Skip to main content

kanade_shared/
manifest.rs

1use serde::{Deserialize, Serialize};
2
3use crate::wire::{FinalizeCommand, RunAs, Shell, Staleness};
4
5/// YAML job manifest (= registered "what to run", v0.18.0+).
6///
7/// Owns only script-intrinsic fields. **Who** (`target`), **how to
8/// phase fanout** (`rollout`), and **when to stagger start**
9/// (`jitter`) all moved to the Schedule / exec request side — same
10/// script can now be fired against different targets / rollouts
11/// without copying the script body.
12///
13/// #492: these types are READ fleet-wide (agents decode them from
14/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
15/// must tolerate unknown fields — `deny_unknown_fields` here made a
16/// gradually-upgrading fleet's OLD agents reject the whole object
17/// the moment a newer backend added any field. Operator typo
18/// protection (the old reason for the attribute) lives at the WRITE
19/// boundaries instead: `kanade job/schedule create` and the backend
20/// POST extractor parse via [`crate::strict`], which rejects unknown
21/// keys with their full paths. The wire rule: new fields always get
22/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
23/// may still be strict).
24#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
25pub struct Manifest {
26    pub id: String,
27    pub version: String,
28    #[serde(default)]
29    pub description: Option<String>,
30    pub execute: Execute,
31    #[serde(default)]
32    pub require_approval: bool,
33    /// Opt-in marker that this job produces a JSON inventory fact
34    /// payload on stdout. When present, the backend's results
35    /// projector parses `ExecResult.stdout` as JSON and upserts an
36    /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
37    /// `display` sub-config drives the SPA's Inventory page render.
38    #[serde(default)]
39    pub inventory: Option<InventoryHint>,
40    /// Issue #246: opt-in marker that this job emits per-line
41    /// observability events on stdout (one JSON `ObsEvent` per
42    /// newline). When present, the agent — after the script exits
43    /// successfully — parses each non-empty stdout line as an
44    /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
45    /// `obs_outbox`, and (intentionally) **omits the stdout from
46    /// the `ExecResult`** so the timeline data doesn't double up
47    /// in `execution_results.stdout` (which would multiply rows
48    /// by ~50/day/PC of noise).
49    ///
50    /// Distinct from `inventory:` (single JSON object → projector
51    /// upsert) — events are append-only timeline points consumed
52    /// by the dedicated `obs_events` table.
53    #[serde(default)]
54    pub emit: Option<EmitConfig>,
55    /// #290: opt-in marker that this job is an operator-defined
56    /// **health check** whose result feeds the Client App's Health
57    /// tab over KLP (`StateSnapshot.checks`). The script prints a
58    /// free-form JSON object on stdout (like any inventory job); the
59    /// agent reads the [`CheckHint::status_field`] value dynamically
60    /// into a [`crate::ipc::state::Check`] named `check.name`.
61    /// Cadence / windows / conditions come from
62    /// the job's Schedule (exactly like inventory) — there is
63    /// deliberately no interval here. **Composes with `inventory:` and
64    /// `collect:`** (#821): each reads its own `#KANADE-<KIND>`-fenced
65    /// stdout block, so one job can drive a check, project inventory
66    /// facts, and collect files in a single run. Only `emit:` (NDJSON
67    /// stdout) is incompatible. A check-only job may skip the fence
68    /// (whole stdout is the JSON); a multi-hint job fences each block.
69    #[serde(default)]
70    pub check: Option<CheckHint>,
71    /// #219: opt-in marker that this job COLLECTS files into a bundle.
72    /// The script does the collection work and prints a single JSON
73    /// object on stdout carrying a `files` array of paths (the field
74    /// name is [`CollectHint::files_field`], default `"files"`); the
75    /// agent — after the script exits successfully — zips those files,
76    /// uploads the archive to the `OBJECT_COLLECTIONS` Object Store
77    /// bucket (key `<pc_id>/<job_id>/<timestamp>.zip`), and records the
78    /// key in [`crate::wire::ExecResult::collect_object`]. The operator
79    /// downloads bundles from the SPA Collect page.
80    ///
81    /// Like `inventory:` / `check:` this reads a JSON object from stdout.
82    /// #821: it reads its own `#KANADE-COLLECT-BEGIN/END`-fenced block,
83    /// so it **composes with `inventory:` / `check:`** (and a user
84    /// message) on one stdout — only `emit:` (NDJSON) is incompatible
85    /// (enforced in [`Manifest::validate`]). A collect-only job may skip
86    /// the fence. It also composes with `client:` — a `collect:` +
87    /// `client:` job lets an end user trigger a collection from the
88    /// Client App (the same-host agent runs it).
89    #[serde(default, skip_serializing_if = "Option::is_none")]
90    pub collect: Option<CollectHint>,
91    /// #720: opt-in declarative aggregation over `obs_events` that drives
92    /// the SPA **Analytics** page. Unlike the other hints this one never
93    /// touches stdout and is never delivered to the agent — it's a pure
94    /// *read spec* the backend reads from `BUCKET_JOBS` at query time and
95    /// turns into `json_extract` aggregation SQL. Each entry is one widget
96    /// (a `dashboard:` tab groups them); `scope:` selects per-PC vs
97    /// fleet-wide rollup. Because it consumes nothing at run time it
98    /// composes with every other hint (typically paired with `emit:`,
99    /// which produces the events it reads). See [`AggregateWidget`].
100    ///
101    /// New field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
102    #[serde(default, skip_serializing_if = "Option::is_none")]
103    pub aggregate: Option<Vec<AggregateWidget>>,
104    /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
105    /// what the agent does at fire time when it can't verify the
106    /// `script_current` / `script_status` KV values are fresh —
107    /// especially relevant for `runs_on: agent` schedules where
108    /// the agent may fire from cache while offline. Defaults to
109    /// `Staleness::Cached` (silently use cached values), which
110    /// matches every pre-v0.26 Manifest.
111    #[serde(default)]
112    pub staleness: Staleness,
113    /// #291: opt-in marker that this job is offered to **end users**
114    /// in the Client App's job tabs over KLP (`jobs.list` →
115    /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
116    /// [`emit`]: the block's mere presence is the opt-in, and it
117    /// groups the end-user presentation fields (name / category /
118    /// icon) that only make sense for a user-facing job. `None`
119    /// (the default) ⇒ an operator-only job — inventory, checks,
120    /// scheduled maintenance — that never surfaces in the catalog.
121    ///
122    /// The agent re-reads this at every `jobs.list` / `jobs.execute`
123    /// (SPEC §2.1), so removing the block takes a job out of a
124    /// running client on its next action.
125    ///
126    /// [`inventory`]: Manifest::inventory
127    /// [`check`]: Manifest::check
128    /// [`emit`]: Manifest::emit
129    #[serde(default, skip_serializing_if = "Option::is_none")]
130    pub client: Option<ClientHint>,
131    /// Free-form operator taxonomy for the Jobs catalog. Purely a
132    /// SPA-side organisational aid — agents / scheduler / projector
133    /// never read it — so it carries no runtime semantics and any
134    /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
135    /// cross-cut (a `check-bitlocker` is at once a health-check, a
136    /// security control, and Windows-specific), which is why this is
137    /// a multi-valued list rather than the single closed-enum
138    /// [`ClientHint::category`] (whose values are the end-user Client
139    /// App's tabs, a different concern). The operator Jobs page groups
140    /// rows by id-prefix for free; tags add the orthogonal filter axis
141    /// prefixes can't express.
142    ///
143    /// Empty by default (the overwhelming majority of jobs), and a
144    /// new field, so it follows the #492 wire rule: `serde(default)`
145    /// plus `skip_serializing_if` keep gradually-upgrading old readers
146    /// from tripping over its absence / presence.
147    #[serde(default, skip_serializing_if = "Vec::is_empty")]
148    pub tags: Vec<String>,
149    /// GitOps provenance (#678) — see [`RepoOrigin`]. Stamped by
150    /// `kanade job create` when the source YAML lives inside a Git work
151    /// tree, so the SPA can render the job read-only and point edits
152    /// back at the repo instead of letting a ClickOps edit silently
153    /// diverge from Git (SPEC design principle #3: 設定駆動 YAML + Git).
154    /// `None` for SPA-born jobs and for manifests applied from outside
155    /// any Git repo. Purely informational: agents / scheduler /
156    /// projector never read it, and it survives `script_file:` inlining
157    /// (it's orthogonal to the exactly-one-of script-source rule). New
158    /// field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
159    #[serde(default, skip_serializing_if = "Option::is_none")]
160    pub origin: Option<RepoOrigin>,
161    /// Job-generic post-step hook. When set, the agent runs this script
162    /// AFTER the main `execute:` script exits cleanly (and, for a
163    /// `collect:` job, after the bundle finishes uploading), so the
164    /// operator can delete / move / notify based on what the step
165    /// produced. Best-effort: a finalize failure is logged but never
166    /// fails the run — the upload (if any) already succeeded.
167    ///
168    /// For `collect:` jobs the agent injects the environment variable
169    /// `KANADE_COLLECT_RESULT` — a JSON object
170    /// `{ "ok": true, "bundles": [ { "key", "uploaded", "files": [...] } ] }`
171    /// — so the hook acts on exactly the files that were bundled and
172    /// uploaded (e.g. deletes only the `uploaded` ones). Composes with
173    /// every hint. New field ⇒ #492 wire rule (`default` +
174    /// `skip_serializing_if`).
175    #[serde(default, skip_serializing_if = "Option::is_none")]
176    pub finalize: Option<FinalizeSpec>,
177}
178
179/// GitOps provenance for a repo-managed YAML artifact — a [`Manifest`]
180/// (#678) or a [`Schedule`] (#695). Populated by `kanade job create` /
181/// `kanade schedule create` from the Git context of the source YAML;
182/// the SPA reads it to render Git-managed entries read-only and link
183/// the operator back at the repo. Never consulted by the runtime.
184#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
185pub struct RepoOrigin {
186    /// Repo-relative path of the source YAML — the primary edit target
187    /// the SPA surfaces (e.g. `configs/jobs/foo.yaml`). Forward slashes
188    /// regardless of the authoring OS.
189    pub path: String,
190    /// `origin` remote URL, when the repo has one. Lets the SPA turn
191    /// `path` into a clickable link; `None` for remote-less repos.
192    #[serde(default, skip_serializing_if = "Option::is_none")]
193    pub repo: Option<String>,
194    /// Repo-relative path of the `script_file:` a job manifest inlined,
195    /// when it used one — a secondary pointer shown beneath `path`.
196    /// Always `None` for schedules (they carry no script).
197    #[serde(default, skip_serializing_if = "Option::is_none")]
198    pub script_file: Option<String>,
199}
200
201/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
202/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
203/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
204/// here keeps the validation + serialisation logic in one place.
205#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
206pub struct FanoutPlan {
207    #[serde(default)]
208    pub target: Target,
209    /// Optional wave rollout — when present, the backend publishes
210    /// each wave's group subject on its own delay schedule instead
211    /// of fanning out the `target` block in one go. `target` then
212    /// only labels the deploy for the audit log.
213    #[serde(default, skip_serializing_if = "Option::is_none")]
214    pub rollout: Option<Rollout>,
215    /// Optional humantime jitter; agent uses it to randomise
216    /// execution start. Lives here (not on the script) so different
217    /// schedules / ad-hoc fires of the same job can pick different
218    /// stagger windows.
219    #[serde(default, skip_serializing_if = "Option::is_none")]
220    pub jitter: Option<String>,
221    /// Absolute time the scheduler stamps on each emitted Command
222    /// when this exec was driven by a [`Schedule`] with
223    /// `starting_deadline`. Agents receiving a Command after this
224    /// instant publish a synthetic skipped-result instead of
225    /// running the script. `None` (default) = no deadline / catch
226    /// up whenever delivered. Operators don't usually set this
227    /// directly — the scheduler computes it from `tick_at +
228    /// starting_deadline`.
229    #[serde(default, skip_serializing_if = "Option::is_none")]
230    pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
231}
232
233/// Sentinel lines that fence a hint's structured JSON payload inside an
234/// otherwise human-readable job stdout. Each stdout-reading hint
235/// (`inventory:` / `check:` / `collect:`) has its OWN `#KANADE-<KIND>-
236/// BEGIN`/`-END` pair, so one job can carry several of them at once
237/// (and/or a user-facing message) on its single stdout stream — every
238/// consumer extracts only its own block via [`fenced_payload`].
239///
240/// Originated for inventory (#793): a `client:` job couldn't put both a
241/// friendly message and a JSON object on one stdout (the Client App
242/// renders stdout verbatim, the projector needs JSON). #821 generalised
243/// it so inventory / check / collect can coexist. `emit:` is the
244/// exception — its stdout is line-delimited NDJSON consumed whole, so it
245/// never fences and never coexists with the others.
246///
247/// A job carrying a SINGLE hint may still skip the fence —
248/// [`fenced_payload`] falls back to the whole stdout — but a job
249/// COMBINING hints must fence each block (else every consumer would try
250/// to parse the same whole stdout).
251pub const INVENTORY_BLOCK_BEGIN: &str = "#KANADE-INVENTORY-BEGIN";
252/// Closing marker — see [`INVENTORY_BLOCK_BEGIN`].
253pub const INVENTORY_BLOCK_END: &str = "#KANADE-INVENTORY-END";
254/// Check-payload opening marker — see [`INVENTORY_BLOCK_BEGIN`].
255pub const CHECK_BLOCK_BEGIN: &str = "#KANADE-CHECK-BEGIN";
256/// Check-payload closing marker.
257pub const CHECK_BLOCK_END: &str = "#KANADE-CHECK-END";
258/// Collect-payload opening marker — see [`INVENTORY_BLOCK_BEGIN`].
259pub const COLLECT_BLOCK_BEGIN: &str = "#KANADE-COLLECT-BEGIN";
260/// Collect-payload closing marker.
261pub const COLLECT_BLOCK_END: &str = "#KANADE-COLLECT-END";
262
263/// Extract a hint's fenced block when the `begin` marker is present, else
264/// `None`. An unterminated fence (closing marker missing, e.g. truncated
265/// output) takes everything after the opener. Trimmed so surrounding
266/// message text / whitespace never reaches the JSON parser.
267pub fn fenced_payload_if_present<'a>(stdout: &'a str, begin: &str, end: &str) -> Option<&'a str> {
268    let b = find_line_marker(stdout, begin)?;
269    let after = &stdout[b + begin.len()..];
270    let inner = match find_line_marker(after, end) {
271        Some(e) => &after[..e],
272        None => after,
273    };
274    Some(inner.trim())
275}
276
277/// True if stdout carries ANY `#KANADE-<KIND>-BEGIN` fence at a line
278/// start — i.e. the script opted into fenced output. Used to decide
279/// whether a missing fence means "single-hint, use the whole stdout" or
280/// "multi-hint author error / truncation, this hint just has no block".
281pub fn has_any_hint_fence(stdout: &str) -> bool {
282    [
283        INVENTORY_BLOCK_BEGIN,
284        CHECK_BLOCK_BEGIN,
285        COLLECT_BLOCK_BEGIN,
286    ]
287    .iter()
288    .any(|m| find_line_marker(stdout, m).is_some())
289}
290
291/// Extract one hint's JSON payload from a job's stdout. When the hint's
292/// own `#KANADE-<KIND>` fence is present, return that block. When it's
293/// absent, fall back to the WHOLE stdout only for an unfenced (single-
294/// hint) job; if any OTHER hint's fence is present (#821 multi-hint
295/// output) return `""` instead — the script opted into fences but this
296/// block is missing (author error or truncation), so this consumer must
297/// NOT grab a sibling hint's block. An empty payload fails the consumer's
298/// JSON parse and degrades to "no data for this hint", never cross-parse.
299pub fn fenced_payload<'a>(stdout: &'a str, begin: &str, end: &str) -> &'a str {
300    if let Some(p) = fenced_payload_if_present(stdout, begin, end) {
301        return p;
302    }
303    if has_any_hint_fence(stdout) {
304        ""
305    } else {
306        stdout.trim()
307    }
308}
309
310/// Inventory's fenced payload — [`fenced_payload`] with the inventory
311/// markers. Kept as a named helper for the projector call site.
312pub fn inventory_payload(stdout: &str) -> &str {
313    fenced_payload(stdout, INVENTORY_BLOCK_BEGIN, INVENTORY_BLOCK_END)
314}
315
316/// Find `needle` only where it begins a line (start of `hay` or right
317/// after a `\n`). Anchoring to line start means a script echoing the
318/// literal sentinel mid-message (e.g. printing a command name) can't
319/// false-trigger the fence (Claude #793).
320fn find_line_marker(hay: &str, needle: &str) -> Option<usize> {
321    if hay.starts_with(needle) {
322        return Some(0);
323    }
324    hay.find(&format!("\n{needle}")).map(|p| p + 1)
325}
326
327/// Manifest sub-section: how the SPA should render the inventory
328/// facts this job produces. Each field name (`field`) is a top-level
329/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
330///
331/// Two render modes:
332///   * `display` — vertical "field / value" per PC, used by the
333///     `/inventory?pc=<id>` detail view. ALL columns the operator
334///     wants visible on the detail page.
335///   * `summary` — horizontal table across the fleet (row = PC,
336///     column = field) on `/inventory`. Optional; when omitted the
337///     SPA falls back to `display`, but operators usually want a
338///     trimmer "hostname / OS / CPU / RAM" set for the fleet view.
339#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
340pub struct InventoryHint {
341    /// Detail-view columns, in order.
342    pub display: Vec<DisplayField>,
343    /// Optional fleet-list columns (row = PC). Defaults to `display`
344    /// when omitted, but operators usually pick a 3-5 column subset.
345    #[serde(default, skip_serializing_if = "Option::is_none")]
346    pub summary: Option<Vec<DisplayField>>,
347    /// v0.31 / #40: payload arrays that should be exploded into
348    /// per-element rows of a derived SQLite table. Lets operators
349    /// answer cross-PC questions ("which PCs still have Chrome <
350    /// 120?", "C: >90% full") with normal SQL filters + indexes
351    /// instead of grepping JSON. The projector creates the derived
352    /// table on register and replaces this PC's rows on each result
353    /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
354    /// [`ExplodeSpec`] for the per-spec schema.
355    #[serde(default, skip_serializing_if = "Option::is_none")]
356    pub explode: Option<Vec<ExplodeSpec>>,
357    /// v0.35 / #93: top-level scalar fields whose changes the
358    /// projector logs to `inventory_history` (one event per
359    /// changed field per scan). Pairs with `explode[].track_history`
360    /// — that covers array elements; this covers single-valued
361    /// fields like `ram_bytes` / `os_version` / `cpu_model` /
362    /// `os_build` that operators want to track for "did the RAM
363    /// get upgraded?" / "when did Win 11 land on this PC?" /
364    /// "BIOS / firmware bumped?" questions. Field name = `field_path`
365    /// in the history row, `identity_json` is NULL, `before_json`
366    /// / `after_json` each carry `{"value": <prior or new value>}`.
367    /// First-ever observation of a scalar (no prior facts row)
368    /// emits `added`; subsequent value changes emit `changed`. No
369    /// `removed` events — a scalar disappearing from the payload
370    /// is rare and the operator can still see the last value via
371    /// the `before_json` of the most recent change.
372    #[serde(default, skip_serializing_if = "Option::is_none")]
373    pub history_scalars: Option<Vec<String>>,
374}
375
376/// Manifest sub-section (#290): marks a job as an operator-defined
377/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
378/// The stdout contract is a free-form JSON object (same as any
379/// inventory job) from which the agent reads `status_field` /
380/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
381/// on the Client App's Health tab.
382///
383/// There is deliberately **no timing field** — when / how often /
384/// in which window a check runs is driven by the job's Schedule,
385/// exactly like inventory jobs, so operators get the full `when:` /
386/// rollout / `runs_on` expressiveness for free.
387///
388/// A check's stdout is a **free-form inventory object** (arbitrary
389/// key/value pairs + arrays) — same as any inventory job — that also
390/// carries a status field. `check:` adds only the health semantics on
391/// top: which field is the ok/warn/fail/unknown status, an optional
392/// one-line summary field, and a remediation job. Everything else
393/// (rich per-PC detail, `explode` sub-tables like a software list) is
394/// driven by a co-present [`InventoryHint`] and rendered with the
395/// SAME display logic the SPA Inventory page uses — on the Client App
396/// too. This keeps checks maximally expressive without a bespoke
397/// payload type.
398#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
399pub struct CheckHint {
400    /// Stable check id → [`Check.name`](crate::ipc::state::Check),
401    /// the SPA/Client React key + analytics label. Unique within the
402    /// fleet's check set. Machine-friendly slug (`disk_space`,
403    /// `defender_rtp`); for the human-facing row title see [`label`].
404    ///
405    /// [`label`]: CheckHint::label
406    pub name: String,
407    /// Optional human-facing display title →
408    /// [`Check.label`](crate::ipc::state::Check). The Client App's
409    /// Health tab and the operator SPA's Compliance page render this
410    /// instead of the [`name`](CheckHint::name) slug when set
411    /// (`"ウイルス対策のリアルタイム保護"` reads better than
412    /// `defender_rtp`). Falls back to the slug when absent, so it's
413    /// purely additive. Author it in the check's language — there's no
414    /// per-locale variant; checks are operator-defined per fleet.
415    #[serde(default, skip_serializing_if = "Option::is_none")]
416    pub label: Option<String>,
417    /// Top-level stdout field whose string value
418    /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
419    /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
420    /// `"status"`; a missing / unparseable value → `unknown`.
421    #[serde(default = "default_status_field")]
422    pub status_field: String,
423    /// Top-level stdout field used as the Health-tab row's one-line
424    /// summary. Defaults to `"detail"`; absent in the payload → no
425    /// detail line (the rich breakdown lives in the inventory view).
426    #[serde(default = "default_detail_field")]
427    pub detail_field: String,
428    /// Optional remediation job id →
429    /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
430    /// App shows a "修復する" button when present; that job must be
431    /// `user_invokable`.
432    #[serde(default, skip_serializing_if = "Option::is_none")]
433    pub troubleshoot: Option<String>,
434    /// #290 PR-E: when `true` (default), the backend also projects this
435    /// check's `status` / `detail` into the `check_status` table so the
436    /// operator SPA gets a fleet-wide compliance view for free — no
437    /// `inventory:` block needed. Set `fleet: false` for a client-only
438    /// check the operator doesn't want surfaced across the fleet.
439    #[serde(default = "default_true")]
440    pub fleet: bool,
441    /// When `true` (default), this check is shown on the Client App's
442    /// Health tab (the end user sees its ok/warn/fail row). Set
443    /// `health: false` for a **gate-only** check — one that exists purely
444    /// to drive a `client.show_when` display gate (e.g. `myapp-up-to-date`)
445    /// and would just be noise as a Health row. The agent still records it
446    /// into `StateSnapshot.checks` (so `show_when` can read it and the gate
447    /// keeps working); only the Client App's Health *rendering* skips it,
448    /// via the [`Check.health_hidden`](crate::ipc::state::Check::health_hidden)
449    /// wire flag. Orthogonal to [`fleet`](CheckHint::fleet): `fleet` gates
450    /// the operator SPA fleet view, `health` gates the end-user Health tab,
451    /// so a pure gate detector typically sets neither (`fleet: false` +
452    /// `health: false`) to stay invisible everywhere while still driving
453    /// the gate.
454    #[serde(default = "default_true")]
455    pub health: bool,
456    /// Optional auto-notification on a compliance transition. When set, the
457    /// backend publishes an end-user notification the moment this check
458    /// transitions *into* one of [`CheckAlert::on`] (e.g. ok → fail) — to
459    /// the failing PC's user and/or operator groups. Fired once per
460    /// transition (not on every poll). Requires `fleet: true` (the alert
461    /// rides the same projection that fills `check_status`).
462    #[serde(default, skip_serializing_if = "Option::is_none")]
463    pub alert: Option<CheckAlert>,
464}
465
466/// Auto-notification rule for a [`CheckHint`] (compliance alerting). When a
467/// check's status transitions into one of [`on`](Self::on), the backend
468/// publishes a notification to the failing PC's user
469/// ([`notify_user`](Self::notify_user)) and/or operator groups
470/// ([`notify_groups`](Self::notify_groups)). Deliberately config-driven:
471/// who gets told, how loud, and the wording all live in the manifest, not
472/// hardcoded in the backend.
473#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
474pub struct CheckAlert {
475    /// Statuses that fire the alert on *transition into* them (a check that
476    /// stays failing doesn't re-alert every poll). Defaults to `[fail]`.
477    /// `ok` is not representable — [`CheckAlertStatus`] has no `Ok` variant,
478    /// so a YAML `on: [ok]` fails to deserialize (before `validate()` is
479    /// even reached); "recovered" notifications are out of scope.
480    #[serde(default = "default_alert_on")]
481    pub on: Vec<CheckAlertStatus>,
482    /// Notify the user(s) on the failing PC (`notifications.pc.<pc_id>`).
483    #[serde(default)]
484    pub notify_user: bool,
485    /// Notify these operator groups (`notifications.group.<name>`).
486    #[serde(default, skip_serializing_if = "Vec::is_empty")]
487    pub notify_groups: Vec<String>,
488    /// Notification priority (colour/label only — toasting is the separate
489    /// `toast` flag). Defaults to `warn`.
490    #[serde(default = "default_alert_priority")]
491    pub priority: crate::ipc::notifications::NotificationPriority,
492    /// Require the recipient to click 確認 to dismiss.
493    #[serde(default)]
494    pub require_ack: bool,
495    /// Surface an OS toast (launches a closed Client App, Action Center
496    /// while locked). Recommended `true` for `notify_user` so a
497    /// non-emergency "your PC is non-compliant" nudge still reaches a user
498    /// whose app is closed.
499    #[serde(default)]
500    pub toast: bool,
501    /// Also send the alert by email, to every address mapped to the
502    /// `notify_groups` (via the `group_contacts` KV, edited on the SPA
503    /// Groups page). Opt-in: defaults to `false`, so an existing alert
504    /// never starts emailing on its own. Requires `notify_groups` to be
505    /// non-empty (there is no per-PC user email) and the backend's
506    /// `[mail]` config to be present; otherwise the email is a logged
507    /// no-op while the in-app/toast notification still fires.
508    #[serde(default)]
509    pub email: bool,
510    /// Notification title (required). May use the same `{…}` placeholders
511    /// as [`body`](Self::body).
512    pub title: String,
513    /// Notification body template. Placeholders: `{pc_id}`, `{name}` (check
514    /// slug), `{label}` (check label, falls back to slug), `{status}`,
515    /// `{detail}` (the check's one-line summary), `{last_logon}` (the PC's
516    /// last sign-in account). Absent → empty body.
517    #[serde(default, skip_serializing_if = "Option::is_none")]
518    pub body: Option<String>,
519}
520
521/// A check status that can trigger a [`CheckAlert`]. Mirrors the
522/// projected `check_status.status` values minus `ok` (alerting on `ok` is
523/// rejected at validation).
524#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
525#[serde(rename_all = "snake_case")]
526pub enum CheckAlertStatus {
527    Warn,
528    Fail,
529    Unknown,
530}
531
532impl CheckAlertStatus {
533    /// The wire string, matching the projected `check_status.status`.
534    pub fn as_str(self) -> &'static str {
535        match self {
536            Self::Warn => "warn",
537            Self::Fail => "fail",
538            Self::Unknown => "unknown",
539        }
540    }
541}
542
543fn default_alert_on() -> Vec<CheckAlertStatus> {
544    vec![CheckAlertStatus::Fail]
545}
546
547fn default_alert_priority() -> crate::ipc::notifications::NotificationPriority {
548    crate::ipc::notifications::NotificationPriority::Warn
549}
550
551fn default_status_field() -> String {
552    "status".to_string()
553}
554
555fn default_detail_field() -> String {
556    "detail".to_string()
557}
558
559fn default_files_field() -> String {
560    "files".to_string()
561}
562
563/// Fallback cap on a collect bundle's total input size when the
564/// manifest's `collect.max_size` is unset. 50 MB (decimal).
565pub const DEFAULT_COLLECT_MAX_SIZE: u64 = 50 * 1_000_000;
566
567/// Manifest sub-section (#219): marks a job as a **file collector** and
568/// carries how the collected bundle presents in the SPA. Parallel to
569/// [`InventoryHint`] / [`CheckHint`] — the block's presence is the
570/// opt-in. The script prints a single JSON object on stdout whose
571/// [`files_field`](CollectHint::files_field) key holds an array of file
572/// paths to bundle (env vars are expanded); the agent zips them and
573/// uploads to `OBJECT_COLLECTIONS`. See [`Manifest::collect`].
574#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
575pub struct CollectHint {
576    /// Operator/end-user-facing title for the collection, shown as the
577    /// bundle's heading on the SPA Collect page (and the Client App row
578    /// when paired with `client:`). Required; validated non-empty.
579    pub name: String,
580    /// Optional one-line description of what the bundle contains.
581    #[serde(default, skip_serializing_if = "Option::is_none")]
582    pub description: Option<String>,
583    /// Human-readable cap on the bundle's total input size
584    /// (`"50MB"`, `"500KB"`, `"1GiB"`). The agent refuses to build a
585    /// bundle whose listed files exceed this. `None` ⇒
586    /// [`DEFAULT_COLLECT_MAX_SIZE`]. Parsed by [`parse_size_bytes`];
587    /// [`Manifest::validate`] rejects an unparseable value at create
588    /// time.
589    ///
590    /// Note: this bounds the **uncompressed** bytes the agent reads off
591    /// disk, not the resulting zip. Text logs compress well, so the
592    /// download is usually much smaller; many tiny files add a little
593    /// per-entry zip overhead. Read it as "how much the agent reads +
594    /// packs", not "the exact download size".
595    #[serde(default, skip_serializing_if = "Option::is_none")]
596    pub max_size: Option<String>,
597    /// Top-level stdout JSON key holding the array of file paths to
598    /// bundle. Defaults to `"files"`.
599    #[serde(default = "default_files_field")]
600    pub files_field: String,
601}
602
603impl CollectHint {
604    /// The effective size cap in bytes — the parsed `max_size` or
605    /// [`DEFAULT_COLLECT_MAX_SIZE`] when unset. Assumes `max_size` (if
606    /// present) already passed [`Manifest::validate`]; falls back to the
607    /// default on a parse error rather than panicking on the fire path.
608    pub fn max_size_bytes(&self) -> u64 {
609        match &self.max_size {
610            Some(s) => parse_size_bytes(s).unwrap_or(DEFAULT_COLLECT_MAX_SIZE),
611            None => DEFAULT_COLLECT_MAX_SIZE,
612        }
613    }
614}
615
616/// Parse a human-readable byte size (`"50MB"`, `"500 KB"`, `"1GiB"`,
617/// `"1024"`). Decimal units (KB/MB/GB) are 1000-based; binary units
618/// (KiB/MiB/GiB) are 1024-based; a bare number (or `B`) is bytes.
619/// Case-insensitive. Shared by `collect.max_size` validation and the
620/// agent's bundle-size enforcement.
621pub fn parse_size_bytes(s: &str) -> Result<u64, String> {
622    let t = s.trim();
623    if t.is_empty() {
624        return Err("size must not be empty".to_string());
625    }
626    let split = t.find(|c: char| !c.is_ascii_digit()).unwrap_or(t.len());
627    let (num_str, unit_raw) = t.split_at(split);
628    if num_str.is_empty() {
629        return Err(format!("size '{s}': missing leading number"));
630    }
631    let num: u64 = num_str
632        .parse()
633        .map_err(|_| format!("size '{s}': bad number '{num_str}'"))?;
634    let mult: u64 = match unit_raw.trim().to_ascii_lowercase().as_str() {
635        "" | "b" => 1,
636        "kb" => 1_000,
637        "mb" => 1_000_000,
638        "gb" => 1_000_000_000,
639        "kib" => 1024,
640        "mib" => 1024 * 1024,
641        "gib" => 1024 * 1024 * 1024,
642        other => {
643            return Err(format!(
644                "size '{s}': unknown unit '{other}' (use B/KB/MB/GB/KiB/MiB/GiB)"
645            ));
646        }
647    };
648    num.checked_mul(mult)
649        .ok_or_else(|| format!("size '{s}': overflow"))
650}
651
652/// Manifest sub-section (#291): marks a job as **user-invokable**
653/// from the Client App and carries how it presents to the end user.
654/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
655/// the block's presence is the opt-in (no separate boolean), and its
656/// required fields (`name`, `category`) are enforced by serde at
657/// parse time, so a half-filled catalog entry fails
658/// `kanade job create` instead of rendering a nameless / tab-less row.
659///
660/// The agent maps this 1:1 into the KLP
661/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
662/// that `jobs.list` returns; the Client App renders one row per job in
663/// the tab named by `category`.
664#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
665pub struct ClientHint {
666    /// End-user-facing title for the job row. The operator-internal
667    /// `Manifest::id` slug is rarely what an end user should read, so
668    /// this is required (and validated non-empty by
669    /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
670    pub name: String,
671    /// Optional one-line subtitle under `name` in the Client App.
672    /// Distinct from the operator-facing top-level
673    /// [`Manifest::description`] — this one is written for the end
674    /// user. Maps to `UserInvokableJob::display_description`.
675    #[serde(default, skip_serializing_if = "Option::is_none")]
676    pub description: Option<String>,
677    /// Which Client App tab the job lives in — a **free-form category
678    /// key** (#792). The Client App renders one tab per distinct key.
679    /// Well-known keys (`software_update`, `troubleshoot`, `catalog`)
680    /// carry built-in tab labels/icons; any other key defines a new tab
681    /// (style it with `category_label` / `category_icon`). Required and
682    /// validated non-empty — without it the agent can't place the job.
683    /// Note: the `software_update` key also drives the agent's
684    /// maintenance / auto-reboot grouping.
685    pub category: String,
686    /// Optional display name for the category's TAB. Set it on (at least
687    /// one of) a custom category's jobs to name the tab; `None` ⇒ a
688    /// built-in default for a well-known key, else the key itself.
689    #[serde(default, skip_serializing_if = "Option::is_none")]
690    pub category_label: Option<String>,
691    /// Optional icon for the category's TAB (lucide name or `data:` URL).
692    /// `None` ⇒ Client App default for the key.
