kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::ipc::jobs::JobCategory;
4use crate::wire::{RunAs, Shell, Staleness};
5
6/// YAML job manifest (= registered "what to run", v0.18.0+).
7///
8/// Owns only script-intrinsic fields. **Who** (`target`), **how to
9/// phase fanout** (`rollout`), and **when to stagger start**
10/// (`jitter`) all moved to the Schedule / exec request side — same
11/// script can now be fired against different targets / rollouts
12/// without copying the script body.
13///
14/// #492: these types are READ fleet-wide (agents decode them from
15/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
16/// must tolerate unknown fields — `deny_unknown_fields` here made a
17/// gradually-upgrading fleet's OLD agents reject the whole object
18/// the moment a newer backend added any field. Operator typo
19/// protection (the old reason for the attribute) lives at the WRITE
20/// boundaries instead: `kanade job/schedule create` and the backend
21/// POST extractor parse via [`crate::strict`], which rejects unknown
22/// keys with their full paths. The wire rule: new fields always get
23/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
24/// may still be strict).
25#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
26pub struct Manifest {
27 pub id: String,
28 pub version: String,
29 #[serde(default)]
30 pub description: Option<String>,
31 pub execute: Execute,
32 #[serde(default)]
33 pub require_approval: bool,
34 /// Opt-in marker that this job produces a JSON inventory fact
35 /// payload on stdout. When present, the backend's results
36 /// projector parses `ExecResult.stdout` as JSON and upserts an
37 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
38 /// `display` sub-config drives the SPA's Inventory page render.
39 #[serde(default)]
40 pub inventory: Option<InventoryHint>,
41 /// Issue #246: opt-in marker that this job emits per-line
42 /// observability events on stdout (one JSON `ObsEvent` per
43 /// newline). When present, the agent — after the script exits
44 /// successfully — parses each non-empty stdout line as an
45 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
46 /// `obs_outbox`, and (intentionally) **omits the stdout from
47 /// the `ExecResult`** so the timeline data doesn't double up
48 /// in `execution_results.stdout` (which would multiply rows
49 /// by ~50/day/PC of noise).
50 ///
51 /// Distinct from `inventory:` (single JSON object → projector
52 /// upsert) — events are append-only timeline points consumed
53 /// by the dedicated `obs_events` table.
54 #[serde(default)]
55 pub emit: Option<EmitConfig>,
56 /// #290: opt-in marker that this job is an operator-defined
57 /// **health check** whose result feeds the Client App's Health
58 /// tab over KLP (`StateSnapshot.checks`). The script prints a
59 /// free-form JSON object on stdout (like any inventory job); the
60 /// agent reads the [`CheckHint::status_field`] value dynamically
61 /// into a [`crate::ipc::state::Check`] named `check.name`.
62 /// Cadence / windows / conditions come from
63 /// the job's Schedule (exactly like inventory) — there is
64 /// deliberately no interval here. **Composes with `inventory:`**:
65 /// the script's stdout is one JSON object, so a check can also
66 /// carry an `inventory:` block to project the rest of that object
67 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
68 /// `emit:` (NDJSON stdout) is incompatible.
69 #[serde(default)]
70 pub check: Option<CheckHint>,
71 /// #219: opt-in marker that this job COLLECTS files into a bundle.
72 /// The script does the collection work and prints a single JSON
73 /// object on stdout carrying a `files` array of paths (the field
74 /// name is [`CollectHint::files_field`], default `"files"`); the
75 /// agent — after the script exits successfully — zips those files,
76 /// uploads the archive to the `OBJECT_COLLECTIONS` Object Store
77 /// bucket (key `<pc_id>/<job_id>/<timestamp>.zip`), and records the
78 /// key in [`crate::wire::ExecResult::collect_object`]. The operator
79 /// downloads bundles from the SPA Collect page.
80 ///
81 /// Like `inventory:` / `check:` this reads a JSON object from stdout,
82 /// but it consumes that stdout for its OWN contract (a `files`
83 /// list), so it is mutually exclusive with `inventory:` / `check:` /
84 /// `emit:` (enforced in [`Manifest::validate`]). It composes with
85 /// `client:` — a `collect:` + `client:` job lets an end user trigger
86 /// a collection from the Client App (the same-host agent runs it).
87 #[serde(default, skip_serializing_if = "Option::is_none")]
88 pub collect: Option<CollectHint>,
89 /// #720: opt-in declarative aggregation over `obs_events` that drives
90 /// the SPA **Analytics** page. Unlike the other hints this one never
91 /// touches stdout and is never delivered to the agent — it's a pure
92 /// *read spec* the backend reads from `BUCKET_JOBS` at query time and
93 /// turns into `json_extract` aggregation SQL. Each entry is one widget
94 /// (a `dashboard:` tab groups them); `scope:` selects per-PC vs
95 /// fleet-wide rollup. Because it consumes nothing at run time it
96 /// composes with every other hint (typically paired with `emit:`,
97 /// which produces the events it reads). See [`AggregateWidget`].
98 ///
99 /// New field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
100 #[serde(default, skip_serializing_if = "Option::is_none")]
101 pub aggregate: Option<Vec<AggregateWidget>>,
102 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
103 /// what the agent does at fire time when it can't verify the
104 /// `script_current` / `script_status` KV values are fresh —
105 /// especially relevant for `runs_on: agent` schedules where
106 /// the agent may fire from cache while offline. Defaults to
107 /// `Staleness::Cached` (silently use cached values), which
108 /// matches every pre-v0.26 Manifest.
109 #[serde(default)]
110 pub staleness: Staleness,
111 /// #291: opt-in marker that this job is offered to **end users**
112 /// in the Client App's job tabs over KLP (`jobs.list` →
113 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
114 /// [`emit`]: the block's mere presence is the opt-in, and it
115 /// groups the end-user presentation fields (name / category /
116 /// icon) that only make sense for a user-facing job. `None`
117 /// (the default) ⇒ an operator-only job — inventory, checks,
118 /// scheduled maintenance — that never surfaces in the catalog.
119 ///
120 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
121 /// (SPEC §2.1), so removing the block takes a job out of a
122 /// running client on its next action.
123 ///
124 /// [`inventory`]: Manifest::inventory
125 /// [`check`]: Manifest::check
126 /// [`emit`]: Manifest::emit
127 #[serde(default, skip_serializing_if = "Option::is_none")]
128 pub client: Option<ClientHint>,
129 /// Free-form operator taxonomy for the Jobs catalog. Purely a
130 /// SPA-side organisational aid — agents / scheduler / projector
131 /// never read it — so it carries no runtime semantics and any
132 /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
133 /// cross-cut (a `check-bitlocker` is at once a health-check, a
134 /// security control, and Windows-specific), which is why this is
135 /// a multi-valued list rather than the single closed-enum
136 /// [`ClientHint::category`] (whose values are the end-user Client
137 /// App's tabs, a different concern). The operator Jobs page groups
138 /// rows by id-prefix for free; tags add the orthogonal filter axis
139 /// prefixes can't express.
140 ///
141 /// Empty by default (the overwhelming majority of jobs), and a
142 /// new field, so it follows the #492 wire rule: `serde(default)`
143 /// plus `skip_serializing_if` keep gradually-upgrading old readers
144 /// from tripping over its absence / presence.
145 #[serde(default, skip_serializing_if = "Vec::is_empty")]
146 pub tags: Vec<String>,
147 /// GitOps provenance (#678) — see [`RepoOrigin`]. Stamped by
148 /// `kanade job create` when the source YAML lives inside a Git work
149 /// tree, so the SPA can render the job read-only and point edits
150 /// back at the repo instead of letting a ClickOps edit silently
151 /// diverge from Git (SPEC design principle #3: 設定駆動 YAML + Git).
152 /// `None` for SPA-born jobs and for manifests applied from outside
153 /// any Git repo. Purely informational: agents / scheduler /
154 /// projector never read it, and it survives `script_file:` inlining
155 /// (it's orthogonal to the exactly-one-of script-source rule). New
156 /// field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
157 #[serde(default, skip_serializing_if = "Option::is_none")]
158 pub origin: Option<RepoOrigin>,
159}
160
161/// GitOps provenance for a repo-managed YAML artifact — a [`Manifest`]
162/// (#678) or a [`Schedule`] (#695). Populated by `kanade job create` /
163/// `kanade schedule create` from the Git context of the source YAML;
164/// the SPA reads it to render Git-managed entries read-only and link
165/// the operator back at the repo. Never consulted by the runtime.
166#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
167pub struct RepoOrigin {
168 /// Repo-relative path of the source YAML — the primary edit target
169 /// the SPA surfaces (e.g. `configs/jobs/foo.yaml`). Forward slashes
170 /// regardless of the authoring OS.
171 pub path: String,
172 /// `origin` remote URL, when the repo has one. Lets the SPA turn
173 /// `path` into a clickable link; `None` for remote-less repos.
174 #[serde(default, skip_serializing_if = "Option::is_none")]
175 pub repo: Option<String>,
176 /// Repo-relative path of the `script_file:` a job manifest inlined,
177 /// when it used one — a secondary pointer shown beneath `path`.
178 /// Always `None` for schedules (they carry no script).
179 #[serde(default, skip_serializing_if = "Option::is_none")]
180 pub script_file: Option<String>,
181}
182
183/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
184/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
185/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
186/// here keeps the validation + serialisation logic in one place.
187#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
188pub struct FanoutPlan {
189 #[serde(default)]
190 pub target: Target,
191 /// Optional wave rollout — when present, the backend publishes
192 /// each wave's group subject on its own delay schedule instead
193 /// of fanning out the `target` block in one go. `target` then
194 /// only labels the deploy for the audit log.
195 #[serde(default, skip_serializing_if = "Option::is_none")]
196 pub rollout: Option<Rollout>,
197 /// Optional humantime jitter; agent uses it to randomise
198 /// execution start. Lives here (not on the script) so different
199 /// schedules / ad-hoc fires of the same job can pick different
200 /// stagger windows.
201 #[serde(default, skip_serializing_if = "Option::is_none")]
202 pub jitter: Option<String>,
203 /// Absolute time the scheduler stamps on each emitted Command
204 /// when this exec was driven by a [`Schedule`] with
205 /// `starting_deadline`. Agents receiving a Command after this
206 /// instant publish a synthetic skipped-result instead of
207 /// running the script. `None` (default) = no deadline / catch
208 /// up whenever delivered. Operators don't usually set this
209 /// directly — the scheduler computes it from `tick_at +
210 /// starting_deadline`.
211 #[serde(default, skip_serializing_if = "Option::is_none")]
212 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
213}
214
215/// Manifest sub-section: how the SPA should render the inventory
216/// facts this job produces. Each field name (`field`) is a top-level
217/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
218///
219/// Two render modes:
220/// * `display` — vertical "field / value" per PC, used by the
221/// `/inventory?pc=<id>` detail view. ALL columns the operator
222/// wants visible on the detail page.
223/// * `summary` — horizontal table across the fleet (row = PC,
224/// column = field) on `/inventory`. Optional; when omitted the
225/// SPA falls back to `display`, but operators usually want a
226/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
227#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
228pub struct InventoryHint {
229 /// Detail-view columns, in order.
230 pub display: Vec<DisplayField>,
231 /// Optional fleet-list columns (row = PC). Defaults to `display`
232 /// when omitted, but operators usually pick a 3-5 column subset.
233 #[serde(default, skip_serializing_if = "Option::is_none")]
234 pub summary: Option<Vec<DisplayField>>,
235 /// v0.31 / #40: payload arrays that should be exploded into
236 /// per-element rows of a derived SQLite table. Lets operators
237 /// answer cross-PC questions ("which PCs still have Chrome <
238 /// 120?", "C: >90% full") with normal SQL filters + indexes
239 /// instead of grepping JSON. The projector creates the derived
240 /// table on register and replaces this PC's rows on each result
241 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
242 /// [`ExplodeSpec`] for the per-spec schema.
243 #[serde(default, skip_serializing_if = "Option::is_none")]
244 pub explode: Option<Vec<ExplodeSpec>>,
245 /// v0.35 / #93: top-level scalar fields whose changes the
246 /// projector logs to `inventory_history` (one event per
247 /// changed field per scan). Pairs with `explode[].track_history`
248 /// — that covers array elements; this covers single-valued
249 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
250 /// `os_build` that operators want to track for "did the RAM
251 /// get upgraded?" / "when did Win 11 land on this PC?" /
252 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
253 /// in the history row, `identity_json` is NULL, `before_json`
254 /// / `after_json` each carry `{"value": <prior or new value>}`.
255 /// First-ever observation of a scalar (no prior facts row)
256 /// emits `added`; subsequent value changes emit `changed`. No
257 /// `removed` events — a scalar disappearing from the payload
258 /// is rare and the operator can still see the last value via
259 /// the `before_json` of the most recent change.
260 #[serde(default, skip_serializing_if = "Option::is_none")]
261 pub history_scalars: Option<Vec<String>>,
262}
263
264/// Manifest sub-section (#290): marks a job as an operator-defined
265/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
266/// The stdout contract is a free-form JSON object (same as any
267/// inventory job) from which the agent reads `status_field` /
268/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
269/// on the Client App's Health tab.
270///
271/// There is deliberately **no timing field** — when / how often /
272/// in which window a check runs is driven by the job's Schedule,
273/// exactly like inventory jobs, so operators get the full `when:` /
274/// rollout / `runs_on` expressiveness for free.
275///
276/// A check's stdout is a **free-form inventory object** (arbitrary
277/// key/value pairs + arrays) — same as any inventory job — that also
278/// carries a status field. `check:` adds only the health semantics on
279/// top: which field is the ok/warn/fail/unknown status, an optional
280/// one-line summary field, and a remediation job. Everything else
281/// (rich per-PC detail, `explode` sub-tables like a software list) is
282/// driven by a co-present [`InventoryHint`] and rendered with the
283/// SAME display logic the SPA Inventory page uses — on the Client App
284/// too. This keeps checks maximally expressive without a bespoke
285/// payload type.
286#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
287pub struct CheckHint {
288 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
289 /// the SPA/Client React key + analytics label. Unique within the
290 /// fleet's check set. Machine-friendly slug (`disk_space`,
291 /// `defender_rtp`); for the human-facing row title see [`label`].
292 ///
293 /// [`label`]: CheckHint::label
294 pub name: String,
295 /// Optional human-facing display title →
296 /// [`Check.label`](crate::ipc::state::Check). The Client App's
297 /// Health tab and the operator SPA's Compliance page render this
298 /// instead of the [`name`](CheckHint::name) slug when set
299 /// (`"ウイルス対策のリアルタイム保護"` reads better than
300 /// `defender_rtp`). Falls back to the slug when absent, so it's
301 /// purely additive. Author it in the check's language — there's no
302 /// per-locale variant; checks are operator-defined per fleet.
303 #[serde(default, skip_serializing_if = "Option::is_none")]
304 pub label: Option<String>,
305 /// Top-level stdout field whose string value
306 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
307 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
308 /// `"status"`; a missing / unparseable value → `unknown`.
309 #[serde(default = "default_status_field")]
310 pub status_field: String,
311 /// Top-level stdout field used as the Health-tab row's one-line
312 /// summary. Defaults to `"detail"`; absent in the payload → no
313 /// detail line (the rich breakdown lives in the inventory view).
314 #[serde(default = "default_detail_field")]
315 pub detail_field: String,
316 /// Optional remediation job id →
317 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
318 /// App shows a "修復する" button when present; that job must be
319 /// `user_invokable`.
320 #[serde(default, skip_serializing_if = "Option::is_none")]
321 pub troubleshoot: Option<String>,
322 /// #290 PR-E: when `true` (default), the backend also projects this
323 /// check's `status` / `detail` into the `check_status` table so the
324 /// operator SPA gets a fleet-wide compliance view for free — no
325 /// `inventory:` block needed. Set `fleet: false` for a client-only
326 /// check the operator doesn't want surfaced across the fleet.
327 #[serde(default = "default_fleet")]
328 pub fleet: bool,
329}
330
331fn default_status_field() -> String {
332 "status".to_string()
333}
334
335fn default_detail_field() -> String {
336 "detail".to_string()
337}
338
339fn default_fleet() -> bool {
340 true
341}
342
343fn default_files_field() -> String {
344 "files".to_string()
345}
346
347/// Fallback cap on a collect bundle's total input size when the
348/// manifest's `collect.max_size` is unset. 50 MB (decimal).
349pub const DEFAULT_COLLECT_MAX_SIZE: u64 = 50 * 1_000_000;
350
351/// Manifest sub-section (#219): marks a job as a **file collector** and
352/// carries how the collected bundle presents in the SPA. Parallel to
353/// [`InventoryHint`] / [`CheckHint`] — the block's presence is the
354/// opt-in. The script prints a single JSON object on stdout whose
355/// [`files_field`](CollectHint::files_field) key holds an array of file
356/// paths to bundle (env vars are expanded); the agent zips them and
357/// uploads to `OBJECT_COLLECTIONS`. See [`Manifest::collect`].
358#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
359pub struct CollectHint {
360 /// Operator/end-user-facing title for the collection, shown as the
361 /// bundle's heading on the SPA Collect page (and the Client App row
362 /// when paired with `client:`). Required; validated non-empty.
363 pub name: String,
364 /// Optional one-line description of what the bundle contains.
365 #[serde(default, skip_serializing_if = "Option::is_none")]
366 pub description: Option<String>,
367 /// Human-readable cap on the bundle's total input size
368 /// (`"50MB"`, `"500KB"`, `"1GiB"`). The agent refuses to build a
369 /// bundle whose listed files exceed this. `None` ⇒
370 /// [`DEFAULT_COLLECT_MAX_SIZE`]. Parsed by [`parse_size_bytes`];
371 /// [`Manifest::validate`] rejects an unparseable value at create
372 /// time.
373 ///
374 /// Note: this bounds the **uncompressed** bytes the agent reads off
375 /// disk, not the resulting zip. Text logs compress well, so the
376 /// download is usually much smaller; many tiny files add a little
377 /// per-entry zip overhead. Read it as "how much the agent reads +
378 /// packs", not "the exact download size".
379 #[serde(default, skip_serializing_if = "Option::is_none")]
380 pub max_size: Option<String>,
381 /// Top-level stdout JSON key holding the array of file paths to
382 /// bundle. Defaults to `"files"`.
383 #[serde(default = "default_files_field")]
384 pub files_field: String,
385}
386
387impl CollectHint {
388 /// The effective size cap in bytes — the parsed `max_size` or
389 /// [`DEFAULT_COLLECT_MAX_SIZE`] when unset. Assumes `max_size` (if
390 /// present) already passed [`Manifest::validate`]; falls back to the
391 /// default on a parse error rather than panicking on the fire path.
392 pub fn max_size_bytes(&self) -> u64 {
393 match &self.max_size {
394 Some(s) => parse_size_bytes(s).unwrap_or(DEFAULT_COLLECT_MAX_SIZE),
395 None => DEFAULT_COLLECT_MAX_SIZE,
396 }
397 }
398}
399
400/// Parse a human-readable byte size (`"50MB"`, `"500 KB"`, `"1GiB"`,
401/// `"1024"`). Decimal units (KB/MB/GB) are 1000-based; binary units
402/// (KiB/MiB/GiB) are 1024-based; a bare number (or `B`) is bytes.
403/// Case-insensitive. Shared by `collect.max_size` validation and the
404/// agent's bundle-size enforcement.
405pub fn parse_size_bytes(s: &str) -> Result<u64, String> {
406 let t = s.trim();
407 if t.is_empty() {
408 return Err("size must not be empty".to_string());
409 }
410 let split = t.find(|c: char| !c.is_ascii_digit()).unwrap_or(t.len());
411 let (num_str, unit_raw) = t.split_at(split);
412 if num_str.is_empty() {
413 return Err(format!("size '{s}': missing leading number"));
414 }
415 let num: u64 = num_str
416 .parse()
417 .map_err(|_| format!("size '{s}': bad number '{num_str}'"))?;
418 let mult: u64 = match unit_raw.trim().to_ascii_lowercase().as_str() {
419 "" | "b" => 1,
420 "kb" => 1_000,
421 "mb" => 1_000_000,
422 "gb" => 1_000_000_000,
423 "kib" => 1024,
424 "mib" => 1024 * 1024,
425 "gib" => 1024 * 1024 * 1024,
426 other => {
427 return Err(format!(
428 "size '{s}': unknown unit '{other}' (use B/KB/MB/GB/KiB/MiB/GiB)"
429 ));
430 }
431 };
432 num.checked_mul(mult)
433 .ok_or_else(|| format!("size '{s}': overflow"))
434}
435
436/// Manifest sub-section (#291): marks a job as **user-invokable**
437/// from the Client App and carries how it presents to the end user.
438/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
439/// the block's presence is the opt-in (no separate boolean), and its
440/// required fields (`name`, `category`) are enforced by serde at
441/// parse time, so a half-filled catalog entry fails
442/// `kanade job create` instead of rendering a nameless / tab-less row.
443///
444/// The agent maps this 1:1 into the KLP
445/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
446/// that `jobs.list` returns; the Client App renders one row per job in
447/// the tab named by `category`.
448#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
449pub struct ClientHint {
450 /// End-user-facing title for the job row. The operator-internal
451 /// `Manifest::id` slug is rarely what an end user should read, so
452 /// this is required (and validated non-empty by
453 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
454 pub name: String,
455 /// Optional one-line subtitle under `name` in the Client App.
456 /// Distinct from the operator-facing top-level
457 /// [`Manifest::description`] — this one is written for the end
458 /// user. Maps to `UserInvokableJob::display_description`.
459 #[serde(default, skip_serializing_if = "Option::is_none")]
460 pub description: Option<String>,
461 /// Which Client App tab the job lives in (`software_update` →
462 /// アップデート, `troubleshoot` → 困ったとき, `catalog` → software
463 /// catalog). Required — without it the agent can't place the job
464 /// in a tab.
465 pub category: JobCategory,
466 /// Optional icon hint for the job row — a lucide-react icon name
467 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
468 /// category's default icon. Surfaced verbatim in
469 /// `jobs.list[].icon`.
470 #[serde(default, skip_serializing_if = "Option::is_none")]
471 pub icon: Option<String>,
472}
473
474/// #720 — one widget on the SPA **Analytics** page: a declarative
475/// aggregation over the `obs_events` table. The backend reads these off
476/// `Manifest::aggregate` (from `BUCKET_JOBS`) at query time and builds
477/// the `json_extract` GROUP BY / time-bucket SQL from these generic
478/// primitives, so an operator can chart any emitted event without a Rust
479/// change. The reference shapes are the attendance dashboards
480/// (presence / app_sample / web_visit), but the same DSL covers logon /
481/// reboot / agent-health trends, etc.
482#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
483pub struct AggregateWidget {
484 /// Tab this widget lives under on the Analytics page. Widgets from
485 /// every job are collected and grouped by this label, so the same
486 /// string across jobs builds one multi-source dashboard. Required.
487 pub dashboard: String,
488 /// Widget heading. Required, validated non-empty.
489 pub title: String,
490 /// `pc` rolls up a single selected PC; `fleet` rolls up all PCs
491 /// (and unlocks `group_by: pc_id` to rank PCs against each other).
492 /// Defaults to `pc`.
493 #[serde(default)]
494 pub scope: AggregateScope,
495 /// `obs_events.kind` this widget reads (e.g. `app_sample`,
496 /// `presence`, `unexpected_shutdown`). Required.
497 pub kind: String,
498 /// Optional `obs_events.source` filter, when one `kind` is emitted by
499 /// more than one collector.
500 #[serde(default, skip_serializing_if = "Option::is_none")]
501 pub source: Option<String>,
502 /// How to roll the matching events up. See [`AggregateAgg`].
503 pub agg: AggregateAgg,
504 /// Dotted JSON path (no `$.` prefix) to group by for `agg: count` /
505 /// `sum` — e.g. `foreground.app`. The literal `pc_id` is special:
506 /// it groups by the `pc_id` column (fleet ranking), not a payload
507 /// field. Omit for a single total. Required when `agg: sum` needs a
508 /// breakdown; for `agg: count` omitting it yields the grand total.
509 #[serde(default, skip_serializing_if = "Option::is_none")]
510 pub group_by: Option<String>,
511 /// Dotted JSON path to a boolean for `agg: ratio` (e.g. `active`):
512 /// the widget reports `true_count / total`. Required when `agg: ratio`.
513 #[serde(default, skip_serializing_if = "Option::is_none")]
514 pub bool_path: Option<String>,
515 /// Dotted JSON path to a number for `agg: sum`. Required when `agg: sum`.
516 #[serde(default, skip_serializing_if = "Option::is_none")]
517 pub value_path: Option<String>,
518 /// Optional value transform applied before grouping. Currently only
519 /// `host` (parse a URL down to its host) — used by the top-sites
520 /// widget, where SQLite can't parse a URL so the backend does it in
521 /// Rust. See [`AggregateTransform`].
522 #[serde(default, skip_serializing_if = "Option::is_none")]
523 pub transform: Option<AggregateTransform>,
524 /// Optional sampling cadence in minutes. When set, a `count` is also
525 /// reported as estimated time (`count × sample_minutes`) — e.g. a
526 /// 2-minute app sampler turns 11 samples into ~22 minutes. Must be ≥ 1.
527 #[serde(default, skip_serializing_if = "Option::is_none")]
528 #[schemars(range(min = 1))]
529 pub sample_minutes: Option<u32>,
530 /// Grouped values to drop from the rollup (e.g. `["LockApp"]` so the
531 /// lock screen doesn't top the app ranking). Empty by default.
532 #[serde(default, skip_serializing_if = "Vec::is_empty")]
533 pub exclude: Vec<String>,
534 /// Optional time bucketing — `hour` buckets events by local
535 /// hour-of-day for a `timeline` render. See [`AggregateTimeBucket`].
536 #[serde(default, skip_serializing_if = "Option::is_none")]
537 pub time_bucket: Option<AggregateTimeBucket>,
538 /// Top-N cap for grouped renders (`bar`). Defaults to 10 when unset.
539 #[serde(default, skip_serializing_if = "Option::is_none")]
540 #[schemars(range(min = 1))]
541 pub limit: Option<u32>,
542 /// Which widget the SPA draws. See [`AggregateRender`].
543 pub render: AggregateRender,
544}
545
546/// Per-PC vs fleet-wide rollup for an [`AggregateWidget`].
547#[derive(
548 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
549)]
550#[serde(rename_all = "lowercase")]
551#[non_exhaustive]
552pub enum AggregateScope {
553 /// Roll up the single PC the operator selected. The default.
