PiCloud

fabi/PiCloud

Fork 0

Commit Graph

Author	SHA1	Message	Date
MechaCat02	10b5f655d5	feat(v1.1.4): outbound HTTP SDK + cron triggers HTTP (`http::*`): - `HttpService` trait (picloud-shared) + reqwest-backed `HttpServiceImpl` (manager-core), wired into the `Services` bundle. - SSRF deny-list applied to the resolved IP via a custom reqwest `dns_resolver` (covers every redirect hop + defeats DNS rebinding) plus a literal-IP check at URL-parse time. Scheme/port restrictions, request + response body caps (stream-with-cap), layered timeout. Error reason is a CIDR category, never the IP. `PICLOUD_HTTP_ALLOW_PRIVATE` dev override (logs a startup warning). - Rhai bridge with three-arg split `verb(url, body, opts)` (resolves the brief's body-vs-opts contradiction; unknown opt keys throw). Body dispatch by type; response `#{status,headers,body,body_raw}` with JSON auto-parse; non-2xx does not throw. - `Capability::AppHttpRequest` → existing `script:write` scope (no new Scope variant). `SdkCallCx` gains `script_id` (attribution + User-Agent). Cron triggers (4th trigger kind): - Migration 0017 widens the kind/source_kind CHECKs and adds `cron_trigger_details`. `cron`/`chrono-tz` parse + validate 6-field schedules and IANA timezones. - `spawn_cron_scheduler` polls due triggers and enqueues to the universal outbox; the dispatcher delivers them (one-line match-arm extension). Catch-up fires exactly once per trigger per tick, not once per missed window. `ctx.event.cron` for handlers. - `POST /api/v1/admin/apps/{id}/triggers/cron` reuses the v1.1.3 cross-app + kind!=module target check. - Dashboard: admin-gated Triggers tab (cron create form + list). Follow-ups: redact module backend errors at the resolver boundary (log original at error level); pin `rhai = "=1.24"`; CHANGELOG incl. retroactive v1.1.3 cross-app-trigger security note. Version bumps: workspace 1.1.4, SDK 1.5, dashboard 0.10.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-03 20:23:18 +02:00
MechaCat02	3dbead426f	test(v1.1.3-modules): resolver, cache, validator, kind-rejection coverage Adds ~46 new tests across the v1.1.3 surface: executor-core/tests/modules.rs (NEW, 23 tests): - resolver_loads_simple_module / endpoint_can_import_module / module_can_import_module — end-to-end through Engine::execute. - resolver_cross_app_blocked / resolver_cross_app_module_not_found / module_cache_keyed_by_app — same-name modules in different apps resolve independently; cross-app lookup returns ModuleNotFound. - resolver_self_import_detected / resolver_circular_detected — cycle detector reports the chain. - resolver_depth_limit_enforced / resolver_depth_limit_just_under_succeeds. - resolver_module_not_found / resolver_backend_error_surfaces. - resolver_runtime_validation_rejects_top_level_expr — defense-in- depth: a module with a top-level expression that bypassed the admin gate is rejected at resolve time. - module_cache_hit_reuses_compiled_module / module_cache_stale_invalidated_on_updated_at_change / module_cache_lru_evicts_when_capacity_exceeded. - validate_module_{accepts_fn_const_import_only, rejects_top_level_let, rejects_top_level_expr, rejects_top_level_while}. - validate_endpoint_{extracts_literal_imports, top_level_expr_still_allowed, skips_dynamic_imports_in_imports_list}. orchestrator-core/src/client.rs cache_tests (6 tests): - cache_hit_when_identity_matches / cache_invalidated_when_updated_at_changes / distinct_script_ids_cache_independently / lru_eviction_caps_cache_size / script_identity_is_copy / compile_error_does_not_poison_cache. shared/src/script.rs kind_tests (3 tests): - default_is_endpoint / round_trips_through_serde_lowercase / parse_str_round_trip. manager-core/src/triggers_api.rs v1.1.3 tests (6 tests): - kv_trigger_rejects_module_target / docs_trigger_rejects_module_target / dl_trigger_rejects_module_target — modules cannot be trigger targets. - kv_trigger_rejects_missing_script / kv_trigger_rejects_cross_app_script — closes the latent v1.1.1/v1.1.2 isolation gap. - kv_trigger_accepts_endpoint_target — happy path through the validate_trigger_target check. picloud/tests/api.rs (8 #[ignore]'d Postgres-gated integration tests): - create_script_default_kind_is_endpoint / create_module_kind_persists. - create_module_with_top_level_expr_rejected / create_module_with_reserved_name_rejected. - route_bind_rejects_module. - endpoint_imports_module_end_to_end / module_edit_visible_on_next_invocation / cross_app_import_blocked. Lint cleanup along the way: - `ScriptKind::from_str` renamed to `parse_str` to dodge the `should_implement_trait` lint (FromStr's `Result<…,Err>` shape doesn't fit a 0-info lookup). - `derive(Default)` on `ScriptKind` (Endpoint marked `#[default]`). - Match-arm collapse in `check_module_shape` for Import + Noop. - `#[allow(clippy::too_many_lines)]` on `resolve()` (the bridge logic is genuinely cohesive and would lose clarity if split). - Elided `'r` lifetime on `StackGuard`. Three gates clean on this commit's HEAD: - cargo fmt --all -- --check: clean - cargo clippy --all-targets --all-features -- -D warnings: clean - cargo test --workspace: 358 passed, 140 ignored (Postgres-gated) - npm run check: 0 errors, 0 warnings Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-03 07:18:18 +02:00
MechaCat02	84833d3e4e	feat(v1.1.3-modules): shared types, migrations, engine + resolver scaffold Lays down the v1.1.3 plumbing: - `ScriptKind` enum in `picloud-shared` ('endpoint' \| 'module'). - `ModuleSource` trait + `ModuleScript` DTO + `NoopModuleSource` in `picloud-shared`. Resolver lives in `executor-core`; Postgres impl in `manager-core` (`PostgresModuleSource`). - `Services::new` grows a fifth `modules: Arc<dyn ModuleSource>` arg. - `ScriptValidator` returns `ValidatedScript { imports }` so the manager can populate the dep-graph table on save. New `validate_module` method on the trait gates module-shape rules. - `Engine::execute_ast(&Arc<rhai::AST>, req)` lets the orchestrator's script cache reuse compiled ASTs. `Engine::execute(&str, req)` is preserved as a convenience that compiles inline. `Engine::compile` exposes the AST for callers that want to cache. - `PicloudModuleResolver` replaces `DummyModuleResolver` per-call. Bridges Rhai's sync `ModuleResolver::resolve` to async `ModuleSource::lookup` via `Handle::block_on`. Enforces: - cross-app isolation (resolver captures `Arc<SdkCallCx>`), - circular import detection (in-progress stack on the resolver), - import depth limit (default 8 via `Limits::module_import_depth_max`). - Module-shape validation walks `ast.statements()` via `rhai/internals` and accepts only `Var { CONSTANT }`, `Import`, and `Noop`. The manager admin endpoint runs `validate_module` at save (primary gate); resolver re-runs it at load (defense in depth). - LRU cache `(AppId, name) -> (updated_at, Arc<Module>)` owned by `Engine`. Size from `PICLOUD_MODULE_CACHE_SIZE` (default 512). - Migration `0015_scripts_kind.sql` adds `scripts.kind` + composite index + module-name shape CHECK. - Migration `0016_script_imports.sql` adds the dep-graph table with FK CASCADE on both columns. - Repo: `kind` threaded through SELECT/INSERT/UPDATE. New `count_routes_for_script` / `count_triggers_for_script` / `list_imports` methods. `create`/`update` open a transaction and call `replace_imports_tx` to populate the dep-graph. - Admin endpoint: accepts `kind`; rejects reserved module names; rejects `endpoint → module` transitions when routes / triggers exist. - SDK_VERSION 1.3 → 1.4. Workspace builds; full test suite (~440 tests) green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-02 22:04:21 +02:00

