KB-56ED rev 2

CP-07 Definitive Directus SELECT-Only Base-Table Read Path


Selected Path

FIX7 selects path A: Directus retains SELECT on the exact manifest-listed base tables it currently reads. FIX7 does not migrate Directus reads to presentation views. This preserves current Directus REST/Admin behavior while removing every write, DDL, EXECUTE and ownership authority from the Directus principal.

The actual table list is not hardcoded in this document or SQL. It is the exact ACTIVE PRIVILEGE_SET manifest subset where grantee principal is the sealed Directus runtime principal, object type is base table, and privilege is SELECT. Any change is a new sealed, hashed, quorum-activated manifest version.

Exact Post-Cutover Privileges

  • Directus: schema USAGE plus SELECT on exactly the active manifest-listed base tables and any separately manifest-listed views;
  • Directus: no INSERT/UPDATE/DELETE/TRUNCATE/REFERENCES/TRIGGER/CREATE/EXECUTE/ownership/grant option on control-plane/protected objects;
  • PUBLIC: no privilege;
  • default privileges owned by qt001_cp_owner do not grant Directus/PUBLIC authority.

Preflight, Cutover, And Smoke

Before revoke, infra-preflight captures Directus's actual emitted query surface from registered Directus collection metadata plus read-only database access/audit evidence. It compares actual base-table/view reads to proposed manifest SELECT objects in both EXCEPT directions. Any missing or extra object, unknown query path, or unmanifested read returns BLOCKED_READ_PATH.

The expected read contract is the ACTIVE PRIVILEGE_SET Directus SELECT subset. Each applicable row binds query family, endpoint group, object, observation source, required smoke pattern hash, and sealed observation_max_age_seconds. Expected and observed read surfaces are compared in both EXCEPT directions. Observed-not-expected returns BLOCKED_READ_PATH; expected-not-observed or stale/incomplete observation returns operator-required and keeps readiness blocked. No fixed observation-window literal is permitted.
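The both-direction comparison described above, as an added example that is not part of the original document or of the FIX7 tooling. The manifest rows, query families, observation source name (`pg_audit`), pattern hashes and timestamps are constructed; the verdict names `OPERATOR_REQUIRED` and `READ_SURFACE_OK` are assumed labels for the two non-blocking outcomes, and treating a pattern-hash or source mismatch as an incomplete observation is an assumption. Each expected row carries its own `observation_max_age_seconds`, so no fixed window literal appears in the code.

```python
"""Compare expected vs observed Directus read surfaces in both EXCEPT directions.

Added example, not FIX7 code. Verdict names other than BLOCKED_READ_PATH are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BLOCKED_READ_PATH = "BLOCKED_READ_PATH"    # named on the page
OPERATOR_REQUIRED = "OPERATOR_REQUIRED"    # assumed label: readiness stays blocked
READ_SURFACE_OK = "READ_SURFACE_OK"        # assumed label: this check passes


@dataclass(frozen=True)
class ExpectedRead:
    """One row of the ACTIVE PRIVILEGE_SET Directus SELECT subset."""
    query_family: str
    endpoint_group: str
    obj: str                        # schema-qualified base table or view
    observation_source: str
    smoke_pattern_hash: str
    observation_max_age_seconds: int  # sealed per row; no global window literal


@dataclass(frozen=True)
class ObservedRead:
    """One base-table/view read captured by infra-preflight."""
    obj: str
    observation_source: str
    smoke_pattern_hash: str
    observed_at: datetime


def compare_read_surface(expected, observed, now):
    """Return the verdict plus the evidence behind it.

    Observed-not-expected  -> BLOCKED_READ_PATH (unmanifested read).
    Expected-not-observed or stale/incomplete -> OPERATOR_REQUIRED.
    Only an empty result in every bucket clears the read surface.
    """
    expected_by_obj = {e.obj: e for e in expected}
    observed_objs = {o.obj for o in observed}

    # EXCEPT direction 1: reads no manifest row authorises
    observed_not_expected = sorted(observed_objs - expected_by_obj.keys())
    # EXCEPT direction 2: manifest rows never seen at all
    expected_not_observed = sorted(expected_by_obj.keys() - observed_objs)

    # A row is satisfied only by an observation that is fresh under the row's own
    # max age, comes from the bound source and carries the sealed pattern hash.
    # Assumption: any other match counts as stale/incomplete.
    stale_or_incomplete = []
    for obj, e in expected_by_obj.items():
        if obj not in observed_objs:
            continue
        satisfied = any(
            o.observation_source == e.observation_source
            and o.smoke_pattern_hash == e.smoke_pattern_hash
            and (now - o.observed_at).total_seconds() <= e.observation_max_age_seconds
            for o in observed if o.obj == obj
        )
        if not satisfied:
            stale_or_incomplete.append(obj)

    if observed_not_expected:
        verdict = BLOCKED_READ_PATH
    elif expected_not_observed or stale_or_incomplete:
        verdict = OPERATOR_REQUIRED
    else:
        verdict = READ_SURFACE_OK
    return {
        "verdict": verdict,
        "observed_not_expected": observed_not_expected,
        "expected_not_observed": expected_not_observed,
        "stale_or_incomplete": sorted(stale_or_incomplete),
        "read_surface_clear": verdict == READ_SURFACE_OK,
    }


# Constructed sample contract and observations (not real FIX7 data).
NOW = datetime(2026, 6, 7, 12, 0, tzinfo=timezone.utc)
EXPECTED = [
    ExpectedRead("items.read", "rest:/items", "cp.articles", "pg_audit", "h_articles", 600),
    ExpectedRead("items.read", "rest:/items", "cp.authors", "pg_audit", "h_authors", 600),
]


def observed_sample(extra=None, authors_age=60, include_authors=True):
    """Build a constructed observation set with optional extra/stale/missing cases."""
    obs = [ObservedRead("cp.articles", "pg_audit", "h_articles", NOW - timedelta(seconds=30))]
    if include_authors:
        obs.append(ObservedRead("cp.authors", "pg_audit", "h_authors", NOW - timedelta(seconds=authors_age)))
    if extra:
        obs.append(ObservedRead(extra, "pg_audit", "h_unknown", NOW))
    return obs


if __name__ == "__main__":
    print(compare_read_surface(EXPECTED, observed_sample(extra="cp.secret_keys"), NOW)["verdict"])
```

The blocking branch is evaluated first on purpose: an unmanifested read is a policy violation regardless of how fresh the rest of the evidence is, whereas a missing or stale observation is a data-completeness problem that an operator can resolve by re-capturing. A clear result here is only one of the two inputs to readiness; the authority-zero evidence from the cutover still has to be fresh and hash-bound.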

FIX7b atomically transfers ownership, removes authority, applies exact SELECT/USAGE manifest rows, resets default privileges so they grant nothing to Directus or PUBLIC, increments the epoch, and keeps readiness false. Post-cutover smoke replays every registered Directus read contract and compares response/status hashes; mutation/DDL/EXECUTE denial tests must also pass. Readiness remains blocked until both read-smoke and authority-zero evidence are fresh and hash-bound.
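The privilege set from "Exact Post-Cutover Privileges" and the grant/revoke part of the FIX7b cutover, as an added example that is not part of the original document or of the FIX7 tooling: the PostgreSQL statements are derived from the active manifest rather than hardcoded, so the table list lives only in the manifest. `qt001_cp_owner` is named on the page; the Directus role name `qt001_directus_rt`, the editor role, the schema `cp` and its objects are constructed, and the ownership target (the owner role) is an assumption. Epoch increment and readiness bookkeeping are left out because the page does not define where they are stored.

```python
"""Derive FIX7 cutover statements from the ACTIVE PRIVILEGE_SET manifest.

Added example, not FIX7 code. Emits PostgreSQL DDL/DCL as strings; run them
inside the single cutover transaction the page describes.
"""
import hashlib
import json

OWNER_ROLE = "qt001_cp_owner"          # named on the page
DIRECTUS_ROLE = "qt001_directus_rt"    # hypothetical sealed Directus runtime principal

# Constructed sample manifest rows; the real rows come from the sealed,
# hashed, quorum-activated manifest version.
SAMPLE_MANIFEST = [
    {"grantee": DIRECTUS_ROLE, "object_type": "base table", "object": "cp.articles", "privilege": "SELECT"},
    {"grantee": DIRECTUS_ROLE, "object_type": "base table", "object": "cp.authors", "privilege": "SELECT"},
    {"grantee": DIRECTUS_ROLE, "object_type": "view", "object": "cp.v_article_summary", "privilege": "SELECT"},
    # Row for another principal: must never leak into the Directus grant set.
    {"grantee": "qt001_editor_rw", "object_type": "base table", "object": "cp.articles", "privilege": "UPDATE"},
]


def manifest_hash(rows):
    """Hash the manifest canonically (sorted keys, sorted rows) so row order is irrelevant."""
    ordered = sorted(rows, key=lambda r: json.dumps(r, sort_keys=True))
    canonical = json.dumps(ordered, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def qi(*parts):
    """Double-quote identifiers, doubling embedded quotes, so names cannot splice SQL."""
    return ".".join('"' + p.replace('"', '""') + '"' for p in parts)


def quote_object(qualified):
    """schema.name -> "schema"."name"; unqualified names are rejected."""
    schema, _, name = qualified.partition(".")
    if not schema or not name:
        raise ValueError(f"object must be schema-qualified: {qualified!r}")
    return qi(schema, name)


def read_objects(rows, grantee, object_type):
    """The exact manifest subset: this grantee, this object type, privilege SELECT."""
    return sorted(r["object"] for r in rows
                  if r["grantee"] == grantee
                  and r["object_type"] == object_type
                  and r["privilege"] == "SELECT")


def cutover_statements(rows, directus_role=DIRECTUS_ROLE, owner_role=OWNER_ROLE):
    """Ownership transfer, full revoke, default-privilege reset, then exact USAGE/SELECT grants."""
    tables = read_objects(rows, directus_role, "base table")
    views = read_objects(rows, directus_role, "view")
    schemas = sorted({o.split(".", 1)[0] for o in tables + views})
    d, owner = qi(directus_role), qi(owner_role)
    stmts = ["BEGIN;"]
    for schema in schemas:
        s = qi(schema)
        stmts += [
            # Strip every existing right from Directus and PUBLIC on the schema and its objects.
            f"REVOKE ALL PRIVILEGES ON SCHEMA {s} FROM {d}, PUBLIC;",
            f"REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA {s} FROM {d}, PUBLIC;",
            f"REVOKE ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA {s} FROM {d}, PUBLIC;",
            f"REVOKE ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA {s} FROM {d}, PUBLIC;",
            # Default privileges owned by the owner role must grant nothing to either.
            f"ALTER DEFAULT PRIVILEGES FOR ROLE {owner} IN SCHEMA {s} REVOKE ALL ON TABLES FROM {d}, PUBLIC;",
            f"ALTER DEFAULT PRIVILEGES FOR ROLE {owner} IN SCHEMA {s} REVOKE ALL ON SEQUENCES FROM {d}, PUBLIC;",
            f"ALTER DEFAULT PRIVILEGES FOR ROLE {owner} IN SCHEMA {s} REVOKE ALL ON FUNCTIONS FROM {d}, PUBLIC;",
            # USAGE is the only schema-level right Directus keeps.
            f"GRANT USAGE ON SCHEMA {s} TO {d};",
        ]
    for t in tables:   # assumption: manifest base tables end up owned by the owner role
        stmts.append(f"ALTER TABLE {quote_object(t)} OWNER TO {owner};")
    for o in tables + views:   # exactly the manifest-listed objects, nothing else
        stmts.append(f"GRANT SELECT ON TABLE {quote_object(o)} TO {d};")
    stmts.append("COMMIT;")
    return stmts


if __name__ == "__main__":
    print("manifest", manifest_hash(SAMPLE_MANIFEST))
    print("\n".join(cutover_statements(SAMPLE_MANIFEST)))
```

Revokes run before grants so the end state is the manifest and only the manifest, whatever was granted before; the `ALTER DEFAULT PRIVILEGES` lines cover objects the owner creates later, which `REVOKE ... ON ALL TABLES` alone would miss. Rollback is the same generator fed the prior reviewed manifest version.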

Rollback restores only the prior reviewed SELECT/USAGE manifest as a new version, never DML/DDL or unsafe writer authority; it increments the epoch and keeps readiness false.

Source path: knowledge/dev/reports/architecture/codex-fix7-spec-artifact-correction-from-t1-proposals-2026-06-07/08-cp07-directus-select-retention-read-path.md