feat: end-to-end script CRUD + Rhai execution

Brings the MVP feature set online: upload a Rhai script, get an HTTP endpoint that runs it sandboxed in-process, list/update/delete it, and have invalid sources rejected at upload time. Verified live through Caddy with a full lifecycle (`create → list → get → execute → update → delete`) plus error paths (syntax error, duplicate name, deleted). Layout — every concern lands behind the trait seam its layer owns, so cluster-mode in v1.3+ is a swap of two impls, not a rewrite: * shared::ScriptValidator — manager calls into validation without a hard dep on executor-core; executor-core impls the trait on `Engine`. Pinned in shared so neither crate has to know about the other. * executor-core::Engine — real Rhai engine: sandbox limits (max operations / string size / map size / call depth), disabled `print`, blocked `import` (DummyModuleResolver), `log::trace /info/warn/error` registered as a static module with shared log-capture buffer (no `log::debug` because `debug` is a Rhai reserved keyword — `log::trace` covers the same need). - `ctx` is pushed as a Scope constant exposing execution_id, script_id, script_name, request_id, invocation_type, request.{path,headers,body}. - Response convention: a Map with `statusCode` is the structured shape (`{statusCode, headers?, body}`); any other return value is a 200 with the value as the body. - Engine::execute is now synchronous (pure compute); the async wrapper + wall-clock timeout live in LocalExecutorClient, which spawns_blocking and applies a 300s hard ceiling regardless of per-script config. - 10 unit tests cover validate, exec, structured response, ctx exposure, log capture, op-budget enforcement, runtime errors, blocked imports, JSON round-tripping. * manager-core::repo — full sqlx CRUD over the `scripts` table, with proper unique-violation handling for duplicate names. Embedded migrations via `sqlx::migrate!` (one initial `0001_init.sql` for pgcrypto + scripts + execution_logs). * manager-core::api — `admin_router` mounts `/scripts` and `/scripts/{id}`. Create + Update validate source through the injected `ScriptValidator` before persistence. Returns proper 422/409/404 status codes via `ApiError::IntoResponse`. * orchestrator-core::api — `data_plane_router` mounts `/execute/{id}`: resolves the script through `ScriptResolver`, constructs the `ExecRequest` from headers+body, awaits `ExecutorClient::execute(..., timeout)`, translates the `ExecResponse` to an axum `Response` with header passthrough. Maps `ExecError` variants to 422/504/502/507. * picloud all-in-one — opens the pool, runs migrations, builds one engine, nests both routers under `/api/admin` and `/api`, enables structured JSON tracing and graceful shutdown on SIGTERM. Single `PostgresScriptRepository` Arc is shared by the admin router (writes) and the resolver (reads). Other changes: * Workspace axum bump 0.7 → 0.8 for the `{id}` path syntax matching the route definitions. * Workspace clippy: allow `needless_pass_by_value` and `boxed_local` to keep API ergonomics over pedantic noise. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-23 00:00:36 +02:00
parent 9efe678983
commit 4f044e7b81
19 changed files with 1272 additions and 76 deletions
--- a/crates/manager-core/src/api.rs
+++ b/crates/manager-core/src/api.rs
@@ -0,0 +1,197 @@
+//! Control-plane HTTP surface. Mounted by the `picloud` all-in-one
+//! binary under `/api/admin` and by the future split `picloud-manager`
+//! binary at its own root.
+
+use std::sync::Arc;
+
+use axum::{
+    extract::{Path, State},
+    http::StatusCode,
+    response::{IntoResponse, Response},
+    routing::get,
+    Json, Router,
+};
+use picloud_shared::{Script, ScriptId, ScriptValidator, ValidationError};
+use serde::Deserialize;
+
+use crate::repo::{NewScript, ScriptPatch, ScriptRepository, ScriptRepositoryError};
+
+/// State shared by control-plane handlers. Separates concerns so the
+/// manager can validate at upload time without depending on the
+/// concrete executor-core types.
+pub struct AdminState<R> {
+    pub repo: Arc<R>,
+    pub validator: Arc<dyn ScriptValidator>,
+}
+
+impl<R> Clone for AdminState<R> {
+    fn clone(&self) -> Self {
+        Self {
+            repo: self.repo.clone(),
+            validator: self.validator.clone(),
+        }
+    }
+}
+
+/// Build the admin router. The caller (binary) chooses where to mount
+/// it (typically `Router::new().nest("/api/admin", admin_router(state))`).
