kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::ipc::jobs::JobCategory;
4use crate::wire::{RunAs, Shell, Staleness};
5
6/// YAML job manifest (= registered "what to run", v0.18.0+).
7///
8/// Owns only script-intrinsic fields. **Who** (`target`), **how to
9/// phase fanout** (`rollout`), and **when to stagger start**
10/// (`jitter`) all moved to the Schedule / exec request side — same
11/// script can now be fired against different targets / rollouts
12/// without copying the script body.
13///
14/// #492: these types are READ fleet-wide (agents decode them from
15/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
16/// must tolerate unknown fields — `deny_unknown_fields` here made a
17/// gradually-upgrading fleet's OLD agents reject the whole object
18/// the moment a newer backend added any field. Operator typo
19/// protection (the old reason for the attribute) lives at the WRITE
20/// boundaries instead: `kanade job/schedule create` and the backend
21/// POST extractor parse via [`crate::strict`], which rejects unknown
22/// keys with their full paths. The wire rule: new fields always get
23/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
24/// may still be strict).
25#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
26pub struct Manifest {
27 pub id: String,
28 pub version: String,
29 #[serde(default)]
30 pub description: Option<String>,
31 pub execute: Execute,
32 #[serde(default)]
33 pub require_approval: bool,
34 /// Opt-in marker that this job produces a JSON inventory fact
35 /// payload on stdout. When present, the backend's results
36 /// projector parses `ExecResult.stdout` as JSON and upserts an
37 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
38 /// `display` sub-config drives the SPA's Inventory page render.
39 #[serde(default)]
40 pub inventory: Option<InventoryHint>,
41 /// Issue #246: opt-in marker that this job emits per-line
42 /// observability events on stdout (one JSON `ObsEvent` per
43 /// newline). When present, the agent — after the script exits
44 /// successfully — parses each non-empty stdout line as an
45 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
46 /// `obs_outbox`, and (intentionally) **omits the stdout from
47 /// the `ExecResult`** so the timeline data doesn't double up
48 /// in `execution_results.stdout` (which would multiply rows
49 /// by ~50/day/PC of noise).
50 ///
51 /// Distinct from `inventory:` (single JSON object → projector
52 /// upsert) — events are append-only timeline points consumed
53 /// by the dedicated `obs_events` table.
54 #[serde(default)]
55 pub emit: Option<EmitConfig>,
56 /// #290: opt-in marker that this job is an operator-defined
57 /// **health check** whose result feeds the Client App's Health
58 /// tab over KLP (`StateSnapshot.checks`). The script prints a
59 /// free-form JSON object on stdout (like any inventory job); the
60 /// agent reads the [`CheckHint::status_field`] value dynamically
61 /// into a [`crate::ipc::state::Check`] named `check.name`.
62 /// Cadence / windows / conditions come from
63 /// the job's Schedule (exactly like inventory) — there is
64 /// deliberately no interval here. **Composes with `inventory:`**:
65 /// the script's stdout is one JSON object, so a check can also
66 /// carry an `inventory:` block to project the rest of that object
67 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
68 /// `emit:` (NDJSON stdout) is incompatible.
69 #[serde(default)]
70 pub check: Option<CheckHint>,
71 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
72 /// what the agent does at fire time when it can't verify the
73 /// `script_current` / `script_status` KV values are fresh —
74 /// especially relevant for `runs_on: agent` schedules where
75 /// the agent may fire from cache while offline. Defaults to
76 /// `Staleness::Cached` (silently use cached values), which
77 /// matches every pre-v0.26 Manifest.
78 #[serde(default)]
79 pub staleness: Staleness,
80 /// #291: opt-in marker that this job is offered to **end users**
81 /// in the Client App's job tabs over KLP (`jobs.list` →
82 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
83 /// [`emit`]: the block's mere presence is the opt-in, and it
84 /// groups the end-user presentation fields (name / category /
85 /// icon) that only make sense for a user-facing job. `None`
86 /// (the default) ⇒ an operator-only job — inventory, checks,
87 /// scheduled maintenance — that never surfaces in the catalog.
88 ///
89 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
90 /// (SPEC §2.1), so removing the block takes a job out of a
91 /// running client on its next action.
92 ///
93 /// [`inventory`]: Manifest::inventory
94 /// [`check`]: Manifest::check
95 /// [`emit`]: Manifest::emit
96 #[serde(default, skip_serializing_if = "Option::is_none")]
97 pub client: Option<ClientHint>,
98 /// Free-form operator taxonomy for the Jobs catalog. Purely a
99 /// SPA-side organisational aid — agents / scheduler / projector
100 /// never read it — so it carries no runtime semantics and any
101 /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
102 /// cross-cut (a `check-bitlocker` is at once a health-check, a
103 /// security control, and Windows-specific), which is why this is
104 /// a multi-valued list rather than the single closed-enum
105 /// [`ClientHint::category`] (whose values are the end-user Client
106 /// App's tabs, a different concern). The operator Jobs page groups
107 /// rows by id-prefix for free; tags add the orthogonal filter axis
108 /// prefixes can't express.
109 ///
110 /// Empty by default (the overwhelming majority of jobs), and a
111 /// new field, so it follows the #492 wire rule: `serde(default)`
112 /// plus `skip_serializing_if` keep gradually-upgrading old readers
113 /// from tripping over its absence / presence.
114 #[serde(default, skip_serializing_if = "Vec::is_empty")]
115 pub tags: Vec<String>,
116}
117
118/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
119/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
120/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
121/// here keeps the validation + serialisation logic in one place.
122#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
123pub struct FanoutPlan {
124 #[serde(default)]
125 pub target: Target,
126 /// Optional wave rollout — when present, the backend publishes
127 /// each wave's group subject on its own delay schedule instead
128 /// of fanning out the `target` block in one go. `target` then
129 /// only labels the deploy for the audit log.
130 #[serde(default, skip_serializing_if = "Option::is_none")]
131 pub rollout: Option<Rollout>,
132 /// Optional humantime jitter; agent uses it to randomise
133 /// execution start. Lives here (not on the script) so different
134 /// schedules / ad-hoc fires of the same job can pick different
135 /// stagger windows.
136 #[serde(default, skip_serializing_if = "Option::is_none")]
137 pub jitter: Option<String>,
138 /// Absolute time the scheduler stamps on each emitted Command
139 /// when this exec was driven by a [`Schedule`] with
140 /// `starting_deadline`. Agents receiving a Command after this
141 /// instant publish a synthetic skipped-result instead of
142 /// running the script. `None` (default) = no deadline / catch
143 /// up whenever delivered. Operators don't usually set this
144 /// directly — the scheduler computes it from `tick_at +
145 /// starting_deadline`.
146 #[serde(default, skip_serializing_if = "Option::is_none")]
147 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
148}
149
150/// Manifest sub-section: how the SPA should render the inventory
151/// facts this job produces. Each field name (`field`) is a top-level
152/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
153///
154/// Two render modes:
155/// * `display` — vertical "field / value" per PC, used by the
156/// `/inventory?pc=<id>` detail view. ALL columns the operator
157/// wants visible on the detail page.
158/// * `summary` — horizontal table across the fleet (row = PC,
159/// column = field) on `/inventory`. Optional; when omitted the
160/// SPA falls back to `display`, but operators usually want a
161/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
162#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
163pub struct InventoryHint {
164 /// Detail-view columns, in order.
165 pub display: Vec<DisplayField>,
166 /// Optional fleet-list columns (row = PC). Defaults to `display`
167 /// when omitted, but operators usually pick a 3-5 column subset.
168 #[serde(default, skip_serializing_if = "Option::is_none")]
169 pub summary: Option<Vec<DisplayField>>,
170 /// v0.31 / #40: payload arrays that should be exploded into
171 /// per-element rows of a derived SQLite table. Lets operators
172 /// answer cross-PC questions ("which PCs still have Chrome <
173 /// 120?", "C: >90% full") with normal SQL filters + indexes
174 /// instead of grepping JSON. The projector creates the derived
175 /// table on register and replaces this PC's rows on each result
176 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
177 /// [`ExplodeSpec`] for the per-spec schema.
178 #[serde(default, skip_serializing_if = "Option::is_none")]
179 pub explode: Option<Vec<ExplodeSpec>>,
180 /// v0.35 / #93: top-level scalar fields whose changes the
181 /// projector logs to `inventory_history` (one event per
182 /// changed field per scan). Pairs with `explode[].track_history`
183 /// — that covers array elements; this covers single-valued
184 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
185 /// `os_build` that operators want to track for "did the RAM
186 /// get upgraded?" / "when did Win 11 land on this PC?" /
187 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
188 /// in the history row, `identity_json` is NULL, `before_json`
189 /// / `after_json` each carry `{"value": <prior or new value>}`.
190 /// First-ever observation of a scalar (no prior facts row)
191 /// emits `added`; subsequent value changes emit `changed`. No
192 /// `removed` events — a scalar disappearing from the payload
193 /// is rare and the operator can still see the last value via
194 /// the `before_json` of the most recent change.
195 #[serde(default, skip_serializing_if = "Option::is_none")]
196 pub history_scalars: Option<Vec<String>>,
197}
198
199/// Manifest sub-section (#290): marks a job as an operator-defined
200/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
201/// The stdout contract is a free-form JSON object (same as any
202/// inventory job) from which the agent reads `status_field` /
203/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
204/// on the Client App's Health tab.
205///
206/// There is deliberately **no timing field** — when / how often /
207/// in which window a check runs is driven by the job's Schedule,
208/// exactly like inventory jobs, so operators get the full `when:` /
209/// rollout / `runs_on` expressiveness for free.
210///
211/// A check's stdout is a **free-form inventory object** (arbitrary
212/// key/value pairs + arrays) — same as any inventory job — that also
213/// carries a status field. `check:` adds only the health semantics on
214/// top: which field is the ok/warn/fail/unknown status, an optional
215/// one-line summary field, and a remediation job. Everything else
216/// (rich per-PC detail, `explode` sub-tables like a software list) is
217/// driven by a co-present [`InventoryHint`] and rendered with the
218/// SAME display logic the SPA Inventory page uses — on the Client App
219/// too. This keeps checks maximally expressive without a bespoke
220/// payload type.
221#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
222pub struct CheckHint {
223 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
224 /// the SPA/Client React key + analytics label. Unique within the
225 /// fleet's check set. Machine-friendly slug (`disk_space`,
226 /// `defender_rtp`); for the human-facing row title see [`label`].
227 ///
228 /// [`label`]: CheckHint::label
229 pub name: String,
230 /// Optional human-facing display title →
231 /// [`Check.label`](crate::ipc::state::Check). The Client App's
232 /// Health tab and the operator SPA's Compliance page render this
233 /// instead of the [`name`](CheckHint::name) slug when set
234 /// (`"ウイルス対策のリアルタイム保護"` reads better than
235 /// `defender_rtp`). Falls back to the slug when absent, so it's
236 /// purely additive. Author it in the check's language — there's no
237 /// per-locale variant; checks are operator-defined per fleet.
238 #[serde(default, skip_serializing_if = "Option::is_none")]
239 pub label: Option<String>,
240 /// Top-level stdout field whose string value
241 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
242 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
243 /// `"status"`; a missing / unparseable value → `unknown`.
244 #[serde(default = "default_status_field")]
245 pub status_field: String,
246 /// Top-level stdout field used as the Health-tab row's one-line
247 /// summary. Defaults to `"detail"`; absent in the payload → no
248 /// detail line (the rich breakdown lives in the inventory view).
249 #[serde(default = "default_detail_field")]
250 pub detail_field: String,
251 /// Optional remediation job id →
252 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
253 /// App shows a "修復する" button when present; that job must be
254 /// `user_invokable`.
255 #[serde(default, skip_serializing_if = "Option::is_none")]
256 pub troubleshoot: Option<String>,
257 /// #290 PR-E: when `true` (default), the backend also projects this
258 /// check's `status` / `detail` into the `check_status` table so the
259 /// operator SPA gets a fleet-wide compliance view for free — no
260 /// `inventory:` block needed. Set `fleet: false` for a client-only
261 /// check the operator doesn't want surfaced across the fleet.
262 #[serde(default = "default_fleet")]
263 pub fleet: bool,
264}
265
266fn default_status_field() -> String {
267 "status".to_string()
268}
269
270fn default_detail_field() -> String {
271 "detail".to_string()
272}
273
274fn default_fleet() -> bool {
275 true
276}
277
278/// Manifest sub-section (#291): marks a job as **user-invokable**
279/// from the Client App and carries how it presents to the end user.
280/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
281/// the block's presence is the opt-in (no separate boolean), and its
282/// required fields (`name`, `category`) are enforced by serde at
283/// parse time, so a half-filled catalog entry fails
284/// `kanade job create` instead of rendering a nameless / tab-less row.
285///
286/// The agent maps this 1:1 into the KLP
287/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
288/// that `jobs.list` returns; the Client App renders one row per job in
289/// the tab named by `category`.
290#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
291pub struct ClientHint {
292 /// End-user-facing title for the job row. The operator-internal
293 /// `Manifest::id` slug is rarely what an end user should read, so
294 /// this is required (and validated non-empty by
295 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
296 pub name: String,
297 /// Optional one-line subtitle under `name` in the Client App.
298 /// Distinct from the operator-facing top-level
299 /// [`Manifest::description`] — this one is written for the end
300 /// user. Maps to `UserInvokableJob::display_description`.
301 #[serde(default, skip_serializing_if = "Option::is_none")]
302 pub description: Option<String>,
303 /// Which Client App tab the job lives in (`software_update` →
304 /// アップデート, `troubleshoot` → 困ったとき, `catalog` → software
305 /// catalog). Required — without it the agent can't place the job
306 /// in a tab.
307 pub category: JobCategory,
308 /// Optional icon hint for the job row — a lucide-react icon name
309 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
310 /// category's default icon. Surfaced verbatim in
311 /// `jobs.list[].icon`.
312 #[serde(default, skip_serializing_if = "Option::is_none")]
313 pub icon: Option<String>,
314}
315
316/// Issue #246 — `emit:` manifest block for jobs whose stdout is
317/// NDJSON observability events (one `ObsEvent` per line). Parallel
318/// to `inventory:` but for the append-only timeline pipeline; see
319/// `Manifest::emit` for the full contract.
320#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
321pub struct EmitConfig {
322 /// What kind of payload the agent should expect on stdout. Only
323 /// `events` is defined today (parses each non-empty line as
324 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
325 /// (e.g. metrics streams, structured trace events) plug in here.
326 #[serde(rename = "type")]
327 pub kind: EmitKind,
328 /// Operator hint for where the script keeps its own state — the
329 /// watermark file the PowerShell / sh body reads + writes
330 /// between runs so it only emits NEW events since the last
331 /// poll. The agent doesn't read this; it's documentation that
332 /// the SPA (and `kanade job edit`) can surface to operators
333 /// reviewing the manifest. Optional; the script is allowed to
334 /// keep state anywhere (registry, env, etc.) — the field's
335 /// presence makes the convention discoverable.
336 #[serde(default, skip_serializing_if = "Option::is_none")]
337 pub watermark_path: Option<String>,
338}
339
340/// `emit.type` enum. Lowercase serde so manifests read
341/// `type: events` rather than `Events`.
342#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
343#[serde(rename_all = "lowercase")]
344pub enum EmitKind {
345 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
346 /// `obs.<pc_id>`, drops the stdout from the resulting
347 /// `ExecResult`.
348 Events,
349}
350
351/// v0.31 / #40: declarative "flatten this JSON array into a real
352/// SQLite table" spec on an inventory manifest. The projector
353/// creates the table on first registration (CREATE TABLE IF NOT
354/// EXISTS + indexes) and writes a row per element of
355/// `payload[field]` on every result, scoped by (pc_id, job_id) so
356/// each PC's rows replace cleanly without a per-PC schema.
357#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
358pub struct ExplodeSpec {
359 /// JSON array key under the payload to explode. E.g. `"apps"`
360 /// for `payload: { apps: [{...}, {...}] }`.
361 pub field: String,
362 /// Derived SQLite table name. Operators choose this — pick
363 /// something namespaced + stable (`inventory_sw_apps`, not
364 /// `apps`) so multiple inventory manifests don't collide on a
365 /// generic name.
366 pub table: String,
367 /// Element-level fields that uniquely identify a row inside one
368 /// PC's payload. The full PK is `(pc_id, job_id) + these
369 /// columns`. Required — operators must think about uniqueness
370 /// (e.g. `["name", "source"]` for installed apps because the
371 /// same name appears in multiple uninstall hives).
372 ///
373 /// v0.31 / #41: same tuple drives history identity. When
374 /// `track_history` is on, the projector serialises these
375 /// fields' values into `inventory_history.identity_json` for
376 /// every change event, so queries like "every PC that ever
377 /// installed Chrome (any source)" filter on identity_json
378 /// content without a per-manifest schema.
379 pub primary_key: Vec<String>,
380 /// Per-element fields that become columns in the derived table.
381 pub columns: Vec<ExplodeColumn>,
382 /// v0.31 / #41: when true (default false), the projector
383 /// diffs each PC's incoming payload against the prior rows
384 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
385 /// replace, and writes added / removed / changed events into
386 /// `inventory_history`. Lets operators answer time-dimension
387 /// questions ("when did Chrome 120 first appear on PC X?",
388 /// "what's the Win 11 23H2 rollout curve") without storing
389 /// per-scan snapshots. Off by default so operators opt in
390 /// per-spec — history has a real storage cost on long-lived
391 /// deployments (mitigated by the 90-day default retention
392 /// sweeper, see `cleanup` module).
393 #[serde(default)]
394 pub track_history: bool,
395}
396
397/// One column in an [`ExplodeSpec`]'s derived table.
398#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
399pub struct ExplodeColumn {
400 /// JSON key under each array element. Becomes the column name
401 /// in the derived SQLite table — we don't rename.
402 pub field: String,
403 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
404 /// Storage maps directly via `sqlx::query.bind(...)`; type
405 /// mismatches at INSERT-time fail loudly rather than silently
406 /// dropping the row.
407 #[serde(default, skip_serializing_if = "Option::is_none")]
408 #[serde(rename = "type")]
409 pub kind: Option<String>,
410 /// When true, the projector creates a `CREATE INDEX` on this
411 /// column at table-creation time. Boost for the common-filter
412 /// columns (`name`, `version`) — operators mark them
413 /// explicitly, the projector won't guess.
414 #[serde(default)]
415 pub index: bool,
416}
417
418#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
419pub struct DisplayField {
420 /// Top-level key in the stdout JSON.
421 pub field: String,
422 /// Human-readable column header.
423 pub label: String,
424 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
425 /// or `"table"` (#39). Defaults to plain text rendering on the
426 /// SPA side. `"table"` expects the field's value to be a JSON
427 /// array of objects and renders a nested sub-table on the
428 /// per-PC detail page using `columns` as the schema; the fleet
429 /// summary view falls back to showing the row count for
430 /// `"table"` cells so the wide list stays compact.
431 #[serde(default, skip_serializing_if = "Option::is_none")]
432 #[serde(rename = "type")]
433 pub kind: Option<String>,
434 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
435 /// field's value (an array of objects like
436 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
437 /// sub-table using these columns. Each column is itself a
438 /// `DisplayField`, so the nested cells reuse the same render
439 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
440 /// pipeline. Ignored for any other `kind`.
441 #[serde(default, skip_serializing_if = "Option::is_none")]
442 pub columns: Option<Vec<DisplayField>>,
443}
444
445#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
446pub struct Rollout {
447 #[serde(default)]
448 pub strategy: RolloutStrategy,
449 pub waves: Vec<Wave>,
450}
451
452#[derive(
453 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
454)]
455#[serde(rename_all = "lowercase")]
456pub enum RolloutStrategy {
457 #[default]
458 Wave,
459}
460
461#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
462pub struct Wave {
463 pub group: String,
464 /// humantime delay measured from the deploy's publish time. wave[0]
465 /// typically has "0s"; subsequent waves use minutes / hours.
466 pub delay: String,
467}
468
469#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
470pub struct Target {
471 #[serde(default)]
472 pub groups: Vec<String>,
473 #[serde(default)]
474 pub pcs: Vec<String>,
475 #[serde(default)]
476 pub all: bool,
477}
478
479impl Target {
480 /// At least one of all / groups / pcs is set.
481 pub fn is_specified(&self) -> bool {
482 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
483 }
484}
485
486#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
487pub struct Execute {
488 pub shell: ExecuteShell,
489 /// Inline script body. Mutually exclusive with [`script_file`]
490 /// and [`script_object`]; exactly one of the three must be set
491 /// (enforced by [`Execute::validate_script_source`] at the
492 /// write-side parse boundaries — `kanade job create` and
493 /// `POST /api/jobs`).
494 ///
495 /// Empty string is treated as **unset** so operators can swap
496 /// to a `script_file:` / `script_object:` alternative just by
497 /// commenting out the body, without having to also drop the
498 /// `script:` key entirely.