693    #[serde(default, skip_serializing_if = "Option::is_none")]
694    pub category_icon: Option<String>,
695    /// Optional sort order for the TAB; lower sorts first. `None` ⇒
696    /// default (well-known keys keep their familiar order; custom keys
697    /// sort after, then by label).
698    #[serde(default, skip_serializing_if = "Option::is_none")]
699    pub category_order: Option<i64>,
700    /// Optional icon hint for the job ROW — a lucide-react icon name
701    /// or a `data:` URL. `None` ⇒ the Client App falls back to the
702    /// category's icon. Surfaced verbatim in `jobs.list[].icon`.
703    #[serde(default, skip_serializing_if = "Option::is_none")]
704    pub icon: Option<String>,
705    /// Optional visibility scope for the end-user Client App (#816).
706    ///
707    /// `None` ⇒ visible to every PC (current behavior). When set, only
708    /// agents whose `pc_id` / group membership match the [`Target`] list
709    /// the job in `jobs.list` and may run it via KLP `jobs.execute`.
710    ///
711    /// This gates the END-USER surface ONLY. Operators are unaffected:
712    /// `POST /api/exec/{job_id}` (SPA / `kanade exec`) is a separate path
713    /// that never consults `client:`, so an operator can still run the
714    /// job on any PC regardless of `visible_to`. Reuses the schedule
715    /// `Target` shape (`all` / `groups` / `pcs`); a present-but-empty
716    /// target is rejected by [`Manifest::validate`].
717    #[serde(default, skip_serializing_if = "Option::is_none")]
718    pub visible_to: Option<Target>,
719    /// Optional **dynamic display gate** keyed on a health check's result.
720    ///
721    /// `None` ⇒ always listed (current behavior). When set, the agent
722    /// lists the job in `jobs.list` ONLY while the named [`check:`] slug's
723    /// latest result is one of [`ShowWhen::is`]. The canonical use is an
724    /// update action that hides itself once the machine is already current:
725    /// pair the update job with a `check:` that reports `ok` when up to
726    /// date and gate on `is: [fail]`.
727    ///
728    /// Evaluated agent-side at `jobs.list` time against the live
729    /// `StateSnapshot.checks`, which is **keyed by check name** — so the
730    /// detector `check:` and this job may live in *different* manifests and
731    /// still share one slug. Distinct from [`visible_to`](ClientHint::visible_to):
732    /// that gates BOTH listing and `jobs.execute` (an authorization
733    /// boundary); `show_when` gates listing ONLY (a UX hint), so it can't
734    /// cause a list/execute race. New field ⇒ #492 wire rule.
735    ///
736    /// [`check:`]: crate::manifest::CheckHint
737    #[serde(default, skip_serializing_if = "Option::is_none")]
738    pub show_when: Option<ShowWhen>,
739}
740
741/// Dynamic display gate for a [`ClientHint`] — see
742/// [`ClientHint::show_when`]. Shows the job only while the named check's
743/// latest status is one of [`is`](ShowWhen::is).
744#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
745pub struct ShowWhen {
746    /// The `check:` slug (a [`CheckHint::name`](crate::manifest::CheckHint::name))
747    /// whose latest status gates this job. May be defined by a *different*
748    /// manifest: checks are keyed by name in the agent's snapshot, so a
749    /// standalone detector job and this one can share a slug. A check that
750    /// has never run (absent from the snapshot) does NOT match — the job
751    /// stays hidden until the detector first reports (fails closed, like
752    /// `visible_to`).
753    pub check: String,
754    /// The check status(es) in which the job is SHOWN. Accepts a single
755    /// status (`is: fail`) or a list (`is: [fail, unknown]`); both
756    /// deserialize to a `Vec`. The `length(min = 1)` schema constraint +
757    /// [`Manifest::validate`] both reject an empty set (it would match
758    /// nothing and silently hide the job) so schema-driven tooling and the
759    /// write path agree.
760    #[serde(deserialize_with = "de_one_or_many_check_status")]
761    #[schemars(length(min = 1))]
762    pub is: Vec<crate::ipc::state::CheckStatus>,
763}
764
765/// Accept either a single `CheckStatus` (`is: fail`) or a sequence
766/// (`is: [fail, unknown]`) for [`ShowWhen::is`], normalising to a `Vec`.
767/// The scalar form is purely author ergonomics; the JSON schema advertises
768/// the canonical array form (`#[schemars(with = ...)]`).
769fn de_one_or_many_check_status<'de, D>(
770    d: D,
771) -> Result<Vec<crate::ipc::state::CheckStatus>, D::Error>
772where
773    D: serde::Deserializer<'de>,
774{
775    use crate::ipc::state::CheckStatus;
776    #[derive(Deserialize)]
777    #[serde(untagged)]
778    enum OneOrMany {
779        One(CheckStatus),
780        Many(Vec<CheckStatus>),
781    }
782    Ok(match OneOrMany::deserialize(d)? {
783        OneOrMany::One(c) => vec![c],
784        OneOrMany::Many(v) => v,
785    })
786}
787
788/// #720 — one widget on the SPA **Analytics** page: a declarative
789/// aggregation over the `obs_events` table. The backend reads these off
790/// `Manifest::aggregate` (from `BUCKET_JOBS`) at query time and builds
791/// the `json_extract` GROUP BY / time-bucket SQL from these generic
792/// primitives, so an operator can chart any emitted event without a Rust
793/// change. The reference shapes are the attendance dashboards
794/// (presence / app_sample / web_visit), but the same DSL covers logon /
795/// reboot / agent-health trends, etc.
796#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
797pub struct AggregateWidget {
798    /// Tab this widget lives under on the Analytics page. Widgets from
799    /// every job are collected and grouped by this label, so the same
800    /// string across jobs builds one multi-source dashboard. Required.
801    pub dashboard: String,
802    /// Widget heading. Required, validated non-empty.
803    pub title: String,
804    /// Optional one-line subtitle shown muted under the `title` on the
805    /// Analytics page — room for a unit, a caveat, or what the number
806    /// means ("samples × 2 min", "Security 4624 only"). Rejected if
807    /// present-but-blank.
808    #[serde(default, skip_serializing_if = "Option::is_none")]
809    pub description: Option<String>,
810    /// Optional sort weight (#743). Once the order-aware sort lands (PR2)
811    /// widgets render in `(order, dashboard, title)` order, so a lower
812    /// `order` pulls a widget — and its tab — earlier; equal/absent `order`
813    /// falls back to the alphabetical `(dashboard, title)` ordering. Treated
814    /// as `0` when unset, so a fleet with no `order` anywhere stays purely
815    /// alphabetical (today's behaviour); negatives are allowed to pin
816    /// something first. (This field only carries the value; the backend
817    /// applies it.)
818    #[serde(default, skip_serializing_if = "Option::is_none")]
819    pub order: Option<i32>,
820    /// `pc` rolls up a single selected PC; `fleet` rolls up all PCs
821    /// (and unlocks `group_by: pc_id` to rank PCs against each other).
822    /// Defaults to `pc`.
823    #[serde(default)]
824    pub scope: AggregateScope,
825    /// `obs_events.kind` this widget reads (e.g. `app_sample`,
826    /// `presence`, `unexpected_shutdown`). Required for every aggregation
827    /// render (`bar`/`gauge`/`timeline`/`stat`); rejected for
828    /// `op_timeline`, which reconstructs a fixed multi-kind operational
829    /// swimlane (power/session/sleep) baked into the SPA and so reads no
830    /// single `kind`.
831    #[serde(default, skip_serializing_if = "Option::is_none")]
832    pub kind: Option<String>,
833    /// Optional `obs_events.source` filter, when one `kind` is emitted by
834    /// more than one collector.
835    #[serde(default, skip_serializing_if = "Option::is_none")]
836    pub source: Option<String>,
837    /// How to roll the matching events up. See [`AggregateAgg`]. Required
838    /// for every aggregation render; rejected for `op_timeline` (which
839    /// performs no rollup — it returns the raw operational events and the
840    /// SPA folds them into lane spans).
841    #[serde(default, skip_serializing_if = "Option::is_none")]
842    pub agg: Option<AggregateAgg>,
843    /// Dotted JSON path (no `$.` prefix) to group by for `agg: count` /
844    /// `sum` — e.g. `foreground.app`. The literal `pc_id` is special:
845    /// it groups by the `pc_id` column (fleet ranking), not a payload
846    /// field. Omit for a single total. Required when `agg: sum` needs a
847    /// breakdown; for `agg: count` omitting it yields the grand total.
848    #[serde(default, skip_serializing_if = "Option::is_none")]
849    pub group_by: Option<String>,
850    /// Dotted JSON path to a boolean for `agg: ratio` (e.g. `active`):
851    /// the widget reports `true_count / total`. Required when `agg: ratio`.
852    #[serde(default, skip_serializing_if = "Option::is_none")]
853    pub bool_path: Option<String>,
854    /// Dotted JSON path to a number for `agg: sum`. Required when `agg: sum`.
855    #[serde(default, skip_serializing_if = "Option::is_none")]
856    pub value_path: Option<String>,
857    /// Optional value transform applied before grouping. Currently only
858    /// `host` (parse a URL down to its host) — used by the top-sites
859    /// widget, where SQLite can't parse a URL so the backend does it in
860    /// Rust. See [`AggregateTransform`].
861    #[serde(default, skip_serializing_if = "Option::is_none")]
862    pub transform: Option<AggregateTransform>,
863    /// Optional sampling cadence in minutes. When set, a `count` is also
864    /// reported as estimated time (`count × sample_minutes`) — e.g. a
865    /// 2-minute app sampler turns 11 samples into ~22 minutes. Must be ≥ 1.
866    #[serde(default, skip_serializing_if = "Option::is_none")]
867    #[schemars(range(min = 1))]
868    pub sample_minutes: Option<u32>,
869    /// Grouped values to drop from the rollup (e.g. `["LockApp"]` so the
870    /// lock screen doesn't top the app ranking). Empty by default.
871    #[serde(default, skip_serializing_if = "Vec::is_empty")]
872    pub exclude: Vec<String>,
873    /// Optional time bucketing — `hour` buckets events by local
874    /// hour-of-day for a `timeline` render. See [`AggregateTimeBucket`].
875    #[serde(default, skip_serializing_if = "Option::is_none")]
876    pub time_bucket: Option<AggregateTimeBucket>,
877    /// Top-N cap for grouped renders (`bar`). Defaults to 10 when unset.
878    #[serde(default, skip_serializing_if = "Option::is_none")]
879    #[schemars(range(min = 1))]
880    pub limit: Option<u32>,
881    /// Which widget the SPA draws. See [`AggregateRender`].
882    pub render: AggregateRender,
883}
884
885/// Per-PC vs fleet-wide rollup for an [`AggregateWidget`].
886#[derive(
887    Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
888)]
889#[serde(rename_all = "lowercase")]
890#[non_exhaustive]
891pub enum AggregateScope {
892    /// Roll up the single PC the operator selected. The default.
893    #[default]
894    Pc,
895    /// Roll up across every PC. Unlocks `group_by: pc_id`.
896    Fleet,
897    /// #492 forward-compat catch-all — a Manifest is read fleet-wide, so
898    /// an older reader must tolerate a future variant rather than failing
899    /// to decode the whole job. The backend skips an `Unknown` widget.
900    #[serde(other)]
901    Unknown,
902}
903
904/// The rollup function for an [`AggregateWidget`].
905#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
906#[serde(rename_all = "lowercase")]
907#[non_exhaustive]
908pub enum AggregateAgg {
909    /// Row count, optionally grouped (`group_by`) and time-estimated
910    /// (`sample_minutes`).
911    Count,
912    /// `true_count / total` over `bool_path`.
913    Ratio,
914    /// Sum of `value_path`, optionally grouped.
915    Sum,
916    /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
917    #[serde(other)]
918    Unknown,
919}
920
921/// Optional pre-grouping value transform for an [`AggregateWidget`].
922#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
923#[serde(rename_all = "lowercase")]
924#[non_exhaustive]
925pub enum AggregateTransform {
926    /// Parse the grouped value as a URL and keep only its host.
927    Host,
928    /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
929    #[serde(other)]
930    Unknown,
931}
932
933/// Time bucketing for an [`AggregateWidget`] (drives a `timeline`).
934#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
935#[serde(rename_all = "lowercase")]
936#[non_exhaustive]
937pub enum AggregateTimeBucket {
938    /// Bucket by local hour-of-day (0–23), summed over the window.
939    Hour,
940    /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
941    #[serde(other)]
942    Unknown,
943}
944
945/// Which visual the SPA renders an [`AggregateWidget`] as.
946#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
947#[serde(rename_all = "lowercase")]
948#[non_exhaustive]
949pub enum AggregateRender {
950    /// Ranked horizontal bars (a grouped `count` / `sum`).
951    Bar,
952    /// A single ratio dial (`agg: ratio`).
953    Gauge,
954    /// 24-hour activity strip (`time_bucket: hour`).
955    Timeline,
956    /// A single headline number (an ungrouped total).
957    Stat,
958    /// Per-PC operational swimlane (power / session / sleep) reconstructed
959    /// from a fixed multi-kind event set. Unlike the aggregation renders it
960    /// reads no single `kind`/`agg`: the backend returns the raw events in
961    /// the window and the SPA folds them into lane spans (shared with the
962    /// Events page strip). Per-PC only (`scope: pc`).
963    #[serde(rename = "op_timeline")]
964    OpTimeline,
965    /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
966    #[serde(other)]
967    Unknown,
968}
969
970/// True if `p` is a well-formed dotted JSON path of `[A-Za-z0-9_]`
971/// segments joined by single dots — the shape safe to bind into
972/// `json_extract(payload, '$.' || ?)`. The charset blocks injection; the
973/// segment check additionally rejects `"."`, `".foo"`, `"foo."`,
974/// `"foo..bar"`, which would pass the charset but produce a malformed
975/// `$.` path that errors at query time. Accepts `pc_id`, `foreground.app`,
976/// `active`, etc.
977fn is_valid_json_path(p: &str) -> bool {
978    !p.is_empty()
979        && p.split('.').all(|seg| {
980            !seg.is_empty() && seg.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
981        })
982}
983
984/// Per-widget validation for a list of [`AggregateWidget`]s — shared by
985/// the `aggregate:` job hint ([`Manifest::validate`]) and the standalone
986/// [`View`] resource (#743) so the two can't diverge. `field` names the
987/// containing key for error messages (`"aggregate"` or `"widgets"`).
988///
989/// Enforces: non-empty list; non-empty dashboard/title (and `kind`/`agg`
990/// for every aggregation render); a blank-when-set `source`; rejection of
991/// any #492 `Unknown` enum (an operator typo at create time); safe dotted
992/// JSON paths; the value path each `agg` needs (and rejection of mis-paired
993/// ones); `pc_id` grouping only in `fleet` scope; `transform`/`limit`/
994/// `exclude` only with a `group_by`; positive `limit`/`sample_minutes`;
995/// `gauge`⇔`ratio`; and `timeline`⇔`time_bucket`. A `render: op_timeline`
996/// widget is validated separately (per-PC, no aggregation knobs) — see
997/// [`validate_op_timeline_widget`].
998pub fn validate_aggregate_widgets(widgets: &[AggregateWidget], field: &str) -> Result<(), String> {
999    if widgets.is_empty() {
1000        return Err(format!(
1001            "`{field}:` must list at least one widget when present"
1002        ));
1003    }
1004    for (i, w) in widgets.iter().enumerate() {
1005        let at = format!("{field}[{i}]");
1006        for (label, value) in [("dashboard", &w.dashboard), ("title", &w.title)] {
1007            if value.trim().is_empty() {
1008                return Err(format!("{at}.{label} must not be empty"));
1009            }
1010        }
1011        // A present-but-blank `description` renders an empty muted line —
1012        // reject it so the subtitle only shows when it says something.
1013        if let Some(description) = &w.description {
1014            if description.trim().is_empty() {
1015                return Err(format!("{at}.description must not be empty when set"));
1016            }
1017        }
1018        // Reject values that fell through to the #492 `Unknown` catch-all:
1019        // at create time on the current version that's an operator typo. (A
1020        // genuinely-future variant only reaches an older reader via a stored
1021        // resource, which is never re-validated, so forward-compat holds.)
1022        if w.scope == AggregateScope::Unknown {
1023            return Err(format!("{at}.scope is not a known value (pc | fleet)"));
1024        }
1025        if w.render == AggregateRender::Unknown {
1026            return Err(format!(
1027                "{at}.render is not a known value (bar | gauge | timeline | stat | op_timeline)"
1028            ));
1029        }
1030        // `op_timeline` reconstructs a fixed per-PC operational swimlane
1031        // (power/session/sleep) from a baked-in multi-kind set — it uses none
1032        // of the aggregation knobs, so validate it on its own terms (per-PC,
1033        // no `kind`/`agg`/grouping) and skip the rollup rules below.
1034        if w.render == AggregateRender::OpTimeline {
1035            validate_op_timeline_widget(w, &at)?;
1036            continue;
1037        }
1038        // Every other render is an aggregation over a single `kind`.
1039        if w.kind.as_deref().map(str::trim).unwrap_or("").is_empty() {
1040            return Err(format!("{at}.kind must not be empty"));
1041        }
1042        let agg = match w.agg {
1043            Some(AggregateAgg::Unknown) => {
1044                return Err(format!(
1045                    "{at}.agg is not a known value (count | ratio | sum)"
1046                ));
1047            }
1048            Some(agg) => agg,
1049            None => return Err(format!("{at}.agg is required")),
1050        };
1051        // A present-but-blank `source` is a no-op filter — reject like the
1052        // other blank-when-set guards.
1053        if let Some(source) = &w.source {
1054            if source.trim().is_empty() {
1055                return Err(format!("{at}.source must not be empty when set"));
1056            }
1057        }
1058        if w.transform == Some(AggregateTransform::Unknown) {
1059            return Err(format!("{at}.transform is not a known value (host)"));
1060        }
1061        if w.time_bucket == Some(AggregateTimeBucket::Unknown) {
1062            return Err(format!("{at}.time_bucket is not a known value (hour)"));
1063        }
1064        for (label, path) in [
1065            ("group_by", &w.group_by),
1066            ("bool_path", &w.bool_path),
1067            ("value_path", &w.value_path),
1068        ] {
1069            if let Some(p) = path {
1070                if !is_valid_json_path(p) {
1071                    return Err(format!(
1072                        "{at}.{label} '{p}' must be a dotted JSON path of [A-Za-z0-9_] segments"
1073                    ));
1074                }
1075            }
1076        }
1077        // Each agg uses exactly one value path; reject a mis-paired path so
1078        // a typo fails at create rather than being ignored.
1079        match agg {
1080            // count: grouped → ranking, ungrouped → grand total.
1081            AggregateAgg::Count => {
1082                for (label, path) in [("bool_path", &w.bool_path), ("value_path", &w.value_path)] {
1083                    if path.is_some() {
1084                        return Err(format!("{at}.agg=count does not use `{label}`"));
1085                    }
1086                }
1087            }
1088            AggregateAgg::Ratio => {
1089                if w.bool_path.is_none() {
1090                    return Err(format!("{at}.agg=ratio requires `bool_path`"));
1091                }
1092                if w.value_path.is_some() {
1093                    return Err(format!("{at}.agg=ratio does not use `value_path`"));
1094                }
1095            }
1096            AggregateAgg::Sum => {
1097                if w.value_path.is_none() {
1098                    return Err(format!("{at}.agg=sum requires `value_path`"));
1099                }
1100                if w.bool_path.is_some() {
1101                    return Err(format!("{at}.agg=sum does not use `bool_path`"));
1102                }
1103            }
1104            // Rejected above; arm exists only for exhaustiveness.
1105            AggregateAgg::Unknown => {}
1106        }
1107        // Ranking PCs against each other only means something across the
1108        // fleet — within one PC it's a single bar.
1109        if w.group_by.as_deref() == Some("pc_id") && w.scope != AggregateScope::Fleet {
1110            return Err(format!(
1111                "{at}.group_by: pc_id is only valid with scope: fleet"
1112            ));
1113        }
1114        // `transform` rewrites the grouped PAYLOAD value (URL→host); it's
1115        // meaningless on a `pc_id` grouping (the pc_id column, not a payload
1116        // field), so reject the combo at create time.
1117        if w.transform.is_some() && w.group_by.as_deref() == Some("pc_id") {
1118            return Err(format!("{at}.transform is not valid with group_by: pc_id"));
1119        }
1120        // limit / transform / exclude all operate on grouped values, so
1121        // without a `group_by` they're silent no-ops — reject.
1122        if w.group_by.is_none() {
1123            if w.limit.is_some() {
1124                return Err(format!("{at}.limit requires `group_by`"));
1125            }
1126            if w.transform.is_some() {
1127                return Err(format!("{at}.transform requires `group_by`"));
1128            }
1129            if !w.exclude.is_empty() {
1130                return Err(format!("{at}.exclude requires `group_by`"));
1131            }
1132        }
1133        if w.limit == Some(0) {
1134            return Err(format!("{at}.limit must be > 0"));
1135        }
1136        if w.sample_minutes == Some(0) {
1137            return Err(format!("{at}.sample_minutes must be > 0"));
1138        }
1139        for ex in &w.exclude {
1140            if ex.trim().is_empty() {
1141                return Err(format!("{at}.exclude must not contain empty entries"));
1142            }
1143        }
1144        // A gauge draws a single ratio dial — only meaningful for agg: ratio.
1145        if w.render == AggregateRender::Gauge && agg != AggregateAgg::Ratio {
1146            return Err(format!("{at}.render=gauge is only valid with agg: ratio"));
1147        }
1148        // A timeline needs a bucket; a bucket on any other render is a no-op
1149        // that signals operator confusion — reject both.
1150        match (w.render, &w.time_bucket) {
1151            (AggregateRender::Timeline, None) => {
1152                return Err(format!("{at}.render=timeline requires `time_bucket`"));
1153            }
1154            (r, Some(_)) if r != AggregateRender::Timeline => {
1155                return Err(format!(
1156                    "{at}.time_bucket is only valid with render: timeline"
1157                ));
1158            }
1159            _ => {}
1160        }
1161    }
1162    Ok(())
1163}
1164
1165/// Validate a `render: op_timeline` widget. It draws a fixed per-PC
1166/// operational swimlane (power / session / sleep) reconstructed by the SPA
1167/// from a baked-in multi-kind event set, so it uses none of the aggregation
1168/// knobs: require `scope: pc` and reject every field that only makes sense
1169/// for a rollup (`kind`/`source`/`agg`/`group_by`/`bool_path`/`value_path`/
1170/// `transform`/`sample_minutes`/`exclude`/`time_bucket`/`limit`). Rejecting
1171/// the unused fields (rather than ignoring them) keeps an operator typo from
1172/// silently doing nothing, matching the rest of this validator.
1173fn validate_op_timeline_widget(w: &AggregateWidget, at: &str) -> Result<(), String> {
1174    // Per-PC only: a fleet-wide swimlane of every PC's spans is unbounded
1175    // and unreadable, and the backend only computes it in per-PC scope.
1176    if w.scope != AggregateScope::Pc {
1177        return Err(format!("{at}.render=op_timeline requires scope: pc"));
1178    }
1179    // Each unused field, with the name the operator wrote, so the error
1180    // points at exactly what to delete.
1181    if w.kind.is_some() {
1182        return Err(format!("{at}.render=op_timeline does not use `kind`"));
1183    }
1184    if w.source.is_some() {
1185        return Err(format!("{at}.render=op_timeline does not use `source`"));
1186    }
1187    if w.agg.is_some() {
1188        return Err(format!("{at}.render=op_timeline does not use `agg`"));
1189    }
1190    for (label, set) in [
1191        ("group_by", w.group_by.is_some()),
1192        ("bool_path", w.bool_path.is_some()),
1193        ("value_path", w.value_path.is_some()),
1194        ("transform", w.transform.is_some()),
1195        ("sample_minutes", w.sample_minutes.is_some()),
1196        ("time_bucket", w.time_bucket.is_some()),
1197        ("limit", w.limit.is_some()),
1198        ("exclude", !w.exclude.is_empty()),
1199    ] {
1200        if set {
1201            return Err(format!("{at}.render=op_timeline does not use `{label}`"));
1202        }
1203    }
1204    Ok(())
1205}
1206
1207/// A standalone declarative read/aggregation for the Analytics page (#743).
1208///
1209/// A **view** aggregates stored fleet data (`obs_events`, …) without an
1210/// `execute` or a schedule — unlike a [`Manifest`] it only declares
1211/// [`AggregateWidget`]s. (The first line is concise on purpose: `schemars`
1212/// uses it as the generated schema's `title`.) The backend reads views from
1213/// `BUCKET_VIEWS` at
1214/// query time and merges their widgets with the co-located `aggregate:`
1215/// hints on jobs, so a cross-cutting dashboard (one that charts events
1216/// emitted by several other jobs / the agent) has a home that doesn't need
1217/// a noop job carrier. Stored JSON in `BUCKET_VIEWS`, keyed by `id`.
1218#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1219pub struct View {
1220    /// Stable identifier (the KV key). Required, validated non-empty.
1221    pub id: String,
1222    /// Optional human description shown on the Views admin page.
1223    #[serde(default, skip_serializing_if = "Option::is_none")]
1224    pub description: Option<String>,
1225    /// The widgets this view contributes to the Analytics page.
1226    pub widgets: Vec<AggregateWidget>,
1227    /// Free-form operator taxonomy (same role as [`Manifest::tags`]).
1228    #[serde(default, skip_serializing_if = "Vec::is_empty")]
1229    pub tags: Vec<String>,
1230    /// GitOps provenance (#678), stamped by `kanade view create` from the
1231    /// source YAML's Git context — same as [`Manifest::origin`].
1232    #[serde(default, skip_serializing_if = "Option::is_none")]
1233    pub origin: Option<RepoOrigin>,
1234}
1235
1236/// True if `id` is a safe resource identifier — non-empty and only
1237/// `[A-Za-z0-9._-]`. A view `id` becomes a NATS KV key *and* a URL path
1238/// segment (`/api/views/{id}`), so this blocks `/`, `..`, whitespace and
1239/// other characters that would break the KV key or let a CLI arg wander
1240/// the URL space. (#743 / #744 follow-up — a deliberately small charset
1241/// rather than the looser set NATS technically allows.)
1242pub fn is_valid_resource_id(id: &str) -> bool {
1243    !id.is_empty()
1244        && id
1245            .chars()
1246            .all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_' || c == '-')
1247}
1248
1249impl View {
1250    pub fn validate(&self) -> Result<(), String> {
1251        if !is_valid_resource_id(self.id.trim()) {
1252            return Err(
1253                "view.id must be non-empty and only [A-Za-z0-9._-] (it's a KV key + URL segment)"
1254                    .to_string(),
1255            );
1256        }
1257        validate_aggregate_widgets(&self.widgets, "widgets")?;
1258        for tag in &self.tags {
1259            if tag.trim().is_empty() {
1260                return Err("tags must not contain empty entries".to_string());
1261            }
1262        }
1263        Ok(())
1264    }
1265}
1266
1267/// Issue #246 — `emit:` manifest block for jobs whose stdout is
1268/// NDJSON observability events (one `ObsEvent` per line). Parallel
1269/// to `inventory:` but for the append-only timeline pipeline; see
1270/// `Manifest::emit` for the full contract.
1271#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1272pub struct EmitConfig {
1273    /// What kind of payload the agent should expect on stdout. Only
1274    /// `events` is defined today (parses each non-empty line as
1275    /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
1276    /// (e.g. metrics streams, structured trace events) plug in here.
1277    #[serde(rename = "type")]
1278    pub kind: EmitKind,
1279    /// Operator hint for where the script keeps its own state — the
1280    /// watermark file the PowerShell / sh body reads + writes
1281    /// between runs so it only emits NEW events since the last
1282    /// poll. The agent doesn't read this; it's documentation that
1283    /// the SPA (and `kanade job edit`) can surface to operators
1284    /// reviewing the manifest. Optional; the script is allowed to
1285    /// keep state anywhere (registry, env, etc.) — the field's
1286    /// presence makes the convention discoverable.
1287    #[serde(default, skip_serializing_if = "Option::is_none")]
1288    pub watermark_path: Option<String>,
1289}
1290
1291/// `emit.type` enum. Lowercase serde so manifests read
1292/// `type: events` rather than `Events`.
1293#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1294#[serde(rename_all = "lowercase")]
1295pub enum EmitKind {
1296    /// Per-line `ObsEvent` JSON. Agent parses + publishes on
1297    /// `obs.<pc_id>`, drops the stdout from the resulting
1298    /// `ExecResult`.
1299    Events,
1300}
1301
1302/// v0.31 / #40: declarative "flatten this JSON array into a real
1303/// SQLite table" spec on an inventory manifest. The projector
1304/// creates the table on first registration (CREATE TABLE IF NOT
1305/// EXISTS + indexes) and writes a row per element of
1306/// `payload[field]` on every result, scoped by (pc_id, job_id) so
1307/// each PC's rows replace cleanly without a per-PC schema.
1308#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1309pub struct ExplodeSpec {
1310    /// JSON array key under the payload to explode. E.g. `"apps"`
1311    /// for `payload: { apps: [{...}, {...}] }`.
1312    pub field: String,
1313    /// Derived SQLite table name. Operators choose this — pick
1314    /// something namespaced + stable (`inventory_sw_apps`, not
1315    /// `apps`) so multiple inventory manifests don't collide on a
1316    /// generic name.
1317    pub table: String,
1318    /// Element-level fields that uniquely identify a row inside one
1319    /// PC's payload. The full PK is `(pc_id, job_id) + these
1320    /// columns`. Required — operators must think about uniqueness
1321    /// (e.g. `["name", "source"]` for installed apps because the
1322    /// same name appears in multiple uninstall hives).
1323    ///
1324    /// v0.31 / #41: same tuple drives history identity. When
1325    /// `track_history` is on, the projector serialises these
1326    /// fields' values into `inventory_history.identity_json` for
1327    /// every change event, so queries like "every PC that ever
1328    /// installed Chrome (any source)" filter on identity_json
1329    /// content without a per-manifest schema.
1330    pub primary_key: Vec<String>,
1331    /// Per-element fields that become columns in the derived table.
1332    pub columns: Vec<ExplodeColumn>,
1333    /// v0.31 / #41: when true (default false), the projector
1334    /// diffs each PC's incoming payload against the prior rows
1335    /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
1336    /// replace, and writes added / removed / changed events into
1337    /// `inventory_history`. Lets operators answer time-dimension
1338    /// questions ("when did Chrome 120 first appear on PC X?",
1339    /// "what's the Win 11 23H2 rollout curve") without storing
1340    /// per-scan snapshots. Off by default so operators opt in
1341    /// per-spec — history has a real storage cost on long-lived
1342    /// deployments (mitigated by the 90-day default retention
1343    /// sweeper, see `cleanup` module).
1344    #[serde(default)]
1345    pub track_history: bool,
1346}
1347
1348/// One column in an [`ExplodeSpec`]'s derived table.
1349#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1350pub struct ExplodeColumn {
1351    /// JSON key under each array element. Becomes the column name
1352    /// in the derived SQLite table — we don't rename.
1353    pub field: String,
1354    /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
1355    /// Storage maps directly via `sqlx::query.bind(...)`; type
1356    /// mismatches at INSERT-time fail loudly rather than silently
1357    /// dropping the row.
1358    #[serde(default, skip_serializing_if = "Option::is_none")]
1359    #[serde(rename = "type")]
1360    pub kind: Option<String>,
1361    /// When true, the projector creates a `CREATE INDEX` on this
1362    /// column at table-creation time. Boost for the common-filter
1363    /// columns (`name`, `version`) — operators mark them
1364    /// explicitly, the projector won't guess.
1365    #[serde(default)]
1366    pub index: bool,
1367}
1368
1369#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1370pub struct DisplayField {
1371    /// Top-level key in the stdout JSON.
1372    pub field: String,
1373    /// Human-readable column header.
1374    pub label: String,
1375    /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
1376    /// or `"table"` (#39). Defaults to plain text rendering on the
1377    /// SPA side. `"table"` expects the field's value to be a JSON
1378    /// array of objects and renders a nested sub-table on the
1379    /// per-PC detail page using `columns` as the schema; the fleet
1380    /// summary view falls back to showing the row count for
1381    /// `"table"` cells so the wide list stays compact.
1382    #[serde(default, skip_serializing_if = "Option::is_none")]
1383    #[serde(rename = "type")]
1384    pub kind: Option<String>,
1385    /// v0.30 / #39: when `kind == "table"`, the SPA renders the
1386    /// field's value (an array of objects like
1387    /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
1388    /// sub-table using these columns. Each column is itself a
1389    /// `DisplayField`, so the nested cells reuse the same render
1390    /// hints (`bytes`, `number`, `timestamp`) — no parallel format
1391    /// pipeline. Ignored for any other `kind`.
1392    #[serde(default, skip_serializing_if = "Option::is_none")]
1393    pub columns: Option<Vec<DisplayField>>,
1394}
1395
1396#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1397pub struct Rollout {
1398    #[serde(default)]
1399    pub strategy: RolloutStrategy,
1400    pub waves: Vec<Wave>,
1401}
1402
1403#[derive(
1404    Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
1405)]
1406#[serde(rename_all = "lowercase")]
1407pub enum RolloutStrategy {
1408    #[default]
1409    Wave,
1410}
1411
1412#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1413pub struct Wave {
1414    pub group: String,
1415    /// humantime delay measured from the deploy's publish time. wave[0]
1416    /// typically has "0s"; subsequent waves use minutes / hours.
1417    pub delay: String,
1418}
1419
1420#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
1421pub struct Target {
1422    #[serde(default)]
1423    pub groups: Vec<String>,
1424    #[serde(default)]
1425    pub pcs: Vec<String>,
1426    #[serde(default)]
1427    pub all: bool,
1428}
1429
1430impl Target {
1431    /// At least one of all / groups / pcs is set.
1432    pub fn is_specified(&self) -> bool {
1433        self.all || !self.groups.is_empty() || !self.pcs.is_empty()
1434    }
1435
1436    /// Whether a PC (its `pc_id` + group membership) falls in this target:
1437    /// `all`, or the pc is listed, or it belongs to a listed group. Used
1438    /// by the agent to scope `client.visible_to` (#816). An unspecified
1439    /// target matches nobody (callers should treat "no target" as
1440    /// "visible to all" before calling this).
