feat: persist execution logs + dashboard detail view + integration tests

Three threads landing together because they share a public surface
(the new execution_log shape) and verifying any one in isolation
would mean re-doing the work later.

== (A) execution log persistence ==

  * shared::ExecutionLog + ExecutionStatus carry the audit-trail
    shape that flows from the orchestrator through the sink and
    back out via the manager's logs endpoint.

  * shared::ExecutionLogSink trait — abstraction the orchestrator
    writes through. In single-process MVP mode the manager's
    Postgres-backed impl is plugged in directly; in cluster mode
    (v1.3+) the orchestrator's impl will post over HTTP to the
    manager. Trait lives in `shared` so neither *-core crate has
    to know about the other.

  * manager-core::PostgresExecutionLogSink writes to the
    execution_logs table (already in the initial migration);
    PostgresExecutionLogRepository reads them back, paginated.
    AdminState now carries both a script repo and a log repo, so
    `admin_router` exposes `GET /scripts/{id}/logs?limit=&offset=`
    capped at 200 rows per page to keep the dashboard responsive.

  * orchestrator-core::DataPlaneState gains `log_sink`. The
    execute handler builds an ExecutionLog on every outcome —
    success, error, timeout, budget-exceeded — and awaits the
    sink. Sink failures are logged at warn and DO NOT mask the
    user-facing result, since "we couldn't write the audit row"
    is a separate concern from "the script ran".

  * picloud binary refactored into a lib (`build_app(pool)` is
    the seam) + thin bin shell. Same Postgres pool backs the
    script repo, the log repo, and the sink — no double pool.

== (B) dashboard ==

  * Typed API client extended with `scripts.logs(id, opts)`,
    `scripts.update/remove`, and `execute(id, body, headers)`.
    Plain `fetch` wrapper now surfaces server-side error
    messages via a typed ApiError so the UI can render them.

  * `/` — create-script form now actually creates; on success
    the list reloads. List entries link to detail.

  * `/scripts/[id]` — new detail route: source editor with save
    (calls update, version bumps); Test invoke panel that sends
    arbitrary JSON body + headers to /api/execute and shows the
    response; Recent executions panel reading from /logs with
    expandable per-row request/response/script-log views.
    Delete button with confirm. SPA-routed; Caddy serves
    `build/` with the same index.html fallback.

== (C) integration tests ==

  * crates/picloud/tests/api.rs — 14 sqlx::test cases driving
    `build_app` through an axum_test::TestServer against a fresh
    Postgres DB per test. Covers: health, full script CRUD,
    duplicate-name conflict, invalid-source rejection on both
    create and update, execute echoing the body, status+header
    passthrough, 404 on missing scripts, error-path executions
    landing in the audit log with the right status.

  * Tests are `#[ignore]` by default so plain `cargo test
    --workspace` stays green without infrastructure. Opt-in via:
    `docker compose up -d postgres && \
       DATABASE_URL=postgres://picloud:picloud@127.0.0.1:15432/picloud \
       cargo test -p picloud --test api -- --include-ignored`

Verified live through Caddy on :8000: three logged invocations
land in the logs endpoint with the right structured `data` on
each `log::info`/`log::warn`, error-path executions are still
captured with status=error, dashboard list + SPA detail route
both reachable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/shared/src/execution_log.rs

@@ -0,0 +1,54 @@
+use std::collections::BTreeMap;
+
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+use crate::{RequestId, ScriptId};
+
+/// One row in the `execution_logs` table. Same shape flows through the
+/// `ExecutionLogSink` trait and the `GET /scripts/{id}/logs` response.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct ExecutionLog {
+    pub id: Uuid,
+    pub script_id: ScriptId,
+    pub request_id: RequestId,
+
+    pub request_path: String,
+    pub request_headers: BTreeMap<String, String>,
+    pub request_body: serde_json::Value,
+
+    pub response_code: Option<u16>,
+    pub response_body: Option<serde_json::Value>,
+
+    /// `log::*` entries captured during the execution, serialized as a
+    /// JSON array of `{timestamp, level, message, data}` objects.
+    pub script_logs: serde_json::Value,
+
+    pub duration_ms: u64,
+    pub status: ExecutionStatus,
+    pub created_at: DateTime<Utc>,
+}
+
+/// Matches the CHECK constraint on `execution_logs.status`. Keep the
+/// serde rename in sync with the migration.
+#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "snake_case")]
+pub enum ExecutionStatus {
+    Success,
+    Error,
+    Timeout,
+    BudgetExceeded,
+}
+
+impl ExecutionStatus {
+    #[must_use]
+    pub fn as_str(self) -> &'static str {
+        match self {
+            Self::Success => "success",
+            Self::Error => "error",
+            Self::Timeout => "timeout",
+            Self::BudgetExceeded => "budget_exceeded",
+        }
+    }
+}

crates/shared/src/lib.rs

@@ -5,11 +5,15 @@
 //! entity, error roots, transport DTOs).
 
 pub mod error;
+pub mod execution_log;
 pub mod ids;
+pub mod log_sink;
 pub mod script;
 pub mod validator;
 
 pub use error::Error;
+pub use execution_log::{ExecutionLog, ExecutionStatus};
 pub use ids::{ExecutionId, RequestId, ScriptId};
+pub use log_sink::{ExecutionLogSink, LogSinkError};
 pub use script::Script;
 pub use validator::{ScriptValidator, ValidationError};

crates/shared/src/log_sink.rs

@@ -0,0 +1,22 @@
+//! Abstraction over how execution logs are recorded.
+//!
+//! Lives in `shared` so the orchestrator can append logs without
+//! depending on `manager-core`. In single-process MVP mode, the
+//! manager's Postgres sink is plugged in directly. In cluster mode
+//! (v1.3+) the orchestrator's impl will post over HTTP to the manager.
+
+use async_trait::async_trait;
+use thiserror::Error;
+
+use crate::execution_log::ExecutionLog;
+
+#[derive(Debug, Error)]
+pub enum LogSinkError {
+    #[error("sink backend error: {0}")]
+    Backend(String),
+}
+
+#[async_trait]
+pub trait ExecutionLogSink: Send + Sync {
+    async fn record(&self, log: ExecutionLog) -> Result<(), LogSinkError>;
+}