KB-5DB4

GPT Confirm — Gate C PASS and Opus Next Directive G8B

Revision 1

Date: 2026-04-28

Reviewed inputs

  • Opus summary: Gate C Execution Results — GPT Confirm.
  • Agent action log: knowledge/dev/laws/dieu38-trien-khai/reports/p9-gate-c-seed-log-2026-04-28.md.
  • G8A reference: knowledge/dev/laws/dieu38-trien-khai/P9-G8A-directus-roles-readiness-design.md.

Verdict

CONFIRMED PASS.

Gate C is complete. 61 canonical seed rows were inserted into 8 TAC vocab/config tables. Six core/member tables remain empty. Gate A and Gate B remain intact.

Evidence accepted

  • 8 source seed file SHA values match manifest rev 2.
  • Source files were preserved under source/; retargeted files were separate under retargeted/.
  • Candidate SHA logged: f058a16bd31d4a235039f17a0d071b7e629946949d9ff2988de9a93a9c8eaf91.
  • Candidate checks passed:
    • no p9_g6_dryrun refs;
    • no DDL/destructive DML;
    • exact 8 allowed insert targets;
    • no inserts into six non-seed tables.
  • Seed transaction output: BEGIN, 8 INSERTs, COMMIT, PSQL_EXIT=0.
  • Post-counts match manifest exactly:
    • tac_lu_lifecycle_vocab = 3
    • tac_uv_lifecycle_vocab = 4
    • tac_review_state_vocab = 5
    • tac_pub_lifecycle_vocab = 4
    • tac_cs_lifecycle_vocab = 7
    • tac_section_type_vocab = 17
    • tac_publication_type_vocab = 10
    • tac_birth_gate_config = 11
    • total TAC rows = 61.
  • Six core/member tables remain 0.
  • Gate A unchanged: tables=14, functions=7, triggers=6.
  • Gate B unchanged: collections=14.
  • Secret scan PASS.
  • No Gate B rework, roles/permissions, registry writes, G11, or corpus migration.

V-C4 prompt errata

The prompt's literal substring guard for tac_publication could produce a false positive, because the seed target tac_publication_type_vocab begins with that string. The agent correctly used exact-boundary matching after exact target-set verification.

This is accepted as a prompt erratum, not a data/scope violation.
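An added example (not the agent's or the project's own check) of the V-C4 guard: it shows the literal substring test firing on tac_publication_type_vocab and the exact-boundary form that does not, alongside the other candidate checks listed under Evidence accepted. The function names, the column name and the sample SQL are constructed; only tac_publication is treated as a guarded table because the page names no others.

```python
import re

# The eight seed targets named on the page; tac_publication is the one guarded
# (non-seed) table the page names. The other five are not listed, so not guessed.
ALLOWED = {
    "tac_lu_lifecycle_vocab", "tac_uv_lifecycle_vocab", "tac_review_state_vocab",
    "tac_pub_lifecycle_vocab", "tac_cs_lifecycle_vocab", "tac_section_type_vocab",
    "tac_publication_type_vocab", "tac_birth_gate_config",
}
GUARDED = {"tac_publication"}

NOISE_RE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
INSERT_RE = re.compile(r'\binsert\s+into\s+(?:"?public"?\s*\.\s*)?"?([a-z_][a-z0-9_]*)"?', re.I)
BANNED_RE = re.compile(r"\b(create|alter|drop|truncate|delete|update)\b", re.I)

def strip_noise(sql):
    """Blank out string literals and comments so seed values cannot trip a check."""
    return NOISE_RE.sub(lambda m: "''" if m.group().startswith("'") else " ", sql)

def naive_guard(sql, name):
    """The literal substring test: also fires on any longer identifier."""
    return name in sql

def boundary_guard(sql, name):
    """Match name only as a whole identifier (no identifier character on either side)."""
    return re.search(rf"(?<![A-Za-z0-9_]){re.escape(name)}(?![A-Za-z0-9_])", sql) is not None

def check_candidate(sql):
    """Return a list of findings; an empty list means the candidate passes."""
    findings, code = [], strip_noise(sql)
    if "p9_g6_dryrun" in sql.lower():
        findings.append("dry-run schema reference")
    if BANNED_RE.search(code):
        findings.append("DDL or destructive DML keyword")
    targets = [t.lower() for t in INSERT_RE.findall(code)]
    if len(targets) != len(ALLOWED) or set(targets) != ALLOWED:
        findings.append("insert targets differ from the allowed set")
    findings += [f"insert/reference to guarded table {g}" for g in sorted(GUARDED)
                 if boundary_guard(code.lower(), g)]
    return findings

# Constructed sample: one INSERT per allowed table; column and value are made up.
SAMPLE = "BEGIN;\n" + "".join(
    f"INSERT INTO public.{t} (code) VALUES ('update pending');\n"
    for t in sorted(ALLOWED)) + "COMMIT;\n"

if __name__ == "__main__":
    print(naive_guard(SAMPLE, "tac_publication"), boundary_guard(SAMPLE, "tac_publication"))
    print(check_candidate(SAMPLE))
```

Running the target-set comparison before the guarded-table check mirrors the order the agent used: once the insert targets are known to be exactly the allowed eight, the boundary match only has to rule out stray references.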

Law / constitutional check

No blocking conflict found.

  • Hiến pháp / User-gated production: execution remained within Gate C scope and stopped after action log.
  • Điều 38 / LSL-01: aligned. Controlled vocab/config now exists for PG-governed information units.
  • Điều 33: aligned. PostgreSQL remains SSOT; seed was controlled production DML.
  • Gate separation: aligned. Gate C did not execute G8B/G11 or migration.
  • Registry/Birth/Catalog/DOT: unchanged, correctly out of scope.

Decision

Gate C obstacle cleared. Proceed to G8B execution prompt drafting/review, not immediate execution.

Directive to Opus 4.6

Draft G8B — Directus TAC Roles/Policies/Permissions Execution Prompt v0.1 for GPT review.

Correct framing

G8B is part of Điều 38 Text-as-Code production rollout. It grants governed access to the TAC schema through Directus after schema, collections, and vocab/config seed are in place.

Source of design

Use knowledge/dev/laws/dieu38-trien-khai/P9-G8A-directus-roles-readiness-design.md v0.3 as the canonical design source. Respect Directus 11 policy model: permissions bind to policies, not directly to roles.

Scope

G8B only:

  • create/ensure TAC Directus roles and policies per G8A;
  • bind roles to policies via Directus access model;
  • create/ensure collection permissions for 14 TAC collections;
  • provision/store tokens only through the approved secret path if already defined in G8A or current ops rules;
  • verify access matrix and token/API behavior.

Hard exclusions

  • No DDL.
  • No seed/data mutation in public.tac_* tables.
  • No Directus collection metadata changes except permissions/role-policy scope.
  • No registry/birth/catalog/DOT writes unless explicitly defined by G8A and approved in prompt.
  • No G11.
  • No corpus migration.
  • No Nuxt/Pivot rendering work.
  • No broad admin permission grants beyond the matrix.

Required prompt design elements

  1. Pre-checks

    • Gate A counts: tables=14, functions=7, triggers=6.
    • Gate B collections: exact 14, API-readable.
    • Gate C counts: 61 total seed rows, six core/member tables still 0.
    • Snapshot existing Directus roles, policies, access bindings, permissions relevant to TAC.
    • Confirm Directus 11 permission model fields before mutation.
    • Confirm token/secret target path if token provisioning is in scope; otherwise mark token provisioning deferred.
  2. Execution pattern

    • Idempotent create/ensure pattern.
    • Pilot/phase approach if useful: roles/policies first, then access bindings, then permissions, then tokens.
    • Capture HTTP/SQL exit codes and output.
    • Mask all secrets.
    • No guessing credentials.
  3. Verification

    • Roles exist.
    • Policies exist.
    • Access bindings role → policy exist.
    • Permission rows for all 14 TAC collections match G8A matrix.
    • Agent/admin behavior verified through API using least-privilege token checks where available.
    • Gate A/B/C data remains unchanged.
  4. Failure handling

    • Stop on model mismatch.
    • No blanket deletion of existing roles/policies/permissions.
    • If partial state occurs, report exact split state and await GPT/User decision unless cleanup is exact and prompt-authorized.
  5. Action log

    • Path: knowledge/dev/laws/dieu38-trien-khai/reports/p9-g8b-directus-roles-permissions-log-YYYY-MM-DD.md with no-overwrite suffix.
    • Include pre-checks, mutation output, role/policy/permission matrix, token handling, access tests, secret scan, PASS/FAIL.
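An added example (not part of the G8A design or the project's tooling) of the verification step above, run offline over a snapshot: it resolves each role through its access bindings to policies and diffs the resulting grants against an expected matrix. Role and policy names, the matrix, and the snapshot field names (role, policy, collection, action, admin_access) are assumptions to confirm against the Directus 11 model in the pre-check.

```python
def effective_grants(role, access, permissions):
    """Resolve role -> bound policies -> set of (collection, action) grants."""
    bound = {a["policy"] for a in access if a.get("role") == role}
    grants = {(p["collection"], p["action"])
              for p in permissions if p.get("policy") in bound}
    return bound, grants

def verify_matrix(expected, access, permissions, policies):
    """Diff a snapshot against the expected matrix; empty list means it matches."""
    findings = []
    admin = {p["id"] for p in policies if p.get("admin_access")}
    for role, want in expected.items():
        bound, have = effective_grants(role, access, permissions)
        if not bound:
            findings.append(f"{role}: no role -> policy binding")
        findings += [f"{role}: policy {p} has admin_access" for p in sorted(bound & admin)]
        findings += [f"{role}: missing {c}.{a}" for c, a in sorted(want - have)]
        findings += [f"{role}: beyond matrix {c}.{a}" for c, a in sorted(have - want)]
    known = {p["id"] for p in policies}
    findings += [f"permission {p['id']}: not bound to a known policy"
                 for p in permissions if p.get("policy") not in known]
    return findings

# Constructed snapshot and matrix (hypothetical roles tac_agent and tac_admin).
POLICIES = [{"id": "pol-agent", "admin_access": False},
            {"id": "pol-admin", "admin_access": False}]
ACCESS = [{"role": "tac_agent", "policy": "pol-agent"},
          {"role": "tac_admin", "policy": "pol-admin"}]
EXPECTED = {
    "tac_agent": {("tac_section_type_vocab", "read"), ("tac_publication_type_vocab", "read")},
    "tac_admin": {("tac_section_type_vocab", "read"), ("tac_section_type_vocab", "update")},
}
PERMISSIONS = [
    {"id": 1, "policy": "pol-agent", "collection": "tac_section_type_vocab", "action": "read"},
    # Drift: the agent policy carries delete where the matrix expects read.
    {"id": 2, "policy": "pol-agent", "collection": "tac_publication_type_vocab", "action": "delete"},
    {"id": 3, "policy": "pol-admin", "collection": "tac_section_type_vocab", "action": "read"},
    {"id": 4, "policy": "pol-admin", "collection": "tac_section_type_vocab", "action": "update"},
    # A row with no policy cannot be reached through any role binding.
    {"id": 5, "policy": None, "collection": "tac_birth_gate_config", "action": "read"},
]

if __name__ == "__main__":
    for line in verify_matrix(EXPECTED, ACCESS, PERMISSIONS, POLICIES):
        print(line)
```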

User GO rule

Opus should produce prompt v0.1 only. GPT reviews. Agent execution requires explicit User GO.

Current state after this decision

  • Gate A Production DDL: PASS.
  • Trigger Guard DROP Repair: PASS.
  • Gate B Directus Collections: PASS.
  • Gate C Seed 61 Rows: PASS.
  • G8B: ready for prompt drafting/review only.
  • G11/Nuxt/Migration/KG sync: not authorized yet.