kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::ipc::jobs::JobCategory;
4use crate::wire::{RunAs, Shell, Staleness};
5
6/// YAML job manifest (= registered "what to run", v0.18.0+).
7///
8/// Owns only script-intrinsic fields. **Who** (`target`), **how to
9/// phase fanout** (`rollout`), and **when to stagger start**
10/// (`jitter`) all moved to the Schedule / exec request side — same
11/// script can now be fired against different targets / rollouts
12/// without copying the script body.
13///
14/// #492: these types are READ fleet-wide (agents decode them from
15/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
16/// must tolerate unknown fields — `deny_unknown_fields` here made a
17/// gradually-upgrading fleet's OLD agents reject the whole object
18/// the moment a newer backend added any field. Operator typo
19/// protection (the old reason for the attribute) lives at the WRITE
20/// boundaries instead: `kanade job/schedule create` and the backend
21/// POST extractor parse via [`crate::strict`], which rejects unknown
22/// keys with their full paths. The wire rule: new fields always get
23/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
24/// may still be strict).
25#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
26pub struct Manifest {
27 pub id: String,
28 pub version: String,
29 #[serde(default)]
30 pub description: Option<String>,
31 pub execute: Execute,
32 #[serde(default)]
33 pub require_approval: bool,
34 /// Opt-in marker that this job produces a JSON inventory fact
35 /// payload on stdout. When present, the backend's results
36 /// projector parses `ExecResult.stdout` as JSON and upserts an
37 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
38 /// `display` sub-config drives the SPA's Inventory page render.
39 #[serde(default)]
40 pub inventory: Option<InventoryHint>,
41 /// Issue #246: opt-in marker that this job emits per-line
42 /// observability events on stdout (one JSON `ObsEvent` per
43 /// newline). When present, the agent — after the script exits
44 /// successfully — parses each non-empty stdout line as an
45 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
46 /// `obs_outbox`, and (intentionally) **omits the stdout from
47 /// the `ExecResult`** so the timeline data doesn't double up
48 /// in `execution_results.stdout` (which would multiply rows
49 /// by ~50/day/PC of noise).
50 ///
51 /// Distinct from `inventory:` (single JSON object → projector
52 /// upsert) — events are append-only timeline points consumed
53 /// by the dedicated `obs_events` table.
54 #[serde(default)]
55 pub emit: Option<EmitConfig>,
56 /// #290: opt-in marker that this job is an operator-defined
57 /// **health check** whose result feeds the Client App's Health
58 /// tab over KLP (`StateSnapshot.checks`). The script prints a
59 /// free-form JSON object on stdout (like any inventory job); the
60 /// agent reads the [`CheckHint::status_field`] value dynamically
61 /// into a [`crate::ipc::state::Check`] named `check.name`.
62 /// Cadence / windows / conditions come from
63 /// the job's Schedule (exactly like inventory) — there is
64 /// deliberately no interval here. **Composes with `inventory:`**:
65 /// the script's stdout is one JSON object, so a check can also
66 /// carry an `inventory:` block to project the rest of that object
67 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
68 /// `emit:` (NDJSON stdout) is incompatible.
69 #[serde(default)]
70 pub check: Option<CheckHint>,
71 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
72 /// what the agent does at fire time when it can't verify the
73 /// `script_current` / `script_status` KV values are fresh —
74 /// especially relevant for `runs_on: agent` schedules where
75 /// the agent may fire from cache while offline. Defaults to
76 /// `Staleness::Cached` (silently use cached values), which
77 /// matches every pre-v0.26 Manifest.
78 #[serde(default)]
79 pub staleness: Staleness,
80 /// #291: opt-in marker that this job is offered to **end users**
81 /// in the Client App's job tabs over KLP (`jobs.list` →
82 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
83 /// [`emit`]: the block's mere presence is the opt-in, and it
84 /// groups the end-user presentation fields (name / category /
85 /// icon) that only make sense for a user-facing job. `None`
86 /// (the default) ⇒ an operator-only job — inventory, checks,
87 /// scheduled maintenance — that never surfaces in the catalog.
88 ///
89 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
90 /// (SPEC §2.1), so removing the block takes a job out of a
91 /// running client on its next action.
92 ///
93 /// [`inventory`]: Manifest::inventory
94 /// [`check`]: Manifest::check
95 /// [`emit`]: Manifest::emit
96 #[serde(default, skip_serializing_if = "Option::is_none")]
97 pub client: Option<ClientHint>,
98 /// Free-form operator taxonomy for the Jobs catalog. Purely a
99 /// SPA-side organisational aid — agents / scheduler / projector
100 /// never read it — so it carries no runtime semantics and any
101 /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
102 /// cross-cut (a `check-bitlocker` is at once a health-check, a
103 /// security control, and Windows-specific), which is why this is
104 /// a multi-valued list rather than the single closed-enum
105 /// [`ClientHint::category`] (whose values are the end-user Client
106 /// App's tabs, a different concern). The operator Jobs page groups
107 /// rows by id-prefix for free; tags add the orthogonal filter axis
108 /// prefixes can't express.
109 ///
110 /// Empty by default (the overwhelming majority of jobs), and a
111 /// new field, so it follows the #492 wire rule: `serde(default)`
112 /// plus `skip_serializing_if` keep gradually-upgrading old readers
113 /// from tripping over its absence / presence.
114 #[serde(default, skip_serializing_if = "Vec::is_empty")]
115 pub tags: Vec<String>,
116 /// GitOps provenance (#678) — see [`JobOrigin`]. Stamped by
117 /// `kanade job create` when the source YAML lives inside a Git work
118 /// tree, so the SPA can render the job read-only and point edits
119 /// back at the repo instead of letting a ClickOps edit silently
120 /// diverge from Git (SPEC design principle #3: 設定駆動 YAML + Git).
121 /// `None` for SPA-born jobs and for manifests applied from outside
122 /// any Git repo. Purely informational: agents / scheduler /
123 /// projector never read it, and it survives `script_file:` inlining
124 /// (it's orthogonal to the exactly-one-of script-source rule). New
125 /// field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
126 #[serde(default, skip_serializing_if = "Option::is_none")]
127 pub origin: Option<JobOrigin>,
128}
129
130/// GitOps provenance for a [`Manifest`] (#678). Populated by
131/// `kanade job create` from the Git context of the source YAML; the
132/// SPA reads it to render Git-managed jobs read-only and link the
133/// operator back at the repo. Never consulted by the runtime.
134#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
135pub struct JobOrigin {
136 /// Repo-relative path of the manifest YAML — the primary edit
137 /// target the SPA surfaces (e.g. `configs/jobs/foo.yaml`). Forward
138 /// slashes regardless of the authoring OS.
139 pub path: String,
140 /// `origin` remote URL, when the repo has one. Lets the SPA turn
141 /// `path` into a clickable link; `None` for remote-less repos.
142 #[serde(default, skip_serializing_if = "Option::is_none")]
143 pub repo: Option<String>,
144 /// Repo-relative path of the `script_file:` this manifest inlined,
145 /// when it used one — a secondary pointer shown beneath `path`.
146 #[serde(default, skip_serializing_if = "Option::is_none")]
147 pub script_file: Option<String>,
148}
149
150/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
151/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
152/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
153/// here keeps the validation + serialisation logic in one place.
154#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
155pub struct FanoutPlan {
156 #[serde(default)]
157 pub target: Target,
158 /// Optional wave rollout — when present, the backend publishes
159 /// each wave's group subject on its own delay schedule instead
160 /// of fanning out the `target` block in one go. `target` then
161 /// only labels the deploy for the audit log.
162 #[serde(default, skip_serializing_if = "Option::is_none")]
163 pub rollout: Option<Rollout>,
164 /// Optional humantime jitter; agent uses it to randomise
165 /// execution start. Lives here (not on the script) so different
166 /// schedules / ad-hoc fires of the same job can pick different
167 /// stagger windows.
168 #[serde(default, skip_serializing_if = "Option::is_none")]
169 pub jitter: Option<String>,
170 /// Absolute time the scheduler stamps on each emitted Command
171 /// when this exec was driven by a [`Schedule`] with
172 /// `starting_deadline`. Agents receiving a Command after this
173 /// instant publish a synthetic skipped-result instead of
174 /// running the script. `None` (default) = no deadline / catch
175 /// up whenever delivered. Operators don't usually set this
176 /// directly — the scheduler computes it from `tick_at +
177 /// starting_deadline`.
178 #[serde(default, skip_serializing_if = "Option::is_none")]
179 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
180}
181
182/// Manifest sub-section: how the SPA should render the inventory
183/// facts this job produces. Each field name (`field`) is a top-level
184/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
185///
186/// Two render modes:
187/// * `display` — vertical "field / value" per PC, used by the
188/// `/inventory?pc=<id>` detail view. ALL columns the operator
189/// wants visible on the detail page.
190/// * `summary` — horizontal table across the fleet (row = PC,
191/// column = field) on `/inventory`. Optional; when omitted the
192/// SPA falls back to `display`, but operators usually want a
193/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
194#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
195pub struct InventoryHint {
196 /// Detail-view columns, in order.
197 pub display: Vec<DisplayField>,
198 /// Optional fleet-list columns (row = PC). Defaults to `display`
199 /// when omitted, but operators usually pick a 3-5 column subset.
200 #[serde(default, skip_serializing_if = "Option::is_none")]
201 pub summary: Option<Vec<DisplayField>>,
202 /// v0.31 / #40: payload arrays that should be exploded into
203 /// per-element rows of a derived SQLite table. Lets operators
204 /// answer cross-PC questions ("which PCs still have Chrome <
205 /// 120?", "C: >90% full") with normal SQL filters + indexes
206 /// instead of grepping JSON. The projector creates the derived
207 /// table on register and replaces this PC's rows on each result
208 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
209 /// [`ExplodeSpec`] for the per-spec schema.
210 #[serde(default, skip_serializing_if = "Option::is_none")]
211 pub explode: Option<Vec<ExplodeSpec>>,
212 /// v0.35 / #93: top-level scalar fields whose changes the
213 /// projector logs to `inventory_history` (one event per
214 /// changed field per scan). Pairs with `explode[].track_history`
215 /// — that covers array elements; this covers single-valued
216 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
217 /// `os_build` that operators want to track for "did the RAM
218 /// get upgraded?" / "when did Win 11 land on this PC?" /
219 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
220 /// in the history row, `identity_json` is NULL, `before_json`
221 /// / `after_json` each carry `{"value": <prior or new value>}`.
222 /// First-ever observation of a scalar (no prior facts row)
223 /// emits `added`; subsequent value changes emit `changed`. No
224 /// `removed` events — a scalar disappearing from the payload
225 /// is rare and the operator can still see the last value via
226 /// the `before_json` of the most recent change.
227 #[serde(default, skip_serializing_if = "Option::is_none")]
228 pub history_scalars: Option<Vec<String>>,
229}
230
231/// Manifest sub-section (#290): marks a job as an operator-defined
232/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
233/// The stdout contract is a free-form JSON object (same as any
234/// inventory job) from which the agent reads `status_field` /
235/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
236/// on the Client App's Health tab.
237///
238/// There is deliberately **no timing field** — when / how often /
239/// in which window a check runs is driven by the job's Schedule,
240/// exactly like inventory jobs, so operators get the full `when:` /
241/// rollout / `runs_on` expressiveness for free.
242///
243/// A check's stdout is a **free-form inventory object** (arbitrary
244/// key/value pairs + arrays) — same as any inventory job — that also
245/// carries a status field. `check:` adds only the health semantics on
246/// top: which field is the ok/warn/fail/unknown status, an optional
247/// one-line summary field, and a remediation job. Everything else
248/// (rich per-PC detail, `explode` sub-tables like a software list) is
249/// driven by a co-present [`InventoryHint`] and rendered with the
250/// SAME display logic the SPA Inventory page uses — on the Client App
251/// too. This keeps checks maximally expressive without a bespoke
252/// payload type.
253#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
254pub struct CheckHint {
255 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
256 /// the SPA/Client React key + analytics label. Unique within the
257 /// fleet's check set. Machine-friendly slug (`disk_space`,
258 /// `defender_rtp`); for the human-facing row title see [`label`].
259 ///
260 /// [`label`]: CheckHint::label
261 pub name: String,
262 /// Optional human-facing display title →
263 /// [`Check.label`](crate::ipc::state::Check). The Client App's
264 /// Health tab and the operator SPA's Compliance page render this
265 /// instead of the [`name`](CheckHint::name) slug when set
266 /// (`"ウイルス対策のリアルタイム保護"` reads better than
267 /// `defender_rtp`). Falls back to the slug when absent, so it's
268 /// purely additive. Author it in the check's language — there's no
269 /// per-locale variant; checks are operator-defined per fleet.
270 #[serde(default, skip_serializing_if = "Option::is_none")]
271 pub label: Option<String>,
272 /// Top-level stdout field whose string value
273 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
274 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
275 /// `"status"`; a missing / unparseable value → `unknown`.
276 #[serde(default = "default_status_field")]
277 pub status_field: String,
278 /// Top-level stdout field used as the Health-tab row's one-line
279 /// summary. Defaults to `"detail"`; absent in the payload → no
280 /// detail line (the rich breakdown lives in the inventory view).
281 #[serde(default = "default_detail_field")]
282 pub detail_field: String,
283 /// Optional remediation job id →
284 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
285 /// App shows a "修復する" button when present; that job must be
286 /// `user_invokable`.
287 #[serde(default, skip_serializing_if = "Option::is_none")]
288 pub troubleshoot: Option<String>,
289 /// #290 PR-E: when `true` (default), the backend also projects this
290 /// check's `status` / `detail` into the `check_status` table so the
291 /// operator SPA gets a fleet-wide compliance view for free — no
292 /// `inventory:` block needed. Set `fleet: false` for a client-only
293 /// check the operator doesn't want surfaced across the fleet.
294 #[serde(default = "default_fleet")]
295 pub fleet: bool,
296}
297
298fn default_status_field() -> String {
299 "status".to_string()
300}
301
302fn default_detail_field() -> String {
303 "detail".to_string()
304}
305
306fn default_fleet() -> bool {
307 true
308}
309
310/// Manifest sub-section (#291): marks a job as **user-invokable**
311/// from the Client App and carries how it presents to the end user.
312/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
313/// the block's presence is the opt-in (no separate boolean), and its
314/// required fields (`name`, `category`) are enforced by serde at
315/// parse time, so a half-filled catalog entry fails
316/// `kanade job create` instead of rendering a nameless / tab-less row.
317///
318/// The agent maps this 1:1 into the KLP
319/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
320/// that `jobs.list` returns; the Client App renders one row per job in
321/// the tab named by `category`.
322#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
323pub struct ClientHint {
324 /// End-user-facing title for the job row. The operator-internal
325 /// `Manifest::id` slug is rarely what an end user should read, so
326 /// this is required (and validated non-empty by
327 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
328 pub name: String,
329 /// Optional one-line subtitle under `name` in the Client App.
330 /// Distinct from the operator-facing top-level
331 /// [`Manifest::description`] — this one is written for the end
332 /// user. Maps to `UserInvokableJob::display_description`.
333 #[serde(default, skip_serializing_if = "Option::is_none")]
334 pub description: Option<String>,
335 /// Which Client App tab the job lives in (`software_update` →
336 /// アップデート, `troubleshoot` → 困ったとき, `catalog` → software
337 /// catalog). Required — without it the agent can't place the job
338 /// in a tab.
339 pub category: JobCategory,
340 /// Optional icon hint for the job row — a lucide-react icon name
341 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
342 /// category's default icon. Surfaced verbatim in
343 /// `jobs.list[].icon`.
344 #[serde(default, skip_serializing_if = "Option::is_none")]
345 pub icon: Option<String>,
346}
347
348/// Issue #246 — `emit:` manifest block for jobs whose stdout is
349/// NDJSON observability events (one `ObsEvent` per line). Parallel
350/// to `inventory:` but for the append-only timeline pipeline; see
351/// `Manifest::emit` for the full contract.
352#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
353pub struct EmitConfig {
354 /// What kind of payload the agent should expect on stdout. Only
355 /// `events` is defined today (parses each non-empty line as
356 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
357 /// (e.g. metrics streams, structured trace events) plug in here.
358 #[serde(rename = "type")]
359 pub kind: EmitKind,
360 /// Operator hint for where the script keeps its own state — the
361 /// watermark file the PowerShell / sh body reads + writes
362 /// between runs so it only emits NEW events since the last
363 /// poll. The agent doesn't read this; it's documentation that
364 /// the SPA (and `kanade job edit`) can surface to operators
365 /// reviewing the manifest. Optional; the script is allowed to
366 /// keep state anywhere (registry, env, etc.) — the field's
367 /// presence makes the convention discoverable.
368 #[serde(default, skip_serializing_if = "Option::is_none")]
369 pub watermark_path: Option<String>,
370}
371
372/// `emit.type` enum. Lowercase serde so manifests read
373/// `type: events` rather than `Events`.
374#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
375#[serde(rename_all = "lowercase")]
376pub enum EmitKind {
377 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
378 /// `obs.<pc_id>`, drops the stdout from the resulting
379 /// `ExecResult`.
380 Events,
381}
382
383/// v0.31 / #40: declarative "flatten this JSON array into a real
384/// SQLite table" spec on an inventory manifest. The projector
385/// creates the table on first registration (CREATE TABLE IF NOT
386/// EXISTS + indexes) and writes a row per element of
387/// `payload[field]` on every result, scoped by (pc_id, job_id) so
388/// each PC's rows replace cleanly without a per-PC schema.
389#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
390pub struct ExplodeSpec {
391 /// JSON array key under the payload to explode. E.g. `"apps"`
392 /// for `payload: { apps: [{...}, {...}] }`.
393 pub field: String,
394 /// Derived SQLite table name. Operators choose this — pick
395 /// something namespaced + stable (`inventory_sw_apps`, not
396 /// `apps`) so multiple inventory manifests don't collide on a
397 /// generic name.
398 pub table: String,
399 /// Element-level fields that uniquely identify a row inside one
400 /// PC's payload. The full PK is `(pc_id, job_id) + these
401 /// columns`. Required — operators must think about uniqueness
402 /// (e.g. `["name", "source"]` for installed apps because the
403 /// same name appears in multiple uninstall hives).
404 ///
405 /// v0.31 / #41: same tuple drives history identity. When
406 /// `track_history` is on, the projector serialises these
407 /// fields' values into `inventory_history.identity_json` for
408 /// every change event, so queries like "every PC that ever
409 /// installed Chrome (any source)" filter on identity_json
410 /// content without a per-manifest schema.
411 pub primary_key: Vec<String>,
412 /// Per-element fields that become columns in the derived table.
413 pub columns: Vec<ExplodeColumn>,
414 /// v0.31 / #41: when true (default false), the projector
415 /// diffs each PC's incoming payload against the prior rows
416 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
417 /// replace, and writes added / removed / changed events into
418 /// `inventory_history`. Lets operators answer time-dimension
419 /// questions ("when did Chrome 120 first appear on PC X?",
420 /// "what's the Win 11 23H2 rollout curve") without storing
421 /// per-scan snapshots. Off by default so operators opt in
422 /// per-spec — history has a real storage cost on long-lived
423 /// deployments (mitigated by the 90-day default retention
424 /// sweeper, see `cleanup` module).
425 #[serde(default)]
426 pub track_history: bool,
427}
428
429/// One column in an [`ExplodeSpec`]'s derived table.
430#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
431pub struct ExplodeColumn {
432 /// JSON key under each array element. Becomes the column name
433 /// in the derived SQLite table — we don't rename.
434 pub field: String,
435 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
436 /// Storage maps directly via `sqlx::query.bind(...)`; type
437 /// mismatches at INSERT-time fail loudly rather than silently
438 /// dropping the row.
439 #[serde(default, skip_serializing_if = "Option::is_none")]
440 #[serde(rename = "type")]
441 pub kind: Option<String>,
442 /// When true, the projector creates a `CREATE INDEX` on this
443 /// column at table-creation time. Boost for the common-filter
444 /// columns (`name`, `version`) — operators mark them
445 /// explicitly, the projector won't guess.
446 #[serde(default)]
447 pub index: bool,
448}
449
450#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
451pub struct DisplayField {
452 /// Top-level key in the stdout JSON.
453 pub field: String,
454 /// Human-readable column header.
455 pub label: String,
456 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
457 /// or `"table"` (#39). Defaults to plain text rendering on the
458 /// SPA side. `"table"` expects the field's value to be a JSON
459 /// array of objects and renders a nested sub-table on the
460 /// per-PC detail page using `columns` as the schema; the fleet
461 /// summary view falls back to showing the row count for
462 /// `"table"` cells so the wide list stays compact.
463 #[serde(default, skip_serializing_if = "Option::is_none")]
464 #[serde(rename = "type")]
465 pub kind: Option<String>,
466 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
467 /// field's value (an array of objects like
468 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
469 /// sub-table using these columns. Each column is itself a
470 /// `DisplayField`, so the nested cells reuse the same render
471 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
472 /// pipeline. Ignored for any other `kind`.
