kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::ipc::jobs::JobCategory;
4use crate::wire::{RunAs, Shell, Staleness};
5
6/// YAML job manifest (= registered "what to run", v0.18.0+).
7///
8/// Owns only script-intrinsic fields. **Who** (`target`), **how to
9/// phase fanout** (`rollout`), and **when to stagger start**
10/// (`jitter`) all moved to the Schedule / exec request side — same
11/// script can now be fired against different targets / rollouts
12/// without copying the script body.
13///
14/// #492: these types are READ fleet-wide (agents decode them from
15/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
16/// must tolerate unknown fields — `deny_unknown_fields` here made a
17/// gradually-upgrading fleet's OLD agents reject the whole object
18/// the moment a newer backend added any field. Operator typo
19/// protection (the old reason for the attribute) lives at the WRITE
20/// boundaries instead: `kanade job/schedule create` and the backend
21/// POST extractor parse via [`crate::strict`], which rejects unknown
22/// keys with their full paths. The wire rule: new fields always get
23/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
24/// may still be strict).
25#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
26pub struct Manifest {
27 pub id: String,
28 pub version: String,
29 #[serde(default)]
30 pub description: Option<String>,
31 pub execute: Execute,
32 #[serde(default)]
33 pub require_approval: bool,
34 /// Opt-in marker that this job produces a JSON inventory fact
35 /// payload on stdout. When present, the backend's results
36 /// projector parses `ExecResult.stdout` as JSON and upserts an
37 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
38 /// `display` sub-config drives the SPA's Inventory page render.
39 #[serde(default)]
40 pub inventory: Option<InventoryHint>,
41 /// Issue #246: opt-in marker that this job emits per-line
42 /// observability events on stdout (one JSON `ObsEvent` per
43 /// newline). When present, the agent — after the script exits
44 /// successfully — parses each non-empty stdout line as an
45 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
46 /// `obs_outbox`, and (intentionally) **omits the stdout from
47 /// the `ExecResult`** so the timeline data doesn't double up
48 /// in `execution_results.stdout` (which would multiply rows
49 /// by ~50/day/PC of noise).
50 ///
51 /// Distinct from `inventory:` (single JSON object → projector
52 /// upsert) — events are append-only timeline points consumed
53 /// by the dedicated `obs_events` table.
54 #[serde(default)]
55 pub emit: Option<EmitConfig>,
56 /// #290: opt-in marker that this job is an operator-defined
57 /// **health check** whose result feeds the Client App's Health
58 /// tab over KLP (`StateSnapshot.checks`). The script prints a
59 /// free-form JSON object on stdout (like any inventory job); the
60 /// agent reads the [`CheckHint::status_field`] value dynamically
61 /// into a [`crate::ipc::state::Check`] named `check.name`.
62 /// Cadence / windows / conditions come from
63 /// the job's Schedule (exactly like inventory) — there is
64 /// deliberately no interval here. **Composes with `inventory:`**:
65 /// the script's stdout is one JSON object, so a check can also
66 /// carry an `inventory:` block to project the rest of that object
67 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
68 /// `emit:` (NDJSON stdout) is incompatible.
69 #[serde(default)]
70 pub check: Option<CheckHint>,
71 /// #219: opt-in marker that this job COLLECTS files into a bundle.
72 /// The script does the collection work and prints a single JSON
73 /// object on stdout carrying a `files` array of paths (the field
74 /// name is [`CollectHint::files_field`], default `"files"`); the
75 /// agent — after the script exits successfully — zips those files,
76 /// uploads the archive to the `OBJECT_COLLECTIONS` Object Store
77 /// bucket (key `<pc_id>/<job_id>/<timestamp>.zip`), and records the
78 /// key in [`crate::wire::ExecResult::collect_object`]. The operator
79 /// downloads bundles from the SPA Collect page.
80 ///
81 /// Like `inventory:` / `check:` this reads a JSON object from stdout,
82 /// but it consumes that stdout for its OWN contract (a `files`
83 /// list), so it is mutually exclusive with `inventory:` / `check:` /
84 /// `emit:` (enforced in [`Manifest::validate`]). It composes with
85 /// `client:` — a `collect:` + `client:` job lets an end user trigger
86 /// a collection from the Client App (the same-host agent runs it).
87 #[serde(default, skip_serializing_if = "Option::is_none")]
88 pub collect: Option<CollectHint>,
89 /// #720: opt-in declarative aggregation over `obs_events` that drives
90 /// the SPA **Analytics** page. Unlike the other hints this one never
91 /// touches stdout and is never delivered to the agent — it's a pure
92 /// *read spec* the backend reads from `BUCKET_JOBS` at query time and
93 /// turns into `json_extract` aggregation SQL. Each entry is one widget
94 /// (a `dashboard:` tab groups them); `scope:` selects per-PC vs
95 /// fleet-wide rollup. Because it consumes nothing at run time it
96 /// composes with every other hint (typically paired with `emit:`,
97 /// which produces the events it reads). See [`AggregateWidget`].
98 ///
99 /// New field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
100 #[serde(default, skip_serializing_if = "Option::is_none")]
101 pub aggregate: Option<Vec<AggregateWidget>>,
102 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
103 /// what the agent does at fire time when it can't verify the
104 /// `script_current` / `script_status` KV values are fresh —
105 /// especially relevant for `runs_on: agent` schedules where
106 /// the agent may fire from cache while offline. Defaults to
107 /// `Staleness::Cached` (silently use cached values), which
108 /// matches every pre-v0.26 Manifest.
109 #[serde(default)]
110 pub staleness: Staleness,
111 /// #291: opt-in marker that this job is offered to **end users**
112 /// in the Client App's job tabs over KLP (`jobs.list` →
113 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
114 /// [`emit`]: the block's mere presence is the opt-in, and it
115 /// groups the end-user presentation fields (name / category /
116 /// icon) that only make sense for a user-facing job. `None`
117 /// (the default) ⇒ an operator-only job — inventory, checks,
118 /// scheduled maintenance — that never surfaces in the catalog.
119 ///
120 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
121 /// (SPEC §2.1), so removing the block takes a job out of a
122 /// running client on its next action.
123 ///
124 /// [`inventory`]: Manifest::inventory
125 /// [`check`]: Manifest::check
126 /// [`emit`]: Manifest::emit
127 #[serde(default, skip_serializing_if = "Option::is_none")]
128 pub client: Option<ClientHint>,
129 /// Free-form operator taxonomy for the Jobs catalog. Purely a
130 /// SPA-side organisational aid — agents / scheduler / projector
131 /// never read it — so it carries no runtime semantics and any
132 /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
133 /// cross-cut (a `check-bitlocker` is at once a health-check, a
134 /// security control, and Windows-specific), which is why this is
135 /// a multi-valued list rather than the single closed-enum
136 /// [`ClientHint::category`] (whose values are the end-user Client
137 /// App's tabs, a different concern). The operator Jobs page groups
138 /// rows by id-prefix for free; tags add the orthogonal filter axis
139 /// prefixes can't express.
140 ///
141 /// Empty by default (the overwhelming majority of jobs), and a
142 /// new field, so it follows the #492 wire rule: `serde(default)`
143 /// plus `skip_serializing_if` keep gradually-upgrading old readers
144 /// from tripping over its absence / presence.
145 #[serde(default, skip_serializing_if = "Vec::is_empty")]
146 pub tags: Vec<String>,
147 /// GitOps provenance (#678) — see [`RepoOrigin`]. Stamped by
148 /// `kanade job create` when the source YAML lives inside a Git work
149 /// tree, so the SPA can render the job read-only and point edits
150 /// back at the repo instead of letting a ClickOps edit silently
151 /// diverge from Git (SPEC design principle #3: 設定駆動 YAML + Git).
152 /// `None` for SPA-born jobs and for manifests applied from outside
153 /// any Git repo. Purely informational: agents / scheduler /
154 /// projector never read it, and it survives `script_file:` inlining
155 /// (it's orthogonal to the exactly-one-of script-source rule). New
156 /// field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
157 #[serde(default, skip_serializing_if = "Option::is_none")]
158 pub origin: Option<RepoOrigin>,
159}
160
161/// GitOps provenance for a repo-managed YAML artifact — a [`Manifest`]
162/// (#678) or a [`Schedule`] (#695). Populated by `kanade job create` /
163/// `kanade schedule create` from the Git context of the source YAML;
164/// the SPA reads it to render Git-managed entries read-only and link
165/// the operator back at the repo. Never consulted by the runtime.
166#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
167pub struct RepoOrigin {
168 /// Repo-relative path of the source YAML — the primary edit target
169 /// the SPA surfaces (e.g. `configs/jobs/foo.yaml`). Forward slashes
170 /// regardless of the authoring OS.
171 pub path: String,
172 /// `origin` remote URL, when the repo has one. Lets the SPA turn
173 /// `path` into a clickable link; `None` for remote-less repos.
174 #[serde(default, skip_serializing_if = "Option::is_none")]
175 pub repo: Option<String>,
176 /// Repo-relative path of the `script_file:` a job manifest inlined,
177 /// when it used one — a secondary pointer shown beneath `path`.
178 /// Always `None` for schedules (they carry no script).
179 #[serde(default, skip_serializing_if = "Option::is_none")]
180 pub script_file: Option<String>,
181}
182
183/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
184/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
185/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
186/// here keeps the validation + serialisation logic in one place.
187#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
188pub struct FanoutPlan {
189 #[serde(default)]
190 pub target: Target,
191 /// Optional wave rollout — when present, the backend publishes
192 /// each wave's group subject on its own delay schedule instead
193 /// of fanning out the `target` block in one go. `target` then
194 /// only labels the deploy for the audit log.
195 #[serde(default, skip_serializing_if = "Option::is_none")]
196 pub rollout: Option<Rollout>,
197 /// Optional humantime jitter; agent uses it to randomise
198 /// execution start. Lives here (not on the script) so different
199 /// schedules / ad-hoc fires of the same job can pick different
200 /// stagger windows.
201 #[serde(default, skip_serializing_if = "Option::is_none")]
202 pub jitter: Option<String>,
203 /// Absolute time the scheduler stamps on each emitted Command
204 /// when this exec was driven by a [`Schedule`] with
205 /// `starting_deadline`. Agents receiving a Command after this
206 /// instant publish a synthetic skipped-result instead of
207 /// running the script. `None` (default) = no deadline / catch
208 /// up whenever delivered. Operators don't usually set this
209 /// directly — the scheduler computes it from `tick_at +
210 /// starting_deadline`.
211 #[serde(default, skip_serializing_if = "Option::is_none")]
212 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
213}
214
215/// Manifest sub-section: how the SPA should render the inventory
216/// facts this job produces. Each field name (`field`) is a top-level
217/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
218///
219/// Two render modes:
220/// * `display` — vertical "field / value" per PC, used by the
221/// `/inventory?pc=<id>` detail view. ALL columns the operator
222/// wants visible on the detail page.
223/// * `summary` — horizontal table across the fleet (row = PC,
224/// column = field) on `/inventory`. Optional; when omitted the
225/// SPA falls back to `display`, but operators usually want a
226/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
227#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
228pub struct InventoryHint {
229 /// Detail-view columns, in order.
230 pub display: Vec<DisplayField>,
231 /// Optional fleet-list columns (row = PC). Defaults to `display`
232 /// when omitted, but operators usually pick a 3-5 column subset.
233 #[serde(default, skip_serializing_if = "Option::is_none")]
234 pub summary: Option<Vec<DisplayField>>,
235 /// v0.31 / #40: payload arrays that should be exploded into
236 /// per-element rows of a derived SQLite table. Lets operators
237 /// answer cross-PC questions ("which PCs still have Chrome <
238 /// 120?", "C: >90% full") with normal SQL filters + indexes
239 /// instead of grepping JSON. The projector creates the derived
240 /// table on register and replaces this PC's rows on each result
241 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
242 /// [`ExplodeSpec`] for the per-spec schema.
243 #[serde(default, skip_serializing_if = "Option::is_none")]
244 pub explode: Option<Vec<ExplodeSpec>>,
245 /// v0.35 / #93: top-level scalar fields whose changes the
246 /// projector logs to `inventory_history` (one event per
247 /// changed field per scan). Pairs with `explode[].track_history`
248 /// — that covers array elements; this covers single-valued
249 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
250 /// `os_build` that operators want to track for "did the RAM
251 /// get upgraded?" / "when did Win 11 land on this PC?" /
252 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
253 /// in the history row, `identity_json` is NULL, `before_json`
254 /// / `after_json` each carry `{"value": <prior or new value>}`.
255 /// First-ever observation of a scalar (no prior facts row)
256 /// emits `added`; subsequent value changes emit `changed`. No
257 /// `removed` events — a scalar disappearing from the payload
258 /// is rare and the operator can still see the last value via
259 /// the `before_json` of the most recent change.
260 #[serde(default, skip_serializing_if = "Option::is_none")]
261 pub history_scalars: Option<Vec<String>>,
262}
263
264/// Manifest sub-section (#290): marks a job as an operator-defined
265/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
266/// The stdout contract is a free-form JSON object (same as any
267/// inventory job) from which the agent reads `status_field` /
268/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
269/// on the Client App's Health tab.
270///
271/// There is deliberately **no timing field** — when / how often /
272/// in which window a check runs is driven by the job's Schedule,
273/// exactly like inventory jobs, so operators get the full `when:` /
274/// rollout / `runs_on` expressiveness for free.
275///
276/// A check's stdout is a **free-form inventory object** (arbitrary
277/// key/value pairs + arrays) — same as any inventory job — that also
278/// carries a status field. `check:` adds only the health semantics on
279/// top: which field is the ok/warn/fail/unknown status, an optional
280/// one-line summary field, and a remediation job. Everything else
281/// (rich per-PC detail, `explode` sub-tables like a software list) is
282/// driven by a co-present [`InventoryHint`] and rendered with the
283/// SAME display logic the SPA Inventory page uses — on the Client App
284/// too. This keeps checks maximally expressive without a bespoke
285/// payload type.
286#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
287pub struct CheckHint {
288 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
289 /// the SPA/Client React key + analytics label. Unique within the
290 /// fleet's check set. Machine-friendly slug (`disk_space`,
291 /// `defender_rtp`); for the human-facing row title see [`label`].
292 ///
293 /// [`label`]: CheckHint::label
294 pub name: String,
295 /// Optional human-facing display title →
296 /// [`Check.label`](crate::ipc::state::Check). The Client App's
297 /// Health tab and the operator SPA's Compliance page render this
298 /// instead of the [`name`](CheckHint::name) slug when set
299 /// (`"ウイルス対策のリアルタイム保護"` reads better than
300 /// `defender_rtp`). Falls back to the slug when absent, so it's
301 /// purely additive. Author it in the check's language — there's no
302 /// per-locale variant; checks are operator-defined per fleet.
303 #[serde(default, skip_serializing_if = "Option::is_none")]
304 pub label: Option<String>,
305 /// Top-level stdout field whose string value
306 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
307 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
308 /// `"status"`; a missing / unparseable value → `unknown`.
309 #[serde(default = "default_status_field")]
310 pub status_field: String,
311 /// Top-level stdout field used as the Health-tab row's one-line
312 /// summary. Defaults to `"detail"`; absent in the payload → no
313 /// detail line (the rich breakdown lives in the inventory view).
314 #[serde(default = "default_detail_field")]
315 pub detail_field: String,
316 /// Optional remediation job id →
317 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
318 /// App shows a "修復する" button when present; that job must be
319 /// `user_invokable`.
320 #[serde(default, skip_serializing_if = "Option::is_none")]
321 pub troubleshoot: Option<String>,
322 /// #290 PR-E: when `true` (default), the backend also projects this
323 /// check's `status` / `detail` into the `check_status` table so the
324 /// operator SPA gets a fleet-wide compliance view for free — no
325 /// `inventory:` block needed. Set `fleet: false` for a client-only
326 /// check the operator doesn't want surfaced across the fleet.
327 #[serde(default = "default_fleet")]
328 pub fleet: bool,
329}
330
331fn default_status_field() -> String {
332 "status".to_string()
333}
334
335fn default_detail_field() -> String {
336 "detail".to_string()
337}
338
339fn default_fleet() -> bool {
340 true
341}
342
343fn default_files_field() -> String {
344 "files".to_string()
345}
346
347/// Fallback cap on a collect bundle's total input size when the
348/// manifest's `collect.max_size` is unset. 50 MB (decimal).
349pub const DEFAULT_COLLECT_MAX_SIZE: u64 = 50 * 1_000_000;
350
351/// Manifest sub-section (#219): marks a job as a **file collector** and
352/// carries how the collected bundle presents in the SPA. Parallel to
353/// [`InventoryHint`] / [`CheckHint`] — the block's presence is the
354/// opt-in. The script prints a single JSON object on stdout whose
355/// [`files_field`](CollectHint::files_field) key holds an array of file
356/// paths to bundle (env vars are expanded); the agent zips them and
357/// uploads to `OBJECT_COLLECTIONS`. See [`Manifest::collect`].
358#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
359pub struct CollectHint {
360 /// Operator/end-user-facing title for the collection, shown as the
361 /// bundle's heading on the SPA Collect page (and the Client App row
362 /// when paired with `client:`). Required; validated non-empty.
363 pub name: String,
364 /// Optional one-line description of what the bundle contains.
365 #[serde(default, skip_serializing_if = "Option::is_none")]
366 pub description: Option<String>,
367 /// Human-readable cap on the bundle's total input size
368 /// (`"50MB"`, `"500KB"`, `"1GiB"`). The agent refuses to build a
369 /// bundle whose listed files exceed this. `None` ⇒
370 /// [`DEFAULT_COLLECT_MAX_SIZE`]. Parsed by [`parse_size_bytes`];
371 /// [`Manifest::validate`] rejects an unparseable value at create
372 /// time.
373 ///
374 /// Note: this bounds the **uncompressed** bytes the agent reads off
375 /// disk, not the resulting zip. Text logs compress well, so the
376 /// download is usually much smaller; many tiny files add a little
377 /// per-entry zip overhead. Read it as "how much the agent reads +
378 /// packs", not "the exact download size".
379 #[serde(default, skip_serializing_if = "Option::is_none")]
380 pub max_size: Option<String>,
381 /// Top-level stdout JSON key holding the array of file paths to
382 /// bundle. Defaults to `"files"`.
383 #[serde(default = "default_files_field")]
384 pub files_field: String,
385}
386
387impl CollectHint {
388 /// The effective size cap in bytes — the parsed `max_size` or
389 /// [`DEFAULT_COLLECT_MAX_SIZE`] when unset. Assumes `max_size` (if
390 /// present) already passed [`Manifest::validate`]; falls back to the
391 /// default on a parse error rather than panicking on the fire path.
392 pub fn max_size_bytes(&self) -> u64 {
393 match &self.max_size {
394 Some(s) => parse_size_bytes(s).unwrap_or(DEFAULT_COLLECT_MAX_SIZE),
395 None => DEFAULT_COLLECT_MAX_SIZE,
396 }
397 }
398}
399
400/// Parse a human-readable byte size (`"50MB"`, `"500 KB"`, `"1GiB"`,
401/// `"1024"`). Decimal units (KB/MB/GB) are 1000-based; binary units
402/// (KiB/MiB/GiB) are 1024-based; a bare number (or `B`) is bytes.
403/// Case-insensitive. Shared by `collect.max_size` validation and the
404/// agent's bundle-size enforcement.
405pub fn parse_size_bytes(s: &str) -> Result<u64, String> {
406 let t = s.trim();
407 if t.is_empty() {
408 return Err("size must not be empty".to_string());
409 }
410 let split = t.find(|c: char| !c.is_ascii_digit()).unwrap_or(t.len());
411 let (num_str, unit_raw) = t.split_at(split);
412 if num_str.is_empty() {
413 return Err(format!("size '{s}': missing leading number"));
414 }
415 let num: u64 = num_str
416 .parse()
417 .map_err(|_| format!("size '{s}': bad number '{num_str}'"))?;
418 let mult: u64 = match unit_raw.trim().to_ascii_lowercase().as_str() {
419 "" | "b" => 1,
420 "kb" => 1_000,
421 "mb" => 1_000_000,
422 "gb" => 1_000_000_000,
423 "kib" => 1024,
424 "mib" => 1024 * 1024,
425 "gib" => 1024 * 1024 * 1024,
426 other => {
427 return Err(format!(
428 "size '{s}': unknown unit '{other}' (use B/KB/MB/GB/KiB/MiB/GiB)"
429 ));
430 }
431 };
432 num.checked_mul(mult)
433 .ok_or_else(|| format!("size '{s}': overflow"))
434}
435
436/// Manifest sub-section (#291): marks a job as **user-invokable**
437/// from the Client App and carries how it presents to the end user.
438/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
439/// the block's presence is the opt-in (no separate boolean), and its
440/// required fields (`name`, `category`) are enforced by serde at
441/// parse time, so a half-filled catalog entry fails
442/// `kanade job create` instead of rendering a nameless / tab-less row.
443///
444/// The agent maps this 1:1 into the KLP
445/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
446/// that `jobs.list` returns; the Client App renders one row per job in
447/// the tab named by `category`.
448#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
449pub struct ClientHint {
450 /// End-user-facing title for the job row. The operator-internal
451 /// `Manifest::id` slug is rarely what an end user should read, so
452 /// this is required (and validated non-empty by
453 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
454 pub name: String,
455 /// Optional one-line subtitle under `name` in the Client App.
456 /// Distinct from the operator-facing top-level
457 /// [`Manifest::description`] — this one is written for the end
458 /// user. Maps to `UserInvokableJob::display_description`.
459 #[serde(default, skip_serializing_if = "Option::is_none")]
460 pub description: Option<String>,
461 /// Which Client App tab the job lives in (`software_update` →
462 /// アップデート, `troubleshoot` → 困ったとき, `catalog` → software
463 /// catalog). Required — without it the agent can't place the job
464 /// in a tab.
465 pub category: JobCategory,
466 /// Optional icon hint for the job row — a lucide-react icon name
467 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
468 /// category's default icon. Surfaced verbatim in
469 /// `jobs.list[].icon`.
470 #[serde(default, skip_serializing_if = "Option::is_none")]
471 pub icon: Option<String>,
472}
473
474/// #720 — one widget on the SPA **Analytics** page: a declarative
475/// aggregation over the `obs_events` table. The backend reads these off
476/// `Manifest::aggregate` (from `BUCKET_JOBS`) at query time and builds
477/// the `json_extract` GROUP BY / time-bucket SQL from these generic
478/// primitives, so an operator can chart any emitted event without a Rust
479/// change. The reference shapes are the attendance dashboards
480/// (presence / app_sample / web_visit), but the same DSL covers logon /
481/// reboot / agent-health trends, etc.
482#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
483pub struct AggregateWidget {
484 /// Tab this widget lives under on the Analytics page. Widgets from
485 /// every job are collected and grouped by this label, so the same
486 /// string across jobs builds one multi-source dashboard. Required.
487 pub dashboard: String,
488 /// Widget heading. Required, validated non-empty.
489 pub title: String,
490 /// Optional one-line subtitle shown muted under the `title` on the
491 /// Analytics page — room for a unit, a caveat, or what the number
492 /// means ("samples × 2 min", "Security 4624 only"). Rejected if
493 /// present-but-blank.
494 #[serde(default, skip_serializing_if = "Option::is_none")]
495 pub description: Option<String>,
496 /// Optional sort weight (#743). Once the order-aware sort lands (PR2)
497 /// widgets render in `(order, dashboard, title)` order, so a lower
498 /// `order` pulls a widget — and its tab — earlier; equal/absent `order`
499 /// falls back to the alphabetical `(dashboard, title)` ordering. Treated
500 /// as `0` when unset, so a fleet with no `order` anywhere stays purely
501 /// alphabetical (today's behaviour); negatives are allowed to pin
502 /// something first. (This field only carries the value; the backend
503 /// applies it.)
504 #[serde(default, skip_serializing_if = "Option::is_none")]
505 pub order: Option<i32>,
506 /// `pc` rolls up a single selected PC; `fleet` rolls up all PCs
507 /// (and unlocks `group_by: pc_id` to rank PCs against each other).
508 /// Defaults to `pc`.
509 #[serde(default)]
510 pub scope: AggregateScope,
511 /// `obs_events.kind` this widget reads (e.g. `app_sample`,
512 /// `presence`, `unexpected_shutdown`). Required.
513 pub kind: String,
514 /// Optional `obs_events.source` filter, when one `kind` is emitted by
515 /// more than one collector.
516 #[serde(default, skip_serializing_if = "Option::is_none")]
517 pub source: Option<String>,
518 /// How to roll the matching events up. See [`AggregateAgg`].
519 pub agg: AggregateAgg,
520 /// Dotted JSON path (no `$.` prefix) to group by for `agg: count` /
521 /// `sum` — e.g. `foreground.app`. The literal `pc_id` is special:
522 /// it groups by the `pc_id` column (fleet ranking), not a payload
523 /// field. Omit for a single total. Required when `agg: sum` needs a
524 /// breakdown; for `agg: count` omitting it yields the grand total.
525 #[serde(default, skip_serializing_if = "Option::is_none")]
526 pub group_by: Option<String>,
527 /// Dotted JSON path to a boolean for `agg: ratio` (e.g. `active`):
528 /// the widget reports `true_count / total`. Required when `agg: ratio`.
529 #[serde(default, skip_serializing_if = "Option::is_none")]
530 pub bool_path: Option<String>,
531 /// Dotted JSON path to a number for `agg: sum`. Required when `agg: sum`.
532 #[serde(default, skip_serializing_if = "Option::is_none")]
533 pub value_path: Option<String>,
534 /// Optional value transform applied before grouping. Currently only
535 /// `host` (parse a URL down to its host) — used by the top-sites
536 /// widget, where SQLite can't parse a URL so the backend does it in
537 /// Rust. See [`AggregateTransform`].
538 #[serde(default, skip_serializing_if = "Option::is_none")]
539 pub transform: Option<AggregateTransform>,
540 /// Optional sampling cadence in minutes. When set, a `count` is also
541 /// reported as estimated time (`count × sample_minutes`) — e.g. a
542 /// 2-minute app sampler turns 11 samples into ~22 minutes. Must be ≥ 1.
543 #[serde(default, skip_serializing_if = "Option::is_none")]
544 #[schemars(range(min = 1))]
545 pub sample_minutes: Option<u32>,
546 /// Grouped values to drop from the rollup (e.g. `["LockApp"]` so the
547 /// lock screen doesn't top the app ranking). Empty by default.
548 #[serde(default, skip_serializing_if = "Vec::is_empty")]
549 pub exclude: Vec<String>,
550 /// Optional time bucketing — `hour` buckets events by local
551 /// hour-of-day for a `timeline` render. See [`AggregateTimeBucket`].
552 #[serde(default, skip_serializing_if = "Option::is_none")]
553 pub time_bucket: Option<AggregateTimeBucket>,
554 /// Top-N cap for grouped renders (`bar`). Defaults to 10 when unset.
555 #[serde(default, skip_serializing_if = "Option::is_none")]
556 #[schemars(range(min = 1))]
557 pub limit: Option<u32>,
558 /// Which widget the SPA draws. See [`AggregateRender`].
559 pub render: AggregateRender,
560}
561
562/// Per-PC vs fleet-wide rollup for an [`AggregateWidget`].
563#[derive(
564 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
565)]
566#[serde(rename_all = "lowercase")]
567#[non_exhaustive]
568pub enum AggregateScope {
569 /// Roll up the single PC the operator selected. The default.
570 #[default]
571 Pc,
572 /// Roll up across every PC. Unlocks `group_by: pc_id`.
