PiCloud

fabi/PiCloud

Fork 0

Commit Graph

Author	SHA1	Message	Date
MechaCat02	10b5f655d5	feat(v1.1.4): outbound HTTP SDK + cron triggers HTTP (`http::*`): - `HttpService` trait (picloud-shared) + reqwest-backed `HttpServiceImpl` (manager-core), wired into the `Services` bundle. - SSRF deny-list applied to the resolved IP via a custom reqwest `dns_resolver` (covers every redirect hop + defeats DNS rebinding) plus a literal-IP check at URL-parse time. Scheme/port restrictions, request + response body caps (stream-with-cap), layered timeout. Error reason is a CIDR category, never the IP. `PICLOUD_HTTP_ALLOW_PRIVATE` dev override (logs a startup warning). - Rhai bridge with three-arg split `verb(url, body, opts)` (resolves the brief's body-vs-opts contradiction; unknown opt keys throw). Body dispatch by type; response `#{status,headers,body,body_raw}` with JSON auto-parse; non-2xx does not throw. - `Capability::AppHttpRequest` → existing `script:write` scope (no new Scope variant). `SdkCallCx` gains `script_id` (attribution + User-Agent). Cron triggers (4th trigger kind): - Migration 0017 widens the kind/source_kind CHECKs and adds `cron_trigger_details`. `cron`/`chrono-tz` parse + validate 6-field schedules and IANA timezones. - `spawn_cron_scheduler` polls due triggers and enqueues to the universal outbox; the dispatcher delivers them (one-line match-arm extension). Catch-up fires exactly once per trigger per tick, not once per missed window. `ctx.event.cron` for handlers. - `POST /api/v1/admin/apps/{id}/triggers/cron` reuses the v1.1.3 cross-app + kind!=module target check. - Dashboard: admin-gated Triggers tab (cron create form + list). Follow-ups: redact module backend errors at the resolver boundary (log original at error level); pin `rhai = "=1.24"`; CHANGELOG incl. retroactive v1.1.3 cross-app-trigger security note. Version bumps: workspace 1.1.4, SDK 1.5, dashboard 0.10.0. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-03 20:23:18 +02:00
MechaCat02	20f1b5e64d	feat(v1.1.1-dead-letters): service + Rhai SDK + admin endpoints `PostgresDeadLetterService` lands as the real `DeadLetterService` impl, replacing `NoopDeadLetterService` in the picloud binary's `Services` bundle. Both methods are gated by `Capability::AppDeadLetterManage(AppId)` — public-HTTP scripts with `principal: None` fail the check, per design notes §4. - `dead_letters::replay(id)` (Rhai SDK + admin endpoint): re-inserts the original event payload into the outbox with attempt_count=0, reply_to=None. The DL row is marked `resolution='replayed'`. - `dead_letters::resolve(id, reason)` (Rhai SDK + admin endpoint): closes the row with `resolved_at = NOW()` and the given reason. CHECK constraint on the column enforces the 4-value vocabulary. - `dead_letters::list(filter)` is intentionally NOT shipped — design notes §4 defers it to v1.2 to align with the eventual `docs::find()` query DSL. Admin endpoints under `/api/v1/admin/apps/{id}/dead_letters/`: - `GET /` (with `?unresolved=true`) → list view - `GET /count` → unresolved-count badge - `GET /{dl_id}` → row detail (full payload + error) - `POST /{dl_id}/replay` → re-enqueue - `POST /{dl_id}/resolve` body `{reason}` → close out All cross-app-aware: the row's `app_id` is compared against the path param so a caller with rights on app A cannot manipulate app B's dead letters by id alone. The Rhai bridge for `dead_letters::` follows the same sync↔async pattern as the `kv::` bridge (`Handle::current().block_on(...)` inside the spawn_blocking-wrapped Rhai engine). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-01 22:17:25 +02:00

