Commit graph

4007 commits

Author SHA1 Message Date
Dante Catalfamo
4df9ae01a6
41542 android cert resend backend (#42099)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41542
2026-03-23 17:01:52 -04:00
Victor Lyuboslavsky
7a6a95703f
Reduced redundant database calls in the osquery distributed query results hot path (#42157)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #42156

The core change: instead of loading AppConfig, HostFeatures,
TeamMDMConfig, and rebuilding the detail query map **independently
inside each call** to `directIngestDetailQuery` and `ingestDetailQuery`
(so ~2N times per check-in with N detail results), we load everything
**once** into a `hostDetailQueryConfig` struct and pass it through.

## Before

```
SubmitDistributedQueryResults loop:
  for each query result:
    → ingestQueryResults
      → directIngestDetailQuery:  loads AppConfig, HostFeatures, TeamMDMConfig, builds detail query map
      → ingestDetailQuery:        loads AppConfig, HostFeatures, TeamMDMConfig, builds detail query map
  after loop:
    loads AppConfig for labels/policies
    loads AppConfig AGAIN for deferred host save
```

## After

```
SubmitDistributedQueryResults loop:
  on first detail query result:
    → loadHostDetailQueryConfig: loads AppConfig, HostFeatures, TeamMDMConfig, builds detail query map ONCE
  for each query result:
    → ingestQueryResults (receives pre-loaded config)
      → directIngestDetailQuery: just looks up the query in the cached map
      → ingestDetailQuery:       just looks up the query in the cached map
  after loop:
    loads AppConfig once for labels/policies/deferred host save
```

The detail config is **lazy-loaded** — if a check-in only has
label/policy results and no detail queries, the
HostFeatures/TeamMDMConfig calls are skipped entirely.

## Other changes bundled in

1. **`serialUpdateHost`** now receives the request context and uses
`context.WithoutCancel(ctx)` instead of `context.Background()`, so the
background goroutine preserves OTEL traces and logging context without
being subject to request cancellation.

2. **Deferred save host** at the end of `SubmitDistributedQueryResults`
reuses the already-loaded AppConfig instead of loading it a third time.
The old code silently skipped the host save if that third load failed.


# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually
  - Ran a local load test with osquery perf

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Performance**
* Optimized distributed query result processing by preloading
configuration once per request instead of repeatedly per query result,
reducing redundant database calls and improving overall query
performance.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-23 10:31:12 -05:00
Victor Lyuboslavsky
109b4e10cd
Throttle CA access through MDM (#42114)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #38002 

Demo video: https://www.youtube.com/watch?v=JOZh1iQ34iI
Docs: https://github.com/fleetdm/fleet/pull/42190/changes

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually

## New Fleet configuration settings

- [x] Setting(s) is/are explicitly excluded from GitOps

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added the `FLEET_MDM_CERTIFICATE_PROFILES_LIMIT` configuration option
to control the number of certificate authority (CA) profiles installed
during each Apple MDM profile reconciliation cycle. This new setting
enables administrators to throttle CA profile installations and manage
installation performance during normal reconciliation operations across
large-scale deployments. Set this value to 0 to disable throttling.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 09:04:55 -05:00
salgattll
ae269f8967
Add Flatcar Container Linux and CoreOS to recognized Linux platforms (#42186)
Resolves #42185

## Summary

- Added `flatcar` and `coreos` to `HostLinuxOSs` in
`server/fleet/hosts.go`
- Added both to `HostNeitherDebNorRpmPackageOSs` (neither distro uses
deb or rpm)
- Added both to `HOST_LINUX_PLATFORMS` in
`frontend/interfaces/platform.ts`
- Added test cases in `server/fleet/hosts_test.go`
- Updated platform lists in
`docs/Contributing/product-groups/orchestration/understanding-host-vitals.md`
- Added changelog entry

## Problem

Flatcar Container Linux reports `platform=flatcar` and
`platform_like=coreos` via osquery's `os_version` table. Neither value
is in `HostLinuxOSs`, so `PlatformFromHost("flatcar")` returns `""` and
`RunsForPlatform` skips all Linux-platform-filtered detail queries.

