kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::ipc::jobs::JobCategory;
4use crate::wire::{RunAs, Shell, Staleness};
5
6/// YAML job manifest (= registered "what to run", v0.18.0+).
7///
8/// Owns only script-intrinsic fields. **Who** (`target`), **how to
9/// phase fanout** (`rollout`), and **when to stagger start**
10/// (`jitter`) all moved to the Schedule / exec request side — same
11/// script can now be fired against different targets / rollouts
12/// without copying the script body.
13///
14/// `deny_unknown_fields` makes operators copy-pasting an older yaml
15/// that still has `target:` / `rollout:` see a clear parse error at
16/// `kanade job create` time instead of mysteriously losing it.
17#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
18#[serde(deny_unknown_fields)]
19pub struct Manifest {
20 pub id: String,
21 pub version: String,
22 #[serde(default)]
23 pub description: Option<String>,
24 pub execute: Execute,
25 #[serde(default)]
26 pub require_approval: bool,
27 /// Opt-in marker that this job produces a JSON inventory fact
28 /// payload on stdout. When present, the backend's results
29 /// projector parses `ExecResult.stdout` as JSON and upserts an
30 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
31 /// `display` sub-config drives the SPA's Inventory page render.
32 #[serde(default)]
33 pub inventory: Option<InventoryHint>,
34 /// Issue #246: opt-in marker that this job emits per-line
35 /// observability events on stdout (one JSON `ObsEvent` per
36 /// newline). When present, the agent — after the script exits
37 /// successfully — parses each non-empty stdout line as an
38 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
39 /// `obs_outbox`, and (intentionally) **omits the stdout from
40 /// the `ExecResult`** so the timeline data doesn't double up
41 /// in `execution_results.stdout` (which would multiply rows
42 /// by ~50/day/PC of noise).
43 ///
44 /// Distinct from `inventory:` (single JSON object → projector
45 /// upsert) — events are append-only timeline points consumed
46 /// by the dedicated `obs_events` table.
47 #[serde(default)]
48 pub emit: Option<EmitConfig>,
49 /// #290: opt-in marker that this job is an operator-defined
50 /// **health check** whose result feeds the Client App's Health
51 /// tab over KLP (`StateSnapshot.checks`). The script prints a
52 /// free-form JSON object on stdout (like any inventory job); the
53 /// agent reads the [`CheckHint::status_field`] value dynamically
54 /// into a [`crate::ipc::state::Check`] named `check.name`.
55 /// Cadence / windows / conditions come from
56 /// the job's Schedule (exactly like inventory) — there is
57 /// deliberately no interval here. **Composes with `inventory:`**:
58 /// the script's stdout is one JSON object, so a check can also
59 /// carry an `inventory:` block to project the rest of that object
60 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
61 /// `emit:` (NDJSON stdout) is incompatible.
62 #[serde(default)]
63 pub check: Option<CheckHint>,
64 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
65 /// what the agent does at fire time when it can't verify the
66 /// `script_current` / `script_status` KV values are fresh —
67 /// especially relevant for `runs_on: agent` schedules where
68 /// the agent may fire from cache while offline. Defaults to
69 /// `Staleness::Cached` (silently use cached values), which
70 /// matches every pre-v0.26 Manifest.
71 #[serde(default)]
72 pub staleness: Staleness,
73 /// #291: opt-in marker that this job is offered to **end users**
74 /// in the Client App's job tabs over KLP (`jobs.list` →
75 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
76 /// [`emit`]: the block's mere presence is the opt-in, and it
77 /// groups the end-user presentation fields (name / category /
78 /// icon) that only make sense for a user-facing job. `None`
79 /// (the default) ⇒ an operator-only job — inventory, checks,
80 /// scheduled maintenance — that never surfaces in the catalog.
81 ///
82 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
83 /// (SPEC §2.1), so removing the block takes a job out of a
84 /// running client on its next action.
85 ///
86 /// [`inventory`]: Manifest::inventory
87 /// [`check`]: Manifest::check
88 /// [`emit`]: Manifest::emit
89 #[serde(default, skip_serializing_if = "Option::is_none")]
90 pub client: Option<ClientHint>,
91}
92
93/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
94/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
95/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
96/// here keeps the validation + serialisation logic in one place.
97#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
98pub struct FanoutPlan {
99 #[serde(default)]
100 pub target: Target,
101 /// Optional wave rollout — when present, the backend publishes
102 /// each wave's group subject on its own delay schedule instead
103 /// of fanning out the `target` block in one go. `target` then
104 /// only labels the deploy for the audit log.
105 #[serde(default, skip_serializing_if = "Option::is_none")]
106 pub rollout: Option<Rollout>,
107 /// Optional humantime jitter; agent uses it to randomise
108 /// execution start. Lives here (not on the script) so different
109 /// schedules / ad-hoc fires of the same job can pick different
110 /// stagger windows.
111 #[serde(default, skip_serializing_if = "Option::is_none")]
112 pub jitter: Option<String>,
113 /// Absolute time the scheduler stamps on each emitted Command
114 /// when this exec was driven by a [`Schedule`] with
115 /// `starting_deadline`. Agents receiving a Command after this
116 /// instant publish a synthetic skipped-result instead of
117 /// running the script. `None` (default) = no deadline / catch
118 /// up whenever delivered. Operators don't usually set this
119 /// directly — the scheduler computes it from `tick_at +
120 /// starting_deadline`.
121 #[serde(default, skip_serializing_if = "Option::is_none")]
122 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
123}
124
125/// Manifest sub-section: how the SPA should render the inventory
126/// facts this job produces. Each field name (`field`) is a top-level
127/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
128///
129/// Two render modes:
130/// * `display` — vertical "field / value" per PC, used by the
131/// `/inventory?pc=<id>` detail view. ALL columns the operator
132/// wants visible on the detail page.
133/// * `summary` — horizontal table across the fleet (row = PC,
134/// column = field) on `/inventory`. Optional; when omitted the
135/// SPA falls back to `display`, but operators usually want a
136/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
137#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
138pub struct InventoryHint {
139 /// Detail-view columns, in order.
140 pub display: Vec<DisplayField>,
141 /// Optional fleet-list columns (row = PC). Defaults to `display`
142 /// when omitted, but operators usually pick a 3-5 column subset.
143 #[serde(default, skip_serializing_if = "Option::is_none")]
144 pub summary: Option<Vec<DisplayField>>,
145 /// v0.31 / #40: payload arrays that should be exploded into
146 /// per-element rows of a derived SQLite table. Lets operators
147 /// answer cross-PC questions ("which PCs still have Chrome <
148 /// 120?", "C: >90% full") with normal SQL filters + indexes
149 /// instead of grepping JSON. The projector creates the derived
150 /// table on register and replaces this PC's rows on each result
151 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
152 /// [`ExplodeSpec`] for the per-spec schema.
153 #[serde(default, skip_serializing_if = "Option::is_none")]
154 pub explode: Option<Vec<ExplodeSpec>>,
155 /// v0.35 / #93: top-level scalar fields whose changes the
156 /// projector logs to `inventory_history` (one event per
157 /// changed field per scan). Pairs with `explode[].track_history`
158 /// — that covers array elements; this covers single-valued
159 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
160 /// `os_build` that operators want to track for "did the RAM
161 /// get upgraded?" / "when did Win 11 land on this PC?" /
162 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
163 /// in the history row, `identity_json` is NULL, `before_json`
164 /// / `after_json` each carry `{"value": <prior or new value>}`.
165 /// First-ever observation of a scalar (no prior facts row)
166 /// emits `added`; subsequent value changes emit `changed`. No
167 /// `removed` events — a scalar disappearing from the payload
168 /// is rare and the operator can still see the last value via
169 /// the `before_json` of the most recent change.
170 #[serde(default, skip_serializing_if = "Option::is_none")]
171 pub history_scalars: Option<Vec<String>>,
172}
173
174/// Manifest sub-section (#290): marks a job as an operator-defined
175/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
176/// The stdout contract is a free-form JSON object (same as any
177/// inventory job) from which the agent reads `status_field` /
178/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
179/// on the Client App's Health tab.
180///
181/// There is deliberately **no timing field** — when / how often /
182/// in which window a check runs is driven by the job's Schedule,
183/// exactly like inventory jobs, so operators get the full `when:` /
184/// rollout / `runs_on` expressiveness for free.
185///
186/// A check's stdout is a **free-form inventory object** (arbitrary
187/// key/value pairs + arrays) — same as any inventory job — that also
188/// carries a status field. `check:` adds only the health semantics on
189/// top: which field is the ok/warn/fail/unknown status, an optional
190/// one-line summary field, and a remediation job. Everything else
191/// (rich per-PC detail, `explode` sub-tables like a software list) is
192/// driven by a co-present [`InventoryHint`] and rendered with the
193/// SAME display logic the SPA Inventory page uses — on the Client App
194/// too. This keeps checks maximally expressive without a bespoke
195/// payload type.
196#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
197#[serde(deny_unknown_fields)]
198pub struct CheckHint {
199 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
200 /// the SPA/Client React key + analytics label. Unique within the
201 /// fleet's check set.
202 pub name: String,
203 /// Top-level stdout field whose string value
204 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
205 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
206 /// `"status"`; a missing / unparseable value → `unknown`.
207 #[serde(default = "default_status_field")]
208 pub status_field: String,
209 /// Top-level stdout field used as the Health-tab row's one-line
210 /// summary. Defaults to `"detail"`; absent in the payload → no
211 /// detail line (the rich breakdown lives in the inventory view).
212 #[serde(default = "default_detail_field")]
213 pub detail_field: String,
214 /// Optional remediation job id →
215 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
216 /// App shows a "修復する" button when present; that job must be
217 /// `user_invokable`.
218 #[serde(default, skip_serializing_if = "Option::is_none")]
219 pub troubleshoot: Option<String>,
220 /// #290 PR-E: when `true` (default), the backend also projects this
221 /// check's `status` / `detail` into the `check_status` table so the
222 /// operator SPA gets a fleet-wide compliance view for free — no
223 /// `inventory:` block needed. Set `fleet: false` for a client-only
224 /// check the operator doesn't want surfaced across the fleet.
225 #[serde(default = "default_fleet")]
226 pub fleet: bool,
227}
228
229fn default_status_field() -> String {
230 "status".to_string()
231}
232
233fn default_detail_field() -> String {
234 "detail".to_string()
235}
236
237fn default_fleet() -> bool {
238 true
239}
240
241/// Manifest sub-section (#291): marks a job as **user-invokable**
242/// from the Client App and carries how it presents to the end user.
243/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
244/// the block's presence is the opt-in (no separate boolean), and its
245/// required fields (`name`, `category`) are enforced by serde at
246/// parse time, so a half-filled catalog entry fails
247/// `kanade job create` instead of rendering a nameless / tab-less row.
248///
249/// The agent maps this 1:1 into the KLP
250/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
251/// that `jobs.list` returns; the Client App renders one row per job in
252/// the tab named by `category`.
253#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
254#[serde(deny_unknown_fields)]
255pub struct ClientHint {
256 /// End-user-facing title for the job row. The operator-internal
257 /// `Manifest::id` slug is rarely what an end user should read, so
258 /// this is required (and validated non-empty by
259 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
260 pub name: String,
261 /// Optional one-line subtitle under `name` in the Client App.
262 /// Distinct from the operator-facing top-level
263 /// [`Manifest::description`] — this one is written for the end
264 /// user. Maps to `UserInvokableJob::display_description`.
265 #[serde(default, skip_serializing_if = "Option::is_none")]
266 pub description: Option<String>,
267 /// Which Client App tab the job lives in (`software_update` →
268 /// アップデート, `troubleshoot` → 困ったとき, `catalog` → software
269 /// catalog). Required — without it the agent can't place the job
270 /// in a tab.
271 pub category: JobCategory,
272 /// Optional icon hint for the job row — a lucide-react icon name
273 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
274 /// category's default icon. Surfaced verbatim in
275 /// `jobs.list[].icon`.
276 #[serde(default, skip_serializing_if = "Option::is_none")]
277 pub icon: Option<String>,
278}
279
280/// Issue #246 — `emit:` manifest block for jobs whose stdout is
281/// NDJSON observability events (one `ObsEvent` per line). Parallel
282/// to `inventory:` but for the append-only timeline pipeline; see
283/// `Manifest::emit` for the full contract.
284#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
285#[serde(deny_unknown_fields)]
286pub struct EmitConfig {
287 /// What kind of payload the agent should expect on stdout. Only
288 /// `events` is defined today (parses each non-empty line as
289 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
290 /// (e.g. metrics streams, structured trace events) plug in here.
291 #[serde(rename = "type")]
292 pub kind: EmitKind,
293 /// Operator hint for where the script keeps its own state — the
294 /// watermark file the PowerShell / sh body reads + writes
295 /// between runs so it only emits NEW events since the last
296 /// poll. The agent doesn't read this; it's documentation that
297 /// the SPA (and `kanade job edit`) can surface to operators
298 /// reviewing the manifest. Optional; the script is allowed to
299 /// keep state anywhere (registry, env, etc.) — the field's
300 /// presence makes the convention discoverable.
301 #[serde(default, skip_serializing_if = "Option::is_none")]
302 pub watermark_path: Option<String>,
303}
304
305/// `emit.type` enum. Lowercase serde so manifests read
306/// `type: events` rather than `Events`.
307#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
308#[serde(rename_all = "lowercase")]
309pub enum EmitKind {
310 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
311 /// `obs.<pc_id>`, drops the stdout from the resulting
312 /// `ExecResult`.
313 Events,
314}
315
316/// v0.31 / #40: declarative "flatten this JSON array into a real
317/// SQLite table" spec on an inventory manifest. The projector
318/// creates the table on first registration (CREATE TABLE IF NOT
319/// EXISTS + indexes) and writes a row per element of
320/// `payload[field]` on every result, scoped by (pc_id, job_id) so
321/// each PC's rows replace cleanly without a per-PC schema.
322#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
323pub struct ExplodeSpec {
324 /// JSON array key under the payload to explode. E.g. `"apps"`
325 /// for `payload: { apps: [{...}, {...}] }`.
326 pub field: String,
327 /// Derived SQLite table name. Operators choose this — pick
328 /// something namespaced + stable (`inventory_sw_apps`, not
329 /// `apps`) so multiple inventory manifests don't collide on a
330 /// generic name.
331 pub table: String,
332 /// Element-level fields that uniquely identify a row inside one
333 /// PC's payload. The full PK is `(pc_id, job_id) + these
334 /// columns`. Required — operators must think about uniqueness
335 /// (e.g. `["name", "source"]` for installed apps because the
336 /// same name appears in multiple uninstall hives).
337 ///
338 /// v0.31 / #41: same tuple drives history identity. When
339 /// `track_history` is on, the projector serialises these
340 /// fields' values into `inventory_history.identity_json` for
341 /// every change event, so queries like "every PC that ever
342 /// installed Chrome (any source)" filter on identity_json
343 /// content without a per-manifest schema.
344 pub primary_key: Vec<String>,
345 /// Per-element fields that become columns in the derived table.
