<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42991
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [ ] Timeouts are implemented and retries are limited to avoid infinite
loops
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one hosts's records do not affect another)
- [x] QA'd all new/changed functionality manually
Comment out Zoom Fleet Maintained App entries and associated labels and
patch policies until Zoom FMA is present in Fleet. Files updated:
workstations.yml (zoom/darwin and zoom/windows software entries
commented), labels/* (macOS and x86 Windows Zoom labels commented), and
macOS/Windows patch policy files (Zoom patch policies disabled via
comments). This prevents Fleet from referencing or enforcing Zoom
policies while the FMA is not available.
Closes: https://github.com/fleetdm/fleet/issues/42116
Changes:
- Updated the syntax highlighting styles on documentation pages
(app-details, query-details, osquery-table-details, vital-details,
command-details, script-details, and policy-details)
- Added support and styles for syntax highlighting on article pages.
I learned that it doesn't matter if the client certificate is signed by
a root CA certificate specified under `Certificates[0].X509` when `Type`
is `Authority`.
In the case of `customer-pingali`, they have a client certificate signed
by a different CA, which confused their IT team. They initially used the
root CA that signed the client certificate and assumed that the same
certificate also signed the server certificate.
- @noahtalerman: Feedback from `cisneros` that it's not clear that Fleet
retries 3 times for software and scripts.
For the following quick win:
- https://github.com/fleetdm/fleet/issues/41107
Temporarily disable Zoom-related Fleet Maintained App (FMA) labels and
patch policies across macOS and Windows while the FMA installer issue is
resolved in gitops (SQL returned no rows). Commented out the Zoom label
entries in lib/all/labels/*-with-fleet-maintained-apps-installed.yml and
the corresponding Zoom patch policies in
it-and-security/lib/macos/policies/patch-fleet-maintained-apps.yml and
it-and-security/lib/windows/policies/patch-fleet-maintained-apps.yml,
with comments noting to uncomment them together when re-enabling.
Remove local Zoom software manifests and icon and replace them with
fleet-maintained app slugs. Workstations fleet now references
zoom/darwin and zoom/windows slugs; added dynamic labels for Macs and
x86 Windows hosts with Zoom installed. Patch policies for macOS and
Windows updated to include Zoom using the new slugs so patch
checks/notifications are centralized. Deleted legacy
it-and-security/lib/*/software/zoom.yml and the Zoom icon to avoid
duplicate/local package definitions.
Add lock_end_user_info: false to it-and-security/fleets/workstations.yml
under macos_setup so end-user information is not locked during macOS
enrollment. This allows end users to view or edit their info while
end-user authentication remains enabled.
## Summary
- Adds a new kilocode skill for cherry-picking PRs onto release
candidate branches
- Codifies the single-session constraint to prevent duplicate PRs
- Documents branch naming, commit message format, and common issues
## Test plan
- [ ] Verify the skill is picked up by Kilo when prompted with a
cherry-pick task
- [ ] Confirm the documented steps match the existing cherry-pick
workflow
Usage:
- `/cherry-pick 43082`: auto-picks the latest RC branch
- `/cherry-pick 43082 rc-minor-fleet-v4.84.0`: targets a specific RC
branch
Sample PR I opened with the skill:
https://github.com/fleetdm/fleet/pull/43110
This PR updates VSCode settings to use Fleet's installed version of
Typescript (v4.7.4) for its language server (linting, autocomplete,
etc.) instead of what's built in to VSCode (v6.0.2). As the two can
drift, we end up with VSCode incorrectly highlighting certain syntax as
incorrect.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#43064
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Release Notes
* **New Features**
* Certificate enrollment now verifies system delegation availability
before attempting installation, preventing unnecessary failures.
* **Bug Fixes**
* Enhanced error messages to include specific certificate alias and
delegation status information for better troubleshooting.
* Improved handling of system state exceptions during the enrollment
process.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Replace individual department-*.yml label files with a single
lib/all/labels/departments.yml and update it-and-security/default.yml to
reference the consolidated file. Removes the separate department files
and moves their label entries into departments.yml; behavior and label
criteria are unchanged — this is a refactor to reduce file clutter and
simplify label management.
