kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::wire::{FinalizeCommand, RunAs, Shell, Staleness};
4
5/// YAML job manifest (= registered "what to run", v0.18.0+).
6///
7/// Owns only script-intrinsic fields. **Who** (`target`), **how to
8/// phase fanout** (`rollout`), and **when to stagger start**
9/// (`jitter`) all moved to the Schedule / exec request side — same
10/// script can now be fired against different targets / rollouts
11/// without copying the script body.
12///
13/// #492: these types are READ fleet-wide (agents decode them from
14/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
15/// must tolerate unknown fields — `deny_unknown_fields` here made a
16/// gradually-upgrading fleet's OLD agents reject the whole object
17/// the moment a newer backend added any field. Operator typo
18/// protection (the old reason for the attribute) lives at the WRITE
19/// boundaries instead: `kanade job/schedule create` and the backend
20/// POST extractor parse via [`crate::strict`], which rejects unknown
21/// keys with their full paths. The wire rule: new fields always get
22/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
23/// may still be strict).
24#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
25pub struct Manifest {
26 pub id: String,
27 pub version: String,
28 #[serde(default)]
29 pub description: Option<String>,
30 pub execute: Execute,
31 #[serde(default)]
32 pub require_approval: bool,
33 /// Opt-in marker that this job produces a JSON inventory fact
34 /// payload on stdout. When present, the backend's results
35 /// projector parses `ExecResult.stdout` as JSON and upserts an
36 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
37 /// `display` sub-config drives the SPA's Inventory page render.
38 #[serde(default)]
39 pub inventory: Option<InventoryHint>,
40 /// Issue #246: opt-in marker that this job emits per-line
41 /// observability events on stdout (one JSON `ObsEvent` per
42 /// newline). When present, the agent — after the script exits
43 /// successfully — parses each non-empty stdout line as an
44 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
45 /// `obs_outbox`, and (intentionally) **omits the stdout from
46 /// the `ExecResult`** so the timeline data doesn't double up
47 /// in `execution_results.stdout` (which would multiply rows
48 /// by ~50/day/PC of noise).
49 ///
50 /// Distinct from `inventory:` (single JSON object → projector
51 /// upsert) — events are append-only timeline points consumed
52 /// by the dedicated `obs_events` table.
53 #[serde(default)]
54 pub emit: Option<EmitConfig>,
55 /// #290: opt-in marker that this job is an operator-defined
56 /// **health check** whose result feeds the Client App's Health
57 /// tab over KLP (`StateSnapshot.checks`). The script prints a
58 /// free-form JSON object on stdout (like any inventory job); the
59 /// agent reads the [`CheckHint::status_field`] value dynamically
60 /// into a [`crate::ipc::state::Check`] named `check.name`.
61 /// Cadence / windows / conditions come from
62 /// the job's Schedule (exactly like inventory) — there is
63 /// deliberately no interval here. **Composes with `inventory:`**:
64 /// the script's stdout is one JSON object, so a check can also
65 /// carry an `inventory:` block to project the rest of that object
66 /// (incl. `explode` sub-tables) for SPA fleet-querying. Only
67 /// `emit:` (NDJSON stdout) is incompatible.
68 #[serde(default)]
69 pub check: Option<CheckHint>,
70 /// #219: opt-in marker that this job COLLECTS files into a bundle.
71 /// The script does the collection work and prints a single JSON
72 /// object on stdout carrying a `files` array of paths (the field
73 /// name is [`CollectHint::files_field`], default `"files"`); the
74 /// agent — after the script exits successfully — zips those files,
75 /// uploads the archive to the `OBJECT_COLLECTIONS` Object Store
76 /// bucket (key `<pc_id>/<job_id>/<timestamp>.zip`), and records the
77 /// key in [`crate::wire::ExecResult::collect_object`]. The operator
78 /// downloads bundles from the SPA Collect page.
79 ///
80 /// Like `inventory:` / `check:` this reads a JSON object from stdout,
81 /// but it consumes that stdout for its OWN contract (a `files`
82 /// list), so it is mutually exclusive with `inventory:` / `check:` /
83 /// `emit:` (enforced in [`Manifest::validate`]). It composes with
84 /// `client:` — a `collect:` + `client:` job lets an end user trigger
85 /// a collection from the Client App (the same-host agent runs it).
86 #[serde(default, skip_serializing_if = "Option::is_none")]
87 pub collect: Option<CollectHint>,
88 /// #720: opt-in declarative aggregation over `obs_events` that drives
89 /// the SPA **Analytics** page. Unlike the other hints this one never
90 /// touches stdout and is never delivered to the agent — it's a pure
91 /// *read spec* the backend reads from `BUCKET_JOBS` at query time and
92 /// turns into `json_extract` aggregation SQL. Each entry is one widget
93 /// (a `dashboard:` tab groups them); `scope:` selects per-PC vs
94 /// fleet-wide rollup. Because it consumes nothing at run time it
95 /// composes with every other hint (typically paired with `emit:`,
96 /// which produces the events it reads). See [`AggregateWidget`].
97 ///
98 /// New field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
99 #[serde(default, skip_serializing_if = "Option::is_none")]
100 pub aggregate: Option<Vec<AggregateWidget>>,
101 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
102 /// what the agent does at fire time when it can't verify the
103 /// `script_current` / `script_status` KV values are fresh —
104 /// especially relevant for `runs_on: agent` schedules where
105 /// the agent may fire from cache while offline. Defaults to
106 /// `Staleness::Cached` (silently use cached values), which
107 /// matches every pre-v0.26 Manifest.
108 #[serde(default)]
109 pub staleness: Staleness,
110 /// #291: opt-in marker that this job is offered to **end users**
111 /// in the Client App's job tabs over KLP (`jobs.list` →
112 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
113 /// [`emit`]: the block's mere presence is the opt-in, and it
114 /// groups the end-user presentation fields (name / category /
115 /// icon) that only make sense for a user-facing job. `None`
116 /// (the default) ⇒ an operator-only job — inventory, checks,
117 /// scheduled maintenance — that never surfaces in the catalog.
118 ///
119 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
120 /// (SPEC §2.1), so removing the block takes a job out of a
121 /// running client on its next action.
122 ///
123 /// [`inventory`]: Manifest::inventory
124 /// [`check`]: Manifest::check
125 /// [`emit`]: Manifest::emit
126 #[serde(default, skip_serializing_if = "Option::is_none")]
127 pub client: Option<ClientHint>,
128 /// Free-form operator taxonomy for the Jobs catalog. Purely a
129 /// SPA-side organisational aid — agents / scheduler / projector
130 /// never read it — so it carries no runtime semantics and any
131 /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
132 /// cross-cut (a `check-bitlocker` is at once a health-check, a
133 /// security control, and Windows-specific), which is why this is
134 /// a multi-valued list rather than the single closed-enum
135 /// [`ClientHint::category`] (whose values are the end-user Client
136 /// App's tabs, a different concern). The operator Jobs page groups
137 /// rows by id-prefix for free; tags add the orthogonal filter axis
138 /// prefixes can't express.
139 ///
140 /// Empty by default (the overwhelming majority of jobs), and a
141 /// new field, so it follows the #492 wire rule: `serde(default)`
142 /// plus `skip_serializing_if` keep gradually-upgrading old readers
143 /// from tripping over its absence / presence.
144 #[serde(default, skip_serializing_if = "Vec::is_empty")]
145 pub tags: Vec<String>,
146 /// GitOps provenance (#678) — see [`RepoOrigin`]. Stamped by
147 /// `kanade job create` when the source YAML lives inside a Git work
148 /// tree, so the SPA can render the job read-only and point edits
149 /// back at the repo instead of letting a ClickOps edit silently
150 /// diverge from Git (SPEC design principle #3: 設定駆動 YAML + Git).
151 /// `None` for SPA-born jobs and for manifests applied from outside
152 /// any Git repo. Purely informational: agents / scheduler /
153 /// projector never read it, and it survives `script_file:` inlining
154 /// (it's orthogonal to the exactly-one-of script-source rule). New
155 /// field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
156 #[serde(default, skip_serializing_if = "Option::is_none")]
157 pub origin: Option<RepoOrigin>,
158 /// Job-generic post-step hook. When set, the agent runs this script
159 /// AFTER the main `execute:` script exits cleanly (and, for a
160 /// `collect:` job, after the bundle finishes uploading), so the
161 /// operator can delete / move / notify based on what the step
162 /// produced. Best-effort: a finalize failure is logged but never
163 /// fails the run — the upload (if any) already succeeded.
164 ///
165 /// For `collect:` jobs the agent injects the environment variable
166 /// `KANADE_COLLECT_RESULT` — a JSON object
167 /// `{ "ok": true, "bundles": [ { "key", "uploaded", "files": [...] } ] }`
168 /// — so the hook acts on exactly the files that were bundled and
169 /// uploaded (e.g. deletes only the `uploaded` ones). Composes with
170 /// every hint. New field ⇒ #492 wire rule (`default` +
171 /// `skip_serializing_if`).
172 #[serde(default, skip_serializing_if = "Option::is_none")]
173 pub finalize: Option<FinalizeSpec>,
174}
175
176/// GitOps provenance for a repo-managed YAML artifact — a [`Manifest`]
177/// (#678) or a [`Schedule`] (#695). Populated by `kanade job create` /
178/// `kanade schedule create` from the Git context of the source YAML;
179/// the SPA reads it to render Git-managed entries read-only and link
180/// the operator back at the repo. Never consulted by the runtime.
181#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
182pub struct RepoOrigin {
183 /// Repo-relative path of the source YAML — the primary edit target
184 /// the SPA surfaces (e.g. `configs/jobs/foo.yaml`). Forward slashes
185 /// regardless of the authoring OS.
186 pub path: String,
187 /// `origin` remote URL, when the repo has one. Lets the SPA turn
188 /// `path` into a clickable link; `None` for remote-less repos.
189 #[serde(default, skip_serializing_if = "Option::is_none")]
190 pub repo: Option<String>,
191 /// Repo-relative path of the `script_file:` a job manifest inlined,
192 /// when it used one — a secondary pointer shown beneath `path`.
193 /// Always `None` for schedules (they carry no script).
194 #[serde(default, skip_serializing_if = "Option::is_none")]
195 pub script_file: Option<String>,
196}
197
198/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
199/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
200/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
201/// here keeps the validation + serialisation logic in one place.
202#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
203pub struct FanoutPlan {
204 #[serde(default)]
205 pub target: Target,
206 /// Optional wave rollout — when present, the backend publishes
207 /// each wave's group subject on its own delay schedule instead
208 /// of fanning out the `target` block in one go. `target` then
209 /// only labels the deploy for the audit log.
210 #[serde(default, skip_serializing_if = "Option::is_none")]
211 pub rollout: Option<Rollout>,
212 /// Optional humantime jitter; agent uses it to randomise
213 /// execution start. Lives here (not on the script) so different
214 /// schedules / ad-hoc fires of the same job can pick different
215 /// stagger windows.
216 #[serde(default, skip_serializing_if = "Option::is_none")]
217 pub jitter: Option<String>,
218 /// Absolute time the scheduler stamps on each emitted Command
219 /// when this exec was driven by a [`Schedule`] with
220 /// `starting_deadline`. Agents receiving a Command after this
221 /// instant publish a synthetic skipped-result instead of
222 /// running the script. `None` (default) = no deadline / catch
223 /// up whenever delivered. Operators don't usually set this
224 /// directly — the scheduler computes it from `tick_at +
225 /// starting_deadline`.
226 #[serde(default, skip_serializing_if = "Option::is_none")]
227 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
228}
229
230/// Sentinel lines that fence an inventory JSON payload inside an
231/// otherwise human-readable job stdout (#793).
232///
233/// A user-invokable (`client:`) job can't put both a friendly message
234/// and a JSON inventory object on its single stdout stream — the Client
235/// App renders stdout verbatim, while the projector needs it to be JSON.
236/// The convention: print a readable message for the user, then wrap the
237/// inventory JSON object between these two marker lines. The projector
238/// parses the fenced region (see [`inventory_payload`]) and the Client
239/// App strips it from what it shows the user. A plain inventory job (no
240/// `client:`) needs no fence — its whole stdout is the JSON.
241pub const INVENTORY_BLOCK_BEGIN: &str = "#KANADE-INVENTORY-BEGIN";
242/// Closing marker — see [`INVENTORY_BLOCK_BEGIN`].
243pub const INVENTORY_BLOCK_END: &str = "#KANADE-INVENTORY-END";
244
245/// Extract the inventory JSON payload from a job's stdout: the text
246/// between [`INVENTORY_BLOCK_BEGIN`] and [`INVENTORY_BLOCK_END`] when the
247/// fence is present, else the whole stdout (back-compat — a pure-JSON
248/// inventory job has no fence). An unterminated fence (the closing marker
249/// missing, e.g. truncated output) takes everything after the opener.
250/// The result is trimmed so surrounding message text / whitespace never
251/// reaches the JSON parser.
252pub fn inventory_payload(stdout: &str) -> &str {
253 let Some(begin) = find_line_marker(stdout, INVENTORY_BLOCK_BEGIN) else {
254 return stdout.trim();
255 };
256 let after = &stdout[begin + INVENTORY_BLOCK_BEGIN.len()..];
257 let inner = match find_line_marker(after, INVENTORY_BLOCK_END) {
258 Some(end) => &after[..end],
259 None => after,
260 };
261 inner.trim()
262}
263
264/// Find `needle` only where it begins a line (start of `hay` or right
265/// after a `\n`). Anchoring to line start means a script echoing the
266/// literal sentinel mid-message (e.g. printing a command name) can't
267/// false-trigger the fence (Claude #793).
268fn find_line_marker(hay: &str, needle: &str) -> Option<usize> {
269 if hay.starts_with(needle) {
270 return Some(0);
271 }
272 hay.find(&format!("\n{needle}")).map(|p| p + 1)
273}
274
275/// Manifest sub-section: how the SPA should render the inventory
276/// facts this job produces. Each field name (`field`) is a top-level
277/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
278///
279/// Two render modes:
280/// * `display` — vertical "field / value" per PC, used by the
281/// `/inventory?pc=<id>` detail view. ALL columns the operator
282/// wants visible on the detail page.
283/// * `summary` — horizontal table across the fleet (row = PC,
284/// column = field) on `/inventory`. Optional; when omitted the
285/// SPA falls back to `display`, but operators usually want a
286/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
287#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
288pub struct InventoryHint {
289 /// Detail-view columns, in order.
290 pub display: Vec<DisplayField>,
291 /// Optional fleet-list columns (row = PC). Defaults to `display`
292 /// when omitted, but operators usually pick a 3-5 column subset.
293 #[serde(default, skip_serializing_if = "Option::is_none")]
294 pub summary: Option<Vec<DisplayField>>,
295 /// v0.31 / #40: payload arrays that should be exploded into
296 /// per-element rows of a derived SQLite table. Lets operators
297 /// answer cross-PC questions ("which PCs still have Chrome <
298 /// 120?", "C: >90% full") with normal SQL filters + indexes
299 /// instead of grepping JSON. The projector creates the derived
300 /// table on register and replaces this PC's rows on each result
301 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
302 /// [`ExplodeSpec`] for the per-spec schema.
303 #[serde(default, skip_serializing_if = "Option::is_none")]
304 pub explode: Option<Vec<ExplodeSpec>>,
305 /// v0.35 / #93: top-level scalar fields whose changes the
306 /// projector logs to `inventory_history` (one event per
307 /// changed field per scan). Pairs with `explode[].track_history`
308 /// — that covers array elements; this covers single-valued
309 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
310 /// `os_build` that operators want to track for "did the RAM
311 /// get upgraded?" / "when did Win 11 land on this PC?" /
312 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
313 /// in the history row, `identity_json` is NULL, `before_json`
314 /// / `after_json` each carry `{"value": <prior or new value>}`.
315 /// First-ever observation of a scalar (no prior facts row)
316 /// emits `added`; subsequent value changes emit `changed`. No
317 /// `removed` events — a scalar disappearing from the payload
318 /// is rare and the operator can still see the last value via
319 /// the `before_json` of the most recent change.
320 #[serde(default, skip_serializing_if = "Option::is_none")]
321 pub history_scalars: Option<Vec<String>>,
322}
323
324/// Manifest sub-section (#290): marks a job as an operator-defined
325/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
326/// The stdout contract is a free-form JSON object (same as any
327/// inventory job) from which the agent reads `status_field` /
328/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
329/// on the Client App's Health tab.
330///
331/// There is deliberately **no timing field** — when / how often /
332/// in which window a check runs is driven by the job's Schedule,
333/// exactly like inventory jobs, so operators get the full `when:` /
334/// rollout / `runs_on` expressiveness for free.
335///
336/// A check's stdout is a **free-form inventory object** (arbitrary
337/// key/value pairs + arrays) — same as any inventory job — that also
338/// carries a status field. `check:` adds only the health semantics on
339/// top: which field is the ok/warn/fail/unknown status, an optional
340/// one-line summary field, and a remediation job. Everything else
341/// (rich per-PC detail, `explode` sub-tables like a software list) is
342/// driven by a co-present [`InventoryHint`] and rendered with the
343/// SAME display logic the SPA Inventory page uses — on the Client App
344/// too. This keeps checks maximally expressive without a bespoke
345/// payload type.
346#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
347pub struct CheckHint {
348 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
349 /// the SPA/Client React key + analytics label. Unique within the
350 /// fleet's check set. Machine-friendly slug (`disk_space`,
351 /// `defender_rtp`); for the human-facing row title see [`label`].
352 ///
353 /// [`label`]: CheckHint::label
354 pub name: String,
355 /// Optional human-facing display title →
356 /// [`Check.label`](crate::ipc::state::Check). The Client App's
357 /// Health tab and the operator SPA's Compliance page render this
358 /// instead of the [`name`](CheckHint::name) slug when set
359 /// (`"ウイルス対策のリアルタイム保護"` reads better than
360 /// `defender_rtp`). Falls back to the slug when absent, so it's
361 /// purely additive. Author it in the check's language — there's no
362 /// per-locale variant; checks are operator-defined per fleet.
363 #[serde(default, skip_serializing_if = "Option::is_none")]
364 pub label: Option<String>,
365 /// Top-level stdout field whose string value
366 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
367 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
368 /// `"status"`; a missing / unparseable value → `unknown`.
369 #[serde(default = "default_status_field")]
370 pub status_field: String,
371 /// Top-level stdout field used as the Health-tab row's one-line
372 /// summary. Defaults to `"detail"`; absent in the payload → no
373 /// detail line (the rich breakdown lives in the inventory view).
374 #[serde(default = "default_detail_field")]
375 pub detail_field: String,
376 /// Optional remediation job id →
377 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
378 /// App shows a "修復する" button when present; that job must be
379 /// `user_invokable`.
380 #[serde(default, skip_serializing_if = "Option::is_none")]
381 pub troubleshoot: Option<String>,
382 /// #290 PR-E: when `true` (default), the backend also projects this
383 /// check's `status` / `detail` into the `check_status` table so the
384 /// operator SPA gets a fleet-wide compliance view for free — no
385 /// `inventory:` block needed. Set `fleet: false` for a client-only
386 /// check the operator doesn't want surfaced across the fleet.
387 #[serde(default = "default_fleet")]
388 pub fleet: bool,
389 /// Optional auto-notification on a compliance transition. When set, the
390 /// backend publishes an end-user notification the moment this check
391 /// transitions *into* one of [`CheckAlert::on`] (e.g. ok → fail) — to
392 /// the failing PC's user and/or operator groups. Fired once per
393 /// transition (not on every poll). Requires `fleet: true` (the alert
394 /// rides the same projection that fills `check_status`).
395 #[serde(default, skip_serializing_if = "Option::is_none")]
396 pub alert: Option<CheckAlert>,
397}
398
399/// Auto-notification rule for a [`CheckHint`] (compliance alerting). When a
400/// check's status transitions into one of [`on`](Self::on), the backend
401/// publishes a notification to the failing PC's user
402/// ([`notify_user`](Self::notify_user)) and/or operator groups
403/// ([`notify_groups`](Self::notify_groups)). Deliberately config-driven:
404/// who gets told, how loud, and the wording all live in the manifest, not
405/// hardcoded in the backend.
406#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
407pub struct CheckAlert {
408 /// Statuses that fire the alert on *transition into* them (a check that
409 /// stays failing doesn't re-alert every poll). Defaults to `[fail]`.
410 /// `ok` is not representable — [`CheckAlertStatus`] has no `Ok` variant,
411 /// so a YAML `on: [ok]` fails to deserialize (before `validate()` is
412 /// even reached); "recovered" notifications are out of scope.
413 #[serde(default = "default_alert_on")]
414 pub on: Vec<CheckAlertStatus>,
415 /// Notify the user(s) on the failing PC (`notifications.pc.<pc_id>`).
416 #[serde(default)]
417 pub notify_user: bool,
418 /// Notify these operator groups (`notifications.group.<name>`).
419 #[serde(default, skip_serializing_if = "Vec::is_empty")]
420 pub notify_groups: Vec<String>,
421 /// Notification priority (colour/label only — toasting is the separate
422 /// `toast` flag). Defaults to `warn`.
423 #[serde(default = "default_alert_priority")]
424 pub priority: crate::ipc::notifications::NotificationPriority,
425 /// Require the recipient to click 確認 to dismiss.
426 #[serde(default)]
427 pub require_ack: bool,
428 /// Surface an OS toast (launches a closed Client App, Action Center
429 /// while locked). Recommended `true` for `notify_user` so a
430 /// non-emergency "your PC is non-compliant" nudge still reaches a user
431 /// whose app is closed.
432 #[serde(default)]
433 pub toast: bool,
434 /// Also send the alert by email, to every address mapped to the
435 /// `notify_groups` (via the `group_contacts` KV, edited on the SPA
436 /// Groups page). Opt-in: defaults to `false`, so an existing alert
437 /// never starts emailing on its own. Requires `notify_groups` to be
438 /// non-empty (there is no per-PC user email) and the backend's
439 /// `[mail]` config to be present; otherwise the email is a logged
440 /// no-op while the in-app/toast notification still fires.
441 #[serde(default)]
442 pub email: bool,
443 /// Notification title (required). May use the same `{…}` placeholders
444 /// as [`body`](Self::body).
445 pub title: String,
446 /// Notification body template. Placeholders: `{pc_id}`, `{name}` (check
447 /// slug), `{label}` (check label, falls back to slug), `{status}`,
448 /// `{detail}` (the check's one-line summary), `{last_logon}` (the PC's
449 /// last sign-in account). Absent → empty body.
450 #[serde(default, skip_serializing_if = "Option::is_none")]
451 pub body: Option<String>,
452}
453
454/// A check status that can trigger a [`CheckAlert`]. Mirrors the
455/// projected `check_status.status` values minus `ok` (alerting on `ok` is
456/// rejected at validation).
457#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
458#[serde(rename_all = "snake_case")]
459pub enum CheckAlertStatus {
460 Warn,
461 Fail,
462 Unknown,
463}
464
465impl CheckAlertStatus {
466 /// The wire string, matching the projected `check_status.status`.
467 pub fn as_str(self) -> &'static str {
468 match self {
469 Self::Warn => "warn",
470 Self::Fail => "fail",
471 Self::Unknown => "unknown",
472 }
473 }
474}
475
476fn default_alert_on() -> Vec<CheckAlertStatus> {
477 vec![CheckAlertStatus::Fail]
478}
479
480fn default_alert_priority() -> crate::ipc::notifications::NotificationPriority {
481 crate::ipc::notifications::NotificationPriority::Warn
482}
483
484fn default_status_field() -> String {
485 "status".to_string()
486}
487
488fn default_detail_field() -> String {
489 "detail".to_string()
490}
491
492fn default_fleet() -> bool {
493 true
494}
495
496fn default_files_field() -> String {
497 "files".to_string()
498}
499
500/// Fallback cap on a collect bundle's total input size when the
501/// manifest's `collect.max_size` is unset. 50 MB (decimal).
502pub const DEFAULT_COLLECT_MAX_SIZE: u64 = 50 * 1_000_000;
503
504/// Manifest sub-section (#219): marks a job as a **file collector** and
505/// carries how the collected bundle presents in the SPA. Parallel to
506/// [`InventoryHint`] / [`CheckHint`] — the block's presence is the
507/// opt-in. The script prints a single JSON object on stdout whose
508/// [`files_field`](CollectHint::files_field) key holds an array of file
509/// paths to bundle (env vars are expanded); the agent zips them and
510/// uploads to `OBJECT_COLLECTIONS`. See [`Manifest::collect`].
511#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
512pub struct CollectHint {
513 /// Operator/end-user-facing title for the collection, shown as the
514 /// bundle's heading on the SPA Collect page (and the Client App row
515 /// when paired with `client:`). Required; validated non-empty.
516 pub name: String,
517 /// Optional one-line description of what the bundle contains.
518 #[serde(default, skip_serializing_if = "Option::is_none")]
519 pub description: Option<String>,
520 /// Human-readable cap on the bundle's total input size
521 /// (`"50MB"`, `"500KB"`, `"1GiB"`). The agent refuses to build a
522 /// bundle whose listed files exceed this. `None` ⇒
523 /// [`DEFAULT_COLLECT_MAX_SIZE`]. Parsed by [`parse_size_bytes`];
524 /// [`Manifest::validate`] rejects an unparseable value at create
525 /// time.
526 ///
527 /// Note: this bounds the **uncompressed** bytes the agent reads off
528 /// disk, not the resulting zip. Text logs compress well, so the
529 /// download is usually much smaller; many tiny files add a little
530 /// per-entry zip overhead. Read it as "how much the agent reads +
531 /// packs", not "the exact download size".
532 #[serde(default, skip_serializing_if = "Option::is_none")]
533 pub max_size: Option<String>,
534 /// Top-level stdout JSON key holding the array of file paths to
535 /// bundle. Defaults to `"files"`.
536 #[serde(default = "default_files_field")]
537 pub files_field: String,
538}
539
540impl CollectHint {
541 /// The effective size cap in bytes — the parsed `max_size` or
542 /// [`DEFAULT_COLLECT_MAX_SIZE`] when unset. Assumes `max_size` (if
543 /// present) already passed [`Manifest::validate`]; falls back to the
544 /// default on a parse error rather than panicking on the fire path.
545 pub fn max_size_bytes(&self) -> u64 {
546 match &self.max_size {
547 Some(s) => parse_size_bytes(s).unwrap_or(DEFAULT_COLLECT_MAX_SIZE),
548 None => DEFAULT_COLLECT_MAX_SIZE,
549 }
550 }
551}
552
553/// Parse a human-readable byte size (`"50MB"`, `"500 KB"`, `"1GiB"`,
554/// `"1024"`). Decimal units (KB/MB/GB) are 1000-based; binary units
555/// (KiB/MiB/GiB) are 1024-based; a bare number (or `B`) is bytes.
556/// Case-insensitive. Shared by `collect.max_size` validation and the
557/// agent's bundle-size enforcement.
558pub fn parse_size_bytes(s: &str) -> Result<u64, String> {
559 let t = s.trim();
560 if t.is_empty() {
561 return Err("size must not be empty".to_string());
562 }
563 let split = t.find(|c: char| !c.is_ascii_digit()).unwrap_or(t.len());
564 let (num_str, unit_raw) = t.split_at(split);
565 if num_str.is_empty() {
566 return Err(format!("size '{s}': missing leading number"));
567 }
568 let num: u64 = num_str
569 .parse()
570 .map_err(|_| format!("size '{s}': bad number '{num_str}'"))?;
571 let mult: u64 = match unit_raw.trim().to_ascii_lowercase().as_str() {
572 "" | "b" => 1,
573 "kb" => 1_000,
574 "mb" => 1_000_000,
575 "gb" => 1_000_000_000,
576 "kib" => 1024,
577 "mib" => 1024 * 1024,
578 "gib" => 1024 * 1024 * 1024,
579 other => {
580 return Err(format!(
581 "size '{s}': unknown unit '{other}' (use B/KB/MB/GB/KiB/MiB/GiB)"
582 ));
583 }
584 };
585 num.checked_mul(mult)
586 .ok_or_else(|| format!("size '{s}': overflow"))
587}
588
589/// Manifest sub-section (#291): marks a job as **user-invokable**
590/// from the Client App and carries how it presents to the end user.
591/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
592/// the block's presence is the opt-in (no separate boolean), and its
593/// required fields (`name`, `category`) are enforced by serde at
594/// parse time, so a half-filled catalog entry fails
595/// `kanade job create` instead of rendering a nameless / tab-less row.
596///
597/// The agent maps this 1:1 into the KLP
598/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
599/// that `jobs.list` returns; the Client App renders one row per job in
600/// the tab named by `category`.
601#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
602pub struct ClientHint {
603 /// End-user-facing title for the job row. The operator-internal
604 /// `Manifest::id` slug is rarely what an end user should read, so
605 /// this is required (and validated non-empty by
606 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
607 pub name: String,
608 /// Optional one-line subtitle under `name` in the Client App.
609 /// Distinct from the operator-facing top-level
610 /// [`Manifest::description`] — this one is written for the end
611 /// user. Maps to `UserInvokableJob::display_description`.
612 #[serde(default, skip_serializing_if = "Option::is_none")]
613 pub description: Option<String>,
614 /// Which Client App tab the job lives in — a **free-form category
615 /// key** (#792). The Client App renders one tab per distinct key.
616 /// Well-known keys (`software_update`, `troubleshoot`, `catalog`)
617 /// carry built-in tab labels/icons; any other key defines a new tab
618 /// (style it with `category_label` / `category_icon`). Required and
619 /// validated non-empty — without it the agent can't place the job.
620 /// Note: the `software_update` key also drives the agent's
621 /// maintenance / auto-reboot grouping.
622 pub category: String,
623 /// Optional display name for the category's TAB. Set it on (at least
624 /// one of) a custom category's jobs to name the tab; `None` ⇒ a
625 /// built-in default for a well-known key, else the key itself.
626 #[serde(default, skip_serializing_if = "Option::is_none")]
627 pub category_label: Option<String>,
628 /// Optional icon for the category's TAB (lucide name or `data:` URL).
629 /// `None` ⇒ Client App default for the key.
630 #[serde(default, skip_serializing_if = "Option::is_none")]
631 pub category_icon: Option<String>,
632 /// Optional sort order for the TAB; lower sorts first. `None` ⇒
633 /// default (well-known keys keep their familiar order; custom keys
634 /// sort after, then by label).
635 #[serde(default, skip_serializing_if = "Option::is_none")]
636 pub category_order: Option<i64>,
637 /// Optional icon hint for the job ROW — a lucide-react icon name
638 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
639 /// category's icon. Surfaced verbatim in `jobs.list[].icon`.
640 #[serde(default, skip_serializing_if = "Option::is_none")]
641 pub icon: Option<String>,
642 /// Optional visibility scope for the end-user Client App (#816).