554 #[default]
555 Pc,
556 /// Roll up across every PC. Unlocks `group_by: pc_id`.
557 Fleet,
558 /// #492 forward-compat catch-all — a Manifest is read fleet-wide, so
559 /// an older reader must tolerate a future variant rather than failing
560 /// to decode the whole job. The backend skips an `Unknown` widget.
561 #[serde(other)]
562 Unknown,
563}
564
565/// The rollup function for an [`AggregateWidget`].
566#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
567#[serde(rename_all = "lowercase")]
568#[non_exhaustive]
569pub enum AggregateAgg {
570 /// Row count, optionally grouped (`group_by`) and time-estimated
571 /// (`sample_minutes`).
572 Count,
573 /// `true_count / total` over `bool_path`.
574 Ratio,
575 /// Sum of `value_path`, optionally grouped.
576 Sum,
577 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
578 #[serde(other)]
579 Unknown,
580}
581
582/// Optional pre-grouping value transform for an [`AggregateWidget`].
583#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
584#[serde(rename_all = "lowercase")]
585#[non_exhaustive]
586pub enum AggregateTransform {
587 /// Parse the grouped value as a URL and keep only its host.
588 Host,
589 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
590 #[serde(other)]
591 Unknown,
592}
593
594/// Time bucketing for an [`AggregateWidget`] (drives a `timeline`).
595#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
596#[serde(rename_all = "lowercase")]
597#[non_exhaustive]
598pub enum AggregateTimeBucket {
599 /// Bucket by local hour-of-day (0–23), summed over the window.
600 Hour,
601 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
602 #[serde(other)]
603 Unknown,
604}
605
606/// Which visual the SPA renders an [`AggregateWidget`] as.
607#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
608#[serde(rename_all = "lowercase")]
609#[non_exhaustive]
610pub enum AggregateRender {
611 /// Ranked horizontal bars (a grouped `count` / `sum`).
612 Bar,
613 /// A single ratio dial (`agg: ratio`).
614 Gauge,
615 /// 24-hour activity strip (`time_bucket: hour`).
616 Timeline,
617 /// A single headline number (an ungrouped total).
618 Stat,
619 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
620 #[serde(other)]
621 Unknown,
622}
623
624/// True if `p` is a well-formed dotted JSON path of `[A-Za-z0-9_]`
625/// segments joined by single dots — the shape safe to bind into
626/// `json_extract(payload, '$.' || ?)`. The charset blocks injection; the
627/// segment check additionally rejects `"."`, `".foo"`, `"foo."`,
628/// `"foo..bar"`, which would pass the charset but produce a malformed
629/// `$.` path that errors at query time. Accepts `pc_id`, `foreground.app`,
630/// `active`, etc.
631fn is_valid_json_path(p: &str) -> bool {
632 !p.is_empty()
633 && p.split('.').all(|seg| {
634 !seg.is_empty() && seg.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
635 })
636}
637
638/// Issue #246 — `emit:` manifest block for jobs whose stdout is
639/// NDJSON observability events (one `ObsEvent` per line). Parallel
640/// to `inventory:` but for the append-only timeline pipeline; see
641/// `Manifest::emit` for the full contract.
642#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
643pub struct EmitConfig {
644 /// What kind of payload the agent should expect on stdout. Only
645 /// `events` is defined today (parses each non-empty line as
646 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
647 /// (e.g. metrics streams, structured trace events) plug in here.
648 #[serde(rename = "type")]
649 pub kind: EmitKind,
650 /// Operator hint for where the script keeps its own state — the
651 /// watermark file the PowerShell / sh body reads + writes
652 /// between runs so it only emits NEW events since the last
653 /// poll. The agent doesn't read this; it's documentation that
654 /// the SPA (and `kanade job edit`) can surface to operators
655 /// reviewing the manifest. Optional; the script is allowed to
656 /// keep state anywhere (registry, env, etc.) — the field's
657 /// presence makes the convention discoverable.
658 #[serde(default, skip_serializing_if = "Option::is_none")]
659 pub watermark_path: Option<String>,
660}
661
662/// `emit.type` enum. Lowercase serde so manifests read
663/// `type: events` rather than `Events`.
664#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
665#[serde(rename_all = "lowercase")]
666pub enum EmitKind {
667 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
668 /// `obs.<pc_id>`, drops the stdout from the resulting
669 /// `ExecResult`.
670 Events,
671}
672
673/// v0.31 / #40: declarative "flatten this JSON array into a real
674/// SQLite table" spec on an inventory manifest. The projector
675/// creates the table on first registration (CREATE TABLE IF NOT
676/// EXISTS + indexes) and writes a row per element of
677/// `payload[field]` on every result, scoped by (pc_id, job_id) so
678/// each PC's rows replace cleanly without a per-PC schema.
679#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
680pub struct ExplodeSpec {
681 /// JSON array key under the payload to explode. E.g. `"apps"`
682 /// for `payload: { apps: [{...}, {...}] }`.
683 pub field: String,
684 /// Derived SQLite table name. Operators choose this — pick
685 /// something namespaced + stable (`inventory_sw_apps`, not
686 /// `apps`) so multiple inventory manifests don't collide on a
687 /// generic name.
688 pub table: String,
689 /// Element-level fields that uniquely identify a row inside one
690 /// PC's payload. The full PK is `(pc_id, job_id) + these
691 /// columns`. Required — operators must think about uniqueness
692 /// (e.g. `["name", "source"]` for installed apps because the
693 /// same name appears in multiple uninstall hives).
694 ///
695 /// v0.31 / #41: same tuple drives history identity. When
696 /// `track_history` is on, the projector serialises these
697 /// fields' values into `inventory_history.identity_json` for
698 /// every change event, so queries like "every PC that ever
699 /// installed Chrome (any source)" filter on identity_json
700 /// content without a per-manifest schema.
701 pub primary_key: Vec<String>,
702 /// Per-element fields that become columns in the derived table.
703 pub columns: Vec<ExplodeColumn>,
704 /// v0.31 / #41: when true (default false), the projector
705 /// diffs each PC's incoming payload against the prior rows
706 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
707 /// replace, and writes added / removed / changed events into
708 /// `inventory_history`. Lets operators answer time-dimension
709 /// questions ("when did Chrome 120 first appear on PC X?",
710 /// "what's the Win 11 23H2 rollout curve") without storing
711 /// per-scan snapshots. Off by default so operators opt in
712 /// per-spec — history has a real storage cost on long-lived
713 /// deployments (mitigated by the 90-day default retention
714 /// sweeper, see `cleanup` module).
715 #[serde(default)]
716 pub track_history: bool,
717}
718
719/// One column in an [`ExplodeSpec`]'s derived table.
720#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
721pub struct ExplodeColumn {
722 /// JSON key under each array element. Becomes the column name
723 /// in the derived SQLite table — we don't rename.
724 pub field: String,
725 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
726 /// Storage maps directly via `sqlx::query.bind(...)`; type
727 /// mismatches at INSERT-time fail loudly rather than silently
728 /// dropping the row.
729 #[serde(default, skip_serializing_if = "Option::is_none")]
730 #[serde(rename = "type")]
731 pub kind: Option<String>,
732 /// When true, the projector creates a `CREATE INDEX` on this
733 /// column at table-creation time. Boost for the common-filter
734 /// columns (`name`, `version`) — operators mark them
735 /// explicitly, the projector won't guess.
736 #[serde(default)]
737 pub index: bool,
738}
739
740#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
741pub struct DisplayField {
742 /// Top-level key in the stdout JSON.
743 pub field: String,
744 /// Human-readable column header.
745 pub label: String,
746 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
747 /// or `"table"` (#39). Defaults to plain text rendering on the
748 /// SPA side. `"table"` expects the field's value to be a JSON
749 /// array of objects and renders a nested sub-table on the
750 /// per-PC detail page using `columns` as the schema; the fleet
751 /// summary view falls back to showing the row count for
752 /// `"table"` cells so the wide list stays compact.
753 #[serde(default, skip_serializing_if = "Option::is_none")]
754 #[serde(rename = "type")]
755 pub kind: Option<String>,
756 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
757 /// field's value (an array of objects like
758 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
759 /// sub-table using these columns. Each column is itself a
760 /// `DisplayField`, so the nested cells reuse the same render
761 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
762 /// pipeline. Ignored for any other `kind`.
763 #[serde(default, skip_serializing_if = "Option::is_none")]
764 pub columns: Option<Vec<DisplayField>>,
765}
766
767#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
768pub struct Rollout {
769 #[serde(default)]
770 pub strategy: RolloutStrategy,
771 pub waves: Vec<Wave>,
772}
773
774#[derive(
775 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
776)]
777#[serde(rename_all = "lowercase")]
778pub enum RolloutStrategy {
779 #[default]
780 Wave,
781}
782
783#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
784pub struct Wave {
785 pub group: String,
786 /// humantime delay measured from the deploy's publish time. wave[0]
787 /// typically has "0s"; subsequent waves use minutes / hours.
788 pub delay: String,
789}
790
791#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
792pub struct Target {
793 #[serde(default)]
794 pub groups: Vec<String>,
795 #[serde(default)]
796 pub pcs: Vec<String>,
797 #[serde(default)]
798 pub all: bool,
799}
800
801impl Target {
802 /// At least one of all / groups / pcs is set.
803 pub fn is_specified(&self) -> bool {
804 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
805 }
806}
807
808#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
809pub struct Execute {
810 pub shell: ExecuteShell,
811 /// Inline script body. Mutually exclusive with [`script_file`]
812 /// and [`script_object`]; exactly one of the three must be set
813 /// (enforced by [`Execute::validate_script_source`] at the
814 /// write-side parse boundaries — `kanade job create` and
815 /// `POST /api/jobs`).
816 ///
817 /// Empty string is treated as **unset** so operators can swap
818 /// to a `script_file:` / `script_object:` alternative just by
819 /// commenting out the body, without having to also drop the
820 /// `script:` key entirely.
821 ///
822 /// [`script_file`]: Self::script_file
823 /// [`script_object`]: Self::script_object
824 #[serde(default, skip_serializing_if = "Option::is_none")]
825 pub script: Option<String>,
826 /// Repo-local file path resolved by the operator-side CLI at
827 /// `kanade job create` time. The CLI reads the file, slots its
828 /// contents into `script`, and clears this field before
829 /// POSTing — so the backend / agents never see `script_file`
830 /// in stored manifests. SPEC §2.4.1.
831 ///
832 /// Resolver lands in a follow-up PR
833 /// (yukimemi/kanade#210); today this field passes parse-time
834 /// validation but the operator-side CLI bails with "not yet
835 /// implemented" until the resolver ships, so manifests that
836 /// reach the backend with `script_file` set are treated as a
837 /// schema-bug.
838 #[serde(default, skip_serializing_if = "Option::is_none")]
839 pub script_file: Option<String>,
840 /// Object Store reference (`<name>/<version>`) into the
841 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
842 /// at Execute time via `/api/script-objects/{name}/{version}`
843 /// and cache it locally. SPEC §2.4.1.
844 ///
845 /// Fully wired (#210/#211): the backend resolves the digest at
846 /// exec submission (`api::exec::resolve_script_source`), the agent
847 /// fetches + sha-verifies + caches the body (`script_cache`), and
848 /// `kanade script` CRUDs the store. Unlike `script_file:` (inlined
849 /// CLI-side, git-managed), this keeps the body in versioned,
850 /// digest-pinned object storage — the ops-managed counterpart.
851 #[serde(default, skip_serializing_if = "Option::is_none")]
852 pub script_object: Option<String>,
853 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
854 /// — represents how long this script reasonably takes to run.
855 pub timeout: String,
856 /// Token + session combination the agent uses to launch the
857 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
858 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
859 #[serde(default)]
860 pub run_as: RunAs,
861 /// Working directory for the spawned child (v0.21.1). When
862 /// unset, the child inherits the agent's cwd — on Windows that
863 /// means `%SystemRoot%\System32` for the prod service, which is
864 /// almost never what operators actually want. Use an absolute
865 /// path; relative paths are passed through to the OS verbatim.
866 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
867 /// you'd want `%USERPROFILE%` (but expansion happens in the
868 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
869 /// it via teravars before `kanade job create`).
870 #[serde(default, skip_serializing_if = "Option::is_none")]
871 pub cwd: Option<String>,
872}
873
874impl Execute {
875 /// Treat an empty `script:` body as "intentionally unset". Operators
876 /// commenting out a block-scalar tend to leave the key behind, and
877 /// failing the validator on `script: ""` would surprise them.
878 fn has_inline_script(&self) -> bool {
879 matches!(&self.script, Some(s) if !s.is_empty())
880 }
881
882 /// Enforce that exactly one of `script` / `script_file` /
883 /// `script_object` is set. Called at the write-side parse
884 /// boundaries (CLI `kanade job create` + backend
885 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
886 /// reaches the JOBS KV. Read paths (projector, agent
887 /// scheduler, list endpoints) skip this check — they only ever
888 /// see what the write path already validated.
889 pub fn validate_script_source(&self) -> Result<(), String> {
890 let inline = self.has_inline_script();
891 let file = self.script_file.is_some();
892 let obj = self.script_object.is_some();
893 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
894 match set {
895 1 => Ok(()),
896 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
897 _ => Err(format!(
898 "execute: only one of `script` / `script_file` / `script_object` may be set \
899 (got script={inline}, script_file={file}, script_object={obj})"
900 )),
901 }
902 }
903}
904
905impl Manifest {
906 /// Cross-field semantic checks that don't fit into pure serde
907 /// derive. Currently delegates to
908 /// [`Execute::validate_script_source`] — see that method's
909 /// docs for the rationale on which call sites should run this.
910 pub fn validate(&self) -> Result<(), String> {
911 self.execute.validate_script_source()?;
912 // Stdout-format compatibility. `inventory:` and `check:` both
913 // consume the SAME single JSON object — they COMPOSE: a check
914 // can extract `status`/`detail` for the Health tab while the
915 // projector explodes the rest into SPA sub-tables. `emit:` is
916 // different — its stdout is NDJSON and the agent omits it from
917 // the result entirely — so it can't be paired with either.
918 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
919 return Err(
920 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
921 timeline events (and omitted from the result), while inventory/check read a \
922 single JSON object from stdout"
923 .to_string(),
924 );
925 }
926 // `collect:` consumes stdout for its OWN contract (a JSON object
927 // carrying a `files` array), so unlike the inventory+check pair it
928 // can't share stdout with another stdout-reading hint. It composes
929 // only with `client:` (which doesn't touch stdout).
930 if self.collect.is_some()
931 && (self.inventory.is_some() || self.check.is_some() || self.emit.is_some())
932 {
933 return Err(
934 "`collect:` is incompatible with `inventory:` / `check:` / `emit:` — collect \
935 reads its own `files` JSON object from stdout. (It composes with `client:`.)"
936 .to_string(),
937 );
938 }
939 // A check's `name` is the Health-tab row id (React key); the
940 // field names tell the agent where to read status/detail.
941 // An empty value is an invisible runtime bug, and the serde
942 // defaults don't guard an operator who writes `status_field:
943 // ""` explicitly — reject all three here.
944 if let Some(check) = &self.check {
945 for (label, value) in [
946 ("check.name", &check.name),
947 ("check.status_field", &check.status_field),
948 ("check.detail_field", &check.detail_field),
949 ] {
950 if value.trim().is_empty() {
951 return Err(format!("{label} must not be empty"));
952 }
953 }
954 // A present-but-blank `troubleshoot` is a broken
955 // remediation job id (the "修復する" button would target
956 // an empty manifest id) — reject it too.
957 if let Some(troubleshoot) = &check.troubleshoot {
958 if troubleshoot.trim().is_empty() {
959 return Err("check.troubleshoot must not be empty when set".to_string());
960 }
961 }
962 // A present-but-blank `label` would render an empty row
963 // title on the Health tab / Compliance page — reject it so
964 // the slug fallback only ever kicks in when label is absent.
965 if let Some(label) = &check.label {
966 if label.trim().is_empty() {
967 return Err("check.label must not be empty when set".to_string());
968 }
969 }
970 }
971 // #291: a `client:` job is rendered in the Client App's
972 // catalog (`jobs.list` → `jobs.execute`). serde already makes
973 // `name` + `category` required at parse time; the only gap is
974 // a present-but-blank `name`, which would render an empty row
975 // title — reject it like the other display-id fields.
976 if let Some(client) = &self.client {
977 if client.name.trim().is_empty() {
978 return Err("client.name must not be empty".to_string());
979 }
980 // Optional display fields, when present, must be
981 // meaningful: a blank `description` renders an empty
982 // subtitle and a blank `icon` is a dangling lucide name.
983 // Same present-but-blank guard the `check:` block applies
984 // to its optional `troubleshoot` id.
985 for (label, value) in [
986 ("client.description", &client.description),
987 ("client.icon", &client.icon),
988 ] {
989 if let Some(v) = value {
990 if v.trim().is_empty() {
991 return Err(format!("{label} must not be empty when set"));
992 }
993 }
994 }
995 }
996 // #219: a `collect:` job's `name` heads the bundle on the SPA
997 // Collect page (and the Client App row when paired with
998 // `client:`), `files_field` tells the agent where to read the
999 // path list, and `max_size` must be a parseable size so a typo
1000 // is caught at create time rather than silently capping the
1001 // bundle at the default on the fire path.
1002 if let Some(collect) = &self.collect {
1003 if collect.name.trim().is_empty() {
1004 return Err("collect.name must not be empty".to_string());
1005 }
1006 if collect.files_field.trim().is_empty() {
1007 return Err("collect.files_field must not be empty".to_string());
1008 }
1009 if let Some(description) = &collect.description {
1010 if description.trim().is_empty() {
1011 return Err("collect.description must not be empty when set".to_string());
1012 }
1013 }
1014 if let Some(max_size) = &collect.max_size {
1015 parse_size_bytes(max_size).map_err(|e| format!("collect.max_size: {e}"))?;
1016 }
1017 }
1018 // #720: `aggregate:` is a pure read-spec (it never touches stdout
1019 // and is never sent to an agent), so it composes with every other
1020 // hint. Validate each widget's internal consistency: the value
1021 // path its `agg` needs, a safe JSON path charset (these bind into
1022 // `json_extract(payload, '$.' || ?)`), and scope/render coherence.
1023 if let Some(widgets) = &self.aggregate {
1024 if widgets.is_empty() {
1025 return Err("`aggregate:` must list at least one widget when present".to_string());
1026 }
1027 for (i, w) in widgets.iter().enumerate() {
1028 let at = format!("aggregate[{i}]");
1029 for (label, value) in [
1030 ("dashboard", &w.dashboard),
1031 ("title", &w.title),
1032 ("kind", &w.kind),
1033 ] {
1034 if value.trim().is_empty() {
1035 return Err(format!("{at}.{label} must not be empty"));
1036 }
1037 }
1038 // A present-but-blank `source` is a no-op filter — reject
1039 // like the other blank-when-set guards.
1040 if let Some(source) = &w.source {
1041 if source.trim().is_empty() {
1042 return Err(format!("{at}.source must not be empty when set"));
1043 }
1044 }
1045 // Reject values that fell through to the #492 `Unknown`
1046 // catch-all: at create time on the current version that's an
1047 // operator typo. (A genuinely-future variant only reaches an
1048 // older reader via a stored manifest, which is never
1049 // re-validated, so forward-compat is preserved.)
1050 if w.scope == AggregateScope::Unknown {
1051 return Err(format!("{at}.scope is not a known value (pc | fleet)"));
1052 }
1053 if w.agg == AggregateAgg::Unknown {
1054 return Err(format!(
1055 "{at}.agg is not a known value (count | ratio | sum)"
1056 ));
1057 }
1058 if w.render == AggregateRender::Unknown {
1059 return Err(format!(
1060 "{at}.render is not a known value (bar | gauge | timeline | stat)"
1061 ));
1062 }
1063 if w.transform == Some(AggregateTransform::Unknown) {
1064 return Err(format!("{at}.transform is not a known value (host)"));
1065 }
1066 if w.time_bucket == Some(AggregateTimeBucket::Unknown) {
1067 return Err(format!("{at}.time_bucket is not a known value (hour)"));
1068 }
1069 for (label, path) in [
1070 ("group_by", &w.group_by),
1071 ("bool_path", &w.bool_path),
1072 ("value_path", &w.value_path),
1073 ] {
1074 if let Some(p) = path {
1075 if !is_valid_json_path(p) {
1076 return Err(format!(
1077 "{at}.{label} '{p}' must be a dotted JSON path of [A-Za-z0-9_] segments"
1078 ));
1079 }
1080 }
1081 }
1082 // Each agg uses exactly one value path; reject a mis-paired
1083 // path so a typo fails at create rather than being ignored.
1084 match w.agg {
1085 // count: grouped → ranking, ungrouped → grand total.
1086 AggregateAgg::Count => {
1087 for (label, path) in
1088 [("bool_path", &w.bool_path), ("value_path", &w.value_path)]
1089 {
1090 if path.is_some() {
1091 return Err(format!("{at}.agg=count does not use `{label}`"));
1092 }
1093 }
1094 }
1095 AggregateAgg::Ratio => {
1096 if w.bool_path.is_none() {
1097 return Err(format!("{at}.agg=ratio requires `bool_path`"));
1098 }
1099 if w.value_path.is_some() {
1100 return Err(format!("{at}.agg=ratio does not use `value_path`"));
1101 }
1102 }
1103 AggregateAgg::Sum => {
1104 if w.value_path.is_none() {
1105 return Err(format!("{at}.agg=sum requires `value_path`"));
1106 }
1107 if w.bool_path.is_some() {
1108 return Err(format!("{at}.agg=sum does not use `bool_path`"));
1109 }
1110 }
1111 // Rejected above; arm exists only for exhaustiveness.
1112 AggregateAgg::Unknown => {}
1113 }
1114 // Ranking PCs against each other only means something across
1115 // the fleet — within one PC it's a single bar.
1116 if w.group_by.as_deref() == Some("pc_id") && w.scope != AggregateScope::Fleet {
1117 return Err(format!(
1118 "{at}.group_by: pc_id is only valid with scope: fleet"
1119 ));
1120 }
1121 // `transform` rewrites the grouped PAYLOAD value (URL→host);
1122 // it's meaningless on a `pc_id` grouping (the pc_id column,
1123 // not a payload field), so reject the combo at create time.
1124 if w.transform.is_some() && w.group_by.as_deref() == Some("pc_id") {
1125 return Err(format!("{at}.transform is not valid with group_by: pc_id"));
1126 }
1127 // limit / transform / exclude all operate on grouped values,
1128 // so without a `group_by` they're silent no-ops — reject.
1129 if w.group_by.is_none() {
1130 if w.limit.is_some() {
1131 return Err(format!("{at}.limit requires `group_by`"));
1132 }
1133 if w.transform.is_some() {
1134 return Err(format!("{at}.transform requires `group_by`"));
1135 }
1136 if !w.exclude.is_empty() {
1137 return Err(format!("{at}.exclude requires `group_by`"));
1138 }
1139 }
1140 if w.limit == Some(0) {
1141 return Err(format!("{at}.limit must be > 0"));
1142 }
1143 if w.sample_minutes == Some(0) {
1144 return Err(format!("{at}.sample_minutes must be > 0"));
1145 }
1146 for ex in &w.exclude {
1147 if ex.trim().is_empty() {
1148 return Err(format!("{at}.exclude must not contain empty entries"));
1149 }
1150 }
1151 // A gauge draws a single ratio dial — only meaningful for
1152 // agg: ratio.
1153 if w.render == AggregateRender::Gauge && w.agg != AggregateAgg::Ratio {
1154 return Err(format!("{at}.render=gauge is only valid with agg: ratio"));
1155 }
1156 // A timeline needs a bucket; a bucket on any other render is
1157 // a no-op that signals operator confusion — reject both.
1158 match (w.render, &w.time_bucket) {
1159 (AggregateRender::Timeline, None) => {
1160 return Err(format!("{at}.render=timeline requires `time_bucket`"));
1161 }
1162 (r, Some(_)) if r != AggregateRender::Timeline => {
1163 return Err(format!(
1164 "{at}.time_bucket is only valid with render: timeline"
1165 ));
1166 }
1167 _ => {}
1168 }
1169 }
1170 }
1171 // A blank / whitespace-only tag is an invisible operator typo
1172 // that would render an empty filter chip on the Jobs page —
1173 // reject it like the other present-but-blank display fields.
1174 for tag in &self.tags {
1175 if tag.trim().is_empty() {
1176 return Err("tags must not contain empty entries".to_string());
1177 }
1178 }
1179 Ok(())
1180 }
1181}
1182
1183#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1184#[serde(rename_all = "lowercase")]
1185pub enum ExecuteShell {
1186 Powershell,
1187 Cmd,
1188}
1189
1190impl From<ExecuteShell> for Shell {
1191 fn from(s: ExecuteShell) -> Self {
1192 match s {
1193 ExecuteShell::Powershell => Shell::Powershell,
1194 ExecuteShell::Cmd => Shell::Cmd,
1195 }
1196 }
1197}
1198
1199#[cfg(test)]
1200mod tests {
1201 use super::*;
1202
1203 /// The example check-job + schedule YAMLs shipped under `configs/`
1204 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
1205 /// pins them at compile time so a breaking edit fails `cargo test`
1206 /// rather than only `kanade job create` at deploy time.
1207 #[test]
1208 fn example_check_job_yamls_parse_and_validate() {
1209 let jobs = [
1210 (
1211 "check-bitlocker",
1212 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
1213 ),
1214 (
1215 "check-av-signature",
1216 include_str!("../../../configs/jobs/check-av-signature.yaml"),
1217 ),
1218 (
1219 "check-cert-expiry",
1220 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
1221 ),
1222 (
1223 "check-disk-space",
1224 include_str!("../../../configs/jobs/check-disk-space.yaml"),
1225 ),
1226 (
1227 "check-pending-reboot",
1228 include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
1229 ),
1230 (
1231 "check-defender-rtp",
1232 include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
1233 ),
1234 (
1235 "check-firewall",
1236 include_str!("../../../configs/jobs/check-firewall.yaml"),
1237 ),
1238 ];
1239 for (name, yaml) in jobs {
1240 let m: Manifest =
1241 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
1242 m.validate()
1243 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
1244 let check = m
1245 .check
1246 .as_ref()
1247 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
1248 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
1249 // These examples all read admin-only WMI / registry / netsh
1250 // state, so they run_as system. NOTE: that's a property of
1251 // these particular checks, NOT of the `check:` contract — a
1252 // check probing user-session state could run_as user.
