kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::ipc::jobs::JobCategory;
4use crate::wire::{RunAs, Shell, Staleness};
5
6/// YAML job manifest (= registered "what to run", v0.18.0+).
7///
8/// Owns only script-intrinsic fields. **Who** (`target`), **how to
9/// phase fanout** (`rollout`), and **when to stagger start**
10/// (`jitter`) all moved to the Schedule / exec request side — same
11/// script can now be fired against different targets / rollouts
12/// without copying the script body.
13///
14/// #492: these types are READ fleet-wide (agents decode them from
15/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
16/// must tolerate unknown fields — `deny_unknown_fields` here made a
17/// gradually-upgrading fleet's OLD agents reject the whole object
18/// the moment a newer backend added any field. Operator typo
19/// protection (the old reason for the attribute) lives at the WRITE
20/// boundaries instead: `kanade job/schedule create` and the backend
21/// POST extractor parse via [`crate::strict`], which rejects unknown
22/// keys with their full paths. The wire rule: new fields always get
23/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
24/// may still be strict).
25#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
26pub struct Manifest {
27 pub id: String,
28 pub version: String,
29 #[serde(default)]
30 pub description: Option<String>,
31 pub execute: Execute,
32 #[serde(default)]
33 pub require_approval: bool,
34 /// Opt-in marker that this job produces a JSON inventory fact
35 /// payload on stdout. When present, the backend's results
36 /// projector parses `ExecResult.stdout` as JSON and upserts an
37 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
38 /// `display` sub-config drives the SPA's Inventory page render.
39 #[serde(default)]
40 pub inventory: Option<InventoryHint>,
41 /// Issue #246: opt-in marker that this job emits per-line
42 /// observability events on stdout (one JSON `ObsEvent` per
43 /// newline). When present, the agent — after the script exits
44 /// successfully — parses each non-empty stdout line as an
45 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
46 /// `obs_outbox`, and (intentionally) **omits the stdout from
47 /// the `ExecResult`** so the timeline data doesn't double up
48 /// in `execution_results.stdout` (which would multiply rows
49 /// by ~50/day/PC of noise).
50 ///
51 /// Distinct from `inventory:` (single JSON object → projector
52 /// upsert) — events are append-only timeline points consumed
53 /// by the dedicated `obs_events` table.
54 #[serde(default)]
55 pub emit: Option<EmitConfig>,
56 /// #290: opt-in marker that this job is an operator-defined
57 /// **health check** whose result feeds the Client App's Health
58 /// tab over KLP (`StateSnapshot.checks`). The script prints a
59 /// free-form JSON object on stdout (like any inventory job); the
60 /// agent reads the [`CheckHint::status_field`] value dynamically
61 /// into a [`crate::ipc::state::Check`] named `check.name`.
62 /// Cadence / windows / conditions come from
63 /// the job's Schedule (exactly like inventory) — there is
64 /// deliberately no interval here. **Composes with `inventory:`**:
65 /// the script's stdout is one JSON object, so a check can also
66 /// carry an `inventory:` block to project the rest of that object
67 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
68 /// `emit:` (NDJSON stdout) is incompatible.
69 #[serde(default)]
70 pub check: Option<CheckHint>,
71 /// #219: opt-in marker that this job COLLECTS files into a bundle.
72 /// The script does the collection work and prints a single JSON
73 /// object on stdout carrying a `files` array of paths (the field
74 /// name is [`CollectHint::files_field`], default `"files"`); the
75 /// agent — after the script exits successfully — zips those files,
76 /// uploads the archive to the `OBJECT_COLLECTIONS` Object Store
77 /// bucket (key `<pc_id>/<job_id>/<timestamp>.zip`), and records the
78 /// key in [`crate::wire::ExecResult::collect_object`]. The operator
79 /// downloads bundles from the SPA Collect page.
80 ///
81 /// Like `inventory:` / `check:` this reads a JSON object from stdout,
82 /// but it consumes that stdout for its OWN contract (a `files`
83 /// list), so it is mutually exclusive with `inventory:` / `check:` /
84 /// `emit:` (enforced in [`Manifest::validate`]). It composes with
85 /// `client:` — a `collect:` + `client:` job lets an end user trigger
86 /// a collection from the Client App (the same-host agent runs it).
87 #[serde(default, skip_serializing_if = "Option::is_none")]
88 pub collect: Option<CollectHint>,
89 /// #720: opt-in declarative aggregation over `obs_events` that drives
90 /// the SPA **Analytics** page. Unlike the other hints this one never
91 /// touches stdout and is never delivered to the agent — it's a pure
92 /// *read spec* the backend reads from `BUCKET_JOBS` at query time and
93 /// turns into `json_extract` aggregation SQL. Each entry is one widget
94 /// (a `dashboard:` tab groups them); `scope:` selects per-PC vs
95 /// fleet-wide rollup. Because it consumes nothing at run time it
96 /// composes with every other hint (typically paired with `emit:`,
97 /// which produces the events it reads). See [`AggregateWidget`].
98 ///
99 /// New field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
100 #[serde(default, skip_serializing_if = "Option::is_none")]
101 pub aggregate: Option<Vec<AggregateWidget>>,
102 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
103 /// what the agent does at fire time when it can't verify the
104 /// `script_current` / `script_status` KV values are fresh —
105 /// especially relevant for `runs_on: agent` schedules where
106 /// the agent may fire from cache while offline. Defaults to
107 /// `Staleness::Cached` (silently use cached values), which
108 /// matches every pre-v0.26 Manifest.
109 #[serde(default)]
110 pub staleness: Staleness,
111 /// #291: opt-in marker that this job is offered to **end users**
112 /// in the Client App's job tabs over KLP (`jobs.list` →
113 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
114 /// [`emit`]: the block's mere presence is the opt-in, and it
115 /// groups the end-user presentation fields (name / category /
116 /// icon) that only make sense for a user-facing job. `None`
117 /// (the default) ⇒ an operator-only job — inventory, checks,
118 /// scheduled maintenance — that never surfaces in the catalog.
119 ///
120 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
121 /// (SPEC §2.1), so removing the block takes a job out of a
122 /// running client on its next action.
123 ///
124 /// [`inventory`]: Manifest::inventory
125 /// [`check`]: Manifest::check
126 /// [`emit`]: Manifest::emit
127 #[serde(default, skip_serializing_if = "Option::is_none")]
128 pub client: Option<ClientHint>,
129 /// Free-form operator taxonomy for the Jobs catalog. Purely a
130 /// SPA-side organisational aid — agents / scheduler / projector
131 /// never read it — so it carries no runtime semantics and any
132 /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
133 /// cross-cut (a `check-bitlocker` is at once a health-check, a
134 /// security control, and Windows-specific), which is why this is
135 /// a multi-valued list rather than the single closed-enum
136 /// [`ClientHint::category`] (whose values are the end-user Client
137 /// App's tabs, a different concern). The operator Jobs page groups
138 /// rows by id-prefix for free; tags add the orthogonal filter axis
139 /// prefixes can't express.
140 ///
141 /// Empty by default (the overwhelming majority of jobs), and a
142 /// new field, so it follows the #492 wire rule: `serde(default)`
143 /// plus `skip_serializing_if` keep gradually-upgrading old readers
144 /// from tripping over its absence / presence.
145 #[serde(default, skip_serializing_if = "Vec::is_empty")]
146 pub tags: Vec<String>,
147 /// GitOps provenance (#678) — see [`RepoOrigin`]. Stamped by
148 /// `kanade job create` when the source YAML lives inside a Git work
149 /// tree, so the SPA can render the job read-only and point edits
150 /// back at the repo instead of letting a ClickOps edit silently
151 /// diverge from Git (SPEC design principle #3: 設定駆動 YAML + Git).
152 /// `None` for SPA-born jobs and for manifests applied from outside
153 /// any Git repo. Purely informational: agents / scheduler /
154 /// projector never read it, and it survives `script_file:` inlining
155 /// (it's orthogonal to the exactly-one-of script-source rule). New
156 /// field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
157 #[serde(default, skip_serializing_if = "Option::is_none")]
158 pub origin: Option<RepoOrigin>,
159}
160
161/// GitOps provenance for a repo-managed YAML artifact — a [`Manifest`]
162/// (#678) or a [`Schedule`] (#695). Populated by `kanade job create` /
163/// `kanade schedule create` from the Git context of the source YAML;
164/// the SPA reads it to render Git-managed entries read-only and link
165/// the operator back at the repo. Never consulted by the runtime.
166#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
167pub struct RepoOrigin {
168 /// Repo-relative path of the source YAML — the primary edit target
169 /// the SPA surfaces (e.g. `configs/jobs/foo.yaml`). Forward slashes
170 /// regardless of the authoring OS.
171 pub path: String,
172 /// `origin` remote URL, when the repo has one. Lets the SPA turn
173 /// `path` into a clickable link; `None` for remote-less repos.
174 #[serde(default, skip_serializing_if = "Option::is_none")]
175 pub repo: Option<String>,
176 /// Repo-relative path of the `script_file:` a job manifest inlined,
177 /// when it used one — a secondary pointer shown beneath `path`.
178 /// Always `None` for schedules (they carry no script).
179 #[serde(default, skip_serializing_if = "Option::is_none")]
180 pub script_file: Option<String>,
181}
182
183/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
184/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
185/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
186/// here keeps the validation + serialisation logic in one place.
187#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
188pub struct FanoutPlan {
189 #[serde(default)]
190 pub target: Target,
191 /// Optional wave rollout — when present, the backend publishes
192 /// each wave's group subject on its own delay schedule instead
193 /// of fanning out the `target` block in one go. `target` then
194 /// only labels the deploy for the audit log.
195 #[serde(default, skip_serializing_if = "Option::is_none")]
196 pub rollout: Option<Rollout>,
197 /// Optional humantime jitter; agent uses it to randomise
198 /// execution start. Lives here (not on the script) so different
199 /// schedules / ad-hoc fires of the same job can pick different
200 /// stagger windows.
201 #[serde(default, skip_serializing_if = "Option::is_none")]
202 pub jitter: Option<String>,
203 /// Absolute time the scheduler stamps on each emitted Command
204 /// when this exec was driven by a [`Schedule`] with
205 /// `starting_deadline`. Agents receiving a Command after this
206 /// instant publish a synthetic skipped-result instead of
207 /// running the script. `None` (default) = no deadline / catch
208 /// up whenever delivered. Operators don't usually set this
209 /// directly — the scheduler computes it from `tick_at +
210 /// starting_deadline`.
211 #[serde(default, skip_serializing_if = "Option::is_none")]
212 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
213}
214
215/// Manifest sub-section: how the SPA should render the inventory
216/// facts this job produces. Each field name (`field`) is a top-level
217/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
218///
219/// Two render modes:
220/// * `display` — vertical "field / value" per PC, used by the
221/// `/inventory?pc=<id>` detail view. ALL columns the operator
222/// wants visible on the detail page.
223/// * `summary` — horizontal table across the fleet (row = PC,
224/// column = field) on `/inventory`. Optional; when omitted the
225/// SPA falls back to `display`, but operators usually want a
226/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
227#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
228pub struct InventoryHint {
229 /// Detail-view columns, in order.
230 pub display: Vec<DisplayField>,
231 /// Optional fleet-list columns (row = PC). Defaults to `display`
232 /// when omitted, but operators usually pick a 3-5 column subset.
233 #[serde(default, skip_serializing_if = "Option::is_none")]
234 pub summary: Option<Vec<DisplayField>>,
235 /// v0.31 / #40: payload arrays that should be exploded into
236 /// per-element rows of a derived SQLite table. Lets operators
237 /// answer cross-PC questions ("which PCs still have Chrome <
238 /// 120?", "C: >90% full") with normal SQL filters + indexes
239 /// instead of grepping JSON. The projector creates the derived
240 /// table on register and replaces this PC's rows on each result
241 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
242 /// [`ExplodeSpec`] for the per-spec schema.
243 #[serde(default, skip_serializing_if = "Option::is_none")]
244 pub explode: Option<Vec<ExplodeSpec>>,
245 /// v0.35 / #93: top-level scalar fields whose changes the
246 /// projector logs to `inventory_history` (one event per
247 /// changed field per scan). Pairs with `explode[].track_history`
248 /// — that covers array elements; this covers single-valued
249 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
250 /// `os_build` that operators want to track for "did the RAM
251 /// get upgraded?" / "when did Win 11 land on this PC?" /
252 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
253 /// in the history row, `identity_json` is NULL, `before_json`
254 /// / `after_json` each carry `{"value": <prior or new value>}`.
255 /// First-ever observation of a scalar (no prior facts row)
256 /// emits `added`; subsequent value changes emit `changed`. No
257 /// `removed` events — a scalar disappearing from the payload
258 /// is rare and the operator can still see the last value via
259 /// the `before_json` of the most recent change.
260 #[serde(default, skip_serializing_if = "Option::is_none")]
261 pub history_scalars: Option<Vec<String>>,
262}
263
264/// Manifest sub-section (#290): marks a job as an operator-defined
265/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
266/// The stdout contract is a free-form JSON object (same as any
267/// inventory job) from which the agent reads `status_field` /
268/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
269/// on the Client App's Health tab.
270///
271/// There is deliberately **no timing field** — when / how often /
272/// in which window a check runs is driven by the job's Schedule,
273/// exactly like inventory jobs, so operators get the full `when:` /
274/// rollout / `runs_on` expressiveness for free.
275///
276/// A check's stdout is a **free-form inventory object** (arbitrary
277/// key/value pairs + arrays) — same as any inventory job — that also
278/// carries a status field. `check:` adds only the health semantics on
279/// top: which field is the ok/warn/fail/unknown status, an optional
280/// one-line summary field, and a remediation job. Everything else
281/// (rich per-PC detail, `explode` sub-tables like a software list) is
282/// driven by a co-present [`InventoryHint`] and rendered with the
283/// SAME display logic the SPA Inventory page uses — on the Client App
284/// too. This keeps checks maximally expressive without a bespoke
285/// payload type.
286#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
287pub struct CheckHint {
288 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
289 /// the SPA/Client React key + analytics label. Unique within the
290 /// fleet's check set. Machine-friendly slug (`disk_space`,
291 /// `defender_rtp`); for the human-facing row title see [`label`].
292 ///
293 /// [`label`]: CheckHint::label
294 pub name: String,
295 /// Optional human-facing display title →
296 /// [`Check.label`](crate::ipc::state::Check). The Client App's
297 /// Health tab and the operator SPA's Compliance page render this
298 /// instead of the [`name`](CheckHint::name) slug when set
299 /// (`"ウイルス対策のリアルタイム保護"` reads better than
300 /// `defender_rtp`). Falls back to the slug when absent, so it's
301 /// purely additive. Author it in the check's language — there's no
302 /// per-locale variant; checks are operator-defined per fleet.
303 #[serde(default, skip_serializing_if = "Option::is_none")]
304 pub label: Option<String>,
305 /// Top-level stdout field whose string value
306 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
307 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
308 /// `"status"`; a missing / unparseable value → `unknown`.
309 #[serde(default = "default_status_field")]
310 pub status_field: String,
311 /// Top-level stdout field used as the Health-tab row's one-line
312 /// summary. Defaults to `"detail"`; absent in the payload → no
313 /// detail line (the rich breakdown lives in the inventory view).
314 #[serde(default = "default_detail_field")]
315 pub detail_field: String,
316 /// Optional remediation job id →
317 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
318 /// App shows a "修復する" button when present; that job must be
319 /// `user_invokable`.
320 #[serde(default, skip_serializing_if = "Option::is_none")]
321 pub troubleshoot: Option<String>,
322 /// #290 PR-E: when `true` (default), the backend also projects this
323 /// check's `status` / `detail` into the `check_status` table so the
324 /// operator SPA gets a fleet-wide compliance view for free — no
325 /// `inventory:` block needed. Set `fleet: false` for a client-only
326 /// check the operator doesn't want surfaced across the fleet.
327 #[serde(default = "default_fleet")]
328 pub fleet: bool,
329 /// Optional auto-notification on a compliance transition. When set, the
330 /// backend publishes an end-user notification the moment this check
331 /// transitions *into* one of [`CheckAlert::on`] (e.g. ok → fail) — to
332 /// the failing PC's user and/or operator groups. Fired once per
333 /// transition (not on every poll). Requires `fleet: true` (the alert
334 /// rides the same projection that fills `check_status`).
335 #[serde(default, skip_serializing_if = "Option::is_none")]
336 pub alert: Option<CheckAlert>,
337}
338
339/// Auto-notification rule for a [`CheckHint`] (compliance alerting). When a
340/// check's status transitions into one of [`on`](Self::on), the backend
341/// publishes a notification to the failing PC's user
342/// ([`notify_user`](Self::notify_user)) and/or operator groups
343/// ([`notify_groups`](Self::notify_groups)). Deliberately config-driven:
344/// who gets told, how loud, and the wording all live in the manifest, not
345/// hardcoded in the backend.
346#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
347pub struct CheckAlert {
348 /// Statuses that fire the alert on *transition into* them (a check that
349 /// stays failing doesn't re-alert every poll). Defaults to `[fail]`.
350 /// `ok` is not representable — [`CheckAlertStatus`] has no `Ok` variant,
351 /// so a YAML `on: [ok]` fails to deserialize (before `validate()` is
352 /// even reached); "recovered" notifications are out of scope.
353 #[serde(default = "default_alert_on")]
354 pub on: Vec<CheckAlertStatus>,
355 /// Notify the user(s) on the failing PC (`notifications.pc.<pc_id>`).
356 #[serde(default)]
357 pub notify_user: bool,
358 /// Notify these operator groups (`notifications.group.<name>`).
359 #[serde(default, skip_serializing_if = "Vec::is_empty")]
360 pub notify_groups: Vec<String>,
361 /// Notification priority (colour/label only — toasting is the separate
362 /// `toast` flag). Defaults to `warn`.
363 #[serde(default = "default_alert_priority")]
364 pub priority: crate::ipc::notifications::NotificationPriority,
365 /// Require the recipient to click 確認 to dismiss.
366 #[serde(default)]
367 pub require_ack: bool,
368 /// Surface an OS toast (launches a closed Client App, Action Center
369 /// while locked). Recommended `true` for `notify_user` so a
370 /// non-emergency "your PC is non-compliant" nudge still reaches a user
371 /// whose app is closed.
372 #[serde(default)]
373 pub toast: bool,
374 /// Also send the alert by email, to every address mapped to the
375 /// `notify_groups` (via the `group_contacts` KV, edited on the SPA
376 /// Groups page). Opt-in: defaults to `false`, so an existing alert
377 /// never starts emailing on its own. Requires `notify_groups` to be
378 /// non-empty (there is no per-PC user email) and the backend's
379 /// `[mail]` config to be present; otherwise the email is a logged
380 /// no-op while the in-app/toast notification still fires.
381 #[serde(default)]
382 pub email: bool,
383 /// Notification title (required). May use the same `{…}` placeholders
384 /// as [`body`](Self::body).
385 pub title: String,
386 /// Notification body template. Placeholders: `{pc_id}`, `{name}` (check
387 /// slug), `{label}` (check label, falls back to slug), `{status}`,
388 /// `{detail}` (the check's one-line summary), `{last_logon}` (the PC's
389 /// last sign-in account). Absent → empty body.
390 #[serde(default, skip_serializing_if = "Option::is_none")]
391 pub body: Option<String>,
392}
393
394/// A check status that can trigger a [`CheckAlert`]. Mirrors the
395/// projected `check_status.status` values minus `ok` (alerting on `ok` is
396/// rejected at validation).
397#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
398#[serde(rename_all = "snake_case")]
399pub enum CheckAlertStatus {
400 Warn,
401 Fail,
402 Unknown,
403}
404
405impl CheckAlertStatus {
406 /// The wire string, matching the projected `check_status.status`.
407 pub fn as_str(self) -> &'static str {
408 match self {
409 Self::Warn => "warn",
410 Self::Fail => "fail",
411 Self::Unknown => "unknown",
412 }
413 }
414}
415
416fn default_alert_on() -> Vec<CheckAlertStatus> {
417 vec![CheckAlertStatus::Fail]
418}
419
420fn default_alert_priority() -> crate::ipc::notifications::NotificationPriority {
421 crate::ipc::notifications::NotificationPriority::Warn
422}
423
424fn default_status_field() -> String {
425 "status".to_string()
426}
427
428fn default_detail_field() -> String {
429 "detail".to_string()
430}
431
432fn default_fleet() -> bool {
433 true
434}
435
436fn default_files_field() -> String {
437 "files".to_string()
438}
439
440/// Fallback cap on a collect bundle's total input size when the
441/// manifest's `collect.max_size` is unset. 50 MB (decimal).
442pub const DEFAULT_COLLECT_MAX_SIZE: u64 = 50 * 1_000_000;
443
444/// Manifest sub-section (#219): marks a job as a **file collector** and
445/// carries how the collected bundle presents in the SPA. Parallel to
446/// [`InventoryHint`] / [`CheckHint`] — the block's presence is the
447/// opt-in. The script prints a single JSON object on stdout whose
448/// [`files_field`](CollectHint::files_field) key holds an array of file
449/// paths to bundle (env vars are expanded); the agent zips them and
450/// uploads to `OBJECT_COLLECTIONS`. See [`Manifest::collect`].
451#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
452pub struct CollectHint {
453 /// Operator/end-user-facing title for the collection, shown as the
454 /// bundle's heading on the SPA Collect page (and the Client App row
455 /// when paired with `client:`). Required; validated non-empty.
456 pub name: String,
457 /// Optional one-line description of what the bundle contains.
458 #[serde(default, skip_serializing_if = "Option::is_none")]
459 pub description: Option<String>,
460 /// Human-readable cap on the bundle's total input size
461 /// (`"50MB"`, `"500KB"`, `"1GiB"`). The agent refuses to build a
462 /// bundle whose listed files exceed this. `None` ⇒
463 /// [`DEFAULT_COLLECT_MAX_SIZE`]. Parsed by [`parse_size_bytes`];
464 /// [`Manifest::validate`] rejects an unparseable value at create
465 /// time.
466 ///
467 /// Note: this bounds the **uncompressed** bytes the agent reads off
468 /// disk, not the resulting zip. Text logs compress well, so the
469 /// download is usually much smaller; many tiny files add a little
470 /// per-entry zip overhead. Read it as "how much the agent reads +
471 /// packs", not "the exact download size".
472 #[serde(default, skip_serializing_if = "Option::is_none")]
473 pub max_size: Option<String>,
474 /// Top-level stdout JSON key holding the array of file paths to
475 /// bundle. Defaults to `"files"`.
476 #[serde(default = "default_files_field")]
477 pub files_field: String,
478}
479
480impl CollectHint {
481 /// The effective size cap in bytes — the parsed `max_size` or
482 /// [`DEFAULT_COLLECT_MAX_SIZE`] when unset. Assumes `max_size` (if
483 /// present) already passed [`Manifest::validate`]; falls back to the
484 /// default on a parse error rather than panicking on the fire path.
485 pub fn max_size_bytes(&self) -> u64 {
486 match &self.max_size {
487 Some(s) => parse_size_bytes(s).unwrap_or(DEFAULT_COLLECT_MAX_SIZE),
488 None => DEFAULT_COLLECT_MAX_SIZE,
489 }
490 }
491}
492
493/// Parse a human-readable byte size (`"50MB"`, `"500 KB"`, `"1GiB"`,
494/// `"1024"`). Decimal units (KB/MB/GB) are 1000-based; binary units
495/// (KiB/MiB/GiB) are 1024-based; a bare number (or `B`) is bytes.
496/// Case-insensitive. Shared by `collect.max_size` validation and the
497/// agent's bundle-size enforcement.
498pub fn parse_size_bytes(s: &str) -> Result<u64, String> {
499 let t = s.trim();
500 if t.is_empty() {
501 return Err("size must not be empty".to_string());
502 }
503 let split = t.find(|c: char| !c.is_ascii_digit()).unwrap_or(t.len());
504 let (num_str, unit_raw) = t.split_at(split);
505 if num_str.is_empty() {
506 return Err(format!("size '{s}': missing leading number"));
507 }
508 let num: u64 = num_str
509 .parse()
510 .map_err(|_| format!("size '{s}': bad number '{num_str}'"))?;
511 let mult: u64 = match unit_raw.trim().to_ascii_lowercase().as_str() {
512 "" | "b" => 1,
513 "kb" => 1_000,
514 "mb" => 1_000_000,
515 "gb" => 1_000_000_000,
516 "kib" => 1024,
517 "mib" => 1024 * 1024,
518 "gib" => 1024 * 1024 * 1024,
519 other => {
520 return Err(format!(
521 "size '{s}': unknown unit '{other}' (use B/KB/MB/GB/KiB/MiB/GiB)"
522 ));
523 }
524 };
525 num.checked_mul(mult)
526 .ok_or_else(|| format!("size '{s}': overflow"))
527}
528
529/// Manifest sub-section (#291): marks a job as **user-invokable**
530/// from the Client App and carries how it presents to the end user.
531/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
532/// the block's presence is the opt-in (no separate boolean), and its
533/// required fields (`name`, `category`) are enforced by serde at
534/// parse time, so a half-filled catalog entry fails
535/// `kanade job create` instead of rendering a nameless / tab-less row.
536///
537/// The agent maps this 1:1 into the KLP
538/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
539/// that `jobs.list` returns; the Client App renders one row per job in
540/// the tab named by `category`.
541#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
542pub struct ClientHint {
543 /// End-user-facing title for the job row. The operator-internal
544 /// `Manifest::id` slug is rarely what an end user should read, so
545 /// this is required (and validated non-empty by
546 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
547 pub name: String,
548 /// Optional one-line subtitle under `name` in the Client App.
549 /// Distinct from the operator-facing top-level
550 /// [`Manifest::description`] — this one is written for the end
551 /// user. Maps to `UserInvokableJob::display_description`.
552 #[serde(default, skip_serializing_if = "Option::is_none")]
553 pub description: Option<String>,
554 /// Which Client App tab the job lives in (`software_update` →
555 /// アップデート, `troubleshoot` → 困ったとき, `catalog` → software
556 /// catalog). Required — without it the agent can't place the job
557 /// in a tab.
558 pub category: JobCategory,
559 /// Optional icon hint for the job row — a lucide-react icon name
560 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
561 /// category's default icon. Surfaced verbatim in
562 /// `jobs.list[].icon`.
563 #[serde(default, skip_serializing_if = "Option::is_none")]
564 pub icon: Option<String>,
565}
566
567/// #720 — one widget on the SPA **Analytics** page: a declarative
568/// aggregation over the `obs_events` table. The backend reads these off
569/// `Manifest::aggregate` (from `BUCKET_JOBS`) at query time and builds
570/// the `json_extract` GROUP BY / time-bucket SQL from these generic
571/// primitives, so an operator can chart any emitted event without a Rust
572/// change. The reference shapes are the attendance dashboards
573/// (presence / app_sample / web_visit), but the same DSL covers logon /
574/// reboot / agent-health trends, etc.
575#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
576pub struct AggregateWidget {
577 /// Tab this widget lives under on the Analytics page. Widgets from
578 /// every job are collected and grouped by this label, so the same
579 /// string across jobs builds one multi-source dashboard. Required.
580 pub dashboard: String,
581 /// Widget heading. Required, validated non-empty.
582 pub title: String,
583 /// Optional one-line subtitle shown muted under the `title` on the
584 /// Analytics page — room for a unit, a caveat, or what the number
585 /// means ("samples × 2 min", "Security 4624 only"). Rejected if
586 /// present-but-blank.
587 #[serde(default, skip_serializing_if = "Option::is_none")]
588 pub description: Option<String>,
589 /// Optional sort weight (#743). Once the order-aware sort lands (PR2)
590 /// widgets render in `(order, dashboard, title)` order, so a lower
591 /// `order` pulls a widget — and its tab — earlier; equal/absent `order`
592 /// falls back to the alphabetical `(dashboard, title)` ordering. Treated
593 /// as `0` when unset, so a fleet with no `order` anywhere stays purely
594 /// alphabetical (today's behaviour); negatives are allowed to pin
595 /// something first. (This field only carries the value; the backend
596 /// applies it.)
597 #[serde(default, skip_serializing_if = "Option::is_none")]
598 pub order: Option<i32>,
599 /// `pc` rolls up a single selected PC; `fleet` rolls up all PCs
600 /// (and unlocks `group_by: pc_id` to rank PCs against each other).
601 /// Defaults to `pc`.
602 #[serde(default)]
603 pub scope: AggregateScope,
604 /// `obs_events.kind` this widget reads (e.g. `app_sample`,
605 /// `presence`, `unexpected_shutdown`). Required.