Migrate Firefox management to the fleet-maintained app slug
(firefox/darwin): update workstations.yml to remove the old update
policy and replace the macOS software entry with the firefox/darwin
slug; add a dynamic label for Macs with Firefox installed; add a patch
policy that targets the fleet_maintained_app_slug and uses the new
label. Also remove legacy update policy and package files for Firefox
(macOS and Windows) and the hardcoded Firefox pkg URL. This consolidates
Firefox management under Fleet-maintained apps and removes
duplicated/obsolete artifacts.
## Summary
- Removes YubiKey/Yubikey mentions from onboarding-related handbook
pages
- Security policy pages (`handbook/it/security.md`) are intentionally
**not** modified
## Changes
### `handbook/it/README.md`
- Removed "and YubiKey security keys" from the equipment provisioning
intro
- Removed the bullet item to order YubiKey 5C NFC keys for new team
members
- Removed "and include Yubikeys (if requested)" from the shipping
checklist
### `handbook/company/leadership.md`
- Removed "do NOT receive Yubikeys" from the consultant distinction list
(no longer relevant since YubiKeys are not part of onboarding)
- Removed "and Yubikeys" from the core team member hiring description
### `handbook/company/communications.md`
- Removed "YubiKey security keys," from the tools & equipment overview
---
Built for [Isabell
Reedy](https://fleetdm.slack.com/archives/D0AEGJCGJR0/p1775558324267559?thread_ts=1775484858.521199&cid=D0AEGJCGJR0)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
**Related issue:** Resolves#42881
- Added user_api_endpoints table to track per user API endpoint
permissions.
- Added service/api_endpoints, used to handle service/api_endpoints.yml
artifact.
- Added check on server start that makes sure that
service/apin_endpoints.yml is a subset of router routes.
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#36643
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] QA'd all new/changed functionality manually
**Related issue:** Resolves#40076
This clears out the enrollment from migration status from the
`nano_enrollment` table if the device is going through a fresh
enrollment (aka not from an mdm migration)
# Checklist for submitter
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
- [x] Added/updated automated tests
- [ ] QA'd all new/changed functionality manually
---------
Co-authored-by: Magnus Jensen <magnus@fleetdm.com>
Resolves#42979
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [X] QA'd all new/changed functionality manually
Tested UI flow described in issue with:
- Global admin.
- Global maintainer.
- Team admin of one team.
- Team admin of two teams (where bug manifests).
- Team maintainer of two teams.
- Team admin of one team, maintainer of another team.
- Team admin of one team, technician of another team.
This pull request transitions the Windows Slack package from an
MSI-based installer to an MSIX-based installer, updating the ingestion
logic, install/uninstall scripts, and package metadata to support the
new format. It also updates the Slack version and the associated
detection queries to match the MSIX deployment. The most important
changes are:
**Slack Package Migration to MSIX:**
* Changed the Slack package definition in `slack.json` to use
`installer_type: msix`, set the installer scope to `user`, and
referenced new install/uninstall scripts tailored for MSIX.
* Updated the output package version to `4.49.81`, switched the
installer URL to the MSIX package, and adjusted detection queries to
match the new MSIX app name and publisher.
**Installer/Uninstaller Script Updates:**
* Added a new PowerShell install script (`slack_install.ps1`) that
provisions the MSIX package machine-wide and registers it for the
current user to improve inventory visibility.
* Added a new PowerShell uninstall script (`slack_uninstall.ps1`) that
removes both provisioned and per-user MSIX installations, with a timeout
and error handling.
**Ingestion Logic Enhancements:**
* Updated the `wingetIngester` logic to handle MSIX installers by
populating `ProductCode` from `PackageFamilyName` when needed, and to
extract only the prefix for MSI product codes.
* Extended the `installer` struct to include a `PackageFamilyName` field
for MSIX support.