**Symptoms:** Flatcar hosts enroll successfully, appear online, and
respond to live queries. But host details (private IP, disk space, etc.)
are never populated because the detail queries that collect this data
are never sent to the host.

## Context

Flatcar Container Linux is an immutable, container-optimized Linux
distribution (successor to CoreOS Container Linux). We deploy Fleet's
Orbit agent on Flatcar via systemd-sysext and have confirmed that all
osquery tables work correctly — the only gap was this platform string
not being recognized.

This follows the same pattern as prior platform additions: #19011
(tuxedo), #28977 (neon), #34357 (manjaro-arm).

## Changes file

- [x] Changes file added in `changes/`

## Checklist

- [x] Added/updated automated tests
- [x] Manual QA: Verified on Flatcar Container Linux 4459.2.4 with
osquery 5.21.0 and Orbit 1.53.0 — confirmed detail queries work after
patching `HostLinuxOSs` locally
- [x] No database migrations needed
- [x] No endpoint changes
- [x] No backward compatibility concerns (additive change only)
2026-03-23 10:33:48 -03:00
Victor Lyuboslavsky
241779cd67
Differentiate between Windows Server Core and full desktop installations (#42034) 2026-03-21 10:03:57 -05:00
Scott Gress
91362ba2ca
Add fleetctl new command (#41909)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41345 

# Details

This PR:

* Adds a new `fleetctl new` command which creates a starter GitOps repo
file structure
* Adds support for file globs for the `configuration_profiles:` key in
GitOps, to support its use in the `fleetctl new` templates. This
involved moving the `BaseItem` type and `SupportsFileInclude` interface
into the `fleet` package so that the `MDMProfileSpec` type could
implement the interface and do glob expansion.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
  - [X] added unit and intg tests for globbing profiles
  - [ ] added tests for `fleetctl new`
- [X] QA'd all new/changed functionality manually
- [X] `fleetctl new` with no args prompted for org name and created a
new `it-and-security` folder under current folder w/ correct files
- [X] `fleetctl new --dir /tmp/testnew` created correct files under
`/tmp/testnew`
- [X] `fleetctl new --dir /tmp/testexisting --force` with an existing
`/tmp/testexisting` folder created correct files under
`/tmp/testexisting`
- [X] `fleetctl new --org-name=foo` created correct files under
`it-and-security` without prompting for org name
- [X] `paths:` in `configuration_profiles` picks up multiple matching
profiles
- [X] `paths:` + `path:` in `configuration_profiles` will error if the
same profile is picked up twice


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added `fleetctl new` command to initialize GitOps repository structure
via CLI.
* Added glob pattern support for `configuration_profiles` field,
enabling flexible profile selection.

* **Chores**
  * Updated CLI dependencies to support enhanced user interactions.
  * Removed legacy website generator configuration files.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-20 17:27:27 -05:00
Carlo
04980e8a5b
Improve VPP errors for large install failures (#41997)
Fixes #39066
2026-03-20 15:37:42 -04:00
Claude
111bb4692e
Bump MySQL test version from 8.0.39 to 8.0.42 (#42122)
Updates MySQL version references from 8.0.39 to 8.0.42 in GitHub Actions
workflow test matrices to match current Aurora version as of #42120.

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: iansltx <472804+iansltx@users.noreply.github.com>
Co-authored-by: Ian Littman <iansltx@gmail.com>
2026-03-20 14:24:29 -05:00
Scott Gress
40e91c0ece
Allow hosts key to be empty for manual labels (#42022)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41672 

# Details

Updates GitOps label functionality so that omitting the `hosts:` key
under a manual label will _not_ clear hosts from that label, but will
instead preserve the existing membership. This allows users to manage
manual hosts with an external system (via the labels API), while still
managing the labels themselves in GitOps.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
  - [X] verified that you can still add a manual label with `hosts:`
- [X] verified that leaving `hosts:` off a manual label doesn't change
the host assignment
- [X] verified that putting `hosts:` with no value on a manual label
clears the hosts
  - [X] verified that you can still add a dynamic label
  - [X] verified that generate-gitops still exports manual hosts

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-03-20 10:36:14 -05:00
Victor Lyuboslavsky
6d6a29a089
Fixed Admin By Request false positive CVEs (#42095)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41586

