kanade_shared/manifest.rs
1use serde::{Deserialize, Serialize};
2
3use crate::wire::{FinalizeCommand, RunAs, Shell, Staleness};
4
5/// YAML job manifest (= registered "what to run", v0.18.0+).
6///
7/// Owns only script-intrinsic fields. **Who** (`target`), **how to
8/// phase fanout** (`rollout`), and **when to stagger start**
9/// (`jitter`) all moved to the Schedule / exec request side — same
10/// script can now be fired against different targets / rollouts
11/// without copying the script body.
12///
13/// #492: these types are READ fleet-wide (agents decode them from
14/// BUCKET_JOBS / BUCKET_SCHEDULES and inside live Commands), so they
15/// must tolerate unknown fields — `deny_unknown_fields` here made a
16/// gradually-upgrading fleet's OLD agents reject the whole object
17/// the moment a newer backend added any field. Operator typo
18/// protection (the old reason for the attribute) lives at the WRITE
19/// boundaries instead: `kanade job/schedule create` and the backend
20/// POST extractor parse via [`crate::strict`], which rejects unknown
21/// keys with their full paths. The wire rule: new fields always get
22/// `#[serde(default)]` (+ `skip_serializing_if` while old readers
23/// may still be strict).
24#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
25pub struct Manifest {
26 pub id: String,
27 pub version: String,
28 #[serde(default)]
29 pub description: Option<String>,
30 pub execute: Execute,
31 #[serde(default)]
32 pub require_approval: bool,
33 /// Opt-in marker that this job produces a JSON inventory fact
34 /// payload on stdout. When present, the backend's results
35 /// projector parses `ExecResult.stdout` as JSON and upserts an
36 /// `inventory_facts` row keyed by `(pc_id, manifest.id)`. The
37 /// `display` sub-config drives the SPA's Inventory page render.
38 #[serde(default)]
39 pub inventory: Option<InventoryHint>,
40 /// Issue #246: opt-in marker that this job emits per-line
41 /// observability events on stdout (one JSON `ObsEvent` per
42 /// newline). When present, the agent — after the script exits
43 /// successfully — parses each non-empty stdout line as an
44 /// `ObsEvent`, publishes it on `obs.<pc_id>` via the
45 /// `obs_outbox`, and (intentionally) **omits the stdout from
46 /// the `ExecResult`** so the timeline data doesn't double up
47 /// in `execution_results.stdout` (which would multiply rows
48 /// by ~50/day/PC of noise).
49 ///
50 /// Distinct from `inventory:` (single JSON object → projector
51 /// upsert) — events are append-only timeline points consumed
52 /// by the dedicated `obs_events` table.
53 #[serde(default)]
54 pub emit: Option<EmitConfig>,
55 /// #290: opt-in marker that this job is an operator-defined
56 /// **health check** whose result feeds the Client App's Health
57 /// tab over KLP (`StateSnapshot.checks`). The script prints a
58 /// free-form JSON object on stdout (like any inventory job); the
59 /// agent reads the [`CheckHint::status_field`] value dynamically
60 /// into a [`crate::ipc::state::Check`] named `check.name`.
61 /// Cadence / windows / conditions come from
62 /// the job's Schedule (exactly like inventory) — there is
63 /// deliberately no interval here. **Composes with `inventory:` and
64 /// `collect:`** (#821): each reads its own `#KANADE-<KIND>`-fenced
65 /// stdout block, so one job can drive a check, project inventory
66 /// facts, and collect files in a single run. Only `emit:` (NDJSON
67 /// stdout) is incompatible. A check-only job may skip the fence
68 /// (whole stdout is the JSON); a multi-hint job fences each block.
69 #[serde(default)]
70 pub check: Option<CheckHint>,
71 /// #219: opt-in marker that this job COLLECTS files into a bundle.
72 /// The script does the collection work and prints a single JSON
73 /// object on stdout carrying a `files` array of paths (the field
74 /// name is [`CollectHint::files_field`], default `"files"`); the
75 /// agent — after the script exits successfully — zips those files,
76 /// uploads the archive to the `OBJECT_COLLECTIONS` Object Store
77 /// bucket (key `<pc_id>/<job_id>/<timestamp>.zip`), and records the
78 /// key in [`crate::wire::ExecResult::collect_object`]. The operator
79 /// downloads bundles from the SPA Collect page.
80 ///
81 /// Like `inventory:` / `check:` this reads a JSON object from stdout.
82 /// #821: it reads its own `#KANADE-COLLECT-BEGIN/END`-fenced block,
83 /// so it **composes with `inventory:` / `check:`** (and a user
84 /// message) on one stdout — only `emit:` (NDJSON) is incompatible
85 /// (enforced in [`Manifest::validate`]). A collect-only job may skip
86 /// the fence. It also composes with `client:` — a `collect:` +
87 /// `client:` job lets an end user trigger a collection from the
88 /// Client App (the same-host agent runs it).
89 #[serde(default, skip_serializing_if = "Option::is_none")]
90 pub collect: Option<CollectHint>,
91 /// #720: opt-in declarative aggregation over `obs_events` that drives
92 /// the SPA **Analytics** page. Unlike the other hints this one never
93 /// touches stdout and is never delivered to the agent — it's a pure
94 /// *read spec* the backend reads from `BUCKET_JOBS` at query time and
95 /// turns into `json_extract` aggregation SQL. Each entry is one widget
96 /// (a `dashboard:` tab groups them); `scope:` selects per-PC vs
97 /// fleet-wide rollup. Because it consumes nothing at run time it
98 /// composes with every other hint (typically paired with `emit:`,
99 /// which produces the events it reads). See [`AggregateWidget`].
100 ///
101 /// New field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
102 #[serde(default, skip_serializing_if = "Option::is_none")]
103 pub aggregate: Option<Vec<AggregateWidget>>,
104 /// v0.26: Layer 2 staleness policy (SPEC.md §2.6.2). Controls
105 /// what the agent does at fire time when it can't verify the
106 /// `script_current` / `script_status` KV values are fresh —
107 /// especially relevant for `runs_on: agent` schedules where
108 /// the agent may fire from cache while offline. Defaults to
109 /// `Staleness::Cached` (silently use cached values), which
110 /// matches every pre-v0.26 Manifest.
111 #[serde(default)]
112 pub staleness: Staleness,
113 /// #291: opt-in marker that this job is offered to **end users**
114 /// in the Client App's job tabs over KLP (`jobs.list` →
115 /// `jobs.execute`). Parallel to [`inventory`] / [`check`] /
116 /// [`emit`]: the block's mere presence is the opt-in, and it
117 /// groups the end-user presentation fields (name / category /
118 /// icon) that only make sense for a user-facing job. `None`
119 /// (the default) ⇒ an operator-only job — inventory, checks,
120 /// scheduled maintenance — that never surfaces in the catalog.
121 ///
122 /// The agent re-reads this at every `jobs.list` / `jobs.execute`
123 /// (SPEC §2.1), so removing the block takes a job out of a
124 /// running client on its next action.
125 ///
126 /// [`inventory`]: Manifest::inventory
127 /// [`check`]: Manifest::check
128 /// [`emit`]: Manifest::emit
129 #[serde(default, skip_serializing_if = "Option::is_none")]
130 pub client: Option<ClientHint>,
131 /// Free-form operator taxonomy for the Jobs catalog. Purely a
132 /// SPA-side organisational aid — agents / scheduler / projector
133 /// never read it — so it carries no runtime semantics and any
134 /// string is allowed (`security`, `weekly`, `windows`, …). Jobs
135 /// cross-cut (a `check-bitlocker` is at once a health-check, a
136 /// security control, and Windows-specific), which is why this is
137 /// a multi-valued list rather than the single closed-enum
138 /// [`ClientHint::category`] (whose values are the end-user Client
139 /// App's tabs, a different concern). The operator Jobs page groups
140 /// rows by id-prefix for free; tags add the orthogonal filter axis
141 /// prefixes can't express.
142 ///
143 /// Empty by default (the overwhelming majority of jobs), and a
144 /// new field, so it follows the #492 wire rule: `serde(default)`
145 /// plus `skip_serializing_if` keep gradually-upgrading old readers
146 /// from tripping over its absence / presence.
147 #[serde(default, skip_serializing_if = "Vec::is_empty")]
148 pub tags: Vec<String>,
149 /// GitOps provenance (#678) — see [`RepoOrigin`]. Stamped by
150 /// `kanade job create` when the source YAML lives inside a Git work
151 /// tree, so the SPA can render the job read-only and point edits
152 /// back at the repo instead of letting a ClickOps edit silently
153 /// diverge from Git (SPEC design principle #3: 設定駆動 YAML + Git).
154 /// `None` for SPA-born jobs and for manifests applied from outside
155 /// any Git repo. Purely informational: agents / scheduler /
156 /// projector never read it, and it survives `script_file:` inlining
157 /// (it's orthogonal to the exactly-one-of script-source rule). New
158 /// field ⇒ #492 wire rule (`default` + `skip_serializing_if`).
159 #[serde(default, skip_serializing_if = "Option::is_none")]
160 pub origin: Option<RepoOrigin>,
161 /// Job-generic post-step hook. When set, the agent runs this script
162 /// AFTER the main `execute:` script exits cleanly (and, for a
163 /// `collect:` job, after the bundle finishes uploading), so the
164 /// operator can delete / move / notify based on what the step
165 /// produced. Best-effort: a finalize failure is logged but never
166 /// fails the run — the upload (if any) already succeeded.
167 ///
168 /// For `collect:` jobs the agent injects the environment variable
169 /// `KANADE_COLLECT_RESULT` — a JSON object
170 /// `{ "ok": true, "bundles": [ { "key", "uploaded", "files": [...] } ] }`
171 /// — so the hook acts on exactly the files that were bundled and
172 /// uploaded (e.g. deletes only the `uploaded` ones). Composes with
173 /// every hint. New field ⇒ #492 wire rule (`default` +
174 /// `skip_serializing_if`).
175 #[serde(default, skip_serializing_if = "Option::is_none")]
176 pub finalize: Option<FinalizeSpec>,
177}
178
179/// GitOps provenance for a repo-managed YAML artifact — a [`Manifest`]
180/// (#678) or a [`Schedule`] (#695). Populated by `kanade job create` /
181/// `kanade schedule create` from the Git context of the source YAML;
182/// the SPA reads it to render Git-managed entries read-only and link
183/// the operator back at the repo. Never consulted by the runtime.
184#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
185pub struct RepoOrigin {
186 /// Repo-relative path of the source YAML — the primary edit target
187 /// the SPA surfaces (e.g. `configs/jobs/foo.yaml`). Forward slashes
188 /// regardless of the authoring OS.
189 pub path: String,
190 /// `origin` remote URL, when the repo has one. Lets the SPA turn
191 /// `path` into a clickable link; `None` for remote-less repos.
192 #[serde(default, skip_serializing_if = "Option::is_none")]
193 pub repo: Option<String>,
194 /// Repo-relative path of the `script_file:` a job manifest inlined,
195 /// when it used one — a secondary pointer shown beneath `path`.
196 /// Always `None` for schedules (they carry no script).
197 #[serde(default, skip_serializing_if = "Option::is_none")]
198 pub script_file: Option<String>,
199}
200
201/// "Who + how + when-to-stagger" — the fanout-plan side of an exec.
202/// Used both as the POST `/api/exec/{job_id}` body and as the embedded
203/// `target` / `rollout` / `jitter` slot on [`Schedule`]. Centralising
204/// here keeps the validation + serialisation logic in one place.
205#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
206pub struct FanoutPlan {
207 #[serde(default)]
208 pub target: Target,
209 /// Optional wave rollout — when present, the backend publishes
210 /// each wave's group subject on its own delay schedule instead
211 /// of fanning out the `target` block in one go. `target` then
212 /// only labels the deploy for the audit log.
213 #[serde(default, skip_serializing_if = "Option::is_none")]
214 pub rollout: Option<Rollout>,
215 /// Optional humantime jitter; agent uses it to randomise
216 /// execution start. Lives here (not on the script) so different
217 /// schedules / ad-hoc fires of the same job can pick different
218 /// stagger windows.
219 #[serde(default, skip_serializing_if = "Option::is_none")]
220 pub jitter: Option<String>,
221 /// Absolute time the scheduler stamps on each emitted Command
222 /// when this exec was driven by a [`Schedule`] with
223 /// `starting_deadline`. Agents receiving a Command after this
224 /// instant publish a synthetic skipped-result instead of
225 /// running the script. `None` (default) = no deadline / catch
226 /// up whenever delivered. Operators don't usually set this
227 /// directly — the scheduler computes it from `tick_at +
228 /// starting_deadline`.
229 #[serde(default, skip_serializing_if = "Option::is_none")]
230 pub deadline_at: Option<chrono::DateTime<chrono::Utc>>,
231}
232
233/// Sentinel lines that fence a hint's structured JSON payload inside an
234/// otherwise human-readable job stdout. Each stdout-reading hint
235/// (`inventory:` / `check:` / `collect:`) has its OWN `#KANADE-<KIND>-
236/// BEGIN`/`-END` pair, so one job can carry several of them at once
237/// (and/or a user-facing message) on its single stdout stream — every
238/// consumer extracts only its own block via [`fenced_payload`].
239///
240/// Originated for inventory (#793): a `client:` job couldn't put both a
241/// friendly message and a JSON object on one stdout (the Client App
242/// renders stdout verbatim, the projector needs JSON). #821 generalised
243/// it so inventory / check / collect can coexist. `emit:` is the
244/// exception — its stdout is line-delimited NDJSON consumed whole, so it
245/// never fences and never coexists with the others.
246///
247/// A job carrying a SINGLE hint may still skip the fence —
248/// [`fenced_payload`] falls back to the whole stdout — but a job
249/// COMBINING hints must fence each block (else every consumer would try
250/// to parse the same whole stdout).
251pub const INVENTORY_BLOCK_BEGIN: &str = "#KANADE-INVENTORY-BEGIN";
252/// Closing marker — see [`INVENTORY_BLOCK_BEGIN`].
253pub const INVENTORY_BLOCK_END: &str = "#KANADE-INVENTORY-END";
254/// Check-payload opening marker — see [`INVENTORY_BLOCK_BEGIN`].
255pub const CHECK_BLOCK_BEGIN: &str = "#KANADE-CHECK-BEGIN";
256/// Check-payload closing marker.
257pub const CHECK_BLOCK_END: &str = "#KANADE-CHECK-END";
258/// Collect-payload opening marker — see [`INVENTORY_BLOCK_BEGIN`].
259pub const COLLECT_BLOCK_BEGIN: &str = "#KANADE-COLLECT-BEGIN";
260/// Collect-payload closing marker.
261pub const COLLECT_BLOCK_END: &str = "#KANADE-COLLECT-END";
262
263/// Extract a hint's fenced block when the `begin` marker is present, else
264/// `None`. An unterminated fence (closing marker missing, e.g. truncated
265/// output) takes everything after the opener. Trimmed so surrounding
266/// message text / whitespace never reaches the JSON parser.
267pub fn fenced_payload_if_present<'a>(stdout: &'a str, begin: &str, end: &str) -> Option<&'a str> {
268 let b = find_line_marker(stdout, begin)?;
269 let after = &stdout[b + begin.len()..];
270 let inner = match find_line_marker(after, end) {
271 Some(e) => &after[..e],
272 None => after,
273 };
274 Some(inner.trim())
275}
276
277/// True if stdout carries ANY `#KANADE-<KIND>-BEGIN` fence at a line
278/// start — i.e. the script opted into fenced output. Used to decide
279/// whether a missing fence means "single-hint, use the whole stdout" or
280/// "multi-hint author error / truncation, this hint just has no block".
281pub fn has_any_hint_fence(stdout: &str) -> bool {
282 [
283 INVENTORY_BLOCK_BEGIN,
284 CHECK_BLOCK_BEGIN,
285 COLLECT_BLOCK_BEGIN,
286 ]
287 .iter()
288 .any(|m| find_line_marker(stdout, m).is_some())
289}
290
291/// Extract one hint's JSON payload from a job's stdout. When the hint's
292/// own `#KANADE-<KIND>` fence is present, return that block. When it's
293/// absent, fall back to the WHOLE stdout only for an unfenced (single-
294/// hint) job; if any OTHER hint's fence is present (#821 multi-hint
295/// output) return `""` instead — the script opted into fences but this
296/// block is missing (author error or truncation), so this consumer must
297/// NOT grab a sibling hint's block. An empty payload fails the consumer's
298/// JSON parse and degrades to "no data for this hint", never cross-parse.
299pub fn fenced_payload<'a>(stdout: &'a str, begin: &str, end: &str) -> &'a str {
300 if let Some(p) = fenced_payload_if_present(stdout, begin, end) {
301 return p;
302 }
303 if has_any_hint_fence(stdout) {
304 ""
305 } else {
306 stdout.trim()
307 }
308}
309
310/// Inventory's fenced payload — [`fenced_payload`] with the inventory
311/// markers. Kept as a named helper for the projector call site.
312pub fn inventory_payload(stdout: &str) -> &str {
313 fenced_payload(stdout, INVENTORY_BLOCK_BEGIN, INVENTORY_BLOCK_END)
314}
315
316/// Find `needle` only where it begins a line (start of `hay` or right
317/// after a `\n`). Anchoring to line start means a script echoing the
318/// literal sentinel mid-message (e.g. printing a command name) can't
319/// false-trigger the fence (Claude #793).
320fn find_line_marker(hay: &str, needle: &str) -> Option<usize> {
321 if hay.starts_with(needle) {
322 return Some(0);
323 }
324 hay.find(&format!("\n{needle}")).map(|p| p + 1)
325}
326
327/// Manifest sub-section: how the SPA should render the inventory
328/// facts this job produces. Each field name (`field`) is a top-level
329/// key in the stdout JSON, e.g. `hostname`, `ram_gb`.
330///
331/// Two render modes:
332/// * `display` — vertical "field / value" per PC, used by the
333/// `/inventory?pc=<id>` detail view. ALL columns the operator
334/// wants visible on the detail page.
335/// * `summary` — horizontal table across the fleet (row = PC,
336/// column = field) on `/inventory`. Optional; when omitted the
337/// SPA falls back to `display`, but operators usually want a
338/// trimmer "hostname / OS / CPU / RAM" set for the fleet view.
339#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
340pub struct InventoryHint {
341 /// Detail-view columns, in order.
342 pub display: Vec<DisplayField>,
343 /// Optional fleet-list columns (row = PC). Defaults to `display`
344 /// when omitted, but operators usually pick a 3-5 column subset.
345 #[serde(default, skip_serializing_if = "Option::is_none")]
346 pub summary: Option<Vec<DisplayField>>,
347 /// v0.31 / #40: payload arrays that should be exploded into
348 /// per-element rows of a derived SQLite table. Lets operators
349 /// answer cross-PC questions ("which PCs still have Chrome <
350 /// 120?", "C: >90% full") with normal SQL filters + indexes
351 /// instead of grepping JSON. The projector creates the derived
352 /// table on register and replaces this PC's rows on each result
353 /// (DELETE WHERE pc_id=? AND job_id=? + bulk INSERT). See
354 /// [`ExplodeSpec`] for the per-spec schema.
355 #[serde(default, skip_serializing_if = "Option::is_none")]
356 pub explode: Option<Vec<ExplodeSpec>>,
357 /// v0.35 / #93: top-level scalar fields whose changes the
358 /// projector logs to `inventory_history` (one event per
359 /// changed field per scan). Pairs with `explode[].track_history`
360 /// — that covers array elements; this covers single-valued
361 /// fields like `ram_bytes` / `os_version` / `cpu_model` /
362 /// `os_build` that operators want to track for "did the RAM
363 /// get upgraded?" / "when did Win 11 land on this PC?" /
364 /// "BIOS / firmware bumped?" questions. Field name = `field_path`
365 /// in the history row, `identity_json` is NULL, `before_json`
366 /// / `after_json` each carry `{"value": <prior or new value>}`.
367 /// First-ever observation of a scalar (no prior facts row)
368 /// emits `added`; subsequent value changes emit `changed`. No
369 /// `removed` events — a scalar disappearing from the payload
370 /// is rare and the operator can still see the last value via
371 /// the `before_json` of the most recent change.
372 #[serde(default, skip_serializing_if = "Option::is_none")]
373 pub history_scalars: Option<Vec<String>>,
374}
375
376/// Manifest sub-section (#290): marks a job as an operator-defined
377/// **health check**. Parallel to [`InventoryHint`] / `EmitConfig`.
378/// The stdout contract is a free-form JSON object (same as any
379/// inventory job) from which the agent reads `status_field` /
380/// `detail_field` to build the KLP [`crate::ipc::state::Check`] shown
381/// on the Client App's Health tab.
382///
383/// There is deliberately **no timing field** — when / how often /
384/// in which window a check runs is driven by the job's Schedule,
385/// exactly like inventory jobs, so operators get the full `when:` /
386/// rollout / `runs_on` expressiveness for free.
387///
388/// A check's stdout is a **free-form inventory object** (arbitrary
389/// key/value pairs + arrays) — same as any inventory job — that also
390/// carries a status field. `check:` adds only the health semantics on
391/// top: which field is the ok/warn/fail/unknown status, an optional
392/// one-line summary field, and a remediation job. Everything else
393/// (rich per-PC detail, `explode` sub-tables like a software list) is
394/// driven by a co-present [`InventoryHint`] and rendered with the
395/// SAME display logic the SPA Inventory page uses — on the Client App
396/// too. This keeps checks maximally expressive without a bespoke
397/// payload type.
398#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
399pub struct CheckHint {
400 /// Stable check id → [`Check.name`](crate::ipc::state::Check),
401 /// the SPA/Client React key + analytics label. Unique within the
402 /// fleet's check set. Machine-friendly slug (`disk_space`,
403 /// `defender_rtp`); for the human-facing row title see [`label`].
404 ///
405 /// [`label`]: CheckHint::label
406 pub name: String,
407 /// Optional human-facing display title →
408 /// [`Check.label`](crate::ipc::state::Check). The Client App's
409 /// Health tab and the operator SPA's Compliance page render this
410 /// instead of the [`name`](CheckHint::name) slug when set
411 /// (`"ウイルス対策のリアルタイム保護"` reads better than
412 /// `defender_rtp`). Falls back to the slug when absent, so it's
413 /// purely additive. Author it in the check's language — there's no
414 /// per-locale variant; checks are operator-defined per fleet.
415 #[serde(default, skip_serializing_if = "Option::is_none")]
416 pub label: Option<String>,
417 /// Top-level stdout field whose string value
418 /// (`ok`/`warn`/`fail`/`unknown`) becomes the Health-tab light
419 /// ([`CheckStatus`](crate::ipc::state::CheckStatus)). Defaults to
420 /// `"status"`; a missing / unparseable value → `unknown`.
421 #[serde(default = "default_status_field")]
422 pub status_field: String,
423 /// Top-level stdout field used as the Health-tab row's one-line
424 /// summary. Defaults to `"detail"`; absent in the payload → no
425 /// detail line (the rich breakdown lives in the inventory view).
426 #[serde(default = "default_detail_field")]
427 pub detail_field: String,
428 /// Optional remediation job id →
429 /// [`Check.troubleshoot`](crate::ipc::state::Check). The Client
430 /// App shows a "修復する" button when present; that job must be
431 /// `user_invokable`.
432 #[serde(default, skip_serializing_if = "Option::is_none")]
433 pub troubleshoot: Option<String>,
434 /// #290 PR-E: when `true` (default), the backend also projects this
435 /// check's `status` / `detail` into the `check_status` table so the
436 /// operator SPA gets a fleet-wide compliance view for free — no
437 /// `inventory:` block needed. Set `fleet: false` for a client-only
438 /// check the operator doesn't want surfaced across the fleet.
439 #[serde(default = "default_true")]
440 pub fleet: bool,
441 /// When `true` (default), this check is shown on the Client App's
442 /// Health tab (the end user sees its ok/warn/fail row). Set
443 /// `health: false` for a **gate-only** check — one that exists purely
444 /// to drive a `client.show_when` display gate (e.g. `myapp-up-to-date`)
445 /// and would just be noise as a Health row. The agent still records it
446 /// into `StateSnapshot.checks` (so `show_when` can read it and the gate
447 /// keeps working); only the Client App's Health *rendering* skips it,
448 /// via the [`Check.health_hidden`](crate::ipc::state::Check::health_hidden)
449 /// wire flag. Orthogonal to [`fleet`](CheckHint::fleet): `fleet` gates
450 /// the operator SPA fleet view, `health` gates the end-user Health tab,
451 /// so a pure gate detector typically sets neither (`fleet: false` +
452 /// `health: false`) to stay invisible everywhere while still driving
453 /// the gate.
454 #[serde(default = "default_true")]
455 pub health: bool,
456 /// Optional auto-notification on a compliance transition. When set, the
457 /// backend publishes an end-user notification the moment this check
458 /// transitions *into* one of [`CheckAlert::on`] (e.g. ok → fail) — to
459 /// the failing PC's user and/or operator groups. Fired once per
460 /// transition (not on every poll). Requires `fleet: true` (the alert
461 /// rides the same projection that fills `check_status`).
462 #[serde(default, skip_serializing_if = "Option::is_none")]
463 pub alert: Option<CheckAlert>,
464}
465
466/// Auto-notification rule for a [`CheckHint`] (compliance alerting). When a
467/// check's status transitions into one of [`on`](Self::on), the backend
468/// publishes a notification to the failing PC's user
469/// ([`notify_user`](Self::notify_user)) and/or operator groups
470/// ([`notify_groups`](Self::notify_groups)). Deliberately config-driven:
471/// who gets told, how loud, and the wording all live in the manifest, not
472/// hardcoded in the backend.
473#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
474pub struct CheckAlert {
475 /// Statuses that fire the alert on *transition into* them (a check that
476 /// stays failing doesn't re-alert every poll). Defaults to `[fail]`.
477 /// `ok` is not representable — [`CheckAlertStatus`] has no `Ok` variant,
478 /// so a YAML `on: [ok]` fails to deserialize (before `validate()` is
479 /// even reached); "recovered" notifications are out of scope.
480 #[serde(default = "default_alert_on")]
481 pub on: Vec<CheckAlertStatus>,
482 /// Notify the user(s) on the failing PC (`notifications.pc.<pc_id>`).
483 #[serde(default)]
484 pub notify_user: bool,
485 /// Notify these operator groups (`notifications.group.<name>`).
486 #[serde(default, skip_serializing_if = "Vec::is_empty")]
487 pub notify_groups: Vec<String>,
488 /// Notification priority (colour/label only — toasting is the separate
489 /// `toast` flag). Defaults to `warn`.
490 #[serde(default = "default_alert_priority")]
491 pub priority: crate::ipc::notifications::NotificationPriority,
492 /// Require the recipient to click 確認 to dismiss.
493 #[serde(default)]
494 pub require_ack: bool,
495 /// Surface an OS toast (launches a closed Client App, Action Center
496 /// while locked). Recommended `true` for `notify_user` so a
497 /// non-emergency "your PC is non-compliant" nudge still reaches a user
498 /// whose app is closed.
499 #[serde(default)]
500 pub toast: bool,
501 /// Also send the alert by email, to every address mapped to the
502 /// `notify_groups` (via the `group_contacts` KV, edited on the SPA
503 /// Groups page). Opt-in: defaults to `false`, so an existing alert
504 /// never starts emailing on its own. Requires `notify_groups` to be
505 /// non-empty (there is no per-PC user email) and the backend's
506 /// `[mail]` config to be present; otherwise the email is a logged
507 /// no-op while the in-app/toast notification still fires.
508 #[serde(default)]
509 pub email: bool,
510 /// Notification title (required). May use the same `{…}` placeholders
511 /// as [`body`](Self::body).
512 pub title: String,
513 /// Notification body template. Placeholders: `{pc_id}`, `{name}` (check
514 /// slug), `{label}` (check label, falls back to slug), `{status}`,
515 /// `{detail}` (the check's one-line summary), `{last_logon}` (the PC's
516 /// last sign-in account). Absent → empty body.
517 #[serde(default, skip_serializing_if = "Option::is_none")]
518 pub body: Option<String>,
519}
520
521/// A check status that can trigger a [`CheckAlert`]. Mirrors the
522/// projected `check_status.status` values minus `ok` (alerting on `ok` is
523/// rejected at validation).
524#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
525#[serde(rename_all = "snake_case")]
526pub enum CheckAlertStatus {
527 Warn,
528 Fail,
529 Unknown,
530}
531
532impl CheckAlertStatus {
533 /// The wire string, matching the projected `check_status.status`.
534 pub fn as_str(self) -> &'static str {
535 match self {
536 Self::Warn => "warn",
537 Self::Fail => "fail",
538 Self::Unknown => "unknown",
539 }
540 }
541}
542
543fn default_alert_on() -> Vec<CheckAlertStatus> {
544 vec![CheckAlertStatus::Fail]
545}
546
547fn default_alert_priority() -> crate::ipc::notifications::NotificationPriority {
548 crate::ipc::notifications::NotificationPriority::Warn
549}
550
551fn default_status_field() -> String {
552 "status".to_string()
553}
554
555fn default_detail_field() -> String {
556 "detail".to_string()
557}
558
559fn default_files_field() -> String {
560 "files".to_string()
561}
562
563/// Fallback cap on a collect bundle's total input size when the
564/// manifest's `collect.max_size` is unset. 50 MB (decimal).
565pub const DEFAULT_COLLECT_MAX_SIZE: u64 = 50 * 1_000_000;
566
567/// Manifest sub-section (#219): marks a job as a **file collector** and
568/// carries how the collected bundle presents in the SPA. Parallel to
569/// [`InventoryHint`] / [`CheckHint`] — the block's presence is the
570/// opt-in. The script prints a single JSON object on stdout whose
571/// [`files_field`](CollectHint::files_field) key holds an array of file
572/// paths to bundle (env vars are expanded); the agent zips them and
573/// uploads to `OBJECT_COLLECTIONS`. See [`Manifest::collect`].
574#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
575pub struct CollectHint {
576 /// Operator/end-user-facing title for the collection, shown as the
577 /// bundle's heading on the SPA Collect page (and the Client App row
578 /// when paired with `client:`). Required; validated non-empty.
579 pub name: String,
580 /// Optional one-line description of what the bundle contains.
581 #[serde(default, skip_serializing_if = "Option::is_none")]
582 pub description: Option<String>,
583 /// Human-readable cap on the bundle's total input size
584 /// (`"50MB"`, `"500KB"`, `"1GiB"`). The agent refuses to build a
585 /// bundle whose listed files exceed this. `None` ⇒
586 /// [`DEFAULT_COLLECT_MAX_SIZE`]. Parsed by [`parse_size_bytes`];
587 /// [`Manifest::validate`] rejects an unparseable value at create
588 /// time.
589 ///
590 /// Note: this bounds the **uncompressed** bytes the agent reads off
591 /// disk, not the resulting zip. Text logs compress well, so the
592 /// download is usually much smaller; many tiny files add a little
593 /// per-entry zip overhead. Read it as "how much the agent reads +
594 /// packs", not "the exact download size".
595 #[serde(default, skip_serializing_if = "Option::is_none")]
596 pub max_size: Option<String>,
597 /// Top-level stdout JSON key holding the array of file paths to
598 /// bundle. Defaults to `"files"`.
599 #[serde(default = "default_files_field")]
600 pub files_field: String,
601}
602
603impl CollectHint {
604 /// The effective size cap in bytes — the parsed `max_size` or
605 /// [`DEFAULT_COLLECT_MAX_SIZE`] when unset. Assumes `max_size` (if
606 /// present) already passed [`Manifest::validate`]; falls back to the
607 /// default on a parse error rather than panicking on the fire path.
608 pub fn max_size_bytes(&self) -> u64 {
609 match &self.max_size {
610 Some(s) => parse_size_bytes(s).unwrap_or(DEFAULT_COLLECT_MAX_SIZE),
611 None => DEFAULT_COLLECT_MAX_SIZE,
612 }
613 }
614}
615
616/// Parse a human-readable byte size (`"50MB"`, `"500 KB"`, `"1GiB"`,
617/// `"1024"`). Decimal units (KB/MB/GB) are 1000-based; binary units
618/// (KiB/MiB/GiB) are 1024-based; a bare number (or `B`) is bytes.
619/// Case-insensitive. Shared by `collect.max_size` validation and the
620/// agent's bundle-size enforcement.
621pub fn parse_size_bytes(s: &str) -> Result<u64, String> {
622 let t = s.trim();
623 if t.is_empty() {
624 return Err("size must not be empty".to_string());
625 }
626 let split = t.find(|c: char| !c.is_ascii_digit()).unwrap_or(t.len());
627 let (num_str, unit_raw) = t.split_at(split);
628 if num_str.is_empty() {
629 return Err(format!("size '{s}': missing leading number"));
630 }
631 let num: u64 = num_str
632 .parse()
633 .map_err(|_| format!("size '{s}': bad number '{num_str}'"))?;
634 let mult: u64 = match unit_raw.trim().to_ascii_lowercase().as_str() {
635 "" | "b" => 1,
636 "kb" => 1_000,
637 "mb" => 1_000_000,
638 "gb" => 1_000_000_000,
639 "kib" => 1024,
640 "mib" => 1024 * 1024,
641 "gib" => 1024 * 1024 * 1024,
642 other => {
643 return Err(format!(
644 "size '{s}': unknown unit '{other}' (use B/KB/MB/GB/KiB/MiB/GiB)"
645 ));
646 }
647 };
648 num.checked_mul(mult)
649 .ok_or_else(|| format!("size '{s}': overflow"))
650}
651
652/// Manifest sub-section (#291): marks a job as **user-invokable**
653/// from the Client App and carries how it presents to the end user.
654/// Parallel to [`InventoryHint`] / [`CheckHint`] / `EmitConfig` —
655/// the block's presence is the opt-in (no separate boolean), and its
656/// required fields (`name`, `category`) are enforced by serde at
657/// parse time, so a half-filled catalog entry fails
658/// `kanade job create` instead of rendering a nameless / tab-less row.
659///
660/// The agent maps this 1:1 into the KLP
661/// [`UserInvokableJob`](crate::ipc::jobs::UserInvokableJob) wire shape
662/// that `jobs.list` returns; the Client App renders one row per job in
663/// the tab named by `category`.
664#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
665pub struct ClientHint {
666 /// End-user-facing title for the job row. The operator-internal
667 /// `Manifest::id` slug is rarely what an end user should read, so
668 /// this is required (and validated non-empty by
669 /// [`Manifest::validate`]). Maps to `UserInvokableJob::display_name`.
670 pub name: String,
671 /// Optional one-line subtitle under `name` in the Client App.
672 /// Distinct from the operator-facing top-level
673 /// [`Manifest::description`] — this one is written for the end
674 /// user. Maps to `UserInvokableJob::display_description`.
675 #[serde(default, skip_serializing_if = "Option::is_none")]
676 pub description: Option<String>,
677 /// Which Client App tab the job lives in — a **free-form category
678 /// key** (#792). The Client App renders one tab per distinct key.
679 /// Well-known keys (`software_update`, `troubleshoot`, `catalog`)
680 /// carry built-in tab labels/icons; any other key defines a new tab
681 /// (style it with `category_label` / `category_icon`). Required and
682 /// validated non-empty — without it the agent can't place the job.
683 /// Note: the `software_update` key also drives the agent's
684 /// maintenance / auto-reboot grouping.
685 pub category: String,
686 /// Optional display name for the category's TAB. Set it on (at least
687 /// one of) a custom category's jobs to name the tab; `None` ⇒ a
688 /// built-in default for a well-known key, else the key itself.
689 #[serde(default, skip_serializing_if = "Option::is_none")]
690 pub category_label: Option<String>,
691 /// Optional icon for the category's TAB (lucide name or `data:` URL).
692 /// `None` ⇒ Client App default for the key.
693 #[serde(default, skip_serializing_if = "Option::is_none")]
694 pub category_icon: Option<String>,
695 /// Optional sort order for the TAB; lower sorts first. `None` ⇒
696 /// default (well-known keys keep their familiar order; custom keys
697 /// sort after, then by label).
698 #[serde(default, skip_serializing_if = "Option::is_none")]
699 pub category_order: Option<i64>,
700 /// Optional icon hint for the job ROW — a lucide-react icon name
701 /// or a `data:` URL. `None` ⇒ the Client App falls back to the
702 /// category's icon. Surfaced verbatim in `jobs.list[].icon`.
703 #[serde(default, skip_serializing_if = "Option::is_none")]
704 pub icon: Option<String>,
705 /// Optional visibility scope for the end-user Client App (#816).
706 ///
707 /// `None` ⇒ visible to every PC (current behavior). When set, only
708 /// agents whose `pc_id` / group membership match the [`Target`] list
709 /// the job in `jobs.list` and may run it via KLP `jobs.execute`.
710 ///
711 /// This gates the END-USER surface ONLY. Operators are unaffected:
712 /// `POST /api/exec/{job_id}` (SPA / `kanade exec`) is a separate path
713 /// that never consults `client:`, so an operator can still run the
714 /// job on any PC regardless of `visible_to`. Reuses the schedule
715 /// `Target` shape (`all` / `groups` / `pcs`); a present-but-empty
716 /// target is rejected by [`Manifest::validate`].
717 #[serde(default, skip_serializing_if = "Option::is_none")]
718 pub visible_to: Option<Target>,
719 /// Optional **dynamic display gate** keyed on a health check's result.
720 ///
721 /// `None` ⇒ always listed (current behavior). When set, the agent
722 /// lists the job in `jobs.list` ONLY while the named [`check:`] slug's
723 /// latest result is one of [`ShowWhen::is`]. The canonical use is an
724 /// update action that hides itself once the machine is already current:
725 /// pair the update job with a `check:` that reports `ok` when up to
726 /// date and gate on `is: [fail]`.
727 ///
728 /// Evaluated agent-side at `jobs.list` time against the live
729 /// `StateSnapshot.checks`, which is **keyed by check name** — so the
730 /// detector `check:` and this job may live in *different* manifests and
731 /// still share one slug. Distinct from [`visible_to`](ClientHint::visible_to):
732 /// that gates BOTH listing and `jobs.execute` (an authorization
733 /// boundary); `show_when` gates listing ONLY (a UX hint), so it can't
734 /// cause a list/execute race. New field ⇒ #492 wire rule.
