@haposoft/cafekit 0.7.24 → 0.7.26

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@haposoft/cafekit",
-  "version": "0.7.24",
+  "version": "0.7.26",
   "description": "Claude Code-first spec-driven workflow for AI coding assistants. Bundles CafeKit hapo: skills, runtime hooks, agents, and installer scaffolding.",
   "author": "Haposoft <nghialt@haposoft.com>",
   "license": "MIT",

package/src/claude/agents/code-auditor.md

@@ -19,9 +19,10 @@ If the prompt includes task file paths, requirement IDs, completion criteria, or
 
 Extract and verify:
 1. Declared deliverables (files, routes, entrypoints, UI surfaces, schemas, migrations)
-2. Completion Criteria
-3. Verification & Evidence expectations
-4. Canonical Contracts & Invariants from the design
+2. Declared task scope (`Related Files` and direct support files that are clearly justified)
+3. Completion Criteria
+4. Verification & Evidence expectations
+5. Canonical Contracts & Invariants from the design
 
 Any missing declared deliverable, placeholder-only wiring, or contract drift is a **Critical** issue even if tests/build pass.
 
@@ -58,6 +59,7 @@ Before reading any specific logic, you MUST run a Dependency Scope Check (Blast
 - Hunt serious logic bugs (crashes, data loss, infinite loops).
 - Hunt severe architecture violations (circular imports, cross-layer coupling).
 - Hunt missing required artifacts/runtime entrypoints and spec contract mismatches.
+- Hunt overscope edits: later-task deliverables, unjustified file additions, or edits outside the active task packet.
 
 **Pass 2 — Quality Scan (Non-Blocking Issues):**
 - Project conventions (`docs/code-standards.md` if available).
@@ -94,6 +96,7 @@ Classify each issue:
 
 ### Task / Spec Compliance
 - [OK or issue] Required deliverables present?
+- [OK or issue] Changes stayed within task scope?
 - [OK or issue] Completion criteria actually satisfied?
 - [OK or issue] Any contract drift vs design/task?
 
@@ -126,6 +129,8 @@ When called from `hapo:develop` Step 4 (Quality Gate Auto-Fix):
 - Missing required entrypoint/artifact/runtime output named in the task/spec
 - Placeholder scaffolding marked as complete when the task demanded real wiring
 - Auth/session/transport/persistence behavior that contradicts the design contracts
+- Files or features from later tasks delivered early without explicit scope-escape justification
+- Task marked complete while required commands/evidence are still FAIL / UNVERIFIED
 
 ## Operating Guidelines
 

package/src/claude/agents/docs-keeper.md

@@ -40,10 +40,21 @@ Before documenting ANY code reference, you MUST prove it exists:
 
 ### 4. Codebase Summary Engine
 Generate the project's technical DNA map:
-- Run `repomix` to compact the entire repo into `./repomix-output.xml`.
+- Default to direct code + docs verification first.
+- Run `repomix` only when macro-architecture context is truly required or `./docs/codebase-summary.md` is missing/stale enough that you cannot safely update docs from the local evidence alone.
+- When `repomix` is used, compact the repo into `./repomix-output.xml`.
 - Digest and synthesize into `./docs/codebase-summary.md` (Update the existing one).
 - This file acts as the single source of truth for all other agents to quickly grasp the project landscape.
 
+### 4b. Task Closeout Mode
+When called from `hapo:develop` after a verified task is complete:
+- Treat the job as a **lightweight task-closeout sync**
+- Update only the existing docs affected by that task
+- Start by classifying `Docs impact: none | minor | major`
+- If impact is `none`, return a short report and do not force edits
+- If impact is `minor` or `major`, prefer surgical edits to `docs/project-overview-pdr.md`, `docs/system-architecture.md`, `docs/code-standards.md`, changelog/roadmap files, or other already-existing docs
+- Do NOT run `repomix` just because code changed; use it only if direct verification is insufficient
+
 ### 5. File Size Discipline
 If any doc file exceeds **800 LOC**, enforce modularity:
 1. Identify semantic boundaries (distinct topics that can stand alone).

package/src/claude/agents/god-developer.md

@@ -35,7 +35,7 @@ Any logic gaps must be clarified BEFORE typing, not discovered after bugs ship.
 ### 1. Read & Understand Input
 
 When activated, you will receive one of two input types:
-- **Task file list** (`tasks/task-01-*.md`, `task-02-*.md`...) with `spec.json`.
+- **Task file list** (`tasks/task-R0-01-*.md`, `task-R1-01-*.md`...) with `spec.json`.
 - **Direct description** from the main agent or `hapo:develop` skill. 
   *(Always proactively leverage domain-specific best practices by invoking `hapo:frontend-development`, `hapo:backend-development`, `hapo:mobile-development`, or `hapo:react-best-practices` depending on the current task).*
 
@@ -77,8 +77,8 @@ Upon completion, output a concise report in this format:
 - ...
 
