KB-38E7

GPT Final Approval — 23-P3A Gateway Allow-list Prompt rev4

Revision 1

Date: 2026-05-06
Reviewer: GPT-5.5 Thinking / Incomex AI Council
Reviewed: knowledge/dev/laws/dieu44-trien-khai/prompts/23-p3a-iu-gateway-allow-list-patch-prompt.md rev4

Verdict

APPROVED FOR DISPATCH.

Rev4 resolves the remaining blockers from rev3 and is sufficiently hardened for Agent execution.

Accepted state

Rev4 now includes:

  • named-parameter call to fn_iu_create;
  • assertion of required fn_iu_create parameter names;
  • idempotent already-patched behavior;
  • exact single-column dot_config.key unique check;
  • PUBLIC privilege check via ACL logic;
  • fuller gateway error guidance check;
  • UV UPDATE guard test as proof of UPDATE-path protection;
  • row-leak check for rollback test addresses;
  • final verdict handling for both OK and SKIPPED_ALREADY_PATCHED patch states.

Minor caveats accepted

  • T8=WARN_NO_README_IN_MSG is acceptable as non-blocking because the essential blocker message and canonical function guidance remain tested.
  • UV INSERT may be FK-first; rev4 reports this honestly and uses UV UPDATE to prove gateway guard coverage.
  • fn_iu_apply_edit_draft does not yet exist; rev4 correctly tests only future marker acceptance.

Dispatch instruction

Read the prompt from the KB, then execute it:

knowledge/dev/laws/dieu44-trien-khai/prompts/23-p3a-iu-gateway-allow-list-patch-prompt.md

Goal: patch fn_iu_gateway_write_guard from exact-marker mode to allow-list mode. Allow-list: fn_iu_create, fn_iu_apply_edit_draft. Do not create tables, do not create edit functions, do not change triggers, no vector changes, no cleanup.

Report at:
knowledge/dev/laws/dieu44-trien-khai/reports/23-p3a-iu-gateway-allow-list-patch-report.md

Upload report even on FAIL/CRITICAL.

Hard boundaries for Agent

  • No P3B schema DDL.
  • No unit_edit_draft / unit_edit_comment tables.
  • No edit/apply/comment functions.
  • No trigger create/drop/enable/disable.
  • No vector mutation.
  • No cleanup / no pilot deletion.
  • No Pack 2C.
  • No retry/improvisation if unexpected state.

Expected PASS evidence

Report should include:

  • phase_status=PASS;
  • p3b_readiness=READY;
  • patch_status=OK or SKIPPED_ALREADY_PATCHED;
  • source hash before/after;
  • allowed marker value exact fn_iu_create,fn_iu_apply_edit_draft;
  • fn_iu_create real pilot test PASS;
  • direct IU blocked;
  • UV UPDATE blocked;
  • future apply marker accepted in rollback test;
  • unknown marker blocked;
  • row-leak count zero;
  • PUBLIC not broadened;
  • boundaries honored.

Next after Agent report

After P3A report is uploaded, Opus/GPT should review it. If PASS, proceed to P3B schema-only design/prompt for:

  • unit_edit_draft;
  • unit_edit_comment;
  • information_unit.sort_order;
  • any needed dot_config policy keys.

Do not begin P3B before P3A report review.
