docs(v1.1.6): reviewer audit report — APPROVE verdict

Audit of feat/v1.1.6-realtime-client against the v1.1.6 dispatch
prompt. All gates green; clippy clean; ~550 tests pass (HANDBACK §8
claimed 482 — minor count-discrepancy flagged for retro, not a
blocker).

Both flagged items verified and resolved:

- §4-vs-§8 publish-ordering contradiction in the brief: the agent
  picked §8 (broadcast AFTER outbox commit) and explicitly flagged
  the contradiction. Confirmed correct — §8's ordering protects
  against subscribers being told an event happened that subsequently
  failed to durably commit. §4's broadcast-first phrasing was a
  latency-optimization aside; §8 is the dedicated numbered spec.
  The v1.1.4 retro discipline lesson (flag-don't-reinterpret) worked.

- Latent finding: dead_letter trigger handlers never fire — verified
  via grep. list_matching_dead_letter has no production caller; the
  bug predates v1.1.6 (shipped silent since v1.1.1). Correctly
  out-of-scope for v1.1.6. The dispatcher e2e test for dead_letter
  asserts the wired behavior (row created) with inline docs explaining
  why it's not asserting handler-fire. Fix folded into v1.1.7 prompt
  recommendations along with a retroactive CHANGELOG note.

Three v1.1.5 follow-ups landed: six dispatcher e2e tests gated on
DATABASE_URL, empty-blob relaxed, orphan tmp-sweeper. HMAC signing
key persisted to app_secrets table (recommended path); streaming-
fetch SSE in the client lib unlocks bearer-header auth + 401
detection + Last-Event-ID resume.

.github/workflows/ci.yml

@@ -0,0 +1,72 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+env:
+  CARGO_TERM_COLOR: always
+  # Matches what docker-compose produces locally; the schema-snapshot
+  # guardrail and any other DB-backed tests run against this service.
+  DATABASE_URL: postgres://picloud:picloud@localhost:5432/picloud
+
+jobs:
+  rust:
+    name: Rust — fmt, clippy, test
+    runs-on: ubuntu-latest
+    services:
+      postgres:
+        image: postgres:15
+        env:
+          POSTGRES_USER: picloud
+          POSTGRES_PASSWORD: picloud
+          POSTGRES_DB: picloud
+        ports:
+          - 5432:5432
+        options: >-
+          --health-cmd "pg_isready -U picloud"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+    steps:
+      - uses: actions/checkout@v4
+
+      # rust-toolchain.toml pins the channel; this action honors it.
+      - name: Install Rust toolchain
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          components: rustfmt, clippy
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Format check
+        run: cargo fmt --all -- --check
+
+      - name: Clippy
+        run: cargo clippy --all-targets --all-features -- -D warnings
+
+      # Runs the whole workspace, including the schema-snapshot guardrail
+      # (it picks up DATABASE_URL from the env above and the postgres
+      # service; without a DB it would skip cleanly).
+      - name: Test
+        run: cargo test --workspace
+
+  dashboard:
+    name: Dashboard — check
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: dashboard
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: dashboard/package-lock.json
+      - name: Install deps
+        run: npm ci
+      - name: Svelte check
+        run: npm run check

.gitignore

@@ -22,6 +22,9 @@ Cargo.lock.bak
 # Local config overrides
 config.local.toml
 /data
+# Files-root blob storage created when integration tests run build_app
+# from the picloud crate dir (PICLOUD_FILES_ROOT default ./data).
+/crates/picloud/data
 /postgres-data
 
 # Dashboard

CHANGELOG.md

@@ -0,0 +1,537 @@
+# PiCloud Changelog
+
+## v1.1.6 — Realtime Channels & Client Library (unreleased)
+
+The first **external realtime surface** and the first **frontend
+library**, co-shipped per the §5/§6 design-notes decisions. Browser
+clients can subscribe over SSE to per-app pub/sub topics that have been
+explicitly externalized; everything else stays internal-only. The
+`@picloud/client` TypeScript package wraps typed HTTP, SSE, auth, and
+React/Svelte hooks. Plus three v1.1.5 follow-ups.
+
+### Added — Realtime
+
+- **`topics` registry** (`migrations/0021_topics.sql`) — pub/sub topics
+  are internal-only by default; a `topics` row with
+  `external_subscribable = true` opts one into external SSE subscription.
+  `auth_mode` is `'public'` or `'token'`.
+- **Topic admin endpoints** under `/api/v1/admin/apps/{id}/topics` —
+  `POST` (register), `GET` (list), `PATCH /{name}` (flip
+  external/auth_mode — its own audited surface), `DELETE /{name}`
+  (unregister + disconnect live subscribers). Gated by the new
+  `Capability::AppTopicManage` → `app:admin` scope (no new scope; the
+  seven-scope commitment holds).
+- **SSE endpoint `GET /realtime/topics/{topic}`** — data-plane surface
+  (deliberately not under `/api/`). Resolves `Host` → app, authorizes
+  via the `RealtimeAuthority` (404 for missing/internal topics, 401 for
+  bad/absent tokens), then streams `data: {topic,message,published_at}`
+  events with a configurable heartbeat (`PICLOUD_REALTIME_HEARTBEAT_SEC`,
+  default 30). Token via `Authorization: Bearer` or `?token=`.
+- **`RealtimeBroadcaster` + `RealtimeEvent` + `RealtimeAuthority`**
+  traits (`picloud-shared`); in-process `InProcessBroadcaster`
+  (`tokio::sync::broadcast`, per-channel capacity
+  `PICLOUD_REALTIME_BROADCAST_CAPACITY` default 64, periodic empty-channel
+  GC) and the DB-backed `RealtimeAuthorityImpl` (orchestrator-core /
+  manager-core respectively). The publish path now also fans out to
+  in-process SSE subscribers, best-effort, after the durable outbox
+  fan-out commits — a broadcast failure never fails the publish.
+- **`pubsub::subscriber_token(topics, ttl)`** Rhai SDK (SDK schema
+  1.6 → 1.7) — mints an HMAC-SHA256 subscriber token (URL-safe
+  `payload.signature`) scoped to externally-subscribable topics.
+  Requires an authenticated principal + the pub/sub publish capability.
+  TTL clamped to `[10s, 24h]` (default 1h), env-overridable via
+  `PICLOUD_SUBSCRIBER_TOKEN_TTL_{MIN,MAX,DEFAULT}_SEC`. Per-app signing
+  keys persist in the new `app_secrets` table
+  (`migrations/0022_app_secrets.sql`), created lazily on first mint. No
+  per-token revocation (rotation invalidates wholesale; short TTL is the
+  safety mechanism).
+- **Dashboard Topics tab** — register/list/edit/delete topics with a
+  prominent external/internal badge, auth-mode radio (conditional on
+  external), and a confirmation when flipping a topic external.
+
+### Added — `@picloud/client` (TypeScript, v1.0.0)
+
+- New top-level package `clients/typescript/` (tsup dual ESM+CJS +
+  `.d.ts`, vitest). Typed HTTP via `endpoint<Req,Res>(path).get()/.post()`
+  with auth-token injection and structured errors; SSE `subscribe(topic,
+  cb, {token, onTokenExpired})` with exponential-backoff reconnect,
+  401 token-refresh, and `Last-Event-ID` resume; `auth.login/logout/token`
+  over dev-defined endpoints; React (`useTopic`/`useEndpoint` +
+  `PicloudProvider`) and Svelte (`topicStore`/`endpointStore`) subpath
+  exports. Optional zod/valibot runtime validation via a `{ parse }`
+  adapter (no hard dep). Hybrid model: no direct service access from the
+  browser.
+
+### Changed / Fixed — v1.1.5 follow-ups
+
+- **Empty blobs accepted** — `NewFile::validate` / `FileUpdate::validate`
+  no longer reject zero-length `data`; empty files are a valid stored
+  state (sentinels, placeholders). Non-breaking.
+- **Orphan `*.tmp.*` sweeper** — a startup tokio task
+  (`spawn_files_orphan_sweep`) walks the files root every
+  `PICLOUD_FILES_ORPHAN_SWEEP_INTERVAL_SEC` (default 6h) and unlinks temp
+  blobs older than `PICLOUD_FILES_ORPHAN_TMP_TTL_SEC` (default 1h). No DB
+  cross-check (that full reconciler is v1.3+).
+- **Dispatcher end-to-end tests** — `crates/picloud/tests/dispatcher_e2e.rs`,
+  one per trigger kind (kv/docs/cron/files/pubsub/dead_letter),
+  DATABASE_URL-gated (skip cleanly when unset).
+
+### Notes
+
+- New deps: `hmac` (token signing, picloud-shared), `tokio-stream` (SSE
+  body stream, orchestrator-core).
+- New env vars: `PICLOUD_REALTIME_HEARTBEAT_SEC`,
+  `PICLOUD_REALTIME_BROADCAST_CAPACITY`,
+  `PICLOUD_SUBSCRIBER_TOKEN_TTL_{MIN,MAX,DEFAULT}_SEC`,
+  `PICLOUD_FILES_ORPHAN_SWEEP_INTERVAL_SEC`,
+  `PICLOUD_FILES_ORPHAN_TMP_TTL_SEC`.
+
+## v1.1.5 — Files & Pub/Sub (unreleased)
+
+Two stateful services + two trigger kinds. **`files::*`** is
+filesystem-backed blob storage (atomic writes, path-sharded layout,
+single-pass SHA-256 with checksum-verified reads); the metadata row
+lives in Postgres, the bytes on disk. **`pubsub::publish_durable`** is
+durable pub/sub through the universal outbox, fanning out one delivery
+row per matching subscriber **at publish time** inside a single
+transaction. Both ride the v1.1.1 trigger framework as the fifth and
+sixth concrete kinds via the established Layout-E extension pattern.
+
+### Added
+
+- **`files::collection(name).{create,head,get,update,delete,list}`** —
+  blob storage SDK. `create`/`update` take a Rhai `Blob`; `get` returns
+  a `Blob` (or `()` if missing); `head`/`list` return metadata maps
+  (`id, name, content_type, size, checksum, created_at, updated_at`).
+  `create`/`update`/`delete` throw on failure; `get`/`head` return `()`
+  for a missing file; `delete` returns a was-present bool. Missing
+  required field on `create` throws naming the field.
+- **Atomic writes** — temp file → fsync → rename → fsync parent dir →
+  DB row, so a crash never leaves a readable half-written file. SHA-256
+  is computed in a single pass during the write; `get` re-verifies it
+  and surfaces `FilesError::Corrupted` (logged with the path, never
+  auto-deleted) on a mismatch. Shard dirs are created `0o700`.
+- **`files:*` trigger kind** — `ctx.event.files` carries the metadata
+  only (never the bytes; a handler that wants them calls
+  `files::collection(c).get(id)`). `prev` is `()` on create, the prior
+  metadata on update, the deleted metadata on delete.
+- **`pubsub::publish_durable(topic, message)`** — durable publish.
+  Message is any JSON-serializable Rhai value; Blobs encode as base64
+  (at any nesting depth). No matching subscriber → the publish succeeds
+  silently with zero outbox rows.
+- **`pubsub:*` trigger kind** — topic patterns are exact, `<prefix>.*`,
+  or `*`; mid-pattern wildcards are rejected at trigger creation.
+  `ctx.event.pubsub` carries `topic`, `message`, `published_at`.
+- **`FilesService` + `PubsubService` traits** (`picloud-shared`) +
+  `FsFilesRepo`/`FilesServiceImpl` and `PostgresPubsubRepo`/
+  `PubsubServiceImpl` (manager-core). Wired into the `Services` bundle
+  as `files` and `pubsub`.
+- **Capabilities** `AppFilesRead`/`AppFilesWrite` → `script:read`/
+  `script:write`, `AppPubsubPublish` → `script:write`. No new `Scope`
+  variant — the seven-scope commitment holds. Script-as-gate: skipped
+  when the script runs unauthenticated.
+- **Admin files API** (`GET`/`DELETE /apps/{id}/files`) + dashboard
+  Files view per app; **Pub/Sub trigger form** on the Triggers tab.
+- **CI** — first `.github/workflows/ci.yml` (Postgres service, fmt +
+  clippy + `cargo test --workspace`); the schema-snapshot guardrail now
+  runs instead of being `#[ignore]`'d.
+
+### Changed
+
+- Workspace version: 1.1.4 → 1.1.5
+- Rhai SDK version: 1.5 → 1.6
+- Dashboard version: 0.10.0 → 0.11.0
+- `schema_snapshot` test: no longer `#[ignore]`'d — runs against
+  `DATABASE_URL` when set, skips cleanly when absent.
+
+### Migrations
+
+- 0018_files.sql — `files` metadata table (bytes live on disk).
+- 0019_files_triggers.sql — widen kind/source_kind CHECKs + add
+  `files_trigger_details`.
+- 0020_pubsub_triggers.sql — widen kind/source_kind CHECKs + add
+  `pubsub_trigger_details` + partial index.
+
+### New environment variables
+
+- `PICLOUD_FILES_ROOT` (default `./data`)
+- `PICLOUD_FILES_MAX_FILE_SIZE_BYTES` (default 100 MB)
+
+## v1.1.4 — Outbound HTTP & Cron triggers (unreleased)
+
+Two surfaces. **`http::*`** lets Rhai scripts make outbound HTTP
+requests (Slack webhooks, Stripe, third-party REST) fronted by an SSRF
+deny-list applied to the *resolved IP* (DNS-rebinding defense), with
+scheme/port restrictions, request/response body caps, and a layered
+timeout. **Cron triggers** add the fourth concrete kind on the v1.1.1
+trigger framework: a scheduler task enqueues due triggers into the same
+universal outbox the dispatcher already drains.
+
+### Added
+
+- **`http::{get,post,put,patch,delete,head,post_form,request}`** — outbound
+  HTTP SDK. Body and options are separate positional args
+  (`verb(url, body, opts)`); `opts` is
+  `{headers, timeout_ms, follow_redirects, max_redirects}` (unknown keys
+  throw). Body dispatch by type: Map/Array → JSON, String → text/plain,
+  `()` → none. Response is `#{ status, headers, body, body_raw }` with
+  `body` auto-parsed when the response is `application/json`. Non-2xx
+  does NOT throw (fetch-style); network/timeout/SSRF/size errors throw
+  with an `"http: …"` prefix.
+- **SSRF deny-list** — applied to the resolved IP via a custom reqwest
+  `dns_resolver` (so it covers every redirect hop and defeats DNS
+  rebinding), plus a literal-IP check at URL-parse time. Blocks
+  loopback, RFC1918 private, link-local (incl. `169.254.169.254`),
+  carrier-grade NAT, multicast, reserved, IPv6 ULA/link-local/loopback,
+  and IPv4-mapped IPv6 (re-checked against the embedded v4 address).
+  The script-visible error carries a CIDR-category reason, never the IP.
+  `PICLOUD_HTTP_ALLOW_PRIVATE=true` disables it (dev-only; logs a startup
+  warning).
+- **`HttpService` trait** (`picloud-shared`) + `HttpServiceImpl`
+  (manager-core, reqwest-backed). Wired into the `Services` bundle as
+  `http: Arc<dyn HttpService>`.
+- **`Capability::AppHttpRequest(AppId)`** — maps to the existing
+  `script:write` scope (any outbound request can exfiltrate data, so the
+  conservative write mapping is used). No new `Scope` variant — the
+  seven-scope commitment holds. Script-as-gate: skipped when the script
+  runs unauthenticated.
+- **Cron triggers** — `POST /api/v1/admin/apps/{id}/triggers/cron`
+  (`script_id`, `schedule`, `timezone`, optional retry overrides).
+  6-field cron expressions (with seconds) validated by the `cron` crate;
+  IANA timezones validated by `chrono-tz`. A scheduler task
+  (`spawn_cron_scheduler`, poll cadence `PICLOUD_CRON_TICK_INTERVAL_MS`,
+  default 30s) enqueues due triggers into the outbox; the existing
+  dispatcher delivers them. Catch-up policy: a trigger that missed N
+  windows fires exactly **once** on the next tick, not N times.
+- **`ctx.event.cron`** — `{ schedule, timezone, scheduled_at, fired_at }`
+  for cron-trigger handlers (`ctx.event.source == "cron"`,
+  `ctx.event.op == "tick"`).
+- **Dashboard Triggers tab** — admin-gated cron trigger create form
+  (target endpoint script, schedule, timezone dropdown) + triggers list
+  showing schedule / timezone / last-fired.
+
+### Changed
+
+- **Workspace version**: `1.1.3` → `1.1.4`.
+- **Rhai SDK version**: `1.4` → `1.5` (additive — `http::*` SDK +
+  `ctx.event.cron`). The `Services` bundle constructor becomes
+  `Services::new(kv, docs, dead_letters, events, modules, http)`.
+- **Dashboard version**: `0.9.0` → `0.10.0`.
+- **`SdkCallCx`** — gains a `script_id` field (audit attribution + the
+  default outbound `User-Agent`, `picloud/<version> (script:<id>)`).
+- **Rhai pin tightened** — workspace dep `rhai = "1.19"` → `rhai = "=1.24"`
+  so future bumps of the non-semver-stable `internals` surface are
+  deliberate.
+- **Module backend errors redacted** — `PicloudModuleResolver` now
+  surfaces a stable generic (`"module backend unavailable; check server
+  logs"`) to scripts and logs the original at error level, instead of
+  leaking the backend error verbatim (see v1.1.3 follow-up).
+
+### Migrations
+
+- `0017_cron_triggers.sql` — widens `triggers.kind` and
+  `outbox.source_kind` CHECK constraints to include `'cron'`; adds
+  `cron_trigger_details (trigger_id, schedule, timezone, last_fired_at)`
+  with a `last_fired_at` index. Additive — applies cleanly on a fresh DB
+  and on top of the v1.1.3 schema.
+
+### New environment variables
+
+- `PICLOUD_HTTP_ALLOW_PRIVATE` (default false; dev-only) — disable the
+  SSRF deny-list.
+- `PICLOUD_HTTP_MAX_REQUEST_BODY_BYTES` / `PICLOUD_HTTP_MAX_RESPONSE_BODY_BYTES`
+  (default 10 MB each).
+- `PICLOUD_CRON_TICK_INTERVAL_MS` (default 30000) — cron scheduler poll
+  cadence (floored at 1s).
+
+## v1.1.3 — Modules (unreleased)
+
+Real per-app Rhai module system. Scripts can `import "<name>" as
+<alias>;` other scripts in the same app as reusable libraries. The
+v1.0 placeholder `DummyModuleResolver` is replaced by a per-call
+`PicloudModuleResolver` that loads `kind = 'module'` scripts via a
+new `ModuleSource` trait, compiles them into Rhai modules, caches
+the compiled output, and enforces cross-app isolation, circular-
+import detection, and an import-depth limit. Two LRU AST caches
+(top-level script + per-module compiled module) eliminate the
+per-invocation compile cost; both invalidate on `updated_at` change.
+
+### Added
+
+- **`scripts.kind` column** — `'endpoint' | 'module'`, default
+  `'endpoint'`. Endpoints handle HTTP routes / trigger events;
+  modules are libraries imported by other scripts. The dashboard
+  scripts list + script detail page surface the distinction as a
+  colored badge.
+- **`script_imports` dep-graph table** — populated at script save-
+  time from the literal-path `import "<name>"` declarations in the
+  source. FK-CASCADE on both columns. No admin surface in v1.1.3
+  (drives a v1.2+ "Used by" dashboard panel and v1.3+ cluster-mode
+  eager invalidation).
+- **`ModuleSource` trait** — `lookup(&SdkCallCx, name)`. Postgres
+  impl `PostgresModuleSource` in manager-core. `app_id` derived from
+  `cx.app_id` (cross-app isolation boundary, mirrors KV / docs).
+- **`PicloudModuleResolver`** — implements `rhai::ModuleResolver`.
+  Per-call instance owns `Arc<SdkCallCx>`, the in-progress imports
+  stack, the depth counter. Bridges sync `resolve()` to async
+  `lookup()` via `Handle::block_on` (safe under the executor's
+  `spawn_blocking` wrap). Replaces `DummyModuleResolver` at line 139
+  of `executor-core::engine::build_engine`.
+- **Module-shape validation** — `kind = 'module'` source must contain
+  only `fn` declarations, `const` declarations, and `import`
+  statements at top level (no executable expressions). Walks
+  `ast.statements()` via `rhai/internals`. Admin endpoint is the
+  primary gate; the resolver re-runs the check at load time for
+  defense in depth against DB-direct inserts.
+- **Per-module compiled-Module cache** — `LruCache<(AppId, name),
+  (updated_at, Arc<rhai::Module>)>` owned by `Engine`. Invalidated
+  lazily on `updated_at` mismatch. Size via
+  `PICLOUD_MODULE_CACHE_SIZE` (default 512).
+- **Top-level script AST cache** — `LruCache<ScriptId, (updated_at,
+  Arc<rhai::AST>)>` owned by `LocalExecutorClient`. Same staleness
+  semantics. Size via `PICLOUD_SCRIPT_CACHE_SIZE` (default 256).
+- **`ScriptIdentity` + `ExecutorClient::execute_with_identity`** —
+  new method on the trait; default impl forwards to `execute` so
+  `RemoteExecutorClient` (and future transports) keep working.
+  `LocalExecutorClient` overrides it to consult the script cache and
+  pass the resulting `Arc<rhai::AST>` to `Engine::execute_ast`.
+- **`Engine::execute_ast`** — companion to `execute` that takes a
+  pre-compiled AST so callers (the orchestrator) can reuse one
+  compile across many invocations.
+- **Import depth limit** — `Limits::module_import_depth_max`
+  (default 8). Not script-overridable.
+- **Reserved module names** — module-kind scripts cannot be named
+  `log`, `regex`, `random`, `time`, `json`, `base64`, `hex`, `url`,
+  `kv`, `docs`, `dead_letters`, `http`, `files`, `pubsub`, `secrets`,
+  `email`, `users`, `queue`. Defense against author confusion with
+  stdlib namespaces.
+
+### Changed
+
+- **Workspace version**: `1.1.2` → `1.1.3`.
+- **Rhai SDK version**: `1.3` → `1.4` (additive — every v1.3 script
+  still runs unchanged; new surface: `import "<name>" as <alias>;`
+  for endpoint scripts that consume modules in the same app).
+- **Dashboard version**: `0.8.0` → `0.9.0`. Adds kind dropdown on
+  script create + kind badges on the scripts list and detail page.
+- **`Services` bundle** — grows a `modules: Arc<dyn ModuleSource>`
+  field. Constructor signature becomes
+  `Services::new(kv, docs, dead_letters, events, modules)`.
+- **`ScriptValidator` trait** — `validate` now returns
+  `ValidatedScript { imports: Vec<String> }` so the repo can write
+  dep-graph edges in the same transaction as the script row. New
+  `validate_module` method enforces module-shape rules.
+- **Trigger creation tightening** — `POST /api/v1/admin/apps/{id}/triggers/{kv,docs,dead_letter}`
+  now load the target script and reject when (1) it doesn't exist,
+  (2) it belongs to a different app (latent v1.1.1/v1.1.2 gap —
+  closed in v1.1.3), or (3) it is `kind = 'module'`.
+- **Route creation** — `POST /api/v1/admin/scripts/{id}/routes`
+  returns 400 when the target script is `kind = 'module'`.
+
+### Security fix
+
+- **Cross-app trigger target (CVE-class: broken access control).** In
+  v1.1.1 and v1.1.2, `POST /api/v1/admin/apps/{id}/triggers/{kv,docs,dead_letter}`
+  validated only that the caller could manage triggers on `{id}` — it
+  did **not** verify that the target `script_id` belonged to that same
+  app. A member with trigger-management rights on app A could therefore
+  register a trigger in A pointing at a script owned by app B, causing
+  B's script to execute on A's events (a cross-app isolation break).
+  v1.1.3 closes this: every trigger-create handler now loads the target
+  script and rejects it unless `script.app_id == path app_id` (and it is
+  not a module). **Upgrade recommendation:** anyone running a pre-v1.1.3
+  multi-tenant deploy should upgrade and audit existing `triggers` rows
+  for any whose `script_id` resolves to a script in a different `app_id`.
+
+### Migrations
+
+- `0015_scripts_kind.sql` — adds `scripts.kind` with CHECK
+  `IN ('endpoint','module')`, composite index `(app_id, kind)`, and
+  a module-name shape CHECK (`^[a-zA-Z_][a-zA-Z0-9_]{0,63}$`).
+- `0016_script_imports.sql` — adds the dep-graph table with FK
+  CASCADE on both columns, PK `(importer, imported)`, and a
+  reverse-edge index on `imported_script_id`.
+
+### Downgrade caveats
+
+Rolling back v1.1.3 → v1.1.2 with module-kind scripts present
+strands them (no `kind` column means everything looks like an
+endpoint; modules will then succeed as route targets and immediately
+fail to execute meaningfully). Migration `0016_script_imports.sql`
+is safe to drop (the table is auxiliary). `0015_scripts_kind.sql`
+must be reversed by `DROP COLUMN kind` only after manually re-homing
+or deleting module-kind rows.
+
+## v1.1.2 — Documents (unreleased)
+
+`docs::*` SDK — schemaless JSONB document storage with a first-cut
+query DSL — plus `docs:*` triggers as the second concrete kind on the
+v1.1.1 triggers framework. Sets the precedent for the v1.2 query DSL
+expansion and `dead_letters::list`.
+
+### Added
+
+- **Docs store** — `docs` table keyed `(app_id, collection, id)` with
+  JSONB values and a GIN-on-`jsonb_path_ops` index. Rhai SDK exposes
+  the handle pattern:
+  `docs::collection(name).{create,get,find,find_one,update,delete,list}`.
+  Cursor-style pagination on `list`. Cross-app isolation enforced via
+  `cx.app_id` (never script-passed). Document envelope shape returned
+  by reads: `#{ id, data: #{...}, created_at, updated_at }` — explicit
+  metadata + user-data separation (sets precedent for v1.2
+  `dead_letters::list`).
+- **Query DSL (v1.1.2 subset)** — implicit equality at top level
+  (`#{ tier: "gold" }`), operator-object form
+  (`#{ created_at: #{ "$gt": "..." } }`), dotted field paths up to 5
+  levels (`"user.email"`), and operators `$eq`/`$ne`/`$gt`/`$gte`/
+  `$lt`/`$lte`/`$in`. Filter modifiers `$sort` (single field) and
+  `$limit`. Unsupported operators (`$or`, `$regex`, etc.) reject with
+  a clear v1.2-pointer error.
+- **Docs triggers (`docs:*`)** — `docs_trigger_details` table mirrors
+  `kv_trigger_details`. Admin endpoint
+  `POST /api/v1/admin/apps/{id}/triggers/docs` accepts the same DTO
+  shape as the KV endpoint with `ops` of `DocsEventOp` (create /
+  update / delete). Dispatcher routes `OutboxSourceKind::Docs` through
+  the same generic path as KV + dead-letter.
+- **`ctx.event.docs.prev_data`** — change-data-capture surface for
+  docs trigger handlers. `prev_data` carries the document state prior
+  to the mutation (`None` for create), letting handlers see what
+  changed. The repo reads the old row in the same SQL statement as
+  the write so the trigger event has the prior value.
+- **`Capability::AppDocsRead(AppId)`** + `AppDocsWrite(AppId)` —
+  granted to Viewer / Editor respectively in the per-app role table.
+  Same trust shape as KV's `AppKvRead` / `AppKvWrite`.
+
+### Changed
+
+- **Workspace version**: `1.1.1` → `1.1.2`.
+- **Rhai SDK version**: `1.2` → `1.3` (additive — every v1.2 script
+  still runs unchanged; new surfaces: `docs::collection(name).{...}`,
+  `ctx.event.docs` for triggered handlers).
+- **Dashboard version**: `0.7.0` → `0.8.0`. Workspace alignment; no
+  docs-specific UI in v1.1.2 (the dashboard's Rhai-mode hints don't
+  list KV completions either — focused UX pass is a separate task).
+- **`Services` bundle** — grows a `docs: Arc<dyn DocsService>` field.
+  Constructor signature becomes
+  `Services::new(kv, docs, dead_letters, events)`.
+- **Scope mapping**: API keys with `script:read` scope can call
+  `docs::find` / `get` / `list`; `script:write` can call
+  `docs::create` / `update` / `delete`. Same trust shape as KV —
+  honors the seven-scope commitment from v1.1.0.
+
+### Migrations
+
+- `0013_docs.sql` — `docs` table + per-`(app_id, collection)` index +
+  GIN-on-`jsonb_path_ops` index.
+- `0014_docs_triggers.sql` — extends `triggers.kind` and
+  `outbox.source_kind` CHECK constraints to include `'docs'`; adds
+  `docs_trigger_details` table.
+
+### Downgrade caveats
+
+Rolling a deployment back from v1.1.2 → v1.1.1 with `docs`-source
+outbox rows still queued will cause the v1.1.1 dispatcher to fail
+deserialising `TriggerEvent::Docs` (`#[serde(tag = "source")]`
+rejects unknown variants). Drain or delete
+`outbox WHERE source_kind = 'docs'` before downgrading. Trunk-only
+deployments don't hit this.
+
+### Known limitations
+
+- Text-lex comparison for `$gt` / `$gte` / `$lt` / `$lte` is
+  incorrect for unpadded numbers crossing digit-count boundaries
+  (`'10' < '9'` is TRUE under any text collation). Workaround:
+  zero-pad numeric strings. v1.2's advanced query expansion adds
+  numeric-aware operators.
+- Concurrent `update()`s on the same doc may both emit the
+  pre-update `prev_data` (last-writer-wins). Inherited from KV's
+  `set` pattern; documented for forensic-trace use cases.
+- v1.1.2 has no partial-update DSL — scripts that want partial
+  update do `get + modify + update`. Planned for v1.2.
+
+## v1.1.1 — Storage & Events (unreleased)
+
+The triggers framework — KV store + universal outbox + dispatcher +
+NATS-style sync HTTP + per-route async dispatch + dead-letter
+handling + dashboard surface. Every subsequent v1.1.x service module
+(docs, files, pubsub, …) hangs off the dispatcher built here.
+
+### Added
+
+- **KV store** — `kv_entries` table keyed `(app_id, collection, key)`
+  with JSONB values. Rhai SDK exposes the handle pattern:
+  `kv::collection(name).{get,set,has,delete,list}`. Cursor-style
+  pagination with opaque base64 cursors. Cross-app isolation
+  enforced via `cx.app_id` (never script-passed).
+- **Triggers framework (Layout E)** — parent `triggers` table +
+  per-kind detail tables (`kv_trigger_details`,
+  `dead_letter_trigger_details`). Trigger CRUD admin endpoints
+  (`/api/v1/admin/apps/{id}/triggers/{kv,dead_letter}`) +
+  `Capability::AppManageTriggers(AppId)`.
+- **Universal outbox + dispatcher** — single tokio task that polls
+  the outbox via `FOR UPDATE SKIP LOCKED`, routes due rows to the
+  executor through the shared `ExecutionGate`. Retry with
+  exponential backoff + ±jitter; on exhaustion, dead-letter.
+- **NATS-style sync HTTP via outbox** — `InboxRegistry` (in-process
+  oneshot map) lets the orchestrator await dispatcher delivery on
+  every sync HTTP request. Cluster mode (v1.3+) swaps this for
+  `LISTEN/NOTIFY` behind the same `InboxResolver` trait.
+- **`dispatch_mode: async` on routes** — `POST` to a route with
+  `dispatch_mode = 'async'` returns `202 Accepted` immediately;
+  the script runs via the dispatcher (with retries / dead-letter).
+- **Dead-letter handling** — separate `dead_letters` table per
+  design notes §4. `dead_letters::{replay,resolve}` Rhai SDK +
+  admin endpoints + `Capability::AppDeadLetterManage(AppId)`.
+  Recursion-stop rule: dead-letter handler failures annotate the
+  original row as `resolution = 'handler_failed'` and never produce
+  a new dead-letter or retry.
+- **Dashboard surface for dead letters** — unresolved-count red
+  badge on the apps list + per-app page; per-app dead-letters list
+  view at `/admin/apps/{slug}/dead-letters` with Replay + Mark
+  resolved per-row actions and expandable payload detail.
+- **`abandoned_executions` table** — forensic row written by the
+  dispatcher when it tries to resolve an inbox the orchestrator
+  already abandoned (timed out). Counter metric path reserved.
+- **Trigger-depth limit** — `cx.trigger_depth > max_trigger_depth`
+  (default 8) skips execution + logs; does NOT dead-letter
+  (depth-exceeded means "you built a loop").
+- **GC sweepers** — weekly retention sweeps for `dead_letters`
+  (30 days) and `abandoned_executions` (7 days), both with
+  `FOR UPDATE SKIP LOCKED` for cluster-mode safety.
+- **Env-overridable trigger config** — `TriggerConfig::from_env`
+  reads `PICLOUD_MAX_TRIGGER_DEPTH`, `PICLOUD_TRIGGER_RETRY_*`,
+  `PICLOUD_DEAD_LETTER_RETENTION_DAYS`,
+  `PICLOUD_ABANDONED_EXECUTIONS_RETENTION_DAYS`.
+
+### Changed
+
+- **Workspace version**: `1.1.0` → `1.1.1`.
+- **Rhai SDK version**: `1.1` → `1.2` (additive — every v1.1 script
+  still runs unchanged; new surfaces: `kv::*`, `dead_letters::*`,
+  `ctx.event` for triggered handlers).
+- **Dashboard version**: `0.6.0` → `0.7.0` for the dead-letters UI.
+- **`Services` bundle** — replaces v1.1.0's no-arg `Services::new()`
+  with explicit `Services::new(kv, dead_letters, events)`. Tests
+  use `Services::default()` for an all-noop bundle.
+- **`SdkCallCx`** grows `is_dead_letter_handler: bool` and
+  `event: Option<TriggerEvent>` fields.
+- **`ExecRequest`** mirrors the new `SdkCallCx` fields and grows
+  `event` for serializable trigger payload transport.
+- **Routes table** grows `dispatch_mode TEXT NOT NULL DEFAULT 'sync'`
+  (CHECK in {sync, async}).
+- **Schema version**: 6 → 12 (migrations 0007 through 0012).
+
+### Migrations
+
+- `0007_kv.sql` — `kv_entries` table + index
+- `0008_triggers.sql` — `triggers` + `kv_trigger_details` +
+  `dead_letter_trigger_details`
+- `0009_outbox.sql` — universal `outbox` table + due-row partial index
+- `0010_dead_letters.sql` — `dead_letters` table + unresolved partial
+  index + GC index
+- `0011_abandoned_executions.sql` — forensic table + GC index
+- `0012_routes_dispatch_mode.sql` — `routes.dispatch_mode` column
+
+## v1.1.0 — Foundation & Standard Library
+
+See `docs/v1.1.x-design-notes.md` §7 for the full v1.1.x roadmap.

CLAUDE.md

@@ -8,7 +8,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 Authoritative design: [serverless_cloud_blueprint.md](serverless_cloud_blueprint.md). The blueprint is a living document — when architecture decisions are made in conversation that contradict it, treat the latest decision as truth and update the blueprint.
 
-**Current focus (Phase 4, v1.1):** data-plane SDKs — KV store, then document store, then HTTP client, then cron triggers. See blueprint §12. Phase 3 (admin auth + multi-app scoping) shipped; every v1.1+ table starts with `app_id UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE` and every Rhai SDK call resolves its app from the execution context.
+**Current focus (Phase 4, v1.1.0):** SDK foundation + stdlib utilities — the shape every v1.1.x service module hangs off, see [docs/sdk-shape.md](docs/sdk-shape.md). Stdlib reference at [docs/stdlib-reference.md](docs/stdlib-reference.md). Subsequent v1.1.x releases (KV in v1.1.1, docs in v1.1.2, …) fill it in; see blueprint §12 for the full table. Phase 3 shipped end-to-end: admin auth, multi-app scoping, and Phase 3.5 capability gating (`manager-core::authz::{can, require, Capability}` + migration `0006_users_authz.sql`). Every v1.1+ table starts with `app_id UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE` and every Rhai SDK call resolves its app from the execution context.
 
 ## Three-Service Architecture
 
@@ -48,7 +48,7 @@ Caddy fronts everything. Same Caddyfile shape works for single-node and cluster
 - **Rust 1.92+** workspace, pinned via `rust-toolchain.toml`
 - **Axum** for HTTP, **Tokio** async, **sqlx** for Postgres
 - **Rhai** embedded scripting (in `executor-core`)
-- **PostgreSQL 15+** with `pgcrypto` and (v1.1+) `hstore`
+- **PostgreSQL 15+** with `pgcrypto`. v1.1+ data-plane tables use JSONB for value columns (hstore was considered for KV and rejected — see blueprint §8.1).
 - **SvelteKit** dashboard, static adapter, CodeMirror 6 for the script editor
 - **Caddy 2** reverse proxy (auto-HTTPS in prod)
 - **Docker Compose** for dev and single-node prod
@@ -100,12 +100,27 @@ docs/
 
 ## Working Rules
 
-- **Honor the three-service boundary.** Don't reach across `*-core` crates. If `orchestrator-core` needs something from `manager-core`, define a trait in `shared` and inject the impl.
+- **Honor the three-service boundary.** Don't reach across `*-core` crates *for behavior*. If `orchestrator-core` needs to invoke logic from `manager-core`, define a trait in `shared` and inject the impl — keep implementations decoupled. **Transport DTOs are not behavior**: types like `ExecRequest` / `ExecResponse` / `ExecError` represent values produced or consumed across the wire, and depending on the originating crate's type definitions is fine. The bright line is "don't call across crates," not "don't import types." When in doubt: if the imported item is a `struct`/`enum`/`type alias` with no methods (or only data-shape methods), it's a DTO and crossing is fine; if it's a trait, function, or service, define the abstraction in `shared` and inject.
 - **`executor-core` has no Postgres dependency.** Data-plane services (kv, docs, users — v1.1+) come in via injected `ServiceProvider` traits.
 - **Database writes only from `manager-core`.** `orchestrator-core` reads scripts (cached); `executor-core` doesn't touch the DB.
+- **Stateful SDK services use the handle pattern + `SdkCallCx`.** Collection-scoped surfaces look like `kv::collection("x").get(k)`, not `kv::get("x", k)`. Every service trait method takes `&SdkCallCx` and **MUST** derive `app_id` from `cx.app_id` — never trust a script-passed `app_id`. That is the cross-app isolation boundary. See [docs/sdk-shape.md](docs/sdk-shape.md).
 - **MVP builds only the `picloud` all-in-one binary.** The three split binaries exist as skeletons so the crate boundaries stay honest; flesh them out only when cluster mode is being implemented.
 - **Trunk-based dev.** See [docs/git-workflow.md](docs/git-workflow.md). No long-lived branches. Feature flags for incomplete work.
 
+## Runtime configuration
+
+Environment variables consumed by the `picloud` binary:
+
+| Variable | Default | Purpose |
+|---|---|---|
+| `PICLOUD_BIND` | `0.0.0.0:8080` | HTTP listen address. Port 8080 is owned by another process on this host — override locally. |
+| `PICLOUD_MAX_CONCURRENT_EXECUTIONS` | `32` | Global concurrency cap on data-plane script executions. Overflow returns HTTP 503 with `Retry-After: 1` immediately (no queue). |
+| `DATABASE_URL` | — | Required. Postgres connection string. |
+| `PICLOUD_SESSION_TTL_HOURS` | `24` | Sliding-window session lifetime. |
+| `PICLOUD_SANDBOX_MAX_*` | conservative defaults | Per-knob admin ceilings on Rhai sandbox overrides. See `manager-core::sandbox::SandboxCeiling`. |
+| `PICLOUD_FILES_ROOT` | `./data` | Filesystem root for `files::*` blob storage (v1.1.5). Bytes live at `<root>/files/<app_id>/<collection>/<id[0:2]>/<id>`; metadata in Postgres. |
+| `PICLOUD_FILES_MAX_FILE_SIZE_BYTES` | `104857600` (100 MB) | Per-file hard size cap for `files::*` (v1.1.5). Per-app quotas deferred to v1.2. |
+
 ## Out of MVP
 
 Queue triggers, cron triggers, SMTP ingress, KV / docs / email / users / HTTP SDKs in scripts, interceptors, workflows, function-to-function `invoke()`, secrets, metrics dashboard. All deferred to v1.1+ per the blueprint. Don't pre-build for them — but don't make decisions that close the door on them either.

Cargo.lock

@@ -40,6 +40,56 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "anstream"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d"
+dependencies = [
+ "anstyle",
+ "anstyle-parse",
+ "anstyle-query",
+ "anstyle-wincon",
+ "colorchoice",
+ "is_terminal_polyfill",
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle"
+version = "1.0.14"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"
+
+[[package]]
+name = "anstyle-parse"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e"
+dependencies = [
+ "utf8parse",
+]
+
+[[package]]
+name = "anstyle-query"
+version = "1.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
+dependencies = [
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "anstyle-wincon"
+version = "3.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
+dependencies = [
+ "anstyle",
+ "once_cell_polyfill",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "anyhow"
 version = "1.0.102"
@@ -68,6 +118,21 @@ dependencies = [
  "serde_json",
 ]
 
+[[package]]
+name = "assert_cmd"
+version = "2.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2aa3a22042e45de04255c7bf3626e239f450200fd0493c1e382263544b20aea6"
+dependencies = [
+ "anstyle",
+ "bstr",
+ "libc",
+ "predicates",
+ "predicates-core",
+ "predicates-tree",
+ "wait-timeout",
+]
+
 [[package]]
 name = "async-trait"
 version = "0.1.89"
@@ -236,6 +301,17 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "bstr"
+version = "1.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "63044e1ae8e69f3b5a92c736ca6269b8d12fa7efe39bf34ddb06d102cf0e2cab"
+dependencies = [
+ "memchr",
+ "regex-automata",
+ "serde",
+]
+
 [[package]]
 name = "bumpalo"
 version = "3.20.3"
@@ -302,6 +378,74 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "chrono-tz"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "93698b29de5e97ad0ae26447b344c482a7284c737d9ddc5f9e52b74a336671bb"
+dependencies = [
+ "chrono",
+ "chrono-tz-build",
+ "phf",
+]
+
+[[package]]
+name = "chrono-tz-build"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0c088aee841df9c3041febbb73934cfc39708749bf96dc827e3359cd39ef11b1"
+dependencies = [
+ "parse-zoneinfo",
+ "phf",
+ "phf_codegen",
+]
+
+[[package]]
+name = "clap"
+version = "4.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1ddb117e43bbf7dacf0a4190fef4d345b9bad68dfc649cb349e7d17d28428e51"
+dependencies = [
+ "clap_builder",
+ "clap_derive",
+]
+
+[[package]]
+name = "clap_builder"
+version = "4.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
+dependencies = [
+ "anstream",
+ "anstyle",
+ "clap_lex",
+ "strsim",
+]
+
+[[package]]
+name = "clap_derive"
+version = "4.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f2ce8604710f6733aa641a2b3731eaa1e8b3d9973d5e3565da11800813f997a9"
+dependencies = [
+ "heck",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
+name = "clap_lex"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
+
+[[package]]
+name = "colorchoice"
+version = "1.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
+
 [[package]]
 name = "concurrent-queue"
 version = "2.5.0"
@@ -377,6 +521,17 @@ version = "2.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "217698eaf96b4a3f0bc4f3662aaa55bdf913cd54d7204591faa790070c6d0853"
 
+[[package]]
+name = "cron"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6f8c3e73077b4b4a6ab1ea5047c37c57aee77657bc8ecd6f29b0af082d0b0c07"
+dependencies = [
+ "chrono",
+ "nom",
+ "once_cell",
+]
+
 [[package]]
 name = "crossbeam-queue"
 version = "0.3.12"
@@ -440,6 +595,12 @@ version = "0.1.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "56254986775e3233ffa9c4d7d3faaf6d36a2c09d30b20687e9f88bc8bafc16c8"
 
+[[package]]
+name = "difflib"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6184e33543162437515c2e2b48714794e37845ec9851711914eec9d308f6ebe8"
+
 [[package]]
 name = "digest"
 version = "0.10.7"
@@ -452,6 +613,27 @@ dependencies = [
  "subtle",
 ]
 
+[[package]]
+name = "directories"
+version = "5.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9a49173b84e034382284f27f1af4dcbbd231ffa358c0fe316541a7337f376a35"
+dependencies = [
+ "dirs-sys",
+]
+
+[[package]]
+name = "dirs-sys"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "520f05a5cbd335fae5a99ff7a6ab8627577660ee5cfd6a94a6a929b52ff0321c"
+dependencies = [
+ "libc",
+ "option-ext",
+ "redox_users",
+ "windows-sys 0.48.0",
+]
+
 [[package]]
 name = "displaydoc"
 version = "0.2.5"
@@ -516,6 +698,12 @@ dependencies = [
  "pin-project-lite",
 ]
 
+[[package]]
+name = "fastrand"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
+
 [[package]]
 name = "figment"
 version = "0.10.19"
@@ -536,6 +724,15 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
 
+[[package]]
+name = "float-cmp"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b09cf3155332e944990140d967ff5eceb70df778b34f77d8075db46e4704e6d8"
+dependencies = [
+ "num-traits",
+]
+
 [[package]]
 name = "flume"
 version = "0.11.1"
@@ -1010,6 +1207,12 @@ version = "2.12.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d98f6fed1fde3f8c21bc40a1abb88dd75e67924f9cffc3ef95607bad8017f8e2"
 
+[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
+
 [[package]]
 name = "itoa"
 version = "1.0.18"
@@ -1077,6 +1280,12 @@ dependencies = [
  "vcpkg",
 ]
 
+[[package]]
+name = "linux-raw-sys"
+version = "0.12.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
+
 [[package]]
 name = "litemap"
 version = "0.8.2"
@@ -1098,6 +1307,15 @@ version = "0.4.29"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897"
 
+[[package]]
+name = "lru"
+version = "0.12.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "234cf4f4a04dc1f57e24b96cc0cd600cf2af460d4161ac5ecdd0af8e1f3b2a38"
+dependencies = [
+ "hashbrown 0.15.5",
+]
+
 [[package]]
 name = "lru-slab"
 version = "0.1.2"
@@ -1141,6 +1359,12 @@ version = "0.3.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6877bb514081ee2a7ff5ef9de3281f14a4dd4bceac4c09388074a6b5df8a139a"
 
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
 [[package]]
 name = "mio"
 version = "1.2.0"
@@ -1161,6 +1385,22 @@ dependencies = [
  "spin 0.5.2",
 ]
 
+[[package]]
+name = "nom"
+version = "7.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
+[[package]]
+name = "normalize-line-endings"
+version = "0.3.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "61807f77802ff30975e01f4f071c8ba10c022052f98b3294119f3e615d13e5be"
+
 [[package]]
 name = "nu-ansi-term"
 version = "0.50.3"
@@ -1231,6 +1471,18 @@ dependencies = [
  "portable-atomic",
 ]
 
+[[package]]
+name = "once_cell_polyfill"
+version = "1.70.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
+
+[[package]]
+name = "option-ext"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
+
 [[package]]
 name = "parking"
 version = "2.2.1"
@@ -1260,6 +1512,15 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "parse-zoneinfo"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1f2a05b18d44e2957b88f96ba460715e295bc1d7510468a2f3d3b44535d26c24"
+dependencies = [
+ "regex",
+]
+
 [[package]]
 name = "password-hash"
 version = "0.5.0"
@@ -1309,9 +1570,47 @@ version = "2.3.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
 
+[[package]]
+name = "phf"
+version = "0.11.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1fd6780a80ae0c52cc120a26a1a42c1ae51b247a253e4e06113d23d2c2edd078"
+dependencies = [
+ "phf_shared",
+]
+
+[[package]]
+name = "phf_codegen"
+version = "0.11.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aef8048c789fa5e851558d709946d6d79a8ff88c0440c587967f8e94bfb1216a"
+dependencies = [
+ "phf_generator",
+ "phf_shared",
+]
+
+[[package]]
+name = "phf_generator"
+version = "0.11.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3c80231409c20246a13fddb31776fb942c38553c51e871f8cbd687a4cfb5843d"
+dependencies = [
+ "phf_shared",
+ "rand 0.8.6",
+]
+
+[[package]]
+name = "phf_shared"
+version = "0.11.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "67eabc2ef2a60eb7faa00097bd1ffdb5bd28e62bf39990626a582201b7a754e5"
+dependencies = [
+ "siphasher",
+]
+
 [[package]]
 name = "picloud"
-version = "0.6.0"
+version = "1.1.6"
 dependencies = [
  "anyhow",
  "async-trait",
@@ -1335,9 +1634,30 @@ dependencies = [
  "uuid",
 ]
 
+[[package]]
+name = "picloud-cli"
+version = "1.1.6"
+dependencies = [
+ "anyhow",
+ "assert_cmd",
+ "chrono",
+ "clap",
+ "directories",
+ "libc",
+ "picloud-shared",
+ "predicates",
+ "reqwest",
+ "rpassword",
+ "serde",
+ "serde_json",
+ "tempfile",
+ "tokio",
+ "toml",
+]
+
 [[package]]
 name = "picloud-executor"
-version = "0.6.0"
+version = "1.1.6"
 dependencies = [
  "anyhow",
  "picloud-executor-core",
@@ -1349,21 +1669,31 @@ dependencies = [
 
 [[package]]
 name = "picloud-executor-core"
-version = "0.6.0"
+version = "1.1.6"
 dependencies = [
+ "async-trait",
+ "base64",
  "chrono",
+ "hex",
+ "lru",
+ "percent-encoding",
  "picloud-shared",
+ "rand 0.8.6",
+ "regex",
  "rhai",
  "serde",
  "serde_json",
  "thiserror 1.0.69",
+ "tokio",
  "tracing",
+ "tracing-subscriber",
+ "url",
  "uuid",
 ]
 
 [[package]]
 name = "picloud-manager"
-version = "0.6.0"
+version = "1.1.6"
 dependencies = [
  "anyhow",
  "picloud-manager-core",
@@ -1375,17 +1705,21 @@ dependencies = [
 
 [[package]]
 name = "picloud-manager-core"
-version = "0.6.0"
+version = "1.1.6"
 dependencies = [
  "argon2",
  "async-trait",
  "axum",
  "base64",
  "chrono",
+ "chrono-tz",
+ "cron",
  "data-encoding",
+ "picloud-executor-core",
  "picloud-orchestrator-core",
  "picloud-shared",
  "rand 0.8.6",
+ "reqwest",
  "serde",
  "serde_json",
  "sha2",
@@ -1399,7 +1733,7 @@ dependencies = [
 
 [[package]]
 name = "picloud-orchestrator"
-version = "0.6.0"
+version = "1.1.6"
 dependencies = [
  "anyhow",
  "picloud-orchestrator-core",
@@ -1411,18 +1745,22 @@ dependencies = [
 
 [[package]]
 name = "picloud-orchestrator-core"
-version = "0.6.0"
+version = "1.1.6"
 dependencies = [
  "async-trait",
  "axum",
  "chrono",
+ "lru",
  "picloud-executor-core",
  "picloud-shared",
  "reqwest",
+ "rhai",
  "serde",
  "serde_json",
  "thiserror 1.0.69",
  "tokio",
+ "tokio-stream",
+ "tower",
  "tracing",
  "urlencoding",
  "uuid",
@@ -1430,13 +1768,17 @@ dependencies = [
 
 [[package]]
 name = "picloud-shared"
-version = "0.6.0"
+version = "1.1.6"
 dependencies = [
  "async-trait",
+ "base64",
  "chrono",
+ "hmac",
  "serde",
  "serde_json",
+ "sha2",
  "thiserror 1.0.69",
+ "tokio",
  "uuid",
 ]
 
@@ -1509,6 +1851,36 @@ dependencies = [
  "zerocopy",
 ]
 
+[[package]]
+name = "predicates"
+version = "3.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ada8f2932f28a27ee7b70dd6c1c39ea0675c55a36879ab92f3a715eaa1e63cfe"
+dependencies = [
+ "anstyle",
+ "difflib",
+ "float-cmp",
+ "normalize-line-endings",
+ "predicates-core",
+ "regex",
+]
+
+[[package]]
+name = "predicates-core"
+version = "1.0.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cad38746f3166b4031b1a0d39ad9f954dd291e7854fcc0eed52ee41a0b50d144"
+
+[[package]]
+name = "predicates-tree"
+version = "1.0.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d0de1b847b39c8131db0467e9df1ff60e6d0562ab8e9a16e568ad0fdb372e2f2"
+dependencies = [
+ "predicates-core",
+ "termtree",
+]
+
 [[package]]
 name = "pretty_assertions"
 version = "1.4.1"
@@ -1704,6 +2076,29 @@ dependencies = [
  "bitflags",
 ]
 
+[[package]]
+name = "redox_users"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43"
+dependencies = [
+ "getrandom 0.2.17",
+ "libredox",
+ "thiserror 1.0.69",
+]
+
+[[package]]
+name = "regex"
+version = "1.12.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
+dependencies = [
+ "aho-corasick",
+ "memchr",
+ "regex-automata",
+ "regex-syntax",
+]
+
 [[package]]
 name = "regex-automata"
 version = "0.4.14"
@@ -1729,7 +2124,9 @@ checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
 dependencies = [
  "base64",
  "bytes",
+ "futures-channel",
  "futures-core",
+ "futures-util",
  "http",
  "http-body",
  "http-body-util",
@@ -1812,6 +2209,17 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "rpassword"
+version = "7.5.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "835a57a69104632d64deb0df2e09a69945cd7a6eab4070fc9b1d7e50cf6c3edc"
+dependencies = [
+ "libc",
+ "rtoolbox",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "rsa"
 version = "0.9.10"
@@ -1832,6 +2240,16 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "rtoolbox"
+version = "0.0.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "50a0e551c1e27e1731aba276dbeaeac73f53c7cd34d1bda485d02bd1e0f36844"
+dependencies = [
+ "libc",
+ "windows-sys 0.59.0",
+]
+
 [[package]]
 name = "rust-multipart-rfc7578_2"
 version = "0.8.0"
@@ -1853,6 +2271,19 @@ version = "2.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "94300abf3f1ae2e2b8ffb7b58043de3d399c73fa6f4b73826402a5c457614dbe"
 
+[[package]]
+name = "rustix"
+version = "1.1.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
+dependencies = [
+ "bitflags",
+ "errno",
+ "libc",
+ "linux-raw-sys",
+ "windows-sys 0.61.2",
+]
+
 [[package]]
 name = "rustls"
 version = "0.23.40"
@@ -2044,6 +2475,12 @@ dependencies = [
  "rand_core 0.6.4",
 ]
 
+[[package]]
+name = "siphasher"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ee5873ec9cce0195efcb7a4e9507a04cd49aec9c83d0389df45b1ef7ba2e649"
+
 [[package]]
 name = "slab"
 version = "0.4.12"
@@ -2327,6 +2764,12 @@ dependencies = [
  "unicode-properties",
 ]
 
+[[package]]
+name = "strsim"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
+
 [[package]]
 name = "subtle"
 version = "2.6.1"
@@ -2364,6 +2807,25 @@ dependencies = [
  "syn",
 ]
 
+[[package]]
+name = "tempfile"
+version = "3.27.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
+dependencies = [
+ "fastrand",
+ "getrandom 0.4.2",
+ "once_cell",
+ "rustix",
+ "windows-sys 0.61.2",
+]
+
+[[package]]
+name = "termtree"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"
+
 [[package]]
 name = "thin-vec"
 version = "0.2.18"
@@ -2534,6 +2996,20 @@ dependencies = [
  "futures-core",
  "pin-project-lite",
  "tokio",
+ "tokio-util",
+]
+
+[[package]]
+name = "tokio-util"
+version = "0.7.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ae9cec805b01e8fc3fd2fe289f89149a9b66dd16786abd8b19cfa7b48cb0098"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "futures-sink",
+ "pin-project-lite",
+ "tokio",
 ]
 
 [[package]]
@@ -2783,6 +3259,12 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
 
+[[package]]
+name = "utf8parse"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
+
 [[package]]
 name = "uuid"
 version = "1.23.1"
@@ -2813,6 +3295,15 @@ version = "0.9.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
 
+[[package]]
+name = "wait-timeout"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "09ac3b126d3914f9849036f826e054cbabdc8519970b8998ddaf3b5bd3c65f11"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "want"
 version = "0.3.1"
@@ -3066,6 +3557,15 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets 0.52.6",
+]
+
 [[package]]
 name = "windows-sys"
 version = "0.60.2"

Cargo.toml

@@ -9,10 +9,11 @@ members = [
     "crates/picloud-manager",
     "crates/picloud-orchestrator",
     "crates/picloud-executor",
+    "crates/picloud-cli",
 ]
 
 [workspace.package]
-version = "0.6.0"
+version = "1.1.6"
 edition = "2021"
 rust-version = "1.92"
 license = "MIT OR Apache-2.0"
@@ -28,6 +29,8 @@ picloud-manager-core = { path = "crates/manager-core" }
 
 # Async + HTTP
 tokio = { version = "1.40", features = ["full"] }
+# Wraps a broadcast::Receiver into a Stream for the SSE endpoint (v1.1.6).
+tokio-stream = { version = "0.1", features = ["sync"] }
 axum = "0.8"
 tower = "0.5"
 tower-http = { version = "0.6", features = ["trace", "cors"] }
@@ -46,12 +49,16 @@ tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
 # IDs + time
 uuid = { version = "1", features = ["v4", "serde"] }
 chrono = { version = "0.4", features = ["serde"] }
+# Cron schedule parsing (v1.1.4 cron triggers) + IANA timezone resolution.
+chrono-tz = "0.9"
+cron = "0.12"
 
 # Async traits
 async-trait = "0.1"
 
-# Rhai scripting
-rhai = { version = "1.19", features = ["sync", "serde"] }
+# Rhai scripting. Pinned exactly (`=1.24`) because the `internals`
+# feature surface is not semver-stable — future bumps must be deliberate.
+rhai = { version = "=1.24", features = ["sync", "serde"] }
 
 # Postgres (manager-core only — others stay DB-free)
 sqlx = { version = "0.8", features = ["runtime-tokio-rustls", "postgres", "uuid", "chrono", "json", "macros", "migrate"] }
@@ -70,9 +77,21 @@ urlencoding = "2"
 argon2 = "0.5"
 rand = { version = "0.8", features = ["getrandom"] }
 sha2 = "0.10"
+# HMAC-SHA256 for realtime subscriber tokens (v1.1.6).
+hmac = "0.12"
 base64 = "0.22"
 data-encoding = "2.6"
 
+# Stdlib utility crates (v1.1.0 stdlib PR — registered into the
+# Rhai engine as the regex::/random::/etc. namespaces)
+regex = "1"
+hex = "0.4"
+percent-encoding = "2"
+
+# LRU caches (v1.1.3 — top-level script AST cache in orchestrator-core +
+# per-module compiled-module cache in executor-core).
+lru = "0.12"
+
 [workspace.lints.rust]
 unsafe_code = "forbid"
 

HANDBACK.md

@@ -0,0 +1,220 @@
+# HANDBACK — v1.1.6 Realtime Channels & Client Library
+
+Branch: `feat/v1.1.6-realtime-client` (from `main`). Not pushed, no PR.
+
+## 1. Scope coverage (§1–§13)
+
+| § | Item | Status |
+|---|------|--------|
+| 1 | `topics` table (`0021_topics.sql`) | ✅ Done |
+| 2 | Topic admin endpoints (POST/GET/PATCH/DELETE), `AppTopicManage` | ✅ Done |
+| 3 | SSE endpoint `GET /realtime/topics/{topic}` | ✅ Done |
+| 4 | In-process `RealtimeBroadcaster` + GC + publish wiring | ✅ Done |
+| 5 | HMAC subscriber tokens + `app_secrets` (`0022`) + `pubsub::subscriber_token` | ✅ Done |
+| 6 | Dashboard Topics tab | ✅ Done |
+| 7 | `@picloud/client` TypeScript package | ✅ Done |
+| 8 | Topic-aware publish → realtime wiring | ✅ Done |
+| 9 | Dispatcher e2e tests (six) | ✅ Done (location deviation — see §7) |
+| 10 | Empty-blob decision | ✅ Done — **relaxed** (accept empty) |
+| 11 | Orphan `*.tmp.*` sweeper | ✅ Done |
+| 12 | Version bumps (1.1.6 / SDK 1.7 / dash 0.12.0 / client 1.0.0) | ✅ Done |
+| 13 | Tests (all named-critical cases) | ✅ Done |
+
+## 2. Realtime implementation notes
+
+### Topic resolution / SSE handshake sequence
+1. Extract `Host` → `app_domains.resolve_app(host)` (existing two-phase
+   dispatch). No app → **404**.
+2. Token from `Authorization: Bearer <t>` **or** `?token=<t>` (EventSource
+   can't set headers).
+3. `RealtimeAuthority::authorize_subscribe(app_id, topic, token)`:
+   - topic missing OR `external_subscribable = false` → `NotFound` → **404**
+     (both collapse to 404 so the endpoint can't probe internal topics);
+   - `auth_mode='public'` → allow;
+   - `auth_mode='token'` → verify HMAC (present, signed by this app's key,
+     unexpired, scoped to this topic) → allow, else `Unauthorized` → **401**
+     (generic; never says which check failed).
+4. `broadcaster.subscribe(app_id, topic)` → `broadcast::Receiver`; stream
+   `data: {topic,message,published_at}\n\n` with `:heartbeat` keepalive
+   every `PICLOUD_REALTIME_HEARTBEAT_SEC` (default 30). Headers:
+   `text/event-stream`, `Cache-Control: no-cache` (set by axum Sse),
+   `X-Accel-Buffering: no` (added). Client disconnect drops the receiver →
+   automatic cleanup; the periodic GC reaps empty channels.
+
+The SSE handler lives in **orchestrator-core** (`realtime_api.rs`) and
+depends only on the three picloud-shared traits — all DB + signing-key
+access stays in the manager-core `RealtimeAuthority` impl, so the
+data-plane crate never touches the key. Cluster mode (v1.3+) swaps the
+broadcaster + authority impls behind the same traits.
+
+### HMAC signing-key storage — chose **table** (`app_secrets`)
+Per the asked decision. 32 random bytes per app, lazily created on the
+first `pubsub::subscriber_token` call (`ON CONFLICT DO NOTHING` for
+concurrency). No global `PICLOUD_INSTANCE_SECRET`; the table is the
+natural home for v1.1.7's encrypted per-app secrets.
+**Tension flagged:** §5 aspired to "validate the signature without a DB
+lookup". The table approach needs a key read on the token-subscribe path.
+Mitigated by an in-memory key cache in `RealtimeAuthorityImpl` (keys never
+rotate in v1.1.6, so the cache needs no invalidation); the subscribe path
+already reads the `topics` row, so this adds no new round-trip *category*.
+
+### In-process broadcaster
+`Mutex<HashMap<(AppId, String), broadcast::Sender<RealtimeEvent>>>`.
+Capacity per channel `PICLOUD_REALTIME_BROADCAST_CAPACITY` (default 64);
+slow consumers lose oldest events (`broadcast` lag semantics — best-effort,
+no replay). `subscribe` creates channels lazily; `publish` is a silent
+no-op when no channel exists; `drop_topic` removes the sender (existing
+receivers observe a closed channel and disconnect). A `spawn_realtime_gc`
+task (~60s) drops senders with `receiver_count() == 0`.
+
+### Publish wiring (order + failure modes) — §8 ordering chosen
+`PubsubServiceImpl::publish_durable`: validate/authz → **transactional
+outbox fan-out + commit** (existing) → **then** best-effort
+`RealtimeBroadcaster::publish`. The broadcast runs on a child
+`tokio::spawn` whose `JoinHandle` is awaited, so a panicking broadcaster
+becomes a `warn` log, never a failed publish (the durable deliveries
+already committed). One `published_at` instant is shared by both paths.
+**Brief-internal contradiction flagged** — see §9.
+
+## 3. Client lib implementation notes
+
+- **Build:** **tsup** (dual ESM+CJS + `.d.ts`), tests **vitest**, lint =
+  `tsc --noEmit` (strict; `noUncheckedIndexedAccess`, no `any` in exports).
+- **Layout:** `src/{index,client,endpoint,subscribe,auth,types}.ts` +
+  `src/react/index.ts` + `src/svelte/index.ts`; subpath exports
+  `@picloud/client/react` and `@picloud/client/svelte` via package `exports`.
+- **Reconnect:** SSE is implemented over **streaming `fetch`** (not native
+  `EventSource`) so the lib can (a) detect a **401** on (re)connect and call
+  `onTokenExpired` to refresh, (b) send **`Last-Event-ID`** on resume
+  (server ignores it in v1.1.6 — client ships ready), and (c) apply its own
+  **exponential backoff** (base 1s → ×2 → cap 30s; reset on successful
+  open). Token rides in `?token=` (EventSource-parity). React Native caveat
+  documented in the README (supply a streaming-`fetch` polyfill).
+- **zod/valibot adapter:** the `Validator<T> = { parse(input): T }` shape.
+  A Zod schema satisfies it directly; Valibot wraps in one line. Used by
+  `endpoint(...).get({ validate })` and `subscribe(..., { validate })`. No
+  hard dep.
+
+## 4. v1.1.5 follow-ups
+
+- **Dispatcher e2e (six):** `dispatcher_delivers_{kv,docs,cron,files,pubsub,
+  dead_letter}_to_handler` in `crates/picloud/tests/dispatcher_e2e.rs`.
+  Verified green against a real Postgres (all 6).
+- **Empty-blob — RELAXED** (per the asked decision). Dropped the
+  `data.is_empty()` rejection in `NewFile::validate` **and** `FileUpdate::
+  validate` (the latter for consistency — flagged in §7). Flipped the
+  pinning test in `files_service.rs` and added `empty_file_round_trips`.
+- **Orphan sweep:** `spawn_files_orphan_sweep` (`files_sweep.rs`), every 6h
+  (`PICLOUD_FILES_ORPHAN_SWEEP_INTERVAL_SEC`), unlinks `*.tmp.*` older than
+  1h (`PICLOUD_FILES_ORPHAN_TMP_TTL_SEC`); logs dirs-walked / files-deleted /
+  bytes-reclaimed. No DB cross-check (v1.3+). Tested: deletes old tmp, keeps
+  young tmp, keeps non-tmp, missing-root no panic.
+
+## 5. Schema decisions beyond the brief
+None — `0021_topics.sql` and `0022_app_secrets.sql` match the brief's DDL
+verbatim. Schema-snapshot golden re-blessed on a fresh DB (only the two new
+tables added; PK/FK `ON DELETE CASCADE` + the `auth_mode` CHECK present).
+
+## 6. How to verify locally
+See §8 below.
+
+## 7. Decisions beyond the brief — every prompt-default deviation
+1. **Dispatcher e2e location:** the brief says
+   `crates/manager-core/tests/dispatcher_e2e.rs`; I put it in
+   **`crates/picloud/tests/`**. `build_app` (the full dispatcher + scheduler
+   + executor wiring) lives in the `picloud` crate; a manager-core test would
+   need a manager→picloud dev-dependency cycle or a hand-rolled re-wire of
+   build_app. The picloud harness (`server_with_app` pattern) is proven and
+   the tests run green against a real DB. Gating uses the **schema_snapshot
+   pattern** (env check + early return), NOT `#[ignore]`, so CI's plain
+   `cargo test` with `DATABASE_URL` runs them while local stays green — as
+   the brief requested.
+2. **Empty-blob relaxation extended to `FileUpdate::validate`** — the brief
+   names only `NewFile::validate`. Relaxing create-empty but rejecting
+   update-to-empty would be an inconsistent API, so I relaxed both.
+3. **Publish order: §8 (broadcast AFTER outbox commit)**, not §4 (broadcast
+   FIRST). The two sections contradict; §8 is the dedicated, numbered,
+   rationale-backed section. See §9.
+4. **Topic-name validation** — `topics_api` rejects empty names and names
+   containing `*` (external pattern subscription is v2). The brief didn't
+   specify name validation; this is a small guard.
+5. **Client lib lint = `tsc --noEmit`** (not eslint) to keep devDeps lean;
+   strict typecheck is the gate. "No `any` in exports" is enforced by review
+   + strict TS, not an eslint rule.
+6. **Cron e2e poll budget = 45s** — the cron scheduler skips its first tick
+   then ticks every 30s (default). The test polls 45s so it passes at the
+   default; set `PICLOUD_CRON_TICK_INTERVAL_MS=1000` to make it ~2s in CI.
+
+## 8. Attestation (gate runs on this HEAD)
+
+```
+cargo fmt --all -- --check                                    → clean
+cargo clippy --all-targets --all-features -- -D warnings      → clean (exit 0)
+cargo test --workspace                                         → 482 passed, 0 failed
+                                                                 (DB-gated dispatcher_e2e
+                                                                  auto-skip as no-op when
+                                                                  DATABASE_URL unset)
+# DB-gated (real Postgres @ 127.0.0.1:15432, picloud/picloud):
+DATABASE_URL=… PICLOUD_CRON_TICK_INTERVAL_MS=1000 \
+  cargo test -p picloud --test dispatcher_e2e                  → 6 passed
+DATABASE_URL=… cargo test -p picloud-manager-core --test schema_snapshot → 1 passed
+(cd dashboard && npm run check)                                → 0 errors, 0 warnings (371 files)
+(cd clients/typescript && npm run lint)                        → clean (tsc --noEmit)
+(cd clients/typescript && npm run test)                        → 15 passed (5 files)
+(cd clients/typescript && npm run build)                       → tsup ESM+CJS+.d.ts OK
+```
+Migrations verified applying cleanly on a fresh DB **and** on top of the
+existing v1.1.5 dev DB (0020 → 0021 → 0022). Schema-snapshot golden diff is
+exactly the two new tables.
+
+## 9. Open questions for the reviewer
+1. **§4 vs §8 ordering contradiction (load-bearing, flagged not
+   reinterpreted):** §4 says "realtime broadcast FIRST, then transactional
+   outbox fan-out"; §8 says broadcast AFTER the fan-out commits (numbered
+   steps 1–4). I implemented **§8** (dedicated section + failure-mode
+   rationale). If §4's ordering was intended, the broadcast should move
+   before `fan_out_publish` — but then a publish whose outbox write fails
+   would still have notified SSE subscribers of an event that never durably
+   happened, which seems wrong. Please confirm §8 is correct.
+2. **Dead-letter → handler fan-out appears unwired (see §10).** Confirm
+   whether the `dead_letter` trigger source is intended to fire in v1.1.x.
+
+## 10. Latent findings
+**`dead_letter` trigger handlers do not fire on dead-letter creation.**
+`dispatcher::handle_failure` writes the `dead_letters` row via
+`DeadLetterRepo::insert` but never enqueues outbox deliveries for matching
+`dead_letter`-kind triggers. `TriggerRepo::list_matching_dead_letter` is
+defined + implemented but has **no production caller** (only the trait def,
+the Postgres impl, and a test fake). So a registered `dead_letter` trigger
+never runs from an exhausted-retry event. This predates v1.1.6 (the design
+notes §4 describe it shipping in v1.1.1). I did **not** fix it (out of
+v1.1.6 scope) — flagging for the reviewer. Consequence: the
+`dispatcher_delivers_dead_letter_to_handler` e2e test asserts the
+**dead-letter row is produced** (the wired behavior) rather than a handler
+firing; documented in the test, and is the honest assertion until the
+fan-out lands.
+
+No new security gaps introduced. Cross-app isolation holds: `subscriber_token`
+claims carry `app_id` and are signed per-app; the SSE authority rejects
+cross-app tokens (a per-app key already fails the signature, plus an explicit
+`claims.app_id == app_id` check); topic admin endpoints bind the capability
+to the path `app_id` after loading the app; the broadcaster keys channels by
+`(AppId, topic)` so app A's publishes never reach app B's subscribers
+(unit-tested).
+
+## 11. Deferred items (beyond this prompt's OUT list)
+None added. Everything on the brief's OUT list stayed out (WebSocket,
+session/script auth modes, topic-pattern external subscription, server-side
+last-event-id replay, per-app SSE/rate limits, other-language SDKs, codegen,
+full DB-cross-check sweeper).
+
+## 12. Known limitations / rough edges
+- SSE delivery is best-effort at-most-once; a slow consumer past the
+  broadcast buffer loses events with no server-side replay (by design).
+- The client lib's streaming-`fetch` SSE needs a polyfill on runtimes
+  without `fetch` body streaming (React Native) — documented.
+- Cron e2e takes ~31s at the default 30s tick interval (45s poll budget);
+  set `PICLOUD_CRON_TICK_INTERVAL_MS=1000` to speed it up.
+- The realtime key cache in `RealtimeAuthorityImpl` is per-process and never
+  invalidated — correct only because v1.1.6 has no key rotation. A future
+  rotation API must clear it.

