POSA_LEAKSMS/docs/solutions/workflow-issues/review-cycle-knowledge-capture-2026-05-19.md
유창욱 90f121e14c chore: import codebase with security hardening
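Full source of the SHT30 temperature/humidity monitoring system (server PHP, STM32 firmware, SQL, tests).
Applies 10 security-hardening items identified in the full code review:
- Switch request signing to HMAC-SHA256 (firmware sig.c / server config.php / host parity, all at once)
- Replay defense + fail-closed on the default API_KEY + device string sanitization (api/sensor_data.php)
- Remove the offline SMS duplicate-send race (cron_heartbeat.php, atomic claim)
- Prevent CSV formula injection (monthly_report.php), audit-log rotation lock (retention_cleanup.php)
- Make the brute-force counter atomic (login.php), invalidate the example TOTP secret, make migrations idempotent

_backup/ (contains hard-coded real secrets), config.local.php, and runtime state are excluded via .gitignore.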
2026-06-20 09:37:40 +09:00


---
title: Review Cycle Knowledge Capture for Leak SMS v2605
date: 2026-05-19
last_updated: 2026-05-20
category: docs/solutions/workflow-issues
module: leak_sms_v2 operations workflow
problem_type: workflow_issue
component: development_workflow
severity: medium
applies_when:
- "Finishing a review and execution cycle on the leak monitoring project"
- "Adding schema, dashboard, report, or Raspberry Pi runtime behavior in one pass"
- "Adding security evidence pages, attachment packages, or operational checklists"
tags: [v2605, review-cycle, compound, verification, operations]
---
# Review Cycle Knowledge Capture for Leak SMS v2605
> Note: This document is a legacy record from the leak-detection era; the current system has since been converted to SHT30 temperature/humidity monitoring only.
## Context
The v2605 hardening work touched PHP pages, MySQL schema, Raspberry Pi capture logic, operations documentation, and deployment notes at the same time. That creates two recurring risks: a feature can be visible in the UI before the DB migration is applied, and static syntax checks can miss broken HTML or operational gaps.
## Guidance
At the end of each execution-review cycle, capture the concrete lessons in `docs/solutions/` before declaring the work finished. For this project, the minimum checklist is:
- Run PHP syntax checks on every changed PHP entry point, including new admin pages.
- Run Python compile checks after Raspberry Pi runtime edits.
- Search non-backup files for stale secrets, old endpoint names, or legacy phone numbers.
- Keep stale-secret search patterns out of durable docs or mask them; otherwise the verification command can reintroduce the exact legacy values it is meant to detect.
- Confirm new SQL migrations are documented in both the project README and the top-level report.
- If a feature depends on optional schema, code the PHP page to degrade safely when the table or column is absent.
- When adding security-evidence features, update both sides of the handoff: runtime screens/scripts (`security_evidence.php`, `collect_evidence.py`) and the HWP attachment docs that tell an operator what to submit.
- After `python -m py_compile`, remove all generated `__pycache__` directories under the workspace, not just the runtime package that was edited.
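
One way to follow the checklist item on masking stale-secret search patterns, as an added example (not code from this project): the durable list holds only keyed HMAC-SHA256 fingerprints of the legacy values, and the scanner fingerprints each token it finds in the tree. `STALE_SCAN_KEY`, `stale_fingerprints.txt`, `fingerprint` and `scan_tree` are hypothetical names; `_backup` is skipped to match the "non-backup files" rule.

```python
import hashlib
import hmac
import os
import re
from pathlib import Path

SKIP_DIRS = {"_backup", ".git", "__pycache__"}   # search non-backup files only
TOKEN_RE = re.compile(r"[A-Za-z0-9_+/.\-]{6,}")   # candidate key/endpoint/phone tokens


def fingerprint(value: str, key: bytes) -> str:
    """HMAC-SHA256 of a value. The key stays outside the repo so low-entropy
    values such as phone numbers cannot be brute-forced from the digest list."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def scan_tree(root, stale_fingerprints, key):
    """Return sorted (relative_path, line_no, fingerprint_prefix) hits.

    Matches whole tokens only; the literal value is never returned or printed.
    """
    stale = set(stale_fingerprints)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            try:
                text = path.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for line_no, line in enumerate(text.splitlines(), start=1):
                for token in set(TOKEN_RE.findall(line)):
                    fp = fingerprint(token, key)
                    if fp in stale:
                        rel = path.relative_to(root).as_posix()
                        hits.append((rel, line_no, fp[:12]))
    return sorted(hits)


if __name__ == "__main__":
    # Assumed setup: key in the environment, one fingerprint per line in the list file.
    scan_key = os.environ["STALE_SCAN_KEY"].encode()
    wanted = Path("stale_fingerprints.txt").read_text().split()
    for rel, line_no, prefix in scan_tree(Path("."), wanted, scan_key):
        print(f"{rel}:{line_no}: stale value (fingerprint {prefix}...)")
```

Because matching is per whole token, a legacy value embedded inside a longer string (for example a full URL) needs its own fingerprint entry.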
## Why This Matters
The deployment target is a small operational system where a hidden migration miss can block incident response after a real leak alert. Capturing these checks makes the next cycle faster and reduces repeat mistakes around migrations, secrets, and PHP pages that pass `php -l` but still need markup review.
## When to Apply
- Before calling a v2605 improvement complete.
- After adding DB columns used by dashboard/report pages.
- After adding Raspberry Pi environment variables or runtime timing logic.
- Before handing off deployment notes to an operator.
## Examples
For photo timeline work, the compatible pattern is to detect `leak_photo.sequence_no` and `leak_photo.photo_stage` before using them. New installs can use `sql/schema_v2605.sql`, while existing installs apply `sql/migration_photo_timeline.sql`.
For final verification, keep generated cache directories out of the handoff after running `python -m py_compile`.
For security evidence work, the runtime artifacts and the submission guide must stay aligned. If `php/security_evidence.php?format=md` exists, `docs/SECURITY_EVIDENCE_PACKAGE.md`, `docs/SECURITY_PLAN_PASS_READINESS.md`, and `docs/SECURITY_PLAN_HWP_REVIEW.md` should all point to it. If a Pi evidence collector exists, installation docs must include the exact command and explain that raw API/SMS keys are not printed.
## Related
- `docs/README.md`
- `sql/migration_photo_timeline.sql`
- `php/setup_wizard.php`
- `php/security_evidence.php`
- `php/monthly_report.php`
- `raspberry_pi/collect_evidence.py`
- `docs/SECURITY_EVIDENCE_PACKAGE.md`