KB-4E54

GPT Review — G8A Directus Roles Readiness Design Draft

Revision 1

Date: 2026-04-28

Verdict

PASS as a useful draft, but PATCH REQUIRED before using it as gate input.

The document is correctly doc-only and identifies key dependencies. However, several permission-boundary statements need tightening before the roadmap can be safely used for G8B planning.

Evidence checked

  • knowledge/dev/laws/dieu38-trien-khai/P9-G8A-directus-roles-readiness-design.md rev 1.
  • knowledge/dev/laws/dieu38-trien-khai/P9-tier3-readiness-package.md.
  • knowledge/dev/laws/dieu38-trien-khai/P8-implementation-design-plan-v0-1.md.
  • knowledge/dev/reports/gpt-review-production-candidate-pack-v0-2-2026-04-28.md.

Findings

  1. The draft correctly states doc-only and does not authorize mutation.
  2. The draft correctly splits G8A design from G8B execution.
  3. The Directus MySQL→PostgreSQL point was investigated and is not a blocker, but the stale architecture SSOT must be tracked separately.
  4. tac-agent definition says “CRUD on 14 tac_* collections ONLY”, but the matrix only allows read-only on vocab/config tables. Wording must be changed to avoid overbroad scope.
  5. tac-admin is described as having “DDL/schema mutation” while being a Directus scoped role. Directus role permissions should not be described as DB-level DDL authority unless a separate governed DB/DOT path exists. This must be clarified.
  6. The G8B post-check proposes live CRUD tests. Those tests can create/update/delete data and require a dedicated test-artifact policy, or should be run only after a separate execution gate.
  7. OPS proxy whitelist and DOT-TAC-ROLE-ENSURE script implementation are correctly identified as dependencies.
  8. Before finalizing the permission matrix, a low-effort read-only Directus permission model probe should verify the current Directus role/permission schema/API shape and whether roles can exist without collection permissions.

Governance check

| Rule | Result | Finding |
|------|--------|---------|
| Constitution (Hiến pháp) / Zero Trust | PASS with patch | Requires probe for uncertain Directus permission model. |
| Article 32 (Đ32) | PASS | No mutation yet; G8B requires gate. |
| Article 33 (Đ33) | PASS with patch | DB DDL must not be implied by Directus role. |
| Article 35 (Đ35) | PASS | DOT-TAC-ROLE-ENSURE implementation gap is called out. |
| Article 24 (Đ24) | PASS | No labels/entity-label mutation. |

Required patches

  1. Change tac-agent scope wording from “CRUD on 14 tac_* collections” to: “permission matrix-defined access on 14 tac_* collections; CRU on core, CRUD on member tables, read-only on vocab/config.”

  2. Change tac-admin wording:
    • Directus role: full CRUD on 14 tac_* collections.
    • DB DDL/schema mutation: not granted by Directus role; must remain a separate governed DB/DOT path.

  3. Add a test-artifact policy for post-checks:
    • Any CRUD post-check must use clearly named test records.
    • It must clean up exact test records where allowed.
    • It must not delete production records.
    • If cleanup is not allowed, retain test rows as audit evidence and document IDs.

  4. Add a G8A-0 Directus Permission Model Probe before finalizing v0.2:
    • low effort, read-only only.
    • verify Directus DB/API role and permission schema shape.
    • verify current existing roles state for tac-agent / tac-admin.
    • verify whether roles can be created before collections and how permissions bind to collections.
    • verify whether OPS proxy whitelist affects G8B or only downstream agent access.

  5. Track stale Directus architecture SSOT as a separate documentation cleanup issue; do not let it block G8A.
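
One way to check an exported permission snapshot against the tac-agent wording in patch 1, entirely offline. This is an added example, not part of the reviewed draft or of Directus. The collection names, the sample rows and the (role, collection, action) row shape are assumptions; the row shape is exactly what the G8A-0 probe is meant to confirm.

```python
# Added example: offline audit of a permission snapshot against patch 1.
# Assumed: rows shaped (role, collection, action), to be confirmed by the
# G8A-0 probe, and the hypothetical collection names below.
TIERS = {  # hypothetical names; the real 14 tac_* collections are not listed
    "tac_case": "core",
    "tac_case_member": "member",
    "tac_vocab_status": "vocab_config",
}

# tac-agent: CRU on core, CRUD on member tables, read-only on vocab/config.
AGENT_MATRIX = {
    "core": {"create", "read", "update"},
    "member": {"create", "read", "update", "delete"},
    "vocab_config": {"read"},
}

def audit_role(rows, role, matrix=AGENT_MATRIX, tiers=TIERS):
    """Return sorted (kind, collection, action) findings for one role."""
    granted = {}
    for row in rows:
        if row["role"] == role:
            granted.setdefault(row["collection"], set()).add(row["action"])
    findings = []
    for collection, actions in granted.items():
        tier = tiers.get(collection)
        if tier is None:  # grant outside the tac_* scope: flag for review
            findings += [("out_of_scope", collection, a) for a in actions]
        else:
            findings += [("excess", collection, a) for a in actions - matrix[tier]]
    for collection, tier in tiers.items():
        missing = matrix[tier] - granted.get(collection, set())
        findings += [("missing", collection, a) for a in missing]
    return sorted(findings)

def grant(role, collection, actions):
    return [{"role": role, "collection": collection, "action": a}
            for a in actions.split()]

SNAPSHOT = (  # constructed sample data, not taken from any live instance
    grant("tac-agent", "tac_case", "create read update delete")
    + grant("tac-agent", "tac_case_member", "create read update")
    + grant("tac-agent", "tac_vocab_status", "read update")
    + grant("tac-agent", "directus_users", "read")
)

if __name__ == "__main__":
    for finding in audit_role(SNAPSHOT, "tac-agent"):
        print(*finding)
```

A role that exists with no permission rows at all, one of the cases the probe asks about, shows up as "missing" findings only.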

Direction

Opus should patch the G8A draft and run/dispatch the low-effort read-only G8A-0 probe before finalizing v0.2. Do not execute G8B, create roles, assign permissions, create collections, provision tokens, or start G11/P9.