KB-44AD

P9 G8B Token Provisioning Log 2026-04-29 — FAIL GSM IAM

Revision 1

P9 G8B-Token Provisioning Log — 2026-04-29

Scope: G8B-Token ONLY — Directus users + static tokens for tac-agent / tac-admin
Executor: Claude Code via SSH contabo
Result: FAIL — GSM IAM blocker
Mutation status: No Directus users created. No Directus token patch. No TAC item writes.


1. Pre-checks

1.1 VPS + admin token

# G8B-TOKEN PREFLIGHT 2026-04-29T03:30:15+02:00
HOST=vmi3080463
ADMIN_TOKEN=****d495

1.2 GSM preflight

/usr/bin/gcloud
GSM_ACCOUNT=cursor-ci-builder@github-chatgpt-ggcloud.iam.gserviceaccount.com
GSM_PROJECT=github-chatgpt-ggcloud
SECRET_DIRECTUS_TAC_AGENT_TOKEN=ABSENT
SECRET_DIRECTUS_TAC_ADMIN_TOKEN=ABSENT

1.3 Existing TAC users / G8B-RP state

TAC_USERS=[]
TAC_ROLES=[
  {"id":"81a7571c-1cab-4978-8f36-bc9e1406c3b9","name":"tac-admin"},
  {"id":"8b7e0fb7-6b9d-4513-83a1-0d9dd7a7eb88","name":"tac-agent"}
]
TAC_PERMISSIONS=84
GATE_B_COLLECTIONS=14

1.4 Gate A / C

tables=14
functions=7
triggers=6
tac_total_rows=61

Pre-check classification: clean slate for TAC users and target GSM secrets.


2. Execution Attempt

Generated token values were logged in masked form only:

# G8B-TOKEN EXECUTION 2026-04-29T03:32:08+02:00
TAC_AGENT_TOKEN=****1143
TAC_ADMIN_TOKEN=****1657

Execution stopped at the first GSM create step, before any Directus user creation.

Observed blocker:

ERROR: (gcloud.secrets.create) [cursor-ci-builder@github-chatgpt-ggcloud.iam.gserviceaccount.com] does not have permission to access projects instance [github-chatgpt-ggcloud] (or it may not exist): Permission 'secretmanager.secrets.create' denied on resource (or it may not exist).

No gcloud secrets versions add command completed. No GSM version IDs were created.


3. Residue Check

Read-only residue check after failure:

# G8B-TOKEN RESIDUE CHECK 2026-04-29T03:32:39+02:00
## GSM secrets
SECRET_DIRECTUS_TAC_AGENT_TOKEN=ABSENT
SECRET_DIRECTUS_TAC_ADMIN_TOKEN=ABSENT

## Directus users
TAC_USERS=[]

## Gate A/B/C
tables=14
functions=7
triggers=6
tac_total_rows=61

Interpretation:

  • No TAC Directus users exist.
  • No target GSM secrets exist.
  • Gate A unchanged.
  • Gate B unchanged from previous reverify state.
  • Gate C unchanged: 61 total TAC rows.

4. Hard Exclusions Confirmed

  • No DDL.
  • No POST/DELETE/PATCH/PUT to /items/tac_*.
  • No roles/policies/permissions mutation.
  • No registry/birth/catalog/DOT writes.
  • No G11.
  • No full token/password logged.
  • No existing GSM secret version overwritten or destroyed.
  • All commands ran through ssh contabo.

5. Secret Hygiene

Automated scan returned REVIEW because it matched masked token lines and secret names:

TAC_ADMIN_TOKEN=****1657
ADMIN_TOKEN=****d495
SECRET_DIRECTUS_TAC_ADMIN_TOKEN=ABSENT

Review result: PASS for secret hygiene. Only masked last-4 token values and secret names were logged; no full token/password value appears in this report.
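
The review step above can be automated by classifying each scanner hit as masked, a presence marker, or a full value. The sketch below is an added example, not the scanner used for this report; the key-name pattern, the PRESENT marker and the fourth sample line are assumptions constructed for illustration.

```python
import re

# Key names that mark a secret-bearing KEY=VALUE pair (this pattern is an assumption).
SENSITIVE_KEY = re.compile(
    r"(?i)\b([A-Z0-9_]*(?:TOKEN|SECRET|PASSWORD)[A-Z0-9_]*)\s*=\s*(\S*)")
# Masking format used in this report: four asterisks plus the last four characters.
MASKED = re.compile(r"\*{4}[0-9A-Za-z]{4}")
# Presence markers; ABSENT appears in the report, PRESENT is assumed.
STATE_WORDS = {"ABSENT", "PRESENT"}

# Lines 1-3 are copied from the report; line 4 is a constructed leak for contrast.
SAMPLE_LOG = [
    "TAC_ADMIN_TOKEN=****1657",
    "ADMIN_TOKEN=****d495",
    "SECRET_DIRECTUS_TAC_ADMIN_TOKEN=ABSENT",
    "TAC_AGENT_TOKEN=Zx9fQ2constructedEXAMPLEvalue1143",
]


def classify(value):
    """Return MASKED, STATE, EMPTY or EXPOSED for one logged value."""
    if MASKED.fullmatch(value):
        return "MASKED"
    if value in STATE_WORDS:
        return "STATE"
    return "EMPTY" if value == "" else "EXPOSED"


def redact(value):
    """Never echo a leaked value back into the findings; keep at most the last 4."""
    return "****" + value[-4:] if len(value) > 8 else "****"


def scan(lines):
    """Return (line number, key, classification, safe display value) per hit."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in SENSITIVE_KEY.finditer(line):
            key, value = m.group(1), m.group(2)
            kind = classify(value)
            shown = redact(value) if kind == "EXPOSED" else value
            findings.append((lineno, key, kind, shown))
    return findings


def verdict(findings):
    """FAIL if any full value was logged, otherwise PASS."""
    return "FAIL" if any(f[2] == "EXPOSED" for f in findings) else "PASS"


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(verdict(scan(SAMPLE_LOG)))
```
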


6. Verdict

G8B-Token FAIL — GSM IAM blocker.

Blocking permission:

secretmanager.secrets.create

Required next step: grant the active account cursor-ci-builder@github-chatgpt-ggcloud.iam.gserviceaccount.com sufficient Secret Manager permission to create DIRECTUS_TAC_AGENT_TOKEN and DIRECTUS_TAC_ADMIN_TOKEN, or pre-create both secrets and grant permission to add/access versions. Then rerun G8B-Token gate.

STOP. Token provisioning remains incomplete. Full G8 is not PASS yet.