KB-2CC0

GPT Review — Trigger Guard DROP Repair Gate Option A+

Revision 1

Date: 2026-04-28

Verdict

NEEDS PATCH before dispatch.

The selected fix path is correct: Option A+ is the right direction. However, the execution prompt needs several safety/precision patches before sending to an agent.

What is correct

  • Fixing fn_evt_trigger_guard_drop() is the right next step before Gate B/C.
  • Option A+ is preferred:
    • use object_identity instead of nullable object_name;
    • use COALESCE fallback;
    • schema-qualify public.trigger_guard_alerts;
    • lock search_path = pg_catalog, public;
    • set security mode by DB parity.
  • Scope is properly limited: no Gate B/C, no TAC data mutation, no roles/permissions.

Required patches

1. Specify DB execution role/path

The prompt does not state which DB role should run CREATE OR REPLACE FUNCTION. The functions are owned by workflow_admin, so execution role matters.

Patch:

  • Reuse the exact successful execution path from p9-g6-trigger-guard-repair-option-a-log-2026-04-28.md if available.
  • Pre-check current_user/current_database for both DBs.
  • Verify the executor can alter public.fn_evt_trigger_guard_drop(); if not, STOP and report. Do not guess credentials or ask User for secrets.

2. Use unique smoke-test object names

The current smoke test uses fixed names:

  • public.tg_drop_smoke_test
  • public.fn_tg_drop_smoke_test()
  • trg_tg_drop_smoke_test

Patch to unique names with timestamp/run id per DB, e.g.:

  • tg_drop_smoke_<db>_<yyyymmddhhmmss>
  • fn_tg_drop_smoke_<db>_<yyyymmddhhmmss>
  • trg_tg_drop_smoke_<db>_<yyyymmddhhmmss>

Pre-check that the names do not exist. Post-check that residue = 0.

3. Avoid blind rollback to known-defective source

The rollback section restores the old defective source. This should be a last resort only.

Patch:

  • Snapshot full function definition and metadata using pg_get_functiondef(oid), owner, security mode, proconfig.
  • Rollback only if mutation or post-verify fails in a way that leaves the guard worse than before.
  • If mutation succeeds but smoke fails due to an executor permission or test artifact issue, STOP and report instead of blindly restoring the defective source.
  • Prefer forward fix over rollback to known-bad behavior.
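
The pre-check from patch 1 and the snapshot from patch 3 can be captured with read-only catalog queries, run once per DB before any mutation. This is an added example, not taken from the repair prompt or its logs; it assumes the function takes no arguments and is bound to an event trigger, and the output column aliases are illustrative.

```sql
-- Added example: read-only pre-check and snapshot, run per database
-- (directus, incomex_metadata) before CREATE OR REPLACE FUNCTION.
-- Assumption: public.fn_evt_trigger_guard_drop() has no arguments.

-- 1. Record who is executing and where, for the per-DB action log.
SELECT current_user, session_user, current_database();

-- 2. Snapshot the function definition and the metadata that must survive
--    the repair: owner, security mode, proconfig (e.g. search_path).
SELECT p.oid,
       n.nspname                     AS schema_name,
       p.proname                     AS function_name,
       pg_get_userbyid(p.proowner)   AS owner,
       CASE WHEN p.prosecdef
            THEN 'SECURITY DEFINER'
            ELSE 'SECURITY INVOKER'
       END                           AS security_mode,
       p.proconfig                   AS proconfig,  -- NULL when no SET clause
       -- Replacing a function requires ownership. This is true when the
       -- current role is the owner, holds the owner's privileges through
       -- role membership, or is a superuser. If false: STOP and report.
       pg_has_role(p.proowner, 'USAGE') AS executor_can_replace,
       pg_get_functiondef(p.oid)     AS full_definition
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.proname = 'fn_evt_trigger_guard_drop';

-- 3. Snapshot the event trigger(s) bound to the function, so the
--    post-verify can confirm the guard is still attached and enabled.
--    Assumption: the guard is wired up as an event trigger.
SELECT e.evtname,
       e.evtevent,
       e.evtenabled,                 -- 'D' means disabled
       e.evttags,
       pg_get_userbyid(e.evtowner)   AS trigger_owner
FROM pg_event_trigger e
JOIN pg_proc p      ON p.oid = e.evtfoid
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE n.nspname = 'public'
  AND p.proname = 'fn_evt_trigger_guard_drop';
```

Store the output of query 2 in the action log for each DB; after the repair, rerunning it should show the same owner and the intended security mode and proconfig.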

4. Clarify multi-DB failure handling

Two DBs are independent. Patch:

  • Execute and verify per DB.
  • If directus succeeds and incomex_metadata fails, do not automatically roll back directus; report the split state unless the failure is caused by the shared patch logic and GPT/User explicitly chooses rollback.
  • Action log must show per-DB status.

5. Smoke test transaction/residue policy

Smoke test creates and drops temp objects in public. Patch:

  • Use one transaction per DB if possible.
  • If any smoke step fails, attempt cleanup of only smoke objects created by this run.
  • Verify no smoke table/function/trigger remains.
  • Do not delete audit rows created by smoke; keep them as evidence and record IDs.

6. Add secret hygiene and no-overwrite report policy

Patch action log section:

  • secret hygiene scan before upload;
  • no overwrite; if path exists, suffix -run2 or timestamp.

Law / governance assessment

  • ALTER FUNCTION is DDL and requires a governed execution gate and User GO.
  • Repair preserves trigger guard infrastructure under Đ26/Đ31; it does not disable or bypass the guard.
  • No conflict with the Hiến pháp (Constitution) if the mutation is limited to the guard repair and logged.
  • Do not proceed to Gate B until this repair is PASS or GPT/User explicitly accepts proceeding with the known DROP rollback blocker.

Next direction

Opus should patch the repair prompt with the six items above, then present the patched prompt for final review. Do not dispatch yet.