-one-app verify = (a) status=success ⟹ deploy ran; (b) target-app bundle ROTATE + sibling-app FROZEN (asymmetric — rotate-sibling-when-untouched = anomaly); (c) migration top MUST stay = prev (FE cannot alter schema — advancing top on a FE-only commit would be a bug); (d) health 200×3. No BE call-site risk, no DTO/endpoint smoke needed (no API surface changed). Re-rotate of an already-rotated app across consecutive sessions is normal (each FE deploy = new content-hash). Tokens empty: anon Gitea + prod-appsettings DB pw works (Bash tool POSIX — read pw via ssh→appsettings ConnectionStrings.Default len24).** Tag `[s69, run294, pass, fe-user-org-tree-root-company, fe-only-1file, bundle-asymmetric-user-rotate-admin-frozen, no-mig-top-stays-mig52, tables88, no-regression, test263]`.
- **2026-06-16 S68 Run #293 (run_number 293, id407) sha=`5a0aaa4` PASS ~5m00s (FE-User "Hồ sơ Nhân sự" 3-panel master-detail 5-tab rewrite + PE "Link hồ sơ" hyperlink NAS + rename "Dự trù PRO"→"Ngân sách PRO" — CROSS-STACK BE Mig 52 + FE×2; 2-commit `318860a`(FE-User EmployeesListPage) + `5a0aaa4`(PE cross-stack)):** Push `6ce5803..5a0aaa4` 15 files: BE `PurchaseEvaluation.cs`(+HoSoLink) + `PurchaseEvaluationConfiguration.cs` + `PurchaseEvaluationFeatures.cs`(Create/Update cmd +trailing optional `HoSoLink=null`) + `PurchaseEvaluationDtos.cs`(Detail DTO +hoSoLink) + Mig 52 `20260616035929_AddHoSoLinkToPurchaseEvaluation`(3-file) + FE `EmployeesListPage.tsx`(fe-user, 3-panel rewrite cây-tổ-chức+list+5-tab) + PE×2 (`PeDetailTabs.tsx`+`PeWorkspaceCreateView.tsx`+`types/purchaseEvaluation.ts` both apps, mục E hyperlink + label rename). `.cs`+`.tsx`+Mig → full pipeline RAN. GITEA_TOKEN+PROD_DB_PW empty → anon Gitea API + DB pw từ prod `appsettings.Production.json``ConnectionStrings.Default` (`buKL3...`). Run IN-PROGRESS first poll (running 11:15) — correctly did NOT verify-bundle-mid-flight (anti#3), polled iter5 status=success (started 11:13:57 → success 11:18:57 ≈5m). CI gate (both proj pre-deploy ⟹ status=success ⟹ test gate **263** baseline (45D+218I; BE Create/Update +trailing optional param=null ⟹ call-sites UNBROKEN) passed; `conclusion` empty — trust success). **★ MIGRATION APPLIED (the KEY): prod `__EFMigrationsHistory` top = `20260616035929_AddHoSoLinkToPurchaseEvaluation`** ✓ (Mig 52; ADVANCED from prev top Mig 51 `AddDepartmentParentId`; DbInitializer auto-migrate on startup ran — api ready=200 confirms boot OK post-mig). Mig content = AddColumn `HoSoLink nvarchar(1000) maxLength=1000 NULL` (AddColumn-only, NO new table → **sys.tables stays 88** verified). DB-level: `sys.columns WHERE object_id=OBJECT_ID('PurchaseEvaluations') AND name='HoSoLink'` = 1 row ✓ (column physically present prod). **★ BUNDLE BOTH ROTATE (verified AFTER status=success +re-confirm STABLE 2nd-fetch no transient — anti#3): admin `Df06fmpq→BDwV5d0X`** ✓ (PE files shipped — was FROZEN since S67, now correctly rotated) **+ user `DxK3fCfh→DXkyUjtQ`** ✓ (EmployeesListPage + PE files shipped). Both required to rotate per spec → BOTH did. Health api live+ready **200/200** + admin/eoffice root 200. **★ NEW-FIELD live smoke (admin bearer, route `/api/auth/login` field `accessToken` len468):** `GET /api/purchase-evaluations/{48154149...}` (phiếu thật `PE/2026/A/015`) = **200** ✓ JSON detail carries `"hoSoLink":null` (key PRESENT, null cho phiếu cũ = backward-compat ✓ — Detail DTO wired AND Create/Update signature-change did NOT break GET path) · `GET /api/departments/tree` = **200** ✓ (Phase B dependency from Mig 51, still live). 0 regression. NO prod-data mutation (read-only GETs + sqlcmd SELECT-only). **LESSON: nullable-AddColumn cross-stack verify = (a) `__EFMigrationsHistory` top ADVANCED to new Mig (Mig 52) + api ready=200 (auto-migrate boot OK); (b) `sys.tables`=88 unchanged (AddColumn ≠ new table) + `sys.columns` confirms col present; (c) Detail DTO field-presence via authed GET on a REAL phiếu — `"hoSoLink":null` for old rows proves both DTO-wiring AND backward-compat (trailing-optional Create/Update param won't break GET — confirmed 200); (d) cross-stack BE+FE×2 = BOTH bundles rotate (admin un-froze from S67). Tokens empty: anon Gitea + prod-appsettings DB pw works (Bash tool is POSIX bash NOT PS despite shell=PowerShell env — `$env:`/`jq`/`python3` unavailable; parse via `tr ','|grep` + read pw via `ssh→appsettings`).** Tag `[s68, run293, pass, pe-hosolink-mig52-applied, fe-user-hoso-3panel-rewrite, pe-link-hoso-hyperlink, rename-dutru-to-ngansach, bundle-both-rotate-admin-unfroze, hosolink-null-in-dto-backward-compat, no-new-table-88, test263]`.
