[codex] fix RFC-011 follow-up regressions (#258)

* fix rfc-011 follow-up regressions * test(cli): remove served schema-apply tests obsoleted by the cluster 409 This PR disables server-side schema apply for cluster-backed serving (409 → `omnigraph cluster apply`). Two system_local tests still drove *served* schema apply against a spawned `--cluster` server and asserted the pre-409 behavior, so they failed under `cargo test --workspace`: - `local_cli_schema_apply_enforces_engine_layer_policy` — expected a per-actor policy `denied`/allow on the served route; the route now 409s for everyone before policy runs. - `local_cli_schema_apply_rejects_stored_query_breakage_before_publish` — expected a served apply to reject a stored-query breakage; the route now 409s before any apply. Both exercise a path the PR intentionally removed. Their surviving coverage: the 409 itself is pinned by `schema_routes::schema_apply_route_refuses_cluster_backed_server_mode` (asserts 409 + no mutation); stored-query-breakage-before-publish stays covered by `schema_routes::schema_apply_route_rejects_stored_query_breakage_before_publish` (single-mode); engine-layer schema_apply Cedar enforcement stays covered by `policy_engine_chassis`. Remove the obsolete served versions. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * fix(server): report the cluster-backed schema-apply 409 after the Cedar gate The 409 ("schema apply is disabled for cluster-backed serving") fired at the top of `server_schema_apply`, before `authorize_request`. An authenticated-but- unauthorized actor therefore learned the server is cluster-backed (409) instead of getting a normal 403 — leaking topology before authorization, against the same posture that keeps `GET /graphs` default-deny. Move the 409 below the Cedar gate so the route reports 401 → 403 → 409: an unauthorized actor gets 403, and only an actor authorized for `schema_apply` sees the actionable "use `omnigraph cluster apply`" 409. (An open/unauthenticated server still 409s, as it has no topology to protect.) Regression: `schema_apply_route_cluster_backed_denies_unauthorized_actor_before_409` (POLICY_YAML grants no schema_apply → act-ragnor gets 403, not 409). Addresses the bot-review finding on #258. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-24 02:38:06 +02:00 · 2026-06-16 03:11:43 +03:00 · 2026-06-16 03:11:43 +03:00 · b5658dc696
commit b5658dc696
parent 9513b076d2
19 changed files with 429 additions and 261 deletions
--- a/crates/omnigraph-cli/src/scope.rs
+++ b/crates/omnigraph-cli/src/scope.rs
@ -186,9 +186,9 @@ fn scope_from_binding(
        ScopeBinding::Cluster(cluster) => {
            if capability == Capability::Any {
                bail!(
-                    "{source} resolves a cluster scope, which is maintenance-only; run \
-                     data commands through a server, or use --store <uri> for ad-hoc \
-                     direct access"
+                    "{source} resolves a cluster scope, which is not valid for graph data \
+                     commands; run data commands through a server, or use --store <uri> \
+                     for ad-hoc direct access"
                );
            }
            // A cluster value is a config name (resolved against `clusters:`)
@ -501,7 +501,7 @@ mod tests {
        )
        .unwrap_err()
        .to_string();
-        assert!(err.contains("maintenance-only"), "{err}");
+        assert!(err.contains("not valid for graph data commands"), "{err}");
    }

    #[test]