735 ///
736 /// [`check:`]: crate::manifest::CheckHint
737 #[serde(default, skip_serializing_if = "Option::is_none")]
738 pub show_when: Option<ShowWhen>,
739}
740
741/// Dynamic display gate for a [`ClientHint`] — see
742/// [`ClientHint::show_when`]. Shows the job only while the named check's
743/// latest status is one of [`is`](ShowWhen::is).
744#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
745pub struct ShowWhen {
746 /// The `check:` slug (a [`CheckHint::name`](crate::manifest::CheckHint::name))
747 /// whose latest status gates this job. May be defined by a *different*
748 /// manifest: checks are keyed by name in the agent's snapshot, so a
749 /// standalone detector job and this one can share a slug. A check that
750 /// has never run (absent from the snapshot) does NOT match — the job
751 /// stays hidden until the detector first reports (fails closed, like
752 /// `visible_to`).
753 pub check: String,
754 /// The check status(es) in which the job is SHOWN. Accepts a single
755 /// status (`is: fail`) or a list (`is: [fail, unknown]`); both
756 /// deserialize to a `Vec`. The `length(min = 1)` schema constraint +
757 /// [`Manifest::validate`] both reject an empty set (it would match
758 /// nothing and silently hide the job) so schema-driven tooling and the
759 /// write path agree.
760 #[serde(deserialize_with = "de_one_or_many_check_status")]
761 #[schemars(length(min = 1))]
762 pub is: Vec<crate::ipc::state::CheckStatus>,
763}
764
765/// Accept either a single `CheckStatus` (`is: fail`) or a sequence
766/// (`is: [fail, unknown]`) for [`ShowWhen::is`], normalising to a `Vec`.
767/// The scalar form is purely author ergonomics; the JSON schema advertises
768/// the canonical array form (`#[schemars(with = ...)]`).
769fn de_one_or_many_check_status<'de, D>(
770 d: D,
771) -> Result<Vec<crate::ipc::state::CheckStatus>, D::Error>
772where
773 D: serde::Deserializer<'de>,
774{
775 use crate::ipc::state::CheckStatus;
776 #[derive(Deserialize)]
777 #[serde(untagged)]
778 enum OneOrMany {
779 One(CheckStatus),
780 Many(Vec<CheckStatus>),
781 }
782 Ok(match OneOrMany::deserialize(d)? {
783 OneOrMany::One(c) => vec![c],
784 OneOrMany::Many(v) => v,
785 })
786}
787
788/// #720 — one widget on the SPA **Analytics** page: a declarative
789/// aggregation over the `obs_events` table. The backend reads these off
790/// `Manifest::aggregate` (from `BUCKET_JOBS`) at query time and builds
791/// the `json_extract` GROUP BY / time-bucket SQL from these generic
792/// primitives, so an operator can chart any emitted event without a Rust
793/// change. The reference shapes are the attendance dashboards
794/// (presence / app_sample / web_visit), but the same DSL covers logon /
795/// reboot / agent-health trends, etc.
796#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
797pub struct AggregateWidget {
798 /// Tab this widget lives under on the Analytics page. Widgets from
799 /// every job are collected and grouped by this label, so the same
800 /// string across jobs builds one multi-source dashboard. Required.
801 pub dashboard: String,
802 /// Widget heading. Required, validated non-empty.
803 pub title: String,
804 /// Optional one-line subtitle shown muted under the `title` on the
805 /// Analytics page — room for a unit, a caveat, or what the number
806 /// means ("samples × 2 min", "Security 4624 only"). Rejected if
807 /// present-but-blank.
808 #[serde(default, skip_serializing_if = "Option::is_none")]
809 pub description: Option<String>,
810 /// Optional sort weight (#743). Once the order-aware sort lands (PR2)
811 /// widgets render in `(order, dashboard, title)` order, so a lower
812 /// `order` pulls a widget — and its tab — earlier; equal/absent `order`
813 /// falls back to the alphabetical `(dashboard, title)` ordering. Treated
814 /// as `0` when unset, so a fleet with no `order` anywhere stays purely
815 /// alphabetical (today's behaviour); negatives are allowed to pin
816 /// something first. (This field only carries the value; the backend
817 /// applies it.)
818 #[serde(default, skip_serializing_if = "Option::is_none")]
819 pub order: Option<i32>,
820 /// `pc` rolls up a single selected PC; `fleet` rolls up all PCs
821 /// (and unlocks `group_by: pc_id` to rank PCs against each other).
822 /// Defaults to `pc`.
823 #[serde(default)]
824 pub scope: AggregateScope,
825 /// `obs_events.kind` this widget reads (e.g. `app_sample`,
826 /// `presence`, `unexpected_shutdown`). Required for every aggregation
827 /// render (`bar`/`gauge`/`timeline`/`stat`); rejected for
828 /// `op_timeline`, which reconstructs a fixed multi-kind operational
829 /// swimlane (power/session/sleep) baked into the SPA and so reads no
830 /// single `kind`.
831 #[serde(default, skip_serializing_if = "Option::is_none")]
832 pub kind: Option<String>,
833 /// Optional `obs_events.source` filter, when one `kind` is emitted by
834 /// more than one collector.
835 #[serde(default, skip_serializing_if = "Option::is_none")]
836 pub source: Option<String>,
837 /// How to roll the matching events up. See [`AggregateAgg`]. Required
838 /// for every aggregation render; rejected for `op_timeline` (which
839 /// performs no rollup — it returns the raw operational events and the
840 /// SPA folds them into lane spans).
841 #[serde(default, skip_serializing_if = "Option::is_none")]
842 pub agg: Option<AggregateAgg>,
843 /// Dotted JSON path (no `$.` prefix) to group by for `agg: count` /
844 /// `sum` — e.g. `foreground.app`. The literal `pc_id` is special:
845 /// it groups by the `pc_id` column (fleet ranking), not a payload
846 /// field. Omit for a single total. Required when `agg: sum` needs a
847 /// breakdown; for `agg: count` omitting it yields the grand total.
848 #[serde(default, skip_serializing_if = "Option::is_none")]
849 pub group_by: Option<String>,
850 /// Dotted JSON path to a boolean for `agg: ratio` (e.g. `active`):
851 /// the widget reports `true_count / total`. Required when `agg: ratio`.
852 #[serde(default, skip_serializing_if = "Option::is_none")]
853 pub bool_path: Option<String>,
854 /// Dotted JSON path to a number for `agg: sum`. Required when `agg: sum`.
855 #[serde(default, skip_serializing_if = "Option::is_none")]
856 pub value_path: Option<String>,
857 /// Optional value transform applied before grouping. Currently only
858 /// `host` (parse a URL down to its host) — used by the top-sites
859 /// widget, where SQLite can't parse a URL so the backend does it in
860 /// Rust. See [`AggregateTransform`].
861 #[serde(default, skip_serializing_if = "Option::is_none")]
862 pub transform: Option<AggregateTransform>,
863 /// Optional sampling cadence in minutes. When set, a `count` is also
864 /// reported as estimated time (`count × sample_minutes`) — e.g. a
865 /// 2-minute app sampler turns 11 samples into ~22 minutes. Must be ≥ 1.
866 #[serde(default, skip_serializing_if = "Option::is_none")]
867 #[schemars(range(min = 1))]
868 pub sample_minutes: Option<u32>,
869 /// Grouped values to drop from the rollup (e.g. `["LockApp"]` so the
870 /// lock screen doesn't top the app ranking). Empty by default.
871 #[serde(default, skip_serializing_if = "Vec::is_empty")]
872 pub exclude: Vec<String>,
873 /// Optional time bucketing — `hour` buckets events by local
874 /// hour-of-day for a `timeline` render. See [`AggregateTimeBucket`].
875 #[serde(default, skip_serializing_if = "Option::is_none")]
876 pub time_bucket: Option<AggregateTimeBucket>,
877 /// Top-N cap for grouped renders (`bar`). Defaults to 10 when unset.
878 #[serde(default, skip_serializing_if = "Option::is_none")]
879 #[schemars(range(min = 1))]
880 pub limit: Option<u32>,
881 /// Which widget the SPA draws. See [`AggregateRender`].
882 pub render: AggregateRender,
883}
884
885/// Per-PC vs fleet-wide rollup for an [`AggregateWidget`].
886#[derive(
887 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
888)]
889#[serde(rename_all = "lowercase")]
890#[non_exhaustive]
891pub enum AggregateScope {
892 /// Roll up the single PC the operator selected. The default.
893 #[default]
894 Pc,
895 /// Roll up across every PC. Unlocks `group_by: pc_id`.
896 Fleet,
897 /// #492 forward-compat catch-all — a Manifest is read fleet-wide, so
898 /// an older reader must tolerate a future variant rather than failing
899 /// to decode the whole job. The backend skips an `Unknown` widget.
900 #[serde(other)]
901 Unknown,
902}
903
904/// The rollup function for an [`AggregateWidget`].
905#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
906#[serde(rename_all = "lowercase")]
907#[non_exhaustive]
908pub enum AggregateAgg {
909 /// Row count, optionally grouped (`group_by`) and time-estimated
910 /// (`sample_minutes`).
911 Count,
912 /// `true_count / total` over `bool_path`.
913 Ratio,
914 /// Sum of `value_path`, optionally grouped.
915 Sum,
916 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
917 #[serde(other)]
918 Unknown,
919}
920
921/// Optional pre-grouping value transform for an [`AggregateWidget`].
922#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
923#[serde(rename_all = "lowercase")]
924#[non_exhaustive]
925pub enum AggregateTransform {
926 /// Parse the grouped value as a URL and keep only its host.
927 Host,
928 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
929 #[serde(other)]
930 Unknown,
931}
932
933/// Time bucketing for an [`AggregateWidget`] (drives a `timeline`).
934#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
935#[serde(rename_all = "lowercase")]
936#[non_exhaustive]
937pub enum AggregateTimeBucket {
938 /// Bucket by local hour-of-day (0–23), summed over the window.
939 Hour,
940 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
941 #[serde(other)]
942 Unknown,
943}
944
945/// Which visual the SPA renders an [`AggregateWidget`] as.
946#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
947#[serde(rename_all = "lowercase")]
948#[non_exhaustive]
949pub enum AggregateRender {
950 /// Ranked horizontal bars (a grouped `count` / `sum`).
951 Bar,
952 /// A single ratio dial (`agg: ratio`).
953 Gauge,
954 /// 24-hour activity strip (`time_bucket: hour`).
955 Timeline,
956 /// A single headline number (an ungrouped total).
957 Stat,
958 /// Per-PC operational swimlane (power / session / sleep) reconstructed
959 /// from a fixed multi-kind event set. Unlike the aggregation renders it
960 /// reads no single `kind`/`agg`: the backend returns the raw events in
961 /// the window and the SPA folds them into lane spans (shared with the
962 /// Events page strip). Per-PC only (`scope: pc`).
963 #[serde(rename = "op_timeline")]
964 OpTimeline,
965 /// #492 forward-compat catch-all (see [`AggregateScope::Unknown`]).
966 #[serde(other)]
967 Unknown,
968}
969
970/// True if `p` is a well-formed dotted JSON path of `[A-Za-z0-9_]`
971/// segments joined by single dots — the shape safe to bind into
972/// `json_extract(payload, '$.' || ?)`. The charset blocks injection; the
973/// segment check additionally rejects `"."`, `".foo"`, `"foo."`,
974/// `"foo..bar"`, which would pass the charset but produce a malformed
975/// `$.` path that errors at query time. Accepts `pc_id`, `foreground.app`,
976/// `active`, etc.
977fn is_valid_json_path(p: &str) -> bool {
978 !p.is_empty()
979 && p.split('.').all(|seg| {
980 !seg.is_empty() && seg.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')
981 })
982}
983
984/// Per-widget validation for a list of [`AggregateWidget`]s — shared by
985/// the `aggregate:` job hint ([`Manifest::validate`]) and the standalone
986/// [`View`] resource (#743) so the two can't diverge. `field` names the
987/// containing key for error messages (`"aggregate"` or `"widgets"`).
988///
989/// Enforces: non-empty list; non-empty dashboard/title (and `kind`/`agg`
990/// for every aggregation render); a blank-when-set `source`; rejection of
991/// any #492 `Unknown` enum (an operator typo at create time); safe dotted
992/// JSON paths; the value path each `agg` needs (and rejection of mis-paired
993/// ones); `pc_id` grouping only in `fleet` scope; `transform`/`limit`/
994/// `exclude` only with a `group_by`; positive `limit`/`sample_minutes`;
995/// `gauge`⇔`ratio`; and `timeline`⇔`time_bucket`. A `render: op_timeline`
996/// widget is validated separately (per-PC, no aggregation knobs) — see
997/// [`validate_op_timeline_widget`].
998pub fn validate_aggregate_widgets(widgets: &[AggregateWidget], field: &str) -> Result<(), String> {
999 if widgets.is_empty() {
1000 return Err(format!(
1001 "`{field}:` must list at least one widget when present"
1002 ));
1003 }
1004 for (i, w) in widgets.iter().enumerate() {
1005 let at = format!("{field}[{i}]");
1006 for (label, value) in [("dashboard", &w.dashboard), ("title", &w.title)] {
1007 if value.trim().is_empty() {
1008 return Err(format!("{at}.{label} must not be empty"));
1009 }
1010 }
1011 // A present-but-blank `description` renders an empty muted line —
1012 // reject it so the subtitle only shows when it says something.
1013 if let Some(description) = &w.description {
1014 if description.trim().is_empty() {
1015 return Err(format!("{at}.description must not be empty when set"));
1016 }
1017 }
1018 // Reject values that fell through to the #492 `Unknown` catch-all:
1019 // at create time on the current version that's an operator typo. (A
1020 // genuinely-future variant only reaches an older reader via a stored
1021 // resource, which is never re-validated, so forward-compat holds.)
1022 if w.scope == AggregateScope::Unknown {
1023 return Err(format!("{at}.scope is not a known value (pc | fleet)"));
1024 }
1025 if w.render == AggregateRender::Unknown {
1026 return Err(format!(
1027 "{at}.render is not a known value (bar | gauge | timeline | stat | op_timeline)"
1028 ));
1029 }
1030 // `op_timeline` reconstructs a fixed per-PC operational swimlane
1031 // (power/session/sleep) from a baked-in multi-kind set — it uses none
1032 // of the aggregation knobs, so validate it on its own terms (per-PC,
1033 // no `kind`/`agg`/grouping) and skip the rollup rules below.
1034 if w.render == AggregateRender::OpTimeline {
1035 validate_op_timeline_widget(w, &at)?;
1036 continue;
1037 }
1038 // Every other render is an aggregation over a single `kind`.
1039 if w.kind.as_deref().map(str::trim).unwrap_or("").is_empty() {
1040 return Err(format!("{at}.kind must not be empty"));
1041 }
1042 let agg = match w.agg {
1043 Some(AggregateAgg::Unknown) => {
1044 return Err(format!(
1045 "{at}.agg is not a known value (count | ratio | sum)"
1046 ));
1047 }
1048 Some(agg) => agg,
1049 None => return Err(format!("{at}.agg is required")),
1050 };
1051 // A present-but-blank `source` is a no-op filter — reject like the
1052 // other blank-when-set guards.
1053 if let Some(source) = &w.source {
1054 if source.trim().is_empty() {
1055 return Err(format!("{at}.source must not be empty when set"));
1056 }
1057 }
1058 if w.transform == Some(AggregateTransform::Unknown) {
1059 return Err(format!("{at}.transform is not a known value (host)"));
1060 }
1061 if w.time_bucket == Some(AggregateTimeBucket::Unknown) {
1062 return Err(format!("{at}.time_bucket is not a known value (hour)"));
1063 }
1064 for (label, path) in [
1065 ("group_by", &w.group_by),
1066 ("bool_path", &w.bool_path),
1067 ("value_path", &w.value_path),
1068 ] {
1069 if let Some(p) = path {
1070 if !is_valid_json_path(p) {
1071 return Err(format!(
1072 "{at}.{label} '{p}' must be a dotted JSON path of [A-Za-z0-9_] segments"
1073 ));
1074 }
1075 }
1076 }
1077 // Each agg uses exactly one value path; reject a mis-paired path so
1078 // a typo fails at create rather than being ignored.
1079 match agg {
1080 // count: grouped → ranking, ungrouped → grand total.
1081 AggregateAgg::Count => {
1082 for (label, path) in [("bool_path", &w.bool_path), ("value_path", &w.value_path)] {
1083 if path.is_some() {
1084 return Err(format!("{at}.agg=count does not use `{label}`"));
1085 }
1086 }
1087 }
1088 AggregateAgg::Ratio => {
1089 if w.bool_path.is_none() {
1090 return Err(format!("{at}.agg=ratio requires `bool_path`"));
1091 }
1092 if w.value_path.is_some() {
1093 return Err(format!("{at}.agg=ratio does not use `value_path`"));
1094 }
1095 }
1096 AggregateAgg::Sum => {
1097 if w.value_path.is_none() {
1098 return Err(format!("{at}.agg=sum requires `value_path`"));
1099 }
1100 if w.bool_path.is_some() {
1101 return Err(format!("{at}.agg=sum does not use `bool_path`"));
1102 }
1103 }
1104 // Rejected above; arm exists only for exhaustiveness.
1105 AggregateAgg::Unknown => {}
1106 }
1107 // Ranking PCs against each other only means something across the
1108 // fleet — within one PC it's a single bar.
1109 if w.group_by.as_deref() == Some("pc_id") && w.scope != AggregateScope::Fleet {
1110 return Err(format!(
1111 "{at}.group_by: pc_id is only valid with scope: fleet"
1112 ));
1113 }
1114 // `transform` rewrites the grouped PAYLOAD value (URL→host); it's
1115 // meaningless on a `pc_id` grouping (the pc_id column, not a payload
1116 // field), so reject the combo at create time.
1117 if w.transform.is_some() && w.group_by.as_deref() == Some("pc_id") {
1118 return Err(format!("{at}.transform is not valid with group_by: pc_id"));
1119 }
1120 // limit / transform / exclude all operate on grouped values, so
1121 // without a `group_by` they're silent no-ops — reject.
1122 if w.group_by.is_none() {
1123 if w.limit.is_some() {
1124 return Err(format!("{at}.limit requires `group_by`"));
1125 }
1126 if w.transform.is_some() {
1127 return Err(format!("{at}.transform requires `group_by`"));
1128 }
1129 if !w.exclude.is_empty() {
1130 return Err(format!("{at}.exclude requires `group_by`"));
1131 }
1132 }
1133 if w.limit == Some(0) {
1134 return Err(format!("{at}.limit must be > 0"));
1135 }
1136 if w.sample_minutes == Some(0) {
1137 return Err(format!("{at}.sample_minutes must be > 0"));
1138 }
1139 for ex in &w.exclude {
1140 if ex.trim().is_empty() {
1141 return Err(format!("{at}.exclude must not contain empty entries"));
1142 }
1143 }
1144 // A gauge draws a single ratio dial — only meaningful for agg: ratio.
1145 if w.render == AggregateRender::Gauge && agg != AggregateAgg::Ratio {
1146 return Err(format!("{at}.render=gauge is only valid with agg: ratio"));
1147 }
1148 // A timeline needs a bucket; a bucket on any other render is a no-op
1149 // that signals operator confusion — reject both.
1150 match (w.render, &w.time_bucket) {
1151 (AggregateRender::Timeline, None) => {
1152 return Err(format!("{at}.render=timeline requires `time_bucket`"));
1153 }
1154 (r, Some(_)) if r != AggregateRender::Timeline => {
1155 return Err(format!(
1156 "{at}.time_bucket is only valid with render: timeline"
1157 ));
1158 }
1159 _ => {}
1160 }
1161 }
1162 Ok(())
1163}
1164
1165/// Validate a `render: op_timeline` widget. It draws a fixed per-PC
1166/// operational swimlane (power / session / sleep) reconstructed by the SPA
1167/// from a baked-in multi-kind event set, so it uses none of the aggregation
1168/// knobs: require `scope: pc` and reject every field that only makes sense
1169/// for a rollup (`kind`/`source`/`agg`/`group_by`/`bool_path`/`value_path`/
1170/// `transform`/`sample_minutes`/`exclude`/`time_bucket`/`limit`). Rejecting
1171/// the unused fields (rather than ignoring them) keeps an operator typo from
1172/// silently doing nothing, matching the rest of this validator.
1173fn validate_op_timeline_widget(w: &AggregateWidget, at: &str) -> Result<(), String> {
1174 // Per-PC only: a fleet-wide swimlane of every PC's spans is unbounded
1175 // and unreadable, and the backend only computes it in per-PC scope.
1176 if w.scope != AggregateScope::Pc {
1177 return Err(format!("{at}.render=op_timeline requires scope: pc"));
1178 }
1179 // Each unused field, with the name the operator wrote, so the error
1180 // points at exactly what to delete.
1181 if w.kind.is_some() {
1182 return Err(format!("{at}.render=op_timeline does not use `kind`"));
1183 }
1184 if w.source.is_some() {
1185 return Err(format!("{at}.render=op_timeline does not use `source`"));
1186 }
1187 if w.agg.is_some() {
1188 return Err(format!("{at}.render=op_timeline does not use `agg`"));
1189 }
1190 for (label, set) in [
1191 ("group_by", w.group_by.is_some()),
1192 ("bool_path", w.bool_path.is_some()),
1193 ("value_path", w.value_path.is_some()),
1194 ("transform", w.transform.is_some()),
1195 ("sample_minutes", w.sample_minutes.is_some()),
1196 ("time_bucket", w.time_bucket.is_some()),
1197 ("limit", w.limit.is_some()),
1198 ("exclude", !w.exclude.is_empty()),
1199 ] {
1200 if set {
1201 return Err(format!("{at}.render=op_timeline does not use `{label}`"));
1202 }
1203 }
1204 Ok(())
1205}
1206
1207/// A standalone declarative read/aggregation for the Analytics page (#743).
1208///
1209/// A **view** aggregates stored fleet data (`obs_events`, …) without an
1210/// `execute` or a schedule — unlike a [`Manifest`] it only declares
1211/// [`AggregateWidget`]s. (The first line is concise on purpose: `schemars`
1212/// uses it as the generated schema's `title`.) The backend reads views from
1213/// `BUCKET_VIEWS` at
1214/// query time and merges their widgets with the co-located `aggregate:`
1215/// hints on jobs, so a cross-cutting dashboard (one that charts events
1216/// emitted by several other jobs / the agent) has a home that doesn't need
1217/// a noop job carrier. Stored JSON in `BUCKET_VIEWS`, keyed by `id`.
1218#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1219pub struct View {
1220 /// Stable identifier (the KV key). Required, validated non-empty.
1221 pub id: String,
1222 /// Optional human description shown on the Views admin page.
1223 #[serde(default, skip_serializing_if = "Option::is_none")]
1224 pub description: Option<String>,
1225 /// The widgets this view contributes to the Analytics page.
1226 pub widgets: Vec<AggregateWidget>,
1227 /// Free-form operator taxonomy (same role as [`Manifest::tags`]).
1228 #[serde(default, skip_serializing_if = "Vec::is_empty")]
1229 pub tags: Vec<String>,
1230 /// GitOps provenance (#678), stamped by `kanade view create` from the
1231 /// source YAML's Git context — same as [`Manifest::origin`].
1232 #[serde(default, skip_serializing_if = "Option::is_none")]
1233 pub origin: Option<RepoOrigin>,
1234}
1235
1236/// True if `id` is a safe resource identifier — non-empty and only
1237/// `[A-Za-z0-9._-]`. A view `id` becomes a NATS KV key *and* a URL path
1238/// segment (`/api/views/{id}`), so this blocks `/`, `..`, whitespace and
1239/// other characters that would break the KV key or let a CLI arg wander
1240/// the URL space. (#743 / #744 follow-up — a deliberately small charset
1241/// rather than the looser set NATS technically allows.)
1242pub fn is_valid_resource_id(id: &str) -> bool {
1243 !id.is_empty()
1244 && id
1245 .chars()
1246 .all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_' || c == '-')
1247}
1248
1249impl View {
1250 pub fn validate(&self) -> Result<(), String> {
1251 if !is_valid_resource_id(self.id.trim()) {
1252 return Err(
1253 "view.id must be non-empty and only [A-Za-z0-9._-] (it's a KV key + URL segment)"
1254 .to_string(),
1255 );
1256 }
1257 validate_aggregate_widgets(&self.widgets, "widgets")?;
1258 for tag in &self.tags {
1259 if tag.trim().is_empty() {
1260 return Err("tags must not contain empty entries".to_string());
1261 }
1262 }
1263 Ok(())
1264 }
1265}
1266
1267/// Issue #246 — `emit:` manifest block for jobs whose stdout is
1268/// NDJSON observability events (one `ObsEvent` per line). Parallel
1269/// to `inventory:` but for the append-only timeline pipeline; see
1270/// `Manifest::emit` for the full contract.
1271#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1272pub struct EmitConfig {
1273 /// What kind of payload the agent should expect on stdout. Only
1274 /// `events` is defined today (parses each non-empty line as
1275 /// `ObsEvent` and publishes on `obs.<pc_id>`); future variants
1276 /// (e.g. metrics streams, structured trace events) plug in here.
1277 #[serde(rename = "type")]
1278 pub kind: EmitKind,
1279 /// Operator hint for where the script keeps its own state — the
1280 /// watermark file the PowerShell / sh body reads + writes
1281 /// between runs so it only emits NEW events since the last
1282 /// poll. The agent doesn't read this; it's documentation that
1283 /// the SPA (and `kanade job edit`) can surface to operators
1284 /// reviewing the manifest. Optional; the script is allowed to
1285 /// keep state anywhere (registry, env, etc.) — the field's
1286 /// presence makes the convention discoverable.
1287 #[serde(default, skip_serializing_if = "Option::is_none")]
1288 pub watermark_path: Option<String>,
1289}
1290
1291/// `emit.type` enum. Lowercase serde so manifests read
1292/// `type: events` rather than `Events`.
1293#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1294#[serde(rename_all = "lowercase")]
1295pub enum EmitKind {
1296 /// Per-line `ObsEvent` JSON. Agent parses + publishes on
1297 /// `obs.<pc_id>`, drops the stdout from the resulting
1298 /// `ExecResult`.
1299 Events,
1300}
1301
1302/// v0.31 / #40: declarative "flatten this JSON array into a real
1303/// SQLite table" spec on an inventory manifest. The projector
1304/// creates the table on first registration (CREATE TABLE IF NOT
1305/// EXISTS + indexes) and writes a row per element of
1306/// `payload[field]` on every result, scoped by (pc_id, job_id) so
1307/// each PC's rows replace cleanly without a per-PC schema.
1308#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1309pub struct ExplodeSpec {
1310 /// JSON array key under the payload to explode. E.g. `"apps"`
1311 /// for `payload: { apps: [{...}, {...}] }`.
1312 pub field: String,
1313 /// Derived SQLite table name. Operators choose this — pick
1314 /// something namespaced + stable (`inventory_sw_apps`, not
1315 /// `apps`) so multiple inventory manifests don't collide on a
1316 /// generic name.
1317 pub table: String,
1318 /// Element-level fields that uniquely identify a row inside one
1319 /// PC's payload. The full PK is `(pc_id, job_id) + these
1320 /// columns`. Required — operators must think about uniqueness
1321 /// (e.g. `["name", "source"]` for installed apps because the
1322 /// same name appears in multiple uninstall hives).
1323 ///
1324 /// v0.31 / #41: same tuple drives history identity. When
1325 /// `track_history` is on, the projector serialises these
1326 /// fields' values into `inventory_history.identity_json` for
1327 /// every change event, so queries like "every PC that ever
1328 /// installed Chrome (any source)" filter on identity_json
1329 /// content without a per-manifest schema.
1330 pub primary_key: Vec<String>,
1331 /// Per-element fields that become columns in the derived table.
1332 pub columns: Vec<ExplodeColumn>,
1333 /// v0.31 / #41: when true (default false), the projector
1334 /// diffs each PC's incoming payload against the prior rows
1335 /// for the same (pc_id, job_id) BEFORE the DELETE-then-INSERT
1336 /// replace, and writes added / removed / changed events into
1337 /// `inventory_history`. Lets operators answer time-dimension
1338 /// questions ("when did Chrome 120 first appear on PC X?",
1339 /// "what's the Win 11 23H2 rollout curve") without storing
1340 /// per-scan snapshots. Off by default so operators opt in
1341 /// per-spec — history has a real storage cost on long-lived
1342 /// deployments (mitigated by the 90-day default retention
1343 /// sweeper, see `cleanup` module).
1344 #[serde(default)]
1345 pub track_history: bool,
1346}
1347
1348/// One column in an [`ExplodeSpec`]'s derived table.
1349#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1350pub struct ExplodeColumn {
1351 /// JSON key under each array element. Becomes the column name
1352 /// in the derived SQLite table — we don't rename.
1353 pub field: String,
1354 /// SQLite affinity: `"text"` (default), `"integer"`, `"real"`.
1355 /// Storage maps directly via `sqlx::query.bind(...)`; type
1356 /// mismatches at INSERT-time fail loudly rather than silently
1357 /// dropping the row.
1358 #[serde(default, skip_serializing_if = "Option::is_none")]
1359 #[serde(rename = "type")]
1360 pub kind: Option<String>,
1361 /// When true, the projector creates a `CREATE INDEX` on this
1362 /// column at table-creation time. Boost for the common-filter
1363 /// columns (`name`, `version`) — operators mark them
1364 /// explicitly, the projector won't guess.
1365 #[serde(default)]
1366 pub index: bool,
1367}
1368
1369#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1370pub struct DisplayField {
1371 /// Top-level key in the stdout JSON.
1372 pub field: String,
1373 /// Human-readable column header.
1374 pub label: String,
1375 /// Optional render hint — `"number"`, `"bytes"`, `"timestamp"`,
1376 /// or `"table"` (#39). Defaults to plain text rendering on the
1377 /// SPA side. `"table"` expects the field's value to be a JSON
1378 /// array of objects and renders a nested sub-table on the
1379 /// per-PC detail page using `columns` as the schema; the fleet
1380 /// summary view falls back to showing the row count for
1381 /// `"table"` cells so the wide list stays compact.
1382 #[serde(default, skip_serializing_if = "Option::is_none")]
1383 #[serde(rename = "type")]
1384 pub kind: Option<String>,
1385 /// v0.30 / #39: when `kind == "table"`, the SPA renders the
1386 /// field's value (an array of objects like
1387 /// `disks: [{ device_id, size_bytes, ... }]`) as a nested
1388 /// sub-table using these columns. Each column is itself a
1389 /// `DisplayField`, so the nested cells reuse the same render
1390 /// hints (`bytes`, `number`, `timestamp`) — no parallel format
1391 /// pipeline. Ignored for any other `kind`.
1392 #[serde(default, skip_serializing_if = "Option::is_none")]
1393 pub columns: Option<Vec<DisplayField>>,
1394}
1395
1396#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1397pub struct Rollout {
1398 #[serde(default)]
1399 pub strategy: RolloutStrategy,
1400 pub waves: Vec<Wave>,
1401}
1402
1403#[derive(
1404 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
1405)]
1406#[serde(rename_all = "lowercase")]
1407pub enum RolloutStrategy {
1408 #[default]
1409 Wave,
1410}
1411
1412#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1413pub struct Wave {
1414 pub group: String,
1415 /// humantime delay measured from the deploy's publish time. wave[0]
1416 /// typically has "0s"; subsequent waves use minutes / hours.
1417 pub delay: String,
1418}
1419
1420#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default)]
1421pub struct Target {
1422 #[serde(default)]
1423 pub groups: Vec<String>,
1424 #[serde(default)]
1425 pub pcs: Vec<String>,
1426 #[serde(default)]
1427 pub all: bool,
1428}
1429
1430impl Target {
1431 /// At least one of all / groups / pcs is set.
1432 pub fn is_specified(&self) -> bool {
1433 self.all || !self.groups.is_empty() || !self.pcs.is_empty()
1434 }
1435
1436 /// Whether a PC (its `pc_id` + group membership) falls in this target:
1437 /// `all`, or the pc is listed, or it belongs to a listed group. Used
1438 /// by the agent to scope `client.visible_to` (#816). An unspecified
1439 /// target matches nobody (callers should treat "no target" as
1440 /// "visible to all" before calling this).
1441 pub fn matches(&self, pc_id: &str, groups: &[String]) -> bool {
1442 self.all
1443 || self.pcs.iter().any(|p| p == pc_id)
1444 || self.groups.iter().any(|g| groups.contains(g))
1445 }
1446}
1447
1448#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1449pub struct Execute {
1450 pub shell: ExecuteShell,
1451 /// Inline script body. Mutually exclusive with [`script_file`]
1452 /// and [`script_object`]; exactly one of the three must be set
1453 /// (enforced by [`Execute::validate_script_source`] at the
1454 /// write-side parse boundaries — `kanade job create` and
1455 /// `POST /api/jobs`).
1456 ///
1457 /// Empty string is treated as **unset** so operators can swap
1458 /// to a `script_file:` / `script_object:` alternative just by
1459 /// commenting out the body, without having to also drop the
1460 /// `script:` key entirely.
1461 ///
1462 /// [`script_file`]: Self::script_file
1463 /// [`script_object`]: Self::script_object
1464 #[serde(default, skip_serializing_if = "Option::is_none")]
1465 pub script: Option<String>,
1466 /// Repo-local file path resolved by the operator-side CLI at
1467 /// `kanade job create` time. The CLI reads the file, slots its
1468 /// contents into `script`, and clears this field before
1469 /// POSTing — so the backend / agents never see `script_file`
1470 /// in stored manifests. SPEC §2.4.1.
1471 ///
1472 /// Resolver lands in a follow-up PR
1473 /// (yukimemi/kanade#210); today this field passes parse-time
1474 /// validation but the operator-side CLI bails with "not yet
1475 /// implemented" until the resolver ships, so manifests that
1476 /// reach the backend with `script_file` set are treated as a
1477 /// schema-bug.
1478 #[serde(default, skip_serializing_if = "Option::is_none")]
1479 pub script_file: Option<String>,
1480 /// Object Store reference (`<name>/<version>`) into the
1481 /// `scripts` bucket (`OBJECT_SCRIPTS`). Agents fetch the body
1482 /// at Execute time via `/api/script-objects/{name}/{version}`
1483 /// and cache it locally. SPEC §2.4.1.
1484 ///
1485 /// Fully wired (#210/#211): the backend resolves the digest at
1486 /// exec submission (`api::exec::resolve_script_source`), the agent
1487 /// fetches + sha-verifies + caches the body (`script_cache`), and
1488 /// `kanade script` CRUDs the store. Unlike `script_file:` (inlined
1489 /// CLI-side, git-managed), this keeps the body in versioned,
1490 /// digest-pinned object storage — the ops-managed counterpart.
1491 #[serde(default, skip_serializing_if = "Option::is_none")]
1492 pub script_object: Option<String>,
1493 /// humantime duration string (e.g. "30s", "10m"). Script-intrinsic
1494 /// — represents how long this script reasonably takes to run.
1495 pub timeout: String,
1496 /// Token + session combination the agent uses to launch the
1497 /// script (v0.21). Default = [`RunAs::System`] (Session 0,
1498 /// LocalSystem privileges, no GUI) — matches pre-v0.21 behavior.
1499 #[serde(default)]
1500 pub run_as: RunAs,
1501 /// Working directory for the spawned child (v0.21.1). When
1502 /// unset, the child inherits the agent's cwd — on Windows that
1503 /// means `%SystemRoot%\System32` for the prod service, which is
1504 /// almost never what operators actually want. Use an absolute
1505 /// path; relative paths are passed through to the OS verbatim.
1506 /// `%PROGRAMDATA%` works for `run_as: system`; for `run_as: user`
1507 /// you'd want `%USERPROFILE%` (but expansion happens in the
1508 /// shell, so write `$env:USERPROFILE` for PowerShell, or set
1509 /// it via teravars before `kanade job create`).
1510 #[serde(default, skip_serializing_if = "Option::is_none")]
1511 pub cwd: Option<String>,
1512}
1513
1514impl Execute {
1515 /// Treat an empty `script:` body as "intentionally unset". Operators
1516 /// commenting out a block-scalar tend to leave the key behind, and
1517 /// failing the validator on `script: ""` would surprise them.
1518 fn has_inline_script(&self) -> bool {
1519 matches!(&self.script, Some(s) if !s.is_empty())
1520 }
1521
1522 /// Enforce that exactly one of `script` / `script_file` /
1523 /// `script_object` is set. Called at the write-side parse
1524 /// boundaries (CLI `kanade job create` + backend
1525 /// `POST /api/jobs`) so ambiguous YAML is rejected before it
1526 /// reaches the JOBS KV. Read paths (projector, agent
1527 /// scheduler, list endpoints) skip this check — they only ever
1528 /// see what the write path already validated.
1529 pub fn validate_script_source(&self) -> Result<(), String> {
1530 let inline = self.has_inline_script();
1531 let file = self.script_file.is_some();
1532 let obj = self.script_object.is_some();
1533 let set = [inline, file, obj].into_iter().filter(|b| *b).count();
1534 match set {
1535 1 => Ok(()),
1536 0 => Err("execute: one of `script`, `script_file`, `script_object` must be set".into()),
1537 _ => Err(format!(
1538 "execute: only one of `script` / `script_file` / `script_object` may be set \
1539 (got script={inline}, script_file={file}, script_object={obj})"
1540 )),
1541 }
1542 }
1543}
1544
1545/// Job-generic post-step hook (see [`Manifest::finalize`]). Runs after
1546/// the main `execute:` script (and the collect upload) on a clean exit,
1547/// with the step's structured result injected via an environment
1548/// variable. P1 supports an inline `script:` only — `script_file:` /
1549/// `script_object:` are follow-ups.