473 #[serde(default, skip_serializing_if = "Option::is_none")]
474 pub columns: Option<Vec<DisplayField>>,
475}
476
477#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
478pub struct Rollout {
479 #[serde(default)]
480 pub strategy: RolloutStrategy,
481 pub waves: Vec<Wave>,
482}
483
484#[derive(
485 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
486)]
487#[serde(rename_all = "lowercase")]
488pub enum RolloutStrategy {
489 #[default]
490 Wave,
491}
492
493#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
494pub struct Wave {
495 pub group: String,
496 /// humantime delay measured from the deploy's publish time. wave[0]
497 /// typically has "0s"; subsequent waves use minutes / hours.
498 pub delay: String,
499}
500
501#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
502pub struct Target {
503 #[serde(default)]
504 pub groups: Vec<String>,
505 #[serde(default)]
506 pub pcs: Vec<String>,
507 #[serde(default)]
508 pub all: bool,
509}
510
511impl Target {
512 /// At least one of all / groups / pcs is set.
513 pub fn is_specified(&self) -> bool {
514 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
515 }
516}
517
518#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
519pub struct Execute {
520 pub shell: ExecuteShell,
521 /// Inline script body. Mutually exclusive with [`script_file`]
522 /// and [`script_object`]; exactly one of the three must be set
523 /// (enforced by [`Execute::validate_script_source`] at the
524 /// write-side parse boundaries — `kanade job create` and
525 /// `POST /api/jobs`).
526 ///
527 /// Empty string is treated as **unset** so operators can swap
528 /// to a `script_file:` / `script_object:` alternative just by
529 /// commenting out the body, without having to also drop the
530 /// `script:` key entirely.
531 ///
532 /// [`script_file`]: Self::script_file
533 /// [`script_object`]: Self::script_object
534 #[serde(default, skip_serializing_if = "Option::is_none")]
535 pub script: Option<String>,
536 /// Repo-local file path resolved by the operator-side CLI at
537 /// `kanade job create` time. The CLI reads the file, slots its
538 /// contents into `script`, and clears this field before
539 /// POSTing — so the backend / agents never see `script_file`
540 /// in stored manifests. SPEC §2.4.1.
541 ///
542 /// Resolver lands in a follow-up PR
543 /// (yukimemi/kanade#210); today this field passes parse-time
544 /// validation but the operator-side CLI bails with "not yet
545 /// implemented" until the resolver ships, so manifests that
546 /// reach the backend with `script_file` set are treated as a
547 /// schema-bug.
548 #[serde(default, skip_serializing_if = "Option::is_none")]
549 pub script_file: Option<String>,
550 /// Object Store reference (`<name>/<version>`) into the
551 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
552 /// at Execute time via `/api/script-objects/{name}/{version}`
553 /// and cache it locally. SPEC §2.4.1.
554 ///
555 /// Fully wired (#210/#211): the backend resolves the digest at
556 /// exec submission (`api::exec::resolve_script_source`), the agent
557 /// fetches + sha-verifies + caches the body (`script_cache`), and
558 /// `kanade script` CRUDs the store. Unlike `script_file:` (inlined
559 /// CLI-side, git-managed), this keeps the body in versioned,
560 /// digest-pinned object storage — the ops-managed counterpart.
561 #[serde(default, skip_serializing_if = "Option::is_none")]
562 pub script_object: Option<String>,
563 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
564 /// — represents how long this script reasonably takes to run.
565 pub timeout: String,
566 /// Token + session combination the agent uses to launch the
567 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
568 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
569 #[serde(default)]
570 pub run_as: RunAs,
571 /// Working directory for the spawned child (v0.21.1). When
572 /// unset, the child inherits the agent's cwd — on Windows that
573 /// means `%SystemRoot%\System32` for the prod service, which is
574 /// almost never what operators actually want. Use an absolute
575 /// path; relative paths are passed through to the OS verbatim.
576 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
577 /// you'd want `%USERPROFILE%` (but expansion happens in the
578 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
579 /// it via teravars before `kanade job create`).
580 #[serde(default, skip_serializing_if = "Option::is_none")]
581 pub cwd: Option<String>,
582}
583
584impl Execute {
585 /// Treat an empty `script:` body as "intentionally unset". Operators
586 /// commenting out a block-scalar tend to leave the key behind, and
587 /// failing the validator on `script: ""` would surprise them.
588 fn has_inline_script(&self) -> bool {
589 matches!(&self.script, Some(s) if !s.is_empty())
590 }
591
592 /// Enforce that exactly one of `script` / `script_file` /
593 /// `script_object` is set. Called at the write-side parse
594 /// boundaries (CLI `kanade job create` + backend
595 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
596 /// reaches the JOBS KV. Read paths (projector, agent
597 /// scheduler, list endpoints) skip this check — they only ever
598 /// see what the write path already validated.
599 pub fn validate_script_source(&self) -> Result<(), String> {
600 let inline = self.has_inline_script();
601 let file = self.script_file.is_some();
602 let obj = self.script_object.is_some();
603 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
604 match set {
605 1 => Ok(()),
606 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
607 _ => Err(format!(
608 "execute: only one of `script` / `script_file` / `script_object` may be set \
609 (got script={inline}, script_file={file}, script_object={obj})"
610 )),
611 }
612 }
613}
614
615impl Manifest {
616 /// Cross-field semantic checks that don't fit into pure serde
617 /// derive. Currently delegates to
618 /// [`Execute::validate_script_source`] — see that method's
619 /// docs for the rationale on which call sites should run this.
620 pub fn validate(&self) -> Result<(), String> {
621 self.execute.validate_script_source()?;
622 // Stdout-format compatibility. `inventory:` and `check:` both
623 // consume the SAME single JSON object — they COMPOSE: a check
624 // can extract `status`/`detail` for the Health tab while the
625 // projector explodes the rest into SPA sub-tables. `emit:` is
626 // different — its stdout is NDJSON and the agent omits it from
627 // the result entirely — so it can't be paired with either.
628 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
629 return Err(
630 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
631 timeline events (and omitted from the result), while inventory/check read a \
632 single JSON object from stdout"
633 .to_string(),
634 );
635 }
636 // A check's `name` is the Health-tab row id (React key); the
637 // field names tell the agent where to read status/detail.
638 // An empty value is an invisible runtime bug, and the serde
639 // defaults don't guard an operator who writes `status_field:
640 // ""` explicitly — reject all three here.
641 if let Some(check) = &self.check {
642 for (label, value) in [
643 ("check.name", &check.name),
644 ("check.status_field", &check.status_field),
645 ("check.detail_field", &check.detail_field),
646 ] {
647 if value.trim().is_empty() {
648 return Err(format!("{label} must not be empty"));
649 }
650 }
651 // A present-but-blank `troubleshoot` is a broken
652 // remediation job id (the "修復する" button would target
653 // an empty manifest id) — reject it too.
654 if let Some(troubleshoot) = &check.troubleshoot {
655 if troubleshoot.trim().is_empty() {
656 return Err("check.troubleshoot must not be empty when set".to_string());
657 }
658 }
659 // A present-but-blank `label` would render an empty row
660 // title on the Health tab / Compliance page — reject it so
661 // the slug fallback only ever kicks in when label is absent.
662 if let Some(label) = &check.label {
663 if label.trim().is_empty() {
664 return Err("check.label must not be empty when set".to_string());
665 }
666 }
667 }
668 // #291: a `client:` job is rendered in the Client App's
669 // catalog (`jobs.list` → `jobs.execute`). serde already makes
670 // `name` + `category` required at parse time; the only gap is
671 // a present-but-blank `name`, which would render an empty row
672 // title — reject it like the other display-id fields.
673 if let Some(client) = &self.client {
674 if client.name.trim().is_empty() {
675 return Err("client.name must not be empty".to_string());
676 }
677 // Optional display fields, when present, must be
678 // meaningful: a blank `description` renders an empty
679 // subtitle and a blank `icon` is a dangling lucide name.
680 // Same present-but-blank guard the `check:` block applies
681 // to its optional `troubleshoot` id.
682 for (label, value) in [
683 ("client.description", &client.description),
684 ("client.icon", &client.icon),
685 ] {
686 if let Some(v) = value {
687 if v.trim().is_empty() {
688 return Err(format!("{label} must not be empty when set"));
689 }
690 }
691 }
692 }
693 // A blank / whitespace-only tag is an invisible operator typo
694 // that would render an empty filter chip on the Jobs page —
695 // reject it like the other present-but-blank display fields.
696 for tag in &self.tags {
697 if tag.trim().is_empty() {
698 return Err("tags must not contain empty entries".to_string());
699 }
700 }
701 Ok(())
702 }
703}
704
705#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
706#[serde(rename_all = "lowercase")]
707pub enum ExecuteShell {
708 Powershell,
709 Cmd,
710}
711
712impl From<ExecuteShell> for Shell {
713 fn from(s: ExecuteShell) -> Self {
714 match s {
715 ExecuteShell::Powershell => Shell::Powershell,
716 ExecuteShell::Cmd => Shell::Cmd,
717 }
718 }
719}
720
721#[cfg(test)]
722mod tests {
723 use super::*;
724
725 /// The example check-job + schedule YAMLs shipped under `configs/`
726 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
727 /// pins them at compile time so a breaking edit fails `cargo test`
728 /// rather than only `kanade job create` at deploy time.
729 #[test]
730 fn example_check_job_yamls_parse_and_validate() {
731 let jobs = [
732 (
733 "check-bitlocker",
734 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
735 ),
736 (
737 "check-av-signature",
738 include_str!("../../../configs/jobs/check-av-signature.yaml"),
739 ),
740 (
741 "check-cert-expiry",
742 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
743 ),
744 (
745 "check-disk-space",
746 include_str!("../../../configs/jobs/check-disk-space.yaml"),
747 ),
748 (
749 "check-pending-reboot",
750 include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
751 ),
752 (
753 "check-defender-rtp",
754 include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
755 ),
756 (
757 "check-firewall",
758 include_str!("../../../configs/jobs/check-firewall.yaml"),
759 ),
760 ];
761 for (name, yaml) in jobs {
762 let m: Manifest =
763 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
764 m.validate()
765 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
766 let check = m
767 .check
768 .as_ref()
769 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
770 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
771 // These examples all read admin-only WMI / registry / netsh
772 // state, so they run_as system. NOTE: that's a property of
773 // these particular checks, NOT of the `check:` contract — a
774 // check probing user-session state could run_as user.
775 assert_eq!(
776 m.execute.run_as,
777 RunAs::System,
778 "{name} should run_as system"
779 );
780 }
781 }
782
783 /// The example user-invokable job YAMLs (#291) shipped under
784 /// `configs/jobs/` must stay valid as the `client:` schema
785 /// evolves. `include_str!` pins them at compile time so a breaking
786 /// edit fails `cargo test`, not `kanade job create` at deploy.
787 #[test]
788 fn example_client_job_yamls_parse_and_validate() {
789 let jobs = [
790 (
791 "fix-teams-cache",
792 JobCategory::Troubleshoot,
793 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
794 ),
795 (
796 "chrome-update",
797 JobCategory::SoftwareUpdate,
798 include_str!("../../../configs/jobs/chrome-update.yaml"),
799 ),
800 (
801 "install-slack",
802 JobCategory::Catalog,
803 include_str!("../../../configs/jobs/install-slack.yaml"),
804 ),
805 (
806 "fix-defender-rtp",
807 JobCategory::Troubleshoot,
808 include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
809 ),
810 ];
811 for (id, category, yaml) in jobs {
812 let m: Manifest =
813 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
814 m.validate()
815 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
816 assert_eq!(m.id, id, "{id} id mismatch");
817 let client = m
818 .client
819 .as_ref()
820 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
821 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
822 assert_eq!(client.category, category, "{id} category");
823 }
824 }
825
826 #[test]
827 fn example_check_schedule_yamls_parse_and_validate() {
828 let schedules = [
829 (
830 "check-bitlocker",
831 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
832 ),
833 (
834 "check-av-signature",
835 include_str!("../../../configs/schedules/check-av-signature.yaml"),
836 ),
837 (
838 "check-cert-expiry",
839 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
840 ),
841 (
842 "check-disk-space",
843 include_str!("../../../configs/schedules/check-disk-space.yaml"),
844 ),
845 (
846 "check-pending-reboot",
847 include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
848 ),
849 (
850 "check-defender-rtp",
851 include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
852 ),
853 (
854 "check-firewall",
855 include_str!("../../../configs/schedules/check-firewall.yaml"),
856 ),
857 ];
858 for (name, yaml) in schedules {
859 let s: Schedule =
860 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
861 s.validate()
862 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
863 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
864 }
865 }
866
867 #[test]
868 fn target_is_specified_requires_at_least_one_field() {
869 let empty = Target::default();
870 assert!(!empty.is_specified());
871
872 let with_all = Target {
873 all: true,
874 ..Target::default()
875 };
876 assert!(with_all.is_specified());
877
878 let with_groups = Target {
879 groups: vec!["canary".into()],
880 ..Target::default()
881 };
882 assert!(with_groups.is_specified());
883
884 let with_pcs = Target {
885 pcs: vec!["pc-01".into()],
886 ..Target::default()
887 };
888 assert!(with_pcs.is_specified());
889 }
890
891 #[test]
892 fn manifest_deserialises_minimal_yaml() {
893 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
894 // — those live on the schedule / exec request now.
895 let yaml = r#"
896id: echo-test
897version: 0.0.1
898execute:
899 shell: powershell
900 script: "echo 'kanade'"
901 timeout: 30s
902"#;
903 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
904 assert_eq!(m.id, "echo-test");
905 assert_eq!(m.version, "0.0.1");
906 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
907 assert_eq!(
908 m.execute.script.as_deref().map(str::trim),
909 Some("echo 'kanade'")
910 );
911 assert!(m.execute.script_file.is_none());
912 assert!(m.execute.script_object.is_none());
913 assert_eq!(m.execute.timeout, "30s");
914 assert!(!m.require_approval);
915 m.validate()
916 .expect("inline-script manifest passes validation");
917 }
918
919 #[test]
920 fn manifest_parses_check_job_and_validates() {
921 // An operator-defined health check (#290): a `check:` hint +
922 // a PowerShell script that prints {status, detail}.
923 let yaml = r#"
924id: check-bitlocker
925version: 0.1.0
926execute:
927 shell: powershell
928 run_as: system
929 timeout: 15s
930 script: |
931 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
932check:
933 name: bitlocker
934 troubleshoot: fix-bitlocker
935"#;
936 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
937 let check = m.check.as_ref().expect("check hint present");
938 assert_eq!(check.name, "bitlocker");
939 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
940 // Field names default to the conventional "status" / "detail".
941 assert_eq!(check.status_field, "status");
942 assert_eq!(check.detail_field, "detail");
943 assert!(m.inventory.is_none() && m.emit.is_none());
944 m.validate().expect("check-only manifest passes validation");
945 }
946
947 #[test]
948 fn manifest_check_defaults_and_custom_fields() {
949 // Minimal: only `name`; status/detail fields default.
950 let m: Manifest = serde_yaml::from_str(
951 r#"
952id: check-disk
953version: 0.1.0
954execute:
955 shell: powershell
956 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
957 timeout: 10s
958check:
959 name: disk_free
960"#,
961 )
962 .expect("parse");
963 let c = m.check.as_ref().unwrap();
964 assert_eq!(c.name, "disk_free");
965 assert_eq!(c.status_field, "status");
966 assert_eq!(c.detail_field, "detail");
967 assert!(c.troubleshoot.is_none());
968 m.validate().expect("validates");
969
970 // The operator can point status/detail at any field of their
971 // free-form inventory object.
972 let m2: Manifest = serde_yaml::from_str(
973 r#"
974id: check-custom
975version: 0.1.0
976execute:
977 shell: powershell
978 script: "echo x"
979 timeout: 10s
980check:
981 name: patch_level
982 status_field: compliance
983 detail_field: summary
984"#,
985 )
986 .expect("parse");
987 let c2 = m2.check.as_ref().unwrap();
988 assert_eq!(c2.status_field, "compliance");
989 assert_eq!(c2.detail_field, "summary");
990 }
991
992 #[test]
993 fn manifest_allows_check_composed_with_inventory() {
994 // `check:` + `inventory:` COMPOSE on the same stdout object:
995 // status/detail → Health tab, the rest → SPA projection +
996 // explode sub-tables. Must pass validation.
997 let yaml = r#"
998id: check-bitlocker-detailed
999version: 0.1.0
1000execute:
1001 shell: powershell
1002 script: "echo x"
1003 timeout: 10s
1004check:
1005 name: bitlocker
1006inventory:
1007 display:
1008 - { field: status, label: Status }
1009"#;
1010 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1011 assert!(m.check.is_some() && m.inventory.is_some());
1012 m.validate().expect("check + inventory compose");
1013 }
1014
1015 #[test]
1016 fn manifest_rejects_check_combined_with_emit() {
1017 // `emit:` stdout is NDJSON (and omitted from the result), so
1018 // it can't pair with `check:` (which needs a single JSON
1019 // object on stdout).
1020 let yaml = r#"
1021id: bad-mix
1022version: 0.1.0
1023execute:
1024 shell: powershell
1025 script: "echo x"
1026 timeout: 10s
1027check:
1028 name: bitlocker
1029emit:
1030 type: events
1031"#;
1032 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1033 let err = m.validate().expect_err("emit + check must fail");
1034 assert!(err.contains("incompatible"), "err: {err}");
1035 }
1036
1037 #[test]
1038 fn manifest_rejects_emit_combined_with_inventory() {
1039 // The other half of the emit-incompatibility condition.
1040 let yaml = r#"
1041id: bad-mix-2
1042version: 0.1.0
1043execute:
1044 shell: powershell
1045 script: "echo x"
1046 timeout: 10s
1047emit:
1048 type: events
1049inventory:
1050 display:
1051 - { field: status, label: Status }
1052"#;
1053 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1054 let err = m.validate().expect_err("emit + inventory must fail");
1055 assert!(err.contains("incompatible"), "err: {err}");
1056 }
1057
1058 #[test]
1059 fn manifest_rejects_empty_check_field_names() {
1060 // Empty name / status_field / detail_field are invisible
1061 // runtime bugs (empty React key, agent reads the wrong field)
1062 // — reject them even though serde supplies non-empty defaults.
1063 let base = |inner: &str| {
1064 format!(
1065 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
1066 )
1067 };
1068 for inner in [
1069 " name: \"\"\n",
1070 " name: ok\n status_field: \"\"\n",
1071 " name: ok\n detail_field: \" \"\n",
1072 // present-but-blank troubleshoot → broken remediation id.
1073 " name: ok\n troubleshoot: \" \"\n",
1074 ] {
1075 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
1076 let err = m.validate().expect_err("empty field must fail");
1077 assert!(err.contains("must not be empty"), "err: {err}");
1078 }
1079 }
1080
1081 #[test]
1082 fn manifest_client_absent_by_default() {
1083 // A plain operator job (the overwhelming majority) carries no
1084 // `client:` block, so it never surfaces in the end-user
1085 // catalog.
1086 let yaml = r#"
1087id: echo-test
1088version: 0.0.1
1089execute:
1090 shell: powershell
1091 script: "echo 'kanade'"
1092 timeout: 30s
1093"#;
1094 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1095 assert!(m.client.is_none());
1096 m.validate().expect("operator-only job validates");
1097 }
1098
1099 #[test]
1100 fn manifest_client_parses_and_validates() {
1101 // The Client App "困ったとき" remediation job shape: a
1102 // user-invokable troubleshoot job with the end-user fields the
1103 // KLP `jobs.list` wire needs, grouped under `client:`.
1104 let yaml = r#"
1105id: fix-teams-cache
1106version: 1.0.0
1107execute:
1108 shell: powershell
1109 script: "echo clearing"
1110 timeout: 60s
1111client:
1112 name: "Teams のキャッシュをクリア"
1113 description: "Teams が重いときに試してください"
1114 category: troubleshoot
1115 icon: brush-cleaning
1116"#;
1117 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1118 let c = m.client.as_ref().expect("client block present");
1119 assert_eq!(c.name, "Teams のキャッシュをクリア");
1120 assert_eq!(
1121 c.description.as_deref(),
1122 Some("Teams が重いときに試してください")
1123 );
1124 assert_eq!(c.category, JobCategory::Troubleshoot);
1125 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
1126 m.validate().expect("user-invokable job validates");
1127 }
1128
1129 #[test]
1130 fn manifest_client_minimal_only_name_and_category() {
1131 // description + icon are optional; name + category are the
1132 // serde-required minimum.
1133 let yaml = r#"
1134id: install-slack
1135version: 1.0.0
1136execute:
1137 shell: powershell
1138 script: "echo install"
1139 timeout: 600s
1140client:
1141 name: Slack
1142 category: catalog
1143"#;
1144 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1145 let c = m.client.as_ref().expect("client present");
1146 assert_eq!(c.category, JobCategory::Catalog);
1147 assert!(c.description.is_none() && c.icon.is_none());
1148 m.validate().expect("minimal client validates");
1149 }
1150
1151 #[test]
1152 fn manifest_client_rejects_blank_name() {
1153 // serde guarantees `name`/`category` are present; the one gap
1154 // is a present-but-blank name → empty catalog row title.
