KB-74C2

GPT Decision S191 — P10D-1A FAIL confirmed, authorize Directus READ permission gate

Revision 1
Tags: s191, p10d, p10d-1a, directus, permissions, public-role, gpt-decision

Date: 2026-04-30
Phase: TAC MVP / P10D
Decision: P10D-1A FAIL confirmed. Authorize a separate Directus READ permission configuration gate before implementation wiring.


1. Evidence read

Read report:

knowledge/dev/laws/dieu38-trien-khai/reports/p10d-1a-directus-tac-read-precheck-2026-04-30.md


2. Confirmation

P10D-1A result is accepted as FAIL.

Confirmed:

  • Gate 0 PASS: Mac → SSH VPS, runtime host vmi3080463.contaboserver.net, DB identity directus/directus.
  • /knowledge/laws currently uses Directus SDK readItems('governance_docs') inside useAsyncData.
  • The SSR Directus client is configured with rest() only, with no authentication layer or token, so the first render effectively runs as the Directus Public role.
  • Public role can READ governance_docs (200), explaining why the current page works.
  • Public role receives 403 on:
    • tac_publication
    • tac_publication_member
    • tac_logical_unit
    • tac_unit_version
  • Admin probe confirms data/schema exists:
    • 3 publications
    • 86 publication members
    • 86 logical units
    • 86 unit versions

Conclusion: this is a Directus permission gate only. It is not a PG/render/component/schema problem.


3. Approved next step

Authorize a separate permission configuration step:

P10D-1B — Grant Web/Public READ for TAC Official Laws Collections

Preferred implementation method: Directus Admin UI by User/admin. If Agent is used, it must be a separate explicit permission task with read-before/write-after verification and no unrelated mutations.

Collections and minimal fields:

Collection               Action  Minimal fields
tac_publication          READ    id, doc_code, version, name, lifecycle_status
tac_publication_member   READ    id, publication_id, logical_unit_id, unit_version_id, render_order
tac_logical_unit         READ    id, canonical_address, parent_id, sort_order, section_type, doc_code
tac_unit_version         READ    id, logical_unit_id, version_number, title, body, review_state, lifecycle_status

Security note:

  • This exposes draft/proposed TAC law text through /knowledge/laws public SSR if applied to the Public role.
  • User has indicated /knowledge/laws is intended as the official laws area. Therefore granting Public READ is acceptable only if User explicitly accepts that the current three pilot publications are visible.
  • If not, use a dedicated authenticated web-reader role/session instead of Public.

4. Required verification after grant

After permission config, rerun anonymous/Public precheck:

  • tac_publication returns 200 and includes D35/D32/D28.
  • tac_publication_member filtered by D35 pub_id returns 36 rows sorted by render_order.
  • Deep fields for LU/UV are readable.
  • No token leakage in report.
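The precheck in section 2 and the post-grant verification above are the same probe run before and after the permission change. The script below is an added example, not the P10D-1A report's own code: it calls the Directus REST API (GET /items/<collection> with the standard fields, limit, filter and sort query parameters) directly rather than through the SDK so it has no dependencies, runs the four checks listed above, redacts bearer tokens from its report, and runs offline against a constructed mock Directus. BASE_URL, the mock's row contents and the optional token (which models the dedicated authenticated web-reader role alternative from the security note) are assumptions.

```javascript
// Added example (not from the decision record): anonymous-READ precheck for the four TAC
// collections. The fetch function is injected, so the same code can be pointed at a real
// instance; here it runs against the constructed mock at the bottom. BASE_URL is a placeholder.
const BASE_URL = "https://directus.example.invalid";

// Minimal fields per collection, as listed in the decision record.
const TAC_COLLECTIONS = {
  tac_publication: ["id", "doc_code", "version", "name", "lifecycle_status"],
  tac_publication_member: ["id", "publication_id", "logical_unit_id", "unit_version_id", "render_order"],
  tac_logical_unit: ["id", "canonical_address", "parent_id", "sort_order", "section_type", "doc_code"],
  tac_unit_version: ["id", "logical_unit_id", "version_number", "title", "body", "review_state", "lifecycle_status"],
};
const EXPECTED_DOC_CODES = ["D35", "D32", "D28"];

// Scrub bearer tokens and access_token query values before any text reaches the report.
function redactTokens(text) {
  return String(text)
    .replace(/Bearer\s+[A-Za-z0-9._~+/=-]+/g, "Bearer [REDACTED]")
    .replace(/(access_token=)[^&\s"]+/g, "$1[REDACTED]");
}

// One GET /items/<collection>. Anonymous (Public role) unless a token is passed; passing a
// token is how a dedicated authenticated web-reader role would be probed instead of Public.
async function probe(fetchFn, baseUrl, collection, query = {}, token = null) {
  const params = new URLSearchParams({ fields: TAC_COLLECTIONS[collection].join(","), limit: "-1", ...query });
  const headers = token ? { Authorization: `Bearer ${token}` } : {};
  const res = await fetchFn(`${baseUrl}/items/${collection}?${params}`, { headers });
  const body = await res.json();
  return { collection, status: res.status, data: body.data ?? [], errors: body.errors ?? [] };
}

// Runs the checks from "Required verification after grant" and returns { pass, checks }.
async function runPrecheck(fetchFn, baseUrl, token = null) {
  const checks = [];
  const note = (name, ok, detail) => checks.push({ name, ok, detail: redactTokens(detail) });

  // 1. Each collection must answer 200 for the probing role; 403 is the permission gate.
  const results = {};
  for (const collection of Object.keys(TAC_COLLECTIONS)) {
    const r = await probe(fetchFn, baseUrl, collection, {}, token);
    results[collection] = r;
    note(`${collection} READ`, r.status === 200, r.status === 200
      ? `200, ${r.data.length} rows`
      : `${r.status}: ${r.errors.map((e) => e.message).join("; ")} (Directus permission gate)`);
  }

  // 2. tac_publication must include the three pilot publications.
  const pubs = results.tac_publication.data;
  const codes = pubs.map((p) => p.doc_code);
  const missing = EXPECTED_DOC_CODES.filter((c) => !codes.includes(c));
  note("tac_publication includes D35/D32/D28", missing.length === 0,
    missing.length ? `missing ${missing.join(", ")}` : codes.join(", "));

  // 3. Members of D35, filtered by publication_id and sorted by render_order: 36 rows, ascending.
  const d35 = pubs.find((p) => p.doc_code === "D35");
  const memberName = "D35 members: 36 rows sorted by render_order";
  if (d35) {
    const m = await probe(fetchFn, baseUrl, "tac_publication_member",
      { "filter[publication_id][_eq]": String(d35.id), sort: "render_order" }, token);
    const orders = m.data.map((row) => row.render_order);
    const sorted = orders.every((o, i) => i === 0 || orders[i - 1] <= o);
    note(memberName, m.status === 200 && orders.length === 36 && sorted, `${m.status}, ${orders.length} rows, sorted=${sorted}`);
  } else {
    note(memberName, false, "D35 publication not readable");
  }

  // 4. Deep fields on logical units and unit versions must actually come back.
  for (const deep of ["tac_logical_unit", "tac_unit_version"]) {
    const row = results[deep].data[0];
    const ok = row !== undefined && TAC_COLLECTIONS[deep].every((f) => f in row);
    note(`${deep} deep fields readable`, ok, ok ? TAC_COLLECTIONS[deep].join(", ") : `status ${results[deep].status}`);
  }

  // 5. The report must not carry the probe token.
  note("no token leakage in report", !(token && JSON.stringify(checks).includes(token)), "report scanned");
  return { pass: checks.every((c) => c.ok), checks };
}

// Constructed stand-in for a Directus instance. `granted` is the set of collections the Public
// role may READ; ungranted ones get the 403 body Directus returns. Row contents are made up
// (36 D35 members stored in reverse order, one unit, one version); only the filter/sort used above exist.
function makeMockDirectus(granted) {
  const rows = {
    tac_publication: ["D35", "D32", "D28"].map((code, i) =>
      ({ id: i + 1, doc_code: code, version: "1", name: `Pilot ${code}`, lifecycle_status: "official" })),
    tac_publication_member: Array.from({ length: 36 }, (_, i) =>
      ({ id: 100 + i, publication_id: 1, logical_unit_id: 200 + i, unit_version_id: 300 + i, render_order: 36 - i })),
    tac_logical_unit: [{ id: 200, canonical_address: "D35.1", parent_id: null, sort_order: 1, section_type: "article", doc_code: "D35" }],
    tac_unit_version: [{ id: 300, logical_unit_id: 200, version_number: 1, title: "Article 1", body: "constructed body", review_state: "approved", lifecycle_status: "official" }],
  };
  return async (url, { headers = {} } = {}) => {
    const u = new URL(url);
    const collection = u.pathname.split("/").pop();
    const authed = /^Bearer /.test(headers.Authorization ?? "");
    if (!authed && !granted.has(collection)) {
      return { status: 403, json: async () => ({ errors: [{ message: "You don't have permission to access this." }] }) };
    }
    let data = rows[collection] ?? [];
    const pub = u.searchParams.get("filter[publication_id][_eq]");
    if (pub !== null) data = data.filter((r) => String(r.publication_id) === pub);
    const sort = u.searchParams.get("sort");
    if (sort) data = [...data].sort((a, b) => a[sort] - b[sort]);
    return { status: 200, json: async () => ({ data }) };
  };
}

// Usage: before the grant only governance_docs is readable (the P10D-1A FAIL); after it, PASS.
async function main() {
  const before = await runPrecheck(makeMockDirectus(new Set(["governance_docs"])), BASE_URL);
  const after = await runPrecheck(makeMockDirectus(new Set(Object.keys(TAC_COLLECTIONS))), BASE_URL);
  console.log("before grant:", before.pass ? "PASS" : "FAIL", "| after grant:", after.pass ? "PASS" : "FAIL");
  for (const c of before.checks) console.log(`  ${c.ok ? "ok  " : "FAIL"} ${c.name}: ${c.detail}`);
}
main();
```

Against a real instance, replace the mock with the global fetch and BASE_URL with the Directus host; the report stays free of the probe token because every detail string passes through redactTokens before it is stored, and the final check re-scans the whole report for the token value as a second line of defence.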

Only after PASS may Opus draft the one-file assembly wiring prompt for:

web/pages/knowledge/laws/index.vue


5. Boundary

No Nuxt implementation is authorized yet. No direct PG from Nuxt. No server route. No custom component. No schema change.

Source path: knowledge/dev/reports/gpt-decision-s191-p10d-1a-fail-authorize-read-permission-gate-2026-04-30.md