KB-21CD

GPT Revised Directive S191 — P10D-1B MVP Public READ, avoid premature field hardcoding

Revision 1
Tags: s191, p10d, p10d-1b, directus, permissions, mvp-public-read, revised-directive

GPT Revised Directive S191 — P10D-1B MVP Public READ

Date: 2026-04-30
Phase: TAC MVP / P10D
Status: Revised directive after User clarification.


1. Correction

The previous GPT review pushed strict minimal-field permissions too early. User clarified that this is still the MVP/public-read phase, not final production governance.

Goal now:

  • Avoid premature field-level hardcoding.
  • Avoid repeated 403 friction during assembly.
  • Keep only the critical boundary: Public READ only, no write, no unrelated collections.

2. Revised permission policy

For P10D-1B, authorize:

  • Directus Public role READ on exactly these four TAC collections:
    • tac_publication
    • tac_publication_member
    • tac_logical_unit
    • tac_unit_version

Allowed for MVP:

  • fields: ["*"] or equivalent broad field read on these four collections, if that is the simplest Directus configuration.

Forbidden:

  • CREATE / UPDATE / DELETE / SHARE actions, and any admin access.
  • Any permission on a Directus system collection (directus_*).
  • Any unrelated collection.
  • Any schema change or code change.
  • Any DDL/DML.

Rationale:

  • These are law-content collections intended for public /knowledge/laws reading.
  • User explicitly accepts public access during MVP.
  • Admin/governance restrictions will be added later via Directus role/admin workflow.

3. Prompt rewrite instruction for Opus

Rewrite P10D-1B prompt as:

P10D-1B — Grant MVP Public READ for TAC Official Laws Collections

The prompt must include:

  1. Gate 0 SSH VPS identity.
  2. Find the Public role id safely (exact match; abort if zero or several candidates).
  3. Read existing permissions first.
  4. Idempotent create/update:
    • if Public READ is missing for a target collection, create it;
    • if it already exists, leave it, and update only if needed;
    • never produce duplicate permission rows (if duplicates already exist, report them rather than adding another).
  5. Grant READ only on the four target collections.
  6. Broad fields (["*"]) are allowed for MVP only on these four collections.
  7. Explicitly report:
    • this is MVP public-read;
    • no write permissions granted;
    • no unrelated/system collections changed;
    • field restriction deferred to admin/governance phase.
  8. Verify anonymous/public access (no token, no session):
    • 4 collections return 200;
    • tac_publication includes D35/D32/D28;
    • D35 tac_publication_member count = 36;
    • deep read sample returns canonical_address, title, non-empty body.
  9. Upload report to KB.
  10. STOP. No Nuxt implementation yet.
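The following is an added example of how steps 2 through 8 above (and the section 2 policy) can be carried out idempotently; it is not part of the original directive or the project's code. Assumptions, all labelled in the code: permission rows are keyed by a "role" field as on Directus 10 (Directus 11 attaches permissions to policies, so the key would be "policy" there); the Public role is resolved by name via /roles; publications carry their D-number in a field named by ID_FIELD. The HTTP transport is injected so the decision logic can be exercised offline.

```python
"""Idempotent MVP Public READ grant for the four TAC collections (P10D-1B).

Added example, not project code. Assumptions: permission rows keyed by
ROLE_KEY ("role" on Directus 10, "policy" on 11); Public role found by name;
publication D-number stored in ID_FIELD. Adjust to what the instance returns.
"""
import json
import urllib.request
from typing import Any, Callable

TARGET_COLLECTIONS = ("tac_publication", "tac_publication_member",
                      "tac_logical_unit", "tac_unit_version")
ROLE_KEY = "role"   # assumption: "policy" on Directus 11
ID_FIELD = "code"   # assumption: field that holds "D35", "D32", "D28"

Send = Callable[[str, str, Any], Any]   # (method, path, body) -> decoded JSON


def http_send(base_url: str, token: str) -> Send:
    """Real admin-API transport (static token). Tests inject a fake instead."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            base_url + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def find_public_role_id(send: Send) -> str:
    """Step 2: resolve the Public role by exact name; abort on 0 or >1 hits."""
    rows = send("GET", "/roles?filter[name][_eq]=Public&fields=id,name", None)["data"]
    if len(rows) != 1:
        raise RuntimeError(f"expected exactly one Public role, found {len(rows)}")
    return rows[0]["id"]


def plan_read_grants(existing: list, role_id: str) -> list:
    """Steps 3-6: given the permission rows already present, decide per target
    collection whether to create, update, skip or flag. Only READ rows are ever
    proposed, only for TARGET_COLLECTIONS, and never as a duplicate."""
    plan = []
    for coll in TARGET_COLLECTIONS:
        assert not coll.startswith("directus_"), "system collections are out of scope"
        rows = [p for p in existing
                if p.get("collection") == coll and p.get("action") == "read"
                and p.get(ROLE_KEY) == role_id]
        if not rows:
            plan.append({"op": "create", "collection": coll,
                         "body": {ROLE_KEY: role_id, "collection": coll, "action": "read",
                                  "fields": ["*"], "permissions": {}}})
        elif len(rows) > 1:
            # Existing duplicates are reported for manual cleanup, never added to.
            plan.append({"op": "duplicate", "collection": coll,
                         "ids": [r.get("id") for r in rows]})
        elif rows[0].get("fields") != ["*"] or rows[0].get("permissions") not in (None, {}):
            # Narrower than the MVP policy: widen to broad read, keep the same row.
            plan.append({"op": "update", "collection": coll, "id": rows[0].get("id"),
                         "body": {"fields": ["*"], "permissions": {}}})
        else:
            plan.append({"op": "skip", "collection": coll, "id": rows[0].get("id")})
    return plan


def apply_plan(plan: list, send: Send) -> dict:
    """Execute only create/update ops; skip and duplicate are reported, not acted on."""
    report = {"created": [], "updated": [], "skipped": [], "duplicates": []}
    for step in plan:
        if step["op"] == "create":
            send("POST", "/permissions", step["body"])
            report["created"].append(step["collection"])
        elif step["op"] == "update":
            send("PATCH", f"/permissions/{step['id']}", step["body"])
            report["updated"].append(step["collection"])
        elif step["op"] == "skip":
            report["skipped"].append(step["collection"])
        else:
            report["duplicates"].append(step["collection"])
    return report


def check_public_read(publications: list, d35_members: list, sample: dict) -> list:
    """Step 8 checks over JSON fetched anonymously (no Authorization header).
    Returns failure strings; an empty list means the verification gate passed."""
    failures = []
    codes = {p.get(ID_FIELD) for p in publications}
    for want in ("D35", "D32", "D28"):
        if want not in codes:
            failures.append(f"tac_publication missing {want}")
    if len(d35_members) != 36:
        failures.append(f"D35 tac_publication_member count {len(d35_members)} != 36")
    for field in ("canonical_address", "title", "body"):
        if not sample.get(field):
            failures.append(f"deep-read sample lacks non-empty {field}")
    return failures
```

Usage on the VPS would be: `send = http_send("https://<directus>", "<admin token>")`, then `role = find_public_role_id(send)`, `existing = send("GET", "/permissions?filter[collection][_in]=" + ",".join(TARGET_COLLECTIONS) + "&limit=-1", None)["data"]`, `apply_plan(plan_read_grants(existing, role), send)`, and finally `check_public_read(...)` over responses fetched without any token. Running the plan twice yields only "skip" entries the second time, which is the idempotency property step 4 asks for, and the report dict already contains the facts step 7 requires (no write rows proposed, nothing outside the four collections touched).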

4. Suggested wording to include

This is an MVP public-read phase. User explicitly accepts public read access for TAC law content under /knowledge/laws. Grant READ only, no write permissions. Field-level restriction is deferred until the admin/governance phase unless sensitive fields are discovered. Do not grant access to Directus system collections or unrelated tables.


5. Boundary

This revision replaces the previous strict minimal-field requirement for P10D-1B.

Least privilege still applies at the action/collection level:

  • READ only;
  • four collections only.

Field-level least privilege is deferred for this MVP phase.