test(v1.1.3-modules): resolver, cache, validator, kind-rejection coverage

Adds ~46 new tests across the v1.1.3 surface: executor-core/tests/modules.rs (NEW, 23 tests): - resolver_loads_simple_module / endpoint_can_import_module / module_can_import_module — end-to-end through Engine::execute. - resolver_cross_app_blocked / resolver_cross_app_module_not_found / module_cache_keyed_by_app — same-name modules in different apps resolve independently; cross-app lookup returns ModuleNotFound. - resolver_self_import_detected / resolver_circular_detected — cycle detector reports the chain. - resolver_depth_limit_enforced / resolver_depth_limit_just_under_succeeds. - resolver_module_not_found / resolver_backend_error_surfaces. - resolver_runtime_validation_rejects_top_level_expr — defense-in- depth: a module with a top-level expression that bypassed the admin gate is rejected at resolve time. - module_cache_hit_reuses_compiled_module / module_cache_stale_invalidated_on_updated_at_change / module_cache_lru_evicts_when_capacity_exceeded. - validate_module_{accepts_fn_const_import_only, rejects_top_level_let, rejects_top_level_expr, rejects_top_level_while}. - validate_endpoint_{extracts_literal_imports, top_level_expr_still_allowed, skips_dynamic_imports_in_imports_list}. orchestrator-core/src/client.rs cache_tests (6 tests): - cache_hit_when_identity_matches / cache_invalidated_when_updated_at_changes / distinct_script_ids_cache_independently / lru_eviction_caps_cache_size / script_identity_is_copy / compile_error_does_not_poison_cache. shared/src/script.rs kind_tests (3 tests): - default_is_endpoint / round_trips_through_serde_lowercase / parse_str_round_trip. manager-core/src/triggers_api.rs v1.1.3 tests (6 tests): - kv_trigger_rejects_module_target / docs_trigger_rejects_module_target / dl_trigger_rejects_module_target — modules cannot be trigger targets. - kv_trigger_rejects_missing_script / kv_trigger_rejects_cross_app_script — closes the latent v1.1.1/v1.1.2 isolation gap. - kv_trigger_accepts_endpoint_target — happy path through the validate_trigger_target check. picloud/tests/api.rs (8 #[ignore]'d Postgres-gated integration tests): - create_script_default_kind_is_endpoint / create_module_kind_persists. - create_module_with_top_level_expr_rejected / create_module_with_reserved_name_rejected. - route_bind_rejects_module. - endpoint_imports_module_end_to_end / module_edit_visible_on_next_invocation / cross_app_import_blocked. Lint cleanup along the way: - `ScriptKind::from_str` renamed to `parse_str` to dodge the `should_implement_trait` lint (FromStr's `Result<…,Err>` shape doesn't fit a 0-info lookup). - `derive(Default)` on `ScriptKind` (Endpoint marked `#[default]`). - Match-arm collapse in `check_module_shape` for Import + Noop. - `#[allow(clippy::too_many_lines)]` on `resolve()` (the bridge logic is genuinely cohesive and would lose clarity if split). - Elided `'r` lifetime on `StackGuard`. Three gates clean on this commit's HEAD: - cargo fmt --all -- --check: clean - cargo clippy --all-targets --all-features -- -D warnings: clean - cargo test --workspace: 358 passed, 140 ignored (Postgres-gated) - npm run check: 0 errors, 0 warnings Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-03 07:18:18 +02:00
parent 10f76d29ca
commit 3dbead426f
9 changed files with 1249 additions and 43 deletions
--- a/crates/manager-core/src/repo.rs
+++ b/crates/manager-core/src/repo.rs
@@ -62,10 +62,8 @@ pub trait ScriptRepository: Send + Sync {
    /// v1.1.3: list module dependencies of this script — the rows in
    /// `script_imports` where `importer_script_id = script_id`. Used
    /// by tests and (eventually) a dashboard "Imports" panel.
-    async fn list_imports(
-        &self,
-        script_id: ScriptId,
-    ) -> Result<Vec<Script>, ScriptRepositoryError>;
+    async fn list_imports(&self, script_id: ScriptId)
+        -> Result<Vec<Script>, ScriptRepositoryError>;
 }

 /// Inbound shape for create. Defaults match the migration's CHECK
@@ -267,7 +265,7 @@ impl ScriptRepository for PostgresScriptRepository {
        .bind(patch.timeout_seconds)
        .bind(patch.memory_limit_mb)
        .bind(sandbox_json)
-        .bind(patch.kind.map(|k| k.as_str()))
+        .bind(patch.kind.map(ScriptKind::as_str))
        .fetch_optional(&mut *tx)
        .await;

@@ -414,7 +412,7 @@ impl From<ScriptRow> for Script {
        // Defensive: if a row's `kind` somehow falls outside the CHECK
        // constraint, treat it as Endpoint (the safe default — won't
        // grant a row import-target status it doesn't have).