## Summary
- Adds a comprehensive `.claude/` configuration that gives every
engineer Fleet-aware AI assistance out of the box — no MCP servers,
plugins, or external dependencies required
- Converts legacy `.claude/commands/` to skills with YAML frontmatter,
adds new skills, agents, rules, and hooks
- Adds ~2,500 tokens at startup; rules, skill bodies, and agent bodies
load on demand
## What's included
**6 rules** (auto-apply by file path):
- Go backend, frontend, database, API endpoints, and Orbit agent
conventions
- Covers: ctxerr errors, banned imports, `fleethttp.NewClient()`,
`new(expression)` over legacy `server/ptr`, bounded contexts
(`server/activity/`, `server/mdm/`), transaction safety (no
`ds.reader`/`ds.writer` inside tx), terminology (fleets/reports), React
Query, BEM, permissions utilities, and more
**12 skills** (invoke with `/`):
- `/review-pr`, `/fix-ci`, `/test`, `/find-related-tests`, `/lint` —
review and testing workflows
- `/new-endpoint`, `/new-migration`, `/update-data-dictionary` —
scaffolding and maintenance
- `/fleet-gitops`, `/spec-story`, `/project` — planning and
configuration workflows.
- `/project` includes a minimal self-improvement mechanism. Claude adds
discoveries and gotchas to the workstream context as you work, so each
session starts with slightly richer context than the last.
**3 agents** (specialized reviewers):
- `go-reviewer` (sonnet, proactive) — Go conventions, ctxerr, auth,
testing
- `frontend-reviewer` (sonnet, proactive) — TypeScript, React Query,
BEM, accessibility
- `fleet-security-auditor` (opus, on-demand) — MDM, auth gaps,
injection, PII exposure
**4 hooks** (automated):
- PreToolUse guard blocking dangerous commands (`rm -rf`, `force push`,
`pipe-to-shell`)
- PostToolUse goimports on Go files (`**/*.go`)
- PostToolUse prettier on frontend files (`frontend/**`)
- PostToolUse `lint-on-save`: auto-fixes with `golangci-lint --fix` /
`eslint --fix`, then runs `make lint-go-incremental` and feeds remaining
violations back to Claude as context for self-correction
**Permissions** — pre-approves safe operations (`test`, `lint`, `build`,
`make`, `git` read, `gh` CLI) and blocks dangerous ones (`force push`,
`rm -rf`)
**README** — includes a Claude Code primer for engineers new to the
tool, full reference for all skills/agents/hooks/rules, customization
guide (how to override skills, agents, model, effort), and contributing
instructions
**DATA-DICTIONARY.md** — updated with 13 recent migrations (March 2026)
that were missing
## Not covered (future iterations)
- `android/` (Android app)
- `website/` (Sails.js marketing site)
- `ee/fleetd-chrome/` (Chrome extension)
- `ee/vulnerability-dashboard/` (legacy Sails dashboard)
- `third_party/` (forked external code)
- Documentation workflows (guides, API docs, handbook)
- Fleet-maintained apps (FMA catalog, packaging, `ee/maintained-apps/`)
- MDM-specific conventions beyond the Go backend rule
## How to test
Pull the `.claude/` folder into your working branch without switching:
```bash
git checkout origin/cc-setup-teamwide -- .claude/
claude --debug # start a session and work normally
git checkout -- .claude/ # revert when done
git clean -fd .claude/ # remove new files that weren't on your branch
```
Check the debug log at `~/.claude/debug/` for detailed hook and tool
execution traces.
Try `/test` on a recent change, `/lint` go to lint Go files, or ask
Claude to review your code and watch the `go-reviewer` agent kick in.