1550#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
1551pub struct FinalizeSpec {
1552 pub shell: ExecuteShell,
1553 /// Inline script body (required; inline-only in P1).
1554 pub script: String,
1555 /// humantime duration string (e.g. `"60s"`, `"5m"`). Defaults to
1556 /// `60s` when unset.
1557 #[serde(default = "default_finalize_timeout")]
1558 pub timeout: String,
1559 /// Token + session combination, like [`Execute::run_as`]. Defaults
1560 /// to [`RunAs::System`].
1561 #[serde(default)]
1562 pub run_as: RunAs,
1563 /// Working directory for the hook child, like [`Execute::cwd`].
1564 #[serde(default, skip_serializing_if = "Option::is_none")]
1565 pub cwd: Option<String>,
1566}
1567
1568/// Default `finalize.timeout` when the operator omits it.
1569fn default_finalize_timeout() -> String {
1570 "60s".to_string()
1571}
1572
1573impl FinalizeSpec {
1574 /// Lower to the wire form forwarded onto a [`Command`]. The timeout
1575 /// parse falls back to 60s — [`Manifest::validate`] already rejects
1576 /// an unparseable value at create time, so the fire path uses a safe
1577 /// default rather than failing (mirrors
1578 /// [`CollectHint::max_size_bytes`]). A sub-second timeout floors at
1579 /// 1s for the same reason `build_command` does.
1580 pub fn lower(&self) -> FinalizeCommand {
1581 let timeout_secs = humantime::parse_duration(&self.timeout)
1582 .map(|d| d.as_secs().max(1))
1583 .unwrap_or(60);
1584 FinalizeCommand {
1585 shell: self.shell.into(),
1586 script: self.script.clone(),
1587 timeout_secs,
1588 run_as: self.run_as,
1589 cwd: self.cwd.clone(),
1590 }
1591 }
1592}
1593
1594impl Manifest {
1595 /// Cross-field semantic checks that don't fit into pure serde
1596 /// derive. Currently delegates to
1597 /// [`Execute::validate_script_source`] — see that method's
1598 /// docs for the rationale on which call sites should run this.
1599 pub fn validate(&self) -> Result<(), String> {
1600 self.execute.validate_script_source()?;
1601 // A present-but-empty finalize script is an invisible no-op
1602 // (the hook would run an empty body); reject it at the write
1603 // boundary. Inline-only in P1, so `script` is the sole source.
1604 if let Some(finalize) = &self.finalize {
1605 if finalize.script.trim().is_empty() {
1606 return Err("finalize.script must not be empty".to_string());
1607 }
1608 // Reject an unparseable timeout at the write boundary so the
1609 // operator sees the error at `job create` rather than getting
1610 // a silent fire-time fallback (`FinalizeSpec::lower` floors to
1611 // 60s, which would otherwise mask a typo).
1612 if humantime::parse_duration(&finalize.timeout).is_err() {
1613 return Err(format!(
1614 "finalize.timeout '{}' is not a valid duration",
1615 finalize.timeout
1616 ));
1617 }
1618 // Disallow cmd for finalize: the agent injects the result JSON
1619 // into the hook's environment, and cmd.exe quoting doesn't
1620 // nest — JSON's `"` plus shell metacharacters in a collected
1621 // path/key could break out into command injection at the
1622 // agent's (often LocalSystem) privilege. PowerShell's
1623 // single-quote escaping is safe, and finalize hooks are
1624 // PowerShell by convention anyway.
1625 if finalize.shell == ExecuteShell::Cmd {
1626 return Err(
1627 "finalize.shell: cmd is not supported for finalize hooks (shell-injection \
1628 risk when the result JSON is injected into the environment); use powershell"
1629 .to_string(),
1630 );
1631 }
1632 }
1633 // Stdout-format compatibility (#821). `inventory:` / `check:` /
1634 // `collect:` now COMPOSE: each reads its own `#KANADE-<KIND>-
1635 // BEGIN/END`-fenced JSON block from stdout, so a single job can
1636 // project inventory facts, drive a Health-tab check, AND collect
1637 // files in one run. (A single-hint job may still skip the fence;
1638 // a multi-hint job must fence each block.)
1639 //
1640 // `emit:` remains the exception — its stdout is line-delimited
1641 // NDJSON consumed whole and then omitted from the result — so it
1642 // can't share stdout with any fenced hint.
1643 if self.emit.is_some()
1644 && (self.inventory.is_some() || self.check.is_some() || self.collect.is_some())
1645 {
1646 return Err(
1647 "`emit:` is incompatible with `inventory:` / `check:` / `collect:` — emit's \
1648 stdout is NDJSON timeline events (consumed whole and omitted from the result), \
1649 while the others read fenced JSON blocks from stdout"
1650 .to_string(),
1651 );
1652 }
1653 // A check's `name` is the Health-tab row id (React key); the
1654 // field names tell the agent where to read status/detail.
1655 // An empty value is an invisible runtime bug, and the serde
1656 // defaults don't guard an operator who writes `status_field:
1657 // ""` explicitly — reject all three here.
1658 if let Some(check) = &self.check {
1659 for (label, value) in [
1660 ("check.name", &check.name),
1661 ("check.status_field", &check.status_field),
1662 ("check.detail_field", &check.detail_field),
1663 ] {
1664 if value.trim().is_empty() {
1665 return Err(format!("{label} must not be empty"));
1666 }
1667 }
1668 // A present-but-blank `troubleshoot` is a broken
1669 // remediation job id (the "修復する" button would target
1670 // an empty manifest id) — reject it too.
1671 if let Some(troubleshoot) = &check.troubleshoot {
1672 if troubleshoot.trim().is_empty() {
1673 return Err("check.troubleshoot must not be empty when set".to_string());
1674 }
1675 }
1676 // A present-but-blank `label` would render an empty row
1677 // title on the Health tab / Compliance page — reject it so
1678 // the slug fallback only ever kicks in when label is absent.
1679 if let Some(label) = &check.label {
1680 if label.trim().is_empty() {
1681 return Err("check.label must not be empty when set".to_string());
1682 }
1683 }
1684 if let Some(alert) = &check.alert {
1685 // An alert that names no recipient is a silent no-op.
1686 if !alert.notify_user && alert.notify_groups.is_empty() {
1687 return Err("check.alert must set notify_user and/or notify_groups".to_string());
1688 }
1689 if alert.title.trim().is_empty() {
1690 return Err("check.alert.title must not be empty".to_string());
1691 }
1692 // `on: []` would never fire; an empty group name resolves to
1693 // a malformed `notifications.group.` subject.
1694 if alert.on.is_empty() {
1695 return Err("check.alert.on must list at least one status".to_string());
1696 }
1697 if alert.notify_groups.iter().any(|g| g.trim().is_empty()) {
1698 return Err("check.alert.notify_groups must not contain blanks".to_string());
1699 }
1700 // Email is addressed via group_contacts (group → email), so
1701 // there must be a group to map. notify_user has no email.
1702 if alert.email && alert.notify_groups.is_empty() {
1703 return Err(
1704 "check.alert.email requires notify_groups (email is addressed per group, not per user)"
1705 .to_string(),
1706 );
1707 }
1708 // The alert rides the `check_status` projection, which only
1709 // runs for `fleet: true`.
1710 if !check.fleet {
1711 return Err(
1712 "check.alert requires fleet: true (the alert rides the compliance projection)"
1713 .to_string(),
1714 );
1715 }
1716 }
1717 }
1718 // #291: a `client:` job is rendered in the Client App's
1719 // catalog (`jobs.list` → `jobs.execute`). serde already makes
1720 // `name` + `category` required at parse time; the only gap is
1721 // a present-but-blank `name`, which would render an empty row
1722 // title — reject it like the other display-id fields.
1723 if let Some(client) = &self.client {
1724 if client.name.trim().is_empty() {
1725 return Err("client.name must not be empty".to_string());
1726 }
1727 // #792: category is a free-form key now, so a blank one would
1728 // group the job under an empty tab — reject it like `name`.
1729 if client.category.trim().is_empty() {
1730 return Err("client.category must not be empty".to_string());
1731 }
1732 // Optional display fields, when present, must be
1733 // meaningful: a blank `description` renders an empty
1734 // subtitle and a blank `icon` is a dangling lucide name.
1735 // Same present-but-blank guard the `check:` block applies
1736 // to its optional `troubleshoot` id.
1737 for (label, value) in [
1738 ("client.description", &client.description),
1739 ("client.icon", &client.icon),
1740 ("client.category_label", &client.category_label),
1741 ("client.category_icon", &client.category_icon),
1742 ] {
1743 if let Some(v) = value {
1744 if v.trim().is_empty() {
1745 return Err(format!("{label} must not be empty when set"));
1746 }
1747 }
1748 }
1749 // #816: a present-but-empty `visible_to` (no all/groups/pcs)
1750 // would hide the job from everyone in the Client App — almost
1751 // certainly a mistake. Require at least one selector; omit the
1752 // whole block to mean "visible to all".
1753 if let Some(t) = &client.visible_to {
1754 if !t.is_specified() {
1755 return Err(
1756 "client.visible_to must set at least one of all / groups / pcs (omit it for all PCs)"
1757 .to_string(),
1758 );
1759 }
1760 }
1761 // show_when: a dynamic display gate keyed on a check result. A
1762 // malformed check slug matches nothing and an empty status list
1763 // matches nothing — both would silently hide the job forever,
1764 // so reject them at create time rather than at a confused
1765 // "why isn't my job showing?" later. The slug must be a clean
1766 // resource id (same charset checks/jobs use): a typo with spaces
1767 // or punctuation can never match a real check name, so catch it
1768 // here instead of failing closed at runtime. (Whether the slug
1769 // names a check that actually EXISTS can't be checked here —
1770 // checks are keyed by name across manifests — so a valid-but-
1771 // unknown slug stays a runtime miss = hidden, the documented
1772 // fail-closed behavior.)
1773 if let Some(sw) = &client.show_when {
1774 if !is_valid_resource_id(sw.check.trim()) {
1775 return Err(
1776 "client.show_when.check must be a non-empty check slug ([A-Za-z0-9._-])"
1777 .to_string(),
1778 );
1779 }
1780 if sw.is.is_empty() {
1781 return Err(
1782 "client.show_when.is must list at least one check status".to_string()
1783 );
1784 }
1785 }
1786 }
1787 // #219: a `collect:` job's `name` heads the bundle on the SPA
1788 // Collect page (and the Client App row when paired with
1789 // `client:`), `files_field` tells the agent where to read the
1790 // path list, and `max_size` must be a parseable size so a typo
1791 // is caught at create time rather than silently capping the
1792 // bundle at the default on the fire path.
1793 if let Some(collect) = &self.collect {
1794 if collect.name.trim().is_empty() {
1795 return Err("collect.name must not be empty".to_string());
1796 }
1797 if collect.files_field.trim().is_empty() {
1798 return Err("collect.files_field must not be empty".to_string());
1799 }
1800 if let Some(description) = &collect.description {
1801 if description.trim().is_empty() {
1802 return Err("collect.description must not be empty when set".to_string());
1803 }
1804 }
1805 if let Some(max_size) = &collect.max_size {
1806 parse_size_bytes(max_size).map_err(|e| format!("collect.max_size: {e}"))?;
1807 }
1808 }
1809 // #720/#743: `aggregate:` is a pure read-spec (it never touches
1810 // stdout and is never sent to an agent), so it composes with every
1811 // other hint. The per-widget rules are shared with the standalone
1812 // `view` resource — see [`validate_aggregate_widgets`].
1813 if let Some(widgets) = &self.aggregate {
1814 validate_aggregate_widgets(widgets, "aggregate")?;
1815 }
1816 // A blank / whitespace-only tag is an invisible operator typo
1817 // that would render an empty filter chip on the Jobs page —
1818 // reject it like the other present-but-blank display fields.
1819 for tag in &self.tags {
1820 if tag.trim().is_empty() {
1821 return Err("tags must not contain empty entries".to_string());
1822 }
1823 }
1824 Ok(())
1825 }
1826}
1827
1828#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
1829#[serde(rename_all = "lowercase")]
1830pub enum ExecuteShell {
1831 Powershell,
1832 Cmd,
1833}
1834
1835impl From<ExecuteShell> for Shell {
1836 fn from(s: ExecuteShell) -> Self {
1837 match s {
1838 ExecuteShell::Powershell => Shell::Powershell,
1839 ExecuteShell::Cmd => Shell::Cmd,
1840 }
1841 }
1842}
1843
1844#[cfg(test)]
1845mod tests {
1846 use super::*;
1847
1848 #[test]
1849 fn inventory_payload_extracts_fenced_block() {
1850 // Readable message + fenced JSON → only the JSON, trimmed.
1851 let stdout = "Wi-Fi 設定を適用しました。\n\
1852 #KANADE-INVENTORY-BEGIN\n\
1853 {\"applied\": true}\n\
1854 #KANADE-INVENTORY-END\n";
1855 assert_eq!(inventory_payload(stdout), "{\"applied\": true}");
1856 }
1857
1858 #[test]
1859 fn inventory_payload_falls_back_to_whole_stdout() {
1860 // No fence (a plain inventory job) → whole stdout, trimmed.
1861 assert_eq!(
1862 inventory_payload(" {\"ram_gb\": 16}\n"),
1863 "{\"ram_gb\": 16}"
1864 );
1865 }
1866
1867 #[test]
1868 fn inventory_payload_handles_unterminated_fence() {
1869 // Closing marker missing (e.g. truncated) → everything after the
1870 // opener, trimmed.
1871 let stdout = "msg\n#KANADE-INVENTORY-BEGIN\n{\"a\": 1}";
1872 assert_eq!(inventory_payload(stdout), "{\"a\": 1}");
1873 }
1874
1875 #[test]
1876 fn inventory_payload_ignores_mid_line_sentinel() {
1877 // The marker echoed mid-line (not at a line start) must NOT be
1878 // treated as a fence — fall back to the whole stdout.
1879 let stdout = "see #KANADE-INVENTORY-BEGIN in the docs\nnot json";
1880 assert_eq!(inventory_payload(stdout), stdout.trim());
1881 }
1882
1883 #[test]
1884 fn fenced_payload_extracts_each_hint_block_independently() {
1885 // #821: one stdout carrying a user message + all three fenced
1886 // blocks — every consumer pulls only its own.
1887 let stdout = "\
1888done!
1889#KANADE-INVENTORY-BEGIN
1890{\"os\":\"win\"}
1891#KANADE-INVENTORY-END
1892#KANADE-CHECK-BEGIN
1893{\"status\":\"ok\"}
1894#KANADE-CHECK-END
1895#KANADE-COLLECT-BEGIN
1896{\"files\":[\"a\"]}
1897#KANADE-COLLECT-END
1898";
1899 assert_eq!(
1900 fenced_payload(stdout, INVENTORY_BLOCK_BEGIN, INVENTORY_BLOCK_END),
1901 "{\"os\":\"win\"}"
1902 );
1903 assert_eq!(
1904 fenced_payload(stdout, CHECK_BLOCK_BEGIN, CHECK_BLOCK_END),
1905 "{\"status\":\"ok\"}"
1906 );
1907 assert_eq!(
1908 fenced_payload(stdout, COLLECT_BLOCK_BEGIN, COLLECT_BLOCK_END),
1909 "{\"files\":[\"a\"]}"
1910 );
1911 }
1912
1913 #[test]
1914 fn fenced_payload_falls_back_to_whole_stdout_without_fence() {
1915 // A single-hint job needs no fence — the whole (trimmed) stdout is
1916 // the payload.
1917 let stdout = " {\"files\":[\"a\"]} ";
1918 assert_eq!(
1919 fenced_payload(stdout, COLLECT_BLOCK_BEGIN, COLLECT_BLOCK_END),
1920 "{\"files\":[\"a\"]}"
1921 );
1922 }
1923
1924 #[test]
1925 fn fenced_payload_returns_empty_when_other_fences_present_but_mine_missing() {
1926 // Multi-hint output (inventory + check fenced) but the COLLECT
1927 // fence is missing — collect must NOT fall back to the whole
1928 // stdout (which holds the inventory/check blocks) and cross-parse
1929 // a sibling block; it gets "" → its JSON parse fails → no data.
1930 let stdout = "\
1931#KANADE-INVENTORY-BEGIN
1932{\"os\":\"win\"}
1933#KANADE-INVENTORY-END
1934#KANADE-CHECK-BEGIN
1935{\"status\":\"ok\"}
1936#KANADE-CHECK-END
1937";
1938 assert_eq!(
1939 fenced_payload(stdout, COLLECT_BLOCK_BEGIN, COLLECT_BLOCK_END),
1940 ""
1941 );
1942 // ...while the hints that DID fence still extract correctly.
1943 assert_eq!(
1944 fenced_payload(stdout, INVENTORY_BLOCK_BEGIN, INVENTORY_BLOCK_END),
1945 "{\"os\":\"win\"}"
1946 );
1947 }
1948
1949 /// The example check-job + schedule YAMLs shipped under `configs/`
1950 /// must stay valid as the schema evolves (#290 PR-C). `include_str!`
1951 /// pins them at compile time so a breaking edit fails `cargo test`
1952 /// rather than only `kanade job create` at deploy time.
1953 #[test]
1954 fn example_check_job_yamls_parse_and_validate() {
1955 let jobs = [
1956 (
1957 "check-bitlocker",
1958 include_str!("../../../configs/jobs/check-bitlocker.yaml"),
1959 ),
1960 (
1961 "check-av-signature",
1962 include_str!("../../../configs/jobs/check-av-signature.yaml"),
1963 ),
1964 (
1965 "check-cert-expiry",
1966 include_str!("../../../configs/jobs/check-cert-expiry.yaml"),
1967 ),
1968 (
1969 "check-disk-space",
1970 include_str!("../../../configs/jobs/check-disk-space.yaml"),
1971 ),
1972 (
1973 "check-pending-reboot",
1974 include_str!("../../../configs/jobs/check-pending-reboot.yaml"),
1975 ),
1976 (
1977 "check-defender-rtp",
1978 include_str!("../../../configs/jobs/check-defender-rtp.yaml"),
1979 ),
1980 (
1981 "check-firewall",
1982 include_str!("../../../configs/jobs/check-firewall.yaml"),
1983 ),
1984 ];
1985 for (name, yaml) in jobs {
1986 let m: Manifest =
1987 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} parse: {e}"));
1988 m.validate()
1989 .unwrap_or_else(|e| panic!("{name} validate: {e}"));
1990 let check = m
1991 .check
1992 .as_ref()
1993 .unwrap_or_else(|| panic!("{name} must carry a check: hint"));
1994 assert!(!check.name.trim().is_empty(), "{name} check.name empty");
1995 // These examples all read admin-only WMI / registry / netsh
1996 // state, so they run_as system. NOTE: that's a property of
1997 // these particular checks, NOT of the `check:` contract — a
1998 // check probing user-session state could run_as user.
1999 assert_eq!(
2000 m.execute.run_as,
2001 RunAs::System,
2002 "{name} should run_as system"
2003 );
2004 }
2005 }
2006
2007 /// The example user-invokable job YAMLs (#291) shipped under
2008 /// `configs/jobs/` must stay valid as the `client:` schema
2009 /// evolves. `include_str!` pins them at compile time so a breaking
2010 /// edit fails `cargo test`, not `kanade job create` at deploy.
2011 #[test]
2012 fn example_client_job_yamls_parse_and_validate() {
2013 let jobs = [
2014 (
2015 "fix-teams-cache",
2016 "troubleshoot",
2017 include_str!("../../../configs/jobs/fix-teams-cache.yaml"),
2018 ),
2019 (
2020 "chrome-update",
2021 "software_update",
2022 include_str!("../../../configs/jobs/chrome-update.yaml"),
2023 ),
2024 (
2025 "install-slack",
2026 "catalog",
2027 include_str!("../../../configs/jobs/install-slack.yaml"),
2028 ),
2029 (
2030 "fix-defender-rtp",
2031 "troubleshoot",
2032 include_str!("../../../configs/jobs/fix-defender-rtp.yaml"),
2033 ),
2034 // #792 custom category ("settings") + #809 message/inventory.
2035 (
2036 "example-power-plan",
2037 "settings",
2038 include_str!("../../../configs/jobs/example-power-plan.yaml"),
2039 ),
2040 // #792: diagnostics moved to its own "support" tab.
2041 (
2042 "collect-diagnostics",
2043 "support",
2044 include_str!("../../../configs/jobs/collect-diagnostics.yaml"),
2045 ),
2046 ];
2047 for (id, category, yaml) in jobs {
2048 let m: Manifest =
2049 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
2050 m.validate()
2051 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
2052 assert_eq!(m.id, id, "{id} id mismatch");
2053 let client = m
2054 .client
2055 .as_ref()
2056 .unwrap_or_else(|| panic!("{id} must carry a client: block"));
2057 assert!(!client.name.trim().is_empty(), "{id} client.name empty");
2058 assert_eq!(client.category, category, "{id} category");
2059 }
2060 }
2061
2062 /// #219: the shipped `collect:` example must stay valid as the
2063 /// schema evolves. `include_str!` pins it at compile time so a
2064 /// breaking edit (or a YAML typo in the PowerShell block) fails
2065 /// `cargo test` rather than `kanade job create` at deploy. It carries
2066 /// both `collect:` and `client:` (end-user-triggerable), which must
2067 /// compose.
2068 #[test]
2069 fn example_collect_job_yaml_parses_and_validates() {
2070 let yaml = include_str!("../../../configs/jobs/collect-diagnostics.yaml");
2071 let m: Manifest = serde_yaml::from_str(yaml).expect("collect-diagnostics parse");
2072 m.validate().expect("collect-diagnostics validate");
2073 assert_eq!(m.id, "collect-diagnostics");
2074 let collect = m.collect.as_ref().expect("collect: block present");
2075 assert!(!collect.name.trim().is_empty());
2076 assert_eq!(collect.files_field, "files");
2077 assert_eq!(collect.max_size_bytes(), 50_000_000);
2078 // collect + client compose — the Client App can trigger it.
2079 assert!(
2080 m.client.is_some(),
2081 "collect-diagnostics also carries client:"
2082 );
2083 }
2084
2085 /// The `emit: { type: events }` collector jobs under
2086 /// `configs/jobs/` feed the obs_events timeline. `include_str!`
2087 /// pins them at compile time so a breaking edit (e.g. an `emit:`
2088 /// paired with `check:`/`inventory:`, a bad watermark field, or a
2089 /// YAML typo in the PowerShell block) fails `cargo test` rather
2090 /// than `kanade job create` at deploy. Every one must carry an
2091 /// `emit.type=events` block and NO check/inventory (validate()
2092 /// rejects the pairing).
2093 #[test]
2094 fn example_event_collector_job_yamls_parse_and_validate() {
2095 let jobs = [
2096 // collect-winlog-events was retired in #841 PR2 — the scheduled
2097 // human-session / power timeline is now read natively by the
2098 // agent (kanade-agent `winlog` module via EvtQuery), no
2099 // PowerShell job. collect-winlog-logons-all stays as the
2100 // on-demand forensic all-token-logons companion.
2101 (
2102 "collect-winlog-logons-all",
2103 include_str!("../../../configs/jobs/collect-winlog-logons-all.yaml"),
2104 ),
2105 (
2106 "collect-wlan-events",
2107 include_str!("../../../configs/jobs/collect-wlan-events.yaml"),
2108 ),
2109 ];
2110 for (id, yaml) in jobs {
2111 // Strict parse so an unknown-key typo in these fixtures fails
2112 // here (not silently at deploy) — the runtime Manifest is
2113 // unknown-key-tolerant, so the lenient serde_yaml::from_str
2114 // wouldn't catch fixture drift (CodeRabbit #689).
2115 let m: Manifest =
2116 crate::strict::from_yaml_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
2117 m.validate()
2118 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
2119 assert_eq!(m.id, id, "{id} id mismatch");
2120 let emit = m
2121 .emit
2122 .as_ref()
2123 .unwrap_or_else(|| panic!("{id} must carry an emit: block"));
2124 assert_eq!(emit.kind, EmitKind::Events, "{id} emit.type");
2125 assert!(
2126 m.check.is_none() && m.inventory.is_none(),
2127 "{id}: emit jobs must not pair with check/inventory"
2128 );
2129 }
2130 }
2131
2132 /// The `inventory:` snapshot jobs under `configs/jobs/` project
2133 /// facts into `inventory_facts` + exploded tables. `include_str!`
2134 /// pins them at compile time so a breaking edit (bad explode
2135 /// schema, a YAML typo in the PowerShell block, an `inventory:`
2136 /// accidentally paired with `emit:`) fails `cargo test` rather
2137 /// than the projector at deploy. Each must carry an `inventory:`
2138 /// block and NO emit (validate() rejects the pairing).
2139 #[test]
2140 fn example_inventory_job_yamls_parse_and_validate() {
2141 let jobs = [
2142 (
2143 "inventory-hw",
2144 include_str!("../../../configs/jobs/inventory-hw.yaml"),
2145 ),
2146 (
2147 "inventory-sw",
2148 include_str!("../../../configs/jobs/inventory-sw.yaml"),
2149 ),
2150 (
2151 "inventory-driver",
2152 include_str!("../../../configs/jobs/inventory-driver.yaml"),
2153 ),
2154 ];
2155 for (id, yaml) in jobs {
2156 let m: Manifest =
2157 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{id} parse: {e}"));
2158 m.validate()
2159 .unwrap_or_else(|e| panic!("{id} validate: {e}"));
2160 assert_eq!(m.id, id, "{id} id mismatch");
2161 assert!(m.inventory.is_some(), "{id} must carry an inventory: block");
2162 assert!(m.emit.is_none(), "{id}: inventory jobs must not set emit:");
2163 }
2164 }
2165
2166 #[test]
2167 fn example_check_schedule_yamls_parse_and_validate() {
2168 let schedules = [
2169 (
2170 "check-bitlocker",
2171 include_str!("../../../configs/schedules/check-bitlocker.yaml"),
2172 ),
2173 (
2174 "check-av-signature",
2175 include_str!("../../../configs/schedules/check-av-signature.yaml"),
2176 ),
2177 (
2178 "check-cert-expiry",
2179 include_str!("../../../configs/schedules/check-cert-expiry.yaml"),
2180 ),
2181 (
2182 "check-disk-space",
2183 include_str!("../../../configs/schedules/check-disk-space.yaml"),
2184 ),
2185 (
2186 "check-pending-reboot",
2187 include_str!("../../../configs/schedules/check-pending-reboot.yaml"),
2188 ),
2189 (
2190 "check-defender-rtp",
2191 include_str!("../../../configs/schedules/check-defender-rtp.yaml"),
2192 ),
2193 (
2194 "check-firewall",
2195 include_str!("../../../configs/schedules/check-firewall.yaml"),
2196 ),
2197 ];
2198 for (name, yaml) in schedules {
2199 let s: Schedule =
2200 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
2201 s.validate()
2202 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
2203 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
2204 }
2205 }
2206
2207 /// Inventory schedule wrappers (`per_pc` cadence) must stay valid
2208 /// alongside the schedule schema. `include_str!` pins them so a
2209 /// breaking edit fails `cargo test`, not `kanade schedule create`.
2210 #[test]
2211 fn example_inventory_schedule_yamls_parse_and_validate() {
2212 let schedules = [
2213 (
2214 "inventory-hw",
2215 include_str!("../../../configs/schedules/inventory-hw.yaml"),
2216 ),
2217 (
2218 "inventory-sw",
2219 include_str!("../../../configs/schedules/inventory-sw.yaml"),
2220 ),
2221 (
2222 "inventory-driver",
2223 include_str!("../../../configs/schedules/inventory-driver.yaml"),
2224 ),
2225 ];
2226 for (name, yaml) in schedules {
2227 let s: Schedule =
2228 serde_yaml::from_str(yaml).unwrap_or_else(|e| panic!("{name} schedule parse: {e}"));
2229 s.validate()
2230 .unwrap_or_else(|e| panic!("{name} schedule validate: {e}"));
2231 assert_eq!(s.job_id, name, "{name} schedule must reference its job");
2232 }
2233 }
2234
2235 #[test]
2236 fn target_is_specified_requires_at_least_one_field() {
2237 let empty = Target::default();
2238 assert!(!empty.is_specified());
2239
2240 let with_all = Target {
2241 all: true,
2242 ..Target::default()
2243 };
2244 assert!(with_all.is_specified());
2245
2246 let with_groups = Target {
2247 groups: vec!["canary".into()],
2248 ..Target::default()
2249 };
2250 assert!(with_groups.is_specified());
2251
2252 let with_pcs = Target {
2253 pcs: vec!["pc-01".into()],
2254 ..Target::default()
2255 };
2256 assert!(with_pcs.is_specified());
2257 }
2258
2259 #[test]
2260 fn manifest_deserialises_minimal_yaml() {
2261 // Matches jobs/echo-test.yaml. v0.18: no target/rollout/jitter
2262 // — those live on the schedule / exec request now.
2263 let yaml = r#"
2264id: echo-test
2265version: 0.0.1
2266execute:
2267 shell: powershell
2268 script: "echo 'kanade'"
2269 timeout: 30s
2270"#;
2271 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2272 assert_eq!(m.id, "echo-test");
2273 assert_eq!(m.version, "0.0.1");
2274 assert!(matches!(m.execute.shell, ExecuteShell::Powershell));
2275 assert_eq!(
2276 m.execute.script.as_deref().map(str::trim),
2277 Some("echo 'kanade'")
2278 );
2279 assert!(m.execute.script_file.is_none());
2280 assert!(m.execute.script_object.is_none());
2281 assert_eq!(m.execute.timeout, "30s");
2282 assert!(!m.require_approval);
2283 m.validate()
2284 .expect("inline-script manifest passes validation");
2285 }
2286
2287 #[test]
2288 fn manifest_parses_check_job_and_validates() {
2289 // An operator-defined health check (#290): a `check:` hint +
2290 // a PowerShell script that prints {status, detail}.
2291 let yaml = r#"
2292id: check-bitlocker
2293version: 0.1.0
2294execute:
2295 shell: powershell
2296 run_as: system
2297 timeout: 15s
2298 script: |
2299 [pscustomobject]@{ status = 'ok'; detail = 'all volumes protected' } | ConvertTo-Json -Compress
2300check:
2301 name: bitlocker
2302 troubleshoot: fix-bitlocker
2303"#;
2304 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2305 let check = m.check.as_ref().expect("check hint present");
2306 assert_eq!(check.name, "bitlocker");
2307 assert_eq!(check.troubleshoot.as_deref(), Some("fix-bitlocker"));
2308 // Field names default to the conventional "status" / "detail".
2309 assert_eq!(check.status_field, "status");
2310 assert_eq!(check.detail_field, "detail");
2311 assert!(m.inventory.is_none() && m.emit.is_none());
2312 m.validate().expect("check-only manifest passes validation");
2313 }
2314
2315 #[test]
2316 fn manifest_check_defaults_and_custom_fields() {
2317 // Minimal: only `name`; status/detail fields default.
2318 let m: Manifest = serde_yaml::from_str(
2319 r#"
2320id: check-disk
2321version: 0.1.0
2322execute:
2323 shell: powershell
2324 script: "[pscustomobject]@{ status = 'ok' } | ConvertTo-Json -Compress"
2325 timeout: 10s
2326check:
2327 name: disk_free
2328"#,
2329 )
2330 .expect("parse");
2331 let c = m.check.as_ref().unwrap();
2332 assert_eq!(c.name, "disk_free");
2333 assert_eq!(c.status_field, "status");
2334 assert_eq!(c.detail_field, "detail");
2335 assert!(c.troubleshoot.is_none());
2336 m.validate().expect("validates");
2337
2338 // The operator can point status/detail at any field of their
2339 // free-form inventory object.
2340 let m2: Manifest = serde_yaml::from_str(
2341 r#"
2342id: check-custom
2343version: 0.1.0
2344execute:
2345 shell: powershell
2346 script: "echo x"
2347 timeout: 10s
2348check:
2349 name: patch_level
2350 status_field: compliance
2351 detail_field: summary
2352"#,
2353 )
2354 .expect("parse");
2355 let c2 = m2.check.as_ref().unwrap();
2356 assert_eq!(c2.status_field, "compliance");
2357 assert_eq!(c2.detail_field, "summary");
2358 }
2359
2360 #[test]
2361 fn manifest_allows_check_composed_with_inventory() {
2362 // `check:` + `inventory:` COMPOSE on the same stdout object:
2363 // status/detail → Health tab, the rest → SPA projection +
2364 // explode sub-tables. Must pass validation.
2365 let yaml = r#"
2366id: check-bitlocker-detailed
2367version: 0.1.0
2368execute:
2369 shell: powershell
2370 script: "echo x"
2371 timeout: 10s
2372check:
2373 name: bitlocker
2374inventory:
2375 display:
2376 - { field: status, label: Status }
2377"#;
2378 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2379 assert!(m.check.is_some() && m.inventory.is_some());
2380 m.validate().expect("check + inventory compose");
2381 }
2382
2383 #[test]
2384 fn manifest_parses_collect_job_and_validates() {
2385 // #219: a `collect:` hint + a script that lists files on stdout.
2386 let yaml = r#"
2387id: collect-diagnostics
2388version: 0.1.0
2389execute:
2390 shell: powershell
2391 run_as: system
2392 timeout: 120s
2393 script: |
2394 @{ files = @("$env:KANADE_COLLECT_DIR/system.csv") } | ConvertTo-Json
2395collect:
2396 name: "Full diagnostics"
2397 description: "Event logs + process"
2398 max_size: 50MB
2399"#;
2400 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2401 let c = m.collect.as_ref().expect("collect hint present");
2402 assert_eq!(c.name, "Full diagnostics");
2403 assert_eq!(c.files_field, "files"); // default
2404 assert_eq!(c.max_size_bytes(), 50_000_000);
2405 m.validate().expect("collect-only manifest validates");
2406 }
2407
2408 #[test]
2409 fn manifest_finalize_powershell_validates_and_lowers() {
2410 let yaml = r#"
2411id: collect-fin
2412version: 0.1.0
2413execute:
2414 shell: powershell
2415 timeout: 120s
2416 script: |
2417 @{ files = @() } | ConvertTo-Json
2418collect:
2419 name: "diag"
2420 max_size: 50MB
2421finalize:
2422 shell: powershell
2423 timeout: 30s
2424 run_as: system
2425 script: |
2426 Write-Output "cleanup"
2427"#;
2428 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2429 m.validate().expect("powershell finalize validates");
2430 let lowered = m.finalize.as_ref().expect("finalize present").lower();
2431 assert_eq!(lowered.timeout_secs, 30);
2432 assert!(matches!(lowered.shell, Shell::Powershell));
2433 }
2434
2435 #[test]
2436 fn manifest_finalize_rejects_cmd_shell() {
2437 // cmd finalize is an injection risk (the agent injects JSON into
2438 // the hook's env; cmd.exe quoting doesn't nest) — validate must
2439 // reject it.
2440 let yaml = r#"
2441id: collect-fin-cmd
2442version: 0.1.0
2443execute:
2444 shell: powershell
2445 timeout: 120s
2446 script: |
2447 @{ files = @() } | ConvertTo-Json
2448finalize:
2449 shell: cmd
2450 script: |
2451 echo hi
2452"#;
2453 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2454 let err = m.validate().expect_err("cmd finalize rejected");
2455 assert!(err.contains("finalize.shell"), "got: {err}");
2456 }
2457
2458 #[test]
2459 fn manifest_finalize_rejects_empty_script() {
2460 let yaml = r#"
2461id: collect-fin-empty
2462version: 0.1.0
2463execute:
2464 shell: powershell
2465 timeout: 120s
2466 script: |
2467 @{ files = @() } | ConvertTo-Json
2468finalize:
2469 shell: powershell
2470 script: " "
2471"#;
2472 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2473 let err = m.validate().expect_err("empty finalize script rejected");
2474 assert!(err.contains("finalize.script"), "got: {err}");
2475 }
2476
2477 #[test]
2478 fn manifest_collect_max_size_defaults_when_unset() {
2479 let m: Manifest = serde_yaml::from_str(
2480 r#"
2481id: collect-min
2482version: 0.1.0
2483execute:
2484 shell: powershell
2485 script: "echo x"
2486 timeout: 10s
2487collect:
2488 name: minimal
2489"#,
2490 )
2491 .expect("parse");
2492 let c = m.collect.as_ref().unwrap();
2493 assert!(c.max_size.is_none());
2494 assert_eq!(c.max_size_bytes(), DEFAULT_COLLECT_MAX_SIZE);
2495 m.validate().expect("validates");
2496 }
2497
2498 #[test]
2499 fn manifest_allows_collect_with_client() {
2500 // collect composes with client (client doesn't touch stdout):
2501 // an end user can trigger a collection from the Client App.
2502 let yaml = r#"
2503id: collect-diag-client
2504version: 0.1.0
2505execute:
2506 shell: powershell
2507 script: "echo x"
2508 timeout: 10s
2509collect:
2510 name: diagnostics
2511client:
2512 name: "Send diagnostics"
2513 category: troubleshoot
2514"#;
2515 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2516 assert!(m.collect.is_some() && m.client.is_some());
2517 m.validate().expect("collect + client compose");
2518 }
2519
2520 #[test]
2521 fn manifest_allows_inventory_check_collect_coexistence() {
2522 // #821: the three fenced hints now COMPOSE — each reads its own
2523 // `#KANADE-<KIND>` stdout block, so one job can do all three.
2524 let yaml = r#"
2525id: multi-hint
2526version: 0.1.0
2527execute:
2528 shell: powershell
2529 script: "echo x"
2530 timeout: 10s
2531inventory:
2532 display:
2533 - { field: status, label: Status }
2534check:
2535 name: health
2536collect:
2537 name: diag
2538"#;
2539 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2540 m.validate()
2541 .expect("inventory + check + collect coexist after #821");
2542 }
2543
2544 #[test]
2545 fn manifest_rejects_emit_combined_with_fenced_hints() {
2546 // `emit:` consumes stdout as NDJSON (and blanks it), so it still
2547 // can't share with any fenced hint — inventory, check, OR collect.