499 ///
500 /// [`script_file`]: Self::script_file
501 /// [`script_object`]: Self::script_object
502 #[serde(default, skip_serializing_if = "Option::is_none")]
503 pub script: Option<String>,
504 /// Repo-local file path resolved by the operator-side CLI at
505 /// `kanade job create` time. The CLI reads the file, slots its
506 /// contents into `script`, and clears this field before
507 /// POSTing — so the backend / agents never see `script_file`
508 /// in stored manifests. SPEC §2.4.1.
509 ///
510 /// Resolver lands in a follow-up PR
511 /// (yukimemi/kanade#210); today this field passes parse-time
512 /// validation but the operator-side CLI bails with "not yet
513 /// implemented" until the resolver ships, so manifests that
514 /// reach the backend with `script_file` set are treated as a
515 /// schema-bug.
516 #[serde(default, skip_serializing_if = "Option::is_none")]
517 pub script_file: Option<String>,
518 /// Object Store reference (`<name>/<version>`) into the
519 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
520 /// at Execute time via `/api/script-objects/{name}/{version}`
521 /// and cache it locally. SPEC §2.4.1.
522 ///
523 /// Resolver lands in the same follow-up PR as `script_file`;
524 /// today this field passes parse-time validation but the
525 /// backend / agent exec paths bail with "not yet implemented"
526 /// when they see it.
527 #[serde(default, skip_serializing_if = "Option::is_none")]
528 pub script_object: Option<String>,
529 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
530 /// — represents how long this script reasonably takes to run.
531 pub timeout: String,
532 /// Token + session combination the agent uses to launch the
533 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
534 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
535 #[serde(default)]
536 pub run_as: RunAs,
537 /// Working directory for the spawned child (v0.21.1). When
538 /// unset, the child inherits the agent's cwd — on Windows that
539 /// means `%SystemRoot%\System32` for the prod service, which is
540 /// almost never what operators actually want. Use an absolute
541 /// path; relative paths are passed through to the OS verbatim.
542 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
543 /// you'd want `%USERPROFILE%` (but expansion happens in the
544 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
545 /// it via teravars before `kanade job create`).
546 #[serde(default, skip_serializing_if = "Option::is_none")]
547 pub cwd: Option<String>,
548}
549
550impl Execute {
551 /// Treat an empty `script:` body as "intentionally unset". Operators
552 /// commenting out a block-scalar tend to leave the key behind, and
553 /// failing the validator on `script: ""` would surprise them.
554 fn has_inline_script(&self) -> bool {
555 matches!(&self.script, Some(s) if !s.is_empty())
556 }
557
558 /// Enforce that exactly one of `script` / `script_file` /
559 /// `script_object` is set. Called at the write-side parse
560 /// boundaries (CLI `kanade job create` + backend
561 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
562 /// reaches the JOBS KV. Read paths (projector, agent
563 /// scheduler, list endpoints) skip this check — they only ever
564 /// see what the write path already validated.
565 pub fn validate_script_source(&self) -> Result<(), String> {
566 let inline = self.has_inline_script();
567 let file = self.script_file.is_some();
568 let obj = self.script_object.is_some();
569 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
570 match set {
571 1 => Ok(()),
572 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
573 _ => Err(format!(
574 "execute: only one of `script` / `script_file` / `script_object` may be set \
575 (got script={inline}, script_file={file}, script_object={obj})"
576 )),
577 }
578 }
579}
580
581impl Manifest {
582 /// Cross-field semantic checks that don't fit into pure serde
583 /// derive. Currently delegates to
584 /// [`Execute::validate_script_source`] — see that method's
585 /// docs for the rationale on which call sites should run this.
586 pub fn validate(&self) -> Result<(), String> {
587 self.execute.validate_script_source()?;
588 // Stdout-format compatibility. `inventory:` and `check:` both
589 // consume the SAME single JSON object — they COMPOSE: a check
590 // can extract `status`/`detail` for the Health tab while the
591 // projector explodes the rest into SPA sub-tables. `emit:` is
592 // different — its stdout is NDJSON and the agent omits it from
593 // the result entirely — so it can't be paired with either.
594 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
595 return Err(
596 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
597 timeline events (and omitted from the result), while inventory/check read a \
598 single JSON object from stdout"
599 .to_string(),
600 );
601 }
602 // A check's `name` is the Health-tab row id (React key); the
603 // field names tell the agent where to read status/detail.
604 // An empty value is an invisible runtime bug, and the serde
605 // defaults don't guard an operator who writes `status_field:
606 // ""` explicitly — reject all three here.
607 if let Some(check) = &self.check {
608 for (label, value) in [
609 ("check.name", &check.name),
610 ("check.status_field", &check.status_field),
611 ("check.detail_field", &check.detail_field),
612 ] {
613 if value.trim().is_empty() {
614 return Err(format!("{label} must not be empty"));
615 }
616 }
617 // A present-but-blank `troubleshoot` is a broken
618 // remediation job id (the "修復する" button would target
619 // an empty manifest id) — reject it too.
620 if let Some(troubleshoot) = &check.troubleshoot {
621 if troubleshoot.trim().is_empty() {
622 return Err("check.troubleshoot must not be empty when set".to_string());
623 }
624 }
625 // A present-but-blank `label` would render an empty row
626 // title on the Health tab / Compliance page — reject it so
627 // the slug fallback only ever kicks in when label is absent.
628 if let Some(label) = &check.label {
629 if label.trim().is_empty() {
630 return Err("check.label must not be empty when set".to_string());
631 }
632 }
633 }
634 // #291: a `client:` job is rendered in the Client App's
635 // catalog (`jobs.list` → `jobs.execute`). serde already makes
636 // `name` + `category` required at parse time; the only gap is
637 // a present-but-blank `name`, which would render an empty row
638 // title — reject it like the other display-id fields.
639 if let Some(client) = &self.client {
640 if client.name.trim().is_empty() {
641 return Err("client.name must not be empty".to_string());
642 }
643 // Optional display fields, when present, must be
644 // meaningful: a blank `description` renders an empty
645 // subtitle and a blank `icon` is a dangling lucide name.
646 // Same present-but-blank guard the `check:` block applies
647 // to its optional `troubleshoot` id.
648 for (label, value) in [
649 ("client.description", &client.description),
650 ("client.icon", &client.icon),
651 ] {
652 if let Some(v) = value {
653 if v.trim().is_empty() {
654 return Err(format!("{label} must not be empty when set"));
655 }
656 }
657 }
658 }
659 // A blank / whitespace-only tag is an invisible operator typo
660 // that would render an empty filter chip on the Jobs page —
661 // reject it like the other present-but-blank display fields.
662 for tag in &self.tags {
663 if tag.trim().is_empty() {
664 return Err("tags must not contain empty entries".to_string());
665 }
666 }
667 Ok(())
668 }
669}
670
671#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
672#[serde(rename_all = "lowercase")]
673pub enum ExecuteShell {
674 Powershell,
675 Cmd,
676}
677
678impl From<ExecuteShell> for Shell {
679 fn from(s: ExecuteShell) -> Self {
680 match s {
681 ExecuteShell::Powershell => Shell::Powershell,
682 ExecuteShell::Cmd => Shell::Cmd,
683 }
684 }
685}
686
687#[cfg(test)]
688mod tests {
689 use super::*;
690
691 /// The example check-job + schedule YAMLs shipped under `configs/`
692 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
693 /// pins them at compile time so a breaking edit fails `cargo test`
694 /// rather than only `kanade job create` at deploy time.
695 #[test]
696 fn example_check_job_yamls_parse_and_validate() {
697 let jobs = [
698 (
699 "check-bitlocker",
700 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
701 ),
702 (
703 "check-av-signature",
704 include_str!("../../../configs/jobs/check-av-signature.yaml"),
705 ),
706 (
707 "check-cert-expiry",
708 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
709 ),
710 (
711 "check-disk-space",
712 include_str!("../../../configs/jobs/check-disk-space.yaml"),
713 ),
714 (
715 "check-pending-reboot",
716 include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
717 ),
718 (
719 "check-defender-rtp",
720 include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
721 ),
722 (
723 "check-firewall",
724 include_str!("../../../configs/jobs/check-firewall.yaml"),
725 ),
726 ];
727 for (name, yaml) in jobs {
728 let m: Manifest =
729 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
730 m.validate()
731 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
732 let check = m
733 .check
734 .as_ref()
735 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
736 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
737 // These examples all read admin-only WMI / registry / netsh
738 // state, so they run_as system. NOTE: that's a property of
739 // these particular checks, NOT of the `check:` contract — a
740 // check probing user-session state could run_as user.
741 assert_eq!(
742 m.execute.run_as,
743 RunAs::System,
744 "{name} should run_as system"
745 );
746 }
747 }
748
749 /// The example user-invokable job YAMLs (#291) shipped under
750 /// `configs/jobs/` must stay valid as the `client:` schema
751 /// evolves. `include_str!` pins them at compile time so a breaking
752 /// edit fails `cargo test`, not `kanade job create` at deploy.
753 #[test]
754 fn example_client_job_yamls_parse_and_validate() {
755 let jobs = [
756 (
757 "fix-teams-cache",
758 JobCategory::Troubleshoot,
759 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
760 ),
761 (
762 "chrome-update",
763 JobCategory::SoftwareUpdate,
764 include_str!("../../../configs/jobs/chrome-update.yaml"),
765 ),
766 (
767 "install-slack",
768 JobCategory::Catalog,
769 include_str!("../../../configs/jobs/install-slack.yaml"),
770 ),
771 (
772 "fix-defender-rtp",
773 JobCategory::Troubleshoot,
774 include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
775 ),
776 ];
777 for (id, category, yaml) in jobs {
778 let m: Manifest =
779 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
780 m.validate()
781 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
782 assert_eq!(m.id, id, "{id} id mismatch");
783 let client = m
784 .client
785 .as_ref()
786 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
787 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
788 assert_eq!(client.category, category, "{id} category");
789 }
790 }
791
792 #[test]
793 fn example_check_schedule_yamls_parse_and_validate() {
794 let schedules = [
795 (
796 "check-bitlocker",
797 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
798 ),
799 (
800 "check-av-signature",
801 include_str!("../../../configs/schedules/check-av-signature.yaml"),
802 ),
803 (
804 "check-cert-expiry",
805 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
806 ),
807 (
808 "check-disk-space",
809 include_str!("../../../configs/schedules/check-disk-space.yaml"),
810 ),
811 (
812 "check-pending-reboot",
813 include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
814 ),
815 (
816 "check-defender-rtp",
817 include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
818 ),
819 (
820 "check-firewall",
821 include_str!("../../../configs/schedules/check-firewall.yaml"),
822 ),
823 ];
824 for (name, yaml) in schedules {
825 let s: Schedule =
826 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
827 s.validate()
828 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
829 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
830 }
831 }
832
833 #[test]
834 fn target_is_specified_requires_at_least_one_field() {
835 let empty = Target::default();
836 assert!(!empty.is_specified());
837
838 let with_all = Target {
839 all: true,
840 ..Target::default()
841 };
842 assert!(with_all.is_specified());
843
844 let with_groups = Target {
845 groups: vec!["canary".into()],
846 ..Target::default()
847 };
848 assert!(with_groups.is_specified());
849
850 let with_pcs = Target {
851 pcs: vec!["pc-01".into()],
852 ..Target::default()
853 };
854 assert!(with_pcs.is_specified());
855 }
856
857 #[test]
858 fn manifest_deserialises_minimal_yaml() {
859 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
860 // — those live on the schedule / exec request now.
861 let yaml = r#"
862id: echo-test
863version: 0.0.1
864execute:
865 shell: powershell
866 script: "echo 'kanade'"
867 timeout: 30s
868"#;
869 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
870 assert_eq!(m.id, "echo-test");
871 assert_eq!(m.version, "0.0.1");
872 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
873 assert_eq!(
874 m.execute.script.as_deref().map(str::trim),
875 Some("echo 'kanade'")
876 );
877 assert!(m.execute.script_file.is_none());
878 assert!(m.execute.script_object.is_none());
879 assert_eq!(m.execute.timeout, "30s");
880 assert!(!m.require_approval);
881 m.validate()
882 .expect("inline-script manifest passes validation");
883 }
884
885 #[test]
886 fn manifest_parses_check_job_and_validates() {
887 // An operator-defined health check (#290): a `check:` hint +
888 // a PowerShell script that prints {status, detail}.
889 let yaml = r#"
890id: check-bitlocker
891version: 0.1.0
892execute:
893 shell: powershell
894 run_as: system
895 timeout: 15s
896 script: |
897 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
898check:
899 name: bitlocker
900 troubleshoot: fix-bitlocker
901"#;
902 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
903 let check = m.check.as_ref().expect("check hint present");
904 assert_eq!(check.name, "bitlocker");
905 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
906 // Field names default to the conventional "status" / "detail".
907 assert_eq!(check.status_field, "status");
908 assert_eq!(check.detail_field, "detail");
909 assert!(m.inventory.is_none() && m.emit.is_none());
910 m.validate().expect("check-only manifest passes validation");
911 }
912
913 #[test]
914 fn manifest_check_defaults_and_custom_fields() {
915 // Minimal: only `name`; status/detail fields default.
916 let m: Manifest = serde_yaml::from_str(
917 r#"
918id: check-disk
919version: 0.1.0
920execute:
921 shell: powershell
922 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
923 timeout: 10s
924check:
925 name: disk_free
926"#,
927 )
928 .expect("parse");
929 let c = m.check.as_ref().unwrap();
930 assert_eq!(c.name, "disk_free");
931 assert_eq!(c.status_field, "status");
932 assert_eq!(c.detail_field, "detail");
933 assert!(c.troubleshoot.is_none());
934 m.validate().expect("validates");
935
936 // The operator can point status/detail at any field of their
937 // free-form inventory object.
938 let m2: Manifest = serde_yaml::from_str(
939 r#"
940id: check-custom
941version: 0.1.0
942execute:
943 shell: powershell
944 script: "echo x"
945 timeout: 10s
946check:
947 name: patch_level
948 status_field: compliance
949 detail_field: summary
950"#,
951 )
952 .expect("parse");
953 let c2 = m2.check.as_ref().unwrap();
954 assert_eq!(c2.status_field, "compliance");
955 assert_eq!(c2.detail_field, "summary");
956 }
957
958 #[test]
959 fn manifest_allows_check_composed_with_inventory() {
960 // `check:` + `inventory:` COMPOSE on the same stdout object:
961 // status/detail → Health tab, the rest → SPA projection +
962 // explode sub-tables. Must pass validation.
963 let yaml = r#"
964id: check-bitlocker-detailed
965version: 0.1.0
966execute:
967 shell: powershell
968 script: "echo x"
969 timeout: 10s
970check:
971 name: bitlocker
972inventory:
973 display:
974 - { field: status, label: Status }
975"#;
976 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
977 assert!(m.check.is_some() && m.inventory.is_some());
978 m.validate().expect("check + inventory compose");
979 }
980
981 #[test]
982 fn manifest_rejects_check_combined_with_emit() {
983 // `emit:` stdout is NDJSON (and omitted from the result), so
984 // it can't pair with `check:` (which needs a single JSON
985 // object on stdout).
986 let yaml = r#"
987id: bad-mix
988version: 0.1.0
989execute:
990 shell: powershell
991 script: "echo x"
992 timeout: 10s
993check:
994 name: bitlocker
995emit:
996 type: events
997"#;
998 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
999 let err = m.validate().expect_err("emit + check must fail");
1000 assert!(err.contains("incompatible"), "err: {err}");
1001 }
1002
1003 #[test]
1004 fn manifest_rejects_emit_combined_with_inventory() {
1005 // The other half of the emit-incompatibility condition.
1006 let yaml = r#"
1007id: bad-mix-2
1008version: 0.1.0
1009execute:
1010 shell: powershell
1011 script: "echo x"
1012 timeout: 10s
1013emit:
1014 type: events
1015inventory:
1016 display:
1017 - { field: status, label: Status }
1018"#;
1019 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1020 let err = m.validate().expect_err("emit + inventory must fail");
1021 assert!(err.contains("incompatible"), "err: {err}");
1022 }
1023
1024 #[test]
1025 fn manifest_rejects_empty_check_field_names() {
1026 // Empty name / status_field / detail_field are invisible
1027 // runtime bugs (empty React key, agent reads the wrong field)
1028 // — reject them even though serde supplies non-empty defaults.
1029 let base = |inner: &str| {
1030 format!(
1031 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
1032 )
1033 };
1034 for inner in [
1035 " name: \"\"\n",
1036 " name: ok\n status_field: \"\"\n",
1037 " name: ok\n detail_field: \" \"\n",
1038 // present-but-blank troubleshoot → broken remediation id.
1039 " name: ok\n troubleshoot: \" \"\n",
1040 ] {
1041 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
1042 let err = m.validate().expect_err("empty field must fail");
1043 assert!(err.contains("must not be empty"), "err: {err}");
1044 }
1045 }
1046
1047 #[test]
1048 fn manifest_client_absent_by_default() {
1049 // A plain operator job (the overwhelming majority) carries no
1050 // `client:` block, so it never surfaces in the end-user
1051 // catalog.
1052 let yaml = r#"
1053id: echo-test
1054version: 0.0.1
1055execute:
1056 shell: powershell
1057 script: "echo 'kanade'"
1058 timeout: 30s
1059"#;
1060 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1061 assert!(m.client.is_none());
1062 m.validate().expect("operator-only job validates");
1063 }
1064
1065 #[test]
1066 fn manifest_client_parses_and_validates() {
1067 // The Client App "困ったとき" remediation job shape: a
1068 // user-invokable troubleshoot job with the end-user fields the
1069 // KLP `jobs.list` wire needs, grouped under `client:`.
1070 let yaml = r#"
1071id: fix-teams-cache
1072version: 1.0.0
1073execute:
1074 shell: powershell
1075 script: "echo clearing"
1076 timeout: 60s
1077client:
1078 name: "Teams のキャッシュをクリア"
1079 description: "Teams が重いときに試してください"
1080 category: troubleshoot
1081 icon: brush-cleaning
1082"#;
1083 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1084 let c = m.client.as_ref().expect("client block present");
1085 assert_eq!(c.name, "Teams のキャッシュをクリア");
1086 assert_eq!(
1087 c.description.as_deref(),
1088 Some("Teams が重いときに試してください")
1089 );
1090 assert_eq!(c.category, JobCategory::Troubleshoot);
1091 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
1092 m.validate().expect("user-invokable job validates");
1093 }
1094
1095 #[test]
1096 fn manifest_client_minimal_only_name_and_category() {
1097 // description + icon are optional; name + category are the
1098 // serde-required minimum.
1099 let yaml = r#"
1100id: install-slack
1101version: 1.0.0
1102execute:
1103 shell: powershell
1104 script: "echo install"
1105 timeout: 600s
1106client:
1107 name: Slack
1108 category: catalog
1109"#;
1110 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1111 let c = m.client.as_ref().expect("client present");
1112 assert_eq!(c.category, JobCategory::Catalog);
1113 assert!(c.description.is_none() && c.icon.is_none());
1114 m.validate().expect("minimal client validates");
1115 }
1116
1117 #[test]
1118 fn manifest_client_rejects_blank_name() {
1119 // serde guarantees `name`/`category` are present; the one gap
1120 // is a present-but-blank name → empty catalog row title.
1121 let yaml = r#"
1122id: j
1123version: 1.0.0
1124execute:
1125 shell: powershell
1126 script: "echo x"
1127 timeout: 30s
1128client:
1129 name: " "
1130 category: catalog
1131"#;
1132 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1133 let err = m.validate().expect_err("blank name must fail");
1134 assert!(err.contains("client.name"), "err: {err}");
1135 }
1136
1137 #[test]
1138 fn manifest_client_rejects_blank_optional_fields() {
1139 // description / icon are optional, but a present-but-blank
1140 // value is a bug (empty subtitle / dangling icon name) — reject
1141 // it, mirroring the check: block's troubleshoot guard.
1142 for (field, line) in [
1143 ("client.description", " description: \" \"\n"),
1144 ("client.icon", " icon: \"\"\n"),
1145 ] {
1146 let yaml = format!(
1147 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
1148 );
1149 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1150 let err = m.validate().expect_err("blank optional field must fail");
1151 assert!(err.contains(field), "expected {field} in err: {err}");
1152 }
1153 }
1154
1155 #[test]
1156 fn manifest_client_requires_category_at_parse() {
1157 // A `client:` block missing `category` is a hard parse error
1158 // (serde required field) — no manual validate() needed.
1159 let yaml = r#"
1160id: j
1161version: 1.0.0
1162execute:
1163 shell: powershell
1164 script: "echo x"
1165 timeout: 30s
1166client:
1167 name: "A job"
1168"#;
1169 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
1170 assert!(
1171 r.is_err(),
1172 "missing category must be a parse error, got {r:?}"
1173 );
1174 }
1175
1176 #[test]
1177 fn manifest_client_rejects_unknown_field() {
1178 // #492: the strict create boundary catches a fat-fingered
1179 // `displayname:` (with its path) instead of silently
1180 // dropping it; the tolerant read path accepts it.