### Test plan
- [x] Start a new Claude Code session in the Fleet project and run
`/context` to verify loading
- [x] Type `/` and confirm all 12 skills appear
- [x] Run `/test` on a small package
- [x] Edit a `.go` file and verify goimports runs automatically
- [x] Edit a `.go` file with a lint violation and verify `lint-on-save`
auto-fixes it
- [x] Edit a `.tsx` file and verify prettier runs automatically
- [x] Run a command like `echo test` and verify no permission prompt
(allowed by settings)
- [x] Verify `git diff` runs without prompt
- [x] Ask Claude to review code and check that the `go-reviewer` agent
is invoked
- [x] Verify skills
- [x] `/update-data-dictionary` correctly updates `DATA-DICTIONARY.md`
- [x] `/spec-story` fetches issue and follows the process defined in the
skill
- [x] `/project` detects memory directory and runs in a fork
- [x] `/review-pr` runs in fork, produces detailed review
- [x] `/lint go` detects changes and runs appropriate linters
- [x] `/lint frontend` detects changes and runs appropriate linters
- [x] `/lint full` runs all linters
- [x] `/test` detects changed packages and runs with correct env vars
- [x] `/test` runs frontend tests when frontend files changed
- [x] `/find-related-tests` outputs correct test files and go test
commands
- [x] `/fix-ci` with a real failing CI run URL
- [x] `/fleet-gitops` provides GitOps context and references
- [x] `/new-endpoint` scaffolds with correct Fleet patterns
- [x] `/new-migration` creates timestamped file + test file with correct
structure
- [x] Verify hooks
- [x] Verify agents
- [x] Verify rules
### Hooks test results
<img width="792" height="502" alt="Screenshot 2026-04-04 at 10 16 14 AM"
src="https://github.com/user-attachments/assets/ed066f65-1b79-4faa-a06f-3ce50837f055"
/>
<img width="811" height="693" alt="Screenshot 2026-04-06 at 8 49 28 AM"
src="https://github.com/user-attachments/assets/4513423e-d16c-40c1-a8d8-27f38a87acfd"
/>
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated internal developer documentation and Claude Code configuration
for improved development workflows, including coding standards, security
guidelines, testing procedures, and automated code review/formatting
setup.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
To deploy certificates, you must have a server private key setup or
GitOps errors with 'Error: applying certificate authorities: POST
/api/latest/fleet/spec/certificate_authorities received status 500
crypto/aes: invalid key size 0: crypto/aes: invalid key size 0'
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves#42853
This PR simply adds the `require_all_software_windows` config option. It
doesn't use it. The logic to use it will be hooked up in subsequent PRs.
The fleetctl TestIntegrationsPreview test is expected to fail since it
builds the server against main and doesn't know about our new config
option.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## New Fleet configuration settings
- [x] Verified that the setting is exported via `fleetctl
generate-gitops`
- Not exported. generate-gitops does not export
require_all_software_windows (or require_all_software_macos either). The
generateControls function (generate_gitops.go) outputs a "TODO: update
with your setup_experience configuration" placeholder when any setup
experience config exists, rather than exporting individual field values.
This is a pre-existing limitation that applies equally to both fields -
not something introduced by our PR.
- [x] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- Yes. PR #42046 adds require_all_software_windows to both docs/REST
API/rest-api.md and docs/Configuration/yaml-files.md.
- [x] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- Yes, it gets cleared to false - both when setup_experience: is present
without the field, and when setup_experience: is omitted entirely. This
is the same behavior as the existing require_all_software_macos field
- [x] Verified that any relevant UI is disabled when GitOps mode is
enabled
- Covered by #42854 (frontend subtask). The existing macOS checkbox in
InstallSoftwareForm.tsx:271 already checks gitOpsModeEnabled to disable
itself. The Windows checkbox to be added in #42854 will follow the same
pattern.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added a Windows setup experience software requirement setting. When
enabled, Windows devices will cancel the Autopilot setup if any required
software installation fails.
* **Tests**
* Added test coverage for the new Windows software requirement
configuration.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Closes https://github.com/fleetdm/fleet/issues/41798
Changes:
- Added an "About Fleet" section to the case study article template
page.
- Removed the "About Fleet" sections from case study articles.
FYI @irenareedy: After this change is merged, you will not need to
include an "About Fleet" section on new case study articles.
Bug fix for
https://github.com/fleetdm/fleet/pull/42063
**Related issue:** Resolves#40057
# Checklist for submitter
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
