P3D — B3-F1c-d Dispatch Bridge Decision Design (Patched)
Date: 2026-05-13
Author: Opus
Status: DESIGN — requires GPT review + probe confirmation before any execution
Patched: 11 items per GPT review (gpt-review-b3f1c-d-dispatch-bridge-design-patch-required-2026-05-13.md)
1. Decision: Option C — Agent Data API Bridge (PENDING PROBE)
Why
| Factor | Option A (Nuxt PG) | Option B (Directus ext) | Option C (Agent Data) |
|---|---|---|---|
| PG access exists | ❌ zero clients | ❌ no isolated-vm | ✅ already connected (VERIFY role+privilege in probe) |
| Credentials in env | ❌ need new secret | ❌ need ext config | ✅ AGENT_DATA_API_KEY in FLOWS_ENV_ALLOW_LIST (VERIFY in probe) |
| Directus Flow can call | via WEB_URL | ❌ not via HTTP | ✅ via AGENT_DATA_URL (VERIFY internal URL in probe) |
| New dependency | pg npm package | extension build system | ✅ none expected (VERIFY in probe) |
| Existing pattern | ❌ none in Nuxt | ❌ none in repo | ✅ DOT Sync flows call Agent Data (VERIFY pattern in probe) |
Architecture (CANDIDATE — all values probe-required)
Directus Flow (schedule trigger, CANDIDATE cadence — requires GPT/user approval)
  └→ HTTP Request operation
       url: CANDIDATE — discover Agent Data internal Docker URL + route conventions
       method: CANDIDATE — discover from existing Agent Data route patterns
       headers: CANDIDATE — discover auth convention from existing Agent Data endpoints
       body: CANDIDATE — discover request body convention
       └→ Agent Data endpoint (new route — CANDIDATE path/pattern from probe)
            1. Check enabled flag (CANDIDATE — discover config pattern)
            2. SELECT public.fn_birth_onboarding_full_scan()
               ⚠️ THIS IS DML-AFFECTING: function may write to system_issues via helper.
               Manual test/invocation requires SEPARATE GPT/user approval.
            3. Parse JSONB result
            4. Write summary to system_issues (ONLY if discovered PG role has INSERT privilege)
            5. Return result to caller
            └→ PG function (already installed, SECURITY DEFINER)
Revised Directus Flow seed
B3-F1c-c compiled Flow seed targets Nuxt. Must be revised to target Agent Data. Key changes:
- URL: from Nuxt internal URL → Agent Data internal URL (discover in probe)
- Headers: add Agent Data auth (discover convention in probe)
- Default status: inactive (NOT active) — activation is a SEPARATE step after endpoint is verified and approved. Do not create a scheduled flow calling an endpoint that doesn't exist yet.
Cadence
0 */6 * * * remains a CANDIDATE only. Cadence must be approved by GPT/user before either dot_config seed or Directus Flow seed is executed. Both seeds MUST use the same approved value. No "same cron" inheritance without review.
2. What needs probing (NEEDS_AGENT_READONLY_PROBE)
| # | Question | Why | Note |
|---|---|---|---|
| 1 | Agent Data PG connection pattern | Library, sync/async, connection string source, pool | Do NOT assume library or config path |
| 2 | Agent Data PG ROLE | What DB role does Agent Data use? | Do NOT assume directus — discover from config |
| 3 | Function EXECUTE privilege for discovered role | Can that role call fn_birth_onboarding_full_scan? | Check with discovered role, not assumed |
| 4 | system_issues INSERT privilege for discovered role | Can that role write summary? | If false → BLOCKED |
| 5 | Agent Data route/endpoint pattern | Framework, decorators, routers/modules, middleware | Probe FULL app tree, not just server.py |
| 6 | Agent Data auth pattern | How are existing endpoints authenticated? | Discover from middleware/dependencies |
| 7 | Docker internal URL + port | Service name, port, network | Discover from docker-compose |
| 8 | dot_config unique constraint/index on key | Verify ON CONFLICT safety | Check BOTH pg_constraint AND pg_index |
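One way to run probe questions 3 and 4 without touching the DML-affecting function, as an added example (not code from this design or from Agent Data). It assumes a DB-API cursor with `%s` placeholders; `probe_privileges`, the `READY` label and the result keys are hypothetical names.

```python
# Identifiers from the page; the schema of system_issues is not stated there,
# so the unqualified name is resolved by the session search_path (assumption).
FUNCTION_SIG = "public.fn_birth_onboarding_full_scan()"
SUMMARY_TABLE = "system_issues"


def probe_privileges(cur, role, function_sig=FUNCTION_SIG, table=SUMMARY_TABLE):
    """Read-only probe for questions 3 and 4.

    `cur` is a DB-API cursor using %s placeholders (assumed, e.g. psycopg);
    `role` is whatever question 2 discovered. Only catalog lookups and
    privilege-inquiry functions run here: the scan function is never called.
    """
    result = {"role": role, "can_execute": False, "can_insert": False,
              "public_can_execute": None, "status": "BLOCKED", "gaps": []}

    # has_*_privilege() raises on an unknown role, so confirm it exists first.
    cur.execute("SELECT 1 FROM pg_roles WHERE rolname = %s", (role,))
    if cur.fetchone() is None:
        result["gaps"].append("discovered role not present in pg_roles")
        return result

    cur.execute(
        "SELECT has_function_privilege(%s, %s, 'EXECUTE'),"
        "       has_table_privilege(%s, %s, 'INSERT'),"
        "       has_function_privilege('public', %s, 'EXECUTE')",
        (role, function_sig, role, table, function_sig),
    )
    can_execute, can_insert, public_can_execute = cur.fetchone()
    result.update(can_execute=bool(can_execute), can_insert=bool(can_insert),
                  public_can_execute=bool(public_can_execute))

    if not can_execute:
        result["gaps"].append("no EXECUTE on " + function_sig)
    if not can_insert:
        result["gaps"].append("no INSERT on " + table)  # question 4: BLOCKED
    if not result["gaps"]:
        result["status"] = "READY"  # hypothetical label; the page only names BLOCKED
    return result
```

`public_can_execute` is informational: because the function is SECURITY DEFINER, an EXECUTE grant to PUBLIC lets any role run it with the owner's privileges, which is worth recording in the probe report.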
3. Rollback
B3-F1c-c rollback seed for Directus Flow + dot_config + dot_tools remains valid (with URL revision). Agent Data endpoint rollback = git revert the Python code change.
4. Security: Secret redaction
All probe and compile activities must REDACT secret values. Report variable names and non-secret metadata only. Passwords, tokens, API keys, full connection strings must NEVER appear in KB artifacts or reports.
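A redaction pass for probe output that follows this rule, as an added example (not part of the original design or of Agent Data). The function names, the secret-name pattern and every sample value are assumptions or constructed; only the `AGENT_DATA_API_KEY` and `AGENT_DATA_URL` names come from the page.

```python
import re
from urllib.parse import urlsplit

# Variable names that mark the whole value as secret (assumed naming convention).
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD", re.I)
URL_WITH_USERINFO = re.compile(r"[a-z][a-z0-9+.\-]*://\S*@\S*", re.I)
KV_PASSWORD = re.compile(r"(password\s*=\s*)\S+", re.I)  # libpq keyword DSN
BEARER = re.compile(r"(Bearer\s+)\S+", re.I)


def _url_metadata(match):
    """Replace a credentialed URL with its non-secret parts, never the string itself."""
    raw = match.group(0)
    try:
        u = urlsplit(raw)
        # An unescaped '@', '/' or '?' in the password makes the split ambiguous: fail closed.
        if raw.count("@") != 1 or "@" not in u.netloc:
            return "[REDACTED_URL]"
        return (f"<conn scheme={u.scheme} role={u.username} host={u.hostname} "
                f"port={u.port} db={u.path.lstrip('/')}>")
    except ValueError:
        return "[REDACTED_URL]"


def redact_text(text):
    text = URL_WITH_USERINFO.sub(_url_metadata, text)
    text = KV_PASSWORD.sub(r"\1[REDACTED]", text)
    return BEARER.sub(r"\1[REDACTED]", text)


def redact_env(env):
    """Return {name: safe_value}: names always reported, secret values never."""
    return {name: ("[REDACTED]" if SECRET_NAME.search(name) else redact_text(value))
            for name, value in env.items()}


def leaked(report_text, secrets):
    """Final gate before writing to the KB: which known secrets still appear?"""
    return [s for s in secrets if s and s in report_text]


# Constructed sample values; only the two AGENT_DATA_* names come from the page.
SAMPLE_ENV = {
    "AGENT_DATA_API_KEY": "constructed-key-123",
    "AGENT_DATA_URL": "http://agent-data.example:8000",
    "DATABASE_URL": "postgresql://svc_role:s3cr3t@db.example:5432/appdb",
    "PG_DSN": "host=db.example dbname=appdb user=svc_role password=s3cr3t",
}
```

The role name is kept as metadata because probe question 2 needs it; the connection string itself is never echoed, and `leaked` gives a last check on the serialized report before it is stored.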
5. Compile dependencies
Endpoint code compilation requires ALL prerequisites true (route/auth/role/privileges/redaction). If any false → gap analysis, not code.
Revised Flow seed compilation requires endpoint_code_compiled=true. If endpoint not compiled → flow seed gap analysis. Prevents creating scheduled flow targeting nonexistent endpoint (B3-F1c-c lesson).
6. Two-pass plan
B3-F1c-d-a (probe + compile — NO EXECUTION):
Probe all 8 questions above → compile endpoint code + revised flow seed → KB
GPT review
B3-F1c-d-b (execution — REQUIRES SEPARATE APPROVAL PER STEP):
1. Add endpoint to Agent Data (code change)
2. docker compose build + up agent-data
3. Verify endpoint responds (non-DML health-style check only)
4. Execute revised Directus Flow seed (status=inactive)
5. Execute dot_config + dot_tools seeds
6. Activate flow (SEPARATE APPROVAL after endpoint verified)
7. Manual test call — DML-AFFECTING, SEPARATE APPROVAL
8. Git commit — SEPARATE APPROVAL
7. What this design does NOT change
- fn_birth_onboarding_full_scan() — installed, no changes
- B3-F1b soft gate — no changes
- B3-A triggers — no changes
- Nuxt codebase — NO CHANGES (no Nuxt endpoint needed)
- dot_config sibling policy — no changes