GPT Review — 23-P3D4C1U Prompt rev5
Date: 2026-05-08
Reviewer: GPT-5.5 Thinking / Incomex AI Council
Reviewed: knowledge/dev/laws/dieu44-trien-khai/prompts/23-p3d4c1u-universal-core-implementation-prompt.md rev5
Verdict
REV6 REQUIRED — do not dispatch rev5.
Rev5 is architecturally better than rev4. The User/Opus correction is accepted: the universal signal system should use a two-lane model, not a pure polling model.
This is the right simplification:
Immediate lane: trigger -> event_outbox directly -> visible now.
Delayed lane: trigger -> event_pending -> worker later only when debounce/grouping is actually needed.
For the system_issues PoC, all active events are immediate, so no worker/cron schedule is required. This avoids idle polling and better follows the constitutional principle of solving with the simplest reliable mechanism.
However rev5 still has a few dispatch blockers that must be patched before production execution.
Accepted improvements in rev5
- Delivery model is now explicit: immediate vs delayed.
- system_issues active PoC events are immediate.
- Capture trigger writes directly to event_outbox + event_read (implicit_self).
- No pending rows for PoC immediate events.
- No pg_cron schedule for PoC.
- Idle polling is avoided.
- delivery_lane is added to event_type_registry and event_outbox.
- red_zone_violation remains deferred/inactive.
- Tests are simplified from worker-driven to immediate-emission driven.
Required rev6 patches
P1 — Registry trigger must validate delivery_lane, not only type/stream
Rev5 says registry controls the lane, but Step 2 still says the enforcement trigger validates only event_type + event_stream.
Patch fn_event_type_validate() to validate:
- (event_domain,event_type) exists;
- active=true;
- NEW.event_stream = registry.event_stream;
- NEW.delivery_lane = registry.delivery_lane.
For immediate PoC events, any attempt to insert delivery_lane='delayed' into event_outbox for issue_opened/resolved/archived must be rejected.
P2 — Immediate trigger must handle idempotency safely
Rev5 trigger does:
INSERT INTO event_outbox (...) RETURNING id INTO v_event_id;
INSERT INTO event_read(event_id, ...)
But it does not specify an idempotency key or ON CONFLICT behavior. If a duplicate status update or a retried execution happens, this may either duplicate events or fail. If ON CONFLICT DO NOTHING is later added, RETURNING id may return no row, and the event_read insert will then fail or receive a NULL event id.
Patch to require one safe pattern:
- define a deterministic unique key for immediate system issue events, e.g. (event_domain,event_type,event_subject_table,event_subject_ref);
- use INSERT ... ON CONFLICT (...) DO UPDATE/NOTHING RETURNING id, or insert then SELECT existing id on conflict;
- only insert event_read(implicit_self) when a valid event id is available;
- tests must verify duplicate/retry does not create duplicate outbox rows.
P3 — fn_event_type_validate should distinguish unknown/inactive/stream mismatch/lane mismatch
For future debugging, error messages should distinguish:
- unknown event type;
- inactive event type;
- stream mismatch;
- delivery lane mismatch.
This avoids opaque production failures.
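One way the P1 and P3 checks could look as a single PL/pgSQL trigger function. This is an added example, not text from rev5 or the prompt under review. The table and column names are the ones this review mentions; the trigger name and the error codes are assumptions, and (event_domain, event_type) is assumed unique in event_type_registry.

```sql
-- Added example; trigger name and error codes are assumptions, not rev5 text.
-- Assumes (event_domain, event_type) is unique in event_type_registry.
CREATE OR REPLACE FUNCTION fn_event_type_validate()
RETURNS trigger
LANGUAGE plpgsql
AS $$
DECLARE
    r record;
BEGIN
    SELECT active, event_stream, delivery_lane
      INTO r
      FROM event_type_registry
     WHERE event_domain = NEW.event_domain
       AND event_type   = NEW.event_type;

    IF NOT FOUND THEN
        RAISE EXCEPTION 'unknown event type: %/%', NEW.event_domain, NEW.event_type
            USING ERRCODE = 'foreign_key_violation';
    END IF;

    IF r.active IS NOT TRUE THEN
        RAISE EXCEPTION 'inactive event type: %/%', NEW.event_domain, NEW.event_type
            USING ERRCODE = 'check_violation';
    END IF;

    -- IS DISTINCT FROM treats NULL as a value, so a missing stream or lane
    -- on the new row does not slip past the comparison.
    IF NEW.event_stream IS DISTINCT FROM r.event_stream THEN
        RAISE EXCEPTION 'stream mismatch for %/%: got %, registry has %',
            NEW.event_domain, NEW.event_type, NEW.event_stream, r.event_stream
            USING ERRCODE = 'check_violation';
    END IF;

    IF NEW.delivery_lane IS DISTINCT FROM r.delivery_lane THEN
        RAISE EXCEPTION 'delivery lane mismatch for %/%: got %, registry has %',
            NEW.event_domain, NEW.event_type, NEW.delivery_lane, r.delivery_lane
            USING ERRCODE = 'check_violation';
    END IF;

    RETURN NEW;
END;
$$;

CREATE TRIGGER trg_event_outbox_type_validate
BEFORE INSERT OR UPDATE ON event_outbox
FOR EACH ROW EXECUTE FUNCTION fn_event_type_validate();
```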
P4 — pg_cron should not be part of P3D4C1U execution at all if no delayed lane is active
Rev5 correctly says no schedule. But it still asks for pg_cron availability preflight and worker function creation.
To keep the PoC simplest and avoid unnecessary admin dependency, patch:
- pg_cron availability is optional informational only and must never block P3D4C1U when all active events are immediate;
- do not install pg_cron;
- do not query cron.job unless pg_cron is installed;
- T9 must be safe if cron schema does not exist.
Preferred T9 wording:
If pg_cron is installed, verify no job named event-worker exists.
If pg_cron is not installed, pass T9 as NOT_INSTALLED_NO_CRON_JOB_POSSIBLE.
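A T9 check that never touches cron.job when the cron schema is absent, as an added example that is not part of rev5. The function name and the FAIL_EVENT_WORKER_JOB_EXISTS value are assumptions; cron.job and its jobname column are pg_cron's own catalog.

```sql
-- Added example; function name and the failure value are assumptions.
CREATE OR REPLACE FUNCTION fn_t9_no_cron_scheduled()
RETURNS text
LANGUAGE plpgsql
AS $$
DECLARE
    v_jobs bigint;
BEGIN
    -- Both checks read core catalogs only, so they are safe without pg_cron.
    IF NOT EXISTS (SELECT 1 FROM pg_extension WHERE extname = 'pg_cron')
       OR to_regclass('cron.job') IS NULL THEN
        RETURN 'NOT_INSTALLED_NO_CRON_JOB_POSSIBLE';
    END IF;

    -- Dynamic SQL keeps the cron.job reference out of the function's
    -- static statements, so nothing resolves it on the not-installed path.
    EXECUTE 'SELECT count(*) FROM cron.job WHERE jobname = $1'
       INTO v_jobs
      USING 'event-worker';

    IF v_jobs > 0 THEN
        RETURN 'FAIL_EVENT_WORKER_JOB_EXISTS';
    END IF;

    RETURN 'PASS';
END;
$$;

-- Value for the test_no_cron_scheduled report field.
SELECT fn_t9_no_cron_scheduled() AS test_no_cron_scheduled;
```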
P5 — Worker function should be deferred unless needed
Rev5 still says:
Worker function: CREATE but do NOT schedule cron
Given the PoC is all-immediate and the User explicitly wants the simplest reliable solution, creating an unused worker function is unnecessary surface area.
Patch to defer worker function creation:
worker_function_created=DEFERRED_NOT_REQUIRED_FOR_IMMEDIATE_POC
worker_required_for_poc=false
worker_cron_scheduled=NO_NOT_REQUIRED_FOR_IMMEDIATE_POC
Keep event_pending / event_worker_log either:
- deferred entirely; or
- created as empty schema only if Opus strongly justifies universal core completeness.
GPT preference for simplicity: defer worker function and cron; create only tables needed by immediate PoC plus registry/subscription/read/outbox. If event_pending is created, it must stay empty and unused.
P6 — Rollback block still shows unconditional DROP statements
Rev5 says data-safe, but Step 8 code shows unconditional:
DROP TABLE IF EXISTS event_worker_log;
DROP TABLE IF EXISTS event_pending;
DROP TABLE IF EXISTS event_read;
DROP TABLE IF EXISTS event_subscription;
DROP TABLE IF EXISTS event_outbox;
DROP TABLE IF EXISTS event_type_registry;
Patch rollback to be explicitly guarded:
- count non-test events before dropping event_outbox;
- do not drop if non-test event rows exist unless User-approved rollback;
- cleanup test-tagged rows only;
- no destructive rollback on success;
- report rollback_executed=NO_ON_SUCCESS.
Do not provide unconditional DROP block without guard conditions.
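A guarded form of the failure-path rollback, as an added example that is not rev5's Step 8. It assumes a hypothetical test_tag column on event_outbox that marks test rows and a hypothetical session setting p3d4c1u.rollback_approved standing in for User approval; neither name appears in the prompt.

```sql
-- Added example. test_tag and p3d4c1u.rollback_approved are hypothetical
-- names used to express the guard; substitute the fields found by inventory.
DO $$
DECLARE
    v_non_test bigint := 0;
    v_approved boolean :=
        COALESCE(current_setting('p3d4c1u.rollback_approved', true), '') = 'yes';
BEGIN
    -- Count rows that are not test-tagged before anything is dropped.
    IF to_regclass('event_outbox') IS NOT NULL THEN
        EXECUTE 'SELECT count(*) FROM event_outbox
                  WHERE test_tag IS DISTINCT FROM $1'
           INTO v_non_test
          USING '[P3D4C1U-TEST]';
    END IF;

    -- Real event rows block the rollback unless the User approved it.
    IF v_non_test > 0 AND NOT v_approved THEN
        RAISE EXCEPTION
            'rollback blocked: % non-test rows in event_outbox', v_non_test;
    END IF;

    -- Same drop order as the rev5 block, reached only past the guard.
    DROP TABLE IF EXISTS event_worker_log;
    DROP TABLE IF EXISTS event_pending;
    DROP TABLE IF EXISTS event_read;
    DROP TABLE IF EXISTS event_subscription;
    DROP TABLE IF EXISTS event_outbox;
    DROP TABLE IF EXISTS event_type_registry;
END;
$$;
```

The DO block runs in one transaction, so a blocked rollback leaves every table in place.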
P7 — Test cleanup assumes system_issues.title exists
Rev5 says title contains [P3D4C1U-TEST]. Earlier prompt required inventory exact columns. Patch tests to use whichever safe text/code field exists from inventory:
- title if exists;
- else description if safe;
- else an available code/source field;
- else STOP and report test_tag_field=NOT_FOUND.
Do not hardcode title.
P8 — event_read implicit self-read in trigger is acceptable but must be transactional and idempotent
Patch to require:
- event_outbox insert and event_read insert occur in same trigger transaction;
- event_read insert uses ON CONFLICT (event_id, actor_ref) DO NOTHING for implicit self;
- if event already existed, choose whether to insert/update implicit self-read based on returned/existing event id;
- no implicit self row for actor_ref IS NULL or blank; actor must fall back to system.
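The safe pattern asked for in P2 and P8, written as a helper the capture trigger could call. This is an added example, not code from rev5. The function name, the index names, the bigint id type and the read_kind column are assumptions; the unique key is the one suggested in P2.

```sql
-- Added example; names not in the review (function, indexes, read_kind,
-- bigint id) are assumptions.
CREATE UNIQUE INDEX IF NOT EXISTS ux_event_outbox_subject
    ON event_outbox (event_domain, event_type, event_subject_table, event_subject_ref);
CREATE UNIQUE INDEX IF NOT EXISTS ux_event_read_actor
    ON event_read (event_id, actor_ref);

CREATE OR REPLACE FUNCTION fn_emit_immediate_event(
    p_domain text, p_type text, p_stream text,
    p_table text, p_ref text, p_actor text)
RETURNS bigint
LANGUAGE plpgsql
AS $$
DECLARE
    v_event_id bigint;
    -- NULL or blank actor falls back to 'system'.
    v_actor text := COALESCE(NULLIF(btrim(p_actor), ''), 'system');
BEGIN
    INSERT INTO event_outbox (event_domain, event_type, event_stream,
                              delivery_lane, event_subject_table, event_subject_ref)
    VALUES (p_domain, p_type, p_stream, 'immediate', p_table, p_ref)
    ON CONFLICT (event_domain, event_type, event_subject_table, event_subject_ref)
    DO NOTHING
    RETURNING id INTO v_event_id;

    -- On conflict RETURNING yields no row and v_event_id stays NULL:
    -- look up the event that already exists instead of failing.
    IF v_event_id IS NULL THEN
        SELECT id INTO v_event_id
          FROM event_outbox
         WHERE event_domain = p_domain
           AND event_type = p_type
           AND event_subject_table = p_table
           AND event_subject_ref = p_ref;
    END IF;

    -- Implicit self-read only with a valid event id; a retry is a no-op.
    IF v_event_id IS NOT NULL THEN
        INSERT INTO event_read (event_id, actor_ref, read_kind)
        VALUES (v_event_id, v_actor, 'implicit_self')
        ON CONFLICT (event_id, actor_ref) DO NOTHING;
    END IF;

    RETURN v_event_id;
END;
$$;
```

Called from the system_issues trigger, both inserts run in the triggering statement's transaction, and calling it twice with the same arguments leaves one outbox row and one event_read row.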
P9 — Access functions can be simplified for Phase 2
To reduce complexity, make mandatory functions:
- fn_event_unread;
- fn_event_mark_read.
Make fn_event_board optional/minimal or deferred to Directus exposure pack unless Agent needs it for tests.
Board aggregation is read-path only and allowed, but not necessary for immediate PoC. Simpler is safer.
P10 — Report fields must reflect no worker/cron execution
Update verification fields:
worker_function_created=DEFERRED_NOT_REQUIRED_FOR_IMMEDIATE_POC|PASS_IF_CREATED_WITH_JUSTIFICATION
worker_cron_scheduled=NO_NOT_REQUIRED_FOR_IMMEDIATE_POC
pg_cron_required_for_poc=false
pg_cron_installed_by_pack=false
idle_polling_avoided=true
test_no_cron_scheduled=PASS|NOT_INSTALLED_NO_CRON_JOB_POSSIBLE
Directive to Opus
Patch the prompt to rev6 at:
knowledge/dev/laws/dieu44-trien-khai/prompts/23-p3d4c1u-universal-core-implementation-prompt.md
Patch narrowly. Do not reopen the whole design. The target is to keep the hybrid model and make the immediate PoC simpler and dispatch-safe.
Do not dispatch after patch. Return for GPT/User final review.
Hard boundaries unchanged
- No PG mutation during prompt patch.
- No Directus mutation.
- No Nuxt code.
- No Hermes/Codex dispatch.
- No external scheduler/tool/service.
- No pg_cron install/schedule for immediate-only PoC.
- No change to existing iu_notification_* runtime.
- No old IU-specific P3D4C1 resume.
- No body/raw payload/vector/secret/personal data exposure.
- No activity-log creep.
Operating lesson recorded
When designing infrastructure, first ask: what is the simplest mechanism that satisfies the real requirement? For common single events, the simplest PG-native mechanism is direct durable insert from the trigger. A worker is only justified when delayed grouping/debounce is actually needed.