kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::ipc::jobs::JobCategory;
4use crate::wire::{RunAs, Shell, Staleness};
5
6/// YAML job manifest (= registered "what to run", v0.18.0+).
7///
8/// Owns only script-intrinsic fields. **Who** (`target`), **how to
9/// phase fanout** (`rollout`), and **when to stagger start**
10/// (`jitter`) all moved to the Schedule / exec request side — same
11/// script can now be fired against different targets / rollouts
12/// without copying the script body.
13///
14/// #492: these types are READ fleet-wide (agents decode them from
15/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
16/// must tolerate unknown fields — `deny_unknown_fields` here made a
17/// gradually-upgrading fleet's OLD agents reject the whole object
18/// the moment a newer backend added any field. Operator typo
19/// protection (the old reason for the attribute) lives at the WRITE
20/// boundaries instead: `kanade job/schedule create` and the backend
21/// POST extractor parse via [`crate::strict`], which rejects unknown
22/// keys with their full paths. The wire rule: new fields always get
23/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
24/// may still be strict).
25#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
26pub struct Manifest {
27 pub id: String,
28 pub version: String,
29 #[serde(default)]
30 pub description: Option<String>,
31 pub execute: Execute,
32 #[serde(default)]
33 pub require_approval: bool,
34 /// Opt-in marker that this job produces a JSON inventory fact
35 /// payload on stdout. When present, the backend's results
36 /// projector parses `ExecResult.stdout` as JSON and upserts an
37 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
38 /// `display` sub-config drives the SPA's Inventory page render.
39 #[serde(default)]
40 pub inventory: Option<InventoryHint>,
41 /// Issue #246: opt-in marker that this job emits per-line
42 /// observability events on stdout (one JSON `ObsEvent` per
43 /// newline). When present, the agent — after the script exits
44 /// successfully — parses each non-empty stdout line as an
45 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
46 /// `obs_outbox`, and (intentionally) **omits the stdout from
47 /// the `ExecResult`** so the timeline data doesn't double up
48 /// in `execution_results.stdout` (which would multiply rows
49 /// by ~50/day/PC of noise).
50 ///
51 /// Distinct from `inventory:` (single JSON object → projector
52 /// upsert) — events are append-only timeline points consumed
53 /// by the dedicated `obs_events` table.
54 #[serde(default)]
55 pub emit: Option<EmitConfig>,
56 /// #290: opt-in marker that this job is an operator-defined
57 /// **health check** whose result feeds the Client App's Health
58 /// tab over KLP (`StateSnapshot.checks`). The script prints a
59 /// free-form JSON object on stdout (like any inventory job); the
60 /// agent reads the [`CheckHint::status_field`] value dynamically
61 /// into a [`crate::ipc::state::Check`] named `check.name`.
62 /// Cadence / windows / conditions come from
63 /// the job's Schedule (exactly like inventory) — there is
64 /// deliberately no interval here. **Composes with `inventory:`**:
65 /// the script's stdout is one JSON object, so a check can also
66 /// carry an `inventory:` block to project the rest of that object
67 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
68 /// `emit:` (NDJSON stdout) is incompatible.
69 #[serde(default)]
70 pub check: Option<CheckHint>,
71 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
72 /// what the agent does at fire time when it can't verify the
73 /// `script_current` / `script_status` KV values are fresh —
74 /// especially relevant for `runs_on: agent` schedules where
75 /// the agent may fire from cache while offline. Defaults to
76 /// `Staleness::Cached` (silently use cached values), which
77 /// matches every pre-v0.26 Manifest.
78 #[serde(default)]
79 pub staleness: Staleness,
80 /// #291: opt-in marker that this job is offered to **end users**
81 /// in the Client App's job tabs over KLP (`jobs.list` →
82 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
83 /// [`emit`]: the block's mere presence is the opt-in, and it
84 /// groups the end-user presentation fields (name / category /
85 /// icon) that only make sense for a user-facing job. `None`
86 /// (the default) ⇒ an operator-only job — inventory, checks,
87 /// scheduled maintenance — that never surfaces in the catalog.
88 ///
89 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
90 /// (SPEC §2.1), so removing the block takes a job out of a
91 /// running client on its next action.
92 ///
93 /// [`inventory`]: Manifest::inventory
94 /// [`check`]: Manifest::check
95 /// [`emit`]: Manifest::emit
96 #[serde(default, skip_serializing_if = "Option::is_none")]
97 pub client: Option<ClientHint>,
98}
99
100/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
101/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
102/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
103/// here keeps the validation + serialisation logic in one place.
104#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
105pub struct FanoutPlan {
106 #[serde(default)]
107 pub target: Target,
108 /// Optional wave rollout — when present, the backend publishes
109 /// each wave's group subject on its own delay schedule instead
110 /// of fanning out the `target` block in one go. `target` then
111 /// only labels the deploy for the audit log.
112 #[serde(default, skip_serializing_if = "Option::is_none")]
113 pub rollout: Option<Rollout>,
114 /// Optional humantime jitter; agent uses it to randomise
115 /// execution start. Lives here (not on the script) so different
116 /// schedules / ad-hoc fires of the same job can pick different
117 /// stagger windows.
118 #[serde(default, skip_serializing_if = "Option::is_none")]
119 pub jitter: Option<String>,
120 /// Absolute time the scheduler stamps on each emitted Command
121 /// when this exec was driven by a [`Schedule`] with
122 /// `starting_deadline`. Agents receiving a Command after this
123 /// instant publish a synthetic skipped-result instead of
124 /// running the script. `None` (default) = no deadline / catch
125 /// up whenever delivered. Operators don't usually set this
126 /// directly — the scheduler computes it from `tick_at +
127 /// starting_deadline`.
128 #[serde(default, skip_serializing_if = "Option::is_none")]
129 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
130}
131
132/// Manifest sub-section: how the SPA should render the inventory
133/// facts this job produces. Each field name (`field`) is a top-level
134/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
135///
136/// Two render modes:
137/// * `display` — vertical "field / value" per PC, used by the
138/// `/inventory?pc=<id>` detail view. ALL columns the operator
139/// wants visible on the detail page.
140/// * `summary` — horizontal table across the fleet (row = PC,
141/// column = field) on `/inventory`. Optional; when omitted the
142/// SPA falls back to `display`, but operators usually want a
143/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
144#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
145pub struct InventoryHint {
146 /// Detail-view columns, in order.
147 pub display: Vec<DisplayField>,
148 /// Optional fleet-list columns (row = PC). Defaults to `display`
149 /// when omitted, but operators usually pick a 3-5 column subset.
150 #[serde(default, skip_serializing_if = "Option::is_none")]
151 pub summary: Option<Vec<DisplayField>>,
152 /// v0.31 / #40: payload arrays that should be exploded into
153 /// per-element rows of a derived SQLite table. Lets operators
154 /// answer cross-PC questions ("which PCs still have Chrome <
155 /// 120?", "C: >90% full") with normal SQL filters + indexes
156 /// instead of grepping JSON. The projector creates the derived
157 /// table on register and replaces this PC's rows on each result
158 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
159 /// [`ExplodeSpec`] for the per-spec schema.
160 #[serde(default, skip_serializing_if = "Option::is_none")]
161 pub explode: Option<Vec<ExplodeSpec>>,
162 /// v0.35 / #93: top-level scalar fields whose changes the
163 /// projector logs to `inventory_history` (one event per
164 /// changed field per scan). Pairs with `explode[].track_history`
165 /// — that covers array elements; this covers single-valued
166 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
167 /// `os_build` that operators want to track for "did the RAM
168 /// get upgraded?" / "when did Win 11 land on this PC?" /
169 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
170 /// in the history row, `identity_json` is NULL, `before_json`
171 /// / `after_json` each carry `{"value": <prior or new value>}`.
172 /// First-ever observation of a scalar (no prior facts row)
173 /// emits `added`; subsequent value changes emit `changed`. No
174 /// `removed` events — a scalar disappearing from the payload
175 /// is rare and the operator can still see the last value via
176 /// the `before_json` of the most recent change.
177 #[serde(default, skip_serializing_if = "Option::is_none")]
178 pub history_scalars: Option<Vec<String>>,
179}
180
181/// Manifest sub-section (#290): marks a job as an operator-defined
182/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
183/// The stdout contract is a free-form JSON object (same as any
184/// inventory job) from which the agent reads `status_field` /
185/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
186/// on the Client App's Health tab.
187///
188/// There is deliberately **no timing field** — when / how often /
189/// in which window a check runs is driven by the job's Schedule,
190/// exactly like inventory jobs, so operators get the full `when:` /
191/// rollout / `runs_on` expressiveness for free.
192///
193/// A check's stdout is a **free-form inventory object** (arbitrary
194/// key/value pairs + arrays) — same as any inventory job — that also
195/// carries a status field. `check:` adds only the health semantics on
196/// top: which field is the ok/warn/fail/unknown status, an optional
197/// one-line summary field, and a remediation job. Everything else
198/// (rich per-PC detail, `explode` sub-tables like a software list) is
199/// driven by a co-present [`InventoryHint`] and rendered with the
200/// SAME display logic the SPA Inventory page uses — on the Client App
201/// too. This keeps checks maximally expressive without a bespoke
202/// payload type.
203#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
204pub struct CheckHint {
205 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
206 /// the SPA/Client React key + analytics label. Unique within the
207 /// fleet's check set.
208 pub name: String,
209 /// Top-level stdout field whose string value
210 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
211 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
212 /// `"status"`; a missing / unparseable value → `unknown`.
213 #[serde(default = "default_status_field")]
214 pub status_field: String,
215 /// Top-level stdout field used as the Health-tab row's one-line
216 /// summary. Defaults to `"detail"`; absent in the payload → no
217 /// detail line (the rich breakdown lives in the inventory view).
218 #[serde(default = "default_detail_field")]
219 pub detail_field: String,
220 /// Optional remediation job id →
221 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
222 /// App shows a "修復する" button when present; that job must be
223 /// `user_invokable`.
224 #[serde(default, skip_serializing_if = "Option::is_none")]
225 pub troubleshoot: Option<String>,
226 /// #290 PR-E: when `true` (default), the backend also projects this
227 /// check's `status` / `detail` into the `check_status` table so the
228 /// operator SPA gets a fleet-wide compliance view for free — no
229 /// `inventory:` block needed. Set `fleet: false` for a client-only
230 /// check the operator doesn't want surfaced across the fleet.
231 #[serde(default = "default_fleet")]
232 pub fleet: bool,
233}
234
235fn default_status_field() -> String {
236 "status".to_string()
237}
238
239fn default_detail_field() -> String {
240 "detail".to_string()
241}
242
243fn default_fleet() -> bool {
244 true
245}
246
247/// Manifest sub-section (#291): marks a job as **user-invokable**
248/// from the Client App and carries how it presents to the end user.
249/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
250/// the block's presence is the opt-in (no separate boolean), and its
251/// required fields (`name`, `category`) are enforced by serde at
252/// parse time, so a half-filled catalog entry fails
253/// `kanade job create` instead of rendering a nameless / tab-less row.
254///
255/// The agent maps this 1:1 into the KLP
256/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
257/// that `jobs.list` returns; the Client App renders one row per job in
258/// the tab named by `category`.
259#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
260pub struct ClientHint {
261 /// End-user-facing title for the job row. The operator-internal
262 /// `Manifest::id` slug is rarely what an end user should read, so
263 /// this is required (and validated non-empty by
264 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
265 pub name: String,
266 /// Optional one-line subtitle under `name` in the Client App.
267 /// Distinct from the operator-facing top-level
268 /// [`Manifest::description`] — this one is written for the end
269 /// user. Maps to `UserInvokableJob::display_description`.
270 #[serde(default, skip_serializing_if = "Option::is_none")]
271 pub description: Option<String>,
272 /// Which Client App tab the job lives in (`software_update` →
273 /// アップデート, `troubleshoot` → 困ったとき, `catalog` → software
274 /// catalog). Required — without it the agent can't place the job
275 /// in a tab.
276 pub category: JobCategory,
277 /// Optional icon hint for the job row — a lucide-react icon name
278 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
279 /// category's default icon. Surfaced verbatim in
280 /// `jobs.list[].icon`.
281 #[serde(default, skip_serializing_if = "Option::is_none")]
282 pub icon: Option<String>,
283}
284
285/// Issue #246 — `emit:` manifest block for jobs whose stdout is
286/// NDJSON observability events (one `ObsEvent` per line). Parallel
287/// to `inventory:` but for the append-only timeline pipeline; see
288/// `Manifest::emit` for the full contract.
289#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
290pub struct EmitConfig {
291 /// What kind of payload the agent should expect on stdout. Only
292 /// `events` is defined today (parses each non-empty line as
293 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
294 /// (e.g. metrics streams, structured trace events) plug in here.
295 #[serde(rename = "type")]
296 pub kind: EmitKind,
297 /// Operator hint for where the script keeps its own state — the
298 /// watermark file the PowerShell / sh body reads + writes
299 /// between runs so it only emits NEW events since the last
300 /// poll. The agent doesn't read this; it's documentation that
301 /// the SPA (and `kanade job edit`) can surface to operators
302 /// reviewing the manifest. Optional; the script is allowed to
303 /// keep state anywhere (registry, env, etc.) — the field's
304 /// presence makes the convention discoverable.
305 #[serde(default, skip_serializing_if = "Option::is_none")]
306 pub watermark_path: Option<String>,
307}
308
309/// `emit.type` enum. Lowercase serde so manifests read
310/// `type: events` rather than `Events`.
311#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
312#[serde(rename_all = "lowercase")]
313pub enum EmitKind {
314 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
315 /// `obs.<pc_id>`, drops the stdout from the resulting
316 /// `ExecResult`.
317 Events,
318}
319
320/// v0.31 / #40: declarative "flatten this JSON array into a real
321/// SQLite table" spec on an inventory manifest. The projector
322/// creates the table on first registration (CREATE TABLE IF NOT
323/// EXISTS + indexes) and writes a row per element of
324/// `payload[field]` on every result, scoped by (pc_id, job_id) so
325/// each PC's rows replace cleanly without a per-PC schema.
326#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
327pub struct ExplodeSpec {
328 /// JSON array key under the payload to explode. E.g. `"apps"`
329 /// for `payload: { apps: [{...}, {...}] }`.
330 pub field: String,
331 /// Derived SQLite table name. Operators choose this — pick
332 /// something namespaced + stable (`inventory_sw_apps`, not
333 /// `apps`) so multiple inventory manifests don't collide on a
334 /// generic name.
335 pub table: String,
336 /// Element-level fields that uniquely identify a row inside one
337 /// PC's payload. The full PK is `(pc_id, job_id) + these
338 /// columns`. Required — operators must think about uniqueness
339 /// (e.g. `["name", "source"]` for installed apps because the
340 /// same name appears in multiple uninstall hives).
341 ///
342 /// v0.31 / #41: same tuple drives history identity. When
343 /// `track_history` is on, the projector serialises these
344 /// fields' values into `inventory_history.identity_json` for
345 /// every change event, so queries like "every PC that ever
346 /// installed Chrome (any source)" filter on identity_json
347 /// content without a per-manifest schema.
348 pub primary_key: Vec<String>,
349 /// Per-element fields that become columns in the derived table.
350 pub columns: Vec<ExplodeColumn>,
351 /// v0.31 / #41: when true (default false), the projector
352 /// diffs each PC's incoming payload against the prior rows
353 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
354 /// replace, and writes added / removed / changed events into
355 /// `inventory_history`. Lets operators answer time-dimension
356 /// questions ("when did Chrome 120 first appear on PC X?",
357 /// "what's the Win 11 23H2 rollout curve") without storing
358 /// per-scan snapshots. Off by default so operators opt in
359 /// per-spec — history has a real storage cost on long-lived
360 /// deployments (mitigated by the 90-day default retention
361 /// sweeper, see `cleanup` module).
362 #[serde(default)]
363 pub track_history: bool,
364}
365
366/// One column in an [`ExplodeSpec`]'s derived table.
367#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
368pub struct ExplodeColumn {
369 /// JSON key under each array element. Becomes the column name
370 /// in the derived SQLite table — we don't rename.
371 pub field: String,
372 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
373 /// Storage maps directly via `sqlx::query.bind(...)`; type
374 /// mismatches at INSERT-time fail loudly rather than silently
375 /// dropping the row.
376 #[serde(default, skip_serializing_if = "Option::is_none")]
377 #[serde(rename = "type")]
378 pub kind: Option<String>,
379 /// When true, the projector creates a `CREATE INDEX` on this
380 /// column at table-creation time. Boost for the common-filter
381 /// columns (`name`, `version`) — operators mark them
382 /// explicitly, the projector won't guess.
383 #[serde(default)]
384 pub index: bool,
385}
386
387#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
388pub struct DisplayField {
389 /// Top-level key in the stdout JSON.
390 pub field: String,
391 /// Human-readable column header.
392 pub label: String,
393 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
394 /// or `"table"` (#39). Defaults to plain text rendering on the
395 /// SPA side. `"table"` expects the field's value to be a JSON
396 /// array of objects and renders a nested sub-table on the
397 /// per-PC detail page using `columns` as the schema; the fleet
398 /// summary view falls back to showing the row count for
399 /// `"table"` cells so the wide list stays compact.
400 #[serde(default, skip_serializing_if = "Option::is_none")]
401 #[serde(rename = "type")]
402 pub kind: Option<String>,
403 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
404 /// field's value (an array of objects like
405 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
406 /// sub-table using these columns. Each column is itself a
407 /// `DisplayField`, so the nested cells reuse the same render
408 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
409 /// pipeline. Ignored for any other `kind`.
410 #[serde(default, skip_serializing_if = "Option::is_none")]
411 pub columns: Option<Vec<DisplayField>>,
412}
413
414#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
415pub struct Rollout {
416 #[serde(default)]
417 pub strategy: RolloutStrategy,
418 pub waves: Vec<Wave>,
419}
420
421#[derive(
422 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
423)]
424#[serde(rename_all = "lowercase")]
425pub enum RolloutStrategy {
426 #[default]
427 Wave,
428}
429
430#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
431pub struct Wave {
432 pub group: String,
433 /// humantime delay measured from the deploy's publish time. wave[0]
434 /// typically has "0s"; subsequent waves use minutes / hours.
435 pub delay: String,
436}
437
438#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
439pub struct Target {
440 #[serde(default)]
441 pub groups: Vec<String>,
442 #[serde(default)]
443 pub pcs: Vec<String>,
444 #[serde(default)]
445 pub all: bool,
446}
447
448impl Target {
449 /// At least one of all / groups / pcs is set.
450 pub fn is_specified(&self) -> bool {
451 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
452 }
453}
454
455#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
456pub struct Execute {
457 pub shell: ExecuteShell,
458 /// Inline script body. Mutually exclusive with [`script_file`]
459 /// and [`script_object`]; exactly one of the three must be set
460 /// (enforced by [`Execute::validate_script_source`] at the
461 /// write-side parse boundaries — `kanade job create` and
462 /// `POST /api/jobs`).
463 ///
464 /// Empty string is treated as **unset** so operators can swap
465 /// to a `script_file:` / `script_object:` alternative just by
466 /// commenting out the body, without having to also drop the
467 /// `script:` key entirely.
468 ///
469 /// [`script_file`]: Self::script_file
470 /// [`script_object`]: Self::script_object
471 #[serde(default, skip_serializing_if = "Option::is_none")]
472 pub script: Option<String>,
473 /// Repo-local file path resolved by the operator-side CLI at
474 /// `kanade job create` time. The CLI reads the file, slots its
475 /// contents into `script`, and clears this field before
476 /// POSTing — so the backend / agents never see `script_file`
477 /// in stored manifests. SPEC §2.4.1.
478 ///
479 /// Resolver lands in a follow-up PR
480 /// (yukimemi/kanade#210); today this field passes parse-time
481 /// validation but the operator-side CLI bails with "not yet
482 /// implemented" until the resolver ships, so manifests that
483 /// reach the backend with `script_file` set are treated as a
484 /// schema-bug.