1155 let yaml = r#"
1156id: j
1157version: 1.0.0
1158execute:
1159 shell: powershell
1160 script: "echo x"
1161 timeout: 30s
1162client:
1163 name: " "
1164 category: catalog
1165"#;
1166 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1167 let err = m.validate().expect_err("blank name must fail");
1168 assert!(err.contains("client.name"), "err: {err}");
1169 }
1170
1171 #[test]
1172 fn manifest_client_rejects_blank_optional_fields() {
1173 // description / icon are optional, but a present-but-blank
1174 // value is a bug (empty subtitle / dangling icon name) — reject
1175 // it, mirroring the check: block's troubleshoot guard.
1176 for (field, line) in [
1177 ("client.description", " description: \" \"\n"),
1178 ("client.icon", " icon: \"\"\n"),
1179 ] {
1180 let yaml = format!(
1181 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
1182 );
1183 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1184 let err = m.validate().expect_err("blank optional field must fail");
1185 assert!(err.contains(field), "expected {field} in err: {err}");
1186 }
1187 }
1188
1189 #[test]
1190 fn manifest_client_requires_category_at_parse() {
1191 // A `client:` block missing `category` is a hard parse error
1192 // (serde required field) — no manual validate() needed.
1193 let yaml = r#"
1194id: j
1195version: 1.0.0
1196execute:
1197 shell: powershell
1198 script: "echo x"
1199 timeout: 30s
1200client:
1201 name: "A job"
1202"#;
1203 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
1204 assert!(
1205 r.is_err(),
1206 "missing category must be a parse error, got {r:?}"
1207 );
1208 }
1209
1210 #[test]
1211 fn manifest_client_rejects_unknown_field() {
1212 // #492: the strict create boundary catches a fat-fingered
1213 // `displayname:` (with its path) instead of silently
1214 // dropping it; the tolerant read path accepts it.
1215 let yaml = r#"
1216id: j
1217version: 1.0.0
1218execute:
1219 shell: powershell
1220 script: "echo x"
1221 timeout: 30s
1222client:
1223 name: "A job"
1224 category: catalog
1225 displayname: oops
1226"#;
1227 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
1228 let err = r.expect_err("unknown client field must be rejected at the write boundary");
1229 // serde_ignored renders the Option layer as `?`:
1230 // `client.?.displayname`. Assert on the leaf key.
1231 assert!(err.contains("displayname"), "{err}");
1232 // The READ path tolerates the same payload (gradual-upgrade
1233 // contract: an old agent must accept a newer writer's field).
1234 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
1235 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
1236 }
1237
1238 #[test]
1239 fn manifest_tags_default_empty() {
1240 // The overwhelming majority of jobs carry no tags; the field
1241 // must default to an empty Vec (not fail to parse) and skip
1242 // serialisation so old readers never see the key.
1243 let yaml = r#"
1244id: echo-test
1245version: 0.0.1
1246execute:
1247 shell: powershell
1248 script: "echo 'kanade'"
1249 timeout: 30s
1250"#;
1251 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1252 assert!(m.tags.is_empty());
1253 m.validate().expect("tag-less job validates");
1254 // skip_serializing_if = empty ⇒ the key is absent from JSON.
1255 let json = serde_json::to_string(&m).expect("serialize");
1256 assert!(
1257 !json.contains("tags"),
1258 "empty tags must not serialise: {json}"
1259 );
1260 }
1261
1262 #[test]
1263 fn manifest_parses_and_validates_tags() {
1264 let yaml = r#"
1265id: check-bitlocker
1266version: 0.1.0
1267execute:
1268 shell: powershell
1269 script: "echo x"
1270 timeout: 30s
1271tags: [security, windows, health-check]
1272"#;
1273 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1274 assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
1275 m.validate().expect("tagged job validates");
1276 // Round-trips through JSON (the wire format the SPA reads).
1277 let json = serde_json::to_string(&m).expect("serialize");
1278 assert!(json.contains("\"tags\""), "non-empty tags must serialise");
1279 }
1280
1281 #[test]
1282 fn manifest_rejects_blank_tag() {
1283 // A whitespace-only tag renders an empty filter chip — reject
1284 // it at the write boundary like the other blank display fields.
1285 let yaml = r#"
1286id: j
1287version: 0.1.0
1288execute:
1289 shell: powershell
1290 script: "echo x"
1291 timeout: 30s
1292tags: [ok, " "]
1293"#;
1294 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1295 let err = m.validate().expect_err("blank tag must fail");
1296 assert!(err.contains("tags must not contain empty"), "err: {err}");
1297 }
1298
1299 fn execute_with(
1300 script: Option<&str>,
1301 script_file: Option<&str>,
1302 script_object: Option<&str>,
1303 ) -> Execute {
1304 Execute {
1305 shell: ExecuteShell::Powershell,
1306 script: script.map(str::to_owned),
1307 script_file: script_file.map(str::to_owned),
1308 script_object: script_object.map(str::to_owned),
1309 timeout: "30s".into(),
1310 run_as: RunAs::default(),
1311 cwd: None,
1312 }
1313 }
1314
1315 #[test]
1316 fn validate_accepts_inline_script() {
1317 let e = execute_with(Some("echo hi"), None, None);
1318 assert!(e.validate_script_source().is_ok());
1319 }
1320
1321 #[test]
1322 fn validate_accepts_script_file_alone() {
1323 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
1324 assert!(e.validate_script_source().is_ok());
1325 }
1326
1327 #[test]
1328 fn validate_accepts_script_object_alone() {
1329 let e = execute_with(None, None, Some("cleanup/1.0.0"));
1330 assert!(e.validate_script_source().is_ok());
1331 }
1332
1333 #[test]
1334 fn validate_treats_empty_inline_script_as_unset() {
1335 // `script: ""` + `script_object` set is the natural shape
1336 // when an operator comments out the YAML block-scalar body
1337 // but leaves the key. Should pass.
1338 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
1339 assert!(e.validate_script_source().is_ok());
1340 }
1341
1342 #[test]
1343 fn validate_rejects_zero_sources() {
1344 let e = execute_with(None, None, None);
1345 let err = e.validate_script_source().unwrap_err();
1346 assert!(err.contains("must be set"), "got: {err}");
1347 }
1348
1349 #[test]
1350 fn validate_rejects_empty_inline_only() {
1351 let e = execute_with(Some(""), None, None);
1352 let err = e.validate_script_source().unwrap_err();
1353 assert!(err.contains("must be set"), "got: {err}");
1354 }
1355
1356 #[test]
1357 fn validate_rejects_inline_plus_file() {
1358 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
1359 let err = e.validate_script_source().unwrap_err();
1360 assert!(err.contains("only one of"), "got: {err}");
1361 }
1362
1363 #[test]
1364 fn validate_rejects_inline_plus_object() {
1365 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
1366 let err = e.validate_script_source().unwrap_err();
1367 assert!(err.contains("only one of"), "got: {err}");
1368 }
1369
1370 #[test]
1371 fn validate_rejects_file_plus_object() {
1372 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
1373 let err = e.validate_script_source().unwrap_err();
1374 assert!(err.contains("only one of"), "got: {err}");
1375 }
1376
1377 #[test]
1378 fn validate_rejects_all_three() {
1379 let e = execute_with(
1380 Some("echo hi"),
1381 Some("scripts/cleanup.ps1"),
1382 Some("cleanup/1.0.0"),
1383 );
1384 let err = e.validate_script_source().unwrap_err();
1385 assert!(err.contains("only one of"), "got: {err}");
1386 }
1387
1388 #[test]
1389 fn manifest_deserialises_script_object_yaml() {
1390 // SPEC §2.4.1 example shape with the Object Store
1391 // reference picked over inline.
1392 let yaml = r#"
1393id: cleanup-disk-temp
1394version: 1.0.1
1395execute:
1396 shell: powershell
1397 script_object: cleanup-disk-temp/1.0.1
1398 timeout: 600s
1399"#;
1400 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1401 assert_eq!(
1402 m.execute.script_object.as_deref(),
1403 Some("cleanup-disk-temp/1.0.1")
1404 );
1405 assert!(m.execute.script.is_none());
1406 m.validate()
1407 .expect("script_object-only manifest passes validation");
1408 }
1409
1410 #[test]
1411 fn manifest_rejects_typo_in_script_field_name() {
1412 // #492: the strict create boundary catches `script_objectt`
1413 // and similar fat-fingers (with the full path) instead of
1414 // letting them silently fall through to "all three unset".
1415 let yaml = r#"
1416id: typo
1417version: 1.0.0
1418execute:
1419 shell: powershell
1420 script_objectt: oops
1421 timeout: 30s
1422"#;
1423 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
1424 .expect_err("typo'd execute field must be rejected at the write boundary");
1425 assert!(err.contains("execute.script_objectt"), "{err}");
1426 }
1427
1428 #[test]
1429 fn schedule_carries_target_and_rollout() {
1430 let yaml = r#"
1431id: hourly-cleanup-canary
1432when:
1433 per_pc: { every: 1h }
1434job_id: cleanup
1435enabled: true
1436target:
1437 groups: [canary, wave1]
1438jitter: 30s
1439rollout:
1440 strategy: wave
1441 waves:
1442 - { group: canary, delay: 0s }
1443 - { group: wave1, delay: 5s }
1444"#;
1445 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1446 assert_eq!(s.id, "hourly-cleanup-canary");
1447 assert_eq!(s.job_id, "cleanup");
1448 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
1449 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
1450 let rollout = s.plan.rollout.expect("rollout present");
1451 assert_eq!(rollout.waves.len(), 2);
1452 assert_eq!(rollout.waves[0].group, "canary");
1453 assert_eq!(rollout.waves[1].delay, "5s");
1454 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
1455 }
1456
1457 #[test]
1458 fn schedule_minimal_target_all() {
1459 let yaml = r#"
1460id: kitting
1461when:
1462 per_pc: once
1463enabled: true
1464job_id: scheduled-echo
1465target: { all: true }
1466"#;
1467 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1468 assert_eq!(s.id, "kitting");
1469 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
1470 assert!(s.enabled);
1471 assert_eq!(s.job_id, "scheduled-echo");
1472 assert!(s.plan.target.all);
1473 assert!(s.plan.rollout.is_none());
1474 assert!(s.plan.jitter.is_none());
1475 assert!(s.active.is_empty());
1476 }
1477
1478 #[test]
1479 fn schedule_enabled_defaults_to_true() {
1480 let yaml = r#"
1481id: x
1482when:
1483 per_pc: once
1484job_id: y
1485target: { all: true }
1486"#;
1487 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1488 assert!(s.enabled);
1489 }
1490
1491 #[test]
1492 fn schedule_tags_default_empty_and_skip_serialise() {
1493 let yaml = r#"
1494id: x
1495when:
1496 per_pc: once
1497job_id: y
1498target: { all: true }
1499"#;
1500 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1501 assert!(s.tags.is_empty());
1502 s.validate().expect("tag-less schedule validates");
1503 let json = serde_json::to_string(&s).expect("serialize");
1504 assert!(
1505 !json.contains("tags"),
1506 "empty tags must not serialise: {json}"
1507 );
1508 }
1509
1510 #[test]
1511 fn schedule_parses_and_validates_tags() {
1512 let yaml = r#"
1513id: weekly-cleanup
1514when:
1515 per_pc: { every: 1h }
1516job_id: cleanup
1517target: { all: true }
1518tags: [weekly, maintenance]
1519"#;
1520 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1521 assert_eq!(s.tags, vec!["weekly", "maintenance"]);
1522 s.validate().expect("tagged schedule validates");
1523 }
1524
1525 #[test]
1526 fn schedule_rejects_blank_tag() {
1527 let yaml = r#"
1528id: x
1529when:
1530 per_pc: once
1531job_id: y
1532target: { all: true }
1533tags: [ok, " "]
1534"#;
1535 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1536 let err = s.validate().expect_err("blank tag must fail");
1537 assert!(err.contains("tags must not contain empty"), "err: {err}");
1538 }
1539
1540 // ---- `when` parsing (#418 Phase 1) ----
1541
1542 fn schedule_yaml_with(when_block: &str) -> String {
1543 format!(
1544 r#"
1545id: x
1546when:
1547{when_block}
1548job_id: y
1549target: {{ all: true }}
1550"#
1551 )
1552 }
1553
1554 #[test]
1555 fn when_per_pc_every_parses_unquoted_humantime() {
1556 // `6h` is digit-led but non-numeric → YAML string, same as
1557 // the old `cooldown: 6h` convention. No quotes needed.
1558 let s: Schedule =
1559 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
1560 assert_eq!(
1561 s.when,
1562 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
1563 );
1564 }
1565
1566 #[test]
1567 fn when_per_target_every_parses() {
1568 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
1569 .expect("parse");
1570 assert_eq!(
1571 s.when,
1572 When::PerTarget(PerPolicy::Every(EverySpec {
1573 every: "24h".into()
1574 }))
1575 );
1576 }
1577
1578 #[test]
1579 fn when_per_target_once_parses() {
1580 // Falls out of the shared PerPolicy shape and decide_fire
1581 // already implements it ("any one pc succeeds → skip the
1582 // target forever"), so it is allowed, not rejected.
1583 let s: Schedule =
1584 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
1585 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
1586 }
1587
1588 #[test]
1589 fn when_calendar_time_parses() {
1590 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
1591 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
1592 ))
1593 .expect("parse");
1594 match &s.when {
1595 When::Calendar(c) => {
1596 assert_eq!(c.at, "09:00");
1597 assert_eq!(c.days, vec!["mon-fri"]);
1598 }
1599 other => panic!("expected calendar, got {other:?}"),
1600 }
1601 }
1602
1603 #[test]
1604 fn when_calendar_days_default_empty() {
1605 let s: Schedule =
1606 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
1607 .expect("parse");
1608 match &s.when {
1609 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
1610 other => panic!("expected calendar, got {other:?}"),
1611 }
1612 }
1613
1614 #[test]
1615 fn when_calendar_datetime_parses_all_separators() {
1616 // one-shot: date+time in hyphen / ISO-T / slash forms
1617 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
1618 let block = format!(" calendar:\n at: \"{at}\"");
1619 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
1620 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
1621 match &s.when {
1622 When::Calendar(c) => {
1623 use chrono::Datelike;
1624 let p = c.parse_at().expect("parse_at");
1625 let d = p.date.expect("datetime at carries a date");
1626 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
1627 }
1628 other => panic!("expected calendar, got {other:?}"),
1629 }
1630 }
1631 }
1632
1633 #[test]
1634 fn when_rejects_bad_once_keyword() {
1635 // `onec` must be a parse error, not a silently-absorbed
1636 // string (OnceLiteral is a single-variant enum for exactly
1637 // this reason).
1638 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
1639 assert!(r.is_err(), "expected parse error, got {r:?}");
1640 }
1641
1642 #[test]
1643 fn when_rejects_unknown_key_in_every() {
1644 // `{ evry: 6h }` still fails on the tolerant read path: the
1645 // required `every` key is missing, so no PerPolicy variant
1646 // matches (#492 removed deny_unknown_fields, but required
1647 // keys keep the untagged disambiguation honest).
1648 let r: Result<Schedule, _> =
1649 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
1650 assert!(r.is_err(), "expected parse error, got {r:?}");
1651 }
1652
1653 #[test]
1654 fn when_rejects_unknown_variant() {
1655 let r: Result<Schedule, _> =
1656 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
1657 assert!(r.is_err(), "expected parse error, got {r:?}");
1658 }
1659
1660 #[test]
1661 fn when_rejects_old_top_level_cron_field() {
1662 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
1663 // loudly (missing `when`), which is what turns stale KV
1664 // blobs into warn-skips after the upgrade.
1665 let yaml = r#"
1666id: x
1667cron: "* * * * * *"
1668job_id: y
1669target: { all: true }
1670"#;
1671 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
1672 assert!(r.is_err(), "expected parse error, got {r:?}");
1673 }
1674
1675 #[test]
1676 fn when_rejects_retired_cron_escape_hatch() {
1677 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
1678 // is now an unknown variant → parse error (operators use the
1679 // calendar form instead).
1680 let r: Result<Schedule, _> =
1681 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
1682 assert!(
1683 r.is_err(),
1684 "expected parse error for retired cron, got {r:?}"
1685 );
1686 }
1687
1688 #[test]
1689 fn when_round_trips_json_and_yaml() {
1690 // Round-trip through the full Schedule: that is the wire
1691 // unit for both stores (JSON catalog KV + YAML mirror), and
1692 // it exercises the singleton_map field attribute that keeps
1693 // serde_yaml on the map shape instead of `!per_pc` tags.
1694 for when in [
1695 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1696 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1697 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1698 When::PerTarget(PerPolicy::Every(EverySpec {
1699 every: "24h".into(),
1700 })),
1701 calendar("09:00", &["mon-fri"]),
1702 calendar("2026-06-10 09:00", &[]),
1703 When::On(vec![OnTrigger::Startup]),
1704 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
1705 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
1706 When::On(vec![OnTrigger::NetworkChange]),
1707 ] {
1708 // Event triggers are agent-only; the rest validate on backend.
1709 let runs_on = if matches!(when, When::On(_)) {
1710 RunsOn::Agent
1711 } else {
1712 RunsOn::Backend
1713 };
1714 let s = schedule_with(when.clone(), runs_on);
1715
1716 let json = serde_json::to_string(&s).expect("json serialise");
1717 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
1718 assert_eq!(back.when, when, "json round-trip for {when}");
1719
1720 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
1721 assert!(
1722 !yaml.contains('!'),
1723 "yaml must use the map shape, not tags: {yaml}"
1724 );
1725 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
1726 assert_eq!(back.when, when, "yaml round-trip for {when}");
1727 }
1728 }
1729
1730 #[test]
1731 fn when_once_serialises_as_bare_keyword() {
1732 // The wire shape operators see in the YAML mirror must stay
1733 // the ergonomic `per_pc: once`, not a one-variant map.
1734 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
1735 .expect("serialise");
1736 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
1737 }
1738
1739 #[test]
1740 fn when_displays_operator_summary() {
1741 for (when, expected) in [
1742 (
1743 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1744 "per_pc once",
1745 ),
1746 (
1747 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1748 "per_pc every 6h",
1749 ),
1750 (
1751 When::PerTarget(PerPolicy::Every(EverySpec {
1752 every: "24h".into(),
1753 })),
1754 "per_target every 24h",
1755 ),
1756 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
1757 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
1758 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
1759 (
1760 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
1761 "on [startup,logon]",
1762 ),
1763 (
1764 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
1765 "on [lock,unlock]",
1766 ),
1767 (
1768 When::On(vec![OnTrigger::NetworkChange]),
1769 "on [network_change]",
1770 ),
1771 ] {
1772 assert_eq!(when.to_string(), expected);
1773 }
1774 }
1775
1776 // ---- lowering (#418: when → engine vocabulary) ----
1777
1778 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
1779 Schedule {
1780 id: "x".into(),
1781 when,
1782 job_id: "y".into(),
1783 plan: FanoutPlan::default(),
1784 active: Active::default(),
1785 constraints: Constraints::default(),
1786 on_failure: OnFailure::default(),
1787 tz: ScheduleTz::default(),
1788 starting_deadline: None,
1789 runs_on,
1790 enabled: true,
1791 tags: Vec::new(),
1792 }
1793 }
1794
1795 fn calendar(at: &str, days: &[&str]) -> When {
1796 When::Calendar(CalendarSpec {
1797 at: at.into(),
1798 days: days.iter().map(|d| (*d).to_string()).collect(),
1799 })
1800 }
1801
1802 #[test]
1803 fn next_calendar_fire_returns_next_utc_occurrence() {
1804 use chrono::TimeZone;
1805 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
1806 // next strict occurrence is 09:00 that day.
1807 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
1808 s.tz = ScheduleTz::Utc;
1809 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
1810 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
1811 assert_eq!(
1812 next,
1813 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
1814 );
1815 }
1816
1817 #[test]
1818 fn next_calendar_fire_is_strictly_after_now() {
1819 use chrono::TimeZone;
1820 // Standing exactly on a fire instant must preview the *next*
1821 // one (inclusive = false), not the one firing right now.
1822 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
1823 s.tz = ScheduleTz::Utc;
1824 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
1825 let next = s
1826 .next_calendar_fire(on_fire)
1827 .expect("calendar has a next fire");
1828 assert_eq!(
1829 next,
1830 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
1831 );
1832 }
1833
1834 #[test]
1835 fn next_calendar_fire_none_for_reconcile_shapes() {
1836 // `per_pc` / `per_target` lower to the every-minute poll cron —
1837 // no discrete upcoming event to preview, so `None`.
1838 let now = chrono::Utc::now();
1839 for when in [
1840 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1841 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1842 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1843 When::PerTarget(PerPolicy::Every(EverySpec {
1844 every: "24h".into(),
1845 })),
1846 ] {
1847 let s = schedule_with(when, RunsOn::Backend);
1848 assert!(
1849 s.next_calendar_fire(now).is_none(),
1850 "reconcile shapes have no calendar fire",
1851 );
1852 }
1853 }
1854
1855 // ---- preview_fires (#418 dry-run / preview) ----
1856
1857 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
1858 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
1859 s.tz = ScheduleTz::Utc; // host-independent assertions
1860 s
1861 }
1862
1863 #[test]
1864 fn preview_lists_next_calendar_occurrences() {
1865 use chrono::TimeZone;
1866 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
1867 // fires skip the weekend (Sat 13 / Sun 14).
