kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::ipc::jobs::JobCategory;
4use crate::wire::{RunAs, Shell, Staleness};
5
6/// YAML job manifest (= registered "what to run", v0.18.0+).
7///
8/// Owns only script-intrinsic fields. **Who** (`target`), **how to
9/// phase fanout** (`rollout`), and **when to stagger start**
10/// (`jitter`) all moved to the Schedule / exec request side — same
11/// script can now be fired against different targets / rollouts
12/// without copying the script body.
13///
14/// #492: these types are READ fleet-wide (agents decode them from
15/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
16/// must tolerate unknown fields — `deny_unknown_fields` here made a
17/// gradually-upgrading fleet's OLD agents reject the whole object
18/// the moment a newer backend added any field. Operator typo
19/// protection (the old reason for the attribute) lives at the WRITE
20/// boundaries instead: `kanade job/schedule create` and the backend
21/// POST extractor parse via [`crate::strict`], which rejects unknown
22/// keys with their full paths. The wire rule: new fields always get
23/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
24/// may still be strict).
25#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
26pub struct Manifest {
27 pub id: String,
28 pub version: String,
29 #[serde(default)]
30 pub description: Option<String>,
31 pub execute: Execute,
32 #[serde(default)]
33 pub require_approval: bool,
34 /// Opt-in marker that this job produces a JSON inventory fact
35 /// payload on stdout. When present, the backend's results
36 /// projector parses `ExecResult.stdout` as JSON and upserts an
37 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
38 /// `display` sub-config drives the SPA's Inventory page render.
39 #[serde(default)]
40 pub inventory: Option<InventoryHint>,
41 /// Issue #246: opt-in marker that this job emits per-line
42 /// observability events on stdout (one JSON `ObsEvent` per
43 /// newline). When present, the agent — after the script exits
44 /// successfully — parses each non-empty stdout line as an
45 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
46 /// `obs_outbox`, and (intentionally) **omits the stdout from
47 /// the `ExecResult`** so the timeline data doesn't double up
48 /// in `execution_results.stdout` (which would multiply rows
49 /// by ~50/day/PC of noise).
50 ///
51 /// Distinct from `inventory:` (single JSON object → projector
52 /// upsert) — events are append-only timeline points consumed
53 /// by the dedicated `obs_events` table.
54 #[serde(default)]
55 pub emit: Option<EmitConfig>,
56 /// #290: opt-in marker that this job is an operator-defined
57 /// **health check** whose result feeds the Client App's Health
58 /// tab over KLP (`StateSnapshot.checks`). The script prints a
59 /// free-form JSON object on stdout (like any inventory job); the
60 /// agent reads the [`CheckHint::status_field`] value dynamically
61 /// into a [`crate::ipc::state::Check`] named `check.name`.
62 /// Cadence / windows / conditions come from
63 /// the job's Schedule (exactly like inventory) — there is
64 /// deliberately no interval here. **Composes with `inventory:`**:
65 /// the script's stdout is one JSON object, so a check can also
66 /// carry an `inventory:` block to project the rest of that object
67 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
68 /// `emit:` (NDJSON stdout) is incompatible.
69 #[serde(default)]
70 pub check: Option<CheckHint>,
71 /// #219: opt-in marker that this job COLLECTS files into a bundle.
72 /// The script does the collection work and prints a single JSON
73 /// object on stdout carrying a `files` array of paths (the field
74 /// name is [`CollectHint::files_field`], default `"files"`); the
75 /// agent — after the script exits successfully — zips those files,
76 /// uploads the archive to the `OBJECT_COLLECTIONS` Object Store
77 /// bucket (key `<pc_id>/<job_id>/<timestamp>.zip`), and records the
78 /// key in [`crate::wire::ExecResult::collect_object`]. The operator
79 /// downloads bundles from the SPA Collect page.
80 ///
81 /// Like `inventory:` / `check:` this reads a JSON object from stdout,
82 /// but it consumes that stdout for its OWN contract (a `files`
83 /// list), so it is mutually exclusive with `inventory:` / `check:` /
84 /// `emit:` (enforced in [`Manifest::validate`]). It composes with
85 /// `client:` — a `collect:` + `client:` job lets an end user trigger
86 /// a collection from the Client App (the same-host agent runs it).
87 #[serde(default, skip_serializing_if = "Option::is_none")]
88 pub collect: Option<CollectHint>,
89 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
90 /// what the agent does at fire time when it can't verify the
91 /// `script_current` / `script_status` KV values are fresh —
92 /// especially relevant for `runs_on: agent` schedules where
93 /// the agent may fire from cache while offline. Defaults to
94 /// `Staleness::Cached` (silently use cached values), which
95 /// matches every pre-v0.26 Manifest.
96 #[serde(default)]
97 pub staleness: Staleness,
98 /// #291: opt-in marker that this job is offered to **end users**
99 /// in the Client App's job tabs over KLP (`jobs.list` →
100 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
101 /// [`emit`]: the block's mere presence is the opt-in, and it
102 /// groups the end-user presentation fields (name / category /
103 /// icon) that only make sense for a user-facing job. `None`
104 /// (the default) ⇒ an operator-only job — inventory, checks,
105 /// scheduled maintenance — that never surfaces in the catalog.
106 ///
107 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
108 /// (SPEC §2.1), so removing the block takes a job out of a
109 /// running client on its next action.
110 ///
111 /// [`inventory`]: Manifest::inventory
112 /// [`check`]: Manifest::check
113 /// [`emit`]: Manifest::emit
114 #[serde(default, skip_serializing_if = "Option::is_none")]
115 pub client: Option<ClientHint>,
116 /// Free-form operator taxonomy for the Jobs catalog. Purely a
117 /// SPA-side organisational aid — agents / scheduler / projector
118 /// never read it — so it carries no runtime semantics and any
119 /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
120 /// cross-cut (a `check-bitlocker` is at once a health-check, a
121 /// security control, and Windows-specific), which is why this is
122 /// a multi-valued list rather than the single closed-enum
123 /// [`ClientHint::category`] (whose values are the end-user Client
124 /// App's tabs, a different concern). The operator Jobs page groups
125 /// rows by id-prefix for free; tags add the orthogonal filter axis
126 /// prefixes can't express.
127 ///
128 /// Empty by default (the overwhelming majority of jobs), and a
129 /// new field, so it follows the #492 wire rule: `serde(default)`
130 /// plus `skip_serializing_if` keep gradually-upgrading old readers
131 /// from tripping over its absence / presence.
132 #[serde(default, skip_serializing_if = "Vec::is_empty")]
133 pub tags: Vec<String>,
134 /// GitOps provenance (#678) — see [`RepoOrigin`]. Stamped by
135 /// `kanade job create` when the source YAML lives inside a Git work
136 /// tree, so the SPA can render the job read-only and point edits
137 /// back at the repo instead of letting a ClickOps edit silently
138 /// diverge from Git (SPEC design principle #3: 設定駆動 YAML + Git).
139 /// `None` for SPA-born jobs and for manifests applied from outside
140 /// any Git repo. Purely informational: agents / scheduler /
141 /// projector never read it, and it survives `script_file:` inlining
142 /// (it's orthogonal to the exactly-one-of script-source rule). New
143 /// field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
144 #[serde(default, skip_serializing_if = "Option::is_none")]
145 pub origin: Option<RepoOrigin>,
146}
147
148/// GitOps provenance for a repo-managed YAML artifact — a [`Manifest`]
149/// (#678) or a [`Schedule`] (#695). Populated by `kanade job create` /
150/// `kanade schedule create` from the Git context of the source YAML;
151/// the SPA reads it to render Git-managed entries read-only and link
152/// the operator back at the repo. Never consulted by the runtime.
153#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
154pub struct RepoOrigin {
155 /// Repo-relative path of the source YAML — the primary edit target
156 /// the SPA surfaces (e.g. `configs/jobs/foo.yaml`). Forward slashes
157 /// regardless of the authoring OS.
158 pub path: String,
159 /// `origin` remote URL, when the repo has one. Lets the SPA turn
160 /// `path` into a clickable link; `None` for remote-less repos.
161 #[serde(default, skip_serializing_if = "Option::is_none")]
162 pub repo: Option<String>,
163 /// Repo-relative path of the `script_file:` a job manifest inlined,
164 /// when it used one — a secondary pointer shown beneath `path`.
165 /// Always `None` for schedules (they carry no script).
166 #[serde(default, skip_serializing_if = "Option::is_none")]
167 pub script_file: Option<String>,
168}
169
170/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
171/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
172/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
173/// here keeps the validation + serialisation logic in one place.
174#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
175pub struct FanoutPlan {
176 #[serde(default)]
177 pub target: Target,
178 /// Optional wave rollout — when present, the backend publishes
179 /// each wave's group subject on its own delay schedule instead
180 /// of fanning out the `target` block in one go. `target` then
181 /// only labels the deploy for the audit log.
182 #[serde(default, skip_serializing_if = "Option::is_none")]
183 pub rollout: Option<Rollout>,
184 /// Optional humantime jitter; agent uses it to randomise
185 /// execution start. Lives here (not on the script) so different
186 /// schedules / ad-hoc fires of the same job can pick different
187 /// stagger windows.
188 #[serde(default, skip_serializing_if = "Option::is_none")]
189 pub jitter: Option<String>,
190 /// Absolute time the scheduler stamps on each emitted Command
191 /// when this exec was driven by a [`Schedule`] with
192 /// `starting_deadline`. Agents receiving a Command after this
193 /// instant publish a synthetic skipped-result instead of
194 /// running the script. `None` (default) = no deadline / catch
195 /// up whenever delivered. Operators don't usually set this
196 /// directly — the scheduler computes it from `tick_at +
197 /// starting_deadline`.
198 #[serde(default, skip_serializing_if = "Option::is_none")]
199 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
200}
201
202/// Manifest sub-section: how the SPA should render the inventory
203/// facts this job produces. Each field name (`field`) is a top-level
204/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
205///
206/// Two render modes:
207/// * `display` — vertical "field / value" per PC, used by the
208/// `/inventory?pc=<id>` detail view. ALL columns the operator
209/// wants visible on the detail page.
210/// * `summary` — horizontal table across the fleet (row = PC,
211/// column = field) on `/inventory`. Optional; when omitted the
212/// SPA falls back to `display`, but operators usually want a
213/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
214#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
215pub struct InventoryHint {
216 /// Detail-view columns, in order.
217 pub display: Vec<DisplayField>,
218 /// Optional fleet-list columns (row = PC). Defaults to `display`
219 /// when omitted, but operators usually pick a 3-5 column subset.
220 #[serde(default, skip_serializing_if = "Option::is_none")]
221 pub summary: Option<Vec<DisplayField>>,
222 /// v0.31 / #40: payload arrays that should be exploded into
223 /// per-element rows of a derived SQLite table. Lets operators
224 /// answer cross-PC questions ("which PCs still have Chrome <
225 /// 120?", "C: >90% full") with normal SQL filters + indexes
226 /// instead of grepping JSON. The projector creates the derived
227 /// table on register and replaces this PC's rows on each result
228 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
229 /// [`ExplodeSpec`] for the per-spec schema.
230 #[serde(default, skip_serializing_if = "Option::is_none")]
231 pub explode: Option<Vec<ExplodeSpec>>,
232 /// v0.35 / #93: top-level scalar fields whose changes the
233 /// projector logs to `inventory_history` (one event per
234 /// changed field per scan). Pairs with `explode[].track_history`
235 /// — that covers array elements; this covers single-valued
236 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
237 /// `os_build` that operators want to track for "did the RAM
238 /// get upgraded?" / "when did Win 11 land on this PC?" /
239 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
240 /// in the history row, `identity_json` is NULL, `before_json`
241 /// / `after_json` each carry `{"value": <prior or new value>}`.
242 /// First-ever observation of a scalar (no prior facts row)
243 /// emits `added`; subsequent value changes emit `changed`. No
244 /// `removed` events — a scalar disappearing from the payload
245 /// is rare and the operator can still see the last value via
246 /// the `before_json` of the most recent change.
247 #[serde(default, skip_serializing_if = "Option::is_none")]
248 pub history_scalars: Option<Vec<String>>,
249}
250
251/// Manifest sub-section (#290): marks a job as an operator-defined
252/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
253/// The stdout contract is a free-form JSON object (same as any
254/// inventory job) from which the agent reads `status_field` /
255/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
256/// on the Client App's Health tab.
257///
258/// There is deliberately **no timing field** — when / how often /
259/// in which window a check runs is driven by the job's Schedule,
260/// exactly like inventory jobs, so operators get the full `when:` /
261/// rollout / `runs_on` expressiveness for free.
262///
263/// A check's stdout is a **free-form inventory object** (arbitrary
264/// key/value pairs + arrays) — same as any inventory job — that also
265/// carries a status field. `check:` adds only the health semantics on
266/// top: which field is the ok/warn/fail/unknown status, an optional
267/// one-line summary field, and a remediation job. Everything else
268/// (rich per-PC detail, `explode` sub-tables like a software list) is
269/// driven by a co-present [`InventoryHint`] and rendered with the
270/// SAME display logic the SPA Inventory page uses — on the Client App
271/// too. This keeps checks maximally expressive without a bespoke
272/// payload type.
273#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
274pub struct CheckHint {
275 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
276 /// the SPA/Client React key + analytics label. Unique within the
277 /// fleet's check set. Machine-friendly slug (`disk_space`,
278 /// `defender_rtp`); for the human-facing row title see [`label`].
279 ///
280 /// [`label`]: CheckHint::label
281 pub name: String,
282 /// Optional human-facing display title →
283 /// [`Check.label`](crate::ipc::state::Check). The Client App's
284 /// Health tab and the operator SPA's Compliance page render this
285 /// instead of the [`name`](CheckHint::name) slug when set
286 /// (`"ウイルス対策のリアルタイム保護"` reads better than
287 /// `defender_rtp`). Falls back to the slug when absent, so it's
288 /// purely additive. Author it in the check's language — there's no
289 /// per-locale variant; checks are operator-defined per fleet.
290 #[serde(default, skip_serializing_if = "Option::is_none")]
291 pub label: Option<String>,
292 /// Top-level stdout field whose string value
293 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
294 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
295 /// `"status"`; a missing / unparseable value → `unknown`.
296 #[serde(default = "default_status_field")]
297 pub status_field: String,
298 /// Top-level stdout field used as the Health-tab row's one-line
299 /// summary. Defaults to `"detail"`; absent in the payload → no
300 /// detail line (the rich breakdown lives in the inventory view).
301 #[serde(default = "default_detail_field")]
302 pub detail_field: String,
303 /// Optional remediation job id →
304 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
305 /// App shows a "修復する" button when present; that job must be
306 /// `user_invokable`.
307 #[serde(default, skip_serializing_if = "Option::is_none")]
308 pub troubleshoot: Option<String>,
309 /// #290 PR-E: when `true` (default), the backend also projects this
310 /// check's `status` / `detail` into the `check_status` table so the
311 /// operator SPA gets a fleet-wide compliance view for free — no
312 /// `inventory:` block needed. Set `fleet: false` for a client-only
313 /// check the operator doesn't want surfaced across the fleet.
314 #[serde(default = "default_fleet")]
315 pub fleet: bool,
316}
317
318fn default_status_field() -> String {
319 "status".to_string()
320}
321
322fn default_detail_field() -> String {
323 "detail".to_string()
324}
325
326fn default_fleet() -> bool {
327 true
328}
329
330fn default_files_field() -> String {
331 "files".to_string()
332}
333
334/// Fallback cap on a collect bundle's total input size when the
335/// manifest's `collect.max_size` is unset. 50 MB (decimal).
336pub const DEFAULT_COLLECT_MAX_SIZE: u64 = 50 * 1_000_000;
337
338/// Manifest sub-section (#219): marks a job as a **file collector** and
339/// carries how the collected bundle presents in the SPA. Parallel to
340/// [`InventoryHint`] / [`CheckHint`] — the block's presence is the
341/// opt-in. The script prints a single JSON object on stdout whose
342/// [`files_field`](CollectHint::files_field) key holds an array of file
343/// paths to bundle (env vars are expanded); the agent zips them and
344/// uploads to `OBJECT_COLLECTIONS`. See [`Manifest::collect`].
345#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
346pub struct CollectHint {
347 /// Operator/end-user-facing title for the collection, shown as the
348 /// bundle's heading on the SPA Collect page (and the Client App row
349 /// when paired with `client:`). Required; validated non-empty.
350 pub name: String,
351 /// Optional one-line description of what the bundle contains.
352 #[serde(default, skip_serializing_if = "Option::is_none")]
353 pub description: Option<String>,
354 /// Human-readable cap on the bundle's total input size
355 /// (`"50MB"`, `"500KB"`, `"1GiB"`). The agent refuses to build a
356 /// bundle whose listed files exceed this. `None` ⇒
357 /// [`DEFAULT_COLLECT_MAX_SIZE`]. Parsed by [`parse_size_bytes`];
358 /// [`Manifest::validate`] rejects an unparseable value at create
359 /// time.
360 ///
361 /// Note: this bounds the **uncompressed** bytes the agent reads off
362 /// disk, not the resulting zip. Text logs compress well, so the
363 /// download is usually much smaller; many tiny files add a little
364 /// per-entry zip overhead. Read it as "how much the agent reads +
365 /// packs", not "the exact download size".
366 #[serde(default, skip_serializing_if = "Option::is_none")]
367 pub max_size: Option<String>,
368 /// Top-level stdout JSON key holding the array of file paths to
369 /// bundle. Defaults to `"files"`.
370 #[serde(default = "default_files_field")]
371 pub files_field: String,
372}
373
374impl CollectHint {
375 /// The effective size cap in bytes — the parsed `max_size` or
376 /// [`DEFAULT_COLLECT_MAX_SIZE`] when unset. Assumes `max_size` (if
377 /// present) already passed [`Manifest::validate`]; falls back to the
378 /// default on a parse error rather than panicking on the fire path.
379 pub fn max_size_bytes(&self) -> u64 {
380 match &self.max_size {
381 Some(s) => parse_size_bytes(s).unwrap_or(DEFAULT_COLLECT_MAX_SIZE),
382 None => DEFAULT_COLLECT_MAX_SIZE,
383 }
384 }
385}
386
387/// Parse a human-readable byte size (`"50MB"`, `"500 KB"`, `"1GiB"`,
388/// `"1024"`). Decimal units (KB/MB/GB) are 1000-based; binary units
389/// (KiB/MiB/GiB) are 1024-based; a bare number (or `B`) is bytes.
390/// Case-insensitive. Shared by `collect.max_size` validation and the
391/// agent's bundle-size enforcement.
392pub fn parse_size_bytes(s: &str) -> Result<u64, String> {
393 let t = s.trim();
394 if t.is_empty() {
395 return Err("size must not be empty".to_string());
396 }
397 let split = t.find(|c: char| !c.is_ascii_digit()).unwrap_or(t.len());
398 let (num_str, unit_raw) = t.split_at(split);
399 if num_str.is_empty() {
400 return Err(format!("size '{s}': missing leading number"));
401 }
402 let num: u64 = num_str
403 .parse()
404 .map_err(|_| format!("size '{s}': bad number '{num_str}'"))?;
405 let mult: u64 = match unit_raw.trim().to_ascii_lowercase().as_str() {
406 "" | "b" => 1,
407 "kb" => 1_000,
408 "mb" => 1_000_000,
409 "gb" => 1_000_000_000,
410 "kib" => 1024,
411 "mib" => 1024 * 1024,
412 "gib" => 1024 * 1024 * 1024,
413 other => {
414 return Err(format!(
415 "size '{s}': unknown unit '{other}' (use B/KB/MB/GB/KiB/MiB/GiB)"
416 ));
417 }
418 };
419 num.checked_mul(mult)
420 .ok_or_else(|| format!("size '{s}': overflow"))
421}
422
423/// Manifest sub-section (#291): marks a job as **user-invokable**
424/// from the Client App and carries how it presents to the end user.
425/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
426/// the block's presence is the opt-in (no separate boolean), and its
427/// required fields (`name`, `category`) are enforced by serde at
428/// parse time, so a half-filled catalog entry fails
429/// `kanade job create` instead of rendering a nameless / tab-less row.
430///
431/// The agent maps this 1:1 into the KLP
432/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
433/// that `jobs.list` returns; the Client App renders one row per job in
434/// the tab named by `category`.
435#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
436pub struct ClientHint {
437 /// End-user-facing title for the job row. The operator-internal
438 /// `Manifest::id` slug is rarely what an end user should read, so
439 /// this is required (and validated non-empty by
440 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
441 pub name: String,
442 /// Optional one-line subtitle under `name` in the Client App.
443 /// Distinct from the operator-facing top-level
444 /// [`Manifest::description`] — this one is written for the end
445 /// user. Maps to `UserInvokableJob::display_description`.
446 #[serde(default, skip_serializing_if = "Option::is_none")]
447 pub description: Option<String>,
448 /// Which Client App tab the job lives in (`software_update` →
449 /// アップデート, `troubleshoot` → 困ったとき, `catalog` → software
450 /// catalog). Required — without it the agent can't place the job
451 /// in a tab.
452 pub category: JobCategory,
453 /// Optional icon hint for the job row — a lucide-react icon name
454 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
455 /// category's default icon. Surfaced verbatim in
456 /// `jobs.list[].icon`.
457 #[serde(default, skip_serializing_if = "Option::is_none")]
458 pub icon: Option<String>,
459}
460
461/// Issue #246 — `emit:` manifest block for jobs whose stdout is
462/// NDJSON observability events (one `ObsEvent` per line). Parallel
463/// to `inventory:` but for the append-only timeline pipeline; see
464/// `Manifest::emit` for the full contract.
465#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
466pub struct EmitConfig {
467 /// What kind of payload the agent should expect on stdout. Only
468 /// `events` is defined today (parses each non-empty line as
469 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
470 /// (e.g. metrics streams, structured trace events) plug in here.
471 #[serde(rename = "type")]
472 pub kind: EmitKind,
473 /// Operator hint for where the script keeps its own state — the
474 /// watermark file the PowerShell / sh body reads + writes
475 /// between runs so it only emits NEW events since the last
476 /// poll. The agent doesn't read this; it's documentation that
477 /// the SPA (and `kanade job edit`) can surface to operators
478 /// reviewing the manifest. Optional; the script is allowed to
479 /// keep state anywhere (registry, env, etc.) — the field's
480 /// presence makes the convention discoverable.
481 #[serde(default, skip_serializing_if = "Option::is_none")]
482 pub watermark_path: Option<String>,
483}
484
485/// `emit.type` enum. Lowercase serde so manifests read
486/// `type: events` rather than `Events`.
487#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
488#[serde(rename_all = "lowercase")]
489pub enum EmitKind {
490 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
491 /// `obs.<pc_id>`, drops the stdout from the resulting
492 /// `ExecResult`.
493 Events,
494}
495
496/// v0.31 / #40: declarative "flatten this JSON array into a real
497/// SQLite table" spec on an inventory manifest. The projector
498/// creates the table on first registration (CREATE TABLE IF NOT
499/// EXISTS + indexes) and writes a row per element of
500/// `payload[field]` on every result, scoped by (pc_id, job_id) so
501/// each PC's rows replace cleanly without a per-PC schema.
502#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
503pub struct ExplodeSpec {
504 /// JSON array key under the payload to explode. E.g. `"apps"`
505 /// for `payload: { apps: [{...}, {...}] }`.
506 pub field: String,
507 /// Derived SQLite table name. Operators choose this — pick
508 /// something namespaced + stable (`inventory_sw_apps`, not
509 /// `apps`) so multiple inventory manifests don't collide on a
510 /// generic name.
