feat: persist execution logs + dashboard detail view + integration tests

Three threads landing together because they share a public surface
(the new execution_log shape) and verifying any one in isolation
would mean re-doing the work later.

== (A) execution log persistence ==

  * shared::ExecutionLog + ExecutionStatus carry the audit-trail
    shape that flows from the orchestrator through the sink and
    back out via the manager's logs endpoint.

  * shared::ExecutionLogSink trait — abstraction the orchestrator
    writes through. In single-process MVP mode the manager's
    Postgres-backed impl is plugged in directly; in cluster mode
    (v1.3+) the orchestrator's impl will post over HTTP to the
    manager. Trait lives in `shared` so neither *-core crate has
    to know about the other.

  * manager-core::PostgresExecutionLogSink writes to the
    execution_logs table (already in the initial migration);
    PostgresExecutionLogRepository reads them back, paginated.
    AdminState now carries both a script repo and a log repo, so
    `admin_router` exposes `GET /scripts/{id}/logs?limit=&offset=`
    capped at 200 rows per page to keep the dashboard responsive.

  * orchestrator-core::DataPlaneState gains `log_sink`. The
    execute handler builds an ExecutionLog on every outcome —
    success, error, timeout, budget-exceeded — and awaits the
    sink. Sink failures are logged at warn and DO NOT mask the
    user-facing result, since "we couldn't write the audit row"
    is a separate concern from "the script ran".

  * picloud binary refactored into a lib (`build_app(pool)` is
    the seam) + thin bin shell. Same Postgres pool backs the
    script repo, the log repo, and the sink — no double pool.

== (B) dashboard ==

  * Typed API client extended with `scripts.logs(id, opts)`,
    `scripts.update/remove`, and `execute(id, body, headers)`.
    Plain `fetch` wrapper now surfaces server-side error
    messages via a typed ApiError so the UI can render them.

  * `/` — create-script form now actually creates; on success
    the list reloads. List entries link to detail.

  * `/scripts/[id]` — new detail route: source editor with save
    (calls update, version bumps); Test invoke panel that sends
    arbitrary JSON body + headers to /api/execute and shows the
    response; Recent executions panel reading from /logs with
    expandable per-row request/response/script-log views.
    Delete button with confirm. SPA-routed; Caddy serves
    `build/` with the same index.html fallback.

== (C) integration tests ==

  * crates/picloud/tests/api.rs — 14 sqlx::test cases driving
    `build_app` through an axum_test::TestServer against a fresh
    Postgres DB per test. Covers: health, full script CRUD,
    duplicate-name conflict, invalid-source rejection on both
    create and update, execute echoing the body, status+header
    passthrough, 404 on missing scripts, error-path executions
    landing in the audit log with the right status.

  * Tests are `#[ignore]` by default so plain `cargo test
    --workspace` stays green without infrastructure. Opt-in via:
    `docker compose up -d postgres && \
       DATABASE_URL=postgres://picloud:picloud@127.0.0.1:15432/picloud \
       cargo test -p picloud --test api -- --include-ignored`

Verified live through Caddy on :8000: three logged invocations
land in the logs endpoint with the right structured `data` on
each `log::info`/`log::warn`, error-path executions are still
captured with status=error, dashboard list + SPA detail route
both reachable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/orchestrator-core/src/api.rs

@@ -14,20 +14,22 @@ use axum::{
     routing::post,
     Json, Router,
 };
-use picloud_executor_core::{ExecError, ExecRequest, InvocationType};
-use picloud_shared::{ExecutionId, RequestId, ScriptId};
+use chrono::Utc;
+use picloud_executor_core::{ExecError, ExecRequest, ExecResponse, InvocationType};
+use picloud_shared::{
+    ExecutionId, ExecutionLog, ExecutionLogSink, ExecutionStatus, RequestId, ScriptId,
+};
 use serde_json::Value as Json_;
+use uuid::Uuid;
 
 use crate::client::ExecutorClient;
 use crate::resolver::{ResolverError, ScriptResolver};
 
