feat(v1.1.4): outbound HTTP SDK + cron triggers

HTTP (`http::*`): - `HttpService` trait (picloud-shared) + reqwest-backed `HttpServiceImpl` (manager-core), wired into the `Services` bundle. - SSRF deny-list applied to the resolved IP via a custom reqwest `dns_resolver` (covers every redirect hop + defeats DNS rebinding) plus a literal-IP check at URL-parse time. Scheme/port restrictions, request + response body caps (stream-with-cap), layered timeout. Error reason is a CIDR category, never the IP. `PICLOUD_HTTP_ALLOW_PRIVATE` dev override (logs a startup warning). - Rhai bridge with three-arg split `verb(url, body, opts)` (resolves the brief's body-vs-opts contradiction; unknown opt keys throw). Body dispatch by type; response `#{status,headers,body,body_raw}` with JSON auto-parse; non-2xx does not throw. - `Capability::AppHttpRequest` → existing `script:write` scope (no new Scope variant). `SdkCallCx` gains `script_id` (attribution + User-Agent). Cron triggers (4th trigger kind): - Migration 0017 widens the kind/source_kind CHECKs and adds `cron_trigger_details`. `cron`/`chrono-tz` parse + validate 6-field schedules and IANA timezones. - `spawn_cron_scheduler` polls due triggers and enqueues to the universal outbox; the dispatcher delivers them (one-line match-arm extension). Catch-up fires exactly once per trigger per tick, not once per missed window. `ctx.event.cron` for handlers. - `POST /api/v1/admin/apps/{id}/triggers/cron` reuses the v1.1.3 cross-app + kind!=module target check. - Dashboard: admin-gated Triggers tab (cron create form + list). Follow-ups: redact module backend errors at the resolver boundary (log original at error level); pin `rhai = "=1.24"`; CHANGELOG incl. retroactive v1.1.3 cross-app-trigger security note. Version bumps: workspace 1.1.4, SDK 1.5, dashboard 0.10.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 20:23:18 +02:00
parent 6f17259e06
commit 10b5f655d5
39 changed files with 3828 additions and 53 deletions
--- a/crates/manager-core/src/triggers_api.rs
+++ b/crates/manager-core/src/triggers_api.rs
@@ -25,8 +25,8 @@ use crate::authz::{require, AuthzDenied, AuthzError, AuthzRepo, Capability};
 use crate::repo::{ScriptRepository, ScriptRepositoryError};
 use crate::trigger_config::{BackoffShape, TriggerConfig};
 use crate::trigger_repo::{
-    CreateDeadLetterTrigger, CreateDocsTrigger, CreateKvTrigger, Trigger, TriggerDispatchMode,
-    TriggerRepo, TriggerRepoError,
+    CreateCronTrigger, CreateDeadLetterTrigger, CreateDocsTrigger, CreateKvTrigger, Trigger,
+    TriggerDispatchMode, TriggerRepo, TriggerRepoError,
 };

 #[derive(Clone)]
@@ -53,6 +53,7 @@ pub fn triggers_router(state: TriggersState) -> Router {
        )
        .route("/apps/{app_id}/triggers/kv", post(create_kv_trigger))
        .route("/apps/{app_id}/triggers/docs", post(create_docs_trigger))
+        .route("/apps/{app_id}/triggers/cron", post(create_cron_trigger))
        .route(
            "/apps/{app_id}/triggers/dead_letter",
            post(create_dl_trigger),
@@ -116,6 +117,28 @@ pub struct CreateDocsTriggerRequest {
    pub retry_base_ms: Option<u32>,
 }

+/// v1.1.4 cron trigger. `schedule` is a 6-field cron expression (with
+/// seconds); `timezone` is an IANA name (defaults to UTC if omitted).
+#[derive(Debug, Deserialize)]
+pub struct CreateCronTriggerRequest {
+    pub script_id: ScriptId,
+    pub schedule: String,
+    #[serde(default = "default_timezone")]
+    pub timezone: String,
+    #[serde(default = "default_dispatch")]
+    pub dispatch_mode: TriggerDispatchMode,
+    #[serde(default)]
+    pub retry_max_attempts: Option<u32>,
+    #[serde(default)]
+    pub retry_backoff: Option<BackoffShape>,
+    #[serde(default)]
+    pub retry_base_ms: Option<u32>,
+}
+
+fn default_timezone() -> String {
+    "UTC".to_string()
+}
+
 #[derive(Debug, Deserialize)]
 pub struct CreateDeadLetterTriggerRequest {
    pub script_id: ScriptId,
@@ -264,6 +287,47 @@ async fn create_docs_trigger(
    Ok((StatusCode::CREATED, Json(created)))
 }