- **2026-06-16 S67 Run #292 (run_number 292, id406) sha=`6ce5803` PASS ~4m06s (phân cấp phòng ban Department.ParentId + /tree + FE-admin "Phòng cha" picker — CROSS-STACK BE+FE-admin+Mig 51, RETRY của Run #291 FAIL):** Push 3-commit chain `0f44d97`(BE Department.ParentId + DepartmentFeatures + /tree + Config + Mig 51) → `8c8179c`(FE-admin DepartmentsPage picker + types/master.ts) → `6ce5803`(Tests fix `MasterCatalogFilteredUniqueTests.cs` +ParentId 5th arg CreateDepartmentCommand call-site). **★ Run #291 (id405) sha=`8c8179c` = `failure` @10:42:18 (test-gate CS7036 — CreateDepartmentCommand thêm ParentId param nhưng test call-site chưa update → build_test FAIL → deploy GATED → Mig NOT applied).** `6ce5803` = the fix → Run #292 status=success @10:50:16→10:54:22. Files full-range (8 src incl `.cs`+`.tsx`+Mig 3-file) → full pipeline RAN. Tokens empty → anon Gitea API + DB pw từ prod `appsettings.Production.json``ConnectionStrings.Default` (`buKL3...`). CI gate (both proj pre-deploy ⟹ status=success ⟹ test gate **263** (45D+218I, +1 fixed call-site) passed; `conclusion` empty — trust success). **★ MIGRATION APPLIED (the KEY — last time gated, this time landed): prod `__EFMigrationsHistory` top = `20260616032402_AddDepartmentParentId`** ✓ (Mig 51; prev top Mig 50 `ReplaceBudgetModuleWithPeWorkItemBudgets`; DbInitializer auto-migrate on startup ran — api ready=200 confirms boot OK post-mig). Mig content = AddColumn `ParentId uniqueidentifier NULL` + `IX_Departments_ParentId` (loose-Guid NO physical FK — convention Master; AddColumn-only, NO new table → sys.tables stays 88). **★ BUNDLE ASYMMETRIC (verified AFTER status=success, terminal not mid-flight): admin ROTATE `DRob3iVl→Df06fmpq`** ✓ (fe-admin picker shipped — was FROZEN since S65, now rotated correctly) **+ user FROZEN `DxK3fCfh`==baseline** ✓ (fe-user 0 files touched → MUST NOT rotate = correct). Health api live+ready **200/200** + admin/eoffice root 200. **★ NEW-ENDPOINT live smoke (admin bearer, route `/api/auth/login` field `accessToken` len468):** `GET /api/departments/tree` = **200** ✓ JSON array nodes each w/ `parentId`+`directEmployeeCount`+`totalEmployeeCount`+`children[]` (e.g. CCM direct=10/total=10, BOD 1/1, ACT 0/0; all `parentId:null` currently — no parent assigned yet in prod, but col+endpoint live) · `GET /api/departments?page=1&pageSize=5` list = **200** ✓ DTO includes `parentId` (IT/PM both null). 0 regression. **LESSON: FAIL→retry chain — when commit N fails test-gate (CS7036 call-site mismatch from a signature change) the deploy is GATED so prod Mig stays at N-1; the FIX commit N+1 must re-trigger a NEW run (here #292) whose success ⟹ Mig finally applies. KEY verify on retry = confirm `__EFMigrationsHistory` top ADVANCED to the new Mig (not stuck at prev) + api ready=200 (no startup crash from the auto-migrate). Cross-stack BE+FE-one-app = asymmetric bundle: changed-app rotates (admin un-froze from S65), untouched-app stays frozen. New endpoint = curl 200 + structural-key presence proof; FK-less ParentId is convention (PE/Master loose-Guid) not a defect. Tokens empty: anon Gitea + prod-appsettings DB pw works (PS `$env:` syntax in spec N/A — Bash tool is POSIX, read pw via ssh→appsettings).** Tag `[s67, run292, pass, dept-parentid-hierarchy, mig51-applied-after-291-fail, retry-chain-cs7036-fix, bundle-asymmetric-admin-rotate-user-frozen, tree-endpoint-200, no-new-table-88, test263]`.
- **2026-06-16 S66 Run #290 (run_number 290, id404) sha=`c98030f` PASS ~4m24s (redesign foundation màu fe-user "nâng màu giữ brand" — FE-USER-ONLY 14 files, NO BE, NO migration):** Push `4004481..c98030f` 14 files all `fe-user/src/**` (index.css + 6 ui primitives Button/Dialog/Input/Label/Select/Textarea + 4 shell DataTable/Layout/PageHeader/TopBar + UserDashboardPage + 2 color-map types contracts/purchaseEvaluation). `.tsx`+`.css` → full pipeline RAN. GITEA_TOKEN+PROD_DB_PW empty → anon Gitea API + (DB pw read deferred, FE-only no DB touch). Run IN-PROGRESS first poll (running 10:15) — correctly did NOT verify-bundle-mid-flight (anti#3), polled iter3 status=success (10:13:04→10:17:28 ≈4m24s). CI gate (both test proj pre-deploy ⟹ status=success ⟹ test gate **263** baseline (45 Domain + 218 Infra) passed; `conclusion` empty — trust success). **★ BUNDLE ASYMMETRIC (the change-point — one-app-FE verify) ALL PASS, verified AFTER status=success +re-confirm STABLE no transient: user ROTATE `Cpion_xQ→DxK3fCfh`** ✓ (fe-user 14 files shipped) **+ admin FROZEN `DRob3iVl`==baseline** ✓ (fe-admin 0 files touched → MUST NOT rotate = correct). Health api live+ready **200/200** + admin/eoffice root 200. **★ CSS-REDESIGN-SHIPPED PROOF (live-vs-source diff, defeats stale-bundle false-pass):** fetch live eoffice CSS `index-DZ-56qoN.css` (71740 B) → grep brand `#1F7DC1` PRESENT + NEW accent tokens `--color-teal-{50..800}` + `app-gradient-brand` + `card-accent` (×5) + `--color-accent-{500,600}` ALL PRESENT ✓. Cross-check: these tokens = **0 occurrences in HEAD~1 index.css**, **added in c98030f** (git show source: teal×6, app-gradient-brand×1, card-accent×5, 1F7DC1×1) → live CSS IS new redesign NOT stale. **NO migration** — repo HEAD top = Mig 50 `ReplaceBudgetModuleWithPeWorkItemBudgets` GIỮ ✓ (commit 0 mig files; FE-only cannot alter schema → prod `__EFMigrationsHistory` top stays Mig 50 by construction, fe-user site static no .NET runtime — DB check skipped per FE-only scope). 0 regression. **LESSON: ASYMMETRIC FE-one-app verify = (a) status=success ⟹ deploy ran; (b) target-app bundle ROTATE + sibling-app FROZEN (rotate-sibling-when-untouched = anomaly→flag); (c) for visual/CSS redesign — fetch live CSS asset + grep claimed tokens, AND diff-prove tokens were 0-in-HEAD~1 / added-in-commit (live-token-present alone could be coincidental stale; the 0→N delta defeats stale-bundle false-pass). Visual "đẹp" NOT verified (anh xem mắt) — only ship+rotate+CSS-token-present. Tokens empty: anon Gitea works; FE-only ⟹ no DB pw needed.** Tag `[s66, run290, pass, fe-user-redesign-foundation, fe-only-14files, bundle-asymmetric-user-rotate-admin-frozen, css-tokens-shipped-0to-N-delta, teal-accent-gradient-brand, no-mig, test263]`.
