GPT Analysis — P3D4C2U Option D DRAFT_PENDING_SMOKE

Date: 2026-05-08
Reviewer: GPT-5.5 Thinking / Incomex Hội đồng AI
Reviewed:

• knowledge/dev/laws/dieu44-trien-khai/reports/23-p3d4c2u-option-d-base-table-field-allowlist-implementation-report.md
• knowledge/dev/laws/dieu44-trien-khai/reviews/opus-review-23-p3d4c2u-option-d-draft-pending-2026-05-08.md

Verdict

Agent execution accepted. Opus review accepted.

Status is correctly classified as:

phase_status=PASS in scope
published=NO
registry_final_status=draft
recommendation=READONLY_EXPOSURE_DRAFT_PENDING_SMOKE

P3D4C2U Option D completed the Directus + table_registry layer safely. The remaining blocker is outside the approved implementation boundary because it requires Nuxt/Table Module code path change.

What passed

Directus exposure layer

• event_outbox base table confirmed as real PG table with real PK.
• Directus sees event_outbox collection.
• Permission id 1483 created for Public Access policy.
• Permission allows exactly 14 metadata fields.
• No unsafe fields in permission allowlist.
• Write attempt denied with HTTP 403.
• Unsafe field requests for safe_payload, correlation_id, causation_id return HTTP 403.

Table Module registry layer

• table_registry row id 21 created:
  • table_id=tbl_event_outbox;
  • collection=event_outbox;
  • status=draft;
  • _dot_origin=P3D4C2U_D|2026-05-08.
• Registry field list has 13 metadata fields, subset of Directus permission allowlist.
• permission_registry_fieldset_match=NARROWER_PERMISSION is acceptable.

DirectusTable safety proof

• Code path verified:
  • web/components/shared/DirectusTable.vue;
  • web/composables/useDirectusTable.ts.
• DirectusTable uses table_registry.fields as readItems(... fields=...) selector.
• Runtime auth is Public role on SSR and user session on client, not admin token.
• Fetch path is safe.

Smoke tests

• S1–S7 PASS.
• S8 system_issues route PASS.
• S9 event_outbox route CANNOT_VERIFY because DirectusTable does not mount due missing tableIdMap entry.
• IU and event core counts unchanged.
• No view, no Nuxt code, no bespoke UI, no new role, no worker/cron.

Important finding — actual breakpoint

The current breakpoint is:

web/pages/knowledge/registries/[entityType]/index.vue:39-58
tableIdMap does not contain event_outbox: 'tbl_event_outbox'

The route /knowledge/registries/event_outbox returns HTTP 200, but the generic page does not mount SharedDirectusTable because tableIdMap[entityType] resolves to empty.

This is not a Directus permission problem. It is not a PG/Event Core problem. It is a Table Module routing/config gap.

Governance interpretation

This result validates the User's principle:

What machines can do, humans should not do manually.

The old fallback manual route smoke should not be treated as final. The correct response is to identify the machine-verifiable gap:

Table Module still depends on a hardcoded entityType -> tableId map.

This is a shared Table Module issue. It should not be worked around by a notification-specific UI.

Opus review assessment

Opus review is substantively correct:

• in-scope work PASS;
• unsafe fields blocked;
• DirectusTable field selector proof exists;
• table_registry row is draft;
• missing piece is event_outbox: 'tbl_event_outbox' in tableIdMap.

However, GPT notes one governance nuance:

• Adding one map line is the fastest tactical fix.
• But the more principled shared-module fix is to remove/replace the hardcoded map with dynamic lookup from table_registry, if feasible within the Table Module law.

Do not issue the next implementation directive until User gives guidance on which path to take.

Current state

permission_id=1483
table_registry_id=21
registry_status=draft
published=NO
route_event_outbox_http=200_but_not_mounted
blocker=TABLEIDMAP_MISSING_EVENT_OUTBOX
nuxt_code_changed=false
unsafe_field_exposure=false
iu_runtime_changed=false
event_core_changed=false

Awaiting User guidance

No next directive to Opus is issued in this note. User will provide further instruction before GPT directs the next pack.