2026-04-17 14:26:31 +02:00
{
"openapi" : "3.1.0" ,
"info" : {
"title" : "Omnigraph API" ,
"description" : "HTTP API for the Omnigraph graph database" ,
"license" : {
"name" : "MIT" ,
"identifier" : "MIT"
} ,
mr-668: composite e2e tests, race fix, v0.7.0 release (PR 9/10)
PR 9 — the final integration PR for MR-668 multi-graph server work.
Closes the v0.7.0 release.
Composite lifecycle tests (closes gaps flagged in PR 7's coverage
review):
- `multi_graph_lifecycle_post_query_restart_persistence` — POST a
graph, query it via cluster route, reload the config from disk
and confirm `load_server_settings` sees the rewritten YAML.
Validates the "restart resolves orphans" failure-mode story.
- `per_graph_policy_enforced_on_post_created_graph` — POST a graph
with a per-graph policy attached, then send authenticated read
and change requests. Per-graph Cedar enforcement fires correctly
on a POST-created graph (engine-layer policy reinstalled via
`Omnigraph::with_policy` inside the create flow).
- `concurrent_post_graphs_distinct_ids_all_succeed` — 4 concurrent
POSTs with distinct graph_ids all return 201. Caught a real
race in `rewrite_atomic` (see below).
Race fix — `rewrite_atomic_with_modify`:
The first composite test surfaced a real bug. The old
`rewrite_atomic(path, new_config, expected_hash)` captured the
baseline hash OUTSIDE the flock, then called rewrite_atomic which
re-acquired it inside. Under concurrent writers:
- POST A: captures baseline H0, calls rewrite_atomic.
- POST B: captures baseline H0 too (before A's update lands).
- A: acquires flock, on-disk == H0, writes H1, releases.
- A: updates baseline H0 → H1.
- B: tries to acquire flock — waits.
- B: acquires flock. On-disk is now H1. Expected (captured
before A finished) is H0. MISMATCH → spurious Drift error.
Worse: even if the timing happens to align, B's `updated` config
was constructed from BYTES read before the flock. B writes a config
that doesn't include A's new graph — silent data loss.
The fix: new `config::rewrite_atomic_with_modify(path, baseline,
modify)` takes a closure. Inside the flock + baseline mutex:
1. Read on-disk bytes, hash, compare to baseline.
2. Parse on-disk YAML.
3. Call `modify(parsed)` to produce the new config — receives
fresh on-disk state, returns the modification.
4. Serialize + write + fsync + rename + update baseline.
Everything is read-modify-write under the same critical section.
Concurrent writers serialize cleanly. Test confirmed this is no
longer a race.
The old `rewrite_atomic(path, new_config, expected_hash)` API stays
for tests that don't need the read-modify-write shape; the POST
handler switches to the new shape.
Version bump v0.6.0 → v0.7.0:
- All 5 `crates/*/Cargo.toml` (compiler, engine, policy, cli, server)
plus their inter-crate `path` dep version constraints.
- `Cargo.lock` regenerated by `cargo build --workspace`.
- `AGENTS.md` "Version surveyed" line, capability matrix HTTP-server
row updated to mention multi-graph + cluster routes + atomic YAML
rewrite.
- `openapi.json` regenerated.
Docs:
- `docs/releases/v0.7.0.md` (new) — release notes with breaking
changes, new features, deferred items (DELETE, `delete_prefix`,
actor forwarding), and the single→multi migration recipe.
- `docs/user/server.md` — substantial section additions for the
two modes, mode inference, cluster endpoint table, management
endpoints, `omnigraph.yaml` ownership contract, `POST /graphs`
body shape + status codes.
- `docs/user/cli.md` — `omnigraph graphs list/create` section,
deferred-DELETE note.
- `docs/user/policy.md` — server-scoped Cedar actions
(`graph_create`, `graph_list`), per-graph vs server-level policy
composition, example server-level policy.
Workspace test pass: 573 tests green across all crates. Zero
failures. MR-731 spoof regression still pinned and passing across
the entire 10-PR series.
This commit closes MR-668. v0.7.0 is ready for tagging.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 21:32:49 +02:00
"version" : "0.7.0"
2026-04-17 14:26:31 +02:00
} ,
"paths" : {
"/branches" : {
"get" : {
"tags" : [
"branches"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "List all branches." ,
"description" : "Returns branch names sorted alphabetically. Read-only." ,
2026-04-17 14:26:31 +02:00
"operationId" : "listBranches" ,
"responses" : {
"200" : {
"description" : "List of branches" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/BranchListOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
} ,
"post" : {
"tags" : [
"branches"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Create a new branch." ,
"description" : "Forks `name` off of `from` (defaults to `main`). The new branch shares\ntable data with its parent until it is mutated. Returns 409 if `name`\nalready exists." ,
2026-04-17 14:26:31 +02:00
"operationId" : "createBranch" ,
"requestBody" : {
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/BranchCreateRequest"
}
}
} ,
"required" : true
} ,
"responses" : {
"200" : {
"description" : "Branch created" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/BranchCreateOutput"
}
}
}
} ,
"400" : {
"description" : "Bad request" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"409" : {
"description" : "Branch already exists" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-05-08 17:49:02 +02:00
} ,
"429" : {
"description" : "Per-actor admission cap exceeded; honor `Retry-After` header" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-04-17 14:26:31 +02:00
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
"/branches/merge" : {
"post" : {
"tags" : [
"branches"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Merge one branch into another." ,
"description" : "Merges `source` into `target` (defaults to `main`). Outcome is one of\n`already_up_to_date`, `fast_forward`, or `merged`. Returns 409 with the\nlist of conflicts if the merge cannot be completed; the target is left\nunchanged in that case. **Destructive** to `target` on success." ,
2026-04-17 14:26:31 +02:00
"operationId" : "mergeBranches" ,
"requestBody" : {
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/BranchMergeRequest"
}
}
} ,
"required" : true
} ,
"responses" : {
"200" : {
"description" : "Branches merged" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/BranchMergeOutput"
}
}
}
} ,
"400" : {
"description" : "Bad request" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"409" : {
"description" : "Merge conflict" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-05-08 17:49:02 +02:00
} ,
"429" : {
"description" : "Per-actor admission cap exceeded; honor `Retry-After` header" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-04-17 14:26:31 +02:00
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
"/branches/{branch}" : {
"delete" : {
"tags" : [
"branches"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Delete a branch." ,
"description" : "**Irreversible.** Removes the branch pointer; commits remain reachable\nonly if referenced by another branch. Returns 404 if the branch does not\nexist." ,
2026-04-17 14:26:31 +02:00
"operationId" : "deleteBranch" ,
"parameters" : [
{
"name" : "branch" ,
"in" : "path" ,
"description" : "Branch name to delete" ,
"required" : true ,
"schema" : {
"type" : "string"
}
}
] ,
"responses" : {
"200" : {
"description" : "Branch deleted" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/BranchDeleteOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"404" : {
"description" : "Branch not found" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-05-08 17:49:02 +02:00
} ,
"429" : {
"description" : "Per-actor admission cap exceeded; honor `Retry-After` header" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-04-17 14:26:31 +02:00
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
"/change" : {
"post" : {
"tags" : [
"mutations"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Apply a GQ mutation to a branch." ,
"description" : "Writes to the named `branch` (defaults to `main`). Mutations are atomic\nper call and produce a new commit. Returns counts of nodes and edges\naffected. **Destructive**: on success the branch is updated; rejected\nmutations may still acquire locks briefly. Returns 409 on merge conflict." ,
2026-04-17 14:26:31 +02:00
"operationId" : "change" ,
"requestBody" : {
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ChangeRequest"
}
}
} ,
"required" : true
} ,
"responses" : {
"200" : {
"description" : "Mutation results" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ChangeOutput"
}
}
}
} ,
"400" : {
"description" : "Bad request" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"409" : {
"description" : "Merge conflict" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-05-08 17:49:02 +02:00
} ,
"429" : {
"description" : "Per-actor admission cap exceeded; honor `Retry-After` header" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-04-17 14:26:31 +02:00
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
"/commits" : {
"get" : {
"tags" : [
"commits"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "List commits." ,
"description" : "Filter by `branch` to get the commits on a single branch (most recent\nfirst); omit to list across all branches. Read-only." ,
2026-04-17 14:26:31 +02:00
"operationId" : "listCommits" ,
"parameters" : [
{
"name" : "branch" ,
"in" : "query" ,
"required" : false ,
"schema" : {
"type" : [
"string" ,
"null"
]
}
}
] ,
"responses" : {
"200" : {
"description" : "List of commits" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/CommitListOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
"/commits/{commit_id}" : {
"get" : {
"tags" : [
"commits"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Get a single commit." ,
"description" : "Returns the commit's manifest version, parent commit(s), and creation\nmetadata. Read-only." ,
2026-04-17 14:26:31 +02:00
"operationId" : "getCommit" ,
"parameters" : [
{
"name" : "commit_id" ,
"in" : "path" ,
"description" : "Commit identifier" ,
"required" : true ,
"schema" : {
"type" : "string"
}
}
] ,
"responses" : {
"200" : {
"description" : "Commit details" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/CommitOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"404" : {
"description" : "Commit not found" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
"/export" : {
"post" : {
"tags" : [
"queries"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Stream the contents of a branch as NDJSON." ,
"description" : "Emits one JSON object per line (`application/x-ndjson`). Filter with\n`type_names` (node/edge type names) and/or `table_keys`; both empty\nstreams the entire branch. Suitable for large exports — the response is\nstreamed, not buffered. Read-only." ,
2026-04-17 14:26:31 +02:00
"operationId" : "export" ,
"requestBody" : {
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ExportRequest"
}
}
} ,
"required" : true
} ,
"responses" : {
"200" : {
"description" : "Exported data as NDJSON" ,
"content" : {
"application/x-ndjson" : { }
}
} ,
"400" : {
"description" : "Bad request" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
mr-668: GET /graphs endpoint + per-graph policy wire-up (PR 6b/10)
PR 6b of the MR-668 multi-graph server work. First management endpoint —
`GET /graphs` lists every graph registered with the server, gated by the
server-level Cedar policy from PR 6a.