485 #[serde(default, skip_serializing_if = "Option::is_none")]
486 pub script_file: Option<String>,
487 /// Object Store reference (`<name>/<version>`) into the
488 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
489 /// at Execute time via `/api/script-objects/{name}/{version}`
490 /// and cache it locally. SPEC §2.4.1.
491 ///
492 /// Resolver lands in the same follow-up PR as `script_file`;
493 /// today this field passes parse-time validation but the
494 /// backend / agent exec paths bail with "not yet implemented"
495 /// when they see it.
496 #[serde(default, skip_serializing_if = "Option::is_none")]
497 pub script_object: Option<String>,
498 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
499 /// — represents how long this script reasonably takes to run.
500 pub timeout: String,
501 /// Token + session combination the agent uses to launch the
502 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
503 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
504 #[serde(default)]
505 pub run_as: RunAs,
506 /// Working directory for the spawned child (v0.21.1). When
507 /// unset, the child inherits the agent's cwd — on Windows that
508 /// means `%SystemRoot%\System32` for the prod service, which is
509 /// almost never what operators actually want. Use an absolute
510 /// path; relative paths are passed through to the OS verbatim.
511 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
512 /// you'd want `%USERPROFILE%` (but expansion happens in the
513 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
514 /// it via teravars before `kanade job create`).
515 #[serde(default, skip_serializing_if = "Option::is_none")]
516 pub cwd: Option<String>,
517}
518
519impl Execute {
520 /// Treat an empty `script:` body as "intentionally unset". Operators
521 /// commenting out a block-scalar tend to leave the key behind, and
522 /// failing the validator on `script: ""` would surprise them.
523 fn has_inline_script(&self) -> bool {
524 matches!(&self.script, Some(s) if !s.is_empty())
525 }
526
527 /// Enforce that exactly one of `script` / `script_file` /
528 /// `script_object` is set. Called at the write-side parse
529 /// boundaries (CLI `kanade job create` + backend
530 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
531 /// reaches the JOBS KV. Read paths (projector, agent
532 /// scheduler, list endpoints) skip this check — they only ever
533 /// see what the write path already validated.
534 pub fn validate_script_source(&self) -> Result<(), String> {
535 let inline = self.has_inline_script();
536 let file = self.script_file.is_some();
537 let obj = self.script_object.is_some();
538 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
539 match set {
540 1 => Ok(()),
541 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
542 _ => Err(format!(
543 "execute: only one of `script` / `script_file` / `script_object` may be set \
544 (got script={inline}, script_file={file}, script_object={obj})"
545 )),
546 }
547 }
548}
549
550impl Manifest {
551 /// Cross-field semantic checks that don't fit into pure serde
552 /// derive. Currently delegates to
553 /// [`Execute::validate_script_source`] — see that method's
554 /// docs for the rationale on which call sites should run this.
555 pub fn validate(&self) -> Result<(), String> {
556 self.execute.validate_script_source()?;
557 // Stdout-format compatibility. `inventory:` and `check:` both
558 // consume the SAME single JSON object — they COMPOSE: a check
559 // can extract `status`/`detail` for the Health tab while the
560 // projector explodes the rest into SPA sub-tables. `emit:` is
561 // different — its stdout is NDJSON and the agent omits it from
562 // the result entirely — so it can't be paired with either.
563 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
564 return Err(
565 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
566 timeline events (and omitted from the result), while inventory/check read a \
567 single JSON object from stdout"
568 .to_string(),
569 );
570 }
571 // A check's `name` is the Health-tab row id (React key); the
572 // field names tell the agent where to read status/detail.
573 // An empty value is an invisible runtime bug, and the serde
574 // defaults don't guard an operator who writes `status_field:
575 // ""` explicitly — reject all three here.
576 if let Some(check) = &self.check {
577 for (label, value) in [
578 ("check.name", &check.name),
579 ("check.status_field", &check.status_field),
580 ("check.detail_field", &check.detail_field),
581 ] {
582 if value.trim().is_empty() {
583 return Err(format!("{label} must not be empty"));
584 }
585 }
586 // A present-but-blank `troubleshoot` is a broken
587 // remediation job id (the "修復する" button would target
588 // an empty manifest id) — reject it too.
589 if let Some(troubleshoot) = &check.troubleshoot {
590 if troubleshoot.trim().is_empty() {
591 return Err("check.troubleshoot must not be empty when set".to_string());
592 }
593 }
594 }
595 // #291: a `client:` job is rendered in the Client App's
596 // catalog (`jobs.list` → `jobs.execute`). serde already makes
597 // `name` + `category` required at parse time; the only gap is
598 // a present-but-blank `name`, which would render an empty row
599 // title — reject it like the other display-id fields.
600 if let Some(client) = &self.client {
601 if client.name.trim().is_empty() {
602 return Err("client.name must not be empty".to_string());
603 }
604 // Optional display fields, when present, must be
605 // meaningful: a blank `description` renders an empty
606 // subtitle and a blank `icon` is a dangling lucide name.
607 // Same present-but-blank guard the `check:` block applies
608 // to its optional `troubleshoot` id.
609 for (label, value) in [
610 ("client.description", &client.description),
611 ("client.icon", &client.icon),
612 ] {
613 if let Some(v) = value {
614 if v.trim().is_empty() {
615 return Err(format!("{label} must not be empty when set"));
616 }
617 }
618 }
619 }
620 Ok(())
621 }
622}
623
624#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
625#[serde(rename_all = "lowercase")]
626pub enum ExecuteShell {
627 Powershell,
628 Cmd,
629}
630
631impl From<ExecuteShell> for Shell {
632 fn from(s: ExecuteShell) -> Self {
633 match s {
634 ExecuteShell::Powershell => Shell::Powershell,
635 ExecuteShell::Cmd => Shell::Cmd,
636 }
637 }
638}
639
640#[cfg(test)]
641mod tests {
642 use super::*;
643
644 /// The example check-job + schedule YAMLs shipped under `configs/`
645 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
646 /// pins them at compile time so a breaking edit fails `cargo test`
647 /// rather than only `kanade job create` at deploy time.
648 #[test]
649 fn example_check_job_yamls_parse_and_validate() {
650 let jobs = [
651 (
652 "check-bitlocker",
653 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
654 ),
655 (
656 "check-av-signature",
657 include_str!("../../../configs/jobs/check-av-signature.yaml"),
658 ),
659 (
660 "check-cert-expiry",
661 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
662 ),
663 ];
664 for (name, yaml) in jobs {
665 let m: Manifest =
666 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
667 m.validate()
668 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
669 let check = m
670 .check
671 .as_ref()
672 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
673 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
674 // These three examples all read admin-only WMI namespaces,
675 // so they run_as system. NOTE: that's a property of these
676 // particular checks, NOT of the `check:` contract — a check
677 // probing user-session state could legitimately run_as user.
678 assert_eq!(
679 m.execute.run_as,
680 RunAs::System,
681 "{name} should run_as system"
682 );
683 }
684 }
685
686 /// The example user-invokable job YAMLs (#291) shipped under
687 /// `configs/jobs/` must stay valid as the `client:` schema
688 /// evolves. `include_str!` pins them at compile time so a breaking
689 /// edit fails `cargo test`, not `kanade job create` at deploy.
690 #[test]
691 fn example_client_job_yamls_parse_and_validate() {
692 let jobs = [
693 (
694 "fix-teams-cache",
695 JobCategory::Troubleshoot,
696 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
697 ),
698 (
699 "chrome-update",
700 JobCategory::SoftwareUpdate,
701 include_str!("../../../configs/jobs/chrome-update.yaml"),
702 ),
703 (
704 "install-slack",
705 JobCategory::Catalog,
706 include_str!("../../../configs/jobs/install-slack.yaml"),
707 ),
708 ];
709 for (id, category, yaml) in jobs {
710 let m: Manifest =
711 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
712 m.validate()
713 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
714 assert_eq!(m.id, id, "{id} id mismatch");
715 let client = m
716 .client
717 .as_ref()
718 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
719 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
720 assert_eq!(client.category, category, "{id} category");
721 }
722 }
723
724 #[test]
725 fn example_check_schedule_yamls_parse_and_validate() {
726 let schedules = [
727 (
728 "check-bitlocker",
729 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
730 ),
731 (
732 "check-av-signature",
733 include_str!("../../../configs/schedules/check-av-signature.yaml"),
734 ),
735 (
736 "check-cert-expiry",
737 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
738 ),
739 ];
740 for (name, yaml) in schedules {
741 let s: Schedule =
742 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
743 s.validate()
744 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
745 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
746 }
747 }
748
749 #[test]
750 fn target_is_specified_requires_at_least_one_field() {
751 let empty = Target::default();
752 assert!(!empty.is_specified());
753
754 let with_all = Target {
755 all: true,
756 ..Target::default()
757 };
758 assert!(with_all.is_specified());
759
760 let with_groups = Target {
761 groups: vec!["canary".into()],
762 ..Target::default()
763 };
764 assert!(with_groups.is_specified());
765
766 let with_pcs = Target {
767 pcs: vec!["pc-01".into()],
768 ..Target::default()
769 };
770 assert!(with_pcs.is_specified());
771 }
772
773 #[test]
774 fn manifest_deserialises_minimal_yaml() {
775 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
776 // — those live on the schedule / exec request now.
777 let yaml = r#"
778id: echo-test
779version: 0.0.1
780execute:
781 shell: powershell
782 script: "echo 'kanade'"
783 timeout: 30s
784"#;
785 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
786 assert_eq!(m.id, "echo-test");
787 assert_eq!(m.version, "0.0.1");
788 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
789 assert_eq!(
790 m.execute.script.as_deref().map(str::trim),
791 Some("echo 'kanade'")
792 );
793 assert!(m.execute.script_file.is_none());
794 assert!(m.execute.script_object.is_none());
795 assert_eq!(m.execute.timeout, "30s");
796 assert!(!m.require_approval);
797 m.validate()
798 .expect("inline-script manifest passes validation");
799 }
800
801 #[test]
802 fn manifest_parses_check_job_and_validates() {
803 // An operator-defined health check (#290): a `check:` hint +
804 // a PowerShell script that prints {status, detail}.
805 let yaml = r#"
806id: check-bitlocker
807version: 0.1.0
808execute:
809 shell: powershell
810 run_as: system
811 timeout: 15s
812 script: |
813 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
814check:
815 name: bitlocker
816 troubleshoot: fix-bitlocker
817"#;
818 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
819 let check = m.check.as_ref().expect("check hint present");
820 assert_eq!(check.name, "bitlocker");
821 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
822 // Field names default to the conventional "status" / "detail".
823 assert_eq!(check.status_field, "status");
824 assert_eq!(check.detail_field, "detail");
825 assert!(m.inventory.is_none() && m.emit.is_none());
826 m.validate().expect("check-only manifest passes validation");
827 }
828
829 #[test]
830 fn manifest_check_defaults_and_custom_fields() {
831 // Minimal: only `name`; status/detail fields default.
832 let m: Manifest = serde_yaml::from_str(
833 r#"
834id: check-disk
835version: 0.1.0
836execute:
837 shell: powershell
838 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
839 timeout: 10s
840check:
841 name: disk_free
842"#,
843 )
844 .expect("parse");
845 let c = m.check.as_ref().unwrap();
846 assert_eq!(c.name, "disk_free");
847 assert_eq!(c.status_field, "status");
848 assert_eq!(c.detail_field, "detail");
849 assert!(c.troubleshoot.is_none());
850 m.validate().expect("validates");
851
852 // The operator can point status/detail at any field of their
853 // free-form inventory object.
854 let m2: Manifest = serde_yaml::from_str(
855 r#"
856id: check-custom
857version: 0.1.0
858execute:
859 shell: powershell
860 script: "echo x"
861 timeout: 10s
862check:
863 name: patch_level
864 status_field: compliance
865 detail_field: summary
866"#,
867 )
868 .expect("parse");
869 let c2 = m2.check.as_ref().unwrap();
870 assert_eq!(c2.status_field, "compliance");
871 assert_eq!(c2.detail_field, "summary");
872 }
873
874 #[test]
875 fn manifest_allows_check_composed_with_inventory() {
876 // `check:` + `inventory:` COMPOSE on the same stdout object:
877 // status/detail → Health tab, the rest → SPA projection +
878 // explode sub-tables. Must pass validation.
879 let yaml = r#"
880id: check-bitlocker-detailed
881version: 0.1.0
882execute:
883 shell: powershell
884 script: "echo x"
885 timeout: 10s
886check:
887 name: bitlocker
888inventory:
889 display:
890 - { field: status, label: Status }
891"#;
892 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
893 assert!(m.check.is_some() && m.inventory.is_some());
894 m.validate().expect("check + inventory compose");
895 }
896
897 #[test]
898 fn manifest_rejects_check_combined_with_emit() {
899 // `emit:` stdout is NDJSON (and omitted from the result), so
900 // it can't pair with `check:` (which needs a single JSON
901 // object on stdout).
902 let yaml = r#"
903id: bad-mix
904version: 0.1.0
905execute:
906 shell: powershell
907 script: "echo x"
908 timeout: 10s
909check:
910 name: bitlocker
911emit:
912 type: events
913"#;
914 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
915 let err = m.validate().expect_err("emit + check must fail");
916 assert!(err.contains("incompatible"), "err: {err}");
917 }
918
919 #[test]
920 fn manifest_rejects_emit_combined_with_inventory() {
921 // The other half of the emit-incompatibility condition.
922 let yaml = r#"
923id: bad-mix-2
924version: 0.1.0
925execute:
926 shell: powershell
927 script: "echo x"
928 timeout: 10s
929emit:
930 type: events
931inventory:
932 display:
933 - { field: status, label: Status }
934"#;
935 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
936 let err = m.validate().expect_err("emit + inventory must fail");
937 assert!(err.contains("incompatible"), "err: {err}");
938 }
939
940 #[test]
941 fn manifest_rejects_empty_check_field_names() {
942 // Empty name / status_field / detail_field are invisible
943 // runtime bugs (empty React key, agent reads the wrong field)
944 // — reject them even though serde supplies non-empty defaults.
945 let base = |inner: &str| {
946 format!(
947 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
948 )
949 };
950 for inner in [
951 " name: \"\"\n",
952 " name: ok\n status_field: \"\"\n",
953 " name: ok\n detail_field: \" \"\n",
954 // present-but-blank troubleshoot → broken remediation id.
955 " name: ok\n troubleshoot: \" \"\n",
956 ] {
957 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
958 let err = m.validate().expect_err("empty field must fail");
959 assert!(err.contains("must not be empty"), "err: {err}");
960 }
961 }
962
963 #[test]
964 fn manifest_client_absent_by_default() {
965 // A plain operator job (the overwhelming majority) carries no
966 // `client:` block, so it never surfaces in the end-user
967 // catalog.
968 let yaml = r#"
969id: echo-test
970version: 0.0.1
971execute:
972 shell: powershell
973 script: "echo 'kanade'"
974 timeout: 30s
975"#;
976 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
977 assert!(m.client.is_none());
978 m.validate().expect("operator-only job validates");
979 }
980
981 #[test]
982 fn manifest_client_parses_and_validates() {
983 // The Client App "困ったとき" remediation job shape: a
984 // user-invokable troubleshoot job with the end-user fields the
985 // KLP `jobs.list` wire needs, grouped under `client:`.
986 let yaml = r#"
987id: fix-teams-cache
988version: 1.0.0
989execute:
990 shell: powershell
991 script: "echo clearing"
992 timeout: 60s
993client:
994 name: "Teams のキャッシュをクリア"
995 description: "Teams が重いときに試してください"
996 category: troubleshoot
997 icon: brush-cleaning
998"#;
999 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1000 let c = m.client.as_ref().expect("client block present");
1001 assert_eq!(c.name, "Teams のキャッシュをクリア");
1002 assert_eq!(
1003 c.description.as_deref(),
1004 Some("Teams が重いときに試してください")
1005 );
1006 assert_eq!(c.category, JobCategory::Troubleshoot);
1007 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
1008 m.validate().expect("user-invokable job validates");
1009 }
1010
1011 #[test]
1012 fn manifest_client_minimal_only_name_and_category() {
1013 // description + icon are optional; name + category are the
1014 // serde-required minimum.
1015 let yaml = r#"
1016id: install-slack
1017version: 1.0.0
1018execute:
1019 shell: powershell
1020 script: "echo install"
1021 timeout: 600s
1022client:
1023 name: Slack
1024 category: catalog
1025"#;
1026 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1027 let c = m.client.as_ref().expect("client present");
1028 assert_eq!(c.category, JobCategory::Catalog);
1029 assert!(c.description.is_none() && c.icon.is_none());
1030 m.validate().expect("minimal client validates");
1031 }
1032
1033 #[test]
1034 fn manifest_client_rejects_blank_name() {
1035 // serde guarantees `name`/`category` are present; the one gap
1036 // is a present-but-blank name → empty catalog row title.
1037 let yaml = r#"
1038id: j
1039version: 1.0.0
1040execute:
1041 shell: powershell
1042 script: "echo x"
1043 timeout: 30s
1044client:
1045 name: " "
1046 category: catalog
1047"#;
1048 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1049 let err = m.validate().expect_err("blank name must fail");
1050 assert!(err.contains("client.name"), "err: {err}");
1051 }
1052
1053 #[test]
1054 fn manifest_client_rejects_blank_optional_fields() {
1055 // description / icon are optional, but a present-but-blank
1056 // value is a bug (empty subtitle / dangling icon name) — reject
1057 // it, mirroring the check: block's troubleshoot guard.
1058 for (field, line) in [
1059 ("client.description", " description: \" \"\n"),
1060 ("client.icon", " icon: \"\"\n"),
1061 ] {
1062 let yaml = format!(
1063 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
1064 );
1065 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1066 let err = m.validate().expect_err("blank optional field must fail");
1067 assert!(err.contains(field), "expected {field} in err: {err}");
1068 }
1069 }
1070
1071 #[test]
1072 fn manifest_client_requires_category_at_parse() {
1073 // A `client:` block missing `category` is a hard parse error
1074 // (serde required field) — no manual validate() needed.
1075 let yaml = r#"
1076id: j
1077version: 1.0.0
1078execute:
1079 shell: powershell
1080 script: "echo x"
1081 timeout: 30s
1082client:
1083 name: "A job"
1084"#;
1085 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
1086 assert!(
1087 r.is_err(),
1088 "missing category must be a parse error, got {r:?}"
1089 );
1090 }
1091
1092 #[test]
1093 fn manifest_client_rejects_unknown_field() {
1094 // #492: the strict create boundary catches a fat-fingered
1095 // `displayname:` (with its path) instead of silently
1096 // dropping it; the tolerant read path accepts it.
1097 let yaml = r#"
1098id: j
1099version: 1.0.0
1100execute:
1101 shell: powershell
1102 script: "echo x"
1103 timeout: 30s
1104client:
1105 name: "A job"
1106 category: catalog
1107 displayname: oops
1108"#;
1109 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
1110 let err = r.expect_err("unknown client field must be rejected at the write boundary");
1111 // serde_ignored renders the Option layer as `?`:
1112 // `client.?.displayname`. Assert on the leaf key.
1113 assert!(err.contains("displayname"), "{err}");
1114 // The READ path tolerates the same payload (gradual-upgrade
1115 // contract: an old agent must accept a newer writer's field).