346 pub columns: Vec<ExplodeColumn>,
347 /// v0.31 / #41: when true (default false), the projector
348 /// diffs each PC's incoming payload against the prior rows
349 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
350 /// replace, and writes added / removed / changed events into
351 /// `inventory_history`. Lets operators answer time-dimension
352 /// questions ("when did Chrome 120 first appear on PC X?",
353 /// "what's the Win 11 23H2 rollout curve") without storing
354 /// per-scan snapshots. Off by default so operators opt in
355 /// per-spec — history has a real storage cost on long-lived
356 /// deployments (mitigated by the 90-day default retention
357 /// sweeper, see `cleanup` module).
358 #[serde(default)]
359 pub track_history: bool,
360}
361
362/// One column in an [`ExplodeSpec`]'s derived table.
363#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
364pub struct ExplodeColumn {
365 /// JSON key under each array element. Becomes the column name
366 /// in the derived SQLite table — we don't rename.
367 pub field: String,
368 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
369 /// Storage maps directly via `sqlx::query.bind(...)`; type
370 /// mismatches at INSERT-time fail loudly rather than silently
371 /// dropping the row.
372 #[serde(default, skip_serializing_if = "Option::is_none")]
373 #[serde(rename = "type")]
374 pub kind: Option<String>,
375 /// When true, the projector creates a `CREATE INDEX` on this
376 /// column at table-creation time. Boost for the common-filter
377 /// columns (`name`, `version`) — operators mark them
378 /// explicitly, the projector won't guess.
379 #[serde(default)]
380 pub index: bool,
381}
382
383#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
384pub struct DisplayField {
385 /// Top-level key in the stdout JSON.
386 pub field: String,
387 /// Human-readable column header.
388 pub label: String,
389 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
390 /// or `"table"` (#39). Defaults to plain text rendering on the
391 /// SPA side. `"table"` expects the field's value to be a JSON
392 /// array of objects and renders a nested sub-table on the
393 /// per-PC detail page using `columns` as the schema; the fleet
394 /// summary view falls back to showing the row count for
395 /// `"table"` cells so the wide list stays compact.
396 #[serde(default, skip_serializing_if = "Option::is_none")]
397 #[serde(rename = "type")]
398 pub kind: Option<String>,
399 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
400 /// field's value (an array of objects like
401 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
402 /// sub-table using these columns. Each column is itself a
403 /// `DisplayField`, so the nested cells reuse the same render
404 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
405 /// pipeline. Ignored for any other `kind`.
406 #[serde(default, skip_serializing_if = "Option::is_none")]
407 pub columns: Option<Vec<DisplayField>>,
408}
409
410#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
411pub struct Rollout {
412 #[serde(default)]
413 pub strategy: RolloutStrategy,
414 pub waves: Vec<Wave>,
415}
416
417#[derive(
418 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
419)]
420#[serde(rename_all = "lowercase")]
421pub enum RolloutStrategy {
422 #[default]
423 Wave,
424}
425
426#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
427pub struct Wave {
428 pub group: String,
429 /// humantime delay measured from the deploy's publish time. wave[0]
430 /// typically has "0s"; subsequent waves use minutes / hours.
431 pub delay: String,
432}
433
434#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
435pub struct Target {
436 #[serde(default)]
437 pub groups: Vec<String>,
438 #[serde(default)]
439 pub pcs: Vec<String>,
440 #[serde(default)]
441 pub all: bool,
442}
443
444impl Target {
445 /// At least one of all / groups / pcs is set.
446 pub fn is_specified(&self) -> bool {
447 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
448 }
449}
450
451#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
452#[serde(deny_unknown_fields)]
453pub struct Execute {
454 pub shell: ExecuteShell,
455 /// Inline script body. Mutually exclusive with [`script_file`]
456 /// and [`script_object`]; exactly one of the three must be set
457 /// (enforced by [`Execute::validate_script_source`] at the
458 /// write-side parse boundaries — `kanade job create` and
459 /// `POST /api/jobs`).
460 ///
461 /// Empty string is treated as **unset** so operators can swap
462 /// to a `script_file:` / `script_object:` alternative just by
463 /// commenting out the body, without having to also drop the
464 /// `script:` key entirely.
465 ///
466 /// [`script_file`]: Self::script_file
467 /// [`script_object`]: Self::script_object
468 #[serde(default, skip_serializing_if = "Option::is_none")]
469 pub script: Option<String>,
470 /// Repo-local file path resolved by the operator-side CLI at
471 /// `kanade job create` time. The CLI reads the file, slots its
472 /// contents into `script`, and clears this field before
473 /// POSTing — so the backend / agents never see `script_file`
474 /// in stored manifests. SPEC §2.4.1.
475 ///
476 /// Resolver lands in a follow-up PR
477 /// (yukimemi/kanade#210); today this field passes parse-time
478 /// validation but the operator-side CLI bails with "not yet
479 /// implemented" until the resolver ships, so manifests that
480 /// reach the backend with `script_file` set are treated as a
481 /// schema-bug.
482 #[serde(default, skip_serializing_if = "Option::is_none")]
483 pub script_file: Option<String>,
484 /// Object Store reference (`<name>/<version>`) into the
485 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
486 /// at Execute time via `/api/script-objects/{name}/{version}`
487 /// and cache it locally. SPEC §2.4.1.
488 ///
489 /// Resolver lands in the same follow-up PR as `script_file`;
490 /// today this field passes parse-time validation but the
491 /// backend / agent exec paths bail with "not yet implemented"
492 /// when they see it.
493 #[serde(default, skip_serializing_if = "Option::is_none")]
494 pub script_object: Option<String>,
495 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
496 /// — represents how long this script reasonably takes to run.
497 pub timeout: String,
498 /// Token + session combination the agent uses to launch the
499 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
500 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
501 #[serde(default)]
502 pub run_as: RunAs,
503 /// Working directory for the spawned child (v0.21.1). When
504 /// unset, the child inherits the agent's cwd — on Windows that
505 /// means `%SystemRoot%\System32` for the prod service, which is
506 /// almost never what operators actually want. Use an absolute
507 /// path; relative paths are passed through to the OS verbatim.
508 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
509 /// you'd want `%USERPROFILE%` (but expansion happens in the
510 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
511 /// it via teravars before `kanade job create`).
512 #[serde(default, skip_serializing_if = "Option::is_none")]
513 pub cwd: Option<String>,
514}
515
516impl Execute {
517 /// Treat an empty `script:` body as "intentionally unset". Operators
518 /// commenting out a block-scalar tend to leave the key behind, and
519 /// failing the validator on `script: ""` would surprise them.
520 fn has_inline_script(&self) -> bool {
521 matches!(&self.script, Some(s) if !s.is_empty())
522 }
523
524 /// Enforce that exactly one of `script` / `script_file` /
525 /// `script_object` is set. Called at the write-side parse
526 /// boundaries (CLI `kanade job create` + backend
527 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
528 /// reaches the JOBS KV. Read paths (projector, agent
529 /// scheduler, list endpoints) skip this check — they only ever
530 /// see what the write path already validated.
531 pub fn validate_script_source(&self) -> Result<(), String> {
532 let inline = self.has_inline_script();
533 let file = self.script_file.is_some();
534 let obj = self.script_object.is_some();
535 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
536 match set {
537 1 => Ok(()),
538 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
539 _ => Err(format!(
540 "execute: only one of `script` / `script_file` / `script_object` may be set \
541 (got script={inline}, script_file={file}, script_object={obj})"
542 )),
543 }
544 }
545}
546
547impl Manifest {
548 /// Cross-field semantic checks that don't fit into pure serde
549 /// derive. Currently delegates to
550 /// [`Execute::validate_script_source`] — see that method's
551 /// docs for the rationale on which call sites should run this.
552 pub fn validate(&self) -> Result<(), String> {
553 self.execute.validate_script_source()?;
554 // Stdout-format compatibility. `inventory:` and `check:` both
555 // consume the SAME single JSON object — they COMPOSE: a check
556 // can extract `status`/`detail` for the Health tab while the
557 // projector explodes the rest into SPA sub-tables. `emit:` is
558 // different — its stdout is NDJSON and the agent omits it from
559 // the result entirely — so it can't be paired with either.
560 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
561 return Err(
562 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
563 timeline events (and omitted from the result), while inventory/check read a \
564 single JSON object from stdout"
565 .to_string(),
566 );
567 }
568 // A check's `name` is the Health-tab row id (React key); the
569 // field names tell the agent where to read status/detail.
570 // An empty value is an invisible runtime bug, and the serde
571 // defaults don't guard an operator who writes `status_field:
572 // ""` explicitly — reject all three here.
573 if let Some(check) = &self.check {
574 for (label, value) in [
575 ("check.name", &check.name),
576 ("check.status_field", &check.status_field),
577 ("check.detail_field", &check.detail_field),
578 ] {
579 if value.trim().is_empty() {
580 return Err(format!("{label} must not be empty"));
581 }
582 }
583 // A present-but-blank `troubleshoot` is a broken
584 // remediation job id (the "修復する" button would target
585 // an empty manifest id) — reject it too.
586 if let Some(troubleshoot) = &check.troubleshoot {
587 if troubleshoot.trim().is_empty() {
588 return Err("check.troubleshoot must not be empty when set".to_string());
589 }
590 }
591 }
592 // #291: a `client:` job is rendered in the Client App's
593 // catalog (`jobs.list` → `jobs.execute`). serde already makes
594 // `name` + `category` required at parse time; the only gap is
595 // a present-but-blank `name`, which would render an empty row
596 // title — reject it like the other display-id fields.
597 if let Some(client) = &self.client {
598 if client.name.trim().is_empty() {
599 return Err("client.name must not be empty".to_string());
600 }
601 // Optional display fields, when present, must be
602 // meaningful: a blank `description` renders an empty
603 // subtitle and a blank `icon` is a dangling lucide name.
604 // Same present-but-blank guard the `check:` block applies
605 // to its optional `troubleshoot` id.
606 for (label, value) in [
607 ("client.description", &client.description),
608 ("client.icon", &client.icon),
609 ] {
610 if let Some(v) = value {
611 if v.trim().is_empty() {
612 return Err(format!("{label} must not be empty when set"));
613 }
614 }
615 }
616 }
617 Ok(())
618 }
619}
620
621#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
622#[serde(rename_all = "lowercase")]
623pub enum ExecuteShell {
624 Powershell,
625 Cmd,
626}
627
628impl From<ExecuteShell> for Shell {
629 fn from(s: ExecuteShell) -> Self {
630 match s {
631 ExecuteShell::Powershell => Shell::Powershell,
632 ExecuteShell::Cmd => Shell::Cmd,
633 }
634 }
635}
636
637#[cfg(test)]
638mod tests {
639 use super::*;
640
641 /// The example check-job + schedule YAMLs shipped under `configs/`
642 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
643 /// pins them at compile time so a breaking edit fails `cargo test`
644 /// rather than only `kanade job create` at deploy time.
645 #[test]
646 fn example_check_job_yamls_parse_and_validate() {
647 let jobs = [
648 (
649 "check-bitlocker",
650 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
651 ),
652 (
653 "check-av-signature",
654 include_str!("../../../configs/jobs/check-av-signature.yaml"),
655 ),
656 (
657 "check-cert-expiry",
658 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
659 ),
660 ];
661 for (name, yaml) in jobs {
662 let m: Manifest =
663 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
664 m.validate()
665 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
666 let check = m
667 .check
668 .as_ref()
669 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
670 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
671 // These three examples all read admin-only WMI namespaces,
672 // so they run_as system. NOTE: that's a property of these
673 // particular checks, NOT of the `check:` contract — a check
674 // probing user-session state could legitimately run_as user.
675 assert_eq!(
676 m.execute.run_as,
677 RunAs::System,
678 "{name} should run_as system"
679 );
680 }
681 }
682
683 /// The example user-invokable job YAMLs (#291) shipped under
684 /// `configs/jobs/` must stay valid as the `client:` schema
685 /// evolves. `include_str!` pins them at compile time so a breaking
686 /// edit fails `cargo test`, not `kanade job create` at deploy.
687 #[test]
688 fn example_client_job_yamls_parse_and_validate() {
689 let jobs = [
690 (
691 "fix-teams-cache",
692 JobCategory::Troubleshoot,
693 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
694 ),
695 (
696 "chrome-update",
697 JobCategory::SoftwareUpdate,
698 include_str!("../../../configs/jobs/chrome-update.yaml"),
699 ),
700 (
701 "install-slack",
702 JobCategory::Catalog,
703 include_str!("../../../configs/jobs/install-slack.yaml"),
704 ),
705 ];
706 for (id, category, yaml) in jobs {
707 let m: Manifest =
708 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
709 m.validate()
710 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
711 assert_eq!(m.id, id, "{id} id mismatch");
712 let client = m
713 .client
714 .as_ref()
715 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
716 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
717 assert_eq!(client.category, category, "{id} category");
718 }
719 }
720
721 #[test]
722 fn example_check_schedule_yamls_parse_and_validate() {
723 let schedules = [
724 (
725 "check-bitlocker",
726 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
727 ),
728 (
729 "check-av-signature",
730 include_str!("../../../configs/schedules/check-av-signature.yaml"),
731 ),
732 (
733 "check-cert-expiry",
734 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
735 ),
736 ];
737 for (name, yaml) in schedules {
738 let s: Schedule =
739 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
740 s.validate()
741 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
742 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
743 }
744 }
745
746 #[test]
747 fn target_is_specified_requires_at_least_one_field() {
748 let empty = Target::default();
749 assert!(!empty.is_specified());
750
751 let with_all = Target {
752 all: true,
753 ..Target::default()
754 };
755 assert!(with_all.is_specified());
756
757 let with_groups = Target {
758 groups: vec!["canary".into()],
759 ..Target::default()
760 };
761 assert!(with_groups.is_specified());
762
763 let with_pcs = Target {
764 pcs: vec!["pc-01".into()],
765 ..Target::default()
766 };
767 assert!(with_pcs.is_specified());
768 }
769
770 #[test]
771 fn manifest_deserialises_minimal_yaml() {
772 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
773 // — those live on the schedule / exec request now.
774 let yaml = r#"
775id: echo-test
776version: 0.0.1
777execute:
778 shell: powershell
779 script: "echo 'kanade'"
780 timeout: 30s
781"#;
782 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
783 assert_eq!(m.id, "echo-test");
784 assert_eq!(m.version, "0.0.1");
785 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
786 assert_eq!(
787 m.execute.script.as_deref().map(str::trim),
788 Some("echo 'kanade'")
789 );
790 assert!(m.execute.script_file.is_none());
791 assert!(m.execute.script_object.is_none());
792 assert_eq!(m.execute.timeout, "30s");
793 assert!(!m.require_approval);
794 m.validate()
795 .expect("inline-script manifest passes validation");
796 }
797
798 #[test]
799 fn manifest_parses_check_job_and_validates() {
800 // An operator-defined health check (#290): a `check:` hint +
801 // a PowerShell script that prints {status, detail}.