The fix is speculative since I wasn't able to find/get the "Admin By
Request" app to install.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Fixed false-positive vulnerability reports for "Admin By Request" on
macOS and Linux. Vulnerabilities CVE-2019-17201 and CVE-2019-17202 are
Windows-specific and will now only be reported on Windows systems,
eliminating unnecessary alerts on other platforms.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-20 10:35:56 -05:00
Scott Gress
f093406e04
Fix get/create/update query response (#41966)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41603 

# Details

Fixes an issue where the nested `query` key in the get, create and
update query API responses, which is the literal SQL query, was getting
duplicated into a `report` key with the SQL. This was happening because
our JSON field duplicator which adds the renamed version of deprecated
keys to responses is intentionally naive; it doesn't account for cases
where the parent and child structs have the same key with different
meanings because that is... not ideal. In Fleet 5 we won't have this
problem since it'll just be `report.query`, but for now the solution is
to just hard-code a `Report` field onto the response structs, rather
than over-complicate the duplicator code to account for different
nesting levels.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
- [X] verified no `query.report` or `report.report` present in get query
response
- [X] verified no `query.report` or `report.report` present in create
query response
- [X] verified no `query.report` or `report.report` present in modify
query response
2026-03-20 10:30:52 -05:00
Marko Lisica
dab138bfbf
Update SSO session validity from 5 to 15 min by default (#41456)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #39968

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
2026-03-20 10:56:54 +01:00
Victor Lyuboslavsky
e53b9f024c
Fixed bug where Windows hosts would get 0 CVEs. (#42021)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #35067

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Fixed MSRC vulnerability scanning on Windows hosts with empty display
version data, ensuring CVEs are now correctly retrieved instead of
returning zero vulnerabilities.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
2026-03-19 22:01:59 -05:00
Victor Lyuboslavsky
daa7988911
Refactored to improve NilAway coverage (#42106)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #42092

Renamed the major anonymous functions so that NilAway analyzes them.

Disable whitespace differences when reviewing.

lint-incremental catches issues that were there already. Not a concern.
Main doesn't run lint-incremental, so we can merge with errors.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually

## fleetd/orbit/Fleet Desktop

- [x] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [x] Verified that fleetd runs on macOS, Linux and Windows
- [x] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
2026-03-19 22:01:44 -05:00
George Karr
99f8639484
feat installers labels include all (#42061)
- **DB migration: Add `require_all` column to installers labels tables
(#41279)**
- **Backend: Support labels_include_all for installers/apps (#41324)**
- **ui impl for labels include all (#41836)**

<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #39916

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually

## Database migrations

- [x] Checked schema for all modified table for columns that will
auto-update timestamps during migration.

## New Fleet configuration settings

- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- [x] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [x] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
2026-03-19 15:11:54 -05:00
Magnus Jensen
a8c9e261d7
speed up macOS profile delivery for initial enrollments (#41960)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #34433 

It speeds up the cron, meaning fleetd, bootstrap and now profiles should
be sent within 10 seconds of being known to fleet, compared to the
previous 1 minute.

It's heavily based on my last PR, so the structure and changes are close
to identical, with some small differences.
**I did not do the redis key part in this PR, as I think that should
come in it's own PR, to avoid overlooking logic bugs with that code, and
since this one is already quite sized since we're moving core pieces of
code around.**

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.


## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Faster macOS onboarding: device profiles are delivered and installed
as part of DEP enrollment, shortening initial setup.
* Improved profile handling: per-host profile preprocessing, secret
detection, and clearer failure marking.

* **Improvements**
  * Consolidated SCEP/NDES error messaging for clearer diagnostics.
  * Cron/work scheduling tuned to prioritize Apple MDM profile delivery.