1441    pub fn matches(&self, pc_id: &str, groups: &[String]) -> bool {
1442        self.all
1443            || self.pcs.iter().any(|p| p == pc_id)
1444            || self.groups.iter().any(|g| groups.contains(g))
1445    }
1446}
1447
1448#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1449pub struct Execute {
1450    pub shell: ExecuteShell,
1451    /// Inline script body. Mutually exclusive with [`script_file`]
1452    /// and [`script_object`]; exactly one of the three must be set
1453    /// (enforced by [`Execute::validate_script_source`] at the
1454    /// write-side parse boundaries — `kanade job create` and
1455    /// `POST /api/jobs`).
1456    ///
1457    /// Empty string is treated as **unset** so operators can swap
1458    /// to a `script_file:` / `script_object:` alternative just by
1459    /// commenting out the body, without having to also drop the
1460    /// `script:` key entirely.
1461    ///
1462    /// [`script_file`]: Self::script_file
1463    /// [`script_object`]: Self::script_object
1464    #[serde(default, skip_serializing_if = "Option::is_none")]
1465    pub script: Option<String>,
1466    /// Repo-local file path resolved by the operator-side CLI at
1467    /// `kanade job create` time. The CLI reads the file, slots its
1468    /// contents into `script`, and clears this field before
1469    /// POSTing — so the backend / agents never see `script_file`
1470    /// in stored manifests. SPEC §2.4.1.
1471    ///
1472    /// Resolver lands in a follow-up PR
1473    /// (yukimemi/kanade#210); today this field passes parse-time
1474    /// validation but the operator-side CLI bails with "not yet
1475    /// implemented" until the resolver ships, so manifests that
1476    /// reach the backend with `script_file` set are treated as a
1477    /// schema-bug.
1478    #[serde(default, skip_serializing_if = "Option::is_none")]
1479    pub script_file: Option<String>,
1480    /// Object Store reference (`<name>/<version>`) into the
1481    /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
1482    /// at Execute time via `/api/script-objects/{name}/{version}`
1483    /// and cache it locally. SPEC §2.4.1.
1484    ///
1485    /// Fully wired (#210/#211): the backend resolves the digest at
1486    /// exec submission (`api::exec::resolve_script_source`), the agent
1487    /// fetches + sha-verifies + caches the body (`script_cache`), and
1488    /// `kanade script` CRUDs the store. Unlike `script_file:` (inlined
1489    /// CLI-side, git-managed), this keeps the body in versioned,
1490    /// digest-pinned object storage — the ops-managed counterpart.
1491    #[serde(default, skip_serializing_if = "Option::is_none")]
1492    pub script_object: Option<String>,
1493    /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
1494    /// — represents how long this script reasonably takes to run.
1495    pub timeout: String,
1496    /// Token + session combination the agent uses to launch the
1497    /// script (v0.21). Default = [`RunAs::System`] (Session 0,
1498    /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
1499    #[serde(default)]
1500    pub run_as: RunAs,
1501    /// Working directory for the spawned child (v0.21.1). When
1502    /// unset, the child inherits the agent's cwd — on Windows that
1503    /// means `%SystemRoot%\System32` for the prod service, which is
1504    /// almost never what operators actually want. Use an absolute
1505    /// path; relative paths are passed through to the OS verbatim.
1506    /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
1507    /// you'd want `%USERPROFILE%` (but expansion happens in the
1508    /// shell, so write `$env:USERPROFILE` for PowerShell, or set
1509    /// it via teravars before `kanade job create`).
1510    #[serde(default, skip_serializing_if = "Option::is_none")]
1511    pub cwd: Option<String>,
1512}
1513
1514impl Execute {
1515    /// Treat an empty `script:` body as "intentionally unset". Operators
1516    /// commenting out a block-scalar tend to leave the key behind, and
1517    /// failing the validator on `script: ""` would surprise them.
1518    fn has_inline_script(&self) -> bool {
1519        matches!(&self.script, Some(s) if !s.is_empty())
1520    }
1521
1522    /// Enforce that exactly one of `script` / `script_file` /
1523    /// `script_object` is set. Called at the write-side parse
1524    /// boundaries (CLI `kanade job create` + backend
1525    /// `POST /api/jobs`) so ambiguous YAML is rejected before it
1526    /// reaches the JOBS KV. Read paths (projector, agent
1527    /// scheduler, list endpoints) skip this check — they only ever
1528    /// see what the write path already validated.
1529    pub fn validate_script_source(&self) -> Result<(), String> {
1530        let inline = self.has_inline_script();
1531        let file = self.script_file.is_some();
1532        let obj = self.script_object.is_some();
1533        let set = [inline, file, obj].into_iter().filter(|b| *b).count();
1534        match set {
1535            1 => Ok(()),
1536            0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
1537            _ => Err(format!(
1538                "execute: only one of `script` / `script_file` / `script_object` may be set \
1539                 (got script={inline}, script_file={file}, script_object={obj})"
1540            )),
1541        }
1542    }
1543}
1544
1545/// Job-generic post-step hook (see [`Manifest::finalize`]). Runs after
1546/// the main `execute:` script (and the collect upload) on a clean exit,
1547/// with the step's structured result injected via an environment
1548/// variable. P1 supports an inline `script:` only — `script_file:` /
1549/// `script_object:` are follow-ups.
1550#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1551pub struct FinalizeSpec {
1552    pub shell: ExecuteShell,
1553    /// Inline script body (required; inline-only in P1).
1554    pub script: String,
1555    /// humantime duration string (e.g. `"60s"`, `"5m"`). Defaults to
1556    /// `60s` when unset.
1557    #[serde(default = "default_finalize_timeout")]
1558    pub timeout: String,
1559    /// Token + session combination, like [`Execute::run_as`]. Defaults
1560    /// to [`RunAs::System`].
1561    #[serde(default)]
1562    pub run_as: RunAs,
1563    /// Working directory for the hook child, like [`Execute::cwd`].
1564    #[serde(default, skip_serializing_if = "Option::is_none")]
1565    pub cwd: Option<String>,
1566}
1567
1568/// Default `finalize.timeout` when the operator omits it.
1569fn default_finalize_timeout() -> String {
1570    "60s".to_string()
1571}
1572
1573impl FinalizeSpec {
1574    /// Lower to the wire form forwarded onto a [`Command`]. The timeout
1575    /// parse falls back to 60s — [`Manifest::validate`] already rejects
1576    /// an unparseable value at create time, so the fire path uses a safe
1577    /// default rather than failing (mirrors
1578    /// [`CollectHint::max_size_bytes`]). A sub-second timeout floors at
1579    /// 1s for the same reason `build_command` does.
1580    pub fn lower(&self) -> FinalizeCommand {
1581        let timeout_secs = humantime::parse_duration(&self.timeout)
1582            .map(|d| d.as_secs().max(1))
1583            .unwrap_or(60);
1584        FinalizeCommand {
1585            shell: self.shell.into(),
1586            script: self.script.clone(),
1587            timeout_secs,
1588            run_as: self.run_as,
1589            cwd: self.cwd.clone(),
1590        }
1591    }
1592}
1593
1594impl Manifest {
1595    /// Cross-field semantic checks that don't fit into pure serde
1596    /// derive. Currently delegates to
1597    /// [`Execute::validate_script_source`] — see that method's
1598    /// docs for the rationale on which call sites should run this.
1599    pub fn validate(&self) -> Result<(), String> {
1600        self.execute.validate_script_source()?;
1601        // A present-but-empty finalize script is an invisible no-op
1602        // (the hook would run an empty body); reject it at the write
1603        // boundary. Inline-only in P1, so `script` is the sole source.
1604        if let Some(finalize) = &self.finalize {
1605            if finalize.script.trim().is_empty() {
1606                return Err("finalize.script must not be empty".to_string());
1607            }
1608            // Reject an unparseable timeout at the write boundary so the
1609            // operator sees the error at `job create` rather than getting
1610            // a silent fire-time fallback (`FinalizeSpec::lower` floors to
1611            // 60s, which would otherwise mask a typo).
1612            if humantime::parse_duration(&finalize.timeout).is_err() {
1613                return Err(format!(
1614                    "finalize.timeout '{}' is not a valid duration",
1615                    finalize.timeout
1616                ));
1617            }
1618            // Disallow cmd for finalize: the agent injects the result JSON
1619            // into the hook's environment, and cmd.exe quoting doesn't
1620            // nest — JSON's `"` plus shell metacharacters in a collected
1621            // path/key could break out into command injection at the
1622            // agent's (often LocalSystem) privilege. PowerShell's
1623            // single-quote escaping is safe, and finalize hooks are
1624            // PowerShell by convention anyway.
1625            if finalize.shell == ExecuteShell::Cmd {
1626                return Err(
1627                    "finalize.shell: cmd is not supported for finalize hooks (shell-injection \
1628                     risk when the result JSON is injected into the environment); use powershell"
1629                        .to_string(),
1630                );
1631            }
1632        }
1633        // Stdout-format compatibility (#821). `inventory:` / `check:` /
1634        // `collect:` now COMPOSE: each reads its own `#KANADE-<KIND>-
1635        // BEGIN/END`-fenced JSON block from stdout, so a single job can
1636        // project inventory facts, drive a Health-tab check, AND collect
1637        // files in one run. (A single-hint job may still skip the fence;
1638        // a multi-hint job must fence each block.)
1639        //
1640        // `emit:` remains the exception — its stdout is line-delimited
1641        // NDJSON consumed whole and then omitted from the result — so it
1642        // can't share stdout with any fenced hint.
1643        if self.emit.is_some()
1644            && (self.inventory.is_some() || self.check.is_some() || self.collect.is_some())
1645        {
1646            return Err(
1647                "`emit:` is incompatible with `inventory:` / `check:` / `collect:` — emit's \
1648                 stdout is NDJSON timeline events (consumed whole and omitted from the result), \
1649                 while the others read fenced JSON blocks from stdout"
1650                    .to_string(),
1651            );
1652        }
1653        // A check's `name` is the Health-tab row id (React key); the
1654        // field names tell the agent where to read status/detail.
1655        // An empty value is an invisible runtime bug, and the serde
1656        // defaults don't guard an operator who writes `status_field:
1657        // ""` explicitly — reject all three here.
1658        if let Some(check) = &self.check {
1659            for (label, value) in [
1660                ("check.name", &check.name),
1661                ("check.status_field", &check.status_field),
1662                ("check.detail_field", &check.detail_field),
1663            ] {
1664                if value.trim().is_empty() {
1665                    return Err(format!("{label} must not be empty"));
1666                }
1667            }
1668            // A present-but-blank `troubleshoot` is a broken
1669            // remediation job id (the "修復する" button would target
1670            // an empty manifest id) — reject it too.
1671            if let Some(troubleshoot) = &check.troubleshoot {
1672                if troubleshoot.trim().is_empty() {
1673                    return Err("check.troubleshoot must not be empty when set".to_string());
1674                }
1675            }
1676            // A present-but-blank `label` would render an empty row
1677            // title on the Health tab / Compliance page — reject it so
1678            // the slug fallback only ever kicks in when label is absent.
1679            if let Some(label) = &check.label {
1680                if label.trim().is_empty() {
1681                    return Err("check.label must not be empty when set".to_string());
1682                }
1683            }
1684            if let Some(alert) = &check.alert {
1685                // An alert that names no recipient is a silent no-op.
1686                if !alert.notify_user && alert.notify_groups.is_empty() {
1687                    return Err("check.alert must set notify_user and/or notify_groups".to_string());
1688                }
1689                if alert.title.trim().is_empty() {
1690                    return Err("check.alert.title must not be empty".to_string());
1691                }
1692                // `on: []` would never fire; an empty group name resolves to
1693                // a malformed `notifications.group.` subject.
1694                if alert.on.is_empty() {
1695                    return Err("check.alert.on must list at least one status".to_string());
1696                }
1697                if alert.notify_groups.iter().any(|g| g.trim().is_empty()) {
1698                    return Err("check.alert.notify_groups must not contain blanks".to_string());
1699                }
1700                // Email is addressed via group_contacts (group → email), so
1701                // there must be a group to map. notify_user has no email.
1702                if alert.email && alert.notify_groups.is_empty() {
1703                    return Err(
1704                        "check.alert.email requires notify_groups (email is addressed per group, not per user)"
1705                            .to_string(),
1706                    );
1707                }
1708                // The alert rides the `check_status` projection, which only
1709                // runs for `fleet: true`.
1710                if !check.fleet {
1711                    return Err(
1712                        "check.alert requires fleet: true (the alert rides the compliance projection)"
1713                            .to_string(),
1714                    );
1715                }
1716            }
1717        }
1718        // #291: a `client:` job is rendered in the Client App's
1719        // catalog (`jobs.list` → `jobs.execute`). serde already makes
1720        // `name` + `category` required at parse time; the only gap is
1721        // a present-but-blank `name`, which would render an empty row
1722        // title — reject it like the other display-id fields.
1723        if let Some(client) = &self.client {
1724            if client.name.trim().is_empty() {
1725                return Err("client.name must not be empty".to_string());
1726            }
1727            // #792: category is a free-form key now, so a blank one would
1728            // group the job under an empty tab — reject it like `name`.
1729            if client.category.trim().is_empty() {
1730                return Err("client.category must not be empty".to_string());
1731            }
1732            // Optional display fields, when present, must be
1733            // meaningful: a blank `description` renders an empty
1734            // subtitle and a blank `icon` is a dangling lucide name.
1735            // Same present-but-blank guard the `check:` block applies
1736            // to its optional `troubleshoot` id.
1737            for (label, value) in [
1738                ("client.description", &client.description),
1739                ("client.icon", &client.icon),
1740                ("client.category_label", &client.category_label),
1741                ("client.category_icon", &client.category_icon),
1742            ] {
1743                if let Some(v) = value {
1744                    if v.trim().is_empty() {
1745                        return Err(format!("{label} must not be empty when set"));
1746                    }
1747                }
1748            }
1749            // #816: a present-but-empty `visible_to` (no all/groups/pcs)
1750            // would hide the job from everyone in the Client App — almost
1751            // certainly a mistake. Require at least one selector; omit the
1752            // whole block to mean "visible to all".
1753            if let Some(t) = &client.visible_to {
1754                if !t.is_specified() {
1755                    return Err(
1756                        "client.visible_to must set at least one of all / groups / pcs (omit it for all PCs)"
1757                            .to_string(),
1758                    );
1759                }
1760            }
1761            // show_when: a dynamic display gate keyed on a check result. A
1762            // malformed check slug matches nothing and an empty status list
1763            // matches nothing — both would silently hide the job forever,
1764            // so reject them at create time rather than at a confused
1765            // "why isn't my job showing?" later. The slug must be a clean
1766            // resource id (same charset checks/jobs use): a typo with spaces
1767            // or punctuation can never match a real check name, so catch it
1768            // here instead of failing closed at runtime. (Whether the slug
1769            // names a check that actually EXISTS can't be checked here —
1770            // checks are keyed by name across manifests — so a valid-but-
1771            // unknown slug stays a runtime miss = hidden, the documented
1772            // fail-closed behavior.)
1773            if let Some(sw) = &client.show_when {
1774                if !is_valid_resource_id(sw.check.trim()) {
1775                    return Err(
1776                        "client.show_when.check must be a non-empty check slug ([A-Za-z0-9._-])"
1777                            .to_string(),
1778                    );
1779                }
1780                if sw.is.is_empty() {
1781                    return Err(
1782                        "client.show_when.is must list at least one check status".to_string()
1783                    );
1784                }
1785            }
1786        }
1787        // #219: a `collect:` job's `name` heads the bundle on the SPA
1788        // Collect page (and the Client App row when paired with
1789        // `client:`), `files_field` tells the agent where to read the
1790        // path list, and `max_size` must be a parseable size so a typo
1791        // is caught at create time rather than silently capping the
1792        // bundle at the default on the fire path.
1793        if let Some(collect) = &self.collect {
1794            if collect.name.trim().is_empty() {
1795                return Err("collect.name must not be empty".to_string());
1796            }
1797            if collect.files_field.trim().is_empty() {
1798                return Err("collect.files_field must not be empty".to_string());
1799            }
1800            if let Some(description) = &collect.description {
1801                if description.trim().is_empty() {
1802                    return Err("collect.description must not be empty when set".to_string());
1803                }
1804            }
1805            if let Some(max_size) = &collect.max_size {
1806                parse_size_bytes(max_size).map_err(|e| format!("collect.max_size: {e}"))?;
1807            }
1808        }
1809        // #720/#743: `aggregate:` is a pure read-spec (it never touches
1810        // stdout and is never sent to an agent), so it composes with every
1811        // other hint. The per-widget rules are shared with the standalone
1812        // `view` resource — see [`validate_aggregate_widgets`].
1813        if let Some(widgets) = &self.aggregate {
1814            validate_aggregate_widgets(widgets, "aggregate")?;
1815        }
1816        // A blank / whitespace-only tag is an invisible operator typo
1817        // that would render an empty filter chip on the Jobs page —
1818        // reject it like the other present-but-blank display fields.
1819        for tag in &self.tags {
1820            if tag.trim().is_empty() {
1821                return Err("tags must not contain empty entries".to_string());
1822            }
1823        }
1824        Ok(())
1825    }
1826}
1827
1828#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1829#[serde(rename_all = "lowercase")]
1830pub enum ExecuteShell {
1831    Powershell,
1832    Cmd,
1833}
1834
1835impl From<ExecuteShell> for Shell {
1836    fn from(s: ExecuteShell) -> Self {
1837        match s {
1838            ExecuteShell::Powershell => Shell::Powershell,
1839            ExecuteShell::Cmd => Shell::Cmd,
1840        }
1841    }
1842}
1843
1844#[cfg(test)]
1845mod tests {
1846    use super::*;
1847
1848    #[test]
1849    fn inventory_payload_extracts_fenced_block() {
1850        // Readable message + fenced JSON → only the JSON, trimmed.
1851        let stdout = "Wi-Fi 設定を適用しました。\n\
1852            #KANADE-INVENTORY-BEGIN\n\
1853            {\"applied\": true}\n\
1854            #KANADE-INVENTORY-END\n";
1855        assert_eq!(inventory_payload(stdout), "{\"applied\": true}");
1856    }
1857
1858    #[test]
1859    fn inventory_payload_falls_back_to_whole_stdout() {
1860        // No fence (a plain inventory job) → whole stdout, trimmed.
1861        assert_eq!(
1862            inventory_payload("  {\"ram_gb\": 16}\n"),
1863            "{\"ram_gb\": 16}"
1864        );
1865    }
1866
1867    #[test]
1868    fn inventory_payload_handles_unterminated_fence() {
1869        // Closing marker missing (e.g. truncated) → everything after the
1870        // opener, trimmed.
1871        let stdout = "msg\n#KANADE-INVENTORY-BEGIN\n{\"a\": 1}";
1872        assert_eq!(inventory_payload(stdout), "{\"a\": 1}");
1873    }
1874
1875    #[test]
1876    fn inventory_payload_ignores_mid_line_sentinel() {
1877        // The marker echoed mid-line (not at a line start) must NOT be
1878        // treated as a fence — fall back to the whole stdout.
1879        let stdout = "see #KANADE-INVENTORY-BEGIN in the docs\nnot json";
1880        assert_eq!(inventory_payload(stdout), stdout.trim());
1881    }
1882
1883    #[test]
1884    fn fenced_payload_extracts_each_hint_block_independently() {
1885        // #821: one stdout carrying a user message + all three fenced
1886        // blocks — every consumer pulls only its own.
1887        let stdout = "\
1888done!
1889#KANADE-INVENTORY-BEGIN
1890{\"os\":\"win\"}
1891#KANADE-INVENTORY-END
1892#KANADE-CHECK-BEGIN
1893{\"status\":\"ok\"}
1894#KANADE-CHECK-END
1895#KANADE-COLLECT-BEGIN
1896{\"files\":[\"a\"]}
1897#KANADE-COLLECT-END
1898";
1899        assert_eq!(
1900            fenced_payload(stdout, INVENTORY_BLOCK_BEGIN, INVENTORY_BLOCK_END),
1901            "{\"os\":\"win\"}"
1902        );
1903        assert_eq!(
1904            fenced_payload(stdout, CHECK_BLOCK_BEGIN, CHECK_BLOCK_END),
1905            "{\"status\":\"ok\"}"
1906        );
1907        assert_eq!(
1908            fenced_payload(stdout, COLLECT_BLOCK_BEGIN, COLLECT_BLOCK_END),
1909            "{\"files\":[\"a\"]}"
1910        );
1911    }
1912
1913    #[test]
1914    fn fenced_payload_falls_back_to_whole_stdout_without_fence() {
1915        // A single-hint job needs no fence — the whole (trimmed) stdout is
1916        // the payload.
1917        let stdout = "  {\"files\":[\"a\"]}  ";
1918        assert_eq!(
1919            fenced_payload(stdout, COLLECT_BLOCK_BEGIN, COLLECT_BLOCK_END),
1920            "{\"files\":[\"a\"]}"
1921        );
1922    }
1923
1924    #[test]
1925    fn fenced_payload_returns_empty_when_other_fences_present_but_mine_missing() {
1926        // Multi-hint output (inventory + check fenced) but the COLLECT
1927        // fence is missing — collect must NOT fall back to the whole
1928        // stdout (which holds the inventory/check blocks) and cross-parse
1929        // a sibling block; it gets "" → its JSON parse fails → no data.
1930        let stdout = "\
1931#KANADE-INVENTORY-BEGIN
1932{\"os\":\"win\"}
1933#KANADE-INVENTORY-END
1934#KANADE-CHECK-BEGIN
1935{\"status\":\"ok\"}
1936#KANADE-CHECK-END
1937";
1938        assert_eq!(
1939            fenced_payload(stdout, COLLECT_BLOCK_BEGIN, COLLECT_BLOCK_END),
1940            ""
1941        );
1942        // ...while the hints that DID fence still extract correctly.
1943        assert_eq!(
1944            fenced_payload(stdout, INVENTORY_BLOCK_BEGIN, INVENTORY_BLOCK_END),
1945            "{\"os\":\"win\"}"
1946        );
1947    }
1948
1949    /// The example check-job + schedule YAMLs shipped under `configs/`
1950    /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
1951    /// pins them at compile time so a breaking edit fails `cargo test`
1952    /// rather than only `kanade job create` at deploy time.
1953    #[test]
1954    fn example_check_job_yamls_parse_and_validate() {
1955        let jobs = [
1956            (
1957                "check-bitlocker",
1958                include_str!("../../../configs/jobs/check-bitlocker.yaml"),
1959            ),
1960            (
1961                "check-av-signature",
1962                include_str!("../../../configs/jobs/check-av-signature.yaml"),
1963            ),
1964            (
1965                "check-cert-expiry",
1966                include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
1967            ),
1968            (
1969                "check-disk-space",
1970                include_str!("../../../configs/jobs/check-disk-space.yaml"),
1971            ),
1972            (
1973                "check-pending-reboot",
1974                include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
1975            ),
1976            (
1977                "check-defender-rtp",
1978                include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
1979            ),
1980            (
1981                "check-firewall",
1982                include_str!("../../../configs/jobs/check-firewall.yaml"),
1983            ),
1984        ];
1985        for (name, yaml) in jobs {
1986            let m: Manifest =
1987                serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
1988            m.validate()
1989                .unwrap_or_else(|e| panic!("{name} validate: {e}"));
1990            let check = m
1991                .check
1992                .as_ref()
1993                .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
1994            assert!(!check.name.trim().is_empty(), "{name} check.name empty");
1995            // These examples all read admin-only WMI / registry / netsh
1996            // state, so they run_as system. NOTE: that's a property of
1997            // these particular checks, NOT of the `check:` contract — a
1998            // check probing user-session state could run_as user.
1999            assert_eq!(
2000                m.execute.run_as,
2001                RunAs::System,
2002                "{name} should run_as system"
2003            );
2004        }
2005    }
2006
2007    /// The example user-invokable job YAMLs (#291) shipped under
2008    /// `configs/jobs/` must stay valid as the `client:` schema
2009    /// evolves. `include_str!` pins them at compile time so a breaking
2010    /// edit fails `cargo test`, not `kanade job create` at deploy.
2011    #[test]
2012    fn example_client_job_yamls_parse_and_validate() {
2013        let jobs = [
2014            (
2015                "fix-teams-cache",
2016                "troubleshoot",
2017                include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
2018            ),
2019            (
2020                "chrome-update",
2021                "software_update",
2022                include_str!("../../../configs/jobs/chrome-update.yaml"),
2023            ),
2024            (
2025                "install-slack",
2026                "catalog",
2027                include_str!("../../../configs/jobs/install-slack.yaml"),
2028            ),
2029            (
2030                "fix-defender-rtp",
2031                "troubleshoot",
2032                include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
2033            ),
2034            // #792 custom category ("settings") + #809 message/inventory.
2035            (
2036                "example-power-plan",
2037                "settings",
2038                include_str!("../../../configs/jobs/example-power-plan.yaml"),
2039            ),
2040            // #792: diagnostics moved to its own "support" tab.
2041            (
2042                "collect-diagnostics",
2043                "support",
2044                include_str!("../../../configs/jobs/collect-diagnostics.yaml"),
2045            ),
2046        ];
2047        for (id, category, yaml) in jobs {
2048            let m: Manifest =
2049                serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
2050            m.validate()
2051                .unwrap_or_else(|e| panic!("{id} validate: {e}"));
2052            assert_eq!(m.id, id, "{id} id mismatch");
2053            let client = m
2054                .client
2055                .as_ref()
2056                .unwrap_or_else(|| panic!("{id} must carry a client: block"));
2057            assert!(!client.name.trim().is_empty(), "{id} client.name empty");
2058            assert_eq!(client.category, category, "{id} category");
2059        }
2060    }
2061
2062    /// #219: the shipped `collect:` example must stay valid as the
2063    /// schema evolves. `include_str!` pins it at compile time so a
2064    /// breaking edit (or a YAML typo in the PowerShell block) fails
2065    /// `cargo test` rather than `kanade job create` at deploy. It carries
2066    /// both `collect:` and `client:` (end-user-triggerable), which must
2067    /// compose.
2068    #[test]
2069    fn example_collect_job_yaml_parses_and_validates() {
2070        let yaml = include_str!("../../../configs/jobs/collect-diagnostics.yaml");
2071        let m: Manifest = serde_yaml::from_str(yaml).expect("collect-diagnostics parse");
2072        m.validate().expect("collect-diagnostics validate");
2073        assert_eq!(m.id, "collect-diagnostics");
2074        let collect = m.collect.as_ref().expect("collect: block present");
2075        assert!(!collect.name.trim().is_empty());
2076        assert_eq!(collect.files_field, "files");
2077        assert_eq!(collect.max_size_bytes(), 50_000_000);
2078        // collect + client compose — the Client App can trigger it.
2079        assert!(
2080            m.client.is_some(),
2081            "collect-diagnostics also carries client:"
2082        );
2083    }
2084
2085    /// The `emit: { type: events }` collector jobs under
2086    /// `configs/jobs/` feed the obs_events timeline. `include_str!`
2087    /// pins them at compile time so a breaking edit (e.g. an `emit:`
2088    /// paired with `check:`/`inventory:`, a bad watermark field, or a
2089    /// YAML typo in the PowerShell block) fails `cargo test` rather
2090    /// than `kanade job create` at deploy. Every one must carry an
2091    /// `emit.type=events` block and NO check/inventory (validate()
2092    /// rejects the pairing).
2093    #[test]
2094    fn example_event_collector_job_yamls_parse_and_validate() {
2095        let jobs = [
2096            // collect-winlog-events was retired in #841 PR2 — the scheduled
2097            // human-session / power timeline is now read natively by the
2098            // agent (kanade-agent `winlog` module via EvtQuery), no
2099            // PowerShell job. collect-winlog-logons-all stays as the
2100            // on-demand forensic all-token-logons companion.
2101            (
2102                "collect-winlog-logons-all",
2103                include_str!("../../../configs/jobs/collect-winlog-logons-all.yaml"),
2104            ),
2105            (
2106                "collect-wlan-events",
2107                include_str!("../../../configs/jobs/collect-wlan-events.yaml"),
2108            ),
2109        ];
2110        for (id, yaml) in jobs {
2111            // Strict parse so an unknown-key typo in these fixtures fails
2112            // here (not silently at deploy) — the runtime Manifest is
2113            // unknown-key-tolerant, so the lenient serde_yaml::from_str
2114            // wouldn't catch fixture drift (CodeRabbit #689).
2115            let m: Manifest =
2116                crate::strict::from_yaml_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
2117            m.validate()
2118                .unwrap_or_else(|e| panic!("{id} validate: {e}"));
2119            assert_eq!(m.id, id, "{id} id mismatch");
2120            let emit = m
2121                .emit
2122                .as_ref()
2123                .unwrap_or_else(|| panic!("{id} must carry an emit: block"));
2124            assert_eq!(emit.kind, EmitKind::Events, "{id} emit.type");
2125            assert!(
2126                m.check.is_none() && m.inventory.is_none(),
2127                "{id}: emit jobs must not pair with check/inventory"
2128            );
2129        }
2130    }
2131
2132    /// The `inventory:` snapshot jobs under `configs/jobs/` project
2133    /// facts into `inventory_facts` + exploded tables. `include_str!`
2134    /// pins them at compile time so a breaking edit (bad explode
2135    /// schema, a YAML typo in the PowerShell block, an `inventory:`
2136    /// accidentally paired with `emit:`) fails `cargo test` rather
2137    /// than the projector at deploy. Each must carry an `inventory:`
2138    /// block and NO emit (validate() rejects the pairing).
2139    #[test]
2140    fn example_inventory_job_yamls_parse_and_validate() {
2141        let jobs = [
2142            (
2143                "inventory-hw",
2144                include_str!("../../../configs/jobs/inventory-hw.yaml"),
2145            ),
2146            (
2147                "inventory-sw",
2148                include_str!("../../../configs/jobs/inventory-sw.yaml"),
2149            ),
2150            (
2151                "inventory-driver",
2152                include_str!("../../../configs/jobs/inventory-driver.yaml"),
2153            ),
2154        ];
2155        for (id, yaml) in jobs {
2156            let m: Manifest =
2157                serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
2158            m.validate()
2159                .unwrap_or_else(|e| panic!("{id} validate: {e}"));
2160            assert_eq!(m.id, id, "{id} id mismatch");
2161            assert!(m.inventory.is_some(), "{id} must carry an inventory: block");
2162            assert!(m.emit.is_none(), "{id}: inventory jobs must not set emit:");
2163        }
2164    }
2165
2166    #[test]
2167    fn example_check_schedule_yamls_parse_and_validate() {
2168        let schedules = [
2169            (
2170                "check-bitlocker",
2171                include_str!("../../../configs/schedules/check-bitlocker.yaml"),
2172            ),
2173            (
2174                "check-av-signature",
2175                include_str!("../../../configs/schedules/check-av-signature.yaml"),
2176            ),
2177            (
2178                "check-cert-expiry",
2179                include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
2180            ),
2181            (
2182                "check-disk-space",
2183                include_str!("../../../configs/schedules/check-disk-space.yaml"),
2184            ),
2185            (
2186                "check-pending-reboot",
2187                include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
2188            ),
2189            (
2190                "check-defender-rtp",
2191                include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
2192            ),
2193            (
2194                "check-firewall",
2195                include_str!("../../../configs/schedules/check-firewall.yaml"),
2196            ),
2197        ];
2198        for (name, yaml) in schedules {
2199            let s: Schedule =
2200                serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
2201            s.validate()
2202                .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
2203            assert_eq!(s.job_id, name, "{name} schedule must reference its job");
2204        }
2205    }
2206
2207    /// Inventory schedule wrappers (`per_pc` cadence) must stay valid
2208    /// alongside the schedule schema. `include_str!` pins them so a
2209    /// breaking edit fails `cargo test`, not `kanade schedule create`.
2210    #[test]
2211    fn example_inventory_schedule_yamls_parse_and_validate() {
2212        let schedules = [
2213            (
2214                "inventory-hw",
2215                include_str!("../../../configs/schedules/inventory-hw.yaml"),
2216            ),
2217            (
2218                "inventory-sw",
2219                include_str!("../../../configs/schedules/inventory-sw.yaml"),
2220            ),
2221            (
2222                "inventory-driver",
2223                include_str!("../../../configs/schedules/inventory-driver.yaml"),
2224            ),
2225        ];
2226        for (name, yaml) in schedules {
2227            let s: Schedule =
2228                serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
2229            s.validate()
2230                .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
2231            assert_eq!(s.job_id, name, "{name} schedule must reference its job");
2232        }
2233    }
2234
2235    #[test]
2236    fn target_is_specified_requires_at_least_one_field() {
2237        let empty = Target::default();
2238        assert!(!empty.is_specified());
2239
2240        let with_all = Target {
2241            all: true,
2242            ..Target::default()
2243        };
2244        assert!(with_all.is_specified());
2245
2246        let with_groups = Target {
2247            groups: vec!["canary".into()],
2248            ..Target::default()
2249        };
2250        assert!(with_groups.is_specified());
2251
2252        let with_pcs = Target {
2253            pcs: vec!["pc-01".into()],
2254            ..Target::default()
2255        };
2256        assert!(with_pcs.is_specified());
2257    }
2258
2259    #[test]
2260    fn manifest_deserialises_minimal_yaml() {
2261        // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
2262        // — those live on the schedule / exec request now.
2263        let yaml = r#"
2264id: echo-test
2265version: 0.0.1
2266execute:
2267  shell: powershell
2268  script: "echo 'kanade'"
2269  timeout: 30s
2270"#;
2271        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2272        assert_eq!(m.id, "echo-test");
2273        assert_eq!(m.version, "0.0.1");
2274        assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
2275        assert_eq!(
2276            m.execute.script.as_deref().map(str::trim),
2277            Some("echo 'kanade'")
2278        );
2279        assert!(m.execute.script_file.is_none());
2280        assert!(m.execute.script_object.is_none());
2281        assert_eq!(m.execute.timeout, "30s");
2282        assert!(!m.require_approval);
2283        m.validate()
2284            .expect("inline-script manifest passes validation");
2285    }
2286
2287    #[test]
2288    fn manifest_parses_check_job_and_validates() {
2289        // An operator-defined health check (#290): a `check:` hint +
2290        // a PowerShell script that prints {status, detail}.