511 pub table: String,
512 /// Element-level fields that uniquely identify a row inside one
513 /// PC's payload. The full PK is `(pc_id, job_id) + these
514 /// columns`. Required — operators must think about uniqueness
515 /// (e.g. `["name", "source"]` for installed apps because the
516 /// same name appears in multiple uninstall hives).
517 ///
518 /// v0.31 / #41: same tuple drives history identity. When
519 /// `track_history` is on, the projector serialises these
520 /// fields' values into `inventory_history.identity_json` for
521 /// every change event, so queries like "every PC that ever
522 /// installed Chrome (any source)" filter on identity_json
523 /// content without a per-manifest schema.
524 pub primary_key: Vec<String>,
525 /// Per-element fields that become columns in the derived table.
526 pub columns: Vec<ExplodeColumn>,
527 /// v0.31 / #41: when true (default false), the projector
528 /// diffs each PC's incoming payload against the prior rows
529 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
530 /// replace, and writes added / removed / changed events into
531 /// `inventory_history`. Lets operators answer time-dimension
532 /// questions ("when did Chrome 120 first appear on PC X?",
533 /// "what's the Win 11 23H2 rollout curve") without storing
534 /// per-scan snapshots. Off by default so operators opt in
535 /// per-spec — history has a real storage cost on long-lived
536 /// deployments (mitigated by the 90-day default retention
537 /// sweeper, see `cleanup` module).
538 #[serde(default)]
539 pub track_history: bool,
540}
541
542/// One column in an [`ExplodeSpec`]'s derived table.
543#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
544pub struct ExplodeColumn {
545 /// JSON key under each array element. Becomes the column name
546 /// in the derived SQLite table — we don't rename.
547 pub field: String,
548 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
549 /// Storage maps directly via `sqlx::query.bind(...)`; type
550 /// mismatches at INSERT-time fail loudly rather than silently
551 /// dropping the row.
552 #[serde(default, skip_serializing_if = "Option::is_none")]
553 #[serde(rename = "type")]
554 pub kind: Option<String>,
555 /// When true, the projector creates a `CREATE INDEX` on this
556 /// column at table-creation time. Boost for the common-filter
557 /// columns (`name`, `version`) — operators mark them
558 /// explicitly, the projector won't guess.
559 #[serde(default)]
560 pub index: bool,
561}
562
563#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
564pub struct DisplayField {
565 /// Top-level key in the stdout JSON.
566 pub field: String,
567 /// Human-readable column header.
568 pub label: String,
569 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
570 /// or `"table"` (#39). Defaults to plain text rendering on the
571 /// SPA side. `"table"` expects the field's value to be a JSON
572 /// array of objects and renders a nested sub-table on the
573 /// per-PC detail page using `columns` as the schema; the fleet
574 /// summary view falls back to showing the row count for
575 /// `"table"` cells so the wide list stays compact.
576 #[serde(default, skip_serializing_if = "Option::is_none")]
577 #[serde(rename = "type")]
578 pub kind: Option<String>,
579 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
580 /// field's value (an array of objects like
581 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
582 /// sub-table using these columns. Each column is itself a
583 /// `DisplayField`, so the nested cells reuse the same render
584 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
585 /// pipeline. Ignored for any other `kind`.
586 #[serde(default, skip_serializing_if = "Option::is_none")]
587 pub columns: Option<Vec<DisplayField>>,
588}
589
590#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
591pub struct Rollout {
592 #[serde(default)]
593 pub strategy: RolloutStrategy,
594 pub waves: Vec<Wave>,
595}
596
597#[derive(
598 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
599)]
600#[serde(rename_all = "lowercase")]
601pub enum RolloutStrategy {
602 #[default]
603 Wave,
604}
605
606#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
607pub struct Wave {
608 pub group: String,
609 /// humantime delay measured from the deploy's publish time. wave[0]
610 /// typically has "0s"; subsequent waves use minutes / hours.
611 pub delay: String,
612}
613
614#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
615pub struct Target {
616 #[serde(default)]
617 pub groups: Vec<String>,
618 #[serde(default)]
619 pub pcs: Vec<String>,
620 #[serde(default)]
621 pub all: bool,
622}
623
624impl Target {
625 /// At least one of all / groups / pcs is set.
626 pub fn is_specified(&self) -> bool {
627 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
628 }
629}
630
631#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
632pub struct Execute {
633 pub shell: ExecuteShell,
634 /// Inline script body. Mutually exclusive with [`script_file`]
635 /// and [`script_object`]; exactly one of the three must be set
636 /// (enforced by [`Execute::validate_script_source`] at the
637 /// write-side parse boundaries — `kanade job create` and
638 /// `POST /api/jobs`).
639 ///
640 /// Empty string is treated as **unset** so operators can swap
641 /// to a `script_file:` / `script_object:` alternative just by
642 /// commenting out the body, without having to also drop the
643 /// `script:` key entirely.
644 ///
645 /// [`script_file`]: Self::script_file
646 /// [`script_object`]: Self::script_object
647 #[serde(default, skip_serializing_if = "Option::is_none")]
648 pub script: Option<String>,
649 /// Repo-local file path resolved by the operator-side CLI at
650 /// `kanade job create` time. The CLI reads the file, slots its
651 /// contents into `script`, and clears this field before
652 /// POSTing — so the backend / agents never see `script_file`
653 /// in stored manifests. SPEC §2.4.1.
654 ///
655 /// Resolver lands in a follow-up PR
656 /// (yukimemi/kanade#210); today this field passes parse-time
657 /// validation but the operator-side CLI bails with "not yet
658 /// implemented" until the resolver ships, so manifests that
659 /// reach the backend with `script_file` set are treated as a
660 /// schema-bug.
661 #[serde(default, skip_serializing_if = "Option::is_none")]
662 pub script_file: Option<String>,
663 /// Object Store reference (`<name>/<version>`) into the
664 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
665 /// at Execute time via `/api/script-objects/{name}/{version}`
666 /// and cache it locally. SPEC §2.4.1.
667 ///
668 /// Fully wired (#210/#211): the backend resolves the digest at
669 /// exec submission (`api::exec::resolve_script_source`), the agent
670 /// fetches + sha-verifies + caches the body (`script_cache`), and
671 /// `kanade script` CRUDs the store. Unlike `script_file:` (inlined
672 /// CLI-side, git-managed), this keeps the body in versioned,
673 /// digest-pinned object storage — the ops-managed counterpart.
674 #[serde(default, skip_serializing_if = "Option::is_none")]
675 pub script_object: Option<String>,
676 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
677 /// — represents how long this script reasonably takes to run.
678 pub timeout: String,
679 /// Token + session combination the agent uses to launch the
680 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
681 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
682 #[serde(default)]
683 pub run_as: RunAs,
684 /// Working directory for the spawned child (v0.21.1). When
685 /// unset, the child inherits the agent's cwd — on Windows that
686 /// means `%SystemRoot%\System32` for the prod service, which is
687 /// almost never what operators actually want. Use an absolute
688 /// path; relative paths are passed through to the OS verbatim.
689 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
690 /// you'd want `%USERPROFILE%` (but expansion happens in the
691 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
692 /// it via teravars before `kanade job create`).
693 #[serde(default, skip_serializing_if = "Option::is_none")]
694 pub cwd: Option<String>,
695}
696
697impl Execute {
698 /// Treat an empty `script:` body as "intentionally unset". Operators
699 /// commenting out a block-scalar tend to leave the key behind, and
700 /// failing the validator on `script: ""` would surprise them.
701 fn has_inline_script(&self) -> bool {
702 matches!(&self.script, Some(s) if !s.is_empty())
703 }
704
705 /// Enforce that exactly one of `script` / `script_file` /
706 /// `script_object` is set. Called at the write-side parse
707 /// boundaries (CLI `kanade job create` + backend
708 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
709 /// reaches the JOBS KV. Read paths (projector, agent
710 /// scheduler, list endpoints) skip this check — they only ever
711 /// see what the write path already validated.
712 pub fn validate_script_source(&self) -> Result<(), String> {
713 let inline = self.has_inline_script();
714 let file = self.script_file.is_some();
715 let obj = self.script_object.is_some();
716 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
717 match set {
718 1 => Ok(()),
719 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
720 _ => Err(format!(
721 "execute: only one of `script` / `script_file` / `script_object` may be set \
722 (got script={inline}, script_file={file}, script_object={obj})"
723 )),
724 }
725 }
726}
727
728impl Manifest {
729 /// Cross-field semantic checks that don't fit into pure serde
730 /// derive. Currently delegates to
731 /// [`Execute::validate_script_source`] — see that method's
732 /// docs for the rationale on which call sites should run this.
733 pub fn validate(&self) -> Result<(), String> {
734 self.execute.validate_script_source()?;
735 // Stdout-format compatibility. `inventory:` and `check:` both
736 // consume the SAME single JSON object — they COMPOSE: a check
737 // can extract `status`/`detail` for the Health tab while the
738 // projector explodes the rest into SPA sub-tables. `emit:` is
739 // different — its stdout is NDJSON and the agent omits it from
740 // the result entirely — so it can't be paired with either.
741 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
742 return Err(
743 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
744 timeline events (and omitted from the result), while inventory/check read a \
745 single JSON object from stdout"
746 .to_string(),
747 );
748 }
749 // `collect:` consumes stdout for its OWN contract (a JSON object
750 // carrying a `files` array), so unlike the inventory+check pair it
751 // can't share stdout with another stdout-reading hint. It composes
752 // only with `client:` (which doesn't touch stdout).
753 if self.collect.is_some()
754 && (self.inventory.is_some() || self.check.is_some() || self.emit.is_some())
755 {
756 return Err(
757 "`collect:` is incompatible with `inventory:` / `check:` / `emit:` — collect \
758 reads its own `files` JSON object from stdout. (It composes with `client:`.)"
759 .to_string(),
760 );
761 }
762 // A check's `name` is the Health-tab row id (React key); the
763 // field names tell the agent where to read status/detail.
764 // An empty value is an invisible runtime bug, and the serde
765 // defaults don't guard an operator who writes `status_field:
766 // ""` explicitly — reject all three here.
767 if let Some(check) = &self.check {
768 for (label, value) in [
769 ("check.name", &check.name),
770 ("check.status_field", &check.status_field),
771 ("check.detail_field", &check.detail_field),
772 ] {
773 if value.trim().is_empty() {
774 return Err(format!("{label} must not be empty"));
775 }
776 }
777 // A present-but-blank `troubleshoot` is a broken
778 // remediation job id (the "修復する" button would target
779 // an empty manifest id) — reject it too.
780 if let Some(troubleshoot) = &check.troubleshoot {
781 if troubleshoot.trim().is_empty() {
782 return Err("check.troubleshoot must not be empty when set".to_string());
783 }
784 }
785 // A present-but-blank `label` would render an empty row
786 // title on the Health tab / Compliance page — reject it so
787 // the slug fallback only ever kicks in when label is absent.
788 if let Some(label) = &check.label {
789 if label.trim().is_empty() {
790 return Err("check.label must not be empty when set".to_string());
791 }
792 }
793 }
794 // #291: a `client:` job is rendered in the Client App's
795 // catalog (`jobs.list` → `jobs.execute`). serde already makes
796 // `name` + `category` required at parse time; the only gap is
797 // a present-but-blank `name`, which would render an empty row
798 // title — reject it like the other display-id fields.
799 if let Some(client) = &self.client {
800 if client.name.trim().is_empty() {
801 return Err("client.name must not be empty".to_string());
802 }
803 // Optional display fields, when present, must be
804 // meaningful: a blank `description` renders an empty
805 // subtitle and a blank `icon` is a dangling lucide name.
806 // Same present-but-blank guard the `check:` block applies
807 // to its optional `troubleshoot` id.
808 for (label, value) in [
809 ("client.description", &client.description),
810 ("client.icon", &client.icon),
811 ] {
812 if let Some(v) = value {
813 if v.trim().is_empty() {
814 return Err(format!("{label} must not be empty when set"));
815 }
816 }
817 }
818 }
819 // #219: a `collect:` job's `name` heads the bundle on the SPA
820 // Collect page (and the Client App row when paired with
821 // `client:`), `files_field` tells the agent where to read the
822 // path list, and `max_size` must be a parseable size so a typo
823 // is caught at create time rather than silently capping the
824 // bundle at the default on the fire path.
825 if let Some(collect) = &self.collect {
826 if collect.name.trim().is_empty() {
827 return Err("collect.name must not be empty".to_string());
828 }
829 if collect.files_field.trim().is_empty() {
830 return Err("collect.files_field must not be empty".to_string());
831 }
832 if let Some(description) = &collect.description {
833 if description.trim().is_empty() {
834 return Err("collect.description must not be empty when set".to_string());
835 }
836 }
837 if let Some(max_size) = &collect.max_size {
838 parse_size_bytes(max_size).map_err(|e| format!("collect.max_size: {e}"))?;
839 }
840 }
841 // A blank / whitespace-only tag is an invisible operator typo
842 // that would render an empty filter chip on the Jobs page —
843 // reject it like the other present-but-blank display fields.
844 for tag in &self.tags {
845 if tag.trim().is_empty() {
846 return Err("tags must not contain empty entries".to_string());
847 }
848 }
849 Ok(())
850 }
851}
852
853#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
854#[serde(rename_all = "lowercase")]
855pub enum ExecuteShell {
856 Powershell,
857 Cmd,
858}
859
860impl From<ExecuteShell> for Shell {
861 fn from(s: ExecuteShell) -> Self {
862 match s {
863 ExecuteShell::Powershell => Shell::Powershell,
864 ExecuteShell::Cmd => Shell::Cmd,
865 }
866 }
867}
868
869#[cfg(test)]
870mod tests {
871 use super::*;
872
873 /// The example check-job + schedule YAMLs shipped under `configs/`
874 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
875 /// pins them at compile time so a breaking edit fails `cargo test`
876 /// rather than only `kanade job create` at deploy time.
877 #[test]
878 fn example_check_job_yamls_parse_and_validate() {
879 let jobs = [
880 (
881 "check-bitlocker",
882 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
883 ),
884 (
885 "check-av-signature",
886 include_str!("../../../configs/jobs/check-av-signature.yaml"),
887 ),
888 (
889 "check-cert-expiry",
890 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
891 ),
892 (
893 "check-disk-space",
894 include_str!("../../../configs/jobs/check-disk-space.yaml"),
895 ),
896 (
897 "check-pending-reboot",
898 include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
899 ),
900 (
901 "check-defender-rtp",
902 include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
903 ),
904 (
905 "check-firewall",
906 include_str!("../../../configs/jobs/check-firewall.yaml"),
907 ),
908 ];
909 for (name, yaml) in jobs {
910 let m: Manifest =
911 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
912 m.validate()
913 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
914 let check = m
915 .check
916 .as_ref()
917 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
918 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
919 // These examples all read admin-only WMI / registry / netsh
920 // state, so they run_as system. NOTE: that's a property of
921 // these particular checks, NOT of the `check:` contract — a
922 // check probing user-session state could run_as user.
923 assert_eq!(
924 m.execute.run_as,
925 RunAs::System,
926 "{name} should run_as system"
927 );
928 }
929 }
930
931 /// The example user-invokable job YAMLs (#291) shipped under
932 /// `configs/jobs/` must stay valid as the `client:` schema
933 /// evolves. `include_str!` pins them at compile time so a breaking
934 /// edit fails `cargo test`, not `kanade job create` at deploy.
935 #[test]
936 fn example_client_job_yamls_parse_and_validate() {
937 let jobs = [
938 (
939 "fix-teams-cache",
940 JobCategory::Troubleshoot,
941 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
942 ),
943 (
944 "chrome-update",
945 JobCategory::SoftwareUpdate,
946 include_str!("../../../configs/jobs/chrome-update.yaml"),
947 ),
948 (
949 "install-slack",
950 JobCategory::Catalog,
951 include_str!("../../../configs/jobs/install-slack.yaml"),
952 ),
953 (
954 "fix-defender-rtp",
955 JobCategory::Troubleshoot,
956 include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
957 ),
958 ];
959 for (id, category, yaml) in jobs {
960 let m: Manifest =
961 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
962 m.validate()
963 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
964 assert_eq!(m.id, id, "{id} id mismatch");
965 let client = m
966 .client
967 .as_ref()
968 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
969 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
970 assert_eq!(client.category, category, "{id} category");
971 }
972 }
973
974 /// #219: the shipped `collect:` example must stay valid as the
975 /// schema evolves. `include_str!` pins it at compile time so a
976 /// breaking edit (or a YAML typo in the PowerShell block) fails
977 /// `cargo test` rather than `kanade job create` at deploy. It carries
978 /// both `collect:` and `client:` (end-user-triggerable), which must
979 /// compose.
980 #[test]
981 fn example_collect_job_yaml_parses_and_validates() {
982 let yaml = include_str!("../../../configs/jobs/collect-diagnostics.yaml");
983 let m: Manifest = serde_yaml::from_str(yaml).expect("collect-diagnostics parse");
984 m.validate().expect("collect-diagnostics validate");
985 assert_eq!(m.id, "collect-diagnostics");
986 let collect = m.collect.as_ref().expect("collect: block present");
987 assert!(!collect.name.trim().is_empty());
988 assert_eq!(collect.files_field, "files");
989 assert_eq!(collect.max_size_bytes(), 50_000_000);
990 // collect + client compose — the Client App can trigger it.
991 assert!(
992 m.client.is_some(),
993 "collect-diagnostics also carries client:"
994 );
995 }
996
997 /// The `emit: { type: events }` collector jobs under
998 /// `configs/jobs/` feed the obs_events timeline. `include_str!`
999 /// pins them at compile time so a breaking edit (e.g. an `emit:`
1000 /// paired with `check:`/`inventory:`, a bad watermark field, or a
1001 /// YAML typo in the PowerShell block) fails `cargo test` rather
1002 /// than `kanade job create` at deploy. Every one must carry an
1003 /// `emit.type=events` block and NO check/inventory (validate()
1004 /// rejects the pairing).
1005 #[test]
1006 fn example_event_collector_job_yamls_parse_and_validate() {
1007 let jobs = [
1008 (
1009 "collect-winlog-events",
1010 include_str!("../../../configs/jobs/collect-winlog-events.yaml"),
1011 ),
1012 (
1013 "collect-winlog-logons-all",
1014 include_str!("../../../configs/jobs/collect-winlog-logons-all.yaml"),
1015 ),
1016 (
1017 "collect-wlan-events",
1018 include_str!("../../../configs/jobs/collect-wlan-events.yaml"),
1019 ),
1020 ];
1021 for (id, yaml) in jobs {
1022 // Strict parse so an unknown-key typo in these fixtures fails
1023 // here (not silently at deploy) — the runtime Manifest is
1024 // unknown-key-tolerant, so the lenient serde_yaml::from_str
1025 // wouldn't catch fixture drift (CodeRabbit #689).
1026 let m: Manifest =
1027 crate::strict::from_yaml_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1028 m.validate()
1029 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1030 assert_eq!(m.id, id, "{id} id mismatch");
1031 let emit = m
1032 .emit
1033 .as_ref()
1034 .unwrap_or_else(|| panic!("{id} must carry an emit: block"));
1035 assert_eq!(emit.kind, EmitKind::Events, "{id} emit.type");
1036 assert!(
1037 m.check.is_none() && m.inventory.is_none(),
1038 "{id}: emit jobs must not pair with check/inventory"
1039 );
1040 }
1041 }
1042
1043 /// The `inventory:` snapshot jobs under `configs/jobs/` project
1044 /// facts into `inventory_facts` + exploded tables. `include_str!`
1045 /// pins them at compile time so a breaking edit (bad explode
1046 /// schema, a YAML typo in the PowerShell block, an `inventory:`
1047 /// accidentally paired with `emit:`) fails `cargo test` rather
1048 /// than the projector at deploy. Each must carry an `inventory:`
1049 /// block and NO emit (validate() rejects the pairing).
1050 #[test]
1051 fn example_inventory_job_yamls_parse_and_validate() {
1052 let jobs = [
1053 (
1054 "inventory-hw",
1055 include_str!("../../../configs/jobs/inventory-hw.yaml"),
1056 ),
1057 (
1058 "inventory-sw",
1059 include_str!("../../../configs/jobs/inventory-sw.yaml"),
1060 ),
1061 (
1062 "inventory-driver",
1063 include_str!("../../../configs/jobs/inventory-driver.yaml"),
1064 ),
1065 ];
1066 for (id, yaml) in jobs {
1067 let m: Manifest =
1068 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1069 m.validate()
1070 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1071 assert_eq!(m.id, id, "{id} id mismatch");
1072 assert!(m.inventory.is_some(), "{id} must carry an inventory: block");
1073 assert!(m.emit.is_none(), "{id}: inventory jobs must not set emit:");
1074 }
1075 }
1076
1077 #[test]
1078 fn example_check_schedule_yamls_parse_and_validate() {
1079 let schedules = [
1080 (
1081 "check-bitlocker",
1082 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
1083 ),
1084 (
1085 "check-av-signature",
1086 include_str!("../../../configs/schedules/check-av-signature.yaml"),
1087 ),
1088 (
1089 "check-cert-expiry",
1090 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
1091 ),
1092 (
1093 "check-disk-space",
1094 include_str!("../../../configs/schedules/check-disk-space.yaml"),
1095 ),
1096 (
1097 "check-pending-reboot",
1098 include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
1099 ),
1100 (
1101 "check-defender-rtp",
1102 include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
1103 ),
1104 (
1105 "check-firewall",
1106 include_str!("../../../configs/schedules/check-firewall.yaml"),
1107 ),
1108 ];
1109 for (name, yaml) in schedules {
1110 let s: Schedule =
1111 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1112 s.validate()
1113 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1114 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1115 }
1116 }
1117
1118 /// Inventory schedule wrappers (`per_pc` cadence) must stay valid
1119 /// alongside the schedule schema. `include_str!` pins them so a
1120 /// breaking edit fails `cargo test`, not `kanade schedule create`.
1121 #[test]
1122 fn example_inventory_schedule_yamls_parse_and_validate() {
1123 let schedules = [
1124 (
1125 "inventory-hw",
1126 include_str!("../../../configs/schedules/inventory-hw.yaml"),
1127 ),
1128 (
1129 "inventory-sw",
1130 include_str!("../../../configs/schedules/inventory-sw.yaml"),
1131 ),
1132 (
1133 "inventory-driver",
1134 include_str!("../../../configs/schedules/inventory-driver.yaml"),
1135 ),
1136 ];
1137 for (name, yaml) in schedules {
1138 let s: Schedule =
1139 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1140 s.validate()
1141 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1142 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1143 }
1144 }
1145
1146 #[test]
1147 fn target_is_specified_requires_at_least_one_field() {
1148 let empty = Target::default();
1149 assert!(!empty.is_specified());
1150
1151 let with_all = Target {
1152 all: true,
1153 ..Target::default()
1154 };
1155 assert!(with_all.is_specified());
1156
1157 let with_groups = Target {
1158 groups: vec!["canary".into()],
1159 ..Target::default()
1160 };
1161 assert!(with_groups.is_specified());
1162
1163 let with_pcs = Target {
1164 pcs: vec!["pc-01".into()],
1165 ..Target::default()
1166 };
1167 assert!(with_pcs.is_specified());
1168 }
1169
1170 #[test]
1171 fn manifest_deserialises_minimal_yaml() {
1172 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
1173 // — those live on the schedule / exec request now.
