Add cluster state lock recovery

2026-06-12 01:45:14 +02:00 · 2026-06-09 02:12:00 +03:00 · 2026-06-09 02:12:00 +03:00 · 89b876c797
commit 89b876c797
parent 737a0f6e45
6 changed files with 597 additions and 51 deletions
--- a/docs/user/cli-reference.md
+++ b/docs/user/cli-reference.md
@ -19,7 +19,7 @@ Top-level command families and subcommands. Graph-targeting commands accept eith
 | `commit list \| show` | inspect commit graph |
 | `schema plan \| apply \| show (alias: get)` | migrations |
 | `lint` (alias: `check`) | offline / graph-backed query validation. Replaces `query lint` / `query check`, which are kept as deprecated argv-level shims that print a one-line warning and rewrite to `omnigraph lint` |
-| `cluster validate \| plan \| status \| refresh \| import` | cluster-control preview. `validate` checks a local `cluster.yaml` folder and referenced schema/query/policy files; `plan` diffs it against local JSON state at `__cluster/state.json`; `status` reads the state ledger; `refresh`/`import` explicitly update local JSON state from read-only graph observations. No apply, graph-resource mutation, server change, or `plan --refresh` occurs in Stage 2B |
+| `cluster validate \| plan \| status \| refresh \| import \| force-unlock` | cluster-control preview. `validate` checks a local `cluster.yaml` folder and referenced schema/query/policy files; `plan` diffs it against local JSON state at `__cluster/state.json`; `status` reads the state ledger; `refresh`/`import` explicitly update local JSON state from read-only graph observations; `force-unlock <LOCK_ID>` manually removes a held local state lock by exact id. No apply, graph-resource mutation, server change, automatic stale-lock breaking, or `plan --refresh` occurs in Stage 2C |
 | `optimize` | non-destructive Lance compaction (skips tables with `Blob` columns or uncovered drift; `--json` reports `skipped`) |
 | `repair [--confirm] [--force]` | preview or explicitly publish uncovered manifest/head drift. `--confirm` heals verified maintenance drift and exits non-zero if suspicious/unverifiable drift is refused; `--force --confirm` publishes suspicious/unverifiable drift after operator review |
 | `cleanup --keep N --older-than 7d --confirm` | destructive version GC |
@ -81,19 +81,22 @@ omnigraph cluster plan     --config ./company-brain --json
 omnigraph cluster status   --config ./company-brain --json
 omnigraph cluster refresh  --config ./company-brain --json
 omnigraph cluster import   --config ./company-brain --json
+omnigraph cluster force-unlock <LOCK_ID> --config ./company-brain --json
 ```

 `--config` is a directory containing `cluster.yaml`; it defaults to `.`.
-Stage 2B accepts graphs, schemas, stored queries, and policy bundle file
+Stage 2C accepts graphs, schemas, stored queries, and policy bundle file
 references. `cluster plan` reads local JSON state from
 `<config-dir>/__cluster/state.json`; a missing file means empty state. Plan,
 refresh, and import acquire `__cluster/lock.json` by default and release it
 before returning. `cluster status` reads state only and reports any existing
-lock. `refresh` requires an existing `state.json`; `import` creates one only
-when it is missing. Both observe declared graphs read-only at
+lock metadata. `force-unlock` removes a lock only when the supplied id exactly
+matches the lock file. `refresh` requires an existing `state.json`; `import`
+creates one only when it is missing. Both observe declared graphs read-only at
 `<config-dir>/graphs/<graph-id>.omni`. External state backends, apply,
-`plan --refresh`, pipelines, UI specs, embeddings, aliases, and bindings are
-reserved for later stages. See [cluster-config.md](cluster-config.md).
+automatic stale-lock breaking, `plan --refresh`, pipelines, UI specs,
+embeddings, aliases, and bindings are reserved for later stages. See
+[cluster-config.md](cluster-config.md).

 ## Output formats (`query` command, alias: `read`)