docs: audit pass — drop pre-0.7.0 release notes; scrub RFC refs from user docs (#272)

* docs: audit pass — drop pre-0.7.0 release notes; scrub RFC refs from user docs

- Delete the pre-0.7.0 release-notes archive (v0.2.0 … v0.6.2); keep v0.7.0.
- Rewrite every inline "RFC-0NN" citation in docs/user/** into durable
  plain language (the behavior is the contract, not the planning doc):
  cli/index.md, cli/reference.md, clusters/index.md, operations/{maintenance,
  policy,server}.md. Updated the in-page "Scopes & profiles" anchor to match
  the de-RFC'd heading.

No sub-0.7.0 version caveats or stale Lance-version refs were present in
docs/user/**. Dev docs, AGENTS.md, and instruction files are out of scope for
this pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* docs: second alignment pass — drop residual pre-cluster-only framing

- cli/reference.md: rewrite the server-scope graph-resolution rule — an
  omnigraph-server is always cluster-backed, so GET /graphs always answers and
  --graph is required; the bare-URL path is only the fallback for an
  unavailable/non-omnigraph endpoint (was "a single-graph / flat server …
  uses its bare URL as before").
- embeddings.md: "Direct single-graph serving" → "Direct (--store) access"
  (there is no single-graph serving mode under cluster-only).
- clusters/{config,index}.md: drop the removed --target flag from the
  "--cluster cannot combine with …" clauses.

Verified: no Linear tickets, no RFC refs, no single-graph-as-current, no
--target-as-combinable in docs/user/**.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

docs/user/cli/index.md

@@ -14,7 +14,7 @@ omnigraph mutate insert_person --params '{"name":"Mina","age":28}'
 `omnigraph query` is the canonical read command (pairs with `POST /query`);
 `omnigraph mutate` is the canonical write command (pairs with `POST /mutate`).
 The positional argument is the **stored-query name**, invoked from the served
-catalog (RFC-011 D3) — the graph is addressed by scope (`--server` / `--profile`
+catalog — the graph is addressed by scope (`--server` / `--profile`
 / defaults), and the verb asserts the query's kind (`query` rejects a stored
 mutation, and vice-versa). The previous names `omnigraph read` and
 `omnigraph change` keep working as visible aliases — invocations emit a one-line

docs/user/cli/reference.md

@@ -2,7 +2,7 @@
 
 A reference for the `omnigraph` binary's command surface and the per-operator `~/.omnigraph/config.yaml` schema. For a quick-start guide, see [cli.md](index.md).
 
-Top-level command families and subcommands. Graph-targeting commands accept a positional `file://`/`s3://` URI, `--server <name|url>` (an operator-defined server from `~/.omnigraph/config.yaml` by name, or a literal `http(s)://` URL, optionally with `--graph <id>` for multi-graph servers; exclusive with a positional URI), `--store <uri>` (a single graph's storage directly), or `--profile <name>` / `$OMNIGRAPH_PROFILE` (a named scope bundle; see [Scopes & profiles](#scopes--profiles-rfc-011)); `cluster` commands use `--config <dir>`, while `policy` and `queries` read a cluster's applied state via `--cluster <dir|uri>`. A remote server is addressed only with `--server` — a positional `http(s)://` URI is rejected. **`query`/`mutate` are the exception**: their positional is a stored-query *name* (RFC-011 D3), not a graph URI, so they address the graph only via `--store`/`--server`/`--profile`/defaults.
+Top-level command families and subcommands. Graph-targeting commands accept a positional `file://`/`s3://` URI, `--server <name|url>` (an operator-defined server from `~/.omnigraph/config.yaml` by name, or a literal `http(s)://` URL, optionally with `--graph <id>` for multi-graph servers; exclusive with a positional URI), `--store <uri>` (a single graph's storage directly), or `--profile <name>` / `$OMNIGRAPH_PROFILE` (a named scope bundle; see [Scopes & profiles](#scopes--profiles)); `cluster` commands use `--config <dir>`, while `policy` and `queries` read a cluster's applied state via `--cluster <dir|uri>`. A remote server is addressed only with `--server` — a positional `http(s)://` URI is rejected. **`query`/`mutate` are the exception**: their positional is a stored-query *name*, not a graph URI, so they address the graph only via `--store`/`--server`/`--profile`/defaults.
 
