HTTP wire DTOs. The types and their engine-result -> DTO mappings live
in the shared omnigraph-api-types crate (RFC-009 Phase 2) so the CLI
and server share one definition; re-exported here so every
omnigraph_server::api::* path (handlers, the OpenApi schema list,
CLI imports) keeps resolving unchanged. Only query_catalog_entry
stays — it maps the server’s runtime StoredQuery (not a wire type)
into the shared QueryCatalogEntry DTO.

Runtime routing for the server (RFC-011 cluster-only). Every
deployment serves cluster routes (/graphs/{graph_id}/...) backed by
a registry of N graphs (N ≥ 1). The single-graph convenience
constructors build a one-graph registry keyed by default; the
cluster boot path builds an N-graph registry. There is no longer a
flat-route mode.

One graph’s startup-time configuration: id, opened URI, optional
per-graph policy source. Constructed by load_server_settings
in multi mode; consumed by serve’s parallel open loop.

What a caller wants to do, sans identity. Actor identity flows
through a separate actor_id: &str parameter on
PolicyEngine::authorize / PolicyChecker::check — encoding
the architectural invariant that actor identity is server-authoritative
and must not be supplied by the same code path that supplies the
requested action. In the HTTP layer, the bearer-token middleware
resolves the actor and passes it independently; clients cannot
smuggle identity inside this struct.
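
The separation described above, as an added sketch (not omnigraph's own code): the request type has no actor field, so the actor reaches authorize only from the server-side token lookup. The token table, grant list, form-style body and every name other than authorize and actor_id are assumptions made for illustration.

```rust
use std::collections::HashMap;

/// What the caller wants to do. There is deliberately no actor field.
pub struct PolicyRequest { pub action: String, pub graph_id: String }

/// Hypothetical engine: a list of (actor, action, graph) grants.
pub struct PolicyEngine { grants: Vec<(&'static str, &'static str, &'static str)> }

impl PolicyEngine {
    /// The actor arrives as its own parameter, never from `req`.
    pub fn authorize(&self, actor_id: &str, req: &PolicyRequest) -> bool {
        self.grants.iter().any(|&(a, act, g)| a == actor_id && act == req.action && g == req.graph_id)
    }
}

/// Stand-in for the bearer-token middleware: token -> server-side actor id.
pub fn resolve_actor(tokens: &HashMap<&'static str, &'static str>, authorization: Option<&str>) -> Option<&'static str> {
    let token = authorization?.strip_prefix("Bearer ")?;
    tokens.get(token).copied()
}

/// Parse a client body of the assumed form "key=value&key=value".
pub fn parse_request(body: &str) -> Option<PolicyRequest> {
    let (mut action, mut graph_id) = (None, None);
    for pair in body.split('&') {
        match pair.split_once('=') {
            Some(("action", v)) => action = Some(v.to_string()),
            Some(("graph_id", v)) => graph_id = Some(v.to_string()),
            _ => {} // anything else, "actor=..." included, has no field to land in
        }
    }
    Some(PolicyRequest { action: action?, graph_id: graph_id? })
}

/// Returns the HTTP status the request would get.
pub fn handle(tokens: &HashMap<&'static str, &'static str>, engine: &PolicyEngine, authorization: Option<&str>, body: &str) -> u16 {
    let actor_id = match resolve_actor(tokens, authorization) { Some(a) => a, None => return 401 };
    let req = match parse_request(body) { Some(r) => r, None => return 400 };
    if engine.authorize(actor_id, &req) { 200 } else { 403 }
}

/// Constructed sample data: two tokens and two grants.
pub fn sample() -> (HashMap<&'static str, &'static str>, PolicyEngine) {
    let tokens = HashMap::from([("tok-alice", "alice"), ("tok-bob", "bob")]);
    (tokens, PolicyEngine { grants: vec![("alice", "write", "g1"), ("bob", "read", "g1")] })
}

fn main() {
    let (tokens, engine) = sample();
    let status = handle(&tokens, &engine, Some("Bearer tok-bob"), "action=write&graph_id=g1&actor=alice");
    println!("bob's token with actor=alice in the body: {}", status);
}
```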

Which Cedar entity an action’s policies apply to. Internal to
omnigraph-policy — drives the compile_policy_source template
and the request-time resource UID construction.

Where a Cedar policy bundle comes from at startup. Cluster-local files are
used during config application; inline digest-verified catalog content is
used for serving, where the catalog may live on object storage and the
server must not re-read mutable state after the snapshot.

What load_server_settings produces. RFC-011 cluster-only: the
server always boots from a cluster’s applied revision into a
multi-graph deployment (N ≥ 1 graphs).

Compute the ServerRuntimeState from the configured inputs.
Pulled out as a pure function so the matrix is unit-testable
without standing up the full server.

RFC-011 cluster-only boot: the server serves exclusively from a
cluster’s applied revision (--cluster <dir | s3://…>). The legacy
omnigraph.yaml / --target / positional-URI single-graph boot paths
were removed — a deployment serves from exactly one source.

Parallel open of every graph in the startup config, with bounded
concurrency (buffer_unordered(4)). Graph-specific open failures
quarantine that graph; startup succeeds as long as at least one graph
opens.

The canonical served OpenAPI shape (RFC-011 cluster-only): the static
ApiDoc with every protected path nested under /graphs/{graph_id}/…
and cluster_-prefixed operation ids. /healthz and /graphs stay
flat. This is the single source of nesting — both the runtime
server_openapi handler and the committed openapi.json derive from
it, so the published spec can never describe routes the server does
not serve. The handler additionally strips security in open mode; the
committed spec retains it.