New API shapes (in `omnigraph-server::api`):
- `GraphInfo { graph_id, uri }` — one entry per registered graph.
- `GraphListResponse { graphs: Vec<GraphInfo> }` — sorted alphabetically
by `graph_id` for deterministic output.
Handler `server_graphs_list`:
- Mounted at `GET /graphs` in both modes.
- Single mode: returns 405 (resource exists in the API surface, just
not operational without a `graphs:` map). 405 chosen over 404 so
clients see "resource exists, wrong context" rather than "no such
resource".
- Multi mode: requires bearer auth (when configured); Cedar-gated by
`PolicyAction::GraphList` against `Omnigraph::Server::"root"`
(PR 6a's chassis). Returns the sorted registry list.
Cedar gate composition:
- When no `server.policy.file` is configured, the MR-723 default-deny
falls through: `GraphList` is not `Read`, so an authenticated actor
without a server policy gets 403. This is the right default — don't
expose the registry until the operator explicitly authorizes it.
- When a server policy is configured, Cedar evaluates the rule. The
test `get_graphs_with_server_policy_authorizes_per_cedar` pins the
admin-allow / viewer-deny split.
Routing:
- New `management` sub-router holding `/graphs` (auth-required, no
`resolve_graph_handle` middleware — operates on the registry, not
a single graph).
- Single mode merges flat protected routes + management.
- Multi mode merges nested `/graphs/{graph_id}/...` + management.
OpenAPI:
- `server_graphs_list` registered in `ApiDoc::paths(...)`.
- `EXPECTED_PATHS` in `tests/openapi.rs` gains `/graphs`.
- `openapi.json` regenerated (auto-tracked by
`openapi_spec_is_up_to_date` in CI).
Tests: 4 new in `tests/server.rs::multi_graph_startup`:
- `get_graphs_lists_registered_graphs_in_multi_mode`
- `get_graphs_returns_405_in_single_mode`
- `get_graphs_requires_bearer_auth_when_configured`
- `get_graphs_with_server_policy_authorizes_per_cedar`
What's NOT in this PR (deferred):
- Per-graph policy enforcement is wired through `handle.policy`
(PR 4a already did this); PR 6b doesn't add new per-graph
behavior beyond making sure the server policy lookup composes
cleanly alongside it.
- `POST /graphs` (PR 7) and `DELETE /graphs/{id}` (out of scope
for v0.7.0).
- CLI `omnigraph graphs list` (PR 8 will add).
Result: 215 server tests green (74 lib + 66 openapi + 75 integration),
11 policy tests green. MR-731 spoof regression preserved across all
this work.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 20:24:52 +02:00
"/graphs" : {
"get" : {
"tags" : [
"management"
] ,
"summary" : "List every graph currently registered with this server (MR-668)." ,
"description" : "Multi-graph mode only. In single mode, the route returns 405 — there's\nno registry to enumerate. Cedar-gated by the server-level policy via\nthe `graph_list` action against `Omnigraph::Server::\"root\"`.\n\nOrder: alphabetical by `graph_id` (server-sorted so clients see\ndeterministic output across requests)." ,
"operationId" : "listGraphs" ,
"responses" : {
"200" : {
"description" : "List of registered graphs" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/GraphListResponse"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"405" : {
"description" : "Method not allowed (single-graph mode)" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
mr-668: POST /graphs runtime create endpoint (PR 7/10)
PR 7 of the MR-668 multi-graph server work. Operators can now add a
graph to a running multi-graph server without restarting:
curl -X POST http://server/graphs \
-H "Content-Type: application/json" \
-d '{
"graph_id": "beta",
"uri": "/data/beta.omni",
"schema": { "source": "node Person { name: String @key }\n" },
"policy": { "file": "./policies/beta.yaml" }
}'
DELETE remains deferred (out of v0.7.0 scope per the trimmed plan —
no `delete_prefix`, no tombstones).
Body shape (decision 7):
- Nested `schema: { source: "..." }` (mirrors the `policy: { file }`
pattern; leaves room for future fields without breakage).
- Optional nested `policy: { file: "..." }` for per-graph Cedar.
- 32 MiB body limit (reuses `INGEST_REQUEST_BODY_LIMIT_BYTES`).
- Asymmetric with `SchemaApplyRequest` which keeps flat
`schema_source: String` — documented in api.rs.
Atomic YAML rewrite + drift detection:
- New `config::rewrite_atomic(path, new_config, expected_hash)`:
flock → re-read + hash check → serialize → write `.tmp` → fsync
→ rename → fsync parent dir. Returns the new hash for the caller
to update its in-memory baseline.
- New `config::hash_config_file(path)` — SHA-256 of the on-disk
bytes, used at startup and after each rewrite.
- New `RewriteAtomicError { Drift | Io | Serialize }` enum.
- `AppState.config_hash: Option<Arc<Mutex<[u8;32]>>>` carries the
in-memory baseline. Updated after every successful rewrite so
subsequent POSTs don't false-trigger drift.
- The mutex is `std::sync::Mutex` (brief critical section, no .await
inside). The flock itself serializes file access process-wide
AND across multiple server instances (defense in depth).
- All sync I/O runs inside `tokio::task::spawn_blocking` — flock
is sync.
Handler ordering (the load-bearing sequence):
1. Mode check: 405 in single mode.
2. Cedar authorize: `GraphCreate` against `Omnigraph::Server::"root"`.
3. Validate body: `GraphId::try_from` (regex + reserved-name), empty
schema/uri checks, per-graph policy file parse.
4. Pre-check registry for duplicate graph_id / duplicate uri (409).
5. `Omnigraph::init` the new engine.
6. Atomic YAML rewrite (drift detection inside).
7. Publish in registry (atomic re-check via `GraphRegistry::insert`).
Failure modes (documented in handler rustdoc):
- Init fails → orphan storage at `req.uri` (PR 2a cleans up schema
files; Lance datasets remain orphans until `delete_prefix` lands).