2548 for extra in [
2549 "inventory:\n display:\n - { field: s, label: S }\n",
2550 "check:\n name: health\n",
2551 "collect:\n name: diag\n",
2552 ] {
2553 let yaml = format!(
2554 "id: bad-emit-mix\nversion: 0.1.0\nexecute:\n shell: powershell\n \
2555 script: \"echo x\"\n timeout: 10s\nemit:\n type: events\n{extra}"
2556 );
2557 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
2558 let err = m
2559 .validate()
2560 .expect_err("emit + fenced hint must be rejected");
2561 assert!(err.contains("emit"), "error mentions emit: {err}");
2562 }
2563 }
2564
2565 #[test]
2566 fn manifest_rejects_collect_empty_name_and_bad_size() {
2567 let empty_name: Manifest = serde_yaml::from_str(
2568 r#"
2569id: c
2570version: 0.1.0
2571execute: { shell: powershell, script: "echo x", timeout: 10s }
2572collect: { name: " " }
2573"#,
2574 )
2575 .expect("parse");
2576 assert!(
2577 empty_name.validate().is_err(),
2578 "blank collect.name rejected"
2579 );
2580
2581 let bad_size: Manifest = serde_yaml::from_str(
2582 r#"
2583id: c
2584version: 0.1.0
2585execute: { shell: powershell, script: "echo x", timeout: 10s }
2586collect: { name: diag, max_size: "50 quux" }
2587"#,
2588 )
2589 .expect("parse");
2590 let err = bad_size.validate().expect_err("bad max_size rejected");
2591 assert!(err.contains("max_size"), "error mentions max_size: {err}");
2592 }
2593
2594 #[test]
2595 fn parse_size_bytes_units() {
2596 assert_eq!(parse_size_bytes("1024").unwrap(), 1024);
2597 assert_eq!(parse_size_bytes("1B").unwrap(), 1);
2598 assert_eq!(parse_size_bytes("50MB").unwrap(), 50_000_000);
2599 assert_eq!(parse_size_bytes("500 KB").unwrap(), 500_000);
2600 assert_eq!(parse_size_bytes("1GiB").unwrap(), 1024 * 1024 * 1024);
2601 assert_eq!(parse_size_bytes("2mib").unwrap(), 2 * 1024 * 1024);
2602 assert!(parse_size_bytes("").is_err());
2603 assert!(parse_size_bytes("MB").is_err());
2604 assert!(parse_size_bytes("12 zonks").is_err());
2605 }
2606
2607 #[test]
2608 fn manifest_rejects_check_combined_with_emit() {
2609 // `emit:` stdout is NDJSON (and omitted from the result), so
2610 // it can't pair with `check:` (which needs a single JSON
2611 // object on stdout).
2612 let yaml = r#"
2613id: bad-mix
2614version: 0.1.0
2615execute:
2616 shell: powershell
2617 script: "echo x"
2618 timeout: 10s
2619check:
2620 name: bitlocker
2621emit:
2622 type: events
2623"#;
2624 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2625 let err = m.validate().expect_err("emit + check must fail");
2626 assert!(err.contains("incompatible"), "err: {err}");
2627 }
2628
2629 #[test]
2630 fn manifest_rejects_emit_combined_with_inventory() {
2631 // The other half of the emit-incompatibility condition.
2632 let yaml = r#"
2633id: bad-mix-2
2634version: 0.1.0
2635execute:
2636 shell: powershell
2637 script: "echo x"
2638 timeout: 10s
2639emit:
2640 type: events
2641inventory:
2642 display:
2643 - { field: status, label: Status }
2644"#;
2645 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2646 let err = m.validate().expect_err("emit + inventory must fail");
2647 assert!(err.contains("incompatible"), "err: {err}");
2648 }
2649
2650 #[test]
2651 fn manifest_rejects_empty_check_field_names() {
2652 // Empty name / status_field / detail_field are invisible
2653 // runtime bugs (empty React key, agent reads the wrong field)
2654 // — reject them even though serde supplies non-empty defaults.
2655 let base = |inner: &str| {
2656 format!(
2657 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n{inner}"
2658 )
2659 };
2660 for inner in [
2661 " name: \"\"\n",
2662 " name: ok\n status_field: \"\"\n",
2663 " name: ok\n detail_field: \" \"\n",
2664 // present-but-blank troubleshoot → broken remediation id.
2665 " name: ok\n troubleshoot: \" \"\n",
2666 ] {
2667 let m: Manifest = serde_yaml::from_str(&base(inner)).expect("parse");
2668 let err = m.validate().expect_err("empty field must fail");
2669 assert!(err.contains("must not be empty"), "err: {err}");
2670 }
2671 }
2672
2673 #[test]
2674 fn check_alert_decodes_with_defaults_and_validates() {
2675 let yaml = r#"
2676id: c
2677version: 0.1.0
2678execute:
2679 shell: powershell
2680 script: "echo x"
2681 timeout: 10s
2682check:
2683 name: bitlocker
2684 alert:
2685 notify_user: true
2686 title: "BitLocker 未準拠"
2687"#;
2688 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2689 m.validate().expect("valid alert");
2690 let alert = m.check.unwrap().alert.unwrap();
2691 // Defaults: on = [fail], priority = warn, body = None.
2692 assert_eq!(alert.on, vec![CheckAlertStatus::Fail]);
2693 assert_eq!(
2694 alert.priority,
2695 crate::ipc::notifications::NotificationPriority::Warn
2696 );
2697 assert!(alert.body.is_none());
2698 assert!(alert.notify_user);
2699 }
2700
2701 #[test]
2702 fn check_alert_validation_rejects_bad_configs() {
2703 let base = |alert: &str| {
2704 format!(
2705 "id: c\nversion: 0.1.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 10s\ncheck:\n name: bitlocker\n alert:\n{alert}"
2706 )
2707 };
2708 let cases = [
2709 // No recipient.
2710 (" title: t\n", "notify_user and/or notify_groups"),
2711 // Empty title.
2712 (
2713 " notify_user: true\n title: \" \"\n",
2714 "title must not be empty",
2715 ),
2716 // Empty `on`.
2717 (
2718 " notify_user: true\n title: t\n on: []\n",
2719 "on must list at least one status",
2720 ),
2721 // Blank group name.
2722 (
2723 " notify_groups: [\" \"]\n title: t\n",
2724 "notify_groups must not contain blanks",
2725 ),
2726 // alert requires fleet: true.
2727 (
2728 " notify_user: true\n title: t\n fleet: false\n",
2729 "requires fleet: true",
2730 ),
2731 // email opt-in without a group to address.
2732 (
2733 " notify_user: true\n email: true\n title: t\n",
2734 "email requires notify_groups",
2735 ),
2736 ];
2737 for (alert, want) in cases {
2738 let m: Manifest = serde_yaml::from_str(&base(alert)).expect("parse");
2739 let err = m.validate().expect_err("bad alert must fail");
2740 assert!(err.contains(want), "for {alert:?}: got {err}");
2741 }
2742 }
2743
2744 #[test]
2745 fn manifest_client_absent_by_default() {
2746 // A plain operator job (the overwhelming majority) carries no
2747 // `client:` block, so it never surfaces in the end-user
2748 // catalog.
2749 let yaml = r#"
2750id: echo-test
2751version: 0.0.1
2752execute:
2753 shell: powershell
2754 script: "echo 'kanade'"
2755 timeout: 30s
2756"#;
2757 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2758 assert!(m.client.is_none());
2759 m.validate().expect("operator-only job validates");
2760 }
2761
2762 #[test]
2763 fn manifest_client_parses_and_validates() {
2764 // The Client App "困ったとき" remediation job shape: a
2765 // user-invokable troubleshoot job with the end-user fields the
2766 // KLP `jobs.list` wire needs, grouped under `client:`.
2767 let yaml = r#"
2768id: fix-teams-cache
2769version: 1.0.0
2770execute:
2771 shell: powershell
2772 script: "echo clearing"
2773 timeout: 60s
2774client:
2775 name: "Teams のキャッシュをクリア"
2776 description: "Teams が重いときに試してください"
2777 category: troubleshoot
2778 icon: brush-cleaning
2779"#;
2780 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2781 let c = m.client.as_ref().expect("client block present");
2782 assert_eq!(c.name, "Teams のキャッシュをクリア");
2783 assert_eq!(
2784 c.description.as_deref(),
2785 Some("Teams が重いときに試してください")
2786 );
2787 assert_eq!(c.category, "troubleshoot");
2788 assert_eq!(c.icon.as_deref(), Some("brush-cleaning"));
2789 m.validate().expect("user-invokable job validates");
2790 }
2791
2792 #[test]
2793 fn manifest_client_minimal_only_name_and_category() {
2794 // description + icon are optional; name + category are the
2795 // serde-required minimum.
2796 let yaml = r#"
2797id: install-slack
2798version: 1.0.0
2799execute:
2800 shell: powershell
2801 script: "echo install"
2802 timeout: 600s
2803client:
2804 name: Slack
2805 category: catalog
2806"#;
2807 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2808 let c = m.client.as_ref().expect("client present");
2809 assert_eq!(c.category, "catalog");
2810 assert!(c.description.is_none() && c.icon.is_none());
2811 m.validate().expect("minimal client validates");
2812 }
2813
2814 #[test]
2815 fn manifest_client_rejects_blank_name() {
2816 // serde guarantees `name`/`category` are present; the one gap
2817 // is a present-but-blank name → empty catalog row title.
2818 let yaml = r#"
2819id: j
2820version: 1.0.0
2821execute:
2822 shell: powershell
2823 script: "echo x"
2824 timeout: 30s
2825client:
2826 name: " "
2827 category: catalog
2828"#;
2829 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2830 let err = m.validate().expect_err("blank name must fail");
2831 assert!(err.contains("client.name"), "err: {err}");
2832 }
2833
2834 #[test]
2835 fn manifest_client_rejects_blank_optional_fields() {
2836 // description / icon are optional, but a present-but-blank
2837 // value is a bug (empty subtitle / dangling icon name) — reject
2838 // it, mirroring the check: block's troubleshoot guard.
2839 for (field, line) in [
2840 ("client.description", " description: \" \"\n"),
2841 ("client.icon", " icon: \"\"\n"),
2842 // #792: the new category tab-metadata fields get the same
2843 // present-but-blank guard.
2844 ("client.category_label", " category_label: \" \"\n"),
2845 ("client.category_icon", " category_icon: \"\"\n"),
2846 ] {
2847 let yaml = format!(
2848 "id: j\nversion: 1.0.0\nexecute:\n shell: powershell\n script: \"echo x\"\n timeout: 30s\nclient:\n name: A\n category: catalog\n{line}"
2849 );
2850 let m: Manifest = serde_yaml::from_str(&yaml).expect("parse");
2851 let err = m.validate().expect_err("blank optional field must fail");
2852 assert!(err.contains(field), "expected {field} in err: {err}");
2853 }
2854 }
2855
2856 #[test]
2857 fn manifest_client_rejects_blank_category() {
2858 // #792: category is a free-form key now; serde keeps it required,
2859 // but a present-but-blank value would group the job under an empty
2860 // tab — validate() must reject it.
2861 let yaml = r#"
2862id: j
2863version: 1.0.0
2864execute:
2865 shell: powershell
2866 script: "echo x"
2867 timeout: 30s
2868client:
2869 name: "A job"
2870 category: " "
2871"#;
2872 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2873 let err = m.validate().expect_err("blank category must fail");
2874 assert!(err.contains("client.category"), "err: {err}");
2875 }
2876
2877 #[test]
2878 fn target_matches_pc_group_and_all() {
2879 // #816: pc match, group match, all, and the no-match case.
2880 let by_pc = Target {
2881 pcs: vec!["PC1".into()],
2882 ..Default::default()
2883 };
2884 assert!(by_pc.matches("PC1", &[]));
2885 assert!(!by_pc.matches("PC2", &["g1".into()]));
2886
2887 let by_group = Target {
2888 groups: vec!["g1".into()],
2889 ..Default::default()
2890 };
2891 assert!(by_group.matches("PC2", &["g1".into()]));
2892 assert!(!by_group.matches("PC2", &["g2".into()]));
2893
2894 let all = Target {
2895 all: true,
2896 ..Default::default()
2897 };
2898 assert!(all.matches("anyPC", &[]));
2899 }
2900
2901 #[test]
2902 fn manifest_client_rejects_empty_visible_to() {
2903 // #816: a present-but-empty visible_to (no all/groups/pcs) would
2904 // hide the job from everyone — validate() must reject it.
2905 let yaml = r#"
2906id: j
2907version: 1.0.0
2908execute:
2909 shell: powershell
2910 script: "echo x"
2911 timeout: 30s
2912client:
2913 name: "A job"
2914 category: troubleshoot
2915 visible_to: {}
2916"#;
2917 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2918 let err = m.validate().expect_err("empty visible_to must fail");
2919 assert!(err.contains("client.visible_to"), "err: {err}");
2920 }
2921
2922 #[test]
2923 fn manifest_client_accepts_visible_to_groups() {
2924 let yaml = r#"
2925id: j
2926version: 1.0.0
2927execute:
2928 shell: powershell
2929 script: "echo x"
2930 timeout: 30s
2931client:
2932 name: "A job"
2933 category: settings
2934 visible_to:
2935 groups: [wifi-affected]
2936"#;
2937 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
2938 m.validate().expect("visible_to with a group validates");
2939 let vt = m.client.unwrap().visible_to.unwrap();
2940 assert_eq!(vt.groups, vec!["wifi-affected".to_string()]);
2941 }
2942
2943 #[test]
2944 fn manifest_client_show_when_accepts_scalar_and_seq() {
2945 use crate::ipc::state::CheckStatus;
2946 // `is:` accepts a single status (author ergonomics) ...
2947 let scalar = r#"
2948id: office-update
2949version: 1.0.0
2950execute:
2951 shell: powershell
2952 script: "echo x"
2953 timeout: 30s
2954client:
2955 name: "Office を最新に更新"
2956 category: software_update
2957 show_when:
2958 check: office-up-to-date
2959 is: fail
2960"#;
2961 let m: Manifest = serde_yaml::from_str(scalar).expect("parse scalar");
2962 m.validate().expect("scalar show_when validates");
2963 let sw = m.client.unwrap().show_when.unwrap();
2964 assert_eq!(sw.check, "office-up-to-date");
2965 assert_eq!(sw.is, vec![CheckStatus::Fail]);
2966
2967 // ... and a list (e.g. fail-open on a not-yet-run check).
2968 let seq = scalar.replace("is: fail", "is: [fail, unknown]");
2969 let m: Manifest = serde_yaml::from_str(&seq).expect("parse seq");
2970 m.validate().expect("seq show_when validates");
2971 assert_eq!(
2972 m.client.unwrap().show_when.unwrap().is,
2973 vec![CheckStatus::Fail, CheckStatus::Unknown]
2974 );
2975 }
2976
2977 #[test]
2978 fn manifest_client_show_when_rejects_empty() {
2979 // A malformed check slug (here: internal spaces — a typo that could
2980 // never match a real check name) or an empty status list would
2981 // silently hide the job forever — validate() must reject both.
2982 let bad_check = r#"
2983id: j
2984version: 1.0.0
2985execute:
2986 shell: powershell
2987 script: "echo x"
2988 timeout: 30s
2989client:
2990 name: "A job"
2991 category: software_update
2992 show_when:
2993 check: "office up to date"
2994 is: fail
2995"#;
2996 let m: Manifest = serde_yaml::from_str(bad_check).expect("parse");
2997 let err = m.validate().expect_err("malformed check slug must fail");
2998 assert!(err.contains("client.show_when.check"), "err: {err}");
2999
3000 let empty_is = r#"
3001id: j
3002version: 1.0.0
3003execute:
3004 shell: powershell
3005 script: "echo x"
3006 timeout: 30s
3007client:
3008 name: "A job"
3009 category: software_update
3010 show_when:
3011 check: office-up-to-date
3012 is: []
3013"#;
3014 let m: Manifest = serde_yaml::from_str(empty_is).expect("parse");
3015 let err = m.validate().expect_err("empty is[] must fail");
3016 assert!(err.contains("client.show_when.is"), "err: {err}");
3017 }
3018
3019 #[test]
3020 fn manifest_client_requires_category_at_parse() {
3021 // A `client:` block missing `category` is a hard parse error
3022 // (serde required field) — no manual validate() needed.
3023 let yaml = r#"
3024id: j
3025version: 1.0.0
3026execute:
3027 shell: powershell
3028 script: "echo x"
3029 timeout: 30s
3030client:
3031 name: "A job"
3032"#;
3033 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
3034 assert!(
3035 r.is_err(),
3036 "missing category must be a parse error, got {r:?}"
3037 );
3038 }
3039
3040 #[test]
3041 fn manifest_client_rejects_unknown_field() {
3042 // #492: the strict create boundary catches a fat-fingered
3043 // `displayname:` (with its path) instead of silently
3044 // dropping it; the tolerant read path accepts it.
3045 let yaml = r#"
3046id: j
3047version: 1.0.0
3048execute:
3049 shell: powershell
3050 script: "echo x"
3051 timeout: 30s
3052client:
3053 name: "A job"
3054 category: catalog
3055 displayname: oops
3056"#;
3057 let r = crate::strict::from_yaml_str::<Manifest>(yaml);
3058 let err = r.expect_err("unknown client field must be rejected at the write boundary");
3059 // serde_ignored renders the Option layer as `?`:
3060 // `client.?.displayname`. Assert on the leaf key.
3061 assert!(err.contains("displayname"), "{err}");
3062 // The READ path tolerates the same payload (gradual-upgrade
3063 // contract: an old agent must accept a newer writer's field).
3064 let m: Manifest = serde_yaml::from_str(yaml).expect("tolerant read");
3065 assert_eq!(m.client.as_ref().map(|c| c.name.as_str()), Some("A job"));
3066 }
3067
3068 #[test]
3069 fn manifest_tags_default_empty() {
3070 // The overwhelming majority of jobs carry no tags; the field
3071 // must default to an empty Vec (not fail to parse) and skip
3072 // serialisation so old readers never see the key.
3073 let yaml = r#"
3074id: echo-test
3075version: 0.0.1
3076execute:
3077 shell: powershell
3078 script: "echo 'kanade'"
3079 timeout: 30s
3080"#;
3081 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3082 assert!(m.tags.is_empty());
3083 m.validate().expect("tag-less job validates");
3084 // skip_serializing_if = empty ⇒ the key is absent from JSON.
3085 let json = serde_json::to_string(&m).expect("serialize");
3086 assert!(
3087 !json.contains("tags"),
3088 "empty tags must not serialise: {json}"
3089 );
3090 }
3091
3092 #[test]
3093 fn manifest_parses_and_validates_tags() {
3094 let yaml = r#"
3095id: check-bitlocker
3096version: 0.1.0
3097execute:
3098 shell: powershell
3099 script: "echo x"
3100 timeout: 30s
3101tags: [security, windows, health-check]
3102"#;
3103 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3104 assert_eq!(m.tags, vec!["security", "windows", "health-check"]);
3105 m.validate().expect("tagged job validates");
3106 // Round-trips through JSON (the wire format the SPA reads).
3107 let json = serde_json::to_string(&m).expect("serialize");
3108 assert!(json.contains("\"tags\""), "non-empty tags must serialise");
3109 }
3110
3111 #[test]
3112 fn manifest_rejects_blank_tag() {
3113 // A whitespace-only tag renders an empty filter chip — reject
3114 // it at the write boundary like the other blank display fields.
3115 let yaml = r#"
3116id: j
3117version: 0.1.0
3118execute:
3119 shell: powershell
3120 script: "echo x"
3121 timeout: 30s
3122tags: [ok, " "]
3123"#;
3124 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3125 let err = m.validate().expect_err("blank tag must fail");
3126 assert!(err.contains("tags must not contain empty"), "err: {err}");
3127 }
3128
3129 // #720 — wrap an `aggregate:` YAML block (already indented as a
3130 // top-level key body) into an otherwise-minimal valid manifest.
3131 fn manifest_with_aggregate(aggregate_block: &str) -> Manifest {
3132 let yaml = format!(
3133 "id: t\nversion: 0.0.1\nexecute:\n shell: powershell\n script: echo hi\n timeout: 30s\n{aggregate_block}"
3134 );
3135 serde_yaml::from_str(&yaml).expect("parse aggregate manifest")
3136 }
3137
3138 #[test]
3139 fn aggregate_accepts_full_valid_spec() {
3140 // count+group_by+exclude+sample_minutes, ratio+bool_path,
3141 // timeline+time_bucket, fleet ranking via group_by: pc_id, and a
3142 // bare total stat — alongside emit (composes with every hint).
3143 let m = manifest_with_aggregate(
3144 "emit:\n type: events\naggregate:\n\
3145 - { dashboard: Utilization, title: Top apps, kind: app_sample, agg: count, group_by: foreground.app, sample_minutes: 2, exclude: [LockApp], render: bar }\n\
3146 - { dashboard: Utilization, title: Active ratio, kind: presence, agg: ratio, bool_path: active, sample_minutes: 5, render: gauge }\n\
3147 - { dashboard: Utilization, title: By hour, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: timeline }\n\
3148 - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
3149 - { dashboard: Reliability, title: Total crashes, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
3150 );
3151 m.validate().expect("valid aggregate spec");
3152 }
3153
3154 #[test]
3155 fn aggregate_rejects_empty_list() {
3156 let m = manifest_with_aggregate("aggregate: []\n");
3157 let err = m.validate().expect_err("empty list must fail");
3158 assert!(err.contains("at least one widget"), "err: {err}");
3159 }
3160
3161 #[test]
3162 fn aggregate_rejects_ratio_without_bool_path() {
3163 let m = manifest_with_aggregate(
3164 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
3165 );
3166 let err = m.validate().expect_err("ratio needs bool_path");
3167 assert!(err.contains("agg=ratio requires `bool_path`"), "err: {err}");
3168 }
3169
3170 #[test]
3171 fn aggregate_rejects_sum_without_value_path() {
3172 let m = manifest_with_aggregate(
3173 "aggregate:\n- { dashboard: D, title: T, kind: io, agg: sum, render: bar }\n",
3174 );
3175 let err = m.validate().expect_err("sum needs value_path");
3176 assert!(err.contains("agg=sum requires `value_path`"), "err: {err}");
3177 }
3178
3179 #[test]
3180 fn aggregate_rejects_pc_id_group_without_fleet() {
3181 let m = manifest_with_aggregate(
3182 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: count, group_by: pc_id, render: bar }\n",
3183 );
3184 let err = m.validate().expect_err("pc_id grouping needs fleet");
3185 assert!(
3186 err.contains("pc_id is only valid with scope: fleet"),
3187 "err: {err}"
3188 );
3189 }
3190
3191 #[test]
3192 fn aggregate_rejects_transform_with_pc_id_group() {
3193 let m = manifest_with_aggregate(
3194 "aggregate:\n- { dashboard: D, title: T, scope: fleet, kind: web_visit, agg: count, group_by: pc_id, transform: host, render: bar }\n",
3195 );
3196 let err = m
3197 .validate()
3198 .expect_err("transform on pc_id grouping must fail");
3199 assert!(
3200 err.contains("transform is not valid with group_by: pc_id"),
3201 "err: {err}"
3202 );
3203 }
3204
3205 #[test]
3206 fn aggregate_rejects_timeline_without_bucket() {
3207 let m = manifest_with_aggregate(
3208 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, render: timeline }\n",
3209 );
3210 let err = m.validate().expect_err("timeline needs a bucket");
3211 assert!(
3212 err.contains("render=timeline requires `time_bucket`"),
3213 "err: {err}"
3214 );
3215 }
3216
3217 #[test]
3218 fn aggregate_rejects_bucket_on_non_timeline() {
3219 let m = manifest_with_aggregate(
3220 "aggregate:\n- { dashboard: D, title: T, kind: presence, agg: ratio, bool_path: active, time_bucket: hour, render: gauge }\n",
3221 );
3222 let err = m.validate().expect_err("bucket only on timeline");
3223 assert!(
3224 err.contains("time_bucket is only valid with render: timeline"),
3225 "err: {err}"
3226 );
3227 }
3228
3229 #[test]
3230 fn aggregate_rejects_unsafe_json_path() {
3231 // A path with characters outside [A-Za-z0-9_.] could break out of
3232 // the `'$.' || ?` bind — reject at create time.
3233 let m = manifest_with_aggregate(
3234 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: \"foo'; DROP\", render: bar }\n",
3235 );
3236 let err = m.validate().expect_err("unsafe path must fail");
3237 assert!(err.contains("dotted JSON path"), "err: {err}");
3238 }
3239
3240 #[test]
3241 fn aggregate_rejects_blank_title() {
3242 let m = manifest_with_aggregate(
3243 "aggregate:\n- { dashboard: D, title: \" \", kind: k, agg: count, render: stat }\n",
3244 );
3245 let err = m.validate().expect_err("blank title must fail");
3246 assert!(err.contains("title must not be empty"), "err: {err}");
3247 }
3248
3249 #[test]
3250 fn aggregate_rejects_blank_kind() {
3251 let m = manifest_with_aggregate(
3252 "aggregate:\n- { dashboard: D, title: T, kind: \" \", agg: count, render: stat }\n",
3253 );
3254 let err = m.validate().expect_err("blank kind must fail");
3255 assert!(err.contains("kind must not be empty"), "err: {err}");
3256 }
3257
3258 #[test]
3259 fn aggregate_rejects_blank_source_when_set() {
3260 let m = manifest_with_aggregate(
3261 "aggregate:\n- { dashboard: D, title: T, kind: k, source: \"\", agg: count, render: stat }\n",
3262 );
3263 let err = m.validate().expect_err("blank source must fail");
3264 assert!(
3265 err.contains("source must not be empty when set"),
3266 "err: {err}"
3267 );
3268 }
3269
3270 #[test]
3271 fn aggregate_accepts_description_and_rejects_blank() {
3272 let ok = manifest_with_aggregate(
3273 "aggregate:\n- { dashboard: D, title: T, description: \"samples x 2 min\", kind: k, agg: count, render: stat }\n",
3274 );
3275 ok.validate()
3276 .expect("description is a valid optional field");
3277 assert_eq!(
3278 ok.aggregate.as_ref().unwrap()[0].description.as_deref(),
3279 Some("samples x 2 min")
3280 );
3281 let bad = manifest_with_aggregate(
3282 "aggregate:\n- { dashboard: D, title: T, description: \" \", kind: k, agg: count, render: stat }\n",
3283 );
3284 let err = bad.validate().expect_err("blank description must fail");
3285 assert!(
3286 err.contains("description must not be empty when set"),
3287 "err: {err}"
3288 );
3289 }
3290
3291 #[test]
3292 fn aggregate_rejects_count_with_value_path() {
3293 let m = manifest_with_aggregate(
3294 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, value_path: bytes, render: stat }\n",
3295 );
3296 let err = m.validate().expect_err("count must not use value_path");
3297 assert!(
3298 err.contains("agg=count does not use `value_path`"),
3299 "err: {err}"
3300 );
3301 }
3302
3303 #[test]
3304 fn aggregate_rejects_ratio_with_value_path() {
3305 let m = manifest_with_aggregate(
3306 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: ratio, bool_path: active, value_path: bytes, render: gauge }\n",
3307 );
3308 let err = m.validate().expect_err("ratio must not use value_path");
3309 assert!(
3310 err.contains("agg=ratio does not use `value_path`"),
3311 "err: {err}"
3312 );
3313 }
3314
3315 #[test]
3316 fn aggregate_rejects_gauge_without_ratio() {
3317 let m = manifest_with_aggregate(
3318 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, render: gauge }\n",
3319 );
3320 let err = m.validate().expect_err("gauge needs ratio");
3321 assert!(
3322 err.contains("render=gauge is only valid with agg: ratio"),
3323 "err: {err}"
3324 );
3325 }
3326
3327 #[test]
3328 fn aggregate_rejects_limit_without_group_by() {
3329 let m = manifest_with_aggregate(
3330 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, limit: 5, render: stat }\n",
3331 );
3332 let err = m.validate().expect_err("limit needs group_by");
3333 assert!(err.contains("limit requires `group_by`"), "err: {err}");
3334 }
3335
3336 #[test]
3337 fn aggregate_rejects_exclude_without_group_by() {
3338 let m = manifest_with_aggregate(
3339 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, exclude: [x], render: stat }\n",
3340 );
3341 let err = m.validate().expect_err("exclude needs group_by");
3342 assert!(err.contains("exclude requires `group_by`"), "err: {err}");
3343 }
3344
3345 #[test]
3346 fn aggregate_rejects_zero_limit_and_zero_sample_minutes() {
3347 let m = manifest_with_aggregate(
3348 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, limit: 0, render: bar }\n",
3349 );
3350 assert!(m.validate().unwrap_err().contains("limit must be > 0"));
3351 let m = manifest_with_aggregate(
3352 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, sample_minutes: 0, render: bar }\n",
3353 );
3354 assert!(
3355 m.validate()
3356 .unwrap_err()
3357 .contains("sample_minutes must be > 0")
3358 );
3359 }
3360
3361 #[test]
3362 fn aggregate_rejects_empty_exclude_entry() {
3363 let m = manifest_with_aggregate(
3364 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, group_by: app, exclude: [\" \"], render: bar }\n",
3365 );
3366 let err = m.validate().expect_err("blank exclude entry must fail");
3367 assert!(
3368 err.contains("exclude must not contain empty entries"),
3369 "err: {err}"
3370 );
3371 }
3372
3373 #[test]
3374 fn aggregate_rejects_malformed_dotted_paths() {
3375 for bad in [".foo", "foo.", "foo..bar", "."] {
3376 let m = manifest_with_aggregate(&format!(
3377 "aggregate:\n- {{ dashboard: D, title: T, kind: k, agg: count, group_by: \"{bad}\", render: bar }}\n"
3378 ));
3379 let err = m.validate().expect_err("malformed path must fail");
3380 assert!(err.contains("dotted JSON path"), "path {bad}: {err}");
3381 }
3382 }
3383
3384 #[test]
3385 fn aggregate_rejects_unknown_enum_value() {
3386 // An unrecognised render string deserialises to the #492 Unknown
3387 // catch-all (so old readers don't choke); validate() rejects it as
3388 // a typo at create time.
3389 let m = manifest_with_aggregate(
3390 "aggregate:\n- { dashboard: D, title: T, kind: k, agg: count, render: heatmap }\n",
3391 );
3392 let err = m.validate().expect_err("unknown render must fail");
3393 assert!(err.contains("render is not a known value"), "err: {err}");
3394 }
3395
3396 #[test]
3397 fn aggregate_accepts_order_field() {
3398 let m = manifest_with_aggregate(
3399 "aggregate:\n- { dashboard: D, title: T, order: -5, kind: k, agg: count, render: stat }\n",
3400 );
3401 m.validate().expect("order is a valid optional field");
3402 let w = &m.aggregate.as_ref().unwrap()[0];
3403 assert_eq!(w.order, Some(-5));
3404 }
3405
3406 #[test]
3407 fn aggregate_accepts_minimal_op_timeline() {
3408 // op_timeline needs no kind/agg — it reconstructs a fixed multi-kind
3409 // swimlane. A bare per-PC spec is valid, and `kind`/`agg` stay None.
3410 let m = manifest_with_aggregate(
3411 "aggregate:\n- { dashboard: Uptime, title: Operational state, scope: pc, render: op_timeline }\n",
3412 );
3413 m.validate().expect("minimal op_timeline is valid");
3414 let w = &m.aggregate.as_ref().unwrap()[0];
3415 assert_eq!(w.render, AggregateRender::OpTimeline);
3416 assert!(w.kind.is_none());
3417 assert!(w.agg.is_none());
3418 }
3419
3420 #[test]
3421 fn aggregate_rejects_op_timeline_with_fleet_scope() {
3422 let m = manifest_with_aggregate(
3423 "aggregate:\n- { dashboard: Uptime, title: T, scope: fleet, render: op_timeline }\n",
3424 );
3425 let err = m.validate().expect_err("op_timeline must be per-PC");
3426 assert!(
3427 err.contains("render=op_timeline requires scope: pc"),
3428 "err: {err}"
3429 );
3430 }
3431
3432 #[test]
3433 fn aggregate_rejects_op_timeline_with_aggregation_fields() {
3434 // Each aggregation knob the operator might paste in is rejected
3435 // (rather than silently ignored), pointing at the field to delete.
3436 for (block, field) in [
3437 ("kind: boot", "kind"),
3438 ("agg: count", "agg"),
3439 ("source: winlog:Security", "source"),
3440 ("group_by: pc_id", "group_by"),
3441 ("bool_path: active", "bool_path"),
3442 ("time_bucket: hour", "time_bucket"),
3443 ("limit: 5", "limit"),
3444 ] {
3445 let m = manifest_with_aggregate(&format!(
3446 "aggregate:\n- {{ dashboard: Uptime, title: T, scope: pc, {block}, render: op_timeline }}\n"
3447 ));
3448 let err = m
3449 .validate()
3450 .expect_err(&format!("op_timeline must reject {field}"));
3451 assert!(
3452 err.contains(&format!("render=op_timeline does not use `{field}`")),
3453 "field {field}: {err}"
3454 );
3455 }
3456 }
3457
3458 // ── #743 View resource ───────────────────────────────────────────
3459 fn view_from(yaml_body: &str) -> View {
3460 serde_yaml::from_str(&format!("id: v1\n{yaml_body}")).expect("parse view")
3461 }
3462
3463 #[test]
3464 fn view_accepts_valid_widgets() {
3465 let v = view_from(
3466 "widgets:\n\
3467 - { dashboard: Reliability, title: Crashes by PC, scope: fleet, kind: unexpected_shutdown, agg: count, group_by: pc_id, render: bar }\n\
3468 - { dashboard: Reliability, title: Total, scope: fleet, kind: unexpected_shutdown, agg: count, render: stat }\n",
3469 );
3470 v.validate().expect("valid view");
3471 }
3472
3473 #[test]
3474 fn view_rejects_empty_widgets() {
3475 let v = view_from("widgets: []\n");
3476 let err = v.validate().expect_err("empty widgets must fail");
3477 assert!(err.contains("at least one widget"), "err: {err}");
3478 }
3479
3480 #[test]
3481 fn view_rejects_blank_id() {
3482 let v: View = serde_yaml::from_str(
3483 "id: \" \"\nwidgets:\n- { dashboard: D, title: T, kind: k, agg: count, render: stat }\n",
3484 )
3485 .expect("parse");
3486 let err = v.validate().expect_err("blank id must fail");
3487 assert!(err.contains("view.id must"), "err: {err}");
3488 }
3489
3490 #[test]
3491 fn view_rejects_unsafe_id() {
3492 // A `/` or `..` in the id would break the KV key and the
3493 // `/api/views/{id}` URL segment — reject at create time.
3494 for bad in ["../etc", "a/b", "has space", "x;y"] {
3495 let v: View = serde_yaml::from_str(&format!(
3496 "id: \"{bad}\"\nwidgets:\n- {{ dashboard: D, title: T, kind: k, agg: count, render: stat }}\n",
3497 ))
3498 .expect("parse");
3499 let err = v.validate().expect_err("unsafe id must fail");
3500 assert!(err.contains("[A-Za-z0-9._-]"), "id {bad}: {err}");
3501 }
3502 assert!(is_valid_resource_id("dashboards-fleet.v1_2"));
3503 }
3504
3505 #[test]
3506 fn view_reuses_shared_widget_validation() {
3507 // The same per-widget rule the job hint enforces (ratio needs
3508 // bool_path), reported under the `widgets[..]` field.
3509 let v = view_from(
3510 "widgets:\n- { dashboard: D, title: T, kind: presence, agg: ratio, render: gauge }\n",
3511 );
3512 let err = v.validate().expect_err("ratio without bool_path must fail");
3513 assert!(
3514 err.contains("widgets[0].agg=ratio requires `bool_path`"),
3515 "err: {err}"
3516 );
3517 }
3518
3519 fn execute_with(
3520 script: Option<&str>,
3521 script_file: Option<&str>,
3522 script_object: Option<&str>,
3523 ) -> Execute {
3524 Execute {
3525 shell: ExecuteShell::Powershell,
3526 script: script.map(str::to_owned),
3527 script_file: script_file.map(str::to_owned),
3528 script_object: script_object.map(str::to_owned),
3529 timeout: "30s".into(),
3530 run_as: RunAs::default(),
3531 cwd: None,
3532 }
3533 }
3534
3535 #[test]
3536 fn validate_accepts_inline_script() {
3537 let e = execute_with(Some("echo hi"), None, None);
3538 assert!(e.validate_script_source().is_ok());
3539 }
3540
3541 #[test]
3542 fn validate_accepts_script_file_alone() {
3543 let e = execute_with(None, Some("scripts/cleanup.ps1"), None);
3544 assert!(e.validate_script_source().is_ok());
3545 }
3546
3547 #[test]
3548 fn validate_accepts_script_object_alone() {
3549 let e = execute_with(None, None, Some("cleanup/1.0.0"));
3550 assert!(e.validate_script_source().is_ok());
3551 }
3552
3553 #[test]
3554 fn validate_treats_empty_inline_script_as_unset() {
3555 // `script: ""` + `script_object` set is the natural shape
3556 // when an operator comments out the YAML block-scalar body
3557 // but leaves the key. Should pass.