2291        let yaml = r#"
2292id: check-bitlocker
2293version: 0.1.0
2294execute:
2295  shell: powershell
2296  run_as: system
2297  timeout: 15s
2298  script: |
2299    [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
2300check:
2301  name: bitlocker
2302  troubleshoot: fix-bitlocker
2303"#;
2304        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2305        let check = m.check.as_ref().expect("check hint present");
2306        assert_eq!(check.name, "bitlocker");
2307        assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
2308        // Field names default to the conventional "status" / "detail".
2309        assert_eq!(check.status_field, "status");
2310        assert_eq!(check.detail_field, "detail");
2311        assert!(m.inventory.is_none() && m.emit.is_none());
2312        m.validate().expect("check-only manifest passes validation");
2313    }
2314
2315    #[test]
2316    fn manifest_check_defaults_and_custom_fields() {
2317        // Minimal: only `name`; status/detail fields default.
2318        let m: Manifest = serde_yaml::from_str(
2319            r#"
2320id: check-disk
2321version: 0.1.0
2322execute:
2323  shell: powershell
2324  script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
2325  timeout: 10s
2326check:
2327  name: disk_free
2328"#,
2329        )
2330        .expect("parse");
2331        let c = m.check.as_ref().unwrap();
2332        assert_eq!(c.name, "disk_free");
2333        assert_eq!(c.status_field, "status");
2334        assert_eq!(c.detail_field, "detail");
2335        assert!(c.troubleshoot.is_none());
2336        m.validate().expect("validates");
2337
2338        // The operator can point status/detail at any field of their
2339        // free-form inventory object.
2340        let m2: Manifest = serde_yaml::from_str(
2341            r#"
2342id: check-custom
2343version: 0.1.0
2344execute:
2345  shell: powershell
2346  script: "echo x"
2347  timeout: 10s
2348check:
2349  name: patch_level
2350  status_field: compliance
2351  detail_field: summary
2352"#,
2353        )
2354        .expect("parse");
2355        let c2 = m2.check.as_ref().unwrap();
2356        assert_eq!(c2.status_field, "compliance");
2357        assert_eq!(c2.detail_field, "summary");
2358    }
2359
2360    #[test]
2361    fn manifest_allows_check_composed_with_inventory() {
2362        // `check:` + `inventory:` COMPOSE on the same stdout object:
2363        // status/detail → Health tab, the rest → SPA projection +
2364        // explode sub-tables. Must pass validation.
2365        let yaml = r#"
2366id: check-bitlocker-detailed
2367version: 0.1.0
2368execute:
2369  shell: powershell
2370  script: "echo x"
2371  timeout: 10s
2372check:
2373  name: bitlocker
2374inventory:
2375  display:
2376    - { field: status, label: Status }
2377"#;
2378        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2379        assert!(m.check.is_some() && m.inventory.is_some());
2380        m.validate().expect("check + inventory compose");
2381    }
2382
2383    #[test]
2384    fn manifest_parses_collect_job_and_validates() {
2385        // #219: a `collect:` hint + a script that lists files on stdout.
2386        let yaml = r#"
2387id: collect-diagnostics
2388version: 0.1.0
2389execute:
2390  shell: powershell
2391  run_as: system
2392  timeout: 120s
2393  script: |
2394    @{ files = @("$env:KANADE_COLLECT_DIR/system.csv") } | ConvertTo-Json
2395collect:
2396  name: "Full diagnostics"
2397  description: "Event logs + process"
2398  max_size: 50MB
2399"#;
2400        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2401        let c = m.collect.as_ref().expect("collect hint present");
2402        assert_eq!(c.name, "Full diagnostics");
2403        assert_eq!(c.files_field, "files"); // default
2404        assert_eq!(c.max_size_bytes(), 50_000_000);
2405        m.validate().expect("collect-only manifest validates");
2406    }
2407
2408    #[test]
2409    fn manifest_finalize_powershell_validates_and_lowers() {
2410        let yaml = r#"
2411id: collect-fin
2412version: 0.1.0
2413execute:
2414  shell: powershell
2415  timeout: 120s
2416  script: |
2417    @{ files = @() } | ConvertTo-Json
2418collect:
2419  name: "diag"
2420  max_size: 50MB
2421finalize:
2422  shell: powershell
2423  timeout: 30s
2424  run_as: system
2425  script: |
2426    Write-Output "cleanup"
2427"#;
2428        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2429        m.validate().expect("powershell finalize validates");
2430        let lowered = m.finalize.as_ref().expect("finalize present").lower();
2431        assert_eq!(lowered.timeout_secs, 30);
2432        assert!(matches!(lowered.shell, Shell::Powershell));
2433    }
2434
2435    #[test]
2436    fn manifest_finalize_rejects_cmd_shell() {
2437        // cmd finalize is an injection risk (the agent injects JSON into
2438        // the hook's env; cmd.exe quoting doesn't nest) — validate must
2439        // reject it.
2440        let yaml = r#"
2441id: collect-fin-cmd
2442version: 0.1.0
2443execute:
2444  shell: powershell
2445  timeout: 120s
2446  script: |
2447    @{ files = @() } | ConvertTo-Json
2448finalize:
2449  shell: cmd
2450  script: |
2451    echo hi
2452"#;
2453        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2454        let err = m.validate().expect_err("cmd finalize rejected");
2455        assert!(err.contains("finalize.shell"), "got: {err}");
2456    }
2457
2458    #[test]
2459    fn manifest_finalize_rejects_empty_script() {
2460        let yaml = r#"
2461id: collect-fin-empty
2462version: 0.1.0
2463execute:
2464  shell: powershell
2465  timeout: 120s
2466  script: |
2467    @{ files = @() } | ConvertTo-Json
2468finalize:
2469  shell: powershell
2470  script: "   "
2471"#;
2472        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2473        let err = m.validate().expect_err("empty finalize script rejected");
2474        assert!(err.contains("finalize.script"), "got: {err}");
2475    }
2476
2477    #[test]
2478    fn manifest_collect_max_size_defaults_when_unset() {
2479        let m: Manifest = serde_yaml::from_str(
2480            r#"
2481id: collect-min
2482version: 0.1.0
2483execute:
2484  shell: powershell
2485  script: "echo x"
2486  timeout: 10s
2487collect:
2488  name: minimal
2489"#,
2490        )
2491        .expect("parse");
2492        let c = m.collect.as_ref().unwrap();
2493        assert!(c.max_size.is_none());
2494        assert_eq!(c.max_size_bytes(), DEFAULT_COLLECT_MAX_SIZE);
2495        m.validate().expect("validates");
2496    }
2497
2498    #[test]
2499    fn manifest_allows_collect_with_client() {
2500        // collect composes with client (client doesn't touch stdout):
2501        // an end user can trigger a collection from the Client App.
2502        let yaml = r#"
2503id: collect-diag-client
2504version: 0.1.0
2505execute:
2506  shell: powershell
2507  script: "echo x"
2508  timeout: 10s
2509collect:
2510  name: diagnostics
2511client:
2512  name: "Send diagnostics"
2513  category: troubleshoot
2514"#;
2515        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2516        assert!(m.collect.is_some() && m.client.is_some());
2517        m.validate().expect("collect + client compose");
2518    }
2519
2520    #[test]
2521    fn manifest_allows_inventory_check_collect_coexistence() {
2522        // #821: the three fenced hints now COMPOSE — each reads its own
2523        // `#KANADE-<KIND>` stdout block, so one job can do all three.
2524        let yaml = r#"
2525id: multi-hint
2526version: 0.1.0
2527execute:
2528  shell: powershell
2529  script: "echo x"
2530  timeout: 10s
2531inventory:
2532  display:
2533    - { field: status, label: Status }
2534check:
2535  name: health
2536collect:
2537  name: diag
2538"#;
2539        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2540        m.validate()
2541            .expect("inventory + check + collect coexist after #821");
2542    }
2543
2544    #[test]
2545    fn manifest_rejects_emit_combined_with_fenced_hints() {
2546        // `emit:` consumes stdout as NDJSON (and blanks it), so it still
2547        // can't share with any fenced hint — inventory, check, OR collect.
2548        for extra in [
2549            "inventory:\n  display:\n    - { field: s, label: S }\n",
2550            "check:\n  name: health\n",
2551            "collect:\n  name: diag\n",
2552        ] {
2553            let yaml = format!(
2554                "id: bad-emit-mix\nversion: 0.1.0\nexecute:\n  shell: powershell\n  \
2555                 script: \"echo x\"\n  timeout: 10s\nemit:\n  type: events\n{extra}"
2556            );
2557            let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
2558            let err = m
2559                .validate()
2560                .expect_err("emit + fenced hint must be rejected");
2561            assert!(err.contains("emit"), "error mentions emit: {err}");
2562        }
2563    }
2564
2565    #[test]
2566    fn manifest_rejects_collect_empty_name_and_bad_size() {
2567        let empty_name: Manifest = serde_yaml::from_str(
2568            r#"
2569id: c
2570version: 0.1.0
2571execute: { shell: powershell, script: "echo x", timeout: 10s }
2572collect: { name: "  " }
2573"#,
2574        )
2575        .expect("parse");
2576        assert!(
2577            empty_name.validate().is_err(),
2578            "blank collect.name rejected"
2579        );
2580
2581        let bad_size: Manifest = serde_yaml::from_str(
2582            r#"
2583id: c
2584version: 0.1.0
2585execute: { shell: powershell, script: "echo x", timeout: 10s }
2586collect: { name: diag, max_size: "50 quux" }
2587"#,
2588        )
2589        .expect("parse");
2590        let err = bad_size.validate().expect_err("bad max_size rejected");
2591        assert!(err.contains("max_size"), "error mentions max_size: {err}");
2592    }
2593
2594    #[test]
2595    fn parse_size_bytes_units() {
2596        assert_eq!(parse_size_bytes("1024").unwrap(), 1024);
2597        assert_eq!(parse_size_bytes("1B").unwrap(), 1);
2598        assert_eq!(parse_size_bytes("50MB").unwrap(), 50_000_000);
2599        assert_eq!(parse_size_bytes("500 KB").unwrap(), 500_000);
2600        assert_eq!(parse_size_bytes("1GiB").unwrap(), 1024 * 1024 * 1024);
2601        assert_eq!(parse_size_bytes("2mib").unwrap(), 2 * 1024 * 1024);
2602        assert!(parse_size_bytes("").is_err());
2603        assert!(parse_size_bytes("MB").is_err());
2604        assert!(parse_size_bytes("12 zonks").is_err());
2605    }
2606
2607    #[test]
2608    fn manifest_rejects_check_combined_with_emit() {
2609        // `emit:` stdout is NDJSON (and omitted from the result), so
2610        // it can't pair with `check:` (which needs a single JSON
2611        // object on stdout).
2612        let yaml = r#"
2613id: bad-mix
2614version: 0.1.0
2615execute:
2616  shell: powershell
2617  script: "echo x"
2618  timeout: 10s
2619check:
2620  name: bitlocker
2621emit:
2622  type: events
2623"#;
2624        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2625        let err = m.validate().expect_err("emit + check must fail");
2626        assert!(err.contains("incompatible"), "err: {err}");
2627    }
2628
2629    #[test]
2630    fn manifest_rejects_emit_combined_with_inventory() {
2631        // The other half of the emit-incompatibility condition.
2632        let yaml = r#"
2633id: bad-mix-2
2634version: 0.1.0
2635execute:
2636  shell: powershell
2637  script: "echo x"
2638  timeout: 10s
2639emit:
2640  type: events
2641inventory:
2642  display:
2643    - { field: status, label: Status }
2644"#;
2645        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2646        let err = m.validate().expect_err("emit + inventory must fail");
2647        assert!(err.contains("incompatible"), "err: {err}");
2648    }
2649
2650    #[test]
2651    fn manifest_rejects_empty_check_field_names() {
2652        // Empty name / status_field / detail_field are invisible
2653        // runtime bugs (empty React key, agent reads the wrong field)
2654        // — reject them even though serde supplies non-empty defaults.
2655        let base = |inner: &str| {
2656            format!(
2657                "id: c\nversion: 0.1.0\nexecute:\n  shell: powershell\n  script: \"echo x\"\n  timeout: 10s\ncheck:\n{inner}"
2658            )
2659        };
2660        for inner in [
2661            "  name: \"\"\n",
2662            "  name: ok\n  status_field: \"\"\n",
2663            "  name: ok\n  detail_field: \"   \"\n",
2664            // present-but-blank troubleshoot → broken remediation id.
2665            "  name: ok\n  troubleshoot: \"  \"\n",
2666        ] {
2667            let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
2668            let err = m.validate().expect_err("empty field must fail");
2669            assert!(err.contains("must not be empty"), "err: {err}");
2670        }
2671    }
2672
2673    #[test]
2674    fn check_alert_decodes_with_defaults_and_validates() {
2675        let yaml = r#"
2676id: c
2677version: 0.1.0
2678execute:
2679  shell: powershell
2680  script: "echo x"
2681  timeout: 10s
2682check:
2683  name: bitlocker
2684  alert:
2685    notify_user: true
2686    title: "BitLocker 未準拠"
2687"#;
2688        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2689        m.validate().expect("valid alert");
2690        let alert = m.check.unwrap().alert.unwrap();
2691        // Defaults: on = [fail], priority = warn, body = None.
2692        assert_eq!(alert.on, vec![CheckAlertStatus::Fail]);
2693        assert_eq!(
2694            alert.priority,
2695            crate::ipc::notifications::NotificationPriority::Warn
2696        );
2697        assert!(alert.body.is_none());
2698        assert!(alert.notify_user);
2699    }
2700
2701    #[test]
2702    fn check_alert_validation_rejects_bad_configs() {
2703        let base = |alert: &str| {
2704            format!(
2705                "id: c\nversion: 0.1.0\nexecute:\n  shell: powershell\n  script: \"echo x\"\n  timeout: 10s\ncheck:\n  name: bitlocker\n  alert:\n{alert}"
2706            )
2707        };
2708        let cases = [
2709            // No recipient.
2710            ("    title: t\n", "notify_user and/or notify_groups"),
2711            // Empty title.
2712            (
2713                "    notify_user: true\n    title: \"  \"\n",
2714                "title must not be empty",
2715            ),
2716            // Empty `on`.
2717            (
2718                "    notify_user: true\n    title: t\n    on: []\n",
2719                "on must list at least one status",
2720            ),
2721            // Blank group name.
2722            (
2723                "    notify_groups: [\"  \"]\n    title: t\n",
2724                "notify_groups must not contain blanks",
2725            ),
2726            // alert requires fleet: true.
2727            (
2728                "    notify_user: true\n    title: t\n  fleet: false\n",
2729                "requires fleet: true",
2730            ),
2731            // email opt-in without a group to address.
2732            (
2733                "    notify_user: true\n    email: true\n    title: t\n",
2734                "email requires notify_groups",
2735            ),
2736        ];
2737        for (alert, want) in cases {
2738            let m: Manifest = serde_yaml::from_str(&base(alert)).expect("parse");
2739            let err = m.validate().expect_err("bad alert must fail");
2740            assert!(err.contains(want), "for {alert:?}: got {err}");
2741        }
2742    }
2743
2744    #[test]
2745    fn manifest_client_absent_by_default() {
2746        // A plain operator job (the overwhelming majority) carries no
2747        // `client:` block, so it never surfaces in the end-user
2748        // catalog.
2749        let yaml = r#"
2750id: echo-test
2751version: 0.0.1
2752execute:
2753  shell: powershell
2754  script: "echo 'kanade'"
2755  timeout: 30s
2756"#;
2757        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2758        assert!(m.client.is_none());
2759        m.validate().expect("operator-only job validates");
2760    }
2761
2762    #[test]
2763    fn manifest_client_parses_and_validates() {
2764        // The Client App "困ったとき" remediation job shape: a
2765        // user-invokable troubleshoot job with the end-user fields the
2766        // KLP `jobs.list` wire needs, grouped under `client:`.
2767        let yaml = r#"
2768id: fix-teams-cache
2769version: 1.0.0
2770execute:
2771  shell: powershell
2772  script: "echo clearing"
2773  timeout: 60s
2774client:
2775  name: "Teams のキャッシュをクリア"
2776  description: "Teams が重いときに試してください"
2777  category: troubleshoot
2778  icon: brush-cleaning
2779"#;
2780        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2781        let c = m.client.as_ref().expect("client block present");
2782        assert_eq!(c.name, "Teams のキャッシュをクリア");
2783        assert_eq!(
2784            c.description.as_deref(),
2785            Some("Teams が重いときに試してください")
2786        );
2787        assert_eq!(c.category, "troubleshoot");
2788        assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
2789        m.validate().expect("user-invokable job validates");
2790    }
2791
2792    #[test]
2793    fn manifest_client_minimal_only_name_and_category() {
2794        // description + icon are optional; name + category are the
2795        // serde-required minimum.
2796        let yaml = r#"
2797id: install-slack
2798version: 1.0.0
2799execute:
2800  shell: powershell
2801  script: "echo install"
2802  timeout: 600s
2803client:
2804  name: Slack
2805  category: catalog
2806"#;
2807        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2808        let c = m.client.as_ref().expect("client present");
2809        assert_eq!(c.category, "catalog");
2810        assert!(c.description.is_none() && c.icon.is_none());
2811        m.validate().expect("minimal client validates");
2812    }
2813
2814    #[test]
2815    fn manifest_client_rejects_blank_name() {
2816        // serde guarantees `name`/`category` are present; the one gap
2817        // is a present-but-blank name → empty catalog row title.
2818        let yaml = r#"
2819id: j
2820version: 1.0.0
2821execute:
2822  shell: powershell
2823  script: "echo x"
2824  timeout: 30s
2825client:
2826  name: "   "
2827  category: catalog
2828"#;
2829        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2830        let err = m.validate().expect_err("blank name must fail");
2831        assert!(err.contains("client.name"), "err: {err}");
2832    }
2833
2834    #[test]
2835    fn manifest_client_rejects_blank_optional_fields() {
2836        // description / icon are optional, but a present-but-blank
2837        // value is a bug (empty subtitle / dangling icon name) — reject
2838        // it, mirroring the check: block's troubleshoot guard.
2839        for (field, line) in [
2840            ("client.description", "  description: \"  \"\n"),
2841            ("client.icon", "  icon: \"\"\n"),
2842            // #792: the new category tab-metadata fields get the same
2843            // present-but-blank guard.
2844            ("client.category_label", "  category_label: \"  \"\n"),
2845            ("client.category_icon", "  category_icon: \"\"\n"),
2846        ] {
2847            let yaml = format!(
2848                "id: j\nversion: 1.0.0\nexecute:\n  shell: powershell\n  script: \"echo x\"\n  timeout: 30s\nclient:\n  name: A\n  category: catalog\n{line}"
2849            );
2850            let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
2851            let err = m.validate().expect_err("blank optional field must fail");
2852            assert!(err.contains(field), "expected {field} in err: {err}");
2853        }
2854    }
2855
2856    #[test]
2857    fn manifest_client_rejects_blank_category() {
2858        // #792: category is a free-form key now; serde keeps it required,
2859        // but a present-but-blank value would group the job under an empty
2860        // tab — validate() must reject it.
2861        let yaml = r#"
2862id: j
2863version: 1.0.0
2864execute:
2865  shell: powershell
2866  script: "echo x"
2867  timeout: 30s
2868client:
2869  name: "A job"
2870  category: "   "
2871"#;
2872        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2873        let err = m.validate().expect_err("blank category must fail");
2874        assert!(err.contains("client.category"), "err: {err}");
2875    }
2876
2877    #[test]
2878    fn target_matches_pc_group_and_all() {
2879        // #816: pc match, group match, all, and the no-match case.
2880        let by_pc = Target {
2881            pcs: vec!["PC1".into()],
2882            ..Default::default()
2883        };
2884        assert!(by_pc.matches("PC1", &[]));
2885        assert!(!by_pc.matches("PC2", &["g1".into()]));
2886
2887        let by_group = Target {
2888            groups: vec!["g1".into()],
2889            ..Default::default()
2890        };
2891        assert!(by_group.matches("PC2", &["g1".into()]));
2892        assert!(!by_group.matches("PC2", &["g2".into()]));
2893
2894        let all = Target {
2895            all: true,
2896            ..Default::default()
2897        };
2898        assert!(all.matches("anyPC", &[]));
2899    }
2900
2901    #[test]
2902    fn manifest_client_rejects_empty_visible_to() {
2903        // #816: a present-but-empty visible_to (no all/groups/pcs) would
2904        // hide the job from everyone — validate() must reject it.
2905        let yaml = r#"
2906id: j
2907version: 1.0.0
2908execute:
2909  shell: powershell
2910  script: "echo x"
2911  timeout: 30s
2912client:
2913  name: "A job"
2914  category: troubleshoot
2915  visible_to: {}
2916"#;
2917        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2918        let err = m.validate().expect_err("empty visible_to must fail");
2919        assert!(err.contains("client.visible_to"), "err: {err}");
2920    }
2921
2922    #[test]
2923    fn manifest_client_accepts_visible_to_groups() {
2924        let yaml = r#"
2925id: j
2926version: 1.0.0
2927execute:
2928  shell: powershell
2929  script: "echo x"
2930  timeout: 30s
2931client:
2932  name: "A job"
2933  category: settings
2934  visible_to:
2935    groups: [wifi-affected]
2936"#;
2937        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2938        m.validate().expect("visible_to with a group validates");
2939        let vt = m.client.unwrap().visible_to.unwrap();
2940        assert_eq!(vt.groups, vec!["wifi-affected".to_string()]);
2941    }
2942
2943    #[test]
2944    fn manifest_client_show_when_accepts_scalar_and_seq() {
2945        use crate::ipc::state::CheckStatus;
2946        // `is:` accepts a single status (author ergonomics) ...
2947        let scalar = r#"
2948id: office-update
2949version: 1.0.0
2950execute:
2951  shell: powershell
2952  script: "echo x"
2953  timeout: 30s
2954client:
2955  name: "Office を最新に更新"
2956  category: software_update
2957  show_when:
2958    check: office-up-to-date
2959    is: fail
2960"#;
2961        let m: Manifest = serde_yaml::from_str(scalar).expect("parse scalar");
2962        m.validate().expect("scalar show_when validates");
2963        let sw = m.client.unwrap().show_when.unwrap();
2964        assert_eq!(sw.check, "office-up-to-date");
2965        assert_eq!(sw.is, vec![CheckStatus::Fail]);
2966
2967        // ... and a list (e.g. fail-open on a not-yet-run check).
2968        let seq = scalar.replace("is: fail", "is: [fail, unknown]");
2969        let m: Manifest = serde_yaml::from_str(&seq).expect("parse seq");
2970        m.validate().expect("seq show_when validates");
2971        assert_eq!(
2972            m.client.unwrap().show_when.unwrap().is,
2973            vec![CheckStatus::Fail, CheckStatus::Unknown]
2974        );
2975    }
2976
2977    #[test]
2978    fn manifest_client_show_when_rejects_empty() {
2979        // A malformed check slug (here: internal spaces — a typo that could
2980        // never match a real check name) or an empty status list would
2981        // silently hide the job forever — validate() must reject both.
2982        let bad_check = r#"
2983id: j
2984version: 1.0.0
2985execute:
2986  shell: powershell
2987  script: "echo x"
2988  timeout: 30s
2989client:
2990  name: "A job"
2991  category: software_update
2992  show_when:
2993    check: "office up to date"
2994    is: fail
2995"#;
2996        let m: Manifest = serde_yaml::from_str(bad_check).expect("parse");
2997        let err = m.validate().expect_err("malformed check slug must fail");
2998        assert!(err.contains("client.show_when.check"), "err: {err}");
2999
3000        let empty_is = r#"
3001id: j
3002version: 1.0.0
3003execute:
3004  shell: powershell
3005  script: "echo x"
3006  timeout: 30s
3007client:
3008  name: "A job"
3009  category: software_update
3010  show_when:
3011    check: office-up-to-date
3012    is: []
3013"#;
3014        let m: Manifest = serde_yaml::from_str(empty_is).expect("parse");
3015        let err = m.validate().expect_err("empty is[] must fail");
3016        assert!(err.contains("client.show_when.is"), "err: {err}");
3017    }
3018
3019    #[test]
3020    fn manifest_client_requires_category_at_parse() {
3021        // A `client:` block missing `category` is a hard parse error
3022        // (serde required field) — no manual validate() needed.
3023        let yaml = r#"
3024id: j
3025version: 1.0.0
3026execute:
3027  shell: powershell
3028  script: "echo x"
3029  timeout: 30s
3030client:
3031  name: "A job"
3032"#;
3033        let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
3034        assert!(
3035            r.is_err(),
3036            "missing category must be a parse error, got {r:?}"
3037        );
3038    }
3039
3040    #[test]
3041    fn manifest_client_rejects_unknown_field() {
3042        // #492: the strict create boundary catches a fat-fingered
3043        // `displayname:` (with its path) instead of silently
3044        // dropping it; the tolerant read path accepts it.
3045        let yaml = r#"
3046id: j
3047version: 1.0.0
3048execute:
3049  shell: powershell
3050  script: "echo x"
3051  timeout: 30s
3052client:
3053  name: "A job"
3054  category: catalog
3055  displayname: oops
3056"#;
3057        let r = crate::strict::from_yaml_str::<Manifest>(yaml);
3058        let err = r.expect_err("unknown client field must be rejected at the write boundary");
3059        // serde_ignored renders the Option layer as `?`:
3060        // `client.?.displayname`. Assert on the leaf key.
3061        assert!(err.contains("displayname"), "{err}");
3062        // The READ path tolerates the same payload (gradual-upgrade
3063        // contract: an old agent must accept a newer writer's field).
3064        let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
3065        assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
3066    }
3067
3068    #[test]
3069    fn manifest_tags_default_empty() {
3070        // The overwhelming majority of jobs carry no tags; the field
3071        // must default to an empty Vec (not fail to parse) and skip
3072        // serialisation so old readers never see the key.
3073        let yaml = r#"
3074id: echo-test
3075version: 0.0.1
3076execute:
3077  shell: powershell
3078  script: "echo 'kanade'"
3079  timeout: 30s
3080"#;
3081        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3082        assert!(m.tags.is_empty());
3083        m.validate().expect("tag-less job validates");
3084        // skip_serializing_if = empty ⇒ the key is absent from JSON.
3085        let json = serde_json::to_string(&m).expect("serialize");
3086        assert!(
3087            !json.contains("tags"),
3088            "empty tags must not serialise: {json}"
3089        );
3090    }
3091
3092    #[test]
3093    fn manifest_parses_and_validates_tags() {
3094        let yaml = r#"
3095id: check-bitlocker
3096version: 0.1.0
3097execute:
3098  shell: powershell
3099  script: "echo x"
3100  timeout: 30s
3101tags: [security, windows, health-check]
3102"#;
3103        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3104        assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
3105        m.validate().expect("tagged job validates");
3106        // Round-trips through JSON (the wire format the SPA reads).
3107        let json = serde_json::to_string(&m).expect("serialize");
3108        assert!(json.contains("\"tags\""), "non-empty tags must serialise");
3109    }
3110
3111    #[test]
3112    fn manifest_rejects_blank_tag() {
3113        // A whitespace-only tag renders an empty filter chip — reject
3114        // it at the write boundary like the other blank display fields.
3115        let yaml = r#"
3116id: j
3117version: 0.1.0
3118execute:
3119  shell: powershell
3120  script: "echo x"
3121  timeout: 30s
3122tags: [ok, "   "]
3123"#;
3124        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3125        let err = m.validate().expect_err("blank tag must fail");
3126        assert!(err.contains("tags must not contain empty"), "err: {err}");
3127    }
3128
3129    // #720 — wrap an `aggregate:` YAML block (already indented as a
3130    // top-level key body) into an otherwise-minimal valid manifest.
3131    fn manifest_with_aggregate(aggregate_block: &str) -> Manifest {
3132        let yaml = format!(
3133            "id: t\nversion: 0.0.1\nexecute:\n  shell: powershell\n  script: echo hi\n  timeout: 30s\n{aggregate_block}"
3134        );
3135        serde_yaml::from_str(&yaml).expect("parse aggregate manifest")
3136    }
3137
3138    #[test]
3139    fn aggregate_accepts_full_valid_spec() {
3140        // count+group_by+exclude+sample_minutes, ratio+bool_path,
3141        // timeline+time_bucket, fleet ranking via group_by: pc_id, and a
3142        // bare total stat — alongside emit (composes with every hint).
3143        let m = manifest_with_aggregate(
3144            "emit:\n  type: events\naggregate:\n\
3145             - { dashboard: Utilization, title: Top apps, kind: app_sample, agg: count, group_by: foreground.app, sample_minutes: 2, exclude: [LockApp], render: bar }\n\
3146             - { dashboard: Utilization, title: Active ratio, kind: presence, agg: ratio, bool_path: active, sample_minutes: 5, render: gauge }\n\
3147             - { dashboard: Utilization, title: By hour, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: timeline }\n\
3148             - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
3149             - { dashboard: Reliability, title: Total crashes, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
3150        );
3151        m.validate().expect("valid aggregate spec");
3152    }
3153
3154    #[test]
3155    fn aggregate_rejects_empty_list() {
3156        let m = manifest_with_aggregate("aggregate: []\n");
3157        let err = m.validate().expect_err("empty list must fail");
3158        assert!(err.contains("at least one widget"), "err: {err}");
3159    }
3160
3161    #[test]
3162    fn aggregate_rejects_ratio_without_bool_path() {
3163        let m = manifest_with_aggregate(
3164            "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
3165        );
3166        let err = m.validate().expect_err("ratio needs bool_path");
3167        assert!(err.contains("agg=ratio requires `bool_path`"), "err: {err}");
3168    }
3169
3170    #[test]
3171    fn aggregate_rejects_sum_without_value_path() {
3172        let m = manifest_with_aggregate(
3173            "aggregate:\n- { dashboard: D, title: T, kind: io, agg: sum, render: bar }\n",
3174        );
3175        let err = m.validate().expect_err("sum needs value_path");
3176        assert!(err.contains("agg=sum requires `value_path`"), "err: {err}");
3177    }
3178
3179    #[test]
3180    fn aggregate_rejects_pc_id_group_without_fleet() {
3181        let m = manifest_with_aggregate(
3182            "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: count, group_by: pc_id, render: bar }\n",
3183        );
3184        let err = m.validate().expect_err("pc_id grouping needs fleet");
3185        assert!(
3186            err.contains("pc_id is only valid with scope: fleet"),
3187            "err: {err}"
3188        );
3189    }
3190
3191    #[test]
3192    fn aggregate_rejects_transform_with_pc_id_group() {
3193        let m = manifest_with_aggregate(
3194            "aggregate:\n- { dashboard: D, title: T, scope: fleet, kind: web_visit, agg: count, group_by: pc_id, transform: host, render: bar }\n",
3195        );
3196        let err = m
3197            .validate()
3198            .expect_err("transform on pc_id grouping must fail");
3199        assert!(
3200            err.contains("transform is not valid with group_by: pc_id"),
3201            "err: {err}"
3202        );
3203    }
3204
3205    #[test]
3206    fn aggregate_rejects_timeline_without_bucket() {
3207        let m = manifest_with_aggregate(
3208            "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, render: timeline }\n",
3209        );
3210        let err = m.validate().expect_err("timeline needs a bucket");
3211        assert!(
3212            err.contains("render=timeline requires `time_bucket`"),
3213            "err: {err}"
3214        );
3215    }
3216
3217    #[test]
3218    fn aggregate_rejects_bucket_on_non_timeline() {
3219        let m = manifest_with_aggregate(
3220            "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: gauge }\n",
3221        );
3222        let err = m.validate().expect_err("bucket only on timeline");
3223        assert!(
3224            err.contains("time_bucket is only valid with render: timeline"),
3225            "err: {err}"
3226        );
3227    }
3228
3229    #[test]
3230    fn aggregate_rejects_unsafe_json_path() {
3231        // A path with characters outside [A-Za-z0-9_.] could break out of
3232        // the `'$.' || ?` bind — reject at create time.