 ### Tasks Completed
-- [x] Task 01: ...
-- [x] Task 02: ...
+- [x] R0-01: ...
+- [x] R0-02: ...
 
 ### Build Results
 - Typecheck: [pass/fail]

package/src/claude/agents/spec-maker.md

@@ -85,6 +85,7 @@ Before writing `design.md`, select a discovery mode and record the reason:
 - For light mode: Load `{{SKILLS_DIR}}/specs/rules/design-discovery-light.md`
 - Include Mermaid diagrams for multi-step or cross-boundary flows
 - For auth/session, transport/entrypoint, persistence/schema, generated-artifact, or runtime-sensitive work: fill the `Canonical Contracts & Invariants` section and keep those decisions stable across all task files.
+- For privacy/delete-data work: the design MUST choose one canonical deletion policy and express it verbatim in `Canonical Contracts & Invariants` before tasks are generated.
 - Record `discovery_mode` and `discovery_reason` in `spec.json.design_context`
 
 ### Requirements Traceability (MANDATORY)
@@ -107,6 +108,7 @@ Before writing `design.md`, select a discovery mode and record the reason:
 - Apply `(P)` parallel markers when applicable (load `{{SKILLS_DIR}}/specs/rules/tasks-parallel-analysis.md`)
 - Every task MUST include `Verification & Evidence` with exact commands, artifacts/runtime surfaces, and negative-path checks.
 - Completion criteria MUST be objective enough that a downstream quality gate can prove them without guesswork.
+- Validation decisions that affect implementation MUST be written into implementation-facing sections (`Objective`, `Constraints`, `Implementation Steps`, `Completion Criteria`, `Verification & Evidence`) rather than only `Risk Assessment`.
 
 ### Sub-Task Detail Requirements (MANDATORY)
 Each task file MUST contain granular sub-tasks with the following structure:
@@ -137,17 +139,22 @@ Task(subagent_type="researcher", prompt="Research [feature topic]")
 
 ## Pre-Completion Checklist
 
-Before finalizing any specification, assert all 11 points in the `Pre-Finalization Checklist` defined in `SKILL.md`. Do not exit or declare completion until verifiable.
+Before finalizing any specification, assert every point in the `Pre-Finalization Checklist` defined in `SKILL.md`. Do not exit or declare completion until verifiable.
 
 ### Finalization Audit (MANDATORY)
 
 Before marking the spec ready:
 1. Re-scan `tasks/` and write `spec.json.task_files` from the real filesystem (sorted, relative paths)
-2. Fail if any on-disk task file is missing from `task_files`
-3. Fail if any path in `task_files` does not exist
-4. Infer `design_context.validation_recommended = true` for auth, privacy, delete-data, migration, schema-change, browser-extension-permission, external-provider, or 5+ task file specs
-5. If `validation_recommended = true` and validation has not completed (or the user did not explicitly accept risk), keep `ready_for_implementation = false`
-6. Reject task files that use legacy non-numeric mappings like `NFR-1`
+2. Build or refresh `spec.json.task_registry` from the same filesystem scan. Each registry entry MUST include `id`, `title`, `status`, `dependencies` (relative task paths), `blocker`, `started_at`, `completed_at`, and `last_updated_at`
+3. Fail if any on-disk task file is missing from `task_files`
+4. Fail if any path in `task_files` does not exist
+5. Fail if any on-disk task file is missing from `task_registry` or any registry path does not exist
+6. Infer `design_context.validation_recommended = true` for auth, privacy, delete-data, migration, schema-change, browser-extension-permission, external-provider, or 5+ task file specs
+7. If the spec scope switched away from Claude/Anthropic, fail if `requirements.md`, `design.md`, or `tasks/*.md` still contain stale provider strings like `Claude API`, `Haiku`, or `haiku_reachable`. `research.md` may mention old providers only as historical comparison.
+8. For delete/privacy specs, fail if requirements/design/tasks mix multiple deletion policies (for example `email_hash` in one place and `deleted-<uuid>` in another) without one canonical design decision.
+9. If `validation_recommended = true` and validation has not completed (or the user did not explicitly accept risk), keep `ready_for_implementation = false`
+10. Reject task files that use legacy non-numeric mappings like `NFR-1`
+11. If validation decisions were accepted, fail unless they are reflected in implementation-facing sections of affected artifacts and `spec.json.updated_at` / review timestamps reflect the reviewed state
 