1181 let yaml = r#"
1182id: j
1183version: 1.0.0
1184execute:
1185 shell: powershell
1186 script: "echo x"
1187 timeout: 30s
1188client:
1189 name: "A job"
1190 category: catalog
1191 displayname: oops
1192"#;
1193 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
1194 let err = r.expect_err("unknown client field must be rejected at the write boundary");
1195 // serde_ignored renders the Option layer as `?`:
1196 // `client.?.displayname`. Assert on the leaf key.
1197 assert!(err.contains("displayname"), "{err}");
1198 // The READ path tolerates the same payload (gradual-upgrade
1199 // contract: an old agent must accept a newer writer's field).
1200 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
1201 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
1202 }
1203
1204 #[test]
1205 fn manifest_tags_default_empty() {
1206 // The overwhelming majority of jobs carry no tags; the field
1207 // must default to an empty Vec (not fail to parse) and skip
1208 // serialisation so old readers never see the key.
1209 let yaml = r#"
1210id: echo-test
1211version: 0.0.1
1212execute:
1213 shell: powershell
1214 script: "echo 'kanade'"
1215 timeout: 30s
1216"#;
1217 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1218 assert!(m.tags.is_empty());
1219 m.validate().expect("tag-less job validates");
1220 // skip_serializing_if = empty ⇒ the key is absent from JSON.
1221 let json = serde_json::to_string(&m).expect("serialize");
1222 assert!(
1223 !json.contains("tags"),
1224 "empty tags must not serialise: {json}"
1225 );
1226 }
1227
1228 #[test]
1229 fn manifest_parses_and_validates_tags() {
1230 let yaml = r#"
1231id: check-bitlocker
1232version: 0.1.0
1233execute:
1234 shell: powershell
1235 script: "echo x"
1236 timeout: 30s
1237tags: [security, windows, health-check]
1238"#;
1239 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1240 assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
1241 m.validate().expect("tagged job validates");
1242 // Round-trips through JSON (the wire format the SPA reads).
1243 let json = serde_json::to_string(&m).expect("serialize");
1244 assert!(json.contains("\"tags\""), "non-empty tags must serialise");
1245 }
1246
1247 #[test]
1248 fn manifest_rejects_blank_tag() {
1249 // A whitespace-only tag renders an empty filter chip — reject
1250 // it at the write boundary like the other blank display fields.
1251 let yaml = r#"
1252id: j
1253version: 0.1.0
1254execute:
1255 shell: powershell
1256 script: "echo x"
1257 timeout: 30s
1258tags: [ok, " "]
1259"#;
1260 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1261 let err = m.validate().expect_err("blank tag must fail");
1262 assert!(err.contains("tags must not contain empty"), "err: {err}");
1263 }
1264
1265 fn execute_with(
1266 script: Option<&str>,
1267 script_file: Option<&str>,
1268 script_object: Option<&str>,
1269 ) -> Execute {
1270 Execute {
1271 shell: ExecuteShell::Powershell,
1272 script: script.map(str::to_owned),
1273 script_file: script_file.map(str::to_owned),
1274 script_object: script_object.map(str::to_owned),
1275 timeout: "30s".into(),
1276 run_as: RunAs::default(),
1277 cwd: None,
1278 }
1279 }
1280
1281 #[test]
1282 fn validate_accepts_inline_script() {
1283 let e = execute_with(Some("echo hi"), None, None);
1284 assert!(e.validate_script_source().is_ok());
1285 }
1286
1287 #[test]
1288 fn validate_accepts_script_file_alone() {
1289 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
1290 assert!(e.validate_script_source().is_ok());
1291 }
1292
1293 #[test]
1294 fn validate_accepts_script_object_alone() {
1295 let e = execute_with(None, None, Some("cleanup/1.0.0"));
1296 assert!(e.validate_script_source().is_ok());
1297 }
1298
1299 #[test]
1300 fn validate_treats_empty_inline_script_as_unset() {
1301 // `script: ""` + `script_object` set is the natural shape
1302 // when an operator comments out the YAML block-scalar body
1303 // but leaves the key. Should pass.
1304 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
1305 assert!(e.validate_script_source().is_ok());
1306 }
1307
1308 #[test]
1309 fn validate_rejects_zero_sources() {
1310 let e = execute_with(None, None, None);
1311 let err = e.validate_script_source().unwrap_err();
1312 assert!(err.contains("must be set"), "got: {err}");
1313 }
1314
1315 #[test]
1316 fn validate_rejects_empty_inline_only() {
1317 let e = execute_with(Some(""), None, None);
1318 let err = e.validate_script_source().unwrap_err();
1319 assert!(err.contains("must be set"), "got: {err}");
1320 }
1321
1322 #[test]
1323 fn validate_rejects_inline_plus_file() {
1324 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
1325 let err = e.validate_script_source().unwrap_err();
1326 assert!(err.contains("only one of"), "got: {err}");
1327 }
1328
1329 #[test]
1330 fn validate_rejects_inline_plus_object() {
1331 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
1332 let err = e.validate_script_source().unwrap_err();
1333 assert!(err.contains("only one of"), "got: {err}");
1334 }
1335
1336 #[test]
1337 fn validate_rejects_file_plus_object() {
1338 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
1339 let err = e.validate_script_source().unwrap_err();
1340 assert!(err.contains("only one of"), "got: {err}");
1341 }
1342
1343 #[test]
1344 fn validate_rejects_all_three() {
1345 let e = execute_with(
1346 Some("echo hi"),
1347 Some("scripts/cleanup.ps1"),
1348 Some("cleanup/1.0.0"),
1349 );
1350 let err = e.validate_script_source().unwrap_err();
1351 assert!(err.contains("only one of"), "got: {err}");
1352 }
1353
1354 #[test]
1355 fn manifest_deserialises_script_object_yaml() {
1356 // SPEC §2.4.1 example shape with the Object Store
1357 // reference picked over inline.
1358 let yaml = r#"
1359id: cleanup-disk-temp
1360version: 1.0.1
1361execute:
1362 shell: powershell
1363 script_object: cleanup-disk-temp/1.0.1
1364 timeout: 600s
1365"#;
1366 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1367 assert_eq!(
1368 m.execute.script_object.as_deref(),
1369 Some("cleanup-disk-temp/1.0.1")
1370 );
1371 assert!(m.execute.script.is_none());
1372 m.validate()
1373 .expect("script_object-only manifest passes validation");
1374 }
1375
1376 #[test]
1377 fn manifest_rejects_typo_in_script_field_name() {
1378 // #492: the strict create boundary catches `script_objectt`
1379 // and similar fat-fingers (with the full path) instead of
1380 // letting them silently fall through to "all three unset".
1381 let yaml = r#"
1382id: typo
1383version: 1.0.0
1384execute:
1385 shell: powershell
1386 script_objectt: oops
1387 timeout: 30s
1388"#;
1389 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
1390 .expect_err("typo'd execute field must be rejected at the write boundary");
1391 assert!(err.contains("execute.script_objectt"), "{err}");
1392 }
1393
1394 #[test]
1395 fn schedule_carries_target_and_rollout() {
1396 let yaml = r#"
1397id: hourly-cleanup-canary
1398when:
1399 per_pc: { every: 1h }
1400job_id: cleanup
1401enabled: true
1402target:
1403 groups: [canary, wave1]
1404jitter: 30s
1405rollout:
1406 strategy: wave
1407 waves:
1408 - { group: canary, delay: 0s }
1409 - { group: wave1, delay: 5s }
1410"#;
1411 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1412 assert_eq!(s.id, "hourly-cleanup-canary");
1413 assert_eq!(s.job_id, "cleanup");
1414 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
1415 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
1416 let rollout = s.plan.rollout.expect("rollout present");
1417 assert_eq!(rollout.waves.len(), 2);
1418 assert_eq!(rollout.waves[0].group, "canary");
1419 assert_eq!(rollout.waves[1].delay, "5s");
1420 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
1421 }
1422
1423 #[test]
1424 fn schedule_minimal_target_all() {
1425 let yaml = r#"
1426id: kitting
1427when:
1428 per_pc: once
1429enabled: true
1430job_id: scheduled-echo
1431target: { all: true }
1432"#;
1433 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1434 assert_eq!(s.id, "kitting");
1435 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
1436 assert!(s.enabled);
1437 assert_eq!(s.job_id, "scheduled-echo");
1438 assert!(s.plan.target.all);
1439 assert!(s.plan.rollout.is_none());
1440 assert!(s.plan.jitter.is_none());
1441 assert!(s.active.is_empty());
1442 }
1443
1444 #[test]
1445 fn schedule_enabled_defaults_to_true() {
1446 let yaml = r#"
1447id: x
1448when:
1449 per_pc: once
1450job_id: y
1451target: { all: true }
1452"#;
1453 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1454 assert!(s.enabled);
1455 }
1456
1457 #[test]
1458 fn schedule_tags_default_empty_and_skip_serialise() {
1459 let yaml = r#"
1460id: x
1461when:
1462 per_pc: once
1463job_id: y
1464target: { all: true }
1465"#;
1466 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1467 assert!(s.tags.is_empty());
1468 s.validate().expect("tag-less schedule validates");
1469 let json = serde_json::to_string(&s).expect("serialize");
1470 assert!(
1471 !json.contains("tags"),
1472 "empty tags must not serialise: {json}"
1473 );
1474 }
1475
1476 #[test]
1477 fn schedule_parses_and_validates_tags() {
1478 let yaml = r#"
1479id: weekly-cleanup
1480when:
1481 per_pc: { every: 1h }
1482job_id: cleanup
1483target: { all: true }
1484tags: [weekly, maintenance]
1485"#;
1486 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1487 assert_eq!(s.tags, vec!["weekly", "maintenance"]);
1488 s.validate().expect("tagged schedule validates");
1489 }
1490
1491 #[test]
1492 fn schedule_rejects_blank_tag() {
1493 let yaml = r#"
1494id: x
1495when:
1496 per_pc: once
1497job_id: y
1498target: { all: true }
1499tags: [ok, " "]
1500"#;
1501 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1502 let err = s.validate().expect_err("blank tag must fail");
1503 assert!(err.contains("tags must not contain empty"), "err: {err}");
1504 }
1505
1506 // ---- `when` parsing (#418 Phase 1) ----
1507
1508 fn schedule_yaml_with(when_block: &str) -> String {
1509 format!(
1510 r#"
1511id: x
1512when:
1513{when_block}
1514job_id: y
1515target: {{ all: true }}
1516"#
1517 )
1518 }
1519
1520 #[test]
1521 fn when_per_pc_every_parses_unquoted_humantime() {
1522 // `6h` is digit-led but non-numeric → YAML string, same as
1523 // the old `cooldown: 6h` convention. No quotes needed.
1524 let s: Schedule =
1525 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
1526 assert_eq!(
1527 s.when,
1528 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
1529 );
1530 }
1531
1532 #[test]
1533 fn when_per_target_every_parses() {
1534 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
1535 .expect("parse");
1536 assert_eq!(
1537 s.when,
1538 When::PerTarget(PerPolicy::Every(EverySpec {
1539 every: "24h".into()
1540 }))
1541 );
1542 }
1543
1544 #[test]
1545 fn when_per_target_once_parses() {
1546 // Falls out of the shared PerPolicy shape and decide_fire
1547 // already implements it ("any one pc succeeds → skip the
1548 // target forever"), so it is allowed, not rejected.
1549 let s: Schedule =
1550 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
1551 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
1552 }
1553
1554 #[test]
1555 fn when_calendar_time_parses() {
1556 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
1557 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
1558 ))
1559 .expect("parse");
1560 match &s.when {
1561 When::Calendar(c) => {
1562 assert_eq!(c.at, "09:00");
1563 assert_eq!(c.days, vec!["mon-fri"]);
1564 }
1565 other => panic!("expected calendar, got {other:?}"),
1566 }
1567 }
1568
1569 #[test]
1570 fn when_calendar_days_default_empty() {
1571 let s: Schedule =
1572 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
1573 .expect("parse");
1574 match &s.when {
1575 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
1576 other => panic!("expected calendar, got {other:?}"),
1577 }
1578 }
1579
1580 #[test]
1581 fn when_calendar_datetime_parses_all_separators() {
1582 // one-shot: date+time in hyphen / ISO-T / slash forms
1583 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
1584 let block = format!(" calendar:\n at: \"{at}\"");
1585 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
1586 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
1587 match &s.when {
1588 When::Calendar(c) => {
1589 use chrono::Datelike;
1590 let p = c.parse_at().expect("parse_at");
1591 let d = p.date.expect("datetime at carries a date");
1592 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
1593 }
1594 other => panic!("expected calendar, got {other:?}"),
1595 }
1596 }
1597 }
1598
1599 #[test]
1600 fn when_rejects_bad_once_keyword() {
1601 // `onec` must be a parse error, not a silently-absorbed
1602 // string (OnceLiteral is a single-variant enum for exactly
1603 // this reason).
1604 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
1605 assert!(r.is_err(), "expected parse error, got {r:?}");
1606 }
1607
1608 #[test]
1609 fn when_rejects_unknown_key_in_every() {
1610 // `{ evry: 6h }` still fails on the tolerant read path: the
1611 // required `every` key is missing, so no PerPolicy variant
1612 // matches (#492 removed deny_unknown_fields, but required
1613 // keys keep the untagged disambiguation honest).
1614 let r: Result<Schedule, _> =
1615 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
1616 assert!(r.is_err(), "expected parse error, got {r:?}");
1617 }
1618
1619 #[test]
1620 fn when_rejects_unknown_variant() {
1621 let r: Result<Schedule, _> =
1622 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
1623 assert!(r.is_err(), "expected parse error, got {r:?}");
1624 }
1625
1626 #[test]
1627 fn when_rejects_old_top_level_cron_field() {
1628 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
1629 // loudly (missing `when`), which is what turns stale KV
1630 // blobs into warn-skips after the upgrade.
1631 let yaml = r#"
1632id: x
1633cron: "* * * * * *"
1634job_id: y
1635target: { all: true }
1636"#;
1637 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
1638 assert!(r.is_err(), "expected parse error, got {r:?}");
1639 }
1640
1641 #[test]
1642 fn when_rejects_retired_cron_escape_hatch() {
1643 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
1644 // is now an unknown variant → parse error (operators use the
1645 // calendar form instead).
1646 let r: Result<Schedule, _> =
1647 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
1648 assert!(
1649 r.is_err(),
1650 "expected parse error for retired cron, got {r:?}"
1651 );
1652 }
1653
1654 #[test]
1655 fn when_round_trips_json_and_yaml() {
1656 // Round-trip through the full Schedule: that is the wire
1657 // unit for both stores (JSON catalog KV + YAML mirror), and
1658 // it exercises the singleton_map field attribute that keeps
1659 // serde_yaml on the map shape instead of `!per_pc` tags.
1660 for when in [
1661 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1662 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1663 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1664 When::PerTarget(PerPolicy::Every(EverySpec {
1665 every: "24h".into(),
1666 })),
1667 calendar("09:00", &["mon-fri"]),
1668 calendar("2026-06-10 09:00", &[]),
1669 When::On(vec![OnTrigger::Startup]),
1670 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
1671 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
1672 When::On(vec![OnTrigger::NetworkChange]),
1673 ] {
1674 // Event triggers are agent-only; the rest validate on backend.
1675 let runs_on = if matches!(when, When::On(_)) {
1676 RunsOn::Agent
1677 } else {
1678 RunsOn::Backend
1679 };
1680 let s = schedule_with(when.clone(), runs_on);
1681
1682 let json = serde_json::to_string(&s).expect("json serialise");
1683 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
1684 assert_eq!(back.when, when, "json round-trip for {when}");
1685
1686 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
1687 assert!(
1688 !yaml.contains('!'),
1689 "yaml must use the map shape, not tags: {yaml}"
1690 );
1691 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
1692 assert_eq!(back.when, when, "yaml round-trip for {when}");
1693 }
1694 }
1695
1696 #[test]
1697 fn when_once_serialises_as_bare_keyword() {
1698 // The wire shape operators see in the YAML mirror must stay
1699 // the ergonomic `per_pc: once`, not a one-variant map.
1700 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
1701 .expect("serialise");
1702 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
1703 }
1704
1705 #[test]
1706 fn when_displays_operator_summary() {
1707 for (when, expected) in [
1708 (
1709 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1710 "per_pc once",
1711 ),
1712 (
1713 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1714 "per_pc every 6h",
1715 ),
1716 (
1717 When::PerTarget(PerPolicy::Every(EverySpec {
1718 every: "24h".into(),
1719 })),
1720 "per_target every 24h",
1721 ),
1722 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
1723 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
1724 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
1725 (
1726 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
1727 "on [startup,logon]",
1728 ),
1729 (
1730 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
1731 "on [lock,unlock]",
1732 ),
1733 (
1734 When::On(vec![OnTrigger::NetworkChange]),
1735 "on [network_change]",
1736 ),
1737 ] {
1738 assert_eq!(when.to_string(), expected);
1739 }
1740 }
1741
1742 // ---- lowering (#418: when → engine vocabulary) ----
1743
1744 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
1745 Schedule {
1746 id: "x".into(),
1747 when,
1748 job_id: "y".into(),
1749 plan: FanoutPlan::default(),
1750 active: Active::default(),
1751 constraints: Constraints::default(),
1752 on_failure: OnFailure::default(),
1753 tz: ScheduleTz::default(),
1754 starting_deadline: None,
1755 runs_on,
1756 enabled: true,
1757 tags: Vec::new(),
1758 }
1759 }
1760
1761 fn calendar(at: &str, days: &[&str]) -> When {
1762 When::Calendar(CalendarSpec {
1763 at: at.into(),
1764 days: days.iter().map(|d| (*d).to_string()).collect(),
1765 })
1766 }
1767
1768 #[test]
1769 fn next_calendar_fire_returns_next_utc_occurrence() {
1770 use chrono::TimeZone;
1771 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
1772 // next strict occurrence is 09:00 that day.
1773 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
1774 s.tz = ScheduleTz::Utc;
1775 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
1776 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
1777 assert_eq!(
1778 next,
1779 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
1780 );
1781 }
1782
1783 #[test]
1784 fn next_calendar_fire_is_strictly_after_now() {
1785 use chrono::TimeZone;
1786 // Standing exactly on a fire instant must preview the *next*
1787 // one (inclusive = false), not the one firing right now.
1788 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
1789 s.tz = ScheduleTz::Utc;
1790 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
1791 let next = s
1792 .next_calendar_fire(on_fire)
1793 .expect("calendar has a next fire");
1794 assert_eq!(
1795 next,
1796 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
1797 );
1798 }
1799
1800 #[test]
1801 fn next_calendar_fire_none_for_reconcile_shapes() {
1802 // `per_pc` / `per_target` lower to the every-minute poll cron —
1803 // no discrete upcoming event to preview, so `None`.
1804 let now = chrono::Utc::now();
1805 for when in [
1806 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1807 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1808 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1809 When::PerTarget(PerPolicy::Every(EverySpec {
1810 every: "24h".into(),
1811 })),
1812 ] {
1813 let s = schedule_with(when, RunsOn::Backend);
1814 assert!(
1815 s.next_calendar_fire(now).is_none(),
1816 "reconcile shapes have no calendar fire",
1817 );
1818 }
1819 }
1820
1821 // ---- preview_fires (#418 dry-run / preview) ----
1822
1823 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
1824 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
1825 s.tz = ScheduleTz::Utc; // host-independent assertions
1826 s
1827 }
1828
1829 #[test]
1830 fn preview_lists_next_calendar_occurrences() {
1831 use chrono::TimeZone;
1832 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
1833 // fires skip the weekend (Sat 13 / Sun 14).
1834 let s = cal_utc("09:00", &["mon-fri"]);
1835 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1836 let got = s.preview_fires(now, 5);
1837 let want: Vec<_> = [
1838 (2026, 6, 10), // Wed
1839 (2026, 6, 11), // Thu
1840 (2026, 6, 12), // Fri
1841 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
1842 (2026, 6, 16), // Tue
1843 ]
1844 .iter()
1845 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
1846 .collect();
1847 assert_eq!(got, want);
1848 }
1849
1850 #[test]
1851 fn preview_handles_nth_and_last_weekday() {
1852 use chrono::TimeZone;
1853 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
1854 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
1855 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
1856 assert_eq!(
1857 nth,
1858 vec![
1859 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
1860 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
1861 ]
1862 );
1863 // Last Friday of the month: Jun 26, Jul 31 2026.