1116 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
1117 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
1118 }
1119
1120 fn execute_with(
1121 script: Option<&str>,
1122 script_file: Option<&str>,
1123 script_object: Option<&str>,
1124 ) -> Execute {
1125 Execute {
1126 shell: ExecuteShell::Powershell,
1127 script: script.map(str::to_owned),
1128 script_file: script_file.map(str::to_owned),
1129 script_object: script_object.map(str::to_owned),
1130 timeout: "30s".into(),
1131 run_as: RunAs::default(),
1132 cwd: None,
1133 }
1134 }
1135
1136 #[test]
1137 fn validate_accepts_inline_script() {
1138 let e = execute_with(Some("echo hi"), None, None);
1139 assert!(e.validate_script_source().is_ok());
1140 }
1141
1142 #[test]
1143 fn validate_accepts_script_file_alone() {
1144 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
1145 assert!(e.validate_script_source().is_ok());
1146 }
1147
1148 #[test]
1149 fn validate_accepts_script_object_alone() {
1150 let e = execute_with(None, None, Some("cleanup/1.0.0"));
1151 assert!(e.validate_script_source().is_ok());
1152 }
1153
1154 #[test]
1155 fn validate_treats_empty_inline_script_as_unset() {
1156 // `script: ""` + `script_object` set is the natural shape
1157 // when an operator comments out the YAML block-scalar body
1158 // but leaves the key. Should pass.
1159 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
1160 assert!(e.validate_script_source().is_ok());
1161 }
1162
1163 #[test]
1164 fn validate_rejects_zero_sources() {
1165 let e = execute_with(None, None, None);
1166 let err = e.validate_script_source().unwrap_err();
1167 assert!(err.contains("must be set"), "got: {err}");
1168 }
1169
1170 #[test]
1171 fn validate_rejects_empty_inline_only() {
1172 let e = execute_with(Some(""), None, None);
1173 let err = e.validate_script_source().unwrap_err();
1174 assert!(err.contains("must be set"), "got: {err}");
1175 }
1176
1177 #[test]
1178 fn validate_rejects_inline_plus_file() {
1179 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
1180 let err = e.validate_script_source().unwrap_err();
1181 assert!(err.contains("only one of"), "got: {err}");
1182 }
1183
1184 #[test]
1185 fn validate_rejects_inline_plus_object() {
1186 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
1187 let err = e.validate_script_source().unwrap_err();
1188 assert!(err.contains("only one of"), "got: {err}");
1189 }
1190
1191 #[test]
1192 fn validate_rejects_file_plus_object() {
1193 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
1194 let err = e.validate_script_source().unwrap_err();
1195 assert!(err.contains("only one of"), "got: {err}");
1196 }
1197
1198 #[test]
1199 fn validate_rejects_all_three() {
1200 let e = execute_with(
1201 Some("echo hi"),
1202 Some("scripts/cleanup.ps1"),
1203 Some("cleanup/1.0.0"),
1204 );
1205 let err = e.validate_script_source().unwrap_err();
1206 assert!(err.contains("only one of"), "got: {err}");
1207 }
1208
1209 #[test]
1210 fn manifest_deserialises_script_object_yaml() {
1211 // SPEC §2.4.1 example shape with the Object Store
1212 // reference picked over inline.
1213 let yaml = r#"
1214id: cleanup-disk-temp
1215version: 1.0.1
1216execute:
1217 shell: powershell
1218 script_object: cleanup-disk-temp/1.0.1
1219 timeout: 600s
1220"#;
1221 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1222 assert_eq!(
1223 m.execute.script_object.as_deref(),
1224 Some("cleanup-disk-temp/1.0.1")
1225 );
1226 assert!(m.execute.script.is_none());
1227 m.validate()
1228 .expect("script_object-only manifest passes validation");
1229 }
1230
1231 #[test]
1232 fn manifest_rejects_typo_in_script_field_name() {
1233 // #492: the strict create boundary catches `script_objectt`
1234 // and similar fat-fingers (with the full path) instead of
1235 // letting them silently fall through to "all three unset".
1236 let yaml = r#"
1237id: typo
1238version: 1.0.0
1239execute:
1240 shell: powershell
1241 script_objectt: oops
1242 timeout: 30s
1243"#;
1244 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
1245 .expect_err("typo'd execute field must be rejected at the write boundary");
1246 assert!(err.contains("execute.script_objectt"), "{err}");
1247 }
1248
1249 #[test]
1250 fn schedule_carries_target_and_rollout() {
1251 let yaml = r#"
1252id: hourly-cleanup-canary
1253when:
1254 per_pc: { every: 1h }
1255job_id: cleanup
1256enabled: true
1257target:
1258 groups: [canary, wave1]
1259jitter: 30s
1260rollout:
1261 strategy: wave
1262 waves:
1263 - { group: canary, delay: 0s }
1264 - { group: wave1, delay: 5s }
1265"#;
1266 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1267 assert_eq!(s.id, "hourly-cleanup-canary");
1268 assert_eq!(s.job_id, "cleanup");
1269 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
1270 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
1271 let rollout = s.plan.rollout.expect("rollout present");
1272 assert_eq!(rollout.waves.len(), 2);
1273 assert_eq!(rollout.waves[0].group, "canary");
1274 assert_eq!(rollout.waves[1].delay, "5s");
1275 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
1276 }
1277
1278 #[test]
1279 fn schedule_minimal_target_all() {
1280 let yaml = r#"
1281id: kitting
1282when:
1283 per_pc: once
1284enabled: true
1285job_id: scheduled-echo
1286target: { all: true }
1287"#;
1288 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1289 assert_eq!(s.id, "kitting");
1290 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
1291 assert!(s.enabled);
1292 assert_eq!(s.job_id, "scheduled-echo");
1293 assert!(s.plan.target.all);
1294 assert!(s.plan.rollout.is_none());
1295 assert!(s.plan.jitter.is_none());
1296 assert!(s.active.is_empty());
1297 }
1298
1299 #[test]
1300 fn schedule_enabled_defaults_to_true() {
1301 let yaml = r#"
1302id: x
1303when:
1304 per_pc: once
1305job_id: y
1306target: { all: true }
1307"#;
1308 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1309 assert!(s.enabled);
1310 }
1311
1312 // ---- `when` parsing (#418 Phase 1) ----
1313
1314 fn schedule_yaml_with(when_block: &str) -> String {
1315 format!(
1316 r#"
1317id: x
1318when:
1319{when_block}
1320job_id: y
1321target: {{ all: true }}
1322"#
1323 )
1324 }
1325
1326 #[test]
1327 fn when_per_pc_every_parses_unquoted_humantime() {
1328 // `6h` is digit-led but non-numeric → YAML string, same as
1329 // the old `cooldown: 6h` convention. No quotes needed.
1330 let s: Schedule =
1331 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
1332 assert_eq!(
1333 s.when,
1334 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
1335 );
1336 }
1337
1338 #[test]
1339 fn when_per_target_every_parses() {
1340 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
1341 .expect("parse");
1342 assert_eq!(
1343 s.when,
1344 When::PerTarget(PerPolicy::Every(EverySpec {
1345 every: "24h".into()
1346 }))
1347 );
1348 }
1349
1350 #[test]
1351 fn when_per_target_once_parses() {
1352 // Falls out of the shared PerPolicy shape and decide_fire
1353 // already implements it ("any one pc succeeds → skip the
1354 // target forever"), so it is allowed, not rejected.
1355 let s: Schedule =
1356 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
1357 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
1358 }
1359
1360 #[test]
1361 fn when_calendar_time_parses() {
1362 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
1363 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
1364 ))
1365 .expect("parse");
1366 match &s.when {
1367 When::Calendar(c) => {
1368 assert_eq!(c.at, "09:00");
1369 assert_eq!(c.days, vec!["mon-fri"]);
1370 }
1371 other => panic!("expected calendar, got {other:?}"),
1372 }
1373 }
1374
1375 #[test]
1376 fn when_calendar_days_default_empty() {
1377 let s: Schedule =
1378 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
1379 .expect("parse");
1380 match &s.when {
1381 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
1382 other => panic!("expected calendar, got {other:?}"),
1383 }
1384 }
1385
1386 #[test]
1387 fn when_calendar_datetime_parses_all_separators() {
1388 // one-shot: date+time in hyphen / ISO-T / slash forms
1389 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
1390 let block = format!(" calendar:\n at: \"{at}\"");
1391 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
1392 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
1393 match &s.when {
1394 When::Calendar(c) => {
1395 use chrono::Datelike;
1396 let p = c.parse_at().expect("parse_at");
1397 let d = p.date.expect("datetime at carries a date");
1398 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
1399 }
1400 other => panic!("expected calendar, got {other:?}"),
1401 }
1402 }
1403 }
1404
1405 #[test]
1406 fn when_rejects_bad_once_keyword() {
1407 // `onec` must be a parse error, not a silently-absorbed
1408 // string (OnceLiteral is a single-variant enum for exactly
1409 // this reason).
1410 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
1411 assert!(r.is_err(), "expected parse error, got {r:?}");
1412 }
1413
1414 #[test]
1415 fn when_rejects_unknown_key_in_every() {
1416 // `{ evry: 6h }` still fails on the tolerant read path: the
1417 // required `every` key is missing, so no PerPolicy variant
1418 // matches (#492 removed deny_unknown_fields, but required
1419 // keys keep the untagged disambiguation honest).
1420 let r: Result<Schedule, _> =
1421 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
1422 assert!(r.is_err(), "expected parse error, got {r:?}");
1423 }
1424
1425 #[test]
1426 fn when_rejects_unknown_variant() {
1427 let r: Result<Schedule, _> =
1428 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
1429 assert!(r.is_err(), "expected parse error, got {r:?}");
1430 }
1431
1432 #[test]
1433 fn when_rejects_old_top_level_cron_field() {
1434 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
1435 // loudly (missing `when`), which is what turns stale KV
1436 // blobs into warn-skips after the upgrade.
1437 let yaml = r#"
1438id: x
1439cron: "* * * * * *"
1440job_id: y
1441target: { all: true }
1442"#;
1443 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
1444 assert!(r.is_err(), "expected parse error, got {r:?}");
1445 }
1446
1447 #[test]
1448 fn when_rejects_retired_cron_escape_hatch() {
1449 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
1450 // is now an unknown variant → parse error (operators use the
1451 // calendar form instead).
1452 let r: Result<Schedule, _> =
1453 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
1454 assert!(
1455 r.is_err(),
1456 "expected parse error for retired cron, got {r:?}"
1457 );
1458 }
1459
1460 #[test]
1461 fn when_round_trips_json_and_yaml() {
1462 // Round-trip through the full Schedule: that is the wire
1463 // unit for both stores (JSON catalog KV + YAML mirror), and
1464 // it exercises the singleton_map field attribute that keeps
1465 // serde_yaml on the map shape instead of `!per_pc` tags.
1466 for when in [
1467 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1468 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1469 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1470 When::PerTarget(PerPolicy::Every(EverySpec {
1471 every: "24h".into(),
1472 })),
1473 calendar("09:00", &["mon-fri"]),
1474 calendar("2026-06-10 09:00", &[]),
1475 When::On(vec![OnTrigger::Startup]),
1476 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
1477 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
1478 When::On(vec![OnTrigger::NetworkChange]),
1479 ] {
1480 // Event triggers are agent-only; the rest validate on backend.
1481 let runs_on = if matches!(when, When::On(_)) {
1482 RunsOn::Agent
1483 } else {
1484 RunsOn::Backend
1485 };
1486 let s = schedule_with(when.clone(), runs_on);
1487
1488 let json = serde_json::to_string(&s).expect("json serialise");
1489 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
1490 assert_eq!(back.when, when, "json round-trip for {when}");
1491
1492 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
1493 assert!(
1494 !yaml.contains('!'),
1495 "yaml must use the map shape, not tags: {yaml}"
1496 );
1497 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
1498 assert_eq!(back.when, when, "yaml round-trip for {when}");
1499 }
1500 }
1501
1502 #[test]
1503 fn when_once_serialises_as_bare_keyword() {
1504 // The wire shape operators see in the YAML mirror must stay
1505 // the ergonomic `per_pc: once`, not a one-variant map.
1506 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
1507 .expect("serialise");
1508 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
1509 }
1510
1511 #[test]
1512 fn when_displays_operator_summary() {
1513 for (when, expected) in [
1514 (
1515 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1516 "per_pc once",
1517 ),
1518 (
1519 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1520 "per_pc every 6h",
1521 ),
1522 (
1523 When::PerTarget(PerPolicy::Every(EverySpec {
1524 every: "24h".into(),
1525 })),
1526 "per_target every 24h",
1527 ),
1528 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
1529 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
1530 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
1531 (
1532 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
1533 "on [startup,logon]",
1534 ),
1535 (
1536 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
1537 "on [lock,unlock]",
1538 ),
1539 (
1540 When::On(vec![OnTrigger::NetworkChange]),
1541 "on [network_change]",
1542 ),
1543 ] {
1544 assert_eq!(when.to_string(), expected);
1545 }
1546 }
1547
1548 // ---- lowering (#418: when → engine vocabulary) ----
1549
1550 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
1551 Schedule {
1552 id: "x".into(),
1553 when,
1554 job_id: "y".into(),
1555 plan: FanoutPlan::default(),
1556 active: Active::default(),
1557 constraints: Constraints::default(),
1558 on_failure: OnFailure::default(),
1559 tz: ScheduleTz::default(),
1560 starting_deadline: None,
1561 runs_on,
1562 enabled: true,
1563 }
1564 }
1565
1566 fn calendar(at: &str, days: &[&str]) -> When {
1567 When::Calendar(CalendarSpec {
1568 at: at.into(),
1569 days: days.iter().map(|d| (*d).to_string()).collect(),
1570 })
1571 }
1572
1573 #[test]
1574 fn next_calendar_fire_returns_next_utc_occurrence() {
1575 use chrono::TimeZone;
1576 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
1577 // next strict occurrence is 09:00 that day.
1578 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
1579 s.tz = ScheduleTz::Utc;
1580 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
1581 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
1582 assert_eq!(
1583 next,
1584 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
1585 );
1586 }
1587
1588 #[test]
1589 fn next_calendar_fire_is_strictly_after_now() {
1590 use chrono::TimeZone;
1591 // Standing exactly on a fire instant must preview the *next*
1592 // one (inclusive = false), not the one firing right now.
1593 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
1594 s.tz = ScheduleTz::Utc;
1595 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
1596 let next = s
1597 .next_calendar_fire(on_fire)
1598 .expect("calendar has a next fire");
1599 assert_eq!(
1600 next,
1601 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
1602 );
1603 }
1604
1605 #[test]
1606 fn next_calendar_fire_none_for_reconcile_shapes() {
1607 // `per_pc` / `per_target` lower to the every-minute poll cron —
1608 // no discrete upcoming event to preview, so `None`.
1609 let now = chrono::Utc::now();
1610 for when in [
1611 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1612 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1613 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1614 When::PerTarget(PerPolicy::Every(EverySpec {
1615 every: "24h".into(),
1616 })),
1617 ] {
1618 let s = schedule_with(when, RunsOn::Backend);
1619 assert!(
1620 s.next_calendar_fire(now).is_none(),
1621 "reconcile shapes have no calendar fire",
1622 );
1623 }
1624 }
1625
1626 // ---- preview_fires (#418 dry-run / preview) ----
1627
1628 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
1629 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
1630 s.tz = ScheduleTz::Utc; // host-independent assertions
1631 s
1632 }
1633
1634 #[test]
1635 fn preview_lists_next_calendar_occurrences() {
1636 use chrono::TimeZone;
1637 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
1638 // fires skip the weekend (Sat 13 / Sun 14).
1639 let s = cal_utc("09:00", &["mon-fri"]);
1640 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1641 let got = s.preview_fires(now, 5);
1642 let want: Vec<_> = [
1643 (2026, 6, 10), // Wed
1644 (2026, 6, 11), // Thu
1645 (2026, 6, 12), // Fri
1646 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
1647 (2026, 6, 16), // Tue
1648 ]
1649 .iter()
1650 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
1651 .collect();
1652 assert_eq!(got, want);
1653 }
1654
1655 #[test]
1656 fn preview_handles_nth_and_last_weekday() {
1657 use chrono::TimeZone;
1658 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
1659 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
1660 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
1661 assert_eq!(
1662 nth,
1663 vec![
1664 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
1665 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
1666 ]
1667 );
1668 // Last Friday of the month: Jun 26, Jul 31 2026.
1669 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
1670 assert_eq!(
1671 last,
1672 vec![
1673 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
1674 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
1675 ]
1676 );
1677 }
1678
1679 #[test]
1680 fn preview_is_empty_for_reconcile_and_zero_count() {
1681 let now = chrono::Utc::now();
1682 // reconcile shapes have no discrete fire times
1683 let recon = schedule_with(
1684 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1685 RunsOn::Backend,
1686 );
1687 assert!(recon.preview_fires(now, 5).is_empty());
1688 // count == 0 yields nothing even for a calendar
1689 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
1690 }
1691
1692 #[test]
1693 fn preview_skips_outside_active_window() {
1694 use chrono::TimeZone;
1695 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
1696 // before `from` are skipped; `until` is exclusive, so 06-17's
1697 // fire is out — leaving exactly the 15th and 16th.
1698 let mut s = cal_utc("09:00", &[]);
1699 s.active = Active {
1700 from: Some("2026-06-15".into()),
1701 until: Some("2026-06-17".into()),
1702 };
1703 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1704 let got = s.preview_fires(now, 5);
1705 assert_eq!(
1706 got,
1707 vec![
1708 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
1709 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
1710 ]
1711 );
1712 }
1713
1714 #[test]
1715 fn preview_empty_when_calendar_time_outside_window() {
1716 use chrono::TimeZone;
1717 // Fires at 09:00 but the maintenance window is overnight — it can
1718 // never run, so the preview is empty (matches
1719 // `calendar_outside_window`), and the scan still terminates.
1720 let mut s = cal_utc("09:00", &[]);
1721 s.constraints = Constraints {
1722 window: Some("22:00-05:00".into()),
1723 ..Constraints::default()
1724 };
1725 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1726 assert!(s.preview_fires(now, 5).is_empty());
1727 // Every candidate tick is rejected, so this also exercises the
1728 // SCAN_CAP bound: a large `count` must still terminate (and
1729 // return empty) rather than spin (claude #578 review).
1730 assert!(s.preview_fires(now, 50).is_empty());
1731 }
1732
1733 #[test]
1734 fn preview_past_one_shot_is_empty() {
1735 use chrono::TimeZone;
1736 // A dated one-shot whose instant has passed never fires again.
1737 let s = cal_utc("2026-06-10 09:00", &[]);
1738 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
1739 assert!(s.preview_fires(now, 5).is_empty());
1740 // …but from before it, the single future fire shows up.
1741 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
1742 assert_eq!(
1743 s.preview_fires(before, 5),
1744 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
1745 );
1746 }
1747
1748 #[test]
1749 fn lowering_matches_the_418_table() {
1750 let cases = [
1751 (
1752 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1753 (POLL_CRON, ExecMode::OncePerPc, None),
1754 ),
1755 (
1756 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1757 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
1758 ),
1759 (
1760 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1761 (POLL_CRON, ExecMode::OncePerTarget, None),
1762 ),
1763 (
1764 When::PerTarget(PerPolicy::Every(EverySpec {
1765 every: "24h".into(),
1766 })),
1767 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
1768 ),
1769 // calendar repeating → 6-field cron
1770 (
1771 calendar("09:00", &["mon-fri"]),
1772 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
1773 ),
1774 // calendar daily (no days) → DOW *
1775 (
1776 calendar("18:30", &[]),
1777 ("0 30 18 * * *", ExecMode::EveryTick, None),
1778 ),
1779 // calendar one-shot → 7-field year cron
1780 (
1781 calendar("2026-06-10 09:00", &[]),
1782 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
1783 ),
1784 ];
1785 for (when, (cron, mode, cooldown)) in cases {
1786 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
1787 assert_eq!(l.cron, cron, "cron for {when}");
1788 assert_eq!(l.mode, mode, "mode for {when}");
1789 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
1790 }
1791 }
1792
1793 #[test]
1794 fn lowered_carries_schedule_tz() {
1795 for (tz, want) in [
1796 (ScheduleTz::Local, ScheduleTz::Local),
1797 (ScheduleTz::Utc, ScheduleTz::Utc),
1798 ] {
1799 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
1800 s.tz = tz;
1801 assert_eq!(s.lowered().tz, want, "calendar carries tz");
1802 // reconcile shapes carry tz too (for the active-window check)
1803 let mut s = schedule_with(
1804 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1805 RunsOn::Backend,
1806 );
1807 s.tz = tz;
1808 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
1809 }
1810 }
1811
1812 #[test]
1813 fn poll_cron_is_accepted_by_the_engine_parser() {
1814 // POLL_CRON is system-generated — if the engine's parser
1815 // ever rejected it every reconcile schedule would die at
1816 // register time. Validate it with the same croner config
1817 // (Seconds::Required, dom_and_dow, year optional).