- YAML rewrite fails (drift, IO) → orphan storage; YAML unchanged.
- Registry insert fails (race) → YAML has entry but registry doesn't;
next restart opens it cleanly.
New dependency: `fs2 = "0.4"` (workspace + omnigraph-server). POSIX-only
file locking. Linux/macOS deployment supported; Windows out of scope.
Tests (10 new in `tests/server.rs::multi_graph_startup`):
- `post_graphs_creates_a_new_graph_end_to_end` — happy path, includes
YAML inspection to confirm the rewrite landed.
- `post_graphs_baseline_hash_updates_between_rewrites` — two POSTs in
a row both succeed (drift baseline updates correctly).
- `post_graphs_duplicate_graph_id_returns_409`
- `post_graphs_duplicate_uri_returns_409`
- `post_graphs_invalid_graph_id_returns_400` (reserved name)
- `post_graphs_empty_schema_source_returns_400`
- `post_graphs_returns_405_in_single_mode`
- `post_graphs_yaml_drift_detection_returns_503` — operator hand-edits
omnigraph.yaml; server refuses to clobber.
- `hash_config_file_is_deterministic_and_detects_changes`
- `rewrite_atomic_refuses_when_hash_drifts`
OpenAPI: `server_graphs_create` registered in `ApiDoc::paths(...)`;
openapi.json regenerated.
Result: 225 server tests green (74 lib + 66 openapi + 85 integration),
all MR-731 regressions still pinned.
LOC: ~580 lib.rs net (handler + helpers), ~120 config.rs (rewrite
machinery), +71 api.rs (request/response shapes), +332 tests/server.rs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 20:38:58 +02:00
} ,
"post" : {
"tags" : [
"management"
] ,
"summary" : "Create a new graph at runtime (MR-668 PR 7)." ,
"description" : "Multi-graph mode only. Operators add a graph to the registry\nwithout restarting the server. The server `Omnigraph::init`s the\nnew graph at `req.uri`, atomically rewrites `omnigraph.yaml` to\ninclude the new entry, then publishes the handle in the registry.\n\nCedar-gated by `PolicyAction::GraphCreate` against\n`Omnigraph::Server::\"root\"` (the same server-level policy as\n`GET /graphs`).\n\nFailure modes:\n* Init fails → orphan storage files at `req.uri` (PR 2a cleans up\n schema files but not Lance datasets; operator removes manually).\n* Rewrite fails (`fs2::flock` IO error) → orphan storage; YAML\n unchanged.\n* YAML drift (operator edited the file) → 503; YAML and storage\n both unchanged.\n* Duplicate `graph_id` or `uri` → 409; storage already in use." ,
"operationId" : "createGraph" ,
"requestBody" : {
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/GraphCreateRequest"
}
}
} ,
"required" : true
} ,
"responses" : {
"201" : {
"description" : "Graph created" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/GraphCreateResponse"
}
}
}
} ,
"400" : {
"description" : "Invalid request body (graph_id, schema, policy file)" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"405" : {
"description" : "Method not allowed (single-graph mode)" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"409" : {
"description" : "graph_id or uri already registered" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"413" : {
"description" : "Request body too large (>32 MiB)" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"500" : {
"description" : "Init failure or YAML rewrite failure" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"503" : {
"description" : "omnigraph.yaml drift detected (operator edited the file)" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
mr-668: GET /graphs endpoint + per-graph policy wire-up (PR 6b/10)
PR 6b of the MR-668 multi-graph server work. First management endpoint —
`GET /graphs` lists every graph registered with the server, gated by the
server-level Cedar policy from PR 6a.
New API shapes (in `omnigraph-server::api`):
- `GraphInfo { graph_id, uri }` — one entry per registered graph.
- `GraphListResponse { graphs: Vec<GraphInfo> }` — sorted alphabetically
by `graph_id` for deterministic output.
Handler `server_graphs_list`:
- Mounted at `GET /graphs` in both modes.
- Single mode: returns 405 (resource exists in the API surface, just
not operational without a `graphs:` map). 405 chosen over 404 so
clients see "resource exists, wrong context" rather than "no such
resource".
- Multi mode: requires bearer auth (when configured); Cedar-gated by
`PolicyAction::GraphList` against `Omnigraph::Server::"root"`
(PR 6a's chassis). Returns the sorted registry list.
Cedar gate composition:
- When no `server.policy.file` is configured, the MR-723 default-deny
falls through: `GraphList` is not `Read`, so an authenticated actor
without a server policy gets 403. This is the right default — don't
expose the registry until the operator explicitly authorizes it.
- When a server policy is configured, Cedar evaluates the rule. The
test `get_graphs_with_server_policy_authorizes_per_cedar` pins the
admin-allow / viewer-deny split.
Routing:
- New `management` sub-router holding `/graphs` (auth-required, no
`resolve_graph_handle` middleware — operates on the registry, not
a single graph).
- Single mode merges flat protected routes + management.
- Multi mode merges nested `/graphs/{graph_id}/...` + management.
OpenAPI:
- `server_graphs_list` registered in `ApiDoc::paths(...)`.
- `EXPECTED_PATHS` in `tests/openapi.rs` gains `/graphs`.
- `openapi.json` regenerated (auto-tracked by
`openapi_spec_is_up_to_date` in CI).
Tests: 4 new in `tests/server.rs::multi_graph_startup`:
- `get_graphs_lists_registered_graphs_in_multi_mode`
- `get_graphs_returns_405_in_single_mode`
- `get_graphs_requires_bearer_auth_when_configured`
- `get_graphs_with_server_policy_authorizes_per_cedar`
What's NOT in this PR (deferred):
- Per-graph policy enforcement is wired through `handle.policy`
(PR 4a already did this); PR 6b doesn't add new per-graph
behavior beyond making sure the server policy lookup composes
cleanly alongside it.
- `POST /graphs` (PR 7) and `DELETE /graphs/{id}` (out of scope
for v0.7.0).
- CLI `omnigraph graphs list` (PR 8 will add).