1864 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
1865 assert_eq!(
1866 last,
1867 vec![
1868 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
1869 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
1870 ]
1871 );
1872 }
1873
1874 #[test]
1875 fn preview_is_empty_for_reconcile_and_zero_count() {
1876 let now = chrono::Utc::now();
1877 // reconcile shapes have no discrete fire times
1878 let recon = schedule_with(
1879 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1880 RunsOn::Backend,
1881 );
1882 assert!(recon.preview_fires(now, 5).is_empty());
1883 // count == 0 yields nothing even for a calendar
1884 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
1885 }
1886
1887 #[test]
1888 fn preview_skips_outside_active_window() {
1889 use chrono::TimeZone;
1890 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
1891 // before `from` are skipped; `until` is exclusive, so 06-17's
1892 // fire is out — leaving exactly the 15th and 16th.
1893 let mut s = cal_utc("09:00", &[]);
1894 s.active = Active {
1895 from: Some("2026-06-15".into()),
1896 until: Some("2026-06-17".into()),
1897 };
1898 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1899 let got = s.preview_fires(now, 5);
1900 assert_eq!(
1901 got,
1902 vec![
1903 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
1904 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
1905 ]
1906 );
1907 }
1908
1909 #[test]
1910 fn preview_empty_when_calendar_time_outside_window() {
1911 use chrono::TimeZone;
1912 // Fires at 09:00 but the maintenance window is overnight — it can
1913 // never run, so the preview is empty (matches
1914 // `calendar_outside_window`), and the scan still terminates.
1915 let mut s = cal_utc("09:00", &[]);
1916 s.constraints = Constraints {
1917 window: Some("22:00-05:00".into()),
1918 ..Constraints::default()
1919 };
1920 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1921 assert!(s.preview_fires(now, 5).is_empty());
1922 // Every candidate tick is rejected, so this also exercises the
1923 // SCAN_CAP bound: a large `count` must still terminate (and
1924 // return empty) rather than spin (claude #578 review).
1925 assert!(s.preview_fires(now, 50).is_empty());
1926 }
1927
1928 #[test]
1929 fn preview_past_one_shot_is_empty() {
1930 use chrono::TimeZone;
1931 // A dated one-shot whose instant has passed never fires again.
1932 let s = cal_utc("2026-06-10 09:00", &[]);
1933 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
1934 assert!(s.preview_fires(now, 5).is_empty());
1935 // …but from before it, the single future fire shows up.
1936 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
1937 assert_eq!(
1938 s.preview_fires(before, 5),
1939 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
1940 );
1941 }
1942
1943 #[test]
1944 fn lowering_matches_the_418_table() {
1945 let cases = [
1946 (
1947 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1948 (POLL_CRON, ExecMode::OncePerPc, None),
1949 ),
1950 (
1951 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1952 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
1953 ),
1954 (
1955 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1956 (POLL_CRON, ExecMode::OncePerTarget, None),
1957 ),
1958 (
1959 When::PerTarget(PerPolicy::Every(EverySpec {
1960 every: "24h".into(),
1961 })),
1962 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
1963 ),
1964 // calendar repeating → 6-field cron
1965 (
1966 calendar("09:00", &["mon-fri"]),
1967 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
1968 ),
1969 // calendar daily (no days) → DOW *
1970 (
1971 calendar("18:30", &[]),
1972 ("0 30 18 * * *", ExecMode::EveryTick, None),
1973 ),
1974 // calendar one-shot → 7-field year cron
1975 (
1976 calendar("2026-06-10 09:00", &[]),
1977 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
1978 ),
1979 ];
1980 for (when, (cron, mode, cooldown)) in cases {
1981 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
1982 assert_eq!(l.cron, cron, "cron for {when}");
1983 assert_eq!(l.mode, mode, "mode for {when}");
1984 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
1985 }
1986 }
1987
1988 #[test]
1989 fn lowered_carries_schedule_tz() {
1990 for (tz, want) in [
1991 (ScheduleTz::Local, ScheduleTz::Local),
1992 (ScheduleTz::Utc, ScheduleTz::Utc),
1993 ] {
1994 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
1995 s.tz = tz;
1996 assert_eq!(s.lowered().tz, want, "calendar carries tz");
1997 // reconcile shapes carry tz too (for the active-window check)
1998 let mut s = schedule_with(
1999 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2000 RunsOn::Backend,
2001 );
2002 s.tz = tz;
2003 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
2004 }
2005 }
2006
2007 #[test]
2008 fn poll_cron_is_accepted_by_the_engine_parser() {
2009 // POLL_CRON is system-generated — if the engine's parser
2010 // ever rejected it every reconcile schedule would die at
2011 // register time. Validate it with the same croner config
2012 // (Seconds::Required, dom_and_dow, year optional).
2013 croner::parser::CronParser::builder()
2014 .seconds(croner::parser::Seconds::Required)
2015 .dom_and_dow(true)
2016 .build()
2017 .parse(POLL_CRON)
2018 .expect("POLL_CRON must parse");
2019 }
2020
2021 // ---- Schedule::validate() (#418 decision F) ----
2022
2023 #[test]
2024 fn validate_accepts_reconcile_shapes() {
2025 for when in [
2026 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2027 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2028 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2029 When::PerTarget(PerPolicy::Every(EverySpec {
2030 every: "24h".into(),
2031 })),
2032 ] {
2033 schedule_with(when.clone(), RunsOn::Backend)
2034 .validate()
2035 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
2036 }
2037 }
2038
2039 #[test]
2040 fn validate_accepts_per_pc_on_agent() {
2041 schedule_with(
2042 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
2043 RunsOn::Agent,
2044 )
2045 .validate()
2046 .expect("per_pc + agent is the offline-inventory shape");
2047 }
2048
2049 // ---- #418 event triggers (when: { on }) ----
2050
2051 #[test]
2052 fn validate_accepts_event_on_agent() {
2053 for triggers in [
2054 vec![OnTrigger::Startup],
2055 vec![OnTrigger::Logon],
2056 vec![OnTrigger::Lock],
2057 vec![OnTrigger::Unlock],
2058 vec![OnTrigger::NetworkChange],
2059 vec![
2060 OnTrigger::Startup,
2061 OnTrigger::Logon,
2062 OnTrigger::Lock,
2063 OnTrigger::Unlock,
2064 OnTrigger::NetworkChange,
2065 ],
2066 ] {
2067 schedule_with(When::On(triggers), RunsOn::Agent)
2068 .validate()
2069 .expect("when.on is valid on runs_on: agent");
2070 }
2071 }
2072
2073 #[test]
2074 fn validate_rejects_event_on_backend() {
2075 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
2076 .validate()
2077 .unwrap_err();
2078 assert!(err.contains("when.on"), "got: {err}");
2079 assert!(err.contains("runs_on: agent"), "got: {err}");
2080 }
2081
2082 #[test]
2083 fn validate_rejects_empty_event_list() {
2084 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
2085 .validate()
2086 .unwrap_err();
2087 assert!(err.contains("when.on"), "got: {err}");
2088 assert!(err.contains("at least one"), "got: {err}");
2089 }
2090
2091 #[test]
2092 fn event_schedule_lowers_to_event_mode_and_is_event() {
2093 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
2094 assert!(s.is_event());
2095 assert_eq!(s.lowered().mode, ExecMode::Event);
2096 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
2097 // non-event schedules report no triggers.
2098 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2099 assert!(!cal.is_event());
2100 assert!(cal.event_triggers().is_empty());
2101 }
2102
2103 // ---- #418 constraints.require (env gates) ----
2104
2105 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
2106 let mut s = schedule_with(
2107 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
2108 runs_on,
2109 );
2110 s.constraints.require = Some(req);
2111 s
2112 }
2113
2114 #[test]
2115 fn require_met_combinations() {
2116 use std::time::Duration;
2117 let idle = |m: u64| Some(Duration::from_secs(m * 60));
2118 // Builder for the sensed state: (ac, idle, cpu, network).
2119 let env = |ac, idle, cpu, net| EnvState {
2120 ac_online: ac,
2121 idle,
2122 cpu_pct: cpu,
2123 network_up: net,
2124 };
2125 // Empty require — always met regardless of sensed state.
2126 assert!(require_met(
2127 &Require::default(),
2128 &env(false, None, None, false)
2129 ));
2130 // ac_power: only on AC.
2131 let ac = Require {
2132 ac_power: true,
2133 ..Default::default()
2134 };
2135 assert!(!require_met(&ac, &env(false, None, None, true)));
2136 assert!(require_met(&ac, &env(true, None, None, false)));
2137 // idle: needs >= the configured min; None idle never satisfies.
2138 let idle10 = Require {
2139 idle: Some("10m".into()),
2140 ..Default::default()
2141 };
2142 assert!(!require_met(&idle10, &env(true, None, None, true)));
2143 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
2144 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
2145 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
2146 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
2147 let cpu20 = Require {
2148 cpu_below: Some(20.0),
2149 ..Default::default()
2150 };
2151 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
2152 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
2153 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
2154 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
2155 // network: only when online.
2156 let net = Require {
2157 network: true,
2158 ..Default::default()
2159 };
2160 assert!(!require_met(&net, &env(true, None, None, false))); // offline
2161 assert!(require_met(&net, &env(true, None, None, true))); // online
2162 // all four: AND.
2163 let all = Require {
2164 ac_power: true,
2165 idle: Some("10m".into()),
2166 cpu_below: Some(20.0),
2167 network: true,
2168 };
2169 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
2170 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
2171 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
2172 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
2173 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
2174 // An unparseable idle is treated as no-requirement by require_met
2175 // (validate rejects it at create time, so this only guards a
2176 // hand-edited blob): ac still gates.
2177 let bad = Require {
2178 ac_power: true,
2179 idle: Some("garbage".into()),
2180 ..Default::default()
2181 };
2182 assert!(require_met(&bad, &env(true, None, None, true)));
2183 assert!(!require_met(&bad, &env(false, None, None, true)));
2184 }
2185
2186 #[test]
2187 fn validate_accepts_and_rejects_cpu_below() {
2188 // In-range accepted.
2189 require_schedule(
2190 Require {
2191 cpu_below: Some(20.0),
2192 ..Default::default()
2193 },
2194 RunsOn::Agent,
2195 )
2196 .validate()
2197 .expect("cpu_below 20 is valid");
2198 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
2199 // 100%). Pins the inclusive upper bound against a future c < 100.0.
2200 require_schedule(
2201 Require {
2202 cpu_below: Some(100.0),
2203 ..Default::default()
2204 },
2205 RunsOn::Agent,
2206 )
2207 .validate()
2208 .expect("cpu_below 100 is valid");
2209 // Out of range rejected (0 and >100).
2210 for bad in [0.0, -5.0, 100.1] {
2211 let err = require_schedule(
2212 Require {
2213 cpu_below: Some(bad),
2214 ..Default::default()
2215 },
2216 RunsOn::Agent,
2217 )
2218 .validate()
2219 .unwrap_err();
2220 assert!(
2221 err.contains("constraints.require.cpu_below"),
2222 "cpu_below {bad}: {err}"
2223 );
2224 }
2225 }
2226
2227 #[test]
2228 fn validate_accepts_require_on_agent() {
2229 require_schedule(
2230 Require {
2231 ac_power: true,
2232 idle: Some("10m".into()),
2233 cpu_below: Some(20.0),
2234 network: true,
2235 },
2236 RunsOn::Agent,
2237 )
2238 .validate()
2239 .expect("constraints.require is valid on runs_on: agent");
2240 }
2241
2242 #[test]
2243 fn validate_rejects_require_on_backend() {
2244 let err = require_schedule(
2245 Require {
2246 ac_power: true,
2247 ..Default::default()
2248 },
2249 RunsOn::Backend,
2250 )
2251 .validate()
2252 .unwrap_err();
2253 assert!(err.contains("constraints.require"), "got: {err}");
2254 assert!(err.contains("runs_on: agent"), "got: {err}");
2255
2256 // An idle-only require (ac_power: false) is also non-empty
2257 // (is_empty folds the fields) and must reject on backend too —
2258 // guards against a regression in Require::is_empty.
2259 let err = require_schedule(
2260 Require {
2261 idle: Some("10m".into()),
2262 ..Default::default()
2263 },
2264 RunsOn::Backend,
2265 )
2266 .validate()
2267 .unwrap_err();
2268 assert!(
2269 err.contains("constraints.require"),
2270 "idle-only on backend: {err}"
2271 );
2272 }
2273
2274 #[test]
2275 fn validate_rejects_bad_require_idle() {
2276 let err = require_schedule(
2277 Require {
2278 idle: Some("not-a-duration".into()),
2279 ..Default::default()
2280 },
2281 RunsOn::Agent,
2282 )
2283 .validate()
2284 .unwrap_err();
2285 assert!(err.contains("constraints.require.idle"), "got: {err}");
2286 }
2287
2288 #[test]
2289 fn require_round_trips_and_skips_empty() {
2290 // ac_power: false is skipped; an all-default require nested in
2291 // constraints is omitted (is_empty folds it in).
2292 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
2293 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
2294 network: true } }\n";
2295 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2296 let req = s.constraints.require.as_ref().expect("require present");
2297 assert!(req.ac_power);
2298 assert_eq!(req.idle.as_deref(), Some("10m"));
2299 assert_eq!(req.cpu_below, Some(20.0));
2300 assert!(req.network);
2301 // Re-serialize: idle + cpu_below + network present, ac_power true.
2302 let back = serde_json::to_string(&s.constraints).unwrap();
2303 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
2304 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
2305 assert!(back.contains("\"network\":true"), "got: {back}");
2306 // An empty require is omitted entirely by is_empty.
2307 let mut empty = s.clone();
2308 empty.constraints.require = Some(Require::default());
2309 assert!(empty.constraints.is_empty());
2310 }
2311
2312 #[test]
2313 fn validate_rejects_per_target_on_agent() {
2314 let err = schedule_with(
2315 When::PerTarget(PerPolicy::Every(EverySpec {
2316 every: "24h".into(),
2317 })),
2318 RunsOn::Agent,
2319 )
2320 .validate()
2321 .unwrap_err();
2322 assert!(err.contains("per_target"), "got: {err}");
2323 assert!(err.contains("runs_on: agent"), "got: {err}");
2324
2325 // per_target: once is also backend-only.
2326 let err = schedule_with(
2327 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2328 RunsOn::Agent,
2329 )
2330 .validate()
2331 .unwrap_err();
2332 assert!(err.contains("per_target"), "got (once): {err}");
2333 assert!(err.contains("runs_on: agent"), "got (once): {err}");
2334 }
2335
2336 #[test]
2337 fn validate_rejects_bad_every_duration() {
2338 let err = schedule_with(
2339 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
2340 RunsOn::Backend,
2341 )
2342 .validate()
2343 .unwrap_err();
2344 assert!(err.contains("when.every"), "got: {err}");
2345 }
2346
2347 #[test]
2348 fn validate_rejects_bad_jitter_and_starting_deadline() {
2349 let mut s = schedule_with(
2350 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2351 RunsOn::Backend,
2352 );
2353 s.plan.jitter = Some("5x".into());
2354 let err = s.validate().unwrap_err();
2355 assert!(err.contains("jitter"), "got: {err}");
2356
2357 let mut s = schedule_with(
2358 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2359 RunsOn::Backend,
2360 );
2361 s.starting_deadline = Some("soon".into());
2362 let err = s.validate().unwrap_err();
2363 assert!(err.contains("starting_deadline"), "got: {err}");
2364 }
2365
2366 #[test]
2367 fn validate_accepts_calendar_shapes() {
2368 for when in [
2369 calendar("09:00", &["mon-fri"]), // weekday morning
2370 calendar("00:00", &["sun"]), // weekly
2371 calendar("18:30", &[]), // daily
2372 calendar("2026-06-10 09:00", &[]), // one-shot
2373 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
2374 ] {
2375 schedule_with(when.clone(), RunsOn::Backend)
2376 .validate()
2377 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
2378 }
2379 }
2380
2381 #[test]
2382 fn validate_rejects_bad_at() {
2383 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
2384 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
2385 .validate()
2386 .unwrap_err();
2387 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
2388 }
2389 }
2390
2391 #[test]
2392 fn validate_rejects_datetime_at_with_days() {
2393 // A dated `at` is a one-shot — pairing it with days is a
2394 // contradiction (the date already pins the day).
2395 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
2396 .validate()
2397 .unwrap_err();
2398 assert!(
2399 err.contains("one-shot") && err.contains("days"),
2400 "got: {err}"
2401 );
2402 }
2403
2404 #[test]
2405 fn validate_rejects_bad_day_name() {
2406 // A garbage DOW token is caught by the days pre-flight and
2407 // reported against `when.days`, not the confusing
2408 // "when.at lowered to invalid cron" (claude #432 review).
2409 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
2410 .validate()
2411 .unwrap_err();
2412 assert!(err.contains("when.days"), "got: {err}");
2413 assert!(err.contains("funday"), "names the bad token: {err}");
2414 // a degenerate range like `mon-` reports the whole token, not
2415 // a cryptic empty part (claude #432 follow-up)
2416 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
2417 .validate()
2418 .unwrap_err();
2419 assert!(err.contains("'mon-'"), "names the whole token: {err}");
2420 // valid names / ranges / numeric / * all pass
2421 for ok in [
2422 calendar("09:00", &["mon-fri"]),
2423 calendar("09:00", &["mon", "wed", "sun"]),
2424 calendar("09:00", &["1-5"]),
2425 ] {
2426 schedule_with(ok.clone(), RunsOn::Backend)
2427 .validate()
2428 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2429 }
2430 }
2431
2432 #[test]
2433 fn validate_accepts_nth_weekday() {
2434 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
2435 // a cron and parses it with croner, so passing here proves the
2436 // whole chain — token → DOW field → engine-acceptable cron.
2437 for ok in [
2438 calendar("09:00", &["tue#2"]), // 2nd Tuesday
2439 calendar("09:00", &["fri#1"]), // 1st Friday
2440 calendar("03:00", &["sun#5"]), // 5th Sunday
2441 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
2442 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
2443 // Case-insensitive both sides: validate lowercases, croner
2444 // upper-cases the whole pattern before aliasing (claude #547).
2445 calendar("09:00", &["TUE#2"]),
2446 ] {
2447 schedule_with(ok.clone(), RunsOn::Backend)
2448 .validate()
2449 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2450 }
2451 }
2452
2453 #[test]
2454 fn validate_rejects_bad_nth_weekday() {
2455 // ordinal out of 1..5, a range with #, and a bad day before #.
2456 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
2457 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2458 .validate()
2459 .unwrap_err();
2460 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2461 }
2462 }
2463
2464 #[test]
2465 fn validate_accepts_last_weekday() {
2466 // #418: last-weekday (`friL` = last Friday). Like the nth case,
2467 // validate() lowers to a cron and round-trips it through croner,
2468 // so passing proves token → DOW field → engine-acceptable cron
2469 // with the verified last-<dow>-of-month semantics.
2470 for ok in [
2471 calendar("09:00", &["friL"]), // last Friday
2472 calendar("03:00", &["sunL"]), // last Sunday
2473 calendar("22:00", &["5L"]), // numeric DOW + last
2474 calendar("00:00", &["0L"]), // numeric Sunday (0…
2475 calendar("00:00", &["7L"]), // …and its 7 alias)
2476 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
2477 // Case-insensitive both the weekday and the `L` suffix:
2478 // validate lowercases the day, croner upper-cases the whole
2479 // pattern before aliasing (claude #547).
2480 calendar("09:00", &["FRIL"]),
2481 calendar("09:00", &["fril"]),
2482 ] {
2483 schedule_with(ok.clone(), RunsOn::Backend)
2484 .validate()
2485 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2486 }
2487 }
2488
2489 #[test]
2490 fn validate_rejects_bad_last_weekday() {
2491 // bare `L` (no weekday — a footgun croner reads as Saturday), a
2492 // range with L, a bad day before L, and an internal space that
2493 // would otherwise leak a malformed cron downstream (gemini #560).
2494 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
2495 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2496 .validate()
2497 .unwrap_err();
2498 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2499 }
2500 }
2501
2502 #[test]
2503 fn calendar_oneshot_instant_detects_past() {
2504 use chrono::TimeZone;
2505 // a dated `at` resolves to an absolute instant…
2506 let c = CalendarSpec {
2507 at: "2024-01-01 09:00".into(),
2508 days: vec![],
2509 };
2510 let t = c
2511 .oneshot_instant(ScheduleTz::Utc)
2512 .expect("one-shot instant");
2513 assert_eq!(
2514 t,
2515 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
2516 );
2517 assert!(t < chrono::Utc::now(), "2024 is in the past");
2518 // …while a repeating (time-only) calendar has no instant
2519 let rep = CalendarSpec {
2520 at: "09:00".into(),
2521 days: vec!["mon-fri".into()],
2522 };
2523 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
2524 }
2525
2526 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
2527 let mut s = schedule_with(
2528 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2529 RunsOn::Backend,
2530 );
2531 s.active = Active {
2532 from: from.map(str::to_owned),
2533 until: until.map(str::to_owned),
2534 };
2535 s
2536 }
2537
2538 #[test]
2539 fn validate_accepts_active_window() {
2540 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
2541 .validate()
2542 .expect("date + rfc3339 bounds should validate");
2543 }
2544
2545 #[test]
2546 fn validate_rejects_unparseable_active_bound() {
2547 let err = schedule_with_active(Some("July 1st"), None)
2548 .validate()
2549 .unwrap_err();
2550 assert!(err.contains("active"), "got: {err}");
2551 }
2552
2553 #[test]
2554 fn validate_rejects_from_not_before_until() {
2555 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
2556 .validate()
2557 .unwrap_err();
2558 assert!(err.contains("strictly before"), "got: {err}");
2559
2560 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
2561 .validate()
2562 .unwrap_err();
2563 assert!(err.contains("strictly before"), "got: {err}");
2564 }
2565
2566 // ---- Active window semantics ----
2567
2568 #[test]
2569 fn active_window_is_half_open() {
2570 use chrono::TimeZone;
2571 let active = Active {
2572 from: Some("2026-07-01".into()),
2573 until: Some("2026-08-01".into()),
2574 };
2575 // UTC tz so the date bounds are UTC midnight.