-        let kind = ScriptKind::from_str(&r.kind).unwrap_or(ScriptKind::Endpoint);
+        let kind = ScriptKind::parse_str(&r.kind).unwrap_or(ScriptKind::Endpoint);
        Self {
            id: r.id.into(),
            app_id: r.app_id.into(),
--- a/crates/manager-core/src/triggers_api.rs
+++ b/crates/manager-core/src/triggers_api.rs
@@ -716,7 +716,7 @@ mod tests {
                    source: String::new(),
                    kind,
                    timeout_seconds: 30,
-                    sandbox: Default::default(),
+                    sandbox: picloud_shared::ScriptSandbox::default(),
                    memory_limit_mb: 256,
                    created_at: now,
                    updated_at: now,
@@ -766,10 +766,7 @@ mod tests {
        ) -> Result<picloud_shared::Script, crate::repo::ScriptRepositoryError> {
            unimplemented!()
        }
-        async fn delete(
-            &self,
-            _id: ScriptId,
-        ) -> Result<(), crate::repo::ScriptRepositoryError> {
+        async fn delete(&self, _id: ScriptId) -> Result<(), crate::repo::ScriptRepositoryError> {
            unimplemented!()
        }
        async fn count_routes_for_script(
@@ -1106,4 +1103,205 @@ mod tests {
        let err = res.expect_err("cross-app delete should 404");
        assert!(matches!(err, TriggersApiError::NotFound(_)));
    }
+
+    // ----------------------------------------------------------------
+    // v1.1.3: kind + cross-app target validation on trigger create.
+    // ----------------------------------------------------------------
+
+    #[tokio::test]
+    async fn kv_trigger_rejects_module_target() {
+        let app_id = AppId::new();
+        let script_id = ScriptId::new();
+        let state = TriggersState {
+            triggers: Arc::new(InMemoryTriggerRepo::default()),
+            apps: InMemoryAppRepo::with(app_id),
+            authz: Arc::new(AlwaysAllowAuthzRepo),
+            scripts: InMemoryScriptRepo::with_module(app_id, script_id),
+            config: TriggerConfig::conservative(),
+        };
+        let res = create_kv_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            Json(CreateKvTriggerRequest {
+                script_id,
+                collection_glob: "widgets".into(),
+                ops: vec![KvEventOp::Insert],
+                dispatch_mode: TriggerDispatchMode::Async,
+                retry_max_attempts: None,
+                retry_backoff: None,
+                retry_base_ms: None,
+            }),
+        )
+        .await;
+        let err = res.expect_err("module script should be rejected as trigger target");
+        let msg = match err {
+            TriggersApiError::Invalid(m) => m,
+            other => panic!("expected Invalid, got {other:?}"),
+        };
+        assert!(
+            msg.to_lowercase().contains("module"),
+            "expected error to mention 'module', got {msg}"
+        );
+    }
+
+    #[tokio::test]
+    async fn docs_trigger_rejects_module_target() {
+        let app_id = AppId::new();
+        let script_id = ScriptId::new();
+        let state = TriggersState {
+            triggers: Arc::new(InMemoryTriggerRepo::default()),
+            apps: InMemoryAppRepo::with(app_id),
+            authz: Arc::new(AlwaysAllowAuthzRepo),
+            scripts: InMemoryScriptRepo::with_module(app_id, script_id),
+            config: TriggerConfig::conservative(),
+        };
+        let res = create_docs_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            Json(CreateDocsTriggerRequest {
+                script_id,
+                collection_glob: "users".into(),
+                ops: vec![DocsEventOp::Create],
+                dispatch_mode: TriggerDispatchMode::Async,
+                retry_max_attempts: None,
+                retry_backoff: None,
+                retry_base_ms: None,
+            }),
+        )
+        .await;
+        let err = res.expect_err("module script should be rejected as docs-trigger target");
+        let msg = match err {
+            TriggersApiError::Invalid(m) => m,
+            other => panic!("expected Invalid, got {other:?}"),
+        };
+        assert!(msg.to_lowercase().contains("module"));
+    }
+
+    #[tokio::test]
+    async fn dl_trigger_rejects_module_target() {
+        let app_id = AppId::new();
+        let script_id = ScriptId::new();
+        let state = TriggersState {
+            triggers: Arc::new(InMemoryTriggerRepo::default()),
+            apps: InMemoryAppRepo::with(app_id),
+            authz: Arc::new(AlwaysAllowAuthzRepo),
+            scripts: InMemoryScriptRepo::with_module(app_id, script_id),
+            config: TriggerConfig::conservative(),
+        };
+        let res = create_dl_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            Json(CreateDeadLetterTriggerRequest {
+                script_id,
+                source_filter: None,
+                trigger_id_filter: None,
+                script_id_filter: None,
+            }),
+        )
+        .await;
+        let err = res.expect_err("module script should be rejected as dead-letter target");
+        let msg = match err {
+            TriggersApiError::Invalid(m) => m,
+            other => panic!("expected Invalid, got {other:?}"),
+        };
+        assert!(msg.to_lowercase().contains("module"));
+    }
+
+    #[tokio::test]
+    async fn kv_trigger_rejects_missing_script() {
+        let app_id = AppId::new();
+        // Empty script repo — the requested script_id doesn't exist.