606 pub kind: String,
607 /// Optional `obs_events.source` filter, when one `kind` is emitted by
608 /// more than one collector.
609 #[serde(default, skip_serializing_if = "Option::is_none")]
610 pub source: Option<String>,
611 /// How to roll the matching events up. See [`AggregateAgg`].
612 pub agg: AggregateAgg,
613 /// Dotted JSON path (no `$.` prefix) to group by for `agg: count` /
614 /// `sum` — e.g. `foreground.app`. The literal `pc_id` is special:
615 /// it groups by the `pc_id` column (fleet ranking), not a payload
616 /// field. Omit for a single total. Required when `agg: sum` needs a
617 /// breakdown; for `agg: count` omitting it yields the grand total.
618 #[serde(default, skip_serializing_if = "Option::is_none")]
619 pub group_by: Option<String>,
620 /// Dotted JSON path to a boolean for `agg: ratio` (e.g. `active`):
621 /// the widget reports `true_count / total`. Required when `agg: ratio`.
622 #[serde(default, skip_serializing_if = "Option::is_none")]
623 pub bool_path: Option<String>,
624 /// Dotted JSON path to a number for `agg: sum`. Required when `agg: sum`.
625 #[serde(default, skip_serializing_if = "Option::is_none")]
626 pub value_path: Option<String>,
627 /// Optional value transform applied before grouping. Currently only
628 /// `host` (parse a URL down to its host) — used by the top-sites
629 /// widget, where SQLite can't parse a URL so the backend does it in
630 /// Rust. See [`AggregateTransform`].
631 #[serde(default, skip_serializing_if = "Option::is_none")]
632 pub transform: Option<AggregateTransform>,
633 /// Optional sampling cadence in minutes. When set, a `count` is also
634 /// reported as estimated time (`count × sample_minutes`) — e.g. a
635 /// 2-minute app sampler turns 11 samples into ~22 minutes. Must be ≥ 1.
636 #[serde(default, skip_serializing_if = "Option::is_none")]
637 #[schemars(range(min = 1))]
638 pub sample_minutes: Option<u32>,
639 /// Grouped values to drop from the rollup (e.g. `["LockApp"]` so the
640 /// lock screen doesn't top the app ranking). Empty by default.
641 #[serde(default, skip_serializing_if = "Vec::is_empty")]
642 pub exclude: Vec<String>,
643 /// Optional time bucketing — `hour` buckets events by local
644 /// hour-of-day for a `timeline` render. See [`AggregateTimeBucket`].
645 #[serde(default, skip_serializing_if = "Option::is_none")]
646 pub time_bucket: Option<AggregateTimeBucket>,
647 /// Top-N cap for grouped renders (`bar`). Defaults to 10 when unset.
648 #[serde(default, skip_serializing_if = "Option::is_none")]
649 #[schemars(range(min = 1))]
650 pub limit: Option<u32>,
651 /// Which widget the SPA draws. See [`AggregateRender`].
652 pub render: AggregateRender,
653}
654
655/// Per-PC vs fleet-wide rollup for an [`AggregateWidget`].
656#[derive(
657 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
658)]
659#[serde(rename_all = "lowercase")]
660#[non_exhaustive]
661pub enum AggregateScope {
662 /// Roll up the single PC the operator selected. The default.
663 #[default]
664 Pc,
665 /// Roll up across every PC. Unlocks `group_by: pc_id`.
666 Fleet,
667 /// #492 forward-compat catch-all — a Manifest is read fleet-wide, so
668 /// an older reader must tolerate a future variant rather than failing
669 /// to decode the whole job. The backend skips an `Unknown` widget.
670 #[serde(other)]
671 Unknown,
672}
673
674/// The rollup function for an [`AggregateWidget`].
675#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
676#[serde(rename_all = "lowercase")]
677#[non_exhaustive]
678pub enum AggregateAgg {
679 /// Row count, optionally grouped (`group_by`) and time-estimated
680 /// (`sample_minutes`).
681 Count,
682 /// `true_count / total` over `bool_path`.
683 Ratio,
684 /// Sum of `value_path`, optionally grouped.
685 Sum,
686 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
687 #[serde(other)]
688 Unknown,
689}
690
691/// Optional pre-grouping value transform for an [`AggregateWidget`].
692#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
693#[serde(rename_all = "lowercase")]
694#[non_exhaustive]
695pub enum AggregateTransform {
696 /// Parse the grouped value as a URL and keep only its host.
697 Host,
698 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
699 #[serde(other)]
700 Unknown,
701}
702
703/// Time bucketing for an [`AggregateWidget`] (drives a `timeline`).
704#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
705#[serde(rename_all = "lowercase")]
706#[non_exhaustive]
707pub enum AggregateTimeBucket {
708 /// Bucket by local hour-of-day (0–23), summed over the window.
709 Hour,
710 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
711 #[serde(other)]
712 Unknown,
713}
714
715/// Which visual the SPA renders an [`AggregateWidget`] as.
716#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
717#[serde(rename_all = "lowercase")]
718#[non_exhaustive]
719pub enum AggregateRender {
720 /// Ranked horizontal bars (a grouped `count` / `sum`).
721 Bar,
722 /// A single ratio dial (`agg: ratio`).
723 Gauge,
724 /// 24-hour activity strip (`time_bucket: hour`).
725 Timeline,
726 /// A single headline number (an ungrouped total).
727 Stat,
728 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
729 #[serde(other)]
730 Unknown,
731}
732
733/// True if `p` is a well-formed dotted JSON path of `[A-Za-z0-9_]`
734/// segments joined by single dots — the shape safe to bind into
735/// `json_extract(payload, '$.' || ?)`. The charset blocks injection; the
736/// segment check additionally rejects `"."`, `".foo"`, `"foo."`,
737/// `"foo..bar"`, which would pass the charset but produce a malformed
738/// `$.` path that errors at query time. Accepts `pc_id`, `foreground.app`,
739/// `active`, etc.
740fn is_valid_json_path(p: &str) -> bool {
741 !p.is_empty()
742 && p.split('.').all(|seg| {
743 !seg.is_empty() && seg.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
744 })
745}
746
747/// Per-widget validation for a list of [`AggregateWidget`]s — shared by
748/// the `aggregate:` job hint ([`Manifest::validate`]) and the standalone
749/// [`View`] resource (#743) so the two can't diverge. `field` names the
750/// containing key for error messages (`"aggregate"` or `"widgets"`).
751///
752/// Enforces: non-empty list; non-empty dashboard/title/kind; a
753/// blank-when-set `source`; rejection of any #492 `Unknown` enum
754/// (an operator typo at create time); safe dotted JSON paths; the value
755/// path each `agg` needs (and rejection of mis-paired ones); `pc_id`
756/// grouping only in `fleet` scope; `transform`/`limit`/`exclude` only with
757/// a `group_by`; positive `limit`/`sample_minutes`; `gauge`⇔`ratio`; and
758/// `timeline`⇔`time_bucket`.
759pub fn validate_aggregate_widgets(widgets: &[AggregateWidget], field: &str) -> Result<(), String> {
760 if widgets.is_empty() {
761 return Err(format!(
762 "`{field}:` must list at least one widget when present"
763 ));
764 }
765 for (i, w) in widgets.iter().enumerate() {
766 let at = format!("{field}[{i}]");
767 for (label, value) in [
768 ("dashboard", &w.dashboard),
769 ("title", &w.title),
770 ("kind", &w.kind),
771 ] {
772 if value.trim().is_empty() {
773 return Err(format!("{at}.{label} must not be empty"));
774 }
775 }
776 // A present-but-blank `source` is a no-op filter — reject like the
777 // other blank-when-set guards.
778 if let Some(source) = &w.source {
779 if source.trim().is_empty() {
780 return Err(format!("{at}.source must not be empty when set"));
781 }
782 }
783 // A present-but-blank `description` renders an empty muted line —
784 // reject it so the subtitle only shows when it says something.
785 if let Some(description) = &w.description {
786 if description.trim().is_empty() {
787 return Err(format!("{at}.description must not be empty when set"));
788 }
789 }
790 // Reject values that fell through to the #492 `Unknown` catch-all:
791 // at create time on the current version that's an operator typo. (A
792 // genuinely-future variant only reaches an older reader via a stored
793 // resource, which is never re-validated, so forward-compat holds.)
794 if w.scope == AggregateScope::Unknown {
795 return Err(format!("{at}.scope is not a known value (pc | fleet)"));
796 }
797 if w.agg == AggregateAgg::Unknown {
798 return Err(format!(
799 "{at}.agg is not a known value (count | ratio | sum)"
800 ));
801 }
802 if w.render == AggregateRender::Unknown {
803 return Err(format!(
804 "{at}.render is not a known value (bar | gauge | timeline | stat)"
805 ));
806 }
807 if w.transform == Some(AggregateTransform::Unknown) {
808 return Err(format!("{at}.transform is not a known value (host)"));
809 }
810 if w.time_bucket == Some(AggregateTimeBucket::Unknown) {
811 return Err(format!("{at}.time_bucket is not a known value (hour)"));
812 }
813 for (label, path) in [
814 ("group_by", &w.group_by),
815 ("bool_path", &w.bool_path),
816 ("value_path", &w.value_path),
817 ] {
818 if let Some(p) = path {
819 if !is_valid_json_path(p) {
820 return Err(format!(
821 "{at}.{label} '{p}' must be a dotted JSON path of [A-Za-z0-9_] segments"
822 ));
823 }
824 }
825 }
826 // Each agg uses exactly one value path; reject a mis-paired path so
827 // a typo fails at create rather than being ignored.
828 match w.agg {
829 // count: grouped → ranking, ungrouped → grand total.
830 AggregateAgg::Count => {
831 for (label, path) in [("bool_path", &w.bool_path), ("value_path", &w.value_path)] {
832 if path.is_some() {
833 return Err(format!("{at}.agg=count does not use `{label}`"));
834 }
835 }
836 }
837 AggregateAgg::Ratio => {
838 if w.bool_path.is_none() {
839 return Err(format!("{at}.agg=ratio requires `bool_path`"));
840 }
841 if w.value_path.is_some() {
842 return Err(format!("{at}.agg=ratio does not use `value_path`"));
843 }
844 }
845 AggregateAgg::Sum => {
846 if w.value_path.is_none() {
847 return Err(format!("{at}.agg=sum requires `value_path`"));
848 }
849 if w.bool_path.is_some() {
850 return Err(format!("{at}.agg=sum does not use `bool_path`"));
851 }
852 }
853 // Rejected above; arm exists only for exhaustiveness.
854 AggregateAgg::Unknown => {}
855 }
856 // Ranking PCs against each other only means something across the
857 // fleet — within one PC it's a single bar.
858 if w.group_by.as_deref() == Some("pc_id") && w.scope != AggregateScope::Fleet {
859 return Err(format!(
860 "{at}.group_by: pc_id is only valid with scope: fleet"
861 ));
862 }
863 // `transform` rewrites the grouped PAYLOAD value (URL→host); it's
864 // meaningless on a `pc_id` grouping (the pc_id column, not a payload
865 // field), so reject the combo at create time.
866 if w.transform.is_some() && w.group_by.as_deref() == Some("pc_id") {
867 return Err(format!("{at}.transform is not valid with group_by: pc_id"));
868 }
869 // limit / transform / exclude all operate on grouped values, so
870 // without a `group_by` they're silent no-ops — reject.
871 if w.group_by.is_none() {
872 if w.limit.is_some() {
873 return Err(format!("{at}.limit requires `group_by`"));
874 }
875 if w.transform.is_some() {
876 return Err(format!("{at}.transform requires `group_by`"));
877 }
878 if !w.exclude.is_empty() {
879 return Err(format!("{at}.exclude requires `group_by`"));
880 }
881 }
882 if w.limit == Some(0) {
883 return Err(format!("{at}.limit must be > 0"));
884 }
885 if w.sample_minutes == Some(0) {
886 return Err(format!("{at}.sample_minutes must be > 0"));
887 }
888 for ex in &w.exclude {
889 if ex.trim().is_empty() {
890 return Err(format!("{at}.exclude must not contain empty entries"));
891 }
892 }
893 // A gauge draws a single ratio dial — only meaningful for agg: ratio.
894 if w.render == AggregateRender::Gauge && w.agg != AggregateAgg::Ratio {
895 return Err(format!("{at}.render=gauge is only valid with agg: ratio"));
896 }
897 // A timeline needs a bucket; a bucket on any other render is a no-op
898 // that signals operator confusion — reject both.
899 match (w.render, &w.time_bucket) {
900 (AggregateRender::Timeline, None) => {
901 return Err(format!("{at}.render=timeline requires `time_bucket`"));
902 }
903 (r, Some(_)) if r != AggregateRender::Timeline => {
904 return Err(format!(
905 "{at}.time_bucket is only valid with render: timeline"
906 ));
907 }
908 _ => {}
909 }
910 }
911 Ok(())
912}
913
914/// A standalone declarative read/aggregation for the Analytics page (#743).
915///
916/// A **view** aggregates stored fleet data (`obs_events`, …) without an
917/// `execute` or a schedule — unlike a [`Manifest`] it only declares
918/// [`AggregateWidget`]s. (The first line is concise on purpose: `schemars`
919/// uses it as the generated schema's `title`.) The backend reads views from
920/// `BUCKET_VIEWS` at
921/// query time and merges their widgets with the co-located `aggregate:`
922/// hints on jobs, so a cross-cutting dashboard (one that charts events
923/// emitted by several other jobs / the agent) has a home that doesn't need
924/// a noop job carrier. Stored JSON in `BUCKET_VIEWS`, keyed by `id`.
925#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
926pub struct View {
927 /// Stable identifier (the KV key). Required, validated non-empty.
928 pub id: String,
929 /// Optional human description shown on the Views admin page.
930 #[serde(default, skip_serializing_if = "Option::is_none")]
931 pub description: Option<String>,
932 /// The widgets this view contributes to the Analytics page.
933 pub widgets: Vec<AggregateWidget>,
934 /// Free-form operator taxonomy (same role as [`Manifest::tags`]).
935 #[serde(default, skip_serializing_if = "Vec::is_empty")]
936 pub tags: Vec<String>,
937 /// GitOps provenance (#678), stamped by `kanade view create` from the
938 /// source YAML's Git context — same as [`Manifest::origin`].
939 #[serde(default, skip_serializing_if = "Option::is_none")]
940 pub origin: Option<RepoOrigin>,
941}
942
943/// True if `id` is a safe resource identifier — non-empty and only
944/// `[A-Za-z0-9._-]`. A view `id` becomes a NATS KV key *and* a URL path
945/// segment (`/api/views/{id}`), so this blocks `/`, `..`, whitespace and
946/// other characters that would break the KV key or let a CLI arg wander
947/// the URL space. (#743 / #744 follow-up — a deliberately small charset
948/// rather than the looser set NATS technically allows.)
949pub fn is_valid_resource_id(id: &str) -> bool {
950 !id.is_empty()
951 && id
952 .chars()
953 .all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_' || c == '-')
954}
955
956impl View {
957 pub fn validate(&self) -> Result<(), String> {
958 if !is_valid_resource_id(self.id.trim()) {
959 return Err(
960 "view.id must be non-empty and only [A-Za-z0-9._-] (it's a KV key + URL segment)"
961 .to_string(),
962 );
963 }
964 validate_aggregate_widgets(&self.widgets, "widgets")?;
965 for tag in &self.tags {
966 if tag.trim().is_empty() {
967 return Err("tags must not contain empty entries".to_string());
968 }
969 }
970 Ok(())
971 }
972}
973
974/// Issue #246 — `emit:` manifest block for jobs whose stdout is
975/// NDJSON observability events (one `ObsEvent` per line). Parallel
976/// to `inventory:` but for the append-only timeline pipeline; see
977/// `Manifest::emit` for the full contract.
978#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
979pub struct EmitConfig {
980 /// What kind of payload the agent should expect on stdout. Only
981 /// `events` is defined today (parses each non-empty line as
982 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
983 /// (e.g. metrics streams, structured trace events) plug in here.
984 #[serde(rename = "type")]
985 pub kind: EmitKind,
986 /// Operator hint for where the script keeps its own state — the
987 /// watermark file the PowerShell / sh body reads + writes
988 /// between runs so it only emits NEW events since the last
989 /// poll. The agent doesn't read this; it's documentation that
990 /// the SPA (and `kanade job edit`) can surface to operators
991 /// reviewing the manifest. Optional; the script is allowed to
992 /// keep state anywhere (registry, env, etc.) — the field's
993 /// presence makes the convention discoverable.
994 #[serde(default, skip_serializing_if = "Option::is_none")]
995 pub watermark_path: Option<String>,
996}
997
998/// `emit.type` enum. Lowercase serde so manifests read
999/// `type: events` rather than `Events`.
1000#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1001#[serde(rename_all = "lowercase")]
1002pub enum EmitKind {
1003 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
1004 /// `obs.<pc_id>`, drops the stdout from the resulting
1005 /// `ExecResult`.
1006 Events,
1007}
1008
1009/// v0.31 / #40: declarative "flatten this JSON array into a real
1010/// SQLite table" spec on an inventory manifest. The projector
1011/// creates the table on first registration (CREATE TABLE IF NOT
1012/// EXISTS + indexes) and writes a row per element of
1013/// `payload[field]` on every result, scoped by (pc_id, job_id) so
1014/// each PC's rows replace cleanly without a per-PC schema.
1015#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1016pub struct ExplodeSpec {
1017 /// JSON array key under the payload to explode. E.g. `"apps"`
1018 /// for `payload: { apps: [{...}, {...}] }`.
1019 pub field: String,
1020 /// Derived SQLite table name. Operators choose this — pick
1021 /// something namespaced + stable (`inventory_sw_apps`, not
1022 /// `apps`) so multiple inventory manifests don't collide on a
1023 /// generic name.
1024 pub table: String,
1025 /// Element-level fields that uniquely identify a row inside one
1026 /// PC's payload. The full PK is `(pc_id, job_id) + these
1027 /// columns`. Required — operators must think about uniqueness
1028 /// (e.g. `["name", "source"]` for installed apps because the
1029 /// same name appears in multiple uninstall hives).
1030 ///
1031 /// v0.31 / #41: same tuple drives history identity. When
1032 /// `track_history` is on, the projector serialises these
1033 /// fields' values into `inventory_history.identity_json` for
1034 /// every change event, so queries like "every PC that ever
1035 /// installed Chrome (any source)" filter on identity_json
1036 /// content without a per-manifest schema.
1037 pub primary_key: Vec<String>,
1038 /// Per-element fields that become columns in the derived table.
1039 pub columns: Vec<ExplodeColumn>,
1040 /// v0.31 / #41: when true (default false), the projector
1041 /// diffs each PC's incoming payload against the prior rows
1042 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
1043 /// replace, and writes added / removed / changed events into
1044 /// `inventory_history`. Lets operators answer time-dimension
1045 /// questions ("when did Chrome 120 first appear on PC X?",
1046 /// "what's the Win 11 23H2 rollout curve") without storing
1047 /// per-scan snapshots. Off by default so operators opt in
1048 /// per-spec — history has a real storage cost on long-lived
1049 /// deployments (mitigated by the 90-day default retention
1050 /// sweeper, see `cleanup` module).
1051 #[serde(default)]
1052 pub track_history: bool,
1053}
1054
1055/// One column in an [`ExplodeSpec`]'s derived table.
1056#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1057pub struct ExplodeColumn {
1058 /// JSON key under each array element. Becomes the column name
1059 /// in the derived SQLite table — we don't rename.
1060 pub field: String,
1061 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
1062 /// Storage maps directly via `sqlx::query.bind(...)`; type
1063 /// mismatches at INSERT-time fail loudly rather than silently
1064 /// dropping the row.
1065 #[serde(default, skip_serializing_if = "Option::is_none")]
1066 #[serde(rename = "type")]
1067 pub kind: Option<String>,
1068 /// When true, the projector creates a `CREATE INDEX` on this
1069 /// column at table-creation time. Boost for the common-filter
1070 /// columns (`name`, `version`) — operators mark them
1071 /// explicitly, the projector won't guess.
1072 #[serde(default)]
1073 pub index: bool,
1074}
1075
1076#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1077pub struct DisplayField {
1078 /// Top-level key in the stdout JSON.
1079 pub field: String,
1080 /// Human-readable column header.
1081 pub label: String,
1082 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
1083 /// or `"table"` (#39). Defaults to plain text rendering on the
1084 /// SPA side. `"table"` expects the field's value to be a JSON
1085 /// array of objects and renders a nested sub-table on the
1086 /// per-PC detail page using `columns` as the schema; the fleet
1087 /// summary view falls back to showing the row count for
1088 /// `"table"` cells so the wide list stays compact.
1089 #[serde(default, skip_serializing_if = "Option::is_none")]
1090 #[serde(rename = "type")]
1091 pub kind: Option<String>,
1092 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
1093 /// field's value (an array of objects like
1094 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
1095 /// sub-table using these columns. Each column is itself a
1096 /// `DisplayField`, so the nested cells reuse the same render
1097 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
1098 /// pipeline. Ignored for any other `kind`.
1099 #[serde(default, skip_serializing_if = "Option::is_none")]
1100 pub columns: Option<Vec<DisplayField>>,
1101}
1102
1103#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1104pub struct Rollout {
1105 #[serde(default)]
1106 pub strategy: RolloutStrategy,
1107 pub waves: Vec<Wave>,
1108}
1109
1110#[derive(
1111 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
1112)]
1113#[serde(rename_all = "lowercase")]
1114pub enum RolloutStrategy {
1115 #[default]
1116 Wave,
1117}
1118
1119#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1120pub struct Wave {
1121 pub group: String,
1122 /// humantime delay measured from the deploy's publish time. wave[0]
1123 /// typically has "0s"; subsequent waves use minutes / hours.
1124 pub delay: String,
1125}
1126
1127#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
1128pub struct Target {
1129 #[serde(default)]
1130 pub groups: Vec<String>,
1131 #[serde(default)]
1132 pub pcs: Vec<String>,
1133 #[serde(default)]
1134 pub all: bool,
1135}
1136
1137impl Target {
1138 /// At least one of all / groups / pcs is set.
1139 pub fn is_specified(&self) -> bool {
1140 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
1141 }
1142}
1143
1144#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1145pub struct Execute {
1146 pub shell: ExecuteShell,
1147 /// Inline script body. Mutually exclusive with [`script_file`]
1148 /// and [`script_object`]; exactly one of the three must be set
1149 /// (enforced by [`Execute::validate_script_source`] at the
1150 /// write-side parse boundaries — `kanade job create` and
1151 /// `POST /api/jobs`).
1152 ///
1153 /// Empty string is treated as **unset** so operators can swap
1154 /// to a `script_file:` / `script_object:` alternative just by
1155 /// commenting out the body, without having to also drop the
1156 /// `script:` key entirely.
1157 ///
1158 /// [`script_file`]: Self::script_file
1159 /// [`script_object`]: Self::script_object
1160 #[serde(default, skip_serializing_if = "Option::is_none")]
1161 pub script: Option<String>,
1162 /// Repo-local file path resolved by the operator-side CLI at
1163 /// `kanade job create` time. The CLI reads the file, slots its
1164 /// contents into `script`, and clears this field before
1165 /// POSTing — so the backend / agents never see `script_file`
1166 /// in stored manifests. SPEC §2.4.1.
1167 ///
1168 /// Resolver lands in a follow-up PR
1169 /// (yukimemi/kanade#210); today this field passes parse-time
1170 /// validation but the operator-side CLI bails with "not yet
1171 /// implemented" until the resolver ships, so manifests that
1172 /// reach the backend with `script_file` set are treated as a
1173 /// schema-bug.
1174 #[serde(default, skip_serializing_if = "Option::is_none")]
1175 pub script_file: Option<String>,
1176 /// Object Store reference (`<name>/<version>`) into the
1177 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
1178 /// at Execute time via `/api/script-objects/{name}/{version}`
1179 /// and cache it locally. SPEC §2.4.1.
1180 ///
1181 /// Fully wired (#210/#211): the backend resolves the digest at
1182 /// exec submission (`api::exec::resolve_script_source`), the agent
1183 /// fetches + sha-verifies + caches the body (`script_cache`), and
1184 /// `kanade script` CRUDs the store. Unlike `script_file:` (inlined
1185 /// CLI-side, git-managed), this keeps the body in versioned,
1186 /// digest-pinned object storage — the ops-managed counterpart.
1187 #[serde(default, skip_serializing_if = "Option::is_none")]
1188 pub script_object: Option<String>,
1189 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
1190 /// — represents how long this script reasonably takes to run.
1191 pub timeout: String,
1192 /// Token + session combination the agent uses to launch the
1193 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
1194 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
1195 #[serde(default)]
1196 pub run_as: RunAs,
1197 /// Working directory for the spawned child (v0.21.1). When
1198 /// unset, the child inherits the agent's cwd — on Windows that
1199 /// means `%SystemRoot%\System32` for the prod service, which is
1200 /// almost never what operators actually want. Use an absolute
1201 /// path; relative paths are passed through to the OS verbatim.
1202 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
1203 /// you'd want `%USERPROFILE%` (but expansion happens in the
1204 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
1205 /// it via teravars before `kanade job create`).
1206 #[serde(default, skip_serializing_if = "Option::is_none")]
1207 pub cwd: Option<String>,
1208}
1209
1210impl Execute {
1211 /// Treat an empty `script:` body as "intentionally unset". Operators
1212 /// commenting out a block-scalar tend to leave the key behind, and
1213 /// failing the validator on `script: ""` would surprise them.
1214 fn has_inline_script(&self) -> bool {
1215 matches!(&self.script, Some(s) if !s.is_empty())
1216 }
1217
1218 /// Enforce that exactly one of `script` / `script_file` /
1219 /// `script_object` is set. Called at the write-side parse
1220 /// boundaries (CLI `kanade job create` + backend
1221 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
1222 /// reaches the JOBS KV. Read paths (projector, agent
1223 /// scheduler, list endpoints) skip this check — they only ever
1224 /// see what the write path already validated.
1225 pub fn validate_script_source(&self) -> Result<(), String> {
1226 let inline = self.has_inline_script();
1227 let file = self.script_file.is_some();
1228 let obj = self.script_object.is_some();
1229 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
1230 match set {
1231 1 => Ok(()),
1232 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
1233 _ => Err(format!(
1234 "execute: only one of `script` / `script_file` / `script_object` may be set \
1235 (got script={inline}, script_file={file}, script_object={obj})"
1236 )),
1237 }
1238 }
1239}
1240
1241impl Manifest {
1242 /// Cross-field semantic checks that don't fit into pure serde
1243 /// derive. Currently delegates to
1244 /// [`Execute::validate_script_source`] — see that method's
1245 /// docs for the rationale on which call sites should run this.
1246 pub fn validate(&self) -> Result<(), String> {
1247 self.execute.validate_script_source()?;
1248 // Stdout-format compatibility. `inventory:` and `check:` both
1249 // consume the SAME single JSON object — they COMPOSE: a check
1250 // can extract `status`/`detail` for the Health tab while the
1251 // projector explodes the rest into SPA sub-tables. `emit:` is
1252 // different — its stdout is NDJSON and the agent omits it from
1253 // the result entirely — so it can't be paired with either.
1254 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
1255 return Err(
1256 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
1257 timeline events (and omitted from the result), while inventory/check read a \
1258 single JSON object from stdout"
1259 .to_string(),
1260 );
1261 }
1262 // `collect:` consumes stdout for its OWN contract (a JSON object
1263 // carrying a `files` array), so unlike the inventory+check pair it
1264 // can't share stdout with another stdout-reading hint. It composes
1265 // only with `client:` (which doesn't touch stdout).
1266 if self.collect.is_some()
1267 && (self.inventory.is_some() || self.check.is_some() || self.emit.is_some())
1268 {
1269 return Err(
1270 "`collect:` is incompatible with `inventory:` / `check:` / `emit:` — collect \
1271 reads its own `files` JSON object from stdout. (It composes with `client:`.)"
1272 .to_string(),
1273 );
1274 }
1275 // A check's `name` is the Health-tab row id (React key); the
1276 // field names tell the agent where to read status/detail.
1277 // An empty value is an invisible runtime bug, and the serde
1278 // defaults don't guard an operator who writes `status_field:
1279 // ""` explicitly — reject all three here.
1280 if let Some(check) = &self.check {
1281 for (label, value) in [
1282 ("check.name", &check.name),
1283 ("check.status_field", &check.status_field),
1284 ("check.detail_field", &check.detail_field),
1285 ] {
1286 if value.trim().is_empty() {
1287 return Err(format!("{label} must not be empty"));
1288 }
1289 }
1290 // A present-but-blank `troubleshoot` is a broken
1291 // remediation job id (the "修復する" button would target
1292 // an empty manifest id) — reject it too.