643 ///
644 /// `None` ⇒ visible to every PC (current behavior). When set, only
645 /// agents whose `pc_id` / group membership match the [`Target`] list
646 /// the job in `jobs.list` and may run it via KLP `jobs.execute`.
647 ///
648 /// This gates the END-USER surface ONLY. Operators are unaffected:
649 /// `POST /api/exec/{job_id}` (SPA / `kanade exec`) is a separate path
650 /// that never consults `client:`, so an operator can still run the
651 /// job on any PC regardless of `visible_to`. Reuses the schedule
652 /// `Target` shape (`all` / `groups` / `pcs`); a present-but-empty
653 /// target is rejected by [`Manifest::validate`].
654 #[serde(default, skip_serializing_if = "Option::is_none")]
655 pub visible_to: Option<Target>,
656}
657
658/// #720 — one widget on the SPA **Analytics** page: a declarative
659/// aggregation over the `obs_events` table. The backend reads these off
660/// `Manifest::aggregate` (from `BUCKET_JOBS`) at query time and builds
661/// the `json_extract` GROUP BY / time-bucket SQL from these generic
662/// primitives, so an operator can chart any emitted event without a Rust
663/// change. The reference shapes are the attendance dashboards
664/// (presence / app_sample / web_visit), but the same DSL covers logon /
665/// reboot / agent-health trends, etc.
666#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
667pub struct AggregateWidget {
668 /// Tab this widget lives under on the Analytics page. Widgets from
669 /// every job are collected and grouped by this label, so the same
670 /// string across jobs builds one multi-source dashboard. Required.
671 pub dashboard: String,
672 /// Widget heading. Required, validated non-empty.
673 pub title: String,
674 /// Optional one-line subtitle shown muted under the `title` on the
675 /// Analytics page — room for a unit, a caveat, or what the number
676 /// means ("samples × 2 min", "Security 4624 only"). Rejected if
677 /// present-but-blank.
678 #[serde(default, skip_serializing_if = "Option::is_none")]
679 pub description: Option<String>,
680 /// Optional sort weight (#743). Once the order-aware sort lands (PR2)
681 /// widgets render in `(order, dashboard, title)` order, so a lower
682 /// `order` pulls a widget — and its tab — earlier; equal/absent `order`
683 /// falls back to the alphabetical `(dashboard, title)` ordering. Treated
684 /// as `0` when unset, so a fleet with no `order` anywhere stays purely
685 /// alphabetical (today's behaviour); negatives are allowed to pin
686 /// something first. (This field only carries the value; the backend
687 /// applies it.)
688 #[serde(default, skip_serializing_if = "Option::is_none")]
689 pub order: Option<i32>,
690 /// `pc` rolls up a single selected PC; `fleet` rolls up all PCs
691 /// (and unlocks `group_by: pc_id` to rank PCs against each other).
692 /// Defaults to `pc`.
693 #[serde(default)]
694 pub scope: AggregateScope,
695 /// `obs_events.kind` this widget reads (e.g. `app_sample`,
696 /// `presence`, `unexpected_shutdown`). Required.
697 pub kind: String,
698 /// Optional `obs_events.source` filter, when one `kind` is emitted by
699 /// more than one collector.
700 #[serde(default, skip_serializing_if = "Option::is_none")]
701 pub source: Option<String>,
702 /// How to roll the matching events up. See [`AggregateAgg`].
703 pub agg: AggregateAgg,
704 /// Dotted JSON path (no `$.` prefix) to group by for `agg: count` /
705 /// `sum` — e.g. `foreground.app`. The literal `pc_id` is special:
706 /// it groups by the `pc_id` column (fleet ranking), not a payload
707 /// field. Omit for a single total. Required when `agg: sum` needs a
708 /// breakdown; for `agg: count` omitting it yields the grand total.
709 #[serde(default, skip_serializing_if = "Option::is_none")]
710 pub group_by: Option<String>,
711 /// Dotted JSON path to a boolean for `agg: ratio` (e.g. `active`):
712 /// the widget reports `true_count / total`. Required when `agg: ratio`.
713 #[serde(default, skip_serializing_if = "Option::is_none")]
714 pub bool_path: Option<String>,
715 /// Dotted JSON path to a number for `agg: sum`. Required when `agg: sum`.
716 #[serde(default, skip_serializing_if = "Option::is_none")]
717 pub value_path: Option<String>,
718 /// Optional value transform applied before grouping. Currently only
719 /// `host` (parse a URL down to its host) — used by the top-sites
720 /// widget, where SQLite can't parse a URL so the backend does it in
721 /// Rust. See [`AggregateTransform`].
722 #[serde(default, skip_serializing_if = "Option::is_none")]
723 pub transform: Option<AggregateTransform>,
724 /// Optional sampling cadence in minutes. When set, a `count` is also
725 /// reported as estimated time (`count × sample_minutes`) — e.g. a
726 /// 2-minute app sampler turns 11 samples into ~22 minutes. Must be ≥ 1.
727 #[serde(default, skip_serializing_if = "Option::is_none")]
728 #[schemars(range(min = 1))]
729 pub sample_minutes: Option<u32>,
730 /// Grouped values to drop from the rollup (e.g. `["LockApp"]` so the
731 /// lock screen doesn't top the app ranking). Empty by default.
732 #[serde(default, skip_serializing_if = "Vec::is_empty")]
733 pub exclude: Vec<String>,
734 /// Optional time bucketing — `hour` buckets events by local
735 /// hour-of-day for a `timeline` render. See [`AggregateTimeBucket`].
736 #[serde(default, skip_serializing_if = "Option::is_none")]
737 pub time_bucket: Option<AggregateTimeBucket>,
738 /// Top-N cap for grouped renders (`bar`). Defaults to 10 when unset.
739 #[serde(default, skip_serializing_if = "Option::is_none")]
740 #[schemars(range(min = 1))]
741 pub limit: Option<u32>,
742 /// Which widget the SPA draws. See [`AggregateRender`].
743 pub render: AggregateRender,
744}
745
746/// Per-PC vs fleet-wide rollup for an [`AggregateWidget`].
747#[derive(
748 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
749)]
750#[serde(rename_all = "lowercase")]
751#[non_exhaustive]
752pub enum AggregateScope {
753 /// Roll up the single PC the operator selected. The default.
754 #[default]
755 Pc,
756 /// Roll up across every PC. Unlocks `group_by: pc_id`.
757 Fleet,
758 /// #492 forward-compat catch-all — a Manifest is read fleet-wide, so
759 /// an older reader must tolerate a future variant rather than failing
760 /// to decode the whole job. The backend skips an `Unknown` widget.
761 #[serde(other)]
762 Unknown,
763}
764
765/// The rollup function for an [`AggregateWidget`].
766#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
767#[serde(rename_all = "lowercase")]
768#[non_exhaustive]
769pub enum AggregateAgg {
770 /// Row count, optionally grouped (`group_by`) and time-estimated
771 /// (`sample_minutes`).
772 Count,
773 /// `true_count / total` over `bool_path`.
774 Ratio,
775 /// Sum of `value_path`, optionally grouped.
776 Sum,
777 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
778 #[serde(other)]
779 Unknown,
780}
781
782/// Optional pre-grouping value transform for an [`AggregateWidget`].
783#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
784#[serde(rename_all = "lowercase")]
785#[non_exhaustive]
786pub enum AggregateTransform {
787 /// Parse the grouped value as a URL and keep only its host.
788 Host,
789 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
790 #[serde(other)]
791 Unknown,
792}
793
794/// Time bucketing for an [`AggregateWidget`] (drives a `timeline`).
795#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
796#[serde(rename_all = "lowercase")]
797#[non_exhaustive]
798pub enum AggregateTimeBucket {
799 /// Bucket by local hour-of-day (0–23), summed over the window.
800 Hour,
801 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
802 #[serde(other)]
803 Unknown,
804}
805
806/// Which visual the SPA renders an [`AggregateWidget`] as.
807#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
808#[serde(rename_all = "lowercase")]
809#[non_exhaustive]
810pub enum AggregateRender {
811 /// Ranked horizontal bars (a grouped `count` / `sum`).
812 Bar,
813 /// A single ratio dial (`agg: ratio`).
814 Gauge,
815 /// 24-hour activity strip (`time_bucket: hour`).
816 Timeline,
817 /// A single headline number (an ungrouped total).
818 Stat,
819 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
820 #[serde(other)]
821 Unknown,
822}
823
824/// True if `p` is a well-formed dotted JSON path of `[A-Za-z0-9_]`
825/// segments joined by single dots — the shape safe to bind into
826/// `json_extract(payload, '$.' || ?)`. The charset blocks injection; the
827/// segment check additionally rejects `"."`, `".foo"`, `"foo."`,
828/// `"foo..bar"`, which would pass the charset but produce a malformed
829/// `$.` path that errors at query time. Accepts `pc_id`, `foreground.app`,
830/// `active`, etc.
831fn is_valid_json_path(p: &str) -> bool {
832 !p.is_empty()
833 && p.split('.').all(|seg| {
834 !seg.is_empty() && seg.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
835 })
836}
837
838/// Per-widget validation for a list of [`AggregateWidget`]s — shared by
839/// the `aggregate:` job hint ([`Manifest::validate`]) and the standalone
840/// [`View`] resource (#743) so the two can't diverge. `field` names the
841/// containing key for error messages (`"aggregate"` or `"widgets"`).
842///
843/// Enforces: non-empty list; non-empty dashboard/title/kind; a
844/// blank-when-set `source`; rejection of any #492 `Unknown` enum
845/// (an operator typo at create time); safe dotted JSON paths; the value
846/// path each `agg` needs (and rejection of mis-paired ones); `pc_id`
847/// grouping only in `fleet` scope; `transform`/`limit`/`exclude` only with
848/// a `group_by`; positive `limit`/`sample_minutes`; `gauge`⇔`ratio`; and
849/// `timeline`⇔`time_bucket`.
850pub fn validate_aggregate_widgets(widgets: &[AggregateWidget], field: &str) -> Result<(), String> {
851 if widgets.is_empty() {
852 return Err(format!(
853 "`{field}:` must list at least one widget when present"
854 ));
855 }
856 for (i, w) in widgets.iter().enumerate() {
857 let at = format!("{field}[{i}]");
858 for (label, value) in [
859 ("dashboard", &w.dashboard),
860 ("title", &w.title),
861 ("kind", &w.kind),
862 ] {
863 if value.trim().is_empty() {
864 return Err(format!("{at}.{label} must not be empty"));
865 }
866 }
867 // A present-but-blank `source` is a no-op filter — reject like the
868 // other blank-when-set guards.
869 if let Some(source) = &w.source {
870 if source.trim().is_empty() {
871 return Err(format!("{at}.source must not be empty when set"));
872 }
873 }
874 // A present-but-blank `description` renders an empty muted line —
875 // reject it so the subtitle only shows when it says something.
876 if let Some(description) = &w.description {
877 if description.trim().is_empty() {
878 return Err(format!("{at}.description must not be empty when set"));
879 }
880 }
881 // Reject values that fell through to the #492 `Unknown` catch-all:
882 // at create time on the current version that's an operator typo. (A
883 // genuinely-future variant only reaches an older reader via a stored
884 // resource, which is never re-validated, so forward-compat holds.)
885 if w.scope == AggregateScope::Unknown {
886 return Err(format!("{at}.scope is not a known value (pc | fleet)"));
887 }
888 if w.agg == AggregateAgg::Unknown {
889 return Err(format!(
890 "{at}.agg is not a known value (count | ratio | sum)"
891 ));
892 }
893 if w.render == AggregateRender::Unknown {
894 return Err(format!(
895 "{at}.render is not a known value (bar | gauge | timeline | stat)"
896 ));
897 }
898 if w.transform == Some(AggregateTransform::Unknown) {
899 return Err(format!("{at}.transform is not a known value (host)"));
900 }
901 if w.time_bucket == Some(AggregateTimeBucket::Unknown) {
902 return Err(format!("{at}.time_bucket is not a known value (hour)"));
903 }
904 for (label, path) in [
905 ("group_by", &w.group_by),
906 ("bool_path", &w.bool_path),
907 ("value_path", &w.value_path),
908 ] {
909 if let Some(p) = path {
910 if !is_valid_json_path(p) {
911 return Err(format!(
912 "{at}.{label} '{p}' must be a dotted JSON path of [A-Za-z0-9_] segments"
913 ));
914 }
915 }
916 }
917 // Each agg uses exactly one value path; reject a mis-paired path so
918 // a typo fails at create rather than being ignored.
919 match w.agg {
920 // count: grouped → ranking, ungrouped → grand total.
921 AggregateAgg::Count => {
922 for (label, path) in [("bool_path", &w.bool_path), ("value_path", &w.value_path)] {
923 if path.is_some() {
924 return Err(format!("{at}.agg=count does not use `{label}`"));
925 }
926 }
927 }
928 AggregateAgg::Ratio => {
929 if w.bool_path.is_none() {
930 return Err(format!("{at}.agg=ratio requires `bool_path`"));
931 }
932 if w.value_path.is_some() {
933 return Err(format!("{at}.agg=ratio does not use `value_path`"));
934 }
935 }
936 AggregateAgg::Sum => {
937 if w.value_path.is_none() {
938 return Err(format!("{at}.agg=sum requires `value_path`"));
939 }
940 if w.bool_path.is_some() {
941 return Err(format!("{at}.agg=sum does not use `bool_path`"));
942 }
943 }
944 // Rejected above; arm exists only for exhaustiveness.
945 AggregateAgg::Unknown => {}
946 }
947 // Ranking PCs against each other only means something across the
948 // fleet — within one PC it's a single bar.
949 if w.group_by.as_deref() == Some("pc_id") && w.scope != AggregateScope::Fleet {
950 return Err(format!(
951 "{at}.group_by: pc_id is only valid with scope: fleet"
952 ));
953 }
954 // `transform` rewrites the grouped PAYLOAD value (URL→host); it's
955 // meaningless on a `pc_id` grouping (the pc_id column, not a payload
956 // field), so reject the combo at create time.
957 if w.transform.is_some() && w.group_by.as_deref() == Some("pc_id") {
958 return Err(format!("{at}.transform is not valid with group_by: pc_id"));
959 }
960 // limit / transform / exclude all operate on grouped values, so
961 // without a `group_by` they're silent no-ops — reject.
962 if w.group_by.is_none() {
963 if w.limit.is_some() {
964 return Err(format!("{at}.limit requires `group_by`"));
965 }
966 if w.transform.is_some() {
967 return Err(format!("{at}.transform requires `group_by`"));
968 }
969 if !w.exclude.is_empty() {
970 return Err(format!("{at}.exclude requires `group_by`"));
971 }
972 }
973 if w.limit == Some(0) {
974 return Err(format!("{at}.limit must be > 0"));
975 }
976 if w.sample_minutes == Some(0) {
977 return Err(format!("{at}.sample_minutes must be > 0"));
978 }
979 for ex in &w.exclude {
980 if ex.trim().is_empty() {
981 return Err(format!("{at}.exclude must not contain empty entries"));
982 }
983 }
984 // A gauge draws a single ratio dial — only meaningful for agg: ratio.
985 if w.render == AggregateRender::Gauge && w.agg != AggregateAgg::Ratio {
986 return Err(format!("{at}.render=gauge is only valid with agg: ratio"));
987 }
988 // A timeline needs a bucket; a bucket on any other render is a no-op
989 // that signals operator confusion — reject both.
990 match (w.render, &w.time_bucket) {
991 (AggregateRender::Timeline, None) => {
992 return Err(format!("{at}.render=timeline requires `time_bucket`"));
993 }
994 (r, Some(_)) if r != AggregateRender::Timeline => {
995 return Err(format!(
996 "{at}.time_bucket is only valid with render: timeline"
997 ));
998 }
999 _ => {}
1000 }
1001 }
1002 Ok(())
1003}
1004
1005/// A standalone declarative read/aggregation for the Analytics page (#743).
1006///
1007/// A **view** aggregates stored fleet data (`obs_events`, …) without an
1008/// `execute` or a schedule — unlike a [`Manifest`] it only declares
1009/// [`AggregateWidget`]s. (The first line is concise on purpose: `schemars`
1010/// uses it as the generated schema's `title`.) The backend reads views from
1011/// `BUCKET_VIEWS` at
1012/// query time and merges their widgets with the co-located `aggregate:`
1013/// hints on jobs, so a cross-cutting dashboard (one that charts events
1014/// emitted by several other jobs / the agent) has a home that doesn't need
1015/// a noop job carrier. Stored JSON in `BUCKET_VIEWS`, keyed by `id`.
1016#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1017pub struct View {
1018 /// Stable identifier (the KV key). Required, validated non-empty.
1019 pub id: String,
1020 /// Optional human description shown on the Views admin page.
1021 #[serde(default, skip_serializing_if = "Option::is_none")]
1022 pub description: Option<String>,
1023 /// The widgets this view contributes to the Analytics page.
1024 pub widgets: Vec<AggregateWidget>,
1025 /// Free-form operator taxonomy (same role as [`Manifest::tags`]).
1026 #[serde(default, skip_serializing_if = "Vec::is_empty")]
1027 pub tags: Vec<String>,
1028 /// GitOps provenance (#678), stamped by `kanade view create` from the
1029 /// source YAML's Git context — same as [`Manifest::origin`].
1030 #[serde(default, skip_serializing_if = "Option::is_none")]
1031 pub origin: Option<RepoOrigin>,
1032}
1033
1034/// True if `id` is a safe resource identifier — non-empty and only
1035/// `[A-Za-z0-9._-]`. A view `id` becomes a NATS KV key *and* a URL path
1036/// segment (`/api/views/{id}`), so this blocks `/`, `..`, whitespace and
1037/// other characters that would break the KV key or let a CLI arg wander
1038/// the URL space. (#743 / #744 follow-up — a deliberately small charset
1039/// rather than the looser set NATS technically allows.)
1040pub fn is_valid_resource_id(id: &str) -> bool {
1041 !id.is_empty()
1042 && id
1043 .chars()
1044 .all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_' || c == '-')
1045}
1046
1047impl View {
1048 pub fn validate(&self) -> Result<(), String> {
1049 if !is_valid_resource_id(self.id.trim()) {
1050 return Err(
1051 "view.id must be non-empty and only [A-Za-z0-9._-] (it's a KV key + URL segment)"
1052 .to_string(),
1053 );
1054 }
1055 validate_aggregate_widgets(&self.widgets, "widgets")?;
1056 for tag in &self.tags {
1057 if tag.trim().is_empty() {
1058 return Err("tags must not contain empty entries".to_string());
1059 }
1060 }
1061 Ok(())
1062 }
1063}
1064
1065/// Issue #246 — `emit:` manifest block for jobs whose stdout is
1066/// NDJSON observability events (one `ObsEvent` per line). Parallel
1067/// to `inventory:` but for the append-only timeline pipeline; see
1068/// `Manifest::emit` for the full contract.
1069#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1070pub struct EmitConfig {
1071 /// What kind of payload the agent should expect on stdout. Only
1072 /// `events` is defined today (parses each non-empty line as
1073 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
1074 /// (e.g. metrics streams, structured trace events) plug in here.
1075 #[serde(rename = "type")]
1076 pub kind: EmitKind,
1077 /// Operator hint for where the script keeps its own state — the
1078 /// watermark file the PowerShell / sh body reads + writes
1079 /// between runs so it only emits NEW events since the last
1080 /// poll. The agent doesn't read this; it's documentation that
1081 /// the SPA (and `kanade job edit`) can surface to operators
1082 /// reviewing the manifest. Optional; the script is allowed to
1083 /// keep state anywhere (registry, env, etc.) — the field's
1084 /// presence makes the convention discoverable.
1085 #[serde(default, skip_serializing_if = "Option::is_none")]
1086 pub watermark_path: Option<String>,
1087}
1088
1089/// `emit.type` enum. Lowercase serde so manifests read
1090/// `type: events` rather than `Events`.
1091#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1092#[serde(rename_all = "lowercase")]
1093pub enum EmitKind {
1094 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
1095 /// `obs.<pc_id>`, drops the stdout from the resulting
1096 /// `ExecResult`.
1097 Events,
1098}
1099
1100/// v0.31 / #40: declarative "flatten this JSON array into a real
1101/// SQLite table" spec on an inventory manifest. The projector
1102/// creates the table on first registration (CREATE TABLE IF NOT
1103/// EXISTS + indexes) and writes a row per element of
1104/// `payload[field]` on every result, scoped by (pc_id, job_id) so
1105/// each PC's rows replace cleanly without a per-PC schema.
1106#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1107pub struct ExplodeSpec {
1108 /// JSON array key under the payload to explode. E.g. `"apps"`
1109 /// for `payload: { apps: [{...}, {...}] }`.
1110 pub field: String,
1111 /// Derived SQLite table name. Operators choose this — pick
1112 /// something namespaced + stable (`inventory_sw_apps`, not
1113 /// `apps`) so multiple inventory manifests don't collide on a
1114 /// generic name.
1115 pub table: String,
1116 /// Element-level fields that uniquely identify a row inside one
1117 /// PC's payload. The full PK is `(pc_id, job_id) + these
1118 /// columns`. Required — operators must think about uniqueness
1119 /// (e.g. `["name", "source"]` for installed apps because the
1120 /// same name appears in multiple uninstall hives).
1121 ///
1122 /// v0.31 / #41: same tuple drives history identity. When
1123 /// `track_history` is on, the projector serialises these
1124 /// fields' values into `inventory_history.identity_json` for
1125 /// every change event, so queries like "every PC that ever
1126 /// installed Chrome (any source)" filter on identity_json
1127 /// content without a per-manifest schema.
1128 pub primary_key: Vec<String>,
1129 /// Per-element fields that become columns in the derived table.
1130 pub columns: Vec<ExplodeColumn>,
1131 /// v0.31 / #41: when true (default false), the projector
1132 /// diffs each PC's incoming payload against the prior rows
1133 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
1134 /// replace, and writes added / removed / changed events into
1135 /// `inventory_history`. Lets operators answer time-dimension
1136 /// questions ("when did Chrome 120 first appear on PC X?",
1137 /// "what's the Win 11 23H2 rollout curve") without storing
1138 /// per-scan snapshots. Off by default so operators opt in
1139 /// per-spec — history has a real storage cost on long-lived
1140 /// deployments (mitigated by the 90-day default retention
1141 /// sweeper, see `cleanup` module).
1142 #[serde(default)]
1143 pub track_history: bool,
1144}
1145
1146/// One column in an [`ExplodeSpec`]'s derived table.
1147#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1148pub struct ExplodeColumn {
1149 /// JSON key under each array element. Becomes the column name
1150 /// in the derived SQLite table — we don't rename.
1151 pub field: String,
1152 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
1153 /// Storage maps directly via `sqlx::query.bind(...)`; type
1154 /// mismatches at INSERT-time fail loudly rather than silently
1155 /// dropping the row.
1156 #[serde(default, skip_serializing_if = "Option::is_none")]
1157 #[serde(rename = "type")]
1158 pub kind: Option<String>,
1159 /// When true, the projector creates a `CREATE INDEX` on this
1160 /// column at table-creation time. Boost for the common-filter
1161 /// columns (`name`, `version`) — operators mark them
1162 /// explicitly, the projector won't guess.
1163 #[serde(default)]
1164 pub index: bool,
1165}
1166
1167#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1168pub struct DisplayField {
1169 /// Top-level key in the stdout JSON.
1170 pub field: String,
1171 /// Human-readable column header.
1172 pub label: String,
1173 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
1174 /// or `"table"` (#39). Defaults to plain text rendering on the
1175 /// SPA side. `"table"` expects the field's value to be a JSON
1176 /// array of objects and renders a nested sub-table on the
1177 /// per-PC detail page using `columns` as the schema; the fleet
1178 /// summary view falls back to showing the row count for
1179 /// `"table"` cells so the wide list stays compact.
1180 #[serde(default, skip_serializing_if = "Option::is_none")]
1181 #[serde(rename = "type")]
1182 pub kind: Option<String>,
1183 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
1184 /// field's value (an array of objects like
1185 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
1186 /// sub-table using these columns. Each column is itself a
1187 /// `DisplayField`, so the nested cells reuse the same render
1188 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
1189 /// pipeline. Ignored for any other `kind`.
1190 #[serde(default, skip_serializing_if = "Option::is_none")]
1191 pub columns: Option<Vec<DisplayField>>,
1192}
1193
1194#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1195pub struct Rollout {
1196 #[serde(default)]
1197 pub strategy: RolloutStrategy,
1198 pub waves: Vec<Wave>,
1199}
1200
1201#[derive(
1202 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
1203)]
1204#[serde(rename_all = "lowercase")]
1205pub enum RolloutStrategy {
1206 #[default]
1207 Wave,
1208}
1209
1210#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1211pub struct Wave {
1212 pub group: String,
1213 /// humantime delay measured from the deploy's publish time. wave[0]
1214 /// typically has "0s"; subsequent waves use minutes / hours.
1215 pub delay: String,
1216}
1217
1218#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
1219pub struct Target {
1220 #[serde(default)]
1221 pub groups: Vec<String>,
1222 #[serde(default)]
1223 pub pcs: Vec<String>,
1224 #[serde(default)]
1225 pub all: bool,
1226}
1227
1228impl Target {
1229 /// At least one of all / groups / pcs is set.
1230 pub fn is_specified(&self) -> bool {
1231 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
1232 }
1233
1234 /// Whether a PC (its `pc_id` + group membership) falls in this target:
1235 /// `all`, or the pc is listed, or it belongs to a listed group. Used
1236 /// by the agent to scope `client.visible_to` (#816). An unspecified
1237 /// target matches nobody (callers should treat "no target" as
1238 /// "visible to all" before calling this).
1239 pub fn matches(&self, pc_id: &str, groups: &[String]) -> bool {
1240 self.all
1241 || self.pcs.iter().any(|p| p == pc_id)
1242 || self.groups.iter().any(|g| groups.contains(g))
1243 }
1244}
1245
1246#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1247pub struct Execute {
1248 pub shell: ExecuteShell,
1249 /// Inline script body. Mutually exclusive with [`script_file`]
1250 /// and [`script_object`]; exactly one of the three must be set
1251 /// (enforced by [`Execute::validate_script_source`] at the
1252 /// write-side parse boundaries — `kanade job create` and
1253 /// `POST /api/jobs`).
1254 ///
1255 /// Empty string is treated as **unset** so operators can swap
1256 /// to a `script_file:` / `script_object:` alternative just by
1257 /// commenting out the body, without having to also drop the
1258 /// `script:` key entirely.
1259 ///
1260 /// [`script_file`]: Self::script_file
1261 /// [`script_object`]: Self::script_object
1262 #[serde(default, skip_serializing_if = "Option::is_none")]
1263 pub script: Option<String>,
1264 /// Repo-local file path resolved by the operator-side CLI at
1265 /// `kanade job create` time. The CLI reads the file, slots its
1266 /// contents into `script`, and clears this field before
1267 /// POSTing — so the backend / agents never see `script_file`
1268 /// in stored manifests. SPEC §2.4.1.
1269 ///
1270 /// Resolver lands in a follow-up PR
1271 /// (yukimemi/kanade#210); today this field passes parse-time
1272 /// validation but the operator-side CLI bails with "not yet
1273 /// implemented" until the resolver ships, so manifests that
1274 /// reach the backend with `script_file` set are treated as a
1275 /// schema-bug.
1276 #[serde(default, skip_serializing_if = "Option::is_none")]
1277 pub script_file: Option<String>,
1278 /// Object Store reference (`<name>/<version>`) into the
1279 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
1280 /// at Execute time via `/api/script-objects/{name}/{version}`
1281 /// and cache it locally. SPEC §2.4.1.
1282 ///
1283 /// Fully wired (#210/#211): the backend resolves the digest at
1284 /// exec submission (`api::exec::resolve_script_source`), the agent
1285 /// fetches + sha-verifies + caches the body (`script_cache`), and
1286 /// `kanade script` CRUDs the store. Unlike `script_file:` (inlined
1287 /// CLI-side, git-managed), this keeps the body in versioned,
1288 /// digest-pinned object storage — the ops-managed counterpart.
1289 #[serde(default, skip_serializing_if = "Option::is_none")]
1290 pub script_object: Option<String>,
1291 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
1292 /// — represents how long this script reasonably takes to run.
1293 pub timeout: String,
1294 /// Token + session combination the agent uses to launch the
1295 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
1296 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
1297 #[serde(default)]
1298 pub run_as: RunAs,
1299 /// Working directory for the spawned child (v0.21.1). When
1300 /// unset, the child inherits the agent's cwd — on Windows that
1301 /// means `%SystemRoot%\System32` for the prod service, which is
1302 /// almost never what operators actually want. Use an absolute
1303 /// path; relative paths are passed through to the OS verbatim.
1304 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
1305 /// you'd want `%USERPROFILE%` (but expansion happens in the
1306 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
1307 /// it via teravars before `kanade job create`).
1308 #[serde(default, skip_serializing_if = "Option::is_none")]
1309 pub cwd: Option<String>,
1310}
1311
1312impl Execute {
1313 /// Treat an empty `script:` body as "intentionally unset". Operators
1314 /// commenting out a block-scalar tend to leave the key behind, and
1315 /// failing the validator on `script: ""` would surprise them.
1316 fn has_inline_script(&self) -> bool {
1317 matches!(&self.script, Some(s) if !s.is_empty())
1318 }
1319
1320 /// Enforce that exactly one of `script` / `script_file` /
1321 /// `script_object` is set. Called at the write-side parse
1322 /// boundaries (CLI `kanade job create` + backend
1323 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
1324 /// reaches the JOBS KV. Read paths (projector, agent
1325 /// scheduler, list endpoints) skip this check — they only ever
1326 /// see what the write path already validated.
1327 pub fn validate_script_source(&self) -> Result<(), String> {
1328 let inline = self.has_inline_script();
1329 let file = self.script_file.is_some();
1330 let obj = self.script_object.is_some();
1331 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
1332 match set {
1333 1 => Ok(()),
1334 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
1335 _ => Err(format!(
1336 "execute: only one of `script` / `script_file` / `script_object` may be set \
1337 (got script={inline}, script_file={file}, script_object={obj})"
1338 )),
1339 }
1340 }
1341}
1342
1343/// Job-generic post-step hook (see [`Manifest::finalize`]). Runs after
1344/// the main `execute:` script (and the collect upload) on a clean exit,
1345/// with the step's structured result injected via an environment
1346/// variable. P1 supports an inline `script:` only — `script_file:` /
1347/// `script_object:` are follow-ups.
1348#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1349pub struct FinalizeSpec {
1350 pub shell: ExecuteShell,
1351 /// Inline script body (required; inline-only in P1).
1352 pub script: String,
1353 /// humantime duration string (e.g. `"60s"`, `"5m"`). Defaults to
1354 /// `60s` when unset.