1253 assert_eq!(
1254 m.execute.run_as,
1255 RunAs::System,
1256 "{name} should run_as system"
1257 );
1258 }
1259 }
1260
1261 /// The example user-invokable job YAMLs (#291) shipped under
1262 /// `configs/jobs/` must stay valid as the `client:` schema
1263 /// evolves. `include_str!` pins them at compile time so a breaking
1264 /// edit fails `cargo test`, not `kanade job create` at deploy.
1265 #[test]
1266 fn example_client_job_yamls_parse_and_validate() {
1267 let jobs = [
1268 (
1269 "fix-teams-cache",
1270 JobCategory::Troubleshoot,
1271 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
1272 ),
1273 (
1274 "chrome-update",
1275 JobCategory::SoftwareUpdate,
1276 include_str!("../../../configs/jobs/chrome-update.yaml"),
1277 ),
1278 (
1279 "install-slack",
1280 JobCategory::Catalog,
1281 include_str!("../../../configs/jobs/install-slack.yaml"),
1282 ),
1283 (
1284 "fix-defender-rtp",
1285 JobCategory::Troubleshoot,
1286 include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
1287 ),
1288 ];
1289 for (id, category, yaml) in jobs {
1290 let m: Manifest =
1291 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1292 m.validate()
1293 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1294 assert_eq!(m.id, id, "{id} id mismatch");
1295 let client = m
1296 .client
1297 .as_ref()
1298 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
1299 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
1300 assert_eq!(client.category, category, "{id} category");
1301 }
1302 }
1303
1304 /// #219: the shipped `collect:` example must stay valid as the
1305 /// schema evolves. `include_str!` pins it at compile time so a
1306 /// breaking edit (or a YAML typo in the PowerShell block) fails
1307 /// `cargo test` rather than `kanade job create` at deploy. It carries
1308 /// both `collect:` and `client:` (end-user-triggerable), which must
1309 /// compose.
1310 #[test]
1311 fn example_collect_job_yaml_parses_and_validates() {
1312 let yaml = include_str!("../../../configs/jobs/collect-diagnostics.yaml");
1313 let m: Manifest = serde_yaml::from_str(yaml).expect("collect-diagnostics parse");
1314 m.validate().expect("collect-diagnostics validate");
1315 assert_eq!(m.id, "collect-diagnostics");
1316 let collect = m.collect.as_ref().expect("collect: block present");
1317 assert!(!collect.name.trim().is_empty());
1318 assert_eq!(collect.files_field, "files");
1319 assert_eq!(collect.max_size_bytes(), 50_000_000);
1320 // collect + client compose — the Client App can trigger it.
1321 assert!(
1322 m.client.is_some(),
1323 "collect-diagnostics also carries client:"
1324 );
1325 }
1326
1327 /// The `emit: { type: events }` collector jobs under
1328 /// `configs/jobs/` feed the obs_events timeline. `include_str!`
1329 /// pins them at compile time so a breaking edit (e.g. an `emit:`
1330 /// paired with `check:`/`inventory:`, a bad watermark field, or a
1331 /// YAML typo in the PowerShell block) fails `cargo test` rather
1332 /// than `kanade job create` at deploy. Every one must carry an
1333 /// `emit.type=events` block and NO check/inventory (validate()
1334 /// rejects the pairing).
1335 #[test]
1336 fn example_event_collector_job_yamls_parse_and_validate() {
1337 let jobs = [
1338 (
1339 "collect-winlog-events",
1340 include_str!("../../../configs/jobs/collect-winlog-events.yaml"),
1341 ),
1342 (
1343 "collect-winlog-logons-all",
1344 include_str!("../../../configs/jobs/collect-winlog-logons-all.yaml"),
1345 ),
1346 (
1347 "collect-wlan-events",
1348 include_str!("../../../configs/jobs/collect-wlan-events.yaml"),
1349 ),
1350 ];
1351 for (id, yaml) in jobs {
1352 // Strict parse so an unknown-key typo in these fixtures fails
1353 // here (not silently at deploy) — the runtime Manifest is
1354 // unknown-key-tolerant, so the lenient serde_yaml::from_str
1355 // wouldn't catch fixture drift (CodeRabbit #689).
1356 let m: Manifest =
1357 crate::strict::from_yaml_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1358 m.validate()
1359 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1360 assert_eq!(m.id, id, "{id} id mismatch");
1361 let emit = m
1362 .emit
1363 .as_ref()
1364 .unwrap_or_else(|| panic!("{id} must carry an emit: block"));
1365 assert_eq!(emit.kind, EmitKind::Events, "{id} emit.type");
1366 assert!(
1367 m.check.is_none() && m.inventory.is_none(),
1368 "{id}: emit jobs must not pair with check/inventory"
1369 );
1370 }
1371 }
1372
1373 /// The `inventory:` snapshot jobs under `configs/jobs/` project
1374 /// facts into `inventory_facts` + exploded tables. `include_str!`
1375 /// pins them at compile time so a breaking edit (bad explode
1376 /// schema, a YAML typo in the PowerShell block, an `inventory:`
1377 /// accidentally paired with `emit:`) fails `cargo test` rather
1378 /// than the projector at deploy. Each must carry an `inventory:`
1379 /// block and NO emit (validate() rejects the pairing).
1380 #[test]
1381 fn example_inventory_job_yamls_parse_and_validate() {
1382 let jobs = [
1383 (
1384 "inventory-hw",
1385 include_str!("../../../configs/jobs/inventory-hw.yaml"),
1386 ),
1387 (
1388 "inventory-sw",
1389 include_str!("../../../configs/jobs/inventory-sw.yaml"),
1390 ),
1391 (
1392 "inventory-driver",
1393 include_str!("../../../configs/jobs/inventory-driver.yaml"),
1394 ),
1395 ];
1396 for (id, yaml) in jobs {
1397 let m: Manifest =
1398 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1399 m.validate()
1400 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1401 assert_eq!(m.id, id, "{id} id mismatch");
1402 assert!(m.inventory.is_some(), "{id} must carry an inventory: block");
1403 assert!(m.emit.is_none(), "{id}: inventory jobs must not set emit:");
1404 }
1405 }
1406
1407 #[test]
1408 fn example_check_schedule_yamls_parse_and_validate() {
1409 let schedules = [
1410 (
1411 "check-bitlocker",
1412 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
1413 ),
1414 (
1415 "check-av-signature",
1416 include_str!("../../../configs/schedules/check-av-signature.yaml"),
1417 ),
1418 (
1419 "check-cert-expiry",
1420 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
1421 ),
1422 (
1423 "check-disk-space",
1424 include_str!("../../../configs/schedules/check-disk-space.yaml"),
1425 ),
1426 (
1427 "check-pending-reboot",
1428 include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
1429 ),
1430 (
1431 "check-defender-rtp",
1432 include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
1433 ),
1434 (
1435 "check-firewall",
1436 include_str!("../../../configs/schedules/check-firewall.yaml"),
1437 ),
1438 ];
1439 for (name, yaml) in schedules {
1440 let s: Schedule =
1441 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1442 s.validate()
1443 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1444 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1445 }
1446 }
1447
1448 /// Inventory schedule wrappers (`per_pc` cadence) must stay valid
1449 /// alongside the schedule schema. `include_str!` pins them so a
1450 /// breaking edit fails `cargo test`, not `kanade schedule create`.
1451 #[test]
1452 fn example_inventory_schedule_yamls_parse_and_validate() {
1453 let schedules = [
1454 (
1455 "inventory-hw",
1456 include_str!("../../../configs/schedules/inventory-hw.yaml"),
1457 ),
1458 (
1459 "inventory-sw",
1460 include_str!("../../../configs/schedules/inventory-sw.yaml"),
1461 ),
1462 (
1463 "inventory-driver",
1464 include_str!("../../../configs/schedules/inventory-driver.yaml"),
1465 ),
1466 ];
1467 for (name, yaml) in schedules {
1468 let s: Schedule =
1469 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1470 s.validate()
1471 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1472 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1473 }
1474 }
1475
1476 #[test]
1477 fn target_is_specified_requires_at_least_one_field() {
1478 let empty = Target::default();
1479 assert!(!empty.is_specified());
1480
1481 let with_all = Target {
1482 all: true,
1483 ..Target::default()
1484 };
1485 assert!(with_all.is_specified());
1486
1487 let with_groups = Target {
1488 groups: vec!["canary".into()],
1489 ..Target::default()
1490 };
1491 assert!(with_groups.is_specified());
1492
1493 let with_pcs = Target {
1494 pcs: vec!["pc-01".into()],
1495 ..Target::default()
1496 };
1497 assert!(with_pcs.is_specified());
1498 }
1499
1500 #[test]
1501 fn manifest_deserialises_minimal_yaml() {
1502 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
1503 // — those live on the schedule / exec request now.
1504 let yaml = r#"
1505id: echo-test
1506version: 0.0.1
1507execute:
1508 shell: powershell
1509 script: "echo 'kanade'"
1510 timeout: 30s
1511"#;
1512 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1513 assert_eq!(m.id, "echo-test");
1514 assert_eq!(m.version, "0.0.1");
1515 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
1516 assert_eq!(
1517 m.execute.script.as_deref().map(str::trim),
1518 Some("echo 'kanade'")
1519 );
1520 assert!(m.execute.script_file.is_none());
1521 assert!(m.execute.script_object.is_none());
1522 assert_eq!(m.execute.timeout, "30s");
1523 assert!(!m.require_approval);
1524 m.validate()
1525 .expect("inline-script manifest passes validation");
1526 }
1527
1528 #[test]
1529 fn manifest_parses_check_job_and_validates() {
1530 // An operator-defined health check (#290): a `check:` hint +
1531 // a PowerShell script that prints {status, detail}.
1532 let yaml = r#"
1533id: check-bitlocker
1534version: 0.1.0
1535execute:
1536 shell: powershell
1537 run_as: system
1538 timeout: 15s
1539 script: |
1540 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
1541check:
1542 name: bitlocker
1543 troubleshoot: fix-bitlocker
1544"#;
1545 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1546 let check = m.check.as_ref().expect("check hint present");
1547 assert_eq!(check.name, "bitlocker");
1548 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
1549 // Field names default to the conventional "status" / "detail".
1550 assert_eq!(check.status_field, "status");
1551 assert_eq!(check.detail_field, "detail");
1552 assert!(m.inventory.is_none() && m.emit.is_none());
1553 m.validate().expect("check-only manifest passes validation");
1554 }
1555
1556 #[test]
1557 fn manifest_check_defaults_and_custom_fields() {
1558 // Minimal: only `name`; status/detail fields default.
1559 let m: Manifest = serde_yaml::from_str(
1560 r#"
1561id: check-disk
1562version: 0.1.0
1563execute:
1564 shell: powershell
1565 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
1566 timeout: 10s
1567check:
1568 name: disk_free
1569"#,
1570 )
1571 .expect("parse");
1572 let c = m.check.as_ref().unwrap();
1573 assert_eq!(c.name, "disk_free");
1574 assert_eq!(c.status_field, "status");
1575 assert_eq!(c.detail_field, "detail");
1576 assert!(c.troubleshoot.is_none());
1577 m.validate().expect("validates");
1578
1579 // The operator can point status/detail at any field of their
1580 // free-form inventory object.
1581 let m2: Manifest = serde_yaml::from_str(
1582 r#"
1583id: check-custom
1584version: 0.1.0
1585execute:
1586 shell: powershell
1587 script: "echo x"
1588 timeout: 10s
1589check:
1590 name: patch_level
1591 status_field: compliance
1592 detail_field: summary
1593"#,
1594 )
1595 .expect("parse");
1596 let c2 = m2.check.as_ref().unwrap();
1597 assert_eq!(c2.status_field, "compliance");
1598 assert_eq!(c2.detail_field, "summary");
1599 }
1600
1601 #[test]
1602 fn manifest_allows_check_composed_with_inventory() {
1603 // `check:` + `inventory:` COMPOSE on the same stdout object:
1604 // status/detail → Health tab, the rest → SPA projection +
1605 // explode sub-tables. Must pass validation.
1606 let yaml = r#"
1607id: check-bitlocker-detailed
1608version: 0.1.0
1609execute:
1610 shell: powershell
1611 script: "echo x"
1612 timeout: 10s
1613check:
1614 name: bitlocker
1615inventory:
1616 display:
1617 - { field: status, label: Status }
1618"#;
1619 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1620 assert!(m.check.is_some() && m.inventory.is_some());
1621 m.validate().expect("check + inventory compose");
1622 }
1623
1624 #[test]
1625 fn manifest_parses_collect_job_and_validates() {
1626 // #219: a `collect:` hint + a script that lists files on stdout.
1627 let yaml = r#"
1628id: collect-diagnostics
1629version: 0.1.0
1630execute:
1631 shell: powershell
1632 run_as: system
1633 timeout: 120s
1634 script: |
1635 @{ files = @("$env:KANADE_COLLECT_DIR/system.csv") } | ConvertTo-Json
1636collect:
1637 name: "Full diagnostics"
1638 description: "Event logs + process"
1639 max_size: 50MB
1640"#;
1641 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1642 let c = m.collect.as_ref().expect("collect hint present");
1643 assert_eq!(c.name, "Full diagnostics");
1644 assert_eq!(c.files_field, "files"); // default
1645 assert_eq!(c.max_size_bytes(), 50_000_000);
1646 m.validate().expect("collect-only manifest validates");
1647 }
1648
1649 #[test]
1650 fn manifest_collect_max_size_defaults_when_unset() {
1651 let m: Manifest = serde_yaml::from_str(
1652 r#"
1653id: collect-min
1654version: 0.1.0
1655execute:
1656 shell: powershell
1657 script: "echo x"
1658 timeout: 10s
1659collect:
1660 name: minimal
1661"#,
1662 )
1663 .expect("parse");
1664 let c = m.collect.as_ref().unwrap();
1665 assert!(c.max_size.is_none());
1666 assert_eq!(c.max_size_bytes(), DEFAULT_COLLECT_MAX_SIZE);
1667 m.validate().expect("validates");
1668 }
1669
1670 #[test]
1671 fn manifest_allows_collect_with_client() {
1672 // collect composes with client (client doesn't touch stdout):
1673 // an end user can trigger a collection from the Client App.
1674 let yaml = r#"
1675id: collect-diag-client
1676version: 0.1.0
1677execute:
1678 shell: powershell
1679 script: "echo x"
1680 timeout: 10s
1681collect:
1682 name: diagnostics
1683client:
1684 name: "Send diagnostics"
1685 category: troubleshoot
1686"#;
1687 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1688 assert!(m.collect.is_some() && m.client.is_some());
1689 m.validate().expect("collect + client compose");
1690 }
1691
1692 #[test]
1693 fn manifest_rejects_collect_combined_with_inventory() {
1694 // collect consumes stdout for its own `files` contract → can't
1695 // share with inventory/check/emit.
1696 let yaml = r#"
1697id: bad-collect-mix
1698version: 0.1.0
1699execute:
1700 shell: powershell
1701 script: "echo x"
1702 timeout: 10s
1703collect:
1704 name: diag
1705inventory:
1706 display:
1707 - { field: status, label: Status }
1708"#;
1709 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1710 let err = m
1711 .validate()
1712 .expect_err("collect + inventory must be rejected");
1713 assert!(err.contains("collect"), "error mentions collect: {err}");
1714 }
1715
1716 #[test]
1717 fn manifest_rejects_collect_combined_with_check_or_emit() {
1718 // collect is exclusive with every stdout-consuming hint, not
1719 // just inventory — guard the check + emit branches too.
1720 for extra in ["check:\n name: health\n", "emit:\n type: events\n"] {
1721 let yaml = format!(
1722 "id: bad-collect-mix\nversion: 0.1.0\nexecute:\n shell: powershell\n \
1723 script: \"echo x\"\n timeout: 10s\ncollect:\n name: diag\n{extra}"
1724 );
1725 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1726 let err = m
1727 .validate()
1728 .expect_err("collect + stdout-consuming hint must fail");
1729 assert!(err.contains("collect"), "error mentions collect: {err}");
1730 }
1731 }
1732
1733 #[test]
1734 fn manifest_rejects_collect_empty_name_and_bad_size() {
1735 let empty_name: Manifest = serde_yaml::from_str(
1736 r#"
1737id: c
1738version: 0.1.0
1739execute: { shell: powershell, script: "echo x", timeout: 10s }
1740collect: { name: " " }
1741"#,
1742 )
1743 .expect("parse");
1744 assert!(
1745 empty_name.validate().is_err(),
1746 "blank collect.name rejected"
1747 );
1748
1749 let bad_size: Manifest = serde_yaml::from_str(
1750 r#"
1751id: c
1752version: 0.1.0
1753execute: { shell: powershell, script: "echo x", timeout: 10s }
1754collect: { name: diag, max_size: "50 quux" }
1755"#,
1756 )
1757 .expect("parse");
1758 let err = bad_size.validate().expect_err("bad max_size rejected");
1759 assert!(err.contains("max_size"), "error mentions max_size: {err}");
1760 }
1761
1762 #[test]
1763 fn parse_size_bytes_units() {
1764 assert_eq!(parse_size_bytes("1024").unwrap(), 1024);
1765 assert_eq!(parse_size_bytes("1B").unwrap(), 1);
1766 assert_eq!(parse_size_bytes("50MB").unwrap(), 50_000_000);
1767 assert_eq!(parse_size_bytes("500 KB").unwrap(), 500_000);
1768 assert_eq!(parse_size_bytes("1GiB").unwrap(), 1024 * 1024 * 1024);
1769 assert_eq!(parse_size_bytes("2mib").unwrap(), 2 * 1024 * 1024);
1770 assert!(parse_size_bytes("").is_err());
1771 assert!(parse_size_bytes("MB").is_err());
1772 assert!(parse_size_bytes("12 zonks").is_err());
1773 }
1774
1775 #[test]
1776 fn manifest_rejects_check_combined_with_emit() {
1777 // `emit:` stdout is NDJSON (and omitted from the result), so
1778 // it can't pair with `check:` (which needs a single JSON
1779 // object on stdout).
1780 let yaml = r#"
1781id: bad-mix
1782version: 0.1.0
1783execute:
1784 shell: powershell
1785 script: "echo x"
1786 timeout: 10s
1787check:
1788 name: bitlocker
1789emit:
1790 type: events
1791"#;
1792 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1793 let err = m.validate().expect_err("emit + check must fail");
1794 assert!(err.contains("incompatible"), "err: {err}");
1795 }
1796
1797 #[test]
1798 fn manifest_rejects_emit_combined_with_inventory() {
1799 // The other half of the emit-incompatibility condition.
1800 let yaml = r#"
1801id: bad-mix-2
1802version: 0.1.0
1803execute:
1804 shell: powershell
1805 script: "echo x"
1806 timeout: 10s
1807emit:
1808 type: events
1809inventory:
1810 display:
1811 - { field: status, label: Status }
1812"#;
1813 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1814 let err = m.validate().expect_err("emit + inventory must fail");
1815 assert!(err.contains("incompatible"), "err: {err}");
1816 }
1817
1818 #[test]
1819 fn manifest_rejects_empty_check_field_names() {
1820 // Empty name / status_field / detail_field are invisible
1821 // runtime bugs (empty React key, agent reads the wrong field)
1822 // — reject them even though serde supplies non-empty defaults.
1823 let base = |inner: &str| {
1824 format!(
1825 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
1826 )
1827 };
1828 for inner in [
1829 " name: \"\"\n",
1830 " name: ok\n status_field: \"\"\n",
1831 " name: ok\n detail_field: \" \"\n",
1832 // present-but-blank troubleshoot → broken remediation id.
1833 " name: ok\n troubleshoot: \" \"\n",
1834 ] {
1835 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
1836 let err = m.validate().expect_err("empty field must fail");
1837 assert!(err.contains("must not be empty"), "err: {err}");
1838 }
1839 }
1840
1841 #[test]
1842 fn manifest_client_absent_by_default() {
1843 // A plain operator job (the overwhelming majority) carries no
1844 // `client:` block, so it never surfaces in the end-user
1845 // catalog.
1846 let yaml = r#"
1847id: echo-test
1848version: 0.0.1
1849execute:
1850 shell: powershell
1851 script: "echo 'kanade'"
1852 timeout: 30s
1853"#;
1854 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1855 assert!(m.client.is_none());
1856 m.validate().expect("operator-only job validates");
1857 }
1858
1859 #[test]
1860 fn manifest_client_parses_and_validates() {
1861 // The Client App "困ったとき" remediation job shape: a
1862 // user-invokable troubleshoot job with the end-user fields the
1863 // KLP `jobs.list` wire needs, grouped under `client:`.
1864 let yaml = r#"
1865id: fix-teams-cache
1866version: 1.0.0
1867execute:
1868 shell: powershell
1869 script: "echo clearing"
1870 timeout: 60s
1871client:
1872 name: "Teams のキャッシュをクリア"
1873 description: "Teams が重いときに試してください"
1874 category: troubleshoot
1875 icon: brush-cleaning
1876"#;
1877 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1878 let c = m.client.as_ref().expect("client block present");
1879 assert_eq!(c.name, "Teams のキャッシュをクリア");
1880 assert_eq!(
1881 c.description.as_deref(),
1882 Some("Teams が重いときに試してください")
1883 );
1884 assert_eq!(c.category, JobCategory::Troubleshoot);
1885 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
1886 m.validate().expect("user-invokable job validates");
1887 }
1888
1889 #[test]
1890 fn manifest_client_minimal_only_name_and_category() {
1891 // description + icon are optional; name + category are the
1892 // serde-required minimum.
1893 let yaml = r#"
1894id: install-slack
1895version: 1.0.0
1896execute:
1897 shell: powershell
1898 script: "echo install"
1899 timeout: 600s
1900client:
1901 name: Slack
1902 category: catalog
1903"#;
1904 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1905 let c = m.client.as_ref().expect("client present");
1906 assert_eq!(c.category, JobCategory::Catalog);
1907 assert!(c.description.is_none() && c.icon.is_none());
1908 m.validate().expect("minimal client validates");
1909 }
1910
1911 #[test]
1912 fn manifest_client_rejects_blank_name() {
1913 // serde guarantees `name`/`category` are present; the one gap
1914 // is a present-but-blank name → empty catalog row title.
1915 let yaml = r#"
1916id: j
1917version: 1.0.0
1918execute:
1919 shell: powershell
1920 script: "echo x"
1921 timeout: 30s
1922client:
1923 name: " "
1924 category: catalog
1925"#;
1926 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1927 let err = m.validate().expect_err("blank name must fail");
1928 assert!(err.contains("client.name"), "err: {err}");
1929 }
1930
1931 #[test]
1932 fn manifest_client_rejects_blank_optional_fields() {
1933 // description / icon are optional, but a present-but-blank
1934 // value is a bug (empty subtitle / dangling icon name) — reject
1935 // it, mirroring the check: block's troubleshoot guard.
1936 for (field, line) in [
1937 ("client.description", " description: \" \"\n"),
1938 ("client.icon", " icon: \"\"\n"),
1939 ] {
1940 let yaml = format!(
1941 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
1942 );
1943 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1944 let err = m.validate().expect_err("blank optional field must fail");
1945 assert!(err.contains(field), "expected {field} in err: {err}");
1946 }
1947 }
1948
1949 #[test]
1950 fn manifest_client_requires_category_at_parse() {
1951 // A `client:` block missing `category` is a hard parse error
1952 // (serde required field) — no manual validate() needed.
1953 let yaml = r#"
1954id: j
1955version: 1.0.0
1956execute:
1957 shell: powershell
1958 script: "echo x"
1959 timeout: 30s
1960client:
1961 name: "A job"
1962"#;
1963 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
1964 assert!(
1965 r.is_err(),
1966 "missing category must be a parse error, got {r:?}"
1967 );
1968 }
1969
1970 #[test]
1971 fn manifest_client_rejects_unknown_field() {
1972 // #492: the strict create boundary catches a fat-fingered
1973 // `displayname:` (with its path) instead of silently
1974 // dropping it; the tolerant read path accepts it.
1975 let yaml = r#"
1976id: j
1977version: 1.0.0
1978execute:
1979 shell: powershell
1980 script: "echo x"
1981 timeout: 30s
1982client:
1983 name: "A job"
1984 category: catalog
1985 displayname: oops
1986"#;
1987 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
1988 let err = r.expect_err("unknown client field must be rejected at the write boundary");
1989 // serde_ignored renders the Option layer as `?`:
1990 // `client.?.displayname`. Assert on the leaf key.
1991 assert!(err.contains("displayname"), "{err}");
1992 // The READ path tolerates the same payload (gradual-upgrade
1993 // contract: an old agent must accept a newer writer's field).
1994 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
1995 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
1996 }
1997
1998 #[test]
1999 fn manifest_tags_default_empty() {
2000 // The overwhelming majority of jobs carry no tags; the field
2001 // must default to an empty Vec (not fail to parse) and skip
2002 // serialisation so old readers never see the key.
2003 let yaml = r#"
2004id: echo-test
2005version: 0.0.1
2006execute:
2007 shell: powershell
2008 script: "echo 'kanade'"
2009 timeout: 30s
2010"#;
2011 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2012 assert!(m.tags.is_empty());
2013 m.validate().expect("tag-less job validates");
2014 // skip_serializing_if = empty ⇒ the key is absent from JSON.
2015 let json = serde_json::to_string(&m).expect("serialize");
2016 assert!(
2017 !json.contains("tags"),
2018 "empty tags must not serialise: {json}"
2019 );
2020 }
2021
2022 #[test]
2023 fn manifest_parses_and_validates_tags() {
2024 let yaml = r#"
2025id: check-bitlocker
2026version: 0.1.0
2027execute:
2028 shell: powershell
2029 script: "echo x"
2030 timeout: 30s
2031tags: [security, windows, health-check]
2032"#;
2033 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2034 assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
2035 m.validate().expect("tagged job validates");
2036 // Round-trips through JSON (the wire format the SPA reads).
2037 let json = serde_json::to_string(&m).expect("serialize");
2038 assert!(json.contains("\"tags\""), "non-empty tags must serialise");
2039 }
2040
2041 #[test]
2042 fn manifest_rejects_blank_tag() {
2043 // A whitespace-only tag renders an empty filter chip — reject
2044 // it at the write boundary like the other blank display fields.
2045 let yaml = r#"
2046id: j
2047version: 0.1.0
2048execute:
2049 shell: powershell
2050 script: "echo x"
2051 timeout: 30s
2052tags: [ok, " "]
2053"#;
2054 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2055 let err = m.validate().expect_err("blank tag must fail");
2056 assert!(err.contains("tags must not contain empty"), "err: {err}");
2057 }
2058
2059 // #720 — wrap an `aggregate:` YAML block (already indented as a
2060 // top-level key body) into an otherwise-minimal valid manifest.