* **Tests**
* Expanded MDM unit and integration tests, including
DeclarativeManagement handling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-19 14:58:10 -05:00
Jordan Montgomery
97433a5de6
Update PEM header type per hydrant spec (#42052)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #40910

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [x] QA'd all new/changed functionality manually
2026-03-19 15:37:22 -04:00
Jahziel Villasana-Espinoza
8575c9758c merge main 2026-03-19 13:02:42 -04:00
Victor Lyuboslavsky
8dfdb94885
Updated ingestion/CVE logic to support Jetbrains software with 2 version numbers (#42003)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #37323

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Improved JetBrains software version detection to support the newer
two-part version format (e.g., WebStorm 2025.1).
* Enhanced CVE/vulnerability tracking accuracy for JetBrains products
with updated version number parsing.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-19 11:14:14 -05:00
Jahziel Villasana-Espinoza
eb2393bce8 Merge branch 'main' into feat-installers-labels-include-all 2026-03-19 10:31:07 -04:00
Victor Lyuboslavsky
fbc5b9d8b6
Updated go to 1.26.1 (#42027)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41749

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
2026-03-19 07:01:00 -05:00
Victor Lyuboslavsky
d177078b40
Allow OTEL service name to be overridden (#41890)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41888

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* OpenTelemetry service name can now be configured via the standard
OTEL_SERVICE_NAME environment variable
* Support for OTEL_RESOURCE_ATTRIBUTES environment variable to customize
telemetry resource attributes

* **Chores**
* Enhanced OpenTelemetry resource initialization to support environment
variable overrides for improved deployment flexibility

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-18 13:59:28 -05:00
Jahziel Villasana-Espinoza
02a9eb8769 merge main 2026-03-18 14:49:08 -04:00
Martin Angers
ba04887100
Backend: Support labels_include_all for installers/apps (#41324)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #40721 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [ ] QA'd all new/changed functionality manually

I (Martin) did test `labels_include_all` for FMA, custom installer, IPA
and VPP apps, and it seemed to all work great for gitops apply and
gitops generate, **except for VPP apps** which seem to have 2 important
pre-existing bugs, see
https://github.com/fleetdm/fleet/issues/40723#issuecomment-4041780707

## New Fleet configuration settings

- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled

---------

Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
2026-03-18 13:27:53 -04:00
Juan Fernandez
52822be6d4
Trim spaces on Fleet's names (36312)
Resolves #36312 

- Validate and trim fleet names in NewTeam, ModifyTeam, and
ApplyTeamSpecs
- Trim fleet names in gitops YAML parsing (parseName)
- Disable submit button in CreateTeamModal and RenameTeamModal when name
is whitespace-only
2026-03-18 12:20:23 -04:00
Juan Fernandez
b226eb56d0
New API endpoint for host reports (41534)
Resolves #41534 

Added GET /api/v1/fleet/hosts/{id}/reports endpoint (also accessible as
/hosts/{id}/queries) that lists the query reports associated with a
specific host.
2026-03-18 11:03:48 -04:00
Martin Angers
8c85ef8ad3
Bugfix: properly enqueue compatible setup experience items for arch/omarchy linux (#41778) 2026-03-17 15:04:33 -04:00
Nico
b89cc578ca
Add disk_space fleetd table for accurate macOS disk space reporting (#41575)
**Related issue:** Resolves #36799, Sub-task: #41556

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<img width="924" height="278" alt="Screenshot 2026-03-16 at 10 46 38 AM"
src="https://github.com/user-attachments/assets/313b6650-a849-4bc2-ba14-a62d3d13b60c"
/>
<img width="1441" height="300" alt="Screenshot 2026-03-16 at 10 46
44 AM"
src="https://github.com/user-attachments/assets/915cfd26-168f-4621-bcf5-6c26c40e5faf"
/>
<img width="1923" height="788" alt="Screenshot 2026-03-16 at 10 54
04 AM"
src="https://github.com/user-attachments/assets/62356a3e-84fe-4561-b7ad-0a35c9db3b2a"
/>
<img width="2529" height="483" alt="Screenshot 2026-03-16 at 10 47
02 AM"
src="https://github.com/user-attachments/assets/4dc51073-2c24-4934-bd9d-c5ee648d5ae1"
/>

Tested that with latest released fleetd (1.53.0), we still ingest the
available disk space. There's about 5% difference in the UI vs in the
macOS "Get Info" dialog (expected, since we use the old query, now
called `disk_space_darwin_legacy`):

