kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::ipc::jobs::JobCategory;
4use crate::wire::{RunAs, Shell, Staleness};
5
6/// YAML job manifest (= registered "what to run", v0.18.0+).
7///
8/// Owns only script-intrinsic fields. **Who** (`target`), **how to
9/// phase fanout** (`rollout`), and **when to stagger start**
10/// (`jitter`) all moved to the Schedule / exec request side — same
11/// script can now be fired against different targets / rollouts
12/// without copying the script body.
13///
14/// #492: these types are READ fleet-wide (agents decode them from
15/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
16/// must tolerate unknown fields — `deny_unknown_fields` here made a
17/// gradually-upgrading fleet's OLD agents reject the whole object
18/// the moment a newer backend added any field. Operator typo
19/// protection (the old reason for the attribute) lives at the WRITE
20/// boundaries instead: `kanade job/schedule create` and the backend
21/// POST extractor parse via [`crate::strict`], which rejects unknown
22/// keys with their full paths. The wire rule: new fields always get
23/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
24/// may still be strict).
25#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
26pub struct Manifest {
27 pub id: String,
28 pub version: String,
29 #[serde(default)]
30 pub description: Option<String>,
31 pub execute: Execute,
32 #[serde(default)]
33 pub require_approval: bool,
34 /// Opt-in marker that this job produces a JSON inventory fact
35 /// payload on stdout. When present, the backend's results
36 /// projector parses `ExecResult.stdout` as JSON and upserts an
37 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
38 /// `display` sub-config drives the SPA's Inventory page render.
39 #[serde(default)]
40 pub inventory: Option<InventoryHint>,
41 /// Issue #246: opt-in marker that this job emits per-line
42 /// observability events on stdout (one JSON `ObsEvent` per
43 /// newline). When present, the agent — after the script exits
44 /// successfully — parses each non-empty stdout line as an
45 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
46 /// `obs_outbox`, and (intentionally) **omits the stdout from
47 /// the `ExecResult`** so the timeline data doesn't double up
48 /// in `execution_results.stdout` (which would multiply rows
49 /// by ~50/day/PC of noise).
50 ///
51 /// Distinct from `inventory:` (single JSON object → projector
52 /// upsert) — events are append-only timeline points consumed
53 /// by the dedicated `obs_events` table.
54 #[serde(default)]
55 pub emit: Option<EmitConfig>,
56 /// #290: opt-in marker that this job is an operator-defined
57 /// **health check** whose result feeds the Client App's Health
58 /// tab over KLP (`StateSnapshot.checks`). The script prints a
59 /// free-form JSON object on stdout (like any inventory job); the
60 /// agent reads the [`CheckHint::status_field`] value dynamically
61 /// into a [`crate::ipc::state::Check`] named `check.name`.
62 /// Cadence / windows / conditions come from
63 /// the job's Schedule (exactly like inventory) — there is
64 /// deliberately no interval here. **Composes with `inventory:`**:
65 /// the script's stdout is one JSON object, so a check can also
66 /// carry an `inventory:` block to project the rest of that object
67 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
68 /// `emit:` (NDJSON stdout) is incompatible.
69 #[serde(default)]
70 pub check: Option<CheckHint>,
71 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
72 /// what the agent does at fire time when it can't verify the
73 /// `script_current` / `script_status` KV values are fresh —
74 /// especially relevant for `runs_on: agent` schedules where
75 /// the agent may fire from cache while offline. Defaults to
76 /// `Staleness::Cached` (silently use cached values), which
77 /// matches every pre-v0.26 Manifest.
78 #[serde(default)]
79 pub staleness: Staleness,
80 /// #291: opt-in marker that this job is offered to **end users**
81 /// in the Client App's job tabs over KLP (`jobs.list` →
82 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
83 /// [`emit`]: the block's mere presence is the opt-in, and it
84 /// groups the end-user presentation fields (name / category /
85 /// icon) that only make sense for a user-facing job. `None`
86 /// (the default) ⇒ an operator-only job — inventory, checks,
87 /// scheduled maintenance — that never surfaces in the catalog.
88 ///
89 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
90 /// (SPEC §2.1), so removing the block takes a job out of a
91 /// running client on its next action.
92 ///
93 /// [`inventory`]: Manifest::inventory
94 /// [`check`]: Manifest::check
95 /// [`emit`]: Manifest::emit
96 #[serde(default, skip_serializing_if = "Option::is_none")]
97 pub client: Option<ClientHint>,
98 /// Free-form operator taxonomy for the Jobs catalog. Purely a
99 /// SPA-side organisational aid — agents / scheduler / projector
100 /// never read it — so it carries no runtime semantics and any
101 /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
102 /// cross-cut (a `check-bitlocker` is at once a health-check, a
103 /// security control, and Windows-specific), which is why this is
104 /// a multi-valued list rather than the single closed-enum
105 /// [`ClientHint::category`] (whose values are the end-user Client
106 /// App's tabs, a different concern). The operator Jobs page groups
107 /// rows by id-prefix for free; tags add the orthogonal filter axis
108 /// prefixes can't express.
109 ///
110 /// Empty by default (the overwhelming majority of jobs), and a
111 /// new field, so it follows the #492 wire rule: `serde(default)`
112 /// plus `skip_serializing_if` keep gradually-upgrading old readers
113 /// from tripping over its absence / presence.
114 #[serde(default, skip_serializing_if = "Vec::is_empty")]
115 pub tags: Vec<String>,
116 /// GitOps provenance (#678) — see [`RepoOrigin`]. Stamped by
117 /// `kanade job create` when the source YAML lives inside a Git work
118 /// tree, so the SPA can render the job read-only and point edits
119 /// back at the repo instead of letting a ClickOps edit silently
120 /// diverge from Git (SPEC design principle #3: 設定駆動 YAML + Git).
121 /// `None` for SPA-born jobs and for manifests applied from outside
122 /// any Git repo. Purely informational: agents / scheduler /
123 /// projector never read it, and it survives `script_file:` inlining
124 /// (it's orthogonal to the exactly-one-of script-source rule). New
125 /// field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
126 #[serde(default, skip_serializing_if = "Option::is_none")]
127 pub origin: Option<RepoOrigin>,
128}
129
130/// GitOps provenance for a repo-managed YAML artifact — a [`Manifest`]
131/// (#678) or a [`Schedule`] (#695). Populated by `kanade job create` /
132/// `kanade schedule create` from the Git context of the source YAML;
133/// the SPA reads it to render Git-managed entries read-only and link
134/// the operator back at the repo. Never consulted by the runtime.
135#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
136pub struct RepoOrigin {
137 /// Repo-relative path of the source YAML — the primary edit target
138 /// the SPA surfaces (e.g. `configs/jobs/foo.yaml`). Forward slashes
139 /// regardless of the authoring OS.
140 pub path: String,
141 /// `origin` remote URL, when the repo has one. Lets the SPA turn
142 /// `path` into a clickable link; `None` for remote-less repos.
143 #[serde(default, skip_serializing_if = "Option::is_none")]
144 pub repo: Option<String>,
145 /// Repo-relative path of the `script_file:` a job manifest inlined,
146 /// when it used one — a secondary pointer shown beneath `path`.
147 /// Always `None` for schedules (they carry no script).
148 #[serde(default, skip_serializing_if = "Option::is_none")]
149 pub script_file: Option<String>,
150}
151
152/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
153/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
154/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
155/// here keeps the validation + serialisation logic in one place.
156#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
157pub struct FanoutPlan {
158 #[serde(default)]
159 pub target: Target,
160 /// Optional wave rollout — when present, the backend publishes
161 /// each wave's group subject on its own delay schedule instead
162 /// of fanning out the `target` block in one go. `target` then
163 /// only labels the deploy for the audit log.
164 #[serde(default, skip_serializing_if = "Option::is_none")]
165 pub rollout: Option<Rollout>,
166 /// Optional humantime jitter; agent uses it to randomise
167 /// execution start. Lives here (not on the script) so different
168 /// schedules / ad-hoc fires of the same job can pick different
169 /// stagger windows.
170 #[serde(default, skip_serializing_if = "Option::is_none")]
171 pub jitter: Option<String>,
172 /// Absolute time the scheduler stamps on each emitted Command
173 /// when this exec was driven by a [`Schedule`] with
174 /// `starting_deadline`. Agents receiving a Command after this
175 /// instant publish a synthetic skipped-result instead of
176 /// running the script. `None` (default) = no deadline / catch
177 /// up whenever delivered. Operators don't usually set this
178 /// directly — the scheduler computes it from `tick_at +
179 /// starting_deadline`.
180 #[serde(default, skip_serializing_if = "Option::is_none")]
181 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
182}
183
184/// Manifest sub-section: how the SPA should render the inventory
185/// facts this job produces. Each field name (`field`) is a top-level
186/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
187///
188/// Two render modes:
189/// * `display` — vertical "field / value" per PC, used by the
190/// `/inventory?pc=<id>` detail view. ALL columns the operator
191/// wants visible on the detail page.
192/// * `summary` — horizontal table across the fleet (row = PC,
193/// column = field) on `/inventory`. Optional; when omitted the
194/// SPA falls back to `display`, but operators usually want a
195/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
196#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
197pub struct InventoryHint {
198 /// Detail-view columns, in order.
199 pub display: Vec<DisplayField>,
200 /// Optional fleet-list columns (row = PC). Defaults to `display`
201 /// when omitted, but operators usually pick a 3-5 column subset.
202 #[serde(default, skip_serializing_if = "Option::is_none")]
203 pub summary: Option<Vec<DisplayField>>,
204 /// v0.31 / #40: payload arrays that should be exploded into
205 /// per-element rows of a derived SQLite table. Lets operators
206 /// answer cross-PC questions ("which PCs still have Chrome <
207 /// 120?", "C: >90% full") with normal SQL filters + indexes
208 /// instead of grepping JSON. The projector creates the derived
209 /// table on register and replaces this PC's rows on each result
210 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
211 /// [`ExplodeSpec`] for the per-spec schema.
212 #[serde(default, skip_serializing_if = "Option::is_none")]
213 pub explode: Option<Vec<ExplodeSpec>>,
214 /// v0.35 / #93: top-level scalar fields whose changes the
215 /// projector logs to `inventory_history` (one event per
216 /// changed field per scan). Pairs with `explode[].track_history`
217 /// — that covers array elements; this covers single-valued
218 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
219 /// `os_build` that operators want to track for "did the RAM
220 /// get upgraded?" / "when did Win 11 land on this PC?" /
221 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
222 /// in the history row, `identity_json` is NULL, `before_json`
223 /// / `after_json` each carry `{"value": <prior or new value>}`.
224 /// First-ever observation of a scalar (no prior facts row)
225 /// emits `added`; subsequent value changes emit `changed`. No
226 /// `removed` events — a scalar disappearing from the payload
227 /// is rare and the operator can still see the last value via
228 /// the `before_json` of the most recent change.
229 #[serde(default, skip_serializing_if = "Option::is_none")]
230 pub history_scalars: Option<Vec<String>>,
231}
232
233/// Manifest sub-section (#290): marks a job as an operator-defined
234/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
235/// The stdout contract is a free-form JSON object (same as any
236/// inventory job) from which the agent reads `status_field` /
237/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
238/// on the Client App's Health tab.
239///
240/// There is deliberately **no timing field** — when / how often /
241/// in which window a check runs is driven by the job's Schedule,
242/// exactly like inventory jobs, so operators get the full `when:` /
243/// rollout / `runs_on` expressiveness for free.
244///
245/// A check's stdout is a **free-form inventory object** (arbitrary
246/// key/value pairs + arrays) — same as any inventory job — that also
247/// carries a status field. `check:` adds only the health semantics on
248/// top: which field is the ok/warn/fail/unknown status, an optional
249/// one-line summary field, and a remediation job. Everything else
250/// (rich per-PC detail, `explode` sub-tables like a software list) is
251/// driven by a co-present [`InventoryHint`] and rendered with the
252/// SAME display logic the SPA Inventory page uses — on the Client App
253/// too. This keeps checks maximally expressive without a bespoke
254/// payload type.
255#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
256pub struct CheckHint {
257 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
258 /// the SPA/Client React key + analytics label. Unique within the
259 /// fleet's check set. Machine-friendly slug (`disk_space`,
260 /// `defender_rtp`); for the human-facing row title see [`label`].
261 ///
262 /// [`label`]: CheckHint::label
263 pub name: String,
264 /// Optional human-facing display title →
265 /// [`Check.label`](crate::ipc::state::Check). The Client App's
266 /// Health tab and the operator SPA's Compliance page render this
267 /// instead of the [`name`](CheckHint::name) slug when set
268 /// (`"ウイルス対策のリアルタイム保護"` reads better than
269 /// `defender_rtp`). Falls back to the slug when absent, so it's
270 /// purely additive. Author it in the check's language — there's no
271 /// per-locale variant; checks are operator-defined per fleet.
272 #[serde(default, skip_serializing_if = "Option::is_none")]
273 pub label: Option<String>,
274 /// Top-level stdout field whose string value
275 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
276 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
277 /// `"status"`; a missing / unparseable value → `unknown`.
278 #[serde(default = "default_status_field")]
279 pub status_field: String,
280 /// Top-level stdout field used as the Health-tab row's one-line
281 /// summary. Defaults to `"detail"`; absent in the payload → no
282 /// detail line (the rich breakdown lives in the inventory view).
283 #[serde(default = "default_detail_field")]
284 pub detail_field: String,
285 /// Optional remediation job id →
286 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
287 /// App shows a "修復する" button when present; that job must be
288 /// `user_invokable`.
289 #[serde(default, skip_serializing_if = "Option::is_none")]
290 pub troubleshoot: Option<String>,
291 /// #290 PR-E: when `true` (default), the backend also projects this
292 /// check's `status` / `detail` into the `check_status` table so the
293 /// operator SPA gets a fleet-wide compliance view for free — no
294 /// `inventory:` block needed. Set `fleet: false` for a client-only
295 /// check the operator doesn't want surfaced across the fleet.
296 #[serde(default = "default_fleet")]
297 pub fleet: bool,
298}
299
300fn default_status_field() -> String {
301 "status".to_string()
302}
303
304fn default_detail_field() -> String {
305 "detail".to_string()
306}
307
308fn default_fleet() -> bool {
309 true
310}
311
312/// Manifest sub-section (#291): marks a job as **user-invokable**
313/// from the Client App and carries how it presents to the end user.
314/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
315/// the block's presence is the opt-in (no separate boolean), and its
316/// required fields (`name`, `category`) are enforced by serde at
317/// parse time, so a half-filled catalog entry fails
318/// `kanade job create` instead of rendering a nameless / tab-less row.
319///
320/// The agent maps this 1:1 into the KLP
321/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
322/// that `jobs.list` returns; the Client App renders one row per job in
323/// the tab named by `category`.
324#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
325pub struct ClientHint {
326 /// End-user-facing title for the job row. The operator-internal
327 /// `Manifest::id` slug is rarely what an end user should read, so
328 /// this is required (and validated non-empty by
329 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
330 pub name: String,
331 /// Optional one-line subtitle under `name` in the Client App.
332 /// Distinct from the operator-facing top-level
333 /// [`Manifest::description`] — this one is written for the end
334 /// user. Maps to `UserInvokableJob::display_description`.
335 #[serde(default, skip_serializing_if = "Option::is_none")]
336 pub description: Option<String>,
337 /// Which Client App tab the job lives in (`software_update` →
338 /// アップデート, `troubleshoot` → 困ったとき, `catalog` → software
339 /// catalog). Required — without it the agent can't place the job
340 /// in a tab.
341 pub category: JobCategory,
342 /// Optional icon hint for the job row — a lucide-react icon name
343 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
344 /// category's default icon. Surfaced verbatim in
345 /// `jobs.list[].icon`.
346 #[serde(default, skip_serializing_if = "Option::is_none")]
347 pub icon: Option<String>,
348}
349
350/// Issue #246 — `emit:` manifest block for jobs whose stdout is
351/// NDJSON observability events (one `ObsEvent` per line). Parallel
352/// to `inventory:` but for the append-only timeline pipeline; see
353/// `Manifest::emit` for the full contract.
354#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
355pub struct EmitConfig {
356 /// What kind of payload the agent should expect on stdout. Only
357 /// `events` is defined today (parses each non-empty line as
358 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
359 /// (e.g. metrics streams, structured trace events) plug in here.
360 #[serde(rename = "type")]
361 pub kind: EmitKind,
362 /// Operator hint for where the script keeps its own state — the
363 /// watermark file the PowerShell / sh body reads + writes
364 /// between runs so it only emits NEW events since the last
365 /// poll. The agent doesn't read this; it's documentation that
366 /// the SPA (and `kanade job edit`) can surface to operators
367 /// reviewing the manifest. Optional; the script is allowed to
368 /// keep state anywhere (registry, env, etc.) — the field's
369 /// presence makes the convention discoverable.
370 #[serde(default, skip_serializing_if = "Option::is_none")]
371 pub watermark_path: Option<String>,
372}
373
374/// `emit.type` enum. Lowercase serde so manifests read
375/// `type: events` rather than `Events`.
376#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
377#[serde(rename_all = "lowercase")]
378pub enum EmitKind {
379 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
380 /// `obs.<pc_id>`, drops the stdout from the resulting
381 /// `ExecResult`.
382 Events,
383}
384
385/// v0.31 / #40: declarative "flatten this JSON array into a real
386/// SQLite table" spec on an inventory manifest. The projector
387/// creates the table on first registration (CREATE TABLE IF NOT
388/// EXISTS + indexes) and writes a row per element of
389/// `payload[field]` on every result, scoped by (pc_id, job_id) so
390/// each PC's rows replace cleanly without a per-PC schema.
391#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
392pub struct ExplodeSpec {
393 /// JSON array key under the payload to explode. E.g. `"apps"`
394 /// for `payload: { apps: [{...}, {...}] }`.
395 pub field: String,
396 /// Derived SQLite table name. Operators choose this — pick
397 /// something namespaced + stable (`inventory_sw_apps`, not
398 /// `apps`) so multiple inventory manifests don't collide on a
399 /// generic name.
400 pub table: String,
401 /// Element-level fields that uniquely identify a row inside one
402 /// PC's payload. The full PK is `(pc_id, job_id) + these
403 /// columns`. Required — operators must think about uniqueness
404 /// (e.g. `["name", "source"]` for installed apps because the
405 /// same name appears in multiple uninstall hives).
406 ///
407 /// v0.31 / #41: same tuple drives history identity. When
408 /// `track_history` is on, the projector serialises these
409 /// fields' values into `inventory_history.identity_json` for
410 /// every change event, so queries like "every PC that ever
411 /// installed Chrome (any source)" filter on identity_json
412 /// content without a per-manifest schema.
413 pub primary_key: Vec<String>,
414 /// Per-element fields that become columns in the derived table.
415 pub columns: Vec<ExplodeColumn>,
416 /// v0.31 / #41: when true (default false), the projector
417 /// diffs each PC's incoming payload against the prior rows
418 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
419 /// replace, and writes added / removed / changed events into
420 /// `inventory_history`. Lets operators answer time-dimension
421 /// questions ("when did Chrome 120 first appear on PC X?",
422 /// "what's the Win 11 23H2 rollout curve") without storing
423 /// per-scan snapshots. Off by default so operators opt in
424 /// per-spec — history has a real storage cost on long-lived
425 /// deployments (mitigated by the 90-day default retention
426 /// sweeper, see `cleanup` module).
427 #[serde(default)]
428 pub track_history: bool,
429}
430
431/// One column in an [`ExplodeSpec`]'s derived table.
432#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
433pub struct ExplodeColumn {
434 /// JSON key under each array element. Becomes the column name
435 /// in the derived SQLite table — we don't rename.
436 pub field: String,
437 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
438 /// Storage maps directly via `sqlx::query.bind(...)`; type
439 /// mismatches at INSERT-time fail loudly rather than silently
440 /// dropping the row.
441 #[serde(default, skip_serializing_if = "Option::is_none")]
442 #[serde(rename = "type")]
443 pub kind: Option<String>,
444 /// When true, the projector creates a `CREATE INDEX` on this
445 /// column at table-creation time. Boost for the common-filter
446 /// columns (`name`, `version`) — operators mark them
447 /// explicitly, the projector won't guess.
448 #[serde(default)]
449 pub index: bool,
450}
451
452#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
453pub struct DisplayField {
454 /// Top-level key in the stdout JSON.
455 pub field: String,
456 /// Human-readable column header.
457 pub label: String,
458 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
459 /// or `"table"` (#39). Defaults to plain text rendering on the
460 /// SPA side. `"table"` expects the field's value to be a JSON
461 /// array of objects and renders a nested sub-table on the
462 /// per-PC detail page using `columns` as the schema; the fleet
463 /// summary view falls back to showing the row count for
464 /// `"table"` cells so the wide list stays compact.
465 #[serde(default, skip_serializing_if = "Option::is_none")]
466 #[serde(rename = "type")]
467 pub kind: Option<String>,
468 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
469 /// field's value (an array of objects like
470 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
471 /// sub-table using these columns. Each column is itself a
472 /// `DisplayField`, so the nested cells reuse the same render
473 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
474 /// pipeline. Ignored for any other `kind`.
475 #[serde(default, skip_serializing_if = "Option::is_none")]
476 pub columns: Option<Vec<DisplayField>>,
477}
478
479#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
480pub struct Rollout {
481 #[serde(default)]
482 pub strategy: RolloutStrategy,
483 pub waves: Vec<Wave>,
484}
485
486#[derive(
487 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
488)]
489#[serde(rename_all = "lowercase")]
490pub enum RolloutStrategy {
491 #[default]
492 Wave,
493}
494
495#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
496pub struct Wave {
497 pub group: String,
498 /// humantime delay measured from the deploy's publish time. wave[0]
499 /// typically has "0s"; subsequent waves use minutes / hours.