Result: 215 server tests green (74 lib + 66 openapi + 75 integration),
11 policy tests green. MR-731 spoof regression preserved across all
this work.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 20:24:52 +02:00
}
} ,
2026-04-17 14:26:31 +02:00
"/healthz" : {
"get" : {
"tags" : [
"health"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Liveness probe." ,
"description" : "Returns server status and version. Unauthenticated; safe to call from any\ncaller. Use this to confirm the server is reachable before invoking other\nendpoints." ,
2026-04-17 14:26:31 +02:00
"operationId" : "health" ,
"responses" : {
"200" : {
"description" : "Server is healthy" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/HealthOutput"
}
}
}
}
}
}
} ,
"/ingest" : {
"post" : {
"tags" : [
"mutations"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Bulk-ingest NDJSON data into a branch." ,
"description" : "`data` is NDJSON with one record per line. `mode` controls behavior on\nexisting rows: `merge` upserts by id (default), `append` blindly inserts,\n`overwrite` replaces table contents. If `branch` does not exist it is\ncreated from `from` (defaults to `main`). **Destructive** when `mode` is\n`overwrite` or when ingest produces conflicting writes." ,
2026-04-17 14:26:31 +02:00
"operationId" : "ingest" ,
"requestBody" : {
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/IngestRequest"
}
}
} ,
"required" : true
} ,
"responses" : {
"200" : {
"description" : "Ingest results" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/IngestOutput"
}
}
}
} ,
"400" : {
"description" : "Bad request" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-05-08 17:49:02 +02:00
} ,
"429" : {
"description" : "Per-actor admission cap exceeded; honor `Retry-After` header" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-04-17 14:26:31 +02:00
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
"/read" : {
"post" : {
"tags" : [
"queries"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Execute a GQ read query." ,
"description" : "Runs the query in `query_source` against either a branch or a frozen\nsnapshot (mutually exclusive). When `query_source` defines multiple named\nqueries, pick one with `query_name`. `params` is a JSON object whose keys\nmatch the parameters declared by the query. Returns rows as a JSON array\nplus a `columns` list. Read-only." ,
2026-04-17 14:26:31 +02:00
"operationId" : "read" ,
"requestBody" : {
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ReadRequest"
}
}
} ,
"required" : true
} ,
"responses" : {
"200" : {
"description" : "Query results" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ReadOutput"
}
}
}
} ,
"400" : {
"description" : "Bad request" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
2026-04-18 20:24:39 +02:00
"/schema" : {
"get" : {
"tags" : [
"schema"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Read the current schema source." ,
"description" : "Returns the project's schema as a single string in `.pg` source form.\nUseful for clients that want to introspect available types and tables\nbefore constructing GQ queries. Read-only." ,
2026-04-18 20:24:39 +02:00
"operationId" : "getSchema" ,
"responses" : {
"200" : {
"description" : "Current schema source" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/SchemaOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
2026-04-17 14:26:31 +02:00
"/schema/apply" : {
"post" : {
"tags" : [
"mutations"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Apply a schema migration." ,
"description" : "Diffs `schema_source` against the current schema and applies the resulting\nmigration steps (add/drop type, add/drop column, etc.). **Destructive**:\nsome steps drop data. Returns the list of steps applied; if `applied` is\nfalse the diff was unsupported and no changes were made." ,
2026-04-17 14:26:31 +02:00
"operationId" : "applySchema" ,
"requestBody" : {
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/SchemaApplyRequest"
}
}
} ,
"required" : true
} ,
"responses" : {
"200" : {
"description" : "Schema apply results" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/SchemaApplyOutput"
}
}
}
} ,
"400" : {
"description" : "Bad request" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-05-08 17:49:02 +02:00
} ,
"429" : {
"description" : "Per-actor admission cap exceeded; honor `Retry-After` header" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
2026-04-17 14:26:31 +02:00
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
} ,
"/snapshot" : {
"get" : {
"tags" : [
"snapshots"
] ,
2026-04-25 16:36:51 +02:00
"summary" : "Read the current snapshot of a branch." ,
"description" : "Returns the manifest version plus per-table metadata (path, version, row\ncount) for every table on the branch. Defaults to `main` when `branch` is\nomitted. Read-only." ,
2026-04-17 14:26:31 +02:00
"operationId" : "getSnapshot" ,
"parameters" : [
{
"name" : "branch" ,
"in" : "query" ,
"required" : false ,
"schema" : {
"type" : [
"string" ,
"null"
]
}
}
] ,
"responses" : {
"200" : {
"description" : "Database snapshot" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/SnapshotOutput"
}
}
}
} ,
"401" : {
"description" : "Unauthorized" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
} ,
"403" : {
"description" : "Forbidden" ,
"content" : {
"application/json" : {
"schema" : {
"$ref" : "#/components/schemas/ErrorOutput"
}
}
}
}
} ,
"security" : [
{
"bearer_token" : [ ]
}
]
}
}
} ,
"components" : {
"schemas" : {
"BranchCreateOutput" : {
"type" : "object" ,
"required" : [
"uri" ,
"from" ,
"name"
] ,
"properties" : {
"actor_id" : {
"type" : [
"string" ,
"null"
]
} ,
"from" : {
"type" : "string"
} ,
"name" : {
"type" : "string"
} ,
"uri" : {
"type" : "string"
}
}
} ,
"BranchCreateRequest" : {
"type" : "object" ,
"required" : [
"name"
] ,
"properties" : {
"from" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Parent branch to fork from. Defaults to `main`."
2026-04-17 14:26:31 +02:00
} ,
"name" : {
2026-04-25 16:36:51 +02:00
"type" : "string" ,
"description" : "Name of the new branch. Must not already exist."
2026-04-17 14:26:31 +02:00
}
}
} ,
"BranchDeleteOutput" : {
"type" : "object" ,
"required" : [
"uri" ,
"name"
] ,
"properties" : {
"actor_id" : {
"type" : [
"string" ,
"null"
]
} ,
"name" : {
"type" : "string"
} ,
"uri" : {
"type" : "string"
}
}
} ,
"BranchListOutput" : {
"type" : "object" ,
"required" : [
"branches"
] ,
"properties" : {
"branches" : {
"type" : "array" ,
"items" : {
"type" : "string"
}
}
}
} ,
"BranchMergeOutcome" : {
"type" : "string" ,
"enum" : [
"already_up_to_date" ,
"fast_forward" ,
"merged"
]
} ,
"BranchMergeOutput" : {
"type" : "object" ,
"required" : [
"source" ,
"target" ,
"outcome"
] ,
"properties" : {
"actor_id" : {
"type" : [
"string" ,
"null"
]
} ,
"outcome" : {
"$ref" : "#/components/schemas/BranchMergeOutcome"
} ,
"source" : {
"type" : "string"
} ,
"target" : {
"type" : "string"
}
}
} ,
"BranchMergeRequest" : {
"type" : "object" ,
"required" : [
"source"
] ,
"properties" : {
"source" : {
2026-04-25 16:36:51 +02:00
"type" : "string" ,
"description" : "Source branch whose commits will be merged."
2026-04-17 14:26:31 +02:00
} ,
"target" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Target branch that will receive the merge. Defaults to `main`."
2026-04-17 14:26:31 +02:00
}
}
} ,
"ChangeOutput" : {
"type" : "object" ,
"required" : [
"branch" ,
"query_name" ,
"affected_nodes" ,
"affected_edges"
] ,
"properties" : {
"actor_id" : {
"type" : [
"string" ,
"null"
]
} ,
"affected_edges" : {
"type" : "integer" ,
"minimum" : 0
} ,
"affected_nodes" : {
"type" : "integer" ,
"minimum" : 0
} ,
"branch" : {
"type" : "string"
} ,
"query_name" : {
"type" : "string"
}
}
} ,
"ChangeRequest" : {
"type" : "object" ,
"required" : [
"query_source"
] ,
"properties" : {
"branch" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Target branch. Defaults to `main`."
} ,
"params" : {
"description" : "JSON object whose keys match the mutation's declared parameters."
2026-04-17 14:26:31 +02:00
} ,
"query_name" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Name of the mutation to run when `query_source` declares multiple."
2026-04-17 14:26:31 +02:00
} ,
"query_source" : {
2026-04-25 16:36:51 +02:00
"type" : "string" ,
"description" : "GQ mutation source containing `insert`, `update`, or `delete` statements.\nMay declare multiple named mutations; pick one with `query_name`." ,
"example" : "query insert_person($name: String, $age: I32) {\n insert Person { name: $name, age: $age }\n}"
2026-04-17 14:26:31 +02:00
}
}
} ,
"CommitListOutput" : {
"type" : "object" ,
"required" : [
"commits"
] ,
"properties" : {
"commits" : {
"type" : "array" ,
"items" : {
"$ref" : "#/components/schemas/CommitOutput"
}
}
}
} ,
"CommitOutput" : {
"type" : "object" ,
"required" : [
"graph_commit_id" ,
"manifest_version" ,
"created_at"
] ,
"properties" : {
"actor_id" : {
"type" : [
"string" ,
"null"
]
} ,
"created_at" : {
"type" : "integer" ,
2026-04-25 16:36:51 +02:00
"format" : "int64" ,
"description" : "Commit creation time as Unix epoch microseconds." ,
"example" : 1714000000000000
2026-04-17 14:26:31 +02:00
} ,
"graph_commit_id" : {
"type" : "string"
} ,
"manifest_branch" : {
"type" : [
"string" ,
"null"
]
} ,
"manifest_version" : {
"type" : "integer" ,
"format" : "int64" ,
"minimum" : 0
} ,
"merged_parent_commit_id" : {
"type" : [
"string" ,
"null"
]
} ,
"parent_commit_id" : {
"type" : [
"string" ,
"null"
]
}
}
} ,
"ErrorCode" : {
"type" : "string" ,
"enum" : [
"unauthorized" ,
"forbidden" ,
"bad_request" ,
"not_found" ,
"conflict" ,
server: flip AppState to Arc<Omnigraph>, wire admission on /change (PR 2 Step F)
The substantive PR 2 change. Removes the global server `RwLock<Omnigraph>`
that has serialized every mutating request across all actors. Disjoint
`(table, branch)` writes from different actors now run concurrently,
guarded only by the engine's per-(table, branch) write queue (PR 1b)
and per-actor admission control (PR 2 Step E).