1293 if let Some(troubleshoot) = &check.troubleshoot {
1294 if troubleshoot.trim().is_empty() {
1295 return Err("check.troubleshoot must not be empty when set".to_string());
1296 }
1297 }
1298 // A present-but-blank `label` would render an empty row
1299 // title on the Health tab / Compliance page — reject it so
1300 // the slug fallback only ever kicks in when label is absent.
1301 if let Some(label) = &check.label {
1302 if label.trim().is_empty() {
1303 return Err("check.label must not be empty when set".to_string());
1304 }
1305 }
1306 if let Some(alert) = &check.alert {
1307 // An alert that names no recipient is a silent no-op.
1308 if !alert.notify_user && alert.notify_groups.is_empty() {
1309 return Err("check.alert must set notify_user and/or notify_groups".to_string());
1310 }
1311 if alert.title.trim().is_empty() {
1312 return Err("check.alert.title must not be empty".to_string());
1313 }
1314 // `on: []` would never fire; an empty group name resolves to
1315 // a malformed `notifications.group.` subject.
1316 if alert.on.is_empty() {
1317 return Err("check.alert.on must list at least one status".to_string());
1318 }
1319 if alert.notify_groups.iter().any(|g| g.trim().is_empty()) {
1320 return Err("check.alert.notify_groups must not contain blanks".to_string());
1321 }
1322 // Email is addressed via group_contacts (group → email), so
1323 // there must be a group to map. notify_user has no email.
1324 if alert.email && alert.notify_groups.is_empty() {
1325 return Err(
1326 "check.alert.email requires notify_groups (email is addressed per group, not per user)"
1327 .to_string(),
1328 );
1329 }
1330 // The alert rides the `check_status` projection, which only
1331 // runs for `fleet: true`.
1332 if !check.fleet {
1333 return Err(
1334 "check.alert requires fleet: true (the alert rides the compliance projection)"
1335 .to_string(),
1336 );
1337 }
1338 }
1339 }
1340 // #291: a `client:` job is rendered in the Client App's
1341 // catalog (`jobs.list` → `jobs.execute`). serde already makes
1342 // `name` + `category` required at parse time; the only gap is
1343 // a present-but-blank `name`, which would render an empty row
1344 // title — reject it like the other display-id fields.
1345 if let Some(client) = &self.client {
1346 if client.name.trim().is_empty() {
1347 return Err("client.name must not be empty".to_string());
1348 }
1349 // Optional display fields, when present, must be
1350 // meaningful: a blank `description` renders an empty
1351 // subtitle and a blank `icon` is a dangling lucide name.
1352 // Same present-but-blank guard the `check:` block applies
1353 // to its optional `troubleshoot` id.
1354 for (label, value) in [
1355 ("client.description", &client.description),
1356 ("client.icon", &client.icon),
1357 ] {
1358 if let Some(v) = value {
1359 if v.trim().is_empty() {
1360 return Err(format!("{label} must not be empty when set"));
1361 }
1362 }
1363 }
1364 }
1365 // #219: a `collect:` job's `name` heads the bundle on the SPA
1366 // Collect page (and the Client App row when paired with
1367 // `client:`), `files_field` tells the agent where to read the
1368 // path list, and `max_size` must be a parseable size so a typo
1369 // is caught at create time rather than silently capping the
1370 // bundle at the default on the fire path.
1371 if let Some(collect) = &self.collect {
1372 if collect.name.trim().is_empty() {
1373 return Err("collect.name must not be empty".to_string());
1374 }
1375 if collect.files_field.trim().is_empty() {
1376 return Err("collect.files_field must not be empty".to_string());
1377 }
1378 if let Some(description) = &collect.description {
1379 if description.trim().is_empty() {
1380 return Err("collect.description must not be empty when set".to_string());
1381 }
1382 }
1383 if let Some(max_size) = &collect.max_size {
1384 parse_size_bytes(max_size).map_err(|e| format!("collect.max_size: {e}"))?;
1385 }
1386 }
1387 // #720/#743: `aggregate:` is a pure read-spec (it never touches
1388 // stdout and is never sent to an agent), so it composes with every
1389 // other hint. The per-widget rules are shared with the standalone
1390 // `view` resource — see [`validate_aggregate_widgets`].
1391 if let Some(widgets) = &self.aggregate {
1392 validate_aggregate_widgets(widgets, "aggregate")?;
1393 }
1394 // A blank / whitespace-only tag is an invisible operator typo
1395 // that would render an empty filter chip on the Jobs page —
1396 // reject it like the other present-but-blank display fields.
1397 for tag in &self.tags {
1398 if tag.trim().is_empty() {
1399 return Err("tags must not contain empty entries".to_string());
1400 }
1401 }
1402 Ok(())
1403 }
1404}
1405
1406#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1407#[serde(rename_all = "lowercase")]
1408pub enum ExecuteShell {
1409 Powershell,
1410 Cmd,
1411}
1412
1413impl From<ExecuteShell> for Shell {
1414 fn from(s: ExecuteShell) -> Self {
1415 match s {
1416 ExecuteShell::Powershell => Shell::Powershell,
1417 ExecuteShell::Cmd => Shell::Cmd,
1418 }
1419 }
1420}
1421
1422#[cfg(test)]
1423mod tests {
1424 use super::*;
1425
1426 /// The example check-job + schedule YAMLs shipped under `configs/`
1427 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
1428 /// pins them at compile time so a breaking edit fails `cargo test`
1429 /// rather than only `kanade job create` at deploy time.
1430 #[test]
1431 fn example_check_job_yamls_parse_and_validate() {
1432 let jobs = [
1433 (
1434 "check-bitlocker",
1435 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
1436 ),
1437 (
1438 "check-av-signature",
1439 include_str!("../../../configs/jobs/check-av-signature.yaml"),
1440 ),
1441 (
1442 "check-cert-expiry",
1443 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
1444 ),
1445 (
1446 "check-disk-space",
1447 include_str!("../../../configs/jobs/check-disk-space.yaml"),
1448 ),
1449 (
1450 "check-pending-reboot",
1451 include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
1452 ),
1453 (
1454 "check-defender-rtp",
1455 include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
1456 ),
1457 (
1458 "check-firewall",
1459 include_str!("../../../configs/jobs/check-firewall.yaml"),
1460 ),
1461 ];
1462 for (name, yaml) in jobs {
1463 let m: Manifest =
1464 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
1465 m.validate()
1466 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
1467 let check = m
1468 .check
1469 .as_ref()
1470 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
1471 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
1472 // These examples all read admin-only WMI / registry / netsh
1473 // state, so they run_as system. NOTE: that's a property of
1474 // these particular checks, NOT of the `check:` contract — a
1475 // check probing user-session state could run_as user.
1476 assert_eq!(
1477 m.execute.run_as,
1478 RunAs::System,
1479 "{name} should run_as system"
1480 );
1481 }
1482 }
1483
1484 /// The example user-invokable job YAMLs (#291) shipped under
1485 /// `configs/jobs/` must stay valid as the `client:` schema
1486 /// evolves. `include_str!` pins them at compile time so a breaking
1487 /// edit fails `cargo test`, not `kanade job create` at deploy.
1488 #[test]
1489 fn example_client_job_yamls_parse_and_validate() {
1490 let jobs = [
1491 (
1492 "fix-teams-cache",
1493 JobCategory::Troubleshoot,
1494 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
1495 ),
1496 (
1497 "chrome-update",
1498 JobCategory::SoftwareUpdate,
1499 include_str!("../../../configs/jobs/chrome-update.yaml"),
1500 ),
1501 (
1502 "install-slack",
1503 JobCategory::Catalog,
1504 include_str!("../../../configs/jobs/install-slack.yaml"),
1505 ),
1506 (
1507 "fix-defender-rtp",
1508 JobCategory::Troubleshoot,
1509 include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
1510 ),
1511 ];
1512 for (id, category, yaml) in jobs {
1513 let m: Manifest =
1514 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1515 m.validate()
1516 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1517 assert_eq!(m.id, id, "{id} id mismatch");
1518 let client = m
1519 .client
1520 .as_ref()
1521 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
1522 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
1523 assert_eq!(client.category, category, "{id} category");
1524 }
1525 }
1526
1527 /// #219: the shipped `collect:` example must stay valid as the
1528 /// schema evolves. `include_str!` pins it at compile time so a
1529 /// breaking edit (or a YAML typo in the PowerShell block) fails
1530 /// `cargo test` rather than `kanade job create` at deploy. It carries
1531 /// both `collect:` and `client:` (end-user-triggerable), which must
1532 /// compose.
1533 #[test]
1534 fn example_collect_job_yaml_parses_and_validates() {
1535 let yaml = include_str!("../../../configs/jobs/collect-diagnostics.yaml");
1536 let m: Manifest = serde_yaml::from_str(yaml).expect("collect-diagnostics parse");
1537 m.validate().expect("collect-diagnostics validate");
1538 assert_eq!(m.id, "collect-diagnostics");
1539 let collect = m.collect.as_ref().expect("collect: block present");
1540 assert!(!collect.name.trim().is_empty());
1541 assert_eq!(collect.files_field, "files");
1542 assert_eq!(collect.max_size_bytes(), 50_000_000);
1543 // collect + client compose — the Client App can trigger it.
1544 assert!(
1545 m.client.is_some(),
1546 "collect-diagnostics also carries client:"
1547 );
1548 }
1549
1550 /// The `emit: { type: events }` collector jobs under
1551 /// `configs/jobs/` feed the obs_events timeline. `include_str!`
1552 /// pins them at compile time so a breaking edit (e.g. an `emit:`
1553 /// paired with `check:`/`inventory:`, a bad watermark field, or a
1554 /// YAML typo in the PowerShell block) fails `cargo test` rather
1555 /// than `kanade job create` at deploy. Every one must carry an
1556 /// `emit.type=events` block and NO check/inventory (validate()
1557 /// rejects the pairing).
1558 #[test]
1559 fn example_event_collector_job_yamls_parse_and_validate() {
1560 let jobs = [
1561 (
1562 "collect-winlog-events",
1563 include_str!("../../../configs/jobs/collect-winlog-events.yaml"),
1564 ),
1565 (
1566 "collect-winlog-logons-all",
1567 include_str!("../../../configs/jobs/collect-winlog-logons-all.yaml"),
1568 ),
1569 (
1570 "collect-wlan-events",
1571 include_str!("../../../configs/jobs/collect-wlan-events.yaml"),
1572 ),
1573 ];
1574 for (id, yaml) in jobs {
1575 // Strict parse so an unknown-key typo in these fixtures fails
1576 // here (not silently at deploy) — the runtime Manifest is
1577 // unknown-key-tolerant, so the lenient serde_yaml::from_str
1578 // wouldn't catch fixture drift (CodeRabbit #689).
1579 let m: Manifest =
1580 crate::strict::from_yaml_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1581 m.validate()
1582 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1583 assert_eq!(m.id, id, "{id} id mismatch");
1584 let emit = m
1585 .emit
1586 .as_ref()
1587 .unwrap_or_else(|| panic!("{id} must carry an emit: block"));
1588 assert_eq!(emit.kind, EmitKind::Events, "{id} emit.type");
1589 assert!(
1590 m.check.is_none() && m.inventory.is_none(),
1591 "{id}: emit jobs must not pair with check/inventory"
1592 );
1593 }
1594 }
1595
1596 /// The `inventory:` snapshot jobs under `configs/jobs/` project
1597 /// facts into `inventory_facts` + exploded tables. `include_str!`
1598 /// pins them at compile time so a breaking edit (bad explode
1599 /// schema, a YAML typo in the PowerShell block, an `inventory:`
1600 /// accidentally paired with `emit:`) fails `cargo test` rather
1601 /// than the projector at deploy. Each must carry an `inventory:`
1602 /// block and NO emit (validate() rejects the pairing).
1603 #[test]
1604 fn example_inventory_job_yamls_parse_and_validate() {
1605 let jobs = [
1606 (
1607 "inventory-hw",
1608 include_str!("../../../configs/jobs/inventory-hw.yaml"),
1609 ),
1610 (
1611 "inventory-sw",
1612 include_str!("../../../configs/jobs/inventory-sw.yaml"),
1613 ),
1614 (
1615 "inventory-driver",
1616 include_str!("../../../configs/jobs/inventory-driver.yaml"),
1617 ),
1618 ];
1619 for (id, yaml) in jobs {
1620 let m: Manifest =
1621 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1622 m.validate()
1623 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1624 assert_eq!(m.id, id, "{id} id mismatch");
1625 assert!(m.inventory.is_some(), "{id} must carry an inventory: block");
1626 assert!(m.emit.is_none(), "{id}: inventory jobs must not set emit:");
1627 }
1628 }
1629
1630 #[test]
1631 fn example_check_schedule_yamls_parse_and_validate() {
1632 let schedules = [
1633 (
1634 "check-bitlocker",
1635 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
1636 ),
1637 (
1638 "check-av-signature",
1639 include_str!("../../../configs/schedules/check-av-signature.yaml"),
1640 ),
1641 (
1642 "check-cert-expiry",
1643 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
1644 ),
1645 (
1646 "check-disk-space",
1647 include_str!("../../../configs/schedules/check-disk-space.yaml"),
1648 ),
1649 (
1650 "check-pending-reboot",
1651 include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
1652 ),
1653 (
1654 "check-defender-rtp",
1655 include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
1656 ),
1657 (
1658 "check-firewall",
1659 include_str!("../../../configs/schedules/check-firewall.yaml"),
1660 ),
1661 ];
1662 for (name, yaml) in schedules {
1663 let s: Schedule =
1664 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1665 s.validate()
1666 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1667 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1668 }
1669 }
1670
1671 /// Inventory schedule wrappers (`per_pc` cadence) must stay valid
1672 /// alongside the schedule schema. `include_str!` pins them so a
1673 /// breaking edit fails `cargo test`, not `kanade schedule create`.
1674 #[test]
1675 fn example_inventory_schedule_yamls_parse_and_validate() {
1676 let schedules = [
1677 (
1678 "inventory-hw",
1679 include_str!("../../../configs/schedules/inventory-hw.yaml"),
1680 ),
1681 (
1682 "inventory-sw",
1683 include_str!("../../../configs/schedules/inventory-sw.yaml"),
1684 ),
1685 (
1686 "inventory-driver",
1687 include_str!("../../../configs/schedules/inventory-driver.yaml"),
1688 ),
1689 ];
1690 for (name, yaml) in schedules {
1691 let s: Schedule =
1692 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1693 s.validate()
1694 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1695 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1696 }
1697 }
1698
1699 #[test]
1700 fn target_is_specified_requires_at_least_one_field() {
1701 let empty = Target::default();
1702 assert!(!empty.is_specified());
1703
1704 let with_all = Target {
1705 all: true,
1706 ..Target::default()
1707 };
1708 assert!(with_all.is_specified());
1709
1710 let with_groups = Target {
1711 groups: vec!["canary".into()],
1712 ..Target::default()
1713 };
1714 assert!(with_groups.is_specified());
1715
1716 let with_pcs = Target {
1717 pcs: vec!["pc-01".into()],
1718 ..Target::default()
1719 };
1720 assert!(with_pcs.is_specified());
1721 }
1722
1723 #[test]
1724 fn manifest_deserialises_minimal_yaml() {
1725 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
1726 // — those live on the schedule / exec request now.
1727 let yaml = r#"
1728id: echo-test
1729version: 0.0.1
1730execute:
1731 shell: powershell
1732 script: "echo 'kanade'"
1733 timeout: 30s
1734"#;
1735 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1736 assert_eq!(m.id, "echo-test");
1737 assert_eq!(m.version, "0.0.1");
1738 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
1739 assert_eq!(
1740 m.execute.script.as_deref().map(str::trim),
1741 Some("echo 'kanade'")
1742 );
1743 assert!(m.execute.script_file.is_none());
1744 assert!(m.execute.script_object.is_none());
1745 assert_eq!(m.execute.timeout, "30s");
1746 assert!(!m.require_approval);
1747 m.validate()
1748 .expect("inline-script manifest passes validation");
1749 }
1750
1751 #[test]
1752 fn manifest_parses_check_job_and_validates() {
1753 // An operator-defined health check (#290): a `check:` hint +
1754 // a PowerShell script that prints {status, detail}.
1755 let yaml = r#"
1756id: check-bitlocker
1757version: 0.1.0
1758execute:
1759 shell: powershell
1760 run_as: system
1761 timeout: 15s
1762 script: |
1763 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
1764check:
1765 name: bitlocker
1766 troubleshoot: fix-bitlocker
1767"#;
1768 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1769 let check = m.check.as_ref().expect("check hint present");
1770 assert_eq!(check.name, "bitlocker");
1771 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
1772 // Field names default to the conventional "status" / "detail".
1773 assert_eq!(check.status_field, "status");
1774 assert_eq!(check.detail_field, "detail");
1775 assert!(m.inventory.is_none() && m.emit.is_none());
1776 m.validate().expect("check-only manifest passes validation");
1777 }
1778
1779 #[test]
1780 fn manifest_check_defaults_and_custom_fields() {
1781 // Minimal: only `name`; status/detail fields default.
1782 let m: Manifest = serde_yaml::from_str(
1783 r#"
1784id: check-disk
1785version: 0.1.0
1786execute:
1787 shell: powershell
1788 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
1789 timeout: 10s
1790check:
1791 name: disk_free
1792"#,
1793 )
1794 .expect("parse");
1795 let c = m.check.as_ref().unwrap();
1796 assert_eq!(c.name, "disk_free");
1797 assert_eq!(c.status_field, "status");
1798 assert_eq!(c.detail_field, "detail");
1799 assert!(c.troubleshoot.is_none());
1800 m.validate().expect("validates");
1801
1802 // The operator can point status/detail at any field of their
1803 // free-form inventory object.
1804 let m2: Manifest = serde_yaml::from_str(
1805 r#"
1806id: check-custom
1807version: 0.1.0
1808execute:
1809 shell: powershell
1810 script: "echo x"
1811 timeout: 10s
1812check:
1813 name: patch_level
1814 status_field: compliance
1815 detail_field: summary
1816"#,
1817 )
1818 .expect("parse");
1819 let c2 = m2.check.as_ref().unwrap();
1820 assert_eq!(c2.status_field, "compliance");
1821 assert_eq!(c2.detail_field, "summary");
1822 }
1823
1824 #[test]
1825 fn manifest_allows_check_composed_with_inventory() {
1826 // `check:` + `inventory:` COMPOSE on the same stdout object:
1827 // status/detail → Health tab, the rest → SPA projection +
1828 // explode sub-tables. Must pass validation.
1829 let yaml = r#"
1830id: check-bitlocker-detailed
1831version: 0.1.0
1832execute:
1833 shell: powershell
1834 script: "echo x"
1835 timeout: 10s
1836check:
1837 name: bitlocker
1838inventory:
1839 display:
1840 - { field: status, label: Status }
1841"#;
1842 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1843 assert!(m.check.is_some() && m.inventory.is_some());
1844 m.validate().expect("check + inventory compose");
1845 }
1846
1847 #[test]
1848 fn manifest_parses_collect_job_and_validates() {
1849 // #219: a `collect:` hint + a script that lists files on stdout.
1850 let yaml = r#"
1851id: collect-diagnostics
1852version: 0.1.0
1853execute:
1854 shell: powershell
1855 run_as: system
1856 timeout: 120s
1857 script: |
1858 @{ files = @("$env:KANADE_COLLECT_DIR/system.csv") } | ConvertTo-Json
1859collect:
1860 name: "Full diagnostics"
1861 description: "Event logs + process"
1862 max_size: 50MB
1863"#;
1864 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1865 let c = m.collect.as_ref().expect("collect hint present");
1866 assert_eq!(c.name, "Full diagnostics");
1867 assert_eq!(c.files_field, "files"); // default
1868 assert_eq!(c.max_size_bytes(), 50_000_000);
1869 m.validate().expect("collect-only manifest validates");
1870 }
1871
1872 #[test]
1873 fn manifest_collect_max_size_defaults_when_unset() {
1874 let m: Manifest = serde_yaml::from_str(
1875 r#"
1876id: collect-min
1877version: 0.1.0
1878execute:
1879 shell: powershell
1880 script: "echo x"
1881 timeout: 10s
1882collect:
1883 name: minimal
1884"#,
1885 )
1886 .expect("parse");
1887 let c = m.collect.as_ref().unwrap();
1888 assert!(c.max_size.is_none());
1889 assert_eq!(c.max_size_bytes(), DEFAULT_COLLECT_MAX_SIZE);
1890 m.validate().expect("validates");
1891 }
1892
1893 #[test]
1894 fn manifest_allows_collect_with_client() {
1895 // collect composes with client (client doesn't touch stdout):
1896 // an end user can trigger a collection from the Client App.
1897 let yaml = r#"
1898id: collect-diag-client
1899version: 0.1.0
1900execute:
1901 shell: powershell
1902 script: "echo x"
1903 timeout: 10s
1904collect:
1905 name: diagnostics
1906client:
1907 name: "Send diagnostics"
1908 category: troubleshoot
1909"#;
1910 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1911 assert!(m.collect.is_some() && m.client.is_some());
1912 m.validate().expect("collect + client compose");
1913 }
1914
1915 #[test]
1916 fn manifest_rejects_collect_combined_with_inventory() {
1917 // collect consumes stdout for its own `files` contract → can't
1918 // share with inventory/check/emit.
1919 let yaml = r#"
1920id: bad-collect-mix
1921version: 0.1.0
1922execute:
1923 shell: powershell
1924 script: "echo x"
1925 timeout: 10s
1926collect:
1927 name: diag
1928inventory:
1929 display:
1930 - { field: status, label: Status }
1931"#;
1932 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1933 let err = m
1934 .validate()
1935 .expect_err("collect + inventory must be rejected");
1936 assert!(err.contains("collect"), "error mentions collect: {err}");
1937 }
1938
1939 #[test]
1940 fn manifest_rejects_collect_combined_with_check_or_emit() {
1941 // collect is exclusive with every stdout-consuming hint, not
1942 // just inventory — guard the check + emit branches too.
1943 for extra in ["check:\n name: health\n", "emit:\n type: events\n"] {
1944 let yaml = format!(
1945 "id: bad-collect-mix\nversion: 0.1.0\nexecute:\n shell: powershell\n \
1946 script: \"echo x\"\n timeout: 10s\ncollect:\n name: diag\n{extra}"
1947 );
1948 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
1949 let err = m
1950 .validate()
1951 .expect_err("collect + stdout-consuming hint must fail");
1952 assert!(err.contains("collect"), "error mentions collect: {err}");
1953 }
1954 }
1955
1956 #[test]
1957 fn manifest_rejects_collect_empty_name_and_bad_size() {
1958 let empty_name: Manifest = serde_yaml::from_str(
1959 r#"
1960id: c
1961version: 0.1.0
1962execute: { shell: powershell, script: "echo x", timeout: 10s }
1963collect: { name: " " }
1964"#,
1965 )
1966 .expect("parse");
1967 assert!(
1968 empty_name.validate().is_err(),
1969 "blank collect.name rejected"
1970 );
1971
1972 let bad_size: Manifest = serde_yaml::from_str(
1973 r#"
1974id: c
1975version: 0.1.0
1976execute: { shell: powershell, script: "echo x", timeout: 10s }
1977collect: { name: diag, max_size: "50 quux" }
1978"#,
1979 )
1980 .expect("parse");
1981 let err = bad_size.validate().expect_err("bad max_size rejected");
1982 assert!(err.contains("max_size"), "error mentions max_size: {err}");
1983 }
1984
1985 #[test]
1986 fn parse_size_bytes_units() {
1987 assert_eq!(parse_size_bytes("1024").unwrap(), 1024);
1988 assert_eq!(parse_size_bytes("1B").unwrap(), 1);
1989 assert_eq!(parse_size_bytes("50MB").unwrap(), 50_000_000);
1990 assert_eq!(parse_size_bytes("500 KB").unwrap(), 500_000);
1991 assert_eq!(parse_size_bytes("1GiB").unwrap(), 1024 * 1024 * 1024);
1992 assert_eq!(parse_size_bytes("2mib").unwrap(), 2 * 1024 * 1024);
1993 assert!(parse_size_bytes("").is_err());
1994 assert!(parse_size_bytes("MB").is_err());
1995 assert!(parse_size_bytes("12 zonks").is_err());
1996 }
1997
1998 #[test]
1999 fn manifest_rejects_check_combined_with_emit() {
2000 // `emit:` stdout is NDJSON (and omitted from the result), so
2001 // it can't pair with `check:` (which needs a single JSON
2002 // object on stdout).
2003 let yaml = r#"
2004id: bad-mix
2005version: 0.1.0
2006execute:
2007 shell: powershell
2008 script: "echo x"
2009 timeout: 10s
2010check:
2011 name: bitlocker
2012emit:
2013 type: events
2014"#;
2015 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2016 let err = m.validate().expect_err("emit + check must fail");
2017 assert!(err.contains("incompatible"), "err: {err}");
2018 }
2019
2020 #[test]
2021 fn manifest_rejects_emit_combined_with_inventory() {
2022 // The other half of the emit-incompatibility condition.
2023 let yaml = r#"
2024id: bad-mix-2
2025version: 0.1.0
2026execute:
2027 shell: powershell
2028 script: "echo x"
2029 timeout: 10s
2030emit:
2031 type: events
2032inventory:
2033 display:
2034 - { field: status, label: Status }
2035"#;
2036 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2037 let err = m.validate().expect_err("emit + inventory must fail");
2038 assert!(err.contains("incompatible"), "err: {err}");
2039 }
2040
2041 #[test]
2042 fn manifest_rejects_empty_check_field_names() {
2043 // Empty name / status_field / detail_field are invisible
2044 // runtime bugs (empty React key, agent reads the wrong field)
2045 // — reject them even though serde supplies non-empty defaults.
2046 let base = |inner: &str| {
2047 format!(
2048 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
2049 )
2050 };
2051 for inner in [
2052 " name: \"\"\n",
2053 " name: ok\n status_field: \"\"\n",
2054 " name: ok\n detail_field: \" \"\n",
2055 // present-but-blank troubleshoot → broken remediation id.
2056 " name: ok\n troubleshoot: \" \"\n",
2057 ] {
2058 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
2059 let err = m.validate().expect_err("empty field must fail");
2060 assert!(err.contains("must not be empty"), "err: {err}");
2061 }
2062 }
2063
2064 #[test]
2065 fn check_alert_decodes_with_defaults_and_validates() {
2066 let yaml = r#"
2067id: c
2068version: 0.1.0
2069execute:
2070 shell: powershell
2071 script: "echo x"
2072 timeout: 10s
2073check:
2074 name: bitlocker
2075 alert:
2076 notify_user: true
2077 title: "BitLocker 未準拠"
2078"#;
2079 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2080 m.validate().expect("valid alert");
2081 let alert = m.check.unwrap().alert.unwrap();
2082 // Defaults: on = [fail], priority = warn, body = None.
2083 assert_eq!(alert.on, vec![CheckAlertStatus::Fail]);
2084 assert_eq!(
2085 alert.priority,
2086 crate::ipc::notifications::NotificationPriority::Warn
2087 );
2088 assert!(alert.body.is_none());
2089 assert!(alert.notify_user);
2090 }
2091
2092 #[test]
2093 fn check_alert_validation_rejects_bad_configs() {
2094 let base = |alert: &str| {
2095 format!(
2096 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n name: bitlocker\n alert:\n{alert}"
2097 )
2098 };
2099 let cases = [
2100 // No recipient.
2101 (" title: t\n", "notify_user and/or notify_groups"),
2102 // Empty title.
2103 (
2104 " notify_user: true\n title: \" \"\n",
2105 "title must not be empty",
2106 ),
2107 // Empty `on`.
2108 (
2109 " notify_user: true\n title: t\n on: []\n",
2110 "on must list at least one status",
2111 ),
2112 // Blank group name.
2113 (
2114 " notify_groups: [\" \"]\n title: t\n",
2115 "notify_groups must not contain blanks",
2116 ),
2117 // alert requires fleet: true.
2118 (
2119 " notify_user: true\n title: t\n fleet: false\n",
2120 "requires fleet: true",
2121 ),
2122 // email opt-in without a group to address.
2123 (
2124 " notify_user: true\n email: true\n title: t\n",
2125 "email requires notify_groups",
2126 ),
2127 ];
2128 for (alert, want) in cases {
2129 let m: Manifest = serde_yaml::from_str(&base(alert)).expect("parse");
2130 let err = m.validate().expect_err("bad alert must fail");
2131 assert!(err.contains(want), "for {alert:?}: got {err}");
2132 }
2133 }
2134
2135 #[test]
2136 fn manifest_client_absent_by_default() {
2137 // A plain operator job (the overwhelming majority) carries no
2138 // `client:` block, so it never surfaces in the end-user
2139 // catalog.