500 pub delay: String,
501}
502
503#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
504pub struct Target {
505 #[serde(default)]
506 pub groups: Vec<String>,
507 #[serde(default)]
508 pub pcs: Vec<String>,
509 #[serde(default)]
510 pub all: bool,
511}
512
513impl Target {
514 /// At least one of all / groups / pcs is set.
515 pub fn is_specified(&self) -> bool {
516 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
517 }
518}
519
520#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
521pub struct Execute {
522 pub shell: ExecuteShell,
523 /// Inline script body. Mutually exclusive with [`script_file`]
524 /// and [`script_object`]; exactly one of the three must be set
525 /// (enforced by [`Execute::validate_script_source`] at the
526 /// write-side parse boundaries — `kanade job create` and
527 /// `POST /api/jobs`).
528 ///
529 /// Empty string is treated as **unset** so operators can swap
530 /// to a `script_file:` / `script_object:` alternative just by
531 /// commenting out the body, without having to also drop the
532 /// `script:` key entirely.
533 ///
534 /// [`script_file`]: Self::script_file
535 /// [`script_object`]: Self::script_object
536 #[serde(default, skip_serializing_if = "Option::is_none")]
537 pub script: Option<String>,
538 /// Repo-local file path resolved by the operator-side CLI at
539 /// `kanade job create` time. The CLI reads the file, slots its
540 /// contents into `script`, and clears this field before
541 /// POSTing — so the backend / agents never see `script_file`
542 /// in stored manifests. SPEC §2.4.1.
543 ///
544 /// Resolver lands in a follow-up PR
545 /// (yukimemi/kanade#210); today this field passes parse-time
546 /// validation but the operator-side CLI bails with "not yet
547 /// implemented" until the resolver ships, so manifests that
548 /// reach the backend with `script_file` set are treated as a
549 /// schema-bug.
550 #[serde(default, skip_serializing_if = "Option::is_none")]
551 pub script_file: Option<String>,
552 /// Object Store reference (`<name>/<version>`) into the
553 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
554 /// at Execute time via `/api/script-objects/{name}/{version}`
555 /// and cache it locally. SPEC §2.4.1.
556 ///
557 /// Fully wired (#210/#211): the backend resolves the digest at
558 /// exec submission (`api::exec::resolve_script_source`), the agent
559 /// fetches + sha-verifies + caches the body (`script_cache`), and
560 /// `kanade script` CRUDs the store. Unlike `script_file:` (inlined
561 /// CLI-side, git-managed), this keeps the body in versioned,
562 /// digest-pinned object storage — the ops-managed counterpart.
563 #[serde(default, skip_serializing_if = "Option::is_none")]
564 pub script_object: Option<String>,
565 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
566 /// — represents how long this script reasonably takes to run.
567 pub timeout: String,
568 /// Token + session combination the agent uses to launch the
569 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
570 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
571 #[serde(default)]
572 pub run_as: RunAs,
573 /// Working directory for the spawned child (v0.21.1). When
574 /// unset, the child inherits the agent's cwd — on Windows that
575 /// means `%SystemRoot%\System32` for the prod service, which is
576 /// almost never what operators actually want. Use an absolute
577 /// path; relative paths are passed through to the OS verbatim.
578 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
579 /// you'd want `%USERPROFILE%` (but expansion happens in the
580 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
581 /// it via teravars before `kanade job create`).
582 #[serde(default, skip_serializing_if = "Option::is_none")]
583 pub cwd: Option<String>,
584}
585
586impl Execute {
587 /// Treat an empty `script:` body as "intentionally unset". Operators
588 /// commenting out a block-scalar tend to leave the key behind, and
589 /// failing the validator on `script: ""` would surprise them.
590 fn has_inline_script(&self) -> bool {
591 matches!(&self.script, Some(s) if !s.is_empty())
592 }
593
594 /// Enforce that exactly one of `script` / `script_file` /
595 /// `script_object` is set. Called at the write-side parse
596 /// boundaries (CLI `kanade job create` + backend
597 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
598 /// reaches the JOBS KV. Read paths (projector, agent
599 /// scheduler, list endpoints) skip this check — they only ever
600 /// see what the write path already validated.
601 pub fn validate_script_source(&self) -> Result<(), String> {
602 let inline = self.has_inline_script();
603 let file = self.script_file.is_some();
604 let obj = self.script_object.is_some();
605 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
606 match set {
607 1 => Ok(()),
608 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
609 _ => Err(format!(
610 "execute: only one of `script` / `script_file` / `script_object` may be set \
611 (got script={inline}, script_file={file}, script_object={obj})"
612 )),
613 }
614 }
615}
616
617impl Manifest {
618 /// Cross-field semantic checks that don't fit into pure serde
619 /// derive. Currently delegates to
620 /// [`Execute::validate_script_source`] — see that method's
621 /// docs for the rationale on which call sites should run this.
622 pub fn validate(&self) -> Result<(), String> {
623 self.execute.validate_script_source()?;
624 // Stdout-format compatibility. `inventory:` and `check:` both
625 // consume the SAME single JSON object — they COMPOSE: a check
626 // can extract `status`/`detail` for the Health tab while the
627 // projector explodes the rest into SPA sub-tables. `emit:` is
628 // different — its stdout is NDJSON and the agent omits it from
629 // the result entirely — so it can't be paired with either.
630 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
631 return Err(
632 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
633 timeline events (and omitted from the result), while inventory/check read a \
634 single JSON object from stdout"
635 .to_string(),
636 );
637 }
638 // A check's `name` is the Health-tab row id (React key); the
639 // field names tell the agent where to read status/detail.
640 // An empty value is an invisible runtime bug, and the serde
641 // defaults don't guard an operator who writes `status_field:
642 // ""` explicitly — reject all three here.
643 if let Some(check) = &self.check {
644 for (label, value) in [
645 ("check.name", &check.name),
646 ("check.status_field", &check.status_field),
647 ("check.detail_field", &check.detail_field),
648 ] {
649 if value.trim().is_empty() {
650 return Err(format!("{label} must not be empty"));
651 }
652 }
653 // A present-but-blank `troubleshoot` is a broken
654 // remediation job id (the "修復する" button would target
655 // an empty manifest id) — reject it too.
656 if let Some(troubleshoot) = &check.troubleshoot {
657 if troubleshoot.trim().is_empty() {
658 return Err("check.troubleshoot must not be empty when set".to_string());
659 }
660 }
661 // A present-but-blank `label` would render an empty row
662 // title on the Health tab / Compliance page — reject it so
663 // the slug fallback only ever kicks in when label is absent.
664 if let Some(label) = &check.label {
665 if label.trim().is_empty() {
666 return Err("check.label must not be empty when set".to_string());
667 }
668 }
669 }
670 // #291: a `client:` job is rendered in the Client App's
671 // catalog (`jobs.list` → `jobs.execute`). serde already makes
672 // `name` + `category` required at parse time; the only gap is
673 // a present-but-blank `name`, which would render an empty row
674 // title — reject it like the other display-id fields.
675 if let Some(client) = &self.client {
676 if client.name.trim().is_empty() {
677 return Err("client.name must not be empty".to_string());
678 }
679 // Optional display fields, when present, must be
680 // meaningful: a blank `description` renders an empty
681 // subtitle and a blank `icon` is a dangling lucide name.
682 // Same present-but-blank guard the `check:` block applies
683 // to its optional `troubleshoot` id.
684 for (label, value) in [
685 ("client.description", &client.description),
686 ("client.icon", &client.icon),
687 ] {
688 if let Some(v) = value {
689 if v.trim().is_empty() {
690 return Err(format!("{label} must not be empty when set"));
691 }
692 }
693 }
694 }
695 // A blank / whitespace-only tag is an invisible operator typo
696 // that would render an empty filter chip on the Jobs page —
697 // reject it like the other present-but-blank display fields.
698 for tag in &self.tags {
699 if tag.trim().is_empty() {
700 return Err("tags must not contain empty entries".to_string());
701 }
702 }
703 Ok(())
704 }
705}
706
707#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
708#[serde(rename_all = "lowercase")]
709pub enum ExecuteShell {
710 Powershell,
711 Cmd,
712}
713
714impl From<ExecuteShell> for Shell {
715 fn from(s: ExecuteShell) -> Self {
716 match s {
717 ExecuteShell::Powershell => Shell::Powershell,
718 ExecuteShell::Cmd => Shell::Cmd,
719 }
720 }
721}
722
723#[cfg(test)]
724mod tests {
725 use super::*;
726
727 /// The example check-job + schedule YAMLs shipped under `configs/`
728 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
729 /// pins them at compile time so a breaking edit fails `cargo test`
730 /// rather than only `kanade job create` at deploy time.
731 #[test]
732 fn example_check_job_yamls_parse_and_validate() {
733 let jobs = [
734 (
735 "check-bitlocker",
736 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
737 ),
738 (
739 "check-av-signature",
740 include_str!("../../../configs/jobs/check-av-signature.yaml"),
741 ),
742 (
743 "check-cert-expiry",
744 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
745 ),
746 (
747 "check-disk-space",
748 include_str!("../../../configs/jobs/check-disk-space.yaml"),
749 ),
750 (
751 "check-pending-reboot",
752 include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
753 ),
754 (
755 "check-defender-rtp",
756 include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
757 ),
758 (
759 "check-firewall",
760 include_str!("../../../configs/jobs/check-firewall.yaml"),
761 ),
762 ];
763 for (name, yaml) in jobs {
764 let m: Manifest =
765 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
766 m.validate()
767 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
768 let check = m
769 .check
770 .as_ref()
771 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
772 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
773 // These examples all read admin-only WMI / registry / netsh
774 // state, so they run_as system. NOTE: that's a property of
775 // these particular checks, NOT of the `check:` contract — a
776 // check probing user-session state could run_as user.
777 assert_eq!(
778 m.execute.run_as,
779 RunAs::System,
780 "{name} should run_as system"
781 );
782 }
783 }
784
785 /// The example user-invokable job YAMLs (#291) shipped under
786 /// `configs/jobs/` must stay valid as the `client:` schema
787 /// evolves. `include_str!` pins them at compile time so a breaking
788 /// edit fails `cargo test`, not `kanade job create` at deploy.
789 #[test]
790 fn example_client_job_yamls_parse_and_validate() {
791 let jobs = [
792 (
793 "fix-teams-cache",
794 JobCategory::Troubleshoot,
795 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
796 ),
797 (
798 "chrome-update",
799 JobCategory::SoftwareUpdate,
800 include_str!("../../../configs/jobs/chrome-update.yaml"),
801 ),
802 (
803 "install-slack",
804 JobCategory::Catalog,
805 include_str!("../../../configs/jobs/install-slack.yaml"),
806 ),
807 (
808 "fix-defender-rtp",
809 JobCategory::Troubleshoot,
810 include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
811 ),
812 ];
813 for (id, category, yaml) in jobs {
814 let m: Manifest =
815 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
816 m.validate()
817 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
818 assert_eq!(m.id, id, "{id} id mismatch");
819 let client = m
820 .client
821 .as_ref()
822 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
823 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
824 assert_eq!(client.category, category, "{id} category");
825 }
826 }
827
828 /// The `emit: { type: events }` collector jobs under
829 /// `configs/jobs/` feed the obs_events timeline. `include_str!`
830 /// pins them at compile time so a breaking edit (e.g. an `emit:`
831 /// paired with `check:`/`inventory:`, a bad watermark field, or a
832 /// YAML typo in the PowerShell block) fails `cargo test` rather
833 /// than `kanade job create` at deploy. Every one must carry an
834 /// `emit.type=events` block and NO check/inventory (validate()
835 /// rejects the pairing).
836 #[test]
837 fn example_event_collector_job_yamls_parse_and_validate() {
838 let jobs = [
839 (
840 "collect-winlog-events",
841 include_str!("../../../configs/jobs/collect-winlog-events.yaml"),
842 ),
843 (
844 "collect-winlog-logons-all",
845 include_str!("../../../configs/jobs/collect-winlog-logons-all.yaml"),
846 ),
847 (
848 "collect-wlan-events",
849 include_str!("../../../configs/jobs/collect-wlan-events.yaml"),
850 ),
851 ];
852 for (id, yaml) in jobs {
853 // Strict parse so an unknown-key typo in these fixtures fails
854 // here (not silently at deploy) — the runtime Manifest is
855 // unknown-key-tolerant, so the lenient serde_yaml::from_str
856 // wouldn't catch fixture drift (CodeRabbit #689).
857 let m: Manifest =
858 crate::strict::from_yaml_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
859 m.validate()
860 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
861 assert_eq!(m.id, id, "{id} id mismatch");
862 let emit = m
863 .emit
864 .as_ref()
865 .unwrap_or_else(|| panic!("{id} must carry an emit: block"));
866 assert_eq!(emit.kind, EmitKind::Events, "{id} emit.type");
867 assert!(
868 m.check.is_none() && m.inventory.is_none(),
869 "{id}: emit jobs must not pair with check/inventory"
870 );
871 }
872 }
873
874 /// The `inventory:` snapshot jobs under `configs/jobs/` project
875 /// facts into `inventory_facts` + exploded tables. `include_str!`
876 /// pins them at compile time so a breaking edit (bad explode
877 /// schema, a YAML typo in the PowerShell block, an `inventory:`
878 /// accidentally paired with `emit:`) fails `cargo test` rather
879 /// than the projector at deploy. Each must carry an `inventory:`
880 /// block and NO emit (validate() rejects the pairing).
881 #[test]
882 fn example_inventory_job_yamls_parse_and_validate() {
883 let jobs = [
884 (
885 "inventory-hw",
886 include_str!("../../../configs/jobs/inventory-hw.yaml"),
887 ),
888 (
889 "inventory-sw",
890 include_str!("../../../configs/jobs/inventory-sw.yaml"),
891 ),
892 (
893 "inventory-driver",
894 include_str!("../../../configs/jobs/inventory-driver.yaml"),
895 ),
896 ];
897 for (id, yaml) in jobs {
898 let m: Manifest =
899 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
900 m.validate()
901 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
902 assert_eq!(m.id, id, "{id} id mismatch");
903 assert!(m.inventory.is_some(), "{id} must carry an inventory: block");
904 assert!(m.emit.is_none(), "{id}: inventory jobs must not set emit:");
905 }
906 }
907
908 #[test]
909 fn example_check_schedule_yamls_parse_and_validate() {
910 let schedules = [
911 (
912 "check-bitlocker",
913 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
914 ),
915 (
916 "check-av-signature",
917 include_str!("../../../configs/schedules/check-av-signature.yaml"),
918 ),
919 (
920 "check-cert-expiry",
921 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
922 ),
923 (
924 "check-disk-space",
925 include_str!("../../../configs/schedules/check-disk-space.yaml"),
926 ),
927 (
928 "check-pending-reboot",
929 include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
930 ),
931 (
932 "check-defender-rtp",
933 include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
934 ),
935 (
936 "check-firewall",
937 include_str!("../../../configs/schedules/check-firewall.yaml"),
938 ),
939 ];
940 for (name, yaml) in schedules {
941 let s: Schedule =
942 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
943 s.validate()
944 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
945 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
946 }
947 }
948
949 /// Inventory schedule wrappers (`per_pc` cadence) must stay valid
950 /// alongside the schedule schema. `include_str!` pins them so a
951 /// breaking edit fails `cargo test`, not `kanade schedule create`.
952 #[test]
953 fn example_inventory_schedule_yamls_parse_and_validate() {
954 let schedules = [
955 (
956 "inventory-hw",
957 include_str!("../../../configs/schedules/inventory-hw.yaml"),
958 ),
959 (
960 "inventory-sw",
961 include_str!("../../../configs/schedules/inventory-sw.yaml"),
962 ),
963 (
964 "inventory-driver",
965 include_str!("../../../configs/schedules/inventory-driver.yaml"),
966 ),
967 ];
968 for (name, yaml) in schedules {
969 let s: Schedule =
970 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
971 s.validate()
972 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
973 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
974 }
975 }
976
977 #[test]
978 fn target_is_specified_requires_at_least_one_field() {
979 let empty = Target::default();
980 assert!(!empty.is_specified());
981
982 let with_all = Target {
983 all: true,
984 ..Target::default()
985 };
986 assert!(with_all.is_specified());
987
988 let with_groups = Target {
989 groups: vec!["canary".into()],
990 ..Target::default()
991 };
992 assert!(with_groups.is_specified());
993
994 let with_pcs = Target {
995 pcs: vec!["pc-01".into()],
996 ..Target::default()
997 };
998 assert!(with_pcs.is_specified());
999 }
1000
1001 #[test]
1002 fn manifest_deserialises_minimal_yaml() {
1003 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
1004 // — those live on the schedule / exec request now.
1005 let yaml = r#"
1006id: echo-test
1007version: 0.0.1
1008execute:
1009 shell: powershell
1010 script: "echo 'kanade'"
1011 timeout: 30s
1012"#;
1013 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1014 assert_eq!(m.id, "echo-test");
1015 assert_eq!(m.version, "0.0.1");
1016 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
1017 assert_eq!(
1018 m.execute.script.as_deref().map(str::trim),
1019 Some("echo 'kanade'")
1020 );
1021 assert!(m.execute.script_file.is_none());
1022 assert!(m.execute.script_object.is_none());
1023 assert_eq!(m.execute.timeout, "30s");
1024 assert!(!m.require_approval);
1025 m.validate()
1026 .expect("inline-script manifest passes validation");
1027 }
1028
1029 #[test]
1030 fn manifest_parses_check_job_and_validates() {
1031 // An operator-defined health check (#290): a `check:` hint +
1032 // a PowerShell script that prints {status, detail}.
1033 let yaml = r#"
1034id: check-bitlocker
1035version: 0.1.0
1036execute:
1037 shell: powershell
1038 run_as: system
1039 timeout: 15s
1040 script: |
1041 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
1042check:
1043 name: bitlocker
1044 troubleshoot: fix-bitlocker
1045"#;
1046 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1047 let check = m.check.as_ref().expect("check hint present");
1048 assert_eq!(check.name, "bitlocker");
1049 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
1050 // Field names default to the conventional "status" / "detail".
1051 assert_eq!(check.status_field, "status");
1052 assert_eq!(check.detail_field, "detail");
1053 assert!(m.inventory.is_none() && m.emit.is_none());
1054 m.validate().expect("check-only manifest passes validation");
1055 }
1056
1057 #[test]
1058 fn manifest_check_defaults_and_custom_fields() {
1059 // Minimal: only `name`; status/detail fields default.
1060 let m: Manifest = serde_yaml::from_str(
1061 r#"
1062id: check-disk
1063version: 0.1.0
1064execute:
1065 shell: powershell
1066 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
1067 timeout: 10s
1068check:
1069 name: disk_free
1070"#,
1071 )
1072 .expect("parse");
1073 let c = m.check.as_ref().unwrap();
1074 assert_eq!(c.name, "disk_free");
1075 assert_eq!(c.status_field, "status");
1076 assert_eq!(c.detail_field, "detail");
1077 assert!(c.troubleshoot.is_none());
1078 m.validate().expect("validates");
1079
1080 // The operator can point status/detail at any field of their
1081 // free-form inventory object.
1082 let m2: Manifest = serde_yaml::from_str(
1083 r#"
1084id: check-custom
1085version: 0.1.0
1086execute:
1087 shell: powershell
1088 script: "echo x"
1089 timeout: 10s
1090check:
1091 name: patch_level
1092 status_field: compliance
1093 detail_field: summary
1094"#,
1095 )
1096 .expect("parse");
1097 let c2 = m2.check.as_ref().unwrap();
1098 assert_eq!(c2.status_field, "compliance");
1099 assert_eq!(c2.detail_field, "summary");
1100 }
1101
1102 #[test]
1103 fn manifest_allows_check_composed_with_inventory() {
1104 // `check:` + `inventory:` COMPOSE on the same stdout object:
1105 // status/detail → Health tab, the rest → SPA projection +
1106 // explode sub-tables. Must pass validation.
1107 let yaml = r#"
1108id: check-bitlocker-detailed
1109version: 0.1.0
1110execute:
1111 shell: powershell
1112 script: "echo x"
1113 timeout: 10s
1114check:
1115 name: bitlocker
1116inventory:
1117 display:
1118 - { field: status, label: Status }
1119"#;
1120 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1121 assert!(m.check.is_some() && m.inventory.is_some());
1122 m.validate().expect("check + inventory compose");
1123 }
1124
1125 #[test]
1126 fn manifest_rejects_check_combined_with_emit() {
1127 // `emit:` stdout is NDJSON (and omitted from the result), so
1128 // it can't pair with `check:` (which needs a single JSON
1129 // object on stdout).
1130 let yaml = r#"
1131id: bad-mix
1132version: 0.1.0
1133execute:
1134 shell: powershell
1135 script: "echo x"
1136 timeout: 10s
1137check:
1138 name: bitlocker
1139emit:
1140 type: events
1141"#;
1142 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1143 let err = m.validate().expect_err("emit + check must fail");
1144 assert!(err.contains("incompatible"), "err: {err}");
1145 }
1146
1147 #[test]
1148 fn manifest_rejects_emit_combined_with_inventory() {
1149 // The other half of the emit-incompatibility condition.
1150 let yaml = r#"
1151id: bad-mix-2
1152version: 0.1.0
1153execute:
1154 shell: powershell
1155 script: "echo x"
1156 timeout: 10s
1157emit:
1158 type: events
1159inventory:
1160 display:
1161 - { field: status, label: Status }
1162"#;
1163 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1164 let err = m.validate().expect_err("emit + inventory must fail");
1165 assert!(err.contains("incompatible"), "err: {err}");
1166 }
1167
1168 #[test]
1169 fn manifest_rejects_empty_check_field_names() {
1170 // Empty name / status_field / detail_field are invisible
1171 // runtime bugs (empty React key, agent reads the wrong field)
1172 // — reject them even though serde supplies non-empty defaults.
