KB-5E06

Dieu 38 P-A Fix Manual Report

Revision 1

Date: 2026-04-02 | Session: S157

BEFORE ROLLBACK (Evidence)

  • 3 manual species: SPE-NRM (normative), SPE-NRC (normative_config), SPE-NRR (normative_relation)
  • 5 species_collection_map entries (manual)
  • 33 directus_permissions entries (manual)
  • collection_registry: COL-148 (normative_registry), COL-154-157 (4 new) — all governance_role='governed'
  • Directus collections: 5 registered via API
  • schema_birth_registry: table does not exist (birth records stored elsewhere)

ROLLBACK (Cleanup exception — Dieu 37 §10 precedent, will not repeat)

  • DELETE 5 species_collection_map entries
  • DELETE 3 entity_species (SPE-NRM, SPE-NRC, SPE-NRR) — verified 0 other mappings first
  • DELETE 33 directus_permissions
  • DELETE 1 system_issue (locked config conflict)
  • UPDATE species_code: normative→law (normative_registry), normative_config/normative_relation→governance_infra (4 others)
  • Directus collections: KEPT (registration via API was correct procedure, just wrong governance_role)
  • collection_registry entries: KEPT (needed for governance)

ROOT FIX: governance_role 'locked'

  • UPDATE governance_role='locked' for: binding_registry, nrm_doc_type_config, nrm_approval_rules
  • Health script v2.2.0:
    • Governance warning: 4 roles recognized (governed/observed/excluded/locked)
    • H15a (read): includes locked (read-only viewable)
    • H15b (create): governed+observed only (locked SKIPPED)
    • H15c (update): governed only (locked SKIPPED)
    • H17 (no DELETE): governed+locked (locked also protected)
  • PRs: #665 (locked support), #666 (H15a read for locked)

ONBOARD VIA DOT

  • dot-collection-create: CANNOT use — exits with error "Table already exists" (line 117). No --skip-create-table option.
  • TD (high priority): dot-collection-create needs --skip-create-table for onboarding existing PG tables
  • TD: dot-collection-create needs --governance-role locked support
  • Alternative: dot-collection-health H15+H16+H17 auto-healed permissions + species for existing collections

VERIFY

Health run 1:

  • H14: PASS (FK ok)
  • H15: 15 read gaps auto-fixed (3 locked × 5 policies). 0 create, 0 update for locked.
  • H16: species mapped (normative_registry→law, normative_relations→governance_infra)
  • H17: PASS (0 DELETE)

Health run 2 (idempotent):

  • H14: PASS, H15: PASS, H17: PASS
  • 0 auto-fixes — fully idempotent

Permissions (7a/7b/7c):

  • 7a: governed = create,read,update ✅
  • 7b: locked = read ONLY ✅
  • 7c: 0 DELETE on all 5 ✅
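
The role-to-permission rules listed for the health script (H15a/H15b/H15c/H17) and checked in 7a/7b/7c can be written as a small audit, shown here as an added example that is not the dot-collection-health script. It covers only the governed and locked roles; the function names, the policy ids and the report-only handling of violations are assumptions.

```python
# Added illustration, not the project's health script. All names are hypothetical.
# Expected actions per governance_role, limited to the two roles the report verifies
# (7a: governed = create, read, update; 7b: locked = read only; 7c: no delete).
EXPECTED = {"governed": {"create", "read", "update"}, "locked": {"read"}}


def audit(roles, policies, perms):
    """Return (gaps, violations) as sorted lists of (policy, collection, action).

    roles:    {collection: governance_role}
    policies: iterable of policy ids
    perms:    set of (policy, collection, action) rows currently present
    """
    gaps, violations = [], []
    for coll, role in roles.items():
        expected = EXPECTED.get(role)
        if expected is None:  # observed/excluded are out of scope for this sketch
            continue
        for pol in policies:
            have = {a for (p, c, a) in perms if p == pol and c == coll}
            # Missing rows are gaps (what an H15-style pass would add).
            gaps += [(pol, coll, a) for a in expected - have]
            # Extra rows are violations: delete anywhere (H17), or
            # create/update on a locked collection (H15b/H15c skip locked).
            violations += [(pol, coll, a) for a in have - expected]
    return sorted(gaps), sorted(violations)


def heal(perms, gaps):
    """Add the missing rows only; violations are reported, never granted (assumption)."""
    return set(perms) | set(gaps)


# Constructed sample: the 3 locked collections named in the report and
# 5 placeholder policy ids (the real policy ids are not on the page).
ROLES = {"binding_registry": "locked", "nrm_doc_type_config": "locked",
         "nrm_approval_rules": "locked"}
POLICIES = [f"policy-{i}" for i in range(1, 6)]

if __name__ == "__main__":
    gaps, bad = audit(ROLES, POLICIES, set())
    print(f"run 1: {len(gaps)} gaps, {len(bad)} violations")
    healed = heal(set(), gaps)
    gaps2, bad2 = audit(ROLES, POLICIES, healed)
    print(f"run 2: {len(gaps2)} gaps, {len(bad2)} violations")
```
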

TD (DOT upgrade needs)

  1. dot-collection-create: add --skip-create-table for onboarding existing tables
  2. dot-collection-create: add --governance-role locked
  3. H16 species: 25 governed collections with NULL species_code (pre-existing, not from P-A)

CONCLUSION

P-A Fix: DONE

  • Manual species/permissions ROLLED BACK
  • governance_role 'locked' IMPLEMENTED (root fix)
  • Health auto-heals correctly for governed + locked
  • Idempotent: 0 conflicts on 2nd run
  • Permissions verified: governed=CRU, locked=R, all=no DELETE