573 Fleet,
574 /// #492 forward-compat catch-all — a Manifest is read fleet-wide, so
575 /// an older reader must tolerate a future variant rather than failing
576 /// to decode the whole job. The backend skips an `Unknown` widget.
577 #[serde(other)]
578 Unknown,
579}
580
581/// The rollup function for an [`AggregateWidget`].
582#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
583#[serde(rename_all = "lowercase")]
584#[non_exhaustive]
585pub enum AggregateAgg {
586 /// Row count, optionally grouped (`group_by`) and time-estimated
587 /// (`sample_minutes`).
588 Count,
589 /// `true_count / total` over `bool_path`.
590 Ratio,
591 /// Sum of `value_path`, optionally grouped.
592 Sum,
593 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
594 #[serde(other)]
595 Unknown,
596}
597
598/// Optional pre-grouping value transform for an [`AggregateWidget`].
599#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
600#[serde(rename_all = "lowercase")]
601#[non_exhaustive]
602pub enum AggregateTransform {
603 /// Parse the grouped value as a URL and keep only its host.
604 Host,
605 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
606 #[serde(other)]
607 Unknown,
608}
609
610/// Time bucketing for an [`AggregateWidget`] (drives a `timeline`).
611#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
612#[serde(rename_all = "lowercase")]
613#[non_exhaustive]
614pub enum AggregateTimeBucket {
615 /// Bucket by local hour-of-day (0–23), summed over the window.
616 Hour,
617 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
618 #[serde(other)]
619 Unknown,
620}
621
622/// Which visual the SPA renders an [`AggregateWidget`] as.
623#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
624#[serde(rename_all = "lowercase")]
625#[non_exhaustive]
626pub enum AggregateRender {
627 /// Ranked horizontal bars (a grouped `count` / `sum`).
628 Bar,
629 /// A single ratio dial (`agg: ratio`).
630 Gauge,
631 /// 24-hour activity strip (`time_bucket: hour`).
632 Timeline,
633 /// A single headline number (an ungrouped total).
634 Stat,
635 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
636 #[serde(other)]
637 Unknown,
638}
639
640/// True if `p` is a well-formed dotted JSON path of `[A-Za-z0-9_]`
641/// segments joined by single dots — the shape safe to bind into
642/// `json_extract(payload, '$.' || ?)`. The charset blocks injection; the
643/// segment check additionally rejects `"."`, `".foo"`, `"foo."`,
644/// `"foo..bar"`, which would pass the charset but produce a malformed
645/// `$.` path that errors at query time. Accepts `pc_id`, `foreground.app`,
646/// `active`, etc.
647fn is_valid_json_path(p: &str) -> bool {
648 !p.is_empty()
649 && p.split('.').all(|seg| {
650 !seg.is_empty() && seg.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
651 })
652}
653
654/// Per-widget validation for a list of [`AggregateWidget`]s — shared by
655/// the `aggregate:` job hint ([`Manifest::validate`]) and the standalone
656/// [`View`] resource (#743) so the two can't diverge. `field` names the
657/// containing key for error messages (`"aggregate"` or `"widgets"`).
658///
659/// Enforces: non-empty list; non-empty dashboard/title/kind; a
660/// blank-when-set `source`; rejection of any #492 `Unknown` enum
661/// (an operator typo at create time); safe dotted JSON paths; the value
662/// path each `agg` needs (and rejection of mis-paired ones); `pc_id`
663/// grouping only in `fleet` scope; `transform`/`limit`/`exclude` only with
664/// a `group_by`; positive `limit`/`sample_minutes`; `gauge`⇔`ratio`; and
665/// `timeline`⇔`time_bucket`.
666pub fn validate_aggregate_widgets(widgets: &[AggregateWidget], field: &str) -> Result<(), String> {
667 if widgets.is_empty() {
668 return Err(format!(
669 "`{field}:` must list at least one widget when present"
670 ));
671 }
672 for (i, w) in widgets.iter().enumerate() {
673 let at = format!("{field}[{i}]");
674 for (label, value) in [
675 ("dashboard", &w.dashboard),
676 ("title", &w.title),
677 ("kind", &w.kind),
678 ] {
679 if value.trim().is_empty() {
680 return Err(format!("{at}.{label} must not be empty"));
681 }
682 }
683 // A present-but-blank `source` is a no-op filter — reject like the
684 // other blank-when-set guards.
685 if let Some(source) = &w.source {
686 if source.trim().is_empty() {
687 return Err(format!("{at}.source must not be empty when set"));
688 }
689 }
690 // A present-but-blank `description` renders an empty muted line —
691 // reject it so the subtitle only shows when it says something.
692 if let Some(description) = &w.description {
693 if description.trim().is_empty() {
694 return Err(format!("{at}.description must not be empty when set"));
695 }
696 }
697 // Reject values that fell through to the #492 `Unknown` catch-all:
698 // at create time on the current version that's an operator typo. (A
699 // genuinely-future variant only reaches an older reader via a stored
700 // resource, which is never re-validated, so forward-compat holds.)
701 if w.scope == AggregateScope::Unknown {
702 return Err(format!("{at}.scope is not a known value (pc | fleet)"));
703 }
704 if w.agg == AggregateAgg::Unknown {
705 return Err(format!(
706 "{at}.agg is not a known value (count | ratio | sum)"
707 ));
708 }
709 if w.render == AggregateRender::Unknown {
710 return Err(format!(
711 "{at}.render is not a known value (bar | gauge | timeline | stat)"
712 ));
713 }
714 if w.transform == Some(AggregateTransform::Unknown) {
715 return Err(format!("{at}.transform is not a known value (host)"));
716 }
717 if w.time_bucket == Some(AggregateTimeBucket::Unknown) {
718 return Err(format!("{at}.time_bucket is not a known value (hour)"));
719 }
720 for (label, path) in [
721 ("group_by", &w.group_by),
722 ("bool_path", &w.bool_path),
723 ("value_path", &w.value_path),
724 ] {
725 if let Some(p) = path {
726 if !is_valid_json_path(p) {
727 return Err(format!(
728 "{at}.{label} '{p}' must be a dotted JSON path of [A-Za-z0-9_] segments"
729 ));
730 }
731 }
732 }
733 // Each agg uses exactly one value path; reject a mis-paired path so
734 // a typo fails at create rather than being ignored.
735 match w.agg {
736 // count: grouped → ranking, ungrouped → grand total.
737 AggregateAgg::Count => {
738 for (label, path) in [("bool_path", &w.bool_path), ("value_path", &w.value_path)] {
739 if path.is_some() {
740 return Err(format!("{at}.agg=count does not use `{label}`"));
741 }
742 }
743 }
744 AggregateAgg::Ratio => {
745 if w.bool_path.is_none() {
746 return Err(format!("{at}.agg=ratio requires `bool_path`"));
747 }
748 if w.value_path.is_some() {
749 return Err(format!("{at}.agg=ratio does not use `value_path`"));
750 }
751 }
752 AggregateAgg::Sum => {
753 if w.value_path.is_none() {
754 return Err(format!("{at}.agg=sum requires `value_path`"));
755 }
756 if w.bool_path.is_some() {
757 return Err(format!("{at}.agg=sum does not use `bool_path`"));
758 }
759 }
760 // Rejected above; arm exists only for exhaustiveness.
761 AggregateAgg::Unknown => {}
762 }
763 // Ranking PCs against each other only means something across the
764 // fleet — within one PC it's a single bar.
765 if w.group_by.as_deref() == Some("pc_id") && w.scope != AggregateScope::Fleet {
766 return Err(format!(
767 "{at}.group_by: pc_id is only valid with scope: fleet"
768 ));
769 }
770 // `transform` rewrites the grouped PAYLOAD value (URL→host); it's
771 // meaningless on a `pc_id` grouping (the pc_id column, not a payload
772 // field), so reject the combo at create time.
773 if w.transform.is_some() && w.group_by.as_deref() == Some("pc_id") {
774 return Err(format!("{at}.transform is not valid with group_by: pc_id"));
775 }
776 // limit / transform / exclude all operate on grouped values, so
777 // without a `group_by` they're silent no-ops — reject.
778 if w.group_by.is_none() {
779 if w.limit.is_some() {
780 return Err(format!("{at}.limit requires `group_by`"));
781 }
782 if w.transform.is_some() {
783 return Err(format!("{at}.transform requires `group_by`"));
784 }
785 if !w.exclude.is_empty() {
786 return Err(format!("{at}.exclude requires `group_by`"));
787 }
788 }
789 if w.limit == Some(0) {
790 return Err(format!("{at}.limit must be > 0"));
791 }
792 if w.sample_minutes == Some(0) {
793 return Err(format!("{at}.sample_minutes must be > 0"));
794 }
795 for ex in &w.exclude {
796 if ex.trim().is_empty() {
797 return Err(format!("{at}.exclude must not contain empty entries"));
798 }
799 }
800 // A gauge draws a single ratio dial — only meaningful for agg: ratio.
801 if w.render == AggregateRender::Gauge && w.agg != AggregateAgg::Ratio {
802 return Err(format!("{at}.render=gauge is only valid with agg: ratio"));
803 }
804 // A timeline needs a bucket; a bucket on any other render is a no-op
805 // that signals operator confusion — reject both.
806 match (w.render, &w.time_bucket) {
807 (AggregateRender::Timeline, None) => {
808 return Err(format!("{at}.render=timeline requires `time_bucket`"));
809 }
810 (r, Some(_)) if r != AggregateRender::Timeline => {
811 return Err(format!(
812 "{at}.time_bucket is only valid with render: timeline"
813 ));
814 }
815 _ => {}
816 }
817 }
818 Ok(())
819}
820
821/// A standalone declarative read/aggregation for the Analytics page (#743).
822///
823/// A **view** aggregates stored fleet data (`obs_events`, …) without an
824/// `execute` or a schedule — unlike a [`Manifest`] it only declares
825/// [`AggregateWidget`]s. (The first line is concise on purpose: `schemars`
826/// uses it as the generated schema's `title`.) The backend reads views from
827/// `BUCKET_VIEWS` at
828/// query time and merges their widgets with the co-located `aggregate:`
829/// hints on jobs, so a cross-cutting dashboard (one that charts events
830/// emitted by several other jobs / the agent) has a home that doesn't need
831/// a noop job carrier. Stored JSON in `BUCKET_VIEWS`, keyed by `id`.
832#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
833pub struct View {
834 /// Stable identifier (the KV key). Required, validated non-empty.
835 pub id: String,
836 /// Optional human description shown on the Views admin page.
837 #[serde(default, skip_serializing_if = "Option::is_none")]
838 pub description: Option<String>,
839 /// The widgets this view contributes to the Analytics page.
840 pub widgets: Vec<AggregateWidget>,
841 /// Free-form operator taxonomy (same role as [`Manifest::tags`]).
842 #[serde(default, skip_serializing_if = "Vec::is_empty")]
843 pub tags: Vec<String>,
844 /// GitOps provenance (#678), stamped by `kanade view create` from the
845 /// source YAML's Git context — same as [`Manifest::origin`].
846 #[serde(default, skip_serializing_if = "Option::is_none")]
847 pub origin: Option<RepoOrigin>,
848}
849
850/// True if `id` is a safe resource identifier — non-empty and only
851/// `[A-Za-z0-9._-]`. A view `id` becomes a NATS KV key *and* a URL path
852/// segment (`/api/views/{id}`), so this blocks `/`, `..`, whitespace and
853/// other characters that would break the KV key or let a CLI arg wander
854/// the URL space. (#743 / #744 follow-up — a deliberately small charset
855/// rather than the looser set NATS technically allows.)
856pub fn is_valid_resource_id(id: &str) -> bool {
857 !id.is_empty()
858 && id
859 .chars()
860 .all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_' || c == '-')
861}
862
863impl View {
864 pub fn validate(&self) -> Result<(), String> {
865 if !is_valid_resource_id(self.id.trim()) {
866 return Err(
867 "view.id must be non-empty and only [A-Za-z0-9._-] (it's a KV key + URL segment)"
868 .to_string(),
869 );
870 }
871 validate_aggregate_widgets(&self.widgets, "widgets")?;
872 for tag in &self.tags {
873 if tag.trim().is_empty() {
874 return Err("tags must not contain empty entries".to_string());
875 }
876 }
877 Ok(())
878 }
879}
880
881/// Issue #246 — `emit:` manifest block for jobs whose stdout is
882/// NDJSON observability events (one `ObsEvent` per line). Parallel
883/// to `inventory:` but for the append-only timeline pipeline; see
884/// `Manifest::emit` for the full contract.
885#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
886pub struct EmitConfig {
887 /// What kind of payload the agent should expect on stdout. Only
888 /// `events` is defined today (parses each non-empty line as
889 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
890 /// (e.g. metrics streams, structured trace events) plug in here.
891 #[serde(rename = "type")]
892 pub kind: EmitKind,
893 /// Operator hint for where the script keeps its own state — the
894 /// watermark file the PowerShell / sh body reads + writes
895 /// between runs so it only emits NEW events since the last
896 /// poll. The agent doesn't read this; it's documentation that
897 /// the SPA (and `kanade job edit`) can surface to operators
898 /// reviewing the manifest. Optional; the script is allowed to
899 /// keep state anywhere (registry, env, etc.) — the field's
900 /// presence makes the convention discoverable.
901 #[serde(default, skip_serializing_if = "Option::is_none")]
902 pub watermark_path: Option<String>,
903}
904
905/// `emit.type` enum. Lowercase serde so manifests read
906/// `type: events` rather than `Events`.
907#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
908#[serde(rename_all = "lowercase")]
909pub enum EmitKind {
910 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
911 /// `obs.<pc_id>`, drops the stdout from the resulting
912 /// `ExecResult`.
913 Events,
914}
915
916/// v0.31 / #40: declarative "flatten this JSON array into a real
917/// SQLite table" spec on an inventory manifest. The projector
918/// creates the table on first registration (CREATE TABLE IF NOT
919/// EXISTS + indexes) and writes a row per element of
920/// `payload[field]` on every result, scoped by (pc_id, job_id) so
921/// each PC's rows replace cleanly without a per-PC schema.
922#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
923pub struct ExplodeSpec {
924 /// JSON array key under the payload to explode. E.g. `"apps"`
925 /// for `payload: { apps: [{...}, {...}] }`.
926 pub field: String,
927 /// Derived SQLite table name. Operators choose this — pick
928 /// something namespaced + stable (`inventory_sw_apps`, not
929 /// `apps`) so multiple inventory manifests don't collide on a
930 /// generic name.
931 pub table: String,
932 /// Element-level fields that uniquely identify a row inside one
933 /// PC's payload. The full PK is `(pc_id, job_id) + these
934 /// columns`. Required — operators must think about uniqueness
935 /// (e.g. `["name", "source"]` for installed apps because the
936 /// same name appears in multiple uninstall hives).
937 ///
938 /// v0.31 / #41: same tuple drives history identity. When
939 /// `track_history` is on, the projector serialises these
940 /// fields' values into `inventory_history.identity_json` for
941 /// every change event, so queries like "every PC that ever
942 /// installed Chrome (any source)" filter on identity_json
943 /// content without a per-manifest schema.
944 pub primary_key: Vec<String>,
945 /// Per-element fields that become columns in the derived table.
946 pub columns: Vec<ExplodeColumn>,
947 /// v0.31 / #41: when true (default false), the projector
948 /// diffs each PC's incoming payload against the prior rows
949 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
950 /// replace, and writes added / removed / changed events into
951 /// `inventory_history`. Lets operators answer time-dimension
952 /// questions ("when did Chrome 120 first appear on PC X?",
953 /// "what's the Win 11 23H2 rollout curve") without storing
954 /// per-scan snapshots. Off by default so operators opt in
955 /// per-spec — history has a real storage cost on long-lived
956 /// deployments (mitigated by the 90-day default retention
957 /// sweeper, see `cleanup` module).
958 #[serde(default)]
959 pub track_history: bool,
960}
961
962/// One column in an [`ExplodeSpec`]'s derived table.
963#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
964pub struct ExplodeColumn {
965 /// JSON key under each array element. Becomes the column name
966 /// in the derived SQLite table — we don't rename.
967 pub field: String,
968 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
969 /// Storage maps directly via `sqlx::query.bind(...)`; type
970 /// mismatches at INSERT-time fail loudly rather than silently
971 /// dropping the row.
972 #[serde(default, skip_serializing_if = "Option::is_none")]
973 #[serde(rename = "type")]
974 pub kind: Option<String>,
975 /// When true, the projector creates a `CREATE INDEX` on this
976 /// column at table-creation time. Boost for the common-filter
977 /// columns (`name`, `version`) — operators mark them
978 /// explicitly, the projector won't guess.
979 #[serde(default)]
980 pub index: bool,
981}
982
983#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
984pub struct DisplayField {
985 /// Top-level key in the stdout JSON.
986 pub field: String,
987 /// Human-readable column header.
988 pub label: String,
989 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
990 /// or `"table"` (#39). Defaults to plain text rendering on the
991 /// SPA side. `"table"` expects the field's value to be a JSON
992 /// array of objects and renders a nested sub-table on the
993 /// per-PC detail page using `columns` as the schema; the fleet
994 /// summary view falls back to showing the row count for
995 /// `"table"` cells so the wide list stays compact.
996 #[serde(default, skip_serializing_if = "Option::is_none")]
997 #[serde(rename = "type")]
998 pub kind: Option<String>,
999 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
1000 /// field's value (an array of objects like
1001 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
1002 /// sub-table using these columns. Each column is itself a
1003 /// `DisplayField`, so the nested cells reuse the same render
1004 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
1005 /// pipeline. Ignored for any other `kind`.
1006 #[serde(default, skip_serializing_if = "Option::is_none")]
1007 pub columns: Option<Vec<DisplayField>>,
1008}
1009
1010#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1011pub struct Rollout {
1012 #[serde(default)]
1013 pub strategy: RolloutStrategy,
1014 pub waves: Vec<Wave>,
1015}
1016
1017#[derive(
1018 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
1019)]
1020#[serde(rename_all = "lowercase")]
1021pub enum RolloutStrategy {
1022 #[default]
1023 Wave,
1024}
1025
1026#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1027pub struct Wave {
1028 pub group: String,
1029 /// humantime delay measured from the deploy's publish time. wave[0]
1030 /// typically has "0s"; subsequent waves use minutes / hours.
1031 pub delay: String,
1032}
1033
1034#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
1035pub struct Target {
1036 #[serde(default)]
1037 pub groups: Vec<String>,
1038 #[serde(default)]
1039 pub pcs: Vec<String>,
1040 #[serde(default)]
1041 pub all: bool,
1042}
1043
1044impl Target {
1045 /// At least one of all / groups / pcs is set.
1046 pub fn is_specified(&self) -> bool {
1047 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
1048 }
1049}
1050
1051#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1052pub struct Execute {
1053 pub shell: ExecuteShell,
1054 /// Inline script body. Mutually exclusive with [`script_file`]
1055 /// and [`script_object`]; exactly one of the three must be set
1056 /// (enforced by [`Execute::validate_script_source`] at the
1057 /// write-side parse boundaries — `kanade job create` and
1058 /// `POST /api/jobs`).
1059 ///
1060 /// Empty string is treated as **unset** so operators can swap
1061 /// to a `script_file:` / `script_object:` alternative just by
1062 /// commenting out the body, without having to also drop the
1063 /// `script:` key entirely.
1064 ///
1065 /// [`script_file`]: Self::script_file
1066 /// [`script_object`]: Self::script_object
1067 #[serde(default, skip_serializing_if = "Option::is_none")]
1068 pub script: Option<String>,
1069 /// Repo-local file path resolved by the operator-side CLI at
1070 /// `kanade job create` time. The CLI reads the file, slots its
1071 /// contents into `script`, and clears this field before
1072 /// POSTing — so the backend / agents never see `script_file`
1073 /// in stored manifests. SPEC §2.4.1.
1074 ///
1075 /// Resolver lands in a follow-up PR
1076 /// (yukimemi/kanade#210); today this field passes parse-time
1077 /// validation but the operator-side CLI bails with "not yet
1078 /// implemented" until the resolver ships, so manifests that
1079 /// reach the backend with `script_file` set are treated as a
1080 /// schema-bug.
1081 #[serde(default, skip_serializing_if = "Option::is_none")]
1082 pub script_file: Option<String>,
1083 /// Object Store reference (`<name>/<version>`) into the
1084 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
1085 /// at Execute time via `/api/script-objects/{name}/{version}`
1086 /// and cache it locally. SPEC §2.4.1.
1087 ///
1088 /// Fully wired (#210/#211): the backend resolves the digest at
1089 /// exec submission (`api::exec::resolve_script_source`), the agent
1090 /// fetches + sha-verifies + caches the body (`script_cache`), and
1091 /// `kanade script` CRUDs the store. Unlike `script_file:` (inlined
1092 /// CLI-side, git-managed), this keeps the body in versioned,
1093 /// digest-pinned object storage — the ops-managed counterpart.
1094 #[serde(default, skip_serializing_if = "Option::is_none")]
1095 pub script_object: Option<String>,
1096 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
1097 /// — represents how long this script reasonably takes to run.
1098 pub timeout: String,
1099 /// Token + session combination the agent uses to launch the
1100 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
1101 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
1102 #[serde(default)]
1103 pub run_as: RunAs,
1104 /// Working directory for the spawned child (v0.21.1). When
1105 /// unset, the child inherits the agent's cwd — on Windows that
1106 /// means `%SystemRoot%\System32` for the prod service, which is
1107 /// almost never what operators actually want. Use an absolute
1108 /// path; relative paths are passed through to the OS verbatim.
1109 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
1110 /// you'd want `%USERPROFILE%` (but expansion happens in the
1111 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
1112 /// it via teravars before `kanade job create`).
1113 #[serde(default, skip_serializing_if = "Option::is_none")]
1114 pub cwd: Option<String>,
1115}
1116
1117impl Execute {
1118 /// Treat an empty `script:` body as "intentionally unset". Operators
1119 /// commenting out a block-scalar tend to leave the key behind, and
1120 /// failing the validator on `script: ""` would surprise them.
1121 fn has_inline_script(&self) -> bool {
1122 matches!(&self.script, Some(s) if !s.is_empty())
1123 }
1124
1125 /// Enforce that exactly one of `script` / `script_file` /
1126 /// `script_object` is set. Called at the write-side parse
1127 /// boundaries (CLI `kanade job create` + backend
1128 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
1129 /// reaches the JOBS KV. Read paths (projector, agent
1130 /// scheduler, list endpoints) skip this check — they only ever
1131 /// see what the write path already validated.
1132 pub fn validate_script_source(&self) -> Result<(), String> {
1133 let inline = self.has_inline_script();
1134 let file = self.script_file.is_some();
1135 let obj = self.script_object.is_some();
1136 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
1137 match set {
1138 1 => Ok(()),
1139 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
1140 _ => Err(format!(
1141 "execute: only one of `script` / `script_file` / `script_object` may be set \
1142 (got script={inline}, script_file={file}, script_object={obj})"
1143 )),
1144 }
1145 }
1146}
1147
1148impl Manifest {
1149 /// Cross-field semantic checks that don't fit into pure serde
1150 /// derive. Currently delegates to
1151 /// [`Execute::validate_script_source`] — see that method's
1152 /// docs for the rationale on which call sites should run this.
1153 pub fn validate(&self) -> Result<(), String> {
1154 self.execute.validate_script_source()?;
1155 // Stdout-format compatibility. `inventory:` and `check:` both
1156 // consume the SAME single JSON object — they COMPOSE: a check
1157 // can extract `status`/`detail` for the Health tab while the
1158 // projector explodes the rest into SPA sub-tables. `emit:` is
1159 // different — its stdout is NDJSON and the agent omits it from
1160 // the result entirely — so it can't be paired with either.
1161 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
1162 return Err(
1163 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
1164 timeline events (and omitted from the result), while inventory/check read a \
1165 single JSON object from stdout"
1166 .to_string(),
1167 );
1168 }
1169 // `collect:` consumes stdout for its OWN contract (a JSON object
1170 // carrying a `files` array), so unlike the inventory+check pair it
1171 // can't share stdout with another stdout-reading hint. It composes
1172 // only with `client:` (which doesn't touch stdout).
1173 if self.collect.is_some()
1174 && (self.inventory.is_some() || self.check.is_some() || self.emit.is_some())
1175 {
1176 return Err(
1177 "`collect:` is incompatible with `inventory:` / `check:` / `emit:` — collect \
1178 reads its own `files` JSON object from stdout. (It composes with `client:`.)"
1179 .to_string(),
1180 );
1181 }
1182 // A check's `name` is the Health-tab row id (React key); the
1183 // field names tell the agent where to read status/detail.
1184 // An empty value is an invisible runtime bug, and the serde
1185 // defaults don't guard an operator who writes `status_field:
1186 // ""` explicitly — reject all three here.
1187 if let Some(check) = &self.check {
1188 for (label, value) in [
1189 ("check.name", &check.name),
1190 ("check.status_field", &check.status_field),
1191 ("check.detail_field", &check.detail_field),
1192 ] {
1193 if value.trim().is_empty() {
1194 return Err(format!("{label} must not be empty"));
1195 }
1196 }
1197 // A present-but-blank `troubleshoot` is a broken
1198 // remediation job id (the "修復する" button would target
1199 // an empty manifest id) — reject it too.
1200 if let Some(troubleshoot) = &check.troubleshoot {
1201 if troubleshoot.trim().is_empty() {
1202 return Err("check.troubleshoot must not be empty when set".to_string());
1203 }
1204 }
1205 // A present-but-blank `label` would render an empty row
1206 // title on the Health tab / Compliance page — reject it so
1207 // the slug fallback only ever kicks in when label is absent.
1208 if let Some(label) = &check.label {
1209 if label.trim().is_empty() {
1210 return Err("check.label must not be empty when set".to_string());
1211 }
1212 }
1213 }
1214 // #291: a `client:` job is rendered in the Client App's
1215 // catalog (`jobs.list` → `jobs.execute`). serde already makes
1216 // `name` + `category` required at parse time; the only gap is
1217 // a present-but-blank `name`, which would render an empty row
1218 // title — reject it like the other display-id fields.
1219 if let Some(client) = &self.client {
1220 if client.name.trim().is_empty() {
1221 return Err("client.name must not be empty".to_string());
1222 }
1223 // Optional display fields, when present, must be
1224 // meaningful: a blank `description` renders an empty
1225 // subtitle and a blank `icon` is a dangling lucide name.
1226 // Same present-but-blank guard the `check:` block applies
1227 // to its optional `troubleshoot` id.
1228 for (label, value) in [
1229 ("client.description", &client.description),
1230 ("client.icon", &client.icon),
1231 ] {
1232 if let Some(v) = value {
1233 if v.trim().is_empty() {
1234 return Err(format!("{label} must not be empty when set"));
1235 }
1236 }
1237 }
1238 }
1239 // #219: a `collect:` job's `name` heads the bundle on the SPA
1240 // Collect page (and the Client App row when paired with
1241 // `client:`), `files_field` tells the agent where to read the
1242 // path list, and `max_size` must be a parseable size so a typo
1243 // is caught at create time rather than silently capping the
1244 // bundle at the default on the fire path.
1245 if let Some(collect) = &self.collect {
1246 if collect.name.trim().is_empty() {
1247 return Err("collect.name must not be empty".to_string());
1248 }
1249 if collect.files_field.trim().is_empty() {
1250 return Err("collect.files_field must not be empty".to_string());
1251 }
1252 if let Some(description) = &collect.description {
1253 if description.trim().is_empty() {
1254 return Err("collect.description must not be empty when set".to_string());
1255 }
1256 }
1257 if let Some(max_size) = &collect.max_size {
1258 parse_size_bytes(max_size).map_err(|e| format!("collect.max_size: {e}"))?;
1259 }
1260 }
1261 // #720/#743: `aggregate:` is a pure read-spec (it never touches
1262 // stdout and is never sent to an agent), so it composes with every
1263 // other hint. The per-widget rules are shared with the standalone
1264 // `view` resource — see [`validate_aggregate_widgets`].