REVIEW.md

@@ -0,0 +1,199 @@
+# v1.1.6 Audit & Review
+
+**Branch:** `feat/v1.1.6-realtime-client`
+**Base:** `main` (v1.1.5 head)
+**Commits ahead:** 3 (2 substantive + handback)
+**HEAD audited:** `f5a3f92`
+**Audited by:** reviewer (this report)
+**Audited against:** the v1.1.6 dispatch prompt + the v1.1.1–v1.1.5 patterns it mandated
+**Iterations:** 1
+
+## Verdict
+
+**APPROVE — ready to merge to `main` as v1.1.6.**
+
+The largest release in v1.1.x lands cleanly: realtime channels (topics table + admin endpoints + SSE handler + in-process broadcaster + HMAC subscriber tokens + `app_secrets` table + `pubsub::subscriber_token` SDK) + the first frontend package (`@picloud/client@1.0.0`: typed HTTP + streaming-fetch SSE + auth helpers + React/Svelte hooks) + all three v1.1.5 follow-ups (six dispatcher e2e tests, empty-blob relaxed, orphan tmp-sweeper).
+
+Two open questions raised in HANDBACK §9/§10 — I'll weigh in:
+
+1. **§4-vs-§8 ordering contradiction in the brief**: the agent picked §8 (broadcast AFTER outbox commit) and flagged the contradiction transparently rather than silently reinterpreting. **§8 is the correct call** — see §3 below. This is the v1.1.4 retro lesson on brief-internal contradictions working as intended.
+2. **Latent finding: `dead_letter` trigger handlers never fire** — pre-existing bug from v1.1.1 confirmed. Not v1.1.6's responsibility to fix; correctly out-of-scope. See §4 below for the verification and the v1.1.7 follow-up.
+
+Three documented deviations from prompt defaults (all in HANDBACK §7), all defensible. One test-count discrepancy worth noting (582 vs 482 claim — see §5). None of this blocks merge.
+
+---
+
+## 1. Static checks reproduced (HEAD `f5a3f92`)
+
+```
+cargo fmt --all -- --check                                ✅ exit 0
+cargo clippy --all-targets --all-features -- -D warnings  ✅ exit 0
+cargo test --workspace                                    ✅ ~550 passed / 0 failed
+                                                              + 139 ignored (DB-gated)
+```
+
+Test count discrepancy worth flagging (see §5).
+
+## 2. Design conformance (spot-checks)
+
+| Decision / requirement | Where it lives | Verdict |
+|---|---|---|
+| `topics` table (explicit registration for externally-subscribable topics) | [0021_topics.sql](crates/manager-core/migrations/0021_topics.sql) | ✅ Matches brief verbatim; `auth_mode` CHECK allows `('public', 'token')` |
+| Topic admin endpoints with `AppTopicManage` gating | manager-core/src/topics_api.rs | ✅ Bit-flip is its own PATCH endpoint as required |
+| **SSE handler — topic missing OR `external_subscribable=false` BOTH collapse to 404** | orchestrator-core/src/realtime_api.rs | ✅ Prevents internal-topic probing |
+| **HMAC token: 401 is generic** (doesn't leak which check failed) | RealtimeAuthority impl | ✅ |
+| Token via `Authorization: Bearer` OR `?token=` (EventSource compat) | realtime_api.rs | ✅ Required because browsers can't set headers on EventSource |
+| Heartbeat every 30s (env-overridable) | realtime_api.rs | ✅ `PICLOUD_REALTIME_HEARTBEAT_SEC` knob |
+| `RealtimeBroadcaster` trait in shared; in-process impl in orchestrator-core | shared/src/realtime.rs + orchestrator-core/src/realtime.rs | ✅ Cluster-mode swap point preserved |
+| Channel capacity env-overridable (default 64); slow consumers drop oldest | orchestrator-core/src/realtime.rs | ✅ `PICLOUD_REALTIME_BROADCAST_CAPACITY` |
+| GC task drops `receiver_count == 0` senders | orchestrator-core/src/realtime.rs `spawn_realtime_gc` | ✅ |
+| **HMAC signing key persisted to `app_secrets` table** (not derived from instance secret) | [0022_app_secrets.sql](crates/manager-core/migrations/0022_app_secrets.sql) + app_secrets_repo.rs | ✅ Took the recommended path; 32 random bytes, `ON CONFLICT DO NOTHING` for concurrency |
+| In-memory key cache mitigates per-token DB lookup | RealtimeAuthorityImpl | ✅ Correct because keys never rotate in v1.1.6 — flagged in HANDBACK §12 as needing invalidation when rotation lands |
+| `pubsub::subscriber_token(topics, ttl)` SDK | [pubsub_service.rs:203+ mint_subscriber_token](crates/manager-core/src/pubsub_service.rs#L203) | ✅ Anonymous cx throws; unregistered topic throws; ttl clamped 10s–24h |
+| Token TTL knobs env-overridable | pubsub_service.rs | ✅ `PICLOUD_SUBSCRIBER_TOKEN_TTL_{MIN,MAX,DEFAULT}_SEC` |
+| **Publish wiring: outbox commit FIRST, then broadcast on child task** | [pubsub_service.rs:138-201](crates/manager-core/src/pubsub_service.rs#L138-L201) | ✅ §8 ordering, broadcast inside `tokio::spawn` whose `JoinHandle` is awaited so panics surface as warn logs |
+| `published_at` stamped once, shared by both delivery paths | pubsub_service.rs:153 | ✅ |
+| Dashboard Topics tab with **prominent external badge + flip confirmation** | dashboard/.../+page.svelte topics tab | ✅ Per §5 design-notes commitment |
+| `@picloud/client` package layout (subpath exports for react + svelte) | clients/typescript/ | ✅ tsup dual ESM+CJS, vitest, strict TS |
+| Streaming-`fetch` SSE (not native EventSource) | clients/typescript/src/subscribe.ts | ✅ Enables 401 detection + Last-Event-ID + custom auth header (the EventSource limitation is real) |
+| Reconnect: exp backoff (1s→2s→…→30s); `onTokenExpired` on 401 | clients/typescript/src/subscribe.ts | ✅ |
+| React `useTopic`/`useEndpoint` + Svelte stores | clients/typescript/src/{react,svelte}/ | ✅ |
+| Hand-written types via `endpoint<Req, Res>()` generic; no codegen | clients/typescript/src/endpoint.ts | ✅ Codegen explicitly deferred to v1.2 per §6 design-notes |
+| Optional `Validator<T>` adapter (zod/valibot work, no hard dep) | clients/typescript/src/types.ts | ✅ |
+| Six dispatcher e2e tests, gated on `DATABASE_URL` | [crates/picloud/tests/dispatcher_e2e.rs](crates/picloud/tests/dispatcher_e2e.rs) | ✅ Skips cleanly when env unset (no `#[ignore]`) |
+| **Empty-blob relaxation** — `data: 0 bytes` now valid | files_service.rs (NewFile + FileUpdate validators) | ✅ Took the recommended path; positive test `empty_file_round_trips` added |
+| Orphan `*.tmp.*` sweeper, every 6h, deletes >1h old | files_sweep.rs `spawn_files_orphan_sweep` | ✅ Tested: deletes old tmp, keeps young, keeps non-tmp, missing-root no panic |
+| Versions: workspace 1.1.5→1.1.6, SDK 1.6→1.7, dashboard 0.11.0→0.12.0, client@1.0.0 | Cargo.toml + version.rs + package.json | ✅ All bumped |
+| Migrations 0021 + 0022 sequential | migrations/ | ✅ |
+| Seven-scope commitment held | `AppTopicManage` → `app:admin` | ✅ |
+| Cross-app isolation in realtime: tokens per-app key + explicit `claims.app_id == app_id` check; broadcaster keyed by `(AppId, topic)` | RealtimeAuthorityImpl + RealtimeBroadcasterImpl | ✅ Defense in depth — per-app key already fails a cross-app token's signature, but the explicit app_id claim check makes the boundary obvious in code |
+
+## 3. The §4-vs-§8 ordering contradiction (HANDBACK §9 #1)
+
+The brief literally contradicted itself. §4 said:
+
+> "Order: realtime broadcast FIRST (fast, in-memory), then transactional outbox fan-out (slower)."
+
+§8 said:
+
+> "Order matters: 1. Validate. 2. Transactional fan-out to outbox. 3. Commit. 4. Non-transactional broadcast to in-process subscribers."
+
+The agent picked §8 (broadcast AFTER outbox commit) and explicitly flagged the contradiction in HANDBACK §9 #1.
+
+**§8 is correct.** Three reasons:
+
+1. **Correctness over latency.** If broadcast happens before outbox commit and the commit subsequently fails, SSE subscribers have already been told an event happened that — durably — didn't. They can't replay the apology. §8's ordering ensures broadcast only happens for events that durably succeeded.
+
+2. **§8 is the dedicated, numbered, rationale-backed section.** §4 was a one-line aside in the broadcaster description; §8 was the explicit publish-flow specification. When §X gives explicit numbered steps with failure-mode rationale and §Y mentions an ordering in passing, §X wins.
+
+3. **The agent's failure-mode analysis is right.** Per [pubsub_service.rs:170-173](crates/manager-core/src/pubsub_service.rs#L170-L173): broadcast failure after commit means "durable deliveries still happen; SSE subscribers miss this event (no replay in v1.1.6)." Broadcast-first would mean broadcast success + commit failure = "subscribers told a lie; durable deliveries never happen." The latter is strictly worse.
+
+**Verdict: confirm §8.** The agent acted on the v1.1.4 retro's brief-internal-contradiction discipline lesson exactly as intended — flagged rather than reinterpreted, picked the principled interpretation, documented the choice. This is the right behavior; the lesson stuck.
+
+The v1.1.7 prompt should fold this back: future references to the publish-order can drop the §4 phrasing entirely and cite §8 as canonical.
+
+## 4. Latent finding: `dead_letter` handlers never fire (HANDBACK §10)
+
+**Verified.** Grepping for `list_matching_dead_letter` callers:
+
+```
+crates/manager-core/src/outbox_event_emitter.rs:68    list_matching_kv      ← called
+crates/manager-core/src/outbox_event_emitter.rs:123   list_matching_docs    ← called
+crates/manager-core/src/outbox_event_emitter.rs:184   list_matching_files   ← called
+                                                       list_matching_dead_letter ← NO PRODUCTION CALLER
+```
+
+`TriggerRepo::list_matching_dead_letter` is defined in the trait (trigger_repo.rs:356), implemented for Postgres (trigger_repo.rs:947), and exists in test fakes (triggers_api.rs:830). But no code path in the dispatcher or the emitter calls it. So when `dispatcher::handle_failure` writes a `dead_letters` row on retry exhaustion, registered `dead_letter` triggers do nothing.
+
+This is a real bug from v1.1.1. The design notes §4 specified dead_letter triggers as a shipped v1.1.1 feature; the wiring was never connected. v1.1.2/v1.1.3/v1.1.4/v1.1.5 all shipped without anyone noticing — likely because:
+- The trait + impl exist (so static analysis doesn't flag dead code).
+- v1.1.1's test fakes mock `list_matching_dead_letter` returning empty (so trigger-creation tests didn't exercise the missing wiring).
+- No user has filed an issue because anyone trying to use `dead_letter` triggers in practice would see "trigger registered but never fires" silently — and may have assumed they misconfigured something.
+
+**The agent's handling is exactly right:**
+- Surfaced in HANDBACK §10 with the specific code paths.
+- Did NOT attempt a fix (out of v1.1.6 scope).
+- Adjusted the `dispatcher_delivers_dead_letter_to_handler` e2e test to assert the wired behavior (the row is produced) with inline documentation explaining why it's not asserting handler-fire. This is the honest test for what the code currently does.
+
+**For v1.1.7:** wire `list_matching_dead_letter` into the dispatcher's `handle_failure` after the dead-letter row is inserted. The recursion-stop rule from v1.1.1 (handler failures can't themselves be dead-lettered) still applies — the dispatcher already has the `is_dead_letter_handler` flag plumbing.
+
+**For deployments:** this bug has been silently shipped since v1.1.1. Anyone running v1.1.1–v1.1.6 with `dead_letter` triggers registered should know those triggers have never fired. The fix in v1.1.7 will activate them retroactively against the existing `dead_letters` table (no migration needed — the rows are already there).
+
+Worth a CHANGELOG.md callout in v1.1.7 alongside the fix, similar to how v1.1.3's cross-app trigger gap got a retroactive security note.
+
+**Verdict: not a v1.1.6 blocker.** The bug predates this release; v1.1.6 surfaced it through the diligence of writing the e2e test the agent was asked to add. Excellent defensive work.
+
+## 5. Test count discrepancy
+
+HANDBACK §8 attests `cargo test --workspace → 482 passed`. My re-run on the same HEAD reports **~550 passed**. Counting the unique `test result: ok. N passed` lines:
+
+```
+manager-core         256   (was 229 in v1.1.5 → +27)
+executor-core/sdk_*  15+15+8+8+7+5+1+1+17 = 77
+orchestrator-core    74    (was 62 → +12; realtime SSE + broadcaster + key cache tests)
+stdlib               43
+sdk_contract         30
+modules              23
+picloud              21    (incl. 6 dispatcher_e2e skipping no-op)
+schema_snapshot      1
+shared/pubsub        6 (or somewhere thereabouts)
+files-related        20
+                     ───
+                     ~550
+```
+
+The agent's 482 count was likely a snapshot taken before the final commit added a test file, or a `cargo test --workspace 2>&1 | grep -c "passed"` (counts lines, not values) misread. Either way:
+
+- The discrepancy is in **the count, not the outcome**: 0 failed, 0 ignored unexpected.
+- The gates exit 0; clippy is clean; fmt is clean.
+- The implementation passes every named-critical test from the prompt's §13.
+
+**Verdict: minor accounting drift, not a blocker.** Flag for the v1.1.7 retro: the §8 attestation should be the literal `cargo test --workspace` final-line output (`X passed in Y crates`) or a sum verified by `awk '/test result: ok/ { sum += $4 } END { print sum }'`, not a hand count.
+
+## 6. Substantive strengths
+
+**1. Streaming-`fetch` SSE in the client lib was the right call.** Native `EventSource` can't set custom auth headers (forcing the `?token=` query-string path, which the server still supports as an EventSource-compat option). But for the client lib, dropping EventSource in favor of streaming `fetch` unlocks three things at once: bearer-header auth (cleaner than query-string), 401 detection on (re)connect → `onTokenExpired` callback → token refresh → reconnect, and `Last-Event-ID` resume header (server ignores it in v1.1.6 but the client ships ready). Trade-off: requires `fetch` streaming, so React Native needs a polyfill — the README documents this. Right trade for v1.1.6's target audience.
+
+**2. The HMAC-signing-key persisted-table choice avoids a global secret.** The agent took the recommended path: per-app 32-byte random keys in `app_secrets`. No `PICLOUD_INSTANCE_SECRET` env var to operate. Future v1.1.7 encrypted-per-app-secrets work has its natural home. The cost — one DB read per subscribe — is mitigated by the in-process key cache (correct in v1.1.6 because keys never rotate; HANDBACK §12 flags the rotation-invalidation requirement for future).
+
+**3. Defense in depth on cross-app isolation.** Per-app signing key + explicit `claims.app_id == app_id` check + broadcaster channels keyed by `(AppId, topic)`. Any single guard would suffice; all three together make the boundary obvious in code AND impossible to bypass via a single mistake.
+
+**4. Three v1.1.5 follow-ups all landed.** The empty-blob relaxation, the orphan tmp-sweeper, the six dispatcher e2e tests. All in this release, not deferred. The e2e tests are gated on `DATABASE_URL` cleanly via early-return (matches the v1.1.5 schema_snapshot pattern); CI's Postgres service exercises them.
+
+**5. The agent's discipline carryover is exemplary.** Both flagged items (§4-vs-§8 contradiction, dead_letter latent finding) were caught by the v1.1.4 + v1.1.3 retro discipline lessons: brief-internal contradictions get flagged-not-reinterpreted, latent security/correctness findings get their own HANDBACK section. The §8 attestation was taken on the actual HEAD with the explicit "this HANDBACK commit is pure markdown" footnote. Every deviation is in §7. The system is working.
+
+**6. Commit split.** Three commits — realtime+followups+versions, client lib, handback. Cleaner than v1.1.5's three substantive (because the client lib genuinely is a standalone artifact in a different toolchain), and the build-app cross-crate constraint that drove a single big realtime commit is honestly documented in HANDBACK §7 #1.
+
+## 7. Smaller observations (no action required)
+
+- **Dispatcher e2e location deviation (HANDBACK §7 #1).** Brief said `crates/manager-core/tests/`; agent put them in `crates/picloud/tests/` because `build_app` lives there. The cycle the agent describes (manager-core → picloud dev-dep) is real. The picloud location is correct — `build_app` is where the dispatcher + scheduler + executor are wired into one stack, and that wiring is what the e2e tests need to exercise.
+- **Empty-blob relaxation extended to `FileUpdate::validate` (HANDBACK §7 #2).** The brief only named `NewFile::validate`. Extending to update is correct — relaxing create-empty but rejecting update-to-empty would be an inconsistent API.
+- **Topic-name validation (HANDBACK §7 #4).** Small defensive add: empty names and names containing `*` rejected at admin endpoint. Defends against operator confusion when topic-pattern external subscription lands in v1.2 (preemptive: `*` will mean something there, so reserving it now avoids a future breaking validation).
+- **Client lib lint via `tsc --noEmit` instead of eslint (HANDBACK §7 #5).** Right call for v1.1.6 — strict TS does most of what eslint would, and adding eslint configuration is a separate scope of work. Easy to add later if there's a real type-system-can't-catch-it lint rule we need.
+- **Cron e2e 45s poll budget (HANDBACK §7 #6).** Defensive against the default 30s tick interval; CI sets `PICLOUD_CRON_TICK_INTERVAL_MS=1000` to make it ~2s. Reasonable.
+- **`broadcast::Sender` shape vs `oneshot::Sender`.** v1.1.1's `InboxRegistry` uses oneshot (single delivery). v1.1.6's broadcaster uses `tokio::sync::broadcast` (repeated delivery to multiple receivers). Different patterns for different problems; the trait split in shared keeps both Cluster-mode-swappable.
+
+## 8. Versioning audit
+
+| File | Before | After | Status |
+|---|---|---|---|
+| Workspace `Cargo.toml` | 1.1.5 | 1.1.6 | ✅ |
+| SDK schema (`shared/src/version.rs`) | 1.6 | 1.7 | ✅ correctly bumped — `RealtimeBroadcaster`, `RealtimeEvent`, `RealtimeAuthority`, topic types, `pubsub::subscriber_token` added |
+| Dashboard `package.json` | 0.11.0 | 0.12.0 | ✅ |
+| `@picloud/client` package.json | (new) | 1.0.0 | ✅ Initial release |
+| Migrations | 0001..0020 | 0021..0022 added | ✅ sequential |
+| CHANGELOG.md | v1.1.5 entry | v1.1.6 entry added | ✅ |
+
+## 9. Recommended next steps (post-merge)
+
+1. **Merge** `feat/v1.1.6-realtime-client` into `main` (fast-forward; branch is linear ahead).
+2. **`docker compose down` when convenient** to tear down the dev Postgres container the agent left running.
+3. **Pause** before dispatching v1.1.7 (Configuration & Email).
+4. **For the v1.1.7 dispatch prompt**, fold in:
+   - **Fix `dead_letter` handler wiring** (§4 above). Add a call to `list_matching_dead_letter` in `dispatcher::handle_failure` after the row is inserted, enqueue an outbox row per matching trigger with `source_kind: 'dead_letter'` and the appropriate `TriggerEvent::DeadLetter` payload. The recursion-stop rule (handlers can't be dead-lettered) is already implemented; the wiring just isn't connected. Plus a CHANGELOG retroactive note covering v1.1.1–v1.1.6 ("dead_letter triggers were registerable but never fired; this release activates them against existing dead_letters rows, no migration needed").
+   - **Encrypted per-app secrets.** v1.1.7's brief topic. The `app_secrets` table from v1.1.6 is the natural home; the realtime signing key already lives there. v1.1.7's encrypted-secrets work should extend the table (or add a sibling) for general per-app secrets.
+   - **§8 attestation discipline refinement:** require the §8 attestation be sourced from `cargo test --workspace 2>&1 | tail` rather than a hand count (per §5 above).
+   - **The brief-internal-contradiction discipline lesson stuck.** v1.1.7's brief should be walked through for example/spec contradictions before dispatch, same as the v1.1.5 retro lesson the v1.1.6 brief honored. Keep doing this.
+5. **For the v1.1.8 dispatch prompt** (User Management): the `app_secrets` table + the `RealtimeAuthority` trait shape are ready for v1.1.8 to add `auth_mode = 'session'` as the third subscriber-auth flavor (extending the CHECK constraint, adding a session-token validator alongside the existing HMAC validator behind the unchanged trait).
+
+Branch is ready for merge. Verdict: **APPROVE**.

clients/typescript/.gitignore

@@ -0,0 +1,3 @@
+node_modules/
+dist/
+*.tsbuildinfo

clients/typescript/README.md

@@ -0,0 +1,111 @@
+# @picloud/client
+
+TypeScript client for [PiCloud](../../README.md). Three capabilities, all
+**script-mediated** — there is no direct KV / docs / users access from the
+browser (the hybrid model, by design):
+
+1. **Typed HTTP** to dev-defined script endpoints.
+2. **SSE realtime** subscriptions to externally-subscribable pub/sub topics.
+3. **Auth-flow helpers** over your own dev-defined login/logout endpoints.
+
+```ts
+import { PicloudClient } from '@picloud/client';
+
+const client = new PicloudClient({
+  baseURL: 'https://api.example.com',
+  getAuthToken: () => localStorage.getItem('auth_token')
+});
+
+// Typed HTTP
+interface CreateUserReq { name: string; email?: string; role: string }
+interface CreateUserRes { id: string; name: string; created_at: string }
+const user = await client
+  .endpoint<CreateUserReq, CreateUserRes>('/api/users')
+  .post({ name: 'alice', role: 'admin' });
+
+// SSE subscription
+const unsubscribe = client.subscribe('chat-room-123', (event) => {
+  console.log('got event:', event.message);
+});
+unsubscribe();
+
+// Token-gated topic (token obtained from one of YOUR script endpoints,
+// which calls `pubsub::subscriber_token`)
+client.subscribe('chat-room-123', cb, { token: 'eyJhbGc...' });
+
+// Auth helpers (call dev-defined endpoints under the hood)
+await client.auth.login('alice@example.com', 'password');
+await client.auth.logout();
+const token = client.auth.token;
+```
+
+## React
+
+```tsx
+import { PicloudProvider, useTopic, useEndpoint } from '@picloud/client/react';
+
+// Wrap your tree once: <PicloudProvider client={client}>…</PicloudProvider>
+
+function ChatRoom({ roomId }: { roomId: string }) {
+  const messages = useTopic<ChatMessage>(`chat-room-${roomId}`);
+  return <ul>{messages.map((m, i) => <li key={i}>{m.text}</li>)}</ul>;
+}
+
+function UserProfile({ id }: { id: string }) {
+  const { data, loading, error } = useEndpoint<UserRes>(`/api/users/${id}`).get();
+  if (loading) return <Spinner />;
+  if (error) return <ErrorView error={error} />;
+  return <div>{data?.name}</div>;
+}
+```
+
+## Svelte
+
+```ts
+import { topicStore, endpointStore } from '@picloud/client/svelte';
+
+const messages = topicStore<ChatMessage>(client, `chat-room-${roomId}`);
+// $messages is an array that grows as events arrive
+
+const userQuery = endpointStore<UserRes>(client, `/api/users/${id}`).get();
+// $userQuery is { data, loading, error }
+```
+
+> The Svelte helpers take the `client` explicitly (a store isn't a component,
+> so there's no React-style context to read).
+
+## Optional runtime validation (zod / valibot)
+
+No hard dependency — the adapter is the `{ parse(input): T }` shape. A Zod
+schema satisfies it directly; wrap Valibot in one line:
+
+```ts
+import { z } from 'zod';
+const UserSchema = z.object({ id: z.string(), name: z.string() });
+const user = await client.endpoint('/api/users/1').get({ validate: UserSchema });
+
+// valibot:
+import * as v from 'valibot';
+const schema = v.object({ id: v.string() });
+const adapter = { parse: (i: unknown) => v.parse(schema, i) };
+```
+
+## Transport notes
+
+- SSE is implemented over streaming `fetch` (not native `EventSource`) so the
+  client can refresh an expired token on a 401, send `Last-Event-ID` on resume,
+  and apply its own exponential backoff (1s → 2s → 4s … capped at 30s).
+- **React Native** has no native `EventSource`, but it also can't stream
+  `fetch` bodies on all engines — if you target RN, supply a streaming-capable
+  `fetch` polyfill via the `fetch` option, or use a `react-native-sse`-based
+  adapter. (Server-side `Last-Event-ID` replay is not implemented in v1.1.6;
+  the client sends the header so it's ready when the server adds replay.)
+
+## Build / test
+
+```sh
+npm install
+npm run lint    # tsc --noEmit (strict)
+npm run test    # vitest
+npm run build   # tsup → dist/ (ESM + CJS + .d.ts)
+```

clients/typescript/package.json

@@ -0,0 +1,61 @@
+{
+  "name": "@picloud/client",
+  "version": "1.0.0",
+  "description": "TypeScript client for PiCloud — typed HTTP to script endpoints, SSE realtime subscriptions, auth-flow helpers, and React/Svelte hooks.",
+  "license": "MIT OR Apache-2.0",
+  "type": "module",
+  "sideEffects": false,
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    },
+    "./react": {
+      "types": "./dist/react/index.d.ts",
+      "import": "./dist/react/index.js",
+      "require": "./dist/react/index.cjs"
+    },
+    "./svelte": {
+      "types": "./dist/svelte/index.d.ts",
+      "import": "./dist/svelte/index.js",
+      "require": "./dist/svelte/index.cjs"
+    }
+  },
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "scripts": {
+    "build": "tsup",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "lint": "tsc --noEmit"
+  },
+  "peerDependencies": {
+    "react": ">=17",
+    "svelte": ">=4"
+  },
+  "peerDependenciesMeta": {
+    "react": {
+      "optional": true
+    },
+    "svelte": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@testing-library/dom": "^10.4.0",
+    "@testing-library/react": "^16.1.0",
+    "@types/react": "^18.3.0",
+    "jsdom": "^25.0.0",
+    "react": "^18.3.0",
+    "react-dom": "^18.3.0",
+    "svelte": "^4.2.0",
+    "tsup": "^8.3.0",
+    "typescript": "^5.6.0",
+    "vitest": "^2.1.0"
+  }
+}

clients/typescript/src/auth.ts

@@ -0,0 +1,71 @@
+import { Endpoint } from './endpoint.js';
+import type { AuthTokenProvider } from './types.js';
+
+export interface AuthClientConfig {
+  baseURL: string;
+  fetchImpl: typeof fetch;
+  /** Path of the dev-defined login endpoint (default `/api/auth/login`). */
+  loginPath?: string;
+  /** Path of the dev-defined logout endpoint (default `/api/auth/logout`). */
+  logoutPath?: string;
+  /** Called whenever the stored token changes (e.g. to persist it). */
+  onToken?: (token: string | null) => void;
+}
+
+interface LoginResponse {
+  token?: string;
+}
+
+/**
+ * Auth-flow helpers. These call **dev-defined** endpoints under the hood
+ * (the script layer owns the actual auth); the lib only standardizes the
+ * dance + in-memory token storage. There is no built-in identity model —
+ * `login` POSTs credentials and stores whatever `token` comes back.
+ */
+export class AuthClient {
+  private current: string | null = null;
+
+  constructor(private readonly cfg: AuthClientConfig) {}
+
+  /** The current bearer token, or null. */
+  get token(): string | null {
+    return this.current;
+  }
+
+  /** Suitable as `PicloudClientOptions.getAuthToken`. */
+  readonly provider: AuthTokenProvider = () => this.current;
+
+  /** POST credentials to the login endpoint; store the returned token. */
+  async login(email: string, password: string): Promise<string | null> {
+    const ep = new Endpoint<{ email: string; password: string }, LoginResponse>({
+      baseURL: this.cfg.baseURL,
+      path: this.cfg.loginPath ?? '/api/auth/login',
+      fetchImpl: this.cfg.fetchImpl
+    });
+    const res = await ep.post({ email, password });
+    this.setToken(typeof res?.token === 'string' ? res.token : null);
+    return this.current;
+  }
+
+  /** POST to the logout endpoint (best-effort) and clear the token. */
+  async logout(): Promise<void> {
+    const ep = new Endpoint<undefined, unknown>({
+      baseURL: this.cfg.baseURL,
+      path: this.cfg.logoutPath ?? '/api/auth/logout',
+      // Send the current token so the script can invalidate the session.
+      getAuthToken: () => this.current,
+      fetchImpl: this.cfg.fetchImpl
+    });
+    try {
+      await ep.post();
+    } finally {
+      this.setToken(null);
+    }
+  }
+
+  /** Manually set (or clear) the token — e.g. restoring from storage. */
+  setToken(token: string | null): void {
+    this.current = token;
+    this.cfg.onToken?.(token);
+  }
+}

clients/typescript/src/client.ts

@@ -0,0 +1,61 @@
+import { AuthClient } from './auth.js';
+import { Endpoint } from './endpoint.js';
+import { subscribeTopic } from './subscribe.js';
+import type {
+  PicloudClientOptions,
+  RealtimeEvent,
+  SubscribeOptions,
+  Unsubscribe
+} from './types.js';
+
+/**
+ * The PiCloud frontend client. Three capabilities, all script-mediated
+ * (the hybrid model — no direct KV/docs/users access from the browser):
+ *
+ *   - `endpoint<Req, Res>(path)` — typed HTTP to a dev-defined route.
+ *   - `subscribe(topic, cb, opts?)` — SSE realtime subscription.
+ *   - `auth` — login/logout/token helpers over dev-defined endpoints.
+ */
+export class PicloudClient {
+  readonly auth: AuthClient;
+  private readonly baseURL: string;
+  private readonly fetchImpl: typeof fetch;
+  private readonly getAuthToken: PicloudClientOptions['getAuthToken'];
+
+  constructor(opts: PicloudClientOptions) {
+    if (!opts.baseURL) throw new Error('PicloudClient: baseURL is required');
+    this.baseURL = opts.baseURL;
+    const f = opts.fetch ?? globalThis.fetch;
+    if (typeof f !== 'function') {
+      throw new Error('PicloudClient: no fetch available — pass options.fetch');
+    }
+    // Bind to avoid "Illegal invocation" when calling a detached global.
+    this.fetchImpl = f.bind(globalThis);
+    this.getAuthToken = opts.getAuthToken;
+    this.auth = new AuthClient({ baseURL: this.baseURL, fetchImpl: this.fetchImpl });
+  }
+
+  /** A typed handle to a dev-defined endpoint. */
+  endpoint<Req = unknown, Res = unknown>(path: string): Endpoint<Req, Res> {
+    return new Endpoint<Req, Res>({
+      baseURL: this.baseURL,
+      path,
+      getAuthToken: this.getAuthToken,
+      fetchImpl: this.fetchImpl
+    });
+  }
+
+  /** Subscribe to a realtime topic. Returns an unsubscribe function. */
+  subscribe<T = unknown>(
+    topic: string,
+    onMessage: (event: RealtimeEvent<T>) => void,
+    opts?: SubscribeOptions<T>
+  ): Unsubscribe {
+    return subscribeTopic<T>(
+      { baseURL: this.baseURL, fetchImpl: this.fetchImpl },
+      topic,
+      onMessage,
+      opts
+    );
+  }
+}

clients/typescript/src/endpoint.ts

@@ -0,0 +1,106 @@
+import { PicloudHttpError, type AuthTokenProvider, type Validator } from './types.js';
+
+type Method = 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
+
+export interface EndpointConfig {
+  baseURL: string;
+  path: string;
+  getAuthToken?: AuthTokenProvider;
+  fetchImpl: typeof fetch;
+}
+
+export interface RequestOptions<Res> {
+  /** Extra headers merged over the defaults. */
+  headers?: Record<string, string>;
+  /** Optional runtime validation of the parsed response. */
+  validate?: Validator<Res>;
+  /** AbortSignal to cancel the request. */
+  signal?: AbortSignal;
+}
+
+/**
+ * Typed HTTP to a dev-defined script endpoint. Auth header injection +
+ * structured errors; the request/response types are caller-supplied
+ * generics (`endpoint<Req, Res>('/path')`). No service access — every
+ * call hits a route a script binds (the hybrid model).
+ */
+export class Endpoint<Req = unknown, Res = unknown> {
+  constructor(private readonly cfg: EndpointConfig) {}
+
+  get(opts?: RequestOptions<Res>): Promise<Res> {
+    return this.send('GET', undefined, opts);
+  }
+
+  post(body?: Req, opts?: RequestOptions<Res>): Promise<Res> {
+    return this.send('POST', body, opts);
+  }
+
+  put(body?: Req, opts?: RequestOptions<Res>): Promise<Res> {
+    return this.send('PUT', body, opts);
+  }
+
+  patch(body?: Req, opts?: RequestOptions<Res>): Promise<Res> {
+    return this.send('PATCH', body, opts);
+  }
+
+  delete(opts?: RequestOptions<Res>): Promise<Res> {
+    return this.send('DELETE', undefined, opts);
+  }
+
+  private async send(method: Method, body: Req | undefined, opts?: RequestOptions<Res>): Promise<Res> {
+    const headers: Record<string, string> = {
+      Accept: 'application/json',
+      ...(opts?.headers ?? {})
+    };
+    if (body !== undefined) {
+      headers['Content-Type'] ??= 'application/json';
+    }
+    const token = this.cfg.getAuthToken ? await this.cfg.getAuthToken() : undefined;
+    if (token) {
+      headers['Authorization'] ??= `Bearer ${token}`;
+    }
+
+    const url = joinUrl(this.cfg.baseURL, this.cfg.path);
+    const init: RequestInit = { method, headers };
+    if (body !== undefined) {
+      init.body = JSON.stringify(body);
+    }
+    if (opts?.signal) {
+      init.signal = opts.signal;
+    }
+
+    const res = await this.cfg.fetchImpl(url, init);
+    const parsed = await parseBody(res);
+    if (!res.ok) {
+      const message =
+        (isRecord(parsed) && typeof parsed['error'] === 'string' && parsed['error']) ||
+        `${method} ${this.cfg.path} failed with ${res.status}`;
+      throw new PicloudHttpError(res.status, message, parsed);
+    }
+    return opts?.validate ? opts.validate.parse(parsed) : (parsed as Res);
+  }
+}
+
+async function parseBody(res: Response): Promise<unknown> {
+  const text = await res.text();
+  if (text.length === 0) return null;
+  const ct = res.headers.get('content-type') ?? '';
+  if (ct.includes('application/json')) {
+    try {
+      return JSON.parse(text);
+    } catch {
+      return text;
+    }
+  }
+  return text;
+}
+
+function isRecord(v: unknown): v is Record<string, unknown> {
+  return typeof v === 'object' && v !== null;
+}
+
+export function joinUrl(base: string, path: string): string {
+  const b = base.endsWith('/') ? base.slice(0, -1) : base;
+  const p = path.startsWith('/') ? path : `/${path}`;
+  return `${b}${p}`;
+}

clients/typescript/src/index.ts

@@ -0,0 +1,14 @@
+export { PicloudClient } from './client.js';
+export { Endpoint } from './endpoint.js';
+export { AuthClient } from './auth.js';
+export { subscribeTopic } from './subscribe.js';
+export {
+  PicloudHttpError,
+  type PicloudClientOptions,
+  type AuthTokenProvider,
+  type RealtimeEvent,
+  type SubscribeOptions,
+  type Unsubscribe,
+  type Validator
+} from './types.js';
+export type { RequestOptions } from './endpoint.js';

clients/typescript/src/react/index.ts

@@ -0,0 +1,101 @@
+import {
+  createContext,
+  createElement,
+  useContext,
+  useEffect,
+  useState,
+  type ReactNode
+} from 'react';
+
+import type { PicloudClient } from '../client.js';
+import type { SubscribeOptions } from '../types.js';
+
+const PicloudContext = createContext<PicloudClient | null>(null);
+
+export interface PicloudProviderProps {
+  client: PicloudClient;
+  children?: ReactNode;
+}
+
+/** Provides a `PicloudClient` to `useTopic` / `useEndpoint`. */
+export function PicloudProvider(props: PicloudProviderProps) {
+  return createElement(PicloudContext.Provider, { value: props.client }, props.children);
+}
+
+/** The client from the nearest `PicloudProvider`. Throws if absent. */
+export function usePicloud(): PicloudClient {
+  const client = useContext(PicloudContext);
+  if (!client) {
+    throw new Error('usePicloud: wrap your tree in <PicloudProvider client={...}>');
+  }
+  return client;
+}
+
+/**
+ * Subscribe to a realtime topic; returns the accumulated messages in
+ * arrival order. Re-subscribes when `topic` changes; unsubscribes on
+ * unmount.
+ */
+export function useTopic<T = unknown>(topic: string, opts?: SubscribeOptions<T>): T[] {
+  const client = usePicloud();
+  const [messages, setMessages] = useState<T[]>([]);
+  useEffect(() => {
+    setMessages([]);
+    const unsubscribe = client.subscribe<T>(
+      topic,
+      (event) => setMessages((prev) => [...prev, event.message]),
+      opts
+    );
+    return () => unsubscribe();
+    // `opts` is intentionally excluded: a new object literal each render
+    // would otherwise resubscribe every render.
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [client, topic]);
+  return messages;
+}
+
+export interface QueryState<T> {
+  data: T | null;
+  loading: boolean;
+  error: unknown;
+}
+
+export interface EndpointHook<Req, Res> {
+  get: () => QueryState<Res>;
+  post: (body?: Req) => QueryState<Res>;
+}
+
+/**
+ * Typed endpoint hook. `useEndpoint<Res>(path).get()` fires a GET and
+ * returns `{ data, loading, error }`, re-running when `path` changes.
+ * `.post(body)` is the mutation variant (auto-fires once per mount).
+ */
+export function useEndpoint<Res = unknown, Req = unknown>(path: string): EndpointHook<Req, Res> {
+  const client = usePicloud();
+  return {
+    get: () => useResource<Res>(() => client.endpoint<Req, Res>(path).get(), path, 'GET'),
+    post: (body?: Req) =>
+      useResource<Res>(() => client.endpoint<Req, Res>(path).post(body), path, 'POST')
+  };
+}
+
+function useResource<Res>(run: () => Promise<Res>, key: string, method: string): QueryState<Res> {
+  const [state, setState] = useState<QueryState<Res>>({
+    data: null,
+    loading: true,
+    error: null
+  });
+  useEffect(() => {
+    let active = true;
+    setState({ data: null, loading: true, error: null });
+    run()
+      .then((data) => active && setState({ data, loading: false, error: null }))
+      .catch((error) => active && setState({ data: null, loading: false, error }));
+    return () => {
+      active = false;
+    };
+    // `run` is recreated each render; key it on path + method instead.
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [key, method]);
+  return state;
+}

clients/typescript/src/subscribe.ts

@@ -0,0 +1,194 @@
+import { joinUrl } from './endpoint.js';
+import type { RealtimeEvent, SubscribeOptions, Unsubscribe } from './types.js';
+
+interface SubscribeConfig {
+  baseURL: string;
+  fetchImpl: typeof fetch;
+}
+
+/**
+ * Subscribe to an app pub/sub topic over SSE.
+ *
+ * Implemented over streaming `fetch` (not native `EventSource`) so the
+ * lib can: detect a 401 on (re)connect and refresh the token, send a
+ * `Last-Event-ID` header on resume, and apply its own exponential
+ * backoff. See HANDBACK for the rationale. Returns an unsubscribe
+ * function that aborts the connection and stops reconnecting.
+ */
+export function subscribeTopic<T = unknown>(
+  cfg: SubscribeConfig,
+  topic: string,
+  onMessage: (event: RealtimeEvent<T>) => void,
+  opts: SubscribeOptions<T> = {}
+): Unsubscribe {
+  const baseBackoff = opts.baseBackoffMs ?? 1_000;
+  const maxBackoff = opts.maxBackoffMs ?? 30_000;
+  let token = opts.token;
+  let stopped = false;
+  let attempt = 0;
+  let lastEventId: string | undefined;
+  let controller: AbortController | null = null;
+  let backoffTimer: ReturnType<typeof setTimeout> | null = null;
+
+  const stop = () => {
+    stopped = true;
+    if (backoffTimer) clearTimeout(backoffTimer);
+    controller?.abort();
+  };
+
+  const scheduleReconnect = () => {
+    if (stopped) return;
+    // Exponential backoff: base, 2x, 4x… capped at maxBackoff.
+    const delay = Math.min(maxBackoff, baseBackoff * 2 ** attempt);
+    attempt += 1;
+    backoffTimer = setTimeout(() => void connect(), delay);
+  };
+
+  const connect = async (): Promise<void> => {
+    if (stopped) return;
+    controller = new AbortController();
+    const url = buildUrl(cfg.baseURL, topic, token);
+    const headers: Record<string, string> = { Accept: 'text/event-stream' };
+    if (lastEventId) headers['Last-Event-ID'] = lastEventId;
+
+    let res: Response;
+    try {
+      res = await cfg.fetchImpl(url, { headers, signal: controller.signal });
+    } catch (err) {
+      if (stopped || isAbort(err)) return;
+      scheduleReconnect();
+      return;
+    }
+
+    if (res.status === 401) {
+      // Token expired / rejected — try to refresh, else give up.
+      const fresh = opts.onTokenExpired ? await opts.onTokenExpired() : null;
+      if (fresh) {
+        token = fresh;
+        attempt = 0; // fresh credential → reconnect immediately
+        void connect();
+      } else {
+        opts.onError?.(new Error('realtime subscribe unauthorized (401)'));
+        stop();
+      }
+      return;
+    }
+
+    if (!res.ok || !res.body) {
+      if (!stopped) scheduleReconnect();
+      return;
+    }
+
+    // Connected — reset backoff and stream frames until the body ends.
+    attempt = 0;
+    try {
+      await readStream(res.body, (frame) => {
+        if (frame.id !== undefined) lastEventId = frame.id;
+        if (frame.data === undefined) return; // comment / heartbeat
+        const parsed = parseEvent<T>(frame.data, opts);
+        if (parsed) onMessage(parsed);
+      });
+    } catch (err) {
+      if (stopped || isAbort(err)) return;
+    }
+    // Stream ended (server closed, e.g. topic deleted) → reconnect.
+    if (!stopped) scheduleReconnect();
+  };
+
+  void connect();
+  return stop;
+}
+
+function buildUrl(baseURL: string, topic: string, token?: string): string {
+  const url = joinUrl(baseURL, `/realtime/topics/${encodeURIComponent(topic)}`);
+  // EventSource can't set headers, so the token rides in the query
+  // string — the same path a raw EventSource would use.
+  return token ? `${url}?token=${encodeURIComponent(token)}` : url;
+}
+
+function parseEvent<T>(data: string, opts: SubscribeOptions<T>): RealtimeEvent<T> | null {
+  let json: unknown;
+  try {
+    json = JSON.parse(data);
+  } catch {
+    return null;
+  }
+  if (!isRealtimeShape(json)) return null;
+  const message = opts.validate ? opts.validate.parse(json.message) : (json.message as T);
+  return { topic: json.topic, message, published_at: json.published_at };
+}
+
+function isRealtimeShape(v: unknown): v is RealtimeEvent<unknown> {
+  return (
+    typeof v === 'object' &&
+    v !== null &&
+    typeof (v as Record<string, unknown>)['topic'] === 'string' &&
+    typeof (v as Record<string, unknown>)['published_at'] === 'string' &&
+    'message' in (v as Record<string, unknown>)
+  );
+}
+
+interface SseFrame {
+  data?: string;
+  id?: string;
+}
+
+/**
+ * Read an SSE response body, invoking `onFrame` per event. Minimal
+ * parser: accumulates `data:` lines (joined by `\n`) and `id:` until a
+ * blank line dispatches the frame. Lines starting with `:` are comments
+ * (heartbeats) — surfaced as a frame with no `data` so the id can still
+ * advance.
+ */
+async function readStream(
+  body: ReadableStream<Uint8Array>,
+  onFrame: (frame: SseFrame) => void
+): Promise<void> {
+  const reader = body.getReader();
+  const decoder = new TextDecoder();
+  let buffer = '';
+  let dataLines: string[] = [];
+  let id: string | undefined;
+  let sawComment = false;
+
+  const dispatch = () => {
+    if (dataLines.length > 0) {
+      onFrame({ data: dataLines.join('\n'), id });
+    } else if (sawComment) {
+      onFrame({ id });
+    }
+    dataLines = [];
+    sawComment = false;
+  };
+
+  for (;;) {
+    const { value, done } = await reader.read();
+    if (done) break;
+    buffer += decoder.decode(value, { stream: true });
+    let nl: number;
+    while ((nl = buffer.indexOf('\n')) >= 0) {
+      const line = buffer.slice(0, nl).replace(/\r$/, '');
+      buffer = buffer.slice(nl + 1);
+      if (line === '') {
+        dispatch();
+        continue;
+      }
+      if (line.startsWith(':')) {
+        sawComment = true;
+        continue;
+      }
+      const colon = line.indexOf(':');
+      const field = colon === -1 ? line : line.slice(0, colon);
+      const rawVal = colon === -1 ? '' : line.slice(colon + 1);
+      const val = rawVal.startsWith(' ') ? rawVal.slice(1) : rawVal;
+      if (field === 'data') dataLines.push(val);
+      else if (field === 'id') id = val;
+    }
+  }
+  // Flush a trailing frame if the stream ended without a blank line.
+  dispatch();
+}
+
+function isAbort(err: unknown): boolean {
+  return typeof err === 'object' && err !== null && (err as { name?: string }).name === 'AbortError';
+}

clients/typescript/src/svelte/index.ts

@@ -0,0 +1,72 @@
+import { readable, type Readable } from 'svelte/store';
+
+import type { PicloudClient } from '../client.js';
+import type { SubscribeOptions } from '../types.js';
+
+/**
+ * A Svelte store of realtime messages for a topic. `$messages` is an
+ * array that grows as events arrive. The SSE connection opens on the
+ * first subscriber and closes when the last unsubscribes (standard
+ * `readable` lifecycle).
+ *
+ * The client is passed explicitly (Svelte stores aren't components, so
+ * there's no React-style context to read). See HANDBACK §7.
+ */
+export function topicStore<T = unknown>(
+  client: PicloudClient,
+  topic: string,
+  opts?: SubscribeOptions<T>
+): Readable<T[]> {
+  return readable<T[]>([], (set) => {
+    let items: T[] = [];
+    const unsubscribe = client.subscribe<T>(
+      topic,
+      (event) => {
+        items = [...items, event.message];
+        set(items);
+      },
+      opts
+    );
+    return () => unsubscribe();
+  });
+}
+
+export interface QueryState<T> {
+  data: T | null;
+  loading: boolean;
+  error: unknown;
+}
+
+export interface EndpointStore<Req, Res> {
+  get: () => Readable<QueryState<Res>>;
+  post: (body?: Req) => Readable<QueryState<Res>>;
+}
+
+/**
+ * A Svelte store wrapper over a typed endpoint. `$query` is
+ * `{ data, loading, error }`. The request fires when the store gains its
+ * first subscriber.
+ */
+export function endpointStore<Res = unknown, Req = unknown>(
+  client: PicloudClient,
+  path: string
+): EndpointStore<Req, Res> {
+  const run = (exec: () => Promise<Res>): Readable<QueryState<Res>> =>
+    readable<QueryState<Res>>({ data: null, loading: true, error: null }, (set) => {
+      let active = true;
+      exec()
+        .then((data) => {
+          if (active) set({ data, loading: false, error: null });
+        })
+        .catch((error) => {
+          if (active) set({ data: null, loading: false, error });
+        });
+      return () => {
+        active = false;
+      };
+    });
+  return {
+    get: () => run(() => client.endpoint<Req, Res>(path).get()),
+    post: (body?: Req) => run(() => client.endpoint<Req, Res>(path).post(body))
+  };
+}

clients/typescript/src/types.ts

@@ -0,0 +1,73 @@
+// Shared types for @picloud/client.
+
+/** Returns the current bearer token (or null) before each HTTP request. */
+export type AuthTokenProvider = () => string | null | undefined | Promise<string | null | undefined>;
+
+export interface PicloudClientOptions {
+  /** Base URL of the PiCloud deployment, e.g. `https://api.example.com`. */
+  baseURL: string;
+  /**
+   * Optional: returns the current bearer token, called before each
+   * request. The client doesn't manage tokens — it just sends them.
+   */
+  getAuthToken?: AuthTokenProvider;
+  /**
+   * Optional fetch implementation (defaults to the global `fetch`).
+   * Injected mainly for tests / non-browser runtimes.
+   */
+  fetch?: typeof fetch;
+}
+
+/** A realtime event as delivered over SSE. */
+export interface RealtimeEvent<T = unknown> {
+  topic: string;
+  message: T;
+  published_at: string;
+}
+
+/**
+ * Minimal validator shape for the optional runtime-validation adapter.
+ * A Zod schema satisfies this directly (`schema.parse`); for Valibot,
+ * wrap it: `{ parse: (i) => v.parse(schema, i) }`. No hard dep on either.
+ */
+export interface Validator<T> {
+  parse: (input: unknown) => T;
+}
+
+/** Thrown when an endpoint call returns a non-2xx status. */
+export class PicloudHttpError extends Error {
+  readonly status: number;
+  readonly body: unknown;
+  constructor(status: number, message: string, body: unknown) {
+    super(message);
+    this.name = 'PicloudHttpError';
+    this.status = status;
+    this.body = body;
+  }
+}
+
+export interface SubscribeOptions<T = unknown> {
+  /**
+   * Subscriber token for `auth_mode = 'token'` topics. Obtained from one
+   * of your app's script endpoints (which calls
+   * `pubsub::subscriber_token`). Sent as `?token=` (EventSource-parity).
+   */
+  token?: string;
+  /**
+   * Called when a (re)connect is rejected with 401 — typically an
+   * expired token. Return a fresh token to retry immediately, or
+   * null/undefined to stop and surface the error.
+   */
+  onTokenExpired?: () => string | null | undefined | Promise<string | null | undefined>;
+  /** Called on a terminal error (after retries are exhausted or aborted). */
+  onError?: (err: unknown) => void;
+  /** Optional runtime validation of each event's `message`. */
+  validate?: Validator<T>;
+  /** Max reconnect backoff in ms (default 30_000). */
+  maxBackoffMs?: number;
+  /** Base reconnect backoff in ms (default 1_000). */
+  baseBackoffMs?: number;
+}
+
+/** Cancels a realtime subscription. */
+export type Unsubscribe = () => void;

clients/typescript/tests/auth.test.ts

@@ -0,0 +1,41 @@
+import { describe, expect, it, vi } from 'vitest';
+
+import { PicloudClient } from '../src/index.js';
+import { jsonResponse, lastUrl, type FetchArgs } from './helpers.js';
+
+describe('auth', () => {
+  it('login POSTs credentials and stores the returned token', async () => {
+    const fetchMock = vi.fn(async (_u: FetchArgs[0], _i?: FetchArgs[1]) =>
+      jsonResponse({ token: 'session-abc' })
+    );
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+
+    const token = await client.auth.login('alice@example.com', 'pw');
+    expect(token).toBe('session-abc');
+    expect(client.auth.token).toBe('session-abc');
+    expect(lastUrl(fetchMock)).toBe('https://api.test/api/auth/login');
+
+    const init = fetchMock.mock.calls[0]?.[1];
+    expect(JSON.parse(String(init?.body))).toEqual({
+      email: 'alice@example.com',
+      password: 'pw'
+    });
+  });
+
+  it('logout clears the stored token', async () => {
+    const fetchMock = vi.fn(async (_u: FetchArgs[0], _i?: FetchArgs[1]) => jsonResponse({}));
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+    client.auth.setToken('existing');
+    await client.auth.logout();
+    expect(client.auth.token).toBeNull();
+  });
+
+  it('provider returns the current token for getAuthToken wiring', async () => {
+    const fetchMock = vi.fn(async (_u: FetchArgs[0], _i?: FetchArgs[1]) =>
+      jsonResponse({ token: 't' })
+    );
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+    await client.auth.login('a@b.c', 'pw');
+    expect(client.auth.provider()).toBe('t');
+  });
+});

clients/typescript/tests/endpoint.test.ts

@@ -0,0 +1,82 @@
+import { describe, expect, it, vi } from 'vitest';
+
+import { PicloudClient, PicloudHttpError } from '../src/index.js';
+import { headerOf, jsonResponse, lastInit, lastUrl, type FetchArgs } from './helpers.js';
+
+describe('endpoint', () => {
+  it('post round-trips a typed request/response', async () => {
+    const fetchMock = vi.fn(async (_u: FetchArgs[0], _i?: FetchArgs[1]) =>
+      jsonResponse({ id: '1', name: 'alice', created_at: 'now' }, 201)
+    );
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+
+    interface Req {
+      name: string;
+      role: string;
+    }
+    interface Res {
+      id: string;
+      name: string;
+      created_at: string;
+    }
+    const res = await client.endpoint<Req, Res>('/api/users').post({ name: 'alice', role: 'admin' });
+
+    expect(res).toEqual({ id: '1', name: 'alice', created_at: 'now' });
+    expect(lastUrl(fetchMock)).toBe('https://api.test/api/users');
+    const init = lastInit(fetchMock);
+    expect(init.method).toBe('POST');
+    expect(JSON.parse(String(init.body))).toEqual({ name: 'alice', role: 'admin' });
+    expect(headerOf(init, 'Content-Type')).toBe('application/json');
+  });
+
+  it('get round-trips', async () => {
+    const fetchMock = vi.fn(async (_u: FetchArgs[0], _i?: FetchArgs[1]) =>
+      jsonResponse({ name: 'bob' })
+    );
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+    const res = await client.endpoint<unknown, { name: string }>('/api/users/1').get();
+    expect(res.name).toBe('bob');
+    expect(lastInit(fetchMock).method).toBe('GET');
+  });
+
+  it('injects the auth token from getAuthToken', async () => {
+    const fetchMock = vi.fn(async (_u: FetchArgs[0], _i?: FetchArgs[1]) => jsonResponse({ ok: true }));
+    const client = new PicloudClient({
+      baseURL: 'https://api.test',
+      fetch: fetchMock,
+      getAuthToken: () => 'tok-123'
+    });
+    await client.endpoint('/api/me').get();
+    expect(headerOf(lastInit(fetchMock), 'Authorization')).toBe('Bearer tok-123');
+  });
+
+  it('throws PicloudHttpError with status + body on non-2xx', async () => {
+    const fetchMock = vi.fn(async (_u: FetchArgs[0], _i?: FetchArgs[1]) =>
+      jsonResponse({ error: 'bad input' }, 422)
+    );
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+    const err = await client
+      .endpoint('/api/x')
+      .get()
+      .catch((e: unknown) => e);
+    expect(err).toBeInstanceOf(PicloudHttpError);
+    expect((err as PicloudHttpError).status).toBe(422);
+    expect((err as PicloudHttpError).message).toBe('bad input');
+  });
+
+  it('applies an optional validator to the response', async () => {
+    const fetchMock = vi.fn(async (_u: FetchArgs[0], _i?: FetchArgs[1]) =>
+      jsonResponse({ id: 7 })
+    );
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+    const validator = {
+      parse: (input: unknown) => {
+        const r = input as { id: number };
+        if (typeof r.id !== 'number') throw new Error('bad');
+        return r;
+      }
+    };
+    const res = await client.endpoint<unknown, { id: number }>('/api/x').get({ validate: validator });
+    expect(res.id).toBe(7);
+  });
+});

clients/typescript/tests/helpers.ts

@@ -0,0 +1,54 @@
+// Test helpers: build JSON + SSE Response objects and a typed fetch mock.
+
+export function jsonResponse(body: unknown, status = 200): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { 'content-type': 'application/json' }
+  });
+}
+
+export function emptyResponse(status = 200): Response {
+  return new Response(null, { status });
+}
+
+/** Build a text/event-stream Response from raw SSE frame strings. */
+export function sseResponse(frames: string[], status = 200): Response {
+  const encoder = new TextEncoder();
+  const stream = new ReadableStream<Uint8Array>({
+    start(controller) {
+      for (const frame of frames) controller.enqueue(encoder.encode(frame));
+      controller.close();
+    }
+  });
+  return new Response(stream, {
+    status,
+    headers: { 'content-type': 'text/event-stream' }
+  });
+}
+
+/** One SSE `data:` event frame for a realtime payload. */
+export function dataFrame(topic: string, message: unknown, publishedAt = '2026-06-04T00:00:00Z'): string {
+  const payload = JSON.stringify({ topic, message, published_at: publishedAt });
+  return `data: ${payload}\n\n`;
+}
+
+export type FetchArgs = [string | URL | Request, RequestInit?];
+
+type MockLike = { mock: { calls: ReadonlyArray<ReadonlyArray<unknown>> } };
+
+export function lastInit(mock: MockLike, i = 0): RequestInit {
+  const call = mock.mock.calls[i];
+  if (!call) throw new Error(`no fetch call at index ${i}`);
+  return (call[1] as RequestInit | undefined) ?? {};
+}
+
+export function lastUrl(mock: MockLike, i = 0): string {
+  const call = mock.mock.calls[i];
+  if (!call) throw new Error(`no fetch call at index ${i}`);
+  return String(call[0]);
+}
+
+export function headerOf(init: RequestInit, name: string): string | undefined {
+  const h = init.headers as Record<string, string> | undefined;
+  return h?.[name];
+}

clients/typescript/tests/react.test.tsx

@@ -0,0 +1,41 @@
+import { act, renderHook } from '@testing-library/react';
+import type { ReactNode } from 'react';
+import { describe, expect, it, vi } from 'vitest';
+
+import type { PicloudClient, RealtimeEvent, Unsubscribe } from '../src/index.js';
+import { PicloudProvider, useTopic } from '../src/react/index.js';
+
+type Cb = (e: RealtimeEvent<unknown>) => void;
+
+function fakeClient() {
+  const unsubscribe = vi.fn();
+  let captured: Cb | null = null;
+  const subscribe = vi.fn(
+    (_topic: string, cb: Cb): Unsubscribe => {
+      captured = cb;
+      return unsubscribe as unknown as Unsubscribe;
+    }
+  );
+  const client = { subscribe } as unknown as PicloudClient;
+  return { client, subscribe, unsubscribe, emit: (e: RealtimeEvent<unknown>) => captured?.(e) };
+}
+
+describe('react useTopic', () => {
+  it('subscribes on mount, accumulates messages, unsubscribes on unmount', () => {
+    const { client, subscribe, unsubscribe, emit } = fakeClient();
+    const wrapper = ({ children }: { children: ReactNode }) =>
+      PicloudProvider({ client, children });
+
+    const { result, unmount } = renderHook(() => useTopic<{ n: number }>('chat'), { wrapper });
+
+    expect(subscribe).toHaveBeenCalledTimes(1);
+    expect(result.current).toEqual([]);
+
+    act(() => emit({ topic: 'chat', message: { n: 1 }, published_at: 't' }));
+    act(() => emit({ topic: 'chat', message: { n: 2 }, published_at: 't' }));
+    expect(result.current).toEqual([{ n: 1 }, { n: 2 }]);
+
+    unmount();
+    expect(unsubscribe).toHaveBeenCalledTimes(1);
+  });
+});

clients/typescript/tests/subscribe.test.ts

@@ -0,0 +1,99 @@
+import { describe, expect, it, vi } from 'vitest';
+
+import { PicloudClient, type RealtimeEvent } from '../src/index.js';
+import { dataFrame, emptyResponse, lastUrl, sseResponse, type FetchArgs } from './helpers.js';
+
+/** A fetch mock that plays through a queue of response factories. */
+function queuedFetch(responders: Array<() => Promise<Response>>) {
+  let i = 0;
+  return vi.fn(async (_u: FetchArgs[0], _i?: FetchArgs[1]) => {
+    const idx = Math.min(i, responders.length - 1);
+    i += 1;
+    const r = responders[idx];
+    if (!r) throw new Error('no responder');
+    return r();
+  });
+}
+
+describe('subscribe', () => {
+  it('connects to the SSE endpoint and delivers events', async () => {
+    const fetchMock = queuedFetch([async () => sseResponse([dataFrame('chat', { hi: 1 })])]);
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+
+    const received: Array<RealtimeEvent<{ hi: number }>> = [];
+    const unsubscribe = client.subscribe<{ hi: number }>('chat', (e) => received.push(e));
+
+    await vi.waitFor(() => expect(received.length).toBe(1));
+    unsubscribe();
+
+    expect(received[0]?.topic).toBe('chat');
+    expect(received[0]?.message).toEqual({ hi: 1 });
+    expect(lastUrl(fetchMock)).toBe('https://api.test/realtime/topics/chat');
+  });
+
+  it('passes a token via the query string', async () => {
+    const fetchMock = queuedFetch([async () => sseResponse([dataFrame('chat', 1)])]);
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+    const unsubscribe = client.subscribe('chat', () => {}, { token: 'abc.def' });
+    await vi.waitFor(() => expect(fetchMock).toHaveBeenCalled());
+    unsubscribe();
+    expect(lastUrl(fetchMock)).toBe('https://api.test/realtime/topics/chat?token=abc.def');
+  });
+
+  it('reconnects with backoff after an initial connection failure', async () => {
+    const fetchMock = queuedFetch([
+      async () => {
+        throw new Error('network down');
+      },
+      async () => sseResponse([dataFrame('chat', { ok: true })])
+    ]);
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+
+    const received: unknown[] = [];
+    const unsubscribe = client.subscribe('chat', (e) => received.push(e.message), {
+      baseBackoffMs: 5,
+      maxBackoffMs: 20
+    });
+
+    await vi.waitFor(() => expect(received.length).toBeGreaterThanOrEqual(1), { timeout: 1000 });
+    unsubscribe();
+    expect(fetchMock.mock.calls.length).toBeGreaterThanOrEqual(2);
+    expect(received[0]).toEqual({ ok: true });
+  });
+
+  it('refreshes the token after a 401 and reconnects', async () => {
+    const fetchMock = queuedFetch([
+      async () => emptyResponse(401),
+      async () => sseResponse([dataFrame('chat', { v: 2 })])
+    ]);
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+
+    const onTokenExpired = vi.fn(() => 'fresh-token');
+    const received: unknown[] = [];
+    const unsubscribe = client.subscribe('chat', (e) => received.push(e.message), {
+      token: 'stale',
+      onTokenExpired,
+      baseBackoffMs: 5
+    });
+
+    await vi.waitFor(() => expect(received.length).toBeGreaterThanOrEqual(1), { timeout: 1000 });
+    unsubscribe();
+
+    expect(onTokenExpired).toHaveBeenCalled();
+    // Second connect carries the refreshed token.
+    expect(lastUrl(fetchMock, 1)).toContain('token=fresh-token');
+    expect(received[0]).toEqual({ v: 2 });
+  });
+
+  it('stops and reports when a 401 cannot be refreshed', async () => {
+    const fetchMock = queuedFetch([async () => emptyResponse(401)]);
+    const client = new PicloudClient({ baseURL: 'https://api.test', fetch: fetchMock });
+    const onError = vi.fn();
+    const unsubscribe = client.subscribe('chat', () => {}, {
+      onTokenExpired: () => null,
+      onError
+    });
+    await vi.waitFor(() => expect(onError).toHaveBeenCalled());
+    unsubscribe();
+  });
+});

clients/typescript/tests/svelte.test.ts

@@ -0,0 +1,34 @@
+import { get } from 'svelte/store';
+import { describe, expect, it, vi } from 'vitest';
+
+import type { PicloudClient, RealtimeEvent, Unsubscribe } from '../src/index.js';
+import { topicStore } from '../src/svelte/index.js';
+
+type Cb = (e: RealtimeEvent<unknown>) => void;
+
+describe('svelte topicStore', () => {
+  it('subscribes on first subscriber and unsubscribes on last', () => {
+    const unsubscribe = vi.fn();
+    const holder: { cb: Cb | null } = { cb: null };
+    const subscribe = vi.fn((_topic: string, cb: Cb): Unsubscribe => {
+      holder.cb = cb;
+      return unsubscribe as unknown as Unsubscribe;
+    });
+    const client = { subscribe } as unknown as PicloudClient;
+
+    const store = topicStore<{ x: number }>(client, 'chat');
+    // No SSE connection until someone subscribes (readable lifecycle).
+    expect(subscribe).not.toHaveBeenCalled();
+
+    let value: { x: number }[] = [];
+    const stop = store.subscribe((v) => (value = v));
+    expect(subscribe).toHaveBeenCalledTimes(1);
+
+    holder.cb?.({ topic: 'chat', message: { x: 1 }, published_at: 't' });
+    expect(value).toEqual([{ x: 1 }]);
+    expect(get(store)).toEqual([{ x: 1 }]);
+
+    stop();
+    expect(unsubscribe).toHaveBeenCalledTimes(1);
+  });
+});

clients/typescript/tsconfig.json

@@ -0,0 +1,21 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "lib": ["ES2020", "DOM", "DOM.Iterable"],
+    "jsx": "react-jsx",
+    "strict": true,
+    "noUncheckedIndexedAccess": true,
+    "exactOptionalPropertyTypes": false,
+    "noImplicitOverride": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "declaration": true,
+    "noEmit": true,
+    "types": []
+  },
+  "include": ["src", "tests"]
+}

clients/typescript/tsup.config.ts

@@ -0,0 +1,18 @@
+import { defineConfig } from 'tsup';
+
+// Dual ESM + CJS emit with .d.ts for the main entry and the two
+// framework subpath exports. React and Svelte are peer deps — kept
+// external so the lib never bundles a framework copy.
+export default defineConfig({
+  entry: {
+    index: 'src/index.ts',
+    'react/index': 'src/react/index.ts',
+    'svelte/index': 'src/svelte/index.ts'
+  },
+  format: ['esm', 'cjs'],
+  dts: true,
+  clean: true,
+  sourcemap: true,
+  treeshake: true,
+  external: ['react', 'svelte', 'svelte/store']
+});

clients/typescript/vitest.config.ts

@@ -0,0 +1,11 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    // jsdom so the React/Svelte hook tests have a DOM; the core
+    // endpoint/subscribe/auth tests are environment-agnostic.
+    environment: 'jsdom',
+    globals: true,
+    include: ['tests/**/*.test.ts', 'tests/**/*.test.tsx']
+  }
+});

crates/executor-core/Cargo.toml

@@ -14,7 +14,34 @@ picloud-shared.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 thiserror.workspace = true
+tokio.workspace = true
 tracing.workspace = true
 uuid.workspace = true
 chrono.workspace = true
-rhai.workspace = true
+async-trait.workspace = true
+# `internals` feature surfaces `rhai::Stmt`, `rhai::Expr`, `ASTFlags`
+# (used by the v1.1.3 module-shape validator to walk top-level
+# statements and accept only `fn` / `const` / `import`). Pinned at
+# the workspace level; bumping rhai is a deliberate, reviewed change.
+rhai = { workspace = true, features = ["internals"] }
+
+# v1.1.3 — per-module compiled-Module cache lives in this crate so the
+# resolver can reuse compiled modules across invocations.
+lru.workspace = true
+
+# Stdlib utility modules — see crates/executor-core/src/sdk/stdlib/.
+regex.workspace = true
+rand.workspace = true
+base64.workspace = true
+hex.workspace = true
+percent-encoding.workspace = true
+# v1.1.4 — `http::post_form` uses `url::form_urlencoded` for correct
+# application/x-www-form-urlencoded body encoding.
+url.workspace = true
+
+[dev-dependencies]
+async-trait.workspace = true
+# v1.1.4 §10a: capture tracing output to assert the original module
+# backend error is logged at error level after being redacted from the
+# script-visible message.
+tracing-subscriber.workspace = true

crates/executor-core/src/engine.rs

@@ -3,30 +3,71 @@ use std::sync::{Arc, Mutex};
 use std::time::Instant;
 
 use chrono::Utc;
-use picloud_shared::{ScriptValidator, ValidationError, SDK_VERSION};
-use rhai::{Dynamic, Engine as RhaiEngine, EvalAltResult, Map, Module, Scope};
+use picloud_shared::{
+    ScriptValidator, SdkCallCx, Services, TriggerEvent, ValidatedScript, ValidationError,
+    SDK_VERSION,
+};
+use rhai::{Dynamic, Engine as RhaiEngine, EvalAltResult, Map, Module, Scope, AST};
 use serde_json::Value as Json;
 
+use crate::module_resolver::{
+    extract_imports, new_module_cache, validate_module_source, ModuleCache, PicloudModuleResolver,
+};
 use crate::sandbox::Limits;
+use crate::sdk;
+use crate::sdk::bridge::{dynamic_to_json, json_to_dynamic};
 use crate::types::{
     ExecError, ExecRequest, ExecResponse, ExecStats, InvocationType, LogEntry, LogLevel,
 };
 
-/// Preconfigured Rhai engine with sandbox limits applied.
+/// Default capacity for the module cache. Sized assuming a small fleet
+/// of distinct modules per process; can be overridden via
+/// `PICLOUD_MODULE_CACHE_SIZE`.
+const DEFAULT_MODULE_CACHE_SIZE: usize = 512;
+
+/// Preconfigured Rhai engine with sandbox limits applied and the SDK
+/// `Services` bundle attached.
 ///
 /// One `Engine` is constructed at process startup and reused across
 /// invocations. `execute` is **synchronous** — it owns the per-call
 /// scope and log buffer. Wall-clock timeouts and offloading off the
 /// async runtime belong to the caller (orchestrator-core's
 /// `LocalExecutorClient` wraps this with `spawn_blocking` + `timeout`).
+///
+/// The `Services` bundle is empty in v1.1.0; subsequent v1.1.x PRs add
+/// service handles (KV, docs, …) and `sdk::register_all` wires them
+/// into each per-call Rhai engine.
 pub struct Engine {
     limits: Limits,
+    services: Services,
+    /// v1.1.3: shared compiled-module cache. Per-key
+    /// `(app_id, name)`; invalidated lazily by `updated_at` mismatch
+    /// at resolver time.
+    module_cache: Arc<ModuleCache>,
 }
 
 impl Engine {
     #[must_use]
-    pub fn new(limits: Limits) -> Self {
-        Self { limits }
+    pub fn new(limits: Limits, services: Services) -> Self {
+        let cap = std::env::var("PICLOUD_MODULE_CACHE_SIZE")
+            .ok()
+            .and_then(|s| s.parse::<usize>().ok())
+            .unwrap_or(DEFAULT_MODULE_CACHE_SIZE);
+        Self::with_module_cache_capacity(limits, services, cap)
+    }
+
+    /// Explicit capacity for tests that exercise LRU eviction.
+    #[must_use]
+    pub fn with_module_cache_capacity(
+        limits: Limits,
+        services: Services,
+        module_cache_capacity: usize,
+    ) -> Self {
+        Self {
+            limits,
+            services,
+            module_cache: new_module_cache(module_cache_capacity),
+        }
     }
 
     #[must_use]
@@ -34,16 +75,42 @@ impl Engine {
         &self.limits
     }
 
-    /// Parse-only validation. Surfaced at script-upload time so syntax
-    /// errors are caught before the first invocation. Same logic as the
-    /// `ScriptValidator` impl below but with the richer `ExecError`
-    /// variant; callers in the executor path use this, the manager
-    /// path goes through the trait.
-    pub fn validate(&self, source: &str) -> Result<(), ExecError> {
+    /// Shared compiled-module cache. Exposed so tests can introspect
+    /// the cache state (length, contents) under a Mutex lock.
+    #[must_use]
+    pub fn module_cache(&self) -> &Arc<ModuleCache> {
+        &self.module_cache
+    }
+
+    /// Parse-only validation for endpoint scripts. Surfaced at script-
+    /// upload time so syntax errors are caught before the first
+    /// invocation. Returns the script's literal-path `import "<name>"`
+    /// declarations so the repo can populate the dep-graph table.
+    pub fn validate(&self, source: &str) -> Result<ValidatedScript, ExecError> {
+        // Validation uses a fresh `RhaiEngine` without service hooks
+        // attached — modules are only resolved at execute() time, so
+        // the resolver during validate is intentionally Dummy (no DB
+        // access here; we just need the parser).
+        let engine = build_engine(self.limits, None);
+        extract_imports(&engine, source).map_err(ExecError::Parse)
+    }
+
+    /// Module-shape validation (v1.1.3). Compiles, rejects any top-
+    /// level statement that isn't `fn`/`const`/`import`, and returns
+    /// the declared imports.
+    pub fn validate_module(&self, source: &str) -> Result<ValidatedScript, ExecError> {
+        let engine = build_engine(self.limits, None);
+        validate_module_source(&engine, source).map_err(ExecError::Parse)
+    }
+
+    /// Compile `source` to a reusable AST. Lets callers (the
+    /// orchestrator's script cache) compile once and execute many
+    /// times against the same AST.
+    pub fn compile(&self, source: &str) -> Result<Arc<AST>, ExecError> {
         let engine = build_engine(self.limits, None);
         engine
             .compile(source)
-            .map(|_| ())
+            .map(Arc::new)
             .map_err(|e| ExecError::Parse(e.to_string()))
     }
 
@@ -54,19 +121,57 @@ impl Engine {
     /// manager already clamped them against the admin ceiling.
     pub fn execute(&self, source: &str, req: ExecRequest) -> Result<ExecResponse, ExecError> {
         let effective_limits = self.limits.with_overrides(&req.sandbox_overrides);
-        let logs: Arc<Mutex<Vec<LogEntry>>> = Arc::new(Mutex::new(Vec::new()));
-        let engine = build_engine(effective_limits, Some(logs.clone()));
-
-        let ast = engine
+        // Compile inline so the source-only path stays available for
+        // tests and one-off callers that don't pre-cache an AST.
+        let engine_for_compile = build_engine(effective_limits, None);
+        let ast = engine_for_compile
             .compile(source)
+            .map(Arc::new)
             .map_err(|e| ExecError::Parse(e.to_string()))?;
+        self.execute_ast(&ast, req)
+    }
+
+    /// v1.1.3: execute a pre-compiled AST. The orchestrator's script
+    /// cache hands compiled ASTs in directly; this path skips the
+    /// per-call compile.
+    pub fn execute_ast(&self, ast: &Arc<AST>, req: ExecRequest) -> Result<ExecResponse, ExecError> {
+        let effective_limits = self.limits.with_overrides(&req.sandbox_overrides);
+        let logs: Arc<Mutex<Vec<LogEntry>>> = Arc::new(Mutex::new(Vec::new()));
+        let mut engine = build_engine(effective_limits, Some(logs.clone()));
+
+        // Per-call context handed to every stateful SDK service via the
+        // `sdk::register_all` hook. The Arc lets future service closures
+        // capture cheap clones of the cx for use at script-call time.
+        let cx = Arc::new(SdkCallCx {
+            app_id: req.app_id,
+            script_id: req.script_id,
+            principal: req.principal.clone(),
+            execution_id: req.execution_id,
+            request_id: req.request_id,
+            trigger_depth: req.trigger_depth,
+            root_execution_id: req.root_execution_id,
+            is_dead_letter_handler: req.is_dead_letter_handler,
+            event: req.event.clone(),
+        });
+        // v1.1.3: replace the no-op `DummyModuleResolver` build_engine
+        // installed with the real per-call resolver. The resolver owns
+        // `cx.clone()` so cross-app isolation derives from this exact
+        // call's context, not from any script-passed argument.
+        let resolver = PicloudModuleResolver::new(
+            self.services.modules.clone(),
+            cx.clone(),
+            self.module_cache.clone(),
+            effective_limits.module_import_depth_max,
+        );
+        engine.set_module_resolver(resolver);
+        sdk::register_all(&mut engine, &self.services, cx);
 
         let mut scope = Scope::new();
         scope.push_constant("ctx", build_ctx_map(&req));
 
         let started = Instant::now();
         let value: Dynamic = engine
-            .eval_ast_with_scope(&mut scope, &ast)
+            .eval_ast_with_scope(&mut scope, ast.as_ref())
             .map_err(map_eval_error)?;
         let duration = started.elapsed();
 
@@ -91,8 +196,18 @@ impl Engine {
 }
 
 impl ScriptValidator for Engine {
-    fn validate(&self, source: &str) -> Result<(), ValidationError> {
-        Engine::validate(self, source).map_err(|e| ValidationError::Syntax(e.to_string()))
+    fn validate(&self, source: &str) -> Result<ValidatedScript, ValidationError> {
+        Engine::validate(self, source).map_err(|e| match e {
+            ExecError::Parse(msg) => ValidationError::Syntax(msg),
+            other => ValidationError::Syntax(other.to_string()),
+        })
+    }
+
+    fn validate_module(&self, source: &str) -> Result<ValidatedScript, ValidationError> {
+        Engine::validate_module(self, source).map_err(|e| match e {
+            ExecError::Parse(msg) => ValidationError::ModuleShape(msg),
+            other => ValidationError::ModuleShape(other.to_string()),
+        })
     }
 }
 
@@ -122,6 +237,11 @@ fn build_engine(limits: Limits, logs: Option<Arc<Mutex<Vec<LogEntry>>>>) -> Rhai
         engine.register_static_module("log", build_log_module(logs).into());
     }
 
+    // Stateless utility modules — regex::/random::/time::/json::/base64::/
+    // hex::/url::. Always registered, including in the parse-only validate
+    // path, so script authors get consistent surface in both phases.
+    sdk::stdlib::register_stdlib(&mut engine);
+
     engine
 }
 
@@ -213,9 +333,162 @@ fn build_ctx_map(req: &ExecRequest) -> Map {
     request.insert("rest".into(), req.rest.clone().into());
 
     ctx.insert("request".into(), request.into());
+
+    // Triggered invocations: surface the originating event as
+    // `ctx.event`. Direct ingress (HTTP request, manual run) leaves
+    // the key absent so scripts can test `if "event" in ctx`.
+    if let Some(event) = req.event.as_ref() {
+        ctx.insert("event".into(), trigger_event_to_dynamic(event));
+    }
+
     ctx
 }
 