2576 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
2577 let c = |t| active.contains(t, ScheduleTz::Utc);
2578 assert!(!c(at(2026, 6, 30, 23)), "before from");
2579 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
2580 assert!(c(at(2026, 7, 15, 12)), "inside");
2581 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
2582 assert!(!c(at(2026, 8, 2, 0)), "after until");
2583 }
2584
2585 #[test]
2586 fn active_empty_window_is_always_active() {
2587 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
2588 }
2589
2590 #[test]
2591 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
2592 use chrono::TimeZone;
2593 let active = Active {
2594 from: Some("2026-07-01T09:00:00+09:00".into()),
2595 until: None,
2596 };
2597 // RFC3339 carries its own offset → tz arg is ignored.
2598 // 09:00 JST = 00:00 UTC.
2599 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
2600 assert!(
2601 !active.contains(
2602 chrono::Utc
2603 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
2604 .unwrap(),
2605 tz
2606 )
2607 );
2608 assert!(active.contains(
2609 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
2610 tz
2611 ));
2612 }
2613 }
2614
2615 #[test]
2616 fn active_date_bound_respects_tz() {
2617 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
2618 // tz* (#418 Phase 2). The UTC interpretation is exact and
2619 // host-independent; assert that precisely.
2620 use chrono::TimeZone;
2621 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
2622 assert_eq!(
2623 utc,
2624 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
2625 );
2626
2627 // The local interpretation must equal what chrono::Local
2628 // computes for the same wall-clock midnight — proves the tz
2629 // path is wired to the host zone (the magnitude vs UTC is
2630 // host-dependent, so we compare against Local directly rather
2631 // than hard-coding the JST offset, keeping CI green on UTC
2632 // runners).
2633 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
2634 let want = chrono::Local
2635 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
2636 .single()
2637 .expect("local midnight is unambiguous")
2638 .with_timezone(&chrono::Utc);
2639 assert_eq!(local, want, "date bound resolved in host-local tz");
2640 }
2641
2642 #[test]
2643 fn active_empty_is_skipped_when_serialising() {
2644 let s = schedule_with(
2645 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2646 RunsOn::Backend,
2647 );
2648 let json = serde_json::to_value(&s).expect("serialise");
2649 assert!(
2650 json.get("active").is_none(),
2651 "empty active must not appear on the wire: {json}"
2652 );
2653 }
2654
2655 // ---- constraints.window (#418 Phase 3) ----
2656
2657 fn with_window(win: &str) -> Schedule {
2658 let mut s = schedule_with(
2659 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2660 RunsOn::Backend,
2661 );
2662 s.constraints.window = Some(win.into());
2663 s
2664 }
2665
2666 #[test]
2667 fn constraints_window_parses_and_round_trips() {
2668 let yaml = r#"
2669id: x
2670when:
2671 per_pc: { every: 6h }
2672job_id: y
2673target: { all: true }
2674constraints:
2675 window: "22:00-05:00"
2676"#;
2677 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2678 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
2679 let back: Schedule =
2680 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
2681 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
2682 }
2683
2684 #[test]
2685 fn constraints_empty_is_skipped_when_serialising() {
2686 let s = schedule_with(
2687 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2688 RunsOn::Backend,
2689 );
2690 let json = serde_json::to_value(&s).expect("serialise");
2691 assert!(
2692 json.get("constraints").is_none(),
2693 "empty constraints must not appear on the wire: {json}"
2694 );
2695 }
2696
2697 #[test]
2698 fn window_no_constraint_always_allows() {
2699 let c = Constraints::default();
2700 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
2701 }
2702
2703 #[test]
2704 fn window_same_day_is_half_open() {
2705 use chrono::TimeZone;
2706 let s = with_window("09:00-17:00");
2707 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2708 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2709 assert!(!a(at(8, 59)), "before start");
2710 assert!(a(at(9, 0)), "at start (inclusive)");
2711 assert!(a(at(16, 59)), "inside");
2712 assert!(!a(at(17, 0)), "at end (exclusive)");
2713 assert!(!a(at(23, 0)), "after end");
2714 }
2715
2716 #[test]
2717 fn window_crossing_midnight() {
2718 use chrono::TimeZone;
2719 let s = with_window("22:00-05:00");
2720 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2721 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2722 assert!(a(at(22, 0)), "at start tonight");
2723 assert!(a(at(23, 30)), "late tonight");
2724 assert!(a(at(3, 0)), "early tomorrow");
2725 assert!(!a(at(5, 0)), "at end (exclusive)");
2726 assert!(!a(at(12, 0)), "midday outside");
2727 assert!(!a(at(21, 59)), "just before start");
2728 }
2729
2730 #[test]
2731 fn window_respects_tz() {
2732 // The same instant is inside the window under one tz and may
2733 // be outside under another. Compare UTC vs Local via the
2734 // host's own offset (kept CI-green on UTC runners like the
2735 // active tz test does).
2736 use chrono::TimeZone;
2737 let s = with_window("09:00-17:00");
2738 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
2739 // Under UTC, 12:00 is inside 09:00-17:00.
2740 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
2741 // Under Local, the verdict tracks the host wall-clock time;
2742 // assert it matches a direct wall_time membership check.
2743 let local_t = noon_utc.with_timezone(&chrono::Local).time();
2744 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
2745 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
2746 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
2747 }
2748
2749 #[test]
2750 fn validate_accepts_good_window() {
2751 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
2752 with_window(w)
2753 .validate()
2754 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
2755 }
2756 }
2757
2758 #[test]
2759 fn validate_rejects_bad_window() {
2760 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
2761 let err = with_window(bad).validate().unwrap_err();
2762 assert!(
2763 err.contains("constraints.window"),
2764 "for '{bad}', got: {err}"
2765 );
2766 }
2767 }
2768
2769 // ---- constraints.skip_dates (#418 holiday exclusion) ----
2770
2771 fn with_skip_dates(dates: &[&str]) -> Schedule {
2772 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2773 s.tz = ScheduleTz::Utc; // host-independent date assertions
2774 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
2775 s
2776 }
2777
2778 #[test]
2779 fn allows_blocks_listed_skip_date() {
2780 use chrono::TimeZone;
2781 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
2782 // Any time on a listed date is blocked (whole day).
2783 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
2784 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
2785 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
2786 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
2787 // A date not in the list fires normally.
2788 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
2789 assert!(s.constraints.allows(off, ScheduleTz::Utc));
2790 }
2791
2792 #[test]
2793 fn allows_corrupt_skip_date_fails_closed() {
2794 use chrono::TimeZone;
2795 // A garbled entry (only reachable via hand-edited KV) blocks
2796 // rather than silently re-enabling fires — same posture as a
2797 // corrupt window.
2798 let s = with_skip_dates(&["not-a-date"]);
2799 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
2800 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
2801 }
2802
2803 #[test]
2804 fn validate_accepts_good_skip_dates() {
2805 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
2806 .validate()
2807 .expect("well-formed skip dates should validate");
2808 }
2809
2810 #[test]
2811 fn validate_rejects_bad_skip_date() {
2812 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
2813 let err = with_skip_dates(&[bad]).validate().unwrap_err();
2814 assert!(
2815 err.contains("constraints.skip_dates"),
2816 "for '{bad}', got: {err}"
2817 );
2818 }
2819 }
2820
2821 #[test]
2822 fn preview_skips_holidays() {
2823 use chrono::TimeZone;
2824 // Daily 09:00 with two of the next five days marked as holidays
2825 // — preview drops exactly those, since it gates on `allows`.
2826 let mut s = cal_utc("09:00", &[]);
2827 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
2828 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2829 let got = s.preview_fires(now, 4);
2830 let want: Vec<_> = [
2831 (2026, 6, 10),
2832 (2026, 6, 12), // skips 06-11
2833 (2026, 6, 14), // skips 06-13
2834 (2026, 6, 15),
2835 ]
2836 .iter()
2837 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
2838 .collect();
2839 assert_eq!(got, want);
2840 }
2841
2842 // ---- constraints.max_concurrent (#418) ----
2843
2844 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
2845 let mut s = schedule_with(
2846 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2847 runs_on,
2848 );
2849 s.constraints.max_concurrent = Some(max);
2850 s
2851 }
2852
2853 #[test]
2854 fn validate_accepts_backend_max_concurrent() {
2855 with_max_concurrent(5, RunsOn::Backend)
2856 .validate()
2857 .expect("backend max_concurrent should validate");
2858 }
2859
2860 #[test]
2861 fn validate_rejects_max_concurrent_on_agent() {
2862 // Decision E: a central running-instance cap needs a central
2863 // counter, which agents don't have.
2864 let err = with_max_concurrent(5, RunsOn::Agent)
2865 .validate()
2866 .unwrap_err();
2867 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
2868 assert!(err.contains("runs_on: agent"), "got: {err}");
2869 }
2870
2871 #[test]
2872 fn validate_rejects_zero_max_concurrent() {
2873 let err = with_max_concurrent(0, RunsOn::Backend)
2874 .validate()
2875 .unwrap_err();
2876 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
2877 }
2878
2879 #[test]
2880 fn max_concurrent_round_trips_and_skips_when_absent() {
2881 let s = with_max_concurrent(3, RunsOn::Backend);
2882 let json = serde_json::to_value(&s.constraints).expect("ser");
2883 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
2884 // A schedule with no constraints omits the whole block.
2885 let bare = schedule_with(
2886 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2887 RunsOn::Backend,
2888 );
2889 assert!(bare.constraints.is_empty());
2890 }
2891
2892 #[test]
2893 fn window_fail_closed_on_corrupt_blob() {
2894 // A malformed window (only reachable via a hand-edited KV
2895 // blob — validate() rejects it at create) must BLOCK, not
2896 // silently allow fires during a change-freeze (gemini #452).
2897 let s = with_window("22:00_05:00");
2898 assert!(
2899 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
2900 "corrupt window fails closed"
2901 );
2902 // …and the scheduler can surface why it's stuck.
2903 assert!(
2904 s.bad_window().is_some(),
2905 "bad_window reports the parse error"
2906 );
2907 assert!(with_window("22:00-05:00").bad_window().is_none());
2908 }
2909
2910 #[test]
2911 fn calendar_outside_window_is_flagged() {
2912 // at 09:00 can never fall in 22:00-05:00 → never fires.
2913 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
2914 s.constraints.window = Some("22:00-05:00".into());
2915 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
2916
2917 // at 23:00 IS inside the overnight window → fine.
2918 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
2919 s.constraints.window = Some("22:00-05:00".into());
2920 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
2921
2922 // reconcile shapes are never flagged (they poll every minute).
2923 let mut s = schedule_with(
2924 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2925 RunsOn::Backend,
2926 );
2927 s.constraints.window = Some("22:00-05:00".into());
2928 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
2929
2930 // no window → never flagged.
2931 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2932 assert!(!s.calendar_outside_window());
2933 }
2934
2935 // ---- on_failure.retry (#418 Phase 4) ----
2936
2937 fn with_retry(max: u32, backoff: &str) -> Schedule {
2938 let mut s = schedule_with(
2939 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2940 RunsOn::Backend,
2941 );
2942 s.on_failure.retry = Some(Retry {
2943 max,
2944 backoff: backoff.into(),
2945 });
2946 s
2947 }
2948
2949 #[test]
2950 fn on_failure_parses_and_round_trips() {
2951 let yaml = r#"
2952id: x
2953when:
2954 per_pc: { every: 6h }
2955job_id: y
2956target: { all: true }
2957on_failure:
2958 retry: { max: 3, backoff: 10m }
2959"#;
2960 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2961 let r = s.on_failure.retry.as_ref().expect("retry present");
2962 assert_eq!(r.max, 3);
2963 assert_eq!(r.backoff, "10m");
2964 let back: Schedule =
2965 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
2966 assert_eq!(back.on_failure, s.on_failure);
2967 }
2968
2969 #[test]
2970 fn on_failure_empty_is_skipped_when_serialising() {
2971 let s = schedule_with(
2972 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2973 RunsOn::Backend,
2974 );
2975 let json = serde_json::to_value(&s).expect("serialise");
2976 assert!(
2977 json.get("on_failure").is_none(),
2978 "empty on_failure must not appear on the wire: {json}"
2979 );
2980 }
2981
2982 #[test]
2983 fn validate_accepts_good_retry() {
2984 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
2985 with_retry(max, backoff)
2986 .validate()
2987 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
2988 }
2989 }
2990
2991 #[test]
2992 fn validate_rejects_bad_backoff() {
2993 let err = with_retry(3, "soon").validate().unwrap_err();
2994 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
2995 }
2996
2997 #[test]
2998 fn validate_rejects_sub_second_backoff() {
2999 // "500ms" parses as humantime but lowers to 0s on the wire —
3000 // reject it so the operator doesn't get a silent no-wait
3001 // (coderabbit #466).
3002 for bad in ["500ms", "0s", "999ms"] {
3003 let err = with_retry(3, bad).validate().unwrap_err();
3004 assert!(
3005 err.contains("on_failure.retry.backoff must be >= 1s"),
3006 "for '{bad}', got: {err}"
3007 );
3008 }
3009 }
3010
3011 #[test]
3012 fn validate_rejects_out_of_range_max() {
3013 for bad in [0u32, 11, 1000] {
3014 let err = with_retry(bad, "10m").validate().unwrap_err();
3015 assert!(
3016 err.contains("on_failure.retry.max"),
3017 "for max={bad}, got: {err}"
3018 );
3019 }
3020 }
3021
3022 #[test]
3023 fn lowered_retry_reduces_backoff_to_seconds() {
3024 let s = with_retry(3, "10m");
3025 let spec = s.on_failure.lowered_retry().expect("a retry policy");
3026 assert_eq!(spec.max, 3);
3027 assert_eq!(spec.backoff_secs, 600);
3028 }
3029
3030 #[test]
3031 fn lowered_retry_is_none_without_policy() {
3032 let s = schedule_with(
3033 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3034 RunsOn::Backend,
3035 );
3036 assert!(s.on_failure.lowered_retry().is_none());
3037 }
3038
3039 // ---- global change-freeze (#418 Phase 5) ----
3040
3041 #[test]
3042 fn freeze_empty_window_is_always_active() {
3043 // The big-red-button shape: no bounds = frozen until cleared.
3044 let f = Freeze::default();
3045 assert!(f.is_active(chrono::Utc::now()));
3046 }
3047
3048 #[test]
3049 fn freeze_window_is_half_open() {
3050 use chrono::TimeZone;
3051 let f = Freeze {
3052 from: Some("2026-12-20T00:00:00+00:00".into()),
3053 until: Some("2027-01-05T00:00:00+00:00".into()),
3054 reason: Some("year-end".into()),
3055 tz: ScheduleTz::Utc,
3056 };
3057 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
3058 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
3059 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
3060 assert!(f.is_active(at(2026, 12, 31)), "inside window");
3061 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
3062 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
3063 }
3064
3065 #[test]
3066 fn freeze_fails_closed_on_corrupt_bound() {
3067 // A freeze is a safety switch: an unparseable bound (only
3068 // reachable via a hand-edited KV blob) must read as FROZEN, not
3069 // "fire normally" (coderabbit #472) — the opposite of `active`,
3070 // which fail-opens.
3071 let f = Freeze {
3072 from: Some("not-a-date".into()),
3073 until: None,
3074 reason: None,
3075 tz: ScheduleTz::Utc,
3076 };
3077 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
3078 }
3079
3080 #[test]
3081 fn freeze_validate_accepts_good_bounds() {
3082 Freeze {
3083 from: Some("2026-12-20".into()),
3084 until: Some("2027-01-05T12:00:00+09:00".into()),
3085 reason: None,
3086 tz: ScheduleTz::Local,
3087 }
3088 .validate()
3089 .expect("date + rfc3339 bounds should validate");
3090 // Empty (indefinite) freeze is valid.
3091 Freeze::default().validate().expect("empty freeze is valid");
3092 }
3093
3094 #[test]
3095 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
3096 let err = Freeze {
3097 from: Some("never".into()),
3098 ..Default::default()
3099 }
3100 .validate()
3101 .unwrap_err();
3102 assert!(err.contains("freeze:"), "got: {err}");
3103
3104 let inverted = Freeze {
3105 from: Some("2027-01-05".into()),
3106 until: Some("2026-12-20".into()),
3107 ..Default::default()
3108 }
3109 .validate()
3110 .unwrap_err();
3111 assert!(inverted.contains("freeze.from"), "got: {inverted}");
3112 }
3113
3114 #[test]
3115 fn freeze_round_trips_and_skips_empty_fields() {
3116 let f = Freeze {
3117 from: None,
3118 until: Some("2027-01-05".into()),
3119 reason: Some("INC-1234".into()),
3120 tz: ScheduleTz::Utc,
3121 };
3122 let json = serde_json::to_value(&f).expect("serialise");
3123 assert!(json.get("from").is_none(), "empty from omitted: {json}");
3124 let back: Freeze = serde_json::from_value(json).expect("round-trip");
3125 assert_eq!(back, f);
3126 }
3127
3128 #[test]
3129 fn shipped_schedule_configs_parse_and_validate() {
3130 // Every YAML under configs/schedules/ must parse with the
3131 // current Schedule serde AND pass validate() — keeps the
3132 // shipped examples from drifting out of sync with the model
3133 // (#418 removed back-compat, so drift = broken at create).
3134 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
3135 let mut seen = 0;
3136 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
3137 let path = entry.expect("dir entry").path();
3138 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
3139 continue;
3140 }
3141 let body = std::fs::read_to_string(&path).expect("read yaml");
3142 let s: Schedule = serde_yaml::from_str(&body)
3143 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
3144 s.validate()
3145 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
3146 seen += 1;
3147 }
3148 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
3149 }
3150
3151 // ---- pre-existing enum wire formats (unchanged by #418) ----
3152
3153 #[test]
3154 fn exec_mode_serialises_snake_case() {
3155 for (mode, expected) in [
3156 (ExecMode::EveryTick, "every_tick"),
3157 (ExecMode::OncePerPc, "once_per_pc"),
3158 (ExecMode::OncePerTarget, "once_per_target"),
3159 ] {
3160 let s = serde_json::to_value(mode).expect("serialise");
3161 assert_eq!(s, serde_json::Value::String(expected.into()));
3162 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
3163 .expect("deserialise");
3164 assert_eq!(back, mode, "round-trip for {expected}");
3165 }
3166 }
3167
3168 #[test]
3169 fn schedule_runs_on_defaults_to_backend() {
3170 let yaml = r#"
3171id: x
3172when:
3173 per_pc: once
3174job_id: y
3175target: { all: true }
3176"#;
3177 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3178 assert_eq!(s.runs_on, RunsOn::Backend);
3179 }
3180
3181 #[test]
3182 fn schedule_runs_on_agent_parses() {
3183 let yaml = r#"
3184id: offline-inv
3185when:
3186 per_pc: { every: 1h }
3187job_id: inventory-hw
3188target: { all: true }
3189runs_on: agent
3190"#;
3191 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3192 assert_eq!(s.runs_on, RunsOn::Agent);
3193 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
3194 }
3195
3196 #[test]
3197 fn runs_on_serialises_snake_case() {
3198 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
3199 let s = serde_json::to_value(mode).expect("serialise");
3200 assert_eq!(s, serde_json::Value::String(expected.into()));
3201 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
3202 .expect("deserialise");
3203 assert_eq!(back, mode);
3204 }
3205 }
3206
3207 #[test]
3208 fn execute_shell_into_wire_shell() {
3209 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
3210 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
3211 }
3212
3213 #[test]
3214 fn manifest_staleness_defaults_to_cached() {
3215 let yaml = r#"
3216id: x
3217version: 1.0.0
3218execute:
3219 shell: powershell
3220 script: "echo"
3221 timeout: 1s
3222"#;
3223 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3224 assert_eq!(m.staleness, Staleness::Cached);
3225 }
3226
3227 #[test]
3228 fn manifest_strict_staleness_parses() {
3229 let yaml = r#"
3230id: urgent-patch
3231version: 2.5.1
3232execute:
3233 shell: powershell
3234 script: Install-Hotfix
3235 timeout: 5m
3236staleness:
3237 mode: strict
3238 max_cache_age: 0s
3239"#;
3240 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3241 match m.staleness {
3242 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
3243 other => panic!("expected strict, got {other:?}"),
3244 }
3245 }
3246
3247 #[test]
3248 fn manifest_unchecked_staleness_parses() {
3249 let yaml = r#"
3250id: legacy
3251version: 0.1.0
3252execute:
3253 shell: cmd
3254 script: "echo"
3255 timeout: 1s
3256staleness:
3257 mode: unchecked
3258"#;
3259 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3260 assert_eq!(m.staleness, Staleness::Unchecked);
3261 }
3262
3263 #[test]
3264 fn missing_required_field_errors() {
3265 // `id` missing.