<img width="267" height="306" alt="Screenshot 2026-03-17 at 8 47 22 AM"
src="https://github.com/user-attachments/assets/73fc1eef-a32c-4d8d-a9ca-13980885f8fe"
/>
<img width="883" height="407" alt="Screenshot 2026-03-17 at 8 47 33 AM"
src="https://github.com/user-attachments/assets/98851b9b-82a8-4ac8-af5c-dbb878f85fad"
/>
<img width="159" height="127" alt="Screenshot 2026-03-17 at 8 47 40 AM"
src="https://github.com/user-attachments/assets/209f784a-29a8-4af5-b95d-0f9bd59917c9"
/>

Also tested running with vanilla osquery by stopping fleetd and then
running osquery manually (adding the `--allow_unsafe` flag). Result is
same as above, `disk_space_darwin_legacy` is used:

<img width="1152" height="418" alt="Screenshot 2026-03-17 at 8 59 23 AM"
src="https://github.com/user-attachments/assets/2b34d23d-61de-4ec1-8d1c-2d3ddb682d11"
/>
<img width="893" height="414" alt="Screenshot 2026-03-17 at 8 59 28 AM"
src="https://github.com/user-attachments/assets/d28ee8fb-08c5-434f-abfa-3825b27ac73b"
/>



## Summary

- Adds a new macOS-only fleetd table `disk_space` that uses
`NSURLVolumeAvailableCapacityForImportantUsageKey` to report available
disk capacity including purgeable storage — matching what macOS shows in
Finder's "Get Info" dialog.
- Adds a new `disk_space_darwin` detail query that uses the new table
(with Discovery, so it only runs on hosts with fleetd ≥ 1.54.0).
- Restricts the existing `disk_space_unix` query to Linux only (darwin
was removed since the new query handles it).
- Adds schema documentation for the new table.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-17 12:59:17 -03:00
Nico
b0a3c8a90c
Save logo URL for dark and light backgrounds during setup (#41823)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #39082 

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually


https://github.com/user-attachments/assets/51ede24f-3317-455a-8995-fd50e9281a47

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-03-17 12:35:36 -03:00
Nico
5c4445e1dc
Allow typing whitespaces on Settings > Integrations > SSO > End users form (#41817)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #40715

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] QA'd all new/changed functionality manually



https://github.com/user-attachments/assets/98d6cc51-06b5-4120-86de-65d3f6dbf359

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
2026-03-17 12:35:25 -03:00
Victor Lyuboslavsky
02e8d474e2
Use swap table pattern and batch delete to improve DB access patterns for vuln cron (#41729)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41664

Switching `kernel_host_counts` to the established swap pattern. Reduce
load on the DB writer by moving the large read to the DB reader.

Do `CleanupSoftwareTitles` in batches. With a single large
select/delete, it took > 16 minutes. In batches, it took ~1.5 minutes in
loadtest with 100K hosts.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

- [x] Alerted the release DRI if additional load testing is needed

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Performance Improvements**
* Added indexing and a batched swap/insert flow to speed up
vulnerability-related queries and lower maintenance contention.
* Batched cleanup of orphaned records to reduce long-running delete
operations.

* **Reliability**
* Migration removes a legacy constraint to simplify data maintenance and
avoid migration failures.
* Scheduled vulnerability refresh now runs more atomically to reduce
disruption.

* **Tests**
* Updated assertion logic to improve test clarity for host-count
verification.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-17 10:34:52 -05:00
Lucas Manuel Rodriguez
3a223ca939
Windows conditional access: Ingest device_id from Windows devices (#41822)
Resolves #41475

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
- [X] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)

- [X] QA'd all new/changed functionality manually
2026-03-17 12:33:39 -03:00
Magnus Jensen
190652cc65
up default limit for software batch (#41827)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** None

Based on a Slack thread from a customer, this endpoint seems like it was
missed

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] QA'd all new/changed functionality manually
2026-03-17 10:20:09 -05:00
Scott Gress
30632040b1
Fix addFleetMaintainedAppEndpoint to accept fleet_id param (#41805)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41771

# Details

Solves two issues in 4.82:

