PiCloud

fabi/PiCloud

Fork 0

Commit Graph

Author	SHA1	Message	Date
MechaCat02	02335a8132	fix(v1.1.7-dead-letter): wire dispatcher → list_matching_dead_letter dead_letter triggers have been registerable since v1.1.1 but their handlers never fired: dispatcher::handle_failure wrote the dead_letters row and stopped — list_matching_dead_letter had no production caller. Any deploy v1.1.1–v1.1.6 with dead_letter triggers had silently non-functional handlers. The fix: after the dead-letter row is inserted on retry exhaustion, fan out to matching dead_letter triggers (filtered by source / originating trigger_id / script_id) and enqueue one outbox row per match carrying a real-shape TriggerEvent::DeadLetter (the §6 brief field names were stale — used the actual variant: dead_letter_id, original: Box<TriggerEvent>, attempts, last_error, trigger_id, script_id, first/last_attempt_at). The recursion-stop (a handler's own failure isn't re-dead-lettered) is upheld by the existing is_dead_letter_handler short-circuit. Tests (DB-gated): handler actually fires with the nested original event; existing row-create test now also asserts handler-fire; source_filter excludes non-matching; failing handler does not recurse. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-04 22:30:25 +02:00
MechaCat02	2d11090d1a	feat(v1.1.7-secrets): secrets SDK + table + admin API + dashboard Encrypted per-app secrets, reachable from scripts as secrets::{get,set,delete,list}(name) and managed from the dashboard Secrets tab. Values are AES-256-GCM-sealed with the process master key (picloud_shared::crypto) before they touch Postgres; the repo only ever sees ciphertext + nonce. JSON round-trip preserves Rhai types. - migration 0023_secrets.sql (PRIMARY KEY (app_id, name)). - SecretsService trait (picloud-shared) + SecretsServiceImpl + repo (manager-core), wired into the Services bundle and Rhai engine. - Capability::AppSecretsRead/Write (→ script:read / script:write); no new Scope variants (seven-scope commitment). - Admin API GET/POST/DELETE /apps/{id}/secrets (list returns names + updated_at, never values). - build_app now takes a MasterKey, sourced from PICLOUD_SECRET_KEY in main.rs; test callers pass a fixed test key. - 64 KB value cap (PICLOUD_SECRET_MAX_VALUE_BYTES); no ServiceEvent emission (secret writes don't fire triggers, by design). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-04 21:37:17 +02:00
MechaCat02	fcbcc576a2	feat(v1.1.6): realtime channels + v1.1.5 follow-ups + version bumps Server-side realtime SSE on per-app pub/sub topics, plus the three v1.1.5 follow-ups and the version bumps. Realtime: - topics registry (0021) + admin endpoints + Capability::AppTopicManage (-> app:admin; no new scope). - GET /realtime/topics/{topic} SSE endpoint (orchestrator-core data plane): Host -> app, RealtimeAuthority gate (404 missing/internal, 401 bad/absent token), broadcast::Receiver stream + heartbeat. - RealtimeBroadcaster / RealtimeEvent / RealtimeAuthority traits (picloud-shared); InProcessBroadcaster + GC (orchestrator-core); DB-backed RealtimeAuthorityImpl (manager-core). Publish path fans out to in-process subscribers after the durable outbox commit (best-effort, panic-isolated). - HMAC subscriber tokens (subscriber_token.rs) + app_secrets table (0022) + pubsub::subscriber_token SDK (schema 1.6 -> 1.7). TTL clamp + env overrides. - Dashboard Topics tab (register/list/edit/delete, prominent external badge, flip confirmation). v1.1.5 follow-ups: - Empty blobs accepted (NewFile/FileUpdate::validate) + round-trip test. - Orphan .tmp. sweeper (spawn_files_orphan_sweep). - Dispatcher e2e tests, one per trigger kind (DATABASE_URL-gated). Versions: workspace 1.1.6, SDK 1.7, dashboard 0.12.0. Schema-snapshot golden re-blessed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-04 20:18:50 +02:00

Author

SHA1

Message

Date

MechaCat02

02335a8132

fix(v1.1.7-dead-letter): wire dispatcher → list_matching_dead_letter

dead_letter triggers have been registerable since v1.1.1 but their
handlers never fired: dispatcher::handle_failure wrote the dead_letters
row and stopped — list_matching_dead_letter had no production caller.
Any deploy v1.1.1–v1.1.6 with dead_letter triggers had silently
non-functional handlers.

