Add read-only mode to reject write operations

[eazyhozy]

Problem

There is no server-level mechanism to reject write requests. MutationMode.IGNORE skips mutation execution but does not block DDL/metadata mutations, and the request itself is still processed.

A read-only mode is needed for scenarios where the server shares the infrastructure layer (HBase, metastore) with production but must not perform any writes — e.g., shadow testing, read-only replicas.

Proposed Solution

Add actionbase.read-only property (default false, env var AB_READ_ONLY).

• WebFilter rejects POST/PUT/DELETE/PATCH on /graph/v2 and /graph/v3 paths
• Read-only POST endpoints (/edges/get, /multi-edges/ids, /query) are allowlisted
• Follows the same conditional WebFilter pattern as MirrorRequestFilter

With read-only mode enabled, a server sharing production HBase and metastore can be deployed with no additional configuration.

Alternatives Considered

• MutationMode.IGNORE: Does not cover DDL/metadata mutations. Request is still processed rather than explicitly rejected.
• Network/infra-level blocking (K8s NetworkPolicy, HBase ACL): Opaque error messages. Application-level feedback is more useful for operations.

Additional Context

What HTTP status code should be returned for rejected write requests: 403 Forbidden (not permitted on this server) vs 400 Bad Request (invalid request)? Feedback welcome.

[eazyhozy]

@em3s Would appreciate your thoughts on this 🙏

Two things I'd especially like feedback on:

1. HTTP status code for rejected writes — 403 Forbidden vs 400 Bad Request?
2. Does the read-only POST allowlist (/edges/get, /multi-edges/ids, /query) cover all cases?

[em3s]

+1 for 403. The allowlist looks reasonable.