2140 let yaml = r#"
2141id: echo-test
2142version: 0.0.1
2143execute:
2144 shell: powershell
2145 script: "echo 'kanade'"
2146 timeout: 30s
2147"#;
2148 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2149 assert!(m.client.is_none());
2150 m.validate().expect("operator-only job validates");
2151 }
2152
2153 #[test]
2154 fn manifest_client_parses_and_validates() {
2155 // The Client App "困ったとき" remediation job shape: a
2156 // user-invokable troubleshoot job with the end-user fields the
2157 // KLP `jobs.list` wire needs, grouped under `client:`.
2158 let yaml = r#"
2159id: fix-teams-cache
2160version: 1.0.0
2161execute:
2162 shell: powershell
2163 script: "echo clearing"
2164 timeout: 60s
2165client:
2166 name: "Teams のキャッシュをクリア"
2167 description: "Teams が重いときに試してください"
2168 category: troubleshoot
2169 icon: brush-cleaning
2170"#;
2171 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2172 let c = m.client.as_ref().expect("client block present");
2173 assert_eq!(c.name, "Teams のキャッシュをクリア");
2174 assert_eq!(
2175 c.description.as_deref(),
2176 Some("Teams が重いときに試してください")
2177 );
2178 assert_eq!(c.category, JobCategory::Troubleshoot);
2179 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
2180 m.validate().expect("user-invokable job validates");
2181 }
2182
2183 #[test]
2184 fn manifest_client_minimal_only_name_and_category() {
2185 // description + icon are optional; name + category are the
2186 // serde-required minimum.
2187 let yaml = r#"
2188id: install-slack
2189version: 1.0.0
2190execute:
2191 shell: powershell
2192 script: "echo install"
2193 timeout: 600s
2194client:
2195 name: Slack
2196 category: catalog
2197"#;
2198 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2199 let c = m.client.as_ref().expect("client present");
2200 assert_eq!(c.category, JobCategory::Catalog);
2201 assert!(c.description.is_none() && c.icon.is_none());
2202 m.validate().expect("minimal client validates");
2203 }
2204
2205 #[test]
2206 fn manifest_client_rejects_blank_name() {
2207 // serde guarantees `name`/`category` are present; the one gap
2208 // is a present-but-blank name → empty catalog row title.
2209 let yaml = r#"
2210id: j
2211version: 1.0.0
2212execute:
2213 shell: powershell
2214 script: "echo x"
2215 timeout: 30s
2216client:
2217 name: " "
2218 category: catalog
2219"#;
2220 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2221 let err = m.validate().expect_err("blank name must fail");
2222 assert!(err.contains("client.name"), "err: {err}");
2223 }
2224
2225 #[test]
2226 fn manifest_client_rejects_blank_optional_fields() {
2227 // description / icon are optional, but a present-but-blank
2228 // value is a bug (empty subtitle / dangling icon name) — reject
2229 // it, mirroring the check: block's troubleshoot guard.
2230 for (field, line) in [
2231 ("client.description", " description: \" \"\n"),
2232 ("client.icon", " icon: \"\"\n"),
2233 ] {
2234 let yaml = format!(
2235 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
2236 );
2237 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
2238 let err = m.validate().expect_err("blank optional field must fail");
2239 assert!(err.contains(field), "expected {field} in err: {err}");
2240 }
2241 }
2242
2243 #[test]
2244 fn manifest_client_requires_category_at_parse() {
2245 // A `client:` block missing `category` is a hard parse error
2246 // (serde required field) — no manual validate() needed.
2247 let yaml = r#"
2248id: j
2249version: 1.0.0
2250execute:
2251 shell: powershell
2252 script: "echo x"
2253 timeout: 30s
2254client:
2255 name: "A job"
2256"#;
2257 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
2258 assert!(
2259 r.is_err(),
2260 "missing category must be a parse error, got {r:?}"
2261 );
2262 }
2263
2264 #[test]
2265 fn manifest_client_rejects_unknown_field() {
2266 // #492: the strict create boundary catches a fat-fingered
2267 // `displayname:` (with its path) instead of silently
2268 // dropping it; the tolerant read path accepts it.
2269 let yaml = r#"
2270id: j
2271version: 1.0.0
2272execute:
2273 shell: powershell
2274 script: "echo x"
2275 timeout: 30s
2276client:
2277 name: "A job"
2278 category: catalog
2279 displayname: oops
2280"#;
2281 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
2282 let err = r.expect_err("unknown client field must be rejected at the write boundary");
2283 // serde_ignored renders the Option layer as `?`:
2284 // `client.?.displayname`. Assert on the leaf key.
2285 assert!(err.contains("displayname"), "{err}");
2286 // The READ path tolerates the same payload (gradual-upgrade
2287 // contract: an old agent must accept a newer writer's field).
2288 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
2289 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
2290 }
2291
2292 #[test]
2293 fn manifest_tags_default_empty() {
2294 // The overwhelming majority of jobs carry no tags; the field
2295 // must default to an empty Vec (not fail to parse) and skip
2296 // serialisation so old readers never see the key.
2297 let yaml = r#"
2298id: echo-test
2299version: 0.0.1
2300execute:
2301 shell: powershell
2302 script: "echo 'kanade'"
2303 timeout: 30s
2304"#;
2305 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2306 assert!(m.tags.is_empty());
2307 m.validate().expect("tag-less job validates");
2308 // skip_serializing_if = empty ⇒ the key is absent from JSON.
2309 let json = serde_json::to_string(&m).expect("serialize");
2310 assert!(
2311 !json.contains("tags"),
2312 "empty tags must not serialise: {json}"
2313 );
2314 }
2315
2316 #[test]
2317 fn manifest_parses_and_validates_tags() {
2318 let yaml = r#"
2319id: check-bitlocker
2320version: 0.1.0
2321execute:
2322 shell: powershell
2323 script: "echo x"
2324 timeout: 30s
2325tags: [security, windows, health-check]
2326"#;
2327 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2328 assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
2329 m.validate().expect("tagged job validates");
2330 // Round-trips through JSON (the wire format the SPA reads).
2331 let json = serde_json::to_string(&m).expect("serialize");
2332 assert!(json.contains("\"tags\""), "non-empty tags must serialise");
2333 }
2334
2335 #[test]
2336 fn manifest_rejects_blank_tag() {
2337 // A whitespace-only tag renders an empty filter chip — reject
2338 // it at the write boundary like the other blank display fields.
2339 let yaml = r#"
2340id: j
2341version: 0.1.0
2342execute:
2343 shell: powershell
2344 script: "echo x"
2345 timeout: 30s
2346tags: [ok, " "]
2347"#;
2348 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2349 let err = m.validate().expect_err("blank tag must fail");
2350 assert!(err.contains("tags must not contain empty"), "err: {err}");
2351 }
2352
2353 // #720 — wrap an `aggregate:` YAML block (already indented as a
2354 // top-level key body) into an otherwise-minimal valid manifest.
2355 fn manifest_with_aggregate(aggregate_block: &str) -> Manifest {
2356 let yaml = format!(
2357 "id: t\nversion: 0.0.1\nexecute:\n shell: powershell\n script: echo hi\n timeout: 30s\n{aggregate_block}"
2358 );
2359 serde_yaml::from_str(&yaml).expect("parse aggregate manifest")
2360 }
2361
2362 #[test]
2363 fn aggregate_accepts_full_valid_spec() {
2364 // count+group_by+exclude+sample_minutes, ratio+bool_path,
2365 // timeline+time_bucket, fleet ranking via group_by: pc_id, and a
2366 // bare total stat — alongside emit (composes with every hint).
2367 let m = manifest_with_aggregate(
2368 "emit:\n type: events\naggregate:\n\
2369 - { dashboard: Utilization, title: Top apps, kind: app_sample, agg: count, group_by: foreground.app, sample_minutes: 2, exclude: [LockApp], render: bar }\n\
2370 - { dashboard: Utilization, title: Active ratio, kind: presence, agg: ratio, bool_path: active, sample_minutes: 5, render: gauge }\n\
2371 - { dashboard: Utilization, title: By hour, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: timeline }\n\
2372 - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
2373 - { dashboard: Reliability, title: Total crashes, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
2374 );
2375 m.validate().expect("valid aggregate spec");
2376 }
2377
2378 #[test]
2379 fn aggregate_rejects_empty_list() {
2380 let m = manifest_with_aggregate("aggregate: []\n");
2381 let err = m.validate().expect_err("empty list must fail");
2382 assert!(err.contains("at least one widget"), "err: {err}");
2383 }
2384
2385 #[test]
2386 fn aggregate_rejects_ratio_without_bool_path() {
2387 let m = manifest_with_aggregate(
2388 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
2389 );
2390 let err = m.validate().expect_err("ratio needs bool_path");
2391 assert!(err.contains("agg=ratio requires `bool_path`"), "err: {err}");
2392 }
2393
2394 #[test]
2395 fn aggregate_rejects_sum_without_value_path() {
2396 let m = manifest_with_aggregate(
2397 "aggregate:\n- { dashboard: D, title: T, kind: io, agg: sum, render: bar }\n",
2398 );
2399 let err = m.validate().expect_err("sum needs value_path");
2400 assert!(err.contains("agg=sum requires `value_path`"), "err: {err}");
2401 }
2402
2403 #[test]
2404 fn aggregate_rejects_pc_id_group_without_fleet() {
2405 let m = manifest_with_aggregate(
2406 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: count, group_by: pc_id, render: bar }\n",
2407 );
2408 let err = m.validate().expect_err("pc_id grouping needs fleet");
2409 assert!(
2410 err.contains("pc_id is only valid with scope: fleet"),
2411 "err: {err}"
2412 );
2413 }
2414
2415 #[test]
2416 fn aggregate_rejects_transform_with_pc_id_group() {
2417 let m = manifest_with_aggregate(
2418 "aggregate:\n- { dashboard: D, title: T, scope: fleet, kind: web_visit, agg: count, group_by: pc_id, transform: host, render: bar }\n",
2419 );
2420 let err = m
2421 .validate()
2422 .expect_err("transform on pc_id grouping must fail");
2423 assert!(
2424 err.contains("transform is not valid with group_by: pc_id"),
2425 "err: {err}"
2426 );
2427 }
2428
2429 #[test]
2430 fn aggregate_rejects_timeline_without_bucket() {
2431 let m = manifest_with_aggregate(
2432 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, render: timeline }\n",
2433 );
2434 let err = m.validate().expect_err("timeline needs a bucket");
2435 assert!(
2436 err.contains("render=timeline requires `time_bucket`"),
2437 "err: {err}"
2438 );
2439 }
2440
2441 #[test]
2442 fn aggregate_rejects_bucket_on_non_timeline() {
2443 let m = manifest_with_aggregate(
2444 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: gauge }\n",
2445 );
2446 let err = m.validate().expect_err("bucket only on timeline");
2447 assert!(
2448 err.contains("time_bucket is only valid with render: timeline"),
2449 "err: {err}"
2450 );
2451 }
2452
2453 #[test]
2454 fn aggregate_rejects_unsafe_json_path() {
2455 // A path with characters outside [A-Za-z0-9_.] could break out of
2456 // the `'$.' || ?` bind — reject at create time.
2457 let m = manifest_with_aggregate(
2458 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: \"foo'; DROP\", render: bar }\n",
2459 );
2460 let err = m.validate().expect_err("unsafe path must fail");
2461 assert!(err.contains("dotted JSON path"), "err: {err}");
2462 }
2463
2464 #[test]
2465 fn aggregate_rejects_blank_title() {
2466 let m = manifest_with_aggregate(
2467 "aggregate:\n- { dashboard: D, title: \" \", kind: k, agg: count, render: stat }\n",
2468 );
2469 let err = m.validate().expect_err("blank title must fail");
2470 assert!(err.contains("title must not be empty"), "err: {err}");
2471 }
2472
2473 #[test]
2474 fn aggregate_rejects_blank_kind() {
2475 let m = manifest_with_aggregate(
2476 "aggregate:\n- { dashboard: D, title: T, kind: \" \", agg: count, render: stat }\n",
2477 );
2478 let err = m.validate().expect_err("blank kind must fail");
2479 assert!(err.contains("kind must not be empty"), "err: {err}");
2480 }
2481
2482 #[test]
2483 fn aggregate_rejects_blank_source_when_set() {
2484 let m = manifest_with_aggregate(
2485 "aggregate:\n- { dashboard: D, title: T, kind: k, source: \"\", agg: count, render: stat }\n",
2486 );
2487 let err = m.validate().expect_err("blank source must fail");
2488 assert!(
2489 err.contains("source must not be empty when set"),
2490 "err: {err}"
2491 );
2492 }
2493
2494 #[test]
2495 fn aggregate_accepts_description_and_rejects_blank() {
2496 let ok = manifest_with_aggregate(
2497 "aggregate:\n- { dashboard: D, title: T, description: \"samples x 2 min\", kind: k, agg: count, render: stat }\n",
2498 );
2499 ok.validate()
2500 .expect("description is a valid optional field");
2501 assert_eq!(
2502 ok.aggregate.as_ref().unwrap()[0].description.as_deref(),
2503 Some("samples x 2 min")
2504 );
2505 let bad = manifest_with_aggregate(
2506 "aggregate:\n- { dashboard: D, title: T, description: \" \", kind: k, agg: count, render: stat }\n",
2507 );
2508 let err = bad.validate().expect_err("blank description must fail");
2509 assert!(
2510 err.contains("description must not be empty when set"),
2511 "err: {err}"
2512 );
2513 }
2514
2515 #[test]
2516 fn aggregate_rejects_count_with_value_path() {
2517 let m = manifest_with_aggregate(
2518 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, value_path: bytes, render: stat }\n",
2519 );
2520 let err = m.validate().expect_err("count must not use value_path");
2521 assert!(
2522 err.contains("agg=count does not use `value_path`"),
2523 "err: {err}"
2524 );
2525 }
2526
2527 #[test]
2528 fn aggregate_rejects_ratio_with_value_path() {
2529 let m = manifest_with_aggregate(
2530 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: ratio, bool_path: active, value_path: bytes, render: gauge }\n",
2531 );
2532 let err = m.validate().expect_err("ratio must not use value_path");
2533 assert!(
2534 err.contains("agg=ratio does not use `value_path`"),
2535 "err: {err}"
2536 );
2537 }
2538
2539 #[test]
2540 fn aggregate_rejects_gauge_without_ratio() {
2541 let m = manifest_with_aggregate(
2542 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, render: gauge }\n",
2543 );
2544 let err = m.validate().expect_err("gauge needs ratio");
2545 assert!(
2546 err.contains("render=gauge is only valid with agg: ratio"),
2547 "err: {err}"
2548 );
2549 }
2550
2551 #[test]
2552 fn aggregate_rejects_limit_without_group_by() {
2553 let m = manifest_with_aggregate(
2554 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, limit: 5, render: stat }\n",
2555 );
2556 let err = m.validate().expect_err("limit needs group_by");
2557 assert!(err.contains("limit requires `group_by`"), "err: {err}");
2558 }
2559
2560 #[test]
2561 fn aggregate_rejects_exclude_without_group_by() {
2562 let m = manifest_with_aggregate(
2563 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, exclude: [x], render: stat }\n",
2564 );
2565 let err = m.validate().expect_err("exclude needs group_by");
2566 assert!(err.contains("exclude requires `group_by`"), "err: {err}");
2567 }
2568
2569 #[test]
2570 fn aggregate_rejects_zero_limit_and_zero_sample_minutes() {
2571 let m = manifest_with_aggregate(
2572 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, limit: 0, render: bar }\n",
2573 );
2574 assert!(m.validate().unwrap_err().contains("limit must be > 0"));
2575 let m = manifest_with_aggregate(
2576 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, sample_minutes: 0, render: bar }\n",
2577 );
2578 assert!(
2579 m.validate()
2580 .unwrap_err()
2581 .contains("sample_minutes must be > 0")
2582 );
2583 }
2584
2585 #[test]
2586 fn aggregate_rejects_empty_exclude_entry() {
2587 let m = manifest_with_aggregate(
2588 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, exclude: [\" \"], render: bar }\n",
2589 );
2590 let err = m.validate().expect_err("blank exclude entry must fail");
2591 assert!(
2592 err.contains("exclude must not contain empty entries"),
2593 "err: {err}"
2594 );
2595 }
2596
2597 #[test]
2598 fn aggregate_rejects_malformed_dotted_paths() {
2599 for bad in [".foo", "foo.", "foo..bar", "."] {
2600 let m = manifest_with_aggregate(&format!(
2601 "aggregate:\n- {{ dashboard: D, title: T, kind: k, agg: count, group_by: \"{bad}\", render: bar }}\n"
2602 ));
2603 let err = m.validate().expect_err("malformed path must fail");
2604 assert!(err.contains("dotted JSON path"), "path {bad}: {err}");
2605 }
2606 }
2607
2608 #[test]
2609 fn aggregate_rejects_unknown_enum_value() {
2610 // An unrecognised render string deserialises to the #492 Unknown
2611 // catch-all (so old readers don't choke); validate() rejects it as
2612 // a typo at create time.
2613 let m = manifest_with_aggregate(
2614 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, render: heatmap }\n",
2615 );
2616 let err = m.validate().expect_err("unknown render must fail");
2617 assert!(err.contains("render is not a known value"), "err: {err}");
2618 }
2619
2620 #[test]
2621 fn aggregate_accepts_order_field() {
2622 let m = manifest_with_aggregate(
2623 "aggregate:\n- { dashboard: D, title: T, order: -5, kind: k, agg: count, render: stat }\n",
2624 );
2625 m.validate().expect("order is a valid optional field");
2626 let w = &m.aggregate.as_ref().unwrap()[0];
2627 assert_eq!(w.order, Some(-5));
2628 }
2629
2630 // ── #743 View resource ───────────────────────────────────────────
2631 fn view_from(yaml_body: &str) -> View {
2632 serde_yaml::from_str(&format!("id: v1\n{yaml_body}")).expect("parse view")
2633 }
2634
2635 #[test]
2636 fn view_accepts_valid_widgets() {
2637 let v = view_from(
2638 "widgets:\n\
2639 - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
2640 - { dashboard: Reliability, title: Total, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
2641 );
2642 v.validate().expect("valid view");
2643 }
2644
2645 #[test]
2646 fn view_rejects_empty_widgets() {
2647 let v = view_from("widgets: []\n");
2648 let err = v.validate().expect_err("empty widgets must fail");
2649 assert!(err.contains("at least one widget"), "err: {err}");
2650 }
2651
2652 #[test]
2653 fn view_rejects_blank_id() {
2654 let v: View = serde_yaml::from_str(
2655 "id: \" \"\nwidgets:\n- { dashboard: D, title: T, kind: k, agg: count, render: stat }\n",
2656 )
2657 .expect("parse");
2658 let err = v.validate().expect_err("blank id must fail");
2659 assert!(err.contains("view.id must"), "err: {err}");
2660 }
2661
2662 #[test]
2663 fn view_rejects_unsafe_id() {
2664 // A `/` or `..` in the id would break the KV key and the
2665 // `/api/views/{id}` URL segment — reject at create time.
2666 for bad in ["../etc", "a/b", "has space", "x;y"] {
2667 let v: View = serde_yaml::from_str(&format!(
2668 "id: \"{bad}\"\nwidgets:\n- {{ dashboard: D, title: T, kind: k, agg: count, render: stat }}\n",
2669 ))
2670 .expect("parse");
2671 let err = v.validate().expect_err("unsafe id must fail");
2672 assert!(err.contains("[A-Za-z0-9._-]"), "id {bad}: {err}");
2673 }
2674 assert!(is_valid_resource_id("dashboards-fleet.v1_2"));
2675 }
2676
2677 #[test]
2678 fn view_reuses_shared_widget_validation() {
2679 // The same per-widget rule the job hint enforces (ratio needs
2680 // bool_path), reported under the `widgets[..]` field.
2681 let v = view_from(
2682 "widgets:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
2683 );
2684 let err = v.validate().expect_err("ratio without bool_path must fail");
2685 assert!(
2686 err.contains("widgets[0].agg=ratio requires `bool_path`"),
2687 "err: {err}"
2688 );
2689 }
2690
2691 fn execute_with(
2692 script: Option<&str>,
2693 script_file: Option<&str>,
2694 script_object: Option<&str>,
2695 ) -> Execute {
2696 Execute {
2697 shell: ExecuteShell::Powershell,
2698 script: script.map(str::to_owned),
2699 script_file: script_file.map(str::to_owned),
2700 script_object: script_object.map(str::to_owned),
2701 timeout: "30s".into(),
2702 run_as: RunAs::default(),
2703 cwd: None,
2704 }
2705 }
2706
2707 #[test]
2708 fn validate_accepts_inline_script() {
2709 let e = execute_with(Some("echo hi"), None, None);
2710 assert!(e.validate_script_source().is_ok());
2711 }
2712
2713 #[test]
2714 fn validate_accepts_script_file_alone() {
2715 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
2716 assert!(e.validate_script_source().is_ok());
2717 }
2718
2719 #[test]
2720 fn validate_accepts_script_object_alone() {
2721 let e = execute_with(None, None, Some("cleanup/1.0.0"));
2722 assert!(e.validate_script_source().is_ok());
2723 }
2724
2725 #[test]
2726 fn validate_treats_empty_inline_script_as_unset() {
2727 // `script: ""` + `script_object` set is the natural shape
2728 // when an operator comments out the YAML block-scalar body
2729 // but leaves the key. Should pass.
2730 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
2731 assert!(e.validate_script_source().is_ok());
2732 }
2733
2734 #[test]
2735 fn validate_rejects_zero_sources() {
2736 let e = execute_with(None, None, None);
2737 let err = e.validate_script_source().unwrap_err();
2738 assert!(err.contains("must be set"), "got: {err}");
2739 }
2740
2741 #[test]
2742 fn validate_rejects_empty_inline_only() {
2743 let e = execute_with(Some(""), None, None);
2744 let err = e.validate_script_source().unwrap_err();
2745 assert!(err.contains("must be set"), "got: {err}");
2746 }
2747
2748 #[test]
2749 fn validate_rejects_inline_plus_file() {
2750 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
2751 let err = e.validate_script_source().unwrap_err();
2752 assert!(err.contains("only one of"), "got: {err}");
2753 }
2754
2755 #[test]
2756 fn validate_rejects_inline_plus_object() {
2757 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
2758 let err = e.validate_script_source().unwrap_err();
2759 assert!(err.contains("only one of"), "got: {err}");
2760 }
2761
2762 #[test]
2763 fn validate_rejects_file_plus_object() {
2764 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
2765 let err = e.validate_script_source().unwrap_err();
2766 assert!(err.contains("only one of"), "got: {err}");
2767 }
2768
2769 #[test]
2770 fn validate_rejects_all_three() {
2771 let e = execute_with(
2772 Some("echo hi"),
2773 Some("scripts/cleanup.ps1"),
2774 Some("cleanup/1.0.0"),
2775 );
2776 let err = e.validate_script_source().unwrap_err();
2777 assert!(err.contains("only one of"), "got: {err}");
2778 }
2779
2780 #[test]
2781 fn manifest_deserialises_script_object_yaml() {
2782 // SPEC §2.4.1 example shape with the Object Store
2783 // reference picked over inline.
2784 let yaml = r#"
2785id: cleanup-disk-temp
2786version: 1.0.1
2787execute:
2788 shell: powershell
2789 script_object: cleanup-disk-temp/1.0.1
2790 timeout: 600s
2791"#;
2792 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2793 assert_eq!(
2794 m.execute.script_object.as_deref(),
2795 Some("cleanup-disk-temp/1.0.1")
2796 );
2797 assert!(m.execute.script.is_none());
2798 m.validate()
2799 .expect("script_object-only manifest passes validation");
2800 }
2801
2802 #[test]
2803 fn manifest_rejects_typo_in_script_field_name() {
2804 // #492: the strict create boundary catches `script_objectt`
2805 // and similar fat-fingers (with the full path) instead of
2806 // letting them silently fall through to "all three unset".
2807 let yaml = r#"
2808id: typo
2809version: 1.0.0
2810execute:
2811 shell: powershell
2812 script_objectt: oops
2813 timeout: 30s
2814"#;
2815 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
2816 .expect_err("typo'd execute field must be rejected at the write boundary");
2817 assert!(err.contains("execute.script_objectt"), "{err}");
2818 }
2819
2820 #[test]
2821 fn schedule_carries_target_and_rollout() {
2822 let yaml = r#"
2823id: hourly-cleanup-canary
2824when:
2825 per_pc: { every: 1h }
2826job_id: cleanup
2827enabled: true
2828target:
2829 groups: [canary, wave1]
2830jitter: 30s
2831rollout:
2832 strategy: wave
2833 waves:
2834 - { group: canary, delay: 0s }
2835 - { group: wave1, delay: 5s }
2836"#;
2837 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2838 assert_eq!(s.id, "hourly-cleanup-canary");
2839 assert_eq!(s.job_id, "cleanup");
2840 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
2841 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
2842 let rollout = s.plan.rollout.expect("rollout present");
2843 assert_eq!(rollout.waves.len(), 2);
2844 assert_eq!(rollout.waves[0].group, "canary");
2845 assert_eq!(rollout.waves[1].delay, "5s");
2846 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
2847 }
2848
2849 #[test]
2850 fn schedule_minimal_target_all() {
2851 let yaml = r#"
2852id: kitting
2853when:
2854 per_pc: once
2855enabled: true
2856job_id: scheduled-echo
2857target: { all: true }
2858"#;
2859 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2860 assert_eq!(s.id, "kitting");
2861 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
2862 assert!(s.enabled);
2863 assert_eq!(s.job_id, "scheduled-echo");
2864 assert!(s.plan.target.all);
2865 assert!(s.plan.rollout.is_none());
2866 assert!(s.plan.jitter.is_none());
2867 assert!(s.active.is_empty());
2868 }
2869
2870 #[test]
2871 fn schedule_enabled_defaults_to_true() {
2872 let yaml = r#"
2873id: x
2874when:
2875 per_pc: once
2876job_id: y
2877target: { all: true }
2878"#;
2879 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2880 assert!(s.enabled);
2881 }
2882
2883 #[test]
2884 fn schedule_tags_default_empty_and_skip_serialise() {
2885 let yaml = r#"
2886id: x
2887when:
2888 per_pc: once
2889job_id: y
2890target: { all: true }
2891"#;
2892 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2893 assert!(s.tags.is_empty());
2894 s.validate().expect("tag-less schedule validates");
2895 let json = serde_json::to_string(&s).expect("serialize");
2896 assert!(
2897 !json.contains("tags"),
2898 "empty tags must not serialise: {json}"
2899 );
2900 }
2901
2902 #[test]
2903 fn schedule_parses_and_validates_tags() {
2904 let yaml = r#"
2905id: weekly-cleanup
2906when:
2907 per_pc: { every: 1h }
2908job_id: cleanup
2909target: { all: true }
2910tags: [weekly, maintenance]
2911"#;
2912 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2913 assert_eq!(s.tags, vec!["weekly", "maintenance"]);
2914 s.validate().expect("tagged schedule validates");
2915 }
2916
2917 #[test]
2918 fn schedule_rejects_blank_tag() {
2919 let yaml = r#"
2920id: x
2921when:
2922 per_pc: once
2923job_id: y
2924target: { all: true }
2925tags: [ok, " "]
2926"#;
2927 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
2928 let err = s.validate().expect_err("blank tag must fail");
2929 assert!(err.contains("tags must not contain empty"), "err: {err}");
2930 }
2931
2932 // ---- `when` parsing (#418 Phase 1) ----
2933
2934 fn schedule_yaml_with(when_block: &str) -> String {
2935 format!(
2936 r#"
2937id: x
2938when:
2939{when_block}
2940job_id: y
2941target: {{ all: true }}
2942"#
2943 )
2944 }
2945
2946 #[test]
2947 fn when_per_pc_every_parses_unquoted_humantime() {
2948 // `6h` is digit-led but non-numeric → YAML string, same as
2949 // the old `cooldown: 6h` convention. No quotes needed.
2950 let s: Schedule =
2951 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
2952 assert_eq!(
2953 s.when,
2954 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
2955 );
2956 }
2957
2958 #[test]
2959 fn when_per_target_every_parses() {
2960 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
2961 .expect("parse");
2962 assert_eq!(
2963 s.when,
2964 When::PerTarget(PerPolicy::Every(EverySpec {
2965 every: "24h".into()
2966 }))
2967 );
2968 }
2969
2970 #[test]
2971 fn when_per_target_once_parses() {
2972 // Falls out of the shared PerPolicy shape and decide_fire
2973 // already implements it ("any one pc succeeds → skip the
2974 // target forever"), so it is allowed, not rejected.