 ## Top-level commands
 
@@ -13,14 +13,14 @@ Top-level command families and subcommands. Graph-targeting commands accept a po
 | `ingest` | deprecated alias of `load --from <base>` (defaults: `--from main --mode merge`); prints a one-line warning to stderr |
 | `query <name>` (alias: `read`) | run a read query. **Catalog lane** (default): `<name>` is a stored query invoked **by name** from the served catalog (served-only — address with `--server`/`--profile`; the verb asserts the query is a read). **Ad-hoc lane**: with `--query <path>` or `-e`/`--query-string <GQ>`, runs that source (the positional `<name>` then selects which query in it). No positional graph URI — address via `--store`/`--server`/`--profile`. `read` is the deprecated previous name (one-line stderr warning) |
 | `mutate <name>` (alias: `change`) | run a mutation query; same catalog (by-name, served-only, verb asserts mutation) / ad-hoc (`--query`/`-e`) lanes as `query`. `change` is the deprecated previous name (one-line stderr warning) |
-| `alias <name> [args]` | invoke an operator alias — a read-only personal binding (under `aliases:` in `~/.omnigraph/config.yaml`) to a stored query on a named server (RFC-011 D4; replaces the removed `--alias` flag; stored mutations are rejected before execution) |
+| `alias <name> [args]` | invoke an operator alias — a read-only personal binding (under `aliases:` in `~/.omnigraph/config.yaml`) to a stored query on a named server (replaces the removed `--alias` flag; stored mutations are rejected before execution) |
 | `snapshot` | print current snapshot (per-table version + row count) |
 | `export` | dump to JSONL on stdout (`--type T`, `--table K` filters) |
 | `branch create \| list \| delete \| merge` | branching ops |
 | `commit list \| show` | inspect commit graph |
 | `schema plan \| apply \| show (alias: get)` | migrations. `apply` refuses a cluster-managed graph (one whose storage is inside a cluster) and points at `cluster apply` — those graphs evolve through the cluster ledger, not a direct apply |
 | `lint` (alias: `check`) | offline / graph-backed query validation. Replaces `query lint` / `query check`, which are kept as deprecated argv-level shims that print a one-line warning and rewrite to `omnigraph lint` |
-| `cluster validate \| plan \| apply \| approve \| status \| refresh \| import \| force-unlock` | declarative cluster control plane. `validate` checks a local `cluster.yaml` folder and referenced schema/query/policy files; `plan` diffs it against local JSON state at `__cluster/state.json`, annotates dispositions, and embeds real schema-migration previews; `apply` converges the cluster — stored-query/policy catalog writes (content-addressed under `__cluster/resources/`), graph creates, schema updates (soft drops only; `--as` records the actor), and graph deletes behind a digest-bound approval from `cluster approve <resource> --as <actor>` (`apply`/`approve` default the actor from `~/.omnigraph/config.yaml`'s `operator.actor` when `--as` is omitted); what apply converges is what an `omnigraph-server --cluster <dir>` deployment serves on its next restart (`--cluster` is the server's only boot source — RFC-011 cluster-only); `status` reads the state ledger; `refresh`/`import` explicitly update local JSON state from read-only graph observations; `force-unlock <LOCK_ID>` manually removes a held local state lock by exact id |
+| `cluster validate \| plan \| apply \| approve \| status \| refresh \| import \| force-unlock` | declarative cluster control plane. `validate` checks a local `cluster.yaml` folder and referenced schema/query/policy files; `plan` diffs it against local JSON state at `__cluster/state.json`, annotates dispositions, and embeds real schema-migration previews; `apply` converges the cluster — stored-query/policy catalog writes (content-addressed under `__cluster/resources/`), graph creates, schema updates (soft drops only; `--as` records the actor), and graph deletes behind a digest-bound approval from `cluster approve <resource> --as <actor>` (`apply`/`approve` default the actor from `~/.omnigraph/config.yaml`'s `operator.actor` when `--as` is omitted); what apply converges is what an `omnigraph-server --cluster <dir>` deployment serves on its next restart (`--cluster` is the server's only boot source — cluster-only); `status` reads the state ledger; `refresh`/`import` explicitly update local JSON state from read-only graph observations; `force-unlock <LOCK_ID>` manually removes a held local state lock by exact id |
 | `optimize` | non-destructive Lance compaction (skips tables with `Blob` columns or uncovered drift; `--json` reports `skipped`) |
 | `repair [--confirm] [--force]` | preview or explicitly publish uncovered manifest/head drift. `--confirm` heals verified maintenance drift and exits non-zero if suspicious/unverifiable drift is refused; `--force --confirm` publishes suspicious/unverifiable drift after operator review |
 | `cleanup --keep N --older-than 7d --confirm` | destructive version GC (`--confirm` to execute; also needs `--yes` against a non-local `s3://` target — see *Write diagnostics & destructive confirmation*) |
@@ -52,7 +52,7 @@ To maintain a server-backed graph, run the `direct` verbs from a host with stora
 