3558 let e = execute_with(Some(""), None, Some("cleanup/1.0.0"));
3559 assert!(e.validate_script_source().is_ok());
3560 }
3561
3562 #[test]
3563 fn validate_rejects_zero_sources() {
3564 let e = execute_with(None, None, None);
3565 let err = e.validate_script_source().unwrap_err();
3566 assert!(err.contains("must be set"), "got: {err}");
3567 }
3568
3569 #[test]
3570 fn validate_rejects_empty_inline_only() {
3571 let e = execute_with(Some(""), None, None);
3572 let err = e.validate_script_source().unwrap_err();
3573 assert!(err.contains("must be set"), "got: {err}");
3574 }
3575
3576 #[test]
3577 fn validate_rejects_inline_plus_file() {
3578 let e = execute_with(Some("echo hi"), Some("scripts/cleanup.ps1"), None);
3579 let err = e.validate_script_source().unwrap_err();
3580 assert!(err.contains("only one of"), "got: {err}");
3581 }
3582
3583 #[test]
3584 fn validate_rejects_inline_plus_object() {
3585 let e = execute_with(Some("echo hi"), None, Some("cleanup/1.0.0"));
3586 let err = e.validate_script_source().unwrap_err();
3587 assert!(err.contains("only one of"), "got: {err}");
3588 }
3589
3590 #[test]
3591 fn validate_rejects_file_plus_object() {
3592 let e = execute_with(None, Some("scripts/cleanup.ps1"), Some("cleanup/1.0.0"));
3593 let err = e.validate_script_source().unwrap_err();
3594 assert!(err.contains("only one of"), "got: {err}");
3595 }
3596
3597 #[test]
3598 fn validate_rejects_all_three() {
3599 let e = execute_with(
3600 Some("echo hi"),
3601 Some("scripts/cleanup.ps1"),
3602 Some("cleanup/1.0.0"),
3603 );
3604 let err = e.validate_script_source().unwrap_err();
3605 assert!(err.contains("only one of"), "got: {err}");
3606 }
3607
3608 #[test]
3609 fn manifest_deserialises_script_object_yaml() {
3610 // SPEC §2.4.1 example shape with the Object Store
3611 // reference picked over inline.
3612 let yaml = r#"
3613id: cleanup-disk-temp
3614version: 1.0.1
3615execute:
3616 shell: powershell
3617 script_object: cleanup-disk-temp/1.0.1
3618 timeout: 600s
3619"#;
3620 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
3621 assert_eq!(
3622 m.execute.script_object.as_deref(),
3623 Some("cleanup-disk-temp/1.0.1")
3624 );
3625 assert!(m.execute.script.is_none());
3626 m.validate()
3627 .expect("script_object-only manifest passes validation");
3628 }
3629
3630 #[test]
3631 fn manifest_rejects_typo_in_script_field_name() {
3632 // #492: the strict create boundary catches `script_objectt`
3633 // and similar fat-fingers (with the full path) instead of
3634 // letting them silently fall through to "all three unset".
3635 let yaml = r#"
3636id: typo
3637version: 1.0.0
3638execute:
3639 shell: powershell
3640 script_objectt: oops
3641 timeout: 30s
3642"#;
3643 let err = crate::strict::from_yaml_str::<Manifest>(yaml)
3644 .expect_err("typo'd execute field must be rejected at the write boundary");
3645 assert!(err.contains("execute.script_objectt"), "{err}");
3646 }
3647
3648 #[test]
3649 fn schedule_carries_target_and_rollout() {
3650 let yaml = r#"
3651id: hourly-cleanup-canary
3652when:
3653 per_pc: { every: 1h }
3654job_id: cleanup
3655enabled: true
3656target:
3657 groups: [canary, wave1]
3658jitter: 30s
3659rollout:
3660 strategy: wave
3661 waves:
3662 - { group: canary, delay: 0s }
3663 - { group: wave1, delay: 5s }
3664"#;
3665 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3666 assert_eq!(s.id, "hourly-cleanup-canary");
3667 assert_eq!(s.job_id, "cleanup");
3668 assert_eq!(s.plan.target.groups, vec!["canary", "wave1"]);
3669 assert_eq!(s.plan.jitter.as_deref(), Some("30s"));
3670 let rollout = s.plan.rollout.expect("rollout present");
3671 assert_eq!(rollout.waves.len(), 2);
3672 assert_eq!(rollout.waves[0].group, "canary");
3673 assert_eq!(rollout.waves[1].delay, "5s");
3674 assert_eq!(rollout.strategy, RolloutStrategy::Wave);
3675 }
3676
3677 #[test]
3678 fn schedule_minimal_target_all() {
3679 let yaml = r#"
3680id: kitting
3681when:
3682 per_pc: once
3683enabled: true
3684job_id: scheduled-echo
3685target: { all: true }
3686"#;
3687 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3688 assert_eq!(s.id, "kitting");
3689 assert_eq!(s.when, When::PerPc(PerPolicy::Once(OnceLiteral::Once)));
3690 assert!(s.enabled);
3691 assert_eq!(s.job_id, "scheduled-echo");
3692 assert!(s.plan.target.all);
3693 assert!(s.plan.rollout.is_none());
3694 assert!(s.plan.jitter.is_none());
3695 assert!(s.active.is_empty());
3696 }
3697
3698 #[test]
3699 fn schedule_enabled_defaults_to_true() {
3700 let yaml = r#"
3701id: x
3702when:
3703 per_pc: once
3704job_id: y
3705target: { all: true }
3706"#;
3707 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3708 assert!(s.enabled);
3709 }
3710
3711 #[test]
3712 fn schedule_tags_default_empty_and_skip_serialise() {
3713 let yaml = r#"
3714id: x
3715when:
3716 per_pc: once
3717job_id: y
3718target: { all: true }
3719"#;
3720 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3721 assert!(s.tags.is_empty());
3722 s.validate().expect("tag-less schedule validates");
3723 let json = serde_json::to_string(&s).expect("serialize");
3724 assert!(
3725 !json.contains("tags"),
3726 "empty tags must not serialise: {json}"
3727 );
3728 }
3729
3730 #[test]
3731 fn schedule_parses_and_validates_tags() {
3732 let yaml = r#"
3733id: weekly-cleanup
3734when:
3735 per_pc: { every: 1h }
3736job_id: cleanup
3737target: { all: true }
3738tags: [weekly, maintenance]
3739"#;
3740 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3741 assert_eq!(s.tags, vec!["weekly", "maintenance"]);
3742 s.validate().expect("tagged schedule validates");
3743 }
3744
3745 #[test]
3746 fn schedule_rejects_blank_tag() {
3747 let yaml = r#"
3748id: x
3749when:
3750 per_pc: once
3751job_id: y
3752target: { all: true }
3753tags: [ok, " "]
3754"#;
3755 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
3756 let err = s.validate().expect_err("blank tag must fail");
3757 assert!(err.contains("tags must not contain empty"), "err: {err}");
3758 }
3759
3760 // ---- `when` parsing (#418 Phase 1) ----
3761
3762 fn schedule_yaml_with(when_block: &str) -> String {
3763 format!(
3764 r#"
3765id: x
3766when:
3767{when_block}
3768job_id: y
3769target: {{ all: true }}
3770"#
3771 )
3772 }
3773
3774 #[test]
3775 fn when_per_pc_every_parses_unquoted_humantime() {
3776 // `6h` is digit-led but non-numeric → YAML string, same as
3777 // the old `cooldown: 6h` convention. No quotes needed.
3778 let s: Schedule =
3779 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { every: 6h }")).expect("parse");
3780 assert_eq!(
3781 s.when,
3782 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() }))
3783 );
3784 }
3785
3786 #[test]
3787 fn when_per_target_every_parses() {
3788 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(" per_target: { every: 24h }"))
3789 .expect("parse");
3790 assert_eq!(
3791 s.when,
3792 When::PerTarget(PerPolicy::Every(EverySpec {
3793 every: "24h".into()
3794 }))
3795 );
3796 }
3797
3798 #[test]
3799 fn when_per_target_once_parses() {
3800 // Falls out of the shared PerPolicy shape and decide_fire
3801 // already implements it ("any one pc succeeds → skip the
3802 // target forever"), so it is allowed, not rejected.
3803 let s: Schedule =
3804 serde_yaml::from_str(&schedule_yaml_with(" per_target: once")).expect("parse");
3805 assert_eq!(s.when, When::PerTarget(PerPolicy::Once(OnceLiteral::Once)));
3806 }
3807
3808 #[test]
3809 fn when_calendar_time_parses() {
3810 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(
3811 " calendar:\n at: \"09:00\"\n days: [mon-fri]",
3812 ))
3813 .expect("parse");
3814 match &s.when {
3815 When::Calendar(c) => {
3816 assert_eq!(c.at, "09:00");
3817 assert_eq!(c.days, vec!["mon-fri"]);
3818 }
3819 other => panic!("expected calendar, got {other:?}"),
3820 }
3821 }
3822
3823 #[test]
3824 fn when_calendar_days_default_empty() {
3825 let s: Schedule =
3826 serde_yaml::from_str(&schedule_yaml_with(" calendar:\n at: \"09:00\""))
3827 .expect("parse");
3828 match &s.when {
3829 When::Calendar(c) => assert!(c.days.is_empty(), "days defaults to empty (= daily)"),
3830 other => panic!("expected calendar, got {other:?}"),
3831 }
3832 }
3833
3834 #[test]
3835 fn when_calendar_datetime_parses_all_separators() {
3836 // one-shot: date+time in hyphen / ISO-T / slash forms
3837 for at in ["2026-06-10 09:00", "2026-06-10T09:00", "2026/06/10 09:00"] {
3838 let block = format!(" calendar:\n at: \"{at}\"");
3839 let s: Schedule = serde_yaml::from_str(&schedule_yaml_with(&block))
3840 .unwrap_or_else(|e| panic!("parse '{at}': {e}"));
3841 match &s.when {
3842 When::Calendar(c) => {
3843 use chrono::Datelike;
3844 let p = c.parse_at().expect("parse_at");
3845 let d = p.date.expect("datetime at carries a date");
3846 assert_eq!((d.year(), d.month(), d.day()), (2026, 6, 10), "for '{at}'");
3847 }
3848 other => panic!("expected calendar, got {other:?}"),
3849 }
3850 }
3851 }
3852
3853 #[test]
3854 fn when_rejects_bad_once_keyword() {
3855 // `onec` must be a parse error, not a silently-absorbed
3856 // string (OnceLiteral is a single-variant enum for exactly
3857 // this reason).
3858 let r: Result<Schedule, _> = serde_yaml::from_str(&schedule_yaml_with(" per_pc: onec"));
3859 assert!(r.is_err(), "expected parse error, got {r:?}");
3860 }
3861
3862 #[test]
3863 fn when_rejects_unknown_key_in_every() {
3864 // `{ evry: 6h }` still fails on the tolerant read path: the
3865 // required `every` key is missing, so no PerPolicy variant
3866 // matches (#492 removed deny_unknown_fields, but required
3867 // keys keep the untagged disambiguation honest).
3868 let r: Result<Schedule, _> =
3869 serde_yaml::from_str(&schedule_yaml_with(" per_pc: { evry: 6h }"));
3870 assert!(r.is_err(), "expected parse error, got {r:?}");
3871 }
3872
3873 #[test]
3874 fn when_rejects_unknown_variant() {
3875 let r: Result<Schedule, _> =
3876 serde_yaml::from_str(&schedule_yaml_with(" per_galaxy: once"));
3877 assert!(r.is_err(), "expected parse error, got {r:?}");
3878 }
3879
3880 #[test]
3881 fn when_rejects_old_top_level_cron_field() {
3882 // Pre-#418 shape: top-level `cron:` + no `when:`. Must fail
3883 // loudly (missing `when`), which is what turns stale KV
3884 // blobs into warn-skips after the upgrade.
3885 let yaml = r#"
3886id: x
3887cron: "* * * * * *"
3888job_id: y
3889target: { all: true }
3890"#;
3891 let r: Result<Schedule, _> = serde_yaml::from_str(yaml);
3892 assert!(r.is_err(), "expected parse error, got {r:?}");
3893 }
3894
3895 #[test]
3896 fn when_rejects_retired_cron_escape_hatch() {
3897 // #418 Phase 2 retired `when: { cron: "..." }`. A raw cron
3898 // is now an unknown variant → parse error (operators use the
3899 // calendar form instead).
3900 let r: Result<Schedule, _> =
3901 serde_yaml::from_str(&schedule_yaml_with(" cron: \"0 0 9 * * mon-fri\""));
3902 assert!(
3903 r.is_err(),
3904 "expected parse error for retired cron, got {r:?}"
3905 );
3906 }
3907
3908 #[test]
3909 fn when_round_trips_json_and_yaml() {
3910 // Round-trip through the full Schedule: that is the wire
3911 // unit for both stores (JSON catalog KV + YAML mirror), and
3912 // it exercises the singleton_map field attribute that keeps
3913 // serde_yaml on the map shape instead of `!per_pc` tags.
3914 for when in [
3915 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3916 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3917 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
3918 When::PerTarget(PerPolicy::Every(EverySpec {
3919 every: "24h".into(),
3920 })),
3921 calendar("09:00", &["mon-fri"]),
3922 calendar("2026-06-10 09:00", &[]),
3923 When::On(vec![OnTrigger::Startup]),
3924 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
3925 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
3926 When::On(vec![OnTrigger::NetworkChange]),
3927 ] {
3928 // Event triggers are agent-only; the rest validate on backend.
3929 let runs_on = if matches!(when, When::On(_)) {
3930 RunsOn::Agent
3931 } else {
3932 RunsOn::Backend
3933 };
3934 let s = schedule_with(when.clone(), runs_on);
3935
3936 let json = serde_json::to_string(&s).expect("json serialise");
3937 let back: Schedule = serde_json::from_str(&json).expect("json deserialise");
3938 assert_eq!(back.when, when, "json round-trip for {when}");
3939
3940 let yaml = serde_yaml::to_string(&s).expect("yaml serialise");
3941 assert!(
3942 !yaml.contains('!'),
3943 "yaml must use the map shape, not tags: {yaml}"
3944 );
3945 let back: Schedule = serde_yaml::from_str(&yaml).expect("yaml deserialise");
3946 assert_eq!(back.when, when, "yaml round-trip for {when}");
3947 }
3948 }
3949
3950 #[test]
3951 fn when_once_serialises_as_bare_keyword() {
3952 // The wire shape operators see in the YAML mirror must stay
3953 // the ergonomic `per_pc: once`, not a one-variant map.
3954 let json = serde_json::to_value(When::PerPc(PerPolicy::Once(OnceLiteral::Once)))
3955 .expect("serialise");
3956 assert_eq!(json, serde_json::json!({ "per_pc": "once" }));
3957 }
3958
3959 #[test]
3960 fn when_displays_operator_summary() {
3961 for (when, expected) in [
3962 (
3963 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
3964 "per_pc once",
3965 ),
3966 (
3967 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
3968 "per_pc every 6h",
3969 ),
3970 (
3971 When::PerTarget(PerPolicy::Every(EverySpec {
3972 every: "24h".into(),
3973 })),
3974 "per_target every 24h",
3975 ),
3976 (calendar("09:00", &["mon-fri"]), "at 09:00 [mon-fri]"),
3977 (calendar("2026-06-10 09:00", &[]), "at 2026-06-10 09:00"),
3978 (When::On(vec![OnTrigger::Startup]), "on [startup]"),
3979 (
3980 When::On(vec![OnTrigger::Startup, OnTrigger::Logon]),
3981 "on [startup,logon]",
3982 ),
3983 (
3984 When::On(vec![OnTrigger::Lock, OnTrigger::Unlock]),
3985 "on [lock,unlock]",
3986 ),
3987 (
3988 When::On(vec![OnTrigger::NetworkChange]),
3989 "on [network_change]",
3990 ),
3991 ] {
3992 assert_eq!(when.to_string(), expected);
3993 }
3994 }
3995
3996 // ---- lowering (#418: when → engine vocabulary) ----
3997
3998 fn schedule_with(when: When, runs_on: RunsOn) -> Schedule {
3999 Schedule {
4000 id: "x".into(),
4001 when,
4002 job_id: "y".into(),
4003 plan: FanoutPlan::default(),
4004 active: Active::default(),
4005 constraints: Constraints::default(),
4006 on_failure: OnFailure::default(),
4007 tz: ScheduleTz::default(),
4008 starting_deadline: None,
4009 runs_on,
4010 enabled: true,
4011 tags: Vec::new(),
4012 origin: None,
4013 }
4014 }
4015
4016 fn calendar(at: &str, days: &[&str]) -> When {
4017 When::Calendar(CalendarSpec {
4018 at: at.into(),
4019 days: days.iter().map(|d| (*d).to_string()).collect(),
4020 })
4021 }
4022
4023 #[test]
4024 fn next_calendar_fire_returns_next_utc_occurrence() {
4025 use chrono::TimeZone;
4026 // Daily 09:00, evaluated in UTC. From 08:00 the same day, the
4027 // next strict occurrence is 09:00 that day.
4028 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4029 s.tz = ScheduleTz::Utc;
4030 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 8, 0, 0).unwrap();
4031 let next = s.next_calendar_fire(now).expect("calendar has a next fire");
4032 assert_eq!(
4033 next,
4034 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap()
4035 );
4036 }
4037
4038 #[test]
4039 fn next_calendar_fire_is_strictly_after_now() {
4040 use chrono::TimeZone;
4041 // Standing exactly on a fire instant must preview the *next*
4042 // one (inclusive = false), not the one firing right now.
4043 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4044 s.tz = ScheduleTz::Utc;
4045 let on_fire = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap();
4046 let next = s
4047 .next_calendar_fire(on_fire)
4048 .expect("calendar has a next fire");
4049 assert_eq!(
4050 next,
4051 chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()
4052 );
4053 }
4054
4055 #[test]
4056 fn next_calendar_fire_none_for_reconcile_shapes() {
4057 // `per_pc` / `per_target` lower to the every-minute poll cron —
4058 // no discrete upcoming event to preview, so `None`.
4059 let now = chrono::Utc::now();
4060 for when in [
4061 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4062 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
4063 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4064 When::PerTarget(PerPolicy::Every(EverySpec {
4065 every: "24h".into(),
4066 })),
4067 ] {
4068 let s = schedule_with(when, RunsOn::Backend);
4069 assert!(
4070 s.next_calendar_fire(now).is_none(),
4071 "reconcile shapes have no calendar fire",
4072 );
4073 }
4074 }
4075
4076 // ---- preview_fires (#418 dry-run / preview) ----
4077
4078 fn cal_utc(at: &str, days: &[&str]) -> Schedule {
4079 let mut s = schedule_with(calendar(at, days), RunsOn::Backend);
4080 s.tz = ScheduleTz::Utc; // host-independent assertions
4081 s
4082 }
4083
4084 #[test]
4085 fn preview_lists_next_calendar_occurrences() {
4086 use chrono::TimeZone;
4087 // Weekday 09:00, from Wed 2026-06-10 00:00 UTC: the next five
4088 // fires skip the weekend (Sat 13 / Sun 14).
4089 let s = cal_utc("09:00", &["mon-fri"]);
4090 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
4091 let got = s.preview_fires(now, 5);
4092 let want: Vec<_> = [
4093 (2026, 6, 10), // Wed
4094 (2026, 6, 11), // Thu
4095 (2026, 6, 12), // Fri
4096 (2026, 6, 15), // Mon (skips Sat 13 / Sun 14)
4097 (2026, 6, 16), // Tue
4098 ]
4099 .iter()
4100 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
4101 .collect();
4102 assert_eq!(got, want);
4103 }
4104
4105 #[test]
4106 fn preview_handles_nth_and_last_weekday() {
4107 use chrono::TimeZone;
4108 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
4109 // 2nd Tuesday (Patch Tuesday): Jun 9, Jul 14 2026.
4110 let nth = cal_utc("09:00", &["tue#2"]).preview_fires(now, 2);
4111 assert_eq!(
4112 nth,
4113 vec![
4114 chrono::Utc.with_ymd_and_hms(2026, 6, 9, 9, 0, 0).unwrap(),
4115 chrono::Utc.with_ymd_and_hms(2026, 7, 14, 9, 0, 0).unwrap(),
4116 ]
4117 );
4118 // Last Friday of the month: Jun 26, Jul 31 2026.
4119 let last = cal_utc("22:00", &["friL"]).preview_fires(now, 2);
4120 assert_eq!(
4121 last,
4122 vec![
4123 chrono::Utc.with_ymd_and_hms(2026, 6, 26, 22, 0, 0).unwrap(),
4124 chrono::Utc.with_ymd_and_hms(2026, 7, 31, 22, 0, 0).unwrap(),
4125 ]
4126 );
4127 }
4128
4129 #[test]
4130 fn preview_is_empty_for_reconcile_and_zero_count() {
4131 let now = chrono::Utc::now();
4132 // reconcile shapes have no discrete fire times
4133 let recon = schedule_with(
4134 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4135 RunsOn::Backend,
4136 );
4137 assert!(recon.preview_fires(now, 5).is_empty());
4138 // count == 0 yields nothing even for a calendar
4139 assert!(cal_utc("09:00", &[]).preview_fires(now, 0).is_empty());
4140 }
4141
4142 #[test]
4143 fn preview_skips_outside_active_window() {
4144 use chrono::TimeZone;
4145 // Daily 09:00, active only [2026-06-15, 2026-06-17). Occurrences
4146 // before `from` are skipped; `until` is exclusive, so 06-17's
4147 // fire is out — leaving exactly the 15th and 16th.
4148 let mut s = cal_utc("09:00", &[]);
4149 s.active = Active {
4150 from: Some("2026-06-15".into()),
4151 until: Some("2026-06-17".into()),
4152 };
4153 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
4154 let got = s.preview_fires(now, 5);
4155 assert_eq!(
4156 got,
4157 vec![
4158 chrono::Utc.with_ymd_and_hms(2026, 6, 15, 9, 0, 0).unwrap(),
4159 chrono::Utc.with_ymd_and_hms(2026, 6, 16, 9, 0, 0).unwrap(),
4160 ]
4161 );
4162 }
4163
4164 #[test]
4165 fn preview_empty_when_calendar_time_outside_window() {
4166 use chrono::TimeZone;
4167 // Fires at 09:00 but the maintenance window is overnight — it can
4168 // never run, so the preview is empty (matches
4169 // `calendar_outside_window`), and the scan still terminates.
4170 let mut s = cal_utc("09:00", &[]);
4171 s.constraints = Constraints {
4172 window: Some("22:00-05:00".into()),
4173 ..Constraints::default()
4174 };
4175 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
4176 assert!(s.preview_fires(now, 5).is_empty());
4177 // Every candidate tick is rejected, so this also exercises the
4178 // SCAN_CAP bound: a large `count` must still terminate (and
4179 // return empty) rather than spin (claude #578 review).
4180 assert!(s.preview_fires(now, 50).is_empty());
4181 }
4182
4183 #[test]
4184 fn preview_past_one_shot_is_empty() {
4185 use chrono::TimeZone;
4186 // A dated one-shot whose instant has passed never fires again.
4187 let s = cal_utc("2026-06-10 09:00", &[]);
4188 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 0, 0, 0).unwrap();
4189 assert!(s.preview_fires(now, 5).is_empty());
4190 // …but from before it, the single future fire shows up.
4191 let before = chrono::Utc.with_ymd_and_hms(2026, 6, 1, 0, 0, 0).unwrap();
4192 assert_eq!(
4193 s.preview_fires(before, 5),
4194 vec![chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap()]
4195 );
4196 }
4197
4198 #[test]
4199 fn lowering_matches_the_418_table() {
4200 let cases = [
4201 (
4202 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4203 (POLL_CRON, ExecMode::OncePerPc, None),
4204 ),
4205 (
4206 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4207 (POLL_CRON, ExecMode::OncePerPc, Some("6h")),
4208 ),
4209 (
4210 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
4211 (POLL_CRON, ExecMode::OncePerTarget, None),
4212 ),
4213 (
4214 When::PerTarget(PerPolicy::Every(EverySpec {
4215 every: "24h".into(),
4216 })),
4217 (POLL_CRON, ExecMode::OncePerTarget, Some("24h")),
4218 ),
4219 // calendar repeating → 6-field cron
4220 (
4221 calendar("09:00", &["mon-fri"]),
4222 ("0 0 9 * * mon-fri", ExecMode::EveryTick, None),
4223 ),
4224 // calendar daily (no days) → DOW *
4225 (
4226 calendar("18:30", &[]),
4227 ("0 30 18 * * *", ExecMode::EveryTick, None),
4228 ),
4229 // calendar one-shot → 7-field year cron
4230 (
4231 calendar("2026-06-10 09:00", &[]),
4232 ("0 0 9 10 6 * 2026", ExecMode::EveryTick, None),
4233 ),
4234 ];
4235 for (when, (cron, mode, cooldown)) in cases {
4236 let l = schedule_with(when.clone(), RunsOn::Backend).lowered();
4237 assert_eq!(l.cron, cron, "cron for {when}");
4238 assert_eq!(l.mode, mode, "mode for {when}");
4239 assert_eq!(l.cooldown.as_deref(), cooldown, "cooldown for {when}");
4240 }
4241 }
4242
4243 #[test]
4244 fn lowered_carries_schedule_tz() {
4245 for (tz, want) in [
4246 (ScheduleTz::Local, ScheduleTz::Local),
4247 (ScheduleTz::Utc, ScheduleTz::Utc),
4248 ] {
4249 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
4250 s.tz = tz;
4251 assert_eq!(s.lowered().tz, want, "calendar carries tz");
4252 // reconcile shapes carry tz too (for the active-window check)
4253 let mut s = schedule_with(
4254 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4255 RunsOn::Backend,
4256 );
4257 s.tz = tz;
4258 assert_eq!(s.lowered().tz, want, "reconcile carries tz");
4259 }
4260 }
4261
4262 #[test]
4263 fn poll_cron_is_accepted_by_the_engine_parser() {
4264 // POLL_CRON is system-generated — if the engine's parser
4265 // ever rejected it every reconcile schedule would die at
4266 // register time. Validate it with the same croner config
4267 // (Seconds::Required, dom_and_dow, year optional).
4268 croner::parser::CronParser::builder()
4269 .seconds(croner::parser::Seconds::Required)
4270 .dom_and_dow(true)
4271 .build()
4272 .parse(POLL_CRON)
4273 .expect("POLL_CRON must parse");
4274 }
4275
4276 // ---- Schedule::validate() (#418 decision F) ----
4277
4278 #[test]
4279 fn validate_accepts_reconcile_shapes() {
4280 for when in [
4281 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4282 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4283 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
4284 When::PerTarget(PerPolicy::Every(EverySpec {
4285 every: "24h".into(),
4286 })),
4287 ] {
4288 schedule_with(when.clone(), RunsOn::Backend)
4289 .validate()
4290 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
4291 }
4292 }
4293
4294 #[test]
4295 fn validate_accepts_per_pc_on_agent() {
4296 schedule_with(
4297 When::PerPc(PerPolicy::Every(EverySpec { every: "1h".into() })),
4298 RunsOn::Agent,
4299 )
4300 .validate()
4301 .expect("per_pc + agent is the offline-inventory shape");
4302 }
4303
4304 // ---- #418 event triggers (when: { on }) ----
4305
4306 #[test]
4307 fn validate_accepts_event_on_agent() {
4308 for triggers in [
4309 vec![OnTrigger::Startup],
4310 vec![OnTrigger::Logon],
4311 vec![OnTrigger::Lock],
4312 vec![OnTrigger::Unlock],
4313 vec![OnTrigger::NetworkChange],
4314 vec![
4315 OnTrigger::Startup,
4316 OnTrigger::Logon,
4317 OnTrigger::Lock,
4318 OnTrigger::Unlock,
4319 OnTrigger::NetworkChange,
4320 ],
4321 ] {
4322 schedule_with(When::On(triggers), RunsOn::Agent)
4323 .validate()
4324 .expect("when.on is valid on runs_on: agent");
4325 }
4326 }
4327
4328 #[test]
4329 fn validate_rejects_event_on_backend() {
4330 let err = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Backend)
4331 .validate()
4332 .unwrap_err();
4333 assert!(err.contains("when.on"), "got: {err}");
4334 assert!(err.contains("runs_on: agent"), "got: {err}");
4335 }
4336
4337 #[test]
4338 fn validate_rejects_empty_event_list() {
4339 let err = schedule_with(When::On(vec![]), RunsOn::Agent)
4340 .validate()
4341 .unwrap_err();
4342 assert!(err.contains("when.on"), "got: {err}");
4343 assert!(err.contains("at least one"), "got: {err}");
4344 }
4345
4346 #[test]
4347 fn event_schedule_lowers_to_event_mode_and_is_event() {
4348 let s = schedule_with(When::On(vec![OnTrigger::Startup]), RunsOn::Agent);
4349 assert!(s.is_event());
4350 assert_eq!(s.lowered().mode, ExecMode::Event);
4351 assert_eq!(s.event_triggers(), &[OnTrigger::Startup]);
4352 // non-event schedules report no triggers.
4353 let cal = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
4354 assert!(!cal.is_event());
4355 assert!(cal.event_triggers().is_empty());
4356 }
4357
4358 // ---- #418 constraints.require (env gates) ----
4359
4360 fn require_schedule(req: Require, runs_on: RunsOn) -> Schedule {
4361 let mut s = schedule_with(
4362 When::PerPc(PerPolicy::Every(EverySpec { every: "1m".into() })),
4363 runs_on,
4364 );
4365 s.constraints.require = Some(req);
4366 s
4367 }
4368
4369 #[test]
4370 fn require_met_combinations() {
4371 use std::time::Duration;
4372 let idle = |m: u64| Some(Duration::from_secs(m * 60));
4373 // Builder for the sensed state: (ac, idle, cpu, network).
4374 let env = |ac, idle, cpu, net| EnvState {
4375 ac_online: ac,
4376 idle,
4377 cpu_pct: cpu,
4378 network_up: net,
4379 };
4380 // Empty require — always met regardless of sensed state.
4381 assert!(require_met(
4382 &Require::default(),
4383 &env(false, None, None, false)
4384 ));
4385 // ac_power: only on AC.
4386 let ac = Require {
4387 ac_power: true,
4388 ..Default::default()
4389 };
4390 assert!(!require_met(&ac, &env(false, None, None, true)));
4391 assert!(require_met(&ac, &env(true, None, None, false)));
4392 // idle: needs >= the configured min; None idle never satisfies.
4393 let idle10 = Require {
4394 idle: Some("10m".into()),
4395 ..Default::default()
4396 };
4397 assert!(!require_met(&idle10, &env(true, None, None, true)));
4398 assert!(!require_met(&idle10, &env(true, idle(5), None, true)));
4399 assert!(require_met(&idle10, &env(true, idle(15), None, true)));
4400 assert!(require_met(&idle10, &env(true, idle(10), None, true))); // boundary inclusive
4401 // cpu_below: needs CPU strictly < threshold; None cpu never satisfies.
4402 let cpu20 = Require {
4403 cpu_below: Some(20.0),
4404 ..Default::default()
4405 };
4406 assert!(!require_met(&cpu20, &env(true, None, None, true))); // no sample → fail-closed
4407 assert!(!require_met(&cpu20, &env(true, None, Some(20.0), true))); // == threshold
4408 assert!(!require_met(&cpu20, &env(true, None, Some(55.0), true))); // busy
4409 assert!(require_met(&cpu20, &env(true, None, Some(5.0), true))); // quiet
4410 // network: only when online.
4411 let net = Require {
4412 network: true,
4413 ..Default::default()
4414 };
4415 assert!(!require_met(&net, &env(true, None, None, false))); // offline
4416 assert!(require_met(&net, &env(true, None, None, true))); // online
4417 // all four: AND.
4418 let all = Require {
4419 ac_power: true,
4420 idle: Some("10m".into()),
4421 cpu_below: Some(20.0),
4422 network: true,
4423 };
4424 assert!(!require_met(&all, &env(false, idle(20), Some(5.0), true))); // on battery
4425 assert!(!require_met(&all, &env(true, idle(1), Some(5.0), true))); // not idle enough
4426 assert!(!require_met(&all, &env(true, idle(20), Some(50.0), true))); // busy
4427 assert!(!require_met(&all, &env(true, idle(20), Some(5.0), false))); // offline
4428 assert!(require_met(&all, &env(true, idle(20), Some(5.0), true)));
4429 // An unparseable idle is treated as no-requirement by require_met
4430 // (validate rejects it at create time, so this only guards a
4431 // hand-edited blob): ac still gates.
4432 let bad = Require {
4433 ac_power: true,
4434 idle: Some("garbage".into()),
4435 ..Default::default()
4436 };
4437 assert!(require_met(&bad, &env(true, None, None, true)));
4438 assert!(!require_met(&bad, &env(false, None, None, true)));
4439 }
4440
4441 #[test]
4442 fn validate_accepts_and_rejects_cpu_below() {
4443 // In-range accepted.
4444 require_schedule(
4445 Require {
4446 cpu_below: Some(20.0),
4447 ..Default::default()
4448 },
4449 RunsOn::Agent,
4450 )
4451 .validate()
4452 .expect("cpu_below 20 is valid");
4453 // Upper boundary: 100.0 is accepted (fires unless CPU is exactly
4454 // 100%). Pins the inclusive upper bound against a future c < 100.0.
4455 require_schedule(
4456 Require {
4457 cpu_below: Some(100.0),
4458 ..Default::default()
4459 },
4460 RunsOn::Agent,
4461 )
4462 .validate()
4463 .expect("cpu_below 100 is valid");
4464 // Out of range rejected (0 and >100).
4465 for bad in [0.0, -5.0, 100.1] {
4466 let err = require_schedule(
4467 Require {
4468 cpu_below: Some(bad),
4469 ..Default::default()
4470 },
4471 RunsOn::Agent,
4472 )
4473 .validate()
4474 .unwrap_err();
4475 assert!(
4476 err.contains("constraints.require.cpu_below"),
4477 "cpu_below {bad}: {err}"
4478 );
4479 }
4480 }
4481
4482 #[test]
4483 fn validate_accepts_require_on_agent() {
4484 require_schedule(
4485 Require {
4486 ac_power: true,
4487 idle: Some("10m".into()),
4488 cpu_below: Some(20.0),
4489 network: true,
4490 },
4491 RunsOn::Agent,
4492 )
4493 .validate()
4494 .expect("constraints.require is valid on runs_on: agent");
4495 }
4496
4497 #[test]
4498 fn validate_rejects_require_on_backend() {
4499 let err = require_schedule(
4500 Require {
4501 ac_power: true,
4502 ..Default::default()
4503 },
4504 RunsOn::Backend,
4505 )
4506 .validate()
4507 .unwrap_err();
4508 assert!(err.contains("constraints.require"), "got: {err}");
4509 assert!(err.contains("runs_on: agent"), "got: {err}");
4510
4511 // An idle-only require (ac_power: false) is also non-empty
4512 // (is_empty folds the fields) and must reject on backend too —
4513 // guards against a regression in Require::is_empty.
4514 let err = require_schedule(
4515 Require {
4516 idle: Some("10m".into()),
4517 ..Default::default()
4518 },
4519 RunsOn::Backend,
4520 )
4521 .validate()
4522 .unwrap_err();
4523 assert!(
4524 err.contains("constraints.require"),
4525 "idle-only on backend: {err}"
4526 );
4527 }
4528
4529 #[test]
4530 fn validate_rejects_bad_require_idle() {
4531 let err = require_schedule(
4532 Require {
4533 idle: Some("not-a-duration".into()),
4534 ..Default::default()
4535 },
4536 RunsOn::Agent,
4537 )
4538 .validate()
4539 .unwrap_err();
4540 assert!(err.contains("constraints.require.idle"), "got: {err}");
4541 }
4542
4543 #[test]
4544 fn require_round_trips_and_skips_empty() {
4545 // ac_power: false is skipped; an all-default require nested in
4546 // constraints is omitted (is_empty folds it in).
4547 let yaml = "id: s\nwhen: { per_pc: { every: 1m } }\njob_id: j\nruns_on: agent\n\
4548 constraints: { require: { ac_power: true, idle: 10m, cpu_below: 20, \
4549 network: true } }\n";
4550 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4551 let req = s.constraints.require.as_ref().expect("require present");
4552 assert!(req.ac_power);
4553 assert_eq!(req.idle.as_deref(), Some("10m"));
4554 assert_eq!(req.cpu_below, Some(20.0));
4555 assert!(req.network);
4556 // Re-serialize: idle + cpu_below + network present, ac_power true.
4557 let back = serde_json::to_string(&s.constraints).unwrap();
4558 assert!(back.contains("\"idle\":\"10m\""), "got: {back}");
4559 assert!(back.contains("\"cpu_below\":20"), "got: {back}");
4560 assert!(back.contains("\"network\":true"), "got: {back}");
4561 // An empty require is omitted entirely by is_empty.
4562 let mut empty = s.clone();
4563 empty.constraints.require = Some(Require::default());
4564 assert!(empty.constraints.is_empty());
4565 }
4566
4567 #[test]
4568 fn validate_rejects_per_target_on_agent() {
4569 let err = schedule_with(
4570 When::PerTarget(PerPolicy::Every(EverySpec {
4571 every: "24h".into(),
4572 })),
4573 RunsOn::Agent,
4574 )
4575 .validate()
4576 .unwrap_err();
4577 assert!(err.contains("per_target"), "got: {err}");
4578 assert!(err.contains("runs_on: agent"), "got: {err}");
4579
4580 // per_target: once is also backend-only.