2061 fn manifest_with_aggregate(aggregate_block: &str) -> Manifest {
2062 let yaml = format!(
2063 "id: t\nversion: 0.0.1\nexecute:\n shell: powershell\n script: echo hi\n timeout: 30s\n{aggregate_block}"
2064 );
2065 serde_yaml::from_str(&yaml).expect("parse aggregate manifest")
2066 }
2067
2068 #[test]
2069 fn aggregate_accepts_full_valid_spec() {
2070 // count+group_by+exclude+sample_minutes, ratio+bool_path,
2071 // timeline+time_bucket, fleet ranking via group_by: pc_id, and a
2072 // bare total stat — alongside emit (composes with every hint).
2073 let m = manifest_with_aggregate(
2074 "emit:\n type: events\naggregate:\n\
2075 - { dashboard: Utilization, title: Top apps, kind: app_sample, agg: count, group_by: foreground.app, sample_minutes: 2, exclude: [LockApp], render: bar }\n\
2076 - { dashboard: Utilization, title: Active ratio, kind: presence, agg: ratio, bool_path: active, sample_minutes: 5, render: gauge }\n\
2077 - { dashboard: Utilization, title: By hour, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: timeline }\n\
2078 - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
2079 - { dashboard: Reliability, title: Total crashes, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
2080 );
2081 m.validate().expect("valid aggregate spec");
2082 }
2083
2084 #[test]
2085 fn aggregate_rejects_empty_list() {
2086 let m = manifest_with_aggregate("aggregate: []\n");
2087 let err = m.validate().expect_err("empty list must fail");
2088 assert!(err.contains("at least one widget"), "err: {err}");
2089 }
2090
2091 #[test]
2092 fn aggregate_rejects_ratio_without_bool_path() {
2093 let m = manifest_with_aggregate(
2094 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
2095 );
2096 let err = m.validate().expect_err("ratio needs bool_path");
2097 assert!(err.contains("agg=ratio requires `bool_path`"), "err: {err}");
2098 }
2099
2100 #[test]
2101 fn aggregate_rejects_sum_without_value_path() {
2102 let m = manifest_with_aggregate(
2103 "aggregate:\n- { dashboard: D, title: T, kind: io, agg: sum, render: bar }\n",
2104 );
2105 let err = m.validate().expect_err("sum needs value_path");
2106 assert!(err.contains("agg=sum requires `value_path`"), "err: {err}");
2107 }
2108
2109 #[test]
2110 fn aggregate_rejects_pc_id_group_without_fleet() {
2111 let m = manifest_with_aggregate(
2112 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: count, group_by: pc_id, render: bar }\n",
2113 );
2114 let err = m.validate().expect_err("pc_id grouping needs fleet");
2115 assert!(
2116 err.contains("pc_id is only valid with scope: fleet"),
2117 "err: {err}"
2118 );
2119 }
2120
2121 #[test]
2122 fn aggregate_rejects_transform_with_pc_id_group() {
2123 let m = manifest_with_aggregate(
2124 "aggregate:\n- { dashboard: D, title: T, scope: fleet, kind: web_visit, agg: count, group_by: pc_id, transform: host, render: bar }\n",
2125 );
2126 let err = m
2127 .validate()
2128 .expect_err("transform on pc_id grouping must fail");
2129 assert!(
2130 err.contains("transform is not valid with group_by: pc_id"),
2131 "err: {err}"
2132 );
2133 }
2134
2135 #[test]
2136 fn aggregate_rejects_timeline_without_bucket() {
2137 let m = manifest_with_aggregate(
2138 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, render: timeline }\n",
2139 );
2140 let err = m.validate().expect_err("timeline needs a bucket");
2141 assert!(
2142 err.contains("render=timeline requires `time_bucket`"),
2143 "err: {err}"
2144 );
2145 }
2146
2147 #[test]
2148 fn aggregate_rejects_bucket_on_non_timeline() {
2149 let m = manifest_with_aggregate(
2150 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: gauge }\n",
2151 );
2152 let err = m.validate().expect_err("bucket only on timeline");
2153 assert!(
2154 err.contains("time_bucket is only valid with render: timeline"),
2155 "err: {err}"
2156 );
2157 }
2158
2159 #[test]
2160 fn aggregate_rejects_unsafe_json_path() {
2161 // A path with characters outside [A-Za-z0-9_.] could break out of
2162 // the `'$.' || ?` bind — reject at create time.
2163 let m = manifest_with_aggregate(
2164 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: \"foo'; DROP\", render: bar }\n",
2165 );
2166 let err = m.validate().expect_err("unsafe path must fail");
2167 assert!(err.contains("dotted JSON path"), "err: {err}");
2168 }
2169
2170 #[test]
2171 fn aggregate_rejects_blank_title() {
2172 let m = manifest_with_aggregate(
2173 "aggregate:\n- { dashboard: D, title: \" \", kind: k, agg: count, render: stat }\n",
2174 );
2175 let err = m.validate().expect_err("blank title must fail");
2176 assert!(err.contains("title must not be empty"), "err: {err}");
2177 }
2178
2179 #[test]
2180 fn aggregate_rejects_blank_kind() {
2181 let m = manifest_with_aggregate(
2182 "aggregate:\n- { dashboard: D, title: T, kind: \" \", agg: count, render: stat }\n",
2183 );
2184 let err = m.validate().expect_err("blank kind must fail");
2185 assert!(err.contains("kind must not be empty"), "err: {err}");
2186 }
2187
2188 #[test]
2189 fn aggregate_rejects_blank_source_when_set() {
2190 let m = manifest_with_aggregate(
2191 "aggregate:\n- { dashboard: D, title: T, kind: k, source: \"\", agg: count, render: stat }\n",
2192 );
2193 let err = m.validate().expect_err("blank source must fail");
2194 assert!(
2195 err.contains("source must not be empty when set"),
2196 "err: {err}"
2197 );
2198 }
2199
2200 #[test]
2201 fn aggregate_rejects_count_with_value_path() {
2202 let m = manifest_with_aggregate(
2203 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, value_path: bytes, render: stat }\n",
2204 );
2205 let err = m.validate().expect_err("count must not use value_path");
2206 assert!(
2207 err.contains("agg=count does not use `value_path`"),
2208 "err: {err}"
2209 );
2210 }
2211
2212 #[test]
2213 fn aggregate_rejects_ratio_with_value_path() {
2214 let m = manifest_with_aggregate(
2215 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: ratio, bool_path: active, value_path: bytes, render: gauge }\n",
2216 );
2217 let err = m.validate().expect_err("ratio must not use value_path");
2218 assert!(
2219 err.contains("agg=ratio does not use `value_path`"),
2220 "err: {err}"
2221 );
2222 }
2223
2224 #[test]
2225 fn aggregate_rejects_gauge_without_ratio() {
2226 let m = manifest_with_aggregate(
2227 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, render: gauge }\n",
2228 );
2229 let err = m.validate().expect_err("gauge needs ratio");
2230 assert!(
2231 err.contains("render=gauge is only valid with agg: ratio"),
2232 "err: {err}"
2233 );
2234 }
2235
2236 #[test]
2237 fn aggregate_rejects_limit_without_group_by() {
2238 let m = manifest_with_aggregate(
2239 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, limit: 5, render: stat }\n",
2240 );
2241 let err = m.validate().expect_err("limit needs group_by");
2242 assert!(err.contains("limit requires `group_by`"), "err: {err}");
2243 }
2244
2245 #[test]
2246 fn aggregate_rejects_exclude_without_group_by() {
2247 let m = manifest_with_aggregate(
2248 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, exclude: [x], render: stat }\n",
2249 );
2250 let err = m.validate().expect_err("exclude needs group_by");
2251 assert!(err.contains("exclude requires `group_by`"), "err: {err}");
2252 }
2253
2254 #[test]
2255 fn aggregate_rejects_zero_limit_and_zero_sample_minutes() {
2256 let m = manifest_with_aggregate(
2257 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, limit: 0, render: bar }\n",
2258 );
2259 assert!(m.validate().unwrap_err().contains("limit must be > 0"));
2260 let m = manifest_with_aggregate(
2261 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, sample_minutes: 0, render: bar }\n",
2262 );
2263 assert!(
2264 m.validate()
2265 .unwrap_err()
2266 .contains("sample_minutes must be > 0")
2267 );
2268 }
2269
2270 #[test]
2271 fn aggregate_rejects_empty_exclude_entry() {
2272 let m = manifest_with_aggregate(
2273 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, exclude: [\" \"], render: bar }\n",
2274 );
2275 let err = m.validate().expect_err("blank exclude entry must fail");
2276 assert!(
2277 err.contains("exclude must not contain empty entries"),
2278 "err: {err}"
2279 );
2280 }
2281
2282 #[test]
2283 fn aggregate_rejects_malformed_dotted_paths() {
2284 for bad in [".foo", "foo.", "foo..bar", "."] {
2285 let m = manifest_with_aggregate(&format!(
2286 "aggregate:\n- {{ dashboard: D, title: T, kind: k, agg: count, group_by: \"{bad}\", render: bar }}\n"
2287 ));
2288 let err = m.validate().expect_err("malformed path must fail");
2289 assert!(err.contains("dotted JSON path"), "path {bad}: {err}");
2290 }
2291 }
2292
2293 #[test]
2294 fn aggregate_rejects_unknown_enum_value() {
2295 // An unrecognised render string deserialises to the #492 Unknown
2296 // catch-all (so old readers don't choke); validate() rejects it as
2297 // a typo at create time.
2298 let m = manifest_with_aggregate(
2299 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, render: heatmap }\n",
2300 );
2301 let err = m.validate().expect_err("unknown render must fail");
2302 assert!(err.contains("render is not a known value"), "err: {err}");
2303 }
2304
2305 fn execute_with(
2306 script: Option<&str>,
2307 script_file: Option<&str>,
2308 script_object: Option<&str>,
2309 ) -> Execute {
2310 Execute {
2311 shell: ExecuteShell::Powershell,
2312 script: script.map(str::to_owned),
2313 script_file: script_file.map(str::to_owned),
2314 script_object: script_object.map(str::to_owned),
2315 timeout: "30s".into(),
2316 run_as: RunAs::default(),
2317 cwd: None,
2318 }
2319 }
2320
2321 #[test]
2322 fn validate_accepts_inline_script() {
2323 let e = execute_with(Some("echo hi"), None, None);
2324 assert!(e.validate_script_source().is_ok());
2325 }
2326
2327 #[test]
2328 fn validate_accepts_script_file_alone() {
2329 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
2330 assert!(e.validate_script_source().is_ok());
2331 }
2332
2333 #[test]
2334 fn validate_accepts_script_object_alone() {
2335 let e = execute_with(None, None, Some("cleanup/1.0.0"));
2336 assert!(e.validate_script_source().is_ok());
2337 }
2338
2339 #[test]
2340 fn validate_treats_empty_inline_script_as_unset() {
2341 // `script: ""` + `script_object` set is the natural shape
2342 // when an operator comments out the YAML block-scalar body
2343 // but leaves the key. Should pass.
2344 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
2345 assert!(e.validate_script_source().is_ok());
2346 }
2347
2348 #[test]
2349 fn validate_rejects_zero_sources() {
2350 let e = execute_with(None, None, None);
2351 let err = e.validate_script_source().unwrap_err();
2352 assert!(err.contains("must be set"), "got: {err}");
2353 }
2354
2355 #[test]
2356 fn validate_rejects_empty_inline_only() {
2357 let e = execute_with(Some(""), None, None);
2358 let err = e.validate_script_source().unwrap_err();
2359 assert!(err.contains("must be set"), "got: {err}");
2360 }
2361
2362 #[test]
2363 fn validate_rejects_inline_plus_file() {
2364 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
2365 let err = e.validate_script_source().unwrap_err();
2366 assert!(err.contains("only one of"), "got: {err}");
2367 }
2368
2369 #[test]
2370 fn validate_rejects_inline_plus_object() {
2371 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
2372 let err = e.validate_script_source().unwrap_err();
2373 assert!(err.contains("only one of"), "got: {err}");
2374 }
2375
2376 #[test]
2377 fn validate_rejects_file_plus_object() {
2378 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
2379 let err = e.validate_script_source().unwrap_err();
2380 assert!(err.contains("only one of"), "got: {err}");
2381 }
2382
2383 #[test]
2384 fn validate_rejects_all_three() {
2385 let e = execute_with(
2386 Some("echo hi"),
2387 Some("scripts/cleanup.ps1"),
2388 Some("cleanup/1.0.0"),
2389 );
2390 let err = e.validate_script_source().unwrap_err();
2391 assert!(err.contains("only one of"), "got: {err}");
2392 }
2393
2394 #[test]
2395 fn manifest_deserialises_script_object_yaml() {
2396 // SPEC §2.4.1 example shape with the Object Store
2397 // reference picked over inline.
2398 let yaml = r#"
2399id: cleanup-disk-temp
2400version: 1.0.1
2401execute:
2402 shell: powershell
2403 script_object: cleanup-disk-temp/1.0.1
2404 timeout: 600s
2405"#;
2406 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2407 assert_eq!(
2408 m.execute.script_object.as_deref(),
2409 Some("cleanup-disk-temp/1.0.1")
2410 );
2411 assert!(m.execute.script.is_none());
2412 m.validate()
2413 .expect("script_object-only manifest passes validation");
2414 }
2415
2416 #[test]
2417 fn manifest_rejects_typo_in_script_field_name() {
2418 // #492: the strict create boundary catches `script_objectt`
2419 // and similar fat-fingers (with the full path) instead of
2420 // letting them silently fall through to "all three unset".
2421 let yaml = r#"
2422id: typo
2423version: 1.0.0
2424execute:
2425 shell: powershell
2426 script_objectt: oops
2427 timeout: 30s
2428"#;
2429 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
2430 .expect_err("typo'd execute field must be rejected at the write boundary");
2431 assert!(err.contains("execute.script_objectt"), "{err}");
2432 }
2433
2434 #[test]
2435 fn schedule_carries_target_and_rollout() {
2436 let yaml = r#"
2437id: hourly-cleanup-canary
2438when:
2439 per_pc: { every: 1h }
2440job_id: cleanup
2441enabled: true
2442target:
2443 groups: [canary, wave1]
2444jitter: 30s
2445rollout:
2446 strategy: wave
2447 waves:
2448 - { group: canary, delay: 0s }
2449 - { group: wave1, delay: 5s }
2450"#;
2451 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2452 assert_eq!(s.id, "hourly-cleanup-canary");
2453 assert_eq!(s.job_id, "cleanup");
2454 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
2455 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
2456 let rollout = s.plan.rollout.expect("rollout present");
2457 assert_eq!(rollout.waves.len(), 2);
2458 assert_eq!(rollout.waves[0].group, "canary");
2459 assert_eq!(rollout.waves[1].delay, "5s");
2460 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
2461 }
2462
2463 #[test]
2464 fn schedule_minimal_target_all() {
2465 let yaml = r#"
2466id: kitting
2467when:
2468 per_pc: once
2469enabled: true
2470job_id: scheduled-echo
2471target: { all: true }
2472"#;
2473 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2474 assert_eq!(s.id, "kitting");
2475 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
2476 assert!(s.enabled);
2477 assert_eq!(s.job_id, "scheduled-echo");
2478 assert!(s.plan.target.all);
2479 assert!(s.plan.rollout.is_none());
2480 assert!(s.plan.jitter.is_none());
2481 assert!(s.active.is_empty());
2482 }
2483
2484 #[test]
2485 fn schedule_enabled_defaults_to_true() {
2486 let yaml = r#"
2487id: x
2488when:
2489 per_pc: once
2490job_id: y
2491target: { all: true }
2492"#;
2493 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2494 assert!(s.enabled);
2495 }
2496
2497 #[test]
2498 fn schedule_tags_default_empty_and_skip_serialise() {
2499 let yaml = r#"
2500id: x
2501when:
2502 per_pc: once
2503job_id: y
2504target: { all: true }
2505"#;
2506 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2507 assert!(s.tags.is_empty());
2508 s.validate().expect("tag-less schedule validates");
2509 let json = serde_json::to_string(&s).expect("serialize");
2510 assert!(
2511 !json.contains("tags"),
2512 "empty tags must not serialise: {json}"
2513 );
2514 }
2515
2516 #[test]
2517 fn schedule_parses_and_validates_tags() {
2518 let yaml = r#"
2519id: weekly-cleanup
2520when:
2521 per_pc: { every: 1h }
2522job_id: cleanup
2523target: { all: true }
2524tags: [weekly, maintenance]
2525"#;
2526 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2527 assert_eq!(s.tags, vec!["weekly", "maintenance"]);
2528 s.validate().expect("tagged schedule validates");
2529 }
2530
2531 #[test]
2532 fn schedule_rejects_blank_tag() {
2533 let yaml = r#"
2534id: x
2535when:
2536 per_pc: once
2537job_id: y
2538target: { all: true }
2539tags: [ok, " "]
2540"#;
2541 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2542 let err = s.validate().expect_err("blank tag must fail");
2543 assert!(err.contains("tags must not contain empty"), "err: {err}");
2544 }
2545
2546 // ---- `when` parsing (#418 Phase 1) ----
2547
2548 fn schedule_yaml_with(when_block: &str) -> String {
2549 format!(
2550 r#"
2551id: x
2552when:
2553{when_block}
2554job_id: y
2555target: {{ all: true }}
2556"#
2557 )
2558 }
2559
2560 #[test]
2561 fn when_per_pc_every_parses_unquoted_humantime() {
2562 // `6h` is digit-led but non-numeric → YAML string, same as
2563 // the old `cooldown: 6h` convention. No quotes needed.
2564 let s: Schedule =
2565 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
2566 assert_eq!(
2567 s.when,
2568 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
2569 );
2570 }
2571
2572 #[test]
2573 fn when_per_target_every_parses() {
2574 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
2575 .expect("parse");
2576 assert_eq!(
2577 s.when,
2578 When::PerTarget(PerPolicy::Every(EverySpec {
2579 every: "24h".into()
2580 }))
2581 );
2582 }
2583
2584 #[test]
2585 fn when_per_target_once_parses() {
2586 // Falls out of the shared PerPolicy shape and decide_fire
2587 // already implements it ("any one pc succeeds → skip the
2588 // target forever"), so it is allowed, not rejected.
2589 let s: Schedule =
2590 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
2591 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
2592 }
2593
2594 #[test]
2595 fn when_calendar_time_parses() {
2596 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
2597 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
2598 ))
2599 .expect("parse");
2600 match &s.when {
2601 When::Calendar(c) => {
2602 assert_eq!(c.at, "09:00");
2603 assert_eq!(c.days, vec!["mon-fri"]);
2604 }
2605 other => panic!("expected calendar, got {other:?}"),
2606 }
2607 }
2608
2609 #[test]
2610 fn when_calendar_days_default_empty() {
2611 let s: Schedule =
2612 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
2613 .expect("parse");
2614 match &s.when {
2615 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
2616 other => panic!("expected calendar, got {other:?}"),
2617 }
2618 }
2619
2620 #[test]
2621 fn when_calendar_datetime_parses_all_separators() {
2622 // one-shot: date+time in hyphen / ISO-T / slash forms
2623 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
2624 let block = format!(" calendar:\n at: \"{at}\"");
2625 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
2626 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
2627 match &s.when {
2628 When::Calendar(c) => {
2629 use chrono::Datelike;
2630 let p = c.parse_at().expect("parse_at");
2631 let d = p.date.expect("datetime at carries a date");
2632 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
2633 }
2634 other => panic!("expected calendar, got {other:?}"),
2635 }
2636 }
2637 }
2638
2639 #[test]
2640 fn when_rejects_bad_once_keyword() {
2641 // `onec` must be a parse error, not a silently-absorbed
2642 // string (OnceLiteral is a single-variant enum for exactly
2643 // this reason).
2644 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
2645 assert!(r.is_err(), "expected parse error, got {r:?}");
2646 }
2647
2648 #[test]
2649 fn when_rejects_unknown_key_in_every() {
2650 // `{ evry: 6h }` still fails on the tolerant read path: the
2651 // required `every` key is missing, so no PerPolicy variant
2652 // matches (#492 removed deny_unknown_fields, but required
2653 // keys keep the untagged disambiguation honest).
2654 let r: Result<Schedule, _> =
2655 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
2656 assert!(r.is_err(), "expected parse error, got {r:?}");
2657 }
2658
2659 #[test]
2660 fn when_rejects_unknown_variant() {
2661 let r: Result<Schedule, _> =
2662 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
2663 assert!(r.is_err(), "expected parse error, got {r:?}");
2664 }
2665
2666 #[test]
2667 fn when_rejects_old_top_level_cron_field() {
2668 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
2669 // loudly (missing `when`), which is what turns stale KV
2670 // blobs into warn-skips after the upgrade.
2671 let yaml = r#"
2672id: x
2673cron: "* * * * * *"
2674job_id: y
2675target: { all: true }
2676"#;
2677 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
2678 assert!(r.is_err(), "expected parse error, got {r:?}");
2679 }
2680
2681 #[test]
2682 fn when_rejects_retired_cron_escape_hatch() {
2683 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
2684 // is now an unknown variant → parse error (operators use the
2685 // calendar form instead).
2686 let r: Result<Schedule, _> =
2687 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
2688 assert!(
2689 r.is_err(),
2690 "expected parse error for retired cron, got {r:?}"
2691 );
2692 }
2693
2694 #[test]
2695 fn when_round_trips_json_and_yaml() {
2696 // Round-trip through the full Schedule: that is the wire
2697 // unit for both stores (JSON catalog KV + YAML mirror), and
2698 // it exercises the singleton_map field attribute that keeps
2699 // serde_yaml on the map shape instead of `!per_pc` tags.
2700 for when in [
2701 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2702 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2703 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2704 When::PerTarget(PerPolicy::Every(EverySpec {
2705 every: "24h".into(),
2706 })),
2707 calendar("09:00", &["mon-fri"]),
2708 calendar("2026-06-10 09:00", &[]),
2709 When::On(vec![OnTrigger::Startup]),
2710 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
2711 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
2712 When::On(vec![OnTrigger::NetworkChange]),
2713 ] {
2714 // Event triggers are agent-only; the rest validate on backend.
2715 let runs_on = if matches!(when, When::On(_)) {
2716 RunsOn::Agent
2717 } else {
2718 RunsOn::Backend
2719 };
2720 let s = schedule_with(when.clone(), runs_on);
2721
2722 let json = serde_json::to_string(&s).expect("json serialise");
2723 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
2724 assert_eq!(back.when, when, "json round-trip for {when}");
2725
2726 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
2727 assert!(
2728 !yaml.contains('!'),
2729 "yaml must use the map shape, not tags: {yaml}"
2730 );
2731 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
2732 assert_eq!(back.when, when, "yaml round-trip for {when}");
2733 }
2734 }
2735
2736 #[test]
2737 fn when_once_serialises_as_bare_keyword() {
2738 // The wire shape operators see in the YAML mirror must stay
2739 // the ergonomic `per_pc: once`, not a one-variant map.
2740 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
2741 .expect("serialise");
2742 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
2743 }
2744
2745 #[test]
2746 fn when_displays_operator_summary() {
2747 for (when, expected) in [
2748 (
2749 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2750 "per_pc once",
2751 ),
2752 (
2753 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2754 "per_pc every 6h",
2755 ),
2756 (
2757 When::PerTarget(PerPolicy::Every(EverySpec {
2758 every: "24h".into(),
2759 })),
2760 "per_target every 24h",
2761 ),
2762 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
2763 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
2764 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
2765 (
2766 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
2767 "on [startup,logon]",
2768 ),
2769 (
2770 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
2771 "on [lock,unlock]",
2772 ),
2773 (
2774 When::On(vec![OnTrigger::NetworkChange]),
2775 "on [network_change]",
2776 ),
2777 ] {
2778 assert_eq!(when.to_string(), expected);
2779 }
2780 }
2781
2782 // ---- lowering (#418: when → engine vocabulary) ----
2783
2784 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
2785 Schedule {
2786 id: "x".into(),
2787 when,
2788 job_id: "y".into(),
2789 plan: FanoutPlan::default(),
2790 active: Active::default(),
2791 constraints: Constraints::default(),
2792 on_failure: OnFailure::default(),
2793 tz: ScheduleTz::default(),
2794 starting_deadline: None,
2795 runs_on,
2796 enabled: true,
2797 tags: Vec::new(),
2798 origin: None,
2799 }
2800 }
2801
2802 fn calendar(at: &str, days: &[&str]) -> When {
2803 When::Calendar(CalendarSpec {
2804 at: at.into(),
2805 days: days.iter().map(|d| (*d).to_string()).collect(),
2806 })
2807 }
2808
2809 #[test]
2810 fn next_calendar_fire_returns_next_utc_occurrence() {
2811 use chrono::TimeZone;
2812 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
2813 // next strict occurrence is 09:00 that day.
2814 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2815 s.tz = ScheduleTz::Utc;
2816 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
2817 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
2818 assert_eq!(
2819 next,
2820 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
2821 );
2822 }
2823
2824 #[test]
2825 fn next_calendar_fire_is_strictly_after_now() {
2826 use chrono::TimeZone;
2827 // Standing exactly on a fire instant must preview the *next*
2828 // one (inclusive = false), not the one firing right now.
2829 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
2830 s.tz = ScheduleTz::Utc;
2831 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
2832 let next = s
2833 .next_calendar_fire(on_fire)
2834 .expect("calendar has a next fire");
2835 assert_eq!(
2836 next,
2837 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
2838 );
2839 }
2840
2841 #[test]
2842 fn next_calendar_fire_none_for_reconcile_shapes() {
2843 // `per_pc` / `per_target` lower to the every-minute poll cron —
2844 // no discrete upcoming event to preview, so `None`.
2845 let now = chrono::Utc::now();
2846 for when in [
2847 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2848 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2849 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2850 When::PerTarget(PerPolicy::Every(EverySpec {
2851 every: "24h".into(),
2852 })),
2853 ] {
2854 let s = schedule_with(when, RunsOn::Backend);
2855 assert!(
2856 s.next_calendar_fire(now).is_none(),
2857 "reconcile shapes have no calendar fire",
2858 );
2859 }
2860 }
2861
2862 // ---- preview_fires (#418 dry-run / preview) ----
2863
2864 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
2865 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
2866 s.tz = ScheduleTz::Utc; // host-independent assertions
2867 s
2868 }
2869
2870 #[test]
2871 fn preview_lists_next_calendar_occurrences() {
2872 use chrono::TimeZone;
2873 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
2874 // fires skip the weekend (Sat 13 / Sun 14).
