mirror of https://github.com/ModernRelay/omnigraph.git synced 2026-06-12 01:45:14 +02:00

Devin AI 9ff4af47fb Merge branch 'main' into devin/1779464281-mr-656-inline-query-strings

Resolve conflicts: keep query/mutate canonical CLI subcommands and
top-level lint command (this branch) alongside the repo→graph terminology
rename from main. Update test helpers (repo_path → graph_path,
init_repo → init_graph, app_for_loaded_repo → app_for_loaded_graph) and
align tempdir variable names so the merged tests compile. Drop the now-
unused QueryCommand enum (Lint was promoted to a top-level Command).

Co-Authored-By: Ragnor Comerford <ragnor.comerford@gmail.com>

2026-05-24 17:27:48 +00:00

7.6 KiB

Raw Blame History

HTTP Server (`omnigraph-server`)

Axum 0.8 + tokio + utoipa-generated OpenAPI. Single graph per process; deploy multiple processes for multi-tenant.

Endpoint inventory

Method	Path	Auth	Action	Handler
GET	`/healthz`	none	—	`server_health`
GET	`/openapi.json`	none	—	`server_openapi` (strips security if auth disabled)
GET	`/snapshot?branch=`	bearer + `read`	snapshot of branch	`server_snapshot`
POST	`/query`	bearer + `read`	run inline read query (canonical; clean field names `query`/`name`; mutations → 400)	`server_query`
POST	`/read`	bearer + `read`	deprecated alias of `/query` for legacy clients (legacy field names `query_source`/`query_name`, byte-stable response); response carries `Deprecation: true` + `Link: </query>; rel="successor-version"`	`server_read`
POST	`/export`	bearer + `export`	NDJSON stream	`server_export`
POST	`/mutate`	bearer + `change`	mutation query (canonical; `query`/`name`; accepts legacy `query_source`/`query_name` as serde aliases)	`server_mutate`
POST	`/change`	bearer + `change`	deprecated alias of `/mutate` for legacy clients; response carries `Deprecation: true` + `Link: </mutate>; rel="successor-version"`	`server_change`
GET	`/schema`	bearer + `read`	get current `.pg` source	`server_schema_get`
POST	`/schema/apply`	bearer + `schema_apply` (target=`main`)	migrate	`server_schema_apply`
POST	`/ingest`	bearer + `branch_create` (if new) + `change`	bulk load	`server_ingest` (32 MB body limit)
GET	`/branches`	bearer + `read`	list branches	`server_branch_list`
POST	`/branches`	bearer + `branch_create`	create	`server_branch_create`
DELETE	`/branches/{branch}`	bearer + `branch_delete`	delete	`server_branch_delete`
POST	`/branches/merge`	bearer + `branch_merge`	merge `source → target`	`server_branch_merge`
GET	`/commits?branch=`	bearer + `read`	list	`server_commit_list`
GET	`/commits/{commit_id}`	bearer + `read`	show	`server_commit_show`

Inline read queries (`POST /query`)

POST /query is the read-only, agent-friendly twin of POST /read. The request body uses clean field names that match the CLI -e flag and the GQ query keyword:

{
  "query":    "query find($n: String) { match { $p: Person { name: $n } } return { $p.name } }",
  "name":     "find",
  "params":   { "n": "Alice" },
  "branch":   "main",
  "snapshot": null
}

Response shape is identical to /read (ReadOutput). If the inline source contains mutations (insert / update / delete), the request is rejected with HTTP 400 and an error pointing the caller at POST /mutate — the read-only contract is enforced at the URL.

POST /mutate is the canonical mutation endpoint. It accepts the same clean field names (query, name); the legacy field names query_source and query_name continue to deserialize as serde aliases so existing clients keep working without changes.

