KB-757F

P9 G8B-RP Read-only Reverify 2026-04-29

Revision 1

Scope: Read-only verification only
Executor: Claude Code via SSH contabo
Mutation: none
Result: PASS


1. Execution Identity

# VPS READONLY REVERIFY 2026-04-29T00:45:18+02:00
HOST=vmi3080463
TOKEN=****d495

Commands were run through ssh contabo. Directus API token was masked. No roles, policies, access bindings, permissions, tokens, metadata, or TAC rows were mutated.


2. Roles

[
  {
    "id": "8b7e0fb7-6b9d-4513-83a1-0d9dd7a7eb88",
    "name": "tac-agent",
    "icon": "smart_toy",
    "description": "TAC daily operations (API-only)"
  },
  {
    "id": "81a7571c-1cab-4978-8f36-bc9e1406c3b9",
    "name": "tac-admin",
    "icon": "admin_panel_settings",
    "description": "TAC bootstrap + emergency"
  }
]
UNKNOWN_TAC_ROLES=[]
ROLES_PASS=YES

3. Policies

[
  {
    "id": "75ba345c-96ef-4526-a37c-4241f11e195f",
    "name": "tac-agent-policy",
    "admin_access": false,
    "app_access": false,
    "enforce_tfa": false,
    "icon": "policy",
    "description": "CRU core, CRUD members, read vocab/config"
  },
  {
    "id": "0d5bedbb-1dee-4786-9307-07c810be2d30",
    "name": "tac-admin-policy",
    "admin_access": false,
    "app_access": false,
    "enforce_tfa": false,
    "icon": "shield",
    "description": "Full CRUD all 14 tac_*"
  }
]
UNKNOWN_TAC_POLICIES=[]
POLICIES_PASS=YES

4. Access Bindings

[
  {
    "id": "1a654f01-cb94-474e-baf2-d53e03f68d93",
    "role": "8b7e0fb7-6b9d-4513-83a1-0d9dd7a7eb88",
    "policy": "75ba345c-96ef-4526-a37c-4241f11e195f",
    "user": null
  },
  {
    "id": "ce2a2031-b975-478b-a457-1e795a5d8526",
    "role": "81a7571c-1cab-4978-8f36-bc9e1406c3b9",
    "policy": "0d5bedbb-1dee-4786-9307-07c810be2d30",
    "user": null
  }
]
ACCESS_PASS=YES

5. Full Permission Matrix

The expected set was built as 84 tuples (policy_id, collection, action):

  • tac-agent-policy: 28 rows
    • 4 core collections × create/read/update = 12
    • 2 member collections × create/read/update/delete = 8
    • 8 vocab/config collections × read = 8
  • tac-admin-policy: 56 rows
    • all 14 TAC collections × create/read/update/delete = 56

The actual set was queried via the Directus API (GET /permissions?limit=-1) and filtered to collections whose names start with "tac_".

EXPECTED_COUNT=84
ACTUAL_TAC_PERMISSION_COUNT=84
AGENT_PERMISSION_COUNT=28
ADMIN_PERMISSION_COUNT=56
MISSING_COUNT=0
EXTRA_COUNT=0
MATRIX_PASS=YES
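
The matrix check described in this section, as an added example (not the script that produced this report). It rebuilds the 84 expected tuples and set-diffs them against permission rows, which catches drift that a bare count comparison misses. The core/member/vocab-config split is an assumption inferred from collection name suffixes, and the sample rows are constructed.

```python
CRUD = ("create", "read", "update", "delete")
AGENT = "75ba345c-96ef-4526-a37c-4241f11e195f"  # tac-agent-policy (from the report)
ADMIN = "0d5bedbb-1dee-4786-9307-07c810be2d30"  # tac-admin-policy (from the report)
COLLECTIONS = (
    "tac_birth_gate_config tac_change_set tac_change_set_member "
    "tac_cs_lifecycle_vocab tac_logical_unit tac_lu_lifecycle_vocab "
    "tac_pub_lifecycle_vocab tac_publication tac_publication_member "
    "tac_publication_type_vocab tac_review_state_vocab tac_section_type_vocab "
    "tac_unit_version tac_uv_lifecycle_vocab"
).split()

def agent_actions(collection):
    # Assumption: the report does not list which collections are core, member
    # or vocab/config; the split is inferred here from the name suffix.
    if collection.endswith("_member"):
        return CRUD
    if collection.endswith(("_vocab", "_config")):
        return ("read",)
    return CRUD[:3]  # core: create/read/update

def expected_matrix():
    expected = set()
    for c in COLLECTIONS:
        expected |= {(AGENT, c, a) for a in agent_actions(c)}
        expected |= {(ADMIN, c, a) for a in CRUD}
    return expected

def diff_permissions(rows):
    """rows: the 'data' list of a GET /permissions?limit=-1 response."""
    actual = [(r["policy"], r["collection"], r["action"])
              for r in rows if r["collection"].startswith("tac_")]
    expected, seen = expected_matrix(), set(actual)
    return {"count": len(actual),
            "missing": sorted(expected - seen),
            "extra": sorted(seen - expected),
            "duplicates": len(actual) - len(seen)}

def constructed_rows(drift=False):
    # Constructed sample data, not output from the real instance.
    tuples = sorted(expected_matrix())
    if drift:  # swap one expected row for an unexpected one: count stays 84
        tuples.remove((AGENT, "tac_change_set", "update"))
        tuples.append((AGENT, "tac_publication", "delete"))
    rows = [{"policy": p, "collection": c, "action": a} for p, c, a in tuples]
    return rows + [{"policy": ADMIN, "collection": "directus_files", "action": "read"}]

if __name__ == "__main__":
    print(diff_permissions(constructed_rows()))
    print(diff_permissions(constructed_rows(drift=True)))
```

A tuple match covers only policy, collection and action; each Directus permission row also carries fields, permissions (item filter), validation and presets values, which this comparison does not inspect.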

6. Gate B Collections

GATE_B_COLLECTIONS=14
tac_birth_gate_config
tac_change_set
tac_change_set_member
tac_cs_lifecycle_vocab
tac_logical_unit
tac_lu_lifecycle_vocab
tac_pub_lifecycle_vocab
tac_publication
tac_publication_member
tac_publication_type_vocab
tac_review_state_vocab
tac_section_type_vocab
tac_unit_version
tac_uv_lifecycle_vocab
GATE_B_PASS=YES

7. Gate A and Gate C

## Gate A
tables=14
functions=7
triggers=6

## Gate C
tac_total_rows=61

8. Secret Hygiene

SECRET_SCAN=PASS

No full token, password, bearer token, or env secret was included in this report.


9. Verdict

G8B-RP READ-ONLY REVERIFY PASS.

Production state still matches:

  • 2 TAC roles
  • 2 TAC policies with admin_access=false, app_access=false, enforce_tfa=false
  • 2 role-to-policy access bindings
  • 84 TAC permission rows with full expected matrix, missing=0, extra=0
  • Gate A unchanged: tables=14, functions=7, triggers=6
  • Gate B unchanged: collections=14
  • Gate C unchanged: tac_total_rows=61

STOP after upload. Token provisioning remains deferred.