1355 #[serde(default = "default_finalize_timeout")]
1356 pub timeout: String,
1357 /// Token + session combination, like [`Execute::run_as`]. Defaults
1358 /// to [`RunAs::System`].
1359 #[serde(default)]
1360 pub run_as: RunAs,
1361 /// Working directory for the hook child, like [`Execute::cwd`].
1362 #[serde(default, skip_serializing_if = "Option::is_none")]
1363 pub cwd: Option<String>,
1364}
1365
1366/// Default `finalize.timeout` when the operator omits it.
1367fn default_finalize_timeout() -> String {
1368 "60s".to_string()
1369}
1370
1371impl FinalizeSpec {
1372 /// Lower to the wire form forwarded onto a [`Command`]. The timeout
1373 /// parse falls back to 60s — [`Manifest::validate`] already rejects
1374 /// an unparseable value at create time, so the fire path uses a safe
1375 /// default rather than failing (mirrors
1376 /// [`CollectHint::max_size_bytes`]). A sub-second timeout floors at
1377 /// 1s for the same reason `build_command` does.
1378 pub fn lower(&self) -> FinalizeCommand {
1379 let timeout_secs = humantime::parse_duration(&self.timeout)
1380 .map(|d| d.as_secs().max(1))
1381 .unwrap_or(60);
1382 FinalizeCommand {
1383 shell: self.shell.into(),
1384 script: self.script.clone(),
1385 timeout_secs,
1386 run_as: self.run_as,
1387 cwd: self.cwd.clone(),
1388 }
1389 }
1390}
1391
1392impl Manifest {
1393 /// Cross-field semantic checks that don't fit into pure serde
1394 /// derive. Currently delegates to
1395 /// [`Execute::validate_script_source`] — see that method's
1396 /// docs for the rationale on which call sites should run this.
1397 pub fn validate(&self) -> Result<(), String> {
1398 self.execute.validate_script_source()?;
1399 // A present-but-empty finalize script is an invisible no-op
1400 // (the hook would run an empty body); reject it at the write
1401 // boundary. Inline-only in P1, so `script` is the sole source.
1402 if let Some(finalize) = &self.finalize {
1403 if finalize.script.trim().is_empty() {
1404 return Err("finalize.script must not be empty".to_string());
1405 }
1406 // Reject an unparseable timeout at the write boundary so the
1407 // operator sees the error at `job create` rather than getting
1408 // a silent fire-time fallback (`FinalizeSpec::lower` floors to
1409 // 60s, which would otherwise mask a typo).
1410 if humantime::parse_duration(&finalize.timeout).is_err() {
1411 return Err(format!(
1412 "finalize.timeout '{}' is not a valid duration",
1413 finalize.timeout
1414 ));
1415 }
1416 // Disallow cmd for finalize: the agent injects the result JSON
1417 // into the hook's environment, and cmd.exe quoting doesn't
1418 // nest — JSON's `"` plus shell metacharacters in a collected
1419 // path/key could break out into command injection at the
1420 // agent's (often LocalSystem) privilege. PowerShell's
1421 // single-quote escaping is safe, and finalize hooks are
1422 // PowerShell by convention anyway.
1423 if finalize.shell == ExecuteShell::Cmd {
1424 return Err(
1425 "finalize.shell: cmd is not supported for finalize hooks (shell-injection \
1426 risk when the result JSON is injected into the environment); use powershell"
1427 .to_string(),
1428 );
1429 }
1430 }
1431 // Stdout-format compatibility. `inventory:` and `check:` both
1432 // consume the SAME single JSON object — they COMPOSE: a check
1433 // can extract `status`/`detail` for the Health tab while the
1434 // projector explodes the rest into SPA sub-tables. `emit:` is
1435 // different — its stdout is NDJSON and the agent omits it from
1436 // the result entirely — so it can't be paired with either.
1437 if self.emit.is_some() && (self.inventory.is_some() || self.check.is_some()) {
1438 return Err(
1439 "`emit:` is incompatible with `inventory:` / `check:` — emit's stdout is NDJSON \
1440 timeline events (and omitted from the result), while inventory/check read a \
1441 single JSON object from stdout"
1442 .to_string(),
1443 );
1444 }
1445 // `collect:` consumes stdout for its OWN contract (a JSON object
1446 // carrying a `files` array), so unlike the inventory+check pair it
1447 // can't share stdout with another stdout-reading hint. It composes
1448 // only with `client:` (which doesn't touch stdout).
1449 if self.collect.is_some()
1450 && (self.inventory.is_some() || self.check.is_some() || self.emit.is_some())
1451 {
1452 return Err(
1453 "`collect:` is incompatible with `inventory:` / `check:` / `emit:` — collect \
1454 reads its own `files` JSON object from stdout. (It composes with `client:`.)"
1455 .to_string(),
1456 );
1457 }
1458 // A check's `name` is the Health-tab row id (React key); the
1459 // field names tell the agent where to read status/detail.
1460 // An empty value is an invisible runtime bug, and the serde
1461 // defaults don't guard an operator who writes `status_field:
1462 // ""` explicitly — reject all three here.
1463 if let Some(check) = &self.check {
1464 for (label, value) in [
1465 ("check.name", &check.name),
1466 ("check.status_field", &check.status_field),
1467 ("check.detail_field", &check.detail_field),
1468 ] {
1469 if value.trim().is_empty() {
1470 return Err(format!("{label} must not be empty"));
1471 }
1472 }
1473 // A present-but-blank `troubleshoot` is a broken
1474 // remediation job id (the "修復する" button would target
1475 // an empty manifest id) — reject it too.
1476 if let Some(troubleshoot) = &check.troubleshoot {
1477 if troubleshoot.trim().is_empty() {
1478 return Err("check.troubleshoot must not be empty when set".to_string());
1479 }
1480 }
1481 // A present-but-blank `label` would render an empty row
1482 // title on the Health tab / Compliance page — reject it so
1483 // the slug fallback only ever kicks in when label is absent.
1484 if let Some(label) = &check.label {
1485 if label.trim().is_empty() {
1486 return Err("check.label must not be empty when set".to_string());
1487 }
1488 }
1489 if let Some(alert) = &check.alert {
1490 // An alert that names no recipient is a silent no-op.
1491 if !alert.notify_user && alert.notify_groups.is_empty() {
1492 return Err("check.alert must set notify_user and/or notify_groups".to_string());
1493 }
1494 if alert.title.trim().is_empty() {
1495 return Err("check.alert.title must not be empty".to_string());
1496 }
1497 // `on: []` would never fire; an empty group name resolves to
1498 // a malformed `notifications.group.` subject.
1499 if alert.on.is_empty() {
1500 return Err("check.alert.on must list at least one status".to_string());
1501 }
1502 if alert.notify_groups.iter().any(|g| g.trim().is_empty()) {
1503 return Err("check.alert.notify_groups must not contain blanks".to_string());
1504 }
1505 // Email is addressed via group_contacts (group → email), so
1506 // there must be a group to map. notify_user has no email.
1507 if alert.email && alert.notify_groups.is_empty() {
1508 return Err(
1509 "check.alert.email requires notify_groups (email is addressed per group, not per user)"
1510 .to_string(),
1511 );
1512 }
1513 // The alert rides the `check_status` projection, which only
1514 // runs for `fleet: true`.
1515 if !check.fleet {
1516 return Err(
1517 "check.alert requires fleet: true (the alert rides the compliance projection)"
1518 .to_string(),
1519 );
1520 }
1521 }
1522 }
1523 // #291: a `client:` job is rendered in the Client App's
1524 // catalog (`jobs.list` → `jobs.execute`). serde already makes
1525 // `name` + `category` required at parse time; the only gap is
1526 // a present-but-blank `name`, which would render an empty row
1527 // title — reject it like the other display-id fields.
1528 if let Some(client) = &self.client {
1529 if client.name.trim().is_empty() {
1530 return Err("client.name must not be empty".to_string());
1531 }
1532 // #792: category is a free-form key now, so a blank one would
1533 // group the job under an empty tab — reject it like `name`.
1534 if client.category.trim().is_empty() {
1535 return Err("client.category must not be empty".to_string());
1536 }
1537 // Optional display fields, when present, must be
1538 // meaningful: a blank `description` renders an empty
1539 // subtitle and a blank `icon` is a dangling lucide name.
1540 // Same present-but-blank guard the `check:` block applies
1541 // to its optional `troubleshoot` id.
1542 for (label, value) in [
1543 ("client.description", &client.description),
1544 ("client.icon", &client.icon),
1545 ("client.category_label", &client.category_label),
1546 ("client.category_icon", &client.category_icon),
1547 ] {
1548 if let Some(v) = value {
1549 if v.trim().is_empty() {
1550 return Err(format!("{label} must not be empty when set"));
1551 }
1552 }
1553 }
1554 // #816: a present-but-empty `visible_to` (no all/groups/pcs)
1555 // would hide the job from everyone in the Client App — almost
1556 // certainly a mistake. Require at least one selector; omit the
1557 // whole block to mean "visible to all".
1558 if let Some(t) = &client.visible_to {
1559 if !t.is_specified() {
1560 return Err(
1561 "client.visible_to must set at least one of all / groups / pcs (omit it for all PCs)"
1562 .to_string(),
1563 );
1564 }
1565 }
1566 }
1567 // #219: a `collect:` job's `name` heads the bundle on the SPA
1568 // Collect page (and the Client App row when paired with
1569 // `client:`), `files_field` tells the agent where to read the
1570 // path list, and `max_size` must be a parseable size so a typo
1571 // is caught at create time rather than silently capping the
1572 // bundle at the default on the fire path.
1573 if let Some(collect) = &self.collect {
1574 if collect.name.trim().is_empty() {
1575 return Err("collect.name must not be empty".to_string());
1576 }
1577 if collect.files_field.trim().is_empty() {
1578 return Err("collect.files_field must not be empty".to_string());
1579 }
1580 if let Some(description) = &collect.description {
1581 if description.trim().is_empty() {
1582 return Err("collect.description must not be empty when set".to_string());
1583 }
1584 }
1585 if let Some(max_size) = &collect.max_size {
1586 parse_size_bytes(max_size).map_err(|e| format!("collect.max_size: {e}"))?;
1587 }
1588 }
1589 // #720/#743: `aggregate:` is a pure read-spec (it never touches
1590 // stdout and is never sent to an agent), so it composes with every
1591 // other hint. The per-widget rules are shared with the standalone
1592 // `view` resource — see [`validate_aggregate_widgets`].
1593 if let Some(widgets) = &self.aggregate {
1594 validate_aggregate_widgets(widgets, "aggregate")?;
1595 }
1596 // A blank / whitespace-only tag is an invisible operator typo
1597 // that would render an empty filter chip on the Jobs page —
1598 // reject it like the other present-but-blank display fields.
1599 for tag in &self.tags {
1600 if tag.trim().is_empty() {
1601 return Err("tags must not contain empty entries".to_string());
1602 }
1603 }
1604 Ok(())
1605 }
1606}
1607
1608#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1609#[serde(rename_all = "lowercase")]
1610pub enum ExecuteShell {
1611 Powershell,
1612 Cmd,
1613}
1614
1615impl From<ExecuteShell> for Shell {
1616 fn from(s: ExecuteShell) -> Self {
1617 match s {
1618 ExecuteShell::Powershell => Shell::Powershell,
1619 ExecuteShell::Cmd => Shell::Cmd,
1620 }
1621 }
1622}
1623
1624#[cfg(test)]
1625mod tests {
1626 use super::*;
1627
1628 #[test]
1629 fn inventory_payload_extracts_fenced_block() {
1630 // Readable message + fenced JSON → only the JSON, trimmed.
1631 let stdout = "Wi-Fi 設定を適用しました。\n\
1632 #KANADE-INVENTORY-BEGIN\n\
1633 {\"applied\": true}\n\
1634 #KANADE-INVENTORY-END\n";
1635 assert_eq!(inventory_payload(stdout), "{\"applied\": true}");
1636 }
1637
1638 #[test]
1639 fn inventory_payload_falls_back_to_whole_stdout() {
1640 // No fence (a plain inventory job) → whole stdout, trimmed.
1641 assert_eq!(
1642 inventory_payload(" {\"ram_gb\": 16}\n"),
1643 "{\"ram_gb\": 16}"
1644 );
1645 }
1646
1647 #[test]
1648 fn inventory_payload_handles_unterminated_fence() {
1649 // Closing marker missing (e.g. truncated) → everything after the
1650 // opener, trimmed.
1651 let stdout = "msg\n#KANADE-INVENTORY-BEGIN\n{\"a\": 1}";
1652 assert_eq!(inventory_payload(stdout), "{\"a\": 1}");
1653 }
1654
1655 #[test]
1656 fn inventory_payload_ignores_mid_line_sentinel() {
1657 // The marker echoed mid-line (not at a line start) must NOT be
1658 // treated as a fence — fall back to the whole stdout.
1659 let stdout = "see #KANADE-INVENTORY-BEGIN in the docs\nnot json";
1660 assert_eq!(inventory_payload(stdout), stdout.trim());
1661 }
1662
1663 /// The example check-job + schedule YAMLs shipped under `configs/`
1664 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
1665 /// pins them at compile time so a breaking edit fails `cargo test`
1666 /// rather than only `kanade job create` at deploy time.
1667 #[test]
1668 fn example_check_job_yamls_parse_and_validate() {
1669 let jobs = [
1670 (
1671 "check-bitlocker",
1672 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
1673 ),
1674 (
1675 "check-av-signature",
1676 include_str!("../../../configs/jobs/check-av-signature.yaml"),
1677 ),
1678 (
1679 "check-cert-expiry",
1680 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
1681 ),
1682 (
1683 "check-disk-space",
1684 include_str!("../../../configs/jobs/check-disk-space.yaml"),
1685 ),
1686 (
1687 "check-pending-reboot",
1688 include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
1689 ),
1690 (
1691 "check-defender-rtp",
1692 include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
1693 ),
1694 (
1695 "check-firewall",
1696 include_str!("../../../configs/jobs/check-firewall.yaml"),
1697 ),
1698 ];
1699 for (name, yaml) in jobs {
1700 let m: Manifest =
1701 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
1702 m.validate()
1703 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
1704 let check = m
1705 .check
1706 .as_ref()
1707 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
1708 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
1709 // These examples all read admin-only WMI / registry / netsh
1710 // state, so they run_as system. NOTE: that's a property of
1711 // these particular checks, NOT of the `check:` contract — a
1712 // check probing user-session state could run_as user.
1713 assert_eq!(
1714 m.execute.run_as,
1715 RunAs::System,
1716 "{name} should run_as system"
1717 );
1718 }
1719 }
1720
1721 /// The example user-invokable job YAMLs (#291) shipped under
1722 /// `configs/jobs/` must stay valid as the `client:` schema
1723 /// evolves. `include_str!` pins them at compile time so a breaking
1724 /// edit fails `cargo test`, not `kanade job create` at deploy.
1725 #[test]
1726 fn example_client_job_yamls_parse_and_validate() {
1727 let jobs = [
1728 (
1729 "fix-teams-cache",
1730 "troubleshoot",
1731 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
1732 ),
1733 (
1734 "chrome-update",
1735 "software_update",
1736 include_str!("../../../configs/jobs/chrome-update.yaml"),
1737 ),
1738 (
1739 "install-slack",
1740 "catalog",
1741 include_str!("../../../configs/jobs/install-slack.yaml"),
1742 ),
1743 (
1744 "fix-defender-rtp",
1745 "troubleshoot",
1746 include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
1747 ),
1748 // #792 custom category ("settings") + #809 message/inventory.
1749 (
1750 "example-power-plan",
1751 "settings",
1752 include_str!("../../../configs/jobs/example-power-plan.yaml"),
1753 ),
1754 // #792: diagnostics moved to its own "support" tab.
1755 (
1756 "collect-diagnostics",
1757 "support",
1758 include_str!("../../../configs/jobs/collect-diagnostics.yaml"),
1759 ),
1760 ];
1761 for (id, category, yaml) in jobs {
1762 let m: Manifest =
1763 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1764 m.validate()
1765 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1766 assert_eq!(m.id, id, "{id} id mismatch");
1767 let client = m
1768 .client
1769 .as_ref()
1770 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
1771 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
1772 assert_eq!(client.category, category, "{id} category");
1773 }
1774 }
1775
1776 /// #219: the shipped `collect:` example must stay valid as the
1777 /// schema evolves. `include_str!` pins it at compile time so a
1778 /// breaking edit (or a YAML typo in the PowerShell block) fails
1779 /// `cargo test` rather than `kanade job create` at deploy. It carries
1780 /// both `collect:` and `client:` (end-user-triggerable), which must
1781 /// compose.
1782 #[test]
1783 fn example_collect_job_yaml_parses_and_validates() {
1784 let yaml = include_str!("../../../configs/jobs/collect-diagnostics.yaml");
1785 let m: Manifest = serde_yaml::from_str(yaml).expect("collect-diagnostics parse");
1786 m.validate().expect("collect-diagnostics validate");
1787 assert_eq!(m.id, "collect-diagnostics");
1788 let collect = m.collect.as_ref().expect("collect: block present");
1789 assert!(!collect.name.trim().is_empty());
1790 assert_eq!(collect.files_field, "files");
1791 assert_eq!(collect.max_size_bytes(), 50_000_000);
1792 // collect + client compose — the Client App can trigger it.
1793 assert!(
1794 m.client.is_some(),
1795 "collect-diagnostics also carries client:"
1796 );
1797 }
1798
1799 /// The `emit: { type: events }` collector jobs under
1800 /// `configs/jobs/` feed the obs_events timeline. `include_str!`
1801 /// pins them at compile time so a breaking edit (e.g. an `emit:`
1802 /// paired with `check:`/`inventory:`, a bad watermark field, or a
1803 /// YAML typo in the PowerShell block) fails `cargo test` rather
1804 /// than `kanade job create` at deploy. Every one must carry an
1805 /// `emit.type=events` block and NO check/inventory (validate()
1806 /// rejects the pairing).
1807 #[test]
1808 fn example_event_collector_job_yamls_parse_and_validate() {
1809 let jobs = [
1810 (
1811 "collect-winlog-events",
1812 include_str!("../../../configs/jobs/collect-winlog-events.yaml"),
1813 ),
1814 (
1815 "collect-winlog-logons-all",
1816 include_str!("../../../configs/jobs/collect-winlog-logons-all.yaml"),
1817 ),
1818 (
1819 "collect-wlan-events",
1820 include_str!("../../../configs/jobs/collect-wlan-events.yaml"),
1821 ),
1822 ];
1823 for (id, yaml) in jobs {
1824 // Strict parse so an unknown-key typo in these fixtures fails
1825 // here (not silently at deploy) — the runtime Manifest is
1826 // unknown-key-tolerant, so the lenient serde_yaml::from_str
1827 // wouldn't catch fixture drift (CodeRabbit #689).
1828 let m: Manifest =
1829 crate::strict::from_yaml_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1830 m.validate()
1831 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1832 assert_eq!(m.id, id, "{id} id mismatch");
1833 let emit = m
1834 .emit
1835 .as_ref()
1836 .unwrap_or_else(|| panic!("{id} must carry an emit: block"));
1837 assert_eq!(emit.kind, EmitKind::Events, "{id} emit.type");
1838 assert!(
1839 m.check.is_none() && m.inventory.is_none(),
1840 "{id}: emit jobs must not pair with check/inventory"
1841 );
1842 }
1843 }
1844
1845 /// The `inventory:` snapshot jobs under `configs/jobs/` project
1846 /// facts into `inventory_facts` + exploded tables. `include_str!`
1847 /// pins them at compile time so a breaking edit (bad explode
1848 /// schema, a YAML typo in the PowerShell block, an `inventory:`
1849 /// accidentally paired with `emit:`) fails `cargo test` rather
1850 /// than the projector at deploy. Each must carry an `inventory:`
1851 /// block and NO emit (validate() rejects the pairing).
1852 #[test]
1853 fn example_inventory_job_yamls_parse_and_validate() {
1854 let jobs = [
1855 (
1856 "inventory-hw",
1857 include_str!("../../../configs/jobs/inventory-hw.yaml"),
1858 ),
1859 (
1860 "inventory-sw",
1861 include_str!("../../../configs/jobs/inventory-sw.yaml"),
1862 ),
1863 (
1864 "inventory-driver",
1865 include_str!("../../../configs/jobs/inventory-driver.yaml"),
1866 ),
1867 ];
1868 for (id, yaml) in jobs {
1869 let m: Manifest =
1870 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
1871 m.validate()
1872 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
1873 assert_eq!(m.id, id, "{id} id mismatch");
1874 assert!(m.inventory.is_some(), "{id} must carry an inventory: block");
1875 assert!(m.emit.is_none(), "{id}: inventory jobs must not set emit:");
1876 }
1877 }
1878
1879 #[test]
1880 fn example_check_schedule_yamls_parse_and_validate() {
1881 let schedules = [
1882 (
1883 "check-bitlocker",
1884 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
1885 ),
1886 (
1887 "check-av-signature",
1888 include_str!("../../../configs/schedules/check-av-signature.yaml"),
1889 ),
1890 (
1891 "check-cert-expiry",
1892 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
1893 ),
1894 (
1895 "check-disk-space",
1896 include_str!("../../../configs/schedules/check-disk-space.yaml"),
1897 ),
1898 (
1899 "check-pending-reboot",
1900 include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
1901 ),
1902 (
1903 "check-defender-rtp",
1904 include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
1905 ),
1906 (
1907 "check-firewall",
1908 include_str!("../../../configs/schedules/check-firewall.yaml"),
1909 ),
1910 ];
1911 for (name, yaml) in schedules {
1912 let s: Schedule =
1913 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1914 s.validate()
1915 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1916 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1917 }
1918 }
1919
1920 /// Inventory schedule wrappers (`per_pc` cadence) must stay valid
1921 /// alongside the schedule schema. `include_str!` pins them so a
1922 /// breaking edit fails `cargo test`, not `kanade schedule create`.
1923 #[test]
1924 fn example_inventory_schedule_yamls_parse_and_validate() {
1925 let schedules = [
1926 (
1927 "inventory-hw",
1928 include_str!("../../../configs/schedules/inventory-hw.yaml"),
1929 ),
1930 (
1931 "inventory-sw",
1932 include_str!("../../../configs/schedules/inventory-sw.yaml"),
1933 ),
1934 (
1935 "inventory-driver",
1936 include_str!("../../../configs/schedules/inventory-driver.yaml"),
1937 ),
1938 ];
1939 for (name, yaml) in schedules {
1940 let s: Schedule =
1941 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
1942 s.validate()
1943 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
1944 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
1945 }
1946 }
1947
1948 #[test]
1949 fn target_is_specified_requires_at_least_one_field() {
1950 let empty = Target::default();
1951 assert!(!empty.is_specified());
1952
1953 let with_all = Target {
1954 all: true,
1955 ..Target::default()
1956 };
1957 assert!(with_all.is_specified());
1958
1959 let with_groups = Target {
1960 groups: vec!["canary".into()],
1961 ..Target::default()
1962 };
1963 assert!(with_groups.is_specified());
1964
1965 let with_pcs = Target {
1966 pcs: vec!["pc-01".into()],
1967 ..Target::default()
1968 };
1969 assert!(with_pcs.is_specified());
1970 }
1971
1972 #[test]
1973 fn manifest_deserialises_minimal_yaml() {
1974 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
1975 // — those live on the schedule / exec request now.
1976 let yaml = r#"
1977id: echo-test
1978version: 0.0.1
1979execute:
1980 shell: powershell
1981 script: "echo 'kanade'"
1982 timeout: 30s
1983"#;
1984 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
1985 assert_eq!(m.id, "echo-test");
1986 assert_eq!(m.version, "0.0.1");
1987 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
1988 assert_eq!(
1989 m.execute.script.as_deref().map(str::trim),
1990 Some("echo 'kanade'")
1991 );
1992 assert!(m.execute.script_file.is_none());
1993 assert!(m.execute.script_object.is_none());
1994 assert_eq!(m.execute.timeout, "30s");
1995 assert!(!m.require_approval);
1996 m.validate()
1997 .expect("inline-script manifest passes validation");
1998 }
1999
2000 #[test]
2001 fn manifest_parses_check_job_and_validates() {
2002 // An operator-defined health check (#290): a `check:` hint +
2003 // a PowerShell script that prints {status, detail}.
2004 let yaml = r#"
2005id: check-bitlocker
2006version: 0.1.0
2007execute:
2008 shell: powershell
2009 run_as: system
2010 timeout: 15s
2011 script: |
2012 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
2013check:
2014 name: bitlocker
2015 troubleshoot: fix-bitlocker
2016"#;
2017 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2018 let check = m.check.as_ref().expect("check hint present");
2019 assert_eq!(check.name, "bitlocker");
2020 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
2021 // Field names default to the conventional "status" / "detail".
2022 assert_eq!(check.status_field, "status");
2023 assert_eq!(check.detail_field, "detail");
2024 assert!(m.inventory.is_none() && m.emit.is_none());
2025 m.validate().expect("check-only manifest passes validation");
2026 }
2027
2028 #[test]
2029 fn manifest_check_defaults_and_custom_fields() {
2030 // Minimal: only `name`; status/detail fields default.
2031 let m: Manifest = serde_yaml::from_str(
2032 r#"
2033id: check-disk
2034version: 0.1.0
2035execute:
2036 shell: powershell
2037 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
2038 timeout: 10s
2039check:
2040 name: disk_free
2041"#,
2042 )
2043 .expect("parse");
2044 let c = m.check.as_ref().unwrap();
2045 assert_eq!(c.name, "disk_free");
2046 assert_eq!(c.status_field, "status");
2047 assert_eq!(c.detail_field, "detail");
2048 assert!(c.troubleshoot.is_none());
2049 m.validate().expect("validates");
2050
2051 // The operator can point status/detail at any field of their
2052 // free-form inventory object.
2053 let m2: Manifest = serde_yaml::from_str(
2054 r#"
2055id: check-custom
2056version: 0.1.0
2057execute:
2058 shell: powershell
2059 script: "echo x"
2060 timeout: 10s
2061check:
2062 name: patch_level
2063 status_field: compliance
2064 detail_field: summary
2065"#,
2066 )
2067 .expect("parse");
2068 let c2 = m2.check.as_ref().unwrap();
2069 assert_eq!(c2.status_field, "compliance");
2070 assert_eq!(c2.detail_field, "summary");
2071 }
2072
2073 #[test]
2074 fn manifest_allows_check_composed_with_inventory() {
2075 // `check:` + `inventory:` COMPOSE on the same stdout object:
2076 // status/detail → Health tab, the rest → SPA projection +
2077 // explode sub-tables. Must pass validation.
2078 let yaml = r#"
2079id: check-bitlocker-detailed
2080version: 0.1.0
2081execute:
2082 shell: powershell
2083 script: "echo x"
2084 timeout: 10s
2085check:
2086 name: bitlocker
2087inventory:
2088 display:
2089 - { field: status, label: Status }
2090"#;
2091 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2092 assert!(m.check.is_some() && m.inventory.is_some());
2093 m.validate().expect("check + inventory compose");
2094 }
2095
2096 #[test]
2097 fn manifest_parses_collect_job_and_validates() {
2098 // #219: a `collect:` hint + a script that lists files on stdout.
2099 let yaml = r#"
2100id: collect-diagnostics
2101version: 0.1.0
2102execute:
2103 shell: powershell
2104 run_as: system
2105 timeout: 120s
2106 script: |
2107 @{ files = @("$env:KANADE_COLLECT_DIR/system.csv") } | ConvertTo-Json
2108collect:
2109 name: "Full diagnostics"
2110 description: "Event logs + process"
2111 max_size: 50MB
2112"#;
2113 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2114 let c = m.collect.as_ref().expect("collect hint present");
2115 assert_eq!(c.name, "Full diagnostics");
2116 assert_eq!(c.files_field, "files"); // default
2117 assert_eq!(c.max_size_bytes(), 50_000_000);
2118 m.validate().expect("collect-only manifest validates");
2119 }
2120
2121 #[test]
2122 fn manifest_finalize_powershell_validates_and_lowers() {
2123 let yaml = r#"
2124id: collect-fin
2125version: 0.1.0
2126execute:
2127 shell: powershell
2128 timeout: 120s
2129 script: |
2130 @{ files = @() } | ConvertTo-Json
2131collect:
2132 name: "diag"
2133 max_size: 50MB
2134finalize:
2135 shell: powershell
2136 timeout: 30s
2137 run_as: system
2138 script: |
2139 Write-Output "cleanup"
2140"#;
2141 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2142 m.validate().expect("powershell finalize validates");
2143 let lowered = m.finalize.as_ref().expect("finalize present").lower();
2144 assert_eq!(lowered.timeout_secs, 30);
2145 assert!(matches!(lowered.shell, Shell::Powershell));
2146 }
2147
2148 #[test]
2149 fn manifest_finalize_rejects_cmd_shell() {
2150 // cmd finalize is an injection risk (the agent injects JSON into
2151 // the hook's env; cmd.exe quoting doesn't nest) — validate must
2152 // reject it.
2153 let yaml = r#"
2154id: collect-fin-cmd
2155version: 0.1.0
2156execute:
2157 shell: powershell
2158 timeout: 120s
2159 script: |
2160 @{ files = @() } | ConvertTo-Json
2161finalize:
2162 shell: cmd
2163 script: |
2164 echo hi
2165"#;
2166 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2167 let err = m.validate().expect_err("cmd finalize rejected");
2168 assert!(err.contains("finalize.shell"), "got: {err}");
2169 }
2170
2171 #[test]
2172 fn manifest_finalize_rejects_empty_script() {
2173 let yaml = r#"
2174id: collect-fin-empty
2175version: 0.1.0
2176execute:
2177 shell: powershell
2178 timeout: 120s
2179 script: |
2180 @{ files = @() } | ConvertTo-Json
2181finalize:
2182 shell: powershell
2183 script: " "
2184"#;
2185 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2186 let err = m.validate().expect_err("empty finalize script rejected");
2187 assert!(err.contains("finalize.script"), "got: {err}");
2188 }
2189
2190 #[test]
2191 fn manifest_collect_max_size_defaults_when_unset() {
2192 let m: Manifest = serde_yaml::from_str(
2193 r#"
2194id: collect-min
2195version: 0.1.0
2196execute:
2197 shell: powershell
2198 script: "echo x"
2199 timeout: 10s
2200collect:
2201 name: minimal
2202"#,
2203 )
2204 .expect("parse");
2205 let c = m.collect.as_ref().unwrap();
2206 assert!(c.max_size.is_none());
2207 assert_eq!(c.max_size_bytes(), DEFAULT_COLLECT_MAX_SIZE);
2208 m.validate().expect("validates");
2209 }
2210
2211 #[test]
2212 fn manifest_allows_collect_with_client() {
2213 // collect composes with client (client doesn't touch stdout):
2214 // an end user can trigger a collection from the Client App.