1818 croner::parser::CronParser::builder()
1819 .seconds(croner::parser::Seconds::Required)
1820 .dom_and_dow(true)
1821 .build()
1822 .parse(POLL_CRON)
1823 .expect("POLL_CRON must parse");
1824 }
1825
1826 // ---- Schedule::validate() (#418 decision F) ----
1827
1828 #[test]
1829 fn validate_accepts_reconcile_shapes() {
1830 for when in [
1831 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1832 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1833 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1834 When::PerTarget(PerPolicy::Every(EverySpec {
1835 every: "24h".into(),
1836 })),
1837 ] {
1838 schedule_with(when.clone(), RunsOn::Backend)
1839 .validate()
1840 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
1841 }
1842 }
1843
1844 #[test]
1845 fn validate_accepts_per_pc_on_agent() {
1846 schedule_with(
1847 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
1848 RunsOn::Agent,
1849 )
1850 .validate()
1851 .expect("per_pc + agent is the offline-inventory shape");
1852 }
1853
1854 // ---- #418 event triggers (when: { on }) ----
1855
1856 #[test]
1857 fn validate_accepts_event_on_agent() {
1858 for triggers in [
1859 vec![OnTrigger::Startup],
1860 vec![OnTrigger::Logon],
1861 vec![OnTrigger::Lock],
1862 vec![OnTrigger::Unlock],
1863 vec![OnTrigger::NetworkChange],
1864 vec![
1865 OnTrigger::Startup,
1866 OnTrigger::Logon,
1867 OnTrigger::Lock,
1868 OnTrigger::Unlock,
1869 OnTrigger::NetworkChange,
1870 ],
1871 ] {
1872 schedule_with(When::On(triggers), RunsOn::Agent)
1873 .validate()
1874 .expect("when.on is valid on runs_on: agent");
1875 }
1876 }
1877
1878 #[test]
1879 fn validate_rejects_event_on_backend() {
1880 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
1881 .validate()
1882 .unwrap_err();
1883 assert!(err.contains("when.on"), "got: {err}");
1884 assert!(err.contains("runs_on: agent"), "got: {err}");
1885 }
1886
1887 #[test]
1888 fn validate_rejects_empty_event_list() {
1889 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
1890 .validate()
1891 .unwrap_err();
1892 assert!(err.contains("when.on"), "got: {err}");
1893 assert!(err.contains("at least one"), "got: {err}");
1894 }
1895
1896 #[test]
1897 fn event_schedule_lowers_to_event_mode_and_is_event() {
1898 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
1899 assert!(s.is_event());
1900 assert_eq!(s.lowered().mode, ExecMode::Event);
1901 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
1902 // non-event schedules report no triggers.
1903 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
1904 assert!(!cal.is_event());
1905 assert!(cal.event_triggers().is_empty());
1906 }
1907
1908 // ---- #418 constraints.require (env gates) ----
1909
1910 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
1911 let mut s = schedule_with(
1912 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
1913 runs_on,
1914 );
1915 s.constraints.require = Some(req);
1916 s
1917 }
1918
1919 #[test]
1920 fn require_met_combinations() {
1921 use std::time::Duration;
1922 let idle = |m: u64| Some(Duration::from_secs(m * 60));
1923 // Builder for the sensed state: (ac, idle, cpu, network).
1924 let env = |ac, idle, cpu, net| EnvState {
1925 ac_online: ac,
1926 idle,
1927 cpu_pct: cpu,
1928 network_up: net,
1929 };
1930 // Empty require — always met regardless of sensed state.
1931 assert!(require_met(
1932 &Require::default(),
1933 &env(false, None, None, false)
1934 ));
1935 // ac_power: only on AC.
1936 let ac = Require {
1937 ac_power: true,
1938 ..Default::default()
1939 };
1940 assert!(!require_met(&ac, &env(false, None, None, true)));
1941 assert!(require_met(&ac, &env(true, None, None, false)));
1942 // idle: needs >= the configured min; None idle never satisfies.
1943 let idle10 = Require {
1944 idle: Some("10m".into()),
1945 ..Default::default()
1946 };
1947 assert!(!require_met(&idle10, &env(true, None, None, true)));
1948 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
1949 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
1950 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
1951 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
1952 let cpu20 = Require {
1953 cpu_below: Some(20.0),
1954 ..Default::default()
1955 };
1956 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
1957 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
1958 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
1959 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
1960 // network: only when online.
1961 let net = Require {
1962 network: true,
1963 ..Default::default()
1964 };
1965 assert!(!require_met(&net, &env(true, None, None, false))); // offline
1966 assert!(require_met(&net, &env(true, None, None, true))); // online
1967 // all four: AND.
1968 let all = Require {
1969 ac_power: true,
1970 idle: Some("10m".into()),
1971 cpu_below: Some(20.0),
1972 network: true,
1973 };
1974 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
1975 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
1976 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
1977 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
1978 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
1979 // An unparseable idle is treated as no-requirement by require_met
1980 // (validate rejects it at create time, so this only guards a
1981 // hand-edited blob): ac still gates.
1982 let bad = Require {
1983 ac_power: true,
1984 idle: Some("garbage".into()),
1985 ..Default::default()
1986 };
1987 assert!(require_met(&bad, &env(true, None, None, true)));
1988 assert!(!require_met(&bad, &env(false, None, None, true)));
1989 }
1990
1991 #[test]
1992 fn validate_accepts_and_rejects_cpu_below() {
1993 // In-range accepted.
1994 require_schedule(
1995 Require {
1996 cpu_below: Some(20.0),
1997 ..Default::default()
1998 },
1999 RunsOn::Agent,
2000 )
2001 .validate()
2002 .expect("cpu_below 20 is valid");
2003 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
2004 // 100%). Pins the inclusive upper bound against a future c < 100.0.
2005 require_schedule(
2006 Require {
2007 cpu_below: Some(100.0),
2008 ..Default::default()
2009 },
2010 RunsOn::Agent,
2011 )
2012 .validate()
2013 .expect("cpu_below 100 is valid");
2014 // Out of range rejected (0 and >100).
2015 for bad in [0.0, -5.0, 100.1] {
2016 let err = require_schedule(
2017 Require {
2018 cpu_below: Some(bad),
2019 ..Default::default()
2020 },
2021 RunsOn::Agent,
2022 )
2023 .validate()
2024 .unwrap_err();
2025 assert!(
2026 err.contains("constraints.require.cpu_below"),
2027 "cpu_below {bad}: {err}"
2028 );
2029 }
2030 }
2031
2032 #[test]
2033 fn validate_accepts_require_on_agent() {
2034 require_schedule(
2035 Require {
2036 ac_power: true,
2037 idle: Some("10m".into()),
2038 cpu_below: Some(20.0),
2039 network: true,
2040 },
2041 RunsOn::Agent,
2042 )
2043 .validate()
2044 .expect("constraints.require is valid on runs_on: agent");
2045 }
2046
2047 #[test]
2048 fn validate_rejects_require_on_backend() {
2049 let err = require_schedule(
2050 Require {
2051 ac_power: true,
2052 ..Default::default()
2053 },
2054 RunsOn::Backend,
2055 )
2056 .validate()
2057 .unwrap_err();
2058 assert!(err.contains("constraints.require"), "got: {err}");
2059 assert!(err.contains("runs_on: agent"), "got: {err}");
2060
2061 // An idle-only require (ac_power: false) is also non-empty
2062 // (is_empty folds the fields) and must reject on backend too —
2063 // guards against a regression in Require::is_empty.
2064 let err = require_schedule(
2065 Require {
2066 idle: Some("10m".into()),
2067 ..Default::default()
2068 },
2069 RunsOn::Backend,
2070 )
2071 .validate()
2072 .unwrap_err();
2073 assert!(
2074 err.contains("constraints.require"),
2075 "idle-only on backend: {err}"
2076 );
2077 }
2078
2079 #[test]
2080 fn validate_rejects_bad_require_idle() {
2081 let err = require_schedule(
2082 Require {
2083 idle: Some("not-a-duration".into()),
2084 ..Default::default()
2085 },
2086 RunsOn::Agent,
2087 )
2088 .validate()
2089 .unwrap_err();
2090 assert!(err.contains("constraints.require.idle"), "got: {err}");
2091 }
2092
2093 #[test]
2094 fn require_round_trips_and_skips_empty() {
2095 // ac_power: false is skipped; an all-default require nested in
2096 // constraints is omitted (is_empty folds it in).
2097 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
2098 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
2099 network: true } }\n";
2100 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2101 let req = s.constraints.require.as_ref().expect("require present");
2102 assert!(req.ac_power);
2103 assert_eq!(req.idle.as_deref(), Some("10m"));
2104 assert_eq!(req.cpu_below, Some(20.0));
2105 assert!(req.network);
2106 // Re-serialize: idle + cpu_below + network present, ac_power true.
2107 let back = serde_json::to_string(&s.constraints).unwrap();
2108 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
2109 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
2110 assert!(back.contains("\"network\":true"), "got: {back}");
2111 // An empty require is omitted entirely by is_empty.
2112 let mut empty = s.clone();
2113 empty.constraints.require = Some(Require::default());
2114 assert!(empty.constraints.is_empty());
2115 }
2116
2117 #[test]
2118 fn validate_rejects_per_target_on_agent() {
2119 let err = schedule_with(
2120 When::PerTarget(PerPolicy::Every(EverySpec {
2121 every: "24h".into(),
2122 })),
2123 RunsOn::Agent,
2124 )
2125 .validate()
2126 .unwrap_err();
2127 assert!(err.contains("per_target"), "got: {err}");
2128 assert!(err.contains("runs_on: agent"), "got: {err}");
2129
2130 // per_target: once is also backend-only.
2131 let err = schedule_with(
2132 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2133 RunsOn::Agent,
2134 )
2135 .validate()
2136 .unwrap_err();
2137 assert!(err.contains("per_target"), "got (once): {err}");
2138 assert!(err.contains("runs_on: agent"), "got (once): {err}");
2139 }
2140
2141 #[test]
2142 fn validate_rejects_bad_every_duration() {
2143 let err = schedule_with(
2144 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
2145 RunsOn::Backend,
2146 )
2147 .validate()
2148 .unwrap_err();
2149 assert!(err.contains("when.every"), "got: {err}");
2150 }
2151
2152 #[test]
2153 fn validate_rejects_bad_jitter_and_starting_deadline() {
2154 let mut s = schedule_with(
2155 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2156 RunsOn::Backend,
2157 );
2158 s.plan.jitter = Some("5x".into());
2159 let err = s.validate().unwrap_err();
2160 assert!(err.contains("jitter"), "got: {err}");
2161
2162 let mut s = schedule_with(
2163 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2164 RunsOn::Backend,
2165 );
2166 s.starting_deadline = Some("soon".into());
2167 let err = s.validate().unwrap_err();
2168 assert!(err.contains("starting_deadline"), "got: {err}");
2169 }
2170
2171 #[test]
2172 fn validate_accepts_calendar_shapes() {
2173 for when in [
2174 calendar("09:00", &["mon-fri"]), // weekday morning
2175 calendar("00:00", &["sun"]), // weekly
2176 calendar("18:30", &[]), // daily
2177 calendar("2026-06-10 09:00", &[]), // one-shot
2178 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
2179 ] {
2180 schedule_with(when.clone(), RunsOn::Backend)
2181 .validate()
2182 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
2183 }
2184 }
2185
2186 #[test]
2187 fn validate_rejects_bad_at() {
2188 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
2189 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
2190 .validate()
2191 .unwrap_err();
2192 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
2193 }
2194 }
2195
2196 #[test]
2197 fn validate_rejects_datetime_at_with_days() {
2198 // A dated `at` is a one-shot — pairing it with days is a
2199 // contradiction (the date already pins the day).
2200 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
2201 .validate()
2202 .unwrap_err();
2203 assert!(
2204 err.contains("one-shot") && err.contains("days"),
2205 "got: {err}"
2206 );
2207 }
2208
2209 #[test]
2210 fn validate_rejects_bad_day_name() {
2211 // A garbage DOW token is caught by the days pre-flight and
2212 // reported against `when.days`, not the confusing
2213 // "when.at lowered to invalid cron" (claude #432 review).
2214 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
2215 .validate()
2216 .unwrap_err();
2217 assert!(err.contains("when.days"), "got: {err}");
2218 assert!(err.contains("funday"), "names the bad token: {err}");
2219 // a degenerate range like `mon-` reports the whole token, not
2220 // a cryptic empty part (claude #432 follow-up)
2221 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
2222 .validate()
2223 .unwrap_err();
2224 assert!(err.contains("'mon-'"), "names the whole token: {err}");
2225 // valid names / ranges / numeric / * all pass
2226 for ok in [
2227 calendar("09:00", &["mon-fri"]),
2228 calendar("09:00", &["mon", "wed", "sun"]),
2229 calendar("09:00", &["1-5"]),
2230 ] {
2231 schedule_with(ok.clone(), RunsOn::Backend)
2232 .validate()
2233 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2234 }
2235 }
2236
2237 #[test]
2238 fn validate_accepts_nth_weekday() {
2239 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
2240 // a cron and parses it with croner, so passing here proves the
2241 // whole chain — token → DOW field → engine-acceptable cron.
2242 for ok in [
2243 calendar("09:00", &["tue#2"]), // 2nd Tuesday
2244 calendar("09:00", &["fri#1"]), // 1st Friday
2245 calendar("03:00", &["sun#5"]), // 5th Sunday
2246 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
2247 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
2248 // Case-insensitive both sides: validate lowercases, croner
2249 // upper-cases the whole pattern before aliasing (claude #547).
2250 calendar("09:00", &["TUE#2"]),
2251 ] {
2252 schedule_with(ok.clone(), RunsOn::Backend)
2253 .validate()
2254 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2255 }
2256 }
2257
2258 #[test]
2259 fn validate_rejects_bad_nth_weekday() {
2260 // ordinal out of 1..5, a range with #, and a bad day before #.
2261 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
2262 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2263 .validate()
2264 .unwrap_err();
2265 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2266 }
2267 }
2268
2269 #[test]
2270 fn validate_accepts_last_weekday() {
2271 // #418: last-weekday (`friL` = last Friday). Like the nth case,
2272 // validate() lowers to a cron and round-trips it through croner,
2273 // so passing proves token → DOW field → engine-acceptable cron
2274 // with the verified last-<dow>-of-month semantics.
2275 for ok in [
2276 calendar("09:00", &["friL"]), // last Friday
2277 calendar("03:00", &["sunL"]), // last Sunday
2278 calendar("22:00", &["5L"]), // numeric DOW + last
2279 calendar("00:00", &["0L"]), // numeric Sunday (0…
2280 calendar("00:00", &["7L"]), // …and its 7 alias)
2281 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
2282 // Case-insensitive both the weekday and the `L` suffix:
2283 // validate lowercases the day, croner upper-cases the whole
2284 // pattern before aliasing (claude #547).
2285 calendar("09:00", &["FRIL"]),
2286 calendar("09:00", &["fril"]),
2287 ] {
2288 schedule_with(ok.clone(), RunsOn::Backend)
2289 .validate()
2290 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2291 }
2292 }
2293
2294 #[test]
2295 fn validate_rejects_bad_last_weekday() {
2296 // bare `L` (no weekday — a footgun croner reads as Saturday), a
2297 // range with L, a bad day before L, and an internal space that
2298 // would otherwise leak a malformed cron downstream (gemini #560).
2299 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
2300 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2301 .validate()
2302 .unwrap_err();
2303 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2304 }
2305 }
2306
2307 #[test]
2308 fn calendar_oneshot_instant_detects_past() {
2309 use chrono::TimeZone;
2310 // a dated `at` resolves to an absolute instant…
2311 let c = CalendarSpec {
2312 at: "2024-01-01 09:00".into(),
2313 days: vec![],
2314 };
2315 let t = c
2316 .oneshot_instant(ScheduleTz::Utc)
2317 .expect("one-shot instant");
2318 assert_eq!(
2319 t,
2320 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
2321 );
2322 assert!(t < chrono::Utc::now(), "2024 is in the past");
2323 // …while a repeating (time-only) calendar has no instant
2324 let rep = CalendarSpec {
2325 at: "09:00".into(),
2326 days: vec!["mon-fri".into()],
2327 };
2328 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
2329 }
2330
2331 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
2332 let mut s = schedule_with(
2333 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2334 RunsOn::Backend,
2335 );
2336 s.active = Active {
2337 from: from.map(str::to_owned),
2338 until: until.map(str::to_owned),
2339 };
2340 s
2341 }
2342
2343 #[test]
2344 fn validate_accepts_active_window() {
2345 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
2346 .validate()
2347 .expect("date + rfc3339 bounds should validate");
2348 }
2349
2350 #[test]
2351 fn validate_rejects_unparseable_active_bound() {
2352 let err = schedule_with_active(Some("July 1st"), None)
2353 .validate()
2354 .unwrap_err();
2355 assert!(err.contains("active"), "got: {err}");
2356 }
2357
2358 #[test]
2359 fn validate_rejects_from_not_before_until() {
2360 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
2361 .validate()
2362 .unwrap_err();
2363 assert!(err.contains("strictly before"), "got: {err}");
2364
2365 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
2366 .validate()
2367 .unwrap_err();
2368 assert!(err.contains("strictly before"), "got: {err}");
2369 }
2370
2371 // ---- Active window semantics ----
2372
2373 #[test]
2374 fn active_window_is_half_open() {
2375 use chrono::TimeZone;
2376 let active = Active {
2377 from: Some("2026-07-01".into()),
2378 until: Some("2026-08-01".into()),
2379 };
2380 // UTC tz so the date bounds are UTC midnight.
2381 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
2382 let c = |t| active.contains(t, ScheduleTz::Utc);
2383 assert!(!c(at(2026, 6, 30, 23)), "before from");
2384 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
2385 assert!(c(at(2026, 7, 15, 12)), "inside");
2386 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
2387 assert!(!c(at(2026, 8, 2, 0)), "after until");
2388 }
2389
2390 #[test]
2391 fn active_empty_window_is_always_active() {
2392 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
2393 }
2394
2395 #[test]
2396 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
2397 use chrono::TimeZone;
2398 let active = Active {
2399 from: Some("2026-07-01T09:00:00+09:00".into()),
2400 until: None,
2401 };
2402 // RFC3339 carries its own offset → tz arg is ignored.
2403 // 09:00 JST = 00:00 UTC.
2404 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
2405 assert!(
2406 !active.contains(
2407 chrono::Utc
2408 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
2409 .unwrap(),
2410 tz
2411 )
2412 );
2413 assert!(active.contains(
2414 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
2415 tz
2416 ));
2417 }
2418 }
2419
2420 #[test]
2421 fn active_date_bound_respects_tz() {
2422 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
2423 // tz* (#418 Phase 2). The UTC interpretation is exact and
2424 // host-independent; assert that precisely.
2425 use chrono::TimeZone;
2426 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
2427 assert_eq!(
2428 utc,
2429 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
2430 );
2431
2432 // The local interpretation must equal what chrono::Local
2433 // computes for the same wall-clock midnight — proves the tz
2434 // path is wired to the host zone (the magnitude vs UTC is
2435 // host-dependent, so we compare against Local directly rather
2436 // than hard-coding the JST offset, keeping CI green on UTC
2437 // runners).