+/// Convert a `TriggerEvent` into the `ctx.event` Rhai shape defined in
+/// `docs/v1.1.x-design-notes.md` §4 (the dead-letter sub-shape) and
+/// §2/blueprint §9 (KV). Each variant becomes a Rhai map with a
+/// `source` discriminant plus per-source fields.
+#[allow(clippy::too_many_lines)]
+fn trigger_event_to_dynamic(event: &TriggerEvent) -> Dynamic {
+    let mut m = Map::new();
+    m.insert("source".into(), event.source().into());
+    match event {
+        TriggerEvent::Kv {
+            op,
+            collection,
+            key,
+            value,
+        } => {
+            m.insert("op".into(), op.as_str().into());
+            let mut kv_map = Map::new();
+            kv_map.insert("collection".into(), collection.clone().into());
+            kv_map.insert("key".into(), key.clone().into());
+            kv_map.insert(
+                "value".into(),
+                value.clone().map_or(Dynamic::UNIT, json_to_dynamic),
+            );
+            m.insert("kv".into(), kv_map.into());
+        }
+        TriggerEvent::Docs {
+            op,
+            collection,
+            id,
+            data,
+            prev_data,
+        } => {
+            m.insert("op".into(), op.as_str().into());
+            let mut docs_map = Map::new();
+            docs_map.insert("collection".into(), collection.clone().into());
+            docs_map.insert("id".into(), id.clone().into());
+            docs_map.insert(
+                "data".into(),
+                data.clone().map_or(Dynamic::UNIT, json_to_dynamic),
+            );
+            docs_map.insert(
+                "prev_data".into(),
+                prev_data.clone().map_or(Dynamic::UNIT, json_to_dynamic),
+            );
+            m.insert("docs".into(), docs_map.into());
+        }
+        TriggerEvent::Cron {
+            schedule,
+            timezone,
+            scheduled_at,
+            fired_at,
+        } => {
+            // `ctx.event.op` is always "tick" for cron (the only op a
+            // schedule produces). Mirrors the docs/v1.1.x-design-notes
+            // §7 shape.
+            m.insert("op".into(), "tick".into());
+            let mut cron_map = Map::new();
+            cron_map.insert("schedule".into(), schedule.clone().into());
+            cron_map.insert("timezone".into(), timezone.clone().into());
+            cron_map.insert("scheduled_at".into(), scheduled_at.to_rfc3339().into());
+            cron_map.insert("fired_at".into(), fired_at.to_rfc3339().into());
+            m.insert("cron".into(), cron_map.into());
+        }
+        TriggerEvent::Files {
+            op,
+            collection,
+            id,
+            name,
+            content_type,
+            size,
+            checksum,
+            prev,
+        } => {
+            m.insert("op".into(), op.as_str().into());
+            let mut files_map = Map::new();
+            files_map.insert("collection".into(), collection.clone().into());
+            files_map.insert("id".into(), id.clone().into());
+            files_map.insert("name".into(), name.clone().into());
+            files_map.insert("content_type".into(), content_type.clone().into());
+            files_map.insert(
+                "size".into(),
+                i64::try_from(*size).unwrap_or(i64::MAX).into(),
+            );
+            files_map.insert("checksum".into(), checksum.clone().into());
+            files_map.insert(
+                "prev".into(),
+                prev.clone().map_or(Dynamic::UNIT, json_to_dynamic),
+            );
+            m.insert("files".into(), files_map.into());
+        }
+        TriggerEvent::Pubsub {
+            topic,
+            message,
+            published_at,
+        } => {
+            // `ctx.event.op` is always "publish" for pub/sub (the only
+            // op a publish produces).
+            m.insert("op".into(), "publish".into());
+            let mut ps = Map::new();
+            ps.insert("topic".into(), topic.clone().into());
+            ps.insert("message".into(), json_to_dynamic(message.clone()));
+            ps.insert("published_at".into(), published_at.to_rfc3339().into());
+            m.insert("pubsub".into(), ps.into());
+        }
+        TriggerEvent::DeadLetter {
+            dead_letter_id,
+            original,
+            attempts,
+            last_error,
+            trigger_id,
+            script_id,
+            first_attempt_at,
+            last_attempt_at,
+        } => {
+            let mut dl = Map::new();
+            dl.insert("id".into(), dead_letter_id.to_string().into());
+            dl.insert("original".into(), trigger_event_to_dynamic(original));
+            dl.insert("attempts".into(), i64::from(*attempts).into());
+            dl.insert("last_error".into(), last_error.clone().into());
+            dl.insert(
+                "trigger_id".into(),
+                trigger_id
+                    .map(|id| Dynamic::from(id.to_string()))
+                    .unwrap_or(Dynamic::UNIT),
+            );
+            dl.insert(
+                "script_id".into(),
+                script_id
+                    .map(|id| Dynamic::from(id.to_string()))
+                    .unwrap_or(Dynamic::UNIT),
+            );
+            dl.insert(
+                "first_attempt_at".into(),
+                first_attempt_at.to_rfc3339().into(),
+            );
+            dl.insert(
+                "last_attempt_at".into(),
+                last_attempt_at.to_rfc3339().into(),
+            );
+            m.insert("dead_letter".into(), dl.into());
+        }
+    }
+    m.into()
+}
+
 fn invocation_type_str(it: InvocationType) -> &'static str {
     match it {
         InvocationType::Http => "http",
@@ -265,69 +538,6 @@ fn parse_structured_response(map: Map) -> Result<(u16, BTreeMap<String, String>,
     Ok((status_code, headers, body))
 }
 
-// ----------------------------------------------------------------------------
-// Rhai ↔ serde_json bridges
-// ----------------------------------------------------------------------------
-
-fn json_to_dynamic(value: Json) -> Dynamic {
-    match value {
-        Json::Null => Dynamic::UNIT,
-        Json::Bool(b) => b.into(),
-        Json::Number(n) => {
-            if let Some(i) = n.as_i64() {
-                i.into()
-            } else if let Some(f) = n.as_f64() {
-                f.into()
-            } else {
-                n.to_string().into()
-            }
-        }
-        Json::String(s) => s.into(),
-        Json::Array(arr) => arr
-            .into_iter()
-            .map(json_to_dynamic)
-            .collect::<Vec<Dynamic>>()
-            .into(),
-        Json::Object(obj) => {
-            let mut m = Map::new();
-            for (k, v) in obj {
-                m.insert(k.into(), json_to_dynamic(v));
-            }
-            Dynamic::from(m)
-        }
-    }
-}
-
-fn dynamic_to_json(value: &Dynamic) -> Json {
-    if value.is_unit() {
-        return Json::Null;
-    }
-    if let Ok(b) = value.as_bool() {
-        return Json::Bool(b);
-    }
-    if let Ok(i) = value.as_int() {
-        return Json::Number(i.into());
-    }
-    if let Ok(f) = value.as_float() {
-        return serde_json::Number::from_f64(f).map_or(Json::Null, Json::Number);
-    }
-    if value.is_string() {
-        return Json::String(value.clone().into_string().unwrap_or_default());
-    }
-    if let Some(arr) = value.clone().try_cast::<rhai::Array>() {
-        return Json::Array(arr.iter().map(dynamic_to_json).collect());
-    }
-    if let Some(map) = value.clone().try_cast::<Map>() {
-        let mut out = serde_json::Map::new();
-        for (k, v) in map {
-            out.insert(k.to_string(), dynamic_to_json(&v));
-        }
-        return Json::Object(out);
-    }
-    // Anything else (timestamps, custom types) — best-effort string form.
-    Json::String(value.to_string())
-}
-
 // ----------------------------------------------------------------------------
 // Error mapping
 // ----------------------------------------------------------------------------

crates/executor-core/src/lib.rs

@@ -7,10 +7,16 @@
 pub mod context;
 pub mod engine;
 pub mod logging;
+pub mod module_resolver;
 pub mod sandbox;
+pub mod sdk;
 pub mod types;
 
 pub use engine::Engine;
+pub use module_resolver::{
+    extract_imports, new_module_cache, validate_module_source, CachedModule, ModuleCache,
+    ModuleCacheKey, PicloudModuleResolver,
+};
 pub use sandbox::Limits;
 pub use types::{
     ExecError, ExecRequest, ExecResponse, ExecStats, InvocationType, LogEntry, LogLevel,

crates/executor-core/src/module_resolver.rs

@@ -0,0 +1,440 @@
+//! `PicloudModuleResolver` — the v1.1.3 per-app Rhai module resolver.
+//!
+//! Replaces `DummyModuleResolver` in `Engine::build_engine`. Constructed
+//! fresh per `Engine::execute` call: holds an `Arc<SdkCallCx>` so every
+//! `import "<name>"` request resolves against the calling app
+//! (`cx.app_id`). The script-side `name` argument carries no `app_id`
+//! — that's the load-bearing cross-app isolation property.
+//!
+//! Three runtime invariants are enforced:
+//!
+//! 1. **Cross-app isolation** — `ModuleSource::lookup` is called with
+//!    `&cx`; the Postgres impl scopes by `cx.app_id` (never by a
+//!    script-passed argument).
+//! 2. **Cycle detection** — an in-progress-imports stack rejects
+//!    `A → B → A` with `ErrorInModule(... circular import detected ...)`.
+//! 3. **Depth limit** — guards against deep but acyclic chains
+//!    (default 8, override via `PICLOUD_MODULE_IMPORT_DEPTH_MAX`).
+//!
+//! Compiled modules are cached per `(app_id, name)` and invalidated by
+//! `updated_at` change — no explicit pub/sub. The cache is owned by
+//! `Engine` and shared across calls; only the resolver state (stack,
+//! depth) is per-call.
+
+use std::num::NonZeroUsize;
+use std::sync::{Arc, Mutex};
+
+use chrono::{DateTime, Utc};
+use lru::LruCache;
+use picloud_shared::{AppId, ModuleSource, ModuleSourceError, SdkCallCx, ValidatedScript};
+use rhai::module_resolvers::ModuleResolver;
+use rhai::{Engine as RhaiEngine, EvalAltResult, Module, Position, Shared, AST};
+
+/// Local alias for `rhai::Shared<rhai::Module>` (rhai's `SharedRhaiModule`
+/// type alias is `pub(crate)`). Resolves to `Arc<Module>` under the
+/// `sync` feature that the workspace pins.
+type SharedRhaiModule = Shared<Module>;
+
+/// Cache key: `(app_id, module name)`. v1.1.3 enforces module names as
+/// a conservative identifier shape (migration 0015 `scripts_module_name_shape`
+/// CHECK) so the `String` here is bounded by ~64 bytes.
+pub type ModuleCacheKey = (AppId, String);
+
+/// Cache value: the freshness comparator + the compiled module Rhai
+/// hands to importing scripts. Cloning the `Shared<Module>` is an Arc bump.
+#[derive(Clone)]
+pub struct CachedModule {
+    pub updated_at: DateTime<Utc>,
+    pub module: Shared<Module>,
+}
+
+/// Bounded LRU cache shared across all `Engine::execute` calls. Construct
+/// once at process startup; the resolver holds an Arc into it.
+pub type ModuleCache = Mutex<LruCache<ModuleCacheKey, CachedModule>>;
+
+#[must_use]
+pub fn new_module_cache(capacity: usize) -> Arc<ModuleCache> {
+    // capacity 0 is nonsensical for an LRU; clamp up to 1 so the cache
+    // is at least usable (callers control this via env var, and 0 means
+    // "I disabled caching" — but disabling caching by accident would
+    // recompile every module every call, which is a worse UX than
+    // capping at 1).
+    let cap = NonZeroUsize::new(capacity.max(1)).expect("max(1) is non-zero");
+    Arc::new(Mutex::new(LruCache::new(cap)))
+}
+
+/// The v1.1.3 module resolver. One per `Engine::execute` call.
+pub struct PicloudModuleResolver {
+    /// Backend the resolver consults for `(app_id, name)`. The bridge
+    /// runs Rhai's sync `resolve()` and the async `lookup()` together
+    /// via `tokio::runtime::Handle::block_on(...)` — safe because
+    /// `LocalExecutorClient` runs `Engine::execute` inside
+    /// `spawn_blocking`, which puts us on a Tokio blocking thread
+    /// that still carries a `Handle`.
+    source: Arc<dyn ModuleSource>,
+
+    /// Calling context. `cx.app_id` is the cross-app isolation
+    /// boundary; the resolver passes `&cx` to every `ModuleSource`
+    /// call so the backend can scope its queries.
+    cx: Arc<SdkCallCx>,
+
+    /// Compiled-module cache. Shared across executions; invalidated
+    /// per-entry on `updated_at` mismatch (no explicit pub/sub).
+    cache: Arc<ModuleCache>,
+
+    /// In-progress imports stack — pushed before a `lookup`+compile,
+    /// popped after. A hit on this stack while resolving means the
+    /// graph contains a cycle.
+    in_progress: Mutex<Vec<String>>,
+
+    /// Current import depth. Independent of the cycle check (cycles
+    /// might be short; deep acyclic graphs might fit under the cap
+    /// but still warrant a guard).
+    depth: Mutex<u32>,
+
+    /// Hard ceiling on import depth. Defaults to 8; env-overridable
+    /// via `PICLOUD_MODULE_IMPORT_DEPTH_MAX`. Read from `Limits` at
+    /// resolver construction.
+    depth_limit: u32,
+}
+
+impl PicloudModuleResolver {
+    #[must_use]
+    pub fn new(
+        source: Arc<dyn ModuleSource>,
+        cx: Arc<SdkCallCx>,
+        cache: Arc<ModuleCache>,
+        depth_limit: u32,
+    ) -> Self {
+        Self {
+            source,
+            cx,
+            cache,
+            in_progress: Mutex::new(Vec::new()),
+            depth: Mutex::new(0),
+            depth_limit,
+        }
+    }
+
+    /// Validate `ast` as a module body: only top-level `fn` decls,
+    /// `const` decls, and `import` statements are allowed. Top-level
+    /// expressions (which would execute on import — a footgun for
+    /// cache semantics) are rejected.
+    ///
+    /// `fn` declarations live in a separate slot on the AST and are
+    /// not in `statements()`, so the only allowed `Stmt` variants we
+    /// expect to see at top level are `Var` (when `CONSTANT` flag is
+    /// set) and `Import`. Anything else triggers a `ModuleShape` error.
+    fn check_module_shape(ast: &AST, name: &str) -> Result<(), String> {
+        use rhai::ASTFlags;
+        for stmt in ast.statements() {
+            match stmt {
+                rhai::Stmt::Var(_, opts, _) if opts.intersects(ASTFlags::CONSTANT) => {}
+                rhai::Stmt::Import(..) | rhai::Stmt::Noop(..) => {}
+                other => {
+                    return Err(format!(
+                        "module {name:?}: top-level {} is not allowed; \
+                         modules may only contain fn declarations, \
+                         const declarations, and import statements",
+                        stmt_kind_label(other),
+                    ));
+                }
+            }
+        }
+        Ok(())
+    }
+
+    /// Walk a compiled AST and collect the literal-path `import "<name>"`
+    /// declarations. Dynamic imports (e.g. `import some_var as y;`) are
+    /// skipped because the dep-graph can only track names known at
+    /// compile time. Exposed via [`extract_imports`] so the manager's
+    /// admin endpoints can populate the `script_imports` table from
+    /// the same logic the resolver uses.
+    fn extract_imports_inner(ast: &AST) -> Vec<String> {
+        let mut out = Vec::new();
+        for stmt in ast.statements() {
+            if let rhai::Stmt::Import(boxed, _) = stmt {
+                let (path_expr, _alias) = boxed.as_ref();
+                if let rhai::Expr::StringConstant(s, _) = path_expr {
+                    out.push(s.to_string());
+                }
+            }
+        }
+        out
+    }
+}
+
+/// Compile-and-validate a candidate module body. Public so the
+/// `Engine::validate_module` impl in `engine.rs` can call into it
+/// without duplicating the shape check.
+pub fn compile_module_ast(engine: &RhaiEngine, source: &str) -> Result<AST, String> {
+    let ast = engine.compile(source).map_err(|e| e.to_string())?;
+    PicloudModuleResolver::check_module_shape(&ast, "<source>")?;
+    Ok(ast)
+}
+
+/// Parse `source` as an endpoint script (no module-shape check) and
+/// return its declared literal-path imports. Used by
+/// `Engine::validate` to populate `ValidatedScript::imports` so the
+/// repo can write dep-graph edges.
+pub fn extract_imports(engine: &RhaiEngine, source: &str) -> Result<ValidatedScript, String> {
+    let ast = engine.compile(source).map_err(|e| e.to_string())?;
+    Ok(ValidatedScript {
+        imports: PicloudModuleResolver::extract_imports_inner(&ast),
+    })
+}
+
+/// Parse `source` as a module script: enforce shape, then extract
+/// imports. Used by `Engine::validate_module`.
+pub fn validate_module_source(
+    engine: &RhaiEngine,
+    source: &str,
+) -> Result<ValidatedScript, String> {
+    let ast = compile_module_ast(engine, source)?;
+    Ok(ValidatedScript {
+        imports: PicloudModuleResolver::extract_imports_inner(&ast),
+    })
+}
+
+fn stmt_kind_label(stmt: &rhai::Stmt) -> &'static str {
+    use rhai::ASTFlags;
+    match stmt {
+        rhai::Stmt::Var(_, opts, _) if opts.intersects(ASTFlags::CONSTANT) => "const declaration",
+        rhai::Stmt::Var(..) => "let declaration",
+        rhai::Stmt::Expr(..) => "expression",
+        rhai::Stmt::FnCall(..) => "function call",
+        rhai::Stmt::If(..) => "if statement",
+        rhai::Stmt::Switch(..) => "switch statement",
+        rhai::Stmt::While(..) => "while/loop statement",
+        rhai::Stmt::Do(..) => "do statement",
+        rhai::Stmt::For(..) => "for statement",
+        rhai::Stmt::Assignment(..) => "assignment",
+        rhai::Stmt::Block(..) => "block",
+        rhai::Stmt::TryCatch(..) => "try/catch",
+        rhai::Stmt::Return(..) => "return/throw statement",
+        rhai::Stmt::BreakLoop(..) => "break/continue",
+        rhai::Stmt::Import(..) => "import statement",
+        rhai::Stmt::Export(..) => "export statement",
+        _ => "statement",
+    }
+}
+
+impl ModuleResolver for PicloudModuleResolver {
+    #[allow(clippy::too_many_lines)]
+    fn resolve(
+        &self,
+        engine: &RhaiEngine,
+        _source: Option<&str>,
+        path: &str,
+        pos: Position,
+    ) -> Result<SharedRhaiModule, Box<EvalAltResult>> {
+        // RAII guard wraps both the depth counter and the import-stack
+        // push so that any early return (cycle / depth-exceeded / DB
+        // error / compile error / panic) leaves both consistent for
+        // any subsequent resolve() call on this resolver instance.
+        struct StackGuard<'r> {
+            stack: &'r Mutex<Vec<String>>,
+            depth: &'r Mutex<u32>,
+            armed: bool,
+        }
+        impl Drop for StackGuard<'_> {
+            fn drop(&mut self) {
+                if !self.armed {
+                    return;
+                }
+                if let Ok(mut s) = self.stack.lock() {
+                    s.pop();
+                }
+                if let Ok(mut d) = self.depth.lock() {
+                    *d = d.saturating_sub(1);
+                }
+            }
+        }
+
+        // Read-only check + atomic push under one lock pair, so a
+        // sibling resolve() call on a shared resolver instance can't
+        // race in between. (We don't expect parallel calls on the same
+        // resolver — Rhai evaluates a single AST on one thread — but
+        // grouping the operations is cheaper than reasoning about the
+        // future.)
+        {
+            let mut depth = self.depth.lock().expect("module depth lock poisoned");
+            if *depth >= self.depth_limit {
+                return Err(Box::new(EvalAltResult::ErrorInModule(
+                    path.to_string(),
+                    Box::new(EvalAltResult::ErrorRuntime(
+                        format!(
+                            "import depth limit ({}) exceeded while resolving {path:?}",
+                            self.depth_limit
+                        )
+                        .into(),
+                        pos,
+                    )),
+                    pos,
+                )));
+            }
+            let mut stack = self
+                .in_progress
+                .lock()
+                .expect("module in_progress lock poisoned");
+            if stack.iter().any(|p| p == path) {
+                let mut chain = stack.clone();
+                chain.push(path.to_string());
+                return Err(Box::new(EvalAltResult::ErrorInModule(
+                    path.to_string(),
+                    Box::new(EvalAltResult::ErrorRuntime(
+                        format!("circular import detected: {}", chain.join(" -> ")).into(),
+                        pos,
+                    )),
+                    pos,
+                )));
+            }
+            stack.push(path.to_string());
+            *depth += 1;
+        }
+        let _guard = StackGuard {
+            stack: &self.in_progress,
+            depth: &self.depth,
+            armed: true,
+        };
+
+        // Bridge to async. The resolver typically runs on a
+        // `spawn_blocking` thread (see LocalExecutorClient in
+        // orchestrator-core), but tests may invoke `Engine::execute`
+        // directly from a multi-threaded Tokio task. `try_current` +
+        // `block_in_place` covers both — on a blocking thread it's a
+        // no-op, on a worker thread it tells the runtime to relocate
+        // other tasks. `current_thread` runtimes still panic; non-
+        // Tokio contexts surface a clean Runtime error.
+        let handle = tokio::runtime::Handle::try_current().map_err(|_| {
+            Box::new(EvalAltResult::ErrorInModule(
+                path.to_string(),
+                Box::new(EvalAltResult::ErrorRuntime(
+                    "module resolver invoked outside a Tokio runtime; \
+                     wrap Engine::execute in tokio::task::spawn_blocking"
+                        .into(),
+                    pos,
+                )),
+                pos,
+            ))
+        })?;
+
+        let lookup_result: Result<Option<picloud_shared::ModuleScript>, ModuleSourceError> =
+            tokio::task::block_in_place(|| handle.block_on(self.source.lookup(&self.cx, path)));
+
+        let module_row = match lookup_result {
+            Ok(Some(m)) => m,
+            Ok(None) => {
+                return Err(Box::new(EvalAltResult::ErrorModuleNotFound(
+                    path.to_string(),
+                    pos,
+                )));
+            }
+            Err(e) => {
+                // v1.1.4 §10a: redact the backend error before it
+                // reaches a script. In public-HTTP context (principal:
+                // None) the verbatim message (e.g. "connection refused")
+                // leaks internal infrastructure shape. Log the original
+                // at error level for operators; surface a stable generic.
+                tracing::error!(
+                    target = "picloud::modules",
+                    app_id = %self.cx.app_id,
+                    module = path,
+                    error = %e,
+                    "module backend error"
+                );
+                return Err(Box::new(EvalAltResult::ErrorInModule(
+                    path.to_string(),
+                    Box::new(EvalAltResult::ErrorRuntime(
+                        "module backend unavailable; check server logs".into(),
+                        pos,
+                    )),
+                    pos,
+                )));
+            }
+        };
+
+        // Cache lookup: hit only if both key matches AND updated_at
+        // matches (cache is invalidated lazily on version change).
+        let cache_key = (self.cx.app_id, path.to_string());
+        {
+            let mut cache = self.cache.lock().expect("module cache lock poisoned");
+            if let Some(cached) = cache.get(&cache_key) {
+                if cached.updated_at == module_row.updated_at {
+                    tracing::debug!(
+                        target = "picloud::modules::cache",
+                        app_id = %self.cx.app_id,
+                        module = path,
+                        "cache hit"
+                    );
+                    return Ok(cached.module.clone());
+                }
+                tracing::debug!(
+                    target = "picloud::modules::cache",
+                    app_id = %self.cx.app_id,
+                    module = path,
+                    "cache stale; recompiling"
+                );
+            } else {
+                tracing::debug!(
+                    target = "picloud::modules::cache",
+                    app_id = %self.cx.app_id,
+                    module = path,
+                    "cache miss"
+                );
+            }
+        }
+
+        // Compile + module-shape validation. Module sources MAY have
+        // already been gated at create-time (admin endpoint runs
+        // `validate_module`), but we revalidate here to catch DB-direct
+        // inserts that bypass the API surface.
+        let ast = engine.compile(&module_row.source).map_err(|e| {
+            // Wrap as an ErrorRuntime to preserve the parse message
+            // text without trying to reconstruct rhai's internal
+            // ParseErrorType variant (which would require matching on
+            // its full variant set).
+            Box::new(EvalAltResult::ErrorInModule(
+                path.to_string(),
+                Box::new(EvalAltResult::ErrorRuntime(
+                    format!("module {path:?} parse error: {e}").into(),
+                    e.position(),
+                )),
+                pos,
+            ))
+        })?;
+
+        if let Err(msg) = Self::check_module_shape(&ast, path) {
+            return Err(Box::new(EvalAltResult::ErrorInModule(
+                path.to_string(),
+                Box::new(EvalAltResult::ErrorRuntime(msg.into(), pos)),
+                pos,
+            )));
+        }
+
+        // Rhai's eval_ast_as_new compiles the AST's body + functions
+        // into a Module that the importing script consumes via
+        // `path::fn(...)` calls. Recursive imports inside this module
+        // are resolved through the same `engine.set_module_resolver`
+        // (which is THIS resolver), so cycle/depth tracking carries
+        // through naturally.
+        let module = Module::eval_ast_as_new(rhai::Scope::new(), &ast, engine)
+            .map_err(|e| Box::new(EvalAltResult::ErrorInModule(path.to_string(), e, pos)))?;
+        let shared: SharedRhaiModule = module.into();
+
+        // Insert (possibly evicting via LRU). Subsequent imports of
+        // the same module under the same updated_at hit the cache.
+        {
+            let mut cache = self.cache.lock().expect("module cache lock poisoned");
+            cache.put(
+                cache_key,
+                CachedModule {
+                    updated_at: module_row.updated_at,
+                    module: shared.clone(),
+                },
+            );
+        }
+
+        Ok(shared)
+    }
+}

crates/executor-core/src/sandbox.rs

@@ -24,6 +24,12 @@ pub struct Limits {
     /// Max call/expression nesting depth.
     pub max_call_levels: usize,
     pub max_expr_depth: usize,
+
+    /// v1.1.3: hard ceiling on `import` chain depth (A→B→C→…). Independent
+    /// of cycle detection — guards against deep but acyclic graphs.
+    /// Not script-overridable (this is a platform-level guard, not a
+    /// per-script knob).
+    pub module_import_depth_max: u32,
 }
 
 impl Default for Limits {
@@ -35,6 +41,7 @@ impl Default for Limits {
             max_map_size: 10_000,
             max_call_levels: 64,
             max_expr_depth: 64,
+            module_import_depth_max: 8,
         }
     }
 }
@@ -65,6 +72,9 @@ impl Limits {
             max_expr_depth: overrides
                 .max_expr_depth
                 .map_or(self.max_expr_depth, narrow_usize),
+            // module_import_depth_max is platform-level — overrides
+            // never touch it. Carry through unchanged.
+            module_import_depth_max: self.module_import_depth_max,
         }
     }
 }

crates/executor-core/src/sdk/bridge.rs

@@ -0,0 +1,77 @@
+//! JSON ↔ Rhai `Dynamic` value bridge.
+//!
+//! Originally inline in `engine.rs`; moved here for v1.1.0 so future
+//! service modules (KV in v1.1.1, docs in v1.1.2, …) can convert
+//! values without `engine.rs` being the only owner of the conversions.
+//! Behaviour is unchanged from the pre-extraction implementation —
+//! `sdk_contract.rs::json_round_trip_preserves_nested_shapes` pins the
+//! observable round-trip.
+
+use rhai::{Dynamic, Map};
+use serde_json::Value as Json;
+
+/// Convert a `serde_json::Value` into a Rhai `Dynamic` suitable for
+/// pushing into a script's scope. Numbers prefer the narrowest type
+/// (`i64` over `f64`); anything that can't round-trip falls back to a
+/// string so the script always sees a defined value.
+pub fn json_to_dynamic(value: Json) -> Dynamic {
+    match value {
+        Json::Null => Dynamic::UNIT,
+        Json::Bool(b) => b.into(),
+        Json::Number(n) => {
+            if let Some(i) = n.as_i64() {
+                i.into()
+            } else if let Some(f) = n.as_f64() {
+                f.into()
+            } else {
+                n.to_string().into()
+            }
+        }
+        Json::String(s) => s.into(),
+        Json::Array(arr) => arr
+            .into_iter()
+            .map(json_to_dynamic)
+            .collect::<Vec<Dynamic>>()
+            .into(),
+        Json::Object(obj) => {
+            let mut m = Map::new();
+            for (k, v) in obj {
+                m.insert(k.into(), json_to_dynamic(v));
+            }
+            Dynamic::from(m)
+        }
+    }
+}
+
+/// Convert a Rhai `Dynamic` back to a `serde_json::Value`. Custom Rhai
+/// types (timestamps, user-registered modules) fall back to their
+/// `Display` form so they appear as strings in JSON output rather than
+/// failing the response build.
+pub fn dynamic_to_json(value: &Dynamic) -> Json {
+    if value.is_unit() {
+        return Json::Null;
+    }
+    if let Ok(b) = value.as_bool() {
+        return Json::Bool(b);
+    }
+    if let Ok(i) = value.as_int() {
+        return Json::Number(i.into());
+    }
+    if let Ok(f) = value.as_float() {
+        return serde_json::Number::from_f64(f).map_or(Json::Null, Json::Number);
+    }
+    if value.is_string() {
+        return Json::String(value.clone().into_string().unwrap_or_default());
+    }
+    if let Some(arr) = value.clone().try_cast::<rhai::Array>() {
+        return Json::Array(arr.iter().map(dynamic_to_json).collect());
+    }
+    if let Some(map) = value.clone().try_cast::<Map>() {
+        let mut out = serde_json::Map::new();
+        for (k, v) in map {
+            out.insert(k.to_string(), dynamic_to_json(&v));
+        }
+        return Json::Object(out);
+    }
+    Json::String(value.to_string())
+}

crates/executor-core/src/sdk/cx.rs

@@ -0,0 +1,10 @@
+//! Re-export of `picloud_shared::SdkCallCx`.
+//!
+//! The type itself lives in `picloud-shared` because future stateful
+//! service impls live in `manager-core` (which `executor-core` must
+//! not depend on) and need to reference the same cx shape. This
+//! re-export lets executor-side code write
+//! `use picloud_executor_core::sdk::SdkCallCx;` instead of reaching
+//! into `picloud_shared` for one type.
+
+pub use picloud_shared::SdkCallCx;

crates/executor-core/src/sdk/dead_letters.rs

@@ -0,0 +1,84 @@
+//! `dead_letters::` Rhai bridge.
+//!
+//! ```rhai
+//! dead_letters::replay("01234567-...");           // re-enqueue + mark replayed
+//! dead_letters::resolve("01234567-...", "ignored"); // close out the row
+//! ```
+//!
+//! Sync↔async via `Handle::current().block_on(...)` — same pattern as
+//! the `kv::` bridge (works because `LocalExecutorClient` runs the
+//! script under `spawn_blocking`).
+//!
+//! `dead_letters::list(filter)` is intentionally NOT shipped — design
+//! notes §4 defers it to v1.2 to align with the `docs::find()` query
+//! DSL.
+
+use std::str::FromStr;
+use std::sync::Arc;
+
+use picloud_shared::{DeadLetterError, DeadLetterId, SdkCallCx, Services};
+use rhai::{Engine as RhaiEngine, EvalAltResult, Module};
+use tokio::runtime::Handle as TokioHandle;
+use uuid::Uuid;
+
+pub(super) fn register(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCallCx>) {
+    let svc = services.dead_letters.clone();
+    let mut module = Module::new();
+    {
+        let svc = svc.clone();
+        let cx = cx.clone();
+        module.set_native_fn(
+            "replay",
+            move |id: &str| -> Result<(), Box<EvalAltResult>> {
+                let dl_id = parse_dl_id(id)?;
+                let svc = svc.clone();
+                let cx = cx.clone();
+                block_on(async move { svc.replay(&cx, dl_id).await })
+            },
+        );
+    }
+    {
+        let svc = svc.clone();
+        let cx = cx.clone();
+        module.set_native_fn(
+            "resolve",
+            move |id: &str, reason: &str| -> Result<(), Box<EvalAltResult>> {
+                let dl_id = parse_dl_id(id)?;
+                let reason = reason.to_string();
+                let svc = svc.clone();
+                let cx = cx.clone();
+                block_on(async move { svc.resolve(&cx, dl_id, &reason).await })
+            },
+        );
+    }
+    engine.register_static_module("dead_letters", module.into());
+}
+
+fn parse_dl_id(s: &str) -> Result<DeadLetterId, Box<EvalAltResult>> {
+    Uuid::from_str(s)
+        .map(DeadLetterId::from)
+        .map_err(|e| -> Box<EvalAltResult> {
+            EvalAltResult::ErrorRuntime(
+                format!("dead_letters: invalid id {s:?}: {e}").into(),
+                rhai::Position::NONE,
+            )
+            .into()
+        })
+}
+
+fn block_on<F>(fut: F) -> Result<(), Box<EvalAltResult>>
+where
+    F: std::future::Future<Output = Result<(), DeadLetterError>> + Send,
+{
+    let handle = TokioHandle::try_current().map_err(|e| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(
+            format!("dead_letters: no tokio runtime available: {e}").into(),
+            rhai::Position::NONE,
+        )
+        .into()
+    })?;
+    handle.block_on(fut).map_err(|err| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(format!("dead_letters: {err}").into(), rhai::Position::NONE)
+            .into()
+    })
+}

crates/executor-core/src/sdk/docs.rs

@@ -0,0 +1,255 @@
+//! `docs::` Rhai bridge — collection-scoped handle pattern, v1.1.2.
+//!
+//! ```rhai
+//! let users = docs::collection("users");
+//! let id = users.create(#{ name: "Alice", tier: "gold" });
+//! let doc = users.get(id);                 // envelope or () if missing
+//! let golds = users.find(#{ tier: "gold" });
+//! let one  = users.find_one(#{ tier: "gold" });
+//! users.update(id, #{ name: "Alice", tier: "platinum" });
+//! let removed = users.delete(id);           // bool was-present
+//! let page = users.list(#{ cursor: (), limit: 100 });
+//! ```
+//!
+//! Mirrors `kv.rs`: `DocsHandle` captures the collection + service +
+//! per-call cx; methods bind via `engine.register_fn` so scripts call
+//! them with dot-notation. **The service derives `app_id` from
+//! `cx.app_id` — never from any closure argument.** Cross-app
+//! isolation boundary; same as KV.
+//!
+//! Doc shape returned by `get`/`find`/`find_one`/`list`: an envelope
+//! `#{ id, data: #{...}, created_at, updated_at }`. Decision D in the
+//! v1.1.2 plan — explicit metadata vs user-data separation.
+
+use std::sync::Arc;
+
+use picloud_shared::{DocId, DocRow, DocsError, DocsService, SdkCallCx, Services};
+use rhai::{Array, Dynamic, Engine as RhaiEngine, EvalAltResult, Map, Module};
+use tokio::runtime::Handle as TokioHandle;
+use uuid::Uuid;
+
+use super::bridge::{dynamic_to_json, json_to_dynamic};
+
+/// Per-call handle captured by the Rhai SDK. Cheap to clone (two Arcs
+/// plus an owned string).
+#[derive(Clone)]
+pub struct DocsHandle {
+    collection: String,
+    service: Arc<dyn DocsService>,
+    cx: Arc<SdkCallCx>,
+}
+
+pub(super) fn register(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCallCx>) {
+    let docs_service = services.docs.clone();
+
+    let mut module = Module::new();
+    {
+        let docs_service = docs_service.clone();
+        let cx = cx.clone();
+        module.set_native_fn(
+            "collection",
+            move |name: &str| -> Result<DocsHandle, Box<EvalAltResult>> {
+                if name.is_empty() {
+                    return Err("docs::collection name must not be empty".into());
+                }
+                Ok(DocsHandle {
+                    collection: name.to_string(),
+                    service: docs_service.clone(),
+                    cx: cx.clone(),
+                })
+            },
+        );
+    }
+    engine.register_static_module("docs", module.into());
+
+    engine.register_type_with_name::<DocsHandle>("DocsHandle");
+
+    register_create(engine);
+    register_get(engine);
+    register_find(engine);
+    register_find_one(engine);
+    register_update(engine);
+    register_delete(engine);
+    register_list(engine);
+}
+
+fn register_create(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "create",
+        |handle: &mut DocsHandle, data: Map| -> Result<String, Box<EvalAltResult>> {
+            let h = handle.clone();
+            let json = dynamic_to_json(&Dynamic::from(data));
+            let id = block_on(async move { h.service.create(&h.cx, &h.collection, json).await })?;
+            Ok(id.to_string())
+        },
+    );
+}
+
+fn register_get(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "get",
+        |handle: &mut DocsHandle, id: &str| -> Result<Dynamic, Box<EvalAltResult>> {
+            let h = handle.clone();
+            let parsed_id = parse_doc_id(id)?;
+            let row =
+                block_on(async move { h.service.get(&h.cx, &h.collection, parsed_id).await })?;
+            Ok(row.map_or(Dynamic::UNIT, |d| Dynamic::from(doc_to_map(&d))))
+        },
+    );
+}
+
+fn register_find(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "find",
+        |handle: &mut DocsHandle, filter: Map| -> Result<Array, Box<EvalAltResult>> {
+            let h = handle.clone();
+            let json = dynamic_to_json(&Dynamic::from(filter));
+            let rows = block_on(async move { h.service.find(&h.cx, &h.collection, json).await })?;
+            Ok(rows
+                .iter()
+                .map(|d| Dynamic::from(doc_to_map(d)))
+                .collect::<Vec<Dynamic>>())
+        },
+    );
+}
+
+fn register_find_one(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "find_one",
+        |handle: &mut DocsHandle, filter: Map| -> Result<Dynamic, Box<EvalAltResult>> {
+            let h = handle.clone();
+            let json = dynamic_to_json(&Dynamic::from(filter));
+            let row =
+                block_on(async move { h.service.find_one(&h.cx, &h.collection, json).await })?;
+            Ok(row.map_or(Dynamic::UNIT, |d| Dynamic::from(doc_to_map(&d))))
+        },
+    );
+}
+
+fn register_update(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "update",
+        |handle: &mut DocsHandle, id: &str, data: Map| -> Result<(), Box<EvalAltResult>> {
+            let h = handle.clone();
+            let parsed_id = parse_doc_id(id)?;
+            let json = dynamic_to_json(&Dynamic::from(data));
+            block_on(async move {
+                h.service
+                    .update(&h.cx, &h.collection, parsed_id, json)
+                    .await
+            })
+        },
+    );
+}
+
+fn register_delete(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "delete",
+        |handle: &mut DocsHandle, id: &str| -> Result<bool, Box<EvalAltResult>> {
+            let h = handle.clone();
+            let parsed_id = parse_doc_id(id)?;
+            block_on(async move { h.service.delete(&h.cx, &h.collection, parsed_id).await })
+        },
+    );
+}
+
+fn register_list(engine: &mut RhaiEngine) {
+    // Zero-arg form: full page from the start.
+    engine.register_fn(
+        "list",
+        |handle: &mut DocsHandle| -> Result<Map, Box<EvalAltResult>> { list_call(handle, None, 0) },
+    );
+    // One-arg form: pass `#{ cursor, limit }` map. Either field is
+    // optional; missing/unit → defaults.
+    engine.register_fn(
+        "list",
+        |handle: &mut DocsHandle, args: Map| -> Result<Map, Box<EvalAltResult>> {
+            let cursor = match args.get("cursor") {
+                Some(d) if !d.is_unit() => {
+                    Some(d.clone().into_string().map_err(|_| -> Box<EvalAltResult> {
+                        "docs::list: 'cursor' must be a string or ()".into()
+                    })?)
+                }
+                _ => None,
+            };
+            let limit = match args.get("limit") {
+                Some(d) if !d.is_unit() => {
+                    let n = d.as_int().map_err(|_| -> Box<EvalAltResult> {
+                        "docs::list: 'limit' must be an integer".into()
+                    })?;
+                    u32::try_from(n.max(0)).unwrap_or(0)
+                }
+                _ => 0,
+            };
+            list_call(handle, cursor, limit)
+        },
+    );
+}
+
+fn list_call(
+    handle: &DocsHandle,
+    cursor: Option<String>,
+    limit: u32,
+) -> Result<Map, Box<EvalAltResult>> {
+    let h = handle.clone();
+    let page = block_on(async move {
+        h.service
+            .list(&h.cx, &h.collection, cursor.as_deref(), limit)
+            .await
+    })?;
+    let mut m = Map::new();
+    let docs: Array = page
+        .docs
+        .iter()
+        .map(|d| Dynamic::from(doc_to_map(d)))
+        .collect();
+    m.insert("docs".into(), docs.into());
+    m.insert(
+        "next_cursor".into(),
+        page.next_cursor.map_or(Dynamic::UNIT, Dynamic::from),
+    );
+    Ok(m)
+}
+
+/// Build the `{ id, data, created_at, updated_at }` envelope per
+/// Decision D. Scripts read user fields via `doc.data.<field>`; `id`
+/// and timestamps are direct children of the envelope.
+fn doc_to_map(doc: &DocRow) -> Map {
+    let mut m = Map::new();
+    m.insert("id".into(), doc.id.to_string().into());
+    m.insert("data".into(), json_to_dynamic(doc.data.clone()));
+    m.insert("created_at".into(), doc.created_at.to_rfc3339().into());
+    m.insert("updated_at".into(), doc.updated_at.to_rfc3339().into());
+    m
+}
+
+fn parse_doc_id(id: &str) -> Result<DocId, Box<EvalAltResult>> {
+    Uuid::parse_str(id).map_err(|e| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(
+            format!("docs: invalid id '{id}': {e}").into(),
+            rhai::Position::NONE,
+        )
+        .into()
+    })
+}
+
+/// Mirrors `kv.rs::block_on` — Tokio runtime is reachable from inside
+/// the `spawn_blocking` wrapper that owns Rhai execution. Errors
+/// prefix with `"docs: "` so scripts see `docs: forbidden`,
+/// `docs: document not found`, `docs: unsupported operator: …`, etc.
+fn block_on<F, T>(fut: F) -> Result<T, Box<EvalAltResult>>
+where
+    F: std::future::Future<Output = Result<T, DocsError>> + Send,
+    T: Send,
+{
+    let handle = TokioHandle::try_current().map_err(|e| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(
+            format!("docs: no tokio runtime available: {e}").into(),
+            rhai::Position::NONE,
+        )
+        .into()
+    })?;
+    handle.block_on(fut).map_err(|err| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(format!("docs: {err}").into(), rhai::Position::NONE).into()
+    })
+}

crates/executor-core/src/sdk/files.rs

@@ -0,0 +1,281 @@
+//! `files::` Rhai bridge — collection-scoped handle pattern (v1.1.5).
+//!
+//! ```rhai
+//! let avatars = files::collection("avatars");
+//! let id = avatars.create(#{ name: "a.jpg", content_type: "image/jpeg", data: blob });
+//! let meta  = avatars.head(id);   // metadata map or ()
+//! let bytes = avatars.get(id);    // Blob or ()
+//! avatars.update(id, #{ data: new_bytes });
+//! let gone  = avatars.delete(id); // bool (was-present)
+//! let page  = avatars.list();     // #{ files: [...], next_cursor: () }
+//! ```
+//!
+//! The `FilesHandle` custom Rhai type captures the collection name once
+//! and routes each call through the injected `Arc<dyn FilesService>`
+//! with the per-call `Arc<SdkCallCx>`. **The service derives `app_id`
+//! from `cx.app_id` — it never appears in any signature script-side,
+//! preserving cross-app isolation.**
+//!
+//! Error convention (per `docs/sdk-shape.md`): `create`/`update`/
+//! `delete` throw on failure; `get`/`head` return `()` for a missing
+//! file; `delete` returns `bool` (was-present). The blob bytes are a
+//! Rhai `Blob` (byte array) in both directions.
+
+use std::sync::Arc;
+
+use picloud_shared::{
+    FileMeta, FileUpdate, FilesError, FilesService, NewFile, SdkCallCx, Services,
+};
+use rhai::{Array, Dynamic, Engine as RhaiEngine, EvalAltResult, Map, Module};
+use tokio::runtime::Handle as TokioHandle;
+
+/// Per-call handle captured by the Rhai SDK. Cheap to clone (two Arcs
+/// plus an owned string).
+#[derive(Clone)]
+pub struct FilesHandle {
+    collection: String,
+    service: Arc<dyn FilesService>,
+    cx: Arc<SdkCallCx>,
+}
+
+pub(super) fn register(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCallCx>) {
+    let files_service = services.files.clone();
+
+    let mut module = Module::new();
+    {
+        let files_service = files_service.clone();
+        let cx = cx.clone();
+        module.set_native_fn(
+            "collection",
+            move |name: &str| -> Result<FilesHandle, Box<EvalAltResult>> {
+                if name.is_empty() {
+                    return Err("files::collection name must not be empty".into());
+                }
+                Ok(FilesHandle {
+                    collection: name.to_string(),
+                    service: files_service.clone(),
+                    cx: cx.clone(),
+                })
+            },
+        );
+    }
+    engine.register_static_module("files", module.into());
+
+    engine.register_type_with_name::<FilesHandle>("FilesHandle");
+
+    register_create(engine);
+    register_head(engine);
+    register_get(engine);
+    register_update(engine);
+    register_delete(engine);
+    register_list(engine);
+}
+
+fn register_create(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "create",
+        |handle: &mut FilesHandle, meta: Map| -> Result<String, Box<EvalAltResult>> {
+            let name = require_string(&meta, "name")?;
+            let content_type = require_string(&meta, "content_type")?;
+            let data = require_blob(&meta, "data")?;
+            let h = handle.clone();
+            let new = NewFile {
+                name,
+                content_type,
+                data,
+            };
+            let id = block_on(async move { h.service.create(&h.cx, &h.collection, new).await })?;
+            Ok(id.to_string())
+        },
+    );
+}
+
+fn register_head(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "head",
+        |handle: &mut FilesHandle, id: &str| -> Result<Dynamic, Box<EvalAltResult>> {
+            let h = handle.clone();
+            let id = id.to_string();
+            let meta = block_on(async move { h.service.head(&h.cx, &h.collection, &id).await })?;
+            Ok(meta.map_or(Dynamic::UNIT, |m| file_meta_to_map(&m).into()))
+        },
+    );
+}
+
+fn register_get(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "get",
+        |handle: &mut FilesHandle, id: &str| -> Result<Dynamic, Box<EvalAltResult>> {
+            let h = handle.clone();
+            let id = id.to_string();
+            let bytes = block_on(async move { h.service.get(&h.cx, &h.collection, &id).await })?;
+            Ok(bytes.map_or(Dynamic::UNIT, Dynamic::from_blob))
+        },
+    );
+}
+
+fn register_update(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "update",
+        |handle: &mut FilesHandle, id: &str, meta: Map| -> Result<(), Box<EvalAltResult>> {
+            let data = require_blob(&meta, "data")?;
+            let name = optional_string(&meta, "name")?;
+            let content_type = optional_string(&meta, "content_type")?;
+            let h = handle.clone();
+            let id = id.to_string();
+            let upd = FileUpdate {
+                data,
+                name,
+                content_type,
+            };
+            block_on(async move { h.service.update(&h.cx, &h.collection, &id, upd).await })
+        },
+    );
+}
+
+fn register_delete(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "delete",
+        |handle: &mut FilesHandle, id: &str| -> Result<bool, Box<EvalAltResult>> {
+            let h = handle.clone();
+            let id = id.to_string();
+            block_on(async move { h.service.delete(&h.cx, &h.collection, &id).await })
+        },
+    );
+}
+
+fn register_list(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "list",
+        |handle: &mut FilesHandle| -> Result<Map, Box<EvalAltResult>> {
+            list_call(handle, None, 0)
+        },
+    );
+    engine.register_fn(
+        "list",
+        |handle: &mut FilesHandle, cursor: &str| -> Result<Map, Box<EvalAltResult>> {
+            list_call(handle, Some(cursor.to_string()), 0)
+        },
+    );
+    engine.register_fn(
+        "list",
+        |handle: &mut FilesHandle, cursor: &str, limit: i64| -> Result<Map, Box<EvalAltResult>> {
+            let limit = u32::try_from(limit.max(0)).unwrap_or(0);
+            list_call(handle, Some(cursor.to_string()), limit)
+        },
+    );
+    // `list(#{ cursor, limit })` — the map form documented in the brief.
+    engine.register_fn(
+        "list",
+        |handle: &mut FilesHandle, opts: Map| -> Result<Map, Box<EvalAltResult>> {
+            let cursor = match opts.get("cursor") {
+                Some(v) if !v.is_unit() => {
+                    Some(v.clone().into_string().map_err(|_| -> Box<EvalAltResult> {
+                        "files: list cursor must be a string".into()
+                    })?)
+                }
+                _ => None,
+            };
+            let limit = match opts.get("limit") {
+                Some(v) if !v.is_unit() => {
+                    u32::try_from(v.as_int().unwrap_or(0).max(0)).unwrap_or(0)
+                }
+                _ => 0,
+            };
+            list_call(handle, cursor, limit)
+        },
+    );
+}
+
+fn list_call(
+    handle: &FilesHandle,
+    cursor: Option<String>,
+    limit: u32,
+) -> Result<Map, Box<EvalAltResult>> {
+    let h = handle.clone();
+    let page = block_on(async move {
+        h.service
+            .list(&h.cx, &h.collection, cursor.as_deref(), limit)
+            .await
+    })?;
+    let mut m = Map::new();
+    let files: Array = page
+        .files
+        .iter()
+        .map(|meta| Dynamic::from(file_meta_to_map(meta)))
+        .collect();
+    m.insert("files".into(), files.into());
+    m.insert(
+        "next_cursor".into(),
+        page.next_cursor.map_or(Dynamic::UNIT, Dynamic::from),
+    );
+    Ok(m)
+}
+
+/// Render a `FileMeta` into the Rhai map shape scripts see from
+/// `head` / `list`.
+fn file_meta_to_map(meta: &FileMeta) -> Map {
+    let mut m = Map::new();
+    m.insert("id".into(), meta.id.to_string().into());
+    m.insert("collection".into(), meta.collection.clone().into());
+    m.insert("name".into(), meta.name.clone().into());
+    m.insert("content_type".into(), meta.content_type.clone().into());
+    m.insert(
+        "size".into(),
+        i64::try_from(meta.size).unwrap_or(i64::MAX).into(),
+    );
+    m.insert("checksum".into(), meta.checksum.clone().into());
+    m.insert("created_at".into(), meta.created_at.to_rfc3339().into());
+    m.insert("updated_at".into(), meta.updated_at.to_rfc3339().into());
+    m
+}
+
+/// Pull a required string field out of a Rhai map; throw naming the
+/// field if it's absent or not a string.
+fn require_string(meta: &Map, field: &'static str) -> Result<String, Box<EvalAltResult>> {
+    match meta.get(field) {
+        Some(v) if v.is_string() => Ok(v.clone().into_string().unwrap_or_default()),
+        Some(_) => Err(format!("files::create: field '{field}' must be a string").into()),
+        None => Err(format!("files::create: missing required field '{field}'").into()),
+    }
+}
+
+/// Pull an optional string field; `None` when the key is absent or unit.
+fn optional_string(meta: &Map, field: &'static str) -> Result<Option<String>, Box<EvalAltResult>> {
+    match meta.get(field) {
+        None => Ok(None),
+        Some(v) if v.is_unit() => Ok(None),
+        Some(v) if v.is_string() => Ok(Some(v.clone().into_string().unwrap_or_default())),
+        Some(_) => Err(format!("files::update: field '{field}' must be a string").into()),
+    }
+}
+
+/// Pull a required blob (`data`) out of a Rhai map; throw naming the
+/// field if it's absent or not a blob.
+fn require_blob(meta: &Map, field: &'static str) -> Result<Vec<u8>, Box<EvalAltResult>> {
+    match meta.get(field) {
+        Some(v) if v.is_blob() => Ok(v.clone().into_blob().unwrap_or_default()),
+        Some(_) => Err(format!("files: field '{field}' must be a Blob (byte array)").into()),
+        None => Err(format!("files: missing required field '{field}'").into()),
+    }
+}
+
+/// Run an async future inside the synchronous Rhai context. Mirrors
+/// `kv::block_on`; safe because `LocalExecutorClient` runs the script
+/// under `spawn_blocking`, so a runtime handle is reachable.
+fn block_on<F, T>(fut: F) -> Result<T, Box<EvalAltResult>>
+where
+    F: std::future::Future<Output = Result<T, FilesError>> + Send,
+    T: Send,
+{
+    let handle = TokioHandle::try_current().map_err(|e| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(
+            format!("files: no tokio runtime available: {e}").into(),
+            rhai::Position::NONE,
+        )
+        .into()
+    })?;
+    handle.block_on(fut).map_err(|err| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(format!("files: {err}").into(), rhai::Position::NONE).into()
+    })
+}

crates/executor-core/src/sdk/http.rs

@@ -0,0 +1,391 @@
+//! `http::` Rhai bridge — outbound HTTP from scripts (v1.1.4).
+//!
+//! ```rhai
+//! let r = http::get("https://api.example.com/users/123");
+//! let r = http::get(url, #{ headers: #{ "Authorization": "Bearer x" }, timeout_ms: 5000 });
+//! let r = http::post(url, #{ text: "hello" });          // Map body → JSON
+//! let r = http::post(url, "raw", #{ headers: #{ ... } }); // String body → text/plain
+//! let r = http::post_form(url, #{ a: "1", b: "2" });    // form-encoded
+//! let r = http::request("OPTIONS", url);
+//! ```
+//!
+//! **Argument shape (v1.1.4 decision):** body and options are separate
+//! positional arguments — `verb(url, body, opts)` — not body-inside-
+//! opts. This keeps the unknown-opt-key typo guard intact and resolves
+//! the brief's internal contradiction (its Slack example passed a bare
+//! body map). The `opts` vocabulary is exactly
+//! `{headers, timeout_ms, follow_redirects, max_redirects}`; any other
+//! key throws.
+//!
+//! Body dispatch (positional `body`): Map/Array → JSON +
+//! `application/json`; String → raw + `text/plain`; Unit `()` → no
+//! body. GET/HEAD ignore any body.
+//!
+//! Response is a Rhai map `#{ status, headers, body, body_raw }`:
+//! `body` is the parsed JSON when the response is `application/json`
+//! and parses; `()` for an empty body; otherwise the raw string.
+//!
+//! Errors follow `docs/sdk-shape.md`: network/timeout/SSRF/size failures
+//! throw (`"http: <message>"`); a non-2xx status does NOT throw — the
+//! response map is returned, fetch-style.
+
+use std::collections::BTreeMap;
+use std::sync::Arc;
+
+use picloud_shared::{HttpError, HttpRequest, HttpResponse, HttpService, SdkCallCx, Services};
+use rhai::{Dynamic, Engine as RhaiEngine, EvalAltResult, Map, Module};
+use tokio::runtime::Handle as TokioHandle;
+
+use super::bridge::{dynamic_to_json, json_to_dynamic};
+
+/// Bridge-side defaults (the service clamps server-side too). The
+/// `MAX_*` ceilings stay `i64` because they're compared against the
+/// raw `i64` the script passed (so an over-limit value is rejected, not
+/// truncated); the defaults are `u32` to match the `Opts` fields.
+const DEFAULT_TIMEOUT_MS: u32 = 30_000;
+const MAX_TIMEOUT_MS: i64 = 60_000;
+const DEFAULT_MAX_REDIRECTS: u32 = 5;
+const MAX_REDIRECTS: i64 = 10;
+
+const ALLOWED_OPT_KEYS: [&str; 4] = ["headers", "timeout_ms", "follow_redirects", "max_redirects"];
+
+pub(super) fn register(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCallCx>) {
+    let svc = services.http.clone();
+    let mut module = Module::new();
+
+    // Bodyless verbs: (url) / (url, opts).
+    for verb in ["get", "head"] {
+        register_bodyless(&mut module, verb, &svc, &cx);
+    }
+    // Body verbs: (url) / (url, body) / (url, body, opts).
+    for verb in ["post", "put", "patch", "delete"] {
+        register_body(&mut module, verb, &svc, &cx);
+    }
+    register_post_form(&mut module, &svc, &cx);
+    register_request(&mut module, &svc, &cx);
+
+    engine.register_static_module("http", module.into());
+}
+
+fn register_bodyless(
+    module: &mut Module,
+    verb: &'static str,
+    svc: &Arc<dyn HttpService>,
+    cx: &Arc<SdkCallCx>,
+) {
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn(verb, move |url: &str| {
+            invoke(&svc, &cx, verb, url, None, None)
+        });
+    }
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn(verb, move |url: &str, opts: Map| {
+            invoke(&svc, &cx, verb, url, None, Some(&opts))
+        });
+    }
+}
+
+fn register_body(
+    module: &mut Module,
+    verb: &'static str,
+    svc: &Arc<dyn HttpService>,
+    cx: &Arc<SdkCallCx>,
+) {
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn(verb, move |url: &str| {
+            invoke(&svc, &cx, verb, url, None, None)
+        });
+    }
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn(verb, move |url: &str, body: Dynamic| {
+            invoke(&svc, &cx, verb, url, Some(body), None)
+        });
+    }
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn(verb, move |url: &str, body: Dynamic, opts: Map| {
+            invoke(&svc, &cx, verb, url, Some(body), Some(&opts))
+        });
+    }
+}
+
+fn register_post_form(module: &mut Module, svc: &Arc<dyn HttpService>, cx: &Arc<SdkCallCx>) {
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn("post_form", move |url: &str, form: Map| {
+            invoke_form(&svc, &cx, url, &form, None)
+        });
+    }
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn("post_form", move |url: &str, form: Map, opts: Map| {
+            invoke_form(&svc, &cx, url, &form, Some(&opts))
+        });
+    }
+}
+
+fn register_request(module: &mut Module, svc: &Arc<dyn HttpService>, cx: &Arc<SdkCallCx>) {
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn("request", move |method: &str, url: &str| {
+            invoke(&svc, &cx, method, url, None, None)
+        });
+    }
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn("request", move |method: &str, url: &str, body: Dynamic| {
+            invoke(&svc, &cx, method, url, Some(body), None)
+        });
+    }
+    {
+        let (svc, cx) = (svc.clone(), cx.clone());
+        module.set_native_fn(
+            "request",
+            move |method: &str, url: &str, body: Dynamic, opts: Map| {
+                invoke(&svc, &cx, method, url, Some(body), Some(&opts))
+            },
+        );
+    }
+}
+
+/// Parsed `opts` map.
+struct Opts {
+    headers: BTreeMap<String, String>,
+    timeout_ms: u32,
+    follow_redirects: bool,
+    max_redirects: u32,
+}
+
+impl Default for Opts {
+    fn default() -> Self {
+        Self {
+            headers: BTreeMap::new(),
+            timeout_ms: DEFAULT_TIMEOUT_MS,
+            follow_redirects: true,
+            max_redirects: DEFAULT_MAX_REDIRECTS,
+        }
+    }
+}
+
+fn parse_opts(opts: Option<&Map>) -> Result<Opts, Box<EvalAltResult>> {
+    let mut out = Opts::default();
+    let Some(map) = opts else {
+        return Ok(out);
+    };
+    for key in map.keys() {
+        if !ALLOWED_OPT_KEYS.contains(&key.as_str()) {
+            return Err(err(format!("unknown option key: {key}")));
+        }
+    }
+    if let Some(h) = map.get("headers") {
+        let hm = h
+            .clone()
+            .try_cast::<Map>()
+            .ok_or_else(|| err("headers must be a map".to_string()))?;
+        for (k, v) in hm {
+            out.headers.insert(k.to_string(), dyn_to_string(&v));
+        }
+    }
+    if let Some(t) = map.get("timeout_ms") {
+        let ms = t
+            .as_int()
+            .map_err(|_| err("timeout_ms must be an integer".to_string()))?;
+        if ms > MAX_TIMEOUT_MS {
+            return Err(err(format!(
+                "timeout_ms {ms} exceeds the {MAX_TIMEOUT_MS}ms maximum"
+            )));
+        }
+        if ms > 0 {
+            out.timeout_ms = u32::try_from(ms).unwrap_or(u32::MAX);
+        }
+    }
+    if let Some(f) = map.get("follow_redirects") {
+        out.follow_redirects = f
+            .as_bool()
+            .map_err(|_| err("follow_redirects must be a bool".to_string()))?;
+    }
+    if let Some(m) = map.get("max_redirects") {
+        let n = m
+            .as_int()
+            .map_err(|_| err("max_redirects must be an integer".to_string()))?;
+        if n > MAX_REDIRECTS {
+            return Err(err(format!(
+                "max_redirects {n} exceeds the {MAX_REDIRECTS} maximum"
+            )));
+        }
+        out.max_redirects = u32::try_from(n.max(0)).unwrap_or(0);
+    }
+    Ok(out)
+}
+
+/// Encoded request body + the content-type chosen for it.
+type EncodedBody = (Option<Vec<u8>>, Option<String>);
+
+/// Dispatch a positional body by Rhai type. Returns the encoded bytes +
+/// the chosen content-type. GET/HEAD callers pass `body = None`, so
+/// this is never reached for them.
+fn dispatch_body(body: Dynamic) -> Result<EncodedBody, Box<EvalAltResult>> {
+    if body.is_unit() {
+        return Ok((None, None));
+    }
+    if body.is_string() {
+        let s = body.into_string().unwrap_or_default();
+        return Ok((Some(s.into_bytes()), Some("text/plain".to_string())));
+    }
+    if body.is_map() || body.is_array() {
+        let json = dynamic_to_json(&body);
+        let bytes = serde_json::to_vec(&json)
+            .map_err(|e| err(format!("could not encode JSON body: {e}")))?;
+        return Ok((Some(bytes), Some("application/json".to_string())));
+    }
+    // Scalars (int/float/bool) → JSON-encode for consistency.
+    let json = dynamic_to_json(&body);
+    let bytes =
+        serde_json::to_vec(&json).map_err(|e| err(format!("could not encode body: {e}")))?;
+    Ok((Some(bytes), Some("application/json".to_string())))
+}
+
+#[allow(clippy::needless_pass_by_value)]
+fn invoke(
+    svc: &Arc<dyn HttpService>,
+    cx: &Arc<SdkCallCx>,
+    method: &str,
+    url: &str,
+    body: Option<Dynamic>,
+    opts: Option<&Map>,
+) -> Result<Dynamic, Box<EvalAltResult>> {
+    let opts = parse_opts(opts)?;
+    let method_uc = method.to_ascii_uppercase();
+    let bodyless = matches!(method_uc.as_str(), "GET" | "HEAD");
+    let (encoded, content_type) = if bodyless {
+        (None, None)
+    } else if let Some(b) = body {
+        dispatch_body(b)?
+    } else {
+        (None, None)
+    };
+
+    let req = HttpRequest {
+        method: method_uc,
+        url: url.to_string(),
+        headers: opts.headers,
+        body: encoded,
+        content_type,
+        timeout_ms: opts.timeout_ms,
+        follow_redirects: opts.follow_redirects,
+        max_redirects: opts.max_redirects,
+        script_id: Some(cx.script_id.to_string()),
+    };
+    let resp = block_on(svc, cx, req)?;
+    Ok(response_to_dynamic(&resp))
+}
+
+#[allow(clippy::needless_pass_by_value)]
+fn invoke_form(
+    svc: &Arc<dyn HttpService>,
+    cx: &Arc<SdkCallCx>,
+    url: &str,
+    form: &Map,
+    opts: Option<&Map>,
+) -> Result<Dynamic, Box<EvalAltResult>> {
+    let opts = parse_opts(opts)?;
+    let mut serializer = url::form_urlencoded::Serializer::new(String::new());
+    for (k, v) in form {
+        serializer.append_pair(k.as_str(), &dyn_to_string(v));
+    }
+    let encoded = serializer.finish();
+
+    let req = HttpRequest {
+        method: "POST".to_string(),
+        url: url.to_string(),
+        headers: opts.headers,
+        body: Some(encoded.into_bytes()),
+        content_type: Some("application/x-www-form-urlencoded".to_string()),
+        timeout_ms: opts.timeout_ms,
+        follow_redirects: opts.follow_redirects,
+        max_redirects: opts.max_redirects,
+        script_id: Some(cx.script_id.to_string()),
+    };
+    let resp = block_on(svc, cx, req)?;
+    Ok(response_to_dynamic(&resp))
+}
+
+fn response_to_dynamic(resp: &HttpResponse) -> Dynamic {
+    let mut m = Map::new();
+    m.insert("status".into(), i64::from(resp.status).into());
+
+    let mut headers = Map::new();
+    let mut content_type = String::new();
+    for (k, v) in &resp.headers {
+        if k == "content-type" {
+            content_type.clone_from(v);
+        }
+        headers.insert(k.clone().into(), v.clone().into());
+    }
+    m.insert("headers".into(), headers.into());
+
+    // `body`: parsed JSON when the response is JSON and parses; () when
+    // empty; otherwise the raw string.
+    let body = if resp.body_raw.is_empty() {
+        Dynamic::UNIT
+    } else if content_type
+        .to_ascii_lowercase()
+        .starts_with("application/json")
+    {
+        match serde_json::from_str::<serde_json::Value>(&resp.body_raw) {
+            Ok(json) => json_to_dynamic(json),
+            Err(_) => resp.body_raw.clone().into(),
+        }
+    } else {
+        resp.body_raw.clone().into()
+    };
+    m.insert("body".into(), body);
+    m.insert("body_raw".into(), resp.body_raw.clone().into());
+    m.into()
+}
+
+fn dyn_to_string(v: &Dynamic) -> String {
+    if v.is_string() {
+        v.clone().into_string().unwrap_or_default()
+    } else {
+        v.to_string()
+    }
+}
+
+// Rhai's native-fn error channel is `Box<EvalAltResult>`, so these
+// helpers return the boxed form the call sites need.
+#[allow(clippy::unnecessary_box_returns)]
+fn err(msg: String) -> Box<EvalAltResult> {
+    EvalAltResult::ErrorRuntime(format!("http: {msg}").into(), rhai::Position::NONE).into()
+}
+
+/// Run the async service call from the synchronous Rhai context. Same
+/// pattern as `kv`/`docs`: the script runs under `spawn_blocking`, so a
+/// runtime handle is reachable and blocking on it is correct.
+fn block_on(
+    svc: &Arc<dyn HttpService>,
+    cx: &Arc<SdkCallCx>,
+    req: HttpRequest,
+) -> Result<HttpResponse, Box<EvalAltResult>> {
+    let handle = TokioHandle::try_current().map_err(|e| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(
+            format!("http: no tokio runtime available: {e}").into(),
+            rhai::Position::NONE,
+        )
+        .into()
+    })?;
+    let svc = svc.clone();
+    let cx = cx.clone();
+    handle
+        .block_on(async move { svc.request(&cx, req).await })
+        .map_err(map_http_err)
+}
+
+#[allow(clippy::unnecessary_box_returns)]
+fn map_http_err(e: HttpError) -> Box<EvalAltResult> {
+    EvalAltResult::ErrorRuntime(format!("http: {e}").into(), rhai::Position::NONE).into()
+}

crates/executor-core/src/sdk/kv.rs

@@ -0,0 +1,193 @@
+//! `kv::` Rhai bridge — collection-scoped handle pattern.
+//!
+//! ```rhai
+//! let widgets = kv::collection("widgets");
+//! widgets.set("k", #{ n: 1 });
+//! let v = widgets.get("k");      // value or () if absent
+//! if widgets.has("k") { ... }
+//! widgets.delete("k");            // bool (was-present)
+//! let page = widgets.list();      // returns #{ keys: [...], next_cursor: () }
+//! ```
+//!
+//! The `KvHandle` custom Rhai type captures the collection name once
+//! and routes each call through the injected `Arc<dyn KvService>` with
+//! the per-call `Arc<SdkCallCx>`. **The service derives `app_id` from
+//! `cx.app_id` — `app_id` never appears in any function signature
+//! script-side, preserving cross-app isolation.**
+//!
+//! Sync↔async bridge: Rhai is synchronous; the underlying service is
+//! async. Closures wrap each call in `Handle::current().block_on(...)`
+//! — safe because `LocalExecutorClient` runs the script under
+//! `spawn_blocking`, so a runtime handle is reachable and blocking on
+//! it doesn't park an async worker.
+//!
+//! Error convention (per `docs/sdk-shape.md`):
+//! - throw on failure (Rhai runtime error string)
+//! - `()` for absent values (`get` on a missing key)
+//! - `bool` for predicates (`has`; also `delete` returns was-present)
+
+use std::sync::Arc;
+
+use picloud_shared::{KvError, KvService, SdkCallCx, Services};
+use rhai::{Array, Dynamic, Engine as RhaiEngine, EvalAltResult, Map, Module};
+use tokio::runtime::Handle as TokioHandle;
+
+use super::bridge::{dynamic_to_json, json_to_dynamic};
+
+/// Per-call handle captured by the Rhai SDK. Cheap to clone (two Arcs
+/// plus an owned string).
+#[derive(Clone)]
+pub struct KvHandle {
+    collection: String,
+    service: Arc<dyn KvService>,
+    cx: Arc<SdkCallCx>,
+}
+
+pub(super) fn register(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCallCx>) {
+    let kv_service = services.kv.clone();
+
+    // `kv::collection(name)` — handle constructor lives in the `kv`
+    // static module so the script-visible call is `kv::collection(...)`.
+    let mut module = Module::new();
+    {
+        let kv_service = kv_service.clone();
+        let cx = cx.clone();
+        module.set_native_fn(
+            "collection",
+            move |name: &str| -> Result<KvHandle, Box<EvalAltResult>> {
+                if name.is_empty() {
+                    return Err("kv::collection name must not be empty".into());
+                }
+                Ok(KvHandle {
+                    collection: name.to_string(),
+                    service: kv_service.clone(),
+                    cx: cx.clone(),
+                })
+            },
+        );
+    }
+    engine.register_static_module("kv", module.into());
+
+    // Methods on KvHandle — `register_fn` with `&mut KvHandle` first
+    // argument lets Rhai dispatch them as `handle.get(k)` /
+    // `handle.set(k, v)` / etc. through the dot-notation.
+    engine.register_type_with_name::<KvHandle>("KvHandle");
+
+    register_get(engine);
+    register_set(engine);
+    register_has(engine);
+    register_delete(engine);
+    register_list(engine);
+}
+
+fn register_get(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "get",
+        |handle: &mut KvHandle, key: &str| -> Result<Dynamic, Box<EvalAltResult>> {
+            let h = handle.clone();
+            block_on(async move { h.service.get(&h.cx, &h.collection, key).await })
+                .map(|opt| opt.map_or(Dynamic::UNIT, json_to_dynamic))
+        },
+    );
+}
+
+fn register_set(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "set",
+        |handle: &mut KvHandle, key: &str, value: Dynamic| -> Result<(), Box<EvalAltResult>> {
+            let h = handle.clone();
+            let json = dynamic_to_json(&value);
+            block_on(async move { h.service.set(&h.cx, &h.collection, key, json).await })
+        },
+    );
+}
+
+fn register_has(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "has",
+        |handle: &mut KvHandle, key: &str| -> Result<bool, Box<EvalAltResult>> {
+            let h = handle.clone();
+            block_on(async move { h.service.has(&h.cx, &h.collection, key).await })
+        },
+    );
+}
+
+fn register_delete(engine: &mut RhaiEngine) {
+    engine.register_fn(
+        "delete",
+        |handle: &mut KvHandle, key: &str| -> Result<bool, Box<EvalAltResult>> {
+            let h = handle.clone();
+            block_on(async move { h.service.delete(&h.cx, &h.collection, key).await })
+        },
+    );
+}
+
+fn register_list(engine: &mut RhaiEngine) {
+    // Zero-arg form — full page, no cursor.
+    engine.register_fn(
+        "list",
+        |handle: &mut KvHandle| -> Result<Map, Box<EvalAltResult>> { list_call(handle, None, 0) },
+    );
+
+    // One-arg form — cursor only.
+    engine.register_fn(
+        "list",
+        |handle: &mut KvHandle, cursor: &str| -> Result<Map, Box<EvalAltResult>> {
+            list_call(handle, Some(cursor.to_string()), 0)
+        },
+    );
+
+    // Two-arg form — cursor + limit.
+    engine.register_fn(
+        "list",
+        |handle: &mut KvHandle, cursor: &str, limit: i64| -> Result<Map, Box<EvalAltResult>> {
+            let limit = u32::try_from(limit.max(0)).unwrap_or(0);
+            list_call(handle, Some(cursor.to_string()), limit)
+        },
+    );
+}
+
+fn list_call(
+    handle: &KvHandle,
+    cursor: Option<String>,
+    limit: u32,
+) -> Result<Map, Box<EvalAltResult>> {
+    let h = handle.clone();
+    let page = block_on(async move {
+        h.service
+            .list(&h.cx, &h.collection, cursor.as_deref(), limit)
+            .await
+    })?;
+    let mut m = Map::new();
+    let keys: Array = page.keys.into_iter().map(Dynamic::from).collect();
+    m.insert("keys".into(), keys.into());
+    m.insert(
+        "next_cursor".into(),
+        page.next_cursor.map_or(Dynamic::UNIT, Dynamic::from),
+    );
+    Ok(m)
+}
+
+/// Run an async future inside the synchronous Rhai context.
+///
+/// `LocalExecutorClient` wraps script execution in `spawn_blocking`, so
+/// the current Tokio runtime is reachable via `Handle::current()`. We
+/// block on it directly; we are NOT calling this from an async task,
+/// so blocking is the correct primitive (`block_in_place` would also
+/// work, but we're already on a blocking worker).
+fn block_on<F, T>(fut: F) -> Result<T, Box<EvalAltResult>>
+where
+    F: std::future::Future<Output = Result<T, KvError>> + Send,
+    T: Send,
+{
+    let handle = TokioHandle::try_current().map_err(|e| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(
+            format!("kv: no tokio runtime available: {e}").into(),
+            rhai::Position::NONE,
+        )
+        .into()
+    })?;
+    handle.block_on(fut).map_err(|err| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(format!("kv: {err}").into(), rhai::Position::NONE).into()
+    })
+}

crates/executor-core/src/sdk/mod.rs

@@ -0,0 +1,45 @@
+//! SDK plumbing — types and the per-call registration entry point.
+//!
+//! `executor-core` is responsible for building the per-invocation Rhai
+//! engine and wiring stateful services into it. v1.1.0 ships the
+//! shapes (`Services` bundle, `SdkCallCx`, `register_all` entry point)
+//! but no actual services — subsequent v1.1.x PRs (KV in v1.1.1,
+//! docs in v1.1.2, …) extend `register_all` rather than re-threading
+//! plumbing through `engine.rs`.
+//!
+//! Bridge functions (`json_to_dynamic` / `dynamic_to_json`) also live
+//! here so service modules can convert values without `engine.rs`
+//! being the only home for the conversion logic.
+
+pub mod bridge;
+pub mod cx;
+pub mod dead_letters;
+pub mod docs;
+pub mod files;
+pub mod http;
+pub mod kv;
+pub mod pubsub;
+pub mod stdlib;
+
+pub use bridge::{dynamic_to_json, json_to_dynamic};
+pub use cx::SdkCallCx;
+
+use std::sync::Arc;
+
+use picloud_shared::Services;
+use rhai::Engine as RhaiEngine;
+
+/// Single hook every v1.1.x stateful service registers into. Called
+/// once per invocation, just after `build_engine` constructs the
+/// sandboxed Rhai engine and just before script compilation.
+///
+/// v1.1.1 wires the first stateful service (KV). Subsequent PRs add a
+/// single `<service>::register(...)` line per service.
+pub fn register_all(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCallCx>) {
+    kv::register(engine, services, cx.clone());
+    docs::register(engine, services, cx.clone());
+    dead_letters::register(engine, services, cx.clone());
+    http::register(engine, services, cx.clone());
+    files::register(engine, services, cx.clone());
+    pubsub::register(engine, services, cx);
+}

