KB-60D4 rev 4

G8A — Directus Roles Readiness Design v0.3 — GPT PASS


Status: DRAFT v0.3, revised per G8A-0 probe results + GPT review (PASS)
Type: G8A (design/readiness), NOT G8B (execution)
Session: S185 | Date: 2026-04-28
P9 Gate: 10/12 PASS | Next: GPT review v0.3 → Production DDL/Collection gates → G8B execution gate → G11
Revision history: v0.1 (S184) → v0.2 (GPT R39 patch) → v0.3 (D11 model revision per probe, GPT PASS)


⚠️ DOC-ONLY — DOES NOT AUTHORIZE MUTATION

Do not create roles, create policies, assign permissions, provision tokens, or create collections.


1. Architecture Facts

1.1 Directus on PostgreSQL

Directus was migrated from MySQL to PostgreSQL (S115, 2026-03-13). Directus now runs on the same PostgreSQL instance as the tac_* tables (database directus).

→ The tac_* tables CAN be registered as Directus collections. G8 is feasible.

Note: the directus-architecture.md SSOT still records DB_CLIENT=mysql, which is outdated (pre-S115). Tracked as a separate doc cleanup issue; it does not block G8A.

1.2 Directus 11 Permission Model (G8A-0 Probe confirmed)

Version: 11.5.1 | Model: Policies (not legacy Permissions)

Legacy (v9/v10):   Role ──→ Permissions
Directus 11:       Role ──→ directus_access ──→ Policy ──→ Permissions
Layer      | Table                | Function
Role       | directus_roles       | Identity/group label; does NOT contain permissions
Policy     | directus_policies    | Carries the admin_access and app_access flags
Access     | directus_access      | Binding table: role ↔ policy (many-to-many). The same table can also bind a policy directly to a user; this design does not use that path, and any such binding on the API users would grant permissions outside the matrix below
Permission | directus_permissions | Binds to a policy (not a role): collection, action, fields, validation. One row per collection × action

1.3 Probe-confirmed Facts

Fact                                                      | Value     | Probe check
Roles CAN be created before collections exist             | YES       | #3
permissions.collection is a text field                    | YES       | #2
OPS proxy does NOT block G8B                              | YES       | #4
tac-agent/tac-admin do not exist yet                      | Confirmed | #1
Reference pattern: AI Agent role (API-only, policy-bound) | Available | #1

2. Role Definitions

Directus 11: Roles are identity/group labels, not permission containers.

2.1 tac-agent

Attribute    | Value
Purpose      | Daily DOT operations (API-only)
Pattern      | Similar to the existing AI Agent role
Token        | Via GSM, API Bearer
DOT creation | DOT-TAC-ROLE-ENSURE

2.2 tac-admin

Attribute    | Value
Purpose      | Bootstrap + emergency (seed, config changes)
Token        | Via GSM, API Bearer
DOT creation | DOT-TAC-ROLE-ENSURE

3. Policy Definitions (NEW — D11 specific)

Directus 11: Policies carry admin_access/app_access flags and bind permissions.

3.1 tac-agent-policy

Attribute    | Value
admin_access | false
app_access   | false (API-only, no Directus UI)
Scope        | Permission matrix §4.1 (CRU core, CRUD members, read-only vocab/config)

3.2 tac-admin-policy

Attribute    | Value
admin_access | false (scoped to tac_* only, not global admin; admin_access=true would bypass the permission rows entirely, so it must stay false)
app_access   | ⚠️ DECISION PENDING: default false unless a UI workflow is explicitly confirmed by GPT/User
Scope        | Full CRUD on all 14 tac_* collections (§4.2). DDL/schema mutation NOT granted; that is a separate governed DB/DOT path

3.3 Access Binding

Role      | Policy           | Binding
tac-agent | tac-agent-policy | via directus_access
tac-admin | tac-admin-policy | via directus_access

4. Permission Matrix — tac_* Collections

D11: All permission rows bind to policy ID, not role ID.

4.1 tac-agent-policy permissions (14 matrix rows; 28 directus_permissions rows, one per collection × action: 4×3 + 2×4 + 8×1)

#  | Collection                 | Create | Read | Update | Delete | Notes
1  | tac_logical_unit           | ✓      | ✓    | ✓      | –      | Birth gate enforced via trigger
2  | tac_unit_version           | ✓      | ✓    | ✓      | –      | Lifecycle transition via update
3  | tac_publication            | ✓      | ✓    | ✓      | –      | Lifecycle: proposed → enacted
4  | tac_publication_member     | ✓      | ✓    | ✓      | ✓      | Composition management
5  | tac_change_set             | ✓      | ✓    | ✓      | –      | Lifecycle: draft → enacted
6  | tac_change_set_member      | ✓      | ✓    | ✓      | ✓      | Composition management
7  | tac_lu_lifecycle_vocab     | –      | ✓    | –      | –      | Read-only vocab
8  | tac_uv_lifecycle_vocab     | –      | ✓    | –      | –      | Read-only vocab
9  | tac_review_state_vocab     | –      | ✓    | –      | –      | Read-only vocab
10 | tac_pub_lifecycle_vocab    | –      | ✓    | –      | –      | Read-only vocab
11 | tac_cs_lifecycle_vocab     | –      | ✓    | –      | –      | Read-only vocab
12 | tac_section_type_vocab     | –      | ✓    | –      | –      | Read-only vocab
13 | tac_publication_type_vocab | –      | ✓    | –      | –      | Read-only vocab
14 | tac_birth_gate_config      | –      | ✓    | –      | –      | Read-only config

Design rationale (unchanged):

  • Core tables (LU, UV, PUB, CS): CRU, no Delete (lifecycle managed, never hard-delete)
  • Member tables (PM, CSM): CRUD (composition management)
  • Vocab/config tables: Read-only (governance-controlled, admin-only changes)

4.2 tac-admin-policy permissions (14 matrix rows; 56 directus_permissions rows, 14 collections × 4 actions)

Collection   | Create | Read | Update | Delete
All 14 tac_* | ✓      | ✓    | ✓      | ✓

Full Directus CRUD for bootstrap, seed management and emergency fixes. DDL/schema mutation NOT included; that is a separate governed DB/DOT path.


5. Dependency Map — G8B Pre-conditions

# | Dependency                                               | Must exist before G8B? | Verification
1 | 14 tac_* tables in public schema                         | Yes                    | PG query: count = 14
2 | 14 Directus collections registered                       | Yes                    | Directus API GET /collections: 14 tac_*
3 | DOT-TAC-ROLE-ENSURE script (updated for D11 model)       | Yes                    | Script exists + tested
4 | GSM access for token storage                             | Yes                    | gcloud auth verified
5 | Roles tac-agent/tac-admin do NOT exist yet               | Must be absent         | Directus API GET /roles
6 | Policies tac-agent-policy/tac-admin-policy do NOT exist yet | Must be absent      | Directus API GET /policies
7 | tac-admin app_access decision resolved                   | Yes                    | GPT/User decision

6. G8B Gate Requirements

6.1 Execution Sequence (D11 model)

Step 1: Create roles (tac-agent, tac-admin)
Step 2: Create policies (tac-agent-policy, tac-admin-policy)
Step 3: Create directus_access bindings (role → policy)
Step 4: Create permission rows against policies (14 + 14 matrix rows, expanding to 28 + 56 = 84 directus_permissions rows, one per collection × action)
Step 5: Token provisioning in GSM (separately authorized)

6.2 PASS criteria

#  | Criterion
1  | tac-agent role exists in directus_roles
2  | tac-admin role exists in directus_roles
3  | tac-agent-policy exists with admin_access=false, app_access=false
4  | tac-admin-policy exists with correct flags (per §3.2 decision)
5  | directus_access binds tac-agent → tac-agent-policy
6  | directus_access binds tac-admin → tac-admin-policy
7  | Permission rows for tac-agent-policy match the §4.1 matrix exactly (28 rows; no extra action, no collection outside tac_*)
8  | Permission rows for tac-admin-policy match the §4.2 matrix exactly (56 rows; no collection outside tac_*)
9  | Tokens for both roles provisioned in GSM
10 | DOT-TAC-ROLE-VERIFY confirms all 9 criteria above
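A worked example, added here and not part of the G8A design or of the DOT-TAC-ROLE-ENSURE / DOT-TAC-ROLE-VERIFY scripts, covering the D11 chain of §1.2, the permission matrix of §4 and the PASS criteria of §6.2. It expands the matrix into the directus_permissions rows Step 4 would create (one row per collection × action, bound to the policy ID), resolves Role → directus_access → Policy, and checks a snapshot of what GET /roles, /policies, /access and /permissions return. The snapshot, its IDs and the helper names are constructed for the example; the field names (directus_access.role/policy, directus_permissions.policy/collection/action) follow the Directus 11 system collections. It is read-only and never calls the API.

```python
"""Added example (not the project's code). Builds the expected G8B permission rows
and verifies a constructed snapshot of the Directus 11 system collections."""
from __future__ import annotations

ACTIONS = ("create", "read", "update", "delete")

# Section 4 matrix. Core: CRU; member tables: CRUD; vocab/config: read-only.
CORE = ["tac_logical_unit", "tac_unit_version", "tac_publication", "tac_change_set"]
MEMBERS = ["tac_publication_member", "tac_change_set_member"]
READ_ONLY = ["tac_lu_lifecycle_vocab", "tac_uv_lifecycle_vocab", "tac_review_state_vocab",
             "tac_pub_lifecycle_vocab", "tac_cs_lifecycle_vocab", "tac_section_type_vocab",
             "tac_publication_type_vocab", "tac_birth_gate_config"]
TAC_COLLECTIONS = CORE + MEMBERS + READ_ONLY  # 14 collections

AGENT_MATRIX = {c: {"create", "read", "update"} for c in CORE}
AGENT_MATRIX.update({c: set(ACTIONS) for c in MEMBERS})
AGENT_MATRIX.update({c: {"read"} for c in READ_ONLY})
ADMIN_MATRIX = {c: set(ACTIONS) for c in TAC_COLLECTIONS}

# role -> (policy, matrix, flags that must hold). tac-admin app_access is pending (3.2), so it is not asserted.
EXPECTED = {
    "tac-agent": ("tac-agent-policy", AGENT_MATRIX, {"admin_access": False, "app_access": False}),
    "tac-admin": ("tac-admin-policy", ADMIN_MATRIX, {"admin_access": False}),
}


def expected_permission_rows(policy_id: str, matrix: dict[str, set[str]]) -> list[dict]:
    """Step 4 payloads: one directus_permissions row per collection x action, bound to the policy ID."""
    return [{"policy": policy_id, "collection": c, "action": a, "fields": ["*"]}
            for c in TAC_COLLECTIONS for a in ACTIONS if a in matrix[c]]


def policies_for_role(role_name: str, roles: list[dict], access: list[dict], policies: list[dict]) -> list[dict]:
    """Resolve the D11 chain Role -> directus_access -> Policy (section 1.2)."""
    role_ids = {r["id"] for r in roles if r["name"] == role_name}
    policy_ids = {a["policy"] for a in access if a.get("role") in role_ids}
    return [p for p in policies if p["id"] in policy_ids]


def effective_matrix(policy_id: str, permissions: list[dict]) -> dict[str, set[str]]:
    """Collapse a policy's permission rows back into collection -> set(actions)."""
    matrix: dict[str, set[str]] = {}
    for row in permissions:
        if row["policy"] == policy_id:
            matrix.setdefault(row["collection"], set()).add(row["action"])
    return matrix


def preflight_absent(roles: list[dict], policies: list[dict]) -> bool:
    """Dependency map rows 5-6: none of the G8B names may exist before the run."""
    names = {r["name"] for r in roles} | {p["name"] for p in policies}
    return not (names & {"tac-agent", "tac-admin", "tac-agent-policy", "tac-admin-policy"})


def verify_g8b(roles, policies, access, permissions) -> dict[str, bool]:
    """PASS criteria 1-8 (section 6.2) evaluated on API snapshots; each key is one check."""
    results: dict[str, bool] = {}
    for role_name, (policy_name, matrix, flags) in EXPECTED.items():
        results[f"{role_name} role exists"] = any(r["name"] == role_name for r in roles)
        bound = policies_for_role(role_name, roles, access, policies)
        pol = next((p for p in bound if p["name"] == policy_name), None)
        results[f"{role_name} -> {policy_name} via directus_access"] = pol is not None
        results[f"{policy_name} flags"] = pol is not None and all(pol.get(k) == v for k, v in flags.items())
        # Exact equality: an extra action (e.g. delete on a core table) or a missing one both fail.
        results[f"{policy_name} matches matrix"] = pol is not None and effective_matrix(pol["id"], permissions) == matrix
        # Nothing bound to this policy may reach outside tac_*.
        results[f"{policy_name} scoped to tac_*"] = pol is not None and all(
            row["collection"].startswith("tac_") for row in permissions if row["policy"] == pol["id"])
    return results


# Constructed snapshot (not real data) of what GET /roles, /policies, /access and
# /permissions would return after a correct G8B run; IDs are placeholders.
ROLES = [{"id": "r-agent", "name": "tac-agent"}, {"id": "r-admin", "name": "tac-admin"}]
POLICIES = [{"id": "p-agent", "name": "tac-agent-policy", "admin_access": False, "app_access": False},
            {"id": "p-admin", "name": "tac-admin-policy", "admin_access": False, "app_access": False}]
ACCESS = [{"id": 1, "role": "r-agent", "user": None, "policy": "p-agent"},
          {"id": 2, "role": "r-admin", "user": None, "policy": "p-admin"}]
PERMISSIONS = expected_permission_rows("p-agent", AGENT_MATRIX) + expected_permission_rows("p-admin", ADMIN_MATRIX)

if __name__ == "__main__":
    for check, ok in verify_g8b(ROLES, POLICIES, ACCESS, PERMISSIONS).items():
        print("PASS" if ok else "FAIL", check)
```

The matrix comparison is exact in both directions, so a permission row that is too broad (the §7 "Permission too broad" scenario, for instance a delete row on tac_logical_unit for tac-agent-policy) fails the same check as a missing row; the scoped-to-tac_* check catches a row pointed at a non-tac_* collection even when all 14 tac_* entries are correct.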

6.3 Post-check test-artifact policy

  • Use test records with an explicit prefix (e.g. TEST-G8B-...)
  • Delete only the test records created by this run
  • Do NOT delete production records
  • If cleanup is not performed, keep the test rows as audit evidence and record their IDs in the action log

7. Rollback / Compensation Plan

Scenario                 | Rollback
Wrong role               | Delete role via Directus API → recreate
Policy has wrong flags   | Update policy via API, or delete → recreate
Wrong access binding     | Delete binding → rebind correct role → policy
Permission too broad     | Delete permission rows → recreate with correct matrix
Wrong token              | Rotate in GSM

8. Corrected Sequence (full P9 remaining)

G6 PASS ✅
  → [GATE] Production DDL: 14 tables + 6 fn/triggers → public
  → [GATE] Directus collection registration (14 tac_*)
  → [GATE] DOT-TAC-ROLE-ENSURE script (updated for D11: role + policy + access + permissions)
  → [GATE] G8B: Role + Policy + Access binding + Permissions + Token
  → [GATE] Seed 61 rows
  → [GATE] Cron setup
  → [GATE] Full verify
  → [GATE] G11: User final approval

9. Observations (non-blocking)

# | Observation                                                   | Action
1 | 2× "Public" roles + 1 "Antigravity Public"; possible legacy   | Track for future cleanup, NOT in G8A/G8B
2 | directus-architecture.md SSOT outdated (MySQL → PG)           | Separate doc cleanup issue
3 | OPS proxy has no tac_* rules                                  | Track for downstream agent API access setup

10. G8A-0 Probe — RESOLVED

# | Question                                      | Result
1 | Directus roles/permissions API shape?         | D11: Role → Access → Policy → Permissions
2 | Do tac-agent/tac-admin already exist?         | NOT present
3 | Can roles be created before collections?      | YES, independent
4 | Does the OPS proxy affect G8B?                | NO, no tac_* rules in nginx
5 | Directus version + model?                     | 11.5.1, Policies model

G8A Readiness Design v0.3 | S185 | 2026-04-28 | Doc-only DRAFT | D11 model revision per probe. Awaiting GPT review → Production DDL/Collection gates → G8B execution gate → G11

G8A v0.3 does not authorize G8B. G8B depends on:

  • Production tac_* tables existing in the public schema
  • Directus collections existing (14 tac_*)
  • DOT-TAC-ROLE-ENSURE having been updated for the Directus 11 policy model