+async fn create_cron_trigger(
+    State(s): State<TriggersState>,
+    Extension(principal): Extension<Principal>,
+    Path(app_id): Path<AppId>,
+    Json(input): Json<CreateCronTriggerRequest>,
+) -> Result<(StatusCode, Json<Trigger>), TriggersApiError> {
+    ensure_app_exists(&*s.apps, app_id).await?;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppManageTriggers(app_id),
+    )
+    .await?;
+
+    // Validate the schedule + timezone before touching the script repo
+    // so a bad expression fails fast with a clear 422.
+    crate::cron_scheduler::validate_schedule(&input.schedule)
+        .map_err(|e| TriggersApiError::Invalid(format!("invalid cron schedule: {e}")))?;
+    crate::cron_scheduler::validate_timezone(&input.timezone)
+        .map_err(|e| TriggersApiError::Invalid(format!("invalid timezone: {e}")))?;
+
+    // v1.1.3 check: target script exists, lives in this app, is an
+    // endpoint (not a module).
+    validate_trigger_target(&*s.scripts, app_id, input.script_id).await?;
+
+    let req = CreateCronTrigger {
+        script_id: input.script_id,
+        schedule: input.schedule,
+        timezone: input.timezone,
+        dispatch_mode: input.dispatch_mode,
+        retry_max_attempts: input
+            .retry_max_attempts
+            .unwrap_or(s.config.retry_max_attempts),
+        retry_backoff: input.retry_backoff.unwrap_or(s.config.retry_backoff),
+        retry_base_ms: input.retry_base_ms.unwrap_or(s.config.retry_base_ms),
+        registered_by_principal: principal.user_id,
+    };
+    let created = s.triggers.create_cron_trigger(app_id, req).await?;
+    Ok((StatusCode::CREATED, Json(created)))
+}
+
 async fn create_dl_trigger(
    State(s): State<TriggersState>,
    Extension(principal): Extension<Principal>,
@@ -420,8 +484,8 @@ mod tests {
    use super::*;
    use crate::app_repo::{AppLookup, AppRepository};
    use crate::trigger_repo::{
-        DeadLetterTriggerMatch, DocsTriggerMatch, KvTriggerMatch, Trigger, TriggerDetails,
-        TriggerRepo, TriggerRepoError,
+        CreateCronTrigger, DeadLetterTriggerMatch, DocsTriggerMatch, KvTriggerMatch, Trigger,
+        TriggerDetails, TriggerRepo, TriggerRepoError,
    };
    use async_trait::async_trait;
    use chrono::Utc;
@@ -523,6 +587,35 @@ mod tests {
            self.inner.lock().await.insert(id, trigger.clone());
            Ok(trigger)
        }
+        async fn create_cron_trigger(
+            &self,
+            app_id: AppId,
+            req: CreateCronTrigger,
+        ) -> Result<Trigger, TriggerRepoError> {
+            let now = Utc::now();
+            let id = TriggerId::new();
+            let trigger = Trigger {
+                id,
+                app_id,
+                script_id: req.script_id,
+                kind: crate::trigger_repo::TriggerKind::Cron,
+                enabled: true,
+                dispatch_mode: req.dispatch_mode,
+                retry_max_attempts: req.retry_max_attempts,
+                retry_backoff: req.retry_backoff,
+                retry_base_ms: req.retry_base_ms,
+                registered_by_principal: req.registered_by_principal,
+                created_at: now,
+                updated_at: now,
+                details: TriggerDetails::Cron {
+                    schedule: req.schedule,
+                    timezone: req.timezone,
+                    last_fired_at: None,
+                },
+            };
+            self.inner.lock().await.insert(id, trigger.clone());
+            Ok(trigger)
+        }
        async fn list_for_app(&self, app_id: AppId) -> Result<Vec<Trigger>, TriggerRepoError> {
            Ok(self
                .inner
@@ -1281,6 +1374,169 @@ mod tests {
        );
    }