1265 if let Some(widgets) = &self.aggregate {
1266 validate_aggregate_widgets(widgets, "aggregate")?;
1267 }
1268 // A blank / whitespace-only tag is an invisible operator typo
1269 // that would render an empty filter chip on the Jobs page —
1270 // reject it like the other present-but-blank display fields.
1271 for tag in &self.tags {
1272 if tag.trim().is_empty() {
1273 return Err("tags must not contain empty entries".to_string());
1274 }
1275 }
1276 Ok(())
1277 }
1278}
1279
1280#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1281#[serde(rename_all = "lowercase")]
1282pub enum ExecuteShell {
1283 Powershell,
1284 Cmd,
1285}
1286
1287impl From<ExecuteShell> for Shell {
1288 fn from(s: ExecuteShell) -> Self {
1289 match s {
1290 ExecuteShell::Powershell => Shell::Powershell,
1291 ExecuteShell::Cmd => Shell::Cmd,
1292 }
1293 }
1294}
1295
1296#[cfg(test)]
1297mod tests {
1298 use super::*;
1299
1300 /// The example check-job + schedule YAMLs shipped under `configs/`
1301 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
1302 /// pins them at compile time so a breaking edit fails `cargo test`
1303 /// rather than only `kanade job create` at deploy time.
1304 #[test]
1305 fn example_check_job_yamls_parse_and_validate() {
1306 let jobs = [
1307 (
1308 "check-bitlocker",
1309 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
1310 ),
1311 (
1312 "check-av-signature",
1313 include_str!("../../../configs/jobs/check-av-signature.yaml"),
1314 ),
1315 (
1316 "check-cert-expiry",
1317 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
1318 ),
1319 (
1320 "check-disk-space",
1321 include_str!("../../../configs/jobs/check-disk-space.yaml"),
1322 ),
1323 (
1324 "check-pending-reboot",
1325 include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
1326 ),
1327 (
1328 "check-defender-rtp",
1329 include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
1330 ),
1331 (
1332 "check-firewall",
1333 include_str!("../../../configs/jobs/check-firewall.yaml"),
1334 ),
1335 ];
1336 for (name, yaml) in jobs {
1337 let m: Manifest =
1338 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
1339 m.validate()
1340 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
1341 let check = m
1342 .check
1343 .as_ref()
1344 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
1345 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
1346 // These examples all read admin-only WMI / registry / netsh
1347 // state, so they run_as system. NOTE: that's a property of
1348 // these particular checks, NOT of the `check:` contract — a
1349 // check probing user-session state could run_as user.
1350 assert_eq!(
1351 m.execute.run_as,
1352 RunAs::System,
1353 "{name} should run_as system"
1354 );
1355 }
1356 }
1357
1358 /// The example user-invokable job YAMLs (#291) shipped under
1359 /// `configs/jobs/` must stay valid as the `client:` schema
1360 /// evolves. `include_str!` pins them at compile time so a breaking
1361 /// edit fails `cargo test`, not `kanade job create` at deploy.
1362 #[test]
1363 fn example_client_job_yamls_parse_and_validate() {
1364 let jobs = [
1365 (
1366 "fix-teams-cache",
1367 JobCategory::Troubleshoot,
1368 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
1369 ),
1370 (
1371 "chrome-update",
1372 JobCategory::SoftwareUpdate,
1373 include_str!("../../../configs/jobs/chrome-update.yaml"),
1374 ),
1375 (
1376 "install-slack",
1377 JobCategory::Catalog,
1378 include_str!("../../../configs/jobs/install-slack.yaml"),
1379 ),
1380 (
1381 "fix-defender-rtp",
1382 JobCategory::Troubleshoot,
1383 include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
1384 ),
1385 ];
1386 for (id, category, yaml) in jobs {
1387 let m: Manifest =
1388 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1389 m.validate()
1390 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1391 assert_eq!(m.id, id, "{id} id mismatch");
1392 let client = m
1393 .client
1394 .as_ref()
1395 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
1396 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
1397 assert_eq!(client.category, category, "{id} category");
1398 }
1399 }
1400
1401 /// #219: the shipped `collect:` example must stay valid as the
1402 /// schema evolves. `include_str!` pins it at compile time so a
1403 /// breaking edit (or a YAML typo in the PowerShell block) fails
1404 /// `cargo test` rather than `kanade job create` at deploy. It carries
1405 /// both `collect:` and `client:` (end-user-triggerable), which must
1406 /// compose.
1407 #[test]
1408 fn example_collect_job_yaml_parses_and_validates() {
1409 let yaml = include_str!("../../../configs/jobs/collect-diagnostics.yaml");
1410 let m: Manifest = serde_yaml::from_str(yaml).expect("collect-diagnostics parse");
1411 m.validate().expect("collect-diagnostics validate");
1412 assert_eq!(m.id, "collect-diagnostics");
1413 let collect = m.collect.as_ref().expect("collect: block present");
1414 assert!(!collect.name.trim().is_empty());
1415 assert_eq!(collect.files_field, "files");
1416 assert_eq!(collect.max_size_bytes(), 50_000_000);
1417 // collect + client compose — the Client App can trigger it.
1418 assert!(
1419 m.client.is_some(),
1420 "collect-diagnostics also carries client:"
1421 );
1422 }
1423
1424 /// The `emit: { type: events }` collector jobs under
1425 /// `configs/jobs/` feed the obs_events timeline. `include_str!`
1426 /// pins them at compile time so a breaking edit (e.g. an `emit:`
1427 /// paired with `check:`/`inventory:`, a bad watermark field, or a
1428 /// YAML typo in the PowerShell block) fails `cargo test` rather
1429 /// than `kanade job create` at deploy. Every one must carry an
1430 /// `emit.type=events` block and NO check/inventory (validate()
1431 /// rejects the pairing).
1432 #[test]
1433 fn example_event_collector_job_yamls_parse_and_validate() {
1434 let jobs = [
1435 (
1436 "collect-winlog-events",
1437 include_str!("../../../configs/jobs/collect-winlog-events.yaml"),
1438 ),
1439 (
1440 "collect-winlog-logons-all",
1441 include_str!("../../../configs/jobs/collect-winlog-logons-all.yaml"),
1442 ),
1443 (
1444 "collect-wlan-events",
1445 include_str!("../../../configs/jobs/collect-wlan-events.yaml"),
1446 ),
1447 ];
1448 for (id, yaml) in jobs {
1449 // Strict parse so an unknown-key typo in these fixtures fails
1450 // here (not silently at deploy) — the runtime Manifest is
1451 // unknown-key-tolerant, so the lenient serde_yaml::from_str
1452 // wouldn't catch fixture drift (CodeRabbit #689).
1453 let m: Manifest =
1454 crate::strict::from_yaml_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1455 m.validate()
1456 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1457 assert_eq!(m.id, id, "{id} id mismatch");
1458 let emit = m
1459 .emit
1460 .as_ref()
1461 .unwrap_or_else(|| panic!("{id} must carry an emit: block"));
1462 assert_eq!(emit.kind, EmitKind::Events, "{id} emit.type");
1463 assert!(
1464 m.check.is_none() && m.inventory.is_none(),
1465 "{id}: emit jobs must not pair with check/inventory"
1466 );
1467 }
1468 }
1469
1470 /// The `inventory:` snapshot jobs under `configs/jobs/` project
1471 /// facts into `inventory_facts` + exploded tables. `include_str!`
1472 /// pins them at compile time so a breaking edit (bad explode
1473 /// schema, a YAML typo in the PowerShell block, an `inventory:`
1474 /// accidentally paired with `emit:`) fails `cargo test` rather
1475 /// than the projector at deploy. Each must carry an `inventory:`
1476 /// block and NO emit (validate() rejects the pairing).
1477 #[test]
1478 fn example_inventory_job_yamls_parse_and_validate() {
1479 let jobs = [
1480 (
1481 "inventory-hw",
1482 include_str!("../../../configs/jobs/inventory-hw.yaml"),
1483 ),
1484 (
1485 "inventory-sw",
1486 include_str!("../../../configs/jobs/inventory-sw.yaml"),
1487 ),
1488 (
1489 "inventory-driver",
1490 include_str!("../../../configs/jobs/inventory-driver.yaml"),
1491 ),
1492 ];
1493 for (id, yaml) in jobs {
1494 let m: Manifest =
1495 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1496 m.validate()
1497 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1498 assert_eq!(m.id, id, "{id} id mismatch");
1499 assert!(m.inventory.is_some(), "{id} must carry an inventory: block");
1500 assert!(m.emit.is_none(), "{id}: inventory jobs must not set emit:");
1501 }
1502 }
1503
1504 #[test]
1505 fn example_check_schedule_yamls_parse_and_validate() {
1506 let schedules = [
1507 (
1508 "check-bitlocker",
1509 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
1510 ),
1511 (
1512 "check-av-signature",
1513 include_str!("../../../configs/schedules/check-av-signature.yaml"),
1514 ),
1515 (
1516 "check-cert-expiry",
1517 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
1518 ),
1519 (
1520 "check-disk-space",
1521 include_str!("../../../configs/schedules/check-disk-space.yaml"),
1522 ),
1523 (
1524 "check-pending-reboot",
1525 include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
1526 ),
1527 (
1528 "check-defender-rtp",
1529 include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
1530 ),
1531 (
1532 "check-firewall",
1533 include_str!("../../../configs/schedules/check-firewall.yaml"),
1534 ),
1535 ];
1536 for (name, yaml) in schedules {
1537 let s: Schedule =
1538 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1539 s.validate()
1540 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1541 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1542 }
1543 }
1544
1545 /// Inventory schedule wrappers (`per_pc` cadence) must stay valid
1546 /// alongside the schedule schema. `include_str!` pins them so a
1547 /// breaking edit fails `cargo test`, not `kanade schedule create`.
1548 #[test]
1549 fn example_inventory_schedule_yamls_parse_and_validate() {
1550 let schedules = [
1551 (
1552 "inventory-hw",
1553 include_str!("../../../configs/schedules/inventory-hw.yaml"),
1554 ),
1555 (
1556 "inventory-sw",
1557 include_str!("../../../configs/schedules/inventory-sw.yaml"),
1558 ),
1559 (
1560 "inventory-driver",
1561 include_str!("../../../configs/schedules/inventory-driver.yaml"),
1562 ),
1563 ];
1564 for (name, yaml) in schedules {
1565 let s: Schedule =
1566 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1567 s.validate()
1568 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1569 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1570 }
1571 }
1572
1573 #[test]
1574 fn target_is_specified_requires_at_least_one_field() {
1575 let empty = Target::default();
1576 assert!(!empty.is_specified());
1577
1578 let with_all = Target {
1579 all: true,
1580 ..Target::default()
1581 };
1582 assert!(with_all.is_specified());
1583
1584 let with_groups = Target {
1585 groups: vec!["canary".into()],
1586 ..Target::default()
1587 };
1588 assert!(with_groups.is_specified());
1589
1590 let with_pcs = Target {
1591 pcs: vec!["pc-01".into()],
1592 ..Target::default()
1593 };
1594 assert!(with_pcs.is_specified());
1595 }
1596
1597 #[test]
1598 fn manifest_deserialises_minimal_yaml() {
1599 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
1600 // — those live on the schedule / exec request now.
1601 let yaml = r#"
1602id: echo-test
1603version: 0.0.1
1604execute:
1605 shell: powershell
1606 script: "echo 'kanade'"
1607 timeout: 30s
1608"#;
1609 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1610 assert_eq!(m.id, "echo-test");
1611 assert_eq!(m.version, "0.0.1");
1612 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
1613 assert_eq!(
1614 m.execute.script.as_deref().map(str::trim),
1615 Some("echo 'kanade'")
1616 );
1617 assert!(m.execute.script_file.is_none());
1618 assert!(m.execute.script_object.is_none());
1619 assert_eq!(m.execute.timeout, "30s");
1620 assert!(!m.require_approval);
1621 m.validate()
1622 .expect("inline-script manifest passes validation");
1623 }
1624
1625 #[test]
1626 fn manifest_parses_check_job_and_validates() {
1627 // An operator-defined health check (#290): a `check:` hint +
1628 // a PowerShell script that prints {status, detail}.
1629 let yaml = r#"
1630id: check-bitlocker
1631version: 0.1.0
1632execute:
1633 shell: powershell
1634 run_as: system
1635 timeout: 15s
1636 script: |
1637 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
1638check:
1639 name: bitlocker
1640 troubleshoot: fix-bitlocker
1641"#;
1642 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1643 let check = m.check.as_ref().expect("check hint present");
1644 assert_eq!(check.name, "bitlocker");
1645 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
1646 // Field names default to the conventional "status" / "detail".
1647 assert_eq!(check.status_field, "status");
1648 assert_eq!(check.detail_field, "detail");
1649 assert!(m.inventory.is_none() && m.emit.is_none());
1650 m.validate().expect("check-only manifest passes validation");
1651 }
1652
1653 #[test]
1654 fn manifest_check_defaults_and_custom_fields() {
1655 // Minimal: only `name`; status/detail fields default.
1656 let m: Manifest = serde_yaml::from_str(
1657 r#"
1658id: check-disk
1659version: 0.1.0
1660execute:
1661 shell: powershell
1662 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
1663 timeout: 10s
1664check:
1665 name: disk_free
1666"#,
1667 )
1668 .expect("parse");
1669 let c = m.check.as_ref().unwrap();
1670 assert_eq!(c.name, "disk_free");
1671 assert_eq!(c.status_field, "status");
1672 assert_eq!(c.detail_field, "detail");
1673 assert!(c.troubleshoot.is_none());
1674 m.validate().expect("validates");
1675
1676 // The operator can point status/detail at any field of their
1677 // free-form inventory object.
1678 let m2: Manifest = serde_yaml::from_str(
1679 r#"
1680id: check-custom
1681version: 0.1.0
1682execute:
1683 shell: powershell
1684 script: "echo x"
1685 timeout: 10s
1686check:
1687 name: patch_level
1688 status_field: compliance
1689 detail_field: summary
1690"#,
1691 )
1692 .expect("parse");
1693 let c2 = m2.check.as_ref().unwrap();
1694 assert_eq!(c2.status_field, "compliance");
1695 assert_eq!(c2.detail_field, "summary");
1696 }
1697
1698 #[test]
1699 fn manifest_allows_check_composed_with_inventory() {
1700 // `check:` + `inventory:` COMPOSE on the same stdout object:
1701 // status/detail → Health tab, the rest → SPA projection +
1702 // explode sub-tables. Must pass validation.
1703 let yaml = r#"
1704id: check-bitlocker-detailed
1705version: 0.1.0
1706execute:
1707 shell: powershell
1708 script: "echo x"
1709 timeout: 10s
1710check:
1711 name: bitlocker
1712inventory:
1713 display:
1714 - { field: status, label: Status }
1715"#;
1716 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1717 assert!(m.check.is_some() && m.inventory.is_some());
1718 m.validate().expect("check + inventory compose");
1719 }
1720
1721 #[test]
1722 fn manifest_parses_collect_job_and_validates() {
1723 // #219: a `collect:` hint + a script that lists files on stdout.
1724 let yaml = r#"
1725id: collect-diagnostics
1726version: 0.1.0
1727execute:
1728 shell: powershell
1729 run_as: system
1730 timeout: 120s
1731 script: |
1732 @{ files = @("$env:KANADE_COLLECT_DIR/system.csv") } | ConvertTo-Json
1733collect:
1734 name: "Full diagnostics"
1735 description: "Event logs + process"
1736 max_size: 50MB
1737"#;
1738 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1739 let c = m.collect.as_ref().expect("collect hint present");
1740 assert_eq!(c.name, "Full diagnostics");
1741 assert_eq!(c.files_field, "files"); // default
1742 assert_eq!(c.max_size_bytes(), 50_000_000);
1743 m.validate().expect("collect-only manifest validates");
1744 }
1745
1746 #[test]
1747 fn manifest_collect_max_size_defaults_when_unset() {
1748 let m: Manifest = serde_yaml::from_str(
1749 r#"
1750id: collect-min
1751version: 0.1.0
1752execute:
1753 shell: powershell
1754 script: "echo x"
1755 timeout: 10s
1756collect:
1757 name: minimal
1758"#,
1759 )
1760 .expect("parse");
1761 let c = m.collect.as_ref().unwrap();
1762 assert!(c.max_size.is_none());
1763 assert_eq!(c.max_size_bytes(), DEFAULT_COLLECT_MAX_SIZE);
1764 m.validate().expect("validates");
1765 }
1766
1767 #[test]
1768 fn manifest_allows_collect_with_client() {
1769 // collect composes with client (client doesn't touch stdout):
1770 // an end user can trigger a collection from the Client App.
1771 let yaml = r#"
1772id: collect-diag-client
1773version: 0.1.0
1774execute:
1775 shell: powershell
1776 script: "echo x"
1777 timeout: 10s
1778collect:
1779 name: diagnostics
1780client:
1781 name: "Send diagnostics"
1782 category: troubleshoot
1783"#;
1784 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1785 assert!(m.collect.is_some() && m.client.is_some());
1786 m.validate().expect("collect + client compose");
1787 }
1788
1789 #[test]
1790 fn manifest_rejects_collect_combined_with_inventory() {
1791 // collect consumes stdout for its own `files` contract → can't
1792 // share with inventory/check/emit.
1793 let yaml = r#"
1794id: bad-collect-mix
1795version: 0.1.0
1796execute:
1797 shell: powershell
1798 script: "echo x"
1799 timeout: 10s
1800collect:
1801 name: diag
1802inventory:
1803 display:
1804 - { field: status, label: Status }
1805"#;
1806 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1807 let err = m
1808 .validate()
1809 .expect_err("collect + inventory must be rejected");
1810 assert!(err.contains("collect"), "error mentions collect: {err}");
1811 }
1812
1813 #[test]
1814 fn manifest_rejects_collect_combined_with_check_or_emit() {
1815 // collect is exclusive with every stdout-consuming hint, not
1816 // just inventory — guard the check + emit branches too.
1817 for extra in ["check:\n name: health\n", "emit:\n type: events\n"] {
1818 let yaml = format!(
1819 "id: bad-collect-mix\nversion: 0.1.0\nexecute:\n shell: powershell\n \
1820 script: \"echo x\"\n timeout: 10s\ncollect:\n name: diag\n{extra}"
1821 );
1822 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1823 let err = m
1824 .validate()
1825 .expect_err("collect + stdout-consuming hint must fail");
1826 assert!(err.contains("collect"), "error mentions collect: {err}");
1827 }
1828 }
1829
1830 #[test]
1831 fn manifest_rejects_collect_empty_name_and_bad_size() {
1832 let empty_name: Manifest = serde_yaml::from_str(
1833 r#"
1834id: c
1835version: 0.1.0
1836execute: { shell: powershell, script: "echo x", timeout: 10s }
1837collect: { name: " " }
1838"#,
1839 )
1840 .expect("parse");
1841 assert!(
1842 empty_name.validate().is_err(),
1843 "blank collect.name rejected"
1844 );
1845
1846 let bad_size: Manifest = serde_yaml::from_str(
1847 r#"
1848id: c
1849version: 0.1.0
1850execute: { shell: powershell, script: "echo x", timeout: 10s }
1851collect: { name: diag, max_size: "50 quux" }
1852"#,
1853 )
1854 .expect("parse");
1855 let err = bad_size.validate().expect_err("bad max_size rejected");
1856 assert!(err.contains("max_size"), "error mentions max_size: {err}");
1857 }
1858
1859 #[test]
1860 fn parse_size_bytes_units() {
1861 assert_eq!(parse_size_bytes("1024").unwrap(), 1024);
1862 assert_eq!(parse_size_bytes("1B").unwrap(), 1);
1863 assert_eq!(parse_size_bytes("50MB").unwrap(), 50_000_000);
1864 assert_eq!(parse_size_bytes("500 KB").unwrap(), 500_000);
1865 assert_eq!(parse_size_bytes("1GiB").unwrap(), 1024 * 1024 * 1024);
1866 assert_eq!(parse_size_bytes("2mib").unwrap(), 2 * 1024 * 1024);
1867 assert!(parse_size_bytes("").is_err());
1868 assert!(parse_size_bytes("MB").is_err());
1869 assert!(parse_size_bytes("12 zonks").is_err());
1870 }
1871
1872 #[test]
1873 fn manifest_rejects_check_combined_with_emit() {
1874 // `emit:` stdout is NDJSON (and omitted from the result), so
1875 // it can't pair with `check:` (which needs a single JSON
1876 // object on stdout).
1877 let yaml = r#"
1878id: bad-mix
1879version: 0.1.0
1880execute:
1881 shell: powershell
1882 script: "echo x"
1883 timeout: 10s
1884check:
1885 name: bitlocker
1886emit:
1887 type: events
1888"#;
1889 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1890 let err = m.validate().expect_err("emit + check must fail");
1891 assert!(err.contains("incompatible"), "err: {err}");
1892 }
1893
1894 #[test]
1895 fn manifest_rejects_emit_combined_with_inventory() {
1896 // The other half of the emit-incompatibility condition.
1897 let yaml = r#"
1898id: bad-mix-2
1899version: 0.1.0
1900execute:
1901 shell: powershell
1902 script: "echo x"
1903 timeout: 10s
1904emit:
1905 type: events
1906inventory:
1907 display:
1908 - { field: status, label: Status }
1909"#;
1910 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1911 let err = m.validate().expect_err("emit + inventory must fail");
1912 assert!(err.contains("incompatible"), "err: {err}");
1913 }
1914
1915 #[test]
1916 fn manifest_rejects_empty_check_field_names() {
1917 // Empty name / status_field / detail_field are invisible
1918 // runtime bugs (empty React key, agent reads the wrong field)
1919 // — reject them even though serde supplies non-empty defaults.
1920 let base = |inner: &str| {
1921 format!(
1922 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
1923 )
1924 };
1925 for inner in [
1926 " name: \"\"\n",
1927 " name: ok\n status_field: \"\"\n",
1928 " name: ok\n detail_field: \" \"\n",
1929 // present-but-blank troubleshoot → broken remediation id.
1930 " name: ok\n troubleshoot: \" \"\n",
1931 ] {
1932 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
1933 let err = m.validate().expect_err("empty field must fail");
1934 assert!(err.contains("must not be empty"), "err: {err}");
1935 }
1936 }
1937
1938 #[test]
1939 fn manifest_client_absent_by_default() {
1940 // A plain operator job (the overwhelming majority) carries no
1941 // `client:` block, so it never surfaces in the end-user
1942 // catalog.
1943 let yaml = r#"
1944id: echo-test
1945version: 0.0.1
1946execute:
1947 shell: powershell
1948 script: "echo 'kanade'"
1949 timeout: 30s
1950"#;
1951 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1952 assert!(m.client.is_none());
1953 m.validate().expect("operator-only job validates");
1954 }
1955
1956 #[test]
1957 fn manifest_client_parses_and_validates() {
1958 // The Client App "困ったとき" remediation job shape: a
1959 // user-invokable troubleshoot job with the end-user fields the
1960 // KLP `jobs.list` wire needs, grouped under `client:`.
1961 let yaml = r#"
1962id: fix-teams-cache
1963version: 1.0.0
1964execute:
1965 shell: powershell
1966 script: "echo clearing"
1967 timeout: 60s
1968client:
1969 name: "Teams のキャッシュをクリア"
1970 description: "Teams が重いときに試してください"
1971 category: troubleshoot
1972 icon: brush-cleaning
1973"#;
1974 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1975 let c = m.client.as_ref().expect("client block present");
1976 assert_eq!(c.name, "Teams のキャッシュをクリア");
1977 assert_eq!(
1978 c.description.as_deref(),
1979 Some("Teams が重いときに試してください")
1980 );
1981 assert_eq!(c.category, JobCategory::Troubleshoot);
1982 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
1983 m.validate().expect("user-invokable job validates");
1984 }
1985
1986 #[test]
1987 fn manifest_client_minimal_only_name_and_category() {
1988 // description + icon are optional; name + category are the
1989 // serde-required minimum.
1990 let yaml = r#"
1991id: install-slack
1992version: 1.0.0
1993execute:
1994 shell: powershell
1995 script: "echo install"
1996 timeout: 600s
1997client:
1998 name: Slack
1999 category: catalog
2000"#;
2001 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2002 let c = m.client.as_ref().expect("client present");
2003 assert_eq!(c.category, JobCategory::Catalog);
2004 assert!(c.description.is_none() && c.icon.is_none());
2005 m.validate().expect("minimal client validates");
2006 }
2007
2008 #[test]
2009 fn manifest_client_rejects_blank_name() {
2010 // serde guarantees `name`/`category` are present; the one gap
2011 // is a present-but-blank name → empty catalog row title.
2012 let yaml = r#"
2013id: j
2014version: 1.0.0
2015execute:
2016 shell: powershell
2017 script: "echo x"
2018 timeout: 30s
2019client:
2020 name: " "
2021 category: catalog
2022"#;
2023 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2024 let err = m.validate().expect_err("blank name must fail");
2025 assert!(err.contains("client.name"), "err: {err}");
2026 }
2027
2028 #[test]
2029 fn manifest_client_rejects_blank_optional_fields() {
2030 // description / icon are optional, but a present-but-blank
2031 // value is a bug (empty subtitle / dangling icon name) — reject
2032 // it, mirroring the check: block's troubleshoot guard.
2033 for (field, line) in [
2034 ("client.description", " description: \" \"\n"),
2035 ("client.icon", " icon: \"\"\n"),
2036 ] {
2037 let yaml = format!(
2038 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
2039 );
2040 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
2041 let err = m.validate().expect_err("blank optional field must fail");
2042 assert!(err.contains(field), "expected {field} in err: {err}");
2043 }
2044 }
2045
2046 #[test]
2047 fn manifest_client_requires_category_at_parse() {
2048 // A `client:` block missing `category` is a hard parse error
2049 // (serde required field) — no manual validate() needed.
2050 let yaml = r#"
2051id: j
2052version: 1.0.0
2053execute:
2054 shell: powershell
2055 script: "echo x"
2056 timeout: 30s
2057client:
2058 name: "A job"
2059"#;
2060 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
2061 assert!(
2062 r.is_err(),
2063 "missing category must be a parse error, got {r:?}"
2064 );
2065 }
2066
2067 #[test]
2068 fn manifest_client_rejects_unknown_field() {
2069 // #492: the strict create boundary catches a fat-fingered
2070 // `displayname:` (with its path) instead of silently
2071 // dropping it; the tolerant read path accepts it.
2072 let yaml = r#"
2073id: j
2074version: 1.0.0
2075execute:
2076 shell: powershell
2077 script: "echo x"
2078 timeout: 30s
2079client:
2080 name: "A job"
2081 category: catalog
2082 displayname: oops
2083"#;
2084 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
2085 let err = r.expect_err("unknown client field must be rejected at the write boundary");
2086 // serde_ignored renders the Option layer as `?`:
2087 // `client.?.displayname`. Assert on the leaf key.
2088 assert!(err.contains("displayname"), "{err}");
2089 // The READ path tolerates the same payload (gradual-upgrade
2090 // contract: an old agent must accept a newer writer's field).
2091 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
2092 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
2093 }
2094
2095 #[test]
2096 fn manifest_tags_default_empty() {
2097 // The overwhelming majority of jobs carry no tags; the field
2098 // must default to an empty Vec (not fail to parse) and skip
2099 // serialisation so old readers never see the key.
