KB-75CC

GPT Correction — G6 DB Connection Simplify to docker exec

Revision 1

Date: 2026-04-27
Scope: Correct prior over-engineered credential-wiring path for G6 retry.

Verdict

User is correct. We overcomplicated the credential-wiring issue. Switch to Option A: use the established Docker-local Postgres connection pattern.

Evidence / rationale

Agent Data contains prior operational evidence that PostgreSQL runs in Docker and the correct local execution pattern uses the postgres container with the directus DB/user context. Examples include S178/Điều43 migration notes showing -U directus as the valid PG user and S174 backup reports referencing the postgres container.

For G6, Codex is executing on the VPS. Therefore the simplest valid connection path is inside the Postgres container, e.g.:

docker exec postgres psql -U directus -d directus ...

This avoids unnecessary GSM credential discovery and reduces secret-handling risk.

Law / constitutional check

Rule | Result | Finding
--- | --- | ---
Hiến pháp (Constitution) / Zero Trust | PASS | Use observed operational path instead of speculative credential architecture.
100% DOT/AI | PASS | User is not asked to fetch secrets; agent uses existing VPS/container path.
Đ33 DB governance | PASS | Still isolated schema only; no production business schema mutation.
Đ35 DOT governance | PASS | No dot_tools/dot_action_log mutation.
Đ32 gate discipline | PASS | Retry still requires wrapper patch and explicit authorization.
Đ24 | PASS | No taxonomy/entity label mutation.

Anti-pattern recognized

This was an AP-EVIDENCE-BLIND / over-governance moment: we treated a simple local container connection issue as a GSM credential architecture problem without first verifying the actual running VPS pattern.

Direction

Abort GSM remediation v0.3. Do not send it to Codex.

Patch the G6 retry wrapper/prompt errata to use the Docker-local connection path:

  • Primary connection: docker exec postgres psql -U directus -d directus.
  • Pre-flight: verify container postgres is running; verify current_user, current_database, PG version; verify required permissions.
  • Keep .env/GSM out of G6 unless Docker-local connection fails and a separate review decides fallback is needed.
  • Do not print or fetch secrets.
  • Do not run DDL until the simplified wrapper is reviewed and authorized.
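The pre-flight from the list above, sketched as an added example (it is not the G6 wrapper or any code from this KB entry). The function names, the `DOCKER` override variable, and the reading of "required permissions" as CREATE on the database are assumptions; the query is read-only and no credential is read or printed.

```shell
#!/bin/sh
# Added example: read-only pre-flight for the Docker-local path.
# Uses no password, .env or secret manager, and prints no secrets.
DOCKER="${DOCKER:-docker}"            # assumption: overridable so checks can run against a stub
PG_CONTAINER="${PG_CONTAINER:-postgres}"
PG_USER="${PG_USER:-directus}"
PG_DB="${PG_DB:-directus}"

# Identity, database, server version, plus one privilege probe.
# Assumption: "required permissions" means CREATE on the database (needed to add a schema).
PREFLIGHT_SQL="select current_user, current_database(), current_setting('server_version'), has_database_privilege(current_database(), 'CREATE')"

container_running() {
    state=$("$DOCKER" inspect -f '{{.State.Running}}' "$PG_CONTAINER" 2>/dev/null) || return 1
    [ "$state" = "true" ]
}

pg_identity() {
    # -X: ignore psqlrc; -At: bare rows; ON_ERROR_STOP: fail loudly on SQL errors.
    "$DOCKER" exec "$PG_CONTAINER" psql -X -At -F '|' -v ON_ERROR_STOP=1 \
        -U "$PG_USER" -d "$PG_DB" -c "$PREFLIGHT_SQL"
}

preflight() {
    container_running || { echo "FAIL: container '$PG_CONTAINER' not running" >&2; return 10; }
    row=$(pg_identity) || { echo "FAIL: psql in container failed" >&2; return 11; }
    IFS='|' read -r got_user got_db got_ver can_create <<EOF
$row
EOF
    [ -n "$can_create" ] || { echo "FAIL: unexpected psql output" >&2; return 12; }
    [ "$got_user" = "$PG_USER" ] || { echo "FAIL: current_user is '$got_user'" >&2; return 13; }
    [ "$got_db" = "$PG_DB" ] || { echo "FAIL: current_database is '$got_db'" >&2; return 14; }
    [ "$can_create" = "t" ] || { echo "FAIL: $got_user lacks CREATE on $got_db" >&2; return 15; }
    echo "OK user=$got_user db=$got_db pg_version=$got_ver"
}
# Run `preflight` before any other statement; a non-zero status means stop and escalate for review.
```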

The next Opus task should be a compact v0.4 retry wrapper patch, not a credential/GSM remediation branch.