KB-60EF

GPT Review S191 — P10D-1B MVP Public READ prompt final patches

Revision 1

Date: 2026-04-30
Phase: TAC MVP / P10D
Verdict: APPROVED AFTER TWO EXECUTION PATCHES


1. Policy assessment

The prompt now matches the User/GPT decision:

  • MVP public-read is accepted.
  • Grant READ only.
  • Limit scope to four TAC collections:
    • tac_publication
    • tac_publication_member
    • tac_logical_unit
    • tac_unit_version
  • Broad fields ["*"] are acceptable for MVP on these four collections only.
  • No write permissions, no system/unrelated collections, no code, no DDL/DML.

2. Required patch 1 — Public role handling

Directus public/anonymous permissions may be represented as role = null rather than a normal role id named Public.

The prompt currently assumes a Public role id from /roles. That may fail or target the wrong concept.

Patch T1/T2/T3:

  1. First inspect existing working governance_docs Public READ permission.
  2. Use its role value as the canonical public/anonymous role marker.
  3. If role is null, use JSON null in permission payloads, not the string "null".
  4. If multiple possible role markers are found, STOP and ask User/GPT.

Recommended discovery query:

ssh contabo 'set +x; T=$(grep DIRECTUS_TOKEN /opt/incomex/.env | cut -d= -f2-); \
  curl -s -g "http://localhost:8055/permissions?filter[collection][_eq]=governance_docs&filter[action][_eq]=read&limit=20" \
    -H "Authorization: Bearer $T" | \
  python3 -c "$(cat <<"PY"
# The script is passed with -c so that stdin stays attached to the curl pipe.
import json, sys
payload = json.load(sys.stdin)
for p in payload.get("data", []):
    # role prints as None when the stored role is JSON null
    print({"id": p.get("id"), "role": p.get("role"), "collection": p.get("collection"), "action": p.get("action"), "fields": p.get("fields")})
PY
)"
  unset T'

This aligns TAC public-read with the already-working governance_docs public-read model.


3. Required patch 2 — Fix shell/Python quoting and make idempotent logic concrete

Several snippets have nested f-strings like:

print(f"EXISTS: id={p["id"]} ...")

This will syntax-error on Python versions before 3.12, because the inner double quotes end the f-string early. Replace inline Python with heredoc scripts or use single quotes inside f-strings.

Also T3 still says “create if missing or update if needed,” but only provides POST create. Add concrete logic:

  • Read existing permissions for the target public role marker and the four collections.
  • For each collection:
    • if a row exists with action=read: check that fields is * or includes *; if it is already broad enough, skip;
    • if a row exists but fields is not broad enough, PATCH that permission to fields:["*"];
    • if missing, POST create with action:read, fields:["*"];
    • never create duplicate read rows.

For JSON payload construction, use Python or jq to avoid broken quoting, especially for role:null.
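
The decision logic from patches 1 and 2, as an added Python example that is not taken from the reviewed prompt or the project's code: it derives the public role marker from governance_docs read rows, then plans SKIP/PATCH/POST per collection without sending any request. The function names, the StopAndAsk exception, the sample rows and the tolerance for a comma-separated fields string are assumptions; PATCH targets /permissions/<id>.

```python
import json

TAC_COLLECTIONS = ["tac_publication", "tac_publication_member",
                   "tac_logical_unit", "tac_unit_version"]

class StopAndAsk(Exception):
    """Hypothetical signal: evidence is ambiguous, halt and ask User/GPT."""

def public_role_marker(governance_rows):
    """Return the one role value carried by governance_docs read rows."""
    markers = {r.get("role") for r in governance_rows if r.get("action") == "read"}
    if len(markers) != 1:
        raise StopAndAsk(f"role markers found: {sorted(map(repr, markers))}")
    return markers.pop()  # None is serialized as JSON null, never "null"

def is_broad(fields):
    """True when fields contains *; a CSV string is tolerated (assumption)."""
    if isinstance(fields, str):
        fields = fields.split(",")
    return "*" in (fields or [])

def plan(existing_rows, role):
    """One (method, target, json_body) step per collection; no HTTP is sent."""
    steps = []
    for coll in TAC_COLLECTIONS:
        rows = [r for r in existing_rows if r.get("collection") == coll
                and r.get("action") == "read" and r.get("role") == role]
        if any(is_broad(r.get("fields")) for r in rows):
            steps.append(("SKIP", coll, None))          # already sufficient
        elif rows:                                       # widen, do not duplicate
            steps.append(("PATCH", f"/permissions/{rows[0]['id']}",
                          json.dumps({"fields": ["*"]})))
        else:
            steps.append(("POST", "/permissions", json.dumps(
                {"role": role, "collection": coll, "action": "read", "fields": ["*"]})))
    return steps

# Constructed sample rows, shaped like the discovery query's output.
GOVERNANCE = [{"id": 11, "role": None, "collection": "governance_docs", "action": "read"}]
EXISTING = [
    {"id": 21, "role": None, "collection": "tac_publication", "action": "read", "fields": ["*"]},
    {"id": 22, "role": None, "collection": "tac_logical_unit", "action": "read", "fields": ["id"]},
]

if __name__ == "__main__":
    for step in plan(EXISTING, public_role_marker(GOVERNANCE)):
        print(step)
```

Re-running plan() against the rows that result from applying its steps yields SKIP for all four collections, which is the idempotency the patch asks for.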


4. Direction

After applying the two execution patches above, dispatch is approved.

No further GPT review is required if Opus only patches:

  1. Public role/null handling via existing governance_docs public permission evidence.
  2. Quoting/idempotent create-or-update implementation.

5. Boundary

P10D-1B remains permission config only. No Nuxt wiring, no code route changes, no DDL/DML, no unrelated Directus mutations.