2100 let yaml = r#"
2101id: echo-test
2102version: 0.0.1
2103execute:
2104 shell: powershell
2105 script: "echo 'kanade'"
2106 timeout: 30s
2107"#;
2108 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2109 assert!(m.tags.is_empty());
2110 m.validate().expect("tag-less job validates");
2111 // skip_serializing_if = empty ⇒ the key is absent from JSON.
2112 let json = serde_json::to_string(&m).expect("serialize");
2113 assert!(
2114 !json.contains("tags"),
2115 "empty tags must not serialise: {json}"
2116 );
2117 }
2118
2119 #[test]
2120 fn manifest_parses_and_validates_tags() {
2121 let yaml = r#"
2122id: check-bitlocker
2123version: 0.1.0
2124execute:
2125 shell: powershell
2126 script: "echo x"
2127 timeout: 30s
2128tags: [security, windows, health-check]
2129"#;
2130 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2131 assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
2132 m.validate().expect("tagged job validates");
2133 // Round-trips through JSON (the wire format the SPA reads).
2134 let json = serde_json::to_string(&m).expect("serialize");
2135 assert!(json.contains("\"tags\""), "non-empty tags must serialise");
2136 }
2137
2138 #[test]
2139 fn manifest_rejects_blank_tag() {
2140 // A whitespace-only tag renders an empty filter chip — reject
2141 // it at the write boundary like the other blank display fields.
2142 let yaml = r#"
2143id: j
2144version: 0.1.0
2145execute:
2146 shell: powershell
2147 script: "echo x"
2148 timeout: 30s
2149tags: [ok, " "]
2150"#;
2151 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2152 let err = m.validate().expect_err("blank tag must fail");
2153 assert!(err.contains("tags must not contain empty"), "err: {err}");
2154 }
2155
2156 // #720 — wrap an `aggregate:` YAML block (already indented as a
2157 // top-level key body) into an otherwise-minimal valid manifest.
2158 fn manifest_with_aggregate(aggregate_block: &str) -> Manifest {
2159 let yaml = format!(
2160 "id: t\nversion: 0.0.1\nexecute:\n shell: powershell\n script: echo hi\n timeout: 30s\n{aggregate_block}"
2161 );
2162 serde_yaml::from_str(&yaml).expect("parse aggregate manifest")
2163 }
2164
2165 #[test]
2166 fn aggregate_accepts_full_valid_spec() {
2167 // count+group_by+exclude+sample_minutes, ratio+bool_path,
2168 // timeline+time_bucket, fleet ranking via group_by: pc_id, and a
2169 // bare total stat — alongside emit (composes with every hint).
2170 let m = manifest_with_aggregate(
2171 "emit:\n type: events\naggregate:\n\
2172 - { dashboard: Utilization, title: Top apps, kind: app_sample, agg: count, group_by: foreground.app, sample_minutes: 2, exclude: [LockApp], render: bar }\n\
2173 - { dashboard: Utilization, title: Active ratio, kind: presence, agg: ratio, bool_path: active, sample_minutes: 5, render: gauge }\n\
2174 - { dashboard: Utilization, title: By hour, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: timeline }\n\
2175 - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
2176 - { dashboard: Reliability, title: Total crashes, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
2177 );
2178 m.validate().expect("valid aggregate spec");
2179 }
2180
2181 #[test]
2182 fn aggregate_rejects_empty_list() {
2183 let m = manifest_with_aggregate("aggregate: []\n");
2184 let err = m.validate().expect_err("empty list must fail");
2185 assert!(err.contains("at least one widget"), "err: {err}");
2186 }
2187
2188 #[test]
2189 fn aggregate_rejects_ratio_without_bool_path() {
2190 let m = manifest_with_aggregate(
2191 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
2192 );
2193 let err = m.validate().expect_err("ratio needs bool_path");
2194 assert!(err.contains("agg=ratio requires `bool_path`"), "err: {err}");
2195 }
2196
2197 #[test]
2198 fn aggregate_rejects_sum_without_value_path() {
2199 let m = manifest_with_aggregate(
2200 "aggregate:\n- { dashboard: D, title: T, kind: io, agg: sum, render: bar }\n",
2201 );
2202 let err = m.validate().expect_err("sum needs value_path");
2203 assert!(err.contains("agg=sum requires `value_path`"), "err: {err}");
2204 }
2205
2206 #[test]
2207 fn aggregate_rejects_pc_id_group_without_fleet() {
2208 let m = manifest_with_aggregate(
2209 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: count, group_by: pc_id, render: bar }\n",
2210 );
2211 let err = m.validate().expect_err("pc_id grouping needs fleet");
2212 assert!(
2213 err.contains("pc_id is only valid with scope: fleet"),
2214 "err: {err}"
2215 );
2216 }
2217
2218 #[test]
2219 fn aggregate_rejects_transform_with_pc_id_group() {
2220 let m = manifest_with_aggregate(
2221 "aggregate:\n- { dashboard: D, title: T, scope: fleet, kind: web_visit, agg: count, group_by: pc_id, transform: host, render: bar }\n",
2222 );
2223 let err = m
2224 .validate()
2225 .expect_err("transform on pc_id grouping must fail");
2226 assert!(
2227 err.contains("transform is not valid with group_by: pc_id"),
2228 "err: {err}"
2229 );
2230 }
2231
2232 #[test]
2233 fn aggregate_rejects_timeline_without_bucket() {
2234 let m = manifest_with_aggregate(
2235 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, render: timeline }\n",
2236 );
2237 let err = m.validate().expect_err("timeline needs a bucket");
2238 assert!(
2239 err.contains("render=timeline requires `time_bucket`"),
2240 "err: {err}"
2241 );
2242 }
2243
2244 #[test]
2245 fn aggregate_rejects_bucket_on_non_timeline() {
2246 let m = manifest_with_aggregate(
2247 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: gauge }\n",
2248 );
2249 let err = m.validate().expect_err("bucket only on timeline");
2250 assert!(
2251 err.contains("time_bucket is only valid with render: timeline"),
2252 "err: {err}"
2253 );
2254 }
2255
2256 #[test]
2257 fn aggregate_rejects_unsafe_json_path() {
2258 // A path with characters outside [A-Za-z0-9_.] could break out of
2259 // the `'$.' || ?` bind — reject at create time.
2260 let m = manifest_with_aggregate(
2261 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: \"foo'; DROP\", render: bar }\n",
2262 );
2263 let err = m.validate().expect_err("unsafe path must fail");
2264 assert!(err.contains("dotted JSON path"), "err: {err}");
2265 }
2266
2267 #[test]
2268 fn aggregate_rejects_blank_title() {
2269 let m = manifest_with_aggregate(
2270 "aggregate:\n- { dashboard: D, title: \" \", kind: k, agg: count, render: stat }\n",
2271 );
2272 let err = m.validate().expect_err("blank title must fail");
2273 assert!(err.contains("title must not be empty"), "err: {err}");
2274 }
2275
2276 #[test]
2277 fn aggregate_rejects_blank_kind() {
2278 let m = manifest_with_aggregate(
2279 "aggregate:\n- { dashboard: D, title: T, kind: \" \", agg: count, render: stat }\n",
2280 );
2281 let err = m.validate().expect_err("blank kind must fail");
2282 assert!(err.contains("kind must not be empty"), "err: {err}");
2283 }
2284
2285 #[test]
2286 fn aggregate_rejects_blank_source_when_set() {
2287 let m = manifest_with_aggregate(
2288 "aggregate:\n- { dashboard: D, title: T, kind: k, source: \"\", agg: count, render: stat }\n",
2289 );
2290 let err = m.validate().expect_err("blank source must fail");
2291 assert!(
2292 err.contains("source must not be empty when set"),
2293 "err: {err}"
2294 );
2295 }
2296
2297 #[test]
2298 fn aggregate_accepts_description_and_rejects_blank() {
2299 let ok = manifest_with_aggregate(
2300 "aggregate:\n- { dashboard: D, title: T, description: \"samples x 2 min\", kind: k, agg: count, render: stat }\n",
2301 );
2302 ok.validate()
2303 .expect("description is a valid optional field");
2304 assert_eq!(
2305 ok.aggregate.as_ref().unwrap()[0].description.as_deref(),
2306 Some("samples x 2 min")
2307 );
2308 let bad = manifest_with_aggregate(
2309 "aggregate:\n- { dashboard: D, title: T, description: \" \", kind: k, agg: count, render: stat }\n",
2310 );
2311 let err = bad.validate().expect_err("blank description must fail");
2312 assert!(
2313 err.contains("description must not be empty when set"),
2314 "err: {err}"
2315 );
2316 }
2317
2318 #[test]
2319 fn aggregate_rejects_count_with_value_path() {
2320 let m = manifest_with_aggregate(
2321 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, value_path: bytes, render: stat }\n",
2322 );
2323 let err = m.validate().expect_err("count must not use value_path");
2324 assert!(
2325 err.contains("agg=count does not use `value_path`"),
2326 "err: {err}"
2327 );
2328 }
2329
2330 #[test]
2331 fn aggregate_rejects_ratio_with_value_path() {
2332 let m = manifest_with_aggregate(
2333 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: ratio, bool_path: active, value_path: bytes, render: gauge }\n",
2334 );
2335 let err = m.validate().expect_err("ratio must not use value_path");
2336 assert!(
2337 err.contains("agg=ratio does not use `value_path`"),
2338 "err: {err}"
2339 );
2340 }
2341
2342 #[test]
2343 fn aggregate_rejects_gauge_without_ratio() {
2344 let m = manifest_with_aggregate(
2345 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, render: gauge }\n",
2346 );
2347 let err = m.validate().expect_err("gauge needs ratio");
2348 assert!(
2349 err.contains("render=gauge is only valid with agg: ratio"),
2350 "err: {err}"
2351 );
2352 }
2353
2354 #[test]
2355 fn aggregate_rejects_limit_without_group_by() {
2356 let m = manifest_with_aggregate(
2357 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, limit: 5, render: stat }\n",
2358 );
2359 let err = m.validate().expect_err("limit needs group_by");
2360 assert!(err.contains("limit requires `group_by`"), "err: {err}");
2361 }
2362
2363 #[test]
2364 fn aggregate_rejects_exclude_without_group_by() {
2365 let m = manifest_with_aggregate(
2366 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, exclude: [x], render: stat }\n",
2367 );
2368 let err = m.validate().expect_err("exclude needs group_by");
2369 assert!(err.contains("exclude requires `group_by`"), "err: {err}");
2370 }
2371
2372 #[test]
2373 fn aggregate_rejects_zero_limit_and_zero_sample_minutes() {
2374 let m = manifest_with_aggregate(
2375 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, limit: 0, render: bar }\n",
2376 );
2377 assert!(m.validate().unwrap_err().contains("limit must be > 0"));
2378 let m = manifest_with_aggregate(
2379 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, sample_minutes: 0, render: bar }\n",
2380 );
2381 assert!(
2382 m.validate()
2383 .unwrap_err()
2384 .contains("sample_minutes must be > 0")
2385 );
2386 }
2387
2388 #[test]
2389 fn aggregate_rejects_empty_exclude_entry() {
2390 let m = manifest_with_aggregate(
2391 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, exclude: [\" \"], render: bar }\n",
2392 );
2393 let err = m.validate().expect_err("blank exclude entry must fail");
2394 assert!(
2395 err.contains("exclude must not contain empty entries"),
2396 "err: {err}"
2397 );
2398 }
2399
2400 #[test]
2401 fn aggregate_rejects_malformed_dotted_paths() {
2402 for bad in [".foo", "foo.", "foo..bar", "."] {
2403 let m = manifest_with_aggregate(&format!(
2404 "aggregate:\n- {{ dashboard: D, title: T, kind: k, agg: count, group_by: \"{bad}\", render: bar }}\n"
2405 ));
2406 let err = m.validate().expect_err("malformed path must fail");
2407 assert!(err.contains("dotted JSON path"), "path {bad}: {err}");
2408 }
2409 }
2410
2411 #[test]
2412 fn aggregate_rejects_unknown_enum_value() {
2413 // An unrecognised render string deserialises to the #492 Unknown
2414 // catch-all (so old readers don't choke); validate() rejects it as
2415 // a typo at create time.
2416 let m = manifest_with_aggregate(
2417 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, render: heatmap }\n",
2418 );
2419 let err = m.validate().expect_err("unknown render must fail");
2420 assert!(err.contains("render is not a known value"), "err: {err}");
2421 }
2422
2423 #[test]
2424 fn aggregate_accepts_order_field() {
2425 let m = manifest_with_aggregate(
2426 "aggregate:\n- { dashboard: D, title: T, order: -5, kind: k, agg: count, render: stat }\n",
2427 );
2428 m.validate().expect("order is a valid optional field");
2429 let w = &m.aggregate.as_ref().unwrap()[0];
2430 assert_eq!(w.order, Some(-5));
2431 }
2432
2433 // ── #743 View resource ───────────────────────────────────────────
2434 fn view_from(yaml_body: &str) -> View {
2435 serde_yaml::from_str(&format!("id: v1\n{yaml_body}")).expect("parse view")
2436 }
2437
2438 #[test]
2439 fn view_accepts_valid_widgets() {
2440 let v = view_from(
2441 "widgets:\n\
2442 - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
2443 - { dashboard: Reliability, title: Total, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
2444 );
2445 v.validate().expect("valid view");
2446 }
2447
2448 #[test]
2449 fn view_rejects_empty_widgets() {
2450 let v = view_from("widgets: []\n");
2451 let err = v.validate().expect_err("empty widgets must fail");
2452 assert!(err.contains("at least one widget"), "err: {err}");
2453 }
2454
2455 #[test]
2456 fn view_rejects_blank_id() {
2457 let v: View = serde_yaml::from_str(
2458 "id: \" \"\nwidgets:\n- { dashboard: D, title: T, kind: k, agg: count, render: stat }\n",
2459 )
2460 .expect("parse");
2461 let err = v.validate().expect_err("blank id must fail");
2462 assert!(err.contains("view.id must"), "err: {err}");
2463 }
2464
2465 #[test]
2466 fn view_rejects_unsafe_id() {
2467 // A `/` or `..` in the id would break the KV key and the
2468 // `/api/views/{id}` URL segment — reject at create time.
2469 for bad in ["../etc", "a/b", "has space", "x;y"] {
2470 let v: View = serde_yaml::from_str(&format!(
2471 "id: \"{bad}\"\nwidgets:\n- {{ dashboard: D, title: T, kind: k, agg: count, render: stat }}\n",
2472 ))
2473 .expect("parse");
2474 let err = v.validate().expect_err("unsafe id must fail");
2475 assert!(err.contains("[A-Za-z0-9._-]"), "id {bad}: {err}");
2476 }
2477 assert!(is_valid_resource_id("dashboards-fleet.v1_2"));
2478 }
2479
2480 #[test]
2481 fn view_reuses_shared_widget_validation() {
2482 // The same per-widget rule the job hint enforces (ratio needs
2483 // bool_path), reported under the `widgets[..]` field.
2484 let v = view_from(
2485 "widgets:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
2486 );
2487 let err = v.validate().expect_err("ratio without bool_path must fail");
2488 assert!(
2489 err.contains("widgets[0].agg=ratio requires `bool_path`"),
2490 "err: {err}"
2491 );
2492 }
2493
2494 fn execute_with(
2495 script: Option<&str>,
2496 script_file: Option<&str>,
2497 script_object: Option<&str>,
2498 ) -> Execute {
2499 Execute {
2500 shell: ExecuteShell::Powershell,
2501 script: script.map(str::to_owned),
2502 script_file: script_file.map(str::to_owned),
2503 script_object: script_object.map(str::to_owned),
2504 timeout: "30s".into(),
2505 run_as: RunAs::default(),
2506 cwd: None,
2507 }
2508 }
2509
2510 #[test]
2511 fn validate_accepts_inline_script() {
2512 let e = execute_with(Some("echo hi"), None, None);
2513 assert!(e.validate_script_source().is_ok());
2514 }
2515
2516 #[test]
2517 fn validate_accepts_script_file_alone() {
2518 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
2519 assert!(e.validate_script_source().is_ok());
2520 }
2521
2522 #[test]
2523 fn validate_accepts_script_object_alone() {
2524 let e = execute_with(None, None, Some("cleanup/1.0.0"));
2525 assert!(e.validate_script_source().is_ok());
2526 }
2527
2528 #[test]
2529 fn validate_treats_empty_inline_script_as_unset() {
2530 // `script: ""` + `script_object` set is the natural shape
2531 // when an operator comments out the YAML block-scalar body
2532 // but leaves the key. Should pass.
2533 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
2534 assert!(e.validate_script_source().is_ok());
2535 }
2536
2537 #[test]
2538 fn validate_rejects_zero_sources() {
2539 let e = execute_with(None, None, None);
2540 let err = e.validate_script_source().unwrap_err();
2541 assert!(err.contains("must be set"), "got: {err}");
2542 }
2543
2544 #[test]
2545 fn validate_rejects_empty_inline_only() {
2546 let e = execute_with(Some(""), None, None);
2547 let err = e.validate_script_source().unwrap_err();
2548 assert!(err.contains("must be set"), "got: {err}");
2549 }
2550
2551 #[test]
2552 fn validate_rejects_inline_plus_file() {
2553 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
2554 let err = e.validate_script_source().unwrap_err();
2555 assert!(err.contains("only one of"), "got: {err}");
2556 }
2557
2558 #[test]
2559 fn validate_rejects_inline_plus_object() {
2560 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
2561 let err = e.validate_script_source().unwrap_err();
2562 assert!(err.contains("only one of"), "got: {err}");
2563 }
2564
2565 #[test]
2566 fn validate_rejects_file_plus_object() {
2567 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
2568 let err = e.validate_script_source().unwrap_err();
2569 assert!(err.contains("only one of"), "got: {err}");
2570 }
2571
2572 #[test]
2573 fn validate_rejects_all_three() {
2574 let e = execute_with(
2575 Some("echo hi"),
2576 Some("scripts/cleanup.ps1"),
2577 Some("cleanup/1.0.0"),
2578 );
2579 let err = e.validate_script_source().unwrap_err();
2580 assert!(err.contains("only one of"), "got: {err}");
2581 }
2582
2583 #[test]
2584 fn manifest_deserialises_script_object_yaml() {
2585 // SPEC §2.4.1 example shape with the Object Store
2586 // reference picked over inline.
2587 let yaml = r#"
2588id: cleanup-disk-temp
2589version: 1.0.1
2590execute:
2591 shell: powershell
2592 script_object: cleanup-disk-temp/1.0.1
2593 timeout: 600s
2594"#;
2595 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2596 assert_eq!(
2597 m.execute.script_object.as_deref(),
2598 Some("cleanup-disk-temp/1.0.1")
2599 );
2600 assert!(m.execute.script.is_none());
2601 m.validate()
2602 .expect("script_object-only manifest passes validation");
2603 }
2604
2605 #[test]
2606 fn manifest_rejects_typo_in_script_field_name() {
2607 // #492: the strict create boundary catches `script_objectt`
2608 // and similar fat-fingers (with the full path) instead of
2609 // letting them silently fall through to "all three unset".
2610 let yaml = r#"
2611id: typo
2612version: 1.0.0
2613execute:
2614 shell: powershell
2615 script_objectt: oops
2616 timeout: 30s
2617"#;
2618 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
2619 .expect_err("typo'd execute field must be rejected at the write boundary");
2620 assert!(err.contains("execute.script_objectt"), "{err}");
2621 }
2622
2623 #[test]
2624 fn schedule_carries_target_and_rollout() {
2625 let yaml = r#"
2626id: hourly-cleanup-canary
2627when:
2628 per_pc: { every: 1h }
2629job_id: cleanup
2630enabled: true
2631target:
2632 groups: [canary, wave1]
2633jitter: 30s
2634rollout:
2635 strategy: wave
2636 waves:
2637 - { group: canary, delay: 0s }
2638 - { group: wave1, delay: 5s }
2639"#;
2640 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2641 assert_eq!(s.id, "hourly-cleanup-canary");
2642 assert_eq!(s.job_id, "cleanup");
2643 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
2644 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
2645 let rollout = s.plan.rollout.expect("rollout present");
2646 assert_eq!(rollout.waves.len(), 2);
2647 assert_eq!(rollout.waves[0].group, "canary");
2648 assert_eq!(rollout.waves[1].delay, "5s");
2649 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
2650 }
2651
2652 #[test]
2653 fn schedule_minimal_target_all() {
2654 let yaml = r#"
2655id: kitting
2656when:
2657 per_pc: once
2658enabled: true
2659job_id: scheduled-echo
2660target: { all: true }
2661"#;
2662 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2663 assert_eq!(s.id, "kitting");
2664 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
2665 assert!(s.enabled);
2666 assert_eq!(s.job_id, "scheduled-echo");
2667 assert!(s.plan.target.all);
2668 assert!(s.plan.rollout.is_none());
2669 assert!(s.plan.jitter.is_none());
2670 assert!(s.active.is_empty());
2671 }
2672
2673 #[test]
2674 fn schedule_enabled_defaults_to_true() {
2675 let yaml = r#"
2676id: x
2677when:
2678 per_pc: once
2679job_id: y
2680target: { all: true }
2681"#;
2682 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2683 assert!(s.enabled);
2684 }
2685
2686 #[test]
2687 fn schedule_tags_default_empty_and_skip_serialise() {
2688 let yaml = r#"
2689id: x
2690when:
2691 per_pc: once
2692job_id: y
2693target: { all: true }
2694"#;
2695 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2696 assert!(s.tags.is_empty());
2697 s.validate().expect("tag-less schedule validates");
2698 let json = serde_json::to_string(&s).expect("serialize");
2699 assert!(
2700 !json.contains("tags"),
2701 "empty tags must not serialise: {json}"
2702 );
2703 }
2704
2705 #[test]
2706 fn schedule_parses_and_validates_tags() {
2707 let yaml = r#"
2708id: weekly-cleanup
2709when:
2710 per_pc: { every: 1h }
2711job_id: cleanup
2712target: { all: true }
2713tags: [weekly, maintenance]
2714"#;
2715 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2716 assert_eq!(s.tags, vec!["weekly", "maintenance"]);
2717 s.validate().expect("tagged schedule validates");
2718 }
2719
2720 #[test]
2721 fn schedule_rejects_blank_tag() {
2722 let yaml = r#"
2723id: x
2724when:
2725 per_pc: once
2726job_id: y
2727target: { all: true }
2728tags: [ok, " "]
2729"#;
2730 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2731 let err = s.validate().expect_err("blank tag must fail");
2732 assert!(err.contains("tags must not contain empty"), "err: {err}");
2733 }
2734
2735 // ---- `when` parsing (#418 Phase 1) ----
2736
2737 fn schedule_yaml_with(when_block: &str) -> String {
2738 format!(
2739 r#"
2740id: x
2741when:
2742{when_block}
2743job_id: y
2744target: {{ all: true }}
2745"#
2746 )
2747 }
2748
2749 #[test]
2750 fn when_per_pc_every_parses_unquoted_humantime() {
2751 // `6h` is digit-led but non-numeric → YAML string, same as
2752 // the old `cooldown: 6h` convention. No quotes needed.
2753 let s: Schedule =
2754 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
2755 assert_eq!(
2756 s.when,
2757 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
2758 );
2759 }
2760
2761 #[test]
2762 fn when_per_target_every_parses() {
2763 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
2764 .expect("parse");
2765 assert_eq!(
2766 s.when,
2767 When::PerTarget(PerPolicy::Every(EverySpec {
2768 every: "24h".into()
2769 }))
2770 );
2771 }
2772
2773 #[test]
2774 fn when_per_target_once_parses() {
2775 // Falls out of the shared PerPolicy shape and decide_fire
2776 // already implements it ("any one pc succeeds → skip the
2777 // target forever"), so it is allowed, not rejected.
2778 let s: Schedule =
2779 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
2780 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
2781 }
2782
2783 #[test]
2784 fn when_calendar_time_parses() {
2785 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
2786 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
2787 ))
2788 .expect("parse");
2789 match &s.when {
2790 When::Calendar(c) => {
2791 assert_eq!(c.at, "09:00");
2792 assert_eq!(c.days, vec!["mon-fri"]);
2793 }
2794 other => panic!("expected calendar, got {other:?}"),
2795 }
2796 }
2797
2798 #[test]
2799 fn when_calendar_days_default_empty() {
2800 let s: Schedule =
2801 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
2802 .expect("parse");
2803 match &s.when {
2804 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
2805 other => panic!("expected calendar, got {other:?}"),
2806 }
2807 }
2808
2809 #[test]
2810 fn when_calendar_datetime_parses_all_separators() {
2811 // one-shot: date+time in hyphen / ISO-T / slash forms
2812 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
2813 let block = format!(" calendar:\n at: \"{at}\"");
2814 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
2815 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
2816 match &s.when {
2817 When::Calendar(c) => {
2818 use chrono::Datelike;
2819 let p = c.parse_at().expect("parse_at");
2820 let d = p.date.expect("datetime at carries a date");
2821 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
2822 }
2823 other => panic!("expected calendar, got {other:?}"),
2824 }
2825 }
2826 }
2827
2828 #[test]
2829 fn when_rejects_bad_once_keyword() {
2830 // `onec` must be a parse error, not a silently-absorbed
2831 // string (OnceLiteral is a single-variant enum for exactly
2832 // this reason).
2833 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
2834 assert!(r.is_err(), "expected parse error, got {r:?}");
2835 }
2836
2837 #[test]
2838 fn when_rejects_unknown_key_in_every() {
2839 // `{ evry: 6h }` still fails on the tolerant read path: the
2840 // required `every` key is missing, so no PerPolicy variant
2841 // matches (#492 removed deny_unknown_fields, but required
2842 // keys keep the untagged disambiguation honest).
2843 let r: Result<Schedule, _> =
2844 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
2845 assert!(r.is_err(), "expected parse error, got {r:?}");
2846 }
2847
2848 #[test]
2849 fn when_rejects_unknown_variant() {
2850 let r: Result<Schedule, _> =
2851 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
2852 assert!(r.is_err(), "expected parse error, got {r:?}");
2853 }
2854
2855 #[test]
2856 fn when_rejects_old_top_level_cron_field() {
2857 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
2858 // loudly (missing `when`), which is what turns stale KV
2859 // blobs into warn-skips after the upgrade.
2860 let yaml = r#"
2861id: x
2862cron: "* * * * * *"
2863job_id: y
2864target: { all: true }
2865"#;
2866 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
2867 assert!(r.is_err(), "expected parse error, got {r:?}");
2868 }
2869
2870 #[test]
2871 fn when_rejects_retired_cron_escape_hatch() {
2872 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
2873 // is now an unknown variant → parse error (operators use the
2874 // calendar form instead).
2875 let r: Result<Schedule, _> =
2876 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
2877 assert!(
2878 r.is_err(),
2879 "expected parse error for retired cron, got {r:?}"
2880 );
2881 }
2882
2883 #[test]
2884 fn when_round_trips_json_and_yaml() {
2885 // Round-trip through the full Schedule: that is the wire
2886 // unit for both stores (JSON catalog KV + YAML mirror), and
2887 // it exercises the singleton_map field attribute that keeps
2888 // serde_yaml on the map shape instead of `!per_pc` tags.
2889 for when in [
2890 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2891 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2892 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2893 When::PerTarget(PerPolicy::Every(EverySpec {
2894 every: "24h".into(),
2895 })),
2896 calendar("09:00", &["mon-fri"]),
2897 calendar("2026-06-10 09:00", &[]),
2898 When::On(vec![OnTrigger::Startup]),
2899 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
2900 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
2901 When::On(vec![OnTrigger::NetworkChange]),
2902 ] {
2903 // Event triggers are agent-only; the rest validate on backend.