+        let state = state_with(Arc::new(AlwaysAllowAuthzRepo), app_id);
+        let res = create_kv_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            Json(CreateKvTriggerRequest {
+                script_id: ScriptId::new(),
+                collection_glob: "widgets".into(),
+                ops: vec![],
+                dispatch_mode: TriggerDispatchMode::Async,
+                retry_max_attempts: None,
+                retry_backoff: None,
+                retry_base_ms: None,
+            }),
+        )
+        .await;
+        let err = res.expect_err("missing script should reject");
+        let msg = match err {
+            TriggersApiError::Invalid(m) => m,
+            other => panic!("expected Invalid, got {other:?}"),
+        };
+        assert!(msg.to_lowercase().contains("not found"));
+    }
+
+    #[tokio::test]
+    async fn kv_trigger_rejects_cross_app_script() {
+        // Latent v1.1.1/v1.1.2 isolation gap closed by v1.1.3: a
+        // member of app A could previously target a script in app B.
+        let app_a = AppId::new();
+        let app_b = AppId::new();
+        let script_id = ScriptId::new();
+        // Pre-populate the script repo with the script living in app B,
+        // but the trigger request targets app A.
+        let scripts = InMemoryScriptRepo::with_endpoint(app_b, script_id);
+        let state = TriggersState {
+            triggers: Arc::new(InMemoryTriggerRepo::default()),
+            apps: InMemoryAppRepo::with(app_a),
+            authz: Arc::new(AlwaysAllowAuthzRepo),
+            scripts,
+            config: TriggerConfig::conservative(),
+        };
+        let res = create_kv_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_a),
+            Json(CreateKvTriggerRequest {
+                script_id,
+                collection_glob: "widgets".into(),
+                ops: vec![],
+                dispatch_mode: TriggerDispatchMode::Async,
+                retry_max_attempts: None,
+                retry_backoff: None,
+                retry_base_ms: None,
+            }),
+        )
+        .await;
+        let err = res.expect_err("cross-app trigger target should reject");
+        let msg = match err {
+            TriggersApiError::Invalid(m) => m,
+            other => panic!("expected Invalid, got {other:?}"),
+        };
+        assert!(
+            msg.to_lowercase().contains("does not belong"),
+            "expected cross-app rejection message, got {msg}"
+        );
+    }
+
+    #[tokio::test]
+    async fn kv_trigger_accepts_endpoint_target() {
+        let app_id = AppId::new();
+        let script_id = ScriptId::new();
+        let state = state_with_endpoint(Arc::new(AlwaysAllowAuthzRepo), app_id, script_id);
+        let (status, _) = create_kv_trigger(
+            State(state),
+            Extension(member_principal()),
+            Path(app_id),
+            Json(CreateKvTriggerRequest {
+                script_id,
+                collection_glob: "widgets".into(),
+                ops: vec![KvEventOp::Insert],
+                dispatch_mode: TriggerDispatchMode::Async,
+                retry_max_attempts: None,
+                retry_backoff: None,
+                retry_base_ms: None,
+            }),
+        )
+        .await
+        .expect("endpoint target should succeed");
+        assert_eq!(status, StatusCode::CREATED);
+    }
 }