1174 let yaml = r#"
1175id: echo-test
1176version: 0.0.1
1177execute:
1178 shell: powershell
1179 script: "echo 'kanade'"
1180 timeout: 30s
1181"#;
1182 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1183 assert_eq!(m.id, "echo-test");
1184 assert_eq!(m.version, "0.0.1");
1185 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
1186 assert_eq!(
1187 m.execute.script.as_deref().map(str::trim),
1188 Some("echo 'kanade'")
1189 );
1190 assert!(m.execute.script_file.is_none());
1191 assert!(m.execute.script_object.is_none());
1192 assert_eq!(m.execute.timeout, "30s");
1193 assert!(!m.require_approval);
1194 m.validate()
1195 .expect("inline-script manifest passes validation");
1196 }
1197
1198 #[test]
1199 fn manifest_parses_check_job_and_validates() {
1200 // An operator-defined health check (#290): a `check:` hint +
1201 // a PowerShell script that prints {status, detail}.
1202 let yaml = r#"
1203id: check-bitlocker
1204version: 0.1.0
1205execute:
1206 shell: powershell
1207 run_as: system
1208 timeout: 15s
1209 script: |
1210 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
1211check:
1212 name: bitlocker
1213 troubleshoot: fix-bitlocker
1214"#;
1215 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1216 let check = m.check.as_ref().expect("check hint present");
1217 assert_eq!(check.name, "bitlocker");
1218 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
1219 // Field names default to the conventional "status" / "detail".
1220 assert_eq!(check.status_field, "status");
1221 assert_eq!(check.detail_field, "detail");
1222 assert!(m.inventory.is_none() && m.emit.is_none());
1223 m.validate().expect("check-only manifest passes validation");
1224 }
1225
1226 #[test]
1227 fn manifest_check_defaults_and_custom_fields() {
1228 // Minimal: only `name`; status/detail fields default.
1229 let m: Manifest = serde_yaml::from_str(
1230 r#"
1231id: check-disk
1232version: 0.1.0
1233execute:
1234 shell: powershell
1235 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
1236 timeout: 10s
1237check:
1238 name: disk_free
1239"#,
1240 )
1241 .expect("parse");
1242 let c = m.check.as_ref().unwrap();
1243 assert_eq!(c.name, "disk_free");
1244 assert_eq!(c.status_field, "status");
1245 assert_eq!(c.detail_field, "detail");
1246 assert!(c.troubleshoot.is_none());
1247 m.validate().expect("validates");
1248
1249 // The operator can point status/detail at any field of their
1250 // free-form inventory object.
1251 let m2: Manifest = serde_yaml::from_str(
1252 r#"
1253id: check-custom
1254version: 0.1.0
1255execute:
1256 shell: powershell
1257 script: "echo x"
1258 timeout: 10s
1259check:
1260 name: patch_level
1261 status_field: compliance
1262 detail_field: summary
1263"#,
1264 )
1265 .expect("parse");
1266 let c2 = m2.check.as_ref().unwrap();
1267 assert_eq!(c2.status_field, "compliance");
1268 assert_eq!(c2.detail_field, "summary");
1269 }
1270
1271 #[test]
1272 fn manifest_allows_check_composed_with_inventory() {
1273 // `check:` + `inventory:` COMPOSE on the same stdout object:
1274 // status/detail → Health tab, the rest → SPA projection +
1275 // explode sub-tables. Must pass validation.
1276 let yaml = r#"
1277id: check-bitlocker-detailed
1278version: 0.1.0
1279execute:
1280 shell: powershell
1281 script: "echo x"
1282 timeout: 10s
1283check:
1284 name: bitlocker
1285inventory:
1286 display:
1287 - { field: status, label: Status }
1288"#;
1289 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1290 assert!(m.check.is_some() && m.inventory.is_some());
1291 m.validate().expect("check + inventory compose");
1292 }
1293
1294 #[test]
1295 fn manifest_parses_collect_job_and_validates() {
1296 // #219: a `collect:` hint + a script that lists files on stdout.
1297 let yaml = r#"
1298id: collect-diagnostics
1299version: 0.1.0
1300execute:
1301 shell: powershell
1302 run_as: system
1303 timeout: 120s
1304 script: |
1305 @{ files = @("$env:KANADE_COLLECT_DIR/system.csv") } | ConvertTo-Json
1306collect:
1307 name: "Full diagnostics"
1308 description: "Event logs + process"
1309 max_size: 50MB
1310"#;
1311 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1312 let c = m.collect.as_ref().expect("collect hint present");
1313 assert_eq!(c.name, "Full diagnostics");
1314 assert_eq!(c.files_field, "files"); // default
1315 assert_eq!(c.max_size_bytes(), 50_000_000);
1316 m.validate().expect("collect-only manifest validates");
1317 }
1318
1319 #[test]
1320 fn manifest_collect_max_size_defaults_when_unset() {
1321 let m: Manifest = serde_yaml::from_str(
1322 r#"
1323id: collect-min
1324version: 0.1.0
1325execute:
1326 shell: powershell
1327 script: "echo x"
1328 timeout: 10s
1329collect:
1330 name: minimal
1331"#,
1332 )
1333 .expect("parse");
1334 let c = m.collect.as_ref().unwrap();
1335 assert!(c.max_size.is_none());
1336 assert_eq!(c.max_size_bytes(), DEFAULT_COLLECT_MAX_SIZE);
1337 m.validate().expect("validates");
1338 }
1339
1340 #[test]
1341 fn manifest_allows_collect_with_client() {
1342 // collect composes with client (client doesn't touch stdout):
1343 // an end user can trigger a collection from the Client App.
1344 let yaml = r#"
1345id: collect-diag-client
1346version: 0.1.0
1347execute:
1348 shell: powershell
1349 script: "echo x"
1350 timeout: 10s
1351collect:
1352 name: diagnostics
1353client:
1354 name: "Send diagnostics"
1355 category: troubleshoot
1356"#;
1357 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1358 assert!(m.collect.is_some() && m.client.is_some());
1359 m.validate().expect("collect + client compose");
1360 }
1361
1362 #[test]
1363 fn manifest_rejects_collect_combined_with_inventory() {
1364 // collect consumes stdout for its own `files` contract → can't
1365 // share with inventory/check/emit.
1366 let yaml = r#"
1367id: bad-collect-mix
1368version: 0.1.0
1369execute:
1370 shell: powershell
1371 script: "echo x"
1372 timeout: 10s
1373collect:
1374 name: diag
1375inventory:
1376 display:
1377 - { field: status, label: Status }
1378"#;
1379 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1380 let err = m
1381 .validate()
1382 .expect_err("collect + inventory must be rejected");
1383 assert!(err.contains("collect"), "error mentions collect: {err}");
1384 }
1385
1386 #[test]
1387 fn manifest_rejects_collect_combined_with_check_or_emit() {
1388 // collect is exclusive with every stdout-consuming hint, not
1389 // just inventory — guard the check + emit branches too.
1390 for extra in ["check:\n name: health\n", "emit:\n type: events\n"] {
1391 let yaml = format!(
1392 "id: bad-collect-mix\nversion: 0.1.0\nexecute:\n shell: powershell\n \
1393 script: \"echo x\"\n timeout: 10s\ncollect:\n name: diag\n{extra}"
1394 );
1395 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1396 let err = m
1397 .validate()
1398 .expect_err("collect + stdout-consuming hint must fail");
1399 assert!(err.contains("collect"), "error mentions collect: {err}");
1400 }
1401 }
1402
1403 #[test]
1404 fn manifest_rejects_collect_empty_name_and_bad_size() {
1405 let empty_name: Manifest = serde_yaml::from_str(
1406 r#"
1407id: c
1408version: 0.1.0
1409execute: { shell: powershell, script: "echo x", timeout: 10s }
1410collect: { name: " " }
1411"#,
1412 )
1413 .expect("parse");
1414 assert!(
1415 empty_name.validate().is_err(),
1416 "blank collect.name rejected"
1417 );
1418
1419 let bad_size: Manifest = serde_yaml::from_str(
1420 r#"
1421id: c
1422version: 0.1.0
1423execute: { shell: powershell, script: "echo x", timeout: 10s }
1424collect: { name: diag, max_size: "50 quux" }
1425"#,
1426 )
1427 .expect("parse");
1428 let err = bad_size.validate().expect_err("bad max_size rejected");
1429 assert!(err.contains("max_size"), "error mentions max_size: {err}");
1430 }
1431
1432 #[test]
1433 fn parse_size_bytes_units() {
1434 assert_eq!(parse_size_bytes("1024").unwrap(), 1024);
1435 assert_eq!(parse_size_bytes("1B").unwrap(), 1);
1436 assert_eq!(parse_size_bytes("50MB").unwrap(), 50_000_000);
1437 assert_eq!(parse_size_bytes("500 KB").unwrap(), 500_000);
1438 assert_eq!(parse_size_bytes("1GiB").unwrap(), 1024 * 1024 * 1024);
1439 assert_eq!(parse_size_bytes("2mib").unwrap(), 2 * 1024 * 1024);
1440 assert!(parse_size_bytes("").is_err());
1441 assert!(parse_size_bytes("MB").is_err());
1442 assert!(parse_size_bytes("12 zonks").is_err());
1443 }
1444
1445 #[test]
1446 fn manifest_rejects_check_combined_with_emit() {
1447 // `emit:` stdout is NDJSON (and omitted from the result), so
1448 // it can't pair with `check:` (which needs a single JSON
1449 // object on stdout).
1450 let yaml = r#"
1451id: bad-mix
1452version: 0.1.0
1453execute:
1454 shell: powershell
1455 script: "echo x"
1456 timeout: 10s
1457check:
1458 name: bitlocker
1459emit:
1460 type: events
1461"#;
1462 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1463 let err = m.validate().expect_err("emit + check must fail");
1464 assert!(err.contains("incompatible"), "err: {err}");
1465 }
1466
1467 #[test]
1468 fn manifest_rejects_emit_combined_with_inventory() {
1469 // The other half of the emit-incompatibility condition.
1470 let yaml = r#"
1471id: bad-mix-2
1472version: 0.1.0
1473execute:
1474 shell: powershell
1475 script: "echo x"
1476 timeout: 10s
1477emit:
1478 type: events
1479inventory:
1480 display:
1481 - { field: status, label: Status }
1482"#;
1483 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1484 let err = m.validate().expect_err("emit + inventory must fail");
1485 assert!(err.contains("incompatible"), "err: {err}");
1486 }
1487
1488 #[test]
1489 fn manifest_rejects_empty_check_field_names() {
1490 // Empty name / status_field / detail_field are invisible
1491 // runtime bugs (empty React key, agent reads the wrong field)
1492 // — reject them even though serde supplies non-empty defaults.
1493 let base = |inner: &str| {
1494 format!(
1495 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
1496 )
1497 };
1498 for inner in [
1499 " name: \"\"\n",
1500 " name: ok\n status_field: \"\"\n",
1501 " name: ok\n detail_field: \" \"\n",
1502 // present-but-blank troubleshoot → broken remediation id.
1503 " name: ok\n troubleshoot: \" \"\n",
1504 ] {
1505 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
1506 let err = m.validate().expect_err("empty field must fail");
1507 assert!(err.contains("must not be empty"), "err: {err}");
1508 }
1509 }
1510
1511 #[test]
1512 fn manifest_client_absent_by_default() {
1513 // A plain operator job (the overwhelming majority) carries no
1514 // `client:` block, so it never surfaces in the end-user
1515 // catalog.
1516 let yaml = r#"
1517id: echo-test
1518version: 0.0.1
1519execute:
1520 shell: powershell
1521 script: "echo 'kanade'"
1522 timeout: 30s
1523"#;
1524 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1525 assert!(m.client.is_none());
1526 m.validate().expect("operator-only job validates");
1527 }
1528
1529 #[test]
1530 fn manifest_client_parses_and_validates() {
1531 // The Client App "困ったとき" remediation job shape: a
1532 // user-invokable troubleshoot job with the end-user fields the
1533 // KLP `jobs.list` wire needs, grouped under `client:`.
1534 let yaml = r#"
1535id: fix-teams-cache
1536version: 1.0.0
1537execute:
1538 shell: powershell
1539 script: "echo clearing"
1540 timeout: 60s
1541client:
1542 name: "Teams のキャッシュをクリア"
1543 description: "Teams が重いときに試してください"
1544 category: troubleshoot
1545 icon: brush-cleaning
1546"#;
1547 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1548 let c = m.client.as_ref().expect("client block present");
1549 assert_eq!(c.name, "Teams のキャッシュをクリア");
1550 assert_eq!(
1551 c.description.as_deref(),
1552 Some("Teams が重いときに試してください")
1553 );
1554 assert_eq!(c.category, JobCategory::Troubleshoot);
1555 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
1556 m.validate().expect("user-invokable job validates");
1557 }
1558
1559 #[test]
1560 fn manifest_client_minimal_only_name_and_category() {
1561 // description + icon are optional; name + category are the
1562 // serde-required minimum.
1563 let yaml = r#"
1564id: install-slack
1565version: 1.0.0
1566execute:
1567 shell: powershell
1568 script: "echo install"
1569 timeout: 600s
1570client:
1571 name: Slack
1572 category: catalog
1573"#;
1574 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1575 let c = m.client.as_ref().expect("client present");
1576 assert_eq!(c.category, JobCategory::Catalog);
1577 assert!(c.description.is_none() && c.icon.is_none());
1578 m.validate().expect("minimal client validates");
1579 }
1580
1581 #[test]
1582 fn manifest_client_rejects_blank_name() {
1583 // serde guarantees `name`/`category` are present; the one gap
1584 // is a present-but-blank name → empty catalog row title.
1585 let yaml = r#"
1586id: j
1587version: 1.0.0
1588execute:
1589 shell: powershell
1590 script: "echo x"
1591 timeout: 30s
1592client:
1593 name: " "
1594 category: catalog
1595"#;
1596 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1597 let err = m.validate().expect_err("blank name must fail");
1598 assert!(err.contains("client.name"), "err: {err}");
1599 }
1600
1601 #[test]
1602 fn manifest_client_rejects_blank_optional_fields() {
1603 // description / icon are optional, but a present-but-blank
1604 // value is a bug (empty subtitle / dangling icon name) — reject
1605 // it, mirroring the check: block's troubleshoot guard.
1606 for (field, line) in [
1607 ("client.description", " description: \" \"\n"),
1608 ("client.icon", " icon: \"\"\n"),
1609 ] {
1610 let yaml = format!(
1611 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
1612 );
1613 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1614 let err = m.validate().expect_err("blank optional field must fail");
1615 assert!(err.contains(field), "expected {field} in err: {err}");
1616 }
1617 }
1618
1619 #[test]
1620 fn manifest_client_requires_category_at_parse() {
1621 // A `client:` block missing `category` is a hard parse error
1622 // (serde required field) — no manual validate() needed.
1623 let yaml = r#"
1624id: j
1625version: 1.0.0
1626execute:
1627 shell: powershell
1628 script: "echo x"
1629 timeout: 30s
1630client:
1631 name: "A job"
1632"#;
1633 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
1634 assert!(
1635 r.is_err(),
1636 "missing category must be a parse error, got {r:?}"
1637 );
1638 }
1639
1640 #[test]
1641 fn manifest_client_rejects_unknown_field() {
1642 // #492: the strict create boundary catches a fat-fingered
1643 // `displayname:` (with its path) instead of silently
1644 // dropping it; the tolerant read path accepts it.
1645 let yaml = r#"
1646id: j
1647version: 1.0.0
1648execute:
1649 shell: powershell
1650 script: "echo x"
1651 timeout: 30s
1652client:
1653 name: "A job"
1654 category: catalog
1655 displayname: oops
1656"#;
1657 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
1658 let err = r.expect_err("unknown client field must be rejected at the write boundary");
1659 // serde_ignored renders the Option layer as `?`:
1660 // `client.?.displayname`. Assert on the leaf key.
1661 assert!(err.contains("displayname"), "{err}");
1662 // The READ path tolerates the same payload (gradual-upgrade
1663 // contract: an old agent must accept a newer writer's field).
1664 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
1665 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
1666 }
1667
1668 #[test]
1669 fn manifest_tags_default_empty() {
1670 // The overwhelming majority of jobs carry no tags; the field
1671 // must default to an empty Vec (not fail to parse) and skip
1672 // serialisation so old readers never see the key.
1673 let yaml = r#"
1674id: echo-test
1675version: 0.0.1
1676execute:
1677 shell: powershell
1678 script: "echo 'kanade'"
1679 timeout: 30s
1680"#;
1681 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1682 assert!(m.tags.is_empty());
1683 m.validate().expect("tag-less job validates");
1684 // skip_serializing_if = empty ⇒ the key is absent from JSON.
1685 let json = serde_json::to_string(&m).expect("serialize");
1686 assert!(
1687 !json.contains("tags"),
1688 "empty tags must not serialise: {json}"
1689 );
1690 }
1691
1692 #[test]
1693 fn manifest_parses_and_validates_tags() {
1694 let yaml = r#"
1695id: check-bitlocker
1696version: 0.1.0
1697execute:
1698 shell: powershell
1699 script: "echo x"
1700 timeout: 30s
1701tags: [security, windows, health-check]
1702"#;
1703 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1704 assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
1705 m.validate().expect("tagged job validates");
1706 // Round-trips through JSON (the wire format the SPA reads).
1707 let json = serde_json::to_string(&m).expect("serialize");
1708 assert!(json.contains("\"tags\""), "non-empty tags must serialise");
1709 }
1710
1711 #[test]
1712 fn manifest_rejects_blank_tag() {
1713 // A whitespace-only tag renders an empty filter chip — reject
1714 // it at the write boundary like the other blank display fields.
1715 let yaml = r#"
1716id: j
1717version: 0.1.0
1718execute:
1719 shell: powershell
1720 script: "echo x"
1721 timeout: 30s
1722tags: [ok, " "]
1723"#;
1724 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1725 let err = m.validate().expect_err("blank tag must fail");
1726 assert!(err.contains("tags must not contain empty"), "err: {err}");
1727 }
1728
1729 fn execute_with(
1730 script: Option<&str>,
1731 script_file: Option<&str>,
1732 script_object: Option<&str>,
1733 ) -> Execute {
1734 Execute {
1735 shell: ExecuteShell::Powershell,
1736 script: script.map(str::to_owned),
1737 script_file: script_file.map(str::to_owned),
1738 script_object: script_object.map(str::to_owned),
1739 timeout: "30s".into(),
1740 run_as: RunAs::default(),
1741 cwd: None,
1742 }
1743 }
1744
1745 #[test]
1746 fn validate_accepts_inline_script() {
1747 let e = execute_with(Some("echo hi"), None, None);
1748 assert!(e.validate_script_source().is_ok());
1749 }
1750
1751 #[test]
1752 fn validate_accepts_script_file_alone() {
1753 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
1754 assert!(e.validate_script_source().is_ok());
1755 }
1756
1757 #[test]
1758 fn validate_accepts_script_object_alone() {
1759 let e = execute_with(None, None, Some("cleanup/1.0.0"));
1760 assert!(e.validate_script_source().is_ok());
1761 }
1762
1763 #[test]
1764 fn validate_treats_empty_inline_script_as_unset() {
1765 // `script: ""` + `script_object` set is the natural shape
1766 // when an operator comments out the YAML block-scalar body
1767 // but leaves the key. Should pass.
1768 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
1769 assert!(e.validate_script_source().is_ok());
1770 }
1771
1772 #[test]
1773 fn validate_rejects_zero_sources() {
1774 let e = execute_with(None, None, None);
1775 let err = e.validate_script_source().unwrap_err();
1776 assert!(err.contains("must be set"), "got: {err}");
1777 }
1778
1779 #[test]
1780 fn validate_rejects_empty_inline_only() {
1781 let e = execute_with(Some(""), None, None);
1782 let err = e.validate_script_source().unwrap_err();
1783 assert!(err.contains("must be set"), "got: {err}");
1784 }
1785
1786 #[test]
1787 fn validate_rejects_inline_plus_file() {
1788 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
1789 let err = e.validate_script_source().unwrap_err();
1790 assert!(err.contains("only one of"), "got: {err}");
1791 }
1792
1793 #[test]
1794 fn validate_rejects_inline_plus_object() {
1795 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
1796 let err = e.validate_script_source().unwrap_err();
1797 assert!(err.contains("only one of"), "got: {err}");
1798 }
1799
1800 #[test]
1801 fn validate_rejects_file_plus_object() {
1802 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
1803 let err = e.validate_script_source().unwrap_err();
1804 assert!(err.contains("only one of"), "got: {err}");
1805 }
1806
1807 #[test]
1808 fn validate_rejects_all_three() {
1809 let e = execute_with(
1810 Some("echo hi"),
1811 Some("scripts/cleanup.ps1"),
1812 Some("cleanup/1.0.0"),
1813 );
1814 let err = e.validate_script_source().unwrap_err();
1815 assert!(err.contains("only one of"), "got: {err}");
1816 }
1817
1818 #[test]
1819 fn manifest_deserialises_script_object_yaml() {
1820 // SPEC §2.4.1 example shape with the Object Store
1821 // reference picked over inline.
1822 let yaml = r#"
1823id: cleanup-disk-temp
1824version: 1.0.1
1825execute:
1826 shell: powershell
1827 script_object: cleanup-disk-temp/1.0.1
1828 timeout: 600s
1829"#;
1830 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1831 assert_eq!(
1832 m.execute.script_object.as_deref(),
1833 Some("cleanup-disk-temp/1.0.1")
1834 );
1835 assert!(m.execute.script.is_none());
1836 m.validate()
1837 .expect("script_object-only manifest passes validation");
1838 }
1839
1840 #[test]
1841 fn manifest_rejects_typo_in_script_field_name() {
1842 // #492: the strict create boundary catches `script_objectt`
1843 // and similar fat-fingers (with the full path) instead of
1844 // letting them silently fall through to "all three unset".
