KB-6052

GPT Review — P10B-2C-PF D28 Prompt v0.1

Revision 1
Tags: s188, p10b, p10b-2c-pf, d28, prompt-review, needs-patch

Date: 2026-04-29

Verdict

Almost approved — patch before dispatch.

The prompt's scope is correct: file-only inspection, no SQL execution, no DB connection. However, D28 unit bodies contain SQL code blocks, so the regex-based SQL scans must not report keywords found inside dollar-quoted body literals as findings.

Required patches

P1 — Verify candidate JSON too

PF reads /tmp/p10b-2b/candidate-units-r2.json for the dollar-quoting inspection, but T1 verifies only the 4 SQL files, leaving that JSON input unverified.

Add a SHA-256 check for:

/tmp/p10b-2b/candidate-units-r2.json

Expected SHA-256:

e47775e33cc752656468edb287cca7b58539804678443b6c1b1dd03b165de8ad

P2 — Destructive command scan must ignore dollar-quoted body literals

The current regex strips comments but still sees SQL keywords inside the markdown/code bodies carried in dollar-quoted literals. Because D28 bodies include SQL code blocks, false positives are likely.

Patch T4:

  • Strip SQL comments.
  • Also strip dollar-quoted literals, especially $body$...$body$, before scanning for ALTER/DROP/TRUNCATE/UPDATE/DELETE.
  • Allow ON COMMIT DROP for temp tables.
  • Fail only if destructive commands appear in actual outer SQL statements, not inside body text.

P3 — INSERT count should also ignore dollar-quoted body literals

Less risky than the destructive scan, but for correctness count INSERTs on the same sanitized SQL (comments removed, dollar-quoted body literals replaced with a placeholder), so that INSERT statements quoted inside body text are not counted.

P4 — Dollar delimiter safety must scan both JSON bodies and generated SQL delimiter use

T5 should verify:

  1. No JSON body contains the literal $body$.
  2. Generated SQL uses $body$ (or the declared delimiter) consistently.
  3. The S3-P3 body, which contains $$, does not conflict with the $body$ delimiter.
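The sanitizer and checks that P2, P3 and P4 call for, as an added Python example; this is not code from the prompt, from D28 or from this review. The sample SQL, the candidate-units JSON and the unit ids (u1, u2, u3) are constructed here and are not the D28 files. It goes one step beyond the review's list by also replacing single-quoted strings, since a keyword inside 'text' is an equally false positive.

```python
import json
import re

# Constructed sample of a generated SQL file in the shape the review describes:
# outer statements plus $body$-quoted unit bodies that themselves contain SQL
# text. This is NOT the real D28 file.
SAMPLE_SQL = """-- staging load (constructed sample, not the real D28 file)
CREATE TEMP TABLE stage_units (id text, body text) ON COMMIT DROP;
/* a block comment mentioning DROP TABLE must not trip the scan */
INSERT INTO stage_units VALUES ('u1', $body$
# Unit 1
sql:
  DROP TABLE legacy;          -- inside the body: must be ignored
  INSERT INTO foo VALUES (1); -- inside the body: not an outer INSERT
$body$);
INSERT INTO stage_units VALUES ('u2', $body$uses $$ inside text$body$);
INSERT INTO units SELECT id, body FROM stage_units;
"""

# Constructed candidate-units JSON (not the real candidate-units-r2.json).
# u3 is deliberately bad: its body contains the delimiter itself.
SAMPLE_UNITS_JSON = json.dumps([
    {"id": "u1", "body": "# Unit 1\nsql:\n  DROP TABLE legacy;"},
    {"id": "u2", "body": "uses $$ inside text"},
    {"id": "u3", "body": "bad $body$ here"},
])
SAMPLE_UNITS = json.loads(SAMPLE_UNITS_JSON)

DOLLAR_TAG = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)?\$")      # $$ or $tag$
DESTRUCTIVE = re.compile(r"\b(ALTER|DROP|TRUNCATE|UPDATE|DELETE)\b", re.IGNORECASE)
ON_COMMIT_DROP = re.compile(r"\bON\s+COMMIT\s+DROP\b", re.IGNORECASE)
INSERT_INTO = re.compile(r"\bINSERT\s+INTO\b", re.IGNORECASE)


def _newlines(text: str) -> str:
    """Keep the line count of removed text so hits can still be reported by line."""
    return "\n" * text.count("\n")


def sanitize(sql: str) -> str:
    """Replace comments, single-quoted strings and dollar-quoted literals (any tag:
    $$, $body$, ...) with placeholders so only the outer SQL remains to scan.
    A $$ inside a $body$ literal is consumed as body text, not as a delimiter."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql.startswith("--", i):                    # line comment: drop to EOL
            j = sql.find("\n", i)
            i = n if j == -1 else j                    # the newline itself is kept
        elif sql.startswith("/*", i):                  # block comment
            j = sql.find("*/", i + 2)
            if j == -1:
                raise ValueError("unterminated block comment")
            out.append(_newlines(sql[i:j]))
            i = j + 2
        elif sql[i] == "'":                            # string literal; '' escapes a quote
            j = i + 1
            while True:
                j = sql.find("'", j)
                if j == -1:
                    raise ValueError("unterminated string literal")
                if sql.startswith("''", j):
                    j += 2
                    continue
                break
            out.append("'<str>'" + _newlines(sql[i:j]))
            i = j + 1
        elif (m := DOLLAR_TAG.match(sql, i)):          # dollar-quoted literal
            delim = m.group(0)
            j = sql.find(delim, m.end())
            if j == -1:
                raise ValueError(f"unterminated {delim} literal")
            out.append(f"{delim}<body>{delim}" + _newlines(sql[i:j]))
            i = j + len(delim)
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def destructive_hits(sql: str) -> list:
    """P2: (line, keyword) for destructive commands in the outer SQL only.
    ON COMMIT DROP on temp tables is allowed, as the review specifies."""
    clean = ON_COMMIT_DROP.sub("ON COMMIT <ok>", sanitize(sql))
    return [(clean.count("\n", 0, m.start()) + 1, m.group(1).upper())
            for m in DESTRUCTIVE.finditer(clean)]


def insert_count(sql: str) -> int:
    """P3: count INSERT INTO statements in the outer SQL only."""
    return len(INSERT_INTO.findall(sanitize(sql)))


def delimiter_checks(units: list, sql: str, delim: str = "$body$") -> list:
    """P4: no body may contain the delimiter, and the generated SQL must quote with
    that delimiter only. Returns a list of problems; an empty list is a pass."""
    problems = [f"{u['id']}: body contains literal {delim}"
                for u in units if delim in u["body"]]
    used = {m.group(0) for m in DOLLAR_TAG.finditer(sanitize(sql))}
    extra = sorted(used - {delim})
    if extra:
        problems.append(f"unexpected dollar delimiters in SQL: {extra}")
    return problems
```

On the constructed sample, destructive_hits returns nothing (the DROP inside the body and the one in the block comment are gone, and ON COMMIT DROP is allowed), insert_count returns 3 where a raw regex over the file would count 4, and delimiter_checks flags only u3. An unterminated literal raises rather than silently passing, which is the safer failure for a gate that decides dispatch.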

Direction to Opus

Patch the prompt to v0.2 with P1–P4. Once patched, dispatch is approved; no further GPT review is required provided only these exact changes are made.

Scope remains: file-only inspection, no SQL execution, STOP after report.