 ## Execution Workflow Summary
 
@@ -175,7 +182,7 @@ specs/<feature>/
 
 ### 4. Handoff
 - Update `spec.json` with `"status": "in_progress"` and `"current_phase": "develop"`
-- Ensure `task_files` is synchronized and `ready_for_implementation` reflects the finalization audit outcome
+- Ensure `task_files` + `task_registry` are synchronized and `ready_for_implementation` reflects the finalization audit outcome
 - Report the spec directory path to the orchestrator
 - DO NOT begin implementation yourself
 

package/src/claude/agents/test-runner.md

@@ -13,6 +13,15 @@ You are a battle-hardened QA engineer who has been burned by production incident
 If the prompt includes task file paths, Completion Criteria, or Verification & Evidence instructions, treat them as authoritative.
 Diff-aware test selection does NOT replace task-specific verification.
 
+## Command Resolution Order
+
+When the task file names exact commands, use this order:
+1. Run every exact executable command from `Verification & Evidence` in declaration order.
+2. Run repo-default typecheck/test/build commands only to fill gaps not already covered above.
+3. Apply diff-aware test selection only after task-mandated commands are satisfied.
+
+Never silently substitute a lighter command for a task-mandated one. Example: if the task says `pnpm typecheck`, you must run `pnpm typecheck`, not just `pnpm build`.
+
 ## Operating Modes
 
 ### Mode 1: Diff-Aware (Default)
@@ -73,6 +82,9 @@ Run the entire test suite without diff filtering. Use when: first run, major ref
 - Typecheck/Lint: PASS | FAIL | N/A
 - Build: PASS | FAIL | N/A
 
+### Exact Commands Executed
+- `command here` → PASS | FAIL | UNVERIFIED
+
 ### Coverage
 - Lines: [X%] | Branches: [X%] | Functions: [X%]
 - ⚠️ Below threshold: [list modules < 80%]
@@ -100,4 +112,6 @@ Run the entire test suite without diff filtering. Use when: first run, major ref
 - **Flaky Tests:** If a test is flaky (passes/fails intermittently), flag it explicitly — do not retry silently.
 - **No Evidence, No PASS:** If required artifact/runtime verification is missing, omitted, or blocked, you MUST NOT return PASS.
 - **Placeholder Trap:** If build succeeds but the task-required entrypoint/artifact/runtime surface is missing (for example popup, content script, route, migration, auth flow), return FAIL or NEEDS_ATTENTION with evidence.
+- **Required Command Missing = FAIL:** If the task explicitly names a command and it was not run successfully, you MUST NOT return PASS.
+- **NO_TESTS Semantics:** If no tests exist, report `NO_TESTS` explicitly. `NO_TESTS` is only compatible with PASS when the task did not require a dedicated automated test suite and all other required commands/evidence passed.
 - Report honestly. A failing test suite with a clear diagnosis is worth more than a green lie.

package/src/claude/hooks/privacy-block.cjs

@@ -3,124 +3,177 @@
  * Copyright (c) 2026 Haposoft. MIT License.
  *
  * PreToolUse Hook — privacy-block.cjs
- * Implements: https://docs.anthropic.com/en/docs/claude-code/hooks
  *
- * Blocks access to sensitive files unless the user explicitly approves.
+ * Claude Code CLI privacy gate for sensitive files.
  *
- * Approval flow:
- *   1. Hook blocks with exit(2) and shows a prompt
- *   2. Claude Code asks user for approval
- *   3. User approves → Claude retries with "APPROVED:" prefix
- *   4. Hook detects prefix → allows through
- *
- * Disable: set "privacyBlock": false in .claude/runtime.json
+ * Runtime contract:
+ * - Non-bash file access to sensitive files is blocked with a JSON marker
+ * - Assistant must use AskUserQuestion with that JSON payload
+ * - If user approves, assistant should read via `bash cat "file"`
+ * - Bash access is allowed with a warning to enable the approved follow-up path
  *
  * Exit: 0 = allow, 2 = block
  */
 
 try {
-  const fs   = require('fs');
+  const fs = require('fs');
   const path = require('path');
 