2215 let yaml = r#"
2216id: collect-diag-client
2217version: 0.1.0
2218execute:
2219 shell: powershell
2220 script: "echo x"
2221 timeout: 10s
2222collect:
2223 name: diagnostics
2224client:
2225 name: "Send diagnostics"
2226 category: troubleshoot
2227"#;
2228 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2229 assert!(m.collect.is_some() && m.client.is_some());
2230 m.validate().expect("collect + client compose");
2231 }
2232
2233 #[test]
2234 fn manifest_rejects_collect_combined_with_inventory() {
2235 // collect consumes stdout for its own `files` contract → can't
2236 // share with inventory/check/emit.
2237 let yaml = r#"
2238id: bad-collect-mix
2239version: 0.1.0
2240execute:
2241 shell: powershell
2242 script: "echo x"
2243 timeout: 10s
2244collect:
2245 name: diag
2246inventory:
2247 display:
2248 - { field: status, label: Status }
2249"#;
2250 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2251 let err = m
2252 .validate()
2253 .expect_err("collect + inventory must be rejected");
2254 assert!(err.contains("collect"), "error mentions collect: {err}");
2255 }
2256
2257 #[test]
2258 fn manifest_rejects_collect_combined_with_check_or_emit() {
2259 // collect is exclusive with every stdout-consuming hint, not
2260 // just inventory — guard the check + emit branches too.
2261 for extra in ["check:\n name: health\n", "emit:\n type: events\n"] {
2262 let yaml = format!(
2263 "id: bad-collect-mix\nversion: 0.1.0\nexecute:\n shell: powershell\n \
2264 script: \"echo x\"\n timeout: 10s\ncollect:\n name: diag\n{extra}"
2265 );
2266 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
2267 let err = m
2268 .validate()
2269 .expect_err("collect + stdout-consuming hint must fail");
2270 assert!(err.contains("collect"), "error mentions collect: {err}");
2271 }
2272 }
2273
2274 #[test]
2275 fn manifest_rejects_collect_empty_name_and_bad_size() {
2276 let empty_name: Manifest = serde_yaml::from_str(
2277 r#"
2278id: c
2279version: 0.1.0
2280execute: { shell: powershell, script: "echo x", timeout: 10s }
2281collect: { name: " " }
2282"#,
2283 )
2284 .expect("parse");
2285 assert!(
2286 empty_name.validate().is_err(),
2287 "blank collect.name rejected"
2288 );
2289
2290 let bad_size: Manifest = serde_yaml::from_str(
2291 r#"
2292id: c
2293version: 0.1.0
2294execute: { shell: powershell, script: "echo x", timeout: 10s }
2295collect: { name: diag, max_size: "50 quux" }
2296"#,
2297 )
2298 .expect("parse");
2299 let err = bad_size.validate().expect_err("bad max_size rejected");
2300 assert!(err.contains("max_size"), "error mentions max_size: {err}");
2301 }
2302
2303 #[test]
2304 fn parse_size_bytes_units() {
2305 assert_eq!(parse_size_bytes("1024").unwrap(), 1024);
2306 assert_eq!(parse_size_bytes("1B").unwrap(), 1);
2307 assert_eq!(parse_size_bytes("50MB").unwrap(), 50_000_000);
2308 assert_eq!(parse_size_bytes("500 KB").unwrap(), 500_000);
2309 assert_eq!(parse_size_bytes("1GiB").unwrap(), 1024 * 1024 * 1024);
2310 assert_eq!(parse_size_bytes("2mib").unwrap(), 2 * 1024 * 1024);
2311 assert!(parse_size_bytes("").is_err());
2312 assert!(parse_size_bytes("MB").is_err());
2313 assert!(parse_size_bytes("12 zonks").is_err());
2314 }
2315
2316 #[test]
2317 fn manifest_rejects_check_combined_with_emit() {
2318 // `emit:` stdout is NDJSON (and omitted from the result), so
2319 // it can't pair with `check:` (which needs a single JSON
2320 // object on stdout).
2321 let yaml = r#"
2322id: bad-mix
2323version: 0.1.0
2324execute:
2325 shell: powershell
2326 script: "echo x"
2327 timeout: 10s
2328check:
2329 name: bitlocker
2330emit:
2331 type: events
2332"#;
2333 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2334 let err = m.validate().expect_err("emit + check must fail");
2335 assert!(err.contains("incompatible"), "err: {err}");
2336 }
2337
2338 #[test]
2339 fn manifest_rejects_emit_combined_with_inventory() {
2340 // The other half of the emit-incompatibility condition.
2341 let yaml = r#"
2342id: bad-mix-2
2343version: 0.1.0
2344execute:
2345 shell: powershell
2346 script: "echo x"
2347 timeout: 10s
2348emit:
2349 type: events
2350inventory:
2351 display:
2352 - { field: status, label: Status }
2353"#;
2354 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2355 let err = m.validate().expect_err("emit + inventory must fail");
2356 assert!(err.contains("incompatible"), "err: {err}");
2357 }
2358
2359 #[test]
2360 fn manifest_rejects_empty_check_field_names() {
2361 // Empty name / status_field / detail_field are invisible
2362 // runtime bugs (empty React key, agent reads the wrong field)
2363 // — reject them even though serde supplies non-empty defaults.
2364 let base = |inner: &str| {
2365 format!(
2366 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
2367 )
2368 };
2369 for inner in [
2370 " name: \"\"\n",
2371 " name: ok\n status_field: \"\"\n",
2372 " name: ok\n detail_field: \" \"\n",
2373 // present-but-blank troubleshoot → broken remediation id.
2374 " name: ok\n troubleshoot: \" \"\n",
2375 ] {
2376 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
2377 let err = m.validate().expect_err("empty field must fail");
2378 assert!(err.contains("must not be empty"), "err: {err}");
2379 }
2380 }
2381
2382 #[test]
2383 fn check_alert_decodes_with_defaults_and_validates() {
2384 let yaml = r#"
2385id: c
2386version: 0.1.0
2387execute:
2388 shell: powershell
2389 script: "echo x"
2390 timeout: 10s
2391check:
2392 name: bitlocker
2393 alert:
2394 notify_user: true
2395 title: "BitLocker 未準拠"
2396"#;
2397 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2398 m.validate().expect("valid alert");
2399 let alert = m.check.unwrap().alert.unwrap();
2400 // Defaults: on = [fail], priority = warn, body = None.
2401 assert_eq!(alert.on, vec![CheckAlertStatus::Fail]);
2402 assert_eq!(
2403 alert.priority,
2404 crate::ipc::notifications::NotificationPriority::Warn
2405 );
2406 assert!(alert.body.is_none());
2407 assert!(alert.notify_user);
2408 }
2409
2410 #[test]
2411 fn check_alert_validation_rejects_bad_configs() {
2412 let base = |alert: &str| {
2413 format!(
2414 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n name: bitlocker\n alert:\n{alert}"
2415 )
2416 };
2417 let cases = [
2418 // No recipient.
2419 (" title: t\n", "notify_user and/or notify_groups"),
2420 // Empty title.
2421 (
2422 " notify_user: true\n title: \" \"\n",
2423 "title must not be empty",
2424 ),
2425 // Empty `on`.
2426 (
2427 " notify_user: true\n title: t\n on: []\n",
2428 "on must list at least one status",
2429 ),
2430 // Blank group name.
2431 (
2432 " notify_groups: [\" \"]\n title: t\n",
2433 "notify_groups must not contain blanks",
2434 ),
2435 // alert requires fleet: true.
2436 (
2437 " notify_user: true\n title: t\n fleet: false\n",
2438 "requires fleet: true",
2439 ),
2440 // email opt-in without a group to address.
2441 (
2442 " notify_user: true\n email: true\n title: t\n",
2443 "email requires notify_groups",
2444 ),
2445 ];
2446 for (alert, want) in cases {
2447 let m: Manifest = serde_yaml::from_str(&base(alert)).expect("parse");
2448 let err = m.validate().expect_err("bad alert must fail");
2449 assert!(err.contains(want), "for {alert:?}: got {err}");
2450 }
2451 }
2452
2453 #[test]
2454 fn manifest_client_absent_by_default() {
2455 // A plain operator job (the overwhelming majority) carries no
2456 // `client:` block, so it never surfaces in the end-user
2457 // catalog.
2458 let yaml = r#"
2459id: echo-test
2460version: 0.0.1
2461execute:
2462 shell: powershell
2463 script: "echo 'kanade'"
2464 timeout: 30s
2465"#;
2466 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2467 assert!(m.client.is_none());
2468 m.validate().expect("operator-only job validates");
2469 }
2470
2471 #[test]
2472 fn manifest_client_parses_and_validates() {
2473 // The Client App "困ったとき" remediation job shape: a
2474 // user-invokable troubleshoot job with the end-user fields the
2475 // KLP `jobs.list` wire needs, grouped under `client:`.
2476 let yaml = r#"
2477id: fix-teams-cache
2478version: 1.0.0
2479execute:
2480 shell: powershell
2481 script: "echo clearing"
2482 timeout: 60s
2483client:
2484 name: "Teams のキャッシュをクリア"
2485 description: "Teams が重いときに試してください"
2486 category: troubleshoot
2487 icon: brush-cleaning
2488"#;
2489 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2490 let c = m.client.as_ref().expect("client block present");
2491 assert_eq!(c.name, "Teams のキャッシュをクリア");
2492 assert_eq!(
2493 c.description.as_deref(),
2494 Some("Teams が重いときに試してください")
2495 );
2496 assert_eq!(c.category, "troubleshoot");
2497 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
2498 m.validate().expect("user-invokable job validates");
2499 }
2500
2501 #[test]
2502 fn manifest_client_minimal_only_name_and_category() {
2503 // description + icon are optional; name + category are the
2504 // serde-required minimum.
2505 let yaml = r#"
2506id: install-slack
2507version: 1.0.0
2508execute:
2509 shell: powershell
2510 script: "echo install"
2511 timeout: 600s
2512client:
2513 name: Slack
2514 category: catalog
2515"#;
2516 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2517 let c = m.client.as_ref().expect("client present");
2518 assert_eq!(c.category, "catalog");
2519 assert!(c.description.is_none() && c.icon.is_none());
2520 m.validate().expect("minimal client validates");
2521 }
2522
2523 #[test]
2524 fn manifest_client_rejects_blank_name() {
2525 // serde guarantees `name`/`category` are present; the one gap
2526 // is a present-but-blank name → empty catalog row title.
2527 let yaml = r#"
2528id: j
2529version: 1.0.0
2530execute:
2531 shell: powershell
2532 script: "echo x"
2533 timeout: 30s
2534client:
2535 name: " "
2536 category: catalog
2537"#;
2538 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2539 let err = m.validate().expect_err("blank name must fail");
2540 assert!(err.contains("client.name"), "err: {err}");
2541 }
2542
2543 #[test]
2544 fn manifest_client_rejects_blank_optional_fields() {
2545 // description / icon are optional, but a present-but-blank
2546 // value is a bug (empty subtitle / dangling icon name) — reject
2547 // it, mirroring the check: block's troubleshoot guard.
2548 for (field, line) in [
2549 ("client.description", " description: \" \"\n"),
2550 ("client.icon", " icon: \"\"\n"),
2551 // #792: the new category tab-metadata fields get the same
2552 // present-but-blank guard.
2553 ("client.category_label", " category_label: \" \"\n"),
2554 ("client.category_icon", " category_icon: \"\"\n"),
2555 ] {
2556 let yaml = format!(
2557 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
2558 );
2559 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
2560 let err = m.validate().expect_err("blank optional field must fail");
2561 assert!(err.contains(field), "expected {field} in err: {err}");
2562 }
2563 }
2564
2565 #[test]
2566 fn manifest_client_rejects_blank_category() {
2567 // #792: category is a free-form key now; serde keeps it required,
2568 // but a present-but-blank value would group the job under an empty
2569 // tab — validate() must reject it.
2570 let yaml = r#"
2571id: j
2572version: 1.0.0
2573execute:
2574 shell: powershell
2575 script: "echo x"
2576 timeout: 30s
2577client:
2578 name: "A job"
2579 category: " "
2580"#;
2581 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2582 let err = m.validate().expect_err("blank category must fail");
2583 assert!(err.contains("client.category"), "err: {err}");
2584 }
2585
2586 #[test]
2587 fn target_matches_pc_group_and_all() {
2588 // #816: pc match, group match, all, and the no-match case.
2589 let by_pc = Target {
2590 pcs: vec!["PC1".into()],
2591 ..Default::default()
2592 };
2593 assert!(by_pc.matches("PC1", &[]));
2594 assert!(!by_pc.matches("PC2", &["g1".into()]));
2595
2596 let by_group = Target {
2597 groups: vec!["g1".into()],
2598 ..Default::default()
2599 };
2600 assert!(by_group.matches("PC2", &["g1".into()]));
2601 assert!(!by_group.matches("PC2", &["g2".into()]));
2602
2603 let all = Target {
2604 all: true,
2605 ..Default::default()
2606 };
2607 assert!(all.matches("anyPC", &[]));
2608 }
2609
2610 #[test]
2611 fn manifest_client_rejects_empty_visible_to() {
2612 // #816: a present-but-empty visible_to (no all/groups/pcs) would
2613 // hide the job from everyone — validate() must reject it.
2614 let yaml = r#"
2615id: j
2616version: 1.0.0
2617execute:
2618 shell: powershell
2619 script: "echo x"
2620 timeout: 30s
2621client:
2622 name: "A job"
2623 category: troubleshoot
2624 visible_to: {}
2625"#;
2626 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2627 let err = m.validate().expect_err("empty visible_to must fail");
2628 assert!(err.contains("client.visible_to"), "err: {err}");
2629 }
2630
2631 #[test]
2632 fn manifest_client_accepts_visible_to_groups() {
2633 let yaml = r#"
2634id: j
2635version: 1.0.0
2636execute:
2637 shell: powershell
2638 script: "echo x"
2639 timeout: 30s
2640client:
2641 name: "A job"
2642 category: settings
2643 visible_to:
2644 groups: [wifi-affected]
2645"#;
2646 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2647 m.validate().expect("visible_to with a group validates");
2648 let vt = m.client.unwrap().visible_to.unwrap();
2649 assert_eq!(vt.groups, vec!["wifi-affected".to_string()]);
2650 }
2651
2652 #[test]
2653 fn manifest_client_requires_category_at_parse() {
2654 // A `client:` block missing `category` is a hard parse error
2655 // (serde required field) — no manual validate() needed.
2656 let yaml = r#"
2657id: j
2658version: 1.0.0
2659execute:
2660 shell: powershell
2661 script: "echo x"
2662 timeout: 30s
2663client:
2664 name: "A job"
2665"#;
2666 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
2667 assert!(
2668 r.is_err(),
2669 "missing category must be a parse error, got {r:?}"
2670 );
2671 }
2672
2673 #[test]
2674 fn manifest_client_rejects_unknown_field() {
2675 // #492: the strict create boundary catches a fat-fingered
2676 // `displayname:` (with its path) instead of silently
2677 // dropping it; the tolerant read path accepts it.
2678 let yaml = r#"
2679id: j
2680version: 1.0.0
2681execute:
2682 shell: powershell
2683 script: "echo x"
2684 timeout: 30s
2685client:
2686 name: "A job"
2687 category: catalog
2688 displayname: oops
2689"#;
2690 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
2691 let err = r.expect_err("unknown client field must be rejected at the write boundary");
2692 // serde_ignored renders the Option layer as `?`:
2693 // `client.?.displayname`. Assert on the leaf key.
2694 assert!(err.contains("displayname"), "{err}");
2695 // The READ path tolerates the same payload (gradual-upgrade
2696 // contract: an old agent must accept a newer writer's field).
2697 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
2698 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
2699 }
2700
2701 #[test]
2702 fn manifest_tags_default_empty() {
2703 // The overwhelming majority of jobs carry no tags; the field
2704 // must default to an empty Vec (not fail to parse) and skip
2705 // serialisation so old readers never see the key.
2706 let yaml = r#"
2707id: echo-test
2708version: 0.0.1
2709execute:
2710 shell: powershell
2711 script: "echo 'kanade'"
2712 timeout: 30s
2713"#;
2714 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2715 assert!(m.tags.is_empty());
2716 m.validate().expect("tag-less job validates");
2717 // skip_serializing_if = empty ⇒ the key is absent from JSON.
2718 let json = serde_json::to_string(&m).expect("serialize");
2719 assert!(
2720 !json.contains("tags"),
2721 "empty tags must not serialise: {json}"
2722 );
2723 }
2724
2725 #[test]
2726 fn manifest_parses_and_validates_tags() {
2727 let yaml = r#"
2728id: check-bitlocker
2729version: 0.1.0
2730execute:
2731 shell: powershell
2732 script: "echo x"
2733 timeout: 30s
2734tags: [security, windows, health-check]
2735"#;
2736 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2737 assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
2738 m.validate().expect("tagged job validates");
2739 // Round-trips through JSON (the wire format the SPA reads).
2740 let json = serde_json::to_string(&m).expect("serialize");
2741 assert!(json.contains("\"tags\""), "non-empty tags must serialise");
2742 }
2743
2744 #[test]
2745 fn manifest_rejects_blank_tag() {
2746 // A whitespace-only tag renders an empty filter chip — reject
2747 // it at the write boundary like the other blank display fields.
2748 let yaml = r#"
2749id: j
2750version: 0.1.0
2751execute:
2752 shell: powershell
2753 script: "echo x"
2754 timeout: 30s
2755tags: [ok, " "]
2756"#;
2757 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2758 let err = m.validate().expect_err("blank tag must fail");
2759 assert!(err.contains("tags must not contain empty"), "err: {err}");
2760 }
2761
2762 // #720 — wrap an `aggregate:` YAML block (already indented as a
2763 // top-level key body) into an otherwise-minimal valid manifest.
2764 fn manifest_with_aggregate(aggregate_block: &str) -> Manifest {
2765 let yaml = format!(
2766 "id: t\nversion: 0.0.1\nexecute:\n shell: powershell\n script: echo hi\n timeout: 30s\n{aggregate_block}"
2767 );
2768 serde_yaml::from_str(&yaml).expect("parse aggregate manifest")
2769 }
2770
2771 #[test]
2772 fn aggregate_accepts_full_valid_spec() {
2773 // count+group_by+exclude+sample_minutes, ratio+bool_path,
2774 // timeline+time_bucket, fleet ranking via group_by: pc_id, and a
2775 // bare total stat — alongside emit (composes with every hint).
2776 let m = manifest_with_aggregate(
2777 "emit:\n type: events\naggregate:\n\
2778 - { dashboard: Utilization, title: Top apps, kind: app_sample, agg: count, group_by: foreground.app, sample_minutes: 2, exclude: [LockApp], render: bar }\n\
2779 - { dashboard: Utilization, title: Active ratio, kind: presence, agg: ratio, bool_path: active, sample_minutes: 5, render: gauge }\n\
2780 - { dashboard: Utilization, title: By hour, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: timeline }\n\
2781 - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
2782 - { dashboard: Reliability, title: Total crashes, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
2783 );
2784 m.validate().expect("valid aggregate spec");
2785 }
2786
2787 #[test]
2788 fn aggregate_rejects_empty_list() {
2789 let m = manifest_with_aggregate("aggregate: []\n");
2790 let err = m.validate().expect_err("empty list must fail");
2791 assert!(err.contains("at least one widget"), "err: {err}");
2792 }
2793
2794 #[test]
2795 fn aggregate_rejects_ratio_without_bool_path() {
2796 let m = manifest_with_aggregate(
2797 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
2798 );
2799 let err = m.validate().expect_err("ratio needs bool_path");
2800 assert!(err.contains("agg=ratio requires `bool_path`"), "err: {err}");
2801 }
2802
2803 #[test]
2804 fn aggregate_rejects_sum_without_value_path() {
2805 let m = manifest_with_aggregate(
2806 "aggregate:\n- { dashboard: D, title: T, kind: io, agg: sum, render: bar }\n",
2807 );
2808 let err = m.validate().expect_err("sum needs value_path");
2809 assert!(err.contains("agg=sum requires `value_path`"), "err: {err}");
2810 }
2811
2812 #[test]
2813 fn aggregate_rejects_pc_id_group_without_fleet() {
2814 let m = manifest_with_aggregate(
2815 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: count, group_by: pc_id, render: bar }\n",
2816 );
2817 let err = m.validate().expect_err("pc_id grouping needs fleet");
2818 assert!(
2819 err.contains("pc_id is only valid with scope: fleet"),
2820 "err: {err}"
2821 );
2822 }
2823
2824 #[test]
2825 fn aggregate_rejects_transform_with_pc_id_group() {
2826 let m = manifest_with_aggregate(
2827 "aggregate:\n- { dashboard: D, title: T, scope: fleet, kind: web_visit, agg: count, group_by: pc_id, transform: host, render: bar }\n",
2828 );
2829 let err = m
2830 .validate()
2831 .expect_err("transform on pc_id grouping must fail");
2832 assert!(
2833 err.contains("transform is not valid with group_by: pc_id"),
2834 "err: {err}"
2835 );
2836 }
2837
2838 #[test]
2839 fn aggregate_rejects_timeline_without_bucket() {
2840 let m = manifest_with_aggregate(
2841 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, render: timeline }\n",
2842 );
2843 let err = m.validate().expect_err("timeline needs a bucket");
2844 assert!(
2845 err.contains("render=timeline requires `time_bucket`"),
2846 "err: {err}"
2847 );
2848 }
2849
2850 #[test]
2851 fn aggregate_rejects_bucket_on_non_timeline() {
2852 let m = manifest_with_aggregate(
2853 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: gauge }\n",
2854 );
2855 let err = m.validate().expect_err("bucket only on timeline");
2856 assert!(
2857 err.contains("time_bucket is only valid with render: timeline"),
2858 "err: {err}"
2859 );
2860 }
2861
2862 #[test]
2863 fn aggregate_rejects_unsafe_json_path() {
2864 // A path with characters outside [A-Za-z0-9_.] could break out of
2865 // the `'$.' || ?` bind — reject at create time.
2866 let m = manifest_with_aggregate(
2867 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: \"foo'; DROP\", render: bar }\n",
2868 );
2869 let err = m.validate().expect_err("unsafe path must fail");
2870 assert!(err.contains("dotted JSON path"), "err: {err}");
2871 }
2872
2873 #[test]
2874 fn aggregate_rejects_blank_title() {
2875 let m = manifest_with_aggregate(
2876 "aggregate:\n- { dashboard: D, title: \" \", kind: k, agg: count, render: stat }\n",
2877 );
2878 let err = m.validate().expect_err("blank title must fail");
2879 assert!(err.contains("title must not be empty"), "err: {err}");
2880 }
2881
2882 #[test]
2883 fn aggregate_rejects_blank_kind() {
2884 let m = manifest_with_aggregate(
2885 "aggregate:\n- { dashboard: D, title: T, kind: \" \", agg: count, render: stat }\n",
2886 );
2887 let err = m.validate().expect_err("blank kind must fail");
2888 assert!(err.contains("kind must not be empty"), "err: {err}");
2889 }
2890
2891 #[test]
2892 fn aggregate_rejects_blank_source_when_set() {
2893 let m = manifest_with_aggregate(
2894 "aggregate:\n- { dashboard: D, title: T, kind: k, source: \"\", agg: count, render: stat }\n",
2895 );
2896 let err = m.validate().expect_err("blank source must fail");
2897 assert!(
2898 err.contains("source must not be empty when set"),
2899 "err: {err}"
2900 );
2901 }
2902
2903 #[test]
2904 fn aggregate_accepts_description_and_rejects_blank() {
2905 let ok = manifest_with_aggregate(
2906 "aggregate:\n- { dashboard: D, title: T, description: \"samples x 2 min\", kind: k, agg: count, render: stat }\n",
2907 );
2908 ok.validate()
2909 .expect("description is a valid optional field");
2910 assert_eq!(
2911 ok.aggregate.as_ref().unwrap()[0].description.as_deref(),
2912 Some("samples x 2 min")
2913 );
2914 let bad = manifest_with_aggregate(
2915 "aggregate:\n- { dashboard: D, title: T, description: \" \", kind: k, agg: count, render: stat }\n",
2916 );
2917 let err = bad.validate().expect_err("blank description must fail");
2918 assert!(
2919 err.contains("description must not be empty when set"),
2920 "err: {err}"
2921 );
2922 }
2923
2924 #[test]
2925 fn aggregate_rejects_count_with_value_path() {
2926 let m = manifest_with_aggregate(
2927 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, value_path: bytes, render: stat }\n",
2928 );
2929 let err = m.validate().expect_err("count must not use value_path");
2930 assert!(
2931 err.contains("agg=count does not use `value_path`"),
2932 "err: {err}"
2933 );
2934 }
2935
2936 #[test]
2937 fn aggregate_rejects_ratio_with_value_path() {
2938 let m = manifest_with_aggregate(
2939 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: ratio, bool_path: active, value_path: bytes, render: gauge }\n",
2940 );
2941 let err = m.validate().expect_err("ratio must not use value_path");
2942 assert!(
2943 err.contains("agg=ratio does not use `value_path`"),
2944 "err: {err}"
2945 );
2946 }
2947
2948 #[test]
2949 fn aggregate_rejects_gauge_without_ratio() {
2950 let m = manifest_with_aggregate(
2951 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, render: gauge }\n",
2952 );
2953 let err = m.validate().expect_err("gauge needs ratio");
2954 assert!(
2955 err.contains("render=gauge is only valid with agg: ratio"),
2956 "err: {err}"
2957 );
2958 }
2959
2960 #[test]
2961 fn aggregate_rejects_limit_without_group_by() {
2962 let m = manifest_with_aggregate(
2963 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, limit: 5, render: stat }\n",
2964 );
2965 let err = m.validate().expect_err("limit needs group_by");
2966 assert!(err.contains("limit requires `group_by`"), "err: {err}");
2967 }
2968
2969 #[test]
2970 fn aggregate_rejects_exclude_without_group_by() {
2971 let m = manifest_with_aggregate(
2972 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, exclude: [x], render: stat }\n",
2973 );
2974 let err = m.validate().expect_err("exclude needs group_by");
2975 assert!(err.contains("exclude requires `group_by`"), "err: {err}");
2976 }
2977
2978 #[test]
2979 fn aggregate_rejects_zero_limit_and_zero_sample_minutes() {
2980 let m = manifest_with_aggregate(
2981 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, limit: 0, render: bar }\n",
2982 );
2983 assert!(m.validate().unwrap_err().contains("limit must be > 0"));
2984 let m = manifest_with_aggregate(
2985 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, sample_minutes: 0, render: bar }\n",
2986 );
2987 assert!(
2988 m.validate()
2989 .unwrap_err()
2990 .contains("sample_minutes must be > 0")
2991 );
2992 }
2993
2994 #[test]
2995 fn aggregate_rejects_empty_exclude_entry() {
2996 let m = manifest_with_aggregate(
2997 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, exclude: [\" \"], render: bar }\n",
2998 );
2999 let err = m.validate().expect_err("blank exclude entry must fail");
3000 assert!(
3001 err.contains("exclude must not contain empty entries"),
3002 "err: {err}"
3003 );
3004 }
3005
3006 #[test]
3007 fn aggregate_rejects_malformed_dotted_paths() {
3008 for bad in [".foo", "foo.", "foo..bar", "."] {
3009 let m = manifest_with_aggregate(&format!(
3010 "aggregate:\n- {{ dashboard: D, title: T, kind: k, agg: count, group_by: \"{bad}\", render: bar }}\n"
3011 ));
3012 let err = m.validate().expect_err("malformed path must fail");
3013 assert!(err.contains("dotted JSON path"), "path {bad}: {err}");
3014 }
3015 }
3016
3017 #[test]
3018 fn aggregate_rejects_unknown_enum_value() {
3019 // An unrecognised render string deserialises to the #492 Unknown
3020 // catch-all (so old readers don't choke); validate() rejects it as
3021 // a typo at create time.
3022 let m = manifest_with_aggregate(
3023 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, render: heatmap }\n",
3024 );
3025 let err = m.validate().expect_err("unknown render must fail");
3026 assert!(err.contains("render is not a known value"), "err: {err}");
3027 }
3028
3029 #[test]
3030 fn aggregate_accepts_order_field() {
3031 let m = manifest_with_aggregate(
3032 "aggregate:\n- { dashboard: D, title: T, order: -5, kind: k, agg: count, render: stat }\n",
3033 );
3034 m.validate().expect("order is a valid optional field");
3035 let w = &m.aggregate.as_ref().unwrap()[0];
3036 assert_eq!(w.order, Some(-5));
3037 }
3038
3039 // ── #743 View resource ───────────────────────────────────────────
3040 fn view_from(yaml_body: &str) -> View {
3041 serde_yaml::from_str(&format!("id: v1\n{yaml_body}")).expect("parse view")
3042 }
3043
3044 #[test]
3045 fn view_accepts_valid_widgets() {
3046 let v = view_from(
3047 "widgets:\n\
3048 - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
3049 - { dashboard: Reliability, title: Total, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
3050 );
3051 v.validate().expect("valid view");
3052 }
3053
3054 #[test]
3055 fn view_rejects_empty_widgets() {
3056 let v = view_from("widgets: []\n");
3057 let err = v.validate().expect_err("empty widgets must fail");
3058 assert!(err.contains("at least one widget"), "err: {err}");
3059 }
3060
3061 #[test]
3062 fn view_rejects_blank_id() {
3063 let v: View = serde_yaml::from_str(
3064 "id: \" \"\nwidgets:\n- { dashboard: D, title: T, kind: k, agg: count, render: stat }\n",
3065 )
3066 .expect("parse");
3067 let err = v.validate().expect_err("blank id must fail");
3068 assert!(err.contains("view.id must"), "err: {err}");
3069 }
3070
3071 #[test]
3072 fn view_rejects_unsafe_id() {
3073 // A `/` or `..` in the id would break the KV key and the
3074 // `/api/views/{id}` URL segment — reject at create time.
3075 for bad in ["../etc", "a/b", "has space", "x;y"] {
3076 let v: View = serde_yaml::from_str(&format!(
3077 "id: \"{bad}\"\nwidgets:\n- {{ dashboard: D, title: T, kind: k, agg: count, render: stat }}\n",
3078 ))
3079 .expect("parse");
3080 let err = v.validate().expect_err("unsafe id must fail");
3081 assert!(err.contains("[A-Za-z0-9._-]"), "id {bad}: {err}");
3082 }
3083 assert!(is_valid_resource_id("dashboards-fleet.v1_2"));
3084 }
3085
3086 #[test]
3087 fn view_reuses_shared_widget_validation() {
3088 // The same per-widget rule the job hint enforces (ratio needs
3089 // bool_path), reported under the `widgets[..]` field.