1868 let s = cal_utc("09:00", &["mon-fri"]);
1869 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1870 let got = s.preview_fires(now, 5);
1871 let want: Vec<_> = [
1872 (2026, 6, 10), // Wed
1873 (2026, 6, 11), // Thu
1874 (2026, 6, 12), // Fri
1875 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
1876 (2026, 6, 16), // Tue
1877 ]
1878 .iter()
1879 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
1880 .collect();
1881 assert_eq!(got, want);
1882 }
1883
1884 #[test]
1885 fn preview_handles_nth_and_last_weekday() {
1886 use chrono::TimeZone;
1887 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
1888 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
1889 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
1890 assert_eq!(
1891 nth,
1892 vec![
1893 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
1894 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
1895 ]
1896 );
1897 // Last Friday of the month: Jun 26, Jul 31 2026.
1898 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
1899 assert_eq!(
1900 last,
1901 vec![
1902 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
1903 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
1904 ]
1905 );
1906 }
1907
1908 #[test]
1909 fn preview_is_empty_for_reconcile_and_zero_count() {
1910 let now = chrono::Utc::now();
1911 // reconcile shapes have no discrete fire times
1912 let recon = schedule_with(
1913 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1914 RunsOn::Backend,
1915 );
1916 assert!(recon.preview_fires(now, 5).is_empty());
1917 // count == 0 yields nothing even for a calendar
1918 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
1919 }
1920
1921 #[test]
1922 fn preview_skips_outside_active_window() {
1923 use chrono::TimeZone;
1924 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
1925 // before `from` are skipped; `until` is exclusive, so 06-17's
1926 // fire is out — leaving exactly the 15th and 16th.
1927 let mut s = cal_utc("09:00", &[]);
1928 s.active = Active {
1929 from: Some("2026-06-15".into()),
1930 until: Some("2026-06-17".into()),
1931 };
1932 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1933 let got = s.preview_fires(now, 5);
1934 assert_eq!(
1935 got,
1936 vec![
1937 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
1938 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
1939 ]
1940 );
1941 }
1942
1943 #[test]
1944 fn preview_empty_when_calendar_time_outside_window() {
1945 use chrono::TimeZone;
1946 // Fires at 09:00 but the maintenance window is overnight — it can
1947 // never run, so the preview is empty (matches
1948 // `calendar_outside_window`), and the scan still terminates.
1949 let mut s = cal_utc("09:00", &[]);
1950 s.constraints = Constraints {
1951 window: Some("22:00-05:00".into()),
1952 ..Constraints::default()
1953 };
1954 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1955 assert!(s.preview_fires(now, 5).is_empty());
1956 // Every candidate tick is rejected, so this also exercises the
1957 // SCAN_CAP bound: a large `count` must still terminate (and
1958 // return empty) rather than spin (claude #578 review).
1959 assert!(s.preview_fires(now, 50).is_empty());
1960 }
1961
1962 #[test]
1963 fn preview_past_one_shot_is_empty() {
1964 use chrono::TimeZone;
1965 // A dated one-shot whose instant has passed never fires again.
1966 let s = cal_utc("2026-06-10 09:00", &[]);
1967 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
1968 assert!(s.preview_fires(now, 5).is_empty());
1969 // …but from before it, the single future fire shows up.
1970 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
1971 assert_eq!(
1972 s.preview_fires(before, 5),
1973 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
1974 );
1975 }
1976
1977 #[test]
1978 fn lowering_matches_the_418_table() {
1979 let cases = [
1980 (
1981 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1982 (POLL_CRON, ExecMode::OncePerPc, None),
1983 ),
1984 (
1985 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1986 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
1987 ),
1988 (
1989 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1990 (POLL_CRON, ExecMode::OncePerTarget, None),
1991 ),
1992 (
1993 When::PerTarget(PerPolicy::Every(EverySpec {
1994 every: "24h".into(),
1995 })),
1996 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
1997 ),
1998 // calendar repeating → 6-field cron
1999 (
2000 calendar("09:00", &["mon-fri"]),
2001 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
2002 ),
2003 // calendar daily (no days) → DOW *
2004 (
2005 calendar("18:30", &[]),
2006 ("0 30 18 * * *", ExecMode::EveryTick, None),
2007 ),
2008 // calendar one-shot → 7-field year cron
2009 (
2010 calendar("2026-06-10 09:00", &[]),
2011 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
2012 ),
2013 ];
2014 for (when, (cron, mode, cooldown)) in cases {
2015 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
2016 assert_eq!(l.cron, cron, "cron for {when}");
2017 assert_eq!(l.mode, mode, "mode for {when}");
2018 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
2019 }
2020 }
2021
2022 #[test]
2023 fn lowered_carries_schedule_tz() {
2024 for (tz, want) in [
2025 (ScheduleTz::Local, ScheduleTz::Local),
2026 (ScheduleTz::Utc, ScheduleTz::Utc),
2027 ] {
2028 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
2029 s.tz = tz;
2030 assert_eq!(s.lowered().tz, want, "calendar carries tz");
2031 // reconcile shapes carry tz too (for the active-window check)
2032 let mut s = schedule_with(
2033 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2034 RunsOn::Backend,
2035 );
2036 s.tz = tz;
2037 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
2038 }
2039 }
2040
2041 #[test]
2042 fn poll_cron_is_accepted_by_the_engine_parser() {
2043 // POLL_CRON is system-generated — if the engine's parser
2044 // ever rejected it every reconcile schedule would die at
2045 // register time. Validate it with the same croner config
2046 // (Seconds::Required, dom_and_dow, year optional).
2047 croner::parser::CronParser::builder()
2048 .seconds(croner::parser::Seconds::Required)
2049 .dom_and_dow(true)
2050 .build()
2051 .parse(POLL_CRON)
2052 .expect("POLL_CRON must parse");
2053 }
2054
2055 // ---- Schedule::validate() (#418 decision F) ----
2056
2057 #[test]
2058 fn validate_accepts_reconcile_shapes() {
2059 for when in [
2060 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2061 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2062 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2063 When::PerTarget(PerPolicy::Every(EverySpec {
2064 every: "24h".into(),
2065 })),
2066 ] {
2067 schedule_with(when.clone(), RunsOn::Backend)
2068 .validate()
2069 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
2070 }
2071 }
2072
2073 #[test]
2074 fn validate_accepts_per_pc_on_agent() {
2075 schedule_with(
2076 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
2077 RunsOn::Agent,
2078 )
2079 .validate()
2080 .expect("per_pc + agent is the offline-inventory shape");
2081 }
2082
2083 // ---- #418 event triggers (when: { on }) ----
2084
2085 #[test]
2086 fn validate_accepts_event_on_agent() {
2087 for triggers in [
2088 vec![OnTrigger::Startup],
2089 vec![OnTrigger::Logon],
2090 vec![OnTrigger::Lock],
2091 vec![OnTrigger::Unlock],
2092 vec![OnTrigger::NetworkChange],
2093 vec![
2094 OnTrigger::Startup,
2095 OnTrigger::Logon,
2096 OnTrigger::Lock,
2097 OnTrigger::Unlock,
2098 OnTrigger::NetworkChange,
2099 ],
2100 ] {
2101 schedule_with(When::On(triggers), RunsOn::Agent)
2102 .validate()
2103 .expect("when.on is valid on runs_on: agent");
2104 }
2105 }
2106
2107 #[test]
2108 fn validate_rejects_event_on_backend() {
2109 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
2110 .validate()
2111 .unwrap_err();
2112 assert!(err.contains("when.on"), "got: {err}");
2113 assert!(err.contains("runs_on: agent"), "got: {err}");
2114 }
2115
2116 #[test]
2117 fn validate_rejects_empty_event_list() {
2118 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
2119 .validate()
2120 .unwrap_err();
2121 assert!(err.contains("when.on"), "got: {err}");
2122 assert!(err.contains("at least one"), "got: {err}");
2123 }
2124
2125 #[test]
2126 fn event_schedule_lowers_to_event_mode_and_is_event() {
2127 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
2128 assert!(s.is_event());
2129 assert_eq!(s.lowered().mode, ExecMode::Event);
2130 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
2131 // non-event schedules report no triggers.
2132 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2133 assert!(!cal.is_event());
2134 assert!(cal.event_triggers().is_empty());
2135 }
2136
2137 // ---- #418 constraints.require (env gates) ----
2138
2139 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
2140 let mut s = schedule_with(
2141 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
2142 runs_on,
2143 );
2144 s.constraints.require = Some(req);
2145 s
2146 }
2147
2148 #[test]
2149 fn require_met_combinations() {
2150 use std::time::Duration;
2151 let idle = |m: u64| Some(Duration::from_secs(m * 60));
2152 // Builder for the sensed state: (ac, idle, cpu, network).
2153 let env = |ac, idle, cpu, net| EnvState {
2154 ac_online: ac,
2155 idle,
2156 cpu_pct: cpu,
2157 network_up: net,
2158 };
2159 // Empty require — always met regardless of sensed state.
2160 assert!(require_met(
2161 &Require::default(),
2162 &env(false, None, None, false)
2163 ));
2164 // ac_power: only on AC.
2165 let ac = Require {
2166 ac_power: true,
2167 ..Default::default()
2168 };
2169 assert!(!require_met(&ac, &env(false, None, None, true)));
2170 assert!(require_met(&ac, &env(true, None, None, false)));
2171 // idle: needs >= the configured min; None idle never satisfies.
2172 let idle10 = Require {
2173 idle: Some("10m".into()),
2174 ..Default::default()
2175 };
2176 assert!(!require_met(&idle10, &env(true, None, None, true)));
2177 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
2178 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
2179 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
2180 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
2181 let cpu20 = Require {
2182 cpu_below: Some(20.0),
2183 ..Default::default()
2184 };
2185 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
2186 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
2187 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
2188 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
2189 // network: only when online.
2190 let net = Require {
2191 network: true,
2192 ..Default::default()
2193 };
2194 assert!(!require_met(&net, &env(true, None, None, false))); // offline
2195 assert!(require_met(&net, &env(true, None, None, true))); // online
2196 // all four: AND.
2197 let all = Require {
2198 ac_power: true,
2199 idle: Some("10m".into()),
2200 cpu_below: Some(20.0),
2201 network: true,
2202 };
2203 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
2204 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
2205 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
2206 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
2207 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
2208 // An unparseable idle is treated as no-requirement by require_met
2209 // (validate rejects it at create time, so this only guards a
2210 // hand-edited blob): ac still gates.
2211 let bad = Require {
2212 ac_power: true,
2213 idle: Some("garbage".into()),
2214 ..Default::default()
2215 };
2216 assert!(require_met(&bad, &env(true, None, None, true)));
2217 assert!(!require_met(&bad, &env(false, None, None, true)));
2218 }
2219
2220 #[test]
2221 fn validate_accepts_and_rejects_cpu_below() {
2222 // In-range accepted.
2223 require_schedule(
2224 Require {
2225 cpu_below: Some(20.0),
2226 ..Default::default()
2227 },
2228 RunsOn::Agent,
2229 )
2230 .validate()
2231 .expect("cpu_below 20 is valid");
2232 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
2233 // 100%). Pins the inclusive upper bound against a future c < 100.0.
2234 require_schedule(
2235 Require {
2236 cpu_below: Some(100.0),
2237 ..Default::default()
2238 },
2239 RunsOn::Agent,
2240 )
2241 .validate()
2242 .expect("cpu_below 100 is valid");
2243 // Out of range rejected (0 and >100).
2244 for bad in [0.0, -5.0, 100.1] {
2245 let err = require_schedule(
2246 Require {
2247 cpu_below: Some(bad),
2248 ..Default::default()
2249 },
2250 RunsOn::Agent,
2251 )
2252 .validate()
2253 .unwrap_err();
2254 assert!(
2255 err.contains("constraints.require.cpu_below"),
2256 "cpu_below {bad}: {err}"
2257 );
2258 }
2259 }
2260
2261 #[test]
2262 fn validate_accepts_require_on_agent() {
2263 require_schedule(
2264 Require {
2265 ac_power: true,
2266 idle: Some("10m".into()),
2267 cpu_below: Some(20.0),
2268 network: true,
2269 },
2270 RunsOn::Agent,
2271 )
2272 .validate()
2273 .expect("constraints.require is valid on runs_on: agent");
2274 }
2275
2276 #[test]
2277 fn validate_rejects_require_on_backend() {
2278 let err = require_schedule(
2279 Require {
2280 ac_power: true,
2281 ..Default::default()
2282 },
2283 RunsOn::Backend,
2284 )
2285 .validate()
2286 .unwrap_err();
2287 assert!(err.contains("constraints.require"), "got: {err}");
2288 assert!(err.contains("runs_on: agent"), "got: {err}");
2289
2290 // An idle-only require (ac_power: false) is also non-empty
2291 // (is_empty folds the fields) and must reject on backend too —
2292 // guards against a regression in Require::is_empty.
2293 let err = require_schedule(
2294 Require {
2295 idle: Some("10m".into()),
2296 ..Default::default()
2297 },
2298 RunsOn::Backend,
2299 )
2300 .validate()
2301 .unwrap_err();
2302 assert!(
2303 err.contains("constraints.require"),
2304 "idle-only on backend: {err}"
2305 );
2306 }
2307
2308 #[test]
2309 fn validate_rejects_bad_require_idle() {
2310 let err = require_schedule(
2311 Require {
2312 idle: Some("not-a-duration".into()),
2313 ..Default::default()
2314 },
2315 RunsOn::Agent,
2316 )
2317 .validate()
2318 .unwrap_err();
2319 assert!(err.contains("constraints.require.idle"), "got: {err}");
2320 }
2321
2322 #[test]
2323 fn require_round_trips_and_skips_empty() {
2324 // ac_power: false is skipped; an all-default require nested in
2325 // constraints is omitted (is_empty folds it in).
2326 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
2327 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
2328 network: true } }\n";
2329 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2330 let req = s.constraints.require.as_ref().expect("require present");
2331 assert!(req.ac_power);
2332 assert_eq!(req.idle.as_deref(), Some("10m"));
2333 assert_eq!(req.cpu_below, Some(20.0));
2334 assert!(req.network);
2335 // Re-serialize: idle + cpu_below + network present, ac_power true.
2336 let back = serde_json::to_string(&s.constraints).unwrap();
2337 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
2338 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
2339 assert!(back.contains("\"network\":true"), "got: {back}");
2340 // An empty require is omitted entirely by is_empty.
2341 let mut empty = s.clone();
2342 empty.constraints.require = Some(Require::default());
2343 assert!(empty.constraints.is_empty());
2344 }
2345
2346 #[test]
2347 fn validate_rejects_per_target_on_agent() {
2348 let err = schedule_with(
2349 When::PerTarget(PerPolicy::Every(EverySpec {
2350 every: "24h".into(),
2351 })),
2352 RunsOn::Agent,
2353 )
2354 .validate()
2355 .unwrap_err();
2356 assert!(err.contains("per_target"), "got: {err}");
2357 assert!(err.contains("runs_on: agent"), "got: {err}");
2358
2359 // per_target: once is also backend-only.
2360 let err = schedule_with(
2361 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2362 RunsOn::Agent,
2363 )
2364 .validate()
2365 .unwrap_err();
2366 assert!(err.contains("per_target"), "got (once): {err}");
2367 assert!(err.contains("runs_on: agent"), "got (once): {err}");
2368 }
2369
2370 #[test]
2371 fn validate_rejects_bad_every_duration() {
2372 let err = schedule_with(
2373 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
2374 RunsOn::Backend,
2375 )
2376 .validate()
2377 .unwrap_err();
2378 assert!(err.contains("when.every"), "got: {err}");
2379 }
2380
2381 #[test]
2382 fn validate_rejects_bad_jitter_and_starting_deadline() {
2383 let mut s = schedule_with(
2384 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2385 RunsOn::Backend,
2386 );
2387 s.plan.jitter = Some("5x".into());
2388 let err = s.validate().unwrap_err();
2389 assert!(err.contains("jitter"), "got: {err}");
2390
2391 let mut s = schedule_with(
2392 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2393 RunsOn::Backend,
2394 );
2395 s.starting_deadline = Some("soon".into());
2396 let err = s.validate().unwrap_err();
2397 assert!(err.contains("starting_deadline"), "got: {err}");
2398 }
2399
2400 #[test]
2401 fn validate_accepts_calendar_shapes() {
2402 for when in [
2403 calendar("09:00", &["mon-fri"]), // weekday morning
2404 calendar("00:00", &["sun"]), // weekly
2405 calendar("18:30", &[]), // daily
2406 calendar("2026-06-10 09:00", &[]), // one-shot
2407 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
2408 ] {
2409 schedule_with(when.clone(), RunsOn::Backend)
2410 .validate()
2411 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
2412 }
2413 }
2414
2415 #[test]
2416 fn validate_rejects_bad_at() {
2417 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
2418 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
2419 .validate()
2420 .unwrap_err();
2421 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
2422 }
2423 }
2424
2425 #[test]
2426 fn validate_rejects_datetime_at_with_days() {
2427 // A dated `at` is a one-shot — pairing it with days is a
2428 // contradiction (the date already pins the day).
2429 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
2430 .validate()
2431 .unwrap_err();
2432 assert!(
2433 err.contains("one-shot") && err.contains("days"),
2434 "got: {err}"
2435 );
2436 }
2437
2438 #[test]
2439 fn validate_rejects_bad_day_name() {
2440 // A garbage DOW token is caught by the days pre-flight and
2441 // reported against `when.days`, not the confusing
2442 // "when.at lowered to invalid cron" (claude #432 review).
2443 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
2444 .validate()
2445 .unwrap_err();
2446 assert!(err.contains("when.days"), "got: {err}");
2447 assert!(err.contains("funday"), "names the bad token: {err}");
2448 // a degenerate range like `mon-` reports the whole token, not
2449 // a cryptic empty part (claude #432 follow-up)
2450 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
2451 .validate()
2452 .unwrap_err();
2453 assert!(err.contains("'mon-'"), "names the whole token: {err}");
2454 // valid names / ranges / numeric / * all pass
2455 for ok in [
2456 calendar("09:00", &["mon-fri"]),
2457 calendar("09:00", &["mon", "wed", "sun"]),
2458 calendar("09:00", &["1-5"]),
2459 ] {
2460 schedule_with(ok.clone(), RunsOn::Backend)
2461 .validate()
2462 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2463 }
2464 }
2465
2466 #[test]
2467 fn validate_accepts_nth_weekday() {
2468 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
2469 // a cron and parses it with croner, so passing here proves the
2470 // whole chain — token → DOW field → engine-acceptable cron.
2471 for ok in [
2472 calendar("09:00", &["tue#2"]), // 2nd Tuesday
2473 calendar("09:00", &["fri#1"]), // 1st Friday
2474 calendar("03:00", &["sun#5"]), // 5th Sunday
2475 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
2476 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
2477 // Case-insensitive both sides: validate lowercases, croner
2478 // upper-cases the whole pattern before aliasing (claude #547).
2479 calendar("09:00", &["TUE#2"]),
2480 ] {
2481 schedule_with(ok.clone(), RunsOn::Backend)
2482 .validate()
2483 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2484 }
2485 }
2486
2487 #[test]
2488 fn validate_rejects_bad_nth_weekday() {
2489 // ordinal out of 1..5, a range with #, and a bad day before #.
2490 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
2491 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2492 .validate()
2493 .unwrap_err();
2494 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2495 }
2496 }
2497
2498 #[test]
2499 fn validate_accepts_last_weekday() {
2500 // #418: last-weekday (`friL` = last Friday). Like the nth case,
2501 // validate() lowers to a cron and round-trips it through croner,
2502 // so passing proves token → DOW field → engine-acceptable cron
2503 // with the verified last-<dow>-of-month semantics.
2504 for ok in [
2505 calendar("09:00", &["friL"]), // last Friday
2506 calendar("03:00", &["sunL"]), // last Sunday
2507 calendar("22:00", &["5L"]), // numeric DOW + last
2508 calendar("00:00", &["0L"]), // numeric Sunday (0…
2509 calendar("00:00", &["7L"]), // …and its 7 alias)
2510 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
2511 // Case-insensitive both the weekday and the `L` suffix:
2512 // validate lowercases the day, croner upper-cases the whole
2513 // pattern before aliasing (claude #547).
2514 calendar("09:00", &["FRIL"]),
2515 calendar("09:00", &["fril"]),
2516 ] {
2517 schedule_with(ok.clone(), RunsOn::Backend)
2518 .validate()
2519 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2520 }
2521 }
2522
2523 #[test]
2524 fn validate_rejects_bad_last_weekday() {
2525 // bare `L` (no weekday — a footgun croner reads as Saturday), a
2526 // range with L, a bad day before L, and an internal space that
2527 // would otherwise leak a malformed cron downstream (gemini #560).