Author

SHA1

Message

Date

MechaCat02

10b5f655d5

feat(v1.1.4): outbound HTTP SDK + cron triggers

HTTP (`http::*`):
- `HttpService` trait (picloud-shared) + reqwest-backed `HttpServiceImpl`
  (manager-core), wired into the `Services` bundle.
- SSRF deny-list applied to the resolved IP via a custom reqwest
  `dns_resolver` (covers every redirect hop + defeats DNS rebinding) plus
  a literal-IP check at URL-parse time. Scheme/port restrictions, request
  + response body caps (stream-with-cap), layered timeout. Error reason is
  a CIDR category, never the IP. `PICLOUD_HTTP_ALLOW_PRIVATE` dev override
  (logs a startup warning).
- Rhai bridge with three-arg split `verb(url, body, opts)` (resolves the
  brief's body-vs-opts contradiction; unknown opt keys throw). Body
  dispatch by type; response `#{status,headers,body,body_raw}` with JSON
  auto-parse; non-2xx does not throw.
- `Capability::AppHttpRequest` → existing `script:write` scope (no new
  Scope variant). `SdkCallCx` gains `script_id` (attribution + User-Agent).

Cron triggers (4th trigger kind):
- Migration 0017 widens the kind/source_kind CHECKs and adds
  `cron_trigger_details`. `cron`/`chrono-tz` parse + validate 6-field
  schedules and IANA timezones.
- `spawn_cron_scheduler` polls due triggers and enqueues to the universal
  outbox; the dispatcher delivers them (one-line match-arm extension).
  Catch-up fires exactly once per trigger per tick, not once per missed
  window. `ctx.event.cron` for handlers.
- `POST /api/v1/admin/apps/{id}/triggers/cron` reuses the v1.1.3
  cross-app + kind!=module target check.
- Dashboard: admin-gated Triggers tab (cron create form + list).

Follow-ups: redact module backend errors at the resolver boundary (log
original at error level); pin `rhai = "=1.24"`; CHANGELOG incl. retroactive
v1.1.3 cross-app-trigger security note. Version bumps: workspace 1.1.4,
SDK 1.5, dashboard 0.10.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-03 20:23:18 +02:00

MechaCat02

3dbead426f

test(v1.1.3-modules): resolver, cache, validator, kind-rejection coverage

Adds ~46 new tests across the v1.1.3 surface:

executor-core/tests/modules.rs (NEW, 23 tests):
- resolver_loads_simple_module / endpoint_can_import_module /
  module_can_import_module — end-to-end through Engine::execute.
- resolver_cross_app_blocked / resolver_cross_app_module_not_found /
  module_cache_keyed_by_app — same-name modules in different apps
  resolve independently; cross-app lookup returns ModuleNotFound.
- resolver_self_import_detected / resolver_circular_detected —
  cycle detector reports the chain.
- resolver_depth_limit_enforced / resolver_depth_limit_just_under_succeeds.
- resolver_module_not_found / resolver_backend_error_surfaces.
- resolver_runtime_validation_rejects_top_level_expr — defense-in-
  depth: a module with a top-level expression that bypassed the
  admin gate is rejected at resolve time.
- module_cache_hit_reuses_compiled_module /
  module_cache_stale_invalidated_on_updated_at_change /
  module_cache_lru_evicts_when_capacity_exceeded.
- validate_module_{accepts_fn_const_import_only,
  rejects_top_level_let, rejects_top_level_expr,
  rejects_top_level_while}.
- validate_endpoint_{extracts_literal_imports,
  top_level_expr_still_allowed,
  skips_dynamic_imports_in_imports_list}.

orchestrator-core/src/client.rs cache_tests (6 tests):
- cache_hit_when_identity_matches / cache_invalidated_when_updated_at_changes
  / distinct_script_ids_cache_independently / lru_eviction_caps_cache_size
  / script_identity_is_copy / compile_error_does_not_poison_cache.

shared/src/script.rs kind_tests (3 tests):
- default_is_endpoint / round_trips_through_serde_lowercase
  / parse_str_round_trip.

manager-core/src/triggers_api.rs v1.1.3 tests (6 tests):
- kv_trigger_rejects_module_target / docs_trigger_rejects_module_target
  / dl_trigger_rejects_module_target — modules cannot be trigger
  targets.
- kv_trigger_rejects_missing_script / kv_trigger_rejects_cross_app_script
  — closes the latent v1.1.1/v1.1.2 isolation gap.
- kv_trigger_accepts_endpoint_target — happy path through the
  validate_trigger_target check.

picloud/tests/api.rs (8 #[ignore]'d Postgres-gated integration tests):
- create_script_default_kind_is_endpoint / create_module_kind_persists.
- create_module_with_top_level_expr_rejected /
  create_module_with_reserved_name_rejected.
- route_bind_rejects_module.
- endpoint_imports_module_end_to_end /
  module_edit_visible_on_next_invocation / cross_app_import_blocked.

