tandem-server 0.6.9

HTTP server for Tandem engine APIs
impl AppState {
    fn hosted_governance_readiness_required() -> anyhow::Result<bool> {
        let config = tandem_memory::decrypt_broker::MemoryDecryptBrokerConfig::from_env()
            .context("resolve memory crypto mode for hosted governance readiness")?;
        Ok(config.crypto_mode().is_hosted())
    }

    pub(crate) async fn validate_hosted_governance_readiness(&self) -> anyhow::Result<()> {
        let probe_context =
            crate::governance_store::GovernanceStoreFile::PolicyDecisions.storage_context();
        crate::encrypted_file_store::validate_hosted_crypto_ready(&probe_context.manifest)
            .context("validate hosted governance KMS readiness")?;
        self.load_enterprise_org_units()
            .await
            .context("load hosted organization-unit store")?;
        self.load_enterprise_org_unit_memberships()
            .await
            .context("load hosted organization-unit membership store")?;
        self.load_enterprise_org_unit_access_grants()
            .await
            .context("load hosted organization-unit access-grant store")?;
        self.load_enterprise_cross_tenant_grants()
            .await
            .context("load hosted cross-tenant grant store")?;
        self.load_enterprise_source_bindings()
            .await
            .context("load hosted source-binding store")?;
        self.load_policy_decisions()
            .await
            .context("load hosted policy-decision store")?;
        self.load_enterprise_policy_rules_if_needed()
            .await
            .context("load hosted policy-rule store")?;
        crate::audit::validate_protected_audit_ledger_if_present(&self.protected_audit_path)
            .await
            .context("validate hosted protected-audit store")?;
        crate::http::memory_audit_store::load_memory_audit_events_strict(self)
            .await
            .context("validate hosted memory-audit store")?;
        Ok(())
    }
}