2528 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
2529 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2530 .validate()
2531 .unwrap_err();
2532 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2533 }
2534 }
2535
2536 #[test]
2537 fn calendar_oneshot_instant_detects_past() {
2538 use chrono::TimeZone;
2539 // a dated `at` resolves to an absolute instant…
2540 let c = CalendarSpec {
2541 at: "2024-01-01 09:00".into(),
2542 days: vec![],
2543 };
2544 let t = c
2545 .oneshot_instant(ScheduleTz::Utc)
2546 .expect("one-shot instant");
2547 assert_eq!(
2548 t,
2549 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
2550 );
2551 assert!(t < chrono::Utc::now(), "2024 is in the past");
2552 // …while a repeating (time-only) calendar has no instant
2553 let rep = CalendarSpec {
2554 at: "09:00".into(),
2555 days: vec!["mon-fri".into()],
2556 };
2557 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
2558 }
2559
2560 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
2561 let mut s = schedule_with(
2562 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2563 RunsOn::Backend,
2564 );
2565 s.active = Active {
2566 from: from.map(str::to_owned),
2567 until: until.map(str::to_owned),
2568 };
2569 s
2570 }
2571
2572 #[test]
2573 fn validate_accepts_active_window() {
2574 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
2575 .validate()
2576 .expect("date + rfc3339 bounds should validate");
2577 }
2578
2579 #[test]
2580 fn validate_rejects_unparseable_active_bound() {
2581 let err = schedule_with_active(Some("July 1st"), None)
2582 .validate()
2583 .unwrap_err();
2584 assert!(err.contains("active"), "got: {err}");
2585 }
2586
2587 #[test]
2588 fn validate_rejects_from_not_before_until() {
2589 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
2590 .validate()
2591 .unwrap_err();
2592 assert!(err.contains("strictly before"), "got: {err}");
2593
2594 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
2595 .validate()
2596 .unwrap_err();
2597 assert!(err.contains("strictly before"), "got: {err}");
2598 }
2599
2600 // ---- Active window semantics ----
2601
2602 #[test]
2603 fn active_window_is_half_open() {
2604 use chrono::TimeZone;
2605 let active = Active {
2606 from: Some("2026-07-01".into()),
2607 until: Some("2026-08-01".into()),
2608 };
2609 // UTC tz so the date bounds are UTC midnight.
2610 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
2611 let c = |t| active.contains(t, ScheduleTz::Utc);
2612 assert!(!c(at(2026, 6, 30, 23)), "before from");
2613 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
2614 assert!(c(at(2026, 7, 15, 12)), "inside");
2615 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
2616 assert!(!c(at(2026, 8, 2, 0)), "after until");
2617 }
2618
2619 #[test]
2620 fn active_empty_window_is_always_active() {
2621 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
2622 }
2623
2624 #[test]
2625 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
2626 use chrono::TimeZone;
2627 let active = Active {
2628 from: Some("2026-07-01T09:00:00+09:00".into()),
2629 until: None,
2630 };
2631 // RFC3339 carries its own offset → tz arg is ignored.
2632 // 09:00 JST = 00:00 UTC.
2633 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
2634 assert!(
2635 !active.contains(
2636 chrono::Utc
2637 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
2638 .unwrap(),
2639 tz
2640 )
2641 );
2642 assert!(active.contains(
2643 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
2644 tz
2645 ));
2646 }
2647 }
2648
2649 #[test]
2650 fn active_date_bound_respects_tz() {
2651 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
2652 // tz* (#418 Phase 2). The UTC interpretation is exact and
2653 // host-independent; assert that precisely.
2654 use chrono::TimeZone;
2655 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
2656 assert_eq!(
2657 utc,
2658 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
2659 );
2660
2661 // The local interpretation must equal what chrono::Local
2662 // computes for the same wall-clock midnight — proves the tz
2663 // path is wired to the host zone (the magnitude vs UTC is
2664 // host-dependent, so we compare against Local directly rather
2665 // than hard-coding the JST offset, keeping CI green on UTC
2666 // runners).
2667 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
2668 let want = chrono::Local
2669 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
2670 .single()
2671 .expect("local midnight is unambiguous")
2672 .with_timezone(&chrono::Utc);
2673 assert_eq!(local, want, "date bound resolved in host-local tz");
2674 }
2675
2676 #[test]
2677 fn active_empty_is_skipped_when_serialising() {
2678 let s = schedule_with(
2679 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2680 RunsOn::Backend,
2681 );
2682 let json = serde_json::to_value(&s).expect("serialise");
2683 assert!(
2684 json.get("active").is_none(),
2685 "empty active must not appear on the wire: {json}"
2686 );
2687 }
2688
2689 // ---- constraints.window (#418 Phase 3) ----
2690
2691 fn with_window(win: &str) -> Schedule {
2692 let mut s = schedule_with(
2693 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2694 RunsOn::Backend,
2695 );
2696 s.constraints.window = Some(win.into());
2697 s
2698 }
2699
2700 #[test]
2701 fn constraints_window_parses_and_round_trips() {
2702 let yaml = r#"
2703id: x
2704when:
2705 per_pc: { every: 6h }
2706job_id: y
2707target: { all: true }
2708constraints:
2709 window: "22:00-05:00"
2710"#;
2711 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2712 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
2713 let back: Schedule =
2714 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
2715 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
2716 }
2717
2718 #[test]
2719 fn constraints_empty_is_skipped_when_serialising() {
2720 let s = schedule_with(
2721 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2722 RunsOn::Backend,
2723 );
2724 let json = serde_json::to_value(&s).expect("serialise");
2725 assert!(
2726 json.get("constraints").is_none(),
2727 "empty constraints must not appear on the wire: {json}"
2728 );
2729 }
2730
2731 #[test]
2732 fn window_no_constraint_always_allows() {
2733 let c = Constraints::default();
2734 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
2735 }
2736
2737 #[test]
2738 fn window_same_day_is_half_open() {
2739 use chrono::TimeZone;
2740 let s = with_window("09:00-17:00");
2741 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2742 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2743 assert!(!a(at(8, 59)), "before start");
2744 assert!(a(at(9, 0)), "at start (inclusive)");
2745 assert!(a(at(16, 59)), "inside");
2746 assert!(!a(at(17, 0)), "at end (exclusive)");
2747 assert!(!a(at(23, 0)), "after end");
2748 }
2749
2750 #[test]
2751 fn window_crossing_midnight() {
2752 use chrono::TimeZone;
2753 let s = with_window("22:00-05:00");
2754 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2755 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2756 assert!(a(at(22, 0)), "at start tonight");
2757 assert!(a(at(23, 30)), "late tonight");
2758 assert!(a(at(3, 0)), "early tomorrow");
2759 assert!(!a(at(5, 0)), "at end (exclusive)");
2760 assert!(!a(at(12, 0)), "midday outside");
2761 assert!(!a(at(21, 59)), "just before start");
2762 }
2763
2764 #[test]
2765 fn window_respects_tz() {
2766 // The same instant is inside the window under one tz and may
2767 // be outside under another. Compare UTC vs Local via the
2768 // host's own offset (kept CI-green on UTC runners like the
2769 // active tz test does).
2770 use chrono::TimeZone;
2771 let s = with_window("09:00-17:00");
2772 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
2773 // Under UTC, 12:00 is inside 09:00-17:00.
2774 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
2775 // Under Local, the verdict tracks the host wall-clock time;
2776 // assert it matches a direct wall_time membership check.
2777 let local_t = noon_utc.with_timezone(&chrono::Local).time();
2778 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
2779 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
2780 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
2781 }
2782
2783 #[test]
2784 fn validate_accepts_good_window() {
2785 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
2786 with_window(w)
2787 .validate()
2788 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
2789 }
2790 }
2791
2792 #[test]
2793 fn validate_rejects_bad_window() {
2794 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
2795 let err = with_window(bad).validate().unwrap_err();
2796 assert!(
2797 err.contains("constraints.window"),
2798 "for '{bad}', got: {err}"
2799 );
2800 }
2801 }
2802
2803 // ---- constraints.skip_dates (#418 holiday exclusion) ----
2804
2805 fn with_skip_dates(dates: &[&str]) -> Schedule {
2806 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2807 s.tz = ScheduleTz::Utc; // host-independent date assertions
2808 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
2809 s
2810 }
2811
2812 #[test]
2813 fn allows_blocks_listed_skip_date() {
2814 use chrono::TimeZone;
2815 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
2816 // Any time on a listed date is blocked (whole day).
2817 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
2818 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
2819 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
2820 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
2821 // A date not in the list fires normally.
2822 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
2823 assert!(s.constraints.allows(off, ScheduleTz::Utc));
2824 }
2825
2826 #[test]
2827 fn allows_corrupt_skip_date_fails_closed() {
2828 use chrono::TimeZone;
2829 // A garbled entry (only reachable via hand-edited KV) blocks
2830 // rather than silently re-enabling fires — same posture as a
2831 // corrupt window.
2832 let s = with_skip_dates(&["not-a-date"]);
2833 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
2834 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
2835 }
2836
2837 #[test]
2838 fn validate_accepts_good_skip_dates() {
2839 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
2840 .validate()
2841 .expect("well-formed skip dates should validate");
2842 }
2843
2844 #[test]
2845 fn validate_rejects_bad_skip_date() {
2846 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
2847 let err = with_skip_dates(&[bad]).validate().unwrap_err();
2848 assert!(
2849 err.contains("constraints.skip_dates"),
2850 "for '{bad}', got: {err}"
2851 );
2852 }
2853 }
2854
2855 #[test]
2856 fn preview_skips_holidays() {
2857 use chrono::TimeZone;
2858 // Daily 09:00 with two of the next five days marked as holidays
2859 // — preview drops exactly those, since it gates on `allows`.
2860 let mut s = cal_utc("09:00", &[]);
2861 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
2862 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2863 let got = s.preview_fires(now, 4);
2864 let want: Vec<_> = [
2865 (2026, 6, 10),
2866 (2026, 6, 12), // skips 06-11
2867 (2026, 6, 14), // skips 06-13
2868 (2026, 6, 15),
2869 ]
2870 .iter()
2871 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
2872 .collect();
2873 assert_eq!(got, want);
2874 }
2875
2876 // ---- constraints.max_concurrent (#418) ----
2877
2878 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
2879 let mut s = schedule_with(
2880 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2881 runs_on,
2882 );
2883 s.constraints.max_concurrent = Some(max);
2884 s
2885 }
2886
2887 #[test]
2888 fn validate_accepts_backend_max_concurrent() {
2889 with_max_concurrent(5, RunsOn::Backend)
2890 .validate()
2891 .expect("backend max_concurrent should validate");
2892 }
2893
2894 #[test]
2895 fn validate_rejects_max_concurrent_on_agent() {
2896 // Decision E: a central running-instance cap needs a central
2897 // counter, which agents don't have.
2898 let err = with_max_concurrent(5, RunsOn::Agent)
2899 .validate()
2900 .unwrap_err();
2901 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
2902 assert!(err.contains("runs_on: agent"), "got: {err}");
2903 }
2904
2905 #[test]
2906 fn validate_rejects_zero_max_concurrent() {
2907 let err = with_max_concurrent(0, RunsOn::Backend)
2908 .validate()
2909 .unwrap_err();
2910 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
2911 }
2912
2913 #[test]
2914 fn max_concurrent_round_trips_and_skips_when_absent() {
2915 let s = with_max_concurrent(3, RunsOn::Backend);
2916 let json = serde_json::to_value(&s.constraints).expect("ser");
2917 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
2918 // A schedule with no constraints omits the whole block.
2919 let bare = schedule_with(
2920 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2921 RunsOn::Backend,
2922 );
2923 assert!(bare.constraints.is_empty());
2924 }
2925
2926 #[test]
2927 fn window_fail_closed_on_corrupt_blob() {
2928 // A malformed window (only reachable via a hand-edited KV
2929 // blob — validate() rejects it at create) must BLOCK, not
2930 // silently allow fires during a change-freeze (gemini #452).
2931 let s = with_window("22:00_05:00");
2932 assert!(
2933 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
2934 "corrupt window fails closed"
2935 );
2936 // …and the scheduler can surface why it's stuck.
2937 assert!(
2938 s.bad_window().is_some(),
2939 "bad_window reports the parse error"
2940 );
2941 assert!(with_window("22:00-05:00").bad_window().is_none());
2942 }
2943
2944 #[test]
2945 fn calendar_outside_window_is_flagged() {
2946 // at 09:00 can never fall in 22:00-05:00 → never fires.
2947 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
2948 s.constraints.window = Some("22:00-05:00".into());
2949 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
2950
2951 // at 23:00 IS inside the overnight window → fine.
2952 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
2953 s.constraints.window = Some("22:00-05:00".into());
2954 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
2955
2956 // reconcile shapes are never flagged (they poll every minute).
2957 let mut s = schedule_with(
2958 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2959 RunsOn::Backend,
2960 );
2961 s.constraints.window = Some("22:00-05:00".into());
2962 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
2963
2964 // no window → never flagged.
2965 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2966 assert!(!s.calendar_outside_window());
2967 }
2968
2969 // ---- on_failure.retry (#418 Phase 4) ----
2970
2971 fn with_retry(max: u32, backoff: &str) -> Schedule {
2972 let mut s = schedule_with(
2973 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2974 RunsOn::Backend,
2975 );
2976 s.on_failure.retry = Some(Retry {
2977 max,
2978 backoff: backoff.into(),
2979 });
2980 s
2981 }
2982
2983 #[test]
2984 fn on_failure_parses_and_round_trips() {
2985 let yaml = r#"
2986id: x
2987when:
2988 per_pc: { every: 6h }
2989job_id: y
2990target: { all: true }
2991on_failure:
2992 retry: { max: 3, backoff: 10m }
2993"#;
2994 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2995 let r = s.on_failure.retry.as_ref().expect("retry present");
2996 assert_eq!(r.max, 3);
2997 assert_eq!(r.backoff, "10m");
2998 let back: Schedule =
2999 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
3000 assert_eq!(back.on_failure, s.on_failure);
3001 }
3002
3003 #[test]
3004 fn on_failure_empty_is_skipped_when_serialising() {
3005 let s = schedule_with(
3006 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3007 RunsOn::Backend,
3008 );
3009 let json = serde_json::to_value(&s).expect("serialise");
3010 assert!(
3011 json.get("on_failure").is_none(),
3012 "empty on_failure must not appear on the wire: {json}"
3013 );
3014 }
3015
3016 #[test]
3017 fn validate_accepts_good_retry() {
3018 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
3019 with_retry(max, backoff)
3020 .validate()
3021 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
3022 }
3023 }
3024
3025 #[test]
3026 fn validate_rejects_bad_backoff() {
3027 let err = with_retry(3, "soon").validate().unwrap_err();
3028 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
3029 }
3030
3031 #[test]
3032 fn validate_rejects_sub_second_backoff() {
3033 // "500ms" parses as humantime but lowers to 0s on the wire —
3034 // reject it so the operator doesn't get a silent no-wait
3035 // (coderabbit #466).
3036 for bad in ["500ms", "0s", "999ms"] {
3037 let err = with_retry(3, bad).validate().unwrap_err();
3038 assert!(
3039 err.contains("on_failure.retry.backoff must be >= 1s"),
3040 "for '{bad}', got: {err}"
3041 );
3042 }
3043 }
3044
3045 #[test]
3046 fn validate_rejects_out_of_range_max() {
3047 for bad in [0u32, 11, 1000] {
3048 let err = with_retry(bad, "10m").validate().unwrap_err();
3049 assert!(
3050 err.contains("on_failure.retry.max"),
3051 "for max={bad}, got: {err}"
3052 );
3053 }
3054 }
3055
3056 #[test]
3057 fn lowered_retry_reduces_backoff_to_seconds() {
3058 let s = with_retry(3, "10m");
3059 let spec = s.on_failure.lowered_retry().expect("a retry policy");
3060 assert_eq!(spec.max, 3);
3061 assert_eq!(spec.backoff_secs, 600);
3062 }
3063
3064 #[test]
3065 fn lowered_retry_is_none_without_policy() {
3066 let s = schedule_with(
3067 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3068 RunsOn::Backend,
3069 );
3070 assert!(s.on_failure.lowered_retry().is_none());
3071 }
3072
3073 // ---- global change-freeze (#418 Phase 5) ----
3074
3075 #[test]
3076 fn freeze_empty_window_is_always_active() {
3077 // The big-red-button shape: no bounds = frozen until cleared.
3078 let f = Freeze::default();
3079 assert!(f.is_active(chrono::Utc::now()));
3080 }
3081
3082 #[test]
3083 fn freeze_window_is_half_open() {
3084 use chrono::TimeZone;
3085 let f = Freeze {
3086 from: Some("2026-12-20T00:00:00+00:00".into()),
3087 until: Some("2027-01-05T00:00:00+00:00".into()),
3088 reason: Some("year-end".into()),
3089 tz: ScheduleTz::Utc,
3090 };
3091 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
3092 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
3093 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
3094 assert!(f.is_active(at(2026, 12, 31)), "inside window");
3095 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
3096 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
3097 }
3098
3099 #[test]
3100 fn freeze_fails_closed_on_corrupt_bound() {
3101 // A freeze is a safety switch: an unparseable bound (only
3102 // reachable via a hand-edited KV blob) must read as FROZEN, not
3103 // "fire normally" (coderabbit #472) — the opposite of `active`,
3104 // which fail-opens.
3105 let f = Freeze {
3106 from: Some("not-a-date".into()),
3107 until: None,
3108 reason: None,
3109 tz: ScheduleTz::Utc,
3110 };
3111 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
3112 }
3113
3114 #[test]
3115 fn freeze_validate_accepts_good_bounds() {
3116 Freeze {
3117 from: Some("2026-12-20".into()),
3118 until: Some("2027-01-05T12:00:00+09:00".into()),
3119 reason: None,
3120 tz: ScheduleTz::Local,
3121 }
3122 .validate()
3123 .expect("date + rfc3339 bounds should validate");
3124 // Empty (indefinite) freeze is valid.
3125 Freeze::default().validate().expect("empty freeze is valid");
3126 }
3127
3128 #[test]
3129 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
3130 let err = Freeze {
3131 from: Some("never".into()),
3132 ..Default::default()
3133 }
3134 .validate()
3135 .unwrap_err();
3136 assert!(err.contains("freeze:"), "got: {err}");
3137
3138 let inverted = Freeze {
3139 from: Some("2027-01-05".into()),
3140 until: Some("2026-12-20".into()),
3141 ..Default::default()
3142 }
3143 .validate()
3144 .unwrap_err();
3145 assert!(inverted.contains("freeze.from"), "got: {inverted}");
3146 }
3147
3148 #[test]
3149 fn freeze_round_trips_and_skips_empty_fields() {
3150 let f = Freeze {
3151 from: None,
3152 until: Some("2027-01-05".into()),
3153 reason: Some("INC-1234".into()),
3154 tz: ScheduleTz::Utc,
3155 };
3156 let json = serde_json::to_value(&f).expect("serialise");
3157 assert!(json.get("from").is_none(), "empty from omitted: {json}");
3158 let back: Freeze = serde_json::from_value(json).expect("round-trip");
3159 assert_eq!(back, f);
3160 }
3161
3162 #[test]
3163 fn shipped_schedule_configs_parse_and_validate() {
3164 // Every YAML under configs/schedules/ must parse with the
3165 // current Schedule serde AND pass validate() — keeps the
3166 // shipped examples from drifting out of sync with the model
3167 // (#418 removed back-compat, so drift = broken at create).
3168 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
3169 let mut seen = 0;
3170 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
3171 let path = entry.expect("dir entry").path();
3172 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
3173 continue;
3174 }
3175 let body = std::fs::read_to_string(&path).expect("read yaml");
3176 let s: Schedule = serde_yaml::from_str(&body)
3177 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
3178 s.validate()
3179 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
3180 seen += 1;
3181 }
3182 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
3183 }
3184
3185 // ---- pre-existing enum wire formats (unchanged by #418) ----
3186
3187 #[test]
3188 fn exec_mode_serialises_snake_case() {
3189 for (mode, expected) in [
3190 (ExecMode::EveryTick, "every_tick"),
3191 (ExecMode::OncePerPc, "once_per_pc"),
3192 (ExecMode::OncePerTarget, "once_per_target"),
3193 ] {
3194 let s = serde_json::to_value(mode).expect("serialise");
3195 assert_eq!(s, serde_json::Value::String(expected.into()));
3196 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
3197 .expect("deserialise");
3198 assert_eq!(back, mode, "round-trip for {expected}");
3199 }
3200 }
3201
3202 #[test]
3203 fn schedule_runs_on_defaults_to_backend() {
3204 let yaml = r#"
3205id: x
3206when:
3207 per_pc: once
3208job_id: y
3209target: { all: true }
3210"#;
3211 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3212 assert_eq!(s.runs_on, RunsOn::Backend);
3213 }
3214
3215 #[test]
3216 fn schedule_runs_on_agent_parses() {
3217 let yaml = r#"
3218id: offline-inv
3219when:
3220 per_pc: { every: 1h }
3221job_id: inventory-hw
3222target: { all: true }
3223runs_on: agent
3224"#;
3225 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3226 assert_eq!(s.runs_on, RunsOn::Agent);
3227 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
3228 }
3229
3230 #[test]
3231 fn runs_on_serialises_snake_case() {
3232 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
3233 let s = serde_json::to_value(mode).expect("serialise");
3234 assert_eq!(s, serde_json::Value::String(expected.into()));
3235 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
3236 .expect("deserialise");
3237 assert_eq!(back, mode);
3238 }
3239 }
3240
3241 #[test]
3242 fn execute_shell_into_wire_shell() {
3243 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
3244 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
3245 }
3246
3247 #[test]
3248 fn manifest_staleness_defaults_to_cached() {
3249 let yaml = r#"
3250id: x
3251version: 1.0.0
3252execute:
3253 shell: powershell
3254 script: "echo"
3255 timeout: 1s
3256"#;
3257 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3258 assert_eq!(m.staleness, Staleness::Cached);
3259 }
3260
3261 #[test]
3262 fn manifest_strict_staleness_parses() {
3263 let yaml = r#"
3264id: urgent-patch
3265version: 2.5.1
3266execute:
3267 shell: powershell
3268 script: Install-Hotfix
3269 timeout: 5m
3270staleness:
3271 mode: strict
3272 max_cache_age: 0s
3273"#;
3274 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3275 match m.staleness {
3276 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
3277 other => panic!("expected strict, got {other:?}"),
3278 }
3279 }
3280
3281 #[test]
3282 fn manifest_unchecked_staleness_parses() {
3283 let yaml = r#"
3284id: legacy
3285version: 0.1.0
3286execute:
3287 shell: cmd
3288 script: "echo"
3289 timeout: 1s
3290staleness:
3291 mode: unchecked
3292"#;
3293 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3294 assert_eq!(m.staleness, Staleness::Unchecked);
3295 }
3296
3297 #[test]
3298 fn missing_required_field_errors() {
3299 // `id` missing.