1845 let yaml = r#"
1846id: typo
1847version: 1.0.0
1848execute:
1849 shell: powershell
1850 script_objectt: oops
1851 timeout: 30s
1852"#;
1853 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
1854 .expect_err("typo'd execute field must be rejected at the write boundary");
1855 assert!(err.contains("execute.script_objectt"), "{err}");
1856 }
1857
1858 #[test]
1859 fn schedule_carries_target_and_rollout() {
1860 let yaml = r#"
1861id: hourly-cleanup-canary
1862when:
1863 per_pc: { every: 1h }
1864job_id: cleanup
1865enabled: true
1866target:
1867 groups: [canary, wave1]
1868jitter: 30s
1869rollout:
1870 strategy: wave
1871 waves:
1872 - { group: canary, delay: 0s }
1873 - { group: wave1, delay: 5s }
1874"#;
1875 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1876 assert_eq!(s.id, "hourly-cleanup-canary");
1877 assert_eq!(s.job_id, "cleanup");
1878 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
1879 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
1880 let rollout = s.plan.rollout.expect("rollout present");
1881 assert_eq!(rollout.waves.len(), 2);
1882 assert_eq!(rollout.waves[0].group, "canary");
1883 assert_eq!(rollout.waves[1].delay, "5s");
1884 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
1885 }
1886
1887 #[test]
1888 fn schedule_minimal_target_all() {
1889 let yaml = r#"
1890id: kitting
1891when:
1892 per_pc: once
1893enabled: true
1894job_id: scheduled-echo
1895target: { all: true }
1896"#;
1897 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1898 assert_eq!(s.id, "kitting");
1899 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
1900 assert!(s.enabled);
1901 assert_eq!(s.job_id, "scheduled-echo");
1902 assert!(s.plan.target.all);
1903 assert!(s.plan.rollout.is_none());
1904 assert!(s.plan.jitter.is_none());
1905 assert!(s.active.is_empty());
1906 }
1907
1908 #[test]
1909 fn schedule_enabled_defaults_to_true() {
1910 let yaml = r#"
1911id: x
1912when:
1913 per_pc: once
1914job_id: y
1915target: { all: true }
1916"#;
1917 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1918 assert!(s.enabled);
1919 }
1920
1921 #[test]
1922 fn schedule_tags_default_empty_and_skip_serialise() {
1923 let yaml = r#"
1924id: x
1925when:
1926 per_pc: once
1927job_id: y
1928target: { all: true }
1929"#;
1930 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1931 assert!(s.tags.is_empty());
1932 s.validate().expect("tag-less schedule validates");
1933 let json = serde_json::to_string(&s).expect("serialize");
1934 assert!(
1935 !json.contains("tags"),
1936 "empty tags must not serialise: {json}"
1937 );
1938 }
1939
1940 #[test]
1941 fn schedule_parses_and_validates_tags() {
1942 let yaml = r#"
1943id: weekly-cleanup
1944when:
1945 per_pc: { every: 1h }
1946job_id: cleanup
1947target: { all: true }
1948tags: [weekly, maintenance]
1949"#;
1950 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1951 assert_eq!(s.tags, vec!["weekly", "maintenance"]);
1952 s.validate().expect("tagged schedule validates");
1953 }
1954
1955 #[test]
1956 fn schedule_rejects_blank_tag() {
1957 let yaml = r#"
1958id: x
1959when:
1960 per_pc: once
1961job_id: y
1962target: { all: true }
1963tags: [ok, " "]
1964"#;
1965 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
1966 let err = s.validate().expect_err("blank tag must fail");
1967 assert!(err.contains("tags must not contain empty"), "err: {err}");
1968 }
1969
1970 // ---- `when` parsing (#418 Phase 1) ----
1971
1972 fn schedule_yaml_with(when_block: &str) -> String {
1973 format!(
1974 r#"
1975id: x
1976when:
1977{when_block}
1978job_id: y
1979target: {{ all: true }}
1980"#
1981 )
1982 }
1983
1984 #[test]
1985 fn when_per_pc_every_parses_unquoted_humantime() {
1986 // `6h` is digit-led but non-numeric → YAML string, same as
1987 // the old `cooldown: 6h` convention. No quotes needed.
1988 let s: Schedule =
1989 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
1990 assert_eq!(
1991 s.when,
1992 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
1993 );
1994 }
1995
1996 #[test]
1997 fn when_per_target_every_parses() {
1998 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
1999 .expect("parse");
2000 assert_eq!(
2001 s.when,
2002 When::PerTarget(PerPolicy::Every(EverySpec {
2003 every: "24h".into()
2004 }))
2005 );
2006 }
2007
2008 #[test]
2009 fn when_per_target_once_parses() {
2010 // Falls out of the shared PerPolicy shape and decide_fire
2011 // already implements it ("any one pc succeeds → skip the
2012 // target forever"), so it is allowed, not rejected.
2013 let s: Schedule =
2014 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
2015 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
2016 }
2017
2018 #[test]
2019 fn when_calendar_time_parses() {
2020 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
2021 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
2022 ))
2023 .expect("parse");
2024 match &s.when {
2025 When::Calendar(c) => {
2026 assert_eq!(c.at, "09:00");
2027 assert_eq!(c.days, vec!["mon-fri"]);
2028 }
2029 other => panic!("expected calendar, got {other:?}"),
2030 }
2031 }
2032
2033 #[test]
2034 fn when_calendar_days_default_empty() {
2035 let s: Schedule =
2036 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
2037 .expect("parse");
2038 match &s.when {
2039 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
2040 other => panic!("expected calendar, got {other:?}"),
2041 }
2042 }
2043
2044 #[test]
2045 fn when_calendar_datetime_parses_all_separators() {
2046 // one-shot: date+time in hyphen / ISO-T / slash forms
2047 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
2048 let block = format!(" calendar:\n at: \"{at}\"");
2049 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
2050 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
2051 match &s.when {
2052 When::Calendar(c) => {
2053 use chrono::Datelike;
2054 let p = c.parse_at().expect("parse_at");
2055 let d = p.date.expect("datetime at carries a date");
2056 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
2057 }
2058 other => panic!("expected calendar, got {other:?}"),
2059 }
2060 }
2061 }
2062
2063 #[test]
2064 fn when_rejects_bad_once_keyword() {
2065 // `onec` must be a parse error, not a silently-absorbed
2066 // string (OnceLiteral is a single-variant enum for exactly
2067 // this reason).
2068 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
2069 assert!(r.is_err(), "expected parse error, got {r:?}");
2070 }
2071
2072 #[test]
2073 fn when_rejects_unknown_key_in_every() {
2074 // `{ evry: 6h }` still fails on the tolerant read path: the
2075 // required `every` key is missing, so no PerPolicy variant
2076 // matches (#492 removed deny_unknown_fields, but required
2077 // keys keep the untagged disambiguation honest).
2078 let r: Result<Schedule, _> =
2079 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
2080 assert!(r.is_err(), "expected parse error, got {r:?}");
2081 }
2082
2083 #[test]
2084 fn when_rejects_unknown_variant() {
2085 let r: Result<Schedule, _> =
2086 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
2087 assert!(r.is_err(), "expected parse error, got {r:?}");
2088 }
2089
2090 #[test]
2091 fn when_rejects_old_top_level_cron_field() {
2092 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
2093 // loudly (missing `when`), which is what turns stale KV
2094 // blobs into warn-skips after the upgrade.
2095 let yaml = r#"
2096id: x
2097cron: "* * * * * *"
2098job_id: y
2099target: { all: true }
2100"#;
2101 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
2102 assert!(r.is_err(), "expected parse error, got {r:?}");
2103 }
2104
2105 #[test]
2106 fn when_rejects_retired_cron_escape_hatch() {
2107 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
2108 // is now an unknown variant → parse error (operators use the
2109 // calendar form instead).
2110 let r: Result<Schedule, _> =
2111 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
2112 assert!(
2113 r.is_err(),
2114 "expected parse error for retired cron, got {r:?}"
2115 );
2116 }
2117
2118 #[test]
2119 fn when_round_trips_json_and_yaml() {
2120 // Round-trip through the full Schedule: that is the wire
2121 // unit for both stores (JSON catalog KV + YAML mirror), and
2122 // it exercises the singleton_map field attribute that keeps
2123 // serde_yaml on the map shape instead of `!per_pc` tags.
2124 for when in [
2125 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2126 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2127 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2128 When::PerTarget(PerPolicy::Every(EverySpec {
2129 every: "24h".into(),
2130 })),
2131 calendar("09:00", &["mon-fri"]),
2132 calendar("2026-06-10 09:00", &[]),
2133 When::On(vec![OnTrigger::Startup]),
2134 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
2135 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
2136 When::On(vec![OnTrigger::NetworkChange]),
2137 ] {
2138 // Event triggers are agent-only; the rest validate on backend.
2139 let runs_on = if matches!(when, When::On(_)) {
2140 RunsOn::Agent
2141 } else {
2142 RunsOn::Backend
2143 };
2144 let s = schedule_with(when.clone(), runs_on);
2145
2146 let json = serde_json::to_string(&s).expect("json serialise");
2147 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
2148 assert_eq!(back.when, when, "json round-trip for {when}");
2149
2150 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
2151 assert!(
2152 !yaml.contains('!'),
2153 "yaml must use the map shape, not tags: {yaml}"
2154 );
2155 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
2156 assert_eq!(back.when, when, "yaml round-trip for {when}");
2157 }
2158 }
2159
2160 #[test]
2161 fn when_once_serialises_as_bare_keyword() {
2162 // The wire shape operators see in the YAML mirror must stay
2163 // the ergonomic `per_pc: once`, not a one-variant map.
2164 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
2165 .expect("serialise");
2166 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
2167 }
2168
2169 #[test]
2170 fn when_displays_operator_summary() {
2171 for (when, expected) in [
2172 (
2173 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2174 "per_pc once",
2175 ),
2176 (
2177 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2178 "per_pc every 6h",
2179 ),
2180 (
2181 When::PerTarget(PerPolicy::Every(EverySpec {
2182 every: "24h".into(),
2183 })),
2184 "per_target every 24h",
2185 ),
2186 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
2187 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
2188 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
2189 (
2190 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
2191 "on [startup,logon]",
2192 ),
2193 (
2194 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
2195 "on [lock,unlock]",
2196 ),
2197 (
2198 When::On(vec![OnTrigger::NetworkChange]),
2199 "on [network_change]",
2200 ),
2201 ] {
2202 assert_eq!(when.to_string(), expected);
2203 }
2204 }
2205
2206 // ---- lowering (#418: when → engine vocabulary) ----
2207
2208 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
2209 Schedule {
2210 id: "x".into(),
2211 when,
2212 job_id: "y".into(),
2213 plan: FanoutPlan::default(),
2214 active: Active::default(),
2215 constraints: Constraints::default(),
2216 on_failure: OnFailure::default(),
2217 tz: ScheduleTz::default(),
2218 starting_deadline: None,
2219 runs_on,
2220 enabled: true,
2221 tags: Vec::new(),
2222 origin: None,
2223 }
2224 }
2225
2226 fn calendar(at: &str, days: &[&str]) -> When {
2227 When::Calendar(CalendarSpec {
2228 at: at.into(),
2229 days: days.iter().map(|d| (*d).to_string()).collect(),
2230 })
2231 }
2232
2233 #[test]
2234 fn next_calendar_fire_returns_next_utc_occurrence() {
2235 use chrono::TimeZone;
2236 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
2237 // next strict occurrence is 09:00 that day.
2238 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2239 s.tz = ScheduleTz::Utc;
2240 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
2241 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
2242 assert_eq!(
2243 next,
2244 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
2245 );
2246 }
2247
2248 #[test]
2249 fn next_calendar_fire_is_strictly_after_now() {
2250 use chrono::TimeZone;
2251 // Standing exactly on a fire instant must preview the *next*
2252 // one (inclusive = false), not the one firing right now.
2253 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2254 s.tz = ScheduleTz::Utc;
2255 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
2256 let next = s
2257 .next_calendar_fire(on_fire)
2258 .expect("calendar has a next fire");
2259 assert_eq!(
2260 next,
2261 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
2262 );
2263 }
2264
2265 #[test]
2266 fn next_calendar_fire_none_for_reconcile_shapes() {
2267 // `per_pc` / `per_target` lower to the every-minute poll cron —
2268 // no discrete upcoming event to preview, so `None`.
2269 let now = chrono::Utc::now();
2270 for when in [
2271 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2272 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2273 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2274 When::PerTarget(PerPolicy::Every(EverySpec {
2275 every: "24h".into(),
2276 })),
2277 ] {
2278 let s = schedule_with(when, RunsOn::Backend);
2279 assert!(
2280 s.next_calendar_fire(now).is_none(),
2281 "reconcile shapes have no calendar fire",
2282 );
2283 }
2284 }
2285
2286 // ---- preview_fires (#418 dry-run / preview) ----
2287
2288 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
2289 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
2290 s.tz = ScheduleTz::Utc; // host-independent assertions
2291 s
2292 }
2293
2294 #[test]
2295 fn preview_lists_next_calendar_occurrences() {
2296 use chrono::TimeZone;
2297 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
2298 // fires skip the weekend (Sat 13 / Sun 14).
2299 let s = cal_utc("09:00", &["mon-fri"]);
2300 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2301 let got = s.preview_fires(now, 5);
2302 let want: Vec<_> = [
2303 (2026, 6, 10), // Wed
2304 (2026, 6, 11), // Thu
2305 (2026, 6, 12), // Fri
2306 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
2307 (2026, 6, 16), // Tue
2308 ]
2309 .iter()
2310 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
2311 .collect();
2312 assert_eq!(got, want);
2313 }
2314
2315 #[test]
2316 fn preview_handles_nth_and_last_weekday() {
2317 use chrono::TimeZone;
2318 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
2319 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
2320 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
2321 assert_eq!(
2322 nth,
2323 vec![
2324 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
2325 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
2326 ]
2327 );
2328 // Last Friday of the month: Jun 26, Jul 31 2026.
2329 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
2330 assert_eq!(
2331 last,
2332 vec![
2333 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
2334 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
2335 ]
2336 );
2337 }
2338
2339 #[test]
2340 fn preview_is_empty_for_reconcile_and_zero_count() {
2341 let now = chrono::Utc::now();
2342 // reconcile shapes have no discrete fire times
2343 let recon = schedule_with(
2344 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2345 RunsOn::Backend,
2346 );
2347 assert!(recon.preview_fires(now, 5).is_empty());
2348 // count == 0 yields nothing even for a calendar
2349 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
2350 }
2351
2352 #[test]
2353 fn preview_skips_outside_active_window() {
2354 use chrono::TimeZone;
2355 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
2356 // before `from` are skipped; `until` is exclusive, so 06-17's
2357 // fire is out — leaving exactly the 15th and 16th.
2358 let mut s = cal_utc("09:00", &[]);
2359 s.active = Active {
2360 from: Some("2026-06-15".into()),
2361 until: Some("2026-06-17".into()),
2362 };
2363 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2364 let got = s.preview_fires(now, 5);
2365 assert_eq!(
2366 got,
2367 vec![
2368 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
2369 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
2370 ]
2371 );
2372 }
2373
2374 #[test]
2375 fn preview_empty_when_calendar_time_outside_window() {
2376 use chrono::TimeZone;
2377 // Fires at 09:00 but the maintenance window is overnight — it can
2378 // never run, so the preview is empty (matches
2379 // `calendar_outside_window`), and the scan still terminates.
2380 let mut s = cal_utc("09:00", &[]);
2381 s.constraints = Constraints {
2382 window: Some("22:00-05:00".into()),
2383 ..Constraints::default()
2384 };
2385 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2386 assert!(s.preview_fires(now, 5).is_empty());
2387 // Every candidate tick is rejected, so this also exercises the
2388 // SCAN_CAP bound: a large `count` must still terminate (and
2389 // return empty) rather than spin (claude #578 review).
2390 assert!(s.preview_fires(now, 50).is_empty());
2391 }
2392
2393 #[test]
2394 fn preview_past_one_shot_is_empty() {
2395 use chrono::TimeZone;
2396 // A dated one-shot whose instant has passed never fires again.
2397 let s = cal_utc("2026-06-10 09:00", &[]);
2398 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
2399 assert!(s.preview_fires(now, 5).is_empty());
2400 // …but from before it, the single future fire shows up.
2401 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
2402 assert_eq!(
2403 s.preview_fires(before, 5),
2404 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
2405 );
2406 }
2407
2408 #[test]
2409 fn lowering_matches_the_418_table() {
2410 let cases = [
2411 (
2412 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2413 (POLL_CRON, ExecMode::OncePerPc, None),
2414 ),
2415 (
2416 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2417 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
2418 ),
2419 (
2420 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2421 (POLL_CRON, ExecMode::OncePerTarget, None),
2422 ),
2423 (
2424 When::PerTarget(PerPolicy::Every(EverySpec {
2425 every: "24h".into(),
2426 })),
2427 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
2428 ),
2429 // calendar repeating → 6-field cron
2430 (
2431 calendar("09:00", &["mon-fri"]),
2432 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
2433 ),
2434 // calendar daily (no days) → DOW *
2435 (
2436 calendar("18:30", &[]),
2437 ("0 30 18 * * *", ExecMode::EveryTick, None),
2438 ),
2439 // calendar one-shot → 7-field year cron
2440 (
2441 calendar("2026-06-10 09:00", &[]),
2442 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
2443 ),
2444 ];
2445 for (when, (cron, mode, cooldown)) in cases {
2446 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
2447 assert_eq!(l.cron, cron, "cron for {when}");
2448 assert_eq!(l.mode, mode, "mode for {when}");
2449 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
2450 }
2451 }
2452
2453 #[test]
2454 fn lowered_carries_schedule_tz() {
2455 for (tz, want) in [
2456 (ScheduleTz::Local, ScheduleTz::Local),
2457 (ScheduleTz::Utc, ScheduleTz::Utc),
2458 ] {
2459 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
2460 s.tz = tz;
2461 assert_eq!(s.lowered().tz, want, "calendar carries tz");
2462 // reconcile shapes carry tz too (for the active-window check)
2463 let mut s = schedule_with(
2464 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2465 RunsOn::Backend,
2466 );
2467 s.tz = tz;
2468 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
2469 }
2470 }
2471
2472 #[test]
2473 fn poll_cron_is_accepted_by_the_engine_parser() {
2474 // POLL_CRON is system-generated — if the engine's parser
2475 // ever rejected it every reconcile schedule would die at
2476 // register time. Validate it with the same croner config
2477 // (Seconds::Required, dom_and_dow, year optional).
2478 croner::parser::CronParser::builder()
2479 .seconds(croner::parser::Seconds::Required)
2480 .dom_and_dow(true)
2481 .build()
2482 .parse(POLL_CRON)
2483 .expect("POLL_CRON must parse");
2484 }
2485
2486 // ---- Schedule::validate() (#418 decision F) ----
2487
2488 #[test]
2489 fn validate_accepts_reconcile_shapes() {
2490 for when in [
2491 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2492 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2493 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2494 When::PerTarget(PerPolicy::Every(EverySpec {
2495 every: "24h".into(),
2496 })),
2497 ] {
2498 schedule_with(when.clone(), RunsOn::Backend)
2499 .validate()
2500 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
2501 }
2502 }
2503
2504 #[test]
2505 fn validate_accepts_per_pc_on_agent() {
2506 schedule_with(
2507 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
2508 RunsOn::Agent,
2509 )
2510 .validate()
2511 .expect("per_pc + agent is the offline-inventory shape");
2512 }
2513
2514 // ---- #418 event triggers (when: { on }) ----
2515
2516 #[test]
2517 fn validate_accepts_event_on_agent() {
2518 for triggers in [
2519 vec![OnTrigger::Startup],
2520 vec![OnTrigger::Logon],
2521 vec![OnTrigger::Lock],
2522 vec![OnTrigger::Unlock],
2523 vec![OnTrigger::NetworkChange],
2524 vec![
2525 OnTrigger::Startup,
2526 OnTrigger::Logon,
2527 OnTrigger::Lock,
2528 OnTrigger::Unlock,
2529 OnTrigger::NetworkChange,
2530 ],
2531 ] {
2532 schedule_with(When::On(triggers), RunsOn::Agent)
2533 .validate()
2534 .expect("when.on is valid on runs_on: agent");
2535 }
2536 }
2537
2538 #[test]
2539 fn validate_rejects_event_on_backend() {
2540 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
2541 .validate()
2542 .unwrap_err();
2543 assert!(err.contains("when.on"), "got: {err}");
2544 assert!(err.contains("runs_on: agent"), "got: {err}");
2545 }
2546
2547 #[test]
2548 fn validate_rejects_empty_event_list() {
2549 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
2550 .validate()
2551 .unwrap_err();
2552 assert!(err.contains("when.on"), "got: {err}");
2553 assert!(err.contains("at least one"), "got: {err}");
2554 }
2555
2556 #[test]
2557 fn event_schedule_lowers_to_event_mode_and_is_event() {
2558 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
2559 assert!(s.is_event());
2560 assert_eq!(s.lowered().mode, ExecMode::Event);
2561 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
2562 // non-event schedules report no triggers.
2563 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2564 assert!(!cal.is_event());
2565 assert!(cal.event_triggers().is_empty());
2566 }
2567
2568 // ---- #418 constraints.require (env gates) ----
2569
2570 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
2571 let mut s = schedule_with(
2572 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
2573 runs_on,
2574 );
2575 s.constraints.require = Some(req);
2576 s
2577 }
2578
2579 #[test]
2580 fn require_met_combinations() {
2581 use std::time::Duration;
2582 let idle = |m: u64| Some(Duration::from_secs(m * 60));
2583 // Builder for the sensed state: (ac, idle, cpu, network).
2584 let env = |ac, idle, cpu, net| EnvState {
2585 ac_online: ac,
2586 idle,
2587 cpu_pct: cpu,
2588 network_up: net,
2589 };
2590 // Empty require — always met regardless of sensed state.
2591 assert!(require_met(
2592 &Require::default(),
2593 &env(false, None, None, false)
2594 ));
2595 // ac_power: only on AC.
2596 let ac = Require {
2597 ac_power: true,
2598 ..Default::default()
2599 };
2600 assert!(!require_met(&ac, &env(false, None, None, true)));
2601 assert!(require_met(&ac, &env(true, None, None, false)));
2602 // idle: needs >= the configured min; None idle never satisfies.
2603 let idle10 = Require {
2604 idle: Some("10m".into()),
2605 ..Default::default()
2606 };
2607 assert!(!require_met(&idle10, &env(true, None, None, true)));
2608 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
2609 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
2610 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
2611 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
2612 let cpu20 = Require {
2613 cpu_below: Some(20.0),
2614 ..Default::default()
2615 };
2616 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
2617 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
2618 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
2619 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
2620 // network: only when online.
2621 let net = Require {
2622 network: true,
2623 ..Default::default()
2624 };
2625 assert!(!require_met(&net, &env(true, None, None, false))); // offline
2626 assert!(require_met(&net, &env(true, None, None, true))); // online
2627 // all four: AND.
2628 let all = Require {
2629 ac_power: true,
2630 idle: Some("10m".into()),
2631 cpu_below: Some(20.0),
2632 network: true,
2633 };
2634 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
2635 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
2636 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
2637 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
2638 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
2639 // An unparseable idle is treated as no-requirement by require_met
2640 // (validate rejects it at create time, so this only guards a
2641 // hand-edited blob): ac still gates.
2642 let bad = Require {
2643 ac_power: true,
2644 idle: Some("garbage".into()),
2645 ..Default::default()
2646 };
2647 assert!(require_met(&bad, &env(true, None, None, true)));
2648 assert!(!require_met(&bad, &env(false, None, None, true)));
2649 }
2650
2651 #[test]
2652 fn validate_accepts_and_rejects_cpu_below() {
2653 // In-range accepted.
2654 require_schedule(
2655 Require {
2656 cpu_below: Some(20.0),
2657 ..Default::default()
2658 },
2659 RunsOn::Agent,
2660 )
2661 .validate()
2662 .expect("cpu_below 20 is valid");
2663 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
2664 // 100%). Pins the inclusive upper bound against a future c < 100.0.
2665 require_schedule(
2666 Require {
2667 cpu_below: Some(100.0),
2668 ..Default::default()
2669 },
2670 RunsOn::Agent,
2671 )
2672 .validate()
2673 .expect("cpu_below 100 is valid");
2674 // Out of range rejected (0 and >100).
