Fix Permissions 403 Report

Date: 2026-03-07 Mission: FIX-PERMISSIONS-403

Investigation

meta_catalog permissions

• Public READ: Already had fields: ["*"] via policy abf8a154-... (id=339)
• AI Agent CRUD: Already had fields: ["*"] via policy e81a70bc-... (ids 330-333, 405-408)
• The 3 new fields (actual_count, orphan_count, last_scan_date) were covered by ["*"]
• Result: Permissions were NOT the issue on meta_catalog

checkpoint_sets and checkpoint_set_items

• Both already had public READ permissions
• Verified: public API returns data correctly

/knowledge/registries page

• Returns HTTP 200 with correct content
• Layer 2 pages (/knowledge/registries/dot_tool, /knowledge/registries/collection) also 200

Root cause

• The 403 may have been a transient cache issue, or the user tested before deploy completed
• All permissions were correctly set by the original PR #455

Actions Taken

1. Registered 6 orphans

• DOT-094 dot-flow-setup-auto-id
• DOT-095 dot-orphan-scan
• DOT-096 dot-registry-diff
• DOT-097 dot-schema-checkpoint-node-identity
• PG-036 web/pages/knowledge/registries/[entityType].vue
• PG-037 web/pages/knowledge/registries/[entityType]/[id].vue

2. Auto-ID flow issue discovered

• Auto-ID flows use type=exec (isolated-vm) which crashes on Directus 11.5.1
• Workaround: temporarily disabled flows, created items with explicit codes, re-enabled
• This is a known tech debt (TD-077 pattern)

3. Orphan scan re-run

• Coverage: 100.0% (399/399 entities registered, 0 orphans)
• Report uploaded to Agent Data

Verification

• /knowledge/registries returns 200
• meta_catalog API returns all fields including new ones
• checkpoint_sets public read works
• checkpoint_set_items public read works
• Layer 2 pages load correctly
• CI GREEN on main
• 0 orphans after registration