KB-1087

GPT Review — P10B-2B D28 Package Generation Prompt v0.1

Revision 1

Date: 2026-04-29

Verdict

DO NOT DISPATCH YET — patch required.

The prompt is directionally correct and has no conceptual conflict with the Constitution / laws after patch. However, it contains one critical input-certainty flaw and several precision gaps.

Relevant constraints from KB / context-pack red zones:

  • No case-dispatch per section.
  • No built-in renderer fallback.
  • No ALTER TABLE / DDL.
  • No manual mutation outside approved gates.
  • Zero Trust: if input is not certainly right, it is wrong.

P10B-2B is read-only package generation, so the scope is acceptable if the prompt is patched.

Blockers / required patches

B1 — Critical: candidate-units-r2.json location is not guaranteed

The prompt assumes:

/tmp/p10b-2a-r2/candidate-units-r2.json

But the Agent report for R2 said it ran from a local Mac and that only ephemeral /tmp/p10b-2a-r2/* files were created. P10B-2B targets the VPS/DB and cannot assume that the local /tmp file exists on the same host.

Patch:

  • Do not treat /tmp/p10b-2a-r2/candidate-units-r2.json as canonical.
  • Canonical input must be the KB report: knowledge/dev/laws/dieu38-trien-khai/reports/p10b-2a-d28-hash-r2-evidence-2026-04-29.md.
  • Agent must reconstruct/export candidate-units-r2.json from the KB report only if the report includes full body for all 27 units; otherwise STOP and request the JSON artifact upload.
  • Better: require a separate KB artifact path for candidate-units-r2.json, or embed full JSON in the report. No package generation from missing /tmp file.

B2 — Require full-body availability check before SQL generation

P10B-2B must not generate SQL from hash/excerpt only.

Patch:

  • Verify candidate JSON has full body for all 27 units.
  • Verify every body SHA equals R2 per-unit hash.
  • Verify JSON SHA equals e47775e33cc752656468edb287cca7b58539804678443b6c1b1dd03b165de8ad.
  • If full bodies are not available, STOP. Do not re-segment source and do not infer body boundaries.
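
A fail-closed form of the B2 gate, as an added example (not part of the reviewed prompt or the project's code). The field names unit_id and body, the function names, and the use of SHA-256 over UTF-8 body bytes are assumptions; the 64-hex digest above is consistent with SHA-256 but the page only says "SHA". The sample data is constructed and uses 2 units instead of 27.

```python
import hashlib
import json

class StopDispatch(Exception):
    """Raised when any input check fails; the caller must not generate SQL."""

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_candidate_units(raw: bytes, pinned_json_sha: str,
                           per_unit_sha: dict, expected_count: int) -> list:
    """Return the parsed units only if every check passes; otherwise raise."""
    # 1. File-level hash over the exact bytes received, before any parsing.
    if sha256_hex(raw) != pinned_json_sha:
        raise StopDispatch("JSON SHA does not match the pinned value")
    units = json.loads(raw)
    # 2. Unit count and id set must match the evidence report exactly.
    if len(units) != expected_count:
        raise StopDispatch(f"expected {expected_count} units, got {len(units)}")
    ids = [u.get("unit_id") for u in units]
    if len(set(ids)) != len(ids) or set(ids) != set(per_unit_sha):
        raise StopDispatch("unit ids differ from the evidence report")
    for u in units:
        body = u.get("body")
        # 3. Full body required: a hash or an excerpt alone is not enough.
        if not isinstance(body, str) or not body.strip():
            raise StopDispatch(f"{u['unit_id']}: full body missing")
        # 4. Per-unit hash over the body bytes, with no normalisation.
        if sha256_hex(body.encode("utf-8")) != per_unit_sha[u["unit_id"]]:
            raise StopDispatch(f"{u['unit_id']}: body SHA mismatch")
    return units

def _sample():
    # Constructed sample: ids and bodies are made up for illustration.
    bodies = {"UNIT-A": "| col | val |\n|---|---|\n",
              "UNIT-B": "```sql\nSELECT 1;\n```\n"}
    raw = json.dumps([{"unit_id": k, "body": v} for k, v in bodies.items()]).encode()
    hashes = {k: sha256_hex(v.encode("utf-8")) for k, v in bodies.items()}
    return raw, sha256_hex(raw), hashes

def check(raw, pinned, hashes, count) -> str:
    """Map the gate result to the review's vocabulary: OK or STOP."""
    try:
        verify_candidate_units(raw, pinned, hashes, count)
        return "OK"
    except StopDispatch as exc:
        return f"STOP: {exc}"

if __name__ == "__main__":
    print(check(*_sample(), 2))
```

The file-level hash is checked on the raw bytes before parsing, so a re-serialised or re-exported JSON with identical content but different byte layout is also rejected.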

B3 — Strengthen SQL literal/body safety

Đ28 contains SQL fences, markdown tables, pipes, quotes, and special characters.

Patch:

  • Generator must use a safe SQL literal escaping function for all text fields.
  • Report the escaping method.
  • Include a body preservation check: count code fences and markdown table rows in candidate JSON vs generated SQL/report, or at least sample S3-P2/S3-P3.
  • No manual edits after generation.

B4 — Clarify generated SQL transaction terminator pattern

D32 PF found that COMMIT and ROLLBACK were both commented out. For Đ28, the package must explicitly report the ending pattern.

Patch:

  • Generated insert SQL must end with both decision lines commented, same as D32, or clearly documented.
  • Report exact tail lines.
  • P10B-2C-PF will inspect before execute.

B5 — Full hardcode audit must inspect helper scripts, not only grep narrow patterns

Patch:

  • Inspect all .py/.sh helper scripts.
  • Allowed: JSON data contains D38-DIEU28-*.
  • Not allowed: arrays/case-dispatch in logic such as Roman numeral lists, if section ==, or manual unit arrays.
  • Report audit method and findings.

Direction to Opus

Patch P10B-2B prompt v0.1 → v0.2 with B1–B5.

Most important: solve the canonical JSON input problem before dispatch.

After patch, if the prompt requires Agent to fetch candidate JSON from KB/report and verify full body + SHA before generation, it may be marked GPT AUTHORIZED.

No SQL execution. No INSERT. No mutation.