2675 for bad in [0.0, -5.0, 100.1] {
2676 let err = require_schedule(
2677 Require {
2678 cpu_below: Some(bad),
2679 ..Default::default()
2680 },
2681 RunsOn::Agent,
2682 )
2683 .validate()
2684 .unwrap_err();
2685 assert!(
2686 err.contains("constraints.require.cpu_below"),
2687 "cpu_below {bad}: {err}"
2688 );
2689 }
2690 }
2691
2692 #[test]
2693 fn validate_accepts_require_on_agent() {
2694 require_schedule(
2695 Require {
2696 ac_power: true,
2697 idle: Some("10m".into()),
2698 cpu_below: Some(20.0),
2699 network: true,
2700 },
2701 RunsOn::Agent,
2702 )
2703 .validate()
2704 .expect("constraints.require is valid on runs_on: agent");
2705 }
2706
2707 #[test]
2708 fn validate_rejects_require_on_backend() {
2709 let err = require_schedule(
2710 Require {
2711 ac_power: true,
2712 ..Default::default()
2713 },
2714 RunsOn::Backend,
2715 )
2716 .validate()
2717 .unwrap_err();
2718 assert!(err.contains("constraints.require"), "got: {err}");
2719 assert!(err.contains("runs_on: agent"), "got: {err}");
2720
2721 // An idle-only require (ac_power: false) is also non-empty
2722 // (is_empty folds the fields) and must reject on backend too —
2723 // guards against a regression in Require::is_empty.
2724 let err = require_schedule(
2725 Require {
2726 idle: Some("10m".into()),
2727 ..Default::default()
2728 },
2729 RunsOn::Backend,
2730 )
2731 .validate()
2732 .unwrap_err();
2733 assert!(
2734 err.contains("constraints.require"),
2735 "idle-only on backend: {err}"
2736 );
2737 }
2738
2739 #[test]
2740 fn validate_rejects_bad_require_idle() {
2741 let err = require_schedule(
2742 Require {
2743 idle: Some("not-a-duration".into()),
2744 ..Default::default()
2745 },
2746 RunsOn::Agent,
2747 )
2748 .validate()
2749 .unwrap_err();
2750 assert!(err.contains("constraints.require.idle"), "got: {err}");
2751 }
2752
2753 #[test]
2754 fn require_round_trips_and_skips_empty() {
2755 // ac_power: false is skipped; an all-default require nested in
2756 // constraints is omitted (is_empty folds it in).
2757 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
2758 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
2759 network: true } }\n";
2760 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2761 let req = s.constraints.require.as_ref().expect("require present");
2762 assert!(req.ac_power);
2763 assert_eq!(req.idle.as_deref(), Some("10m"));
2764 assert_eq!(req.cpu_below, Some(20.0));
2765 assert!(req.network);
2766 // Re-serialize: idle + cpu_below + network present, ac_power true.
2767 let back = serde_json::to_string(&s.constraints).unwrap();
2768 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
2769 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
2770 assert!(back.contains("\"network\":true"), "got: {back}");
2771 // An empty require is omitted entirely by is_empty.
2772 let mut empty = s.clone();
2773 empty.constraints.require = Some(Require::default());
2774 assert!(empty.constraints.is_empty());
2775 }
2776
2777 #[test]
2778 fn validate_rejects_per_target_on_agent() {
2779 let err = schedule_with(
2780 When::PerTarget(PerPolicy::Every(EverySpec {
2781 every: "24h".into(),
2782 })),
2783 RunsOn::Agent,
2784 )
2785 .validate()
2786 .unwrap_err();
2787 assert!(err.contains("per_target"), "got: {err}");
2788 assert!(err.contains("runs_on: agent"), "got: {err}");
2789
2790 // per_target: once is also backend-only.
2791 let err = schedule_with(
2792 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2793 RunsOn::Agent,
2794 )
2795 .validate()
2796 .unwrap_err();
2797 assert!(err.contains("per_target"), "got (once): {err}");
2798 assert!(err.contains("runs_on: agent"), "got (once): {err}");
2799 }
2800
2801 #[test]
2802 fn validate_rejects_bad_every_duration() {
2803 let err = schedule_with(
2804 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
2805 RunsOn::Backend,
2806 )
2807 .validate()
2808 .unwrap_err();
2809 assert!(err.contains("when.every"), "got: {err}");
2810 }
2811
2812 #[test]
2813 fn validate_rejects_bad_jitter_and_starting_deadline() {
2814 let mut s = schedule_with(
2815 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2816 RunsOn::Backend,
2817 );
2818 s.plan.jitter = Some("5x".into());
2819 let err = s.validate().unwrap_err();
2820 assert!(err.contains("jitter"), "got: {err}");
2821
2822 let mut s = schedule_with(
2823 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2824 RunsOn::Backend,
2825 );
2826 s.starting_deadline = Some("soon".into());
2827 let err = s.validate().unwrap_err();
2828 assert!(err.contains("starting_deadline"), "got: {err}");
2829 }
2830
2831 #[test]
2832 fn validate_accepts_calendar_shapes() {
2833 for when in [
2834 calendar("09:00", &["mon-fri"]), // weekday morning
2835 calendar("00:00", &["sun"]), // weekly
2836 calendar("18:30", &[]), // daily
2837 calendar("2026-06-10 09:00", &[]), // one-shot
2838 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
2839 ] {
2840 schedule_with(when.clone(), RunsOn::Backend)
2841 .validate()
2842 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
2843 }
2844 }
2845
2846 #[test]
2847 fn validate_rejects_bad_at() {
2848 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
2849 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
2850 .validate()
2851 .unwrap_err();
2852 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
2853 }
2854 }
2855
2856 #[test]
2857 fn validate_rejects_datetime_at_with_days() {
2858 // A dated `at` is a one-shot — pairing it with days is a
2859 // contradiction (the date already pins the day).
2860 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
2861 .validate()
2862 .unwrap_err();
2863 assert!(
2864 err.contains("one-shot") && err.contains("days"),
2865 "got: {err}"
2866 );
2867 }
2868
2869 #[test]
2870 fn validate_rejects_bad_day_name() {
2871 // A garbage DOW token is caught by the days pre-flight and
2872 // reported against `when.days`, not the confusing
2873 // "when.at lowered to invalid cron" (claude #432 review).
2874 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
2875 .validate()
2876 .unwrap_err();
2877 assert!(err.contains("when.days"), "got: {err}");
2878 assert!(err.contains("funday"), "names the bad token: {err}");
2879 // a degenerate range like `mon-` reports the whole token, not
2880 // a cryptic empty part (claude #432 follow-up)
2881 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
2882 .validate()
2883 .unwrap_err();
2884 assert!(err.contains("'mon-'"), "names the whole token: {err}");
2885 // valid names / ranges / numeric / * all pass
2886 for ok in [
2887 calendar("09:00", &["mon-fri"]),
2888 calendar("09:00", &["mon", "wed", "sun"]),
2889 calendar("09:00", &["1-5"]),
2890 ] {
2891 schedule_with(ok.clone(), RunsOn::Backend)
2892 .validate()
2893 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2894 }
2895 }
2896
2897 #[test]
2898 fn validate_accepts_nth_weekday() {
2899 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
2900 // a cron and parses it with croner, so passing here proves the
2901 // whole chain — token → DOW field → engine-acceptable cron.
2902 for ok in [
2903 calendar("09:00", &["tue#2"]), // 2nd Tuesday
2904 calendar("09:00", &["fri#1"]), // 1st Friday
2905 calendar("03:00", &["sun#5"]), // 5th Sunday
2906 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
2907 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
2908 // Case-insensitive both sides: validate lowercases, croner
2909 // upper-cases the whole pattern before aliasing (claude #547).
2910 calendar("09:00", &["TUE#2"]),
2911 ] {
2912 schedule_with(ok.clone(), RunsOn::Backend)
2913 .validate()
2914 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2915 }
2916 }
2917
2918 #[test]
2919 fn validate_rejects_bad_nth_weekday() {
2920 // ordinal out of 1..5, a range with #, and a bad day before #.
2921 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
2922 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2923 .validate()
2924 .unwrap_err();
2925 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2926 }
2927 }
2928
2929 #[test]
2930 fn validate_accepts_last_weekday() {
2931 // #418: last-weekday (`friL` = last Friday). Like the nth case,
2932 // validate() lowers to a cron and round-trips it through croner,
2933 // so passing proves token → DOW field → engine-acceptable cron
2934 // with the verified last-<dow>-of-month semantics.
2935 for ok in [
2936 calendar("09:00", &["friL"]), // last Friday
2937 calendar("03:00", &["sunL"]), // last Sunday
2938 calendar("22:00", &["5L"]), // numeric DOW + last
2939 calendar("00:00", &["0L"]), // numeric Sunday (0…
2940 calendar("00:00", &["7L"]), // …and its 7 alias)
2941 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
2942 // Case-insensitive both the weekday and the `L` suffix:
2943 // validate lowercases the day, croner upper-cases the whole
2944 // pattern before aliasing (claude #547).
2945 calendar("09:00", &["FRIL"]),
2946 calendar("09:00", &["fril"]),
2947 ] {
2948 schedule_with(ok.clone(), RunsOn::Backend)
2949 .validate()
2950 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
2951 }
2952 }
2953
2954 #[test]
2955 fn validate_rejects_bad_last_weekday() {
2956 // bare `L` (no weekday — a footgun croner reads as Saturday), a
2957 // range with L, a bad day before L, and an internal space that
2958 // would otherwise leak a malformed cron downstream (gemini #560).
2959 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
2960 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
2961 .validate()
2962 .unwrap_err();
2963 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
2964 }
2965 }
2966
2967 #[test]
2968 fn calendar_oneshot_instant_detects_past() {
2969 use chrono::TimeZone;
2970 // a dated `at` resolves to an absolute instant…
2971 let c = CalendarSpec {
2972 at: "2024-01-01 09:00".into(),
2973 days: vec![],
2974 };
2975 let t = c
2976 .oneshot_instant(ScheduleTz::Utc)
2977 .expect("one-shot instant");
2978 assert_eq!(
2979 t,
2980 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
2981 );
2982 assert!(t < chrono::Utc::now(), "2024 is in the past");
2983 // …while a repeating (time-only) calendar has no instant
2984 let rep = CalendarSpec {
2985 at: "09:00".into(),
2986 days: vec!["mon-fri".into()],
2987 };
2988 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
2989 }
2990
2991 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
2992 let mut s = schedule_with(
2993 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2994 RunsOn::Backend,
2995 );
2996 s.active = Active {
2997 from: from.map(str::to_owned),
2998 until: until.map(str::to_owned),
2999 };
3000 s
3001 }
3002
3003 #[test]
3004 fn validate_accepts_active_window() {
3005 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
3006 .validate()
3007 .expect("date + rfc3339 bounds should validate");
3008 }
3009
3010 #[test]
3011 fn validate_rejects_unparseable_active_bound() {
3012 let err = schedule_with_active(Some("July 1st"), None)
3013 .validate()
3014 .unwrap_err();
3015 assert!(err.contains("active"), "got: {err}");
3016 }
3017
3018 #[test]
3019 fn validate_rejects_from_not_before_until() {
3020 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
3021 .validate()
3022 .unwrap_err();
3023 assert!(err.contains("strictly before"), "got: {err}");
3024
3025 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
3026 .validate()
3027 .unwrap_err();
3028 assert!(err.contains("strictly before"), "got: {err}");
3029 }
3030
3031 // ---- Active window semantics ----
3032
3033 #[test]
3034 fn active_window_is_half_open() {
3035 use chrono::TimeZone;
3036 let active = Active {
3037 from: Some("2026-07-01".into()),
3038 until: Some("2026-08-01".into()),
3039 };
3040 // UTC tz so the date bounds are UTC midnight.
3041 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
3042 let c = |t| active.contains(t, ScheduleTz::Utc);
3043 assert!(!c(at(2026, 6, 30, 23)), "before from");
3044 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
3045 assert!(c(at(2026, 7, 15, 12)), "inside");
3046 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
3047 assert!(!c(at(2026, 8, 2, 0)), "after until");
3048 }
3049
3050 #[test]
3051 fn active_empty_window_is_always_active() {
3052 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
3053 }
3054
3055 #[test]
3056 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
3057 use chrono::TimeZone;
3058 let active = Active {
3059 from: Some("2026-07-01T09:00:00+09:00".into()),
3060 until: None,
3061 };
3062 // RFC3339 carries its own offset → tz arg is ignored.
3063 // 09:00 JST = 00:00 UTC.
3064 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
3065 assert!(
3066 !active.contains(
3067 chrono::Utc
3068 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
3069 .unwrap(),
3070 tz
3071 )
3072 );
3073 assert!(active.contains(
3074 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
3075 tz
3076 ));
3077 }
3078 }
3079
3080 #[test]
3081 fn active_date_bound_respects_tz() {
3082 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
3083 // tz* (#418 Phase 2). The UTC interpretation is exact and
3084 // host-independent; assert that precisely.
3085 use chrono::TimeZone;
3086 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
3087 assert_eq!(
3088 utc,
3089 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
3090 );
3091
3092 // The local interpretation must equal what chrono::Local
3093 // computes for the same wall-clock midnight — proves the tz
3094 // path is wired to the host zone (the magnitude vs UTC is
3095 // host-dependent, so we compare against Local directly rather
3096 // than hard-coding the JST offset, keeping CI green on UTC
3097 // runners).
3098 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
3099 let want = chrono::Local
3100 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
3101 .single()
3102 .expect("local midnight is unambiguous")
3103 .with_timezone(&chrono::Utc);
3104 assert_eq!(local, want, "date bound resolved in host-local tz");
3105 }
3106
3107 #[test]
3108 fn active_empty_is_skipped_when_serialising() {
3109 let s = schedule_with(
3110 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3111 RunsOn::Backend,
3112 );
3113 let json = serde_json::to_value(&s).expect("serialise");
3114 assert!(
3115 json.get("active").is_none(),
3116 "empty active must not appear on the wire: {json}"
3117 );
3118 }
3119
3120 // ---- constraints.window (#418 Phase 3) ----
3121
3122 fn with_window(win: &str) -> Schedule {
3123 let mut s = schedule_with(
3124 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3125 RunsOn::Backend,
3126 );
3127 s.constraints.window = Some(win.into());
3128 s
3129 }
3130
3131 #[test]
3132 fn constraints_window_parses_and_round_trips() {
3133 let yaml = r#"
3134id: x
3135when:
3136 per_pc: { every: 6h }
3137job_id: y
3138target: { all: true }
3139constraints:
3140 window: "22:00-05:00"
3141"#;
3142 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3143 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
3144 let back: Schedule =
3145 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
3146 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
3147 }
3148
3149 #[test]
3150 fn constraints_empty_is_skipped_when_serialising() {
3151 let s = schedule_with(
3152 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3153 RunsOn::Backend,
3154 );
3155 let json = serde_json::to_value(&s).expect("serialise");
3156 assert!(
3157 json.get("constraints").is_none(),
3158 "empty constraints must not appear on the wire: {json}"
3159 );
3160 }
3161
3162 #[test]
3163 fn window_no_constraint_always_allows() {
3164 let c = Constraints::default();
3165 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
3166 }
3167
3168 #[test]
3169 fn window_same_day_is_half_open() {
3170 use chrono::TimeZone;
3171 let s = with_window("09:00-17:00");
3172 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
3173 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
3174 assert!(!a(at(8, 59)), "before start");
3175 assert!(a(at(9, 0)), "at start (inclusive)");
3176 assert!(a(at(16, 59)), "inside");
3177 assert!(!a(at(17, 0)), "at end (exclusive)");
3178 assert!(!a(at(23, 0)), "after end");
3179 }
3180
3181 #[test]
3182 fn window_crossing_midnight() {
3183 use chrono::TimeZone;
3184 let s = with_window("22:00-05:00");
3185 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
3186 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
3187 assert!(a(at(22, 0)), "at start tonight");
3188 assert!(a(at(23, 30)), "late tonight");
3189 assert!(a(at(3, 0)), "early tomorrow");
3190 assert!(!a(at(5, 0)), "at end (exclusive)");
3191 assert!(!a(at(12, 0)), "midday outside");
3192 assert!(!a(at(21, 59)), "just before start");
3193 }
3194
3195 #[test]
3196 fn window_respects_tz() {
3197 // The same instant is inside the window under one tz and may
3198 // be outside under another. Compare UTC vs Local via the
3199 // host's own offset (kept CI-green on UTC runners like the
3200 // active tz test does).
3201 use chrono::TimeZone;
3202 let s = with_window("09:00-17:00");
3203 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
3204 // Under UTC, 12:00 is inside 09:00-17:00.
3205 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
3206 // Under Local, the verdict tracks the host wall-clock time;
3207 // assert it matches a direct wall_time membership check.
3208 let local_t = noon_utc.with_timezone(&chrono::Local).time();
3209 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
3210 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
3211 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
3212 }
3213
3214 #[test]
3215 fn validate_accepts_good_window() {
3216 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
3217 with_window(w)
3218 .validate()
3219 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
3220 }
3221 }
3222
3223 #[test]
3224 fn validate_rejects_bad_window() {
3225 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
3226 let err = with_window(bad).validate().unwrap_err();
3227 assert!(
3228 err.contains("constraints.window"),
3229 "for '{bad}', got: {err}"
3230 );
3231 }
3232 }
3233
3234 // ---- constraints.skip_dates (#418 holiday exclusion) ----
3235
3236 fn with_skip_dates(dates: &[&str]) -> Schedule {
3237 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3238 s.tz = ScheduleTz::Utc; // host-independent date assertions
3239 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
3240 s
3241 }
3242
3243 #[test]
3244 fn allows_blocks_listed_skip_date() {
3245 use chrono::TimeZone;
3246 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
3247 // Any time on a listed date is blocked (whole day).
3248 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
3249 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
3250 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
3251 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
3252 // A date not in the list fires normally.
3253 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
3254 assert!(s.constraints.allows(off, ScheduleTz::Utc));
3255 }
3256
3257 #[test]
3258 fn allows_corrupt_skip_date_fails_closed() {
3259 use chrono::TimeZone;
3260 // A garbled entry (only reachable via hand-edited KV) blocks
3261 // rather than silently re-enabling fires — same posture as a
3262 // corrupt window.
3263 let s = with_skip_dates(&["not-a-date"]);
3264 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
3265 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
3266 }
3267
3268 #[test]
3269 fn validate_accepts_good_skip_dates() {
3270 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
3271 .validate()
3272 .expect("well-formed skip dates should validate");
3273 }
3274
3275 #[test]
3276 fn validate_rejects_bad_skip_date() {
3277 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
3278 let err = with_skip_dates(&[bad]).validate().unwrap_err();
3279 assert!(
3280 err.contains("constraints.skip_dates"),
3281 "for '{bad}', got: {err}"
3282 );
3283 }
3284 }
3285
3286 #[test]
3287 fn preview_skips_holidays() {
3288 use chrono::TimeZone;
3289 // Daily 09:00 with two of the next five days marked as holidays
3290 // — preview drops exactly those, since it gates on `allows`.
3291 let mut s = cal_utc("09:00", &[]);
3292 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
3293 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3294 let got = s.preview_fires(now, 4);
3295 let want: Vec<_> = [
3296 (2026, 6, 10),
3297 (2026, 6, 12), // skips 06-11
3298 (2026, 6, 14), // skips 06-13
3299 (2026, 6, 15),
3300 ]
3301 .iter()
3302 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
3303 .collect();
3304 assert_eq!(got, want);
3305 }
3306
3307 // ---- constraints.max_concurrent (#418) ----
3308
3309 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
3310 let mut s = schedule_with(
3311 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3312 runs_on,
3313 );
3314 s.constraints.max_concurrent = Some(max);
3315 s
3316 }
3317
3318 #[test]
3319 fn validate_accepts_backend_max_concurrent() {
3320 with_max_concurrent(5, RunsOn::Backend)
3321 .validate()
3322 .expect("backend max_concurrent should validate");
3323 }
3324
3325 #[test]
3326 fn validate_rejects_max_concurrent_on_agent() {
3327 // Decision E: a central running-instance cap needs a central
3328 // counter, which agents don't have.
3329 let err = with_max_concurrent(5, RunsOn::Agent)
3330 .validate()
3331 .unwrap_err();
3332 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
3333 assert!(err.contains("runs_on: agent"), "got: {err}");
3334 }
3335
3336 #[test]
3337 fn validate_rejects_zero_max_concurrent() {
3338 let err = with_max_concurrent(0, RunsOn::Backend)
3339 .validate()
3340 .unwrap_err();
3341 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
3342 }
3343
3344 #[test]
3345 fn max_concurrent_round_trips_and_skips_when_absent() {
3346 let s = with_max_concurrent(3, RunsOn::Backend);
3347 let json = serde_json::to_value(&s.constraints).expect("ser");
3348 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
3349 // A schedule with no constraints omits the whole block.
3350 let bare = schedule_with(
3351 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3352 RunsOn::Backend,
3353 );
3354 assert!(bare.constraints.is_empty());
3355 }
3356
3357 #[test]
3358 fn window_fail_closed_on_corrupt_blob() {
3359 // A malformed window (only reachable via a hand-edited KV
3360 // blob — validate() rejects it at create) must BLOCK, not
3361 // silently allow fires during a change-freeze (gemini #452).
3362 let s = with_window("22:00_05:00");
3363 assert!(
3364 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
3365 "corrupt window fails closed"
3366 );
3367 // …and the scheduler can surface why it's stuck.
3368 assert!(
3369 s.bad_window().is_some(),
3370 "bad_window reports the parse error"
3371 );
3372 assert!(with_window("22:00-05:00").bad_window().is_none());
3373 }
3374
3375 #[test]
3376 fn calendar_outside_window_is_flagged() {
3377 // at 09:00 can never fall in 22:00-05:00 → never fires.
3378 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
3379 s.constraints.window = Some("22:00-05:00".into());
3380 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
3381
3382 // at 23:00 IS inside the overnight window → fine.
3383 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
3384 s.constraints.window = Some("22:00-05:00".into());
3385 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
3386
3387 // reconcile shapes are never flagged (they poll every minute).
3388 let mut s = schedule_with(
3389 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3390 RunsOn::Backend,
3391 );
3392 s.constraints.window = Some("22:00-05:00".into());
3393 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
3394
3395 // no window → never flagged.
3396 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3397 assert!(!s.calendar_outside_window());
3398 }
3399
3400 // ---- on_failure.retry (#418 Phase 4) ----
3401
3402 fn with_retry(max: u32, backoff: &str) -> Schedule {
3403 let mut s = schedule_with(
3404 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3405 RunsOn::Backend,
3406 );
3407 s.on_failure.retry = Some(Retry {
3408 max,
3409 backoff: backoff.into(),
3410 });
3411 s
3412 }
3413
3414 #[test]
3415 fn on_failure_parses_and_round_trips() {
3416 let yaml = r#"
3417id: x
3418when:
3419 per_pc: { every: 6h }
3420job_id: y
3421target: { all: true }
3422on_failure:
3423 retry: { max: 3, backoff: 10m }
3424"#;
3425 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3426 let r = s.on_failure.retry.as_ref().expect("retry present");
3427 assert_eq!(r.max, 3);
3428 assert_eq!(r.backoff, "10m");
3429 let back: Schedule =
3430 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
3431 assert_eq!(back.on_failure, s.on_failure);
3432 }
3433
3434 #[test]
3435 fn on_failure_empty_is_skipped_when_serialising() {
3436 let s = schedule_with(
3437 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3438 RunsOn::Backend,
3439 );
3440 let json = serde_json::to_value(&s).expect("serialise");
3441 assert!(
3442 json.get("on_failure").is_none(),
3443 "empty on_failure must not appear on the wire: {json}"
3444 );
3445 }
3446
3447 #[test]
3448 fn validate_accepts_good_retry() {
3449 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
3450 with_retry(max, backoff)
3451 .validate()
3452 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
3453 }
3454 }
3455
3456 #[test]
3457 fn validate_rejects_bad_backoff() {
3458 let err = with_retry(3, "soon").validate().unwrap_err();
3459 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
3460 }
3461
3462 #[test]
3463 fn validate_rejects_sub_second_backoff() {
3464 // "500ms" parses as humantime but lowers to 0s on the wire —
3465 // reject it so the operator doesn't get a silent no-wait
3466 // (coderabbit #466).