AppState changes:
- `db: Arc<RwLock<Omnigraph>>` -> `engine: Arc<Omnigraph>`
- New field: `workload: Arc<workload::WorkloadController>` initialized
from env (`OMNIGRAPH_PER_ACTOR_INFLIGHT_MAX=16`,
`OMNIGRAPH_PER_ACTOR_BYTES_MAX=4GiB`,
`OMNIGRAPH_GLOBAL_REWRITE_MAX=4`).
- `tokio::sync::RwLock` import dropped.
Handler updates (16 sites):
- All `Arc::clone(&state.db).read_owned().await` and `write_owned()`
calls replaced with `let db = &state.engine`. Engine APIs are now
`&self` (Step C) so this works directly.
- `/export` clones `Arc<Omnigraph>` once and moves into the spawned
task instead of acquiring a long-held read lock.
- `/change` handler additionally wires
`state.workload.try_admit(&actor_arc, est_bytes)`. Cedar runs FIRST
so denied requests don't consume admission slots; admission runs
SECOND before the engine call. `est_bytes` uses the request body
size as a coarse proxy.
API surface additions (`api::ErrorCode`):
- `TooManyRequests` -> HTTP 429 (per-actor cap exceeded; respect
`Retry-After`)
- `ServiceUnavailable` -> HTTP 503 (global rewrite pool exhausted)
`ApiError` constructors `too_many_requests` / `service_unavailable` and
`from_workload_reject` (maps `RejectReason` variants to HTTP status).
Other mutating handlers (`/ingest`, `/branches/*`, `/branches/merge`,
`/schema/apply`) currently flow through the Arc<Omnigraph> path
without admission gates; wiring those is mechanical and lands as a
follow-up. The /change hot path covers the bulk of MR-686's load
profile.
OpenAPI regenerated to include the new ErrorCode variants.
102 lib + 39 server tests + 5 workload tests pass. The regression
sentinel `change_conflict_returns_manifest_conflict_409` continues
to pass (revalidation perf opt + per-table queue + publisher CAS
preserve manifest_conflict semantics under concurrent writers).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 17:08:26 +02:00
"too_many_requests" ,
2026-04-17 14:26:31 +02:00
"internal"
]
} ,
"ErrorOutput" : {
"type" : "object" ,
"required" : [
"error"
] ,
"properties" : {
"code" : {
"oneOf" : [
{
"type" : "null"
} ,
{
"$ref" : "#/components/schemas/ErrorCode"
}
]
} ,
"error" : {
"type" : "string"
} ,
2026-04-30 08:52:50 +02:00
"manifest_conflict" : {
"oneOf" : [
{
"type" : "null"
} ,
{
"$ref" : "#/components/schemas/ManifestConflictOutput" ,
"description" : "Set when the conflict is a publisher CAS rejection\n(`ManifestConflictDetails::ExpectedVersionMismatch`). The caller's\npre-write view of `table_key` was at version `expected` but the\nmanifest is now at `actual`. Refresh and retry."
}
]
} ,
2026-04-17 14:26:31 +02:00
"merge_conflicts" : {
"type" : "array" ,
"items" : {
"$ref" : "#/components/schemas/MergeConflictOutput"
}
}
}
} ,
"ExportRequest" : {
"type" : "object" ,
"properties" : {
"branch" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Branch to export. Defaults to `main`."
2026-04-17 14:26:31 +02:00
} ,
"table_keys" : {
"type" : "array" ,
"items" : {
"type" : "string"
2026-04-25 16:36:51 +02:00
} ,
"description" : "Restrict the export to these table keys. Empty exports all tables."
2026-04-17 14:26:31 +02:00
} ,
"type_names" : {
"type" : "array" ,
"items" : {
"type" : "string"
2026-04-25 16:36:51 +02:00
} ,
"description" : "Restrict the export to these node/edge type names. Empty exports all types."
2026-04-17 14:26:31 +02:00
}
}
} ,
mr-668: POST /graphs runtime create endpoint (PR 7/10)
PR 7 of the MR-668 multi-graph server work. Operators can now add a
graph to a running multi-graph server without restarting:
curl -X POST http://server/graphs \
-H "Content-Type: application/json" \
-d '{
"graph_id": "beta",
"uri": "/data/beta.omni",
"schema": { "source": "node Person { name: String @key }\n" },
"policy": { "file": "./policies/beta.yaml" }
}'
DELETE remains deferred (out of v0.7.0 scope per the trimmed plan —
no `delete_prefix`, no tombstones).
Body shape (decision 7):
- Nested `schema: { source: "..." }` (mirrors the `policy: { file }`
pattern; leaves room for future fields without breakage).
- Optional nested `policy: { file: "..." }` for per-graph Cedar.
- 32 MiB body limit (reuses `INGEST_REQUEST_BODY_LIMIT_BYTES`).
- Asymmetric with `SchemaApplyRequest` which keeps flat
`schema_source: String` — documented in api.rs.
Atomic YAML rewrite + drift detection:
- New `config::rewrite_atomic(path, new_config, expected_hash)`:
flock → re-read + hash check → serialize → write `.tmp` → fsync
→ rename → fsync parent dir. Returns the new hash for the caller
to update its in-memory baseline.
- New `config::hash_config_file(path)` — SHA-256 of the on-disk
bytes, used at startup and after each rewrite.
- New `RewriteAtomicError { Drift | Io | Serialize }` enum.
- `AppState.config_hash: Option<Arc<Mutex<[u8;32]>>>` carries the
in-memory baseline. Updated after every successful rewrite so
subsequent POSTs don't false-trigger drift.
- The mutex is `std::sync::Mutex` (brief critical section, no .await
inside). The flock itself serializes file access process-wide
AND across multiple server instances (defense in depth).
- All sync I/O runs inside `tokio::task::spawn_blocking` — flock
is sync.
Handler ordering (the load-bearing sequence):
1. Mode check: 405 in single mode.
2. Cedar authorize: `GraphCreate` against `Omnigraph::Server::"root"`.
3. Validate body: `GraphId::try_from` (regex + reserved-name), empty
schema/uri checks, per-graph policy file parse.
4. Pre-check registry for duplicate graph_id / duplicate uri (409).
5. `Omnigraph::init` the new engine.
6. Atomic YAML rewrite (drift detection inside).
7. Publish in registry (atomic re-check via `GraphRegistry::insert`).
Failure modes (documented in handler rustdoc):
- Init fails → orphan storage at `req.uri` (PR 2a cleans up schema
files; Lance datasets remain orphans until `delete_prefix` lands).
- YAML rewrite fails (drift, IO) → orphan storage; YAML unchanged.
- Registry insert fails (race) → YAML has entry but registry doesn't;
next restart opens it cleanly.
New dependency: `fs2 = "0.4"` (workspace + omnigraph-server). POSIX-only
file locking. Linux/macOS deployment supported; Windows out of scope.
Tests (10 new in `tests/server.rs::multi_graph_startup`):
- `post_graphs_creates_a_new_graph_end_to_end` — happy path, includes
YAML inspection to confirm the rewrite landed.
- `post_graphs_baseline_hash_updates_between_rewrites` — two POSTs in
a row both succeed (drift baseline updates correctly).
- `post_graphs_duplicate_graph_id_returns_409`
- `post_graphs_duplicate_uri_returns_409`
- `post_graphs_invalid_graph_id_returns_400` (reserved name)
- `post_graphs_empty_schema_source_returns_400`
- `post_graphs_returns_405_in_single_mode`
- `post_graphs_yaml_drift_detection_returns_503` — operator hand-edits
omnigraph.yaml; server refuses to clobber.
- `hash_config_file_is_deterministic_and_detects_changes`
- `rewrite_atomic_refuses_when_hash_drifts`
OpenAPI: `server_graphs_create` registered in `ApiDoc::paths(...)`;
openapi.json regenerated.
