feat: per-script Rhai sandbox overrides with admin ceiling

Adds optional per-script overrides for the six Rhai sandbox knobs
(max_operations, max_string_size, max_array_size, max_map_size,
max_call_levels, max_expr_depth). The executor merges its defaults
with each script's overrides on every call; the manager validates
overrides against an admin-set ceiling at write time, so the
executor trusts whatever is stored.

Storage chose JSONB on the existing scripts table over six new
columns: lets future knobs land as code-only changes, keeps the
sparse common case (most scripts override nothing) cheap to store
and serialize, and matches how the manager + executor pass the
config across the wire.

  * 0002_sandbox.sql — ALTER TABLE scripts ADD COLUMN sandbox
    JSONB NOT NULL DEFAULT '{}'
  * shared::ScriptSandbox — six Option<u64> fields with
    deny_unknown_fields so typos surface as 422
  * Script.sandbox + ExecRequest.sandbox_overrides — typed end
    to end; cluster mode just serializes the same struct
  * executor-core::Limits::with_overrides — field-by-field
    replacement; tests cover the override actually tightening
    the live engine
  * manager-core::SandboxCeiling — built-in conservative
    defaults (10M ops, 1 MiB strings, 100k array/map, 128
    call/expr depth); env vars override per knob, invalid
    values warn-and-skip rather than blocking boot
  * manager-core admin API — POST/PUT accept `sandbox`; values
    above the ceiling return 422 with the specific field +
    requested + ceiling; absent or `{}` keeps platform defaults
  * picloud all-in-one — wires SandboxCeiling::from_env() into
    AdminState
  * memory_limit_mb stays in the schema, marked v1.3+ advisory
    (no enforcement until OS-level isolation lands with
    cluster-mode executors)

Verified live through Caddy:
  * /version reports schema 2, product 0.3.0
  * Script with max_operations: 500 → 507 on a 10k-iteration loop
  * Same script after PUT raising to 1M → succeeds, returns 10000
  * POST with max_operations: 1_000_000_000 → 422 (exceeds ceiling)

Tests:
  * 13 executor-core unit tests (added 2 for override semantics)
  * 20 integration tests (added 6 for sandbox CRUD + ceiling +
    unknown-field rejection + executor honoring overrides)
  * default cargo test --workspace stays green (integration tests
    remain #[ignore]'d until DATABASE_URL is set)

Bumps:
  * schema 1 → 2
  * product 0.2.0 → 0.3.0
  * SDK unchanged (scripts see nothing new)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/picloud/tests/api.rs

@@ -283,6 +283,144 @@ async fn execution_logs_capture_invocations(pool: PgPool) {
     assert_eq!(entries[0]["data"], json!({ "marker": 7 }));
 }
 