1173 let base = |inner: &str| {
1174 format!(
1175 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
1176 )
1177 };
1178 for inner in [
1179 " name: \"\"\n",
1180 " name: ok\n status_field: \"\"\n",
1181 " name: ok\n detail_field: \" \"\n",
1182 // present-but-blank troubleshoot → broken remediation id.
1183 " name: ok\n troubleshoot: \" \"\n",
1184 ] {
1185 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
1186 let err = m.validate().expect_err("empty field must fail");
1187 assert!(err.contains("must not be empty"), "err: {err}");
1188 }
1189 }
1190
1191 #[test]
1192 fn manifest_client_absent_by_default() {
1193 // A plain operator job (the overwhelming majority) carries no
1194 // `client:` block, so it never surfaces in the end-user
1195 // catalog.
1196 let yaml = r#"
1197id: echo-test
1198version: 0.0.1
1199execute:
1200 shell: powershell
1201 script: "echo 'kanade'"
1202 timeout: 30s
1203"#;
1204 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1205 assert!(m.client.is_none());
1206 m.validate().expect("operator-only job validates");
1207 }
1208
1209 #[test]
1210 fn manifest_client_parses_and_validates() {
1211 // The Client App "困ったとき" remediation job shape: a
1212 // user-invokable troubleshoot job with the end-user fields the
1213 // KLP `jobs.list` wire needs, grouped under `client:`.
1214 let yaml = r#"
1215id: fix-teams-cache
1216version: 1.0.0
1217execute:
1218 shell: powershell
1219 script: "echo clearing"
1220 timeout: 60s
1221client:
1222 name: "Teams のキャッシュをクリア"
1223 description: "Teams が重いときに試してください"
1224 category: troubleshoot
1225 icon: brush-cleaning
1226"#;
1227 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1228 let c = m.client.as_ref().expect("client block present");
1229 assert_eq!(c.name, "Teams のキャッシュをクリア");
1230 assert_eq!(
1231 c.description.as_deref(),
1232 Some("Teams が重いときに試してください")
1233 );
1234 assert_eq!(c.category, JobCategory::Troubleshoot);
1235 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
1236 m.validate().expect("user-invokable job validates");
1237 }
1238
1239 #[test]
1240 fn manifest_client_minimal_only_name_and_category() {
1241 // description + icon are optional; name + category are the
1242 // serde-required minimum.
1243 let yaml = r#"
1244id: install-slack
1245version: 1.0.0
1246execute:
1247 shell: powershell
1248 script: "echo install"
1249 timeout: 600s
1250client:
1251 name: Slack
1252 category: catalog
1253"#;
1254 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1255 let c = m.client.as_ref().expect("client present");
1256 assert_eq!(c.category, JobCategory::Catalog);
1257 assert!(c.description.is_none() && c.icon.is_none());
1258 m.validate().expect("minimal client validates");
1259 }
1260
1261 #[test]
1262 fn manifest_client_rejects_blank_name() {
1263 // serde guarantees `name`/`category` are present; the one gap
1264 // is a present-but-blank name → empty catalog row title.
1265 let yaml = r#"
1266id: j
1267version: 1.0.0
1268execute:
1269 shell: powershell
1270 script: "echo x"
1271 timeout: 30s
1272client:
1273 name: " "
1274 category: catalog
1275"#;
1276 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1277 let err = m.validate().expect_err("blank name must fail");
1278 assert!(err.contains("client.name"), "err: {err}");
1279 }
1280
1281 #[test]
1282 fn manifest_client_rejects_blank_optional_fields() {
1283 // description / icon are optional, but a present-but-blank
1284 // value is a bug (empty subtitle / dangling icon name) — reject
1285 // it, mirroring the check: block's troubleshoot guard.
1286 for (field, line) in [
1287 ("client.description", " description: \" \"\n"),
1288 ("client.icon", " icon: \"\"\n"),
1289 ] {
1290 let yaml = format!(
1291 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
1292 );
1293 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1294 let err = m.validate().expect_err("blank optional field must fail");
1295 assert!(err.contains(field), "expected {field} in err: {err}");
1296 }
1297 }
1298
1299 #[test]
1300 fn manifest_client_requires_category_at_parse() {
1301 // A `client:` block missing `category` is a hard parse error
1302 // (serde required field) — no manual validate() needed.
1303 let yaml = r#"
1304id: j
1305version: 1.0.0
1306execute:
1307 shell: powershell
1308 script: "echo x"
1309 timeout: 30s
1310client:
1311 name: "A job"
1312"#;
1313 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
1314 assert!(
1315 r.is_err(),
1316 "missing category must be a parse error, got {r:?}"
1317 );
1318 }
1319
1320 #[test]
1321 fn manifest_client_rejects_unknown_field() {
1322 // #492: the strict create boundary catches a fat-fingered
1323 // `displayname:` (with its path) instead of silently
1324 // dropping it; the tolerant read path accepts it.
1325 let yaml = r#"
1326id: j
1327version: 1.0.0
1328execute:
1329 shell: powershell
1330 script: "echo x"
1331 timeout: 30s
1332client:
1333 name: "A job"
1334 category: catalog
1335 displayname: oops
1336"#;
1337 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
1338 let err = r.expect_err("unknown client field must be rejected at the write boundary");
1339 // serde_ignored renders the Option layer as `?`:
1340 // `client.?.displayname`. Assert on the leaf key.
1341 assert!(err.contains("displayname"), "{err}");
1342 // The READ path tolerates the same payload (gradual-upgrade
1343 // contract: an old agent must accept a newer writer's field).
1344 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
1345 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
1346 }
1347
1348 #[test]
1349 fn manifest_tags_default_empty() {
1350 // The overwhelming majority of jobs carry no tags; the field
1351 // must default to an empty Vec (not fail to parse) and skip
1352 // serialisation so old readers never see the key.
1353 let yaml = r#"
1354id: echo-test
1355version: 0.0.1
1356execute:
1357 shell: powershell
1358 script: "echo 'kanade'"
1359 timeout: 30s
1360"#;
1361 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1362 assert!(m.tags.is_empty());
1363 m.validate().expect("tag-less job validates");
1364 // skip_serializing_if = empty ⇒ the key is absent from JSON.
1365 let json = serde_json::to_string(&m).expect("serialize");
1366 assert!(
1367 !json.contains("tags"),
1368 "empty tags must not serialise: {json}"
1369 );
1370 }
1371
1372 #[test]
1373 fn manifest_parses_and_validates_tags() {
1374 let yaml = r#"
1375id: check-bitlocker
1376version: 0.1.0
1377execute:
1378 shell: powershell
1379 script: "echo x"
1380 timeout: 30s
1381tags: [security, windows, health-check]
1382"#;
1383 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1384 assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
1385 m.validate().expect("tagged job validates");
1386 // Round-trips through JSON (the wire format the SPA reads).
1387 let json = serde_json::to_string(&m).expect("serialize");
1388 assert!(json.contains("\"tags\""), "non-empty tags must serialise");
1389 }
1390
1391 #[test]
1392 fn manifest_rejects_blank_tag() {
1393 // A whitespace-only tag renders an empty filter chip — reject
1394 // it at the write boundary like the other blank display fields.
1395 let yaml = r#"
1396id: j
1397version: 0.1.0
1398execute:
1399 shell: powershell
1400 script: "echo x"
1401 timeout: 30s
1402tags: [ok, " "]
1403"#;
1404 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1405 let err = m.validate().expect_err("blank tag must fail");
1406 assert!(err.contains("tags must not contain empty"), "err: {err}");
1407 }
1408
1409 fn execute_with(
1410 script: Option<&str>,
1411 script_file: Option<&str>,
1412 script_object: Option<&str>,
1413 ) -> Execute {
1414 Execute {
1415 shell: ExecuteShell::Powershell,
1416 script: script.map(str::to_owned),
1417 script_file: script_file.map(str::to_owned),
1418 script_object: script_object.map(str::to_owned),
1419 timeout: "30s".into(),
1420 run_as: RunAs::default(),
1421 cwd: None,
1422 }
1423 }
1424
1425 #[test]
1426 fn validate_accepts_inline_script() {
1427 let e = execute_with(Some("echo hi"), None, None);
1428 assert!(e.validate_script_source().is_ok());
1429 }
1430
1431 #[test]
1432 fn validate_accepts_script_file_alone() {
1433 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
1434 assert!(e.validate_script_source().is_ok());
1435 }
1436
1437 #[test]
1438 fn validate_accepts_script_object_alone() {
1439 let e = execute_with(None, None, Some("cleanup/1.0.0"));
1440 assert!(e.validate_script_source().is_ok());
1441 }
1442
1443 #[test]
1444 fn validate_treats_empty_inline_script_as_unset() {
1445 // `script: ""` + `script_object` set is the natural shape
1446 // when an operator comments out the YAML block-scalar body
1447 // but leaves the key. Should pass.
1448 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
1449 assert!(e.validate_script_source().is_ok());
1450 }
1451
1452 #[test]
1453 fn validate_rejects_zero_sources() {
1454 let e = execute_with(None, None, None);
1455 let err = e.validate_script_source().unwrap_err();
1456 assert!(err.contains("must be set"), "got: {err}");
1457 }
1458
1459 #[test]
1460 fn validate_rejects_empty_inline_only() {
1461 let e = execute_with(Some(""), None, None);
1462 let err = e.validate_script_source().unwrap_err();
1463 assert!(err.contains("must be set"), "got: {err}");
1464 }
1465
1466 #[test]
1467 fn validate_rejects_inline_plus_file() {
1468 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
1469 let err = e.validate_script_source().unwrap_err();
1470 assert!(err.contains("only one of"), "got: {err}");
1471 }
1472
1473 #[test]
1474 fn validate_rejects_inline_plus_object() {
1475 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
1476 let err = e.validate_script_source().unwrap_err();
1477 assert!(err.contains("only one of"), "got: {err}");
1478 }
1479
1480 #[test]
1481 fn validate_rejects_file_plus_object() {
1482 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
1483 let err = e.validate_script_source().unwrap_err();
1484 assert!(err.contains("only one of"), "got: {err}");
1485 }
1486
1487 #[test]
1488 fn validate_rejects_all_three() {
1489 let e = execute_with(
1490 Some("echo hi"),
1491 Some("scripts/cleanup.ps1"),
1492 Some("cleanup/1.0.0"),
1493 );
1494 let err = e.validate_script_source().unwrap_err();
1495 assert!(err.contains("only one of"), "got: {err}");
1496 }
1497
1498 #[test]
1499 fn manifest_deserialises_script_object_yaml() {
1500 // SPEC §2.4.1 example shape with the Object Store
1501 // reference picked over inline.
1502 let yaml = r#"
1503id: cleanup-disk-temp
1504version: 1.0.1
1505execute:
1506 shell: powershell
1507 script_object: cleanup-disk-temp/1.0.1
1508 timeout: 600s
1509"#;
1510 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1511 assert_eq!(
1512 m.execute.script_object.as_deref(),
1513 Some("cleanup-disk-temp/1.0.1")
1514 );
1515 assert!(m.execute.script.is_none());
1516 m.validate()
1517 .expect("script_object-only manifest passes validation");
1518 }
1519
1520 #[test]
1521 fn manifest_rejects_typo_in_script_field_name() {
1522 // #492: the strict create boundary catches `script_objectt`
1523 // and similar fat-fingers (with the full path) instead of
1524 // letting them silently fall through to "all three unset".
1525 let yaml = r#"
1526id: typo
1527version: 1.0.0
1528execute:
1529 shell: powershell
1530 script_objectt: oops
1531 timeout: 30s
1532"#;
1533 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
1534 .expect_err("typo'd execute field must be rejected at the write boundary");
1535 assert!(err.contains("execute.script_objectt"), "{err}");
1536 }
1537
1538 #[test]
1539 fn schedule_carries_target_and_rollout() {
1540 let yaml = r#"
1541id: hourly-cleanup-canary
1542when:
1543 per_pc: { every: 1h }
1544job_id: cleanup
1545enabled: true
1546target:
1547 groups: [canary, wave1]
1548jitter: 30s
1549rollout:
1550 strategy: wave
1551 waves:
1552 - { group: canary, delay: 0s }
1553 - { group: wave1, delay: 5s }
1554"#;
1555 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1556 assert_eq!(s.id, "hourly-cleanup-canary");
1557 assert_eq!(s.job_id, "cleanup");
1558 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
1559 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
1560 let rollout = s.plan.rollout.expect("rollout present");
1561 assert_eq!(rollout.waves.len(), 2);
1562 assert_eq!(rollout.waves[0].group, "canary");
1563 assert_eq!(rollout.waves[1].delay, "5s");
1564 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
1565 }
1566
1567 #[test]
1568 fn schedule_minimal_target_all() {
1569 let yaml = r#"
1570id: kitting
1571when:
1572 per_pc: once
1573enabled: true
1574job_id: scheduled-echo
1575target: { all: true }
1576"#;
1577 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1578 assert_eq!(s.id, "kitting");
1579 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
1580 assert!(s.enabled);
1581 assert_eq!(s.job_id, "scheduled-echo");
1582 assert!(s.plan.target.all);
1583 assert!(s.plan.rollout.is_none());
1584 assert!(s.plan.jitter.is_none());
1585 assert!(s.active.is_empty());
1586 }
1587
1588 #[test]
1589 fn schedule_enabled_defaults_to_true() {
1590 let yaml = r#"
1591id: x
1592when:
1593 per_pc: once
1594job_id: y
1595target: { all: true }
1596"#;
1597 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1598 assert!(s.enabled);
1599 }
1600
1601 #[test]
1602 fn schedule_tags_default_empty_and_skip_serialise() {
1603 let yaml = r#"
1604id: x
1605when:
1606 per_pc: once
1607job_id: y
1608target: { all: true }
1609"#;
1610 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1611 assert!(s.tags.is_empty());
1612 s.validate().expect("tag-less schedule validates");
1613 let json = serde_json::to_string(&s).expect("serialize");
1614 assert!(
1615 !json.contains("tags"),
1616 "empty tags must not serialise: {json}"
1617 );
1618 }
1619
1620 #[test]
1621 fn schedule_parses_and_validates_tags() {
1622 let yaml = r#"
1623id: weekly-cleanup
1624when:
1625 per_pc: { every: 1h }
1626job_id: cleanup
1627target: { all: true }
1628tags: [weekly, maintenance]
1629"#;
1630 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1631 assert_eq!(s.tags, vec!["weekly", "maintenance"]);
1632 s.validate().expect("tagged schedule validates");
1633 }
1634
1635 #[test]
1636 fn schedule_rejects_blank_tag() {
1637 let yaml = r#"
1638id: x
1639when:
1640 per_pc: once
1641job_id: y
1642target: { all: true }
1643tags: [ok, " "]
1644"#;
1645 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1646 let err = s.validate().expect_err("blank tag must fail");
1647 assert!(err.contains("tags must not contain empty"), "err: {err}");
1648 }
1649
1650 // ---- `when` parsing (#418 Phase 1) ----
1651
1652 fn schedule_yaml_with(when_block: &str) -> String {
1653 format!(
1654 r#"
1655id: x
1656when:
1657{when_block}
1658job_id: y
1659target: {{ all: true }}
1660"#
1661 )
1662 }
1663
1664 #[test]
1665 fn when_per_pc_every_parses_unquoted_humantime() {
1666 // `6h` is digit-led but non-numeric → YAML string, same as
1667 // the old `cooldown: 6h` convention. No quotes needed.
1668 let s: Schedule =
1669 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
1670 assert_eq!(
1671 s.when,
1672 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
1673 );
1674 }
1675
1676 #[test]
1677 fn when_per_target_every_parses() {
1678 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
1679 .expect("parse");
1680 assert_eq!(
1681 s.when,
1682 When::PerTarget(PerPolicy::Every(EverySpec {
1683 every: "24h".into()
1684 }))
1685 );
1686 }
1687
1688 #[test]
1689 fn when_per_target_once_parses() {
1690 // Falls out of the shared PerPolicy shape and decide_fire
1691 // already implements it ("any one pc succeeds → skip the
1692 // target forever"), so it is allowed, not rejected.
1693 let s: Schedule =
1694 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
1695 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
1696 }
1697
1698 #[test]
1699 fn when_calendar_time_parses() {
1700 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
1701 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
1702 ))
1703 .expect("parse");
1704 match &s.when {
1705 When::Calendar(c) => {
1706 assert_eq!(c.at, "09:00");
1707 assert_eq!(c.days, vec!["mon-fri"]);
1708 }
1709 other => panic!("expected calendar, got {other:?}"),
1710 }
1711 }
1712
1713 #[test]
1714 fn when_calendar_days_default_empty() {
1715 let s: Schedule =
1716 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
1717 .expect("parse");
1718 match &s.when {
1719 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
1720 other => panic!("expected calendar, got {other:?}"),
1721 }
1722 }
1723
1724 #[test]
1725 fn when_calendar_datetime_parses_all_separators() {
1726 // one-shot: date+time in hyphen / ISO-T / slash forms
1727 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
1728 let block = format!(" calendar:\n at: \"{at}\"");
1729 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
1730 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
1731 match &s.when {
1732 When::Calendar(c) => {
1733 use chrono::Datelike;
1734 let p = c.parse_at().expect("parse_at");
1735 let d = p.date.expect("datetime at carries a date");
1736 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
1737 }
1738 other => panic!("expected calendar, got {other:?}"),
1739 }
1740 }
1741 }
1742
1743 #[test]
1744 fn when_rejects_bad_once_keyword() {
1745 // `onec` must be a parse error, not a silently-absorbed
1746 // string (OnceLiteral is a single-variant enum for exactly
1747 // this reason).
1748 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
1749 assert!(r.is_err(), "expected parse error, got {r:?}");
1750 }
1751
1752 #[test]
1753 fn when_rejects_unknown_key_in_every() {
1754 // `{ evry: 6h }` still fails on the tolerant read path: the
1755 // required `every` key is missing, so no PerPolicy variant
1756 // matches (#492 removed deny_unknown_fields, but required
1757 // keys keep the untagged disambiguation honest).
1758 let r: Result<Schedule, _> =
1759 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
1760 assert!(r.is_err(), "expected parse error, got {r:?}");
1761 }
1762
1763 #[test]
1764 fn when_rejects_unknown_variant() {
1765 let r: Result<Schedule, _> =
1766 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
1767 assert!(r.is_err(), "expected parse error, got {r:?}");
1768 }
1769
1770 #[test]
1771 fn when_rejects_old_top_level_cron_field() {
1772 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
1773 // loudly (missing `when`), which is what turns stale KV
1774 // blobs into warn-skips after the upgrade.
1775 let yaml = r#"
1776id: x
1777cron: "* * * * * *"
1778job_id: y
1779target: { all: true }
1780"#;
1781 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
1782 assert!(r.is_err(), "expected parse error, got {r:?}");
1783 }
1784
1785 #[test]
1786 fn when_rejects_retired_cron_escape_hatch() {
1787 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
1788 // is now an unknown variant → parse error (operators use the
1789 // calendar form instead).
1790 let r: Result<Schedule, _> =
1791 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
1792 assert!(
1793 r.is_err(),
1794 "expected parse error for retired cron, got {r:?}"
1795 );
1796 }
1797
1798 #[test]
1799 fn when_round_trips_json_and_yaml() {
1800 // Round-trip through the full Schedule: that is the wire
1801 // unit for both stores (JSON catalog KV + YAML mirror), and
1802 // it exercises the singleton_map field attribute that keeps
1803 // serde_yaml on the map shape instead of `!per_pc` tags.
1804 for when in [
1805 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1806 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1807 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1808 When::PerTarget(PerPolicy::Every(EverySpec {
1809 every: "24h".into(),
1810 })),
1811 calendar("09:00", &["mon-fri"]),
1812 calendar("2026-06-10 09:00", &[]),
1813 When::On(vec![OnTrigger::Startup]),
1814 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
1815 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
1816 When::On(vec![OnTrigger::NetworkChange]),
1817 ] {
1818 // Event triggers are agent-only; the rest validate on backend.
1819 let runs_on = if matches!(when, When::On(_)) {
1820 RunsOn::Agent
1821 } else {
1822 RunsOn::Backend
1823 };
1824 let s = schedule_with(when.clone(), runs_on);
1825
1826 let json = serde_json::to_string(&s).expect("json serialise");
1827 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
1828 assert_eq!(back.when, when, "json round-trip for {when}");
1829
1830 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
1831 assert!(
1832 !yaml.contains('!'),
1833 "yaml must use the map shape, not tags: {yaml}"
1834 );
1835 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
1836 assert_eq!(back.when, when, "yaml round-trip for {when}");
1837 }
1838 }
1839
1840 #[test]
1841 fn when_once_serialises_as_bare_keyword() {
1842 // The wire shape operators see in the YAML mirror must stay
1843 // the ergonomic `per_pc: once`, not a one-variant map.