Result: 225 server tests green (74 lib + 66 openapi + 85 integration),
all MR-731 regressions still pinned.
LOC: ~580 lib.rs net (handler + helpers), ~120 config.rs (rewrite
machinery), +71 api.rs (request/response shapes), +332 tests/server.rs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 20:38:58 +02:00
"GraphCreateRequest" : {
"type" : "object" ,
"description" : "Request body for `POST /graphs` (MR-668 PR 7).\n\nBody shape:\n```json\n{\n \"graph_id\": \"alpha\",\n \"uri\": \"/path/to/alpha.omni\",\n \"schema\": { \"source\": \"<inline .pg source>\" },\n \"policy\": { \"file\": \"./policies/alpha.yaml\" }\n}\n```\n\n32 MiB body limit (matches `INGEST_REQUEST_BODY_LIMIT_BYTES`)." ,
"required" : [
"graph_id" ,
"uri" ,
"schema"
] ,
"properties" : {
"graph_id" : {
"type" : "string" ,
"description" : "New graph's id. Must satisfy `^[a-zA-Z0-9-]{1,64}$`, not start with\n`_`, and not be a reserved name. See `GraphId::try_from`."
} ,
"policy" : {
"oneOf" : [
{
"type" : "null"
} ,
{
"$ref" : "#/components/schemas/GraphPolicySpec" ,
"description" : "Per-graph Cedar policy. Optional — `None` means the graph has\nno per-graph policy enforcement (HTTP auth still applies if\nconfigured)."
}
]
} ,
"schema" : {
"$ref" : "#/components/schemas/GraphSchemaSpec" ,
"description" : "Inline schema (`{ source }`). Required."
} ,
"uri" : {
"type" : "string" ,
"description" : "Storage URI (local path or `s3://...`). Must NOT already be in\nuse by another registered graph. Server `Omnigraph::init`s the\ngraph at this URI."
}
}
} ,
"GraphCreateResponse" : {
"type" : "object" ,
"description" : "Response from `POST /graphs` on success (201 Created)." ,
"required" : [
"graph_id" ,
"uri"
] ,
"properties" : {
"graph_id" : {
"type" : "string"
} ,
"uri" : {
"type" : "string"
}
}
} ,
mr-668: GET /graphs endpoint + per-graph policy wire-up (PR 6b/10)
PR 6b of the MR-668 multi-graph server work. First management endpoint —
`GET /graphs` lists every graph registered with the server, gated by the
server-level Cedar policy from PR 6a.
New API shapes (in `omnigraph-server::api`):
- `GraphInfo { graph_id, uri }` — one entry per registered graph.
- `GraphListResponse { graphs: Vec<GraphInfo> }` — sorted alphabetically
by `graph_id` for deterministic output.
Handler `server_graphs_list`:
- Mounted at `GET /graphs` in both modes.
- Single mode: returns 405 (resource exists in the API surface, just
not operational without a `graphs:` map). 405 chosen over 404 so
clients see "resource exists, wrong context" rather than "no such
resource".
- Multi mode: requires bearer auth (when configured); Cedar-gated by
`PolicyAction::GraphList` against `Omnigraph::Server::"root"`
(PR 6a's chassis). Returns the sorted registry list.
Cedar gate composition:
- When no `server.policy.file` is configured, the MR-723 default-deny
falls through: `GraphList` is not `Read`, so an authenticated actor
without a server policy gets 403. This is the right default — don't
expose the registry until the operator explicitly authorizes it.
- When a server policy is configured, Cedar evaluates the rule. The
test `get_graphs_with_server_policy_authorizes_per_cedar` pins the
admin-allow / viewer-deny split.
Routing:
- New `management` sub-router holding `/graphs` (auth-required, no
`resolve_graph_handle` middleware — operates on the registry, not
a single graph).
- Single mode merges flat protected routes + management.
- Multi mode merges nested `/graphs/{graph_id}/...` + management.
OpenAPI:
- `server_graphs_list` registered in `ApiDoc::paths(...)`.
- `EXPECTED_PATHS` in `tests/openapi.rs` gains `/graphs`.
- `openapi.json` regenerated (auto-tracked by
`openapi_spec_is_up_to_date` in CI).
Tests: 4 new in `tests/server.rs::multi_graph_startup`:
- `get_graphs_lists_registered_graphs_in_multi_mode`
- `get_graphs_returns_405_in_single_mode`
- `get_graphs_requires_bearer_auth_when_configured`
- `get_graphs_with_server_policy_authorizes_per_cedar`
What's NOT in this PR (deferred):
- Per-graph policy enforcement is wired through `handle.policy`
(PR 4a already did this); PR 6b doesn't add new per-graph
behavior beyond making sure the server policy lookup composes
cleanly alongside it.
- `POST /graphs` (PR 7) and `DELETE /graphs/{id}` (out of scope
for v0.7.0).
- CLI `omnigraph graphs list` (PR 8 will add).
Result: 215 server tests green (74 lib + 66 openapi + 75 integration),
11 policy tests green. MR-731 spoof regression preserved across all
this work.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 20:24:52 +02:00
"GraphInfo" : {
"type" : "object" ,
"description" : "One entry in the response from `GET /graphs`. Cluster operators\nconsume this list to discover which graphs the server is currently\nserving. The shape is intentionally minimal — `graph_id` and `uri`\nare the only fields a routing client needs." ,
"required" : [
"graph_id" ,
"uri"
] ,
"properties" : {
"graph_id" : {
"type" : "string"
} ,
"uri" : {
"type" : "string"
}
}
} ,
"GraphListResponse" : {
"type" : "object" ,
"description" : "Response from `GET /graphs`. Lists every graph registered with the\nserver in alphabetical order by `graph_id` (sorted server-side so\nclients get deterministic output across requests)." ,
"required" : [
"graphs"
] ,
"properties" : {
"graphs" : {
"type" : "array" ,
"items" : {
"$ref" : "#/components/schemas/GraphInfo"
}
}
}
} ,
mr-668: POST /graphs runtime create endpoint (PR 7/10)
PR 7 of the MR-668 multi-graph server work. Operators can now add a
graph to a running multi-graph server without restarting:
curl -X POST http://server/graphs \
-H "Content-Type: application/json" \
-d '{
"graph_id": "beta",
"uri": "/data/beta.omni",
"schema": { "source": "node Person { name: String @key }\n" },
"policy": { "file": "./policies/beta.yaml" }
}'
DELETE remains deferred (out of v0.7.0 scope per the trimmed plan —
no `delete_prefix`, no tombstones).
Body shape (decision 7):
- Nested `schema: { source: "..." }` (mirrors the `policy: { file }`
pattern; leaves room for future fields without breakage).
- Optional nested `policy: { file: "..." }` for per-graph Cedar.
- 32 MiB body limit (reuses `INGEST_REQUEST_BODY_LIMIT_BYTES`).
- Asymmetric with `SchemaApplyRequest` which keeps flat
`schema_source: String` — documented in api.rs.
Atomic YAML rewrite + drift detection:
- New `config::rewrite_atomic(path, new_config, expected_hash)`:
flock → re-read + hash check → serialize → write `.tmp` → fsync
→ rename → fsync parent dir. Returns the new hash for the caller
to update its in-memory baseline.
- New `config::hash_config_file(path)` — SHA-256 of the on-disk
bytes, used at startup and after each rewrite.
- New `RewriteAtomicError { Drift | Io | Serialize }` enum.
- `AppState.config_hash: Option<Arc<Mutex<[u8;32]>>>` carries the
in-memory baseline. Updated after every successful rewrite so
subsequent POSTs don't false-trigger drift.
- The mutex is `std::sync::Mutex` (brief critical section, no .await
inside). The flock itself serializes file access process-wide
AND across multiple server instances (defense in depth).
- All sync I/O runs inside `tokio::task::spawn_blocking` — flock
is sync.