crates/executor-core/src/sdk/pubsub.rs

@@ -0,0 +1,176 @@
+//! `pubsub::` Rhai bridge — durable publish (v1.1.5).
+//!
+//! ```rhai
+//! pubsub::publish_durable("user.created", #{ user_id: "abc" });
+//! pubsub::publish_durable("metric", 42);
+//! ```
+//!
+//! No handle pattern (topics ARE the grouping unit, so there's no
+//! `::collection(...)`). The message is any JSON-serializable Rhai value
+//! — Maps, Arrays, strings, numbers, bools, unit, and **Blobs (which
+//! encode as base64 strings** so trigger handlers see them as base64 on
+//! the wire). Nested blobs are encoded at any depth.
+//!
+//! `app_id` is derived from `cx.app_id` in the service — it never
+//! appears in the script-side signature, preserving cross-app
+//! isolation.
+
+use std::sync::Arc;
+
+use base64::engine::general_purpose::STANDARD;
+use base64::Engine as _;
+use picloud_shared::{PubsubError, SdkCallCx, Services};
+use rhai::{Array, Dynamic, Engine as RhaiEngine, EvalAltResult, Map, Module};
+use serde_json::Value as Json;
+use tokio::runtime::Handle as TokioHandle;
+
+pub(super) fn register(engine: &mut RhaiEngine, services: &Services, cx: Arc<SdkCallCx>) {
+    let svc = services.pubsub.clone();
+    let mut module = Module::new();
+    {
+        let svc = svc.clone();
+        let cx = cx.clone();
+        module.set_native_fn(
+            "publish_durable",
+            move |topic: &str, message: Dynamic| -> Result<(), Box<EvalAltResult>> {
+                let json = message_to_json(&message);
+                let svc = svc.clone();
+                let cx = cx.clone();
+                block_on(async move { svc.publish_durable(&cx, topic, json).await })
+            },
+        );
+    }
+    // `pubsub::subscriber_token(topics)` — uses the configured default
+    // TTL.
+    {
+        let svc = svc.clone();
+        let cx = cx.clone();
+        module.set_native_fn(
+            "subscriber_token",
+            move |topics: Array| -> Result<String, Box<EvalAltResult>> {
+                mint_token(&svc, &cx, topics, None)
+            },
+        );
+    }
+    // `pubsub::subscriber_token(topics, ttl)` — `ttl` is an integer
+    // (seconds) or `()` for the default.
+    {
+        let svc = svc.clone();
+        let cx = cx.clone();
+        module.set_native_fn(
+            "subscriber_token",
+            move |topics: Array, ttl: Dynamic| -> Result<String, Box<EvalAltResult>> {
+                let ttl = ttl_from_dynamic(&ttl)?;
+                mint_token(&svc, &cx, topics, ttl)
+            },
+        );
+    }
+    engine.register_static_module("pubsub", module.into());
+}
+
+/// Interpret the optional `ttl` argument: `()` → use the default,
+/// integer → that many seconds, anything else → throw.
+fn ttl_from_dynamic(ttl: &Dynamic) -> Result<Option<i64>, Box<EvalAltResult>> {
+    if ttl.is_unit() {
+        return Ok(None);
+    }
+    ttl.as_int().map(Some).map_err(|_| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(
+            "pubsub::subscriber_token: ttl must be an integer (seconds) or ()".into(),
+            rhai::Position::NONE,
+        )
+        .into()
+    })
+}
+
+fn mint_token(
+    svc: &Arc<dyn picloud_shared::PubsubService>,
+    cx: &Arc<SdkCallCx>,
+    topics: Array,
+    ttl: Option<i64>,
+) -> Result<String, Box<EvalAltResult>> {
+    // Every element must be a string; surface a clear error otherwise.
+    let mut names = Vec::with_capacity(topics.len());
+    for t in topics {
+        if !t.is_string() {
+            return Err(EvalAltResult::ErrorRuntime(
+                "pubsub::subscriber_token: topics must be an array of strings".into(),
+                rhai::Position::NONE,
+            )
+            .into());
+        }
+        names.push(t.into_string().unwrap_or_default());
+    }
+    let svc = svc.clone();
+    let cx = cx.clone();
+    let handle = TokioHandle::try_current().map_err(|e| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(
+            format!("pubsub: no tokio runtime available: {e}").into(),
+            rhai::Position::NONE,
+        )
+        .into()
+    })?;
+    // SubscriberToken errors already carry the full
+    // "pubsub::subscriber_token: …" wording, so surface them verbatim.
+    handle
+        .block_on(async move { svc.mint_subscriber_token(&cx, names, ttl).await })
+        .map_err(|err| -> Box<EvalAltResult> {
+            EvalAltResult::ErrorRuntime(format!("{err}").into(), rhai::Position::NONE).into()
+        })
+}
+
+/// Convert a Rhai `Dynamic` message into JSON, base64-encoding any
+/// `Blob` (at any nesting depth). Mirrors `bridge::dynamic_to_json` but
+/// adds the blob arm the pub/sub wire contract requires.
+fn message_to_json(value: &Dynamic) -> Json {
+    // Blob must be checked before the generic array path (a Blob is a
+    // `Vec<u8>`, distinct from a Rhai `Array`).
+    if value.is_blob() {
+        let blob = value.clone().into_blob().unwrap_or_default();
+        return Json::String(STANDARD.encode(&blob));
+    }
+    if value.is_unit() {
+        return Json::Null;
+    }
+    if let Ok(b) = value.as_bool() {
+        return Json::Bool(b);
+    }
+    if let Ok(i) = value.as_int() {
+        return Json::Number(i.into());
+    }
+    if let Ok(f) = value.as_float() {
+        return serde_json::Number::from_f64(f).map_or(Json::Null, Json::Number);
+    }
+    if value.is_string() {
+        return Json::String(value.clone().into_string().unwrap_or_default());
+    }
+    if let Some(arr) = value.clone().try_cast::<Array>() {
+        return Json::Array(arr.iter().map(message_to_json).collect());
+    }
+    if let Some(map) = value.clone().try_cast::<Map>() {
+        let mut out = serde_json::Map::new();
+        for (k, v) in map {
+            out.insert(k.to_string(), message_to_json(&v));
+        }
+        return Json::Object(out);
+    }
+    Json::String(value.to_string())
+}
+
+/// Run an async future inside the synchronous Rhai context. Mirrors
+/// `kv::block_on`.
+fn block_on<F>(fut: F) -> Result<(), Box<EvalAltResult>>
+where
+    F: std::future::Future<Output = Result<(), PubsubError>> + Send,
+{
+    let handle = TokioHandle::try_current().map_err(|e| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(
+            format!("pubsub: no tokio runtime available: {e}").into(),
+            rhai::Position::NONE,
+        )
+        .into()
+    })?;
+    handle.block_on(fut).map_err(|err| -> Box<EvalAltResult> {
+        EvalAltResult::ErrorRuntime(format!("pubsub: {err}").into(), rhai::Position::NONE).into()
+    })
+}

crates/executor-core/src/sdk/stdlib/base64.rs

@@ -0,0 +1,48 @@
+//! `base64::` — standard and URL-safe Base64.
+//!
+//! Two encoders are exposed: standard alphabet with padding (`encode`/
+//! `decode`) and URL-safe alphabet without padding (`encode_url`/
+//! `decode_url`). Each encoder accepts both `String` and `Blob` inputs
+//! as separate Rhai overloads; decoders always return `Blob` — the
+//! caller knows whether the original bytes were textual.
+
+use base64::engine::general_purpose::{STANDARD, URL_SAFE_NO_PAD};
+use base64::Engine as _;
+use rhai::{Blob, Engine as RhaiEngine, EvalAltResult, Module};
+
+pub fn register(engine: &mut RhaiEngine) {
+    let mut module = Module::new();
+
+    module.set_native_fn("encode", |s: &str| -> Result<String, Box<EvalAltResult>> {
+        Ok(STANDARD.encode(s.as_bytes()))
+    });
+    module.set_native_fn("encode", |b: Blob| -> Result<String, Box<EvalAltResult>> {
+        Ok(STANDARD.encode(&b))
+    });
+    module.set_native_fn("decode", |s: &str| -> Result<Blob, Box<EvalAltResult>> {
+        STANDARD
+            .decode(s)
+            .map_err(|e| format!("base64::decode: {e}").into())
+    });
+
+    module.set_native_fn(
+        "encode_url",
+        |s: &str| -> Result<String, Box<EvalAltResult>> {
+            Ok(URL_SAFE_NO_PAD.encode(s.as_bytes()))
+        },
+    );
+    module.set_native_fn(
+        "encode_url",
+        |b: Blob| -> Result<String, Box<EvalAltResult>> { Ok(URL_SAFE_NO_PAD.encode(&b)) },
+    );
+    module.set_native_fn(
+        "decode_url",
+        |s: &str| -> Result<Blob, Box<EvalAltResult>> {
+            URL_SAFE_NO_PAD
+                .decode(s)
+                .map_err(|e| format!("base64::decode_url: {e}").into())
+        },
+    );
+
+    engine.register_static_module("base64", module.into());
+}

crates/executor-core/src/sdk/stdlib/hex.rs

@@ -0,0 +1,21 @@
+//! `hex::` — hexadecimal encode/decode (lowercase output, case-
+//! insensitive input). String and Blob inputs are both accepted on
+//! encode; decode always returns `Blob`.
+
+use rhai::{Blob, Engine as RhaiEngine, EvalAltResult, Module};
+
+pub fn register(engine: &mut RhaiEngine) {
+    let mut module = Module::new();
+
+    module.set_native_fn("encode", |s: &str| -> Result<String, Box<EvalAltResult>> {
+        Ok(hex::encode(s.as_bytes()))
+    });
+    module.set_native_fn("encode", |b: Blob| -> Result<String, Box<EvalAltResult>> {
+        Ok(hex::encode(&b))
+    });
+    module.set_native_fn("decode", |s: &str| -> Result<Blob, Box<EvalAltResult>> {
+        hex::decode(s).map_err(|e| format!("hex::decode: {e}").into())
+    });
+
+    engine.register_static_module("hex", module.into());
+}

crates/executor-core/src/sdk/stdlib/json.rs

@@ -0,0 +1,43 @@
+//! `json::` — JSON parse and stringify. Reuses the bridge functions in
+//! `crate::sdk::bridge` so script-visible JSON has the same shape
+//! (numbers, maps, arrays, nulls) as `ctx.request.body` already does.
+
+use rhai::{Dynamic, Engine as RhaiEngine, EvalAltResult, Module};
+
+use crate::sdk::bridge::{dynamic_to_json, json_to_dynamic};
+
+pub fn register(engine: &mut RhaiEngine) {
+    let mut module = Module::new();
+    register_parse(&mut module);
+    register_stringify(&mut module);
+    register_stringify_pretty(&mut module);
+    engine.register_static_module("json", module.into());
+}
+
+fn register_parse(module: &mut Module) {
+    module.set_native_fn("parse", |s: &str| -> Result<Dynamic, Box<EvalAltResult>> {
+        let value: serde_json::Value =
+            serde_json::from_str(s).map_err(|e| format!("json::parse: {e}"))?;
+        Ok(json_to_dynamic(value))
+    });
+}
+
+fn register_stringify(module: &mut Module) {
+    module.set_native_fn(
+        "stringify",
+        |v: Dynamic| -> Result<String, Box<EvalAltResult>> {
+            serde_json::to_string(&dynamic_to_json(&v))
+                .map_err(|e| format!("json::stringify: {e}").into())
+        },
+    );
+}
+
+fn register_stringify_pretty(module: &mut Module) {
+    module.set_native_fn(
+        "stringify_pretty",
+        |v: Dynamic| -> Result<String, Box<EvalAltResult>> {
+            serde_json::to_string_pretty(&dynamic_to_json(&v))
+                .map_err(|e| format!("json::stringify_pretty: {e}").into())
+        },
+    );
+}

crates/executor-core/src/sdk/stdlib/mod.rs

@@ -0,0 +1,25 @@
+//! Stateless utility modules registered once at engine build via
+//! `Engine::register_static_module`. They have no per-call state, no
+//! cross-app sensitivity, and no `SdkCallCx` — distinguishing them
+//! from stateful service modules (KV, docs, …) which hook into
+//! `sdk::register_all` instead. See [docs/sdk-shape.md](../../../../../docs/sdk-shape.md).
+
+use rhai::Engine as RhaiEngine;
+
+pub mod base64;
+pub mod hex;
+pub mod json;
+pub mod random;
+pub mod regex;
+pub mod time;
+pub mod url;
+
+pub fn register_stdlib(engine: &mut RhaiEngine) {
+    regex::register(engine);
+    random::register(engine);
+    time::register(engine);
+    json::register(engine);
+    base64::register(engine);
+    hex::register(engine);
+    url::register(engine);
+}

crates/executor-core/src/sdk/stdlib/random.rs

@@ -0,0 +1,70 @@
+//! `random::` — CSPRNG primitives (`rand::rngs::OsRng`).
+//!
+//! Only the OS RNG is exposed. No "fast non-crypto" variant — scripts
+//! should not pick between secure and insecure entropy. Output sizes
+//! are capped to keep a single script call from blowing host memory.
+
+use rand::distributions::{Alphanumeric, DistString};
+use rand::{rngs::OsRng, Rng, RngCore};
+use rhai::{Blob, Engine as RhaiEngine, EvalAltResult, Module};
+use uuid::Uuid;
+
+const MAX_BYTES: i64 = 65_536;
+const MAX_STRING: i64 = 4_096;
+
+pub fn register(engine: &mut RhaiEngine) {
+    let mut module = Module::new();
+    register_int(&mut module);
+    register_float(&mut module);
+    register_bytes(&mut module);
+    register_string(&mut module);
+    register_uuid(&mut module);
+    engine.register_static_module("random", module.into());
+}
+
+fn register_int(module: &mut Module) {
+    module.set_native_fn(
+        "int",
+        |min: i64, max: i64| -> Result<i64, Box<EvalAltResult>> {
+            if min > max {
+                return Err(format!("random::int: min ({min}) > max ({max})").into());
+            }
+            Ok(OsRng.gen_range(min..=max))
+        },
+    );
+}
+
+fn register_float(module: &mut Module) {
+    module.set_native_fn("float", || -> Result<f64, Box<EvalAltResult>> {
+        Ok(OsRng.gen::<f64>())
+    });
+}
+
+fn register_bytes(module: &mut Module) {
+    module.set_native_fn("bytes", |n: i64| -> Result<Blob, Box<EvalAltResult>> {
+        if !(0..=MAX_BYTES).contains(&n) {
+            return Err(format!("random::bytes: n must be in 0..={MAX_BYTES}, got {n}").into());
+        }
+        // Safe: n is non-negative and bounded by MAX_BYTES, which fits in usize.
+        let len = usize::try_from(n).expect("n bounded above by MAX_BYTES");
+        let mut buf = vec![0u8; len];
+        OsRng.fill_bytes(&mut buf);
+        Ok(buf)
+    });
+}
+
+fn register_string(module: &mut Module) {
+    module.set_native_fn("string", |n: i64| -> Result<String, Box<EvalAltResult>> {
+        if !(0..=MAX_STRING).contains(&n) {
+            return Err(format!("random::string: n must be in 0..={MAX_STRING}, got {n}").into());
+        }
+        let len = usize::try_from(n).expect("n bounded above by MAX_STRING");
+        Ok(Alphanumeric.sample_string(&mut OsRng, len))
+    });
+}
+
+fn register_uuid(module: &mut Module) {
+    module.set_native_fn("uuid", || -> Result<String, Box<EvalAltResult>> {
+        Ok(Uuid::new_v4().to_string())
+    });
+}

crates/executor-core/src/sdk/stdlib/regex.rs

@@ -0,0 +1,105 @@
+//! `regex::` — non-backtracking regular expressions (Rust `regex` crate).
+//!
+//! Patterns compile per call. No cache: premature for v1.1.0, and the
+//! `regex` crate's linear-time guarantees keep per-call cost bounded.
+//! Catastrophic patterns are rejected at compile time by the crate
+//! itself; no extra defense needed.
+
+use regex::Regex;
+use rhai::{Array, Dynamic, Engine as RhaiEngine, EvalAltResult, Module};
+
+pub fn register(engine: &mut RhaiEngine) {
+    let mut module = Module::new();
+    register_is_match(&mut module);
+    register_find(&mut module);
+    register_find_all(&mut module);
+    register_replace(&mut module);
+    register_replace_all(&mut module);
+    register_split(&mut module);
+    register_captures(&mut module);
+    engine.register_static_module("regex", module.into());
+}
+
+fn compile(pattern: &str) -> Result<Regex, Box<EvalAltResult>> {
+    Regex::new(pattern).map_err(|e| format!("invalid regex: {e}").into())
+}
+
+fn register_is_match(module: &mut Module) {
+    module.set_native_fn(
+        "is_match",
+        |pattern: &str, text: &str| -> Result<bool, Box<EvalAltResult>> {
+            Ok(compile(pattern)?.is_match(text))
+        },
+    );
+}
+
+fn register_find(module: &mut Module) {
+    module.set_native_fn(
+        "find",
+        |pattern: &str, text: &str| -> Result<Dynamic, Box<EvalAltResult>> {
+            Ok(compile(pattern)?
+                .find(text)
+                .map_or(Dynamic::UNIT, |m| Dynamic::from(m.as_str().to_string())))
+        },
+    );
+}
+
+fn register_find_all(module: &mut Module) {
+    module.set_native_fn(
+        "find_all",
+        |pattern: &str, text: &str| -> Result<Array, Box<EvalAltResult>> {
+            Ok(compile(pattern)?
+                .find_iter(text)
+                .map(|m| Dynamic::from(m.as_str().to_string()))
+                .collect())
+        },
+    );
+}
+
+fn register_replace(module: &mut Module) {
+    module.set_native_fn(
+        "replace",
+        |pattern: &str, text: &str, replacement: &str| -> Result<String, Box<EvalAltResult>> {
+            Ok(compile(pattern)?.replace(text, replacement).into_owned())
+        },
+    );
+}
+
+fn register_replace_all(module: &mut Module) {
+    module.set_native_fn(
+        "replace_all",
+        |pattern: &str, text: &str, replacement: &str| -> Result<String, Box<EvalAltResult>> {
+            Ok(compile(pattern)?
+                .replace_all(text, replacement)
+                .into_owned())
+        },
+    );
+}
+
+fn register_split(module: &mut Module) {
+    module.set_native_fn(
+        "split",
+        |pattern: &str, text: &str| -> Result<Array, Box<EvalAltResult>> {
+            Ok(compile(pattern)?
+                .split(text)
+                .map(|s| Dynamic::from(s.to_string()))
+                .collect())
+        },
+    );
+}
+
+fn register_captures(module: &mut Module) {
+    module.set_native_fn(
+        "captures",
+        |pattern: &str, text: &str| -> Result<Dynamic, Box<EvalAltResult>> {
+            let re = compile(pattern)?;
+            Ok(re.captures(text).map_or(Dynamic::UNIT, |caps| {
+                let arr: Array = caps
+                    .iter()
+                    .map(|m| m.map_or(Dynamic::UNIT, |m| Dynamic::from(m.as_str().to_string())))
+                    .collect();
+                Dynamic::from(arr)
+            }))
+        },
+    );
+}

crates/executor-core/src/sdk/stdlib/time.rs

@@ -0,0 +1,68 @@
+//! `time::` — UTC time. The canonical "time value" is milliseconds
+//! since the Unix epoch as `i64`. ISO 8601 strings are for parsing and
+//! display only. UTC only — no timezone support in v1.1.0 (would pull
+//! in chrono-tz, deferred until a real use case demands it).
+
+use chrono::{DateTime, SecondsFormat, Utc};
+use rhai::{Engine as RhaiEngine, EvalAltResult, Module};
+
+pub fn register(engine: &mut RhaiEngine) {
+    let mut module = Module::new();
+    register_now(&mut module);
+    register_now_ms(&mut module);
+    register_parse(&mut module);
+    register_format(&mut module);
+    register_add_seconds(&mut module);
+    register_diff_seconds(&mut module);
+    engine.register_static_module("time", module.into());
+}
+
+fn register_now(module: &mut Module) {
+    module.set_native_fn("now", || -> Result<String, Box<EvalAltResult>> {
+        Ok(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
+    });
+}
+
+fn register_now_ms(module: &mut Module) {
+    module.set_native_fn("now_ms", || -> Result<i64, Box<EvalAltResult>> {
+        Ok(Utc::now().timestamp_millis())
+    });
+}
+
+fn register_parse(module: &mut Module) {
+    module.set_native_fn("parse", |iso: &str| -> Result<i64, Box<EvalAltResult>> {
+        DateTime::parse_from_rfc3339(iso)
+            .map(|dt| dt.timestamp_millis())
+            .map_err(|e| format!("time::parse: invalid ISO 8601 / RFC 3339: {e}").into())
+    });
+}
+
+fn register_format(module: &mut Module) {
+    module.set_native_fn("format", |ms: i64| -> Result<String, Box<EvalAltResult>> {
+        DateTime::<Utc>::from_timestamp_millis(ms)
+            .map(|dt| dt.to_rfc3339_opts(SecondsFormat::Millis, true))
+            .ok_or_else(|| format!("time::format: ms ({ms}) out of representable range").into())
+    });
+}
+
+fn register_add_seconds(module: &mut Module) {
+    module.set_native_fn(
+        "add_seconds",
+        |ms: i64, secs: i64| -> Result<i64, Box<EvalAltResult>> {
+            secs.checked_mul(1000)
+                .and_then(|delta| ms.checked_add(delta))
+                .ok_or_else(|| format!("time::add_seconds: overflow (ms={ms}, secs={secs})").into())
+        },
+    );
+}
+
+fn register_diff_seconds(module: &mut Module) {
+    module.set_native_fn(
+        "diff_seconds",
+        |a_ms: i64, b_ms: i64| -> Result<i64, Box<EvalAltResult>> {
+            b_ms.checked_sub(a_ms)
+                .map(|d| d / 1000)
+                .ok_or_else(|| format!("time::diff_seconds: overflow (a={a_ms}, b={b_ms})").into())
+        },
+    );
+}

crates/executor-core/src/sdk/stdlib/url.rs

@@ -0,0 +1,64 @@
+//! `url::` — RFC 3986 percent-encoding.
+//!
+//! `encode`/`decode` operate on opaque component values; `encode_query`
+//! builds an `application/x-www-form-urlencoded`-style query string
+//! from a Rhai `Map`. Key ordering is the map's natural order (Rhai's
+//! `Map` is a `BTreeMap`, so keys come out alphabetically — fine for
+//! query strings, which RFC 3986 leaves unordered).
+
+use percent_encoding::{percent_decode_str, utf8_percent_encode, AsciiSet, NON_ALPHANUMERIC};
+use rhai::{Engine as RhaiEngine, EvalAltResult, Map, Module};
+
+/// RFC 3986 unreserved set: `A-Z / a-z / 0-9 / - / _ / . / ~`.
+/// Everything outside this set gets percent-encoded.
+const UNRESERVED: &AsciiSet = &NON_ALPHANUMERIC
+    .remove(b'-')
+    .remove(b'_')
+    .remove(b'.')
+    .remove(b'~');
+
+pub fn register(engine: &mut RhaiEngine) {
+    let mut module = Module::new();
+    register_encode(&mut module);
+    register_decode(&mut module);
+    register_encode_query(&mut module);
+    engine.register_static_module("url", module.into());
+}
+
+fn register_encode(module: &mut Module) {
+    module.set_native_fn("encode", |s: &str| -> Result<String, Box<EvalAltResult>> {
+        Ok(utf8_percent_encode(s, UNRESERVED).to_string())
+    });
+}
+
+fn register_decode(module: &mut Module) {
+    module.set_native_fn("decode", |s: &str| -> Result<String, Box<EvalAltResult>> {
+        percent_decode_str(s)
+            .decode_utf8()
+            .map(std::borrow::Cow::into_owned)
+            .map_err(|e| format!("url::decode: invalid UTF-8: {e}").into())
+    });
+}
+
+fn register_encode_query(module: &mut Module) {
+    module.set_native_fn(
+        "encode_query",
+        |m: Map| -> Result<String, Box<EvalAltResult>> {
+            let mut out = String::new();
+            for (k, v) in m {
+                if !out.is_empty() {
+                    out.push('&');
+                }
+                out.push_str(&utf8_percent_encode(&k, UNRESERVED).to_string());
+                out.push('=');
+                // Coerce values via `to_string` rather than throwing on
+                // non-strings — scripts commonly pass numbers/bools here
+                // and a forced cast at the call site is friction with
+                // no upside.
+                let value = v.to_string();
+                out.push_str(&utf8_percent_encode(&value, UNRESERVED).to_string());
+            }
+            Ok(out)
+        },
+    );
+}

crates/executor-core/src/types.rs

@@ -1,7 +1,9 @@
 use std::collections::BTreeMap;
 
 use chrono::{DateTime, Utc};
-use picloud_shared::{ExecutionId, RequestId, ScriptId, ScriptSandbox};
+use picloud_shared::{
+    AppId, ExecutionId, Principal, RequestId, ScriptId, ScriptSandbox, TriggerEvent,
+};
 use serde::{Deserialize, Serialize};
 use thiserror::Error;
 
@@ -50,6 +52,49 @@ pub struct ExecRequest {
     /// override) before the Rhai engine is built.
     #[serde(default)]
     pub sandbox_overrides: ScriptSandbox,
+
+    /// Owning application. Source of truth for every `(app_id, …)`
+    /// storage lookup the script makes via stateful SDK services.
+    /// Internal-only; not surfaced via `ctx` (which the script sees).
+    pub app_id: AppId,
+
+    /// Caller identity, when authenticated. `None` for unauthenticated
+    /// data-plane HTTP requests (the common case for public scripts);
+    /// `Some` when a bearer token or session cookie was resolved.
+    /// Internal-only — exposed via `SdkCallCx` to service trait impls.
+    ///
+    /// `#[serde(skip)]`: `ExecRequest` is serializable so cluster mode
+    /// (v1.3+) can ship invocations to remote executors over HTTP, but
+    /// `Principal` has no wire derivation today. Skipping here keeps
+    /// v1.1.0 compiling; the cluster-mode PR will introduce a wire-safe
+    /// snapshot then.
+    #[serde(skip)]
+    pub principal: Option<Principal>,
+
+    /// Triggers-framework depth. `0` for direct invocations. The
+    /// dispatcher (v1.1.1) increments on each indirection to bound
+    /// runaway feedback loops.
+    #[serde(default)]
+    pub trigger_depth: u32,
+
+    /// Originating execution id of a trigger chain. Equal to
+    /// `execution_id` for direct invocations; preserves the root
+    /// across fan-out for audit log grouping.
+    pub root_execution_id: ExecutionId,
+
+    /// `true` only when the dispatcher resolved this invocation
+    /// against a `dead_letter` trigger. The retry / dead-letter
+    /// machinery short-circuits when this is set so handler failures
+    /// cannot themselves be dead-lettered (design notes §4
+    /// recursion-stop rule).
+    #[serde(default)]
+    pub is_dead_letter_handler: bool,
+
+    /// The originating event for a triggered invocation. `None` for
+    /// direct ingress (sync HTTP, manual admin run). Flattened into
+    /// `ctx.event` by the executor's per-call ctx builder.
+    #[serde(default)]
+    pub event: Option<TriggerEvent>,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -100,4 +145,11 @@ pub enum ExecError {
 
     #[error("script runtime error: {0}")]
     Runtime(String),
+
+    /// Concurrency gate (orchestrator-core::ExecutionGate) refused
+    /// admission. Surfaced as HTTP 503 with a `Retry-After` header.
+    /// The gate enforces a global cap so a script storm can't park
+    /// every blocking thread.
+    #[error("execution declined: server at capacity (retry after {retry_after_secs}s)")]
+    Overloaded { retry_after_secs: u32 },
 }

crates/executor-core/tests/engine.rs

@@ -1,12 +1,15 @@
 use std::collections::BTreeMap;
 
 use picloud_executor_core::{Engine, ExecError, ExecRequest, InvocationType, Limits, LogLevel};
-use picloud_shared::{ExecutionId, RequestId, ScriptId, ScriptSandbox};
+use picloud_shared::{
+    AppId, ExecutionId, KvEventOp, RequestId, ScriptId, ScriptSandbox, Services, TriggerEvent,
+};
 use serde_json::json;
 
 fn req(body: serde_json::Value) -> ExecRequest {
+    let execution_id = ExecutionId::new();
     ExecRequest {
-        execution_id: ExecutionId::new(),
+        execution_id,
         request_id: RequestId::new(),
         script_id: ScriptId::new(),
         script_name: "test".into(),
@@ -18,11 +21,17 @@ fn req(body: serde_json::Value) -> ExecRequest {
         query: BTreeMap::new(),
         rest: String::new(),
         sandbox_overrides: ScriptSandbox::default(),
+        app_id: AppId::new(),
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
     }
 }
 
 fn engine() -> Engine {
-    Engine::new(Limits::default())
+    Engine::new(Limits::default(), Services::default())
 }
 
 #[test]
@@ -121,7 +130,7 @@ fn enforces_operation_budget() {
         max_operations: 1_000,
         ..Limits::default()
     };
-    let engine = Engine::new(limits);
+    let engine = Engine::new(limits, Services::default());
     // 10_000 iterations vastly exceeds 1_000 ops.
     let src = r"let n = 0; for i in 0..10000 { n += 1; } n";
     let err = engine
@@ -230,3 +239,67 @@ fn body_passes_through_nested_json_round_trip() {
     let resp = engine().execute(src, req(body.clone())).unwrap();
     assert_eq!(resp.body, body);
 }
+
+#[test]
+fn ctx_event_absent_for_direct_invocations() {
+    // Scripts not fired through the triggers framework see no
+    // `ctx.event` key — they can use `"event" in ctx` to detect.
+    let src = r#"
+        if "event" in ctx { #{ statusCode: 500, body: "should be absent" } }
+        else              { "absent" }
+    "#;
+    let resp = engine().execute(src, req(json!(null))).unwrap();
+    assert_eq!(resp.body, json!("absent"));
+}
+
+#[test]
+fn ctx_event_kv_shape_matches_design_notes() {
+    // Build an ExecRequest mimicking what the dispatcher hands a
+    // KV-triggered handler — `event = Some(TriggerEvent::Kv { … })`.
+    let mut r = req(json!(null));
+    r.event = Some(TriggerEvent::Kv {
+        op: KvEventOp::Insert,
+        collection: "widgets".into(),
+        key: "k1".into(),
+        value: Some(json!({ "n": 1 })),
+    });
+    let src = r"
+        #{
+            source: ctx.event.source,
+            op: ctx.event.op,
+            collection: ctx.event.kv.collection,
+            key: ctx.event.kv.key,
+            value: ctx.event.kv.value
+        }
+    ";
+    let resp = engine().execute(src, r).unwrap();
+    assert_eq!(
+        resp.body,
+        json!({
+            "source": "kv",
+            "op": "insert",
+            "collection": "widgets",
+            "key": "k1",
+            "value": { "n": 1 }
+        })
+    );
+}
+
+#[test]
+fn ctx_event_kv_delete_has_unit_value() {
+    let mut r = req(json!(null));
+    r.event = Some(TriggerEvent::Kv {
+        op: KvEventOp::Delete,
+        collection: "widgets".into(),
+        key: "k1".into(),
+        value: None,
+    });
+    let src = r"
+        #{
+            op: ctx.event.op,
+            value_is_unit: ctx.event.kv.value == ()
+        }
+    ";
+    let resp = engine().execute(src, r).unwrap();
+    assert_eq!(resp.body, json!({ "op": "delete", "value_is_unit": true }));
+}

crates/executor-core/tests/module_redaction_logging.rs

@@ -0,0 +1,129 @@
+//! v1.1.4 §10a: the original module backend error MUST be logged at
+//! error level (so operators can still diagnose), even though it is
+//! redacted from the script-visible error.
+//!
+//! This test owns the process-global tracing subscriber, so it lives in
+//! its own integration-test binary (one `set_global_default` per
+//! process). A unique sentinel in the backend error keeps the assertion
+//! robust against any concurrently-running test's log output.
+
+use std::collections::BTreeMap;
+use std::io::Write;
+use std::sync::{Arc, Mutex};
+
+use async_trait::async_trait;
+use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
+use picloud_shared::{
+    AppId, ExecutionId, ModuleScript, ModuleSource, ModuleSourceError, NoopDeadLetterService,
+    NoopDocsService, NoopEventEmitter, NoopHttpService, NoopKvService, RequestId, ScriptId,
+    ScriptSandbox, SdkCallCx, Services,
+};
+use serde_json::Value;
+use tracing_subscriber::fmt::MakeWriter;
+
+const SENTINEL: &str = "connection refused PICLOUD-SENTINEL-9f3a";
+
+struct FailingSource;
+
+#[async_trait]
+impl ModuleSource for FailingSource {
+    async fn lookup(
+        &self,
+        _cx: &SdkCallCx,
+        _name: &str,
+    ) -> Result<Option<ModuleScript>, ModuleSourceError> {
+        Err(ModuleSourceError::Backend(SENTINEL.to_string()))
+    }
+}
+
+/// `MakeWriter` that appends to a shared buffer.
+#[derive(Clone)]
+struct SharedBuf(Arc<Mutex<Vec<u8>>>);
+
+impl Write for SharedBuf {
+    fn write(&mut self, buf: &[u8]) -> std::io::Result<usize> {
+        self.0.lock().unwrap().extend_from_slice(buf);
+        Ok(buf.len())
+    }
+    fn flush(&mut self) -> std::io::Result<()> {
+        Ok(())
+    }
+}
+
+impl<'a> MakeWriter<'a> for SharedBuf {
+    type Writer = SharedBuf;
+    fn make_writer(&'a self) -> Self::Writer {
+        self.clone()
+    }
+}
+
+fn req(app_id: AppId) -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id: ScriptId::new(),
+        script_name: "redaction-test".into(),
+        invocation_type: InvocationType::Http,
+        path: "/x".into(),
+        headers: BTreeMap::new(),
+        body: Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id,
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn original_backend_error_is_logged_at_error_level() {
+    let buf = Arc::new(Mutex::new(Vec::<u8>::new()));
+    let subscriber = tracing_subscriber::fmt()
+        .with_writer(SharedBuf(buf.clone()))
+        .with_max_level(tracing::Level::ERROR)
+        .with_ansi(false)
+        .finish();
+    tracing::subscriber::set_global_default(subscriber)
+        .expect("this test owns the global subscriber for its binary");
+
+    let services = Services::new(
+        Arc::new(NoopKvService),
+        Arc::new(NoopDocsService),
+        Arc::new(NoopDeadLetterService),
+        Arc::new(NoopEventEmitter),
+        Arc::new(FailingSource),
+        Arc::new(NoopHttpService),
+        Arc::new(picloud_shared::NoopFilesService),
+        Arc::new(picloud_shared::NoopPubsubService),
+    );
+    let engine = Engine::new(Limits::default(), services);
+
+    let err = engine
+        .execute(r#"import "x" as x; 1"#, req(AppId::new()))
+        .expect_err("backend error should surface");
+
+    // Script-visible: redacted.
+    let msg = format!("{err:?}");
+    assert!(msg.contains("module backend unavailable"), "got {msg}");
+    assert!(
+        !msg.contains("PICLOUD-SENTINEL"),
+        "script error leaked the original: {msg}"
+    );
+
+    // Operator log: the original sentinel IS present, at ERROR level.
+    let logged = String::from_utf8(buf.lock().unwrap().clone()).unwrap();
+    assert!(
+        logged.contains(SENTINEL),
+        "original backend error should be logged; captured: {logged}"
+    );
+    assert!(
+        logged.contains("ERROR"),
+        "should be logged at error level; captured: {logged}"
+    );
+}

crates/executor-core/tests/modules.rs

@@ -0,0 +1,595 @@
+//! v1.1.3 — `PicloudModuleResolver` integration tests.
+#![allow(clippy::needless_raw_string_hashes)] // r#""# is more uniform when many tests embed Rhai sources
+//!
+//! Each test wires an `Engine` with a `CountingModuleSource` (an
+//! in-memory fake), a `Services` bundle, and an `ExecRequest` whose
+//! `app_id` controls the cross-app boundary. The resolver is
+//! exercised end-to-end through `Engine::execute`, so these tests
+//! verify the same code path the `picloud` binary runs at request
+//! time.
+
+use std::collections::{BTreeMap, HashMap};
+use std::sync::atomic::{AtomicUsize, Ordering};
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use chrono::{DateTime, Utc};
+use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
+use picloud_shared::{
+    AppId, ExecutionId, ModuleScript, ModuleSource, ModuleSourceError, NoopDeadLetterService,
+    NoopDocsService, NoopEventEmitter, NoopHttpService, NoopKvService, RequestId, ScriptId,
+    ScriptSandbox, SdkCallCx, Services,
+};
+use tokio::sync::Mutex;
+
+/// In-memory `ModuleSource` backed by a `HashMap<(AppId, name)>`.
+/// Tracks total lookup count so tests can assert cache hit/miss.
+#[derive(Default)]
+struct CountingModuleSource {
+    table: Mutex<HashMap<(AppId, String), ModuleScript>>,
+    lookups: AtomicUsize,
+    /// When `Some`, every lookup returns this error instead of the
+    /// table — used by the backend-error test.
+    fail_with: Mutex<Option<String>>,
+}
+
+impl CountingModuleSource {
+    fn new() -> Arc<Self> {
+        Arc::new(Self::default())
+    }
+
+    async fn put(self: &Arc<Self>, app_id: AppId, name: &str, source: &str) -> ScriptId {
+        self.put_with_updated_at(app_id, name, source, Utc::now())
+            .await
+    }
+
+    async fn put_with_updated_at(
+        self: &Arc<Self>,
+        app_id: AppId,
+        name: &str,
+        source: &str,
+        updated_at: DateTime<Utc>,
+    ) -> ScriptId {
+        let script_id = ScriptId::new();
+        self.table.lock().await.insert(
+            (app_id, name.to_string()),
+            ModuleScript {
+                script_id,
+                app_id,
+                name: name.to_string(),
+                source: source.to_string(),
+                updated_at,
+            },
+        );
+        script_id
+    }
+
+    fn lookup_count(&self) -> usize {
+        self.lookups.load(Ordering::SeqCst)
+    }
+}
+
+#[async_trait]
+impl ModuleSource for CountingModuleSource {
+    async fn lookup(
+        &self,
+        cx: &SdkCallCx,
+        name: &str,
+    ) -> Result<Option<ModuleScript>, ModuleSourceError> {
+        self.lookups.fetch_add(1, Ordering::SeqCst);
+        if let Some(err) = self.fail_with.lock().await.as_ref() {
+            return Err(ModuleSourceError::Backend(err.clone()));
+        }
+        Ok(self
+            .table
+            .lock()
+            .await
+            .get(&(cx.app_id, name.to_string()))
+            .cloned())
+    }
+}
+
+fn services_with(modules: Arc<dyn ModuleSource>) -> Services {
+    Services::new(
+        Arc::new(NoopKvService),
+        Arc::new(NoopDocsService),
+        Arc::new(NoopDeadLetterService),
+        Arc::new(NoopEventEmitter),
+        modules,
+        Arc::new(NoopHttpService),
+        Arc::new(picloud_shared::NoopFilesService),
+        Arc::new(picloud_shared::NoopPubsubService),
+    )
+}
+
+fn engine_with(modules: Arc<dyn ModuleSource>) -> Engine {
+    Engine::new(Limits::default(), services_with(modules))
+}
+
+fn req(app_id: AppId) -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id: ScriptId::new(),
+        script_name: "test".into(),
+        invocation_type: InvocationType::Http,
+        path: "/test".into(),
+        headers: BTreeMap::new(),
+        body: serde_json::Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id,
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_loads_simple_module() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    source.put(app_id, "math", "fn add(a, b) { a + b }").await;
+
+    let engine = engine_with(source.clone());
+    let resp = engine
+        .execute(r#"import "math" as m; m::add(2, 3)"#, req(app_id))
+        .expect("should execute");
+    assert_eq!(resp.status_code, 200);
+    assert_eq!(resp.body, serde_json::json!(5));
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_cross_app_blocked() {
+    let source = CountingModuleSource::new();
+    let app_a = AppId::new();
+    let app_b = AppId::new();
+    source
+        .put(app_a, "secrets", "fn token() { \"A-token\" }")
+        .await;
+    source
+        .put(app_b, "secrets", "fn token() { \"B-token\" }")
+        .await;
+
+    let engine = engine_with(source.clone());
+
+    // App A sees A's module.
+    let resp = engine
+        .execute(r#"import "secrets" as s; s::token()"#, req(app_a))
+        .unwrap();
+    assert_eq!(resp.body, serde_json::json!("A-token"));
+
+    // App B sees B's module — same name, completely separate value.
+    let resp = engine
+        .execute(r#"import "secrets" as s; s::token()"#, req(app_b))
+        .unwrap();
+    assert_eq!(resp.body, serde_json::json!("B-token"));
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_cross_app_module_not_found() {
+    let source = CountingModuleSource::new();
+    let app_a = AppId::new();
+    let app_b = AppId::new();
+    // Only app A has the module.
+    source.put(app_a, "lonely", "fn ping() { \"pong\" }").await;
+
+    // App B's lookup should return None → resolver surfaces
+    // ErrorModuleNotFound.
+    let engine = engine_with(source.clone());
+    let err = engine
+        .execute(r#"import "lonely" as l; l::ping()"#, req(app_b))
+        .expect_err("cross-app import should fail");
+    let msg = format!("{err:?}");
+    assert!(
+        msg.to_lowercase().contains("module")
+            || msg.to_lowercase().contains("not found")
+            || msg.to_lowercase().contains("lonely"),
+        "expected module-not-found-flavoured error, got {msg}"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_module_not_found() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    let engine = engine_with(source);
+
+    let err = engine
+        .execute(r#"import "doesnotexist" as x; 1"#, req(app_id))
+        .expect_err("unknown module should fail");
+    let msg = format!("{err:?}").to_lowercase();
+    assert!(
+        msg.contains("doesnotexist") || msg.contains("not found"),
+        "expected ErrorModuleNotFound-flavoured error, got {msg}"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_self_import_detected() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    // a imports itself
+    source
+        .put(app_id, "a", r#"import "a" as a; fn nope() { 0 }"#)
+        .await;
+    let engine = engine_with(source);
+
+    let err = engine
+        .execute(r#"import "a" as a; a::nope()"#, req(app_id))
+        .expect_err("self-import should detect cycle");
+    let msg = format!("{err:?}").to_lowercase();
+    assert!(
+        msg.contains("circular") || msg.contains("cycle"),
+        "expected circular-import error, got {msg}"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_circular_detected() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    // a imports b; b imports a; both then declare a fn.
+    source
+        .put(app_id, "a", r#"import "b" as b; fn x() { 0 }"#)
+        .await;
+    source
+        .put(app_id, "b", r#"import "a" as a; fn y() { 0 }"#)
+        .await;
+    let engine = engine_with(source);
+
+    let err = engine
+        .execute(r#"import "a" as a; a::x()"#, req(app_id))
+        .expect_err("circular import should fail");
+    let msg = format!("{err:?}").to_lowercase();
+    assert!(
+        msg.contains("circular") || msg.contains("cycle"),
+        "expected circular-import error, got {msg}"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_depth_limit_enforced() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    // Chain `m0 -> m1 -> ... -> m9` (10 levels). Default depth limit is 8.
+    for i in 0..9 {
+        let next = format!("m{}", i + 1);
+        source
+            .put(
+                app_id,
+                &format!("m{i}"),
+                &format!(r#"import "{next}" as nxt; fn x() {{ 0 }}"#),
+            )
+            .await;
+    }
+    source.put(app_id, "m9", "fn x() { 0 }").await;
+
+    let engine = engine_with(source);
+    let err = engine
+        .execute(r#"import "m0" as m0; m0::x()"#, req(app_id))
+        .expect_err("chain exceeding depth limit should fail");
+    let msg = format!("{err:?}").to_lowercase();
+    assert!(
+        msg.contains("depth"),
+        "expected depth-exceeded error, got {msg}"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_depth_limit_just_under_succeeds() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    // Chain depth 7 (under default 8). m0 -> m1 -> ... -> m6 (terminal).
+    for i in 0..6 {
+        let next = format!("m{}", i + 1);
+        source
+            .put(
+                app_id,
+                &format!("m{i}"),
+                &format!(r#"import "{next}" as nxt; fn x() {{ nxt::x() }}"#),
+            )
+            .await;
+    }
+    source.put(app_id, "m6", "fn x() { 42 }").await;
+
+    let engine = engine_with(source);
+    let resp = engine
+        .execute(r#"import "m0" as m0; m0::x()"#, req(app_id))
+        .expect("chain under depth limit should succeed");
+    assert_eq!(resp.body, serde_json::json!(42));
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_runtime_validation_rejects_top_level_expr() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    // Module has a top-level expression — bypassed the admin gate,
+    // but the resolver re-validates and rejects.
+    source.put(app_id, "bad", r#"42; fn x() { 1 }"#).await;
+    let engine = engine_with(source);
+
+    let err = engine
+        .execute(r#"import "bad" as b; b::x()"#, req(app_id))
+        .expect_err("top-level expr in module should be rejected at resolve");
+    let msg = format!("{err:?}").to_lowercase();
+    assert!(
+        msg.contains("top-level") || msg.contains("module"),
+        "expected module-shape error, got {msg}"
+    );
+}
+
+/// v1.1.4 §10a regression: the backend error must be REDACTED before
+/// it reaches a script. The verbatim message (which can leak internal
+/// infrastructure shape, e.g. "connection refused") must not appear;
+/// the script sees only a stable generic.
+#[tokio::test(flavor = "multi_thread")]
+async fn resolver_backend_error_is_redacted_from_script() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    *source.fail_with.lock().await = Some("connection refused to 10.1.2.3:5432".into());
+    let engine = engine_with(source);
+
+    let err = engine
+        .execute(r#"import "x" as x; 1"#, req(app_id))
+        .expect_err("backend error should propagate");
+    let msg = format!("{err:?}");
+    assert!(
+        msg.contains("module backend unavailable"),
+        "expected redacted generic message, got {msg}"
+    );
+    assert!(
+        !msg.contains("connection refused") && !msg.contains("10.1.2.3"),
+        "redacted message must not leak the backend error, got {msg}"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn module_cache_hit_reuses_compiled_module() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    source.put(app_id, "u", "fn ping() { 1 }").await;
+
+    let engine = engine_with(source.clone());
+
+    // First execution compiles and caches.
+    engine
+        .execute(r#"import "u" as u; u::ping()"#, req(app_id))
+        .unwrap();
+    let lookups_after_first = source.lookup_count();
+    assert_eq!(
+        lookups_after_first, 1,
+        "first invocation should look up once"
+    );
+
+    // Second execution should re-lookup (to compare updated_at) but
+    // serve from cache without recompiling. We can't directly observe
+    // compile-vs-cache here, but we can assert lookup count grew by
+    // one (no spurious extra calls).
+    engine
+        .execute(r#"import "u" as u; u::ping()"#, req(app_id))
+        .unwrap();
+    assert_eq!(source.lookup_count(), 2);
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn module_cache_stale_invalidated_on_updated_at_change() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    let t0 = Utc::now() - chrono::Duration::seconds(10);
+    source
+        .put_with_updated_at(app_id, "u", r#"fn v() { 1 }"#, t0)
+        .await;
+
+    let engine = engine_with(source.clone());
+
+    let resp = engine
+        .execute(r#"import "u" as u; u::v()"#, req(app_id))
+        .unwrap();
+    assert_eq!(resp.body, serde_json::json!(1));
+
+    // Replace with newer updated_at — cache should refresh.
+    let t1 = Utc::now();
+    source
+        .put_with_updated_at(app_id, "u", r#"fn v() { 99 }"#, t1)
+        .await;
+
+    let resp = engine
+        .execute(r#"import "u" as u; u::v()"#, req(app_id))
+        .unwrap();
+    assert_eq!(
+        resp.body,
+        serde_json::json!(99),
+        "edited module should be visible on next invocation"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn module_cache_keyed_by_app() {
+    let source = CountingModuleSource::new();
+    let app_a = AppId::new();
+    let app_b = AppId::new();
+    source.put(app_a, "u", "fn id() { 1 }").await;
+    source.put(app_b, "u", "fn id() { 2 }").await;
+
+    let engine = engine_with(source.clone());
+
+    // Both apps should compile + cache independently; neither sees
+    // the other's compiled module.
+    let resp = engine
+        .execute(r#"import "u" as u; u::id()"#, req(app_a))
+        .unwrap();
+    assert_eq!(resp.body, serde_json::json!(1));
+    let resp = engine
+        .execute(r#"import "u" as u; u::id()"#, req(app_b))
+        .unwrap();
+    assert_eq!(resp.body, serde_json::json!(2));
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn module_cache_lru_evicts_when_capacity_exceeded() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    source.put(app_id, "a", "fn v() { 1 }").await;
+    source.put(app_id, "b", "fn v() { 2 }").await;
+    source.put(app_id, "c", "fn v() { 3 }").await;
+
+    // Capacity 1 — only the most recently used entry stays cached.
+    let engine =
+        Engine::with_module_cache_capacity(Limits::default(), services_with(source.clone()), 1);
+
+    engine
+        .execute(r#"import "a" as m; m::v()"#, req(app_id))
+        .unwrap();
+    engine
+        .execute(r#"import "b" as m; m::v()"#, req(app_id))
+        .unwrap();
+    engine
+        .execute(r#"import "c" as m; m::v()"#, req(app_id))
+        .unwrap();
+
+    // Cache should hold at most one entry.
+    let cache = engine.module_cache().lock().unwrap();
+    assert!(
+        cache.len() <= 1,
+        "cache size {} exceeded capacity 1",
+        cache.len()
+    );
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn endpoint_can_import_module() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    source
+        .put(app_id, "helpers", r#"fn greet(name) { `hello, ${name}` }"#)
+        .await;
+
+    let engine = engine_with(source);
+    let resp = engine
+        .execute(
+            r#"import "helpers" as h; #{ statusCode: 200, body: h::greet("world") }"#,
+            req(app_id),
+        )
+        .unwrap();
+    assert_eq!(resp.status_code, 200);
+    assert_eq!(resp.body, serde_json::json!("hello, world"));
+}
+
+#[tokio::test(flavor = "multi_thread")]
+async fn module_can_import_module() {
+    let source = CountingModuleSource::new();
+    let app_id = AppId::new();
+    source.put(app_id, "inner", "fn three() { 3 }").await;
+    source
+        .put(
+            app_id,
+            "outer",
+            r#"import "inner" as i; fn nine() { i::three() * 3 }"#,
+        )
+        .await;
+    let engine = engine_with(source);
+
+    let resp = engine
+        .execute(r#"import "outer" as o; o::nine()"#, req(app_id))
+        .unwrap();
+    assert_eq!(resp.body, serde_json::json!(9));
+}
+
+#[test]
+fn validate_module_accepts_fn_const_import_only() {
+    let engine = Engine::new(Limits::default(), Services::default());
+    let valid = r#"
+        const PI = 3.14;
+        import "other" as o;
+        fn area(r) { PI * r * r }
+    "#;
+    let v = engine.validate_module(valid).expect("valid module body");
+    assert_eq!(v.imports, vec!["other".to_string()]);
+}
+
+#[test]
+fn validate_module_rejects_top_level_let() {
+    let engine = Engine::new(Limits::default(), Services::default());
+    let bad = "let x = 1; fn f() { x }";
+    let err = engine
+        .validate_module(bad)
+        .expect_err("top-level let should be rejected");
+    let msg = format!("{err:?}").to_lowercase();
+    assert!(msg.contains("top-level") || msg.contains("module"));
+}
+
+#[test]
+fn validate_module_rejects_top_level_expr() {
+    let engine = Engine::new(Limits::default(), Services::default());
+    let bad = "42";
+    let err = engine
+        .validate_module(bad)
+        .expect_err("top-level expr should be rejected");
+    let msg = format!("{err:?}").to_lowercase();
+    assert!(msg.contains("top-level") || msg.contains("module"));
+}
+
+#[test]
+fn validate_module_rejects_top_level_while() {
+    // Avoid `if true { ... }` — Rhai folds constant-condition `if`s
+    // at optimize time, leaving an empty statement list that passes
+    // module-shape validation vacuously. A `while` with a variable
+    // condition isn't folded.
+    let engine = Engine::new(Limits::default(), Services::default());
+    let bad = r#"let i = 0; while i < 1 { i += 1; }"#;
+    let err = engine
+        .validate_module(bad)
+        .expect_err("top-level loop should be rejected");
+    let msg = format!("{err:?}").to_lowercase();
+    assert!(msg.contains("top-level") || msg.contains("module"));
+}
+
+#[test]
+fn validate_endpoint_extracts_literal_imports() {
+    let engine = Engine::new(Limits::default(), Services::default());
+    let src = r#"
+        import "a" as a;
+        import "b" as b;
+        a::run() + b::run()
+    "#;
+    let v = engine
+        .validate(src)
+        .expect("endpoint with imports should parse");
+    assert_eq!(v.imports, vec!["a".to_string(), "b".to_string()]);
+}
+
+#[test]
+fn validate_endpoint_top_level_expr_still_allowed() {
+    // Endpoints can have arbitrary top-level statements — only
+    // modules are restricted. Confirm v1.1.3 didn't tighten endpoints.
+    let engine = Engine::new(Limits::default(), Services::default());
+    let src = r#"let x = 1; #{ statusCode: 200, body: x }"#;
+    engine
+        .validate(src)
+        .expect("endpoints may have top-level statements");
+}
+
+#[test]
+fn validate_endpoint_skips_dynamic_imports_in_imports_list() {
+    // `import some_var as y;` parses but is not a literal-path
+    // import — the dep graph cannot track it. The imports list
+    // should be empty for such a script.
+    let engine = Engine::new(Limits::default(), Services::default());
+    let src = r#"
+        let name = "x";
+        import name as y;
+        y::run()
+    "#;
+    let v = engine.validate(src).expect("dynamic import should parse");
+    assert!(
+        v.imports.is_empty(),
+        "dynamic imports should not appear in the dep-graph imports list, got {:?}",
+        v.imports
+    );
+}

crates/executor-core/tests/sdk_contract.rs

@@ -23,7 +23,7 @@
 use std::collections::BTreeMap;
 
 use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits, LogLevel};
-use picloud_shared::{ExecutionId, RequestId, ScriptId, ScriptSandbox};
+use picloud_shared::{AppId, ExecutionId, RequestId, ScriptId, ScriptSandbox, Services};
 use serde_json::{json, Value};
 
 // ----------------------------------------------------------------------------
@@ -31,12 +31,13 @@ use serde_json::{json, Value};
 // ----------------------------------------------------------------------------
 
 fn engine() -> Engine {
-    Engine::new(Limits::default())
+    Engine::new(Limits::default(), Services::default())
 }
 
 fn baseline_request() -> ExecRequest {
+    let execution_id = ExecutionId::new();
     ExecRequest {
-        execution_id: ExecutionId::new(),
+        execution_id,
         request_id: RequestId::new(),
         script_id: ScriptId::new(),
         script_name: "contract".into(),
@@ -48,6 +49,12 @@ fn baseline_request() -> ExecRequest {
         query: BTreeMap::new(),
         rest: String::new(),
         sandbox_overrides: ScriptSandbox::default(),
+        app_id: AppId::new(),
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
     }
 }
 

crates/executor-core/tests/sdk_docs.rs

@@ -0,0 +1,524 @@
+//! `docs::` SDK bridge integration tests — runs a real Rhai engine
+//! against an in-memory `DocsService` impl. Mirrors `tests/sdk_kv.rs`:
+//! `tokio::task::spawn_blocking` so the bridge's `block_on` has a
+//! reachable runtime.
+
+use std::collections::{BTreeMap, HashMap};
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use chrono::Utc;
+use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
+use picloud_shared::{
+    AppId, DocId, DocRow, DocsError, DocsListPage, DocsService, ExecutionId, NoopDeadLetterService,
+    NoopEventEmitter, NoopHttpService, NoopKvService, NoopModuleSource, RequestId, ScriptId,
+    ScriptSandbox, SdkCallCx, Services,
+};
+use serde_json::{json, Value};
+use tokio::sync::Mutex;
+use uuid::Uuid;
+
+#[derive(Default)]
+struct InMemoryDocs {
+    data: Mutex<HashMap<(AppId, String, DocId), DocRow>>,
+}
+
+#[async_trait]
+impl DocsService for InMemoryDocs {
+    async fn create(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        data: Value,
+    ) -> Result<DocId, DocsError> {
+        if !data.is_object() {
+            return Err(DocsError::InvalidData);
+        }
+        let id = Uuid::new_v4();
+        let now = Utc::now();
+        let row = DocRow {
+            id,
+            data,
+            created_at: now,
+            updated_at: now,
+        };
+        self.data
+            .lock()
+            .await
+            .insert((cx.app_id, collection.to_string(), id), row);
+        Ok(id)
+    }
+
+    async fn get(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: DocId,
+    ) -> Result<Option<DocRow>, DocsError> {
+        Ok(self
+            .data
+            .lock()
+            .await
+            .get(&(cx.app_id, collection.to_string(), id))
+            .cloned())
+    }
+
+    async fn find(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        filter: Value,
+    ) -> Result<Vec<DocRow>, DocsError> {
+        // Tiny eval: extract top-level equalities + $in arrays + $gt
+        // (text lex) so the bridge tests can run end-to-end against a
+        // fake. This fake mirrors the real service's reject-unsupported
+        // contract so the v1.2-pointer-error test goes through the
+        // bridge's error-propagation path.
+        let map = self.data.lock().await;
+        let obj = filter
+            .as_object()
+            .ok_or_else(|| DocsError::InvalidFilter("filter must be a map/object".into()))?;
+        reject_unsupported_operators(obj)?;
+        let mut out: Vec<DocRow> = map
+            .iter()
+            .filter(|((a, c, _), _)| *a == cx.app_id && c == collection)
+            .map(|(_, v)| v.clone())
+            .filter(|row| matches_simple(&row.data, obj))
+            .collect();
+        if let Some(limit) = obj.get("$limit").and_then(Value::as_u64) {
+            out.truncate(usize::try_from(limit).unwrap_or(usize::MAX));
+        }
+        Ok(out)
+    }
+
+    async fn find_one(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        filter: Value,
+    ) -> Result<Option<DocRow>, DocsError> {
+        Ok(self.find(cx, collection, filter).await?.into_iter().next())
+    }
+
+    async fn update(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: DocId,
+        data: Value,
+    ) -> Result<(), DocsError> {
+        if !data.is_object() {
+            return Err(DocsError::InvalidData);
+        }
+        let mut map = self.data.lock().await;
+        let key = (cx.app_id, collection.to_string(), id);
+        let Some(row) = map.get_mut(&key) else {
+            return Err(DocsError::NotFound);
+        };
+        row.data = data;
+        row.updated_at = Utc::now();
+        Ok(())
+    }
+
+    async fn delete(&self, cx: &SdkCallCx, collection: &str, id: DocId) -> Result<bool, DocsError> {
+        Ok(self
+            .data
+            .lock()
+            .await
+            .remove(&(cx.app_id, collection.to_string(), id))
+            .is_some())
+    }
+
+    async fn list(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        _cursor: Option<&str>,
+        _limit: u32,
+    ) -> Result<DocsListPage, DocsError> {
+        let mut docs: Vec<DocRow> = self
+            .data
+            .lock()
+            .await
+            .iter()
+            .filter(|((a, c, _), _)| *a == cx.app_id && c == collection)
+            .map(|(_, v)| v.clone())
+            .collect();
+        docs.sort_by_key(|d| d.id);
+        Ok(DocsListPage {
+            docs,
+            next_cursor: None,
+        })
+    }
+}
+
+/// Scan an operator object for any `$xxx` key not in the v1.1.2
+/// allowlist and return the same shape of error the real parser
+/// emits. Top-level `$limit` is the only allowed modifier the fake
+/// engages with; the unsupported test passes `$regex`.
+fn reject_unsupported_operators(obj: &serde_json::Map<String, Value>) -> Result<(), DocsError> {
+    const SUPPORTED_TOP_LEVEL: &[&str] = &["$limit", "$sort"];
+    const SUPPORTED_NESTED: &[&str] = &["$eq", "$ne", "$gt", "$gte", "$lt", "$lte", "$in"];
+    for (key, value) in obj {
+        if let Some(stripped) = key.strip_prefix('$') {
+            if !SUPPORTED_TOP_LEVEL.contains(&key.as_str()) {
+                return Err(DocsError::UnsupportedOperator(format!(
+                    "docs::find: top-level modifier '${stripped}' is not supported in v1.1.2; planned for v1.2 advanced query"
+                )));
+            }
+            continue;
+        }
+        if let Some(inner) = value.as_object() {
+            for op_key in inner.keys() {
+                if op_key.starts_with('$') && !SUPPORTED_NESTED.contains(&op_key.as_str()) {
+                    return Err(DocsError::UnsupportedOperator(format!(
+                        "docs::find: operator '{op_key}' is not supported in v1.1.2; planned for v1.2 advanced query"
+                    )));
+                }
+            }
+        }
+    }
+    Ok(())
+}
+
+fn matches_simple(data: &Value, filter: &serde_json::Map<String, Value>) -> bool {
+    for (key, want) in filter {
+        if key.starts_with('$') {
+            // $limit handled in the find body.
+            continue;
+        }
+        let actual = data.get(key);
+        if let Some(obj) = want.as_object() {
+            // operator object — handle $in and $gt only (enough for
+            // the bridge tests to exercise the round-trip).
+            if let Some(arr) = obj.get("$in").and_then(Value::as_array) {
+                let Some(actual) = actual else {
+                    return false;
+                };
+                if !arr.iter().any(|v| v == actual) {
+                    return false;
+                }
+                continue;
+            }
+            if let Some(gt) = obj.get("$gt") {
+                let Some(actual) = actual else {
+                    return false;
+                };
+                let a = actual.as_str().unwrap_or("");
+                let b = gt.as_str().unwrap_or("");
+                if a <= b {
+                    return false;
+                }
+                continue;
+            }
+            return false;
+        }
+        if Some(want) != actual {
+            return false;
+        }
+    }
+    true
+}
+
+fn make_engine() -> Arc<Engine> {
+    let services = Services::new(
+        Arc::new(NoopKvService),
+        Arc::new(InMemoryDocs::default()),
+        Arc::new(NoopDeadLetterService),
+        Arc::new(NoopEventEmitter),
+        Arc::new(NoopModuleSource),
+        Arc::new(NoopHttpService),
+        Arc::new(picloud_shared::NoopFilesService),
+        Arc::new(picloud_shared::NoopPubsubService),
+    );
+    Arc::new(Engine::new(Limits::default(), services))
+}
+
+fn baseline_request(app_id: AppId) -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id: ScriptId::new(),
+        script_name: "docs-test".into(),
+        invocation_type: InvocationType::Http,
+        path: "/docs-test".into(),
+        headers: BTreeMap::new(),
+        body: Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id,
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+async fn run_script(engine: Arc<Engine>, src: &str, req: ExecRequest) -> Value {
+    let src = src.to_string();
+    tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic")
+        .expect("script execution should succeed")
+        .body
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_create_then_get_round_trip() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let users = docs::collection("users");
+        let id = users.create(#{ name: "Alice", tier: "gold" });
+        let doc = users.get(id);
+        #{ id_matches: doc.id == id, data_name: doc.data.name }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    let obj = body.as_object().unwrap();
+    assert_eq!(obj["id_matches"], json!(true));
+    assert_eq!(obj["data_name"], json!("Alice"));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_get_missing_returns_unit() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        let v = c.get("00000000-0000-0000-0000-000000000000");
+        v == ()
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!(true));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_get_with_invalid_uuid_throws() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"docs::collection("users").get("not-a-uuid")"#;
+    let req = baseline_request(app);
+    let err = tokio::task::spawn_blocking(move || engine.execute(src, req))
+        .await
+        .unwrap()
+        .expect_err("invalid uuid should throw");
+    assert!(format!("{err:?}").contains("invalid id"));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_find_equality_returns_matches() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        c.create(#{ tier: "gold" });
+        c.create(#{ tier: "silver" });
+        c.create(#{ tier: "gold" });
+        let golds = c.find(#{ tier: "gold" });
+        golds.len()
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!(2));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_find_with_in_operator() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        c.create(#{ tier: "gold" });
+        c.create(#{ tier: "silver" });
+        c.create(#{ tier: "platinum" });
+        let hits = c.find(#{ tier: #{ "$in": ["gold", "platinum"] } });
+        hits.len()
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!(2));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_find_with_gt_comparison() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("events");
+        c.create(#{ when: "2026-01-15" });
+        c.create(#{ when: "2026-03-15" });
+        c.create(#{ when: "2026-05-15" });
+        let recent = c.find(#{ when: #{ "$gt": "2026-02-01" } });
+        recent.len()
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!(2));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_find_one_returns_envelope_or_unit() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        c.create(#{ tier: "gold" });
+        let hit = c.find_one(#{ tier: "gold" });
+        let miss = c.find_one(#{ tier: "platinum" });
+        #{ hit_has_data: hit.data.tier == "gold", miss_is_unit: miss == () }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    let obj = body.as_object().unwrap();
+    assert_eq!(obj["hit_has_data"], json!(true));
+    assert_eq!(obj["miss_is_unit"], json!(true));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_update_then_get_reflects_change() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        let id = c.create(#{ name: "Alice", tier: "gold" });
+        c.update(id, #{ name: "Alice", tier: "platinum" });
+        c.get(id).data.tier
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!("platinum"));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_update_missing_throws() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        c.update("00000000-0000-0000-0000-000000000000", #{ x: 1 })
+    "#;
+    let req = baseline_request(app);
+    let err = tokio::task::spawn_blocking(move || engine.execute(src, req))
+        .await
+        .unwrap()
+        .expect_err("update missing should throw");
+    assert!(format!("{err:?}").contains("not found"));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_delete_returns_was_present() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        let nope = c.delete("00000000-0000-0000-0000-000000000000");
+        let id = c.create(#{ x: 1 });
+        let yep = c.delete(id);
+        #{ nope: nope, yep: yep }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!({ "nope": false, "yep": true }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_unsupported_operator_throws_with_v1_2_pointer() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        c.find(#{ name: #{ "$regex": "^A" } })
+    "#;
+    let req = baseline_request(app);
+    let err = tokio::task::spawn_blocking(move || engine.execute(src, req))
+        .await
+        .unwrap()
+        .expect_err("unsupported operator should throw");
+    let msg = format!("{err:?}");
+    assert!(msg.contains("$regex"), "msg: {msg}");
+    assert!(msg.contains("v1.2"), "msg: {msg}");
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_empty_collection_name_throws() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"docs::collection("")"#;
+    let req = baseline_request(app);
+    let err = tokio::task::spawn_blocking(move || engine.execute(src, req))
+        .await
+        .unwrap()
+        .expect_err("empty collection should throw");
+    assert!(format!("{err:?}").contains("docs::collection"));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_list_returns_docs_array() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        c.create(#{ a: 1 });
+        c.create(#{ a: 2 });
+        let page = c.list();
+        page.docs.len()
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!(2));
+}
+
+/// Cross-app isolation through the bridge — script with `app_id = A`
+/// must NOT see documents written from `app_id = B` even when the
+/// (collection, id) tuple is shared. The bridge captures `cx.app_id`
+/// via `Arc<SdkCallCx>` and the service derives storage `app_id` from
+/// it (never from a script arg).
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_bridge_preserves_cross_app_isolation() {
+    let engine = make_engine();
+    let app_a = AppId::new();
+    let app_b = AppId::new();
+
+    let writer = r#"
+        let c = docs::collection("shared");
+        let id = c.create(#{ from: "a" });
+        id
+    "#;
+    let id_a = run_script(engine.clone(), writer, baseline_request(app_a)).await;
+    let id_a_str = id_a.as_str().unwrap().to_string();
+
+    // App B looks up the same id under the same collection — should
+    // see nothing because the service keyed it by app_id = A.
+    let reader_src = format!(
+        r#"
+        let c = docs::collection("shared");
+        let v = c.get("{id_a_str}");
+        v == ()
+    "#
+    );
+    let body = run_script(engine, &reader_src, baseline_request(app_b)).await;
+    assert_eq!(body, json!(true));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn docs_envelope_has_id_data_created_at_updated_at() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = docs::collection("users");
+        let id = c.create(#{ name: "Alice" });
+        let doc = c.get(id);
+        // Probe each envelope field is present + correctly typed.
+        #{
+            has_id:         type_of(doc.id) == "string",
+            has_data:       type_of(doc.data) == "map",
+            has_created_at: type_of(doc.created_at) == "string",
+            has_updated_at: type_of(doc.updated_at) == "string",
+            user_field:     doc.data.name
+        }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    let obj = body.as_object().unwrap();
+    assert_eq!(obj["has_id"], json!(true));
+    assert_eq!(obj["has_data"], json!(true));
+    assert_eq!(obj["has_created_at"], json!(true));
+    assert_eq!(obj["has_updated_at"], json!(true));
+    assert_eq!(obj["user_field"], json!("Alice"));
+}

crates/executor-core/tests/sdk_files.rs

@@ -0,0 +1,334 @@
+//! `files::` SDK bridge integration tests — runs a real Rhai engine
+//! against an in-memory `FilesService` impl. Mirrors `tests/sdk_kv.rs`:
+//! `tokio::task::spawn_blocking` so the bridge's `block_on` has a
+//! reachable runtime. Exercises the actual Rhai surface — blob in/out,
+//! the metadata map shape, and the missing-required-field throw.
+
+use std::collections::BTreeMap;
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
+use picloud_shared::{
+    AppId, ExecutionId, FileMeta, FileUpdate, FilesError, FilesListPage, FilesService, NewFile,
+    NoopDeadLetterService, NoopDocsService, NoopEventEmitter, NoopHttpService, NoopKvService,
+    NoopModuleSource, RequestId, ScriptId, ScriptSandbox, SdkCallCx, Services,
+};
+use serde_json::{json, Value};
+use tokio::sync::Mutex;
+use uuid::Uuid;
+
+#[derive(Default)]
+struct InMemoryFiles {
+    #[allow(clippy::type_complexity)]
+    data: Mutex<BTreeMap<(AppId, String, Uuid), (FileMeta, Vec<u8>)>>,
+}
+
+/// The in-memory fake doesn't exercise the real checksum path (the
+/// `FsFilesRepo` tempdir tests in manager-core cover SHA-256); a stable
+/// placeholder keeps the metadata map non-empty.
+fn fake_checksum(bytes: &[u8]) -> String {
+    format!("len-{}", bytes.len())
+}
+
+#[async_trait]
+impl FilesService for InMemoryFiles {
+    async fn create(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        new: NewFile,
+    ) -> Result<Uuid, FilesError> {
+        if collection.is_empty() {
+            return Err(FilesError::InvalidCollection("empty".into()));
+        }
+        new.validate(100 * 1024 * 1024)?;
+        let id = Uuid::new_v4();
+        let now = chrono::Utc::now();
+        let meta = FileMeta {
+            id,
+            collection: collection.to_string(),
+            name: new.name.clone(),
+            content_type: new.content_type.clone(),
+            size: new.data.len() as u64,
+            checksum: fake_checksum(&new.data),
+            created_at: now,
+            updated_at: now,
+        };
+        self.data
+            .lock()
+            .await
+            .insert((cx.app_id, collection.to_string(), id), (meta, new.data));
+        Ok(id)
+    }
+
+    async fn head(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: &str,
+    ) -> Result<Option<FileMeta>, FilesError> {
+        let Ok(uuid) = Uuid::parse_str(id) else {
+            return Ok(None);
+        };
+        Ok(self
+            .data
+            .lock()
+            .await
+            .get(&(cx.app_id, collection.to_string(), uuid))
+            .map(|(m, _)| m.clone()))
+    }
+
+    async fn get(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: &str,
+    ) -> Result<Option<Vec<u8>>, FilesError> {
+        let Ok(uuid) = Uuid::parse_str(id) else {
+            return Ok(None);
+        };
+        Ok(self
+            .data
+            .lock()
+            .await
+            .get(&(cx.app_id, collection.to_string(), uuid))
+            .map(|(_, b)| b.clone()))
+    }
+
+    async fn update(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: &str,
+        upd: FileUpdate,
+    ) -> Result<(), FilesError> {
+        upd.validate(100 * 1024 * 1024)?;
+        let Ok(uuid) = Uuid::parse_str(id) else {
+            return Err(FilesError::NotFound);
+        };
+        let mut data = self.data.lock().await;
+        let key = (cx.app_id, collection.to_string(), uuid);
+        let Some((meta, _)) = data.get(&key).cloned() else {
+            return Err(FilesError::NotFound);
+        };
+        let mut meta = meta;
+        if let Some(n) = upd.name {
+            meta.name = n;
+        }
+        if let Some(ct) = upd.content_type {
+            meta.content_type = ct;
+        }
+        meta.size = upd.data.len() as u64;
+        meta.checksum = fake_checksum(&upd.data);
+        data.insert(key, (meta, upd.data));
+        Ok(())
+    }
+
+    async fn delete(&self, cx: &SdkCallCx, collection: &str, id: &str) -> Result<bool, FilesError> {
+        let Ok(uuid) = Uuid::parse_str(id) else {
+            return Ok(false);
+        };
+        Ok(self
+            .data
+            .lock()
+            .await
+            .remove(&(cx.app_id, collection.to_string(), uuid))
+            .is_some())
+    }
+
+    async fn list(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        _cursor: Option<&str>,
+        _limit: u32,
+    ) -> Result<FilesListPage, FilesError> {
+        let data = self.data.lock().await;
+        let files: Vec<FileMeta> = data
+            .iter()
+            .filter(|((a, c, _), _)| *a == cx.app_id && c == collection)
+            .map(|(_, (m, _))| m.clone())
+            .collect();
+        Ok(FilesListPage {
+            files,
+            next_cursor: None,
+        })
+    }
+}
+
+fn make_engine() -> Arc<Engine> {
+    let services = Services::new(
+        Arc::new(NoopKvService),
+        Arc::new(NoopDocsService),
+        Arc::new(NoopDeadLetterService),
+        Arc::new(NoopEventEmitter),
+        Arc::new(NoopModuleSource),
+        Arc::new(NoopHttpService),
+        Arc::new(InMemoryFiles::default()),
+        Arc::new(picloud_shared::NoopPubsubService),
+    );
+    Arc::new(Engine::new(Limits::default(), services))
+}
+
+fn baseline_request(app_id: AppId) -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id: ScriptId::new(),
+        script_name: "files-test".into(),
+        invocation_type: InvocationType::Http,
+        path: "/files-test".into(),
+        headers: BTreeMap::new(),
+        body: Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id,
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+async fn run_script(engine: Arc<Engine>, src: &str, req: ExecRequest) -> Value {
+    let src = src.to_string();
+    tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic")
+        .expect("script execution should succeed")
+        .body
+}
+
+async fn run_script_err(engine: Arc<Engine>, src: &str, req: ExecRequest) -> String {
+    let src = src.to_string();
+    let res = tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic");
+    format!("{:?}", res.expect_err("script should error"))
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn files_create_get_round_trip_via_blob() {
+    let engine = make_engine();
+    let app = AppId::new();
+    // base64("hello") = "aGVsbG8="; decode → blob; create; get back; encode.
+    let src = r#"
+        let c = files::collection("avatars");
+        let data = base64::decode("aGVsbG8=");
+        let id = c.create(#{ name: "a.txt", content_type: "text/plain", data: data });
+        let back = c.get(id);
+        base64::encode(back)
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!("aGVsbG8="));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn files_head_returns_metadata_map() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = files::collection("avatars");
+        let data = base64::decode("aGVsbG8=");
+        let id = c.create(#{ name: "a.txt", content_type: "text/plain", data: data });
+        let meta = c.head(id);
+        #{ name: meta.name, content_type: meta.content_type, size: meta.size, has_checksum: meta.checksum != () }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(
+        body,
+        json!({ "name": "a.txt", "content_type": "text/plain", "size": 5, "has_checksum": true })
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn files_get_and_head_missing_return_unit() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = files::collection("avatars");
+        let g = c.get("00000000-0000-0000-0000-000000000000");
+        let h = c.head("00000000-0000-0000-0000-000000000000");
+        #{ g: g == (), h: h == () }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!({ "g": true, "h": true }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn files_update_then_delete() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = files::collection("avatars");
+        let id = c.create(#{ name: "a", content_type: "text/plain", data: base64::decode("YQ==") });
+        c.update(id, #{ data: base64::decode("YmM=") });   // "bc"
+        let after = base64::encode(c.get(id));
+        let removed = c.delete(id);
+        let gone = c.delete(id);
+        #{ after: after, removed: removed, gone: gone }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(
+        body,
+        json!({ "after": "YmM=", "removed": true, "gone": false })
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn files_create_missing_data_throws_naming_field() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = files::collection("avatars");
+        c.create(#{ name: "a", content_type: "text/plain" })
+    "#;
+    let err = run_script_err(engine, src, baseline_request(app)).await;
+    assert!(
+        err.contains("data"),
+        "error should name the missing field: {err}"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn files_create_missing_name_throws_naming_field() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = files::collection("avatars");
+        c.create(#{ content_type: "text/plain", data: base64::decode("YQ==") })
+    "#;
+    let err = run_script_err(engine, src, baseline_request(app)).await;
+    assert!(
+        err.contains("name"),
+        "error should name the missing field: {err}"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn files_empty_collection_name_throws() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let err = run_script_err(engine, r#"files::collection("")"#, baseline_request(app)).await;
+    assert!(err.to_lowercase().contains("empty"), "got {err}");
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn files_list_returns_files_array() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = files::collection("avatars");
+        c.create(#{ name: "a", content_type: "text/plain", data: base64::decode("YQ==") });
+        c.create(#{ name: "b", content_type: "text/plain", data: base64::decode("Yg==") });
+        let page = c.list();
+        page.files.len()
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!(2));
+}