1844 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
1845 .expect("serialise");
1846 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
1847 }
1848
1849 #[test]
1850 fn when_displays_operator_summary() {
1851 for (when, expected) in [
1852 (
1853 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1854 "per_pc once",
1855 ),
1856 (
1857 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1858 "per_pc every 6h",
1859 ),
1860 (
1861 When::PerTarget(PerPolicy::Every(EverySpec {
1862 every: "24h".into(),
1863 })),
1864 "per_target every 24h",
1865 ),
1866 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
1867 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
1868 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
1869 (
1870 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
1871 "on [startup,logon]",
1872 ),
1873 (
1874 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
1875 "on [lock,unlock]",
1876 ),
1877 (
1878 When::On(vec![OnTrigger::NetworkChange]),
1879 "on [network_change]",
1880 ),
1881 ] {
1882 assert_eq!(when.to_string(), expected);
1883 }
1884 }
1885
1886 // ---- lowering (#418: when → engine vocabulary) ----
1887
1888 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
1889 Schedule {
1890 id: "x".into(),
1891 when,
1892 job_id: "y".into(),
1893 plan: FanoutPlan::default(),
1894 active: Active::default(),
1895 constraints: Constraints::default(),
1896 on_failure: OnFailure::default(),
1897 tz: ScheduleTz::default(),
1898 starting_deadline: None,
1899 runs_on,
1900 enabled: true,
1901 tags: Vec::new(),
1902 origin: None,
1903 }
1904 }
1905
1906 fn calendar(at: &str, days: &[&str]) -> When {
1907 When::Calendar(CalendarSpec {
1908 at: at.into(),
1909 days: days.iter().map(|d| (*d).to_string()).collect(),
1910 })
1911 }
1912
1913 #[test]
1914 fn next_calendar_fire_returns_next_utc_occurrence() {
1915 use chrono::TimeZone;
1916 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
1917 // next strict occurrence is 09:00 that day.
1918 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
1919 s.tz = ScheduleTz::Utc;
1920 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
1921 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
1922 assert_eq!(
1923 next,
1924 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
1925 );
1926 }
1927
1928 #[test]
1929 fn next_calendar_fire_is_strictly_after_now() {
1930 use chrono::TimeZone;
1931 // Standing exactly on a fire instant must preview the *next*
1932 // one (inclusive = false), not the one firing right now.
1933 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
1934 s.tz = ScheduleTz::Utc;
1935 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
1936 let next = s
1937 .next_calendar_fire(on_fire)
1938 .expect("calendar has a next fire");
1939 assert_eq!(
1940 next,
1941 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
1942 );
1943 }
1944
1945 #[test]
1946 fn next_calendar_fire_none_for_reconcile_shapes() {
1947 // `per_pc` / `per_target` lower to the every-minute poll cron —
1948 // no discrete upcoming event to preview, so `None`.
1949 let now = chrono::Utc::now();
1950 for when in [
1951 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
1952 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
1953 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
1954 When::PerTarget(PerPolicy::Every(EverySpec {
1955 every: "24h".into(),
1956 })),
1957 ] {
1958 let s = schedule_with(when, RunsOn::Backend);
1959 assert!(
1960 s.next_calendar_fire(now).is_none(),
1961 "reconcile shapes have no calendar fire",
1962 );
1963 }
1964 }
1965
1966 // ---- preview_fires (#418 dry-run / preview) ----
1967
1968 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
1969 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
1970 s.tz = ScheduleTz::Utc; // host-independent assertions
1971 s
1972 }
1973
1974 #[test]
1975 fn preview_lists_next_calendar_occurrences() {
1976 use chrono::TimeZone;
1977 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
1978 // fires skip the weekend (Sat 13 / Sun 14).
1979 let s = cal_utc("09:00", &["mon-fri"]);
1980 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
1981 let got = s.preview_fires(now, 5);
1982 let want: Vec<_> = [
1983 (2026, 6, 10), // Wed
1984 (2026, 6, 11), // Thu
1985 (2026, 6, 12), // Fri
1986 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
1987 (2026, 6, 16), // Tue
1988 ]
1989 .iter()
1990 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
1991 .collect();
1992 assert_eq!(got, want);
1993 }
1994
1995 #[test]
1996 fn preview_handles_nth_and_last_weekday() {
1997 use chrono::TimeZone;
1998 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
1999 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
2000 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
2001 assert_eq!(
2002 nth,
2003 vec![
2004 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
2005 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
2006 ]
2007 );
2008 // Last Friday of the month: Jun 26, Jul 31 2026.
2009 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
2010 assert_eq!(
2011 last,
2012 vec![
2013 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
2014 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
2015 ]
2016 );
2017 }
2018
2019 #[test]
2020 fn preview_is_empty_for_reconcile_and_zero_count() {
2021 let now = chrono::Utc::now();
2022 // reconcile shapes have no discrete fire times
2023 let recon = schedule_with(
2024 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2025 RunsOn::Backend,
2026 );
2027 assert!(recon.preview_fires(now, 5).is_empty());
2028 // count == 0 yields nothing even for a calendar
2029 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
2030 }
2031
2032 #[test]
2033 fn preview_skips_outside_active_window() {
2034 use chrono::TimeZone;
2035 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
2036 // before `from` are skipped; `until` is exclusive, so 06-17's
2037 // fire is out — leaving exactly the 15th and 16th.
2038 let mut s = cal_utc("09:00", &[]);
2039 s.active = Active {
2040 from: Some("2026-06-15".into()),
2041 until: Some("2026-06-17".into()),
2042 };
2043 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2044 let got = s.preview_fires(now, 5);
2045 assert_eq!(
2046 got,
2047 vec![
2048 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
2049 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
2050 ]
2051 );
2052 }
2053
2054 #[test]
2055 fn preview_empty_when_calendar_time_outside_window() {
2056 use chrono::TimeZone;
2057 // Fires at 09:00 but the maintenance window is overnight — it can
2058 // never run, so the preview is empty (matches
2059 // `calendar_outside_window`), and the scan still terminates.
2060 let mut s = cal_utc("09:00", &[]);
2061 s.constraints = Constraints {
2062 window: Some("22:00-05:00".into()),
2063 ..Constraints::default()
2064 };
2065 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2066 assert!(s.preview_fires(now, 5).is_empty());
2067 // Every candidate tick is rejected, so this also exercises the
2068 // SCAN_CAP bound: a large `count` must still terminate (and
2069 // return empty) rather than spin (claude #578 review).
2070 assert!(s.preview_fires(now, 50).is_empty());
2071 }
2072
2073 #[test]
2074 fn preview_past_one_shot_is_empty() {
2075 use chrono::TimeZone;
2076 // A dated one-shot whose instant has passed never fires again.
2077 let s = cal_utc("2026-06-10 09:00", &[]);
2078 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
2079 assert!(s.preview_fires(now, 5).is_empty());
2080 // …but from before it, the single future fire shows up.
2081 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
2082 assert_eq!(
2083 s.preview_fires(before, 5),
2084 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
2085 );
2086 }
2087
2088 #[test]
2089 fn lowering_matches_the_418_table() {
2090 let cases = [
2091 (
2092 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2093 (POLL_CRON, ExecMode::OncePerPc, None),
2094 ),
2095 (
2096 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2097 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
2098 ),
2099 (
2100 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2101 (POLL_CRON, ExecMode::OncePerTarget, None),
2102 ),
2103 (
2104 When::PerTarget(PerPolicy::Every(EverySpec {
2105 every: "24h".into(),
2106 })),
2107 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
2108 ),
2109 // calendar repeating → 6-field cron
2110 (
2111 calendar("09:00", &["mon-fri"]),
2112 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
2113 ),
2114 // calendar daily (no days) → DOW *
2115 (
2116 calendar("18:30", &[]),
2117 ("0 30 18 * * *", ExecMode::EveryTick, None),
2118 ),
2119 // calendar one-shot → 7-field year cron
2120 (
2121 calendar("2026-06-10 09:00", &[]),
2122 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
2123 ),
2124 ];
2125 for (when, (cron, mode, cooldown)) in cases {
2126 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
2127 assert_eq!(l.cron, cron, "cron for {when}");
2128 assert_eq!(l.mode, mode, "mode for {when}");
2129 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
2130 }
2131 }
2132
2133 #[test]
2134 fn lowered_carries_schedule_tz() {
2135 for (tz, want) in [
2136 (ScheduleTz::Local, ScheduleTz::Local),
2137 (ScheduleTz::Utc, ScheduleTz::Utc),
2138 ] {
2139 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
2140 s.tz = tz;
2141 assert_eq!(s.lowered().tz, want, "calendar carries tz");
2142 // reconcile shapes carry tz too (for the active-window check)
2143 let mut s = schedule_with(
2144 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2145 RunsOn::Backend,
2146 );
2147 s.tz = tz;
2148 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
2149 }
2150 }
2151
2152 #[test]
2153 fn poll_cron_is_accepted_by_the_engine_parser() {
2154 // POLL_CRON is system-generated — if the engine's parser
2155 // ever rejected it every reconcile schedule would die at
2156 // register time. Validate it with the same croner config
2157 // (Seconds::Required, dom_and_dow, year optional).
2158 croner::parser::CronParser::builder()
2159 .seconds(croner::parser::Seconds::Required)
2160 .dom_and_dow(true)
2161 .build()
2162 .parse(POLL_CRON)
2163 .expect("POLL_CRON must parse");
2164 }
2165
2166 // ---- Schedule::validate() (#418 decision F) ----
2167
2168 #[test]
2169 fn validate_accepts_reconcile_shapes() {
2170 for when in [
2171 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2172 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2173 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2174 When::PerTarget(PerPolicy::Every(EverySpec {
2175 every: "24h".into(),
2176 })),
2177 ] {
2178 schedule_with(when.clone(), RunsOn::Backend)
2179 .validate()
2180 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
2181 }
2182 }
2183
2184 #[test]
2185 fn validate_accepts_per_pc_on_agent() {
2186 schedule_with(
2187 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
2188 RunsOn::Agent,
2189 )
2190 .validate()
2191 .expect("per_pc + agent is the offline-inventory shape");
2192 }
2193
2194 // ---- #418 event triggers (when: { on }) ----
2195
2196 #[test]
2197 fn validate_accepts_event_on_agent() {
2198 for triggers in [
2199 vec![OnTrigger::Startup],
2200 vec![OnTrigger::Logon],
2201 vec![OnTrigger::Lock],
2202 vec![OnTrigger::Unlock],
2203 vec![OnTrigger::NetworkChange],
2204 vec![
2205 OnTrigger::Startup,
2206 OnTrigger::Logon,
2207 OnTrigger::Lock,
2208 OnTrigger::Unlock,
2209 OnTrigger::NetworkChange,
2210 ],
2211 ] {
2212 schedule_with(When::On(triggers), RunsOn::Agent)
2213 .validate()
2214 .expect("when.on is valid on runs_on: agent");
2215 }
2216 }
2217
2218 #[test]
2219 fn validate_rejects_event_on_backend() {
2220 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
2221 .validate()
2222 .unwrap_err();
2223 assert!(err.contains("when.on"), "got: {err}");
2224 assert!(err.contains("runs_on: agent"), "got: {err}");
2225 }
2226
2227 #[test]
2228 fn validate_rejects_empty_event_list() {
2229 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
2230 .validate()
2231 .unwrap_err();
2232 assert!(err.contains("when.on"), "got: {err}");
2233 assert!(err.contains("at least one"), "got: {err}");
2234 }
2235
2236 #[test]
2237 fn event_schedule_lowers_to_event_mode_and_is_event() {
2238 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
2239 assert!(s.is_event());
2240 assert_eq!(s.lowered().mode, ExecMode::Event);
2241 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
2242 // non-event schedules report no triggers.
2243 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2244 assert!(!cal.is_event());
2245 assert!(cal.event_triggers().is_empty());
2246 }
2247
2248 // ---- #418 constraints.require (env gates) ----
2249
2250 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
2251 let mut s = schedule_with(
2252 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
2253 runs_on,
2254 );
2255 s.constraints.require = Some(req);
2256 s
2257 }
2258
2259 #[test]
2260 fn require_met_combinations() {
2261 use std::time::Duration;
2262 let idle = |m: u64| Some(Duration::from_secs(m * 60));
2263 // Builder for the sensed state: (ac, idle, cpu, network).
2264 let env = |ac, idle, cpu, net| EnvState {
2265 ac_online: ac,
2266 idle,
2267 cpu_pct: cpu,
2268 network_up: net,
2269 };
2270 // Empty require — always met regardless of sensed state.
2271 assert!(require_met(
2272 &Require::default(),
2273 &env(false, None, None, false)
2274 ));
2275 // ac_power: only on AC.
2276 let ac = Require {
2277 ac_power: true,
2278 ..Default::default()
2279 };
2280 assert!(!require_met(&ac, &env(false, None, None, true)));
2281 assert!(require_met(&ac, &env(true, None, None, false)));
2282 // idle: needs >= the configured min; None idle never satisfies.
2283 let idle10 = Require {
2284 idle: Some("10m".into()),
2285 ..Default::default()
2286 };
2287 assert!(!require_met(&idle10, &env(true, None, None, true)));
2288 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
2289 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
2290 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
2291 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
2292 let cpu20 = Require {
2293 cpu_below: Some(20.0),
2294 ..Default::default()
2295 };
2296 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
2297 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
2298 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
2299 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
2300 // network: only when online.
2301 let net = Require {
2302 network: true,
2303 ..Default::default()
2304 };
2305 assert!(!require_met(&net, &env(true, None, None, false))); // offline
2306 assert!(require_met(&net, &env(true, None, None, true))); // online
2307 // all four: AND.
2308 let all = Require {
2309 ac_power: true,
2310 idle: Some("10m".into()),
2311 cpu_below: Some(20.0),
2312 network: true,
2313 };
2314 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
2315 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
2316 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
2317 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
2318 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
2319 // An unparseable idle is treated as no-requirement by require_met
2320 // (validate rejects it at create time, so this only guards a
2321 // hand-edited blob): ac still gates.
2322 let bad = Require {
2323 ac_power: true,
2324 idle: Some("garbage".into()),
2325 ..Default::default()
2326 };
2327 assert!(require_met(&bad, &env(true, None, None, true)));
2328 assert!(!require_met(&bad, &env(false, None, None, true)));
2329 }
2330
2331 #[test]
2332 fn validate_accepts_and_rejects_cpu_below() {
2333 // In-range accepted.
2334 require_schedule(
2335 Require {
2336 cpu_below: Some(20.0),
2337 ..Default::default()
2338 },
2339 RunsOn::Agent,
2340 )
2341 .validate()
2342 .expect("cpu_below 20 is valid");
2343 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
2344 // 100%). Pins the inclusive upper bound against a future c < 100.0.
2345 require_schedule(
2346 Require {
2347 cpu_below: Some(100.0),
2348 ..Default::default()
2349 },
2350 RunsOn::Agent,
2351 )
2352 .validate()
2353 .expect("cpu_below 100 is valid");
2354 // Out of range rejected (0 and >100).
2355 for bad in [0.0, -5.0, 100.1] {
2356 let err = require_schedule(
2357 Require {
2358 cpu_below: Some(bad),
2359 ..Default::default()
2360 },
2361 RunsOn::Agent,
2362 )
2363 .validate()
2364 .unwrap_err();
2365 assert!(
2366 err.contains("constraints.require.cpu_below"),
2367 "cpu_below {bad}: {err}"
2368 );
2369 }
2370 }
2371
2372 #[test]
2373 fn validate_accepts_require_on_agent() {
2374 require_schedule(
2375 Require {
2376 ac_power: true,
2377 idle: Some("10m".into()),
2378 cpu_below: Some(20.0),
2379 network: true,
2380 },
2381 RunsOn::Agent,
2382 )
2383 .validate()
2384 .expect("constraints.require is valid on runs_on: agent");
2385 }
2386
2387 #[test]
2388 fn validate_rejects_require_on_backend() {
2389 let err = require_schedule(
2390 Require {
2391 ac_power: true,
2392 ..Default::default()
2393 },
2394 RunsOn::Backend,
2395 )
2396 .validate()
2397 .unwrap_err();
2398 assert!(err.contains("constraints.require"), "got: {err}");
2399 assert!(err.contains("runs_on: agent"), "got: {err}");
2400
2401 // An idle-only require (ac_power: false) is also non-empty
2402 // (is_empty folds the fields) and must reject on backend too —
2403 // guards against a regression in Require::is_empty.
2404 let err = require_schedule(
2405 Require {
2406 idle: Some("10m".into()),
2407 ..Default::default()
2408 },
2409 RunsOn::Backend,
2410 )
2411 .validate()
2412 .unwrap_err();
2413 assert!(
2414 err.contains("constraints.require"),
2415 "idle-only on backend: {err}"
2416 );
2417 }
2418
2419 #[test]
2420 fn validate_rejects_bad_require_idle() {
2421 let err = require_schedule(
2422 Require {
2423 idle: Some("not-a-duration".into()),
2424 ..Default::default()
2425 },
2426 RunsOn::Agent,
2427 )
2428 .validate()
2429 .unwrap_err();
2430 assert!(err.contains("constraints.require.idle"), "got: {err}");
2431 }
2432
2433 #[test]
2434 fn require_round_trips_and_skips_empty() {
2435 // ac_power: false is skipped; an all-default require nested in
2436 // constraints is omitted (is_empty folds it in).
2437 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
2438 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
2439 network: true } }\n";
2440 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2441 let req = s.constraints.require.as_ref().expect("require present");
2442 assert!(req.ac_power);
2443 assert_eq!(req.idle.as_deref(), Some("10m"));
2444 assert_eq!(req.cpu_below, Some(20.0));
2445 assert!(req.network);
2446 // Re-serialize: idle + cpu_below + network present, ac_power true.
2447 let back = serde_json::to_string(&s.constraints).unwrap();
2448 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
2449 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
2450 assert!(back.contains("\"network\":true"), "got: {back}");
2451 // An empty require is omitted entirely by is_empty.
2452 let mut empty = s.clone();
2453 empty.constraints.require = Some(Require::default());
2454 assert!(empty.constraints.is_empty());
2455 }
2456
2457 #[test]
2458 fn validate_rejects_per_target_on_agent() {
2459 let err = schedule_with(
2460 When::PerTarget(PerPolicy::Every(EverySpec {
2461 every: "24h".into(),
2462 })),
2463 RunsOn::Agent,
2464 )
2465 .validate()
2466 .unwrap_err();
2467 assert!(err.contains("per_target"), "got: {err}");
2468 assert!(err.contains("runs_on: agent"), "got: {err}");
2469
2470 // per_target: once is also backend-only.
2471 let err = schedule_with(
2472 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2473 RunsOn::Agent,
2474 )
2475 .validate()
2476 .unwrap_err();
2477 assert!(err.contains("per_target"), "got (once): {err}");
2478 assert!(err.contains("runs_on: agent"), "got (once): {err}");
2479 }
2480
2481 #[test]
2482 fn validate_rejects_bad_every_duration() {
2483 let err = schedule_with(
2484 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
2485 RunsOn::Backend,
2486 )
2487 .validate()
2488 .unwrap_err();
2489 assert!(err.contains("when.every"), "got: {err}");
2490 }
2491
2492 #[test]
2493 fn validate_rejects_bad_jitter_and_starting_deadline() {
2494 let mut s = schedule_with(
2495 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2496 RunsOn::Backend,
2497 );
2498 s.plan.jitter = Some("5x".into());
2499 let err = s.validate().unwrap_err();
2500 assert!(err.contains("jitter"), "got: {err}");
2501
2502 let mut s = schedule_with(
2503 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2504 RunsOn::Backend,
2505 );
2506 s.starting_deadline = Some("soon".into());
2507 let err = s.validate().unwrap_err();
2508 assert!(err.contains("starting_deadline"), "got: {err}");
2509 }
2510
2511 #[test]
2512 fn validate_accepts_calendar_shapes() {
2513 for when in [
2514 calendar("09:00", &["mon-fri"]), // weekday morning
2515 calendar("00:00", &["sun"]), // weekly
2516 calendar("18:30", &[]), // daily
2517 calendar("2026-06-10 09:00", &[]), // one-shot
2518 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
2519 ] {
2520 schedule_with(when.clone(), RunsOn::Backend)
2521 .validate()
2522 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
2523 }
2524 }
2525
2526 #[test]
2527 fn validate_rejects_bad_at() {
2528 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
2529 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
2530 .validate()
2531 .unwrap_err();
2532 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
2533 }
2534 }
2535
2536 #[test]
2537 fn validate_rejects_datetime_at_with_days() {
2538 // A dated `at` is a one-shot — pairing it with days is a
2539 // contradiction (the date already pins the day).
2540 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
2541 .validate()
2542 .unwrap_err();
2543 assert!(
2544 err.contains("one-shot") && err.contains("days"),
2545 "got: {err}"
2546 );
2547 }
2548
2549 #[test]
2550 fn validate_rejects_bad_day_name() {
2551 // A garbage DOW token is caught by the days pre-flight and
2552 // reported against `when.days`, not the confusing
2553 // "when.at lowered to invalid cron" (claude #432 review).
2554 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
2555 .validate()
2556 .unwrap_err();
2557 assert!(err.contains("when.days"), "got: {err}");
2558 assert!(err.contains("funday"), "names the bad token: {err}");
2559 // a degenerate range like `mon-` reports the whole token, not
2560 // a cryptic empty part (claude #432 follow-up)
2561 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
2562 .validate()
2563 .unwrap_err();
2564 assert!(err.contains("'mon-'"), "names the whole token: {err}");
2565 // valid names / ranges / numeric / * all pass
2566 for ok in [
2567 calendar("09:00", &["mon-fri"]),
2568 calendar("09:00", &["mon", "wed", "sun"]),
2569 calendar("09:00", &["1-5"]),
2570 ] {
2571 schedule_with(ok.clone(), RunsOn::Backend)
2572 .validate()
2573 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2574 }
2575 }
2576
2577 #[test]
2578 fn validate_accepts_nth_weekday() {
2579 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
2580 // a cron and parses it with croner, so passing here proves the
2581 // whole chain — token → DOW field → engine-acceptable cron.
2582 for ok in [
2583 calendar("09:00", &["tue#2"]), // 2nd Tuesday
2584 calendar("09:00", &["fri#1"]), // 1st Friday
2585 calendar("03:00", &["sun#5"]), // 5th Sunday
2586 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
2587 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
2588 // Case-insensitive both sides: validate lowercases, croner
2589 // upper-cases the whole pattern before aliasing (claude #547).