3467 for bad in ["500ms", "0s", "999ms"] {
3468 let err = with_retry(3, bad).validate().unwrap_err();
3469 assert!(
3470 err.contains("on_failure.retry.backoff must be >= 1s"),
3471 "for '{bad}', got: {err}"
3472 );
3473 }
3474 }
3475
3476 #[test]
3477 fn validate_rejects_out_of_range_max() {
3478 for bad in [0u32, 11, 1000] {
3479 let err = with_retry(bad, "10m").validate().unwrap_err();
3480 assert!(
3481 err.contains("on_failure.retry.max"),
3482 "for max={bad}, got: {err}"
3483 );
3484 }
3485 }
3486
3487 #[test]
3488 fn lowered_retry_reduces_backoff_to_seconds() {
3489 let s = with_retry(3, "10m");
3490 let spec = s.on_failure.lowered_retry().expect("a retry policy");
3491 assert_eq!(spec.max, 3);
3492 assert_eq!(spec.backoff_secs, 600);
3493 }
3494
3495 #[test]
3496 fn lowered_retry_is_none_without_policy() {
3497 let s = schedule_with(
3498 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3499 RunsOn::Backend,
3500 );
3501 assert!(s.on_failure.lowered_retry().is_none());
3502 }
3503
3504 // ---- global change-freeze (#418 Phase 5) ----
3505
3506 #[test]
3507 fn freeze_empty_window_is_always_active() {
3508 // The big-red-button shape: no bounds = frozen until cleared.
3509 let f = Freeze::default();
3510 assert!(f.is_active(chrono::Utc::now()));
3511 }
3512
3513 #[test]
3514 fn freeze_window_is_half_open() {
3515 use chrono::TimeZone;
3516 let f = Freeze {
3517 from: Some("2026-12-20T00:00:00+00:00".into()),
3518 until: Some("2027-01-05T00:00:00+00:00".into()),
3519 reason: Some("year-end".into()),
3520 tz: ScheduleTz::Utc,
3521 };
3522 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
3523 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
3524 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
3525 assert!(f.is_active(at(2026, 12, 31)), "inside window");
3526 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
3527 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
3528 }
3529
3530 #[test]
3531 fn freeze_fails_closed_on_corrupt_bound() {
3532 // A freeze is a safety switch: an unparseable bound (only
3533 // reachable via a hand-edited KV blob) must read as FROZEN, not
3534 // "fire normally" (coderabbit #472) — the opposite of `active`,
3535 // which fail-opens.
3536 let f = Freeze {
3537 from: Some("not-a-date".into()),
3538 until: None,
3539 reason: None,
3540 tz: ScheduleTz::Utc,
3541 };
3542 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
3543 }
3544
3545 #[test]
3546 fn freeze_validate_accepts_good_bounds() {
3547 Freeze {
3548 from: Some("2026-12-20".into()),
3549 until: Some("2027-01-05T12:00:00+09:00".into()),
3550 reason: None,
3551 tz: ScheduleTz::Local,
3552 }
3553 .validate()
3554 .expect("date + rfc3339 bounds should validate");
3555 // Empty (indefinite) freeze is valid.
3556 Freeze::default().validate().expect("empty freeze is valid");
3557 }
3558
3559 #[test]
3560 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
3561 let err = Freeze {
3562 from: Some("never".into()),
3563 ..Default::default()
3564 }
3565 .validate()
3566 .unwrap_err();
3567 assert!(err.contains("freeze:"), "got: {err}");
3568
3569 let inverted = Freeze {
3570 from: Some("2027-01-05".into()),
3571 until: Some("2026-12-20".into()),
3572 ..Default::default()
3573 }
3574 .validate()
3575 .unwrap_err();
3576 assert!(inverted.contains("freeze.from"), "got: {inverted}");
3577 }
3578
3579 #[test]
3580 fn freeze_round_trips_and_skips_empty_fields() {
3581 let f = Freeze {
3582 from: None,
3583 until: Some("2027-01-05".into()),
3584 reason: Some("INC-1234".into()),
3585 tz: ScheduleTz::Utc,
3586 };
3587 let json = serde_json::to_value(&f).expect("serialise");
3588 assert!(json.get("from").is_none(), "empty from omitted: {json}");
3589 let back: Freeze = serde_json::from_value(json).expect("round-trip");
3590 assert_eq!(back, f);
3591 }
3592
3593 #[test]
3594 fn shipped_schedule_configs_parse_and_validate() {
3595 // Every YAML under configs/schedules/ must parse with the
3596 // current Schedule serde AND pass validate() — keeps the
3597 // shipped examples from drifting out of sync with the model
3598 // (#418 removed back-compat, so drift = broken at create).
3599 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
3600 let mut seen = 0;
3601 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
3602 let path = entry.expect("dir entry").path();
3603 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
3604 continue;
3605 }
3606 let body = std::fs::read_to_string(&path).expect("read yaml");
3607 let s: Schedule = serde_yaml::from_str(&body)
3608 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
3609 s.validate()
3610 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
3611 seen += 1;
3612 }
3613 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
3614 }
3615
3616 // ---- pre-existing enum wire formats (unchanged by #418) ----
3617
3618 #[test]
3619 fn exec_mode_serialises_snake_case() {
3620 for (mode, expected) in [
3621 (ExecMode::EveryTick, "every_tick"),
3622 (ExecMode::OncePerPc, "once_per_pc"),
3623 (ExecMode::OncePerTarget, "once_per_target"),
3624 ] {
3625 let s = serde_json::to_value(mode).expect("serialise");
3626 assert_eq!(s, serde_json::Value::String(expected.into()));
3627 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
3628 .expect("deserialise");
3629 assert_eq!(back, mode, "round-trip for {expected}");
3630 }
3631 }
3632
3633 #[test]
3634 fn schedule_runs_on_defaults_to_backend() {
3635 let yaml = r#"
3636id: x
3637when:
3638 per_pc: once
3639job_id: y
3640target: { all: true }
3641"#;
3642 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3643 assert_eq!(s.runs_on, RunsOn::Backend);
3644 }
3645
3646 #[test]
3647 fn schedule_runs_on_agent_parses() {
3648 let yaml = r#"
3649id: offline-inv
3650when:
3651 per_pc: { every: 1h }
3652job_id: inventory-hw
3653target: { all: true }
3654runs_on: agent
3655"#;
3656 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3657 assert_eq!(s.runs_on, RunsOn::Agent);
3658 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
3659 }
3660
3661 #[test]
3662 fn runs_on_serialises_snake_case() {
3663 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
3664 let s = serde_json::to_value(mode).expect("serialise");
3665 assert_eq!(s, serde_json::Value::String(expected.into()));
3666 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
3667 .expect("deserialise");
3668 assert_eq!(back, mode);
3669 }
3670 }
3671
3672 #[test]
3673 fn execute_shell_into_wire_shell() {
3674 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
3675 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
3676 }
3677
3678 #[test]
3679 fn manifest_staleness_defaults_to_cached() {
3680 let yaml = r#"
3681id: x
3682version: 1.0.0
3683execute:
3684 shell: powershell
3685 script: "echo"
3686 timeout: 1s
3687"#;
3688 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3689 assert_eq!(m.staleness, Staleness::Cached);
3690 }
3691
3692 #[test]
3693 fn manifest_strict_staleness_parses() {
3694 let yaml = r#"
3695id: urgent-patch
3696version: 2.5.1
3697execute:
3698 shell: powershell
3699 script: Install-Hotfix
3700 timeout: 5m
3701staleness:
3702 mode: strict
3703 max_cache_age: 0s
3704"#;
3705 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3706 match m.staleness {
3707 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
3708 other => panic!("expected strict, got {other:?}"),
3709 }
3710 }
3711
3712 #[test]
3713 fn manifest_unchecked_staleness_parses() {
3714 let yaml = r#"
3715id: legacy
3716version: 0.1.0
3717execute:
3718 shell: cmd
3719 script: "echo"
3720 timeout: 1s
3721staleness:
3722 mode: unchecked
3723"#;
3724 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3725 assert_eq!(m.staleness, Staleness::Unchecked);
3726 }
3727
3728 #[test]
3729 fn missing_required_field_errors() {
3730 // `id` missing.
3731 let yaml = r#"
3732version: 1.0.0
3733target: { all: true }
3734execute:
3735 shell: powershell
3736 script: "echo"
3737 timeout: 1s
3738"#;
3739 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
3740 assert!(r.is_err(), "expected error, got {:?}", r);
3741 }
3742
3743 #[test]
3744 fn display_field_table_kind_round_trips_with_nested_columns() {
3745 // #39: `type: table` + `columns:` on a DisplayField gets
3746 // round-tripped through serde so the SPA receives the
3747 // nested schema verbatim. Nested columns themselves are
3748 // DisplayFields so they can carry `type: bytes` /
3749 // `type: number` for cell formatting.
3750 let yaml = r#"
3751id: inv-hw
3752version: 1.0.0
3753execute:
3754 shell: powershell
3755 script: "echo"
3756 timeout: 60s
3757inventory:
3758 display:
3759 - field: hostname
3760 label: Hostname
3761 - field: disks
3762 label: Disks
3763 type: table
3764 columns:
3765 - field: device_id
3766 label: Drive
3767 - field: size_bytes
3768 label: Size
3769 type: bytes
3770 - field: free_bytes
3771 label: Free
3772 type: bytes
3773 - field: file_system
3774 label: FS
3775"#;
3776 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3777 let inv = m.inventory.as_ref().expect("inventory hint");
3778 let disks = inv
3779 .display
3780 .iter()
3781 .find(|d| d.field == "disks")
3782 .expect("disks display row");
3783 assert_eq!(disks.kind.as_deref(), Some("table"));
3784 let cols = disks.columns.as_ref().expect("table needs columns");
3785 assert_eq!(cols.len(), 4);
3786 assert_eq!(cols[1].field, "size_bytes");
3787 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
3788 }
3789
3790 #[test]
3791 fn display_field_scalar_kind_keeps_columns_none() {
3792 // Defensive: when type is a scalar (`bytes` / `number` /
3793 // `timestamp`) the `columns` field stays None — the SPA
3794 // uses its presence as the "render nested table" signal,
3795 // so it must not leak in via serde defaults.
3796 let yaml = r#"
3797id: x
3798version: 1.0.0
3799execute:
3800 shell: powershell
3801 script: "echo"
3802 timeout: 5s
3803inventory:
3804 display:
3805 - { field: ram_bytes, label: RAM, type: bytes }
3806"#;
3807 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3808 let inv = m.inventory.as_ref().unwrap();
3809 assert!(inv.display[0].columns.is_none());
3810 }
3811
3812 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
3813
3814 /// The JSON Schemas under `docs/schemas/` must match what
3815 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
3816 /// so a `Schedule` / `Manifest` field change can't silently drift
3817 /// the operator-facing schema. The SPA editor, the backend
3818 /// `/api/schemas/*` endpoints, and these files all read the same
3819 /// derived shape; this test fails CI if the checked-in copy lags.
3820 /// Regenerate with:
3821 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
3822 #[test]
3823 fn schema_files_are_current() {
3824 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
3825 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
3826 }
3827
3828 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
3829 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
3830 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
3831 .join("../../docs/schemas")
3832 .join(name);
3833 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
3834 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
3835 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
3836 return;
3837 }
3838 // Normalize CRLF→LF before comparing: `.gitattributes` already
3839 // pins these files to `eol=lf`, but a stray CRLF working-tree
3840 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
3841 // freshness check into a confusing line-ending failure — that's
3842 // .gitattributes' job, not this test's (gemini #588).
3843 let on_disk = std::fs::read_to_string(&path)
3844 .unwrap_or_else(|e| {
3845 panic!(
3846 "read {path:?}: {e}\n\
3847 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3848 )
3849 })
3850 .replace("\r\n", "\n");
3851 assert_eq!(
3852 on_disk, generated,
3853 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
3854 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
3855 );
3856 }
3857}
3858
3859/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
3860/// (target + optional rollout + optional jitter) inline; the
3861/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
3862/// script body. Two schedules of the same job can target different
3863/// groups on different cadences without copying the manifest.
3864///
3865/// #418 Phase 1: the cadence is the single [`When`] field. The old
3866/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
3867/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
3868/// are warn-skipped; re-`schedule create` to upgrade them). The
3869/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
3870/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
3871/// `decide_fire` always ran on.
3872#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
3873pub struct Schedule {
3874 pub id: String,
3875 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
3876 /// or a calendar time trigger (`at` / `days`). See [`When`].
3877 ///
3878 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
3879 /// enums as `!per_pc` YAML tags by default; this keeps the
3880 /// operator-facing map shape (`when: { per_pc: once }`). JSON
3881 /// output is identical either way, and the schemars schema
3882 /// (external tagging = oneOf of single-key objects) already
3883 /// matches the singleton-map wire shape.
3884 #[serde(with = "serde_yaml::with::singleton_map")]
3885 #[schemars(with = "When")]
3886 pub when: When,
3887 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
3888 /// Manifest's `id`.
3889 pub job_id: String,
3890 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
3891 /// carry these any more — same job + different fanout = different
3892 /// schedule.
3893 #[serde(flatten)]
3894 pub plan: FanoutPlan,
3895 /// Optional validity window. Outside `[from, until)` the
3896 /// schedule is dormant — still registered, still visible, but
3897 /// every tick is skipped (deleted ≠ dormant: a campaign that
3898 /// ended stays inspectable and can be re-armed by editing the
3899 /// window). Checked at tick time on both the backend scheduler
3900 /// and the agent's local scheduler.
3901 #[serde(default, skip_serializing_if = "Active::is_empty")]
3902 pub active: Active,
3903 /// #418 operational constraints gating *when within an active
3904 /// period* a fire may happen: a maintenance `window`, a fleet
3905 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
3906 /// wall-clock ones are evaluated in the schedule's `tz`; future
3907 /// `require` (env gates) lands in the same namespace. Checked at
3908 /// tick time on both schedulers (and surfaced by `preview`).
3909 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
3910 pub constraints: Constraints,
3911 /// #418 Phase 4: what to do after a fire's script comes back
3912 /// failed. Currently just `retry` (fixed-backoff in-process
3913 /// re-run); future `notify` / `disable` join the same namespace.
3914 /// Applied fire-side in `handle_command` (the retry policy is
3915 /// lowered onto every Command this schedule produces), so it
3916 /// covers both `runs_on` locations.
3917 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
3918 pub on_failure: OnFailure,
3919 /// #418 Phase 2: the timezone this schedule's wall-clock fields
3920 /// are evaluated in — both the calendar `at` firing time AND the
3921 /// `active.{from,until}` window bounds. `local` (default) = the
3922 /// running host's TZ (the agent's for `runs_on: agent`, the
3923 /// backend server's otherwise); `utc` for TZ-independent
3924 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
3925 /// for firing (poll cron runs every minute regardless) but still
3926 /// honor it for the `active` window.
3927 #[serde(default)]
3928 pub tz: ScheduleTz,
3929 /// v0.22: optional humantime window after a cron tick during
3930 /// which the Command is still considered "live". The scheduler
3931 /// computes `tick_at + starting_deadline` and stamps it onto
3932 /// each Command as `deadline_at`; agents skip Commands they
3933 /// receive after that absolute time. `None` (default) = no
3934 /// deadline, meaning a Command queued in the broker / stream
3935 /// during agent downtime runs whenever the agent reconnects —
3936 /// good for kitting / inventory / cleanup. Set this for
3937 /// time-of-day notifications, lunch reminders, etc., where
3938 /// "fire 3 hours late" would be wrong.
3939 #[serde(default, skip_serializing_if = "Option::is_none")]
3940 pub starting_deadline: Option<String>,
3941 /// v0.23: where does the cron tick happen? `Backend` (default,
3942 /// historical) = backend's scheduler fires Commands via NATS;
3943 /// agents passively receive. `Agent` = each targeted agent runs
3944 /// its own internal cron and fires locally, so the schedule
3945 /// keeps ticking even when the broker is unreachable (laptop on
3946 /// the train, broker maintenance window, full WAN outage). The
3947 /// two locations are mutually exclusive — when `Agent`, the
3948 /// backend scheduler stays out and just keeps the definition in
3949 /// KV for agents to read.
3950 #[serde(default)]
3951 pub runs_on: RunsOn,
3952 #[serde(default = "default_true")]
3953 pub enabled: bool,
3954 /// Free-form operator taxonomy for the Schedules page — the
3955 /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
3956 /// code ref rather than an intra-doc link, since that field isn't
3957 /// on this branch until #640 merges). Purely a SPA-side
3958 /// organisational aid (search / filter chips alongside the
3959 /// id-prefix grouping); the scheduler never reads it, so any
3960 /// string is allowed and it carries no firing semantics. A
3961 /// schedule's own tags are independent of its job's: the same job
3962 /// may back a `weekly` maintenance schedule and a `canary` rollout
3963 /// schedule. Empty by default and `skip_serializing_if`-elided per
3964 /// the #492 gradual-upgrade wire rule.
3965 #[serde(default, skip_serializing_if = "Vec::is_empty")]
3966 pub tags: Vec<String>,
3967 /// GitOps provenance (#695) — see [`RepoOrigin`]. Stamped by
3968 /// `kanade schedule create` when the source YAML lives inside a Git
3969 /// work tree, so the SPA renders the schedule read-only and points
3970 /// edits back at the repo (SPEC design principle #3: 設定駆動 YAML +
3971 /// Git), parity with a job's [`Manifest::origin`]. `None` for
3972 /// SPA-born schedules and ones applied from outside any repo. Purely
3973 /// informational — the scheduler never reads it. New field ⇒ #492
3974 /// wire rule (`default` + `skip_serializing_if`).
3975 #[serde(default, skip_serializing_if = "Option::is_none")]
3976 pub origin: Option<RepoOrigin>,
3977}
3978
3979/// v0.23 — where the cron tick fires from.
3980#[derive(
3981 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
3982)]
3983#[serde(rename_all = "snake_case")]
3984pub enum RunsOn {
3985 /// Backend's central scheduler ticks and publishes Commands to
3986 /// NATS. Historical default, what every pre-v0.23 schedule
3987 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
3988 /// reconnects ⇒ catch-up via [`command_replay`](crate)
3989 /// (see kanade-agent's command_replay module).
3990 #[default]
3991 Backend,
3992 /// Each targeted agent runs the cron tick locally. Survives
3993 /// broker / WAN outages. Best for laptops / mobile devices that
3994 /// roam off the corporate network. Agent must be online for the
3995 /// initial schedule + job-catalog pull, but once cached the
3996 /// agent fires the script standalone.
3997 Agent,
3998}
3999
4000/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
4001#[derive(
4002 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
4003)]
4004#[serde(rename_all = "snake_case")]
4005pub enum ExecMode {
4006 /// Fire on every cron tick at the whole target. Historical
4007 /// (pre-v0.19) behavior; no dedup.
4008 #[default]
4009 EveryTick,
4010 /// Fire at each pc until that pc succeeds; then skip it until
4011 /// the optional cooldown elapses (or forever if no cooldown).
4012 /// Use for kitting / first-boot / per-pc compliance checks.
4013 OncePerPc,
4014 /// Fire at the whole target until **any** pc succeeds; then
4015 /// skip the whole target until the optional cooldown elapses
4016 /// (or forever if no cooldown). Use for "one delegate is
4017 /// enough" tasks like license check-in.
4018 OncePerTarget,
4019 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
4020 /// no cron — the agent fires it from an OS event source (boot /
4021 /// session-change), not a tick — so the scheduler skips
4022 /// `tokio-cron` registration for it. Each event occurrence fires
4023 /// once, gated by the standard freeze / active / window /
4024 /// skip_dates checks.
4025 Event,
4026}
4027
4028/// #418 Phase 1 — the single "when does this fire" axis.
4029///
4030/// Replaces the old `cron` + `mode` + `cooldown` trio whose
4031/// interactions were implicit (cron doubled as both a real
4032/// time-of-day trigger and a reconcile poll period; contradictory
4033/// combinations silently no-opped). Two shapes:
4034///
4035/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
4036/// pc (or one delegate) should have run this within `every`".
4037/// The poll period is system-generated ([`POLL_CRON`], every
4038/// minute) and no longer the operator's concern.
4039/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
4040/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
4041/// the whole target at the given time, no dedup. `at: "09:00"` +
4042/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
4043/// exactly once. Evaluated in the schedule's top-level `tz`.
4044#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4045#[serde(rename_all = "snake_case")]
4046pub enum When {
4047 /// Fire at each targeted pc: `once` (kitting — succeed once,
4048 /// skip forever, forever catching brand-new / re-imaged pcs)
4049 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
4050 /// the interval).
4051 PerPc(PerPolicy),
4052 /// Fire until **any** one pc of the target succeeds, then skip
4053 /// the whole target (`once`) or re-arm after `every`. Needs
4054 /// fleet-wide completion data, so it is backend-only —
4055 /// `runs_on: agent` + `per_target` is rejected by
4056 /// [`Schedule::validate`].
4057 PerTarget(PerPolicy),
4058 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
4059 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
4060 /// the whole target at that wall-clock time in the schedule's
4061 /// `tz` — no dedup, no cooldown.
4062 Calendar(CalendarSpec),
4063 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
4064 /// Fires when the agent observes the listed OS event(s) rather than
4065 /// on a clock — there is no cron. `runs_on: agent` only (the agent
4066 /// owns the event source); [`Schedule::validate`] rejects it on
4067 /// `backend` and rejects an empty list. Each event occurrence fires
4068 /// once, gated by the same freeze / active / `constraints.window` /
4069 /// `skip_dates` checks as the cron path. `startup` fires once per OS
4070 /// boot (deduped via the host boot time); a `starting_deadline`, if
4071 /// set, limits it to "agent came up within that long after boot".
4072 On(Vec<OnTrigger>),
4073}
4074
4075/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
4076#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
4077#[serde(rename_all = "snake_case")]
4078pub enum OnTrigger {
4079 /// Once per OS boot (the agent's first run for that boot). Catches
4080 /// freshly-imaged / reinstalled hosts at their next startup.
4081 Startup,
4082 /// On an interactive-session user logon — console, RDP, or
4083 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
4084 /// service / network / batch logons (no interactive session).
4085 Logon,
4086 /// When the workstation is locked (Win+L / idle lock; Windows
4087 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
4088 Lock,
4089 /// When the workstation is unlocked — the user returns to a locked
4090 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
4091 /// compliance / refresh state when work resumes.
4092 Unlock,
4093 /// When the host's network changes — IP address table change on
4094 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
4095 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
4096 /// from one transition fires once after the network settles), so
4097 /// use it for "re-check connectivity / re-register on network move"
4098 /// rather than expecting one fire per raw adapter event.
4099 ///
4100 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
4101 /// transition that touches only IPv6 addresses won't fire. In practice
4102 /// dual-stack networks change both tables together, but a pure-IPv6
4103 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
4104 NetworkChange,
4105}
4106
4107/// Calendar time trigger (#418 Phase 2). `at` is either a time of
4108/// day (`"HH:MM"`, repeating — combine with `days`) or a full
4109/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
4110/// never again). Evaluated in the schedule's top-level `tz`.
4111#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4112pub struct CalendarSpec {
4113 /// `"HH:MM"` (24h) for a repeating trigger, or
4114 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
4115 /// accepted) for a one-shot. Parsed lazily —
4116 /// [`Schedule::validate`] rejects garbage at create time.
