KB-7B7E

CP-07 Directus SELECT-Only Read Path Review

Revision 1

07 - SUPERTRACK G — CP-07 Directus SELECT-Only Base-Table Read Path Review

Source reviewed: doc 08-cp07-directus-select-retention-read-path.md (revision 1).

Verdict: CP07_VERIFIED

Checklist evidence

  • Path decided — VERIFIED. FIX7 selects path A explicitly: "Directus retains SELECT on the exact manifest-listed base tables it currently reads. FIX7 does not migrate Directus reads to presentation views." This removes the prior base-table-vs-view ambiguity that drove CP-07.
  • Directus retains SELECT on listed business base tables — VERIFIED, and not hardcoded: the table list is "the exact ACTIVE PRIVILEGE_SET manifest subset where grantee principal is the sealed Directus runtime principal, object type is base table, and privilege is SELECT." Manifest-driven, sealed, quorum-activated.
  • Directus loses DML/DDL authority over control-plane — VERIFIED ("no INSERT/UPDATE/DELETE/TRUNCATE/REFERENCES/TRIGGER/CREATE/EXECUTE/ownership/grant option on control-plane/protected objects"; PUBLIC no privilege; owner default privileges do not grant Directus/PUBLIC authority).
  • Preflight specified, sourced from real queries — VERIFIED. infra-preflight "captures Directus's actual emitted query surface from registered Directus collection metadata plus read-only database access/audit evidence," compares actual base-table/view reads to proposed manifest SELECT objects in BOTH EXCEPT directions, and returns BLOCKED_READ_PATH on any missing/extra/unknown/unmanifested read. This is the real-emitted-query capture I asked for.
  • Cutover + post-cutover smoke — VERIFIED. FIX7b atomically transfers ownership, removes authority, applies exact SELECT/USAGE manifest rows, fixes default privileges, increments epoch, keeps readiness false. Smoke "replays every registered Directus read contract and compares response/status hashes; mutation/DDL/EXECUTE denial tests must also pass."
  • No-go if read paths break / readiness blocked until verified — VERIFIED ("Readiness remains blocked until both read-smoke and authority-zero evidence are fresh and hash-bound").
  • Rollback — VERIFIED ("restores only the prior reviewed SELECT/USAGE manifest as a new version, never DML/DDL or unsafe writer authority; increments epoch and keeps readiness false").

Residual (RP-08, advisory)

The preflight derives the "actual emitted query surface" from collection metadata + db access/audit evidence. Audit evidence is only as complete as its observation window; an under-representative window could miss a rarely-emitted base-table read, which would surface as a post-cutover break (fail-closed, but disruptive). Recommend the preflight evidence assert observation completeness (min coverage period / source-completeness attestation) and fail closed if insufficient. Advisory — the both-EXCEPT-direction block already fails closed on any unmanifested read at smoke time.
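The preflight comparison from the checklist, combined with the RP-08 completeness gate recommended above, can be sketched as follows. This is an added example, not code from FIX7 or the reviewed doc. The 30-day minimum, the `PREFLIGHT_OK` status, the `insufficient_observation` reason, the field names and the table names are all assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta

# Assumed policy value: the review recommends a minimum coverage period but names none.
MIN_WINDOW = timedelta(days=30)

@dataclass(frozen=True)
class ReadEvidence:
    reads: frozenset          # base tables/views Directus was observed reading
    window: timedelta         # span covered by the access/audit evidence
    sources_attested: bool    # source-completeness attestation present

def preflight(evidence, manifest_select, catalog):
    """Return (status, detail); anything but an exact match is blocked."""
    # RP-08: fail closed when the evidence cannot prove it saw the full read surface.
    if evidence.window < MIN_WINDOW or not evidence.sources_attested:
        return "BLOCKED_READ_PATH", {"reason": "insufficient_observation"}
    detail = {
        # actual EXCEPT manifest: reads the cutover would break
        "unmanifested": sorted(evidence.reads - manifest_select),
        # manifest EXCEPT actual: SELECT grants no observed read justifies
        "extra": sorted(manifest_select - evidence.reads),
        # reads or grants naming objects absent from the catalog
        "unknown": sorted((evidence.reads | manifest_select) - catalog),
    }
    if any(detail.values()):
        return "BLOCKED_READ_PATH", detail
    return "PREFLIGHT_OK", detail  # hypothetical pass status, not named on the page

# Constructed sample data (object names are illustrative only).
CATALOG = frozenset({"public.orders", "public.customers", "public.invoices"})
MANIFEST = frozenset({"public.orders", "public.customers"})

def demo():
    full = ReadEvidence(frozenset({"public.orders", "public.customers"}), timedelta(days=45), True)
    rare = ReadEvidence(full.reads | {"public.invoices"}, timedelta(days=45), True)
    short = ReadEvidence(full.reads, timedelta(days=3), True)
    return [preflight(e, MANIFEST, CATALOG) for e in (full, rare, short)]

if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```

The third case is the one RP-08 targets: the two set differences are empty, yet the result is still blocked because a 3-day window cannot rule out a rarely-emitted read.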

Conclusion

Path A is chosen unambiguously with real-query preflight, hash-bound smoke, and safe rollback, all manifest-driven. CP07_VERIFIED; observation-window completeness carried as advisory RP-08.

knowledge/dev/reports/architecture/t1-fix7-corrected-spec-short-review-proposals-2026-06-07/07-cp07-directus-read-path-review.md