 ## Write diagnostics & destructive confirmation
 
-Two global flags make writes self-documenting and guard the dangerous ones (RFC-011 Decision 9):
+Two global flags make writes self-documenting and guard the dangerous ones:
 
 - **Every write echoes its resolved target to stderr** — `omnigraph load → s3://acme/brain/graphs/knowledge.omni (direct, remote)` — so you catch a scope that resolved somewhere unexpected (e.g. *prod*) before it lands. Applies to `load`, `ingest`, `mutate`, `branch create|delete|merge`, `schema apply`, `optimize`, `repair`, `cleanup`. The line is stderr, so `--json` consumers reading stdout are unaffected; suppress it with **`--quiet`**.
 - **Destructive writes against a non-local scope require confirmation.** `cleanup`, overwrite `load` (`--mode overwrite`), and `branch delete` proceed freely against a local (`file://`) graph, but when the resolved target is **not local** (a served `http(s)://` graph or an `s3://` store/cluster) they require explicit consent: pass **`--yes`** to confirm, an interactive terminal is prompted, and a non-interactive run (no TTY, or `--json`) **refuses with an error** rather than silently destroying. `cleanup` still also requires its existing `--confirm` (preview→execute); `--yes` is the additional non-local consent.
@@ -79,15 +79,15 @@ servers:                # operator-owned endpoints; names key the credentials
     url: https://graph.example.com     # no tokens in this file, ever
 defaults:
   output: table         # read format default, below --json/--format/alias
-  server: prod          # the everyday SERVED scope when no address is given (RFC-011)
+  server: prod          # the everyday SERVED scope when no address is given
   # store: file:///data/dev.omni   # OR a zero-flag LOCAL default (mutually
   #                                #   exclusive with `server`); the local-dev
   #                                #   counterpart of `server`
   default_graph: knowledge   # graph selected in a server/cluster scope
-clusters:               # admin-only: managed-cluster storage roots (RFC-011).
+clusters:               # admin-only: managed-cluster storage roots.
   brain:                #   the ONLY place a storage root lives in this file.
     root: s3://acme/clusters/brain
-profiles:               # named scope bundles (RFC-011); pick with --profile
+profiles:               # named scope bundles; pick with --profile
   staging: { server: staging, default_graph: knowledge }   # a served scope
   brain-admin: { cluster: brain, default_graph: knowledge } # a direct cluster scope
 ```
@@ -96,7 +96,7 @@ Absent file = empty layer. Unknown keys warn and load (a file written for a
 newer CLI works on an older one). Override the config directory with
 `$OMNIGRAPH_HOME`.
 
-#### Scopes & profiles (RFC-011)
