Mở rộng 2-stage logic từ PE sang Contract workflow (Migration 16 đã có schema):
BE Service:
- ContractWorkflowService thêm UserManager<User> DI
- Mirror logic 2-stage từ PurchaseEvaluationWorkflowService.TransitionAsync
Sau policy guard, trước gen mã HĐ:
- User.DepartmentId != null + actor không admin/system + KHÔNG resume
- DeptManager (TPB) → Stage=Confirm trực tiếp
- CanBypassReview=true → Stage=Confirm + IsBypassed=true
- Else (NV) → Stage=Review only, BLOCK transition
- Insert ContractDepartmentApproval row (UPSERT theo UNIQUE)
- Block transition khi chưa có Stage=Confirm:
- Insert ContractApproval (FromPhase=ToPhase=fromPhase, [Review NV] comment)
- Insert ContractChangelog "đã review, chờ TPB confirm"
- Notify TPB cùng dept (UserManager filter DeptManager role)
- Return early — phase KHÔNG đổi
App + Api:
- ContractDepartmentApprovalFeatures.cs (List query mirror PE)
- ContractsController endpoint GET /contracts/{id}/department-approvals
FE (cả fe-admin + fe-user):
- types/contracts.ts thêm ApprovalStage const + ContractDepartmentApproval type
- WorkflowHistoryPanel section "Tiến trình duyệt 2-cấp phòng ban":
- Group by phase × dept, show Review NV + Confirm TPB
- Highlight amber "chờ TPB confirm" khi current phase có Review chưa Confirm
- Badge fuchsia "bypass" khi NV.CanBypassReview=true
- Insert giữa WorkflowSummaryCard và Lịch sử duyệt
- Mirror cả 2 app (rule §3.9)
Use case mirror PE: HĐ ở phase DangGopY (P.CCM) — nv.cao (NV) duyệt thì
phase KHÔNG đổi (Review only), chờ ccm.tran (TPB) confirm mới sang DangXetDuyet.
Build: BE pass + FE pass cả 2 + 77 test pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Admin UI bật/tắt CanBypassReview per user (Migration 16):
- BE: UserDto thêm field CanBypassReview (List + Get queries)
- FE: User type thêm canBypassReview field
- UsersPage: column "Bypass" badge fuchsia khi true + button toggle ShieldCheck
(icon highlight fuchsia khi enabled, slate khi disabled)
- bypassMut PATCH /users/{id}/bypass-review { canBypassReview: !current }
Use case: phòng ban không có TPB hoặc TPB ủy quyền cho 1 NV cụ thể —
NV được Stage=Confirm trực tiếp (skip Stage Review), IsBypassed=true ghi audit.
Endpoint backend đã có sẵn ở Chunk E1 (commit 3c49316). Chỉ wire FE.
fe-user KHÔNG có UsersPage (admin-only function) — chỉ update fe-admin.
Build: BE pass + FE-admin pass + 77 test pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
FE Workflow Panel hiển thị progress 2-cấp duyệt phòng ban (Migration 16):
- Section "Tiến trình duyệt 2-cấp phòng ban" trong PeWorkflowPanel
- Group rows by Phase × Department, show Stage Review NV + Confirm TPB
- Highlight amber "chờ TPB confirm" khi current phase có Review nhưng chưa Confirm
- Badge fuchsia "bypass" khi NV được CanBypassReview
- useQuery fetch endpoint GET /pe/{id}/department-approvals
- Invalidate query sau transition để refresh ngay
Type mới: ApprovalStage const + PeDepartmentApproval DTO trong types/purchaseEvaluation.ts.
User flow anh Kiệt test:
- phuong.nguyen (NV.PRO) Duyệt phase ChoPurchasing
→ row Review xuất hiện, panel hiển thị "⏳ chờ TPB confirm" (amber)
- tra.bui (TPB.PRO, DeptManager) Duyệt
→ row Confirm xuất hiện (emerald) + phase chuyển sang ChoCCM
2 file đồng bộ giữa fe-admin + fe-user (rule §3.9 duplicate có chủ đích).
Build: cả 2 FE pass.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Ràng buộc 2 (Phase 9): khi reject, trả về Drafter (DangSoanThao) + lưu phase
nguồn. Drafter sửa lại + trình lại → quay về phase đã reject (skip phase
trung gian).