2904 let runs_on = if matches!(when, When::On(_)) {
2905 RunsOn::Agent
2906 } else {
2907 RunsOn::Backend
2908 };
2909 let s = schedule_with(when.clone(), runs_on);
2910
2911 let json = serde_json::to_string(&s).expect("json serialise");
2912 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
2913 assert_eq!(back.when, when, "json round-trip for {when}");
2914
2915 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
2916 assert!(
2917 !yaml.contains('!'),
2918 "yaml must use the map shape, not tags: {yaml}"
2919 );
2920 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
2921 assert_eq!(back.when, when, "yaml round-trip for {when}");
2922 }
2923 }
2924
2925 #[test]
2926 fn when_once_serialises_as_bare_keyword() {
2927 // The wire shape operators see in the YAML mirror must stay
2928 // the ergonomic `per_pc: once`, not a one-variant map.
2929 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
2930 .expect("serialise");
2931 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
2932 }
2933
2934 #[test]
2935 fn when_displays_operator_summary() {
2936 for (when, expected) in [
2937 (
2938 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2939 "per_pc once",
2940 ),
2941 (
2942 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2943 "per_pc every 6h",
2944 ),
2945 (
2946 When::PerTarget(PerPolicy::Every(EverySpec {
2947 every: "24h".into(),
2948 })),
2949 "per_target every 24h",
2950 ),
2951 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
2952 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
2953 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
2954 (
2955 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
2956 "on [startup,logon]",
2957 ),
2958 (
2959 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
2960 "on [lock,unlock]",
2961 ),
2962 (
2963 When::On(vec![OnTrigger::NetworkChange]),
2964 "on [network_change]",
2965 ),
2966 ] {
2967 assert_eq!(when.to_string(), expected);
2968 }
2969 }
2970
2971 // ---- lowering (#418: when → engine vocabulary) ----
2972
2973 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
2974 Schedule {
2975 id: "x".into(),
2976 when,
2977 job_id: "y".into(),
2978 plan: FanoutPlan::default(),
2979 active: Active::default(),
2980 constraints: Constraints::default(),
2981 on_failure: OnFailure::default(),
2982 tz: ScheduleTz::default(),
2983 starting_deadline: None,
2984 runs_on,
2985 enabled: true,
2986 tags: Vec::new(),
2987 origin: None,
2988 }
2989 }
2990
2991 fn calendar(at: &str, days: &[&str]) -> When {
2992 When::Calendar(CalendarSpec {
2993 at: at.into(),
2994 days: days.iter().map(|d| (*d).to_string()).collect(),
2995 })
2996 }
2997
2998 #[test]
2999 fn next_calendar_fire_returns_next_utc_occurrence() {
3000 use chrono::TimeZone;
3001 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
3002 // next strict occurrence is 09:00 that day.
3003 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3004 s.tz = ScheduleTz::Utc;
3005 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
3006 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
3007 assert_eq!(
3008 next,
3009 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
3010 );
3011 }
3012
3013 #[test]
3014 fn next_calendar_fire_is_strictly_after_now() {
3015 use chrono::TimeZone;
3016 // Standing exactly on a fire instant must preview the *next*
3017 // one (inclusive = false), not the one firing right now.
3018 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3019 s.tz = ScheduleTz::Utc;
3020 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
3021 let next = s
3022 .next_calendar_fire(on_fire)
3023 .expect("calendar has a next fire");
3024 assert_eq!(
3025 next,
3026 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
3027 );
3028 }
3029
3030 #[test]
3031 fn next_calendar_fire_none_for_reconcile_shapes() {
3032 // `per_pc` / `per_target` lower to the every-minute poll cron —
3033 // no discrete upcoming event to preview, so `None`.
3034 let now = chrono::Utc::now();
3035 for when in [
3036 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3037 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3038 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3039 When::PerTarget(PerPolicy::Every(EverySpec {
3040 every: "24h".into(),
3041 })),
3042 ] {
3043 let s = schedule_with(when, RunsOn::Backend);
3044 assert!(
3045 s.next_calendar_fire(now).is_none(),
3046 "reconcile shapes have no calendar fire",
3047 );
3048 }
3049 }
3050
3051 // ---- preview_fires (#418 dry-run / preview) ----
3052
3053 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
3054 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
3055 s.tz = ScheduleTz::Utc; // host-independent assertions
3056 s
3057 }
3058
3059 #[test]
3060 fn preview_lists_next_calendar_occurrences() {
3061 use chrono::TimeZone;
3062 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
3063 // fires skip the weekend (Sat 13 / Sun 14).
3064 let s = cal_utc("09:00", &["mon-fri"]);
3065 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3066 let got = s.preview_fires(now, 5);
3067 let want: Vec<_> = [
3068 (2026, 6, 10), // Wed
3069 (2026, 6, 11), // Thu
3070 (2026, 6, 12), // Fri
3071 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
3072 (2026, 6, 16), // Tue
3073 ]
3074 .iter()
3075 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
3076 .collect();
3077 assert_eq!(got, want);
3078 }
3079
3080 #[test]
3081 fn preview_handles_nth_and_last_weekday() {
3082 use chrono::TimeZone;
3083 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
3084 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
3085 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
3086 assert_eq!(
3087 nth,
3088 vec![
3089 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
3090 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
3091 ]
3092 );
3093 // Last Friday of the month: Jun 26, Jul 31 2026.
3094 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
3095 assert_eq!(
3096 last,
3097 vec![
3098 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
3099 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
3100 ]
3101 );
3102 }
3103
3104 #[test]
3105 fn preview_is_empty_for_reconcile_and_zero_count() {
3106 let now = chrono::Utc::now();
3107 // reconcile shapes have no discrete fire times
3108 let recon = schedule_with(
3109 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3110 RunsOn::Backend,
3111 );
3112 assert!(recon.preview_fires(now, 5).is_empty());
3113 // count == 0 yields nothing even for a calendar
3114 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
3115 }
3116
3117 #[test]
3118 fn preview_skips_outside_active_window() {
3119 use chrono::TimeZone;
3120 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
3121 // before `from` are skipped; `until` is exclusive, so 06-17's
3122 // fire is out — leaving exactly the 15th and 16th.
3123 let mut s = cal_utc("09:00", &[]);
3124 s.active = Active {
3125 from: Some("2026-06-15".into()),
3126 until: Some("2026-06-17".into()),
3127 };
3128 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3129 let got = s.preview_fires(now, 5);
3130 assert_eq!(
3131 got,
3132 vec![
3133 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
3134 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
3135 ]
3136 );
3137 }
3138
3139 #[test]
3140 fn preview_empty_when_calendar_time_outside_window() {
3141 use chrono::TimeZone;
3142 // Fires at 09:00 but the maintenance window is overnight — it can
3143 // never run, so the preview is empty (matches
3144 // `calendar_outside_window`), and the scan still terminates.
3145 let mut s = cal_utc("09:00", &[]);
3146 s.constraints = Constraints {
3147 window: Some("22:00-05:00".into()),
3148 ..Constraints::default()
3149 };
3150 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3151 assert!(s.preview_fires(now, 5).is_empty());
3152 // Every candidate tick is rejected, so this also exercises the
3153 // SCAN_CAP bound: a large `count` must still terminate (and
3154 // return empty) rather than spin (claude #578 review).
3155 assert!(s.preview_fires(now, 50).is_empty());
3156 }
3157
3158 #[test]
3159 fn preview_past_one_shot_is_empty() {
3160 use chrono::TimeZone;
3161 // A dated one-shot whose instant has passed never fires again.
3162 let s = cal_utc("2026-06-10 09:00", &[]);
3163 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
3164 assert!(s.preview_fires(now, 5).is_empty());
3165 // …but from before it, the single future fire shows up.
3166 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
3167 assert_eq!(
3168 s.preview_fires(before, 5),
3169 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
3170 );
3171 }
3172
3173 #[test]
3174 fn lowering_matches_the_418_table() {
3175 let cases = [
3176 (
3177 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3178 (POLL_CRON, ExecMode::OncePerPc, None),
3179 ),
3180 (
3181 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3182 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
3183 ),
3184 (
3185 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3186 (POLL_CRON, ExecMode::OncePerTarget, None),
3187 ),
3188 (
3189 When::PerTarget(PerPolicy::Every(EverySpec {
3190 every: "24h".into(),
3191 })),
3192 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
3193 ),
3194 // calendar repeating → 6-field cron
3195 (
3196 calendar("09:00", &["mon-fri"]),
3197 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
3198 ),
3199 // calendar daily (no days) → DOW *
3200 (
3201 calendar("18:30", &[]),
3202 ("0 30 18 * * *", ExecMode::EveryTick, None),
3203 ),
3204 // calendar one-shot → 7-field year cron
3205 (
3206 calendar("2026-06-10 09:00", &[]),
3207 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
3208 ),
3209 ];
3210 for (when, (cron, mode, cooldown)) in cases {
3211 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
3212 assert_eq!(l.cron, cron, "cron for {when}");
3213 assert_eq!(l.mode, mode, "mode for {when}");
3214 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
3215 }
3216 }
3217
3218 #[test]
3219 fn lowered_carries_schedule_tz() {
3220 for (tz, want) in [
3221 (ScheduleTz::Local, ScheduleTz::Local),
3222 (ScheduleTz::Utc, ScheduleTz::Utc),
3223 ] {
3224 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
3225 s.tz = tz;
3226 assert_eq!(s.lowered().tz, want, "calendar carries tz");
3227 // reconcile shapes carry tz too (for the active-window check)
3228 let mut s = schedule_with(
3229 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3230 RunsOn::Backend,
3231 );
3232 s.tz = tz;
3233 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
3234 }
3235 }
3236
3237 #[test]
3238 fn poll_cron_is_accepted_by_the_engine_parser() {
3239 // POLL_CRON is system-generated — if the engine's parser
3240 // ever rejected it every reconcile schedule would die at
3241 // register time. Validate it with the same croner config
3242 // (Seconds::Required, dom_and_dow, year optional).
3243 croner::parser::CronParser::builder()
3244 .seconds(croner::parser::Seconds::Required)
3245 .dom_and_dow(true)
3246 .build()
3247 .parse(POLL_CRON)
3248 .expect("POLL_CRON must parse");
3249 }
3250
3251 // ---- Schedule::validate() (#418 decision F) ----
3252
3253 #[test]
3254 fn validate_accepts_reconcile_shapes() {
3255 for when in [
3256 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3257 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3258 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3259 When::PerTarget(PerPolicy::Every(EverySpec {
3260 every: "24h".into(),
3261 })),
3262 ] {
3263 schedule_with(when.clone(), RunsOn::Backend)
3264 .validate()
3265 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
3266 }
3267 }
3268
3269 #[test]
3270 fn validate_accepts_per_pc_on_agent() {
3271 schedule_with(
3272 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
3273 RunsOn::Agent,
3274 )
3275 .validate()
3276 .expect("per_pc + agent is the offline-inventory shape");
3277 }
3278
3279 // ---- #418 event triggers (when: { on }) ----
3280
3281 #[test]
3282 fn validate_accepts_event_on_agent() {
3283 for triggers in [
3284 vec![OnTrigger::Startup],
3285 vec![OnTrigger::Logon],
3286 vec![OnTrigger::Lock],
3287 vec![OnTrigger::Unlock],
3288 vec![OnTrigger::NetworkChange],
3289 vec![
3290 OnTrigger::Startup,
3291 OnTrigger::Logon,
3292 OnTrigger::Lock,
3293 OnTrigger::Unlock,
3294 OnTrigger::NetworkChange,
3295 ],
3296 ] {
3297 schedule_with(When::On(triggers), RunsOn::Agent)
3298 .validate()
3299 .expect("when.on is valid on runs_on: agent");
3300 }
3301 }
3302
3303 #[test]
3304 fn validate_rejects_event_on_backend() {
3305 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
3306 .validate()
3307 .unwrap_err();
3308 assert!(err.contains("when.on"), "got: {err}");
3309 assert!(err.contains("runs_on: agent"), "got: {err}");
3310 }
3311
3312 #[test]
3313 fn validate_rejects_empty_event_list() {
3314 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
3315 .validate()
3316 .unwrap_err();
3317 assert!(err.contains("when.on"), "got: {err}");
3318 assert!(err.contains("at least one"), "got: {err}");
3319 }
3320
3321 #[test]
3322 fn event_schedule_lowers_to_event_mode_and_is_event() {
3323 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
3324 assert!(s.is_event());
3325 assert_eq!(s.lowered().mode, ExecMode::Event);
3326 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
3327 // non-event schedules report no triggers.
3328 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3329 assert!(!cal.is_event());
3330 assert!(cal.event_triggers().is_empty());
3331 }
3332
3333 // ---- #418 constraints.require (env gates) ----
3334
3335 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
3336 let mut s = schedule_with(
3337 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
3338 runs_on,
3339 );
3340 s.constraints.require = Some(req);
3341 s
3342 }
3343
3344 #[test]
3345 fn require_met_combinations() {
3346 use std::time::Duration;
3347 let idle = |m: u64| Some(Duration::from_secs(m * 60));
3348 // Builder for the sensed state: (ac, idle, cpu, network).
3349 let env = |ac, idle, cpu, net| EnvState {
3350 ac_online: ac,
3351 idle,
3352 cpu_pct: cpu,
3353 network_up: net,
3354 };
3355 // Empty require — always met regardless of sensed state.
3356 assert!(require_met(
3357 &Require::default(),
3358 &env(false, None, None, false)
3359 ));
3360 // ac_power: only on AC.
3361 let ac = Require {
3362 ac_power: true,
3363 ..Default::default()
3364 };
3365 assert!(!require_met(&ac, &env(false, None, None, true)));
3366 assert!(require_met(&ac, &env(true, None, None, false)));
3367 // idle: needs >= the configured min; None idle never satisfies.
3368 let idle10 = Require {
3369 idle: Some("10m".into()),
3370 ..Default::default()
3371 };
3372 assert!(!require_met(&idle10, &env(true, None, None, true)));
3373 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
3374 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
3375 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
3376 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
3377 let cpu20 = Require {
3378 cpu_below: Some(20.0),
3379 ..Default::default()
3380 };
3381 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
3382 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
3383 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
3384 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
3385 // network: only when online.
3386 let net = Require {
3387 network: true,
3388 ..Default::default()
3389 };
3390 assert!(!require_met(&net, &env(true, None, None, false))); // offline
3391 assert!(require_met(&net, &env(true, None, None, true))); // online
3392 // all four: AND.
3393 let all = Require {
3394 ac_power: true,
3395 idle: Some("10m".into()),
3396 cpu_below: Some(20.0),
3397 network: true,
3398 };
3399 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
3400 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
3401 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
3402 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
3403 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
3404 // An unparseable idle is treated as no-requirement by require_met
3405 // (validate rejects it at create time, so this only guards a
3406 // hand-edited blob): ac still gates.
3407 let bad = Require {
3408 ac_power: true,
3409 idle: Some("garbage".into()),
3410 ..Default::default()
3411 };
3412 assert!(require_met(&bad, &env(true, None, None, true)));
3413 assert!(!require_met(&bad, &env(false, None, None, true)));
3414 }
3415
3416 #[test]
3417 fn validate_accepts_and_rejects_cpu_below() {
3418 // In-range accepted.
3419 require_schedule(
3420 Require {
3421 cpu_below: Some(20.0),
3422 ..Default::default()
3423 },
3424 RunsOn::Agent,
3425 )
3426 .validate()
3427 .expect("cpu_below 20 is valid");
3428 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
3429 // 100%). Pins the inclusive upper bound against a future c < 100.0.
3430 require_schedule(
3431 Require {
3432 cpu_below: Some(100.0),
3433 ..Default::default()
3434 },
3435 RunsOn::Agent,
3436 )
3437 .validate()
3438 .expect("cpu_below 100 is valid");
3439 // Out of range rejected (0 and >100).
3440 for bad in [0.0, -5.0, 100.1] {
3441 let err = require_schedule(
3442 Require {
3443 cpu_below: Some(bad),
3444 ..Default::default()
3445 },
3446 RunsOn::Agent,
3447 )
3448 .validate()
3449 .unwrap_err();
3450 assert!(
3451 err.contains("constraints.require.cpu_below"),
3452 "cpu_below {bad}: {err}"
3453 );
3454 }
3455 }
3456
3457 #[test]
3458 fn validate_accepts_require_on_agent() {
3459 require_schedule(
3460 Require {
3461 ac_power: true,
3462 idle: Some("10m".into()),
3463 cpu_below: Some(20.0),
3464 network: true,
3465 },
3466 RunsOn::Agent,
3467 )
3468 .validate()
3469 .expect("constraints.require is valid on runs_on: agent");
3470 }
3471
3472 #[test]
3473 fn validate_rejects_require_on_backend() {
3474 let err = require_schedule(
3475 Require {
3476 ac_power: true,
3477 ..Default::default()
3478 },
3479 RunsOn::Backend,
3480 )
3481 .validate()
3482 .unwrap_err();
3483 assert!(err.contains("constraints.require"), "got: {err}");
3484 assert!(err.contains("runs_on: agent"), "got: {err}");
3485
3486 // An idle-only require (ac_power: false) is also non-empty
3487 // (is_empty folds the fields) and must reject on backend too —
3488 // guards against a regression in Require::is_empty.
3489 let err = require_schedule(
3490 Require {
3491 idle: Some("10m".into()),
3492 ..Default::default()
3493 },
3494 RunsOn::Backend,
3495 )
3496 .validate()
3497 .unwrap_err();
3498 assert!(
3499 err.contains("constraints.require"),
3500 "idle-only on backend: {err}"
3501 );
3502 }
3503
3504 #[test]
3505 fn validate_rejects_bad_require_idle() {
3506 let err = require_schedule(
3507 Require {
3508 idle: Some("not-a-duration".into()),
3509 ..Default::default()
3510 },
3511 RunsOn::Agent,
3512 )
3513 .validate()
3514 .unwrap_err();
3515 assert!(err.contains("constraints.require.idle"), "got: {err}");
3516 }
3517
3518 #[test]
3519 fn require_round_trips_and_skips_empty() {
3520 // ac_power: false is skipped; an all-default require nested in
3521 // constraints is omitted (is_empty folds it in).
3522 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
3523 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
3524 network: true } }\n";
3525 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3526 let req = s.constraints.require.as_ref().expect("require present");
3527 assert!(req.ac_power);
3528 assert_eq!(req.idle.as_deref(), Some("10m"));
3529 assert_eq!(req.cpu_below, Some(20.0));
3530 assert!(req.network);
3531 // Re-serialize: idle + cpu_below + network present, ac_power true.
3532 let back = serde_json::to_string(&s.constraints).unwrap();
3533 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
3534 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
3535 assert!(back.contains("\"network\":true"), "got: {back}");
3536 // An empty require is omitted entirely by is_empty.
3537 let mut empty = s.clone();
3538 empty.constraints.require = Some(Require::default());
3539 assert!(empty.constraints.is_empty());
3540 }
3541
3542 #[test]
3543 fn validate_rejects_per_target_on_agent() {
3544 let err = schedule_with(
3545 When::PerTarget(PerPolicy::Every(EverySpec {
3546 every: "24h".into(),
3547 })),
3548 RunsOn::Agent,
3549 )
3550 .validate()
3551 .unwrap_err();
3552 assert!(err.contains("per_target"), "got: {err}");
3553 assert!(err.contains("runs_on: agent"), "got: {err}");
3554
3555 // per_target: once is also backend-only.
3556 let err = schedule_with(
3557 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3558 RunsOn::Agent,
3559 )
3560 .validate()
3561 .unwrap_err();
3562 assert!(err.contains("per_target"), "got (once): {err}");
3563 assert!(err.contains("runs_on: agent"), "got (once): {err}");
3564 }
3565
3566 #[test]
3567 fn validate_rejects_bad_every_duration() {
3568 let err = schedule_with(
3569 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
3570 RunsOn::Backend,
3571 )
3572 .validate()
3573 .unwrap_err();
3574 assert!(err.contains("when.every"), "got: {err}");
3575 }
3576
3577 #[test]
3578 fn validate_rejects_bad_jitter_and_starting_deadline() {
3579 let mut s = schedule_with(
3580 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3581 RunsOn::Backend,
3582 );
3583 s.plan.jitter = Some("5x".into());
3584 let err = s.validate().unwrap_err();
3585 assert!(err.contains("jitter"), "got: {err}");
3586
3587 let mut s = schedule_with(
3588 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3589 RunsOn::Backend,
3590 );
3591 s.starting_deadline = Some("soon".into());
3592 let err = s.validate().unwrap_err();
3593 assert!(err.contains("starting_deadline"), "got: {err}");
3594 }
3595
3596 #[test]
3597 fn validate_accepts_calendar_shapes() {
3598 for when in [
3599 calendar("09:00", &["mon-fri"]), // weekday morning
3600 calendar("00:00", &["sun"]), // weekly
3601 calendar("18:30", &[]), // daily
3602 calendar("2026-06-10 09:00", &[]), // one-shot
3603 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
3604 ] {
3605 schedule_with(when.clone(), RunsOn::Backend)
3606 .validate()
3607 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
3608 }
3609 }
3610
3611 #[test]
3612 fn validate_rejects_bad_at() {
3613 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
3614 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
3615 .validate()
3616 .unwrap_err();
3617 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
3618 }
3619 }
3620
3621 #[test]
3622 fn validate_rejects_datetime_at_with_days() {
3623 // A dated `at` is a one-shot — pairing it with days is a
3624 // contradiction (the date already pins the day).
3625 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
3626 .validate()
3627 .unwrap_err();
3628 assert!(
3629 err.contains("one-shot") && err.contains("days"),
3630 "got: {err}"
3631 );
3632 }
3633
3634 #[test]
3635 fn validate_rejects_bad_day_name() {
3636 // A garbage DOW token is caught by the days pre-flight and
3637 // reported against `when.days`, not the confusing
3638 // "when.at lowered to invalid cron" (claude #432 review).
3639 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
3640 .validate()
3641 .unwrap_err();
3642 assert!(err.contains("when.days"), "got: {err}");
3643 assert!(err.contains("funday"), "names the bad token: {err}");
3644 // a degenerate range like `mon-` reports the whole token, not
3645 // a cryptic empty part (claude #432 follow-up)
3646 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
3647 .validate()
3648 .unwrap_err();
3649 assert!(err.contains("'mon-'"), "names the whole token: {err}");
3650 // valid names / ranges / numeric / * all pass
3651 for ok in [
3652 calendar("09:00", &["mon-fri"]),
3653 calendar("09:00", &["mon", "wed", "sun"]),
3654 calendar("09:00", &["1-5"]),
3655 ] {
3656 schedule_with(ok.clone(), RunsOn::Backend)
3657 .validate()
3658 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
3659 }
3660 }
3661
3662 #[test]
3663 fn validate_accepts_nth_weekday() {
3664 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
3665 // a cron and parses it with croner, so passing here proves the
3666 // whole chain — token → DOW field → engine-acceptable cron.
3667 for ok in [
3668 calendar("09:00", &["tue#2"]), // 2nd Tuesday
3669 calendar("09:00", &["fri#1"]), // 1st Friday
3670 calendar("03:00", &["sun#5"]), // 5th Sunday
3671 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
3672 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
3673 // Case-insensitive both sides: validate lowercases, croner
3674 // upper-cases the whole pattern before aliasing (claude #547).
3675 calendar("09:00", &["TUE#2"]),
3676 ] {
3677 schedule_with(ok.clone(), RunsOn::Backend)
3678 .validate()
3679 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
3680 }
3681 }
3682
3683 #[test]
3684 fn validate_rejects_bad_nth_weekday() {
3685 // ordinal out of 1..5, a range with #, and a bad day before #.
3686 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
3687 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
3688 .validate()
3689 .unwrap_err();
3690 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
3691 }
3692 }
3693
3694 #[test]
3695 fn validate_accepts_last_weekday() {
3696 // #418: last-weekday (`friL` = last Friday). Like the nth case,
3697 // validate() lowers to a cron and round-trips it through croner,
3698 // so passing proves token → DOW field → engine-acceptable cron
3699 // with the verified last-<dow>-of-month semantics.
3700 for ok in [
3701 calendar("09:00", &["friL"]), // last Friday
3702 calendar("03:00", &["sunL"]), // last Sunday
3703 calendar("22:00", &["5L"]), // numeric DOW + last
3704 calendar("00:00", &["0L"]), // numeric Sunday (0…
3705 calendar("00:00", &["7L"]), // …and its 7 alias)
3706 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
3707 // Case-insensitive both the weekday and the `L` suffix:
3708 // validate lowercases the day, croner upper-cases the whole
3709 // pattern before aliasing (claude #547).
3710 calendar("09:00", &["FRIL"]),
3711 calendar("09:00", &["fril"]),
3712 ] {
3713 schedule_with(ok.clone(), RunsOn::Backend)
3714 .validate()
3715 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
3716 }
3717 }
3718
3719 #[test]
3720 fn validate_rejects_bad_last_weekday() {
3721 // bare `L` (no weekday — a footgun croner reads as Saturday), a
3722 // range with L, a bad day before L, and an internal space that
3723 // would otherwise leak a malformed cron downstream (gemini #560).
3724 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
3725 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
3726 .validate()
3727 .unwrap_err();
3728 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
3729 }
3730 }
3731
3732 #[test]
3733 fn calendar_oneshot_instant_detects_past() {
3734 use chrono::TimeZone;
3735 // a dated `at` resolves to an absolute instant…
3736 let c = CalendarSpec {
3737 at: "2024-01-01 09:00".into(),
3738 days: vec![],
3739 };
3740 let t = c
3741 .oneshot_instant(ScheduleTz::Utc)
3742 .expect("one-shot instant");
3743 assert_eq!(
3744 t,
3745 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
3746 );
3747 assert!(t < chrono::Utc::now(), "2024 is in the past");
3748 // …while a repeating (time-only) calendar has no instant
3749 let rep = CalendarSpec {
3750 at: "09:00".into(),
3751 days: vec!["mon-fri".into()],
3752 };
3753 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
3754 }
3755
3756 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
3757 let mut s = schedule_with(
3758 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3759 RunsOn::Backend,
3760 );
3761 s.active = Active {
3762 from: from.map(str::to_owned),
3763 until: until.map(str::to_owned),
3764 };
3765 s
3766 }
3767
3768 #[test]
3769 fn validate_accepts_active_window() {
3770 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
3771 .validate()
3772 .expect("date + rfc3339 bounds should validate");
3773 }
3774
3775 #[test]
3776 fn validate_rejects_unparseable_active_bound() {
3777 let err = schedule_with_active(Some("July 1st"), None)
3778 .validate()
3779 .unwrap_err();
3780 assert!(err.contains("active"), "got: {err}");
3781 }
3782
3783 #[test]
3784 fn validate_rejects_from_not_before_until() {
3785 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
3786 .validate()
3787 .unwrap_err();
3788 assert!(err.contains("strictly before"), "got: {err}");
3789
3790 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
3791 .validate()
3792 .unwrap_err();
3793 assert!(err.contains("strictly before"), "got: {err}");
3794 }
3795
3796 // ---- Active window semantics ----
3797
3798 #[test]
3799 fn active_window_is_half_open() {
3800 use chrono::TimeZone;
3801 let active = Active {
3802 from: Some("2026-07-01".into()),
3803 until: Some("2026-08-01".into()),
3804 };
3805 // UTC tz so the date bounds are UTC midnight.