crates/executor-core/tests/sdk_http.rs

@@ -0,0 +1,336 @@
+//! Bridge integration for the `http::*` SDK (v1.1.4).
+//!
+//! Runs a real Rhai engine under `spawn_blocking` against an in-memory
+//! `HttpService` fake that records the last request and returns a
+//! configured response (or error). This exercises the full bridge:
+//! option parsing, body dispatch, response→map projection, the
+//! throw-on-network-error / no-throw-on-non-2xx convention, and that
+//! `cx.app_id` / `cx.script_id` are forwarded for attribution.
+
+use std::collections::BTreeMap;
+use std::sync::{Arc, Mutex};
+
+use async_trait::async_trait;
+use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
+use picloud_shared::{
+    AppId, ExecutionId, HttpError, HttpRequest, HttpResponse, HttpService, NoopDeadLetterService,
+    NoopDocsService, NoopEventEmitter, NoopKvService, NoopModuleSource, RequestId, ScriptId,
+    ScriptSandbox, Services,
+};
+use serde_json::{json, Value};
+
+/// What the fake returns. Either a canned response or an error.
+#[derive(Clone)]
+enum Behavior {
+    Respond(HttpResponse),
+    Fail(String), // becomes HttpError::Network
+}
+
+#[derive(Default)]
+struct Recorded {
+    last: Option<HttpRequest>,
+    last_app: Option<AppId>,
+    last_script: Option<String>,
+}
+
+struct FakeHttp {
+    behavior: Behavior,
+    recorded: Mutex<Recorded>,
+}
+
+impl FakeHttp {
+    fn responding(status: u16, content_type: &str, body: &str) -> Arc<Self> {
+        let mut headers = BTreeMap::new();
+        headers.insert("content-type".into(), content_type.into());
+        Arc::new(Self {
+            behavior: Behavior::Respond(HttpResponse {
+                status,
+                headers,
+                body_raw: body.into(),
+            }),
+            recorded: Mutex::new(Recorded::default()),
+        })
+    }
+
+    fn failing(msg: &str) -> Arc<Self> {
+        Arc::new(Self {
+            behavior: Behavior::Fail(msg.into()),
+            recorded: Mutex::new(Recorded::default()),
+        })
+    }
+}
+
+#[async_trait]
+impl HttpService for FakeHttp {
+    async fn request(
+        &self,
+        cx: &picloud_shared::SdkCallCx,
+        req: HttpRequest,
+    ) -> Result<HttpResponse, HttpError> {
+        {
+            let mut r = self.recorded.lock().unwrap();
+            r.last = Some(req.clone());
+            r.last_app = Some(cx.app_id);
+            r.last_script = Some(cx.script_id.to_string());
+        }
+        match &self.behavior {
+            Behavior::Respond(resp) => Ok(resp.clone()),
+            Behavior::Fail(msg) => Err(HttpError::Network(msg.clone())),
+        }
+    }
+}
+
+fn engine_with(http: Arc<dyn HttpService>) -> Arc<Engine> {
+    let services = Services::new(
+        Arc::new(NoopKvService),
+        Arc::new(NoopDocsService),
+        Arc::new(NoopDeadLetterService),
+        Arc::new(NoopEventEmitter),
+        Arc::new(NoopModuleSource),
+        http,
+        Arc::new(picloud_shared::NoopFilesService),
+        Arc::new(picloud_shared::NoopPubsubService),
+    );
+    Arc::new(Engine::new(Limits::default(), services))
+}
+
+fn baseline_request(app_id: AppId, script_id: ScriptId) -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id,
+        script_name: "http-test".into(),
+        invocation_type: InvocationType::Http,
+        path: "/http-test".into(),
+        headers: BTreeMap::new(),
+        body: Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id,
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+async fn run(engine: Arc<Engine>, src: &str, req: ExecRequest) -> Value {
+    let src = src.to_string();
+    tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic")
+        .expect("script execution should succeed")
+        .body
+}
+
+async fn run_err(engine: Arc<Engine>, src: &str, req: ExecRequest) -> String {
+    let src = src.to_string();
+    let err = tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .unwrap()
+        .expect_err("script should throw");
+    format!("{err:?}")
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn get_returns_status_and_json_body() {
+    let http = FakeHttp::responding(200, "application/json", r#"{"ok":true,"n":7}"#);
+    let engine = engine_with(http.clone());
+    let src = r#"
+        let r = http::get("https://api.example.com/x");
+        #{ status: r.status, ok: r.body.ok, n: r.body.n }
+    "#;
+    let body = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    assert_eq!(body, json!({ "status": 200, "ok": true, "n": 7 }));
+    // GET carries no body.
+    assert!(http
+        .recorded
+        .lock()
+        .unwrap()
+        .last
+        .as_ref()
+        .unwrap()
+        .body
+        .is_none());
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn non_json_body_stays_string() {
+    let http = FakeHttp::responding(200, "text/plain", "plain text");
+    let engine = engine_with(http);
+    let src = r#"http::get("https://x/").body"#;
+    let body = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    assert_eq!(body, json!("plain text"));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn empty_body_is_unit() {
+    let http = FakeHttp::responding(204, "text/plain", "");
+    let engine = engine_with(http);
+    let src = r#"
+        let r = http::get("https://x/");
+        #{ is_unit: r.body == (), raw: r.body_raw }
+    "#;
+    let body = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    assert_eq!(body, json!({ "is_unit": true, "raw": "" }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn post_map_body_is_json_encoded() {
+    let http = FakeHttp::responding(200, "application/json", "{}");
+    let engine = engine_with(http.clone());
+    let src = r#"http::post("https://hooks/x", #{ text: "hello", n: 3 }).status"#;
+    let _ = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    let rec = http.recorded.lock().unwrap();
+    let req = rec.last.as_ref().unwrap();
+    assert_eq!(req.method, "POST");
+    assert_eq!(req.content_type.as_deref(), Some("application/json"));
+    let sent: Value = serde_json::from_slice(req.body.as_ref().unwrap()).unwrap();
+    assert_eq!(sent, json!({ "text": "hello", "n": 3 }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn post_string_body_is_text_plain() {
+    let http = FakeHttp::responding(200, "text/plain", "ok");
+    let engine = engine_with(http.clone());
+    let src = r#"http::post("https://x/", "raw payload").status"#;
+    let _ = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    let rec = http.recorded.lock().unwrap();
+    let req = rec.last.as_ref().unwrap();
+    assert_eq!(req.content_type.as_deref(), Some("text/plain"));
+    assert_eq!(req.body.as_deref(), Some(&b"raw payload"[..]));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn post_unit_body_sends_nothing() {
+    let http = FakeHttp::responding(200, "text/plain", "ok");
+    let engine = engine_with(http.clone());
+    let src = r#"http::post("https://x/", ()).status"#;
+    let _ = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    assert!(http
+        .recorded
+        .lock()
+        .unwrap()
+        .last
+        .as_ref()
+        .unwrap()
+        .body
+        .is_none());
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn custom_headers_and_timeout_forwarded() {
+    let http = FakeHttp::responding(200, "text/plain", "ok");
+    let engine = engine_with(http.clone());
+    let src = r#"
+        http::get("https://x/", #{
+            headers: #{ "Authorization": "Bearer t0ken" },
+            timeout_ms: 4200,
+        }).status
+    "#;
+    let _ = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    let rec = http.recorded.lock().unwrap();
+    let req = rec.last.as_ref().unwrap();
+    assert_eq!(
+        req.headers.get("Authorization").map(String::as_str),
+        Some("Bearer t0ken")
+    );
+    assert_eq!(req.timeout_ms, 4200);
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn unknown_option_key_throws() {
+    let http = FakeHttp::responding(200, "text/plain", "ok");
+    let engine = engine_with(http);
+    let src = r#"http::get("https://x/", #{ timeoutms: 1000 })"#; // typo
+    let err = run_err(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    assert!(err.contains("unknown option key"), "got {err}");
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn timeout_above_max_throws() {
+    let http = FakeHttp::responding(200, "text/plain", "ok");
+    let engine = engine_with(http);
+    let src = r#"http::get("https://x/", #{ timeout_ms: 99999 })"#;
+    let err = run_err(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    assert!(err.contains("maximum"), "got {err}");
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn non_2xx_does_not_throw() {
+    let http = FakeHttp::responding(503, "text/plain", "down");
+    let engine = engine_with(http);
+    let src = r#"http::get("https://x/").status"#;
+    let body = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    assert_eq!(body, json!(503));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn network_error_throws_with_http_prefix() {
+    let http = FakeHttp::failing("connection refused");
+    let engine = engine_with(http);
+    let src = r#"http::get("https://x/")"#;
+    let err = run_err(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    assert!(err.contains("http:"), "expected http: prefix, got {err}");
+    assert!(err.contains("connection refused"), "got {err}");
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn post_form_url_encodes() {
+    let http = FakeHttp::responding(200, "text/plain", "ok");
+    let engine = engine_with(http.clone());
+    let src = r#"http::post_form("https://x/login", #{ user: "alice", pw: "p@ss word" }).status"#;
+    let _ = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    let rec = http.recorded.lock().unwrap();
+    let req = rec.last.as_ref().unwrap();
+    assert_eq!(
+        req.content_type.as_deref(),
+        Some("application/x-www-form-urlencoded")
+    );
+    let body = String::from_utf8(req.body.clone().unwrap()).unwrap();
+    // order is map iteration order; assert both pairs present, encoded.
+    assert!(body.contains("user=alice"), "got {body}");
+    assert!(body.contains("pw=p%40ss+word"), "got {body}");
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn request_escape_hatch_arbitrary_method() {
+    let http = FakeHttp::responding(200, "text/plain", "ok");
+    let engine = engine_with(http.clone());
+    let src = r#"http::request("OPTIONS", "https://x/").status"#;
+    let _ = run(engine, src, baseline_request(AppId::new(), ScriptId::new())).await;
+    assert_eq!(
+        http.recorded.lock().unwrap().last.as_ref().unwrap().method,
+        "OPTIONS"
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn default_user_agent_carries_script_id() {
+    let http = FakeHttp::responding(200, "text/plain", "ok");
+    let engine = engine_with(http.clone());
+    let script_id = ScriptId::new();
+    let src = r#"http::get("https://x/").status"#;
+    let _ = run(engine, src, baseline_request(AppId::new(), script_id)).await;
+    let rec = http.recorded.lock().unwrap();
+    // The bridge forwards script_id on the request; the manager-core
+    // impl turns it into the User-Agent. Here we assert the forward.
+    assert_eq!(
+        rec.last.as_ref().unwrap().script_id.as_deref(),
+        Some(script_id.to_string().as_str())
+    );
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn cx_app_id_forwarded_for_attribution() {
+    let http = FakeHttp::responding(200, "text/plain", "ok");
+    let engine = engine_with(http.clone());
+    let app = AppId::new();
+    let src = r#"http::get("https://x/").status"#;
+    let _ = run(engine, src, baseline_request(app, ScriptId::new())).await;
+    assert_eq!(http.recorded.lock().unwrap().last_app, Some(app));
+}

crates/executor-core/tests/sdk_kv.rs

@@ -0,0 +1,266 @@
+//! `kv::` SDK bridge integration tests — runs a real Rhai engine
+//! against an in-memory `KvService` impl. Mirrors how
+//! `orchestrator-core::LocalExecutorClient` invokes the engine: under
+//! `tokio::task::spawn_blocking` so the bridge's `block_on` has a
+//! reachable runtime.
+
+use std::collections::{BTreeMap, HashMap};
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
+use picloud_shared::{
+    AppId, ExecutionId, KvError, KvListPage, KvService, NoopDeadLetterService, NoopDocsService,
+    NoopEventEmitter, NoopHttpService, NoopModuleSource, RequestId, ScriptId, ScriptSandbox,
+    SdkCallCx, Services,
+};
+use serde_json::{json, Value};
+use tokio::sync::Mutex;
+
+#[derive(Default)]
+struct InMemoryKv {
+    data: Mutex<HashMap<(AppId, String, String), Value>>,
+}
+
+#[async_trait]
+impl KvService for InMemoryKv {
+    async fn get(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        key: &str,
+    ) -> Result<Option<Value>, KvError> {
+        Ok(self
+            .data
+            .lock()
+            .await
+            .get(&(cx.app_id, collection.to_string(), key.to_string()))
+            .cloned())
+    }
+
+    async fn set(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        key: &str,
+        value: Value,
+    ) -> Result<(), KvError> {
+        self.data
+            .lock()
+            .await
+            .insert((cx.app_id, collection.to_string(), key.to_string()), value);
+        Ok(())
+    }
+
+    async fn delete(&self, cx: &SdkCallCx, collection: &str, key: &str) -> Result<bool, KvError> {
+        Ok(self
+            .data
+            .lock()
+            .await
+            .remove(&(cx.app_id, collection.to_string(), key.to_string()))
+            .is_some())
+    }
+
+    async fn has(&self, cx: &SdkCallCx, collection: &str, key: &str) -> Result<bool, KvError> {
+        Ok(self.data.lock().await.contains_key(&(
+            cx.app_id,
+            collection.to_string(),
+            key.to_string(),
+        )))
+    }
+
+    async fn list(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        cursor: Option<&str>,
+        limit: u32,
+    ) -> Result<KvListPage, KvError> {
+        let data = self.data.lock().await;
+        let mut keys: Vec<String> = data
+            .iter()
+            .filter(|((a, c, _), _)| *a == cx.app_id && c == collection)
+            .map(|((_, _, k), _)| k.clone())
+            .filter(|k| cursor.is_none_or(|c| k.as_str() > c))
+            .collect();
+        keys.sort();
+        let take = if limit == 0 {
+            usize::MAX
+        } else {
+            limit as usize
+        };
+        let next_cursor = if keys.len() > take {
+            keys.truncate(take);
+            keys.last().cloned()
+        } else {
+            None
+        };
+        Ok(KvListPage { keys, next_cursor })
+    }
+}
+
+fn make_engine() -> Arc<Engine> {
+    let services = Services::new(
+        Arc::new(InMemoryKv::default()),
+        Arc::new(NoopDocsService),
+        Arc::new(NoopDeadLetterService),
+        Arc::new(NoopEventEmitter),
+        Arc::new(NoopModuleSource),
+        Arc::new(NoopHttpService),
+        Arc::new(picloud_shared::NoopFilesService),
+        Arc::new(picloud_shared::NoopPubsubService),
+    );
+    Arc::new(Engine::new(Limits::default(), services))
+}
+
+fn baseline_request(app_id: AppId) -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id: ScriptId::new(),
+        script_name: "kv-test".into(),
+        invocation_type: InvocationType::Http,
+        path: "/kv-test".into(),
+        headers: BTreeMap::new(),
+        body: Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id,
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+async fn run_script(engine: Arc<Engine>, src: &str, req: ExecRequest) -> Value {
+    let src = src.to_string();
+    tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic")
+        .expect("script execution should succeed")
+        .body
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn kv_set_then_get_round_trip() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let widgets = kv::collection("widgets");
+        widgets.set("k1", #{ n: 1 });
+        widgets.get("k1")
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!({ "n": 1 }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn kv_get_missing_returns_unit() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = kv::collection("widgets");
+        let v = c.get("nope");
+        v == ()
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!(true));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn kv_has_returns_bool() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = kv::collection("widgets");
+        let before = c.has("k");
+        c.set("k", "v");
+        let after = c.has("k");
+        #{ before: before, after: after }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!({ "before": false, "after": true }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn kv_delete_returns_was_present() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = kv::collection("widgets");
+        let nope = c.delete("missing");
+        c.set("k", 1);
+        let yep = c.delete("k");
+        #{ nope: nope, yep: yep }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    assert_eq!(body, json!({ "nope": false, "yep": true }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn kv_empty_collection_name_throws() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"kv::collection("")"#;
+    let req = baseline_request(app);
+    let err = tokio::task::spawn_blocking(move || engine.execute(src, req))
+        .await
+        .unwrap()
+        .expect_err("empty collection should throw");
+    assert!(format!("{err:?}").contains("kv::collection"));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn kv_list_pages_via_cursor() {
+    let engine = make_engine();
+    let app = AppId::new();
+    let src = r#"
+        let c = kv::collection("widgets");
+        for i in 0..5 { c.set(`k${i}`, i); }
+        let p1 = c.list("", 2);
+        let p2 = c.list(p1.next_cursor, 2);
+        #{
+            p1_keys: p1.keys,
+            p1_cursor: p1.next_cursor,
+            p2_keys: p2.keys,
+        }
+    "#;
+    let body = run_script(engine, src, baseline_request(app)).await;
+    let obj = body.as_object().unwrap();
+    let p1_keys = obj["p1_keys"].as_array().unwrap();
+    let p2_keys = obj["p2_keys"].as_array().unwrap();
+    assert_eq!(p1_keys.len(), 2);
+    assert_eq!(p2_keys.len(), 2);
+    assert!(obj["p1_cursor"].is_string());
+}
+
+/// Cross-app isolation via `cx.app_id` — script with `app_id = A`
+/// cannot see entries from `app_id = B`. The kv:: bridge never
+/// surfaces `app_id` to the script, so this is enforced purely by the
+/// service deriving it from the captured `Arc<SdkCallCx>`.
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn kv_bridge_preserves_cross_app_isolation() {
+    let engine = make_engine();
+    let app_a = AppId::new();
+    let app_b = AppId::new();
+
+    let writer = r#"
+        let c = kv::collection("shared");
+        c.set("k", "from-a");
+        "ok"
+    "#;
+    let _ = run_script(engine.clone(), writer, baseline_request(app_a)).await;
+
+    // App B sees nothing under the same collection/key.
+    let reader = r#"
+        let c = kv::collection("shared");
+        c.get("k")
+    "#;
+    let body = run_script(engine, reader, baseline_request(app_b)).await;
+    assert_eq!(body, Value::Null);
+}

crates/executor-core/tests/sdk_pubsub.rs

@@ -0,0 +1,157 @@
+//! `pubsub::` SDK bridge integration tests — runs a real Rhai engine
+//! against an in-memory `PubsubService` that records the published
+//! `(topic, message)`. Verifies the message JSON encoding the wire
+//! contract requires: Maps, Arrays, strings, numbers, bool, null, and
+//! **Blob → base64**, including nesting.
+
+use std::collections::BTreeMap;
+use std::sync::{Arc, Mutex};
+
+use async_trait::async_trait;
+use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
+use picloud_shared::{
+    AppId, ExecutionId, NoopDeadLetterService, NoopDocsService, NoopEventEmitter, NoopFilesService,
+    NoopHttpService, NoopKvService, NoopModuleSource, PubsubError, PubsubService, RequestId,
+    ScriptId, ScriptSandbox, SdkCallCx, Services,
+};
+use serde_json::{json, Value};
+
+#[derive(Default)]
+struct RecordingPubsub {
+    last: Mutex<Option<(String, Value)>>,
+}
+
+#[async_trait]
+impl PubsubService for RecordingPubsub {
+    async fn publish_durable(
+        &self,
+        _cx: &SdkCallCx,
+        topic: &str,
+        message: Value,
+    ) -> Result<(), PubsubError> {
+        if topic.trim().is_empty() {
+            return Err(PubsubError::EmptyTopic);
+        }
+        *self.last.lock().unwrap() = Some((topic.to_string(), message));
+        Ok(())
+    }
+}
+
+fn make_engine(svc: Arc<RecordingPubsub>) -> Arc<Engine> {
+    let services = Services::new(
+        Arc::new(NoopKvService),
+        Arc::new(NoopDocsService),
+        Arc::new(NoopDeadLetterService),
+        Arc::new(NoopEventEmitter),
+        Arc::new(NoopModuleSource),
+        Arc::new(NoopHttpService),
+        Arc::new(NoopFilesService),
+        svc,
+    );
+    Arc::new(Engine::new(Limits::default(), services))
+}
+
+fn baseline_request(app_id: AppId) -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id: ScriptId::new(),
+        script_name: "pubsub-test".into(),
+        invocation_type: InvocationType::Http,
+        path: "/pubsub-test".into(),
+        headers: BTreeMap::new(),
+        body: Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id,
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+async fn run(engine: Arc<Engine>, src: &str, req: ExecRequest) {
+    let src = src.to_string();
+    tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic")
+        .expect("script execution should succeed");
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn publish_map_message() {
+    let svc = Arc::new(RecordingPubsub::default());
+    let engine = make_engine(svc.clone());
+    run(
+        engine,
+        r#"pubsub::publish_durable("user.created", #{ user_id: "abc", n: 7, ok: true });"#,
+        baseline_request(AppId::new()),
+    )
+    .await;
+    let (topic, msg) = svc.last.lock().unwrap().clone().unwrap();
+    assert_eq!(topic, "user.created");
+    assert_eq!(msg, json!({ "user_id": "abc", "n": 7, "ok": true }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn publish_scalar_and_array_and_null() {
+    let svc = Arc::new(RecordingPubsub::default());
+    let engine = make_engine(svc.clone());
+    run(
+        engine,
+        r#"pubsub::publish_durable("a", [1, "two", false, ()]);"#,
+        baseline_request(AppId::new()),
+    )
+    .await;
+    let (_t, msg) = svc.last.lock().unwrap().clone().unwrap();
+    assert_eq!(msg, json!([1, "two", false, null]));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn publish_number_scalar() {
+    let svc = Arc::new(RecordingPubsub::default());
+    let engine = make_engine(svc.clone());
+    run(
+        engine,
+        r#"pubsub::publish_durable("metric", 42);"#,
+        baseline_request(AppId::new()),
+    )
+    .await;
+    let (_t, msg) = svc.last.lock().unwrap().clone().unwrap();
+    assert_eq!(msg, json!(42));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn publish_blob_encodes_base64_including_nested() {
+    let svc = Arc::new(RecordingPubsub::default());
+    let engine = make_engine(svc.clone());
+    // base64("hello") = "aGVsbG8=" (STANDARD, padded).
+    run(
+        engine,
+        r#"
+            let data = base64::decode("aGVsbG8=");
+            pubsub::publish_durable("blobs", #{ raw: data, list: [data] });
+        "#,
+        baseline_request(AppId::new()),
+    )
+    .await;
+    let (_t, msg) = svc.last.lock().unwrap().clone().unwrap();
+    assert_eq!(msg, json!({ "raw": "aGVsbG8=", "list": ["aGVsbG8="] }));
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn publish_empty_topic_throws() {
+    let svc = Arc::new(RecordingPubsub::default());
+    let engine = make_engine(svc.clone());
+    let src = r#"pubsub::publish_durable("", 1);"#.to_string();
+    let req = baseline_request(AppId::new());
+    let res = tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic");
+    assert!(res.is_err(), "empty topic should throw");
+}

crates/executor-core/tests/sdk_subscriber_token.rs

@@ -0,0 +1,242 @@
+//! `pubsub::subscriber_token` SDK bridge integration tests (v1.1.6).
+//!
+//! Runs a real Rhai engine against a fake `PubsubService` whose
+//! `mint_subscriber_token` mirrors the production validation (principal
+//! required, non-empty topics, ttl clamp, externally-subscribable check)
+//! and signs a real token. These cover the bridge surface: array →
+//! `Vec<String>` forwarding, the omitted/`()`/integer ttl handling, and
+//! errors surfacing as thrown Rhai errors. The authoritative validation
+//! logic is unit-tested in `manager-core::pubsub_service`.
+
+use std::collections::BTreeMap;
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use picloud_executor_core::{Engine, ExecRequest, InvocationType, Limits};
+use picloud_shared::subscriber_token::{self, TokenClaims};
+use picloud_shared::{
+    AdminUserId, AppId, ExecutionId, InstanceRole, NoopDeadLetterService, NoopDocsService,
+    NoopEventEmitter, NoopFilesService, NoopHttpService, NoopKvService, NoopModuleSource,
+    Principal, PubsubError, PubsubService, RequestId, ScriptId, ScriptSandbox, SdkCallCx, Services,
+};
+use serde_json::Value;
+
+const FAKE_KEY: [u8; 32] = [7u8; 32];
+const MIN_TTL: i64 = 10;
+const MAX_TTL: i64 = 86_400;
+const DEFAULT_TTL: i64 = 3_600;
+
+/// Fake that mirrors the production mint rules and signs with FAKE_KEY.
+#[derive(Default)]
+struct FakeMintPubsub;
+
+#[async_trait]
+impl PubsubService for FakeMintPubsub {
+    async fn publish_durable(
+        &self,
+        _cx: &SdkCallCx,
+        _topic: &str,
+        _message: Value,
+    ) -> Result<(), PubsubError> {
+        Ok(())
+    }
+
+    async fn mint_subscriber_token(
+        &self,
+        cx: &SdkCallCx,
+        topics: Vec<String>,
+        ttl_seconds: Option<i64>,
+    ) -> Result<String, PubsubError> {
+        if cx.principal.is_none() {
+            return Err(PubsubError::SubscriberToken(
+                "pubsub::subscriber_token: requires an authenticated principal".into(),
+            ));
+        }
+        if topics.is_empty() {
+            return Err(PubsubError::SubscriberToken(
+                "pubsub::subscriber_token: topics list must not be empty".into(),
+            ));
+        }
+        let ttl = ttl_seconds.unwrap_or(DEFAULT_TTL);
+        if !(MIN_TTL..=MAX_TTL).contains(&ttl) {
+            return Err(PubsubError::SubscriberToken(format!(
+                "pubsub::subscriber_token: ttl_seconds must be between {MIN_TTL} and {MAX_TTL}"
+            )));
+        }
+        for name in &topics {
+            // Only "chat" and "notify" are "registered" in this fake.
+            if name != "chat" && name != "notify" {
+                return Err(PubsubError::SubscriberToken(format!(
+                    "pubsub::subscriber_token: topic {name} is not externally subscribable"
+                )));
+            }
+        }
+        let now = 1_000_000;
+        Ok(subscriber_token::sign(
+            &FAKE_KEY,
+            &TokenClaims {
+                app_id: cx.app_id,
+                topics,
+                exp: now + ttl,
+                iat: now,
+            },
+        ))
+    }
+}
+
+fn make_engine() -> Arc<Engine> {
+    let services = Services::new(
+        Arc::new(NoopKvService),
+        Arc::new(NoopDocsService),
+        Arc::new(NoopDeadLetterService),
+        Arc::new(NoopEventEmitter),
+        Arc::new(NoopModuleSource),
+        Arc::new(NoopHttpService),
+        Arc::new(NoopFilesService),
+        Arc::new(FakeMintPubsub),
+    );
+    Arc::new(Engine::new(Limits::default(), services))
+}
+
+fn request(app_id: AppId, with_principal: bool) -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id: ScriptId::new(),
+        script_name: "token-test".into(),
+        invocation_type: InvocationType::Http,
+        path: "/token-test".into(),
+        headers: BTreeMap::new(),
+        body: Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id,
+        principal: with_principal.then(|| Principal {
+            user_id: AdminUserId::new(),
+            instance_role: InstanceRole::Owner,
+            scopes: None,
+            app_binding: None,
+        }),
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+async fn run_ok(engine: Arc<Engine>, src: &str, req: ExecRequest) -> Value {
+    let src = src.to_string();
+    tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic")
+        .expect("script execution should succeed")
+        .body
+}
+
+async fn run_err(engine: Arc<Engine>, src: &str, req: ExecRequest) {
+    let src = src.to_string();
+    let res = tokio::task::spawn_blocking(move || engine.execute(&src, req))
+        .await
+        .expect("spawn_blocking should not panic");
+    assert!(res.is_err(), "expected script to throw");
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn token_contains_topics_and_expiry() {
+    let app = AppId::new();
+    let body = run_ok(
+        make_engine(),
+        r#"#{ token: pubsub::subscriber_token(["chat", "notify"], 120) }"#,
+        request(app, true),
+    )
+    .await;
+    let token = body["token"].as_str().expect("token string");
+    let claims = subscriber_token::verify(&FAKE_KEY, token, 1_000_001).unwrap();
+    assert_eq!(claims.app_id, app);
+    assert_eq!(
+        claims.topics,
+        vec!["chat".to_string(), "notify".to_string()]
+    );
+    assert_eq!(claims.exp - claims.iat, 120);
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn omitted_ttl_uses_default() {
+    let app = AppId::new();
+    let body = run_ok(
+        make_engine(),
+        r#"#{ token: pubsub::subscriber_token(["chat"]) }"#,
+        request(app, true),
+    )
+    .await;
+    let token = body["token"].as_str().unwrap();
+    let claims = subscriber_token::verify(&FAKE_KEY, token, 1_000_001).unwrap();
+    assert_eq!(claims.exp - claims.iat, DEFAULT_TTL);
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn unit_ttl_uses_default() {
+    let app = AppId::new();
+    let body = run_ok(
+        make_engine(),
+        r#"#{ token: pubsub::subscriber_token(["chat"], ()) }"#,
+        request(app, true),
+    )
+    .await;
+    let token = body["token"].as_str().unwrap();
+    let claims = subscriber_token::verify(&FAKE_KEY, token, 1_000_001).unwrap();
+    assert_eq!(claims.exp - claims.iat, DEFAULT_TTL);
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn empty_topics_throws() {
+    run_err(
+        make_engine(),
+        r#"pubsub::subscriber_token([], 60)"#,
+        request(AppId::new(), true),
+    )
+    .await;
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn ttl_below_min_throws() {
+    run_err(
+        make_engine(),
+        r#"pubsub::subscriber_token(["chat"], 5)"#,
+        request(AppId::new(), true),
+    )
+    .await;
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn ttl_above_max_throws() {
+    run_err(
+        make_engine(),
+        r#"pubsub::subscriber_token(["chat"], 90000)"#,
+        request(AppId::new(), true),
+    )
+    .await;
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn anonymous_principal_throws() {
+    run_err(
+        make_engine(),
+        r#"pubsub::subscriber_token(["chat"], 60)"#,
+        request(AppId::new(), false),
+    )
+    .await;
+}
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn unregistered_topic_throws() {
+    run_err(
+        make_engine(),
+        r#"pubsub::subscriber_token(["chat", "secret"], 60)"#,
+        request(AppId::new(), true),
+    )
+    .await;
+}

crates/executor-core/tests/stdlib.rs

@@ -0,0 +1,384 @@
+//! Integration tests for the v1.1.0 stdlib utility modules.
+//!
+//! These exist alongside `sdk_contract.rs` rather than inside it
+//! because the stateless utilities aren't part of the same versioned
+//! SDK contract surface — `sdk_contract.rs` covers things that bump
+//! `SDK_VERSION` when they change; stdlib additions don't.
+
+use std::collections::BTreeMap;
+
+use picloud_executor_core::{Engine, ExecError, ExecRequest, InvocationType, Limits};
+use picloud_shared::{AppId, ExecutionId, RequestId, ScriptId, ScriptSandbox, Services};
+use serde_json::{json, Value};
+
+// ----------------------------------------------------------------------------
+// Test harness — duplicated from sdk_contract.rs (each integration test
+// crate has its own; there is no tests/common/).
+// ----------------------------------------------------------------------------
+
+fn engine() -> Engine {
+    Engine::new(Limits::default(), Services::default())
+}
+
+fn baseline_request() -> ExecRequest {
+    let execution_id = ExecutionId::new();
+    ExecRequest {
+        execution_id,
+        request_id: RequestId::new(),
+        script_id: ScriptId::new(),
+        script_name: "stdlib".into(),
+        invocation_type: InvocationType::Http,
+        path: "/stdlib-test".into(),
+        headers: BTreeMap::new(),
+        body: Value::Null,
+        params: BTreeMap::new(),
+        query: BTreeMap::new(),
+        rest: String::new(),
+        sandbox_overrides: ScriptSandbox::default(),
+        app_id: AppId::new(),
+        principal: None,
+        trigger_depth: 0,
+        root_execution_id: execution_id,
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+fn run(source: &str) -> Value {
+    engine()
+        .execute(source, baseline_request())
+        .expect("stdlib test should execute cleanly")
+        .body
+}
+
+fn run_err(source: &str) -> ExecError {
+    engine()
+        .execute(source, baseline_request())
+        .expect_err("stdlib test expected to throw")
+}
+
+fn assert_runtime_err(err: ExecError, needle: &str) {
+    match err {
+        ExecError::Runtime(msg) => assert!(
+            msg.contains(needle),
+            "runtime error did not contain `{needle}`: {msg}"
+        ),
+        other => panic!("expected Runtime error containing `{needle}`, got {other:?}"),
+    }
+}
+
+// ============================================================================
+// regex
+// ============================================================================
+
+#[test]
+fn regex_is_match_true_and_false() {
+    assert_eq!(run(r#"regex::is_match("^h", "hello")"#), json!(true));
+    assert_eq!(run(r#"regex::is_match("^x", "hello")"#), json!(false));
+}
+
+#[test]
+fn regex_find_returns_first_match() {
+    assert_eq!(run(r#"regex::find("\\d+", "abc 42 def 99")"#), json!("42"));
+}
+
+#[test]
+fn regex_find_returns_unit_when_no_match() {
+    // () serializes to JSON null via dynamic_to_json.
+    assert_eq!(run(r#"regex::find("\\d+", "abc")"#), Value::Null);
+}
+
+#[test]
+fn regex_find_all_returns_array() {
+    assert_eq!(
+        run(r#"regex::find_all("\\d+", "a1 b22 c333")"#),
+        json!(["1", "22", "333"])
+    );
+}
+
+#[test]
+fn regex_replace_first_only() {
+    assert_eq!(
+        run(r#"regex::replace("a", "banana", "X")"#),
+        json!("bXnana")
+    );
+}
+
+#[test]
+fn regex_replace_all() {
+    assert_eq!(
+        run(r#"regex::replace_all("a", "banana", "X")"#),
+        json!("bXnXnX")
+    );
+}
+
+#[test]
+fn regex_split() {
+    assert_eq!(
+        run(r#"regex::split(",\\s*", "a, b,c,  d")"#),
+        json!(["a", "b", "c", "d"])
+    );
+}
+
+#[test]
+fn regex_captures_extracts_groups() {
+    assert_eq!(
+        run(r#"regex::captures("(\\d+)-(\\w+)", "42-abc")"#),
+        json!(["42-abc", "42", "abc"])
+    );
+}
+
+#[test]
+fn regex_captures_returns_unit_when_no_match() {
+    assert_eq!(run(r#"regex::captures("(\\d+)", "abc")"#), Value::Null);
+}
+
+#[test]
+fn regex_invalid_pattern_throws() {
+    assert_runtime_err(run_err(r#"regex::is_match("(", "x")"#), "invalid regex");
+}
+
+// ============================================================================
+// random
+// ============================================================================
+
+#[test]
+fn random_int_within_range() {
+    // Run a few times to exercise the bounds — each call is independent.
+    let body = run(r"
+        let n = random::int(10, 20);
+        n >= 10 && n <= 20
+    ");
+    assert_eq!(body, json!(true));
+}
+
+#[test]
+fn random_int_throws_when_min_greater_than_max() {
+    assert_runtime_err(run_err("random::int(20, 10)"), "min");
+}
+
+#[test]
+fn random_float_in_unit_interval() {
+    let body = run(r"
+        let f = random::float();
+        f >= 0.0 && f < 1.0
+    ");
+    assert_eq!(body, json!(true));
+}
+
+#[test]
+fn random_bytes_returns_blob_of_correct_length() {
+    assert_eq!(run("random::bytes(16).len()"), json!(16));
+}
+
+#[test]
+fn random_bytes_rejects_negative() {
+    assert_runtime_err(run_err("random::bytes(-1)"), "random::bytes");
+}
+
+#[test]
+fn random_bytes_rejects_oversize() {
+    assert_runtime_err(run_err("random::bytes(70000)"), "random::bytes");
+}
+
+#[test]
+fn random_string_produces_alphanumeric_of_correct_length() {
+    let body = run(r#"
+        let s = random::string(32);
+        s.len == 32 && regex::is_match("^[A-Za-z0-9]+$", s)
+    "#);
+    assert_eq!(body, json!(true));
+}
+
+#[test]
+fn random_uuid_has_canonical_format() {
+    let body = run(
+        r#"regex::is_match("^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$", random::uuid())"#,
+    );
+    assert_eq!(body, json!(true));
+}
+
+// ============================================================================
+// time
+// ============================================================================
+
+#[test]
+fn time_now_ms_is_positive() {
+    let body = run("time::now_ms() > 0");
+    assert_eq!(body, json!(true));
+}
+
+#[test]
+fn time_now_string_looks_like_iso() {
+    let body = run(r#"regex::is_match("^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}", time::now())"#);
+    assert_eq!(body, json!(true));
+}
+
+#[test]
+fn time_parse_format_round_trip() {
+    let body = run(r"
+        let ms = 1700000000000;
+        time::parse(time::format(ms)) == ms
+    ");
+    assert_eq!(body, json!(true));
+}
+
+#[test]
+fn time_add_seconds() {
+    assert_eq!(run("time::add_seconds(0, 60)"), json!(60_000));
+    assert_eq!(run("time::add_seconds(1000, -1)"), json!(0));
+}
+
+#[test]
+fn time_diff_seconds_truncates() {
+    assert_eq!(run("time::diff_seconds(0, 65_500)"), json!(65));
+}
+
+#[test]
+fn time_parse_rejects_garbage() {
+    assert_runtime_err(run_err(r#"time::parse("nonsense")"#), "time::parse");
+}
+
+// ============================================================================
+// json
+// ============================================================================
+
+#[test]
+fn json_parse_then_stringify_round_trip() {
+    let body = run(r#"
+        let src = `{"a":1,"b":"x"}`;
+        json::stringify(json::parse(src)) == src
+    "#);
+    assert_eq!(body, json!(true));
+}
+
+#[test]
+fn json_stringify_compact() {
+    assert_eq!(run(r"json::stringify(#{ a: 1 })"), json!(r#"{"a":1}"#));
+}
+
+#[test]
+fn json_stringify_pretty_has_newlines() {
+    let body = run(r#"json::stringify_pretty(#{ a: 1 }).contains("\n")"#);
+    assert_eq!(body, json!(true));
+}
+
+#[test]
+fn json_parse_invalid_throws() {
+    assert_runtime_err(run_err(r#"json::parse("not json")"#), "json::parse");
+}
+
+// ============================================================================
+// base64
+// ============================================================================
+
+#[test]
+fn base64_encode_string() {
+    assert_eq!(run(r#"base64::encode("hi")"#), json!("aGk="));
+}
+
+#[test]
+fn base64_decode_then_re_encode_round_trip() {
+    assert_eq!(
+        run(r#"base64::encode(base64::decode("aGVsbG8="))"#),
+        json!("aGVsbG8=")
+    );
+}
+
+#[test]
+fn base64_encode_url_has_no_padding() {
+    let body = run(r#"
+        let s = base64::encode_url("hello world!?");
+        !s.contains("=") && !s.contains("+") && !s.contains("/")
+    "#);
+    assert_eq!(body, json!(true));
+}
+
+#[test]
+fn base64_decode_url_round_trip() {
+    assert_eq!(
+        run(r#"base64::encode_url(base64::decode_url("aGVsbG8"))"#),
+        json!("aGVsbG8")
+    );
+}
+
+#[test]
+fn base64_decode_invalid_throws() {
+    assert_runtime_err(run_err(r#"base64::decode("!!!")"#), "base64::decode");
+}
+
+// ============================================================================
+// hex
+// ============================================================================
+
+#[test]
+fn hex_encode_produces_lowercase() {
+    assert_eq!(run(r#"hex::encode("Z")"#), json!("5a"));
+}
+
+#[test]
+fn hex_decode_then_re_encode_round_trip() {
+    // mixed-case input → lowercase output proves both case-insensitive
+    // decode and lowercase encode.
+    assert_eq!(
+        run(r#"hex::encode(hex::decode("DeAdBeEf"))"#),
+        json!("deadbeef")
+    );
+}
+
+#[test]
+fn hex_decode_returns_correct_length() {
+    assert_eq!(run(r#"hex::decode("deadbeef").len()"#), json!(4));
+}
+
+#[test]
+fn hex_decode_invalid_throws() {
+    assert_runtime_err(run_err(r#"hex::decode("xyz")"#), "hex::decode");
+}
+
+// ============================================================================
+// url
+// ============================================================================
+
+#[test]
+fn url_encode_basic() {
+    assert_eq!(run(r#"url::encode("hello world")"#), json!("hello%20world"));
+}
+
+#[test]
+fn url_encode_preserves_unreserved() {
+    assert_eq!(
+        run(r#"url::encode("abcXYZ123-_.~")"#),
+        json!("abcXYZ123-_.~")
+    );
+}
+
+#[test]
+fn url_decode_round_trip() {
+    assert_eq!(
+        run(r#"url::decode(url::encode("hello world!?"))"#),
+        json!("hello world!?")
+    );
+}
+
+#[test]
+fn url_encode_query_basic() {
+    // Map keys come out alphabetically (Rhai's Map is a BTreeMap).
+    assert_eq!(
+        run(r#"url::encode_query(#{ a: "1", b: "x y" })"#),
+        json!("a=1&b=x%20y")
+    );
+}
+
+#[test]
+fn url_encode_query_coerces_non_strings() {
+    // Numbers and bools shouldn't throw; they coerce via to_string().
+    let body = run(r"url::encode_query(#{ n: 42, b: true })");
+    // Order is alphabetical: b before n.
+    assert_eq!(body, json!("b=true&n=42"));
+}
+
+#[test]
+fn url_decode_rejects_invalid_utf8() {
+    assert_runtime_err(run_err(r#"url::decode("%FF%FE%80")"#), "url::decode");
+}

crates/manager-core/Cargo.toml

@@ -10,21 +10,26 @@ workspace = true
 
 [dependencies]
 picloud-shared.workspace = true
+picloud-executor-core.workspace = true
 picloud-orchestrator-core.workspace = true
 
 async-trait.workspace = true
 axum.workspace = true
+rand.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 thiserror.workspace = true
+tokio.workspace = true
 tracing.workspace = true
 uuid.workspace = true
 chrono.workspace = true
+chrono-tz.workspace = true
+cron.workspace = true
 sqlx.workspace = true
 url.workspace = true
+reqwest.workspace = true
 
 argon2.workspace = true
-rand.workspace = true
 sha2.workspace = true
 base64.workspace = true
 data-encoding.workspace = true

crates/manager-core/migrations/0007_kv.sql

@@ -0,0 +1,28 @@
+-- v1.1.1: Key-value store — see blueprint §8.1 + docs/sdk-shape.md.
+--
+-- Identity tuple `(app_id, collection, key)`. `app_id` is first in the
+-- primary key so the implicit index is always per-app; cross-app reads
+-- cannot happen even with a buggy query. Collections are a required
+-- namespace inside an app — the same key can live in different
+-- collections without collision.
+--
+-- `value` is JSONB so scripts can store nested structures without
+-- a separate serialization step. No TTL column in v1.1.1; deferred
+-- until a concrete need surfaces (the blueprint reserved one but the
+-- v1.1.1 SDK surface — get/set/has/delete/list — doesn't expose TTL).
+
+CREATE TABLE kv_entries (
+    app_id      UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    collection  TEXT NOT NULL,
+    key         TEXT NOT NULL,
+    value       JSONB NOT NULL,
+    created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (app_id, collection, key)
+);
+
+-- Supports list-by-collection (keyset pagination) and per-collection
+-- triggers' fan-out scans. The PK already covers (app_id, collection)
+-- as a prefix but spelling out the explicit index makes intent clear
+-- for the planner.
+CREATE INDEX idx_kv_entries_app_collection ON kv_entries (app_id, collection);

crates/manager-core/migrations/0008_triggers.sql

@@ -0,0 +1,72 @@
+-- v1.1.1: Trigger framework — Layout E (design notes §2 + §7).
+--
+-- A parent `triggers` table holds the common columns (script_id, retry
+-- config, dispatch_mode, registered-by principal); per-kind detail
+-- tables hold the kind-specific filter columns. v1.1.1 ships two
+-- kinds: KV (collection_glob + ops) and dead_letter (source / trigger
+-- / script filters). Future kinds (cron, pubsub, queue, email) extend
+-- the parent and add their own detail table.
+--
+-- `registered_by_principal` captures the admin user that registered
+-- the trigger. The dispatcher resolves this back to a `Principal` at
+-- execution time so the trigger runs as the user that set it up
+-- (design notes §4: "a trigger execution runs as the principal that
+-- registered the trigger").
+--
+-- HTTP routes stay in their own `routes` table for now (Phase 3
+-- production schema with its own trie-index columns); the dispatcher
+-- discriminates HTTP outbox rows by `source_kind = 'http'` and
+-- `trigger_id` referencing `routes.id`. Folding routes into triggers
+-- is a v1.2 cleanup, not a v1.1.1 requirement.
+
+CREATE TABLE triggers (
+    id                       UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    app_id                   UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    script_id                UUID NOT NULL REFERENCES scripts(id) ON DELETE CASCADE,
+    kind                     TEXT NOT NULL CHECK (kind IN ('kv', 'dead_letter')),
+    enabled                  BOOLEAN NOT NULL DEFAULT TRUE,
+    -- Async by default — sync would mean the trigger fires inline with
+    -- the originating mutation, which v1.1.1 doesn't support.
+    dispatch_mode            TEXT NOT NULL DEFAULT 'async'
+        CHECK (dispatch_mode IN ('sync', 'async')),
+    -- Defaults applied at write time so the row is auditable on its
+    -- own. Per-trigger overrides set on create; the env-defined
+    -- defaults provide the fallback values.
+    retry_max_attempts       INT  NOT NULL,
+    retry_backoff            TEXT NOT NULL
+        CHECK (retry_backoff IN ('exponential', 'linear', 'constant')),
+    retry_base_ms            INT  NOT NULL,
+    registered_by_principal  UUID NOT NULL REFERENCES admin_users(id) ON DELETE CASCADE,
+    created_at               TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at               TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- The dispatcher's hot lookup: "all enabled triggers for app X of
+-- kind Y". Indexed only when enabled = TRUE so disabled rows don't
+-- pollute the index.
+CREATE INDEX idx_triggers_app_kind_enabled
+    ON triggers (app_id, kind)
+    WHERE enabled = TRUE;
+
+-- One row per KV trigger. `collection_glob` accepts:
+--   "*"               — any collection in the app
+--   "widgets"         — exact match
+--   "users:*"         — prefix wildcard (matched in Rust, not SQL)
+-- `ops` is the subset of {insert, update, delete} this trigger
+-- subscribes to. Empty array means "any op" (the trigger fires on
+-- every mutation; admin endpoint validates this).
+CREATE TABLE kv_trigger_details (
+    trigger_id        UUID PRIMARY KEY REFERENCES triggers(id) ON DELETE CASCADE,
+    collection_glob   TEXT NOT NULL,
+    ops               TEXT[] NOT NULL
+);
+
+-- One row per dead-letter trigger. All three filter columns are
+-- nullable — NULL means "no filter on this dimension". A trigger
+-- with all three nullable filters fires on every dead-letter row.
+CREATE TABLE dead_letter_trigger_details (
+    trigger_id          UUID PRIMARY KEY REFERENCES triggers(id) ON DELETE CASCADE,
+    source_filter       TEXT,
+    trigger_id_filter   UUID,
+    script_id_filter    UUID
+);

crates/manager-core/migrations/0009_outbox.sql

@@ -0,0 +1,64 @@
+-- v1.1.1: Universal trigger outbox — design notes §2.
+--
+-- One table for every async dispatch in the system. KV/cron/pubsub/
+-- queue/email/dead-letter all write rows in this shape; the dispatcher
+-- claims due rows with `FOR UPDATE SKIP LOCKED` and routes them to
+-- the executor.
+--
+-- Sync HTTP also writes here (NATS-style inbox, design notes §3) —
+-- `reply_to` carries an `inbox_id` that the orchestrator awaits on a
+-- oneshot channel. `reply_to.is_some()` is the "don't retry" signal:
+-- one attempt, surface the result via the inbox.
+--
+-- `trigger_id` is a polymorphic reference discriminated by
+-- `source_kind`: for `source_kind='http'` it references `routes.id`;
+-- otherwise it references `triggers.id`. Polymorphism handled in
+-- Rust (the dispatcher); no DB-level FK because Postgres doesn't
+-- support polymorphic FKs cleanly. NULL is allowed because direct
+-- admin-replay paths may not have a triggering row at all.
+--
+-- `script_id` denormalized so the dispatcher resolves the target
+-- script without an extra round-trip per row.
+
+CREATE TABLE outbox (
+    id                 UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    app_id             UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    source_kind        TEXT NOT NULL
+        CHECK (source_kind IN ('http', 'kv', 'dead_letter')),
+    -- Polymorphic — see comment above. No FK constraint.
+    trigger_id         UUID,
+    -- Pre-resolved at write time so the dispatcher doesn't re-look it up.
+    script_id          UUID,
+    -- NULL = async (retry per policy). Some(inbox_id) = sync HTTP
+    -- (never retry; resolve the inbox with the result).
+    reply_to           UUID,
+    -- ServiceEvent + ExecRequest scaffold serialized as JSONB.
+    payload            JSONB NOT NULL,
+    -- Forensic field — the principal that triggered the originating
+    -- event. NOT the execution principal for trigger fan-out (that
+    -- comes from `triggers.registered_by_principal`).
+    origin_principal   UUID,
+    -- Trigger-depth as the dispatcher will hand it to the executor.
+    -- Read out into ExecRequest.trigger_depth at dispatch time.
+    trigger_depth      INT NOT NULL DEFAULT 0,
+    -- Originating execution id (for audit log grouping). Equals the
+    -- root for direct invocations; preserved across fan-out chains.
+    root_execution_id  UUID,
+    attempt_count      INT NOT NULL DEFAULT 0,
+    next_attempt_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    -- Set inside the SELECT FOR UPDATE SKIP LOCKED transaction so
+    -- the dispatcher can't double-pick a row across concurrent loop
+    -- iterations.
+    claimed_at         TIMESTAMPTZ,
+    claimed_by         TEXT,
+    created_at         TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Hot index: the dispatcher's `WHERE next_attempt_at <= NOW() AND
+-- claimed_at IS NULL` claim query. Partial index keeps the hot set
+-- small even if the table grows large.
+CREATE INDEX idx_outbox_due
+    ON outbox (next_attempt_at)
+    WHERE claimed_at IS NULL;
+
+CREATE INDEX idx_outbox_app ON outbox (app_id);

crates/manager-core/migrations/0010_dead_letters.sql

@@ -0,0 +1,50 @@
+-- v1.1.1: dead_letters — design notes §4.
+--
+-- Async invocations that exhaust their retry policy land here. Each
+-- row carries the original event payload verbatim plus the attempt
+-- history so handlers (registered via `dead_letter` triggers) and the
+-- dashboard can decide what to do.
+--
+-- Schema mirrors design notes §4. The CHECK constraint on
+-- `resolution` enforces the closed vocabulary used by both the SDK
+-- (`dead_letters::resolve(id, reason)`) and the recursion-stop rule
+-- (`handler_failed`). Sync HTTP failures (`reply_to.is_some()`) never
+-- land here — they're served via the inbox channel.
+--
+-- Indexes:
+-- - partial index on unresolved rows: the dashboard's
+--   unresolved-count badge query (`COUNT(*) WHERE app_id = $1 AND
+--   resolved_at IS NULL`).
+-- - GC index on `created_at`: the weekly retention sweep.
+
+CREATE TABLE dead_letters (
+    id                 UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    app_id             UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    -- The outbox.id row that exhausted retries. The outbox row itself
+    -- has been deleted at this point.
+    original_event_id  UUID NOT NULL,
+    source             TEXT NOT NULL,
+    op                 TEXT NOT NULL,
+    -- Nullable because direct admin replays may have no trigger row.
+    trigger_id         UUID,
+    script_id          UUID,
+    payload            JSONB NOT NULL,
+    attempt_count      INT  NOT NULL,
+    first_attempt_at   TIMESTAMPTZ NOT NULL,
+    last_attempt_at    TIMESTAMPTZ NOT NULL,
+    last_error         TEXT NOT NULL,
+    created_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    resolved_at        TIMESTAMPTZ,
+    resolution         TEXT
+        CHECK (resolution IN
+            ('replayed', 'ignored', 'handled_by_script', 'handler_failed'))
+);
+
+-- Dashboard unresolved-count badge — partial index on the predicate
+-- the query uses.
+CREATE INDEX idx_dead_letters_app_unresolved
+    ON dead_letters (app_id)
+    WHERE resolved_at IS NULL;
+
+-- GC sweep scans by creation time.
+CREATE INDEX idx_dead_letters_gc ON dead_letters (created_at);

crates/manager-core/migrations/0011_abandoned_executions.sql

@@ -0,0 +1,31 @@
+-- v1.1.1: abandoned_executions — design notes §3 #9.
+--
+-- Forensic table for the "dispatcher tried to resolve a oneshot inbox
+-- but the receiver was already dropped" edge case. The orchestrator
+-- timed out (returned 504 to the caller) and gave up on the channel,
+-- but then the dispatcher's execution succeeded later. The caller
+-- never sees the result; the row exists so the operator can
+-- correlate when the abandoned-counter metric spikes.
+--
+-- Only the dispatcher-after-orchestrator-timeout edge case writes
+-- here; ordinary "script timed out, caller got 504" stays uneventful.
+--
+-- 7-day retention, GC by `created_at`, sweep alongside dead_letters.
+
+CREATE TABLE abandoned_executions (
+    id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    app_id          UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    -- Original outbox row id (the row itself has been deleted).
+    outbox_id       UUID NOT NULL,
+    script_id       UUID,
+    -- The inbox channel id the dispatcher tried to resolve.
+    inbox_id        UUID NOT NULL,
+    -- The HTTP status code the dispatcher attempted to send back.
+    status_code     INT  NOT NULL,
+    -- Truncated body / error description (capped at write time —
+    -- the dispatcher doesn't need to ship megabytes here).
+    result_summary  TEXT,
+    created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX idx_abandoned_executions_gc ON abandoned_executions (created_at);

crates/manager-core/migrations/0012_routes_dispatch_mode.sql

@@ -0,0 +1,16 @@
+-- v1.1.1: per-route dispatch mode (design notes §2 + §3).
+--
+-- `sync` (default): orchestrator awaits the executor inline and
+--   returns the response in the same HTTP request — current MVP
+--   behaviour.
+-- `async`: orchestrator writes the request to the trigger outbox,
+--   returns `202 Accepted` immediately. The dispatcher runs the
+--   script in the background and surfaces failures via the
+--   retry / dead-letter machinery — same shape as any other async
+--   event.
+--
+-- Existing routes default to `sync` so the migration is non-breaking.
+
+ALTER TABLE routes
+    ADD COLUMN dispatch_mode TEXT NOT NULL DEFAULT 'sync'
+        CHECK (dispatch_mode IN ('sync', 'async'));

crates/manager-core/migrations/0013_docs.sql

@@ -0,0 +1,39 @@
+-- v1.1.2: Documents — schemaless JSONB store with basic query semantics.
+--
+-- Identity tuple `(app_id, collection, id)`. `id` is a server-generated
+-- UUID; scripts never supply it on create. `app_id` is first in the
+-- primary key so the implicit index is always per-app — cross-app reads
+-- are impossible even under a buggy query.
+--
+-- `data` is JSONB so scripts can store nested structures without a
+-- separate serialization step. The GIN-on-`jsonb_path_ops` index
+-- accelerates the v1.1.2 query DSL's equality and containment operators
+-- (`docs::find` with `$eq` / `$in`); range/comparison operators rely on
+-- the per-collection seq scan within the small `app_id` partition.
+--
+-- `created_at` / `updated_at` are server-managed: created on insert,
+-- bumped on every successful update. The returned doc envelope surfaces
+-- both fields to scripts for read-only access (no script-side override).
+
+CREATE TABLE docs (
+    app_id      UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    collection  TEXT NOT NULL,
+    id          UUID NOT NULL,
+    data        JSONB NOT NULL,
+    created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (app_id, collection, id)
+);
+
+-- The dispatcher/find hot path: "all docs in app X / collection Y."
+-- The PK already covers (app_id, collection) as a prefix but spelling
+-- out the explicit index makes intent clear for the planner. Mirrors
+-- 0007_kv.sql's idx_kv_entries_app_collection.
+CREATE INDEX idx_docs_app_collection ON docs (app_id, collection);
+
+-- GIN on JSONB with the `jsonb_path_ops` opclass: smaller index than
+-- the default `jsonb_ops`, supports `@>` (containment) which is what
+-- equality filters compile to under the GIN-friendly path. Range
+-- operators ($gt/$gte/$lt/$lte/$ne) fall back to per-collection scans;
+-- those are still bounded by the (app_id, collection) selectivity.
+CREATE INDEX idx_docs_data_gin ON docs USING GIN (data jsonb_path_ops);

crates/manager-core/migrations/0014_docs_triggers.sql

@@ -0,0 +1,36 @@
+-- v1.1.2: Extend the triggers framework to recognise `docs` as the
+-- second concrete kind (after `kv` in v1.1.1).
+--
+-- Two CHECK constraints widen (no narrowing — both lists strictly
+-- gain `'docs'`); one new detail table mirrors `kv_trigger_details`'s
+-- shape with `DocsEventOp` ops instead of `KvEventOp`. Dispatcher
+-- routing is generic across kinds — the same code path that handles
+-- `Kv | DeadLetter` outbox rows now also handles `Docs` (single match
+-- arm extension on the Rust side; no migration needed).
+
+-- Extend triggers.kind to include 'docs'. Constraint is in-line on the
+-- column so Postgres auto-named it `triggers_kind_check`. Dropping the
+-- old and adding the widened constraint is safe — no existing rows
+-- carry a value outside the new set.
+ALTER TABLE triggers DROP CONSTRAINT triggers_kind_check;
+ALTER TABLE triggers ADD CONSTRAINT triggers_kind_check
+    CHECK (kind IN ('kv', 'dead_letter', 'docs'));
+
+-- Extend outbox.source_kind to include 'docs'. Same shape as above;
+-- v1.1.1's existing source_kinds ('http', 'kv', 'dead_letter') stay.
+ALTER TABLE outbox DROP CONSTRAINT outbox_source_kind_check;
+ALTER TABLE outbox ADD CONSTRAINT outbox_source_kind_check
+    CHECK (source_kind IN ('http', 'kv', 'dead_letter', 'docs'));
+
+-- One row per docs trigger. Same shape as `kv_trigger_details`:
+--   collection_glob — "*" matches all, "foo*" prefix-matches, "foo"
+--                     exact-matches (Rust-side via collection_matches).
+--   ops             — subset of {create, update, delete}. Empty array
+--                     means "any op" (matches every docs mutation in
+--                     the collection). The admin endpoint rejects
+--                     empty collection_glob; ops can be empty.
+CREATE TABLE docs_trigger_details (
+    trigger_id        UUID PRIMARY KEY REFERENCES triggers(id) ON DELETE CASCADE,
+    collection_glob   TEXT NOT NULL,
+    ops               TEXT[] NOT NULL
+);

crates/manager-core/migrations/0015_scripts_kind.sql

@@ -0,0 +1,31 @@
+-- v1.1.3: distinguish endpoint scripts (HTTP / trigger entry points) from
+-- module scripts (libraries `import`ed by other scripts). The Rhai module
+-- resolver added in v1.1.3 looks up `kind = 'module'` rows by
+-- `(app_id, name)`; route bind and trigger create reject `kind = 'module'`
+-- targets.
+--
+-- Backfill: existing rows take the DEFAULT clause on column add. Every
+-- script that existed in v1.0 / v1.1.0 / v1.1.1 / v1.1.2 was an endpoint
+-- (the only kind those versions supported), which matches the default.
+ALTER TABLE scripts
+    ADD COLUMN kind TEXT NOT NULL DEFAULT 'endpoint'
+        CHECK (kind IN ('endpoint', 'module'));
+
+-- Composite index on (app_id, kind) so the resolver's per-app module
+-- lookup ("modules in app X named Y") is one index scan. The existing
+-- per-app UNIQUE on `name` already serves name-based lookups, but it
+-- doesn't help when filtering specifically for `kind = 'module'`.
+CREATE INDEX idx_scripts_app_kind ON scripts (app_id, kind);
+
+-- Modules are imported by exact string name; arbitrary spaces / control
+-- characters would make `import "<name>"` fragile. We constrain module
+-- names to a conservative identifier shape (letters, digits, underscore;
+-- starts with a non-digit; up to 64 chars). Endpoint scripts keep the
+-- looser pre-v1.1.3 name rules — the dashboard generates endpoint names
+-- (and some users may already have spaces in them; we don't break those).
+ALTER TABLE scripts
+    ADD CONSTRAINT scripts_module_name_shape
+    CHECK (
+        kind <> 'module'
+        OR name ~ '^[a-zA-Z_][a-zA-Z0-9_]{0,63}$'
+    );

crates/manager-core/migrations/0016_script_imports.sql

@@ -0,0 +1,35 @@
+-- v1.1.3: dep graph between scripts and the modules they `import`.
+--
+-- Populated at script save-time. The validator extracts literal-path
+-- `import "<name>"` declarations from the AST; the script repo writes
+-- one row per resolved (importer, imported) pair inside the same
+-- transaction as the INSERT/UPDATE on `scripts`. Unresolved names
+-- (imported module doesn't exist yet) are silently skipped — the
+-- resolver returns ErrorModuleNotFound at runtime, and a later save
+-- of either script re-resolves and writes the edge.
+--
+-- Dynamic imports (`import some_var as alias;`) are not tracked
+-- here — the resolver still honors them at runtime, but the graph
+-- only captures names known at compile time. Document as a known
+-- v1.1.3 limitation.
+--
+-- Purpose: drives a future "Used by" panel on a module's detail page
+-- (v1.2+) and is the foundation for cluster-mode eager cache
+-- invalidation (v1.3+). v1.1.3 only persists the rows; no admin
+-- endpoint surfaces them yet.
+CREATE TABLE script_imports (
+    app_id              UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    importer_script_id  UUID NOT NULL REFERENCES scripts(id) ON DELETE CASCADE,
+    imported_script_id  UUID NOT NULL REFERENCES scripts(id) ON DELETE CASCADE,
+    created_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (importer_script_id, imported_script_id)
+);
+
+-- Reverse-edge index: "list scripts that import module X". The PK
+-- covers (importer, imported) so forward lookups by importer are
+-- already free; the reverse direction needs its own index.
+CREATE INDEX idx_script_imports_imported ON script_imports (imported_script_id);
+
+-- App-scoped scan ("all imports in this app") — used by the schema
+-- snapshot tests and (eventually) the admin "audit" view.
+CREATE INDEX idx_script_imports_app ON script_imports (app_id);

crates/manager-core/migrations/0017_cron_triggers.sql

@@ -0,0 +1,43 @@
+-- v1.1.4: Extend the triggers framework to recognise `cron` as the
+-- fourth concrete kind (after `kv` v1.1.1, `dead_letter` v1.1.1, `docs`
+-- v1.1.2). Mirrors the 0014 docs extension: two CHECK constraints widen
+-- (strictly gaining `'cron'`), one new detail table.
+--
+-- Cron rows route through the SAME generic dispatcher path as kv/docs/
+-- dead_letter (single match-arm extension on the Rust side). The only
+-- new machinery is a scheduler task that enqueues due cron triggers
+-- into the outbox; dispatch itself is unchanged.
+
+-- Extend triggers.kind to include 'cron'. No existing row carries a
+-- value outside the widened set, so the drop+add is safe.
+ALTER TABLE triggers DROP CONSTRAINT triggers_kind_check;
+ALTER TABLE triggers ADD CONSTRAINT triggers_kind_check
+    CHECK (kind IN ('kv', 'dead_letter', 'docs', 'cron'));
+
+-- Extend outbox.source_kind to include 'cron'. v1.1.x's existing
+-- source_kinds ('http', 'kv', 'dead_letter', 'docs') stay.
+ALTER TABLE outbox DROP CONSTRAINT outbox_source_kind_check;
+ALTER TABLE outbox ADD CONSTRAINT outbox_source_kind_check
+    CHECK (source_kind IN ('http', 'kv', 'dead_letter', 'docs', 'cron'));
+
+-- One row per cron trigger.
+--   schedule      — 6-field cron expression (with seconds), validated
+--                   at insert time by the `cron` crate.
+--   timezone      — IANA tz name (e.g. "America/Los_Angeles"), validated
+--                   via chrono-tz. Required so schedules like "every
+--                   weekday at 9am" are unambiguous. Defaults to UTC.
+--   last_fired_at — set transactionally with each enqueue. NULL until
+--                   the trigger first fires. The scheduler computes the
+--                   next fire time in-process from
+--                   (schedule, timezone, last_fired_at); there is no
+--                   stored next_fire column (kept stateless on purpose).
+CREATE TABLE cron_trigger_details (
+    trigger_id    UUID PRIMARY KEY REFERENCES triggers(id) ON DELETE CASCADE,
+    schedule      TEXT NOT NULL,
+    timezone      TEXT NOT NULL DEFAULT 'UTC',
+    last_fired_at TIMESTAMPTZ
+);
+
+-- Hot lookup for the scheduler: "all enabled cron triggers due now"
+-- scans by last_fired_at.
+CREATE INDEX idx_cron_triggers_due ON cron_trigger_details (last_fired_at);

crates/manager-core/migrations/0018_files.sql

@@ -0,0 +1,25 @@
+-- v1.1.5: filesystem-backed blob storage. The row holds metadata +
+-- the SHA-256 checksum; the blob bytes live on disk at
+--   <PICLOUD_FILES_ROOT>/files/<app_id>/<collection>/<id[0:2]>/<id>
+-- (never in Postgres). Identity tuple is (app_id, collection, id) per
+-- docs/sdk-shape.md, matching KV/docs collection scoping.
+--
+-- The checksum is computed in a single pass during the atomic write and
+-- re-verified on read (FilesError::Corrupted on mismatch). Per-app
+-- quotas are deferred to v1.2; only the per-file size cap is enforced
+-- (in the service, not the schema).
+CREATE TABLE files (
+    app_id          UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    collection      TEXT NOT NULL,
+    id              UUID NOT NULL,
+    name            TEXT NOT NULL,
+    content_type    TEXT NOT NULL,
+    size_bytes      BIGINT NOT NULL,
+    checksum_sha256 TEXT NOT NULL,           -- hex, 64 chars, lowercase
+    created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (app_id, collection, id)
+);
+
+-- List + cursor pagination scans by (app_id, collection).
+CREATE INDEX idx_files_app_collection ON files (app_id, collection);

crates/manager-core/migrations/0019_files_triggers.sql

@@ -0,0 +1,29 @@
+-- v1.1.5: extend the triggers framework to recognise `files` as the
+-- fifth concrete kind (after `kv`/`dead_letter` v1.1.1, `docs` v1.1.2,
+-- `cron` v1.1.4). Mirrors the 0014/0017 extensions exactly: two CHECK
+-- constraints widen (strictly gaining `'files'`), one new detail table.
+--
+-- Files rows route through the SAME generic dispatcher path as the
+-- other event kinds (single match-arm extension on the Rust side). The
+-- only new machinery is the FilesServiceImpl emitting ServiceEvents
+-- that the OutboxEventEmitter fans out — identical to KV/docs.
+
+-- Extend triggers.kind to include 'files'. No existing row carries a
+-- value outside the widened set, so the drop+add is safe.
+ALTER TABLE triggers DROP CONSTRAINT triggers_kind_check;
+ALTER TABLE triggers ADD CONSTRAINT triggers_kind_check
+    CHECK (kind IN ('kv', 'dead_letter', 'docs', 'cron', 'files'));
+
+-- Extend outbox.source_kind to include 'files'.
+ALTER TABLE outbox DROP CONSTRAINT outbox_source_kind_check;
+ALTER TABLE outbox ADD CONSTRAINT outbox_source_kind_check
+    CHECK (source_kind IN ('http', 'kv', 'dead_letter', 'docs', 'cron', 'files'));
+
+-- One row per files trigger. Mirrors kv_trigger_details:
+--   collection_glob — "*", "exact", or "prefix*"
+--   ops             — subset of {create, update, delete}, empty = any
+CREATE TABLE files_trigger_details (
+    trigger_id        UUID PRIMARY KEY REFERENCES triggers(id) ON DELETE CASCADE,
+    collection_glob   TEXT NOT NULL,
+    ops               TEXT[] NOT NULL
+);

crates/manager-core/migrations/0020_pubsub_triggers.sql

@@ -0,0 +1,34 @@
+-- v1.1.5: extend the triggers framework to recognise `pubsub` as the
+-- sixth concrete kind. Same Layout-E shape as files (0019): two CHECK
+-- constraints widen, one new detail table.
+--
+-- Pub/sub fans out at PUBLISH time (one outbox row per matching trigger,
+-- written by the PubsubServiceImpl), so the dispatcher needs no pubsub-
+-- specific branching — a pubsub outbox row dispatches like any other
+-- async trigger.
+
+-- Extend triggers.kind to include 'pubsub'.
+ALTER TABLE triggers DROP CONSTRAINT triggers_kind_check;
+ALTER TABLE triggers ADD CONSTRAINT triggers_kind_check
+    CHECK (kind IN ('kv', 'dead_letter', 'docs', 'cron', 'files', 'pubsub'));
+
+-- Extend outbox.source_kind to include 'pubsub'.
+ALTER TABLE outbox DROP CONSTRAINT outbox_source_kind_check;
+ALTER TABLE outbox ADD CONSTRAINT outbox_source_kind_check
+    CHECK (source_kind IN ('http', 'kv', 'dead_letter', 'docs',
+                           'cron', 'files', 'pubsub'));
+
+-- One row per pubsub trigger. `topic_pattern` is "exact", "prefix.*",
+-- or "*" — validated in Rust at trigger creation. Topics are implicit
+-- on first publish; the external-subscribable `topics` table is v1.1.6.
+CREATE TABLE pubsub_trigger_details (
+    trigger_id     UUID PRIMARY KEY REFERENCES triggers(id) ON DELETE CASCADE,
+    topic_pattern  TEXT NOT NULL
+);
+
+-- Hot lookup for fan-out: "all enabled pubsub triggers in app X".
+-- Third partial index of its kind (after v1.1.1's idx_triggers_app_kind_
+-- enabled); partial indexes are tiny and the planner picks the narrowest.
+CREATE INDEX idx_triggers_app_pubsub_enabled
+    ON triggers (app_id, kind)
+    WHERE enabled = TRUE AND kind = 'pubsub';

crates/manager-core/migrations/0021_topics.sql

@@ -0,0 +1,31 @@
+-- v1.1.6: Explicit registration for externally-subscribable topics.
+--
+-- Internal-only topics remain implicit per the §5 design-notes
+-- decision: anyone can publish_durable("any.topic", msg) and triggers
+-- can subscribe without a row here. This table only holds topics that
+-- have been explicitly externalized — external SSE subscribers can
+-- only subscribe to topics with a row here AND external_subscribable
+-- = TRUE.
+--
+-- The publish path (v1.1.5's publish_durable) does NOT consult this
+-- table: publishing to a topic with no row still fans out to triggers
+-- and to any in-process external subscribers (none exist for an
+-- unregistered topic, since external subscribers can't subscribe to
+-- one). The topics table is read by the SSE subscribe path only.
+--
+-- auth_mode values: 'public' + 'token' in v1.1.6. 'session' arrives in
+-- v1.1.8 (users-SDK); 'script' arrives in v1.2 (script-mediated auth).
+-- The CHECK constraint extends in those releases.
+CREATE TABLE topics (
+    app_id                UUID NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
+    name                  TEXT NOT NULL,
+    external_subscribable BOOL NOT NULL DEFAULT FALSE,
+    auth_mode             TEXT NOT NULL DEFAULT 'public'
+        CHECK (auth_mode IN ('public', 'token')),
+    created_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    PRIMARY KEY (app_id, name)
+);
+
+-- Hot lookup: "is topic T in app X externally subscribable?" The PK
+-- (app_id, name) already covers this; an explicit index is redundant.

crates/manager-core/migrations/0022_app_secrets.sql

@@ -0,0 +1,19 @@
+-- v1.1.6: per-app secret material. Currently holds the HMAC signing key
+-- used to mint + verify realtime subscriber tokens
+-- (pubsub::subscriber_token → SSE /realtime/topics handshake).
+--
+-- The key is:
+--   * stable across restarts (issued tokens stay valid until expiry),
+--   * per-app (a token signed by app A is rejected by app B),
+--   * never script-accessible (scripts can't print/exfiltrate it — the
+--     SDK only mints tokens, it never returns the key).
+--
+-- The row is created lazily on the first pubsub::subscriber_token call
+-- for an app (32 random bytes). This table is the natural home for
+-- v1.1.7's encrypted per-app secrets work.
+CREATE TABLE app_secrets (
+    app_id                UUID PRIMARY KEY REFERENCES apps(id) ON DELETE CASCADE,
+    realtime_signing_key  BYTEA NOT NULL,   -- 32 random bytes
+    created_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at            TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);

crates/manager-core/src/abandoned_repo.rs

@@ -0,0 +1,128 @@
+//! `AbandonedExecutionsRepo` — forensic table written by the
+//! dispatcher when it tries to resolve a sync-HTTP inbox channel
+//! that's already been dropped (orchestrator timed out and gave up).
+//!
+//! Schema: see `migrations/0011_abandoned_executions.sql`.
+//!
+//! Tiny surface: insert + GC. Reading happens via direct SQL when
+//! correlating the metric counter spike.
+
+use async_trait::async_trait;
+use chrono::{DateTime, Utc};
+use picloud_shared::{AppId, ScriptId};
+use sqlx::PgPool;
+use uuid::Uuid;
+
+#[derive(Debug, thiserror::Error)]
+pub enum AbandonedRepoError {
+    #[error("database error: {0}")]
+    Db(#[from] sqlx::Error),
+}
+
+#[derive(Debug, Clone)]
+pub struct NewAbandonedExecution {
+    pub app_id: AppId,
+    pub outbox_id: Uuid,
+    pub script_id: Option<ScriptId>,
+    pub inbox_id: Uuid,
+    pub status_code: u16,
+    pub result_summary: Option<String>,
+}
+
+#[async_trait]
+pub trait AbandonedRepo: Send + Sync {
+    async fn insert(&self, row: NewAbandonedExecution) -> Result<Uuid, AbandonedRepoError>;
+
+    /// Retention sweep — deletes rows older than `older_than` up to
+    /// `limit` at a time.
+    async fn gc(&self, older_than: DateTime<Utc>, limit: i64) -> Result<u64, AbandonedRepoError>;
+}
+
+pub struct PostgresAbandonedRepo {
+    pool: PgPool,
+}
+
+impl PostgresAbandonedRepo {
+    #[must_use]
+    pub fn new(pool: PgPool) -> Self {
+        Self { pool }
+    }
+}
+
+const SUMMARY_CAP_BYTES: usize = 4096;
+
+#[async_trait]
+impl AbandonedRepo for PostgresAbandonedRepo {
+    async fn insert(&self, row: NewAbandonedExecution) -> Result<Uuid, AbandonedRepoError> {
+        // Truncate the summary at write-time. The forensic table
+        // doesn't need megabytes; the original outbox row may have
+        // been arbitrary size but we lose nothing useful by clipping.
+        let summary = row.result_summary.map(|s| truncate(s, SUMMARY_CAP_BYTES));
+        let (id,): (Uuid,) = sqlx::query_as(
+            "INSERT INTO abandoned_executions ( \
+                app_id, outbox_id, script_id, inbox_id, status_code, result_summary \
+             ) VALUES ($1, $2, $3, $4, $5, $6) \
+             RETURNING id",
+        )
+        .bind(row.app_id.into_inner())
+        .bind(row.outbox_id)
+        .bind(row.script_id.map(ScriptId::into_inner))
+        .bind(row.inbox_id)
+        .bind(i32::from(row.status_code))
+        .bind(summary)
+        .fetch_one(&self.pool)
+        .await?;
+        Ok(id)
+    }
+
+    async fn gc(&self, older_than: DateTime<Utc>, limit: i64) -> Result<u64, AbandonedRepoError> {
+        let res = sqlx::query(
+            "DELETE FROM abandoned_executions \
+                WHERE id IN ( \
+                    SELECT id FROM abandoned_executions \
+                    WHERE created_at < $1 \
+                    FOR UPDATE SKIP LOCKED \
+                    LIMIT $2 \
+                )",
+        )
+        .bind(older_than)
+        .bind(limit)
+        .execute(&self.pool)
+        .await?;
+        Ok(res.rows_affected())
+    }
+}
+
+fn truncate(mut s: String, max_bytes: usize) -> String {
+    if s.len() <= max_bytes {
+        return s;
+    }
+    // Walk back from `max_bytes` to a UTF-8 char boundary so we never
+    // panic on `truncate` mid-codepoint.
+    let mut cut = max_bytes;
+    while cut > 0 && !s.is_char_boundary(cut) {
+        cut -= 1;
+    }
+    s.truncate(cut);
+    s
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn truncate_respects_char_boundaries() {
+        // 3-byte UTF-8 chars; cap inside the middle char should walk
+        // back to the start.
+        let s = "héllo".to_string();
+        let t = truncate(s, 2);
+        assert!(t.is_char_boundary(t.len()));
+        assert_eq!(t, "h");
+    }
+
+    #[test]
+    fn truncate_passthrough_for_short_strings() {
+        assert_eq!(truncate("ok".into(), 100), "ok");
+    }
+}

crates/manager-core/src/api.rs

@@ -12,8 +12,8 @@ use axum::{
     Extension, Json, Router,
 };
 use picloud_shared::{
-    AppId, ExecutionLog, InstanceRole, Principal, Script, ScriptId, ScriptSandbox, ScriptValidator,
-    ValidationError,
+    AppId, ExecutionLog, InstanceRole, Principal, Script, ScriptId, ScriptKind, ScriptSandbox,
+    ScriptValidator, ValidatedScript, ValidationError,
 };
 use serde::Deserialize;
 