Logic flow:
1. Reject (Decision=Reject):
- entity.RejectedFromPhase = currentPhase // snapshot phase đang reject
- targetPhase override = DangSoanThao // force về Drafter
- Approval row: FromPhase=X, ToPhase=DangSoanThao, Decision=Reject
- Notification cho Drafter
2. Resume after reject (Decision=Approve, fromPhase=DangSoanThao,
RejectedFromPhase != null):
- targetPhase override = entity.RejectedFromPhase!.Value
- entity.RejectedFromPhase = null // clear field
- Skip policy guard (Drafter có quyền trình lại sau khi sửa)
- Approval row: FromPhase=DangSoanThao, ToPhase=ResumePhase, Decision=Approve
3. Normal transition (chưa reject hoặc đã clear):
- Logic cũ giữ nguyên — policy guard check + transition
Pattern unified cho 3 module:
- ContractWorkflowService.TransitionAsync: 2 case detect + override
- PurchaseEvaluationWorkflowService.TransitionAsync: tương tự
- TransitionBudgetCommandHandler.Handle: tương tự (Budget không có service riêng,
logic ở handler)
Files:
- src/Backend/SolutionErp.Infrastructure/Services/ContractWorkflowService.cs
- src/Backend/SolutionErp.Infrastructure/Services/PurchaseEvaluationWorkflowService.cs
- src/Backend/SolutionErp.Application/Budgets/BudgetFeatures.cs
Verify:
- Build pass (2 warning DocxRenderer cũ, không liên quan)
- 77 unit test pass — Domain policy không đổi, tests giữ nguyên
Note: Approval history giờ track đầy đủ cycle reject→sửa→resume:
Approval 1: DangGopY → DangSoanThao, Decision=Reject (CCM reject)
Approval 2: DangSoanThao → DangGopY, Decision=Approve (Drafter resume)
UI có thể detect "đã từng reject" qua RejectedFromPhase != null hoặc
qua Approval history (Decision=Reject row gần nhất). Hiển thị banner
đỏ "Phiếu đã bị reject từ phase X, lý do: Y" cho Drafter.
Smart reject hoàn tất Ràng buộc 2. Còn Ràng buộc 3 (2-stage dept approval)
ở Chunk D.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Test path filter on:push:paths-ignore — commit này CHỈ touch docs/STATUS.md.
Expected: Gitea Actions KHÔNG trigger run mới.
Verify bằng cách check Actions UI sau ~30s — vẫn ở run #112 (a21790d).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Run #111 (commit 29eb5d9) FAIL với `'tsc' is not recognized` ở step Build fe-admin.
Symptoms confusing:
- VPS check: cache dir C:\npm-cache-erp\ chưa có (cold)
- Log: KHÔNG có Write-Host "cache MISS" hay "added 239 packages"
- Timing: 1.6s từ end-of-BE-build → start-of-fe-admin-build (impossible cho npm install 49s)
- Test gate (Domain 54 + Infra 17) PASS nên không phải code regression
Khả năng cao: junction Move-Item disrupted node_modules .bin/ structure HOẶC
act_runner PowerShell stream capture có quirk với cache MISS branch. Cần debug
riêng — không nên block deploy chính.
Decision:
- Rollback npm cache logic về fresh install như cũ (49s + 33s)
- GIỮ path filter on:push:paths-ignore (đây mới là win lớn nhất — 100% saving cho MD-only commit)
- Document gotcha cho session sau (sẽ thử robocopy thay vì junction, hoặc dùng act_runner cache server local)
Path filter behavior (giữ lại):
- Commit chỉ docs/MD/skill/gitignore → SKIP CI hoàn toàn (~196s/commit saved)
- Commit code OR cùng commit có code+docs → vẫn trigger (đúng)
Verify dotnet test local: 71 pass / 1s (BE không thay đổi).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Optimize CI/CD theo Option C bàn trong chat:
==== Path filter (saving 100% time cho commit MD-only) ====
on: push: paths-ignore mới — skip CI khi commit chỉ docs/skill/MD/gitignore.
- 'docs/**'
- '**/*.md'
- '.claude/skills/**'
- '.gitignore'
- 'scripts/**.md'
Commit 'Docs: chốt session' và similar sẽ KHÔNG trigger workflow → save 196s/commit.