3233        let m = manifest_with_aggregate(
3234            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: \"foo'; DROP\", render: bar }\n",
3235        );
3236        let err = m.validate().expect_err("unsafe path must fail");
3237        assert!(err.contains("dotted JSON path"), "err: {err}");
3238    }
3239
3240    #[test]
3241    fn aggregate_rejects_blank_title() {
3242        let m = manifest_with_aggregate(
3243            "aggregate:\n- { dashboard: D, title: \"  \", kind: k, agg: count, render: stat }\n",
3244        );
3245        let err = m.validate().expect_err("blank title must fail");
3246        assert!(err.contains("title must not be empty"), "err: {err}");
3247    }
3248
3249    #[test]
3250    fn aggregate_rejects_blank_kind() {
3251        let m = manifest_with_aggregate(
3252            "aggregate:\n- { dashboard: D, title: T, kind: \" \", agg: count, render: stat }\n",
3253        );
3254        let err = m.validate().expect_err("blank kind must fail");
3255        assert!(err.contains("kind must not be empty"), "err: {err}");
3256    }
3257
3258    #[test]
3259    fn aggregate_rejects_blank_source_when_set() {
3260        let m = manifest_with_aggregate(
3261            "aggregate:\n- { dashboard: D, title: T, kind: k, source: \"\", agg: count, render: stat }\n",
3262        );
3263        let err = m.validate().expect_err("blank source must fail");
3264        assert!(
3265            err.contains("source must not be empty when set"),
3266            "err: {err}"
3267        );
3268    }
3269
3270    #[test]
3271    fn aggregate_accepts_description_and_rejects_blank() {
3272        let ok = manifest_with_aggregate(
3273            "aggregate:\n- { dashboard: D, title: T, description: \"samples x 2 min\", kind: k, agg: count, render: stat }\n",
3274        );
3275        ok.validate()
3276            .expect("description is a valid optional field");
3277        assert_eq!(
3278            ok.aggregate.as_ref().unwrap()[0].description.as_deref(),
3279            Some("samples x 2 min")
3280        );
3281        let bad = manifest_with_aggregate(
3282            "aggregate:\n- { dashboard: D, title: T, description: \"  \", kind: k, agg: count, render: stat }\n",
3283        );
3284        let err = bad.validate().expect_err("blank description must fail");
3285        assert!(
3286            err.contains("description must not be empty when set"),
3287            "err: {err}"
3288        );
3289    }
3290
3291    #[test]
3292    fn aggregate_rejects_count_with_value_path() {
3293        let m = manifest_with_aggregate(
3294            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, value_path: bytes, render: stat }\n",
3295        );
3296        let err = m.validate().expect_err("count must not use value_path");
3297        assert!(
3298            err.contains("agg=count does not use `value_path`"),
3299            "err: {err}"
3300        );
3301    }
3302
3303    #[test]
3304    fn aggregate_rejects_ratio_with_value_path() {
3305        let m = manifest_with_aggregate(
3306            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: ratio, bool_path: active, value_path: bytes, render: gauge }\n",
3307        );
3308        let err = m.validate().expect_err("ratio must not use value_path");
3309        assert!(
3310            err.contains("agg=ratio does not use `value_path`"),
3311            "err: {err}"
3312        );
3313    }
3314
3315    #[test]
3316    fn aggregate_rejects_gauge_without_ratio() {
3317        let m = manifest_with_aggregate(
3318            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, render: gauge }\n",
3319        );
3320        let err = m.validate().expect_err("gauge needs ratio");
3321        assert!(
3322            err.contains("render=gauge is only valid with agg: ratio"),
3323            "err: {err}"
3324        );
3325    }
3326
3327    #[test]
3328    fn aggregate_rejects_limit_without_group_by() {
3329        let m = manifest_with_aggregate(
3330            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, limit: 5, render: stat }\n",
3331        );
3332        let err = m.validate().expect_err("limit needs group_by");
3333        assert!(err.contains("limit requires `group_by`"), "err: {err}");
3334    }
3335
3336    #[test]
3337    fn aggregate_rejects_exclude_without_group_by() {
3338        let m = manifest_with_aggregate(
3339            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, exclude: [x], render: stat }\n",
3340        );
3341        let err = m.validate().expect_err("exclude needs group_by");
3342        assert!(err.contains("exclude requires `group_by`"), "err: {err}");
3343    }
3344
3345    #[test]
3346    fn aggregate_rejects_zero_limit_and_zero_sample_minutes() {
3347        let m = manifest_with_aggregate(
3348            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, limit: 0, render: bar }\n",
3349        );
3350        assert!(m.validate().unwrap_err().contains("limit must be > 0"));
3351        let m = manifest_with_aggregate(
3352            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, sample_minutes: 0, render: bar }\n",
3353        );
3354        assert!(
3355            m.validate()
3356                .unwrap_err()
3357                .contains("sample_minutes must be > 0")
3358        );
3359    }
3360
3361    #[test]
3362    fn aggregate_rejects_empty_exclude_entry() {
3363        let m = manifest_with_aggregate(
3364            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, exclude: [\"  \"], render: bar }\n",
3365        );
3366        let err = m.validate().expect_err("blank exclude entry must fail");
3367        assert!(
3368            err.contains("exclude must not contain empty entries"),
3369            "err: {err}"
3370        );
3371    }
3372
3373    #[test]
3374    fn aggregate_rejects_malformed_dotted_paths() {
3375        for bad in [".foo", "foo.", "foo..bar", "."] {
3376            let m = manifest_with_aggregate(&format!(
3377                "aggregate:\n- {{ dashboard: D, title: T, kind: k, agg: count, group_by: \"{bad}\", render: bar }}\n"
3378            ));
3379            let err = m.validate().expect_err("malformed path must fail");
3380            assert!(err.contains("dotted JSON path"), "path {bad}: {err}");
3381        }
3382    }
3383
3384    #[test]
3385    fn aggregate_rejects_unknown_enum_value() {
3386        // An unrecognised render string deserialises to the #492 Unknown
3387        // catch-all (so old readers don't choke); validate() rejects it as
3388        // a typo at create time.
3389        let m = manifest_with_aggregate(
3390            "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, render: heatmap }\n",
3391        );
3392        let err = m.validate().expect_err("unknown render must fail");
3393        assert!(err.contains("render is not a known value"), "err: {err}");
3394    }
3395
3396    #[test]
3397    fn aggregate_accepts_order_field() {
3398        let m = manifest_with_aggregate(
3399            "aggregate:\n- { dashboard: D, title: T, order: -5, kind: k, agg: count, render: stat }\n",
3400        );
3401        m.validate().expect("order is a valid optional field");
3402        let w = &m.aggregate.as_ref().unwrap()[0];
3403        assert_eq!(w.order, Some(-5));
3404    }
3405
3406    #[test]
3407    fn aggregate_accepts_minimal_op_timeline() {
3408        // op_timeline needs no kind/agg — it reconstructs a fixed multi-kind
3409        // swimlane. A bare per-PC spec is valid, and `kind`/`agg` stay None.
3410        let m = manifest_with_aggregate(
3411            "aggregate:\n- { dashboard: Uptime, title: Operational state, scope: pc, render: op_timeline }\n",
3412        );
3413        m.validate().expect("minimal op_timeline is valid");
3414        let w = &m.aggregate.as_ref().unwrap()[0];
3415        assert_eq!(w.render, AggregateRender::OpTimeline);
3416        assert!(w.kind.is_none());
3417        assert!(w.agg.is_none());
3418    }
3419
3420    #[test]
3421    fn aggregate_rejects_op_timeline_with_fleet_scope() {
3422        let m = manifest_with_aggregate(
3423            "aggregate:\n- { dashboard: Uptime, title: T, scope: fleet, render: op_timeline }\n",
3424        );
3425        let err = m.validate().expect_err("op_timeline must be per-PC");
3426        assert!(
3427            err.contains("render=op_timeline requires scope: pc"),
3428            "err: {err}"
3429        );
3430    }
3431
3432    #[test]
3433    fn aggregate_rejects_op_timeline_with_aggregation_fields() {
3434        // Each aggregation knob the operator might paste in is rejected
3435        // (rather than silently ignored), pointing at the field to delete.
3436        for (block, field) in [
3437            ("kind: boot", "kind"),
3438            ("agg: count", "agg"),
3439            ("source: winlog:Security", "source"),
3440            ("group_by: pc_id", "group_by"),
3441            ("bool_path: active", "bool_path"),
3442            ("time_bucket: hour", "time_bucket"),
3443            ("limit: 5", "limit"),
3444        ] {
3445            let m = manifest_with_aggregate(&format!(
3446                "aggregate:\n- {{ dashboard: Uptime, title: T, scope: pc, {block}, render: op_timeline }}\n"
3447            ));
3448            let err = m
3449                .validate()
3450                .expect_err(&format!("op_timeline must reject {field}"));
3451            assert!(
3452                err.contains(&format!("render=op_timeline does not use `{field}`")),
3453                "field {field}: {err}"
3454            );
3455        }
3456    }
3457
3458    // ── #743 View resource ───────────────────────────────────────────
3459    fn view_from(yaml_body: &str) -> View {
3460        serde_yaml::from_str(&format!("id: v1\n{yaml_body}")).expect("parse view")
3461    }
3462
3463    #[test]
3464    fn view_accepts_valid_widgets() {
3465        let v = view_from(
3466            "widgets:\n\
3467             - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
3468             - { dashboard: Reliability, title: Total, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
3469        );
3470        v.validate().expect("valid view");
3471    }
3472
3473    #[test]
3474    fn view_rejects_empty_widgets() {
3475        let v = view_from("widgets: []\n");
3476        let err = v.validate().expect_err("empty widgets must fail");
3477        assert!(err.contains("at least one widget"), "err: {err}");
3478    }
3479
3480    #[test]
3481    fn view_rejects_blank_id() {
3482        let v: View = serde_yaml::from_str(
3483            "id: \"  \"\nwidgets:\n- { dashboard: D, title: T, kind: k, agg: count, render: stat }\n",
3484        )
3485        .expect("parse");
3486        let err = v.validate().expect_err("blank id must fail");
3487        assert!(err.contains("view.id must"), "err: {err}");
3488    }
3489
3490    #[test]
3491    fn view_rejects_unsafe_id() {
3492        // A `/` or `..` in the id would break the KV key and the
3493        // `/api/views/{id}` URL segment — reject at create time.
3494        for bad in ["../etc", "a/b", "has space", "x;y"] {
3495            let v: View = serde_yaml::from_str(&format!(
3496                "id: \"{bad}\"\nwidgets:\n- {{ dashboard: D, title: T, kind: k, agg: count, render: stat }}\n",
3497            ))
3498            .expect("parse");
3499            let err = v.validate().expect_err("unsafe id must fail");
3500            assert!(err.contains("[A-Za-z0-9._-]"), "id {bad}: {err}");
3501        }
3502        assert!(is_valid_resource_id("dashboards-fleet.v1_2"));
3503    }
3504
3505    #[test]
3506    fn view_reuses_shared_widget_validation() {
3507        // The same per-widget rule the job hint enforces (ratio needs
3508        // bool_path), reported under the `widgets[..]` field.
3509        let v = view_from(
3510            "widgets:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
3511        );
3512        let err = v.validate().expect_err("ratio without bool_path must fail");
3513        assert!(
3514            err.contains("widgets[0].agg=ratio requires `bool_path`"),
3515            "err: {err}"
3516        );
3517    }
3518
3519    fn execute_with(
3520        script: Option<&str>,
3521        script_file: Option<&str>,
3522        script_object: Option<&str>,
3523    ) -> Execute {
3524        Execute {
3525            shell: ExecuteShell::Powershell,
3526            script: script.map(str::to_owned),
3527            script_file: script_file.map(str::to_owned),
3528            script_object: script_object.map(str::to_owned),
3529            timeout: "30s".into(),
3530            run_as: RunAs::default(),
3531            cwd: None,
3532        }
3533    }
3534
3535    #[test]
3536    fn validate_accepts_inline_script() {
3537        let e = execute_with(Some("echo hi"), None, None);
3538        assert!(e.validate_script_source().is_ok());
3539    }
3540
3541    #[test]
3542    fn validate_accepts_script_file_alone() {
3543        let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
3544        assert!(e.validate_script_source().is_ok());
3545    }
3546
3547    #[test]
3548    fn validate_accepts_script_object_alone() {
3549        let e = execute_with(None, None, Some("cleanup/1.0.0"));
3550        assert!(e.validate_script_source().is_ok());
3551    }
3552
3553    #[test]
3554    fn validate_treats_empty_inline_script_as_unset() {
3555        // `script: ""` + `script_object` set is the natural shape
3556        // when an operator comments out the YAML block-scalar body
3557        // but leaves the key. Should pass.
3558        let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
3559        assert!(e.validate_script_source().is_ok());
3560    }
3561
3562    #[test]
3563    fn validate_rejects_zero_sources() {
3564        let e = execute_with(None, None, None);
3565        let err = e.validate_script_source().unwrap_err();
3566        assert!(err.contains("must be set"), "got: {err}");
3567    }
3568
3569    #[test]
3570    fn validate_rejects_empty_inline_only() {
3571        let e = execute_with(Some(""), None, None);
3572        let err = e.validate_script_source().unwrap_err();
3573        assert!(err.contains("must be set"), "got: {err}");
3574    }
3575
3576    #[test]
3577    fn validate_rejects_inline_plus_file() {
3578        let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
3579        let err = e.validate_script_source().unwrap_err();
3580        assert!(err.contains("only one of"), "got: {err}");
3581    }
3582
3583    #[test]
3584    fn validate_rejects_inline_plus_object() {
3585        let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
3586        let err = e.validate_script_source().unwrap_err();
3587        assert!(err.contains("only one of"), "got: {err}");
3588    }
3589
3590    #[test]
3591    fn validate_rejects_file_plus_object() {
3592        let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
3593        let err = e.validate_script_source().unwrap_err();
3594        assert!(err.contains("only one of"), "got: {err}");
3595    }
3596
3597    #[test]
3598    fn validate_rejects_all_three() {
3599        let e = execute_with(
3600            Some("echo hi"),
3601            Some("scripts/cleanup.ps1"),
3602            Some("cleanup/1.0.0"),
3603        );
3604        let err = e.validate_script_source().unwrap_err();
3605        assert!(err.contains("only one of"), "got: {err}");
3606    }
3607
3608    #[test]
3609    fn manifest_deserialises_script_object_yaml() {
3610        // SPEC §2.4.1 example shape with the Object Store
3611        // reference picked over inline.
3612        let yaml = r#"
3613id: cleanup-disk-temp
3614version: 1.0.1
3615execute:
3616  shell: powershell
3617  script_object: cleanup-disk-temp/1.0.1
3618  timeout: 600s
3619"#;
3620        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3621        assert_eq!(
3622            m.execute.script_object.as_deref(),
3623            Some("cleanup-disk-temp/1.0.1")
3624        );
3625        assert!(m.execute.script.is_none());
3626        m.validate()
3627            .expect("script_object-only manifest passes validation");
3628    }
3629
3630    #[test]
3631    fn manifest_rejects_typo_in_script_field_name() {
3632        // #492: the strict create boundary catches `script_objectt`
3633        // and similar fat-fingers (with the full path) instead of
3634        // letting them silently fall through to "all three unset".
3635        let yaml = r#"
3636id: typo
3637version: 1.0.0
3638execute:
3639  shell: powershell
3640  script_objectt: oops
3641  timeout: 30s
3642"#;
3643        let err = crate::strict::from_yaml_str::<Manifest>(yaml)
3644            .expect_err("typo'd execute field must be rejected at the write boundary");
3645        assert!(err.contains("execute.script_objectt"), "{err}");
3646    }
3647
3648    #[test]
3649    fn schedule_carries_target_and_rollout() {
3650        let yaml = r#"
3651id: hourly-cleanup-canary
3652when:
3653  per_pc: { every: 1h }
3654job_id: cleanup
3655enabled: true
3656target:
3657  groups: [canary, wave1]
3658jitter: 30s
3659rollout:
3660  strategy: wave
3661  waves:
3662    - { group: canary, delay: 0s }
3663    - { group: wave1,  delay: 5s }
3664"#;
3665        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3666        assert_eq!(s.id, "hourly-cleanup-canary");
3667        assert_eq!(s.job_id, "cleanup");
3668        assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
3669        assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
3670        let rollout = s.plan.rollout.expect("rollout present");
3671        assert_eq!(rollout.waves.len(), 2);
3672        assert_eq!(rollout.waves[0].group, "canary");
3673        assert_eq!(rollout.waves[1].delay, "5s");
3674        assert_eq!(rollout.strategy, RolloutStrategy::Wave);
3675    }
3676
3677    #[test]
3678    fn schedule_minimal_target_all() {
3679        let yaml = r#"
3680id: kitting
3681when:
3682  per_pc: once
3683enabled: true
3684job_id: scheduled-echo
3685target: { all: true }
3686"#;
3687        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3688        assert_eq!(s.id, "kitting");
3689        assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
3690        assert!(s.enabled);
3691        assert_eq!(s.job_id, "scheduled-echo");
3692        assert!(s.plan.target.all);
3693        assert!(s.plan.rollout.is_none());
3694        assert!(s.plan.jitter.is_none());
3695        assert!(s.active.is_empty());
3696    }
3697
3698    #[test]
3699    fn schedule_enabled_defaults_to_true() {
3700        let yaml = r#"
3701id: x
3702when:
3703  per_pc: once
3704job_id: y
3705target: { all: true }
3706"#;
3707        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3708        assert!(s.enabled);
3709    }
3710
3711    #[test]
3712    fn schedule_tags_default_empty_and_skip_serialise() {
3713        let yaml = r#"
3714id: x
3715when:
3716  per_pc: once
3717job_id: y
3718target: { all: true }
3719"#;
3720        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3721        assert!(s.tags.is_empty());
3722        s.validate().expect("tag-less schedule validates");
3723        let json = serde_json::to_string(&s).expect("serialize");
3724        assert!(
3725            !json.contains("tags"),
3726            "empty tags must not serialise: {json}"
3727        );
3728    }
3729
3730    #[test]
3731    fn schedule_parses_and_validates_tags() {
3732        let yaml = r#"
3733id: weekly-cleanup
3734when:
3735  per_pc: { every: 1h }
3736job_id: cleanup
3737target: { all: true }
3738tags: [weekly, maintenance]
3739"#;
3740        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3741        assert_eq!(s.tags, vec!["weekly", "maintenance"]);
3742        s.validate().expect("tagged schedule validates");
3743    }
3744
3745    #[test]
3746    fn schedule_rejects_blank_tag() {
3747        let yaml = r#"
3748id: x
3749when:
3750  per_pc: once
3751job_id: y
3752target: { all: true }
3753tags: [ok, "  "]
3754"#;
3755        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3756        let err = s.validate().expect_err("blank tag must fail");
3757        assert!(err.contains("tags must not contain empty"), "err: {err}");
3758    }
3759
3760    // ---- `when` parsing (#418 Phase 1) ----
3761
3762    fn schedule_yaml_with(when_block: &str) -> String {
3763        format!(
3764            r#"
3765id: x
3766when:
3767{when_block}
3768job_id: y
3769target: {{ all: true }}
3770"#
3771        )
3772    }
3773
3774    #[test]
3775    fn when_per_pc_every_parses_unquoted_humantime() {
3776        // `6h` is digit-led but non-numeric → YAML string, same as
3777        // the old `cooldown: 6h` convention. No quotes needed.
3778        let s: Schedule =
3779            serde_yaml::from_str(&schedule_yaml_with("  per_pc: { every: 6h }")).expect("parse");
3780        assert_eq!(
3781            s.when,
3782            When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
3783        );
3784    }
3785
3786    #[test]
3787    fn when_per_target_every_parses() {
3788        let s: Schedule = serde_yaml::from_str(&schedule_yaml_with("  per_target: { every: 24h }"))
3789            .expect("parse");
3790        assert_eq!(
3791            s.when,
3792            When::PerTarget(PerPolicy::Every(EverySpec {
3793                every: "24h".into()
3794            }))
3795        );
3796    }
3797
3798    #[test]
3799    fn when_per_target_once_parses() {
3800        // Falls out of the shared PerPolicy shape and decide_fire
3801        // already implements it ("any one pc succeeds → skip the
3802        // target forever"), so it is allowed, not rejected.
3803        let s: Schedule =
3804            serde_yaml::from_str(&schedule_yaml_with("  per_target: once")).expect("parse");
3805        assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
3806    }
3807
3808    #[test]
3809    fn when_calendar_time_parses() {
3810        let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
3811            "  calendar:\n    at: \"09:00\"\n    days: [mon-fri]",
3812        ))
3813        .expect("parse");
3814        match &s.when {
3815            When::Calendar(c) => {
3816                assert_eq!(c.at, "09:00");
3817                assert_eq!(c.days, vec!["mon-fri"]);
3818            }
3819            other => panic!("expected calendar, got {other:?}"),
3820        }
3821    }
3822
3823    #[test]
3824    fn when_calendar_days_default_empty() {
3825        let s: Schedule =
3826            serde_yaml::from_str(&schedule_yaml_with("  calendar:\n    at: \"09:00\""))
3827                .expect("parse");
3828        match &s.when {
3829            When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
3830            other => panic!("expected calendar, got {other:?}"),
3831        }
3832    }
3833
3834    #[test]
3835    fn when_calendar_datetime_parses_all_separators() {
3836        // one-shot: date+time in hyphen / ISO-T / slash forms
3837        for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
3838            let block = format!("  calendar:\n    at: \"{at}\"");
3839            let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
3840                .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
3841            match &s.when {
3842                When::Calendar(c) => {
3843                    use chrono::Datelike;
3844                    let p = c.parse_at().expect("parse_at");
3845                    let d = p.date.expect("datetime at carries a date");
3846                    assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
3847                }
3848                other => panic!("expected calendar, got {other:?}"),
3849            }
3850        }
3851    }
3852
3853    #[test]
3854    fn when_rejects_bad_once_keyword() {
3855        // `onec` must be a parse error, not a silently-absorbed
3856        // string (OnceLiteral is a single-variant enum for exactly
3857        // this reason).
3858        let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with("  per_pc: onec"));
3859        assert!(r.is_err(), "expected parse error, got {r:?}");
3860    }
3861
3862    #[test]
3863    fn when_rejects_unknown_key_in_every() {
3864        // `{ evry: 6h }` still fails on the tolerant read path: the
3865        // required `every` key is missing, so no PerPolicy variant
3866        // matches (#492 removed deny_unknown_fields, but required
3867        // keys keep the untagged disambiguation honest).
3868        let r: Result<Schedule, _> =
3869            serde_yaml::from_str(&schedule_yaml_with("  per_pc: { evry: 6h }"));
3870        assert!(r.is_err(), "expected parse error, got {r:?}");
3871    }
3872
3873    #[test]
3874    fn when_rejects_unknown_variant() {
3875        let r: Result<Schedule, _> =
3876            serde_yaml::from_str(&schedule_yaml_with("  per_galaxy: once"));
3877        assert!(r.is_err(), "expected parse error, got {r:?}");
3878    }
3879
3880    #[test]
3881    fn when_rejects_old_top_level_cron_field() {
3882        // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
3883        // loudly (missing `when`), which is what turns stale KV
3884        // blobs into warn-skips after the upgrade.
3885        let yaml = r#"
3886id: x
3887cron: "* * * * * *"
3888job_id: y
3889target: { all: true }
3890"#;
3891        let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
3892        assert!(r.is_err(), "expected parse error, got {r:?}");
3893    }
3894
3895    #[test]
3896    fn when_rejects_retired_cron_escape_hatch() {
3897        // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
3898        // is now an unknown variant → parse error (operators use the
3899        // calendar form instead).
3900        let r: Result<Schedule, _> =
3901            serde_yaml::from_str(&schedule_yaml_with("  cron: \"0 0 9 * * mon-fri\""));
3902        assert!(
3903            r.is_err(),
3904            "expected parse error for retired cron, got {r:?}"
3905        );
3906    }
3907
3908    #[test]
3909    fn when_round_trips_json_and_yaml() {
3910        // Round-trip through the full Schedule: that is the wire
3911        // unit for both stores (JSON catalog KV + YAML mirror), and
3912        // it exercises the singleton_map field attribute that keeps
3913        // serde_yaml on the map shape instead of `!per_pc` tags.
3914        for when in [
3915            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3916            When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3917            When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3918            When::PerTarget(PerPolicy::Every(EverySpec {
3919                every: "24h".into(),
3920            })),
3921            calendar("09:00", &["mon-fri"]),
3922            calendar("2026-06-10 09:00", &[]),
3923            When::On(vec![OnTrigger::Startup]),
3924            When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
3925            When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
3926            When::On(vec![OnTrigger::NetworkChange]),
3927        ] {
3928            // Event triggers are agent-only; the rest validate on backend.
3929            let runs_on = if matches!(when, When::On(_)) {
3930                RunsOn::Agent
3931            } else {
3932                RunsOn::Backend
3933            };
3934            let s = schedule_with(when.clone(), runs_on);
3935
3936            let json = serde_json::to_string(&s).expect("json serialise");
3937            let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
3938            assert_eq!(back.when, when, "json round-trip for {when}");
3939
3940            let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
3941            assert!(
3942                !yaml.contains('!'),
3943                "yaml must use the map shape, not tags: {yaml}"
3944            );
3945            let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
3946            assert_eq!(back.when, when, "yaml round-trip for {when}");
3947        }
3948    }
3949
3950    #[test]
3951    fn when_once_serialises_as_bare_keyword() {
3952        // The wire shape operators see in the YAML mirror must stay
3953        // the ergonomic `per_pc: once`, not a one-variant map.
3954        let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
3955            .expect("serialise");
3956        assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
3957    }
3958
3959    #[test]
3960    fn when_displays_operator_summary() {
3961        for (when, expected) in [
3962            (
3963                When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3964                "per_pc once",
3965            ),
3966            (
3967                When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3968                "per_pc every 6h",
3969            ),
3970            (
3971                When::PerTarget(PerPolicy::Every(EverySpec {
3972                    every: "24h".into(),
3973                })),
3974                "per_target every 24h",
3975            ),
3976            (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
3977            (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
3978            (When::On(vec![OnTrigger::Startup]), "on [startup]"),
3979            (
3980                When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
3981                "on [startup,logon]",
3982            ),
3983            (
3984                When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
3985                "on [lock,unlock]",
3986            ),
3987            (
3988                When::On(vec![OnTrigger::NetworkChange]),
3989                "on [network_change]",
3990            ),
3991        ] {
3992            assert_eq!(when.to_string(), expected);
3993        }
3994    }
3995
3996    // ---- lowering (#418: when → engine vocabulary) ----
3997
3998    fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
3999        Schedule {
4000            id: "x".into(),
4001            when,
4002            job_id: "y".into(),
4003            plan: FanoutPlan::default(),
4004            active: Active::default(),
4005            constraints: Constraints::default(),
4006            on_failure: OnFailure::default(),
4007            tz: ScheduleTz::default(),
4008            starting_deadline: None,
4009            runs_on,
4010            enabled: true,
4011            tags: Vec::new(),
4012            origin: None,
4013        }
4014    }
4015
4016    fn calendar(at: &str, days: &[&str]) -> When {
4017        When::Calendar(CalendarSpec {
4018            at: at.into(),
4019            days: days.iter().map(|d| (*d).to_string()).collect(),
4020        })
4021    }
4022
4023    #[test]
4024    fn next_calendar_fire_returns_next_utc_occurrence() {
4025        use chrono::TimeZone;
4026        // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
4027        // next strict occurrence is 09:00 that day.
4028        let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4029        s.tz = ScheduleTz::Utc;
4030        let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
4031        let next = s.next_calendar_fire(now).expect("calendar has a next fire");
4032        assert_eq!(
4033            next,
4034            chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
4035        );
4036    }
4037
4038    #[test]
4039    fn next_calendar_fire_is_strictly_after_now() {
4040        use chrono::TimeZone;
4041        // Standing exactly on a fire instant must preview the *next*
4042        // one (inclusive = false), not the one firing right now.
4043        let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4044        s.tz = ScheduleTz::Utc;
4045        let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
4046        let next = s
4047            .next_calendar_fire(on_fire)
4048            .expect("calendar has a next fire");
4049        assert_eq!(
4050            next,
4051            chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
4052        );
4053    }
4054
4055    #[test]
4056    fn next_calendar_fire_none_for_reconcile_shapes() {
4057        // `per_pc` / `per_target` lower to the every-minute poll cron —
4058        // no discrete upcoming event to preview, so `None`.
4059        let now = chrono::Utc::now();
4060        for when in [
4061            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4062            When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
4063            When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4064            When::PerTarget(PerPolicy::Every(EverySpec {
4065                every: "24h".into(),
4066            })),
4067        ] {
4068            let s = schedule_with(when, RunsOn::Backend);
4069            assert!(
4070                s.next_calendar_fire(now).is_none(),
4071                "reconcile shapes have no calendar fire",
4072            );
4073        }
4074    }
4075
4076    // ---- preview_fires (#418 dry-run / preview) ----
4077
4078    fn cal_utc(at: &str, days: &[&str]) -> Schedule {
4079        let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
4080        s.tz = ScheduleTz::Utc; // host-independent assertions
4081        s
4082    }
4083
4084    #[test]
4085    fn preview_lists_next_calendar_occurrences() {
4086        use chrono::TimeZone;
4087        // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
4088        // fires skip the weekend (Sat 13 / Sun 14).
4089        let s = cal_utc("09:00", &["mon-fri"]);
4090        let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
4091        let got = s.preview_fires(now, 5);
4092        let want: Vec<_> = [
4093            (2026, 6, 10), // Wed
4094            (2026, 6, 11), // Thu
4095            (2026, 6, 12), // Fri
4096            (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
4097            (2026, 6, 16), // Tue
4098        ]
4099        .iter()
4100        .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
4101        .collect();
4102        assert_eq!(got, want);
4103    }
4104
4105    #[test]
4106    fn preview_handles_nth_and_last_weekday() {
4107        use chrono::TimeZone;
4108        let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
4109        // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
4110        let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
4111        assert_eq!(
4112            nth,
4113            vec![
4114                chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
4115                chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
4116            ]
4117        );
4118        // Last Friday of the month: Jun 26, Jul 31 2026.
4119        let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
4120        assert_eq!(
4121            last,
4122            vec![
4123                chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
4124                chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
4125            ]
4126        );
4127    }
4128
4129    #[test]
4130    fn preview_is_empty_for_reconcile_and_zero_count() {
4131        let now = chrono::Utc::now();
4132        // reconcile shapes have no discrete fire times
4133        let recon = schedule_with(
4134            When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4135            RunsOn::Backend,
4136        );
4137        assert!(recon.preview_fires(now, 5).is_empty());
4138        // count == 0 yields nothing even for a calendar
4139        assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
4140    }
4141
4142    #[test]
4143    fn preview_skips_outside_active_window() {
4144        use chrono::TimeZone;
4145        // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
4146        // before `from` are skipped; `until` is exclusive, so 06-17's
4147        // fire is out — leaving exactly the 15th and 16th.
4148        let mut s = cal_utc("09:00", &[]);
4149        s.active = Active {
4150            from: Some("2026-06-15".into()),
4151            until: Some("2026-06-17".into()),
4152        };
4153        let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
4154        let got = s.preview_fires(now, 5);
4155        assert_eq!(
4156            got,
4157            vec![
4158                chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
4159                chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
4160            ]
4161        );
4162    }
4163
4164    #[test]
4165    fn preview_empty_when_calendar_time_outside_window() {
4166        use chrono::TimeZone;
4167        // Fires at 09:00 but the maintenance window is overnight — it can
4168        // never run, so the preview is empty (matches
4169        // `calendar_outside_window`), and the scan still terminates.
4170        let mut s = cal_utc("09:00", &[]);
4171        s.constraints = Constraints {
4172            window: Some("22:00-05:00".into()),
4173            ..Constraints::default()
4174        };
4175        let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
4176        assert!(s.preview_fires(now, 5).is_empty());
4177        // Every candidate tick is rejected, so this also exercises the
4178        // SCAN_CAP bound: a large `count` must still terminate (and
4179        // return empty) rather than spin (claude #578 review).
4180        assert!(s.preview_fires(now, 50).is_empty());
4181    }
4182
4183    #[test]
4184    fn preview_past_one_shot_is_empty() {
4185        use chrono::TimeZone;
4186        // A dated one-shot whose instant has passed never fires again.
4187        let s = cal_utc("2026-06-10 09:00", &[]);
4188        let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
4189        assert!(s.preview_fires(now, 5).is_empty());
4190        // …but from before it, the single future fire shows up.
4191        let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
4192        assert_eq!(
4193            s.preview_fires(before, 5),
4194            vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
4195        );
4196    }
4197
4198    #[test]
4199    fn lowering_matches_the_418_table() {
4200        let cases = [
4201            (
4202                When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4203                (POLL_CRON, ExecMode::OncePerPc, None),
4204            ),
4205            (
4206                When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4207                (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
4208            ),
4209            (
4210                When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
4211                (POLL_CRON, ExecMode::OncePerTarget, None),
4212            ),
4213            (
4214                When::PerTarget(PerPolicy::Every(EverySpec {
4215                    every: "24h".into(),
4216                })),
4217                (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
4218            ),
4219            // calendar repeating → 6-field cron
4220            (
4221                calendar("09:00", &["mon-fri"]),
4222                ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
4223            ),
4224            // calendar daily (no days) → DOW *
4225            (
4226                calendar("18:30", &[]),
4227                ("0 30 18 * * *", ExecMode::EveryTick, None),
4228            ),
4229            // calendar one-shot → 7-field year cron
4230            (
4231                calendar("2026-06-10 09:00", &[]),
4232                ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
4233            ),
4234        ];
4235        for (when, (cron, mode, cooldown)) in cases {
4236            let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
4237            assert_eq!(l.cron, cron, "cron for {when}");
4238            assert_eq!(l.mode, mode, "mode for {when}");
4239            assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
4240        }
4241    }
4242
4243    #[test]
4244    fn lowered_carries_schedule_tz() {
4245        for (tz, want) in [
4246            (ScheduleTz::Local, ScheduleTz::Local),
4247            (ScheduleTz::Utc, ScheduleTz::Utc),
4248        ] {
4249            let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
4250            s.tz = tz;
4251            assert_eq!(s.lowered().tz, want, "calendar carries tz");
4252            // reconcile shapes carry tz too (for the active-window check)
4253            let mut s = schedule_with(
4254                When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4255                RunsOn::Backend,
4256            );
4257            s.tz = tz;
4258            assert_eq!(s.lowered().tz, want, "reconcile carries tz");
4259        }
4260    }
4261
4262    #[test]
4263    fn poll_cron_is_accepted_by_the_engine_parser() {
4264        // POLL_CRON is system-generated — if the engine's parser
4265        // ever rejected it every reconcile schedule would die at
4266        // register time. Validate it with the same croner config
4267        // (Seconds::Required, dom_and_dow, year optional).
4268        croner::parser::CronParser::builder()
4269            .seconds(croner::parser::Seconds::Required)
4270            .dom_and_dow(true)
4271            .build()
4272            .parse(POLL_CRON)
4273            .expect("POLL_CRON must parse");
4274    }
4275
4276    // ---- Schedule::validate() (#418 decision F) ----
4277
4278    #[test]
4279    fn validate_accepts_reconcile_shapes() {
4280        for when in [
4281            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4282            When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4283            When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
4284            When::PerTarget(PerPolicy::Every(EverySpec {
4285                every: "24h".into(),
4286            })),
4287        ] {
4288            schedule_with(when.clone(), RunsOn::Backend)
4289                .validate()
4290                .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
4291        }
4292    }
4293
4294    #[test]
4295    fn validate_accepts_per_pc_on_agent() {
4296        schedule_with(
4297            When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
4298            RunsOn::Agent,
4299        )
4300        .validate()
4301        .expect("per_pc + agent is the offline-inventory shape");
4302    }
4303
4304    // ---- #418 event triggers (when: { on }) ----
4305
4306    #[test]
4307    fn validate_accepts_event_on_agent() {
4308        for triggers in [
4309            vec![OnTrigger::Startup],
4310            vec![OnTrigger::Logon],
4311            vec![OnTrigger::Lock],
4312            vec![OnTrigger::Unlock],
4313            vec![OnTrigger::NetworkChange],
4314            vec![
4315                OnTrigger::Startup,
4316                OnTrigger::Logon,
4317                OnTrigger::Lock,
4318                OnTrigger::Unlock,
4319                OnTrigger::NetworkChange,
4320            ],
4321        ] {
4322            schedule_with(When::On(triggers), RunsOn::Agent)
4323                .validate()
4324                .expect("when.on is valid on runs_on: agent");
4325        }
4326    }
4327
4328    #[test]
4329    fn validate_rejects_event_on_backend() {
4330        let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
4331            .validate()
4332            .unwrap_err();
4333        assert!(err.contains("when.on"), "got: {err}");
4334        assert!(err.contains("runs_on: agent"), "got: {err}");
4335    }
4336
4337    #[test]
4338    fn validate_rejects_empty_event_list() {
4339        let err = schedule_with(When::On(vec![]), RunsOn::Agent)
4340            .validate()
4341            .unwrap_err();
4342        assert!(err.contains("when.on"), "got: {err}");
4343        assert!(err.contains("at least one"), "got: {err}");
4344    }
4345
4346    #[test]
4347    fn event_schedule_lowers_to_event_mode_and_is_event() {
4348        let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
4349        assert!(s.is_event());
4350        assert_eq!(s.lowered().mode, ExecMode::Event);
4351        assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
4352        // non-event schedules report no triggers.
