apunkt/omnigraph
1
0
Fork 0
mirror of https://github.com/ModernRelay/omnigraph.git synced 2026-06-09 01:35:18 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
omnigraph/crates
History
Ragnor Comerford 200fcbb215
Surface policy-engine errors from stored-query invoke 
The invoke handler mapped every authorize_request failure to 404 ('stored
query not found'), which collapsed the authorization decision (deny -> 403)
together with operational failures (no actor -> 401, Cedar evaluation error ->
500). A real policy-engine 500 was hidden as a missing query.

Separate the two concerns instead of sniffing the masked status. Extract
authorize() returning an Authz { Allowed, Denied(msg) } decision and reserve
Err for operational failures only; authorize_request becomes a thin wrapper
that maps Denied -> 403, so the 16 deny-as-403 callers are unchanged. The
invoke handler now matches the decision directly: a denial stays 404 (deny ==
missing, so the catalog can't be probed without the grant), while a 401/500
propagates with its true status.

500 is now a reachable outcome on POST /queries/{name}; document it in the
endpoint responses and regenerate openapi.json.
2026-06-01 11:45:44 +02:00
..
omnigraph docs: rename runs.md/runs.rs → writes and repoint all references (#131) 2026-05-30 23:20:56 +02:00
omnigraph-cli Validate the graph selection in queries list 2026-06-01 11:45:44 +02:00
omnigraph-compiler (feat): multi-graph server mode (#119) 2026-05-28 16:19:31 +02:00
omnigraph-policy Make invoke_query graph-scoped (one branch authority) 2026-05-31 15:45:19 +02:00
omnigraph-server Surface policy-engine errors from stored-query invoke 2026-06-01 11:45:44 +02:00