omnigraph/docs/policy.md

# Authorization (Cedar policy)

OmniGraph integrates AWS Cedar (`cedar-policy = 4.9`) for ABAC.

## Policy actions

1. `read` — query / snapshot / list branches & commits
2. `export` — NDJSON export
3. `change` — mutations
4. `schema_apply` — apply schema migrations
5. `branch_create`
6. `branch_delete`
7. `branch_merge`
8. `run_publish`
9. `run_abort`
10. `admin` — reserved

## Scope kinds

- `branch_scope` — applied to source branch (`read`, `export`, `change`)
- `target_branch_scope` — applied to destination (`schema_apply`, branch ops, run ops)
- `protected_branches` — named list with special rules; rule scopes are `any | protected | unprotected`

## Configuration

`omnigraph.yaml`:

```yaml
policy:
  file: ./policy.yaml          # Cedar rules + groups
  tests: ./policy.tests.yaml   # declarative test cases
```

Each rule must use exactly one of `branch_scope` or `target_branch_scope`.

## CLI

- `omnigraph policy validate` — parse + count actors, exit 1 on parse error.
- `omnigraph policy test` — run cases in `policy.tests.yaml`, exit 1 on any expectation mismatch.
- `omnigraph policy explain --actor … --action … [--branch …] [--target-branch …]` — show decision and matched rule.

## Server enforcement

Every mutating endpoint calls `authorize_request()` *before* the handler runs; decisions are logged with actor / action / branch / outcome / matched rule.
Refactor AGENTS.md from encyclopedia to map; move spec into docs/ Splits the 990-line AGENTS.md into a 184-line map (architecture, where-to-find index, always-on invariants, capability matrix, maintenance contract) plus 18 new docs/*.md files holding the deep content per topic (storage, schema and query languages, indexes, embeddings, branches/commits, runs, merge, changes, execution, policy, server, CLI reference, audit, errors, CI, constants, v0.3.1 notes). Adds scripts/check-agents-md.sh and a check_agents_md CI job that verifies every docs/ link in AGENTS.md resolves and every doc in the canonical set is linked. CLAUDE.md remains a symlink to AGENTS.md. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-04-28 23:31:08 +02:00			`# Authorization (Cedar policy)`

			OmniGraph integrates AWS Cedar (`cedar-policy = 4.9`) for ABAC.

			`## Policy actions`

			1. `read` — query / snapshot / list branches & commits
			2. `export` — NDJSON export
			3. `change` — mutations
			4. `schema_apply` — apply schema migrations
			5. `branch_create`
			6. `branch_delete`
			7. `branch_merge`
			8. `run_publish`
			9. `run_abort`
			10. `admin` — reserved

			`## Scope kinds`

			- `branch_scope` — applied to source branch (`read`, `export`, `change`)
			- `target_branch_scope` — applied to destination (`schema_apply`, branch ops, run ops)
			- `protected_branches` — named list with special rules; rule scopes are `any \| protected \| unprotected`

			`## Configuration`

			`omnigraph.yaml`:

			```yaml
			`policy:`
			`file: ./policy.yaml # Cedar rules + groups`
			`tests: ./policy.tests.yaml # declarative test cases`
			```

			Each rule must use exactly one of `branch_scope` or `target_branch_scope`.

			`## CLI`

			- `omnigraph policy validate` — parse + count actors, exit 1 on parse error.
			- `omnigraph policy test` — run cases in `policy.tests.yaml`, exit 1 on any expectation mismatch.
			- `omnigraph policy explain --actor … --action … [--branch …] [--target-branch …]` — show decision and matched rule.

			`## Server enforcement`

			Every mutating endpoint calls `authorize_request()` before the handler runs; decisions are logged with actor / action / branch / outcome / matched rule.