4117 pub at: String,
4118 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
4119 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
4120 /// field, so ranges and names both work). An **nth-weekday**
4121 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
4122 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
4123 /// `["friL"]` fires only on the last Friday of each month (handy
4124 /// for monthly maintenance). Empty = every day. Must be empty
4125 /// when `at` carries a date (the date already pins the day).
4126 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4127 pub days: Vec<String>,
4128}
4129
4130/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
4131/// date for a one-shot (`None` = repeating time-of-day).
4132struct ParsedAt {
4133 minute: u32,
4134 hour: u32,
4135 date: Option<chrono::NaiveDate>,
4136}
4137
4138impl CalendarSpec {
4139 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
4140 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
4141 fn parse_at(&self) -> Result<ParsedAt, String> {
4142 use chrono::Timelike;
4143 let s = self.at.trim();
4144 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
4145 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
4146 return Ok(ParsedAt {
4147 minute: dt.minute(),
4148 hour: dt.hour(),
4149 date: Some(dt.date()),
4150 });
4151 }
4152 }
4153 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
4154 return Ok(ParsedAt {
4155 minute: t.minute(),
4156 hour: t.hour(),
4157 date: None,
4158 });
4159 }
4160 Err(format!(
4161 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
4162 self.at
4163 ))
4164 }
4165
4166 /// Pre-flight check on the `days` tokens so a bad day name gives
4167 /// a `when.days:`-scoped error instead of croner's confusing
4168 /// "when.at lowered to invalid cron" (claude #432 review). Each
4169 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
4170 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
4171 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
4172 /// **last-weekday** like `friL` (last Friday of the month).
4173 fn validate_days(&self) -> Result<(), String> {
4174 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
4175 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
4176 for tok in &self.days {
4177 // Report the whole token on a malformed range like `mon-`
4178 // (which would otherwise split to a cryptic empty part —
4179 // claude #432 follow-up).
4180 let invalid = |reason: &str| {
4181 Err(format!(
4182 "when.days: invalid day token '{tok}' ({reason}; \
4183 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
4184 like tue#2, a last-weekday like friL, or *)"
4185 ))
4186 };
4187 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
4188 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
4189 // `to_cron` passes the token through verbatim, so the
4190 // engine fires only on that occurrence. It's a single
4191 // weekday + ordinal — not combinable with a range.
4192 if let Some((day_part, nth_part)) = tok.split_once('#') {
4193 // Normalize once and use `d` consistently (gemini #547);
4194 // the outer `invalid` already echoes the raw `tok`.
4195 let d = day_part.trim().to_ascii_lowercase();
4196 if d.contains('-') || !is_day(&d) {
4197 return invalid("the part before # must be a single weekday");
4198 }
4199 match nth_part.trim().parse::<u8>() {
4200 Ok(n) if (1..=5).contains(&n) => {}
4201 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
4202 }
4203 continue;
4204 }
4205 // #418: last-weekday suffix (`friL` = last Friday of the
4206 // month — the monthly-maintenance sibling of Patch Tuesday).
4207 // Croner accepts `<dow>L` in the DOW field with verified
4208 // last-<dow>-of-month semantics, and `to_cron` passes it
4209 // through verbatim. A single weekday + `L` — bare `L` and
4210 // ranges are rejected (croner would read bare `L` as
4211 // Saturday, which is a confusing footgun).
4212 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
4213 // No `.trim()`: a cron DOW token can't carry internal
4214 // whitespace, so `"fri L"` must be *rejected* here (its
4215 // strip leaves `"fri "`, and `is_day` catches the space)
4216 // rather than trimmed into a clean `"fri"` that then
4217 // produces a malformed `fri L` cron downstream and a
4218 // confusing croner error (gemini #560).
4219 let d = day_part.to_ascii_lowercase();
4220 if d.is_empty() {
4221 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
4222 }
4223 if d.contains('-') || !is_day(&d) {
4224 return invalid(
4225 "the part before L must be a single weekday (e.g. friL = last Friday)",
4226 );
4227 }
4228 continue;
4229 }
4230 for part in tok.split('-') {
4231 let p = part.trim().to_ascii_lowercase();
4232 if p.is_empty() {
4233 return invalid("empty range bound");
4234 }
4235 if p != "*" && !is_day(&p) {
4236 return invalid(&format!("'{part}' is not a day"));
4237 }
4238 }
4239 }
4240 Ok(())
4241 }
4242
4243 /// For a one-shot (`at` carries a date), the absolute instant it
4244 /// fires in `tz`. `None` for a repeating calendar. Used to warn
4245 /// about a one-shot whose date is already in the past (it would
4246 /// never fire).
4247 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
4248 let p = self.parse_at().ok()?;
4249 let date = p.date?;
4250 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
4251 tz.naive_to_utc(naive)
4252 }
4253
4254 /// The wall-clock time-of-day this calendar fires at (`None` if
4255 /// `at` is unparseable — validate() guards that). Used to detect
4256 /// a calendar whose fire time can never fall inside its
4257 /// `constraints.window` (claude #452 review).
4258 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
4259 let p = self.parse_at().ok()?;
4260 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
4261 }
4262
4263 /// Lower to the cron string the scheduler engine runs. Repeating
4264 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
4265 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
4266 /// fires — that's what makes it one-shot).
4267 fn to_cron(&self) -> Result<String, String> {
4268 use chrono::Datelike;
4269 let ParsedAt { minute, hour, date } = self.parse_at()?;
4270 match date {
4271 Some(d) => {
4272 if !self.days.is_empty() {
4273 return Err(
4274 "when.at with a date is a one-shot and cannot be combined with days".into(),
4275 );
4276 }
4277 Ok(format!(
4278 "0 {minute} {hour} {} {} * {}",
4279 d.day(),
4280 d.month(),
4281 d.year()
4282 ))
4283 }
4284 None => {
4285 let dow = if self.days.is_empty() {
4286 "*".to_string()
4287 } else {
4288 self.validate_days()?;
4289 self.days.join(",")
4290 };
4291 Ok(format!("0 {minute} {hour} * * {dow}"))
4292 }
4293 }
4294 }
4295}
4296
4297/// The timezone a schedule's wall-clock fields (`when.at`,
4298/// `active.{from,until}`) are evaluated in (#418 Phase 2).
4299#[derive(
4300 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
4301)]
4302#[serde(rename_all = "snake_case")]
4303pub enum ScheduleTz {
4304 /// The running host's local timezone — the agent's for
4305 /// `runs_on: agent`, the backend server's otherwise. Default.
4306 #[default]
4307 Local,
4308 /// UTC — for timezone-independent schedules.
4309 Utc,
4310}
4311
4312impl ScheduleTz {
4313 /// Interpret a naive (zoneless) datetime as being in this tz and
4314 /// convert to UTC. On a DST *fold* (the local time occurs twice
4315 /// when clocks go back) we pick `.earliest()` rather than
4316 /// rejecting it; `None` is reserved for a true DST *gap* (a local
4317 /// time that never exists). `Utc` is fixed-offset so neither ever
4318 /// happens; `Local` is whatever timezone the running host is set
4319 /// to and *can* hit a gap/fold on any DST-observing host — not
4320 /// just the JST we run today (gemini + claude #432 review).
4321 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
4322 use chrono::TimeZone;
4323 match self {
4324 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
4325 naive,
4326 chrono::Utc,
4327 )),
4328 ScheduleTz::Local => chrono::Local
4329 .from_local_datetime(&naive)
4330 .earliest()
4331 .map(|dt| dt.with_timezone(&chrono::Utc)),
4332 }
4333 }
4334
4335 /// The wall-clock time-of-day `now` reads as in this tz — used by
4336 /// [`Constraints::allows`] to test a maintenance window
4337 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
4338 /// running host's local time.
4339 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
4340 match self {
4341 ScheduleTz::Utc => now.time(),
4342 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
4343 }
4344 }
4345
4346 /// The wall-clock *date* `now` reads as in this tz — used by
4347 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
4348 /// exclusion). Same tz semantics as [`Self::wall_time`].
4349 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
4350 match self {
4351 ScheduleTz::Utc => now.date_naive(),
4352 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
4353 }
4354 }
4355
4356 /// Stable lowercase wire/display label (`local` / `utc`) — matches
4357 /// the serde `snake_case` representation. Used for the preview
4358 /// response's `tz` field so the JSON shape isn't coupled to the
4359 /// `Debug` repr (claude #578 review).
4360 pub fn as_str(self) -> &'static str {
4361 match self {
4362 ScheduleTz::Local => "local",
4363 ScheduleTz::Utc => "utc",
4364 }
4365 }
4366}
4367
4368impl std::fmt::Display for ScheduleTz {
4369 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
4370 f.write_str(self.as_str())
4371 }
4372}
4373
4374/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
4375/// `per_target`. Untagged so the YAML stays the bare keyword or a
4376/// one-key map, nothing more ceremonial.
4377#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4378#[serde(untagged)]
4379pub enum PerPolicy {
4380 /// The bare string `once`: succeed once, then skip permanently
4381 /// (cooldown = infinity).
4382 Once(OnceLiteral),
4383 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
4384 Every(EverySpec),
4385}
4386
4387/// Single-variant enum so serde accepts exactly the string `once`
4388/// (a free-form `String` would swallow typos like `onec`).
4389#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
4390#[serde(rename_all = "snake_case")]
4391pub enum OnceLiteral {
4392 Once,
4393}
4394
4395/// `{ every: <humantime> }`. Standalone struct (not an inline
4396/// struct variant). `{ evry: 6h }` still fails to parse (the
4397/// required `every` key is missing), and the create boundaries
4398/// reject the unknown `evry` via [`crate::strict`] with its path —
4399/// while agents reading a future writer's extra fields tolerate
4400/// them (#492).
4401#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4402pub struct EverySpec {
4403 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
4404 /// [`Schedule::validate`] rejects garbage at create time.
4405 pub every: String,
4406}
4407
4408impl PerPolicy {
4409 /// The cooldown this policy lowers to: `once` = `None`
4410 /// (permanent skip), `every` = the interval.
4411 fn cooldown(&self) -> Option<String> {
4412 match self {
4413 PerPolicy::Once(_) => None,
4414 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
4415 }
4416 }
4417}
4418
4419impl std::fmt::Display for When {
4420 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
4421 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
4422 /// lines, audit payloads and the API's `ScheduleSummary`.
4423 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
4424 let policy = |p: &PerPolicy| match p {
4425 PerPolicy::Once(_) => "once".to_string(),
4426 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
4427 };
4428 match self {
4429 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
4430 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
4431 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
4432 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
4433 When::On(triggers) => {
4434 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
4435 write!(f, "on [{}]", names.join(","))
4436 }
4437 }
4438 }
4439}
4440
4441impl OnTrigger {
4442 /// Lowercase wire/display label (matches the serde `snake_case`).
4443 pub fn as_str(self) -> &'static str {
4444 match self {
4445 OnTrigger::Startup => "startup",
4446 OnTrigger::Logon => "logon",
4447 OnTrigger::Lock => "lock",
4448 OnTrigger::Unlock => "unlock",
4449 OnTrigger::NetworkChange => "network_change",
4450 }
4451 }
4452}
4453
4454/// Optional validity window for a [`Schedule`] (#418 decision G).
4455/// Half-open `[from, until)`; either bound may be omitted. Bounds
4456/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
4457/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
4458/// strings so the JSON Schema the SPA editor consumes stays two
4459/// plain string fields, mirroring `jitter` / `starting_deadline`.
4460///
4461/// #418 Phase 2: bounds are evaluated in the schedule's top-level
4462/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
4463/// calendar `at` AND the `active` window local — one consistent
4464/// timezone per schedule.
4465#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4466pub struct Active {
4467 /// Dormant before this instant.
4468 #[serde(default, skip_serializing_if = "Option::is_none")]
4469 pub from: Option<String>,
4470 /// Dormant from this instant on (exclusive).
4471 #[serde(default, skip_serializing_if = "Option::is_none")]
4472 pub until: Option<String>,
4473}
4474
4475impl Active {
4476 /// `skip_serializing_if` helper — an empty window means "always
4477 /// active" and is omitted from the wire format entirely.
4478 pub fn is_empty(&self) -> bool {
4479 self.from.is_none() && self.until.is_none()
4480 }
4481
4482 /// Parse one bound: RFC3339 first (offset honored, `tz`
4483 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
4484 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
4485 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
4486 return Ok(dt.with_timezone(&chrono::Utc));
4487 }
4488 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
4489 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
4490 return tz.naive_to_utc(midnight).ok_or_else(|| {
4491 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
4492 });
4493 }
4494 Err(format!(
4495 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
4496 ))
4497 }
4498
4499 /// Is `now` inside the window? Unparseable bounds are treated
4500 /// as absent here (fail-open) — [`Schedule::validate`] is the
4501 /// place that rejects them loudly; this runs on every tick and
4502 /// must never panic on a stale KV blob.
4503 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
4504 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
4505 if bound(&self.from).is_some_and(|from| now < from) {
4506 return false;
4507 }
4508 if bound(&self.until).is_some_and(|until| now >= until) {
4509 return false;
4510 }
4511 true
4512 }
4513}
4514
4515/// Host-environment gate (#418 `constraints.require`). Fire only when
4516/// the target host is in the required state. Sensed **in-process by the
4517/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
4518/// read a target host's power/idle state ([`Schedule::validate`]
4519/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
4520///
4521/// Evaluated at fire time as a skip-this-tick gate (NOT in
4522/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
4523/// cadence re-checks every minute (so it effectively defers until the
4524/// state is met — the intended pairing); a `calendar` fire that lands
4525/// while the state is unmet is simply missed, same as `window`. It is
4526/// therefore a *runtime* gate and does not appear in `preview`.
4527// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
4528#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
4529pub struct Require {
4530 /// Fire only while on **AC power** (skip on battery). Reads
4531 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
4532 /// as not-on-AC (fail-closed — a restrictive gate must not fire
4533 /// when it can't confirm the condition). `false` (default) = no
4534 /// power requirement.
4535 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
4536 pub ac_power: bool,
4537 /// Fire only when the active console session has had **no keyboard /
4538 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
4539 /// "don't run while the user is actively working". Input-based
4540 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
4541 /// headless / disconnected console (no interactive user) trivially
4542 /// satisfies it. `None` (default) = no idle requirement. Parsed
4543 /// lazily; [`Schedule::validate`] rejects garbage at create time.
4544 #[serde(default, skip_serializing_if = "Option::is_none")]
4545 pub idle: Option<String>,
4546 /// Fire only when the **whole-machine CPU usage is below this
4547 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
4548 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
4549 /// sample (`sysinfo` mean over cores), so the reading is up to one
4550 /// `host_perf` cadence old (default 60s) — fine as a "generally
4551 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
4552 /// needs two samples). An unavailable sample (host_perf not warmed
4553 /// up yet, or stale) is treated as "not below" (fail-closed — a
4554 /// restrictive gate must not fire when it can't confirm). `None`
4555 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
4556 /// out-of-range value at create time.
4557 #[serde(default, skip_serializing_if = "Option::is_none")]
4558 pub cpu_below: Option<f64>,
4559 /// Fire only when the host has **internet connectivity** (Windows
4560 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
4561 /// until online" for jobs that download / phone home. A captive
4562 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
4563 /// unknown/unreadable state is treated as offline (fail-closed) — a
4564 /// portal would just fail a download, so we hold the run. For VPN /
4565 /// SASE / app-specific conditions, use a custom script gate (separate
4566 /// slice). `false` (default) = no network requirement.
4567 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
4568 pub network: bool,
4569}
4570
4571impl Require {
4572 /// `skip_serializing_if` helper for an embedded empty `require`.
4573 pub fn is_empty(&self) -> bool {
4574 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
4575 }
4576
4577 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
4578 /// unparseable value — `validate` rejects the latter at create time).
4579 pub fn min_idle(&self) -> Option<std::time::Duration> {
4580 self.idle
4581 .as_deref()
4582 .and_then(|s| humantime::parse_duration(s.trim()).ok())
4583 }
4584
4585 /// First unparseable field for create-time rejection (mirrors
4586 /// [`Constraints::bad_skip_date`]).
4587 pub fn bad_idle(&self) -> Option<String> {
4588 self.idle.as_deref().and_then(|s| {
4589 humantime::parse_duration(s.trim())
4590 .err()
4591 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
4592 })
4593 }
4594}
4595
4596/// Host-environment state sensed by the agent, fed to [`require_met`].
4597/// A named struct (not positional args) so the growing set of sensed
4598/// signals — several of them `bool` — can't be transposed at a call
4599/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
4600#[derive(Debug, Clone, Copy, Default)]
4601pub struct EnvState {
4602 /// Is the host on AC power (`false` if on battery or unreadable).
4603 pub ac_online: bool,
4604 /// How long the console has been idle (`None` = couldn't determine).
4605 pub idle: Option<std::time::Duration>,
4606 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
4607 pub cpu_pct: Option<f64>,
4608 /// Does the host have internet connectivity (`false` if offline /
4609 /// LAN-only / unreadable).
4610 pub network_up: bool,
4611}
4612
4613/// Pure env-gate decision (#418 `constraints.require`). The Win32
4614/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
4615/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
4616/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
4617/// pure and `preview` never evaluates a runtime gate. Each set
4618/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
4619pub fn require_met(req: &Require, env: &EnvState) -> bool {
4620 if req.ac_power && !env.ac_online {
4621 return false;
4622 }
4623 if let Some(min) = req.min_idle() {
4624 match env.idle {
4625 Some(d) if d >= min => {}
4626 _ => return false,
4627 }
4628 }
4629 if let Some(max) = req.cpu_below {
4630 match env.cpu_pct {
4631 Some(p) if p < max => {}
4632 _ => return false,
4633 }
4634 }
4635 if req.network && !env.network_up {
4636 return false;
4637 }
4638 true
4639}
4640
4641/// [`Active`] decides *over what date range* a schedule is live,
4642/// `Constraints` decides *when, within an active period,* a fire is
4643/// allowed: `window` (a maintenance time-of-day window),
4644/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
4645/// (holiday exclusion) and `require` (host-environment gates, agent-only
4646/// — see [`Require`]).
4647// No `Eq`: contains `require: Option<Require>` which holds an f64.
4648#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
4649pub struct Constraints {
4650 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
4651 /// `tz`). Fires outside it are skipped — mainly for reconcile
4652 /// cadences ("patrol every 6h, but only fire overnight") and
4653 /// daytime change-freezes. `start > end` crosses midnight
4654 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
4655 /// lazily; [`Schedule::validate`] rejects garbage at create time.
4656 #[serde(default, skip_serializing_if = "Option::is_none")]
4657 pub window: Option<String>,
4658 /// Fleet-wide cap on how many instances of this schedule's job may
4659 /// run **at the same time** (#418 "同時実行ハード上限"). The
4660 /// backend scheduler counts the job's still-in-flight runs
4661 /// (`execution_results.finished_at IS NULL`) each tick and only
4662 /// dispatches to as many remaining pcs as there are free slots —
4663 /// a rolling window that refills as runs complete. Useful for
4664 /// disk/CPU/network-heavy jobs you don't want hammering the whole
4665 /// fleet at once.
4666 ///
4667 /// **Backend-only** (it needs a central counter): combining it
4668 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
4669 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
4670 /// for `per_pc` reconcile cadences, where the poll re-ticks and
4671 /// refills slots. `None` (default) = no cap.
4672 #[serde(default, skip_serializing_if = "Option::is_none")]
4673 pub max_concurrent: Option<u32>,
4674 /// Calendar dates the schedule must **not** fire on — holidays,
4675 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
4676 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
4677 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
4678 /// the whole day; a calendar fire landing on the date is
4679 /// suppressed) and is honored by both the live scheduler and
4680 /// `preview`, since both gate on [`Constraints::allows`]. Empty
4681 /// (default) = no skips. Operator-supplied: there is no built-in
4682 /// holiday calendar — list the dates you care about. Parsed lazily;
4683 /// [`Schedule::validate`] rejects a malformed date at create time.
4684 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4685 pub skip_dates: Vec<String>,
4686 /// Host-environment gate (#418): fire only when the target host is
4687 /// in the required state (on AC power, idle). Agent-sensed at fire
4688 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
4689 /// no environment requirement.
4690 #[serde(default, skip_serializing_if = "Option::is_none")]
4691 pub require: Option<Require>,
4692}
4693
4694impl Constraints {
4695 /// `skip_serializing_if` helper — empty constraints are omitted
4696 /// from the wire format entirely.
4697 pub fn is_empty(&self) -> bool {
4698 self.window.is_none()
4699 && self.max_concurrent.is_none()
4700 && self.skip_dates.is_empty()
4701 && self.require.as_ref().is_none_or(Require::is_empty)
4702 }
4703
4704 /// The first unparseable `skip_dates` entry, if any — the
4705 /// scheduler logs it at register time so a fail-closed
4706 /// (never-firing) schedule from a hand-edited KV blob is
4707 /// diagnosable, mirroring [`Schedule::bad_window`].
4708 pub fn bad_skip_date(&self) -> Option<String> {
4709 self.skip_dates.iter().find_map(|s| {
4710 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
4711 .err()
4712 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
4713 })
4714 }
4715
4716 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
4717 /// error (a zero-width or all-day window is ambiguous — write no
4718 /// window for "always").
4719 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
4720 let (a, b) = s
4721 .split_once('-')
4722 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
4723 let parse = |part: &str| {
4724 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
4725 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
4726 };
4727 let (start, end) = (parse(a)?, parse(b)?);
4728 if start == end {
4729 return Err(format!(
4730 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
4731 ));
4732 }
4733 Ok((start, end))
4734 }
4735
4736 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
4737 /// always allowed. Half-open `[start, end)`; `start > end`
4738 /// crosses midnight.
4739 ///
4740 /// **Fail-closed** on an unparseable window (returns `false`,
4741 /// gemini #452 review): a window is a *restrictive* constraint
4742 /// (change-freeze / overnight-only), so a corrupt one must NOT
4743 /// silently allow fires during the restricted hours. Bad windows
4744 /// are rejected at create time by [`Schedule::validate`]; this
4745 /// only bites a hand-edited KV blob, where blocking is the safe
4746 /// direction. The scheduler warns at register time
4747 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
4748 /// The tick path never panics regardless.
4749 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
4750 // #418 holiday / blackout dates: never fire on a listed wall
4751 // date (in `tz`). Checked before the window since a skipped day
4752 // overrides any within-window allowance. Fail-closed on a
4753 // corrupt entry (same posture as `window`): a skip date is a
4754 // *restrictive* constraint, so a garbled one must not silently
4755 // re-enable fires — it blocks until fixed (`validate` rejects it
4756 // at create time; `bad_skip_date` lets the scheduler warn).
4757 if !self.skip_dates.is_empty() {
4758 let today = tz.wall_date(now);
4759 let blocked = self.skip_dates.iter().any(|s| {
4760 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
4761 Ok(d) => d == today,
4762 Err(_) => true, // corrupt entry → fail-closed (block)
4763 }
4764 });
4765 if blocked {
4766 return false;
4767 }
4768 }
4769 match self.window.as_deref() {
4770 // No window → always allowed.
4771 None => true,
4772 // Window set: membership, or fail-closed if unparseable
4773 // (`window_contains` returns None for a corrupt window).
4774 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
4775 }
4776 }
4777
4778 /// Membership of a wall-clock time-of-day in the window. `None`
4779 /// when there is no window or it's unparseable (callers decide
4780 /// the failure direction). `start > end` crosses midnight.