3090 let v = view_from(
3091 "widgets:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
3092 );
3093 let err = v.validate().expect_err("ratio without bool_path must fail");
3094 assert!(
3095 err.contains("widgets[0].agg=ratio requires `bool_path`"),
3096 "err: {err}"
3097 );
3098 }
3099
3100 fn execute_with(
3101 script: Option<&str>,
3102 script_file: Option<&str>,
3103 script_object: Option<&str>,
3104 ) -> Execute {
3105 Execute {
3106 shell: ExecuteShell::Powershell,
3107 script: script.map(str::to_owned),
3108 script_file: script_file.map(str::to_owned),
3109 script_object: script_object.map(str::to_owned),
3110 timeout: "30s".into(),
3111 run_as: RunAs::default(),
3112 cwd: None,
3113 }
3114 }
3115
3116 #[test]
3117 fn validate_accepts_inline_script() {
3118 let e = execute_with(Some("echo hi"), None, None);
3119 assert!(e.validate_script_source().is_ok());
3120 }
3121
3122 #[test]
3123 fn validate_accepts_script_file_alone() {
3124 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
3125 assert!(e.validate_script_source().is_ok());
3126 }
3127
3128 #[test]
3129 fn validate_accepts_script_object_alone() {
3130 let e = execute_with(None, None, Some("cleanup/1.0.0"));
3131 assert!(e.validate_script_source().is_ok());
3132 }
3133
3134 #[test]
3135 fn validate_treats_empty_inline_script_as_unset() {
3136 // `script: ""` + `script_object` set is the natural shape
3137 // when an operator comments out the YAML block-scalar body
3138 // but leaves the key. Should pass.
3139 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
3140 assert!(e.validate_script_source().is_ok());
3141 }
3142
3143 #[test]
3144 fn validate_rejects_zero_sources() {
3145 let e = execute_with(None, None, None);
3146 let err = e.validate_script_source().unwrap_err();
3147 assert!(err.contains("must be set"), "got: {err}");
3148 }
3149
3150 #[test]
3151 fn validate_rejects_empty_inline_only() {
3152 let e = execute_with(Some(""), None, None);
3153 let err = e.validate_script_source().unwrap_err();
3154 assert!(err.contains("must be set"), "got: {err}");
3155 }
3156
3157 #[test]
3158 fn validate_rejects_inline_plus_file() {
3159 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
3160 let err = e.validate_script_source().unwrap_err();
3161 assert!(err.contains("only one of"), "got: {err}");
3162 }
3163
3164 #[test]
3165 fn validate_rejects_inline_plus_object() {
3166 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
3167 let err = e.validate_script_source().unwrap_err();
3168 assert!(err.contains("only one of"), "got: {err}");
3169 }
3170
3171 #[test]
3172 fn validate_rejects_file_plus_object() {
3173 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
3174 let err = e.validate_script_source().unwrap_err();
3175 assert!(err.contains("only one of"), "got: {err}");
3176 }
3177
3178 #[test]
3179 fn validate_rejects_all_three() {
3180 let e = execute_with(
3181 Some("echo hi"),
3182 Some("scripts/cleanup.ps1"),
3183 Some("cleanup/1.0.0"),
3184 );
3185 let err = e.validate_script_source().unwrap_err();
3186 assert!(err.contains("only one of"), "got: {err}");
3187 }
3188
3189 #[test]
3190 fn manifest_deserialises_script_object_yaml() {
3191 // SPEC §2.4.1 example shape with the Object Store
3192 // reference picked over inline.
3193 let yaml = r#"
3194id: cleanup-disk-temp
3195version: 1.0.1
3196execute:
3197 shell: powershell
3198 script_object: cleanup-disk-temp/1.0.1
3199 timeout: 600s
3200"#;
3201 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3202 assert_eq!(
3203 m.execute.script_object.as_deref(),
3204 Some("cleanup-disk-temp/1.0.1")
3205 );
3206 assert!(m.execute.script.is_none());
3207 m.validate()
3208 .expect("script_object-only manifest passes validation");
3209 }
3210
3211 #[test]
3212 fn manifest_rejects_typo_in_script_field_name() {
3213 // #492: the strict create boundary catches `script_objectt`
3214 // and similar fat-fingers (with the full path) instead of
3215 // letting them silently fall through to "all three unset".
3216 let yaml = r#"
3217id: typo
3218version: 1.0.0
3219execute:
3220 shell: powershell
3221 script_objectt: oops
3222 timeout: 30s
3223"#;
3224 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
3225 .expect_err("typo'd execute field must be rejected at the write boundary");
3226 assert!(err.contains("execute.script_objectt"), "{err}");
3227 }
3228
3229 #[test]
3230 fn schedule_carries_target_and_rollout() {
3231 let yaml = r#"
3232id: hourly-cleanup-canary
3233when:
3234 per_pc: { every: 1h }
3235job_id: cleanup
3236enabled: true
3237target:
3238 groups: [canary, wave1]
3239jitter: 30s
3240rollout:
3241 strategy: wave
3242 waves:
3243 - { group: canary, delay: 0s }
3244 - { group: wave1, delay: 5s }
3245"#;
3246 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3247 assert_eq!(s.id, "hourly-cleanup-canary");
3248 assert_eq!(s.job_id, "cleanup");
3249 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
3250 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
3251 let rollout = s.plan.rollout.expect("rollout present");
3252 assert_eq!(rollout.waves.len(), 2);
3253 assert_eq!(rollout.waves[0].group, "canary");
3254 assert_eq!(rollout.waves[1].delay, "5s");
3255 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
3256 }
3257
3258 #[test]
3259 fn schedule_minimal_target_all() {
3260 let yaml = r#"
3261id: kitting
3262when:
3263 per_pc: once
3264enabled: true
3265job_id: scheduled-echo
3266target: { all: true }
3267"#;
3268 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3269 assert_eq!(s.id, "kitting");
3270 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
3271 assert!(s.enabled);
3272 assert_eq!(s.job_id, "scheduled-echo");
3273 assert!(s.plan.target.all);
3274 assert!(s.plan.rollout.is_none());
3275 assert!(s.plan.jitter.is_none());
3276 assert!(s.active.is_empty());
3277 }
3278
3279 #[test]
3280 fn schedule_enabled_defaults_to_true() {
3281 let yaml = r#"
3282id: x
3283when:
3284 per_pc: once
3285job_id: y
3286target: { all: true }
3287"#;
3288 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3289 assert!(s.enabled);
3290 }
3291
3292 #[test]
3293 fn schedule_tags_default_empty_and_skip_serialise() {
3294 let yaml = r#"
3295id: x
3296when:
3297 per_pc: once
3298job_id: y
3299target: { all: true }
3300"#;
3301 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3302 assert!(s.tags.is_empty());
3303 s.validate().expect("tag-less schedule validates");
3304 let json = serde_json::to_string(&s).expect("serialize");
3305 assert!(
3306 !json.contains("tags"),
3307 "empty tags must not serialise: {json}"
3308 );
3309 }
3310
3311 #[test]
3312 fn schedule_parses_and_validates_tags() {
3313 let yaml = r#"
3314id: weekly-cleanup
3315when:
3316 per_pc: { every: 1h }
3317job_id: cleanup
3318target: { all: true }
3319tags: [weekly, maintenance]
3320"#;
3321 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3322 assert_eq!(s.tags, vec!["weekly", "maintenance"]);
3323 s.validate().expect("tagged schedule validates");
3324 }
3325
3326 #[test]
3327 fn schedule_rejects_blank_tag() {
3328 let yaml = r#"
3329id: x
3330when:
3331 per_pc: once
3332job_id: y
3333target: { all: true }
3334tags: [ok, " "]
3335"#;
3336 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3337 let err = s.validate().expect_err("blank tag must fail");
3338 assert!(err.contains("tags must not contain empty"), "err: {err}");
3339 }
3340
3341 // ---- `when` parsing (#418 Phase 1) ----
3342
3343 fn schedule_yaml_with(when_block: &str) -> String {
3344 format!(
3345 r#"
3346id: x
3347when:
3348{when_block}
3349job_id: y
3350target: {{ all: true }}
3351"#
3352 )
3353 }
3354
3355 #[test]
3356 fn when_per_pc_every_parses_unquoted_humantime() {
3357 // `6h` is digit-led but non-numeric → YAML string, same as
3358 // the old `cooldown: 6h` convention. No quotes needed.
3359 let s: Schedule =
3360 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
3361 assert_eq!(
3362 s.when,
3363 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
3364 );
3365 }
3366
3367 #[test]
3368 fn when_per_target_every_parses() {
3369 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
3370 .expect("parse");
3371 assert_eq!(
3372 s.when,
3373 When::PerTarget(PerPolicy::Every(EverySpec {
3374 every: "24h".into()
3375 }))
3376 );
3377 }
3378
3379 #[test]
3380 fn when_per_target_once_parses() {
3381 // Falls out of the shared PerPolicy shape and decide_fire
3382 // already implements it ("any one pc succeeds → skip the
3383 // target forever"), so it is allowed, not rejected.
3384 let s: Schedule =
3385 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
3386 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
3387 }
3388
3389 #[test]
3390 fn when_calendar_time_parses() {
3391 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
3392 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
3393 ))
3394 .expect("parse");
3395 match &s.when {
3396 When::Calendar(c) => {
3397 assert_eq!(c.at, "09:00");
3398 assert_eq!(c.days, vec!["mon-fri"]);
3399 }
3400 other => panic!("expected calendar, got {other:?}"),
3401 }
3402 }
3403
3404 #[test]
3405 fn when_calendar_days_default_empty() {
3406 let s: Schedule =
3407 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
3408 .expect("parse");
3409 match &s.when {
3410 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
3411 other => panic!("expected calendar, got {other:?}"),
3412 }
3413 }
3414
3415 #[test]
3416 fn when_calendar_datetime_parses_all_separators() {
3417 // one-shot: date+time in hyphen / ISO-T / slash forms
3418 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
3419 let block = format!(" calendar:\n at: \"{at}\"");
3420 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
3421 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
3422 match &s.when {
3423 When::Calendar(c) => {
3424 use chrono::Datelike;
3425 let p = c.parse_at().expect("parse_at");
3426 let d = p.date.expect("datetime at carries a date");
3427 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
3428 }
3429 other => panic!("expected calendar, got {other:?}"),
3430 }
3431 }
3432 }
3433
3434 #[test]
3435 fn when_rejects_bad_once_keyword() {
3436 // `onec` must be a parse error, not a silently-absorbed
3437 // string (OnceLiteral is a single-variant enum for exactly
3438 // this reason).
3439 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
3440 assert!(r.is_err(), "expected parse error, got {r:?}");
3441 }
3442
3443 #[test]
3444 fn when_rejects_unknown_key_in_every() {
3445 // `{ evry: 6h }` still fails on the tolerant read path: the
3446 // required `every` key is missing, so no PerPolicy variant
3447 // matches (#492 removed deny_unknown_fields, but required
3448 // keys keep the untagged disambiguation honest).
3449 let r: Result<Schedule, _> =
3450 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
3451 assert!(r.is_err(), "expected parse error, got {r:?}");
3452 }
3453
3454 #[test]
3455 fn when_rejects_unknown_variant() {
3456 let r: Result<Schedule, _> =
3457 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
3458 assert!(r.is_err(), "expected parse error, got {r:?}");
3459 }
3460
3461 #[test]
3462 fn when_rejects_old_top_level_cron_field() {
3463 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
3464 // loudly (missing `when`), which is what turns stale KV
3465 // blobs into warn-skips after the upgrade.
3466 let yaml = r#"
3467id: x
3468cron: "* * * * * *"
3469job_id: y
3470target: { all: true }
3471"#;
3472 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
3473 assert!(r.is_err(), "expected parse error, got {r:?}");
3474 }
3475
3476 #[test]
3477 fn when_rejects_retired_cron_escape_hatch() {
3478 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
3479 // is now an unknown variant → parse error (operators use the
3480 // calendar form instead).
3481 let r: Result<Schedule, _> =
3482 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
3483 assert!(
3484 r.is_err(),
3485 "expected parse error for retired cron, got {r:?}"
3486 );
3487 }
3488
3489 #[test]
3490 fn when_round_trips_json_and_yaml() {
3491 // Round-trip through the full Schedule: that is the wire
3492 // unit for both stores (JSON catalog KV + YAML mirror), and
3493 // it exercises the singleton_map field attribute that keeps
3494 // serde_yaml on the map shape instead of `!per_pc` tags.
3495 for when in [
3496 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3497 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3498 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3499 When::PerTarget(PerPolicy::Every(EverySpec {
3500 every: "24h".into(),
3501 })),
3502 calendar("09:00", &["mon-fri"]),
3503 calendar("2026-06-10 09:00", &[]),
3504 When::On(vec![OnTrigger::Startup]),
3505 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
3506 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
3507 When::On(vec![OnTrigger::NetworkChange]),
3508 ] {
3509 // Event triggers are agent-only; the rest validate on backend.
3510 let runs_on = if matches!(when, When::On(_)) {
3511 RunsOn::Agent
3512 } else {
3513 RunsOn::Backend
3514 };
3515 let s = schedule_with(when.clone(), runs_on);
3516
3517 let json = serde_json::to_string(&s).expect("json serialise");
3518 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
3519 assert_eq!(back.when, when, "json round-trip for {when}");
3520
3521 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
3522 assert!(
3523 !yaml.contains('!'),
3524 "yaml must use the map shape, not tags: {yaml}"
3525 );
3526 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
3527 assert_eq!(back.when, when, "yaml round-trip for {when}");
3528 }
3529 }
3530
3531 #[test]
3532 fn when_once_serialises_as_bare_keyword() {
3533 // The wire shape operators see in the YAML mirror must stay
3534 // the ergonomic `per_pc: once`, not a one-variant map.
3535 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
3536 .expect("serialise");
3537 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
3538 }
3539
3540 #[test]
3541 fn when_displays_operator_summary() {
3542 for (when, expected) in [
3543 (
3544 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3545 "per_pc once",
3546 ),
3547 (
3548 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3549 "per_pc every 6h",
3550 ),
3551 (
3552 When::PerTarget(PerPolicy::Every(EverySpec {
3553 every: "24h".into(),
3554 })),
3555 "per_target every 24h",
3556 ),
3557 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
3558 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
3559 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
3560 (
3561 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
3562 "on [startup,logon]",
3563 ),
3564 (
3565 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
3566 "on [lock,unlock]",
3567 ),
3568 (
3569 When::On(vec![OnTrigger::NetworkChange]),
3570 "on [network_change]",
3571 ),
3572 ] {
3573 assert_eq!(when.to_string(), expected);
3574 }
3575 }
3576
3577 // ---- lowering (#418: when → engine vocabulary) ----
3578
3579 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
3580 Schedule {
3581 id: "x".into(),
3582 when,
3583 job_id: "y".into(),
3584 plan: FanoutPlan::default(),
3585 active: Active::default(),
3586 constraints: Constraints::default(),
3587 on_failure: OnFailure::default(),
3588 tz: ScheduleTz::default(),
3589 starting_deadline: None,
3590 runs_on,
3591 enabled: true,
3592 tags: Vec::new(),
3593 origin: None,
3594 }
3595 }
3596
3597 fn calendar(at: &str, days: &[&str]) -> When {
3598 When::Calendar(CalendarSpec {
3599 at: at.into(),
3600 days: days.iter().map(|d| (*d).to_string()).collect(),
3601 })
3602 }
3603
3604 #[test]
3605 fn next_calendar_fire_returns_next_utc_occurrence() {
3606 use chrono::TimeZone;
3607 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
3608 // next strict occurrence is 09:00 that day.
3609 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3610 s.tz = ScheduleTz::Utc;
3611 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
3612 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
3613 assert_eq!(
3614 next,
3615 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
3616 );
3617 }
3618
3619 #[test]
3620 fn next_calendar_fire_is_strictly_after_now() {
3621 use chrono::TimeZone;
3622 // Standing exactly on a fire instant must preview the *next*
3623 // one (inclusive = false), not the one firing right now.
3624 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3625 s.tz = ScheduleTz::Utc;
3626 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
3627 let next = s
3628 .next_calendar_fire(on_fire)
3629 .expect("calendar has a next fire");
3630 assert_eq!(
3631 next,
3632 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
3633 );
3634 }
3635
3636 #[test]
3637 fn next_calendar_fire_none_for_reconcile_shapes() {
3638 // `per_pc` / `per_target` lower to the every-minute poll cron —
3639 // no discrete upcoming event to preview, so `None`.
3640 let now = chrono::Utc::now();
3641 for when in [
3642 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3643 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3644 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3645 When::PerTarget(PerPolicy::Every(EverySpec {
3646 every: "24h".into(),
3647 })),
3648 ] {
3649 let s = schedule_with(when, RunsOn::Backend);
3650 assert!(
3651 s.next_calendar_fire(now).is_none(),
3652 "reconcile shapes have no calendar fire",
3653 );
3654 }
3655 }
3656
3657 // ---- preview_fires (#418 dry-run / preview) ----
3658
3659 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
3660 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
3661 s.tz = ScheduleTz::Utc; // host-independent assertions
3662 s
3663 }
3664
3665 #[test]
3666 fn preview_lists_next_calendar_occurrences() {
3667 use chrono::TimeZone;
3668 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
3669 // fires skip the weekend (Sat 13 / Sun 14).
3670 let s = cal_utc("09:00", &["mon-fri"]);
3671 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3672 let got = s.preview_fires(now, 5);
3673 let want: Vec<_> = [
3674 (2026, 6, 10), // Wed
3675 (2026, 6, 11), // Thu
3676 (2026, 6, 12), // Fri
3677 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
3678 (2026, 6, 16), // Tue
3679 ]
3680 .iter()
3681 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
3682 .collect();
3683 assert_eq!(got, want);
3684 }
3685
3686 #[test]
3687 fn preview_handles_nth_and_last_weekday() {
3688 use chrono::TimeZone;
3689 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
3690 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
3691 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
3692 assert_eq!(
3693 nth,
3694 vec![
3695 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
3696 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
3697 ]
3698 );
3699 // Last Friday of the month: Jun 26, Jul 31 2026.
3700 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
3701 assert_eq!(
3702 last,
3703 vec![
3704 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
3705 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
3706 ]
3707 );
3708 }
3709
3710 #[test]
3711 fn preview_is_empty_for_reconcile_and_zero_count() {
3712 let now = chrono::Utc::now();
3713 // reconcile shapes have no discrete fire times
3714 let recon = schedule_with(
3715 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3716 RunsOn::Backend,
3717 );
3718 assert!(recon.preview_fires(now, 5).is_empty());
3719 // count == 0 yields nothing even for a calendar
3720 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
3721 }
3722
3723 #[test]
3724 fn preview_skips_outside_active_window() {
3725 use chrono::TimeZone;
3726 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
3727 // before `from` are skipped; `until` is exclusive, so 06-17's
3728 // fire is out — leaving exactly the 15th and 16th.
3729 let mut s = cal_utc("09:00", &[]);
3730 s.active = Active {
3731 from: Some("2026-06-15".into()),
3732 until: Some("2026-06-17".into()),
3733 };
3734 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3735 let got = s.preview_fires(now, 5);
3736 assert_eq!(
3737 got,
3738 vec![
3739 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
3740 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
3741 ]
3742 );
3743 }
3744
3745 #[test]
3746 fn preview_empty_when_calendar_time_outside_window() {
3747 use chrono::TimeZone;
3748 // Fires at 09:00 but the maintenance window is overnight — it can
3749 // never run, so the preview is empty (matches
3750 // `calendar_outside_window`), and the scan still terminates.
3751 let mut s = cal_utc("09:00", &[]);
3752 s.constraints = Constraints {
3753 window: Some("22:00-05:00".into()),
3754 ..Constraints::default()
3755 };
3756 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
3757 assert!(s.preview_fires(now, 5).is_empty());
3758 // Every candidate tick is rejected, so this also exercises the
3759 // SCAN_CAP bound: a large `count` must still terminate (and
3760 // return empty) rather than spin (claude #578 review).
3761 assert!(s.preview_fires(now, 50).is_empty());
3762 }
3763
3764 #[test]
3765 fn preview_past_one_shot_is_empty() {
3766 use chrono::TimeZone;
3767 // A dated one-shot whose instant has passed never fires again.
3768 let s = cal_utc("2026-06-10 09:00", &[]);
3769 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
3770 assert!(s.preview_fires(now, 5).is_empty());
3771 // …but from before it, the single future fire shows up.
3772 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
3773 assert_eq!(
3774 s.preview_fires(before, 5),
3775 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
3776 );
3777 }
3778
3779 #[test]
3780 fn lowering_matches_the_418_table() {
3781 let cases = [
3782 (
3783 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3784 (POLL_CRON, ExecMode::OncePerPc, None),
3785 ),
3786 (
3787 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3788 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
3789 ),
3790 (
3791 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3792 (POLL_CRON, ExecMode::OncePerTarget, None),
3793 ),
3794 (
3795 When::PerTarget(PerPolicy::Every(EverySpec {
3796 every: "24h".into(),
3797 })),
3798 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
3799 ),
3800 // calendar repeating → 6-field cron
3801 (
3802 calendar("09:00", &["mon-fri"]),
3803 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
3804 ),
3805 // calendar daily (no days) → DOW *
3806 (
3807 calendar("18:30", &[]),
3808 ("0 30 18 * * *", ExecMode::EveryTick, None),
3809 ),
3810 // calendar one-shot → 7-field year cron
3811 (
3812 calendar("2026-06-10 09:00", &[]),
3813 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
3814 ),
3815 ];
3816 for (when, (cron, mode, cooldown)) in cases {
3817 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
3818 assert_eq!(l.cron, cron, "cron for {when}");
3819 assert_eq!(l.mode, mode, "mode for {when}");
3820 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
3821 }
3822 }
3823
3824 #[test]
3825 fn lowered_carries_schedule_tz() {
3826 for (tz, want) in [
3827 (ScheduleTz::Local, ScheduleTz::Local),
3828 (ScheduleTz::Utc, ScheduleTz::Utc),
3829 ] {
3830 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
3831 s.tz = tz;
3832 assert_eq!(s.lowered().tz, want, "calendar carries tz");
3833 // reconcile shapes carry tz too (for the active-window check)
3834 let mut s = schedule_with(
3835 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3836 RunsOn::Backend,
3837 );
3838 s.tz = tz;
3839 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
3840 }
3841 }
3842
3843 #[test]
3844 fn poll_cron_is_accepted_by_the_engine_parser() {
3845 // POLL_CRON is system-generated — if the engine's parser
3846 // ever rejected it every reconcile schedule would die at
3847 // register time. Validate it with the same croner config
3848 // (Seconds::Required, dom_and_dow, year optional).
3849 croner::parser::CronParser::builder()
3850 .seconds(croner::parser::Seconds::Required)
3851 .dom_and_dow(true)
3852 .build()
3853 .parse(POLL_CRON)
3854 .expect("POLL_CRON must parse");
3855 }
3856
3857 // ---- Schedule::validate() (#418 decision F) ----
3858
3859 #[test]
3860 fn validate_accepts_reconcile_shapes() {
3861 for when in [
3862 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3863 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3864 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3865 When::PerTarget(PerPolicy::Every(EverySpec {
3866 every: "24h".into(),
3867 })),
3868 ] {
3869 schedule_with(when.clone(), RunsOn::Backend)
3870 .validate()
3871 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
3872 }
3873 }
3874
3875 #[test]
3876 fn validate_accepts_per_pc_on_agent() {
3877 schedule_with(
3878 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
3879 RunsOn::Agent,
3880 )
3881 .validate()
3882 .expect("per_pc + agent is the offline-inventory shape");
3883 }
3884
3885 // ---- #418 event triggers (when: { on }) ----
3886
3887 #[test]
3888 fn validate_accepts_event_on_agent() {
3889 for triggers in [
3890 vec![OnTrigger::Startup],
3891 vec![OnTrigger::Logon],
3892 vec![OnTrigger::Lock],
3893 vec![OnTrigger::Unlock],
3894 vec![OnTrigger::NetworkChange],
3895 vec![
3896 OnTrigger::Startup,
3897 OnTrigger::Logon,
3898 OnTrigger::Lock,
3899 OnTrigger::Unlock,
3900 OnTrigger::NetworkChange,
3901 ],
3902 ] {
3903 schedule_with(When::On(triggers), RunsOn::Agent)
3904 .validate()
3905 .expect("when.on is valid on runs_on: agent");
3906 }
3907 }
3908
3909 #[test]
3910 fn validate_rejects_event_on_backend() {
3911 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
3912 .validate()
3913 .unwrap_err();
3914 assert!(err.contains("when.on"), "got: {err}");
3915 assert!(err.contains("runs_on: agent"), "got: {err}");
3916 }
3917
3918 #[test]
3919 fn validate_rejects_empty_event_list() {
3920 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
3921 .validate()
3922 .unwrap_err();
3923 assert!(err.contains("when.on"), "got: {err}");
3924 assert!(err.contains("at least one"), "got: {err}");
3925 }
3926
3927 #[test]
3928 fn event_schedule_lowers_to_event_mode_and_is_event() {
3929 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
3930 assert!(s.is_event());
3931 assert_eq!(s.lowered().mode, ExecMode::Event);
3932 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
3933 // non-event schedules report no triggers.
3934 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
3935 assert!(!cal.is_event());
3936 assert!(cal.event_triggers().is_empty());
3937 }
3938
3939 // ---- #418 constraints.require (env gates) ----
3940
3941 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
3942 let mut s = schedule_with(
3943 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
3944 runs_on,
3945 );
3946 s.constraints.require = Some(req);
3947 s
3948 }
3949
3950 #[test]
3951 fn require_met_combinations() {
3952 use std::time::Duration;
3953 let idle = |m: u64| Some(Duration::from_secs(m * 60));
3954 // Builder for the sensed state: (ac, idle, cpu, network).
3955 let env = |ac, idle, cpu, net| EnvState {
3956 ac_online: ac,
3957 idle,
3958 cpu_pct: cpu,
3959 network_up: net,
3960 };
3961 // Empty require — always met regardless of sensed state.
3962 assert!(require_met(
3963 &Require::default(),
3964 &env(false, None, None, false)
3965 ));
3966 // ac_power: only on AC.
3967 let ac = Require {
3968 ac_power: true,
3969 ..Default::default()
3970 };
3971 assert!(!require_met(&ac, &env(false, None, None, true)));
3972 assert!(require_met(&ac, &env(true, None, None, false)));
3973 // idle: needs >= the configured min; None idle never satisfies.
3974 let idle10 = Require {
3975 idle: Some("10m".into()),
3976 ..Default::default()
3977 };
3978 assert!(!require_met(&idle10, &env(true, None, None, true)));
3979 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
3980 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
3981 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
3982 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
3983 let cpu20 = Require {
3984 cpu_below: Some(20.0),
3985 ..Default::default()
3986 };
3987 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
3988 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
3989 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
3990 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
3991 // network: only when online.
3992 let net = Require {
3993 network: true,
3994 ..Default::default()
3995 };
3996 assert!(!require_met(&net, &env(true, None, None, false))); // offline
3997 assert!(require_met(&net, &env(true, None, None, true))); // online
3998 // all four: AND.
3999 let all = Require {
4000 ac_power: true,
4001 idle: Some("10m".into()),
4002 cpu_below: Some(20.0),
4003 network: true,
4004 };
4005 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
4006 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
4007 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
4008 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
4009 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
4010 // An unparseable idle is treated as no-requirement by require_met
4011 // (validate rejects it at create time, so this only guards a
4012 // hand-edited blob): ac still gates.
4013 let bad = Require {
4014 ac_power: true,
4015 idle: Some("garbage".into()),
4016 ..Default::default()
4017 };
4018 assert!(require_met(&bad, &env(true, None, None, true)));
4019 assert!(!require_met(&bad, &env(false, None, None, true)));
4020 }
4021
4022 #[test]
4023 fn validate_accepts_and_rejects_cpu_below() {
4024 // In-range accepted.
4025 require_schedule(
4026 Require {
4027 cpu_below: Some(20.0),
4028 ..Default::default()
4029 },
4030 RunsOn::Agent,
4031 )
4032 .validate()
4033 .expect("cpu_below 20 is valid");
4034 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
4035 // 100%). Pins the inclusive upper bound against a future c < 100.0.
4036 require_schedule(
4037 Require {
4038 cpu_below: Some(100.0),
4039 ..Default::default()
4040 },
4041 RunsOn::Agent,
4042 )
4043 .validate()
4044 .expect("cpu_below 100 is valid");
4045 // Out of range rejected (0 and >100).
4046 for bad in [0.0, -5.0, 100.1] {
4047 let err = require_schedule(
4048 Require {
4049 cpu_below: Some(bad),
4050 ..Default::default()
4051 },
4052 RunsOn::Agent,
4053 )
4054 .validate()
4055 .unwrap_err();
4056 assert!(
4057 err.contains("constraints.require.cpu_below"),
4058 "cpu_below {bad}: {err}"
4059 );
4060 }
4061 }
4062
4063 #[test]
4064 fn validate_accepts_require_on_agent() {
4065 require_schedule(
4066 Require {
4067 ac_power: true,
4068 idle: Some("10m".into()),
4069 cpu_below: Some(20.0),
4070 network: true,
4071 },
4072 RunsOn::Agent,
4073 )
4074 .validate()
4075 .expect("constraints.require is valid on runs_on: agent");
4076 }
4077
4078 #[test]
4079 fn validate_rejects_require_on_backend() {
4080 let err = require_schedule(
4081 Require {
4082 ac_power: true,
4083 ..Default::default()
4084 },
4085 RunsOn::Backend,
4086 )
4087 .validate()
4088 .unwrap_err();
4089 assert!(err.contains("constraints.require"), "got: {err}");
4090 assert!(err.contains("runs_on: agent"), "got: {err}");
4091
4092 // An idle-only require (ac_power: false) is also non-empty
4093 // (is_empty folds the fields) and must reject on backend too —
4094 // guards against a regression in Require::is_empty.
4095 let err = require_schedule(
4096 Require {
4097 idle: Some("10m".into()),
4098 ..Default::default()
4099 },
4100 RunsOn::Backend,
4101 )
4102 .validate()
4103 .unwrap_err();
4104 assert!(
4105 err.contains("constraints.require"),
4106 "idle-only on backend: {err}"
4107 );
4108 }
4109
4110 #[test]
4111 fn validate_rejects_bad_require_idle() {
4112 let err = require_schedule(
4113 Require {
4114 idle: Some("not-a-duration".into()),
4115 ..Default::default()
4116 },
4117 RunsOn::Agent,
4118 )
4119 .validate()
4120 .unwrap_err();
4121 assert!(err.contains("constraints.require.idle"), "got: {err}");
4122 }
4123
4124 #[test]
4125 fn require_round_trips_and_skips_empty() {
4126 // ac_power: false is skipped; an all-default require nested in
4127 // constraints is omitted (is_empty folds it in).