- **2026-06-16 S65 Run #289 (run_number 289, id403) sha=`4004481` PASS ~4m41s (mở quyền XEM "Hồ sơ Nhân sự" read-only cho MỌI role eoffice — BE-ONLY 1 file DbInitializer SEED, NO migration, NO FE):** Push `cfed3d0..4004481` 1 file `DbInitializer.cs` (+66, new `SeedAllRolesHrmProfileReadPermissionsAsync` grant CanRead `Hrm`+`Hrm_HoSo` 13 role, upgrade-only mirror PE :2107, chạy SAU `RevokeTemporarilyHiddenModulesAsync` S58 để THẮNG revoke; Create/Update/Delete giữ false). `.cs` → full pipeline RAN. **GITEA_TOKEN+PROD_DB_PW empty** → anon Gitea API + DB pw từ prod `appsettings.Production.json``ConnectionStrings.Default` (`buKL3...`). Run IN-PROGRESS first poll (running 09:53) — correctly did NOT FAIL/verify-bundle-mid-flight (anti#3), polled iter5 status=success (09:52:03→09:56:44 ≈4m41s). CI gate (both proj pre-deploy ⟹ status=success ⟹ test gate **263** baseline (45 Domain + 218 Infra) passed; `conclusion` empty — trust success). **Bundle FROZEN (BE-only, NO FE change → MUST NOT rotate = correct): admin `DRob3iVl` + user `Cpion_xQ`** ✓ both unchanged pre==post (live advanced from S62 `0xKYGhhf`/`C81ZdG9G` via intervening S63/S64 FE deploys — narrative-Run#286 hash now 3 deploys stale; current live = baseline). Health live+ready **200/200** + admin/eoffice root 200. **NO migration** — prod `__EFMigrationsHistory` top = `20260612173224_ReplaceBudgetModuleWithPeWorkItemBudgets` (Mig 50) == repo HEAD GIỮ ✓ (commit 0 mig files). **★ SEED-EFFECT 7-CHECK reviewer ALL PASS (the change-point — asymmetric read-open/write-locked, non-admin `nv.test`=Drafter + admin):** (1) menus/me non-admin tree = exactly `['Hrm','Hrm_HoSo']` present ✓ + (4) `Hrm_Dashboard`+`Hrm_Config*` ABSENT ✓ (revoke still che); (2) non-admin GET /api/employees?page=1&pageSize=20 = **200** ✓ (was 403 — MẤU CHỐT, seed áp đúng + `Hrm_HoSo.Read` resolve qua permission matrix); (3) non-admin GET /api/employees/{id} = **200** ✓; (5) non-admin POST = **403** ✓; (6) non-admin PUT+DELETE = **403/403** ✓ (read-only giữ); (7) admin GET = **200** ✓ no regression. **DB-level ground-truth (sqlcmd via SSH):** `Permissions WHERE MenuKey IN ('Hrm','Hrm_HoSo')` = 13 rows EACH, all CanRead=1, AnyWrite=1 (=Admin only, full CRUD legit — upgrade-only KHÔNG hạ write existing) ✓. EmployeeProfiles=33 INTACT + ZZCICD-PROBE=0 (403 POST tạo 0 rows, no leak) ✓. ⚠️ **CRED NOTE: reviewer spec ghi non-admin pw `User@1234567` SAI** → 401 "Email/mật khẩu không đúng"; pw THẬT = memory-baseline `TestUser@123456` ✓. 0 regression. **LESSON: SEED-change verify (DbInitializer, no-mig) = (a) status=success ⟹ app restarted ⟹ seed ran; (b) prove EFFECT not schema — curl asymmetric probe (read 200 / write 403 / admin 200) + sqlcmd Permission-row count==role-count w/ CanRead=1 & write-row=Admin-only; (c) "seed NO-OP" failure-class (S58) caught iff check#2 still 403 post-restart — here 200 ⟹ revoke-then-grant ordering correct. BE-only ⟹ bundle FROZEN = pass-signal (rotate w/o FE = anomaly). Tokens empty: anon Gitea + prod-appsettings DB pw works. Spec creds may be illustrative — fall back to memory-baseline on 401.** Tag `[s65, run289, pass, hrm-hoso-public-readonly, seed-only-no-mig, bundle-frozen, asymmetric-read200-write403, permrows-13-canread, no-leak, spec-cred-wrong-fallback-baseline]`.
