feat(cli)!: excise omnigraph.yaml from the CLI; policy/queries tooling reads --cluster (#251)

The server already dropped omnigraph.yaml (cluster-only boot). This removes the
CLI's last use of the legacy `OmnigraphConfig`: graphs are addressed only via
`--store`/`--server`/`--cluster`/`--profile`/operator defaults, and actor,
output format, and bearer credentials come from `~/.omnigraph/config.yaml`.
After this change no CLI command reads `omnigraph.yaml` except `config migrate`.

Resolvers (helpers.rs): drop every legacy fallback —
- `resolve_actor` → `--as` > `operator.actor` (no `cli.actor`);
- `resolve_read_format` → `--json`/`--format` > alias > `defaults.output`;
- `resolve_branch`/`resolve_read_target` → `--branch` > alias > "main";
- `resolve_uri`/`resolve_cli_graph` → scope path only; an absent address is a
  loud error;
- `resolve_remote_bearer_token` → operator keyed chain + `OMNIGRAPH_BEARER_TOKEN`.
`GraphClient::resolve`/`resolve_with_policy` drop the `&OmnigraphConfig` param;
direct-store access carries no Cedar policy (policy lives in the cluster/server).

Flags (cli.rs): remove `--config` from every data/query command; it stays only
on `cluster *` (the cluster dir) and `config migrate` (the legacy path).

Re-home control-plane tooling to `--cluster` (RFC-011):
- `policy validate|test|explain` source the Cedar bundle from the cluster's
  applied policies; `--graph` picks a graph's bundle; `policy test` takes
  `--tests <file>`;
- `queries list|validate` source the registry + schemas from the cluster
  serving snapshot; `--graph` scopes to one graph;
- `lint` requires `--schema` (offline) or a direct/cluster graph target;
- `schema plan`/`lint` route their graph-target through the shared direct-scope
  resolver so `--store`/`--profile`/`defaults.store` addressing works.

Tests migrate from `omnigraph.yaml` fixtures to `--store`/operator-config/
`--cluster` (converged-cluster fixtures); the now-impossible command-path
RFC-008 tests are deleted (`config migrate` coverage kept). The
`OmnigraphConfig` type, `load_config`/deprecation machinery, and `config
migrate` are removed in a follow-up.

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

crates/omnigraph-cli/tests/cli_schema_config.rs

@@ -546,60 +546,22 @@ fn graphs_subcommand_help_lists_list_only() {
 
 #[test]
 fn graphs_list_against_local_uri_errors_with_remote_only_message() {
+    // RFC-011: `graphs list` is served-only; a `--store` (local) address has no
+    // enumeration endpoint, so it fails loudly pointing at a server / cluster.
     let output = output_failure(
         cli()
             .arg("graphs")
             .arg("list")
-            .arg("--uri")
+            .arg("--store")
             .arg("/tmp/local"),
     );
     let stderr = String::from_utf8_lossy(&output.stderr).into_owned();
     assert!(
-        stderr.contains("remote multi-graph server URL"),
-        "expected 'remote multi-graph server URL' rejection in stderr; got:\n{stderr}"
+        stderr.contains("remote multi-graph server"),
+        "expected a remote-server rejection in stderr; got:\n{stderr}"
     );
 }
 
-/// RFC-008 stage 1: loading a legacy omnigraph.yaml emits the per-key
-/// deprecation block (the migration map applied to THIS file), suppressible
-/// via OMNIGRAPH_SUPPRESS_YAML_DEPRECATION.
-#[test]
-fn legacy_config_load_warns_per_key_and_suppression_silences() {
-    let temp = tempdir().unwrap();
-    fs::write(
-        temp.path().join("omnigraph.yaml"),
-        "cli:\n  actor: act-x\ngraphs:\n  g:\n    uri: /tmp/never-opened\n",
-    )
-    .unwrap();
-
-    // `graphs list --json` loads the config and exits without touching the
-    // graph URI.
-    let output = cli()
-        .current_dir(temp.path())
-        .arg("graphs")
-        .arg("list")
-        .arg("--json")
-        .output()
-        .unwrap();
-    let stderr = String::from_utf8_lossy(&output.stderr);
-    assert!(
-        stderr.contains("deprecated (RFC-008)") && stderr.contains("`cli.actor` -> `operator.actor`"),
-        "{stderr}"
-    );
-    assert!(stderr.contains("config migrate"), "{stderr}");
-
-    let output = cli()
-        .current_dir(temp.path())
-        .env("OMNIGRAPH_SUPPRESS_YAML_DEPRECATION", "1")
-        .arg("graphs")
-        .arg("list")
-        .arg("--json")
-        .output()
-        .unwrap();
-    let stderr = String::from_utf8_lossy(&output.stderr);
-    assert!(!stderr.contains("deprecated (RFC-008)"), "{stderr}");
-}
-
 /// RFC-008 stage 2: `config migrate` proposes the split read-only, applies
 /// it with --write (operator merge never clobbers; cluster.yaml emitted),
 /// and a second --write is idempotent.
@@ -671,38 +633,3 @@ fn config_migrate_splits_legacy_config() {
     assert!(temp.path().join("cluster.yaml.proposed").exists());
 }
 
-/// RFC-008 stage 4: OMNIGRAPH_NO_LEGACY_CONFIG refuses a present legacy
-/// file (pointing at config migrate) but changes nothing on migrated
-/// setups with no file.
-#[test]
-fn strict_mode_refuses_legacy_file_but_not_its_absence() {
-    let temp = tempdir().unwrap();
-    fs::write(temp.path().join("omnigraph.yaml"), "cli:\n  actor: a\n").unwrap();
-    let output = cli()
-        .current_dir(temp.path())
-        .env("OMNIGRAPH_NO_LEGACY_CONFIG", "1")
-        .arg("graphs")
-        .arg("list")
-        .arg("--json")
-        .output()
-        .unwrap();
-    assert!(!output.status.success());
-    let stderr = String::from_utf8_lossy(&output.stderr);
-    assert!(
-        stderr.contains("OMNIGRAPH_NO_LEGACY_CONFIG") && stderr.contains("config migrate"),
-        "{stderr}"
-    );
-
-    // Migrated setup (no file): strict mode is a no-op — a config-loading
-    // command that tolerates empty defaults succeeds.
-    let clean = tempdir().unwrap();
-    let output = cli()
-        .current_dir(clean.path())
-        .env("OMNIGRAPH_NO_LEGACY_CONFIG", "1")
-        .arg("queries")
-        .arg("list")
-        .arg("--json")
-        .output()
-        .unwrap();
-    assert!(output.status.success(), "{output:?}");
-}