From 58855c0a7c61972fb6272aa5d205bbe375b3f7c0 Mon Sep 17 00:00:00 2001 From: aaltshuler Date: Thu, 11 Jun 2026 15:56:22 +0300 Subject: [PATCH] feat(cluster,server): inline policy content + config-free --cluster URI boot MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two serving changes that complete RFC-006's read side: ServingPolicy carries the policy bundle CONTENT (digest-verified at snapshot read) instead of a blob path — the catalog may live on object storage, and the server must not re-read mutable state after the snapshot. The server grows a PolicySource enum: File for omnigraph.yaml deployments (unchanged), Inline for cluster boots, wired through PolicyEngine::load_{graph,server}_from_source. read_serving_snapshot_from_storage(uri) reads the applied revision straight from a storage root, and --cluster accepts a scheme-qualified URI (s3://bucket/prefix): config-free serving — a serving box needs only the URI and credentials; the ledger and catalog on the bucket ARE the deployment artifact. Bare paths keep the config-directory behavior. Co-Authored-By: Claude Fable 5 --- crates/omnigraph-cluster/src/lib.rs | 2 +- crates/omnigraph-cluster/src/serve.rs | 33 +++++++++---- crates/omnigraph-cluster/src/tests.rs | 4 +- crates/omnigraph-server/src/lib.rs | 47 ++++++++++++++----- crates/omnigraph-server/src/main.rs | 8 ++-- crates/omnigraph-server/src/settings.rs | 44 ++++++++++++----- .../omnigraph-server/tests/boot_settings.rs | 24 +++++----- crates/omnigraph-server/tests/multi_graph.rs | 34 +++++++------- 8 files changed, 127 insertions(+), 69 deletions(-) diff --git a/crates/omnigraph-cluster/src/lib.rs b/crates/omnigraph-cluster/src/lib.rs index d97bb5b..1422dad 100644 --- a/crates/omnigraph-cluster/src/lib.rs +++ b/crates/omnigraph-cluster/src/lib.rs @@ -28,7 +28,7 @@ mod store; use store::{ClusterStore, StateLockGuard, StateSnapshot}; pub use types::*; use types::*; -pub use serve::{ServingGraph, ServingPolicy, ServingQuery, ServingSnapshot, read_serving_snapshot}; +pub use serve::{ServingGraph, ServingPolicy, ServingQuery, ServingSnapshot, read_serving_snapshot, read_serving_snapshot_from_storage}; use config::{QueriesDecl, observe_declared_graphs, validate_cluster_header, future_field_diagnostics, initial_import_state, observe_live_graph, preview_schema_migration, state_resource_digests, graph_address, policy_address, query_address, schema_address, load_desired, normalize_policy_target, parse_cluster_config, resolve_config_path, resolve_query_decls, validate_id, validate_query_source}; use diff::{FailedGraphOrigin, ResourceKind, append_policy_binding_changes, approved_resources, classify_changes, compute_approvals, compute_blast_radius, demote_dependents_of_failed_graphs, diff_resources, resource_kind}; use sweep::{mark_approvals_consumed, record_approval_consumed, sweep_recovery_sidecars, tombstone_graph_subtree, warn_pending_recovery_sidecars}; diff --git a/crates/omnigraph-cluster/src/serve.rs b/crates/omnigraph-cluster/src/serve.rs index b459641..4abd0bf 100644 --- a/crates/omnigraph-cluster/src/serve.rs +++ b/crates/omnigraph-cluster/src/serve.rs @@ -23,7 +23,10 @@ pub struct ServingQuery { #[derive(Debug, Clone)] pub struct ServingPolicy { pub name: String, - pub blob_path: PathBuf, + /// The policy bundle CONTENT, digest-verified against the applied + /// revision at read time. Content, not a path: the catalog may live on + /// object storage, and the server must not re-read mutable state. + pub source: String, pub applies_to: Vec, } @@ -44,7 +47,6 @@ pub async fn read_serving_snapshot( config_dir: impl AsRef, ) -> Result> { let config_dir = config_dir.as_ref().to_path_buf(); - let mut diagnostics: Vec = Vec::new(); // The declared storage: root decides where the ledger/catalog/graphs // live; config