- **2026-06-13 S62 Run #286 (run_number 286, id400) sha=`7926c21` PASS ~4m41s (PE "vượt ngân sách" → SOFT-WARNING: gỡ chặn số âm — CROSS-STACK 1 BE validator-rule-removal + 2 FE PeDetailTabs ×2 + 1 test flip, NO migration):** Push `79ef8da..7926c21` 4 files: BE `PurchaseEvaluationFeatures.cs` (gỡ 1 FluentValidation rule `ExpectedRemainingAmount >= 0` trong `AdjustPurchaseEvaluationBudgetCommandValidator`) + `PeDetailTabs.tsx` ×2 app (allowNegative row8 + banner "Vượt ngân sách") + `PeWorkItemBudgetTests.cs` (flip 1 test). `.cs`+`.tsx` → full pipeline RAN. GITEA_TOKEN+PROD_DB_PW empty → anon Gitea API + DB pw từ prod `appsettings.Production.json``ConnectionStrings.Default`. Run IN-PROGRESS first poll (running 11:15) — correctly did NOT FAIL/verify-bundle-mid-flight (anti-pattern #3), polled iter5 status=success (started 11:14:00 → success 11:18:41 ≈4m41s). CI gate (both test proj pre-deploy ⟹ status=success ⟹ test gate **263** baseline (45 Domain + 218 Infra) passed; `tasks` endpoint reports terminal as `status:success`, `conclusion` empty — trust success). **Bundle ROTATE BOTH (load-bearing FE×2, verified AFTER status=success +re-confirm STABLE no transient — anti-pattern#3): admin `DsGZlNzT→0xKYGhhf` + user `DTL_bjzQ→C81ZdG9G`** ✓ both touched (FE changed both apps). Title "Solutions ERP · Admin" preserved. Health live+ready **200/200** + admin/eoffice root 200. Smoke: PE unauth **401** (auth gate real) + control `/api/zzz-not-a-route` **404** (routing live, 401 not catch-all). **NO migration** — prod `__EFMigrationsHistory` top = `20260612173224_ReplaceBudgetModuleWithPeWorkItemBudgets` (= S61 "Mig 50", Budget→PeWorkItemBudgets replace) == repo HEAD, GIỮ NGUYÊN ✓ (commit 0 migration files; repo 50 mig .cs total). sys.tables(excl mighist)=**88** (S61 replace-mig DROPPED Budget tables 93→88; convention/count shift from S61 NOT this commit — FE+validator-only cannot alter schema). 0 regression. **LESSON: validator-rule-removal (negative-allow soft-warning) = internal handler-pipeline behavior — cannot curl-assert "now accepts negative ExpectedRemainingAmount" without authed multi-step adjust flow → rely on +flip PeWorkItemBudgetTests in CI gate 263 passing + bundle-rotate-both (FE banner shipped). Table count 88 (not 93) is S61 Budget-replace aftermath, not regression — always cross-ref what the COMMIT touched vs ambient schema state.** Tag `[s62, run286, pass, pe-budget-soft-warning, allow-negative, cross-stack, bundle-rotate-both, no-mig, test263, tables88-s61-aftermath]`.
- **2026-06-12 S60 Run #283 (run_number 283) sha=`37122f0` PASS ~5m (PE guard 4-thông-tin mục 3 khi gửi duyệt + bypass người-soạn-trong-chuỗi-duyệt + rename heading "Đơn vị NCC/TP được chọn" — CROSS-STACK 1 BE service + 2 FE PeDetailTabs ×2 + 1 NEW test file):** Push `792c030..37122f0` 7 files: `PurchaseEvaluationWorkflowService.cs` (BE submit-guard + drafter-bypass) + `PeDetailTabs.tsx` ×2 app + `PeSubmitGuardAndBypassTests.cs` (NEW, +14 → 240→**254** expected) + 3 agent-memory `.md` (harvest-curator/investigator-codebase/test-specialist — `.claude/agent-memory/**` matches `**/*.md` glob → ignored, but `.cs`+`.tsx` present ⟹ whole-range builds, Discovery #3). GITEA_TOKEN+PROD_DB_PW empty → anon Gitea API + DB pw từ prod `appsettings.Production.json``ConnectionStrings.Default`. Run IN-PROGRESS first poll (running 11:55) — correctly did NOT FAIL, polled iter5 status=success (started ~11:54 → success 11:59:26 ≈5m). CI gate (both test proj pre-deploy ⟹ status=success ⟹ test gate 254 passed; `tasks` endpoint reports terminal as `status:success`, `conclusion` empty — trust success). **Bundle ROTATE BOTH (load-bearing, verified AFTER status=success — anti-pattern#3): admin `B1DtNT9C→akytoBnc` + user `D6uF3Mln→BzSdQmN0`** ✓ both touched (FE changed both apps). Brand `1F7DC1` preserved both HTML. Health live+ready **200/200** + admin/eoffice root 200. Smoke: PE unauth **401** + contracts unauth **401** + control `/api/zzz-not-a-route` **404** (auth gates real, routing live). **NO migration** — prod `__EFMigrationsHistory` top = Mig 49 `AddWorkItemToPurchaseEvaluation` == repo, GIỮ NGUYÊN ✓ (PE.MaPhieu col, not Code). sys.tables(excl mighist)=**92** (convention diff vs narrative-93, no new table — col/logic-only). **DATA INTACT (no-touch verify, sqlcmd): PE_count=3 · PE/2026/A/001 EXISTS (=1, phiếu UAT thật giữ nguyên ✓) · Suppliers=23 · WorkItems=71** — counts vs S59 (PE was 1 #275, Suppliers 22 #278) GREW from legit ongoing-UAT (this commit = FE+BE-service, NO DbInitializer/seed change → cannot resurrect/wipe; growth is user activity not deploy-induced). 0 regression. **LESSON (cross-stack submit-guard + drafter-bypass = ship-proof via run-success + test 254 + bundle-rotate-both + PE-data-preserved; the guard/bypass logic is internal handler behavior — cannot curl-assert "block submit when mục-3 incomplete" or "skip drafter in chain" without authed multi-step flow → rely on +14 PeSubmitGuardAndBypassTests in CI gate passing). SSH→sqlcmd via `iconv UTF-16LE|base64`→`powershell -EncodedCommand` (nested bash→ssh→PS strips `$vars`/mangles quotes); PE code column = `MaPhieu` NOT `Code`.