-  // Sensitive file patterns — matched against basename and full path
   const RESTRICTED_PATTERNS = [
-    /^\.env(\.|$)/i,                  // .env, .env.local, .env.production …
-    /^credentials/i,                  // credentials.json, aws-credentials …
-    /secrets?\.(ya?ml|json)$/i,       // secrets.yaml, secret.json
-    /\.pem$/i,                        // TLS certificates
-    /\.key$/i,                        // Private keys
-    /\.p12$/i,                        // PKCS12 bundles
-    /\.pfx$/i,                        // PFX bundles
-    /^id_(rsa|ed25519|ecdsa|dsa)$/i,  // SSH private keys
-    /\.netrc$/i,                      // Network credentials
-    /\.pgpass$/i,                     // PostgreSQL passwords
-    /kubeconfig/i,                    // Kubernetes config
-    /\.keystore$/i,                   // Java / Android keystores
-    /\.jks$/i,                        // Java KeyStore
-    /auth\.json$/i,                   // OAuth tokens
-    /token(s)?\.json$/i,              // Token files
+    /^\.env(\.|$)/i,
+    /^credentials/i,
+    /secrets?\.(ya?ml|json)$/i,
+    /\.pem$/i,
+    /\.key$/i,
+    /\.p12$/i,
+    /\.pfx$/i,
+    /^id_(rsa|ed25519|ecdsa|dsa)$/i,
+    /\.netrc$/i,
+    /\.pgpass$/i,
+    /kubeconfig/i,
+    /\.keystore$/i,
+    /\.jks$/i,
+    /auth\.json$/i,
+    /token(s)?\.json$/i
   ];
 
-  // Safe exceptions — these always pass through (example / template files)
   const ALLOWED_EXEMPTIONS = [
-    /\.env\.(example|sample|template|test)$/i,
+    /\.env\.(example|sample|template|test)$/i
   ];
 
-  function isSafe(p)      { const b = path.basename(p); return ALLOWED_EXEMPTIONS.some(r => r.test(b) || r.test(p)); }
-  function isSensitive(p) { const b = path.basename(p); return RESTRICTED_PATTERNS.some(r => r.test(b) || r.test(p)); }
-
-  /** Extract file paths from various tool inputs */
-  function extractPaths(toolName, input) {
-    const out = [];
-    if (!input) return out;
-    if (input.file_path) out.push(input.file_path);
-    if (input.path)      out.push(input.path);
-    // Bash: look for cat/less/head/tail etc.
-    if (typeof input.command === 'string') {
-      const m = input.command.match(/(?:cat|less|more|head|tail|source|\.)\s+(\S+)/g);
-      if (m) m.forEach(s => out.push(s.trim().split(/\s+/).pop()));
+  function readRuntime(cwd) {
+    try {
+      const file = path.join(cwd, '.claude', 'runtime.json');
+      return fs.existsSync(file) ? JSON.parse(fs.readFileSync(file, 'utf8')) : {};
+    } catch {
+      return {};
     }
-    return out.filter(Boolean);
   }
 
-  /** True if the user prompt contains an APPROVED: prefix */
-  function approved(prompt) {
-    return typeof prompt === 'string' && prompt.includes('APPROVED:');
+  function isSafe(filePath) {
+    const base = path.basename(filePath);
+    return ALLOWED_EXEMPTIONS.some((rule) => rule.test(base) || rule.test(filePath));
   }
 