2875 let s = cal_utc("09:00", &["mon-fri"]);
2876 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2877 let got = s.preview_fires(now, 5);
2878 let want: Vec<_> = [
2879 (2026, 6, 10), // Wed
2880 (2026, 6, 11), // Thu
2881 (2026, 6, 12), // Fri
2882 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
2883 (2026, 6, 16), // Tue
2884 ]
2885 .iter()
2886 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
2887 .collect();
2888 assert_eq!(got, want);
2889 }
2890
2891 #[test]
2892 fn preview_handles_nth_and_last_weekday() {
2893 use chrono::TimeZone;
2894 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
2895 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
2896 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
2897 assert_eq!(
2898 nth,
2899 vec![
2900 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
2901 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
2902 ]
2903 );
2904 // Last Friday of the month: Jun 26, Jul 31 2026.
2905 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
2906 assert_eq!(
2907 last,
2908 vec![
2909 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
2910 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
2911 ]
2912 );
2913 }
2914
2915 #[test]
2916 fn preview_is_empty_for_reconcile_and_zero_count() {
2917 let now = chrono::Utc::now();
2918 // reconcile shapes have no discrete fire times
2919 let recon = schedule_with(
2920 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2921 RunsOn::Backend,
2922 );
2923 assert!(recon.preview_fires(now, 5).is_empty());
2924 // count == 0 yields nothing even for a calendar
2925 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
2926 }
2927
2928 #[test]
2929 fn preview_skips_outside_active_window() {
2930 use chrono::TimeZone;
2931 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
2932 // before `from` are skipped; `until` is exclusive, so 06-17's
2933 // fire is out — leaving exactly the 15th and 16th.
2934 let mut s = cal_utc("09:00", &[]);
2935 s.active = Active {
2936 from: Some("2026-06-15".into()),
2937 until: Some("2026-06-17".into()),
2938 };
2939 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2940 let got = s.preview_fires(now, 5);
2941 assert_eq!(
2942 got,
2943 vec![
2944 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
2945 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
2946 ]
2947 );
2948 }
2949
2950 #[test]
2951 fn preview_empty_when_calendar_time_outside_window() {
2952 use chrono::TimeZone;
2953 // Fires at 09:00 but the maintenance window is overnight — it can
2954 // never run, so the preview is empty (matches
2955 // `calendar_outside_window`), and the scan still terminates.
2956 let mut s = cal_utc("09:00", &[]);
2957 s.constraints = Constraints {
2958 window: Some("22:00-05:00".into()),
2959 ..Constraints::default()
2960 };
2961 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
2962 assert!(s.preview_fires(now, 5).is_empty());
2963 // Every candidate tick is rejected, so this also exercises the
2964 // SCAN_CAP bound: a large `count` must still terminate (and
2965 // return empty) rather than spin (claude #578 review).
2966 assert!(s.preview_fires(now, 50).is_empty());
2967 }
2968
2969 #[test]
2970 fn preview_past_one_shot_is_empty() {
2971 use chrono::TimeZone;
2972 // A dated one-shot whose instant has passed never fires again.
2973 let s = cal_utc("2026-06-10 09:00", &[]);
2974 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
2975 assert!(s.preview_fires(now, 5).is_empty());
2976 // …but from before it, the single future fire shows up.
2977 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
2978 assert_eq!(
2979 s.preview_fires(before, 5),
2980 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
2981 );
2982 }
2983
2984 #[test]
2985 fn lowering_matches_the_418_table() {
2986 let cases = [
2987 (
2988 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
2989 (POLL_CRON, ExecMode::OncePerPc, None),
2990 ),
2991 (
2992 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
2993 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
2994 ),
2995 (
2996 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
2997 (POLL_CRON, ExecMode::OncePerTarget, None),
2998 ),
2999 (
3000 When::PerTarget(PerPolicy::Every(EverySpec {
3001 every: "24h".into(),
3002 })),
3003 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
3004 ),
3005 // calendar repeating → 6-field cron
3006 (
3007 calendar("09:00", &["mon-fri"]),
3008 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
3009 ),
3010 // calendar daily (no days) → DOW *
3011 (
3012 calendar("18:30", &[]),
3013 ("0 30 18 * * *", ExecMode::EveryTick, None),
3014 ),
3015 // calendar one-shot → 7-field year cron
3016 (
3017 calendar("2026-06-10 09:00", &[]),
3018 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
3019 ),
3020 ];
3021 for (when, (cron, mode, cooldown)) in cases {
3022 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
3023 assert_eq!(l.cron, cron, "cron for {when}");
3024 assert_eq!(l.mode, mode, "mode for {when}");
3025 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
3026 }
3027 }
3028
3029 #[test]
3030 fn lowered_carries_schedule_tz() {
3031 for (tz, want) in [
3032 (ScheduleTz::Local, ScheduleTz::Local),
3033 (ScheduleTz::Utc, ScheduleTz::Utc),
3034 ] {
3035 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
3036 s.tz = tz;
3037 assert_eq!(s.lowered().tz, want, "calendar carries tz");
3038 // reconcile shapes carry tz too (for the active-window check)
3039 let mut s = schedule_with(
3040 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3041 RunsOn::Backend,
3042 );
3043 s.tz = tz;
3044 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
3045 }
3046 }
3047
3048 #[test]
3049 fn poll_cron_is_accepted_by_the_engine_parser() {
3050 // POLL_CRON is system-generated — if the engine's parser
3051 // ever rejected it every reconcile schedule would die at
3052 // register time. Validate it with the same croner config
3053 // (Seconds::Required, dom_and_dow, year optional).
3054 croner::parser::CronParser::builder()
3055 .seconds(croner::parser::Seconds::Required)
3056 .dom_and_dow(true)
3057 .build()
3058 .parse(POLL_CRON)
3059 .expect("POLL_CRON must parse");
3060 }
3061
3062 // ---- Schedule::validate() (#418 decision F) ----
3063
3064 #[test]
3065 fn validate_accepts_reconcile_shapes() {
3066 for when in [
3067 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3068 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3069 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3070 When::PerTarget(PerPolicy::Every(EverySpec {
3071 every: "24h".into(),
3072 })),
3073 ] {
3074 schedule_with(when.clone(), RunsOn::Backend)
3075 .validate()
3076 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
3077 }
3078 }
3079
3080 #[test]
3081 fn validate_accepts_per_pc_on_agent() {
3082 schedule_with(
3083 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
3084 RunsOn::Agent,
3085 )
3086 .validate()
3087 .expect("per_pc + agent is the offline-inventory shape");
3088 }
3089
3090 // ---- #418 event triggers (when: { on }) ----
3091
3092 #[test]
3093 fn validate_accepts_event_on_agent() {
3094 for triggers in [
3095 vec![OnTrigger::Startup],
3096 vec![OnTrigger::Logon],
3097 vec![OnTrigger::Lock],
3098 vec![OnTrigger::Unlock],
3099 vec![OnTrigger::NetworkChange],
3100 vec![
3101 OnTrigger::Startup,
3102 OnTrigger::Logon,
3103 OnTrigger::Lock,
3104 OnTrigger::Unlock,
3105 OnTrigger::NetworkChange,
3106 ],
3107 ] {
3108 schedule_with(When::On(triggers), RunsOn::Agent)
3109 .validate()
3110 .expect("when.on is valid on runs_on: agent");
3111 }
3112 }
3113
3114 #[test]
3115 fn validate_rejects_event_on_backend() {
3116 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
3117 .validate()
3118 .unwrap_err();
3119 assert!(err.contains("when.on"), "got: {err}");
3120 assert!(err.contains("runs_on: agent"), "got: {err}");
3121 }
3122
3123 #[test]
3124 fn validate_rejects_empty_event_list() {
3125 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
3126 .validate()
3127 .unwrap_err();
3128 assert!(err.contains("when.on"), "got: {err}");
3129 assert!(err.contains("at least one"), "got: {err}");
3130 }
3131
3132 #[test]
3133 fn event_schedule_lowers_to_event_mode_and_is_event() {
3134 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
3135 assert!(s.is_event());
3136 assert_eq!(s.lowered().mode, ExecMode::Event);
3137 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
3138 // non-event schedules report no triggers.
3139 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3140 assert!(!cal.is_event());
3141 assert!(cal.event_triggers().is_empty());
3142 }
3143
3144 // ---- #418 constraints.require (env gates) ----
3145
3146 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
3147 let mut s = schedule_with(
3148 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
3149 runs_on,
3150 );
3151 s.constraints.require = Some(req);
3152 s
3153 }
3154
3155 #[test]
3156 fn require_met_combinations() {
3157 use std::time::Duration;
3158 let idle = |m: u64| Some(Duration::from_secs(m * 60));
3159 // Builder for the sensed state: (ac, idle, cpu, network).
3160 let env = |ac, idle, cpu, net| EnvState {
3161 ac_online: ac,
3162 idle,
3163 cpu_pct: cpu,
3164 network_up: net,
3165 };
3166 // Empty require — always met regardless of sensed state.
3167 assert!(require_met(
3168 &Require::default(),
3169 &env(false, None, None, false)
3170 ));
3171 // ac_power: only on AC.
3172 let ac = Require {
3173 ac_power: true,
3174 ..Default::default()
3175 };
3176 assert!(!require_met(&ac, &env(false, None, None, true)));
3177 assert!(require_met(&ac, &env(true, None, None, false)));
3178 // idle: needs >= the configured min; None idle never satisfies.
3179 let idle10 = Require {
3180 idle: Some("10m".into()),
3181 ..Default::default()
3182 };
3183 assert!(!require_met(&idle10, &env(true, None, None, true)));
3184 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
3185 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
3186 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
3187 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
3188 let cpu20 = Require {
3189 cpu_below: Some(20.0),
3190 ..Default::default()
3191 };
3192 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
3193 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
3194 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
3195 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
3196 // network: only when online.
3197 let net = Require {
3198 network: true,
3199 ..Default::default()
3200 };
3201 assert!(!require_met(&net, &env(true, None, None, false))); // offline
3202 assert!(require_met(&net, &env(true, None, None, true))); // online
3203 // all four: AND.
3204 let all = Require {
3205 ac_power: true,
3206 idle: Some("10m".into()),
3207 cpu_below: Some(20.0),
3208 network: true,
3209 };
3210 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
3211 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
3212 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
3213 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
3214 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
3215 // An unparseable idle is treated as no-requirement by require_met
3216 // (validate rejects it at create time, so this only guards a
3217 // hand-edited blob): ac still gates.
3218 let bad = Require {
3219 ac_power: true,
3220 idle: Some("garbage".into()),
3221 ..Default::default()
3222 };
3223 assert!(require_met(&bad, &env(true, None, None, true)));
3224 assert!(!require_met(&bad, &env(false, None, None, true)));
3225 }
3226
3227 #[test]
3228 fn validate_accepts_and_rejects_cpu_below() {
3229 // In-range accepted.
3230 require_schedule(
3231 Require {
3232 cpu_below: Some(20.0),
3233 ..Default::default()
3234 },
3235 RunsOn::Agent,
3236 )
3237 .validate()
3238 .expect("cpu_below 20 is valid");
3239 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
3240 // 100%). Pins the inclusive upper bound against a future c < 100.0.
3241 require_schedule(
3242 Require {
3243 cpu_below: Some(100.0),
3244 ..Default::default()
3245 },
3246 RunsOn::Agent,
3247 )
3248 .validate()
3249 .expect("cpu_below 100 is valid");
3250 // Out of range rejected (0 and >100).
3251 for bad in [0.0, -5.0, 100.1] {
3252 let err = require_schedule(
3253 Require {
3254 cpu_below: Some(bad),
3255 ..Default::default()
3256 },
3257 RunsOn::Agent,
3258 )
3259 .validate()
3260 .unwrap_err();
3261 assert!(
3262 err.contains("constraints.require.cpu_below"),
3263 "cpu_below {bad}: {err}"
3264 );
3265 }
3266 }
3267
3268 #[test]
3269 fn validate_accepts_require_on_agent() {
3270 require_schedule(
3271 Require {
3272 ac_power: true,
3273 idle: Some("10m".into()),
3274 cpu_below: Some(20.0),
3275 network: true,
3276 },
3277 RunsOn::Agent,
3278 )
3279 .validate()
3280 .expect("constraints.require is valid on runs_on: agent");
3281 }
3282
3283 #[test]
3284 fn validate_rejects_require_on_backend() {
3285 let err = require_schedule(
3286 Require {
3287 ac_power: true,
3288 ..Default::default()
3289 },
3290 RunsOn::Backend,
3291 )
3292 .validate()
3293 .unwrap_err();
3294 assert!(err.contains("constraints.require"), "got: {err}");
3295 assert!(err.contains("runs_on: agent"), "got: {err}");
3296
3297 // An idle-only require (ac_power: false) is also non-empty
3298 // (is_empty folds the fields) and must reject on backend too —
3299 // guards against a regression in Require::is_empty.
3300 let err = require_schedule(
3301 Require {
3302 idle: Some("10m".into()),
3303 ..Default::default()
3304 },
3305 RunsOn::Backend,
3306 )
3307 .validate()
3308 .unwrap_err();
3309 assert!(
3310 err.contains("constraints.require"),
3311 "idle-only on backend: {err}"
3312 );
3313 }
3314
3315 #[test]
3316 fn validate_rejects_bad_require_idle() {
3317 let err = require_schedule(
3318 Require {
3319 idle: Some("not-a-duration".into()),
3320 ..Default::default()
3321 },
3322 RunsOn::Agent,
3323 )
3324 .validate()
3325 .unwrap_err();
3326 assert!(err.contains("constraints.require.idle"), "got: {err}");
3327 }
3328
3329 #[test]
3330 fn require_round_trips_and_skips_empty() {
3331 // ac_power: false is skipped; an all-default require nested in
3332 // constraints is omitted (is_empty folds it in).
3333 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
3334 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
3335 network: true } }\n";
3336 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3337 let req = s.constraints.require.as_ref().expect("require present");
3338 assert!(req.ac_power);
3339 assert_eq!(req.idle.as_deref(), Some("10m"));
3340 assert_eq!(req.cpu_below, Some(20.0));
3341 assert!(req.network);
3342 // Re-serialize: idle + cpu_below + network present, ac_power true.
3343 let back = serde_json::to_string(&s.constraints).unwrap();
3344 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
3345 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
3346 assert!(back.contains("\"network\":true"), "got: {back}");
3347 // An empty require is omitted entirely by is_empty.
3348 let mut empty = s.clone();
3349 empty.constraints.require = Some(Require::default());
3350 assert!(empty.constraints.is_empty());
3351 }
3352
3353 #[test]
3354 fn validate_rejects_per_target_on_agent() {
3355 let err = schedule_with(
3356 When::PerTarget(PerPolicy::Every(EverySpec {
3357 every: "24h".into(),
3358 })),
3359 RunsOn::Agent,
3360 )
3361 .validate()
3362 .unwrap_err();
3363 assert!(err.contains("per_target"), "got: {err}");
3364 assert!(err.contains("runs_on: agent"), "got: {err}");
3365
3366 // per_target: once is also backend-only.
3367 let err = schedule_with(
3368 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3369 RunsOn::Agent,
3370 )
3371 .validate()
3372 .unwrap_err();
3373 assert!(err.contains("per_target"), "got (once): {err}");
3374 assert!(err.contains("runs_on: agent"), "got (once): {err}");
3375 }
3376
3377 #[test]
3378 fn validate_rejects_bad_every_duration() {
3379 let err = schedule_with(
3380 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
3381 RunsOn::Backend,
3382 )
3383 .validate()
3384 .unwrap_err();
3385 assert!(err.contains("when.every"), "got: {err}");
3386 }
3387
3388 #[test]
3389 fn validate_rejects_bad_jitter_and_starting_deadline() {
3390 let mut s = schedule_with(
3391 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3392 RunsOn::Backend,
3393 );
3394 s.plan.jitter = Some("5x".into());
3395 let err = s.validate().unwrap_err();
3396 assert!(err.contains("jitter"), "got: {err}");
3397
3398 let mut s = schedule_with(
3399 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3400 RunsOn::Backend,
3401 );
3402 s.starting_deadline = Some("soon".into());
3403 let err = s.validate().unwrap_err();
3404 assert!(err.contains("starting_deadline"), "got: {err}");
3405 }
3406
3407 #[test]
3408 fn validate_accepts_calendar_shapes() {
3409 for when in [
3410 calendar("09:00", &["mon-fri"]), // weekday morning
3411 calendar("00:00", &["sun"]), // weekly
3412 calendar("18:30", &[]), // daily
3413 calendar("2026-06-10 09:00", &[]), // one-shot
3414 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
3415 ] {
3416 schedule_with(when.clone(), RunsOn::Backend)
3417 .validate()
3418 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
3419 }
3420 }
3421
3422 #[test]
3423 fn validate_rejects_bad_at() {
3424 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
3425 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
3426 .validate()
3427 .unwrap_err();
3428 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
3429 }
3430 }
3431
3432 #[test]
3433 fn validate_rejects_datetime_at_with_days() {
3434 // A dated `at` is a one-shot — pairing it with days is a
3435 // contradiction (the date already pins the day).
3436 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
3437 .validate()
3438 .unwrap_err();
3439 assert!(
3440 err.contains("one-shot") && err.contains("days"),
3441 "got: {err}"
3442 );
3443 }
3444
3445 #[test]
3446 fn validate_rejects_bad_day_name() {
3447 // A garbage DOW token is caught by the days pre-flight and
3448 // reported against `when.days`, not the confusing
3449 // "when.at lowered to invalid cron" (claude #432 review).
3450 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
3451 .validate()
3452 .unwrap_err();
3453 assert!(err.contains("when.days"), "got: {err}");
3454 assert!(err.contains("funday"), "names the bad token: {err}");
3455 // a degenerate range like `mon-` reports the whole token, not
3456 // a cryptic empty part (claude #432 follow-up)
3457 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
3458 .validate()
3459 .unwrap_err();
3460 assert!(err.contains("'mon-'"), "names the whole token: {err}");
3461 // valid names / ranges / numeric / * all pass
3462 for ok in [
3463 calendar("09:00", &["mon-fri"]),
3464 calendar("09:00", &["mon", "wed", "sun"]),
3465 calendar("09:00", &["1-5"]),
3466 ] {
3467 schedule_with(ok.clone(), RunsOn::Backend)
3468 .validate()
3469 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
3470 }
3471 }
3472
3473 #[test]
3474 fn validate_accepts_nth_weekday() {
3475 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
3476 // a cron and parses it with croner, so passing here proves the
3477 // whole chain — token → DOW field → engine-acceptable cron.
3478 for ok in [
3479 calendar("09:00", &["tue#2"]), // 2nd Tuesday
3480 calendar("09:00", &["fri#1"]), // 1st Friday
3481 calendar("03:00", &["sun#5"]), // 5th Sunday
3482 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
3483 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
3484 // Case-insensitive both sides: validate lowercases, croner
3485 // upper-cases the whole pattern before aliasing (claude #547).
3486 calendar("09:00", &["TUE#2"]),
3487 ] {
3488 schedule_with(ok.clone(), RunsOn::Backend)
3489 .validate()
3490 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
3491 }
3492 }
3493
3494 #[test]
3495 fn validate_rejects_bad_nth_weekday() {
3496 // ordinal out of 1..5, a range with #, and a bad day before #.
3497 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
3498 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
3499 .validate()
3500 .unwrap_err();
3501 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
3502 }
3503 }
3504
3505 #[test]
3506 fn validate_accepts_last_weekday() {
3507 // #418: last-weekday (`friL` = last Friday). Like the nth case,
3508 // validate() lowers to a cron and round-trips it through croner,
3509 // so passing proves token → DOW field → engine-acceptable cron
3510 // with the verified last-<dow>-of-month semantics.
3511 for ok in [
3512 calendar("09:00", &["friL"]), // last Friday
3513 calendar("03:00", &["sunL"]), // last Sunday
3514 calendar("22:00", &["5L"]), // numeric DOW + last
3515 calendar("00:00", &["0L"]), // numeric Sunday (0…
3516 calendar("00:00", &["7L"]), // …and its 7 alias)
3517 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
3518 // Case-insensitive both the weekday and the `L` suffix:
3519 // validate lowercases the day, croner upper-cases the whole
3520 // pattern before aliasing (claude #547).
3521 calendar("09:00", &["FRIL"]),
3522 calendar("09:00", &["fril"]),
3523 ] {
3524 schedule_with(ok.clone(), RunsOn::Backend)
3525 .validate()
3526 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
3527 }
3528 }
3529
3530 #[test]
3531 fn validate_rejects_bad_last_weekday() {
3532 // bare `L` (no weekday — a footgun croner reads as Saturday), a
3533 // range with L, a bad day before L, and an internal space that
3534 // would otherwise leak a malformed cron downstream (gemini #560).
3535 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
3536 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
3537 .validate()
3538 .unwrap_err();
3539 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
3540 }
3541 }
3542
3543 #[test]
3544 fn calendar_oneshot_instant_detects_past() {
3545 use chrono::TimeZone;
3546 // a dated `at` resolves to an absolute instant…
3547 let c = CalendarSpec {
3548 at: "2024-01-01 09:00".into(),
3549 days: vec![],
3550 };
3551 let t = c
3552 .oneshot_instant(ScheduleTz::Utc)
3553 .expect("one-shot instant");
3554 assert_eq!(
3555 t,
3556 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
3557 );
3558 assert!(t < chrono::Utc::now(), "2024 is in the past");
3559 // …while a repeating (time-only) calendar has no instant
3560 let rep = CalendarSpec {
3561 at: "09:00".into(),
3562 days: vec!["mon-fri".into()],
3563 };
3564 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
3565 }
3566
3567 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
3568 let mut s = schedule_with(
3569 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3570 RunsOn::Backend,
3571 );
3572 s.active = Active {
3573 from: from.map(str::to_owned),
3574 until: until.map(str::to_owned),
3575 };
3576 s
3577 }
3578
3579 #[test]
3580 fn validate_accepts_active_window() {
3581 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
3582 .validate()
3583 .expect("date + rfc3339 bounds should validate");
3584 }
3585
3586 #[test]
3587 fn validate_rejects_unparseable_active_bound() {
3588 let err = schedule_with_active(Some("July 1st"), None)
3589 .validate()
3590 .unwrap_err();
3591 assert!(err.contains("active"), "got: {err}");
3592 }
3593
3594 #[test]
3595 fn validate_rejects_from_not_before_until() {
3596 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
3597 .validate()
3598 .unwrap_err();
3599 assert!(err.contains("strictly before"), "got: {err}");
3600
3601 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
3602 .validate()
3603 .unwrap_err();
3604 assert!(err.contains("strictly before"), "got: {err}");
3605 }
3606
3607 // ---- Active window semantics ----
3608
3609 #[test]
3610 fn active_window_is_half_open() {
3611 use chrono::TimeZone;
3612 let active = Active {
3613 from: Some("2026-07-01".into()),
3614 until: Some("2026-08-01".into()),
3615 };
3616 // UTC tz so the date bounds are UTC midnight.
3617 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
3618 let c = |t| active.contains(t, ScheduleTz::Utc);
3619 assert!(!c(at(2026, 6, 30, 23)), "before from");
3620 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
3621 assert!(c(at(2026, 7, 15, 12)), "inside");
3622 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
3623 assert!(!c(at(2026, 8, 2, 0)), "after until");
3624 }
3625
3626 #[test]
3627 fn active_empty_window_is_always_active() {
3628 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
3629 }
3630
3631 #[test]
3632 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
3633 use chrono::TimeZone;
3634 let active = Active {
3635 from: Some("2026-07-01T09:00:00+09:00".into()),
3636 until: None,
3637 };
3638 // RFC3339 carries its own offset → tz arg is ignored.
3639 // 09:00 JST = 00:00 UTC.
3640 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
3641 assert!(
3642 !active.contains(
3643 chrono::Utc
3644 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
3645 .unwrap(),
3646 tz
3647 )
3648 );
3649 assert!(active.contains(
3650 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
3651 tz
3652 ));
3653 }
3654 }
3655
3656 #[test]
3657 fn active_date_bound_respects_tz() {
3658 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
3659 // tz* (#418 Phase 2). The UTC interpretation is exact and
3660 // host-independent; assert that precisely.
3661 use chrono::TimeZone;
3662 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
3663 assert_eq!(
3664 utc,
3665 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
3666 );
3667
3668 // The local interpretation must equal what chrono::Local
3669 // computes for the same wall-clock midnight — proves the tz
3670 // path is wired to the host zone (the magnitude vs UTC is
3671 // host-dependent, so we compare against Local directly rather
3672 // than hard-coding the JST offset, keeping CI green on UTC
3673 // runners).
3674 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
3675 let want = chrono::Local
3676 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
3677 .single()
3678 .expect("local midnight is unambiguous")
3679 .with_timezone(&chrono::Utc);
3680 assert_eq!(local, want, "date bound resolved in host-local tz");
3681 }
3682
3683 #[test]
3684 fn active_empty_is_skipped_when_serialising() {
3685 let s = schedule_with(
3686 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3687 RunsOn::Backend,
3688 );
3689 let json = serde_json::to_value(&s).expect("serialise");
3690 assert!(
3691 json.get("active").is_none(),
3692 "empty active must not appear on the wire: {json}"
3693 );
3694 }
3695
3696 // ---- constraints.window (#418 Phase 3) ----
3697
3698 fn with_window(win: &str) -> Schedule {
3699 let mut s = schedule_with(
3700 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3701 RunsOn::Backend,
3702 );
3703 s.constraints.window = Some(win.into());
3704 s
3705 }
3706
3707 #[test]
3708 fn constraints_window_parses_and_round_trips() {
3709 let yaml = r#"
3710id: x
3711when:
3712 per_pc: { every: 6h }
3713job_id: y
3714target: { all: true }
3715constraints:
3716 window: "22:00-05:00"
3717"#;
3718 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3719 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
3720 let back: Schedule =
3721 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
3722 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
3723 }
3724
3725 #[test]
3726 fn constraints_empty_is_skipped_when_serialising() {
3727 let s = schedule_with(
3728 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3729 RunsOn::Backend,
3730 );
3731 let json = serde_json::to_value(&s).expect("serialise");
3732 assert!(
3733 json.get("constraints").is_none(),
3734 "empty constraints must not appear on the wire: {json}"
3735 );
3736 }
3737
3738 #[test]
3739 fn window_no_constraint_always_allows() {
3740 let c = Constraints::default();
3741 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
3742 }
3743
3744 #[test]
3745 fn window_same_day_is_half_open() {
3746 use chrono::TimeZone;
3747 let s = with_window("09:00-17:00");
3748 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
3749 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
3750 assert!(!a(at(8, 59)), "before start");
3751 assert!(a(at(9, 0)), "at start (inclusive)");
3752 assert!(a(at(16, 59)), "inside");
3753 assert!(!a(at(17, 0)), "at end (exclusive)");
3754 assert!(!a(at(23, 0)), "after end");
3755 }
3756
3757 #[test]
3758 fn window_crossing_midnight() {
3759 use chrono::TimeZone;
3760 let s = with_window("22:00-05:00");
3761 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
3762 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
3763 assert!(a(at(22, 0)), "at start tonight");
3764 assert!(a(at(23, 30)), "late tonight");
3765 assert!(a(at(3, 0)), "early tomorrow");
3766 assert!(!a(at(5, 0)), "at end (exclusive)");
3767 assert!(!a(at(12, 0)), "midday outside");
3768 assert!(!a(at(21, 59)), "just before start");
3769 }
3770
3771 #[test]
3772 fn window_respects_tz() {
3773 // The same instant is inside the window under one tz and may
3774 // be outside under another. Compare UTC vs Local via the
3775 // host's own offset (kept CI-green on UTC runners like the
3776 // active tz test does).