+// ============================================================================
+// Sandbox overrides
+// ============================================================================
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[sqlx::test(migrations = "../manager-core/migrations")]
+async fn create_without_sandbox_returns_empty_object(pool: PgPool) {
+    let s = server(pool);
+    let created: Value = s
+        .post("/api/v1/admin/scripts")
+        .json(&json!({ "name": "no-sandbox", "source": "1" }))
+        .await
+        .json();
+    assert_eq!(created["sandbox"], json!({}));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[sqlx::test(migrations = "../manager-core/migrations")]
+async fn create_with_sandbox_persists_and_returns_overrides(pool: PgPool) {
+    let s = server(pool);
+    let created: Value = s
+        .post("/api/v1/admin/scripts")
+        .json(&json!({
+            "name": "tight",
+            "source": "1",
+            "sandbox": { "max_operations": 500, "max_string_size": 1024 }
+        }))
+        .await
+        .json();
+    assert_eq!(
+        created["sandbox"],
+        json!({ "max_operations": 500, "max_string_size": 1024 })
+    );
+
+    let id = created["id"].as_str().unwrap();
+    let fetched: Value = s.get(&format!("/api/v1/admin/scripts/{id}")).await.json();
+    assert_eq!(
+        fetched["sandbox"],
+        json!({ "max_operations": 500, "max_string_size": 1024 })
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[sqlx::test(migrations = "../manager-core/migrations")]
+async fn sandbox_exceeding_ceiling_returns_422(pool: PgPool) {
+    // Default conservative ceiling caps max_operations at 10_000_000.
+    let s = server(pool);
+    let r = s
+        .post("/api/v1/admin/scripts")
+        .json(&json!({
+            "name": "too-loose",
+            "source": "1",
+            "sandbox": { "max_operations": 100_000_000 }
+        }))
+        .await;
+    r.assert_status(axum::http::StatusCode::UNPROCESSABLE_ENTITY);
+    let body: Value = r.json();
+    assert!(body["error"].as_str().unwrap().contains("max_operations"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[sqlx::test(migrations = "../manager-core/migrations")]
+async fn sandbox_unknown_field_returns_422(pool: PgPool) {
+    let s = server(pool);
+    let r = s
+        .post("/api/v1/admin/scripts")
+        .json(&json!({
+            "name": "typo",
+            "source": "1",
+            "sandbox": { "max_operashuns": 500 }
+        }))
+        .await;
+    // serde's deny_unknown_fields causes axum to reject with 422 or
+    // 400 depending on extractor; the routing is irrelevant here, just
+    // that it doesn't get stored silently.
+    assert!(
+        r.status_code() == axum::http::StatusCode::UNPROCESSABLE_ENTITY
+            || r.status_code() == axum::http::StatusCode::BAD_REQUEST
+    );
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[sqlx::test(migrations = "../manager-core/migrations")]
+async fn sandbox_overrides_take_effect_at_execute(pool: PgPool) {
+    let s = server(pool);
+    // Tight max_operations on a loop the default would happily run.
+    let created: Value = s
+        .post("/api/v1/admin/scripts")
+        .json(&json!({
+            "name": "tight-exec",
+            "source": "let n = 0; for i in 0..10000 { n += 1; } n",
+            "sandbox": { "max_operations": 500 }
+        }))
+        .await
+        .json();
+    let id = created["id"].as_str().unwrap();
+
+    let r = s
+        .post(&format!("/api/v1/execute/{id}"))
+        .json(&json!({}))
+        .await;
+    r.assert_status(axum::http::StatusCode::INSUFFICIENT_STORAGE);
+    let body: Value = r.json();
+    assert!(body["error"].as_str().unwrap().contains("operation budget"));
+}
+
+#[ignore = "needs DATABASE_URL pointing at a running Postgres"]
+#[sqlx::test(migrations = "../manager-core/migrations")]
+async fn update_replaces_sandbox_wholesale(pool: PgPool) {
+    let s = server(pool);
+    let created: Value = s
+        .post("/api/v1/admin/scripts")
+        .json(&json!({
+            "name": "patch-target",
+            "source": "1",
+            "sandbox": { "max_operations": 500, "max_string_size": 1024 }
+        }))
+        .await
+        .json();
+    let id = created["id"].as_str().unwrap();
+
+    // Replace with a single override; the other field disappears.
+    let updated: Value = s
+        .put(&format!("/api/v1/admin/scripts/{id}"))
+        .json(&json!({ "sandbox": { "max_array_size": 5000 } }))
+        .await
+        .json();
+    assert_eq!(updated["sandbox"], json!({ "max_array_size": 5000 }));
+
+    // Send empty object to clear all overrides.
+    let cleared: Value = s
+        .put(&format!("/api/v1/admin/scripts/{id}"))
+        .json(&json!({ "sandbox": {} }))
+        .await
+        .json();
+    assert_eq!(cleared["sandbox"], json!({}));
+}
+
 #[ignore = "needs DATABASE_URL pointing at a running Postgres"]
 #[sqlx::test(migrations = "../manager-core/migrations")]
 async fn execution_errors_are_still_logged(pool: PgPool) {