Surface policy-engine errors from stored-query invoke

The invoke handler mapped every authorize_request failure to 404 ('stored query not found'), which collapsed the authorization decision (deny -> 403) together with operational failures (no actor -> 401, Cedar evaluation error -> 500). A real policy-engine 500 was hidden as a missing query. Separate the two concerns instead of sniffing the masked status. Extract authorize() returning an Authz { Allowed, Denied(msg) } decision and reserve Err for operational failures only; authorize_request becomes a thin wrapper that maps Denied -> 403, so the 16 deny-as-403 callers are unchanged. The invoke handler now matches the decision directly: a denial stays 404 (deny == missing, so the catalog can't be probed without the grant), while a 401/500 propagates with its true status. 500 is now a reachable outcome on POST /queries/{name}; document it in the endpoint responses and regenerate openapi.json.
2026-06-12 01:45:14 +02:00 · 2026-06-01 11:28:00 +02:00 · 2026-06-01 11:28:00 +02:00 · 200fcbb215
commit 200fcbb215
parent 98831d4fa9
2 changed files with 137 additions and 13 deletions
--- a/openapi.json
+++ b/openapi.json
@ -975,6 +975,16 @@
                }
              }
            }
+          },
+          "500": {
+            "description": "Policy evaluation error (a denial is reported as 404, not 500)",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorOutput"
+                }
+              }
+            }
          }
        },
        "security": [