2590 calendar("09:00", &["TUE#2"]),
2591 ] {
2592 schedule_with(ok.clone(), RunsOn::Backend)
2593 .validate()
2594 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2595 }
2596 }
2597
2598 #[test]
2599 fn validate_rejects_bad_nth_weekday() {
2600 // ordinal out of 1..5, a range with #, and a bad day before #.
2601 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
2602 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2603 .validate()
2604 .unwrap_err();
2605 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2606 }
2607 }
2608
2609 #[test]
2610 fn validate_accepts_last_weekday() {
2611 // #418: last-weekday (`friL` = last Friday). Like the nth case,
2612 // validate() lowers to a cron and round-trips it through croner,
2613 // so passing proves token → DOW field → engine-acceptable cron
2614 // with the verified last-<dow>-of-month semantics.
2615 for ok in [
2616 calendar("09:00", &["friL"]), // last Friday
2617 calendar("03:00", &["sunL"]), // last Sunday
2618 calendar("22:00", &["5L"]), // numeric DOW + last
2619 calendar("00:00", &["0L"]), // numeric Sunday (0…
2620 calendar("00:00", &["7L"]), // …and its 7 alias)
2621 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
2622 // Case-insensitive both the weekday and the `L` suffix:
2623 // validate lowercases the day, croner upper-cases the whole
2624 // pattern before aliasing (claude #547).
2625 calendar("09:00", &["FRIL"]),
2626 calendar("09:00", &["fril"]),
2627 ] {
2628 schedule_with(ok.clone(), RunsOn::Backend)
2629 .validate()
2630 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2631 }
2632 }
2633
2634 #[test]
2635 fn validate_rejects_bad_last_weekday() {
2636 // bare `L` (no weekday — a footgun croner reads as Saturday), a
2637 // range with L, a bad day before L, and an internal space that
2638 // would otherwise leak a malformed cron downstream (gemini #560).
2639 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
2640 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2641 .validate()
2642 .unwrap_err();
2643 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2644 }
2645 }
2646
2647 #[test]
2648 fn calendar_oneshot_instant_detects_past() {
2649 use chrono::TimeZone;
2650 // a dated `at` resolves to an absolute instant…
2651 let c = CalendarSpec {
2652 at: "2024-01-01 09:00".into(),
2653 days: vec![],
2654 };
2655 let t = c
2656 .oneshot_instant(ScheduleTz::Utc)
2657 .expect("one-shot instant");
2658 assert_eq!(
2659 t,
2660 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
2661 );
2662 assert!(t < chrono::Utc::now(), "2024 is in the past");
2663 // …while a repeating (time-only) calendar has no instant
2664 let rep = CalendarSpec {
2665 at: "09:00".into(),
2666 days: vec!["mon-fri".into()],
2667 };
2668 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
2669 }
2670
2671 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
2672 let mut s = schedule_with(
2673 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2674 RunsOn::Backend,
2675 );
2676 s.active = Active {
2677 from: from.map(str::to_owned),
2678 until: until.map(str::to_owned),
2679 };
2680 s
2681 }
2682
2683 #[test]
2684 fn validate_accepts_active_window() {
2685 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
2686 .validate()
2687 .expect("date + rfc3339 bounds should validate");
2688 }
2689
2690 #[test]
2691 fn validate_rejects_unparseable_active_bound() {
2692 let err = schedule_with_active(Some("July 1st"), None)
2693 .validate()
2694 .unwrap_err();
2695 assert!(err.contains("active"), "got: {err}");
2696 }
2697
2698 #[test]
2699 fn validate_rejects_from_not_before_until() {
2700 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
2701 .validate()
2702 .unwrap_err();
2703 assert!(err.contains("strictly before"), "got: {err}");
2704
2705 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
2706 .validate()
2707 .unwrap_err();
2708 assert!(err.contains("strictly before"), "got: {err}");
2709 }
2710
2711 // ---- Active window semantics ----
2712
2713 #[test]
2714 fn active_window_is_half_open() {
2715 use chrono::TimeZone;
2716 let active = Active {
2717 from: Some("2026-07-01".into()),
2718 until: Some("2026-08-01".into()),
2719 };
2720 // UTC tz so the date bounds are UTC midnight.
2721 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
2722 let c = |t| active.contains(t, ScheduleTz::Utc);
2723 assert!(!c(at(2026, 6, 30, 23)), "before from");
2724 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
2725 assert!(c(at(2026, 7, 15, 12)), "inside");
2726 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
2727 assert!(!c(at(2026, 8, 2, 0)), "after until");
2728 }
2729
2730 #[test]
2731 fn active_empty_window_is_always_active() {
2732 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
2733 }
2734
2735 #[test]
2736 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
2737 use chrono::TimeZone;
2738 let active = Active {
2739 from: Some("2026-07-01T09:00:00+09:00".into()),
2740 until: None,
2741 };
2742 // RFC3339 carries its own offset → tz arg is ignored.
2743 // 09:00 JST = 00:00 UTC.
2744 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
2745 assert!(
2746 !active.contains(
2747 chrono::Utc
2748 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
2749 .unwrap(),
2750 tz
2751 )
2752 );
2753 assert!(active.contains(
2754 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
2755 tz
2756 ));
2757 }
2758 }
2759
2760 #[test]
2761 fn active_date_bound_respects_tz() {
2762 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
2763 // tz* (#418 Phase 2). The UTC interpretation is exact and
2764 // host-independent; assert that precisely.
2765 use chrono::TimeZone;
2766 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
2767 assert_eq!(
2768 utc,
2769 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
2770 );
2771
2772 // The local interpretation must equal what chrono::Local
2773 // computes for the same wall-clock midnight — proves the tz
2774 // path is wired to the host zone (the magnitude vs UTC is
2775 // host-dependent, so we compare against Local directly rather
2776 // than hard-coding the JST offset, keeping CI green on UTC
2777 // runners).
2778 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
2779 let want = chrono::Local
2780 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
2781 .single()
2782 .expect("local midnight is unambiguous")
2783 .with_timezone(&chrono::Utc);
2784 assert_eq!(local, want, "date bound resolved in host-local tz");
2785 }
2786
2787 #[test]
2788 fn active_empty_is_skipped_when_serialising() {
2789 let s = schedule_with(
2790 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2791 RunsOn::Backend,
2792 );
2793 let json = serde_json::to_value(&s).expect("serialise");
2794 assert!(
2795 json.get("active").is_none(),
2796 "empty active must not appear on the wire: {json}"
2797 );
2798 }
2799
2800 // ---- constraints.window (#418 Phase 3) ----
2801
2802 fn with_window(win: &str) -> Schedule {
2803 let mut s = schedule_with(
2804 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2805 RunsOn::Backend,
2806 );
2807 s.constraints.window = Some(win.into());
2808 s
2809 }
2810
2811 #[test]
2812 fn constraints_window_parses_and_round_trips() {
2813 let yaml = r#"
2814id: x
2815when:
2816 per_pc: { every: 6h }
2817job_id: y
2818target: { all: true }
2819constraints:
2820 window: "22:00-05:00"
2821"#;
2822 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2823 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
2824 let back: Schedule =
2825 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
2826 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
2827 }
2828
2829 #[test]
2830 fn constraints_empty_is_skipped_when_serialising() {
2831 let s = schedule_with(
2832 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2833 RunsOn::Backend,
2834 );
2835 let json = serde_json::to_value(&s).expect("serialise");
2836 assert!(
2837 json.get("constraints").is_none(),
2838 "empty constraints must not appear on the wire: {json}"
2839 );
2840 }
2841
2842 #[test]
2843 fn window_no_constraint_always_allows() {
2844 let c = Constraints::default();
2845 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
2846 }
2847
2848 #[test]
2849 fn window_same_day_is_half_open() {
2850 use chrono::TimeZone;
2851 let s = with_window("09:00-17:00");
2852 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2853 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2854 assert!(!a(at(8, 59)), "before start");
2855 assert!(a(at(9, 0)), "at start (inclusive)");
2856 assert!(a(at(16, 59)), "inside");
2857 assert!(!a(at(17, 0)), "at end (exclusive)");
2858 assert!(!a(at(23, 0)), "after end");
2859 }
2860
2861 #[test]
2862 fn window_crossing_midnight() {
2863 use chrono::TimeZone;
2864 let s = with_window("22:00-05:00");
2865 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
2866 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
2867 assert!(a(at(22, 0)), "at start tonight");
2868 assert!(a(at(23, 30)), "late tonight");
2869 assert!(a(at(3, 0)), "early tomorrow");
2870 assert!(!a(at(5, 0)), "at end (exclusive)");
2871 assert!(!a(at(12, 0)), "midday outside");
2872 assert!(!a(at(21, 59)), "just before start");
2873 }
2874
2875 #[test]
2876 fn window_respects_tz() {
2877 // The same instant is inside the window under one tz and may
2878 // be outside under another. Compare UTC vs Local via the
2879 // host's own offset (kept CI-green on UTC runners like the
2880 // active tz test does).
2881 use chrono::TimeZone;
2882 let s = with_window("09:00-17:00");
2883 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
2884 // Under UTC, 12:00 is inside 09:00-17:00.
2885 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
2886 // Under Local, the verdict tracks the host wall-clock time;
2887 // assert it matches a direct wall_time membership check.
2888 let local_t = noon_utc.with_timezone(&chrono::Local).time();
2889 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
2890 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
2891 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
2892 }
2893
2894 #[test]
2895 fn validate_accepts_good_window() {
2896 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
2897 with_window(w)
2898 .validate()
2899 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
2900 }
2901 }
2902
2903 #[test]
2904 fn validate_rejects_bad_window() {
2905 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
2906 let err = with_window(bad).validate().unwrap_err();
2907 assert!(
2908 err.contains("constraints.window"),
2909 "for '{bad}', got: {err}"
2910 );
2911 }
2912 }
2913
2914 // ---- constraints.skip_dates (#418 holiday exclusion) ----
2915
2916 fn with_skip_dates(dates: &[&str]) -> Schedule {
2917 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2918 s.tz = ScheduleTz::Utc; // host-independent date assertions
2919 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
2920 s
2921 }
2922
2923 #[test]
2924 fn allows_blocks_listed_skip_date() {
2925 use chrono::TimeZone;
2926 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
2927 // Any time on a listed date is blocked (whole day).
2928 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
2929 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
2930 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
2931 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
2932 // A date not in the list fires normally.
2933 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
2934 assert!(s.constraints.allows(off, ScheduleTz::Utc));
2935 }
2936
2937 #[test]
2938 fn allows_corrupt_skip_date_fails_closed() {
2939 use chrono::TimeZone;
2940 // A garbled entry (only reachable via hand-edited KV) blocks
2941 // rather than silently re-enabling fires — same posture as a
2942 // corrupt window.
2943 let s = with_skip_dates(&["not-a-date"]);
2944 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
2945 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
2946 }
2947
2948 #[test]
2949 fn validate_accepts_good_skip_dates() {
2950 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
2951 .validate()
2952 .expect("well-formed skip dates should validate");
2953 }
2954
2955 #[test]
2956 fn validate_rejects_bad_skip_date() {
2957 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
2958 let err = with_skip_dates(&[bad]).validate().unwrap_err();
2959 assert!(
2960 err.contains("constraints.skip_dates"),
2961 "for '{bad}', got: {err}"
2962 );
2963 }
2964 }
2965
2966 #[test]
2967 fn preview_skips_holidays() {
2968 use chrono::TimeZone;
2969 // Daily 09:00 with two of the next five days marked as holidays
2970 // — preview drops exactly those, since it gates on `allows`.
2971 let mut s = cal_utc("09:00", &[]);
2972 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
2973 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2974 let got = s.preview_fires(now, 4);
2975 let want: Vec<_> = [
2976 (2026, 6, 10),
2977 (2026, 6, 12), // skips 06-11
2978 (2026, 6, 14), // skips 06-13
2979 (2026, 6, 15),
2980 ]
2981 .iter()
2982 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
2983 .collect();
2984 assert_eq!(got, want);
2985 }
2986
2987 // ---- constraints.max_concurrent (#418) ----
2988
2989 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
2990 let mut s = schedule_with(
2991 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2992 runs_on,
2993 );
2994 s.constraints.max_concurrent = Some(max);
2995 s
2996 }
2997
2998 #[test]
2999 fn validate_accepts_backend_max_concurrent() {
3000 with_max_concurrent(5, RunsOn::Backend)
3001 .validate()
3002 .expect("backend max_concurrent should validate");
3003 }
3004
3005 #[test]
3006 fn validate_rejects_max_concurrent_on_agent() {
3007 // Decision E: a central running-instance cap needs a central
3008 // counter, which agents don't have.
3009 let err = with_max_concurrent(5, RunsOn::Agent)
3010 .validate()
3011 .unwrap_err();
3012 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
3013 assert!(err.contains("runs_on: agent"), "got: {err}");
3014 }
3015
3016 #[test]
3017 fn validate_rejects_zero_max_concurrent() {
3018 let err = with_max_concurrent(0, RunsOn::Backend)
3019 .validate()
3020 .unwrap_err();
3021 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
3022 }
3023
3024 #[test]
3025 fn max_concurrent_round_trips_and_skips_when_absent() {
3026 let s = with_max_concurrent(3, RunsOn::Backend);
3027 let json = serde_json::to_value(&s.constraints).expect("ser");
3028 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
3029 // A schedule with no constraints omits the whole block.
3030 let bare = schedule_with(
3031 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3032 RunsOn::Backend,
3033 );
3034 assert!(bare.constraints.is_empty());
3035 }
3036
3037 #[test]
3038 fn window_fail_closed_on_corrupt_blob() {
3039 // A malformed window (only reachable via a hand-edited KV
3040 // blob — validate() rejects it at create) must BLOCK, not
3041 // silently allow fires during a change-freeze (gemini #452).
3042 let s = with_window("22:00_05:00");
3043 assert!(
3044 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
3045 "corrupt window fails closed"
3046 );
3047 // …and the scheduler can surface why it's stuck.
3048 assert!(
3049 s.bad_window().is_some(),
3050 "bad_window reports the parse error"
3051 );
3052 assert!(with_window("22:00-05:00").bad_window().is_none());
3053 }
3054
3055 #[test]
3056 fn calendar_outside_window_is_flagged() {
3057 // at 09:00 can never fall in 22:00-05:00 → never fires.
3058 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
3059 s.constraints.window = Some("22:00-05:00".into());
3060 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
3061
3062 // at 23:00 IS inside the overnight window → fine.
3063 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
3064 s.constraints.window = Some("22:00-05:00".into());
3065 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
3066
3067 // reconcile shapes are never flagged (they poll every minute).
3068 let mut s = schedule_with(
3069 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3070 RunsOn::Backend,
3071 );
3072 s.constraints.window = Some("22:00-05:00".into());
3073 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
3074
3075 // no window → never flagged.
3076 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3077 assert!(!s.calendar_outside_window());
3078 }
3079
3080 // ---- on_failure.retry (#418 Phase 4) ----
3081
3082 fn with_retry(max: u32, backoff: &str) -> Schedule {
3083 let mut s = schedule_with(
3084 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3085 RunsOn::Backend,
3086 );
3087 s.on_failure.retry = Some(Retry {
3088 max,
3089 backoff: backoff.into(),
3090 });
3091 s
3092 }
3093
3094 #[test]
3095 fn on_failure_parses_and_round_trips() {
3096 let yaml = r#"
3097id: x
3098when:
3099 per_pc: { every: 6h }
3100job_id: y
3101target: { all: true }
3102on_failure:
3103 retry: { max: 3, backoff: 10m }
3104"#;
3105 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3106 let r = s.on_failure.retry.as_ref().expect("retry present");
3107 assert_eq!(r.max, 3);
3108 assert_eq!(r.backoff, "10m");
3109 let back: Schedule =
3110 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
3111 assert_eq!(back.on_failure, s.on_failure);
3112 }
3113
3114 #[test]
3115 fn on_failure_empty_is_skipped_when_serialising() {
3116 let s = schedule_with(
3117 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3118 RunsOn::Backend,
3119 );
3120 let json = serde_json::to_value(&s).expect("serialise");
3121 assert!(
3122 json.get("on_failure").is_none(),
3123 "empty on_failure must not appear on the wire: {json}"
3124 );
3125 }
3126
3127 #[test]
3128 fn validate_accepts_good_retry() {
3129 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
3130 with_retry(max, backoff)
3131 .validate()
3132 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
3133 }
3134 }
3135
3136 #[test]
3137 fn validate_rejects_bad_backoff() {
3138 let err = with_retry(3, "soon").validate().unwrap_err();
3139 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
3140 }
3141
3142 #[test]
3143 fn validate_rejects_sub_second_backoff() {
3144 // "500ms" parses as humantime but lowers to 0s on the wire —
3145 // reject it so the operator doesn't get a silent no-wait
3146 // (coderabbit #466).
3147 for bad in ["500ms", "0s", "999ms"] {
3148 let err = with_retry(3, bad).validate().unwrap_err();
3149 assert!(
3150 err.contains("on_failure.retry.backoff must be >= 1s"),
3151 "for '{bad}', got: {err}"
3152 );
3153 }
3154 }
3155
3156 #[test]
3157 fn validate_rejects_out_of_range_max() {
3158 for bad in [0u32, 11, 1000] {
3159 let err = with_retry(bad, "10m").validate().unwrap_err();
3160 assert!(
3161 err.contains("on_failure.retry.max"),
3162 "for max={bad}, got: {err}"
3163 );
3164 }
3165 }
3166
3167 #[test]
3168 fn lowered_retry_reduces_backoff_to_seconds() {
3169 let s = with_retry(3, "10m");
3170 let spec = s.on_failure.lowered_retry().expect("a retry policy");
3171 assert_eq!(spec.max, 3);
3172 assert_eq!(spec.backoff_secs, 600);
3173 }
3174
3175 #[test]
3176 fn lowered_retry_is_none_without_policy() {
3177 let s = schedule_with(
3178 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3179 RunsOn::Backend,
3180 );
3181 assert!(s.on_failure.lowered_retry().is_none());
3182 }
3183
3184 // ---- global change-freeze (#418 Phase 5) ----
3185
3186 #[test]
3187 fn freeze_empty_window_is_always_active() {
3188 // The big-red-button shape: no bounds = frozen until cleared.
3189 let f = Freeze::default();
3190 assert!(f.is_active(chrono::Utc::now()));
3191 }
3192
3193 #[test]
3194 fn freeze_window_is_half_open() {
3195 use chrono::TimeZone;
3196 let f = Freeze {
3197 from: Some("2026-12-20T00:00:00+00:00".into()),
3198 until: Some("2027-01-05T00:00:00+00:00".into()),
3199 reason: Some("year-end".into()),
3200 tz: ScheduleTz::Utc,
3201 };
3202 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
3203 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
3204 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
3205 assert!(f.is_active(at(2026, 12, 31)), "inside window");
3206 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
3207 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
3208 }
3209
3210 #[test]
3211 fn freeze_fails_closed_on_corrupt_bound() {
3212 // A freeze is a safety switch: an unparseable bound (only
3213 // reachable via a hand-edited KV blob) must read as FROZEN, not
3214 // "fire normally" (coderabbit #472) — the opposite of `active`,
3215 // which fail-opens.
3216 let f = Freeze {
3217 from: Some("not-a-date".into()),
3218 until: None,
3219 reason: None,
3220 tz: ScheduleTz::Utc,
3221 };
3222 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
3223 }
3224
3225 #[test]
3226 fn freeze_validate_accepts_good_bounds() {
3227 Freeze {
3228 from: Some("2026-12-20".into()),
3229 until: Some("2027-01-05T12:00:00+09:00".into()),
3230 reason: None,
3231 tz: ScheduleTz::Local,
3232 }
3233 .validate()
3234 .expect("date + rfc3339 bounds should validate");
3235 // Empty (indefinite) freeze is valid.
3236 Freeze::default().validate().expect("empty freeze is valid");
3237 }
3238
3239 #[test]
3240 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
3241 let err = Freeze {
3242 from: Some("never".into()),
3243 ..Default::default()
3244 }
3245 .validate()
3246 .unwrap_err();
3247 assert!(err.contains("freeze:"), "got: {err}");
3248
3249 let inverted = Freeze {
3250 from: Some("2027-01-05".into()),
3251 until: Some("2026-12-20".into()),
3252 ..Default::default()
3253 }
3254 .validate()
3255 .unwrap_err();
3256 assert!(inverted.contains("freeze.from"), "got: {inverted}");
3257 }
3258
3259 #[test]
3260 fn freeze_round_trips_and_skips_empty_fields() {
3261 let f = Freeze {
3262 from: None,
3263 until: Some("2027-01-05".into()),
3264 reason: Some("INC-1234".into()),
3265 tz: ScheduleTz::Utc,
3266 };
3267 let json = serde_json::to_value(&f).expect("serialise");
3268 assert!(json.get("from").is_none(), "empty from omitted: {json}");
3269 let back: Freeze = serde_json::from_value(json).expect("round-trip");
3270 assert_eq!(back, f);
3271 }
3272
3273 #[test]
3274 fn shipped_schedule_configs_parse_and_validate() {
3275 // Every YAML under configs/schedules/ must parse with the
3276 // current Schedule serde AND pass validate() — keeps the
3277 // shipped examples from drifting out of sync with the model
3278 // (#418 removed back-compat, so drift = broken at create).