1. The `fleet_id` param in `POST /software/fleet_maintained_apps` wasn't
being read, causing all FMAs using that param to be added to fleet ID 0
(unassigned aka No Team)
2. We were logging deprecation warnings for body params even if the
topic was turned off, meaning Fleet would generate deprecation warnings
in certain cases that users wouldn't be able to fix.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
Added unit tests for the decoder since it's got one-off logic in it
- [X] QA'd all new/changed functionality manually
  - [X] Added an FMA to a fleet successfully using `fleet_id`
- [X] Added an FMA to a fleet successfully using `team_id` and saw
deprecation warning
  - [X] Added an FMA to "Unassigned" successfully using `fleet_id=0`
  - [X] Added an FMA to "Unassigned" successfully using `team_id=0`
- [X] Added an FMA to "Unassigned" successfully with no `fleet_id` or
`team_id` param (this seems like a bug but it's existing behavior)

---------

Co-authored-by: Ian Littman <iansltx@gmail.com>
2026-03-17 09:59:03 -05:00
Victor Lyuboslavsky
3b43629a81
Fixed nondeterministic CPE matching when multiple CPE candidates share the same product name (#41649)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #39899

This fix fixes the determinism issue by ordering the results, however,
it does not necessarily fix the correctness issue. Another bug opened
for that: https://github.com/fleetdm/fleet/issues/41644

That's why you see changes in `cpe_test.go` that may seem incorrect in
some cases. In reality the previous behavior was purely by coincidence
(based on insert order).

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Fixed nondeterministic CPE matching when multiple candidates share the
same product name. CPE selection is now deterministic and prioritizes
matches based on vendor alignment with the software being analyzed.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-17 07:22:23 -05:00
Carlo
c0fc3787fc
Fix icon upload for multi-team software titles (#41785)
Fixes #41688

---------

Co-authored-by: Ian Littman <iansltx@gmail.com>
2026-03-17 06:55:22 -04:00
jacobshandling
235a79eeaa
Generate correct CPE from malformed ipswitch whatsup CPE, ensure matches relevant CVEs (#41704)
**Related issue:** Resolves #32662 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [ ] Changes file added for user-visible changes in `changes/`
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Use CPE alias handling to generate correct CPE from malformed one,
ensuring correct CVEs are matched.

* **Tests**
* Added comprehensive test coverage for the enhanced CPE alias
expansion, including malformed CPE mapping scenarios and CVE matching
validation for Ipswitch WhatsUp.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-16 16:17:47 -05:00
Victor Lyuboslavsky
85b5e7a95a
Fixed 500 and 402 on My Device page. (#41748)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41742

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Bug Fixes**
* Fixed crashes on the "My device" page for Fleet Free instances when a
host is assigned to a team.
* Improved error handling to prevent application crashes when policy
data is unavailable.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-16 16:09:43 -05:00
Victor Lyuboslavsky
902b4af289
Fixed GitOps failing to delete a certificate authority (#41693)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #38036

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* GitOps now correctly orders operations so certificate authorities can
be removed only after referencing certificate templates are handled,
preventing failed deletions during config updates.
* Improved user-facing error when a CA cannot be deleted because
certificate templates still reference it, with guidance to remove
templates first.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-16 15:51:28 -05:00
Juan Fernandez
139e365d42
Improve contention around policy_membership table (35484) (#40853)
Resolves #35484

Concurrent execution of GitOps apply runs and
RecordPolicyQueryExecutions led to database locking issues when the
policy_membership table was large. This occurred because the cleanup
process (DELETE operations) was bundled within the same transaction as
the GitOps policy updates. To resolve this, the deletion logic has been
batched and moved outside the primary GitOps transaction, reducing lock
contention.
2026-03-16 15:12:25 -04:00
Victor Lyuboslavsky
4e7c2e5715
Fixed team maintainers, admins, and GitOps users being unable to add certificate templates (#41740)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #39308

Doc updates: https://github.com/fleetdm/fleet/pull/41760/changes

The reason secrets are involved here is because `gitops generate` can
get them.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Release Notes

* **Bug Fixes**
* Fixed access permissions for team maintainers, admins, and GitOps
users, enabling them to add certificate templates by granting required
read access to certificate authorities.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-16 12:24:31 -05:00
Sarah Gillespie
3b859303d2
Improve UI for FileVault "action required" notifications banner (#41594) 2026-03-16 11:21:25 -05:00
Magnus Jensen
ed53670201
don't short circuit scep renewal if awaiting configuration (#41523)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #40881 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
2026-03-16 10:37:06 -05:00
Nico
48a1935c2b
Fixed editing reports on free tier failing due to triggering a premium license check (#41747)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41652

Solution is to not pass `labels_include_any` to the payload of the PATCH
endpoint request.