4353        let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4354        assert!(!cal.is_event());
4355        assert!(cal.event_triggers().is_empty());
4356    }
4357
4358    // ---- #418 constraints.require (env gates) ----
4359
4360    fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
4361        let mut s = schedule_with(
4362            When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
4363            runs_on,
4364        );
4365        s.constraints.require = Some(req);
4366        s
4367    }
4368
4369    #[test]
4370    fn require_met_combinations() {
4371        use std::time::Duration;
4372        let idle = |m: u64| Some(Duration::from_secs(m * 60));
4373        // Builder for the sensed state: (ac, idle, cpu, network).
4374        let env = |ac, idle, cpu, net| EnvState {
4375            ac_online: ac,
4376            idle,
4377            cpu_pct: cpu,
4378            network_up: net,
4379        };
4380        // Empty require — always met regardless of sensed state.
4381        assert!(require_met(
4382            &Require::default(),
4383            &env(false, None, None, false)
4384        ));
4385        // ac_power: only on AC.
4386        let ac = Require {
4387            ac_power: true,
4388            ..Default::default()
4389        };
4390        assert!(!require_met(&ac, &env(false, None, None, true)));
4391        assert!(require_met(&ac, &env(true, None, None, false)));
4392        // idle: needs >= the configured min; None idle never satisfies.
4393        let idle10 = Require {
4394            idle: Some("10m".into()),
4395            ..Default::default()
4396        };
4397        assert!(!require_met(&idle10, &env(true, None, None, true)));
4398        assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
4399        assert!(require_met(&idle10, &env(true, idle(15), None, true)));
4400        assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
4401        // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
4402        let cpu20 = Require {
4403            cpu_below: Some(20.0),
4404            ..Default::default()
4405        };
4406        assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
4407        assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
4408        assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
4409        assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
4410        // network: only when online.
4411        let net = Require {
4412            network: true,
4413            ..Default::default()
4414        };
4415        assert!(!require_met(&net, &env(true, None, None, false))); // offline
4416        assert!(require_met(&net, &env(true, None, None, true))); // online
4417        // all four: AND.
4418        let all = Require {
4419            ac_power: true,
4420            idle: Some("10m".into()),
4421            cpu_below: Some(20.0),
4422            network: true,
4423        };
4424        assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
4425        assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
4426        assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
4427        assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
4428        assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
4429        // An unparseable idle is treated as no-requirement by require_met
4430        // (validate rejects it at create time, so this only guards a
4431        // hand-edited blob): ac still gates.
4432        let bad = Require {
4433            ac_power: true,
4434            idle: Some("garbage".into()),
4435            ..Default::default()
4436        };
4437        assert!(require_met(&bad, &env(true, None, None, true)));
4438        assert!(!require_met(&bad, &env(false, None, None, true)));
4439    }
4440
4441    #[test]
4442    fn validate_accepts_and_rejects_cpu_below() {
4443        // In-range accepted.
4444        require_schedule(
4445            Require {
4446                cpu_below: Some(20.0),
4447                ..Default::default()
4448            },
4449            RunsOn::Agent,
4450        )
4451        .validate()
4452        .expect("cpu_below 20 is valid");
4453        // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
4454        // 100%). Pins the inclusive upper bound against a future c < 100.0.
4455        require_schedule(
4456            Require {
4457                cpu_below: Some(100.0),
4458                ..Default::default()
4459            },
4460            RunsOn::Agent,
4461        )
4462        .validate()
4463        .expect("cpu_below 100 is valid");
4464        // Out of range rejected (0 and >100).
4465        for bad in [0.0, -5.0, 100.1] {
4466            let err = require_schedule(
4467                Require {
4468                    cpu_below: Some(bad),
4469                    ..Default::default()
4470                },
4471                RunsOn::Agent,
4472            )
4473            .validate()
4474            .unwrap_err();
4475            assert!(
4476                err.contains("constraints.require.cpu_below"),
4477                "cpu_below {bad}: {err}"
4478            );
4479        }
4480    }
4481
4482    #[test]
4483    fn validate_accepts_require_on_agent() {
4484        require_schedule(
4485            Require {
4486                ac_power: true,
4487                idle: Some("10m".into()),
4488                cpu_below: Some(20.0),
4489                network: true,
4490            },
4491            RunsOn::Agent,
4492        )
4493        .validate()
4494        .expect("constraints.require is valid on runs_on: agent");
4495    }
4496
4497    #[test]
4498    fn validate_rejects_require_on_backend() {
4499        let err = require_schedule(
4500            Require {
4501                ac_power: true,
4502                ..Default::default()
4503            },
4504            RunsOn::Backend,
4505        )
4506        .validate()
4507        .unwrap_err();
4508        assert!(err.contains("constraints.require"), "got: {err}");
4509        assert!(err.contains("runs_on: agent"), "got: {err}");
4510
4511        // An idle-only require (ac_power: false) is also non-empty
4512        // (is_empty folds the fields) and must reject on backend too —
4513        // guards against a regression in Require::is_empty.
4514        let err = require_schedule(
4515            Require {
4516                idle: Some("10m".into()),
4517                ..Default::default()
4518            },
4519            RunsOn::Backend,
4520        )
4521        .validate()
4522        .unwrap_err();
4523        assert!(
4524            err.contains("constraints.require"),
4525            "idle-only on backend: {err}"
4526        );
4527    }
4528
4529    #[test]
4530    fn validate_rejects_bad_require_idle() {
4531        let err = require_schedule(
4532            Require {
4533                idle: Some("not-a-duration".into()),
4534                ..Default::default()
4535            },
4536            RunsOn::Agent,
4537        )
4538        .validate()
4539        .unwrap_err();
4540        assert!(err.contains("constraints.require.idle"), "got: {err}");
4541    }
4542
4543    #[test]
4544    fn require_round_trips_and_skips_empty() {
4545        // ac_power: false is skipped; an all-default require nested in
4546        // constraints is omitted (is_empty folds it in).
4547        let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
4548                    constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
4549                    network: true } }\n";
4550        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4551        let req = s.constraints.require.as_ref().expect("require present");
4552        assert!(req.ac_power);
4553        assert_eq!(req.idle.as_deref(), Some("10m"));
4554        assert_eq!(req.cpu_below, Some(20.0));
4555        assert!(req.network);
4556        // Re-serialize: idle + cpu_below + network present, ac_power true.
4557        let back = serde_json::to_string(&s.constraints).unwrap();
4558        assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
4559        assert!(back.contains("\"cpu_below\":20"), "got: {back}");
4560        assert!(back.contains("\"network\":true"), "got: {back}");
4561        // An empty require is omitted entirely by is_empty.
4562        let mut empty = s.clone();
4563        empty.constraints.require = Some(Require::default());
4564        assert!(empty.constraints.is_empty());
4565    }
4566
4567    #[test]
4568    fn validate_rejects_per_target_on_agent() {
4569        let err = schedule_with(
4570            When::PerTarget(PerPolicy::Every(EverySpec {
4571                every: "24h".into(),
4572            })),
4573            RunsOn::Agent,
4574        )
4575        .validate()
4576        .unwrap_err();
4577        assert!(err.contains("per_target"), "got: {err}");
4578        assert!(err.contains("runs_on: agent"), "got: {err}");
4579
4580        // per_target: once is also backend-only.
4581        let err = schedule_with(
4582            When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
4583            RunsOn::Agent,
4584        )
4585        .validate()
4586        .unwrap_err();
4587        assert!(err.contains("per_target"), "got (once): {err}");
4588        assert!(err.contains("runs_on: agent"), "got (once): {err}");
4589    }
4590
4591    #[test]
4592    fn validate_rejects_bad_every_duration() {
4593        let err = schedule_with(
4594            When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
4595            RunsOn::Backend,
4596        )
4597        .validate()
4598        .unwrap_err();
4599        assert!(err.contains("when.every"), "got: {err}");
4600    }
4601
4602    #[test]
4603    fn validate_rejects_bad_jitter_and_starting_deadline() {
4604        let mut s = schedule_with(
4605            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4606            RunsOn::Backend,
4607        );
4608        s.plan.jitter = Some("5x".into());
4609        let err = s.validate().unwrap_err();
4610        assert!(err.contains("jitter"), "got: {err}");
4611
4612        let mut s = schedule_with(
4613            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4614            RunsOn::Backend,
4615        );
4616        s.starting_deadline = Some("soon".into());
4617        let err = s.validate().unwrap_err();
4618        assert!(err.contains("starting_deadline"), "got: {err}");
4619    }
4620
4621    #[test]
4622    fn validate_accepts_calendar_shapes() {
4623        for when in [
4624            calendar("09:00", &["mon-fri"]),   // weekday morning
4625            calendar("00:00", &["sun"]),       // weekly
4626            calendar("18:30", &[]),            // daily
4627            calendar("2026-06-10 09:00", &[]), // one-shot
4628            calendar("2026/12/25 00:00", &[]), // one-shot, slash form
4629        ] {
4630            schedule_with(when.clone(), RunsOn::Backend)
4631                .validate()
4632                .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
4633        }
4634    }
4635
4636    #[test]
4637    fn validate_rejects_bad_at() {
4638        for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
4639            let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
4640                .validate()
4641                .unwrap_err();
4642            assert!(err.contains("when.at"), "for '{bad}', got: {err}");
4643        }
4644    }
4645
4646    #[test]
4647    fn validate_rejects_datetime_at_with_days() {
4648        // A dated `at` is a one-shot — pairing it with days is a
4649        // contradiction (the date already pins the day).
4650        let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
4651            .validate()
4652            .unwrap_err();
4653        assert!(
4654            err.contains("one-shot") && err.contains("days"),
4655            "got: {err}"
4656        );
4657    }
4658
4659    #[test]
4660    fn validate_rejects_bad_day_name() {
4661        // A garbage DOW token is caught by the days pre-flight and
4662        // reported against `when.days`, not the confusing
4663        // "when.at lowered to invalid cron" (claude #432 review).
4664        let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
4665            .validate()
4666            .unwrap_err();
4667        assert!(err.contains("when.days"), "got: {err}");
4668        assert!(err.contains("funday"), "names the bad token: {err}");
4669        // a degenerate range like `mon-` reports the whole token, not
4670        // a cryptic empty part (claude #432 follow-up)
4671        let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
4672            .validate()
4673            .unwrap_err();
4674        assert!(err.contains("'mon-'"), "names the whole token: {err}");
4675        // valid names / ranges / numeric / * all pass
4676        for ok in [
4677            calendar("09:00", &["mon-fri"]),
4678            calendar("09:00", &["mon", "wed", "sun"]),
4679            calendar("09:00", &["1-5"]),
4680        ] {
4681            schedule_with(ok.clone(), RunsOn::Backend)
4682                .validate()
4683                .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
4684        }
4685    }
4686
4687    #[test]
4688    fn validate_accepts_nth_weekday() {
4689        // #418: nth-weekday (Patch Tuesday). validate() also lowers to
4690        // a cron and parses it with croner, so passing here proves the
4691        // whole chain — token → DOW field → engine-acceptable cron.
4692        for ok in [
4693            calendar("09:00", &["tue#2"]),          // 2nd Tuesday
4694            calendar("09:00", &["fri#1"]),          // 1st Friday
4695            calendar("03:00", &["sun#5"]),          // 5th Sunday
4696            calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
4697            calendar("09:00", &["2#2"]),            // numeric DOW + ordinal
4698            // Case-insensitive both sides: validate lowercases, croner
4699            // upper-cases the whole pattern before aliasing (claude #547).
4700            calendar("09:00", &["TUE#2"]),
4701        ] {
4702            schedule_with(ok.clone(), RunsOn::Backend)
4703                .validate()
4704                .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
4705        }
4706    }
4707
4708    #[test]
4709    fn validate_rejects_bad_nth_weekday() {
4710        // ordinal out of 1..5, a range with #, and a bad day before #.
4711        for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
4712            let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
4713                .validate()
4714                .unwrap_err();
4715            assert!(err.contains("when.days"), "for '{bad}', got: {err}");
4716        }
4717    }
4718
4719    #[test]
4720    fn validate_accepts_last_weekday() {
4721        // #418: last-weekday (`friL` = last Friday). Like the nth case,
4722        // validate() lowers to a cron and round-trips it through croner,
4723        // so passing proves token → DOW field → engine-acceptable cron
4724        // with the verified last-<dow>-of-month semantics.
4725        for ok in [
4726            calendar("09:00", &["friL"]),         // last Friday
4727            calendar("03:00", &["sunL"]),         // last Sunday
4728            calendar("22:00", &["5L"]),           // numeric DOW + last
4729            calendar("00:00", &["0L"]),           // numeric Sunday (0…
4730            calendar("00:00", &["7L"]),           // …and its 7 alias)
4731            calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
4732            // Case-insensitive both the weekday and the `L` suffix:
4733            // validate lowercases the day, croner upper-cases the whole
4734            // pattern before aliasing (claude #547).
4735            calendar("09:00", &["FRIL"]),
4736            calendar("09:00", &["fril"]),
4737        ] {
4738            schedule_with(ok.clone(), RunsOn::Backend)
4739                .validate()
4740                .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
4741        }
4742    }
4743
4744    #[test]
4745    fn validate_rejects_bad_last_weekday() {
4746        // bare `L` (no weekday — a footgun croner reads as Saturday), a
4747        // range with L, a bad day before L, and an internal space that
4748        // would otherwise leak a malformed cron downstream (gemini #560).
4749        for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
4750            let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
4751                .validate()
4752                .unwrap_err();
4753            assert!(err.contains("when.days"), "for '{bad}', got: {err}");
4754        }
4755    }
4756
4757    #[test]
4758    fn calendar_oneshot_instant_detects_past() {
4759        use chrono::TimeZone;
4760        // a dated `at` resolves to an absolute instant…
4761        let c = CalendarSpec {
4762            at: "2024-01-01 09:00".into(),
4763            days: vec![],
4764        };
4765        let t = c
4766            .oneshot_instant(ScheduleTz::Utc)
4767            .expect("one-shot instant");
4768        assert_eq!(
4769            t,
4770            chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
4771        );
4772        assert!(t < chrono::Utc::now(), "2024 is in the past");
4773        // …while a repeating (time-only) calendar has no instant
4774        let rep = CalendarSpec {
4775            at: "09:00".into(),
4776            days: vec!["mon-fri".into()],
4777        };
4778        assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
4779    }
4780
4781    fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
4782        let mut s = schedule_with(
4783            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4784            RunsOn::Backend,
4785        );
4786        s.active = Active {
4787            from: from.map(str::to_owned),
4788            until: until.map(str::to_owned),
4789        };
4790        s
4791    }
4792
4793    #[test]
4794    fn validate_accepts_active_window() {
4795        schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
4796            .validate()
4797            .expect("date + rfc3339 bounds should validate");
4798    }
4799
4800    #[test]
4801    fn validate_rejects_unparseable_active_bound() {
4802        let err = schedule_with_active(Some("July 1st"), None)
4803            .validate()
4804            .unwrap_err();
4805        assert!(err.contains("active"), "got: {err}");
4806    }
4807
4808    #[test]
4809    fn validate_rejects_from_not_before_until() {
4810        let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
4811            .validate()
4812            .unwrap_err();
4813        assert!(err.contains("strictly before"), "got: {err}");
4814
4815        let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
4816            .validate()
4817            .unwrap_err();
4818        assert!(err.contains("strictly before"), "got: {err}");
4819    }
4820
4821    // ---- Active window semantics ----
4822
4823    #[test]
4824    fn active_window_is_half_open() {
4825        use chrono::TimeZone;
4826        let active = Active {
4827            from: Some("2026-07-01".into()),
4828            until: Some("2026-08-01".into()),
4829        };
4830        // UTC tz so the date bounds are UTC midnight.
4831        let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
4832        let c = |t| active.contains(t, ScheduleTz::Utc);
4833        assert!(!c(at(2026, 6, 30, 23)), "before from");
4834        assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
4835        assert!(c(at(2026, 7, 15, 12)), "inside");
4836        assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
4837        assert!(!c(at(2026, 8, 2, 0)), "after until");
4838    }
4839
4840    #[test]
4841    fn active_empty_window_is_always_active() {
4842        assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
4843    }
4844
4845    #[test]
4846    fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
4847        use chrono::TimeZone;
4848        let active = Active {
4849            from: Some("2026-07-01T09:00:00+09:00".into()),
4850            until: None,
4851        };
4852        // RFC3339 carries its own offset → tz arg is ignored.
4853        // 09:00 JST = 00:00 UTC.
4854        for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
4855            assert!(
4856                !active.contains(
4857                    chrono::Utc
4858                        .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
4859                        .unwrap(),
4860                    tz
4861                )
4862            );
4863            assert!(active.contains(
4864                chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
4865                tz
4866            ));
4867        }
4868    }
4869
4870    #[test]
4871    fn active_date_bound_respects_tz() {
4872        // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
4873        // tz* (#418 Phase 2). The UTC interpretation is exact and
4874        // host-independent; assert that precisely.
4875        use chrono::TimeZone;
4876        let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
4877        assert_eq!(
4878            utc,
4879            chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
4880        );
4881
4882        // The local interpretation must equal what chrono::Local
4883        // computes for the same wall-clock midnight — proves the tz
4884        // path is wired to the host zone (the magnitude vs UTC is
4885        // host-dependent, so we compare against Local directly rather
4886        // than hard-coding the JST offset, keeping CI green on UTC
4887        // runners).
4888        let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
4889        let want = chrono::Local
4890            .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
4891            .single()
4892            .expect("local midnight is unambiguous")
4893            .with_timezone(&chrono::Utc);
4894        assert_eq!(local, want, "date bound resolved in host-local tz");
4895    }
4896
4897    #[test]
4898    fn active_empty_is_skipped_when_serialising() {
4899        let s = schedule_with(
4900            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4901            RunsOn::Backend,
4902        );
4903        let json = serde_json::to_value(&s).expect("serialise");
4904        assert!(
4905            json.get("active").is_none(),
4906            "empty active must not appear on the wire: {json}"
4907        );
4908    }
4909
4910    // ---- constraints.window (#418 Phase 3) ----
4911
4912    fn with_window(win: &str) -> Schedule {
4913        let mut s = schedule_with(
4914            When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4915            RunsOn::Backend,
4916        );
4917        s.constraints.window = Some(win.into());
4918        s
4919    }
4920
4921    #[test]
4922    fn constraints_window_parses_and_round_trips() {
4923        let yaml = r#"
4924id: x
4925when:
4926  per_pc: { every: 6h }
4927job_id: y
4928target: { all: true }
4929constraints:
4930  window: "22:00-05:00"
4931"#;
4932        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4933        assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
4934        let back: Schedule =
4935            serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
4936        assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
4937    }
4938
4939    #[test]
4940    fn constraints_empty_is_skipped_when_serialising() {
4941        let s = schedule_with(
4942            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4943            RunsOn::Backend,
4944        );
4945        let json = serde_json::to_value(&s).expect("serialise");
4946        assert!(
4947            json.get("constraints").is_none(),
4948            "empty constraints must not appear on the wire: {json}"
4949        );
4950    }
4951
4952    #[test]
4953    fn window_no_constraint_always_allows() {
4954        let c = Constraints::default();
4955        assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
4956    }
4957
4958    #[test]
4959    fn window_same_day_is_half_open() {
4960        use chrono::TimeZone;
4961        let s = with_window("09:00-17:00");
4962        let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
4963        let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
4964        assert!(!a(at(8, 59)), "before start");
4965        assert!(a(at(9, 0)), "at start (inclusive)");
4966        assert!(a(at(16, 59)), "inside");
4967        assert!(!a(at(17, 0)), "at end (exclusive)");
4968        assert!(!a(at(23, 0)), "after end");
4969    }
4970
4971    #[test]
4972    fn window_crossing_midnight() {
4973        use chrono::TimeZone;
4974        let s = with_window("22:00-05:00");
4975        let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
4976        let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
4977        assert!(a(at(22, 0)), "at start tonight");
4978        assert!(a(at(23, 30)), "late tonight");
4979        assert!(a(at(3, 0)), "early tomorrow");
4980        assert!(!a(at(5, 0)), "at end (exclusive)");
4981        assert!(!a(at(12, 0)), "midday outside");
4982        assert!(!a(at(21, 59)), "just before start");
4983    }
4984
4985    #[test]
4986    fn window_respects_tz() {
4987        // The same instant is inside the window under one tz and may
4988        // be outside under another. Compare UTC vs Local via the
4989        // host's own offset (kept CI-green on UTC runners like the
4990        // active tz test does).
4991        use chrono::TimeZone;
4992        let s = with_window("09:00-17:00");
4993        let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
4994        // Under UTC, 12:00 is inside 09:00-17:00.
4995        assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
4996        // Under Local, the verdict tracks the host wall-clock time;
4997        // assert it matches a direct wall_time membership check.
4998        let local_t = noon_utc.with_timezone(&chrono::Local).time();
4999        let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
5000            && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
5001        assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
5002    }
5003
5004    #[test]
5005    fn validate_accepts_good_window() {
5006        for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
5007            with_window(w)
5008                .validate()
5009                .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
5010        }
5011    }
5012
5013    #[test]
5014    fn validate_rejects_bad_window() {
5015        for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
5016            let err = with_window(bad).validate().unwrap_err();
5017            assert!(
5018                err.contains("constraints.window"),
5019                "for '{bad}', got: {err}"
5020            );
5021        }
5022    }
5023
5024    // ---- constraints.skip_dates (#418 holiday exclusion) ----
5025
5026    fn with_skip_dates(dates: &[&str]) -> Schedule {
5027        let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
5028        s.tz = ScheduleTz::Utc; // host-independent date assertions
5029        s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
5030        s
5031    }
5032
5033    #[test]
5034    fn allows_blocks_listed_skip_date() {
5035        use chrono::TimeZone;
5036        let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
5037        // Any time on a listed date is blocked (whole day).
5038        let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
5039        assert!(!s.constraints.allows(on, ScheduleTz::Utc));
5040        let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
5041        assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
5042        // A date not in the list fires normally.
5043        let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
5044        assert!(s.constraints.allows(off, ScheduleTz::Utc));
5045    }
5046
5047    #[test]
5048    fn allows_corrupt_skip_date_fails_closed() {
5049        use chrono::TimeZone;
5050        // A garbled entry (only reachable via hand-edited KV) blocks
5051        // rather than silently re-enabling fires — same posture as a
5052        // corrupt window.
5053        let s = with_skip_dates(&["not-a-date"]);
5054        let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
5055        assert!(!s.constraints.allows(any, ScheduleTz::Utc));
5056    }
5057
5058    #[test]
5059    fn validate_accepts_good_skip_dates() {
5060        with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
5061            .validate()
5062            .expect("well-formed skip dates should validate");
5063    }
5064
5065    #[test]
5066    fn validate_rejects_bad_skip_date() {
5067        for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
5068            let err = with_skip_dates(&[bad]).validate().unwrap_err();
5069            assert!(
5070                err.contains("constraints.skip_dates"),
5071                "for '{bad}', got: {err}"
5072            );
5073        }
5074    }
5075
5076    #[test]
5077    fn preview_skips_holidays() {
5078        use chrono::TimeZone;
5079        // Daily 09:00 with two of the next five days marked as holidays
5080        // — preview drops exactly those, since it gates on `allows`.
5081        let mut s = cal_utc("09:00", &[]);
5082        s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
5083        let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
5084        let got = s.preview_fires(now, 4);
5085        let want: Vec<_> = [
5086            (2026, 6, 10),
5087            (2026, 6, 12), // skips 06-11
5088            (2026, 6, 14), // skips 06-13
5089            (2026, 6, 15),
5090        ]
5091        .iter()
5092        .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
5093        .collect();
5094        assert_eq!(got, want);
5095    }
5096
5097    // ---- constraints.max_concurrent (#418) ----
5098
5099    fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
5100        let mut s = schedule_with(
5101            When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
5102            runs_on,
5103        );
5104        s.constraints.max_concurrent = Some(max);
5105        s
5106    }
5107
5108    #[test]
5109    fn validate_accepts_backend_max_concurrent() {
5110        with_max_concurrent(5, RunsOn::Backend)
5111            .validate()
5112            .expect("backend max_concurrent should validate");
5113    }
5114
5115    #[test]
5116    fn validate_rejects_max_concurrent_on_agent() {
5117        // Decision E: a central running-instance cap needs a central
5118        // counter, which agents don't have.
5119        let err = with_max_concurrent(5, RunsOn::Agent)
5120            .validate()
5121            .unwrap_err();
5122        assert!(err.contains("constraints.max_concurrent"), "got: {err}");
5123        assert!(err.contains("runs_on: agent"), "got: {err}");
5124    }
5125
5126    #[test]
5127    fn validate_rejects_zero_max_concurrent() {
5128        let err = with_max_concurrent(0, RunsOn::Backend)
5129            .validate()
5130            .unwrap_err();
5131        assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
5132    }
5133
5134    #[test]
5135    fn max_concurrent_round_trips_and_skips_when_absent() {
5136        let s = with_max_concurrent(3, RunsOn::Backend);
5137        let json = serde_json::to_value(&s.constraints).expect("ser");
5138        assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
5139        // A schedule with no constraints omits the whole block.
5140        let bare = schedule_with(
5141            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
5142            RunsOn::Backend,
5143        );
5144        assert!(bare.constraints.is_empty());
5145    }
5146
5147    #[test]
5148    fn window_fail_closed_on_corrupt_blob() {
5149        // A malformed window (only reachable via a hand-edited KV
5150        // blob — validate() rejects it at create) must BLOCK, not
5151        // silently allow fires during a change-freeze (gemini #452).
5152        let s = with_window("22:00_05:00");
5153        assert!(
5154            !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
5155            "corrupt window fails closed"
5156        );
5157        // …and the scheduler can surface why it's stuck.
5158        assert!(
5159            s.bad_window().is_some(),
5160            "bad_window reports the parse error"
5161        );
5162        assert!(with_window("22:00-05:00").bad_window().is_none());
5163    }
5164
5165    #[test]
5166    fn calendar_outside_window_is_flagged() {
5167        // at 09:00 can never fall in 22:00-05:00 → never fires.
5168        let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
5169        s.constraints.window = Some("22:00-05:00".into());
5170        assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
5171
5172        // at 23:00 IS inside the overnight window → fine.
5173        let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
5174        s.constraints.window = Some("22:00-05:00".into());
5175        assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
5176
5177        // reconcile shapes are never flagged (they poll every minute).
5178        let mut s = schedule_with(
5179            When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
5180            RunsOn::Backend,
5181        );
5182        s.constraints.window = Some("22:00-05:00".into());
5183        assert!(!s.calendar_outside_window(), "reconcile is unaffected");
5184
5185        // no window → never flagged.
5186        let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
5187        assert!(!s.calendar_outside_window());
5188    }
5189
5190    // ---- on_failure.retry (#418 Phase 4) ----
5191
5192    fn with_retry(max: u32, backoff: &str) -> Schedule {
5193        let mut s = schedule_with(
5194            When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
5195            RunsOn::Backend,
5196        );
5197        s.on_failure.retry = Some(Retry {
5198            max,
5199            backoff: backoff.into(),
5200        });
5201        s
5202    }
5203
5204    #[test]
5205    fn on_failure_parses_and_round_trips() {
5206        let yaml = r#"
5207id: x
5208when:
5209  per_pc: { every: 6h }
5210job_id: y
5211target: { all: true }
5212on_failure:
5213  retry: { max: 3, backoff: 10m }
5214"#;
5215        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
5216        let r = s.on_failure.retry.as_ref().expect("retry present");
5217        assert_eq!(r.max, 3);
5218        assert_eq!(r.backoff, "10m");
5219        let back: Schedule =
5220            serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
5221        assert_eq!(back.on_failure, s.on_failure);
5222    }
5223
5224    #[test]
5225    fn on_failure_empty_is_skipped_when_serialising() {
5226        let s = schedule_with(
5227            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
5228            RunsOn::Backend,
5229        );
5230        let json = serde_json::to_value(&s).expect("serialise");
5231        assert!(
5232            json.get("on_failure").is_none(),
5233            "empty on_failure must not appear on the wire: {json}"
5234        );
5235    }
5236
5237    #[test]
5238    fn validate_accepts_good_retry() {
5239        for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
5240            with_retry(max, backoff)
5241                .validate()
5242                .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
5243        }
5244    }
5245
5246    #[test]
5247    fn validate_rejects_bad_backoff() {
5248        let err = with_retry(3, "soon").validate().unwrap_err();
5249        assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
5250    }
5251
5252    #[test]
5253    fn validate_rejects_sub_second_backoff() {
5254        // "500ms" parses as humantime but lowers to 0s on the wire —
5255        // reject it so the operator doesn't get a silent no-wait
5256        // (coderabbit #466).
5257        for bad in ["500ms", "0s", "999ms"] {
5258            let err = with_retry(3, bad).validate().unwrap_err();
5259            assert!(
5260                err.contains("on_failure.retry.backoff must be >= 1s"),
5261                "for '{bad}', got: {err}"
5262            );
5263        }
5264    }
5265
5266    #[test]
5267    fn validate_rejects_out_of_range_max() {
5268        for bad in [0u32, 11, 1000] {
5269            let err = with_retry(bad, "10m").validate().unwrap_err();
5270            assert!(
5271                err.contains("on_failure.retry.max"),
5272                "for max={bad}, got: {err}"
5273            );
5274        }
5275    }
5276
5277    #[test]
5278    fn lowered_retry_reduces_backoff_to_seconds() {
5279        let s = with_retry(3, "10m");
5280        let spec = s.on_failure.lowered_retry().expect("a retry policy");
5281        assert_eq!(spec.max, 3);
5282        assert_eq!(spec.backoff_secs, 600);
5283    }
5284
5285    #[test]
5286    fn lowered_retry_is_none_without_policy() {
5287        let s = schedule_with(
5288            When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
5289            RunsOn::Backend,
5290        );
5291        assert!(s.on_failure.lowered_retry().is_none());
5292    }
5293
5294    // ---- global change-freeze (#418 Phase 5) ----
5295
5296    #[test]
5297    fn freeze_empty_window_is_always_active() {
5298        // The big-red-button shape: no bounds = frozen until cleared.
5299        let f = Freeze::default();
5300        assert!(f.is_active(chrono::Utc::now()));
5301    }
5302
5303    #[test]
5304    fn freeze_window_is_half_open() {
5305        use chrono::TimeZone;
5306        let f = Freeze {
5307            from: Some("2026-12-20T00:00:00+00:00".into()),
5308            until: Some("2027-01-05T00:00:00+00:00".into()),
5309            reason: Some("year-end".into()),
5310            tz: ScheduleTz::Utc,
5311        };
5312        let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
5313        assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
5314        assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
5315        assert!(f.is_active(at(2026, 12, 31)), "inside window");
5316        assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
5317        assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
5318    }
5319
5320    #[test]
5321    fn freeze_fails_closed_on_corrupt_bound() {
5322        // A freeze is a safety switch: an unparseable bound (only
5323        // reachable via a hand-edited KV blob) must read as FROZEN, not
5324        // "fire normally" (coderabbit #472) — the opposite of `active`,
5325        // which fail-opens.
5326        let f = Freeze {
5327            from: Some("not-a-date".into()),
5328            until: None,
5329            reason: None,
5330            tz: ScheduleTz::Utc,
5331        };
5332        assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
5333    }
5334
5335    #[test]
5336    fn freeze_validate_accepts_good_bounds() {
5337        Freeze {
5338            from: Some("2026-12-20".into()),
5339            until: Some("2027-01-05T12:00:00+09:00".into()),
5340            reason: None,
5341            tz: ScheduleTz::Local,
5342        }
5343        .validate()
5344        .expect("date + rfc3339 bounds should validate");
5345        // Empty (indefinite) freeze is valid.
5346        Freeze::default().validate().expect("empty freeze is valid");
5347    }
5348
5349    #[test]
5350    fn freeze_validate_rejects_bad_bound_and_inverted_window() {
5351        let err = Freeze {
5352            from: Some("never".into()),
5353            ..Default::default()
5354        }
5355        .validate()
5356        .unwrap_err();
5357        assert!(err.contains("freeze:"), "got: {err}");
5358
5359        let inverted = Freeze {
5360            from: Some("2027-01-05".into()),
5361            until: Some("2026-12-20".into()),
5362            ..Default::default()
5363        }
5364        .validate()
5365        .unwrap_err();
5366        assert!(inverted.contains("freeze.from"), "got: {inverted}");
5367    }
5368
5369    #[test]
5370    fn freeze_round_trips_and_skips_empty_fields() {
5371        let f = Freeze {
5372            from: None,
5373            until: Some("2027-01-05".into()),
5374            reason: Some("INC-1234".into()),
5375            tz: ScheduleTz::Utc,
5376        };
5377        let json = serde_json::to_value(&f).expect("serialise");
5378        assert!(json.get("from").is_none(), "empty from omitted: {json}");
5379        let back: Freeze = serde_json::from_value(json).expect("round-trip");
5380        assert_eq!(back, f);
5381    }
5382
5383    #[test]
5384    fn shipped_schedule_configs_parse_and_validate() {
5385        // Every YAML under configs/schedules/ must parse with the
5386        // current Schedule serde AND pass validate() — keeps the
5387        // shipped examples from drifting out of sync with the model
5388        // (#418 removed back-compat, so drift = broken at create).