802 let yaml = r#"
803id: check-bitlocker
804version: 0.1.0
805execute:
806 shell: powershell
807 run_as: system
808 timeout: 15s
809 script: |
810 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
811check:
812 name: bitlocker
813 troubleshoot: fix-bitlocker
814"#;
815 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
816 let check = m.check.as_ref().expect("check hint present");
817 assert_eq!(check.name, "bitlocker");
818 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
819 // Field names default to the conventional "status" / "detail".
820 assert_eq!(check.status_field, "status");
821 assert_eq!(check.detail_field, "detail");
822 assert!(m.inventory.is_none() && m.emit.is_none());
823 m.validate().expect("check-only manifest passes validation");
824 }
825
826 #[test]
827 fn manifest_check_defaults_and_custom_fields() {
828 // Minimal: only `name`; status/detail fields default.
829 let m: Manifest = serde_yaml::from_str(
830 r#"
831id: check-disk
832version: 0.1.0
833execute:
834 shell: powershell
835 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
836 timeout: 10s
837check:
838 name: disk_free
839"#,
840 )
841 .expect("parse");
842 let c = m.check.as_ref().unwrap();
843 assert_eq!(c.name, "disk_free");
844 assert_eq!(c.status_field, "status");
845 assert_eq!(c.detail_field, "detail");
846 assert!(c.troubleshoot.is_none());
847 m.validate().expect("validates");
848
849 // The operator can point status/detail at any field of their
850 // free-form inventory object.
851 let m2: Manifest = serde_yaml::from_str(
852 r#"
853id: check-custom
854version: 0.1.0
855execute:
856 shell: powershell
857 script: "echo x"
858 timeout: 10s
859check:
860 name: patch_level
861 status_field: compliance
862 detail_field: summary
863"#,
864 )
865 .expect("parse");
866 let c2 = m2.check.as_ref().unwrap();
867 assert_eq!(c2.status_field, "compliance");
868 assert_eq!(c2.detail_field, "summary");
869 }
870
871 #[test]
872 fn manifest_allows_check_composed_with_inventory() {
873 // `check:` + `inventory:` COMPOSE on the same stdout object:
874 // status/detail → Health tab, the rest → SPA projection +
875 // explode sub-tables. Must pass validation.
876 let yaml = r#"
877id: check-bitlocker-detailed
878version: 0.1.0
879execute:
880 shell: powershell
881 script: "echo x"
882 timeout: 10s
883check:
884 name: bitlocker
885inventory:
886 display:
887 - { field: status, label: Status }
888"#;
889 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
890 assert!(m.check.is_some() && m.inventory.is_some());
891 m.validate().expect("check + inventory compose");
892 }
893
894 #[test]
895 fn manifest_rejects_check_combined_with_emit() {
896 // `emit:` stdout is NDJSON (and omitted from the result), so
897 // it can't pair with `check:` (which needs a single JSON
898 // object on stdout).
899 let yaml = r#"
900id: bad-mix
901version: 0.1.0
902execute:
903 shell: powershell
904 script: "echo x"
905 timeout: 10s
906check:
907 name: bitlocker
908emit:
909 type: events
910"#;
911 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
912 let err = m.validate().expect_err("emit + check must fail");
913 assert!(err.contains("incompatible"), "err: {err}");
914 }
915
916 #[test]
917 fn manifest_rejects_emit_combined_with_inventory() {
918 // The other half of the emit-incompatibility condition.
919 let yaml = r#"
920id: bad-mix-2
921version: 0.1.0
922execute:
923 shell: powershell
924 script: "echo x"
925 timeout: 10s
926emit:
927 type: events
928inventory:
929 display:
930 - { field: status, label: Status }
931"#;
932 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
933 let err = m.validate().expect_err("emit + inventory must fail");
934 assert!(err.contains("incompatible"), "err: {err}");
935 }
936
937 #[test]
938 fn manifest_rejects_empty_check_field_names() {
939 // Empty name / status_field / detail_field are invisible
940 // runtime bugs (empty React key, agent reads the wrong field)
941 // — reject them even though serde supplies non-empty defaults.
942 let base = |inner: &str| {
943 format!(
944 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
945 )
946 };
947 for inner in [
948 " name: \"\"\n",
949 " name: ok\n status_field: \"\"\n",
950 " name: ok\n detail_field: \" \"\n",
951 // present-but-blank troubleshoot → broken remediation id.
952 " name: ok\n troubleshoot: \" \"\n",
953 ] {
954 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
955 let err = m.validate().expect_err("empty field must fail");
956 assert!(err.contains("must not be empty"), "err: {err}");
957 }
958 }
959
960 #[test]
961 fn manifest_client_absent_by_default() {
962 // A plain operator job (the overwhelming majority) carries no
963 // `client:` block, so it never surfaces in the end-user
964 // catalog.
965 let yaml = r#"
966id: echo-test
967version: 0.0.1
968execute:
969 shell: powershell
970 script: "echo 'kanade'"
971 timeout: 30s
972"#;
973 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
974 assert!(m.client.is_none());
975 m.validate().expect("operator-only job validates");
976 }
977
978 #[test]
979 fn manifest_client_parses_and_validates() {
980 // The Client App "困ったとき" remediation job shape: a
981 // user-invokable troubleshoot job with the end-user fields the
982 // KLP `jobs.list` wire needs, grouped under `client:`.
983 let yaml = r#"
984id: fix-teams-cache
985version: 1.0.0
986execute:
987 shell: powershell
988 script: "echo clearing"
989 timeout: 60s
990client:
991 name: "Teams のキャッシュをクリア"
992 description: "Teams が重いときに試してください"
993 category: troubleshoot
994 icon: brush-cleaning
995"#;
996 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
997 let c = m.client.as_ref().expect("client block present");
998 assert_eq!(c.name, "Teams のキャッシュをクリア");
999 assert_eq!(
1000 c.description.as_deref(),
1001 Some("Teams が重いときに試してください")
1002 );
1003 assert_eq!(c.category, JobCategory::Troubleshoot);
1004 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
1005 m.validate().expect("user-invokable job validates");
1006 }
1007
1008 #[test]
1009 fn manifest_client_minimal_only_name_and_category() {
1010 // description + icon are optional; name + category are the
1011 // serde-required minimum.
1012 let yaml = r#"
1013id: install-slack
1014version: 1.0.0
1015execute:
1016 shell: powershell
1017 script: "echo install"
1018 timeout: 600s
1019client:
1020 name: Slack
1021 category: catalog
1022"#;
1023 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1024 let c = m.client.as_ref().expect("client present");
1025 assert_eq!(c.category, JobCategory::Catalog);
1026 assert!(c.description.is_none() && c.icon.is_none());
1027 m.validate().expect("minimal client validates");
1028 }
1029
1030 #[test]
1031 fn manifest_client_rejects_blank_name() {
1032 // serde guarantees `name`/`category` are present; the one gap
1033 // is a present-but-blank name → empty catalog row title.
1034 let yaml = r#"
1035id: j
1036version: 1.0.0
1037execute:
1038 shell: powershell
1039 script: "echo x"
1040 timeout: 30s
1041client:
1042 name: " "
1043 category: catalog
1044"#;
1045 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1046 let err = m.validate().expect_err("blank name must fail");
1047 assert!(err.contains("client.name"), "err: {err}");
1048 }
1049
1050 #[test]
1051 fn manifest_client_rejects_blank_optional_fields() {
1052 // description / icon are optional, but a present-but-blank
1053 // value is a bug (empty subtitle / dangling icon name) — reject
1054 // it, mirroring the check: block's troubleshoot guard.
1055 for (field, line) in [
1056 ("client.description", " description: \" \"\n"),
1057 ("client.icon", " icon: \"\"\n"),
1058 ] {
1059 let yaml = format!(
1060 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
1061 );
1062 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1063 let err = m.validate().expect_err("blank optional field must fail");
1064 assert!(err.contains(field), "expected {field} in err: {err}");
1065 }
1066 }
1067
1068 #[test]
1069 fn manifest_client_requires_category_at_parse() {
1070 // A `client:` block missing `category` is a hard parse error
1071 // (serde required field) — no manual validate() needed.
1072 let yaml = r#"
1073id: j
1074version: 1.0.0
1075execute:
1076 shell: powershell
1077 script: "echo x"
1078 timeout: 30s
1079client:
1080 name: "A job"
1081"#;
1082 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
1083 assert!(
1084 r.is_err(),
1085 "missing category must be a parse error, got {r:?}"
1086 );
1087 }
1088
1089 #[test]
1090 fn manifest_client_rejects_unknown_field() {
1091 // `deny_unknown_fields` on ClientHint catches a fat-fingered
1092 // `displayname:` instead of silently dropping it.
1093 let yaml = r#"
1094id: j
1095version: 1.0.0
1096execute:
1097 shell: powershell
1098 script: "echo x"
1099 timeout: 30s
1100client:
1101 name: "A job"
1102 category: catalog
1103 displayname: oops
1104"#;
1105 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
1106 assert!(
1107 r.is_err(),
1108 "unknown client field must be a parse error, got {r:?}"
1109 );
1110 }
1111
1112 fn execute_with(
1113 script: Option<&str>,
1114 script_file: Option<&str>,
1115 script_object: Option<&str>,
1116 ) -> Execute {
1117 Execute {
1118 shell: ExecuteShell::Powershell,
1119 script: script.map(str::to_owned),
1120 script_file: script_file.map(str::to_owned),
1121 script_object: script_object.map(str::to_owned),
1122 timeout: "30s".into(),
1123 run_as: RunAs::default(),
1124 cwd: None,
1125 }
1126 }
1127
1128 #[test]
1129 fn validate_accepts_inline_script() {
1130 let e = execute_with(Some("echo hi"), None, None);
1131 assert!(e.validate_script_source().is_ok());
1132 }
1133
1134 #[test]
1135 fn validate_accepts_script_file_alone() {
1136 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
1137 assert!(e.validate_script_source().is_ok());
1138 }
1139
1140 #[test]
1141 fn validate_accepts_script_object_alone() {
1142 let e = execute_with(None, None, Some("cleanup/1.0.0"));
1143 assert!(e.validate_script_source().is_ok());
1144 }
1145
1146 #[test]
1147 fn validate_treats_empty_inline_script_as_unset() {
1148 // `script: ""` + `script_object` set is the natural shape
1149 // when an operator comments out the YAML block-scalar body
1150 // but leaves the key. Should pass.
1151 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
1152 assert!(e.validate_script_source().is_ok());
1153 }
1154
1155 #[test]
1156 fn validate_rejects_zero_sources() {
1157 let e = execute_with(None, None, None);
1158 let err = e.validate_script_source().unwrap_err();
1159 assert!(err.contains("must be set"), "got: {err}");
1160 }
1161
1162 #[test]
1163 fn validate_rejects_empty_inline_only() {
1164 let e = execute_with(Some(""), None, None);
1165 let err = e.validate_script_source().unwrap_err();
1166 assert!(err.contains("must be set"), "got: {err}");
1167 }
1168
1169 #[test]
1170 fn validate_rejects_inline_plus_file() {
1171 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
1172 let err = e.validate_script_source().unwrap_err();
1173 assert!(err.contains("only one of"), "got: {err}");
1174 }
1175
1176 #[test]
1177 fn validate_rejects_inline_plus_object() {
1178 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
1179 let err = e.validate_script_source().unwrap_err();
1180 assert!(err.contains("only one of"), "got: {err}");
1181 }
1182
1183 #[test]
1184 fn validate_rejects_file_plus_object() {
1185 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
1186 let err = e.validate_script_source().unwrap_err();
1187 assert!(err.contains("only one of"), "got: {err}");
1188 }
1189
1190 #[test]
1191 fn validate_rejects_all_three() {
1192 let e = execute_with(
1193 Some("echo hi"),
1194 Some("scripts/cleanup.ps1"),
1195 Some("cleanup/1.0.0"),
1196 );
1197 let err = e.validate_script_source().unwrap_err();
1198 assert!(err.contains("only one of"), "got: {err}");
1199 }
1200
1201 #[test]
1202 fn manifest_deserialises_script_object_yaml() {
1203 // SPEC §2.4.1 example shape with the Object Store
1204 // reference picked over inline.
1205 let yaml = r#"
1206id: cleanup-disk-temp
1207version: 1.0.1
1208execute:
1209 shell: powershell
1210 script_object: cleanup-disk-temp/1.0.1
1211 timeout: 600s
1212"#;
1213 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1214 assert_eq!(
1215 m.execute.script_object.as_deref(),
1216 Some("cleanup-disk-temp/1.0.1")
1217 );
1218 assert!(m.execute.script.is_none());
1219 m.validate()
1220 .expect("script_object-only manifest passes validation");
1221 }
1222
1223 #[test]
1224 fn manifest_rejects_typo_in_script_field_name() {
1225 // `deny_unknown_fields` on Execute catches `script_objectt`
1226 // and similar fat-fingers at parse time instead of letting
1227 // them silently fall through to "all three unset".
1228 let yaml = r#"
1229id: typo
1230version: 1.0.0
1231execute:
1232 shell: powershell
1233 script_objectt: oops
1234 timeout: 30s
1235"#;
1236 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
1237 assert!(r.is_err(), "expected parse error, got {r:?}");
1238 }
1239
1240 #[test]
1241 fn schedule_carries_target_and_rollout() {
1242 let yaml = r#"
1243id: hourly-cleanup-canary
1244when:
1245 per_pc: { every: 1h }
1246job_id: cleanup
1247enabled: true
1248target:
1249 groups: [canary, wave1]
1250jitter: 30s
1251rollout:
1252 strategy: wave
1253 waves:
1254 - { group: canary, delay: 0s }
1255 - { group: wave1, delay: 5s }
1256"#;
1257 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1258 assert_eq!(s.id, "hourly-cleanup-canary");
1259 assert_eq!(s.job_id, "cleanup");
1260 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
1261 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
1262 let rollout = s.plan.rollout.expect("rollout present");
1263 assert_eq!(rollout.waves.len(), 2);
1264 assert_eq!(rollout.waves[0].group, "canary");
1265 assert_eq!(rollout.waves[1].delay, "5s");
1266 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
1267 }
1268
1269 #[test]
1270 fn schedule_minimal_target_all() {
1271 let yaml = r#"
1272id: kitting
1273when:
1274 per_pc: once
1275enabled: true
1276job_id: scheduled-echo
1277target: { all: true }
1278"#;
1279 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1280 assert_eq!(s.id, "kitting");
1281 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
1282 assert!(s.enabled);
1283 assert_eq!(s.job_id, "scheduled-echo");
1284 assert!(s.plan.target.all);
1285 assert!(s.plan.rollout.is_none());
1286 assert!(s.plan.jitter.is_none());
1287 assert!(s.active.is_empty());
1288 }
1289
1290 #[test]
1291 fn schedule_enabled_defaults_to_true() {
1292 let yaml = r#"
1293id: x
1294when:
1295 per_pc: once
1296job_id: y
1297target: { all: true }
1298"#;
1299 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1300 assert!(s.enabled);
1301 }
1302
1303 // ---- `when` parsing (#418 Phase 1) ----
1304
1305 fn schedule_yaml_with(when_block: &str) -> String {
1306 format!(
1307 r#"
1308id: x
1309when:
1310{when_block}
1311job_id: y
1312target: {{ all: true }}
1313"#
1314 )
1315 }
1316
1317 #[test]
1318 fn when_per_pc_every_parses_unquoted_humantime() {
1319 // `6h` is digit-led but non-numeric → YAML string, same as
1320 // the old `cooldown: 6h` convention. No quotes needed.
