mirror of
https://github.com/ModernRelay/omnigraph.git
synced 2026-06-30 02:49:39 +02:00
mr-668: comment cleanup and policy format style
Strip "PR Na/Nb" sub-PR references throughout MR-668 surfaces — they were useful during the 10-PR delivery sequence but rot now that the work is in the tree. Keep the MR-668 umbrella references. Also: - Add explicit `when = when` and `resource_literal = resource_literal` named args in `compile_policy_source`'s outer `format!` to match the surrounding crate style (already explicit for `group` and `action`). - Rename the best-effort cleanup tracing target from "omnigraph::init" to "omnigraph::init::cleanup" so operators can filter init-failure cleanup events separately from init's other log lines. No behavior change. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
937fd6382d
commit
52f28cebe8
7 changed files with 16 additions and 14 deletions
|
|
@ -591,7 +591,7 @@ fn compile_entities(config: &PolicyConfig, graph_id: &str, schema: &Schema) -> R
|
||||||
entities.extend(actor_entities);
|
entities.extend(actor_entities);
|
||||||
entities.push(graph_entity);
|
entities.push(graph_entity);
|
||||||
|
|
||||||
// MR-668 PR 6a: include the `Omnigraph::Server::"root"` entity
|
// MR-668: include the `Omnigraph::Server::"root"` entity
|
||||||
// whenever any rule references a server-scoped action. Cedar's
|
// whenever any rule references a server-scoped action. Cedar's
|
||||||
// schema validator will otherwise reject the policy. Keeping this
|
// schema validator will otherwise reject the policy. Keeping this
|
||||||
// conditional (rather than always-on) avoids polluting test
|
// conditional (rather than always-on) avoids polluting test
|
||||||
|
|
@ -648,7 +648,7 @@ fn compile_policy_source(rule: &PolicyRule, action: &PolicyAction, graph_id: &st
|
||||||
format!("\nwhen {{ {} }}", conditions.join(" && "))
|
format!("\nwhen {{ {} }}", conditions.join(" && "))
|
||||||
};
|
};
|
||||||
|
|
||||||
// MR-668 PR 6a: emit the resource literal that matches the action's
|
// MR-668: emit the resource literal that matches the action's
|
||||||
// `resource_kind`. Per-graph actions reference the engine's
|
// `resource_kind`. Per-graph actions reference the engine's
|
||||||
// `Omnigraph::Graph::"<graph_label>"` instance; server-scoped
|
// `Omnigraph::Graph::"<graph_label>"` instance; server-scoped
|
||||||
// actions reference the singleton `Omnigraph::Server::"root"`.
|
// actions reference the singleton `Omnigraph::Server::"root"`.
|
||||||
|
|
@ -669,6 +669,8 @@ fn compile_policy_source(rule: &PolicyRule, action: &PolicyAction, graph_id: &st
|
||||||
){when};"#,
|
){when};"#,
|
||||||
group = cedar_literal(&rule.allow.actors.group),
|
group = cedar_literal(&rule.allow.actors.group),
|
||||||
action = cedar_literal(action.as_str()),
|
action = cedar_literal(action.as_str()),
|
||||||
|
when = when,
|
||||||
|
resource_literal = resource_literal,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -697,7 +699,7 @@ fn target_branch_scope_condition(scope: PolicyBranchScope) -> String {
|
||||||
}
|
}
|
||||||
|
|
||||||
fn policy_schema_source() -> &'static str {
|
fn policy_schema_source() -> &'static str {
|
||||||
// MR-668 PR 6a: `entity Server;` plus the `graph_list` action that
|
// MR-668: `entity Server;` plus the `graph_list` action that
|
||||||
// binds to it. Per-graph actions stay bound to `Graph`.
|
// binds to it. Per-graph actions stay bound to `Graph`.
|
||||||
// The Cedar schema string lives here (not on a fixture file) so any
|
// The Cedar schema string lives here (not on a fixture file) so any
|
||||||
// omnigraph-policy build picks up the new vocabulary in lock-step
|
// omnigraph-policy build picks up the new vocabulary in lock-step
|
||||||
|
|
|
||||||
|
|
@ -468,7 +468,7 @@ pub fn read_target_output(target: &ReadTarget) -> ReadTargetOutput {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// ─── MR-668 PR 6b — management endpoint shapes ─────────────────────────────
|
// ─── MR-668 — management endpoint shapes ──────────────────────────────────
|
||||||
|
|
||||||
/// One entry in the response from `GET /graphs`. Cluster operators
|
/// One entry in the response from `GET /graphs`. Cluster operators
|
||||||
/// consume this list to discover which graphs the server is currently
|
/// consume this list to discover which graphs the server is currently
|
||||||
|
|
|
||||||
|
|
@ -157,7 +157,7 @@ pub enum ServerConfigMode {
|
||||||
/// non-empty `graphs:` map and no single-mode selector.
|
/// non-empty `graphs:` map and no single-mode selector.
|
||||||
Multi {
|
Multi {
|
||||||
/// Per-graph startup configs, sorted by graph id (BTreeMap
|
/// Per-graph startup configs, sorted by graph id (BTreeMap
|
||||||
/// iteration order). PR 5's parallel-open loop iterates this.
|
/// iteration order). The parallel-open loop iterates this.
|
||||||
graphs: Vec<GraphStartupConfig>,
|
graphs: Vec<GraphStartupConfig>,
|
||||||
/// Path to the config file the server was started from. Kept on
|
/// Path to the config file the server was started from. Kept on
|
||||||
/// the mode so future runtime mutation (deferred — see release
|
/// the mode so future runtime mutation (deferred — see release
|
||||||
|
|
@ -214,8 +214,8 @@ pub struct AppState {
|
||||||
/// Topology + (single mode only) the single graph's URI for
|
/// Topology + (single mode only) the single graph's URI for
|
||||||
/// startup wiring. The registry below is the runtime source of truth.