Lint cleanup along the way:
- `ScriptKind::from_str` renamed to `parse_str` to dodge the
  `should_implement_trait` lint (FromStr's `Result<…,Err>` shape
  doesn't fit a 0-info lookup).
- `derive(Default)` on `ScriptKind` (Endpoint marked `#[default]`).
- Match-arm collapse in `check_module_shape` for Import + Noop.
- `#[allow(clippy::too_many_lines)]` on `resolve()` (the bridge
  logic is genuinely cohesive and would lose clarity if split).
- Elided `'r` lifetime on `StackGuard`.

Three gates clean on this commit's HEAD:
- cargo fmt --all -- --check: clean
- cargo clippy --all-targets --all-features -- -D warnings: clean
- cargo test --workspace: 358 passed, 140 ignored (Postgres-gated)
- npm run check: 0 errors, 0 warnings

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-06-03 07:18:18 +02:00

MechaCat02

84833d3e4e

feat(v1.1.3-modules): shared types, migrations, engine + resolver scaffold

Lays down the v1.1.3 plumbing:

- `ScriptKind` enum in `picloud-shared` ('endpoint' | 'module').
- `ModuleSource` trait + `ModuleScript` DTO + `NoopModuleSource` in
  `picloud-shared`. Resolver lives in `executor-core`; Postgres impl
  in `manager-core` (`PostgresModuleSource`).
- `Services::new` grows a fifth `modules: Arc<dyn ModuleSource>` arg.
- `ScriptValidator` returns `ValidatedScript { imports }` so the
  manager can populate the dep-graph table on save. New
  `validate_module` method on the trait gates module-shape rules.
- `Engine::execute_ast(&Arc<rhai::AST>, req)` lets the orchestrator's
  script cache reuse compiled ASTs. `Engine::execute(&str, req)` is
  preserved as a convenience that compiles inline. `Engine::compile`
  exposes the AST for callers that want to cache.
- `PicloudModuleResolver` replaces `DummyModuleResolver` per-call.
  Bridges Rhai's sync `ModuleResolver::resolve` to async
  `ModuleSource::lookup` via `Handle::block_on`. Enforces:
  - cross-app isolation (resolver captures `Arc<SdkCallCx>`),
  - circular import detection (in-progress stack on the resolver),
  - import depth limit (default 8 via
    `Limits::module_import_depth_max`).
- Module-shape validation walks `ast.statements()` via `rhai/internals`
  and accepts only `Var { CONSTANT }`, `Import`, and `Noop`. The
  manager admin endpoint runs `validate_module` at save (primary
  gate); resolver re-runs it at load (defense in depth).
- LRU cache `(AppId, name) -> (updated_at, Arc<Module>)` owned by
  `Engine`. Size from `PICLOUD_MODULE_CACHE_SIZE` (default 512).
- Migration `0015_scripts_kind.sql` adds `scripts.kind` + composite
  index + module-name shape CHECK.
- Migration `0016_script_imports.sql` adds the dep-graph table with
  FK CASCADE on both columns.
- Repo: `kind` threaded through SELECT/INSERT/UPDATE. New
  `count_routes_for_script` / `count_triggers_for_script` /
  `list_imports` methods. `create`/`update` open a transaction and
  call `replace_imports_tx` to populate the dep-graph.
- Admin endpoint: accepts `kind`; rejects reserved module names;
  rejects `endpoint → module` transitions when routes / triggers
  exist.
- SDK_VERSION 1.3 → 1.4.

Workspace builds; full test suite (~440 tests) green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-06-02 22:04:21 +02:00

3 Commits