3806 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
3807 let c = |t| active.contains(t, ScheduleTz::Utc);
3808 assert!(!c(at(2026, 6, 30, 23)), "before from");
3809 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
3810 assert!(c(at(2026, 7, 15, 12)), "inside");
3811 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
3812 assert!(!c(at(2026, 8, 2, 0)), "after until");
3813 }
3814
3815 #[test]
3816 fn active_empty_window_is_always_active() {
3817 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
3818 }
3819
3820 #[test]
3821 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
3822 use chrono::TimeZone;
3823 let active = Active {
3824 from: Some("2026-07-01T09:00:00+09:00".into()),
3825 until: None,
3826 };
3827 // RFC3339 carries its own offset → tz arg is ignored.
3828 // 09:00 JST = 00:00 UTC.
3829 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
3830 assert!(
3831 !active.contains(
3832 chrono::Utc
3833 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
3834 .unwrap(),
3835 tz
3836 )
3837 );
3838 assert!(active.contains(
3839 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
3840 tz
3841 ));
3842 }
3843 }
3844
3845 #[test]
3846 fn active_date_bound_respects_tz() {
3847 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
3848 // tz* (#418 Phase 2). The UTC interpretation is exact and
3849 // host-independent; assert that precisely.
3850 use chrono::TimeZone;
3851 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
3852 assert_eq!(
3853 utc,
3854 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
3855 );
3856
3857 // The local interpretation must equal what chrono::Local
3858 // computes for the same wall-clock midnight — proves the tz
3859 // path is wired to the host zone (the magnitude vs UTC is
3860 // host-dependent, so we compare against Local directly rather
3861 // than hard-coding the JST offset, keeping CI green on UTC
3862 // runners).
3863 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
3864 let want = chrono::Local
3865 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
3866 .single()
3867 .expect("local midnight is unambiguous")
3868 .with_timezone(&chrono::Utc);
3869 assert_eq!(local, want, "date bound resolved in host-local tz");
3870 }
3871
3872 #[test]
3873 fn active_empty_is_skipped_when_serialising() {
3874 let s = schedule_with(
3875 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3876 RunsOn::Backend,
3877 );
3878 let json = serde_json::to_value(&s).expect("serialise");
3879 assert!(
3880 json.get("active").is_none(),
3881 "empty active must not appear on the wire: {json}"
3882 );
3883 }
3884
3885 // ---- constraints.window (#418 Phase 3) ----
3886
3887 fn with_window(win: &str) -> Schedule {
3888 let mut s = schedule_with(
3889 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3890 RunsOn::Backend,
3891 );
3892 s.constraints.window = Some(win.into());
3893 s
3894 }
3895
3896 #[test]
3897 fn constraints_window_parses_and_round_trips() {
3898 let yaml = r#"
3899id: x
3900when:
3901 per_pc: { every: 6h }
3902job_id: y
3903target: { all: true }
3904constraints:
3905 window: "22:00-05:00"
3906"#;
3907 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3908 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
3909 let back: Schedule =
3910 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
3911 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
3912 }
3913
3914 #[test]
3915 fn constraints_empty_is_skipped_when_serialising() {
3916 let s = schedule_with(
3917 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3918 RunsOn::Backend,
3919 );
3920 let json = serde_json::to_value(&s).expect("serialise");
3921 assert!(
3922 json.get("constraints").is_none(),
3923 "empty constraints must not appear on the wire: {json}"
3924 );
3925 }
3926
3927 #[test]
3928 fn window_no_constraint_always_allows() {
3929 let c = Constraints::default();
3930 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
3931 }
3932
3933 #[test]
3934 fn window_same_day_is_half_open() {
3935 use chrono::TimeZone;
3936 let s = with_window("09:00-17:00");
3937 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
3938 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
3939 assert!(!a(at(8, 59)), "before start");
3940 assert!(a(at(9, 0)), "at start (inclusive)");
3941 assert!(a(at(16, 59)), "inside");
3942 assert!(!a(at(17, 0)), "at end (exclusive)");
3943 assert!(!a(at(23, 0)), "after end");
3944 }
3945
3946 #[test]
3947 fn window_crossing_midnight() {
3948 use chrono::TimeZone;
3949 let s = with_window("22:00-05:00");
3950 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
3951 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
3952 assert!(a(at(22, 0)), "at start tonight");
3953 assert!(a(at(23, 30)), "late tonight");
3954 assert!(a(at(3, 0)), "early tomorrow");
3955 assert!(!a(at(5, 0)), "at end (exclusive)");
3956 assert!(!a(at(12, 0)), "midday outside");
3957 assert!(!a(at(21, 59)), "just before start");
3958 }
3959
3960 #[test]
3961 fn window_respects_tz() {
3962 // The same instant is inside the window under one tz and may
3963 // be outside under another. Compare UTC vs Local via the
3964 // host's own offset (kept CI-green on UTC runners like the
3965 // active tz test does).
3966 use chrono::TimeZone;
3967 let s = with_window("09:00-17:00");
3968 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
3969 // Under UTC, 12:00 is inside 09:00-17:00.
3970 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
3971 // Under Local, the verdict tracks the host wall-clock time;
3972 // assert it matches a direct wall_time membership check.
3973 let local_t = noon_utc.with_timezone(&chrono::Local).time();
3974 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
3975 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
3976 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
3977 }
3978
3979 #[test]
3980 fn validate_accepts_good_window() {
3981 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
3982 with_window(w)
3983 .validate()
3984 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
3985 }
3986 }
3987
3988 #[test]
3989 fn validate_rejects_bad_window() {
3990 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
3991 let err = with_window(bad).validate().unwrap_err();
3992 assert!(
3993 err.contains("constraints.window"),
3994 "for '{bad}', got: {err}"
3995 );
3996 }
3997 }
3998
3999 // ---- constraints.skip_dates (#418 holiday exclusion) ----
4000
4001 fn with_skip_dates(dates: &[&str]) -> Schedule {
4002 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4003 s.tz = ScheduleTz::Utc; // host-independent date assertions
4004 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
4005 s
4006 }
4007
4008 #[test]
4009 fn allows_blocks_listed_skip_date() {
4010 use chrono::TimeZone;
4011 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
4012 // Any time on a listed date is blocked (whole day).
4013 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
4014 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
4015 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
4016 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
4017 // A date not in the list fires normally.
4018 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
4019 assert!(s.constraints.allows(off, ScheduleTz::Utc));
4020 }
4021
4022 #[test]
4023 fn allows_corrupt_skip_date_fails_closed() {
4024 use chrono::TimeZone;
4025 // A garbled entry (only reachable via hand-edited KV) blocks
4026 // rather than silently re-enabling fires — same posture as a
4027 // corrupt window.
4028 let s = with_skip_dates(&["not-a-date"]);
4029 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
4030 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
4031 }
4032
4033 #[test]
4034 fn validate_accepts_good_skip_dates() {
4035 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
4036 .validate()
4037 .expect("well-formed skip dates should validate");
4038 }
4039
4040 #[test]
4041 fn validate_rejects_bad_skip_date() {
4042 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
4043 let err = with_skip_dates(&[bad]).validate().unwrap_err();
4044 assert!(
4045 err.contains("constraints.skip_dates"),
4046 "for '{bad}', got: {err}"
4047 );
4048 }
4049 }
4050
4051 #[test]
4052 fn preview_skips_holidays() {
4053 use chrono::TimeZone;
4054 // Daily 09:00 with two of the next five days marked as holidays
4055 // — preview drops exactly those, since it gates on `allows`.
4056 let mut s = cal_utc("09:00", &[]);
4057 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
4058 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
4059 let got = s.preview_fires(now, 4);
4060 let want: Vec<_> = [
4061 (2026, 6, 10),
4062 (2026, 6, 12), // skips 06-11
4063 (2026, 6, 14), // skips 06-13
4064 (2026, 6, 15),
4065 ]
4066 .iter()
4067 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
4068 .collect();
4069 assert_eq!(got, want);
4070 }
4071
4072 // ---- constraints.max_concurrent (#418) ----
4073
4074 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
4075 let mut s = schedule_with(
4076 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4077 runs_on,
4078 );
4079 s.constraints.max_concurrent = Some(max);
4080 s
4081 }
4082
4083 #[test]
4084 fn validate_accepts_backend_max_concurrent() {
4085 with_max_concurrent(5, RunsOn::Backend)
4086 .validate()
4087 .expect("backend max_concurrent should validate");
4088 }
4089
4090 #[test]
4091 fn validate_rejects_max_concurrent_on_agent() {
4092 // Decision E: a central running-instance cap needs a central
4093 // counter, which agents don't have.
4094 let err = with_max_concurrent(5, RunsOn::Agent)
4095 .validate()
4096 .unwrap_err();
4097 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
4098 assert!(err.contains("runs_on: agent"), "got: {err}");
4099 }
4100
4101 #[test]
4102 fn validate_rejects_zero_max_concurrent() {
4103 let err = with_max_concurrent(0, RunsOn::Backend)
4104 .validate()
4105 .unwrap_err();
4106 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
4107 }
4108
4109 #[test]
4110 fn max_concurrent_round_trips_and_skips_when_absent() {
4111 let s = with_max_concurrent(3, RunsOn::Backend);
4112 let json = serde_json::to_value(&s.constraints).expect("ser");
4113 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
4114 // A schedule with no constraints omits the whole block.
4115 let bare = schedule_with(
4116 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4117 RunsOn::Backend,
4118 );
4119 assert!(bare.constraints.is_empty());
4120 }
4121
4122 #[test]
4123 fn window_fail_closed_on_corrupt_blob() {
4124 // A malformed window (only reachable via a hand-edited KV
4125 // blob — validate() rejects it at create) must BLOCK, not
4126 // silently allow fires during a change-freeze (gemini #452).
4127 let s = with_window("22:00_05:00");
4128 assert!(
4129 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
4130 "corrupt window fails closed"
4131 );
4132 // …and the scheduler can surface why it's stuck.
4133 assert!(
4134 s.bad_window().is_some(),
4135 "bad_window reports the parse error"
4136 );
4137 assert!(with_window("22:00-05:00").bad_window().is_none());
4138 }
4139
4140 #[test]
4141 fn calendar_outside_window_is_flagged() {
4142 // at 09:00 can never fall in 22:00-05:00 → never fires.
4143 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
4144 s.constraints.window = Some("22:00-05:00".into());
4145 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
4146
4147 // at 23:00 IS inside the overnight window → fine.
4148 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
4149 s.constraints.window = Some("22:00-05:00".into());
4150 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
4151
4152 // reconcile shapes are never flagged (they poll every minute).
4153 let mut s = schedule_with(
4154 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4155 RunsOn::Backend,
4156 );
4157 s.constraints.window = Some("22:00-05:00".into());
4158 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
4159
4160 // no window → never flagged.
4161 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4162 assert!(!s.calendar_outside_window());
4163 }
4164
4165 // ---- on_failure.retry (#418 Phase 4) ----
4166
4167 fn with_retry(max: u32, backoff: &str) -> Schedule {
4168 let mut s = schedule_with(
4169 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4170 RunsOn::Backend,
4171 );
4172 s.on_failure.retry = Some(Retry {
4173 max,
4174 backoff: backoff.into(),
4175 });
4176 s
4177 }
4178
4179 #[test]
4180 fn on_failure_parses_and_round_trips() {
4181 let yaml = r#"
4182id: x
4183when:
4184 per_pc: { every: 6h }
4185job_id: y
4186target: { all: true }
4187on_failure:
4188 retry: { max: 3, backoff: 10m }
4189"#;
4190 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4191 let r = s.on_failure.retry.as_ref().expect("retry present");
4192 assert_eq!(r.max, 3);
4193 assert_eq!(r.backoff, "10m");
4194 let back: Schedule =
4195 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
4196 assert_eq!(back.on_failure, s.on_failure);
4197 }
4198
4199 #[test]
4200 fn on_failure_empty_is_skipped_when_serialising() {
4201 let s = schedule_with(
4202 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4203 RunsOn::Backend,
4204 );
4205 let json = serde_json::to_value(&s).expect("serialise");
4206 assert!(
4207 json.get("on_failure").is_none(),
4208 "empty on_failure must not appear on the wire: {json}"
4209 );
4210 }
4211
4212 #[test]
4213 fn validate_accepts_good_retry() {
4214 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
4215 with_retry(max, backoff)
4216 .validate()
4217 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
4218 }
4219 }
4220
4221 #[test]
4222 fn validate_rejects_bad_backoff() {
4223 let err = with_retry(3, "soon").validate().unwrap_err();
4224 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
4225 }
4226
4227 #[test]
4228 fn validate_rejects_sub_second_backoff() {
4229 // "500ms" parses as humantime but lowers to 0s on the wire —
4230 // reject it so the operator doesn't get a silent no-wait
4231 // (coderabbit #466).
4232 for bad in ["500ms", "0s", "999ms"] {
4233 let err = with_retry(3, bad).validate().unwrap_err();
4234 assert!(
4235 err.contains("on_failure.retry.backoff must be >= 1s"),
4236 "for '{bad}', got: {err}"
4237 );
4238 }
4239 }
4240
4241 #[test]
4242 fn validate_rejects_out_of_range_max() {
4243 for bad in [0u32, 11, 1000] {
4244 let err = with_retry(bad, "10m").validate().unwrap_err();
4245 assert!(
4246 err.contains("on_failure.retry.max"),
4247 "for max={bad}, got: {err}"
4248 );
4249 }
4250 }
4251
4252 #[test]
4253 fn lowered_retry_reduces_backoff_to_seconds() {
4254 let s = with_retry(3, "10m");
4255 let spec = s.on_failure.lowered_retry().expect("a retry policy");
4256 assert_eq!(spec.max, 3);
4257 assert_eq!(spec.backoff_secs, 600);
4258 }
4259
4260 #[test]
4261 fn lowered_retry_is_none_without_policy() {
4262 let s = schedule_with(
4263 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4264 RunsOn::Backend,
4265 );
4266 assert!(s.on_failure.lowered_retry().is_none());
4267 }
4268
4269 // ---- global change-freeze (#418 Phase 5) ----
4270
4271 #[test]
4272 fn freeze_empty_window_is_always_active() {
4273 // The big-red-button shape: no bounds = frozen until cleared.
4274 let f = Freeze::default();
4275 assert!(f.is_active(chrono::Utc::now()));
4276 }
4277
4278 #[test]
4279 fn freeze_window_is_half_open() {
4280 use chrono::TimeZone;
4281 let f = Freeze {
4282 from: Some("2026-12-20T00:00:00+00:00".into()),
4283 until: Some("2027-01-05T00:00:00+00:00".into()),
4284 reason: Some("year-end".into()),
4285 tz: ScheduleTz::Utc,
4286 };
4287 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
4288 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
4289 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
4290 assert!(f.is_active(at(2026, 12, 31)), "inside window");
4291 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
4292 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
4293 }
4294
4295 #[test]
4296 fn freeze_fails_closed_on_corrupt_bound() {
4297 // A freeze is a safety switch: an unparseable bound (only
4298 // reachable via a hand-edited KV blob) must read as FROZEN, not
4299 // "fire normally" (coderabbit #472) — the opposite of `active`,
4300 // which fail-opens.
4301 let f = Freeze {
4302 from: Some("not-a-date".into()),
4303 until: None,
4304 reason: None,
4305 tz: ScheduleTz::Utc,
4306 };
4307 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
4308 }
4309
4310 #[test]
4311 fn freeze_validate_accepts_good_bounds() {
4312 Freeze {
4313 from: Some("2026-12-20".into()),
4314 until: Some("2027-01-05T12:00:00+09:00".into()),
4315 reason: None,
4316 tz: ScheduleTz::Local,
4317 }
4318 .validate()
4319 .expect("date + rfc3339 bounds should validate");
4320 // Empty (indefinite) freeze is valid.
4321 Freeze::default().validate().expect("empty freeze is valid");
4322 }
4323
4324 #[test]
4325 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
4326 let err = Freeze {
4327 from: Some("never".into()),
4328 ..Default::default()
4329 }
4330 .validate()
4331 .unwrap_err();
4332 assert!(err.contains("freeze:"), "got: {err}");
4333
4334 let inverted = Freeze {
4335 from: Some("2027-01-05".into()),
4336 until: Some("2026-12-20".into()),
4337 ..Default::default()
4338 }
4339 .validate()
4340 .unwrap_err();
4341 assert!(inverted.contains("freeze.from"), "got: {inverted}");
4342 }
4343
4344 #[test]
4345 fn freeze_round_trips_and_skips_empty_fields() {
4346 let f = Freeze {
4347 from: None,
4348 until: Some("2027-01-05".into()),
4349 reason: Some("INC-1234".into()),
4350 tz: ScheduleTz::Utc,
4351 };
4352 let json = serde_json::to_value(&f).expect("serialise");
4353 assert!(json.get("from").is_none(), "empty from omitted: {json}");
4354 let back: Freeze = serde_json::from_value(json).expect("round-trip");
4355 assert_eq!(back, f);
4356 }
4357
4358 #[test]
4359 fn shipped_schedule_configs_parse_and_validate() {
4360 // Every YAML under configs/schedules/ must parse with the
4361 // current Schedule serde AND pass validate() — keeps the
4362 // shipped examples from drifting out of sync with the model
4363 // (#418 removed back-compat, so drift = broken at create).
4364 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
4365 let mut seen = 0;
4366 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
4367 let path = entry.expect("dir entry").path();
4368 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
4369 continue;
4370 }
4371 let body = std::fs::read_to_string(&path).expect("read yaml");
4372 let s: Schedule = serde_yaml::from_str(&body)
4373 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
4374 s.validate()
4375 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
4376 seen += 1;
4377 }
4378 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
4379 }
4380
4381 // ---- pre-existing enum wire formats (unchanged by #418) ----
4382
4383 #[test]
4384 fn exec_mode_serialises_snake_case() {
4385 for (mode, expected) in [
4386 (ExecMode::EveryTick, "every_tick"),
4387 (ExecMode::OncePerPc, "once_per_pc"),
4388 (ExecMode::OncePerTarget, "once_per_target"),
4389 ] {
4390 let s = serde_json::to_value(mode).expect("serialise");
4391 assert_eq!(s, serde_json::Value::String(expected.into()));
4392 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
4393 .expect("deserialise");
4394 assert_eq!(back, mode, "round-trip for {expected}");
4395 }
4396 }
4397
4398 #[test]
4399 fn schedule_runs_on_defaults_to_backend() {
4400 let yaml = r#"
4401id: x
4402when:
4403 per_pc: once
4404job_id: y
4405target: { all: true }
4406"#;
4407 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4408 assert_eq!(s.runs_on, RunsOn::Backend);
4409 }
4410
4411 #[test]
4412 fn schedule_runs_on_agent_parses() {
4413 let yaml = r#"
4414id: offline-inv
4415when:
4416 per_pc: { every: 1h }
4417job_id: inventory-hw
4418target: { all: true }
4419runs_on: agent
4420"#;
4421 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4422 assert_eq!(s.runs_on, RunsOn::Agent);
4423 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
4424 }
4425
4426 #[test]
4427 fn runs_on_serialises_snake_case() {
4428 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
4429 let s = serde_json::to_value(mode).expect("serialise");
4430 assert_eq!(s, serde_json::Value::String(expected.into()));
4431 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
4432 .expect("deserialise");
4433 assert_eq!(back, mode);
4434 }
4435 }
4436
4437 #[test]
4438 fn execute_shell_into_wire_shell() {
4439 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
4440 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
4441 }
4442
4443 #[test]
4444 fn manifest_staleness_defaults_to_cached() {
4445 let yaml = r#"
4446id: x
4447version: 1.0.0
4448execute:
4449 shell: powershell
4450 script: "echo"
4451 timeout: 1s
4452"#;
4453 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4454 assert_eq!(m.staleness, Staleness::Cached);
4455 }
4456
4457 #[test]
4458 fn manifest_strict_staleness_parses() {
4459 let yaml = r#"
4460id: urgent-patch
4461version: 2.5.1
4462execute:
4463 shell: powershell
4464 script: Install-Hotfix
4465 timeout: 5m
4466staleness:
4467 mode: strict
4468 max_cache_age: 0s
4469"#;
4470 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4471 match m.staleness {
4472 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
4473 other => panic!("expected strict, got {other:?}"),
4474 }
4475 }
4476
4477 #[test]
4478 fn manifest_unchecked_staleness_parses() {
4479 let yaml = r#"
4480id: legacy
4481version: 0.1.0
4482execute:
4483 shell: cmd
4484 script: "echo"
4485 timeout: 1s
4486staleness:
4487 mode: unchecked
4488"#;
4489 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4490 assert_eq!(m.staleness, Staleness::Unchecked);
4491 }
4492
4493 #[test]
4494 fn missing_required_field_errors() {
4495 // `id` missing.
4496 let yaml = r#"
4497version: 1.0.0
4498target: { all: true }
4499execute:
4500 shell: powershell
4501 script: "echo"
4502 timeout: 1s
4503"#;
4504 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
4505 assert!(r.is_err(), "expected error, got {:?}", r);
4506 }
4507
4508 #[test]
4509 fn display_field_table_kind_round_trips_with_nested_columns() {
4510 // #39: `type: table` + `columns:` on a DisplayField gets
4511 // round-tripped through serde so the SPA receives the
4512 // nested schema verbatim. Nested columns themselves are
4513 // DisplayFields so they can carry `type: bytes` /
4514 // `type: number` for cell formatting.
4515 let yaml = r#"
4516id: inv-hw
4517version: 1.0.0
4518execute:
4519 shell: powershell
4520 script: "echo"
4521 timeout: 60s
4522inventory:
4523 display:
4524 - field: hostname
4525 label: Hostname
4526 - field: disks
4527 label: Disks
4528 type: table
4529 columns:
4530 - field: device_id
4531 label: Drive
4532 - field: size_bytes
4533 label: Size
4534 type: bytes
4535 - field: free_bytes
4536 label: Free
4537 type: bytes
4538 - field: file_system
4539 label: FS
4540"#;
4541 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4542 let inv = m.inventory.as_ref().expect("inventory hint");
4543 let disks = inv
4544 .display
4545 .iter()
4546 .find(|d| d.field == "disks")
4547 .expect("disks display row");
4548 assert_eq!(disks.kind.as_deref(), Some("table"));
4549 let cols = disks.columns.as_ref().expect("table needs columns");
4550 assert_eq!(cols.len(), 4);
4551 assert_eq!(cols[1].field, "size_bytes");
4552 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
4553 }
4554
4555 #[test]
4556 fn display_field_scalar_kind_keeps_columns_none() {
4557 // Defensive: when type is a scalar (`bytes` / `number` /
4558 // `timestamp`) the `columns` field stays None — the SPA
4559 // uses its presence as the "render nested table" signal,
4560 // so it must not leak in via serde defaults.
4561 let yaml = r#"
4562id: x
4563version: 1.0.0
4564execute:
4565 shell: powershell
4566 script: "echo"
4567 timeout: 5s
4568inventory:
4569 display:
4570 - { field: ram_bytes, label: RAM, type: bytes }
4571"#;
4572 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4573 let inv = m.inventory.as_ref().unwrap();
4574 assert!(inv.display[0].columns.is_none());
4575 }
4576
4577 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
4578
4579 /// The JSON Schemas under `docs/schemas/` must match what
4580 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
4581 /// so a `Schedule` / `Manifest` field change can't silently drift
4582 /// the operator-facing schema. The SPA editor, the backend
4583 /// `/api/schemas/*` endpoints, and these files all read the same
4584 /// derived shape; this test fails CI if the checked-in copy lags.
4585 /// Regenerate with:
4586 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
4587 #[test]
4588 fn schema_files_are_current() {
4589 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
4590 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
4591 assert_schema_file("view.schema.json", &schemars::schema_for!(View));
4592 }
4593
4594 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
4595 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
4596 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
4597 .join("../../docs/schemas")
4598 .join(name);
4599 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
4600 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
4601 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
4602 return;
4603 }
4604 // Normalize CRLF→LF before comparing: `.gitattributes` already
4605 // pins these files to `eol=lf`, but a stray CRLF working-tree
4606 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
4607 // freshness check into a confusing line-ending failure — that's
4608 // .gitattributes' job, not this test's (gemini #588).
4609 let on_disk = std::fs::read_to_string(&path)
4610 .unwrap_or_else(|e| {
4611 panic!(
4612 "read {path:?}: {e}\n\
4613 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
4614 )
4615 })
4616 .replace("\r\n", "\n");
4617 assert_eq!(
4618 on_disk, generated,
4619 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
4620 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
4621 );
4622 }
4623}
4624
4625/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
4626/// (target + optional rollout + optional jitter) inline; the
4627/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
4628/// script body. Two schedules of the same job can target different
4629/// groups on different cadences without copying the manifest.
4630///
4631/// #418 Phase 1: the cadence is the single [`When`] field. The old
4632/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
4633/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
4634/// are warn-skipped; re-`schedule create` to upgrade them). The
4635/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
4636/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
4637/// `decide_fire` always ran on.
4638#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
4639pub struct Schedule {
4640 pub id: String,
4641 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
4642 /// or a calendar time trigger (`at` / `days`). See [`When`].
4643 ///
4644 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
4645 /// enums as `!per_pc` YAML tags by default; this keeps the
4646 /// operator-facing map shape (`when: { per_pc: once }`). JSON
4647 /// output is identical either way, and the schemars schema
4648 /// (external tagging = oneOf of single-key objects) already
4649 /// matches the singleton-map wire shape.
4650 #[serde(with = "serde_yaml::with::singleton_map")]
4651 #[schemars(with = "When")]
4652 pub when: When,
4653 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
4654 /// Manifest's `id`.
4655 pub job_id: String,
4656 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
4657 /// carry these any more — same job + different fanout = different
4658 /// schedule.
4659 #[serde(flatten)]
4660 pub plan: FanoutPlan,
4661 /// Optional validity window. Outside `[from, until)` the
4662 /// schedule is dormant — still registered, still visible, but
4663 /// every tick is skipped (deleted ≠ dormant: a campaign that
4664 /// ended stays inspectable and can be re-armed by editing the
4665 /// window). Checked at tick time on both the backend scheduler
4666 /// and the agent's local scheduler.
4667 #[serde(default, skip_serializing_if = "Active::is_empty")]
4668 pub active: Active,
4669 /// #418 operational constraints gating *when within an active
4670 /// period* a fire may happen: a maintenance `window`, a fleet
4671 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
4672 /// wall-clock ones are evaluated in the schedule's `tz`; future
4673 /// `require` (env gates) lands in the same namespace. Checked at
4674 /// tick time on both schedulers (and surfaced by `preview`).
4675 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
4676 pub constraints: Constraints,
4677 /// #418 Phase 4: what to do after a fire's script comes back
4678 /// failed. Currently just `retry` (fixed-backoff in-process
4679 /// re-run); future `notify` / `disable` join the same namespace.
4680 /// Applied fire-side in `handle_command` (the retry policy is
4681 /// lowered onto every Command this schedule produces), so it
4682 /// covers both `runs_on` locations.
4683 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
4684 pub on_failure: OnFailure,
4685 /// #418 Phase 2: the timezone this schedule's wall-clock fields
4686 /// are evaluated in — both the calendar `at` firing time AND the
4687 /// `active.{from,until}` window bounds. `local` (default) = the
4688 /// running host's TZ (the agent's for `runs_on: agent`, the
4689 /// backend server's otherwise); `utc` for TZ-independent
4690 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
4691 /// for firing (poll cron runs every minute regardless) but still
4692 /// honor it for the `active` window.