2975 let s: Schedule =
2976 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
2977 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
2978 }
2979
2980 #[test]
2981 fn when_calendar_time_parses() {
2982 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
2983 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
2984 ))
2985 .expect("parse");
2986 match &s.when {
2987 When::Calendar(c) => {
2988 assert_eq!(c.at, "09:00");
2989 assert_eq!(c.days, vec!["mon-fri"]);
2990 }
2991 other => panic!("expected calendar, got {other:?}"),
2992 }
2993 }
2994
2995 #[test]
2996 fn when_calendar_days_default_empty() {
2997 let s: Schedule =
2998 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
2999 .expect("parse");
3000 match &s.when {
3001 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
3002 other => panic!("expected calendar, got {other:?}"),
3003 }
3004 }
3005
3006 #[test]
3007 fn when_calendar_datetime_parses_all_separators() {
3008 // one-shot: date+time in hyphen / ISO-T / slash forms
3009 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
3010 let block = format!(" calendar:\n at: \"{at}\"");
3011 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
3012 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
3013 match &s.when {
3014 When::Calendar(c) => {
3015 use chrono::Datelike;
3016 let p = c.parse_at().expect("parse_at");
3017 let d = p.date.expect("datetime at carries a date");
3018 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
3019 }
3020 other => panic!("expected calendar, got {other:?}"),
3021 }
3022 }
3023 }
3024
3025 #[test]
3026 fn when_rejects_bad_once_keyword() {
3027 // `onec` must be a parse error, not a silently-absorbed
3028 // string (OnceLiteral is a single-variant enum for exactly
3029 // this reason).
3030 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
3031 assert!(r.is_err(), "expected parse error, got {r:?}");
3032 }
3033
3034 #[test]
3035 fn when_rejects_unknown_key_in_every() {
3036 // `{ evry: 6h }` still fails on the tolerant read path: the
3037 // required `every` key is missing, so no PerPolicy variant
3038 // matches (#492 removed deny_unknown_fields, but required
3039 // keys keep the untagged disambiguation honest).
3040 let r: Result<Schedule, _> =
3041 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
3042 assert!(r.is_err(), "expected parse error, got {r:?}");
3043 }
3044
3045 #[test]
3046 fn when_rejects_unknown_variant() {
3047 let r: Result<Schedule, _> =
3048 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
3049 assert!(r.is_err(), "expected parse error, got {r:?}");
3050 }
3051
3052 #[test]
3053 fn when_rejects_old_top_level_cron_field() {
3054 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
3055 // loudly (missing `when`), which is what turns stale KV
3056 // blobs into warn-skips after the upgrade.
3057 let yaml = r#"
3058id: x
3059cron: "* * * * * *"
3060job_id: y
3061target: { all: true }
3062"#;
3063 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
3064 assert!(r.is_err(), "expected parse error, got {r:?}");
3065 }
3066
3067 #[test]
3068 fn when_rejects_retired_cron_escape_hatch() {
3069 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
3070 // is now an unknown variant → parse error (operators use the
3071 // calendar form instead).
3072 let r: Result<Schedule, _> =
3073 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
3074 assert!(
3075 r.is_err(),
3076 "expected parse error for retired cron, got {r:?}"
3077 );
3078 }
3079
3080 #[test]
3081 fn when_round_trips_json_and_yaml() {
3082 // Round-trip through the full Schedule: that is the wire
3083 // unit for both stores (JSON catalog KV + YAML mirror), and
3084 // it exercises the singleton_map field attribute that keeps
3085 // serde_yaml on the map shape instead of `!per_pc` tags.
3086 for when in [
3087 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3088 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3089 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3090 When::PerTarget(PerPolicy::Every(EverySpec {
3091 every: "24h".into(),
3092 })),
3093 calendar("09:00", &["mon-fri"]),
3094 calendar("2026-06-10 09:00", &[]),
3095 When::On(vec![OnTrigger::Startup]),
3096 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
3097 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
3098 When::On(vec![OnTrigger::NetworkChange]),
3099 ] {
3100 // Event triggers are agent-only; the rest validate on backend.
3101 let runs_on = if matches!(when, When::On(_)) {
3102 RunsOn::Agent
3103 } else {
3104 RunsOn::Backend
3105 };
3106 let s = schedule_with(when.clone(), runs_on);
3107
3108 let json = serde_json::to_string(&s).expect("json serialise");
3109 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
3110 assert_eq!(back.when, when, "json round-trip for {when}");
3111
3112 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
3113 assert!(
3114 !yaml.contains('!'),
3115 "yaml must use the map shape, not tags: {yaml}"
3116 );
3117 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
3118 assert_eq!(back.when, when, "yaml round-trip for {when}");
3119 }
3120 }
3121
3122 #[test]
3123 fn when_once_serialises_as_bare_keyword() {
3124 // The wire shape operators see in the YAML mirror must stay
3125 // the ergonomic `per_pc: once`, not a one-variant map.
3126 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
3127 .expect("serialise");
3128 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
3129 }
3130
3131 #[test]
3132 fn when_displays_operator_summary() {
3133 for (when, expected) in [
3134 (
3135 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3136 "per_pc once",
3137 ),
3138 (
3139 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3140 "per_pc every 6h",
3141 ),
3142 (
3143 When::PerTarget(PerPolicy::Every(EverySpec {
3144 every: "24h".into(),
3145 })),
3146 "per_target every 24h",
3147 ),
3148 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
3149 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
3150 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
3151 (
3152 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
3153 "on [startup,logon]",
3154 ),
3155 (
3156 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
3157 "on [lock,unlock]",
3158 ),
3159 (
3160 When::On(vec![OnTrigger::NetworkChange]),
3161 "on [network_change]",
3162 ),
3163 ] {
3164 assert_eq!(when.to_string(), expected);
3165 }
3166 }
3167
3168 // ---- lowering (#418: when → engine vocabulary) ----
3169
3170 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
3171 Schedule {
3172 id: "x".into(),
3173 when,
3174 job_id: "y".into(),
3175 plan: FanoutPlan::default(),
3176 active: Active::default(),
3177 constraints: Constraints::default(),
3178 on_failure: OnFailure::default(),
3179 tz: ScheduleTz::default(),
3180 starting_deadline: None,
3181 runs_on,
3182 enabled: true,
3183 tags: Vec::new(),
3184 origin: None,
3185 }
3186 }
3187
3188 fn calendar(at: &str, days: &[&str]) -> When {
3189 When::Calendar(CalendarSpec {
3190 at: at.into(),
3191 days: days.iter().map(|d| (*d).to_string()).collect(),
3192 })
3193 }
3194
3195 #[test]
3196 fn next_calendar_fire_returns_next_utc_occurrence() {
3197 use chrono::TimeZone;
3198 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
3199 // next strict occurrence is 09:00 that day.
3200 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3201 s.tz = ScheduleTz::Utc;
3202 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
3203 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
3204 assert_eq!(
3205 next,
3206 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
3207 );
3208 }
3209
3210 #[test]
3211 fn next_calendar_fire_is_strictly_after_now() {
3212 use chrono::TimeZone;
3213 // Standing exactly on a fire instant must preview the *next*
3214 // one (inclusive = false), not the one firing right now.
3215 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3216 s.tz = ScheduleTz::Utc;
3217 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
3218 let next = s
3219 .next_calendar_fire(on_fire)
3220 .expect("calendar has a next fire");
3221 assert_eq!(
3222 next,
3223 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
3224 );
3225 }
3226
3227 #[test]
3228 fn next_calendar_fire_none_for_reconcile_shapes() {
3229 // `per_pc` / `per_target` lower to the every-minute poll cron —
3230 // no discrete upcoming event to preview, so `None`.
3231 let now = chrono::Utc::now();
3232 for when in [
3233 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3234 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3235 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3236 When::PerTarget(PerPolicy::Every(EverySpec {
3237 every: "24h".into(),
3238 })),
3239 ] {
3240 let s = schedule_with(when, RunsOn::Backend);
3241 assert!(
3242 s.next_calendar_fire(now).is_none(),
3243 "reconcile shapes have no calendar fire",
3244 );
3245 }
3246 }
3247
3248 // ---- preview_fires (#418 dry-run / preview) ----
3249
3250 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
3251 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
3252 s.tz = ScheduleTz::Utc; // host-independent assertions
3253 s
3254 }
3255
3256 #[test]
3257 fn preview_lists_next_calendar_occurrences() {
3258 use chrono::TimeZone;
3259 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
3260 // fires skip the weekend (Sat 13 / Sun 14).
3261 let s = cal_utc("09:00", &["mon-fri"]);
3262 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3263 let got = s.preview_fires(now, 5);
3264 let want: Vec<_> = [
3265 (2026, 6, 10), // Wed
3266 (2026, 6, 11), // Thu
3267 (2026, 6, 12), // Fri
3268 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
3269 (2026, 6, 16), // Tue
3270 ]
3271 .iter()
3272 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
3273 .collect();
3274 assert_eq!(got, want);
3275 }
3276
3277 #[test]
3278 fn preview_handles_nth_and_last_weekday() {
3279 use chrono::TimeZone;
3280 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
3281 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
3282 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
3283 assert_eq!(
3284 nth,
3285 vec![
3286 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
3287 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
3288 ]
3289 );
3290 // Last Friday of the month: Jun 26, Jul 31 2026.
3291 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
3292 assert_eq!(
3293 last,
3294 vec![
3295 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
3296 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
3297 ]
3298 );
3299 }
3300
3301 #[test]
3302 fn preview_is_empty_for_reconcile_and_zero_count() {
3303 let now = chrono::Utc::now();
3304 // reconcile shapes have no discrete fire times
3305 let recon = schedule_with(
3306 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3307 RunsOn::Backend,
3308 );
3309 assert!(recon.preview_fires(now, 5).is_empty());
3310 // count == 0 yields nothing even for a calendar
3311 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
3312 }
3313
3314 #[test]
3315 fn preview_skips_outside_active_window() {
3316 use chrono::TimeZone;
3317 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
3318 // before `from` are skipped; `until` is exclusive, so 06-17's
3319 // fire is out — leaving exactly the 15th and 16th.
3320 let mut s = cal_utc("09:00", &[]);
3321 s.active = Active {
3322 from: Some("2026-06-15".into()),
3323 until: Some("2026-06-17".into()),
3324 };
3325 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3326 let got = s.preview_fires(now, 5);
3327 assert_eq!(
3328 got,
3329 vec![
3330 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
3331 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
3332 ]
3333 );
3334 }
3335
3336 #[test]
3337 fn preview_empty_when_calendar_time_outside_window() {
3338 use chrono::TimeZone;
3339 // Fires at 09:00 but the maintenance window is overnight — it can
3340 // never run, so the preview is empty (matches
3341 // `calendar_outside_window`), and the scan still terminates.
3342 let mut s = cal_utc("09:00", &[]);
3343 s.constraints = Constraints {
3344 window: Some("22:00-05:00".into()),
3345 ..Constraints::default()
3346 };
3347 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3348 assert!(s.preview_fires(now, 5).is_empty());
3349 // Every candidate tick is rejected, so this also exercises the
3350 // SCAN_CAP bound: a large `count` must still terminate (and
3351 // return empty) rather than spin (claude #578 review).
3352 assert!(s.preview_fires(now, 50).is_empty());
3353 }
3354
3355 #[test]
3356 fn preview_past_one_shot_is_empty() {
3357 use chrono::TimeZone;
3358 // A dated one-shot whose instant has passed never fires again.
3359 let s = cal_utc("2026-06-10 09:00", &[]);
3360 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
3361 assert!(s.preview_fires(now, 5).is_empty());
3362 // …but from before it, the single future fire shows up.
3363 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
3364 assert_eq!(
3365 s.preview_fires(before, 5),
3366 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
3367 );
3368 }
3369
3370 #[test]
3371 fn lowering_matches_the_418_table() {
3372 let cases = [
3373 (
3374 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3375 (POLL_CRON, ExecMode::OncePerPc, None),
3376 ),
3377 (
3378 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3379 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
3380 ),
3381 (
3382 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3383 (POLL_CRON, ExecMode::OncePerTarget, None),
3384 ),
3385 (
3386 When::PerTarget(PerPolicy::Every(EverySpec {
3387 every: "24h".into(),
3388 })),
3389 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
3390 ),
3391 // calendar repeating → 6-field cron
3392 (
3393 calendar("09:00", &["mon-fri"]),
3394 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
3395 ),
3396 // calendar daily (no days) → DOW *
3397 (
3398 calendar("18:30", &[]),
3399 ("0 30 18 * * *", ExecMode::EveryTick, None),
3400 ),
3401 // calendar one-shot → 7-field year cron
3402 (
3403 calendar("2026-06-10 09:00", &[]),
3404 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
3405 ),
3406 ];
3407 for (when, (cron, mode, cooldown)) in cases {
3408 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
3409 assert_eq!(l.cron, cron, "cron for {when}");
3410 assert_eq!(l.mode, mode, "mode for {when}");
3411 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
3412 }
3413 }
3414
3415 #[test]
3416 fn lowered_carries_schedule_tz() {
3417 for (tz, want) in [
3418 (ScheduleTz::Local, ScheduleTz::Local),
3419 (ScheduleTz::Utc, ScheduleTz::Utc),
3420 ] {
3421 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
3422 s.tz = tz;
3423 assert_eq!(s.lowered().tz, want, "calendar carries tz");
3424 // reconcile shapes carry tz too (for the active-window check)
3425 let mut s = schedule_with(
3426 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3427 RunsOn::Backend,
3428 );
3429 s.tz = tz;
3430 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
3431 }
3432 }
3433
3434 #[test]
3435 fn poll_cron_is_accepted_by_the_engine_parser() {
3436 // POLL_CRON is system-generated — if the engine's parser
3437 // ever rejected it every reconcile schedule would die at
3438 // register time. Validate it with the same croner config
3439 // (Seconds::Required, dom_and_dow, year optional).
3440 croner::parser::CronParser::builder()
3441 .seconds(croner::parser::Seconds::Required)
3442 .dom_and_dow(true)
3443 .build()
3444 .parse(POLL_CRON)
3445 .expect("POLL_CRON must parse");
3446 }
3447
3448 // ---- Schedule::validate() (#418 decision F) ----
3449
3450 #[test]
3451 fn validate_accepts_reconcile_shapes() {
3452 for when in [
3453 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3454 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3455 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3456 When::PerTarget(PerPolicy::Every(EverySpec {
3457 every: "24h".into(),
3458 })),
3459 ] {
3460 schedule_with(when.clone(), RunsOn::Backend)
3461 .validate()
3462 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
3463 }
3464 }
3465
3466 #[test]
3467 fn validate_accepts_per_pc_on_agent() {
3468 schedule_with(
3469 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
3470 RunsOn::Agent,
3471 )
3472 .validate()
3473 .expect("per_pc + agent is the offline-inventory shape");
3474 }
3475
3476 // ---- #418 event triggers (when: { on }) ----
3477
3478 #[test]
3479 fn validate_accepts_event_on_agent() {
3480 for triggers in [
3481 vec![OnTrigger::Startup],
3482 vec![OnTrigger::Logon],
3483 vec![OnTrigger::Lock],
3484 vec![OnTrigger::Unlock],
3485 vec![OnTrigger::NetworkChange],
3486 vec![
3487 OnTrigger::Startup,
3488 OnTrigger::Logon,
3489 OnTrigger::Lock,
3490 OnTrigger::Unlock,
3491 OnTrigger::NetworkChange,
3492 ],
3493 ] {
3494 schedule_with(When::On(triggers), RunsOn::Agent)
3495 .validate()
3496 .expect("when.on is valid on runs_on: agent");
3497 }
3498 }
3499
3500 #[test]
3501 fn validate_rejects_event_on_backend() {
3502 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
3503 .validate()
3504 .unwrap_err();
3505 assert!(err.contains("when.on"), "got: {err}");
3506 assert!(err.contains("runs_on: agent"), "got: {err}");
3507 }
3508
3509 #[test]
3510 fn validate_rejects_empty_event_list() {
3511 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
3512 .validate()
3513 .unwrap_err();
3514 assert!(err.contains("when.on"), "got: {err}");
3515 assert!(err.contains("at least one"), "got: {err}");
3516 }
3517
3518 #[test]
3519 fn event_schedule_lowers_to_event_mode_and_is_event() {
3520 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
3521 assert!(s.is_event());
3522 assert_eq!(s.lowered().mode, ExecMode::Event);
3523 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
3524 // non-event schedules report no triggers.
3525 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3526 assert!(!cal.is_event());
3527 assert!(cal.event_triggers().is_empty());
3528 }
3529
3530 // ---- #418 constraints.require (env gates) ----
3531
3532 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
3533 let mut s = schedule_with(
3534 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
3535 runs_on,
3536 );
3537 s.constraints.require = Some(req);
3538 s
3539 }
3540
3541 #[test]
3542 fn require_met_combinations() {
3543 use std::time::Duration;
3544 let idle = |m: u64| Some(Duration::from_secs(m * 60));
3545 // Builder for the sensed state: (ac, idle, cpu, network).
3546 let env = |ac, idle, cpu, net| EnvState {
3547 ac_online: ac,
3548 idle,
3549 cpu_pct: cpu,
3550 network_up: net,
3551 };
3552 // Empty require — always met regardless of sensed state.
3553 assert!(require_met(
3554 &Require::default(),
3555 &env(false, None, None, false)
3556 ));
3557 // ac_power: only on AC.
3558 let ac = Require {
3559 ac_power: true,
3560 ..Default::default()
3561 };
3562 assert!(!require_met(&ac, &env(false, None, None, true)));
3563 assert!(require_met(&ac, &env(true, None, None, false)));
3564 // idle: needs >= the configured min; None idle never satisfies.
3565 let idle10 = Require {
3566 idle: Some("10m".into()),
3567 ..Default::default()
3568 };
3569 assert!(!require_met(&idle10, &env(true, None, None, true)));
3570 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
3571 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
3572 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
3573 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
3574 let cpu20 = Require {
3575 cpu_below: Some(20.0),
3576 ..Default::default()
3577 };
3578 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
3579 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
3580 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
3581 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
3582 // network: only when online.
3583 let net = Require {
3584 network: true,
3585 ..Default::default()
3586 };
3587 assert!(!require_met(&net, &env(true, None, None, false))); // offline
3588 assert!(require_met(&net, &env(true, None, None, true))); // online
3589 // all four: AND.
3590 let all = Require {
3591 ac_power: true,
3592 idle: Some("10m".into()),
3593 cpu_below: Some(20.0),
3594 network: true,
3595 };
3596 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
3597 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
3598 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
3599 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
3600 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
3601 // An unparseable idle is treated as no-requirement by require_met
3602 // (validate rejects it at create time, so this only guards a
3603 // hand-edited blob): ac still gates.
3604 let bad = Require {
3605 ac_power: true,
3606 idle: Some("garbage".into()),
3607 ..Default::default()
3608 };
3609 assert!(require_met(&bad, &env(true, None, None, true)));
3610 assert!(!require_met(&bad, &env(false, None, None, true)));
3611 }
3612
3613 #[test]
3614 fn validate_accepts_and_rejects_cpu_below() {
3615 // In-range accepted.
3616 require_schedule(
3617 Require {
3618 cpu_below: Some(20.0),
3619 ..Default::default()
3620 },
3621 RunsOn::Agent,
3622 )
3623 .validate()
3624 .expect("cpu_below 20 is valid");
3625 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
3626 // 100%). Pins the inclusive upper bound against a future c < 100.0.
3627 require_schedule(
3628 Require {
3629 cpu_below: Some(100.0),
3630 ..Default::default()
3631 },
3632 RunsOn::Agent,
3633 )
3634 .validate()
3635 .expect("cpu_below 100 is valid");
3636 // Out of range rejected (0 and >100).
3637 for bad in [0.0, -5.0, 100.1] {
3638 let err = require_schedule(
3639 Require {
3640 cpu_below: Some(bad),
3641 ..Default::default()
3642 },
3643 RunsOn::Agent,
3644 )
3645 .validate()
3646 .unwrap_err();
3647 assert!(
3648 err.contains("constraints.require.cpu_below"),
3649 "cpu_below {bad}: {err}"
3650 );
3651 }
3652 }
3653
3654 #[test]
3655 fn validate_accepts_require_on_agent() {
3656 require_schedule(
3657 Require {
3658 ac_power: true,
3659 idle: Some("10m".into()),
3660 cpu_below: Some(20.0),
3661 network: true,
3662 },
3663 RunsOn::Agent,
3664 )
3665 .validate()
3666 .expect("constraints.require is valid on runs_on: agent");
3667 }
3668
3669 #[test]
3670 fn validate_rejects_require_on_backend() {
3671 let err = require_schedule(
3672 Require {
3673 ac_power: true,
3674 ..Default::default()
3675 },
3676 RunsOn::Backend,
3677 )
3678 .validate()
3679 .unwrap_err();
3680 assert!(err.contains("constraints.require"), "got: {err}");
3681 assert!(err.contains("runs_on: agent"), "got: {err}");
3682
3683 // An idle-only require (ac_power: false) is also non-empty
3684 // (is_empty folds the fields) and must reject on backend too —
3685 // guards against a regression in Require::is_empty.
3686 let err = require_schedule(
3687 Require {
3688 idle: Some("10m".into()),
3689 ..Default::default()
3690 },
3691 RunsOn::Backend,
3692 )
3693 .validate()
3694 .unwrap_err();
3695 assert!(
3696 err.contains("constraints.require"),
3697 "idle-only on backend: {err}"
3698 );
3699 }
3700
3701 #[test]
3702 fn validate_rejects_bad_require_idle() {
3703 let err = require_schedule(
3704 Require {
3705 idle: Some("not-a-duration".into()),
3706 ..Default::default()
3707 },
3708 RunsOn::Agent,
3709 )
3710 .validate()
3711 .unwrap_err();
3712 assert!(err.contains("constraints.require.idle"), "got: {err}");
3713 }
3714
3715 #[test]
3716 fn require_round_trips_and_skips_empty() {
3717 // ac_power: false is skipped; an all-default require nested in
3718 // constraints is omitted (is_empty folds it in).
3719 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
3720 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
3721 network: true } }\n";
3722 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3723 let req = s.constraints.require.as_ref().expect("require present");
3724 assert!(req.ac_power);
3725 assert_eq!(req.idle.as_deref(), Some("10m"));
3726 assert_eq!(req.cpu_below, Some(20.0));
3727 assert!(req.network);
3728 // Re-serialize: idle + cpu_below + network present, ac_power true.
3729 let back = serde_json::to_string(&s.constraints).unwrap();
3730 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
3731 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
3732 assert!(back.contains("\"network\":true"), "got: {back}");
3733 // An empty require is omitted entirely by is_empty.
3734 let mut empty = s.clone();
3735 empty.constraints.require = Some(Require::default());
3736 assert!(empty.constraints.is_empty());
3737 }
3738
3739 #[test]
3740 fn validate_rejects_per_target_on_agent() {
3741 let err = schedule_with(
3742 When::PerTarget(PerPolicy::Every(EverySpec {
3743 every: "24h".into(),
3744 })),
3745 RunsOn::Agent,
3746 )
3747 .validate()
3748 .unwrap_err();
3749 assert!(err.contains("per_target"), "got: {err}");
3750 assert!(err.contains("runs_on: agent"), "got: {err}");
3751
3752 // per_target: once is also backend-only.
3753 let err = schedule_with(
3754 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3755 RunsOn::Agent,
3756 )
3757 .validate()
3758 .unwrap_err();
3759 assert!(err.contains("per_target"), "got (once): {err}");
3760 assert!(err.contains("runs_on: agent"), "got (once): {err}");
3761 }
3762
3763 #[test]
3764 fn validate_rejects_bad_every_duration() {
3765 let err = schedule_with(
3766 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
3767 RunsOn::Backend,
3768 )
3769 .validate()
3770 .unwrap_err();
3771 assert!(err.contains("when.every"), "got: {err}");
3772 }
3773
3774 #[test]
3775 fn validate_rejects_bad_jitter_and_starting_deadline() {
3776 let mut s = schedule_with(
3777 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3778 RunsOn::Backend,
3779 );
3780 s.plan.jitter = Some("5x".into());
3781 let err = s.validate().unwrap_err();
3782 assert!(err.contains("jitter"), "got: {err}");
3783
3784 let mut s = schedule_with(
3785 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3786 RunsOn::Backend,
3787 );
3788 s.starting_deadline = Some("soon".into());
3789 let err = s.validate().unwrap_err();
3790 assert!(err.contains("starting_deadline"), "got: {err}");
3791 }
3792
3793 #[test]
3794 fn validate_accepts_calendar_shapes() {
3795 for when in [
3796 calendar("09:00", &["mon-fri"]), // weekday morning
3797 calendar("00:00", &["sun"]), // weekly
3798 calendar("18:30", &[]), // daily
3799 calendar("2026-06-10 09:00", &[]), // one-shot
3800 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
3801 ] {
3802 schedule_with(when.clone(), RunsOn::Backend)
3803 .validate()
3804 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
3805 }
3806 }
3807
3808 #[test]
3809 fn validate_rejects_bad_at() {
3810 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
3811 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
3812 .validate()
3813 .unwrap_err();
3814 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
3815 }
3816 }
3817
3818 #[test]
3819 fn validate_rejects_datetime_at_with_days() {
3820 // A dated `at` is a one-shot — pairing it with days is a
3821 // contradiction (the date already pins the day).
3822 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
3823 .validate()
3824 .unwrap_err();
3825 assert!(
3826 err.contains("one-shot") && err.contains("days"),
3827 "got: {err}"
3828 );
3829 }
3830
3831 #[test]
3832 fn validate_rejects_bad_day_name() {
3833 // A garbage DOW token is caught by the days pre-flight and
3834 // reported against `when.days`, not the confusing
3835 // "when.at lowered to invalid cron" (claude #432 review).
3836 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
3837 .validate()
3838 .unwrap_err();
3839 assert!(err.contains("when.days"), "got: {err}");
3840 assert!(err.contains("funday"), "names the bad token: {err}");
3841 // a degenerate range like `mon-` reports the whole token, not
3842 // a cryptic empty part (claude #432 follow-up)
3843 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
3844 .validate()
3845 .unwrap_err();
3846 assert!(err.contains("'mon-'"), "names the whole token: {err}");
3847 // valid names / ranges / numeric / * all pass
3848 for ok in [
3849 calendar("09:00", &["mon-fri"]),
3850 calendar("09:00", &["mon", "wed", "sun"]),
3851 calendar("09:00", &["1-5"]),
3852 ] {
3853 schedule_with(ok.clone(), RunsOn::Backend)
3854 .validate()
3855 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
3856 }
3857 }
3858
3859 #[test]
3860 fn validate_accepts_nth_weekday() {
3861 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
3862 // a cron and parses it with croner, so passing here proves the
3863 // whole chain — token → DOW field → engine-acceptable cron.
3864 for ok in [
3865 calendar("09:00", &["tue#2"]), // 2nd Tuesday
3866 calendar("09:00", &["fri#1"]), // 1st Friday
3867 calendar("03:00", &["sun#5"]), // 5th Sunday
3868 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
3869 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
3870 // Case-insensitive both sides: validate lowercases, croner
3871 // upper-cases the whole pattern before aliasing (claude #547).
3872 calendar("09:00", &["TUE#2"]),
3873 ] {
3874 schedule_with(ok.clone(), RunsOn::Backend)
3875 .validate()
3876 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
3877 }
3878 }
3879
3880 #[test]
3881 fn validate_rejects_bad_nth_weekday() {
3882 // ordinal out of 1..5, a range with #, and a bad day before #.
3883 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
3884 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
3885 .validate()
3886 .unwrap_err();
3887 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
3888 }
3889 }
3890
3891 #[test]
3892 fn validate_accepts_last_weekday() {
3893 // #418: last-weekday (`friL` = last Friday). Like the nth case,
3894 // validate() lowers to a cron and round-trips it through croner,
3895 // so passing proves token → DOW field → engine-acceptable cron
3896 // with the verified last-<dow>-of-month semantics.
3897 for ok in [
3898 calendar("09:00", &["friL"]), // last Friday
3899 calendar("03:00", &["sunL"]), // last Sunday
3900 calendar("22:00", &["5L"]), // numeric DOW + last
3901 calendar("00:00", &["0L"]), // numeric Sunday (0…
3902 calendar("00:00", &["7L"]), // …and its 7 alias)
3903 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
3904 // Case-insensitive both the weekday and the `L` suffix:
3905 // validate lowercases the day, croner upper-cases the whole
3906 // pattern before aliasing (claude #547).