** Tag `[s60, run283, pass, pe-submit-guard, drafter-bypass-in-chain, cross-stack, bundle-rotate-both, no-mig, test254, pe-a001-preserved]`. **↳đợt2 (14:14): Run #284 (run_number 284, id398) sha=`6db195d` PASS ~4m31s — GỠ hành động "Từ chối" khỏi quy trình PE (chỉ còn Duyệt/Trả lại; CROSS-STACK Domain `PurchaseEvaluationPolicy.cs` + Infra `PurchaseEvaluationWorkflowService.cs` guard + FE `PeWorkflowPanel.tsx` ×2 app + 2 NEW test `PurchaseEvaluationPolicyTests`/`PurchaseEvaluationWorkflowServiceGuardTests`, +2 → 254→256 expected: 59 Domain + 197 Infra). Push `37122f0..6db195d` 6 files (.cs+.tsx → full pipeline). Tokens empty → anon Gitea API + prod appsettings DB pw `ConnectionStrings.Default`. Run IN-PROGRESS first poll (running 14:31) — correctly did NOT FAIL, polled iter5 status=success (14:30:51→14:35:22 ≈4m31s; CI both-proj-pre-deploy ⟹ success ⟹ 256-gate passed, `conclusion` empty trust success). Bundle ROTATE BOTH (verified AFTER status=success — anti#3): admin `akytoBnc→DSvM8h3A` + user `BzSdQmN0→Cs2Tt5n6` ✓ both touched. Health live+ready 200/200 + admin/eoffice root 200 + PE unauth 401 + control /api/zzz-not-a-route 404. NO migration — prod top=Mig 49 `AddWorkItemToPurchaseEvaluation`==repo GIỮ ✓. sys.tables(excl mighist)=92. DATA INTACT: PE_count=4 (grew from 3 @#283 — legit ongoing-UAT; BE-policy+FE-only NO seed change → cannot resurrect/wipe) · PE/2026/A/001 EXISTS (=1 phiếu UAT thật giữ ✓). 0 regression. LESSON: "Từ chối"-removal = internal policy/handler behavior, cannot curl-assert "reject action gone" without authed multi-step flow → rely on +2 PolicyTests/GuardTests in CI gate passing. Tag `[s60-dot2, run284, pass, pe-remove-reject-action, cross-stack, bundle-rotate-both, no-mig, test256, pe-a001-preserved]`.**
- **2026-06-11 S59-CLOSE Run #280 (run_number 280) sha=`69997da` PASS ~4m24s (FINAL đóng sổ session — FE-only ×2 PeDetailTabs+PeHeaderForm bỏ ô "Tên ngân sách" manual budget UAT vòng4):** Push `f21c55d..69997da` 4 `.tsx` (PeDetailTabs+PeHeaderForm ×2 app). **Run #279 (id393) sha=`f21c55d` (NCC table-fixed UAT vòng3) = `cancelled` @18:22:33 — supersede-BENIGN:** #280 push @18:22:34 (1s gap → Gitea concurrency-cancel in-flight) + `git merge-base --is-ancestor f21c55d 69997da`=TRUE ✓ (f21c55d preserved trong HEAD, ships via #280 — verified diff f21c55d→69997da chỉ +4 PeDetail/Header file, không re-touch 12 file vòng3). Tokens empty → anon Gitea API + prod appsettings DB. Poll iter4 status=success (18:22:34→18:26:58). **Bundle ROTATE BOTH FINAL (verified AFTER success +re-confirm STABLE no transient — anti#3): admin `BSh2fG2X→BKy_8OO9` + user `D22KfpPc→XcZ6PRyA`** ✓ session-close hash, brand `1F7DC1`+"Solutions ERP" preserved ×2. Health live+ready **200/200** + admin/eoffice root 200 + PE unauth 401 + control 404. **NO migration** (FE-only, Mig 49 held). LESSON (mirror Run #385 supersede-chain): same-SHA `cancelled` mid-flight = concurrency-supersede bởi newer push (1s HEAD-move), KHÔNG build/deploy-fault → ancestor-check TRUE = benign, verify prod qua SUCCESSFUL run #280 (NOT cancelled #279), KHÔNG escalate. Tag `[s59-close, run280-pass, run279-cancelled-benign, supersede-chain, fe-budget-name-remove-x2, bundle-rotate-both-FINAL, no-mig]`. **↳FINAL-v2 (tối): `80b64dd` (Run #281 cancelled-BENIGN) gỡ "Điều khoản thanh toán" 3-form ×2 → superseded bởi `792c030` Run #282 PASS ~4m (UAT vòng6 bỏ nút "+Thêm hạng mục" PeDetailTabs ×2). Ancestor 80b64dd⊂792c030=TRUE ✓ (792c030 chỉ re-touch PeDetailTabs, KHÔNG đụng PeHeaderForm/PeWorkspaceCreateView → paymentTerms-removal survives). Verify qua #282-success. Bundle ROTATE BOTH ĐÓNG-SỔ-THẬT (AFTER success +re-confirm STABLE no transient): admin `BKy_8OO9→B1DtNT9C` + user `XcZ6PRyA→D6uF3Mln` ✓, brand `1F7DC1` ok. Health live+ready 200/200 + 2 FE root 200. NO mig (FE-only). Lần thứ 3 liên tiếp supersede-chain (#279/#281 cancelled-benign) — pattern stable.**
@ -79,6 +86,7 @@ BE (test+build) ~90s · FE × 2 ~60s/app · deploy ~30s · **total ~3min code /
- **2026-06-11 Run #274 (run_number 274) sha=`0eafcd3` PASS ~4m51s (S59-đợt2 FE×2 PE-list tree 4-tầng "Năm>Dự án>Hạng mục>Phiếu" — follow-up Run #273 đổi từ 2-tầng-gộp-label sang 4-tầng explicit):** Push `56882ac..0eafcd3` 2 files `PurchaseEvaluationsListPage.tsx` ×2 app ONLY (SHA256 mirror identical `95d524ee`). `.tsx` → pipeline RAN. GITEA_TOKEN+PROD_DB_PW empty → anon API + prod appsettings pw. Run IN-PROGRESS first poll (running 16:37) — polled iter6 status=success (16:37:06→16:41:57). **Bundle ROTATE BOTH (verified AFTER success +re-confirm stable NO transient — anti-pattern#3): admin `R9uGRxvw→DuU7OTym` + user `DikfX1RD→DWyeTzf3`** ✓ both touched. Health live+ready **200/200** + admin/eoffice root 200. **NO migration** (FE-only). Spot-check **PE=0** held post-deploy (FE-only no restart-resurrection risk; wipe gate still HELD from #273). Test gate 240 (CI both proj pre-deploy ⟹ success=passed). 0 regression. LESSON: FE-only follow-up of a wipe-session needs only light PE=0 re-confirm (no full infra re-audit) — restart risk already cleared #273. Tag `[s59-dot2, run274, pass, fe-list-4tier-x2, bundle-rotate-both, no-mig, pe-zero-held]`.