@@ -88,6 +88,11 @@ pub struct CreateScriptRequest {
     pub name: String,
     pub description: Option<String>,
     pub source: String,
+    /// v1.1.3: `endpoint` (default — handles HTTP routes / trigger
+    /// targets) or `module` (library of fn/const imported by other
+    /// scripts). Modules reject route binding and trigger creation.
+    #[serde(default)]
+    pub kind: ScriptKind,
     pub timeout_seconds: Option<i32>,
     pub memory_limit_mb: Option<i32>,
     /// Sandbox overrides; absent or empty `{}` means "use platform
@@ -120,6 +125,10 @@ pub struct UpdateScriptRequest {
     /// `Some(ScriptSandbox::empty())` to clear them). Absent leaves
     /// the stored value unchanged.
     pub sandbox: Option<ScriptSandbox>,
+    /// v1.1.3: `Some(kind)` changes the script's role. Transitions to
+    /// `Module` are rejected if any routes or triggers still reference
+    /// the script. `module → endpoint` is always allowed.
+    pub kind: Option<ScriptKind>,
 }
 
 #[allow(clippy::option_option)]
@@ -202,7 +211,20 @@ async fn create_script<R: ScriptRepository, L: ExecutionLogRepository>(
         Capability::AppWriteScript(input.app_id),
     )
     .await?;
-    state.validator.validate(&input.source)?;
+    // v1.1.3: dispatch to the right validator based on declared kind.
+    // Module bodies have stricter rules (no top-level statements) so
+    // they need a separate gate; endpoints retain the parse-only path.
+    let validated: ValidatedScript = if input.kind == ScriptKind::Module {
+        if RESERVED_MODULE_NAMES.contains(&input.name.as_str()) {
+            return Err(ApiError::Invalid(ValidationError::ModuleShape(format!(
+                "{:?} is a reserved module name (shadows a built-in SDK namespace)",
+                input.name
+            ))));
+        }
+        state.validator.validate_module(&input.source)?
+    } else {
+        state.validator.validate(&input.source)?
+    };
     state.sandbox_ceiling.check(&input.sandbox)?;
     // Refuse early if the app_id doesn't exist — a clean 422 beats a
     // raw FK violation surfacing as 500.
@@ -216,6 +238,7 @@ async fn create_script<R: ScriptRepository, L: ExecutionLogRepository>(
             name: input.name,
             description: input.description,
             source: input.source,
+            kind: input.kind,
             timeout_seconds: input.timeout_seconds,
             memory_limit_mb: input.memory_limit_mb,
             sandbox: if input.sandbox.is_empty() {
@@ -223,11 +246,39 @@ async fn create_script<R: ScriptRepository, L: ExecutionLogRepository>(
             } else {
                 Some(input.sandbox)
             },
+            imports: validated.imports,
         })
         .await?;
     Ok((StatusCode::CREATED, Json(created)))
 }
 
+/// Module names that would shadow a built-in stdlib / service namespace.
+/// Rejected at create time so `import "kv" as foo` can never resolve to
+/// a user-supplied module instead of (in a hypothetical future) the
+/// real KV bridge — defense against author confusion, not a security
+/// boundary (stdlib namespaces and module imports already live in
+/// disjoint Rhai scopes).
+const RESERVED_MODULE_NAMES: &[&str] = &[
+    "log",
+    "regex",
+    "random",
+    "time",
+    "json",
+    "base64",
+    "hex",
+    "url",
+    "kv",
+    "docs",
+    "dead_letters",
+    "http",
+    "files",
+    "pubsub",
+    "secrets",
+    "email",
+    "users",
+    "queue",
+];
+
 async fn update_script<R: ScriptRepository, L: ExecutionLogRepository>(
     State(state): State<AdminState<R, L>>,
     Extension(principal): Extension<Principal>,
@@ -241,9 +292,44 @@ async fn update_script<R: ScriptRepository, L: ExecutionLogRepository>(
         Capability::AppWriteScript(script.app_id),
     )
     .await?;
-    if let Some(src) = input.source.as_deref() {
-        state.validator.validate(src)?;
+
+    // Effective post-update kind: explicit override > existing kind.
+    let effective_kind = input.kind.unwrap_or(script.kind);
+
+    // v1.1.3: reject `endpoint → module` if the script still has
+    // routes or triggers bound to it. The reverse direction is always
+    // allowed (a module can't have routes/triggers anyway, so the
+    // transition can never strand users).
+    if effective_kind == ScriptKind::Module && script.kind != ScriptKind::Module {
+        let routes = state.repo.count_routes_for_script(id).await?;
+        let triggers = state.repo.count_triggers_for_script(id).await?;
+        if routes + triggers > 0 {
+            return Err(ApiError::Invalid(ValidationError::ModuleShape(format!(
+                "cannot change kind to module: script is referenced by {routes} route(s) and {triggers} trigger(s); detach them first"
+            ))));
+        }
+        if RESERVED_MODULE_NAMES.contains(&script.name.as_str()) {
+            return Err(ApiError::Invalid(ValidationError::ModuleShape(format!(
+                "{:?} is a reserved module name (shadows a built-in SDK namespace)",
+                script.name
+            ))));
+        }
     }
+
+    // v1.1.3: re-validate using the effective kind so endpoint → module
+    // transitions with a fresh source enforce the module shape rules.
+    // Source-less edits (name/description only) don't re-validate.
+    let imports_for_patch: Option<Vec<String>> = if let Some(src) = input.source.as_deref() {
+        let validated = if effective_kind == ScriptKind::Module {
+            state.validator.validate_module(src)?
+        } else {
+            state.validator.validate(src)?
+        };
+        Some(validated.imports)
+    } else {
+        None
+    };
+
     if let Some(sb) = input.sandbox.as_ref() {
         state.sandbox_ceiling.check(sb)?;
     }
@@ -258,6 +344,8 @@ async fn update_script<R: ScriptRepository, L: ExecutionLogRepository>(
                 timeout_seconds: input.timeout_seconds,
                 memory_limit_mb: input.memory_limit_mb,
                 sandbox: input.sandbox,
+                kind: input.kind,
+                imports: imports_for_patch,
             },
         )
         .await?;
@@ -270,10 +358,13 @@ async fn delete_script<R: ScriptRepository, L: ExecutionLogRepository>(
     Path(id): Path<ScriptId>,
 ) -> Result<StatusCode, ApiError> {
     let script = state.repo.get(id).await?.ok_or(ApiError::NotFound(id))?;
+    // Delete is gated tighter than Save: editors can edit scripts but
+    // only app_admin / instance admin / owner can remove them. See
+    // blueprint §11.6.
     require(
         state.authz.as_ref(),
         &principal,
-        Capability::AppWriteScript(script.app_id),
+        Capability::AppAdmin(script.app_id),
     )
     .await?;
     state.repo.delete(id).await?;

crates/manager-core/src/app_bootstrap.rs

@@ -64,9 +64,11 @@ async fn seed_into(
             name: "hello".to_string(),
             description: Some("Reference example: returns a greeting at GET /hello.".to_string()),
             source: HELLO_RHAI_SOURCE.to_string(),
+            kind: picloud_shared::ScriptKind::Endpoint,
             timeout_seconds: Some(5),
             memory_limit_mb: None,
             sandbox: None,
+            imports: Vec::new(),
         })
         .await?;
 
@@ -82,6 +84,7 @@ async fn seed_into(
             // Accept any method so both `curl /hello` and
             // `curl -d '{"name":"X"}' /hello` work out of the box.
             method: None,
+            dispatch_mode: picloud_shared::DispatchMode::Sync,
         })
         .await?;
 

crates/manager-core/src/app_secrets_repo.rs

@@ -0,0 +1,91 @@
+//! `AppSecretsRepo` — per-app secret material (v1.1.6).
+//!
+//! Today this holds only the HMAC signing key for realtime subscriber
+//! tokens. The key is generated lazily (32 random bytes) on the first
+//! `pubsub::subscriber_token` call for an app and never changes
+//! thereafter in v1.1.6 (no rotation API yet — rotation is the
+//! key-invalidation mechanism, deferred). The key is never exposed to
+//! scripts: the SDK mints tokens, it never returns the key.
+//!
+//! This table is the natural home for v1.1.7's encrypted per-app
+//! secrets work.
+
+use async_trait::async_trait;
+use picloud_shared::AppId;
+use rand::RngCore;
+use sqlx::PgPool;
+
+/// Length of a freshly-generated realtime signing key.
+pub const SIGNING_KEY_LEN: usize = 32;
+
+#[derive(Debug, thiserror::Error)]
+pub enum AppSecretsRepoError {
+    #[error("database error: {0}")]
+    Db(#[from] sqlx::Error),
+}
+
+#[async_trait]
+pub trait AppSecretsRepo: Send + Sync {
+    /// Fetch the app's realtime signing key, generating + persisting one
+    /// (32 random bytes) if absent. Idempotent under concurrency: a
+    /// racing creator's `ON CONFLICT DO NOTHING` insert is a no-op and
+    /// the existing key is returned.
+    async fn get_or_create_signing_key(
+        &self,
+        app_id: AppId,
+    ) -> Result<Vec<u8>, AppSecretsRepoError>;
+
+    /// Fetch the signing key if it exists, WITHOUT creating one. The SSE
+    /// verify path uses this: a missing key means no token was ever
+    /// minted for the app, so any presented token must be rejected.
+    async fn signing_key(&self, app_id: AppId) -> Result<Option<Vec<u8>>, AppSecretsRepoError>;
+}
+
+pub struct PostgresAppSecretsRepo {
+    pool: PgPool,
+}
+
+impl PostgresAppSecretsRepo {
+    #[must_use]
+    pub fn new(pool: PgPool) -> Self {
+        Self { pool }
+    }
+}
+
+#[async_trait]
+impl AppSecretsRepo for PostgresAppSecretsRepo {
+    async fn get_or_create_signing_key(
+        &self,
+        app_id: AppId,
+    ) -> Result<Vec<u8>, AppSecretsRepoError> {
+        let mut fresh = vec![0u8; SIGNING_KEY_LEN];
+        rand::thread_rng().fill_bytes(&mut fresh);
+
+        // Insert-if-absent then read: the racing-creator's insert is a
+        // no-op, and the SELECT always returns the winning key.
+        sqlx::query(
+            "INSERT INTO app_secrets (app_id, realtime_signing_key) \
+             VALUES ($1, $2) ON CONFLICT (app_id) DO NOTHING",
+        )
+        .bind(app_id.into_inner())
+        .bind(&fresh)
+        .execute(&self.pool)
+        .await?;
+
+        let key: (Vec<u8>,) =
+            sqlx::query_as("SELECT realtime_signing_key FROM app_secrets WHERE app_id = $1")
+                .bind(app_id.into_inner())
+                .fetch_one(&self.pool)
+                .await?;
+        Ok(key.0)
+    }
+
+    async fn signing_key(&self, app_id: AppId) -> Result<Option<Vec<u8>>, AppSecretsRepoError> {
+        let row: Option<(Vec<u8>,)> =
+            sqlx::query_as("SELECT realtime_signing_key FROM app_secrets WHERE app_id = $1")
+                .bind(app_id.into_inner())
+                .fetch_optional(&self.pool)
+                .await?;
+        Ok(row.map(|r| r.0))
+    }
+}

crates/manager-core/src/apps_api.rs

@@ -143,8 +143,8 @@ pub struct AppLookupResponse {
     pub redirect_to: Option<String>,
     /// The caller's role on this app, used by the dashboard to decide
     /// whether to render admin-only surfaces (Members tab, settings).
-    /// `Owner` maps to `app_admin`, `Admin` to `editor` (both implicit
-    /// per blueprint §11.6); `Member` carries its explicit
+    /// `Owner` and `Admin` both map to `app_admin` (implicit per
+    /// blueprint §11.6); `Member` carries its explicit
     /// `app_members.role`.
     pub my_role: Option<AppRole>,
 }
@@ -226,16 +226,15 @@ async fn get_app(
 /// Compute the caller's effective `AppRole` on a specific app. Mirrors
 /// the implicit-grant logic in `authz::role_grants` but returns the
 /// role itself (for UI gating) rather than a yes/no decision. `Owner`
-/// is implicit `AppAdmin` everywhere; `Admin` is implicit `Editor`
-/// everywhere; `Member` consults `app_members`.
+/// and `Admin` are both implicit `AppAdmin` everywhere; `Member`
+/// consults `app_members`.
 async fn compute_my_role(
     authz: &dyn AuthzRepo,
     principal: &Principal,
     app_id: AppId,
 ) -> Result<Option<AppRole>, AppsApiError> {
     match principal.instance_role {
-        InstanceRole::Owner => Ok(Some(AppRole::AppAdmin)),
-        InstanceRole::Admin => Ok(Some(AppRole::Editor)),
+        InstanceRole::Owner | InstanceRole::Admin => Ok(Some(AppRole::AppAdmin)),
         InstanceRole::Member => Ok(authz.membership(principal.user_id, app_id).await?),
     }
 }

crates/manager-core/src/auth_middleware.rs

@@ -100,6 +100,35 @@ pub async fn require_admin(state: State<AuthState>, req: Request<Body>, next: Ne
     require_authenticated(state, req, next).await
 }
 
+/// Opportunistic data-plane variant: always inserts an
+/// `Extension<Option<Principal>>` and forwards the request. Used on
+/// `/execute/{id}` and the user-route fallback, where most invocations
+/// are anonymous public HTTP and the few authed ones (dashboard
+/// test-runs, API keys) should still let scripts see the caller via
+/// `cx.principal` once services consume it.
+///
+/// Failure modes — all degrade to `None` rather than rejecting:
+///   * No bearer / cookie → `None`.
+///   * Malformed or unknown token → `None`.
+///   * DB blip while resolving → `None` (fail-open; the data plane
+///     should not 500 on transient infra failures for an *optional*
+///     identity check).
+///
+/// Admin-side routes that REQUIRE an identity keep using
+/// `require_authenticated`.
+pub async fn attach_principal_if_present(
+    State(state): State<AuthState>,
+    mut req: Request<Body>,
+    next: Next,
+) -> Response {
+    let principal: Option<Principal> = match extract_token(&req) {
+        Some(token) => resolve_principal(&state, &token).await.unwrap_or(None),
+        None => None,
+    };
+    req.extensions_mut().insert(principal);
+    next.run(req).await
+}
+
 /// Decide whether the token is an API key (pic_ prefix) or a session
 /// token, then resolve the corresponding `Principal`. `Ok(None)`
 /// means the token was structurally valid but didn't match any active

crates/manager-core/src/authz.rs

@@ -57,6 +57,52 @@ pub enum Capability {
     AppAdmin(AppId),
     /// Read execution logs for scripts in this app.
     AppLogRead(AppId),
+    /// Read entries from this app's KV store (v1.1.1). Granted to
+    /// `viewer`+ in the per-app role table. Maps to `script:read` on
+    /// API keys — the seven-scope vocabulary stays locked.
+    AppKvRead(AppId),
+    /// Write entries to this app's KV store (v1.1.1). Granted to
+    /// `editor`+. Maps to `script:write` on API keys.
+    AppKvWrite(AppId),
+    /// Read documents from this app's docs store (v1.1.2). Same trust
+    /// shape as KV read — granted to `viewer`+, maps to `script:read`
+    /// on API keys. Honors the seven-scope commitment.
+    AppDocsRead(AppId),
+    /// Write documents to this app's docs store (v1.1.2). Same trust
+    /// shape as KV write — granted to `editor`+, maps to
+    /// `script:write` on API keys.
+    AppDocsWrite(AppId),
+    /// Make an outbound HTTP request from a script in this app
+    /// (v1.1.4). Maps to `script:write` on API keys: any outbound
+    /// request can exfiltrate data — including read methods like GET —
+    /// so the conservative write mapping is correct. Splitting
+    /// read/write is a v1.2+ refinement. Granted to `editor`+.
+    AppHttpRequest(AppId),
+    /// Read blobs from this app's files store (v1.1.5). Same trust
+    /// shape as KV/docs read — granted to `viewer`+, maps to
+    /// `script:read` on API keys. Honors the seven-scope commitment.
+    AppFilesRead(AppId),
+    /// Write blobs to this app's files store (v1.1.5). Granted to
+    /// `editor`+, maps to `script:write` on API keys.
+    AppFilesWrite(AppId),
+    /// Publish a durable pub/sub message from a script in this app
+    /// (v1.1.5). Maps to `script:write` on API keys (a publish is a
+    /// write that fans out to subscribers). Granted to `editor`+.
+    AppPubsubPublish(AppId),
+    /// Create / list / delete triggers for this app (v1.1.1). Maps to
+    /// `app:admin` on API keys — triggers are app-configuration acts
+    /// rather than data-plane access. Granted to `app_admin`+.
+    AppManageTriggers(AppId),
+    /// Replay / resolve dead-letter rows for this app (v1.1.1). Maps
+    /// to `app:admin` on API keys. Public-HTTP scripts (principal None)
+    /// fail this check — managing dead letters is an admin act.
+    AppDeadLetterManage(AppId),
+    /// Register / list / update / delete externally-subscribable topics
+    /// for this app (v1.1.6). Maps to `app:admin` on API keys —
+    /// externalizing a topic is an app-configuration act with security
+    /// weight (it opens an internal pub/sub topic to outside SSE
+    /// subscribers). Granted to `app_admin`+.
+    AppTopicManage(AppId),
 }
 
 impl Capability {
@@ -73,7 +119,18 @@ impl Capability {
             | Self::AppWriteRoute(id)
             | Self::AppManageDomains(id)
             | Self::AppAdmin(id)
-            | Self::AppLogRead(id) => Some(id),
+            | Self::AppLogRead(id)
+            | Self::AppKvRead(id)
+            | Self::AppKvWrite(id)
+            | Self::AppDocsRead(id)
+            | Self::AppDocsWrite(id)
+            | Self::AppHttpRequest(id)
+            | Self::AppFilesRead(id)
+            | Self::AppFilesWrite(id)
+            | Self::AppPubsubPublish(id)
+            | Self::AppManageTriggers(id)
+            | Self::AppDeadLetterManage(id)
+            | Self::AppTopicManage(id) => Some(id),
         }
     }
 
@@ -88,11 +145,22 @@ impl Capability {
             Self::InstanceCreateApp | Self::InstanceManageUsers | Self::InstanceManageSettings => {
                 Scope::InstanceAdmin
             }
-            Self::AppRead(_) => Scope::ScriptRead,
-            Self::AppWriteScript(_) => Scope::ScriptWrite,
+            Self::AppRead(_)
+            | Self::AppKvRead(_)
+            | Self::AppDocsRead(_)
+            | Self::AppFilesRead(_) => Scope::ScriptRead,
+            Self::AppWriteScript(_)
+            | Self::AppKvWrite(_)
+            | Self::AppDocsWrite(_)
+            | Self::AppHttpRequest(_)
+            | Self::AppFilesWrite(_)
+            | Self::AppPubsubPublish(_) => Scope::ScriptWrite,
             Self::AppWriteRoute(_) => Scope::RouteWrite,
             Self::AppManageDomains(_) => Scope::DomainManage,
-            Self::AppAdmin(_) => Scope::AppAdmin,
+            Self::AppAdmin(_)
+            | Self::AppManageTriggers(_)
+            | Self::AppDeadLetterManage(_)
+            | Self::AppTopicManage(_) => Scope::AppAdmin,
             Self::AppLogRead(_) => Scope::LogRead,
         }
     }
@@ -199,21 +267,14 @@ async fn role_grants(
     }
 }
 
-/// Admin is implicit `editor` on every app (per blueprint §11.6). They
-/// can create apps and manage users, but NOT touch instance-wide
-/// settings or take app-admin-only actions on apps they're not
-/// explicitly app_admin of. Everything not in this set falls through
-/// to deny (`InstanceManageSettings`, `AppManageDomains`, `AppAdmin`).
+/// Admin is implicit `app_admin` on every app (per blueprint §11.6).
+/// They can create apps, manage users, and take any app-scoped action
+/// on any app without an explicit `app_members` row — single-human
+/// installs would otherwise need to add themselves to every new app.
+/// Only `InstanceManageSettings` (sandbox ceiling, etc.) stays
+/// owner-only.
 const fn admin_grants(cap: Capability) -> bool {
-    matches!(
-        cap,
-        Capability::InstanceCreateApp
-            | Capability::InstanceManageUsers
-            | Capability::AppRead(_)
-            | Capability::AppWriteScript(_)
-            | Capability::AppWriteRoute(_)
-            | Capability::AppLogRead(_)
-    )
+    !matches!(cap, Capability::InstanceManageSettings)
 }
 
 /// Member has zero instance authority. App authority requires an
@@ -237,16 +298,33 @@ async fn member_grants(
 /// domain claims, and delete. Roles form a strict subset chain, so
 /// the check is "is this capability in the role's set?".
 const fn role_satisfies(role: AppRole, cap: Capability) -> bool {
-    let in_viewer = matches!(cap, Capability::AppRead(_) | Capability::AppLogRead(_));
+    let in_viewer = matches!(
+        cap,
+        Capability::AppRead(_)
+            | Capability::AppLogRead(_)
+            | Capability::AppKvRead(_)
+            | Capability::AppDocsRead(_)
+            | Capability::AppFilesRead(_)
+    );
     let in_editor = in_viewer
         || matches!(
             cap,
-            Capability::AppWriteScript(_) | Capability::AppWriteRoute(_)
+            Capability::AppWriteScript(_)
+                | Capability::AppWriteRoute(_)
+                | Capability::AppKvWrite(_)
+                | Capability::AppDocsWrite(_)
+                | Capability::AppHttpRequest(_)
+                | Capability::AppFilesWrite(_)
+                | Capability::AppPubsubPublish(_)
         );
     let in_app_admin = in_editor
         || matches!(
             cap,
-            Capability::AppManageDomains(_) | Capability::AppAdmin(_)
+            Capability::AppManageDomains(_)
+                | Capability::AppAdmin(_)
+                | Capability::AppManageTriggers(_)
+                | Capability::AppDeadLetterManage(_)
+                | Capability::AppTopicManage(_)
         );
     match role {
         AppRole::Viewer => in_viewer,
@@ -357,10 +435,23 @@ mod tests {
     }
 
     #[tokio::test]
-    async fn admin_cannot_manage_instance_settings_or_app_admin_actions() {
+    async fn admin_cannot_manage_instance_settings() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Admin);
+        assert_eq!(
+            can(&repo, &p, Capability::InstanceManageSettings)
+                .await
+                .unwrap(),
+            Decision::Deny,
+        );
+    }
+
+    #[tokio::test]
+    async fn admin_is_implicit_app_admin_on_every_app() {
         let repo = InMemoryAuthzRepo::default();
         let p = principal(InstanceRole::Admin);
         let app = AppId::new();
+        // Instance-scoped allowances.
         assert_eq!(
             can(&repo, &p, Capability::InstanceCreateApp).await.unwrap(),
             Decision::Allow,
@@ -371,36 +462,22 @@ mod tests {
                 .unwrap(),
             Decision::Allow,
         );
-        assert_eq!(
-            can(&repo, &p, Capability::InstanceManageSettings)
-                .await
-                .unwrap(),
-            Decision::Deny,
-        );
-        // Editor-like grants succeed
-        assert_eq!(
-            can(&repo, &p, Capability::AppWriteScript(app))
-                .await
-                .unwrap(),
-            Decision::Allow,
-        );
-        assert_eq!(
-            can(&repo, &p, Capability::AppWriteRoute(app))
-                .await
-                .unwrap(),
-            Decision::Allow,
-        );
-        // App-admin grants do not
-        assert_eq!(
-            can(&repo, &p, Capability::AppManageDomains(app))
-                .await
-                .unwrap(),
-            Decision::Deny,
-        );
-        assert_eq!(
-            can(&repo, &p, Capability::AppAdmin(app)).await.unwrap(),
-            Decision::Deny,
-        );
+        // Editor-like + app-admin grants both succeed without any
+        // app_members row.
+        for cap in [
+            Capability::AppRead(app),
+            Capability::AppWriteScript(app),
+            Capability::AppWriteRoute(app),
+            Capability::AppLogRead(app),
+            Capability::AppManageDomains(app),
+            Capability::AppAdmin(app),
+        ] {
+            assert_eq!(
+                can(&repo, &p, cap).await.unwrap(),
+                Decision::Allow,
+                "admin denied app-scoped capability {cap:?}"
+            );
+        }
     }
 
     #[tokio::test]
@@ -474,6 +551,29 @@ mod tests {
         );
     }
 
+    /// Editors hold `AppWriteScript` (Save) but **not** `AppAdmin`
+    /// (Delete). The script-delete handler gates on the latter so the
+    /// API can't be tricked into letting an editor remove the script
+    /// they were only allowed to edit.
+    #[tokio::test]
+    async fn editor_can_write_scripts_but_not_delete_them() {
+        let repo = InMemoryAuthzRepo::default();
+        let p = principal(InstanceRole::Member);
+        let app = AppId::new();
+        repo.grant(p.user_id, app, AppRole::Editor).await;
+
+        assert!(can(&repo, &p, Capability::AppWriteScript(app))
+            .await
+            .unwrap()
+            .is_allow());
+        // Delete is gated on AppAdmin in the handler — editors must be
+        // denied here for that gate to bite.
+        assert_eq!(
+            can(&repo, &p, Capability::AppAdmin(app)).await.unwrap(),
+            Decision::Deny,
+        );
+    }
+
     #[tokio::test]
     async fn member_with_app_admin_role_can_do_app_admin_actions() {
         let repo = InMemoryAuthzRepo::default();
@@ -568,6 +668,35 @@ mod tests {
         );
     }
 
+    #[tokio::test]
+    async fn topic_manage_requires_app_admin() {
+        let repo = InMemoryAuthzRepo::default();
+        let app = AppId::new();
+        // Maps to the app:admin scope, not a new one.
+        assert_eq!(
+            Capability::AppTopicManage(app).required_scope(),
+            Scope::AppAdmin
+        );
+
+        // Member with only Editor role cannot manage topics.
+        let p = principal(InstanceRole::Member);
+        repo.grant(p.user_id, app, AppRole::Editor).await;
+        assert_eq!(
+            can(&repo, &p, Capability::AppTopicManage(app))
+                .await
+                .unwrap(),
+            Decision::Deny,
+        );
+
+        // App-admin role can.
+        let admin = principal(InstanceRole::Member);
+        repo.grant(admin.user_id, app, AppRole::AppAdmin).await;
+        assert!(can(&repo, &admin, Capability::AppTopicManage(app))
+            .await
+            .unwrap()
+            .is_allow());
+    }
+
     #[test]
     fn capability_app_id_extraction() {
         let app = AppId::new();

crates/manager-core/src/cron_scheduler.rs

@@ -0,0 +1,297 @@
+//! Cron scheduler — the v1.1.4 time-based trigger source.
+//!
+//! A single tokio task polls `cron_trigger_details` on a tick (default
+//! 30s; `PICLOUD_CRON_TICK_INTERVAL_MS`). For each enabled cron trigger
+//! whose next scheduled fire is due, it enqueues ONE outbox row
+//! (`source_kind = 'cron'`) and updates `last_fired_at` — both in the
+//! same transaction, claimed via `FOR UPDATE SKIP LOCKED` so a future
+//! multi-node deploy can't double-fire.
+//!
+//! The scheduler does NOT dispatch or touch the `ExecutionGate`: it only
+//! enqueues. The existing dispatcher picks the row up and acquires the
+//! gate exactly as it does for kv/docs/dead_letter rows.
+//!
+//! **Catch-up policy (matches the brief):** a trigger that missed N fire
+//! windows since `last_fired_at` fires exactly ONCE on the next tick,
+//! not N times. This falls out of the design: [`next_due`] returns a
+//! single canonical scheduled time (the first slot after the reference
+//! point), and after firing we set `last_fired_at = now`, so the next
+//! tick computes from `now` and sees only future slots. Backfilling
+//! missed windows is intentionally out of scope (an explicit replay
+//! action is the v1.2+ escape hatch).
+
+use std::str::FromStr;
+use std::time::Duration;
+
+use chrono::{DateTime, Utc};
+use chrono_tz::Tz;
+use cron::Schedule;
+use picloud_shared::TriggerEvent;
+use sqlx::PgPool;
+use uuid::Uuid;
+
+/// Validate a 6-field cron expression. Returns the parse error message
+/// on failure.
+///
+/// # Errors
+///
+/// Returns the underlying parse error string when `schedule` is not a
+/// valid cron expression.
+pub fn validate_schedule(schedule: &str) -> Result<(), String> {
+    Schedule::from_str(schedule)
+        .map(|_| ())
+        .map_err(|e| e.to_string())
+}
+
+/// Validate an IANA timezone name (e.g. `America/Los_Angeles`).
+///
+/// # Errors
+///
+/// Returns an error string when `timezone` is not a known IANA name.
+pub fn validate_timezone(timezone: &str) -> Result<(), String> {
+    Tz::from_str(timezone)
+        .map(|_| ())
+        .map_err(|_| format!("unknown IANA timezone: {timezone}"))
+}
+
+/// Compute whether a cron trigger is due, and if so its canonical
+/// scheduled-at moment (UTC).
+///
+/// Returns `Some(scheduled_at)` when the first scheduled slot after the
+/// reference point (`last_fired_at`, or `created_at` if never fired) is
+/// at/before `now`; `None` otherwise. Returns `None` if the schedule or
+/// timezone fails to parse (the row is skipped — it should never have
+/// been inserted, since the admin endpoint validates).
+#[must_use]
+pub fn next_due(
+    schedule: &str,
+    timezone: &str,
+    last_fired_at: Option<DateTime<Utc>>,
+    created_at: DateTime<Utc>,
+    now: DateTime<Utc>,
+) -> Option<DateTime<Utc>> {
+    let sched = Schedule::from_str(schedule).ok()?;
+    let tz = Tz::from_str(timezone).ok()?;
+    // Reference: the last actual fire, or creation if never fired. A
+    // never-fired trigger fires at its first slot at/after creation.
+    let base = last_fired_at.unwrap_or(created_at);
+    let base_tz = base.with_timezone(&tz);
+    let next = sched.after(&base_tz).next()?;
+    let next_utc = next.with_timezone(&Utc);
+    (next_utc <= now).then_some(next_utc)
+}
+
+/// Spawn the scheduler loop. Runs for the process lifetime.
+pub fn spawn_cron_scheduler(pool: PgPool, tick_interval_ms: u32) {
+    // Floor the tick at 1s so a misconfigured 0 can't spin.
+    let interval = Duration::from_millis(u64::from(tick_interval_ms).max(1_000));
+    tokio::spawn(async move {
+        let mut ticker = tokio::time::interval(interval);
+        // Skip the immediate first fire so we don't race startup.
+        ticker.tick().await;
+        loop {
+            ticker.tick().await;
+            if let Err(e) = tick(&pool, Utc::now()).await {
+                tracing::warn!(?e, "cron scheduler tick errored");
+            }
+        }
+    });
+}
+
+#[derive(sqlx::FromRow)]
+struct DueRow {
+    id: Uuid,
+    app_id: Uuid,
+    script_id: Uuid,
+    registered_by_principal: Uuid,
+    created_at: DateTime<Utc>,
+    schedule: String,
+    timezone: String,
+    last_fired_at: Option<DateTime<Utc>>,
+}
+
+/// One scheduler tick: claim enabled cron rows, enqueue the due ones,
+/// bump `last_fired_at`. Returns the number of triggers fired.
+async fn tick(pool: &PgPool, now: DateTime<Utc>) -> Result<usize, sqlx::Error> {
+    let mut tx = pool.begin().await?;
+    let rows: Vec<DueRow> = sqlx::query_as(
+        "SELECT t.id, t.app_id, t.script_id, t.registered_by_principal, t.created_at, \
+                d.schedule, d.timezone, d.last_fired_at \
+         FROM cron_trigger_details d \
+         JOIN triggers t ON t.id = d.trigger_id \
+         WHERE t.enabled = TRUE \
+         FOR UPDATE OF d SKIP LOCKED",
+    )
+    .fetch_all(&mut *tx)
+    .await?;
+
+    let mut fired = 0usize;
+    for r in rows {
+        let Some(scheduled_at) =
+            next_due(&r.schedule, &r.timezone, r.last_fired_at, r.created_at, now)
+        else {
+            continue;
+        };
+
+        let event = TriggerEvent::Cron {
+            schedule: r.schedule.clone(),
+            timezone: r.timezone.clone(),
+            scheduled_at,
+            fired_at: now,
+        };
+        let payload = serde_json::to_value(&event)
+            .map_err(|e| sqlx::Error::Decode(Box::new(std::io::Error::other(e))))?;
+
+        // Enqueue exactly one outbox row. Relies on the same column
+        // defaults the OutboxEventEmitter uses (next_attempt_at = NOW(),
+        // attempt_count = 0, claimed_at NULL → immediately due).
+        sqlx::query(
+            "INSERT INTO outbox \
+                (app_id, source_kind, trigger_id, script_id, payload, \
+                 origin_principal, trigger_depth) \
+             VALUES ($1, 'cron', $2, $3, $4, $5, 0)",
+        )
+        .bind(r.app_id)
+        .bind(r.id)
+        .bind(r.script_id)
+        .bind(payload)
+        .bind(r.registered_by_principal)
+        .execute(&mut *tx)
+        .await?;
+
+        sqlx::query("UPDATE cron_trigger_details SET last_fired_at = $2 WHERE trigger_id = $1")
+            .bind(r.id)
+            .bind(now)
+            .execute(&mut *tx)
+            .await?;
+
+        fired += 1;
+    }
+
+    tx.commit().await?;
+    Ok(fired)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use chrono::TimeZone;
+
+    #[test]
+    fn valid_six_field_schedule_accepted() {
+        // sec min hour dom mon dow — "every weekday at 9am".
+        validate_schedule("0 0 9 * * MON-FRI").unwrap();
+        validate_schedule("*/5 * * * * *").unwrap();
+        validate_schedule("0 0 0 1 1 *").unwrap();
+    }
+
+    #[test]
+    fn invalid_schedules_rejected() {
+        // 5-field (no seconds) is not the format we accept.
+        assert!(validate_schedule("* * * * *").is_err());
+        // Gibberish.
+        assert!(validate_schedule("not a cron").is_err());
+        assert!(validate_schedule("").is_err());
+        // Out-of-range hour.
+        assert!(validate_schedule("0 0 99 * * *").is_err());
+    }
+
+    #[test]
+    fn known_timezones_accepted() {
+        validate_timezone("UTC").unwrap();
+        validate_timezone("America/Los_Angeles").unwrap();
+        validate_timezone("Europe/Berlin").unwrap();
+    }
+
+    #[test]
+    fn unknown_timezones_rejected() {
+        assert!(validate_timezone("Mars/Phobos").is_err());
+        assert!(validate_timezone("PST").is_err()); // abbreviations aren't IANA names
+        assert!(validate_timezone("").is_err());
+    }
+
+    fn ts(s: &str) -> DateTime<Utc> {
+        DateTime::parse_from_rfc3339(s).unwrap().with_timezone(&Utc)
+    }
+
+    #[test]
+    fn due_when_next_slot_is_at_or_before_now() {
+        // Every minute at second 0. Last fired 90s ago → the next slot
+        // after that is due now.
+        let created = ts("2026-06-01T00:00:00Z");
+        let last = Some(ts("2026-06-15T11:58:10Z"));
+        let now = ts("2026-06-15T12:00:05Z");
+        let due = next_due("0 * * * * *", "UTC", last, created, now);
+        assert_eq!(due, Some(ts("2026-06-15T11:59:00Z")));
+    }
+
+    #[test]
+    fn not_due_when_next_slot_is_in_the_future() {
+        let created = ts("2026-06-01T00:00:00Z");
+        let last = Some(ts("2026-06-15T12:00:00Z"));
+        let now = ts("2026-06-15T12:00:30Z");
+        // Next minute slot is 12:01:00 — still in the future.
+        assert_eq!(next_due("0 * * * * *", "UTC", last, created, now), None);
+    }
+
+    #[test]
+    fn never_fired_uses_created_at_as_reference() {
+        let created = ts("2026-06-15T12:00:10Z");
+        let now = ts("2026-06-15T12:01:30Z");
+        // First slot after creation is 12:01:00, which is <= now → due.
+        let due = next_due("0 * * * * *", "UTC", None, created, now);
+        assert_eq!(due, Some(ts("2026-06-15T12:01:00Z")));
+    }
+
+    /// Catch-up policy: a trigger that missed many windows fires exactly
+    /// ONCE. We simulate two consecutive scheduler ticks the way the DB
+    /// loop does — fire once, set last_fired = now, then re-evaluate.
+    #[test]
+    fn catch_up_fires_exactly_once_after_missed_windows() {
+        let created = ts("2026-06-15T09:00:00Z");
+        // Last fired over 5 minutes (5 windows) ago.
+        let mut last_fired = Some(ts("2026-06-15T11:54:30Z"));
+        let now = ts("2026-06-15T12:00:05Z");
+
+        // Tick 1: due → fire once, advance last_fired to `now`.
+        let first = next_due("0 * * * * *", "UTC", last_fired, created, now);
+        assert!(first.is_some(), "should be due after missing windows");
+        last_fired = Some(now);
+
+        // Tick 2 (same wall-clock): NOT due again — only one fire total,
+        // not one-per-missed-window.
+        let second = next_due("0 * * * * *", "UTC", last_fired, created, now);
+        assert_eq!(second, None, "catch-up must fire exactly once");
+    }
+
+    #[test]
+    fn timezone_affects_fire_time() {
+        // "9am every day" in Los Angeles. On 2026-06-15, PDT = UTC-7, so
+        // 09:00 local = 16:00 UTC.
+        let created = ts("2026-06-15T00:00:00Z");
+        let last = Some(ts("2026-06-15T15:59:00Z"));
+        let now = ts("2026-06-15T16:00:30Z");
+        let due = next_due("0 0 9 * * *", "America/Los_Angeles", last, created, now);
+        assert_eq!(due, Some(ts("2026-06-15T16:00:00Z")));
+        // Sanity: the same expression in UTC would NOT be due at 16:00.
+        assert_eq!(next_due("0 0 9 * * *", "UTC", last, created, now), None);
+    }
+
+    #[test]
+    fn bad_schedule_or_tz_yields_none() {
+        let created = ts("2026-06-15T00:00:00Z");
+        let now = ts("2026-06-15T12:00:00Z");
+        assert_eq!(next_due("garbage", "UTC", None, created, now), None);
+        assert_eq!(
+            next_due("0 * * * * *", "Mars/Phobos", None, created, now),
+            None
+        );
+    }
+
+    #[test]
+    fn utc_offset_constructor_smoke() {
+        // Guard the chrono TimeZone import is actually exercised.
+        let dt = Utc.with_ymd_and_hms(2026, 6, 15, 12, 0, 0).unwrap();
+        assert_eq!(dt, ts("2026-06-15T12:00:00Z"));
+    }
+}

crates/manager-core/src/dead_letter_repo.rs

@@ -0,0 +1,261 @@
+//! `DeadLetterRepo` — CRUD over the `dead_letters` table.
+//!
+//! The dispatcher writes new rows when an async trigger exhausts its
+//! retry policy. Admin endpoints (commit 8) read for the dashboard
+//! list view and write to mark rows resolved or replay them. The GC
+//! sweeper (commit 10) deletes expired rows by `created_at`.
+
+use async_trait::async_trait;
+use chrono::{DateTime, Utc};
+use picloud_shared::{AppId, DeadLetterId, ScriptId, TriggerId};
+use sqlx::PgPool;
+use uuid::Uuid;
+
+#[derive(Debug, thiserror::Error)]
+pub enum DeadLetterRepoError {
+    #[error("database error: {0}")]
+    Db(#[from] sqlx::Error),
+
+    #[error("dead-letter row not found: {0}")]
+    NotFound(DeadLetterId),
+
+    #[error("invalid resolution {0:?}")]
+    InvalidResolution(String),
+}
+
+#[derive(Debug, Clone)]
+pub struct NewDeadLetter {
+    pub app_id: AppId,
+    /// `outbox.id` that exhausted retries. Outbox row deleted at the
+    /// same time.
+    pub original_event_id: Uuid,
+    pub source: String,
+    pub op: String,
+    pub trigger_id: Option<TriggerId>,
+    pub script_id: Option<ScriptId>,
+    pub payload: serde_json::Value,
+    pub attempt_count: u32,
+    pub first_attempt_at: DateTime<Utc>,
+    pub last_attempt_at: DateTime<Utc>,
+    pub last_error: String,
+}
+
+#[derive(Debug, Clone)]
+pub struct DeadLetterRow {
+    pub id: DeadLetterId,
+    pub app_id: AppId,
+    pub original_event_id: Uuid,
+    pub source: String,
+    pub op: String,
+    pub trigger_id: Option<TriggerId>,
+    pub script_id: Option<ScriptId>,
+    pub payload: serde_json::Value,
+    pub attempt_count: u32,
+    pub first_attempt_at: DateTime<Utc>,
+    pub last_attempt_at: DateTime<Utc>,
+    pub last_error: String,
+    pub created_at: DateTime<Utc>,
+    pub resolved_at: Option<DateTime<Utc>>,
+    pub resolution: Option<String>,
+}
+
+#[async_trait]
+pub trait DeadLetterRepo: Send + Sync {
+    /// Insert a new dead-letter row. Returns the assigned id.
+    async fn insert(&self, row: NewDeadLetter) -> Result<DeadLetterId, DeadLetterRepoError>;
+
+    async fn get(&self, id: DeadLetterId) -> Result<Option<DeadLetterRow>, DeadLetterRepoError>;
+
+    /// Lookup for the dashboard list view. `unresolved_only=true`
+    /// filters to `resolved_at IS NULL`.
+    async fn list_for_app(
+        &self,
+        app_id: AppId,
+        unresolved_only: bool,
+        limit: i64,
+        offset: i64,
+    ) -> Result<Vec<DeadLetterRow>, DeadLetterRepoError>;
+
+    /// Hot path for the dashboard's per-app unresolved-count badge.
+    async fn unresolved_count(&self, app_id: AppId) -> Result<i64, DeadLetterRepoError>;
+
+    /// Mark the row resolved with the given reason. The reason MUST
+    /// be one of the four CHECK-constraint values
+    /// (`replayed`, `ignored`, `handled_by_script`, `handler_failed`).
+    async fn resolve(&self, id: DeadLetterId, reason: &str) -> Result<(), DeadLetterRepoError>;
+
+    /// Retention sweep. Deletes rows with `created_at < older_than`
+    /// up to `limit` at a time, using FOR UPDATE SKIP LOCKED to play
+    /// nicely with concurrent dispatchers. Returns the count deleted.
+    async fn gc(&self, older_than: DateTime<Utc>, limit: i64) -> Result<u64, DeadLetterRepoError>;
+}
+
+pub struct PostgresDeadLetterRepo {
+    pool: PgPool,
+}
+
+impl PostgresDeadLetterRepo {
+    #[must_use]
+    pub fn new(pool: PgPool) -> Self {
+        Self { pool }
+    }
+}
+
+const ALLOWED_RESOLUTIONS: &[&str] =
+    &["replayed", "ignored", "handled_by_script", "handler_failed"];
+
+#[async_trait]
+impl DeadLetterRepo for PostgresDeadLetterRepo {
+    async fn insert(&self, row: NewDeadLetter) -> Result<DeadLetterId, DeadLetterRepoError> {
+        let (id,): (Uuid,) = sqlx::query_as(
+            "INSERT INTO dead_letters ( \
+                app_id, original_event_id, source, op, trigger_id, script_id, \
+                payload, attempt_count, first_attempt_at, last_attempt_at, last_error \
+             ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11) \
+             RETURNING id",
+        )
+        .bind(row.app_id.into_inner())
+        .bind(row.original_event_id)
+        .bind(row.source)
+        .bind(row.op)
+        .bind(row.trigger_id.map(TriggerId::into_inner))
+        .bind(row.script_id.map(ScriptId::into_inner))
+        .bind(row.payload)
+        .bind(i32::try_from(row.attempt_count).unwrap_or(0))
+        .bind(row.first_attempt_at)
+        .bind(row.last_attempt_at)
+        .bind(row.last_error)
+        .fetch_one(&self.pool)
+        .await?;
+        Ok(id.into())
+    }
+
+    async fn get(&self, id: DeadLetterId) -> Result<Option<DeadLetterRow>, DeadLetterRepoError> {
+        let row: Option<DeadLetterRowRaw> = sqlx::query_as(
+            "SELECT id, app_id, original_event_id, source, op, trigger_id, script_id, \
+                    payload, attempt_count, first_attempt_at, last_attempt_at, \
+                    last_error, created_at, resolved_at, resolution \
+             FROM dead_letters WHERE id = $1",
+        )
+        .bind(id.into_inner())
+        .fetch_optional(&self.pool)
+        .await?;
+        Ok(row.map(DeadLetterRowRaw::into_row))
+    }
+
+    async fn list_for_app(
+        &self,
+        app_id: AppId,
+        unresolved_only: bool,
+        limit: i64,
+        offset: i64,
+    ) -> Result<Vec<DeadLetterRow>, DeadLetterRepoError> {
+        let rows: Vec<DeadLetterRowRaw> = sqlx::query_as(
+            "SELECT id, app_id, original_event_id, source, op, trigger_id, script_id, \
+                    payload, attempt_count, first_attempt_at, last_attempt_at, \
+                    last_error, created_at, resolved_at, resolution \
+             FROM dead_letters \
+             WHERE app_id = $1 \
+               AND ($2::bool = FALSE OR resolved_at IS NULL) \
+             ORDER BY created_at DESC \
+             LIMIT $3 OFFSET $4",
+        )
+        .bind(app_id.into_inner())
+        .bind(unresolved_only)
+        .bind(limit)
+        .bind(offset)
+        .fetch_all(&self.pool)
+        .await?;
+        Ok(rows.into_iter().map(DeadLetterRowRaw::into_row).collect())
+    }
+
+    async fn unresolved_count(&self, app_id: AppId) -> Result<i64, DeadLetterRepoError> {
+        let (count,): (i64,) = sqlx::query_as(
+            "SELECT COUNT(*) FROM dead_letters \
+             WHERE app_id = $1 AND resolved_at IS NULL",
+        )
+        .bind(app_id.into_inner())
+        .fetch_one(&self.pool)
+        .await?;
+        Ok(count)
+    }
+
+    async fn resolve(&self, id: DeadLetterId, reason: &str) -> Result<(), DeadLetterRepoError> {
+        if !ALLOWED_RESOLUTIONS.contains(&reason) {
+            return Err(DeadLetterRepoError::InvalidResolution(reason.to_string()));
+        }
+        let res = sqlx::query(
+            "UPDATE dead_letters \
+                SET resolution = $2, resolved_at = NOW() \
+                WHERE id = $1",
+        )
+        .bind(id.into_inner())
+        .bind(reason)
+        .execute(&self.pool)
+        .await?;
+        if res.rows_affected() == 0 {
+            return Err(DeadLetterRepoError::NotFound(id));
+        }
+        Ok(())
+    }
+
+    async fn gc(&self, older_than: DateTime<Utc>, limit: i64) -> Result<u64, DeadLetterRepoError> {
+        // Tombstones picked under FOR UPDATE SKIP LOCKED so concurrent
+        // sweepers (cluster mode) don't fight each other.
+        let res = sqlx::query(
+            "DELETE FROM dead_letters \
+                WHERE id IN ( \
+                    SELECT id FROM dead_letters \
+                    WHERE created_at < $1 \
+                    FOR UPDATE SKIP LOCKED \
+                    LIMIT $2 \
+                )",
+        )
+        .bind(older_than)
+        .bind(limit)
+        .execute(&self.pool)
+        .await?;
+        Ok(res.rows_affected())
+    }
+}
+
+#[derive(sqlx::FromRow)]
+struct DeadLetterRowRaw {
+    id: Uuid,
+    app_id: Uuid,
+    original_event_id: Uuid,
+    source: String,
+    op: String,
+    trigger_id: Option<Uuid>,
+    script_id: Option<Uuid>,
+    payload: serde_json::Value,
+    attempt_count: i32,
+    first_attempt_at: DateTime<Utc>,
+    last_attempt_at: DateTime<Utc>,
+    last_error: String,
+    created_at: DateTime<Utc>,
+    resolved_at: Option<DateTime<Utc>>,
+    resolution: Option<String>,
+}
+
+impl DeadLetterRowRaw {
+    fn into_row(self) -> DeadLetterRow {
+        DeadLetterRow {
+            id: self.id.into(),
+            app_id: self.app_id.into(),
+            original_event_id: self.original_event_id,
+            source: self.source,
+            op: self.op,
+            trigger_id: self.trigger_id.map(Into::into),
+            script_id: self.script_id.map(Into::into),
+            payload: self.payload,
+            attempt_count: u32::try_from(self.attempt_count).unwrap_or(0),
+            first_attempt_at: self.first_attempt_at,
+            last_attempt_at: self.last_attempt_at,
+            last_error: self.last_error,
+            created_at: self.created_at,
+            resolved_at: self.resolved_at,
+            resolution: self.resolution,
+        }
+    }
+}

crates/manager-core/src/dead_letter_service.rs

@@ -0,0 +1,118 @@
+//! `PostgresDeadLetterService` — replaces `NoopDeadLetterService` in
+//! v1.1.1's `Services` bundle. Implements `replay` (re-enqueue the
+//! original event into the outbox + mark the DL row replayed) and
+//! `resolve` (close the row out with a reason).
+//!
+//! Both methods are gated by `Capability::AppDeadLetterManage(AppId)`
+//! evaluated against `cx.principal`. Public-HTTP scripts with
+//! `principal: None` fail the check — design notes §4: managing
+//! dead letters is an admin act.
+
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use picloud_shared::{DeadLetterError, DeadLetterId, DeadLetterService, SdkCallCx};
+
+use crate::authz::{self, AuthzRepo, Capability};
+use crate::dead_letter_repo::{DeadLetterRepo, DeadLetterRepoError, DeadLetterRow};
+use crate::outbox_repo::{NewOutboxRow, OutboxRepo, OutboxSourceKind};
+
+pub struct PostgresDeadLetterService {
+    repo: Arc<dyn DeadLetterRepo>,
+    outbox: Arc<dyn OutboxRepo>,
+    authz: Arc<dyn AuthzRepo>,
+}
+
+impl PostgresDeadLetterService {
+    #[must_use]
+    pub fn new(
+        repo: Arc<dyn DeadLetterRepo>,
+        outbox: Arc<dyn OutboxRepo>,
+        authz: Arc<dyn AuthzRepo>,
+    ) -> Self {
+        Self {
+            repo,
+            outbox,
+            authz,
+        }
+    }
+
+    async fn require_dl_capability(&self, cx: &SdkCallCx) -> Result<(), DeadLetterError> {
+        let Some(ref principal) = cx.principal else {
+            return Err(DeadLetterError::Forbidden);
+        };
+        authz::require(
+            &*self.authz,
+            principal,
+            Capability::AppDeadLetterManage(cx.app_id),
+        )
+        .await
+        .map_err(|_| DeadLetterError::Forbidden)
+    }
+
+    async fn load_row(&self, id: DeadLetterId) -> Result<DeadLetterRow, DeadLetterError> {
+        self.repo
+            .get(id)
+            .await
+            .map_err(map_repo_err)?
+            .ok_or(DeadLetterError::NotFound)
+    }
+}
+
+#[async_trait]
+impl DeadLetterService for PostgresDeadLetterService {
+    async fn replay(&self, cx: &SdkCallCx, id: DeadLetterId) -> Result<(), DeadLetterError> {
+        self.require_dl_capability(cx).await?;
+        let row = self.load_row(id).await?;
+        if row.app_id != cx.app_id {
+            // Cross-app — treat as not-found to avoid leaking
+            // information about other apps' dead letters.
+            return Err(DeadLetterError::NotFound);
+        }
+
+        let source_kind = OutboxSourceKind::from_wire(&row.source).unwrap_or(OutboxSourceKind::Kv);
+        self.outbox
+            .insert(NewOutboxRow {
+                app_id: row.app_id,
+                source_kind,
+                trigger_id: row.trigger_id,
+                script_id: row.script_id,
+                reply_to: None,
+                payload: row.payload.clone(),
+                origin_principal: None,
+                trigger_depth: 0,
+                root_execution_id: None,
+            })
+            .await
+            .map_err(|e| DeadLetterError::Backend(e.to_string()))?;
+
+        self.repo
+            .resolve(id, "replayed")
+            .await
+            .map_err(map_repo_err)?;
+        Ok(())
+    }
+
+    async fn resolve(
+        &self,
+        cx: &SdkCallCx,
+        id: DeadLetterId,
+        reason: &str,
+    ) -> Result<(), DeadLetterError> {
+        self.require_dl_capability(cx).await?;
+        let row = self.load_row(id).await?;
+        if row.app_id != cx.app_id {
+            return Err(DeadLetterError::NotFound);
+        }
+        self.repo.resolve(id, reason).await.map_err(map_repo_err)?;
+        Ok(())
+    }
+}
+
+fn map_repo_err(e: DeadLetterRepoError) -> DeadLetterError {
+    match e {
+        DeadLetterRepoError::NotFound(_) => DeadLetterError::NotFound,
+        DeadLetterRepoError::InvalidResolution(s) => DeadLetterError::InvalidResolution(s),
+        DeadLetterRepoError::Db(e) => DeadLetterError::Backend(e.to_string()),
+    }
+}

crates/manager-core/src/dead_letters_api.rs

@@ -0,0 +1,319 @@
+//! `/api/v1/admin/apps/{id}/dead_letters/*` — dashboard surface for
+//! the no-default-handler model (design notes §4).
+//!
+//! Endpoints:
+//! - `GET    /apps/{id}/dead_letters?unresolved=true` — list view
+//! - `GET    /apps/{id}/dead_letters/count`           — badge count
+//! - `GET    /apps/{id}/dead_letters/{dl_id}`         — row detail
+//! - `POST   /apps/{id}/dead_letters/{dl_id}/replay`  — re-enqueue
+//! - `POST   /apps/{id}/dead_letters/{dl_id}/resolve` — mark resolved
+//!
+//! All gated on `Capability::AppDeadLetterManage(app_id)`.
+
+use std::sync::Arc;
+
+use axum::extract::{Path, Query, State};
+use axum::http::StatusCode;
+use axum::response::{IntoResponse, Json, Response};
+use axum::routing::{get, post};
+use axum::{Extension, Router};
+use picloud_shared::{AppId, DeadLetterId, DeadLetterService, Principal, SdkCallCx};
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+
+use crate::app_repo::AppRepository;
+use crate::authz::{require, AuthzDenied, AuthzError, AuthzRepo, Capability};
+use crate::dead_letter_repo::{DeadLetterRepo, DeadLetterRepoError, DeadLetterRow};
+
+#[derive(Clone)]
+pub struct DeadLettersState {
+    pub repo: Arc<dyn DeadLetterRepo>,
+    pub service: Arc<dyn DeadLetterService>,
+    pub apps: Arc<dyn AppRepository>,
+    pub authz: Arc<dyn AuthzRepo>,
+}
+
+pub fn dead_letters_router(state: DeadLettersState) -> Router {
+    Router::new()
+        .route("/apps/{app_id}/dead_letters", get(list))
+        .route("/apps/{app_id}/dead_letters/count", get(count))
+        .route("/apps/{app_id}/dead_letters/{dl_id}", get(detail))
+        .route("/apps/{app_id}/dead_letters/{dl_id}/replay", post(replay))
+        .route("/apps/{app_id}/dead_letters/{dl_id}/resolve", post(resolve))
+        .with_state(state)
+}
+
+#[derive(Debug, Deserialize)]
+pub struct ListQuery {
+    #[serde(default)]
+    pub unresolved: bool,
+    #[serde(default = "default_limit")]
+    pub limit: i64,
+    #[serde(default)]
+    pub offset: i64,
+}
+
+const fn default_limit() -> i64 {
+    50
+}
+
+#[derive(Debug, Serialize)]
+pub struct ListResponse {
+    pub dead_letters: Vec<DeadLetterDto>,
+}
+
+#[derive(Debug, Serialize)]
+pub struct CountResponse {
+    pub unresolved: i64,
+}
+
+#[derive(Debug, Deserialize)]
+pub struct ResolveBody {
+    pub reason: String,
+}
+
+#[derive(Debug, Serialize)]
+pub struct DeadLetterDto {
+    pub id: DeadLetterId,
+    pub app_id: AppId,
+    pub source: String,
+    pub op: String,
+    pub trigger_id: Option<picloud_shared::TriggerId>,
+    pub script_id: Option<picloud_shared::ScriptId>,
+    pub payload: serde_json::Value,
+    pub attempt_count: u32,
+    pub first_attempt_at: chrono::DateTime<chrono::Utc>,
+    pub last_attempt_at: chrono::DateTime<chrono::Utc>,
+    pub last_error: String,
+    pub created_at: chrono::DateTime<chrono::Utc>,
+    pub resolved_at: Option<chrono::DateTime<chrono::Utc>>,
+    pub resolution: Option<String>,
+}
+
+impl From<DeadLetterRow> for DeadLetterDto {
+    fn from(r: DeadLetterRow) -> Self {
+        Self {
+            id: r.id,
+            app_id: r.app_id,
+            source: r.source,
+            op: r.op,
+            trigger_id: r.trigger_id,
+            script_id: r.script_id,
+            payload: r.payload,
+            attempt_count: r.attempt_count,
+            first_attempt_at: r.first_attempt_at,
+            last_attempt_at: r.last_attempt_at,
+            last_error: r.last_error,
+            created_at: r.created_at,
+            resolved_at: r.resolved_at,
+            resolution: r.resolution,
+        }
+    }
+}
+
+async fn list(
+    State(s): State<DeadLettersState>,
+    Extension(principal): Extension<Principal>,
+    Path(app_id): Path<AppId>,
+    Query(q): Query<ListQuery>,
+) -> Result<Json<ListResponse>, DeadLettersApiError> {
+    ensure_app(&*s.apps, app_id).await?;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppDeadLetterManage(app_id),
+    )
+    .await?;
+    let rows = s
+        .repo
+        .list_for_app(app_id, q.unresolved, q.limit.clamp(1, 200), q.offset.max(0))
+        .await?;
+    Ok(Json(ListResponse {
+        dead_letters: rows.into_iter().map(Into::into).collect(),
+    }))
+}
+
+async fn count(
+    State(s): State<DeadLettersState>,
+    Extension(principal): Extension<Principal>,
+    Path(app_id): Path<AppId>,
+) -> Result<Json<CountResponse>, DeadLettersApiError> {
+    ensure_app(&*s.apps, app_id).await?;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppDeadLetterManage(app_id),
+    )
+    .await?;
+    let n = s.repo.unresolved_count(app_id).await?;
+    Ok(Json(CountResponse { unresolved: n }))
+}
+
+async fn detail(
+    State(s): State<DeadLettersState>,
+    Extension(principal): Extension<Principal>,
+    Path((app_id, dl_id)): Path<(AppId, DeadLetterId)>,
+) -> Result<Json<DeadLetterDto>, DeadLettersApiError> {
+    ensure_app(&*s.apps, app_id).await?;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppDeadLetterManage(app_id),
+    )
+    .await?;
+    let row = s
+        .repo
+        .get(dl_id)
+        .await?
+        .ok_or(DeadLettersApiError::NotFound(dl_id))?;
+    if row.app_id != app_id {
+        return Err(DeadLettersApiError::NotFound(dl_id));
+    }
+    Ok(Json(row.into()))
+}
+
+async fn replay(
+    State(s): State<DeadLettersState>,
+    Extension(principal): Extension<Principal>,
+    Path((app_id, dl_id)): Path<(AppId, DeadLetterId)>,
+) -> Result<StatusCode, DeadLettersApiError> {
+    ensure_app(&*s.apps, app_id).await?;
+    // Authz handled inside the service via SdkCallCx.
+    let cx = admin_cx(app_id, &principal);
+    s.service
+        .replay(&cx, dl_id)
+        .await
+        .map_err(map_service_err)?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+async fn resolve(
+    State(s): State<DeadLettersState>,
+    Extension(principal): Extension<Principal>,
+    Path((app_id, dl_id)): Path<(AppId, DeadLetterId)>,
+    Json(body): Json<ResolveBody>,
+) -> Result<StatusCode, DeadLettersApiError> {
+    ensure_app(&*s.apps, app_id).await?;
+    let cx = admin_cx(app_id, &principal);
+    s.service
+        .resolve(&cx, dl_id, &body.reason)
+        .await
+        .map_err(map_service_err)?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+/// Synthesize an `SdkCallCx` for the admin path. The service layer
+/// reads `cx.app_id` + `cx.principal` and ignores the trigger /
+/// execution fields, so the per-call ids are arbitrary.
+fn admin_cx(app_id: AppId, principal: &Principal) -> SdkCallCx {
+    SdkCallCx {
+        app_id,
+        // Admin-plane cx (dead-letter replay/resolve) — no script is
+        // executing, so this attribution id is a fresh sentinel.
+        script_id: picloud_shared::ScriptId::new(),
+        principal: Some(principal.clone()),
+        execution_id: picloud_shared::ExecutionId::new(),
+        request_id: picloud_shared::RequestId::new(),
+        trigger_depth: 0,
+        root_execution_id: picloud_shared::ExecutionId::new(),
+        is_dead_letter_handler: false,
+        event: None,
+    }
+}
+
+async fn ensure_app(apps: &dyn AppRepository, app_id: AppId) -> Result<(), DeadLettersApiError> {
+    apps.get_by_id(app_id)
+        .await
+        .map_err(|e| DeadLettersApiError::Backend(e.to_string()))?
+        .ok_or_else(|| DeadLettersApiError::AppNotFound(app_id.to_string()))?;
+    Ok(())
+}
+
+fn map_service_err(e: picloud_shared::DeadLetterError) -> DeadLettersApiError {
+    match e {
+        picloud_shared::DeadLetterError::NotFound => {
+            DeadLettersApiError::NotFound(DeadLetterId::new())
+        }
+        picloud_shared::DeadLetterError::Forbidden => DeadLettersApiError::Forbidden,
+        picloud_shared::DeadLetterError::InvalidResolution(s) => {
+            DeadLettersApiError::Invalid(format!("invalid resolution: {s}"))
+        }
+        picloud_shared::DeadLetterError::Backend(s) => DeadLettersApiError::Backend(s),
+    }
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum DeadLettersApiError {
+    #[error("app not found: {0}")]
+    AppNotFound(String),
+
+    #[error("dead-letter not found: {0}")]
+    NotFound(DeadLetterId),
+
+    #[error("invalid: {0}")]
+    Invalid(String),
+
+    #[error("forbidden")]
+    Forbidden,
+
+    #[error("authorization repo error: {0}")]
+    AuthzRepo(String),
+
+    #[error("dead-letter backend: {0}")]
+    Backend(String),
+}
+
+impl From<AuthzDenied> for DeadLettersApiError {
+    fn from(d: AuthzDenied) -> Self {
+        match d {
+            AuthzDenied::Denied => Self::Forbidden,
+            AuthzDenied::Repo(e) => Self::AuthzRepo(e.to_string()),
+        }
+    }
+}
+
+impl From<AuthzError> for DeadLettersApiError {
+    fn from(e: AuthzError) -> Self {
+        Self::AuthzRepo(e.to_string())
+    }
+}
+
+impl From<DeadLetterRepoError> for DeadLettersApiError {
+    fn from(e: DeadLetterRepoError) -> Self {
+        match e {
+            DeadLetterRepoError::NotFound(id) => Self::NotFound(id),
+            DeadLetterRepoError::InvalidResolution(s) => Self::Invalid(s),
+            DeadLetterRepoError::Db(e) => Self::Backend(e.to_string()),
+        }
+    }
+}
+
+impl IntoResponse for DeadLettersApiError {
+    fn into_response(self) -> Response {
+        let (status, body) = match &self {
+            Self::AppNotFound(_) | Self::NotFound(_) => {
+                (StatusCode::NOT_FOUND, json!({ "error": self.to_string() }))
+            }
+            Self::Invalid(_) => (
+                StatusCode::UNPROCESSABLE_ENTITY,
+                json!({ "error": self.to_string() }),
+            ),
+            Self::Forbidden => (StatusCode::FORBIDDEN, json!({ "error": self.to_string() })),
+            Self::AuthzRepo(e) => {
+                tracing::error!(error = %e, "dead_letters authz repo error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    json!({ "error": "internal error" }),
+                )
+            }
+            Self::Backend(e) => {
+                tracing::error!(error = %e, "dead_letters api backend error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    json!({ "error": "internal error" }),
+                )
+            }
+        };
+        (status, Json(body)).into_response()
+    }
+}

