test(v1.1.3-modules): resolver, cache, validator, kind-rejection coverage

Adds ~46 new tests across the v1.1.3 surface:

executor-core/tests/modules.rs (NEW, 23 tests):
- resolver_loads_simple_module / endpoint_can_import_module /
  module_can_import_module — end-to-end through Engine::execute.
- resolver_cross_app_blocked / resolver_cross_app_module_not_found /
  module_cache_keyed_by_app — same-name modules in different apps
  resolve independently; cross-app lookup returns ModuleNotFound.
- resolver_self_import_detected / resolver_circular_detected —
  cycle detector reports the chain.
- resolver_depth_limit_enforced / resolver_depth_limit_just_under_succeeds.
- resolver_module_not_found / resolver_backend_error_surfaces.
- resolver_runtime_validation_rejects_top_level_expr — defense-in-
  depth: a module with a top-level expression that bypassed the
  admin gate is rejected at resolve time.
- module_cache_hit_reuses_compiled_module /
  module_cache_stale_invalidated_on_updated_at_change /
  module_cache_lru_evicts_when_capacity_exceeded.
- validate_module_{accepts_fn_const_import_only,
  rejects_top_level_let, rejects_top_level_expr,
  rejects_top_level_while}.
- validate_endpoint_{extracts_literal_imports,
  top_level_expr_still_allowed,
  skips_dynamic_imports_in_imports_list}.

orchestrator-core/src/client.rs cache_tests (6 tests):
- cache_hit_when_identity_matches / cache_invalidated_when_updated_at_changes
  / distinct_script_ids_cache_independently / lru_eviction_caps_cache_size
  / script_identity_is_copy / compile_error_does_not_poison_cache.

shared/src/script.rs kind_tests (3 tests):
- default_is_endpoint / round_trips_through_serde_lowercase
  / parse_str_round_trip.

manager-core/src/triggers_api.rs v1.1.3 tests (6 tests):
- kv_trigger_rejects_module_target / docs_trigger_rejects_module_target
  / dl_trigger_rejects_module_target — modules cannot be trigger
  targets.
- kv_trigger_rejects_missing_script / kv_trigger_rejects_cross_app_script
  — closes the latent v1.1.1/v1.1.2 isolation gap.
- kv_trigger_accepts_endpoint_target — happy path through the
  validate_trigger_target check.

picloud/tests/api.rs (8 #[ignore]'d Postgres-gated integration tests):
- create_script_default_kind_is_endpoint / create_module_kind_persists.
- create_module_with_top_level_expr_rejected /
  create_module_with_reserved_name_rejected.
- route_bind_rejects_module.
- endpoint_imports_module_end_to_end /
  module_edit_visible_on_next_invocation / cross_app_import_blocked.

Lint cleanup along the way:
- `ScriptKind::from_str` renamed to `parse_str` to dodge the
  `should_implement_trait` lint (FromStr's `Result<…,Err>` shape
  doesn't fit a 0-info lookup).
- `derive(Default)` on `ScriptKind` (Endpoint marked `#[default]`).
- Match-arm collapse in `check_module_shape` for Import + Noop.
- `#[allow(clippy::too_many_lines)]` on `resolve()` (the bridge
  logic is genuinely cohesive and would lose clarity if split).
- Elided `'r` lifetime on `StackGuard`.

Three gates clean on this commit's HEAD:
- cargo fmt --all -- --check: clean
- cargo clippy --all-targets --all-features -- -D warnings: clean
- cargo test --workspace: 358 passed, 140 ignored (Postgres-gated)
- npm run check: 0 errors, 0 warnings

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/orchestrator-core/src/client.rs

