GPT Review — G8A Readiness Design v0.3
Date: 2026-04-28
Verdict
PASS with one wording patch.
G8A v0.3 correctly revises the design from the legacy Directus Role→Permission model to the Directus 11 Role→Access→Policy→Permission model.
Findings
- Directus 11.5.1 policy model is correctly represented.
- Roles are correctly described as identity/group labels, not permission containers.
- Permissions correctly bind to policy IDs, not role IDs.
- tac-agent-policy API-only default is correct.
- tac-admin-policy app_access=DECISION PENDING is correct and prevents premature UI access assumption.
- OPS proxy and legacy Public roles are correctly marked as non-blocking observations.
- G8B remains gated and no mutation is authorized by G8A.
Required wording patch
The footer/sequence currently says or implies:
GPT review → G8B execution → G11
Patch to:
GPT review → Production DDL/Collection gates → G8B execution gate → G11
Also add explicit note:
G8A v0.3 is not authorization to execute G8B. G8B depends on production
tac_* tables, Directus collections, and DOT-TAC-ROLE-ENSURE implementation/update for Directus 11 policy model.
Governance check
| Rule | Result | Finding |
|---|---|---|
| Constitution / Zero Trust | PASS with wording patch | Design corrected based on probe evidence. |
| Đ32 | PASS | G8B remains gated. |
| Đ33 | PASS | No DB/Directus mutation authorized. |
| Đ35 | PASS | DOT-TAC-ROLE-ENSURE needs D11 update before execution. |
| Đ24 | PASS | No label/entity-label mutation. |
Direction
Opus should patch the wording above, then prepare the next Production DDL/Collection Gate Design or DOT-TAC-ROLE-ENSURE D11 update design as doc-only work. Do not execute G8B, create roles, policies, permissions, collections, tokens, or start G11/P9.