3907 calendar("09:00", &["FRIL"]),
3908 calendar("09:00", &["fril"]),
3909 ] {
3910 schedule_with(ok.clone(), RunsOn::Backend)
3911 .validate()
3912 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
3913 }
3914 }
3915
3916 #[test]
3917 fn validate_rejects_bad_last_weekday() {
3918 // bare `L` (no weekday — a footgun croner reads as Saturday), a
3919 // range with L, a bad day before L, and an internal space that
3920 // would otherwise leak a malformed cron downstream (gemini #560).
3921 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
3922 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
3923 .validate()
3924 .unwrap_err();
3925 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
3926 }
3927 }
3928
3929 #[test]
3930 fn calendar_oneshot_instant_detects_past() {
3931 use chrono::TimeZone;
3932 // a dated `at` resolves to an absolute instant…
3933 let c = CalendarSpec {
3934 at: "2024-01-01 09:00".into(),
3935 days: vec![],
3936 };
3937 let t = c
3938 .oneshot_instant(ScheduleTz::Utc)
3939 .expect("one-shot instant");
3940 assert_eq!(
3941 t,
3942 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
3943 );
3944 assert!(t < chrono::Utc::now(), "2024 is in the past");
3945 // …while a repeating (time-only) calendar has no instant
3946 let rep = CalendarSpec {
3947 at: "09:00".into(),
3948 days: vec!["mon-fri".into()],
3949 };
3950 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
3951 }
3952
3953 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
3954 let mut s = schedule_with(
3955 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3956 RunsOn::Backend,
3957 );
3958 s.active = Active {
3959 from: from.map(str::to_owned),
3960 until: until.map(str::to_owned),
3961 };
3962 s
3963 }
3964
3965 #[test]
3966 fn validate_accepts_active_window() {
3967 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
3968 .validate()
3969 .expect("date + rfc3339 bounds should validate");
3970 }
3971
3972 #[test]
3973 fn validate_rejects_unparseable_active_bound() {
3974 let err = schedule_with_active(Some("July 1st"), None)
3975 .validate()
3976 .unwrap_err();
3977 assert!(err.contains("active"), "got: {err}");
3978 }
3979
3980 #[test]
3981 fn validate_rejects_from_not_before_until() {
3982 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
3983 .validate()
3984 .unwrap_err();
3985 assert!(err.contains("strictly before"), "got: {err}");
3986
3987 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
3988 .validate()
3989 .unwrap_err();
3990 assert!(err.contains("strictly before"), "got: {err}");
3991 }
3992
3993 // ---- Active window semantics ----
3994
3995 #[test]
3996 fn active_window_is_half_open() {
3997 use chrono::TimeZone;
3998 let active = Active {
3999 from: Some("2026-07-01".into()),
4000 until: Some("2026-08-01".into()),
4001 };
4002 // UTC tz so the date bounds are UTC midnight.
4003 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
4004 let c = |t| active.contains(t, ScheduleTz::Utc);
4005 assert!(!c(at(2026, 6, 30, 23)), "before from");
4006 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
4007 assert!(c(at(2026, 7, 15, 12)), "inside");
4008 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
4009 assert!(!c(at(2026, 8, 2, 0)), "after until");
4010 }
4011
4012 #[test]
4013 fn active_empty_window_is_always_active() {
4014 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
4015 }
4016
4017 #[test]
4018 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
4019 use chrono::TimeZone;
4020 let active = Active {
4021 from: Some("2026-07-01T09:00:00+09:00".into()),
4022 until: None,
4023 };
4024 // RFC3339 carries its own offset → tz arg is ignored.
4025 // 09:00 JST = 00:00 UTC.
4026 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
4027 assert!(
4028 !active.contains(
4029 chrono::Utc
4030 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
4031 .unwrap(),
4032 tz
4033 )
4034 );
4035 assert!(active.contains(
4036 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
4037 tz
4038 ));
4039 }
4040 }
4041
4042 #[test]
4043 fn active_date_bound_respects_tz() {
4044 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
4045 // tz* (#418 Phase 2). The UTC interpretation is exact and
4046 // host-independent; assert that precisely.
4047 use chrono::TimeZone;
4048 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
4049 assert_eq!(
4050 utc,
4051 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
4052 );
4053
4054 // The local interpretation must equal what chrono::Local
4055 // computes for the same wall-clock midnight — proves the tz
4056 // path is wired to the host zone (the magnitude vs UTC is
4057 // host-dependent, so we compare against Local directly rather
4058 // than hard-coding the JST offset, keeping CI green on UTC
4059 // runners).
4060 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
4061 let want = chrono::Local
4062 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
4063 .single()
4064 .expect("local midnight is unambiguous")
4065 .with_timezone(&chrono::Utc);
4066 assert_eq!(local, want, "date bound resolved in host-local tz");
4067 }
4068
4069 #[test]
4070 fn active_empty_is_skipped_when_serialising() {
4071 let s = schedule_with(
4072 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4073 RunsOn::Backend,
4074 );
4075 let json = serde_json::to_value(&s).expect("serialise");
4076 assert!(
4077 json.get("active").is_none(),
4078 "empty active must not appear on the wire: {json}"
4079 );
4080 }
4081
4082 // ---- constraints.window (#418 Phase 3) ----
4083
4084 fn with_window(win: &str) -> Schedule {
4085 let mut s = schedule_with(
4086 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4087 RunsOn::Backend,
4088 );
4089 s.constraints.window = Some(win.into());
4090 s
4091 }
4092
4093 #[test]
4094 fn constraints_window_parses_and_round_trips() {
4095 let yaml = r#"
4096id: x
4097when:
4098 per_pc: { every: 6h }
4099job_id: y
4100target: { all: true }
4101constraints:
4102 window: "22:00-05:00"
4103"#;
4104 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4105 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
4106 let back: Schedule =
4107 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
4108 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
4109 }
4110
4111 #[test]
4112 fn constraints_empty_is_skipped_when_serialising() {
4113 let s = schedule_with(
4114 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4115 RunsOn::Backend,
4116 );
4117 let json = serde_json::to_value(&s).expect("serialise");
4118 assert!(
4119 json.get("constraints").is_none(),
4120 "empty constraints must not appear on the wire: {json}"
4121 );
4122 }
4123
4124 #[test]
4125 fn window_no_constraint_always_allows() {
4126 let c = Constraints::default();
4127 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
4128 }
4129
4130 #[test]
4131 fn window_same_day_is_half_open() {
4132 use chrono::TimeZone;
4133 let s = with_window("09:00-17:00");
4134 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
4135 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
4136 assert!(!a(at(8, 59)), "before start");
4137 assert!(a(at(9, 0)), "at start (inclusive)");
4138 assert!(a(at(16, 59)), "inside");
4139 assert!(!a(at(17, 0)), "at end (exclusive)");
4140 assert!(!a(at(23, 0)), "after end");
4141 }
4142
4143 #[test]
4144 fn window_crossing_midnight() {
4145 use chrono::TimeZone;
4146 let s = with_window("22:00-05:00");
4147 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
4148 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
4149 assert!(a(at(22, 0)), "at start tonight");
4150 assert!(a(at(23, 30)), "late tonight");
4151 assert!(a(at(3, 0)), "early tomorrow");
4152 assert!(!a(at(5, 0)), "at end (exclusive)");
4153 assert!(!a(at(12, 0)), "midday outside");
4154 assert!(!a(at(21, 59)), "just before start");
4155 }
4156
4157 #[test]
4158 fn window_respects_tz() {
4159 // The same instant is inside the window under one tz and may
4160 // be outside under another. Compare UTC vs Local via the
4161 // host's own offset (kept CI-green on UTC runners like the
4162 // active tz test does).
4163 use chrono::TimeZone;
4164 let s = with_window("09:00-17:00");
4165 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
4166 // Under UTC, 12:00 is inside 09:00-17:00.
4167 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
4168 // Under Local, the verdict tracks the host wall-clock time;
4169 // assert it matches a direct wall_time membership check.
4170 let local_t = noon_utc.with_timezone(&chrono::Local).time();
4171 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
4172 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
4173 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
4174 }
4175
4176 #[test]
4177 fn validate_accepts_good_window() {
4178 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
4179 with_window(w)
4180 .validate()
4181 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
4182 }
4183 }
4184
4185 #[test]
4186 fn validate_rejects_bad_window() {
4187 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
4188 let err = with_window(bad).validate().unwrap_err();
4189 assert!(
4190 err.contains("constraints.window"),
4191 "for '{bad}', got: {err}"
4192 );
4193 }
4194 }
4195
4196 // ---- constraints.skip_dates (#418 holiday exclusion) ----
4197
4198 fn with_skip_dates(dates: &[&str]) -> Schedule {
4199 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4200 s.tz = ScheduleTz::Utc; // host-independent date assertions
4201 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
4202 s
4203 }
4204
4205 #[test]
4206 fn allows_blocks_listed_skip_date() {
4207 use chrono::TimeZone;
4208 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
4209 // Any time on a listed date is blocked (whole day).
4210 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
4211 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
4212 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
4213 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
4214 // A date not in the list fires normally.
4215 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
4216 assert!(s.constraints.allows(off, ScheduleTz::Utc));
4217 }
4218
4219 #[test]
4220 fn allows_corrupt_skip_date_fails_closed() {
4221 use chrono::TimeZone;
4222 // A garbled entry (only reachable via hand-edited KV) blocks
4223 // rather than silently re-enabling fires — same posture as a
4224 // corrupt window.
4225 let s = with_skip_dates(&["not-a-date"]);
4226 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
4227 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
4228 }
4229
4230 #[test]
4231 fn validate_accepts_good_skip_dates() {
4232 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
4233 .validate()
4234 .expect("well-formed skip dates should validate");
4235 }
4236
4237 #[test]
4238 fn validate_rejects_bad_skip_date() {
4239 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
4240 let err = with_skip_dates(&[bad]).validate().unwrap_err();
4241 assert!(
4242 err.contains("constraints.skip_dates"),
4243 "for '{bad}', got: {err}"
4244 );
4245 }
4246 }
4247
4248 #[test]
4249 fn preview_skips_holidays() {
4250 use chrono::TimeZone;
4251 // Daily 09:00 with two of the next five days marked as holidays
4252 // — preview drops exactly those, since it gates on `allows`.
4253 let mut s = cal_utc("09:00", &[]);
4254 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
4255 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
4256 let got = s.preview_fires(now, 4);
4257 let want: Vec<_> = [
4258 (2026, 6, 10),
4259 (2026, 6, 12), // skips 06-11
4260 (2026, 6, 14), // skips 06-13
4261 (2026, 6, 15),
4262 ]
4263 .iter()
4264 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
4265 .collect();
4266 assert_eq!(got, want);
4267 }
4268
4269 // ---- constraints.max_concurrent (#418) ----
4270
4271 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
4272 let mut s = schedule_with(
4273 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4274 runs_on,
4275 );
4276 s.constraints.max_concurrent = Some(max);
4277 s
4278 }
4279
4280 #[test]
4281 fn validate_accepts_backend_max_concurrent() {
4282 with_max_concurrent(5, RunsOn::Backend)
4283 .validate()
4284 .expect("backend max_concurrent should validate");
4285 }
4286
4287 #[test]
4288 fn validate_rejects_max_concurrent_on_agent() {
4289 // Decision E: a central running-instance cap needs a central
4290 // counter, which agents don't have.
4291 let err = with_max_concurrent(5, RunsOn::Agent)
4292 .validate()
4293 .unwrap_err();
4294 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
4295 assert!(err.contains("runs_on: agent"), "got: {err}");
4296 }
4297
4298 #[test]
4299 fn validate_rejects_zero_max_concurrent() {
4300 let err = with_max_concurrent(0, RunsOn::Backend)
4301 .validate()
4302 .unwrap_err();
4303 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
4304 }
4305
4306 #[test]
4307 fn max_concurrent_round_trips_and_skips_when_absent() {
4308 let s = with_max_concurrent(3, RunsOn::Backend);
4309 let json = serde_json::to_value(&s.constraints).expect("ser");
4310 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
4311 // A schedule with no constraints omits the whole block.
4312 let bare = schedule_with(
4313 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4314 RunsOn::Backend,
4315 );
4316 assert!(bare.constraints.is_empty());
4317 }
4318
4319 #[test]
4320 fn window_fail_closed_on_corrupt_blob() {
4321 // A malformed window (only reachable via a hand-edited KV
4322 // blob — validate() rejects it at create) must BLOCK, not
4323 // silently allow fires during a change-freeze (gemini #452).
4324 let s = with_window("22:00_05:00");
4325 assert!(
4326 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
4327 "corrupt window fails closed"
4328 );
4329 // …and the scheduler can surface why it's stuck.
4330 assert!(
4331 s.bad_window().is_some(),
4332 "bad_window reports the parse error"
4333 );
4334 assert!(with_window("22:00-05:00").bad_window().is_none());
4335 }
4336
4337 #[test]
4338 fn calendar_outside_window_is_flagged() {
4339 // at 09:00 can never fall in 22:00-05:00 → never fires.
4340 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
4341 s.constraints.window = Some("22:00-05:00".into());
4342 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
4343
4344 // at 23:00 IS inside the overnight window → fine.
4345 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
4346 s.constraints.window = Some("22:00-05:00".into());
4347 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
4348
4349 // reconcile shapes are never flagged (they poll every minute).
4350 let mut s = schedule_with(
4351 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4352 RunsOn::Backend,
4353 );
4354 s.constraints.window = Some("22:00-05:00".into());
4355 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
4356
4357 // no window → never flagged.
4358 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4359 assert!(!s.calendar_outside_window());
4360 }
4361
4362 // ---- on_failure.retry (#418 Phase 4) ----
4363
4364 fn with_retry(max: u32, backoff: &str) -> Schedule {
4365 let mut s = schedule_with(
4366 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4367 RunsOn::Backend,
4368 );
4369 s.on_failure.retry = Some(Retry {
4370 max,
4371 backoff: backoff.into(),
4372 });
4373 s
4374 }
4375
4376 #[test]
4377 fn on_failure_parses_and_round_trips() {
4378 let yaml = r#"
4379id: x
4380when:
4381 per_pc: { every: 6h }
4382job_id: y
4383target: { all: true }
4384on_failure:
4385 retry: { max: 3, backoff: 10m }
4386"#;
4387 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4388 let r = s.on_failure.retry.as_ref().expect("retry present");
4389 assert_eq!(r.max, 3);
4390 assert_eq!(r.backoff, "10m");
4391 let back: Schedule =
4392 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
4393 assert_eq!(back.on_failure, s.on_failure);
4394 }
4395
4396 #[test]
4397 fn on_failure_empty_is_skipped_when_serialising() {
4398 let s = schedule_with(
4399 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4400 RunsOn::Backend,
4401 );
4402 let json = serde_json::to_value(&s).expect("serialise");
4403 assert!(
4404 json.get("on_failure").is_none(),
4405 "empty on_failure must not appear on the wire: {json}"
4406 );
4407 }
4408
4409 #[test]
4410 fn validate_accepts_good_retry() {
4411 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
4412 with_retry(max, backoff)
4413 .validate()
4414 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
4415 }
4416 }
4417
4418 #[test]
4419 fn validate_rejects_bad_backoff() {
4420 let err = with_retry(3, "soon").validate().unwrap_err();
4421 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
4422 }
4423
4424 #[test]
4425 fn validate_rejects_sub_second_backoff() {
4426 // "500ms" parses as humantime but lowers to 0s on the wire —
4427 // reject it so the operator doesn't get a silent no-wait
4428 // (coderabbit #466).
4429 for bad in ["500ms", "0s", "999ms"] {
4430 let err = with_retry(3, bad).validate().unwrap_err();
4431 assert!(
4432 err.contains("on_failure.retry.backoff must be >= 1s"),
4433 "for '{bad}', got: {err}"
4434 );
4435 }
4436 }
4437
4438 #[test]
4439 fn validate_rejects_out_of_range_max() {
4440 for bad in [0u32, 11, 1000] {
4441 let err = with_retry(bad, "10m").validate().unwrap_err();
4442 assert!(
4443 err.contains("on_failure.retry.max"),
4444 "for max={bad}, got: {err}"
4445 );
4446 }
4447 }
4448
4449 #[test]
4450 fn lowered_retry_reduces_backoff_to_seconds() {
4451 let s = with_retry(3, "10m");
4452 let spec = s.on_failure.lowered_retry().expect("a retry policy");
4453 assert_eq!(spec.max, 3);
4454 assert_eq!(spec.backoff_secs, 600);
4455 }
4456
4457 #[test]
4458 fn lowered_retry_is_none_without_policy() {
4459 let s = schedule_with(
4460 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4461 RunsOn::Backend,
4462 );
4463 assert!(s.on_failure.lowered_retry().is_none());
4464 }
4465
4466 // ---- global change-freeze (#418 Phase 5) ----
4467
4468 #[test]
4469 fn freeze_empty_window_is_always_active() {
4470 // The big-red-button shape: no bounds = frozen until cleared.
4471 let f = Freeze::default();
4472 assert!(f.is_active(chrono::Utc::now()));
4473 }
4474
4475 #[test]
4476 fn freeze_window_is_half_open() {
4477 use chrono::TimeZone;
4478 let f = Freeze {
4479 from: Some("2026-12-20T00:00:00+00:00".into()),
4480 until: Some("2027-01-05T00:00:00+00:00".into()),
4481 reason: Some("year-end".into()),
4482 tz: ScheduleTz::Utc,
4483 };
4484 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
4485 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
4486 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
4487 assert!(f.is_active(at(2026, 12, 31)), "inside window");
4488 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
4489 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
4490 }
4491
4492 #[test]
4493 fn freeze_fails_closed_on_corrupt_bound() {
4494 // A freeze is a safety switch: an unparseable bound (only
4495 // reachable via a hand-edited KV blob) must read as FROZEN, not
4496 // "fire normally" (coderabbit #472) — the opposite of `active`,
4497 // which fail-opens.
4498 let f = Freeze {
4499 from: Some("not-a-date".into()),
4500 until: None,
4501 reason: None,
4502 tz: ScheduleTz::Utc,
4503 };
4504 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
4505 }
4506
4507 #[test]
4508 fn freeze_validate_accepts_good_bounds() {
4509 Freeze {
4510 from: Some("2026-12-20".into()),
4511 until: Some("2027-01-05T12:00:00+09:00".into()),
4512 reason: None,
4513 tz: ScheduleTz::Local,
4514 }
4515 .validate()
4516 .expect("date + rfc3339 bounds should validate");
4517 // Empty (indefinite) freeze is valid.
4518 Freeze::default().validate().expect("empty freeze is valid");
4519 }
4520
4521 #[test]
4522 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
4523 let err = Freeze {
4524 from: Some("never".into()),
4525 ..Default::default()
4526 }
4527 .validate()
4528 .unwrap_err();
4529 assert!(err.contains("freeze:"), "got: {err}");
4530
4531 let inverted = Freeze {
4532 from: Some("2027-01-05".into()),
4533 until: Some("2026-12-20".into()),
4534 ..Default::default()
4535 }
4536 .validate()
4537 .unwrap_err();
4538 assert!(inverted.contains("freeze.from"), "got: {inverted}");
4539 }
4540
4541 #[test]
4542 fn freeze_round_trips_and_skips_empty_fields() {
4543 let f = Freeze {
4544 from: None,
4545 until: Some("2027-01-05".into()),
4546 reason: Some("INC-1234".into()),
4547 tz: ScheduleTz::Utc,
4548 };
4549 let json = serde_json::to_value(&f).expect("serialise");
4550 assert!(json.get("from").is_none(), "empty from omitted: {json}");
4551 let back: Freeze = serde_json::from_value(json).expect("round-trip");
4552 assert_eq!(back, f);
4553 }
4554
4555 #[test]
4556 fn shipped_schedule_configs_parse_and_validate() {
4557 // Every YAML under configs/schedules/ must parse with the
4558 // current Schedule serde AND pass validate() — keeps the
4559 // shipped examples from drifting out of sync with the model
4560 // (#418 removed back-compat, so drift = broken at create).
4561 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
4562 let mut seen = 0;
4563 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
4564 let path = entry.expect("dir entry").path();
4565 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
4566 continue;
4567 }
4568 let body = std::fs::read_to_string(&path).expect("read yaml");
4569 let s: Schedule = serde_yaml::from_str(&body)
4570 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
4571 s.validate()
4572 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
4573 seen += 1;
4574 }
4575 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
4576 }
4577
4578 // ---- pre-existing enum wire formats (unchanged by #418) ----
4579
4580 #[test]
4581 fn exec_mode_serialises_snake_case() {
4582 for (mode, expected) in [
4583 (ExecMode::EveryTick, "every_tick"),
4584 (ExecMode::OncePerPc, "once_per_pc"),
4585 (ExecMode::OncePerTarget, "once_per_target"),
4586 ] {
4587 let s = serde_json::to_value(mode).expect("serialise");
4588 assert_eq!(s, serde_json::Value::String(expected.into()));
4589 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
4590 .expect("deserialise");
4591 assert_eq!(back, mode, "round-trip for {expected}");
4592 }
4593 }
4594
4595 #[test]
4596 fn schedule_runs_on_defaults_to_backend() {
4597 let yaml = r#"
4598id: x
4599when:
4600 per_pc: once
4601job_id: y
4602target: { all: true }
4603"#;
4604 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4605 assert_eq!(s.runs_on, RunsOn::Backend);
4606 }
4607
4608 #[test]
4609 fn schedule_runs_on_agent_parses() {
4610 let yaml = r#"
4611id: offline-inv
4612when:
4613 per_pc: { every: 1h }
4614job_id: inventory-hw
4615target: { all: true }
4616runs_on: agent
4617"#;
4618 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4619 assert_eq!(s.runs_on, RunsOn::Agent);
4620 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
4621 }
4622
4623 #[test]
4624 fn runs_on_serialises_snake_case() {
4625 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
4626 let s = serde_json::to_value(mode).expect("serialise");
4627 assert_eq!(s, serde_json::Value::String(expected.into()));
4628 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
4629 .expect("deserialise");
4630 assert_eq!(back, mode);
4631 }
4632 }
4633
4634 #[test]
4635 fn execute_shell_into_wire_shell() {
4636 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
4637 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
4638 }
4639
4640 #[test]
4641 fn manifest_staleness_defaults_to_cached() {
4642 let yaml = r#"
4643id: x
4644version: 1.0.0
4645execute:
4646 shell: powershell
4647 script: "echo"
4648 timeout: 1s
4649"#;
4650 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4651 assert_eq!(m.staleness, Staleness::Cached);
4652 }
4653
4654 #[test]
4655 fn manifest_strict_staleness_parses() {
4656 let yaml = r#"
4657id: urgent-patch
4658version: 2.5.1
4659execute:
4660 shell: powershell
4661 script: Install-Hotfix
4662 timeout: 5m
4663staleness:
4664 mode: strict
4665 max_cache_age: 0s
4666"#;
4667 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4668 match m.staleness {
4669 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
4670 other => panic!("expected strict, got {other:?}"),
4671 }
4672 }
4673
4674 #[test]
4675 fn manifest_unchecked_staleness_parses() {
4676 let yaml = r#"
4677id: legacy
4678version: 0.1.0
4679execute:
4680 shell: cmd
4681 script: "echo"
4682 timeout: 1s
4683staleness:
4684 mode: unchecked
4685"#;
4686 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4687 assert_eq!(m.staleness, Staleness::Unchecked);
4688 }
4689
4690 #[test]
4691 fn missing_required_field_errors() {
4692 // `id` missing.
4693 let yaml = r#"
4694version: 1.0.0
4695target: { all: true }
4696execute:
4697 shell: powershell
4698 script: "echo"
4699 timeout: 1s
4700"#;
4701 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
4702 assert!(r.is_err(), "expected error, got {:?}", r);
4703 }
4704
4705 #[test]
4706 fn display_field_table_kind_round_trips_with_nested_columns() {
4707 // #39: `type: table` + `columns:` on a DisplayField gets
4708 // round-tripped through serde so the SPA receives the
4709 // nested schema verbatim. Nested columns themselves are
4710 // DisplayFields so they can carry `type: bytes` /
4711 // `type: number` for cell formatting.
4712 let yaml = r#"
4713id: inv-hw
4714version: 1.0.0
4715execute:
4716 shell: powershell
4717 script: "echo"
4718 timeout: 60s
4719inventory:
4720 display:
4721 - field: hostname
4722 label: Hostname
4723 - field: disks
4724 label: Disks
4725 type: table
4726 columns:
4727 - field: device_id
4728 label: Drive
4729 - field: size_bytes
4730 label: Size
4731 type: bytes
4732 - field: free_bytes
4733 label: Free
4734 type: bytes
4735 - field: file_system
4736 label: FS
4737"#;
4738 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4739 let inv = m.inventory.as_ref().expect("inventory hint");
4740 let disks = inv
4741 .display
4742 .iter()
4743 .find(|d| d.field == "disks")
4744 .expect("disks display row");
4745 assert_eq!(disks.kind.as_deref(), Some("table"));
4746 let cols = disks.columns.as_ref().expect("table needs columns");
4747 assert_eq!(cols.len(), 4);
4748 assert_eq!(cols[1].field, "size_bytes");
4749 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
4750 }
4751
4752 #[test]
4753 fn display_field_scalar_kind_keeps_columns_none() {
4754 // Defensive: when type is a scalar (`bytes` / `number` /
4755 // `timestamp`) the `columns` field stays None — the SPA
4756 // uses its presence as the "render nested table" signal,
4757 // so it must not leak in via serde defaults.
4758 let yaml = r#"
4759id: x
4760version: 1.0.0
4761execute:
4762 shell: powershell
4763 script: "echo"
4764 timeout: 5s
4765inventory:
4766 display:
4767 - { field: ram_bytes, label: RAM, type: bytes }
4768"#;
4769 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
4770 let inv = m.inventory.as_ref().unwrap();
4771 assert!(inv.display[0].columns.is_none());
4772 }
4773
4774 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
4775
4776 /// The JSON Schemas under `docs/schemas/` must match what
4777 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
4778 /// so a `Schedule` / `Manifest` field change can't silently drift
4779 /// the operator-facing schema. The SPA editor, the backend
4780 /// `/api/schemas/*` endpoints, and these files all read the same
4781 /// derived shape; this test fails CI if the checked-in copy lags.
4782 /// Regenerate with:
4783 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
4784 #[test]
4785 fn schema_files_are_current() {
4786 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
4787 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
4788 assert_schema_file("view.schema.json", &schemars::schema_for!(View));
4789 }
4790
4791 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
4792 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
4793 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
4794 .join("../../docs/schemas")
4795 .join(name);
4796 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
4797 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
4798 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
4799 return;
4800 }
4801 // Normalize CRLF→LF before comparing: `.gitattributes` already
4802 // pins these files to `eol=lf`, but a stray CRLF working-tree
4803 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
4804 // freshness check into a confusing line-ending failure — that's
4805 // .gitattributes' job, not this test's (gemini #588).
4806 let on_disk = std::fs::read_to_string(&path)
4807 .unwrap_or_else(|e| {
4808 panic!(
4809 "read {path:?}: {e}\n\
4810 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
4811 )
4812 })
4813 .replace("\r\n", "\n");
4814 assert_eq!(
4815 on_disk, generated,
4816 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
4817 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
4818 );
4819 }
4820}
4821
4822/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
4823/// (target + optional rollout + optional jitter) inline; the
4824/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
4825/// script body. Two schedules of the same job can target different
4826/// groups on different cadences without copying the manifest.
4827///
4828/// #418 Phase 1: the cadence is the single [`When`] field. The old
4829/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
4830/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
4831/// are warn-skipped; re-`schedule create` to upgrade them). The
4832/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
4833/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
4834/// `decide_fire` always ran on.
4835#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
4836pub struct Schedule {
4837 pub id: String,
4838 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
4839 /// or a calendar time trigger (`at` / `days`). See [`When`].
4840 ///
4841 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
4842 /// enums as `!per_pc` YAML tags by default; this keeps the
4843 /// operator-facing map shape (`when: { per_pc: once }`). JSON
4844 /// output is identical either way, and the schemars schema
4845 /// (external tagging = oneOf of single-key objects) already
4846 /// matches the singleton-map wire shape.
4847 #[serde(with = "serde_yaml::with::singleton_map")]
4848 #[schemars(with = "When")]
4849 pub when: When,
4850 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
4851 /// Manifest's `id`.
4852 pub job_id: String,
4853 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
4854 /// carry these any more — same job + different fanout = different
4855 /// schedule.