3279 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
3280 let mut seen = 0;
3281 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
3282 let path = entry.expect("dir entry").path();
3283 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
3284 continue;
3285 }
3286 let body = std::fs::read_to_string(&path).expect("read yaml");
3287 let s: Schedule = serde_yaml::from_str(&body)
3288 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
3289 s.validate()
3290 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
3291 seen += 1;
3292 }
3293 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
3294 }
3295
3296 // ---- pre-existing enum wire formats (unchanged by #418) ----
3297
3298 #[test]
3299 fn exec_mode_serialises_snake_case() {
3300 for (mode, expected) in [
3301 (ExecMode::EveryTick, "every_tick"),
3302 (ExecMode::OncePerPc, "once_per_pc"),
3303 (ExecMode::OncePerTarget, "once_per_target"),
3304 ] {
3305 let s = serde_json::to_value(mode).expect("serialise");
3306 assert_eq!(s, serde_json::Value::String(expected.into()));
3307 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
3308 .expect("deserialise");
3309 assert_eq!(back, mode, "round-trip for {expected}");
3310 }
3311 }
3312
3313 #[test]
3314 fn schedule_runs_on_defaults_to_backend() {
3315 let yaml = r#"
3316id: x
3317when:
3318 per_pc: once
3319job_id: y
3320target: { all: true }
3321"#;
3322 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3323 assert_eq!(s.runs_on, RunsOn::Backend);
3324 }
3325
3326 #[test]
3327 fn schedule_runs_on_agent_parses() {
3328 let yaml = r#"
3329id: offline-inv
3330when:
3331 per_pc: { every: 1h }
3332job_id: inventory-hw
3333target: { all: true }
3334runs_on: agent
3335"#;
3336 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3337 assert_eq!(s.runs_on, RunsOn::Agent);
3338 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
3339 }
3340
3341 #[test]
3342 fn runs_on_serialises_snake_case() {
3343 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
3344 let s = serde_json::to_value(mode).expect("serialise");
3345 assert_eq!(s, serde_json::Value::String(expected.into()));
3346 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
3347 .expect("deserialise");
3348 assert_eq!(back, mode);
3349 }
3350 }
3351
3352 #[test]
3353 fn execute_shell_into_wire_shell() {
3354 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
3355 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
3356 }
3357
3358 #[test]
3359 fn manifest_staleness_defaults_to_cached() {
3360 let yaml = r#"
3361id: x
3362version: 1.0.0
3363execute:
3364 shell: powershell
3365 script: "echo"
3366 timeout: 1s
3367"#;
3368 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3369 assert_eq!(m.staleness, Staleness::Cached);
3370 }
3371
3372 #[test]
3373 fn manifest_strict_staleness_parses() {
3374 let yaml = r#"
3375id: urgent-patch
3376version: 2.5.1
3377execute:
3378 shell: powershell
3379 script: Install-Hotfix
3380 timeout: 5m
3381staleness:
3382 mode: strict
3383 max_cache_age: 0s
3384"#;
3385 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3386 match m.staleness {
3387 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
3388 other => panic!("expected strict, got {other:?}"),
3389 }
3390 }
3391
3392 #[test]
3393 fn manifest_unchecked_staleness_parses() {
3394 let yaml = r#"
3395id: legacy
3396version: 0.1.0
3397execute:
3398 shell: cmd
3399 script: "echo"
3400 timeout: 1s
3401staleness:
3402 mode: unchecked
3403"#;
3404 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3405 assert_eq!(m.staleness, Staleness::Unchecked);
3406 }
3407
3408 #[test]
3409 fn missing_required_field_errors() {
3410 // `id` missing.
3411 let yaml = r#"
3412version: 1.0.0
3413target: { all: true }
3414execute:
3415 shell: powershell
3416 script: "echo"
3417 timeout: 1s
3418"#;
3419 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
3420 assert!(r.is_err(), "expected error, got {:?}", r);
3421 }
3422
3423 #[test]
3424 fn display_field_table_kind_round_trips_with_nested_columns() {
3425 // #39: `type: table` + `columns:` on a DisplayField gets
3426 // round-tripped through serde so the SPA receives the
3427 // nested schema verbatim. Nested columns themselves are
3428 // DisplayFields so they can carry `type: bytes` /
3429 // `type: number` for cell formatting.
3430 let yaml = r#"
3431id: inv-hw
3432version: 1.0.0
3433execute:
3434 shell: powershell
3435 script: "echo"
3436 timeout: 60s
3437inventory:
3438 display:
3439 - field: hostname
3440 label: Hostname
3441 - field: disks
3442 label: Disks
3443 type: table
3444 columns:
3445 - field: device_id
3446 label: Drive
3447 - field: size_bytes
3448 label: Size
3449 type: bytes
3450 - field: free_bytes
3451 label: Free
3452 type: bytes
3453 - field: file_system
3454 label: FS
3455"#;
3456 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3457 let inv = m.inventory.as_ref().expect("inventory hint");
3458 let disks = inv
3459 .display
3460 .iter()
3461 .find(|d| d.field == "disks")
3462 .expect("disks display row");
3463 assert_eq!(disks.kind.as_deref(), Some("table"));
3464 let cols = disks.columns.as_ref().expect("table needs columns");
3465 assert_eq!(cols.len(), 4);
3466 assert_eq!(cols[1].field, "size_bytes");
3467 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
3468 }
3469
3470 #[test]
3471 fn display_field_scalar_kind_keeps_columns_none() {
3472 // Defensive: when type is a scalar (`bytes` / `number` /
3473 // `timestamp`) the `columns` field stays None — the SPA
3474 // uses its presence as the "render nested table" signal,
3475 // so it must not leak in via serde defaults.
3476 let yaml = r#"
3477id: x
3478version: 1.0.0
3479execute:
3480 shell: powershell
3481 script: "echo"
3482 timeout: 5s
3483inventory:
3484 display:
3485 - { field: ram_bytes, label: RAM, type: bytes }
3486"#;
3487 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3488 let inv = m.inventory.as_ref().unwrap();
3489 assert!(inv.display[0].columns.is_none());
3490 }
3491
3492 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
3493
3494 /// The JSON Schemas under `docs/schemas/` must match what
3495 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
3496 /// so a `Schedule` / `Manifest` field change can't silently drift
3497 /// the operator-facing schema. The SPA editor, the backend
3498 /// `/api/schemas/*` endpoints, and these files all read the same
3499 /// derived shape; this test fails CI if the checked-in copy lags.
3500 /// Regenerate with:
3501 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
3502 #[test]
3503 fn schema_files_are_current() {
3504 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
3505 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
3506 }
3507
3508 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
3509 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
3510 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
3511 .join("../../docs/schemas")
3512 .join(name);
3513 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
3514 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
3515 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
3516 return;
3517 }
3518 // Normalize CRLF→LF before comparing: `.gitattributes` already
3519 // pins these files to `eol=lf`, but a stray CRLF working-tree
3520 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
3521 // freshness check into a confusing line-ending failure — that's
3522 // .gitattributes' job, not this test's (gemini #588).
3523 let on_disk = std::fs::read_to_string(&path)
3524 .unwrap_or_else(|e| {
3525 panic!(
3526 "read {path:?}: {e}\n\
3527 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3528 )
3529 })
3530 .replace("\r\n", "\n");
3531 assert_eq!(
3532 on_disk, generated,
3533 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
3534 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3535 );
3536 }
3537}
3538
3539/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
3540/// (target + optional rollout + optional jitter) inline; the
3541/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
3542/// script body. Two schedules of the same job can target different
3543/// groups on different cadences without copying the manifest.
3544///
3545/// #418 Phase 1: the cadence is the single [`When`] field. The old
3546/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
3547/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
3548/// are warn-skipped; re-`schedule create` to upgrade them). The
3549/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
3550/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
3551/// `decide_fire` always ran on.
3552#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
3553pub struct Schedule {
3554 pub id: String,
3555 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
3556 /// or a calendar time trigger (`at` / `days`). See [`When`].
3557 ///
3558 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
3559 /// enums as `!per_pc` YAML tags by default; this keeps the
3560 /// operator-facing map shape (`when: { per_pc: once }`). JSON
3561 /// output is identical either way, and the schemars schema
3562 /// (external tagging = oneOf of single-key objects) already
3563 /// matches the singleton-map wire shape.
3564 #[serde(with = "serde_yaml::with::singleton_map")]
3565 #[schemars(with = "When")]
3566 pub when: When,
3567 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
3568 /// Manifest's `id`.
3569 pub job_id: String,
3570 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
3571 /// carry these any more — same job + different fanout = different
3572 /// schedule.
3573 #[serde(flatten)]
3574 pub plan: FanoutPlan,
3575 /// Optional validity window. Outside `[from, until)` the
3576 /// schedule is dormant — still registered, still visible, but
3577 /// every tick is skipped (deleted ≠ dormant: a campaign that
3578 /// ended stays inspectable and can be re-armed by editing the
3579 /// window). Checked at tick time on both the backend scheduler
3580 /// and the agent's local scheduler.
3581 #[serde(default, skip_serializing_if = "Active::is_empty")]
3582 pub active: Active,
3583 /// #418 operational constraints gating *when within an active
3584 /// period* a fire may happen: a maintenance `window`, a fleet
3585 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
3586 /// wall-clock ones are evaluated in the schedule's `tz`; future
3587 /// `require` (env gates) lands in the same namespace. Checked at
3588 /// tick time on both schedulers (and surfaced by `preview`).
3589 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
3590 pub constraints: Constraints,
3591 /// #418 Phase 4: what to do after a fire's script comes back
3592 /// failed. Currently just `retry` (fixed-backoff in-process
3593 /// re-run); future `notify` / `disable` join the same namespace.
3594 /// Applied fire-side in `handle_command` (the retry policy is
3595 /// lowered onto every Command this schedule produces), so it
3596 /// covers both `runs_on` locations.
3597 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
3598 pub on_failure: OnFailure,
3599 /// #418 Phase 2: the timezone this schedule's wall-clock fields
3600 /// are evaluated in — both the calendar `at` firing time AND the
3601 /// `active.{from,until}` window bounds. `local` (default) = the
3602 /// running host's TZ (the agent's for `runs_on: agent`, the
3603 /// backend server's otherwise); `utc` for TZ-independent
3604 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
3605 /// for firing (poll cron runs every minute regardless) but still
3606 /// honor it for the `active` window.
3607 #[serde(default)]
3608 pub tz: ScheduleTz,
3609 /// v0.22: optional humantime window after a cron tick during
3610 /// which the Command is still considered "live". The scheduler
3611 /// computes `tick_at + starting_deadline` and stamps it onto
3612 /// each Command as `deadline_at`; agents skip Commands they
3613 /// receive after that absolute time. `None` (default) = no
3614 /// deadline, meaning a Command queued in the broker / stream
3615 /// during agent downtime runs whenever the agent reconnects —
3616 /// good for kitting / inventory / cleanup. Set this for
3617 /// time-of-day notifications, lunch reminders, etc., where
3618 /// "fire 3 hours late" would be wrong.
3619 #[serde(default, skip_serializing_if = "Option::is_none")]
3620 pub starting_deadline: Option<String>,
3621 /// v0.23: where does the cron tick happen? `Backend` (default,
3622 /// historical) = backend's scheduler fires Commands via NATS;
3623 /// agents passively receive. `Agent` = each targeted agent runs
3624 /// its own internal cron and fires locally, so the schedule
3625 /// keeps ticking even when the broker is unreachable (laptop on
3626 /// the train, broker maintenance window, full WAN outage). The
3627 /// two locations are mutually exclusive — when `Agent`, the
3628 /// backend scheduler stays out and just keeps the definition in
3629 /// KV for agents to read.
3630 #[serde(default)]
3631 pub runs_on: RunsOn,
3632 #[serde(default = "default_true")]
3633 pub enabled: bool,
3634 /// Free-form operator taxonomy for the Schedules page — the
3635 /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
3636 /// code ref rather than an intra-doc link, since that field isn't
3637 /// on this branch until #640 merges). Purely a SPA-side
3638 /// organisational aid (search / filter chips alongside the
3639 /// id-prefix grouping); the scheduler never reads it, so any
3640 /// string is allowed and it carries no firing semantics. A
3641 /// schedule's own tags are independent of its job's: the same job
3642 /// may back a `weekly` maintenance schedule and a `canary` rollout
3643 /// schedule. Empty by default and `skip_serializing_if`-elided per
3644 /// the #492 gradual-upgrade wire rule.
3645 #[serde(default, skip_serializing_if = "Vec::is_empty")]
3646 pub tags: Vec<String>,
3647 /// GitOps provenance (#695) — see [`RepoOrigin`]. Stamped by
3648 /// `kanade schedule create` when the source YAML lives inside a Git
3649 /// work tree, so the SPA renders the schedule read-only and points
3650 /// edits back at the repo (SPEC design principle #3: 設定駆動 YAML +
3651 /// Git), parity with a job's [`Manifest::origin`]. `None` for
3652 /// SPA-born schedules and ones applied from outside any repo. Purely
3653 /// informational — the scheduler never reads it. New field ⇒ #492
3654 /// wire rule (`default` + `skip_serializing_if`).
3655 #[serde(default, skip_serializing_if = "Option::is_none")]
3656 pub origin: Option<RepoOrigin>,
3657}
3658
3659/// v0.23 — where the cron tick fires from.
3660#[derive(
3661 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3662)]
3663#[serde(rename_all = "snake_case")]
3664pub enum RunsOn {
3665 /// Backend's central scheduler ticks and publishes Commands to
3666 /// NATS. Historical default, what every pre-v0.23 schedule
3667 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
3668 /// reconnects ⇒ catch-up via [`command_replay`](crate)
3669 /// (see kanade-agent's command_replay module).
3670 #[default]
3671 Backend,
3672 /// Each targeted agent runs the cron tick locally. Survives
3673 /// broker / WAN outages. Best for laptops / mobile devices that
3674 /// roam off the corporate network. Agent must be online for the
3675 /// initial schedule + job-catalog pull, but once cached the
3676 /// agent fires the script standalone.
3677 Agent,
3678}
3679
3680/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
3681#[derive(
3682 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3683)]
3684#[serde(rename_all = "snake_case")]
3685pub enum ExecMode {
3686 /// Fire on every cron tick at the whole target. Historical
3687 /// (pre-v0.19) behavior; no dedup.
3688 #[default]
3689 EveryTick,
3690 /// Fire at each pc until that pc succeeds; then skip it until
3691 /// the optional cooldown elapses (or forever if no cooldown).
3692 /// Use for kitting / first-boot / per-pc compliance checks.
3693 OncePerPc,
3694 /// Fire at the whole target until **any** pc succeeds; then
3695 /// skip the whole target until the optional cooldown elapses
3696 /// (or forever if no cooldown). Use for "one delegate is
3697 /// enough" tasks like license check-in.
3698 OncePerTarget,
3699 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
3700 /// no cron — the agent fires it from an OS event source (boot /
3701 /// session-change), not a tick — so the scheduler skips
3702 /// `tokio-cron` registration for it. Each event occurrence fires
3703 /// once, gated by the standard freeze / active / window /
3704 /// skip_dates checks.
3705 Event,
3706}
3707
3708/// #418 Phase 1 — the single "when does this fire" axis.
3709///
3710/// Replaces the old `cron` + `mode` + `cooldown` trio whose
3711/// interactions were implicit (cron doubled as both a real
3712/// time-of-day trigger and a reconcile poll period; contradictory
3713/// combinations silently no-opped). Two shapes:
3714///
3715/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
3716/// pc (or one delegate) should have run this within `every`".
3717/// The poll period is system-generated ([`POLL_CRON`], every
3718/// minute) and no longer the operator's concern.
3719/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
3720/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
3721/// the whole target at the given time, no dedup. `at: "09:00"` +
3722/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
3723/// exactly once. Evaluated in the schedule's top-level `tz`.
3724#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3725#[serde(rename_all = "snake_case")]
3726pub enum When {
3727 /// Fire at each targeted pc: `once` (kitting — succeed once,
3728 /// skip forever, forever catching brand-new / re-imaged pcs)
3729 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
3730 /// the interval).
3731 PerPc(PerPolicy),
3732 /// Fire until **any** one pc of the target succeeds, then skip
3733 /// the whole target (`once`) or re-arm after `every`. Needs
3734 /// fleet-wide completion data, so it is backend-only —
3735 /// `runs_on: agent` + `per_target` is rejected by
3736 /// [`Schedule::validate`].
3737 PerTarget(PerPolicy),
3738 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
3739 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
3740 /// the whole target at that wall-clock time in the schedule's
3741 /// `tz` — no dedup, no cooldown.
3742 Calendar(CalendarSpec),
3743 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
3744 /// Fires when the agent observes the listed OS event(s) rather than
3745 /// on a clock — there is no cron. `runs_on: agent` only (the agent
3746 /// owns the event source); [`Schedule::validate`] rejects it on
3747 /// `backend` and rejects an empty list. Each event occurrence fires
3748 /// once, gated by the same freeze / active / `constraints.window` /
3749 /// `skip_dates` checks as the cron path. `startup` fires once per OS
3750 /// boot (deduped via the host boot time); a `starting_deadline`, if
3751 /// set, limits it to "agent came up within that long after boot".
3752 On(Vec<OnTrigger>),
3753}
3754
3755/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
3756#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
3757#[serde(rename_all = "snake_case")]
3758pub enum OnTrigger {
3759 /// Once per OS boot (the agent's first run for that boot). Catches
3760 /// freshly-imaged / reinstalled hosts at their next startup.
3761 Startup,
3762 /// On an interactive-session user logon — console, RDP, or
3763 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
3764 /// service / network / batch logons (no interactive session).
3765 Logon,
3766 /// When the workstation is locked (Win+L / idle lock; Windows
3767 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
3768 Lock,
3769 /// When the workstation is unlocked — the user returns to a locked
3770 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
3771 /// compliance / refresh state when work resumes.
3772 Unlock,
3773 /// When the host's network changes — IP address table change on
3774 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
3775 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
3776 /// from one transition fires once after the network settles), so
3777 /// use it for "re-check connectivity / re-register on network move"
3778 /// rather than expecting one fire per raw adapter event.
3779 ///
3780 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
3781 /// transition that touches only IPv6 addresses won't fire. In practice
3782 /// dual-stack networks change both tables together, but a pure-IPv6
3783 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
3784 NetworkChange,
3785}
3786
3787/// Calendar time trigger (#418 Phase 2). `at` is either a time of
3788/// day (`"HH:MM"`, repeating — combine with `days`) or a full
3789/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
3790/// never again). Evaluated in the schedule's top-level `tz`.
3791#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
3792pub struct CalendarSpec {
3793 /// `"HH:MM"` (24h) for a repeating trigger, or
3794 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
3795 /// accepted) for a one-shot. Parsed lazily —
3796 /// [`Schedule::validate`] rejects garbage at create time.
3797 pub at: String,
3798 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
3799 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
3800 /// field, so ranges and names both work). An **nth-weekday**
3801 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
3802 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
3803 /// `["friL"]` fires only on the last Friday of each month (handy
3804 /// for monthly maintenance). Empty = every day. Must be empty
3805 /// when `at` carries a date (the date already pins the day).
3806 #[serde(default, skip_serializing_if = "Vec::is_empty")]
3807 pub days: Vec<String>,
3808}
3809
3810/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
3811/// date for a one-shot (`None` = repeating time-of-day).
3812struct ParsedAt {
3813 minute: u32,
3814 hour: u32,
3815 date: Option<chrono::NaiveDate>,
3816}
3817
3818impl CalendarSpec {
3819 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
3820 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
3821 fn parse_at(&self) -> Result<ParsedAt, String> {
3822 use chrono::Timelike;
3823 let s = self.at.trim();
3824 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
3825 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
3826 return Ok(ParsedAt {
3827 minute: dt.minute(),
3828 hour: dt.hour(),
3829 date: Some(dt.date()),
3830 });
3831 }
3832 }
3833 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
3834 return Ok(ParsedAt {
3835 minute: t.minute(),
3836 hour: t.hour(),
3837 date: None,
3838 });
3839 }
3840 Err(format!(
3841 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
3842 self.at
3843 ))
3844 }
3845
3846 /// Pre-flight check on the `days` tokens so a bad day name gives
3847 /// a `when.days:`-scoped error instead of croner's confusing
3848 /// "when.at lowered to invalid cron" (claude #432 review). Each
3849 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
3850 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
3851 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
3852 /// **last-weekday** like `friL` (last Friday of the month).
3853 fn validate_days(&self) -> Result<(), String> {
3854 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
3855 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
3856 for tok in &self.days {
3857 // Report the whole token on a malformed range like `mon-`
3858 // (which would otherwise split to a cryptic empty part —
3859 // claude #432 follow-up).
3860 let invalid = |reason: &str| {
3861 Err(format!(
3862 "when.days: invalid day token '{tok}' ({reason}; \
3863 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
3864 like tue#2, a last-weekday like friL, or *)"
3865 ))
3866 };
3867 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
3868 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
3869 // `to_cron` passes the token through verbatim, so the
3870 // engine fires only on that occurrence. It's a single
3871 // weekday + ordinal — not combinable with a range.
3872 if let Some((day_part, nth_part)) = tok.split_once('#') {
3873 // Normalize once and use `d` consistently (gemini #547);
3874 // the outer `invalid` already echoes the raw `tok`.
3875 let d = day_part.trim().to_ascii_lowercase();
3876 if d.contains('-') || !is_day(&d) {
3877 return invalid("the part before # must be a single weekday");
3878 }
3879 match nth_part.trim().parse::<u8>() {
3880 Ok(n) if (1..=5).contains(&n) => {}
3881 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
3882 }
3883 continue;
3884 }
3885 // #418: last-weekday suffix (`friL` = last Friday of the
3886 // month — the monthly-maintenance sibling of Patch Tuesday).
3887 // Croner accepts `<dow>L` in the DOW field with verified
3888 // last-<dow>-of-month semantics, and `to_cron` passes it
3889 // through verbatim. A single weekday + `L` — bare `L` and
3890 // ranges are rejected (croner would read bare `L` as
3891 // Saturday, which is a confusing footgun).
3892 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
3893 // No `.trim()`: a cron DOW token can't carry internal
3894 // whitespace, so `"fri L"` must be *rejected* here (its
3895 // strip leaves `"fri "`, and `is_day` catches the space)
3896 // rather than trimmed into a clean `"fri"` that then
3897 // produces a malformed `fri L` cron downstream and a
3898 // confusing croner error (gemini #560).