1321 let s: Schedule =
1322 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
1323 assert_eq!(
1324 s.when,
1325 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
1326 );
1327 }
1328
1329 #[test]
1330 fn when_per_target_every_parses() {
1331 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
1332 .expect("parse");
1333 assert_eq!(
1334 s.when,
1335 When::PerTarget(PerPolicy::Every(EverySpec {
1336 every: "24h".into()
1337 }))
1338 );
1339 }
1340
1341 #[test]
1342 fn when_per_target_once_parses() {
1343 // Falls out of the shared PerPolicy shape and decide_fire
1344 // already implements it ("any one pc succeeds → skip the
1345 // target forever"), so it is allowed, not rejected.
1346 let s: Schedule =
1347 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
1348 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
1349 }
1350
1351 #[test]
1352 fn when_calendar_time_parses() {
1353 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
1354 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
1355 ))
1356 .expect("parse");
1357 match &s.when {
1358 When::Calendar(c) => {
1359 assert_eq!(c.at, "09:00");
1360 assert_eq!(c.days, vec!["mon-fri"]);
1361 }
1362 other => panic!("expected calendar, got {other:?}"),
1363 }
1364 }
1365
1366 #[test]
1367 fn when_calendar_days_default_empty() {
1368 let s: Schedule =
1369 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
1370 .expect("parse");
1371 match &s.when {
1372 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
1373 other => panic!("expected calendar, got {other:?}"),
1374 }
1375 }
1376
1377 #[test]
1378 fn when_calendar_datetime_parses_all_separators() {
1379 // one-shot: date+time in hyphen / ISO-T / slash forms
1380 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
1381 let block = format!(" calendar:\n at: \"{at}\"");
1382 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
1383 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
1384 match &s.when {
1385 When::Calendar(c) => {
1386 use chrono::Datelike;
1387 let p = c.parse_at().expect("parse_at");
1388 let d = p.date.expect("datetime at carries a date");
1389 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
1390 }
1391 other => panic!("expected calendar, got {other:?}"),
1392 }
1393 }
1394 }
1395
1396 #[test]
1397 fn when_rejects_bad_once_keyword() {
1398 // `onec` must be a parse error, not a silently-absorbed
1399 // string (OnceLiteral is a single-variant enum for exactly
1400 // this reason).
1401 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
1402 assert!(r.is_err(), "expected parse error, got {r:?}");
1403 }
1404
1405 #[test]
1406 fn when_rejects_unknown_key_in_every() {
1407 // EverySpec is deny_unknown_fields so `evry:` typos fail
1408 // even under the untagged PerPolicy.
1409 let r: Result<Schedule, _> =
1410 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
1411 assert!(r.is_err(), "expected parse error, got {r:?}");
1412 }
1413
1414 #[test]
1415 fn when_rejects_unknown_variant() {
1416 let r: Result<Schedule, _> =
1417 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
1418 assert!(r.is_err(), "expected parse error, got {r:?}");
1419 }
1420
1421 #[test]
1422 fn when_rejects_old_top_level_cron_field() {
1423 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
1424 // loudly (missing `when`), which is what turns stale KV
1425 // blobs into warn-skips after the upgrade.
1426 let yaml = r#"
1427id: x
1428cron: "* * * * * *"
1429job_id: y
1430target: { all: true }
1431"#;
1432 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
1433 assert!(r.is_err(), "expected parse error, got {r:?}");
1434 }
1435
1436 #[test]
1437 fn when_rejects_retired_cron_escape_hatch() {
1438 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
1439 // is now an unknown variant → parse error (operators use the
1440 // calendar form instead).
1441 let r: Result<Schedule, _> =
1442 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
1443 assert!(
1444 r.is_err(),
1445 "expected parse error for retired cron, got {r:?}"
1446 );
1447 }
1448
1449 #[test]
1450 fn when_round_trips_json_and_yaml() {
1451 // Round-trip through the full Schedule: that is the wire
1452 // unit for both stores (JSON catalog KV + YAML mirror), and
1453 // it exercises the singleton_map field attribute that keeps
1454 // serde_yaml on the map shape instead of `!per_pc` tags.
1455 for when in [
1456 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1457 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1458 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1459 When::PerTarget(PerPolicy::Every(EverySpec {
1460 every: "24h".into(),
1461 })),
1462 calendar("09:00", &["mon-fri"]),
1463 calendar("2026-06-10 09:00", &[]),
1464 ] {
1465 let s = schedule_with(when.clone(), RunsOn::Backend);
1466
1467 let json = serde_json::to_string(&s).expect("json serialise");
1468 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
1469 assert_eq!(back.when, when, "json round-trip for {when}");
1470
1471 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
1472 assert!(
1473 !yaml.contains('!'),
1474 "yaml must use the map shape, not tags: {yaml}"
1475 );
1476 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
1477 assert_eq!(back.when, when, "yaml round-trip for {when}");
1478 }
1479 }
1480
1481 #[test]
1482 fn when_once_serialises_as_bare_keyword() {
1483 // The wire shape operators see in the YAML mirror must stay
1484 // the ergonomic `per_pc: once`, not a one-variant map.
1485 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
1486 .expect("serialise");
1487 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
1488 }
1489
1490 #[test]
1491 fn when_displays_operator_summary() {
1492 for (when, expected) in [
1493 (
1494 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1495 "per_pc once",
1496 ),
1497 (
1498 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1499 "per_pc every 6h",
1500 ),
1501 (
1502 When::PerTarget(PerPolicy::Every(EverySpec {
1503 every: "24h".into(),
1504 })),
1505 "per_target every 24h",
1506 ),
1507 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
1508 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
1509 ] {
1510 assert_eq!(when.to_string(), expected);
1511 }
1512 }
1513
1514 // ---- lowering (#418: when → engine vocabulary) ----
1515
1516 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
1517 Schedule {
1518 id: "x".into(),
1519 when,
1520 job_id: "y".into(),
1521 plan: FanoutPlan::default(),
1522 active: Active::default(),
1523 constraints: Constraints::default(),
1524 on_failure: OnFailure::default(),
1525 tz: ScheduleTz::default(),
1526 starting_deadline: None,
1527 runs_on,
1528 enabled: true,
1529 }
1530 }
1531
1532 fn calendar(at: &str, days: &[&str]) -> When {
1533 When::Calendar(CalendarSpec {
1534 at: at.into(),
1535 days: days.iter().map(|d| (*d).to_string()).collect(),
1536 })
1537 }
1538
1539 #[test]
1540 fn lowering_matches_the_418_table() {
1541 let cases = [
1542 (
1543 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1544 (POLL_CRON, ExecMode::OncePerPc, None),
1545 ),
1546 (
1547 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1548 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
1549 ),
1550 (
1551 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1552 (POLL_CRON, ExecMode::OncePerTarget, None),
1553 ),
1554 (
1555 When::PerTarget(PerPolicy::Every(EverySpec {
1556 every: "24h".into(),
1557 })),
1558 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
1559 ),
1560 // calendar repeating → 6-field cron
1561 (
1562 calendar("09:00", &["mon-fri"]),
1563 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
1564 ),
1565 // calendar daily (no days) → DOW *
1566 (
1567 calendar("18:30", &[]),
1568 ("0 30 18 * * *", ExecMode::EveryTick, None),
1569 ),
1570 // calendar one-shot → 7-field year cron
1571 (
1572 calendar("2026-06-10 09:00", &[]),
1573 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
1574 ),
1575 ];
1576 for (when, (cron, mode, cooldown)) in cases {
1577 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
1578 assert_eq!(l.cron, cron, "cron for {when}");
1579 assert_eq!(l.mode, mode, "mode for {when}");
1580 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
1581 }
1582 }
1583
1584 #[test]
1585 fn lowered_carries_schedule_tz() {
1586 for (tz, want) in [
1587 (ScheduleTz::Local, ScheduleTz::Local),
1588 (ScheduleTz::Utc, ScheduleTz::Utc),
1589 ] {
1590 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
1591 s.tz = tz;
1592 assert_eq!(s.lowered().tz, want, "calendar carries tz");
1593 // reconcile shapes carry tz too (for the active-window check)
1594 let mut s = schedule_with(
1595 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1596 RunsOn::Backend,
1597 );
1598 s.tz = tz;
1599 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
1600 }
1601 }
1602
1603 #[test]
1604 fn poll_cron_is_accepted_by_the_engine_parser() {
1605 // POLL_CRON is system-generated — if the engine's parser
1606 // ever rejected it every reconcile schedule would die at
1607 // register time. Validate it with the same croner config
1608 // (Seconds::Required, dom_and_dow, year optional).
1609 croner::parser::CronParser::builder()
1610 .seconds(croner::parser::Seconds::Required)
1611 .dom_and_dow(true)
1612 .build()
1613 .parse(POLL_CRON)
1614 .expect("POLL_CRON must parse");
1615 }
1616
1617 // ---- Schedule::validate() (#418 decision F) ----
1618
1619 #[test]
1620 fn validate_accepts_reconcile_shapes() {
1621 for when in [
1622 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1623 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1624 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1625 When::PerTarget(PerPolicy::Every(EverySpec {
1626 every: "24h".into(),
1627 })),
1628 ] {
1629 schedule_with(when.clone(), RunsOn::Backend)
1630 .validate()
1631 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
1632 }
1633 }
1634
1635 #[test]
1636 fn validate_accepts_per_pc_on_agent() {
1637 schedule_with(
1638 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
1639 RunsOn::Agent,
1640 )
1641 .validate()
1642 .expect("per_pc + agent is the offline-inventory shape");
1643 }
1644
1645 #[test]
1646 fn validate_rejects_per_target_on_agent() {
1647 let err = schedule_with(
1648 When::PerTarget(PerPolicy::Every(EverySpec {
1649 every: "24h".into(),
1650 })),
1651 RunsOn::Agent,
1652 )
1653 .validate()
1654 .unwrap_err();
1655 assert!(err.contains("per_target"), "got: {err}");
1656 assert!(err.contains("runs_on: agent"), "got: {err}");
1657
1658 // per_target: once is also backend-only.
1659 let err = schedule_with(
1660 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1661 RunsOn::Agent,
1662 )
1663 .validate()
1664 .unwrap_err();
1665 assert!(err.contains("per_target"), "got (once): {err}");
1666 assert!(err.contains("runs_on: agent"), "got (once): {err}");
1667 }
1668
1669 #[test]
1670 fn validate_rejects_bad_every_duration() {
1671 let err = schedule_with(
1672 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
1673 RunsOn::Backend,
1674 )
1675 .validate()
1676 .unwrap_err();
1677 assert!(err.contains("when.every"), "got: {err}");
1678 }
1679
1680 #[test]
1681 fn validate_rejects_bad_jitter_and_starting_deadline() {
1682 let mut s = schedule_with(
1683 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1684 RunsOn::Backend,
1685 );
1686 s.plan.jitter = Some("5x".into());
1687 let err = s.validate().unwrap_err();
1688 assert!(err.contains("jitter"), "got: {err}");
1689
1690 let mut s = schedule_with(
1691 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1692 RunsOn::Backend,
1693 );
1694 s.starting_deadline = Some("soon".into());
1695 let err = s.validate().unwrap_err();
1696 assert!(err.contains("starting_deadline"), "got: {err}");
1697 }
1698
1699 #[test]
1700 fn validate_accepts_calendar_shapes() {
1701 for when in [
1702 calendar("09:00", &["mon-fri"]), // weekday morning
1703 calendar("00:00", &["sun"]), // weekly
1704 calendar("18:30", &[]), // daily
1705 calendar("2026-06-10 09:00", &[]), // one-shot
1706 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
1707 ] {
1708 schedule_with(when.clone(), RunsOn::Backend)
1709 .validate()
1710 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
1711 }
1712 }
1713
1714 #[test]
1715 fn validate_rejects_bad_at() {
1716 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
1717 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
1718 .validate()
1719 .unwrap_err();
1720 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
1721 }
1722 }
1723
1724 #[test]
1725 fn validate_rejects_datetime_at_with_days() {
1726 // A dated `at` is a one-shot — pairing it with days is a
1727 // contradiction (the date already pins the day).
1728 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
1729 .validate()
1730 .unwrap_err();
1731 assert!(
1732 err.contains("one-shot") && err.contains("days"),
1733 "got: {err}"
1734 );
1735 }
1736
1737 #[test]
1738 fn validate_rejects_bad_day_name() {
1739 // A garbage DOW token is caught by the days pre-flight and
1740 // reported against `when.days`, not the confusing
1741 // "when.at lowered to invalid cron" (claude #432 review).
1742 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
1743 .validate()
1744 .unwrap_err();
1745 assert!(err.contains("when.days"), "got: {err}");
1746 assert!(err.contains("funday"), "names the bad token: {err}");
1747 // a degenerate range like `mon-` reports the whole token, not
1748 // a cryptic empty part (claude #432 follow-up)
1749 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
1750 .validate()
1751 .unwrap_err();
1752 assert!(err.contains("'mon-'"), "names the whole token: {err}");
1753 // valid names / ranges / numeric / * all pass
1754 for ok in [
1755 calendar("09:00", &["mon-fri"]),
1756 calendar("09:00", &["mon", "wed", "sun"]),
1757 calendar("09:00", &["1-5"]),
1758 ] {
1759 schedule_with(ok.clone(), RunsOn::Backend)
1760 .validate()
1761 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
1762 }
1763 }
1764
1765 #[test]
1766 fn validate_accepts_nth_weekday() {
1767 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
1768 // a cron and parses it with croner, so passing here proves the
1769 // whole chain — token → DOW field → engine-acceptable cron.
1770 for ok in [
1771 calendar("09:00", &["tue#2"]), // 2nd Tuesday
1772 calendar("09:00", &["fri#1"]), // 1st Friday
1773 calendar("03:00", &["sun#5"]), // 5th Sunday
1774 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
1775 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
1776 // Case-insensitive both sides: validate lowercases, croner
1777 // upper-cases the whole pattern before aliasing (claude #547).
1778 calendar("09:00", &["TUE#2"]),
1779 ] {
1780 schedule_with(ok.clone(), RunsOn::Backend)
1781 .validate()
1782 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
1783 }
1784 }
1785
1786 #[test]
1787 fn validate_rejects_bad_nth_weekday() {
1788 // ordinal out of 1..5, a range with #, and a bad day before #.