- **2026-06-11 Run #385#386 SUPERSEDE-CHAIN sha=`ea793a4` CANCELLED(benign)→shipped-via `3ebaf84` #386 PASS ~4m25s (S58 brand-accent polish x2 app then PE-workitem-merge):** Target push `6e53e33..ea793a4` 8 files FE polish CẢ 2 app (Layout/TopBar/PageHeader/DataTable each — stripe đỉnh + logo-zone tint + PageHeader accent bar + thead brand-50/60), NO BE/Mig. **Run #385 (run_number 271) status=`cancelled` @14:14:22 — NOT a fail: superseded by newer push `3ebaf84` (#386 run_number 272) landed @14:14:31 (Gitea concurrency-guard cancels in-flight same-branch run).** HEAD moved ea793a4→`3ebaf84`. **Verified ea793a4 IS ancestor of 3ebaf84 + the 8 polish files NOT re-touched by 3ebaf84 → polish PRESERVED in tree, ships via #386.** #386 adds 4 PE files (PeHeaderForm/PeWorkspaceCreateView ×2 app, anh Kiệt FDC 14:06 — gộp Tên gói thầu=chọn Hạng mục) → both apps rebuilt anyway. Polled #386 to status=`success` (started 14:14:31→14:18:56). **Bundle ROTATE BOTH (load-bearing, verified AFTER #386 success — anti-pattern #3): admin `CP4CB1ym→DMm9rtNA` (css `vMtY6u47→DDlKud5i`) + user `CKjwqnGL→BUkOMn_Y` (css `CV0H5hnq→BgAUPcnL`)** ✓ both touched → both rotate. **Brand preserved both apps: `1F7DC1` in HTML + `Be Vietnam Pro`+`1f7dc1` in CSS bundle; BONUS polish landed: `brand-50`/`brand-60` Tailwind classes present in BOTH CSS bundles** (thead/tint/accent shipped). Health live+ready **200/200** + admin/eoffice root 200. **NO migration** — prod `__EFMigrationsHistory` top = Mig 49 `AddWorkItemToPurchaseEvaluation` == repo, GIỮ NGUYÊN ✓ (neither ea793a4 nor 3ebaf84 has Mig). Smoke PE+contracts unauth=**401** + control `/api/zzz-not-a-route`=**404** (auth gates real). Test gate (CI both proj pre-deploy ⟹ #386 success=passed). Prior today #382/#383/#384 all PASS. **LESSON (cancelled ≠ fail — supersede-chain verify): a same-SHA run flipping to `cancelled` mid-flight is almost always Gitea concurrency-supersede by a newer push, NOT a build/deploy fault → MUST (1) check tasks list for newer run + HEAD movement, (2) `git merge-base --is-ancestor` confirm target commit preserved in new HEAD, (3) `git diff target..newHEAD -- <target-files>` empty ⟹ target changes survive, (4) verify prod via the SUCCESSFUL superseding run not the cancelled one. Do NOT report FAIL/escalate on a benign supersede-cancel.** Tag `[s58, run385-cancelled-benign, run386-pass, supersede-chain, brand-polish-x2, bundle-rotate-both, no-mig]`.
- **2026-06-11 Run #384 (run_number 270) sha=`e959f72` PASS ~4m30s (S58 FE-USER visual redesign density-first per AI_INFRA UI/UX guide — keep brand #1F7DC1/Be Vietnam Pro/slate; FE-USER-ONLY, ZERO BE/Mig/fe-admin):** Push `6c5fd26..e959f72` 1 commit 16 files: 14 fe-user (`index.css` tokens + 6 ui primitives Button/Dialog/Input/Label/Select/Textarea + 6 shell DataTable/EmptyState/Layout/PageHeader/PhaseBadge/TopBar + LoginPage) + 2 broadcasts `.md`. NO fe-admin, NO `.cs`, NO Mig. `.tsx`/`.css` present → NOT docs-skip, pipeline RAN. ⚠️ GITEA_TOKEN empty both shells → unauth public API (200, no token needed). Run IN-PROGRESS at first poll (status=running 13:51) — correctly did NOT FAIL, polled iter6 status=success (started 13:51:18 → 13:55:48). **ASYMMETRIC bundle (load-bearing) PASS: user ROTATE `BmZ3VHnm→CKjwqnGL`** (redesign shipped, verified AFTER status=success, stable on +recheck no transient) **+ admin FROZEN `CP4CB1ym`** (=#382 UNCHANGED ✓ scope-correct, NO fe-admin leak — mirror Run #378 asymmetric fe-admin-only logic, inverted). user `.js` HEAD 200 app/js 1.47MB + CSS rotate `index-CV0H5hnq.css` 200 63KB. **Brand preserved: `1F7DC1` in HTML + `Be Vietnam Pro`+`1f7dc1` in CSS bundle** ✓; title "Solutions ERP". Health live+ready **200/200** + admin/eoffice root 200. **NO migration** — prod `__EFMigrationsHistory` top = Mig 49 `AddWorkItemToPurchaseEvaluation` == repo, GIỮ NGUYÊN ✓. sys.tables(excl mighist)=**92** (FE-only no new table). Smoke PE unauth=**401** + control `/api/zzz`=**404** (auth gates real). Test gate **240** (CI both proj pre-deploy ⟹ success=passed). 0 regression. Prior today #382(`5998163` lock-fix)+#383(`6c5fd26` hide-modules) both PASS as noted. **LESSON (single-app FE-USER redesign — asymmetric verify, inverse of #378):** PASS criteria asymmetric — user hash MUST rotate (ship-proof) AND admin hash MUST stay frozen (scope-proof, no accidental fe-admin redeploy). admin-unchanged is POSITIVE here. Visual-only CSS-token+className redesign rotates bundle exactly like logic change (Vite content-hash byte-sensitive). SSH→sqlcmd `<>`/`NOT LIKE '__%'` quoting traps: `<` mangled by PS redirect (use `!=`/CONCAT-CHAR), `_` is LIKE-wildcard (escape `'[_][_]%'`). Tag `[s58, run384, pass, fe-user-only-redesign, asymmetric-bundle-verify, no-mig, brand-preserved]`.