3777 use chrono::TimeZone;
3778 let s = with_window("09:00-17:00");
3779 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
3780 // Under UTC, 12:00 is inside 09:00-17:00.
3781 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
3782 // Under Local, the verdict tracks the host wall-clock time;
3783 // assert it matches a direct wall_time membership check.
3784 let local_t = noon_utc.with_timezone(&chrono::Local).time();
3785 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
3786 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
3787 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
3788 }
3789
3790 #[test]
3791 fn validate_accepts_good_window() {
3792 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
3793 with_window(w)
3794 .validate()
3795 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
3796 }
3797 }
3798
3799 #[test]
3800 fn validate_rejects_bad_window() {
3801 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
3802 let err = with_window(bad).validate().unwrap_err();
3803 assert!(
3804 err.contains("constraints.window"),
3805 "for '{bad}', got: {err}"
3806 );
3807 }
3808 }
3809
3810 // ---- constraints.skip_dates (#418 holiday exclusion) ----
3811
3812 fn with_skip_dates(dates: &[&str]) -> Schedule {
3813 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3814 s.tz = ScheduleTz::Utc; // host-independent date assertions
3815 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
3816 s
3817 }
3818
3819 #[test]
3820 fn allows_blocks_listed_skip_date() {
3821 use chrono::TimeZone;
3822 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
3823 // Any time on a listed date is blocked (whole day).
3824 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
3825 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
3826 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
3827 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
3828 // A date not in the list fires normally.
3829 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
3830 assert!(s.constraints.allows(off, ScheduleTz::Utc));
3831 }
3832
3833 #[test]
3834 fn allows_corrupt_skip_date_fails_closed() {
3835 use chrono::TimeZone;
3836 // A garbled entry (only reachable via hand-edited KV) blocks
3837 // rather than silently re-enabling fires — same posture as a
3838 // corrupt window.
3839 let s = with_skip_dates(&["not-a-date"]);
3840 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
3841 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
3842 }
3843
3844 #[test]
3845 fn validate_accepts_good_skip_dates() {
3846 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
3847 .validate()
3848 .expect("well-formed skip dates should validate");
3849 }
3850
3851 #[test]
3852 fn validate_rejects_bad_skip_date() {
3853 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
3854 let err = with_skip_dates(&[bad]).validate().unwrap_err();
3855 assert!(
3856 err.contains("constraints.skip_dates"),
3857 "for '{bad}', got: {err}"
3858 );
3859 }
3860 }
3861
3862 #[test]
3863 fn preview_skips_holidays() {
3864 use chrono::TimeZone;
3865 // Daily 09:00 with two of the next five days marked as holidays
3866 // — preview drops exactly those, since it gates on `allows`.
3867 let mut s = cal_utc("09:00", &[]);
3868 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
3869 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3870 let got = s.preview_fires(now, 4);
3871 let want: Vec<_> = [
3872 (2026, 6, 10),
3873 (2026, 6, 12), // skips 06-11
3874 (2026, 6, 14), // skips 06-13
3875 (2026, 6, 15),
3876 ]
3877 .iter()
3878 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
3879 .collect();
3880 assert_eq!(got, want);
3881 }
3882
3883 // ---- constraints.max_concurrent (#418) ----
3884
3885 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
3886 let mut s = schedule_with(
3887 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3888 runs_on,
3889 );
3890 s.constraints.max_concurrent = Some(max);
3891 s
3892 }
3893
3894 #[test]
3895 fn validate_accepts_backend_max_concurrent() {
3896 with_max_concurrent(5, RunsOn::Backend)
3897 .validate()
3898 .expect("backend max_concurrent should validate");
3899 }
3900
3901 #[test]
3902 fn validate_rejects_max_concurrent_on_agent() {
3903 // Decision E: a central running-instance cap needs a central
3904 // counter, which agents don't have.
3905 let err = with_max_concurrent(5, RunsOn::Agent)
3906 .validate()
3907 .unwrap_err();
3908 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
3909 assert!(err.contains("runs_on: agent"), "got: {err}");
3910 }
3911
3912 #[test]
3913 fn validate_rejects_zero_max_concurrent() {
3914 let err = with_max_concurrent(0, RunsOn::Backend)
3915 .validate()
3916 .unwrap_err();
3917 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
3918 }
3919
3920 #[test]
3921 fn max_concurrent_round_trips_and_skips_when_absent() {
3922 let s = with_max_concurrent(3, RunsOn::Backend);
3923 let json = serde_json::to_value(&s.constraints).expect("ser");
3924 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
3925 // A schedule with no constraints omits the whole block.
3926 let bare = schedule_with(
3927 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3928 RunsOn::Backend,
3929 );
3930 assert!(bare.constraints.is_empty());
3931 }
3932
3933 #[test]
3934 fn window_fail_closed_on_corrupt_blob() {
3935 // A malformed window (only reachable via a hand-edited KV
3936 // blob — validate() rejects it at create) must BLOCK, not
3937 // silently allow fires during a change-freeze (gemini #452).
3938 let s = with_window("22:00_05:00");
3939 assert!(
3940 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
3941 "corrupt window fails closed"
3942 );
3943 // …and the scheduler can surface why it's stuck.
3944 assert!(
3945 s.bad_window().is_some(),
3946 "bad_window reports the parse error"
3947 );
3948 assert!(with_window("22:00-05:00").bad_window().is_none());
3949 }
3950
3951 #[test]
3952 fn calendar_outside_window_is_flagged() {
3953 // at 09:00 can never fall in 22:00-05:00 → never fires.
3954 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
3955 s.constraints.window = Some("22:00-05:00".into());
3956 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
3957
3958 // at 23:00 IS inside the overnight window → fine.
3959 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
3960 s.constraints.window = Some("22:00-05:00".into());
3961 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
3962
3963 // reconcile shapes are never flagged (they poll every minute).
3964 let mut s = schedule_with(
3965 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3966 RunsOn::Backend,
3967 );
3968 s.constraints.window = Some("22:00-05:00".into());
3969 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
3970
3971 // no window → never flagged.
3972 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3973 assert!(!s.calendar_outside_window());
3974 }
3975
3976 // ---- on_failure.retry (#418 Phase 4) ----
3977
3978 fn with_retry(max: u32, backoff: &str) -> Schedule {
3979 let mut s = schedule_with(
3980 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3981 RunsOn::Backend,
3982 );
3983 s.on_failure.retry = Some(Retry {
3984 max,
3985 backoff: backoff.into(),
3986 });
3987 s
3988 }
3989
3990 #[test]
3991 fn on_failure_parses_and_round_trips() {
3992 let yaml = r#"
3993id: x
3994when:
3995 per_pc: { every: 6h }
3996job_id: y
3997target: { all: true }
3998on_failure:
3999 retry: { max: 3, backoff: 10m }
4000"#;
4001 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4002 let r = s.on_failure.retry.as_ref().expect("retry present");
4003 assert_eq!(r.max, 3);
4004 assert_eq!(r.backoff, "10m");
4005 let back: Schedule =
4006 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
4007 assert_eq!(back.on_failure, s.on_failure);
4008 }
4009
4010 #[test]
4011 fn on_failure_empty_is_skipped_when_serialising() {
4012 let s = schedule_with(
4013 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4014 RunsOn::Backend,
4015 );
4016 let json = serde_json::to_value(&s).expect("serialise");
4017 assert!(
4018 json.get("on_failure").is_none(),
4019 "empty on_failure must not appear on the wire: {json}"
4020 );
4021 }
4022
4023 #[test]
4024 fn validate_accepts_good_retry() {
4025 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
4026 with_retry(max, backoff)
4027 .validate()
4028 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
4029 }
4030 }
4031
4032 #[test]
4033 fn validate_rejects_bad_backoff() {
4034 let err = with_retry(3, "soon").validate().unwrap_err();
4035 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
4036 }
4037
4038 #[test]
4039 fn validate_rejects_sub_second_backoff() {
4040 // "500ms" parses as humantime but lowers to 0s on the wire —
4041 // reject it so the operator doesn't get a silent no-wait
4042 // (coderabbit #466).
4043 for bad in ["500ms", "0s", "999ms"] {
4044 let err = with_retry(3, bad).validate().unwrap_err();
4045 assert!(
4046 err.contains("on_failure.retry.backoff must be >= 1s"),
4047 "for '{bad}', got: {err}"
4048 );
4049 }
4050 }
4051
4052 #[test]
4053 fn validate_rejects_out_of_range_max() {
4054 for bad in [0u32, 11, 1000] {
4055 let err = with_retry(bad, "10m").validate().unwrap_err();
4056 assert!(
4057 err.contains("on_failure.retry.max"),
4058 "for max={bad}, got: {err}"
4059 );
4060 }
4061 }
4062
4063 #[test]
4064 fn lowered_retry_reduces_backoff_to_seconds() {
4065 let s = with_retry(3, "10m");
4066 let spec = s.on_failure.lowered_retry().expect("a retry policy");
4067 assert_eq!(spec.max, 3);
4068 assert_eq!(spec.backoff_secs, 600);
4069 }
4070
4071 #[test]
4072 fn lowered_retry_is_none_without_policy() {
4073 let s = schedule_with(
4074 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4075 RunsOn::Backend,
4076 );
4077 assert!(s.on_failure.lowered_retry().is_none());
4078 }
4079
4080 // ---- global change-freeze (#418 Phase 5) ----
4081
4082 #[test]
4083 fn freeze_empty_window_is_always_active() {
4084 // The big-red-button shape: no bounds = frozen until cleared.
4085 let f = Freeze::default();
4086 assert!(f.is_active(chrono::Utc::now()));
4087 }
4088
4089 #[test]
4090 fn freeze_window_is_half_open() {
4091 use chrono::TimeZone;
4092 let f = Freeze {
4093 from: Some("2026-12-20T00:00:00+00:00".into()),
4094 until: Some("2027-01-05T00:00:00+00:00".into()),
4095 reason: Some("year-end".into()),
4096 tz: ScheduleTz::Utc,
4097 };
4098 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
4099 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
4100 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
4101 assert!(f.is_active(at(2026, 12, 31)), "inside window");
4102 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
4103 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
4104 }
4105
4106 #[test]
4107 fn freeze_fails_closed_on_corrupt_bound() {
4108 // A freeze is a safety switch: an unparseable bound (only
4109 // reachable via a hand-edited KV blob) must read as FROZEN, not
4110 // "fire normally" (coderabbit #472) — the opposite of `active`,
4111 // which fail-opens.
4112 let f = Freeze {
4113 from: Some("not-a-date".into()),
4114 until: None,
4115 reason: None,
4116 tz: ScheduleTz::Utc,
4117 };
4118 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
4119 }
4120
4121 #[test]
4122 fn freeze_validate_accepts_good_bounds() {
4123 Freeze {
4124 from: Some("2026-12-20".into()),
4125 until: Some("2027-01-05T12:00:00+09:00".into()),
4126 reason: None,
4127 tz: ScheduleTz::Local,
4128 }
4129 .validate()
4130 .expect("date + rfc3339 bounds should validate");
4131 // Empty (indefinite) freeze is valid.
4132 Freeze::default().validate().expect("empty freeze is valid");
4133 }
4134
4135 #[test]
4136 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
4137 let err = Freeze {
4138 from: Some("never".into()),
4139 ..Default::default()
4140 }
4141 .validate()
4142 .unwrap_err();
4143 assert!(err.contains("freeze:"), "got: {err}");
4144
4145 let inverted = Freeze {
4146 from: Some("2027-01-05".into()),
4147 until: Some("2026-12-20".into()),
4148 ..Default::default()
4149 }
4150 .validate()
4151 .unwrap_err();
4152 assert!(inverted.contains("freeze.from"), "got: {inverted}");
4153 }
4154
4155 #[test]
4156 fn freeze_round_trips_and_skips_empty_fields() {
4157 let f = Freeze {
4158 from: None,
4159 until: Some("2027-01-05".into()),
4160 reason: Some("INC-1234".into()),
4161 tz: ScheduleTz::Utc,
4162 };
4163 let json = serde_json::to_value(&f).expect("serialise");
4164 assert!(json.get("from").is_none(), "empty from omitted: {json}");
4165 let back: Freeze = serde_json::from_value(json).expect("round-trip");
4166 assert_eq!(back, f);
4167 }
4168
4169 #[test]
4170 fn shipped_schedule_configs_parse_and_validate() {
4171 // Every YAML under configs/schedules/ must parse with the
4172 // current Schedule serde AND pass validate() — keeps the
4173 // shipped examples from drifting out of sync with the model
4174 // (#418 removed back-compat, so drift = broken at create).
4175 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
4176 let mut seen = 0;
4177 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
4178 let path = entry.expect("dir entry").path();
4179 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
4180 continue;
4181 }
4182 let body = std::fs::read_to_string(&path).expect("read yaml");
4183 let s: Schedule = serde_yaml::from_str(&body)
4184 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
4185 s.validate()
4186 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
4187 seen += 1;
4188 }
4189 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
4190 }
4191
4192 // ---- pre-existing enum wire formats (unchanged by #418) ----
4193
4194 #[test]
4195 fn exec_mode_serialises_snake_case() {
4196 for (mode, expected) in [
4197 (ExecMode::EveryTick, "every_tick"),
4198 (ExecMode::OncePerPc, "once_per_pc"),
4199 (ExecMode::OncePerTarget, "once_per_target"),
4200 ] {
4201 let s = serde_json::to_value(mode).expect("serialise");
4202 assert_eq!(s, serde_json::Value::String(expected.into()));
4203 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
4204 .expect("deserialise");
4205 assert_eq!(back, mode, "round-trip for {expected}");
4206 }
4207 }
4208
4209 #[test]
4210 fn schedule_runs_on_defaults_to_backend() {
4211 let yaml = r#"
4212id: x
4213when:
4214 per_pc: once
4215job_id: y
4216target: { all: true }
4217"#;
4218 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4219 assert_eq!(s.runs_on, RunsOn::Backend);
4220 }
4221
4222 #[test]
4223 fn schedule_runs_on_agent_parses() {
4224 let yaml = r#"
4225id: offline-inv
4226when:
4227 per_pc: { every: 1h }
4228job_id: inventory-hw
4229target: { all: true }
4230runs_on: agent
4231"#;
4232 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4233 assert_eq!(s.runs_on, RunsOn::Agent);
4234 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
4235 }
4236
4237 #[test]
4238 fn runs_on_serialises_snake_case() {
4239 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
4240 let s = serde_json::to_value(mode).expect("serialise");
4241 assert_eq!(s, serde_json::Value::String(expected.into()));
4242 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
4243 .expect("deserialise");
4244 assert_eq!(back, mode);
4245 }
4246 }
4247
4248 #[test]
4249 fn execute_shell_into_wire_shell() {
4250 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
4251 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
4252 }
4253
4254 #[test]
4255 fn manifest_staleness_defaults_to_cached() {
4256 let yaml = r#"
4257id: x
4258version: 1.0.0
4259execute:
4260 shell: powershell
4261 script: "echo"
4262 timeout: 1s
4263"#;
4264 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4265 assert_eq!(m.staleness, Staleness::Cached);
4266 }
4267
4268 #[test]
4269 fn manifest_strict_staleness_parses() {
4270 let yaml = r#"
4271id: urgent-patch
4272version: 2.5.1
4273execute:
4274 shell: powershell
4275 script: Install-Hotfix
4276 timeout: 5m
4277staleness:
4278 mode: strict
4279 max_cache_age: 0s
4280"#;
4281 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4282 match m.staleness {
4283 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
4284 other => panic!("expected strict, got {other:?}"),
4285 }
4286 }
4287
4288 #[test]
4289 fn manifest_unchecked_staleness_parses() {
4290 let yaml = r#"
4291id: legacy
4292version: 0.1.0
4293execute:
4294 shell: cmd
4295 script: "echo"
4296 timeout: 1s
4297staleness:
4298 mode: unchecked
4299"#;
4300 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4301 assert_eq!(m.staleness, Staleness::Unchecked);
4302 }
4303
4304 #[test]
4305 fn missing_required_field_errors() {
4306 // `id` missing.
4307 let yaml = r#"
4308version: 1.0.0
4309target: { all: true }
4310execute:
4311 shell: powershell
4312 script: "echo"
4313 timeout: 1s
4314"#;
4315 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
4316 assert!(r.is_err(), "expected error, got {:?}", r);
4317 }
4318
4319 #[test]
4320 fn display_field_table_kind_round_trips_with_nested_columns() {
4321 // #39: `type: table` + `columns:` on a DisplayField gets
4322 // round-tripped through serde so the SPA receives the
4323 // nested schema verbatim. Nested columns themselves are
4324 // DisplayFields so they can carry `type: bytes` /
4325 // `type: number` for cell formatting.
4326 let yaml = r#"
4327id: inv-hw
4328version: 1.0.0
4329execute:
4330 shell: powershell
4331 script: "echo"
4332 timeout: 60s
4333inventory:
4334 display:
4335 - field: hostname
4336 label: Hostname
4337 - field: disks
4338 label: Disks
4339 type: table
4340 columns:
4341 - field: device_id
4342 label: Drive
4343 - field: size_bytes
4344 label: Size
4345 type: bytes
4346 - field: free_bytes
4347 label: Free
4348 type: bytes
4349 - field: file_system
4350 label: FS
4351"#;
4352 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4353 let inv = m.inventory.as_ref().expect("inventory hint");
4354 let disks = inv
4355 .display
4356 .iter()
4357 .find(|d| d.field == "disks")
4358 .expect("disks display row");
4359 assert_eq!(disks.kind.as_deref(), Some("table"));
4360 let cols = disks.columns.as_ref().expect("table needs columns");
4361 assert_eq!(cols.len(), 4);
4362 assert_eq!(cols[1].field, "size_bytes");
4363 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
4364 }
4365
4366 #[test]
4367 fn display_field_scalar_kind_keeps_columns_none() {
4368 // Defensive: when type is a scalar (`bytes` / `number` /
4369 // `timestamp`) the `columns` field stays None — the SPA
4370 // uses its presence as the "render nested table" signal,
4371 // so it must not leak in via serde defaults.
4372 let yaml = r#"
4373id: x
4374version: 1.0.0
4375execute:
4376 shell: powershell
4377 script: "echo"
4378 timeout: 5s
4379inventory:
4380 display:
4381 - { field: ram_bytes, label: RAM, type: bytes }
4382"#;
4383 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4384 let inv = m.inventory.as_ref().unwrap();
4385 assert!(inv.display[0].columns.is_none());
4386 }
4387
4388 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
4389
4390 /// The JSON Schemas under `docs/schemas/` must match what
4391 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
4392 /// so a `Schedule` / `Manifest` field change can't silently drift
4393 /// the operator-facing schema. The SPA editor, the backend
4394 /// `/api/schemas/*` endpoints, and these files all read the same
4395 /// derived shape; this test fails CI if the checked-in copy lags.
4396 /// Regenerate with:
4397 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
4398 #[test]
4399 fn schema_files_are_current() {
4400 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
4401 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
4402 }
4403
4404 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
4405 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
4406 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
4407 .join("../../docs/schemas")
4408 .join(name);
4409 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
4410 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
4411 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
4412 return;
4413 }
4414 // Normalize CRLF→LF before comparing: `.gitattributes` already
4415 // pins these files to `eol=lf`, but a stray CRLF working-tree
4416 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
4417 // freshness check into a confusing line-ending failure — that's
4418 // .gitattributes' job, not this test's (gemini #588).
4419 let on_disk = std::fs::read_to_string(&path)
4420 .unwrap_or_else(|e| {
4421 panic!(
4422 "read {path:?}: {e}\n\
4423 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
4424 )
4425 })
4426 .replace("\r\n", "\n");
4427 assert_eq!(
4428 on_disk, generated,
4429 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
4430 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
4431 );
4432 }
4433}
4434
4435/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
4436/// (target + optional rollout + optional jitter) inline; the
4437/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
4438/// script body. Two schedules of the same job can target different
4439/// groups on different cadences without copying the manifest.
4440///
4441/// #418 Phase 1: the cadence is the single [`When`] field. The old
4442/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
4443/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
4444/// are warn-skipped; re-`schedule create` to upgrade them). The
4445/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
4446/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
4447/// `decide_fire` always ran on.
4448#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
4449pub struct Schedule {
4450 pub id: String,
4451 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
4452 /// or a calendar time trigger (`at` / `days`). See [`When`].
4453 ///
4454 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
4455 /// enums as `!per_pc` YAML tags by default; this keeps the
4456 /// operator-facing map shape (`when: { per_pc: once }`). JSON
4457 /// output is identical either way, and the schemars schema
4458 /// (external tagging = oneOf of single-key objects) already
4459 /// matches the singleton-map wire shape.
4460 #[serde(with = "serde_yaml::with::singleton_map")]
4461 #[schemars(with = "When")]
4462 pub when: When,
4463 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
4464 /// Manifest's `id`.
4465 pub job_id: String,
4466 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
4467 /// carry these any more — same job + different fanout = different
4468 /// schedule.
4469 #[serde(flatten)]
4470 pub plan: FanoutPlan,
4471 /// Optional validity window. Outside `[from, until)` the
4472 /// schedule is dormant — still registered, still visible, but
4473 /// every tick is skipped (deleted ≠ dormant: a campaign that
4474 /// ended stays inspectable and can be re-armed by editing the
4475 /// window). Checked at tick time on both the backend scheduler
4476 /// and the agent's local scheduler.
4477 #[serde(default, skip_serializing_if = "Active::is_empty")]
4478 pub active: Active,
4479 /// #418 operational constraints gating *when within an active
4480 /// period* a fire may happen: a maintenance `window`, a fleet
4481 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
4482 /// wall-clock ones are evaluated in the schedule's `tz`; future
4483 /// `require` (env gates) lands in the same namespace. Checked at
4484 /// tick time on both schedulers (and surfaced by `preview`).
4485 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
4486 pub constraints: Constraints,
4487 /// #418 Phase 4: what to do after a fire's script comes back
4488 /// failed. Currently just `retry` (fixed-backoff in-process
4489 /// re-run); future `notify` / `disable` join the same namespace.
4490 /// Applied fire-side in `handle_command` (the retry policy is
4491 /// lowered onto every Command this schedule produces), so it
4492 /// covers both `runs_on` locations.
4493 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
4494 pub on_failure: OnFailure,
4495 /// #418 Phase 2: the timezone this schedule's wall-clock fields
4496 /// are evaluated in — both the calendar `at` firing time AND the
4497 /// `active.{from,until}` window bounds. `local` (default) = the
4498 /// running host's TZ (the agent's for `runs_on: agent`, the
4499 /// backend server's otherwise); `utc` for TZ-independent
4500 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
4501 /// for firing (poll cron runs every minute regardless) but still
4502 /// honor it for the `active` window.
4503 #[serde(default)]
4504 pub tz: ScheduleTz,
4505 /// v0.22: optional humantime window after a cron tick during
4506 /// which the Command is still considered "live". The scheduler
4507 /// computes `tick_at + starting_deadline` and stamps it onto
4508 /// each Command as `deadline_at`; agents skip Commands they
4509 /// receive after that absolute time. `None` (default) = no
4510 /// deadline, meaning a Command queued in the broker / stream
4511 /// during agent downtime runs whenever the agent reconnects —
4512 /// good for kitting / inventory / cleanup. Set this for
4513 /// time-of-day notifications, lunch reminders, etc., where
4514 /// "fire 3 hours late" would be wrong.
4515 #[serde(default, skip_serializing_if = "Option::is_none")]
4516 pub starting_deadline: Option<String>,
4517 /// v0.23: where does the cron tick happen? `Backend` (default,
4518 /// historical) = backend's scheduler fires Commands via NATS;
4519 /// agents passively receive. `Agent` = each targeted agent runs
4520 /// its own internal cron and fires locally, so the schedule
4521 /// keeps ticking even when the broker is unreachable (laptop on
4522 /// the train, broker maintenance window, full WAN outage). The
4523 /// two locations are mutually exclusive — when `Agent`, the
4524 /// backend scheduler stays out and just keeps the definition in
4525 /// KV for agents to read.
4526 #[serde(default)]
4527 pub runs_on: RunsOn,
4528 #[serde(default = "default_true")]
4529 pub enabled: bool,
4530 /// Free-form operator taxonomy for the Schedules page — the
4531 /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
4532 /// code ref rather than an intra-doc link, since that field isn't
4533 /// on this branch until #640 merges). Purely a SPA-side
4534 /// organisational aid (search / filter chips alongside the
4535 /// id-prefix grouping); the scheduler never reads it, so any
4536 /// string is allowed and it carries no firing semantics. A
4537 /// schedule's own tags are independent of its job's: the same job
4538 /// may back a `weekly` maintenance schedule and a `canary` rollout
4539 /// schedule. Empty by default and `skip_serializing_if`-elided per
4540 /// the #492 gradual-upgrade wire rule.
4541 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4542 pub tags: Vec<String>,
4543 /// GitOps provenance (#695) — see [`RepoOrigin`]. Stamped by
4544 /// `kanade schedule create` when the source YAML lives inside a Git
4545 /// work tree, so the SPA renders the schedule read-only and points
4546 /// edits back at the repo (SPEC design principle #3: 設定駆動 YAML +
4547 /// Git), parity with a job's [`Manifest::origin`]. `None` for
4548 /// SPA-born schedules and ones applied from outside any repo. Purely
4549 /// informational — the scheduler never reads it. New field ⇒ #492
4550 /// wire rule (`default` + `skip_serializing_if`).