The fix: after the dead-letter row is inserted on retry exhaustion, fan
out to matching dead_letter triggers (filtered by source / originating
trigger_id / script_id) and enqueue one outbox row per match carrying a
real-shape TriggerEvent::DeadLetter (the §6 brief field names were stale
— used the actual variant: dead_letter_id, original: Box<TriggerEvent>,
attempts, last_error, trigger_id, script_id, first/last_attempt_at).
The recursion-stop (a handler's own failure isn't re-dead-lettered)
is upheld by the existing is_dead_letter_handler short-circuit.

Tests (DB-gated): handler actually fires with the nested original event;
existing row-create test now also asserts handler-fire; source_filter
excludes non-matching; failing handler does not recurse.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-04 22:30:25 +02:00

MechaCat02

2d11090d1a

feat(v1.1.7-secrets): secrets SDK + table + admin API + dashboard

Encrypted per-app secrets, reachable from scripts as
secrets::{get,set,delete,list}(name) and managed from the dashboard
Secrets tab. Values are AES-256-GCM-sealed with the process master key
(picloud_shared::crypto) before they touch Postgres; the repo only ever
sees ciphertext + nonce. JSON round-trip preserves Rhai types.

- migration 0023_secrets.sql (PRIMARY KEY (app_id, name)).
- SecretsService trait (picloud-shared) + SecretsServiceImpl + repo
  (manager-core), wired into the Services bundle and Rhai engine.
- Capability::AppSecretsRead/Write (→ script:read / script:write); no
  new Scope variants (seven-scope commitment).
- Admin API GET/POST/DELETE /apps/{id}/secrets (list returns names +
  updated_at, never values).
- build_app now takes a MasterKey, sourced from PICLOUD_SECRET_KEY in
  main.rs; test callers pass a fixed test key.
- 64 KB value cap (PICLOUD_SECRET_MAX_VALUE_BYTES); no ServiceEvent
  emission (secret writes don't fire triggers, by design).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-04 21:37:17 +02:00

MechaCat02

fcbcc576a2

feat(v1.1.6): realtime channels + v1.1.5 follow-ups + version bumps

Server-side realtime SSE on per-app pub/sub topics, plus the three
v1.1.5 follow-ups and the version bumps.

Realtime:
- topics registry (0021) + admin endpoints + Capability::AppTopicManage
  (-> app:admin; no new scope).
- GET /realtime/topics/{topic} SSE endpoint (orchestrator-core data
  plane): Host -> app, RealtimeAuthority gate (404 missing/internal,
  401 bad/absent token), broadcast::Receiver stream + heartbeat.
- RealtimeBroadcaster / RealtimeEvent / RealtimeAuthority traits
  (picloud-shared); InProcessBroadcaster + GC (orchestrator-core);
  DB-backed RealtimeAuthorityImpl (manager-core). Publish path fans out
  to in-process subscribers after the durable outbox commit (best-effort,
  panic-isolated).
- HMAC subscriber tokens (subscriber_token.rs) + app_secrets table (0022)
  + pubsub::subscriber_token SDK (schema 1.6 -> 1.7). TTL clamp + env
  overrides.
- Dashboard Topics tab (register/list/edit/delete, prominent external
  badge, flip confirmation).

v1.1.5 follow-ups:
- Empty blobs accepted (NewFile/FileUpdate::validate) + round-trip test.
- Orphan *.tmp.* sweeper (spawn_files_orphan_sweep).
- Dispatcher e2e tests, one per trigger kind (DATABASE_URL-gated).

Versions: workspace 1.1.6, SDK 1.7, dashboard 0.12.0. Schema-snapshot
golden re-blessed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-04 20:18:50 +02:00

3 Commits