- **2026-06-16 S? Run #291 (run_number 291, id405) sha=`8c8179c` ❌ FAIL ~64s (TEST-GATE COMPILE BREAK — Department.ParentId phân cấp cây tổ chức, BE Mig + FE-admin picker; DEPLOY DID NOT RUN, prod UNCHANGED @baseline):** Push `c98030f..8c8179c` 2 commits: `0f44d97` BE (Mig `20260616032402_AddDepartmentParentId` = AddColumn `ParentId Guid? nullable` + CreateIndex `IX_Departments_ParentId`, NO new table; `GET /api/departments/tree`; Create/Update nhận parentId — `CreateDepartmentCommand` record signature CHANGED to `(string,string,Guid?,string?,Guid?)` +5th positional ParentId, `UpdateDepartmentCommand` +6th) + `8c8179c` FE-admin DepartmentsPage picker "Phòng cha". Tokens empty → anon Gitea + prod-appsettings DB pw. Task #291 status=**failure** created 10:41:14 → updated 10:42:18 = **~64s** (far < ~3min normal → early-stage fail, NOT deploy stage). Anon API can't reach `/tasks/{id}` + `/logs` (404 — need auth) + WebFetch Actions UI JS-rendered (empty) → **reproduced FAIL locally** (anti-pattern #2 no-speculate): `dotnet build SolutionErp.slnx -c Release`**error CS7036** `tests/SolutionErp.Infrastructure.Tests/Application/MasterCatalogFilteredUniqueTests.cs(63,25)`: "no argument given that corresponds to the required parameter 'ParentId' of CreateDepartmentCommand". **Root cause: spec-change miss** — commit added `ParentId` as REQUIRED positional param but the gotcha#57 filtered-unique test line 63 still calls old 4-arg `new CreateDepartmentCommand("DUP1","Phòng ban mới", null, null)` (needs 5). grep `new CreateDepartmentCommand\(` repo-wide = ONLY this 1 broken call site; UpdateDepartmentCommand has 0 test call site (compiles). Test gate runs BEFORE build/deploy → compile-fail in test proj ⟹ whole `dotnet build slnx` (incl tests) fails ⟹ **deploy never ran**. **Prod CONFIRMED untouched @ baseline c98030f (Run #290):** admin bundle `DRob3iVl` (FROZEN=baseline ✓ NOT rotated — picker NOT shipped) · user `DxK3fCfh` (FROZEN=baseline ✓ correct, fe-user untouched) · health api live+ready **200/200** + admin/eoffice root 200 · prod `__EFMigrationsHistory` top = `20260612173224_ReplaceBudgetModuleWithPeWorkItemBudgets` (Mig 50) — **`AddDepartmentParentId` NOT applied** ✓ (deploy didn't run, DbInitializer never fired). All 4 post-deploy KEY checks correctly N/A (no ship). **ESCALATE em-main: fix = update `MasterCatalogFilteredUniqueTests.cs:63` to pass 5th arg (e.g. `..., null, null, null)`) — CLAUDE.md §7 "spec change = update test cũ + code chung commit" violated; re-push → re-verify deploy.** READ-only, did NOT fix. **LESSON: short-duration (~60s) `failure` on a BE/FE commit = test-gate or BE-build compile break, NOT deploy/transient — when anon API blocks logs, `dotnet build SolutionErp.slnx` locally reproduces exact CS error + line; a record-constructor positional-param ADD silently breaks every un-updated call site (grep `new <Command>\(` to enumerate). FAIL ⟹ deploy gated ⟹ verify prod = STILL baseline (bundles frozen + mig NOT applied) rather than skipping post-deploy entirely.** Tag `[s?, run291, FAIL, test-gate-compile-break, CS7036-CreateDepartmentCommand-5th-param, dept-parentid-tree, deploy-did-not-run, prod-unchanged-baseline, bundle-frozen-both, mig-not-applied, escalate-fix-test-line63]`.
- **2026-06-11 Run #382 (run_number 268) sha=`5998163` PASS ~3m31s (S58 FIX the Run #381 lock NO-OP — DbInitializer.cs ONLY, BE-only, NO Mig/FE):** Push `dd117b7..5998163` 1 commit 1 file `DbInitializer.cs` (+28/-5). Fix: (1) `LockDemoSampleUsersAsync` union +20 UAT-matrix prod email (`{act,equ,fin,hra,pm,qs}.{nv,pp,tp}@`+`bod.{1,2}@`) into prior 14 named-person = 34-email list; (2) `DemoUserPassword` 11→12 chars (`User@123456``User@1234567`) fixing silent CreateAsync-fail vs prod `RequiredLength=12` (S56 helpdesk-inert root cause). `.cs` present → full pipeline RAN. Poll iter5 status=success (started 12:58:06 → 13:01:37). **Bundle FROZEN admin `CP4CB1ym` + user `BmZ3VHnm`** (= #381 UNCHANGED ✓ CORRECT for BE-only, verified AFTER status=success — NOT ship-fail). **NO migration** — prod `__EFMigrationsHistory` top = Mig 49 `AddWorkItemToPurchaseEvaluation` == repo, GIỮ NGUYÊN ✓. sys.tables=**93** unchanged. Health live/ready 200 + admin/eoffice root 200. **THE FIX VERIFIED prod (Users table — note: custom Identity table name `Users` NOT `AspNetUsers`):** total **55** users · **21 active** · **34 inactive==34 locked-future** (== lock-list size exactly). 12-sample UAT-matrix all `active=0 locked=1` (#381 NO-OP now RESOLVED — these exist in prod + got locked ✓). Named-person 14/14 found+locked (CREATED this startup via 12-char pw fix + locked same run). **Must-stay-active 6/6** admin·catalog.manager·nv.test·chuong.phan@solution.com.vn(typo-domain)·**nv.cao+nv.truong** ALL `active=1` (IT helpdesk pool ALIVE — S56 ops-pending RESOLVED by pw fix, created this startup not in lock-list). **5 new real staff** (thanh.lethanh/anh.nguyen/tring.le/truong.le/long.nguyen) all CREATED+`active=1` ✓ (12-char pw passes RequiredLength=12). Smoke nv.test login OK (token 477) + GET /api/menus 200 + /purchase-evaluations 200. 0 regression. **LESSON: lock-by-email NO-OP (#381) was a DATA-mismatch not code-bug → S58 reconciled email-list to actual prod population (UAT-matrix created via admin UI, never in seed) + the 11-vs-12 pw bug was a SECOND latent cause silently blocking ALL non-existing-user CREATE on prod (RequiredLength=12) — same fix resurrected 16 named + 5 staff + helpdesk pool. Verify lock-fix = dump Users cohorts (active/inactive split + named exact-IN), NOT just total count.** Tag `[s58, run382, pass, fix-lock-noop, pw-11to12, be-only-bundle-frozen]`.