4551 #[serde(default, skip_serializing_if = "Option::is_none")]
4552 pub origin: Option<RepoOrigin>,
4553}
4554
4555/// v0.23 — where the cron tick fires from.
4556#[derive(
4557 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
4558)]
4559#[serde(rename_all = "snake_case")]
4560pub enum RunsOn {
4561 /// Backend's central scheduler ticks and publishes Commands to
4562 /// NATS. Historical default, what every pre-v0.23 schedule
4563 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
4564 /// reconnects ⇒ catch-up via [`command_replay`](crate)
4565 /// (see kanade-agent's command_replay module).
4566 #[default]
4567 Backend,
4568 /// Each targeted agent runs the cron tick locally. Survives
4569 /// broker / WAN outages. Best for laptops / mobile devices that
4570 /// roam off the corporate network. Agent must be online for the
4571 /// initial schedule + job-catalog pull, but once cached the
4572 /// agent fires the script standalone.
4573 Agent,
4574}
4575
4576/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
4577#[derive(
4578 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
4579)]
4580#[serde(rename_all = "snake_case")]
4581pub enum ExecMode {
4582 /// Fire on every cron tick at the whole target. Historical
4583 /// (pre-v0.19) behavior; no dedup.
4584 #[default]
4585 EveryTick,
4586 /// Fire at each pc until that pc succeeds; then skip it until
4587 /// the optional cooldown elapses (or forever if no cooldown).
4588 /// Use for kitting / first-boot / per-pc compliance checks.
4589 OncePerPc,
4590 /// Fire at the whole target until **any** pc succeeds; then
4591 /// skip the whole target until the optional cooldown elapses
4592 /// (or forever if no cooldown). Use for "one delegate is
4593 /// enough" tasks like license check-in.
4594 OncePerTarget,
4595 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
4596 /// no cron — the agent fires it from an OS event source (boot /
4597 /// session-change), not a tick — so the scheduler skips
4598 /// `tokio-cron` registration for it. Each event occurrence fires
4599 /// once, gated by the standard freeze / active / window /
4600 /// skip_dates checks.
4601 Event,
4602}
4603
4604/// #418 Phase 1 — the single "when does this fire" axis.
4605///
4606/// Replaces the old `cron` + `mode` + `cooldown` trio whose
4607/// interactions were implicit (cron doubled as both a real
4608/// time-of-day trigger and a reconcile poll period; contradictory
4609/// combinations silently no-opped). Two shapes:
4610///
4611/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
4612/// pc (or one delegate) should have run this within `every`".
4613/// The poll period is system-generated ([`POLL_CRON`], every
4614/// minute) and no longer the operator's concern.
4615/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
4616/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
4617/// the whole target at the given time, no dedup. `at: "09:00"` +
4618/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
4619/// exactly once. Evaluated in the schedule's top-level `tz`.
4620#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4621#[serde(rename_all = "snake_case")]
4622pub enum When {
4623 /// Fire at each targeted pc: `once` (kitting — succeed once,
4624 /// skip forever, forever catching brand-new / re-imaged pcs)
4625 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
4626 /// the interval).
4627 PerPc(PerPolicy),
4628 /// Fire until **any** one pc of the target succeeds, then skip
4629 /// the whole target (`once`) or re-arm after `every`. Needs
4630 /// fleet-wide completion data, so it is backend-only —
4631 /// `runs_on: agent` + `per_target` is rejected by
4632 /// [`Schedule::validate`].
4633 PerTarget(PerPolicy),
4634 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
4635 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
4636 /// the whole target at that wall-clock time in the schedule's
4637 /// `tz` — no dedup, no cooldown.
4638 Calendar(CalendarSpec),
4639 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
4640 /// Fires when the agent observes the listed OS event(s) rather than
4641 /// on a clock — there is no cron. `runs_on: agent` only (the agent
4642 /// owns the event source); [`Schedule::validate`] rejects it on
4643 /// `backend` and rejects an empty list. Each event occurrence fires
4644 /// once, gated by the same freeze / active / `constraints.window` /
4645 /// `skip_dates` checks as the cron path. `startup` fires once per OS
4646 /// boot (deduped via the host boot time); a `starting_deadline`, if
4647 /// set, limits it to "agent came up within that long after boot".
4648 On(Vec<OnTrigger>),
4649}
4650
4651/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
4652#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
4653#[serde(rename_all = "snake_case")]
4654pub enum OnTrigger {
4655 /// Once per OS boot (the agent's first run for that boot). Catches
4656 /// freshly-imaged / reinstalled hosts at their next startup.
4657 Startup,
4658 /// On an interactive-session user logon — console, RDP, or
4659 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
4660 /// service / network / batch logons (no interactive session).
4661 Logon,
4662 /// When the workstation is locked (Win+L / idle lock; Windows
4663 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
4664 Lock,
4665 /// When the workstation is unlocked — the user returns to a locked
4666 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
4667 /// compliance / refresh state when work resumes.
4668 Unlock,
4669 /// When the host's network changes — IP address table change on
4670 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
4671 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
4672 /// from one transition fires once after the network settles), so
4673 /// use it for "re-check connectivity / re-register on network move"
4674 /// rather than expecting one fire per raw adapter event.
4675 ///
4676 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
4677 /// transition that touches only IPv6 addresses won't fire. In practice
4678 /// dual-stack networks change both tables together, but a pure-IPv6
4679 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
4680 NetworkChange,
4681}
4682
4683/// Calendar time trigger (#418 Phase 2). `at` is either a time of
4684/// day (`"HH:MM"`, repeating — combine with `days`) or a full
4685/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
4686/// never again). Evaluated in the schedule's top-level `tz`.
4687#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4688pub struct CalendarSpec {
4689 /// `"HH:MM"` (24h) for a repeating trigger, or
4690 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
4691 /// accepted) for a one-shot. Parsed lazily —
4692 /// [`Schedule::validate`] rejects garbage at create time.
4693 pub at: String,
4694 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
4695 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
4696 /// field, so ranges and names both work). An **nth-weekday**
4697 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
4698 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
4699 /// `["friL"]` fires only on the last Friday of each month (handy
4700 /// for monthly maintenance). Empty = every day. Must be empty
4701 /// when `at` carries a date (the date already pins the day).
4702 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4703 pub days: Vec<String>,
4704}
4705
4706/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
4707/// date for a one-shot (`None` = repeating time-of-day).
4708struct ParsedAt {
4709 minute: u32,
4710 hour: u32,
4711 date: Option<chrono::NaiveDate>,
4712}
4713
4714impl CalendarSpec {
4715 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
4716 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
4717 fn parse_at(&self) -> Result<ParsedAt, String> {
4718 use chrono::Timelike;
4719 let s = self.at.trim();
4720 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
4721 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
4722 return Ok(ParsedAt {
4723 minute: dt.minute(),
4724 hour: dt.hour(),
4725 date: Some(dt.date()),
4726 });
4727 }
4728 }
4729 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
4730 return Ok(ParsedAt {
4731 minute: t.minute(),
4732 hour: t.hour(),
4733 date: None,
4734 });
4735 }
4736 Err(format!(
4737 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
4738 self.at
4739 ))
4740 }
4741
4742 /// Pre-flight check on the `days` tokens so a bad day name gives
4743 /// a `when.days:`-scoped error instead of croner's confusing
4744 /// "when.at lowered to invalid cron" (claude #432 review). Each
4745 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
4746 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
4747 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
4748 /// **last-weekday** like `friL` (last Friday of the month).
4749 fn validate_days(&self) -> Result<(), String> {
4750 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
4751 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
4752 for tok in &self.days {
4753 // Report the whole token on a malformed range like `mon-`
4754 // (which would otherwise split to a cryptic empty part —
4755 // claude #432 follow-up).
4756 let invalid = |reason: &str| {
4757 Err(format!(
4758 "when.days: invalid day token '{tok}' ({reason}; \
4759 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
4760 like tue#2, a last-weekday like friL, or *)"
4761 ))
4762 };
4763 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
4764 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
4765 // `to_cron` passes the token through verbatim, so the
4766 // engine fires only on that occurrence. It's a single
4767 // weekday + ordinal — not combinable with a range.
4768 if let Some((day_part, nth_part)) = tok.split_once('#') {
4769 // Normalize once and use `d` consistently (gemini #547);
4770 // the outer `invalid` already echoes the raw `tok`.
4771 let d = day_part.trim().to_ascii_lowercase();
4772 if d.contains('-') || !is_day(&d) {
4773 return invalid("the part before # must be a single weekday");
4774 }
4775 match nth_part.trim().parse::<u8>() {
4776 Ok(n) if (1..=5).contains(&n) => {}
4777 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
4778 }
4779 continue;
4780 }
4781 // #418: last-weekday suffix (`friL` = last Friday of the
4782 // month — the monthly-maintenance sibling of Patch Tuesday).
4783 // Croner accepts `<dow>L` in the DOW field with verified
4784 // last-<dow>-of-month semantics, and `to_cron` passes it
4785 // through verbatim. A single weekday + `L` — bare `L` and
4786 // ranges are rejected (croner would read bare `L` as
4787 // Saturday, which is a confusing footgun).
4788 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
4789 // No `.trim()`: a cron DOW token can't carry internal
4790 // whitespace, so `"fri L"` must be *rejected* here (its
4791 // strip leaves `"fri "`, and `is_day` catches the space)
4792 // rather than trimmed into a clean `"fri"` that then
4793 // produces a malformed `fri L` cron downstream and a
4794 // confusing croner error (gemini #560).
4795 let d = day_part.to_ascii_lowercase();
4796 if d.is_empty() {
4797 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
4798 }
4799 if d.contains('-') || !is_day(&d) {
4800 return invalid(
4801 "the part before L must be a single weekday (e.g. friL = last Friday)",
4802 );
4803 }
4804 continue;
4805 }
4806 for part in tok.split('-') {
4807 let p = part.trim().to_ascii_lowercase();
4808 if p.is_empty() {
4809 return invalid("empty range bound");
4810 }
4811 if p != "*" && !is_day(&p) {
4812 return invalid(&format!("'{part}' is not a day"));
4813 }
4814 }
4815 }
4816 Ok(())
4817 }
4818
4819 /// For a one-shot (`at` carries a date), the absolute instant it
4820 /// fires in `tz`. `None` for a repeating calendar. Used to warn
4821 /// about a one-shot whose date is already in the past (it would
4822 /// never fire).
4823 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
4824 let p = self.parse_at().ok()?;
4825 let date = p.date?;
4826 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
4827 tz.naive_to_utc(naive)
4828 }
4829
4830 /// The wall-clock time-of-day this calendar fires at (`None` if
4831 /// `at` is unparseable — validate() guards that). Used to detect
4832 /// a calendar whose fire time can never fall inside its
4833 /// `constraints.window` (claude #452 review).
4834 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
4835 let p = self.parse_at().ok()?;
4836 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
4837 }
4838
4839 /// Lower to the cron string the scheduler engine runs. Repeating
4840 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
4841 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
4842 /// fires — that's what makes it one-shot).
4843 fn to_cron(&self) -> Result<String, String> {
4844 use chrono::Datelike;
4845 let ParsedAt { minute, hour, date } = self.parse_at()?;
4846 match date {
4847 Some(d) => {
4848 if !self.days.is_empty() {
4849 return Err(
4850 "when.at with a date is a one-shot and cannot be combined with days".into(),
4851 );
4852 }
4853 Ok(format!(
4854 "0 {minute} {hour} {} {} * {}",
4855 d.day(),
4856 d.month(),
4857 d.year()
4858 ))
4859 }
4860 None => {
4861 let dow = if self.days.is_empty() {
4862 "*".to_string()
4863 } else {
4864 self.validate_days()?;
4865 self.days.join(",")
4866 };
4867 Ok(format!("0 {minute} {hour} * * {dow}"))
4868 }
4869 }
4870 }
4871}
4872
4873/// The timezone a schedule's wall-clock fields (`when.at`,
4874/// `active.{from,until}`) are evaluated in (#418 Phase 2).
4875#[derive(
4876 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
4877)]
4878#[serde(rename_all = "snake_case")]
4879pub enum ScheduleTz {
4880 /// The running host's local timezone — the agent's for
4881 /// `runs_on: agent`, the backend server's otherwise. Default.
4882 #[default]
4883 Local,
4884 /// UTC — for timezone-independent schedules.
4885 Utc,
4886}
4887
4888impl ScheduleTz {
4889 /// Interpret a naive (zoneless) datetime as being in this tz and
4890 /// convert to UTC. On a DST *fold* (the local time occurs twice
4891 /// when clocks go back) we pick `.earliest()` rather than
4892 /// rejecting it; `None` is reserved for a true DST *gap* (a local
4893 /// time that never exists). `Utc` is fixed-offset so neither ever
4894 /// happens; `Local` is whatever timezone the running host is set
4895 /// to and *can* hit a gap/fold on any DST-observing host — not
4896 /// just the JST we run today (gemini + claude #432 review).
4897 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
4898 use chrono::TimeZone;
4899 match self {
4900 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
4901 naive,
4902 chrono::Utc,
4903 )),
4904 ScheduleTz::Local => chrono::Local
4905 .from_local_datetime(&naive)
4906 .earliest()
4907 .map(|dt| dt.with_timezone(&chrono::Utc)),
4908 }
4909 }
4910
4911 /// The wall-clock time-of-day `now` reads as in this tz — used by
4912 /// [`Constraints::allows`] to test a maintenance window
4913 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
4914 /// running host's local time.
4915 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
4916 match self {
4917 ScheduleTz::Utc => now.time(),
4918 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
4919 }
4920 }
4921
4922 /// The wall-clock *date* `now` reads as in this tz — used by
4923 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
4924 /// exclusion). Same tz semantics as [`Self::wall_time`].
4925 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
4926 match self {
4927 ScheduleTz::Utc => now.date_naive(),
4928 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
4929 }
4930 }
4931
4932 /// Stable lowercase wire/display label (`local` / `utc`) — matches
4933 /// the serde `snake_case` representation. Used for the preview
4934 /// response's `tz` field so the JSON shape isn't coupled to the
4935 /// `Debug` repr (claude #578 review).
4936 pub fn as_str(self) -> &'static str {
4937 match self {
4938 ScheduleTz::Local => "local",
4939 ScheduleTz::Utc => "utc",
4940 }
4941 }
4942}
4943
4944impl std::fmt::Display for ScheduleTz {
4945 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
4946 f.write_str(self.as_str())
4947 }
4948}
4949
4950/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
4951/// `per_target`. Untagged so the YAML stays the bare keyword or a
4952/// one-key map, nothing more ceremonial.
4953#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4954#[serde(untagged)]
4955pub enum PerPolicy {
4956 /// The bare string `once`: succeed once, then skip permanently
4957 /// (cooldown = infinity).
4958 Once(OnceLiteral),
4959 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
4960 Every(EverySpec),
4961}
4962
4963/// Single-variant enum so serde accepts exactly the string `once`
4964/// (a free-form `String` would swallow typos like `onec`).
4965#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
4966#[serde(rename_all = "snake_case")]
4967pub enum OnceLiteral {
4968 Once,
4969}
4970
4971/// `{ every: <humantime> }`. Standalone struct (not an inline
4972/// struct variant). `{ evry: 6h }` still fails to parse (the
4973/// required `every` key is missing), and the create boundaries
4974/// reject the unknown `evry` via [`crate::strict`] with its path —
4975/// while agents reading a future writer's extra fields tolerate
4976/// them (#492).
4977#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
4978pub struct EverySpec {
4979 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
4980 /// [`Schedule::validate`] rejects garbage at create time.
4981 pub every: String,
4982}
4983
4984impl PerPolicy {
4985 /// The cooldown this policy lowers to: `once` = `None`
4986 /// (permanent skip), `every` = the interval.
4987 fn cooldown(&self) -> Option<String> {
4988 match self {
4989 PerPolicy::Once(_) => None,
4990 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
4991 }
4992 }
4993}
4994
4995impl std::fmt::Display for When {
4996 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
4997 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
4998 /// lines, audit payloads and the API's `ScheduleSummary`.
4999 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5000 let policy = |p: &PerPolicy| match p {
5001 PerPolicy::Once(_) => "once".to_string(),
5002 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
5003 };
5004 match self {
5005 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
5006 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
5007 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
5008 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
5009 When::On(triggers) => {
5010 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
5011 write!(f, "on [{}]", names.join(","))
5012 }
5013 }
5014 }
5015}
5016
5017impl OnTrigger {
5018 /// Lowercase wire/display label (matches the serde `snake_case`).
5019 pub fn as_str(self) -> &'static str {
5020 match self {
5021 OnTrigger::Startup => "startup",
5022 OnTrigger::Logon => "logon",
5023 OnTrigger::Lock => "lock",
5024 OnTrigger::Unlock => "unlock",
5025 OnTrigger::NetworkChange => "network_change",
5026 }
5027 }
5028}
5029
5030/// Optional validity window for a [`Schedule`] (#418 decision G).
5031/// Half-open `[from, until)`; either bound may be omitted. Bounds
5032/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
5033/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
5034/// strings so the JSON Schema the SPA editor consumes stays two
5035/// plain string fields, mirroring `jitter` / `starting_deadline`.
5036///
5037/// #418 Phase 2: bounds are evaluated in the schedule's top-level
5038/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
5039/// calendar `at` AND the `active` window local — one consistent
5040/// timezone per schedule.
5041#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5042pub struct Active {
5043 /// Dormant before this instant.
5044 #[serde(default, skip_serializing_if = "Option::is_none")]
5045 pub from: Option<String>,
5046 /// Dormant from this instant on (exclusive).
5047 #[serde(default, skip_serializing_if = "Option::is_none")]
5048 pub until: Option<String>,
5049}
5050
5051impl Active {
5052 /// `skip_serializing_if` helper — an empty window means "always
5053 /// active" and is omitted from the wire format entirely.
5054 pub fn is_empty(&self) -> bool {
5055 self.from.is_none() && self.until.is_none()
5056 }
5057
5058 /// Parse one bound: RFC3339 first (offset honored, `tz`
5059 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
5060 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
5061 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
5062 return Ok(dt.with_timezone(&chrono::Utc));
5063 }
5064 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
5065 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
5066 return tz.naive_to_utc(midnight).ok_or_else(|| {
5067 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
5068 });
5069 }
5070 Err(format!(
5071 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
5072 ))
5073 }
5074
5075 /// Is `now` inside the window? Unparseable bounds are treated
5076 /// as absent here (fail-open) — [`Schedule::validate`] is the
5077 /// place that rejects them loudly; this runs on every tick and
5078 /// must never panic on a stale KV blob.
5079 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
5080 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
5081 if bound(&self.from).is_some_and(|from| now < from) {
5082 return false;
5083 }
5084 if bound(&self.until).is_some_and(|until| now >= until) {
5085 return false;
5086 }
5087 true
5088 }
5089}
5090
5091/// Host-environment gate (#418 `constraints.require`). Fire only when
5092/// the target host is in the required state. Sensed **in-process by the
5093/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
5094/// read a target host's power/idle state ([`Schedule::validate`]
5095/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
5096///
5097/// Evaluated at fire time as a skip-this-tick gate (NOT in
5098/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
5099/// cadence re-checks every minute (so it effectively defers until the
5100/// state is met — the intended pairing); a `calendar` fire that lands
5101/// while the state is unmet is simply missed, same as `window`. It is
5102/// therefore a *runtime* gate and does not appear in `preview`.
5103// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
5104#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
5105pub struct Require {
5106 /// Fire only while on **AC power** (skip on battery). Reads
5107 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
5108 /// as not-on-AC (fail-closed — a restrictive gate must not fire
5109 /// when it can't confirm the condition). `false` (default) = no
5110 /// power requirement.
5111 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
5112 pub ac_power: bool,
5113 /// Fire only when the active console session has had **no keyboard /
5114 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
5115 /// "don't run while the user is actively working". Input-based
5116 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
5117 /// headless / disconnected console (no interactive user) trivially
5118 /// satisfies it. `None` (default) = no idle requirement. Parsed
5119 /// lazily; [`Schedule::validate`] rejects garbage at create time.
5120 #[serde(default, skip_serializing_if = "Option::is_none")]
5121 pub idle: Option<String>,
5122 /// Fire only when the **whole-machine CPU usage is below this
5123 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
5124 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
5125 /// sample (`sysinfo` mean over cores), so the reading is up to one
5126 /// `host_perf` cadence old (default 60s) — fine as a "generally
5127 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
5128 /// needs two samples). An unavailable sample (host_perf not warmed
5129 /// up yet, or stale) is treated as "not below" (fail-closed — a
5130 /// restrictive gate must not fire when it can't confirm). `None`
5131 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
5132 /// out-of-range value at create time.
5133 #[serde(default, skip_serializing_if = "Option::is_none")]
5134 pub cpu_below: Option<f64>,
5135 /// Fire only when the host has **internet connectivity** (Windows
5136 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
5137 /// until online" for jobs that download / phone home. A captive
5138 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
5139 /// unknown/unreadable state is treated as offline (fail-closed) — a
5140 /// portal would just fail a download, so we hold the run. For VPN /
5141 /// SASE / app-specific conditions, use a custom script gate (separate
5142 /// slice). `false` (default) = no network requirement.
5143 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
5144 pub network: bool,
5145}
5146
5147impl Require {
5148 /// `skip_serializing_if` helper for an embedded empty `require`.
5149 pub fn is_empty(&self) -> bool {
5150 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
5151 }
5152
5153 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
5154 /// unparseable value — `validate` rejects the latter at create time).
5155 pub fn min_idle(&self) -> Option<std::time::Duration> {
5156 self.idle
5157 .as_deref()
5158 .and_then(|s| humantime::parse_duration(s.trim()).ok())
5159 }
5160
5161 /// First unparseable field for create-time rejection (mirrors
5162 /// [`Constraints::bad_skip_date`]).
5163 pub fn bad_idle(&self) -> Option<String> {
5164 self.idle.as_deref().and_then(|s| {
5165 humantime::parse_duration(s.trim())
5166 .err()
5167 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
5168 })
5169 }
5170}
5171
5172/// Host-environment state sensed by the agent, fed to [`require_met`].
5173/// A named struct (not positional args) so the growing set of sensed
5174/// signals — several of them `bool` — can't be transposed at a call
5175/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
5176#[derive(Debug, Clone, Copy, Default)]
5177pub struct EnvState {
5178 /// Is the host on AC power (`false` if on battery or unreadable).
5179 pub ac_online: bool,
5180 /// How long the console has been idle (`None` = couldn't determine).
5181 pub idle: Option<std::time::Duration>,
5182 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
5183 pub cpu_pct: Option<f64>,
5184 /// Does the host have internet connectivity (`false` if offline /
5185 /// LAN-only / unreadable).
5186 pub network_up: bool,
5187}
5188
5189/// Pure env-gate decision (#418 `constraints.require`). The Win32
5190/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
5191/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
5192/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
5193/// pure and `preview` never evaluates a runtime gate. Each set
5194/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
5195pub fn require_met(req: &Require, env: &EnvState) -> bool {
5196 if req.ac_power && !env.ac_online {
5197 return false;
5198 }
5199 if let Some(min) = req.min_idle() {
5200 match env.idle {
5201 Some(d) if d >= min => {}
5202 _ => return false,
5203 }
5204 }
5205 if let Some(max) = req.cpu_below {
5206 match env.cpu_pct {
5207 Some(p) if p < max => {}
5208 _ => return false,
5209 }
5210 }
5211 if req.network && !env.network_up {
5212 return false;
5213 }
5214 true
5215}
5216
5217/// [`Active`] decides *over what date range* a schedule is live,
5218/// `Constraints` decides *when, within an active period,* a fire is
5219/// allowed: `window` (a maintenance time-of-day window),
5220/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
5221/// (holiday exclusion) and `require` (host-environment gates, agent-only
5222/// — see [`Require`]).
5223// No `Eq`: contains `require: Option<Require>` which holds an f64.
5224#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
5225pub struct Constraints {
5226 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
5227 /// `tz`). Fires outside it are skipped — mainly for reconcile
5228 /// cadences ("patrol every 6h, but only fire overnight") and
5229 /// daytime change-freezes. `start > end` crosses midnight
5230 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
5231 /// lazily; [`Schedule::validate`] rejects garbage at create time.
5232 #[serde(default, skip_serializing_if = "Option::is_none")]
5233 pub window: Option<String>,
5234 /// Fleet-wide cap on how many instances of this schedule's job may
5235 /// run **at the same time** (#418 "同時実行ハード上限"). The
5236 /// backend scheduler counts the job's still-in-flight runs
5237 /// (`execution_results.finished_at IS NULL`) each tick and only
5238 /// dispatches to as many remaining pcs as there are free slots —
5239 /// a rolling window that refills as runs complete. Useful for
5240 /// disk/CPU/network-heavy jobs you don't want hammering the whole
5241 /// fleet at once.
5242 ///
5243 /// **Backend-only** (it needs a central counter): combining it
5244 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
5245 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
5246 /// for `per_pc` reconcile cadences, where the poll re-ticks and
5247 /// refills slots. `None` (default) = no cap.
5248 #[serde(default, skip_serializing_if = "Option::is_none")]
5249 pub max_concurrent: Option<u32>,
5250 /// Calendar dates the schedule must **not** fire on — holidays,
5251 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
5252 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
5253 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
5254 /// the whole day; a calendar fire landing on the date is
5255 /// suppressed) and is honored by both the live scheduler and
5256 /// `preview`, since both gate on [`Constraints::allows`]. Empty
5257 /// (default) = no skips. Operator-supplied: there is no built-in
5258 /// holiday calendar — list the dates you care about. Parsed lazily;
5259 /// [`Schedule::validate`] rejects a malformed date at create time.
5260 #[serde(default, skip_serializing_if = "Vec::is_empty")]
5261 pub skip_dates: Vec<String>,
5262 /// Host-environment gate (#418): fire only when the target host is
5263 /// in the required state (on AC power, idle). Agent-sensed at fire
5264 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
5265 /// no environment requirement.
5266 #[serde(default, skip_serializing_if = "Option::is_none")]
5267 pub require: Option<Require>,
5268}
5269
5270impl Constraints {
5271 /// `skip_serializing_if` helper — empty constraints are omitted
5272 /// from the wire format entirely.