parse errors surface through the normal validation path. let parsed = parse_cluster_config(&config_dir); @@ -62,6 +64,25 @@ pub async fn read_serving_snapshot( }, None => ClusterStore::for_config_dir(&config_dir), }; + read_snapshot_with_store(backend).await +} + +/// Read the applied revision directly from a storage root URI — config-free +/// serving: a `--cluster s3://bucket/prefix` server needs no local files at +/// all, only the bucket and credentials. The ledger and catalog ARE the +/// deployment artifact. +pub async fn read_serving_snapshot_from_storage( + storage_root: &str, +) -> Result> { + let backend = + ClusterStore::for_storage_root(storage_root).map_err(|diagnostic| vec![diagnostic])?; + read_snapshot_with_store(backend).await +} + +async fn read_snapshot_with_store( + backend: ClusterStore, +) -> Result> { + let mut diagnostics: Vec = Vec::new(); // A ledger a sweep is about to rewrite must not start serving. let sidecars = backend.list_recovery_sidecars(&mut diagnostics).await; @@ -136,13 +157,9 @@ pub async fn read_serving_snapshot( continue; }; match backend.read_verified_payload(&kind, &entry.digest, address).await { - Ok(_) => policies.push(ServingPolicy { + Ok(source) => policies.push(ServingPolicy { name: name.clone(), - blob_path: PathBuf::from( - backend - .payload_display(&kind, &entry.digest) - .expect("policy kind always has a payload path"), - ), + source, applies_to, }), Err(diagnostic) => diagnostics.push(diagnostic), diff --git a/crates/omnigraph-cluster/src/tests.rs b/crates/omnigraph-cluster/src/tests.rs index ba7019f..63e7da7 100644 --- a/crates/omnigraph-cluster/src/tests.rs +++ b/crates/omnigraph-cluster/src/tests.rs @@ -2843,7 +2843,9 @@ policies: assert!(snapshot.queries[0].source.contains("query find_person")); assert_eq!(snapshot.policies.len(), 1); assert_eq!(snapshot.policies[0].applies_to, vec!["graph.knowledge"]); - assert!(snapshot.policies[0].blob_path.exists()); + // Content, not a path: the catalog may live on object storage. + // The fixture bundle is `rules: []` — assert the verified text. + assert!(snapshot.policies[0].source.contains("rules:")); } #[tokio::test] diff --git a/crates/omnigraph-server/src/lib.rs b/crates/omnigraph-server/src/lib.rs index 1c70083..3bde2a7 100644 --- a/crates/omnigraph-server/src/lib.rs +++ b/crates/omnigraph-server/src/lib.rs @@ -193,18 +193,28 @@ pub enum ServerConfigMode { config_path: PathBuf, /// `server.policy.file` (server-level Cedar policy for the /// management endpoints). Wired into `GET /graphs` authorization. - server_policy_file: Option, + server_policy: Option, }, } +/// Where a Cedar policy bundle comes from at startup. File-based for +/// omnigraph.yaml deployments; inline (digest-verified catalog content) +/// for cluster-mode boots, where the catalog may live on object storage +/// and the server must not re-read mutable state after the snapshot. +#[derive(Debug, Clone)] +pub enum PolicySource { + File(PathBuf), + Inline(String), +} + /// One graph's startup-time configuration: id, opened URI, optional -/// per-graph policy file path. Constructed by `load_server_settings` +/// per-graph policy source. Constructed by `load_server_settings` /// in multi mode; consumed by `serve`'s parallel open loop. #[derive(Debug, Clone)] pub struct GraphStartupConfig { pub graph_id: String, pub uri: String, - pub policy_file: Option, + pub policy: Option, /// Per-graph stored-query registry, loaded and identity-checked at /// settings-build time; type-checked against the schema when this /// graph's engine opens. @@ -994,9 +1004,9 @@ pub async fn serve(config: ServerConfig) -> Result<()> { ServerConfigMode::Single { policy_file, .. } => policy_file.is_some(), ServerConfigMode::Multi { graphs, - server_policy_file, + server_policy, .. - } => server_policy_file.is_some() || graphs.iter().any(|g| g.policy_file.is_some()), + } => server_policy.is_some() || graphs.iter().any(|g| g.policy.is_some()), }; let runtime_state = classify_server_runtime_state( !tokens.is_empty(), @@ -1045,7 +1055,7 @@ pub async fn serve(config: ServerConfig) -> Result<()> { ServerConfigMode::Multi { graphs, config_path, - server_policy_file, + server_policy, } => { info!