Nếu cùng commit thay đổi cả MD + code → vẫn trigger (đúng behavior expected).
Workflow file `.gitea/workflows/**` chính NÓ thì không trong paths-ignore →
vẫn trigger khi sửa CI config (an toàn).
==== npm junction cache (saving ~70-80s code commit) ====
Replace Build fe-admin + fe-user steps với cache-aware version.
Strategy:
- Cache key = SHA256(package.json) 16-char prefix → đổi deps = miss → fresh
- Cache stored: C:\npm-cache-erp\<app>\<hash>\node_modules (ngoài workspace)
- Junction `fe-admin\node_modules → cache` (instant, không file copy)
- Lần đầu (cold): 49s + 33s = 82s (như cũ)
- Lần sau (warm): mklink instant + skip npm install → ~3s + 3s = 6s (saving ~76s)
Safety:
- Trước Deploy: convert junction → nothing (cmd /c rmdir /q chỉ remove ref,
không follow target). Tránh trường hợp act_runner cleanup workspace
follow junction + delete cache.
- Pruning: keep top 5 cache per app (~250MB × 5 × 2 = 2.5GB max disk usage).
Stale evicted FIFO theo LastWriteTime DESC.
Vite 8 rolldown native binding gotcha (#20) vẫn respect: cache install trên
runner Windows nên rolldown binding match → reuse được.
==== Expected ====
- Commit MD-only: 0s CI (skip hoàn toàn)
- Commit code lần đầu sau cache miss (vd npm update): ~3min (như cũ)
- Commit code thường (cache hit): ~120s = 2 phút (giảm 38%)
Verify dotnet test local: 71 pass / 2s (BE không thay đổi).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Vấn đề persistent (run #108 và #109 đều fail trong 21-22s):
Get "https://github.com/actions/checkout/info/refs?service=git-upload-pack":
dial tcp 20.205.243.166:443: connectex: connection failed/timeout
act_runner v0.2.13 mỗi run đều `git fetch` actions/checkout từ github.com
để check update — VPS network → github.com TCP timeout 21s liên tục →
toàn job fail TRƯỚC khi tới test gate.
Fix: thay actions ngoài bằng native shell, eliminate github.com dependency.
- Replace `uses: actions/checkout@v4` → manual `git init` + `git fetch`
từ Gitea internal network (luôn ổn định, không qua public internet)
- Auth: github.token (act_runner cũng dùng tên này) — tự sẵn per job
- Fetch by ref (branch) thay vì SHA, depth=30 đủ buffer nếu main commit
thêm trong lúc job pickup
- Checkout đúng commit SHA của event push
- Log 1-line để confirm checkout đúng
- Replace `uses: actions/upload-artifact@v4` (cũng phụ thuộc github.com)
→ step "List test results" local. TRX file vẫn save trong workspace
test-results/, đọc qua runner workspace nếu cần debug.
Test gate giữ nguyên (Domain + Infra). dotnet test local 71 pass / 2s.
Long-term option (nếu Gitea Actions thêm hỗ trợ): config `github_mirror`
trong gitea-runner config.yaml để mirror github.com → Gitea internal,
hoặc pre-cache actions/* repos vào runner cache dir.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Run #108 failed in 22s với:
Get "https://github.com/actions/checkout/info/refs?service=git-upload-pack":
dial tcp 20.205.243.166:443: connectex: A connection attempt failed
because the connected party did not properly respond...
Network từ VPS → github.com bị timeout transient lúc act_runner clone
`actions/checkout@v4` source. Test gate chưa kịp chạy.
Verify network giờ đã ok (TcpTestSucceeded: True) + dotnet test local
71 pass / 2s. Empty commit để re-trigger CI.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 2 — chống regression code generator. 17 test mới integration với
DB thật (SQLite in-memory) tổng cộng 71 test pass < 3 giây.