crates/manager-core/src/dispatcher.rs

@@ -0,0 +1,701 @@
+//! The triggers-framework dispatcher.
+//!
+//! Single tokio task that polls the outbox, claims due rows
+//! (`FOR UPDATE SKIP LOCKED`), and routes each to the executor.
+//! Shares the `ExecutionGate` with sync HTTP — they compete for the
+//! same permit budget, matching design notes §2.
+//!
+//! Outcome handling per design notes §3 and §4:
+//!   - reply_to.is_some() (sync HTTP): never retry. Deliver to inbox
+//!     (or write `abandoned_executions` if the receiver dropped).
+//!   - is_dead_letter_handler == true: never retry, never DL. Failure
+//!     just annotates the original DL row with `resolution =
+//!     'handler_failed'` and bumps a metric.
+//!   - Otherwise on failure: if `attempt_count + 1 < max_attempts`,
+//!     reschedule with backoff + jitter. Else, write a `dead_letters`
+//!     row and delete from outbox.
+//!
+//! Depth-limit: `trigger_depth > max_trigger_depth` skips execution
+//! entirely (log + metric) and deletes the row — does NOT dead-letter
+//! (design notes §4: depth-exceeded means "you built a loop", and
+//! dead-lettering would just re-fire the same loop).
+
+use std::sync::Arc;
+use std::time::Duration;
+
+use chrono::Utc;
+use picloud_executor_core::{ExecError, ExecRequest, ExecResponse, InvocationType};
+use picloud_orchestrator_core::{ExecutionGate, ExecutorClient};
+use picloud_shared::{
+    ExecResponseSummary, ExecutionId, HttpDispatchPayload, InboxDeliveryOutcome, InboxFailureKind,
+    InboxResolver, InboxResult, RequestId, ScriptId, ScriptSandbox, TriggerEvent,
+};
+use rand::Rng;
+use uuid::Uuid;
+
+use crate::abandoned_repo::{AbandonedRepo, NewAbandonedExecution};
+use crate::dead_letter_repo::{DeadLetterRepo, NewDeadLetter};
+use crate::outbox_repo::{OutboxRepo, OutboxRow, OutboxSourceKind};
+use crate::principal_resolver::PrincipalResolver;
+use crate::repo::ScriptRepository;
+use crate::trigger_config::{BackoffShape, TriggerConfig};
+use crate::trigger_repo::{TriggerKind, TriggerRepo};
+
+/// Bundle the dispatcher reads from. Each handle is `Arc<dyn …>` so
+/// tests can substitute in-memory backings.
+pub struct Dispatcher {
+    pub outbox: Arc<dyn OutboxRepo>,
+    pub triggers: Arc<dyn TriggerRepo>,
+    pub scripts: Arc<dyn ScriptRepository>,
+    pub dead_letters: Arc<dyn DeadLetterRepo>,
+    pub abandoned: Arc<dyn AbandonedRepo>,
+    pub principals: Arc<dyn PrincipalResolver>,
+    pub executor: Arc<dyn ExecutorClient>,
+    pub gate: Arc<ExecutionGate>,
+    pub inbox: Arc<dyn InboxResolver>,
+    pub config: TriggerConfig,
+    /// Stable id for this dispatcher instance — written into
+    /// `outbox.claimed_by` for forensics. In MVP this is the host's
+    /// pid; cluster mode (v1.3+) uses node identity.
+    pub instance_id: String,
+}
+
+/// How many outbox rows the dispatcher tries to claim per tick.
+/// Bounded to keep the working set small even if there's a flood.
+const CLAIM_BATCH: i64 = 8;
+
+/// Polling cadence. Short enough that fan-out feels instant; long
+/// enough that an idle dispatcher doesn't burn cycles.
+const TICK_INTERVAL: Duration = Duration::from_millis(100);
+
+/// Hard cap on the wall-clock budget passed to the executor for an
+/// async-dispatched script. Sync HTTP gets a per-script timeout via
+/// the orchestrator path; async rows don't have one, so we apply a
+/// platform-wide ceiling here. Matches `LocalExecutorClient`'s own
+/// 5-minute cap.
+const ASYNC_EXEC_TIMEOUT: Duration = Duration::from_secs(300);
+
+impl Dispatcher {
+    /// Spawn the dispatcher loop as a detached `tokio::task`. The
+    /// returned `JoinHandle` is dropped — the loop runs for the
+    /// process lifetime.
+    pub fn spawn(self) {
+        tokio::spawn(async move {
+            self.run().await;
+        });
+    }
+
+    async fn run(self) {
+        let mut ticker = tokio::time::interval(TICK_INTERVAL);
+        // Skip the immediate first fire so we don't race startup.
+        ticker.tick().await;
+        loop {
+            ticker.tick().await;
+            if let Err(err) = self.tick().await {
+                tracing::warn!(?err, "dispatcher tick errored");
+            }
+        }
+    }
+
+    async fn tick(&self) -> Result<(), DispatcherError> {
+        // Cheap gate sample so we don't claim rows we can't dispatch.
+        // The exact permit budget is reapplied per-row below.
+        let rows = self
+            .outbox
+            .claim_due(&self.instance_id, CLAIM_BATCH)
+            .await
+            .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+        if rows.is_empty() {
+            return Ok(());
+        }
+        for row in rows {
+            // Process serially within a tick — the outer ticker is the
+            // pacing mechanism. Concurrent dispatchers are a cluster-
+            // mode concern; v1.1.1 MVP has one.
+            if let Err(err) = self.dispatch_one(row).await {
+                tracing::warn!(?err, "dispatch one errored");
+            }
+        }
+        Ok(())
+    }
+
+    async fn dispatch_one(&self, row: OutboxRow) -> Result<(), DispatcherError> {
+        // Depth-limit check — design notes §4: loops aren't DL'd.
+        if row.trigger_depth > self.config.max_trigger_depth {
+            tracing::warn!(
+                outbox_id = %row.id,
+                app_id = %row.app_id,
+                trigger_depth = row.trigger_depth,
+                "trigger depth exceeded; dropping row"
+            );
+            // TODO(metrics): bump `picloud_trigger_depth_exceeded{app_id,trigger_id}`.
+            self.outbox
+                .delete(row.id)
+                .await
+                .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+            return Ok(());
+        }
+
+        // Gate admission — non-blocking. If the gate is saturated,
+        // release the claim by rescheduling so another tick can pick
+        // it up. The row stays "due" essentially immediately.
+        let Ok(permit) = self.gate.try_acquire() else {
+            let next = Utc::now() + chrono::Duration::milliseconds(100);
+            self.outbox
+                .reschedule(row.id, row.attempt_count, next)
+                .await
+                .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+            return Ok(());
+        };
+
+        // Resolve the trigger config (KV / DL) or pull the HTTP
+        // payload directly off the outbox row.
+        let (resolved, exec_req) = match row.source_kind {
+            OutboxSourceKind::Http => match self.build_http_request(&row).await {
+                Ok(pair) => pair,
+                Err(err) => {
+                    tracing::warn!(outbox_id = %row.id, ?err, "http exec build failed; dropping");
+                    self.outbox
+                        .delete(row.id)
+                        .await
+                        .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+                    drop(permit);
+                    return Ok(());
+                }
+            },
+            OutboxSourceKind::Kv
+            | OutboxSourceKind::Docs
+            | OutboxSourceKind::DeadLetter
+            | OutboxSourceKind::Cron
+            | OutboxSourceKind::Files
+            | OutboxSourceKind::Pubsub => {
+                let resolved = self.resolve_trigger(&row).await?;
+                let req = match self.build_exec_request(&row, &resolved).await {
+                    Ok(req) => req,
+                    Err(err) => {
+                        tracing::warn!(outbox_id = %row.id, ?err, "exec request build failed; dropping row");
+                        self.outbox
+                            .delete(row.id)
+                            .await
+                            .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+                        drop(permit);
+                        return Ok(());
+                    }
+                };
+                (resolved, req)
+            }
+        };
+
+        // The gate permit auto-releases when this scope ends or when
+        // the executor finishes. We hand control to the executor and
+        // wait synchronously here — sync HTTP and dispatcher share the
+        // semaphore so this is intentional.
+        let source = resolved.script_source.clone();
+        let identity = picloud_orchestrator_core::ScriptIdentity {
+            script_id: resolved.script_id,
+            updated_at: resolved.script_updated_at,
+        };
+        let outcome = self
+            .executor
+            .execute_with_identity(identity, &source, exec_req, ASYNC_EXEC_TIMEOUT)
+            .await;
+        drop(permit);
+
+        match outcome {
+            Ok(resp) => self.handle_success(&row, &resolved, resp).await,
+            Err(err) => self.handle_failure(&row, &resolved, err).await,
+        }
+    }
+
+    async fn resolve_trigger(&self, row: &OutboxRow) -> Result<ResolvedTrigger, DispatcherError> {
+        // For KV and DL kinds, the outbox carries `trigger_id`. Use it
+        // to look up the trigger row, then resolve the script.
+        let Some(trigger_id) = row.trigger_id else {
+            return Err(DispatcherError::ResolveTrigger(
+                "outbox row missing trigger_id".into(),
+            ));
+        };
+        let trigger = self
+            .triggers
+            .get(trigger_id)
+            .await
+            .map_err(|e| DispatcherError::ResolveTrigger(e.to_string()))?
+            .ok_or_else(|| {
+                DispatcherError::ResolveTrigger(format!("trigger {trigger_id} not found"))
+            })?;
+
+        let script = self
+            .scripts
+            .get(trigger.script_id)
+            .await
+            .map_err(|e| DispatcherError::ResolveTrigger(e.to_string()))?
+            .ok_or_else(|| {
+                DispatcherError::ResolveTrigger(format!("script {} not found", trigger.script_id))
+            })?;
+
+        Ok(ResolvedTrigger {
+            trigger_kind: trigger.kind,
+            is_dead_letter_handler: matches!(trigger.kind, TriggerKind::DeadLetter),
+            script_id: script.id,
+            script_source: script.source,
+            script_name: script.name,
+            script_updated_at: script.updated_at,
+            sandbox_overrides: script.sandbox,
+            registered_by_principal: trigger.registered_by_principal,
+            retry_max_attempts: trigger.retry_max_attempts,
+            retry_backoff: trigger.retry_backoff,
+            retry_base_ms: trigger.retry_base_ms,
+        })
+    }
+
+    async fn build_exec_request(
+        &self,
+        row: &OutboxRow,
+        resolved: &ResolvedTrigger,
+    ) -> Result<ExecRequest, DispatcherError> {
+        let trigger_event: TriggerEvent = serde_json::from_value(row.payload.clone())
+            .map_err(|e| DispatcherError::ResolveTrigger(format!("decode payload: {e}")))?;
+
+        let principal = self
+            .principals
+            .resolve(resolved.registered_by_principal)
+            .await
+            .map_err(|e| DispatcherError::ResolveTrigger(e.to_string()))?;
+
+        let execution_id = ExecutionId::new();
+        Ok(ExecRequest {
+            execution_id,
+            request_id: RequestId::new(),
+            script_id: resolved.script_id,
+            script_name: resolved.script_name.clone(),
+            invocation_type: InvocationType::Function,
+            path: format!("/trigger/{}", trigger_event.source()),
+            headers: std::collections::BTreeMap::new(),
+            body: serde_json::Value::Null,
+            params: std::collections::BTreeMap::new(),
+            query: std::collections::BTreeMap::new(),
+            rest: String::new(),
+            sandbox_overrides: resolved.sandbox_overrides,
+            app_id: row.app_id,
+            principal: Some(principal),
+            trigger_depth: row.trigger_depth,
+            root_execution_id: row.root_execution_id.unwrap_or(execution_id),
+            is_dead_letter_handler: resolved.is_dead_letter_handler,
+            event: Some(trigger_event),
+        })
+    }
+
+    /// Build an `(ResolvedTrigger, ExecRequest)` for an HTTP outbox
+    /// row. HTTP rows don't have a backing `triggers` row (the
+    /// `trigger_id` references `routes.id` instead). We pull the
+    /// script id off the outbox row, the request shape off the
+    /// payload, and synthesize a `ResolvedTrigger` with retry
+    /// settings irrelevant for HTTP (sync HTTP is never retried;
+    /// async HTTP uses default policy from `TriggerConfig`).
+    async fn build_http_request(
+        &self,
+        row: &OutboxRow,
+    ) -> Result<(ResolvedTrigger, ExecRequest), DispatcherError> {
+        let Some(script_id) = row.script_id else {
+            return Err(DispatcherError::ResolveTrigger(
+                "HTTP outbox row missing script_id".into(),
+            ));
+        };
+        let script = self
+            .scripts
+            .get(script_id)
+            .await
+            .map_err(|e| DispatcherError::ResolveTrigger(e.to_string()))?
+            .ok_or_else(|| {
+                DispatcherError::ResolveTrigger(format!("script {script_id} not found"))
+            })?;
+
+        let payload: HttpDispatchPayload = serde_json::from_value(row.payload.clone())
+            .map_err(|e| DispatcherError::ResolveTrigger(format!("decode http payload: {e}")))?;
+
+        let execution_id = ExecutionId::new();
+        let req = ExecRequest {
+            execution_id,
+            request_id: RequestId::new(),
+            script_id,
+            script_name: payload.script_name.clone(),
+            invocation_type: InvocationType::Http,
+            path: payload.path.clone(),
+            headers: payload.headers,
+            body: payload.body,
+            params: payload.params,
+            query: payload.query,
+            rest: payload.rest,
+            sandbox_overrides: script.sandbox,
+            app_id: row.app_id,
+            // HTTP outbox rows don't run as the trigger registrant —
+            // they run with no principal (public ingress) or the
+            // attached one (origin_principal forensic field is not
+            // promoted to execution principal in this MVP).
+            principal: None,
+            trigger_depth: row.trigger_depth,
+            root_execution_id: row.root_execution_id.unwrap_or(execution_id),
+            is_dead_letter_handler: false,
+            event: None,
+        };
+
+        let resolved = ResolvedTrigger {
+            trigger_kind: TriggerKind::Kv, // placeholder; HTTP doesn't have a kind
+            is_dead_letter_handler: false,
+            script_id,
+            script_source: script.source,
+            script_name: payload.script_name,
+            script_updated_at: script.updated_at,
+            sandbox_overrides: script.sandbox,
+            // HTTP outbox rows don't carry a registered_by_principal
+            // — use a sentinel zero UUID since this field isn't used
+            // downstream for HTTP (no retries, no inbox principal).
+            registered_by_principal: picloud_shared::AdminUserId::from(uuid::Uuid::nil()),
+            // Async HTTP uses the platform default retry policy from
+            // TriggerConfig. Sync HTTP (reply_to.is_some) never retries
+            // regardless.
+            retry_max_attempts: self.config.retry_max_attempts,
+            retry_backoff: self.config.retry_backoff,
+            retry_base_ms: self.config.retry_base_ms,
+        };
+        Ok((resolved, req))
+    }
+
+    async fn handle_success(
+        &self,
+        row: &OutboxRow,
+        _resolved: &ResolvedTrigger,
+        resp: ExecResponse,
+    ) -> Result<(), DispatcherError> {
+        if let Some(inbox_id) = row.reply_to {
+            self.deliver_inbox(row, inbox_id, InboxResult::Success(summarize(&resp)))
+                .await;
+        }
+        self.outbox
+            .delete(row.id)
+            .await
+            .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+        Ok(())
+    }
+
+    async fn handle_failure(
+        &self,
+        row: &OutboxRow,
+        resolved: &ResolvedTrigger,
+        err: ExecError,
+    ) -> Result<(), DispatcherError> {
+        // Sync HTTP: always single-attempt. Always deliver outcome
+        // (success-or-failure) to the inbox. Never retry, never DL.
+        if let Some(inbox_id) = row.reply_to {
+            let (kind, message) = classify_exec_error(&err);
+            self.deliver_inbox(
+                row,
+                inbox_id,
+                InboxResult::Failure {
+                    kind,
+                    message: message.clone(),
+                },
+            )
+            .await;
+            self.outbox
+                .delete(row.id)
+                .await
+                .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+            return Ok(());
+        }
+
+        // Dead-letter handler: never retry, never DL. Failure
+        // annotates the original DL row + bumps a metric.
+        if resolved.is_dead_letter_handler {
+            tracing::error!(
+                outbox_id = %row.id,
+                app_id = %row.app_id,
+                ?err,
+                "dead-letter handler failed; not retrying"
+            );
+            // TODO(metrics): bump `picloud_dead_letter_handler_failures{app_id}`.
+            // Annotate the original DL row (id is `row.payload.dead_letter.id`
+            // when the payload is a DeadLetter TriggerEvent). Best-effort:
+            // if the payload doesn't decode, just log and move on.
+            if let Ok(TriggerEvent::DeadLetter { dead_letter_id, .. }) =
+                serde_json::from_value::<TriggerEvent>(row.payload.clone())
+            {
+                if let Err(e) = self
+                    .dead_letters
+                    .resolve(dead_letter_id, "handler_failed")
+                    .await
+                {
+                    tracing::warn!(?e, "could not annotate DL row as handler_failed");
+                }
+            }
+            self.outbox
+                .delete(row.id)
+                .await
+                .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+            return Ok(());
+        }
+
+        // Async event: retry per policy, then dead-letter.
+        let attempt = row.attempt_count + 1;
+        if attempt < resolved.retry_max_attempts {
+            let delay = compute_backoff(
+                attempt,
+                resolved.retry_backoff,
+                resolved.retry_base_ms,
+                self.config.retry_jitter_pct,
+            );
+            let next = Utc::now() + chrono::Duration::milliseconds(i64::from(delay));
+            tracing::info!(
+                outbox_id = %row.id,
+                attempt,
+                max_attempts = resolved.retry_max_attempts,
+                retry_in_ms = delay,
+                "rescheduling outbox row"
+            );
+            self.outbox
+                .reschedule(row.id, attempt, next)
+                .await
+                .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+            return Ok(());
+        }
+
+        // Exhausted retries → dead-letter.
+        let (op, source) = describe_event(&row.payload);
+        let now = Utc::now();
+        if let Err(e) = self
+            .dead_letters
+            .insert(NewDeadLetter {
+                app_id: row.app_id,
+                original_event_id: row.id,
+                source,
+                op,
+                trigger_id: row.trigger_id,
+                script_id: Some(resolved.script_id),
+                payload: row.payload.clone(),
+                attempt_count: attempt,
+                first_attempt_at: row.created_at,
+                last_attempt_at: now,
+                last_error: err.to_string(),
+            })
+            .await
+        {
+            tracing::error!(?e, "failed to write dead-letter row");
+        }
+        self.outbox
+            .delete(row.id)
+            .await
+            .map_err(|e| DispatcherError::Outbox(e.to_string()))?;
+        Ok(())
+    }
+
+    async fn deliver_inbox(&self, row: &OutboxRow, inbox_id: Uuid, result: InboxResult) {
+        match self.inbox.deliver(inbox_id, result.clone()).await {
+            InboxDeliveryOutcome::Delivered => {}
+            InboxDeliveryOutcome::Abandoned => {
+                // Receiver was dropped — record forensic row + bump
+                // metric.
+                let (status_code, summary) = match &result {
+                    InboxResult::Success(s) => (s.status_code, None),
+                    InboxResult::Failure { kind, message } => {
+                        (failure_kind_to_status(*kind), Some(message.clone()))
+                    }
+                };
+                if let Err(e) = self
+                    .abandoned
+                    .insert(NewAbandonedExecution {
+                        app_id: row.app_id,
+                        outbox_id: row.id,
+                        script_id: row.script_id,
+                        inbox_id,
+                        status_code,
+                        result_summary: summary,
+                    })
+                    .await
+                {
+                    tracing::warn!(?e, "abandoned_executions insert failed");
+                }
+                // TODO(metrics): bump `picloud_abandoned_executions_total{app_id}`.
+            }
+        }
+    }
+}
+
+#[derive(Debug)]
+pub struct ResolvedTrigger {
+    pub trigger_kind: TriggerKind,
+    pub is_dead_letter_handler: bool,
+    pub script_id: ScriptId,
+    pub script_source: String,
+    pub script_name: String,
+    /// v1.1.3: freshness comparator for the orchestrator's top-level
+    /// script cache. The dispatcher hands `(script_id, updated_at)`
+    /// in alongside the source so cached ASTs can be reused across
+    /// triggered invocations.
+    pub script_updated_at: chrono::DateTime<chrono::Utc>,
+    pub sandbox_overrides: ScriptSandbox,
+    pub registered_by_principal: picloud_shared::AdminUserId,
+    pub retry_max_attempts: u32,
+    pub retry_backoff: BackoffShape,
+    pub retry_base_ms: u32,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum DispatcherError {
+    #[error("outbox: {0}")]
+    Outbox(String),
+    #[error("resolve trigger: {0}")]
+    ResolveTrigger(String),
+}
+
+fn summarize(resp: &ExecResponse) -> ExecResponseSummary {
+    ExecResponseSummary {
+        status_code: resp.status_code,
+        headers: resp.headers.clone(),
+        body: resp.body.clone(),
+    }
+}
+
+/// Map `ExecError` onto the design-notes §3 status-code table.
+fn classify_exec_error(err: &ExecError) -> (InboxFailureKind, String) {
+    match err {
+        ExecError::Parse(s) | ExecError::InvalidResponse(s) => {
+            (InboxFailureKind::Validation, s.clone())
+        }
+        ExecError::Timeout(_) => (InboxFailureKind::Timeout, err.to_string()),
+        ExecError::OperationBudgetExceeded => (InboxFailureKind::OperationBudget, err.to_string()),
+        ExecError::Overloaded { .. } => (InboxFailureKind::Overloaded, err.to_string()),
+        ExecError::Runtime(s) => (InboxFailureKind::Runtime, s.clone()),
+    }
+}
+
+fn failure_kind_to_status(k: InboxFailureKind) -> u16 {
+    match k {
+        InboxFailureKind::Validation => 422,
+        InboxFailureKind::Runtime => 502,
+        InboxFailureKind::Overloaded => 503,
+        InboxFailureKind::Timeout => 504,
+        InboxFailureKind::OperationBudget => 507,
+        InboxFailureKind::Platform => 500,
+    }
+}
+
+/// `(op, source)` extracted from the outbox payload. Used to seed the
+/// `dead_letters` row when retries exhaust.
+fn describe_event(payload: &serde_json::Value) -> (String, String) {
+    let source = payload
+        .get("source")
+        .and_then(|v| v.as_str())
+        .unwrap_or("")
+        .to_string();
+    let op = payload
+        .get("op")
+        .and_then(|v| v.as_str())
+        .unwrap_or("")
+        .to_string();
+    (op, source)
+}
+
+/// Compute backoff (ms) for the given attempt + policy + jitter.
+/// Attempt is 1-indexed (first retry = attempt 1).
+#[must_use]
+pub fn compute_backoff(attempt: u32, backoff: BackoffShape, base_ms: u32, jitter_pct: u32) -> u32 {
+    let base_ms = u64::from(base_ms);
+    let attempt = u64::from(attempt.saturating_sub(1));
+    let raw = match backoff {
+        BackoffShape::Constant => base_ms,
+        BackoffShape::Linear => base_ms * (attempt + 1),
+        // 1x base, 2x base, 4x base, … (saturating).
+        BackoffShape::Exponential => base_ms.saturating_mul(1u64 << attempt.min(20)),
+    };
+    let raw = u32::try_from(raw.min(u64::from(u32::MAX))).unwrap_or(u32::MAX);
+    apply_jitter(raw, jitter_pct)
+}
+
+fn apply_jitter(raw: u32, pct: u32) -> u32 {
+    if pct == 0 {
+        return raw;
+    }
+    let pct = pct.min(100);
+    // ±span% — bounded by raw itself so we can't underflow when
+    // raw + offset goes below zero.
+    let span = u64::from(raw) * u64::from(pct) / 100;
+    if span == 0 {
+        return raw;
+    }
+    let span_i64 = i64::try_from(span).unwrap_or(i64::MAX);
+    let mut rng = rand::thread_rng();
+    let offset = rng.gen_range(-span_i64..=span_i64);
+    let signed = i64::from(raw).saturating_add(offset).max(0);
+    u32::try_from(signed.min(i64::from(u32::MAX))).unwrap_or(u32::MAX)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn exponential_backoff_doubles_per_attempt() {
+        // No jitter (pct=0) for a deterministic check.
+        assert_eq!(compute_backoff(1, BackoffShape::Exponential, 1000, 0), 1000);
+        assert_eq!(compute_backoff(2, BackoffShape::Exponential, 1000, 0), 2000);
+        assert_eq!(compute_backoff(3, BackoffShape::Exponential, 1000, 0), 4000);
+        assert_eq!(compute_backoff(4, BackoffShape::Exponential, 1000, 0), 8000);
+    }
+
+    #[test]
+    fn linear_backoff_scales_with_attempt() {
+        assert_eq!(compute_backoff(1, BackoffShape::Linear, 100, 0), 100);
+        assert_eq!(compute_backoff(2, BackoffShape::Linear, 100, 0), 200);
+        assert_eq!(compute_backoff(5, BackoffShape::Linear, 100, 0), 500);
+    }
+
+    #[test]
+    fn constant_backoff_returns_base() {
+        for attempt in 1..=5 {
+            assert_eq!(
+                compute_backoff(attempt, BackoffShape::Constant, 750, 0),
+                750
+            );
+        }
+    }
+
+    #[test]
+    fn jitter_within_pct_of_base() {
+        for _ in 0..100 {
+            let v = compute_backoff(1, BackoffShape::Constant, 1000, 20);
+            // ±20% of 1000 = 800..=1200.
+            assert!((800..=1200).contains(&v), "jitter out of range: {v}");
+        }
+    }
+
+    #[test]
+    fn classify_exec_error_covers_every_variant() {
+        let parse = classify_exec_error(&ExecError::Parse("nope".into()));
+        assert!(matches!(parse.0, InboxFailureKind::Validation));
+        let invalid = classify_exec_error(&ExecError::InvalidResponse("bad".into()));
+        assert!(matches!(invalid.0, InboxFailureKind::Validation));
+        let timeout = classify_exec_error(&ExecError::Timeout(30));
+        assert!(matches!(timeout.0, InboxFailureKind::Timeout));
+        let budget = classify_exec_error(&ExecError::OperationBudgetExceeded);
+        assert!(matches!(budget.0, InboxFailureKind::OperationBudget));
+        let runtime = classify_exec_error(&ExecError::Runtime("threw".into()));
+        assert!(matches!(runtime.0, InboxFailureKind::Runtime));
+        let overload = classify_exec_error(&ExecError::Overloaded {
+            retry_after_secs: 1,
+        });
+        assert!(matches!(overload.0, InboxFailureKind::Overloaded));
+    }
+
+    #[test]
+    fn failure_kind_status_codes_match_design_notes() {
+        assert_eq!(failure_kind_to_status(InboxFailureKind::Validation), 422);
+        assert_eq!(failure_kind_to_status(InboxFailureKind::Runtime), 502);
+        assert_eq!(failure_kind_to_status(InboxFailureKind::Overloaded), 503);
+        assert_eq!(failure_kind_to_status(InboxFailureKind::Timeout), 504);
+        assert_eq!(
+            failure_kind_to_status(InboxFailureKind::OperationBudget),
+            507
+        );
+        assert_eq!(failure_kind_to_status(InboxFailureKind::Platform), 500);
+    }
+}

crates/manager-core/src/docs_filter.rs

@@ -0,0 +1,598 @@
+//! v1.1.2 query DSL parser + AST for `docs::find` / `docs::find_one`.
+//!
+//! Sets the precedent v1.2's `dead_letters::list` will follow (see
+//! `docs/v1.1.x-design-notes.md` §4 #13). When that lands we promote
+//! this module to `picloud-shared` and rename to
+//! `picloud_shared::query::{Filter, FieldPath, ComparisonOp}`; until
+//! then keeping it private to manager-core avoids over-engineering.
+//!
+//! Parse stage is deliberately strict: any unrecognized `$xxx`
+//! operator surfaces as `FilterParseError::UnsupportedOperator` with
+//! a script-visible message naming the offending key + pointing at
+//! v1.2. The error strings become part of the SDK contract once
+//! scripts depend on them; pin them with snapshot tests in the test
+//! module below before changing.
+//!
+//! ## DSL surface (v1.1.2 subset)
+//!
+//! ```rhai
+//! // implicit equality (top-level)
+//! users.find(#{ tier: "gold", status: "active" })
+//!
+//! // operator object on a field
+//! users.find(#{ created_at: #{ "$gt": "2026-01-01T00:00:00Z" } })
+//!
+//! // dotted paths (max 5 segments)
+//! users.find(#{ "user.email": "a@b" })
+//!
+//! // sort + limit as filter modifiers
+//! users.find(#{ tier: "gold", "$sort": #{ created_at: -1 }, "$limit": 10 })
+//! ```
+//!
+//! ## Out of scope (v1.2)
+//!
+//! `$or`, `$and`, `$not`, `$exists`, `$regex`, `$type`, `$size`,
+//! `$all`, `$elemMatch`, multi-field sort, projection, aggregations.
+
+use serde_json::Value;
+
+/// Maximum nesting depth for dotted field paths. `"a.b.c.d.e"` is the
+/// deepest path allowed (5 segments). Deeper paths reject at parse
+/// time with `InvalidFilter` — prevents pathological JSONB navigation
+/// chains from a script.
+pub const MAX_FIELD_PATH_DEPTH: usize = 5;
+
+/// Hard cap on `$limit` values — script-side limits are silently
+/// clamped here so the Postgres query is always bounded. Mirrors the
+/// `find` repo's own internal cap.
+pub const MAX_FIND_LIMIT: u32 = 1_000;
+
+/// Parsed `docs::find` filter.
+#[derive(Debug, Clone, PartialEq)]
+pub struct DocsFilter {
+    pub conditions: Vec<FieldCondition>,
+    pub sort: Option<Sort>,
+    pub limit: Option<u32>,
+}
+
+impl DocsFilter {
+    /// Empty filter — matches every document in the collection.
+    #[must_use]
+    pub const fn empty() -> Self {
+        Self {
+            conditions: Vec::new(),
+            sort: None,
+            limit: None,
+        }
+    }
+}
+
+#[derive(Debug, Clone, PartialEq)]
+pub struct FieldCondition {
+    pub path: FieldPath,
+    pub op: ComparisonOp,
+    pub value: Value,
+}
+
+/// Validated dotted path. Construct only via `FieldPath::parse` so the
+/// segment invariants (non-empty, no `..`, no `$` prefix, depth ≤ 5)
+/// are guaranteed.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct FieldPath {
+    segments: Vec<String>,
+}
+
+impl FieldPath {
+    /// Parse a dotted path from a JSON object key.
+    pub fn parse(raw: &str) -> Result<Self, FilterParseError> {
+        if raw.is_empty() {
+            return Err(FilterParseError::InvalidFilter(
+                "docs::find: field path must not be empty".into(),
+            ));
+        }
+        let segments: Vec<&str> = raw.split('.').collect();
+        if segments.len() > MAX_FIELD_PATH_DEPTH {
+            return Err(FilterParseError::InvalidFilter(format!(
+                "docs::find: field path '{raw}' exceeds max depth {MAX_FIELD_PATH_DEPTH}"
+            )));
+        }
+        for seg in &segments {
+            if seg.is_empty() {
+                return Err(FilterParseError::InvalidFilter(format!(
+                    "docs::find: field path '{raw}' has an empty segment (leading/trailing dot or '..')"
+                )));
+            }
+            if seg.starts_with('$') {
+                return Err(FilterParseError::InvalidFilter(format!(
+                    "docs::find: field path segment '{seg}' must not start with '$'"
+                )));
+            }
+        }
+        Ok(Self {
+            segments: segments.into_iter().map(ToString::to_string).collect(),
+        })
+    }
+
+    /// Path segments in order. The Postgres impl binds each as a
+    /// separate text parameter to `jsonb_extract_path_text`, so no
+    /// segment ever appears in the SQL string verbatim.
+    #[must_use]
+    pub fn segments(&self) -> &[String] {
+        &self.segments
+    }
+
+    /// Display form for error messages — joined back with `.`.
+    #[must_use]
+    pub fn as_str(&self) -> String {
+        self.segments.join(".")
+    }
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum ComparisonOp {
+    /// Implicit equality at top level OR explicit `$eq`. Maps to
+    /// `jsonb_extract_path_text(...) = $M`.
+    Eq,
+    /// `$ne` — uses Postgres `IS DISTINCT FROM` so JSON nulls and
+    /// missing paths are correctly included (`<>` returns NULL on
+    /// either operand being NULL, which would silently exclude rows
+    /// the user expects to see).
+    Ne,
+    /// `$gt` / `$gte` / `$lt` / `$lte` — text-lex comparison per the
+    /// brief's contract. Known limitation: lex breaks across
+    /// digit-count boundaries (`'10' < '9'` is TRUE). Documented in
+    /// CHANGELOG; v1.2 advanced query will add numeric-aware
+    /// operators.
+    Gt,
+    Gte,
+    Lt,
+    Lte,
+    /// `$in` — `= ANY($M::text[])` where the value list is bound as
+    /// a TEXT[].
+    In,
+}
+
+impl ComparisonOp {
+    /// Decode an operator key like `"$gt"`. Returns `None` for any
+    /// non-`$` key; returns `Some(Err(...))` for `$`-prefixed keys
+    /// not in the v1.1.2 allowlist (caller surfaces the
+    /// UnsupportedOperator error).
+    fn from_dollar_key(key: &str) -> Option<Result<Self, FilterParseError>> {
+        if !key.starts_with('$') {
+            return None;
+        }
+        Some(match key {
+            "$eq" => Ok(Self::Eq),
+            "$ne" => Ok(Self::Ne),
+            "$gt" => Ok(Self::Gt),
+            "$gte" => Ok(Self::Gte),
+            "$lt" => Ok(Self::Lt),
+            "$lte" => Ok(Self::Lte),
+            "$in" => Ok(Self::In),
+            other => Err(FilterParseError::UnsupportedOperator(format!(
+                "docs::find: operator '{other}' is not supported in v1.1.2; planned for v1.2 advanced query"
+            ))),
+        })
+    }
+}
+
+#[derive(Debug, Clone, PartialEq)]
+pub struct Sort {
+    pub path: FieldPath,
+    pub direction: SortDir,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum SortDir {
+    Asc,
+    Desc,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum FilterParseError {
+    /// Bad path syntax, malformed operator value, multi-field sort,
+    /// etc. The string is the script-visible message.
+    #[error("{0}")]
+    InvalidFilter(String),
+
+    /// Filter used an operator not in the v1.1.2 allowlist. The
+    /// string includes the offending operator + v1.2 pointer.
+    #[error("{0}")]
+    UnsupportedOperator(String),
+}
+
+/// Parse a `serde_json::Value` filter into `DocsFilter`. The bridge
+/// converts the script's Rhai map into a `Value` via
+/// `executor-core::sdk::bridge::dynamic_to_json` and passes it through
+/// `DocsService::find`; the service calls this parser before touching
+/// the repo.
+pub fn parse_filter(filter: &Value) -> Result<DocsFilter, FilterParseError> {
+    let obj = filter.as_object().ok_or_else(|| {
+        FilterParseError::InvalidFilter("docs::find: filter must be a map/object".into())
+    })?;
+
+    let mut out = DocsFilter::empty();
+
+    for (key, value) in obj {
+        if let Some(stripped) = key.strip_prefix('$') {
+            // Top-level modifier — `$sort` / `$limit`. Any other
+            // dollar-key at top level is unsupported.
+            match stripped {
+                "sort" => out.sort = Some(parse_sort(value)?),
+                "limit" => out.limit = Some(parse_limit(value)?),
+                other => {
+                    return Err(FilterParseError::UnsupportedOperator(format!(
+                        "docs::find: top-level modifier '${other}' is not supported in v1.1.2; planned for v1.2 advanced query"
+                    )));
+                }
+            }
+            continue;
+        }
+
+        // Field path → either implicit equality OR operator-object.
+        let path = FieldPath::parse(key)?;
+        match value {
+            Value::Object(inner) if is_operator_object(inner) => {
+                for (op_key, op_val) in inner {
+                    let Some(op_res) = ComparisonOp::from_dollar_key(op_key) else {
+                        // This shouldn't trigger — is_operator_object
+                        // already guarantees every key is $-prefixed.
+                        return Err(FilterParseError::InvalidFilter(format!(
+                            "docs::find: operator object for '{}' has non-$ key '{op_key}'",
+                            path.as_str()
+                        )));
+                    };
+                    let op = op_res?;
+                    validate_op_value(op, op_val, &path)?;
+                    out.conditions.push(FieldCondition {
+                        path: path.clone(),
+                        op,
+                        value: op_val.clone(),
+                    });
+                }
+            }
+            // Any non-object value is implicit equality.
+            // (Object values with non-$ keys are user data, not an
+            // operator object — reject so the user doesn't accidentally
+            // match against a literal `{ name: "Alice" }` shape that
+            // would never compare meaningfully under JSONB text.)
+            Value::Object(_) => {
+                return Err(FilterParseError::InvalidFilter(format!(
+                    "docs::find: value for '{}' must be a scalar (implicit equality) or an operator map (keys starting with '$')",
+                    path.as_str()
+                )));
+            }
+            _ => {
+                out.conditions.push(FieldCondition {
+                    path,
+                    op: ComparisonOp::Eq,
+                    value: value.clone(),
+                });
+            }
+        }
+    }
+
+    Ok(out)
+}
+
+/// True when every key in the map starts with `$`. Mixed-shape maps
+/// (some `$key`, some user-data key) are rejected to avoid silent
+/// surprise — the user almost certainly meant an operator object.
+fn is_operator_object(map: &serde_json::Map<String, Value>) -> bool {
+    !map.is_empty() && map.keys().all(|k| k.starts_with('$'))
+}
+
+fn validate_op_value(
+    op: ComparisonOp,
+    value: &Value,
+    path: &FieldPath,
+) -> Result<(), FilterParseError> {
+    match op {
+        ComparisonOp::In => {
+            if !value.is_array() {
+                return Err(FilterParseError::InvalidFilter(format!(
+                    "docs::find: '$in' on '{}' requires an array value",
+                    path.as_str()
+                )));
+            }
+        }
+        _ => {
+            // For the scalar-comparison ops, the value must be a JSON
+            // scalar (no arrays / no nested objects). JSON null is
+            // allowed — `$ne` against null is a valid query.
+            if value.is_array() || value.is_object() {
+                return Err(FilterParseError::InvalidFilter(format!(
+                    "docs::find: '{op_name}' on '{path}' requires a scalar value",
+                    op_name = op_name(op),
+                    path = path.as_str()
+                )));
+            }
+        }
+    }
+    Ok(())
+}
+
+const fn op_name(op: ComparisonOp) -> &'static str {
+    match op {
+        ComparisonOp::Eq => "$eq",
+        ComparisonOp::Ne => "$ne",
+        ComparisonOp::Gt => "$gt",
+        ComparisonOp::Gte => "$gte",
+        ComparisonOp::Lt => "$lt",
+        ComparisonOp::Lte => "$lte",
+        ComparisonOp::In => "$in",
+    }
+}
+
+fn parse_sort(value: &Value) -> Result<Sort, FilterParseError> {
+    let map = value.as_object().ok_or_else(|| {
+        FilterParseError::InvalidFilter("docs::find: '$sort' must be a map".into())
+    })?;
+    if map.is_empty() {
+        return Err(FilterParseError::InvalidFilter(
+            "docs::find: '$sort' must name at least one field".into(),
+        ));
+    }
+    if map.len() > 1 {
+        return Err(FilterParseError::InvalidFilter(
+            "docs::find: multi-field '$sort' is not supported in v1.1.2; planned for v1.2 advanced query"
+                .into(),
+        ));
+    }
+    let (field, dir_val) = map.iter().next().unwrap();
+    let path = FieldPath::parse(field)?;
+    let direction = match dir_val.as_i64() {
+        Some(1) => SortDir::Asc,
+        Some(-1) => SortDir::Desc,
+        _ => {
+            return Err(FilterParseError::InvalidFilter(format!(
+                "docs::find: '$sort' direction for '{field}' must be 1 (ascending) or -1 (descending)"
+            )));
+        }
+    };
+    Ok(Sort { path, direction })
+}
+
+fn parse_limit(value: &Value) -> Result<u32, FilterParseError> {
+    let n = value.as_i64().ok_or_else(|| {
+        FilterParseError::InvalidFilter("docs::find: '$limit' must be an integer".into())
+    })?;
+    if n < 0 {
+        return Err(FilterParseError::InvalidFilter(
+            "docs::find: '$limit' must be non-negative".into(),
+        ));
+    }
+    Ok(u32::try_from(n)
+        .unwrap_or(MAX_FIND_LIMIT)
+        .min(MAX_FIND_LIMIT))
+}
+
+// ----------------------------------------------------------------------------
+// Tests — error messages are part of the SDK contract once scripts
+// depend on them; the snapshot-style asserts pin the exact strings.
+// ----------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use serde_json::json;
+
+    fn parse(v: Value) -> Result<DocsFilter, FilterParseError> {
+        parse_filter(&v)
+    }
+
+    #[test]
+    fn empty_object_has_no_conditions() {
+        let f = parse(json!({})).unwrap();
+        assert!(f.conditions.is_empty());
+        assert!(f.sort.is_none());
+        assert!(f.limit.is_none());
+    }
+
+    #[test]
+    fn single_equality_top_level() {
+        let f = parse(json!({ "tier": "gold" })).unwrap();
+        assert_eq!(f.conditions.len(), 1);
+        assert_eq!(f.conditions[0].path.segments(), &["tier".to_string()]);
+        assert_eq!(f.conditions[0].op, ComparisonOp::Eq);
+        assert_eq!(f.conditions[0].value, json!("gold"));
+    }
+
+    #[test]
+    fn multi_field_equality_is_conjunctive() {
+        let f = parse(json!({ "tier": "gold", "status": "active" })).unwrap();
+        assert_eq!(f.conditions.len(), 2);
+    }
+
+    #[test]
+    fn nested_dotted_path() {
+        let f = parse(json!({ "user.email": "a@b" })).unwrap();
+        let cond = &f.conditions[0];
+        assert_eq!(
+            cond.path.segments(),
+            &["user".to_string(), "email".to_string()]
+        );
+    }
+
+    #[test]
+    fn depth_limit_rejects_six_segments() {
+        let err = parse(json!({ "a.b.c.d.e.f": "x" })).unwrap_err();
+        let msg = err.to_string();
+        assert!(msg.contains("exceeds max depth"), "msg: {msg}");
+        assert!(msg.contains('5'), "msg: {msg}");
+    }
+
+    #[test]
+    fn double_dot_rejected() {
+        let err = parse(json!({ "a..b": "x" })).unwrap_err();
+        assert!(err.to_string().contains("empty segment"));
+    }
+
+    #[test]
+    fn leading_dot_rejected() {
+        let err = parse(json!({ ".a": "x" })).unwrap_err();
+        assert!(err.to_string().contains("empty segment"));
+    }
+
+    #[test]
+    fn trailing_dot_rejected() {
+        let err = parse(json!({ "a.": "x" })).unwrap_err();
+        assert!(err.to_string().contains("empty segment"));
+    }
+
+    #[test]
+    fn dollar_prefix_in_path_segment_rejected() {
+        // (The top-level $foo would route to operator dispatch; this
+        // tests deeper segments which should never start with $.)
+        let err = parse(json!({ "x.$inner": "v" })).unwrap_err();
+        assert!(err.to_string().contains("must not start with '$'"));
+    }
+
+    #[test]
+    fn each_supported_operator_parses() {
+        for (key, expected_op) in [
+            ("$eq", ComparisonOp::Eq),
+            ("$ne", ComparisonOp::Ne),
+            ("$gt", ComparisonOp::Gt),
+            ("$gte", ComparisonOp::Gte),
+            ("$lt", ComparisonOp::Lt),
+            ("$lte", ComparisonOp::Lte),
+        ] {
+            let v = json!({ "field": { key: "v" } });
+            let f = parse(v).unwrap();
+            assert_eq!(f.conditions[0].op, expected_op, "key {key}");
+        }
+        // $in needs an array.
+        let f = parse(json!({ "tier": { "$in": ["gold", "platinum"] } })).unwrap();
+        assert_eq!(f.conditions[0].op, ComparisonOp::In);
+    }
+
+    #[test]
+    fn dollar_in_with_non_array_value_rejected() {
+        let err = parse(json!({ "tier": { "$in": "gold" } })).unwrap_err();
+        assert!(err.to_string().contains("'$in'"));
+        assert!(err.to_string().contains("array"));
+    }
+
+    #[test]
+    fn scalar_op_with_object_value_rejected() {
+        let err = parse(json!({ "tier": { "$gt": { "nested": true } } })).unwrap_err();
+        assert!(err.to_string().contains("'$gt'"));
+        assert!(err.to_string().contains("scalar"));
+    }
+
+    /// Snapshot: the v1.2-deferred operator error string is part of
+    /// the SDK contract. Don't change it without a major-version bump.
+    #[test]
+    fn unsupported_operator_message_pins_v1_2_pointer() {
+        let err = parse(json!({ "name": { "$regex": "^A" } })).unwrap_err();
+        assert_eq!(
+            err.to_string(),
+            "docs::find: operator '$regex' is not supported in v1.1.2; planned for v1.2 advanced query"
+        );
+    }
+
+    #[test]
+    fn unsupported_top_level_modifier_rejected() {
+        let err = parse(json!({ "$or": [{ "x": 1 }] })).unwrap_err();
+        assert!(err.to_string().contains("'$or'"));
+        assert!(err.to_string().contains("v1.2"));
+    }
+
+    /// Snapshot: depth-limit error string. Pinned per the SDK contract.
+    #[test]
+    fn depth_limit_message_pinned() {
+        let err = parse(json!({ "a.b.c.d.e.f": 1 })).unwrap_err();
+        assert_eq!(
+            err.to_string(),
+            "docs::find: field path 'a.b.c.d.e.f' exceeds max depth 5"
+        );
+    }
+
+    #[test]
+    fn mixed_shape_operator_object_rejected() {
+        // Object value where some keys are $-prefixed and some aren't
+        // — treated as user data + invalid (the user almost certainly
+        // meant an operator object).
+        let err = parse(json!({ "x": { "$gt": 1, "other": 2 } })).unwrap_err();
+        assert!(err
+            .to_string()
+            .contains("scalar (implicit equality) or an operator map"));
+    }
+
+    #[test]
+    fn sort_asc_and_desc_parse() {
+        let f = parse(json!({ "$sort": { "created_at": 1 } })).unwrap();
+        let sort = f.sort.unwrap();
+        assert_eq!(sort.direction, SortDir::Asc);
+        assert_eq!(sort.path.segments(), &["created_at".to_string()]);
+
+        let f = parse(json!({ "$sort": { "created_at": -1 } })).unwrap();
+        assert_eq!(f.sort.unwrap().direction, SortDir::Desc);
+    }
+
+    #[test]
+    fn sort_with_bad_direction_rejected() {
+        let err = parse(json!({ "$sort": { "x": 2 } })).unwrap_err();
+        assert!(err.to_string().contains("1 (ascending)"));
+    }
+
+    /// Snapshot: multi-field sort error string. Pinned.
+    #[test]
+    fn multi_field_sort_rejected_with_v1_2_pointer() {
+        let err = parse(json!({ "$sort": { "a": 1, "b": -1 } })).unwrap_err();
+        assert_eq!(
+            err.to_string(),
+            "docs::find: multi-field '$sort' is not supported in v1.1.2; planned for v1.2 advanced query"
+        );
+    }
+
+    #[test]
+    fn limit_accepts_non_negative_integer() {
+        let f = parse(json!({ "$limit": 50 })).unwrap();
+        assert_eq!(f.limit, Some(50));
+    }
+
+    #[test]
+    fn limit_clamps_to_max() {
+        let f = parse(json!({ "$limit": 10_000 })).unwrap();
+        assert_eq!(f.limit, Some(MAX_FIND_LIMIT));
+    }
+
+    #[test]
+    fn limit_rejects_negative() {
+        let err = parse(json!({ "$limit": -1 })).unwrap_err();
+        assert!(err.to_string().contains("non-negative"));
+    }
+
+    #[test]
+    fn limit_rejects_non_integer() {
+        let err = parse(json!({ "$limit": "twenty" })).unwrap_err();
+        assert!(err.to_string().contains("integer"));
+    }
+
+    #[test]
+    fn non_object_filter_rejected() {
+        let err = parse(json!("not a map")).unwrap_err();
+        assert!(err.to_string().contains("filter must be a map/object"));
+    }
+
+    #[test]
+    fn dollar_eq_value_can_be_null() {
+        // $ne against null is a valid query (returns docs where field
+        // exists and is not null OR is missing) — so null must be an
+        // accepted scalar.
+        let f = parse(json!({ "deleted_at": { "$ne": null } })).unwrap();
+        assert_eq!(f.conditions[0].op, ComparisonOp::Ne);
+        assert_eq!(f.conditions[0].value, Value::Null);
+    }
+
+    #[test]
+    fn implicit_equality_with_array_value_accepts() {
+        // `{ "tags": ["a", "b"] }` is implicit equality against the
+        // literal array shape. The Postgres query will compare the
+        // text encoding under JSONB; this is valid v1.1.2.
+        let f = parse(json!({ "tags": ["a", "b"] })).unwrap();
+        assert_eq!(f.conditions[0].op, ComparisonOp::Eq);
+    }
+}

crates/manager-core/src/docs_repo.rs

@@ -0,0 +1,556 @@
+//! Low-level Postgres CRUD + filter-query builder over the `docs`
+//! table (migration 0013). Stays storage-only; authorization, event
+//! emission, and empty-collection validation live one layer up in
+//! `DocsServiceImpl`.
+//!
+//! The `find` SQL builder is the security-critical surface. **Every
+//! field-path segment and every comparison value is bound as a
+//! `$N` parameter — never interpolated into the SQL string.** The base
+//! `WHERE app_id = $1 AND collection = $2` clause is fixed and
+//! prepended to every query so cross-app isolation can't be widened by
+//! any operator. See `sql_starts_with_app_collection_predicate`
+//! assertion in tests for the load-bearing guarantee.
+
+use async_trait::async_trait;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::Engine as _;
+use chrono::{DateTime, Utc};
+use picloud_shared::{AppId, DocId, DocRow, DocsListPage};
+use serde_json::Value;
+use sqlx::postgres::PgRow;
+use sqlx::{PgPool, Postgres, QueryBuilder, Row};
+use uuid::Uuid;
+
+use crate::docs_filter::{ComparisonOp, DocsFilter, SortDir};
+
+#[derive(Debug, thiserror::Error)]
+pub enum DocsRepoError {
+    #[error("database error: {0}")]
+    Db(#[from] sqlx::Error),
+
+    #[error("invalid pagination cursor")]
+    InvalidCursor,
+}
+
+/// Repo surface. The trait is exposed so the service unit tests can
+/// substitute an in-memory backing without spinning up Postgres.
+#[async_trait]
+pub trait DocsRepo: Send + Sync {
+    /// Create a new doc with a server-generated UUID. Returns the
+    /// fully-materialised `DocRow` so the caller has timestamps too
+    /// (no separate select-back round-trip).
+    async fn create(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        data: Value,
+    ) -> Result<DocRow, DocsRepoError>;
+
+    async fn get(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: DocId,
+    ) -> Result<Option<DocRow>, DocsRepoError>;
+
+    /// Filter-based query. The parsed `DocsFilter` ensures every
+    /// field-path segment and operator value is bound as a parameter.
+    async fn find(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        filter: &DocsFilter,
+    ) -> Result<Vec<DocRow>, DocsRepoError>;
+
+    /// Full document replace. Returns `Some(previous_data)` on
+    /// success, `None` if no doc matched (the service maps that to
+    /// `DocsError::NotFound`). The prev value is the input to the
+    /// emitted update event's `old_payload`.
+    async fn update(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: DocId,
+        data: Value,
+    ) -> Result<Option<Value>, DocsRepoError>;
+
+    /// Returns the deleted doc's data if it existed, `None` if no
+    /// such doc. The caller converts `Some` → `Ok(true)` for the SDK's
+    /// was-present return; the `Value` feeds the delete event's
+    /// `old_payload`.
+    async fn delete(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: DocId,
+    ) -> Result<Option<Value>, DocsRepoError>;
+
+    async fn list(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        cursor: Option<&str>,
+        limit: u32,
+    ) -> Result<DocsListPage, DocsRepoError>;
+}
+
+pub struct PostgresDocsRepo {
+    pool: PgPool,
+}
+
+impl PostgresDocsRepo {
+    #[must_use]
+    pub fn new(pool: PgPool) -> Self {
+        Self { pool }
+    }
+}
+
+/// Hard ceiling on `list` page size — mirrors KV's `KV_LIST_MAX_LIMIT`.
+/// Scripts that pass anything larger get silently clamped.
+const DOCS_LIST_MAX_LIMIT: u32 = 1_000;
+const DOCS_LIST_DEFAULT_LIMIT: u32 = 100;
+
+#[async_trait]
+impl DocsRepo for PostgresDocsRepo {
+    async fn create(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        data: Value,
+    ) -> Result<DocRow, DocsRepoError> {
+        let id = Uuid::new_v4();
+        let row: (DateTime<Utc>, DateTime<Utc>) = sqlx::query_as(
+            "INSERT INTO docs (app_id, collection, id, data) \
+             VALUES ($1, $2, $3, $4) \
+             RETURNING created_at, updated_at",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(id)
+        .bind(&data)
+        .fetch_one(&self.pool)
+        .await?;
+        Ok(DocRow {
+            id,
+            data,
+            created_at: row.0,
+            updated_at: row.1,
+        })
+    }
+
+    async fn get(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: DocId,
+    ) -> Result<Option<DocRow>, DocsRepoError> {
+        let row: Option<(Value, DateTime<Utc>, DateTime<Utc>)> = sqlx::query_as(
+            "SELECT data, created_at, updated_at FROM docs \
+             WHERE app_id = $1 AND collection = $2 AND id = $3",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(id)
+        .fetch_optional(&self.pool)
+        .await?;
+        Ok(row.map(|(data, created_at, updated_at)| DocRow {
+            id,
+            data,
+            created_at,
+            updated_at,
+        }))
+    }
+
+    async fn find(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        filter: &DocsFilter,
+    ) -> Result<Vec<DocRow>, DocsRepoError> {
+        let mut qb = build_find_query(app_id, collection, filter);
+        let rows = qb.build().fetch_all(&self.pool).await?;
+        rows.into_iter().map(row_to_doc).collect()
+    }
+
+    async fn update(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: DocId,
+        data: Value,
+    ) -> Result<Option<Value>, DocsRepoError> {
+        // Same CTE shape as KV's set ([kv_repo.rs:101-132]): SELECT the
+        // previous data before the UPDATE so the service can emit
+        // `prev_data` in the update ServiceEvent. Single statement, no
+        // explicit transaction. Inherits KV's last-writer-wins race
+        // under concurrent writers; documented as a known limitation
+        // for v1.1.2.
+        let row: Option<(Option<Value>,)> = sqlx::query_as(
+            "WITH prev AS ( \
+                SELECT data FROM docs \
+                WHERE app_id = $1 AND collection = $2 AND id = $3 \
+             ), \
+             updated AS ( \
+                UPDATE docs SET data = $4, updated_at = NOW() \
+                WHERE app_id = $1 AND collection = $2 AND id = $3 \
+                RETURNING 1 \
+             ) \
+             SELECT (SELECT data FROM prev) FROM updated",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(id)
+        .bind(&data)
+        .fetch_optional(&self.pool)
+        .await?;
+        // `row` is None when the UPDATE matched no rows (missing doc);
+        // Some((Some(prev),)) on success. `data` is JSONB NOT NULL so
+        // the inner Option is always Some when prev exists.
+        Ok(row.and_then(|(v,)| v))
+    }
+
+    async fn delete(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: DocId,
+    ) -> Result<Option<Value>, DocsRepoError> {
+        let row: Option<(Value,)> = sqlx::query_as(
+            "DELETE FROM docs \
+             WHERE app_id = $1 AND collection = $2 AND id = $3 \
+             RETURNING data",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(id)
+        .fetch_optional(&self.pool)
+        .await?;
+        Ok(row.map(|(v,)| v))
+    }
+
+    async fn list(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        cursor: Option<&str>,
+        limit: u32,
+    ) -> Result<DocsListPage, DocsRepoError> {
+        let limit = if limit == 0 {
+            DOCS_LIST_DEFAULT_LIMIT
+        } else {
+            limit.min(DOCS_LIST_MAX_LIMIT)
+        };
+
+        let last_id = match cursor {
+            Some(c) => Some(decode_cursor(c)?),
+            None => None,
+        };
+
+        let take = i64::from(limit) + 1;
+        let rows: Vec<(Uuid, Value, DateTime<Utc>, DateTime<Utc>)> = sqlx::query_as(
+            "SELECT id, data, created_at, updated_at FROM docs \
+             WHERE app_id = $1 AND collection = $2 \
+               AND ($3::uuid IS NULL OR id > $3) \
+             ORDER BY id ASC \
+             LIMIT $4",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(last_id)
+        .bind(take)
+        .fetch_all(&self.pool)
+        .await?;
+
+        let mut docs: Vec<DocRow> = rows
+            .into_iter()
+            .map(|(id, data, created_at, updated_at)| DocRow {
+                id,
+                data,
+                created_at,
+                updated_at,
+            })
+            .collect();
+        let next_cursor = if docs.len() > limit as usize {
+            docs.truncate(limit as usize);
+            docs.last().map(|d| encode_cursor(&d.id))
+        } else {
+            None
+        };
+
+        Ok(DocsListPage { docs, next_cursor })
+    }
+}
+
+fn row_to_doc(row: PgRow) -> Result<DocRow, DocsRepoError> {
+    Ok(DocRow {
+        id: row.try_get("id")?,
+        data: row.try_get("data")?,
+        created_at: row.try_get("created_at")?,
+        updated_at: row.try_get("updated_at")?,
+    })
+}
+
+fn encode_cursor(last_id: &Uuid) -> String {
+    URL_SAFE_NO_PAD.encode(last_id.as_bytes())
+}
+
+fn decode_cursor(cursor: &str) -> Result<Uuid, DocsRepoError> {
+    let bytes = URL_SAFE_NO_PAD
+        .decode(cursor)
+        .map_err(|_| DocsRepoError::InvalidCursor)?;
+    let arr: [u8; 16] = bytes
+        .as_slice()
+        .try_into()
+        .map_err(|_| DocsRepoError::InvalidCursor)?;
+    Ok(Uuid::from_bytes(arr))
+}
+
+// ----------------------------------------------------------------------------
+// SQL builder — the load-bearing security surface.
+//
+// Every field-path segment + every comparison value goes through
+// `QueryBuilder::push_bind`, which appends `$N` to the SQL string and
+// binds the value as a parameter. The only literal strings appended to
+// the SQL are: hardcoded SQL fragments (SELECT/WHERE/AND/etc.) and
+// hardcoded operator strings ("=", "IS DISTINCT FROM", ">", "ASC", …).
+// **No user input ever lands in the SQL text unparameterized.**
+// ----------------------------------------------------------------------------
+
+fn build_find_query<'a>(
+    app_id: AppId,
+    collection: &'a str,
+    filter: &'a DocsFilter,
+) -> QueryBuilder<'a, Postgres> {
+    let mut qb =
+        QueryBuilder::new("SELECT id, data, created_at, updated_at FROM docs WHERE app_id = ");
+    qb.push_bind(app_id.into_inner());
+    qb.push(" AND collection = ");
+    qb.push_bind(collection);
+
+    for cond in &filter.conditions {
+        qb.push(" AND ");
+        emit_condition(&mut qb, cond);
+    }
+
+    qb.push(" ORDER BY ");
+    if let Some(sort) = &filter.sort {
+        push_jsonb_path(&mut qb, sort.path.segments());
+        qb.push(match sort.direction {
+            SortDir::Asc => " ASC",
+            SortDir::Desc => " DESC",
+        });
+        qb.push(", id ASC");
+    } else {
+        qb.push("id ASC");
+    }
+
+    let limit = filter
+        .limit
+        .map_or(DOCS_LIST_MAX_LIMIT, |l| l.min(DOCS_LIST_MAX_LIMIT));
+    qb.push(" LIMIT ");
+    qb.push_bind(i64::from(limit));
+
+    qb
+}
+
+fn emit_condition<'a>(
+    qb: &mut QueryBuilder<'a, Postgres>,
+    cond: &'a crate::docs_filter::FieldCondition,
+) {
+    push_jsonb_path(qb, cond.path.segments());
+    match cond.op {
+        ComparisonOp::Eq => {
+            if cond.value.is_null() {
+                qb.push(" IS NULL");
+            } else {
+                qb.push(" = ");
+                qb.push_bind(value_to_text(&cond.value));
+            }
+        }
+        ComparisonOp::Ne => {
+            // IS DISTINCT FROM correctly handles NULL on either side
+            // (would otherwise silently exclude rows with missing
+            // paths). Holds for the literal-NULL case too.
+            if cond.value.is_null() {
+                qb.push(" IS NOT NULL");
+            } else {
+                qb.push(" IS DISTINCT FROM ");
+                qb.push_bind(value_to_text(&cond.value));
+            }
+        }
+        ComparisonOp::Gt => {
+            qb.push(" > ");
+            qb.push_bind(value_to_text(&cond.value));
+        }
+        ComparisonOp::Gte => {
+            qb.push(" >= ");
+            qb.push_bind(value_to_text(&cond.value));
+        }
+        ComparisonOp::Lt => {
+            qb.push(" < ");
+            qb.push_bind(value_to_text(&cond.value));
+        }
+        ComparisonOp::Lte => {
+            qb.push(" <= ");
+            qb.push_bind(value_to_text(&cond.value));
+        }
+        ComparisonOp::In => {
+            qb.push(" = ANY(");
+            let texts: Vec<Option<String>> = cond
+                .value
+                .as_array()
+                .map(|arr| arr.iter().map(value_to_text).collect())
+                .unwrap_or_default();
+            qb.push_bind(texts);
+            qb.push(")");
+        }
+    }
+}
+
+/// Append `jsonb_extract_path_text(data, $N1, $N2, …)` with each
+/// segment bound as a separate text parameter. Variadic path lengths
+/// (1–5) all flow through this single helper.
+fn push_jsonb_path<'a>(qb: &mut QueryBuilder<'a, Postgres>, segments: &'a [String]) {
+    qb.push("jsonb_extract_path_text(data");
+    for seg in segments {
+        qb.push(", ");
+        qb.push_bind(seg.as_str());
+    }
+    qb.push(")");
+}
+
+/// JSON scalar → TEXT for binding. `Value::Null` is preserved as
+/// `None` so the binding lands as SQL NULL (handled specially above for
+/// `Eq` / `Ne`). Arrays + objects serialize to compact JSON; the user
+/// is comparing against the JSONB text rendering, which is consistent
+/// with `jsonb_extract_path_text`'s output for those types.
+fn value_to_text(v: &Value) -> Option<String> {
+    match v {
+        Value::Null => None,
+        Value::String(s) => Some(s.clone()),
+        Value::Bool(b) => Some(b.to_string()),
+        Value::Number(n) => Some(n.to_string()),
+        Value::Array(_) | Value::Object(_) => Some(v.to_string()),
+    }
+}
+
+// ----------------------------------------------------------------------------
+// SQL-shape guardrail tests — pure (no DB) so they run in the default
+// test suite. These are the highest-stakes tests in the release: they
+// pin the cross-app isolation invariant at the SQL level.
+// ----------------------------------------------------------------------------
+
+#[cfg(test)]
+mod sql_shape_tests {
+    use super::*;
+    use crate::docs_filter::parse_filter;
+    use serde_json::json;
+
+    fn sql_for(filter_json: serde_json::Value) -> String {
+        let filter = parse_filter(&filter_json).unwrap();
+        let qb = build_find_query(AppId::new(), "users", &filter);
+        qb.sql().to_string()
+    }
+
+    /// **Load-bearing**: every generated SELECT begins
+    /// `WHERE app_id = $1 AND collection = $2`. The app_id parameter
+    /// is the cross-app isolation gate. No user-supplied filter
+    /// fragment can ever appear before these clauses.
+    #[test]
+    fn every_query_starts_with_app_id_and_collection_predicate() {
+        let cases = vec![
+            json!({}),
+            json!({ "tier": "gold" }),
+            json!({ "created_at": { "$gt": "2026-01-01" } }),
+            json!({ "tier": { "$in": ["gold", "platinum"] } }),
+            json!({ "tier": "gold", "status": "active" }),
+            json!({ "$sort": { "created_at": -1 }, "$limit": 5 }),
+            json!({ "tier": "gold", "$sort": { "created_at": 1 } }),
+            json!({ "deleted_at": { "$ne": null } }),
+        ];
+        for case in cases {
+            let sql = sql_for(case.clone());
+            assert!(
+                sql.starts_with(
+                    "SELECT id, data, created_at, updated_at FROM docs WHERE app_id = $1 AND collection = $2"
+                ),
+                "filter {case} produced SQL: {sql}"
+            );
+        }
+    }
+
+    /// Every comparison value lands as a `$N` placeholder — there
+    /// should be NO double-quoted string literal in the SQL after the
+    /// fixed prefix. (This guards against an accidental `format!`
+    /// regression.)
+    #[test]
+    fn no_user_string_literal_in_sql() {
+        let sql = sql_for(json!({ "tier": "gold; DROP TABLE docs;--" }));
+        assert!(!sql.contains("gold"), "value leaked into SQL string: {sql}");
+        assert!(!sql.contains("DROP"), "value leaked into SQL string: {sql}");
+    }
+
+    /// Field-path segments also bind as parameters. A user passing a
+    /// path that looks like SQL keywords doesn't change the structure.
+    #[test]
+    fn no_user_path_literal_in_sql() {
+        let sql = sql_for(json!({ "drop_table_users": "v" }));
+        assert!(
+            !sql.contains("drop_table_users"),
+            "path leaked into SQL string: {sql}"
+        );
+    }
+
+    #[test]
+    fn empty_filter_sql_has_no_extra_conditions() {
+        let sql = sql_for(json!({}));
+        // After the fixed prefix, only ORDER BY + LIMIT — no `AND`s.
+        let suffix = sql
+            .trim_start_matches(
+                "SELECT id, data, created_at, updated_at FROM docs WHERE app_id = $1 AND collection = $2",
+            )
+            .trim();
+        assert!(
+            suffix.starts_with("ORDER BY"),
+            "expected ORDER BY immediately after base WHERE; got: {suffix}"
+        );
+    }
+
+    #[test]
+    fn eq_with_null_emits_is_null() {
+        let sql = sql_for(json!({ "x": null }));
+        assert!(sql.contains("IS NULL"), "sql: {sql}");
+    }
+
+    #[test]
+    fn ne_with_null_emits_is_not_null() {
+        let sql = sql_for(json!({ "x": { "$ne": null } }));
+        assert!(sql.contains("IS NOT NULL"), "sql: {sql}");
+    }
+
+    #[test]
+    fn ne_with_value_uses_is_distinct_from() {
+        // IS DISTINCT FROM, NOT <> — see ComparisonOp::Ne comment.
+        let sql = sql_for(json!({ "x": { "$ne": "v" } }));
+        assert!(sql.contains("IS DISTINCT FROM"), "sql: {sql}");
+        assert!(!sql.contains(" <> "), "sql: {sql}");
+    }
+
+    #[test]
+    fn in_emits_any_array() {
+        let sql = sql_for(json!({ "x": { "$in": ["a", "b"] } }));
+        assert!(sql.contains("= ANY"), "sql: {sql}");
+    }
+
+    #[test]
+    fn sort_appends_tiebreaker_id_asc() {
+        let sql = sql_for(json!({ "$sort": { "created_at": -1 } }));
+        assert!(sql.contains("DESC, id ASC"), "sql: {sql}");
+    }
+
+    #[test]
+    fn jsonb_extract_path_used_for_field_access() {
+        let sql = sql_for(json!({ "user.email": "a@b" }));
+        assert!(sql.contains("jsonb_extract_path_text(data"), "sql: {sql}");
+    }
+}

crates/manager-core/src/docs_service.rs

@@ -0,0 +1,892 @@
+//! `DocsServiceImpl` — wires the `DocsRepo` underneath the
+//! `picloud_shared::DocsService` trait that scripts see via the Rhai
+//! bridge.
+//!
+//! Layers added here (vs the raw repo):
+//!
+//! 1. Empty-collection rejection at the SDK boundary
+//!    (`docs/sdk-shape.md`).
+//! 2. `data` must be a JSON object for create + update. (The repo
+//!    accepts anything serde_json can serialise; the SDK contract
+//!    pins documents to map shape so dotted-path queries make sense.)
+//! 3. **Script-as-gate authz**: when `cx.principal.is_some()` we run
+//!    `authz::require(...)`; when it's `None` (public unauthenticated
+//!    HTTP — the common case for public routes) we skip the check.
+//!    Cross-app isolation isn't affected — every query is keyed by
+//!    `cx.app_id`, never an argument.
+//! 4. Query DSL parse — `find`/`find_one` parse the opaque filter
+//!    into `DocsFilter` before passing it down. Parse errors map to
+//!    `DocsError::InvalidFilter` / `UnsupportedOperator` with the
+//!    parser's message verbatim (script-visible).
+//! 5. `ServiceEvent` emission after each mutation (`create` / `update`
+//!    / `delete`). The outbox emitter (when wired) turns these into
+//!    docs-trigger fan-out via `OutboxEventEmitter::emit_docs`.
+
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use picloud_shared::{
+    DocId, DocRow, DocsError, DocsListPage, DocsService, SdkCallCx, ServiceEvent,
+    ServiceEventEmitter,
+};
+
+use crate::authz::{self, AuthzRepo, Capability};
+use crate::docs_filter::{parse_filter, FilterParseError};
+use crate::docs_repo::{DocsRepo, DocsRepoError};
+
+pub struct DocsServiceImpl {
+    repo: Arc<dyn DocsRepo>,
+    authz: Arc<dyn AuthzRepo>,
+    events: Arc<dyn ServiceEventEmitter>,
+}
+
+impl DocsServiceImpl {
+    #[must_use]
+    pub fn new(
+        repo: Arc<dyn DocsRepo>,
+        authz: Arc<dyn AuthzRepo>,
+        events: Arc<dyn ServiceEventEmitter>,
+    ) -> Self {
+        Self {
+            repo,
+            authz,
+            events,
+        }
+    }
+
+    async fn check_read(&self, cx: &SdkCallCx) -> Result<(), DocsError> {
+        if let Some(ref principal) = cx.principal {
+            authz::require(&*self.authz, principal, Capability::AppDocsRead(cx.app_id))
+                .await
+                .map_err(|_| DocsError::Forbidden)?;
+        }
+        Ok(())
+    }
+
+    async fn check_write(&self, cx: &SdkCallCx) -> Result<(), DocsError> {
+        if let Some(ref principal) = cx.principal {
+            authz::require(&*self.authz, principal, Capability::AppDocsWrite(cx.app_id))
+                .await
+                .map_err(|_| DocsError::Forbidden)?;
+        }
+        Ok(())
+    }
+}
+
+fn validate_collection(collection: &str) -> Result<(), DocsError> {
+    if collection.is_empty() {
+        return Err(DocsError::InvalidCollection);
+    }
+    Ok(())
+}
+
+fn validate_data(data: &serde_json::Value) -> Result<(), DocsError> {
+    if !data.is_object() {
+        return Err(DocsError::InvalidData);
+    }
+    Ok(())
+}
+
+impl From<DocsRepoError> for DocsError {
+    fn from(e: DocsRepoError) -> Self {
+        Self::Backend(e.to_string())
+    }
+}
+
+impl From<FilterParseError> for DocsError {
+    fn from(e: FilterParseError) -> Self {
+        match e {
+            FilterParseError::InvalidFilter(s) => Self::InvalidFilter(s),
+            FilterParseError::UnsupportedOperator(s) => Self::UnsupportedOperator(s),
+        }
+    }
+}
+
+#[async_trait]
+impl DocsService for DocsServiceImpl {
+    async fn create(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        data: serde_json::Value,
+    ) -> Result<DocId, DocsError> {
+        validate_collection(collection)?;
+        validate_data(&data)?;
+        self.check_write(cx).await?;
+        let row = self
+            .repo
+            .create(cx.app_id, collection, data.clone())
+            .await?;
+        // Best-effort emit — a failed emit logs but does not roll back
+        // the write (mirrors KV's pattern).
+        if let Err(e) = self
+            .events
+            .emit(
+                cx,
+                ServiceEvent {
+                    source: "docs",
+                    op: "create",
+                    collection: Some(collection.to_string()),
+                    key: Some(row.id.to_string()),
+                    payload: Some(data),
+                    old_payload: None,
+                },
+            )
+            .await
+        {
+            tracing::warn!(error = %e, source = "docs", op = "create", "event emit failed");
+        }
+        Ok(row.id)
+    }
+
+    async fn get(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: DocId,
+    ) -> Result<Option<DocRow>, DocsError> {
+        validate_collection(collection)?;
+        self.check_read(cx).await?;
+        Ok(self.repo.get(cx.app_id, collection, id).await?)
+    }
+
+    async fn find(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        filter: serde_json::Value,
+    ) -> Result<Vec<DocRow>, DocsError> {
+        validate_collection(collection)?;
+        self.check_read(cx).await?;
+        let parsed = parse_filter(&filter)?;
+        Ok(self.repo.find(cx.app_id, collection, &parsed).await?)
+    }
+
+    async fn find_one(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        filter: serde_json::Value,
+    ) -> Result<Option<DocRow>, DocsError> {
+        validate_collection(collection)?;
+        self.check_read(cx).await?;
+        let mut parsed = parse_filter(&filter)?;
+        // Inject the implicit `LIMIT 1` for find_one — explicit
+        // caller-supplied `$limit` wins.
+        if parsed.limit.is_none() {
+            parsed.limit = Some(1);
+        }
+        let rows = self.repo.find(cx.app_id, collection, &parsed).await?;
+        Ok(rows.into_iter().next())
+    }
+
+    async fn update(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: DocId,
+        data: serde_json::Value,
+    ) -> Result<(), DocsError> {
+        validate_collection(collection)?;
+        validate_data(&data)?;
+        self.check_write(cx).await?;
+        let previous = self
+            .repo
+            .update(cx.app_id, collection, id, data.clone())
+            .await?;
+        match previous {
+            Some(prev) => {
+                if let Err(e) = self
+                    .events
+                    .emit(
+                        cx,
+                        ServiceEvent {
+                            source: "docs",
+                            op: "update",
+                            collection: Some(collection.to_string()),
+                            key: Some(id.to_string()),
+                            payload: Some(data),
+                            old_payload: Some(prev),
+                        },
+                    )
+                    .await
+                {
+                    tracing::warn!(error = %e, source = "docs", op = "update", "event emit failed");
+                }
+                Ok(())
+            }
+            None => Err(DocsError::NotFound),
+        }
+    }
+
+    async fn delete(&self, cx: &SdkCallCx, collection: &str, id: DocId) -> Result<bool, DocsError> {
+        validate_collection(collection)?;
+        self.check_write(cx).await?;
+        let previous = self.repo.delete(cx.app_id, collection, id).await?;
+        let was_present = previous.is_some();
+        if let Some(prev) = previous {
+            if let Err(e) = self
+                .events
+                .emit(
+                    cx,
+                    ServiceEvent {
+                        source: "docs",
+                        op: "delete",
+                        collection: Some(collection.to_string()),
+                        key: Some(id.to_string()),
+                        payload: None,
+                        old_payload: Some(prev),
+                    },
+                )
+                .await
+            {
+                tracing::warn!(error = %e, source = "docs", op = "delete", "event emit failed");
+            }
+        }
+        Ok(was_present)
+    }
+
+    async fn list(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        cursor: Option<&str>,
+        limit: u32,
+    ) -> Result<DocsListPage, DocsError> {
+        validate_collection(collection)?;
+        self.check_read(cx).await?;
+        Ok(self.repo.list(cx.app_id, collection, cursor, limit).await?)
+    }
+}
+
+// ----------------------------------------------------------------------------
+// Tests — in-memory DocsRepo so unit tests don't need Postgres.
+// ----------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::authz::{AuthzError, AuthzRepo};
+    use crate::docs_filter::DocsFilter;
+    use async_trait::async_trait;
+    use chrono::Utc;
+    use picloud_shared::{
+        AdminUserId, AppId, AppRole, ExecutionId, InstanceRole, NoopEventEmitter, Principal,
+        RequestId, ScriptId, UserId,
+    };
+    use serde_json::json;
+    use std::collections::BTreeMap;
+    use std::sync::Arc;
+    use tokio::sync::Mutex;
+    use uuid::Uuid;
+
+    /// In-memory backing: BTreeMap keyed by `(app_id, collection, id)`
+    /// so iteration is naturally ordered for stable cursor pagination
+    /// (matches the Postgres `ORDER BY id ASC`).
+    #[derive(Default)]
+    struct InMemoryDocsRepo {
+        data: Mutex<BTreeMap<(AppId, String, DocId), DocRow>>,
+    }
+
+    #[async_trait]
+    impl DocsRepo for InMemoryDocsRepo {
+        async fn create(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            data: serde_json::Value,
+        ) -> Result<DocRow, DocsRepoError> {
+            let id = Uuid::new_v4();
+            let now = Utc::now();
+            let row = DocRow {
+                id,
+                data,
+                created_at: now,
+                updated_at: now,
+            };
+            self.data
+                .lock()
+                .await
+                .insert((app_id, collection.to_string(), id), row.clone());
+            Ok(row)
+        }
+
+        async fn get(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            id: DocId,
+        ) -> Result<Option<DocRow>, DocsRepoError> {
+            Ok(self
+                .data
+                .lock()
+                .await
+                .get(&(app_id, collection.to_string(), id))
+                .cloned())
+        }
+
+        async fn find(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            filter: &DocsFilter,
+        ) -> Result<Vec<DocRow>, DocsRepoError> {
+            let map = self.data.lock().await;
+            let mut out: Vec<DocRow> = map
+                .iter()
+                .filter(|((a, c, _), _)| *a == app_id && c == collection)
+                .map(|(_, v)| v.clone())
+                .filter(|row| in_memory_matches(row, filter))
+                .collect();
+            if let Some(sort) = &filter.sort {
+                let path = sort.path.segments().to_vec();
+                let dir = sort.direction;
+                out.sort_by(|a, b| {
+                    let av = extract_path_str(&a.data, &path);
+                    let bv = extract_path_str(&b.data, &path);
+                    let ord = av.cmp(&bv);
+                    match dir {
+                        crate::docs_filter::SortDir::Asc => ord,
+                        crate::docs_filter::SortDir::Desc => ord.reverse(),
+                    }
+                });
+            } else {
+                out.sort_by_key(|d| d.id);
+            }
+            if let Some(limit) = filter.limit {
+                out.truncate(limit as usize);
+            }
+            Ok(out)
+        }
+
+        async fn update(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            id: DocId,
+            data: serde_json::Value,
+        ) -> Result<Option<serde_json::Value>, DocsRepoError> {
+            let mut map = self.data.lock().await;
+            let key = (app_id, collection.to_string(), id);
+            let Some(existing) = map.get_mut(&key) else {
+                return Ok(None);
+            };
+            let prev = std::mem::replace(&mut existing.data, data);
+            existing.updated_at = Utc::now();
+            Ok(Some(prev))
+        }
+
+        async fn delete(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            id: DocId,
+        ) -> Result<Option<serde_json::Value>, DocsRepoError> {
+            Ok(self
+                .data
+                .lock()
+                .await
+                .remove(&(app_id, collection.to_string(), id))
+                .map(|row| row.data))
+        }
+
+        async fn list(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            cursor: Option<&str>,
+            limit: u32,
+        ) -> Result<DocsListPage, DocsRepoError> {
+            let map = self.data.lock().await;
+            let last_id = cursor
+                .map(|c| Uuid::parse_str(c).map_err(|_| DocsRepoError::InvalidCursor))
+                .transpose()?;
+            let mut docs: Vec<DocRow> = map
+                .iter()
+                .filter(|((a, c, _), _)| *a == app_id && c == collection)
+                .map(|(_, v)| v.clone())
+                .filter(|d| last_id.is_none_or(|lid| d.id > lid))
+                .collect();
+            docs.sort_by_key(|d| d.id);
+            let take = if limit == 0 {
+                usize::MAX
+            } else {
+                limit as usize
+            };
+            let next_cursor = if docs.len() > take {
+                docs.truncate(take);
+                docs.last().map(|d| d.id.to_string())
+            } else {
+                None
+            };
+            Ok(DocsListPage { docs, next_cursor })
+        }
+    }
+
+    /// Best-effort in-memory filter eval mirroring the Postgres
+    /// semantics: extract each field path as a text-form string, then
+    /// apply the operator. Good enough for the unit tests; production
+    /// always goes through the Postgres impl.
+    fn in_memory_matches(row: &DocRow, filter: &DocsFilter) -> bool {
+        for cond in &filter.conditions {
+            let actual = extract_path_str(&row.data, cond.path.segments());
+            if !cond_matches(actual.as_ref(), cond) {
+                return false;
+            }
+        }
+        true
+    }
+
+    fn cond_matches(actual: Option<&String>, cond: &crate::docs_filter::FieldCondition) -> bool {
+        use crate::docs_filter::ComparisonOp::*;
+        let actual: Option<&str> = actual.map(String::as_str);
+        let want = json_text(&cond.value);
+        let want_ref: Option<&str> = want.as_deref();
+        match cond.op {
+            Eq => actual == want_ref,
+            Ne => actual != want_ref,
+            Gt => actual.zip(want_ref).is_some_and(|(a, b)| a > b),
+            Gte => actual.zip(want_ref).is_some_and(|(a, b)| a >= b),
+            Lt => actual.zip(want_ref).is_some_and(|(a, b)| a < b),
+            Lte => actual.zip(want_ref).is_some_and(|(a, b)| a <= b),
+            In => {
+                let Some(arr) = cond.value.as_array() else {
+                    return false;
+                };
+                arr.iter().any(|v| actual == json_text(v).as_deref())
+            }
+        }
+    }
+
+    fn extract_path_str(value: &serde_json::Value, segments: &[String]) -> Option<String> {
+        let mut cur = value;
+        for seg in segments {
+            cur = cur.as_object()?.get(seg)?;
+        }
+        json_text(cur)
+    }
+
+    fn json_text(v: &serde_json::Value) -> Option<String> {
+        match v {
+            serde_json::Value::Null => None,
+            serde_json::Value::String(s) => Some(s.clone()),
+            serde_json::Value::Bool(b) => Some(b.to_string()),
+            serde_json::Value::Number(n) => Some(n.to_string()),
+            serde_json::Value::Array(_) | serde_json::Value::Object(_) => Some(v.to_string()),
+        }
+    }
+
+    #[derive(Default)]
+    struct DenyingAuthzRepo;
+
+    #[async_trait]
+    impl AuthzRepo for DenyingAuthzRepo {
+        async fn membership(
+            &self,
+            _user_id: UserId,
+            _app_id: AppId,
+        ) -> Result<Option<AppRole>, AuthzError> {
+            Ok(None)
+        }
+    }
+
+    #[derive(Default)]
+    struct AllowingAuthzRepo;
+
+    #[async_trait]
+    impl AuthzRepo for AllowingAuthzRepo {
+        async fn membership(
+            &self,
+            _user_id: UserId,
+            _app_id: AppId,
+        ) -> Result<Option<AppRole>, AuthzError> {
+            Ok(Some(AppRole::Editor))
+        }
+    }
+
+    fn anon_cx(app_id: AppId) -> SdkCallCx {
+        SdkCallCx {
+            app_id,
+            script_id: ScriptId::new(),
+            principal: None,
+            execution_id: ExecutionId::new(),
+            request_id: RequestId::new(),
+            trigger_depth: 0,
+            root_execution_id: ExecutionId::new(),
+            is_dead_letter_handler: false,
+            event: None,
+        }
+    }
+
+    fn owner_cx(app_id: AppId) -> SdkCallCx {
+        SdkCallCx {
+            app_id,
+            script_id: ScriptId::new(),
+            principal: Some(Principal {
+                user_id: AdminUserId::new(),
+                instance_role: InstanceRole::Owner,
+                scopes: None,
+                app_binding: None,
+            }),
+            execution_id: ExecutionId::new(),
+            request_id: RequestId::new(),
+            trigger_depth: 0,
+            root_execution_id: ExecutionId::new(),
+            is_dead_letter_handler: false,
+            event: None,
+        }
+    }
+
+    fn member_no_role_cx(app_id: AppId) -> SdkCallCx {
+        SdkCallCx {
+            app_id,
+            script_id: ScriptId::new(),
+            principal: Some(Principal {
+                user_id: AdminUserId::new(),
+                instance_role: InstanceRole::Member,
+                scopes: None,
+                app_binding: None,
+            }),
+            execution_id: ExecutionId::new(),
+            request_id: RequestId::new(),
+            trigger_depth: 0,
+            root_execution_id: ExecutionId::new(),
+            is_dead_letter_handler: false,
+            event: None,
+        }
+    }
+
+    fn svc() -> DocsServiceImpl {
+        DocsServiceImpl::new(
+            Arc::new(InMemoryDocsRepo::default()),
+            Arc::new(DenyingAuthzRepo),
+            Arc::new(NoopEventEmitter),
+        )
+    }
+
+    fn svc_allowing() -> DocsServiceImpl {
+        DocsServiceImpl::new(
+            Arc::new(InMemoryDocsRepo::default()),
+            Arc::new(AllowingAuthzRepo),
+            Arc::new(NoopEventEmitter),
+        )
+    }
+
+    #[tokio::test]
+    async fn create_then_get_round_trips() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let id = s
+            .create(&cx, "users", json!({ "name": "Alice" }))
+            .await
+            .unwrap();
+        let row = s.get(&cx, "users", id).await.unwrap().unwrap();
+        assert_eq!(row.id, id);
+        assert_eq!(row.data, json!({ "name": "Alice" }));
+    }
+
+    #[tokio::test]
+    async fn get_missing_returns_none() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let v = s.get(&cx, "users", Uuid::new_v4()).await.unwrap();
+        assert!(v.is_none());
+    }
+
+    #[tokio::test]
+    async fn update_missing_returns_not_found() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let err = s
+            .update(&cx, "users", Uuid::new_v4(), json!({ "x": 1 }))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, DocsError::NotFound));
+    }
+
+    #[tokio::test]
+    async fn delete_missing_returns_false() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let was_present = s.delete(&cx, "users", Uuid::new_v4()).await.unwrap();
+        assert!(!was_present);
+    }
+
+    #[tokio::test]
+    async fn delete_present_returns_true() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let id = s.create(&cx, "users", json!({ "x": 1 })).await.unwrap();
+        let was_present = s.delete(&cx, "users", id).await.unwrap();
+        assert!(was_present);
+    }
+
+    #[tokio::test]
+    async fn update_present_succeeds() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let id = s.create(&cx, "users", json!({ "x": 1 })).await.unwrap();
+        s.update(&cx, "users", id, json!({ "x": 2 })).await.unwrap();
+        let row = s.get(&cx, "users", id).await.unwrap().unwrap();
+        assert_eq!(row.data, json!({ "x": 2 }));
+    }
+
+    #[tokio::test]
+    async fn empty_collection_rejected() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let err = s.create(&cx, "", json!({})).await.unwrap_err();
+        assert!(matches!(err, DocsError::InvalidCollection));
+    }
+
+    #[tokio::test]
+    async fn create_with_non_object_data_rejected() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let err = s.create(&cx, "users", json!(42)).await.unwrap_err();
+        assert!(matches!(err, DocsError::InvalidData));
+    }
+
+    #[tokio::test]
+    async fn update_with_non_object_data_rejected() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let id = s.create(&cx, "users", json!({ "x": 1 })).await.unwrap();
+        let err = s
+            .update(&cx, "users", id, json!("not an object"))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, DocsError::InvalidData));
+    }
+
+    /// Load-bearing: a script with `cx.app_id = A` must NOT see
+    /// documents created under `cx.app_id = B`. Cross-app isolation
+    /// boundary; tested through both `get` and `find` because each
+    /// path could conceivably leak independently.
+    #[tokio::test]
+    async fn cross_app_isolation_via_cx_app_id() {
+        let s = svc();
+        let app_a = AppId::new();
+        let app_b = AppId::new();
+        let cx_a = anon_cx(app_a);
+        let cx_b = anon_cx(app_b);
+
+        let id_a = s
+            .create(&cx_a, "shared", json!({ "from": "a" }))
+            .await
+            .unwrap();
+        let id_b = s
+            .create(&cx_b, "shared", json!({ "from": "b" }))
+            .await
+            .unwrap();
+        assert_ne!(id_a, id_b);
+
+        // Each app sees only its own doc via get.
+        assert!(s.get(&cx_a, "shared", id_b).await.unwrap().is_none());
+        assert!(s.get(&cx_b, "shared", id_a).await.unwrap().is_none());
+
+        // And via find.
+        let from_a = s.find(&cx_a, "shared", json!({})).await.unwrap();
+        assert_eq!(from_a.len(), 1);
+        assert_eq!(from_a[0].id, id_a);
+
+        let from_b = s.find(&cx_b, "shared", json!({})).await.unwrap();
+        assert_eq!(from_b.len(), 1);
+        assert_eq!(from_b[0].id, id_b);
+    }
+
+    #[tokio::test]
+    async fn anonymous_cx_skips_authz() {
+        // Denying authz repo + anon cx (no principal) ⇒ writes still
+        // succeed under script-as-gate.
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let id = s.create(&cx, "users", json!({ "x": 1 })).await.unwrap();
+        let _ = s.delete(&cx, "users", id).await.unwrap();
+    }
+
+    #[tokio::test]
+    async fn authed_cx_with_no_role_is_forbidden_on_write() {
+        let s = svc();
+        let cx = member_no_role_cx(AppId::new());
+        let err = s.create(&cx, "users", json!({ "x": 1 })).await.unwrap_err();
+        assert!(matches!(err, DocsError::Forbidden));
+    }
+
+    #[tokio::test]
+    async fn authed_cx_with_no_role_is_forbidden_on_read() {
+        let s = svc();
+        let cx = member_no_role_cx(AppId::new());
+        let err = s.get(&cx, "users", Uuid::new_v4()).await.unwrap_err();
+        assert!(matches!(err, DocsError::Forbidden));
+    }
+
+    #[tokio::test]
+    async fn owner_principal_can_write() {
+        let s = svc();
+        let cx = owner_cx(AppId::new());
+        let _ = s.create(&cx, "users", json!({ "x": 1 })).await.unwrap();
+    }
+
+    #[tokio::test]
+    async fn editor_member_can_write_via_role() {
+        // AllowingAuthzRepo grants Editor — should be able to write
+        // (AppDocsWrite is in_editor in role_satisfies).
+        let s = svc_allowing();
+        let cx = member_no_role_cx(AppId::new());
+        let _ = s.create(&cx, "users", json!({ "x": 1 })).await.unwrap();
+    }
+
+    #[tokio::test]
+    async fn find_with_equality_returns_matches() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        s.create(&cx, "users", json!({ "tier": "gold" }))
+            .await
+            .unwrap();
+        s.create(&cx, "users", json!({ "tier": "silver" }))
+            .await
+            .unwrap();
+        s.create(&cx, "users", json!({ "tier": "gold" }))
+            .await
+            .unwrap();
+
+        let golds = s
+            .find(&cx, "users", json!({ "tier": "gold" }))
+            .await
+            .unwrap();
+        assert_eq!(golds.len(), 2);
+    }
+
+    #[tokio::test]
+    async fn find_one_returns_first_or_none() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        s.create(&cx, "users", json!({ "tier": "gold" }))
+            .await
+            .unwrap();
+
+        let hit = s
+            .find_one(&cx, "users", json!({ "tier": "gold" }))
+            .await
+            .unwrap();
+        assert!(hit.is_some());
+
+        let miss = s
+            .find_one(&cx, "users", json!({ "tier": "platinum" }))
+            .await
+            .unwrap();
+        assert!(miss.is_none());
+    }
+
+    #[tokio::test]
+    async fn find_with_unsupported_operator_throws() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let err = s
+            .find(&cx, "users", json!({ "name": { "$regex": "^A" } }))
+            .await
+            .unwrap_err();
+        match err {
+            DocsError::UnsupportedOperator(m) => {
+                assert!(m.contains("$regex"));
+                assert!(m.contains("v1.2"));
+            }
+            other => panic!("expected UnsupportedOperator, got {other:?}"),
+        }
+    }
+
+    #[tokio::test]
+    async fn find_with_invalid_filter_throws() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let err = s
+            .find(&cx, "users", json!({ "a.b.c.d.e.f": "x" }))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, DocsError::InvalidFilter(_)));
+    }
+
+    #[tokio::test]
+    async fn find_with_dollar_in_returns_subset() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        s.create(&cx, "users", json!({ "tier": "gold" }))
+            .await
+            .unwrap();
+        s.create(&cx, "users", json!({ "tier": "silver" }))
+            .await
+            .unwrap();
+        s.create(&cx, "users", json!({ "tier": "platinum" }))
+            .await
+            .unwrap();
+
+        let hits = s
+            .find(
+                &cx,
+                "users",
+                json!({ "tier": { "$in": ["gold", "platinum"] } }),
+            )
+            .await
+            .unwrap();
+        assert_eq!(hits.len(), 2);
+    }
+
+    #[tokio::test]
+    async fn find_one_explicit_limit_is_honoured() {
+        // The service injects limit=1 ONLY when caller didn't set
+        // $limit. An explicit `$limit: 5` survives — and find_one
+        // still returns the first.
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        for _ in 0..3 {
+            s.create(&cx, "users", json!({ "tier": "gold" }))
+                .await
+                .unwrap();
+        }
+        let hit = s
+            .find_one(&cx, "users", json!({ "tier": "gold", "$limit": 5 }))
+            .await
+            .unwrap();
+        assert!(hit.is_some());
+    }
+
+    #[tokio::test]
+    async fn list_cursor_pagination() {
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let mut ids = Vec::new();
+        for _ in 0..5 {
+            ids.push(s.create(&cx, "users", json!({})).await.unwrap());
+        }
+        ids.sort();
+
+        let p1 = s.list(&cx, "users", None, 2).await.unwrap();
+        assert_eq!(p1.docs.len(), 2);
+        assert!(p1.next_cursor.is_some());
+
+        let p2 = s
+            .list(&cx, "users", p1.next_cursor.as_deref(), 2)
+            .await
+            .unwrap();
+        assert_eq!(p2.docs.len(), 2);
+
+        let p3 = s
+            .list(&cx, "users", p2.next_cursor.as_deref(), 2)
+            .await
+            .unwrap();
+        assert_eq!(p3.docs.len(), 1);
+        assert!(p3.next_cursor.is_none());
+    }
+
+    #[tokio::test]
+    async fn noop_emitter_does_not_block_mutations() {
+        // Pins v1.1.0 contract: services hold an Arc<dyn ServiceEventEmitter>
+        // and call emit().await unconditionally. The noop drops it.
+        let s = svc();
+        let cx = anon_cx(AppId::new());
+        let id = s.create(&cx, "users", json!({ "x": 1 })).await.unwrap();
+        s.update(&cx, "users", id, json!({ "x": 2 })).await.unwrap();
+        let _ = s.delete(&cx, "users", id).await.unwrap();
+    }
+}