( bind = %bind, @@ -1054,7 +1064,7 @@ pub async fn serve(config: ServerConfig) -> Result<()> { config = %config_path.display(), "serving omnigraph" ); - open_multi_graph_state(graphs, tokens, server_policy_file.as_ref(), config_path).await? + open_multi_graph_state(graphs, tokens, server_policy.as_ref(), config_path).await? } }; @@ -1065,6 +1075,14 @@ pub async fn serve(config: ServerConfig) -> Result<()> { Ok(()) } +/// Load a graph-scoped policy bundle from either source kind. +fn load_graph_policy(source: &PolicySource, graph_id: &str) -> Result { + match source { + PolicySource::File(path) => Ok(PolicyEngine::load_graph(path, graph_id)?), + PolicySource::Inline(text) => Ok(PolicyEngine::load_graph_from_source(text, graph_id)?), + } +} + /// Parallel open of every graph in the startup config, with bounded /// concurrency (`buffer_unordered(4)`). Fail-fast — the first open error /// aborts startup; other in-flight opens are dropped (their `Omnigraph` @@ -1076,7 +1094,7 @@ pub async fn serve(config: ServerConfig) -> Result<()> { pub async fn open_multi_graph_state( graphs: Vec, tokens: Vec<(String, String)>, - server_policy_file: Option<&PathBuf>, + server_policy_source: Option<&PolicySource>, config_path: PathBuf, ) -> Result { use futures::{StreamExt, TryStreamExt}; @@ -1089,8 +1107,11 @@ pub async fn open_multi_graph_state( // The placeholder graph_id `"server"` is the sentinel the Cedar // resource-model refactor maps to the singleton // `Omnigraph::Server::"root"` entity at evaluation time. - let server_policy = match server_policy_file { - Some(path) => Some(PolicyEngine::load_server(path)?), + let server_policy = match server_policy_source { + Some(PolicySource::File(path)) => Some(PolicyEngine::load_server(path)?), + Some(PolicySource::Inline(source)) => { + Some(PolicyEngine::load_server_from_source(source)?) + } None => None, }; @@ -1128,9 +1149,9 @@ async fn open_single_graph(cfg: GraphStartupConfig) -> Result> // owned `Arc`, so no borrow of `db` survives into the match. let queries = validate_and_attach(cfg.queries, &db.catalog(), graph_id.as_str())?; - let (policy_arc, db) = match &cfg.policy_file { - Some(path) => { - let policy = PolicyEngine::load_graph(path, graph_id.as_str())?; + let (policy_arc, db) = match &cfg.policy { + Some(source) => { + let policy = load_graph_policy(source, graph_id.as_str())?; let policy_arc: Arc = Arc::new(policy); let checker = Arc::clone(&policy_arc) as Arc; (Some(policy_arc), db.with_policy(checker)) diff --git a/crates/omnigraph-server/src/main.rs b/crates/omnigraph-server/src/main.rs index 9000910..a138d12 100644 --- a/crates/omnigraph-server/src/main.rs +++ b/crates/omnigraph-server/src/main.rs @@ -14,10 +14,10 @@ struct Cli { target: Option, #[arg(long)] config: Option, - /// Boot from a cluster directory (the applied revision in - /// __cluster/state.json + content-addressed catalog blobs) instead of - /// omnigraph.yaml. Exclusive: cannot combine with , --target, or - /// --config. + /// Boot from a cluster: either a config directory (storage resolved + /// through cluster.yaml) or a storage-root URI directly + /// (s3://bucket/prefix — config-free serving from the bucket). + /// Exclusive: cannot combine with , --target, or --config. #[arg(long)] cluster: Option, #[arg(long)] diff --git a/crates/omnigraph-server/src/settings.rs b/crates/omnigraph-server/src/settings.rs