Test project:
- tests/SolutionErp.Infrastructure.Tests/ (xUnit + FluentAssertions + EF SQLite 10)
- ProjectReference SolutionErp.Infrastructure (transitively get Application + Domain)
- Added vào SolutionErp.slnx
Test fixtures:
- Common/SqliteDbFixture.cs:
- SQLite ":memory:" + shared connection + EnsureCreated() từ DbContext model
- TestApplicationDbContext subclass — override OnModelCreating replace
'nvarchar(max)' → 'TEXT' (SQLite không support max keyword)
- FixedDateTime stub IDateTime cho deterministic year boundary test
Test files:
- Services/ContractCodeGeneratorTests.cs (10 test):
- Format per ContractType (5 type × Project scope) — RG-001 spec
- Framework HĐ (NguyenTacNCC + NguyenTacDV) → year scope thay vì project
- Sequence increment per prefix (3 calls → /01, /02, /03)
- Different prefixes (project / supplier) → independent sequences
- Year change (2026 → 2027) → reset sequence vì prefix khác
- PersistsSequenceRow LastSeq verification
- Services/PurchaseEvaluationCodeGeneratorTests.cs (7 test):
- Format A/B (DuyetNcc → 'A', DuyetNccPhuongAn → 'B')
- Seq là 3-digit padded (001..012)
- Type A và B sequence độc lập trong cùng năm
- Year boundary reset cả A và B
CI gate update (.gitea/workflows/deploy.yml):
- Step "Run integration tests (Infrastructure)" thêm sau Domain tests
- TRX log saved riêng (infra-tests.trx)
- Cả 2 step đều exit non-zero → no deploy
Verify local:
- dotnet test SolutionErp.slnx → Total tests: 71 (54 Domain + 17 Infra) / Passed: 71 / 2.1s
- dotnet build SolutionErp.slnx → 0 error
Phase 3+ pending:
- Application handler tests (CQRS) với EF InMemory hoặc SQLite (~1 ngày)
- API smoke tests qua WebApplicationFactory (~0.5 ngày)
- FE Vitest cho lib utility (~0.5 ngày)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Match form chính thức 4 section đánh số:
1. Thông tin gói thầu — chỉ a. Tên gói thầu + b. Dự án (Địa điểm + Mô tả compact bên dưới nếu có).
2. Chọn NCC / TP — đúng a/b/c/d:
a. NCC/TP được chọn — selectedSupplierName badge xanh
b. Ngân sách — link Budget với mã + tên + tổng
c. Giá chào thầu — tự compute = sum quotes của winner supplier (filter quotes.purchaseEvaluationSupplierId === winnerRowId)
d. Bản so sánh — embed GeneralAttachmentsSection (attachments không gắn supplier-row, purpose=ComparisonTable)
+ ĐKTT + HĐ kế thừa link bonus
+ Banner emerald 'Tạo HĐ từ phiếu' khi DaDuyet + chưa có Contract
3. NCC/TP tham gia — section riêng giữ table 5 cột (NCC/Liên hệ/ĐKTT/File/Action — nhiều info hơn spec table 3 cột, useful cho UX web).
4. Hạng mục + Báo giá — matrix với cột 'NS link · Δ' + footer aggregate (giữ nguyên).
Side change:
- FormRow helper mới (label 176px + value flex) thay cho dl grid 2-col cũ — match style form giấy
- Drop Field helper cũ (now unused)
- InfoTab signature đổi: bỏ readOnly param (chỉ display, action move sang ChonNccSection)
TS build pass cả 2 app. Mirror fe-user identical.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
User cung cap danh sach nhan vien thuc te. Add vao SeedDemoUsersAsync,
idempotent (FindByEmail trong reconcile pattern). Pass = User@123456
(matching demo pattern, policy 12 char + digit + lower + upper + special).
PRO (5):
- tra.bui — Bui Le Thuy Tra — TP Cung ung (Procurement+DeptManager)
- phuong.nguyen — Nguyen Thi Bich Phuong (Procurement+Drafter)
- thanh.lethanh — Le Thanh Binh (Procurement+Drafter)
- long.chau — Chau Ta Kim Long (Procurement+Drafter)
- duy.nguyen — Nguyen Van Duy (Procurement+Drafter)
CCM (7):
- chuong.phan — Phan Van Chuong — TP Kiem soat Chi phi (CostControl+DeptManager)
- binh.le — Le Van Binh (CostControl)
- luu.tran — Tran Xuan Luu (CostControl)
- nguyen.ho — Ho Thi Nu Nguyen (CostControl)
- anh.nguyen — Nguyen Thi Kim Anh (CostControl)
- tring.le — Le Tu Dang Trinh (CostControl) — giu literal user provided
- truong.le — Le Tran Dang Truong (CostControl)
ISO (1):
- long.nguyen — Nguyen Hoang Chanh Long — Dep HRA, role HrAdmin (dong dau HD)
CEO (1):
- truong.nguyen — Nguyen Van Truong — Dep BOD, role Director (ASCII fix tu 'truong.nguyen' co dau)
Email typo fix:
- 'phuong.nguyen@soluttions.com' → 'phuong.nguyen@solutions.com.vn'
- 'truong.nguyen' co dau → 'truong.nguyen' ASCII (KHONG conflict voi truong.le CCM)
Reconcile pattern dam bao: neu user da exist (email collision), update
dept/position/role thay vi error. Pass khong overwrite cho existing user.