+    // ----------------------------------------------------------------
+    // v1.1.4: cron trigger create.
+    // ----------------------------------------------------------------
+
+    fn cron_req(script_id: ScriptId, schedule: &str, timezone: &str) -> CreateCronTriggerRequest {
+        CreateCronTriggerRequest {
+            script_id,
+            schedule: schedule.into(),
+            timezone: timezone.into(),
+            dispatch_mode: TriggerDispatchMode::Async,
+            retry_max_attempts: None,
+            retry_backoff: None,
+            retry_base_ms: None,
+        }
+    }
+
+    #[tokio::test]
+    async fn cron_trigger_create_succeeds() {
+        let app_id = AppId::new();
+        let script_id = ScriptId::new();
+        let state = state_with_endpoint(Arc::new(AlwaysAllowAuthzRepo), app_id, script_id);
+        let (status, Json(trigger)) = create_cron_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            Json(cron_req(
+                script_id,
+                "0 0 9 * * MON-FRI",
+                "America/Los_Angeles",
+            )),
+        )
+        .await
+        .unwrap();
+        assert_eq!(status, StatusCode::CREATED);
+        assert!(matches!(
+            trigger.kind,
+            crate::trigger_repo::TriggerKind::Cron
+        ));
+        match trigger.details {
+            TriggerDetails::Cron {
+                schedule,
+                timezone,
+                last_fired_at,
+            } => {
+                assert_eq!(schedule, "0 0 9 * * MON-FRI");
+                assert_eq!(timezone, "America/Los_Angeles");
+                assert!(last_fired_at.is_none());
+            }
+            other => panic!("expected Cron details, got {other:?}"),
+        }
+    }
+
+    #[tokio::test]
+    async fn cron_trigger_rejects_invalid_schedule() {
+        let app_id = AppId::new();
+        let script_id = ScriptId::new();
+        let state = state_with_endpoint(Arc::new(AlwaysAllowAuthzRepo), app_id, script_id);
+        let res = create_cron_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            // 5-field expression — not the 6-field format we accept.
+            Json(cron_req(script_id, "* * * * *", "UTC")),
+        )
+        .await;
+        let err = res.expect_err("invalid schedule should reject");
+        let msg = match err {
+            TriggersApiError::Invalid(m) => m,
+            other => panic!("expected Invalid, got {other:?}"),
+        };
+        assert!(msg.to_lowercase().contains("schedule"), "got {msg}");
+    }
+
+    #[tokio::test]
+    async fn cron_trigger_rejects_unknown_timezone() {
+        let app_id = AppId::new();
+        let script_id = ScriptId::new();
+        let state = state_with_endpoint(Arc::new(AlwaysAllowAuthzRepo), app_id, script_id);
+        let res = create_cron_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            Json(cron_req(script_id, "0 * * * * *", "Mars/Phobos")),
+        )
+        .await;
+        let err = res.expect_err("unknown timezone should reject");
+        let msg = match err {
+            TriggersApiError::Invalid(m) => m,
+            other => panic!("expected Invalid, got {other:?}"),
+        };
+        assert!(msg.to_lowercase().contains("timezone"), "got {msg}");
+    }
+
+    #[tokio::test]
+    async fn cron_trigger_rejects_module_target() {
+        let app_id = AppId::new();
+        let script_id = ScriptId::new();
+        let state = TriggersState {
+            triggers: Arc::new(InMemoryTriggerRepo::default()),
+            apps: InMemoryAppRepo::with(app_id),
+            authz: Arc::new(AlwaysAllowAuthzRepo),
+            scripts: InMemoryScriptRepo::with_module(app_id, script_id),
+            config: TriggerConfig::conservative(),
+        };
+        let res = create_cron_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            Json(cron_req(script_id, "0 * * * * *", "UTC")),
+        )
+        .await;
+        let err = res.expect_err("module script should be rejected as cron target");
+        let msg = match err {
+            TriggersApiError::Invalid(m) => m,
+            other => panic!("expected Invalid, got {other:?}"),
+        };
+        assert!(msg.to_lowercase().contains("module"), "got {msg}");
+    }
+
+    #[tokio::test]
+    async fn cron_trigger_rejects_cross_app_script() {
+        // v1.1.3 isolation gap regression: app A cannot target app B's
+        // script via a cron trigger.
+        let app_a = AppId::new();
+        let app_b = AppId::new();
+        let script_id = ScriptId::new();
+        let state = TriggersState {
+            triggers: Arc::new(InMemoryTriggerRepo::default()),
+            apps: InMemoryAppRepo::with(app_a),
+            authz: Arc::new(AlwaysAllowAuthzRepo),
+            scripts: InMemoryScriptRepo::with_endpoint(app_b, script_id),
+            config: TriggerConfig::conservative(),
+        };
+        let res = create_cron_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_a),
+            Json(cron_req(script_id, "0 * * * * *", "UTC")),
+        )
+        .await;
+        let err = res.expect_err("cross-app cron target should reject");
+        let msg = match err {
+            TriggersApiError::Invalid(m) => m,
+            other => panic!("expected Invalid, got {other:?}"),
+        };
+        assert!(msg.to_lowercase().contains("does not belong"), "got {msg}");
+    }
+
+    #[tokio::test]
+    async fn cron_trigger_member_without_role_is_forbidden() {
+        let app_id = AppId::new();
+        let state = state_with(Arc::new(AlwaysDenyAuthzRepo), app_id);
+        let res = create_cron_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            Json(cron_req(ScriptId::new(), "0 * * * * *", "UTC")),
+        )
+        .await;
+        let err = res.expect_err("member without role should be forbidden");
+        assert!(matches!(err, TriggersApiError::Forbidden));
+    }
+
    #[tokio::test]
    async fn kv_trigger_accepts_endpoint_target() {
        let app_id = AppId::new();