4128 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
4129 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
4130 network: true } }\n";
4131 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4132 let req = s.constraints.require.as_ref().expect("require present");
4133 assert!(req.ac_power);
4134 assert_eq!(req.idle.as_deref(), Some("10m"));
4135 assert_eq!(req.cpu_below, Some(20.0));
4136 assert!(req.network);
4137 // Re-serialize: idle + cpu_below + network present, ac_power true.
4138 let back = serde_json::to_string(&s.constraints).unwrap();
4139 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
4140 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
4141 assert!(back.contains("\"network\":true"), "got: {back}");
4142 // An empty require is omitted entirely by is_empty.
4143 let mut empty = s.clone();
4144 empty.constraints.require = Some(Require::default());
4145 assert!(empty.constraints.is_empty());
4146 }
4147
4148 #[test]
4149 fn validate_rejects_per_target_on_agent() {
4150 let err = schedule_with(
4151 When::PerTarget(PerPolicy::Every(EverySpec {
4152 every: "24h".into(),
4153 })),
4154 RunsOn::Agent,
4155 )
4156 .validate()
4157 .unwrap_err();
4158 assert!(err.contains("per_target"), "got: {err}");
4159 assert!(err.contains("runs_on: agent"), "got: {err}");
4160
4161 // per_target: once is also backend-only.
4162 let err = schedule_with(
4163 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
4164 RunsOn::Agent,
4165 )
4166 .validate()
4167 .unwrap_err();
4168 assert!(err.contains("per_target"), "got (once): {err}");
4169 assert!(err.contains("runs_on: agent"), "got (once): {err}");
4170 }
4171
4172 #[test]
4173 fn validate_rejects_bad_every_duration() {
4174 let err = schedule_with(
4175 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
4176 RunsOn::Backend,
4177 )
4178 .validate()
4179 .unwrap_err();
4180 assert!(err.contains("when.every"), "got: {err}");
4181 }
4182
4183 #[test]
4184 fn validate_rejects_bad_jitter_and_starting_deadline() {
4185 let mut s = schedule_with(
4186 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4187 RunsOn::Backend,
4188 );
4189 s.plan.jitter = Some("5x".into());
4190 let err = s.validate().unwrap_err();
4191 assert!(err.contains("jitter"), "got: {err}");
4192
4193 let mut s = schedule_with(
4194 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4195 RunsOn::Backend,
4196 );
4197 s.starting_deadline = Some("soon".into());
4198 let err = s.validate().unwrap_err();
4199 assert!(err.contains("starting_deadline"), "got: {err}");
4200 }
4201
4202 #[test]
4203 fn validate_accepts_calendar_shapes() {
4204 for when in [
4205 calendar("09:00", &["mon-fri"]), // weekday morning
4206 calendar("00:00", &["sun"]), // weekly
4207 calendar("18:30", &[]), // daily
4208 calendar("2026-06-10 09:00", &[]), // one-shot
4209 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
4210 ] {
4211 schedule_with(when.clone(), RunsOn::Backend)
4212 .validate()
4213 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
4214 }
4215 }
4216
4217 #[test]
4218 fn validate_rejects_bad_at() {
4219 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
4220 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
4221 .validate()
4222 .unwrap_err();
4223 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
4224 }
4225 }
4226
4227 #[test]
4228 fn validate_rejects_datetime_at_with_days() {
4229 // A dated `at` is a one-shot — pairing it with days is a
4230 // contradiction (the date already pins the day).
4231 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
4232 .validate()
4233 .unwrap_err();
4234 assert!(
4235 err.contains("one-shot") && err.contains("days"),
4236 "got: {err}"
4237 );
4238 }
4239
4240 #[test]
4241 fn validate_rejects_bad_day_name() {
4242 // A garbage DOW token is caught by the days pre-flight and
4243 // reported against `when.days`, not the confusing
4244 // "when.at lowered to invalid cron" (claude #432 review).
4245 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
4246 .validate()
4247 .unwrap_err();
4248 assert!(err.contains("when.days"), "got: {err}");
4249 assert!(err.contains("funday"), "names the bad token: {err}");
4250 // a degenerate range like `mon-` reports the whole token, not
4251 // a cryptic empty part (claude #432 follow-up)
4252 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
4253 .validate()
4254 .unwrap_err();
4255 assert!(err.contains("'mon-'"), "names the whole token: {err}");
4256 // valid names / ranges / numeric / * all pass
4257 for ok in [
4258 calendar("09:00", &["mon-fri"]),
4259 calendar("09:00", &["mon", "wed", "sun"]),
4260 calendar("09:00", &["1-5"]),
4261 ] {
4262 schedule_with(ok.clone(), RunsOn::Backend)
4263 .validate()
4264 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
4265 }
4266 }
4267
4268 #[test]
4269 fn validate_accepts_nth_weekday() {
4270 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
4271 // a cron and parses it with croner, so passing here proves the
4272 // whole chain — token → DOW field → engine-acceptable cron.
4273 for ok in [
4274 calendar("09:00", &["tue#2"]), // 2nd Tuesday
4275 calendar("09:00", &["fri#1"]), // 1st Friday
4276 calendar("03:00", &["sun#5"]), // 5th Sunday
4277 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
4278 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
4279 // Case-insensitive both sides: validate lowercases, croner
4280 // upper-cases the whole pattern before aliasing (claude #547).
4281 calendar("09:00", &["TUE#2"]),
4282 ] {
4283 schedule_with(ok.clone(), RunsOn::Backend)
4284 .validate()
4285 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
4286 }
4287 }
4288
4289 #[test]
4290 fn validate_rejects_bad_nth_weekday() {
4291 // ordinal out of 1..5, a range with #, and a bad day before #.
4292 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
4293 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
4294 .validate()
4295 .unwrap_err();
4296 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
4297 }
4298 }
4299
4300 #[test]
4301 fn validate_accepts_last_weekday() {
4302 // #418: last-weekday (`friL` = last Friday). Like the nth case,
4303 // validate() lowers to a cron and round-trips it through croner,
4304 // so passing proves token → DOW field → engine-acceptable cron
4305 // with the verified last-<dow>-of-month semantics.
4306 for ok in [
4307 calendar("09:00", &["friL"]), // last Friday
4308 calendar("03:00", &["sunL"]), // last Sunday
4309 calendar("22:00", &["5L"]), // numeric DOW + last
4310 calendar("00:00", &["0L"]), // numeric Sunday (0…
4311 calendar("00:00", &["7L"]), // …and its 7 alias)
4312 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
4313 // Case-insensitive both the weekday and the `L` suffix:
4314 // validate lowercases the day, croner upper-cases the whole
4315 // pattern before aliasing (claude #547).
4316 calendar("09:00", &["FRIL"]),
4317 calendar("09:00", &["fril"]),
4318 ] {
4319 schedule_with(ok.clone(), RunsOn::Backend)
4320 .validate()
4321 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
4322 }
4323 }
4324
4325 #[test]
4326 fn validate_rejects_bad_last_weekday() {
4327 // bare `L` (no weekday — a footgun croner reads as Saturday), a
4328 // range with L, a bad day before L, and an internal space that
4329 // would otherwise leak a malformed cron downstream (gemini #560).
4330 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
4331 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
4332 .validate()
4333 .unwrap_err();
4334 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
4335 }
4336 }
4337
4338 #[test]
4339 fn calendar_oneshot_instant_detects_past() {
4340 use chrono::TimeZone;
4341 // a dated `at` resolves to an absolute instant…
4342 let c = CalendarSpec {
4343 at: "2024-01-01 09:00".into(),
4344 days: vec![],
4345 };
4346 let t = c
4347 .oneshot_instant(ScheduleTz::Utc)
4348 .expect("one-shot instant");
4349 assert_eq!(
4350 t,
4351 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
4352 );
4353 assert!(t < chrono::Utc::now(), "2024 is in the past");
4354 // …while a repeating (time-only) calendar has no instant
4355 let rep = CalendarSpec {
4356 at: "09:00".into(),
4357 days: vec!["mon-fri".into()],
4358 };
4359 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
4360 }
4361
4362 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
4363 let mut s = schedule_with(
4364 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4365 RunsOn::Backend,
4366 );
4367 s.active = Active {
4368 from: from.map(str::to_owned),
4369 until: until.map(str::to_owned),
4370 };
4371 s
4372 }
4373
4374 #[test]
4375 fn validate_accepts_active_window() {
4376 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
4377 .validate()
4378 .expect("date + rfc3339 bounds should validate");
4379 }
4380
4381 #[test]
4382 fn validate_rejects_unparseable_active_bound() {
4383 let err = schedule_with_active(Some("July 1st"), None)
4384 .validate()
4385 .unwrap_err();
4386 assert!(err.contains("active"), "got: {err}");
4387 }
4388
4389 #[test]
4390 fn validate_rejects_from_not_before_until() {
4391 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
4392 .validate()
4393 .unwrap_err();
4394 assert!(err.contains("strictly before"), "got: {err}");
4395
4396 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
4397 .validate()
4398 .unwrap_err();
4399 assert!(err.contains("strictly before"), "got: {err}");
4400 }
4401
4402 // ---- Active window semantics ----
4403
4404 #[test]
4405 fn active_window_is_half_open() {
4406 use chrono::TimeZone;
4407 let active = Active {
4408 from: Some("2026-07-01".into()),
4409 until: Some("2026-08-01".into()),
4410 };
4411 // UTC tz so the date bounds are UTC midnight.
4412 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
4413 let c = |t| active.contains(t, ScheduleTz::Utc);
4414 assert!(!c(at(2026, 6, 30, 23)), "before from");
4415 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
4416 assert!(c(at(2026, 7, 15, 12)), "inside");
4417 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
4418 assert!(!c(at(2026, 8, 2, 0)), "after until");
4419 }
4420
4421 #[test]
4422 fn active_empty_window_is_always_active() {
4423 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
4424 }
4425
4426 #[test]
4427 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
4428 use chrono::TimeZone;
4429 let active = Active {
4430 from: Some("2026-07-01T09:00:00+09:00".into()),
4431 until: None,
4432 };
4433 // RFC3339 carries its own offset → tz arg is ignored.
4434 // 09:00 JST = 00:00 UTC.
4435 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
4436 assert!(
4437 !active.contains(
4438 chrono::Utc
4439 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
4440 .unwrap(),
4441 tz
4442 )
4443 );
4444 assert!(active.contains(
4445 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
4446 tz
4447 ));
4448 }
4449 }
4450
4451 #[test]
4452 fn active_date_bound_respects_tz() {
4453 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
4454 // tz* (#418 Phase 2). The UTC interpretation is exact and
4455 // host-independent; assert that precisely.
4456 use chrono::TimeZone;
4457 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
4458 assert_eq!(
4459 utc,
4460 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
4461 );
4462
4463 // The local interpretation must equal what chrono::Local
4464 // computes for the same wall-clock midnight — proves the tz
4465 // path is wired to the host zone (the magnitude vs UTC is
4466 // host-dependent, so we compare against Local directly rather
4467 // than hard-coding the JST offset, keeping CI green on UTC
4468 // runners).
4469 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
4470 let want = chrono::Local
4471 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
4472 .single()
4473 .expect("local midnight is unambiguous")
4474 .with_timezone(&chrono::Utc);
4475 assert_eq!(local, want, "date bound resolved in host-local tz");
4476 }
4477
4478 #[test]
4479 fn active_empty_is_skipped_when_serialising() {
4480 let s = schedule_with(
4481 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4482 RunsOn::Backend,
4483 );
4484 let json = serde_json::to_value(&s).expect("serialise");
4485 assert!(
4486 json.get("active").is_none(),
4487 "empty active must not appear on the wire: {json}"
4488 );
4489 }
4490
4491 // ---- constraints.window (#418 Phase 3) ----
4492
4493 fn with_window(win: &str) -> Schedule {
4494 let mut s = schedule_with(
4495 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4496 RunsOn::Backend,
4497 );
4498 s.constraints.window = Some(win.into());
4499 s
4500 }
4501
4502 #[test]
4503 fn constraints_window_parses_and_round_trips() {
4504 let yaml = r#"
4505id: x
4506when:
4507 per_pc: { every: 6h }
4508job_id: y
4509target: { all: true }
4510constraints:
4511 window: "22:00-05:00"
4512"#;
4513 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4514 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
4515 let back: Schedule =
4516 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
4517 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
4518 }
4519
4520 #[test]
4521 fn constraints_empty_is_skipped_when_serialising() {
4522 let s = schedule_with(
4523 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4524 RunsOn::Backend,
4525 );
4526 let json = serde_json::to_value(&s).expect("serialise");
4527 assert!(
4528 json.get("constraints").is_none(),
4529 "empty constraints must not appear on the wire: {json}"
4530 );
4531 }
4532
4533 #[test]
4534 fn window_no_constraint_always_allows() {
4535 let c = Constraints::default();
4536 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
4537 }
4538
4539 #[test]
4540 fn window_same_day_is_half_open() {
4541 use chrono::TimeZone;
4542 let s = with_window("09:00-17:00");
4543 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
4544 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
4545 assert!(!a(at(8, 59)), "before start");
4546 assert!(a(at(9, 0)), "at start (inclusive)");
4547 assert!(a(at(16, 59)), "inside");
4548 assert!(!a(at(17, 0)), "at end (exclusive)");
4549 assert!(!a(at(23, 0)), "after end");
4550 }
4551
4552 #[test]
4553 fn window_crossing_midnight() {
4554 use chrono::TimeZone;
4555 let s = with_window("22:00-05:00");
4556 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
4557 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
4558 assert!(a(at(22, 0)), "at start tonight");
4559 assert!(a(at(23, 30)), "late tonight");
4560 assert!(a(at(3, 0)), "early tomorrow");
4561 assert!(!a(at(5, 0)), "at end (exclusive)");
4562 assert!(!a(at(12, 0)), "midday outside");
4563 assert!(!a(at(21, 59)), "just before start");
4564 }
4565
4566 #[test]
4567 fn window_respects_tz() {
4568 // The same instant is inside the window under one tz and may
4569 // be outside under another. Compare UTC vs Local via the
4570 // host's own offset (kept CI-green on UTC runners like the
4571 // active tz test does).
4572 use chrono::TimeZone;
4573 let s = with_window("09:00-17:00");
4574 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
4575 // Under UTC, 12:00 is inside 09:00-17:00.
4576 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
4577 // Under Local, the verdict tracks the host wall-clock time;
4578 // assert it matches a direct wall_time membership check.
4579 let local_t = noon_utc.with_timezone(&chrono::Local).time();
4580 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
4581 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
4582 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
4583 }
4584
4585 #[test]
4586 fn validate_accepts_good_window() {
4587 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
4588 with_window(w)
4589 .validate()
4590 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
4591 }
4592 }
4593
4594 #[test]
4595 fn validate_rejects_bad_window() {
4596 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
4597 let err = with_window(bad).validate().unwrap_err();
4598 assert!(
4599 err.contains("constraints.window"),
4600 "for '{bad}', got: {err}"
4601 );
4602 }
4603 }
4604
4605 // ---- constraints.skip_dates (#418 holiday exclusion) ----
4606
4607 fn with_skip_dates(dates: &[&str]) -> Schedule {
4608 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4609 s.tz = ScheduleTz::Utc; // host-independent date assertions
4610 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
4611 s
4612 }
4613
4614 #[test]
4615 fn allows_blocks_listed_skip_date() {
4616 use chrono::TimeZone;
4617 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
4618 // Any time on a listed date is blocked (whole day).
4619 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
4620 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
4621 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
4622 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
4623 // A date not in the list fires normally.
4624 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
4625 assert!(s.constraints.allows(off, ScheduleTz::Utc));
4626 }
4627
4628 #[test]
4629 fn allows_corrupt_skip_date_fails_closed() {
4630 use chrono::TimeZone;
4631 // A garbled entry (only reachable via hand-edited KV) blocks
4632 // rather than silently re-enabling fires — same posture as a
4633 // corrupt window.
4634 let s = with_skip_dates(&["not-a-date"]);
4635 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
4636 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
4637 }
4638
4639 #[test]
4640 fn validate_accepts_good_skip_dates() {
4641 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
4642 .validate()
4643 .expect("well-formed skip dates should validate");
4644 }
4645
4646 #[test]
4647 fn validate_rejects_bad_skip_date() {
4648 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
4649 let err = with_skip_dates(&[bad]).validate().unwrap_err();
4650 assert!(
4651 err.contains("constraints.skip_dates"),
4652 "for '{bad}', got: {err}"
4653 );
4654 }
4655 }
4656
4657 #[test]
4658 fn preview_skips_holidays() {
4659 use chrono::TimeZone;
4660 // Daily 09:00 with two of the next five days marked as holidays
4661 // — preview drops exactly those, since it gates on `allows`.
4662 let mut s = cal_utc("09:00", &[]);
4663 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
4664 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
4665 let got = s.preview_fires(now, 4);
4666 let want: Vec<_> = [
4667 (2026, 6, 10),
4668 (2026, 6, 12), // skips 06-11
4669 (2026, 6, 14), // skips 06-13
4670 (2026, 6, 15),
4671 ]
4672 .iter()
4673 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
4674 .collect();
4675 assert_eq!(got, want);
4676 }
4677
4678 // ---- constraints.max_concurrent (#418) ----
4679
4680 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
4681 let mut s = schedule_with(
4682 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4683 runs_on,
4684 );
4685 s.constraints.max_concurrent = Some(max);
4686 s
4687 }
4688
4689 #[test]
4690 fn validate_accepts_backend_max_concurrent() {
4691 with_max_concurrent(5, RunsOn::Backend)
4692 .validate()
4693 .expect("backend max_concurrent should validate");
4694 }
4695
4696 #[test]
4697 fn validate_rejects_max_concurrent_on_agent() {
4698 // Decision E: a central running-instance cap needs a central
4699 // counter, which agents don't have.
4700 let err = with_max_concurrent(5, RunsOn::Agent)
4701 .validate()
4702 .unwrap_err();
4703 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
4704 assert!(err.contains("runs_on: agent"), "got: {err}");
4705 }
4706
4707 #[test]
4708 fn validate_rejects_zero_max_concurrent() {
4709 let err = with_max_concurrent(0, RunsOn::Backend)
4710 .validate()
4711 .unwrap_err();
4712 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
4713 }
4714
4715 #[test]
4716 fn max_concurrent_round_trips_and_skips_when_absent() {
4717 let s = with_max_concurrent(3, RunsOn::Backend);
4718 let json = serde_json::to_value(&s.constraints).expect("ser");
4719 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
4720 // A schedule with no constraints omits the whole block.
4721 let bare = schedule_with(
4722 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4723 RunsOn::Backend,
4724 );
4725 assert!(bare.constraints.is_empty());
4726 }
4727
4728 #[test]
4729 fn window_fail_closed_on_corrupt_blob() {
4730 // A malformed window (only reachable via a hand-edited KV
4731 // blob — validate() rejects it at create) must BLOCK, not
4732 // silently allow fires during a change-freeze (gemini #452).
4733 let s = with_window("22:00_05:00");
4734 assert!(
4735 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
4736 "corrupt window fails closed"
4737 );
4738 // …and the scheduler can surface why it's stuck.
4739 assert!(
4740 s.bad_window().is_some(),
4741 "bad_window reports the parse error"
4742 );
4743 assert!(with_window("22:00-05:00").bad_window().is_none());
4744 }
4745
4746 #[test]
4747 fn calendar_outside_window_is_flagged() {
4748 // at 09:00 can never fall in 22:00-05:00 → never fires.
4749 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
4750 s.constraints.window = Some("22:00-05:00".into());
4751 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
4752
4753 // at 23:00 IS inside the overnight window → fine.
4754 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
4755 s.constraints.window = Some("22:00-05:00".into());
4756 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
4757
4758 // reconcile shapes are never flagged (they poll every minute).
4759 let mut s = schedule_with(
4760 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4761 RunsOn::Backend,
4762 );
4763 s.constraints.window = Some("22:00-05:00".into());
4764 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
4765
4766 // no window → never flagged.
4767 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4768 assert!(!s.calendar_outside_window());
4769 }
4770
4771 // ---- on_failure.retry (#418 Phase 4) ----
4772
4773 fn with_retry(max: u32, backoff: &str) -> Schedule {
4774 let mut s = schedule_with(
4775 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4776 RunsOn::Backend,
4777 );
4778 s.on_failure.retry = Some(Retry {
4779 max,
4780 backoff: backoff.into(),
4781 });
4782 s
4783 }
4784
4785 #[test]
4786 fn on_failure_parses_and_round_trips() {
4787 let yaml = r#"
4788id: x
4789when:
4790 per_pc: { every: 6h }
4791job_id: y
4792target: { all: true }
4793on_failure:
4794 retry: { max: 3, backoff: 10m }
4795"#;
4796 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4797 let r = s.on_failure.retry.as_ref().expect("retry present");
4798 assert_eq!(r.max, 3);
4799 assert_eq!(r.backoff, "10m");
4800 let back: Schedule =
4801 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
4802 assert_eq!(back.on_failure, s.on_failure);
4803 }
4804
4805 #[test]
4806 fn on_failure_empty_is_skipped_when_serialising() {
4807 let s = schedule_with(
4808 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4809 RunsOn::Backend,
4810 );
4811 let json = serde_json::to_value(&s).expect("serialise");
4812 assert!(
4813 json.get("on_failure").is_none(),
4814 "empty on_failure must not appear on the wire: {json}"
4815 );
4816 }
4817
4818 #[test]
4819 fn validate_accepts_good_retry() {
4820 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
4821 with_retry(max, backoff)
4822 .validate()
4823 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
4824 }
4825 }
4826
4827 #[test]
4828 fn validate_rejects_bad_backoff() {
4829 let err = with_retry(3, "soon").validate().unwrap_err();
4830 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
4831 }
4832
4833 #[test]
4834 fn validate_rejects_sub_second_backoff() {
4835 // "500ms" parses as humantime but lowers to 0s on the wire —
4836 // reject it so the operator doesn't get a silent no-wait
4837 // (coderabbit #466).
4838 for bad in ["500ms", "0s", "999ms"] {
4839 let err = with_retry(3, bad).validate().unwrap_err();
4840 assert!(
4841 err.contains("on_failure.retry.backoff must be >= 1s"),
4842 "for '{bad}', got: {err}"
4843 );
4844 }
4845 }
4846
4847 #[test]
4848 fn validate_rejects_out_of_range_max() {
4849 for bad in [0u32, 11, 1000] {
4850 let err = with_retry(bad, "10m").validate().unwrap_err();
4851 assert!(
4852 err.contains("on_failure.retry.max"),
4853 "for max={bad}, got: {err}"
4854 );
4855 }
4856 }
4857
4858 #[test]
4859 fn lowered_retry_reduces_backoff_to_seconds() {
4860 let s = with_retry(3, "10m");
4861 let spec = s.on_failure.lowered_retry().expect("a retry policy");
4862 assert_eq!(spec.max, 3);
4863 assert_eq!(spec.backoff_secs, 600);
4864 }
4865
4866 #[test]
4867 fn lowered_retry_is_none_without_policy() {
4868 let s = schedule_with(
4869 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4870 RunsOn::Backend,
4871 );
4872 assert!(s.on_failure.lowered_retry().is_none());
4873 }
4874
4875 // ---- global change-freeze (#418 Phase 5) ----
4876
4877 #[test]
4878 fn freeze_empty_window_is_always_active() {
4879 // The big-red-button shape: no bounds = frozen until cleared.
4880 let f = Freeze::default();
4881 assert!(f.is_active(chrono::Utc::now()));
4882 }
4883
4884 #[test]
4885 fn freeze_window_is_half_open() {
4886 use chrono::TimeZone;
4887 let f = Freeze {
4888 from: Some("2026-12-20T00:00:00+00:00".into()),
4889 until: Some("2027-01-05T00:00:00+00:00".into()),
4890 reason: Some("year-end".into()),
4891 tz: ScheduleTz::Utc,
4892 };
4893 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
4894 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
4895 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
4896 assert!(f.is_active(at(2026, 12, 31)), "inside window");
4897 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
4898 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
4899 }
4900
4901 #[test]
4902 fn freeze_fails_closed_on_corrupt_bound() {
4903 // A freeze is a safety switch: an unparseable bound (only
4904 // reachable via a hand-edited KV blob) must read as FROZEN, not
4905 // "fire normally" (coderabbit #472) — the opposite of `active`,
4906 // which fail-opens.
4907 let f = Freeze {
4908 from: Some("not-a-date".into()),
4909 until: None,
4910 reason: None,
4911 tz: ScheduleTz::Utc,
4912 };
4913 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
4914 }
4915
4916 #[test]
4917 fn freeze_validate_accepts_good_bounds() {
4918 Freeze {
4919 from: Some("2026-12-20".into()),
4920 until: Some("2027-01-05T12:00:00+09:00".into()),
4921 reason: None,
4922 tz: ScheduleTz::Local,
4923 }
4924 .validate()
4925 .expect("date + rfc3339 bounds should validate");
4926 // Empty (indefinite) freeze is valid.
4927 Freeze::default().validate().expect("empty freeze is valid");
4928 }
4929
4930 #[test]
4931 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
4932 let err = Freeze {
4933 from: Some("never".into()),
4934 ..Default::default()
4935 }
4936 .validate()
4937 .unwrap_err();
4938 assert!(err.contains("freeze:"), "got: {err}");
4939
4940 let inverted = Freeze {
4941 from: Some("2027-01-05".into()),
4942 until: Some("2026-12-20".into()),
4943 ..Default::default()
4944 }
4945 .validate()
4946 .unwrap_err();
4947 assert!(inverted.contains("freeze.from"), "got: {inverted}");
4948 }
4949
4950 #[test]
4951 fn freeze_round_trips_and_skips_empty_fields() {
4952 let f = Freeze {
4953 from: None,
4954 until: Some("2027-01-05".into()),
4955 reason: Some("INC-1234".into()),
4956 tz: ScheduleTz::Utc,
4957 };
4958 let json = serde_json::to_value(&f).expect("serialise");
4959 assert!(json.get("from").is_none(), "empty from omitted: {json}");
4960 let back: Freeze = serde_json::from_value(json).expect("round-trip");
4961 assert_eq!(back, f);
4962 }
4963
4964 #[test]
4965 fn shipped_schedule_configs_parse_and_validate() {
4966 // Every YAML under configs/schedules/ must parse with the
4967 // current Schedule serde AND pass validate() — keeps the
4968 // shipped examples from drifting out of sync with the model
4969 // (#418 removed back-compat, so drift = broken at create).
4970 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
4971 let mut seen = 0;
4972 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
4973 let path = entry.expect("dir entry").path();
4974 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
4975 continue;
4976 }
4977 let body = std::fs::read_to_string(&path).expect("read yaml");
4978 let s: Schedule = serde_yaml::from_str(&body)
4979 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
4980 s.validate()
4981 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
4982 seen += 1;
4983 }
4984 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
4985 }
4986
4987 // ---- pre-existing enum wire formats (unchanged by #418) ----
4988
4989 #[test]
4990 fn exec_mode_serialises_snake_case() {
4991 for (mode, expected) in [
4992 (ExecMode::EveryTick, "every_tick"),
4993 (ExecMode::OncePerPc, "once_per_pc"),
4994 (ExecMode::OncePerTarget, "once_per_target"),
4995 ] {
4996 let s = serde_json::to_value(mode).expect("serialise");
4997 assert_eq!(s, serde_json::Value::String(expected.into()));
4998 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
4999 .expect("deserialise");
5000 assert_eq!(back, mode, "round-trip for {expected}");
5001 }
5002 }
5003
5004 #[test]
5005 fn schedule_runs_on_defaults_to_backend() {
5006 let yaml = r#"
5007id: x
5008when:
5009 per_pc: once
5010job_id: y
5011target: { all: true }
5012"#;
5013 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
5014 assert_eq!(s.runs_on, RunsOn::Backend);
5015 }
5016
5017 #[test]
5018 fn schedule_runs_on_agent_parses() {
5019 let yaml = r#"
5020id: offline-inv
5021when:
5022 per_pc: { every: 1h }
5023job_id: inventory-hw
5024target: { all: true }
5025runs_on: agent
5026"#;
5027 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
5028 assert_eq!(s.runs_on, RunsOn::Agent);
5029 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
5030 }
5031
5032 #[test]
5033 fn runs_on_serialises_snake_case() {
5034 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
5035 let s = serde_json::to_value(mode).expect("serialise");
5036 assert_eq!(s, serde_json::Value::String(expected.into()));
5037 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
5038 .expect("deserialise");
5039 assert_eq!(back, mode);
5040 }
5041 }
5042
5043 #[test]
5044 fn execute_shell_into_wire_shell() {
5045 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
5046 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
5047 }
5048
5049 #[test]
5050 fn manifest_staleness_defaults_to_cached() {
5051 let yaml = r#"
5052id: x
5053version: 1.0.0
5054execute:
5055 shell: powershell
5056 script: "echo"
5057 timeout: 1s
5058"#;
5059 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5060 assert_eq!(m.staleness, Staleness::Cached);
5061 }
5062
5063 #[test]
5064 fn manifest_strict_staleness_parses() {
5065 let yaml = r#"
5066id: urgent-patch
5067version: 2.5.1
5068execute:
5069 shell: powershell
5070 script: Install-Hotfix
5071 timeout: 5m
5072staleness:
5073 mode: strict
5074 max_cache_age: 0s
5075"#;
5076 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5077 match m.staleness {
5078 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
5079 other => panic!("expected strict, got {other:?}"),
5080 }
5081 }
5082
5083 #[test]
5084 fn manifest_unchecked_staleness_parses() {
5085 let yaml = r#"
5086id: legacy
5087version: 0.1.0
5088execute:
5089 shell: cmd
5090 script: "echo"
5091 timeout: 1s
5092staleness:
5093 mode: unchecked
5094"#;
5095 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5096 assert_eq!(m.staleness, Staleness::Unchecked);
5097 }
5098
5099 #[test]
5100 fn missing_required_field_errors() {
5101 // `id` missing.
5102 let yaml = r#"
5103version: 1.0.0
5104target: { all: true }
5105execute:
5106 shell: powershell
5107 script: "echo"
5108 timeout: 1s
5109"#;
5110 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
5111 assert!(r.is_err(), "expected error, got {:?}", r);
5112 }
5113
5114 #[test]
5115 fn display_field_table_kind_round_trips_with_nested_columns() {
5116 // #39: `type: table` + `columns:` on a DisplayField gets
5117 // round-tripped through serde so the SPA receives the
5118 // nested schema verbatim. Nested columns themselves are
5119 // DisplayFields so they can carry `type: bytes` /
5120 // `type: number` for cell formatting.