3300 let yaml = r#"
3301version: 1.0.0
3302target: { all: true }
3303execute:
3304 shell: powershell
3305 script: "echo"
3306 timeout: 1s
3307"#;
3308 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
3309 assert!(r.is_err(), "expected error, got {:?}", r);
3310 }
3311
3312 #[test]
3313 fn display_field_table_kind_round_trips_with_nested_columns() {
3314 // #39: `type: table` + `columns:` on a DisplayField gets
3315 // round-tripped through serde so the SPA receives the
3316 // nested schema verbatim. Nested columns themselves are
3317 // DisplayFields so they can carry `type: bytes` /
3318 // `type: number` for cell formatting.
3319 let yaml = r#"
3320id: inv-hw
3321version: 1.0.0
3322execute:
3323 shell: powershell
3324 script: "echo"
3325 timeout: 60s
3326inventory:
3327 display:
3328 - field: hostname
3329 label: Hostname
3330 - field: disks
3331 label: Disks
3332 type: table
3333 columns:
3334 - field: device_id
3335 label: Drive
3336 - field: size_bytes
3337 label: Size
3338 type: bytes
3339 - field: free_bytes
3340 label: Free
3341 type: bytes
3342 - field: file_system
3343 label: FS
3344"#;
3345 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3346 let inv = m.inventory.as_ref().expect("inventory hint");
3347 let disks = inv
3348 .display
3349 .iter()
3350 .find(|d| d.field == "disks")
3351 .expect("disks display row");
3352 assert_eq!(disks.kind.as_deref(), Some("table"));
3353 let cols = disks.columns.as_ref().expect("table needs columns");
3354 assert_eq!(cols.len(), 4);
3355 assert_eq!(cols[1].field, "size_bytes");
3356 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
3357 }
3358
3359 #[test]
3360 fn display_field_scalar_kind_keeps_columns_none() {
3361 // Defensive: when type is a scalar (`bytes` / `number` /
3362 // `timestamp`) the `columns` field stays None — the SPA
3363 // uses its presence as the "render nested table" signal,
3364 // so it must not leak in via serde defaults.
3365 let yaml = r#"
3366id: x
3367version: 1.0.0
3368execute:
3369 shell: powershell
3370 script: "echo"
3371 timeout: 5s
3372inventory:
3373 display:
3374 - { field: ram_bytes, label: RAM, type: bytes }
3375"#;
3376 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3377 let inv = m.inventory.as_ref().unwrap();
3378 assert!(inv.display[0].columns.is_none());
3379 }
3380
3381 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
3382
3383 /// The JSON Schemas under `docs/schemas/` must match what
3384 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
3385 /// so a `Schedule` / `Manifest` field change can't silently drift
3386 /// the operator-facing schema. The SPA editor, the backend
3387 /// `/api/schemas/*` endpoints, and these files all read the same
3388 /// derived shape; this test fails CI if the checked-in copy lags.
3389 /// Regenerate with:
3390 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
3391 #[test]
3392 fn schema_files_are_current() {
3393 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
3394 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
3395 }
3396
3397 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
3398 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
3399 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
3400 .join("../../docs/schemas")
3401 .join(name);
3402 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
3403 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
3404 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
3405 return;
3406 }
3407 // Normalize CRLF→LF before comparing: `.gitattributes` already
3408 // pins these files to `eol=lf`, but a stray CRLF working-tree
3409 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
3410 // freshness check into a confusing line-ending failure — that's
3411 // .gitattributes' job, not this test's (gemini #588).
3412 let on_disk = std::fs::read_to_string(&path)
3413 .unwrap_or_else(|e| {
3414 panic!(
3415 "read {path:?}: {e}\n\
3416 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3417 )
3418 })
3419 .replace("\r\n", "\n");
3420 assert_eq!(
3421 on_disk, generated,
3422 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
3423 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3424 );
3425 }
3426}
3427
3428/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
3429/// (target + optional rollout + optional jitter) inline; the
3430/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
3431/// script body. Two schedules of the same job can target different
3432/// groups on different cadences without copying the manifest.
3433///
3434/// #418 Phase 1: the cadence is the single [`When`] field. The old
3435/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
3436/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
3437/// are warn-skipped; re-`schedule create` to upgrade them). The
3438/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
3439/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
3440/// `decide_fire` always ran on.
3441#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
3442pub struct Schedule {
3443 pub id: String,
3444 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
3445 /// or a calendar time trigger (`at` / `days`). See [`When`].
3446 ///
3447 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
3448 /// enums as `!per_pc` YAML tags by default; this keeps the
3449 /// operator-facing map shape (`when: { per_pc: once }`). JSON
3450 /// output is identical either way, and the schemars schema
3451 /// (external tagging = oneOf of single-key objects) already
3452 /// matches the singleton-map wire shape.
3453 #[serde(with = "serde_yaml::with::singleton_map")]
3454 #[schemars(with = "When")]
3455 pub when: When,
3456 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
3457 /// Manifest's `id`.
3458 pub job_id: String,
3459 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
3460 /// carry these any more — same job + different fanout = different
3461 /// schedule.
3462 #[serde(flatten)]
3463 pub plan: FanoutPlan,
3464 /// Optional validity window. Outside `[from, until)` the
3465 /// schedule is dormant — still registered, still visible, but
3466 /// every tick is skipped (deleted ≠ dormant: a campaign that
3467 /// ended stays inspectable and can be re-armed by editing the
3468 /// window). Checked at tick time on both the backend scheduler
3469 /// and the agent's local scheduler.
3470 #[serde(default, skip_serializing_if = "Active::is_empty")]
3471 pub active: Active,
3472 /// #418 operational constraints gating *when within an active
3473 /// period* a fire may happen: a maintenance `window`, a fleet
3474 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
3475 /// wall-clock ones are evaluated in the schedule's `tz`; future
3476 /// `require` (env gates) lands in the same namespace. Checked at
3477 /// tick time on both schedulers (and surfaced by `preview`).
3478 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
3479 pub constraints: Constraints,
3480 /// #418 Phase 4: what to do after a fire's script comes back
3481 /// failed. Currently just `retry` (fixed-backoff in-process
3482 /// re-run); future `notify` / `disable` join the same namespace.
3483 /// Applied fire-side in `handle_command` (the retry policy is
3484 /// lowered onto every Command this schedule produces), so it
3485 /// covers both `runs_on` locations.
3486 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
3487 pub on_failure: OnFailure,
3488 /// #418 Phase 2: the timezone this schedule's wall-clock fields
3489 /// are evaluated in — both the calendar `at` firing time AND the
3490 /// `active.{from,until}` window bounds. `local` (default) = the
3491 /// running host's TZ (the agent's for `runs_on: agent`, the
3492 /// backend server's otherwise); `utc` for TZ-independent
3493 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
3494 /// for firing (poll cron runs every minute regardless) but still
3495 /// honor it for the `active` window.
3496 #[serde(default)]
3497 pub tz: ScheduleTz,
3498 /// v0.22: optional humantime window after a cron tick during
3499 /// which the Command is still considered "live". The scheduler
3500 /// computes `tick_at + starting_deadline` and stamps it onto
3501 /// each Command as `deadline_at`; agents skip Commands they
3502 /// receive after that absolute time. `None` (default) = no
3503 /// deadline, meaning a Command queued in the broker / stream
3504 /// during agent downtime runs whenever the agent reconnects —
3505 /// good for kitting / inventory / cleanup. Set this for
3506 /// time-of-day notifications, lunch reminders, etc., where
3507 /// "fire 3 hours late" would be wrong.
3508 #[serde(default, skip_serializing_if = "Option::is_none")]
3509 pub starting_deadline: Option<String>,
3510 /// v0.23: where does the cron tick happen? `Backend` (default,
3511 /// historical) = backend's scheduler fires Commands via NATS;
3512 /// agents passively receive. `Agent` = each targeted agent runs
3513 /// its own internal cron and fires locally, so the schedule
3514 /// keeps ticking even when the broker is unreachable (laptop on
3515 /// the train, broker maintenance window, full WAN outage). The
3516 /// two locations are mutually exclusive — when `Agent`, the
3517 /// backend scheduler stays out and just keeps the definition in
3518 /// KV for agents to read.
3519 #[serde(default)]
3520 pub runs_on: RunsOn,
3521 #[serde(default = "default_true")]
3522 pub enabled: bool,
3523 /// Free-form operator taxonomy for the Schedules page — the
3524 /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
3525 /// code ref rather than an intra-doc link, since that field isn't
3526 /// on this branch until #640 merges). Purely a SPA-side
3527 /// organisational aid (search / filter chips alongside the
3528 /// id-prefix grouping); the scheduler never reads it, so any
3529 /// string is allowed and it carries no firing semantics. A
3530 /// schedule's own tags are independent of its job's: the same job
3531 /// may back a `weekly` maintenance schedule and a `canary` rollout
3532 /// schedule. Empty by default and `skip_serializing_if`-elided per
3533 /// the #492 gradual-upgrade wire rule.
3534 #[serde(default, skip_serializing_if = "Vec::is_empty")]
3535 pub tags: Vec<String>,
3536}
3537
3538/// v0.23 — where the cron tick fires from.
3539#[derive(
3540 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3541)]
3542#[serde(rename_all = "snake_case")]
3543pub enum RunsOn {
3544 /// Backend's central scheduler ticks and publishes Commands to
3545 /// NATS. Historical default, what every pre-v0.23 schedule
3546 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
3547 /// reconnects ⇒ catch-up via [`command_replay`](crate)
3548 /// (see kanade-agent's command_replay module).
3549 #[default]
3550 Backend,
3551 /// Each targeted agent runs the cron tick locally. Survives
3552 /// broker / WAN outages. Best for laptops / mobile devices that
3553 /// roam off the corporate network. Agent must be online for the
3554 /// initial schedule + job-catalog pull, but once cached the
3555 /// agent fires the script standalone.
3556 Agent,
3557}
3558
3559/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
3560#[derive(
3561 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3562)]
3563#[serde(rename_all = "snake_case")]
3564pub enum ExecMode {
3565 /// Fire on every cron tick at the whole target. Historical
3566 /// (pre-v0.19) behavior; no dedup.
3567 #[default]
3568 EveryTick,
3569 /// Fire at each pc until that pc succeeds; then skip it until
3570 /// the optional cooldown elapses (or forever if no cooldown).
3571 /// Use for kitting / first-boot / per-pc compliance checks.
3572 OncePerPc,
3573 /// Fire at the whole target until **any** pc succeeds; then
3574 /// skip the whole target until the optional cooldown elapses
3575 /// (or forever if no cooldown). Use for "one delegate is
3576 /// enough" tasks like license check-in.
3577 OncePerTarget,
3578 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
3579 /// no cron — the agent fires it from an OS event source (boot /
3580 /// session-change), not a tick — so the scheduler skips
3581 /// `tokio-cron` registration for it. Each event occurrence fires
3582 /// once, gated by the standard freeze / active / window /
3583 /// skip_dates checks.
3584 Event,
3585}
3586
3587/// #418 Phase 1 — the single "when does this fire" axis.
3588///
3589/// Replaces the old `cron` + `mode` + `cooldown` trio whose
3590/// interactions were implicit (cron doubled as both a real
3591/// time-of-day trigger and a reconcile poll period; contradictory
3592/// combinations silently no-opped). Two shapes:
3593///
3594/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
3595/// pc (or one delegate) should have run this within `every`".
3596/// The poll period is system-generated ([`POLL_CRON`], every
3597/// minute) and no longer the operator's concern.
3598/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
3599/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
3600/// the whole target at the given time, no dedup. `at: "09:00"` +
3601/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
3602/// exactly once. Evaluated in the schedule's top-level `tz`.
3603#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3604#[serde(rename_all = "snake_case")]
3605pub enum When {
3606 /// Fire at each targeted pc: `once` (kitting — succeed once,
3607 /// skip forever, forever catching brand-new / re-imaged pcs)
3608 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
3609 /// the interval).
3610 PerPc(PerPolicy),
3611 /// Fire until **any** one pc of the target succeeds, then skip
3612 /// the whole target (`once`) or re-arm after `every`. Needs
3613 /// fleet-wide completion data, so it is backend-only —
3614 /// `runs_on: agent` + `per_target` is rejected by
3615 /// [`Schedule::validate`].
3616 PerTarget(PerPolicy),
3617 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
3618 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
3619 /// the whole target at that wall-clock time in the schedule's
3620 /// `tz` — no dedup, no cooldown.
3621 Calendar(CalendarSpec),
3622 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
3623 /// Fires when the agent observes the listed OS event(s) rather than
3624 /// on a clock — there is no cron. `runs_on: agent` only (the agent
3625 /// owns the event source); [`Schedule::validate`] rejects it on
3626 /// `backend` and rejects an empty list. Each event occurrence fires
3627 /// once, gated by the same freeze / active / `constraints.window` /
3628 /// `skip_dates` checks as the cron path. `startup` fires once per OS
3629 /// boot (deduped via the host boot time); a `starting_deadline`, if
3630 /// set, limits it to "agent came up within that long after boot".
3631 On(Vec<OnTrigger>),
3632}
3633
3634/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
3635#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
3636#[serde(rename_all = "snake_case")]
3637pub enum OnTrigger {
3638 /// Once per OS boot (the agent's first run for that boot). Catches
3639 /// freshly-imaged / reinstalled hosts at their next startup.
3640 Startup,
3641 /// On an interactive-session user logon — console, RDP, or
3642 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
3643 /// service / network / batch logons (no interactive session).
3644 Logon,
3645 /// When the workstation is locked (Win+L / idle lock; Windows
3646 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
3647 Lock,
3648 /// When the workstation is unlocked — the user returns to a locked
3649 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
3650 /// compliance / refresh state when work resumes.
3651 Unlock,
3652 /// When the host's network changes — IP address table change on
3653 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
3654 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
3655 /// from one transition fires once after the network settles), so
3656 /// use it for "re-check connectivity / re-register on network move"
3657 /// rather than expecting one fire per raw adapter event.
3658 ///
3659 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
3660 /// transition that touches only IPv6 addresses won't fire. In practice
3661 /// dual-stack networks change both tables together, but a pure-IPv6
3662 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
3663 NetworkChange,
3664}
3665
3666/// Calendar time trigger (#418 Phase 2). `at` is either a time of
3667/// day (`"HH:MM"`, repeating — combine with `days`) or a full
3668/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
3669/// never again). Evaluated in the schedule's top-level `tz`.
3670#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3671pub struct CalendarSpec {
3672 /// `"HH:MM"` (24h) for a repeating trigger, or
3673 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
3674 /// accepted) for a one-shot. Parsed lazily —
3675 /// [`Schedule::validate`] rejects garbage at create time.
3676 pub at: String,
3677 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
3678 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
3679 /// field, so ranges and names both work). An **nth-weekday**
3680 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
3681 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
3682 /// `["friL"]` fires only on the last Friday of each month (handy
3683 /// for monthly maintenance). Empty = every day. Must be empty
3684 /// when `at` carries a date (the date already pins the day).
3685 #[serde(default, skip_serializing_if = "Vec::is_empty")]
3686 pub days: Vec<String>,
3687}
3688
3689/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
3690/// date for a one-shot (`None` = repeating time-of-day).
3691struct ParsedAt {
3692 minute: u32,
3693 hour: u32,
3694 date: Option<chrono::NaiveDate>,
3695}
3696
3697impl CalendarSpec {
3698 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
3699 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
3700 fn parse_at(&self) -> Result<ParsedAt, String> {
3701 use chrono::Timelike;
3702 let s = self.at.trim();
3703 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
3704 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
3705 return Ok(ParsedAt {
3706 minute: dt.minute(),
3707 hour: dt.hour(),
3708 date: Some(dt.date()),
3709 });
3710 }
3711 }
3712 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
3713 return Ok(ParsedAt {
3714 minute: t.minute(),
3715 hour: t.hour(),
3716 date: None,
3717 });
3718 }
3719 Err(format!(
3720 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
3721 self.at
3722 ))
3723 }
3724
3725 /// Pre-flight check on the `days` tokens so a bad day name gives
3726 /// a `when.days:`-scoped error instead of croner's confusing
3727 /// "when.at lowered to invalid cron" (claude #432 review). Each
3728 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
3729 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
3730 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
3731 /// **last-weekday** like `friL` (last Friday of the month).
3732 fn validate_days(&self) -> Result<(), String> {
3733 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
3734 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
3735 for tok in &self.days {
3736 // Report the whole token on a malformed range like `mon-`
3737 // (which would otherwise split to a cryptic empty part —
3738 // claude #432 follow-up).
3739 let invalid = |reason: &str| {
3740 Err(format!(
3741 "when.days: invalid day token '{tok}' ({reason}; \
3742 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
3743 like tue#2, a last-weekday like friL, or *)"
3744 ))
3745 };
3746 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
3747 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
3748 // `to_cron` passes the token through verbatim, so the
3749 // engine fires only on that occurrence. It's a single
3750 // weekday + ordinal — not combinable with a range.
3751 if let Some((day_part, nth_part)) = tok.split_once('#') {
3752 // Normalize once and use `d` consistently (gemini #547);
3753 // the outer `invalid` already echoes the raw `tok`.
3754 let d = day_part.trim().to_ascii_lowercase();
3755 if d.contains('-') || !is_day(&d) {
3756 return invalid("the part before # must be a single weekday");
3757 }
3758 match nth_part.trim().parse::<u8>() {
3759 Ok(n) if (1..=5).contains(&n) => {}
3760 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
3761 }
3762 continue;
3763 }
3764 // #418: last-weekday suffix (`friL` = last Friday of the
3765 // month — the monthly-maintenance sibling of Patch Tuesday).
3766 // Croner accepts `<dow>L` in the DOW field with verified
3767 // last-<dow>-of-month semantics, and `to_cron` passes it
3768 // through verbatim. A single weekday + `L` — bare `L` and
3769 // ranges are rejected (croner would read bare `L` as
3770 // Saturday, which is a confusing footgun).
3771 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
3772 // No `.trim()`: a cron DOW token can't carry internal
3773 // whitespace, so `"fri L"` must be *rejected* here (its
3774 // strip leaves `"fri "`, and `is_day` catches the space)
3775 // rather than trimmed into a clean `"fri"` that then
3776 // produces a malformed `fri L` cron downstream and a
3777 // confusing croner error (gemini #560).
3778 let d = day_part.to_ascii_lowercase();
3779 if d.is_empty() {
3780 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
3781 }
3782 if d.contains('-') || !is_day(&d) {
3783 return invalid(
3784 "the part before L must be a single weekday (e.g. friL = last Friday)",
3785 );
3786 }
3787 continue;
3788 }
3789 for part in tok.split('-') {
3790 let p = part.trim().to_ascii_lowercase();
3791 if p.is_empty() {
3792 return invalid("empty range bound");
3793 }
3794 if p != "*" && !is_day(&p) {
3795 return invalid(&format!("'{part}' is not a day"));
3796 }
3797 }
3798 }
3799 Ok(())
3800 }
3801
3802 /// For a one-shot (`at` carries a date), the absolute instant it
3803 /// fires in `tz`. `None` for a repeating calendar. Used to warn
3804 /// about a one-shot whose date is already in the past (it would
3805 /// never fire).
3806 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
3807 let p = self.parse_at().ok()?;
3808 let date = p.date?;
3809 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
3810 tz.naive_to_utc(naive)
3811 }
3812
3813 /// The wall-clock time-of-day this calendar fires at (`None` if
3814 /// `at` is unparseable — validate() guards that). Used to detect
3815 /// a calendar whose fire time can never fall inside its
3816 /// `constraints.window` (claude #452 review).