5273 pub fn is_empty(&self) -> bool {
5274 self.window.is_none()
5275 && self.max_concurrent.is_none()
5276 && self.skip_dates.is_empty()
5277 && self.require.as_ref().is_none_or(Require::is_empty)
5278 }
5279
5280 /// The first unparseable `skip_dates` entry, if any — the
5281 /// scheduler logs it at register time so a fail-closed
5282 /// (never-firing) schedule from a hand-edited KV blob is
5283 /// diagnosable, mirroring [`Schedule::bad_window`].
5284 pub fn bad_skip_date(&self) -> Option<String> {
5285 self.skip_dates.iter().find_map(|s| {
5286 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
5287 .err()
5288 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
5289 })
5290 }
5291
5292 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
5293 /// error (a zero-width or all-day window is ambiguous — write no
5294 /// window for "always").
5295 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
5296 let (a, b) = s
5297 .split_once('-')
5298 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
5299 let parse = |part: &str| {
5300 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
5301 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
5302 };
5303 let (start, end) = (parse(a)?, parse(b)?);
5304 if start == end {
5305 return Err(format!(
5306 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
5307 ));
5308 }
5309 Ok((start, end))
5310 }
5311
5312 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
5313 /// always allowed. Half-open `[start, end)`; `start > end`
5314 /// crosses midnight.
5315 ///
5316 /// **Fail-closed** on an unparseable window (returns `false`,
5317 /// gemini #452 review): a window is a *restrictive* constraint
5318 /// (change-freeze / overnight-only), so a corrupt one must NOT
5319 /// silently allow fires during the restricted hours. Bad windows
5320 /// are rejected at create time by [`Schedule::validate`]; this
5321 /// only bites a hand-edited KV blob, where blocking is the safe
5322 /// direction. The scheduler warns at register time
5323 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
5324 /// The tick path never panics regardless.
5325 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
5326 // #418 holiday / blackout dates: never fire on a listed wall
5327 // date (in `tz`). Checked before the window since a skipped day
5328 // overrides any within-window allowance. Fail-closed on a
5329 // corrupt entry (same posture as `window`): a skip date is a
5330 // *restrictive* constraint, so a garbled one must not silently
5331 // re-enable fires — it blocks until fixed (`validate` rejects it
5332 // at create time; `bad_skip_date` lets the scheduler warn).
5333 if !self.skip_dates.is_empty() {
5334 let today = tz.wall_date(now);
5335 let blocked = self.skip_dates.iter().any(|s| {
5336 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
5337 Ok(d) => d == today,
5338 Err(_) => true, // corrupt entry → fail-closed (block)
5339 }
5340 });
5341 if blocked {
5342 return false;
5343 }
5344 }
5345 match self.window.as_deref() {
5346 // No window → always allowed.
5347 None => true,
5348 // Window set: membership, or fail-closed if unparseable
5349 // (`window_contains` returns None for a corrupt window).
5350 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
5351 }
5352 }
5353
5354 /// Membership of a wall-clock time-of-day in the window. `None`
5355 /// when there is no window or it's unparseable (callers decide
5356 /// the failure direction). `start > end` crosses midnight.
5357 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
5358 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
5359 Some(if start <= end {
5360 start <= t && t < end
5361 } else {
5362 t >= start || t < end
5363 })
5364 }
5365}
5366
5367/// What to do when a fire's script fails (#418 Phase 4 — the "高"
5368/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
5369/// happens, `OnFailure` decides what happens *after* one ran and
5370/// came back bad. Only `retry` so far; future `notify` / `disable`
5371/// would join the same namespace.
5372#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5373pub struct OnFailure {
5374 /// Re-run the script in-process when it exits non-zero (or times
5375 /// out), up to a cap, with a fixed backoff between attempts.
5376 /// `None` (default) = no retry: a failed run is published as-is
5377 /// and (for reconcile cadences) simply re-fires on the next poll
5378 /// tick. See [`Retry`].
5379 #[serde(default, skip_serializing_if = "Option::is_none")]
5380 pub retry: Option<Retry>,
5381}
5382
5383impl OnFailure {
5384 /// `skip_serializing_if` helper — an empty policy is omitted from
5385 /// the wire format entirely.
5386 pub fn is_empty(&self) -> bool {
5387 self.retry.is_none()
5388 }
5389
5390 /// Lower the operator-facing `retry` (humantime backoff) onto the
5391 /// engine vocabulary the agent's executor runs on (backoff in
5392 /// whole seconds). Single seam shared by the backend command
5393 /// builder and the agent's local scheduler so the two stamp the
5394 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
5395 /// `None` when there is no retry policy or the backoff is
5396 /// unparseable (validate() rejects the latter at create time;
5397 /// this stays fail-safe = "no retry" for a hand-edited KV blob
5398 /// rather than panicking on the fire path).
5399 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
5400 let r = self.retry.as_ref()?;
5401 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
5402 Some(crate::wire::RetrySpec {
5403 max: r.max,
5404 backoff_secs,
5405 })
5406 }
5407}
5408
5409/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
5410/// *additional* attempts after the first run (so `max: 3` = up to 4
5411/// total executions); `backoff` is the humantime delay slept between
5412/// attempts. The retry happens fire-side (inside `kanade fire` /
5413/// `handle_command`) on every OS for the PoC — the Windows-native
5414/// "restart on failure" Task Scheduler path is deferred to the
5415/// native-delegation phase (#418 decision H).
5416#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5417pub struct Retry {
5418 /// Max additional attempts after the first failure. Bounded
5419 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
5420 /// with a short backoff would otherwise pin a flapping script in
5421 /// a tight loop for the whole window.
5422 pub max: u32,
5423 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
5424 pub backoff: String,
5425}
5426
5427/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
5428/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
5429/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
5430/// global* "stop all automated change" switch the operator flips
5431/// during an incident or a year-end change-freeze. It lives in its
5432/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
5433/// active, both the backend scheduler and every agent's local
5434/// scheduler skip *every* fire.
5435///
5436/// Shapes:
5437/// * `{}` (no bounds) — frozen indefinitely until the operator
5438/// clears it (incident "big red button").
5439/// * `{ from, until }` — frozen only within `[from, until)`,
5440/// evaluated in `tz` (planned change-freeze; auto-thaws).
5441///
5442/// The KV key being *absent* means "not frozen" — so clearing the
5443/// freeze is a KV delete, and `is_active` only ever runs on a freeze
5444/// the operator actually set.
5445#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5446pub struct Freeze {
5447 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
5448 /// `tz`). `None` ⇒ frozen from the beginning of time.
5449 #[serde(default, skip_serializing_if = "Option::is_none")]
5450 pub from: Option<String>,
5451 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
5452 /// no scheduled end (manual clear required).
5453 #[serde(default, skip_serializing_if = "Option::is_none")]
5454 pub until: Option<String>,
5455 /// Operator-supplied note surfaced on the freeze-skip log and the
5456 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
5457 #[serde(default, skip_serializing_if = "Option::is_none")]
5458 pub reason: Option<String>,
5459 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
5460 /// carry their own offset). Defaults to host-local like a
5461 /// schedule's `tz`.
5462 #[serde(default)]
5463 pub tz: ScheduleTz,
5464}
5465
5466impl Freeze {
5467 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
5468 /// both absent) is frozen unconditionally; otherwise membership of
5469 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
5470 /// but **fails CLOSED** on an unparseable bound — a freeze is a
5471 /// safety switch, so a corrupt window (only reachable via a
5472 /// hand-edited KV blob; `validate` rejects it at set time) must
5473 /// mean "frozen", not "fire normally" (coderabbit #472). This is
5474 /// the one deliberate divergence from `active`'s fail-OPEN
5475 /// behaviour, where an unparseable bound dormant-skips a schedule.
5476 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
5477 // Parse a bound; an unparseable one short-circuits the whole
5478 // check to `true` (frozen) via the closure's `None` sentinel
5479 // handled below.
5480 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
5481 match s.as_deref() {
5482 None => Ok(None),
5483 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
5484 }
5485 };
5486 let (from, until) = match (bound(&self.from), bound(&self.until)) {
5487 (Ok(f), Ok(u)) => (f, u),
5488 // Any corrupt bound → fail closed (frozen).
5489 _ => return true,
5490 };
5491 if from.is_some_and(|f| now < f) {
5492 return false;
5493 }
5494 if until.is_some_and(|u| now >= u) {
5495 return false;
5496 }
5497 true
5498 }
5499
5500 /// Reject unparseable bounds / `from >= until` at set time (the
5501 /// API + CLI counterpart to [`Schedule::validate`]).
5502 pub fn validate(&self) -> Result<(), String> {
5503 let from = self
5504 .from
5505 .as_deref()
5506 .map(|s| Active::parse_bound(s, self.tz))
5507 .transpose()
5508 .map_err(|e| e.replace("active:", "freeze:"))?;
5509 let until = self
5510 .until
5511 .as_deref()
5512 .map(|s| Active::parse_bound(s, self.tz))
5513 .transpose()
5514 .map_err(|e| e.replace("active:", "freeze:"))?;
5515 if let (Some(f), Some(u)) = (from, until) {
5516 if f >= u {
5517 return Err(format!(
5518 "freeze.from ({}) must be strictly before freeze.until ({})",
5519 self.from.as_deref().unwrap_or_default(),
5520 self.until.as_deref().unwrap_or_default(),
5521 ));
5522 }
5523 }
5524 Ok(())
5525 }
5526}
5527
5528/// The system-generated poll cadence every reconcile-shaped `when`
5529/// lowers to. Operators never write this: the real inter-run
5530/// spacing is the `every` cooldown; this only bounds "how soon do
5531/// we notice somebody is due" (#418 decision B took the poll
5532/// period away from the operator).
5533pub const POLL_CRON: &str = "0 * * * * *";
5534
5535/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
5536/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
5537/// unchanged is what lets Phase 1 swap the operator surface without
5538/// touching the tick / dedup machinery.
5539pub struct Lowered {
5540 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
5541 /// reconcile shapes, a 6/7-field cron for calendar shapes.
5542 pub cron: String,
5543 /// Dedup semantics for `decide_fire`.
5544 pub mode: ExecMode,
5545 /// Humantime re-arm interval (`None` = succeed once, skip
5546 /// forever).
5547 pub cooldown: Option<String>,
5548 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
5549 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
5550 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
5551 /// so the same value drives the `active`-window check.
5552 pub tz: ScheduleTz,
5553}
5554
5555impl Schedule {
5556 /// The error message if this schedule's `constraints.window` is
5557 /// set but unparseable, else `None`. The scheduler logs this at
5558 /// register time so a fail-closed (never-firing) schedule from a
5559 /// hand-edited KV blob is diagnosable (gemini #452 review).
5560 pub fn bad_window(&self) -> Option<String> {
5561 let w = self.constraints.window.as_deref()?;
5562 Constraints::parse_window(w).err()
5563 }
5564
5565 /// True when this is a `calendar` schedule whose fire time can
5566 /// never fall inside its `constraints.window` — the cron fires,
5567 /// the window check rejects it, and (firing only at that
5568 /// time-of-day) it effectively never runs. An easy misconfig to
5569 /// set up by accident; the scheduler warns at register time
5570 /// (claude #452 review). Reconcile shapes poll every minute, so
5571 /// they always catch the window opening and aren't affected.
5572 pub fn calendar_outside_window(&self) -> bool {
5573 let When::Calendar(c) = &self.when else {
5574 return false;
5575 };
5576 let Some(t) = c.fire_time() else {
5577 return false;
5578 };
5579 matches!(self.constraints.window_contains(t), Some(false))
5580 }
5581
5582 /// Up to `count` future instants this schedule will fire, as
5583 /// absolute UTC, strictly after `now` — the dry-run / preview
5584 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
5585 /// schedules have discrete fire times; reconcile shapes
5586 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
5587 /// they return an empty vec and the caller describes the cadence
5588 /// instead. Occurrences outside the `active.{from,until}` window or
5589 /// the `constraints.window` are **skipped**, so the list reflects
5590 /// when the schedule will ACTUALLY run, not the raw cron ticks.
5591 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
5592 /// `Job::new_async_tz`, and with the same croner config the
5593 /// scheduler / [`Schedule::validate`] use, so a preview can never
5594 /// disagree with a real fire. A schedule that can never fire (a
5595 /// calendar time wholly outside its window, a past one-shot,
5596 /// `enabled: false` is *not* considered here — callers gate on
5597 /// `enabled` separately) yields an empty vec.
5598 pub fn preview_fires(
5599 &self,
5600 now: chrono::DateTime<chrono::Utc>,
5601 count: usize,
5602 ) -> Vec<chrono::DateTime<chrono::Utc>> {
5603 use croner::parser::{CronParser, Seconds};
5604 if !matches!(self.when, When::Calendar(_)) {
5605 return Vec::new();
5606 }
5607 // Same lowering + croner config as `next_calendar_fire` and the
5608 // live scheduler, so a preview can never disagree with a real
5609 // fire. `preview_fires` adds the N-occurrence walk and the
5610 // active / window filtering on top of that single seam.
5611 let lowered = self.lowered();
5612 let Ok(cron) = CronParser::builder()
5613 .seconds(Seconds::Required)
5614 .dom_and_dow(true)
5615 .build()
5616 .parse(&lowered.cron)
5617 else {
5618 return Vec::new();
5619 };
5620 let accept = |utc: chrono::DateTime<chrono::Utc>| {
5621 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
5622 };
5623 match self.tz {
5624 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
5625 ScheduleTz::Local => {
5626 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
5627 }
5628 }
5629 }
5630
5631 /// Walk croner forward from `after` collecting up to `count`
5632 /// accepted occurrences (converted to UTC). Generic over the tz the
5633 /// cron is evaluated in so `preview_fires` can run it in either
5634 /// `Utc` or `Local` without duplicating the loop.
5635 fn next_occurrences<Tz>(
5636 cron: &croner::Cron,
5637 after: chrono::DateTime<Tz>,
5638 count: usize,
5639 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
5640 ) -> Vec<chrono::DateTime<chrono::Utc>>
5641 where
5642 Tz: chrono::TimeZone,
5643 {
5644 // Bound the scan so an `active`/window dead-end (every future
5645 // tick rejected) can't spin forever: ~4096 raw ticks covers
5646 // >10y of a daily calendar while staying instant for croner.
5647 const SCAN_CAP: usize = 4096;
5648 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
5649 let mut cursor = after;
5650 let mut scanned = 0usize;
5651 while out.len() < count && scanned < SCAN_CAP {
5652 scanned += 1;
5653 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
5654 break;
5655 };
5656 let utc = next.with_timezone(&chrono::Utc);
5657 if accept(utc) {
5658 out.push(utc);
5659 }
5660 // `find_next_occurrence(.., inclusive = false)` already
5661 // advances strictly past `cursor`, so handing it `next`
5662 // verbatim gets the following occurrence — no manual +1s
5663 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
5664 cursor = next;
5665 }
5666 out
5667 }
5668
5669 /// Lower the operator-facing `when` onto the engine vocabulary.
5670 /// Single seam shared by the backend scheduler and the agent's
5671 /// local scheduler so the two can never drift.
5672 pub fn lowered(&self) -> Lowered {
5673 let tz = self.tz;
5674 match &self.when {
5675 When::PerPc(p) => Lowered {
5676 cron: POLL_CRON.into(),
5677 mode: ExecMode::OncePerPc,
5678 cooldown: p.cooldown(),
5679 tz,
5680 },
5681 When::PerTarget(p) => Lowered {
5682 cron: POLL_CRON.into(),
5683 mode: ExecMode::OncePerTarget,
5684 cooldown: p.cooldown(),
5685 tz,
5686 },
5687 // `to_cron` only fails on a malformed `at` (rejected by
5688 // validate() at create time). For a hand-edited KV blob
5689 // that slipped past, emit a deliberately-invalid cron so
5690 // register()'s Job::new_async_tz fails → warn+skip,
5691 // rather than firing at the wrong time.
5692 When::Calendar(c) => Lowered {
5693 cron: c
5694 .to_cron()
5695 .unwrap_or_else(|_| "# invalid calendar at".into()),
5696 mode: ExecMode::EveryTick,
5697 cooldown: None,
5698 tz,
5699 },
5700 // Event triggers have no cron — the agent fires them from an
5701 // OS event source. The `# event-trigger` cron is never
5702 // registered (the scheduler branches on `is_event()` first),
5703 // but keep it deliberately-invalid as a belt-and-suspenders
5704 // so a stray registration would fail rather than misfire.
5705 When::On(_) => Lowered {
5706 cron: "# event-trigger (no cron)".into(),
5707 mode: ExecMode::Event,
5708 cooldown: None,
5709 tz,
5710 },
5711 }
5712 }
5713
5714 /// True when this schedule fires from an OS event (`when: { on }`)
5715 /// rather than a clock — the agent skips `tokio-cron` registration
5716 /// for these and drives them from boot / session-change instead.
5717 pub fn is_event(&self) -> bool {
5718 matches!(self.when, When::On(_))
5719 }
5720
5721 /// The OS event triggers this schedule listens for, or `&[]` when it
5722 /// is not an event schedule.
5723 pub fn event_triggers(&self) -> &[OnTrigger] {
5724 match &self.when {
5725 When::On(t) => t,
5726 _ => &[],
5727 }
5728 }
5729
5730 /// The next absolute (UTC) time this schedule fires, or `None` when
5731 /// it has no discrete upcoming fire to preview.
5732 ///
5733 /// Used by the KLP `maintenance.list` preview ("what's about to
5734 /// happen on my PC", SPEC §2.1). Returns `None` for:
5735 ///
5736 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
5737 /// every-minute [`POLL_CRON`] and re-converge state continuously,
5738 /// so "next fire" is always ~60s away and means nothing to a user
5739 /// previewing upcoming maintenance;
5740 /// - a calendar schedule whose lowered cron won't parse (a
5741 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
5742 /// - a cron with no future occurrence.
5743 ///
5744 /// The wall-clock fire is evaluated in the schedule's own `tz`
5745 /// (matching the live tick's `Job::new_async_tz`) then normalised
5746 /// to UTC for the wire. `inclusive = false`: strictly the *next*
5747 /// fire after `now`, never one matching the current instant.
5748 pub fn next_calendar_fire(
5749 &self,
5750 now: chrono::DateTime<chrono::Utc>,
5751 ) -> Option<chrono::DateTime<chrono::Utc>> {
5752 if !matches!(self.when, When::Calendar(_)) {
5753 return None;
5754 }
5755 let lowered = self.lowered();
5756 // Same parser configuration tokio-cron-scheduler 0.15 uses
5757 // internally, so this can never compute a fire the live
5758 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
5759 let cron = croner::parser::CronParser::builder()
5760 .seconds(croner::parser::Seconds::Required)
5761 .dom_and_dow(true)
5762 .build()
5763 .parse(&lowered.cron)
5764 .ok()?;
5765 match lowered.tz {
5766 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
5767 ScheduleTz::Local => {
5768 let now_local = now.with_timezone(&chrono::Local);
5769 cron.find_next_occurrence(&now_local, false)
5770 .ok()
5771 .map(|t| t.with_timezone(&chrono::Utc))
5772 }
5773 }
5774 }
5775
5776 /// Cross-field semantic checks that don't fit pure serde derive
5777 /// — the [`Manifest::validate`] counterpart (#418 decision F;
5778 /// pre-Phase-1 a broken schedule was accepted at create time
5779 /// and silently warn-skipped at tick time). Run at every create
5780 /// site: `kanade schedule create` (client-side) and
5781 /// `POST /api/schedules`. The job_id-exists check lives in the
5782 /// API handler instead — it needs the JOBS KV.
5783 pub fn validate(&self) -> Result<(), String> {
5784 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
5785 return Err(
5786 "when.per_target needs fleet-wide completion data and is backend-only; \
5787 it cannot be combined with runs_on: agent (each agent self-schedules, \
5788 so per-target dedup would be deduping across a target of 1)"
5789 .into(),
5790 );
5791 }
5792 // #418 event triggers: the agent owns the OS event source
5793 // (boot / session-change), so `when: { on }` is agent-only and
5794 // needs at least one trigger.
5795 if let When::On(triggers) = &self.when {
5796 if !matches!(self.runs_on, RunsOn::Agent) {
5797 return Err(
5798 "when.on (OS event trigger) is fired by the agent's own event \
5799 source, so it requires runs_on: agent"
5800 .into(),
5801 );
5802 }
5803 if triggers.is_empty() {
5804 return Err(
5805 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
5806 );
5807 }
5808 }
5809 if let Some(cd) = self.lowered().cooldown.as_deref() {
5810 humantime::parse_duration(cd)
5811 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
5812 }
5813 if let When::Calendar(c) = &self.when {
5814 // Lower the calendar form to its cron (catches a bad `at`
5815 // and the date+days conflict), then validate that cron
5816 // with the same parser configuration tokio-cron-scheduler
5817 // 0.15 uses internally (croner, seconds required,
5818 // DOM-and-DOW both honored, year optional) — create-time
5819 // validation can never accept what register() rejects.
5820 let cron = c.to_cron()?;
5821 croner::parser::CronParser::builder()
5822 .seconds(croner::parser::Seconds::Required)
5823 .dom_and_dow(true)
5824 .build()
5825 .parse(&cron)
5826 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
5827 }
5828 // The other humantime strings on the schedule (claude #419
5829 // review): runtime degrades gracefully on both (bad jitter →
5830 // silent no-op, bad starting_deadline → warn + skipped tick),
5831 // but "rejected at create time" should cover every field the
5832 // operator can typo, not just `when`.
5833 if let Some(j) = &self.plan.jitter {
5834 humantime::parse_duration(j)
5835 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
5836 }
5837 if let Some(sd) = &self.starting_deadline {
5838 humantime::parse_duration(sd)
5839 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
5840 }
5841 let from = self
5842 .active
5843 .from
5844 .as_deref()
5845 .map(|s| Active::parse_bound(s, self.tz))
5846 .transpose()?;
5847 let until = self
5848 .active
5849 .until
5850 .as_deref()
5851 .map(|s| Active::parse_bound(s, self.tz))
5852 .transpose()?;
5853 if let (Some(f), Some(u)) = (from, until) {
5854 if f >= u {
5855 return Err(format!(
5856 "active.from ({}) must be strictly before active.until ({})",
5857 self.active.from.as_deref().unwrap_or_default(),
5858 self.active.until.as_deref().unwrap_or_default(),
5859 ));
5860 }
5861 }
5862 // #418 Phase 3: a bad maintenance window is rejected at create
5863 // time (parse_window also catches equal bounds).
5864 if let Some(w) = self.constraints.window.as_deref() {
5865 Constraints::parse_window(w)?;
5866 }
5867 // #418 holiday exclusion: reject a malformed skip date at create
5868 // time so the fail-closed `allows` path only ever bites a
5869 // hand-edited KV blob, not a fresh `kanade schedule create`.
5870 if let Some(err) = self.constraints.bad_skip_date() {
5871 return Err(err);
5872 }
5873 // #418: constraints.max_concurrent is a central running-instance
5874 // cap, so it needs the backend's counter — reject it on
5875 // runs_on: agent (decision E), and reject a meaningless 0.
5876 if let Some(mc) = self.constraints.max_concurrent {
5877 // Check the structural incompatibility (agent has no central
5878 // counter) before the value range, so a `max_concurrent: 0`
5879 // + `runs_on: agent` combo reports the more fundamental
5880 // problem first (claude #542).
5881 if matches!(self.runs_on, RunsOn::Agent) {
5882 return Err(
5883 "constraints.max_concurrent needs a central counter and is backend-only; \
5884 it cannot be combined with runs_on: agent (each agent self-schedules, \
5885 so there is no fleet-wide count to cap against)"
5886 .into(),
5887 );
5888 }
5889 if mc == 0 {
5890 return Err(
5891 "constraints.max_concurrent must be >= 1 (0 would never fire; \
5892 omit it for no cap)"
5893 .into(),
5894 );
5895 }
5896 }
5897 // #418: constraints.require (host-state env gates: ac_power /
5898 // idle / cpu_below / network) is sensed in-process by the agent,
5899 // so it needs runs_on: agent — the backend can't read a target
5900 // host's power / idle / cpu / connectivity state. Symmetric with
5901 // `when: { on }` (also agent-only); inverse of max_concurrent
5902 // (backend-only).
5903 if let Some(req) = &self.constraints.require {
5904 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
5905 return Err(
5906 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
5907 network) is sensed in-process by the agent and needs runs_on: agent; the \
5908 backend cannot read a target host's power / idle / cpu / connectivity state"
5909 .into(),
5910 );
5911 }
5912 // Reject a malformed idle duration at create time so the
5913 // fail-closed runtime path only ever bites a hand-edited
5914 // KV blob (mirror skip_dates / on_failure.retry).
5915 if let Some(err) = req.bad_idle() {
5916 return Err(err);
5917 }
5918 // cpu_below is a percent — reject out-of-range so a typo
5919 // can't make a schedule that never (>=100 is always-busy?
5920 // no — <0 never matches) or trivially fires.
5921 if let Some(c) = req.cpu_below
5922 && !(c > 0.0 && c <= 100.0)
5923 {
5924 return Err(format!(
5925 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
5926 omit it for no CPU requirement"
5927 ));
5928 }
5929 }
5930 // #418 Phase 4: a bad on_failure.retry is rejected at create
5931 // time — backoff must be valid humantime, and max is bounded
5932 // so a typo can't pin a flapping script in a tight loop.
5933 if let Some(r) = &self.on_failure.retry {
5934 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
5935 format!(
5936 "on_failure.retry.backoff: invalid duration '{}': {e}",
5937 r.backoff
5938 )
5939 })?;
5940 // The wire form lowers backoff to whole seconds, so a
5941 // sub-second value would silently become a 0s no-wait
5942 // (coderabbit #466). Reject it rather than honour a backoff
5943 // the operator can't actually get.
5944 if backoff.as_secs() < 1 {
5945 return Err(format!(
5946 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
5947 round to 0 on the wire",
5948 r.backoff
5949 ));
5950 }
5951 if !(1..=10).contains(&r.max) {
5952 return Err(format!(
5953 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
5954 attempts after the first run",
5955 r.max
5956 ));
5957 }
5958 }
5959 // A blank / whitespace-only tag renders an empty filter chip on
5960 // the Schedules page — reject it at create time, mirroring the
5961 // Manifest::validate tag guard.
5962 for tag in &self.tags {
5963 if tag.trim().is_empty() {
5964 return Err("tags must not contain empty entries".to_string());
5965 }
5966 }
5967 Ok(())
5968 }
5969}
5970
5971fn default_true() -> bool {
5972 true
5973}