# UU PDP Implementation Prompt — IBL Production Server

> Use this prompt to instruct the agent/Claude during implementation on the IBL production server.
> Branch: `main` | Repo: `BE_IBL/one-api-lab`

---

## Prompt for the Agent

```
You will implement patient PII encryption (UU PDP) on the IBL production server.

IMPORTANT: Read the entire runbook in `docs/pdp-encryption-runbook.md` before starting.

CONTEXT:
- IBL server: SSH config "devibl" (or whichever SSH config is available)
- Project path on the server: /home/one/project/one/one-api-lab/ (or as per the IBL deployment)
- Database: one_lab, one_lab_log
- Encryption: AES-256-GCM, key from .env (passphrase, not hex)
- PHP: 7.2 (avoid the fn() arrow function syntax)

MANDATORY STEPS BEFORE ANYTHING ELSE:
1. Check disk space: at least 10GB free
   - If less, delete old files in /home/one/ (not PDP backups, not MySQL data)
   - Journal logs need sudo: sudo journalctl --vacuum-size=300M
2. BACK UP THE DATABASE FIRST:
   bash scripts/backup_pdp_tables.sh
   Verify the backup exists and is not empty before continuing.
3. Create .env on the server (fill in the passphrases from the IBL password manager):
   IBL_ENCRYPT_KEY=
   IBL_ENCRYPT_SEARCH_KEY=
   chmod 600 .env

EXECUTION ORDER (follow the runbook):
1. Back up the database
2. Create .env
3. Run the SQL migrations:
   - sql/manual_changes/2026-05-31-pdp-encrypt-columns.sql
   - sql/manual_changes/2026-05-31-pdp-update-triggers-enc.sql
   - sql/manual_changes/2026-05-31-pdp-birt-sp-cache-join.sql (creates patient_print_cache)
   - sql/manual_changes/2026-06-08-pdp-fo-birt-sp-patient-print-cache.sql (updates the legacy FO report SP family: invoice, receipt, sales note, billing)
4. DROP the triggers before the data migration:
   mysql one_lab -e 'DROP TRIGGER IF EXISTS vm_patient_ai; DROP TRIGGER IF EXISTS vm_patient_bu; DROP TRIGGER IF EXISTS m_patient_au; DROP TRIGGER IF EXISTS m_patientaddress_ai; DROP TRIGGER IF EXISTS m_patientaddress_bu;'
5. Encrypt m_patient: php scripts/migrate_encrypt_patient.php
6. Populate NIK bidx: php scripts/migrate_nik_bidx.php
7. Encrypt address: php scripts/migrate_address_enc.php
8. Encrypt orderdelivery: php scripts/migrate_encrypt_orderdelivery.php
9. Mask the plaintext (after encryption has finished):
   php scripts/mask_patient_plaintext.php
   php scripts/remask_patient_name.php
10. Recreate the triggers: mysql one_lab < sql/manual_changes/2026-05-31-pdp-update-triggers-enc.sql
11. Truncate the old logs: mysql one_lab_log -e 'TRUNCATE TABLE log_patient; TRUNCATE TABLE order_log;'
12. Verify: check sample data, check disk, check MySQL

DISK WARNING:
- Every time many rows are masked, log_patient can fill up
- If the disk fills up: sudo systemctl start mariadb (after deleting files), truncate log_patient, drop the triggers, continue
- Always DROP the triggers before masking and recreate them afterwards
- Do not delete: backup_pdp_*, one_lab_tables.sql

VERIFY EVERY STEP:
- After encryption: SELECT COUNT(*), COUNT(M_PatientName_enc) FROM m_patient;
- After masking: SELECT M_PatientName, M_PatientHP FROM m_patient LIMIT 5; (must show "NAMA A***", "0812***")
- Check disk: df -h /
- Test patient search: make sure search by name (3+ characters) still works via the API

DO NOT:
- Do not delete backup_pdp_* files
- Do not delete MySQL data files (/var/lib/mysql/ibdata*)
- Do not commit .env to git
- Do not continue if the disk has < 2GB free
- Do not skip the backup

Full reference file: docs/pdp-encryption-runbook.md
```

---

## Pre-Implementation Checklist

Before starting, make sure:

- [ ] SSH to the IBL server works
- [ ] Disk has at least 10GB free
- [ ] Key passphrases are prepared (from the password manager)
- [ ] There is a maintenance window (users not active)
- [ ] The backup is verified before moving on to the next step
- [ ] The team knows about the maintenance (notify them if there is downtime)

## Important Files

| File | Purpose |
|------|---------|
| `docs/pdp-encryption-runbook.md` | Complete step-by-step runbook |
| `.env` | Encryption keys (create manually on the server, DO NOT commit) |
| `scripts/backup_pdp_tables.sh` | Backup script to run before the migration |
| `sql/manual_changes/2026-05-31-pdp-encrypt-columns.sql` | Add _enc + _bidx columns |
| `sql/manual_changes/2026-05-31-pdp-update-triggers-enc.sql` | Update triggers to use _enc |
| `sql/manual_changes/2026-05-31-pdp-birt-sp-cache-join.sql` | patient_print_cache + update 6 BIRT SPs |
| `sql/manual_changes/2026-06-08-pdp-fo-birt-sp-patient-print-cache.sql` | Update the legacy FO report SP family to read `patient_print_cache` |
| `scripts/migrate_encrypt_patient.php` | Encrypt 178K patient rows |
| `scripts/migrate_nik_bidx.php` | Populate NIK search index |
| `scripts/migrate_address_enc.php` | Encrypt address rows |
| `scripts/migrate_encrypt_orderdelivery.php` | Encrypt delivery destination |
| `scripts/mask_patient_plaintext.php` | Mask phone/email/place of birth/NIK/address |
| `scripts/remask_patient_name.php` | Re-mask names in the "NAMA A***" format |
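
The three mandatory pre-steps (10GB free, a non-empty backup, a `.env` with both keys and mode 600) can be enforced as a single gate before any migration runs. The script below is an added example, not part of the `one-api-lab` repo. It assumes the backup directory and `.env` path are passed in as arguments and that backups are regular files named `backup_pdp_*`.

```shell
#!/bin/sh
# Added example: pre-flight gate for the PDP encryption run (not from the repo).
# Assumptions: backup dir and .env path are arguments; backups are files
# named backup_pdp_* as referenced on this page.
# Usage: preflight / /path/to/backups /path/to/.env

MIN_FREE_KB=$((10 * 1024 * 1024))   # 10GB minimum stated in the checklist

# Print free space in KB for the filesystem holding $1.
free_kb() {
    df -Pk "$1" | awk 'NR==2 {print $4}'
}

# Succeed if $1 (KB free) meets the 10GB minimum.
disk_ok() {
    [ "$1" -ge "$MIN_FREE_KB" ]
}

# Succeed if at least one non-empty backup_pdp_* file exists in $1.
backup_ok() {
    for f in "$1"/backup_pdp_*; do
        [ -f "$f" ] && [ -s "$f" ] && return 0
    done
    return 1
}

# Succeed if $1 is mode 600 and both keys carry a non-empty value.
env_ok() {
    [ -f "$1" ] || return 1
    # GNU stat first, BSD stat as fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || return 1
    for k in IBL_ENCRYPT_KEY IBL_ENCRYPT_SEARCH_KEY; do
        grep -Eq "^${k}=.+" "$1" || return 1
    done
}

# Run all gates in order; report the first failure and return non-zero.
preflight() {
    disk_ok "$(free_kb "$1")" || { echo "FAIL: less than 10GB free on $1"; return 1; }
    backup_ok "$2" || { echo "FAIL: no non-empty backup_pdp_* in $2"; return 1; }
    env_ok "$3" || { echo "FAIL: $3 missing a key or not mode 600"; return 1; }
    echo "OK: pre-flight passed"
}
```

The checks never print the key values, so the output is safe to keep in a session log.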