4693 #[serde(default)]
4694 pub tz: ScheduleTz,
4695 /// v0.22: optional humantime window after a cron tick during
4696 /// which the Command is still considered "live". The scheduler
4697 /// computes `tick_at + starting_deadline` and stamps it onto
4698 /// each Command as `deadline_at`; agents skip Commands they
4699 /// receive after that absolute time. `None` (default) = no
4700 /// deadline, meaning a Command queued in the broker / stream
4701 /// during agent downtime runs whenever the agent reconnects —
4702 /// good for kitting / inventory / cleanup. Set this for
4703 /// time-of-day notifications, lunch reminders, etc., where
4704 /// "fire 3 hours late" would be wrong.
4705 #[serde(default, skip_serializing_if = "Option::is_none")]
4706 pub starting_deadline: Option<String>,
4707 /// v0.23: where does the cron tick happen? `Backend` (default,
4708 /// historical) = backend's scheduler fires Commands via NATS;
4709 /// agents passively receive. `Agent` = each targeted agent runs
4710 /// its own internal cron and fires locally, so the schedule
4711 /// keeps ticking even when the broker is unreachable (laptop on
4712 /// the train, broker maintenance window, full WAN outage). The
4713 /// two locations are mutually exclusive — when `Agent`, the
4714 /// backend scheduler stays out and just keeps the definition in
4715 /// KV for agents to read.
4716 #[serde(default)]
4717 pub runs_on: RunsOn,
4718 #[serde(default = "default_true")]
4719 pub enabled: bool,
4720 /// Free-form operator taxonomy for the Schedules page — the
4721 /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
4722 /// code ref rather than an intra-doc link, since that field isn't
4723 /// on this branch until #640 merges). Purely a SPA-side
4724 /// organisational aid (search / filter chips alongside the
4725 /// id-prefix grouping); the scheduler never reads it, so any
4726 /// string is allowed and it carries no firing semantics. A
4727 /// schedule's own tags are independent of its job's: the same job
4728 /// may back a `weekly` maintenance schedule and a `canary` rollout
4729 /// schedule. Empty by default and `skip_serializing_if`-elided per
4730 /// the #492 gradual-upgrade wire rule.
4731 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4732 pub tags: Vec<String>,
4733 /// GitOps provenance (#695) — see [`RepoOrigin`]. Stamped by
4734 /// `kanade schedule create` when the source YAML lives inside a Git
4735 /// work tree, so the SPA renders the schedule read-only and points
4736 /// edits back at the repo (SPEC design principle #3: 設定駆動 YAML +
4737 /// Git), parity with a job's [`Manifest::origin`]. `None` for
4738 /// SPA-born schedules and ones applied from outside any repo. Purely
4739 /// informational — the scheduler never reads it. New field ⇒ #492
4740 /// wire rule (`default` + `skip_serializing_if`).
4741 #[serde(default, skip_serializing_if = "Option::is_none")]
4742 pub origin: Option<RepoOrigin>,
4743}
4744
4745/// v0.23 — where the cron tick fires from.
4746#[derive(
4747 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
4748)]
4749#[serde(rename_all = "snake_case")]
4750pub enum RunsOn {
4751 /// Backend's central scheduler ticks and publishes Commands to
4752 /// NATS. Historical default, what every pre-v0.23 schedule
4753 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
4754 /// reconnects ⇒ catch-up via [`command_replay`](crate)
4755 /// (see kanade-agent's command_replay module).
4756 #[default]
4757 Backend,
4758 /// Each targeted agent runs the cron tick locally. Survives
4759 /// broker / WAN outages. Best for laptops / mobile devices that
4760 /// roam off the corporate network. Agent must be online for the
4761 /// initial schedule + job-catalog pull, but once cached the
4762 /// agent fires the script standalone.
4763 Agent,
4764}
4765
4766/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
4767#[derive(
4768 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
4769)]
4770#[serde(rename_all = "snake_case")]
4771pub enum ExecMode {
4772 /// Fire on every cron tick at the whole target. Historical
4773 /// (pre-v0.19) behavior; no dedup.
4774 #[default]
4775 EveryTick,
4776 /// Fire at each pc until that pc succeeds; then skip it until
4777 /// the optional cooldown elapses (or forever if no cooldown).
4778 /// Use for kitting / first-boot / per-pc compliance checks.
4779 OncePerPc,
4780 /// Fire at the whole target until **any** pc succeeds; then
4781 /// skip the whole target until the optional cooldown elapses
4782 /// (or forever if no cooldown). Use for "one delegate is
4783 /// enough" tasks like license check-in.
4784 OncePerTarget,
4785 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
4786 /// no cron — the agent fires it from an OS event source (boot /
4787 /// session-change), not a tick — so the scheduler skips
4788 /// `tokio-cron` registration for it. Each event occurrence fires
4789 /// once, gated by the standard freeze / active / window /
4790 /// skip_dates checks.
4791 Event,
4792}
4793
4794/// #418 Phase 1 — the single "when does this fire" axis.
4795///
4796/// Replaces the old `cron` + `mode` + `cooldown` trio whose
4797/// interactions were implicit (cron doubled as both a real
4798/// time-of-day trigger and a reconcile poll period; contradictory
4799/// combinations silently no-opped). Two shapes:
4800///
4801/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
4802/// pc (or one delegate) should have run this within `every`".
4803/// The poll period is system-generated ([`POLL_CRON`], every
4804/// minute) and no longer the operator's concern.
4805/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
4806/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
4807/// the whole target at the given time, no dedup. `at: "09:00"` +
4808/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
4809/// exactly once. Evaluated in the schedule's top-level `tz`.
4810#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4811#[serde(rename_all = "snake_case")]
4812pub enum When {
4813 /// Fire at each targeted pc: `once` (kitting — succeed once,
4814 /// skip forever, forever catching brand-new / re-imaged pcs)
4815 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
4816 /// the interval).
4817 PerPc(PerPolicy),
4818 /// Fire until **any** one pc of the target succeeds, then skip
4819 /// the whole target (`once`) or re-arm after `every`. Needs
4820 /// fleet-wide completion data, so it is backend-only —
4821 /// `runs_on: agent` + `per_target` is rejected by
4822 /// [`Schedule::validate`].
4823 PerTarget(PerPolicy),
4824 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
4825 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
4826 /// the whole target at that wall-clock time in the schedule's
4827 /// `tz` — no dedup, no cooldown.
4828 Calendar(CalendarSpec),
4829 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
4830 /// Fires when the agent observes the listed OS event(s) rather than
4831 /// on a clock — there is no cron. `runs_on: agent` only (the agent
4832 /// owns the event source); [`Schedule::validate`] rejects it on
4833 /// `backend` and rejects an empty list. Each event occurrence fires
4834 /// once, gated by the same freeze / active / `constraints.window` /
4835 /// `skip_dates` checks as the cron path. `startup` fires once per OS
4836 /// boot (deduped via the host boot time); a `starting_deadline`, if
4837 /// set, limits it to "agent came up within that long after boot".
4838 On(Vec<OnTrigger>),
4839}
4840
4841/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
4842#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
4843#[serde(rename_all = "snake_case")]
4844pub enum OnTrigger {
4845 /// Once per OS boot (the agent's first run for that boot). Catches
4846 /// freshly-imaged / reinstalled hosts at their next startup.
4847 Startup,
4848 /// On an interactive-session user logon — console, RDP, or
4849 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
4850 /// service / network / batch logons (no interactive session).
4851 Logon,
4852 /// When the workstation is locked (Win+L / idle lock; Windows
4853 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
4854 Lock,
4855 /// When the workstation is unlocked — the user returns to a locked
4856 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
4857 /// compliance / refresh state when work resumes.
4858 Unlock,
4859 /// When the host's network changes — IP address table change on
4860 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
4861 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
4862 /// from one transition fires once after the network settles), so
4863 /// use it for "re-check connectivity / re-register on network move"
4864 /// rather than expecting one fire per raw adapter event.
4865 ///
4866 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
4867 /// transition that touches only IPv6 addresses won't fire. In practice
4868 /// dual-stack networks change both tables together, but a pure-IPv6
4869 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
4870 NetworkChange,
4871}
4872
4873/// Calendar time trigger (#418 Phase 2). `at` is either a time of
4874/// day (`"HH:MM"`, repeating — combine with `days`) or a full
4875/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
4876/// never again). Evaluated in the schedule's top-level `tz`.
4877#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4878pub struct CalendarSpec {
4879 /// `"HH:MM"` (24h) for a repeating trigger, or
4880 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
4881 /// accepted) for a one-shot. Parsed lazily —
4882 /// [`Schedule::validate`] rejects garbage at create time.
4883 pub at: String,
4884 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
4885 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
4886 /// field, so ranges and names both work). An **nth-weekday**
4887 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
4888 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
4889 /// `["friL"]` fires only on the last Friday of each month (handy
4890 /// for monthly maintenance). Empty = every day. Must be empty
4891 /// when `at` carries a date (the date already pins the day).
4892 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4893 pub days: Vec<String>,
4894}
4895
4896/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
4897/// date for a one-shot (`None` = repeating time-of-day).
4898struct ParsedAt {
4899 minute: u32,
4900 hour: u32,
4901 date: Option<chrono::NaiveDate>,
4902}
4903
4904impl CalendarSpec {
4905 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
4906 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
4907 fn parse_at(&self) -> Result<ParsedAt, String> {
4908 use chrono::Timelike;
4909 let s = self.at.trim();
4910 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
4911 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
4912 return Ok(ParsedAt {
4913 minute: dt.minute(),
4914 hour: dt.hour(),
4915 date: Some(dt.date()),
4916 });
4917 }
4918 }
4919 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
4920 return Ok(ParsedAt {
4921 minute: t.minute(),
4922 hour: t.hour(),
4923 date: None,
4924 });
4925 }
4926 Err(format!(
4927 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
4928 self.at
4929 ))
4930 }
4931
4932 /// Pre-flight check on the `days` tokens so a bad day name gives
4933 /// a `when.days:`-scoped error instead of croner's confusing
4934 /// "when.at lowered to invalid cron" (claude #432 review). Each
4935 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
4936 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
4937 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
4938 /// **last-weekday** like `friL` (last Friday of the month).
4939 fn validate_days(&self) -> Result<(), String> {
4940 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
4941 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
4942 for tok in &self.days {
4943 // Report the whole token on a malformed range like `mon-`
4944 // (which would otherwise split to a cryptic empty part —
4945 // claude #432 follow-up).
4946 let invalid = |reason: &str| {
4947 Err(format!(
4948 "when.days: invalid day token '{tok}' ({reason}; \
4949 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
4950 like tue#2, a last-weekday like friL, or *)"
4951 ))
4952 };
4953 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
4954 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
4955 // `to_cron` passes the token through verbatim, so the
4956 // engine fires only on that occurrence. It's a single
4957 // weekday + ordinal — not combinable with a range.
4958 if let Some((day_part, nth_part)) = tok.split_once('#') {
4959 // Normalize once and use `d` consistently (gemini #547);
4960 // the outer `invalid` already echoes the raw `tok`.
4961 let d = day_part.trim().to_ascii_lowercase();
4962 if d.contains('-') || !is_day(&d) {
4963 return invalid("the part before # must be a single weekday");
4964 }
4965 match nth_part.trim().parse::<u8>() {
4966 Ok(n) if (1..=5).contains(&n) => {}
4967 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
4968 }
4969 continue;
4970 }
4971 // #418: last-weekday suffix (`friL` = last Friday of the
4972 // month — the monthly-maintenance sibling of Patch Tuesday).
4973 // Croner accepts `<dow>L` in the DOW field with verified
4974 // last-<dow>-of-month semantics, and `to_cron` passes it
4975 // through verbatim. A single weekday + `L` — bare `L` and
4976 // ranges are rejected (croner would read bare `L` as
4977 // Saturday, which is a confusing footgun).
4978 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
4979 // No `.trim()`: a cron DOW token can't carry internal
4980 // whitespace, so `"fri L"` must be *rejected* here (its
4981 // strip leaves `"fri "`, and `is_day` catches the space)
4982 // rather than trimmed into a clean `"fri"` that then
4983 // produces a malformed `fri L` cron downstream and a
4984 // confusing croner error (gemini #560).
4985 let d = day_part.to_ascii_lowercase();
4986 if d.is_empty() {
4987 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
4988 }
4989 if d.contains('-') || !is_day(&d) {
4990 return invalid(
4991 "the part before L must be a single weekday (e.g. friL = last Friday)",
4992 );
4993 }
4994 continue;
4995 }
4996 for part in tok.split('-') {
4997 let p = part.trim().to_ascii_lowercase();
4998 if p.is_empty() {
4999 return invalid("empty range bound");
5000 }
5001 if p != "*" && !is_day(&p) {
5002 return invalid(&format!("'{part}' is not a day"));
5003 }
5004 }
5005 }
5006 Ok(())
5007 }
5008
5009 /// For a one-shot (`at` carries a date), the absolute instant it
5010 /// fires in `tz`. `None` for a repeating calendar. Used to warn
5011 /// about a one-shot whose date is already in the past (it would
5012 /// never fire).
5013 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
5014 let p = self.parse_at().ok()?;
5015 let date = p.date?;
5016 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
5017 tz.naive_to_utc(naive)
5018 }
5019
5020 /// The wall-clock time-of-day this calendar fires at (`None` if
5021 /// `at` is unparseable — validate() guards that). Used to detect
5022 /// a calendar whose fire time can never fall inside its
5023 /// `constraints.window` (claude #452 review).
5024 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
5025 let p = self.parse_at().ok()?;
5026 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
5027 }
5028
5029 /// Lower to the cron string the scheduler engine runs. Repeating
5030 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
5031 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
5032 /// fires — that's what makes it one-shot).
5033 fn to_cron(&self) -> Result<String, String> {
5034 use chrono::Datelike;
5035 let ParsedAt { minute, hour, date } = self.parse_at()?;
5036 match date {
5037 Some(d) => {
5038 if !self.days.is_empty() {
5039 return Err(
5040 "when.at with a date is a one-shot and cannot be combined with days".into(),
5041 );
5042 }
5043 Ok(format!(
5044 "0 {minute} {hour} {} {} * {}",
5045 d.day(),
5046 d.month(),
5047 d.year()
5048 ))
5049 }
5050 None => {
5051 let dow = if self.days.is_empty() {
5052 "*".to_string()
5053 } else {
5054 self.validate_days()?;
5055 self.days.join(",")
5056 };
5057 Ok(format!("0 {minute} {hour} * * {dow}"))
5058 }
5059 }
5060 }
5061}
5062
5063/// The timezone a schedule's wall-clock fields (`when.at`,
5064/// `active.{from,until}`) are evaluated in (#418 Phase 2).
5065#[derive(
5066 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
5067)]
5068#[serde(rename_all = "snake_case")]
5069pub enum ScheduleTz {
5070 /// The running host's local timezone — the agent's for
5071 /// `runs_on: agent`, the backend server's otherwise. Default.
5072 #[default]
5073 Local,
5074 /// UTC — for timezone-independent schedules.
5075 Utc,
5076}
5077
5078impl ScheduleTz {
5079 /// Interpret a naive (zoneless) datetime as being in this tz and
5080 /// convert to UTC. On a DST *fold* (the local time occurs twice
5081 /// when clocks go back) we pick `.earliest()` rather than
5082 /// rejecting it; `None` is reserved for a true DST *gap* (a local
5083 /// time that never exists). `Utc` is fixed-offset so neither ever
5084 /// happens; `Local` is whatever timezone the running host is set
5085 /// to and *can* hit a gap/fold on any DST-observing host — not
5086 /// just the JST we run today (gemini + claude #432 review).
5087 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
5088 use chrono::TimeZone;
5089 match self {
5090 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
5091 naive,
5092 chrono::Utc,
5093 )),
5094 ScheduleTz::Local => chrono::Local
5095 .from_local_datetime(&naive)
5096 .earliest()
5097 .map(|dt| dt.with_timezone(&chrono::Utc)),
5098 }
5099 }
5100
5101 /// The wall-clock time-of-day `now` reads as in this tz — used by
5102 /// [`Constraints::allows`] to test a maintenance window
5103 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
5104 /// running host's local time.
5105 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
5106 match self {
5107 ScheduleTz::Utc => now.time(),
5108 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
5109 }
5110 }
5111
5112 /// The wall-clock *date* `now` reads as in this tz — used by
5113 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
5114 /// exclusion). Same tz semantics as [`Self::wall_time`].
5115 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
5116 match self {
5117 ScheduleTz::Utc => now.date_naive(),
5118 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
5119 }
5120 }
5121
5122 /// Stable lowercase wire/display label (`local` / `utc`) — matches
5123 /// the serde `snake_case` representation. Used for the preview
5124 /// response's `tz` field so the JSON shape isn't coupled to the
5125 /// `Debug` repr (claude #578 review).
5126 pub fn as_str(self) -> &'static str {
5127 match self {
5128 ScheduleTz::Local => "local",
5129 ScheduleTz::Utc => "utc",
5130 }
5131 }
5132}
5133
5134impl std::fmt::Display for ScheduleTz {
5135 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5136 f.write_str(self.as_str())
5137 }
5138}
5139
5140/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
5141/// `per_target`. Untagged so the YAML stays the bare keyword or a
5142/// one-key map, nothing more ceremonial.
5143#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5144#[serde(untagged)]
5145pub enum PerPolicy {
5146 /// The bare string `once`: succeed once, then skip permanently
5147 /// (cooldown = infinity).
5148 Once(OnceLiteral),
5149 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
5150 Every(EverySpec),
5151}
5152
5153/// Single-variant enum so serde accepts exactly the string `once`
5154/// (a free-form `String` would swallow typos like `onec`).
5155#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
5156#[serde(rename_all = "snake_case")]
5157pub enum OnceLiteral {
5158 Once,
5159}
5160
5161/// `{ every: <humantime> }`. Standalone struct (not an inline
5162/// struct variant). `{ evry: 6h }` still fails to parse (the
5163/// required `every` key is missing), and the create boundaries
5164/// reject the unknown `evry` via [`crate::strict`] with its path —
5165/// while agents reading a future writer's extra fields tolerate
5166/// them (#492).
5167#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5168pub struct EverySpec {
5169 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
5170 /// [`Schedule::validate`] rejects garbage at create time.
5171 pub every: String,
5172}
5173
5174impl PerPolicy {
5175 /// The cooldown this policy lowers to: `once` = `None`
5176 /// (permanent skip), `every` = the interval.
5177 fn cooldown(&self) -> Option<String> {
5178 match self {
5179 PerPolicy::Once(_) => None,
5180 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
5181 }
5182 }
5183}
5184
5185impl std::fmt::Display for When {
5186 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
5187 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
5188 /// lines, audit payloads and the API's `ScheduleSummary`.
5189 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5190 let policy = |p: &PerPolicy| match p {
5191 PerPolicy::Once(_) => "once".to_string(),
5192 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
5193 };
5194 match self {
5195 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
5196 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
5197 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
5198 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
5199 When::On(triggers) => {
5200 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
5201 write!(f, "on [{}]", names.join(","))
5202 }
5203 }
5204 }
5205}
5206
5207impl OnTrigger {
5208 /// Lowercase wire/display label (matches the serde `snake_case`).
5209 pub fn as_str(self) -> &'static str {
5210 match self {
5211 OnTrigger::Startup => "startup",
5212 OnTrigger::Logon => "logon",
5213 OnTrigger::Lock => "lock",
5214 OnTrigger::Unlock => "unlock",
5215 OnTrigger::NetworkChange => "network_change",
5216 }
5217 }
5218}
5219
5220/// Optional validity window for a [`Schedule`] (#418 decision G).
5221/// Half-open `[from, until)`; either bound may be omitted. Bounds
5222/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
5223/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
5224/// strings so the JSON Schema the SPA editor consumes stays two
5225/// plain string fields, mirroring `jitter` / `starting_deadline`.
5226///
5227/// #418 Phase 2: bounds are evaluated in the schedule's top-level
5228/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
5229/// calendar `at` AND the `active` window local — one consistent
5230/// timezone per schedule.
5231#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5232pub struct Active {
5233 /// Dormant before this instant.
5234 #[serde(default, skip_serializing_if = "Option::is_none")]
5235 pub from: Option<String>,
5236 /// Dormant from this instant on (exclusive).
5237 #[serde(default, skip_serializing_if = "Option::is_none")]
5238 pub until: Option<String>,
5239}
5240
5241impl Active {
5242 /// `skip_serializing_if` helper — an empty window means "always
5243 /// active" and is omitted from the wire format entirely.
5244 pub fn is_empty(&self) -> bool {
5245 self.from.is_none() && self.until.is_none()
5246 }
5247
5248 /// Parse one bound: RFC3339 first (offset honored, `tz`
5249 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
5250 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
5251 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
5252 return Ok(dt.with_timezone(&chrono::Utc));
5253 }
5254 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
5255 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
5256 return tz.naive_to_utc(midnight).ok_or_else(|| {
5257 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
5258 });
5259 }
5260 Err(format!(
5261 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
5262 ))
5263 }
5264
5265 /// Is `now` inside the window? Unparseable bounds are treated
5266 /// as absent here (fail-open) — [`Schedule::validate`] is the
5267 /// place that rejects them loudly; this runs on every tick and
5268 /// must never panic on a stale KV blob.
5269 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
5270 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
5271 if bound(&self.from).is_some_and(|from| now < from) {
5272 return false;
5273 }
5274 if bound(&self.until).is_some_and(|until| now >= until) {
5275 return false;
5276 }
5277 true
5278 }
5279}
5280
5281/// Host-environment gate (#418 `constraints.require`). Fire only when
5282/// the target host is in the required state. Sensed **in-process by the
5283/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
5284/// read a target host's power/idle state ([`Schedule::validate`]
5285/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
5286///
5287/// Evaluated at fire time as a skip-this-tick gate (NOT in
5288/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
5289/// cadence re-checks every minute (so it effectively defers until the
5290/// state is met — the intended pairing); a `calendar` fire that lands
5291/// while the state is unmet is simply missed, same as `window`. It is
5292/// therefore a *runtime* gate and does not appear in `preview`.
5293// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
5294#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
5295pub struct Require {
5296 /// Fire only while on **AC power** (skip on battery). Reads
5297 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
5298 /// as not-on-AC (fail-closed — a restrictive gate must not fire
5299 /// when it can't confirm the condition). `false` (default) = no
5300 /// power requirement.
5301 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
5302 pub ac_power: bool,
5303 /// Fire only when the active console session has had **no keyboard /
5304 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
5305 /// "don't run while the user is actively working". Input-based
5306 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
5307 /// headless / disconnected console (no interactive user) trivially
5308 /// satisfies it. `None` (default) = no idle requirement. Parsed
5309 /// lazily; [`Schedule::validate`] rejects garbage at create time.
5310 #[serde(default, skip_serializing_if = "Option::is_none")]
5311 pub idle: Option<String>,
5312 /// Fire only when the **whole-machine CPU usage is below this
5313 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
5314 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
5315 /// sample (`sysinfo` mean over cores), so the reading is up to one
5316 /// `host_perf` cadence old (default 60s) — fine as a "generally
5317 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
5318 /// needs two samples). An unavailable sample (host_perf not warmed
5319 /// up yet, or stale) is treated as "not below" (fail-closed — a
5320 /// restrictive gate must not fire when it can't confirm). `None`
5321 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
5322 /// out-of-range value at create time.
5323 #[serde(default, skip_serializing_if = "Option::is_none")]
5324 pub cpu_below: Option<f64>,
5325 /// Fire only when the host has **internet connectivity** (Windows
5326 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
5327 /// until online" for jobs that download / phone home. A captive
5328 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
5329 /// unknown/unreadable state is treated as offline (fail-closed) — a
5330 /// portal would just fail a download, so we hold the run. For VPN /
5331 /// SASE / app-specific conditions, use a custom script gate (separate
5332 /// slice). `false` (default) = no network requirement.
5333 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
5334 pub network: bool,
5335}
5336
5337impl Require {
5338 /// `skip_serializing_if` helper for an embedded empty `require`.
5339 pub fn is_empty(&self) -> bool {
5340 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
5341 }
5342
5343 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
5344 /// unparseable value — `validate` rejects the latter at create time).
5345 pub fn min_idle(&self) -> Option<std::time::Duration> {
5346 self.idle
5347 .as_deref()
5348 .and_then(|s| humantime::parse_duration(s.trim()).ok())
5349 }
5350
5351 /// First unparseable field for create-time rejection (mirrors
5352 /// [`Constraints::bad_skip_date`]).
5353 pub fn bad_idle(&self) -> Option<String> {
5354 self.idle.as_deref().and_then(|s| {
5355 humantime::parse_duration(s.trim())
5356 .err()
5357 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
5358 })
5359 }
5360}
5361
5362/// Host-environment state sensed by the agent, fed to [`require_met`].
5363/// A named struct (not positional args) so the growing set of sensed
5364/// signals — several of them `bool` — can't be transposed at a call
5365/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
5366#[derive(Debug, Clone, Copy, Default)]
5367pub struct EnvState {
5368 /// Is the host on AC power (`false` if on battery or unreadable).
5369 pub ac_online: bool,
5370 /// How long the console has been idle (`None` = couldn't determine).
5371 pub idle: Option<std::time::Duration>,
5372 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
5373 pub cpu_pct: Option<f64>,
5374 /// Does the host have internet connectivity (`false` if offline /
5375 /// LAN-only / unreadable).
5376 pub network_up: bool,
5377}
5378
5379/// Pure env-gate decision (#418 `constraints.require`). The Win32
5380/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
5381/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
5382/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
5383/// pure and `preview` never evaluates a runtime gate. Each set
5384/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
5385pub fn require_met(req: &Require, env: &EnvState) -> bool {
5386 if req.ac_power && !env.ac_online {
5387 return false;
5388 }
5389 if let Some(min) = req.min_idle() {
5390 match env.idle {
5391 Some(d) if d >= min => {}
5392 _ => return false,
5393 }
5394 }
5395 if let Some(max) = req.cpu_below {
5396 match env.cpu_pct {
5397 Some(p) if p < max => {}
5398 _ => return false,
5399 }
5400 }
5401 if req.network && !env.network_up {
5402 return false;
5403 }
5404 true
5405}
5406
5407/// [`Active`] decides *over what date range* a schedule is live,
5408/// `Constraints` decides *when, within an active period,* a fire is
5409/// allowed: `window` (a maintenance time-of-day window),
5410/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
5411/// (holiday exclusion) and `require` (host-environment gates, agent-only
5412/// — see [`Require`]).
5413// No `Eq`: contains `require: Option<Require>` which holds an f64.
5414#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
5415pub struct Constraints {
5416 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
5417 /// `tz`). Fires outside it are skipped — mainly for reconcile
5418 /// cadences ("patrol every 6h, but only fire overnight") and
5419 /// daytime change-freezes. `start > end` crosses midnight
5420 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
5421 /// lazily; [`Schedule::validate`] rejects garbage at create time.
5422 #[serde(default, skip_serializing_if = "Option::is_none")]
5423 pub window: Option<String>,
5424 /// Fleet-wide cap on how many instances of this schedule's job may
5425 /// run **at the same time** (#418 "同時実行ハード上限"). The
5426 /// backend scheduler counts the job's still-in-flight runs
5427 /// (`execution_results.finished_at IS NULL`) each tick and only
5428 /// dispatches to as many remaining pcs as there are free slots —
5429 /// a rolling window that refills as runs complete. Useful for
5430 /// disk/CPU/network-heavy jobs you don't want hammering the whole
5431 /// fleet at once.
5432 ///
5433 /// **Backend-only** (it needs a central counter): combining it
5434 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
5435 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
5436 /// for `per_pc` reconcile cadences, where the poll re-ticks and
5437 /// refills slots. `None` (default) = no cap.
