pub fn router(state: AppState) -> RouterExpand description
Build the full axum router with all routes mounted at their
canonical paths. AppState is cloned per request via axum’s
with_state.
ADR-0017 §D2: cellos-server is API-only. The static bundle moved
to cellctl and is served by cellctl webui. There is no
ServeDir fallback here — unmatched paths return 404.
ADR-0016 (read-only browser boundary): CORS is restricted to
GET + OPTIONS so a misbehaving browser context (XSS, malicious
extension, or a hostile in-page script that slipped past the
cellctl webui proxy) cannot mutate state via a cross-origin
POST /v1/formations. The localhost proxy makes browser origins a
non-issue in practice, but we enforce the read-only shape
structurally so the boundary survives a proxy bug.