3817 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
3818 let p = self.parse_at().ok()?;
3819 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
3820 }
3821
3822 /// Lower to the cron string the scheduler engine runs. Repeating
3823 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
3824 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
3825 /// fires — that's what makes it one-shot).
3826 fn to_cron(&self) -> Result<String, String> {
3827 use chrono::Datelike;
3828 let ParsedAt { minute, hour, date } = self.parse_at()?;
3829 match date {
3830 Some(d) => {
3831 if !self.days.is_empty() {
3832 return Err(
3833 "when.at with a date is a one-shot and cannot be combined with days".into(),
3834 );
3835 }
3836 Ok(format!(
3837 "0 {minute} {hour} {} {} * {}",
3838 d.day(),
3839 d.month(),
3840 d.year()
3841 ))
3842 }
3843 None => {
3844 let dow = if self.days.is_empty() {
3845 "*".to_string()
3846 } else {
3847 self.validate_days()?;
3848 self.days.join(",")
3849 };
3850 Ok(format!("0 {minute} {hour} * * {dow}"))
3851 }
3852 }
3853 }
3854}
3855
3856/// The timezone a schedule's wall-clock fields (`when.at`,
3857/// `active.{from,until}`) are evaluated in (#418 Phase 2).
3858#[derive(
3859 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3860)]
3861#[serde(rename_all = "snake_case")]
3862pub enum ScheduleTz {
3863 /// The running host's local timezone — the agent's for
3864 /// `runs_on: agent`, the backend server's otherwise. Default.
3865 #[default]
3866 Local,
3867 /// UTC — for timezone-independent schedules.
3868 Utc,
3869}
3870
3871impl ScheduleTz {
3872 /// Interpret a naive (zoneless) datetime as being in this tz and
3873 /// convert to UTC. On a DST *fold* (the local time occurs twice
3874 /// when clocks go back) we pick `.earliest()` rather than
3875 /// rejecting it; `None` is reserved for a true DST *gap* (a local
3876 /// time that never exists). `Utc` is fixed-offset so neither ever
3877 /// happens; `Local` is whatever timezone the running host is set
3878 /// to and *can* hit a gap/fold on any DST-observing host — not
3879 /// just the JST we run today (gemini + claude #432 review).
3880 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
3881 use chrono::TimeZone;
3882 match self {
3883 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
3884 naive,
3885 chrono::Utc,
3886 )),
3887 ScheduleTz::Local => chrono::Local
3888 .from_local_datetime(&naive)
3889 .earliest()
3890 .map(|dt| dt.with_timezone(&chrono::Utc)),
3891 }
3892 }
3893
3894 /// The wall-clock time-of-day `now` reads as in this tz — used by
3895 /// [`Constraints::allows`] to test a maintenance window
3896 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
3897 /// running host's local time.
3898 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
3899 match self {
3900 ScheduleTz::Utc => now.time(),
3901 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
3902 }
3903 }
3904
3905 /// The wall-clock *date* `now` reads as in this tz — used by
3906 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
3907 /// exclusion). Same tz semantics as [`Self::wall_time`].
3908 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
3909 match self {
3910 ScheduleTz::Utc => now.date_naive(),
3911 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
3912 }
3913 }
3914
3915 /// Stable lowercase wire/display label (`local` / `utc`) — matches
3916 /// the serde `snake_case` representation. Used for the preview
3917 /// response's `tz` field so the JSON shape isn't coupled to the
3918 /// `Debug` repr (claude #578 review).
3919 pub fn as_str(self) -> &'static str {
3920 match self {
3921 ScheduleTz::Local => "local",
3922 ScheduleTz::Utc => "utc",
3923 }
3924 }
3925}
3926
3927impl std::fmt::Display for ScheduleTz {
3928 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3929 f.write_str(self.as_str())
3930 }
3931}
3932
3933/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
3934/// `per_target`. Untagged so the YAML stays the bare keyword or a
3935/// one-key map, nothing more ceremonial.
3936#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3937#[serde(untagged)]
3938pub enum PerPolicy {
3939 /// The bare string `once`: succeed once, then skip permanently
3940 /// (cooldown = infinity).
3941 Once(OnceLiteral),
3942 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
3943 Every(EverySpec),
3944}
3945
3946/// Single-variant enum so serde accepts exactly the string `once`
3947/// (a free-form `String` would swallow typos like `onec`).
3948#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
3949#[serde(rename_all = "snake_case")]
3950pub enum OnceLiteral {
3951 Once,
3952}
3953
3954/// `{ every: <humantime> }`. Standalone struct (not an inline
3955/// struct variant). `{ evry: 6h }` still fails to parse (the
3956/// required `every` key is missing), and the create boundaries
3957/// reject the unknown `evry` via [`crate::strict`] with its path —
3958/// while agents reading a future writer's extra fields tolerate
3959/// them (#492).
3960#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3961pub struct EverySpec {
3962 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
3963 /// [`Schedule::validate`] rejects garbage at create time.
3964 pub every: String,
3965}
3966
3967impl PerPolicy {
3968 /// The cooldown this policy lowers to: `once` = `None`
3969 /// (permanent skip), `every` = the interval.
3970 fn cooldown(&self) -> Option<String> {
3971 match self {
3972 PerPolicy::Once(_) => None,
3973 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
3974 }
3975 }
3976}
3977
3978impl std::fmt::Display for When {
3979 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
3980 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
3981 /// lines, audit payloads and the API's `ScheduleSummary`.
3982 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
3983 let policy = |p: &PerPolicy| match p {
3984 PerPolicy::Once(_) => "once".to_string(),
3985 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
3986 };
3987 match self {
3988 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
3989 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
3990 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
3991 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
3992 When::On(triggers) => {
3993 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
3994 write!(f, "on [{}]", names.join(","))
3995 }
3996 }
3997 }
3998}
3999
4000impl OnTrigger {
4001 /// Lowercase wire/display label (matches the serde `snake_case`).
4002 pub fn as_str(self) -> &'static str {
4003 match self {
4004 OnTrigger::Startup => "startup",
4005 OnTrigger::Logon => "logon",
4006 OnTrigger::Lock => "lock",
4007 OnTrigger::Unlock => "unlock",
4008 OnTrigger::NetworkChange => "network_change",
4009 }
4010 }
4011}
4012
4013/// Optional validity window for a [`Schedule`] (#418 decision G).
4014/// Half-open `[from, until)`; either bound may be omitted. Bounds
4015/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
4016/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
4017/// strings so the JSON Schema the SPA editor consumes stays two
4018/// plain string fields, mirroring `jitter` / `starting_deadline`.
4019///
4020/// #418 Phase 2: bounds are evaluated in the schedule's top-level
4021/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
4022/// calendar `at` AND the `active` window local — one consistent
4023/// timezone per schedule.
4024#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4025pub struct Active {
4026 /// Dormant before this instant.
4027 #[serde(default, skip_serializing_if = "Option::is_none")]
4028 pub from: Option<String>,
4029 /// Dormant from this instant on (exclusive).
4030 #[serde(default, skip_serializing_if = "Option::is_none")]
4031 pub until: Option<String>,
4032}
4033
4034impl Active {
4035 /// `skip_serializing_if` helper — an empty window means "always
4036 /// active" and is omitted from the wire format entirely.
4037 pub fn is_empty(&self) -> bool {
4038 self.from.is_none() && self.until.is_none()
4039 }
4040
4041 /// Parse one bound: RFC3339 first (offset honored, `tz`
4042 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
4043 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
4044 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
4045 return Ok(dt.with_timezone(&chrono::Utc));
4046 }
4047 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
4048 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
4049 return tz.naive_to_utc(midnight).ok_or_else(|| {
4050 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
4051 });
4052 }
4053 Err(format!(
4054 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
4055 ))
4056 }
4057
4058 /// Is `now` inside the window? Unparseable bounds are treated
4059 /// as absent here (fail-open) — [`Schedule::validate`] is the
4060 /// place that rejects them loudly; this runs on every tick and
4061 /// must never panic on a stale KV blob.
4062 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
4063 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
4064 if bound(&self.from).is_some_and(|from| now < from) {
4065 return false;
4066 }
4067 if bound(&self.until).is_some_and(|until| now >= until) {
4068 return false;
4069 }
4070 true
4071 }
4072}
4073
4074/// Host-environment gate (#418 `constraints.require`). Fire only when
4075/// the target host is in the required state. Sensed **in-process by the
4076/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
4077/// read a target host's power/idle state ([`Schedule::validate`]
4078/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
4079///
4080/// Evaluated at fire time as a skip-this-tick gate (NOT in
4081/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
4082/// cadence re-checks every minute (so it effectively defers until the
4083/// state is met — the intended pairing); a `calendar` fire that lands
4084/// while the state is unmet is simply missed, same as `window`. It is
4085/// therefore a *runtime* gate and does not appear in `preview`.
4086// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
4087#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
4088pub struct Require {
4089 /// Fire only while on **AC power** (skip on battery). Reads
4090 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
4091 /// as not-on-AC (fail-closed — a restrictive gate must not fire
4092 /// when it can't confirm the condition). `false` (default) = no
4093 /// power requirement.
4094 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
4095 pub ac_power: bool,
4096 /// Fire only when the active console session has had **no keyboard /
4097 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
4098 /// "don't run while the user is actively working". Input-based
4099 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
4100 /// headless / disconnected console (no interactive user) trivially
4101 /// satisfies it. `None` (default) = no idle requirement. Parsed
4102 /// lazily; [`Schedule::validate`] rejects garbage at create time.
4103 #[serde(default, skip_serializing_if = "Option::is_none")]
4104 pub idle: Option<String>,
4105 /// Fire only when the **whole-machine CPU usage is below this
4106 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
4107 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
4108 /// sample (`sysinfo` mean over cores), so the reading is up to one
4109 /// `host_perf` cadence old (default 60s) — fine as a "generally
4110 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
4111 /// needs two samples). An unavailable sample (host_perf not warmed
4112 /// up yet, or stale) is treated as "not below" (fail-closed — a
4113 /// restrictive gate must not fire when it can't confirm). `None`
4114 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
4115 /// out-of-range value at create time.
4116 #[serde(default, skip_serializing_if = "Option::is_none")]
4117 pub cpu_below: Option<f64>,
4118 /// Fire only when the host has **internet connectivity** (Windows
4119 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
4120 /// until online" for jobs that download / phone home. A captive
4121 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
4122 /// unknown/unreadable state is treated as offline (fail-closed) — a
4123 /// portal would just fail a download, so we hold the run. For VPN /
4124 /// SASE / app-specific conditions, use a custom script gate (separate
4125 /// slice). `false` (default) = no network requirement.
4126 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
4127 pub network: bool,
4128}
4129
4130impl Require {
4131 /// `skip_serializing_if` helper for an embedded empty `require`.
4132 pub fn is_empty(&self) -> bool {
4133 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
4134 }
4135
4136 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
4137 /// unparseable value — `validate` rejects the latter at create time).
4138 pub fn min_idle(&self) -> Option<std::time::Duration> {
4139 self.idle
4140 .as_deref()
4141 .and_then(|s| humantime::parse_duration(s.trim()).ok())
4142 }
4143
4144 /// First unparseable field for create-time rejection (mirrors
4145 /// [`Constraints::bad_skip_date`]).
4146 pub fn bad_idle(&self) -> Option<String> {
4147 self.idle.as_deref().and_then(|s| {
4148 humantime::parse_duration(s.trim())
4149 .err()
4150 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
4151 })
4152 }
4153}
4154
4155/// Host-environment state sensed by the agent, fed to [`require_met`].
4156/// A named struct (not positional args) so the growing set of sensed
4157/// signals — several of them `bool` — can't be transposed at a call
4158/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
4159#[derive(Debug, Clone, Copy, Default)]
4160pub struct EnvState {
4161 /// Is the host on AC power (`false` if on battery or unreadable).
4162 pub ac_online: bool,
4163 /// How long the console has been idle (`None` = couldn't determine).
4164 pub idle: Option<std::time::Duration>,
4165 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
4166 pub cpu_pct: Option<f64>,
4167 /// Does the host have internet connectivity (`false` if offline /
4168 /// LAN-only / unreadable).
4169 pub network_up: bool,
4170}
4171
4172/// Pure env-gate decision (#418 `constraints.require`). The Win32
4173/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
4174/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
4175/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
4176/// pure and `preview` never evaluates a runtime gate. Each set
4177/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
4178pub fn require_met(req: &Require, env: &EnvState) -> bool {
4179 if req.ac_power && !env.ac_online {
4180 return false;
4181 }
4182 if let Some(min) = req.min_idle() {
4183 match env.idle {
4184 Some(d) if d >= min => {}
4185 _ => return false,
4186 }
4187 }
4188 if let Some(max) = req.cpu_below {
4189 match env.cpu_pct {
4190 Some(p) if p < max => {}
4191 _ => return false,
4192 }
4193 }
4194 if req.network && !env.network_up {
4195 return false;
4196 }
4197 true
4198}
4199
4200/// [`Active`] decides *over what date range* a schedule is live,
4201/// `Constraints` decides *when, within an active period,* a fire is
4202/// allowed: `window` (a maintenance time-of-day window),
4203/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
4204/// (holiday exclusion) and `require` (host-environment gates, agent-only
4205/// — see [`Require`]).
4206// No `Eq`: contains `require: Option<Require>` which holds an f64.
4207#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
4208pub struct Constraints {
4209 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
4210 /// `tz`). Fires outside it are skipped — mainly for reconcile
4211 /// cadences ("patrol every 6h, but only fire overnight") and
4212 /// daytime change-freezes. `start > end` crosses midnight
4213 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
4214 /// lazily; [`Schedule::validate`] rejects garbage at create time.
4215 #[serde(default, skip_serializing_if = "Option::is_none")]
4216 pub window: Option<String>,
4217 /// Fleet-wide cap on how many instances of this schedule's job may
4218 /// run **at the same time** (#418 "同時実行ハード上限"). The
4219 /// backend scheduler counts the job's still-in-flight runs
4220 /// (`execution_results.finished_at IS NULL`) each tick and only
4221 /// dispatches to as many remaining pcs as there are free slots —
4222 /// a rolling window that refills as runs complete. Useful for
4223 /// disk/CPU/network-heavy jobs you don't want hammering the whole
4224 /// fleet at once.
4225 ///
4226 /// **Backend-only** (it needs a central counter): combining it
4227 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
4228 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
4229 /// for `per_pc` reconcile cadences, where the poll re-ticks and
4230 /// refills slots. `None` (default) = no cap.
4231 #[serde(default, skip_serializing_if = "Option::is_none")]
4232 pub max_concurrent: Option<u32>,
4233 /// Calendar dates the schedule must **not** fire on — holidays,
4234 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
4235 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
4236 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
4237 /// the whole day; a calendar fire landing on the date is
4238 /// suppressed) and is honored by both the live scheduler and
4239 /// `preview`, since both gate on [`Constraints::allows`]. Empty
4240 /// (default) = no skips. Operator-supplied: there is no built-in
4241 /// holiday calendar — list the dates you care about. Parsed lazily;
4242 /// [`Schedule::validate`] rejects a malformed date at create time.
4243 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4244 pub skip_dates: Vec<String>,
4245 /// Host-environment gate (#418): fire only when the target host is
4246 /// in the required state (on AC power, idle). Agent-sensed at fire
4247 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
4248 /// no environment requirement.
4249 #[serde(default, skip_serializing_if = "Option::is_none")]
4250 pub require: Option<Require>,
4251}
4252
4253impl Constraints {
4254 /// `skip_serializing_if` helper — empty constraints are omitted
4255 /// from the wire format entirely.
4256 pub fn is_empty(&self) -> bool {
4257 self.window.is_none()
4258 && self.max_concurrent.is_none()
4259 && self.skip_dates.is_empty()
4260 && self.require.as_ref().is_none_or(Require::is_empty)
4261 }
4262
4263 /// The first unparseable `skip_dates` entry, if any — the
4264 /// scheduler logs it at register time so a fail-closed
4265 /// (never-firing) schedule from a hand-edited KV blob is
4266 /// diagnosable, mirroring [`Schedule::bad_window`].
4267 pub fn bad_skip_date(&self) -> Option<String> {
4268 self.skip_dates.iter().find_map(|s| {
4269 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
4270 .err()
4271 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
4272 })
4273 }
4274
4275 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
4276 /// error (a zero-width or all-day window is ambiguous — write no
4277 /// window for "always").
4278 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
4279 let (a, b) = s
4280 .split_once('-')
4281 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
4282 let parse = |part: &str| {
4283 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
4284 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
4285 };
4286 let (start, end) = (parse(a)?, parse(b)?);
4287 if start == end {
4288 return Err(format!(
4289 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
4290 ));
4291 }
4292 Ok((start, end))
4293 }
4294
4295 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
4296 /// always allowed. Half-open `[start, end)`; `start > end`
4297 /// crosses midnight.
4298 ///
4299 /// **Fail-closed** on an unparseable window (returns `false`,
4300 /// gemini #452 review): a window is a *restrictive* constraint
4301 /// (change-freeze / overnight-only), so a corrupt one must NOT
4302 /// silently allow fires during the restricted hours. Bad windows
4303 /// are rejected at create time by [`Schedule::validate`]; this
4304 /// only bites a hand-edited KV blob, where blocking is the safe
4305 /// direction. The scheduler warns at register time
4306 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
4307 /// The tick path never panics regardless.
4308 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
4309 // #418 holiday / blackout dates: never fire on a listed wall
4310 // date (in `tz`). Checked before the window since a skipped day
4311 // overrides any within-window allowance. Fail-closed on a
4312 // corrupt entry (same posture as `window`): a skip date is a
4313 // *restrictive* constraint, so a garbled one must not silently
4314 // re-enable fires — it blocks until fixed (`validate` rejects it
4315 // at create time; `bad_skip_date` lets the scheduler warn).
4316 if !self.skip_dates.is_empty() {
4317 let today = tz.wall_date(now);
4318 let blocked = self.skip_dates.iter().any(|s| {
4319 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
4320 Ok(d) => d == today,
4321 Err(_) => true, // corrupt entry → fail-closed (block)
4322 }
4323 });
4324 if blocked {
4325 return false;
4326 }
4327 }
4328 match self.window.as_deref() {
4329 // No window → always allowed.
4330 None => true,
4331 // Window set: membership, or fail-closed if unparseable
4332 // (`window_contains` returns None for a corrupt window).
4333 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
4334 }
4335 }
4336
4337 /// Membership of a wall-clock time-of-day in the window. `None`
4338 /// when there is no window or it's unparseable (callers decide
4339 /// the failure direction). `start > end` crosses midnight.
4340 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
4341 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
4342 Some(if start <= end {
4343 start <= t && t < end
4344 } else {
4345 t >= start || t < end
4346 })
4347 }
4348}
4349
4350/// What to do when a fire's script fails (#418 Phase 4 — the "高"
4351/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
4352/// happens, `OnFailure` decides what happens *after* one ran and
4353/// came back bad. Only `retry` so far; future `notify` / `disable`
4354/// would join the same namespace.
4355#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4356pub struct OnFailure {
4357 /// Re-run the script in-process when it exits non-zero (or times
4358 /// out), up to a cap, with a fixed backoff between attempts.
4359 /// `None` (default) = no retry: a failed run is published as-is
4360 /// and (for reconcile cadences) simply re-fires on the next poll
4361 /// tick. See [`Retry`].
4362 #[serde(default, skip_serializing_if = "Option::is_none")]
4363 pub retry: Option<Retry>,
4364}
4365
4366impl OnFailure {
4367 /// `skip_serializing_if` helper — an empty policy is omitted from
4368 /// the wire format entirely.
4369 pub fn is_empty(&self) -> bool {
4370 self.retry.is_none()
4371 }
4372
4373 /// Lower the operator-facing `retry` (humantime backoff) onto the
4374 /// engine vocabulary the agent's executor runs on (backoff in
4375 /// whole seconds). Single seam shared by the backend command
4376 /// builder and the agent's local scheduler so the two stamp the
4377 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
4378 /// `None` when there is no retry policy or the backoff is
4379 /// unparseable (validate() rejects the latter at create time;
4380 /// this stays fail-safe = "no retry" for a hand-edited KV blob
4381 /// rather than panicking on the fire path).
4382 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
4383 let r = self.retry.as_ref()?;
4384 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
4385 Some(crate::wire::RetrySpec {
4386 max: r.max,
4387 backoff_secs,
4388 })
4389 }
4390}
4391
4392/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
4393/// *additional* attempts after the first run (so `max: 3` = up to 4
4394/// total executions); `backoff` is the humantime delay slept between
4395/// attempts. The retry happens fire-side (inside `kanade fire` /
4396/// `handle_command`) on every OS for the PoC — the Windows-native
4397/// "restart on failure" Task Scheduler path is deferred to the
4398/// native-delegation phase (#418 decision H).
4399#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4400pub struct Retry {
4401 /// Max additional attempts after the first failure. Bounded
4402 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
4403 /// with a short backoff would otherwise pin a flapping script in
4404 /// a tight loop for the whole window.