4856 #[serde(flatten)]
4857 pub plan: FanoutPlan,
4858 /// Optional validity window. Outside `[from, until)` the
4859 /// schedule is dormant — still registered, still visible, but
4860 /// every tick is skipped (deleted ≠ dormant: a campaign that
4861 /// ended stays inspectable and can be re-armed by editing the
4862 /// window). Checked at tick time on both the backend scheduler
4863 /// and the agent's local scheduler.
4864 #[serde(default, skip_serializing_if = "Active::is_empty")]
4865 pub active: Active,
4866 /// #418 operational constraints gating *when within an active
4867 /// period* a fire may happen: a maintenance `window`, a fleet
4868 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
4869 /// wall-clock ones are evaluated in the schedule's `tz`; future
4870 /// `require` (env gates) lands in the same namespace. Checked at
4871 /// tick time on both schedulers (and surfaced by `preview`).
4872 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
4873 pub constraints: Constraints,
4874 /// #418 Phase 4: what to do after a fire's script comes back
4875 /// failed. Currently just `retry` (fixed-backoff in-process
4876 /// re-run); future `notify` / `disable` join the same namespace.
4877 /// Applied fire-side in `handle_command` (the retry policy is
4878 /// lowered onto every Command this schedule produces), so it
4879 /// covers both `runs_on` locations.
4880 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
4881 pub on_failure: OnFailure,
4882 /// #418 Phase 2: the timezone this schedule's wall-clock fields
4883 /// are evaluated in — both the calendar `at` firing time AND the
4884 /// `active.{from,until}` window bounds. `local` (default) = the
4885 /// running host's TZ (the agent's for `runs_on: agent`, the
4886 /// backend server's otherwise); `utc` for TZ-independent
4887 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
4888 /// for firing (poll cron runs every minute regardless) but still
4889 /// honor it for the `active` window.
4890 #[serde(default)]
4891 pub tz: ScheduleTz,
4892 /// v0.22: optional humantime window after a cron tick during
4893 /// which the Command is still considered "live". The scheduler
4894 /// computes `tick_at + starting_deadline` and stamps it onto
4895 /// each Command as `deadline_at`; agents skip Commands they
4896 /// receive after that absolute time. `None` (default) = no
4897 /// deadline, meaning a Command queued in the broker / stream
4898 /// during agent downtime runs whenever the agent reconnects —
4899 /// good for kitting / inventory / cleanup. Set this for
4900 /// time-of-day notifications, lunch reminders, etc., where
4901 /// "fire 3 hours late" would be wrong.
4902 #[serde(default, skip_serializing_if = "Option::is_none")]
4903 pub starting_deadline: Option<String>,
4904 /// v0.23: where does the cron tick happen? `Backend` (default,
4905 /// historical) = backend's scheduler fires Commands via NATS;
4906 /// agents passively receive. `Agent` = each targeted agent runs
4907 /// its own internal cron and fires locally, so the schedule
4908 /// keeps ticking even when the broker is unreachable (laptop on
4909 /// the train, broker maintenance window, full WAN outage). The
4910 /// two locations are mutually exclusive — when `Agent`, the
4911 /// backend scheduler stays out and just keeps the definition in
4912 /// KV for agents to read.
4913 #[serde(default)]
4914 pub runs_on: RunsOn,
4915 #[serde(default = "default_true")]
4916 pub enabled: bool,
4917 /// Free-form operator taxonomy for the Schedules page — the
4918 /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
4919 /// code ref rather than an intra-doc link, since that field isn't
4920 /// on this branch until #640 merges). Purely a SPA-side
4921 /// organisational aid (search / filter chips alongside the
4922 /// id-prefix grouping); the scheduler never reads it, so any
4923 /// string is allowed and it carries no firing semantics. A
4924 /// schedule's own tags are independent of its job's: the same job
4925 /// may back a `weekly` maintenance schedule and a `canary` rollout
4926 /// schedule. Empty by default and `skip_serializing_if`-elided per
4927 /// the #492 gradual-upgrade wire rule.
4928 #[serde(default, skip_serializing_if = "Vec::is_empty")]
4929 pub tags: Vec<String>,
4930 /// GitOps provenance (#695) — see [`RepoOrigin`]. Stamped by
4931 /// `kanade schedule create` when the source YAML lives inside a Git
4932 /// work tree, so the SPA renders the schedule read-only and points
4933 /// edits back at the repo (SPEC design principle #3: 設定駆動 YAML +
4934 /// Git), parity with a job's [`Manifest::origin`]. `None` for
4935 /// SPA-born schedules and ones applied from outside any repo. Purely
4936 /// informational — the scheduler never reads it. New field ⇒ #492
4937 /// wire rule (`default` + `skip_serializing_if`).
4938 #[serde(default, skip_serializing_if = "Option::is_none")]
4939 pub origin: Option<RepoOrigin>,
4940}
4941
4942/// v0.23 — where the cron tick fires from.
4943#[derive(
4944 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
4945)]
4946#[serde(rename_all = "snake_case")]
4947pub enum RunsOn {
4948 /// Backend's central scheduler ticks and publishes Commands to
4949 /// NATS. Historical default, what every pre-v0.23 schedule
4950 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
4951 /// reconnects ⇒ catch-up via [`command_replay`](crate)
4952 /// (see kanade-agent's command_replay module).
4953 #[default]
4954 Backend,
4955 /// Each targeted agent runs the cron tick locally. Survives
4956 /// broker / WAN outages. Best for laptops / mobile devices that
4957 /// roam off the corporate network. Agent must be online for the
4958 /// initial schedule + job-catalog pull, but once cached the
4959 /// agent fires the script standalone.
4960 Agent,
4961}
4962
4963/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
4964#[derive(
4965 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
4966)]
4967#[serde(rename_all = "snake_case")]
4968pub enum ExecMode {
4969 /// Fire on every cron tick at the whole target. Historical
4970 /// (pre-v0.19) behavior; no dedup.
4971 #[default]
4972 EveryTick,
4973 /// Fire at each pc until that pc succeeds; then skip it until
4974 /// the optional cooldown elapses (or forever if no cooldown).
4975 /// Use for kitting / first-boot / per-pc compliance checks.
4976 OncePerPc,
4977 /// Fire at the whole target until **any** pc succeeds; then
4978 /// skip the whole target until the optional cooldown elapses
4979 /// (or forever if no cooldown). Use for "one delegate is
4980 /// enough" tasks like license check-in.
4981 OncePerTarget,
4982 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
4983 /// no cron — the agent fires it from an OS event source (boot /
4984 /// session-change), not a tick — so the scheduler skips
4985 /// `tokio-cron` registration for it. Each event occurrence fires
4986 /// once, gated by the standard freeze / active / window /
4987 /// skip_dates checks.
4988 Event,
4989}
4990
4991/// #418 Phase 1 — the single "when does this fire" axis.
4992///
4993/// Replaces the old `cron` + `mode` + `cooldown` trio whose
4994/// interactions were implicit (cron doubled as both a real
4995/// time-of-day trigger and a reconcile poll period; contradictory
4996/// combinations silently no-opped). Two shapes:
4997///
4998/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
4999/// pc (or one delegate) should have run this within `every`".
5000/// The poll period is system-generated ([`POLL_CRON`], every
5001/// minute) and no longer the operator's concern.
5002/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
5003/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
5004/// the whole target at the given time, no dedup. `at: "09:00"` +
5005/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
5006/// exactly once. Evaluated in the schedule's top-level `tz`.
5007#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5008#[serde(rename_all = "snake_case")]
5009pub enum When {
5010 /// Fire at each targeted pc: `once` (kitting — succeed once,
5011 /// skip forever, forever catching brand-new / re-imaged pcs)
5012 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
5013 /// the interval).
5014 PerPc(PerPolicy),
5015 /// Fire until **any** one pc of the target succeeds, then skip
5016 /// the whole target (`once`) or re-arm after `every`. Needs
5017 /// fleet-wide completion data, so it is backend-only —
5018 /// `runs_on: agent` + `per_target` is rejected by
5019 /// [`Schedule::validate`].
5020 PerTarget(PerPolicy),
5021 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
5022 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
5023 /// the whole target at that wall-clock time in the schedule's
5024 /// `tz` — no dedup, no cooldown.
5025 Calendar(CalendarSpec),
5026 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
5027 /// Fires when the agent observes the listed OS event(s) rather than
5028 /// on a clock — there is no cron. `runs_on: agent` only (the agent
5029 /// owns the event source); [`Schedule::validate`] rejects it on
5030 /// `backend` and rejects an empty list. Each event occurrence fires
5031 /// once, gated by the same freeze / active / `constraints.window` /
5032 /// `skip_dates` checks as the cron path. `startup` fires once per OS
5033 /// boot (deduped via the host boot time); a `starting_deadline`, if
5034 /// set, limits it to "agent came up within that long after boot".
5035 On(Vec<OnTrigger>),
5036}
5037
5038/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
5039#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
5040#[serde(rename_all = "snake_case")]
5041pub enum OnTrigger {
5042 /// Once per OS boot (the agent's first run for that boot). Catches
5043 /// freshly-imaged / reinstalled hosts at their next startup.
5044 Startup,
5045 /// On an interactive-session user logon — console, RDP, or
5046 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
5047 /// service / network / batch logons (no interactive session).
5048 Logon,
5049 /// When the workstation is locked (Win+L / idle lock; Windows
5050 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
5051 Lock,
5052 /// When the workstation is unlocked — the user returns to a locked
5053 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
5054 /// compliance / refresh state when work resumes.
5055 Unlock,
5056 /// When the host's network changes — IP address table change on
5057 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
5058 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
5059 /// from one transition fires once after the network settles), so
5060 /// use it for "re-check connectivity / re-register on network move"
5061 /// rather than expecting one fire per raw adapter event.
5062 ///
5063 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
5064 /// transition that touches only IPv6 addresses won't fire. In practice
5065 /// dual-stack networks change both tables together, but a pure-IPv6
5066 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
5067 NetworkChange,
5068}
5069
5070/// Calendar time trigger (#418 Phase 2). `at` is either a time of
5071/// day (`"HH:MM"`, repeating — combine with `days`) or a full
5072/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
5073/// never again). Evaluated in the schedule's top-level `tz`.
5074#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5075pub struct CalendarSpec {
5076 /// `"HH:MM"` (24h) for a repeating trigger, or
5077 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
5078 /// accepted) for a one-shot. Parsed lazily —
5079 /// [`Schedule::validate`] rejects garbage at create time.
5080 pub at: String,
5081 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
5082 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
5083 /// field, so ranges and names both work). An **nth-weekday**
5084 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
5085 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
5086 /// `["friL"]` fires only on the last Friday of each month (handy
5087 /// for monthly maintenance). Empty = every day. Must be empty
5088 /// when `at` carries a date (the date already pins the day).
5089 #[serde(default, skip_serializing_if = "Vec::is_empty")]
5090 pub days: Vec<String>,
5091}
5092
5093/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
5094/// date for a one-shot (`None` = repeating time-of-day).
5095struct ParsedAt {
5096 minute: u32,
5097 hour: u32,
5098 date: Option<chrono::NaiveDate>,
5099}
5100
5101impl CalendarSpec {
5102 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
5103 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
5104 fn parse_at(&self) -> Result<ParsedAt, String> {
5105 use chrono::Timelike;
5106 let s = self.at.trim();
5107 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
5108 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
5109 return Ok(ParsedAt {
5110 minute: dt.minute(),
5111 hour: dt.hour(),
5112 date: Some(dt.date()),
5113 });
5114 }
5115 }
5116 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
5117 return Ok(ParsedAt {
5118 minute: t.minute(),
5119 hour: t.hour(),
5120 date: None,
5121 });
5122 }
5123 Err(format!(
5124 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
5125 self.at
5126 ))
5127 }
5128
5129 /// Pre-flight check on the `days` tokens so a bad day name gives
5130 /// a `when.days:`-scoped error instead of croner's confusing
5131 /// "when.at lowered to invalid cron" (claude #432 review). Each
5132 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
5133 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
5134 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
5135 /// **last-weekday** like `friL` (last Friday of the month).
5136 fn validate_days(&self) -> Result<(), String> {
5137 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
5138 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
5139 for tok in &self.days {
5140 // Report the whole token on a malformed range like `mon-`
5141 // (which would otherwise split to a cryptic empty part —
5142 // claude #432 follow-up).
5143 let invalid = |reason: &str| {
5144 Err(format!(
5145 "when.days: invalid day token '{tok}' ({reason}; \
5146 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
5147 like tue#2, a last-weekday like friL, or *)"
5148 ))
5149 };
5150 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
5151 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
5152 // `to_cron` passes the token through verbatim, so the
5153 // engine fires only on that occurrence. It's a single
5154 // weekday + ordinal — not combinable with a range.
5155 if let Some((day_part, nth_part)) = tok.split_once('#') {
5156 // Normalize once and use `d` consistently (gemini #547);
5157 // the outer `invalid` already echoes the raw `tok`.
5158 let d = day_part.trim().to_ascii_lowercase();
5159 if d.contains('-') || !is_day(&d) {
5160 return invalid("the part before # must be a single weekday");
5161 }
5162 match nth_part.trim().parse::<u8>() {
5163 Ok(n) if (1..=5).contains(&n) => {}
5164 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
5165 }
5166 continue;
5167 }
5168 // #418: last-weekday suffix (`friL` = last Friday of the
5169 // month — the monthly-maintenance sibling of Patch Tuesday).
5170 // Croner accepts `<dow>L` in the DOW field with verified
5171 // last-<dow>-of-month semantics, and `to_cron` passes it
5172 // through verbatim. A single weekday + `L` — bare `L` and
5173 // ranges are rejected (croner would read bare `L` as
5174 // Saturday, which is a confusing footgun).
5175 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
5176 // No `.trim()`: a cron DOW token can't carry internal
5177 // whitespace, so `"fri L"` must be *rejected* here (its
5178 // strip leaves `"fri "`, and `is_day` catches the space)
5179 // rather than trimmed into a clean `"fri"` that then
5180 // produces a malformed `fri L` cron downstream and a
5181 // confusing croner error (gemini #560).
5182 let d = day_part.to_ascii_lowercase();
5183 if d.is_empty() {
5184 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
5185 }
5186 if d.contains('-') || !is_day(&d) {
5187 return invalid(
5188 "the part before L must be a single weekday (e.g. friL = last Friday)",
5189 );
5190 }
5191 continue;
5192 }
5193 for part in tok.split('-') {
5194 let p = part.trim().to_ascii_lowercase();
5195 if p.is_empty() {
5196 return invalid("empty range bound");
5197 }
5198 if p != "*" && !is_day(&p) {
5199 return invalid(&format!("'{part}' is not a day"));
5200 }
5201 }
5202 }
5203 Ok(())
5204 }
5205
5206 /// For a one-shot (`at` carries a date), the absolute instant it
5207 /// fires in `tz`. `None` for a repeating calendar. Used to warn
5208 /// about a one-shot whose date is already in the past (it would
5209 /// never fire).
5210 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
5211 let p = self.parse_at().ok()?;
5212 let date = p.date?;
5213 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
5214 tz.naive_to_utc(naive)
5215 }
5216
5217 /// The wall-clock time-of-day this calendar fires at (`None` if
5218 /// `at` is unparseable — validate() guards that). Used to detect
5219 /// a calendar whose fire time can never fall inside its
5220 /// `constraints.window` (claude #452 review).
5221 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
5222 let p = self.parse_at().ok()?;
5223 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
5224 }
5225
5226 /// Lower to the cron string the scheduler engine runs. Repeating
5227 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
5228 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
5229 /// fires — that's what makes it one-shot).
5230 fn to_cron(&self) -> Result<String, String> {
5231 use chrono::Datelike;
5232 let ParsedAt { minute, hour, date } = self.parse_at()?;
5233 match date {
5234 Some(d) => {
5235 if !self.days.is_empty() {
5236 return Err(
5237 "when.at with a date is a one-shot and cannot be combined with days".into(),
5238 );
5239 }
5240 Ok(format!(
5241 "0 {minute} {hour} {} {} * {}",
5242 d.day(),
5243 d.month(),
5244 d.year()
5245 ))
5246 }
5247 None => {
5248 let dow = if self.days.is_empty() {
5249 "*".to_string()
5250 } else {
5251 self.validate_days()?;
5252 self.days.join(",")
5253 };
5254 Ok(format!("0 {minute} {hour} * * {dow}"))
5255 }
5256 }
5257 }
5258}
5259
5260/// The timezone a schedule's wall-clock fields (`when.at`,
5261/// `active.{from,until}`) are evaluated in (#418 Phase 2).
5262#[derive(
5263 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
5264)]
5265#[serde(rename_all = "snake_case")]
5266pub enum ScheduleTz {
5267 /// The running host's local timezone — the agent's for
5268 /// `runs_on: agent`, the backend server's otherwise. Default.
5269 #[default]
5270 Local,
5271 /// UTC — for timezone-independent schedules.
5272 Utc,
5273}
5274
5275impl ScheduleTz {
5276 /// Interpret a naive (zoneless) datetime as being in this tz and
5277 /// convert to UTC. On a DST *fold* (the local time occurs twice
5278 /// when clocks go back) we pick `.earliest()` rather than
5279 /// rejecting it; `None` is reserved for a true DST *gap* (a local
5280 /// time that never exists). `Utc` is fixed-offset so neither ever
5281 /// happens; `Local` is whatever timezone the running host is set
5282 /// to and *can* hit a gap/fold on any DST-observing host — not
5283 /// just the JST we run today (gemini + claude #432 review).
5284 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
5285 use chrono::TimeZone;
5286 match self {
5287 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
5288 naive,
5289 chrono::Utc,
5290 )),
5291 ScheduleTz::Local => chrono::Local
5292 .from_local_datetime(&naive)
5293 .earliest()
5294 .map(|dt| dt.with_timezone(&chrono::Utc)),
5295 }
5296 }
5297
5298 /// The wall-clock time-of-day `now` reads as in this tz — used by
5299 /// [`Constraints::allows`] to test a maintenance window
5300 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
5301 /// running host's local time.
5302 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
5303 match self {
5304 ScheduleTz::Utc => now.time(),
5305 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
5306 }
5307 }
5308
5309 /// The wall-clock *date* `now` reads as in this tz — used by
5310 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
5311 /// exclusion). Same tz semantics as [`Self::wall_time`].
5312 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
5313 match self {
5314 ScheduleTz::Utc => now.date_naive(),
5315 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
5316 }
5317 }
5318
5319 /// Stable lowercase wire/display label (`local` / `utc`) — matches
5320 /// the serde `snake_case` representation. Used for the preview
5321 /// response's `tz` field so the JSON shape isn't coupled to the
5322 /// `Debug` repr (claude #578 review).
5323 pub fn as_str(self) -> &'static str {
5324 match self {
5325 ScheduleTz::Local => "local",
5326 ScheduleTz::Utc => "utc",
5327 }
5328 }
5329}
5330
5331impl std::fmt::Display for ScheduleTz {
5332 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5333 f.write_str(self.as_str())
5334 }
5335}
5336
5337/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
5338/// `per_target`. Untagged so the YAML stays the bare keyword or a
5339/// one-key map, nothing more ceremonial.
5340#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5341#[serde(untagged)]
5342pub enum PerPolicy {
5343 /// The bare string `once`: succeed once, then skip permanently
5344 /// (cooldown = infinity).
5345 Once(OnceLiteral),
5346 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
5347 Every(EverySpec),
5348}
5349
5350/// Single-variant enum so serde accepts exactly the string `once`
5351/// (a free-form `String` would swallow typos like `onec`).
5352#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
5353#[serde(rename_all = "snake_case")]
5354pub enum OnceLiteral {
5355 Once,
5356}
5357
5358/// `{ every: <humantime> }`. Standalone struct (not an inline
5359/// struct variant). `{ evry: 6h }` still fails to parse (the
5360/// required `every` key is missing), and the create boundaries
5361/// reject the unknown `evry` via [`crate::strict`] with its path —
5362/// while agents reading a future writer's extra fields tolerate
5363/// them (#492).
5364#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5365pub struct EverySpec {
5366 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
5367 /// [`Schedule::validate`] rejects garbage at create time.
5368 pub every: String,
5369}
5370
5371impl PerPolicy {
5372 /// The cooldown this policy lowers to: `once` = `None`
5373 /// (permanent skip), `every` = the interval.
5374 fn cooldown(&self) -> Option<String> {
5375 match self {
5376 PerPolicy::Once(_) => None,
5377 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
5378 }
5379 }
5380}
5381
5382impl std::fmt::Display for When {
5383 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
5384 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
5385 /// lines, audit payloads and the API's `ScheduleSummary`.
5386 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5387 let policy = |p: &PerPolicy| match p {
5388 PerPolicy::Once(_) => "once".to_string(),
5389 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
5390 };
5391 match self {
5392 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
5393 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
5394 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
5395 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
5396 When::On(triggers) => {
5397 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
5398 write!(f, "on [{}]", names.join(","))
5399 }
5400 }
5401 }
5402}
5403
5404impl OnTrigger {
5405 /// Lowercase wire/display label (matches the serde `snake_case`).
5406 pub fn as_str(self) -> &'static str {
5407 match self {
5408 OnTrigger::Startup => "startup",
5409 OnTrigger::Logon => "logon",
5410 OnTrigger::Lock => "lock",
5411 OnTrigger::Unlock => "unlock",
5412 OnTrigger::NetworkChange => "network_change",
5413 }
5414 }
5415}
5416
5417/// Optional validity window for a [`Schedule`] (#418 decision G).
5418/// Half-open `[from, until)`; either bound may be omitted. Bounds
5419/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
5420/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
5421/// strings so the JSON Schema the SPA editor consumes stays two
5422/// plain string fields, mirroring `jitter` / `starting_deadline`.
5423///
5424/// #418 Phase 2: bounds are evaluated in the schedule's top-level
5425/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
5426/// calendar `at` AND the `active` window local — one consistent
5427/// timezone per schedule.
5428#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5429pub struct Active {
5430 /// Dormant before this instant.
5431 #[serde(default, skip_serializing_if = "Option::is_none")]
5432 pub from: Option<String>,
5433 /// Dormant from this instant on (exclusive).
5434 #[serde(default, skip_serializing_if = "Option::is_none")]
5435 pub until: Option<String>,
5436}
5437
5438impl Active {
5439 /// `skip_serializing_if` helper — an empty window means "always
5440 /// active" and is omitted from the wire format entirely.
5441 pub fn is_empty(&self) -> bool {
5442 self.from.is_none() && self.until.is_none()
5443 }
5444
5445 /// Parse one bound: RFC3339 first (offset honored, `tz`
5446 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
5447 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
5448 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
5449 return Ok(dt.with_timezone(&chrono::Utc));
5450 }
5451 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
5452 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
5453 return tz.naive_to_utc(midnight).ok_or_else(|| {
5454 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
5455 });
5456 }
5457 Err(format!(
5458 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
5459 ))
5460 }
5461
5462 /// Is `now` inside the window? Unparseable bounds are treated
5463 /// as absent here (fail-open) — [`Schedule::validate`] is the
5464 /// place that rejects them loudly; this runs on every tick and
5465 /// must never panic on a stale KV blob.
5466 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
5467 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
5468 if bound(&self.from).is_some_and(|from| now < from) {
5469 return false;
5470 }
5471 if bound(&self.until).is_some_and(|until| now >= until) {
5472 return false;
5473 }
5474 true
5475 }
5476}
5477
5478/// Host-environment gate (#418 `constraints.require`). Fire only when
5479/// the target host is in the required state. Sensed **in-process by the
5480/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
5481/// read a target host's power/idle state ([`Schedule::validate`]
5482/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
5483///
5484/// Evaluated at fire time as a skip-this-tick gate (NOT in
5485/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
5486/// cadence re-checks every minute (so it effectively defers until the
5487/// state is met — the intended pairing); a `calendar` fire that lands
5488/// while the state is unmet is simply missed, same as `window`. It is
5489/// therefore a *runtime* gate and does not appear in `preview`.
5490// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
5491#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
5492pub struct Require {
5493 /// Fire only while on **AC power** (skip on battery). Reads
5494 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
5495 /// as not-on-AC (fail-closed — a restrictive gate must not fire
5496 /// when it can't confirm the condition). `false` (default) = no
5497 /// power requirement.
5498 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
5499 pub ac_power: bool,
5500 /// Fire only when the active console session has had **no keyboard /
5501 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
5502 /// "don't run while the user is actively working". Input-based
5503 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
5504 /// headless / disconnected console (no interactive user) trivially
5505 /// satisfies it. `None` (default) = no idle requirement. Parsed
5506 /// lazily; [`Schedule::validate`] rejects garbage at create time.
5507 #[serde(default, skip_serializing_if = "Option::is_none")]
5508 pub idle: Option<String>,
5509 /// Fire only when the **whole-machine CPU usage is below this
5510 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
5511 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
5512 /// sample (`sysinfo` mean over cores), so the reading is up to one
5513 /// `host_perf` cadence old (default 60s) — fine as a "generally
5514 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
5515 /// needs two samples). An unavailable sample (host_perf not warmed
5516 /// up yet, or stale) is treated as "not below" (fail-closed — a
5517 /// restrictive gate must not fire when it can't confirm). `None`
5518 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
5519 /// out-of-range value at create time.
5520 #[serde(default, skip_serializing_if = "Option::is_none")]
5521 pub cpu_below: Option<f64>,
5522 /// Fire only when the host has **internet connectivity** (Windows
5523 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
5524 /// until online" for jobs that download / phone home. A captive
5525 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
5526 /// unknown/unreadable state is treated as offline (fail-closed) — a
5527 /// portal would just fail a download, so we hold the run. For VPN /
5528 /// SASE / app-specific conditions, use a custom script gate (separate
5529 /// slice). `false` (default) = no network requirement.
5530 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
5531 pub network: bool,
5532}
5533
5534impl Require {
5535 /// `skip_serializing_if` helper for an embedded empty `require`.
5536 pub fn is_empty(&self) -> bool {
5537 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
5538 }
5539
5540 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
5541 /// unparseable value — `validate` rejects the latter at create time).
5542 pub fn min_idle(&self) -> Option<std::time::Duration> {
5543 self.idle
5544 .as_deref()
5545 .and_then(|s| humantime::parse_duration(s.trim()).ok())
5546 }
5547
5548 /// First unparseable field for create-time rejection (mirrors
5549 /// [`Constraints::bad_skip_date`]).
5550 pub fn bad_idle(&self) -> Option<String> {
5551 self.idle.as_deref().and_then(|s| {
5552 humantime::parse_duration(s.trim())
5553 .err()
5554 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
5555 })
5556 }
5557}
5558
5559/// Host-environment state sensed by the agent, fed to [`require_met`].
5560/// A named struct (not positional args) so the growing set of sensed
5561/// signals — several of them `bool` — can't be transposed at a call
5562/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
5563#[derive(Debug, Clone, Copy, Default)]
5564pub struct EnvState {
5565 /// Is the host on AC power (`false` if on battery or unreadable).
5566 pub ac_online: bool,
5567 /// How long the console has been idle (`None` = couldn't determine).
5568 pub idle: Option<std::time::Duration>,
5569 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
5570 pub cpu_pct: Option<f64>,
5571 /// Does the host have internet connectivity (`false` if offline /
5572 /// LAN-only / unreadable).
5573 pub network_up: bool,
5574}
5575
5576/// Pure env-gate decision (#418 `constraints.require`). The Win32
5577/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
5578/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
5579/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
5580/// pure and `preview` never evaluates a runtime gate. Each set
5581/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
5582pub fn require_met(req: &Require, env: &EnvState) -> bool {
5583 if req.ac_power && !env.ac_online {
5584 return false;
5585 }
5586 if let Some(min) = req.min_idle() {
5587 match env.idle {
5588 Some(d) if d >= min => {}
5589 _ => return false,
5590 }
5591 }
5592 if let Some(max) = req.cpu_below {
5593 match env.cpu_pct {
5594 Some(p) if p < max => {}
5595 _ => return false,
5596 }
5597 }
5598 if req.network && !env.network_up {
5599 return false;
5600 }
5601 true
5602}
5603
5604/// [`Active`] decides *over what date range* a schedule is live,
5605/// `Constraints` decides *when, within an active period,* a fire is
5606/// allowed: `window` (a maintenance time-of-day window),
5607/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
5608/// (holiday exclusion) and `require` (host-environment gates, agent-only
5609/// — see [`Require`]).
5610// No `Eq`: contains `require: Option<Require>` which holds an f64.
5611#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
5612pub struct Constraints {
5613 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
5614 /// `tz`). Fires outside it are skipped — mainly for reconcile
5615 /// cadences ("patrol every 6h, but only fire overnight") and
5616 /// daytime change-freezes. `start > end` crosses midnight
5617 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
5618 /// lazily; [`Schedule::validate`] rejects garbage at create time.
