KB-53F4 rev 2

API Access Rules

1 service = exactly 1 subdomain (ONE service, ONE subdomain)

Service Routing Table

Path                    | ops.incomexsaigoncorp.vn | vps.incomexsaigoncorp.vn
/items/* (Directus)     | 200 OK                   | N/A
/ops/items/* (Directus) | N/A                      | 410 DEPRECATED
/api/* (Agent Data)     | 404                      | 200 OK

Canonical Endpoints

  • Directus = ops.incomexsaigoncorp.vn/items/*
  • Agent Data = vps.incomexsaigoncorp.vn/api/*
  • FORBIDDEN: Using vps.../ops/* for Directus (deprecated, backwards compat only)

Agent Access Matrix

Agent           | Directus                                  | Agent Data
GPT Actions     | ops.incomexsaigoncorp.vn                  | vps.incomexsaigoncorp.vn
Claude Code CLI | DOT tools (internal http://directus:8055) | http://agent-data:8800 (internal)
Claude Desktop  | ops.incomexsaigoncorp.vn (browser fetch)  | MCP tools via vps.incomexsaigoncorp.vn
Directus Flows  | N/A (trigger source)                      | http://agent-data:8800 (internal Docker)

Absolute Prohibitions

  1. GPT/Claude Desktop MUST NOT call https://directus.incomexsaigoncorp.vn directly
  2. MUST NOT use vps.../ops/* instead of ops subdomain
  3. Claude Code CLI MUST NOT use curl to Directus (use DOT tools instead)
  4. MUST NOT use ops subdomain to access Agent Data

OpenAPI Spec — Canonical URLs (WEB-85B)

Rule: Each GPT Action = exactly 1 URL. Do NOT use GitHub raw, auxiliary static files, or any other URL.

GPT Action    | Canonical URL                                     | Content                         | When to re-import
Agent Data KB | https://vps.incomexsaigoncorp.vn/api/openapi.json | Knowledge CRUD + Search (9 ops) | When an endpoint is added or changed
OPS Proxy     | https://ops.incomexsaigoncorp.vn/openapi.json     | Tasks + Comments (8 ops)        | When a new collection is added

Updating the spec: edit the source file → deploy → GPT re-imports from the same URL. No need to copy-paste JSON.

Forbidden:

  • Using raw.githubusercontent.com for the spec
  • Using ai.incomexsaigoncorp.vn/agent_data_openapi.yaml (old)
  • Keeping multiple copies of the spec in multiple places
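
One way to check agent configurations against the routing table, prohibitions 1, 2 and 4, and the canonical spec URLs above (an added example, not code from this KB page or the project). The function names, the sample (agent, URL) pairs and the paths /items/tasks and /api/search are assumptions; prohibition 3 concerns which tool is used rather than which URL, so it is not checked.

```python
import posixpath
from urllib.parse import urlsplit

OPS = "ops.incomexsaigoncorp.vn"
VPS = "vps.incomexsaigoncorp.vn"
DIRECTUS_DIRECT = "directus.incomexsaigoncorp.vn"
EXTERNAL_AGENTS = {"GPT Actions", "Claude Desktop"}
CANONICAL_SPECS = {
    "https://vps.incomexsaigoncorp.vn/api/openapi.json",
    "https://ops.incomexsaigoncorp.vn/openapi.json",
}

def _under(path, prefix):
    return path == prefix or path.startswith(prefix + "/")

def check_url(agent, url):
    """Return the rules from this page that `url` breaks when used by `agent`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    # Collapse "//" and ".." so /items/../api/x is judged as /api/x.
    path = posixpath.normpath("/" + parts.path.lstrip("/"))
    broken = []
    if host == DIRECTUS_DIRECT and agent in EXTERNAL_AGENTS:
        broken.append("prohibition 1: direct call to the directus subdomain")
    if host == VPS and _under(path, "/ops"):
        broken.append("prohibition 2: deprecated /ops/* path on the vps subdomain")
    if host == OPS and _under(path, "/api"):
        broken.append("prohibition 4: Agent Data requested through the ops subdomain")
    return broken

def check_spec_url(url):
    """A GPT Action spec must be imported from one of the two canonical URLs."""
    return [] if url in CANONICAL_SPECS else ["spec rule: not a canonical spec URL"]

# Constructed sample: (agent, URL) pairs as they might appear in agent configs.
SAMPLE = [
    ("GPT Actions", "https://ops.incomexsaigoncorp.vn/items/tasks"),
    ("GPT Actions", "https://vps.incomexsaigoncorp.vn/ops/items/tasks"),
    ("Claude Desktop", "https://directus.incomexsaigoncorp.vn/items/tasks"),
    ("GPT Actions", "https://OPS.incomexsaigoncorp.vn/items/../api/search"),
    ("GPT Actions", "https://vps.incomexsaigoncorp.vn/api/search"),
]

def audit(entries):
    """Map each offending URL to its violations; compliant URLs are omitted."""
    return {u: v for a, u in entries if (v := check_url(a, u))}

if __name__ == "__main__":
    print(audit(SAMPLE))
```
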

Future TODO

  • Consider disabling /ops/ path on vps subdomain entirely to eliminate confusion