|
/// startup wiring. The registry below is the runtime source of truth.
|
||||||
mode: ServerMode,
|
mode: ServerMode,
|
||||||
/// PR 2 (MR-686) + PR 4a (MR-668): the engine and per-graph policy
|
/// MR-686 + MR-668: the engine and per-graph policy live inside
|
||||||
/// now live inside `GraphHandle`s in the registry. Reads via
|
/// `GraphHandle`s in the registry. Reads via
|
||||||
/// `ArcSwap` are lock-free; mutations (currently only `insert`)
|
/// `ArcSwap` are lock-free; mutations (currently only `insert`)
|
||||||
/// serialize through the registry's internal mutex.
|
/// serialize through the registry's internal mutex.
|
||||||
registry: Arc<GraphRegistry>,
|
registry: Arc<GraphRegistry>,
|
||||||
|
|
@ -433,7 +433,7 @@ impl AppState {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Multi-mode constructor — used by PR 5's startup loop. Operators
|
/// Multi-mode constructor — used by the startup loop. Operators
|
||||||
/// reach this by invoking `omnigraph-server --config omnigraph.yaml`
|
/// reach this by invoking `omnigraph-server --config omnigraph.yaml`
|
||||||
/// with a non-empty `graphs:` map.
|
/// with a non-empty `graphs:` map.
|
||||||
///
|
///
|
||||||
|
|
@ -1204,7 +1204,7 @@ async fn server_openapi(State(state): State<AppState>) -> Json<utoipa::openapi::
|
||||||
if !state.requires_bearer_auth() {
|
if !state.requires_bearer_auth() {
|
||||||
strip_security(&mut doc);
|
strip_security(&mut doc);
|
||||||
}
|
}
|
||||||
// MR-668 PR 4b: in multi mode, the protected routes live under
|
// MR-668: in multi mode, the protected routes live under
|
||||||
// `/graphs/{graph_id}/...`. Rewrite the doc so the spec matches
|
// `/graphs/{graph_id}/...`. Rewrite the doc so the spec matches
|
||||||
// the routes the router actually serves. Public paths (`/healthz`)
|
// the routes the router actually serves. Public paths (`/healthz`)
|
||||||
// stay flat in both modes.
|
// stay flat in both modes.
|
||||||
|
|
@ -1329,7 +1329,7 @@ async fn require_bearer_auth(
|
||||||
Ok(next.run(request).await)
|
Ok(next.run(request).await)
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Routing middleware (MR-668 PR 4a). Resolves the active graph for the
|
/// Routing middleware (MR-668). Resolves the active graph for the
|
||||||
/// request and injects `Arc<GraphHandle>` as an extension so handlers can
|
/// request and injects `Arc<GraphHandle>` as an extension so handlers can
|
||||||
/// extract it via `Extension<Arc<GraphHandle>>`.
|
/// extract it via `Extension<Arc<GraphHandle>>`.
|
||||||
///
|
///
|
||||||
|
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
||||||
//! `GraphRegistry` — the multi-graph routing substrate (MR-668 PR 3).
|
//! `GraphRegistry` — the multi-graph routing substrate (MR-668).
|
||||||
//!
|
//!
|
||||||
//! Holds the open `Arc<GraphHandle>` for every graph the server is currently
|
//! Holds the open `Arc<GraphHandle>` for every graph the server is currently
|
||||||
//! serving. Lock-free reads via `ArcSwap<RegistrySnapshot>`; mutations
|
//! serving. Lock-free reads via `ArcSwap<RegistrySnapshot>`; mutations
|
||||||
|
|
|
||||||
|
|
@ -960,7 +960,7 @@ fn openapi_spec_is_up_to_date() {
|
||||||
}
|
}
|
||||||
|
|
||||||
// ---------------------------------------------------------------------------
|
// ---------------------------------------------------------------------------
|
||||||
// MR-668 PR 4b — multi-mode OpenAPI cluster filter
|
// MR-668 — multi-mode OpenAPI cluster filter
|
||||||
// ---------------------------------------------------------------------------
|
// ---------------------------------------------------------------------------
|
||||||
//
|
//
|
||||||
// In multi-graph mode, `/openapi.json` reports cluster routes
|
// In multi-graph mode, `/openapi.json` reports cluster routes
|
||||||
|
|
|
||||||
|
|
@ -4334,7 +4334,7 @@ async fn schema_apply_route_additive_property_preserves_existing_rows() {
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
// ─── MR-668 PR 5: multi-graph startup ─────────────────────────────────────
|
// ─── MR-668: multi-graph startup ──────────────────────────────────────────
|
||||||
|
|
||||||
mod multi_graph_startup {
|
mod multi_graph_startup {
|
||||||
use super::*;
|
use super::*;
|
||||||
|
|
|
||||||
|
|
@ -1551,7 +1551,7 @@ async fn best_effort_cleanup_init_artifacts(root: &str, storage: &dyn StorageAda
|
||||||
] {
|
] {
|
||||||
if let Err(err) = storage.delete(&uri).await {
|
if let Err(err) = storage.delete(&uri).await {
|
||||||
tracing::warn!(
|
tracing::warn!(
|
||||||
target: "omnigraph::init",
|
target: "omnigraph::init::cleanup",
|
||||||
uri = %uri,
|
uri = %uri,
|
||||||
error = %err,
|
error = %err,
|
||||||
"init failed; best-effort cleanup could not delete artifact",
|
"init failed; best-effort cleanup could not delete artifact",
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue