mr-668: remove POST /graphs and CLI graphs create (defer runtime graph mgmt)

The POST /graphs runtime-create endpoint shipped in PR 7/10 has three unresolved high-severity bugs: - flock-on-renamed-inode race: the YAML flock is taken on omnigraph.yaml itself, then a temp file is renamed over it. Cross-process writers end up locking different inodes — both believing they hold exclusive access. - duplicate-check outside the file lock: precheck runs against the in-memory registry only; the locked closure does config.graphs.insert(...) unconditionally. Concurrent same-id POSTs can persist the loser in YAML while the in-memory registry keeps the winner — they disagree after restart. - best_effort_cleanup_init_artifacts deletes _schema.pg / _schema.ir.json / __schema_state.json on any init failure. An accidental re-init against an existing graph's URI destroys its schema; subsequent open() fails at read_text(_schema.pg). The correct fix is a Lance-style cluster catalog (reserve → init → publish with recovery sidecars), parallel to the engine's existing __manifest discipline. That work is out of scope for v0.7.0. For now, disable runtime add/remove from the network and CLI surface. Operators add graphs by editing omnigraph.yaml and restarting. The GET /graphs read-only enumeration stays. Removed: - POST /graphs handler + router fragment + utoipa registration - 13 post_graphs_* server tests + 3 composite POST tests + multi_mode_app_with_real_config / post_graph helpers - CLI omnigraph graphs create subcommand + its handler + cli.rs tests - system_remote.rs combined list+create test trimmed to list-only - YAML rewrite infra: rewrite_atomic[_with_modify], RewriteAtomicError, staging_path, hash_config_file, AppState::config_hash field + threading through new_multi and open_multi_graph_state - fs2 dependency (verified absent from cargo tree) - sha2/fs2 imports in config.rs (only the rewrite path used them) - Cedar PolicyAction::GraphCreate variant + "graph_create" match arms + action def in Cedar schema + graph_create_action_authorizes_against_server_resource test - GraphCreateRequest / GraphCreateResponse / GraphSchemaSpec / GraphPolicySpec API types (only the POST handler / CLI imported them) Kept: - GET /graphs (read-only enumeration) and graph_list Cedar action - omnigraph graphs list CLI subcommand - All multi-graph startup, mode inference, cluster routes, per-graph + server-level Cedar policies - server_settings_drive_multi_graph_startup_end_to_end (the test that covers operator-authored YAML + restart — the path that survives) - best_effort_cleanup_init_artifacts and the three init failpoints (still reachable from CLI `omnigraph init`; preflight fix deferred as a follow-up) - GraphRegistry::insert and its concurrency tests — production callers gone, but the method is the natural seam for the future cluster-catalog work Also fixed (transcript issue 4): - ALWAYS_FLAT_PATHS now includes /graphs so multi-mode OpenAPI advertises the management route correctly (was previously rewritten to /graphs/{graph_id}/graphs) - multi_mode_openapi_keeps_healthz_flat → renamed to multi_mode_openapi_keeps_management_paths_flat, asserts both /healthz and /graphs stay flat - multi_mode_openapi_prefixes_operation_ids_with_cluster skips /graphs in addition to /healthz Doc fixes: - docs/user/cli.md: graphs list example was --target http://..., but --target is a config-graph-name lookup; corrected to --uri. Removed the graphs create example. - docs/user/server.md: dropped POST /graphs row, "omnigraph.yaml ownership", and "POST /graphs body shape" sections. Added a paragraph stating runtime add/remove is not exposed in v0.7.0. - docs/user/policy.md: dropped graph_create action; reworded the "Configuration" line to clarify that server-scoped rules (graph_list) take neither branch_scope nor target_branch_scope. - docs/releases/v0.7.0.md: rewrote release narrative — multi-graph mode ships; runtime add/remove deferred. - AGENTS.md: HTTP server bullet and capability matrix row updated to reflect read-only GET /graphs and the operator-edit workflow. - openapi.json regenerated; /graphs has only .get, no .post. Diff: 17 files, +123 −1525 LOC. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-27 02:39:38 +02:00 · 2026-05-26 17:49:38 +02:00 · 2026-05-26 17:49:38 +02:00 · 937fd6382d
commit 937fd6382d
parent d11c18fb27
18 changed files with 136 additions and 1727 deletions
--- a/crates/omnigraph-cli/src/main.rs
+++ b/crates/omnigraph-cli/src/main.rs
@ -18,9 +18,8 @@ use omnigraph_compiler::{
 use omnigraph_server::api::{
    BranchCreateOutput, BranchCreateRequest, BranchDeleteOutput, BranchListOutput,
    BranchMergeOutput, BranchMergeRequest, ChangeOutput, ChangeRequest, CommitListOutput,
-    CommitOutput, ErrorOutput, ExportRequest, GraphCreateRequest, GraphCreateResponse,
-    GraphListResponse, GraphPolicySpec, GraphSchemaSpec, IngestOutput, IngestRequest, ReadOutput,
-    ReadRequest, SchemaApplyOutput, SchemaApplyRequest, SchemaOutput, SnapshotOutput,
+    CommitOutput, ErrorOutput, ExportRequest, GraphListResponse, IngestOutput, IngestRequest,
+    ReadOutput, ReadRequest, SchemaApplyOutput, SchemaApplyRequest, SchemaOutput, SnapshotOutput,
    SnapshotTableOutput, commit_output, ingest_output, read_output, schema_apply_output,
    snapshot_payload,
 };
@ -265,13 +264,9 @@ enum Command {
 /// Operations on the graph registry of a multi-graph server (MR-668).
