feat(v1.1.4): outbound HTTP SDK + cron triggers

HTTP (`http::*`): - `HttpService` trait (picloud-shared) + reqwest-backed `HttpServiceImpl` (manager-core), wired into the `Services` bundle. - SSRF deny-list applied to the resolved IP via a custom reqwest `dns_resolver` (covers every redirect hop + defeats DNS rebinding) plus a literal-IP check at URL-parse time. Scheme/port restrictions, request + response body caps (stream-with-cap), layered timeout. Error reason is a CIDR category, never the IP. `PICLOUD_HTTP_ALLOW_PRIVATE` dev override (logs a startup warning). - Rhai bridge with three-arg split `verb(url, body, opts)` (resolves the brief's body-vs-opts contradiction; unknown opt keys throw). Body dispatch by type; response `#{status,headers,body,body_raw}` with JSON auto-parse; non-2xx does not throw. - `Capability::AppHttpRequest` → existing `script:write` scope (no new Scope variant). `SdkCallCx` gains `script_id` (attribution + User-Agent). Cron triggers (4th trigger kind): - Migration 0017 widens the kind/source_kind CHECKs and adds `cron_trigger_details`. `cron`/`chrono-tz` parse + validate 6-field schedules and IANA timezones. - `spawn_cron_scheduler` polls due triggers and enqueues to the universal outbox; the dispatcher delivers them (one-line match-arm extension). Catch-up fires exactly once per trigger per tick, not once per missed window. `ctx.event.cron` for handlers. - `POST /api/v1/admin/apps/{id}/triggers/cron` reuses the v1.1.3 cross-app + kind!=module target check. - Dashboard: admin-gated Triggers tab (cron create form + list). Follow-ups: redact module backend errors at the resolver boundary (log original at error level); pin `rhai = "=1.24"`; CHANGELOG incl. retroactive v1.1.3 cross-app-trigger security note. Version bumps: workspace 1.1.4, SDK 1.5, dashboard 0.10.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-03 20:23:18 +02:00
parent 6f17259e06
commit 10b5f655d5
39 changed files with 3828 additions and 53 deletions
--- a/crates/shared/src/services.rs
+++ b/crates/shared/src/services.rs
@@ -20,8 +20,9 @@
 use std::sync::Arc;

 use crate::{
-    DeadLetterService, DocsService, KvService, ModuleSource, NoopDeadLetterService,
-    NoopDocsService, NoopEventEmitter, NoopKvService, NoopModuleSource, ServiceEventEmitter,
+    DeadLetterService, DocsService, HttpService, KvService, ModuleSource, NoopDeadLetterService,
+    NoopDocsService, NoopEventEmitter, NoopHttpService, NoopKvService, NoopModuleSource,
+    ServiceEventEmitter,
 };

 /// SDK service bundle. See module docs for the lifecycle and the v1.1.x
@@ -53,6 +54,12 @@ pub struct Services {
    /// `import`. Backed by Postgres in the picloud binary; in-memory
    /// fakes in resolver tests.
    pub modules: Arc<dyn ModuleSource>,
+
+    /// Outbound HTTP (v1.1.4). Scripts get `http::{get,post,…}`.
+    /// Backed by a reqwest client with the SSRF deny-list resolver in
+    /// the picloud binary; `NoopHttpService` in tests that don't make
+    /// network calls.
+    pub http: Arc<dyn HttpService>,
 }

 impl Services {
@@ -66,6 +73,7 @@ impl Services {
        dead_letters: Arc<dyn DeadLetterService>,
        events: Arc<dyn ServiceEventEmitter>,
        modules: Arc<dyn ModuleSource>,
+        http: Arc<dyn HttpService>,
    ) -> Self {
        Self {
            kv,
@@ -73,6 +81,7 @@ impl Services {
            dead_letters,
            events,
            modules,
+            http,
        }
    }

@@ -89,6 +98,7 @@ impl Services {
            Arc::new(NoopDeadLetterService),
            Arc::new(NoopEventEmitter),
            Arc::new(NoopModuleSource),
+            Arc::new(NoopHttpService),
        )
    }
 }