1789 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
1790 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
1791 .validate()
1792 .unwrap_err();
1793 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
1794 }
1795 }
1796
1797 #[test]
1798 fn calendar_oneshot_instant_detects_past() {
1799 use chrono::TimeZone;
1800 // a dated `at` resolves to an absolute instant…
1801 let c = CalendarSpec {
1802 at: "2024-01-01 09:00".into(),
1803 days: vec![],
1804 };
1805 let t = c
1806 .oneshot_instant(ScheduleTz::Utc)
1807 .expect("one-shot instant");
1808 assert_eq!(
1809 t,
1810 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
1811 );
1812 assert!(t < chrono::Utc::now(), "2024 is in the past");
1813 // …while a repeating (time-only) calendar has no instant
1814 let rep = CalendarSpec {
1815 at: "09:00".into(),
1816 days: vec!["mon-fri".into()],
1817 };
1818 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
1819 }
1820
1821 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
1822 let mut s = schedule_with(
1823 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1824 RunsOn::Backend,
1825 );
1826 s.active = Active {
1827 from: from.map(str::to_owned),
1828 until: until.map(str::to_owned),
1829 };
1830 s
1831 }
1832
1833 #[test]
1834 fn validate_accepts_active_window() {
1835 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
1836 .validate()
1837 .expect("date + rfc3339 bounds should validate");
1838 }
1839
1840 #[test]
1841 fn validate_rejects_unparseable_active_bound() {
1842 let err = schedule_with_active(Some("July 1st"), None)
1843 .validate()
1844 .unwrap_err();
1845 assert!(err.contains("active"), "got: {err}");
1846 }
1847
1848 #[test]
1849 fn validate_rejects_from_not_before_until() {
1850 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
1851 .validate()
1852 .unwrap_err();
1853 assert!(err.contains("strictly before"), "got: {err}");
1854
1855 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
1856 .validate()
1857 .unwrap_err();
1858 assert!(err.contains("strictly before"), "got: {err}");
1859 }
1860
1861 // ---- Active window semantics ----
1862
1863 #[test]
1864 fn active_window_is_half_open() {
1865 use chrono::TimeZone;
1866 let active = Active {
1867 from: Some("2026-07-01".into()),
1868 until: Some("2026-08-01".into()),
1869 };
1870 // UTC tz so the date bounds are UTC midnight.
1871 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
1872 let c = |t| active.contains(t, ScheduleTz::Utc);
1873 assert!(!c(at(2026, 6, 30, 23)), "before from");
1874 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
1875 assert!(c(at(2026, 7, 15, 12)), "inside");
1876 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
1877 assert!(!c(at(2026, 8, 2, 0)), "after until");
1878 }
1879
1880 #[test]
1881 fn active_empty_window_is_always_active() {
1882 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
1883 }
1884
1885 #[test]
1886 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
1887 use chrono::TimeZone;
1888 let active = Active {
1889 from: Some("2026-07-01T09:00:00+09:00".into()),
1890 until: None,
1891 };
1892 // RFC3339 carries its own offset → tz arg is ignored.
1893 // 09:00 JST = 00:00 UTC.
1894 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
1895 assert!(
1896 !active.contains(
1897 chrono::Utc
1898 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
1899 .unwrap(),
1900 tz
1901 )
1902 );
1903 assert!(active.contains(
1904 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
1905 tz
1906 ));
1907 }
1908 }
1909
1910 #[test]
1911 fn active_date_bound_respects_tz() {
1912 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
1913 // tz* (#418 Phase 2). The UTC interpretation is exact and
1914 // host-independent; assert that precisely.
1915 use chrono::TimeZone;
1916 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
1917 assert_eq!(
1918 utc,
1919 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
1920 );
1921
1922 // The local interpretation must equal what chrono::Local
1923 // computes for the same wall-clock midnight — proves the tz
1924 // path is wired to the host zone (the magnitude vs UTC is
1925 // host-dependent, so we compare against Local directly rather
1926 // than hard-coding the JST offset, keeping CI green on UTC
1927 // runners).
1928 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
1929 let want = chrono::Local
1930 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
1931 .single()
1932 .expect("local midnight is unambiguous")
1933 .with_timezone(&chrono::Utc);
1934 assert_eq!(local, want, "date bound resolved in host-local tz");
1935 }
1936
1937 #[test]
1938 fn active_empty_is_skipped_when_serialising() {
1939 let s = schedule_with(
1940 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1941 RunsOn::Backend,
1942 );
1943 let json = serde_json::to_value(&s).expect("serialise");
1944 assert!(
1945 json.get("active").is_none(),
1946 "empty active must not appear on the wire: {json}"
1947 );
1948 }
1949
1950 // ---- constraints.window (#418 Phase 3) ----
1951
1952 fn with_window(win: &str) -> Schedule {
1953 let mut s = schedule_with(
1954 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1955 RunsOn::Backend,
1956 );
1957 s.constraints.window = Some(win.into());
1958 s
1959 }
1960
1961 #[test]
1962 fn constraints_window_parses_and_round_trips() {
1963 let yaml = r#"
1964id: x
1965when:
1966 per_pc: { every: 6h }
1967job_id: y
1968target: { all: true }
1969constraints:
1970 window: "22:00-05:00"
1971"#;
1972 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1973 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
1974 let back: Schedule =
1975 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
1976 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
1977 }
1978
1979 #[test]
1980 fn constraints_empty_is_skipped_when_serialising() {
1981 let s = schedule_with(
1982 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1983 RunsOn::Backend,
1984 );
1985 let json = serde_json::to_value(&s).expect("serialise");
1986 assert!(
1987 json.get("constraints").is_none(),
1988 "empty constraints must not appear on the wire: {json}"
1989 );
1990 }
1991
1992 #[test]
1993 fn window_no_constraint_always_allows() {
1994 let c = Constraints::default();
1995 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
1996 }
1997
1998 #[test]
1999 fn window_same_day_is_half_open() {
2000 use chrono::TimeZone;
2001 let s = with_window("09:00-17:00");
2002 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2003 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2004 assert!(!a(at(8, 59)), "before start");
2005 assert!(a(at(9, 0)), "at start (inclusive)");
2006 assert!(a(at(16, 59)), "inside");
2007 assert!(!a(at(17, 0)), "at end (exclusive)");
2008 assert!(!a(at(23, 0)), "after end");
2009 }
2010
2011 #[test]
2012 fn window_crossing_midnight() {
2013 use chrono::TimeZone;
2014 let s = with_window("22:00-05:00");
2015 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2016 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2017 assert!(a(at(22, 0)), "at start tonight");
2018 assert!(a(at(23, 30)), "late tonight");
2019 assert!(a(at(3, 0)), "early tomorrow");
2020 assert!(!a(at(5, 0)), "at end (exclusive)");
2021 assert!(!a(at(12, 0)), "midday outside");
2022 assert!(!a(at(21, 59)), "just before start");
2023 }
2024
2025 #[test]
2026 fn window_respects_tz() {
2027 // The same instant is inside the window under one tz and may
2028 // be outside under another. Compare UTC vs Local via the
2029 // host's own offset (kept CI-green on UTC runners like the
2030 // active tz test does).
2031 use chrono::TimeZone;
2032 let s = with_window("09:00-17:00");
2033 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
2034 // Under UTC, 12:00 is inside 09:00-17:00.
2035 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
2036 // Under Local, the verdict tracks the host wall-clock time;
2037 // assert it matches a direct wall_time membership check.
2038 let local_t = noon_utc.with_timezone(&chrono::Local).time();
2039 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
2040 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
2041 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
2042 }
2043
2044 #[test]
2045 fn validate_accepts_good_window() {
2046 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
2047 with_window(w)
2048 .validate()
2049 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
2050 }
2051 }
2052
2053 #[test]
2054 fn validate_rejects_bad_window() {
2055 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
2056 let err = with_window(bad).validate().unwrap_err();
2057 assert!(
2058 err.contains("constraints.window"),
2059 "for '{bad}', got: {err}"
2060 );
2061 }
2062 }
2063
2064 // ---- constraints.max_concurrent (#418) ----
2065
2066 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
2067 let mut s = schedule_with(
2068 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2069 runs_on,
2070 );
2071 s.constraints.max_concurrent = Some(max);
2072 s
2073 }
2074
2075 #[test]
2076 fn validate_accepts_backend_max_concurrent() {
2077 with_max_concurrent(5, RunsOn::Backend)
2078 .validate()
2079 .expect("backend max_concurrent should validate");
2080 }
2081
2082 #[test]
2083 fn validate_rejects_max_concurrent_on_agent() {
2084 // Decision E: a central running-instance cap needs a central
2085 // counter, which agents don't have.
2086 let err = with_max_concurrent(5, RunsOn::Agent)
2087 .validate()
2088 .unwrap_err();
2089 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
2090 assert!(err.contains("runs_on: agent"), "got: {err}");
2091 }
2092
2093 #[test]
2094 fn validate_rejects_zero_max_concurrent() {
2095 let err = with_max_concurrent(0, RunsOn::Backend)
2096 .validate()
2097 .unwrap_err();
2098 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
2099 }
2100
2101 #[test]
2102 fn max_concurrent_round_trips_and_skips_when_absent() {
2103 let s = with_max_concurrent(3, RunsOn::Backend);
2104 let json = serde_json::to_value(&s.constraints).expect("ser");
2105 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
2106 // A schedule with no constraints omits the whole block.
2107 let bare = schedule_with(
2108 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2109 RunsOn::Backend,
2110 );
2111 assert!(bare.constraints.is_empty());
2112 }
2113
2114 #[test]
2115 fn window_fail_closed_on_corrupt_blob() {
2116 // A malformed window (only reachable via a hand-edited KV
2117 // blob — validate() rejects it at create) must BLOCK, not
2118 // silently allow fires during a change-freeze (gemini #452).
2119 let s = with_window("22:00_05:00");
2120 assert!(
2121 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
2122 "corrupt window fails closed"
2123 );
2124 // …and the scheduler can surface why it's stuck.
2125 assert!(
2126 s.bad_window().is_some(),
2127 "bad_window reports the parse error"
2128 );
2129 assert!(with_window("22:00-05:00").bad_window().is_none());
2130 }
2131
2132 #[test]
2133 fn calendar_outside_window_is_flagged() {
2134 // at 09:00 can never fall in 22:00-05:00 → never fires.
2135 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
2136 s.constraints.window = Some("22:00-05:00".into());
2137 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
2138
2139 // at 23:00 IS inside the overnight window → fine.
2140 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
2141 s.constraints.window = Some("22:00-05:00".into());
2142 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
2143
2144 // reconcile shapes are never flagged (they poll every minute).
2145 let mut s = schedule_with(
2146 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2147 RunsOn::Backend,
2148 );
2149 s.constraints.window = Some("22:00-05:00".into());
2150 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
2151
2152 // no window → never flagged.
2153 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2154 assert!(!s.calendar_outside_window());
2155 }
2156
2157 // ---- on_failure.retry (#418 Phase 4) ----
2158
2159 fn with_retry(max: u32, backoff: &str) -> Schedule {
2160 let mut s = schedule_with(
2161 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2162 RunsOn::Backend,
2163 );
2164 s.on_failure.retry = Some(Retry {
2165 max,
2166 backoff: backoff.into(),
2167 });
2168 s
2169 }
2170
2171 #[test]
2172 fn on_failure_parses_and_round_trips() {
2173 let yaml = r#"
2174id: x
2175when:
2176 per_pc: { every: 6h }
2177job_id: y
2178target: { all: true }
2179on_failure:
2180 retry: { max: 3, backoff: 10m }
2181"#;
2182 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2183 let r = s.on_failure.retry.as_ref().expect("retry present");
2184 assert_eq!(r.max, 3);
2185 assert_eq!(r.backoff, "10m");
2186 let back: Schedule =
2187 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
2188 assert_eq!(back.on_failure, s.on_failure);
2189 }
2190
2191 #[test]
2192 fn on_failure_empty_is_skipped_when_serialising() {
2193 let s = schedule_with(
2194 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2195 RunsOn::Backend,
2196 );
2197 let json = serde_json::to_value(&s).expect("serialise");
2198 assert!(
2199 json.get("on_failure").is_none(),
2200 "empty on_failure must not appear on the wire: {json}"
2201 );
2202 }
2203
2204 #[test]
2205 fn validate_accepts_good_retry() {
2206 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
2207 with_retry(max, backoff)
2208 .validate()
2209 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
2210 }
2211 }
2212
2213 #[test]
2214 fn validate_rejects_bad_backoff() {
2215 let err = with_retry(3, "soon").validate().unwrap_err();
2216 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
2217 }
2218
2219 #[test]
2220 fn validate_rejects_sub_second_backoff() {
2221 // "500ms" parses as humantime but lowers to 0s on the wire —
2222 // reject it so the operator doesn't get a silent no-wait
2223 // (coderabbit #466).
2224 for bad in ["500ms", "0s", "999ms"] {
2225 let err = with_retry(3, bad).validate().unwrap_err();
2226 assert!(
2227 err.contains("on_failure.retry.backoff must be >= 1s"),
2228 "for '{bad}', got: {err}"
2229 );
2230 }
2231 }
2232
2233 #[test]
2234 fn validate_rejects_out_of_range_max() {
2235 for bad in [0u32, 11, 1000] {
2236 let err = with_retry(bad, "10m").validate().unwrap_err();
2237 assert!(
2238 err.contains("on_failure.retry.max"),
2239 "for max={bad}, got: {err}"
2240 );
2241 }
2242 }
2243
2244 #[test]
2245 fn lowered_retry_reduces_backoff_to_seconds() {
2246 let s = with_retry(3, "10m");
2247 let spec = s.on_failure.lowered_retry().expect("a retry policy");
2248 assert_eq!(spec.max, 3);
2249 assert_eq!(spec.backoff_secs, 600);
2250 }
2251
2252 #[test]
2253 fn lowered_retry_is_none_without_policy() {
2254 let s = schedule_with(
2255 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2256 RunsOn::Backend,
2257 );
2258 assert!(s.on_failure.lowered_retry().is_none());
2259 }
2260
2261 // ---- global change-freeze (#418 Phase 5) ----
2262
2263 #[test]
2264 fn freeze_empty_window_is_always_active() {
2265 // The big-red-button shape: no bounds = frozen until cleared.
2266 let f = Freeze::default();
2267 assert!(f.is_active(chrono::Utc::now()));
2268 }
2269
2270 #[test]
2271 fn freeze_window_is_half_open() {
2272 use chrono::TimeZone;
2273 let f = Freeze {
2274 from: Some("2026-12-20T00:00:00+00:00".into()),
2275 until: Some("2027-01-05T00:00:00+00:00".into()),
2276 reason: Some("year-end".into()),
2277 tz: ScheduleTz::Utc,
2278 };
2279 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
2280 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
2281 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
2282 assert!(f.is_active(at(2026, 12, 31)), "inside window");
2283 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
2284 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
2285 }
2286
2287 #[test]
2288 fn freeze_fails_closed_on_corrupt_bound() {
2289 // A freeze is a safety switch: an unparseable bound (only
2290 // reachable via a hand-edited KV blob) must read as FROZEN, not
2291 // "fire normally" (coderabbit #472) — the opposite of `active`,
2292 // which fail-opens.