3899 let d = day_part.to_ascii_lowercase();
3900 if d.is_empty() {
3901 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
3902 }
3903 if d.contains('-') || !is_day(&d) {
3904 return invalid(
3905 "the part before L must be a single weekday (e.g. friL = last Friday)",
3906 );
3907 }
3908 continue;
3909 }
3910 for part in tok.split('-') {
3911 let p = part.trim().to_ascii_lowercase();
3912 if p.is_empty() {
3913 return invalid("empty range bound");
3914 }
3915 if p != "*" && !is_day(&p) {
3916 return invalid(&format!("'{part}' is not a day"));
3917 }
3918 }
3919 }
3920 Ok(())
3921 }
3922
3923 /// For a one-shot (`at` carries a date), the absolute instant it
3924 /// fires in `tz`. `None` for a repeating calendar. Used to warn
3925 /// about a one-shot whose date is already in the past (it would
3926 /// never fire).
3927 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
3928 let p = self.parse_at().ok()?;
3929 let date = p.date?;
3930 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
3931 tz.naive_to_utc(naive)
3932 }
3933
3934 /// The wall-clock time-of-day this calendar fires at (`None` if
3935 /// `at` is unparseable — validate() guards that). Used to detect
3936 /// a calendar whose fire time can never fall inside its
3937 /// `constraints.window` (claude #452 review).
3938 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
3939 let p = self.parse_at().ok()?;
3940 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
3941 }
3942
3943 /// Lower to the cron string the scheduler engine runs. Repeating
3944 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
3945 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
3946 /// fires — that's what makes it one-shot).
3947 fn to_cron(&self) -> Result<String, String> {
3948 use chrono::Datelike;
3949 let ParsedAt { minute, hour, date } = self.parse_at()?;
3950 match date {
3951 Some(d) => {
3952 if !self.days.is_empty() {
3953 return Err(
3954 "when.at with a date is a one-shot and cannot be combined with days".into(),
3955 );
3956 }
3957 Ok(format!(
3958 "0 {minute} {hour} {} {} * {}",
3959 d.day(),
3960 d.month(),
3961 d.year()
3962 ))
3963 }
3964 None => {
3965 let dow = if self.days.is_empty() {
3966 "*".to_string()
3967 } else {
3968 self.validate_days()?;
3969 self.days.join(",")
3970 };
3971 Ok(format!("0 {minute} {hour} * * {dow}"))
3972 }
3973 }
3974 }
3975}
3976
3977/// The timezone a schedule's wall-clock fields (`when.at`,
3978/// `active.{from,until}`) are evaluated in (#418 Phase 2).
3979#[derive(
3980 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3981)]
3982#[serde(rename_all = "snake_case")]
3983pub enum ScheduleTz {
3984 /// The running host's local timezone — the agent's for
3985 /// `runs_on: agent`, the backend server's otherwise. Default.
3986 #[default]
3987 Local,
3988 /// UTC — for timezone-independent schedules.
3989 Utc,
3990}
3991
3992impl ScheduleTz {
3993 /// Interpret a naive (zoneless) datetime as being in this tz and
3994 /// convert to UTC. On a DST *fold* (the local time occurs twice
3995 /// when clocks go back) we pick `.earliest()` rather than
3996 /// rejecting it; `None` is reserved for a true DST *gap* (a local
3997 /// time that never exists). `Utc` is fixed-offset so neither ever
3998 /// happens; `Local` is whatever timezone the running host is set
3999 /// to and *can* hit a gap/fold on any DST-observing host — not
4000 /// just the JST we run today (gemini + claude #432 review).
4001 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
4002 use chrono::TimeZone;
4003 match self {
4004 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
4005 naive,
4006 chrono::Utc,
4007 )),
4008 ScheduleTz::Local => chrono::Local
4009 .from_local_datetime(&naive)
4010 .earliest()
4011 .map(|dt| dt.with_timezone(&chrono::Utc)),
4012 }
4013 }
4014
4015 /// The wall-clock time-of-day `now` reads as in this tz — used by
4016 /// [`Constraints::allows`] to test a maintenance window
4017 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
4018 /// running host's local time.
4019 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
4020 match self {
4021 ScheduleTz::Utc => now.time(),
4022 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
4023 }
4024 }
4025
4026 /// The wall-clock *date* `now` reads as in this tz — used by
4027 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
4028 /// exclusion). Same tz semantics as [`Self::wall_time`].
4029 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
4030 match self {
4031 ScheduleTz::Utc => now.date_naive(),
4032 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
4033 }
4034 }
4035
4036 /// Stable lowercase wire/display label (`local` / `utc`) — matches
4037 /// the serde `snake_case` representation. Used for the preview
4038 /// response's `tz` field so the JSON shape isn't coupled to the
4039 /// `Debug` repr (claude #578 review).
4040 pub fn as_str(self) -> &'static str {
4041 match self {
4042 ScheduleTz::Local => "local",
4043 ScheduleTz::Utc => "utc",
4044 }
4045 }
4046}
4047
4048impl std::fmt::Display for ScheduleTz {
4049 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
4050 f.write_str(self.as_str())
4051 }
4052}
4053
4054/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
4055/// `per_target`. Untagged so the YAML stays the bare keyword or a
4056/// one-key map, nothing more ceremonial.
4057#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4058#[serde(untagged)]
4059pub enum PerPolicy {
4060 /// The bare string `once`: succeed once, then skip permanently
4061 /// (cooldown = infinity).
4062 Once(OnceLiteral),
4063 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
4064 Every(EverySpec),
4065}
4066
4067/// Single-variant enum so serde accepts exactly the string `once`
4068/// (a free-form `String` would swallow typos like `onec`).
4069#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
4070#[serde(rename_all = "snake_case")]
4071pub enum OnceLiteral {
4072 Once,
4073}
4074
4075/// `{ every: <humantime> }`. Standalone struct (not an inline
4076/// struct variant). `{ evry: 6h }` still fails to parse (the
4077/// required `every` key is missing), and the create boundaries
4078/// reject the unknown `evry` via [`crate::strict`] with its path —
4079/// while agents reading a future writer's extra fields tolerate
4080/// them (#492).
4081#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4082pub struct EverySpec {
4083 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
4084 /// [`Schedule::validate`] rejects garbage at create time.
4085 pub every: String,
4086}
4087
4088impl PerPolicy {
4089 /// The cooldown this policy lowers to: `once` = `None`
4090 /// (permanent skip), `every` = the interval.
4091 fn cooldown(&self) -> Option<String> {
4092 match self {
4093 PerPolicy::Once(_) => None,
4094 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
4095 }
4096 }
4097}
4098
4099impl std::fmt::Display for When {
4100 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
4101 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
4102 /// lines, audit payloads and the API's `ScheduleSummary`.
4103 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
4104 let policy = |p: &PerPolicy| match p {
4105 PerPolicy::Once(_) => "once".to_string(),
4106 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
4107 };
4108 match self {
4109 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
4110 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
4111 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
4112 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
4113 When::On(triggers) => {
4114 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
4115 write!(f, "on [{}]", names.join(","))
4116 }
4117 }
4118 }
4119}
4120
4121impl OnTrigger {
4122 /// Lowercase wire/display label (matches the serde `snake_case`).
4123 pub fn as_str(self) -> &'static str {
4124 match self {
4125 OnTrigger::Startup => "startup",
4126 OnTrigger::Logon => "logon",
4127 OnTrigger::Lock => "lock",
4128 OnTrigger::Unlock => "unlock",
4129 OnTrigger::NetworkChange => "network_change",
4130 }
4131 }
4132}
4133
4134/// Optional validity window for a [`Schedule`] (#418 decision G).
4135/// Half-open `[from, until)`; either bound may be omitted. Bounds
4136/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
4137/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
4138/// strings so the JSON Schema the SPA editor consumes stays two
4139/// plain string fields, mirroring `jitter` / `starting_deadline`.
4140///
4141/// #418 Phase 2: bounds are evaluated in the schedule's top-level
4142/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
4143/// calendar `at` AND the `active` window local — one consistent
4144/// timezone per schedule.
4145#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4146pub struct Active {
4147 /// Dormant before this instant.
4148 #[serde(default, skip_serializing_if = "Option::is_none")]
4149 pub from: Option<String>,
4150 /// Dormant from this instant on (exclusive).
4151 #[serde(default, skip_serializing_if = "Option::is_none")]
4152 pub until: Option<String>,
4153}
4154
4155impl Active {
4156 /// `skip_serializing_if` helper — an empty window means "always
4157 /// active" and is omitted from the wire format entirely.
4158 pub fn is_empty(&self) -> bool {
4159 self.from.is_none() && self.until.is_none()
4160 }
4161
4162 /// Parse one bound: RFC3339 first (offset honored, `tz`
4163 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
4164 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
4165 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
4166 return Ok(dt.with_timezone(&chrono::Utc));
4167 }
4168 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
4169 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
4170 return tz.naive_to_utc(midnight).ok_or_else(|| {
4171 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
4172 });
4173 }
4174 Err(format!(
4175 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
4176 ))
4177 }
4178
4179 /// Is `now` inside the window? Unparseable bounds are treated
4180 /// as absent here (fail-open) — [`Schedule::validate`] is the
4181 /// place that rejects them loudly; this runs on every tick and
4182 /// must never panic on a stale KV blob.
4183 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
4184 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
4185 if bound(&self.from).is_some_and(|from| now < from) {
4186 return false;
4187 }
4188 if bound(&self.until).is_some_and(|until| now >= until) {
4189 return false;
4190 }
4191 true
4192 }
4193}
4194
4195/// Host-environment gate (#418 `constraints.require`). Fire only when
4196/// the target host is in the required state. Sensed **in-process by the
4197/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
4198/// read a target host's power/idle state ([`Schedule::validate`]
4199/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
4200///
4201/// Evaluated at fire time as a skip-this-tick gate (NOT in
4202/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
4203/// cadence re-checks every minute (so it effectively defers until the
4204/// state is met — the intended pairing); a `calendar` fire that lands
4205/// while the state is unmet is simply missed, same as `window`. It is
4206/// therefore a *runtime* gate and does not appear in `preview`.
4207// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
4208#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
4209pub struct Require {
4210 /// Fire only while on **AC power** (skip on battery). Reads
4211 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
4212 /// as not-on-AC (fail-closed — a restrictive gate must not fire
4213 /// when it can't confirm the condition). `false` (default) = no
4214 /// power requirement.
4215 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
4216 pub ac_power: bool,
4217 /// Fire only when the active console session has had **no keyboard /
4218 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
4219 /// "don't run while the user is actively working". Input-based
4220 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
4221 /// headless / disconnected console (no interactive user) trivially
4222 /// satisfies it. `None` (default) = no idle requirement. Parsed
4223 /// lazily; [`Schedule::validate`] rejects garbage at create time.
4224 #[serde(default, skip_serializing_if = "Option::is_none")]
4225 pub idle: Option<String>,
4226 /// Fire only when the **whole-machine CPU usage is below this
4227 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
4228 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
4229 /// sample (`sysinfo` mean over cores), so the reading is up to one
4230 /// `host_perf` cadence old (default 60s) — fine as a "generally
4231 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
4232 /// needs two samples). An unavailable sample (host_perf not warmed
4233 /// up yet, or stale) is treated as "not below" (fail-closed — a
4234 /// restrictive gate must not fire when it can't confirm). `None`
4235 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
4236 /// out-of-range value at create time.
4237 #[serde(default, skip_serializing_if = "Option::is_none")]
4238 pub cpu_below: Option<f64>,
4239 /// Fire only when the host has **internet connectivity** (Windows
4240 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
4241 /// until online" for jobs that download / phone home. A captive
4242 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
4243 /// unknown/unreadable state is treated as offline (fail-closed) — a
4244 /// portal would just fail a download, so we hold the run. For VPN /
4245 /// SASE / app-specific conditions, use a custom script gate (separate
4246 /// slice). `false` (default) = no network requirement.
4247 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
4248 pub network: bool,
4249}
4250
4251impl Require {
4252 /// `skip_serializing_if` helper for an embedded empty `require`.
4253 pub fn is_empty(&self) -> bool {
4254 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
4255 }
4256
4257 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
4258 /// unparseable value — `validate` rejects the latter at create time).
4259 pub fn min_idle(&self) -> Option<std::time::Duration> {
4260 self.idle
4261 .as_deref()
4262 .and_then(|s| humantime::parse_duration(s.trim()).ok())
4263 }
4264
4265 /// First unparseable field for create-time rejection (mirrors
4266 /// [`Constraints::bad_skip_date`]).
4267 pub fn bad_idle(&self) -> Option<String> {
4268 self.idle.as_deref().and_then(|s| {
4269 humantime::parse_duration(s.trim())
4270 .err()
4271 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
4272 })
4273 }
4274}
4275
4276/// Host-environment state sensed by the agent, fed to [`require_met`].
4277/// A named struct (not positional args) so the growing set of sensed
4278/// signals — several of them `bool` — can't be transposed at a call
4279/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
4280#[derive(Debug, Clone, Copy, Default)]
4281pub struct EnvState {
4282 /// Is the host on AC power (`false` if on battery or unreadable).
4283 pub ac_online: bool,
4284 /// How long the console has been idle (`None` = couldn't determine).
4285 pub idle: Option<std::time::Duration>,
4286 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
4287 pub cpu_pct: Option<f64>,
4288 /// Does the host have internet connectivity (`false` if offline /
4289 /// LAN-only / unreadable).
4290 pub network_up: bool,
4291}
4292
4293/// Pure env-gate decision (#418 `constraints.require`). The Win32
4294/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
4295/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
4296/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
4297/// pure and `preview` never evaluates a runtime gate. Each set
4298/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
4299pub fn require_met(req: &Require, env: &EnvState) -> bool {
4300 if req.ac_power && !env.ac_online {
4301 return false;
4302 }
4303 if let Some(min) = req.min_idle() {
4304 match env.idle {
4305 Some(d) if d >= min => {}
4306 _ => return false,
4307 }
4308 }
4309 if let Some(max) = req.cpu_below {
4310 match env.cpu_pct {
4311 Some(p) if p < max => {}
4312 _ => return false,
4313 }
4314 }
4315 if req.network && !env.network_up {
4316 return false;
4317 }
4318 true
4319}
4320
4321/// [`Active`] decides *over what date range* a schedule is live,
4322/// `Constraints` decides *when, within an active period,* a fire is
4323/// allowed: `window` (a maintenance time-of-day window),
4324/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
4325/// (holiday exclusion) and `require` (host-environment gates, agent-only
4326/// — see [`Require`]).
4327// No `Eq`: contains `require: Option<Require>` which holds an f64.
4328#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
4329pub struct Constraints {
4330 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
4331 /// `tz`). Fires outside it are skipped — mainly for reconcile
4332 /// cadences ("patrol every 6h, but only fire overnight") and
4333 /// daytime change-freezes. `start > end` crosses midnight
4334 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
4335 /// lazily; [`Schedule::validate`] rejects garbage at create time.
4336 #[serde(default, skip_serializing_if = "Option::is_none")]
4337 pub window: Option<String>,
4338 /// Fleet-wide cap on how many instances of this schedule's job may
4339 /// run **at the same time** (#418 "同時実行ハード上限"). The
4340 /// backend scheduler counts the job's still-in-flight runs
4341 /// (`execution_results.finished_at IS NULL`) each tick and only
4342 /// dispatches to as many remaining pcs as there are free slots —
4343 /// a rolling window that refills as runs complete. Useful for
4344 /// disk/CPU/network-heavy jobs you don't want hammering the whole
4345 /// fleet at once.
4346 ///
4347 /// **Backend-only** (it needs a central counter): combining it
4348 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
4349 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
4350 /// for `per_pc` reconcile cadences, where the poll re-ticks and
4351 /// refills slots. `None` (default) = no cap.
4352 #[serde(default, skip_serializing_if = "Option::is_none")]
4353 pub max_concurrent: Option<u32>,
4354 /// Calendar dates the schedule must **not** fire on — holidays,
4355 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
4356 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
4357 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
4358 /// the whole day; a calendar fire landing on the date is
4359 /// suppressed) and is honored by both the live scheduler and
4360 /// `preview`, since both gate on [`Constraints::allows`]. Empty
4361 /// (default) = no skips. Operator-supplied: there is no built-in
4362 /// holiday calendar — list the dates you care about. Parsed lazily;
4363 /// [`Schedule::validate`] rejects a malformed date at create time.
4364 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4365 pub skip_dates: Vec<String>,
4366 /// Host-environment gate (#418): fire only when the target host is
4367 /// in the required state (on AC power, idle). Agent-sensed at fire
4368 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
4369 /// no environment requirement.
4370 #[serde(default, skip_serializing_if = "Option::is_none")]
4371 pub require: Option<Require>,
4372}
4373
4374impl Constraints {
4375 /// `skip_serializing_if` helper — empty constraints are omitted
4376 /// from the wire format entirely.
4377 pub fn is_empty(&self) -> bool {
4378 self.window.is_none()
4379 && self.max_concurrent.is_none()
4380 && self.skip_dates.is_empty()
4381 && self.require.as_ref().is_none_or(Require::is_empty)
4382 }
4383
4384 /// The first unparseable `skip_dates` entry, if any — the
4385 /// scheduler logs it at register time so a fail-closed
4386 /// (never-firing) schedule from a hand-edited KV blob is
4387 /// diagnosable, mirroring [`Schedule::bad_window`].
4388 pub fn bad_skip_date(&self) -> Option<String> {
4389 self.skip_dates.iter().find_map(|s| {
4390 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
4391 .err()
4392 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
4393 })
4394 }
4395
4396 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
4397 /// error (a zero-width or all-day window is ambiguous — write no
4398 /// window for "always").
4399 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
4400 let (a, b) = s
4401 .split_once('-')
4402 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
4403 let parse = |part: &str| {
4404 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
4405 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
4406 };
4407 let (start, end) = (parse(a)?, parse(b)?);
4408 if start == end {
4409 return Err(format!(
4410 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
4411 ));
4412 }
4413 Ok((start, end))
4414 }
4415
4416 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
4417 /// always allowed. Half-open `[start, end)`; `start > end`
4418 /// crosses midnight.
4419 ///
4420 /// **Fail-closed** on an unparseable window (returns `false`,
4421 /// gemini #452 review): a window is a *restrictive* constraint
4422 /// (change-freeze / overnight-only), so a corrupt one must NOT
4423 /// silently allow fires during the restricted hours. Bad windows
4424 /// are rejected at create time by [`Schedule::validate`]; this
4425 /// only bites a hand-edited KV blob, where blocking is the safe
4426 /// direction. The scheduler warns at register time
4427 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
4428 /// The tick path never panics regardless.
4429 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
4430 // #418 holiday / blackout dates: never fire on a listed wall
4431 // date (in `tz`). Checked before the window since a skipped day
4432 // overrides any within-window allowance. Fail-closed on a
4433 // corrupt entry (same posture as `window`): a skip date is a
4434 // *restrictive* constraint, so a garbled one must not silently
4435 // re-enable fires — it blocks until fixed (`validate` rejects it
4436 // at create time; `bad_skip_date` lets the scheduler warn).
4437 if !self.skip_dates.is_empty() {
4438 let today = tz.wall_date(now);
4439 let blocked = self.skip_dates.iter().any(|s| {
4440 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
4441 Ok(d) => d == today,
4442 Err(_) => true, // corrupt entry → fail-closed (block)
4443 }
4444 });
4445 if blocked {
4446 return false;
4447 }
4448 }
4449 match self.window.as_deref() {
4450 // No window → always allowed.
4451 None => true,
4452 // Window set: membership, or fail-closed if unparseable
4453 // (`window_contains` returns None for a corrupt window).
4454 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
4455 }
4456 }
4457
4458 /// Membership of a wall-clock time-of-day in the window. `None`
4459 /// when there is no window or it's unparseable (callers decide
4460 /// the failure direction). `start > end` crosses midnight.
4461 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
4462 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
4463 Some(if start <= end {
4464 start <= t && t < end
4465 } else {
4466 t >= start || t < end
4467 })
4468 }
4469}
4470
4471/// What to do when a fire's script fails (#418 Phase 4 — the "高"
4472/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
4473/// happens, `OnFailure` decides what happens *after* one ran and
4474/// came back bad. Only `retry` so far; future `notify` / `disable`
4475/// would join the same namespace.
4476#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4477pub struct OnFailure {
4478 /// Re-run the script in-process when it exits non-zero (or times
4479 /// out), up to a cap, with a fixed backoff between attempts.
4480 /// `None` (default) = no retry: a failed run is published as-is
4481 /// and (for reconcile cadences) simply re-fires on the next poll
4482 /// tick. See [`Retry`].
4483 #[serde(default, skip_serializing_if = "Option::is_none")]
4484 pub retry: Option<Retry>,
4485}
4486
4487impl OnFailure {
4488 /// `skip_serializing_if` helper — an empty policy is omitted from
4489 /// the wire format entirely.
4490 pub fn is_empty(&self) -> bool {
4491 self.retry.is_none()
4492 }
4493
4494 /// Lower the operator-facing `retry` (humantime backoff) onto the
4495 /// engine vocabulary the agent's executor runs on (backoff in
4496 /// whole seconds). Single seam shared by the backend command
4497 /// builder and the agent's local scheduler so the two stamp the
4498 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
4499 /// `None` when there is no retry policy or the backoff is
4500 /// unparseable (validate() rejects the latter at create time;
4501 /// this stays fail-safe = "no retry" for a hand-edited KV blob
4502 /// rather than panicking on the fire path).