 ///
 /// All operations target a remote multi-graph server URL (http:// or
-/// https://). Local-URI invocations return a clear error; for local
-/// graphs operators add/remove entries by editing `omnigraph.yaml`
-/// directly and restarting.
-///
-/// `Delete` is intentionally omitted in v0.7.0 — server-side DELETE
-/// was deferred to bound the release scope. Operators remove graphs
-/// by stopping the server, editing `omnigraph.yaml`, then restarting.
+/// https://). Local-URI invocations return a clear error. To add or
+/// remove graphs, operators edit `omnigraph.yaml` directly and restart
+/// the server — runtime mutation is not exposed in v0.7.0.
 #[derive(Debug, Subcommand)]
 enum GraphsCommand {
    /// List every graph registered with the multi-graph server.
@ -286,38 +281,6 @@ enum GraphsCommand {
        #[arg(long)]
        json: bool,
    },
-    /// Create a new graph at runtime via `POST /graphs`.
-    ///
-    /// The schema file is read locally and the bytes are inlined as
-    /// `schema.source` in the request body. The server runs
-    /// `Omnigraph::init` at the supplied `uri` and atomically rewrites
-    /// `omnigraph.yaml` to include the new entry.
-    Create {
-        /// Remote server URL (e.g. `https://server.example.com`).
-        #[arg(long)]
-        uri: Option<String>,
-        #[arg(long)]
-        target: Option<String>,
-        #[arg(long)]
-        config: Option<PathBuf>,
-        /// New graph identifier. Must satisfy `^[a-zA-Z0-9-]{1,64}$`.
-        #[arg(long)]
-        graph_id: String,
-        /// Storage URI for the new graph (local path or `s3://...`).
-        /// Operator-supplied; the server `Omnigraph::init`s here.
-        #[arg(long = "graph-uri")]
-        graph_uri: String,
-        /// Local path to the schema `.pg` file. CLI reads the file
-        /// and inlines its contents as `schema.source` in the body.
-        #[arg(long)]
-        schema: PathBuf,
-        /// Optional per-graph policy file path. Sent verbatim to the
-        /// server, where it must be readable at request time.
-        #[arg(long)]
-        policy_file: Option<String>,
-        #[arg(long)]
-        json: bool,
-    },
 }

 #[derive(Debug, Subcommand)]
@ -2655,59 +2618,6 @@ async fn main() -> Result<()> {
                    }
                }
            }
-            GraphsCommand::Create {
-                uri,
-                target,
-                config,
-                graph_id,
-                graph_uri,
-                schema,
-                policy_file,
-                json,
-            } => {
-                let config = load_cli_config(config.as_ref())?;
-                let bearer_token =
-                    resolve_remote_bearer_token(&config, uri.as_deref(), target.as_deref())?;
-                let uri = resolve_uri(&config, uri, target.as_deref())?;
-                if !is_remote_uri(&uri) {
-                    bail!(
-                        "`omnigraph graphs create` requires a remote multi-graph server URL \
-                         (http:// or https://). To add a graph to a local config, edit \
-                         `omnigraph.yaml` and restart the server."
-                    );
-                }
-                let schema_source = fs::read_to_string(&schema).map_err(|err| {
-                    color_eyre::eyre::eyre!(
-                        "reading schema file '{}': {err}",
-                        schema.display()
-                    )
-                })?;
-                let request_body = GraphCreateRequest {
-                    graph_id: graph_id.clone(),
-                    uri: graph_uri.clone(),
-                    schema: GraphSchemaSpec {
-                        source: schema_source,
-                    },
-                    policy: policy_file
-                        .as_ref()
-                        .map(|file| GraphPolicySpec {
-                            file: Some(file.clone()),
-                        }),
-                };
-                let payload = remote_json::<GraphCreateResponse>(
-                    &http_client,
-                    Method::POST,
-                    remote_url(&uri, "/graphs"),
-                    Some(serde_json::to_value(&request_body)?),
-                    bearer_token.as_deref(),
-                )
-                .await?;
-                if json {
-                    print_json(&payload)?;
-                } else {
-                    println!("created graph {} at {}", payload.graph_id, payload.uri);
-                }
-            }
        },
    }
    Ok(())