 /// State shared by data-plane handlers.
-///
-/// Both fields are `Arc` because handlers run concurrently; the
-/// underlying impls are `Send + Sync` (enforced by their traits).
 pub struct DataPlaneState<E, R> {
     pub executor: Arc<E>,
     pub resolver: Arc<R>,
+    pub log_sink: Arc<dyn ExecutionLogSink>,
 }
 
 impl<E, R> Clone for DataPlaneState<E, R> {
@@ -35,6 +37,7 @@ impl<E, R> Clone for DataPlaneState<E, R> {
         Self {
             executor: self.executor.clone(),
             resolver: self.resolver.clone(),
+            log_sink: self.log_sink.clone(),
         }
     }
 }
@@ -71,11 +74,35 @@ where
         .ok_or(ApiError::NotFound(id))?;
 
     let req = build_exec_request(id, &script.name, &headers, &body)?;
+    let request_id = req.request_id;
+    let request_path = req.path.clone();
+    let request_headers = req.headers.clone();
+    let request_body = req.body.clone();
 
     let timeout = Duration::from_secs(u64::from(script.timeout_seconds));
-    let resp = state.executor.execute(&script.source, req, timeout).await?;
+    let started = Utc::now();
+    let outcome = state.executor.execute(&script.source, req, timeout).await;
+    let finished = Utc::now();
 
-    Ok(exec_response_to_http(resp))
+    // Build and dispatch the audit log regardless of outcome. We await
+    // the sink — recording the trail is part of correctness for an
+    // audit-visible platform — but a sink failure must not mask the
+    // user-facing result, so we only log a warning if it fails.
+    let log = build_execution_log(
+        id,
+        request_id,
+        request_path,
+        request_headers,
+        request_body,
+        &outcome,
+        started,
+        finished,
+    );
+    if let Err(e) = state.log_sink.record(log).await {
+        tracing::warn!(error = %e, script_id = %id, "failed to persist execution log");
+    }
+
+    Ok(exec_response_to_http(outcome?))
 }
 
 // ----------------------------------------------------------------------------
@@ -114,7 +141,7 @@ fn build_exec_request(
     })
 }
 
-fn exec_response_to_http(resp: picloud_executor_core::ExecResponse) -> Response {
+fn exec_response_to_http(resp: ExecResponse) -> Response {
     let status =
         StatusCode::from_u16(resp.status_code).unwrap_or(StatusCode::INTERNAL_SERVER_ERROR);
 
@@ -124,7 +151,6 @@ fn exec_response_to_http(resp: picloud_executor_core::ExecResponse) -> Response
             http_headers.insert(name, value);
         }
     }
-    // Default content type to JSON; the script can override via `headers`.
     http_headers
         .entry(axum::http::header::CONTENT_TYPE)
         .or_insert_with(|| HeaderValue::from_static("application/json"));
@@ -132,6 +158,66 @@ fn exec_response_to_http(resp: picloud_executor_core::ExecResponse) -> Response
     (status, http_headers, Json(resp.body)).into_response()
 }
 
+#[allow(clippy::too_many_arguments)]
+fn build_execution_log(
+    script_id: ScriptId,
+    request_id: RequestId,
+    request_path: String,
+    request_headers: BTreeMap<String, String>,
+    request_body: Json_,
+    outcome: &Result<ExecResponse, ExecError>,
+    started: chrono::DateTime<Utc>,
+    finished: chrono::DateTime<Utc>,
+) -> ExecutionLog {
+    let duration_ms = u64::try_from(
+        finished
+            .signed_duration_since(started)
+            .num_milliseconds()
+            .max(0),
+    )
+    .unwrap_or(0);
+
+    let (status, response_code, response_body, script_logs) = match outcome {
+        Ok(resp) => {
+            let logs = serde_json::to_value(&resp.logs).unwrap_or(Json_::Array(vec![]));
+            (
+                ExecutionStatus::Success,
+                Some(resp.status_code),
+                Some(resp.body.clone()),
+                logs,
+            )
+        }
+        Err(e) => {
+            let status = match e {
+                ExecError::Timeout(_) => ExecutionStatus::Timeout,
+                ExecError::OperationBudgetExceeded => ExecutionStatus::BudgetExceeded,
+                _ => ExecutionStatus::Error,
+            };
+            (
+                status,
+                None,
+                Some(serde_json::json!({ "error": e.to_string() })),
+                Json_::Array(vec![]),
+            )
+        }
+    };
+
+    ExecutionLog {
+        id: Uuid::new_v4(),
+        script_id,
+        request_id,
+        request_path,
+        request_headers,
+        request_body,
+        response_code,
+        response_body,
+        script_logs,
+        duration_ms,
+        status,
+        created_at: started,
+    }
+}
+
 // ----------------------------------------------------------------------------
 // Errors
 // ----------------------------------------------------------------------------