5389        let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
5390        let mut seen = 0;
5391        for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
5392            let path = entry.expect("dir entry").path();
5393            if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
5394                continue;
5395            }
5396            let body = std::fs::read_to_string(&path).expect("read yaml");
5397            let s: Schedule = serde_yaml::from_str(&body)
5398                .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
5399            s.validate()
5400                .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
5401            seen += 1;
5402        }
5403        assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
5404    }
5405
5406    // ---- pre-existing enum wire formats (unchanged by #418) ----
5407
5408    #[test]
5409    fn exec_mode_serialises_snake_case() {
5410        for (mode, expected) in [
5411            (ExecMode::EveryTick, "every_tick"),
5412            (ExecMode::OncePerPc, "once_per_pc"),
5413            (ExecMode::OncePerTarget, "once_per_target"),
5414        ] {
5415            let s = serde_json::to_value(mode).expect("serialise");
5416            assert_eq!(s, serde_json::Value::String(expected.into()));
5417            let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
5418                .expect("deserialise");
5419            assert_eq!(back, mode, "round-trip for {expected}");
5420        }
5421    }
5422
5423    #[test]
5424    fn schedule_runs_on_defaults_to_backend() {
5425        let yaml = r#"
5426id: x
5427when:
5428  per_pc: once
5429job_id: y
5430target: { all: true }
5431"#;
5432        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
5433        assert_eq!(s.runs_on, RunsOn::Backend);
5434    }
5435
5436    #[test]
5437    fn schedule_runs_on_agent_parses() {
5438        let yaml = r#"
5439id: offline-inv
5440when:
5441  per_pc: { every: 1h }
5442job_id: inventory-hw
5443target: { all: true }
5444runs_on: agent
5445"#;
5446        let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
5447        assert_eq!(s.runs_on, RunsOn::Agent);
5448        assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
5449    }
5450
5451    #[test]
5452    fn runs_on_serialises_snake_case() {
5453        for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
5454            let s = serde_json::to_value(mode).expect("serialise");
5455            assert_eq!(s, serde_json::Value::String(expected.into()));
5456            let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
5457                .expect("deserialise");
5458            assert_eq!(back, mode);
5459        }
5460    }
5461
5462    #[test]
5463    fn execute_shell_into_wire_shell() {
5464        assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
5465        assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
5466    }
5467
5468    #[test]
5469    fn manifest_staleness_defaults_to_cached() {
5470        let yaml = r#"
5471id: x
5472version: 1.0.0
5473execute:
5474  shell: powershell
5475  script: "echo"
5476  timeout: 1s
5477"#;
5478        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5479        assert_eq!(m.staleness, Staleness::Cached);
5480    }
5481
5482    #[test]
5483    fn manifest_strict_staleness_parses() {
5484        let yaml = r#"
5485id: urgent-patch
5486version: 2.5.1
5487execute:
5488  shell: powershell
5489  script: Install-Hotfix
5490  timeout: 5m
5491staleness:
5492  mode: strict
5493  max_cache_age: 0s
5494"#;
5495        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5496        match m.staleness {
5497            Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
5498            other => panic!("expected strict, got {other:?}"),
5499        }
5500    }
5501
5502    #[test]
5503    fn manifest_unchecked_staleness_parses() {
5504        let yaml = r#"
5505id: legacy
5506version: 0.1.0
5507execute:
5508  shell: cmd
5509  script: "echo"
5510  timeout: 1s
5511staleness:
5512  mode: unchecked
5513"#;
5514        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5515        assert_eq!(m.staleness, Staleness::Unchecked);
5516    }
5517
5518    #[test]
5519    fn missing_required_field_errors() {
5520        // `id` missing.
5521        let yaml = r#"
5522version: 1.0.0
5523target: { all: true }
5524execute:
5525  shell: powershell
5526  script: "echo"
5527  timeout: 1s
5528"#;
5529        let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
5530        assert!(r.is_err(), "expected error, got {:?}", r);
5531    }
5532
5533    #[test]
5534    fn display_field_table_kind_round_trips_with_nested_columns() {
5535        // #39: `type: table` + `columns:` on a DisplayField gets
5536        // round-tripped through serde so the SPA receives the
5537        // nested schema verbatim. Nested columns themselves are
5538        // DisplayFields so they can carry `type: bytes` /
5539        // `type: number` for cell formatting.
5540        let yaml = r#"
5541id: inv-hw
5542version: 1.0.0
5543execute:
5544  shell: powershell
5545  script: "echo"
5546  timeout: 60s
5547inventory:
5548  display:
5549    - field: hostname
5550      label: Hostname
5551    - field: disks
5552      label: Disks
5553      type: table
5554      columns:
5555        - field: device_id
5556          label: Drive
5557        - field: size_bytes
5558          label: Size
5559          type: bytes
5560        - field: free_bytes
5561          label: Free
5562          type: bytes
5563        - field: file_system
5564          label: FS
5565"#;
5566        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5567        let inv = m.inventory.as_ref().expect("inventory hint");
5568        let disks = inv
5569            .display
5570            .iter()
5571            .find(|d| d.field == "disks")
5572            .expect("disks display row");
5573        assert_eq!(disks.kind.as_deref(), Some("table"));
5574        let cols = disks.columns.as_ref().expect("table needs columns");
5575        assert_eq!(cols.len(), 4);
5576        assert_eq!(cols[1].field, "size_bytes");
5577        assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
5578    }
5579
5580    #[test]
5581    fn display_field_scalar_kind_keeps_columns_none() {
5582        // Defensive: when type is a scalar (`bytes` / `number` /
5583        // `timestamp`) the `columns` field stays None — the SPA
5584        // uses its presence as the "render nested table" signal,
5585        // so it must not leak in via serde defaults.
5586        let yaml = r#"
5587id: x
5588version: 1.0.0
5589execute:
5590  shell: powershell
5591  script: "echo"
5592  timeout: 5s
5593inventory:
5594  display:
5595    - { field: ram_bytes, label: RAM, type: bytes }
5596"#;
5597        let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5598        let inv = m.inventory.as_ref().unwrap();
5599        assert!(inv.display[0].columns.is_none());
5600    }
5601
5602    // ---- checked-in JSON Schema freshness (docs/schemas/) ----
5603
5604    /// The JSON Schemas under `docs/schemas/` must match what
5605    /// `schema_for!` produces today — a Cargo.lock-style freshness guard
5606    /// so a `Schedule` / `Manifest` field change can't silently drift
5607    /// the operator-facing schema. The SPA editor, the backend
5608    /// `/api/schemas/*` endpoints, and these files all read the same
5609    /// derived shape; this test fails CI if the checked-in copy lags.
5610    /// Regenerate with:
5611    ///   `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
5612    #[test]
5613    fn schema_files_are_current() {
5614        assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
5615        assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
5616        assert_schema_file("view.schema.json", &schemars::schema_for!(View));
5617    }
5618
5619    fn assert_schema_file(name: &str, schema: &schemars::Schema) {
5620        let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
5621        let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
5622            .join("../../docs/schemas")
5623            .join(name);
5624        if std::env::var_os("UPDATE_SCHEMAS").is_some() {
5625            std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
5626            std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
5627            return;
5628        }
5629        // Normalize CRLF→LF before comparing: `.gitattributes` already
5630        // pins these files to `eol=lf`, but a stray CRLF working-tree
5631        // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
5632        // freshness check into a confusing line-ending failure — that's
5633        // .gitattributes' job, not this test's (gemini #588).
5634        let on_disk = std::fs::read_to_string(&path)
5635            .unwrap_or_else(|e| {
5636                panic!(
5637                    "read {path:?}: {e}\n\
5638                     generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
5639                )
5640            })
5641            .replace("\r\n", "\n");
5642        assert_eq!(
5643            on_disk, generated,
5644            "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
5645             Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
5646        );
5647    }
5648}
5649
5650/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
5651/// (target + optional rollout + optional jitter) inline; the
5652/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
5653/// script body. Two schedules of the same job can target different
5654/// groups on different cadences without copying the manifest.
5655///
5656/// #418 Phase 1: the cadence is the single [`When`] field. The old
5657/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
5658/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
5659/// are warn-skipped; re-`schedule create` to upgrade them). The
5660/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
5661/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
5662/// `decide_fire` always ran on.
5663#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
5664pub struct Schedule {
5665    pub id: String,
5666    /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
5667    /// or a calendar time trigger (`at` / `days`). See [`When`].
5668    ///
5669    /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
5670    /// enums as `!per_pc` YAML tags by default; this keeps the
5671    /// operator-facing map shape (`when: { per_pc: once }`). JSON
5672    /// output is identical either way, and the schemars schema
5673    /// (external tagging = oneOf of single-key objects) already
5674    /// matches the singleton-map wire shape.
5675    #[serde(with = "serde_yaml::with::singleton_map")]
5676    #[schemars(with = "When")]
5677    pub when: When,
5678    /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
5679    /// Manifest's `id`.
5680    pub job_id: String,
5681    /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
5682    /// carry these any more — same job + different fanout = different
5683    /// schedule.
5684    #[serde(flatten)]
5685    pub plan: FanoutPlan,
5686    /// Optional validity window. Outside `[from, until)` the
5687    /// schedule is dormant — still registered, still visible, but
5688    /// every tick is skipped (deleted ≠ dormant: a campaign that
5689    /// ended stays inspectable and can be re-armed by editing the
5690    /// window). Checked at tick time on both the backend scheduler
5691    /// and the agent's local scheduler.
5692    #[serde(default, skip_serializing_if = "Active::is_empty")]
5693    pub active: Active,
5694    /// #418 operational constraints gating *when within an active
5695    /// period* a fire may happen: a maintenance `window`, a fleet
5696    /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
5697    /// wall-clock ones are evaluated in the schedule's `tz`; future
5698    /// `require` (env gates) lands in the same namespace. Checked at
5699    /// tick time on both schedulers (and surfaced by `preview`).
5700    #[serde(default, skip_serializing_if = "Constraints::is_empty")]
5701    pub constraints: Constraints,
5702    /// #418 Phase 4: what to do after a fire's script comes back
5703    /// failed. Currently just `retry` (fixed-backoff in-process
5704    /// re-run); future `notify` / `disable` join the same namespace.
5705    /// Applied fire-side in `handle_command` (the retry policy is
5706    /// lowered onto every Command this schedule produces), so it
5707    /// covers both `runs_on` locations.
5708    #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
5709    pub on_failure: OnFailure,
5710    /// #418 Phase 2: the timezone this schedule's wall-clock fields
5711    /// are evaluated in — both the calendar `at` firing time AND the
5712    /// `active.{from,until}` window bounds. `local` (default) = the
5713    /// running host's TZ (the agent's for `runs_on: agent`, the
5714    /// backend server's otherwise); `utc` for TZ-independent
5715    /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
5716    /// for firing (poll cron runs every minute regardless) but still
5717    /// honor it for the `active` window.
5718    #[serde(default)]
5719    pub tz: ScheduleTz,
5720    /// v0.22: optional humantime window after a cron tick during
5721    /// which the Command is still considered "live". The scheduler
5722    /// computes `tick_at + starting_deadline` and stamps it onto
5723    /// each Command as `deadline_at`; agents skip Commands they
5724    /// receive after that absolute time. `None` (default) = no
5725    /// deadline, meaning a Command queued in the broker / stream
5726    /// during agent downtime runs whenever the agent reconnects —
5727    /// good for kitting / inventory / cleanup. Set this for
5728    /// time-of-day notifications, lunch reminders, etc., where
5729    /// "fire 3 hours late" would be wrong.
5730    #[serde(default, skip_serializing_if = "Option::is_none")]
5731    pub starting_deadline: Option<String>,
5732    /// v0.23: where does the cron tick happen? `Backend` (default,
5733    /// historical) = backend's scheduler fires Commands via NATS;
5734    /// agents passively receive. `Agent` = each targeted agent runs
5735    /// its own internal cron and fires locally, so the schedule
5736    /// keeps ticking even when the broker is unreachable (laptop on
5737    /// the train, broker maintenance window, full WAN outage). The
5738    /// two locations are mutually exclusive — when `Agent`, the
5739    /// backend scheduler stays out and just keeps the definition in
5740    /// KV for agents to read.
5741    #[serde(default)]
5742    pub runs_on: RunsOn,
5743    #[serde(default = "default_true")]
5744    pub enabled: bool,
5745    /// Free-form operator taxonomy for the Schedules page — the
5746    /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
5747    /// code ref rather than an intra-doc link, since that field isn't
5748    /// on this branch until #640 merges). Purely a SPA-side
5749    /// organisational aid (search / filter chips alongside the
5750    /// id-prefix grouping); the scheduler never reads it, so any
5751    /// string is allowed and it carries no firing semantics. A
5752    /// schedule's own tags are independent of its job's: the same job
5753    /// may back a `weekly` maintenance schedule and a `canary` rollout
5754    /// schedule. Empty by default and `skip_serializing_if`-elided per
5755    /// the #492 gradual-upgrade wire rule.
5756    #[serde(default, skip_serializing_if = "Vec::is_empty")]
5757    pub tags: Vec<String>,
5758    /// GitOps provenance (#695) — see [`RepoOrigin`]. Stamped by
5759    /// `kanade schedule create` when the source YAML lives inside a Git
5760    /// work tree, so the SPA renders the schedule read-only and points
5761    /// edits back at the repo (SPEC design principle #3: 設定駆動 YAML +
5762    /// Git), parity with a job's [`Manifest::origin`]. `None` for
5763    /// SPA-born schedules and ones applied from outside any repo. Purely
5764    /// informational — the scheduler never reads it. New field ⇒ #492
5765    /// wire rule (`default` + `skip_serializing_if`).
5766    #[serde(default, skip_serializing_if = "Option::is_none")]
5767    pub origin: Option<RepoOrigin>,
5768}
5769
5770/// v0.23 — where the cron tick fires from.
5771#[derive(
5772    Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
5773)]
5774#[serde(rename_all = "snake_case")]
5775pub enum RunsOn {
5776    /// Backend's central scheduler ticks and publishes Commands to
5777    /// NATS. Historical default, what every pre-v0.23 schedule
5778    /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
5779    /// reconnects ⇒ catch-up via [`command_replay`](crate)
5780    /// (see kanade-agent's command_replay module).
5781    #[default]
5782    Backend,
5783    /// Each targeted agent runs the cron tick locally. Survives
5784    /// broker / WAN outages. Best for laptops / mobile devices that
5785    /// roam off the corporate network. Agent must be online for the
5786    /// initial schedule + job-catalog pull, but once cached the
5787    /// agent fires the script standalone.
5788    Agent,
5789}
5790
5791/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
5792#[derive(
5793    Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
5794)]
5795#[serde(rename_all = "snake_case")]
5796pub enum ExecMode {
5797    /// Fire on every cron tick at the whole target. Historical
5798    /// (pre-v0.19) behavior; no dedup.
5799    #[default]
5800    EveryTick,
5801    /// Fire at each pc until that pc succeeds; then skip it until
5802    /// the optional cooldown elapses (or forever if no cooldown).
5803    /// Use for kitting / first-boot / per-pc compliance checks.
5804    OncePerPc,
5805    /// Fire at the whole target until **any** pc succeeds; then
5806    /// skip the whole target until the optional cooldown elapses
5807    /// (or forever if no cooldown). Use for "one delegate is
5808    /// enough" tasks like license check-in.
5809    OncePerTarget,
5810    /// #418 OS-native event trigger (`when: { on: [...] }`). There is
5811    /// no cron — the agent fires it from an OS event source (boot /
5812    /// session-change), not a tick — so the scheduler skips
5813    /// `tokio-cron` registration for it. Each event occurrence fires
5814    /// once, gated by the standard freeze / active / window /
5815    /// skip_dates checks.
5816    Event,
5817}
5818
5819/// #418 Phase 1 — the single "when does this fire" axis.
5820///
5821/// Replaces the old `cron` + `mode` + `cooldown` trio whose
5822/// interactions were implicit (cron doubled as both a real
5823/// time-of-day trigger and a reconcile poll period; contradictory
5824/// combinations silently no-opped). Two shapes:
5825///
5826/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
5827///   pc (or one delegate) should have run this within `every`".
5828///   The poll period is system-generated ([`POLL_CRON`], every
5829///   minute) and no longer the operator's concern.
5830/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
5831///   (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
5832///   the whole target at the given time, no dedup. `at: "09:00"` +
5833///   `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
5834///   exactly once. Evaluated in the schedule's top-level `tz`.
5835#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5836#[serde(rename_all = "snake_case")]
5837pub enum When {
5838    /// Fire at each targeted pc: `once` (kitting — succeed once,
5839    /// skip forever, forever catching brand-new / re-imaged pcs)
5840    /// or `{ every: <humantime> }` (patrol — re-arm per pc after
5841    /// the interval).
5842    PerPc(PerPolicy),
5843    /// Fire until **any** one pc of the target succeeds, then skip
5844    /// the whole target (`once`) or re-arm after `every`. Needs
5845    /// fleet-wide completion data, so it is backend-only —
5846    /// `runs_on: agent` + `per_target` is rejected by
5847    /// [`Schedule::validate`].
5848    PerTarget(PerPolicy),
5849    /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
5850    /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
5851    /// the whole target at that wall-clock time in the schedule's
5852    /// `tz` — no dedup, no cooldown.
5853    Calendar(CalendarSpec),
5854    /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
5855    /// Fires when the agent observes the listed OS event(s) rather than
5856    /// on a clock — there is no cron. `runs_on: agent` only (the agent
5857    /// owns the event source); [`Schedule::validate`] rejects it on
5858    /// `backend` and rejects an empty list. Each event occurrence fires
5859    /// once, gated by the same freeze / active / `constraints.window` /
5860    /// `skip_dates` checks as the cron path. `startup` fires once per OS
5861    /// boot (deduped via the host boot time); a `starting_deadline`, if
5862    /// set, limits it to "agent came up within that long after boot".
5863    On(Vec<OnTrigger>),
5864}
5865
5866/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
5867#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
5868#[serde(rename_all = "snake_case")]
5869pub enum OnTrigger {
5870    /// Once per OS boot (the agent's first run for that boot). Catches
5871    /// freshly-imaged / reinstalled hosts at their next startup.
5872    Startup,
5873    /// On an interactive-session user logon — console, RDP, or
5874    /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
5875    /// service / network / batch logons (no interactive session).
5876    Logon,
5877    /// When the workstation is locked (Win+L / idle lock; Windows
5878    /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
5879    Lock,
5880    /// When the workstation is unlocked — the user returns to a locked
5881    /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
5882    /// compliance / refresh state when work resumes.
5883    Unlock,
5884    /// When the host's network changes — IP address table change on
5885    /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
5886    /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
5887    /// from one transition fires once after the network settles), so
5888    /// use it for "re-check connectivity / re-register on network move"
5889    /// rather than expecting one fire per raw adapter event.
5890    ///
5891    /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
5892    /// transition that touches only IPv6 addresses won't fire. In practice
5893    /// dual-stack networks change both tables together, but a pure-IPv6
5894    /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
5895    NetworkChange,
5896}
5897
5898/// Calendar time trigger (#418 Phase 2). `at` is either a time of
5899/// day (`"HH:MM"`, repeating — combine with `days`) or a full
5900/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
5901/// never again). Evaluated in the schedule's top-level `tz`.
5902#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5903pub struct CalendarSpec {
5904    /// `"HH:MM"` (24h) for a repeating trigger, or
5905    /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
5906    /// accepted) for a one-shot. Parsed lazily —
5907    /// [`Schedule::validate`] rejects garbage at create time.
5908    pub at: String,
5909    /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
5910    /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
5911    /// field, so ranges and names both work). An **nth-weekday**
5912    /// `["tue#2"]` fires only on the 2nd Tuesday of each month
5913    /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
5914    /// `["friL"]` fires only on the last Friday of each month (handy
5915    /// for monthly maintenance). Empty = every day. Must be empty
5916    /// when `at` carries a date (the date already pins the day).
5917    #[serde(default, skip_serializing_if = "Vec::is_empty")]
5918    pub days: Vec<String>,
5919}
5920
5921/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
5922/// date for a one-shot (`None` = repeating time-of-day).
5923struct ParsedAt {
5924    minute: u32,
5925    hour: u32,
5926    date: Option<chrono::NaiveDate>,
5927}
5928
5929impl CalendarSpec {
5930    /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
5931    /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
5932    fn parse_at(&self) -> Result<ParsedAt, String> {
5933        use chrono::Timelike;
5934        let s = self.at.trim();
5935        for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
5936            if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
5937                return Ok(ParsedAt {
5938                    minute: dt.minute(),
5939                    hour: dt.hour(),
5940                    date: Some(dt.date()),
5941                });
5942            }
5943        }
5944        if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
5945            return Ok(ParsedAt {
5946                minute: t.minute(),
5947                hour: t.hour(),
5948                date: None,
5949            });
5950        }
5951        Err(format!(
5952            "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
5953            self.at
5954        ))
5955    }
5956
5957    /// Pre-flight check on the `days` tokens so a bad day name gives
5958    /// a `when.days:`-scoped error instead of croner's confusing
5959    /// "when.at lowered to invalid cron" (claude #432 review). Each
5960    /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
5961    /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
5962    /// (2nd Tuesday of the month — "Patch Tuesday"), or a
5963    /// **last-weekday** like `friL` (last Friday of the month).
5964    fn validate_days(&self) -> Result<(), String> {
5965        const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
5966        let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
5967        for tok in &self.days {
5968            // Report the whole token on a malformed range like `mon-`
5969            // (which would otherwise split to a cryptic empty part —
5970            // claude #432 follow-up).
5971            let invalid = |reason: &str| {
5972                Err(format!(
5973                    "when.days: invalid day token '{tok}' ({reason}; \
5974                     want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
5975                     like tue#2, a last-weekday like friL, or *)"
5976                ))
5977            };
5978            // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
5979            // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
5980            // `to_cron` passes the token through verbatim, so the
5981            // engine fires only on that occurrence. It's a single
5982            // weekday + ordinal — not combinable with a range.
5983            if let Some((day_part, nth_part)) = tok.split_once('#') {
5984                // Normalize once and use `d` consistently (gemini #547);
5985                // the outer `invalid` already echoes the raw `tok`.
5986                let d = day_part.trim().to_ascii_lowercase();
5987                if d.contains('-') || !is_day(&d) {
5988                    return invalid("the part before # must be a single weekday");
5989                }
5990                match nth_part.trim().parse::<u8>() {
5991                    Ok(n) if (1..=5).contains(&n) => {}
5992                    _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
5993                }
5994                continue;
5995            }
5996            // #418: last-weekday suffix (`friL` = last Friday of the
5997            // month — the monthly-maintenance sibling of Patch Tuesday).
5998            // Croner accepts `<dow>L` in the DOW field with verified
5999            // last-<dow>-of-month semantics, and `to_cron` passes it
6000            // through verbatim. A single weekday + `L` — bare `L` and
6001            // ranges are rejected (croner would read bare `L` as
6002            // Saturday, which is a confusing footgun).
6003            if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
6004                // No `.trim()`: a cron DOW token can't carry internal
6005                // whitespace, so `"fri L"` must be *rejected* here (its
6006                // strip leaves `"fri "`, and `is_day` catches the space)
6007                // rather than trimmed into a clean `"fri"` that then
6008                // produces a malformed `fri L` cron downstream and a
6009                // confusing croner error (gemini #560).
6010                let d = day_part.to_ascii_lowercase();
6011                if d.is_empty() {
6012                    return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
6013                }
6014                if d.contains('-') || !is_day(&d) {
6015                    return invalid(
6016                        "the part before L must be a single weekday (e.g. friL = last Friday)",
6017                    );
6018                }
6019                continue;
6020            }
6021            for part in tok.split('-') {
6022                let p = part.trim().to_ascii_lowercase();
6023                if p.is_empty() {
6024                    return invalid("empty range bound");
6025                }
6026                if p != "*" && !is_day(&p) {
6027                    return invalid(&format!("'{part}' is not a day"));
6028                }
6029            }
6030        }
6031        Ok(())
6032    }
6033
6034    /// For a one-shot (`at` carries a date), the absolute instant it
6035    /// fires in `tz`. `None` for a repeating calendar. Used to warn
6036    /// about a one-shot whose date is already in the past (it would
6037    /// never fire).
6038    pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
6039        let p = self.parse_at().ok()?;
6040        let date = p.date?;
6041        let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
6042        tz.naive_to_utc(naive)
6043    }
6044
6045    /// The wall-clock time-of-day this calendar fires at (`None` if
6046    /// `at` is unparseable — validate() guards that). Used to detect
6047    /// a calendar whose fire time can never fall inside its
6048    /// `constraints.window` (claude #452 review).
6049    pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
6050        let p = self.parse_at().ok()?;
6051        chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
6052    }
6053
6054    /// Lower to the cron string the scheduler engine runs. Repeating
6055    /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
6056    /// `0 {min} {hour} {day} {month} * {year}` (a past year never
6057    /// fires — that's what makes it one-shot).
6058    fn to_cron(&self) -> Result<String, String> {
6059        use chrono::Datelike;
6060        let ParsedAt { minute, hour, date } = self.parse_at()?;
6061        match date {
6062            Some(d) => {
6063                if !self.days.is_empty() {
6064                    return Err(
6065                        "when.at with a date is a one-shot and cannot be combined with days".into(),
6066                    );
6067                }
6068                Ok(format!(
6069                    "0 {minute} {hour} {} {} * {}",
6070                    d.day(),
6071                    d.month(),
6072                    d.year()
6073                ))
6074            }
6075            None => {
6076                let dow = if self.days.is_empty() {
6077                    "*".to_string()
6078                } else {
6079                    self.validate_days()?;
6080                    self.days.join(",")
6081                };
6082                Ok(format!("0 {minute} {hour} * * {dow}"))
6083            }
6084        }
6085    }
6086}
6087
6088/// The timezone a schedule's wall-clock fields (`when.at`,
6089/// `active.{from,until}`) are evaluated in (#418 Phase 2).
6090#[derive(
6091    Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
6092)]
6093#[serde(rename_all = "snake_case")]
6094pub enum ScheduleTz {
6095    /// The running host's local timezone — the agent's for
6096    /// `runs_on: agent`, the backend server's otherwise. Default.
6097    #[default]
6098    Local,
6099    /// UTC — for timezone-independent schedules.
6100    Utc,
6101}
6102
6103impl ScheduleTz {
6104    /// Interpret a naive (zoneless) datetime as being in this tz and
6105    /// convert to UTC. On a DST *fold* (the local time occurs twice
6106    /// when clocks go back) we pick `.earliest()` rather than
6107    /// rejecting it; `None` is reserved for a true DST *gap* (a local
6108    /// time that never exists). `Utc` is fixed-offset so neither ever
6109    /// happens; `Local` is whatever timezone the running host is set
6110    /// to and *can* hit a gap/fold on any DST-observing host — not
6111    /// just the JST we run today (gemini + claude #432 review).
6112    fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
6113        use chrono::TimeZone;
6114        match self {
6115            ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
6116                naive,
6117                chrono::Utc,
6118            )),
6119            ScheduleTz::Local => chrono::Local
6120                .from_local_datetime(&naive)
6121                .earliest()
6122                .map(|dt| dt.with_timezone(&chrono::Utc)),
6123        }
6124    }
6125
6126    /// The wall-clock time-of-day `now` reads as in this tz — used by
6127    /// [`Constraints::allows`] to test a maintenance window
6128    /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
6129    /// running host's local time.
6130    fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
6131        match self {
6132            ScheduleTz::Utc => now.time(),
6133            ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
6134        }
6135    }
6136
6137    /// The wall-clock *date* `now` reads as in this tz — used by
6138    /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
6139    /// exclusion). Same tz semantics as [`Self::wall_time`].
6140    fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
6141        match self {
6142            ScheduleTz::Utc => now.date_naive(),
6143            ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
6144        }
6145    }
6146
6147    /// Stable lowercase wire/display label (`local` / `utc`) — matches
6148    /// the serde `snake_case` representation. Used for the preview
6149    /// response's `tz` field so the JSON shape isn't coupled to the
6150    /// `Debug` repr (claude #578 review).
6151    pub fn as_str(self) -> &'static str {
6152        match self {
6153            ScheduleTz::Local => "local",
6154            ScheduleTz::Utc => "utc",
6155        }
6156    }
6157}
6158
6159impl std::fmt::Display for ScheduleTz {
6160    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
6161        f.write_str(self.as_str())
6162    }
6163}
6164
6165/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
6166/// `per_target`. Untagged so the YAML stays the bare keyword or a
6167/// one-key map, nothing more ceremonial.
6168#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
6169#[serde(untagged)]
6170pub enum PerPolicy {
6171    /// The bare string `once`: succeed once, then skip permanently
6172    /// (cooldown = infinity).
6173    Once(OnceLiteral),
6174    /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
6175    Every(EverySpec),
6176}
6177
6178/// Single-variant enum so serde accepts exactly the string `once`
6179/// (a free-form `String` would swallow typos like `onec`).
6180#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
6181#[serde(rename_all = "snake_case")]
6182pub enum OnceLiteral {
6183    Once,
6184}
6185
6186/// `{ every: <humantime> }`. Standalone struct (not an inline
6187/// struct variant). `{ evry: 6h }` still fails to parse (the
6188/// required `every` key is missing), and the create boundaries
6189/// reject the unknown `evry` via [`crate::strict`] with its path —
6190/// while agents reading a future writer's extra fields tolerate
6191/// them (#492).
6192#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
6193pub struct EverySpec {
6194    /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
6195    /// [`Schedule::validate`] rejects garbage at create time.
6196    pub every: String,
6197}
6198
6199impl PerPolicy {
6200    /// The cooldown this policy lowers to: `once` = `None`
6201    /// (permanent skip), `every` = the interval.
6202    fn cooldown(&self) -> Option<String> {
6203        match self {
6204            PerPolicy::Once(_) => None,
6205            PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
6206        }
6207    }
6208}
6209
6210impl std::fmt::Display for When {
6211    /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
6212    /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
6213    /// lines, audit payloads and the API's `ScheduleSummary`.
6214    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
6215        let policy = |p: &PerPolicy| match p {
6216            PerPolicy::Once(_) => "once".to_string(),
6217            PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
6218        };
6219        match self {
6220            When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
6221            When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
6222            When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
6223            When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
6224            When::On(triggers) => {
6225                let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
6226                write!(f, "on [{}]", names.join(","))
6227            }
6228        }
6229    }
6230}
6231
6232impl OnTrigger {
6233    /// Lowercase wire/display label (matches the serde `snake_case`).
6234    pub fn as_str(self) -> &'static str {
6235        match self {
6236            OnTrigger::Startup => "startup",
6237            OnTrigger::Logon => "logon",
6238            OnTrigger::Lock => "lock",
6239            OnTrigger::Unlock => "unlock",
6240            OnTrigger::NetworkChange => "network_change",
6241        }
6242    }
6243}
6244
6245/// Optional validity window for a [`Schedule`] (#418 decision G).
6246/// Half-open `[from, until)`; either bound may be omitted. Bounds
6247/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
6248/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
6249/// strings so the JSON Schema the SPA editor consumes stays two
6250/// plain string fields, mirroring `jitter` / `starting_deadline`.
6251///
6252/// #418 Phase 2: bounds are evaluated in the schedule's top-level
6253/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
6254/// calendar `at` AND the `active` window local — one consistent
6255/// timezone per schedule.
6256#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
6257pub struct Active {
6258    /// Dormant before this instant.
6259    #[serde(default, skip_serializing_if = "Option::is_none")]
6260    pub from: Option<String>,
6261    /// Dormant from this instant on (exclusive).
6262    #[serde(default, skip_serializing_if = "Option::is_none")]
6263    pub until: Option<String>,
6264}
6265
6266impl Active {
6267    /// `skip_serializing_if` helper — an empty window means "always
6268    /// active" and is omitted from the wire format entirely.
6269    pub fn is_empty(&self) -> bool {
6270        self.from.is_none() && self.until.is_none()
6271    }
6272
6273    /// Parse one bound: RFC3339 first (offset honored, `tz`
6274    /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
6275    pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
6276        if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
6277            return Ok(dt.with_timezone(&chrono::Utc));
6278        }
6279        if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
6280            let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
6281            return tz.naive_to_utc(midnight).ok_or_else(|| {
6282                format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
6283            });
6284        }
6285        Err(format!(
6286            "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
6287        ))
6288    }
6289
6290    /// Is `now` inside the window? Unparseable bounds are treated
6291    /// as absent here (fail-open) — [`Schedule::validate`] is the
6292    /// place that rejects them loudly; this runs on every tick and
6293    /// must never panic on a stale KV blob.
6294    pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
6295        let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
6296        if bound(&self.from).is_some_and(|from| now < from) {
6297            return false;
6298        }
6299        if bound(&self.until).is_some_and(|until| now >= until) {
6300            return false;
6301        }
6302        true
6303    }
6304}
6305
6306/// Host-environment gate (#418 `constraints.require`). Fire only when
6307/// the target host is in the required state. Sensed **in-process by the
6308/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
6309/// read a target host's power/idle state ([`Schedule::validate`]
6310/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
6311///
6312/// Evaluated at fire time as a skip-this-tick gate (NOT in
6313/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
6314/// cadence re-checks every minute (so it effectively defers until the
6315/// state is met — the intended pairing); a `calendar` fire that lands
6316/// while the state is unmet is simply missed, same as `window`. It is
6317/// therefore a *runtime* gate and does not appear in `preview`.
6318// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
6319#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
6320pub struct Require {
6321    /// Fire only while on **AC power** (skip on battery). Reads
6322    /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
6323    /// as not-on-AC (fail-closed — a restrictive gate must not fire
6324    /// when it can't confirm the condition). `false` (default) = no
6325    /// power requirement.
6326    #[serde(default, skip_serializing_if = "std::ops::Not::not")]
6327    pub ac_power: bool,
6328    /// Fire only when the active console session has had **no keyboard /
6329    /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
6330    /// "don't run while the user is actively working". Input-based
6331    /// (simpler than Task Scheduler's CPU/disk-aware idle). A
6332    /// headless / disconnected console (no interactive user) trivially
6333    /// satisfies it. `None` (default) = no idle requirement. Parsed
6334    /// lazily; [`Schedule::validate`] rejects garbage at create time.