4781 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
4782 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
4783 Some(if start <= end {
4784 start <= t && t < end
4785 } else {
4786 t >= start || t < end
4787 })
4788 }
4789}
4790
4791/// What to do when a fire's script fails (#418 Phase 4 — the "高"
4792/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
4793/// happens, `OnFailure` decides what happens *after* one ran and
4794/// came back bad. Only `retry` so far; future `notify` / `disable`
4795/// would join the same namespace.
4796#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4797pub struct OnFailure {
4798 /// Re-run the script in-process when it exits non-zero (or times
4799 /// out), up to a cap, with a fixed backoff between attempts.
4800 /// `None` (default) = no retry: a failed run is published as-is
4801 /// and (for reconcile cadences) simply re-fires on the next poll
4802 /// tick. See [`Retry`].
4803 #[serde(default, skip_serializing_if = "Option::is_none")]
4804 pub retry: Option<Retry>,
4805}
4806
4807impl OnFailure {
4808 /// `skip_serializing_if` helper — an empty policy is omitted from
4809 /// the wire format entirely.
4810 pub fn is_empty(&self) -> bool {
4811 self.retry.is_none()
4812 }
4813
4814 /// Lower the operator-facing `retry` (humantime backoff) onto the
4815 /// engine vocabulary the agent's executor runs on (backoff in
4816 /// whole seconds). Single seam shared by the backend command
4817 /// builder and the agent's local scheduler so the two stamp the
4818 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
4819 /// `None` when there is no retry policy or the backoff is
4820 /// unparseable (validate() rejects the latter at create time;
4821 /// this stays fail-safe = "no retry" for a hand-edited KV blob
4822 /// rather than panicking on the fire path).
4823 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
4824 let r = self.retry.as_ref()?;
4825 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
4826 Some(crate::wire::RetrySpec {
4827 max: r.max,
4828 backoff_secs,
4829 })
4830 }
4831}
4832
4833/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
4834/// *additional* attempts after the first run (so `max: 3` = up to 4
4835/// total executions); `backoff` is the humantime delay slept between
4836/// attempts. The retry happens fire-side (inside `kanade fire` /
4837/// `handle_command`) on every OS for the PoC — the Windows-native
4838/// "restart on failure" Task Scheduler path is deferred to the
4839/// native-delegation phase (#418 decision H).
4840#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4841pub struct Retry {
4842 /// Max additional attempts after the first failure. Bounded
4843 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
4844 /// with a short backoff would otherwise pin a flapping script in
4845 /// a tight loop for the whole window.
4846 pub max: u32,
4847 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
4848 pub backoff: String,
4849}
4850
4851/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
4852/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
4853/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
4854/// global* "stop all automated change" switch the operator flips
4855/// during an incident or a year-end change-freeze. It lives in its
4856/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
4857/// active, both the backend scheduler and every agent's local
4858/// scheduler skip *every* fire.
4859///
4860/// Shapes:
4861/// * `{}` (no bounds) — frozen indefinitely until the operator
4862/// clears it (incident "big red button").
4863/// * `{ from, until }` — frozen only within `[from, until)`,
4864/// evaluated in `tz` (planned change-freeze; auto-thaws).
4865///
4866/// The KV key being *absent* means "not frozen" — so clearing the
4867/// freeze is a KV delete, and `is_active` only ever runs on a freeze
4868/// the operator actually set.
4869#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
4870pub struct Freeze {
4871 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
4872 /// `tz`). `None` ⇒ frozen from the beginning of time.
4873 #[serde(default, skip_serializing_if = "Option::is_none")]
4874 pub from: Option<String>,
4875 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
4876 /// no scheduled end (manual clear required).
4877 #[serde(default, skip_serializing_if = "Option::is_none")]
4878 pub until: Option<String>,
4879 /// Operator-supplied note surfaced on the freeze-skip log and the
4880 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
4881 #[serde(default, skip_serializing_if = "Option::is_none")]
4882 pub reason: Option<String>,
4883 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
4884 /// carry their own offset). Defaults to host-local like a
4885 /// schedule's `tz`.
4886 #[serde(default)]
4887 pub tz: ScheduleTz,
4888}
4889
4890impl Freeze {
4891 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
4892 /// both absent) is frozen unconditionally; otherwise membership of
4893 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
4894 /// but **fails CLOSED** on an unparseable bound — a freeze is a
4895 /// safety switch, so a corrupt window (only reachable via a
4896 /// hand-edited KV blob; `validate` rejects it at set time) must
4897 /// mean "frozen", not "fire normally" (coderabbit #472). This is
4898 /// the one deliberate divergence from `active`'s fail-OPEN
4899 /// behaviour, where an unparseable bound dormant-skips a schedule.
4900 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
4901 // Parse a bound; an unparseable one short-circuits the whole
4902 // check to `true` (frozen) via the closure's `None` sentinel
4903 // handled below.
4904 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
4905 match s.as_deref() {
4906 None => Ok(None),
4907 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
4908 }
4909 };
4910 let (from, until) = match (bound(&self.from), bound(&self.until)) {
4911 (Ok(f), Ok(u)) => (f, u),
4912 // Any corrupt bound → fail closed (frozen).
4913 _ => return true,
4914 };
4915 if from.is_some_and(|f| now < f) {
4916 return false;
4917 }
4918 if until.is_some_and(|u| now >= u) {
4919 return false;
4920 }
4921 true
4922 }
4923
4924 /// Reject unparseable bounds / `from >= until` at set time (the
4925 /// API + CLI counterpart to [`Schedule::validate`]).
4926 pub fn validate(&self) -> Result<(), String> {
4927 let from = self
4928 .from
4929 .as_deref()
4930 .map(|s| Active::parse_bound(s, self.tz))
4931 .transpose()
4932 .map_err(|e| e.replace("active:", "freeze:"))?;
4933 let until = self
4934 .until
4935 .as_deref()
4936 .map(|s| Active::parse_bound(s, self.tz))
4937 .transpose()
4938 .map_err(|e| e.replace("active:", "freeze:"))?;
4939 if let (Some(f), Some(u)) = (from, until) {
4940 if f >= u {
4941 return Err(format!(
4942 "freeze.from ({}) must be strictly before freeze.until ({})",
4943 self.from.as_deref().unwrap_or_default(),
4944 self.until.as_deref().unwrap_or_default(),
4945 ));
4946 }
4947 }
4948 Ok(())
4949 }
4950}
4951
4952/// The system-generated poll cadence every reconcile-shaped `when`
4953/// lowers to. Operators never write this: the real inter-run
4954/// spacing is the `every` cooldown; this only bounds "how soon do
4955/// we notice somebody is due" (#418 decision B took the poll
4956/// period away from the operator).
4957pub const POLL_CRON: &str = "0 * * * * *";
4958
4959/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
4960/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
4961/// unchanged is what lets Phase 1 swap the operator surface without
4962/// touching the tick / dedup machinery.
4963pub struct Lowered {
4964 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
4965 /// reconcile shapes, a 6/7-field cron for calendar shapes.
4966 pub cron: String,
4967 /// Dedup semantics for `decide_fire`.
4968 pub mode: ExecMode,
4969 /// Humantime re-arm interval (`None` = succeed once, skip
4970 /// forever).
4971 pub cooldown: Option<String>,
4972 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
4973 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
4974 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
4975 /// so the same value drives the `active`-window check.
4976 pub tz: ScheduleTz,
4977}
4978
4979impl Schedule {
4980 /// The error message if this schedule's `constraints.window` is
4981 /// set but unparseable, else `None`. The scheduler logs this at
4982 /// register time so a fail-closed (never-firing) schedule from a
4983 /// hand-edited KV blob is diagnosable (gemini #452 review).
4984 pub fn bad_window(&self) -> Option<String> {
4985 let w = self.constraints.window.as_deref()?;
4986 Constraints::parse_window(w).err()
4987 }
4988
4989 /// True when this is a `calendar` schedule whose fire time can
4990 /// never fall inside its `constraints.window` — the cron fires,
4991 /// the window check rejects it, and (firing only at that
4992 /// time-of-day) it effectively never runs. An easy misconfig to
4993 /// set up by accident; the scheduler warns at register time
4994 /// (claude #452 review). Reconcile shapes poll every minute, so
4995 /// they always catch the window opening and aren't affected.
4996 pub fn calendar_outside_window(&self) -> bool {
4997 let When::Calendar(c) = &self.when else {
4998 return false;
4999 };
5000 let Some(t) = c.fire_time() else {
5001 return false;
5002 };
5003 matches!(self.constraints.window_contains(t), Some(false))
5004 }
5005
5006 /// Up to `count` future instants this schedule will fire, as
5007 /// absolute UTC, strictly after `now` — the dry-run / preview
5008 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
5009 /// schedules have discrete fire times; reconcile shapes
5010 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
5011 /// they return an empty vec and the caller describes the cadence
5012 /// instead. Occurrences outside the `active.{from,until}` window or
5013 /// the `constraints.window` are **skipped**, so the list reflects
5014 /// when the schedule will ACTUALLY run, not the raw cron ticks.
5015 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
5016 /// `Job::new_async_tz`, and with the same croner config the
5017 /// scheduler / [`Schedule::validate`] use, so a preview can never
5018 /// disagree with a real fire. A schedule that can never fire (a
5019 /// calendar time wholly outside its window, a past one-shot,
5020 /// `enabled: false` is *not* considered here — callers gate on
5021 /// `enabled` separately) yields an empty vec.
5022 pub fn preview_fires(
5023 &self,
5024 now: chrono::DateTime<chrono::Utc>,
5025 count: usize,
5026 ) -> Vec<chrono::DateTime<chrono::Utc>> {
5027 use croner::parser::{CronParser, Seconds};
5028 if !matches!(self.when, When::Calendar(_)) {
5029 return Vec::new();
5030 }
5031 // Same lowering + croner config as `next_calendar_fire` and the
5032 // live scheduler, so a preview can never disagree with a real
5033 // fire. `preview_fires` adds the N-occurrence walk and the
5034 // active / window filtering on top of that single seam.
5035 let lowered = self.lowered();
5036 let Ok(cron) = CronParser::builder()
5037 .seconds(Seconds::Required)
5038 .dom_and_dow(true)
5039 .build()
5040 .parse(&lowered.cron)
5041 else {
5042 return Vec::new();
5043 };
5044 let accept = |utc: chrono::DateTime<chrono::Utc>| {
5045 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
5046 };
5047 match self.tz {
5048 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
5049 ScheduleTz::Local => {
5050 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
5051 }
5052 }
5053 }
5054
5055 /// Walk croner forward from `after` collecting up to `count`
5056 /// accepted occurrences (converted to UTC). Generic over the tz the
5057 /// cron is evaluated in so `preview_fires` can run it in either
5058 /// `Utc` or `Local` without duplicating the loop.
5059 fn next_occurrences<Tz>(
5060 cron: &croner::Cron,
5061 after: chrono::DateTime<Tz>,
5062 count: usize,
5063 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
5064 ) -> Vec<chrono::DateTime<chrono::Utc>>
5065 where
5066 Tz: chrono::TimeZone,
5067 {
5068 // Bound the scan so an `active`/window dead-end (every future
5069 // tick rejected) can't spin forever: ~4096 raw ticks covers
5070 // >10y of a daily calendar while staying instant for croner.
5071 const SCAN_CAP: usize = 4096;
5072 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
5073 let mut cursor = after;
5074 let mut scanned = 0usize;
5075 while out.len() < count && scanned < SCAN_CAP {
5076 scanned += 1;
5077 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
5078 break;
5079 };
5080 let utc = next.with_timezone(&chrono::Utc);
5081 if accept(utc) {
5082 out.push(utc);
5083 }
5084 // `find_next_occurrence(.., inclusive = false)` already
5085 // advances strictly past `cursor`, so handing it `next`
5086 // verbatim gets the following occurrence — no manual +1s
5087 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
5088 cursor = next;
5089 }
5090 out
5091 }
5092
5093 /// Lower the operator-facing `when` onto the engine vocabulary.
5094 /// Single seam shared by the backend scheduler and the agent's
5095 /// local scheduler so the two can never drift.
5096 pub fn lowered(&self) -> Lowered {
5097 let tz = self.tz;
5098 match &self.when {
5099 When::PerPc(p) => Lowered {
5100 cron: POLL_CRON.into(),
5101 mode: ExecMode::OncePerPc,
5102 cooldown: p.cooldown(),
5103 tz,
5104 },
5105 When::PerTarget(p) => Lowered {
5106 cron: POLL_CRON.into(),
5107 mode: ExecMode::OncePerTarget,
5108 cooldown: p.cooldown(),
5109 tz,
5110 },
5111 // `to_cron` only fails on a malformed `at` (rejected by
5112 // validate() at create time). For a hand-edited KV blob
5113 // that slipped past, emit a deliberately-invalid cron so
5114 // register()'s Job::new_async_tz fails → warn+skip,
5115 // rather than firing at the wrong time.
5116 When::Calendar(c) => Lowered {
5117 cron: c
5118 .to_cron()
5119 .unwrap_or_else(|_| "# invalid calendar at".into()),
5120 mode: ExecMode::EveryTick,
5121 cooldown: None,
5122 tz,
5123 },
5124 // Event triggers have no cron — the agent fires them from an
5125 // OS event source. The `# event-trigger` cron is never
5126 // registered (the scheduler branches on `is_event()` first),
5127 // but keep it deliberately-invalid as a belt-and-suspenders
5128 // so a stray registration would fail rather than misfire.
5129 When::On(_) => Lowered {
5130 cron: "# event-trigger (no cron)".into(),
5131 mode: ExecMode::Event,
5132 cooldown: None,
5133 tz,
5134 },
5135 }
5136 }
5137
5138 /// True when this schedule fires from an OS event (`when: { on }`)
5139 /// rather than a clock — the agent skips `tokio-cron` registration
5140 /// for these and drives them from boot / session-change instead.
5141 pub fn is_event(&self) -> bool {
5142 matches!(self.when, When::On(_))
5143 }
5144
5145 /// The OS event triggers this schedule listens for, or `&[]` when it
5146 /// is not an event schedule.
5147 pub fn event_triggers(&self) -> &[OnTrigger] {
5148 match &self.when {
5149 When::On(t) => t,
5150 _ => &[],
5151 }
5152 }
5153
5154 /// The next absolute (UTC) time this schedule fires, or `None` when
5155 /// it has no discrete upcoming fire to preview.
5156 ///
5157 /// Used by the KLP `maintenance.list` preview ("what's about to
5158 /// happen on my PC", SPEC §2.1). Returns `None` for:
5159 ///
5160 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
5161 /// every-minute [`POLL_CRON`] and re-converge state continuously,
5162 /// so "next fire" is always ~60s away and means nothing to a user
5163 /// previewing upcoming maintenance;
5164 /// - a calendar schedule whose lowered cron won't parse (a
5165 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
5166 /// - a cron with no future occurrence.
5167 ///
5168 /// The wall-clock fire is evaluated in the schedule's own `tz`
5169 /// (matching the live tick's `Job::new_async_tz`) then normalised
5170 /// to UTC for the wire. `inclusive = false`: strictly the *next*
5171 /// fire after `now`, never one matching the current instant.
5172 pub fn next_calendar_fire(
5173 &self,
5174 now: chrono::DateTime<chrono::Utc>,
5175 ) -> Option<chrono::DateTime<chrono::Utc>> {
5176 if !matches!(self.when, When::Calendar(_)) {
5177 return None;
5178 }
5179 let lowered = self.lowered();
5180 // Same parser configuration tokio-cron-scheduler 0.15 uses
5181 // internally, so this can never compute a fire the live
5182 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
5183 let cron = croner::parser::CronParser::builder()
5184 .seconds(croner::parser::Seconds::Required)
5185 .dom_and_dow(true)
5186 .build()
5187 .parse(&lowered.cron)
5188 .ok()?;
5189 match lowered.tz {
5190 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
5191 ScheduleTz::Local => {
5192 let now_local = now.with_timezone(&chrono::Local);
5193 cron.find_next_occurrence(&now_local, false)
5194 .ok()
5195 .map(|t| t.with_timezone(&chrono::Utc))
5196 }
5197 }
5198 }
5199
5200 /// Cross-field semantic checks that don't fit pure serde derive
5201 /// — the [`Manifest::validate`] counterpart (#418 decision F;
5202 /// pre-Phase-1 a broken schedule was accepted at create time
5203 /// and silently warn-skipped at tick time). Run at every create
5204 /// site: `kanade schedule create` (client-side) and
5205 /// `POST /api/schedules`. The job_id-exists check lives in the
5206 /// API handler instead — it needs the JOBS KV.
5207 pub fn validate(&self) -> Result<(), String> {
5208 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
5209 return Err(
5210 "when.per_target needs fleet-wide completion data and is backend-only; \
5211 it cannot be combined with runs_on: agent (each agent self-schedules, \
5212 so per-target dedup would be deduping across a target of 1)"
5213 .into(),
5214 );
5215 }
5216 // #418 event triggers: the agent owns the OS event source
5217 // (boot / session-change), so `when: { on }` is agent-only and
5218 // needs at least one trigger.
5219 if let When::On(triggers) = &self.when {
5220 if !matches!(self.runs_on, RunsOn::Agent) {
5221 return Err(
5222 "when.on (OS event trigger) is fired by the agent's own event \
5223 source, so it requires runs_on: agent"
5224 .into(),
5225 );
5226 }
5227 if triggers.is_empty() {
5228 return Err(
5229 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
5230 );
5231 }
5232 }
5233 if let Some(cd) = self.lowered().cooldown.as_deref() {
5234 humantime::parse_duration(cd)
5235 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
5236 }
5237 if let When::Calendar(c) = &self.when {
5238 // Lower the calendar form to its cron (catches a bad `at`
5239 // and the date+days conflict), then validate that cron
5240 // with the same parser configuration tokio-cron-scheduler
5241 // 0.15 uses internally (croner, seconds required,
5242 // DOM-and-DOW both honored, year optional) — create-time
5243 // validation can never accept what register() rejects.
5244 let cron = c.to_cron()?;
5245 croner::parser::CronParser::builder()
5246 .seconds(croner::parser::Seconds::Required)
5247 .dom_and_dow(true)
5248 .build()
5249 .parse(&cron)
5250 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
5251 }
5252 // The other humantime strings on the schedule (claude #419
5253 // review): runtime degrades gracefully on both (bad jitter →
5254 // silent no-op, bad starting_deadline → warn + skipped tick),
5255 // but "rejected at create time" should cover every field the
5256 // operator can typo, not just `when`.
5257 if let Some(j) = &self.plan.jitter {
5258 humantime::parse_duration(j)
5259 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
5260 }
5261 if let Some(sd) = &self.starting_deadline {
5262 humantime::parse_duration(sd)
5263 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
5264 }
5265 let from = self
5266 .active
5267 .from
5268 .as_deref()
5269 .map(|s| Active::parse_bound(s, self.tz))
5270 .transpose()?;
5271 let until = self
5272 .active
5273 .until
5274 .as_deref()
5275 .map(|s| Active::parse_bound(s, self.tz))
5276 .transpose()?;
5277 if let (Some(f), Some(u)) = (from, until) {
5278 if f >= u {
5279 return Err(format!(
5280 "active.from ({}) must be strictly before active.until ({})",
5281 self.active.from.as_deref().unwrap_or_default(),
5282 self.active.until.as_deref().unwrap_or_default(),
5283 ));
5284 }
5285 }
5286 // #418 Phase 3: a bad maintenance window is rejected at create
5287 // time (parse_window also catches equal bounds).
5288 if let Some(w) = self.constraints.window.as_deref() {
5289 Constraints::parse_window(w)?;
5290 }
5291 // #418 holiday exclusion: reject a malformed skip date at create
5292 // time so the fail-closed `allows` path only ever bites a
5293 // hand-edited KV blob, not a fresh `kanade schedule create`.
5294 if let Some(err) = self.constraints.bad_skip_date() {
5295 return Err(err);
5296 }
5297 // #418: constraints.max_concurrent is a central running-instance
5298 // cap, so it needs the backend's counter — reject it on
5299 // runs_on: agent (decision E), and reject a meaningless 0.
5300 if let Some(mc) = self.constraints.max_concurrent {
5301 // Check the structural incompatibility (agent has no central
5302 // counter) before the value range, so a `max_concurrent: 0`
5303 // + `runs_on: agent` combo reports the more fundamental
5304 // problem first (claude #542).
5305 if matches!(self.runs_on, RunsOn::Agent) {
5306 return Err(
5307 "constraints.max_concurrent needs a central counter and is backend-only; \
5308 it cannot be combined with runs_on: agent (each agent self-schedules, \
5309 so there is no fleet-wide count to cap against)"
5310 .into(),
5311 );
5312 }
5313 if mc == 0 {
5314 return Err(
5315 "constraints.max_concurrent must be >= 1 (0 would never fire; \
5316 omit it for no cap)"
5317 .into(),
5318 );
5319 }
5320 }
5321 // #418: constraints.require (host-state env gates: ac_power /
5322 // idle / cpu_below / network) is sensed in-process by the agent,
5323 // so it needs runs_on: agent — the backend can't read a target
5324 // host's power / idle / cpu / connectivity state. Symmetric with
5325 // `when: { on }` (also agent-only); inverse of max_concurrent
5326 // (backend-only).
5327 if let Some(req) = &self.constraints.require {
5328 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
5329 return Err(
5330 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
5331 network) is sensed in-process by the agent and needs runs_on: agent; the \
5332 backend cannot read a target host's power / idle / cpu / connectivity state"
5333 .into(),
5334 );
5335 }
5336 // Reject a malformed idle duration at create time so the
5337 // fail-closed runtime path only ever bites a hand-edited
5338 // KV blob (mirror skip_dates / on_failure.retry).
5339 if let Some(err) = req.bad_idle() {
5340 return Err(err);
5341 }
5342 // cpu_below is a percent — reject out-of-range so a typo
5343 // can't make a schedule that never (>=100 is always-busy?
5344 // no — <0 never matches) or trivially fires.
5345 if let Some(c) = req.cpu_below
5346 && !(c > 0.0 && c <= 100.0)
5347 {
5348 return Err(format!(
5349 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
5350 omit it for no CPU requirement"
5351 ));
5352 }
5353 }
5354 // #418 Phase 4: a bad on_failure.retry is rejected at create
5355 // time — backoff must be valid humantime, and max is bounded
5356 // so a typo can't pin a flapping script in a tight loop.
5357 if let Some(r) = &self.on_failure.retry {
5358 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
5359 format!(
5360 "on_failure.retry.backoff: invalid duration '{}': {e}",
5361 r.backoff
5362 )
5363 })?;
5364 // The wire form lowers backoff to whole seconds, so a
5365 // sub-second value would silently become a 0s no-wait
5366 // (coderabbit #466). Reject it rather than honour a backoff
5367 // the operator can't actually get.
5368 if backoff.as_secs() < 1 {
5369 return Err(format!(
5370 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
5371 round to 0 on the wire",
5372 r.backoff
5373 ));
5374 }
5375 if !(1..=10).contains(&r.max) {
5376 return Err(format!(
5377 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
5378 attempts after the first run",
5379 r.max
5380 ));
5381 }
5382 }
5383 // A blank / whitespace-only tag renders an empty filter chip on
5384 // the Schedules page — reject it at create time, mirroring the
5385 // Manifest::validate tag guard.
5386 for tag in &self.tags {
5387 if tag.trim().is_empty() {
5388 return Err("tags must not contain empty entries".to_string());
5389 }
5390 }
5391 Ok(())
5392 }
5393}
5394
5395fn default_true() -> bool {
5396 true
5397}