Expand description
HTTP server wiring — composes the workflow API + dashboard + auth
routers into one axum Router. URL surface:
/auth/*OIDC spec (discovery, authorize, token, …)/api/v1/engine/core/*engine-core admin (admin-bearer-gated)/api/v1/engine/workflow/*workflow API (admin-bearer-gated)/api/v1/engine/auth/*engine-internal auth + admin/api/v1/vault/*vault module (admin-bearer-gated)/healthzredirect to/api/v1/engine/core/health
Per the decoupled-modules architecture: each module accepts ONLY an admin bearer token at its HTTP boundary. Per-user authentication and policy decisions live upstream of the engine — typically in a dashboard / BFF / API gateway that validates the user session, asks zanzibar if they’re allowed, and then forwards the call to the engine using its own admin bearer. The engine itself does not resolve sessions or check zanzibar at request time.
Share-redeem (GET /api/v1/vault/share/{token}) is the one route
that bypasses admin bearer — the biscuit token in the URL is its
own auth, verified inside the handler.
Functions§
- bind_
and_ serve - Bind a TCP listener on
bind_addrand serve a pre-builtaxum::Router. - build_
app - Compose the full
axum::Routerfor the engine. - build_
workflow_ ctx - Start a
WorkflowCtxaround the given store. Authentication + authorization are no longer the workflow’s concern — the engine wraps the workflow router with a gate middleware (build_app) that handles all of that. - build_
workflow_ ctx_ with_ bus - Like
build_workflow_ctxbut also wires the engine-wide event bus into the workflow context so SSE + the dispatch-wakeup loop see state transitions. - serve
- Bind a TCP listener on
bind_addrand serve the composed app.