Author

SHA1

Message

Date

MechaCat02

10b5f655d5

feat(v1.1.4): outbound HTTP SDK + cron triggers

HTTP (`http::*`):
- `HttpService` trait (picloud-shared) + reqwest-backed `HttpServiceImpl`
  (manager-core), wired into the `Services` bundle.
- SSRF deny-list applied to the resolved IP via a custom reqwest
  `dns_resolver` (covers every redirect hop + defeats DNS rebinding) plus
  a literal-IP check at URL-parse time. Scheme/port restrictions, request
  + response body caps (stream-with-cap), layered timeout. Error reason is
  a CIDR category, never the IP. `PICLOUD_HTTP_ALLOW_PRIVATE` dev override
  (logs a startup warning).
- Rhai bridge with three-arg split `verb(url, body, opts)` (resolves the
  brief's body-vs-opts contradiction; unknown opt keys throw). Body
  dispatch by type; response `#{status,headers,body,body_raw}` with JSON
  auto-parse; non-2xx does not throw.
- `Capability::AppHttpRequest` → existing `script:write` scope (no new
  Scope variant). `SdkCallCx` gains `script_id` (attribution + User-Agent).

Cron triggers (4th trigger kind):
- Migration 0017 widens the kind/source_kind CHECKs and adds
  `cron_trigger_details`. `cron`/`chrono-tz` parse + validate 6-field
  schedules and IANA timezones.
- `spawn_cron_scheduler` polls due triggers and enqueues to the universal
  outbox; the dispatcher delivers them (one-line match-arm extension).
  Catch-up fires exactly once per trigger per tick, not once per missed
  window. `ctx.event.cron` for handlers.
- `POST /api/v1/admin/apps/{id}/triggers/cron` reuses the v1.1.3
  cross-app + kind!=module target check.
- Dashboard: admin-gated Triggers tab (cron create form + list).

Follow-ups: redact module backend errors at the resolver boundary (log
original at error level); pin `rhai = "=1.24"`; CHANGELOG incl. retroactive
v1.1.3 cross-app-trigger security note. Version bumps: workspace 1.1.4,
SDK 1.5, dashboard 0.10.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-03 20:23:18 +02:00

MechaCat02

20f1b5e64d

feat(v1.1.1-dead-letters): service + Rhai SDK + admin endpoints

`PostgresDeadLetterService` lands as the real `DeadLetterService`
impl, replacing `NoopDeadLetterService` in the picloud binary's
`Services` bundle. Both methods are gated by
`Capability::AppDeadLetterManage(AppId)` — public-HTTP scripts with
`principal: None` fail the check, per design notes §4.

- `dead_letters::replay(id)` (Rhai SDK + admin endpoint): re-inserts
  the original event payload into the outbox with attempt_count=0,
  reply_to=None. The DL row is marked `resolution='replayed'`.
- `dead_letters::resolve(id, reason)` (Rhai SDK + admin endpoint):
  closes the row with `resolved_at = NOW()` and the given reason.
  CHECK constraint on the column enforces the 4-value vocabulary.
- `dead_letters::list(filter)` is intentionally NOT shipped —
  design notes §4 defers it to v1.2 to align with the eventual
  `docs::find()` query DSL.

Admin endpoints under `/api/v1/admin/apps/{id}/dead_letters/*`:
- `GET    /` (with `?unresolved=true`) → list view
- `GET    /count`                       → unresolved-count badge
- `GET    /{dl_id}`                     → row detail (full payload + error)
- `POST   /{dl_id}/replay`              → re-enqueue
- `POST   /{dl_id}/resolve` body `{reason}` → close out
All cross-app-aware: the row's `app_id` is compared against the path
param so a caller with rights on app A cannot manipulate app B's
dead letters by id alone.

The Rhai bridge for `dead_letters::*` follows the same sync↔async
pattern as the `kv::` bridge (`Handle::current().block_on(...)`
inside the spawn_blocking-wrapped Rhai engine).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-06-01 22:17:25 +02:00

2 Commits