Handler ordering (the load-bearing sequence):
1. Mode check: 405 in single mode.
2. Cedar authorize: `GraphCreate` against `Omnigraph::Server::"root"`.
3. Validate body: `GraphId::try_from` (regex + reserved-name), empty
schema/uri checks, per-graph policy file parse.
4. Pre-check registry for duplicate graph_id / duplicate uri (409).
5. `Omnigraph::init` the new engine.
6. Atomic YAML rewrite (drift detection inside).
7. Publish in registry (atomic re-check via `GraphRegistry::insert`).
Failure modes (documented in handler rustdoc):
- Init fails → orphan storage at `req.uri` (PR 2a cleans up schema
files; Lance datasets remain orphans until `delete_prefix` lands).
- YAML rewrite fails (drift, IO) → orphan storage; YAML unchanged.
- Registry insert fails (race) → YAML has entry but registry doesn't;
next restart opens it cleanly.
New dependency: `fs2 = "0.4"` (workspace + omnigraph-server). POSIX-only
file locking. Linux/macOS deployment supported; Windows out of scope.
Tests (10 new in `tests/server.rs::multi_graph_startup`):
- `post_graphs_creates_a_new_graph_end_to_end` — happy path, includes
YAML inspection to confirm the rewrite landed.
- `post_graphs_baseline_hash_updates_between_rewrites` — two POSTs in
a row both succeed (drift baseline updates correctly).
- `post_graphs_duplicate_graph_id_returns_409`
- `post_graphs_duplicate_uri_returns_409`
- `post_graphs_invalid_graph_id_returns_400` (reserved name)
- `post_graphs_empty_schema_source_returns_400`
- `post_graphs_returns_405_in_single_mode`
- `post_graphs_yaml_drift_detection_returns_503` — operator hand-edits
omnigraph.yaml; server refuses to clobber.
- `hash_config_file_is_deterministic_and_detects_changes`
- `rewrite_atomic_refuses_when_hash_drifts`
OpenAPI: `server_graphs_create` registered in `ApiDoc::paths(...)`;
openapi.json regenerated.
Result: 225 server tests green (74 lib + 66 openapi + 85 integration),
all MR-731 regressions still pinned.
LOC: ~580 lib.rs net (handler + helpers), ~120 config.rs (rewrite
machinery), +71 api.rs (request/response shapes), +332 tests/server.rs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-25 20:38:58 +02:00
"GraphPolicySpec" : {
"type" : "object" ,
"description" : "Per-graph policy specification in `POST /graphs`. Mirrors the\n`policy: { file }` shape in `omnigraph.yaml`'s `graphs.<id>.policy`\nsection." ,
"properties" : {
"file" : {
"type" : [
"string" ,
"null"
] ,
"description" : "Path to the per-graph Cedar policy file, server-side.\nMust be readable by the server process at request time.\nPath is relative to the server's working directory (NOT to the\n`omnigraph.yaml`'s `base_dir`) — caller-supplied paths are\ntrusted as-is."
}
}
} ,
"GraphSchemaSpec" : {
"type" : "object" ,
"description" : "Schema specification for a new graph in `POST /graphs`. Nested\nper MR-668 decision 7 — leaves room for future fields without\nbreaking the request shape. Mirrors the `policy: { file }` nesting\npattern.\n\nToday only `source` (inline `.pg` text) is supported. Future fields\nmight include `schema.allow_data_loss`, `schema.version`, etc.\n\n**Asymmetric with `SchemaApplyRequest`**: `POST /schema/apply` still\nuses a flat `schema_source: String` for backwards compatibility.\nA follow-up release may migrate that too." ,
"required" : [
"source"
] ,
"properties" : {
"source" : {
"type" : "string" ,
"description" : "Inline `.pg` schema source." ,
"example" : "node Person {\n name: String @key\n age: I32?\n}"
}
}
} ,
2026-04-17 14:26:31 +02:00
"HealthOutput" : {
"type" : "object" ,
"required" : [
"status" ,
"version"
] ,
"properties" : {
"source_version" : {
"type" : [
"string" ,
"null"
]
} ,
"status" : {
"type" : "string"
} ,
"version" : {
"type" : "string"
}
}
} ,
"IngestOutput" : {
"type" : "object" ,
"required" : [
"uri" ,
"branch" ,
"base_branch" ,
"branch_created" ,
"mode" ,
"tables"
] ,
"properties" : {
"actor_id" : {
"type" : [
"string" ,
"null"
]
} ,
"base_branch" : {
"type" : "string"
} ,
"branch" : {
"type" : "string"
} ,
"branch_created" : {
"type" : "boolean"
} ,
"mode" : {
"$ref" : "#/components/schemas/LoadMode"
} ,
"tables" : {
"type" : "array" ,
"items" : {
"$ref" : "#/components/schemas/IngestTableOutput"
}
} ,
"uri" : {
"type" : "string"
}
}
} ,
"IngestRequest" : {
"type" : "object" ,
"required" : [
"data"
] ,
"properties" : {
"branch" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Target branch. Created from `from` if it does not yet exist. Defaults to `main`."
2026-04-17 14:26:31 +02:00
} ,
"data" : {
2026-04-25 16:36:51 +02:00
"type" : "string" ,
"description" : "NDJSON payload: one record per line, each shaped\n`{\"type\": \"<TypeName>\", \"data\": {...}}`." ,
"example" : "{\"type\": \"Person\", \"data\": {\"name\": \"Alice\", \"age\": 30}}\n{\"type\": \"Person\", \"data\": {\"name\": \"Bob\", \"age\": 25}}"
2026-04-17 14:26:31 +02:00
} ,
"from" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Parent branch used to create `branch` if it does not exist. Defaults to `main`."
2026-04-17 14:26:31 +02:00
} ,
"mode" : {
"oneOf" : [
{
"type" : "null"
} ,
{
2026-04-25 16:36:51 +02:00
"$ref" : "#/components/schemas/LoadMode" ,
"description" : "How existing rows are handled. Defaults to `merge`."
2026-04-17 14:26:31 +02:00
}
]
}
}
} ,
"IngestTableOutput" : {
"type" : "object" ,
"required" : [
"table_key" ,
"rows_loaded"
] ,
"properties" : {
"rows_loaded" : {
"type" : "integer" ,
"minimum" : 0
} ,
"table_key" : {
"type" : "string"
}
}
} ,
"LoadMode" : {
"type" : "string" ,
"description" : "Shadow enum for documenting [`LoadMode`] in the OpenAPI schema." ,
"enum" : [
"overwrite" ,
"append" ,
"merge"
]
} ,
2026-04-30 08:52:50 +02:00
"ManifestConflictOutput" : {
"type" : "object" ,
"description" : "Structured details for a publisher-level OCC failure. Surfaces alongside\nHTTP 409 when a write was rejected because the caller's pre-write view of\none table's manifest version was stale relative to the current head. The\nexpected/actual fields tell the client which table to refresh." ,
"required" : [
"table_key" ,
"expected" ,
"actual"
] ,
"properties" : {
"actual" : {
"type" : "integer" ,
"format" : "int64" ,
"minimum" : 0
} ,
"expected" : {
"type" : "integer" ,
"format" : "int64" ,
"minimum" : 0
} ,
"table_key" : {
"type" : "string"
}
}
} ,
2026-04-17 14:26:31 +02:00
"MergeConflictKindOutput" : {
"type" : "string" ,
"enum" : [
"divergent_insert" ,
"divergent_update" ,
"delete_vs_update" ,
"orphan_edge" ,
"unique_violation" ,
"cardinality_violation" ,
"value_constraint_violation"
]
} ,
"MergeConflictOutput" : {
"type" : "object" ,
"required" : [
"table_key" ,
"kind" ,
"message"
] ,
"properties" : {
"kind" : {
"$ref" : "#/components/schemas/MergeConflictKindOutput"
} ,
"message" : {
"type" : "string"
} ,
"row_id" : {
"type" : [
"string" ,
"null"
]
} ,
"table_key" : {
"type" : "string"
}
}
} ,
"ReadOutput" : {
"type" : "object" ,
"required" : [
"query_name" ,
"target" ,
"row_count" ,
"rows"
] ,
"properties" : {
"columns" : {
"type" : "array" ,
"items" : {
"type" : "string"
}
} ,
"query_name" : {
"type" : "string"
} ,
"row_count" : {
"type" : "integer" ,
"minimum" : 0
} ,
"rows" : { } ,
"target" : {
"$ref" : "#/components/schemas/ReadTargetOutput"
}
}
} ,
"ReadRequest" : {
"type" : "object" ,
"required" : [
"query_source"
] ,
"properties" : {
"branch" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Branch to read from. Mutually exclusive with `snapshot`. Defaults to `main`."