# Checklist for submitter

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [x] QA'd all new/changed functionality manually



https://github.com/user-attachments/assets/7c825b92-0b03-448a-8e42-83e39a2acdf6



For unreleased bug fixes in a release candidate, one of:

- [x] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
2026-03-16 11:42:58 -03:00
Victor Lyuboslavsky
8c81821d0f
Reduced database contention during the vulnerability cron (#41667)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41664

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

- [x] Alerted the release DRI if additional load testing is needed

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Chores**
* Optimized database performance for vulnerability processing to reduce
contention during routine operations.
  * Improved query efficiency for software cleanup processes.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-14 09:31:58 -05:00
Jahziel Villasana-Espinoza
ce5f1e050a
fix issue with duplicate entries in setup experience for FMAs (#41685)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41663 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects

## Testing

- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually

The 2 first software entries are for FMAs that had multiple versions in
Fleet and had been rolled back. Note that there is 1 row for each.

<img width="2940" height="1912" alt="LWScreenShot 2026-03-13 at 2 53
50 PM"
src="https://github.com/user-attachments/assets/48464655-5728-4965-8fd4-4c4c0c550f35"
/>
2026-03-13 18:10:55 -04:00
Carlo
2abacc577e
Feat/31914 patch policy (#41518)
Implements patch policies #31914 

- https://github.com/fleetdm/fleet/pull/40816
- https://github.com/fleetdm/fleet/pull/41248
- https://github.com/fleetdm/fleet/pull/41276
- https://github.com/fleetdm/fleet/pull/40948
- https://github.com/fleetdm/fleet/pull/40837
- https://github.com/fleetdm/fleet/pull/40956
- https://github.com/fleetdm/fleet/pull/41168
- https://github.com/fleetdm/fleet/pull/41171
- https://github.com/fleetdm/fleet/pull/40691
- https://github.com/fleetdm/fleet/pull/41524
- https://github.com/fleetdm/fleet/pull/41674

---------

Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
Co-authored-by: jkatz01 <yehonatankatz@gmail.com>
Co-authored-by: RachelElysia <71795832+RachelElysia@users.noreply.github.com>
Co-authored-by: Jahziel Villasana-Espinoza <jahziel@fleetdm.com>
2026-03-13 16:47:09 -04:00
Victor Lyuboslavsky
ca89b035ac
Don't clear past lock/wipe (#41504)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41190 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

## Bug Fixes
* Improved audit log accuracy when canceling pending lock or wipe
commands. The original activity record is now preserved, with the
cancellation tracked as a separate follow-up entry for better
visibility.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-13 15:21:24 -05:00
Victor Lyuboslavsky
8f24773d2e
Added per-IP rate limiting and response caching (#41516)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #37092 

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.

## Testing

- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Added per‑IP rate limiting to IdP metadata and SSO endpoints.
* Implemented TTL-backed in‑memory caching for IdP metadata responses to
reduce backend load.

* **Tests**
* Added tests covering metadata caching behavior, cache miss/error
handling, and content type preservation.
* Added tests validating rate limiting behavior across clients, bursts,
and proxy scenarios.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2026-03-13 15:21:16 -05:00
Scott Gress
759c95100a
Add aliases for more multi-platform setup experience fields (#41599)
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #41091

# Details

Implements the following config key aliases:

- [x] Add a second name for `bootstrap_package`:
`macos_bootstrap_package`
  - Support `bootstrap_package` for backwards compatibility
- [x] Add a second name for `manual_agent_install`:
`macos_manual_agent_install`
  - Support `manual_agent_install` for backwards compatibility
- [x] Add a second name for `enable_release_device_manually `: `apple_
enable_release_device_manually `
  - Support `enable_release_device_manually` for backwards compatibility
- [x] Add a second name for `script`: `macos_script`
  - Support `script` for backwards compatibility

Also cleans up some error messages missed in previous alias PRs.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.

## Testing

- [X] Added/updated automated tests
- [X] QA'd all new/changed functionality manually
ran gitops successfully with new keys
2026-03-13 15:17:05 -05:00