P9 G8B-Token Provisioning Log 2026-04-29 Run4 — PASS

P9 G8B-Token Provisioning Log — 2026-04-29 (Run 4)

Scope: G8B-Token v0.4 — Steps 3+4 only (Steps 1–2 done in Run 3, GSM tokens reused)
Executor: Claude Code via SSH contabo
Result: PASS
Mutation status: 2 Directus users created, 2 tokens PATCHed, GSM versions reused (no new versions). No TAC item writes.


0. Inputs (carry-over from Run 3)

HOST=vmi3080463
ADMIN_TOKEN=****d495 (Directus admin, env file)
DIRECTUS_URL=http://172.18.0.4:8055 (container IP)
GCP_PROJECT=github-chatgpt-ggcloud
GSM_ACCOUNT=cursor-ci-builder@github-chatgpt-ggcloud.iam.gserviceaccount.com

GSM existing versions (reused, no rotation):
  DIRECTUS_TAC_AGENT_TOKEN:v2 = ****3a31
  DIRECTUS_TAC_ADMIN_TOKEN:v1 = ****f7ec

Roles:
  TAC_AGENT_ROLE_ID=8b7e0fb7-6b9d-4513-83a1-0d9dd7a7eb88
  TAC_ADMIN_ROLE_ID=81a7571c-1cab-4978-8f36-bc9e1406c3b9

Email domain: corrected `@incomex.local` → `@incomexsaigoncorp.vn`
  (User-authorized; matches AI Agent Registry corp domain)

Pre-execution check: 0 pre-existing users at corrected emails.


1. Step 3 — Directus user create (without token)

Payload includes provider:"default" and text_direction:"ltr" (Run 3 finding: this Directus instance enforces both at create time).

CREATE_AGENT=200 → AGENT_USER_ID=bd532ff2-26b8-455d-b28a-d5aa3d95b2d1
CREATE_ADMIN=200 → ADMIN_USER_ID=4a5a8c9a-bcab-4a8f-8afd-954407e65de7

Both temp payload files were created with mktemp, set to chmod 600, and removed with rm -f immediately after the curl call.


2. Step 4 — PATCH tokens (reuse GSM)

Tokens were read with gcloud secrets versions access latest and passed to curl via chmod 600 temp files (never on the command line).

PATCH_AGENT_TOKEN=200 (token from DIRECTUS_TAC_AGENT_TOKEN:latest = v2 ****3a31)
PATCH_ADMIN_TOKEN=200 (token from DIRECTUS_TAC_ADMIN_TOKEN:latest = v1 ****f7ec)

Token vars unset after PATCH. No new GSM versions added.
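The Step 3 + Step 4 sequence above, written out as one POSIX shell script. This is an added illustration, not the commands actually executed in Run 4. It assumes DIRECTUS_URL, ADMIN_TOKEN, GCP_PROJECT, TAC_AGENT_ROLE_ID and TAC_ADMIN_ROLE_ID are exported in the environment, that curl and gcloud are on the host, and that Directus answers /users, /users/:id and /users/me with compact JSON carrying data.id (as seen in Runs 3 and 4). The network calls only run when PROVISION=1 is set; the helpers (token masking, payload build, id extraction) run stand-alone. It also performs the id-match identity check from the post-verification section, since that is the only way to confirm the binding when the policies expose no directus_users fields.

```shell
#!/bin/sh
# Added example (not the Run 4 commands): Steps 3+4 as one script.
# Assumed environment: DIRECTUS_URL, ADMIN_TOKEN, GCP_PROJECT,
# TAC_AGENT_ROLE_ID, TAC_ADMIN_ROLE_ID exported; curl and gcloud on PATH.
# Network calls run only when PROVISION=1; helper functions run stand-alone.
set -eu

# Rule 6: never log a full token; print only ****last4.
mask_last4() {
  printf '****%s\n' "$(printf '%s' "$1" | tail -c 4)"
}

# Step 3 payload. provider and text_direction are required by this Directus
# instance at create time (Run 3 finding); status=active matches the final state.
build_user_payload() {   # email role_id
  printf '{"email":"%s","role":"%s","status":"active","provider":"default","text_direction":"ltr"}' \
    "$1" "$2"
}

# Extract data.id from a Directus response on stdin. jq handles any field order;
# the sed fallback expects the compact {"data":{"id":"..."... form Directus emits.
extract_id() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '.data.id // empty'
  else
    sed -n 's/^{"data":{"id":"\([^"]*\)".*/\1/p'
  fi
}

# Send one body to Directus from a mktemp file that is chmod 600 and removed
# whether or not curl succeeds (Rule 7). -f makes HTTP >= 400 a non-zero exit.
directus_call() {   # method path body bearer
  dc_tmp=$(mktemp)
  chmod 600 "$dc_tmp"
  printf '%s' "$3" > "$dc_tmp"
  dc_rc=0
  curl -sSf -X "$1" "$DIRECTUS_URL$2" \
    -H "Authorization: Bearer $4" \
    -H 'Content-Type: application/json' \
    --data-binary @"$dc_tmp" || dc_rc=$?
  rm -f "$dc_tmp"
  return $dc_rc
}

# Provision one user: create (Step 3), bind the existing GSM token (Step 4),
# then confirm the token resolves to that user id (section 3 check).
provision_user() {   # email role_id gsm_secret_name
  pu_uid=$(directus_call POST /users "$(build_user_payload "$1" "$2")" "$ADMIN_TOKEN" | extract_id)
  [ -n "$pu_uid" ] || { echo "create failed for $1" >&2; return 1; }
  echo "CREATE $1 -> $pu_uid"

  # Rules 9/10: the latest GSM version is the only source; nothing is added or rotated.
  pu_tok=$(gcloud secrets versions access latest --secret="$3" --project="$GCP_PROJECT")
  directus_call PATCH "/users/$pu_uid" "$(printf '{"token":"%s"}' "$pu_tok")" "$ADMIN_TOKEN" >/dev/null
  echo "PATCH token $(mask_last4 "$pu_tok") -> $pu_uid"

  # The policies grant no directus_users fields, so /users/me yields only id;
  # identity is proven by comparing that id with the one just created.
  pu_me=$(curl -sSf "$DIRECTUS_URL/users/me" -H "Authorization: Bearer $pu_tok" | extract_id)
  [ "$pu_me" = "$pu_uid" ] || { echo "identity mismatch for $1" >&2; return 1; }
  unset pu_tok
}

if [ "${PROVISION:-0}" = 1 ]; then
  provision_user tac-agent@incomexsaigoncorp.vn "$TAC_AGENT_ROLE_ID" DIRECTUS_TAC_AGENT_TOKEN
  provision_user tac-admin@incomexsaigoncorp.vn "$TAC_ADMIN_ROLE_ID" DIRECTUS_TAC_ADMIN_TOKEN
fi
```

The token never appears on a command line: it is written into a 0600 temp file by a shell builtin and the file is deleted on both the success and failure path of curl, which is the property the Run 3/4 exclusions audit (rules 6, 7 and 9) checks for.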


3. Read-only post-verification

3b. Agent identity (token binds to expected user)

GET /users/me as AGENT token → HTTP=200, data.id=bd532ff2-26b8-455d-b28a-d5aa3d95b2d1

Important note on identity fields: the agent and admin policies grant access only to the TAC collections, not to system fields on directus_users, so GET /users/me?fields=email,role,status returns only id. This is the intended security posture (both policies have admin_access=false and app_access=false, with no grants on system collections). Identity is therefore verified by matching data.id against the created AGENT_USER_ID / ADMIN_USER_ID.

3c. Agent read vocab

GET /items/tac_lu_lifecycle_vocab as AGENT → HTTP=200

3d. Admin identity

GET /users/me as ADMIN token → HTTP=200, data.id=4a5a8c9a-bcab-4a8f-8afd-954407e65de7

3e. Admin read all 14 TAC collections

ADMIN_READ_tac_lu_lifecycle_vocab=200
ADMIN_READ_tac_uv_lifecycle_vocab=200
ADMIN_READ_tac_review_state_vocab=200
ADMIN_READ_tac_pub_lifecycle_vocab=200
ADMIN_READ_tac_cs_lifecycle_vocab=200
ADMIN_READ_tac_section_type_vocab=200
ADMIN_READ_tac_publication_type_vocab=200
ADMIN_READ_tac_birth_gate_config=200
ADMIN_READ_tac_logical_unit=200
ADMIN_READ_tac_unit_version=200
ADMIN_READ_tac_publication=200
ADMIN_READ_tac_change_set=200
ADMIN_READ_tac_publication_member=200
ADMIN_READ_tac_change_set_member=200

All 14 = 200. No POST/PUT/PATCH/DELETE issued against /items/tac_*.

3f. Gate A/B/C re-verify (post-execution)

Gate A: tables=14, fn=7, trg=6
Gate B: collections=14
Gate C: tac_total_rows=61

All match the G8B-RP read-only reverify baseline (2026-04-29).

3g. Test tokens cleared

TEST_TOKENS_CLEARED (unset AGENT_TEST_TOKEN ADMIN_TEST_TOKEN)

4. Final state

Directus users:
  bd532ff2-26b8-455d-b28a-d5aa3d95b2d1  tac-agent@incomexsaigoncorp.vn  role=tac-agent  status=active  token=****3a31
  4a5a8c9a-bcab-4a8f-8afd-954407e65de7  tac-admin@incomexsaigoncorp.vn  role=tac-admin  status=active  token=****f7ec

GSM versions (latest, ENABLED, no rotation needed):
  projects/812872501910/secrets/DIRECTUS_TAC_AGENT_TOKEN/versions/2 (****3a31)
  projects/812872501910/secrets/DIRECTUS_TAC_ADMIN_TOKEN/versions/1 (****f7ec)

Roles, policies, access bindings, 84 permissions: untouched
Gate A=14/7/6, B=14, C=61: unchanged
TAC seed rows (61): untouched

Run 3 "orphan" GSM versions are no longer orphan — they are now bound to the corresponding Directus users via PATCH.


5. Hard exclusions audit

#   Rule                                                   Status
1   No DDL                                                 ✓ no DDL issued
2   No POST/DELETE/PATCH/PUT to /items/tac_*               ✓ all /items/tac_* calls were GET
3   No modification of roles/policies/permissions          ✓ counts unchanged (84)
4   No registry/birth/catalog/DOT writes
5   No G11
6   No logging of full token/password; mask as ****last4   ✓ all four tokens logged as ****last4 only
7   Temp file chmod 600 + rm                               ✓ all 4 PATCH+CREATE payload files
8   VPS only via SSH contabo
9   GSM primary only; no plaintext fallback
10  No overwrite/destroy of existing GSM secret versions   ✓ no destroy / disable issued in Run 4

6. Verdict

G8B-Token PASS.

  • 2 Directus users created (corrected emails).
  • 2 static tokens PATCHed onto users (reused from GSM, no rotation).
  • Read-only auth tests: agent identity (id match) + agent vocab read 200; admin identity (id match) + 14 TAC reads all 200.
  • Gate A/B/C unchanged; permission count 84 unchanged.
  • No TAC item mutation; no role/policy/permission mutation.

G8B-RP PASS + G8B-Token PASS → Full G8 PASS.

STOP. Awaiting GPT confirmation → G11 User final approval.


G8B-Token Run 4 | S186 | 2026-04-29 | PASS

knowledge/dev/laws/dieu38-trien-khai/reports/p9-g8b-token-provisioning-log-2026-04-29-run4.md