3266 let yaml = r#"
3267version: 1.0.0
3268target: { all: true }
3269execute:
3270 shell: powershell
3271 script: "echo"
3272 timeout: 1s
3273"#;
3274 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
3275 assert!(r.is_err(), "expected error, got {:?}", r);
3276 }
3277
3278 #[test]
3279 fn display_field_table_kind_round_trips_with_nested_columns() {
3280 // #39: `type: table` + `columns:` on a DisplayField gets
3281 // round-tripped through serde so the SPA receives the
3282 // nested schema verbatim. Nested columns themselves are
3283 // DisplayFields so they can carry `type: bytes` /
3284 // `type: number` for cell formatting.
3285 let yaml = r#"
3286id: inv-hw
3287version: 1.0.0
3288execute:
3289 shell: powershell
3290 script: "echo"
3291 timeout: 60s
3292inventory:
3293 display:
3294 - field: hostname
3295 label: Hostname
3296 - field: disks
3297 label: Disks
3298 type: table
3299 columns:
3300 - field: device_id
3301 label: Drive
3302 - field: size_bytes
3303 label: Size
3304 type: bytes
3305 - field: free_bytes
3306 label: Free
3307 type: bytes
3308 - field: file_system
3309 label: FS
3310"#;
3311 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3312 let inv = m.inventory.as_ref().expect("inventory hint");
3313 let disks = inv
3314 .display
3315 .iter()
3316 .find(|d| d.field == "disks")
3317 .expect("disks display row");
3318 assert_eq!(disks.kind.as_deref(), Some("table"));
3319 let cols = disks.columns.as_ref().expect("table needs columns");
3320 assert_eq!(cols.len(), 4);
3321 assert_eq!(cols[1].field, "size_bytes");
3322 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
3323 }
3324
3325 #[test]
3326 fn display_field_scalar_kind_keeps_columns_none() {
3327 // Defensive: when type is a scalar (`bytes` / `number` /
3328 // `timestamp`) the `columns` field stays None — the SPA
3329 // uses its presence as the "render nested table" signal,
3330 // so it must not leak in via serde defaults.
3331 let yaml = r#"
3332id: x
3333version: 1.0.0
3334execute:
3335 shell: powershell
3336 script: "echo"
3337 timeout: 5s
3338inventory:
3339 display:
3340 - { field: ram_bytes, label: RAM, type: bytes }
3341"#;
3342 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3343 let inv = m.inventory.as_ref().unwrap();
3344 assert!(inv.display[0].columns.is_none());
3345 }
3346
3347 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
3348
3349 /// The JSON Schemas under `docs/schemas/` must match what
3350 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
3351 /// so a `Schedule` / `Manifest` field change can't silently drift
3352 /// the operator-facing schema. The SPA editor, the backend
3353 /// `/api/schemas/*` endpoints, and these files all read the same
3354 /// derived shape; this test fails CI if the checked-in copy lags.
3355 /// Regenerate with:
3356 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
3357 #[test]
3358 fn schema_files_are_current() {
3359 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
3360 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
3361 }
3362
3363 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
3364 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
3365 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
3366 .join("../../docs/schemas")
3367 .join(name);
3368 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
3369 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
3370 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
3371 return;
3372 }
3373 // Normalize CRLF→LF before comparing: `.gitattributes` already
3374 // pins these files to `eol=lf`, but a stray CRLF working-tree
3375 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
3376 // freshness check into a confusing line-ending failure — that's
3377 // .gitattributes' job, not this test's (gemini #588).
3378 let on_disk = std::fs::read_to_string(&path)
3379 .unwrap_or_else(|e| {
3380 panic!(
3381 "read {path:?}: {e}\n\
3382 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3383 )
3384 })
3385 .replace("\r\n", "\n");
3386 assert_eq!(
3387 on_disk, generated,
3388 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
3389 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3390 );
3391 }
3392}
3393
3394/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
3395/// (target + optional rollout + optional jitter) inline; the
3396/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
3397/// script body. Two schedules of the same job can target different
3398/// groups on different cadences without copying the manifest.
3399///
3400/// #418 Phase 1: the cadence is the single [`When`] field. The old
3401/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
3402/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
3403/// are warn-skipped; re-`schedule create` to upgrade them). The
3404/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
3405/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
3406/// `decide_fire` always ran on.
3407#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
3408pub struct Schedule {
3409 pub id: String,
3410 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
3411 /// or a calendar time trigger (`at` / `days`). See [`When`].
3412 ///
3413 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
3414 /// enums as `!per_pc` YAML tags by default; this keeps the
3415 /// operator-facing map shape (`when: { per_pc: once }`). JSON
3416 /// output is identical either way, and the schemars schema
3417 /// (external tagging = oneOf of single-key objects) already
3418 /// matches the singleton-map wire shape.
3419 #[serde(with = "serde_yaml::with::singleton_map")]
3420 #[schemars(with = "When")]
3421 pub when: When,
3422 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
3423 /// Manifest's `id`.
3424 pub job_id: String,
3425 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
3426 /// carry these any more — same job + different fanout = different
3427 /// schedule.
3428 #[serde(flatten)]
3429 pub plan: FanoutPlan,
3430 /// Optional validity window. Outside `[from, until)` the
3431 /// schedule is dormant — still registered, still visible, but
3432 /// every tick is skipped (deleted ≠ dormant: a campaign that
3433 /// ended stays inspectable and can be re-armed by editing the
3434 /// window). Checked at tick time on both the backend scheduler
3435 /// and the agent's local scheduler.
3436 #[serde(default, skip_serializing_if = "Active::is_empty")]
3437 pub active: Active,
3438 /// #418 operational constraints gating *when within an active
3439 /// period* a fire may happen: a maintenance `window`, a fleet
3440 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
3441 /// wall-clock ones are evaluated in the schedule's `tz`; future
3442 /// `require` (env gates) lands in the same namespace. Checked at
3443 /// tick time on both schedulers (and surfaced by `preview`).
3444 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
3445 pub constraints: Constraints,
3446 /// #418 Phase 4: what to do after a fire's script comes back
3447 /// failed. Currently just `retry` (fixed-backoff in-process
3448 /// re-run); future `notify` / `disable` join the same namespace.
3449 /// Applied fire-side in `handle_command` (the retry policy is
3450 /// lowered onto every Command this schedule produces), so it
3451 /// covers both `runs_on` locations.
3452 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
3453 pub on_failure: OnFailure,
3454 /// #418 Phase 2: the timezone this schedule's wall-clock fields
3455 /// are evaluated in — both the calendar `at` firing time AND the
3456 /// `active.{from,until}` window bounds. `local` (default) = the
3457 /// running host's TZ (the agent's for `runs_on: agent`, the
3458 /// backend server's otherwise); `utc` for TZ-independent
3459 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
3460 /// for firing (poll cron runs every minute regardless) but still
3461 /// honor it for the `active` window.
3462 #[serde(default)]
3463 pub tz: ScheduleTz,
3464 /// v0.22: optional humantime window after a cron tick during
3465 /// which the Command is still considered "live". The scheduler
3466 /// computes `tick_at + starting_deadline` and stamps it onto
3467 /// each Command as `deadline_at`; agents skip Commands they
3468 /// receive after that absolute time. `None` (default) = no
3469 /// deadline, meaning a Command queued in the broker / stream
3470 /// during agent downtime runs whenever the agent reconnects —
3471 /// good for kitting / inventory / cleanup. Set this for
3472 /// time-of-day notifications, lunch reminders, etc., where
3473 /// "fire 3 hours late" would be wrong.
3474 #[serde(default, skip_serializing_if = "Option::is_none")]
3475 pub starting_deadline: Option<String>,
3476 /// v0.23: where does the cron tick happen? `Backend` (default,
3477 /// historical) = backend's scheduler fires Commands via NATS;
3478 /// agents passively receive. `Agent` = each targeted agent runs
3479 /// its own internal cron and fires locally, so the schedule
3480 /// keeps ticking even when the broker is unreachable (laptop on
3481 /// the train, broker maintenance window, full WAN outage). The
3482 /// two locations are mutually exclusive — when `Agent`, the
3483 /// backend scheduler stays out and just keeps the definition in
3484 /// KV for agents to read.
3485 #[serde(default)]
3486 pub runs_on: RunsOn,
3487 #[serde(default = "default_true")]
3488 pub enabled: bool,
3489 /// Free-form operator taxonomy for the Schedules page — the
3490 /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
3491 /// code ref rather than an intra-doc link, since that field isn't
3492 /// on this branch until #640 merges). Purely a SPA-side
3493 /// organisational aid (search / filter chips alongside the
3494 /// id-prefix grouping); the scheduler never reads it, so any
3495 /// string is allowed and it carries no firing semantics. A
3496 /// schedule's own tags are independent of its job's: the same job
3497 /// may back a `weekly` maintenance schedule and a `canary` rollout
3498 /// schedule. Empty by default and `skip_serializing_if`-elided per
3499 /// the #492 gradual-upgrade wire rule.
3500 #[serde(default, skip_serializing_if = "Vec::is_empty")]
3501 pub tags: Vec<String>,
3502}
3503
3504/// v0.23 — where the cron tick fires from.
3505#[derive(
3506 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3507)]
3508#[serde(rename_all = "snake_case")]
3509pub enum RunsOn {
3510 /// Backend's central scheduler ticks and publishes Commands to
3511 /// NATS. Historical default, what every pre-v0.23 schedule
3512 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
3513 /// reconnects ⇒ catch-up via [`command_replay`](crate)
3514 /// (see kanade-agent's command_replay module).
3515 #[default]
3516 Backend,
3517 /// Each targeted agent runs the cron tick locally. Survives
3518 /// broker / WAN outages. Best for laptops / mobile devices that
3519 /// roam off the corporate network. Agent must be online for the
3520 /// initial schedule + job-catalog pull, but once cached the
3521 /// agent fires the script standalone.
3522 Agent,
3523}
3524
3525/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
3526#[derive(
3527 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3528)]
3529#[serde(rename_all = "snake_case")]
3530pub enum ExecMode {
3531 /// Fire on every cron tick at the whole target. Historical
3532 /// (pre-v0.19) behavior; no dedup.
3533 #[default]
3534 EveryTick,
3535 /// Fire at each pc until that pc succeeds; then skip it until
3536 /// the optional cooldown elapses (or forever if no cooldown).
3537 /// Use for kitting / first-boot / per-pc compliance checks.
3538 OncePerPc,
3539 /// Fire at the whole target until **any** pc succeeds; then
3540 /// skip the whole target until the optional cooldown elapses
3541 /// (or forever if no cooldown). Use for "one delegate is
3542 /// enough" tasks like license check-in.
3543 OncePerTarget,
3544 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
3545 /// no cron — the agent fires it from an OS event source (boot /
3546 /// session-change), not a tick — so the scheduler skips
3547 /// `tokio-cron` registration for it. Each event occurrence fires
3548 /// once, gated by the standard freeze / active / window /
3549 /// skip_dates checks.
3550 Event,
3551}
3552
3553/// #418 Phase 1 — the single "when does this fire" axis.
3554///
3555/// Replaces the old `cron` + `mode` + `cooldown` trio whose
3556/// interactions were implicit (cron doubled as both a real
3557/// time-of-day trigger and a reconcile poll period; contradictory
3558/// combinations silently no-opped). Two shapes:
3559///
3560/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
3561/// pc (or one delegate) should have run this within `every`".
3562/// The poll period is system-generated ([`POLL_CRON`], every
3563/// minute) and no longer the operator's concern.
3564/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
3565/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
3566/// the whole target at the given time, no dedup. `at: "09:00"` +
3567/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
3568/// exactly once. Evaluated in the schedule's top-level `tz`.
3569#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3570#[serde(rename_all = "snake_case")]
3571pub enum When {
3572 /// Fire at each targeted pc: `once` (kitting — succeed once,
3573 /// skip forever, forever catching brand-new / re-imaged pcs)
3574 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
3575 /// the interval).
3576 PerPc(PerPolicy),
3577 /// Fire until **any** one pc of the target succeeds, then skip
3578 /// the whole target (`once`) or re-arm after `every`. Needs
3579 /// fleet-wide completion data, so it is backend-only —
3580 /// `runs_on: agent` + `per_target` is rejected by
3581 /// [`Schedule::validate`].
3582 PerTarget(PerPolicy),
3583 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
3584 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
3585 /// the whole target at that wall-clock time in the schedule's
3586 /// `tz` — no dedup, no cooldown.
3587 Calendar(CalendarSpec),
3588 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
3589 /// Fires when the agent observes the listed OS event(s) rather than
3590 /// on a clock — there is no cron. `runs_on: agent` only (the agent
3591 /// owns the event source); [`Schedule::validate`] rejects it on
3592 /// `backend` and rejects an empty list. Each event occurrence fires
3593 /// once, gated by the same freeze / active / `constraints.window` /
3594 /// `skip_dates` checks as the cron path. `startup` fires once per OS
3595 /// boot (deduped via the host boot time); a `starting_deadline`, if
3596 /// set, limits it to "agent came up within that long after boot".
3597 On(Vec<OnTrigger>),
3598}
3599
3600/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
3601#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
3602#[serde(rename_all = "snake_case")]
3603pub enum OnTrigger {
3604 /// Once per OS boot (the agent's first run for that boot). Catches
3605 /// freshly-imaged / reinstalled hosts at their next startup.
3606 Startup,
3607 /// On an interactive-session user logon — console, RDP, or
3608 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
3609 /// service / network / batch logons (no interactive session).
3610 Logon,
3611 /// When the workstation is locked (Win+L / idle lock; Windows
3612 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
3613 Lock,
3614 /// When the workstation is unlocked — the user returns to a locked
3615 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
3616 /// compliance / refresh state when work resumes.
3617 Unlock,
3618 /// When the host's network changes — IP address table change on
3619 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
3620 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
3621 /// from one transition fires once after the network settles), so
3622 /// use it for "re-check connectivity / re-register on network move"
3623 /// rather than expecting one fire per raw adapter event.
3624 ///
3625 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
3626 /// transition that touches only IPv6 addresses won't fire. In practice
3627 /// dual-stack networks change both tables together, but a pure-IPv6
3628 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
3629 NetworkChange,
3630}
3631
3632/// Calendar time trigger (#418 Phase 2). `at` is either a time of
3633/// day (`"HH:MM"`, repeating — combine with `days`) or a full
3634/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
3635/// never again). Evaluated in the schedule's top-level `tz`.
3636#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3637pub struct CalendarSpec {
3638 /// `"HH:MM"` (24h) for a repeating trigger, or
3639 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
3640 /// accepted) for a one-shot. Parsed lazily —
3641 /// [`Schedule::validate`] rejects garbage at create time.
3642 pub at: String,
3643 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
3644 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
3645 /// field, so ranges and names both work). An **nth-weekday**
3646 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
3647 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
3648 /// `["friL"]` fires only on the last Friday of each month (handy
3649 /// for monthly maintenance). Empty = every day. Must be empty
3650 /// when `at` carries a date (the date already pins the day).
3651 #[serde(default, skip_serializing_if = "Vec::is_empty")]
3652 pub days: Vec<String>,
3653}
3654
3655/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
3656/// date for a one-shot (`None` = repeating time-of-day).
3657struct ParsedAt {
3658 minute: u32,
3659 hour: u32,
3660 date: Option<chrono::NaiveDate>,
3661}
3662
3663impl CalendarSpec {
3664 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
3665 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
3666 fn parse_at(&self) -> Result<ParsedAt, String> {
3667 use chrono::Timelike;
3668 let s = self.at.trim();
3669 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
3670 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
3671 return Ok(ParsedAt {
3672 minute: dt.minute(),
3673 hour: dt.hour(),
3674 date: Some(dt.date()),
3675 });
3676 }
3677 }
3678 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
3679 return Ok(ParsedAt {
3680 minute: t.minute(),
3681 hour: t.hour(),
3682 date: None,
3683 });
3684 }
3685 Err(format!(
3686 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
3687 self.at
3688 ))
3689 }
3690
3691 /// Pre-flight check on the `days` tokens so a bad day name gives
3692 /// a `when.days:`-scoped error instead of croner's confusing
3693 /// "when.at lowered to invalid cron" (claude #432 review). Each
3694 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
3695 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
3696 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
3697 /// **last-weekday** like `friL` (last Friday of the month).
3698 fn validate_days(&self) -> Result<(), String> {
3699 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
3700 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
3701 for tok in &self.days {
3702 // Report the whole token on a malformed range like `mon-`
3703 // (which would otherwise split to a cryptic empty part —
3704 // claude #432 follow-up).
3705 let invalid = |reason: &str| {
3706 Err(format!(
3707 "when.days: invalid day token '{tok}' ({reason}; \
3708 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
3709 like tue#2, a last-weekday like friL, or *)"
3710 ))
3711 };
3712 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
3713 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
3714 // `to_cron` passes the token through verbatim, so the
3715 // engine fires only on that occurrence. It's a single
3716 // weekday + ordinal — not combinable with a range.
3717 if let Some((day_part, nth_part)) = tok.split_once('#') {
3718 // Normalize once and use `d` consistently (gemini #547);
3719 // the outer `invalid` already echoes the raw `tok`.
3720 let d = day_part.trim().to_ascii_lowercase();
3721 if d.contains('-') || !is_day(&d) {
3722 return invalid("the part before # must be a single weekday");
3723 }
3724 match nth_part.trim().parse::<u8>() {
3725 Ok(n) if (1..=5).contains(&n) => {}
3726 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
3727 }
3728 continue;
3729 }
3730 // #418: last-weekday suffix (`friL` = last Friday of the
3731 // month — the monthly-maintenance sibling of Patch Tuesday).
3732 // Croner accepts `<dow>L` in the DOW field with verified
3733 // last-<dow>-of-month semantics, and `to_cron` passes it
3734 // through verbatim. A single weekday + `L` — bare `L` and
3735 // ranges are rejected (croner would read bare `L` as
3736 // Saturday, which is a confusing footgun).
3737 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
3738 // No `.trim()`: a cron DOW token can't carry internal
3739 // whitespace, so `"fri L"` must be *rejected* here (its
3740 // strip leaves `"fri "`, and `is_day` catches the space)
3741 // rather than trimmed into a clean `"fri"` that then
3742 // produces a malformed `fri L` cron downstream and a
3743 // confusing croner error (gemini #560).
3744 let d = day_part.to_ascii_lowercase();
3745 if d.is_empty() {
3746 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
3747 }
3748 if d.contains('-') || !is_day(&d) {
3749 return invalid(
3750 "the part before L must be a single weekday (e.g. friL = last Friday)",
3751 );
3752 }
3753 continue;
3754 }
3755 for part in tok.split('-') {
3756 let p = part.trim().to_ascii_lowercase();
3757 if p.is_empty() {
3758 return invalid("empty range bound");
3759 }
3760 if p != "*" && !is_day(&p) {
3761 return invalid(&format!("'{part}' is not a day"));
3762 }
3763 }
3764 }
3765 Ok(())
3766 }
3767
3768 /// For a one-shot (`at` carries a date), the absolute instant it
3769 /// fires in `tz`. `None` for a repeating calendar. Used to warn
3770 /// about a one-shot whose date is already in the past (it would
3771 /// never fire).
3772 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
3773 let p = self.parse_at().ok()?;
3774 let date = p.date?;
3775 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
3776 tz.naive_to_utc(naive)
3777 }
3778
3779 /// The wall-clock time-of-day this calendar fires at (`None` if
3780 /// `at` is unparseable — validate() guards that). Used to detect
3781 /// a calendar whose fire time can never fall inside its
3782 /// `constraints.window` (claude #452 review).
3783 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
3784 let p = self.parse_at().ok()?;
3785 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
3786 }
3787
3788 /// Lower to the cron string the scheduler engine runs. Repeating
3789 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
3790 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
3791 /// fires — that's what makes it one-shot).