4503 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
4504 let r = self.retry.as_ref()?;
4505 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
4506 Some(crate::wire::RetrySpec {
4507 max: r.max,
4508 backoff_secs,
4509 })
4510 }
4511}
4512
4513/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
4514/// *additional* attempts after the first run (so `max: 3` = up to 4
4515/// total executions); `backoff` is the humantime delay slept between
4516/// attempts. The retry happens fire-side (inside `kanade fire` /
4517/// `handle_command`) on every OS for the PoC — the Windows-native
4518/// "restart on failure" Task Scheduler path is deferred to the
4519/// native-delegation phase (#418 decision H).
4520#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4521pub struct Retry {
4522 /// Max additional attempts after the first failure. Bounded
4523 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
4524 /// with a short backoff would otherwise pin a flapping script in
4525 /// a tight loop for the whole window.
4526 pub max: u32,
4527 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
4528 pub backoff: String,
4529}
4530
4531/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
4532/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
4533/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
4534/// global* "stop all automated change" switch the operator flips
4535/// during an incident or a year-end change-freeze. It lives in its
4536/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
4537/// active, both the backend scheduler and every agent's local
4538/// scheduler skip *every* fire.
4539///
4540/// Shapes:
4541/// * `{}` (no bounds) — frozen indefinitely until the operator
4542/// clears it (incident "big red button").
4543/// * `{ from, until }` — frozen only within `[from, until)`,
4544/// evaluated in `tz` (planned change-freeze; auto-thaws).
4545///
4546/// The KV key being *absent* means "not frozen" — so clearing the
4547/// freeze is a KV delete, and `is_active` only ever runs on a freeze
4548/// the operator actually set.
4549#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4550pub struct Freeze {
4551 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
4552 /// `tz`). `None` ⇒ frozen from the beginning of time.
4553 #[serde(default, skip_serializing_if = "Option::is_none")]
4554 pub from: Option<String>,
4555 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
4556 /// no scheduled end (manual clear required).
4557 #[serde(default, skip_serializing_if = "Option::is_none")]
4558 pub until: Option<String>,
4559 /// Operator-supplied note surfaced on the freeze-skip log and the
4560 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
4561 #[serde(default, skip_serializing_if = "Option::is_none")]
4562 pub reason: Option<String>,
4563 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
4564 /// carry their own offset). Defaults to host-local like a
4565 /// schedule's `tz`.
4566 #[serde(default)]
4567 pub tz: ScheduleTz,
4568}
4569
4570impl Freeze {
4571 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
4572 /// both absent) is frozen unconditionally; otherwise membership of
4573 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
4574 /// but **fails CLOSED** on an unparseable bound — a freeze is a
4575 /// safety switch, so a corrupt window (only reachable via a
4576 /// hand-edited KV blob; `validate` rejects it at set time) must
4577 /// mean "frozen", not "fire normally" (coderabbit #472). This is
4578 /// the one deliberate divergence from `active`'s fail-OPEN
4579 /// behaviour, where an unparseable bound dormant-skips a schedule.
4580 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
4581 // Parse a bound; an unparseable one short-circuits the whole
4582 // check to `true` (frozen) via the closure's `None` sentinel
4583 // handled below.
4584 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
4585 match s.as_deref() {
4586 None => Ok(None),
4587 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
4588 }
4589 };
4590 let (from, until) = match (bound(&self.from), bound(&self.until)) {
4591 (Ok(f), Ok(u)) => (f, u),
4592 // Any corrupt bound → fail closed (frozen).
4593 _ => return true,
4594 };
4595 if from.is_some_and(|f| now < f) {
4596 return false;
4597 }
4598 if until.is_some_and(|u| now >= u) {
4599 return false;
4600 }
4601 true
4602 }
4603
4604 /// Reject unparseable bounds / `from >= until` at set time (the
4605 /// API + CLI counterpart to [`Schedule::validate`]).
4606 pub fn validate(&self) -> Result<(), String> {
4607 let from = self
4608 .from
4609 .as_deref()
4610 .map(|s| Active::parse_bound(s, self.tz))
4611 .transpose()
4612 .map_err(|e| e.replace("active:", "freeze:"))?;
4613 let until = self
4614 .until
4615 .as_deref()
4616 .map(|s| Active::parse_bound(s, self.tz))
4617 .transpose()
4618 .map_err(|e| e.replace("active:", "freeze:"))?;
4619 if let (Some(f), Some(u)) = (from, until) {
4620 if f >= u {
4621 return Err(format!(
4622 "freeze.from ({}) must be strictly before freeze.until ({})",
4623 self.from.as_deref().unwrap_or_default(),
4624 self.until.as_deref().unwrap_or_default(),
4625 ));
4626 }
4627 }
4628 Ok(())
4629 }
4630}
4631
4632/// The system-generated poll cadence every reconcile-shaped `when`
4633/// lowers to. Operators never write this: the real inter-run
4634/// spacing is the `every` cooldown; this only bounds "how soon do
4635/// we notice somebody is due" (#418 decision B took the poll
4636/// period away from the operator).
4637pub const POLL_CRON: &str = "0 * * * * *";
4638
4639/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
4640/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
4641/// unchanged is what lets Phase 1 swap the operator surface without
4642/// touching the tick / dedup machinery.
4643pub struct Lowered {
4644 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
4645 /// reconcile shapes, a 6/7-field cron for calendar shapes.
4646 pub cron: String,
4647 /// Dedup semantics for `decide_fire`.
4648 pub mode: ExecMode,
4649 /// Humantime re-arm interval (`None` = succeed once, skip
4650 /// forever).
4651 pub cooldown: Option<String>,
4652 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
4653 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
4654 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
4655 /// so the same value drives the `active`-window check.
4656 pub tz: ScheduleTz,
4657}
4658
4659impl Schedule {
4660 /// The error message if this schedule's `constraints.window` is
4661 /// set but unparseable, else `None`. The scheduler logs this at
4662 /// register time so a fail-closed (never-firing) schedule from a
4663 /// hand-edited KV blob is diagnosable (gemini #452 review).
4664 pub fn bad_window(&self) -> Option<String> {
4665 let w = self.constraints.window.as_deref()?;
4666 Constraints::parse_window(w).err()
4667 }
4668
4669 /// True when this is a `calendar` schedule whose fire time can
4670 /// never fall inside its `constraints.window` — the cron fires,
4671 /// the window check rejects it, and (firing only at that
4672 /// time-of-day) it effectively never runs. An easy misconfig to
4673 /// set up by accident; the scheduler warns at register time
4674 /// (claude #452 review). Reconcile shapes poll every minute, so
4675 /// they always catch the window opening and aren't affected.
4676 pub fn calendar_outside_window(&self) -> bool {
4677 let When::Calendar(c) = &self.when else {
4678 return false;
4679 };
4680 let Some(t) = c.fire_time() else {
4681 return false;
4682 };
4683 matches!(self.constraints.window_contains(t), Some(false))
4684 }
4685
4686 /// Up to `count` future instants this schedule will fire, as
4687 /// absolute UTC, strictly after `now` — the dry-run / preview
4688 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
4689 /// schedules have discrete fire times; reconcile shapes
4690 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
4691 /// they return an empty vec and the caller describes the cadence
4692 /// instead. Occurrences outside the `active.{from,until}` window or
4693 /// the `constraints.window` are **skipped**, so the list reflects
4694 /// when the schedule will ACTUALLY run, not the raw cron ticks.
4695 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
4696 /// `Job::new_async_tz`, and with the same croner config the
4697 /// scheduler / [`Schedule::validate`] use, so a preview can never
4698 /// disagree with a real fire. A schedule that can never fire (a
4699 /// calendar time wholly outside its window, a past one-shot,
4700 /// `enabled: false` is *not* considered here — callers gate on
4701 /// `enabled` separately) yields an empty vec.
4702 pub fn preview_fires(
4703 &self,
4704 now: chrono::DateTime<chrono::Utc>,
4705 count: usize,
4706 ) -> Vec<chrono::DateTime<chrono::Utc>> {
4707 use croner::parser::{CronParser, Seconds};
4708 if !matches!(self.when, When::Calendar(_)) {
4709 return Vec::new();
4710 }
4711 // Same lowering + croner config as `next_calendar_fire` and the
4712 // live scheduler, so a preview can never disagree with a real
4713 // fire. `preview_fires` adds the N-occurrence walk and the
4714 // active / window filtering on top of that single seam.
4715 let lowered = self.lowered();
4716 let Ok(cron) = CronParser::builder()
4717 .seconds(Seconds::Required)
4718 .dom_and_dow(true)
4719 .build()
4720 .parse(&lowered.cron)
4721 else {
4722 return Vec::new();
4723 };
4724 let accept = |utc: chrono::DateTime<chrono::Utc>| {
4725 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
4726 };
4727 match self.tz {
4728 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
4729 ScheduleTz::Local => {
4730 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
4731 }
4732 }
4733 }
4734
4735 /// Walk croner forward from `after` collecting up to `count`
4736 /// accepted occurrences (converted to UTC). Generic over the tz the
4737 /// cron is evaluated in so `preview_fires` can run it in either
4738 /// `Utc` or `Local` without duplicating the loop.
4739 fn next_occurrences<Tz>(
4740 cron: &croner::Cron,
4741 after: chrono::DateTime<Tz>,
4742 count: usize,
4743 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
4744 ) -> Vec<chrono::DateTime<chrono::Utc>>
4745 where
4746 Tz: chrono::TimeZone,
4747 {
4748 // Bound the scan so an `active`/window dead-end (every future
4749 // tick rejected) can't spin forever: ~4096 raw ticks covers
4750 // >10y of a daily calendar while staying instant for croner.
4751 const SCAN_CAP: usize = 4096;
4752 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
4753 let mut cursor = after;
4754 let mut scanned = 0usize;
4755 while out.len() < count && scanned < SCAN_CAP {
4756 scanned += 1;
4757 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
4758 break;
4759 };
4760 let utc = next.with_timezone(&chrono::Utc);
4761 if accept(utc) {
4762 out.push(utc);
4763 }
4764 // `find_next_occurrence(.., inclusive = false)` already
4765 // advances strictly past `cursor`, so handing it `next`
4766 // verbatim gets the following occurrence — no manual +1s
4767 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
4768 cursor = next;
4769 }
4770 out
4771 }
4772
4773 /// Lower the operator-facing `when` onto the engine vocabulary.
4774 /// Single seam shared by the backend scheduler and the agent's
4775 /// local scheduler so the two can never drift.
4776 pub fn lowered(&self) -> Lowered {
4777 let tz = self.tz;
4778 match &self.when {
4779 When::PerPc(p) => Lowered {
4780 cron: POLL_CRON.into(),
4781 mode: ExecMode::OncePerPc,
4782 cooldown: p.cooldown(),
4783 tz,
4784 },
4785 When::PerTarget(p) => Lowered {
4786 cron: POLL_CRON.into(),
4787 mode: ExecMode::OncePerTarget,
4788 cooldown: p.cooldown(),
4789 tz,
4790 },
4791 // `to_cron` only fails on a malformed `at` (rejected by
4792 // validate() at create time). For a hand-edited KV blob
4793 // that slipped past, emit a deliberately-invalid cron so
4794 // register()'s Job::new_async_tz fails → warn+skip,
4795 // rather than firing at the wrong time.
4796 When::Calendar(c) => Lowered {
4797 cron: c
4798 .to_cron()
4799 .unwrap_or_else(|_| "# invalid calendar at".into()),
4800 mode: ExecMode::EveryTick,
4801 cooldown: None,
4802 tz,
4803 },
4804 // Event triggers have no cron — the agent fires them from an
4805 // OS event source. The `# event-trigger` cron is never
4806 // registered (the scheduler branches on `is_event()` first),
4807 // but keep it deliberately-invalid as a belt-and-suspenders
4808 // so a stray registration would fail rather than misfire.
4809 When::On(_) => Lowered {
4810 cron: "# event-trigger (no cron)".into(),
4811 mode: ExecMode::Event,
4812 cooldown: None,
4813 tz,
4814 },
4815 }
4816 }
4817
4818 /// True when this schedule fires from an OS event (`when: { on }`)
4819 /// rather than a clock — the agent skips `tokio-cron` registration
4820 /// for these and drives them from boot / session-change instead.
4821 pub fn is_event(&self) -> bool {
4822 matches!(self.when, When::On(_))
4823 }
4824
4825 /// The OS event triggers this schedule listens for, or `&[]` when it
4826 /// is not an event schedule.
4827 pub fn event_triggers(&self) -> &[OnTrigger] {
4828 match &self.when {
4829 When::On(t) => t,
4830 _ => &[],
4831 }
4832 }
4833
4834 /// The next absolute (UTC) time this schedule fires, or `None` when
4835 /// it has no discrete upcoming fire to preview.
4836 ///
4837 /// Used by the KLP `maintenance.list` preview ("what's about to
4838 /// happen on my PC", SPEC §2.1). Returns `None` for:
4839 ///
4840 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
4841 /// every-minute [`POLL_CRON`] and re-converge state continuously,
4842 /// so "next fire" is always ~60s away and means nothing to a user
4843 /// previewing upcoming maintenance;
4844 /// - a calendar schedule whose lowered cron won't parse (a
4845 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
4846 /// - a cron with no future occurrence.
4847 ///
4848 /// The wall-clock fire is evaluated in the schedule's own `tz`
4849 /// (matching the live tick's `Job::new_async_tz`) then normalised
4850 /// to UTC for the wire. `inclusive = false`: strictly the *next*
4851 /// fire after `now`, never one matching the current instant.
4852 pub fn next_calendar_fire(
4853 &self,
4854 now: chrono::DateTime<chrono::Utc>,
4855 ) -> Option<chrono::DateTime<chrono::Utc>> {
4856 if !matches!(self.when, When::Calendar(_)) {
4857 return None;
4858 }
4859 let lowered = self.lowered();
4860 // Same parser configuration tokio-cron-scheduler 0.15 uses
4861 // internally, so this can never compute a fire the live
4862 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
4863 let cron = croner::parser::CronParser::builder()
4864 .seconds(croner::parser::Seconds::Required)
4865 .dom_and_dow(true)
4866 .build()
4867 .parse(&lowered.cron)
4868 .ok()?;
4869 match lowered.tz {
4870 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
4871 ScheduleTz::Local => {
4872 let now_local = now.with_timezone(&chrono::Local);
4873 cron.find_next_occurrence(&now_local, false)
4874 .ok()
4875 .map(|t| t.with_timezone(&chrono::Utc))
4876 }
4877 }
4878 }
4879
4880 /// Cross-field semantic checks that don't fit pure serde derive
4881 /// — the [`Manifest::validate`] counterpart (#418 decision F;
4882 /// pre-Phase-1 a broken schedule was accepted at create time
4883 /// and silently warn-skipped at tick time). Run at every create
4884 /// site: `kanade schedule create` (client-side) and
4885 /// `POST /api/schedules`. The job_id-exists check lives in the
4886 /// API handler instead — it needs the JOBS KV.
4887 pub fn validate(&self) -> Result<(), String> {
4888 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
4889 return Err(
4890 "when.per_target needs fleet-wide completion data and is backend-only; \
4891 it cannot be combined with runs_on: agent (each agent self-schedules, \
4892 so per-target dedup would be deduping across a target of 1)"
4893 .into(),
4894 );
4895 }
4896 // #418 event triggers: the agent owns the OS event source
4897 // (boot / session-change), so `when: { on }` is agent-only and
4898 // needs at least one trigger.
4899 if let When::On(triggers) = &self.when {
4900 if !matches!(self.runs_on, RunsOn::Agent) {
4901 return Err(
4902 "when.on (OS event trigger) is fired by the agent's own event \
4903 source, so it requires runs_on: agent"
4904 .into(),
4905 );
4906 }
4907 if triggers.is_empty() {
4908 return Err(
4909 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
4910 );
4911 }
4912 }
4913 if let Some(cd) = self.lowered().cooldown.as_deref() {
4914 humantime::parse_duration(cd)
4915 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
4916 }
4917 if let When::Calendar(c) = &self.when {
4918 // Lower the calendar form to its cron (catches a bad `at`
4919 // and the date+days conflict), then validate that cron
4920 // with the same parser configuration tokio-cron-scheduler
4921 // 0.15 uses internally (croner, seconds required,
4922 // DOM-and-DOW both honored, year optional) — create-time
4923 // validation can never accept what register() rejects.
4924 let cron = c.to_cron()?;
4925 croner::parser::CronParser::builder()
4926 .seconds(croner::parser::Seconds::Required)
4927 .dom_and_dow(true)
4928 .build()
4929 .parse(&cron)
4930 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
4931 }
4932 // The other humantime strings on the schedule (claude #419
4933 // review): runtime degrades gracefully on both (bad jitter →
4934 // silent no-op, bad starting_deadline → warn + skipped tick),
4935 // but "rejected at create time" should cover every field the
4936 // operator can typo, not just `when`.
4937 if let Some(j) = &self.plan.jitter {
4938 humantime::parse_duration(j)
4939 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
4940 }
4941 if let Some(sd) = &self.starting_deadline {
4942 humantime::parse_duration(sd)
4943 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
4944 }
4945 let from = self
4946 .active
4947 .from
4948 .as_deref()
4949 .map(|s| Active::parse_bound(s, self.tz))
4950 .transpose()?;
4951 let until = self
4952 .active
4953 .until
4954 .as_deref()
4955 .map(|s| Active::parse_bound(s, self.tz))
4956 .transpose()?;
4957 if let (Some(f), Some(u)) = (from, until) {
4958 if f >= u {
4959 return Err(format!(
4960 "active.from ({}) must be strictly before active.until ({})",
4961 self.active.from.as_deref().unwrap_or_default(),
4962 self.active.until.as_deref().unwrap_or_default(),
4963 ));
4964 }
4965 }
4966 // #418 Phase 3: a bad maintenance window is rejected at create
4967 // time (parse_window also catches equal bounds).
4968 if let Some(w) = self.constraints.window.as_deref() {
4969 Constraints::parse_window(w)?;
4970 }
4971 // #418 holiday exclusion: reject a malformed skip date at create
4972 // time so the fail-closed `allows` path only ever bites a
4973 // hand-edited KV blob, not a fresh `kanade schedule create`.
4974 if let Some(err) = self.constraints.bad_skip_date() {
4975 return Err(err);
4976 }
4977 // #418: constraints.max_concurrent is a central running-instance
4978 // cap, so it needs the backend's counter — reject it on
4979 // runs_on: agent (decision E), and reject a meaningless 0.
4980 if let Some(mc) = self.constraints.max_concurrent {
4981 // Check the structural incompatibility (agent has no central
4982 // counter) before the value range, so a `max_concurrent: 0`
4983 // + `runs_on: agent` combo reports the more fundamental
4984 // problem first (claude #542).
4985 if matches!(self.runs_on, RunsOn::Agent) {
4986 return Err(
4987 "constraints.max_concurrent needs a central counter and is backend-only; \
4988 it cannot be combined with runs_on: agent (each agent self-schedules, \
4989 so there is no fleet-wide count to cap against)"
4990 .into(),
4991 );
4992 }
4993 if mc == 0 {
4994 return Err(
4995 "constraints.max_concurrent must be >= 1 (0 would never fire; \
4996 omit it for no cap)"
4997 .into(),
4998 );
4999 }
5000 }
5001 // #418: constraints.require (host-state env gates: ac_power /
5002 // idle / cpu_below / network) is sensed in-process by the agent,
5003 // so it needs runs_on: agent — the backend can't read a target
5004 // host's power / idle / cpu / connectivity state. Symmetric with
5005 // `when: { on }` (also agent-only); inverse of max_concurrent
5006 // (backend-only).
5007 if let Some(req) = &self.constraints.require {
5008 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
5009 return Err(
5010 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
5011 network) is sensed in-process by the agent and needs runs_on: agent; the \
5012 backend cannot read a target host's power / idle / cpu / connectivity state"
5013 .into(),
5014 );
5015 }
5016 // Reject a malformed idle duration at create time so the
5017 // fail-closed runtime path only ever bites a hand-edited
5018 // KV blob (mirror skip_dates / on_failure.retry).
5019 if let Some(err) = req.bad_idle() {
5020 return Err(err);
5021 }
5022 // cpu_below is a percent — reject out-of-range so a typo
5023 // can't make a schedule that never (>=100 is always-busy?
5024 // no — <0 never matches) or trivially fires.
5025 if let Some(c) = req.cpu_below
5026 && !(c > 0.0 && c <= 100.0)
5027 {
5028 return Err(format!(
5029 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
5030 omit it for no CPU requirement"
5031 ));
5032 }
5033 }
5034 // #418 Phase 4: a bad on_failure.retry is rejected at create
5035 // time — backoff must be valid humantime, and max is bounded
5036 // so a typo can't pin a flapping script in a tight loop.
5037 if let Some(r) = &self.on_failure.retry {
5038 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
5039 format!(
5040 "on_failure.retry.backoff: invalid duration '{}': {e}",
5041 r.backoff
5042 )
5043 })?;
5044 // The wire form lowers backoff to whole seconds, so a
5045 // sub-second value would silently become a 0s no-wait
5046 // (coderabbit #466). Reject it rather than honour a backoff
5047 // the operator can't actually get.
5048 if backoff.as_secs() < 1 {
5049 return Err(format!(
5050 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
5051 round to 0 on the wire",
5052 r.backoff
5053 ));
5054 }
5055 if !(1..=10).contains(&r.max) {
5056 return Err(format!(
5057 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
5058 attempts after the first run",
5059 r.max
5060 ));
5061 }
5062 }
5063 // A blank / whitespace-only tag renders an empty filter chip on
5064 // the Schedules page — reject it at create time, mirroring the
5065 // Manifest::validate tag guard.
5066 for tag in &self.tags {
5067 if tag.trim().is_empty() {
5068 return Err("tags must not contain empty entries".to_string());
5069 }
5070 }
5071 Ok(())
5072 }
5073}
5074
5075fn default_true() -> bool {
5076 true
5077}