5438 #[serde(default, skip_serializing_if = "Option::is_none")]
5439 pub max_concurrent: Option<u32>,
5440 /// Calendar dates the schedule must **not** fire on — holidays,
5441 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
5442 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
5443 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
5444 /// the whole day; a calendar fire landing on the date is
5445 /// suppressed) and is honored by both the live scheduler and
5446 /// `preview`, since both gate on [`Constraints::allows`]. Empty
5447 /// (default) = no skips. Operator-supplied: there is no built-in
5448 /// holiday calendar — list the dates you care about. Parsed lazily;
5449 /// [`Schedule::validate`] rejects a malformed date at create time.
5450 #[serde(default, skip_serializing_if = "Vec::is_empty")]
5451 pub skip_dates: Vec<String>,
5452 /// Host-environment gate (#418): fire only when the target host is
5453 /// in the required state (on AC power, idle). Agent-sensed at fire
5454 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
5455 /// no environment requirement.
5456 #[serde(default, skip_serializing_if = "Option::is_none")]
5457 pub require: Option<Require>,
5458}
5459
5460impl Constraints {
5461 /// `skip_serializing_if` helper — empty constraints are omitted
5462 /// from the wire format entirely.
5463 pub fn is_empty(&self) -> bool {
5464 self.window.is_none()
5465 && self.max_concurrent.is_none()
5466 && self.skip_dates.is_empty()
5467 && self.require.as_ref().is_none_or(Require::is_empty)
5468 }
5469
5470 /// The first unparseable `skip_dates` entry, if any — the
5471 /// scheduler logs it at register time so a fail-closed
5472 /// (never-firing) schedule from a hand-edited KV blob is
5473 /// diagnosable, mirroring [`Schedule::bad_window`].
5474 pub fn bad_skip_date(&self) -> Option<String> {
5475 self.skip_dates.iter().find_map(|s| {
5476 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
5477 .err()
5478 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
5479 })
5480 }
5481
5482 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
5483 /// error (a zero-width or all-day window is ambiguous — write no
5484 /// window for "always").
5485 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
5486 let (a, b) = s
5487 .split_once('-')
5488 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
5489 let parse = |part: &str| {
5490 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
5491 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
5492 };
5493 let (start, end) = (parse(a)?, parse(b)?);
5494 if start == end {
5495 return Err(format!(
5496 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
5497 ));
5498 }
5499 Ok((start, end))
5500 }
5501
5502 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
5503 /// always allowed. Half-open `[start, end)`; `start > end`
5504 /// crosses midnight.
5505 ///
5506 /// **Fail-closed** on an unparseable window (returns `false`,
5507 /// gemini #452 review): a window is a *restrictive* constraint
5508 /// (change-freeze / overnight-only), so a corrupt one must NOT
5509 /// silently allow fires during the restricted hours. Bad windows
5510 /// are rejected at create time by [`Schedule::validate`]; this
5511 /// only bites a hand-edited KV blob, where blocking is the safe
5512 /// direction. The scheduler warns at register time
5513 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
5514 /// The tick path never panics regardless.
5515 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
5516 // #418 holiday / blackout dates: never fire on a listed wall
5517 // date (in `tz`). Checked before the window since a skipped day
5518 // overrides any within-window allowance. Fail-closed on a
5519 // corrupt entry (same posture as `window`): a skip date is a
5520 // *restrictive* constraint, so a garbled one must not silently
5521 // re-enable fires — it blocks until fixed (`validate` rejects it
5522 // at create time; `bad_skip_date` lets the scheduler warn).
5523 if !self.skip_dates.is_empty() {
5524 let today = tz.wall_date(now);
5525 let blocked = self.skip_dates.iter().any(|s| {
5526 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
5527 Ok(d) => d == today,
5528 Err(_) => true, // corrupt entry → fail-closed (block)
5529 }
5530 });
5531 if blocked {
5532 return false;
5533 }
5534 }
5535 match self.window.as_deref() {
5536 // No window → always allowed.
5537 None => true,
5538 // Window set: membership, or fail-closed if unparseable
5539 // (`window_contains` returns None for a corrupt window).
5540 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
5541 }
5542 }
5543
5544 /// Membership of a wall-clock time-of-day in the window. `None`
5545 /// when there is no window or it's unparseable (callers decide
5546 /// the failure direction). `start > end` crosses midnight.
5547 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
5548 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
5549 Some(if start <= end {
5550 start <= t && t < end
5551 } else {
5552 t >= start || t < end
5553 })
5554 }
5555}
5556
5557/// What to do when a fire's script fails (#418 Phase 4 — the "高"
5558/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
5559/// happens, `OnFailure` decides what happens *after* one ran and
5560/// came back bad. Only `retry` so far; future `notify` / `disable`
5561/// would join the same namespace.
5562#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5563pub struct OnFailure {
5564 /// Re-run the script in-process when it exits non-zero (or times
5565 /// out), up to a cap, with a fixed backoff between attempts.
5566 /// `None` (default) = no retry: a failed run is published as-is
5567 /// and (for reconcile cadences) simply re-fires on the next poll
5568 /// tick. See [`Retry`].
5569 #[serde(default, skip_serializing_if = "Option::is_none")]
5570 pub retry: Option<Retry>,
5571}
5572
5573impl OnFailure {
5574 /// `skip_serializing_if` helper — an empty policy is omitted from
5575 /// the wire format entirely.
5576 pub fn is_empty(&self) -> bool {
5577 self.retry.is_none()
5578 }
5579
5580 /// Lower the operator-facing `retry` (humantime backoff) onto the
5581 /// engine vocabulary the agent's executor runs on (backoff in
5582 /// whole seconds). Single seam shared by the backend command
5583 /// builder and the agent's local scheduler so the two stamp the
5584 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
5585 /// `None` when there is no retry policy or the backoff is
5586 /// unparseable (validate() rejects the latter at create time;
5587 /// this stays fail-safe = "no retry" for a hand-edited KV blob
5588 /// rather than panicking on the fire path).
5589 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
5590 let r = self.retry.as_ref()?;
5591 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
5592 Some(crate::wire::RetrySpec {
5593 max: r.max,
5594 backoff_secs,
5595 })
5596 }
5597}
5598
5599/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
5600/// *additional* attempts after the first run (so `max: 3` = up to 4
5601/// total executions); `backoff` is the humantime delay slept between
5602/// attempts. The retry happens fire-side (inside `kanade fire` /
5603/// `handle_command`) on every OS for the PoC — the Windows-native
5604/// "restart on failure" Task Scheduler path is deferred to the
5605/// native-delegation phase (#418 decision H).
5606#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5607pub struct Retry {
5608 /// Max additional attempts after the first failure. Bounded
5609 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
5610 /// with a short backoff would otherwise pin a flapping script in
5611 /// a tight loop for the whole window.
5612 pub max: u32,
5613 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
5614 pub backoff: String,
5615}
5616
5617/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
5618/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
5619/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
5620/// global* "stop all automated change" switch the operator flips
5621/// during an incident or a year-end change-freeze. It lives in its
5622/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
5623/// active, both the backend scheduler and every agent's local
5624/// scheduler skip *every* fire.
5625///
5626/// Shapes:
5627/// * `{}` (no bounds) — frozen indefinitely until the operator
5628/// clears it (incident "big red button").
5629/// * `{ from, until }` — frozen only within `[from, until)`,
5630/// evaluated in `tz` (planned change-freeze; auto-thaws).
5631///
5632/// The KV key being *absent* means "not frozen" — so clearing the
5633/// freeze is a KV delete, and `is_active` only ever runs on a freeze
5634/// the operator actually set.
5635#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5636pub struct Freeze {
5637 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
5638 /// `tz`). `None` ⇒ frozen from the beginning of time.
5639 #[serde(default, skip_serializing_if = "Option::is_none")]
5640 pub from: Option<String>,
5641 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
5642 /// no scheduled end (manual clear required).
5643 #[serde(default, skip_serializing_if = "Option::is_none")]
5644 pub until: Option<String>,
5645 /// Operator-supplied note surfaced on the freeze-skip log and the
5646 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
5647 #[serde(default, skip_serializing_if = "Option::is_none")]
5648 pub reason: Option<String>,
5649 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
5650 /// carry their own offset). Defaults to host-local like a
5651 /// schedule's `tz`.
5652 #[serde(default)]
5653 pub tz: ScheduleTz,
5654}
5655
5656impl Freeze {
5657 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
5658 /// both absent) is frozen unconditionally; otherwise membership of
5659 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
5660 /// but **fails CLOSED** on an unparseable bound — a freeze is a
5661 /// safety switch, so a corrupt window (only reachable via a
5662 /// hand-edited KV blob; `validate` rejects it at set time) must
5663 /// mean "frozen", not "fire normally" (coderabbit #472). This is
5664 /// the one deliberate divergence from `active`'s fail-OPEN
5665 /// behaviour, where an unparseable bound dormant-skips a schedule.
5666 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
5667 // Parse a bound; an unparseable one short-circuits the whole
5668 // check to `true` (frozen) via the closure's `None` sentinel
5669 // handled below.
5670 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
5671 match s.as_deref() {
5672 None => Ok(None),
5673 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
5674 }
5675 };
5676 let (from, until) = match (bound(&self.from), bound(&self.until)) {
5677 (Ok(f), Ok(u)) => (f, u),
5678 // Any corrupt bound → fail closed (frozen).
5679 _ => return true,
5680 };
5681 if from.is_some_and(|f| now < f) {
5682 return false;
5683 }
5684 if until.is_some_and(|u| now >= u) {
5685 return false;
5686 }
5687 true
5688 }
5689
5690 /// Reject unparseable bounds / `from >= until` at set time (the
5691 /// API + CLI counterpart to [`Schedule::validate`]).
5692 pub fn validate(&self) -> Result<(), String> {
5693 let from = self
5694 .from
5695 .as_deref()
5696 .map(|s| Active::parse_bound(s, self.tz))
5697 .transpose()
5698 .map_err(|e| e.replace("active:", "freeze:"))?;
5699 let until = self
5700 .until
5701 .as_deref()
5702 .map(|s| Active::parse_bound(s, self.tz))
5703 .transpose()
5704 .map_err(|e| e.replace("active:", "freeze:"))?;
5705 if let (Some(f), Some(u)) = (from, until) {
5706 if f >= u {
5707 return Err(format!(
5708 "freeze.from ({}) must be strictly before freeze.until ({})",
5709 self.from.as_deref().unwrap_or_default(),
5710 self.until.as_deref().unwrap_or_default(),
5711 ));
5712 }
5713 }
5714 Ok(())
5715 }
5716}
5717
5718/// The system-generated poll cadence every reconcile-shaped `when`
5719/// lowers to. Operators never write this: the real inter-run
5720/// spacing is the `every` cooldown; this only bounds "how soon do
5721/// we notice somebody is due" (#418 decision B took the poll
5722/// period away from the operator).
5723pub const POLL_CRON: &str = "0 * * * * *";
5724
5725/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
5726/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
5727/// unchanged is what lets Phase 1 swap the operator surface without
5728/// touching the tick / dedup machinery.
5729pub struct Lowered {
5730 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
5731 /// reconcile shapes, a 6/7-field cron for calendar shapes.
5732 pub cron: String,
5733 /// Dedup semantics for `decide_fire`.
5734 pub mode: ExecMode,
5735 /// Humantime re-arm interval (`None` = succeed once, skip
5736 /// forever).
5737 pub cooldown: Option<String>,
5738 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
5739 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
5740 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
5741 /// so the same value drives the `active`-window check.
5742 pub tz: ScheduleTz,
5743}
5744
5745impl Schedule {
5746 /// The error message if this schedule's `constraints.window` is
5747 /// set but unparseable, else `None`. The scheduler logs this at
5748 /// register time so a fail-closed (never-firing) schedule from a
5749 /// hand-edited KV blob is diagnosable (gemini #452 review).
5750 pub fn bad_window(&self) -> Option<String> {
5751 let w = self.constraints.window.as_deref()?;
5752 Constraints::parse_window(w).err()
5753 }
5754
5755 /// True when this is a `calendar` schedule whose fire time can
5756 /// never fall inside its `constraints.window` — the cron fires,
5757 /// the window check rejects it, and (firing only at that
5758 /// time-of-day) it effectively never runs. An easy misconfig to
5759 /// set up by accident; the scheduler warns at register time
5760 /// (claude #452 review). Reconcile shapes poll every minute, so
5761 /// they always catch the window opening and aren't affected.
5762 pub fn calendar_outside_window(&self) -> bool {
5763 let When::Calendar(c) = &self.when else {
5764 return false;
5765 };
5766 let Some(t) = c.fire_time() else {
5767 return false;
5768 };
5769 matches!(self.constraints.window_contains(t), Some(false))
5770 }
5771
5772 /// Up to `count` future instants this schedule will fire, as
5773 /// absolute UTC, strictly after `now` — the dry-run / preview
5774 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
5775 /// schedules have discrete fire times; reconcile shapes
5776 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
5777 /// they return an empty vec and the caller describes the cadence
5778 /// instead. Occurrences outside the `active.{from,until}` window or
5779 /// the `constraints.window` are **skipped**, so the list reflects
5780 /// when the schedule will ACTUALLY run, not the raw cron ticks.
5781 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
5782 /// `Job::new_async_tz`, and with the same croner config the
5783 /// scheduler / [`Schedule::validate`] use, so a preview can never
5784 /// disagree with a real fire. A schedule that can never fire (a
5785 /// calendar time wholly outside its window, a past one-shot,
5786 /// `enabled: false` is *not* considered here — callers gate on
5787 /// `enabled` separately) yields an empty vec.
5788 pub fn preview_fires(
5789 &self,
5790 now: chrono::DateTime<chrono::Utc>,
5791 count: usize,
5792 ) -> Vec<chrono::DateTime<chrono::Utc>> {
5793 use croner::parser::{CronParser, Seconds};
5794 if !matches!(self.when, When::Calendar(_)) {
5795 return Vec::new();
5796 }
5797 // Same lowering + croner config as `next_calendar_fire` and the
5798 // live scheduler, so a preview can never disagree with a real
5799 // fire. `preview_fires` adds the N-occurrence walk and the
5800 // active / window filtering on top of that single seam.
5801 let lowered = self.lowered();
5802 let Ok(cron) = CronParser::builder()
5803 .seconds(Seconds::Required)
5804 .dom_and_dow(true)
5805 .build()
5806 .parse(&lowered.cron)
5807 else {
5808 return Vec::new();
5809 };
5810 let accept = |utc: chrono::DateTime<chrono::Utc>| {
5811 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
5812 };
5813 match self.tz {
5814 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
5815 ScheduleTz::Local => {
5816 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
5817 }
5818 }
5819 }
5820
5821 /// Walk croner forward from `after` collecting up to `count`
5822 /// accepted occurrences (converted to UTC). Generic over the tz the
5823 /// cron is evaluated in so `preview_fires` can run it in either
5824 /// `Utc` or `Local` without duplicating the loop.
5825 fn next_occurrences<Tz>(
5826 cron: &croner::Cron,
5827 after: chrono::DateTime<Tz>,
5828 count: usize,
5829 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
5830 ) -> Vec<chrono::DateTime<chrono::Utc>>
5831 where
5832 Tz: chrono::TimeZone,
5833 {
5834 // Bound the scan so an `active`/window dead-end (every future
5835 // tick rejected) can't spin forever: ~4096 raw ticks covers
5836 // >10y of a daily calendar while staying instant for croner.
5837 const SCAN_CAP: usize = 4096;
5838 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
5839 let mut cursor = after;
5840 let mut scanned = 0usize;
5841 while out.len() < count && scanned < SCAN_CAP {
5842 scanned += 1;
5843 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
5844 break;
5845 };
5846 let utc = next.with_timezone(&chrono::Utc);
5847 if accept(utc) {
5848 out.push(utc);
5849 }
5850 // `find_next_occurrence(.., inclusive = false)` already
5851 // advances strictly past `cursor`, so handing it `next`
5852 // verbatim gets the following occurrence — no manual +1s
5853 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
5854 cursor = next;
5855 }
5856 out
5857 }
5858
5859 /// Lower the operator-facing `when` onto the engine vocabulary.
5860 /// Single seam shared by the backend scheduler and the agent's
5861 /// local scheduler so the two can never drift.
5862 pub fn lowered(&self) -> Lowered {
5863 let tz = self.tz;
5864 match &self.when {
5865 When::PerPc(p) => Lowered {
5866 cron: POLL_CRON.into(),
5867 mode: ExecMode::OncePerPc,
5868 cooldown: p.cooldown(),
5869 tz,
5870 },
5871 When::PerTarget(p) => Lowered {
5872 cron: POLL_CRON.into(),
5873 mode: ExecMode::OncePerTarget,
5874 cooldown: p.cooldown(),
5875 tz,
5876 },
5877 // `to_cron` only fails on a malformed `at` (rejected by
5878 // validate() at create time). For a hand-edited KV blob
5879 // that slipped past, emit a deliberately-invalid cron so
5880 // register()'s Job::new_async_tz fails → warn+skip,
5881 // rather than firing at the wrong time.
5882 When::Calendar(c) => Lowered {
5883 cron: c
5884 .to_cron()
5885 .unwrap_or_else(|_| "# invalid calendar at".into()),
5886 mode: ExecMode::EveryTick,
5887 cooldown: None,
5888 tz,
5889 },
5890 // Event triggers have no cron — the agent fires them from an
5891 // OS event source. The `# event-trigger` cron is never
5892 // registered (the scheduler branches on `is_event()` first),
5893 // but keep it deliberately-invalid as a belt-and-suspenders
5894 // so a stray registration would fail rather than misfire.
5895 When::On(_) => Lowered {
5896 cron: "# event-trigger (no cron)".into(),
5897 mode: ExecMode::Event,
5898 cooldown: None,
5899 tz,
5900 },
5901 }
5902 }
5903
5904 /// True when this schedule fires from an OS event (`when: { on }`)
5905 /// rather than a clock — the agent skips `tokio-cron` registration
5906 /// for these and drives them from boot / session-change instead.
5907 pub fn is_event(&self) -> bool {
5908 matches!(self.when, When::On(_))
5909 }
5910
5911 /// The OS event triggers this schedule listens for, or `&[]` when it
5912 /// is not an event schedule.
5913 pub fn event_triggers(&self) -> &[OnTrigger] {
5914 match &self.when {
5915 When::On(t) => t,
5916 _ => &[],
5917 }
5918 }
5919
5920 /// The next absolute (UTC) time this schedule fires, or `None` when
5921 /// it has no discrete upcoming fire to preview.
5922 ///
5923 /// Used by the KLP `maintenance.list` preview ("what's about to
5924 /// happen on my PC", SPEC §2.1). Returns `None` for:
5925 ///
5926 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
5927 /// every-minute [`POLL_CRON`] and re-converge state continuously,
5928 /// so "next fire" is always ~60s away and means nothing to a user
5929 /// previewing upcoming maintenance;
5930 /// - a calendar schedule whose lowered cron won't parse (a
5931 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
5932 /// - a cron with no future occurrence.
5933 ///
5934 /// The wall-clock fire is evaluated in the schedule's own `tz`
5935 /// (matching the live tick's `Job::new_async_tz`) then normalised
5936 /// to UTC for the wire. `inclusive = false`: strictly the *next*
5937 /// fire after `now`, never one matching the current instant.
5938 pub fn next_calendar_fire(
5939 &self,
5940 now: chrono::DateTime<chrono::Utc>,
5941 ) -> Option<chrono::DateTime<chrono::Utc>> {
5942 if !matches!(self.when, When::Calendar(_)) {
5943 return None;
5944 }
5945 let lowered = self.lowered();
5946 // Same parser configuration tokio-cron-scheduler 0.15 uses
5947 // internally, so this can never compute a fire the live
5948 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
5949 let cron = croner::parser::CronParser::builder()
5950 .seconds(croner::parser::Seconds::Required)
5951 .dom_and_dow(true)
5952 .build()
5953 .parse(&lowered.cron)
5954 .ok()?;
5955 match lowered.tz {
5956 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
5957 ScheduleTz::Local => {
5958 let now_local = now.with_timezone(&chrono::Local);
5959 cron.find_next_occurrence(&now_local, false)
5960 .ok()
5961 .map(|t| t.with_timezone(&chrono::Utc))
5962 }
5963 }
5964 }
5965
5966 /// Cross-field semantic checks that don't fit pure serde derive
5967 /// — the [`Manifest::validate`] counterpart (#418 decision F;
5968 /// pre-Phase-1 a broken schedule was accepted at create time
5969 /// and silently warn-skipped at tick time). Run at every create
5970 /// site: `kanade schedule create` (client-side) and
5971 /// `POST /api/schedules`. The job_id-exists check lives in the
5972 /// API handler instead — it needs the JOBS KV.
5973 pub fn validate(&self) -> Result<(), String> {
5974 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
5975 return Err(
5976 "when.per_target needs fleet-wide completion data and is backend-only; \
5977 it cannot be combined with runs_on: agent (each agent self-schedules, \
5978 so per-target dedup would be deduping across a target of 1)"
5979 .into(),
5980 );
5981 }
5982 // #418 event triggers: the agent owns the OS event source
5983 // (boot / session-change), so `when: { on }` is agent-only and
5984 // needs at least one trigger.
5985 if let When::On(triggers) = &self.when {
5986 if !matches!(self.runs_on, RunsOn::Agent) {
5987 return Err(
5988 "when.on (OS event trigger) is fired by the agent's own event \
5989 source, so it requires runs_on: agent"
5990 .into(),
5991 );
5992 }
5993 if triggers.is_empty() {
5994 return Err(
5995 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
5996 );
5997 }
5998 }
5999 if let Some(cd) = self.lowered().cooldown.as_deref() {
6000 humantime::parse_duration(cd)
6001 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
6002 }
6003 if let When::Calendar(c) = &self.when {
6004 // Lower the calendar form to its cron (catches a bad `at`
6005 // and the date+days conflict), then validate that cron
6006 // with the same parser configuration tokio-cron-scheduler
6007 // 0.15 uses internally (croner, seconds required,
6008 // DOM-and-DOW both honored, year optional) — create-time
6009 // validation can never accept what register() rejects.
6010 let cron = c.to_cron()?;
6011 croner::parser::CronParser::builder()
6012 .seconds(croner::parser::Seconds::Required)
6013 .dom_and_dow(true)
6014 .build()
6015 .parse(&cron)
6016 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
6017 }
6018 // The other humantime strings on the schedule (claude #419
6019 // review): runtime degrades gracefully on both (bad jitter →
6020 // silent no-op, bad starting_deadline → warn + skipped tick),
6021 // but "rejected at create time" should cover every field the
6022 // operator can typo, not just `when`.
6023 if let Some(j) = &self.plan.jitter {
6024 humantime::parse_duration(j)
6025 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
6026 }
6027 if let Some(sd) = &self.starting_deadline {
6028 humantime::parse_duration(sd)
6029 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
6030 }
6031 let from = self
6032 .active
6033 .from
6034 .as_deref()
6035 .map(|s| Active::parse_bound(s, self.tz))
6036 .transpose()?;
6037 let until = self
6038 .active
6039 .until
6040 .as_deref()
6041 .map(|s| Active::parse_bound(s, self.tz))
6042 .transpose()?;
6043 if let (Some(f), Some(u)) = (from, until) {
6044 if f >= u {
6045 return Err(format!(
6046 "active.from ({}) must be strictly before active.until ({})",
6047 self.active.from.as_deref().unwrap_or_default(),
6048 self.active.until.as_deref().unwrap_or_default(),
6049 ));
6050 }
6051 }
6052 // #418 Phase 3: a bad maintenance window is rejected at create
6053 // time (parse_window also catches equal bounds).
6054 if let Some(w) = self.constraints.window.as_deref() {
6055 Constraints::parse_window(w)?;
6056 }
6057 // #418 holiday exclusion: reject a malformed skip date at create
6058 // time so the fail-closed `allows` path only ever bites a
6059 // hand-edited KV blob, not a fresh `kanade schedule create`.
6060 if let Some(err) = self.constraints.bad_skip_date() {
6061 return Err(err);
6062 }
6063 // #418: constraints.max_concurrent is a central running-instance
6064 // cap, so it needs the backend's counter — reject it on
6065 // runs_on: agent (decision E), and reject a meaningless 0.
6066 if let Some(mc) = self.constraints.max_concurrent {
6067 // Check the structural incompatibility (agent has no central
6068 // counter) before the value range, so a `max_concurrent: 0`
6069 // + `runs_on: agent` combo reports the more fundamental
6070 // problem first (claude #542).
6071 if matches!(self.runs_on, RunsOn::Agent) {
6072 return Err(
6073 "constraints.max_concurrent needs a central counter and is backend-only; \
6074 it cannot be combined with runs_on: agent (each agent self-schedules, \
6075 so there is no fleet-wide count to cap against)"
6076 .into(),
6077 );
6078 }
6079 if mc == 0 {
6080 return Err(
6081 "constraints.max_concurrent must be >= 1 (0 would never fire; \
6082 omit it for no cap)"
6083 .into(),
6084 );
6085 }
6086 }
6087 // #418: constraints.require (host-state env gates: ac_power /
6088 // idle / cpu_below / network) is sensed in-process by the agent,
6089 // so it needs runs_on: agent — the backend can't read a target
6090 // host's power / idle / cpu / connectivity state. Symmetric with
6091 // `when: { on }` (also agent-only); inverse of max_concurrent
6092 // (backend-only).
6093 if let Some(req) = &self.constraints.require {
6094 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
6095 return Err(
6096 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
6097 network) is sensed in-process by the agent and needs runs_on: agent; the \
6098 backend cannot read a target host's power / idle / cpu / connectivity state"
6099 .into(),
6100 );
6101 }
6102 // Reject a malformed idle duration at create time so the
6103 // fail-closed runtime path only ever bites a hand-edited
6104 // KV blob (mirror skip_dates / on_failure.retry).
6105 if let Some(err) = req.bad_idle() {
6106 return Err(err);
6107 }
6108 // cpu_below is a percent — reject out-of-range so a typo
6109 // can't make a schedule that never (>=100 is always-busy?
6110 // no — <0 never matches) or trivially fires.
6111 if let Some(c) = req.cpu_below
6112 && !(c > 0.0 && c <= 100.0)
6113 {
6114 return Err(format!(
6115 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
6116 omit it for no CPU requirement"
6117 ));
6118 }
6119 }
6120 // #418 Phase 4: a bad on_failure.retry is rejected at create
6121 // time — backoff must be valid humantime, and max is bounded
6122 // so a typo can't pin a flapping script in a tight loop.
6123 if let Some(r) = &self.on_failure.retry {
6124 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
6125 format!(
6126 "on_failure.retry.backoff: invalid duration '{}': {e}",
6127 r.backoff
6128 )
6129 })?;
6130 // The wire form lowers backoff to whole seconds, so a
6131 // sub-second value would silently become a 0s no-wait
6132 // (coderabbit #466). Reject it rather than honour a backoff
6133 // the operator can't actually get.
6134 if backoff.as_secs() < 1 {
6135 return Err(format!(
6136 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
6137 round to 0 on the wire",
6138 r.backoff
6139 ));
6140 }
6141 if !(1..=10).contains(&r.max) {
6142 return Err(format!(
6143 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
6144 attempts after the first run",
6145 r.max
6146 ));
6147 }
6148 }
6149 // A blank / whitespace-only tag renders an empty filter chip on
6150 // the Schedules page — reject it at create time, mirroring the
6151 // Manifest::validate tag guard.
6152 for tag in &self.tags {
6153 if tag.trim().is_empty() {
6154 return Err("tags must not contain empty entries".to_string());
6155 }
6156 }
6157 Ok(())
6158 }
6159}
6160
6161fn default_true() -> bool {
6162 true
6163}