-  /** Read runtime.json */
-  function readRuntime(cwd) {
-    try {
-      const p = path.join(cwd, '.claude', 'runtime.json');
-      return fs.existsSync(p) ? JSON.parse(fs.readFileSync(p, 'utf8')) : {};
-    } catch { return {}; }
+  function isSensitive(filePath) {
+    const base = path.basename(filePath);
+    return RESTRICTED_PATTERNS.some((rule) => rule.test(base) || rule.test(filePath));
+  }
+
+  function extractBashPaths(command) {
+    const paths = [];
+    const regex = /(?:cat|less|more|head|tail|source|\.)\s+(?:"([^"]+)"|'([^']+)'|([^\s]+))/g;
+    let match;
+    while ((match = regex.exec(command)) !== null) {
+      paths.push(match[1] || match[2] || match[3]);
+    }
+    return paths;
+  }
+
+  function extractPaths(toolName, input) {
+    const paths = [];
+    if (!input) return paths;
+
+    for (const key of ['file_path', 'path']) {
+      if (typeof input[key] === 'string' && input[key].trim()) {
+        paths.push(input[key].trim());
+      }
+    }
+
+    for (const key of ['paths', 'search_paths']) {
+      if (Array.isArray(input[key])) {
+        paths.push(...input[key].filter(Boolean));
+      }
+    }
+
+    if (toolName === 'Bash' && typeof input.command === 'string') {
+      paths.push(...extractBashPaths(input.command));
+    }
+
+    return paths.filter(Boolean);
   }
 
-  // ── Main ──────────────────────────────────────────────────────────────────
+  function formatBlockMessage(filePath) {
+    const basename = path.basename(filePath);
+    const promptData = {
+      type: 'PRIVACY_PROMPT',
+      file: filePath,
+      basename,
+      question: {
+        header: 'File Access',
+        text: `I need to read "${basename}" which may contain sensitive data (API keys, passwords, tokens). Do you approve?`,
+        options: [
+          {
+            label: 'Yes, approve access',
+            description: `Allow reading ${basename} this time`
+          },
+          {
+            label: 'No, skip this file',
+            description: 'Continue without accessing this file'
+          }
+        ]
+      }
+    };
+
+    return [
+      'NOTE: This is not an error. This block protects sensitive data.',
+      '',
+      `PRIVACY BLOCK: Sensitive file access requires user approval`,
+      `File: ${filePath}`,
+      '',
+      '@@PRIVACY_PROMPT_START@@',
+      JSON.stringify(promptData, null, 2),
+      '@@PRIVACY_PROMPT_END@@',
+      '',
+      'Claude Code follow-up:',
+      `- If approved: use bash to read: cat "${filePath}"`,
+      '- If denied: continue without this file'
+    ].join('\n');
+  }
 
-  const stdin   = fs.readFileSync(0, 'utf8').trim();
+  const stdin = fs.readFileSync(0, 'utf8').trim();
   if (!stdin) process.exit(0);
 
-  const data      = JSON.parse(stdin);
-  const toolName  = data.tool_name  || '';
+  const data = JSON.parse(stdin);
+  const toolName = data.tool_name || '';
   const toolInput = data.tool_input || {};
-  const prompt    = data.prompt     || '';
-  const cwd       = data.cwd        || process.cwd();
-  const runtime   = readRuntime(cwd);
+  const cwd = data.cwd || process.cwd();
+  const runtime = readRuntime(cwd);
 
-  // Disabled via config
   if (runtime.privacyBlock === false) process.exit(0);
 
-  // Already approved by user
-  if (approved(prompt)) process.exit(0);
-
   const paths = extractPaths(toolName, toolInput);
   if (!paths.length) process.exit(0);
 
   for (const filePath of paths) {
     if (isSafe(filePath)) continue;
-    if (isSensitive(filePath)) {
-      console.log(
-        `RESTRICTED ACCESS: File protection active — approval required\n` +
-        `Target: ${filePath}\n\n` +
-        `Retry query with: APPROVED:${filePath}\n\n` +
-        `--- RESTRICTED_FILE_PROMPT_BEGIN ---\n` +
-        JSON.stringify({ type: 'RESTRICTED_PROMPT', file: filePath, tool: toolName }) + '\n' +
-        `--- RESTRICTED_FILE_PROMPT_END ---`
-      );
-      process.exit(2);
+    if (!isSensitive(filePath)) continue;
+
+    if (toolName === 'Bash') {
+      console.error(`WARN: Privacy-sensitive file access via bash allowed for approved follow-up: ${path.basename(filePath)}`);
+      process.exit(0);
     }
+
+    console.error(formatBlockMessage(filePath));
+    process.exit(2);
   }
 