6335    #[serde(default, skip_serializing_if = "Option::is_none")]
6336    pub idle: Option<String>,
6337    /// Fire only when the **whole-machine CPU usage is below this
6338    /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
6339    /// while the box is busy". Reuses the agent's `host_perf` system CPU%
6340    /// sample (`sysinfo` mean over cores), so the reading is up to one
6341    /// `host_perf` cadence old (default 60s) — fine as a "generally
6342    /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
6343    /// needs two samples). An unavailable sample (host_perf not warmed
6344    /// up yet, or stale) is treated as "not below" (fail-closed — a
6345    /// restrictive gate must not fire when it can't confirm). `None`
6346    /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
6347    /// out-of-range value at create time.
6348    #[serde(default, skip_serializing_if = "Option::is_none")]
6349    pub cpu_below: Option<f64>,
6350    /// Fire only when the host has **internet connectivity** (Windows
6351    /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
6352    /// until online" for jobs that download / phone home. A captive
6353    /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
6354    /// unknown/unreadable state is treated as offline (fail-closed) — a
6355    /// portal would just fail a download, so we hold the run. For VPN /
6356    /// SASE / app-specific conditions, use a custom script gate (separate
6357    /// slice). `false` (default) = no network requirement.
6358    #[serde(default, skip_serializing_if = "std::ops::Not::not")]
6359    pub network: bool,
6360}
6361
6362impl Require {
6363    /// `skip_serializing_if` helper for an embedded empty `require`.
6364    pub fn is_empty(&self) -> bool {
6365        !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
6366    }
6367
6368    /// Parsed minimum-idle duration (`None` = no idle requirement, or an
6369    /// unparseable value — `validate` rejects the latter at create time).
6370    pub fn min_idle(&self) -> Option<std::time::Duration> {
6371        self.idle
6372            .as_deref()
6373            .and_then(|s| humantime::parse_duration(s.trim()).ok())
6374    }
6375
6376    /// First unparseable field for create-time rejection (mirrors
6377    /// [`Constraints::bad_skip_date`]).
6378    pub fn bad_idle(&self) -> Option<String> {
6379        self.idle.as_deref().and_then(|s| {
6380            humantime::parse_duration(s.trim())
6381                .err()
6382                .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
6383        })
6384    }
6385}
6386
6387/// Host-environment state sensed by the agent, fed to [`require_met`].
6388/// A named struct (not positional args) so the growing set of sensed
6389/// signals — several of them `bool` — can't be transposed at a call
6390/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
6391#[derive(Debug, Clone, Copy, Default)]
6392pub struct EnvState {
6393    /// Is the host on AC power (`false` if on battery or unreadable).
6394    pub ac_online: bool,
6395    /// How long the console has been idle (`None` = couldn't determine).
6396    pub idle: Option<std::time::Duration>,
6397    /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
6398    pub cpu_pct: Option<f64>,
6399    /// Does the host have internet connectivity (`false` if offline /
6400    /// LAN-only / unreadable).
6401    pub network_up: bool,
6402}
6403
6404/// Pure env-gate decision (#418 `constraints.require`). The Win32
6405/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
6406/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
6407/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
6408/// pure and `preview` never evaluates a runtime gate. Each set
6409/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
6410pub fn require_met(req: &Require, env: &EnvState) -> bool {
6411    if req.ac_power && !env.ac_online {
6412        return false;
6413    }
6414    if let Some(min) = req.min_idle() {
6415        match env.idle {
6416            Some(d) if d >= min => {}
6417            _ => return false,
6418        }
6419    }
6420    if let Some(max) = req.cpu_below {
6421        match env.cpu_pct {
6422            Some(p) if p < max => {}
6423            _ => return false,
6424        }
6425    }
6426    if req.network && !env.network_up {
6427        return false;
6428    }
6429    true
6430}
6431
6432/// [`Active`] decides *over what date range* a schedule is live,
6433/// `Constraints` decides *when, within an active period,* a fire is
6434/// allowed: `window` (a maintenance time-of-day window),
6435/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
6436/// (holiday exclusion) and `require` (host-environment gates, agent-only
6437/// — see [`Require`]).
6438// No `Eq`: contains `require: Option<Require>` which holds an f64.
6439#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
6440pub struct Constraints {
6441    /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
6442    /// `tz`). Fires outside it are skipped — mainly for reconcile
6443    /// cadences ("patrol every 6h, but only fire overnight") and
6444    /// daytime change-freezes. `start > end` crosses midnight
6445    /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
6446    /// lazily; [`Schedule::validate`] rejects garbage at create time.
6447    #[serde(default, skip_serializing_if = "Option::is_none")]
6448    pub window: Option<String>,
6449    /// Fleet-wide cap on how many instances of this schedule's job may
6450    /// run **at the same time** (#418 "同時実行ハード上限"). The
6451    /// backend scheduler counts the job's still-in-flight runs
6452    /// (`execution_results.finished_at IS NULL`) each tick and only
6453    /// dispatches to as many remaining pcs as there are free slots —
6454    /// a rolling window that refills as runs complete. Useful for
6455    /// disk/CPU/network-heavy jobs you don't want hammering the whole
6456    /// fleet at once.
6457    ///
6458    /// **Backend-only** (it needs a central counter): combining it
6459    /// with `runs_on: agent` is rejected by [`Schedule::validate`]
6460    /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
6461    /// for `per_pc` reconcile cadences, where the poll re-ticks and
6462    /// refills slots. `None` (default) = no cap.
6463    #[serde(default, skip_serializing_if = "Option::is_none")]
6464    pub max_concurrent: Option<u32>,
6465    /// Calendar dates the schedule must **not** fire on — holidays,
6466    /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
6467    /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
6468    /// `tz`. Applies to every `when` shape (a reconcile cadence skips
6469    /// the whole day; a calendar fire landing on the date is
6470    /// suppressed) and is honored by both the live scheduler and
6471    /// `preview`, since both gate on [`Constraints::allows`]. Empty
6472    /// (default) = no skips. Operator-supplied: there is no built-in
6473    /// holiday calendar — list the dates you care about. Parsed lazily;
6474    /// [`Schedule::validate`] rejects a malformed date at create time.
6475    #[serde(default, skip_serializing_if = "Vec::is_empty")]
6476    pub skip_dates: Vec<String>,
6477    /// Host-environment gate (#418): fire only when the target host is
6478    /// in the required state (on AC power, idle). Agent-sensed at fire
6479    /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
6480    /// no environment requirement.
6481    #[serde(default, skip_serializing_if = "Option::is_none")]
6482    pub require: Option<Require>,
6483}
6484
6485impl Constraints {
6486    /// `skip_serializing_if` helper — empty constraints are omitted
6487    /// from the wire format entirely.
6488    pub fn is_empty(&self) -> bool {
6489        self.window.is_none()
6490            && self.max_concurrent.is_none()
6491            && self.skip_dates.is_empty()
6492            && self.require.as_ref().is_none_or(Require::is_empty)
6493    }
6494
6495    /// The first unparseable `skip_dates` entry, if any — the
6496    /// scheduler logs it at register time so a fail-closed
6497    /// (never-firing) schedule from a hand-edited KV blob is
6498    /// diagnosable, mirroring [`Schedule::bad_window`].
6499    pub fn bad_skip_date(&self) -> Option<String> {
6500        self.skip_dates.iter().find_map(|s| {
6501            chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
6502                .err()
6503                .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
6504        })
6505    }
6506
6507    /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
6508    /// error (a zero-width or all-day window is ambiguous — write no
6509    /// window for "always").
6510    pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
6511        let (a, b) = s
6512            .split_once('-')
6513            .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
6514        let parse = |part: &str| {
6515            chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
6516                .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
6517        };
6518        let (start, end) = (parse(a)?, parse(b)?);
6519        if start == end {
6520            return Err(format!(
6521                "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
6522            ));
6523        }
6524        Ok((start, end))
6525    }
6526
6527    /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
6528    /// always allowed. Half-open `[start, end)`; `start > end`
6529    /// crosses midnight.
6530    ///
6531    /// **Fail-closed** on an unparseable window (returns `false`,
6532    /// gemini #452 review): a window is a *restrictive* constraint
6533    /// (change-freeze / overnight-only), so a corrupt one must NOT
6534    /// silently allow fires during the restricted hours. Bad windows
6535    /// are rejected at create time by [`Schedule::validate`]; this
6536    /// only bites a hand-edited KV blob, where blocking is the safe
6537    /// direction. The scheduler warns at register time
6538    /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
6539    /// The tick path never panics regardless.
6540    pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
6541        // #418 holiday / blackout dates: never fire on a listed wall
6542        // date (in `tz`). Checked before the window since a skipped day
6543        // overrides any within-window allowance. Fail-closed on a
6544        // corrupt entry (same posture as `window`): a skip date is a
6545        // *restrictive* constraint, so a garbled one must not silently
6546        // re-enable fires — it blocks until fixed (`validate` rejects it
6547        // at create time; `bad_skip_date` lets the scheduler warn).
6548        if !self.skip_dates.is_empty() {
6549            let today = tz.wall_date(now);
6550            let blocked = self.skip_dates.iter().any(|s| {
6551                match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
6552                    Ok(d) => d == today,
6553                    Err(_) => true, // corrupt entry → fail-closed (block)
6554                }
6555            });
6556            if blocked {
6557                return false;
6558            }
6559        }
6560        match self.window.as_deref() {
6561            // No window → always allowed.
6562            None => true,
6563            // Window set: membership, or fail-closed if unparseable
6564            // (`window_contains` returns None for a corrupt window).
6565            Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
6566        }
6567    }
6568
6569    /// Membership of a wall-clock time-of-day in the window. `None`
6570    /// when there is no window or it's unparseable (callers decide
6571    /// the failure direction). `start > end` crosses midnight.
6572    fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
6573        let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
6574        Some(if start <= end {
6575            start <= t && t < end
6576        } else {
6577            t >= start || t < end
6578        })
6579    }
6580}
6581
6582/// What to do when a fire's script fails (#418 Phase 4 — the "高"
6583/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
6584/// happens, `OnFailure` decides what happens *after* one ran and
6585/// came back bad. Only `retry` so far; future `notify` / `disable`
6586/// would join the same namespace.
6587#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
6588pub struct OnFailure {
6589    /// Re-run the script in-process when it exits non-zero (or times
6590    /// out), up to a cap, with a fixed backoff between attempts.
6591    /// `None` (default) = no retry: a failed run is published as-is
6592    /// and (for reconcile cadences) simply re-fires on the next poll
6593    /// tick. See [`Retry`].
6594    #[serde(default, skip_serializing_if = "Option::is_none")]
6595    pub retry: Option<Retry>,
6596}
6597
6598impl OnFailure {
6599    /// `skip_serializing_if` helper — an empty policy is omitted from
6600    /// the wire format entirely.
6601    pub fn is_empty(&self) -> bool {
6602        self.retry.is_none()
6603    }
6604
6605    /// Lower the operator-facing `retry` (humantime backoff) onto the
6606    /// engine vocabulary the agent's executor runs on (backoff in
6607    /// whole seconds). Single seam shared by the backend command
6608    /// builder and the agent's local scheduler so the two stamp the
6609    /// same [`crate::wire::RetrySpec`] onto every Command. Returns
6610    /// `None` when there is no retry policy or the backoff is
6611    /// unparseable (validate() rejects the latter at create time;
6612    /// this stays fail-safe = "no retry" for a hand-edited KV blob
6613    /// rather than panicking on the fire path).
6614    pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
6615        let r = self.retry.as_ref()?;
6616        let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
6617        Some(crate::wire::RetrySpec {
6618            max: r.max,
6619            backoff_secs,
6620        })
6621    }
6622}
6623
6624/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
6625/// *additional* attempts after the first run (so `max: 3` = up to 4
6626/// total executions); `backoff` is the humantime delay slept between
6627/// attempts. The retry happens fire-side (inside `kanade fire` /
6628/// `handle_command`) on every OS for the PoC — the Windows-native
6629/// "restart on failure" Task Scheduler path is deferred to the
6630/// native-delegation phase (#418 decision H).
6631#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
6632pub struct Retry {
6633    /// Max additional attempts after the first failure. Bounded
6634    /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
6635    /// with a short backoff would otherwise pin a flapping script in
6636    /// a tight loop for the whole window.
6637    pub max: u32,
6638    /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
6639    pub backoff: String,
6640}
6641
6642/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
6643/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
6644/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
6645/// global* "stop all automated change" switch the operator flips
6646/// during an incident or a year-end change-freeze. It lives in its
6647/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
6648/// active, both the backend scheduler and every agent's local
6649/// scheduler skip *every* fire.
6650///
6651/// Shapes:
6652/// * `{}` (no bounds) — frozen indefinitely until the operator
6653///   clears it (incident "big red button").
6654/// * `{ from, until }` — frozen only within `[from, until)`,
6655///   evaluated in `tz` (planned change-freeze; auto-thaws).
6656///
6657/// The KV key being *absent* means "not frozen" — so clearing the
6658/// freeze is a KV delete, and `is_active` only ever runs on a freeze
6659/// the operator actually set.
6660#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
6661pub struct Freeze {
6662    /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
6663    /// `tz`). `None` ⇒ frozen from the beginning of time.
6664    #[serde(default, skip_serializing_if = "Option::is_none")]
6665    pub from: Option<String>,
6666    /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
6667    /// no scheduled end (manual clear required).
6668    #[serde(default, skip_serializing_if = "Option::is_none")]
6669    pub until: Option<String>,
6670    /// Operator-supplied note surfaced on the freeze-skip log and the
6671    /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
6672    #[serde(default, skip_serializing_if = "Option::is_none")]
6673    pub reason: Option<String>,
6674    /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
6675    /// carry their own offset). Defaults to host-local like a
6676    /// schedule's `tz`.
6677    #[serde(default)]
6678    pub tz: ScheduleTz,
6679}
6680
6681impl Freeze {
6682    /// Is the fleet frozen at `now`? An empty window (`from`/`until`
6683    /// both absent) is frozen unconditionally; otherwise membership of
6684    /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
6685    /// but **fails CLOSED** on an unparseable bound — a freeze is a
6686    /// safety switch, so a corrupt window (only reachable via a
6687    /// hand-edited KV blob; `validate` rejects it at set time) must
6688    /// mean "frozen", not "fire normally" (coderabbit #472). This is
6689    /// the one deliberate divergence from `active`'s fail-OPEN
6690    /// behaviour, where an unparseable bound dormant-skips a schedule.
6691    pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
6692        // Parse a bound; an unparseable one short-circuits the whole
6693        // check to `true` (frozen) via the closure's `None` sentinel
6694        // handled below.
6695        let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
6696            match s.as_deref() {
6697                None => Ok(None),
6698                Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
6699            }
6700        };
6701        let (from, until) = match (bound(&self.from), bound(&self.until)) {
6702            (Ok(f), Ok(u)) => (f, u),
6703            // Any corrupt bound → fail closed (frozen).
6704            _ => return true,
6705        };
6706        if from.is_some_and(|f| now < f) {
6707            return false;
6708        }
6709        if until.is_some_and(|u| now >= u) {
6710            return false;
6711        }
6712        true
6713    }
6714
6715    /// Reject unparseable bounds / `from >= until` at set time (the
6716    /// API + CLI counterpart to [`Schedule::validate`]).
6717    pub fn validate(&self) -> Result<(), String> {
6718        let from = self
6719            .from
6720            .as_deref()
6721            .map(|s| Active::parse_bound(s, self.tz))
6722            .transpose()
6723            .map_err(|e| e.replace("active:", "freeze:"))?;
6724        let until = self
6725            .until
6726            .as_deref()
6727            .map(|s| Active::parse_bound(s, self.tz))
6728            .transpose()
6729            .map_err(|e| e.replace("active:", "freeze:"))?;
6730        if let (Some(f), Some(u)) = (from, until) {
6731            if f >= u {
6732                return Err(format!(
6733                    "freeze.from ({}) must be strictly before freeze.until ({})",
6734                    self.from.as_deref().unwrap_or_default(),
6735                    self.until.as_deref().unwrap_or_default(),
6736                ));
6737            }
6738        }
6739        Ok(())
6740    }
6741}
6742
6743/// The system-generated poll cadence every reconcile-shaped `when`
6744/// lowers to. Operators never write this: the real inter-run
6745/// spacing is the `every` cooldown; this only bounds "how soon do
6746/// we notice somebody is due" (#418 decision B took the poll
6747/// period away from the operator).
6748pub const POLL_CRON: &str = "0 * * * * *";
6749
6750/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
6751/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
6752/// unchanged is what lets Phase 1 swap the operator surface without
6753/// touching the tick / dedup machinery.
6754pub struct Lowered {
6755    /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
6756    /// reconcile shapes, a 6/7-field cron for calendar shapes.
6757    pub cron: String,
6758    /// Dedup semantics for `decide_fire`.
6759    pub mode: ExecMode,
6760    /// Humantime re-arm interval (`None` = succeed once, skip
6761    /// forever).
6762    pub cooldown: Option<String>,
6763    /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
6764    /// passes this to `Job::new_async_tz`. Reconcile shapes carry
6765    /// the schedule's tz too even though POLL_CRON is tz-agnostic,
6766    /// so the same value drives the `active`-window check.
6767    pub tz: ScheduleTz,
6768}
6769
6770impl Schedule {
6771    /// The error message if this schedule's `constraints.window` is
6772    /// set but unparseable, else `None`. The scheduler logs this at
6773    /// register time so a fail-closed (never-firing) schedule from a
6774    /// hand-edited KV blob is diagnosable (gemini #452 review).
6775    pub fn bad_window(&self) -> Option<String> {
6776        let w = self.constraints.window.as_deref()?;
6777        Constraints::parse_window(w).err()
6778    }
6779
6780    /// True when this is a `calendar` schedule whose fire time can
6781    /// never fall inside its `constraints.window` — the cron fires,
6782    /// the window check rejects it, and (firing only at that
6783    /// time-of-day) it effectively never runs. An easy misconfig to
6784    /// set up by accident; the scheduler warns at register time
6785    /// (claude #452 review). Reconcile shapes poll every minute, so
6786    /// they always catch the window opening and aren't affected.
6787    pub fn calendar_outside_window(&self) -> bool {
6788        let When::Calendar(c) = &self.when else {
6789            return false;
6790        };
6791        let Some(t) = c.fire_time() else {
6792            return false;
6793        };
6794        matches!(self.constraints.window_contains(t), Some(false))
6795    }
6796
6797    /// Up to `count` future instants this schedule will fire, as
6798    /// absolute UTC, strictly after `now` — the dry-run / preview
6799    /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
6800    /// schedules have discrete fire times; reconcile shapes
6801    /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
6802    /// they return an empty vec and the caller describes the cadence
6803    /// instead. Occurrences outside the `active.{from,until}` window or
6804    /// the `constraints.window` are **skipped**, so the list reflects
6805    /// when the schedule will ACTUALLY run, not the raw cron ticks.
6806    /// Evaluated in the schedule's `tz`, exactly like the scheduler's
6807    /// `Job::new_async_tz`, and with the same croner config the
6808    /// scheduler / [`Schedule::validate`] use, so a preview can never
6809    /// disagree with a real fire. A schedule that can never fire (a
6810    /// calendar time wholly outside its window, a past one-shot,
6811    /// `enabled: false` is *not* considered here — callers gate on
6812    /// `enabled` separately) yields an empty vec.
6813    pub fn preview_fires(
6814        &self,
6815        now: chrono::DateTime<chrono::Utc>,
6816        count: usize,
6817    ) -> Vec<chrono::DateTime<chrono::Utc>> {
6818        use croner::parser::{CronParser, Seconds};
6819        if !matches!(self.when, When::Calendar(_)) {
6820            return Vec::new();
6821        }
6822        // Same lowering + croner config as `next_calendar_fire` and the
6823        // live scheduler, so a preview can never disagree with a real
6824        // fire. `preview_fires` adds the N-occurrence walk and the
6825        // active / window filtering on top of that single seam.
6826        let lowered = self.lowered();
6827        let Ok(cron) = CronParser::builder()
6828            .seconds(Seconds::Required)
6829            .dom_and_dow(true)
6830            .build()
6831            .parse(&lowered.cron)
6832        else {
6833            return Vec::new();
6834        };
6835        let accept = |utc: chrono::DateTime<chrono::Utc>| {
6836            self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
6837        };
6838        match self.tz {
6839            ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
6840            ScheduleTz::Local => {
6841                Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
6842            }
6843        }
6844    }
6845
6846    /// Walk croner forward from `after` collecting up to `count`
6847    /// accepted occurrences (converted to UTC). Generic over the tz the
6848    /// cron is evaluated in so `preview_fires` can run it in either
6849    /// `Utc` or `Local` without duplicating the loop.
6850    fn next_occurrences<Tz>(
6851        cron: &croner::Cron,
6852        after: chrono::DateTime<Tz>,
6853        count: usize,
6854        accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
6855    ) -> Vec<chrono::DateTime<chrono::Utc>>
6856    where
6857        Tz: chrono::TimeZone,
6858    {
6859        // Bound the scan so an `active`/window dead-end (every future
6860        // tick rejected) can't spin forever: ~4096 raw ticks covers
6861        // >10y of a daily calendar while staying instant for croner.
6862        const SCAN_CAP: usize = 4096;
6863        let mut out = Vec::with_capacity(count.min(SCAN_CAP));
6864        let mut cursor = after;
6865        let mut scanned = 0usize;
6866        while out.len() < count && scanned < SCAN_CAP {
6867            scanned += 1;
6868            let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
6869                break;
6870            };
6871            let utc = next.with_timezone(&chrono::Utc);
6872            if accept(utc) {
6873                out.push(utc);
6874            }
6875            // `find_next_occurrence(.., inclusive = false)` already
6876            // advances strictly past `cursor`, so handing it `next`
6877            // verbatim gets the following occurrence — no manual +1s
6878            // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
6879            cursor = next;
6880        }
6881        out
6882    }
6883
6884    /// Lower the operator-facing `when` onto the engine vocabulary.
6885    /// Single seam shared by the backend scheduler and the agent's
6886    /// local scheduler so the two can never drift.
6887    pub fn lowered(&self) -> Lowered {
6888        let tz = self.tz;
6889        match &self.when {
6890            When::PerPc(p) => Lowered {
6891                cron: POLL_CRON.into(),
6892                mode: ExecMode::OncePerPc,
6893                cooldown: p.cooldown(),
6894                tz,
6895            },
6896            When::PerTarget(p) => Lowered {
6897                cron: POLL_CRON.into(),
6898                mode: ExecMode::OncePerTarget,
6899                cooldown: p.cooldown(),
6900                tz,
6901            },
6902            // `to_cron` only fails on a malformed `at` (rejected by
6903            // validate() at create time). For a hand-edited KV blob
6904            // that slipped past, emit a deliberately-invalid cron so
6905            // register()'s Job::new_async_tz fails → warn+skip,
6906            // rather than firing at the wrong time.
6907            When::Calendar(c) => Lowered {
6908                cron: c
6909                    .to_cron()
6910                    .unwrap_or_else(|_| "# invalid calendar at".into()),
6911                mode: ExecMode::EveryTick,
6912                cooldown: None,
6913                tz,
6914            },
6915            // Event triggers have no cron — the agent fires them from an
6916            // OS event source. The `# event-trigger` cron is never
6917            // registered (the scheduler branches on `is_event()` first),
6918            // but keep it deliberately-invalid as a belt-and-suspenders
6919            // so a stray registration would fail rather than misfire.
6920            When::On(_) => Lowered {
6921                cron: "# event-trigger (no cron)".into(),
6922                mode: ExecMode::Event,
6923                cooldown: None,
6924                tz,
6925            },
6926        }
6927    }
6928
6929    /// True when this schedule fires from an OS event (`when: { on }`)
6930    /// rather than a clock — the agent skips `tokio-cron` registration
6931    /// for these and drives them from boot / session-change instead.
6932    pub fn is_event(&self) -> bool {
6933        matches!(self.when, When::On(_))
6934    }
6935
6936    /// The OS event triggers this schedule listens for, or `&[]` when it
6937    /// is not an event schedule.
6938    pub fn event_triggers(&self) -> &[OnTrigger] {
6939        match &self.when {
6940            When::On(t) => t,
6941            _ => &[],
6942        }
6943    }
6944
6945    /// The next absolute (UTC) time this schedule fires, or `None` when
6946    /// it has no discrete upcoming fire to preview.
6947    ///
6948    /// Used by the KLP `maintenance.list` preview ("what's about to
6949    /// happen on my PC", SPEC §2.1). Returns `None` for:
6950    ///
6951    /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
6952    ///   every-minute [`POLL_CRON`] and re-converge state continuously,
6953    ///   so "next fire" is always ~60s away and means nothing to a user
6954    ///   previewing upcoming maintenance;
6955    /// - a calendar schedule whose lowered cron won't parse (a
6956    ///   hand-edited KV blob that slipped past [`Schedule::validate`]);
6957    /// - a cron with no future occurrence.
6958    ///
6959    /// The wall-clock fire is evaluated in the schedule's own `tz`
6960    /// (matching the live tick's `Job::new_async_tz`) then normalised
6961    /// to UTC for the wire. `inclusive = false`: strictly the *next*
6962    /// fire after `now`, never one matching the current instant.
6963    pub fn next_calendar_fire(
6964        &self,
6965        now: chrono::DateTime<chrono::Utc>,
6966    ) -> Option<chrono::DateTime<chrono::Utc>> {
6967        if !matches!(self.when, When::Calendar(_)) {
6968            return None;
6969        }
6970        let lowered = self.lowered();
6971        // Same parser configuration tokio-cron-scheduler 0.15 uses
6972        // internally, so this can never compute a fire the live
6973        // scheduler wouldn't (seconds required, DOM-and-DOW honored).
6974        let cron = croner::parser::CronParser::builder()
6975            .seconds(croner::parser::Seconds::Required)
6976            .dom_and_dow(true)
6977            .build()
6978            .parse(&lowered.cron)
6979            .ok()?;
6980        match lowered.tz {
6981            ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
6982            ScheduleTz::Local => {
6983                let now_local = now.with_timezone(&chrono::Local);
6984                cron.find_next_occurrence(&now_local, false)
6985                    .ok()
6986                    .map(|t| t.with_timezone(&chrono::Utc))
6987            }
6988        }
6989    }
6990
6991    /// Cross-field semantic checks that don't fit pure serde derive
6992    /// — the [`Manifest::validate`] counterpart (#418 decision F;
6993    /// pre-Phase-1 a broken schedule was accepted at create time
6994    /// and silently warn-skipped at tick time). Run at every create
6995    /// site: `kanade schedule create` (client-side) and
6996    /// `POST /api/schedules`. The job_id-exists check lives in the
6997    /// API handler instead — it needs the JOBS KV.
6998    pub fn validate(&self) -> Result<(), String> {
6999        if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
7000            return Err(
7001                "when.per_target needs fleet-wide completion data and is backend-only; \
7002                 it cannot be combined with runs_on: agent (each agent self-schedules, \
7003                 so per-target dedup would be deduping across a target of 1)"
7004                    .into(),
7005            );
7006        }
7007        // #418 event triggers: the agent owns the OS event source
7008        // (boot / session-change), so `when: { on }` is agent-only and
7009        // needs at least one trigger.
7010        if let When::On(triggers) = &self.when {
7011            if !matches!(self.runs_on, RunsOn::Agent) {
7012                return Err(
7013                    "when.on (OS event trigger) is fired by the agent's own event \
7014                     source, so it requires runs_on: agent"
7015                        .into(),
7016                );
7017            }
7018            if triggers.is_empty() {
7019                return Err(
7020                    "when.on must list at least one trigger (e.g. [startup, logon])".into(),
7021                );
7022            }
7023        }
7024        if let Some(cd) = self.lowered().cooldown.as_deref() {
7025            humantime::parse_duration(cd)
7026                .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
7027        }
7028        if let When::Calendar(c) = &self.when {
7029            // Lower the calendar form to its cron (catches a bad `at`
7030            // and the date+days conflict), then validate that cron
7031            // with the same parser configuration tokio-cron-scheduler
7032            // 0.15 uses internally (croner, seconds required,
7033            // DOM-and-DOW both honored, year optional) — create-time
7034            // validation can never accept what register() rejects.
7035            let cron = c.to_cron()?;
7036            croner::parser::CronParser::builder()
7037                .seconds(croner::parser::Seconds::Required)
7038                .dom_and_dow(true)
7039                .build()
7040                .parse(&cron)
7041                .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
7042        }
7043        // The other humantime strings on the schedule (claude #419
7044        // review): runtime degrades gracefully on both (bad jitter →
7045        // silent no-op, bad starting_deadline → warn + skipped tick),
7046        // but "rejected at create time" should cover every field the
7047        // operator can typo, not just `when`.
7048        if let Some(j) = &self.plan.jitter {
7049            humantime::parse_duration(j)
7050                .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
7051        }
7052        if let Some(sd) = &self.starting_deadline {
7053            humantime::parse_duration(sd)
7054                .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
7055        }
7056        let from = self
7057            .active
7058            .from
7059            .as_deref()
7060            .map(|s| Active::parse_bound(s, self.tz))
7061            .transpose()?;
7062        let until = self
7063            .active
7064            .until
7065            .as_deref()
7066            .map(|s| Active::parse_bound(s, self.tz))
7067            .transpose()?;
7068        if let (Some(f), Some(u)) = (from, until) {
7069            if f >= u {
7070                return Err(format!(
7071                    "active.from ({}) must be strictly before active.until ({})",
7072                    self.active.from.as_deref().unwrap_or_default(),
7073                    self.active.until.as_deref().unwrap_or_default(),
7074                ));
7075            }
7076        }
7077        // #418 Phase 3: a bad maintenance window is rejected at create
7078        // time (parse_window also catches equal bounds).
7079        if let Some(w) = self.constraints.window.as_deref() {
7080            Constraints::parse_window(w)?;
7081        }
7082        // #418 holiday exclusion: reject a malformed skip date at create
7083        // time so the fail-closed `allows` path only ever bites a
7084        // hand-edited KV blob, not a fresh `kanade schedule create`.
7085        if let Some(err) = self.constraints.bad_skip_date() {
7086            return Err(err);
7087        }
7088        // #418: constraints.max_concurrent is a central running-instance
7089        // cap, so it needs the backend's counter — reject it on
7090        // runs_on: agent (decision E), and reject a meaningless 0.
7091        if let Some(mc) = self.constraints.max_concurrent {
7092            // Check the structural incompatibility (agent has no central
7093            // counter) before the value range, so a `max_concurrent: 0`
7094            // + `runs_on: agent` combo reports the more fundamental
7095            // problem first (claude #542).
7096            if matches!(self.runs_on, RunsOn::Agent) {
7097                return Err(
7098                    "constraints.max_concurrent needs a central counter and is backend-only; \
7099                     it cannot be combined with runs_on: agent (each agent self-schedules, \
7100                     so there is no fleet-wide count to cap against)"
7101                        .into(),
7102                );
7103            }
7104            if mc == 0 {
7105                return Err(
7106                    "constraints.max_concurrent must be >= 1 (0 would never fire; \
7107                     omit it for no cap)"
7108                        .into(),
7109                );
7110            }
7111        }
7112        // #418: constraints.require (host-state env gates: ac_power /
7113        // idle / cpu_below / network) is sensed in-process by the agent,
7114        // so it needs runs_on: agent — the backend can't read a target
7115        // host's power / idle / cpu / connectivity state. Symmetric with
7116        // `when: { on }` (also agent-only); inverse of max_concurrent
7117        // (backend-only).
7118        if let Some(req) = &self.constraints.require {
7119            if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
7120                return Err(
7121                    "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
7122                     network) is sensed in-process by the agent and needs runs_on: agent; the \
7123                     backend cannot read a target host's power / idle / cpu / connectivity state"
7124                        .into(),
7125                );
7126            }
7127            // Reject a malformed idle duration at create time so the
7128            // fail-closed runtime path only ever bites a hand-edited
7129            // KV blob (mirror skip_dates / on_failure.retry).
7130            if let Some(err) = req.bad_idle() {
7131                return Err(err);
7132            }
7133            // cpu_below is a percent — reject out-of-range so a typo
7134            // can't make a schedule that never (>=100 is always-busy?
7135            // no — <0 never matches) or trivially fires.
7136            if let Some(c) = req.cpu_below
7137                && !(c > 0.0 && c <= 100.0)
7138            {
7139                return Err(format!(
7140                    "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
7141                     omit it for no CPU requirement"
7142                ));
7143            }
7144        }
7145        // #418 Phase 4: a bad on_failure.retry is rejected at create
7146        // time — backoff must be valid humantime, and max is bounded
7147        // so a typo can't pin a flapping script in a tight loop.
7148        if let Some(r) = &self.on_failure.retry {
7149            let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
7150                format!(
7151                    "on_failure.retry.backoff: invalid duration '{}': {e}",
7152                    r.backoff
7153                )
7154            })?;
7155            // The wire form lowers backoff to whole seconds, so a
7156            // sub-second value would silently become a 0s no-wait
7157            // (coderabbit #466). Reject it rather than honour a backoff
7158            // the operator can't actually get.
7159            if backoff.as_secs() < 1 {
7160                return Err(format!(
7161                    "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
7162                     round to 0 on the wire",
7163                    r.backoff
7164                ));
7165            }
7166            if !(1..=10).contains(&r.max) {
7167                return Err(format!(
7168                    "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
7169                     attempts after the first run",
7170                    r.max
7171                ));
7172            }
7173        }
7174        // A blank / whitespace-only tag renders an empty filter chip on
7175        // the Schedules page — reject it at create time, mirroring the
7176        // Manifest::validate tag guard.
7177        for tag in &self.tags {
7178            if tag.trim().is_empty() {
7179                return Err("tags must not contain empty entries".to_string());
7180            }
7181        }
7182        Ok(())
7183    }
7184}
7185
7186/// Shared `serde(default)` for `bool` fields that default to `true`
7187/// (e.g. `CheckHint::fleet` / `CheckHint::health`). Generic name so it
7188/// doesn't read as "fleet" when reused for `health`.
7189fn default_true() -> bool {
7190    true
7191}