2438 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
2439 let want = chrono::Local
2440 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
2441 .single()
2442 .expect("local midnight is unambiguous")
2443 .with_timezone(&chrono::Utc);
2444 assert_eq!(local, want, "date bound resolved in host-local tz");
2445 }
2446
2447 #[test]
2448 fn active_empty_is_skipped_when_serialising() {
2449 let s = schedule_with(
2450 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2451 RunsOn::Backend,
2452 );
2453 let json = serde_json::to_value(&s).expect("serialise");
2454 assert!(
2455 json.get("active").is_none(),
2456 "empty active must not appear on the wire: {json}"
2457 );
2458 }
2459
2460 // ---- constraints.window (#418 Phase 3) ----
2461
2462 fn with_window(win: &str) -> Schedule {
2463 let mut s = schedule_with(
2464 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2465 RunsOn::Backend,
2466 );
2467 s.constraints.window = Some(win.into());
2468 s
2469 }
2470
2471 #[test]
2472 fn constraints_window_parses_and_round_trips() {
2473 let yaml = r#"
2474id: x
2475when:
2476 per_pc: { every: 6h }
2477job_id: y
2478target: { all: true }
2479constraints:
2480 window: "22:00-05:00"
2481"#;
2482 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2483 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
2484 let back: Schedule =
2485 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
2486 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
2487 }
2488
2489 #[test]
2490 fn constraints_empty_is_skipped_when_serialising() {
2491 let s = schedule_with(
2492 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2493 RunsOn::Backend,
2494 );
2495 let json = serde_json::to_value(&s).expect("serialise");
2496 assert!(
2497 json.get("constraints").is_none(),
2498 "empty constraints must not appear on the wire: {json}"
2499 );
2500 }
2501
2502 #[test]
2503 fn window_no_constraint_always_allows() {
2504 let c = Constraints::default();
2505 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
2506 }
2507
2508 #[test]
2509 fn window_same_day_is_half_open() {
2510 use chrono::TimeZone;
2511 let s = with_window("09:00-17:00");
2512 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2513 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2514 assert!(!a(at(8, 59)), "before start");
2515 assert!(a(at(9, 0)), "at start (inclusive)");
2516 assert!(a(at(16, 59)), "inside");
2517 assert!(!a(at(17, 0)), "at end (exclusive)");
2518 assert!(!a(at(23, 0)), "after end");
2519 }
2520
2521 #[test]
2522 fn window_crossing_midnight() {
2523 use chrono::TimeZone;
2524 let s = with_window("22:00-05:00");
2525 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2526 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2527 assert!(a(at(22, 0)), "at start tonight");
2528 assert!(a(at(23, 30)), "late tonight");
2529 assert!(a(at(3, 0)), "early tomorrow");
2530 assert!(!a(at(5, 0)), "at end (exclusive)");
2531 assert!(!a(at(12, 0)), "midday outside");
2532 assert!(!a(at(21, 59)), "just before start");
2533 }
2534
2535 #[test]
2536 fn window_respects_tz() {
2537 // The same instant is inside the window under one tz and may
2538 // be outside under another. Compare UTC vs Local via the
2539 // host's own offset (kept CI-green on UTC runners like the
2540 // active tz test does).
2541 use chrono::TimeZone;
2542 let s = with_window("09:00-17:00");
2543 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
2544 // Under UTC, 12:00 is inside 09:00-17:00.
2545 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
2546 // Under Local, the verdict tracks the host wall-clock time;
2547 // assert it matches a direct wall_time membership check.
2548 let local_t = noon_utc.with_timezone(&chrono::Local).time();
2549 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
2550 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
2551 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
2552 }
2553
2554 #[test]
2555 fn validate_accepts_good_window() {
2556 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
2557 with_window(w)
2558 .validate()
2559 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
2560 }
2561 }
2562
2563 #[test]
2564 fn validate_rejects_bad_window() {
2565 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
2566 let err = with_window(bad).validate().unwrap_err();
2567 assert!(
2568 err.contains("constraints.window"),
2569 "for '{bad}', got: {err}"
2570 );
2571 }
2572 }
2573
2574 // ---- constraints.skip_dates (#418 holiday exclusion) ----
2575
2576 fn with_skip_dates(dates: &[&str]) -> Schedule {
2577 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2578 s.tz = ScheduleTz::Utc; // host-independent date assertions
2579 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
2580 s
2581 }
2582
2583 #[test]
2584 fn allows_blocks_listed_skip_date() {
2585 use chrono::TimeZone;
2586 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
2587 // Any time on a listed date is blocked (whole day).
2588 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
2589 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
2590 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
2591 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
2592 // A date not in the list fires normally.
2593 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
2594 assert!(s.constraints.allows(off, ScheduleTz::Utc));
2595 }
2596
2597 #[test]
2598 fn allows_corrupt_skip_date_fails_closed() {
2599 use chrono::TimeZone;
2600 // A garbled entry (only reachable via hand-edited KV) blocks
2601 // rather than silently re-enabling fires — same posture as a
2602 // corrupt window.
2603 let s = with_skip_dates(&["not-a-date"]);
2604 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
2605 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
2606 }
2607
2608 #[test]
2609 fn validate_accepts_good_skip_dates() {
2610 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
2611 .validate()
2612 .expect("well-formed skip dates should validate");
2613 }
2614
2615 #[test]
2616 fn validate_rejects_bad_skip_date() {
2617 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
2618 let err = with_skip_dates(&[bad]).validate().unwrap_err();
2619 assert!(
2620 err.contains("constraints.skip_dates"),
2621 "for '{bad}', got: {err}"
2622 );
2623 }
2624 }
2625
2626 #[test]
2627 fn preview_skips_holidays() {
2628 use chrono::TimeZone;
2629 // Daily 09:00 with two of the next five days marked as holidays
2630 // — preview drops exactly those, since it gates on `allows`.
2631 let mut s = cal_utc("09:00", &[]);
2632 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
2633 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2634 let got = s.preview_fires(now, 4);
2635 let want: Vec<_> = [
2636 (2026, 6, 10),
2637 (2026, 6, 12), // skips 06-11
2638 (2026, 6, 14), // skips 06-13
2639 (2026, 6, 15),
2640 ]
2641 .iter()
2642 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
2643 .collect();
2644 assert_eq!(got, want);
2645 }
2646
2647 // ---- constraints.max_concurrent (#418) ----
2648
2649 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
2650 let mut s = schedule_with(
2651 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2652 runs_on,
2653 );
2654 s.constraints.max_concurrent = Some(max);
2655 s
2656 }
2657
2658 #[test]
2659 fn validate_accepts_backend_max_concurrent() {
2660 with_max_concurrent(5, RunsOn::Backend)
2661 .validate()
2662 .expect("backend max_concurrent should validate");
2663 }
2664
2665 #[test]
2666 fn validate_rejects_max_concurrent_on_agent() {
2667 // Decision E: a central running-instance cap needs a central
2668 // counter, which agents don't have.
2669 let err = with_max_concurrent(5, RunsOn::Agent)
2670 .validate()
2671 .unwrap_err();
2672 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
2673 assert!(err.contains("runs_on: agent"), "got: {err}");
2674 }
2675
2676 #[test]
2677 fn validate_rejects_zero_max_concurrent() {
2678 let err = with_max_concurrent(0, RunsOn::Backend)
2679 .validate()
2680 .unwrap_err();
2681 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
2682 }
2683
2684 #[test]
2685 fn max_concurrent_round_trips_and_skips_when_absent() {
2686 let s = with_max_concurrent(3, RunsOn::Backend);
2687 let json = serde_json::to_value(&s.constraints).expect("ser");
2688 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
2689 // A schedule with no constraints omits the whole block.
2690 let bare = schedule_with(
2691 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2692 RunsOn::Backend,
2693 );
2694 assert!(bare.constraints.is_empty());
2695 }
2696
2697 #[test]
2698 fn window_fail_closed_on_corrupt_blob() {
2699 // A malformed window (only reachable via a hand-edited KV
2700 // blob — validate() rejects it at create) must BLOCK, not
2701 // silently allow fires during a change-freeze (gemini #452).
2702 let s = with_window("22:00_05:00");
2703 assert!(
2704 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
2705 "corrupt window fails closed"
2706 );
2707 // …and the scheduler can surface why it's stuck.
2708 assert!(
2709 s.bad_window().is_some(),
2710 "bad_window reports the parse error"
2711 );
2712 assert!(with_window("22:00-05:00").bad_window().is_none());
2713 }
2714
2715 #[test]
2716 fn calendar_outside_window_is_flagged() {
2717 // at 09:00 can never fall in 22:00-05:00 → never fires.
2718 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
2719 s.constraints.window = Some("22:00-05:00".into());
2720 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
2721
2722 // at 23:00 IS inside the overnight window → fine.
2723 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
2724 s.constraints.window = Some("22:00-05:00".into());
2725 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
2726
2727 // reconcile shapes are never flagged (they poll every minute).
2728 let mut s = schedule_with(
2729 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2730 RunsOn::Backend,
2731 );
2732 s.constraints.window = Some("22:00-05:00".into());
2733 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
2734
2735 // no window → never flagged.
2736 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2737 assert!(!s.calendar_outside_window());
2738 }
2739
2740 // ---- on_failure.retry (#418 Phase 4) ----
2741
2742 fn with_retry(max: u32, backoff: &str) -> Schedule {
2743 let mut s = schedule_with(
2744 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2745 RunsOn::Backend,
2746 );
2747 s.on_failure.retry = Some(Retry {
2748 max,
2749 backoff: backoff.into(),
2750 });
2751 s
2752 }
2753
2754 #[test]
2755 fn on_failure_parses_and_round_trips() {
2756 let yaml = r#"
2757id: x
2758when:
2759 per_pc: { every: 6h }
2760job_id: y
2761target: { all: true }
2762on_failure:
2763 retry: { max: 3, backoff: 10m }
2764"#;
2765 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2766 let r = s.on_failure.retry.as_ref().expect("retry present");
2767 assert_eq!(r.max, 3);
2768 assert_eq!(r.backoff, "10m");
2769 let back: Schedule =
2770 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
2771 assert_eq!(back.on_failure, s.on_failure);
2772 }
2773
2774 #[test]
2775 fn on_failure_empty_is_skipped_when_serialising() {
2776 let s = schedule_with(
2777 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2778 RunsOn::Backend,
2779 );
2780 let json = serde_json::to_value(&s).expect("serialise");
2781 assert!(
2782 json.get("on_failure").is_none(),
2783 "empty on_failure must not appear on the wire: {json}"
2784 );
2785 }
2786
2787 #[test]
2788 fn validate_accepts_good_retry() {
2789 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
2790 with_retry(max, backoff)
2791 .validate()
2792 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
2793 }
2794 }
2795
2796 #[test]
2797 fn validate_rejects_bad_backoff() {
2798 let err = with_retry(3, "soon").validate().unwrap_err();
2799 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
2800 }
2801
2802 #[test]
2803 fn validate_rejects_sub_second_backoff() {
2804 // "500ms" parses as humantime but lowers to 0s on the wire —
2805 // reject it so the operator doesn't get a silent no-wait
2806 // (coderabbit #466).
2807 for bad in ["500ms", "0s", "999ms"] {
2808 let err = with_retry(3, bad).validate().unwrap_err();
2809 assert!(
2810 err.contains("on_failure.retry.backoff must be >= 1s"),
2811 "for '{bad}', got: {err}"
2812 );
2813 }
2814 }
2815
2816 #[test]
2817 fn validate_rejects_out_of_range_max() {
2818 for bad in [0u32, 11, 1000] {
2819 let err = with_retry(bad, "10m").validate().unwrap_err();
2820 assert!(
2821 err.contains("on_failure.retry.max"),
2822 "for max={bad}, got: {err}"
2823 );
2824 }
2825 }
2826
2827 #[test]
2828 fn lowered_retry_reduces_backoff_to_seconds() {
2829 let s = with_retry(3, "10m");
2830 let spec = s.on_failure.lowered_retry().expect("a retry policy");
2831 assert_eq!(spec.max, 3);
2832 assert_eq!(spec.backoff_secs, 600);
2833 }
2834
2835 #[test]
2836 fn lowered_retry_is_none_without_policy() {
2837 let s = schedule_with(
2838 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2839 RunsOn::Backend,
2840 );
2841 assert!(s.on_failure.lowered_retry().is_none());
2842 }
2843
2844 // ---- global change-freeze (#418 Phase 5) ----
2845
2846 #[test]
2847 fn freeze_empty_window_is_always_active() {
2848 // The big-red-button shape: no bounds = frozen until cleared.
2849 let f = Freeze::default();
2850 assert!(f.is_active(chrono::Utc::now()));
2851 }
2852
2853 #[test]
2854 fn freeze_window_is_half_open() {
2855 use chrono::TimeZone;
2856 let f = Freeze {
2857 from: Some("2026-12-20T00:00:00+00:00".into()),
2858 until: Some("2027-01-05T00:00:00+00:00".into()),
2859 reason: Some("year-end".into()),
2860 tz: ScheduleTz::Utc,
2861 };
2862 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
2863 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
2864 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
2865 assert!(f.is_active(at(2026, 12, 31)), "inside window");
2866 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
2867 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
2868 }
2869
2870 #[test]
2871 fn freeze_fails_closed_on_corrupt_bound() {
2872 // A freeze is a safety switch: an unparseable bound (only
2873 // reachable via a hand-edited KV blob) must read as FROZEN, not
2874 // "fire normally" (coderabbit #472) — the opposite of `active`,
2875 // which fail-opens.
2876 let f = Freeze {
2877 from: Some("not-a-date".into()),
2878 until: None,
2879 reason: None,
2880 tz: ScheduleTz::Utc,
2881 };
2882 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
2883 }
2884
2885 #[test]
2886 fn freeze_validate_accepts_good_bounds() {
2887 Freeze {
2888 from: Some("2026-12-20".into()),
2889 until: Some("2027-01-05T12:00:00+09:00".into()),
2890 reason: None,
2891 tz: ScheduleTz::Local,
2892 }
2893 .validate()
2894 .expect("date + rfc3339 bounds should validate");
2895 // Empty (indefinite) freeze is valid.
2896 Freeze::default().validate().expect("empty freeze is valid");
2897 }
2898
2899 #[test]
2900 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
2901 let err = Freeze {
2902 from: Some("never".into()),
2903 ..Default::default()
2904 }
2905 .validate()
2906 .unwrap_err();
2907 assert!(err.contains("freeze:"), "got: {err}");
2908
2909 let inverted = Freeze {
2910 from: Some("2027-01-05".into()),
2911 until: Some("2026-12-20".into()),
2912 ..Default::default()
2913 }
2914 .validate()
2915 .unwrap_err();
2916 assert!(inverted.contains("freeze.from"), "got: {inverted}");
2917 }
2918
2919 #[test]
2920 fn freeze_round_trips_and_skips_empty_fields() {
2921 let f = Freeze {
2922 from: None,
2923 until: Some("2027-01-05".into()),
2924 reason: Some("INC-1234".into()),
2925 tz: ScheduleTz::Utc,
2926 };
2927 let json = serde_json::to_value(&f).expect("serialise");
2928 assert!(json.get("from").is_none(), "empty from omitted: {json}");
2929 let back: Freeze = serde_json::from_value(json).expect("round-trip");
2930 assert_eq!(back, f);
2931 }
2932
2933 #[test]
2934 fn shipped_schedule_configs_parse_and_validate() {
2935 // Every YAML under configs/schedules/ must parse with the
2936 // current Schedule serde AND pass validate() — keeps the
2937 // shipped examples from drifting out of sync with the model
2938 // (#418 removed back-compat, so drift = broken at create).
2939 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
2940 let mut seen = 0;
2941 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
2942 let path = entry.expect("dir entry").path();
2943 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
2944 continue;
2945 }
2946 let body = std::fs::read_to_string(&path).expect("read yaml");
2947 let s: Schedule = serde_yaml::from_str(&body)
2948 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
2949 s.validate()
2950 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
2951 seen += 1;
2952 }
2953 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
2954 }
2955
2956 // ---- pre-existing enum wire formats (unchanged by #418) ----
2957
2958 #[test]
2959 fn exec_mode_serialises_snake_case() {
2960 for (mode, expected) in [
2961 (ExecMode::EveryTick, "every_tick"),
2962 (ExecMode::OncePerPc, "once_per_pc"),
2963 (ExecMode::OncePerTarget, "once_per_target"),
2964 ] {
2965 let s = serde_json::to_value(mode).expect("serialise");
2966 assert_eq!(s, serde_json::Value::String(expected.into()));
2967 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
2968 .expect("deserialise");
2969 assert_eq!(back, mode, "round-trip for {expected}");
2970 }
2971 }
2972
2973 #[test]
2974 fn schedule_runs_on_defaults_to_backend() {
2975 let yaml = r#"
2976id: x
2977when:
2978 per_pc: once
2979job_id: y
2980target: { all: true }
2981"#;
2982 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2983 assert_eq!(s.runs_on, RunsOn::Backend);
2984 }
2985
2986 #[test]
2987 fn schedule_runs_on_agent_parses() {
2988 let yaml = r#"
2989id: offline-inv
2990when:
2991 per_pc: { every: 1h }
2992job_id: inventory-hw
2993target: { all: true }
2994runs_on: agent
2995"#;
2996 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2997 assert_eq!(s.runs_on, RunsOn::Agent);
2998 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
2999 }
3000
3001 #[test]
3002 fn runs_on_serialises_snake_case() {
3003 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
3004 let s = serde_json::to_value(mode).expect("serialise");
3005 assert_eq!(s, serde_json::Value::String(expected.into()));
3006 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
3007 .expect("deserialise");
3008 assert_eq!(back, mode);
3009 }
3010 }
3011
3012 #[test]
3013 fn execute_shell_into_wire_shell() {
3014 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
3015 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
3016 }
3017
3018 #[test]
3019 fn manifest_staleness_defaults_to_cached() {
3020 let yaml = r#"
3021id: x
3022version: 1.0.0
3023execute:
3024 shell: powershell
3025 script: "echo"
3026 timeout: 1s
3027"#;
3028 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3029 assert_eq!(m.staleness, Staleness::Cached);
3030 }
3031
3032 #[test]
3033 fn manifest_strict_staleness_parses() {
3034 let yaml = r#"
3035id: urgent-patch
3036version: 2.5.1
3037execute:
3038 shell: powershell
3039 script: Install-Hotfix
3040 timeout: 5m
3041staleness:
3042 mode: strict
3043 max_cache_age: 0s
3044"#;
3045 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3046 match m.staleness {
3047 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
3048 other => panic!("expected strict, got {other:?}"),
3049 }
3050 }
3051
3052 #[test]
3053 fn manifest_unchecked_staleness_parses() {
3054 let yaml = r#"
3055id: legacy
3056version: 0.1.0
3057execute:
3058 shell: cmd
3059 script: "echo"
3060 timeout: 1s
3061staleness:
3062 mode: unchecked
3063"#;
3064 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3065 assert_eq!(m.staleness, Staleness::Unchecked);
3066 }
3067
3068 #[test]
3069 fn missing_required_field_errors() {
3070 // `id` missing.
3071 let yaml = r#"
3072version: 1.0.0
3073target: { all: true }
3074execute:
3075 shell: powershell
3076 script: "echo"
3077 timeout: 1s
3078"#;
3079 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
3080 assert!(r.is_err(), "expected error, got {:?}", r);
3081 }
3082
3083 #[test]
3084 fn display_field_table_kind_round_trips_with_nested_columns() {
3085 // #39: `type: table` + `columns:` on a DisplayField gets
3086 // round-tripped through serde so the SPA receives the
3087 // nested schema verbatim. Nested columns themselves are
3088 // DisplayFields so they can carry `type: bytes` /
3089 // `type: number` for cell formatting.
