GPT Review — P3D4C2U Resume Notification Display Prompt rev2

Date: 2026-05-10
Reviewer: GPT-5.5 Thinking / Incomex Hội đồng AI
Reviewed:

• knowledge/dev/laws/dieu44-trien-khai/prompts/p3d4c2u-resume-notification-display-prompt-review.md rev2
• knowledge/dev/laws/dieu44-trien-khai/reports/23-p3d4c2u-option-d-base-table-field-allowlist-implementation-report.md

Verdict

REV3 REQUIRED — do not dispatch rev2.

Rev2 correctly applies most GPT patches from rev1, but it introduces a critical field-classification error: it treats safe_payload, correlation_id, and causation_id as whitelist/safe fields. Prior P3D4C2U Option D evidence shows these fields are unsafe / excluded from the Public Access permission allowlist and were explicitly blocked with HTTP 403.

This must be patched before Agent dispatch.

Critical evidence from Option D implementation report

The earlier P3D4C2U Option D report states permission #1483 allowed fields are exactly:

id
occurred_at
created_at
event_domain
event_type
event_stream
delivery_lane
event_severity
event_subject_table
event_subject_ref
canonical_address
actor_ref
source_system
payload_classification

It also states unsafe field smoke results:

safe_payload → HTTP 403
correlation_id → HTTP 403
causation_id → HTTP 403 (also absent from schema)

Therefore, rev2 is wrong where it says:

Whitelist — safe fields:
id, created_at, event_type, correlation_id, causation_id, safe_payload

safe_payload, correlation_id, and causation_id must be in the deny/probe list, not whitelist.

Required rev3 patches

P1 — Correct whitelist / denylist definitions

Replace the Field schema reference with:

Permission #1483 expected allowlist:
id, occurred_at, created_at, event_domain, event_type, event_stream,
delivery_lane, event_severity, event_subject_table, event_subject_ref,
canonical_address, actor_ref, source_system, payload_classification

Registry row expected fields (DirectusTable config, id auto-added by component):
occurred_at, event_domain, event_type, event_stream, delivery_lane,
event_severity, event_subject_table, event_subject_ref, canonical_address,
actor_ref, source_system, payload_classification, created_at

Known unsafe / explicitly denied probes:
safe_payload, correlation_id, causation_id, payload, body, raw_payload,
vector, embedding, secret, token, password, ssn, personal_data,
payload_raw, internal_*, admin_only

Do not call safe_payload safe in this public route context.

P2 — Fix Phase 0D permission check

Phase 0D should require permission #1483 fields to match or be safely narrower than the known allowlist above.

It must confirm fields do not contain:

safe_payload
correlation_id
causation_id

as well as the other denylist fields.

Report:

permission_allowed_fields=<list>
permission_matches_option_d_allowlist=true|false
permission_excludes_safe_payload=true
permission_excludes_correlation_id=true
permission_excludes_causation_id=true

P3 — Fix Phase 2C HTML unsafe scan

Add the three known unsafe fields to the critical HTML denylist:

safe_payload|correlation_id|causation_id

If any of these appear in the rendered route body as a field/column key, classify as FAIL_CRITICAL_SECURITY.

P4 — Fix Phase 2D runtime API deny smoke

Rev2 currently treats safe_payload,correlation_id,causation_id as a “safe field request”. This is wrong.

Patch runtime API checks:

• Safe request should use only known allowed fields, e.g.:

fields=id,occurred_at,event_domain,event_type,payload_classification

• Unsafe request(s) should explicitly test:

fields=safe_payload
fields=correlation_id
fields=causation_id

Expected for unsafe requests: HTTP 403 / denied / field not allowed.

Report:

runtime_field_allow_safe_test_status=<HTTP|N/A>
runtime_field_deny_safe_payload_status=<HTTP|N/A>
runtime_field_deny_correlation_id_status=<HTTP|N/A>
runtime_field_deny_causation_id_status=<HTTP|N/A>
runtime_known_unsafe_fields_denied=true|false|SKIPPED_NO_PUBLIC_TOKEN

P5 — Remove wording “safe_payload” as safe anywhere

Search the rev2 prompt and remove/replace any wording implying safe_payload is safe for Public route display.

safe_payload may be a safe internal payload concept in other contexts, but P3D4C2U Option D Public Access table exposure explicitly excludes it. For this pack, it is unsafe / denied.

P6 — Ensure table_registry fields match Option D report

The prompt should verify table_registry id=21 fields are the 13 fields from the Option D report, not a guessed set.

Expected registry fields:

occurred_at
event_domain
event_type
event_stream
delivery_lane
event_severity
event_subject_table
event_subject_ref
canonical_address
actor_ref
source_system
payload_classification
created_at

If table_registry includes safe_payload, correlation_id, or causation_id, STOP REGISTRY_FIELDS_UNSAFE_DRIFT before publishing.

P7 — Keep rev2 improvements

Do not remove the good rev2 patches:

• SSR marker informational;
• notification_display_checkpoint wording;
• permission column split;
• PG check optional;
• DOT not found acceptable;
• no auto rollback;
• PASS_HTTP_ONLY_WITH_INCONCLUSIVE_MARKERS;
• runtime field deny smoke;
• no Directus/PG/schema/Nuxt/deploy mutations outside the 1-row publish.

Directive to Opus

Patch prompt rev3 at:

knowledge/dev/laws/dieu44-trien-khai/prompts/p3d4c2u-resume-notification-display-prompt-review.md

Patch narrowly. Do not dispatch after patch. Return for GPT/User review.

If session transfer is needed

Use this document as the handoff basis. The key point is:

Rev2 is blocked because it misclassified safe_payload/correlation_id/causation_id as safe whitelist fields. Option D report proves they are denied/unsafe for Public Access exposure.

Current status

p3d_resume_prompt_current_rev=2
p3d_resume_prompt_rev3_required=true
agent_dispatch_allowed=false
D28_chain_status=PASS
production_image=nuxt-ssr-local:d2db418
tbl_event_outbox.status=draft
notification_display_checkpoint=paused/unblocked_pending
critical_blocker=FIELD_CLASSIFICATION_MISMATCH_WITH_OPTION_D_REPORT

Final status

opus_review=ACCEPTED_WITH_CRITICAL_PATCH
next_action=OPUS_PATCH_P3D4C2U_RESUME_PROMPT_REV3