2293 let f = Freeze {
2294 from: Some("not-a-date".into()),
2295 until: None,
2296 reason: None,
2297 tz: ScheduleTz::Utc,
2298 };
2299 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
2300 }
2301
2302 #[test]
2303 fn freeze_validate_accepts_good_bounds() {
2304 Freeze {
2305 from: Some("2026-12-20".into()),
2306 until: Some("2027-01-05T12:00:00+09:00".into()),
2307 reason: None,
2308 tz: ScheduleTz::Local,
2309 }
2310 .validate()
2311 .expect("date + rfc3339 bounds should validate");
2312 // Empty (indefinite) freeze is valid.
2313 Freeze::default().validate().expect("empty freeze is valid");
2314 }
2315
2316 #[test]
2317 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
2318 let err = Freeze {
2319 from: Some("never".into()),
2320 ..Default::default()
2321 }
2322 .validate()
2323 .unwrap_err();
2324 assert!(err.contains("freeze:"), "got: {err}");
2325
2326 let inverted = Freeze {
2327 from: Some("2027-01-05".into()),
2328 until: Some("2026-12-20".into()),
2329 ..Default::default()
2330 }
2331 .validate()
2332 .unwrap_err();
2333 assert!(inverted.contains("freeze.from"), "got: {inverted}");
2334 }
2335
2336 #[test]
2337 fn freeze_round_trips_and_skips_empty_fields() {
2338 let f = Freeze {
2339 from: None,
2340 until: Some("2027-01-05".into()),
2341 reason: Some("INC-1234".into()),
2342 tz: ScheduleTz::Utc,
2343 };
2344 let json = serde_json::to_value(&f).expect("serialise");
2345 assert!(json.get("from").is_none(), "empty from omitted: {json}");
2346 let back: Freeze = serde_json::from_value(json).expect("round-trip");
2347 assert_eq!(back, f);
2348 }
2349
2350 #[test]
2351 fn shipped_schedule_configs_parse_and_validate() {
2352 // Every YAML under configs/schedules/ must parse with the
2353 // current Schedule serde AND pass validate() — keeps the
2354 // shipped examples from drifting out of sync with the model
2355 // (#418 removed back-compat, so drift = broken at create).
2356 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
2357 let mut seen = 0;
2358 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
2359 let path = entry.expect("dir entry").path();
2360 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
2361 continue;
2362 }
2363 let body = std::fs::read_to_string(&path).expect("read yaml");
2364 let s: Schedule = serde_yaml::from_str(&body)
2365 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
2366 s.validate()
2367 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
2368 seen += 1;
2369 }
2370 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
2371 }
2372
2373 // ---- pre-existing enum wire formats (unchanged by #418) ----
2374
2375 #[test]
2376 fn exec_mode_serialises_snake_case() {
2377 for (mode, expected) in [
2378 (ExecMode::EveryTick, "every_tick"),
2379 (ExecMode::OncePerPc, "once_per_pc"),
2380 (ExecMode::OncePerTarget, "once_per_target"),
2381 ] {
2382 let s = serde_json::to_value(mode).expect("serialise");
2383 assert_eq!(s, serde_json::Value::String(expected.into()));
2384 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
2385 .expect("deserialise");
2386 assert_eq!(back, mode, "round-trip for {expected}");
2387 }
2388 }
2389
2390 #[test]
2391 fn schedule_runs_on_defaults_to_backend() {
2392 let yaml = r#"
2393id: x
2394when:
2395 per_pc: once
2396job_id: y
2397target: { all: true }
2398"#;
2399 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2400 assert_eq!(s.runs_on, RunsOn::Backend);
2401 }
2402
2403 #[test]
2404 fn schedule_runs_on_agent_parses() {
2405 let yaml = r#"
2406id: offline-inv
2407when:
2408 per_pc: { every: 1h }
2409job_id: inventory-hw
2410target: { all: true }
2411runs_on: agent
2412"#;
2413 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2414 assert_eq!(s.runs_on, RunsOn::Agent);
2415 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
2416 }
2417
2418 #[test]
2419 fn runs_on_serialises_snake_case() {
2420 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
2421 let s = serde_json::to_value(mode).expect("serialise");
2422 assert_eq!(s, serde_json::Value::String(expected.into()));
2423 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
2424 .expect("deserialise");
2425 assert_eq!(back, mode);
2426 }
2427 }
2428
2429 #[test]
2430 fn execute_shell_into_wire_shell() {
2431 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
2432 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
2433 }
2434
2435 #[test]
2436 fn manifest_staleness_defaults_to_cached() {
2437 let yaml = r#"
2438id: x
2439version: 1.0.0
2440execute:
2441 shell: powershell
2442 script: "echo"
2443 timeout: 1s
2444"#;
2445 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2446 assert_eq!(m.staleness, Staleness::Cached);
2447 }
2448
2449 #[test]
2450 fn manifest_strict_staleness_parses() {
2451 let yaml = r#"
2452id: urgent-patch
2453version: 2.5.1
2454execute:
2455 shell: powershell
2456 script: Install-Hotfix
2457 timeout: 5m
2458staleness:
2459 mode: strict
2460 max_cache_age: 0s
2461"#;
2462 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2463 match m.staleness {
2464 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
2465 other => panic!("expected strict, got {other:?}"),
2466 }
2467 }
2468
2469 #[test]
2470 fn manifest_unchecked_staleness_parses() {
2471 let yaml = r#"
2472id: legacy
2473version: 0.1.0
2474execute:
2475 shell: cmd
2476 script: "echo"
2477 timeout: 1s
2478staleness:
2479 mode: unchecked
2480"#;
2481 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2482 assert_eq!(m.staleness, Staleness::Unchecked);
2483 }
2484
2485 #[test]
2486 fn missing_required_field_errors() {
2487 // `id` missing.
2488 let yaml = r#"
2489version: 1.0.0
2490target: { all: true }
2491execute:
2492 shell: powershell
2493 script: "echo"
2494 timeout: 1s
2495"#;
2496 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
2497 assert!(r.is_err(), "expected error, got {:?}", r);
2498 }
2499
2500 #[test]
2501 fn display_field_table_kind_round_trips_with_nested_columns() {
2502 // #39: `type: table` + `columns:` on a DisplayField gets
2503 // round-tripped through serde so the SPA receives the
2504 // nested schema verbatim. Nested columns themselves are
2505 // DisplayFields so they can carry `type: bytes` /
2506 // `type: number` for cell formatting.
2507 let yaml = r#"
2508id: inv-hw
2509version: 1.0.0
2510execute:
2511 shell: powershell
2512 script: "echo"
2513 timeout: 60s
2514inventory:
2515 display:
2516 - field: hostname
2517 label: Hostname
2518 - field: disks
2519 label: Disks
2520 type: table
2521 columns:
2522 - field: device_id
2523 label: Drive
2524 - field: size_bytes
2525 label: Size
2526 type: bytes
2527 - field: free_bytes
2528 label: Free
2529 type: bytes
2530 - field: file_system
2531 label: FS
2532"#;
2533 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2534 let inv = m.inventory.as_ref().expect("inventory hint");
2535 let disks = inv
2536 .display
2537 .iter()
2538 .find(|d| d.field == "disks")
2539 .expect("disks display row");
2540 assert_eq!(disks.kind.as_deref(), Some("table"));
2541 let cols = disks.columns.as_ref().expect("table needs columns");
2542 assert_eq!(cols.len(), 4);
2543 assert_eq!(cols[1].field, "size_bytes");
2544 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
2545 }
2546
2547 #[test]
2548 fn display_field_scalar_kind_keeps_columns_none() {
2549 // Defensive: when type is a scalar (`bytes` / `number` /
2550 // `timestamp`) the `columns` field stays None — the SPA
2551 // uses its presence as the "render nested table" signal,
2552 // so it must not leak in via serde defaults.
2553 let yaml = r#"
2554id: x
2555version: 1.0.0
2556execute:
2557 shell: powershell
2558 script: "echo"
2559 timeout: 5s
2560inventory:
2561 display:
2562 - { field: ram_bytes, label: RAM, type: bytes }
2563"#;
2564 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2565 let inv = m.inventory.as_ref().unwrap();
2566 assert!(inv.display[0].columns.is_none());
2567 }
2568}
2569
2570/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
2571/// (target + optional rollout + optional jitter) inline; the
2572/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
2573/// script body. Two schedules of the same job can target different
2574/// groups on different cadences without copying the manifest.
2575///
2576/// #418 Phase 1: the cadence is the single [`When`] field. The old
2577/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
2578/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
2579/// are warn-skipped; re-`schedule create` to upgrade them). The
2580/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
2581/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
2582/// `decide_fire` always ran on.
2583#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
2584pub struct Schedule {
2585 pub id: String,
2586 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
2587 /// or a calendar time trigger (`at` / `days`). See [`When`].
2588 ///
2589 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
2590 /// enums as `!per_pc` YAML tags by default; this keeps the
2591 /// operator-facing map shape (`when: { per_pc: once }`). JSON
2592 /// output is identical either way, and the schemars schema
2593 /// (external tagging = oneOf of single-key objects) already
2594 /// matches the singleton-map wire shape.
2595 #[serde(with = "serde_yaml::with::singleton_map")]
2596 #[schemars(with = "When")]
2597 pub when: When,
2598 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
2599 /// Manifest's `id`.
2600 pub job_id: String,
2601 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
2602 /// carry these any more — same job + different fanout = different
2603 /// schedule.
2604 #[serde(flatten)]
2605 pub plan: FanoutPlan,
2606 /// Optional validity window. Outside `[from, until)` the
2607 /// schedule is dormant — still registered, still visible, but
2608 /// every tick is skipped (deleted ≠ dormant: a campaign that
2609 /// ended stays inspectable and can be re-armed by editing the
2610 /// window). Checked at tick time on both the backend scheduler
2611 /// and the agent's local scheduler.
2612 #[serde(default, skip_serializing_if = "Active::is_empty")]
2613 pub active: Active,
2614 /// #418 Phase 3: operational constraints gating *when within an
2615 /// active period* a fire may happen. Currently just `window`
2616 /// (a maintenance time-of-day window); future `require`
2617 /// (env gates) and `max_concurrent` land in the same namespace.
2618 /// Evaluated in the schedule's `tz` like the other wall-clock
2619 /// fields. Checked at tick time on both schedulers.
2620 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
2621 pub constraints: Constraints,
2622 /// #418 Phase 4: what to do after a fire's script comes back
2623 /// failed. Currently just `retry` (fixed-backoff in-process
2624 /// re-run); future `notify` / `disable` join the same namespace.
2625 /// Applied fire-side in `handle_command` (the retry policy is
2626 /// lowered onto every Command this schedule produces), so it
2627 /// covers both `runs_on` locations.
2628 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
2629 pub on_failure: OnFailure,
2630 /// #418 Phase 2: the timezone this schedule's wall-clock fields
2631 /// are evaluated in — both the calendar `at` firing time AND the
2632 /// `active.{from,until}` window bounds. `local` (default) = the
2633 /// running host's TZ (the agent's for `runs_on: agent`, the
2634 /// backend server's otherwise); `utc` for TZ-independent
2635 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
2636 /// for firing (poll cron runs every minute regardless) but still
2637 /// honor it for the `active` window.
2638 #[serde(default)]
2639 pub tz: ScheduleTz,
2640 /// v0.22: optional humantime window after a cron tick during
2641 /// which the Command is still considered "live". The scheduler
2642 /// computes `tick_at + starting_deadline` and stamps it onto
2643 /// each Command as `deadline_at`; agents skip Commands they
2644 /// receive after that absolute time. `None` (default) = no
2645 /// deadline, meaning a Command queued in the broker / stream
2646 /// during agent downtime runs whenever the agent reconnects —
2647 /// good for kitting / inventory / cleanup. Set this for
2648 /// time-of-day notifications, lunch reminders, etc., where
2649 /// "fire 3 hours late" would be wrong.
2650 #[serde(default, skip_serializing_if = "Option::is_none")]
2651 pub starting_deadline: Option<String>,
2652 /// v0.23: where does the cron tick happen? `Backend` (default,
2653 /// historical) = backend's scheduler fires Commands via NATS;
2654 /// agents passively receive. `Agent` = each targeted agent runs
2655 /// its own internal cron and fires locally, so the schedule
2656 /// keeps ticking even when the broker is unreachable (laptop on
2657 /// the train, broker maintenance window, full WAN outage). The
2658 /// two locations are mutually exclusive — when `Agent`, the
2659 /// backend scheduler stays out and just keeps the definition in
2660 /// KV for agents to read.
2661 #[serde(default)]
2662 pub runs_on: RunsOn,
2663 #[serde(default = "default_true")]
2664 pub enabled: bool,
2665}
2666
2667/// v0.23 — where the cron tick fires from.
2668#[derive(
2669 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
2670)]
2671#[serde(rename_all = "snake_case")]
2672pub enum RunsOn {
2673 /// Backend's central scheduler ticks and publishes Commands to
2674 /// NATS. Historical default, what every pre-v0.23 schedule
2675 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
2676 /// reconnects ⇒ catch-up via [`command_replay`](crate)
2677 /// (see kanade-agent's command_replay module).
2678 #[default]
2679 Backend,
2680 /// Each targeted agent runs the cron tick locally. Survives
2681 /// broker / WAN outages. Best for laptops / mobile devices that
2682 /// roam off the corporate network. Agent must be online for the
2683 /// initial schedule + job-catalog pull, but once cached the
2684 /// agent fires the script standalone.
2685 Agent,
2686}
2687
2688/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
2689#[derive(
2690 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
2691)]
2692#[serde(rename_all = "snake_case")]
2693pub enum ExecMode {
2694 /// Fire on every cron tick at the whole target. Historical
2695 /// (pre-v0.19) behavior; no dedup.
2696 #[default]
2697 EveryTick,
2698 /// Fire at each pc until that pc succeeds; then skip it until
2699 /// the optional cooldown elapses (or forever if no cooldown).
2700 /// Use for kitting / first-boot / per-pc compliance checks.
2701 OncePerPc,
2702 /// Fire at the whole target until **any** pc succeeds; then
2703 /// skip the whole target until the optional cooldown elapses
2704 /// (or forever if no cooldown). Use for "one delegate is
2705 /// enough" tasks like license check-in.
2706 OncePerTarget,
2707}
2708
2709/// #418 Phase 1 — the single "when does this fire" axis.
2710///
2711/// Replaces the old `cron` + `mode` + `cooldown` trio whose
2712/// interactions were implicit (cron doubled as both a real
2713/// time-of-day trigger and a reconcile poll period; contradictory
2714/// combinations silently no-opped). Two shapes:
2715///
2716/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
2717/// pc (or one delegate) should have run this within `every`".
2718/// The poll period is system-generated ([`POLL_CRON`], every
2719/// minute) and no longer the operator's concern.
2720/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
2721/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
2722/// the whole target at the given time, no dedup. `at: "09:00"` +
2723/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
2724/// exactly once. Evaluated in the schedule's top-level `tz`.
2725#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
2726#[serde(rename_all = "snake_case")]
2727pub enum When {
2728 /// Fire at each targeted pc: `once` (kitting — succeed once,
2729 /// skip forever, forever catching brand-new / re-imaged pcs)
2730 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
2731 /// the interval).