index 6531c3a..59c437b 100644 --- a/crates/omnigraph-server/src/settings.rs +++ b/crates/omnigraph-server/src/settings.rs @@ -14,7 +14,19 @@ pub(crate) async fn load_cluster_settings( cli_bind: Option, cli_allow_unauthenticated: bool, ) -> Result { - let snapshot = omnigraph_cluster::read_serving_snapshot(cluster_dir).await.map_err(|diagnostics| { + // `--cluster` accepts either a config directory (the ledger location is + // resolved through cluster.yaml's `storage:` key) or a storage-root URI + // directly (`s3://bucket/prefix`) — config-free serving: the ledger and + // catalog on the bucket ARE the deployment artifact. + // Any scheme-qualified argument (s3://, file://) is a storage root; a + // bare path is a config directory. + let cluster_arg = cluster_dir.to_string_lossy(); + let snapshot = if cluster_arg.contains("://") { + omnigraph_cluster::read_serving_snapshot_from_storage(cluster_arg.as_ref()).await + } else { + omnigraph_cluster::read_serving_snapshot(cluster_dir).await + } + .map_err(|diagnostics| { let details = diagnostics .iter() .map(|diagnostic| format!("[{}] {}: {}", diagnostic.code, diagnostic.path, diagnostic.message)) @@ -26,19 +38,25 @@ pub(crate) async fn load_cluster_settings( // Bindings -> Cedar slots. The serving pipeline loads one bundle per // graph plus one server-level bundle; stacked bundles per scope are a // later slice — refuse loudly rather than silently merging policy. - let mut server_policy_file: Option = None; - let mut graph_policy_files: BTreeMap = BTreeMap::new(); + let mut server_policy: Option = None; + let mut graph_policies: BTreeMap = BTreeMap::new(); for policy in &snapshot.policies { for binding in &policy.applies_to { if binding == "cluster" { - if server_policy_file.replace(policy.blob_path.clone()).is_some() { + if server_policy + .replace(PolicySource::Inline(policy.source.clone())) + .is_some() + { bail!( "multiple policy bundles bind the cluster scope; cluster-mode serving supports one bundle per scope — split or merge bundles (multi-bundle scopes are a later slice)" ); } } else if let Some(graph_id) = binding.strip_prefix("graph.") { - if graph_policy_files - .insert(graph_id.to_string(), policy.blob_path.clone()) + if graph_policies + .insert( + graph_id.to_string(), + PolicySource::Inline(policy.source.clone()), + ) .is_some() { bail!( @@ -80,7 +98,7 @@ pub(crate) async fn load_cluster_settings( graphs.push(GraphStartupConfig { graph_id: graph.graph_id.clone(), uri: graph.root.to_string_lossy().to_string(), - policy_file: graph_policy_files.get(&graph.graph_id).cloned(), + policy: graph_policies.get(&graph.graph_id).cloned(), queries: registry, }); } @@ -97,7 +115,7 @@ pub(crate) async fn load_cluster_settings( mode: ServerConfigMode::Multi { graphs, config_path: cluster_dir.clone(), - server_policy_file, + server_policy, }, bind: cli_bind.unwrap_or_else(|| "127.0.0.1:8080".to_string()), allow_unauthenticated: cli_allow_unauthenticated || env_unauth, @@ -226,18 +244,18 @@ pub async fn load_server_settings( graphs.push(GraphStartupConfig { graph_id: name.clone(), uri, - policy_file: config.resolve_target_policy_file(name), + policy: config.resolve_target_policy_file(name).map(PolicySource::File), queries, }); } let config_path = config_path .cloned() .expect("has_explicit_config implies config_path is Some"); - let server_policy_file = config.resolve_server_policy_file(); + let server_policy = config.resolve_server_policy_file().map(PolicySource::File); ServerConfigMode::Multi { graphs, config_path, - server_policy_file, + server_policy, } } else { // Rule 5 → error with migration hint. @@ -729,11 +747,11 @@ server: .join("alpha.omni") .to_string_lossy() .into_owned(), - policy_file: None, + policy: None, queries: crate::queries::QueryRegistry::default(), }], config_path: temp.path().join("omnigraph.yaml"), - server_policy_file: Some(policy_path), + server_policy: Some(crate::PolicySource::File(policy_path)), }, bind: "127.0.0.1:0".to_string(), allow_unauthenticated: false, diff --git a/crates/omnigraph-server/tests/boot_settings.rs b/crates/omnigraph-server/tests/boot_settings.rs index 0e75486..3869d27 100644 --- a/crates/omnigraph-server/tests/boot_settings.rs +++ b/crates/omnigraph-server/tests/boot_settings.rs @@ -702,12 +702,14 @@ graphs: let alpha = &graphs[0]; let beta = &graphs[1]; assert_eq!