feat(v1.1.4): outbound HTTP SDK + cron triggers

HTTP (`http::*`): - `HttpService` trait (picloud-shared) + reqwest-backed `HttpServiceImpl` (manager-core), wired into the `Services` bundle. - SSRF deny-list applied to the resolved IP via a custom reqwest `dns_resolver` (covers every redirect hop + defeats DNS rebinding) plus a literal-IP check at URL-parse time. Scheme/port restrictions, request + response body caps (stream-with-cap), layered timeout. Error reason is a CIDR category, never the IP. `PICLOUD_HTTP_ALLOW_PRIVATE` dev override (logs a startup warning). - Rhai bridge with three-arg split `verb(url, body, opts)` (resolves the brief's body-vs-opts contradiction; unknown opt keys throw). Body dispatch by type; response `#{status,headers,body,body_raw}` with JSON auto-parse; non-2xx does not throw. - `Capability::AppHttpRequest` → existing `script:write` scope (no new Scope variant). `SdkCallCx` gains `script_id` (attribution + User-Agent). Cron triggers (4th trigger kind): - Migration 0017 widens the kind/source_kind CHECKs and adds `cron_trigger_details`. `cron`/`chrono-tz` parse + validate 6-field schedules and IANA timezones. - `spawn_cron_scheduler` polls due triggers and enqueues to the universal outbox; the dispatcher delivers them (one-line match-arm extension). Catch-up fires exactly once per trigger per tick, not once per missed window. `ctx.event.cron` for handlers. - `POST /api/v1/admin/apps/{id}/triggers/cron` reuses the v1.1.3 cross-app + kind!=module target check. - Dashboard: admin-gated Triggers tab (cron create form + list). Follow-ups: redact module backend errors at the resolver boundary (log original at error level); pin `rhai = "=1.24"`; CHANGELOG incl. retroactive v1.1.3 cross-app-trigger security note. Version bumps: workspace 1.1.4, SDK 1.5, dashboard 0.10.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 20:23:18 +02:00
parent 6f17259e06
commit 10b5f655d5
39 changed files with 3828 additions and 53 deletions
--- a/crates/manager-core/src/lib.rs
+++ b/crates/manager-core/src/lib.rs
@@ -22,6 +22,7 @@ pub mod auth_api;
 pub mod auth_bootstrap;
 pub mod auth_middleware;
 pub mod authz;
+pub mod cron_scheduler;
 pub mod dead_letter_repo;
 pub mod dead_letter_service;
 pub mod dead_letters_api;
@@ -30,6 +31,7 @@ pub mod docs_filter;
 pub mod docs_repo;
 pub mod docs_service;
 pub mod gc;
+pub mod http_service;
 pub mod kv_repo;
 pub mod kv_service;
 pub mod log_sink;
@@ -43,6 +45,7 @@ pub mod route_admin;
 pub mod route_repo;
 pub mod sandbox;
 pub mod scheduler;
+pub mod ssrf;
 pub mod trigger_config;
 pub mod trigger_repo;
 pub mod triggers_api;
@@ -84,6 +87,7 @@ pub use auth_middleware::{
    API_KEY_PREFIX, API_KEY_PREFIX_LEN, SESSION_COOKIE,
 };
 pub use authz::{can, require, AuthzDenied, AuthzError, AuthzRepo, Capability, Decision};
+pub use cron_scheduler::spawn_cron_scheduler;
 pub use dead_letter_repo::{
    DeadLetterRepo, DeadLetterRepoError, DeadLetterRow, NewDeadLetter, PostgresDeadLetterRepo,
 };
@@ -93,6 +97,7 @@ pub use dispatcher::{compute_backoff, Dispatcher, DispatcherError};
 pub use docs_repo::{DocsRepo, DocsRepoError, PostgresDocsRepo};
 pub use docs_service::DocsServiceImpl;
 pub use gc::{spawn_abandoned_gc, spawn_dead_letter_gc};
+pub use http_service::{HttpConfig, HttpServiceImpl};
 pub use kv_repo::{KvRepo, KvRepoError, PostgresKvRepo};
 pub use kv_service::KvServiceImpl;
 pub use log_sink::PostgresExecutionLogSink;