2732 PerPc(PerPolicy),
2733 /// Fire until **any** one pc of the target succeeds, then skip
2734 /// the whole target (`once`) or re-arm after `every`. Needs
2735 /// fleet-wide completion data, so it is backend-only —
2736 /// `runs_on: agent` + `per_target` is rejected by
2737 /// [`Schedule::validate`].
2738 PerTarget(PerPolicy),
2739 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
2740 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
2741 /// the whole target at that wall-clock time in the schedule's
2742 /// `tz` — no dedup, no cooldown.
2743 Calendar(CalendarSpec),
2744}
2745
2746/// Calendar time trigger (#418 Phase 2). `at` is either a time of
2747/// day (`"HH:MM"`, repeating — combine with `days`) or a full
2748/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
2749/// never again). Evaluated in the schedule's top-level `tz`.
2750#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
2751#[serde(deny_unknown_fields)]
2752pub struct CalendarSpec {
2753 /// `"HH:MM"` (24h) for a repeating trigger, or
2754 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
2755 /// accepted) for a one-shot. Parsed lazily —
2756 /// [`Schedule::validate`] rejects garbage at create time.
2757 pub at: String,
2758 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
2759 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
2760 /// field, so ranges and names both work). An **nth-weekday**
2761 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
2762 /// ("Patch Tuesday"); the ordinal is `1..5`. Empty = every day.
2763 /// Must be empty when `at` carries a date (the date already
2764 /// pins the day).
2765 #[serde(default, skip_serializing_if = "Vec::is_empty")]
2766 pub days: Vec<String>,
2767}
2768
2769/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
2770/// date for a one-shot (`None` = repeating time-of-day).
2771struct ParsedAt {
2772 minute: u32,
2773 hour: u32,
2774 date: Option<chrono::NaiveDate>,
2775}
2776
2777impl CalendarSpec {
2778 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
2779 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
2780 fn parse_at(&self) -> Result<ParsedAt, String> {
2781 use chrono::Timelike;
2782 let s = self.at.trim();
2783 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
2784 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
2785 return Ok(ParsedAt {
2786 minute: dt.minute(),
2787 hour: dt.hour(),
2788 date: Some(dt.date()),
2789 });
2790 }
2791 }
2792 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
2793 return Ok(ParsedAt {
2794 minute: t.minute(),
2795 hour: t.hour(),
2796 date: None,
2797 });
2798 }
2799 Err(format!(
2800 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
2801 self.at
2802 ))
2803 }
2804
2805 /// Pre-flight check on the `days` tokens so a bad day name gives
2806 /// a `when.days:`-scoped error instead of croner's confusing
2807 /// "when.at lowered to invalid cron" (claude #432 review). Each
2808 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
2809 /// `*`, a `-` range of those, or an **nth-weekday** like `tue#2`
2810 /// (2nd Tuesday of the month — "Patch Tuesday").
2811 fn validate_days(&self) -> Result<(), String> {
2812 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
2813 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
2814 for tok in &self.days {
2815 // Report the whole token on a malformed range like `mon-`
2816 // (which would otherwise split to a cryptic empty part —
2817 // claude #432 follow-up).
2818 let invalid = |reason: &str| {
2819 Err(format!(
2820 "when.days: invalid day token '{tok}' ({reason}; \
2821 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
2822 like tue#2, or *)"
2823 ))
2824 };
2825 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
2826 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
2827 // `to_cron` passes the token through verbatim, so the
2828 // engine fires only on that occurrence. It's a single
2829 // weekday + ordinal — not combinable with a range.
2830 if let Some((day_part, nth_part)) = tok.split_once('#') {
2831 // Normalize once and use `d` consistently (gemini #547);
2832 // the outer `invalid` already echoes the raw `tok`.
2833 let d = day_part.trim().to_ascii_lowercase();
2834 if d.contains('-') || !is_day(&d) {
2835 return invalid("the part before # must be a single weekday");
2836 }
2837 match nth_part.trim().parse::<u8>() {
2838 Ok(n) if (1..=5).contains(&n) => {}
2839 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
2840 }
2841 continue;
2842 }
2843 for part in tok.split('-') {
2844 let p = part.trim().to_ascii_lowercase();
2845 if p.is_empty() {
2846 return invalid("empty range bound");
2847 }
2848 if p != "*" && !is_day(&p) {
2849 return invalid(&format!("'{part}' is not a day"));
2850 }
2851 }
2852 }
2853 Ok(())
2854 }
2855
2856 /// For a one-shot (`at` carries a date), the absolute instant it
2857 /// fires in `tz`. `None` for a repeating calendar. Used to warn
2858 /// about a one-shot whose date is already in the past (it would
2859 /// never fire).
2860 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
2861 let p = self.parse_at().ok()?;
2862 let date = p.date?;
2863 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
2864 tz.naive_to_utc(naive)
2865 }
2866
2867 /// The wall-clock time-of-day this calendar fires at (`None` if
2868 /// `at` is unparseable — validate() guards that). Used to detect
2869 /// a calendar whose fire time can never fall inside its
2870 /// `constraints.window` (claude #452 review).
2871 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
2872 let p = self.parse_at().ok()?;
2873 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
2874 }
2875
2876 /// Lower to the cron string the scheduler engine runs. Repeating
2877 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
2878 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
2879 /// fires — that's what makes it one-shot).
2880 fn to_cron(&self) -> Result<String, String> {
2881 use chrono::Datelike;
2882 let ParsedAt { minute, hour, date } = self.parse_at()?;
2883 match date {
2884 Some(d) => {
2885 if !self.days.is_empty() {
2886 return Err(
2887 "when.at with a date is a one-shot and cannot be combined with days".into(),
2888 );
2889 }
2890 Ok(format!(
2891 "0 {minute} {hour} {} {} * {}",
2892 d.day(),
2893 d.month(),
2894 d.year()
2895 ))
2896 }
2897 None => {
2898 let dow = if self.days.is_empty() {
2899 "*".to_string()
2900 } else {
2901 self.validate_days()?;
2902 self.days.join(",")
2903 };
2904 Ok(format!("0 {minute} {hour} * * {dow}"))
2905 }
2906 }
2907 }
2908}
2909
2910/// The timezone a schedule's wall-clock fields (`when.at`,
2911/// `active.{from,until}`) are evaluated in (#418 Phase 2).
2912#[derive(
2913 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
2914)]
2915#[serde(rename_all = "snake_case")]
2916pub enum ScheduleTz {
2917 /// The running host's local timezone — the agent's for
2918 /// `runs_on: agent`, the backend server's otherwise. Default.
2919 #[default]
2920 Local,
2921 /// UTC — for timezone-independent schedules.
2922 Utc,
2923}
2924
2925impl ScheduleTz {
2926 /// Interpret a naive (zoneless) datetime as being in this tz and
2927 /// convert to UTC. On a DST *fold* (the local time occurs twice
2928 /// when clocks go back) we pick `.earliest()` rather than
2929 /// rejecting it; `None` is reserved for a true DST *gap* (a local
2930 /// time that never exists). `Utc` is fixed-offset so neither ever
2931 /// happens; `Local` is whatever timezone the running host is set
2932 /// to and *can* hit a gap/fold on any DST-observing host — not
2933 /// just the JST we run today (gemini + claude #432 review).
2934 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
2935 use chrono::TimeZone;
2936 match self {
2937 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
2938 naive,
2939 chrono::Utc,
2940 )),
2941 ScheduleTz::Local => chrono::Local
2942 .from_local_datetime(&naive)
2943 .earliest()
2944 .map(|dt| dt.with_timezone(&chrono::Utc)),
2945 }
2946 }
2947
2948 /// The wall-clock time-of-day `now` reads as in this tz — used by
2949 /// [`Constraints::allows`] to test a maintenance window
2950 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
2951 /// running host's local time.
2952 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
2953 match self {
2954 ScheduleTz::Utc => now.time(),
2955 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
2956 }
2957 }
2958}
2959
2960/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
2961/// `per_target`. Untagged so the YAML stays the bare keyword or a
2962/// one-key map, nothing more ceremonial.
2963#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
2964#[serde(untagged)]
2965pub enum PerPolicy {
2966 /// The bare string `once`: succeed once, then skip permanently
2967 /// (cooldown = infinity).
2968 Once(OnceLiteral),
2969 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
2970 Every(EverySpec),
2971}
2972
2973/// Single-variant enum so serde accepts exactly the string `once`
2974/// (a free-form `String` would swallow typos like `onec`).
2975#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
2976#[serde(rename_all = "snake_case")]
2977pub enum OnceLiteral {
2978 Once,
2979}
2980
2981/// `{ every: <humantime> }`. Standalone struct (not an inline
2982/// struct variant) so `deny_unknown_fields` still bites under the
2983/// untagged [`PerPolicy`] — `{ evry: 6h }` is a parse error, not a
2984/// silently-ignored key.
2985#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
2986#[serde(deny_unknown_fields)]
2987pub struct EverySpec {
2988 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
2989 /// [`Schedule::validate`] rejects garbage at create time.
2990 pub every: String,
2991}
2992
2993impl PerPolicy {
2994 /// The cooldown this policy lowers to: `once` = `None`
2995 /// (permanent skip), `every` = the interval.
2996 fn cooldown(&self) -> Option<String> {
2997 match self {
2998 PerPolicy::Once(_) => None,
2999 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
3000 }
3001 }
3002}
3003
3004impl std::fmt::Display for When {
3005 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
3006 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
3007 /// lines, audit payloads and the API's `ScheduleSummary`.
3008 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3009 let policy = |p: &PerPolicy| match p {
3010 PerPolicy::Once(_) => "once".to_string(),
3011 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
3012 };
3013 match self {
3014 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
3015 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
3016 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
3017 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
3018 }
3019 }
3020}
3021
3022/// Optional validity window for a [`Schedule`] (#418 decision G).
3023/// Half-open `[from, until)`; either bound may be omitted. Bounds
3024/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
3025/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
3026/// strings so the JSON Schema the SPA editor consumes stays two
3027/// plain string fields, mirroring `jitter` / `starting_deadline`.
3028///
3029/// #418 Phase 2: bounds are evaluated in the schedule's top-level
3030/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
3031/// calendar `at` AND the `active` window local — one consistent
3032/// timezone per schedule.
3033#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
3034#[serde(deny_unknown_fields)]
3035pub struct Active {
3036 /// Dormant before this instant.
3037 #[serde(default, skip_serializing_if = "Option::is_none")]
3038 pub from: Option<String>,
3039 /// Dormant from this instant on (exclusive).
3040 #[serde(default, skip_serializing_if = "Option::is_none")]
3041 pub until: Option<String>,
3042}
3043
3044impl Active {
3045 /// `skip_serializing_if` helper — an empty window means "always
3046 /// active" and is omitted from the wire format entirely.
3047 pub fn is_empty(&self) -> bool {
3048 self.from.is_none() && self.until.is_none()
3049 }
3050
3051 /// Parse one bound: RFC3339 first (offset honored, `tz`
3052 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
3053 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
3054 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
3055 return Ok(dt.with_timezone(&chrono::Utc));
3056 }
3057 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
3058 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
3059 return tz.naive_to_utc(midnight).ok_or_else(|| {
3060 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
3061 });
3062 }
3063 Err(format!(
3064 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
3065 ))
3066 }
3067
3068 /// Is `now` inside the window? Unparseable bounds are treated
3069 /// as absent here (fail-open) — [`Schedule::validate`] is the
3070 /// place that rejects them loudly; this runs on every tick and
3071 /// must never panic on a stale KV blob.
3072 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
3073 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
3074 if bound(&self.from).is_some_and(|from| now < from) {
3075 return false;
3076 }
3077 if bound(&self.until).is_some_and(|until| now >= until) {
3078 return false;
3079 }
3080 true
3081 }
3082}
3083
3084/// Operational constraints on a [`Schedule`] (#418 Phase 3). Where
3085/// [`Active`] decides *over what date range* a schedule is live,
3086/// `Constraints` decides *when, within an active period,* a fire is
3087/// allowed. `window` (a maintenance time-of-day window) and
3088/// `max_concurrent` (a fleet-wide running-instance cap) so far;
3089/// `require` (env gates) joins this struct in a later phase.
3090#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
3091#[serde(deny_unknown_fields)]
3092pub struct Constraints {
3093 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
3094 /// `tz`). Fires outside it are skipped — mainly for reconcile
3095 /// cadences ("patrol every 6h, but only fire overnight") and
3096 /// daytime change-freezes. `start > end` crosses midnight
3097 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
3098 /// lazily; [`Schedule::validate`] rejects garbage at create time.
3099 #[serde(default, skip_serializing_if = "Option::is_none")]
3100 pub window: Option<String>,
3101 /// Fleet-wide cap on how many instances of this schedule's job may
3102 /// run **at the same time** (#418 "同時実行ハード上限"). The
3103 /// backend scheduler counts the job's still-in-flight runs
3104 /// (`execution_results.finished_at IS NULL`) each tick and only
3105 /// dispatches to as many remaining pcs as there are free slots —
3106 /// a rolling window that refills as runs complete. Useful for
3107 /// disk/CPU/network-heavy jobs you don't want hammering the whole
3108 /// fleet at once.
3109 ///
3110 /// **Backend-only** (it needs a central counter): combining it
3111 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
3112 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
3113 /// for `per_pc` reconcile cadences, where the poll re-ticks and
3114 /// refills slots. `None` (default) = no cap.
3115 #[serde(default, skip_serializing_if = "Option::is_none")]
3116 pub max_concurrent: Option<u32>,
3117}
3118
3119impl Constraints {
3120 /// `skip_serializing_if` helper — empty constraints are omitted
3121 /// from the wire format entirely.
3122 pub fn is_empty(&self) -> bool {
3123 self.window.is_none() && self.max_concurrent.is_none()
3124 }
3125
3126 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
3127 /// error (a zero-width or all-day window is ambiguous — write no
3128 /// window for "always").
3129 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
3130 let (a, b) = s
3131 .split_once('-')
3132 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
3133 let parse = |part: &str| {
3134 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
3135 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
3136 };
3137 let (start, end) = (parse(a)?, parse(b)?);
3138 if start == end {
3139 return Err(format!(
3140 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
3141 ));
3142 }
3143 Ok((start, end))
3144 }
3145
3146 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
3147 /// always allowed. Half-open `[start, end)`; `start > end`
3148 /// crosses midnight.
3149 ///
3150 /// **Fail-closed** on an unparseable window (returns `false`,
3151 /// gemini #452 review): a window is a *restrictive* constraint
3152 /// (change-freeze / overnight-only), so a corrupt one must NOT
3153 /// silently allow fires during the restricted hours. Bad windows
3154 /// are rejected at create time by [`Schedule::validate`]; this
3155 /// only bites a hand-edited KV blob, where blocking is the safe
3156 /// direction. The scheduler warns at register time
3157 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
3158 /// The tick path never panics regardless.
3159 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
3160 match self.window.as_deref() {
3161 // No window → always allowed.
3162 None => true,
3163 // Window set: membership, or fail-closed if unparseable
3164 // (`window_contains` returns None for a corrupt window).
3165 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
3166 }
3167 }
3168
3169 /// Membership of a wall-clock time-of-day in the window. `None`
3170 /// when there is no window or it's unparseable (callers decide
3171 /// the failure direction). `start > end` crosses midnight.
