GPT Review — 18a DOT-119 Redesign rev2

Date: 2026-05-05 Reviewer: GPT-5.5 Thinking / Incomex Hội đồng AI Reviewed: knowledge/dev/laws/dieu44-trien-khai/design/18a-dot119-metadata-driven-no-clobber-redesign.md rev 2

Verdict

Rev2 is architecturally good, but rev3 is required before execution-pack design.

Rev2 fixed the major conceptual issues:

• DOT-119 is correctly placed under Đ4 as professional/domain owner.
• Multi-law jurisdiction is now explicit.
• Default is unclassified, not silent synthetic_id.
• legacy_id_single_colon is separated.
• DOT-119 reads metadata and does not require function changes.
• Sentinel is formalized.
• Unclassified handling now produces remediation/finding/health visibility.

However, per the User’s reminder of constitutional principle 14, the design still needs stronger agent/code operability. It should specify what the tool’s CLI/API contract returns, what exit codes mean, what output is machine-readable, and how an agent can safely decide next actions without reading prose.

Required rev3 fixes — HP14 / Agent-Code perspective

B1 — Add DOT-119 CLI contract

Define exact commands and modes:

dot-birth-trigger-setup --collection=<name> --dry-run --json
dot-birth-trigger-setup --collection=<name> --execute --json
dot-birth-trigger-setup --collection=<name> --verify --json
dot-birth-trigger-setup --collection=<name> --drop --json   # if allowed, probably admin-only

The tool must not infer mode from absence of --dry-run. Safer default should be dry-run or require explicit --execute.

B2 — Add exit-code contract

Agents need deterministic handling. Define:

• 0 = success
• 10 = unclassified metadata STOP
• 11 = invalid metadata / missing column
• 12 = unsafe script / no-clobber violation
• 13 = function fallback missing
• 14 = trigger already exists / idempotent state mismatch
• 20 = execution failed / rollback required
• 30 = permission/tooling error

Exact numbers can change, but the design must define them.

B3 — Add JSON output schema

For agent-code use, every dry-run/execute/verify should output JSON fields:

{
  "status": "ok|stop|error|skipped",
  "collection": "information_unit",
  "strategy": "synthetic_id",
  "birth_code_column": null,
  "sentinel": "__birth_synthetic_id__",
  "trigger_name": "trg_birth_information_unit",
  "function_name": "fn_birth_registry_auto",
  "proposed_sql": "CREATE TRIGGER ...",
  "will_modify_function": false,
  "fn_hash_before": "...",
  "fn_hash_after": "...",
  "finding_code": null,
  "remediation": []
}

This prevents future agents from parsing Vietnamese terminal text.

B4 — Make system_issues write path legal/tooled

Rev2 says create finding in system_issues “if legal mechanism exists”. Rev3 must define a concrete design:

• preferred: use existing issue/DOT tool if one exists;
• otherwise: no raw insert in DOT-119 v2; emit JSON finding + rely on health check/report until an issue-writer tool is approved;
• do not leave the tool to decide at runtime.

B5 — Add metadata validation rules as code-level invariants

For each strategy, define exact checks:

• column: birth_code_column IS NOT NULL, column exists, value is text-castable, not nullable or fallback behavior explicitly allowed.
• synthetic_id: birth_code_column IS NULL, id exists, id is NOT NULL, sentinel column absent.
• legacy_id_single_colon: only allowed for explicitly grandfathered collections or approved exceptions.
• subordinate: parent collection/reference must be documented, no trigger created.
• disabled: governance_role must justify disabled/excluded.
• unclassified: always STOP.

B6 — Add idempotency behavior

If trigger already exists:

• If exact trigger definition matches expected → status=ok, no change.
• If trigger exists but differs → STOP with TRIGGER_MISMATCH.
• Do not drop/recreate automatically unless explicit repair mode is approved.

B7 — Add transaction and rollback contract

For execute mode:

• BEGIN; CREATE TRIGGER; verify; COMMIT;
• if verify fails → ROLLBACK.
• function hash before/after must match.
• report whether transaction committed or rolled back.

B8 — Add metadata source and audit fields decision

Rev2 marks source/review fields optional. From agent-code governance perspective, at least one source field is strongly recommended:

• birth_identity_source = inferred_from_existing_trigger | manual | system_default | migration_seed

Optionally reviewed_at/by can be deferred, but without source, future agents cannot distinguish inferred vs approved. Rev3 should recommend whether source is required in 18b.

B9 — Add unclassified health-check lifecycle

Do not just propose H-BIRTH-IDENTITY-UNCLASSIFIED. Define:

• where query lives;
• whether it is warning/info;
• who closes finding;
• closing condition: birth_code_strategy != 'unclassified' and metadata passes validation.

B10 — Add precise decision request

Rev3 should ask GPT/User to decide:

1. Metadata endpoint: collection_registry fields?
2. Minimum fields: 2 fields only or include birth_identity_source now?
3. Tool interface: require --json and explicit --execute?
4. Issue writing: JSON/report only now, or design a legal system_issues writer?
5. Execution split: 18b metadata/tool repair, 18c IU trigger.

Current recommendation

GPT’s current leaning:

• Metadata endpoint: collection_registry.
• Minimum fields for 18b: birth_code_strategy, birth_code_column, plus birth_identity_source.
• Default strategy: unclassified.
• Tool interface: require --dry-run default and explicit --execute, support --json.
• system_issues writing: defer raw writes; output machine-readable JSON finding + add health check. Implement legal writer later if needed.
• Execution split: 18b then 18c.

Directive to Opus/Ocus

Patch file 18a to rev3 with the HP14/agent-code contract sections above.

Do not execute. Do not create 18b yet until rev3 is reviewed.

Hard boundaries remain:

• no code changes;
• no DDL;
• no DOT-119 execution;
• no function edits;
• no IU trigger;
• no IU rows;
• no Pack 2B.