3792 fn to_cron(&self) -> Result<String, String> {
3793 use chrono::Datelike;
3794 let ParsedAt { minute, hour, date } = self.parse_at()?;
3795 match date {
3796 Some(d) => {
3797 if !self.days.is_empty() {
3798 return Err(
3799 "when.at with a date is a one-shot and cannot be combined with days".into(),
3800 );
3801 }
3802 Ok(format!(
3803 "0 {minute} {hour} {} {} * {}",
3804 d.day(),
3805 d.month(),
3806 d.year()
3807 ))
3808 }
3809 None => {
3810 let dow = if self.days.is_empty() {
3811 "*".to_string()
3812 } else {
3813 self.validate_days()?;
3814 self.days.join(",")
3815 };
3816 Ok(format!("0 {minute} {hour} * * {dow}"))
3817 }
3818 }
3819 }
3820}
3821
3822/// The timezone a schedule's wall-clock fields (`when.at`,
3823/// `active.{from,until}`) are evaluated in (#418 Phase 2).
3824#[derive(
3825 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3826)]
3827#[serde(rename_all = "snake_case")]
3828pub enum ScheduleTz {
3829 /// The running host's local timezone — the agent's for
3830 /// `runs_on: agent`, the backend server's otherwise. Default.
3831 #[default]
3832 Local,
3833 /// UTC — for timezone-independent schedules.
3834 Utc,
3835}
3836
3837impl ScheduleTz {
3838 /// Interpret a naive (zoneless) datetime as being in this tz and
3839 /// convert to UTC. On a DST *fold* (the local time occurs twice
3840 /// when clocks go back) we pick `.earliest()` rather than
3841 /// rejecting it; `None` is reserved for a true DST *gap* (a local
3842 /// time that never exists). `Utc` is fixed-offset so neither ever
3843 /// happens; `Local` is whatever timezone the running host is set
3844 /// to and *can* hit a gap/fold on any DST-observing host — not
3845 /// just the JST we run today (gemini + claude #432 review).
3846 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
3847 use chrono::TimeZone;
3848 match self {
3849 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
3850 naive,
3851 chrono::Utc,
3852 )),
3853 ScheduleTz::Local => chrono::Local
3854 .from_local_datetime(&naive)
3855 .earliest()
3856 .map(|dt| dt.with_timezone(&chrono::Utc)),
3857 }
3858 }
3859
3860 /// The wall-clock time-of-day `now` reads as in this tz — used by
3861 /// [`Constraints::allows`] to test a maintenance window
3862 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
3863 /// running host's local time.
3864 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
3865 match self {
3866 ScheduleTz::Utc => now.time(),
3867 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
3868 }
3869 }
3870
3871 /// The wall-clock *date* `now` reads as in this tz — used by
3872 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
3873 /// exclusion). Same tz semantics as [`Self::wall_time`].
3874 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
3875 match self {
3876 ScheduleTz::Utc => now.date_naive(),
3877 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
3878 }
3879 }
3880
3881 /// Stable lowercase wire/display label (`local` / `utc`) — matches
3882 /// the serde `snake_case` representation. Used for the preview
3883 /// response's `tz` field so the JSON shape isn't coupled to the
3884 /// `Debug` repr (claude #578 review).
3885 pub fn as_str(self) -> &'static str {
3886 match self {
3887 ScheduleTz::Local => "local",
3888 ScheduleTz::Utc => "utc",
3889 }
3890 }
3891}
3892
3893impl std::fmt::Display for ScheduleTz {
3894 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3895 f.write_str(self.as_str())
3896 }
3897}
3898
3899/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
3900/// `per_target`. Untagged so the YAML stays the bare keyword or a
3901/// one-key map, nothing more ceremonial.
3902#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3903#[serde(untagged)]
3904pub enum PerPolicy {
3905 /// The bare string `once`: succeed once, then skip permanently
3906 /// (cooldown = infinity).
3907 Once(OnceLiteral),
3908 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
3909 Every(EverySpec),
3910}
3911
3912/// Single-variant enum so serde accepts exactly the string `once`
3913/// (a free-form `String` would swallow typos like `onec`).
3914#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
3915#[serde(rename_all = "snake_case")]
3916pub enum OnceLiteral {
3917 Once,
3918}
3919
3920/// `{ every: <humantime> }`. Standalone struct (not an inline
3921/// struct variant). `{ evry: 6h }` still fails to parse (the
3922/// required `every` key is missing), and the create boundaries
3923/// reject the unknown `evry` via [`crate::strict`] with its path —
3924/// while agents reading a future writer's extra fields tolerate
3925/// them (#492).
3926#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3927pub struct EverySpec {
3928 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
3929 /// [`Schedule::validate`] rejects garbage at create time.
3930 pub every: String,
3931}
3932
3933impl PerPolicy {
3934 /// The cooldown this policy lowers to: `once` = `None`
3935 /// (permanent skip), `every` = the interval.
3936 fn cooldown(&self) -> Option<String> {
3937 match self {
3938 PerPolicy::Once(_) => None,
3939 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
3940 }
3941 }
3942}
3943
3944impl std::fmt::Display for When {
3945 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
3946 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
3947 /// lines, audit payloads and the API's `ScheduleSummary`.
3948 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3949 let policy = |p: &PerPolicy| match p {
3950 PerPolicy::Once(_) => "once".to_string(),
3951 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
3952 };
3953 match self {
3954 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
3955 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
3956 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
3957 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
3958 When::On(triggers) => {
3959 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
3960 write!(f, "on [{}]", names.join(","))
3961 }
3962 }
3963 }
3964}
3965
3966impl OnTrigger {
3967 /// Lowercase wire/display label (matches the serde `snake_case`).
3968 pub fn as_str(self) -> &'static str {
3969 match self {
3970 OnTrigger::Startup => "startup",
3971 OnTrigger::Logon => "logon",
3972 OnTrigger::Lock => "lock",
3973 OnTrigger::Unlock => "unlock",
3974 OnTrigger::NetworkChange => "network_change",
3975 }
3976 }
3977}
3978
3979/// Optional validity window for a [`Schedule`] (#418 decision G).
3980/// Half-open `[from, until)`; either bound may be omitted. Bounds
3981/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
3982/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
3983/// strings so the JSON Schema the SPA editor consumes stays two
3984/// plain string fields, mirroring `jitter` / `starting_deadline`.
3985///
3986/// #418 Phase 2: bounds are evaluated in the schedule's top-level
3987/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
3988/// calendar `at` AND the `active` window local — one consistent
3989/// timezone per schedule.
3990#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
3991pub struct Active {
3992 /// Dormant before this instant.
3993 #[serde(default, skip_serializing_if = "Option::is_none")]
3994 pub from: Option<String>,
3995 /// Dormant from this instant on (exclusive).
3996 #[serde(default, skip_serializing_if = "Option::is_none")]
3997 pub until: Option<String>,
3998}
3999
4000impl Active {
4001 /// `skip_serializing_if` helper — an empty window means "always
4002 /// active" and is omitted from the wire format entirely.
4003 pub fn is_empty(&self) -> bool {
4004 self.from.is_none() && self.until.is_none()
4005 }
4006
4007 /// Parse one bound: RFC3339 first (offset honored, `tz`
4008 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
4009 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
4010 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
4011 return Ok(dt.with_timezone(&chrono::Utc));
4012 }
4013 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
4014 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
4015 return tz.naive_to_utc(midnight).ok_or_else(|| {
4016 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
4017 });
4018 }
4019 Err(format!(
4020 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
4021 ))
4022 }
4023
4024 /// Is `now` inside the window? Unparseable bounds are treated
4025 /// as absent here (fail-open) — [`Schedule::validate`] is the
4026 /// place that rejects them loudly; this runs on every tick and
4027 /// must never panic on a stale KV blob.
4028 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
4029 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
4030 if bound(&self.from).is_some_and(|from| now < from) {
4031 return false;
4032 }
4033 if bound(&self.until).is_some_and(|until| now >= until) {
4034 return false;
4035 }
4036 true
4037 }
4038}
4039
4040/// Host-environment gate (#418 `constraints.require`). Fire only when
4041/// the target host is in the required state. Sensed **in-process by the
4042/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
4043/// read a target host's power/idle state ([`Schedule::validate`]
4044/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
4045///
4046/// Evaluated at fire time as a skip-this-tick gate (NOT in
4047/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
4048/// cadence re-checks every minute (so it effectively defers until the
4049/// state is met — the intended pairing); a `calendar` fire that lands
4050/// while the state is unmet is simply missed, same as `window`. It is
4051/// therefore a *runtime* gate and does not appear in `preview`.
4052// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
4053#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
4054pub struct Require {
4055 /// Fire only while on **AC power** (skip on battery). Reads
4056 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
4057 /// as not-on-AC (fail-closed — a restrictive gate must not fire
4058 /// when it can't confirm the condition). `false` (default) = no
4059 /// power requirement.
4060 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
4061 pub ac_power: bool,
4062 /// Fire only when the active console session has had **no keyboard /
4063 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
4064 /// "don't run while the user is actively working". Input-based
4065 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
4066 /// headless / disconnected console (no interactive user) trivially
4067 /// satisfies it. `None` (default) = no idle requirement. Parsed
4068 /// lazily; [`Schedule::validate`] rejects garbage at create time.
4069 #[serde(default, skip_serializing_if = "Option::is_none")]
4070 pub idle: Option<String>,
4071 /// Fire only when the **whole-machine CPU usage is below this
4072 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
4073 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
4074 /// sample (`sysinfo` mean over cores), so the reading is up to one
4075 /// `host_perf` cadence old (default 60s) — fine as a "generally
4076 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
4077 /// needs two samples). An unavailable sample (host_perf not warmed
4078 /// up yet, or stale) is treated as "not below" (fail-closed — a
4079 /// restrictive gate must not fire when it can't confirm). `None`
4080 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
4081 /// out-of-range value at create time.
4082 #[serde(default, skip_serializing_if = "Option::is_none")]
4083 pub cpu_below: Option<f64>,
4084 /// Fire only when the host has **internet connectivity** (Windows
4085 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
4086 /// until online" for jobs that download / phone home. A captive
4087 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
4088 /// unknown/unreadable state is treated as offline (fail-closed) — a
4089 /// portal would just fail a download, so we hold the run. For VPN /
4090 /// SASE / app-specific conditions, use a custom script gate (separate
4091 /// slice). `false` (default) = no network requirement.
4092 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
4093 pub network: bool,
4094}
4095
4096impl Require {
4097 /// `skip_serializing_if` helper for an embedded empty `require`.
4098 pub fn is_empty(&self) -> bool {
4099 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
4100 }
4101
4102 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
4103 /// unparseable value — `validate` rejects the latter at create time).
4104 pub fn min_idle(&self) -> Option<std::time::Duration> {
4105 self.idle
4106 .as_deref()
4107 .and_then(|s| humantime::parse_duration(s.trim()).ok())
4108 }
4109
4110 /// First unparseable field for create-time rejection (mirrors
4111 /// [`Constraints::bad_skip_date`]).
4112 pub fn bad_idle(&self) -> Option<String> {
4113 self.idle.as_deref().and_then(|s| {
4114 humantime::parse_duration(s.trim())
4115 .err()
4116 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
4117 })
4118 }
4119}
4120
4121/// Host-environment state sensed by the agent, fed to [`require_met`].
4122/// A named struct (not positional args) so the growing set of sensed
4123/// signals — several of them `bool` — can't be transposed at a call
4124/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
4125#[derive(Debug, Clone, Copy, Default)]
4126pub struct EnvState {
4127 /// Is the host on AC power (`false` if on battery or unreadable).
4128 pub ac_online: bool,
4129 /// How long the console has been idle (`None` = couldn't determine).
4130 pub idle: Option<std::time::Duration>,
4131 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
4132 pub cpu_pct: Option<f64>,
4133 /// Does the host have internet connectivity (`false` if offline /
4134 /// LAN-only / unreadable).
4135 pub network_up: bool,
4136}
4137
4138/// Pure env-gate decision (#418 `constraints.require`). The Win32
4139/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
4140/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
4141/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
4142/// pure and `preview` never evaluates a runtime gate. Each set
4143/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
4144pub fn require_met(req: &Require, env: &EnvState) -> bool {
4145 if req.ac_power && !env.ac_online {
4146 return false;
4147 }
4148 if let Some(min) = req.min_idle() {
4149 match env.idle {
4150 Some(d) if d >= min => {}
4151 _ => return false,
4152 }
4153 }
4154 if let Some(max) = req.cpu_below {
4155 match env.cpu_pct {
4156 Some(p) if p < max => {}
4157 _ => return false,
4158 }
4159 }
4160 if req.network && !env.network_up {
4161 return false;
4162 }
4163 true
4164}
4165
4166/// [`Active`] decides *over what date range* a schedule is live,
4167/// `Constraints` decides *when, within an active period,* a fire is
4168/// allowed: `window` (a maintenance time-of-day window),
4169/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
4170/// (holiday exclusion) and `require` (host-environment gates, agent-only
4171/// — see [`Require`]).
4172// No `Eq`: contains `require: Option<Require>` which holds an f64.
4173#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
4174pub struct Constraints {
4175 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
4176 /// `tz`). Fires outside it are skipped — mainly for reconcile
4177 /// cadences ("patrol every 6h, but only fire overnight") and
4178 /// daytime change-freezes. `start > end` crosses midnight
4179 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
4180 /// lazily; [`Schedule::validate`] rejects garbage at create time.
4181 #[serde(default, skip_serializing_if = "Option::is_none")]
4182 pub window: Option<String>,
4183 /// Fleet-wide cap on how many instances of this schedule's job may
4184 /// run **at the same time** (#418 "同時実行ハード上限"). The
4185 /// backend scheduler counts the job's still-in-flight runs
4186 /// (`execution_results.finished_at IS NULL`) each tick and only
4187 /// dispatches to as many remaining pcs as there are free slots —
4188 /// a rolling window that refills as runs complete. Useful for
4189 /// disk/CPU/network-heavy jobs you don't want hammering the whole
4190 /// fleet at once.
4191 ///
4192 /// **Backend-only** (it needs a central counter): combining it
4193 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
4194 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
4195 /// for `per_pc` reconcile cadences, where the poll re-ticks and
4196 /// refills slots. `None` (default) = no cap.
4197 #[serde(default, skip_serializing_if = "Option::is_none")]
4198 pub max_concurrent: Option<u32>,
4199 /// Calendar dates the schedule must **not** fire on — holidays,
4200 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
4201 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
4202 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
4203 /// the whole day; a calendar fire landing on the date is
4204 /// suppressed) and is honored by both the live scheduler and
4205 /// `preview`, since both gate on [`Constraints::allows`]. Empty
4206 /// (default) = no skips. Operator-supplied: there is no built-in
4207 /// holiday calendar — list the dates you care about. Parsed lazily;
4208 /// [`Schedule::validate`] rejects a malformed date at create time.
4209 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4210 pub skip_dates: Vec<String>,
4211 /// Host-environment gate (#418): fire only when the target host is
4212 /// in the required state (on AC power, idle). Agent-sensed at fire
4213 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
4214 /// no environment requirement.
4215 #[serde(default, skip_serializing_if = "Option::is_none")]
4216 pub require: Option<Require>,
4217}
4218
4219impl Constraints {
4220 /// `skip_serializing_if` helper — empty constraints are omitted
4221 /// from the wire format entirely.
4222 pub fn is_empty(&self) -> bool {
4223 self.window.is_none()
4224 && self.max_concurrent.is_none()
4225 && self.skip_dates.is_empty()
4226 && self.require.as_ref().is_none_or(Require::is_empty)
4227 }
4228
4229 /// The first unparseable `skip_dates` entry, if any — the
4230 /// scheduler logs it at register time so a fail-closed
4231 /// (never-firing) schedule from a hand-edited KV blob is
4232 /// diagnosable, mirroring [`Schedule::bad_window`].
4233 pub fn bad_skip_date(&self) -> Option<String> {
4234 self.skip_dates.iter().find_map(|s| {
4235 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
4236 .err()
4237 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
4238 })
4239 }
4240
4241 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
4242 /// error (a zero-width or all-day window is ambiguous — write no
4243 /// window for "always").
4244 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
4245 let (a, b) = s
4246 .split_once('-')
4247 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
4248 let parse = |part: &str| {
4249 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
4250 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
4251 };
4252 let (start, end) = (parse(a)?, parse(b)?);
4253 if start == end {
4254 return Err(format!(
4255 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
4256 ));
4257 }
4258 Ok((start, end))
4259 }
4260
4261 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
4262 /// always allowed. Half-open `[start, end)`; `start > end`
4263 /// crosses midnight.
4264 ///
4265 /// **Fail-closed** on an unparseable window (returns `false`,
4266 /// gemini #452 review): a window is a *restrictive* constraint
4267 /// (change-freeze / overnight-only), so a corrupt one must NOT
4268 /// silently allow fires during the restricted hours. Bad windows
4269 /// are rejected at create time by [`Schedule::validate`]; this
4270 /// only bites a hand-edited KV blob, where blocking is the safe
4271 /// direction. The scheduler warns at register time
4272 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
4273 /// The tick path never panics regardless.
4274 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
4275 // #418 holiday / blackout dates: never fire on a listed wall
4276 // date (in `tz`). Checked before the window since a skipped day
4277 // overrides any within-window allowance. Fail-closed on a
4278 // corrupt entry (same posture as `window`): a skip date is a
4279 // *restrictive* constraint, so a garbled one must not silently
4280 // re-enable fires — it blocks until fixed (`validate` rejects it
4281 // at create time; `bad_skip_date` lets the scheduler warn).
4282 if !self.skip_dates.is_empty() {
4283 let today = tz.wall_date(now);
4284 let blocked = self.skip_dates.iter().any(|s| {
4285 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
4286 Ok(d) => d == today,
4287 Err(_) => true, // corrupt entry → fail-closed (block)
4288 }
4289 });
4290 if blocked {
4291 return false;
4292 }
4293 }
4294 match self.window.as_deref() {
4295 // No window → always allowed.
4296 None => true,
4297 // Window set: membership, or fail-closed if unparseable
4298 // (`window_contains` returns None for a corrupt window).
4299 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
4300 }
4301 }
4302
4303 /// Membership of a wall-clock time-of-day in the window. `None`
4304 /// when there is no window or it's unparseable (callers decide
4305 /// the failure direction). `start > end` crosses midnight.
4306 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
4307 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
4308 Some(if start <= end {
4309 start <= t && t < end
4310 } else {
4311 t >= start || t < end
4312 })
4313 }
4314}
4315
4316/// What to do when a fire's script fails (#418 Phase 4 — the "高"
4317/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
4318/// happens, `OnFailure` decides what happens *after* one ran and
4319/// came back bad. Only `retry` so far; future `notify` / `disable`
4320/// would join the same namespace.
4321#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4322pub struct OnFailure {
4323 /// Re-run the script in-process when it exits non-zero (or times
4324 /// out), up to a cap, with a fixed backoff between attempts.
4325 /// `None` (default) = no retry: a failed run is published as-is
4326 /// and (for reconcile cadences) simply re-fires on the next poll
4327 /// tick. See [`Retry`].
4328 #[serde(default, skip_serializing_if = "Option::is_none")]
4329 pub retry: Option<Retry>,
4330}
4331
4332impl OnFailure {
4333 /// `skip_serializing_if` helper — an empty policy is omitted from
4334 /// the wire format entirely.
4335 pub fn is_empty(&self) -> bool {
4336 self.retry.is_none()
4337 }
4338
4339 /// Lower the operator-facing `retry` (humantime backoff) onto the
4340 /// engine vocabulary the agent's executor runs on (backoff in
4341 /// whole seconds). Single seam shared by the backend command
4342 /// builder and the agent's local scheduler so the two stamp the
4343 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
4344 /// `None` when there is no retry policy or the backoff is
4345 /// unparseable (validate() rejects the latter at create time;
4346 /// this stays fail-safe = "no retry" for a hand-edited KV blob
4347 /// rather than panicking on the fire path).
4348 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
4349 let r = self.retry.as_ref()?;
4350 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
4351 Some(crate::wire::RetrySpec {
4352 max: r.max,
4353 backoff_secs,
4354 })
4355 }
4356}
4357
4358/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
4359/// *additional* attempts after the first run (so `max: 3` = up to 4
4360/// total executions); `backoff` is the humantime delay slept between
4361/// attempts. The retry happens fire-side (inside `kanade fire` /
4362/// `handle_command`) on every OS for the PoC — the Windows-native
4363/// "restart on failure" Task Scheduler path is deferred to the
4364/// native-delegation phase (#418 decision H).
4365#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4366pub struct Retry {
4367 /// Max additional attempts after the first failure. Bounded
4368 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
4369 /// with a short backoff would otherwise pin a flapping script in
4370 /// a tight loop for the whole window.
4371 pub max: u32,
4372 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
4373 pub backoff: String,
4374}
4375
4376/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
4377/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
4378/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
4379/// global* "stop all automated change" switch the operator flips
4380/// during an incident or a year-end change-freeze. It lives in its
4381/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
4382/// active, both the backend scheduler and every agent's local
4383/// scheduler skip *every* fire.
