actions: deny plants annotated denied/<id> tag

apply-commit denials now leave a git object behind: tag denied/<id> annotated with the operator's note (or empty body if they didn't supply one) at proposal/<id> inside the applied repo. rejected configs become first-class git history — git show denied/<id> in the manager's applied.git mount yields the tree the operator rejected plus the reason. helper event carries the tag for parity with deployed/failed. spawn denials fall through unannotated since they have no proposal commit. deny becomes async (single git plumbing call); dashboard + admin-socket callers grow .await.
2026-05-15 23:01:22 +02:00 · 2026-05-15 23:01:22 +02:00 · 6cf66e23dc
commit 6cf66e23dc
parent df9da4d6e1
3 changed files with 34 additions and 4 deletions
--- a/hive-c0re/src/server.rs
+++ b/hive-c0re/src/server.rs
@ -146,7 +146,7 @@ async fn dispatch(req: &HostRequest, coord: Arc<Coordinator>) -> HostResponse {
                HostResponse::success()
            }
            HostRequest::Deny { id } => {
-                actions::deny(&coord, *id, None)?;
+                actions::deny(&coord, *id, None).await?;
                HostResponse::success()
            }
        })