Deprecated names (`/read`, `/change`)

POST /read and POST /change are kept for back-compat indefinitely — they are byte-stable on the request side and otherwise behave identically to /query / /mutate. They are flagged as deprecated through three independent channels:

OpenAPI: the operations carry deprecated: true in openapi.json, so every OpenAPI codegen (typescript-fetch, openapi-generator, oapi-codegen, …) emits a @deprecated marker on the generated SDK method.
Response headers (RFC 9745): every response carries Deprecation: true.
Response headers (RFC 8288): every response carries a Link header pointing at the canonical successor: Link: </query>; rel="successor-version" for /read, and Link: </mutate>; rel="successor-version" for /change. SDKs and HTTP proxies can pick the successor up automatically.

Migration is purely cosmetic on the client side — swap the URL path, leave the request body and response handling alone.

Streaming

Only /export streams (application/x-ndjson, MPSC channel + Body::from_stream). Everything else is buffered JSON.

Error model

Uniform ErrorOutput { error, code?, merge_conflicts[], manifest_conflict? } with code ∈ unauthorized | forbidden | bad_request | not_found | conflict | too_many_requests | internal. Merge conflicts attach structured MergeConflictOutput { table_key, row_id?, kind, message }.

manifest_conflict is set on publisher CAS rejections (HTTP 409): the caller's pre-write view of one table's manifest version was stale. ManifestConflictOutput { table_key, expected, actual } tells the client which table to refresh and retry. This is the conflict shape produced by concurrent /mutate (or its /change alias) or /ingest calls landing the same (table, branch) race.

HTTP status codes used: 200, 400, 401, 403, 404, 409, 429, 500.

Per-actor admission control

Disjoint (table, branch) writes from different actors now run concurrently, guarded only by the engine's per-(table, branch) write queue. To keep one heavy actor from exhausting shared capacity (Lance I/O, manifest churn, network), the server gates mutating handlers through a WorkloadController configured per-process from environment variables:

Env var	Default	Purpose
`OMNIGRAPH_PER_ACTOR_INFLIGHT_MAX`	16	Concurrent in-flight mutations per actor
`OMNIGRAPH_PER_ACTOR_BYTES_MAX`	4 GiB	In-flight estimated bytes per actor

When an actor exceeds its in-flight count or byte budget, the server returns HTTP 429 Too Many Requests with code: too_many_requests and a Retry-After header (seconds). The actor should back off; other actors are unaffected.

Cedar policy authorization runs before admission accounting so denied requests don't consume admission slots.

Today admission gates every mutating handler: /mutate (and its deprecated alias /change), /ingest, /branches/{create,delete,merge}, and /schema/apply. Read-only endpoints (/snapshot, /query, /read, /export, /branches GET, /commits, /schema GET) are not admission-gated.

Body limits

Default: 1 MB
/ingest: 32 MB

Auth model (`bearer + SHA-256`)

Tokens are SHA-256 hashed on startup; plaintext is never persisted in memory.
Constant-time comparison via subtle::ConstantTimeEq.
Three sources, in precedence:
1. OMNIGRAPH_SERVER_BEARER_TOKENS_AWS_SECRET — AWS Secrets Manager (build with --features aws)
2. OMNIGRAPH_SERVER_BEARER_TOKENS_FILE or OMNIGRAPH_SERVER_BEARER_TOKENS_JSON — JSON {actor_id: token, …}
3. OMNIGRAPH_SERVER_BEARER_TOKEN — single legacy token, actor default
If no tokens configured, server runs unauthenticated (local dev) and /openapi.json strips the security scheme.

See deployment.md for token-source operational details.

Tracing & observability

tower_http::TraceLayer::new_for_http()
Policy decisions logged at INFO level with actor, action, branch, decision, matched rule
Startup logs: token source name, graph URI, bind address
Graceful SIGINT shutdown

Not implemented (by design or "TBD")

CORS — not configured; add tower_http::cors if needed.
Rate limiting — per-actor admission control gates /mutate (alias /change), /ingest, /branches/{create,delete,merge}, /schema/apply (see "Per-actor admission control" above). No global rate limiter is configured; add tower_http::limit if a graph-wide cap is needed.
Pagination — none (commits/branches return everything; export streams).
Multi-tenant routing — one graph per process.

7.6 KiB Raw Blame History

HTTP Server (omnigraph-server)