User request: 'review cap nhat va tai cau truc lai MD sao cho phu hop
voi hien tai, cac phan thua va da dieu chinh co the bo ra luon hoac
cap nhat lai'.
Cleanup highlights:
1. Archive 2 file Phase 0 raw dump → docs/_archive/ (forms-spec-raw 657
line + workflow-raw 62 line). Update link reference 2 file goc.
2. Compact migration-todos.md 386 → 114 line (-71%). Collapse Phase 0-5
+ Tier 3 + Sessions detailed thanh 1 bang summary. Detail xem session
logs. Phase 6 iter 1+2 + Phase 7 active checklist.
3. Compact STATUS.md In Progress: bo ~17 row ✅ done (giu chỉ 5+ task
pending: 3 PE feature gap + 4 optional polish + 2 Ops). Recently Done
table giu day du history.
4. Update flows/README — tat ca 6 flow ✅ Implemented + them PE row
reference architecture.md §9.
5. Update docs/CLAUDE.md — project layout co PurchaseEvaluations, _archive,
skills 6 (3 dom + 3 ops). Roadmap them Phase 6 ✅ + Phase 7 WIP. Lien
he them prod URL solutions.com.vn + SSH config + login admin.
6. Skill ef-core-migration: 13 migration label.
Net delta: -800 line docs (chu yeu archive + collapse migration-todos).
PART A: Section 'Bang so sanh' (file tong ho so so sanh)
User request: 'theo them cho thong tin ve Bang so sanh, cho dinh kem
file so sanh tong len'.
BE:
- PurchaseEvaluationAttachmentPurpose.ComparisonTable = 4 (new enum value)
Backend validator IsInEnum pass, khong can migration (int column).
FE types (2 app):
- PeAttachmentPurpose.ComparisonTable + Label '4: Bang so sanh'.
FE PeDetailTabs:
- Them section thu 4 'Bang so sanh (file tong)' sau 'Hang muc + Bao gia'.
- Component GeneralAttachmentsSection: upload KHONG truyen supplierRowId
(BE luu NULL) → purpose=ComparisonTable default. Filter attachments
co supplierRowId===null de render.
- Card layout khac SupplierAttachmentsCell: full-width card + brand color
+ purpose chip + date. Upload button to hon ([+ Tai len bang so sanh]).
- readOnly hide upload + delete, giu download.
PART B: Demo email rebrand @solutionerp.local → @solutions.com.vn
User request: 'tao nguoi dung demo theo email cua ben nay'.
BE DbInitializer:
- Rename 18 email in source: AdminEmail const + 17 demo users
(bod/pm/ccm/pro/fin/act/equ/hra/qs/nv) — keep password + role unchanged.
- Them BackfillUserEmailDomainAsync (idempotent): scan user co email
@solutionerp.local, rename sang @solutions.com.vn, update Email +
NormalizedEmail + UserName + NormalizedUserName. Skip neu co conflict
user da ton tai voi email moi. Chay truoc SeedAdmin de tranh tao
duplicate admin.
Admin permission tao user da co san qua /system/users page.
Comment input khi duyet da co san o PeWorkflowPanel (Ghi chu tuy chon
Textarea) + ContractDetailContent (Yeu cau sua / Duyet tiep dialog).
User request: 'cho hop dong dua cac thong tin lich su dieu chinh sang
duoi lich su duyet nhen'.