+#### Scopes & profiles
 
 A command resolves a **scope** — a server, a cluster, or a store — then selects a
 graph in it; the served-vs-direct access path is derived from the scope, not
@@ -116,14 +116,15 @@ sticky "current" mode. Inspect what is defined with `omnigraph profile list` and
   `--cluster <root> --graph <id>`. A `--graph` flag overrides the profile's default.
 - A `server`-bound scope on a maintenance verb, or a `cluster`-bound scope on a
   data verb, is rejected with a message pointing at the right addressing.
-- **No graph selected (RFC-011 D7).** When a scope has no `--graph` and no
+- **No graph selected.** When a scope has no `--graph` and no
   `default_graph`, the CLI never silently picks:
   - **Cluster scope** — exactly **one** applied graph is used automatically;
     **several** errors and lists the candidates (from the served catalog).
-  - **Server scope** — a multi-graph server (any non-empty `GET /graphs`, even a
-    single entry) errors and lists the candidates: you must pass `--graph <id>`.
-    A single-graph / flat server (405 on `/graphs`), or one whose `/graphs` is
-    policy-gated or unreachable, uses its bare URL as before.
+  - **Server scope** — an `omnigraph-server` is always cluster-backed, so its
+    `GET /graphs` lists the graphs and you must pass `--graph <id>` (the CLI
+    lists the candidates if you omit it). It falls back to the bare URL only
+    when `/graphs` is unavailable: policy-gated, unreachable, or a
+    non-`omnigraph` endpoint.
 
 `--target`, `--cluster-graph`, and the positional-`http(s)://`→remote dispatch
 have been **removed** (`--graph` is now the one graph selector across server and
@@ -158,7 +159,7 @@ aliases:
 
 `omnigraph alias triage 2026-06-01` invokes
 `POST <server>/graphs/spike/queries/weekly_triage` with the keyed
-credential. Aliases live in their own `alias` namespace (RFC-011 Decision 4),
+credential. Aliases live in their own `alias` namespace,
 so an alias can never shadow — or be shadowed by — a built-in verb. (The old
 `--alias <name>` flag on `query`/`mutate` was removed.)
 

docs/user/clusters/config.md

@@ -390,7 +390,7 @@ omnigraph-server --cluster company-brain --bind 0.0.0.0:8080
 ```
 
 `--cluster <dir>` is an **exclusive boot source** (axiom 15): it cannot
-combine with a graph URI, `--target`, or `--config`, and in this mode
+combine with a graph URI or `--config`, and in this mode
 `omnigraph.yaml` is never read — not for graphs, not for queries, not for
 policies. The server serves the **applied revision**: graph roots recorded in
 `state.json`, stored-query and policy content from the content-addressed

docs/user/clusters/index.md

@@ -91,7 +91,7 @@ only the URI and credentials, no checkout of the config repo. The ledger and
 catalog on the bucket are the deployment artifact.
 