   process.exit(0);
-
-} catch (e) {
+} catch (error) {
   try {
-    const fs = require('fs'), p = require('path');
-    const d = p.join(__dirname, '.logs');
-    if (!fs.existsSync(d)) fs.mkdirSync(d, { recursive: true });
-    fs.appendFileSync(p.join(d, 'hook-log.jsonl'),
-      JSON.stringify({ ts: new Date().toISOString(), hook: 'privacy-block', status: 'crash', error: e.message }) + '\n');
+    const fs = require('fs');
+    const path = require('path');
+    const logDir = path.join(__dirname, '.logs');
+    if (!fs.existsSync(logDir)) fs.mkdirSync(logDir, { recursive: true });
+    fs.appendFileSync(
+      path.join(logDir, 'hook-log.jsonl'),
+      JSON.stringify({
+        ts: new Date().toISOString(),
+        hook: 'privacy-block',
+        status: 'crash',
+        error: error.message
+      }) + '\n'
+    );
   } catch (_) {}
-  process.exit(0); // fail-open
+  process.exit(0);
 }

package/src/claude/hooks/spec-state.cjs

@@ -63,17 +63,36 @@ try {
   }
 
   const phase = activeSpec.current_phase || activeSpec.phase || 'unknown';
-  
+  const taskRegistry = activeSpec.task_registry || {};
+  const taskEntries = Object.entries(taskRegistry);
+  const taskCounts = taskEntries.reduce((acc, [, task]) => {
+    const status = task?.status || 'pending';
+    acc[status] = (acc[status] || 0) + 1;
+    return acc;
+  }, {});
+  const taskStatusByPath = new Map(taskEntries.map(([taskPath, task]) => [taskPath, task?.status || 'pending']));
+  const nextUnblocked = taskEntries.find(([, task]) => {
+    const status = task?.status || 'pending';
+    const deps = Array.isArray(task?.dependencies) ? task.dependencies : [];
+    return status === 'pending' && deps.every((dep) => taskStatusByPath.get(dep) === 'done');
+  });
+
   // Format the output
   const lines = [];
   lines.push('');
   lines.push('### 🔴 URGENT SYSTEM TOLLGATE (STATE SYNC) 🔴');
   lines.push(`- **Active Feature:** \`${featureName}\``);
   lines.push(`- **Current Phase:** \`${phase}\``);
+  if (taskEntries.length > 0) {
+    lines.push(`- **Task Registry:** \`${taskEntries.length} total | ${(taskCounts.done || 0)} done | ${(taskCounts.in_progress || 0)} in_progress | ${(taskCounts.blocked || 0)} blocked | ${(taskCounts.pending || 0)} pending\``);
+    if (nextUnblocked) {
+      lines.push(`- **Next Unblocked Task:** \`${nextUnblocked[0]}\``);
+    }
+  }
   lines.push('');
   lines.push(`> BẮT BUỘC (MANDATORY): Nếu bạn vừa hoàn thành một bước, bạn KHÔNG ĐƯỢC báo cáo "Đã xong" ngay.`);
   lines.push(`> Bạn PHẢI sử dụng công cụ Edit để cập nhật trạng thái vật lý sau khi đã có bằng chứng verify thật (build/test/runtime/artifact), không phải chỉ vì code đã viết xong.`);
-  lines.push(`> 1. Sửa file \`spec.json\` (status, phase/current_phase, timestamps, \`task_files\`, validation state nếu có thay đổi).`);
+  lines.push(`> 1. Sửa file \`spec.json\` (status, phase/current_phase, timestamps, \`task_files\`, \`task_registry\`, validation state nếu có thay đổi).`);
   lines.push(`> 2. Chỉ khi verify xong mới sửa file \`tasks/task-*.md\` (status + tick '[x]' các sub-task và completion criteria liên quan).`);
   lines.push(`> 3. NẾU VỪA HOÀN THÀNH 1 TASK CÓ SỬA SOURCE CODE, BẮT BUỘC cập nhật ngay tài liệu trong \`docs/\` (\`system-architecture.md\` hoặc Changelog) cho đồng bộ.`);
   lines.push(`> CẤM VI PHẠM LUẬT TOLLGATE NÀY NHẰM ĐẢM BẢO TÍNH ĐỒNG BỘ CỦA HỆ THỐNG.`);