4581 let err = schedule_with(
4582 When::PerTarget(PerPolicy::Once(OnceLiteral::Once)),
4583 RunsOn::Agent,
4584 )
4585 .validate()
4586 .unwrap_err();
4587 assert!(err.contains("per_target"), "got (once): {err}");
4588 assert!(err.contains("runs_on: agent"), "got (once): {err}");
4589 }
4590
4591 #[test]
4592 fn validate_rejects_bad_every_duration() {
4593 let err = schedule_with(
4594 When::PerPc(PerPolicy::Every(EverySpec { every: "6x".into() })),
4595 RunsOn::Backend,
4596 )
4597 .validate()
4598 .unwrap_err();
4599 assert!(err.contains("when.every"), "got: {err}");
4600 }
4601
4602 #[test]
4603 fn validate_rejects_bad_jitter_and_starting_deadline() {
4604 let mut s = schedule_with(
4605 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4606 RunsOn::Backend,
4607 );
4608 s.plan.jitter = Some("5x".into());
4609 let err = s.validate().unwrap_err();
4610 assert!(err.contains("jitter"), "got: {err}");
4611
4612 let mut s = schedule_with(
4613 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4614 RunsOn::Backend,
4615 );
4616 s.starting_deadline = Some("soon".into());
4617 let err = s.validate().unwrap_err();
4618 assert!(err.contains("starting_deadline"), "got: {err}");
4619 }
4620
4621 #[test]
4622 fn validate_accepts_calendar_shapes() {
4623 for when in [
4624 calendar("09:00", &["mon-fri"]), // weekday morning
4625 calendar("00:00", &["sun"]), // weekly
4626 calendar("18:30", &[]), // daily
4627 calendar("2026-06-10 09:00", &[]), // one-shot
4628 calendar("2026/12/25 00:00", &[]), // one-shot, slash form
4629 ] {
4630 schedule_with(when.clone(), RunsOn::Backend)
4631 .validate()
4632 .unwrap_or_else(|e| panic!("{when} should validate: {e}"));
4633 }
4634 }
4635
4636 #[test]
4637 fn validate_rejects_bad_at() {
4638 for bad in ["25:00", "09:60", "9", "noon", "2026-13-01 09:00"] {
4639 let err = schedule_with(calendar(bad, &[]), RunsOn::Backend)
4640 .validate()
4641 .unwrap_err();
4642 assert!(err.contains("when.at"), "for '{bad}', got: {err}");
4643 }
4644 }
4645
4646 #[test]
4647 fn validate_rejects_datetime_at_with_days() {
4648 // A dated `at` is a one-shot — pairing it with days is a
4649 // contradiction (the date already pins the day).
4650 let err = schedule_with(calendar("2026-06-10 09:00", &["mon"]), RunsOn::Backend)
4651 .validate()
4652 .unwrap_err();
4653 assert!(
4654 err.contains("one-shot") && err.contains("days"),
4655 "got: {err}"
4656 );
4657 }
4658
4659 #[test]
4660 fn validate_rejects_bad_day_name() {
4661 // A garbage DOW token is caught by the days pre-flight and
4662 // reported against `when.days`, not the confusing
4663 // "when.at lowered to invalid cron" (claude #432 review).
4664 let err = schedule_with(calendar("09:00", &["funday"]), RunsOn::Backend)
4665 .validate()
4666 .unwrap_err();
4667 assert!(err.contains("when.days"), "got: {err}");
4668 assert!(err.contains("funday"), "names the bad token: {err}");
4669 // a degenerate range like `mon-` reports the whole token, not
4670 // a cryptic empty part (claude #432 follow-up)
4671 let err = schedule_with(calendar("09:00", &["mon-"]), RunsOn::Backend)
4672 .validate()
4673 .unwrap_err();
4674 assert!(err.contains("'mon-'"), "names the whole token: {err}");
4675 // valid names / ranges / numeric / * all pass
4676 for ok in [
4677 calendar("09:00", &["mon-fri"]),
4678 calendar("09:00", &["mon", "wed", "sun"]),
4679 calendar("09:00", &["1-5"]),
4680 ] {
4681 schedule_with(ok.clone(), RunsOn::Backend)
4682 .validate()
4683 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
4684 }
4685 }
4686
4687 #[test]
4688 fn validate_accepts_nth_weekday() {
4689 // #418: nth-weekday (Patch Tuesday). validate() also lowers to
4690 // a cron and parses it with croner, so passing here proves the
4691 // whole chain — token → DOW field → engine-acceptable cron.
4692 for ok in [
4693 calendar("09:00", &["tue#2"]), // 2nd Tuesday
4694 calendar("09:00", &["fri#1"]), // 1st Friday
4695 calendar("03:00", &["sun#5"]), // 5th Sunday
4696 calendar("09:00", &["tue#2", "thu#2"]), // a list of nths
4697 calendar("09:00", &["2#2"]), // numeric DOW + ordinal
4698 // Case-insensitive both sides: validate lowercases, croner
4699 // upper-cases the whole pattern before aliasing (claude #547).
4700 calendar("09:00", &["TUE#2"]),
4701 ] {
4702 schedule_with(ok.clone(), RunsOn::Backend)
4703 .validate()
4704 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
4705 }
4706 }
4707
4708 #[test]
4709 fn validate_rejects_bad_nth_weekday() {
4710 // ordinal out of 1..5, a range with #, and a bad day before #.
4711 for bad in ["tue#0", "tue#6", "tue#x", "mon-fri#2", "funday#2"] {
4712 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
4713 .validate()
4714 .unwrap_err();
4715 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
4716 }
4717 }
4718
4719 #[test]
4720 fn validate_accepts_last_weekday() {
4721 // #418: last-weekday (`friL` = last Friday). Like the nth case,
4722 // validate() lowers to a cron and round-trips it through croner,
4723 // so passing proves token → DOW field → engine-acceptable cron
4724 // with the verified last-<dow>-of-month semantics.
4725 for ok in [
4726 calendar("09:00", &["friL"]), // last Friday
4727 calendar("03:00", &["sunL"]), // last Sunday
4728 calendar("22:00", &["5L"]), // numeric DOW + last
4729 calendar("00:00", &["0L"]), // numeric Sunday (0…
4730 calendar("00:00", &["7L"]), // …and its 7 alias)
4731 calendar("09:00", &["monL", "friL"]), // a list of last-weekdays
4732 // Case-insensitive both the weekday and the `L` suffix:
4733 // validate lowercases the day, croner upper-cases the whole
4734 // pattern before aliasing (claude #547).
4735 calendar("09:00", &["FRIL"]),
4736 calendar("09:00", &["fril"]),
4737 ] {
4738 schedule_with(ok.clone(), RunsOn::Backend)
4739 .validate()
4740 .unwrap_or_else(|e| panic!("{ok} should validate: {e}"));
4741 }
4742 }
4743
4744 #[test]
4745 fn validate_rejects_bad_last_weekday() {
4746 // bare `L` (no weekday — a footgun croner reads as Saturday), a
4747 // range with L, a bad day before L, and an internal space that
4748 // would otherwise leak a malformed cron downstream (gemini #560).
4749 for bad in ["L", "l", "mon-friL", "fundayL", "8L", "*L", "fri L"] {
4750 let err = schedule_with(calendar("09:00", &[bad]), RunsOn::Backend)
4751 .validate()
4752 .unwrap_err();
4753 assert!(err.contains("when.days"), "for '{bad}', got: {err}");
4754 }
4755 }
4756
4757 #[test]
4758 fn calendar_oneshot_instant_detects_past() {
4759 use chrono::TimeZone;
4760 // a dated `at` resolves to an absolute instant…
4761 let c = CalendarSpec {
4762 at: "2024-01-01 09:00".into(),
4763 days: vec![],
4764 };
4765 let t = c
4766 .oneshot_instant(ScheduleTz::Utc)
4767 .expect("one-shot instant");
4768 assert_eq!(
4769 t,
4770 chrono::Utc.with_ymd_and_hms(2024, 1, 1, 9, 0, 0).unwrap()
4771 );
4772 assert!(t < chrono::Utc::now(), "2024 is in the past");
4773 // …while a repeating (time-only) calendar has no instant
4774 let rep = CalendarSpec {
4775 at: "09:00".into(),
4776 days: vec!["mon-fri".into()],
4777 };
4778 assert!(rep.oneshot_instant(ScheduleTz::Utc).is_none());
4779 }
4780
4781 fn schedule_with_active(from: Option<&str>, until: Option<&str>) -> Schedule {
4782 let mut s = schedule_with(
4783 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4784 RunsOn::Backend,
4785 );
4786 s.active = Active {
4787 from: from.map(str::to_owned),
4788 until: until.map(str::to_owned),
4789 };
4790 s
4791 }
4792
4793 #[test]
4794 fn validate_accepts_active_window() {
4795 schedule_with_active(Some("2026-07-01"), Some("2026-08-01T12:00:00+09:00"))
4796 .validate()
4797 .expect("date + rfc3339 bounds should validate");
4798 }
4799
4800 #[test]
4801 fn validate_rejects_unparseable_active_bound() {
4802 let err = schedule_with_active(Some("July 1st"), None)
4803 .validate()
4804 .unwrap_err();
4805 assert!(err.contains("active"), "got: {err}");
4806 }
4807
4808 #[test]
4809 fn validate_rejects_from_not_before_until() {
4810 let err = schedule_with_active(Some("2026-08-01"), Some("2026-07-01"))
4811 .validate()
4812 .unwrap_err();
4813 assert!(err.contains("strictly before"), "got: {err}");
4814
4815 let err = schedule_with_active(Some("2026-07-01"), Some("2026-07-01"))
4816 .validate()
4817 .unwrap_err();
4818 assert!(err.contains("strictly before"), "got: {err}");
4819 }
4820
4821 // ---- Active window semantics ----
4822
4823 #[test]
4824 fn active_window_is_half_open() {
4825 use chrono::TimeZone;
4826 let active = Active {
4827 from: Some("2026-07-01".into()),
4828 until: Some("2026-08-01".into()),
4829 };
4830 // UTC tz so the date bounds are UTC midnight.
4831 let at = |y, m, d, h| chrono::Utc.with_ymd_and_hms(y, m, d, h, 0, 0).unwrap();
4832 let c = |t| active.contains(t, ScheduleTz::Utc);
4833 assert!(!c(at(2026, 6, 30, 23)), "before from");
4834 assert!(c(at(2026, 7, 1, 0)), "at from (inclusive)");
4835 assert!(c(at(2026, 7, 15, 12)), "inside");
4836 assert!(!c(at(2026, 8, 1, 0)), "at until (exclusive)");
4837 assert!(!c(at(2026, 8, 2, 0)), "after until");
4838 }
4839
4840 #[test]
4841 fn active_empty_window_is_always_active() {
4842 assert!(Active::default().contains(chrono::Utc::now(), ScheduleTz::Local));
4843 }
4844
4845 #[test]
4846 fn active_rfc3339_bound_honours_offset_regardless_of_tz() {
4847 use chrono::TimeZone;
4848 let active = Active {
4849 from: Some("2026-07-01T09:00:00+09:00".into()),
4850 until: None,
4851 };
4852 // RFC3339 carries its own offset → tz arg is ignored.
4853 // 09:00 JST = 00:00 UTC.
4854 for tz in [ScheduleTz::Utc, ScheduleTz::Local] {
4855 assert!(
4856 !active.contains(
4857 chrono::Utc
4858 .with_ymd_and_hms(2026, 6, 30, 23, 59, 0)
4859 .unwrap(),
4860 tz
4861 )
4862 );
4863 assert!(active.contains(
4864 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap(),
4865 tz
4866 ));
4867 }
4868 }
4869
4870 #[test]
4871 fn active_date_bound_respects_tz() {
4872 // A bare `YYYY-MM-DD` bound is midnight *in the schedule's
4873 // tz* (#418 Phase 2). The UTC interpretation is exact and
4874 // host-independent; assert that precisely.
4875 use chrono::TimeZone;
4876 let utc = Active::parse_bound("2026-07-01", ScheduleTz::Utc).expect("utc");
4877 assert_eq!(
4878 utc,
4879 chrono::Utc.with_ymd_and_hms(2026, 7, 1, 0, 0, 0).unwrap()
4880 );
4881
4882 // The local interpretation must equal what chrono::Local
4883 // computes for the same wall-clock midnight — proves the tz
4884 // path is wired to the host zone (the magnitude vs UTC is
4885 // host-dependent, so we compare against Local directly rather
4886 // than hard-coding the JST offset, keeping CI green on UTC
4887 // runners).
4888 let local = Active::parse_bound("2026-07-01", ScheduleTz::Local).expect("local");
4889 let want = chrono::Local
4890 .with_ymd_and_hms(2026, 7, 1, 0, 0, 0)
4891 .single()
4892 .expect("local midnight is unambiguous")
4893 .with_timezone(&chrono::Utc);
4894 assert_eq!(local, want, "date bound resolved in host-local tz");
4895 }
4896
4897 #[test]
4898 fn active_empty_is_skipped_when_serialising() {
4899 let s = schedule_with(
4900 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4901 RunsOn::Backend,
4902 );
4903 let json = serde_json::to_value(&s).expect("serialise");
4904 assert!(
4905 json.get("active").is_none(),
4906 "empty active must not appear on the wire: {json}"
4907 );
4908 }
4909
4910 // ---- constraints.window (#418 Phase 3) ----
4911
4912 fn with_window(win: &str) -> Schedule {
4913 let mut s = schedule_with(
4914 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
4915 RunsOn::Backend,
4916 );
4917 s.constraints.window = Some(win.into());
4918 s
4919 }
4920
4921 #[test]
4922 fn constraints_window_parses_and_round_trips() {
4923 let yaml = r#"
4924id: x
4925when:
4926 per_pc: { every: 6h }
4927job_id: y
4928target: { all: true }
4929constraints:
4930 window: "22:00-05:00"
4931"#;
4932 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
4933 assert_eq!(s.constraints.window.as_deref(), Some("22:00-05:00"));
4934 let back: Schedule =
4935 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
4936 assert_eq!(back.constraints.window.as_deref(), Some("22:00-05:00"));
4937 }
4938
4939 #[test]
4940 fn constraints_empty_is_skipped_when_serialising() {
4941 let s = schedule_with(
4942 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
4943 RunsOn::Backend,
4944 );
4945 let json = serde_json::to_value(&s).expect("serialise");
4946 assert!(
4947 json.get("constraints").is_none(),
4948 "empty constraints must not appear on the wire: {json}"
4949 );
4950 }
4951
4952 #[test]
4953 fn window_no_constraint_always_allows() {
4954 let c = Constraints::default();
4955 assert!(c.allows(chrono::Utc::now(), ScheduleTz::Local));
4956 }
4957
4958 #[test]
4959 fn window_same_day_is_half_open() {
4960 use chrono::TimeZone;
4961 let s = with_window("09:00-17:00");
4962 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
4963 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
4964 assert!(!a(at(8, 59)), "before start");
4965 assert!(a(at(9, 0)), "at start (inclusive)");
4966 assert!(a(at(16, 59)), "inside");
4967 assert!(!a(at(17, 0)), "at end (exclusive)");
4968 assert!(!a(at(23, 0)), "after end");
4969 }
4970
4971 #[test]
4972 fn window_crossing_midnight() {
4973 use chrono::TimeZone;
4974 let s = with_window("22:00-05:00");
4975 let at = |h, m| chrono::Utc.with_ymd_and_hms(2026, 6, 9, h, m, 0).unwrap();
4976 let a = |t| s.constraints.allows(t, ScheduleTz::Utc);
4977 assert!(a(at(22, 0)), "at start tonight");
4978 assert!(a(at(23, 30)), "late tonight");
4979 assert!(a(at(3, 0)), "early tomorrow");
4980 assert!(!a(at(5, 0)), "at end (exclusive)");
4981 assert!(!a(at(12, 0)), "midday outside");
4982 assert!(!a(at(21, 59)), "just before start");
4983 }
4984
4985 #[test]
4986 fn window_respects_tz() {
4987 // The same instant is inside the window under one tz and may
4988 // be outside under another. Compare UTC vs Local via the
4989 // host's own offset (kept CI-green on UTC runners like the
4990 // active tz test does).
4991 use chrono::TimeZone;
4992 let s = with_window("09:00-17:00");
4993 let noon_utc = chrono::Utc.with_ymd_and_hms(2026, 6, 9, 12, 0, 0).unwrap();
4994 // Under UTC, 12:00 is inside 09:00-17:00.
4995 assert!(s.constraints.allows(noon_utc, ScheduleTz::Utc));
4996 // Under Local, the verdict tracks the host wall-clock time;
4997 // assert it matches a direct wall_time membership check.
4998 let local_t = noon_utc.with_timezone(&chrono::Local).time();
4999 let in_local = local_t >= chrono::NaiveTime::from_hms_opt(9, 0, 0).unwrap()
5000 && local_t < chrono::NaiveTime::from_hms_opt(17, 0, 0).unwrap();
5001 assert_eq!(s.constraints.allows(noon_utc, ScheduleTz::Local), in_local);
5002 }
5003
5004 #[test]
5005 fn validate_accepts_good_window() {
5006 for w in ["09:00-17:00", "22:00-05:00", "00:00-23:59"] {
5007 with_window(w)
5008 .validate()
5009 .unwrap_or_else(|e| panic!("'{w}' should validate: {e}"));
5010 }
5011 }
5012
5013 #[test]
5014 fn validate_rejects_bad_window() {
5015 for bad in ["9-5", "22:00", "22:00-22:00", "25:00-05:00", "09:00_17:00"] {
5016 let err = with_window(bad).validate().unwrap_err();
5017 assert!(
5018 err.contains("constraints.window"),
5019 "for '{bad}', got: {err}"
5020 );
5021 }
5022 }
5023
5024 // ---- constraints.skip_dates (#418 holiday exclusion) ----
5025
5026 fn with_skip_dates(dates: &[&str]) -> Schedule {
5027 let mut s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
5028 s.tz = ScheduleTz::Utc; // host-independent date assertions
5029 s.constraints.skip_dates = dates.iter().map(|d| (*d).to_string()).collect();
5030 s
5031 }
5032
5033 #[test]
5034 fn allows_blocks_listed_skip_date() {
5035 use chrono::TimeZone;
5036 let s = with_skip_dates(&["2026-06-10", "2026-12-25"]);
5037 // Any time on a listed date is blocked (whole day).
5038 let on = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 9, 0, 0).unwrap();
5039 assert!(!s.constraints.allows(on, ScheduleTz::Utc));
5040 let on_midnight = chrono::Utc.with_ymd_and_hms(2026, 12, 25, 0, 0, 0).unwrap();
5041 assert!(!s.constraints.allows(on_midnight, ScheduleTz::Utc));
5042 // A date not in the list fires normally.
5043 let off = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
5044 assert!(s.constraints.allows(off, ScheduleTz::Utc));
5045 }
5046
5047 #[test]
5048 fn allows_corrupt_skip_date_fails_closed() {
5049 use chrono::TimeZone;
5050 // A garbled entry (only reachable via hand-edited KV) blocks
5051 // rather than silently re-enabling fires — same posture as a
5052 // corrupt window.
5053 let s = with_skip_dates(&["not-a-date"]);
5054 let any = chrono::Utc.with_ymd_and_hms(2026, 6, 11, 9, 0, 0).unwrap();
5055 assert!(!s.constraints.allows(any, ScheduleTz::Utc));
5056 }
5057
5058 #[test]
5059 fn validate_accepts_good_skip_dates() {
5060 with_skip_dates(&["2026-01-01", "2026-12-25", "2027-05-03"])
5061 .validate()
5062 .expect("well-formed skip dates should validate");
5063 }
5064
5065 #[test]
5066 fn validate_rejects_bad_skip_date() {
5067 for bad in ["2026-13-01", "01-01-2026", "nope", "2026/01/01"] {
5068 let err = with_skip_dates(&[bad]).validate().unwrap_err();
5069 assert!(
5070 err.contains("constraints.skip_dates"),
5071 "for '{bad}', got: {err}"
5072 );
5073 }
5074 }
5075
5076 #[test]
5077 fn preview_skips_holidays() {
5078 use chrono::TimeZone;
5079 // Daily 09:00 with two of the next five days marked as holidays
5080 // — preview drops exactly those, since it gates on `allows`.
5081 let mut s = cal_utc("09:00", &[]);
5082 s.constraints.skip_dates = vec!["2026-06-11".into(), "2026-06-13".into()];
5083 let now = chrono::Utc.with_ymd_and_hms(2026, 6, 10, 0, 0, 0).unwrap();
5084 let got = s.preview_fires(now, 4);
5085 let want: Vec<_> = [
5086 (2026, 6, 10),
5087 (2026, 6, 12), // skips 06-11
5088 (2026, 6, 14), // skips 06-13
5089 (2026, 6, 15),
5090 ]
5091 .iter()
5092 .map(|(y, m, d)| chrono::Utc.with_ymd_and_hms(*y, *m, *d, 9, 0, 0).unwrap())
5093 .collect();
5094 assert_eq!(got, want);
5095 }
5096
5097 // ---- constraints.max_concurrent (#418) ----
5098
5099 fn with_max_concurrent(max: u32, runs_on: RunsOn) -> Schedule {
5100 let mut s = schedule_with(
5101 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
5102 runs_on,
5103 );
5104 s.constraints.max_concurrent = Some(max);
5105 s
5106 }
5107
5108 #[test]
5109 fn validate_accepts_backend_max_concurrent() {
5110 with_max_concurrent(5, RunsOn::Backend)
5111 .validate()
5112 .expect("backend max_concurrent should validate");
5113 }
5114
5115 #[test]
5116 fn validate_rejects_max_concurrent_on_agent() {
5117 // Decision E: a central running-instance cap needs a central
5118 // counter, which agents don't have.
5119 let err = with_max_concurrent(5, RunsOn::Agent)
5120 .validate()
5121 .unwrap_err();
5122 assert!(err.contains("constraints.max_concurrent"), "got: {err}");
5123 assert!(err.contains("runs_on: agent"), "got: {err}");
5124 }
5125
5126 #[test]
5127 fn validate_rejects_zero_max_concurrent() {
5128 let err = with_max_concurrent(0, RunsOn::Backend)
5129 .validate()
5130 .unwrap_err();
5131 assert!(err.contains("max_concurrent must be >= 1"), "got: {err}");
5132 }
5133
5134 #[test]
5135 fn max_concurrent_round_trips_and_skips_when_absent() {
5136 let s = with_max_concurrent(3, RunsOn::Backend);
5137 let json = serde_json::to_value(&s.constraints).expect("ser");
5138 assert_eq!(json.get("max_concurrent").and_then(|v| v.as_u64()), Some(3));
5139 // A schedule with no constraints omits the whole block.
5140 let bare = schedule_with(
5141 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
5142 RunsOn::Backend,
5143 );
5144 assert!(bare.constraints.is_empty());
5145 }
5146
5147 #[test]
5148 fn window_fail_closed_on_corrupt_blob() {
5149 // A malformed window (only reachable via a hand-edited KV
5150 // blob — validate() rejects it at create) must BLOCK, not
5151 // silently allow fires during a change-freeze (gemini #452).
5152 let s = with_window("22:00_05:00");
5153 assert!(
5154 !s.constraints.allows(chrono::Utc::now(), ScheduleTz::Utc),
5155 "corrupt window fails closed"
5156 );
5157 // …and the scheduler can surface why it's stuck.
5158 assert!(
5159 s.bad_window().is_some(),
5160 "bad_window reports the parse error"
5161 );
5162 assert!(with_window("22:00-05:00").bad_window().is_none());
5163 }
5164
5165 #[test]
5166 fn calendar_outside_window_is_flagged() {
5167 // at 09:00 can never fall in 22:00-05:00 → never fires.
5168 let mut s = schedule_with(calendar("09:00", &["mon-fri"]), RunsOn::Backend);
5169 s.constraints.window = Some("22:00-05:00".into());
5170 assert!(s.calendar_outside_window(), "09:00 is not in 22:00-05:00");
5171
5172 // at 23:00 IS inside the overnight window → fine.
5173 let mut s = schedule_with(calendar("23:00", &[]), RunsOn::Backend);
5174 s.constraints.window = Some("22:00-05:00".into());
5175 assert!(!s.calendar_outside_window(), "23:00 is in 22:00-05:00");
5176
5177 // reconcile shapes are never flagged (they poll every minute).
5178 let mut s = schedule_with(
5179 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
5180 RunsOn::Backend,
5181 );
5182 s.constraints.window = Some("22:00-05:00".into());
5183 assert!(!s.calendar_outside_window(), "reconcile is unaffected");
5184
5185 // no window → never flagged.
5186 let s = schedule_with(calendar("09:00", &[]), RunsOn::Backend);
5187 assert!(!s.calendar_outside_window());
5188 }
5189
5190 // ---- on_failure.retry (#418 Phase 4) ----
5191
5192 fn with_retry(max: u32, backoff: &str) -> Schedule {
5193 let mut s = schedule_with(
5194 When::PerPc(PerPolicy::Every(EverySpec { every: "6h".into() })),
5195 RunsOn::Backend,
5196 );
5197 s.on_failure.retry = Some(Retry {
5198 max,
5199 backoff: backoff.into(),
5200 });
5201 s
5202 }
5203
5204 #[test]
5205 fn on_failure_parses_and_round_trips() {
5206 let yaml = r#"
5207id: x
5208when:
5209 per_pc: { every: 6h }
5210job_id: y
5211target: { all: true }
5212on_failure:
5213 retry: { max: 3, backoff: 10m }
5214"#;
5215 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
5216 let r = s.on_failure.retry.as_ref().expect("retry present");
5217 assert_eq!(r.max, 3);
5218 assert_eq!(r.backoff, "10m");
5219 let back: Schedule =
5220 serde_json::from_str(&serde_json::to_string(&s).expect("ser")).expect("de");
5221 assert_eq!(back.on_failure, s.on_failure);
5222 }
5223
5224 #[test]
5225 fn on_failure_empty_is_skipped_when_serialising() {
5226 let s = schedule_with(
5227 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
5228 RunsOn::Backend,
5229 );
5230 let json = serde_json::to_value(&s).expect("serialise");
5231 assert!(
5232 json.get("on_failure").is_none(),
5233 "empty on_failure must not appear on the wire: {json}"
5234 );
5235 }
5236
5237 #[test]
5238 fn validate_accepts_good_retry() {
5239 for (max, backoff) in [(1, "30s"), (3, "10m"), (10, "1h")] {
5240 with_retry(max, backoff)
5241 .validate()
5242 .unwrap_or_else(|e| panic!("retry {{max:{max}, backoff:{backoff}}}: {e}"));
5243 }
5244 }
5245
5246 #[test]
5247 fn validate_rejects_bad_backoff() {
5248 let err = with_retry(3, "soon").validate().unwrap_err();
5249 assert!(err.contains("on_failure.retry.backoff"), "got: {err}");
5250 }
5251
5252 #[test]
5253 fn validate_rejects_sub_second_backoff() {
5254 // "500ms" parses as humantime but lowers to 0s on the wire —
5255 // reject it so the operator doesn't get a silent no-wait
5256 // (coderabbit #466).
5257 for bad in ["500ms", "0s", "999ms"] {
5258 let err = with_retry(3, bad).validate().unwrap_err();
5259 assert!(
5260 err.contains("on_failure.retry.backoff must be >= 1s"),
5261 "for '{bad}', got: {err}"
5262 );
5263 }
5264 }
5265
5266 #[test]
5267 fn validate_rejects_out_of_range_max() {
5268 for bad in [0u32, 11, 1000] {
5269 let err = with_retry(bad, "10m").validate().unwrap_err();
5270 assert!(
5271 err.contains("on_failure.retry.max"),
5272 "for max={bad}, got: {err}"
5273 );
5274 }
5275 }
5276
5277 #[test]
5278 fn lowered_retry_reduces_backoff_to_seconds() {
5279 let s = with_retry(3, "10m");
5280 let spec = s.on_failure.lowered_retry().expect("a retry policy");
5281 assert_eq!(spec.max, 3);
5282 assert_eq!(spec.backoff_secs, 600);
5283 }
5284
5285 #[test]
5286 fn lowered_retry_is_none_without_policy() {
5287 let s = schedule_with(
5288 When::PerPc(PerPolicy::Once(OnceLiteral::Once)),
5289 RunsOn::Backend,
5290 );
5291 assert!(s.on_failure.lowered_retry().is_none());
5292 }
5293
5294 // ---- global change-freeze (#418 Phase 5) ----
5295
5296 #[test]
5297 fn freeze_empty_window_is_always_active() {
5298 // The big-red-button shape: no bounds = frozen until cleared.
5299 let f = Freeze::default();
5300 assert!(f.is_active(chrono::Utc::now()));
5301 }
5302
5303 #[test]
5304 fn freeze_window_is_half_open() {
5305 use chrono::TimeZone;
5306 let f = Freeze {
5307 from: Some("2026-12-20T00:00:00+00:00".into()),
5308 until: Some("2027-01-05T00:00:00+00:00".into()),
5309 reason: Some("year-end".into()),
5310 tz: ScheduleTz::Utc,
5311 };
5312 let at = |y, mo, d| chrono::Utc.with_ymd_and_hms(y, mo, d, 0, 0, 0).unwrap();
5313 assert!(!f.is_active(at(2026, 12, 19)), "before from = not frozen");
5314 assert!(f.is_active(at(2026, 12, 20)), "from is inclusive");
5315 assert!(f.is_active(at(2026, 12, 31)), "inside window");
5316 assert!(!f.is_active(at(2027, 1, 5)), "until is exclusive");
5317 assert!(!f.is_active(at(2027, 1, 6)), "after until = not frozen");
5318 }
5319
5320 #[test]
5321 fn freeze_fails_closed_on_corrupt_bound() {
5322 // A freeze is a safety switch: an unparseable bound (only
5323 // reachable via a hand-edited KV blob) must read as FROZEN, not
5324 // "fire normally" (coderabbit #472) — the opposite of `active`,
5325 // which fail-opens.
5326 let f = Freeze {
5327 from: Some("not-a-date".into()),
5328 until: None,
5329 reason: None,
5330 tz: ScheduleTz::Utc,
5331 };
5332 assert!(f.is_active(chrono::Utc::now()), "corrupt bound → frozen");
5333 }
5334
5335 #[test]
5336 fn freeze_validate_accepts_good_bounds() {
5337 Freeze {
5338 from: Some("2026-12-20".into()),
5339 until: Some("2027-01-05T12:00:00+09:00".into()),
5340 reason: None,
5341 tz: ScheduleTz::Local,
5342 }
5343 .validate()
5344 .expect("date + rfc3339 bounds should validate");
5345 // Empty (indefinite) freeze is valid.
5346 Freeze::default().validate().expect("empty freeze is valid");
5347 }
5348
5349 #[test]
5350 fn freeze_validate_rejects_bad_bound_and_inverted_window() {
5351 let err = Freeze {
5352 from: Some("never".into()),
5353 ..Default::default()
5354 }
5355 .validate()
5356 .unwrap_err();
5357 assert!(err.contains("freeze:"), "got: {err}");
5358
5359 let inverted = Freeze {
5360 from: Some("2027-01-05".into()),
5361 until: Some("2026-12-20".into()),
5362 ..Default::default()
5363 }
5364 .validate()
5365 .unwrap_err();
5366 assert!(inverted.contains("freeze.from"), "got: {inverted}");
5367 }
5368
5369 #[test]
5370 fn freeze_round_trips_and_skips_empty_fields() {
5371 let f = Freeze {
5372 from: None,
5373 until: Some("2027-01-05".into()),
5374 reason: Some("INC-1234".into()),
5375 tz: ScheduleTz::Utc,
5376 };
5377 let json = serde_json::to_value(&f).expect("serialise");
5378 assert!(json.get("from").is_none(), "empty from omitted: {json}");
5379 let back: Freeze = serde_json::from_value(json).expect("round-trip");
5380 assert_eq!(back, f);
5381 }
5382
5383 #[test]
5384 fn shipped_schedule_configs_parse_and_validate() {
5385 // Every YAML under configs/schedules/ must parse with the
5386 // current Schedule serde AND pass validate() — keeps the
5387 // shipped examples from drifting out of sync with the model
5388 // (#418 removed back-compat, so drift = broken at create).
5389 let dir = std::path::Path::new(env!("CARGO_MANIFEST_DIR")).join("../../configs/schedules");
5390 let mut seen = 0;
5391 for entry in std::fs::read_dir(&dir).expect("read configs/schedules") {
5392 let path = entry.expect("dir entry").path();
5393 if path.extension().and_then(|e| e.to_str()) != Some("yaml") {
5394 continue;
5395 }
5396 let body = std::fs::read_to_string(&path).expect("read yaml");
5397 let s: Schedule = serde_yaml::from_str(&body)
5398 .unwrap_or_else(|e| panic!("{} failed to parse: {e}", path.display()));
5399 s.validate()
5400 .unwrap_or_else(|e| panic!("{} failed validate(): {e}", path.display()));
5401 seen += 1;
5402 }
5403 assert!(seen > 0, "no schedule YAMLs found in {}", dir.display());
5404 }
5405
5406 // ---- pre-existing enum wire formats (unchanged by #418) ----
5407
5408 #[test]
5409 fn exec_mode_serialises_snake_case() {
5410 for (mode, expected) in [
5411 (ExecMode::EveryTick, "every_tick"),
5412 (ExecMode::OncePerPc, "once_per_pc"),
5413 (ExecMode::OncePerTarget, "once_per_target"),
5414 ] {
5415 let s = serde_json::to_value(mode).expect("serialise");
5416 assert_eq!(s, serde_json::Value::String(expected.into()));
5417 let back: ExecMode = serde_json::from_value(serde_json::Value::String(expected.into()))
5418 .expect("deserialise");
5419 assert_eq!(back, mode, "round-trip for {expected}");
5420 }
5421 }
5422
5423 #[test]
5424 fn schedule_runs_on_defaults_to_backend() {
5425 let yaml = r#"
5426id: x
5427when:
5428 per_pc: once
5429job_id: y
5430target: { all: true }
5431"#;
5432 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
5433 assert_eq!(s.runs_on, RunsOn::Backend);
5434 }
5435
5436 #[test]
5437 fn schedule_runs_on_agent_parses() {
5438 let yaml = r#"
5439id: offline-inv
5440when:
5441 per_pc: { every: 1h }
5442job_id: inventory-hw
5443target: { all: true }
5444runs_on: agent
5445"#;
5446 let s: Schedule = serde_yaml::from_str(yaml).expect("parse");
5447 assert_eq!(s.runs_on, RunsOn::Agent);
5448 assert_eq!(s.lowered().mode, ExecMode::OncePerPc);
5449 }
5450
5451 #[test]
5452 fn runs_on_serialises_snake_case() {
5453 for (mode, expected) in [(RunsOn::Backend, "backend"), (RunsOn::Agent, "agent")] {
5454 let s = serde_json::to_value(mode).expect("serialise");
5455 assert_eq!(s, serde_json::Value::String(expected.into()));
5456 let back: RunsOn = serde_json::from_value(serde_json::Value::String(expected.into()))
5457 .expect("deserialise");
5458 assert_eq!(back, mode);
5459 }
5460 }
5461
5462 #[test]
5463 fn execute_shell_into_wire_shell() {
5464 assert_eq!(Shell::from(ExecuteShell::Powershell), Shell::Powershell);
5465 assert_eq!(Shell::from(ExecuteShell::Cmd), Shell::Cmd);
5466 }
5467
5468 #[test]
5469 fn manifest_staleness_defaults_to_cached() {
5470 let yaml = r#"
5471id: x
5472version: 1.0.0
5473execute:
5474 shell: powershell
5475 script: "echo"
5476 timeout: 1s
5477"#;
5478 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5479 assert_eq!(m.staleness, Staleness::Cached);
5480 }
5481
5482 #[test]
5483 fn manifest_strict_staleness_parses() {
5484 let yaml = r#"
5485id: urgent-patch
5486version: 2.5.1
5487execute:
5488 shell: powershell
5489 script: Install-Hotfix
5490 timeout: 5m
5491staleness:
5492 mode: strict
5493 max_cache_age: 0s
5494"#;
5495 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5496 match m.staleness {
5497 Staleness::Strict { max_cache_age } => assert_eq!(max_cache_age, "0s"),
5498 other => panic!("expected strict, got {other:?}"),
5499 }
5500 }
5501
5502 #[test]
5503 fn manifest_unchecked_staleness_parses() {
5504 let yaml = r#"
5505id: legacy
5506version: 0.1.0
5507execute:
5508 shell: cmd
5509 script: "echo"
5510 timeout: 1s
5511staleness:
5512 mode: unchecked
5513"#;
5514 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5515 assert_eq!(m.staleness, Staleness::Unchecked);
5516 }
5517
5518 #[test]
5519 fn missing_required_field_errors() {
5520 // `id` missing.
5521 let yaml = r#"
5522version: 1.0.0
5523target: { all: true }
5524execute:
5525 shell: powershell
5526 script: "echo"
5527 timeout: 1s
5528"#;
5529 let r: Result<Manifest, _> = serde_yaml::from_str(yaml);
5530 assert!(r.is_err(), "expected error, got {:?}", r);
5531 }
5532
5533 #[test]
5534 fn display_field_table_kind_round_trips_with_nested_columns() {
5535 // #39: `type: table` + `columns:` on a DisplayField gets
5536 // round-tripped through serde so the SPA receives the
5537 // nested schema verbatim. Nested columns themselves are
5538 // DisplayFields so they can carry `type: bytes` /
5539 // `type: number` for cell formatting.
5540 let yaml = r#"
5541id: inv-hw
5542version: 1.0.0
5543execute:
5544 shell: powershell
5545 script: "echo"
5546 timeout: 60s
5547inventory:
5548 display:
5549 - field: hostname
5550 label: Hostname
5551 - field: disks
5552 label: Disks
5553 type: table
5554 columns:
5555 - field: device_id
5556 label: Drive
5557 - field: size_bytes
5558 label: Size
5559 type: bytes
5560 - field: free_bytes
5561 label: Free
5562 type: bytes
5563 - field: file_system
5564 label: FS
5565"#;
5566 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5567 let inv = m.inventory.as_ref().expect("inventory hint");
5568 let disks = inv
5569 .display
5570 .iter()
5571 .find(|d| d.field == "disks")
5572 .expect("disks display row");
5573 assert_eq!(disks.kind.as_deref(), Some("table"));
5574 let cols = disks.columns.as_ref().expect("table needs columns");
5575 assert_eq!(cols.len(), 4);
5576 assert_eq!(cols[1].field, "size_bytes");
5577 assert_eq!(cols[1].kind.as_deref(), Some("bytes"));
5578 }
5579
5580 #[test]
5581 fn display_field_scalar_kind_keeps_columns_none() {
5582 // Defensive: when type is a scalar (`bytes` / `number` /
5583 // `timestamp`) the `columns` field stays None — the SPA
5584 // uses its presence as the "render nested table" signal,
5585 // so it must not leak in via serde defaults.