3090 let yaml = r#"
3091id: inv-hw
3092version: 1.0.0
3093execute:
3094 shell: powershell
3095 script: "echo"
3096 timeout: 60s
3097inventory:
3098 display:
3099 - field: hostname
3100 label: Hostname
3101 - field: disks
3102 label: Disks
3103 type: table
3104 columns:
3105 - field: device_id
3106 label: Drive
3107 - field: size_bytes
3108 label: Size
3109 type: bytes
3110 - field: free_bytes
3111 label: Free
3112 type: bytes
3113 - field: file_system
3114 label: FS
3115"#;
3116 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3117 let inv = m.inventory.as_ref().expect("inventory hint");
3118 let disks = inv
3119 .display
3120 .iter()
3121 .find(|d| d.field == "disks")
3122 .expect("disks display row");
3123 assert_eq!(disks.kind.as_deref(), Some("table"));
3124 let cols = disks.columns.as_ref().expect("table needs columns");
3125 assert_eq!(cols.len(), 4);
3126 assert_eq!(cols[1].field, "size_bytes");
3127 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
3128 }
3129
3130 #[test]
3131 fn display_field_scalar_kind_keeps_columns_none() {
3132 // Defensive: when type is a scalar (`bytes` / `number` /
3133 // `timestamp`) the `columns` field stays None — the SPA
3134 // uses its presence as the "render nested table" signal,
3135 // so it must not leak in via serde defaults.
3136 let yaml = r#"
3137id: x
3138version: 1.0.0
3139execute:
3140 shell: powershell
3141 script: "echo"
3142 timeout: 5s
3143inventory:
3144 display:
3145 - { field: ram_bytes, label: RAM, type: bytes }
3146"#;
3147 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3148 let inv = m.inventory.as_ref().unwrap();
3149 assert!(inv.display[0].columns.is_none());
3150 }
3151
3152 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
3153
3154 /// The JSON Schemas under `docs/schemas/` must match what
3155 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
3156 /// so a `Schedule` / `Manifest` field change can't silently drift
3157 /// the operator-facing schema. The SPA editor, the backend
3158 /// `/api/schemas/*` endpoints, and these files all read the same
3159 /// derived shape; this test fails CI if the checked-in copy lags.
3160 /// Regenerate with:
3161 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
3162 #[test]
3163 fn schema_files_are_current() {
3164 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
3165 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
3166 }
3167
3168 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
3169 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
3170 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
3171 .join("../../docs/schemas")
3172 .join(name);
3173 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
3174 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
3175 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
3176 return;
3177 }
3178 // Normalize CRLF→LF before comparing: `.gitattributes` already
3179 // pins these files to `eol=lf`, but a stray CRLF working-tree
3180 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
3181 // freshness check into a confusing line-ending failure — that's
3182 // .gitattributes' job, not this test's (gemini #588).
3183 let on_disk = std::fs::read_to_string(&path)
3184 .unwrap_or_else(|e| {
3185 panic!(
3186 "read {path:?}: {e}\n\
3187 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3188 )
3189 })
3190 .replace("\r\n", "\n");
3191 assert_eq!(
3192 on_disk, generated,
3193 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
3194 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3195 );
3196 }
3197}
3198
3199/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
3200/// (target + optional rollout + optional jitter) inline; the
3201/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
3202/// script body. Two schedules of the same job can target different
3203/// groups on different cadences without copying the manifest.
3204///
3205/// #418 Phase 1: the cadence is the single [`When`] field. The old
3206/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
3207/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
3208/// are warn-skipped; re-`schedule create` to upgrade them). The
3209/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
3210/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
3211/// `decide_fire` always ran on.
3212#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
3213pub struct Schedule {
3214 pub id: String,
3215 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
3216 /// or a calendar time trigger (`at` / `days`). See [`When`].
3217 ///
3218 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
3219 /// enums as `!per_pc` YAML tags by default; this keeps the
3220 /// operator-facing map shape (`when: { per_pc: once }`). JSON
3221 /// output is identical either way, and the schemars schema
3222 /// (external tagging = oneOf of single-key objects) already
3223 /// matches the singleton-map wire shape.
3224 #[serde(with = "serde_yaml::with::singleton_map")]
3225 #[schemars(with = "When")]
3226 pub when: When,
3227 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
3228 /// Manifest's `id`.
3229 pub job_id: String,
3230 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
3231 /// carry these any more — same job + different fanout = different
3232 /// schedule.
3233 #[serde(flatten)]
3234 pub plan: FanoutPlan,
3235 /// Optional validity window. Outside `[from, until)` the
3236 /// schedule is dormant — still registered, still visible, but
3237 /// every tick is skipped (deleted ≠ dormant: a campaign that
3238 /// ended stays inspectable and can be re-armed by editing the
3239 /// window). Checked at tick time on both the backend scheduler
3240 /// and the agent's local scheduler.
3241 #[serde(default, skip_serializing_if = "Active::is_empty")]
3242 pub active: Active,
3243 /// #418 operational constraints gating *when within an active
3244 /// period* a fire may happen: a maintenance `window`, a fleet
3245 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
3246 /// wall-clock ones are evaluated in the schedule's `tz`; future
3247 /// `require` (env gates) lands in the same namespace. Checked at
3248 /// tick time on both schedulers (and surfaced by `preview`).
3249 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
3250 pub constraints: Constraints,
3251 /// #418 Phase 4: what to do after a fire's script comes back
3252 /// failed. Currently just `retry` (fixed-backoff in-process
3253 /// re-run); future `notify` / `disable` join the same namespace.
3254 /// Applied fire-side in `handle_command` (the retry policy is
3255 /// lowered onto every Command this schedule produces), so it
3256 /// covers both `runs_on` locations.
3257 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
3258 pub on_failure: OnFailure,
3259 /// #418 Phase 2: the timezone this schedule's wall-clock fields
3260 /// are evaluated in — both the calendar `at` firing time AND the
3261 /// `active.{from,until}` window bounds. `local` (default) = the
3262 /// running host's TZ (the agent's for `runs_on: agent`, the
3263 /// backend server's otherwise); `utc` for TZ-independent
3264 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
3265 /// for firing (poll cron runs every minute regardless) but still
3266 /// honor it for the `active` window.
3267 #[serde(default)]
3268 pub tz: ScheduleTz,
3269 /// v0.22: optional humantime window after a cron tick during
3270 /// which the Command is still considered "live". The scheduler
3271 /// computes `tick_at + starting_deadline` and stamps it onto
3272 /// each Command as `deadline_at`; agents skip Commands they
3273 /// receive after that absolute time. `None` (default) = no
3274 /// deadline, meaning a Command queued in the broker / stream
3275 /// during agent downtime runs whenever the agent reconnects —
3276 /// good for kitting / inventory / cleanup. Set this for
3277 /// time-of-day notifications, lunch reminders, etc., where
3278 /// "fire 3 hours late" would be wrong.
3279 #[serde(default, skip_serializing_if = "Option::is_none")]
3280 pub starting_deadline: Option<String>,
3281 /// v0.23: where does the cron tick happen? `Backend` (default,
3282 /// historical) = backend's scheduler fires Commands via NATS;
3283 /// agents passively receive. `Agent` = each targeted agent runs
3284 /// its own internal cron and fires locally, so the schedule
3285 /// keeps ticking even when the broker is unreachable (laptop on
3286 /// the train, broker maintenance window, full WAN outage). The
3287 /// two locations are mutually exclusive — when `Agent`, the
3288 /// backend scheduler stays out and just keeps the definition in
3289 /// KV for agents to read.
3290 #[serde(default)]
3291 pub runs_on: RunsOn,
3292 #[serde(default = "default_true")]
3293 pub enabled: bool,
3294}
3295
3296/// v0.23 — where the cron tick fires from.
3297#[derive(
3298 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3299)]
3300#[serde(rename_all = "snake_case")]
3301pub enum RunsOn {
3302 /// Backend's central scheduler ticks and publishes Commands to
3303 /// NATS. Historical default, what every pre-v0.23 schedule
3304 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
3305 /// reconnects ⇒ catch-up via [`command_replay`](crate)
3306 /// (see kanade-agent's command_replay module).
3307 #[default]
3308 Backend,
3309 /// Each targeted agent runs the cron tick locally. Survives
3310 /// broker / WAN outages. Best for laptops / mobile devices that
3311 /// roam off the corporate network. Agent must be online for the
3312 /// initial schedule + job-catalog pull, but once cached the
3313 /// agent fires the script standalone.
3314 Agent,
3315}
3316
3317/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
3318#[derive(
3319 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3320)]
3321#[serde(rename_all = "snake_case")]
3322pub enum ExecMode {
3323 /// Fire on every cron tick at the whole target. Historical
3324 /// (pre-v0.19) behavior; no dedup.
3325 #[default]
3326 EveryTick,
3327 /// Fire at each pc until that pc succeeds; then skip it until
3328 /// the optional cooldown elapses (or forever if no cooldown).
3329 /// Use for kitting / first-boot / per-pc compliance checks.
3330 OncePerPc,
3331 /// Fire at the whole target until **any** pc succeeds; then
3332 /// skip the whole target until the optional cooldown elapses
3333 /// (or forever if no cooldown). Use for "one delegate is
3334 /// enough" tasks like license check-in.
3335 OncePerTarget,
3336 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
3337 /// no cron — the agent fires it from an OS event source (boot /
3338 /// session-change), not a tick — so the scheduler skips
3339 /// `tokio-cron` registration for it. Each event occurrence fires
3340 /// once, gated by the standard freeze / active / window /
3341 /// skip_dates checks.
3342 Event,
3343}
3344
3345/// #418 Phase 1 — the single "when does this fire" axis.
3346///
3347/// Replaces the old `cron` + `mode` + `cooldown` trio whose
3348/// interactions were implicit (cron doubled as both a real
3349/// time-of-day trigger and a reconcile poll period; contradictory
3350/// combinations silently no-opped). Two shapes:
3351///
3352/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
3353/// pc (or one delegate) should have run this within `every`".
3354/// The poll period is system-generated ([`POLL_CRON`], every
3355/// minute) and no longer the operator's concern.
3356/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
3357/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
3358/// the whole target at the given time, no dedup. `at: "09:00"` +
3359/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
3360/// exactly once. Evaluated in the schedule's top-level `tz`.
3361#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3362#[serde(rename_all = "snake_case")]
3363pub enum When {
3364 /// Fire at each targeted pc: `once` (kitting — succeed once,
3365 /// skip forever, forever catching brand-new / re-imaged pcs)
3366 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
3367 /// the interval).
3368 PerPc(PerPolicy),
3369 /// Fire until **any** one pc of the target succeeds, then skip
3370 /// the whole target (`once`) or re-arm after `every`. Needs
3371 /// fleet-wide completion data, so it is backend-only —
3372 /// `runs_on: agent` + `per_target` is rejected by
3373 /// [`Schedule::validate`].
3374 PerTarget(PerPolicy),
3375 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
3376 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
3377 /// the whole target at that wall-clock time in the schedule's
3378 /// `tz` — no dedup, no cooldown.
3379 Calendar(CalendarSpec),
3380 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
3381 /// Fires when the agent observes the listed OS event(s) rather than
3382 /// on a clock — there is no cron. `runs_on: agent` only (the agent
3383 /// owns the event source); [`Schedule::validate`] rejects it on
3384 /// `backend` and rejects an empty list. Each event occurrence fires
3385 /// once, gated by the same freeze / active / `constraints.window` /
3386 /// `skip_dates` checks as the cron path. `startup` fires once per OS
3387 /// boot (deduped via the host boot time); a `starting_deadline`, if
3388 /// set, limits it to "agent came up within that long after boot".
3389 On(Vec<OnTrigger>),
3390}
3391
3392/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
3393#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
3394#[serde(rename_all = "snake_case")]
3395pub enum OnTrigger {
3396 /// Once per OS boot (the agent's first run for that boot). Catches
3397 /// freshly-imaged / reinstalled hosts at their next startup.
3398 Startup,
3399 /// On an interactive-session user logon — console, RDP, or
3400 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
3401 /// service / network / batch logons (no interactive session).
3402 Logon,
3403 /// When the workstation is locked (Win+L / idle lock; Windows
3404 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
3405 Lock,
3406 /// When the workstation is unlocked — the user returns to a locked
3407 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
3408 /// compliance / refresh state when work resumes.
3409 Unlock,
3410 /// When the host's network changes — IP address table change on
3411 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
3412 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
3413 /// from one transition fires once after the network settles), so
3414 /// use it for "re-check connectivity / re-register on network move"
3415 /// rather than expecting one fire per raw adapter event.
3416 ///
3417 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
3418 /// transition that touches only IPv6 addresses won't fire. In practice
3419 /// dual-stack networks change both tables together, but a pure-IPv6
3420 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
3421 NetworkChange,
3422}
3423
3424/// Calendar time trigger (#418 Phase 2). `at` is either a time of
3425/// day (`"HH:MM"`, repeating — combine with `days`) or a full
3426/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
3427/// never again). Evaluated in the schedule's top-level `tz`.
3428#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3429pub struct CalendarSpec {
3430 /// `"HH:MM"` (24h) for a repeating trigger, or
3431 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
3432 /// accepted) for a one-shot. Parsed lazily —
3433 /// [`Schedule::validate`] rejects garbage at create time.
3434 pub at: String,
3435 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
3436 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
3437 /// field, so ranges and names both work). An **nth-weekday**
3438 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
3439 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
3440 /// `["friL"]` fires only on the last Friday of each month (handy
3441 /// for monthly maintenance). Empty = every day. Must be empty
3442 /// when `at` carries a date (the date already pins the day).
3443 #[serde(default, skip_serializing_if = "Vec::is_empty")]
3444 pub days: Vec<String>,
3445}
3446
3447/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
3448/// date for a one-shot (`None` = repeating time-of-day).
3449struct ParsedAt {
3450 minute: u32,
3451 hour: u32,
3452 date: Option<chrono::NaiveDate>,
3453}
3454
3455impl CalendarSpec {
3456 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
3457 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
3458 fn parse_at(&self) -> Result<ParsedAt, String> {
3459 use chrono::Timelike;
3460 let s = self.at.trim();
3461 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
3462 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
3463 return Ok(ParsedAt {
3464 minute: dt.minute(),
3465 hour: dt.hour(),
3466 date: Some(dt.date()),
3467 });
3468 }
3469 }
3470 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
3471 return Ok(ParsedAt {
3472 minute: t.minute(),
3473 hour: t.hour(),
3474 date: None,
3475 });
3476 }
3477 Err(format!(
3478 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
3479 self.at
3480 ))
3481 }
3482
3483 /// Pre-flight check on the `days` tokens so a bad day name gives
3484 /// a `when.days:`-scoped error instead of croner's confusing
3485 /// "when.at lowered to invalid cron" (claude #432 review). Each
3486 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
3487 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
3488 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
3489 /// **last-weekday** like `friL` (last Friday of the month).
3490 fn validate_days(&self) -> Result<(), String> {
3491 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
3492 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
3493 for tok in &self.days {
3494 // Report the whole token on a malformed range like `mon-`
3495 // (which would otherwise split to a cryptic empty part —
3496 // claude #432 follow-up).
3497 let invalid = |reason: &str| {
3498 Err(format!(
3499 "when.days: invalid day token '{tok}' ({reason}; \
3500 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
3501 like tue#2, a last-weekday like friL, or *)"
3502 ))
3503 };
3504 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
3505 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
3506 // `to_cron` passes the token through verbatim, so the
3507 // engine fires only on that occurrence. It's a single
3508 // weekday + ordinal — not combinable with a range.
3509 if let Some((day_part, nth_part)) = tok.split_once('#') {
3510 // Normalize once and use `d` consistently (gemini #547);
3511 // the outer `invalid` already echoes the raw `tok`.
3512 let d = day_part.trim().to_ascii_lowercase();
3513 if d.contains('-') || !is_day(&d) {
3514 return invalid("the part before # must be a single weekday");
3515 }
3516 match nth_part.trim().parse::<u8>() {
3517 Ok(n) if (1..=5).contains(&n) => {}
3518 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
3519 }
3520 continue;
3521 }
3522 // #418: last-weekday suffix (`friL` = last Friday of the
3523 // month — the monthly-maintenance sibling of Patch Tuesday).
3524 // Croner accepts `<dow>L` in the DOW field with verified
3525 // last-<dow>-of-month semantics, and `to_cron` passes it
3526 // through verbatim. A single weekday + `L` — bare `L` and
3527 // ranges are rejected (croner would read bare `L` as
3528 // Saturday, which is a confusing footgun).
3529 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
3530 // No `.trim()`: a cron DOW token can't carry internal
3531 // whitespace, so `"fri L"` must be *rejected* here (its
3532 // strip leaves `"fri "`, and `is_day` catches the space)
3533 // rather than trimmed into a clean `"fri"` that then
3534 // produces a malformed `fri L` cron downstream and a
3535 // confusing croner error (gemini #560).
3536 let d = day_part.to_ascii_lowercase();
3537 if d.is_empty() {
3538 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
3539 }
3540 if d.contains('-') || !is_day(&d) {
3541 return invalid(
3542 "the part before L must be a single weekday (e.g. friL = last Friday)",
3543 );
3544 }
3545 continue;
3546 }
3547 for part in tok.split('-') {
3548 let p = part.trim().to_ascii_lowercase();
3549 if p.is_empty() {
3550 return invalid("empty range bound");
3551 }
3552 if p != "*" && !is_day(&p) {
3553 return invalid(&format!("'{part}' is not a day"));
3554 }
3555 }
3556 }
3557 Ok(())
3558 }
3559
3560 /// For a one-shot (`at` carries a date), the absolute instant it
3561 /// fires in `tz`. `None` for a repeating calendar. Used to warn
3562 /// about a one-shot whose date is already in the past (it would
3563 /// never fire).
3564 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
3565 let p = self.parse_at().ok()?;
3566 let date = p.date?;
3567 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
3568 tz.naive_to_utc(naive)
3569 }
3570
3571 /// The wall-clock time-of-day this calendar fires at (`None` if
3572 /// `at` is unparseable — validate() guards that). Used to detect
3573 /// a calendar whose fire time can never fall inside its
3574 /// `constraints.window` (claude #452 review).
3575 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
3576 let p = self.parse_at().ok()?;
3577 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
3578 }
3579
3580 /// Lower to the cron string the scheduler engine runs. Repeating
3581 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
3582 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
3583 /// fires — that's what makes it one-shot).
3584 fn to_cron(&self) -> Result<String, String> {
3585 use chrono::Datelike;
3586 let ParsedAt { minute, hour, date } = self.parse_at()?;
3587 match date {
3588 Some(d) => {
3589 if !self.days.is_empty() {
3590 return Err(
3591 "when.at with a date is a one-shot and cannot be combined with days".into(),
3592 );
3593 }
3594 Ok(format!(
3595 "0 {minute} {hour} {} {} * {}",
3596 d.day(),
3597 d.month(),
3598 d.year()
3599 ))
3600 }
3601 None => {
3602 let dow = if self.days.is_empty() {
3603 "*".to_string()
3604 } else {
3605 self.validate_days()?;
3606 self.days.join(",")
3607 };
3608 Ok(format!("0 {minute} {hour} * * {dow}"))
3609 }
3610 }
3611 }
3612}
3613
3614/// The timezone a schedule's wall-clock fields (`when.at`,
3615/// `active.{from,until}`) are evaluated in (#418 Phase 2).
3616#[derive(
3617 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3618)]
3619#[serde(rename_all = "snake_case")]
3620pub enum ScheduleTz {
3621 /// The running host's local timezone — the agent's for
3622 /// `runs_on: agent`, the backend server's otherwise. Default.
3623 #[default]
3624 Local,
3625 /// UTC — for timezone-independent schedules.
3626 Utc,
3627}
3628
3629impl ScheduleTz {
3630 /// Interpret a naive (zoneless) datetime as being in this tz and
3631 /// convert to UTC. On a DST *fold* (the local time occurs twice
3632 /// when clocks go back) we pick `.earliest()` rather than
3633 /// rejecting it; `None` is reserved for a true DST *gap* (a local
3634 /// time that never exists). `Utc` is fixed-offset so neither ever
3635 /// happens; `Local` is whatever timezone the running host is set
3636 /// to and *can* hit a gap/fold on any DST-observing host — not
3637 /// just the JST we run today (gemini + claude #432 review).