} ,
"params" : {
"description" : "JSON object whose keys match the query's declared parameters."
2026-04-17 14:26:31 +02:00
} ,
"query_name" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Name of the query to run when `query_source` declares multiple. Optional\nwhen only one query is declared."
2026-04-17 14:26:31 +02:00
} ,
"query_source" : {
2026-04-25 16:36:51 +02:00
"type" : "string" ,
"description" : "GQ query source. May declare one or more named queries; pick one with\n`query_name` if there is more than one." ,
"example" : "query get_person($name: String) {\n match {\n $p: Person { name: $name }\n }\n return { $p.name, $p.age }\n}"
2026-04-17 14:26:31 +02:00
} ,
"snapshot" : {
"type" : [
"string" ,
"null"
2026-04-25 16:36:51 +02:00
] ,
"description" : "Snapshot id to read from. Mutually exclusive with `branch`."
2026-04-17 14:26:31 +02:00
}
}
} ,
"ReadTargetOutput" : {
"type" : "object" ,
"properties" : {
"branch" : {
"type" : [
"string" ,
"null"
]
} ,
"snapshot" : {
"type" : [
"string" ,
"null"
]
}
}
} ,
"SchemaApplyOutput" : {
"type" : "object" ,
"required" : [
"uri" ,
"supported" ,
"applied" ,
"step_count" ,
"manifest_version" ,
"steps"
] ,
"properties" : {
"applied" : {
"type" : "boolean"
} ,
"manifest_version" : {
"type" : "integer" ,
"format" : "int64" ,
"minimum" : 0
} ,
"step_count" : {
"type" : "integer" ,
"minimum" : 0
} ,
"steps" : {
"type" : "array" ,
"items" : { }
} ,
"supported" : {
"type" : "boolean"
} ,
"uri" : {
"type" : "string"
}
}
} ,
"SchemaApplyRequest" : {
"type" : "object" ,
"required" : [
"schema_source"
] ,
"properties" : {
schema: HTTP allow_data_loss exposure + e2e drop coverage (MR-694 follow-up) (#107)
The schema-lint chassis v1.2 (PR #100) shipped `--allow-data-loss` on
the CLI, but `SchemaApplyRequest` had no equivalent field — Hard-mode
drops were CLI-only. This commit closes that feature gap and adds e2e
test coverage for drop modes across HTTP + CLI, plus data preservation
on additive apply, plus a CLI↔SDK plan-parity assertion.
Feature gap closed:
- `crates/omnigraph-server/src/api.rs` — added `allow_data_loss: bool`
(default false via `#[serde(default)]`) to `SchemaApplyRequest`.
Added `Default` derive so test usages can use `..Default::default()`.
- `crates/omnigraph-server/src/lib.rs` — `server_schema_apply` now
constructs `SchemaApplyOptions { allow_data_loss: request.allow_data_loss }`
and threads through to `apply_schema_as`.
- `crates/omnigraph-cli/src/main.rs` — remote-URI schema-apply path
used to bail with "--allow-data-loss not yet supported on remote";
now forwards the flag into the JSON payload so the CLI behaves
identically against local and remote URIs.
- `openapi.json` — regenerated; only diff is the new field on
`SchemaApplyRequest`.
Tests added (8 new):
* `crates/omnigraph-server/tests/server.rs` (+5):
- `schema_apply_route_soft_drops_property_via_http` — POST schema
removing nullable property, verify catalog reflects the drop AND
`snapshot_at_version(pre)` still has `age` in the field list
(time-travel reachability is the Soft contract).
- `schema_apply_route_soft_drops_node_type_via_http` — POST schema
removing `Company` node + cascading `WorksAt` edge.
- `schema_apply_route_hard_drops_property_with_allow_data_loss` —
POST with `allow_data_loss: true`, verify plan step reports
`mode: hard`.
- `schema_apply_route_keeps_drops_soft_without_flag` — same schema
without flag, verify `mode: soft`. Pins default semantics against
accidental Hard promotion.
- `schema_apply_route_additive_property_preserves_existing_rows` —
load fixture, POST adding nullable property, verify row count
preserved (SDK suite covers data preservation on drops + renames;
additive AddProperty wasn't pinned).
Plus helpers `schema_without_age` and `schema_without_company`.
* `crates/omnigraph-cli/tests/cli.rs` (+3):
- `schema_apply_allow_data_loss_flag_promotes_drops_to_hard` — CLI
`omnigraph schema apply --allow-data-loss --schema X.pg --json`,
verify plan step has `mode: hard`.
- `schema_apply_without_allow_data_loss_keeps_soft_drops` — without
flag, verify Soft.
- `schema_plan_parity_cli_and_sdk` — same `.pg` source through
`Omnigraph::plan_schema` (SDK) and `omnigraph schema plan --json`
(CLI), assert the steps array is byte-identical post-JSON. HTTP
has no `/schema/plan` endpoint; apply-side parity is implicitly
covered by the HTTP drop tests + CLI drop tests using identical
fixtures.
Docs:
- `docs/user/schema-language.md` — new "Destructive drops" section
documenting Soft vs Hard semantics and that `allow_data_loss` is
now honored uniformly across CLI / HTTP / SDK.
Verification: every new test passes; full `cargo test --workspace --locked`
green; `scripts/check-agents-md.sh` passes.
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-19 01:56:46 +03:00
"allow_data_loss" : {
"type" : "boolean" ,
"description" : "When true, promote every `DropMode::Soft` step in the plan to\n`DropMode::Hard`, making the prior column data unreachable\nafter the apply. Matches the CLI's `--allow-data-loss` flag.\nDefaults to `false` (drops remain reversible via time travel)."
} ,
2026-04-17 14:26:31 +02:00
"schema_source" : {
2026-04-25 16:36:51 +02:00
"type" : "string" ,
"description" : "Project schema in `.pg` source form. The diff against the current\nschema produces the migration steps that will be applied." ,
"example" : "node Person {\n name: String @key\n age: I32?\n}\n\nedge Knows: Person -> Person"
2026-04-17 14:26:31 +02:00
}
}
} ,
2026-04-18 20:24:39 +02:00
"SchemaOutput" : {
"type" : "object" ,
"required" : [
"schema_source"
] ,
"properties" : {
"schema_source" : {
"type" : "string"
}
}
} ,
2026-04-17 14:26:31 +02:00
"SnapshotOutput" : {
"type" : "object" ,
"required" : [
"branch" ,
"manifest_version" ,
"tables"
] ,
"properties" : {
"branch" : {
"type" : "string"
} ,
"manifest_version" : {
"type" : "integer" ,
"format" : "int64" ,
"minimum" : 0
} ,
"tables" : {
"type" : "array" ,
"items" : {
"$ref" : "#/components/schemas/SnapshotTableOutput"
}
}
}
} ,
"SnapshotTableOutput" : {
"type" : "object" ,
"required" : [
"table_key" ,
"table_path" ,
"table_version" ,
"row_count"
] ,
"properties" : {
"row_count" : {
"type" : "integer" ,
"format" : "int64" ,
"minimum" : 0
} ,
"table_branch" : {
"type" : [
"string" ,
"null"
]
} ,
"table_key" : {
"type" : "string"
} ,
"table_path" : {
"type" : "string"
} ,
"table_version" : {
"type" : "integer" ,
"format" : "int64" ,
"minimum" : 0
}
}
}
} ,
"securitySchemes" : {
"bearer_token" : {
"type" : "http" ,
"scheme" : "bearer"
}
}
}
}