5586 let yaml = r#"
5587id: x
5588version: 1.0.0
5589execute:
5590 shell: powershell
5591 script: "echo"
5592 timeout: 5s
5593inventory:
5594 display:
5595 - { field: ram_bytes, label: RAM, type: bytes }
5596"#;
5597 let m: Manifest = serde_yaml::from_str(yaml).expect("parse");
5598 let inv = m.inventory.as_ref().unwrap();
5599 assert!(inv.display[0].columns.is_none());
5600 }
5601
5602 // ---- checked-in JSON Schema freshness (docs/schemas/) ----
5603
5604 /// The JSON Schemas under `docs/schemas/` must match what
5605 /// `schema_for!` produces today — a Cargo.lock-style freshness guard
5606 /// so a `Schedule` / `Manifest` field change can't silently drift
5607 /// the operator-facing schema. The SPA editor, the backend
5608 /// `/api/schemas/*` endpoints, and these files all read the same
5609 /// derived shape; this test fails CI if the checked-in copy lags.
5610 /// Regenerate with:
5611 /// `UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current`
5612 #[test]
5613 fn schema_files_are_current() {
5614 assert_schema_file("schedule.schema.json", &schemars::schema_for!(Schedule));
5615 assert_schema_file("job.schema.json", &schemars::schema_for!(Manifest));
5616 assert_schema_file("view.schema.json", &schemars::schema_for!(View));
5617 }
5618
5619 fn assert_schema_file(name: &str, schema: &schemars::Schema) {
5620 let generated = serde_json::to_string_pretty(schema).expect("serialize schema") + "\n";
5621 let path = std::path::Path::new(env!("CARGO_MANIFEST_DIR"))
5622 .join("../../docs/schemas")
5623 .join(name);
5624 if std::env::var_os("UPDATE_SCHEMAS").is_some() {
5625 std::fs::create_dir_all(path.parent().unwrap()).expect("mkdir docs/schemas");
5626 std::fs::write(&path, &generated).unwrap_or_else(|e| panic!("write {path:?}: {e}"));
5627 return;
5628 }
5629 // Normalize CRLF→LF before comparing: `.gitattributes` already
5630 // pins these files to `eol=lf`, but a stray CRLF working-tree
5631 // copy (autocrlf, a tool rewrite) shouldn't turn a *content*-
5632 // freshness check into a confusing line-ending failure — that's
5633 // .gitattributes' job, not this test's (gemini #588).
5634 let on_disk = std::fs::read_to_string(&path)
5635 .unwrap_or_else(|e| {
5636 panic!(
5637 "read {path:?}: {e}\n\
5638 generate it with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
5639 )
5640 })
5641 .replace("\r\n", "\n");
5642 assert_eq!(
5643 on_disk, generated,
5644 "{name} is stale — a Schedule/Manifest schema change isn't reflected in docs/schemas/. \
5645 Refresh with: UPDATE_SCHEMAS=1 cargo test -p kanade-shared schema_files_are_current"
5646 );
5647 }
5648}
5649
5650/// Periodic schedule (spec §2.4.3). v0.18.0 carries the fanout plan
5651/// (target + optional rollout + optional jitter) inline; the
5652/// referenced job (`job_id` → [`BUCKET_JOBS`]) supplies only the
5653/// script body. Two schedules of the same job can target different
5654/// groups on different cadences without copying the manifest.
5655///
5656/// #418 Phase 1: the cadence is the single [`When`] field. The old
5657/// `cron` × `mode` × `cooldown` × `auto_disable_when_done` quartet
5658/// is gone (no back-compat — pre-Phase-1 KV blobs fail to parse and
5659/// are warn-skipped; re-`schedule create` to upgrade them). The
5660/// engine underneath is unchanged: [`Schedule::lowered`] maps `when`
5661/// onto the same (cron, ExecMode, cooldown) trio the scheduler and
5662/// `decide_fire` always ran on.
5663#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone)]
5664pub struct Schedule {
5665 pub id: String,
5666 /// When to fire — a reconcile cadence (`per_pc` / `per_target`)
5667 /// or a calendar time trigger (`at` / `days`). See [`When`].
5668 ///
5669 /// `singleton_map`: serde_yaml 0.9 renders externally-tagged
5670 /// enums as `!per_pc` YAML tags by default; this keeps the
5671 /// operator-facing map shape (`when: { per_pc: once }`). JSON
5672 /// output is identical either way, and the schemars schema
5673 /// (external tagging = oneOf of single-key objects) already
5674 /// matches the singleton-map wire shape.
5675 #[serde(with = "serde_yaml::with::singleton_map")]
5676 #[schemars(with = "When")]
5677 pub when: When,
5678 /// Key into [`crate::kv::BUCKET_JOBS`]. Must equal a registered
5679 /// Manifest's `id`.
5680 pub job_id: String,
5681 /// Who + how-to-phase + when-to-stagger. The Manifest doesn't
5682 /// carry these any more — same job + different fanout = different
5683 /// schedule.
5684 #[serde(flatten)]
5685 pub plan: FanoutPlan,
5686 /// Optional validity window. Outside `[from, until)` the
5687 /// schedule is dormant — still registered, still visible, but
5688 /// every tick is skipped (deleted ≠ dormant: a campaign that
5689 /// ended stays inspectable and can be re-armed by editing the
5690 /// window). Checked at tick time on both the backend scheduler
5691 /// and the agent's local scheduler.
5692 #[serde(default, skip_serializing_if = "Active::is_empty")]
5693 pub active: Active,
5694 /// #418 operational constraints gating *when within an active
5695 /// period* a fire may happen: a maintenance `window`, a fleet
5696 /// `max_concurrent` cap, and `skip_dates` (holiday exclusion). The
5697 /// wall-clock ones are evaluated in the schedule's `tz`; future
5698 /// `require` (env gates) lands in the same namespace. Checked at
5699 /// tick time on both schedulers (and surfaced by `preview`).
5700 #[serde(default, skip_serializing_if = "Constraints::is_empty")]
5701 pub constraints: Constraints,
5702 /// #418 Phase 4: what to do after a fire's script comes back
5703 /// failed. Currently just `retry` (fixed-backoff in-process
5704 /// re-run); future `notify` / `disable` join the same namespace.
5705 /// Applied fire-side in `handle_command` (the retry policy is
5706 /// lowered onto every Command this schedule produces), so it
5707 /// covers both `runs_on` locations.
5708 #[serde(default, skip_serializing_if = "OnFailure::is_empty")]
5709 pub on_failure: OnFailure,
5710 /// #418 Phase 2: the timezone this schedule's wall-clock fields
5711 /// are evaluated in — both the calendar `at` firing time AND the
5712 /// `active.{from,until}` window bounds. `local` (default) = the
5713 /// running host's TZ (the agent's for `runs_on: agent`, the
5714 /// backend server's otherwise); `utc` for TZ-independent
5715 /// schedules. Reconcile shapes (`per_pc`/`per_target`) ignore it
5716 /// for firing (poll cron runs every minute regardless) but still
5717 /// honor it for the `active` window.
5718 #[serde(default)]
5719 pub tz: ScheduleTz,
5720 /// v0.22: optional humantime window after a cron tick during
5721 /// which the Command is still considered "live". The scheduler
5722 /// computes `tick_at + starting_deadline` and stamps it onto
5723 /// each Command as `deadline_at`; agents skip Commands they
5724 /// receive after that absolute time. `None` (default) = no
5725 /// deadline, meaning a Command queued in the broker / stream
5726 /// during agent downtime runs whenever the agent reconnects —
5727 /// good for kitting / inventory / cleanup. Set this for
5728 /// time-of-day notifications, lunch reminders, etc., where
5729 /// "fire 3 hours late" would be wrong.
5730 #[serde(default, skip_serializing_if = "Option::is_none")]
5731 pub starting_deadline: Option<String>,
5732 /// v0.23: where does the cron tick happen? `Backend` (default,
5733 /// historical) = backend's scheduler fires Commands via NATS;
5734 /// agents passively receive. `Agent` = each targeted agent runs
5735 /// its own internal cron and fires locally, so the schedule
5736 /// keeps ticking even when the broker is unreachable (laptop on
5737 /// the train, broker maintenance window, full WAN outage). The
5738 /// two locations are mutually exclusive — when `Agent`, the
5739 /// backend scheduler stays out and just keeps the definition in
5740 /// KV for agents to read.
5741 #[serde(default)]
5742 pub runs_on: RunsOn,
5743 #[serde(default = "default_true")]
5744 pub enabled: bool,
5745 /// Free-form operator taxonomy for the Schedules page — the
5746 /// schedule-side mirror of `Manifest.tags` (added in #640; a plain
5747 /// code ref rather than an intra-doc link, since that field isn't
5748 /// on this branch until #640 merges). Purely a SPA-side
5749 /// organisational aid (search / filter chips alongside the
5750 /// id-prefix grouping); the scheduler never reads it, so any
5751 /// string is allowed and it carries no firing semantics. A
5752 /// schedule's own tags are independent of its job's: the same job
5753 /// may back a `weekly` maintenance schedule and a `canary` rollout
5754 /// schedule. Empty by default and `skip_serializing_if`-elided per
5755 /// the #492 gradual-upgrade wire rule.
5756 #[serde(default, skip_serializing_if = "Vec::is_empty")]
5757 pub tags: Vec<String>,
5758 /// GitOps provenance (#695) — see [`RepoOrigin`]. Stamped by
5759 /// `kanade schedule create` when the source YAML lives inside a Git
5760 /// work tree, so the SPA renders the schedule read-only and points
5761 /// edits back at the repo (SPEC design principle #3: 設定駆動 YAML +
5762 /// Git), parity with a job's [`Manifest::origin`]. `None` for
5763 /// SPA-born schedules and ones applied from outside any repo. Purely
5764 /// informational — the scheduler never reads it. New field ⇒ #492
5765 /// wire rule (`default` + `skip_serializing_if`).
5766 #[serde(default, skip_serializing_if = "Option::is_none")]
5767 pub origin: Option<RepoOrigin>,
5768}
5769
5770/// v0.23 — where the cron tick fires from.
5771#[derive(
5772 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
5773)]
5774#[serde(rename_all = "snake_case")]
5775pub enum RunsOn {
5776 /// Backend's central scheduler ticks and publishes Commands to
5777 /// NATS. Historical default, what every pre-v0.23 schedule
5778 /// uses. Agent offline ⇒ Command queued in STREAM_EXEC; agent
5779 /// reconnects ⇒ catch-up via [`command_replay`](crate)
5780 /// (see kanade-agent's command_replay module).
5781 #[default]
5782 Backend,
5783 /// Each targeted agent runs the cron tick locally. Survives
5784 /// broker / WAN outages. Best for laptops / mobile devices that
5785 /// roam off the corporate network. Agent must be online for the
5786 /// initial schedule + job-catalog pull, but once cached the
5787 /// agent fires the script standalone.
5788 Agent,
5789}
5790
5791/// Per-pc/per-target dedup semantics for a [`Schedule`] (v0.19).
5792#[derive(
5793 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
5794)]
5795#[serde(rename_all = "snake_case")]
5796pub enum ExecMode {
5797 /// Fire on every cron tick at the whole target. Historical
5798 /// (pre-v0.19) behavior; no dedup.
5799 #[default]
5800 EveryTick,
5801 /// Fire at each pc until that pc succeeds; then skip it until
5802 /// the optional cooldown elapses (or forever if no cooldown).
5803 /// Use for kitting / first-boot / per-pc compliance checks.
5804 OncePerPc,
5805 /// Fire at the whole target until **any** pc succeeds; then
5806 /// skip the whole target until the optional cooldown elapses
5807 /// (or forever if no cooldown). Use for "one delegate is
5808 /// enough" tasks like license check-in.
5809 OncePerTarget,
5810 /// #418 OS-native event trigger (`when: { on: [...] }`). There is
5811 /// no cron — the agent fires it from an OS event source (boot /
5812 /// session-change), not a tick — so the scheduler skips
5813 /// `tokio-cron` registration for it. Each event occurrence fires
5814 /// once, gated by the standard freeze / active / window /
5815 /// skip_dates checks.
5816 Event,
5817}
5818
5819/// #418 Phase 1 — the single "when does this fire" axis.
5820///
5821/// Replaces the old `cron` + `mode` + `cooldown` trio whose
5822/// interactions were implicit (cron doubled as both a real
5823/// time-of-day trigger and a reconcile poll period; contradictory
5824/// combinations silently no-opped). Two shapes:
5825///
5826/// * **reconcile** (`per_pc` / `per_target`) — desired-state: "each
5827/// pc (or one delegate) should have run this within `every`".
5828/// The poll period is system-generated ([`POLL_CRON`], every
5829/// minute) and no longer the operator's concern.
5830/// * **calendar** (`{ at, days }`) — a wall-clock time trigger
5831/// (#418 Phase 2, replacing the old raw-cron escape hatch). Fires
5832/// the whole target at the given time, no dedup. `at: "09:00"` +
5833/// `days` repeats; `at: "2026-06-10 09:00"` (a date+time) fires
5834/// exactly once. Evaluated in the schedule's top-level `tz`.
5835#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5836#[serde(rename_all = "snake_case")]
5837pub enum When {
5838 /// Fire at each targeted pc: `once` (kitting — succeed once,
5839 /// skip forever, forever catching brand-new / re-imaged pcs)
5840 /// or `{ every: <humantime> }` (patrol — re-arm per pc after
5841 /// the interval).
5842 PerPc(PerPolicy),
5843 /// Fire until **any** one pc of the target succeeds, then skip
5844 /// the whole target (`once`) or re-arm after `every`. Needs
5845 /// fleet-wide completion data, so it is backend-only —
5846 /// `runs_on: agent` + `per_target` is rejected by
5847 /// [`Schedule::validate`].
5848 PerTarget(PerPolicy),
5849 /// Calendar time trigger: `{ at: "09:00", days: [mon-fri] }`
5850 /// (repeating) or `{ at: "2026-06-10 09:00" }` (one-shot). Fires
5851 /// the whole target at that wall-clock time in the schedule's
5852 /// `tz` — no dedup, no cooldown.
5853 Calendar(CalendarSpec),
5854 /// #418 OS-native event trigger: `when: { on: [startup, logon] }`.
5855 /// Fires when the agent observes the listed OS event(s) rather than
5856 /// on a clock — there is no cron. `runs_on: agent` only (the agent
5857 /// owns the event source); [`Schedule::validate`] rejects it on
5858 /// `backend` and rejects an empty list. Each event occurrence fires
5859 /// once, gated by the same freeze / active / `constraints.window` /
5860 /// `skip_dates` checks as the cron path. `startup` fires once per OS
5861 /// boot (deduped via the host boot time); a `starting_deadline`, if
5862 /// set, limits it to "agent came up within that long after boot".
5863 On(Vec<OnTrigger>),
5864}
5865
5866/// An OS event the agent can fire a schedule on (#418 `when: { on }`).
5867#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Hash)]
5868#[serde(rename_all = "snake_case")]
5869pub enum OnTrigger {
5870 /// Once per OS boot (the agent's first run for that boot). Catches
5871 /// freshly-imaged / reinstalled hosts at their next startup.
5872 Startup,
5873 /// On an interactive-session user logon — console, RDP, or
5874 /// auto-logon (Windows `WTS_SESSION_LOGON`). Does not fire for
5875 /// service / network / batch logons (no interactive session).
5876 Logon,
5877 /// When the workstation is locked (Win+L / idle lock; Windows
5878 /// `WTS_SESSION_LOCK`). Use for step-away compliance / cleanup.
5879 Lock,
5880 /// When the workstation is unlocked — the user returns to a locked
5881 /// session (Windows `WTS_SESSION_UNLOCK`). Use to re-check
5882 /// compliance / refresh state when work resumes.
5883 Unlock,
5884 /// When the host's network changes — IP address table change on
5885 /// connect / disconnect / DHCP renew / VPN / Wi-Fi roam (Windows
5886 /// `NotifyAddrChange`). Debounced agent-side (a burst of changes
5887 /// from one transition fires once after the network settles), so
5888 /// use it for "re-check connectivity / re-register on network move"
5889 /// rather than expecting one fire per raw adapter event.
5890 ///
5891 /// IPv4 only: `NotifyAddrChange` watches the IPv4 address table, so a
5892 /// transition that touches only IPv6 addresses won't fire. In practice
5893 /// dual-stack networks change both tables together, but a pure-IPv6
5894 /// move (e.g. an IPv6-only Wi-Fi roam) is not detected.
5895 NetworkChange,
5896}
5897
5898/// Calendar time trigger (#418 Phase 2). `at` is either a time of
5899/// day (`"HH:MM"`, repeating — combine with `days`) or a full
5900/// date+time (`"YYYY-MM-DD HH:MM"`, a one-shot that fires once and
5901/// never again). Evaluated in the schedule's top-level `tz`.
5902#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
5903pub struct CalendarSpec {
5904 /// `"HH:MM"` (24h) for a repeating trigger, or
5905 /// `"YYYY-MM-DD HH:MM"` (hyphen / slash / `T` separators all
5906 /// accepted) for a one-shot. Parsed lazily —
5907 /// [`Schedule::validate`] rejects garbage at create time.
5908 pub at: String,
5909 /// Day-of-week filter for a time-of-day `at`: `["mon-fri"]`,
5910 /// `["mon","wed","fri"]`, … (passed verbatim to the cron DOW
5911 /// field, so ranges and names both work). An **nth-weekday**
5912 /// `["tue#2"]` fires only on the 2nd Tuesday of each month
5913 /// ("Patch Tuesday"); the ordinal is `1..5`. A **last-weekday**
5914 /// `["friL"]` fires only on the last Friday of each month (handy
5915 /// for monthly maintenance). Empty = every day. Must be empty
5916 /// when `at` carries a date (the date already pins the day).
5917 #[serde(default, skip_serializing_if = "Vec::is_empty")]
5918 pub days: Vec<String>,
5919}
5920
5921/// Parsed `CalendarSpec.at`: the wall-clock minute/hour, plus the
5922/// date for a one-shot (`None` = repeating time-of-day).
5923struct ParsedAt {
5924 minute: u32,
5925 hour: u32,
5926 date: Option<chrono::NaiveDate>,
5927}
5928
5929impl CalendarSpec {
5930 /// Parse `at`: a date+time (`YYYY-MM-DD HH:MM`, hyphen / slash /
5931 /// `T` separators) is a one-shot; a bare `HH:MM` is repeating.
5932 fn parse_at(&self) -> Result<ParsedAt, String> {
5933 use chrono::Timelike;
5934 let s = self.at.trim();
5935 for fmt in ["%Y-%m-%d %H:%M", "%Y-%m-%dT%H:%M", "%Y/%m/%d %H:%M"] {
5936 if let Ok(dt) = chrono::NaiveDateTime::parse_from_str(s, fmt) {
5937 return Ok(ParsedAt {
5938 minute: dt.minute(),
5939 hour: dt.hour(),
5940 date: Some(dt.date()),
5941 });
5942 }
5943 }
5944 if let Ok(t) = chrono::NaiveTime::parse_from_str(s, "%H:%M") {
5945 return Ok(ParsedAt {
5946 minute: t.minute(),
5947 hour: t.hour(),
5948 date: None,
5949 });
5950 }
5951 Err(format!(
5952 "when.at: unparseable '{}' (want HH:MM or YYYY-MM-DD HH:MM)",
5953 self.at
5954 ))
5955 }
5956
5957 /// Pre-flight check on the `days` tokens so a bad day name gives
5958 /// a `when.days:`-scoped error instead of croner's confusing
5959 /// "when.at lowered to invalid cron" (claude #432 review). Each
5960 /// token is a day name (`mon`..`sun`), a numeric DOW (`0`..`7`),
5961 /// `*`, a `-` range of those, an **nth-weekday** like `tue#2`
5962 /// (2nd Tuesday of the month — "Patch Tuesday"), or a
5963 /// **last-weekday** like `friL` (last Friday of the month).
5964 fn validate_days(&self) -> Result<(), String> {
5965 const NAMES: [&str; 7] = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"];
5966 let is_day = |p: &str| NAMES.contains(&p) || p.parse::<u8>().is_ok_and(|n| n <= 7);
5967 for tok in &self.days {
5968 // Report the whole token on a malformed range like `mon-`
5969 // (which would otherwise split to a cryptic empty part —
5970 // claude #432 follow-up).
5971 let invalid = |reason: &str| {
5972 Err(format!(
5973 "when.days: invalid day token '{tok}' ({reason}; \
5974 want mon..sun, 0-7, a range like mon-fri, an nth-weekday \
5975 like tue#2, a last-weekday like friL, or *)"
5976 ))
5977 };
5978 // #418: nth-weekday suffix (`tue#2` = 2nd Tuesday). Croner
5979 // accepts `<dow>#<n>` (n = 1..5) in the DOW field, and
5980 // `to_cron` passes the token through verbatim, so the
5981 // engine fires only on that occurrence. It's a single
5982 // weekday + ordinal — not combinable with a range.
5983 if let Some((day_part, nth_part)) = tok.split_once('#') {
5984 // Normalize once and use `d` consistently (gemini #547);
5985 // the outer `invalid` already echoes the raw `tok`.
5986 let d = day_part.trim().to_ascii_lowercase();
5987 if d.contains('-') || !is_day(&d) {
5988 return invalid("the part before # must be a single weekday");
5989 }
5990 match nth_part.trim().parse::<u8>() {
5991 Ok(n) if (1..=5).contains(&n) => {}
5992 _ => return invalid("the # ordinal must be 1..5 (e.g. tue#2 = 2nd Tuesday)"),
5993 }
5994 continue;
5995 }
5996 // #418: last-weekday suffix (`friL` = last Friday of the
5997 // month — the monthly-maintenance sibling of Patch Tuesday).
5998 // Croner accepts `<dow>L` in the DOW field with verified
5999 // last-<dow>-of-month semantics, and `to_cron` passes it
6000 // through verbatim. A single weekday + `L` — bare `L` and
6001 // ranges are rejected (croner would read bare `L` as
6002 // Saturday, which is a confusing footgun).
6003 if let Some(day_part) = tok.strip_suffix(['L', 'l']) {
6004 // No `.trim()`: a cron DOW token can't carry internal
6005 // whitespace, so `"fri L"` must be *rejected* here (its
6006 // strip leaves `"fri "`, and `is_day` catches the space)
6007 // rather than trimmed into a clean `"fri"` that then
6008 // produces a malformed `fri L` cron downstream and a
6009 // confusing croner error (gemini #560).
6010 let d = day_part.to_ascii_lowercase();
6011 if d.is_empty() {
6012 return invalid("`L` (last-weekday) needs a weekday before it, e.g. friL");
6013 }
6014 if d.contains('-') || !is_day(&d) {
6015 return invalid(
6016 "the part before L must be a single weekday (e.g. friL = last Friday)",
6017 );
6018 }
6019 continue;
6020 }
6021 for part in tok.split('-') {
6022 let p = part.trim().to_ascii_lowercase();
6023 if p.is_empty() {
6024 return invalid("empty range bound");
6025 }
6026 if p != "*" && !is_day(&p) {
6027 return invalid(&format!("'{part}' is not a day"));
6028 }
6029 }
6030 }
6031 Ok(())
6032 }
6033
6034 /// For a one-shot (`at` carries a date), the absolute instant it
6035 /// fires in `tz`. `None` for a repeating calendar. Used to warn
6036 /// about a one-shot whose date is already in the past (it would
6037 /// never fire).
6038 pub fn oneshot_instant(&self, tz: ScheduleTz) -> Option<chrono::DateTime<chrono::Utc>> {
6039 let p = self.parse_at().ok()?;
6040 let date = p.date?;
6041 let naive = date.and_hms_opt(p.hour, p.minute, 0)?;
6042 tz.naive_to_utc(naive)
6043 }
6044
6045 /// The wall-clock time-of-day this calendar fires at (`None` if
6046 /// `at` is unparseable — validate() guards that). Used to detect
6047 /// a calendar whose fire time can never fall inside its
6048 /// `constraints.window` (claude #452 review).
6049 pub fn fire_time(&self) -> Option<chrono::NaiveTime> {
6050 let p = self.parse_at().ok()?;
6051 chrono::NaiveTime::from_hms_opt(p.hour, p.minute, 0)
6052 }
6053
6054 /// Lower to the cron string the scheduler engine runs. Repeating
6055 /// → 6-field `0 {min} {hour} * * {dow}`; one-shot → 7-field
6056 /// `0 {min} {hour} {day} {month} * {year}` (a past year never
6057 /// fires — that's what makes it one-shot).
6058 fn to_cron(&self) -> Result<String, String> {
6059 use chrono::Datelike;
6060 let ParsedAt { minute, hour, date } = self.parse_at()?;
6061 match date {
6062 Some(d) => {
6063 if !self.days.is_empty() {
6064 return Err(
6065 "when.at with a date is a one-shot and cannot be combined with days".into(),
6066 );
6067 }
6068 Ok(format!(
6069 "0 {minute} {hour} {} {} * {}",
6070 d.day(),
6071 d.month(),
6072 d.year()
6073 ))
6074 }
6075 None => {
6076 let dow = if self.days.is_empty() {
6077 "*".to_string()
6078 } else {
6079 self.validate_days()?;
6080 self.days.join(",")
6081 };
6082 Ok(format!("0 {minute} {hour} * * {dow}"))
6083 }
6084 }
6085 }
6086}
6087
6088/// The timezone a schedule's wall-clock fields (`when.at`,
6089/// `active.{from,until}`) are evaluated in (#418 Phase 2).
6090#[derive(
6091 Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq, Default,
6092)]
6093#[serde(rename_all = "snake_case")]
6094pub enum ScheduleTz {
6095 /// The running host's local timezone — the agent's for
6096 /// `runs_on: agent`, the backend server's otherwise. Default.
6097 #[default]
6098 Local,
6099 /// UTC — for timezone-independent schedules.
6100 Utc,
6101}
6102
6103impl ScheduleTz {
6104 /// Interpret a naive (zoneless) datetime as being in this tz and
6105 /// convert to UTC. On a DST *fold* (the local time occurs twice
6106 /// when clocks go back) we pick `.earliest()` rather than
6107 /// rejecting it; `None` is reserved for a true DST *gap* (a local
6108 /// time that never exists). `Utc` is fixed-offset so neither ever
6109 /// happens; `Local` is whatever timezone the running host is set
6110 /// to and *can* hit a gap/fold on any DST-observing host — not
6111 /// just the JST we run today (gemini + claude #432 review).
6112 fn naive_to_utc(self, naive: chrono::NaiveDateTime) -> Option<chrono::DateTime<chrono::Utc>> {
6113 use chrono::TimeZone;
6114 match self {
6115 ScheduleTz::Utc => Some(chrono::DateTime::from_naive_utc_and_offset(
6116 naive,
6117 chrono::Utc,
6118 )),
6119 ScheduleTz::Local => chrono::Local
6120 .from_local_datetime(&naive)
6121 .earliest()
6122 .map(|dt| dt.with_timezone(&chrono::Utc)),
6123 }
6124 }
6125
6126 /// The wall-clock time-of-day `now` reads as in this tz — used by
6127 /// [`Constraints::allows`] to test a maintenance window
6128 /// (#418 Phase 3). `Utc` is the naive UTC time; `Local` is the
6129 /// running host's local time.
6130 fn wall_time(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveTime {
6131 match self {
6132 ScheduleTz::Utc => now.time(),
6133 ScheduleTz::Local => now.with_timezone(&chrono::Local).time(),
6134 }
6135 }
6136
6137 /// The wall-clock *date* `now` reads as in this tz — used by
6138 /// [`Constraints::allows`] to test `skip_dates` (#418 holiday
6139 /// exclusion). Same tz semantics as [`Self::wall_time`].
6140 fn wall_date(self, now: chrono::DateTime<chrono::Utc>) -> chrono::NaiveDate {
6141 match self {
6142 ScheduleTz::Utc => now.date_naive(),
6143 ScheduleTz::Local => now.with_timezone(&chrono::Local).date_naive(),
6144 }
6145 }
6146
6147 /// Stable lowercase wire/display label (`local` / `utc`) — matches
6148 /// the serde `snake_case` representation. Used for the preview
6149 /// response's `tz` field so the JSON shape isn't coupled to the
6150 /// `Debug` repr (claude #578 review).
6151 pub fn as_str(self) -> &'static str {
6152 match self {
6153 ScheduleTz::Local => "local",
6154 ScheduleTz::Utc => "utc",
6155 }
6156 }
6157}
6158
6159impl std::fmt::Display for ScheduleTz {
6160 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
6161 f.write_str(self.as_str())
6162 }
6163}
6164
6165/// `once` vs `{ every: <humantime> }` — shared by `per_pc` /
6166/// `per_target`. Untagged so the YAML stays the bare keyword or a
6167/// one-key map, nothing more ceremonial.
6168#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
6169#[serde(untagged)]
6170pub enum PerPolicy {
6171 /// The bare string `once`: succeed once, then skip permanently
6172 /// (cooldown = infinity).
6173 Once(OnceLiteral),
6174 /// Re-arm after the humantime interval, e.g. `{ every: 6h }`.
6175 Every(EverySpec),
6176}
6177
6178/// Single-variant enum so serde accepts exactly the string `once`
6179/// (a free-form `String` would swallow typos like `onec`).
6180#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Copy, PartialEq, Eq)]
6181#[serde(rename_all = "snake_case")]
6182pub enum OnceLiteral {
6183 Once,
6184}
6185
6186/// `{ every: <humantime> }`. Standalone struct (not an inline
6187/// struct variant). `{ evry: 6h }` still fails to parse (the
6188/// required `every` key is missing), and the create boundaries
6189/// reject the unknown `evry` via [`crate::strict`] with its path —
6190/// while agents reading a future writer's extra fields tolerate
6191/// them (#492).
6192#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
6193pub struct EverySpec {
6194 /// Humantime interval (`10m`, `6h`, `1d`...). Parsed lazily —
6195 /// [`Schedule::validate`] rejects garbage at create time.
6196 pub every: String,
6197}
6198
6199impl PerPolicy {
6200 /// The cooldown this policy lowers to: `once` = `None`
6201 /// (permanent skip), `every` = the interval.
6202 fn cooldown(&self) -> Option<String> {
6203 match self {
6204 PerPolicy::Once(_) => None,
6205 PerPolicy::Every(EverySpec { every }) => Some(every.clone()),
6206 }
6207 }
6208}
6209
6210impl std::fmt::Display for When {
6211 /// Operator-facing one-liner (`per_pc once` / `per_pc every 6h`
6212 /// / `at 09:00 [mon-fri]` / `at 2026-06-10 09:00`) for log
6213 /// lines, audit payloads and the API's `ScheduleSummary`.
6214 fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
6215 let policy = |p: &PerPolicy| match p {
6216 PerPolicy::Once(_) => "once".to_string(),
6217 PerPolicy::Every(EverySpec { every }) => format!("every {every}"),
6218 };
6219 match self {
6220 When::PerPc(p) => write!(f, "per_pc {}", policy(p)),
6221 When::PerTarget(p) => write!(f, "per_target {}", policy(p)),
6222 When::Calendar(c) if c.days.is_empty() => write!(f, "at {}", c.at),
6223 When::Calendar(c) => write!(f, "at {} [{}]", c.at, c.days.join(",")),
6224 When::On(triggers) => {
6225 let names: Vec<&str> = triggers.iter().map(|t| t.as_str()).collect();
6226 write!(f, "on [{}]", names.join(","))
6227 }
6228 }
6229 }
6230}
6231
6232impl OnTrigger {
6233 /// Lowercase wire/display label (matches the serde `snake_case`).
6234 pub fn as_str(self) -> &'static str {
6235 match self {
6236 OnTrigger::Startup => "startup",
6237 OnTrigger::Logon => "logon",
6238 OnTrigger::Lock => "lock",
6239 OnTrigger::Unlock => "unlock",
6240 OnTrigger::NetworkChange => "network_change",
6241 }
6242 }
6243}
6244
6245/// Optional validity window for a [`Schedule`] (#418 decision G).
6246/// Half-open `[from, until)`; either bound may be omitted. Bounds
6247/// are `YYYY-MM-DD` (= that day's 00:00 in the schedule's `tz`) or
6248/// full RFC3339 (offset is honored as-is, `tz` ignored). Kept as
6249/// strings so the JSON Schema the SPA editor consumes stays two
6250/// plain string fields, mirroring `jitter` / `starting_deadline`.
6251///
6252/// #418 Phase 2: bounds are evaluated in the schedule's top-level
6253/// `tz` (was UTC-only in Phase 1) so `tz: local` makes both the
6254/// calendar `at` AND the `active` window local — one consistent
6255/// timezone per schedule.
6256#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
6257pub struct Active {
6258 /// Dormant before this instant.
6259 #[serde(default, skip_serializing_if = "Option::is_none")]
6260 pub from: Option<String>,
6261 /// Dormant from this instant on (exclusive).
6262 #[serde(default, skip_serializing_if = "Option::is_none")]
6263 pub until: Option<String>,
6264}
6265
6266impl Active {
6267 /// `skip_serializing_if` helper — an empty window means "always
6268 /// active" and is omitted from the wire format entirely.
6269 pub fn is_empty(&self) -> bool {
6270 self.from.is_none() && self.until.is_none()
6271 }
6272
6273 /// Parse one bound: RFC3339 first (offset honored, `tz`
6274 /// ignored), then bare `YYYY-MM-DD` (00:00 in `tz`).
6275 pub fn parse_bound(s: &str, tz: ScheduleTz) -> Result<chrono::DateTime<chrono::Utc>, String> {
6276 if let Ok(dt) = chrono::DateTime::parse_from_rfc3339(s) {
6277 return Ok(dt.with_timezone(&chrono::Utc));
6278 }
6279 if let Ok(d) = chrono::NaiveDate::parse_from_str(s, "%Y-%m-%d") {
6280 let midnight = d.and_hms_opt(0, 0, 0).expect("00:00:00 is always valid");
6281 return tz.naive_to_utc(midnight).ok_or_else(|| {
6282 format!("active: bound '{s}' falls in a DST gap for the schedule's tz")
6283 });
6284 }
6285 Err(format!(
6286 "active: unparseable bound '{s}' (want YYYY-MM-DD or RFC3339)"
6287 ))
6288 }
6289
6290 /// Is `now` inside the window? Unparseable bounds are treated
6291 /// as absent here (fail-open) — [`Schedule::validate`] is the
6292 /// place that rejects them loudly; this runs on every tick and
6293 /// must never panic on a stale KV blob.
6294 pub fn contains(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
6295 let bound = |s: &Option<String>| s.as_deref().and_then(|s| Self::parse_bound(s, tz).ok());
6296 if bound(&self.from).is_some_and(|from| now < from) {
6297 return false;
6298 }
6299 if bound(&self.until).is_some_and(|until| now >= until) {
6300 return false;
6301 }
6302 true
6303 }
6304}
6305
6306/// Host-environment gate (#418 `constraints.require`). Fire only when
6307/// the target host is in the required state. Sensed **in-process by the
6308/// agent** (Win32), so it is `runs_on: agent` only — the backend cannot
6309/// read a target host's power/idle state ([`Schedule::validate`]
6310/// rejects it on `runs_on: backend`, symmetric with `when: { on }`).
6311///
6312/// Evaluated at fire time as a skip-this-tick gate (NOT in
6313/// [`Constraints::allows`], which stays pure for `preview`): a reconcile
6314/// cadence re-checks every minute (so it effectively defers until the
6315/// state is met — the intended pairing); a `calendar` fire that lands
6316/// while the state is unmet is simply missed, same as `window`. It is
6317/// therefore a *runtime* gate and does not appear in `preview`.
6318// No `Eq`: `cpu_below: Option<f64>` is only `PartialEq` (f64 is not Eq).
6319#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
6320pub struct Require {
6321 /// Fire only while on **AC power** (skip on battery). Reads
6322 /// `GetSystemPowerStatus`; an unknown/unreadable status is treated
6323 /// as not-on-AC (fail-closed — a restrictive gate must not fire
6324 /// when it can't confirm the condition). `false` (default) = no
6325 /// power requirement.
6326 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
6327 pub ac_power: bool,
6328 /// Fire only when the active console session has had **no keyboard /
6329 /// mouse input for at least this long** (humantime, e.g. `"10m"`) —
6330 /// "don't run while the user is actively working". Input-based
6331 /// (simpler than Task Scheduler's CPU/disk-aware idle). A
6332 /// headless / disconnected console (no interactive user) trivially
6333 /// satisfies it. `None` (default) = no idle requirement. Parsed
6334 /// lazily; [`Schedule::validate`] rejects garbage at create time.
6335 #[serde(default, skip_serializing_if = "Option::is_none")]
6336 pub idle: Option<String>,
6337 /// Fire only when the **whole-machine CPU usage is below this
6338 /// percent** (0–100; e.g. `20.0` = "system CPU < 20%") — "don't run
6339 /// while the box is busy". Reuses the agent's `host_perf` system CPU%
6340 /// sample (`sysinfo` mean over cores), so the reading is up to one
6341 /// `host_perf` cadence old (default 60s) — fine as a "generally
6342 /// busy?" proxy, and more accurate than a fresh one-shot read (CPU%
6343 /// needs two samples). An unavailable sample (host_perf not warmed
6344 /// up yet, or stale) is treated as "not below" (fail-closed — a
6345 /// restrictive gate must not fire when it can't confirm). `None`
6346 /// (default) = no CPU requirement. [`Schedule::validate`] rejects an
6347 /// out-of-range value at create time.
6348 #[serde(default, skip_serializing_if = "Option::is_none")]
6349 pub cpu_below: Option<f64>,
6350 /// Fire only when the host has **internet connectivity** (Windows
6351 /// `GetNetworkConnectivityHint` reports InternetAccess) — "don't run
6352 /// until online" for jobs that download / phone home. A captive
6353 /// portal (ConstrainedInternetAccess), LAN-only (LocalAccess), or
6354 /// unknown/unreadable state is treated as offline (fail-closed) — a
6355 /// portal would just fail a download, so we hold the run. For VPN /
6356 /// SASE / app-specific conditions, use a custom script gate (separate
6357 /// slice). `false` (default) = no network requirement.
6358 #[serde(default, skip_serializing_if = "std::ops::Not::not")]
6359 pub network: bool,
6360}
6361
6362impl Require {
6363 /// `skip_serializing_if` helper for an embedded empty `require`.