4384///
4385/// Shapes:
4386/// * `{}` (no bounds) — frozen indefinitely until the operator
4387/// clears it (incident "big red button").
4388/// * `{ from, until }` — frozen only within `[from, until)`,
4389/// evaluated in `tz` (planned change-freeze; auto-thaws).
4390///
4391/// The KV key being *absent* means "not frozen" — so clearing the
4392/// freeze is a KV delete, and `is_active` only ever runs on a freeze
4393/// the operator actually set.
4394#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4395pub struct Freeze {
4396 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
4397 /// `tz`). `None` ⇒ frozen from the beginning of time.
4398 #[serde(default, skip_serializing_if = "Option::is_none")]
4399 pub from: Option<String>,
4400 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
4401 /// no scheduled end (manual clear required).
4402 #[serde(default, skip_serializing_if = "Option::is_none")]
4403 pub until: Option<String>,
4404 /// Operator-supplied note surfaced on the freeze-skip log and the
4405 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
4406 #[serde(default, skip_serializing_if = "Option::is_none")]
4407 pub reason: Option<String>,
4408 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
4409 /// carry their own offset). Defaults to host-local like a
4410 /// schedule's `tz`.
4411 #[serde(default)]
4412 pub tz: ScheduleTz,
4413}
4414
4415impl Freeze {
4416 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
4417 /// both absent) is frozen unconditionally; otherwise membership of
4418 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
4419 /// but **fails CLOSED** on an unparseable bound — a freeze is a
4420 /// safety switch, so a corrupt window (only reachable via a
4421 /// hand-edited KV blob; `validate` rejects it at set time) must
4422 /// mean "frozen", not "fire normally" (coderabbit #472). This is
4423 /// the one deliberate divergence from `active`'s fail-OPEN
4424 /// behaviour, where an unparseable bound dormant-skips a schedule.
4425 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
4426 // Parse a bound; an unparseable one short-circuits the whole
4427 // check to `true` (frozen) via the closure's `None` sentinel
4428 // handled below.
4429 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
4430 match s.as_deref() {
4431 None => Ok(None),
4432 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
4433 }
4434 };
4435 let (from, until) = match (bound(&self.from), bound(&self.until)) {
4436 (Ok(f), Ok(u)) => (f, u),
4437 // Any corrupt bound → fail closed (frozen).
4438 _ => return true,
4439 };
4440 if from.is_some_and(|f| now < f) {
4441 return false;
4442 }
4443 if until.is_some_and(|u| now >= u) {
4444 return false;
4445 }
4446 true
4447 }
4448
4449 /// Reject unparseable bounds / `from >= until` at set time (the
4450 /// API + CLI counterpart to [`Schedule::validate`]).
4451 pub fn validate(&self) -> Result<(), String> {
4452 let from = self
4453 .from
4454 .as_deref()
4455 .map(|s| Active::parse_bound(s, self.tz))
4456 .transpose()
4457 .map_err(|e| e.replace("active:", "freeze:"))?;
4458 let until = self
4459 .until
4460 .as_deref()
4461 .map(|s| Active::parse_bound(s, self.tz))
4462 .transpose()
4463 .map_err(|e| e.replace("active:", "freeze:"))?;
4464 if let (Some(f), Some(u)) = (from, until) {
4465 if f >= u {
4466 return Err(format!(
4467 "freeze.from ({}) must be strictly before freeze.until ({})",
4468 self.from.as_deref().unwrap_or_default(),
4469 self.until.as_deref().unwrap_or_default(),
4470 ));
4471 }
4472 }
4473 Ok(())
4474 }
4475}
4476
4477/// The system-generated poll cadence every reconcile-shaped `when`
4478/// lowers to. Operators never write this: the real inter-run
4479/// spacing is the `every` cooldown; this only bounds "how soon do
4480/// we notice somebody is due" (#418 decision B took the poll
4481/// period away from the operator).
4482pub const POLL_CRON: &str = "0 * * * * *";
4483
4484/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
4485/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
4486/// unchanged is what lets Phase 1 swap the operator surface without
4487/// touching the tick / dedup machinery.
4488pub struct Lowered {
4489 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
4490 /// reconcile shapes, a 6/7-field cron for calendar shapes.
4491 pub cron: String,
4492 /// Dedup semantics for `decide_fire`.
4493 pub mode: ExecMode,
4494 /// Humantime re-arm interval (`None` = succeed once, skip
4495 /// forever).
4496 pub cooldown: Option<String>,
4497 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
4498 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
4499 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
4500 /// so the same value drives the `active`-window check.
4501 pub tz: ScheduleTz,
4502}
4503
4504impl Schedule {
4505 /// The error message if this schedule's `constraints.window` is
4506 /// set but unparseable, else `None`. The scheduler logs this at
4507 /// register time so a fail-closed (never-firing) schedule from a
4508 /// hand-edited KV blob is diagnosable (gemini #452 review).
4509 pub fn bad_window(&self) -> Option<String> {
4510 let w = self.constraints.window.as_deref()?;
4511 Constraints::parse_window(w).err()
4512 }
4513
4514 /// True when this is a `calendar` schedule whose fire time can
4515 /// never fall inside its `constraints.window` — the cron fires,
4516 /// the window check rejects it, and (firing only at that
4517 /// time-of-day) it effectively never runs. An easy misconfig to
4518 /// set up by accident; the scheduler warns at register time
4519 /// (claude #452 review). Reconcile shapes poll every minute, so
4520 /// they always catch the window opening and aren't affected.
4521 pub fn calendar_outside_window(&self) -> bool {
4522 let When::Calendar(c) = &self.when else {
4523 return false;
4524 };
4525 let Some(t) = c.fire_time() else {
4526 return false;
4527 };
4528 matches!(self.constraints.window_contains(t), Some(false))
4529 }
4530
4531 /// Up to `count` future instants this schedule will fire, as
4532 /// absolute UTC, strictly after `now` — the dry-run / preview
4533 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
4534 /// schedules have discrete fire times; reconcile shapes
4535 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
4536 /// they return an empty vec and the caller describes the cadence
4537 /// instead. Occurrences outside the `active.{from,until}` window or
4538 /// the `constraints.window` are **skipped**, so the list reflects
4539 /// when the schedule will ACTUALLY run, not the raw cron ticks.
4540 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
4541 /// `Job::new_async_tz`, and with the same croner config the
4542 /// scheduler / [`Schedule::validate`] use, so a preview can never
4543 /// disagree with a real fire. A schedule that can never fire (a
4544 /// calendar time wholly outside its window, a past one-shot,
4545 /// `enabled: false` is *not* considered here — callers gate on
4546 /// `enabled` separately) yields an empty vec.
4547 pub fn preview_fires(
4548 &self,
4549 now: chrono::DateTime<chrono::Utc>,
4550 count: usize,
4551 ) -> Vec<chrono::DateTime<chrono::Utc>> {
4552 use croner::parser::{CronParser, Seconds};
4553 if !matches!(self.when, When::Calendar(_)) {
4554 return Vec::new();
4555 }
4556 // Same lowering + croner config as `next_calendar_fire` and the
4557 // live scheduler, so a preview can never disagree with a real
4558 // fire. `preview_fires` adds the N-occurrence walk and the
4559 // active / window filtering on top of that single seam.
4560 let lowered = self.lowered();
4561 let Ok(cron) = CronParser::builder()
4562 .seconds(Seconds::Required)
4563 .dom_and_dow(true)
4564 .build()
4565 .parse(&lowered.cron)
4566 else {
4567 return Vec::new();
4568 };
4569 let accept = |utc: chrono::DateTime<chrono::Utc>| {
4570 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
4571 };
4572 match self.tz {
4573 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
4574 ScheduleTz::Local => {
4575 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
4576 }
4577 }
4578 }
4579
4580 /// Walk croner forward from `after` collecting up to `count`
4581 /// accepted occurrences (converted to UTC). Generic over the tz the
4582 /// cron is evaluated in so `preview_fires` can run it in either
4583 /// `Utc` or `Local` without duplicating the loop.
4584 fn next_occurrences<Tz>(
4585 cron: &croner::Cron,
4586 after: chrono::DateTime<Tz>,
4587 count: usize,
4588 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
4589 ) -> Vec<chrono::DateTime<chrono::Utc>>
4590 where
4591 Tz: chrono::TimeZone,
4592 {
4593 // Bound the scan so an `active`/window dead-end (every future
4594 // tick rejected) can't spin forever: ~4096 raw ticks covers
4595 // >10y of a daily calendar while staying instant for croner.
4596 const SCAN_CAP: usize = 4096;
4597 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
4598 let mut cursor = after;
4599 let mut scanned = 0usize;
4600 while out.len() < count && scanned < SCAN_CAP {
4601 scanned += 1;
4602 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
4603 break;
4604 };
4605 let utc = next.with_timezone(&chrono::Utc);
4606 if accept(utc) {
4607 out.push(utc);
4608 }
4609 // `find_next_occurrence(.., inclusive = false)` already
4610 // advances strictly past `cursor`, so handing it `next`
4611 // verbatim gets the following occurrence — no manual +1s
4612 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
4613 cursor = next;
4614 }
4615 out
4616 }
4617
4618 /// Lower the operator-facing `when` onto the engine vocabulary.
4619 /// Single seam shared by the backend scheduler and the agent's
4620 /// local scheduler so the two can never drift.
4621 pub fn lowered(&self) -> Lowered {
4622 let tz = self.tz;
4623 match &self.when {
4624 When::PerPc(p) => Lowered {
4625 cron: POLL_CRON.into(),
4626 mode: ExecMode::OncePerPc,
4627 cooldown: p.cooldown(),
4628 tz,
4629 },
4630 When::PerTarget(p) => Lowered {
4631 cron: POLL_CRON.into(),
4632 mode: ExecMode::OncePerTarget,
4633 cooldown: p.cooldown(),
4634 tz,
4635 },
4636 // `to_cron` only fails on a malformed `at` (rejected by
4637 // validate() at create time). For a hand-edited KV blob
4638 // that slipped past, emit a deliberately-invalid cron so
4639 // register()'s Job::new_async_tz fails → warn+skip,
4640 // rather than firing at the wrong time.
4641 When::Calendar(c) => Lowered {
4642 cron: c
4643 .to_cron()
4644 .unwrap_or_else(|_| "# invalid calendar at".into()),
4645 mode: ExecMode::EveryTick,
4646 cooldown: None,
4647 tz,
4648 },
4649 // Event triggers have no cron — the agent fires them from an
4650 // OS event source. The `# event-trigger` cron is never
4651 // registered (the scheduler branches on `is_event()` first),
4652 // but keep it deliberately-invalid as a belt-and-suspenders
4653 // so a stray registration would fail rather than misfire.
4654 When::On(_) => Lowered {
4655 cron: "# event-trigger (no cron)".into(),
4656 mode: ExecMode::Event,
4657 cooldown: None,
4658 tz,
4659 },
4660 }
4661 }
4662
4663 /// True when this schedule fires from an OS event (`when: { on }`)
4664 /// rather than a clock — the agent skips `tokio-cron` registration
4665 /// for these and drives them from boot / session-change instead.
4666 pub fn is_event(&self) -> bool {
4667 matches!(self.when, When::On(_))
4668 }
4669
4670 /// The OS event triggers this schedule listens for, or `&[]` when it
4671 /// is not an event schedule.
4672 pub fn event_triggers(&self) -> &[OnTrigger] {
4673 match &self.when {
4674 When::On(t) => t,
4675 _ => &[],
4676 }
4677 }
4678
4679 /// The next absolute (UTC) time this schedule fires, or `None` when
4680 /// it has no discrete upcoming fire to preview.
4681 ///
4682 /// Used by the KLP `maintenance.list` preview ("what's about to
4683 /// happen on my PC", SPEC §2.1). Returns `None` for:
4684 ///
4685 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
4686 /// every-minute [`POLL_CRON`] and re-converge state continuously,
4687 /// so "next fire" is always ~60s away and means nothing to a user
4688 /// previewing upcoming maintenance;
4689 /// - a calendar schedule whose lowered cron won't parse (a
4690 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
4691 /// - a cron with no future occurrence.
4692 ///
4693 /// The wall-clock fire is evaluated in the schedule's own `tz`
4694 /// (matching the live tick's `Job::new_async_tz`) then normalised
4695 /// to UTC for the wire. `inclusive = false`: strictly the *next*
4696 /// fire after `now`, never one matching the current instant.
4697 pub fn next_calendar_fire(
4698 &self,
4699 now: chrono::DateTime<chrono::Utc>,
4700 ) -> Option<chrono::DateTime<chrono::Utc>> {
4701 if !matches!(self.when, When::Calendar(_)) {
4702 return None;
4703 }
4704 let lowered = self.lowered();
4705 // Same parser configuration tokio-cron-scheduler 0.15 uses
4706 // internally, so this can never compute a fire the live
4707 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
4708 let cron = croner::parser::CronParser::builder()
4709 .seconds(croner::parser::Seconds::Required)
4710 .dom_and_dow(true)
4711 .build()
4712 .parse(&lowered.cron)
4713 .ok()?;
4714 match lowered.tz {
4715 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
4716 ScheduleTz::Local => {
4717 let now_local = now.with_timezone(&chrono::Local);
4718 cron.find_next_occurrence(&now_local, false)
4719 .ok()
4720 .map(|t| t.with_timezone(&chrono::Utc))
4721 }
4722 }
4723 }
4724
4725 /// Cross-field semantic checks that don't fit pure serde derive
4726 /// — the [`Manifest::validate`] counterpart (#418 decision F;
4727 /// pre-Phase-1 a broken schedule was accepted at create time
4728 /// and silently warn-skipped at tick time). Run at every create
4729 /// site: `kanade schedule create` (client-side) and
4730 /// `POST /api/schedules`. The job_id-exists check lives in the
4731 /// API handler instead — it needs the JOBS KV.
4732 pub fn validate(&self) -> Result<(), String> {
4733 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
4734 return Err(
4735 "when.per_target needs fleet-wide completion data and is backend-only; \
4736 it cannot be combined with runs_on: agent (each agent self-schedules, \
4737 so per-target dedup would be deduping across a target of 1)"
4738 .into(),
4739 );
4740 }
4741 // #418 event triggers: the agent owns the OS event source
4742 // (boot / session-change), so `when: { on }` is agent-only and
4743 // needs at least one trigger.
4744 if let When::On(triggers) = &self.when {
4745 if !matches!(self.runs_on, RunsOn::Agent) {
4746 return Err(
4747 "when.on (OS event trigger) is fired by the agent's own event \
4748 source, so it requires runs_on: agent"
4749 .into(),
4750 );
4751 }
4752 if triggers.is_empty() {
4753 return Err(
4754 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
4755 );
4756 }
4757 }
4758 if let Some(cd) = self.lowered().cooldown.as_deref() {
4759 humantime::parse_duration(cd)
4760 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
4761 }
4762 if let When::Calendar(c) = &self.when {
4763 // Lower the calendar form to its cron (catches a bad `at`
4764 // and the date+days conflict), then validate that cron
4765 // with the same parser configuration tokio-cron-scheduler
4766 // 0.15 uses internally (croner, seconds required,
4767 // DOM-and-DOW both honored, year optional) — create-time
4768 // validation can never accept what register() rejects.
4769 let cron = c.to_cron()?;
4770 croner::parser::CronParser::builder()
4771 .seconds(croner::parser::Seconds::Required)
4772 .dom_and_dow(true)
4773 .build()
4774 .parse(&cron)
4775 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
4776 }
4777 // The other humantime strings on the schedule (claude #419
4778 // review): runtime degrades gracefully on both (bad jitter →
4779 // silent no-op, bad starting_deadline → warn + skipped tick),
4780 // but "rejected at create time" should cover every field the
4781 // operator can typo, not just `when`.
4782 if let Some(j) = &self.plan.jitter {
4783 humantime::parse_duration(j)
4784 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
4785 }
4786 if let Some(sd) = &self.starting_deadline {
4787 humantime::parse_duration(sd)
4788 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
4789 }
4790 let from = self
4791 .active
4792 .from
4793 .as_deref()
4794 .map(|s| Active::parse_bound(s, self.tz))
4795 .transpose()?;
4796 let until = self
4797 .active
4798 .until
4799 .as_deref()
4800 .map(|s| Active::parse_bound(s, self.tz))
4801 .transpose()?;
4802 if let (Some(f), Some(u)) = (from, until) {
4803 if f >= u {
4804 return Err(format!(
4805 "active.from ({}) must be strictly before active.until ({})",
4806 self.active.from.as_deref().unwrap_or_default(),
4807 self.active.until.as_deref().unwrap_or_default(),
4808 ));
4809 }
4810 }
4811 // #418 Phase 3: a bad maintenance window is rejected at create
4812 // time (parse_window also catches equal bounds).
4813 if let Some(w) = self.constraints.window.as_deref() {
4814 Constraints::parse_window(w)?;
4815 }
4816 // #418 holiday exclusion: reject a malformed skip date at create
4817 // time so the fail-closed `allows` path only ever bites a
4818 // hand-edited KV blob, not a fresh `kanade schedule create`.
4819 if let Some(err) = self.constraints.bad_skip_date() {
4820 return Err(err);
4821 }
4822 // #418: constraints.max_concurrent is a central running-instance
4823 // cap, so it needs the backend's counter — reject it on
4824 // runs_on: agent (decision E), and reject a meaningless 0.
4825 if let Some(mc) = self.constraints.max_concurrent {
4826 // Check the structural incompatibility (agent has no central
4827 // counter) before the value range, so a `max_concurrent: 0`
4828 // + `runs_on: agent` combo reports the more fundamental
4829 // problem first (claude #542).
4830 if matches!(self.runs_on, RunsOn::Agent) {
4831 return Err(
4832 "constraints.max_concurrent needs a central counter and is backend-only; \
4833 it cannot be combined with runs_on: agent (each agent self-schedules, \
4834 so there is no fleet-wide count to cap against)"
4835 .into(),
4836 );
4837 }
4838 if mc == 0 {
4839 return Err(
4840 "constraints.max_concurrent must be >= 1 (0 would never fire; \
4841 omit it for no cap)"
4842 .into(),
4843 );
4844 }
4845 }
4846 // #418: constraints.require (host-state env gates: ac_power /
4847 // idle / cpu_below / network) is sensed in-process by the agent,
4848 // so it needs runs_on: agent — the backend can't read a target
4849 // host's power / idle / cpu / connectivity state. Symmetric with
4850 // `when: { on }` (also agent-only); inverse of max_concurrent
4851 // (backend-only).
4852 if let Some(req) = &self.constraints.require {
4853 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
4854 return Err(
4855 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
4856 network) is sensed in-process by the agent and needs runs_on: agent; the \
4857 backend cannot read a target host's power / idle / cpu / connectivity state"
4858 .into(),
4859 );
4860 }
4861 // Reject a malformed idle duration at create time so the
4862 // fail-closed runtime path only ever bites a hand-edited
4863 // KV blob (mirror skip_dates / on_failure.retry).
4864 if let Some(err) = req.bad_idle() {
4865 return Err(err);
4866 }
4867 // cpu_below is a percent — reject out-of-range so a typo
4868 // can't make a schedule that never (>=100 is always-busy?
4869 // no — <0 never matches) or trivially fires.
4870 if let Some(c) = req.cpu_below
4871 && !(c > 0.0 && c <= 100.0)
4872 {
4873 return Err(format!(
4874 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
4875 omit it for no CPU requirement"
4876 ));
4877 }
4878 }
4879 // #418 Phase 4: a bad on_failure.retry is rejected at create
4880 // time — backoff must be valid humantime, and max is bounded
4881 // so a typo can't pin a flapping script in a tight loop.
4882 if let Some(r) = &self.on_failure.retry {
4883 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
4884 format!(
4885 "on_failure.retry.backoff: invalid duration '{}': {e}",
4886 r.backoff
4887 )
4888 })?;
4889 // The wire form lowers backoff to whole seconds, so a
4890 // sub-second value would silently become a 0s no-wait
4891 // (coderabbit #466). Reject it rather than honour a backoff
4892 // the operator can't actually get.
4893 if backoff.as_secs() < 1 {
4894 return Err(format!(
4895 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
4896 round to 0 on the wire",
4897 r.backoff
4898 ));
4899 }
4900 if !(1..=10).contains(&r.max) {
4901 return Err(format!(
4902 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
4903 attempts after the first run",
4904 r.max
4905 ));
4906 }
4907 }
4908 // A blank / whitespace-only tag renders an empty filter chip on
4909 // the Schedules page — reject it at create time, mirroring the
4910 // Manifest::validate tag guard.
4911 for tag in &self.tags {
4912 if tag.trim().is_empty() {
4913 return Err("tags must not contain empty entries".to_string());
4914 }
4915 }
4916 Ok(())
4917 }
4918}
4919
4920fn default_true() -> bool {
4921 true
4922}