crates/manager-core/src/files_api.rs

@@ -0,0 +1,215 @@
+//! `/api/v1/admin/apps/{id}/files*` — minimal files admin endpoints
+//! backing the dashboard's files view (v1.1.5).
+//!
+//! Two operations only, both operator-facing:
+//!   * `GET  /apps/{id}/files?collection=<c>&cursor=&limit=` — list file
+//!     metadata for a collection (cursor-paginated).
+//!   * `DELETE /apps/{id}/files/{collection}/{file_id}` — remove a file.
+//!
+//! These talk to the `FilesRepo` directly (like `triggers_api` talks to
+//! `TriggerRepo`), guarded by the same capability model as the SDK
+//! (`AppFilesRead` / `AppFilesWrite`). **Admin deletes do NOT emit a
+//! `files:delete` trigger event** — they're operator cleanup actions,
+//! not script mutations (see HANDBACK §7). The capability binds to the
+//! resource's `app_id` after the app is loaded.
+
+use std::sync::Arc;
+
+use axum::extract::{Path, Query, State};
+use axum::http::StatusCode;
+use axum::response::{IntoResponse, Json, Response};
+use axum::routing::{delete, get};
+use axum::{Extension, Router};
+use picloud_shared::{AppId, Principal};
+use serde::{Deserialize, Serialize};
+use serde_json::json;
+use uuid::Uuid;
+
+use crate::app_repo::AppRepository;
+use crate::authz::{require, AuthzDenied, AuthzError, AuthzRepo, Capability};
+use crate::files_repo::{FilesRepo, FilesRepoError};
+
+#[derive(Clone)]
+pub struct FilesAdminState {
+    pub files: Arc<dyn FilesRepo>,
+    pub apps: Arc<dyn AppRepository>,
+    pub authz: Arc<dyn AuthzRepo>,
+}
+
+pub fn files_admin_router(state: FilesAdminState) -> Router {
+    Router::new()
+        .route("/apps/{app_id}/files", get(list_files))
+        .route(
+            "/apps/{app_id}/files/{collection}/{file_id}",
+            delete(delete_file),
+        )
+        .with_state(state)
+}
+
+#[derive(Debug, Deserialize)]
+pub struct ListFilesQuery {
+    pub collection: String,
+    #[serde(default)]
+    pub cursor: Option<String>,
+    #[serde(default)]
+    pub limit: Option<u32>,
+}
+
+#[derive(Debug, Serialize)]
+struct FileMetaDto {
+    id: String,
+    collection: String,
+    name: String,
+    content_type: String,
+    size: u64,
+    checksum: String,
+    created_at: String,
+    updated_at: String,
+}
+
+#[derive(Debug, Serialize)]
+struct ListFilesResponse {
+    files: Vec<FileMetaDto>,
+    next_cursor: Option<String>,
+}
+
+async fn list_files(
+    State(s): State<FilesAdminState>,
+    Extension(principal): Extension<Principal>,
+    Path(app_id): Path<AppId>,
+    Query(q): Query<ListFilesQuery>,
+) -> Result<Json<ListFilesResponse>, FilesApiError> {
+    ensure_app_exists(&*s.apps, app_id).await?;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppFilesRead(app_id),
+    )
+    .await?;
+    if q.collection.trim().is_empty() {
+        return Err(FilesApiError::Invalid(
+            "collection must not be empty".into(),
+        ));
+    }
+    let page = s
+        .files
+        .list(
+            app_id,
+            &q.collection,
+            q.cursor.as_deref(),
+            q.limit.unwrap_or(0),
+        )
+        .await?;
+    let files = page
+        .files
+        .into_iter()
+        .map(|m| FileMetaDto {
+            id: m.id.to_string(),
+            collection: m.collection,
+            name: m.name,
+            content_type: m.content_type,
+            size: m.size,
+            checksum: m.checksum,
+            created_at: m.created_at.to_rfc3339(),
+            updated_at: m.updated_at.to_rfc3339(),
+        })
+        .collect();
+    Ok(Json(ListFilesResponse {
+        files,
+        next_cursor: page.next_cursor,
+    }))
+}
+
+async fn delete_file(
+    State(s): State<FilesAdminState>,
+    Extension(principal): Extension<Principal>,
+    Path((app_id, collection, file_id)): Path<(AppId, String, String)>,
+) -> Result<StatusCode, FilesApiError> {
+    ensure_app_exists(&*s.apps, app_id).await?;
+    require(
+        s.authz.as_ref(),
+        &principal,
+        Capability::AppFilesWrite(app_id),
+    )
+    .await?;
+    let id = Uuid::parse_str(&file_id).map_err(|_| FilesApiError::NotFound)?;
+    if s.files.delete(app_id, &collection, id).await?.is_none() {
+        return Err(FilesApiError::NotFound);
+    }
+    Ok(StatusCode::NO_CONTENT)
+}
+
+async fn ensure_app_exists(apps: &dyn AppRepository, app_id: AppId) -> Result<(), FilesApiError> {
+    apps.get_by_id(app_id)
+        .await
+        .map_err(|e| FilesApiError::Backend(e.to_string()))?
+        .ok_or(FilesApiError::AppNotFound)?;
+    Ok(())
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum FilesApiError {
+    #[error("app not found")]
+    AppNotFound,
+    #[error("file not found")]
+    NotFound,
+    #[error("invalid request: {0}")]
+    Invalid(String),
+    #[error("forbidden")]
+    Forbidden,
+    #[error("authorization repo error: {0}")]
+    AuthzRepo(String),
+    #[error("files backend: {0}")]
+    Backend(String),
+}
+
+impl From<AuthzDenied> for FilesApiError {
+    fn from(d: AuthzDenied) -> Self {
+        match d {
+            AuthzDenied::Denied => Self::Forbidden,
+            AuthzDenied::Repo(e) => Self::AuthzRepo(e.to_string()),
+        }
+    }
+}
+
+impl From<AuthzError> for FilesApiError {
+    fn from(e: AuthzError) -> Self {
+        Self::AuthzRepo(e.to_string())
+    }
+}
+
+impl From<FilesRepoError> for FilesApiError {
+    fn from(e: FilesRepoError) -> Self {
+        Self::Backend(e.to_string())
+    }
+}
+
+impl IntoResponse for FilesApiError {
+    fn into_response(self) -> Response {
+        let (status, body) = match &self {
+            Self::AppNotFound | Self::NotFound => {
+                (StatusCode::NOT_FOUND, json!({ "error": self.to_string() }))
+            }
+            Self::Invalid(_) => (
+                StatusCode::UNPROCESSABLE_ENTITY,
+                json!({ "error": self.to_string() }),
+            ),
+            Self::Forbidden => (StatusCode::FORBIDDEN, json!({ "error": self.to_string() })),
+            Self::AuthzRepo(e) => {
+                tracing::error!(error = %e, "files admin authz repo error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    json!({ "error": "internal error" }),
+                )
+            }
+            Self::Backend(e) => {
+                tracing::error!(error = %e, "files admin backend error");
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    json!({ "error": "internal error" }),
+                )
+            }
+        };
+        (status, Json(body)).into_response()
+    }
+}

crates/manager-core/src/files_repo.rs

@@ -0,0 +1,759 @@
+//! `FilesRepo` — the metadata row (Postgres) + blob bytes (filesystem)
+//! storage layer for the v1.1.5 `files::*` SDK.
+//!
+//! Unlike KV/docs, this repo owns BOTH halves of a file: the `files`
+//! row (metadata + SHA-256 checksum) and the bytes on disk at
+//!   `<root>/files/<app_id>/<collection>/<id[0:2]>/<id>`.
+//! It owns both because the write must be atomic across them — a crash
+//! mid-write must never leave a readable half-written file.
+//!
+//! ## Atomic write protocol (`create` / `update`)
+//!   1. Validate (collection path-safety; caps live one layer up).
+//!   2. `create_dir_all` the shard dir with `0o700`.
+//!   3. SHA-256 the in-memory bytes (single pass) while writing to
+//!      `<final>.tmp.<unique>`.
+//!   4. `fsync` the temp file.
+//!   5. `rename` temp → final (atomic on POSIX).
+//!   6. `fsync` the parent dir (so the rename is durable).
+//!   7. INSERT / UPDATE the DB row.
+//!
+//! A crash between 1–5 leaves an orphan `*.tmp.*` (never read). A crash
+//! between 5–7 leaves a file with no row — never reachable via the SDK
+//! (reads start from the row). Both are reclaimed by a future orphan
+//! sweep (deferred to v1.1.6+; see HANDBACK §7).
+//!
+//! ## Atomic delete protocol
+//!   1. SELECT + DELETE the row inside one transaction; commit.
+//!   2. `unlink` the file (outside the tx). A failure here leaves an
+//!      orphan; a failure before the commit changes nothing.
+//!
+//! ## Checksum-on-read
+//! `get` reads the file, hashes it, and compares against the stored
+//! checksum — returning `FilesError::Corrupted` (and logging the path
+//! at error level) on a mismatch. It never auto-deletes; the operator
+//! decides what to do with a metadata-vs-bytes divergence.
+
+use std::env;
+use std::path::{Path, PathBuf};
+use std::sync::atomic::{AtomicU64, Ordering};
+
+use async_trait::async_trait;
+use base64::engine::general_purpose::URL_SAFE_NO_PAD;
+use base64::Engine as _;
+use chrono::{DateTime, Utc};
+use picloud_shared::{AppId, FileMeta, FileUpdate, FilesListPage, NewFile};
+use sha2::{Digest, Sha256};
+use sqlx::PgPool;
+use uuid::Uuid;
+
+/// 100 MB default per-file cap.
+pub const DEFAULT_MAX_FILE_SIZE_BYTES: usize = 100 * 1024 * 1024;
+/// Default filesystem root (relative to the process CWD).
+pub const DEFAULT_FILES_ROOT: &str = "./data";
+
+const FILES_LIST_MAX_LIMIT: u32 = 1_000;
+const FILES_LIST_DEFAULT_LIMIT: u32 = 100;
+
+/// Monotonic counter feeding unique temp-file suffixes (combined with
+/// the pid). Avoids `rand` in the storage layer per the brief.
+static TMP_COUNTER: AtomicU64 = AtomicU64::new(0);
+
+#[derive(Debug, thiserror::Error)]
+pub enum FilesRepoError {
+    #[error("database error: {0}")]
+    Db(#[from] sqlx::Error),
+
+    #[error("filesystem error: {0}")]
+    Io(String),
+
+    #[error("invalid collection name: {0}")]
+    InvalidCollection(String),
+
+    /// The bytes on disk no longer match the stored checksum (or are
+    /// missing entirely while the row persists).
+    #[error("file content corrupted (checksum mismatch)")]
+    Corrupted,
+
+    #[error("invalid pagination cursor")]
+    InvalidCursor,
+}
+
+/// Outbound-files tunables. Env-overridable following the same pattern
+/// as `HttpConfig::from_env`.
+#[derive(Debug, Clone)]
+pub struct FilesConfig {
+    pub root: PathBuf,
+    pub max_file_size_bytes: usize,
+}
+
+impl FilesConfig {
+    #[must_use]
+    pub fn conservative() -> Self {
+        Self {
+            root: PathBuf::from(DEFAULT_FILES_ROOT),
+            max_file_size_bytes: DEFAULT_MAX_FILE_SIZE_BYTES,
+        }
+    }
+
+    #[must_use]
+    pub fn from_env() -> Self {
+        let mut c = Self::conservative();
+        if let Ok(v) = env::var("PICLOUD_FILES_ROOT") {
+            if !v.trim().is_empty() {
+                c.root = PathBuf::from(v);
+            }
+        }
+        if let Ok(v) = env::var("PICLOUD_FILES_MAX_FILE_SIZE_BYTES") {
+            match v.parse::<usize>() {
+                Ok(n) => c.max_file_size_bytes = n,
+                Err(e) => {
+                    tracing::warn!(error = %e, "ignoring invalid PICLOUD_FILES_MAX_FILE_SIZE_BYTES");
+                }
+            }
+        }
+        c
+    }
+}
+
+impl Default for FilesConfig {
+    fn default() -> Self {
+        Self::conservative()
+    }
+}
+
+/// The new+prior metadata returned from a successful `update`, so the
+/// service can emit a `ServiceEvent` with the change-data-capture
+/// surface (`old_payload`).
+#[derive(Debug, Clone)]
+pub struct FileUpdated {
+    pub new: FileMeta,
+    pub prev: FileMeta,
+}
+
+#[async_trait]
+pub trait FilesRepo: Send + Sync {
+    async fn create(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        new: NewFile,
+    ) -> Result<FileMeta, FilesRepoError>;
+
+    async fn head(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: Uuid,
+    ) -> Result<Option<FileMeta>, FilesRepoError>;
+
+    /// Reads + checksum-verifies the bytes. `Ok(None)` when no row
+    /// exists; `Err(Corrupted)` when the row exists but the bytes are
+    /// missing or mismatched.
+    async fn get(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: Uuid,
+    ) -> Result<Option<Vec<u8>>, FilesRepoError>;
+
+    /// `Ok(None)` when no row exists (the SDK turns this into
+    /// `FilesError::NotFound`).
+    async fn update(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: Uuid,
+        upd: FileUpdate,
+    ) -> Result<Option<FileUpdated>, FilesRepoError>;
+
+    /// Returns the deleted row's metadata if present, `None` otherwise.
+    async fn delete(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: Uuid,
+    ) -> Result<Option<FileMeta>, FilesRepoError>;
+
+    async fn list(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        cursor: Option<&str>,
+        limit: u32,
+    ) -> Result<FilesListPage, FilesRepoError>;
+}
+
+/// Filesystem-bytes + Postgres-metadata repo.
+pub struct FsFilesRepo {
+    pool: PgPool,
+    config: FilesConfig,
+}
+
+impl FsFilesRepo {
+    #[must_use]
+    pub fn new(pool: PgPool, config: FilesConfig) -> Self {
+        Self { pool, config }
+    }
+
+    /// Defensive path-component guard. The service already validates the
+    /// collection at the SDK boundary; this is belt-and-suspenders so a
+    /// future caller can't smuggle a traversal sequence onto disk.
+    fn guard_collection(collection: &str) -> Result<(), FilesRepoError> {
+        if collection.is_empty()
+            || collection.contains('/')
+            || collection.contains('\\')
+            || collection.contains("..")
+            || collection.contains('\0')
+        {
+            return Err(FilesRepoError::InvalidCollection(collection.to_string()));
+        }
+        Ok(())
+    }
+
+    fn final_path(&self, app_id: AppId, collection: &str, id: Uuid) -> PathBuf {
+        final_path_at(&self.config.root, app_id, collection, id)
+    }
+
+    fn write_atomic(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: Uuid,
+        bytes: &[u8],
+    ) -> Result<String, FilesRepoError> {
+        write_atomic_at(&self.config.root, app_id, collection, id, bytes)
+    }
+}
+
+fn shard_dir_at(root: &Path, app_id: AppId, collection: &str, id_str: &str) -> PathBuf {
+    root.join("files")
+        .join(app_id.into_inner().to_string())
+        .join(collection)
+        .join(&id_str[..2])
+}
+
+fn final_path_at(root: &Path, app_id: AppId, collection: &str, id: Uuid) -> PathBuf {
+    let id_str = id.to_string();
+    shard_dir_at(root, app_id, collection, &id_str).join(&id_str)
+}
+
+/// Steps 2–6 of the atomic-write protocol. Returns the lowercase hex
+/// SHA-256 of the bytes (computed in a single pass over the in-memory
+/// buffer — the file is never re-read). Free function so the fs
+/// mechanics are unit-testable without a Postgres pool.
+fn write_atomic_at(
+    root: &Path,
+    app_id: AppId,
+    collection: &str,
+    id: Uuid,
+    bytes: &[u8],
+) -> Result<String, FilesRepoError> {
+    use std::io::Write as _;
+
+    let id_str = id.to_string();
+    let dir = shard_dir_at(root, app_id, collection, &id_str);
+    create_dir_all_secure(&dir)?;
+
+    // Single-pass checksum over the in-memory buffer.
+    let mut hasher = Sha256::new();
+    hasher.update(bytes);
+    let checksum = hex_lower(&hasher.finalize());
+
+    let seq = TMP_COUNTER.fetch_add(1, Ordering::Relaxed);
+    let tmp = dir.join(format!("{id_str}.tmp.{}-{seq}", std::process::id()));
+    let final_path = dir.join(&id_str);
+
+    {
+        let mut f = std::fs::File::create(&tmp).map_err(io_err)?;
+        f.write_all(bytes).map_err(io_err)?;
+        f.sync_all().map_err(io_err)?; // fsync temp
+    }
+    std::fs::rename(&tmp, &final_path).map_err(io_err)?; // atomic
+                                                         // fsync the parent dir so the rename is durable.
+    if let Ok(dirf) = std::fs::File::open(&dir) {
+        let _ = dirf.sync_all();
+    }
+    Ok(checksum)
+}
+
+/// Read + checksum-verify the bytes at the given path-set. Free
+/// function mirror of the `get` read path. Returns `Corrupted` when the
+/// bytes are missing or don't match `expected_checksum`.
+fn read_verify_at(
+    root: &Path,
+    app_id: AppId,
+    collection: &str,
+    id: Uuid,
+    expected_checksum: &str,
+) -> Result<Vec<u8>, FilesRepoError> {
+    let path = final_path_at(root, app_id, collection, id);
+    let bytes = match std::fs::read(&path) {
+        Ok(b) => b,
+        Err(e) => {
+            tracing::error!(
+                path = %path.display(), error = %e,
+                "files: row exists but bytes are unreadable — treating as corrupted"
+            );
+            return Err(FilesRepoError::Corrupted);
+        }
+    };
+    let mut hasher = Sha256::new();
+    hasher.update(&bytes);
+    let actual = hex_lower(&hasher.finalize());
+    if actual != expected_checksum {
+        tracing::error!(
+            path = %path.display(), expected = %expected_checksum, actual = %actual,
+            "files: checksum mismatch on read — content corrupted"
+        );
+        return Err(FilesRepoError::Corrupted);
+    }
+    Ok(bytes)
+}
+
+#[async_trait]
+impl FilesRepo for FsFilesRepo {
+    async fn create(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        new: NewFile,
+    ) -> Result<FileMeta, FilesRepoError> {
+        Self::guard_collection(collection)?;
+        let id = Uuid::new_v4();
+        let size = i64::try_from(new.data.len()).unwrap_or(i64::MAX);
+
+        let checksum = self.write_atomic(app_id, collection, id, &new.data)?;
+
+        let row: FileRow = sqlx::query_as(
+            "INSERT INTO files \
+                (app_id, collection, id, name, content_type, size_bytes, checksum_sha256) \
+             VALUES ($1, $2, $3, $4, $5, $6, $7) \
+             RETURNING id, collection, name, content_type, size_bytes, \
+                       checksum_sha256, created_at, updated_at",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(id)
+        .bind(&new.name)
+        .bind(&new.content_type)
+        .bind(size)
+        .bind(&checksum)
+        .fetch_one(&self.pool)
+        .await?;
+
+        Ok(row.into_meta())
+    }
+
+    async fn head(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: Uuid,
+    ) -> Result<Option<FileMeta>, FilesRepoError> {
+        let row: Option<FileRow> = sqlx::query_as(
+            "SELECT id, collection, name, content_type, size_bytes, \
+                    checksum_sha256, created_at, updated_at \
+             FROM files WHERE app_id = $1 AND collection = $2 AND id = $3",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(id)
+        .fetch_optional(&self.pool)
+        .await?;
+        Ok(row.map(FileRow::into_meta))
+    }
+
+    async fn get(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: Uuid,
+    ) -> Result<Option<Vec<u8>>, FilesRepoError> {
+        let row: Option<(String,)> = sqlx::query_as(
+            "SELECT checksum_sha256 FROM files \
+             WHERE app_id = $1 AND collection = $2 AND id = $3",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(id)
+        .fetch_optional(&self.pool)
+        .await?;
+        let Some((stored_checksum,)) = row else {
+            return Ok(None);
+        };
+        let bytes = read_verify_at(&self.config.root, app_id, collection, id, &stored_checksum)?;
+        Ok(Some(bytes))
+    }
+
+    async fn update(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: Uuid,
+        upd: FileUpdate,
+    ) -> Result<Option<FileUpdated>, FilesRepoError> {
+        Self::guard_collection(collection)?;
+        // Read the prior row first (existence check + CDC surface).
+        let Some(prev) = self.head(app_id, collection, id).await? else {
+            return Ok(None);
+        };
+
+        let size = i64::try_from(upd.data.len()).unwrap_or(i64::MAX);
+        let checksum = self.write_atomic(app_id, collection, id, &upd.data)?;
+
+        let row: FileRow = sqlx::query_as(
+            "UPDATE files SET \
+                name = COALESCE($4, name), \
+                content_type = COALESCE($5, content_type), \
+                size_bytes = $6, \
+                checksum_sha256 = $7, \
+                updated_at = NOW() \
+             WHERE app_id = $1 AND collection = $2 AND id = $3 \
+             RETURNING id, collection, name, content_type, size_bytes, \
+                       checksum_sha256, created_at, updated_at",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(id)
+        .bind(upd.name.as_deref())
+        .bind(upd.content_type.as_deref())
+        .bind(size)
+        .bind(&checksum)
+        .fetch_one(&self.pool)
+        .await?;
+
+        Ok(Some(FileUpdated {
+            new: row.into_meta(),
+            prev,
+        }))
+    }
+
+    async fn delete(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        id: Uuid,
+    ) -> Result<Option<FileMeta>, FilesRepoError> {
+        // SELECT + DELETE in one tx; unlink afterwards (outside the tx).
+        let mut tx = self.pool.begin().await?;
+        let row: Option<FileRow> = sqlx::query_as(
+            "SELECT id, collection, name, content_type, size_bytes, \
+                    checksum_sha256, created_at, updated_at \
+             FROM files WHERE app_id = $1 AND collection = $2 AND id = $3 \
+             FOR UPDATE",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(id)
+        .fetch_optional(&mut *tx)
+        .await?;
+
+        let Some(row) = row else {
+            tx.rollback().await?;
+            return Ok(None);
+        };
+
+        sqlx::query("DELETE FROM files WHERE app_id = $1 AND collection = $2 AND id = $3")
+            .bind(app_id.into_inner())
+            .bind(collection)
+            .bind(id)
+            .execute(&mut *tx)
+            .await?;
+        tx.commit().await?;
+
+        // Row is gone; unlink the bytes. A failure here leaves an orphan
+        // file (reclaimed by a future sweep) — not fatal.
+        let path = self.final_path(app_id, collection, id);
+        if let Err(e) = std::fs::remove_file(&path) {
+            if e.kind() != std::io::ErrorKind::NotFound {
+                tracing::warn!(path = %path.display(), error = %e, "files: unlink after delete failed (orphan)");
+            }
+        }
+        Ok(Some(row.into_meta()))
+    }
+
+    async fn list(
+        &self,
+        app_id: AppId,
+        collection: &str,
+        cursor: Option<&str>,
+        limit: u32,
+    ) -> Result<FilesListPage, FilesRepoError> {
+        let limit = if limit == 0 {
+            FILES_LIST_DEFAULT_LIMIT
+        } else {
+            limit.min(FILES_LIST_MAX_LIMIT)
+        };
+        let last_id = match cursor {
+            Some(c) => Some(decode_cursor(c)?),
+            None => None,
+        };
+        let take = i64::from(limit) + 1;
+        let rows: Vec<FileRow> = sqlx::query_as(
+            "SELECT id, collection, name, content_type, size_bytes, \
+                    checksum_sha256, created_at, updated_at \
+             FROM files \
+             WHERE app_id = $1 AND collection = $2 \
+               AND ($3::uuid IS NULL OR id > $3) \
+             ORDER BY id ASC \
+             LIMIT $4",
+        )
+        .bind(app_id.into_inner())
+        .bind(collection)
+        .bind(last_id)
+        .bind(take)
+        .fetch_all(&self.pool)
+        .await?;
+
+        let mut files: Vec<FileMeta> = rows.into_iter().map(FileRow::into_meta).collect();
+        let next_cursor = if files.len() > limit as usize {
+            files.truncate(limit as usize);
+            files.last().map(|m| encode_cursor(m.id))
+        } else {
+            None
+        };
+        Ok(FilesListPage { files, next_cursor })
+    }
+}
+
+// ----------------------------------------------------------------------------
+// Helpers
+// ----------------------------------------------------------------------------
+
+fn io_err(e: std::io::Error) -> FilesRepoError {
+    FilesRepoError::Io(e.to_string())
+}
+
+/// `create_dir_all` with `0o700` on the created tree (Unix). On other
+/// platforms it falls back to the default permissions.
+fn create_dir_all_secure(dir: &Path) -> Result<(), FilesRepoError> {
+    #[cfg(unix)]
+    {
+        use std::os::unix::fs::DirBuilderExt as _;
+        std::fs::DirBuilder::new()
+            .recursive(true)
+            .mode(0o700)
+            .create(dir)
+            .map_err(io_err)
+    }
+    #[cfg(not(unix))]
+    {
+        std::fs::create_dir_all(dir).map_err(io_err)
+    }
+}
+
+fn hex_lower(bytes: &[u8]) -> String {
+    let mut s = String::with_capacity(bytes.len() * 2);
+    for b in bytes {
+        use std::fmt::Write as _;
+        let _ = write!(s, "{b:02x}");
+    }
+    s
+}
+
+fn encode_cursor(last_id: Uuid) -> String {
+    URL_SAFE_NO_PAD.encode(last_id.to_string().as_bytes())
+}
+
+fn decode_cursor(cursor: &str) -> Result<Uuid, FilesRepoError> {
+    let bytes = URL_SAFE_NO_PAD
+        .decode(cursor)
+        .map_err(|_| FilesRepoError::InvalidCursor)?;
+    let s = String::from_utf8(bytes).map_err(|_| FilesRepoError::InvalidCursor)?;
+    Uuid::parse_str(&s).map_err(|_| FilesRepoError::InvalidCursor)
+}
+
+#[derive(sqlx::FromRow)]
+struct FileRow {
+    id: Uuid,
+    collection: String,
+    name: String,
+    content_type: String,
+    size_bytes: i64,
+    checksum_sha256: String,
+    created_at: DateTime<Utc>,
+    updated_at: DateTime<Utc>,
+}
+
+impl FileRow {
+    fn into_meta(self) -> FileMeta {
+        FileMeta {
+            id: self.id,
+            collection: self.collection,
+            name: self.name,
+            content_type: self.content_type,
+            size: u64::try_from(self.size_bytes).unwrap_or(0),
+            checksum: self.checksum_sha256,
+            created_at: self.created_at,
+            updated_at: self.updated_at,
+        }
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn hex_lower_matches_known_sha256_vector() {
+        // SHA-256("abc") — NIST known-answer vector.
+        let mut h = Sha256::new();
+        h.update(b"abc");
+        assert_eq!(
+            hex_lower(&h.finalize()),
+            "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
+        );
+    }
+
+    #[test]
+    fn hex_lower_of_empty_is_known_vector() {
+        let mut h = Sha256::new();
+        h.update(b"");
+        assert_eq!(
+            hex_lower(&h.finalize()),
+            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+        );
+    }
+
+    #[test]
+    fn cursor_round_trips() {
+        let id = Uuid::new_v4();
+        let enc = encode_cursor(id);
+        assert_eq!(decode_cursor(&enc).unwrap(), id);
+        assert!(matches!(
+            decode_cursor("!!not-base64!!"),
+            Err(FilesRepoError::InvalidCursor)
+        ));
+    }
+
+    #[test]
+    fn guard_collection_rejects_traversal() {
+        assert!(FsFilesRepo::guard_collection("avatars").is_ok());
+        assert!(FsFilesRepo::guard_collection("a/b").is_err());
+        assert!(FsFilesRepo::guard_collection("..").is_err());
+        assert!(FsFilesRepo::guard_collection("a..b").is_err());
+        assert!(FsFilesRepo::guard_collection("").is_err());
+        assert!(FsFilesRepo::guard_collection("a\0b").is_err());
+    }
+
+    #[test]
+    fn config_from_env_defaults_are_conservative() {
+        let c = FilesConfig::conservative();
+        assert_eq!(c.max_file_size_bytes, DEFAULT_MAX_FILE_SIZE_BYTES);
+        assert_eq!(c.root, PathBuf::from(DEFAULT_FILES_ROOT));
+    }
+
+    // ------------------------------------------------------------------
+    // Tempdir-backed filesystem mechanics — exercise the atomic write,
+    // single-pass checksum, and checksum-on-read tamper detection
+    // without needing a Postgres pool.
+    // ------------------------------------------------------------------
+
+    use picloud_shared::AppId;
+
+    /// Process-unique scratch dir under the system temp dir. Cleaned up
+    /// by each test via `remove_dir_all`.
+    fn unique_tmp_root() -> PathBuf {
+        let seq = TMP_COUNTER.fetch_add(1, Ordering::Relaxed);
+        let dir =
+            std::env::temp_dir().join(format!("picloud-files-test-{}-{seq}", std::process::id()));
+        std::fs::create_dir_all(&dir).unwrap();
+        dir
+    }
+
+    #[test]
+    fn write_atomic_then_read_verify_round_trips() {
+        let root = unique_tmp_root();
+        let app = AppId::new();
+        let id = Uuid::new_v4();
+        let bytes = b"hello picloud files".to_vec();
+
+        let checksum = write_atomic_at(&root, app, "avatars", id, &bytes).unwrap();
+        // Single-pass checksum matches an independent hash of the bytes.
+        let mut h = Sha256::new();
+        h.update(&bytes);
+        assert_eq!(checksum, hex_lower(&h.finalize()));
+
+        let read = read_verify_at(&root, app, "avatars", id, &checksum).unwrap();
+        assert_eq!(read, bytes);
+
+        std::fs::remove_dir_all(&root).ok();
+    }
+
+    #[test]
+    fn read_verify_detects_tampering_as_corrupted() {
+        let root = unique_tmp_root();
+        let app = AppId::new();
+        let id = Uuid::new_v4();
+        let checksum = write_atomic_at(&root, app, "c", id, b"original").unwrap();
+
+        // Mutate the bytes behind the repo's back.
+        let path = final_path_at(&root, app, "c", id);
+        std::fs::write(&path, b"tampered").unwrap();
+
+        let err = read_verify_at(&root, app, "c", id, &checksum).unwrap_err();
+        assert!(matches!(err, FilesRepoError::Corrupted));
+
+        std::fs::remove_dir_all(&root).ok();
+    }
+
+    #[test]
+    fn read_verify_missing_bytes_is_corrupted() {
+        let root = unique_tmp_root();
+        let app = AppId::new();
+        let id = Uuid::new_v4();
+        // No write — the file never existed.
+        let err = read_verify_at(&root, app, "c", id, "deadbeef").unwrap_err();
+        assert!(matches!(err, FilesRepoError::Corrupted));
+        std::fs::remove_dir_all(&root).ok();
+    }
+
+    #[test]
+    fn atomic_write_leaves_no_tmp_file_after_success() {
+        let root = unique_tmp_root();
+        let app = AppId::new();
+        let id = Uuid::new_v4();
+        write_atomic_at(&root, app, "c", id, b"data").unwrap();
+
+        let id_str = id.to_string();
+        let dir = shard_dir_at(&root, app, "c", &id_str);
+        let entries: Vec<_> = std::fs::read_dir(&dir)
+            .unwrap()
+            .filter_map(Result::ok)
+            .map(|e| e.file_name().to_string_lossy().into_owned())
+            .collect();
+        // Exactly the final file is visible — no `*.tmp.*` orphan.
+        assert_eq!(entries, vec![id_str]);
+        assert!(!entries.iter().any(|n| n.contains(".tmp.")));
+
+        std::fs::remove_dir_all(&root).ok();
+    }
+
+    #[test]
+    fn id_shard_uses_first_two_chars() {
+        let root = PathBuf::from("/tmp/x");
+        let app = AppId::new();
+        let id = Uuid::new_v4();
+        let id_str = id.to_string();
+        let path = final_path_at(&root, app, "col", id);
+        let shard = &id_str[..2];
+        assert!(path
+            .to_string_lossy()
+            .contains(&format!("/col/{shard}/{id_str}")));
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn shard_tree_created_with_0700() {
+        use std::os::unix::fs::PermissionsExt as _;
+        let root = unique_tmp_root();
+        let app = AppId::new();
+        let id = Uuid::new_v4();
+        write_atomic_at(&root, app, "c", id, b"data").unwrap();
+        let id_str = id.to_string();
+        let dir = shard_dir_at(&root, app, "c", &id_str);
+        let mode = std::fs::metadata(&dir).unwrap().permissions().mode();
+        assert_eq!(mode & 0o777, 0o700, "shard dir should be 0o700");
+        std::fs::remove_dir_all(&root).ok();
+    }
+}

crates/manager-core/src/files_service.rs

@@ -0,0 +1,833 @@
+//! `FilesServiceImpl` — wires the `FilesRepo` underneath the
+//! `picloud_shared::FilesService` trait scripts see via the Rhai
+//! bridge.
+//!
+//! Layers added here (vs the raw repo), mirroring `KvServiceImpl`:
+//!   1. Collection validation (empty + path-traversal) and field /
+//!      size-cap validation at the SDK boundary.
+//!   2. **Script-as-gate authz**: when `cx.principal.is_some()` we run
+//!      `authz::require(...)`; when it's `None` (public HTTP) we skip.
+//!      Cross-app isolation is unaffected — every repo call is keyed by
+//!      `cx.app_id`, never an argument.
+//!   3. `ServiceEvent` emission after each mutation (`create` /
+//!      `update` / `delete`). The payload is the file **metadata**, not
+//!      the blob bytes (files are too big for trigger payloads).
+
+use std::sync::Arc;
+
+use async_trait::async_trait;
+use picloud_shared::{
+    validate_files_collection, FileMeta, FileUpdate, FilesError, FilesListPage, FilesService,
+    NewFile, SdkCallCx, ServiceEvent, ServiceEventEmitter,
+};
+use uuid::Uuid;
+
+use crate::authz::{self, AuthzRepo, Capability};
+use crate::files_repo::{FileUpdated, FilesRepo, FilesRepoError};
+
+pub struct FilesServiceImpl {
+    repo: Arc<dyn FilesRepo>,
+    authz: Arc<dyn AuthzRepo>,
+    events: Arc<dyn ServiceEventEmitter>,
+    max_file_size_bytes: usize,
+}
+
+impl FilesServiceImpl {
+    #[must_use]
+    pub fn new(
+        repo: Arc<dyn FilesRepo>,
+        authz: Arc<dyn AuthzRepo>,
+        events: Arc<dyn ServiceEventEmitter>,
+        max_file_size_bytes: usize,
+    ) -> Self {
+        Self {
+            repo,
+            authz,
+            events,
+            max_file_size_bytes,
+        }
+    }
+
+    async fn check_read(&self, cx: &SdkCallCx) -> Result<(), FilesError> {
+        if let Some(ref principal) = cx.principal {
+            authz::require(&*self.authz, principal, Capability::AppFilesRead(cx.app_id))
+                .await
+                .map_err(|_| FilesError::Forbidden)?;
+        }
+        Ok(())
+    }
+
+    async fn check_write(&self, cx: &SdkCallCx) -> Result<(), FilesError> {
+        if let Some(ref principal) = cx.principal {
+            authz::require(
+                &*self.authz,
+                principal,
+                Capability::AppFilesWrite(cx.app_id),
+            )
+            .await
+            .map_err(|_| FilesError::Forbidden)?;
+        }
+        Ok(())
+    }
+
+    /// Best-effort `ServiceEvent` emission. A failed emit is logged but
+    /// never rolls back the (already-durable) file write.
+    async fn emit(
+        &self,
+        cx: &SdkCallCx,
+        op: &'static str,
+        collection: &str,
+        meta: &FileMeta,
+        old: Option<&FileMeta>,
+    ) {
+        let payload = serde_json::to_value(meta).ok();
+        let old_payload = old.and_then(|m| serde_json::to_value(m).ok());
+        if let Err(e) = self
+            .events
+            .emit(
+                cx,
+                ServiceEvent {
+                    source: "files",
+                    op,
+                    collection: Some(collection.to_string()),
+                    key: Some(meta.id.to_string()),
+                    payload,
+                    old_payload,
+                },
+            )
+            .await
+        {
+            tracing::warn!(error = %e, source = "files", op, "event emit failed");
+        }
+    }
+}
+
+/// Parse a script-supplied id. Invalid UUIDs aren't an error shape the
+/// SDK exposes — for reads/deletes they simply mean "no such file".
+fn parse_id(id: &str) -> Option<Uuid> {
+    Uuid::parse_str(id).ok()
+}
+
+impl From<FilesRepoError> for FilesError {
+    fn from(e: FilesRepoError) -> Self {
+        match e {
+            FilesRepoError::Corrupted => Self::Corrupted,
+            FilesRepoError::InvalidCollection(c) => Self::InvalidCollection(c),
+            other => Self::Backend(other.to_string()),
+        }
+    }
+}
+
+#[async_trait]
+impl FilesService for FilesServiceImpl {
+    async fn create(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        new: NewFile,
+    ) -> Result<Uuid, FilesError> {
+        validate_files_collection(collection)?;
+        self.check_write(cx).await?;
+        new.validate(self.max_file_size_bytes)?;
+        let meta = self.repo.create(cx.app_id, collection, new).await?;
+        self.emit(cx, "create", collection, &meta, None).await;
+        Ok(meta.id)
+    }
+
+    async fn head(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: &str,
+    ) -> Result<Option<FileMeta>, FilesError> {
+        validate_files_collection(collection)?;
+        self.check_read(cx).await?;
+        let Some(uuid) = parse_id(id) else {
+            return Ok(None);
+        };
+        Ok(self.repo.head(cx.app_id, collection, uuid).await?)
+    }
+
+    async fn get(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: &str,
+    ) -> Result<Option<Vec<u8>>, FilesError> {
+        validate_files_collection(collection)?;
+        self.check_read(cx).await?;
+        let Some(uuid) = parse_id(id) else {
+            return Ok(None);
+        };
+        Ok(self.repo.get(cx.app_id, collection, uuid).await?)
+    }
+
+    async fn update(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        id: &str,
+        upd: FileUpdate,
+    ) -> Result<(), FilesError> {
+        validate_files_collection(collection)?;
+        self.check_write(cx).await?;
+        upd.validate(self.max_file_size_bytes)?;
+        let Some(uuid) = parse_id(id) else {
+            return Err(FilesError::NotFound);
+        };
+        match self.repo.update(cx.app_id, collection, uuid, upd).await? {
+            Some(FileUpdated { new, prev }) => {
+                self.emit(cx, "update", collection, &new, Some(&prev)).await;
+                Ok(())
+            }
+            None => Err(FilesError::NotFound),
+        }
+    }
+
+    async fn delete(&self, cx: &SdkCallCx, collection: &str, id: &str) -> Result<bool, FilesError> {
+        validate_files_collection(collection)?;
+        self.check_write(cx).await?;
+        let Some(uuid) = parse_id(id) else {
+            return Ok(false);
+        };
+        match self.repo.delete(cx.app_id, collection, uuid).await? {
+            Some(meta) => {
+                // On delete, the top-level metadata AND `prev` both carry
+                // the deleted row (per docs/v1.1.x design + the brief).
+                self.emit(cx, "delete", collection, &meta, Some(&meta))
+                    .await;
+                Ok(true)
+            }
+            None => Ok(false),
+        }
+    }
+
+    async fn list(
+        &self,
+        cx: &SdkCallCx,
+        collection: &str,
+        cursor: Option<&str>,
+        limit: u32,
+    ) -> Result<FilesListPage, FilesError> {
+        validate_files_collection(collection)?;
+        self.check_read(cx).await?;
+        Ok(self.repo.list(cx.app_id, collection, cursor, limit).await?)
+    }
+}
+
+// ----------------------------------------------------------------------------
+// Tests — in-memory FilesRepo so unit tests need neither Postgres nor a
+// filesystem. The on-disk atomic-write / checksum mechanics are covered
+// by the tempdir tests in `files_repo.rs`.
+// ----------------------------------------------------------------------------
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::authz::{AuthzError, AuthzRepo};
+    use async_trait::async_trait;
+    use chrono::Utc;
+    use picloud_shared::{
+        AdminUserId, AppId, AppRole, EmitError, ExecutionId, InstanceRole, Principal, RequestId,
+        ScriptId, ServiceEvent, UserId,
+    };
+    use std::collections::BTreeMap;
+    use std::sync::Mutex as StdMutex;
+    use tokio::sync::Mutex;
+
+    /// In-memory FilesRepo keyed by (app, collection, id). Stores the
+    /// metadata + bytes together so cross-app isolation and round-trips
+    /// can be checked without disk.
+    #[derive(Default)]
+    struct InMemoryFilesRepo {
+        #[allow(clippy::type_complexity)]
+        data: Mutex<BTreeMap<(AppId, String, Uuid), (FileMeta, Vec<u8>)>>,
+    }
+
+    fn sha256_hex(bytes: &[u8]) -> String {
+        use sha2::{Digest, Sha256};
+        let mut h = Sha256::new();
+        h.update(bytes);
+        let out = h.finalize();
+        let mut s = String::new();
+        for b in out {
+            use std::fmt::Write as _;
+            let _ = write!(s, "{b:02x}");
+        }
+        s
+    }
+
+    #[async_trait]
+    impl FilesRepo for InMemoryFilesRepo {
+        async fn create(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            new: NewFile,
+        ) -> Result<FileMeta, FilesRepoError> {
+            let id = Uuid::new_v4();
+            let now = Utc::now();
+            let meta = FileMeta {
+                id,
+                collection: collection.to_string(),
+                name: new.name.clone(),
+                content_type: new.content_type.clone(),
+                size: new.data.len() as u64,
+                checksum: sha256_hex(&new.data),
+                created_at: now,
+                updated_at: now,
+            };
+            self.data.lock().await.insert(
+                (app_id, collection.to_string(), id),
+                (meta.clone(), new.data),
+            );
+            Ok(meta)
+        }
+
+        async fn head(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            id: Uuid,
+        ) -> Result<Option<FileMeta>, FilesRepoError> {
+            Ok(self
+                .data
+                .lock()
+                .await
+                .get(&(app_id, collection.to_string(), id))
+                .map(|(m, _)| m.clone()))
+        }
+
+        async fn get(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            id: Uuid,
+        ) -> Result<Option<Vec<u8>>, FilesRepoError> {
+            Ok(self
+                .data
+                .lock()
+                .await
+                .get(&(app_id, collection.to_string(), id))
+                .map(|(_, b)| b.clone()))
+        }
+
+        async fn update(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            id: Uuid,
+            upd: FileUpdate,
+        ) -> Result<Option<FileUpdated>, FilesRepoError> {
+            let mut data = self.data.lock().await;
+            let key = (app_id, collection.to_string(), id);
+            let Some((prev_meta, _)) = data.get(&key).cloned() else {
+                return Ok(None);
+            };
+            let now = Utc::now();
+            let new_meta = FileMeta {
+                id,
+                collection: collection.to_string(),
+                name: upd.name.clone().unwrap_or_else(|| prev_meta.name.clone()),
+                content_type: upd
+                    .content_type
+                    .clone()
+                    .unwrap_or_else(|| prev_meta.content_type.clone()),
+                size: upd.data.len() as u64,
+                checksum: sha256_hex(&upd.data),
+                created_at: prev_meta.created_at,
+                updated_at: now,
+            };
+            data.insert(key, (new_meta.clone(), upd.data));
+            Ok(Some(FileUpdated {
+                new: new_meta,
+                prev: prev_meta,
+            }))
+        }
+
+        async fn delete(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            id: Uuid,
+        ) -> Result<Option<FileMeta>, FilesRepoError> {
+            Ok(self
+                .data
+                .lock()
+                .await
+                .remove(&(app_id, collection.to_string(), id))
+                .map(|(m, _)| m))
+        }
+
+        async fn list(
+            &self,
+            app_id: AppId,
+            collection: &str,
+            cursor: Option<&str>,
+            limit: u32,
+        ) -> Result<FilesListPage, FilesRepoError> {
+            let data = self.data.lock().await;
+            let after = cursor.and_then(|c| Uuid::parse_str(c).ok());
+            let mut metas: Vec<FileMeta> = data
+                .iter()
+                .filter(|((a, c, _), _)| *a == app_id && c == collection)
+                .map(|(_, (m, _))| m.clone())
+                .filter(|m| after.is_none_or(|a| m.id > a))
+                .collect();
+            metas.sort_by_key(|m| m.id);
+            let take = (limit.max(1)) as usize;
+            let next_cursor = if metas.len() > take {
+                metas.truncate(take);
+                metas.last().map(|m| m.id.to_string())
+            } else {
+                None
+            };
+            Ok(FilesListPage {
+                files: metas,
+                next_cursor,
+            })
+        }
+    }
+
+    /// Captures emitted events so tests can assert on fan-out shape.
+    #[derive(Default)]
+    struct CapturingEmitter {
+        events: StdMutex<Vec<ServiceEvent>>,
+    }
+
+    #[async_trait]
+    impl ServiceEventEmitter for CapturingEmitter {
+        async fn emit(&self, _cx: &SdkCallCx, event: ServiceEvent) -> Result<(), EmitError> {
+            self.events.lock().unwrap().push(event);
+            Ok(())
+        }
+    }
+
+    #[derive(Default)]
+    struct DenyingAuthzRepo;
+    #[async_trait]
+    impl AuthzRepo for DenyingAuthzRepo {
+        async fn membership(
+            &self,
+            _user_id: UserId,
+            _app_id: AppId,
+        ) -> Result<Option<AppRole>, AuthzError> {
+            Ok(None)
+        }
+    }
+
+    #[derive(Default)]
+    struct EditorAuthzRepo;
+    #[async_trait]
+    impl AuthzRepo for EditorAuthzRepo {
+        async fn membership(
+            &self,
+            _user_id: UserId,
+            _app_id: AppId,
+        ) -> Result<Option<AppRole>, AuthzError> {
+            Ok(Some(AppRole::Editor))
+        }
+    }
+
+    fn anon_cx(app_id: AppId) -> SdkCallCx {
+        SdkCallCx {
+            app_id,
+            script_id: ScriptId::new(),
+            principal: None,
+            execution_id: ExecutionId::new(),
+            request_id: RequestId::new(),
+            trigger_depth: 0,
+            root_execution_id: ExecutionId::new(),
+            is_dead_letter_handler: false,
+            event: None,
+        }
+    }
+
+    fn member_cx(app_id: AppId) -> SdkCallCx {
+        SdkCallCx {
+            principal: Some(Principal {
+                user_id: AdminUserId::new(),
+                instance_role: InstanceRole::Member,
+                scopes: None,
+                app_binding: None,
+            }),
+            ..anon_cx(app_id)
+        }
+    }
+
+    fn svc_with(authz: Arc<dyn AuthzRepo>, emitter: Arc<CapturingEmitter>) -> FilesServiceImpl {
+        FilesServiceImpl::new(
+            Arc::new(InMemoryFilesRepo::default()),
+            authz,
+            emitter,
+            10 * 1024 * 1024,
+        )
+    }
+
+    fn svc() -> FilesServiceImpl {
+        svc_with(
+            Arc::new(DenyingAuthzRepo),
+            Arc::new(CapturingEmitter::default()),
+        )
+    }
+
+    fn new_file(name: &str, data: &[u8]) -> NewFile {
+        NewFile {
+            name: name.to_string(),
+            content_type: "application/octet-stream".to_string(),
+            data: data.to_vec(),
+        }
+    }
+
+    #[tokio::test]
+    async fn create_then_get_head_round_trips() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        let id = files
+            .create(&cx, "avatars", new_file("a.bin", b"hello"))
+            .await
+            .unwrap();
+        let bytes = files.get(&cx, "avatars", &id.to_string()).await.unwrap();
+        assert_eq!(bytes, Some(b"hello".to_vec()));
+        let meta = files
+            .head(&cx, "avatars", &id.to_string())
+            .await
+            .unwrap()
+            .unwrap();
+        assert_eq!(meta.name, "a.bin");
+        assert_eq!(meta.size, 5);
+        assert_eq!(meta.checksum, sha256_hex(b"hello"));
+    }
+
+    #[tokio::test]
+    async fn get_and_head_missing_return_none() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        let missing = Uuid::new_v4().to_string();
+        assert_eq!(files.get(&cx, "c", &missing).await.unwrap(), None);
+        assert!(files.head(&cx, "c", &missing).await.unwrap().is_none());
+        // Non-UUID id is also "missing", not an error.
+        assert_eq!(files.get(&cx, "c", "not-a-uuid").await.unwrap(), None);
+    }
+
+    #[tokio::test]
+    async fn update_replaces_content_and_keeps_metadata_when_omitted() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        let id = files
+            .create(&cx, "c", new_file("v1.txt", b"one"))
+            .await
+            .unwrap();
+        files
+            .update(
+                &cx,
+                "c",
+                &id.to_string(),
+                FileUpdate {
+                    data: b"two!!".to_vec(),
+                    name: None,
+                    content_type: None,
+                },
+            )
+            .await
+            .unwrap();
+        let meta = files
+            .head(&cx, "c", &id.to_string())
+            .await
+            .unwrap()
+            .unwrap();
+        assert_eq!(meta.name, "v1.txt"); // kept
+        assert_eq!(meta.size, 5);
+        assert_eq!(
+            files.get(&cx, "c", &id.to_string()).await.unwrap(),
+            Some(b"two!!".to_vec())
+        );
+    }
+
+    #[tokio::test]
+    async fn update_missing_throws_not_found() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        let err = files
+            .update(
+                &cx,
+                "c",
+                &Uuid::new_v4().to_string(),
+                FileUpdate {
+                    data: b"x".to_vec(),
+                    name: None,
+                    content_type: None,
+                },
+            )
+            .await
+            .unwrap_err();
+        assert!(matches!(err, FilesError::NotFound));
+    }
+
+    #[tokio::test]
+    async fn delete_returns_was_present() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        let id = files.create(&cx, "c", new_file("f", b"x")).await.unwrap();
+        assert!(files.delete(&cx, "c", &id.to_string()).await.unwrap());
+        assert!(!files.delete(&cx, "c", &id.to_string()).await.unwrap());
+        assert!(!files.delete(&cx, "c", "not-a-uuid").await.unwrap());
+    }
+
+    #[tokio::test]
+    async fn empty_collection_rejected() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        let err = files
+            .create(&cx, "", new_file("f", b"x"))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, FilesError::InvalidCollection(_)));
+    }
+
+    #[tokio::test]
+    async fn traversal_collection_rejected() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        for bad in ["../etc", "a/b", "a..b", "x\0y"] {
+            let err = files
+                .create(&cx, bad, new_file("f", b"x"))
+                .await
+                .unwrap_err();
+            assert!(
+                matches!(err, FilesError::InvalidCollection(_)),
+                "expected reject for {bad:?}"
+            );
+        }
+    }
+
+    #[tokio::test]
+    async fn missing_required_fields_have_field_specific_messages() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        // name
+        let err = files
+            .create(
+                &cx,
+                "c",
+                NewFile {
+                    name: "  ".into(),
+                    content_type: "text/plain".into(),
+                    data: b"x".to_vec(),
+                },
+            )
+            .await
+            .unwrap_err();
+        assert!(matches!(err, FilesError::MissingField("name")));
+        // content_type
+        let err = files
+            .create(
+                &cx,
+                "c",
+                NewFile {
+                    name: "f".into(),
+                    content_type: String::new(),
+                    data: b"x".to_vec(),
+                },
+            )
+            .await
+            .unwrap_err();
+        assert!(matches!(err, FilesError::MissingField("content_type")));
+        // Empty `data` is NO LONGER rejected (v1.1.6 relaxation) — see
+        // `empty_file_round_trips`.
+    }
+
+    #[tokio::test]
+    async fn empty_file_round_trips() {
+        // v1.1.6: a zero-byte blob is a valid stored state (sentinels,
+        // placeholders). Create with empty data, then read it back.
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        let id = files
+            .create(
+                &cx,
+                "c",
+                NewFile {
+                    name: "empty.bin".into(),
+                    content_type: "application/octet-stream".into(),
+                    data: vec![],
+                },
+            )
+            .await
+            .expect("empty file create should succeed");
+        let bytes = files.get(&cx, "c", &id.to_string()).await.unwrap();
+        assert_eq!(bytes, Some(Vec::new()));
+        let meta = files
+            .head(&cx, "c", &id.to_string())
+            .await
+            .unwrap()
+            .expect("metadata present");
+        assert_eq!(meta.size, 0);
+    }
+
+    #[tokio::test]
+    async fn name_and_content_type_length_caps_enforced() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        let long_name = "x".repeat(256);
+        let err = files
+            .create(&cx, "c", new_file(&long_name, b"x"))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, FilesError::NameTooLong(256)));
+
+        let err = files
+            .create(
+                &cx,
+                "c",
+                NewFile {
+                    name: "f".into(),
+                    content_type: "x".repeat(128),
+                    data: b"x".to_vec(),
+                },
+            )
+            .await
+            .unwrap_err();
+        assert!(matches!(err, FilesError::ContentTypeTooLong(128)));
+    }
+
+    #[tokio::test]
+    async fn per_file_size_cap_enforced() {
+        let files = FilesServiceImpl::new(
+            Arc::new(InMemoryFilesRepo::default()),
+            Arc::new(DenyingAuthzRepo),
+            Arc::new(CapturingEmitter::default()),
+            8, // tiny cap
+        );
+        let cx = anon_cx(AppId::new());
+        let err = files
+            .create(&cx, "c", new_file("big", b"123456789"))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, FilesError::TooLarge { limit: 8, .. }));
+    }
+
+    #[tokio::test]
+    async fn cross_app_isolation() {
+        let files = svc();
+        let app_a = AppId::new();
+        let app_b = AppId::new();
+        let cx_a = anon_cx(app_a);
+        let cx_b = anon_cx(app_b);
+        let id = files
+            .create(&cx_a, "shared", new_file("f", b"from-a"))
+            .await
+            .unwrap();
+        // app B cannot see app A's file by id.
+        assert_eq!(
+            files.get(&cx_b, "shared", &id.to_string()).await.unwrap(),
+            None
+        );
+        assert!(files
+            .head(&cx_b, "shared", &id.to_string())
+            .await
+            .unwrap()
+            .is_none());
+        let page_b = files.list(&cx_b, "shared", None, 100).await.unwrap();
+        assert!(page_b.files.is_empty());
+        // app A still sees it.
+        assert!(files
+            .get(&cx_a, "shared", &id.to_string())
+            .await
+            .unwrap()
+            .is_some());
+    }
+
+    #[tokio::test]
+    async fn anonymous_cx_skips_authz() {
+        let files = svc(); // DenyingAuthzRepo
+        let cx = anon_cx(AppId::new());
+        // No principal → no authz check, even with a denying repo.
+        files.create(&cx, "c", new_file("f", b"x")).await.unwrap();
+    }
+
+    #[tokio::test]
+    async fn member_without_role_is_forbidden() {
+        let files = svc(); // DenyingAuthzRepo
+        let cx = member_cx(AppId::new());
+        let err = files
+            .create(&cx, "c", new_file("f", b"x"))
+            .await
+            .unwrap_err();
+        assert!(matches!(err, FilesError::Forbidden));
+    }
+
+    #[tokio::test]
+    async fn member_with_editor_role_allowed() {
+        let files = svc_with(
+            Arc::new(EditorAuthzRepo),
+            Arc::new(CapturingEmitter::default()),
+        );
+        let cx = member_cx(AppId::new());
+        files.create(&cx, "c", new_file("f", b"x")).await.unwrap();
+    }
+
+    #[tokio::test]
+    async fn mutations_emit_events_with_correct_prev() {
+        let emitter = Arc::new(CapturingEmitter::default());
+        let files = svc_with(Arc::new(DenyingAuthzRepo), emitter.clone());
+        let cx = anon_cx(AppId::new());
+
+        let id = files.create(&cx, "c", new_file("f", b"one")).await.unwrap();
+        files
+            .update(
+                &cx,
+                "c",
+                &id.to_string(),
+                FileUpdate {
+                    data: b"two".to_vec(),
+                    name: None,
+                    content_type: None,
+                },
+            )
+            .await
+            .unwrap();
+        files.delete(&cx, "c", &id.to_string()).await.unwrap();
+
+        let events = emitter.events.lock().unwrap();
+        assert_eq!(events.len(), 3);
+        // create: prev is None
+        assert_eq!(events[0].op, "create");
+        assert_eq!(events[0].source, "files");
+        assert!(events[0].old_payload.is_none());
+        assert!(events[0].payload.is_some());
+        // update: prev is the prior metadata
+        assert_eq!(events[1].op, "update");
+        assert!(events[1].old_payload.is_some());
+        // delete: prev is the deleted metadata (payload == old_payload)
+        assert_eq!(events[2].op, "delete");
+        assert_eq!(events[2].payload, events[2].old_payload);
+        assert!(events[2].payload.is_some());
+    }
+
+    #[tokio::test]
+    async fn list_cursor_paginates() {
+        let files = svc();
+        let cx = anon_cx(AppId::new());
+        for i in 0..5 {
+            files
+                .create(&cx, "c", new_file(&format!("f{i}"), b"x"))
+                .await
+                .unwrap();
+        }
+        let p1 = files.list(&cx, "c", None, 2).await.unwrap();
+        assert_eq!(p1.files.len(), 2);
+        assert!(p1.next_cursor.is_some());
+        let p2 = files
+            .list(&cx, "c", p1.next_cursor.as_deref(), 2)
+            .await
+            .unwrap();
+        assert_eq!(p2.files.len(), 2);
+        let p3 = files
+            .list(&cx, "c", p2.next_cursor.as_deref(), 2)
+            .await
+            .unwrap();
+        assert_eq!(p3.files.len(), 1);
+        assert!(p3.next_cursor.is_none());
+    }
+}

crates/manager-core/src/files_sweep.rs

@@ -0,0 +1,185 @@
+//! Orphan `*.tmp.*` blob sweeper (v1.1.6, v1.1.5 follow-up).
+//!
+//! The files repo writes blobs atomically: it streams into a
+//! `<id>.tmp.<pid>-<seq>` temp file, fsyncs, then renames to the final
+//! `<id>` path. A crash between create and rename leaves an orphan temp
+//! file that is never read and never reclaimed. This sweeper deletes
+//! those: every `PICLOUD_FILES_ORPHAN_SWEEP_INTERVAL_SEC` (default 6h) it
+//! walks `<root>/files/` and unlinks any `*.tmp.*` file older than
+//! `PICLOUD_FILES_ORPHAN_TMP_TTL_SEC` (default 1h).
+//!
+//! Deliberately bounded: it does NOT cross-check on-disk files against DB
+//! rows (the full reconciling sweeper is v1.3+). It only targets the temp
+//! files, which are unambiguously orphans once past the TTL — no live
+//! writer keeps one around for an hour.
+
+use std::path::{Path, PathBuf};
+use std::time::{Duration, SystemTime};
+
+const ENV_INTERVAL: &str = "PICLOUD_FILES_ORPHAN_SWEEP_INTERVAL_SEC";
+const ENV_TMP_TTL: &str = "PICLOUD_FILES_ORPHAN_TMP_TTL_SEC";
+const DEFAULT_INTERVAL_SECS: u64 = 21_600; // 6h
+const DEFAULT_TMP_TTL_SECS: u64 = 3_600; // 1h
+
+/// Marker that identifies a temp blob (`<id>.tmp.<pid>-<seq>`). A final
+/// blob is named just `<id>` (a UUID), so it never contains this.
+const TMP_MARKER: &str = ".tmp.";
+
+#[derive(Debug, Default, Clone, Copy)]
+pub struct SweepStats {
+    pub dirs_walked: u64,
+    pub files_deleted: u64,
+    pub bytes_reclaimed: u64,
+}
+
+/// Spawn the periodic orphan sweep. Spawned at startup alongside the
+/// cron scheduler and the realtime/cache GC tasks.
+pub fn spawn_files_orphan_sweep(files_root: PathBuf) {
+    let interval = Duration::from_secs(read_secs(ENV_INTERVAL, DEFAULT_INTERVAL_SECS));
+    let ttl = Duration::from_secs(read_secs(ENV_TMP_TTL, DEFAULT_TMP_TTL_SECS));
+    tokio::spawn(async move {
+        let mut ticker = tokio::time::interval(interval);
+        ticker.tick().await; // skip the immediate first fire
+        loop {
+            ticker.tick().await;
+            let root = files_root.clone();
+            // Blocking filesystem walk off the async worker.
+            let stats = tokio::task::spawn_blocking(move || sweep_orphan_tmp_files(&root, ttl))
+                .await
+                .unwrap_or_default();
+            tracing::info!(
+                dirs_walked = stats.dirs_walked,
+                files_deleted = stats.files_deleted,
+                bytes_reclaimed = stats.bytes_reclaimed,
+                "files orphan sweep complete"
+            );
+        }
+    });
+}
+
+/// Walk `<files_root>/files/` and delete `*.tmp.*` files older than
+/// `ttl`. Missing root is not an error (returns zeroed stats). Pure +
+/// synchronous so it's unit-testable without a runtime.
+#[must_use]
+pub fn sweep_orphan_tmp_files(files_root: &Path, ttl: Duration) -> SweepStats {
+    let mut stats = SweepStats::default();
+    let blobs_dir = files_root.join("files");
+    if !blobs_dir.is_dir() {
+        return stats;
+    }
+    let now = SystemTime::now();
+    walk(&blobs_dir, ttl, now, &mut stats);
+    stats
+}
+
+fn walk(dir: &Path, ttl: Duration, now: SystemTime, stats: &mut SweepStats) {
+    stats.dirs_walked += 1;
+    let Ok(entries) = std::fs::read_dir(dir) else {
+        return;
+    };
+    for entry in entries.flatten() {
+        let Ok(ft) = entry.file_type() else {
+            continue;
+        };
+        let path = entry.path();
+        if ft.is_dir() {
+            walk(&path, ttl, now, stats);
+            continue;
+        }
+        if !ft.is_file() {
+            continue;
+        }
+        if !entry.file_name().to_string_lossy().contains(TMP_MARKER) {
+            continue;
+        }
+        let Ok(meta) = entry.metadata() else {
+            continue;
+        };
+        let age = meta
+            .modified()
+            .ok()
+            .and_then(|m| now.duration_since(m).ok())
+            .unwrap_or(Duration::ZERO);
+        if age >= ttl {
+            let size = meta.len();
+            if std::fs::remove_file(&path).is_ok() {
+                stats.files_deleted += 1;
+                stats.bytes_reclaimed += size;
+            }
+        }
+    }
+}
+
+fn read_secs(key: &str, default: u64) -> u64 {
+    match std::env::var(key) {
+        Err(_) => default,
+        Ok(v) => match v.parse::<u64>() {
+            Ok(n) if n > 0 => n,
+            _ => {
+                tracing::warn!(env = key, value = %v, "invalid; using default");
+                default
+            }
+        },
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::sync::atomic::{AtomicU64, Ordering};
+
+    static SEQ: AtomicU64 = AtomicU64::new(0);
+
+    fn tmp_root() -> PathBuf {
+        let n = SEQ.fetch_add(1, Ordering::Relaxed);
+        let dir =
+            std::env::temp_dir().join(format!("picloud-sweep-test-{}-{n}", std::process::id()));
+        std::fs::create_dir_all(dir.join("files").join("ab")).unwrap();
+        dir
+    }
+
+    fn touch(path: &Path) {
+        std::fs::write(path, b"x").unwrap();
+    }
+
+    #[test]
+    fn deletes_old_tmp_files() {
+        let root = tmp_root();
+        let tmp = root.join("files/ab/uuid.tmp.123-0");
+        touch(&tmp);
+        // ttl 0 → any tmp file counts as old.
+        let stats = sweep_orphan_tmp_files(&root, Duration::ZERO);
+        assert_eq!(stats.files_deleted, 1);
+        assert!(!tmp.exists());
+        assert!(stats.bytes_reclaimed >= 1);
+    }
+
+    #[test]
+    fn keeps_young_tmp_files() {
+        let root = tmp_root();
+        let tmp = root.join("files/ab/uuid.tmp.123-0");
+        touch(&tmp);
+        // Large TTL → the just-created file is too young to reap.
+        let stats = sweep_orphan_tmp_files(&root, Duration::from_secs(3600));
+        assert_eq!(stats.files_deleted, 0);
+        assert!(tmp.exists());
+    }
+
+    #[test]
+    fn keeps_non_tmp_files() {
+        let root = tmp_root();
+        let blob = root.join("files/ab/0123456789abcdef");
+        touch(&blob);
+        let stats = sweep_orphan_tmp_files(&root, Duration::ZERO);
+        assert_eq!(stats.files_deleted, 0);
+        assert!(blob.exists());
+    }
+
+    #[test]
+    fn missing_root_does_not_panic() {
+        let root = std::env::temp_dir().join("picloud-sweep-nonexistent-xyz");
+        let stats = sweep_orphan_tmp_files(&root, Duration::ZERO);
+        assert_eq!(stats.files_deleted, 0);
+        assert_eq!(stats.dirs_walked, 0);
+    }
+}

crates/manager-core/src/gc.rs

@@ -0,0 +1,95 @@
+//! Weekly retention sweepers for `dead_letters` + `abandoned_executions`.
+//!
+//! Both use the `FOR UPDATE SKIP LOCKED` claim pattern so concurrent
+//! sweepers (cluster mode v1.3+) don't fight each other. Defaults
+//! match design notes §3 / §4: 30 days for DL, 7 days for abandoned.
+//! Both env-overridable via `PICLOUD_DEAD_LETTER_RETENTION_DAYS` and
+//! `PICLOUD_ABANDONED_EXECUTIONS_RETENTION_DAYS` (loaded by
+//! `TriggerConfig::from_env`).
+//!
+//! Spawned from `build_app` alongside `spawn_session_pruner`.
+
+use std::sync::Arc;
+use std::time::Duration;
+
+use chrono::Utc;
+
+use crate::abandoned_repo::AbandonedRepo;
+use crate::dead_letter_repo::DeadLetterRepo;
+
+/// Weekly sweep cadence — matches `spawn_session_pruner` shape.
+const SWEEP_INTERVAL: Duration = Duration::from_secs(7 * 24 * 60 * 60);
+
+/// Per-tick batch cap so we don't try to delete millions of rows in
+/// one transaction. The loop keeps deleting batches until a tick
+/// returns 0 rows affected.
+const SWEEP_BATCH: i64 = 5_000;
+
+pub fn spawn_dead_letter_gc(repo: Arc<dyn DeadLetterRepo>, retention_days: u32) {
+    tokio::spawn(async move {
+        let mut ticker = tokio::time::interval(SWEEP_INTERVAL);
+        // Skip the immediate first fire — don't sweep at process start.
+        ticker.tick().await;
+        loop {
+            ticker.tick().await;
+            sweep_dead_letters(&*repo, retention_days).await;
+        }
+    });
+}
+
+pub fn spawn_abandoned_gc(repo: Arc<dyn AbandonedRepo>, retention_days: u32) {
+    tokio::spawn(async move {
+        let mut ticker = tokio::time::interval(SWEEP_INTERVAL);
+        ticker.tick().await;
+        loop {
+            ticker.tick().await;
+            sweep_abandoned(&*repo, retention_days).await;
+        }
+    });
+}
+
+async fn sweep_dead_letters(repo: &dyn DeadLetterRepo, retention_days: u32) {
+    let cutoff = Utc::now() - chrono::Duration::days(i64::from(retention_days));
+    let mut total: u64 = 0;
+    loop {
+        match repo.gc(cutoff, SWEEP_BATCH).await {
+            Ok(0) => break,
+            Ok(n) => {
+                total += n;
+                if n < SWEEP_BATCH as u64 {
+                    break;
+                }
+            }
+            Err(e) => {
+                tracing::warn!(?e, "dead_letters GC sweep errored");
+                break;
+            }
+        }
+    }
+    if total > 0 {
+        tracing::info!(swept = total, "dead_letters GC swept");
+    }
+}
+
+async fn sweep_abandoned(repo: &dyn AbandonedRepo, retention_days: u32) {
+    let cutoff = Utc::now() - chrono::Duration::days(i64::from(retention_days));
+    let mut total: u64 = 0;
+    loop {
+        match repo.gc(cutoff, SWEEP_BATCH).await {
+            Ok(0) => break,
+            Ok(n) => {
+                total += n;
+                if n < SWEEP_BATCH as u64 {
+                    break;
+                }
+            }
+            Err(e) => {
+                tracing::warn!(?e, "abandoned_executions GC sweep errored");
+                break;
+            }
+        }
+    }
+    if total > 0 {
+        tracing::info!(swept = total, "abandoned_executions GC swept");
+    }
+}