6364 pub fn is_empty(&self) -> bool {
6365 !self.ac_power && self.idle.is_none() && self.cpu_below.is_none() && !self.network
6366 }
6367
6368 /// Parsed minimum-idle duration (`None` = no idle requirement, or an
6369 /// unparseable value — `validate` rejects the latter at create time).
6370 pub fn min_idle(&self) -> Option<std::time::Duration> {
6371 self.idle
6372 .as_deref()
6373 .and_then(|s| humantime::parse_duration(s.trim()).ok())
6374 }
6375
6376 /// First unparseable field for create-time rejection (mirrors
6377 /// [`Constraints::bad_skip_date`]).
6378 pub fn bad_idle(&self) -> Option<String> {
6379 self.idle.as_deref().and_then(|s| {
6380 humantime::parse_duration(s.trim())
6381 .err()
6382 .map(|e| format!("constraints.require.idle: invalid duration '{s}': {e}"))
6383 })
6384 }
6385}
6386
6387/// Host-environment state sensed by the agent, fed to [`require_met`].
6388/// A named struct (not positional args) so the growing set of sensed
6389/// signals — several of them `bool` — can't be transposed at a call
6390/// site. The Win32 sensing lives in `kanade-agent::env_gate`.
6391#[derive(Debug, Clone, Copy, Default)]
6392pub struct EnvState {
6393 /// Is the host on AC power (`false` if on battery or unreadable).
6394 pub ac_online: bool,
6395 /// How long the console has been idle (`None` = couldn't determine).
6396 pub idle: Option<std::time::Duration>,
6397 /// Whole-machine CPU usage 0–100 (`None` = no sample yet).
6398 pub cpu_pct: Option<f64>,
6399 /// Does the host have internet connectivity (`false` if offline /
6400 /// LAN-only / unreadable).
6401 pub network_up: bool,
6402}
6403
6404/// Pure env-gate decision (#418 `constraints.require`). The Win32
6405/// sensing lives in the agent (`kanade-agent::env_gate`); this is the
6406/// testable core, fed the already-sensed [`EnvState`]. Deliberately a
6407/// free fn (not folded into [`Constraints::allows`]) so `allows` stays
6408/// pure and `preview` never evaluates a runtime gate. Each set
6409/// requirement is a restrictive AND: any unmet (or unknown) gate skips.
6410pub fn require_met(req: &Require, env: &EnvState) -> bool {
6411 if req.ac_power && !env.ac_online {
6412 return false;
6413 }
6414 if let Some(min) = req.min_idle() {
6415 match env.idle {
6416 Some(d) if d >= min => {}
6417 _ => return false,
6418 }
6419 }
6420 if let Some(max) = req.cpu_below {
6421 match env.cpu_pct {
6422 Some(p) if p < max => {}
6423 _ => return false,
6424 }
6425 }
6426 if req.network && !env.network_up {
6427 return false;
6428 }
6429 true
6430}
6431
6432/// [`Active`] decides *over what date range* a schedule is live,
6433/// `Constraints` decides *when, within an active period,* a fire is
6434/// allowed: `window` (a maintenance time-of-day window),
6435/// `max_concurrent` (a fleet-wide running-instance cap), `skip_dates`
6436/// (holiday exclusion) and `require` (host-environment gates, agent-only
6437/// — see [`Require`]).
6438// No `Eq`: contains `require: Option<Require>` which holds an f64.
6439#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq)]
6440pub struct Constraints {
6441 /// `"HH:MM-HH:MM"` wall-clock window (evaluated in the schedule's
6442 /// `tz`). Fires outside it are skipped — mainly for reconcile
6443 /// cadences ("patrol every 6h, but only fire overnight") and
6444 /// daytime change-freezes. `start > end` crosses midnight
6445 /// (`"22:00-05:00"` = 22:00 through 05:00 next morning). Parsed
6446 /// lazily; [`Schedule::validate`] rejects garbage at create time.
6447 #[serde(default, skip_serializing_if = "Option::is_none")]
6448 pub window: Option<String>,
6449 /// Fleet-wide cap on how many instances of this schedule's job may
6450 /// run **at the same time** (#418 "同時実行ハード上限"). The
6451 /// backend scheduler counts the job's still-in-flight runs
6452 /// (`execution_results.finished_at IS NULL`) each tick and only
6453 /// dispatches to as many remaining pcs as there are free slots —
6454 /// a rolling window that refills as runs complete. Useful for
6455 /// disk/CPU/network-heavy jobs you don't want hammering the whole
6456 /// fleet at once.
6457 ///
6458 /// **Backend-only** (it needs a central counter): combining it
6459 /// with `runs_on: agent` is rejected by [`Schedule::validate`]
6460 /// (#418 decision E — "中央上限には中央が要る"). Most meaningful
6461 /// for `per_pc` reconcile cadences, where the poll re-ticks and
6462 /// refills slots. `None` (default) = no cap.
6463 #[serde(default, skip_serializing_if = "Option::is_none")]
6464 pub max_concurrent: Option<u32>,
6465 /// Calendar dates the schedule must **not** fire on — holidays,
6466 /// blackout days, one-off freeze dates (#418 "祝日除外"). Each is
6467 /// `YYYY-MM-DD`, evaluated as a wall-clock date in the schedule's
6468 /// `tz`. Applies to every `when` shape (a reconcile cadence skips
6469 /// the whole day; a calendar fire landing on the date is
6470 /// suppressed) and is honored by both the live scheduler and
6471 /// `preview`, since both gate on [`Constraints::allows`]. Empty
6472 /// (default) = no skips. Operator-supplied: there is no built-in
6473 /// holiday calendar — list the dates you care about. Parsed lazily;
6474 /// [`Schedule::validate`] rejects a malformed date at create time.
6475 #[serde(default, skip_serializing_if = "Vec::is_empty")]
6476 pub skip_dates: Vec<String>,
6477 /// Host-environment gate (#418): fire only when the target host is
6478 /// in the required state (on AC power, idle). Agent-sensed at fire
6479 /// time, `runs_on: agent` only. See [`Require`]. `None` (default) =
6480 /// no environment requirement.
6481 #[serde(default, skip_serializing_if = "Option::is_none")]
6482 pub require: Option<Require>,
6483}
6484
6485impl Constraints {
6486 /// `skip_serializing_if` helper — empty constraints are omitted
6487 /// from the wire format entirely.
6488 pub fn is_empty(&self) -> bool {
6489 self.window.is_none()
6490 && self.max_concurrent.is_none()
6491 && self.skip_dates.is_empty()
6492 && self.require.as_ref().is_none_or(Require::is_empty)
6493 }
6494
6495 /// The first unparseable `skip_dates` entry, if any — the
6496 /// scheduler logs it at register time so a fail-closed
6497 /// (never-firing) schedule from a hand-edited KV blob is
6498 /// diagnosable, mirroring [`Schedule::bad_window`].
6499 pub fn bad_skip_date(&self) -> Option<String> {
6500 self.skip_dates.iter().find_map(|s| {
6501 chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d")
6502 .err()
6503 .map(|e| format!("constraints.skip_dates: invalid date '{s}': {e}"))
6504 })
6505 }
6506
6507 /// Parse `"HH:MM-HH:MM"` into `(start, end)`. Equal bounds are an
6508 /// error (a zero-width or all-day window is ambiguous — write no
6509 /// window for "always").
6510 pub fn parse_window(s: &str) -> Result<(chrono::NaiveTime, chrono::NaiveTime), String> {
6511 let (a, b) = s
6512 .split_once('-')
6513 .ok_or_else(|| format!("constraints.window: '{s}' must be 'HH:MM-HH:MM'"))?;
6514 let parse = |part: &str| {
6515 chrono::NaiveTime::parse_from_str(part.trim(), "%H:%M")
6516 .map_err(|e| format!("constraints.window: invalid time '{}': {e}", part.trim()))
6517 };
6518 let (start, end) = (parse(a)?, parse(b)?);
6519 if start == end {
6520 return Err(format!(
6521 "constraints.window: start and end are equal ('{s}'); omit window for 'always'"
6522 ));
6523 }
6524 Ok((start, end))
6525 }
6526
6527 /// Is a fire allowed at `now` (evaluated in `tz`)? No window =
6528 /// always allowed. Half-open `[start, end)`; `start > end`
6529 /// crosses midnight.
6530 ///
6531 /// **Fail-closed** on an unparseable window (returns `false`,
6532 /// gemini #452 review): a window is a *restrictive* constraint
6533 /// (change-freeze / overnight-only), so a corrupt one must NOT
6534 /// silently allow fires during the restricted hours. Bad windows
6535 /// are rejected at create time by [`Schedule::validate`]; this
6536 /// only bites a hand-edited KV blob, where blocking is the safe
6537 /// direction. The scheduler warns at register time
6538 /// ([`Schedule::bad_window`]) so a stuck schedule is diagnosable.
6539 /// The tick path never panics regardless.
6540 pub fn allows(&self, now: chrono::DateTime<chrono::Utc>, tz: ScheduleTz) -> bool {
6541 // #418 holiday / blackout dates: never fire on a listed wall
6542 // date (in `tz`). Checked before the window since a skipped day
6543 // overrides any within-window allowance. Fail-closed on a
6544 // corrupt entry (same posture as `window`): a skip date is a
6545 // *restrictive* constraint, so a garbled one must not silently
6546 // re-enable fires — it blocks until fixed (`validate` rejects it
6547 // at create time; `bad_skip_date` lets the scheduler warn).
6548 if !self.skip_dates.is_empty() {
6549 let today = tz.wall_date(now);
6550 let blocked = self.skip_dates.iter().any(|s| {
6551 match chrono::NaiveDate::parse_from_str(s.trim(), "%Y-%m-%d") {
6552 Ok(d) => d == today,
6553 Err(_) => true, // corrupt entry → fail-closed (block)
6554 }
6555 });
6556 if blocked {
6557 return false;
6558 }
6559 }
6560 match self.window.as_deref() {
6561 // No window → always allowed.
6562 None => true,
6563 // Window set: membership, or fail-closed if unparseable
6564 // (`window_contains` returns None for a corrupt window).
6565 Some(_) => self.window_contains(tz.wall_time(now)).unwrap_or(false),
6566 }
6567 }
6568
6569 /// Membership of a wall-clock time-of-day in the window. `None`
6570 /// when there is no window or it's unparseable (callers decide
6571 /// the failure direction). `start > end` crosses midnight.
6572 fn window_contains(&self, t: chrono::NaiveTime) -> Option<bool> {
6573 let (start, end) = Self::parse_window(self.window.as_deref()?).ok()?;
6574 Some(if start <= end {
6575 start <= t && t < end
6576 } else {
6577 t >= start || t < end
6578 })
6579 }
6580}
6581
6582/// What to do when a fire's script fails (#418 Phase 4 — the "高"
6583/// retry/backoff gap). Where [`Constraints`] gates *whether* a fire
6584/// happens, `OnFailure` decides what happens *after* one ran and
6585/// came back bad. Only `retry` so far; future `notify` / `disable`
6586/// would join the same namespace.
6587#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
6588pub struct OnFailure {
6589 /// Re-run the script in-process when it exits non-zero (or times
6590 /// out), up to a cap, with a fixed backoff between attempts.
6591 /// `None` (default) = no retry: a failed run is published as-is
6592 /// and (for reconcile cadences) simply re-fires on the next poll
6593 /// tick. See [`Retry`].
6594 #[serde(default, skip_serializing_if = "Option::is_none")]
6595 pub retry: Option<Retry>,
6596}
6597
6598impl OnFailure {
6599 /// `skip_serializing_if` helper — an empty policy is omitted from
6600 /// the wire format entirely.
6601 pub fn is_empty(&self) -> bool {
6602 self.retry.is_none()
6603 }
6604
6605 /// Lower the operator-facing `retry` (humantime backoff) onto the
6606 /// engine vocabulary the agent's executor runs on (backoff in
6607 /// whole seconds). Single seam shared by the backend command
6608 /// builder and the agent's local scheduler so the two stamp the
6609 /// same [`crate::wire::RetrySpec`] onto every Command. Returns
6610 /// `None` when there is no retry policy or the backoff is
6611 /// unparseable (validate() rejects the latter at create time;
6612 /// this stays fail-safe = "no retry" for a hand-edited KV blob
6613 /// rather than panicking on the fire path).
6614 pub fn lowered_retry(&self) -> Option<crate::wire::RetrySpec> {
6615 let r = self.retry.as_ref()?;
6616 let backoff_secs = humantime::parse_duration(&r.backoff).ok()?.as_secs();
6617 Some(crate::wire::RetrySpec {
6618 max: r.max,
6619 backoff_secs,
6620 })
6621 }
6622}
6623
6624/// Fixed-backoff retry policy (#418 Phase 4). `max` is the number of
6625/// *additional* attempts after the first run (so `max: 3` = up to 4
6626/// total executions); `backoff` is the humantime delay slept between
6627/// attempts. The retry happens fire-side (inside `kanade fire` /
6628/// `handle_command`) on every OS for the PoC — the Windows-native
6629/// "restart on failure" Task Scheduler path is deferred to the
6630/// native-delegation phase (#418 decision H).
6631#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, PartialEq, Eq)]
6632pub struct Retry {
6633 /// Max additional attempts after the first failure. Bounded
6634 /// `1..=10` by [`Schedule::validate`] — a typo'd `max: 1000`
6635 /// with a short backoff would otherwise pin a flapping script in
6636 /// a tight loop for the whole window.
6637 pub max: u32,
6638 /// Humantime delay slept between attempts (`"10m"`, `"30s"`).
6639 pub backoff: String,
6640}
6641
6642/// Fleet-wide change-freeze (#418 Phase 5 — the "メンテナンス窓 /
6643/// 変更凍結" gap's global half). Where [`Constraints::window`] is a
6644/// *per-schedule* time-of-day gate, a `Freeze` is a *single, fleet-
6645/// global* "stop all automated change" switch the operator flips
6646/// during an incident or a year-end change-freeze. It lives in its
6647/// own KV singleton ([`crate::kv::KEY_FREEZE`]); when present and
6648/// active, both the backend scheduler and every agent's local
6649/// scheduler skip *every* fire.
6650///
6651/// Shapes:
6652/// * `{}` (no bounds) — frozen indefinitely until the operator
6653/// clears it (incident "big red button").
6654/// * `{ from, until }` — frozen only within `[from, until)`,
6655/// evaluated in `tz` (planned change-freeze; auto-thaws).
6656///
6657/// The KV key being *absent* means "not frozen" — so clearing the
6658/// freeze is a KV delete, and `is_active` only ever runs on a freeze
6659/// the operator actually set.
6660#[derive(Serialize, Deserialize, schemars::JsonSchema, Debug, Clone, Default, PartialEq, Eq)]
6661pub struct Freeze {
6662 /// Frozen from this instant (RFC3339 or bare `YYYY-MM-DD` in
6663 /// `tz`). `None` ⇒ frozen from the beginning of time.
6664 #[serde(default, skip_serializing_if = "Option::is_none")]
6665 pub from: Option<String>,
6666 /// Thawed from this instant on, exclusive. `None` ⇒ frozen with
6667 /// no scheduled end (manual clear required).
6668 #[serde(default, skip_serializing_if = "Option::is_none")]
6669 pub until: Option<String>,
6670 /// Operator-supplied note surfaced on the freeze-skip log and the
6671 /// SPA banner ("year-end change freeze", "INC-1234"). Advisory.
6672 #[serde(default, skip_serializing_if = "Option::is_none")]
6673 pub reason: Option<String>,
6674 /// Timezone the bare-date bounds are evaluated in (RFC3339 bounds
6675 /// carry their own offset). Defaults to host-local like a
6676 /// schedule's `tz`.
6677 #[serde(default)]
6678 pub tz: ScheduleTz,
6679}
6680
6681impl Freeze {
6682 /// Is the fleet frozen at `now`? An empty window (`from`/`until`
6683 /// both absent) is frozen unconditionally; otherwise membership of
6684 /// `[from, until)` in `tz`. Half-open like [`Active::contains`],
6685 /// but **fails CLOSED** on an unparseable bound — a freeze is a
6686 /// safety switch, so a corrupt window (only reachable via a
6687 /// hand-edited KV blob; `validate` rejects it at set time) must
6688 /// mean "frozen", not "fire normally" (coderabbit #472). This is
6689 /// the one deliberate divergence from `active`'s fail-OPEN
6690 /// behaviour, where an unparseable bound dormant-skips a schedule.
6691 pub fn is_active(&self, now: chrono::DateTime<chrono::Utc>) -> bool {
6692 // Parse a bound; an unparseable one short-circuits the whole
6693 // check to `true` (frozen) via the closure's `None` sentinel
6694 // handled below.
6695 let bound = |s: &Option<String>| -> Result<Option<chrono::DateTime<chrono::Utc>>, ()> {
6696 match s.as_deref() {
6697 None => Ok(None),
6698 Some(raw) => Active::parse_bound(raw, self.tz).map(Some).map_err(|_| ()),
6699 }
6700 };
6701 let (from, until) = match (bound(&self.from), bound(&self.until)) {
6702 (Ok(f), Ok(u)) => (f, u),
6703 // Any corrupt bound → fail closed (frozen).
6704 _ => return true,
6705 };
6706 if from.is_some_and(|f| now < f) {
6707 return false;
6708 }
6709 if until.is_some_and(|u| now >= u) {
6710 return false;
6711 }
6712 true
6713 }
6714
6715 /// Reject unparseable bounds / `from >= until` at set time (the
6716 /// API + CLI counterpart to [`Schedule::validate`]).
6717 pub fn validate(&self) -> Result<(), String> {
6718 let from = self
6719 .from
6720 .as_deref()
6721 .map(|s| Active::parse_bound(s, self.tz))
6722 .transpose()
6723 .map_err(|e| e.replace("active:", "freeze:"))?;
6724 let until = self
6725 .until
6726 .as_deref()
6727 .map(|s| Active::parse_bound(s, self.tz))
6728 .transpose()
6729 .map_err(|e| e.replace("active:", "freeze:"))?;
6730 if let (Some(f), Some(u)) = (from, until) {
6731 if f >= u {
6732 return Err(format!(
6733 "freeze.from ({}) must be strictly before freeze.until ({})",
6734 self.from.as_deref().unwrap_or_default(),
6735 self.until.as_deref().unwrap_or_default(),
6736 ));
6737 }
6738 }
6739 Ok(())
6740 }
6741}
6742
6743/// The system-generated poll cadence every reconcile-shaped `when`
6744/// lowers to. Operators never write this: the real inter-run
6745/// spacing is the `every` cooldown; this only bounds "how soon do
6746/// we notice somebody is due" (#418 decision B took the poll
6747/// period away from the operator).
6748pub const POLL_CRON: &str = "0 * * * * *";
6749
6750/// What a [`When`] lowers to — the exact (cron, mode, cooldown)
6751/// trio the pre-#418 engine ran on. Keeping the engine vocabulary
6752/// unchanged is what lets Phase 1 swap the operator surface without
6753/// touching the tick / dedup machinery.
6754pub struct Lowered {
6755 /// Cron handed to `tokio-cron-scheduler` — [`POLL_CRON`] for
6756 /// reconcile shapes, a 6/7-field cron for calendar shapes.
6757 pub cron: String,
6758 /// Dedup semantics for `decide_fire`.
6759 pub mode: ExecMode,
6760 /// Humantime re-arm interval (`None` = succeed once, skip
6761 /// forever).
6762 pub cooldown: Option<String>,
6763 /// Timezone to evaluate `cron` in (#418 Phase 2). The scheduler
6764 /// passes this to `Job::new_async_tz`. Reconcile shapes carry
6765 /// the schedule's tz too even though POLL_CRON is tz-agnostic,
6766 /// so the same value drives the `active`-window check.
6767 pub tz: ScheduleTz,
6768}
6769
6770impl Schedule {
6771 /// The error message if this schedule's `constraints.window` is
6772 /// set but unparseable, else `None`. The scheduler logs this at
6773 /// register time so a fail-closed (never-firing) schedule from a
6774 /// hand-edited KV blob is diagnosable (gemini #452 review).
6775 pub fn bad_window(&self) -> Option<String> {
6776 let w = self.constraints.window.as_deref()?;
6777 Constraints::parse_window(w).err()
6778 }
6779
6780 /// True when this is a `calendar` schedule whose fire time can
6781 /// never fall inside its `constraints.window` — the cron fires,
6782 /// the window check rejects it, and (firing only at that
6783 /// time-of-day) it effectively never runs. An easy misconfig to
6784 /// set up by accident; the scheduler warns at register time
6785 /// (claude #452 review). Reconcile shapes poll every minute, so
6786 /// they always catch the window opening and aren't affected.
6787 pub fn calendar_outside_window(&self) -> bool {
6788 let When::Calendar(c) = &self.when else {
6789 return false;
6790 };
6791 let Some(t) = c.fire_time() else {
6792 return false;
6793 };
6794 matches!(self.constraints.window_contains(t), Some(false))
6795 }
6796
6797 /// Up to `count` future instants this schedule will fire, as
6798 /// absolute UTC, strictly after `now` — the dry-run / preview
6799 /// surface (#418 "ドライラン / プレビュー"). Only **calendar**
6800 /// schedules have discrete fire times; reconcile shapes
6801 /// (`per_pc`/`per_target`) poll every minute gated by cooldown, so
6802 /// they return an empty vec and the caller describes the cadence
6803 /// instead. Occurrences outside the `active.{from,until}` window or
6804 /// the `constraints.window` are **skipped**, so the list reflects
6805 /// when the schedule will ACTUALLY run, not the raw cron ticks.
6806 /// Evaluated in the schedule's `tz`, exactly like the scheduler's
6807 /// `Job::new_async_tz`, and with the same croner config the
6808 /// scheduler / [`Schedule::validate`] use, so a preview can never
6809 /// disagree with a real fire. A schedule that can never fire (a
6810 /// calendar time wholly outside its window, a past one-shot,
6811 /// `enabled: false` is *not* considered here — callers gate on
6812 /// `enabled` separately) yields an empty vec.
6813 pub fn preview_fires(
6814 &self,
6815 now: chrono::DateTime<chrono::Utc>,
6816 count: usize,
6817 ) -> Vec<chrono::DateTime<chrono::Utc>> {
6818 use croner::parser::{CronParser, Seconds};
6819 if !matches!(self.when, When::Calendar(_)) {
6820 return Vec::new();
6821 }
6822 // Same lowering + croner config as `next_calendar_fire` and the
6823 // live scheduler, so a preview can never disagree with a real
6824 // fire. `preview_fires` adds the N-occurrence walk and the
6825 // active / window filtering on top of that single seam.
6826 let lowered = self.lowered();
6827 let Ok(cron) = CronParser::builder()
6828 .seconds(Seconds::Required)
6829 .dom_and_dow(true)
6830 .build()
6831 .parse(&lowered.cron)
6832 else {
6833 return Vec::new();
6834 };
6835 let accept = |utc: chrono::DateTime<chrono::Utc>| {
6836 self.active.contains(utc, self.tz) && self.constraints.allows(utc, self.tz)
6837 };
6838 match self.tz {
6839 ScheduleTz::Utc => Self::next_occurrences(&cron, now, count, accept),
6840 ScheduleTz::Local => {
6841 Self::next_occurrences(&cron, now.with_timezone(&chrono::Local), count, accept)
6842 }
6843 }
6844 }
6845
6846 /// Walk croner forward from `after` collecting up to `count`
6847 /// accepted occurrences (converted to UTC). Generic over the tz the
6848 /// cron is evaluated in so `preview_fires` can run it in either
6849 /// `Utc` or `Local` without duplicating the loop.
6850 fn next_occurrences<Tz>(
6851 cron: &croner::Cron,
6852 after: chrono::DateTime<Tz>,
6853 count: usize,
6854 accept: impl Fn(chrono::DateTime<chrono::Utc>) -> bool,
6855 ) -> Vec<chrono::DateTime<chrono::Utc>>
6856 where
6857 Tz: chrono::TimeZone,
6858 {
6859 // Bound the scan so an `active`/window dead-end (every future
6860 // tick rejected) can't spin forever: ~4096 raw ticks covers
6861 // >10y of a daily calendar while staying instant for croner.
6862 const SCAN_CAP: usize = 4096;
6863 let mut out = Vec::with_capacity(count.min(SCAN_CAP));
6864 let mut cursor = after;
6865 let mut scanned = 0usize;
6866 while out.len() < count && scanned < SCAN_CAP {
6867 scanned += 1;
6868 let Ok(next) = cron.find_next_occurrence(&cursor, false) else {
6869 break;
6870 };
6871 let utc = next.with_timezone(&chrono::Utc);
6872 if accept(utc) {
6873 out.push(utc);
6874 }
6875 // `find_next_occurrence(.., inclusive = false)` already
6876 // advances strictly past `cursor`, so handing it `next`
6877 // verbatim gets the following occurrence — no manual +1s
6878 // nudge (and `DateTime<Tz>` is `Copy`, so no clone).
6879 cursor = next;
6880 }
6881 out
6882 }
6883
6884 /// Lower the operator-facing `when` onto the engine vocabulary.
6885 /// Single seam shared by the backend scheduler and the agent's
6886 /// local scheduler so the two can never drift.
6887 pub fn lowered(&self) -> Lowered {
6888 let tz = self.tz;
6889 match &self.when {
6890 When::PerPc(p) => Lowered {
6891 cron: POLL_CRON.into(),
6892 mode: ExecMode::OncePerPc,
6893 cooldown: p.cooldown(),
6894 tz,
6895 },
6896 When::PerTarget(p) => Lowered {
6897 cron: POLL_CRON.into(),
6898 mode: ExecMode::OncePerTarget,
6899 cooldown: p.cooldown(),
6900 tz,
6901 },
6902 // `to_cron` only fails on a malformed `at` (rejected by
6903 // validate() at create time). For a hand-edited KV blob
6904 // that slipped past, emit a deliberately-invalid cron so
6905 // register()'s Job::new_async_tz fails → warn+skip,
6906 // rather than firing at the wrong time.
6907 When::Calendar(c) => Lowered {
6908 cron: c
6909 .to_cron()
6910 .unwrap_or_else(|_| "# invalid calendar at".into()),
6911 mode: ExecMode::EveryTick,
6912 cooldown: None,
6913 tz,
6914 },
6915 // Event triggers have no cron — the agent fires them from an
6916 // OS event source. The `# event-trigger` cron is never
6917 // registered (the scheduler branches on `is_event()` first),
6918 // but keep it deliberately-invalid as a belt-and-suspenders
6919 // so a stray registration would fail rather than misfire.
6920 When::On(_) => Lowered {
6921 cron: "# event-trigger (no cron)".into(),
6922 mode: ExecMode::Event,
6923 cooldown: None,
6924 tz,
6925 },
6926 }
6927 }
6928
6929 /// True when this schedule fires from an OS event (`when: { on }`)
6930 /// rather than a clock — the agent skips `tokio-cron` registration
6931 /// for these and drives them from boot / session-change instead.
6932 pub fn is_event(&self) -> bool {
6933 matches!(self.when, When::On(_))
6934 }
6935
6936 /// The OS event triggers this schedule listens for, or `&[]` when it
6937 /// is not an event schedule.
6938 pub fn event_triggers(&self) -> &[OnTrigger] {
6939 match &self.when {
6940 When::On(t) => t,
6941 _ => &[],
6942 }
6943 }
6944
6945 /// The next absolute (UTC) time this schedule fires, or `None` when
6946 /// it has no discrete upcoming fire to preview.
6947 ///
6948 /// Used by the KLP `maintenance.list` preview ("what's about to
6949 /// happen on my PC", SPEC §2.1). Returns `None` for:
6950 ///
6951 /// - reconcile shapes (`per_pc` / `per_target`) — they lower to the
6952 /// every-minute [`POLL_CRON`] and re-converge state continuously,
6953 /// so "next fire" is always ~60s away and means nothing to a user
6954 /// previewing upcoming maintenance;
6955 /// - a calendar schedule whose lowered cron won't parse (a
6956 /// hand-edited KV blob that slipped past [`Schedule::validate`]);
6957 /// - a cron with no future occurrence.
6958 ///
6959 /// The wall-clock fire is evaluated in the schedule's own `tz`
6960 /// (matching the live tick's `Job::new_async_tz`) then normalised
6961 /// to UTC for the wire. `inclusive = false`: strictly the *next*
6962 /// fire after `now`, never one matching the current instant.
6963 pub fn next_calendar_fire(
6964 &self,
6965 now: chrono::DateTime<chrono::Utc>,
6966 ) -> Option<chrono::DateTime<chrono::Utc>> {
6967 if !matches!(self.when, When::Calendar(_)) {
6968 return None;
6969 }
6970 let lowered = self.lowered();
6971 // Same parser configuration tokio-cron-scheduler 0.15 uses
6972 // internally, so this can never compute a fire the live
6973 // scheduler wouldn't (seconds required, DOM-and-DOW honored).
6974 let cron = croner::parser::CronParser::builder()
6975 .seconds(croner::parser::Seconds::Required)
6976 .dom_and_dow(true)
6977 .build()
6978 .parse(&lowered.cron)
6979 .ok()?;
6980 match lowered.tz {
6981 ScheduleTz::Utc => cron.find_next_occurrence(&now, false).ok(),
6982 ScheduleTz::Local => {
6983 let now_local = now.with_timezone(&chrono::Local);
6984 cron.find_next_occurrence(&now_local, false)
6985 .ok()
6986 .map(|t| t.with_timezone(&chrono::Utc))
6987 }
6988 }
6989 }
6990
6991 /// Cross-field semantic checks that don't fit pure serde derive
6992 /// — the [`Manifest::validate`] counterpart (#418 decision F;
6993 /// pre-Phase-1 a broken schedule was accepted at create time
6994 /// and silently warn-skipped at tick time). Run at every create
6995 /// site: `kanade schedule create` (client-side) and
6996 /// `POST /api/schedules`. The job_id-exists check lives in the
6997 /// API handler instead — it needs the JOBS KV.
6998 pub fn validate(&self) -> Result<(), String> {
6999 if matches!(self.runs_on, RunsOn::Agent) && matches!(self.when, When::PerTarget(_)) {
7000 return Err(
7001 "when.per_target needs fleet-wide completion data and is backend-only; \
7002 it cannot be combined with runs_on: agent (each agent self-schedules, \
7003 so per-target dedup would be deduping across a target of 1)"
7004 .into(),
7005 );
7006 }
7007 // #418 event triggers: the agent owns the OS event source
7008 // (boot / session-change), so `when: { on }` is agent-only and
7009 // needs at least one trigger.
7010 if let When::On(triggers) = &self.when {
7011 if !matches!(self.runs_on, RunsOn::Agent) {
7012 return Err(
7013 "when.on (OS event trigger) is fired by the agent's own event \
7014 source, so it requires runs_on: agent"
7015 .into(),
7016 );
7017 }
7018 if triggers.is_empty() {
7019 return Err(
7020 "when.on must list at least one trigger (e.g. [startup, logon])".into(),
7021 );
7022 }
7023 }
7024 if let Some(cd) = self.lowered().cooldown.as_deref() {
7025 humantime::parse_duration(cd)
7026 .map_err(|e| format!("when.every: invalid duration '{cd}': {e}"))?;
7027 }
7028 if let When::Calendar(c) = &self.when {
7029 // Lower the calendar form to its cron (catches a bad `at`
7030 // and the date+days conflict), then validate that cron
7031 // with the same parser configuration tokio-cron-scheduler
7032 // 0.15 uses internally (croner, seconds required,
7033 // DOM-and-DOW both honored, year optional) — create-time
7034 // validation can never accept what register() rejects.
7035 let cron = c.to_cron()?;
7036 croner::parser::CronParser::builder()
7037 .seconds(croner::parser::Seconds::Required)
7038 .dom_and_dow(true)
7039 .build()
7040 .parse(&cron)
7041 .map_err(|e| format!("when.at lowered to invalid cron '{cron}': {e}"))?;
7042 }
7043 // The other humantime strings on the schedule (claude #419
7044 // review): runtime degrades gracefully on both (bad jitter →
7045 // silent no-op, bad starting_deadline → warn + skipped tick),
7046 // but "rejected at create time" should cover every field the
7047 // operator can typo, not just `when`.
7048 if let Some(j) = &self.plan.jitter {
7049 humantime::parse_duration(j)
7050 .map_err(|e| format!("jitter: invalid duration '{j}': {e}"))?;
7051 }
7052 if let Some(sd) = &self.starting_deadline {
7053 humantime::parse_duration(sd)
7054 .map_err(|e| format!("starting_deadline: invalid duration '{sd}': {e}"))?;
7055 }
7056 let from = self
7057 .active
7058 .from
7059 .as_deref()
7060 .map(|s| Active::parse_bound(s, self.tz))
7061 .transpose()?;
7062 let until = self
7063 .active
7064 .until
7065 .as_deref()
7066 .map(|s| Active::parse_bound(s, self.tz))
7067 .transpose()?;
7068 if let (Some(f), Some(u)) = (from, until) {
7069 if f >= u {
7070 return Err(format!(
7071 "active.from ({}) must be strictly before active.until ({})",
7072 self.active.from.as_deref().unwrap_or_default(),
7073 self.active.until.as_deref().unwrap_or_default(),
7074 ));
7075 }
7076 }
7077 // #418 Phase 3: a bad maintenance window is rejected at create
7078 // time (parse_window also catches equal bounds).
7079 if let Some(w) = self.constraints.window.as_deref() {
7080 Constraints::parse_window(w)?;
7081 }
7082 // #418 holiday exclusion: reject a malformed skip date at create
7083 // time so the fail-closed `allows` path only ever bites a
7084 // hand-edited KV blob, not a fresh `kanade schedule create`.
7085 if let Some(err) = self.constraints.bad_skip_date() {
7086 return Err(err);
7087 }
7088 // #418: constraints.max_concurrent is a central running-instance
7089 // cap, so it needs the backend's counter — reject it on
7090 // runs_on: agent (decision E), and reject a meaningless 0.
7091 if let Some(mc) = self.constraints.max_concurrent {
7092 // Check the structural incompatibility (agent has no central
7093 // counter) before the value range, so a `max_concurrent: 0`
7094 // + `runs_on: agent` combo reports the more fundamental
7095 // problem first (claude #542).
7096 if matches!(self.runs_on, RunsOn::Agent) {
7097 return Err(
7098 "constraints.max_concurrent needs a central counter and is backend-only; \
7099 it cannot be combined with runs_on: agent (each agent self-schedules, \
7100 so there is no fleet-wide count to cap against)"
7101 .into(),
7102 );
7103 }
7104 if mc == 0 {
7105 return Err(
7106 "constraints.max_concurrent must be >= 1 (0 would never fire; \
7107 omit it for no cap)"
7108 .into(),
7109 );
7110 }
7111 }
7112 // #418: constraints.require (host-state env gates: ac_power /
7113 // idle / cpu_below / network) is sensed in-process by the agent,
7114 // so it needs runs_on: agent — the backend can't read a target
7115 // host's power / idle / cpu / connectivity state. Symmetric with
7116 // `when: { on }` (also agent-only); inverse of max_concurrent
7117 // (backend-only).
7118 if let Some(req) = &self.constraints.require {
7119 if !req.is_empty() && matches!(self.runs_on, RunsOn::Backend) {
7120 return Err(
7121 "constraints.require (host-state env gates: ac_power / idle / cpu_below / \
7122 network) is sensed in-process by the agent and needs runs_on: agent; the \
7123 backend cannot read a target host's power / idle / cpu / connectivity state"
7124 .into(),
7125 );
7126 }
7127 // Reject a malformed idle duration at create time so the
7128 // fail-closed runtime path only ever bites a hand-edited
7129 // KV blob (mirror skip_dates / on_failure.retry).
7130 if let Some(err) = req.bad_idle() {
7131 return Err(err);
7132 }
7133 // cpu_below is a percent — reject out-of-range so a typo
7134 // can't make a schedule that never (>=100 is always-busy?
7135 // no — <0 never matches) or trivially fires.
7136 if let Some(c) = req.cpu_below
7137 && !(c > 0.0 && c <= 100.0)
7138 {
7139 return Err(format!(
7140 "constraints.require.cpu_below must be in (0, 100] percent (got {c}); \
7141 omit it for no CPU requirement"
7142 ));
7143 }
7144 }
7145 // #418 Phase 4: a bad on_failure.retry is rejected at create
7146 // time — backoff must be valid humantime, and max is bounded
7147 // so a typo can't pin a flapping script in a tight loop.
7148 if let Some(r) = &self.on_failure.retry {
7149 let backoff = humantime::parse_duration(&r.backoff).map_err(|e| {
7150 format!(
7151 "on_failure.retry.backoff: invalid duration '{}': {e}",
7152 r.backoff
7153 )
7154 })?;
7155 // The wire form lowers backoff to whole seconds, so a
7156 // sub-second value would silently become a 0s no-wait
7157 // (coderabbit #466). Reject it rather than honour a backoff
7158 // the operator can't actually get.
7159 if backoff.as_secs() < 1 {
7160 return Err(format!(
7161 "on_failure.retry.backoff must be >= 1s (got '{}'); sub-second backoffs \
7162 round to 0 on the wire",
7163 r.backoff
7164 ));
7165 }
7166 if !(1..=10).contains(&r.max) {
7167 return Err(format!(
7168 "on_failure.retry.max must be 1..=10 (got {}); it counts additional \
7169 attempts after the first run",
7170 r.max
7171 ));
7172 }
7173 }
7174 // A blank / whitespace-only tag renders an empty filter chip on
7175 // the Schedules page — reject it at create time, mirroring the
7176 // Manifest::validate tag guard.
7177 for tag in &self.tags {
7178 if tag.trim().is_empty() {
7179 return Err("tags must not contain empty entries".to_string());
7180 }
7181 }
7182 Ok(())
7183 }
7184}
7185
7186/// Shared `serde(default)` for `bool` fields that default to `true`
7187/// (e.g. `CheckHint::fleet` / `CheckHint::health`). Generic name so it
7188/// doesn't read as "fleet" when reused for `health`.
7189fn default_true() -> bool {
7190 true
7191}