3638 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
3639 use chrono::TimeZone;
3640 match self {
3641 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
3642 naive,
3643 chrono::Utc,
3644 )),
3645 ScheduleTz::Local => chrono::Local
3646 .from_local_datetime(&naive)
3647 .earliest()
3648 .map(|dt| dt.with_timezone(&chrono::Utc)),
3649 }
3650 }
3651
3652 /// The wall-clock time-of-day `now` reads as in this tz — used by
3653 /// [`Constraints::allows`] to test a maintenance window
3654 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
3655 /// running host's local time.
3656 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
3657 match self {
3658 ScheduleTz::Utc => now.time(),
3659 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
3660 }
3661 }
3662
3663 /// The wall-clock *date* `now` reads as in this tz — used by
3664 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
3665 /// exclusion). Same tz semantics as [`Self::wall_time`].
3666 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
3667 match self {
3668 ScheduleTz::Utc => now.date_naive(),
3669 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
3670 }
3671 }
3672
3673 /// Stable lowercase wire/display label (`local` / `utc`) — matches
3674 /// the serde `snake_case` representation. Used for the preview
3675 /// response's `tz` field so the JSON shape isn't coupled to the
3676 /// `Debug` repr (claude #578 review).
3677 pub fn as_str(self) -> &'static str {
3678 match self {
3679 ScheduleTz::Local => "local",
3680 ScheduleTz::Utc => "utc",
3681 }
3682 }
3683}
3684
3685impl std::fmt::Display for ScheduleTz {
3686 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3687 f.write_str(self.as_str())
3688 }
3689}
3690
3691/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
3692/// `per_target`. Untagged so the YAML stays the bare keyword or a
3693/// one-key map, nothing more ceremonial.
3694#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3695#[serde(untagged)]
3696pub enum PerPolicy {
3697 /// The bare string `once`: succeed once, then skip permanently
3698 /// (cooldown = infinity).
3699 Once(OnceLiteral),
3700 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
3701 Every(EverySpec),
3702}
3703
3704/// Single-variant enum so serde accepts exactly the string `once`
3705/// (a free-form `String` would swallow typos like `onec`).
3706#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
3707#[serde(rename_all = "snake_case")]
3708pub enum OnceLiteral {
3709 Once,
3710}
3711
3712/// `{ every: <humantime> }`. Standalone struct (not an inline
3713/// struct variant). `{ evry: 6h }` still fails to parse (the
3714/// required `every` key is missing), and the create boundaries
3715/// reject the unknown `evry` via [`crate::strict`] with its path —
3716/// while agents reading a future writer's extra fields tolerate
3717/// them (#492).
3718#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3719pub struct EverySpec {
3720 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
3721 /// [`Schedule::validate`] rejects garbage at create time.
3722 pub every: String,
3723}
3724
3725impl PerPolicy {
3726 /// The cooldown this policy lowers to: `once` = `None`
3727 /// (permanent skip), `every` = the interval.
3728 fn cooldown(&self) -> Option<String> {
3729 match self {
3730 PerPolicy::Once(_) => None,
3731 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
3732 }
3733 }
3734}
3735
3736impl std::fmt::Display for When {
3737 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
3738 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
3739 /// lines, audit payloads and the API's `ScheduleSummary`.
3740 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3741 let policy = |p: &PerPolicy| match p {
3742 PerPolicy::Once(_) => "once".to_string(),
3743 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
3744 };
3745 match self {
3746 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
3747 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
3748 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
3749 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
3750 When::On(triggers) => {
3751 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
3752 write!(f, "on [{}]", names.join(","))
3753 }
3754 }
3755 }
3756}
3757
3758impl OnTrigger {
3759 /// Lowercase wire/display label (matches the serde `snake_case`).
3760 pub fn as_str(self) -> &'static str {
3761 match self {
3762 OnTrigger::Startup => "startup",
3763 OnTrigger::Logon => "logon",
3764 OnTrigger::Lock => "lock",
3765 OnTrigger::Unlock => "unlock",
3766 OnTrigger::NetworkChange => "network_change",
3767 }
3768 }
3769}
3770
3771/// Optional validity window for a [`Schedule`] (#418 decision G).
3772/// Half-open `[from, until)`; either bound may be omitted. Bounds
3773/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
3774/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
3775/// strings so the JSON Schema the SPA editor consumes stays two
3776/// plain string fields, mirroring `jitter` / `starting_deadline`.
3777///
3778/// #418 Phase 2: bounds are evaluated in the schedule's top-level
3779/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
3780/// calendar `at` AND the `active` window local — one consistent
3781/// timezone per schedule.
3782#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
3783pub struct Active {
3784 /// Dormant before this instant.
3785 #[serde(default, skip_serializing_if = "Option::is_none")]
3786 pub from: Option<String>,
3787 /// Dormant from this instant on (exclusive).
3788 #[serde(default, skip_serializing_if = "Option::is_none")]
3789 pub until: Option<String>,
3790}
3791
3792impl Active {
3793 /// `skip_serializing_if` helper — an empty window means "always
3794 /// active" and is omitted from the wire format entirely.
3795 pub fn is_empty(&self) -> bool {
3796 self.from.is_none() && self.until.is_none()
3797 }
3798
3799 /// Parse one bound: RFC3339 first (offset honored, `tz`
3800 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
3801 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
3802 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
3803 return Ok(dt.with_timezone(&chrono::Utc));
3804 }
3805 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
3806 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
3807 return tz.naive_to_utc(midnight).ok_or_else(|| {
3808 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
3809 });
3810 }
3811 Err(format!(
3812 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
3813 ))
3814 }
3815
3816 /// Is `now` inside the window? Unparseable bounds are treated
3817 /// as absent here (fail-open) — [`Schedule::validate`] is the
3818 /// place that rejects them loudly; this runs on every tick and
3819 /// must never panic on a stale KV blob.
3820 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
3821 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
3822 if bound(&self.from).is_some_and(|from| now < from) {
3823 return false;
3824 }
3825 if bound(&self.until).is_some_and(|until| now >= until) {
3826 return false;
3827 }
3828 true
3829 }
3830}
3831
3832/// Host-environment gate (#418 `constraints.require`). Fire only when
3833/// the target host is in the required state. Sensed **in-process by the
3834/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
3835/// read a target host's power/idle state ([`Schedule::validate`]
3836/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
3837///
3838/// Evaluated at fire time as a skip-this-tick gate (NOT in
3839/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
3840/// cadence re-checks every minute (so it effectively defers until the
3841/// state is met — the intended pairing); a `calendar` fire that lands
3842/// while the state is unmet is simply missed, same as `window`. It is
3843/// therefore a *runtime* gate and does not appear in `preview`.
3844// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
3845#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
3846pub struct Require {
3847 /// Fire only while on **AC power** (skip on battery). Reads
3848 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
3849 /// as not-on-AC (fail-closed — a restrictive gate must not fire
3850 /// when it can't confirm the condition). `false` (default) = no
3851 /// power requirement.
3852 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
3853 pub ac_power: bool,
3854 /// Fire only when the active console session has had **no keyboard /
3855 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
3856 /// "don't run while the user is actively working". Input-based
3857 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
3858 /// headless / disconnected console (no interactive user) trivially
3859 /// satisfies it. `None` (default) = no idle requirement. Parsed
3860 /// lazily; [`Schedule::validate`] rejects garbage at create time.
3861 #[serde(default, skip_serializing_if = "Option::is_none")]
3862 pub idle: Option<String>,
3863 /// Fire only when the **whole-machine CPU usage is below this
3864 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
3865 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
3866 /// sample (`sysinfo` mean over cores), so the reading is up to one
3867 /// `host_perf` cadence old (default 60s) — fine as a "generally
3868 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
3869 /// needs two samples). An unavailable sample (host_perf not warmed
3870 /// up yet, or stale) is treated as "not below" (fail-closed — a
3871 /// restrictive gate must not fire when it can't confirm). `None`
3872 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
3873 /// out-of-range value at create time.
3874 #[serde(default, skip_serializing_if = "Option::is_none")]
3875 pub cpu_below: Option<f64>,
3876 /// Fire only when the host has **internet connectivity** (Windows
3877 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
3878 /// until online" for jobs that download / phone home. A captive
3879 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
3880 /// unknown/unreadable state is treated as offline (fail-closed) — a
3881 /// portal would just fail a download, so we hold the run. For VPN /
3882 /// SASE / app-specific conditions, use a custom script gate (separate
3883 /// slice). `false` (default) = no network requirement.
3884 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
3885 pub network: bool,
3886}
3887
3888impl Require {
3889 /// `skip_serializing_if` helper for an embedded empty `require`.
3890 pub fn is_empty(&self) -> bool {
3891 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
3892 }
3893
3894 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
3895 /// unparseable value — `validate` rejects the latter at create time).
3896 pub fn min_idle(&self) -> Option<std::time::Duration> {
3897 self.idle
3898 .as_deref()
3899 .and_then(|s| humantime::parse_duration(s.trim()).ok())
3900 }
3901
3902 /// First unparseable field for create-time rejection (mirrors
3903 /// [`Constraints::bad_skip_date`]).
3904 pub fn bad_idle(&self) -> Option<String> {
3905 self.idle.as_deref().and_then(|s| {
3906 humantime::parse_duration(s.trim())
3907 .err()
3908 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
3909 })
3910 }
3911}
3912
3913/// Host-environment state sensed by the agent, fed to [`require_met`].
3914/// A named struct (not positional args) so the growing set of sensed
3915/// signals — several of them `bool` — can't be transposed at a call
3916/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
3917#[derive(Debug, Clone, Copy, Default)]
3918pub struct EnvState {
3919 /// Is the host on AC power (`false` if on battery or unreadable).
3920 pub ac_online: bool,
3921 /// How long the console has been idle (`None` = couldn't determine).
3922 pub idle: Option<std::time::Duration>,
3923 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
3924 pub cpu_pct: Option<f64>,
3925 /// Does the host have internet connectivity (`false` if offline /
3926 /// LAN-only / unreadable).
3927 pub network_up: bool,
3928}
3929
3930/// Pure env-gate decision (#418 `constraints.require`). The Win32
3931/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
3932/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
3933/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
3934/// pure and `preview` never evaluates a runtime gate. Each set
3935/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
3936pub fn require_met(req: &Require, env: &EnvState) -> bool {
3937 if req.ac_power && !env.ac_online {
3938 return false;
3939 }
3940 if let Some(min) = req.min_idle() {
3941 match env.idle {
3942 Some(d) if d >= min => {}
3943 _ => return false,
3944 }
3945 }
3946 if let Some(max) = req.cpu_below {
3947 match env.cpu_pct {
3948 Some(p) if p < max => {}
3949 _ => return false,
3950 }
3951 }
3952 if req.network && !env.network_up {
3953 return false;
3954 }
3955 true
3956}
3957
3958/// [`Active`] decides *over what date range* a schedule is live,
3959/// `Constraints` decides *when, within an active period,* a fire is
3960/// allowed: `window` (a maintenance time-of-day window),
3961/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
3962/// (holiday exclusion) and `require` (host-environment gates, agent-only
3963/// — see [`Require`]).
3964// No `Eq`: contains `require: Option<Require>` which holds an f64.
3965#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
3966pub struct Constraints {
3967 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
3968 /// `tz`). Fires outside it are skipped — mainly for reconcile
3969 /// cadences ("patrol every 6h, but only fire overnight") and
3970 /// daytime change-freezes. `start > end` crosses midnight
3971 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
3972 /// lazily; [`Schedule::validate`] rejects garbage at create time.
3973 #[serde(default, skip_serializing_if = "Option::is_none")]
3974 pub window: Option<String>,
3975 /// Fleet-wide cap on how many instances of this schedule's job may
3976 /// run **at the same time** (#418 "同時実行ハード上限"). The
3977 /// backend scheduler counts the job's still-in-flight runs
3978 /// (`execution_results.finished_at IS NULL`) each tick and only
3979 /// dispatches to as many remaining pcs as there are free slots —
3980 /// a rolling window that refills as runs complete. Useful for
3981 /// disk/CPU/network-heavy jobs you don't want hammering the whole
3982 /// fleet at once.
3983 ///
3984 /// **Backend-only** (it needs a central counter): combining it
3985 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
3986 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
3987 /// for `per_pc` reconcile cadences, where the poll re-ticks and
3988 /// refills slots. `None` (default) = no cap.
3989 #[serde(default, skip_serializing_if = "Option::is_none")]
3990 pub max_concurrent: Option<u32>,
3991 /// Calendar dates the schedule must **not** fire on — holidays,
3992 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
3993 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
3994 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
3995 /// the whole day; a calendar fire landing on the date is
3996 /// suppressed) and is honored by both the live scheduler and
3997 /// `preview`, since both gate on [`Constraints::allows`]. Empty
3998 /// (default) = no skips. Operator-supplied: there is no built-in
3999 /// holiday calendar — list the dates you care about. Parsed lazily;
4000 /// [`Schedule::validate`] rejects a malformed date at create time.
4001 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4002 pub skip_dates: Vec<String>,
4003 /// Host-environment gate (#418): fire only when the target host is
4004 /// in the required state (on AC power, idle). Agent-sensed at fire
4005 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
4006 /// no environment requirement.
4007 #[serde(default, skip_serializing_if = "Option::is_none")]
4008 pub require: Option<Require>,
4009}
4010
4011impl Constraints {
4012 /// `skip_serializing_if` helper — empty constraints are omitted
4013 /// from the wire format entirely.
4014 pub fn is_empty(&self) -> bool {
4015 self.window.is_none()
4016 && self.max_concurrent.is_none()
4017 && self.skip_dates.is_empty()
4018 && self.require.as_ref().is_none_or(Require::is_empty)
4019 }
4020
4021 /// The first unparseable `skip_dates` entry, if any — the
4022 /// scheduler logs it at register time so a fail-closed
4023 /// (never-firing) schedule from a hand-edited KV blob is
4024 /// diagnosable, mirroring [`Schedule::bad_window`].
4025 pub fn bad_skip_date(&self) -> Option<String> {
4026 self.skip_dates.iter().find_map(|s| {
4027 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
4028 .err()
4029 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
4030 })
4031 }
4032
4033 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
4034 /// error (a zero-width or all-day window is ambiguous — write no
4035 /// window for "always").
4036 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
4037 let (a, b) = s
4038 .split_once('-')
4039 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
4040 let parse = |part: &str| {
4041 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
4042 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
4043 };
4044 let (start, end) = (parse(a)?, parse(b)?);
4045 if start == end {
4046 return Err(format!(
4047 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
4048 ));
4049 }
4050 Ok((start, end))
4051 }
4052
4053 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
4054 /// always allowed. Half-open `[start, end)`; `start > end`
4055 /// crosses midnight.
4056 ///
4057 /// **Fail-closed** on an unparseable window (returns `false`,
4058 /// gemini #452 review): a window is a *restrictive* constraint
4059 /// (change-freeze / overnight-only), so a corrupt one must NOT
4060 /// silently allow fires during the restricted hours. Bad windows
4061 /// are rejected at create time by [`Schedule::validate`]; this
4062 /// only bites a hand-edited KV blob, where blocking is the safe
4063 /// direction. The scheduler warns at register time
4064 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
4065 /// The tick path never panics regardless.
4066 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
4067 // #418 holiday / blackout dates: never fire on a listed wall
4068 // date (in `tz`). Checked before the window since a skipped day
4069 // overrides any within-window allowance. Fail-closed on a
4070 // corrupt entry (same posture as `window`): a skip date is a
4071 // *restrictive* constraint, so a garbled one must not silently
4072 // re-enable fires — it blocks until fixed (`validate` rejects it
4073 // at create time; `bad_skip_date` lets the scheduler warn).
4074 if !self.skip_dates.is_empty() {
4075 let today = tz.wall_date(now);
4076 let blocked = self.skip_dates.iter().any(|s| {
4077 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
4078 Ok(d) => d == today,
4079 Err(_) => true, // corrupt entry → fail-closed (block)
4080 }
4081 });
4082 if blocked {
4083 return false;
4084 }
4085 }
4086 match self.window.as_deref() {
4087 // No window → always allowed.
4088 None => true,
4089 // Window set: membership, or fail-closed if unparseable
4090 // (`window_contains` returns None for a corrupt window).
4091 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
4092 }
4093 }
4094
4095 /// Membership of a wall-clock time-of-day in the window. `None`
4096 /// when there is no window or it's unparseable (callers decide
4097 /// the failure direction). `start > end` crosses midnight.
4098 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
4099 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
4100 Some(if start <= end {
4101 start <= t && t < end
4102 } else {
4103 t >= start || t < end
4104 })
4105 }
4106}
4107
4108/// What to do when a fire's script fails (#418 Phase 4 — the "高"
4109/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
4110/// happens, `OnFailure` decides what happens *after* one ran and
4111/// came back bad. Only `retry` so far; future `notify` / `disable`
4112/// would join the same namespace.
4113#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4114pub struct OnFailure {
4115 /// Re-run the script in-process when it exits non-zero (or times
4116 /// out), up to a cap, with a fixed backoff between attempts.
4117 /// `None` (default) = no retry: a failed run is published as-is
4118 /// and (for reconcile cadences) simply re-fires on the next poll
4119 /// tick. See [`Retry`].
4120 #[serde(default, skip_serializing_if = "Option::is_none")]
4121 pub retry: Option<Retry>,
4122}
4123
4124impl OnFailure {
4125 /// `skip_serializing_if` helper — an empty policy is omitted from
4126 /// the wire format entirely.
4127 pub fn is_empty(&self) -> bool {
4128 self.retry.is_none()
4129 }
4130
4131 /// Lower the operator-facing `retry` (humantime backoff) onto the
4132 /// engine vocabulary the agent's executor runs on (backoff in
4133 /// whole seconds). Single seam shared by the backend command
4134 /// builder and the agent's local scheduler so the two stamp the
4135 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
4136 /// `None` when there is no retry policy or the backoff is
4137 /// unparseable (validate() rejects the latter at create time;
4138 /// this stays fail-safe = "no retry" for a hand-edited KV blob
4139 /// rather than panicking on the fire path).
4140 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
4141 let r = self.retry.as_ref()?;
4142 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
4143 Some(crate::wire::RetrySpec {
4144 max: r.max,
4145 backoff_secs,
4146 })
4147 }
4148}
4149
4150/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
4151/// *additional* attempts after the first run (so `max: 3` = up to 4
4152/// total executions); `backoff` is the humantime delay slept between
4153/// attempts. The retry happens fire-side (inside `kanade fire` /
4154/// `handle_command`) on every OS for the PoC — the Windows-native
4155/// "restart on failure" Task Scheduler path is deferred to the
4156/// native-delegation phase (#418 decision H).
4157#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4158pub struct Retry {
4159 /// Max additional attempts after the first failure. Bounded
4160 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
4161 /// with a short backoff would otherwise pin a flapping script in
4162 /// a tight loop for the whole window.
4163 pub max: u32,
4164 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
4165 pub backoff: String,
4166}
4167
4168/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
4169/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
4170/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
4171/// global* "stop all automated change" switch the operator flips
4172/// during an incident or a year-end change-freeze. It lives in its
4173/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
4174/// active, both the backend scheduler and every agent's local
4175/// scheduler skip *every* fire.
4176///
4177/// Shapes:
4178/// * `{}` (no bounds) — frozen indefinitely until the operator
4179/// clears it (incident "big red button").
4180/// * `{ from, until }` — frozen only within `[from, until)`,
4181/// evaluated in `tz` (planned change-freeze; auto-thaws).
4182///
4183/// The KV key being *absent* means "not frozen" — so clearing the
4184/// freeze is a KV delete, and `is_active` only ever runs on a freeze
4185/// the operator actually set.
4186#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4187pub struct Freeze {
4188 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
4189 /// `tz`). `None` ⇒ frozen from the beginning of time.
