KB-3E0F

AgentData GPT Connector SSL/API Gateway Investigation - 2026-05-13


Date: 2026-05-13 12:11-12:15 +07
Agent: Codex
Scope: vps_incomexsaigoncorp_vn__jit_plugin, AgentData REST/MCP, OPS proxy, TLS gateway

Short conclusion

SSL is not the direct cause.

Live TLS evidence:

  • Certificate is still valid: notAfter=Jul 30 00:04:05 2026 GMT.
  • SAN matches: DNS:directus.incomexsaigoncorp.vn, DNS:ops.incomexsaigoncorp.vn, DNS:vps.incomexsaigoncorp.vn.
  • Chain is complete: leaf vps.incomexsaigoncorp.vn -> Let's Encrypt E7 -> ISRG Root X1.
  • OpenSSL: Verify return code: 0 (ok).

Most likely root cause: the GPT connector/action wrapper is calling with the wrong method or the wrong schema relative to the live REST/OpenAPI:

  • healthCheck must be GET /api/health; HEAD returns 405 Method Not Allowed.
  • REST searchKnowledge uses top_k, not limit; sending limit returns 422.
  • REST createDocument requires document_id, parent_id, content{mime_type,body}, metadata{title,tags}; the old flat payload path/title/content/tags returns 422.
  • The MCP schema, by contrast, uses search_knowledge(limit) and upload_document(path, content), so if the GPT wrapper mixes the MCP schema with the REST OpenAPI it will raise ClientResponseError.

Actual endpoints

From .mcp.json:

agent-data MCP URL = https://vps.incomexsaigoncorp.vn/api/mcp

From the live OpenAPI:

title = Incomex Knowledge Hub API
version = 1.2.0
x-connector-schema-version = gpt-agent-data-2026-05-12.1
x-connector-schema-hash = aaec3d401df2
server = https://vps.incomexsaigoncorp.vn/api
paths = /chat, /documents, /health, /kb/list

OPS endpoint:

server = https://ops.incomexsaigoncorp.vn
title = Incomex OPS Proxy - Multi-Collection API
paths include /items/tasks, /items/task_comments, /items/ai_tasks

Evidence

Steps 0-1: skill + knowledge rules

Read:

  • .claude/skills/incomex-rules.md: 36 items, 8 steps.
  • search_knowledge("operating rules SSOT"): returned knowledge/dev/ssot/operating-rules.md, v7.58, 2026-05-01.
  • search_knowledge("hien phap v4.0 constitution"): returned knowledge/dev/laws/constitution.md, metadata v4.6.3.
  • search_knowledge("law API gateway SSL reverse proxy Agent Data connection Directus Agent Data Qdrant"): returned knowledge/dev/ssot/agent-data/index.md, knowledge/dev/ssot/data-connection-law.md, Directus/connection SSOT.

TLS: curl -Iv https://vps.incomexsaigoncorp.vn/api/health

Note: -I sends HEAD, so HTTP layer returns 405; TLS still verifies OK.

* Connected to vps.incomexsaigoncorp.vn (38.242.240.89) port 443
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* Server certificate:
*  subject: CN=vps.incomexsaigoncorp.vn
*  start date: May  1 00:04:06 2026 GMT
*  expire date: Jul 30 00:04:05 2026 GMT
*  subjectAltName: host "vps.incomexsaigoncorp.vn" matched cert's "vps.incomexsaigoncorp.vn"
*  issuer: C=US; O=Let's Encrypt; CN=E7
*  SSL certificate verify ok.
< HTTP/1.1 405 Method Not Allowed
< allow: GET

TLS: openssl s_client -connect vps.incomexsaigoncorp.vn:443 -servername vps.incomexsaigoncorp.vn -showcerts

depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=E7
verify return:1
depth=0 CN=vps.incomexsaigoncorp.vn
verify return:1
Certificate chain
 0 s:CN=vps.incomexsaigoncorp.vn
   i:C=US, O=Let's Encrypt, CN=E7
   v:NotBefore: May  1 00:04:06 2026 GMT; NotAfter: Jul 30 00:04:05 2026 GMT
 1 s:C=US, O=Let's Encrypt, CN=E7
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
Verification: OK
Verify return code: 0 (ok)

TLS dates/SAN

notBefore=May  1 00:04:06 2026 GMT
notAfter=Jul 30 00:04:05 2026 GMT
subject=CN=vps.incomexsaigoncorp.vn
issuer=C=US, O=Let's Encrypt, CN=E7
X509v3 Subject Alternative Name:
    DNS:directus.incomexsaigoncorp.vn, DNS:ops.incomexsaigoncorp.vn, DNS:vps.incomexsaigoncorp.vn

directus.incomexsaigoncorp.vn and ops.incomexsaigoncorp.vn also use this live cert; SAN matches.

API gateway: health GET

Command: curl -sS -D - https://vps.incomexsaigoncorp.vn/api/health

HTTP/1.1 200 OK
Server: nginx/1.29.5
x-request-id: 668e0d25-17c2-47ca-a991-f768bfd69f25

{"status":"healthy","version":"0.1.0","langroid_available":true,
"services":{"qdrant":{"status":"ok","latency_ms":11.8,"last_error":null},
"postgres":{"status":"ok","latency_ms":1.2,"last_error":null},
"openai":{"status":"ok","latency_ms":0.0,"last_error":null}},
"service_count":3,
"data_integrity":{"document_count":2823,"vector_point_count":5776,"ratio":2.05,"sync_status":"warning","embed_calls":10,"embed_tokens":8848},
"event_system":{"enabled":true,"webhooks_registered":0,"webhooks_active":0,"listeners":1,"events_logged":411}}

API gateway: listDocuments

No auth:

GET /api/kb/list?prefix=knowledge/current-state/reports&limit=2&offset=0
HTTP/1.1 401 Unauthorized
Server: nginx/1.29.5

With X-API-Key from local env:

HTTP/1.1 200 OK
x-request-id: 54856fcc-2f75-4e5b-b798-520fa64f8f0c

{"items":[
{"document_id":"knowledge/current-state/reports/README.md",...},
{"document_id":"knowledge/current-state/reports/agent-data-connectivity-check-gpt-2026-03-31.md",...}
],"count":405,"returned_count":2,"limit":2,"offset":0,"next_offset":2,"truncated":true}

API gateway: searchKnowledge schema mismatch

Wrong REST payload with limit:

POST /api/chat {"query":"connector SSL gateway diagnostic 2026-05-13","limit":2}
HTTP/1.1 422 Unprocessable Entity

{"detail":[{"type":"extra_forbidden","loc":["body","limit"],"msg":"Extra inputs are not permitted","input":2}]}

Correct REST payload with top_k:

POST /api/chat {"query":"connector SSL gateway diagnostic 2026-05-13","top_k":2}
HTTP/1.1 200 OK
x-request-id: 2beb1f66-1aea-452d-9dfe-5d99aac742bf

{"session_id":"a24c9ab5-48a2-440b-be19-771d1e394e9d","usage":{"latency_ms":341,"qdrant_hits":2}}

API gateway: createDocument schema mismatch

Wrong old/flat payload:

POST /api/documents?upsert=true
HTTP/1.1 422 Unprocessable Entity

{"detail":[
{"type":"missing","loc":["body","document_id"],"msg":"Field required"},
{"type":"model_attributes_type","loc":["body","content"],"msg":"Input should be a valid dictionary or object to extract fields from"},
{"type":"missing","loc":["body","metadata"],"msg":"Field required"}
]}

Correct payload:

{
  "document_id": "knowledge/current-state/reports/agentdata-gpt-connector-ssl-gateway-rest-diagnostic-2026-05-13.md",
  "parent_id": "knowledge/current-state/reports",
  "content": {"mime_type": "text/markdown", "body": "..."},
  "metadata": {"title": "...", "tags": ["agent-data","gpt-connector","ssl","gateway","diagnostic","2026-05-13"], "source": "codex-rest-diagnostic"}
}

Response:

HTTP/1.1 200 OK
x-request-id: df4cda2a-76a2-498e-93b5-d47aa354cc22

{"id":"knowledge/current-state/reports/agentdata-gpt-connector-ssl-gateway-rest-diagnostic-2026-05-13.md","status":"created","revision":1}

MCP endpoint

Command: GET https://vps.incomexsaigoncorp.vn/api/mcp

HTTP/1.1 200 OK
connector_schema_version: gpt-agent-data-2026-05-12.1
connector_schema_hash: 5f13902e975a
tools include:
- search_knowledge(query, limit)
- list_documents(path, limit, offset)
- upload_document(path, content, title, tags)

This differs from REST OpenAPI:

  • REST /chat uses top_k.
  • REST /kb/list uses prefix, not path.
  • REST /documents uses structured DocumentCreate.

OPS proxy

Command: GET https://ops.incomexsaigoncorp.vn/items/tasks?limit=1 with X-API-Key.

HTTP/1.1 200 OK
X-Powered-By: Directus

{"data_type":"array","data_len":1,"errors":null}

OPS OpenAPI:

https://ops.incomexsaigoncorp.vn
Incomex OPS Proxy - Multi-Collection API
/items/ai_tasks
/items/ai_tasks/{ai_task_id}
/items/task_comments
/items/task_comments/{comment_id}
/items/tasks
/items/tasks/{task_id}

Directus health:

GET https://directus.incomexsaigoncorp.vn/server/health
HTTP/1.1 200 OK
{"status":"ok"}

Reverse proxy / certificate renewal status

Repo Nginx config confirms:

ssl_certificate /etc/letsencrypt/live/vps.incomexsaigoncorp.vn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/vps.incomexsaigoncorp.vn/privkey.pem;
location ~ ^/api/(chat|kb/list|kb/get|ingest)(/.*)?$ -> agent_data_backend
location /api/ -> agent_data_backend

Local environment is not the VPS:

hostname = Nguyens-MacBook-Air.local
uname = Darwin ... arm64

Commands needing VPS sudo could not run from this local machine:

sudo certbot certificates -> sudo: a password is required
sudo nginx -t -> sudo: a password is required
sudo journalctl -u nginx --since '2 hours ago' -> sudo: a password is required

No renew/reload was executed. This is intentional: live cert is valid and recently issued (May 1 2026), so renewal/reload is not justified from current evidence.

Root cause

Most likely root cause: connector/action registry is stale or conflates MCP tool schema with REST OpenAPI schema.

Specific mismatch:

  • healthCheck: GPT may issue HEAD or stale MCP health tool; canonical REST action is GET /api/health.
  • searchKnowledge: GPT/action sends limit; REST accepts top_k. MCP accepts limit, but REST does not.
  • listDocuments: REST accepts prefix; MCP accepts path; stale REST path is explicitly rejected by contract.
  • createDocument: GPT/action likely sends MCP-style path/content/title/tags; REST endpoint requires document_id/parent_id/content object/metadata object.

This explains aiohttp.client_exceptions.ClientResponseError: aiohttp raises for 4xx/5xx if connector wrapper calls raise_for_status().
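The 422 detail body names the exact offending field, which the bare status code does not. The following triage helper is an added example, not code from the connector or the project; the function name triage and the finding strings are hypothetical, and the sample bodies are the ones captured in the evidence above.

```python
import json

def triage(status, headers, body):
    """Map one failed REST response to the connector fault it points at."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return ["auth: X-API-Key missing or rejected"]
    if status == 405:
        return [f"method: endpoint allows only {headers.get('allow', '?')}"]
    if status != 422:
        return [f"unclassified: HTTP {status}"]
    findings = []
    for err in json.loads(body).get("detail", []):
        field = ".".join(str(p) for p in err["loc"][1:])  # drop leading "body"
        if err["type"] == "extra_forbidden":
            findings.append(f"schema: remove '{field}', not in the REST schema")
        elif err["type"] == "missing":
            findings.append(f"schema: add required '{field}'")
        else:
            findings.append(f"schema: '{field}' has the wrong shape ({err['type']})")
    return findings

# Response bodies copied from the evidence in this report.
SEARCH_422 = '{"detail":[{"type":"extra_forbidden","loc":["body","limit"],"msg":"Extra inputs are not permitted","input":2}]}'
CREATE_422 = """{"detail":[
{"type":"missing","loc":["body","document_id"],"msg":"Field required"},
{"type":"model_attributes_type","loc":["body","content"],"msg":"Input should be a valid dictionary or object to extract fields from"},
{"type":"missing","loc":["body","metadata"],"msg":"Field required"}
]}"""

if __name__ == "__main__":
    for sample in [(405, {"allow": "GET"}, ""), (401, {}, ""),
                   (422, {}, SEARCH_422), (422, {}, CREATE_422)]:
        print(sample[0], triage(*sample))
```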

Actions taken

  • Read skill and required knowledge documents through AgentData MCP.
  • Confirmed actual AgentData endpoints from .mcp.json and live OpenAPI.
  • Verified TLS chain, expiry, SAN, and OpenSSL verify code.
  • Verified GET /api/health returns 200.
  • Verified that a protected endpoint returns 401 at Nginx without auth and 200 with X-API-Key.
  • Reproduced likely connector failure as 422 using wrong REST schemas.
  • Verified correct REST schemas for searchKnowledge and createDocument return 200.
  • Verified OPS proxy GET and Directus health return 200.
  • Created one diagnostic AgentData document via REST: knowledge/current-state/reports/agentdata-gpt-connector-ssl-gateway-rest-diagnostic-2026-05-13.md.

Actions requiring operator confirmation

No production SSL renewal is needed now.

Required fix should be in GPT connector/action wrapper registry:

  • Refresh/import live OpenAPI from https://vps.incomexsaigoncorp.vn/api/openapi.json.
  • Ensure healthCheck uses GET /api/health.
  • Ensure REST searchKnowledge sends top_k, not limit.
  • Ensure REST listDocuments sends prefix, not path.
  • Ensure REST createDocument sends structured DocumentCreate.
  • Do not mix MCP schema from /api/mcp with REST OpenAPI action schema.

If VPS-level confirmation is still required, run on VPS:

sudo certbot certificates
sudo certbot renew --dry-run
sudo nginx -t
sudo journalctl -u nginx --since "2 hours ago" --no-pager

Remaining risks

  • I could not inspect live VPS Certbot renewal status or Nginx/backend logs because this session is on a local Mac and sudo/VPS access was unavailable.
  • Data integrity health reports sync_status:"warning" with document_count=2823, vector_point_count=5776, ratio 2.05; this is not the SSL/GPT gateway blocker but should be tracked separately.
  • Static REST OpenAPI and MCP endpoint both report gpt-agent-data-2026-05-12.1, but their hashes differ (aaec3d401df2 vs 5f13902e975a) and schemas differ by design. GPT connector config must bind to the REST schema for REST actions.

OR / TD / handoff

OR update: No OR update is needed. This is an incident investigation; the root cause lies in the connector/action registry contract, not in a change to operating principles.

Technical debt recommended:

  • Add a scheduled connector-contract selftest that calls live REST actions with GPT/OpenAPI payloads: health, list, search, create dry-run/upsert diagnostic.
  • Add alert if live OpenAPI hash differs from connector registry hash currently imported into GPT.
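
An offline sketch of the two recommendations above, as an added example that is not the project's code: it lints planned connector calls against the REST contract observed in this report and classifies which schema hash the registry holds. The contract table lists only the fields this report shows (the live OpenAPI may define more), all names are hypothetical, and it assumes the connector registry records the advertised schema hash.

```python
# Added example: offline lint of planned connector calls. Names are hypothetical.
_DOC = {"document_id", "parent_id", "content", "metadata"}
# action -> (method, path, allowed body/query fields, required fields)
REST_CONTRACT = {
    "healthCheck": ("GET", "/health", set(), set()),
    "searchKnowledge": ("POST", "/chat", {"query", "top_k"}, {"query"}),
    "listDocuments": ("GET", "/kb/list", {"prefix", "limit", "offset"}, set()),
    "createDocument": ("POST", "/documents", _DOC, _DOC),
}
# MCP parameter names that the report shows REST spells differently.
MCP_TO_REST = {("searchKnowledge", "limit"): "top_k", ("listDocuments", "path"): "prefix"}
OBJECT_FIELDS = {"content", "metadata"}  # must be JSON objects in DocumentCreate

def lint_request(action, method, path, fields):
    """Return contract violations for one planned REST call (empty list = ok)."""
    want_method, want_path, allowed, required = REST_CONTRACT[action]
    findings = []
    if method.upper() != want_method:
        findings.append(f"method {method} not allowed, use {want_method}")
    if path != want_path:
        findings.append(f"path {path} should be {want_path}")
    for name in sorted(set(fields) - allowed):
        hint = MCP_TO_REST.get((action, name))
        findings.append(f"unknown field {name}" + (f", REST uses {hint}" if hint else ""))
    for name in sorted(required - set(fields)):
        findings.append(f"missing field {name}")
    for name in sorted(OBJECT_FIELDS & allowed & set(fields)):
        if not isinstance(fields[name], dict):
            findings.append(f"field {name} must be an object")
    return findings

def binding_status(imported_hash, rest_hash, mcp_hash):
    """Classify which schema the connector registry was imported from."""
    if imported_hash == rest_hash:
        return "rest"
    return "mcp" if imported_hash == mcp_hash else "stale"

# Constructed calls mirroring the failures reproduced in this report.
SAMPLE_CALLS = [
    ("healthCheck", "HEAD", "/health", {}),
    ("searchKnowledge", "POST", "/chat", {"query": "q", "limit": 2}),
    ("createDocument", "POST", "/documents",
     {"path": "a.md", "content": "text", "title": "t", "tags": []}),
    ("searchKnowledge", "POST", "/chat", {"query": "q", "top_k": 2}),
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        print(call[0], call[1], lint_request(*call) or "ok")
```

A scheduled job would run the same lint over the payloads the connector actually builds and alert when binding_status returns anything other than "rest".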