KB-6851
XHigh Review - Directus Read-vs-Authority Cutover
Revision 1
Tags: fix7, architecture, xhigh-review, directus-cutover
04 - SUPERTRACK D: Directus Read-vs-Authority Cutover Review
Checks
| check | result |
|---|---|
| Directus SELECT retention preserved | PASS - #21 privilege_set + G-DIRECTUS-READ; re-grant identical SELECT at S16 |
| Directus DML/DDL authority removed only in operator-gated phase | PASS - REVOKE only at PKG-G (OPERATOR); never in author-only packages |
| Directus read-contract captured before cutover | PASS - S00 captures the live SELECT set (MX-1); PKG-B blocked until captured |
| no blueprint step breaks live CMS/read paths | PASS-after-fix - G-DIRECTUS-APP-INTACT keeps directus_* app + business-table authority; scope limited to control objects |
| ACL cutover scoped to control objects only | PASS - doc 04 S16 / doc 07 PKG-G / doc 08 all say qt001_cp + enumerated legacy control objects ONLY |
| rollback snapshot before REVOKE mandatory + rehearsed | PASS - MX-3: captured, read-back-verified, restore-rehearsed before any REVOKE; unverified snapshot blocks cutover |
| Directus cannot mutate authority after cutover | PASS - ownership moves to qt001_cp_owner; directus/PUBLIC authority revoked on control objects; writers SECURITY DEFINER owner-controlled |
| before cutover, readiness remains blocked | PASS - readiness stays BLOCKED until the manifest path is active + cutover done; doc 04 ordering note |
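The checks above describe a sequence (enumerate control objects, snapshot and read-back-verify the ACL, revoke only on that set, re-grant the identical SELECT, verify). The PostgreSQL script below is an added rehearsal example, not a step from the reviewed blueprint; it assumes the role names directus and qt001_cp_owner, a control-object list you fill in by name (placeholders shown), and a snapshot table and batch label introduced here.

```sql
-- Added example, not from the reviewed blueprint. Assumed: roles directus and
-- qt001_cp_owner; control objects enumerated by name (placeholders below);
-- snapshot table and batch label 'rehearsal-1' introduced here.
-- MX-1: control objects are listed explicitly, never matched by prefix.
CREATE TEMP TABLE control_objects (rel regclass NOT NULL);
INSERT INTO control_objects VALUES
  ('qt001_cp.placeholder_control_table'::regclass),  -- placeholder name
  ('qt001_cp.placeholder_control_view'::regclass);   -- placeholder name
-- MX-3: persist the full ACL and the live SELECT answer, committed before any REVOKE.
CREATE TABLE IF NOT EXISTS cutover_acl_snapshot (batch text NOT NULL,
  rel regclass NOT NULL, relacl aclitem[], directus_select boolean NOT NULL);
INSERT INTO cutover_acl_snapshot
SELECT 'rehearsal-1', co.rel, c.relacl, has_table_privilege('directus', co.rel, 'SELECT')
FROM control_objects co JOIN pg_class c ON c.oid = co.rel;

BEGIN;  -- cutover is atomic: any RAISE below leaves the pre-cutover ACLs intact
DO $$
DECLARE r regclass; bad int;
BEGIN
  -- Read-back verification: an incomplete snapshot blocks the cutover.
  IF (SELECT count(*) FROM cutover_acl_snapshot WHERE batch = 'rehearsal-1')
     <> (SELECT count(*) FROM control_objects) THEN
    RAISE EXCEPTION 'ACL snapshot unverified: cutover blocked';
  END IF;
  -- S16 / PKG-G: move ownership, strip directus and PUBLIC authority on the
  -- control objects only, then re-grant exactly the SELECT the snapshot recorded.
  FOR r IN SELECT rel FROM control_objects LOOP
    EXECUTE format('ALTER TABLE %s OWNER TO qt001_cp_owner', r);
    EXECUTE format('REVOKE ALL ON %s FROM PUBLIC, directus', r);
    IF (SELECT directus_select FROM cutover_acl_snapshot
        WHERE rel = r AND batch = 'rehearsal-1') THEN
      EXECUTE format('GRANT SELECT ON %s TO directus', r);
    END IF;
  END LOOP;
  -- Post-condition: read contract identical, no DML authority left, owner moved.
  SELECT count(*) INTO bad
  FROM control_objects co
  JOIN pg_class c ON c.oid = co.rel
  JOIN cutover_acl_snapshot s ON s.rel = co.rel AND s.batch = 'rehearsal-1'
  WHERE c.relowner <> 'qt001_cp_owner'::regrole
     OR has_table_privilege('directus', co.rel, 'SELECT') <> s.directus_select
     OR has_table_privilege('directus', co.rel, 'INSERT,UPDATE,DELETE,TRUNCATE')
     OR has_table_privilege('public', co.rel, 'SELECT,INSERT,UPDATE,DELETE');
  IF bad > 0 THEN
    RAISE EXCEPTION '% control object(s) violate the cutover contract', bad;
  END IF;
END $$;
COMMIT;
```

The snapshot rows are committed before the cutover transaction opens, so they survive an aborted cutover and remain available for the restore rehearsal; run the script as the current object owner (or a superuser) that is also a member of qt001_cp_owner, since ALTER ... OWNER TO requires both.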
Finding
XHD-01 (P2) - PKG-G no-go incomplete
- PKG-G validation already listed G-DIRECTUS-APP-INTACT, but the PKG-G no-go line read only "Directus loses required SELECT; readiness false-unblock". It omitted (a) loss of directus_*/business-table authority and (b) the unverified-snapshot stop condition. A no-go condition weaker than its own validation is a latent gap.
- Fix: PKG-G no-go now reads "Directus loses required SELECT OR its directus_*/business-table authority; unverified ACL snapshot; readiness false-unblock."
Cross-impact checked
- Scoping the REVOKE to control objects is consistent across doc 04 S16, doc 07 PKG-G, doc 08 Directus row, and the new G-DIRECTUS-APP-INTACT guard - no contradiction.
- The "262 control objects owned by directus" reference (doc 01/08) is a FIX6-era broad figure; XHigh live-counted 26 qt001%/birth% relations owned by directus (the 196 v_qt001_* views carry a different prefix). The cutover targets the enumerated control-object set, not a literal count, so the figure discrepancy does not affect correctness; noted for precision.
Verdict
DIRECTUS_CUTOVER_PASS_AFTER_FIX - read retained, authority removed only operator-gated and only on control objects, snapshot verified before REVOKE, no-go tightened. Live CMS app authority is explicitly preserved.