- **2026-06-11 Run #381 (run_number 267) sha=`dd117b7` PASS+1PARTIAL ~4m25s (S57bis PE gắn WorkItem Mig 49 + all-role Pe perm + menu Cá nhân regroup + lock-14-demo-user — cross-stack BE+FE×2+Mig+test, +12 PeWorkItemGuardTests→240):** 2-commit push: prev `17b23a4` (governance+hmw.js → Run #380 **cancelled**, superseded — correct, no FE/BE contract change) then `dd117b7` (PRODUCT, Run 381 = the deciding run). 26 files: Mig 49 `20260611044424_AddWorkItemToPurchaseEvaluation` (3-file, PE.WorkItemId Guid? loose-Guid NO physical FK + `IX_PurchaseEvaluations_WorkItemId`) + Domain `PurchaseEvaluation.cs` + Config + Features + DbInitializer (perm + `LockDemoSampleUsersAsync` + menu regroup) + MenuKeys + 3 master controllers (write-lock Admin/CatMgr) + FE×2 (PeDetailTabs/PeHeaderForm/PeWorkspaceCreateView/menuKeys/types). **Run IN-PROGRESS at first check (status=running 12:14) — polled to terminal** (12:14:16→12:18:41 ≈4m25s success). ⚠️ poll-grep gotcha: `"status"` field sits AFTER `"display_title"` in tasks JSON → `[^}]*"display_title"` regex cut before status (showed blank all 10 iters); final FULL-object parse `\{"id":381,...deploy.yml[^}]*\}` confirmed status=success. **Bundle ROTATE BOTH** admin `4SUwDLD8→CP4CB1ym` + user `XdKzt9LL→BmZ3VHnm` (PE in both apps ✓ shipped, verified AFTER status=success). **Mig 49 applied prod** (`__EFMigrationsHistory` top = AddWorkItem... ✓ + WorkItemId col=1 + IX=1). sys.tables=**93** (col-only, no delta). Health live/ready 200 + admin/eoffice 200. **Perm seed STRONG: Pe_* CanCreate=1 = 130 rows across 13 roles** (was 3-role → all-role open landed); PeWf%=0 + AwV2%=2 (designer stays admin-only ✓ no leak). Menu regroup ✓: Personal root@30 · Off_ChamCong→Personal@1 · **Hrm_Config**→Master@25 (spec said key `HrmConfig`, real key has underscore `Hrm_Config` — verify by ParentKey/Order NOT literal Key) · Contracts@31 · Hrm_Dashboard→Hrm@1. Smoke PE unauth 401 (/purchase-evaluations + /catalogs/work-items) vs control 404 (auth real). WorkItems VT/TP/MEP/TB=71. **⚠️ PARTIAL item 7 — lock-14-users is a prod NO-OP:** `LockDemoSampleUsersAsync` SHIPPED+RAN but its 14 hardcoded emails (`bod.huynh@`,`pm.nguyen@`,`fin.do@`,`qs.hoang@`...) **DON'T EXIST in prod** — real demo set uses dept.position scheme `bod.1@`/`bod.2@`/`pm.{nv,pp,tp}@`/`fin.{nv,pp,tp}@`/`qs.{nv,pp,tp}@` (34 users ALL active, INACTIVE_TOTAL=0). Each FindByEmail→null→locked=0. Guard `nv.cao`/`nv.truong` also absent (-1, vacuously safe); catalog.manager+admin confirmed active. NOT a deploy fail (code correct) — email list stale vs this DB seed. Escalated em main: reconcile lock-list to actual `*.{nv,pp,tp}@` scheme OR confirm named-person legacy users were ever seeded. **LESSON: lock/deactivate-by-email assertion returning 0/`-1` ⟹ ALWAYS dump actual `Users` set before scoring FAIL — code may have run as no-op against mismatched data, NOT broken.** Tag `[s57bis, run381, pass-partial, mig49-pe-workitem, allrole-perm-130, lock-noop-email-mismatch]`.
- **2026-06-09 Run #379 (run_number 265) sha=`a20cde8` PASS ~4m20s (S56 GOLIVE-HARDEN BE fixes — LeaveBalance concurrency + ItTicket authz-order + DocxRenderer null-guard + tests, ZERO FE/Mig):** Push `bef5825..a20cde8` 1 commit 13 files: 3 BE `LeaveOtApprovalFeatures.cs` (atomic ExecuteUpdate + Serializable tx vs lost-update) + `WorkflowAppsFeatures.cs` (authz reorder Forbidden-before-NotFound) + `DocxRenderer.cs` (null-guard) + 4 test files (+12 → 216→**228**) + 6 agent-memory `.md`. `.cs`+test present → NOT docs-skip, full pipeline RAN. **Run IN-PROGRESS at first check (status=running 17:51) — correctly did NOT FAIL, polled to terminal** (started 17:51:45 → updated 17:56:05 ≈4m20s status=success iter5). **Bundle FROZEN admin `4SUwDLD8` + user `XdKzt9LL`** (= #378, UNCHANGED ✓ CORRECT for BE-only — NOT ship-fail, mirror Run #243/#368; verified pre-deploy + post-success + +5s re-confirm, NO transient, NO unexpected rotation). **NO migration** — prod `__EFMigrationsHistory` top = `20260609020759_AddProjectMasterFields` (Mig 48) == repo latest, GIỮ NGUYÊN ✓ (BE-logic-only, schema untouched). sys.tables=**93** unchanged. Health live+ready **200/200** + admin/eoffice root 200. **Smoke changed-area endpoints (all gated, none crash):** `GET /it-tickets/assignable-staff` unauth=**401** · `PUT /it-tickets/{guid}/assign` unauth+body=**401** (authz-reorder fix live, route wired) · `GET /leave-balances/my` unauth=**401** (concurrency fix dll deployed) · control fake `/it-tickets/zzz-not-a-route`=**404** (proves 401s are real auth gates not catch-all). 0 regression. **Ship-proof for BE-only no-contract-change = run success + test 228 + Mig 48 unchanged + bundle frozen + health 200** (no observable API delta — fixes are internal handler logic: atomic tx / exception order / null-guard; cannot curl-assert lost-update fix, rely on +12 tests passing in CI gate). Tag `[s56, run379, pass, golive-harden, be-only-bundle-frozen, no-mig]`.