KB-D9EA
P9 Tier 3 Readiness Package — G6/G8/G11
7 min read Revision 1
dieu38p9tier3g6g8g11readiness
P9 Tier 3 — Remaining Gates Readiness Package (G6/G8/G11)
Phase: P9 Entry Gate, Tier 3 Trạng thái: DRAFT — Chờ GPT + User review Phiên: S183 | Ngày: 2026-04-27 P9 Gate Progress: 9/12 PASS. Remaining: G6, G8, G11. Scope: Doc-only readiness assessment. Không DDL/DML. Không migration. Không role creation. Không P9 execution.
1. Current P9 Gate Status
| Gate | Criterion | Status | Resolved by |
|---|---|---|---|
| G1 | P8 OFFICIAL | ✅ PASS | P8 v0.4 |
| G2 | Đ24 facets verified | ✅ PASS | E5: FAC-07/08/09 |
| G3 | entity_code format | ✅ PASS | E-E3: P8 §5.2 |
| G4 | DOT-TAC-* registered | ✅ PASS | E7: 19 DOTs |
| G5 | dot-dot-register adapter | ✅ PASS | E7 v0.2 |
| G7 | system_issues schema | ✅ PASS | E-R3: fn_tac_log_checker_issue |
| G9 | Backup plan | ✅ PASS | P8 §8.3 |
| G10 | TRIGGER-GUARD | ✅ PASS | P8 §8.4 |
| G12 | Component/BOM defer | ✅ PASS | P8 §7 |
| G6 | Migration dry-run | ⏳ NEEDS DESIGN | Tier 3 |
| G8 | Directus roles | ⏳ NEEDS DESIGN | Tier 3 |
| G11 | User approval | ⏳ PENDING | Last gate |
2. G6 — Migration Dry-run Readiness
2.1 What needs dry-run
Per P8 §8.1, migration = 10 steps:
| Step | Description | Risk | Dry-run approach |
|---|---|---|---|
| 1 | Create vocab+config tables (6) | DDL | Script review + sandbox verify |
| 2 | Create core tables (6) | DDL | Script review + sandbox verify |
| 3 | Create functions/triggers | DDL | Script review (fn_tac_uv_compute_derived, birth gate trigger) |
| 4 | Directus collections (DOT-driven) | API | DOT-TAC-COLLECTION-REGISTER dry-run |
| 5 | Roles (DOT-driven) | API | DOT-TAC-ROLE-ENSURE dry-run |
| 6 | DOTs (dot-dot-register) | API | ✅ DONE (E7) |
| 7 | Seed (Directus API) | DML | Seed script review + SHA-256 verify vs KB snapshot |
| 8 | Crons | Config | Crontab review |
| 9 | Verify | Read-only | DOT-TAC-SCHEMA-VERIFY + DOT-TAC-COLLECTION-VERIFY |
| 10 | Rollback test | DDL | DROP CASCADE + verify clean |
2.2 Pre-checks for dry-run
- sandbox_tac schema still intact on VPS (reference baseline)
- P5 schema doc available for DDL generation
- Seed data: KB snapshot + SHA-256 (P8 §8.2)
- Rollback: P8 §8.3 plan documented
2.3 PASS/FAIL criteria
- All DDL scripts compile without error (psql syntax check)
- Table count matches P8 §1.4 (14 tables)
- FK/constraint/index matches P5 design
- Seed data SHA-256 matches KB snapshot
- Rollback script verified (DROP CASCADE → 0 tac_* objects)
2.4 Gate requirement
G6 PASS = migration script reviewed + dry-run on sandbox or test schema + verify + rollback verified. Needs agent prompt for DDL generation + sandbox execution.
2.5 Scope estimate
Medium effort. Agent needs VPS access (DDL). Desktop designs prompt. GPT reviews.
