Operate & govern
Auth
Foundational kernel: connectors, ActorContext, runtime-compiled policy, scope-chain merge.
This page is the documentation contract for the Auth surface in Vadyl's final form. It is not a marketing summary: it names the authorities, projections, runtime behavior, examples, limits, errors, and observability expectations that every product implementation must honor.
What this surface owns
- Auth owns the canonical product-facing contract described here; provider-specific machinery stays behind capability declarations.
- Foundational kernel: connectors, ActorContext, runtime-compiled policy, scope-chain merge.
- The final docs treat this as complete: REST, GraphQL, gRPC, SDK, CLI, MCP, dashboard, observability, limits, errors, and explainability are all covered as projections of one authority.
Canonical authorities
| Authority | Role |
|---|---|
ProjectRuntimeDescriptor | Pins Auth to a publication, runtime descriptor, worker, or substrate realization. |
SnapshotManifest | Canonical owner for Auth; downstream surfaces derive from this rather than inventing their own truth. |
Branching CAS | Canonical owner for Auth; downstream surfaces derive from this rather than inventing their own truth. |
EffectiveGovernanceEnvelope | Canonical owner for Auth; downstream surfaces derive from this rather than inventing their own truth. |
Usage ledger | Canonical owner for Auth; downstream surfaces derive from this rather than inventing their own truth. |
Projection coverage
| Surface kinds | GovernancePolicySurface, BillingMeterSurface, IdentityProviderSurface, AuthSchemeSurface, ObservabilitySurface, ExplainabilitySurface |
| Projection facets | Branches, Publications, Observability, Explainability, Installations, ExposureBindings |
| Protocols | Rest, OpenApi, Sdk, Cli, Dashboard |
| Public projections | project APIs; branch APIs; version APIs; identity/auth APIs; usage APIs; explainability APIs |
Project-scope parity
Publish, install, consume
Consumption evidence
Runtime behavior
- branch-aware descriptor compilation
- publication pinning
- hierarchy inheritance
- quota reservation
- observability relay
REST and controller surface
Code-backed controllers are listed here so the docs menu does not hide the real endpoint surface. The complete route-by-route table remains in the REST controller atlas.
| Controller | Base route | Endpoint count | Examples |
|---|---|---|---|
| Projects | /api/projects | 14 | POST createGET resolvePOST {parentProjectId}/childrenGET {projectId}/provider-bindings |
| Branch | /api/Branch | 64 | GET branchesPOST branchesGET branches/{id}DELETE branches/{id} |
| VersionGovernance | /api/version | 13 | GET /GET projects/{projectId}GET projects/{projectId}/publication/{publicationVersion:long}GET platform-baseline |
| IdentityManagement | /api/IdentityManagement | 7 | GET subjectsGET subjects/{id}POST subjects/{id}/deactivateGET memberships |
| Usage | /api/Usage | 7 | GET {projectId}/eventsGET {projectId}/rollupsGET {projectId}/quotasPOST {projectId}/quotas |
| Observability | /api/Observability | 8 | GET EntriesGET Entries/{id}GET Trail/{entityName}GET Trails |
| Explainability | /api/Explainability | 15 | GET surfaceGET project-runtimeGET publication/latestGET publication/{publicationVersion:long} |
| IdentityEntrypoint | /api/identity | 9 | GET discoveryPOST loginPOST registerPOST refresh |
| CredentialReveal | /api/CredentialReveal | 1 | POST {tokenId}/reveal |
SDK and CLI surface
| Projection | Namespace / group | Coverage |
|---|---|---|
| SDK | branching | branches, commits, workspaces, sandboxes, proposals, environments, deploy, rollback. Rendered methods: 5. |
| SDK | observability | audit, operational, debug, metrics, traces, diagnostics, reason-code correlation. Rendered methods: 4. |
| SDK | explainability | access, read-plan, surface, publication, analytics, automation, PCG, measure explanations. Rendered methods: 3. |
| SDK | platform | provider health/capabilities, runtime fabric scaling, distribution, version governance, data portability. Rendered methods: 12. |
| CLI | vadyl project | Create, suspend, archive, traverse the project hierarchy. Rendered commands: 7. |
| CLI | vadyl branch | Manage branches and workspaces for the canonical contract. Rendered commands: 6. |
| CLI | vadyl publication | Project runtime publications. Rendered commands: 5. |
| CLI | vadyl deploy | Plan, apply, ramp, and roll back deployments. Rendered commands: 5. |
| CLI | vadyl audit | Tail / search the canonical audit log. Rendered commands: 2. |
| CLI | vadyl explain | Project canonical decision reasoning. Rendered commands: 4. |
| CLI | vadyl auth | Sign in, manage tokens, switch tenant/project scope. Rendered commands: 5. |
Input request and output
POST /api/projects/create HTTP/1.1
Host: api.vadyl.app
Authorization: Bearer $VADYL_TOKEN
X-Vadyl-Tenant: acme
X-Vadyl-Project: billing
Content-Type: application/json
{
"surface": "auth",
"publicationVersion": 412,
"explain": true
}Limits and quotas
Error model
| Error | Meaning |
|---|