5121 let yaml = r#"
5122id: inv-hw
5123version: 1.0.0
5124execute:
5125 shell: powershell
5126 script: "echo"
5127 timeout: 60s
5128inventory:
5129 display:
5130 - field: hostname
5131 label: Hostname
5132 - field: disks
5133 label: Disks
5134 type: table
5135 columns:
5136 - field: device_id
5137 label: Drive
5138 - field: size_bytes
5139 label: Size
5140 type: bytes
5141 - field: free_bytes
5142 label: Free
5143 type: bytes
5144 - field: file_system
5145 label: FS
5146"#;
5147 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5148 let inv = m.inventory.as_ref().expect("inventory hint");
5149 let disks = inv
5150 .display
5151 .iter()
5152 .find(|d| d.field == "disks")
5153 .expect("disks display row");
5154 assert_eq!(disks.kind.as_deref(), Some("table"));
5155 let cols = disks.columns.as_ref().expect("table needs columns");
5156 assert_eq!(cols.len(), 4);
5157 assert_eq!(cols[1].field, "size_bytes");
5158 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
5159 }
5160
5161 #[test]
5162 fn display_field_scalar_kind_keeps_columns_none() {
5163 // Defensive: when type is a scalar (`bytes` / `number` /
5164 // `timestamp`) the `columns` field stays None — the SPA
5165 // uses its presence as the "render nested table" signal,
5166 // so it must not leak in via serde defaults.
5167 let yaml = r#"
5168id: x
5169version: 1.0.0
5170execute:
5171 shell: powershell
5172 script: "echo"
5173 timeout: 5s
5174inventory:
5175 display:
5176 - { field: ram_bytes, label: RAM, type: bytes }
5177"#;
5178 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5179 let inv = m.inventory.as_ref().unwrap();
5180 assert!(inv.display[0].columns.is_none());
5181 }
5182
5183 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
5184
5185 /// The JSON Schemas under `docs/schemas/` must match what
5186 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
5187 /// so a `Schedule` / `Manifest` field change can't silently drift
5188 /// the operator-facing schema. The SPA editor, the backend
5189 /// `/api/schemas/*` endpoints, and these files all read the same
5190 /// derived shape; this test fails CI if the checked-in copy lags.
5191 /// Regenerate with:
5192 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
5193 #[test]
5194 fn schema_files_are_current() {
5195 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
5196 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
5197 assert_schema_file("view.schema.json", &schemars::schema_for!(View));
5198 }
5199
5200 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
5201 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
5202 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
5203 .join("../../docs/schemas")
5204 .join(name);
5205 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
5206 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
5207 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
5208 return;
5209 }
5210 // Normalize CRLF→LF before comparing: `.gitattributes` already
5211 // pins these files to `eol=lf`, but a stray CRLF working-tree
5212 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
5213 // freshness check into a confusing line-ending failure — that's
5214 // .gitattributes' job, not this test's (gemini #588).
5215 let on_disk = std::fs::read_to_string(&path)
5216 .unwrap_or_else(|e| {
5217 panic!(
5218 "read {path:?}: {e}\n\
5219 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
5220 )
5221 })
5222 .replace("\r\n", "\n");
5223 assert_eq!(
5224 on_disk, generated,
5225 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
5226 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
5227 );
5228 }
5229}
5230
5231/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
5232/// (target + optional rollout + optional jitter) inline; the
5233/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
5234/// script body. Two schedules of the same job can target different
5235/// groups on different cadences without copying the manifest.
5236///
5237/// #418 Phase 1: the cadence is the single [`When`] field. The old
5238/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
5239/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
5240/// are warn-skipped; re-`schedule create` to upgrade them). The
5241/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
5242/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
5243/// `decide_fire` always ran on.
5244#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
5245pub struct Schedule {
5246 pub id: String,
5247 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
5248 /// or a calendar time trigger (`at` / `days`). See [`When`].
5249 ///
5250 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
5251 /// enums as `!per_pc` YAML tags by default; this keeps the
5252 /// operator-facing map shape (`when: { per_pc: once }`). JSON
5253 /// output is identical either way, and the schemars schema
5254 /// (external tagging = oneOf of single-key objects) already
5255 /// matches the singleton-map wire shape.
5256 #[serde(with = "serde_yaml::with::singleton_map")]
5257 #[schemars(with = "When")]
5258 pub when: When,
5259 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
5260 /// Manifest's `id`.
5261 pub job_id: String,
5262 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
5263 /// carry these any more — same job + different fanout = different
5264 /// schedule.
5265 #[serde(flatten)]
5266 pub plan: FanoutPlan,
5267 /// Optional validity window. Outside `[from, until)` the
5268 /// schedule is dormant — still registered, still visible, but
5269 /// every tick is skipped (deleted ≠ dormant: a campaign that
5270 /// ended stays inspectable and can be re-armed by editing the
5271 /// window). Checked at tick time on both the backend scheduler
5272 /// and the agent's local scheduler.
5273 #[serde(default, skip_serializing_if = "Active::is_empty")]
5274 pub active: Active,
5275 /// #418 operational constraints gating *when within an active
5276 /// period* a fire may happen: a maintenance `window`, a fleet
5277 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
5278 /// wall-clock ones are evaluated in the schedule's `tz`; future
5279 /// `require` (env gates) lands in the same namespace. Checked at
5280 /// tick time on both schedulers (and surfaced by `preview`).
5281 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
5282 pub constraints: Constraints,
5283 /// #418 Phase 4: what to do after a fire's script comes back
5284 /// failed. Currently just `retry` (fixed-backoff in-process
5285 /// re-run); future `notify` / `disable` join the same namespace.
5286 /// Applied fire-side in `handle_command` (the retry policy is
5287 /// lowered onto every Command this schedule produces), so it
5288 /// covers both `runs_on` locations.
5289 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
5290 pub on_failure: OnFailure,
5291 /// #418 Phase 2: the timezone this schedule's wall-clock fields
5292 /// are evaluated in — both the calendar `at` firing time AND the
5293 /// `active.{from,until}` window bounds. `local` (default) = the
5294 /// running host's TZ (the agent's for `runs_on: agent`, the
5295 /// backend server's otherwise); `utc` for TZ-independent
5296 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
5297 /// for firing (poll cron runs every minute regardless) but still
5298 /// honor it for the `active` window.
5299 #[serde(default)]
5300 pub tz: ScheduleTz,
5301 /// v0.22: optional humantime window after a cron tick during
5302 /// which the Command is still considered "live". The scheduler
5303 /// computes `tick_at + starting_deadline` and stamps it onto
5304 /// each Command as `deadline_at`; agents skip Commands they
5305 /// receive after that absolute time. `None` (default) = no
5306 /// deadline, meaning a Command queued in the broker / stream
5307 /// during agent downtime runs whenever the agent reconnects —
5308 /// good for kitting / inventory / cleanup. Set this for
5309 /// time-of-day notifications, lunch reminders, etc., where
5310 /// "fire 3 hours late" would be wrong.
5311 #[serde(default, skip_serializing_if = "Option::is_none")]
5312 pub starting_deadline: Option<String>,
5313 /// v0.23: where does the cron tick happen? `Backend` (default,
5314 /// historical) = backend's scheduler fires Commands via NATS;
5315 /// agents passively receive. `Agent` = each targeted agent runs
5316 /// its own internal cron and fires locally, so the schedule
5317 /// keeps ticking even when the broker is unreachable (laptop on
5318 /// the train, broker maintenance window, full WAN outage). The
5319 /// two locations are mutually exclusive — when `Agent`, the
5320 /// backend scheduler stays out and just keeps the definition in
5321 /// KV for agents to read.
5322 #[serde(default)]
5323 pub runs_on: RunsOn,
5324 #[serde(default = "default_true")]
5325 pub enabled: bool,
5326 /// Free-form operator taxonomy for the Schedules page — the
5327 /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
5328 /// code ref rather than an intra-doc link, since that field isn't
5329 /// on this branch until #640 merges). Purely a SPA-side
5330 /// organisational aid (search / filter chips alongside the
5331 /// id-prefix grouping); the scheduler never reads it, so any
5332 /// string is allowed and it carries no firing semantics. A
5333 /// schedule's own tags are independent of its job's: the same job
5334 /// may back a `weekly` maintenance schedule and a `canary` rollout
5335 /// schedule. Empty by default and `skip_serializing_if`-elided per
5336 /// the #492 gradual-upgrade wire rule.
5337 #[serde(default, skip_serializing_if = "Vec::is_empty")]
5338 pub tags: Vec<String>,
5339 /// GitOps provenance (#695) — see [`RepoOrigin`]. Stamped by
5340 /// `kanade schedule create` when the source YAML lives inside a Git
5341 /// work tree, so the SPA renders the schedule read-only and points
5342 /// edits back at the repo (SPEC design principle #3: 設定駆動 YAML +
5343 /// Git), parity with a job's [`Manifest::origin`]. `None` for
5344 /// SPA-born schedules and ones applied from outside any repo. Purely
5345 /// informational — the scheduler never reads it. New field ⇒ #492
5346 /// wire rule (`default` + `skip_serializing_if`).
5347 #[serde(default, skip_serializing_if = "Option::is_none")]
5348 pub origin: Option<RepoOrigin>,
5349}
5350
5351/// v0.23 — where the cron tick fires from.
5352#[derive(
5353 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
5354)]
5355#[serde(rename_all = "snake_case")]
5356pub enum RunsOn {
5357 /// Backend's central scheduler ticks and publishes Commands to
5358 /// NATS. Historical default, what every pre-v0.23 schedule
5359 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
5360 /// reconnects ⇒ catch-up via [`command_replay`](crate)
5361 /// (see kanade-agent's command_replay module).
5362 #[default]
5363 Backend,
5364 /// Each targeted agent runs the cron tick locally. Survives
5365 /// broker / WAN outages. Best for laptops / mobile devices that
5366 /// roam off the corporate network. Agent must be online for the
5367 /// initial schedule + job-catalog pull, but once cached the
5368 /// agent fires the script standalone.
5369 Agent,
5370}
5371
5372/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
5373#[derive(
5374 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
5375)]
5376#[serde(rename_all = "snake_case")]
5377pub enum ExecMode {
5378 /// Fire on every cron tick at the whole target. Historical
5379 /// (pre-v0.19) behavior; no dedup.
5380 #[default]
5381 EveryTick,
5382 /// Fire at each pc until that pc succeeds; then skip it until
5383 /// the optional cooldown elapses (or forever if no cooldown).
5384 /// Use for kitting / first-boot / per-pc compliance checks.
5385 OncePerPc,
5386 /// Fire at the whole target until **any** pc succeeds; then
5387 /// skip the whole target until the optional cooldown elapses
5388 /// (or forever if no cooldown). Use for "one delegate is
5389 /// enough" tasks like license check-in.
5390 OncePerTarget,
5391 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
5392 /// no cron — the agent fires it from an OS event source (boot /
5393 /// session-change), not a tick — so the scheduler skips
5394 /// `tokio-cron` registration for it. Each event occurrence fires
5395 /// once, gated by the standard freeze / active / window /
5396 /// skip_dates checks.
5397 Event,
5398}
5399
5400/// #418 Phase 1 — the single "when does this fire" axis.
5401///
5402/// Replaces the old `cron` + `mode` + `cooldown` trio whose
5403/// interactions were implicit (cron doubled as both a real
5404/// time-of-day trigger and a reconcile poll period; contradictory
5405/// combinations silently no-opped). Two shapes:
5406///
5407/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
5408/// pc (or one delegate) should have run this within `every`".
5409/// The poll period is system-generated ([`POLL_CRON`], every
5410/// minute) and no longer the operator's concern.
5411/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
5412/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
5413/// the whole target at the given time, no dedup. `at: "09:00"` +
5414/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
5415/// exactly once. Evaluated in the schedule's top-level `tz`.
5416#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5417#[serde(rename_all = "snake_case")]
5418pub enum When {
5419 /// Fire at each targeted pc: `once` (kitting — succeed once,
5420 /// skip forever, forever catching brand-new / re-imaged pcs)
5421 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
5422 /// the interval).
5423 PerPc(PerPolicy),
5424 /// Fire until **any** one pc of the target succeeds, then skip
5425 /// the whole target (`once`) or re-arm after `every`. Needs
5426 /// fleet-wide completion data, so it is backend-only —
5427 /// `runs_on: agent` + `per_target` is rejected by
5428 /// [`Schedule::validate`].
5429 PerTarget(PerPolicy),
5430 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
5431 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
5432 /// the whole target at that wall-clock time in the schedule's
5433 /// `tz` — no dedup, no cooldown.
5434 Calendar(CalendarSpec),
5435 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
5436 /// Fires when the agent observes the listed OS event(s) rather than
5437 /// on a clock — there is no cron. `runs_on: agent` only (the agent
5438 /// owns the event source); [`Schedule::validate`] rejects it on
5439 /// `backend` and rejects an empty list. Each event occurrence fires
5440 /// once, gated by the same freeze / active / `constraints.window` /
5441 /// `skip_dates` checks as the cron path. `startup` fires once per OS
5442 /// boot (deduped via the host boot time); a `starting_deadline`, if
5443 /// set, limits it to "agent came up within that long after boot".
5444 On(Vec<OnTrigger>),
5445}
5446
5447/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
5448#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
5449#[serde(rename_all = "snake_case")]
5450pub enum OnTrigger {
5451 /// Once per OS boot (the agent's first run for that boot). Catches
5452 /// freshly-imaged / reinstalled hosts at their next startup.
5453 Startup,
5454 /// On an interactive-session user logon — console, RDP, or
5455 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
5456 /// service / network / batch logons (no interactive session).
5457 Logon,
5458 /// When the workstation is locked (Win+L / idle lock; Windows
5459 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
5460 Lock,
5461 /// When the workstation is unlocked — the user returns to a locked
5462 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
5463 /// compliance / refresh state when work resumes.
5464 Unlock,
5465 /// When the host's network changes — IP address table change on
5466 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
5467 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
5468 /// from one transition fires once after the network settles), so
5469 /// use it for "re-check connectivity / re-register on network move"
5470 /// rather than expecting one fire per raw adapter event.
5471 ///
5472 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
5473 /// transition that touches only IPv6 addresses won't fire. In practice
5474 /// dual-stack networks change both tables together, but a pure-IPv6
5475 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
5476 NetworkChange,
5477}
5478
5479/// Calendar time trigger (#418 Phase 2). `at` is either a time of
5480/// day (`"HH:MM"`, repeating — combine with `days`) or a full
5481/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
5482/// never again). Evaluated in the schedule's top-level `tz`.
5483#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5484pub struct CalendarSpec {
5485 /// `"HH:MM"` (24h) for a repeating trigger, or
5486 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
5487 /// accepted) for a one-shot. Parsed lazily —
5488 /// [`Schedule::validate`] rejects garbage at create time.
5489 pub at: String,
5490 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
5491 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
5492 /// field, so ranges and names both work). An **nth-weekday**
5493 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
5494 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
5495 /// `["friL"]` fires only on the last Friday of each month (handy
5496 /// for monthly maintenance). Empty = every day. Must be empty
5497 /// when `at` carries a date (the date already pins the day).
5498 #[serde(default, skip_serializing_if = "Vec::is_empty")]
5499 pub days: Vec<String>,
5500}
5501
5502/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
5503/// date for a one-shot (`None` = repeating time-of-day).
5504struct ParsedAt {
5505 minute: u32,
5506 hour: u32,
5507 date: Option<chrono::NaiveDate>,
5508}
5509
5510impl CalendarSpec {
5511 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
5512 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
5513 fn parse_at(&self) -> Result<ParsedAt, String> {
5514 use chrono::Timelike;
5515 let s = self.at.trim();
5516 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
5517 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
5518 return Ok(ParsedAt {
5519 minute: dt.minute(),
5520 hour: dt.hour(),
5521 date: Some(dt.date()),
5522 });
5523 }
5524 }
5525 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
5526 return Ok(ParsedAt {
5527 minute: t.minute(),
5528 hour: t.hour(),
5529 date: None,
5530 });
5531 }
5532 Err(format!(
5533 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
5534 self.at
5535 ))
5536 }
5537
5538 /// Pre-flight check on the `days` tokens so a bad day name gives
5539 /// a `when.days:`-scoped error instead of croner's confusing
5540 /// "when.at lowered to invalid cron" (claude #432 review). Each
5541 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
5542 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
5543 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
5544 /// **last-weekday** like `friL` (last Friday of the month).
5545 fn validate_days(&self) -> Result<(), String> {
5546 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
5547 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
5548 for tok in &self.days {
5549 // Report the whole token on a malformed range like `mon-`
5550 // (which would otherwise split to a cryptic empty part —
5551 // claude #432 follow-up).
5552 let invalid = |reason: &str| {
5553 Err(format!(
5554 "when.days: invalid day token '{tok}' ({reason}; \
5555 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
5556 like tue#2, a last-weekday like friL, or *)"
5557 ))
5558 };
5559 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
5560 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
5561 // `to_cron` passes the token through verbatim, so the
5562 // engine fires only on that occurrence. It's a single
5563 // weekday + ordinal — not combinable with a range.
5564 if let Some((day_part, nth_part)) = tok.split_once('#') {
5565 // Normalize once and use `d` consistently (gemini #547);
5566 // the outer `invalid` already echoes the raw `tok`.
5567 let d = day_part.trim().to_ascii_lowercase();
5568 if d.contains('-') || !is_day(&d) {
5569 return invalid("the part before # must be a single weekday");
5570 }
5571 match nth_part.trim().parse::<u8>() {
5572 Ok(n) if (1..=5).contains(&n) => {}
5573 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
5574 }
5575 continue;
5576 }
5577 // #418: last-weekday suffix (`friL` = last Friday of the
5578 // month — the monthly-maintenance sibling of Patch Tuesday).
5579 // Croner accepts `<dow>L` in the DOW field with verified
5580 // last-<dow>-of-month semantics, and `to_cron` passes it
5581 // through verbatim. A single weekday + `L` — bare `L` and
5582 // ranges are rejected (croner would read bare `L` as
5583 // Saturday, which is a confusing footgun).
5584 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
5585 // No `.trim()`: a cron DOW token can't carry internal
5586 // whitespace, so `"fri L"` must be *rejected* here (its
5587 // strip leaves `"fri "`, and `is_day` catches the space)
5588 // rather than trimmed into a clean `"fri"` that then
5589 // produces a malformed `fri L` cron downstream and a
5590 // confusing croner error (gemini #560).
5591 let d = day_part.to_ascii_lowercase();
5592 if d.is_empty() {
5593 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
5594 }
5595 if d.contains('-') || !is_day(&d) {
5596 return invalid(
5597 "the part before L must be a single weekday (e.g. friL = last Friday)",
5598 );
5599 }
5600 continue;
5601 }
5602 for part in tok.split('-') {
5603 let p = part.trim().to_ascii_lowercase();
5604 if p.is_empty() {
5605 return invalid("empty range bound");
5606 }
5607 if p != "*" && !is_day(&p) {
5608 return invalid(&format!("'{part}' is not a day"));
5609 }
5610 }
5611 }
5612 Ok(())
5613 }
5614
5615 /// For a one-shot (`at` carries a date), the absolute instant it
5616 /// fires in `tz`. `None` for a repeating calendar. Used to warn
5617 /// about a one-shot whose date is already in the past (it would
5618 /// never fire).
5619 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
5620 let p = self.parse_at().ok()?;
5621 let date = p.date?;
5622 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
5623 tz.naive_to_utc(naive)
5624 }
5625
5626 /// The wall-clock time-of-day this calendar fires at (`None` if
5627 /// `at` is unparseable — validate() guards that). Used to detect
5628 /// a calendar whose fire time can never fall inside its
5629 /// `constraints.window` (claude #452 review).
5630 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
5631 let p = self.parse_at().ok()?;
5632 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
5633 }
5634
5635 /// Lower to the cron string the scheduler engine runs. Repeating
5636 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
5637 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
5638 /// fires — that's what makes it one-shot).
5639 fn to_cron(&self) -> Result<String, String> {
5640 use chrono::Datelike;
5641 let ParsedAt { minute, hour, date } = self.parse_at()?;
5642 match date {
5643 Some(d) => {
5644 if !self.days.is_empty() {
5645 return Err(
5646 "when.at with a date is a one-shot and cannot be combined with days".into(),
5647 );
5648 }
5649 Ok(format!(
5650 "0 {minute} {hour} {} {} * {}",
5651 d.day(),
5652 d.month(),
5653 d.year()
5654 ))
5655 }
5656 None => {
5657 let dow = if self.days.is_empty() {
5658 "*".to_string()
5659 } else {
5660 self.validate_days()?;
5661 self.days.join(",")
5662 };
5663 Ok(format!("0 {minute} {hour} * * {dow}"))
5664 }
5665 }
5666 }
5667}
5668
5669/// The timezone a schedule's wall-clock fields (`when.at`,
5670/// `active.{from,until}`) are evaluated in (#418 Phase 2).
5671#[derive(
5672 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
5673)]
5674#[serde(rename_all = "snake_case")]
5675pub enum ScheduleTz {
5676 /// The running host's local timezone — the agent's for
5677 /// `runs_on: agent`, the backend server's otherwise. Default.
5678 #[default]
5679 Local,
5680 /// UTC — for timezone-independent schedules.
5681 Utc,
5682}
5683
5684impl ScheduleTz {
5685 /// Interpret a naive (zoneless) datetime as being in this tz and
5686 /// convert to UTC. On a DST *fold* (the local time occurs twice
5687 /// when clocks go back) we pick `.earliest()` rather than
5688 /// rejecting it; `None` is reserved for a true DST *gap* (a local
5689 /// time that never exists). `Utc` is fixed-offset so neither ever
5690 /// happens; `Local` is whatever timezone the running host is set
5691 /// to and *can* hit a gap/fold on any DST-observing host — not
5692 /// just the JST we run today (gemini + claude #432 review).
5693 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
5694 use chrono::TimeZone;
5695 match self {
5696 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
5697 naive,
5698 chrono::Utc,
5699 )),
5700 ScheduleTz::Local => chrono::Local
5701 .from_local_datetime(&naive)
5702 .earliest()
5703 .map(|dt| dt.with_timezone(&chrono::Utc)),
5704 }
5705 }
5706
5707 /// The wall-clock time-of-day `now` reads as in this tz — used by
5708 /// [`Constraints::allows`] to test a maintenance window
5709 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
5710 /// running host's local time.
5711 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
5712 match self {
5713 ScheduleTz::Utc => now.time(),
5714 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
5715 }
5716 }
5717
5718 /// The wall-clock *date* `now` reads as in this tz — used by
5719 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
5720 /// exclusion). Same tz semantics as [`Self::wall_time`].
5721 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
5722 match self {
5723 ScheduleTz::Utc => now.date_naive(),
5724 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
5725 }
5726 }
5727
5728 /// Stable lowercase wire/display label (`local` / `utc`) — matches
5729 /// the serde `snake_case` representation. Used for the preview
5730 /// response's `tz` field so the JSON shape isn't coupled to the
5731 /// `Debug` repr (claude #578 review).
5732 pub fn as_str(self) -> &'static str {
5733 match self {
5734 ScheduleTz::Local => "local",
5735 ScheduleTz::Utc => "utc",
5736 }
5737 }
5738}
5739
5740impl std::fmt::Display for ScheduleTz {
5741 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5742 f.write_str(self.as_str())
5743 }
5744}
5745
5746/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
5747/// `per_target`. Untagged so the YAML stays the bare keyword or a
5748/// one-key map, nothing more ceremonial.
5749#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5750#[serde(untagged)]
5751pub enum PerPolicy {
5752 /// The bare string `once`: succeed once, then skip permanently
5753 /// (cooldown = infinity).
5754 Once(OnceLiteral),
5755 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
5756 Every(EverySpec),
5757}
5758
5759/// Single-variant enum so serde accepts exactly the string `once`
5760/// (a free-form `String` would swallow typos like `onec`).
5761#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
5762#[serde(rename_all = "snake_case")]
5763pub enum OnceLiteral {
5764 Once,
5765}
5766
5767/// `{ every: <humantime> }`. Standalone struct (not an inline
5768/// struct variant). `{ evry: 6h }` still fails to parse (the
5769/// required `every` key is missing), and the create boundaries
5770/// reject the unknown `evry` via [`crate::strict`] with its path —
5771/// while agents reading a future writer's extra fields tolerate
5772/// them (#492).
5773#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5774pub struct EverySpec {
5775 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
5776 /// [`Schedule::validate`] rejects garbage at create time.
5777 pub every: String,
5778}
5779
5780impl PerPolicy {
5781 /// The cooldown this policy lowers to: `once` = `None`
5782 /// (permanent skip), `every` = the interval.
5783 fn cooldown(&self) -> Option<String> {
5784 match self {
5785 PerPolicy::Once(_) => None,
5786 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
5787 }
5788 }
5789}
5790
5791impl std::fmt::Display for When {
5792 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
5793 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
5794 /// lines, audit payloads and the API's `ScheduleSummary`.
5795 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
5796 let policy = |p: &PerPolicy| match p {
5797 PerPolicy::Once(_) => "once".to_string(),
5798 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
5799 };
5800 match self {
5801 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
5802 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
5803 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
5804 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
5805 When::On(triggers) => {
5806 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
5807 write!(f, "on [{}]", names.join(","))
5808 }
5809 }
5810 }
5811}
5812
5813impl OnTrigger {
5814 /// Lowercase wire/display label (matches the serde `snake_case`).
5815 pub fn as_str(self) -> &'static str {
5816 match self {
5817 OnTrigger::Startup => "startup",
5818 OnTrigger::Logon => "logon",
5819 OnTrigger::Lock => "lock",
5820 OnTrigger::Unlock => "unlock",
5821 OnTrigger::NetworkChange => "network_change",
5822 }
5823 }
5824}
5825
5826/// Optional validity window for a [`Schedule`] (#418 decision G).
5827/// Half-open `[from, until)`; either bound may be omitted. Bounds
5828/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
5829/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
5830/// strings so the JSON Schema the SPA editor consumes stays two
5831/// plain string fields, mirroring `jitter` / `starting_deadline`.
5832///
5833/// #418 Phase 2: bounds are evaluated in the schedule's top-level
5834/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
5835/// calendar `at` AND the `active` window local — one consistent
5836/// timezone per schedule.
5837#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
5838pub struct Active {
5839 /// Dormant before this instant.
5840 #[serde(default, skip_serializing_if = "Option::is_none")]
5841 pub from: Option<String>,
5842 /// Dormant from this instant on (exclusive).
5843 #[serde(default, skip_serializing_if = "Option::is_none")]
5844 pub until: Option<String>,
5845}
5846
5847impl Active {
5848 /// `skip_serializing_if` helper — an empty window means "always
5849 /// active" and is omitted from the wire format entirely.
5850 pub fn is_empty(&self) -> bool {
5851 self.from.is_none() && self.until.is_none()
5852 }
5853
5854 /// Parse one bound: RFC3339 first (offset honored, `tz`
5855 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
5856 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
5857 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
5858 return Ok(dt.with_timezone(&chrono::Utc));
5859 }
5860 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
5861 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
5862 return tz.naive_to_utc(midnight).ok_or_else(|| {
5863 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
5864 });
5865 }
5866 Err(format!(
5867 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
5868 ))
5869 }
5870
5871 /// Is `now` inside the window? Unparseable bounds are treated
5872 /// as absent here (fail-open) — [`Schedule::validate`] is the
5873 /// place that rejects them loudly; this runs on every tick and
5874 /// must never panic on a stale KV blob.
5875 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
5876 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
5877 if bound(&self.from).is_some_and(|from| now < from) {
5878 return false;
5879 }
5880 if bound(&self.until).is_some_and(|until| now >= until) {
5881 return false;
5882 }
5883 true
5884 }
5885}
5886
5887/// Host-environment gate (#418 `constraints.require`). Fire only when
5888/// the target host is in the required state. Sensed **in-process by the
5889/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
5890/// read a target host's power/idle state ([`Schedule::validate`]
5891/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
5892///
5893/// Evaluated at fire time as a skip-this-tick gate (NOT in
5894/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
5895/// cadence re-checks every minute (so it effectively defers until the
5896/// state is met — the intended pairing); a `calendar` fire that lands
5897/// while the state is unmet is simply missed, same as `window`. It is
5898/// therefore a *runtime* gate and does not appear in `preview`.
5899// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
5900#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
5901pub struct Require {
5902 /// Fire only while on **AC power** (skip on battery). Reads
5903 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
5904 /// as not-on-AC (fail-closed — a restrictive gate must not fire
5905 /// when it can't confirm the condition). `false` (default) = no
5906 /// power requirement.
5907 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
5908 pub ac_power: bool,
5909 /// Fire only when the active console session has had **no keyboard /
5910 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
5911 /// "don't run while the user is actively working". Input-based
5912 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
5913 /// headless / disconnected console (no interactive user) trivially
5914 /// satisfies it. `None` (default) = no idle requirement. Parsed
5915 /// lazily; [`Schedule::validate`] rejects garbage at create time.
5916 #[serde(default, skip_serializing_if = "Option::is_none")]
5917 pub idle: Option<String>,
5918 /// Fire only when the **whole-machine CPU usage is below this
5919 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
5920 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
5921 /// sample (`sysinfo` mean over cores), so the reading is up to one
5922 /// `host_perf` cadence old (default 60s) — fine as a "generally
5923 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
5924 /// needs two samples). An unavailable sample (host_perf not warmed
5925 /// up yet, or stale) is treated as "not below" (fail-closed — a
5926 /// restrictive gate must not fire when it can't confirm). `None`
5927 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
5928 /// out-of-range value at create time.
5929 #[serde(default, skip_serializing_if = "Option::is_none")]
5930 pub cpu_below: Option<f64>,
5931 /// Fire only when the host has **internet connectivity** (Windows
5932 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
5933 /// until online" for jobs that download / phone home. A captive
5934 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
5935 /// unknown/unreadable state is treated as offline (fail-closed) — a
5936 /// portal would just fail a download, so we hold the run. For VPN /
5937 /// SASE / app-specific conditions, use a custom script gate (separate
5938 /// slice). `false` (default) = no network requirement.
5939 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
5940 pub network: bool,
5941}
5942
5943impl Require {
5944 /// `skip_serializing_if` helper for an embedded empty `require`.
5945 pub fn is_empty(&self) -> bool {
5946 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
5947 }
5948
5949 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
5950 /// unparseable value — `validate` rejects the latter at create time).
5951 pub fn min_idle(&self) -> Option<std::time::Duration> {
5952 self.idle
5953 .as_deref()
5954 .and_then(|s| humantime::parse_duration(s.trim()).ok())
5955 }
5956
5957 /// First unparseable field for create-time rejection (mirrors
5958 /// [`Constraints::bad_skip_date`]).
5959 pub fn bad_idle(&self) -> Option<String> {
5960 self.idle.as_deref().and_then(|s| {
5961 humantime::parse_duration(s.trim())
5962 .err()
5963 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
5964 })
5965 }
5966}
5967
5968/// Host-environment state sensed by the agent, fed to [`require_met`].