+pub fn admin_router<R: ScriptRepository + 'static>(state: AdminState<R>) -> Router {
+    Router::new()
+        .route("/scripts", get(list_scripts::<R>).post(create_script::<R>))
+        .route(
+            "/scripts/{id}",
+            get(get_script::<R>)
+                .put(update_script::<R>)
+                .delete(delete_script::<R>),
+        )
+        .with_state(state)
+}
+
+// ----------------------------------------------------------------------------
+// DTOs
+// ----------------------------------------------------------------------------
+
+#[derive(Debug, Deserialize)]
+pub struct CreateScriptRequest {
+    pub name: String,
+    pub description: Option<String>,
+    pub source: String,
+    pub timeout_seconds: Option<i32>,
+    pub memory_limit_mb: Option<i32>,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct UpdateScriptRequest {
+    pub name: Option<String>,
+    // Double Option lets clients explicitly clear the description by
+    // sending `"description": null`; an absent field leaves it alone.
+    #[serde(default, deserialize_with = "deserialize_optional_optional")]
+    #[allow(clippy::option_option)]
+    pub description: Option<Option<String>>,
+    pub source: Option<String>,
+    pub timeout_seconds: Option<i32>,
+    pub memory_limit_mb: Option<i32>,
+}
+
+#[allow(clippy::option_option)]
+fn deserialize_optional_optional<'de, D>(d: D) -> Result<Option<Option<String>>, D::Error>
+where
+    D: serde::Deserializer<'de>,
+{
+    Option::<String>::deserialize(d).map(Some)
+}
+
+// ----------------------------------------------------------------------------
+// Handlers
+// ----------------------------------------------------------------------------
+
+async fn list_scripts<R: ScriptRepository>(
+    State(state): State<AdminState<R>>,
+) -> Result<Json<Vec<Script>>, ApiError> {
+    Ok(Json(state.repo.list().await?))
+}
+
+async fn get_script<R: ScriptRepository>(
+    State(state): State<AdminState<R>>,
+    Path(id): Path<ScriptId>,
+) -> Result<Json<Script>, ApiError> {
+    state
+        .repo
+        .get(id)
+        .await?
+        .map(Json)
+        .ok_or(ApiError::NotFound(id))
+}
+
+async fn create_script<R: ScriptRepository>(
+    State(state): State<AdminState<R>>,
+    Json(input): Json<CreateScriptRequest>,
+) -> Result<(StatusCode, Json<Script>), ApiError> {
+    state.validator.validate(&input.source)?;
+    let created = state
+        .repo
+        .create(NewScript {
+            name: input.name,
+            description: input.description,
+            source: input.source,
+            timeout_seconds: input.timeout_seconds,
+            memory_limit_mb: input.memory_limit_mb,
+        })
+        .await?;
+    Ok((StatusCode::CREATED, Json(created)))
+}
+
+async fn update_script<R: ScriptRepository>(
+    State(state): State<AdminState<R>>,
+    Path(id): Path<ScriptId>,
+    Json(input): Json<UpdateScriptRequest>,
+) -> Result<Json<Script>, ApiError> {
+    if let Some(src) = input.source.as_deref() {
+        state.validator.validate(src)?;
+    }
+    let updated = state
+        .repo
+        .update(
+            id,
+            ScriptPatch {
+                name: input.name,
+                description: input.description,
+                source: input.source,
+                timeout_seconds: input.timeout_seconds,
+                memory_limit_mb: input.memory_limit_mb,
+            },
+        )
+        .await?;
+    Ok(Json(updated))
+}
+
+async fn delete_script<R: ScriptRepository>(
+    State(state): State<AdminState<R>>,
+    Path(id): Path<ScriptId>,
+) -> Result<StatusCode, ApiError> {
+    state.repo.delete(id).await?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+// ----------------------------------------------------------------------------
+// Errors
+// ----------------------------------------------------------------------------
+
+#[derive(Debug, thiserror::Error)]
+pub enum ApiError {
+    #[error("script not found: {0}")]
+    NotFound(ScriptId),
+
+    #[error("conflict: {0}")]
+    Conflict(String),
+
+    #[error("invalid script: {0}")]
+    Invalid(#[from] ValidationError),
+
+    #[error("repository error: {0}")]
+    Repo(#[from] ScriptRepositoryError),
+}
+
+impl IntoResponse for ApiError {
+    fn into_response(self) -> Response {
+        let (status, message) = match &self {
+            Self::NotFound(_) => (StatusCode::NOT_FOUND, self.to_string()),
+            Self::Conflict(_) => (StatusCode::CONFLICT, self.to_string()),
+            Self::Invalid(_) => (StatusCode::UNPROCESSABLE_ENTITY, self.to_string()),
+            Self::Repo(ScriptRepositoryError::NotFound(_)) => {
+                (StatusCode::NOT_FOUND, self.to_string())
+            }
+            Self::Repo(ScriptRepositoryError::Conflict(_)) => {
+                (StatusCode::CONFLICT, self.to_string())
+            }
+            Self::Repo(ScriptRepositoryError::Db(e)) => {
+                tracing::error!(error = %e, "manager db error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    "internal error".to_string(),
+                )
+            }
+        };
+        (status, Json(serde_json::json!({ "error": message }))).into_response()
+    }
+}