omnigraph/docs/user/audit.md
Ragnor Comerford 4ed2313a80
refactor(engine): remove the legacy __run__ branch guard (MR-770)
With the v2→v3 migration sweeping stale `__run__*` branches off `__manifest`
on first read-write open, the defense-in-depth `is_internal_run_branch` guard
is no longer needed.

- delete `db/run_registry.rs`; drop the module + re-export from `db/mod.rs`
- collapse `is_internal_system_branch` to the schema-apply-lock check only
- `ensure_public_branch_ref`: drop the run-ref rejection; `__run__*` is now an
  ordinary branch name
- `branch_merge`: reject `is_internal_system_branch` (was run-only) so the
  schema-apply lock is rejected consistently with create/delete — a small,
  deliberate tightening
- update the inline schema-apply test + the writes integration tests
  (`public_branch_apis_reject_internal_run_refs` →
  `public_branch_apis_reject_internal_system_refs`, which also asserts
  `__run__*` now creates successfully)
- docs: flip the "pending production sweep / defense-in-depth" notes to
  "auto-swept by the v2→v3 migration"; document the read-only-open limitation

Known residual: the inert `_graph_runs.lance` / `_graph_run_actors.lance` bytes
remain until a `StorageAdapter::delete_prefix` primitive lands.
2026-05-31 15:45:32 +02:00

Audit / Actor tracking

  • `Omnigraph::audit_actor_id: Option<String>` is the actor in effect.
  • `_as` variants of every write API let callers override the actor: `mutate_as`, `ingest_as`, `branch_merge_as`, `apply_schema_as`, etc.
  • Actor IDs are persisted on `GraphCommit.actor_id` with split storage in `_graph_commit_actors.lance` (the commit graph is split into `_graph_commits.lance` for the linkage and `_graph_commit_actors.lance` for the actor map).
  • HTTP server uses the bearer-token actor automatically; CLI uses the local user / explicit env (no implicit actor).
  • Pre-v0.4.0 graphs also stored actor IDs on `RunRecord.actor_id` in `_graph_runs.lance` / `_graph_run_actors.lance`. The Run state machine was removed in MR-771; those files are inert post-v0.4.0. The v2→v3 manifest migration sweeps any stale `__run__*` branches on first write-open (MR-770); the inert dataset bytes remain until a `delete_prefix` primitive lands.