 `--cluster` is an **exclusive boot source**: it cannot be combined with a
-graph URI, `--target`, or `--config`, and `omnigraph.yaml` is never read in
+graph URI or `--config`, and `omnigraph.yaml` is never read in
 this mode. Routing is always multi-graph:
 
 ```bash
@@ -273,7 +273,7 @@ a cluster are created by `cluster apply`, not by hand.
 
 If the cluster has exactly **one** applied graph you can omit `--graph` — it is
 used automatically. With **several**, omitting `--graph` errors and lists the
-candidates (RFC-011 D7); it never picks one for you.
+candidates; it never picks one for you.
 
 Against an **`s3://`-backed cluster** the resolved graph storage is non-local, so a
 destructive `cleanup` additionally requires **`--yes`** (an interactive prompt

docs/user/operations/maintenance.md

@@ -35,7 +35,7 @@
   backstop, so it does as much as it can and converges on re-run. The CLI reports
   any failed tables; rerun `cleanup` to retry them.
 - CLI guards with `--confirm`; without it, prints a preview line.
-- **Non-local consent (RFC-011 D9).** Against a non-local target (an `s3://` store/cluster), `cleanup` additionally requires `--yes` on top of `--confirm`: a TTY is prompted, and a non-interactive run (no TTY, or `--json`) refuses rather than destroying. A local (`file://`) target needs only `--confirm`. The same `--yes` gate applies to overwrite `load` and `branch delete`; every maintenance run echoes its resolved target to stderr (suppress with `--quiet`).
+- **Non-local consent.** Against a non-local target (an `s3://` store/cluster), `cleanup` additionally requires `--yes` on top of `--confirm`: a TTY is prompted, and a non-interactive run (no TTY, or `--json`) refuses rather than destroying. A local (`file://`) target needs only `--confirm`. The same `--yes` gate applies to overwrite `load` and `branch delete`; every maintenance run echoes its resolved target to stderr (suppress with `--quiet`).
 - **Recovery floor:** `--keep < 3` may garbage-collect versions that crash recovery needs as a rollback target. Default `--keep 10` is safe.
 - **Orphaned-branch reconciliation:** before the version GC, cleanup reclaims any per-table or commit-graph branch absent from the manifest branch list. These orphans arise when a `branch_delete` flips the manifest authority but a downstream best-effort reclaim does not complete (see [branches-commits.md](../branching/index.md)). The reconciler is idempotent (it no-ops once nothing is orphaned), runs regardless of the `keep_versions` / `older_than` values (those gate version GC only), and never reclaims `main` or system-branch forks. Reclaimed forks are logged.
 

docs/user/operations/policy.md

@@ -78,7 +78,7 @@ The default actor identity for CLI direct-engine (`--store`) writes is
 `operator.actor` in `~/.omnigraph/config.yaml`. Override per-invocation with
 `--as <ACTOR>` — `--as` wins, otherwise `operator.actor`, otherwise no actor.
 Remote HTTP writes ignore both — they resolve their actor server-side from the
-bearer token. (Direct-store access carries no Cedar policy under RFC-011; policy
+bearer token. (Direct-store access carries no Cedar policy; policy
 lives in the cluster/server.)
 
 ## CLI

docs/user/operations/server.md

@@ -1,6 +1,6 @@
 # HTTP Server (`omnigraph-server`)
 
-Axum 0.8 + tokio + utoipa-generated OpenAPI. **Cluster-only boot** (RFC-011): the server always boots from a cluster (`--cluster <dir | s3://…>`) and serves N graphs (N ≥ 1) under cluster routes. There is no longer a single-graph flat-route mode, no positional `<URI>` boot, no `--target`, and no `omnigraph.yaml`-`graphs:`-map boot. All HTTP is nested under `/graphs/{graph_id}/...`; `/healthz` and the management `/graphs` enumeration stay flat.
+Axum 0.8 + tokio + utoipa-generated OpenAPI. **Cluster-only boot**: the server always boots from a cluster (`--cluster <dir | s3://…>`) and serves N graphs (N ≥ 1) under cluster routes. There is no longer a single-graph flat-route mode, no positional `<URI>` boot, no `--target`, and no `omnigraph.yaml`-`graphs:`-map boot. All HTTP is nested under `/graphs/{graph_id}/...`; `/healthz` and the management `/graphs` enumeration stay flat.
 
 ## Boot
 

docs/user/search/embeddings.md

@@ -42,7 +42,7 @@ boots from the applied cluster ledger, so `cluster validate`, `plan`, and
 needs no key. Vector dimensions stay schema-driven by the target `Vector(N)`
 column.
 
-Direct single-graph serving, embedded callers, and the offline
+Direct (`--store`) access, embedded callers, and the offline
 `omnigraph embed` pipeline use environment configuration unless they inject an
 `EmbeddingConfig` directly.