4405 pub max: u32,
4406 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
4407 pub backoff: String,
4408}
4409
4410/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
4411/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
4412/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
4413/// global* "stop all automated change" switch the operator flips
4414/// during an incident or a year-end change-freeze. It lives in its
4415/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
4416/// active, both the backend scheduler and every agent's local
4417/// scheduler skip *every* fire.
4418///
4419/// Shapes:
4420/// * `{}` (no bounds) — frozen indefinitely until the operator
4421/// clears it (incident "big red button").
4422/// * `{ from, until }` — frozen only within `[from, until)`,
4423/// evaluated in `tz` (planned change-freeze; auto-thaws).
4424///
4425/// The KV key being *absent* means "not frozen" — so clearing the
4426/// freeze is a KV delete, and `is_active` only ever runs on a freeze
4427/// the operator actually set.
4428#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4429pub struct Freeze {
4430 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
4431 /// `tz`). `None` ⇒ frozen from the beginning of time.
4432 #[serde(default, skip_serializing_if = "Option::is_none")]
4433 pub from: Option<String>,
4434 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
4435 /// no scheduled end (manual clear required).
4436 #[serde(default, skip_serializing_if = "Option::is_none")]
4437 pub until: Option<String>,
4438 /// Operator-supplied note surfaced on the freeze-skip log and the
4439 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
4440 #[serde(default, skip_serializing_if = "Option::is_none")]
4441 pub reason: Option<String>,
4442 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
4443 /// carry their own offset). Defaults to host-local like a
4444 /// schedule's `tz`.
4445 #[serde(default)]
4446 pub tz: ScheduleTz,
4447}
4448
4449impl Freeze {
4450 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
4451 /// both absent) is frozen unconditionally; otherwise membership of
4452 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
4453 /// but **fails CLOSED** on an unparseable bound — a freeze is a
4454 /// safety switch, so a corrupt window (only reachable via a
4455 /// hand-edited KV blob; `validate` rejects it at set time) must
4456 /// mean "frozen", not "fire normally" (coderabbit #472). This is
4457 /// the one deliberate divergence from `active`'s fail-OPEN
4458 /// behaviour, where an unparseable bound dormant-skips a schedule.
4459 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
4460 // Parse a bound; an unparseable one short-circuits the whole
4461 // check to `true` (frozen) via the closure's `None` sentinel
4462 // handled below.
4463 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
4464 match s.as_deref() {
4465 None => Ok(None),
4466 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
4467 }
4468 };
4469 let (from, until) = match (bound(&self.from), bound(&self.until)) {
4470 (Ok(f), Ok(u)) => (f, u),
4471 // Any corrupt bound → fail closed (frozen).
4472 _ => return true,
4473 };
4474 if from.is_some_and(|f| now < f) {
4475 return false;
4476 }
4477 if until.is_some_and(|u| now >= u) {
4478 return false;
4479 }
4480 true
4481 }
4482
4483 /// Reject unparseable bounds / `from >= until` at set time (the
4484 /// API + CLI counterpart to [`Schedule::validate`]).
4485 pub fn validate(&self) -> Result<(), String> {
4486 let from = self
4487 .from
4488 .as_deref()
4489 .map(|s| Active::parse_bound(s, self.tz))
4490 .transpose()
4491 .map_err(|e| e.replace("active:", "freeze:"))?;
4492 let until = self
4493 .until
4494 .as_deref()
4495 .map(|s| Active::parse_bound(s, self.tz))
4496 .transpose()
4497 .map_err(|e| e.replace("active:", "freeze:"))?;
4498 if let (Some(f), Some(u)) = (from, until) {
4499 if f >= u {
4500 return Err(format!(
4501 "freeze.from ({}) must be strictly before freeze.until ({})",
4502 self.from.as_deref().unwrap_or_default(),
4503 self.until.as_deref().unwrap_or_default(),
4504 ));
4505 }
4506 }
4507 Ok(())
4508 }
4509}
4510
4511/// The system-generated poll cadence every reconcile-shaped `when`
4512/// lowers to. Operators never write this: the real inter-run
4513/// spacing is the `every` cooldown; this only bounds "how soon do
4514/// we notice somebody is due" (#418 decision B took the poll
4515/// period away from the operator).
4516pub const POLL_CRON: &str = "0 * * * * *";
4517
4518/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
4519/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
4520/// unchanged is what lets Phase 1 swap the operator surface without
4521/// touching the tick / dedup machinery.
4522pub struct Lowered {
4523 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
4524 /// reconcile shapes, a 6/7-field cron for calendar shapes.
4525 pub cron: String,
4526 /// Dedup semantics for `decide_fire`.
4527 pub mode: ExecMode,
4528 /// Humantime re-arm interval (`None` = succeed once, skip
4529 /// forever).
4530 pub cooldown: Option<String>,
4531 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
4532 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
4533 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
4534 /// so the same value drives the `active`-window check.
4535 pub tz: ScheduleTz,
4536}
4537
4538impl Schedule {
4539 /// The error message if this schedule's `constraints.window` is
4540 /// set but unparseable, else `None`. The scheduler logs this at
4541 /// register time so a fail-closed (never-firing) schedule from a
4542 /// hand-edited KV blob is diagnosable (gemini #452 review).
4543 pub fn bad_window(&self) -> Option<String> {
4544 let w = self.constraints.window.as_deref()?;
4545 Constraints::parse_window(w).err()
4546 }
4547
4548 /// True when this is a `calendar` schedule whose fire time can
4549 /// never fall inside its `constraints.window` — the cron fires,
4550 /// the window check rejects it, and (firing only at that
4551 /// time-of-day) it effectively never runs. An easy misconfig to
4552 /// set up by accident; the scheduler warns at register time
4553 /// (claude #452 review). Reconcile shapes poll every minute, so
4554 /// they always catch the window opening and aren't affected.
4555 pub fn calendar_outside_window(&self) -> bool {
4556 let When::Calendar(c) = &self.when else {
4557 return false;
4558 };
4559 let Some(t) = c.fire_time() else {
4560 return false;
4561 };
4562 matches!(self.constraints.window_contains(t), Some(false))
4563 }
4564
4565 /// Up to `count` future instants this schedule will fire, as
4566 /// absolute UTC, strictly after `now` — the dry-run / preview
4567 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
4568 /// schedules have discrete fire times; reconcile shapes
4569 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
4570 /// they return an empty vec and the caller describes the cadence
4571 /// instead. Occurrences outside the `active.{from,until}` window or
4572 /// the `constraints.window` are **skipped**, so the list reflects
4573 /// when the schedule will ACTUALLY run, not the raw cron ticks.
4574 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
4575 /// `Job::new_async_tz`, and with the same croner config the
4576 /// scheduler / [`Schedule::validate`] use, so a preview can never
4577 /// disagree with a real fire. A schedule that can never fire (a
4578 /// calendar time wholly outside its window, a past one-shot,
4579 /// `enabled: false` is *not* considered here — callers gate on
4580 /// `enabled` separately) yields an empty vec.
4581 pub fn preview_fires(
4582 &self,
4583 now: chrono::DateTime<chrono::Utc>,
4584 count: usize,
4585 ) -> Vec<chrono::DateTime<chrono::Utc>> {
4586 use croner::parser::{CronParser, Seconds};
4587 if !matches!(self.when, When::Calendar(_)) {
4588 return Vec::new();
4589 }
4590 // Same lowering + croner config as `next_calendar_fire` and the
4591 // live scheduler, so a preview can never disagree with a real
4592 // fire. `preview_fires` adds the N-occurrence walk and the
4593 // active / window filtering on top of that single seam.
4594 let lowered = self.lowered();
4595 let Ok(cron) = CronParser::builder()
4596 .seconds(Seconds::Required)
4597 .dom_and_dow(true)
4598 .build()
4599 .parse(&lowered.cron)
4600 else {
4601 return Vec::new();
4602 };
4603 let accept = |utc: chrono::DateTime<chrono::Utc>| {
4604 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
4605 };
4606 match self.tz {
4607 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
4608 ScheduleTz::Local => {
4609 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
4610 }
4611 }
4612 }
4613
4614 /// Walk croner forward from `after` collecting up to `count`
4615 /// accepted occurrences (converted to UTC). Generic over the tz the
4616 /// cron is evaluated in so `preview_fires` can run it in either
4617 /// `Utc` or `Local` without duplicating the loop.
4618 fn next_occurrences<Tz>(
4619 cron: &croner::Cron,
4620 after: chrono::DateTime<Tz>,
4621 count: usize,
4622 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
4623 ) -> Vec<chrono::DateTime<chrono::Utc>>
4624 where
4625 Tz: chrono::TimeZone,
4626 {
4627 // Bound the scan so an `active`/window dead-end (every future
4628 // tick rejected) can't spin forever: ~4096 raw ticks covers
4629 // >10y of a daily calendar while staying instant for croner.
4630 const SCAN_CAP: usize = 4096;
4631 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
4632 let mut cursor = after;
4633 let mut scanned = 0usize;
4634 while out.len() < count && scanned < SCAN_CAP {
4635 scanned += 1;
4636 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
4637 break;
4638 };
4639 let utc = next.with_timezone(&chrono::Utc);
4640 if accept(utc) {
4641 out.push(utc);
4642 }
4643 // `find_next_occurrence(.., inclusive = false)` already
4644 // advances strictly past `cursor`, so handing it `next`
4645 // verbatim gets the following occurrence — no manual +1s
4646 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
4647 cursor = next;
4648 }
4649 out
4650 }
4651
4652 /// Lower the operator-facing `when` onto the engine vocabulary.
4653 /// Single seam shared by the backend scheduler and the agent's
4654 /// local scheduler so the two can never drift.
4655 pub fn lowered(&self) -> Lowered {
4656 let tz = self.tz;
4657 match &self.when {
4658 When::PerPc(p) => Lowered {
4659 cron: POLL_CRON.into(),
4660 mode: ExecMode::OncePerPc,
4661 cooldown: p.cooldown(),
4662 tz,
4663 },
4664 When::PerTarget(p) => Lowered {
4665 cron: POLL_CRON.into(),
4666 mode: ExecMode::OncePerTarget,
4667 cooldown: p.cooldown(),
4668 tz,
4669 },
4670 // `to_cron` only fails on a malformed `at` (rejected by
4671 // validate() at create time). For a hand-edited KV blob
4672 // that slipped past, emit a deliberately-invalid cron so
4673 // register()'s Job::new_async_tz fails → warn+skip,
4674 // rather than firing at the wrong time.
4675 When::Calendar(c) => Lowered {
4676 cron: c
4677 .to_cron()
4678 .unwrap_or_else(|_| "# invalid calendar at".into()),
4679 mode: ExecMode::EveryTick,
4680 cooldown: None,
4681 tz,
4682 },
4683 // Event triggers have no cron — the agent fires them from an
4684 // OS event source. The `# event-trigger` cron is never
4685 // registered (the scheduler branches on `is_event()` first),
4686 // but keep it deliberately-invalid as a belt-and-suspenders
4687 // so a stray registration would fail rather than misfire.
4688 When::On(_) => Lowered {
4689 cron: "# event-trigger (no cron)".into(),
4690 mode: ExecMode::Event,
4691 cooldown: None,
4692 tz,
4693 },
4694 }
4695 }
4696
4697 /// True when this schedule fires from an OS event (`when: { on }`)
4698 /// rather than a clock — the agent skips `tokio-cron` registration
4699 /// for these and drives them from boot / session-change instead.
4700 pub fn is_event(&self) -> bool {
4701 matches!(self.when, When::On(_))
4702 }
4703
4704 /// The OS event triggers this schedule listens for, or `&[]` when it
4705 /// is not an event schedule.
4706 pub fn event_triggers(&self) -> &[OnTrigger] {
4707 match &self.when {
4708 When::On(t) => t,
4709 _ => &[],
4710 }
4711 }
4712
4713 /// The next absolute (UTC) time this schedule fires, or `None` when
4714 /// it has no discrete upcoming fire to preview.
4715 ///
4716 /// Used by the KLP `maintenance.list` preview ("what's about to
4717 /// happen on my PC", SPEC §2.1). Returns `None` for:
4718 ///
4719 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
4720 /// every-minute [`POLL_CRON`] and re-converge state continuously,
4721 /// so "next fire" is always ~60s away and means nothing to a user
4722 /// previewing upcoming maintenance;
4723 /// - a calendar schedule whose lowered cron won't parse (a
4724 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
4725 /// - a cron with no future occurrence.
4726 ///
4727 /// The wall-clock fire is evaluated in the schedule's own `tz`
4728 /// (matching the live tick's `Job::new_async_tz`) then normalised
4729 /// to UTC for the wire. `inclusive = false`: strictly the *next*
4730 /// fire after `now`, never one matching the current instant.
4731 pub fn next_calendar_fire(
4732 &self,
4733 now: chrono::DateTime<chrono::Utc>,
4734 ) -> Option<chrono::DateTime<chrono::Utc>> {
4735 if !matches!(self.when, When::Calendar(_)) {
4736 return None;
4737 }
4738 let lowered = self.lowered();
4739 // Same parser configuration tokio-cron-scheduler 0.15 uses
4740 // internally, so this can never compute a fire the live
4741 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
4742 let cron = croner::parser::CronParser::builder()
4743 .seconds(croner::parser::Seconds::Required)
4744 .dom_and_dow(true)
4745 .build()
4746 .parse(&lowered.cron)
4747 .ok()?;
4748 match lowered.tz {
4749 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
4750 ScheduleTz::Local => {
4751 let now_local = now.with_timezone(&chrono::Local);
4752 cron.find_next_occurrence(&now_local, false)
4753 .ok()
4754 .map(|t| t.with_timezone(&chrono::Utc))
4755 }
4756 }
4757 }
4758
4759 /// Cross-field semantic checks that don't fit pure serde derive
4760 /// — the [`Manifest::validate`] counterpart (#418 decision F;
4761 /// pre-Phase-1 a broken schedule was accepted at create time
4762 /// and silently warn-skipped at tick time). Run at every create
4763 /// site: `kanade schedule create` (client-side) and
4764 /// `POST /api/schedules`. The job_id-exists check lives in the
4765 /// API handler instead — it needs the JOBS KV.
4766 pub fn validate(&self) -> Result<(), String> {
4767 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
4768 return Err(
4769 "when.per_target needs fleet-wide completion data and is backend-only; \
4770 it cannot be combined with runs_on: agent (each agent self-schedules, \
4771 so per-target dedup would be deduping across a target of 1)"
4772 .into(),
4773 );
4774 }
4775 // #418 event triggers: the agent owns the OS event source
4776 // (boot / session-change), so `when: { on }` is agent-only and
4777 // needs at least one trigger.
4778 if let When::On(triggers) = &self.when {
4779 if !matches!(self.runs_on, RunsOn::Agent) {
4780 return Err(
4781 "when.on (OS event trigger) is fired by the agent's own event \
4782 source, so it requires runs_on: agent"
4783 .into(),
4784 );
4785 }
4786 if triggers.is_empty() {
4787 return Err(
4788 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
4789 );
4790 }
4791 }
4792 if let Some(cd) = self.lowered().cooldown.as_deref() {
4793 humantime::parse_duration(cd)
4794 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
4795 }
4796 if let When::Calendar(c) = &self.when {
4797 // Lower the calendar form to its cron (catches a bad `at`
4798 // and the date+days conflict), then validate that cron
4799 // with the same parser configuration tokio-cron-scheduler
4800 // 0.15 uses internally (croner, seconds required,
4801 // DOM-and-DOW both honored, year optional) — create-time
4802 // validation can never accept what register() rejects.
4803 let cron = c.to_cron()?;
4804 croner::parser::CronParser::builder()
4805 .seconds(croner::parser::Seconds::Required)
4806 .dom_and_dow(true)
4807 .build()
4808 .parse(&cron)
4809 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
4810 }
4811 // The other humantime strings on the schedule (claude #419
4812 // review): runtime degrades gracefully on both (bad jitter →
4813 // silent no-op, bad starting_deadline → warn + skipped tick),
4814 // but "rejected at create time" should cover every field the
4815 // operator can typo, not just `when`.
4816 if let Some(j) = &self.plan.jitter {
4817 humantime::parse_duration(j)
4818 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
4819 }
4820 if let Some(sd) = &self.starting_deadline {
4821 humantime::parse_duration(sd)
4822 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
4823 }
4824 let from = self
4825 .active
4826 .from
4827 .as_deref()
4828 .map(|s| Active::parse_bound(s, self.tz))
4829 .transpose()?;
4830 let until = self
4831 .active
4832 .until
4833 .as_deref()
4834 .map(|s| Active::parse_bound(s, self.tz))
4835 .transpose()?;
4836 if let (Some(f), Some(u)) = (from, until) {
4837 if f >= u {
4838 return Err(format!(
4839 "active.from ({}) must be strictly before active.until ({})",
4840 self.active.from.as_deref().unwrap_or_default(),
4841 self.active.until.as_deref().unwrap_or_default(),
4842 ));
4843 }
4844 }
4845 // #418 Phase 3: a bad maintenance window is rejected at create
4846 // time (parse_window also catches equal bounds).
4847 if let Some(w) = self.constraints.window.as_deref() {
4848 Constraints::parse_window(w)?;
4849 }
4850 // #418 holiday exclusion: reject a malformed skip date at create
4851 // time so the fail-closed `allows` path only ever bites a
4852 // hand-edited KV blob, not a fresh `kanade schedule create`.
4853 if let Some(err) = self.constraints.bad_skip_date() {
4854 return Err(err);
4855 }
4856 // #418: constraints.max_concurrent is a central running-instance
4857 // cap, so it needs the backend's counter — reject it on
4858 // runs_on: agent (decision E), and reject a meaningless 0.
4859 if let Some(mc) = self.constraints.max_concurrent {
4860 // Check the structural incompatibility (agent has no central
4861 // counter) before the value range, so a `max_concurrent: 0`
4862 // + `runs_on: agent` combo reports the more fundamental
4863 // problem first (claude #542).
4864 if matches!(self.runs_on, RunsOn::Agent) {
4865 return Err(
4866 "constraints.max_concurrent needs a central counter and is backend-only; \
4867 it cannot be combined with runs_on: agent (each agent self-schedules, \
4868 so there is no fleet-wide count to cap against)"
4869 .into(),
4870 );
4871 }
4872 if mc == 0 {
4873 return Err(
4874 "constraints.max_concurrent must be >= 1 (0 would never fire; \
4875 omit it for no cap)"
4876 .into(),
4877 );
4878 }
4879 }
4880 // #418: constraints.require (host-state env gates: ac_power /
4881 // idle / cpu_below / network) is sensed in-process by the agent,
4882 // so it needs runs_on: agent — the backend can't read a target
4883 // host's power / idle / cpu / connectivity state. Symmetric with
4884 // `when: { on }` (also agent-only); inverse of max_concurrent
4885 // (backend-only).
4886 if let Some(req) = &self.constraints.require {
4887 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
4888 return Err(
4889 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
4890 network) is sensed in-process by the agent and needs runs_on: agent; the \
4891 backend cannot read a target host's power / idle / cpu / connectivity state"
4892 .into(),
4893 );
4894 }
4895 // Reject a malformed idle duration at create time so the
4896 // fail-closed runtime path only ever bites a hand-edited
4897 // KV blob (mirror skip_dates / on_failure.retry).
4898 if let Some(err) = req.bad_idle() {
4899 return Err(err);
4900 }
4901 // cpu_below is a percent — reject out-of-range so a typo
4902 // can't make a schedule that never (>=100 is always-busy?
4903 // no — <0 never matches) or trivially fires.
4904 if let Some(c) = req.cpu_below
4905 && !(c > 0.0 && c <= 100.0)
4906 {
4907 return Err(format!(
4908 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
4909 omit it for no CPU requirement"
4910 ));
4911 }
4912 }
4913 // #418 Phase 4: a bad on_failure.retry is rejected at create
4914 // time — backoff must be valid humantime, and max is bounded
4915 // so a typo can't pin a flapping script in a tight loop.
4916 if let Some(r) = &self.on_failure.retry {
4917 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
4918 format!(
4919 "on_failure.retry.backoff: invalid duration '{}': {e}",
4920 r.backoff
4921 )
4922 })?;
4923 // The wire form lowers backoff to whole seconds, so a
4924 // sub-second value would silently become a 0s no-wait
4925 // (coderabbit #466). Reject it rather than honour a backoff
4926 // the operator can't actually get.
4927 if backoff.as_secs() < 1 {
4928 return Err(format!(
4929 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
4930 round to 0 on the wire",
4931 r.backoff
4932 ));
4933 }
4934 if !(1..=10).contains(&r.max) {
4935 return Err(format!(
4936 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
4937 attempts after the first run",
4938 r.max
4939 ));
4940 }
4941 }
4942 // A blank / whitespace-only tag renders an empty filter chip on
4943 // the Schedules page — reject it at create time, mirroring the
4944 // Manifest::validate tag guard.
4945 for tag in &self.tags {
4946 if tag.trim().is_empty() {
4947 return Err("tags must not contain empty entries".to_string());
4948 }
4949 }
4950 Ok(())
4951 }
4952}
4953
4954fn default_true() -> bool {
4955 true
4956}