KB-1BF2

P10D-1B — Public READ grant for TAC official laws (2026-04-30)

4 min read Revision 1

p10dtacpermissionspublic-readdieu38

P10D-1B — Grant MVP Public READ for TAC Official Laws Collections

Date: 2026-04-30 Runtime: vmi3080463.contaboserver.net (VPS contabo) — Directus 11 / PostgreSQL Scope: Grant Public/anonymous READ on 4 tac_* collections (fields ["*"]). No code, no DDL/DML. Outcome: ✅ PASS

GATE 0

Control host: Nguyens-MacBook-Air.local (nmhuyen)
Runtime host: vmi3080463.contaboserver.net
DB: directus / directus
All Directus API calls executed via docker exec incomex-directus wget … (host has no curl path to container; container has wget, no curl).

T1 — Public role/policy marker

Anonymous in this Directus 11 instance is policy-based (role = null, policy = <Public Access>).

Reference: governance_docs READ permission id=989, role=null, policy=abf8a154-5b1c-4a46-ac9c-7300570f4f17, fields=["*"].
Public policy id chosen: abf8a154-5b1c-4a46-ac9c-7300570f4f17 ($t:public_label, the system Public policy).
(A second policy named "Public Access" a513bc9d-… exists but is not the one used by governance_docs public read; not used here.)

T2 — Existing TAC permissions for this policy

Query: policy=abf8a154… × collection in (tac_publication, tac_publication_member, tac_logical_unit, tac_unit_version) × action=read. Result: data: [] — none existed. Safe to create all 4.

T3 — Created READ permissions (POST /permissions)

Collection	Permission ID	role	policy	action	fields
tac_publication	1464	null	abf8a154-5b1c-4a46-ac9c-7300570f4f17	read	`["*"]`
tac_publication_member	1465	null	abf8a154-5b1c-4a46-ac9c-7300570f4f17	read	`["*"]`
tac_logical_unit	1466	null	abf8a154-5b1c-4a46-ac9c-7300570f4f17	read	`["*"]`
tac_unit_version	1467	null	abf8a154-5b1c-4a46-ac9c-7300570f4f17	read	`["*"]`

All 4 returned 200 with the expected payload.

T4 — Anonymous READ HTTP status

tac_publication → 200
tac_publication_member → 200
tac_logical_unit → 200
tac_unit_version → 200

T5 — Publications visible (anonymous)

Total: 3

DIEU-35 v5.2 — ĐIỀU 35: LUẬT QUẢN TRỊ DOT — v5.2 FINAL
DIEU-32 v1.1 — Điều 32: Luật Phê duyệt — v1.1 BAN HÀNH
DIEU-28 v2.0 — ĐIỀU 28: LUẬT KỸ THUẬT HIỂN THỊ — v2.0 BAN HÀNH

T6 — Deep-read D35 (publication_id `27e48995-d6a1-4a44-8559-cab6a07fdbe0`)

First 3 rows by render_order:

ro=0 ca=D38-DIEU35-ROOT title=ĐIỀU 35: LUẬT QUẢN TRỊ DOT — v5.2 FINAL body_len=67
ro=1 ca=D38-DIEU35-S0 title=ĐIỀU 35: LUẬT QUẢN TRỊ DOT — v5.2 FINAL (BAN HÀNH … body_len=1285
ro=2 ca=D38-DIEU35-S1 title=§1. MỤC TIÊU body_len=1015

canonical_address, title, and body all populated through the M2O joins → relational anonymous read works.

T7 — D35 member count

aggregate[count]=id → 36 ✅

PASS/FAIL Summary

#	Check	Expected	Actual	Result
T4	4 collections HTTP 200	All 200	200×4	✅
T5	≥3 publications visible	D28, D32, D35	All 3	✅
T6	Deep-read ca + title + body	Non-empty	Non-empty	✅
T7	D35 member count	36	36	✅

P10D-1B PASS — chìa khoá đã mở.

Notes / Constraints honored

READ only on the 4 listed tac_* collections, fields ["*"]. No WRITE/CREATE/UPDATE/DELETE granted.
No system collections, no unrelated tables, no governance_docs mutation, no DDL/DML.
No code/routes touched.
Tokens never echoed; set +x enforced; admin token sourced from /opt/incomex/docker/.env (DIRECTUS_ADMIN_TOKEN).
Field-level restriction deferred to admin/governance phase as planned.

Rollback (if ever needed)

DELETE /permissions/1464
DELETE /permissions/1465
DELETE /permissions/1466
DELETE /permissions/1467

STOP — không implement Nuxt.