5619 #[serde(default, skip_serializing_if = "Option::is_none")]
5620 pub window: Option<String>,
5621 /// Fleet-wide cap on how many instances of this schedule's job may
5622 /// run **at the same time** (#418 "同時実行ハード上限"). The
5623 /// backend scheduler counts the job's still-in-flight runs
5624 /// (`execution_results.finished_at IS NULL`) each tick and only
5625 /// dispatches to as many remaining pcs as there are free slots —
5626 /// a rolling window that refills as runs complete. Useful for
5627 /// disk/CPU/network-heavy jobs you don't want hammering the whole
5628 /// fleet at once.
5629 ///
5630 /// **Backend-only** (it needs a central counter): combining it
5631 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
5632 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
5633 /// for `per_pc` reconcile cadences, where the poll re-ticks and
5634 /// refills slots. `None` (default) = no cap.
5635 #[serde(default, skip_serializing_if = "Option::is_none")]
5636 pub max_concurrent: Option<u32>,
5637 /// Calendar dates the schedule must **not** fire on — holidays,
5638 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
5639 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
5640 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
5641 /// the whole day; a calendar fire landing on the date is
5642 /// suppressed) and is honored by both the live scheduler and
5643 /// `preview`, since both gate on [`Constraints::allows`]. Empty
5644 /// (default) = no skips. Operator-supplied: there is no built-in
5645 /// holiday calendar — list the dates you care about. Parsed lazily;
5646 /// [`Schedule::validate`] rejects a malformed date at create time.
5647 #[serde(default, skip_serializing_if = "Vec::is_empty")]
5648 pub skip_dates: Vec<String>,
5649 /// Host-environment gate (#418): fire only when the target host is
5650 /// in the required state (on AC power, idle). Agent-sensed at fire
5651 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
5652 /// no environment requirement.
5653 #[serde(default, skip_serializing_if = "Option::is_none")]
5654 pub require: Option<Require>,
5655}
5656
5657impl Constraints {
5658 /// `skip_serializing_if` helper — empty constraints are omitted
5659 /// from the wire format entirely.
5660 pub fn is_empty(&self) -> bool {
5661 self.window.is_none()
5662 && self.max_concurrent.is_none()
5663 && self.skip_dates.is_empty()
5664 && self.require.as_ref().is_none_or(Require::is_empty)
5665 }
5666
5667 /// The first unparseable `skip_dates` entry, if any — the
5668 /// scheduler logs it at register time so a fail-closed
5669 /// (never-firing) schedule from a hand-edited KV blob is
5670 /// diagnosable, mirroring [`Schedule::bad_window`].
5671 pub fn bad_skip_date(&self) -> Option<String> {
5672 self.skip_dates.iter().find_map(|s| {
5673 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
5674 .err()
5675 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
5676 })
5677 }
5678
5679 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
5680 /// error (a zero-width or all-day window is ambiguous — write no
5681 /// window for "always").
5682 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
5683 let (a, b) = s
5684 .split_once('-')
5685 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
5686 let parse = |part: &str| {
5687 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
5688 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
5689 };
5690 let (start, end) = (parse(a)?, parse(b)?);
5691 if start == end {
5692 return Err(format!(
5693 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
5694 ));
5695 }
5696 Ok((start, end))
5697 }
5698
5699 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
5700 /// always allowed. Half-open `[start, end)`; `start > end`
5701 /// crosses midnight.
5702 ///
5703 /// **Fail-closed** on an unparseable window (returns `false`,
5704 /// gemini #452 review): a window is a *restrictive* constraint
5705 /// (change-freeze / overnight-only), so a corrupt one must NOT
5706 /// silently allow fires during the restricted hours. Bad windows
5707 /// are rejected at create time by [`Schedule::validate`]; this
5708 /// only bites a hand-edited KV blob, where blocking is the safe
5709 /// direction. The scheduler warns at register time
5710 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
5711 /// The tick path never panics regardless.
5712 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
5713 // #418 holiday / blackout dates: never fire on a listed wall
5714 // date (in `tz`). Checked before the window since a skipped day
5715 // overrides any within-window allowance. Fail-closed on a
5716 // corrupt entry (same posture as `window`): a skip date is a
5717 // *restrictive* constraint, so a garbled one must not silently
5718 // re-enable fires — it blocks until fixed (`validate` rejects it
5719 // at create time; `bad_skip_date` lets the scheduler warn).
5720 if !self.skip_dates.is_empty() {
5721 let today = tz.wall_date(now);
5722 let blocked = self.skip_dates.iter().any(|s| {
5723 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
5724 Ok(d) => d == today,
5725 Err(_) => true, // corrupt entry → fail-closed (block)
5726 }
5727 });
5728 if blocked {
5729 return false;
5730 }
5731 }
5732 match self.window.as_deref() {
5733 // No window → always allowed.
5734 None => true,
5735 // Window set: membership, or fail-closed if unparseable
5736 // (`window_contains` returns None for a corrupt window).
5737 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
5738 }
5739 }
5740
5741 /// Membership of a wall-clock time-of-day in the window. `None`
5742 /// when there is no window or it's unparseable (callers decide
5743 /// the failure direction). `start > end` crosses midnight.
5744 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
5745 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
5746 Some(if start <= end {
5747 start <= t && t < end
5748 } else {
5749 t >= start || t < end
5750 })
5751 }
5752}
5753
5754/// What to do when a fire's script fails (#418 Phase 4 — the "高"
5755/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
5756/// happens, `OnFailure` decides what happens *after* one ran and
5757/// came back bad. Only `retry` so far; future `notify` / `disable`
5758/// would join the same namespace.
5759#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5760pub struct OnFailure {
5761 /// Re-run the script in-process when it exits non-zero (or times
5762 /// out), up to a cap, with a fixed backoff between attempts.
5763 /// `None` (default) = no retry: a failed run is published as-is
5764 /// and (for reconcile cadences) simply re-fires on the next poll
5765 /// tick. See [`Retry`].
5766 #[serde(default, skip_serializing_if = "Option::is_none")]
5767 pub retry: Option<Retry>,
5768}
5769
5770impl OnFailure {
5771 /// `skip_serializing_if` helper — an empty policy is omitted from
5772 /// the wire format entirely.
5773 pub fn is_empty(&self) -> bool {
5774 self.retry.is_none()
5775 }
5776
5777 /// Lower the operator-facing `retry` (humantime backoff) onto the
5778 /// engine vocabulary the agent's executor runs on (backoff in
5779 /// whole seconds). Single seam shared by the backend command
5780 /// builder and the agent's local scheduler so the two stamp the
5781 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
5782 /// `None` when there is no retry policy or the backoff is
5783 /// unparseable (validate() rejects the latter at create time;
5784 /// this stays fail-safe = "no retry" for a hand-edited KV blob
5785 /// rather than panicking on the fire path).
5786 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
5787 let r = self.retry.as_ref()?;
5788 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
5789 Some(crate::wire::RetrySpec {
5790 max: r.max,
5791 backoff_secs,
5792 })
5793 }
5794}
5795
5796/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
5797/// *additional* attempts after the first run (so `max: 3` = up to 4
5798/// total executions); `backoff` is the humantime delay slept between
5799/// attempts. The retry happens fire-side (inside `kanade fire` /
5800/// `handle_command`) on every OS for the PoC — the Windows-native
5801/// "restart on failure" Task Scheduler path is deferred to the
5802/// native-delegation phase (#418 decision H).
5803#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5804pub struct Retry {
5805 /// Max additional attempts after the first failure. Bounded
5806 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
5807 /// with a short backoff would otherwise pin a flapping script in
5808 /// a tight loop for the whole window.
5809 pub max: u32,
5810 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
5811 pub backoff: String,
5812}
5813
5814/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
5815/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
5816/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
5817/// global* "stop all automated change" switch the operator flips
5818/// during an incident or a year-end change-freeze. It lives in its
5819/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
5820/// active, both the backend scheduler and every agent's local
5821/// scheduler skip *every* fire.
5822///
5823/// Shapes:
5824/// * `{}` (no bounds) — frozen indefinitely until the operator
5825/// clears it (incident "big red button").
5826/// * `{ from, until }` — frozen only within `[from, until)`,
5827/// evaluated in `tz` (planned change-freeze; auto-thaws).
5828///
5829/// The KV key being *absent* means "not frozen" — so clearing the
5830/// freeze is a KV delete, and `is_active` only ever runs on a freeze
5831/// the operator actually set.
5832#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5833pub struct Freeze {
5834 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
5835 /// `tz`). `None` ⇒ frozen from the beginning of time.
5836 #[serde(default, skip_serializing_if = "Option::is_none")]
5837 pub from: Option<String>,
5838 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
5839 /// no scheduled end (manual clear required).
5840 #[serde(default, skip_serializing_if = "Option::is_none")]
5841 pub until: Option<String>,
5842 /// Operator-supplied note surfaced on the freeze-skip log and the
5843 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
5844 #[serde(default, skip_serializing_if = "Option::is_none")]
5845 pub reason: Option<String>,
5846 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
5847 /// carry their own offset). Defaults to host-local like a
5848 /// schedule's `tz`.
5849 #[serde(default)]
5850 pub tz: ScheduleTz,
5851}
5852
5853impl Freeze {
5854 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
5855 /// both absent) is frozen unconditionally; otherwise membership of
5856 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
5857 /// but **fails CLOSED** on an unparseable bound — a freeze is a
5858 /// safety switch, so a corrupt window (only reachable via a
5859 /// hand-edited KV blob; `validate` rejects it at set time) must
5860 /// mean "frozen", not "fire normally" (coderabbit #472). This is
5861 /// the one deliberate divergence from `active`'s fail-OPEN
5862 /// behaviour, where an unparseable bound dormant-skips a schedule.
5863 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
5864 // Parse a bound; an unparseable one short-circuits the whole
5865 // check to `true` (frozen) via the closure's `None` sentinel
5866 // handled below.
5867 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
5868 match s.as_deref() {
5869 None => Ok(None),
5870 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
5871 }
5872 };
5873 let (from, until) = match (bound(&self.from), bound(&self.until)) {
5874 (Ok(f), Ok(u)) => (f, u),
5875 // Any corrupt bound → fail closed (frozen).
5876 _ => return true,
5877 };
5878 if from.is_some_and(|f| now < f) {
5879 return false;
5880 }
5881 if until.is_some_and(|u| now >= u) {
5882 return false;
5883 }
5884 true
5885 }
5886
5887 /// Reject unparseable bounds / `from >= until` at set time (the
5888 /// API + CLI counterpart to [`Schedule::validate`]).
5889 pub fn validate(&self) -> Result<(), String> {
5890 let from = self
5891 .from
5892 .as_deref()
5893 .map(|s| Active::parse_bound(s, self.tz))
5894 .transpose()
5895 .map_err(|e| e.replace("active:", "freeze:"))?;
5896 let until = self
5897 .until
5898 .as_deref()
5899 .map(|s| Active::parse_bound(s, self.tz))
5900 .transpose()
5901 .map_err(|e| e.replace("active:", "freeze:"))?;
5902 if let (Some(f), Some(u)) = (from, until) {
5903 if f >= u {
5904 return Err(format!(
5905 "freeze.from ({}) must be strictly before freeze.until ({})",
5906 self.from.as_deref().unwrap_or_default(),
5907 self.until.as_deref().unwrap_or_default(),
5908 ));
5909 }
5910 }
5911 Ok(())
5912 }
5913}
5914
5915/// The system-generated poll cadence every reconcile-shaped `when`
5916/// lowers to. Operators never write this: the real inter-run
5917/// spacing is the `every` cooldown; this only bounds "how soon do
5918/// we notice somebody is due" (#418 decision B took the poll
5919/// period away from the operator).
5920pub const POLL_CRON: &str = "0 * * * * *";
5921
5922/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
5923/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
5924/// unchanged is what lets Phase 1 swap the operator surface without
5925/// touching the tick / dedup machinery.
5926pub struct Lowered {
5927 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
5928 /// reconcile shapes, a 6/7-field cron for calendar shapes.
5929 pub cron: String,
5930 /// Dedup semantics for `decide_fire`.
5931 pub mode: ExecMode,
5932 /// Humantime re-arm interval (`None` = succeed once, skip
5933 /// forever).
5934 pub cooldown: Option<String>,
5935 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
5936 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
5937 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
5938 /// so the same value drives the `active`-window check.
5939 pub tz: ScheduleTz,
5940}
5941
5942impl Schedule {
5943 /// The error message if this schedule's `constraints.window` is
5944 /// set but unparseable, else `None`. The scheduler logs this at
5945 /// register time so a fail-closed (never-firing) schedule from a
5946 /// hand-edited KV blob is diagnosable (gemini #452 review).
5947 pub fn bad_window(&self) -> Option<String> {
5948 let w = self.constraints.window.as_deref()?;
5949 Constraints::parse_window(w).err()
5950 }
5951
5952 /// True when this is a `calendar` schedule whose fire time can
5953 /// never fall inside its `constraints.window` — the cron fires,
5954 /// the window check rejects it, and (firing only at that
5955 /// time-of-day) it effectively never runs. An easy misconfig to
5956 /// set up by accident; the scheduler warns at register time
5957 /// (claude #452 review). Reconcile shapes poll every minute, so
5958 /// they always catch the window opening and aren't affected.
5959 pub fn calendar_outside_window(&self) -> bool {
5960 let When::Calendar(c) = &self.when else {
5961 return false;
5962 };
5963 let Some(t) = c.fire_time() else {
5964 return false;
5965 };
5966 matches!(self.constraints.window_contains(t), Some(false))
5967 }
5968
5969 /// Up to `count` future instants this schedule will fire, as
5970 /// absolute UTC, strictly after `now` — the dry-run / preview
5971 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
5972 /// schedules have discrete fire times; reconcile shapes
5973 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
5974 /// they return an empty vec and the caller describes the cadence
5975 /// instead. Occurrences outside the `active.{from,until}` window or
5976 /// the `constraints.window` are **skipped**, so the list reflects
5977 /// when the schedule will ACTUALLY run, not the raw cron ticks.
5978 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
5979 /// `Job::new_async_tz`, and with the same croner config the
5980 /// scheduler / [`Schedule::validate`] use, so a preview can never
5981 /// disagree with a real fire. A schedule that can never fire (a
5982 /// calendar time wholly outside its window, a past one-shot,
5983 /// `enabled: false` is *not* considered here — callers gate on
5984 /// `enabled` separately) yields an empty vec.
5985 pub fn preview_fires(
5986 &self,
5987 now: chrono::DateTime<chrono::Utc>,
5988 count: usize,
5989 ) -> Vec<chrono::DateTime<chrono::Utc>> {
5990 use croner::parser::{CronParser, Seconds};
5991 if !matches!(self.when, When::Calendar(_)) {
5992 return Vec::new();
5993 }
5994 // Same lowering + croner config as `next_calendar_fire` and the
5995 // live scheduler, so a preview can never disagree with a real
5996 // fire. `preview_fires` adds the N-occurrence walk and the
5997 // active / window filtering on top of that single seam.
5998 let lowered = self.lowered();
5999 let Ok(cron) = CronParser::builder()
6000 .seconds(Seconds::Required)
6001 .dom_and_dow(true)
6002 .build()
6003 .parse(&lowered.cron)
6004 else {
6005 return Vec::new();
6006 };
6007 let accept = |utc: chrono::DateTime<chrono::Utc>| {
6008 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
6009 };
6010 match self.tz {
6011 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
6012 ScheduleTz::Local => {
6013 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
6014 }
6015 }
6016 }
6017
6018 /// Walk croner forward from `after` collecting up to `count`
6019 /// accepted occurrences (converted to UTC). Generic over the tz the
6020 /// cron is evaluated in so `preview_fires` can run it in either
6021 /// `Utc` or `Local` without duplicating the loop.
6022 fn next_occurrences<Tz>(
6023 cron: &croner::Cron,
6024 after: chrono::DateTime<Tz>,
6025 count: usize,
6026 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
6027 ) -> Vec<chrono::DateTime<chrono::Utc>>
6028 where
6029 Tz: chrono::TimeZone,
6030 {
6031 // Bound the scan so an `active`/window dead-end (every future
6032 // tick rejected) can't spin forever: ~4096 raw ticks covers
6033 // >10y of a daily calendar while staying instant for croner.
6034 const SCAN_CAP: usize = 4096;
6035 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
6036 let mut cursor = after;
6037 let mut scanned = 0usize;
6038 while out.len() < count && scanned < SCAN_CAP {
6039 scanned += 1;
6040 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
6041 break;
6042 };
6043 let utc = next.with_timezone(&chrono::Utc);
6044 if accept(utc) {
6045 out.push(utc);
6046 }
6047 // `find_next_occurrence(.., inclusive = false)` already
6048 // advances strictly past `cursor`, so handing it `next`
6049 // verbatim gets the following occurrence — no manual +1s
6050 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
6051 cursor = next;
6052 }
6053 out
6054 }
6055
6056 /// Lower the operator-facing `when` onto the engine vocabulary.
6057 /// Single seam shared by the backend scheduler and the agent's
6058 /// local scheduler so the two can never drift.
6059 pub fn lowered(&self) -> Lowered {
6060 let tz = self.tz;
6061 match &self.when {
6062 When::PerPc(p) => Lowered {
6063 cron: POLL_CRON.into(),
6064 mode: ExecMode::OncePerPc,
6065 cooldown: p.cooldown(),
6066 tz,
6067 },
6068 When::PerTarget(p) => Lowered {
6069 cron: POLL_CRON.into(),
6070 mode: ExecMode::OncePerTarget,
6071 cooldown: p.cooldown(),
6072 tz,
6073 },
6074 // `to_cron` only fails on a malformed `at` (rejected by
6075 // validate() at create time). For a hand-edited KV blob
6076 // that slipped past, emit a deliberately-invalid cron so
6077 // register()'s Job::new_async_tz fails → warn+skip,
6078 // rather than firing at the wrong time.
6079 When::Calendar(c) => Lowered {
6080 cron: c
6081 .to_cron()
6082 .unwrap_or_else(|_| "# invalid calendar at".into()),
6083 mode: ExecMode::EveryTick,
6084 cooldown: None,
6085 tz,
6086 },
6087 // Event triggers have no cron — the agent fires them from an
6088 // OS event source. The `# event-trigger` cron is never
6089 // registered (the scheduler branches on `is_event()` first),
6090 // but keep it deliberately-invalid as a belt-and-suspenders
6091 // so a stray registration would fail rather than misfire.
6092 When::On(_) => Lowered {
6093 cron: "# event-trigger (no cron)".into(),
6094 mode: ExecMode::Event,
6095 cooldown: None,
6096 tz,
6097 },
6098 }
6099 }
6100
6101 /// True when this schedule fires from an OS event (`when: { on }`)
6102 /// rather than a clock — the agent skips `tokio-cron` registration
6103 /// for these and drives them from boot / session-change instead.
6104 pub fn is_event(&self) -> bool {
6105 matches!(self.when, When::On(_))
6106 }
6107
6108 /// The OS event triggers this schedule listens for, or `&[]` when it
6109 /// is not an event schedule.
6110 pub fn event_triggers(&self) -> &[OnTrigger] {
6111 match &self.when {
6112 When::On(t) => t,
6113 _ => &[],
6114 }
6115 }
6116
6117 /// The next absolute (UTC) time this schedule fires, or `None` when
6118 /// it has no discrete upcoming fire to preview.
6119 ///
6120 /// Used by the KLP `maintenance.list` preview ("what's about to
6121 /// happen on my PC", SPEC §2.1). Returns `None` for:
6122 ///
6123 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
6124 /// every-minute [`POLL_CRON`] and re-converge state continuously,
6125 /// so "next fire" is always ~60s away and means nothing to a user
6126 /// previewing upcoming maintenance;
6127 /// - a calendar schedule whose lowered cron won't parse (a
6128 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
6129 /// - a cron with no future occurrence.
6130 ///
6131 /// The wall-clock fire is evaluated in the schedule's own `tz`
6132 /// (matching the live tick's `Job::new_async_tz`) then normalised
6133 /// to UTC for the wire. `inclusive = false`: strictly the *next*
6134 /// fire after `now`, never one matching the current instant.
6135 pub fn next_calendar_fire(
6136 &self,
6137 now: chrono::DateTime<chrono::Utc>,
6138 ) -> Option<chrono::DateTime<chrono::Utc>> {
6139 if !matches!(self.when, When::Calendar(_)) {
6140 return None;
6141 }
6142 let lowered = self.lowered();
6143 // Same parser configuration tokio-cron-scheduler 0.15 uses
6144 // internally, so this can never compute a fire the live
6145 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
6146 let cron = croner::parser::CronParser::builder()
6147 .seconds(croner::parser::Seconds::Required)
6148 .dom_and_dow(true)
6149 .build()
6150 .parse(&lowered.cron)
6151 .ok()?;
6152 match lowered.tz {
6153 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
6154 ScheduleTz::Local => {
6155 let now_local = now.with_timezone(&chrono::Local);
6156 cron.find_next_occurrence(&now_local, false)
6157 .ok()
6158 .map(|t| t.with_timezone(&chrono::Utc))
6159 }
6160 }
6161 }
6162
6163 /// Cross-field semantic checks that don't fit pure serde derive
6164 /// — the [`Manifest::validate`] counterpart (#418 decision F;
6165 /// pre-Phase-1 a broken schedule was accepted at create time
6166 /// and silently warn-skipped at tick time). Run at every create
6167 /// site: `kanade schedule create` (client-side) and
6168 /// `POST /api/schedules`. The job_id-exists check lives in the
6169 /// API handler instead — it needs the JOBS KV.
6170 pub fn validate(&self) -> Result<(), String> {
6171 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
6172 return Err(
6173 "when.per_target needs fleet-wide completion data and is backend-only; \
6174 it cannot be combined with runs_on: agent (each agent self-schedules, \
6175 so per-target dedup would be deduping across a target of 1)"
6176 .into(),
6177 );
6178 }
6179 // #418 event triggers: the agent owns the OS event source
6180 // (boot / session-change), so `when: { on }` is agent-only and
6181 // needs at least one trigger.
6182 if let When::On(triggers) = &self.when {
6183 if !matches!(self.runs_on, RunsOn::Agent) {
6184 return Err(
6185 "when.on (OS event trigger) is fired by the agent's own event \
6186 source, so it requires runs_on: agent"
6187 .into(),
6188 );
6189 }
6190 if triggers.is_empty() {
6191 return Err(
6192 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
6193 );
6194 }
6195 }
6196 if let Some(cd) = self.lowered().cooldown.as_deref() {
6197 humantime::parse_duration(cd)
6198 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
6199 }
6200 if let When::Calendar(c) = &self.when {
6201 // Lower the calendar form to its cron (catches a bad `at`
6202 // and the date+days conflict), then validate that cron
6203 // with the same parser configuration tokio-cron-scheduler
6204 // 0.15 uses internally (croner, seconds required,
6205 // DOM-and-DOW both honored, year optional) — create-time
6206 // validation can never accept what register() rejects.
6207 let cron = c.to_cron()?;
6208 croner::parser::CronParser::builder()
6209 .seconds(croner::parser::Seconds::Required)
6210 .dom_and_dow(true)
6211 .build()
6212 .parse(&cron)
6213 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
6214 }
6215 // The other humantime strings on the schedule (claude #419
6216 // review): runtime degrades gracefully on both (bad jitter →
6217 // silent no-op, bad starting_deadline → warn + skipped tick),
6218 // but "rejected at create time" should cover every field the
6219 // operator can typo, not just `when`.
6220 if let Some(j) = &self.plan.jitter {
6221 humantime::parse_duration(j)
6222 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
6223 }
6224 if let Some(sd) = &self.starting_deadline {
6225 humantime::parse_duration(sd)
6226 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
6227 }
6228 let from = self
6229 .active
6230 .from
6231 .as_deref()
6232 .map(|s| Active::parse_bound(s, self.tz))
6233 .transpose()?;
6234 let until = self
6235 .active
6236 .until
6237 .as_deref()
6238 .map(|s| Active::parse_bound(s, self.tz))
6239 .transpose()?;
6240 if let (Some(f), Some(u)) = (from, until) {
6241 if f >= u {
6242 return Err(format!(
6243 "active.from ({}) must be strictly before active.until ({})",
6244 self.active.from.as_deref().unwrap_or_default(),
6245 self.active.until.as_deref().unwrap_or_default(),
6246 ));
6247 }
6248 }
6249 // #418 Phase 3: a bad maintenance window is rejected at create
6250 // time (parse_window also catches equal bounds).
6251 if let Some(w) = self.constraints.window.as_deref() {
6252 Constraints::parse_window(w)?;
6253 }
6254 // #418 holiday exclusion: reject a malformed skip date at create
6255 // time so the fail-closed `allows` path only ever bites a
6256 // hand-edited KV blob, not a fresh `kanade schedule create`.
6257 if let Some(err) = self.constraints.bad_skip_date() {
6258 return Err(err);
6259 }
6260 // #418: constraints.max_concurrent is a central running-instance
6261 // cap, so it needs the backend's counter — reject it on
6262 // runs_on: agent (decision E), and reject a meaningless 0.
6263 if let Some(mc) = self.constraints.max_concurrent {
6264 // Check the structural incompatibility (agent has no central
6265 // counter) before the value range, so a `max_concurrent: 0`
6266 // + `runs_on: agent` combo reports the more fundamental
6267 // problem first (claude #542).
6268 if matches!(self.runs_on, RunsOn::Agent) {
6269 return Err(
6270 "constraints.max_concurrent needs a central counter and is backend-only; \
6271 it cannot be combined with runs_on: agent (each agent self-schedules, \
6272 so there is no fleet-wide count to cap against)"
6273 .into(),
6274 );
6275 }
6276 if mc == 0 {
6277 return Err(
6278 "constraints.max_concurrent must be >= 1 (0 would never fire; \
6279 omit it for no cap)"
6280 .into(),
6281 );
6282 }
6283 }
6284 // #418: constraints.require (host-state env gates: ac_power /
6285 // idle / cpu_below / network) is sensed in-process by the agent,
6286 // so it needs runs_on: agent — the backend can't read a target
6287 // host's power / idle / cpu / connectivity state. Symmetric with
6288 // `when: { on }` (also agent-only); inverse of max_concurrent
6289 // (backend-only).
6290 if let Some(req) = &self.constraints.require {
6291 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
6292 return Err(
6293 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
6294 network) is sensed in-process by the agent and needs runs_on: agent; the \
6295 backend cannot read a target host's power / idle / cpu / connectivity state"
6296 .into(),
6297 );
6298 }
6299 // Reject a malformed idle duration at create time so the
6300 // fail-closed runtime path only ever bites a hand-edited
6301 // KV blob (mirror skip_dates / on_failure.retry).
6302 if let Some(err) = req.bad_idle() {
6303 return Err(err);
6304 }
6305 // cpu_below is a percent — reject out-of-range so a typo
6306 // can't make a schedule that never (>=100 is always-busy?
6307 // no — <0 never matches) or trivially fires.
6308 if let Some(c) = req.cpu_below
6309 && !(c > 0.0 && c <= 100.0)
6310 {
6311 return Err(format!(
6312 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
6313 omit it for no CPU requirement"
6314 ));
6315 }
6316 }
6317 // #418 Phase 4: a bad on_failure.retry is rejected at create
6318 // time — backoff must be valid humantime, and max is bounded
6319 // so a typo can't pin a flapping script in a tight loop.
6320 if let Some(r) = &self.on_failure.retry {
6321 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
6322 format!(
6323 "on_failure.retry.backoff: invalid duration '{}': {e}",
6324 r.backoff
6325 )
6326 })?;
6327 // The wire form lowers backoff to whole seconds, so a
6328 // sub-second value would silently become a 0s no-wait
6329 // (coderabbit #466). Reject it rather than honour a backoff
6330 // the operator can't actually get.
6331 if backoff.as_secs() < 1 {
6332 return Err(format!(
6333 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
6334 round to 0 on the wire",
6335 r.backoff
6336 ));
6337 }
6338 if !(1..=10).contains(&r.max) {
6339 return Err(format!(
6340 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
6341 attempts after the first run",
6342 r.max
6343 ));
6344 }
6345 }
6346 // A blank / whitespace-only tag renders an empty filter chip on
6347 // the Schedules page — reject it at create time, mirroring the
6348 // Manifest::validate tag guard.
6349 for tag in &self.tags {
6350 if tag.trim().is_empty() {
6351 return Err("tags must not contain empty entries".to_string());
6352 }
6353 }
6354 Ok(())
6355 }
6356}
6357
6358fn default_true() -> bool {
6359 true
6360}