3172 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
3173 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
3174 Some(if start <= end {
3175 start <= t && t < end
3176 } else {
3177 t >= start || t < end
3178 })
3179 }
3180}
3181
3182/// What to do when a fire's script fails (#418 Phase 4 — the "高"
3183/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
3184/// happens, `OnFailure` decides what happens *after* one ran and
3185/// came back bad. Only `retry` so far; future `notify` / `disable`
3186/// would join the same namespace.
3187#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
3188#[serde(deny_unknown_fields)]
3189pub struct OnFailure {
3190 /// Re-run the script in-process when it exits non-zero (or times
3191 /// out), up to a cap, with a fixed backoff between attempts.
3192 /// `None` (default) = no retry: a failed run is published as-is
3193 /// and (for reconcile cadences) simply re-fires on the next poll
3194 /// tick. See [`Retry`].
3195 #[serde(default, skip_serializing_if = "Option::is_none")]
3196 pub retry: Option<Retry>,
3197}
3198
3199impl OnFailure {
3200 /// `skip_serializing_if` helper — an empty policy is omitted from
3201 /// the wire format entirely.
3202 pub fn is_empty(&self) -> bool {
3203 self.retry.is_none()
3204 }
3205
3206 /// Lower the operator-facing `retry` (humantime backoff) onto the
3207 /// engine vocabulary the agent's executor runs on (backoff in
3208 /// whole seconds). Single seam shared by the backend command
3209 /// builder and the agent's local scheduler so the two stamp the
3210 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
3211 /// `None` when there is no retry policy or the backoff is
3212 /// unparseable (validate() rejects the latter at create time;
3213 /// this stays fail-safe = "no retry" for a hand-edited KV blob
3214 /// rather than panicking on the fire path).
3215 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
3216 let r = self.retry.as_ref()?;
3217 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
3218 Some(crate::wire::RetrySpec {
3219 max: r.max,
3220 backoff_secs,
3221 })
3222 }
3223}
3224
3225/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
3226/// *additional* attempts after the first run (so `max: 3` = up to 4
3227/// total executions); `backoff` is the humantime delay slept between
3228/// attempts. The retry happens fire-side (inside `kanade fire` /
3229/// `handle_command`) on every OS for the PoC — the Windows-native
3230/// "restart on failure" Task Scheduler path is deferred to the
3231/// native-delegation phase (#418 decision H).
3232#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3233#[serde(deny_unknown_fields)]
3234pub struct Retry {
3235 /// Max additional attempts after the first failure. Bounded
3236 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
3237 /// with a short backoff would otherwise pin a flapping script in
3238 /// a tight loop for the whole window.
3239 pub max: u32,
3240 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
3241 pub backoff: String,
3242}
3243
3244/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
3245/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
3246/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
3247/// global* "stop all automated change" switch the operator flips
3248/// during an incident or a year-end change-freeze. It lives in its
3249/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
3250/// active, both the backend scheduler and every agent's local
3251/// scheduler skip *every* fire.
3252///
3253/// Shapes:
3254/// * `{}` (no bounds) — frozen indefinitely until the operator
3255/// clears it (incident "big red button").
3256/// * `{ from, until }` — frozen only within `[from, until)`,
3257/// evaluated in `tz` (planned change-freeze; auto-thaws).
3258///
3259/// The KV key being *absent* means "not frozen" — so clearing the
3260/// freeze is a KV delete, and `is_active` only ever runs on a freeze
3261/// the operator actually set.
3262#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
3263#[serde(deny_unknown_fields)]
3264pub struct Freeze {
3265 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
3266 /// `tz`). `None` ⇒ frozen from the beginning of time.
3267 #[serde(default, skip_serializing_if = "Option::is_none")]
3268 pub from: Option<String>,
3269 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
3270 /// no scheduled end (manual clear required).
3271 #[serde(default, skip_serializing_if = "Option::is_none")]
3272 pub until: Option<String>,
3273 /// Operator-supplied note surfaced on the freeze-skip log and the
3274 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
3275 #[serde(default, skip_serializing_if = "Option::is_none")]
3276 pub reason: Option<String>,
3277 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
3278 /// carry their own offset). Defaults to host-local like a
3279 /// schedule's `tz`.
3280 #[serde(default)]
3281 pub tz: ScheduleTz,
3282}
3283
3284impl Freeze {
3285 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
3286 /// both absent) is frozen unconditionally; otherwise membership of
3287 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
3288 /// but **fails CLOSED** on an unparseable bound — a freeze is a
3289 /// safety switch, so a corrupt window (only reachable via a
3290 /// hand-edited KV blob; `validate` rejects it at set time) must
3291 /// mean "frozen", not "fire normally" (coderabbit #472). This is
3292 /// the one deliberate divergence from `active`'s fail-OPEN
3293 /// behaviour, where an unparseable bound dormant-skips a schedule.
3294 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
3295 // Parse a bound; an unparseable one short-circuits the whole
3296 // check to `true` (frozen) via the closure's `None` sentinel
3297 // handled below.
3298 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
3299 match s.as_deref() {
3300 None => Ok(None),
3301 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
3302 }
3303 };
3304 let (from, until) = match (bound(&self.from), bound(&self.until)) {
3305 (Ok(f), Ok(u)) => (f, u),
3306 // Any corrupt bound → fail closed (frozen).
3307 _ => return true,
3308 };
3309 if from.is_some_and(|f| now < f) {
3310 return false;
3311 }
3312 if until.is_some_and(|u| now >= u) {
3313 return false;
3314 }
3315 true
3316 }
3317
3318 /// Reject unparseable bounds / `from >= until` at set time (the
3319 /// API + CLI counterpart to [`Schedule::validate`]).
3320 pub fn validate(&self) -> Result<(), String> {
3321 let from = self
3322 .from
3323 .as_deref()
3324 .map(|s| Active::parse_bound(s, self.tz))
3325 .transpose()
3326 .map_err(|e| e.replace("active:", "freeze:"))?;
3327 let until = self
3328 .until
3329 .as_deref()
3330 .map(|s| Active::parse_bound(s, self.tz))
3331 .transpose()
3332 .map_err(|e| e.replace("active:", "freeze:"))?;
3333 if let (Some(f), Some(u)) = (from, until) {
3334 if f >= u {
3335 return Err(format!(
3336 "freeze.from ({}) must be strictly before freeze.until ({})",
3337 self.from.as_deref().unwrap_or_default(),
3338 self.until.as_deref().unwrap_or_default(),
3339 ));
3340 }
3341 }
3342 Ok(())
3343 }
3344}
3345
3346/// The system-generated poll cadence every reconcile-shaped `when`
3347/// lowers to. Operators never write this: the real inter-run
3348/// spacing is the `every` cooldown; this only bounds "how soon do
3349/// we notice somebody is due" (#418 decision B took the poll
3350/// period away from the operator).
3351pub const POLL_CRON: &str = "0 * * * * *";
3352
3353/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
3354/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
3355/// unchanged is what lets Phase 1 swap the operator surface without
3356/// touching the tick / dedup machinery.
3357pub struct Lowered {
3358 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
3359 /// reconcile shapes, a 6/7-field cron for calendar shapes.
3360 pub cron: String,
3361 /// Dedup semantics for `decide_fire`.
3362 pub mode: ExecMode,
3363 /// Humantime re-arm interval (`None` = succeed once, skip
3364 /// forever).
3365 pub cooldown: Option<String>,
3366 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
3367 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
3368 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
3369 /// so the same value drives the `active`-window check.
3370 pub tz: ScheduleTz,
3371}
3372
3373impl Schedule {
3374 /// The error message if this schedule's `constraints.window` is
3375 /// set but unparseable, else `None`. The scheduler logs this at
3376 /// register time so a fail-closed (never-firing) schedule from a
3377 /// hand-edited KV blob is diagnosable (gemini #452 review).
3378 pub fn bad_window(&self) -> Option<String> {
3379 let w = self.constraints.window.as_deref()?;
3380 Constraints::parse_window(w).err()
3381 }
3382
3383 /// True when this is a `calendar` schedule whose fire time can
3384 /// never fall inside its `constraints.window` — the cron fires,
3385 /// the window check rejects it, and (firing only at that
3386 /// time-of-day) it effectively never runs. An easy misconfig to
3387 /// set up by accident; the scheduler warns at register time
3388 /// (claude #452 review). Reconcile shapes poll every minute, so
3389 /// they always catch the window opening and aren't affected.
3390 pub fn calendar_outside_window(&self) -> bool {
3391 let When::Calendar(c) = &self.when else {
3392 return false;
3393 };
3394 let Some(t) = c.fire_time() else {
3395 return false;
3396 };
3397 matches!(self.constraints.window_contains(t), Some(false))
3398 }
3399
3400 /// Lower the operator-facing `when` onto the engine vocabulary.
3401 /// Single seam shared by the backend scheduler and the agent's
3402 /// local scheduler so the two can never drift.
3403 pub fn lowered(&self) -> Lowered {
3404 let tz = self.tz;
3405 match &self.when {
3406 When::PerPc(p) => Lowered {
3407 cron: POLL_CRON.into(),
3408 mode: ExecMode::OncePerPc,
3409 cooldown: p.cooldown(),
3410 tz,
3411 },
3412 When::PerTarget(p) => Lowered {
3413 cron: POLL_CRON.into(),
3414 mode: ExecMode::OncePerTarget,
3415 cooldown: p.cooldown(),
3416 tz,
3417 },
3418 // `to_cron` only fails on a malformed `at` (rejected by
3419 // validate() at create time). For a hand-edited KV blob
3420 // that slipped past, emit a deliberately-invalid cron so
3421 // register()'s Job::new_async_tz fails → warn+skip,
3422 // rather than firing at the wrong time.
3423 When::Calendar(c) => Lowered {
3424 cron: c
3425 .to_cron()
3426 .unwrap_or_else(|_| "# invalid calendar at".into()),
3427 mode: ExecMode::EveryTick,
3428 cooldown: None,
3429 tz,
3430 },
3431 }
3432 }
3433
3434 /// Cross-field semantic checks that don't fit pure serde derive
3435 /// — the [`Manifest::validate`] counterpart (#418 decision F;
3436 /// pre-Phase-1 a broken schedule was accepted at create time
3437 /// and silently warn-skipped at tick time). Run at every create
3438 /// site: `kanade schedule create` (client-side) and
3439 /// `POST /api/schedules`. The job_id-exists check lives in the
3440 /// API handler instead — it needs the JOBS KV.
3441 pub fn validate(&self) -> Result<(), String> {
3442 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
3443 return Err(
3444 "when.per_target needs fleet-wide completion data and is backend-only; \
3445 it cannot be combined with runs_on: agent (each agent self-schedules, \
3446 so per-target dedup would be deduping across a target of 1)"
3447 .into(),
3448 );
3449 }
3450 if let Some(cd) = self.lowered().cooldown.as_deref() {
3451 humantime::parse_duration(cd)
3452 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
3453 }
3454 if let When::Calendar(c) = &self.when {
3455 // Lower the calendar form to its cron (catches a bad `at`
3456 // and the date+days conflict), then validate that cron
3457 // with the same parser configuration tokio-cron-scheduler
3458 // 0.15 uses internally (croner, seconds required,
3459 // DOM-and-DOW both honored, year optional) — create-time
3460 // validation can never accept what register() rejects.
3461 let cron = c.to_cron()?;
3462 croner::parser::CronParser::builder()
3463 .seconds(croner::parser::Seconds::Required)
3464 .dom_and_dow(true)
3465 .build()
3466 .parse(&cron)
3467 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
3468 }
3469 // The other humantime strings on the schedule (claude #419
3470 // review): runtime degrades gracefully on both (bad jitter →
3471 // silent no-op, bad starting_deadline → warn + skipped tick),
3472 // but "rejected at create time" should cover every field the
3473 // operator can typo, not just `when`.
3474 if let Some(j) = &self.plan.jitter {
3475 humantime::parse_duration(j)
3476 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
3477 }
3478 if let Some(sd) = &self.starting_deadline {
3479 humantime::parse_duration(sd)
3480 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
3481 }
3482 let from = self
3483 .active
3484 .from
3485 .as_deref()
3486 .map(|s| Active::parse_bound(s, self.tz))
3487 .transpose()?;
3488 let until = self
3489 .active
3490 .until
3491 .as_deref()
3492 .map(|s| Active::parse_bound(s, self.tz))
3493 .transpose()?;
3494 if let (Some(f), Some(u)) = (from, until) {
3495 if f >= u {
3496 return Err(format!(
3497 "active.from ({}) must be strictly before active.until ({})",
3498 self.active.from.as_deref().unwrap_or_default(),
3499 self.active.until.as_deref().unwrap_or_default(),
3500 ));
3501 }
3502 }
3503 // #418 Phase 3: a bad maintenance window is rejected at create
3504 // time (parse_window also catches equal bounds).
3505 if let Some(w) = self.constraints.window.as_deref() {
3506 Constraints::parse_window(w)?;
3507 }
3508 // #418: constraints.max_concurrent is a central running-instance
3509 // cap, so it needs the backend's counter — reject it on
3510 // runs_on: agent (decision E), and reject a meaningless 0.
3511 if let Some(mc) = self.constraints.max_concurrent {
3512 // Check the structural incompatibility (agent has no central
3513 // counter) before the value range, so a `max_concurrent: 0`
3514 // + `runs_on: agent` combo reports the more fundamental
3515 // problem first (claude #542).
3516 if matches!(self.runs_on, RunsOn::Agent) {
3517 return Err(
3518 "constraints.max_concurrent needs a central counter and is backend-only; \
3519 it cannot be combined with runs_on: agent (each agent self-schedules, \
3520 so there is no fleet-wide count to cap against)"
3521 .into(),
3522 );
3523 }
3524 if mc == 0 {
3525 return Err(
3526 "constraints.max_concurrent must be >= 1 (0 would never fire; \
3527 omit it for no cap)"
3528 .into(),
3529 );
3530 }
3531 }
3532 // #418 Phase 4: a bad on_failure.retry is rejected at create
3533 // time — backoff must be valid humantime, and max is bounded
3534 // so a typo can't pin a flapping script in a tight loop.
3535 if let Some(r) = &self.on_failure.retry {
3536 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
3537 format!(
3538 "on_failure.retry.backoff: invalid duration '{}': {e}",
3539 r.backoff
3540 )
3541 })?;
3542 // The wire form lowers backoff to whole seconds, so a
3543 // sub-second value would silently become a 0s no-wait
3544 // (coderabbit #466). Reject it rather than honour a backoff
3545 // the operator can't actually get.
3546 if backoff.as_secs() < 1 {
3547 return Err(format!(
3548 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
3549 round to 0 on the wire",
3550 r.backoff
3551 ));
3552 }
3553 if !(1..=10).contains(&r.max) {
3554 return Err(format!(
3555 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
3556 attempts after the first run",
3557 r.max
3558 ));
3559 }
3560 }
3561 Ok(())
3562 }
3563}
3564
3565fn default_true() -> bool {
3566 true
3567}