5969/// A named struct (not positional args) so the growing set of sensed
5970/// signals — several of them `bool` — can't be transposed at a call
5971/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
5972#[derive(Debug, Clone, Copy, Default)]
5973pub struct EnvState {
5974 /// Is the host on AC power (`false` if on battery or unreadable).
5975 pub ac_online: bool,
5976 /// How long the console has been idle (`None` = couldn't determine).
5977 pub idle: Option<std::time::Duration>,
5978 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
5979 pub cpu_pct: Option<f64>,
5980 /// Does the host have internet connectivity (`false` if offline /
5981 /// LAN-only / unreadable).
5982 pub network_up: bool,
5983}
5984
5985/// Pure env-gate decision (#418 `constraints.require`). The Win32
5986/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
5987/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
5988/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
5989/// pure and `preview` never evaluates a runtime gate. Each set
5990/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
5991pub fn require_met(req: &Require, env: &EnvState) -> bool {
5992 if req.ac_power && !env.ac_online {
5993 return false;
5994 }
5995 if let Some(min) = req.min_idle() {
5996 match env.idle {
5997 Some(d) if d >= min => {}
5998 _ => return false,
5999 }
6000 }
6001 if let Some(max) = req.cpu_below {
6002 match env.cpu_pct {
6003 Some(p) if p < max => {}
6004 _ => return false,
6005 }
6006 }
6007 if req.network && !env.network_up {
6008 return false;
6009 }
6010 true
6011}
6012
6013/// [`Active`] decides *over what date range* a schedule is live,
6014/// `Constraints` decides *when, within an active period,* a fire is
6015/// allowed: `window` (a maintenance time-of-day window),
6016/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
6017/// (holiday exclusion) and `require` (host-environment gates, agent-only
6018/// — see [`Require`]).
6019// No `Eq`: contains `require: Option<Require>` which holds an f64.
6020#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
6021pub struct Constraints {
6022 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
6023 /// `tz`). Fires outside it are skipped — mainly for reconcile
6024 /// cadences ("patrol every 6h, but only fire overnight") and
6025 /// daytime change-freezes. `start > end` crosses midnight
6026 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
6027 /// lazily; [`Schedule::validate`] rejects garbage at create time.
6028 #[serde(default, skip_serializing_if = "Option::is_none")]
6029 pub window: Option<String>,
6030 /// Fleet-wide cap on how many instances of this schedule's job may
6031 /// run **at the same time** (#418 "同時実行ハード上限"). The
6032 /// backend scheduler counts the job's still-in-flight runs
6033 /// (`execution_results.finished_at IS NULL`) each tick and only
6034 /// dispatches to as many remaining pcs as there are free slots —
6035 /// a rolling window that refills as runs complete. Useful for
6036 /// disk/CPU/network-heavy jobs you don't want hammering the whole
6037 /// fleet at once.
6038 ///
6039 /// **Backend-only** (it needs a central counter): combining it
6040 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
6041 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
6042 /// for `per_pc` reconcile cadences, where the poll re-ticks and
6043 /// refills slots. `None` (default) = no cap.
6044 #[serde(default, skip_serializing_if = "Option::is_none")]
6045 pub max_concurrent: Option<u32>,
6046 /// Calendar dates the schedule must **not** fire on — holidays,
6047 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
6048 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
6049 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
6050 /// the whole day; a calendar fire landing on the date is
6051 /// suppressed) and is honored by both the live scheduler and
6052 /// `preview`, since both gate on [`Constraints::allows`]. Empty
6053 /// (default) = no skips. Operator-supplied: there is no built-in
6054 /// holiday calendar — list the dates you care about. Parsed lazily;
6055 /// [`Schedule::validate`] rejects a malformed date at create time.
6056 #[serde(default, skip_serializing_if = "Vec::is_empty")]
6057 pub skip_dates: Vec<String>,
6058 /// Host-environment gate (#418): fire only when the target host is
6059 /// in the required state (on AC power, idle). Agent-sensed at fire
6060 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
6061 /// no environment requirement.
6062 #[serde(default, skip_serializing_if = "Option::is_none")]
6063 pub require: Option<Require>,
6064}
6065
6066impl Constraints {
6067 /// `skip_serializing_if` helper — empty constraints are omitted
6068 /// from the wire format entirely.
6069 pub fn is_empty(&self) -> bool {
6070 self.window.is_none()
6071 && self.max_concurrent.is_none()
6072 && self.skip_dates.is_empty()
6073 && self.require.as_ref().is_none_or(Require::is_empty)
6074 }
6075
6076 /// The first unparseable `skip_dates` entry, if any — the
6077 /// scheduler logs it at register time so a fail-closed
6078 /// (never-firing) schedule from a hand-edited KV blob is
6079 /// diagnosable, mirroring [`Schedule::bad_window`].
6080 pub fn bad_skip_date(&self) -> Option<String> {
6081 self.skip_dates.iter().find_map(|s| {
6082 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
6083 .err()
6084 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
6085 })
6086 }
6087
6088 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
6089 /// error (a zero-width or all-day window is ambiguous — write no
6090 /// window for "always").
6091 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
6092 let (a, b) = s
6093 .split_once('-')
6094 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
6095 let parse = |part: &str| {
6096 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
6097 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
6098 };
6099 let (start, end) = (parse(a)?, parse(b)?);
6100 if start == end {
6101 return Err(format!(
6102 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
6103 ));
6104 }
6105 Ok((start, end))
6106 }
6107
6108 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
6109 /// always allowed. Half-open `[start, end)`; `start > end`
6110 /// crosses midnight.
6111 ///
6112 /// **Fail-closed** on an unparseable window (returns `false`,
6113 /// gemini #452 review): a window is a *restrictive* constraint
6114 /// (change-freeze / overnight-only), so a corrupt one must NOT
6115 /// silently allow fires during the restricted hours. Bad windows
6116 /// are rejected at create time by [`Schedule::validate`]; this
6117 /// only bites a hand-edited KV blob, where blocking is the safe
6118 /// direction. The scheduler warns at register time
6119 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
6120 /// The tick path never panics regardless.
6121 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
6122 // #418 holiday / blackout dates: never fire on a listed wall
6123 // date (in `tz`). Checked before the window since a skipped day
6124 // overrides any within-window allowance. Fail-closed on a
6125 // corrupt entry (same posture as `window`): a skip date is a
6126 // *restrictive* constraint, so a garbled one must not silently
6127 // re-enable fires — it blocks until fixed (`validate` rejects it
6128 // at create time; `bad_skip_date` lets the scheduler warn).
6129 if !self.skip_dates.is_empty() {
6130 let today = tz.wall_date(now);
6131 let blocked = self.skip_dates.iter().any(|s| {
6132 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
6133 Ok(d) => d == today,
6134 Err(_) => true, // corrupt entry → fail-closed (block)
6135 }
6136 });
6137 if blocked {
6138 return false;
6139 }
6140 }
6141 match self.window.as_deref() {
6142 // No window → always allowed.
6143 None => true,
6144 // Window set: membership, or fail-closed if unparseable
6145 // (`window_contains` returns None for a corrupt window).
6146 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
6147 }
6148 }
6149
6150 /// Membership of a wall-clock time-of-day in the window. `None`
6151 /// when there is no window or it's unparseable (callers decide
6152 /// the failure direction). `start > end` crosses midnight.
6153 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
6154 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
6155 Some(if start <= end {
6156 start <= t && t < end
6157 } else {
6158 t >= start || t < end
6159 })
6160 }
6161}
6162
6163/// What to do when a fire's script fails (#418 Phase 4 — the "高"
6164/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
6165/// happens, `OnFailure` decides what happens *after* one ran and
6166/// came back bad. Only `retry` so far; future `notify` / `disable`
6167/// would join the same namespace.
6168#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
6169pub struct OnFailure {
6170 /// Re-run the script in-process when it exits non-zero (or times
6171 /// out), up to a cap, with a fixed backoff between attempts.
6172 /// `None` (default) = no retry: a failed run is published as-is
6173 /// and (for reconcile cadences) simply re-fires on the next poll
6174 /// tick. See [`Retry`].
6175 #[serde(default, skip_serializing_if = "Option::is_none")]
6176 pub retry: Option<Retry>,
6177}
6178
6179impl OnFailure {
6180 /// `skip_serializing_if` helper — an empty policy is omitted from
6181 /// the wire format entirely.
6182 pub fn is_empty(&self) -> bool {
6183 self.retry.is_none()
6184 }
6185
6186 /// Lower the operator-facing `retry` (humantime backoff) onto the
6187 /// engine vocabulary the agent's executor runs on (backoff in
6188 /// whole seconds). Single seam shared by the backend command
6189 /// builder and the agent's local scheduler so the two stamp the
6190 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
6191 /// `None` when there is no retry policy or the backoff is
6192 /// unparseable (validate() rejects the latter at create time;
6193 /// this stays fail-safe = "no retry" for a hand-edited KV blob
6194 /// rather than panicking on the fire path).
6195 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
6196 let r = self.retry.as_ref()?;
6197 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
6198 Some(crate::wire::RetrySpec {
6199 max: r.max,
6200 backoff_secs,
6201 })
6202 }
6203}
6204
6205/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
6206/// *additional* attempts after the first run (so `max: 3` = up to 4
6207/// total executions); `backoff` is the humantime delay slept between
6208/// attempts. The retry happens fire-side (inside `kanade fire` /
6209/// `handle_command`) on every OS for the PoC — the Windows-native
6210/// "restart on failure" Task Scheduler path is deferred to the
6211/// native-delegation phase (#418 decision H).
6212#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
6213pub struct Retry {
6214 /// Max additional attempts after the first failure. Bounded
6215 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
6216 /// with a short backoff would otherwise pin a flapping script in
6217 /// a tight loop for the whole window.
6218 pub max: u32,
6219 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
6220 pub backoff: String,
6221}
6222
6223/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
6224/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
6225/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
6226/// global* "stop all automated change" switch the operator flips
6227/// during an incident or a year-end change-freeze. It lives in its
6228/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
6229/// active, both the backend scheduler and every agent's local
6230/// scheduler skip *every* fire.
6231///
6232/// Shapes:
6233/// * `{}` (no bounds) — frozen indefinitely until the operator
6234/// clears it (incident "big red button").
6235/// * `{ from, until }` — frozen only within `[from, until)`,
6236/// evaluated in `tz` (planned change-freeze; auto-thaws).
6237///
6238/// The KV key being *absent* means "not frozen" — so clearing the
6239/// freeze is a KV delete, and `is_active` only ever runs on a freeze
6240/// the operator actually set.
6241#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
6242pub struct Freeze {
6243 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
6244 /// `tz`). `None` ⇒ frozen from the beginning of time.
6245 #[serde(default, skip_serializing_if = "Option::is_none")]
6246 pub from: Option<String>,
6247 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
6248 /// no scheduled end (manual clear required).
6249 #[serde(default, skip_serializing_if = "Option::is_none")]
6250 pub until: Option<String>,
6251 /// Operator-supplied note surfaced on the freeze-skip log and the
6252 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
6253 #[serde(default, skip_serializing_if = "Option::is_none")]
6254 pub reason: Option<String>,
6255 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
6256 /// carry their own offset). Defaults to host-local like a
6257 /// schedule's `tz`.
6258 #[serde(default)]
6259 pub tz: ScheduleTz,
6260}
6261
6262impl Freeze {
6263 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
6264 /// both absent) is frozen unconditionally; otherwise membership of
6265 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
6266 /// but **fails CLOSED** on an unparseable bound — a freeze is a
6267 /// safety switch, so a corrupt window (only reachable via a
6268 /// hand-edited KV blob; `validate` rejects it at set time) must
6269 /// mean "frozen", not "fire normally" (coderabbit #472). This is
6270 /// the one deliberate divergence from `active`'s fail-OPEN
6271 /// behaviour, where an unparseable bound dormant-skips a schedule.
6272 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
6273 // Parse a bound; an unparseable one short-circuits the whole
6274 // check to `true` (frozen) via the closure's `None` sentinel
6275 // handled below.
6276 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
6277 match s.as_deref() {
6278 None => Ok(None),
6279 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
6280 }
6281 };
6282 let (from, until) = match (bound(&self.from), bound(&self.until)) {
6283 (Ok(f), Ok(u)) => (f, u),
6284 // Any corrupt bound → fail closed (frozen).
6285 _ => return true,
6286 };
6287 if from.is_some_and(|f| now < f) {
6288 return false;
6289 }
6290 if until.is_some_and(|u| now >= u) {
6291 return false;
6292 }
6293 true
6294 }
6295
6296 /// Reject unparseable bounds / `from >= until` at set time (the
6297 /// API + CLI counterpart to [`Schedule::validate`]).
6298 pub fn validate(&self) -> Result<(), String> {
6299 let from = self
6300 .from
6301 .as_deref()
6302 .map(|s| Active::parse_bound(s, self.tz))
6303 .transpose()
6304 .map_err(|e| e.replace("active:", "freeze:"))?;
6305 let until = self
6306 .until
6307 .as_deref()
6308 .map(|s| Active::parse_bound(s, self.tz))
6309 .transpose()
6310 .map_err(|e| e.replace("active:", "freeze:"))?;
6311 if let (Some(f), Some(u)) = (from, until) {
6312 if f >= u {
6313 return Err(format!(
6314 "freeze.from ({}) must be strictly before freeze.until ({})",
6315 self.from.as_deref().unwrap_or_default(),
6316 self.until.as_deref().unwrap_or_default(),
6317 ));
6318 }
6319 }
6320 Ok(())
6321 }
6322}
6323
6324/// The system-generated poll cadence every reconcile-shaped `when`
6325/// lowers to. Operators never write this: the real inter-run
6326/// spacing is the `every` cooldown; this only bounds "how soon do
6327/// we notice somebody is due" (#418 decision B took the poll
6328/// period away from the operator).
6329pub const POLL_CRON: &str = "0 * * * * *";
6330
6331/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
6332/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
6333/// unchanged is what lets Phase 1 swap the operator surface without
6334/// touching the tick / dedup machinery.
6335pub struct Lowered {
6336 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
6337 /// reconcile shapes, a 6/7-field cron for calendar shapes.
6338 pub cron: String,
6339 /// Dedup semantics for `decide_fire`.
6340 pub mode: ExecMode,
6341 /// Humantime re-arm interval (`None` = succeed once, skip
6342 /// forever).
6343 pub cooldown: Option<String>,
6344 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
6345 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
6346 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
6347 /// so the same value drives the `active`-window check.
6348 pub tz: ScheduleTz,
6349}
6350
6351impl Schedule {
6352 /// The error message if this schedule's `constraints.window` is
6353 /// set but unparseable, else `None`. The scheduler logs this at
6354 /// register time so a fail-closed (never-firing) schedule from a
6355 /// hand-edited KV blob is diagnosable (gemini #452 review).
6356 pub fn bad_window(&self) -> Option<String> {
6357 let w = self.constraints.window.as_deref()?;
6358 Constraints::parse_window(w).err()
6359 }
6360
6361 /// True when this is a `calendar` schedule whose fire time can
6362 /// never fall inside its `constraints.window` — the cron fires,
6363 /// the window check rejects it, and (firing only at that
6364 /// time-of-day) it effectively never runs. An easy misconfig to
6365 /// set up by accident; the scheduler warns at register time
6366 /// (claude #452 review). Reconcile shapes poll every minute, so
6367 /// they always catch the window opening and aren't affected.
6368 pub fn calendar_outside_window(&self) -> bool {
6369 let When::Calendar(c) = &self.when else {
6370 return false;
6371 };
6372 let Some(t) = c.fire_time() else {
6373 return false;
6374 };
6375 matches!(self.constraints.window_contains(t), Some(false))
6376 }
6377
6378 /// Up to `count` future instants this schedule will fire, as
6379 /// absolute UTC, strictly after `now` — the dry-run / preview
6380 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
6381 /// schedules have discrete fire times; reconcile shapes
6382 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
6383 /// they return an empty vec and the caller describes the cadence
6384 /// instead. Occurrences outside the `active.{from,until}` window or
6385 /// the `constraints.window` are **skipped**, so the list reflects
6386 /// when the schedule will ACTUALLY run, not the raw cron ticks.
6387 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
6388 /// `Job::new_async_tz`, and with the same croner config the
6389 /// scheduler / [`Schedule::validate`] use, so a preview can never
6390 /// disagree with a real fire. A schedule that can never fire (a
6391 /// calendar time wholly outside its window, a past one-shot,
6392 /// `enabled: false` is *not* considered here — callers gate on
6393 /// `enabled` separately) yields an empty vec.
6394 pub fn preview_fires(
6395 &self,
6396 now: chrono::DateTime<chrono::Utc>,
6397 count: usize,
6398 ) -> Vec<chrono::DateTime<chrono::Utc>> {
6399 use croner::parser::{CronParser, Seconds};
6400 if !matches!(self.when, When::Calendar(_)) {
6401 return Vec::new();
6402 }
6403 // Same lowering + croner config as `next_calendar_fire` and the
6404 // live scheduler, so a preview can never disagree with a real
6405 // fire. `preview_fires` adds the N-occurrence walk and the
6406 // active / window filtering on top of that single seam.
6407 let lowered = self.lowered();
6408 let Ok(cron) = CronParser::builder()
6409 .seconds(Seconds::Required)
6410 .dom_and_dow(true)
6411 .build()
6412 .parse(&lowered.cron)
6413 else {
6414 return Vec::new();
6415 };
6416 let accept = |utc: chrono::DateTime<chrono::Utc>| {
6417 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
6418 };
6419 match self.tz {
6420 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
6421 ScheduleTz::Local => {
6422 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
6423 }
6424 }
6425 }
6426
6427 /// Walk croner forward from `after` collecting up to `count`
6428 /// accepted occurrences (converted to UTC). Generic over the tz the
6429 /// cron is evaluated in so `preview_fires` can run it in either
6430 /// `Utc` or `Local` without duplicating the loop.
6431 fn next_occurrences<Tz>(
6432 cron: &croner::Cron,
6433 after: chrono::DateTime<Tz>,
6434 count: usize,
6435 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
6436 ) -> Vec<chrono::DateTime<chrono::Utc>>
6437 where
6438 Tz: chrono::TimeZone,
6439 {
6440 // Bound the scan so an `active`/window dead-end (every future
6441 // tick rejected) can't spin forever: ~4096 raw ticks covers
6442 // >10y of a daily calendar while staying instant for croner.
6443 const SCAN_CAP: usize = 4096;
6444 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
6445 let mut cursor = after;
6446 let mut scanned = 0usize;
6447 while out.len() < count && scanned < SCAN_CAP {
6448 scanned += 1;
6449 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
6450 break;
6451 };
6452 let utc = next.with_timezone(&chrono::Utc);
6453 if accept(utc) {
6454 out.push(utc);
6455 }
6456 // `find_next_occurrence(.., inclusive = false)` already
6457 // advances strictly past `cursor`, so handing it `next`
6458 // verbatim gets the following occurrence — no manual +1s
6459 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
6460 cursor = next;
6461 }
6462 out
6463 }
6464
6465 /// Lower the operator-facing `when` onto the engine vocabulary.
6466 /// Single seam shared by the backend scheduler and the agent's
6467 /// local scheduler so the two can never drift.
6468 pub fn lowered(&self) -> Lowered {
6469 let tz = self.tz;
6470 match &self.when {
6471 When::PerPc(p) => Lowered {
6472 cron: POLL_CRON.into(),
6473 mode: ExecMode::OncePerPc,
6474 cooldown: p.cooldown(),
6475 tz,
6476 },
6477 When::PerTarget(p) => Lowered {
6478 cron: POLL_CRON.into(),
6479 mode: ExecMode::OncePerTarget,
6480 cooldown: p.cooldown(),
6481 tz,
6482 },
6483 // `to_cron` only fails on a malformed `at` (rejected by
6484 // validate() at create time). For a hand-edited KV blob
6485 // that slipped past, emit a deliberately-invalid cron so
6486 // register()'s Job::new_async_tz fails → warn+skip,
6487 // rather than firing at the wrong time.
6488 When::Calendar(c) => Lowered {
6489 cron: c
6490 .to_cron()
6491 .unwrap_or_else(|_| "# invalid calendar at".into()),
6492 mode: ExecMode::EveryTick,
6493 cooldown: None,
6494 tz,
6495 },
6496 // Event triggers have no cron — the agent fires them from an
6497 // OS event source. The `# event-trigger` cron is never
6498 // registered (the scheduler branches on `is_event()` first),
6499 // but keep it deliberately-invalid as a belt-and-suspenders
6500 // so a stray registration would fail rather than misfire.
6501 When::On(_) => Lowered {
6502 cron: "# event-trigger (no cron)".into(),
6503 mode: ExecMode::Event,
6504 cooldown: None,
6505 tz,
6506 },
6507 }
6508 }
6509
6510 /// True when this schedule fires from an OS event (`when: { on }`)
6511 /// rather than a clock — the agent skips `tokio-cron` registration
6512 /// for these and drives them from boot / session-change instead.
6513 pub fn is_event(&self) -> bool {
6514 matches!(self.when, When::On(_))
6515 }
6516
6517 /// The OS event triggers this schedule listens for, or `&[]` when it
6518 /// is not an event schedule.
6519 pub fn event_triggers(&self) -> &[OnTrigger] {
6520 match &self.when {
6521 When::On(t) => t,
6522 _ => &[],
6523 }
6524 }
6525
6526 /// The next absolute (UTC) time this schedule fires, or `None` when
6527 /// it has no discrete upcoming fire to preview.
6528 ///
6529 /// Used by the KLP `maintenance.list` preview ("what's about to
6530 /// happen on my PC", SPEC §2.1). Returns `None` for:
6531 ///
6532 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
6533 /// every-minute [`POLL_CRON`] and re-converge state continuously,
6534 /// so "next fire" is always ~60s away and means nothing to a user
6535 /// previewing upcoming maintenance;
6536 /// - a calendar schedule whose lowered cron won't parse (a
6537 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
6538 /// - a cron with no future occurrence.
6539 ///
6540 /// The wall-clock fire is evaluated in the schedule's own `tz`
6541 /// (matching the live tick's `Job::new_async_tz`) then normalised
6542 /// to UTC for the wire. `inclusive = false`: strictly the *next*
6543 /// fire after `now`, never one matching the current instant.
6544 pub fn next_calendar_fire(
6545 &self,
6546 now: chrono::DateTime<chrono::Utc>,
6547 ) -> Option<chrono::DateTime<chrono::Utc>> {
6548 if !matches!(self.when, When::Calendar(_)) {
6549 return None;
6550 }
6551 let lowered = self.lowered();
6552 // Same parser configuration tokio-cron-scheduler 0.15 uses
6553 // internally, so this can never compute a fire the live
6554 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
6555 let cron = croner::parser::CronParser::builder()
6556 .seconds(croner::parser::Seconds::Required)
6557 .dom_and_dow(true)
6558 .build()
6559 .parse(&lowered.cron)
6560 .ok()?;
6561 match lowered.tz {
6562 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
6563 ScheduleTz::Local => {
6564 let now_local = now.with_timezone(&chrono::Local);
6565 cron.find_next_occurrence(&now_local, false)
6566 .ok()
6567 .map(|t| t.with_timezone(&chrono::Utc))
6568 }
6569 }
6570 }
6571
6572 /// Cross-field semantic checks that don't fit pure serde derive
6573 /// — the [`Manifest::validate`] counterpart (#418 decision F;
6574 /// pre-Phase-1 a broken schedule was accepted at create time
6575 /// and silently warn-skipped at tick time). Run at every create
6576 /// site: `kanade schedule create` (client-side) and
6577 /// `POST /api/schedules`. The job_id-exists check lives in the
6578 /// API handler instead — it needs the JOBS KV.
6579 pub fn validate(&self) -> Result<(), String> {
6580 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
6581 return Err(
6582 "when.per_target needs fleet-wide completion data and is backend-only; \
6583 it cannot be combined with runs_on: agent (each agent self-schedules, \
6584 so per-target dedup would be deduping across a target of 1)"
6585 .into(),
6586 );
6587 }
6588 // #418 event triggers: the agent owns the OS event source
6589 // (boot / session-change), so `when: { on }` is agent-only and
6590 // needs at least one trigger.
6591 if let When::On(triggers) = &self.when {
6592 if !matches!(self.runs_on, RunsOn::Agent) {
6593 return Err(
6594 "when.on (OS event trigger) is fired by the agent's own event \
6595 source, so it requires runs_on: agent"
6596 .into(),
6597 );
6598 }
6599 if triggers.is_empty() {
6600 return Err(
6601 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
6602 );
6603 }
6604 }
6605 if let Some(cd) = self.lowered().cooldown.as_deref() {
6606 humantime::parse_duration(cd)
6607 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
6608 }
6609 if let When::Calendar(c) = &self.when {
6610 // Lower the calendar form to its cron (catches a bad `at`
6611 // and the date+days conflict), then validate that cron
6612 // with the same parser configuration tokio-cron-scheduler
6613 // 0.15 uses internally (croner, seconds required,
6614 // DOM-and-DOW both honored, year optional) — create-time
6615 // validation can never accept what register() rejects.
6616 let cron = c.to_cron()?;
6617 croner::parser::CronParser::builder()
6618 .seconds(croner::parser::Seconds::Required)
6619 .dom_and_dow(true)
6620 .build()
6621 .parse(&cron)
6622 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
6623 }
6624 // The other humantime strings on the schedule (claude #419
6625 // review): runtime degrades gracefully on both (bad jitter →
6626 // silent no-op, bad starting_deadline → warn + skipped tick),
6627 // but "rejected at create time" should cover every field the
6628 // operator can typo, not just `when`.
6629 if let Some(j) = &self.plan.jitter {
6630 humantime::parse_duration(j)
6631 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
6632 }
6633 if let Some(sd) = &self.starting_deadline {
6634 humantime::parse_duration(sd)
6635 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
6636 }
6637 let from = self
6638 .active
6639 .from
6640 .as_deref()
6641 .map(|s| Active::parse_bound(s, self.tz))
6642 .transpose()?;
6643 let until = self
6644 .active
6645 .until
6646 .as_deref()
6647 .map(|s| Active::parse_bound(s, self.tz))
6648 .transpose()?;
6649 if let (Some(f), Some(u)) = (from, until) {
6650 if f >= u {
6651 return Err(format!(
6652 "active.from ({}) must be strictly before active.until ({})",
6653 self.active.from.as_deref().unwrap_or_default(),
6654 self.active.until.as_deref().unwrap_or_default(),
6655 ));
6656 }
6657 }
6658 // #418 Phase 3: a bad maintenance window is rejected at create
6659 // time (parse_window also catches equal bounds).
6660 if let Some(w) = self.constraints.window.as_deref() {
6661 Constraints::parse_window(w)?;
6662 }
6663 // #418 holiday exclusion: reject a malformed skip date at create
6664 // time so the fail-closed `allows` path only ever bites a
6665 // hand-edited KV blob, not a fresh `kanade schedule create`.
6666 if let Some(err) = self.constraints.bad_skip_date() {
6667 return Err(err);
6668 }
6669 // #418: constraints.max_concurrent is a central running-instance
6670 // cap, so it needs the backend's counter — reject it on
6671 // runs_on: agent (decision E), and reject a meaningless 0.
6672 if let Some(mc) = self.constraints.max_concurrent {
6673 // Check the structural incompatibility (agent has no central
6674 // counter) before the value range, so a `max_concurrent: 0`
6675 // + `runs_on: agent` combo reports the more fundamental
6676 // problem first (claude #542).
6677 if matches!(self.runs_on, RunsOn::Agent) {
6678 return Err(
6679 "constraints.max_concurrent needs a central counter and is backend-only; \
6680 it cannot be combined with runs_on: agent (each agent self-schedules, \
6681 so there is no fleet-wide count to cap against)"
6682 .into(),
6683 );
6684 }
6685 if mc == 0 {
6686 return Err(
6687 "constraints.max_concurrent must be >= 1 (0 would never fire; \
6688 omit it for no cap)"
6689 .into(),
6690 );
6691 }
6692 }
6693 // #418: constraints.require (host-state env gates: ac_power /
6694 // idle / cpu_below / network) is sensed in-process by the agent,
6695 // so it needs runs_on: agent — the backend can't read a target
6696 // host's power / idle / cpu / connectivity state. Symmetric with
6697 // `when: { on }` (also agent-only); inverse of max_concurrent
6698 // (backend-only).
6699 if let Some(req) = &self.constraints.require {
6700 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
6701 return Err(
6702 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
6703 network) is sensed in-process by the agent and needs runs_on: agent; the \
6704 backend cannot read a target host's power / idle / cpu / connectivity state"
6705 .into(),
6706 );
6707 }
6708 // Reject a malformed idle duration at create time so the
6709 // fail-closed runtime path only ever bites a hand-edited
6710 // KV blob (mirror skip_dates / on_failure.retry).
6711 if let Some(err) = req.bad_idle() {
6712 return Err(err);
6713 }
6714 // cpu_below is a percent — reject out-of-range so a typo
6715 // can't make a schedule that never (>=100 is always-busy?
6716 // no — <0 never matches) or trivially fires.
6717 if let Some(c) = req.cpu_below
6718 && !(c > 0.0 && c <= 100.0)
6719 {
6720 return Err(format!(
6721 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
6722 omit it for no CPU requirement"
6723 ));
6724 }
6725 }
6726 // #418 Phase 4: a bad on_failure.retry is rejected at create
6727 // time — backoff must be valid humantime, and max is bounded
6728 // so a typo can't pin a flapping script in a tight loop.
6729 if let Some(r) = &self.on_failure.retry {
6730 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
6731 format!(
6732 "on_failure.retry.backoff: invalid duration '{}': {e}",
6733 r.backoff
6734 )
6735 })?;
6736 // The wire form lowers backoff to whole seconds, so a
6737 // sub-second value would silently become a 0s no-wait
6738 // (coderabbit #466). Reject it rather than honour a backoff
6739 // the operator can't actually get.
6740 if backoff.as_secs() < 1 {
6741 return Err(format!(
6742 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
6743 round to 0 on the wire",
6744 r.backoff
6745 ));
6746 }
6747 if !(1..=10).contains(&r.max) {
6748 return Err(format!(
6749 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
6750 attempts after the first run",
6751 r.max
6752 ));
6753 }
6754 }
6755 // A blank / whitespace-only tag renders an empty filter chip on
6756 // the Schedules page — reject it at create time, mirroring the
6757 // Manifest::validate tag guard.
6758 for tag in &self.tags {
6759 if tag.trim().is_empty() {
6760 return Err("tags must not contain empty entries".to_string());
6761 }
6762 }
6763 Ok(())
6764 }
6765}
6766
6767fn default_true() -> bool {
6768 true
6769}