(alpha.graph_id, "alpha"); - assert_eq!( - alpha.policy_file.as_ref().unwrap(), - &temp.path().join("policies/alpha.yaml") - ); + let omnigraph_server::PolicySource::File(alpha_policy) = + alpha.policy.as_ref().unwrap() + else { + panic!("yaml-configured policy must stay file-based"); + }; + assert_eq!(alpha_policy, &temp.path().join("policies/alpha.yaml")); assert_eq!(beta.graph_id, "beta"); - assert!(beta.policy_file.is_none()); + assert!(beta.policy.is_none()); } /// `server.policy.file` resolves alongside the graphs map. @@ -729,13 +731,11 @@ graphs: .unwrap(); let settings = load_server_settings(Some(&config_path), None, None, None, None, true).await.unwrap(); match settings.mode { - ServerConfigMode::Multi { - server_policy_file, .. - } => { - assert_eq!( - server_policy_file.unwrap(), - temp.path().join("server-policy.yaml") - ); + ServerConfigMode::Multi { server_policy, .. } => { + let omnigraph_server::PolicySource::File(path) = server_policy.unwrap() else { + panic!("yaml-configured server policy must stay file-based"); + }; + assert_eq!(path, temp.path().join("server-policy.yaml")); } _ => panic!("expected Multi"), } diff --git a/crates/omnigraph-server/tests/multi_graph.rs b/crates/omnigraph-server/tests/multi_graph.rs index 251f899..5ad847f 100644 --- a/crates/omnigraph-server/tests/multi_graph.rs +++ b/crates/omnigraph-server/tests/multi_graph.rs @@ -401,14 +401,14 @@ async fn cluster_boot_serves_applied_state() { let omnigraph_server::ServerConfigMode::Multi { graphs, config_path, - server_policy_file, + server_policy, } = settings.mode else { panic!("cluster boot must select multi-graph routing"); }; assert_eq!(graphs.len(), 1); assert_eq!(graphs[0].graph_id, "knowledge"); - assert!(server_policy_file.is_none()); + assert!(server_policy.is_none()); let state = omnigraph_server::open_multi_graph_state(graphs, Vec::new(), None, config_path) @@ -516,26 +516,26 @@ graphs: let settings = cluster_settings(temp.path()).await.unwrap(); let omnigraph_server::ServerConfigMode::Multi { graphs, - server_policy_file, + server_policy, .. } = settings.mode else { panic!("cluster boot must select multi-graph routing"); }; - let graph_policy = graphs[0].policy_file.as_ref().expect("graph-bound bundle"); - assert!( - graph_policy - .to_string_lossy() - .contains("__cluster/resources/policy/graph_rules/"), - "{graph_policy:?}" - ); - let server_policy = server_policy_file.expect("cluster-bound bundle"); - assert!( - server_policy - .to_string_lossy() - .contains("__cluster/resources/policy/cluster_rules/"), - "{server_policy:?}" - ); + // Cluster boots carry policy CONTENT (digest-verified catalog blobs), + // not paths — the catalog may live on object storage. + let omnigraph_server::PolicySource::Inline(graph_policy) = + graphs[0].policy.as_ref().expect("graph-bound bundle") + else { + panic!("cluster-mode graph policy must be inline content"); + }; + assert!(graph_policy.contains("actors:"), "{graph_policy:?}"); + let omnigraph_server::PolicySource::Inline(server_policy) = + server_policy.expect("cluster-bound bundle") + else { + panic!("cluster-mode server policy must be inline content"); + }; + assert!(server_policy.contains("kind: server"), "{server_policy:?}"); } #[tokio::test]