3. G8 — Directus Roles Readiness
3.1 Roles needed (P8 §2.5)
| Role | Scope | Purpose |
|---|---|---|
| tac-agent | CRUD tac_* collections only | Daily DOT operations |
| tac-admin | Full tac_* + DDL | Bootstrap + emergency |
3.2 Pre-checks
- Check if
tac-agent/tac-adminroles already exist in Directus - Check current permissions for tac_* collections (if collections exist)
- DOT-TAC-ROLE-ENSURE registered ✅ (E7) — but script not yet implemented
3.3 Design questions
| Question | Impact |
|---|---|
| Create roles before or after tac_* collections? | After — need collections to assign permissions |
| Manual role creation or DOT-TAC-ROLE-ENSURE script? | DOT preferred (100% DOT), but script needs implementation |
| Token provisioning via GSM? | Yes per Đ33/P8 §2.5 |
3.4 PASS/FAIL criteria
- tac-agent role exists with CRUD on tac_* collections
- tac-admin role exists with full access on tac_*
- Tokens provisioned via GSM
- DOT-TAC-ROLE-VERIFY confirms role/permission correct
3.5 Gate requirement
G8 PASS = roles created + permissions assigned + tokens in GSM + DOT-TAC-ROLE-VERIFY PASS. Needs: tac_* collections first (G6 migration), then role creation prompt/gate.
3.6 Dependency
G8 depends on G6. Cannot assign permissions to collections that don't exist. Sequence: G6 (create tables + collections) → G8 (create roles + permissions) → G11 (User approval).
4. G11 — User Approval Package (draft, not yet requesting)
4.1 Go/No-go Summary
| Category | Status | Blocker? |
|---|---|---|
| Legal phase (L1–L5) | ✅ PASS | No |
| Design phase (C1–C3) | ✅ PASS | No |
| Schema (P5/P5b) | ✅ PASS | No |
| Checkers (P6) | ✅ PASS | No |
| Pilot (P7) | ✅ PASS | No |
| Implementation design (P8 v0.4) | ✅ PASS | No |
| Facets (E4/E5) | ✅ PASS | No |
| DOTs (E7) | ✅ PASS | No |
| Checker adapter (E-R3) | ✅ PASS | No |
| Migration dry-run (G6) | ⏳ Pending | Yes — must PASS first |
| Directus roles (G8) | ⏳ Pending | Yes — must PASS first |
4.2 G11 conditions
G11 can only be requested after:
- G6 migration dry-run PASS
- G8 Directus roles PASS
- All 11/12 gates PASS
- No open blockers
4.3 G11 decision form (template, NOT active)
{
"gate": "G11",
"package_id": "P9-G11-USER-APPROVAL",
"gates_passed": 11,
"gates_total": 12,
"remaining": ["G11"],
"decision": null,
"decided_by": null,
"decided_at": null,
"scope": "Authorize P9 production migration execution"
}
5. Recommended Sequence
G6 Migration dry-run
→ Agent: generate DDL from P5 schema
→ Agent: dry-run on test schema (sandbox_tac or new test schema)
→ Agent: verify tables + constraints + rollback
→ GPT review → PASS/FAIL
G8 Directus roles (after G6 PASS)
→ Agent: create tac_* Directus collections via DOT-TAC-COLLECTION-REGISTER
→ Agent: create roles via DOT-TAC-ROLE-ENSURE or manual DOT prompt
→ Agent: verify via DOT-TAC-ROLE-VERIFY
→ GPT review → PASS/FAIL
G11 User approval (after G6+G8 PASS)
→ Present full P9 gate summary to User
→ User decides: GO / NO-GO / CONDITIONAL
6. Scope Exclusions
| Action | In scope? |
|---|---|
| Readiness assessment (doc) | ✅ |
| P9 migration execution | ❌ |
| Directus role creation | ❌ |
| DDL/DML | ❌ |
| Cron activation | ❌ |
| DOT script implementation | ❌ |
| taxonomy_labels/entity_labels | ❌ |
| system_issues writes | ❌ |
| _dot_origin cleanup | ❌ |
P9 Tier 3 Readiness Package | S183 | 2026-04-27 | Opus 4.6 Chờ GPT + User review