4190 #[serde(default, skip_serializing_if = "Option::is_none")]
4191 pub from: Option<String>,
4192 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
4193 /// no scheduled end (manual clear required).
4194 #[serde(default, skip_serializing_if = "Option::is_none")]
4195 pub until: Option<String>,
4196 /// Operator-supplied note surfaced on the freeze-skip log and the
4197 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
4198 #[serde(default, skip_serializing_if = "Option::is_none")]
4199 pub reason: Option<String>,
4200 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
4201 /// carry their own offset). Defaults to host-local like a
4202 /// schedule's `tz`.
4203 #[serde(default)]
4204 pub tz: ScheduleTz,
4205}
4206
4207impl Freeze {
4208 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
4209 /// both absent) is frozen unconditionally; otherwise membership of
4210 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
4211 /// but **fails CLOSED** on an unparseable bound — a freeze is a
4212 /// safety switch, so a corrupt window (only reachable via a
4213 /// hand-edited KV blob; `validate` rejects it at set time) must
4214 /// mean "frozen", not "fire normally" (coderabbit #472). This is
4215 /// the one deliberate divergence from `active`'s fail-OPEN
4216 /// behaviour, where an unparseable bound dormant-skips a schedule.
4217 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
4218 // Parse a bound; an unparseable one short-circuits the whole
4219 // check to `true` (frozen) via the closure's `None` sentinel
4220 // handled below.
4221 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
4222 match s.as_deref() {
4223 None => Ok(None),
4224 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
4225 }
4226 };
4227 let (from, until) = match (bound(&self.from), bound(&self.until)) {
4228 (Ok(f), Ok(u)) => (f, u),
4229 // Any corrupt bound → fail closed (frozen).
4230 _ => return true,
4231 };
4232 if from.is_some_and(|f| now < f) {
4233 return false;
4234 }
4235 if until.is_some_and(|u| now >= u) {
4236 return false;
4237 }
4238 true
4239 }
4240
4241 /// Reject unparseable bounds / `from >= until` at set time (the
4242 /// API + CLI counterpart to [`Schedule::validate`]).
4243 pub fn validate(&self) -> Result<(), String> {
4244 let from = self
4245 .from
4246 .as_deref()
4247 .map(|s| Active::parse_bound(s, self.tz))
4248 .transpose()
4249 .map_err(|e| e.replace("active:", "freeze:"))?;
4250 let until = self
4251 .until
4252 .as_deref()
4253 .map(|s| Active::parse_bound(s, self.tz))
4254 .transpose()
4255 .map_err(|e| e.replace("active:", "freeze:"))?;
4256 if let (Some(f), Some(u)) = (from, until) {
4257 if f >= u {
4258 return Err(format!(
4259 "freeze.from ({}) must be strictly before freeze.until ({})",
4260 self.from.as_deref().unwrap_or_default(),
4261 self.until.as_deref().unwrap_or_default(),
4262 ));
4263 }
4264 }
4265 Ok(())
4266 }
4267}
4268
4269/// The system-generated poll cadence every reconcile-shaped `when`
4270/// lowers to. Operators never write this: the real inter-run
4271/// spacing is the `every` cooldown; this only bounds "how soon do
4272/// we notice somebody is due" (#418 decision B took the poll
4273/// period away from the operator).
4274pub const POLL_CRON: &str = "0 * * * * *";
4275
4276/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
4277/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
4278/// unchanged is what lets Phase 1 swap the operator surface without
4279/// touching the tick / dedup machinery.
4280pub struct Lowered {
4281 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
4282 /// reconcile shapes, a 6/7-field cron for calendar shapes.
4283 pub cron: String,
4284 /// Dedup semantics for `decide_fire`.
4285 pub mode: ExecMode,
4286 /// Humantime re-arm interval (`None` = succeed once, skip
4287 /// forever).
4288 pub cooldown: Option<String>,
4289 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
4290 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
4291 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
4292 /// so the same value drives the `active`-window check.
4293 pub tz: ScheduleTz,
4294}
4295
4296impl Schedule {
4297 /// The error message if this schedule's `constraints.window` is
4298 /// set but unparseable, else `None`. The scheduler logs this at
4299 /// register time so a fail-closed (never-firing) schedule from a
4300 /// hand-edited KV blob is diagnosable (gemini #452 review).
4301 pub fn bad_window(&self) -> Option<String> {
4302 let w = self.constraints.window.as_deref()?;
4303 Constraints::parse_window(w).err()
4304 }
4305
4306 /// True when this is a `calendar` schedule whose fire time can
4307 /// never fall inside its `constraints.window` — the cron fires,
4308 /// the window check rejects it, and (firing only at that
4309 /// time-of-day) it effectively never runs. An easy misconfig to
4310 /// set up by accident; the scheduler warns at register time
4311 /// (claude #452 review). Reconcile shapes poll every minute, so
4312 /// they always catch the window opening and aren't affected.
4313 pub fn calendar_outside_window(&self) -> bool {
4314 let When::Calendar(c) = &self.when else {
4315 return false;
4316 };
4317 let Some(t) = c.fire_time() else {
4318 return false;
4319 };
4320 matches!(self.constraints.window_contains(t), Some(false))
4321 }
4322
4323 /// Up to `count` future instants this schedule will fire, as
4324 /// absolute UTC, strictly after `now` — the dry-run / preview
4325 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
4326 /// schedules have discrete fire times; reconcile shapes
4327 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
4328 /// they return an empty vec and the caller describes the cadence
4329 /// instead. Occurrences outside the `active.{from,until}` window or
4330 /// the `constraints.window` are **skipped**, so the list reflects
4331 /// when the schedule will ACTUALLY run, not the raw cron ticks.
4332 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
4333 /// `Job::new_async_tz`, and with the same croner config the
4334 /// scheduler / [`Schedule::validate`] use, so a preview can never
4335 /// disagree with a real fire. A schedule that can never fire (a
4336 /// calendar time wholly outside its window, a past one-shot,
4337 /// `enabled: false` is *not* considered here — callers gate on
4338 /// `enabled` separately) yields an empty vec.
4339 pub fn preview_fires(
4340 &self,
4341 now: chrono::DateTime<chrono::Utc>,
4342 count: usize,
4343 ) -> Vec<chrono::DateTime<chrono::Utc>> {
4344 use croner::parser::{CronParser, Seconds};
4345 if !matches!(self.when, When::Calendar(_)) {
4346 return Vec::new();
4347 }
4348 // Same lowering + croner config as `next_calendar_fire` and the
4349 // live scheduler, so a preview can never disagree with a real
4350 // fire. `preview_fires` adds the N-occurrence walk and the
4351 // active / window filtering on top of that single seam.
4352 let lowered = self.lowered();
4353 let Ok(cron) = CronParser::builder()
4354 .seconds(Seconds::Required)
4355 .dom_and_dow(true)
4356 .build()
4357 .parse(&lowered.cron)
4358 else {
4359 return Vec::new();
4360 };
4361 let accept = |utc: chrono::DateTime<chrono::Utc>| {
4362 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
4363 };
4364 match self.tz {
4365 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
4366 ScheduleTz::Local => {
4367 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
4368 }
4369 }
4370 }
4371
4372 /// Walk croner forward from `after` collecting up to `count`
4373 /// accepted occurrences (converted to UTC). Generic over the tz the
4374 /// cron is evaluated in so `preview_fires` can run it in either
4375 /// `Utc` or `Local` without duplicating the loop.
4376 fn next_occurrences<Tz>(
4377 cron: &croner::Cron,
4378 after: chrono::DateTime<Tz>,
4379 count: usize,
4380 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
4381 ) -> Vec<chrono::DateTime<chrono::Utc>>
4382 where
4383 Tz: chrono::TimeZone,
4384 {
4385 // Bound the scan so an `active`/window dead-end (every future
4386 // tick rejected) can't spin forever: ~4096 raw ticks covers
4387 // >10y of a daily calendar while staying instant for croner.
4388 const SCAN_CAP: usize = 4096;
4389 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
4390 let mut cursor = after;
4391 let mut scanned = 0usize;
4392 while out.len() < count && scanned < SCAN_CAP {
4393 scanned += 1;
4394 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
4395 break;
4396 };
4397 let utc = next.with_timezone(&chrono::Utc);
4398 if accept(utc) {
4399 out.push(utc);
4400 }
4401 // `find_next_occurrence(.., inclusive = false)` already
4402 // advances strictly past `cursor`, so handing it `next`
4403 // verbatim gets the following occurrence — no manual +1s
4404 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
4405 cursor = next;
4406 }
4407 out
4408 }
4409
4410 /// Lower the operator-facing `when` onto the engine vocabulary.
4411 /// Single seam shared by the backend scheduler and the agent's
4412 /// local scheduler so the two can never drift.
4413 pub fn lowered(&self) -> Lowered {
4414 let tz = self.tz;
4415 match &self.when {
4416 When::PerPc(p) => Lowered {
4417 cron: POLL_CRON.into(),
4418 mode: ExecMode::OncePerPc,
4419 cooldown: p.cooldown(),
4420 tz,
4421 },
4422 When::PerTarget(p) => Lowered {
4423 cron: POLL_CRON.into(),
4424 mode: ExecMode::OncePerTarget,
4425 cooldown: p.cooldown(),
4426 tz,
4427 },
4428 // `to_cron` only fails on a malformed `at` (rejected by
4429 // validate() at create time). For a hand-edited KV blob
4430 // that slipped past, emit a deliberately-invalid cron so
4431 // register()'s Job::new_async_tz fails → warn+skip,
4432 // rather than firing at the wrong time.
4433 When::Calendar(c) => Lowered {
4434 cron: c
4435 .to_cron()
4436 .unwrap_or_else(|_| "# invalid calendar at".into()),
4437 mode: ExecMode::EveryTick,
4438 cooldown: None,
4439 tz,
4440 },
4441 // Event triggers have no cron — the agent fires them from an
4442 // OS event source. The `# event-trigger` cron is never
4443 // registered (the scheduler branches on `is_event()` first),
4444 // but keep it deliberately-invalid as a belt-and-suspenders
4445 // so a stray registration would fail rather than misfire.
4446 When::On(_) => Lowered {
4447 cron: "# event-trigger (no cron)".into(),
4448 mode: ExecMode::Event,
4449 cooldown: None,
4450 tz,
4451 },
4452 }
4453 }
4454
4455 /// True when this schedule fires from an OS event (`when: { on }`)
4456 /// rather than a clock — the agent skips `tokio-cron` registration
4457 /// for these and drives them from boot / session-change instead.
4458 pub fn is_event(&self) -> bool {
4459 matches!(self.when, When::On(_))
4460 }
4461
4462 /// The OS event triggers this schedule listens for, or `&[]` when it
4463 /// is not an event schedule.
4464 pub fn event_triggers(&self) -> &[OnTrigger] {
4465 match &self.when {
4466 When::On(t) => t,
4467 _ => &[],
4468 }
4469 }
4470
4471 /// The next absolute (UTC) time this schedule fires, or `None` when
4472 /// it has no discrete upcoming fire to preview.
4473 ///
4474 /// Used by the KLP `maintenance.list` preview ("what's about to
4475 /// happen on my PC", SPEC §2.1). Returns `None` for:
4476 ///
4477 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
4478 /// every-minute [`POLL_CRON`] and re-converge state continuously,
4479 /// so "next fire" is always ~60s away and means nothing to a user
4480 /// previewing upcoming maintenance;
4481 /// - a calendar schedule whose lowered cron won't parse (a
4482 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
4483 /// - a cron with no future occurrence.
4484 ///
4485 /// The wall-clock fire is evaluated in the schedule's own `tz`
4486 /// (matching the live tick's `Job::new_async_tz`) then normalised
4487 /// to UTC for the wire. `inclusive = false`: strictly the *next*
4488 /// fire after `now`, never one matching the current instant.
4489 pub fn next_calendar_fire(
4490 &self,
4491 now: chrono::DateTime<chrono::Utc>,
4492 ) -> Option<chrono::DateTime<chrono::Utc>> {
4493 if !matches!(self.when, When::Calendar(_)) {
4494 return None;
4495 }
4496 let lowered = self.lowered();
4497 // Same parser configuration tokio-cron-scheduler 0.15 uses
4498 // internally, so this can never compute a fire the live
4499 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
4500 let cron = croner::parser::CronParser::builder()
4501 .seconds(croner::parser::Seconds::Required)
4502 .dom_and_dow(true)
4503 .build()
4504 .parse(&lowered.cron)
4505 .ok()?;
4506 match lowered.tz {
4507 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
4508 ScheduleTz::Local => {
4509 let now_local = now.with_timezone(&chrono::Local);
4510 cron.find_next_occurrence(&now_local, false)
4511 .ok()
4512 .map(|t| t.with_timezone(&chrono::Utc))
4513 }
4514 }
4515 }
4516
4517 /// Cross-field semantic checks that don't fit pure serde derive
4518 /// — the [`Manifest::validate`] counterpart (#418 decision F;
4519 /// pre-Phase-1 a broken schedule was accepted at create time
4520 /// and silently warn-skipped at tick time). Run at every create
4521 /// site: `kanade schedule create` (client-side) and
4522 /// `POST /api/schedules`. The job_id-exists check lives in the
4523 /// API handler instead — it needs the JOBS KV.
4524 pub fn validate(&self) -> Result<(), String> {
4525 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
4526 return Err(
4527 "when.per_target needs fleet-wide completion data and is backend-only; \
4528 it cannot be combined with runs_on: agent (each agent self-schedules, \
4529 so per-target dedup would be deduping across a target of 1)"
4530 .into(),
4531 );
4532 }
4533 // #418 event triggers: the agent owns the OS event source
4534 // (boot / session-change), so `when: { on }` is agent-only and
4535 // needs at least one trigger.
4536 if let When::On(triggers) = &self.when {
4537 if !matches!(self.runs_on, RunsOn::Agent) {
4538 return Err(
4539 "when.on (OS event trigger) is fired by the agent's own event \
4540 source, so it requires runs_on: agent"
4541 .into(),
4542 );
4543 }
4544 if triggers.is_empty() {
4545 return Err(
4546 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
4547 );
4548 }
4549 }
4550 if let Some(cd) = self.lowered().cooldown.as_deref() {
4551 humantime::parse_duration(cd)
4552 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
4553 }
4554 if let When::Calendar(c) = &self.when {
4555 // Lower the calendar form to its cron (catches a bad `at`
4556 // and the date+days conflict), then validate that cron
4557 // with the same parser configuration tokio-cron-scheduler
4558 // 0.15 uses internally (croner, seconds required,
4559 // DOM-and-DOW both honored, year optional) — create-time
4560 // validation can never accept what register() rejects.
4561 let cron = c.to_cron()?;
4562 croner::parser::CronParser::builder()
4563 .seconds(croner::parser::Seconds::Required)
4564 .dom_and_dow(true)
4565 .build()
4566 .parse(&cron)
4567 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
4568 }
4569 // The other humantime strings on the schedule (claude #419
4570 // review): runtime degrades gracefully on both (bad jitter →
4571 // silent no-op, bad starting_deadline → warn + skipped tick),
4572 // but "rejected at create time" should cover every field the
4573 // operator can typo, not just `when`.
4574 if let Some(j) = &self.plan.jitter {
4575 humantime::parse_duration(j)
4576 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
4577 }
4578 if let Some(sd) = &self.starting_deadline {
4579 humantime::parse_duration(sd)
4580 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
4581 }
4582 let from = self
4583 .active
4584 .from
4585 .as_deref()
4586 .map(|s| Active::parse_bound(s, self.tz))
4587 .transpose()?;
4588 let until = self
4589 .active
4590 .until
4591 .as_deref()
4592 .map(|s| Active::parse_bound(s, self.tz))
4593 .transpose()?;
4594 if let (Some(f), Some(u)) = (from, until) {
4595 if f >= u {
4596 return Err(format!(
4597 "active.from ({}) must be strictly before active.until ({})",
4598 self.active.from.as_deref().unwrap_or_default(),
4599 self.active.until.as_deref().unwrap_or_default(),
4600 ));
4601 }
4602 }
4603 // #418 Phase 3: a bad maintenance window is rejected at create
4604 // time (parse_window also catches equal bounds).
4605 if let Some(w) = self.constraints.window.as_deref() {
4606 Constraints::parse_window(w)?;
4607 }
4608 // #418 holiday exclusion: reject a malformed skip date at create
4609 // time so the fail-closed `allows` path only ever bites a
4610 // hand-edited KV blob, not a fresh `kanade schedule create`.
4611 if let Some(err) = self.constraints.bad_skip_date() {
4612 return Err(err);
4613 }
4614 // #418: constraints.max_concurrent is a central running-instance
4615 // cap, so it needs the backend's counter — reject it on
4616 // runs_on: agent (decision E), and reject a meaningless 0.
4617 if let Some(mc) = self.constraints.max_concurrent {
4618 // Check the structural incompatibility (agent has no central
4619 // counter) before the value range, so a `max_concurrent: 0`
4620 // + `runs_on: agent` combo reports the more fundamental
4621 // problem first (claude #542).
4622 if matches!(self.runs_on, RunsOn::Agent) {
4623 return Err(
4624 "constraints.max_concurrent needs a central counter and is backend-only; \
4625 it cannot be combined with runs_on: agent (each agent self-schedules, \
4626 so there is no fleet-wide count to cap against)"
4627 .into(),
4628 );
4629 }
4630 if mc == 0 {
4631 return Err(
4632 "constraints.max_concurrent must be >= 1 (0 would never fire; \
4633 omit it for no cap)"
4634 .into(),
4635 );
4636 }
4637 }
4638 // #418: constraints.require (host-state env gates: ac_power /
4639 // idle / cpu_below / network) is sensed in-process by the agent,
4640 // so it needs runs_on: agent — the backend can't read a target
4641 // host's power / idle / cpu / connectivity state. Symmetric with
4642 // `when: { on }` (also agent-only); inverse of max_concurrent
4643 // (backend-only).
4644 if let Some(req) = &self.constraints.require {
4645 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
4646 return Err(
4647 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
4648 network) is sensed in-process by the agent and needs runs_on: agent; the \
4649 backend cannot read a target host's power / idle / cpu / connectivity state"
4650 .into(),
4651 );
4652 }
4653 // Reject a malformed idle duration at create time so the
4654 // fail-closed runtime path only ever bites a hand-edited
4655 // KV blob (mirror skip_dates / on_failure.retry).
4656 if let Some(err) = req.bad_idle() {
4657 return Err(err);
4658 }
4659 // cpu_below is a percent — reject out-of-range so a typo
4660 // can't make a schedule that never (>=100 is always-busy?
4661 // no — <0 never matches) or trivially fires.
4662 if let Some(c) = req.cpu_below
4663 && !(c > 0.0 && c <= 100.0)
4664 {
4665 return Err(format!(
4666 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
4667 omit it for no CPU requirement"
4668 ));
4669 }
4670 }
4671 // #418 Phase 4: a bad on_failure.retry is rejected at create
4672 // time — backoff must be valid humantime, and max is bounded
4673 // so a typo can't pin a flapping script in a tight loop.
4674 if let Some(r) = &self.on_failure.retry {
4675 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
4676 format!(
4677 "on_failure.retry.backoff: invalid duration '{}': {e}",
4678 r.backoff
4679 )
4680 })?;
4681 // The wire form lowers backoff to whole seconds, so a
4682 // sub-second value would silently become a 0s no-wait
4683 // (coderabbit #466). Reject it rather than honour a backoff
4684 // the operator can't actually get.
4685 if backoff.as_secs() < 1 {
4686 return Err(format!(
4687 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
4688 round to 0 on the wire",
4689 r.backoff
4690 ));
4691 }
4692 if !(1..=10).contains(&r.max) {
4693 return Err(format!(
4694 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
4695 attempts after the first run",
4696 r.max
4697 ));
4698 }
4699 }
4700 Ok(())
4701 }
4702}
4703
4704fn default_true() -> bool {
4705 true
4706}