ContractDetailContent (Panel 2): xoa section 'Lich su dieu chinh' (cot
3/10 grid 7/3) → Chi tiet HD gio full-width. Remove import History +
ContractChangelogsTab.
WorkflowHistoryPanel (Panel 3): them section Lich su dieu chinh duoi
Lich su duyet. Import History icon + ContractChangelogsTab. Reuse same
component, chi doi vi tri render.
Mirror fe-admin + fe-user.
User request: 'cho tat ca cai nay the hien tren dung 1 man hinh nhe, cai
duyet va lich su thi dua sang panel 3'.
Panel 2 (PeDetailTabs): truoc 5 tab (Info/NCC/Items/Approvals/History).
Sau bo tabs, flat render 3 section stack doc voi divider + title uppercase:
Thong tin → NCC tham gia (N) → Hang muc + Bao gia (N)
Panel 3 (PeWorkflowPanel): truoc chi workflow timeline + transition btn.
Sau them 2 section ben duoi:
Workflow timeline → Lich su duyet (PeApprovalsSection) → Lich su thay doi
(PeHistorySection)
Export PeApprovalsSection + PeHistorySection tu PeDetailTabs — reuse
ApprovalsTab + HistoryTab logic cu, wrap them <h3> section title.
Dong bo ca fe-admin + fe-user (copy identical file).
Bug: click leaf 'Duyet' (/purchase-evaluations?type=2&pendingMe=1) khien
leaf 'Danh sach' (/purchase-evaluations?type=2) cung highlight cung luc.
Nguyen nhan: NavLink 'end' prop chi match pathname. 2 leaf cung pathname
/purchase-evaluations → ca 2 active.
Fix: custom isActive voi queryMatches helper — compare query string dang
key-value set (thu tu param khong quan trong). 2 leaf chi active khi
pathname + query dung khop.
Dong bo ca fe-admin + fe-user. Anh huong tat ca menu leaf co ?query=
variants: Ct_* (Danh sach /contracts?type=N vs Duyet /contracts?type=N&
pendingMe=1), Pe_* (tuong tu /purchase-evaluations), admin workflow leaf
Wf_* + PeWf_* (khong dinh vi path khong query params).
GetMyMenuTreeQuery truoc chi inherit Contracts (Ct_*) va Workflows
(Wf_*). Extend 2 root moi PurchaseEvaluations (Pe_*) + PeWorkflows
(PeWf_*) de admin co PurchaseEvaluations.Read auto thay 2 group Pe_* +
6 leaf (Danh sach/Thao tac/Duyet x 2 type) + 2 PeWf_* leaf admin designer
UI, khong can add per-subitem permission row.
Verify bug: /menus/me cho admin hien chi root 'PurchaseEvaluations'
+ 'PeWorkflows' nhung khong co Pe_DuyetNcc group / Pe_DuyetNccPhuongAn
group children du DB co 12 row (sqlcmd confirm). Root cause: hardcoded
2 inherit roots trong BuildChildren switch.
Fix: expand switch cover 4 inherit roots. Propagate nextInherit xuong
tat ca descendants.
Bài học từ VietReport VPS shared (2026-04-23): Next.js app hijack port
3000 IPv4 → Gitea bị đẩy IPv6-only → IIS ARR localhost:3000 resolve
IPv4 first → git.baocaogiaoduc.vn trả homepage VietReport.
Apply 3 rules G-084 preemptively cho SOLUTION_ERP (risk thấp vì API
in-process IIS, nhưng vẫn chuẩn hóa):
1. `scripts/deploy-iis.ps1` — HealthUrl `localhost` → `127.0.0.1`
2. `.claude/skills/iis-deploy-runbook/SKILL.md` — 7 ref localhost →
127.0.0.1 + section Hardening mới giải thích G-084 + 3 rules + note
SOLUTION_ERP relevance (risk thấp vì no standalone Kestrel/no ARR
proxy hiện tại, nhưng tương lai thêm phải tuân)
3. `docs/gotchas.md` — thêm entry #33 G-084 full writeup (triệu chứng,
root cause, 3 rules, SOLUTION_ERP relevance) + update debug
checklist
3 rules:
- Reverse-proxy luôn IP literal 127.0.0.1, không localhost
- Backend services bind loopback IPv4 explicit, không 0.0.0.0
- Service dependency cho boot order khi nhiều service cùng port family