@@ -280,3 +280,131 @@ impl ExecutorClient for RemoteExecutorClient {
         ))
     }
 }
+
+#[cfg(test)]
+mod cache_tests {
+    use super::*;
+    use picloud_executor_core::Limits;
+    use picloud_shared::Services;
+
+    fn engine() -> Arc<Engine> {
+        Arc::new(Engine::new(Limits::default(), Services::default()))
+    }
+
+    fn client_with_cap(cap: usize) -> LocalExecutorClient {
+        LocalExecutorClient::with_script_cache_capacity(
+            engine(),
+            Arc::new(ExecutionGate::new(32)),
+            cap,
+        )
+    }
+
+    fn identity_at(t: DateTime<Utc>) -> ScriptIdentity {
+        ScriptIdentity {
+            script_id: ScriptId::new(),
+            updated_at: t,
+        }
+    }
+
+    #[test]
+    fn cache_hit_when_identity_matches() {
+        let client = client_with_cap(8);
+        let identity = identity_at(Utc::now());
+        let src = "fn f() { 1 }";
+
+        let ast_a = client.get_or_compile(identity, src).unwrap();
+        let ast_b = client.get_or_compile(identity, src).unwrap();
+
+        // Same Arc — cache served the second call without recompiling.
+        assert!(
+            Arc::ptr_eq(&ast_a, &ast_b),
+            "expected identical Arc<AST> from cache hit"
+        );
+    }
+
+    #[test]
+    fn cache_invalidated_when_updated_at_changes() {
+        let client = client_with_cap(8);
+        let script_id = ScriptId::new();
+        let t0 = Utc::now() - chrono::Duration::seconds(10);
+        let t1 = Utc::now();
+
+        let ast_a = client
+            .get_or_compile(
+                ScriptIdentity {
+                    script_id,
+                    updated_at: t0,
+                },
+                "fn f() { 1 }",
+            )
+            .unwrap();
+        let ast_b = client
+            .get_or_compile(
+                ScriptIdentity {
+                    script_id,
+                    updated_at: t1,
+                },
+                "fn f() { 2 }",
+            )
+            .unwrap();
+
+        // Different Arc — cache miss forced recompile.
+        assert!(
+            !Arc::ptr_eq(&ast_a, &ast_b),
+            "expected recompile on updated_at change"
+        );
+    }
+
+    #[test]
+    fn distinct_script_ids_cache_independently() {
+        let client = client_with_cap(8);
+        let now = Utc::now();
+        let a = identity_at(now);
+        let b = identity_at(now);
+        client.get_or_compile(a, "fn x() { 1 }").unwrap();
+        client.get_or_compile(b, "fn x() { 1 }").unwrap();
+
+        let cache = client.script_cache().lock().unwrap();
+        assert_eq!(
+            cache.len(),
+            2,
+            "distinct script_ids should yield two entries"
+        );
+    }
+
+    #[test]
+    fn lru_eviction_caps_cache_size() {
+        // Capacity 1 — every new script evicts the previous.
+        let client = client_with_cap(1);
+        client
+            .get_or_compile(identity_at(Utc::now()), "fn a() { 1 }")
+            .unwrap();
+        client
+            .get_or_compile(identity_at(Utc::now()), "fn b() { 2 }")
+            .unwrap();
+        client
+            .get_or_compile(identity_at(Utc::now()), "fn c() { 3 }")
+            .unwrap();
+        assert_eq!(client.script_cache().lock().unwrap().len(), 1);
+    }
+
+    #[test]
+    fn script_identity_is_copy() {
+        // Copy is load-bearing — many call sites pass it by value.
+        let id = identity_at(Utc::now());
+        let _ = id;
+        let _ = id; // should still be usable
+    }
+
+    #[test]
+    fn compile_error_does_not_poison_cache() {
+        let client = client_with_cap(8);
+        let identity = identity_at(Utc::now());
+        // Bad source — should error and not insert anything.
+        let res = client.get_or_compile(identity, "@@@ not valid rhai @@@");
+        assert!(res.is_err(), "garbage source should fail to compile");
+        // A subsequent good compile under a fresh identity must still work.
+        let good = client.get_or_compile(identity_at(Utc::now()), "fn ok() { 1 }");
+        assert!(good.is_ok());
+    }
+}