**Related issue:** Resolves #34950
I changed from the original spec of 100 old commands to 3 due to load
test results. Admittedly my load test meant a very large number of hosts
all checked in and triggered deletion at once but at 100 per host and
per command the load was too high. 3 still results in cleanup over time
and doesn't seem to cause load issues.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [x] QA'd all new/changed functionality manually
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Changes:
- Added a new action `deliver-partner-registration-submission`
- Added a new page: `/partners` A page where users can submit a form to
register as a partner (reseller or integrations) or register a deal
- Updated `deliver-deal-registration-submission` to work with the new
form.
- Removed the route for the `/deals` page, and added a redirect to the
/partners page.
- Added a new email template `email-partner-registration`
- Added fake template data to the email template preview tool's view
action for the new/updated email templates.
---------
Co-authored-by: Mike Thomas <78363703+mike-j-thomas@users.noreply.github.com>
## Summary
- Adds a new "MAC address" vital to the host details page, displaying
`primary_mac` from the host API response
- Follows the same rendering pattern as existing vitals (Private IP
address, Public IP address, etc.) using `DataSet` +
`TooltipTruncatedText`
- Scoped to the same host types that show IP addresses (excludes
iOS/iPadOS and Android hosts, matching the behavior in the Manage Hosts
table)
## Changes
- `frontend/pages/hosts/details/cards/Vitals/Vitals.tsx` — Added MAC
address vital entry within the existing `!isIosOrIpadosHost &&
!isAndroidHost` conditional block
Built for
[mikermcneil](https://fleetdm.slack.com/archives/D0AFASLRHNU/p1774991978746479)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Rachael Shaw <r@rachael.wtf>
Co-authored-by: Juan Fernandez <juan@fleetdm.com>
UPDATE: @noahtalerman: For the following quick win:
- https://github.com/fleetdm/fleet/issues/42054
## Summary
- Always use plural forms ("reports", "hosts", "policies") in delete
modal titles and success/error flash messages, regardless of selection
count
- Remove conditional singular/plural logic from delete reports, delete
hosts, and delete policies flows
- Fix DeleteHostModal body text to properly pluralize "host"/"hosts"
based on count while dropping "the record of" for cleaner messaging
Resolves #40164
Manually verified:
<img width="785" height="187" alt="image"
src="https://github.com/user-attachments/assets/c2b91fd4-3592-4760-8241-c33a89e162c0"
/>
Adds a "Learn more" link to the [End-user
Authentication](https://fleetdm.com/guides/setup-experience#end-user-authentication)
documentation on the `/settings/integrations/sso/end-users` page, making
it easier for customers to reference docs while configuring SSO
settings.
- **`EndUserAuthSection.tsx`**: Appended a `Learn more` anchor (opens in
new tab) after the description text in the end-user auth settings card.
## Summary by CodeRabbit
* **New Features**
  * Added a "Learn more" link in the end user authentication setup
    section, providing quick access to comprehensive setup guidance and
    documentation.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: getvictor <2685025+getvictor@users.noreply.github.com>
## Summary
**Mode 1 fix (structural):** Applies
`MicrosoftVersionFromReleaseNotes` to `microsoft-outlook/darwin`,
`microsoft-powerpoint/darwin`, and `microsoft-onenote/darwin` in the
FMA enrichment `Funcs` map, and regenerates output manifests with
corrected short versions (e.g. `16.106.2` instead of
`16.106.26022219`). Word and Excel already had this transformation;
this brings the remaining Office suite into parity.
**Mode 2 fix (reliability):** When the exact Homebrew build number
cannot be matched against Microsoft's release notes page (e.g., because
the page hasn't been updated yet for a newly published build), the
transformer now falls back to the base `major.minor` version (e.g.,
`16.106`) rather than leaving the raw build string in the manifest
(e.g., `16.106.26021521`). The raw build string caused a perpetual
"update available" loop because `compareVersions("16.106.1",
"16.106.26021521")` always evaluates to -1, regardless of how many
times the update is installed. Also adds a guard for versions with fewer
than 3 segments to prevent silent corruption.
**Root cause:** osquery reports installed app versions using
`CFBundleShortVersionString` (e.g. `16.106.2`), but the FMA manifest
stored the raw Homebrew build version (`CFBundleVersion`, e.g.
`16.106.26022219`). The mismatch caused Fleet to perpetually show
"update available" even after the latest version was installed.
Fixes #40647
## Test plan
- [x] Verify `microsoft-outlook/darwin.json`,
`microsoft-powerpoint/darwin.json`, and
`microsoft-onenote/darwin.json` outputs now contain short version
strings (e.g. `16.106.2`)
- [x] Verify `microsoft-word/darwin.json` and
`microsoft-excel/darwin.json` are unchanged
- [x] Run `go test ./ee/maintained-apps/...` — all tests pass
- [ ] Add a fleet-maintained Outlook/PowerPoint/OneNote app to a team;
confirm a host with the current version installed shows as up-to-date
(no spurious "update available")
- [ ] Confirm that if the ingester runs against a Homebrew build whose
number is not yet in Microsoft's release notes, the manifest stores the
base version (e.g. `16.107`) rather than the raw build string (e.g.
`16.107.26031234`)
---------
Co-authored-by: Dante Catalfamo <43040593+dantecatalfamo@users.noreply.github.com>
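
The version mismatch described in the commit message above, as an added Go example that is not Fleet's code. `compareVersions` here is an assumed segment-by-segment numeric comparison, `manifestVersion` and the `sampleNotes` lookup are hypothetical, and passing short inputs through unchanged is one assumed reading of the under-3-segments guard.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleNotes is a constructed build -> short version lookup standing in for
// the release notes page.
var sampleNotes = map[string]string{"16.106.26022219": "16.106.2"}

// compareVersions compares dotted versions segment by segment as integers
// (missing segments count as 0). Assumed semantics, not Fleet's implementation.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x < y {
			return -1
		} else if x > y {
			return 1
		}
	}
	return 0
}

// manifestVersion maps a raw build to the short version found in notes.
// Unknown builds fall back to major.minor; inputs with fewer than 3 segments
// are returned unchanged (assumed behaviour of the guard).
func manifestVersion(build string, notes map[string]string) string {
	parts := strings.Split(build, ".")
	if len(parts) < 3 {
		return build
	}
	if short, ok := notes[build]; ok {
		return short
	}
	return parts[0] + "." + parts[1]
}

// UpdateAvailable reports whether installed is older than the manifest version.
func UpdateAvailable(installed, manifest string) bool {
	return compareVersions(installed, manifest) < 0
}

func main() {
	for _, build := range []string{"16.106.26022219", "16.106.26021521"} {
		m := manifestVersion(build, sampleNotes)
		fmt.Println(build, "->", m, UpdateAvailable("16.106.2", build), UpdateAvailable("16.106.2", m))
	}
}
```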
## Summary
- Adds a new "Renewals" section to
`handbook/sales/opportunity-stages.md` with two callouts:
  - When a renewal oppty is confirmed to churn, set the stage to "Meeting
    set" (0% probability) to signify the churn.
  - When renewals are created, they should be set to "PoV (Proof of
    Value)".
Built for [Sam
Pfluger](https://fleetdm.slack.com/archives/C08BTMFTUCR/p1775071874174119?thread_ts=1775070601.552599&cid=C08BTMFTUCR)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com>
**Related issue:** Resolves #40117
Fix:
<img width="1033" height="320" alt="image"
src="https://github.com/user-attachments/assets/a6a642ef-d174-4ca7-b89b-8bb127c5c961"
/>
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
## Summary by CodeRabbit
* **Bug Fixes**
  * Fixed incorrect platform detection for SQL queries that use table
    aliases (e.g., `FROM mounts m`).
Closes: https://github.com/fleetdm/fleet/issues/42829
Changes:
- Updated the trial licenses generated for users in
view-fleet-premium-trial-or-redirect and view-fleetctl-preview to use
"Fleet Premium trial" as the organization if a user does not have an
organization set (older accounts created for Fleet sandbox)
**Related issue:** Resolves #37546
Docs: https://github.com/fleetdm/fleet/pull/42780
Demo: https://www.youtube.com/watch?v=K44wRg9_79M
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
## Testing
- [x] Added/updated automated tests
- [x] QA'd all new/changed functionality manually
## Database migrations
- [x] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.
## Summary by CodeRabbit
* **New Features**
  * Automatic retry for Android certificate installations: failed installs
    are retried up to 3 times before marked terminal.
  * Installation activities recorded: install/failed-install events (with
    details) are logged for better visibility and troubleshooting.
  * Resend/reset actions now reset retry state so retries behave
    predictably after manual resend.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [X] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements), JS
inline code is prevented especially for url redirects, and untrusted
data interpolated into shell scripts/commands is validated against shell
metacharacters.
## Testing
- [X] QA'd all new/changed functionality manually
Server log when SCIM ingestion receives a deactivation event for the
last admin:
```log
ts=2026-04-01T15:23:01Z level=error msg="failed to delete fleet user on deactivation" component=SCIM err="cannot delete last global admin"
```
Server response when attempting to demote last admin:
```json
{
  "message": "Validation Failed",
  "errors": [
    {
      "name": "global_role",
      "reason": "cannot demote the last global admin"
    }
  ],
  "uuid": "1d110f56-25ac-47b8-bc96-982354474a87"
}
```
Server response when attempting to delete last admin:
```json
{
  "message": "Validation Failed",
  "errors": [
    {
      "name": "id",
      "reason": "cannot delete the last global admin"
    }
  ],
  "uuid": "1448c2da-30e2-4652-a9a8-a01fc4f9b9c1"
}
```
---
## Original AI Summary
- Fixes a TOCTOU race condition where two concurrent admin operations
could bypass the last-global-admin guard, leaving zero admins and
permanently locking out the Fleet instance (fleetdm/confidential#14827)
- Introduces two new atomic datastore methods
(`DeleteUserIfNotLastAdmin`, `SaveUserIfNotLastAdmin`) that wrap the
admin count check and the write in a single MySQL transaction with
`SELECT ... FOR UPDATE`
- Fixes all four vulnerable code paths: service `DeleteUser`, service
`ModifyUser` (two demotion paths), and SCIM user deletion
## Test plan
- [X] Manual verification: single admin cannot be deleted or demoted
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
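
The race and its fix from the commit message above, as an added Go example that is not Fleet's code. The in-memory `Store` and its mutex are assumed stand-ins for the users table and the `SELECT ... FOR UPDATE` transaction; only the method name `DeleteUserIfNotLastAdmin` comes from the commit.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var ErrLastAdmin = errors.New("cannot delete the last global admin")

// Store is a hypothetical in-memory users table that holds only global admins.
type Store struct {
	mu     sync.Mutex
	admins map[uint]struct{}
}

func newStore() *Store { return &Store{admins: map[uint]struct{}{1: {}, 2: {}}} }

// DeleteUserIfNotLastAdmin keeps the lock held across the count check and the
// write, so no other request can act on a stale count.
func (s *Store) DeleteUserIfNotLastAdmin(id uint) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if len(s.admins) <= 1 {
		return ErrLastAdmin
	}
	delete(s.admins, id)
	return nil
}

// RacyInterleaving replays the losing schedule of the unguarded path in one
// goroutine: both requests run their check before either one writes.
func RacyInterleaving() int {
	s := newStore()
	okA, okB := len(s.admins) > 1, len(s.admins) > 1 // both see 2 admins
	if okA && okB {
		delete(s.admins, 1) // request A deletes admin 1
		delete(s.admins, 2) // request B deletes admin 2
	}
	return len(s.admins)
}

// GuardedConcurrent issues the same two deletions in parallel through the guard.
func GuardedConcurrent() (left, rejected int) {
	s, errs := newStore(), make(chan error, 2)
	for _, id := range []uint{1, 2} {
		go func(id uint) { errs <- s.DeleteUserIfNotLastAdmin(id) }(id)
	}
	for i := 0; i < 2; i++ {
		if errors.Is(<-errs, ErrLastAdmin) {
			rejected++
		}
	}
	return len(s.admins), rejected
}

func main() { fmt.Println(RacyInterleaving(), "admins left after the racy schedule") }
```

Whichever request takes the lock second sees a count of one and is rejected, so exactly one admin always remains.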
## Summary
- Deletes the case study page at
`/case-study/global-social-media-platform` by removing
`articles/global-social-media-platform.md`
- Removes the redirect route from `website/config/routes.js`
- Removes the reference from `handbook/marketing/fleet-social-proof.md`
Built for [Ashish
Kuthiala](https://fleetdm.slack.com/archives/D0AG9JQ53GA/p1775065386519169)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
This PR will remain in draft as a preview of upcoming documentation
changes for 4.83.0
---------
Co-authored-by: Marko Lisica <83164494+marko-lisica@users.noreply.github.com>
Co-authored-by: Jordan Montgomery <elijah.jordan.montgomery@gmail.com>
Co-authored-by: melpike <79950145+melpike@users.noreply.github.com>
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Noah Talerman <47070608+noahtalerman@users.noreply.github.com>
Co-authored-by: Jonathan Katz <44128041+jkatz01@users.noreply.github.com>
Co-authored-by: kilo-code-bot[bot] <240665456+kilo-code-bot[bot]@users.noreply.github.com>
Co-authored-by: Carlo <1778532+cdcme@users.noreply.github.com>
Added troubleshooting guidelines for managed cloud and self-hosted
customer infrastructure issues, including steps for log review and
escalation procedures.
## Changes
- Added new quarterly access review ritual to IT rituals configuration
- Task is scheduled to start on 2026-04-01 with quarterly frequency
- Configured to automatically create issues using the
compliance-quarterly-access-review template
- Assigned to lppepper2 as DRI
- Tagged with `:help-it` label in confidential repo
## Summary
- Deletes the case study page at
`/case-study/european-financial-services` by removing
`articles/european-financial-services.md`.
- The case study was dynamically discovered by the build system via its
`category: "case study"` meta tag, so removing the markdown file fully
removes the page and its card on the `/customers` listing page. No other
files reference it.
---
Built for [Ashish
Kuthiala](https://fleetdm.slack.com/archives/D0AG9JQ53GA/p1775052553517879)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
- Add documentation for historical events and salesforce campaigns.
- Moved and consolidated "Connecting Eventbrite registrations to
Salesforce campaigns (event ID key)"
**Related issue:** Resolves #37546
Noah approved design here:
https://fleetdm.slack.com/archives/C09HG9VMRSS/p1774895365069069?thread_ts=1774647818.613419&cid=C09HG9VMRSS
Docs: https://github.com/fleetdm/fleet/pull/42609
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
## Testing
- [x] QA'd all new/changed functionality manually
## Summary by CodeRabbit
* **New Features**
  * Certificate installation activity logging for Android hosts (success &
    failure)
  * "Installed certificate" activity type displayed in host activity feed
    with status
  * Host activity card enabled on Android host details page to show
    installs
  * Detailed install modal with error detail reveal when failures occur
  * Upcoming activities tab disabled for Android hosts where unsupported
Motivation: add a check for a common issue I see humans and AI agents
making, so that we don't have to waste time on it in code reviews.
Resolves #42635
Note: This lint check has been mostly AI generated. I don't think it
needs a thorough review because it is not production code and not even
test code. Any issues will be obvious from usage by contributors.
Add a custom go/analysis analyzer that detects map[T]bool variables
used as sets (where only the literal `true` is ever assigned) and
suggests using map[T]struct{} instead, which is the idiomatic Go
approach for sets — zero memory for values and unambiguous semantics.
The analyzer minimizes false positives by:
- Only flagging when ALL indexed assignments use the literal `true`
- Skipping variables initialized from function calls (unknown source)
- Skipping variables reassigned from unknown sources
- Skipping function parameters and exported package-level variables
- Skipping range loop variables
Integrated as an incremental linter (new/changed code only) to avoid
breaking existing code.
Running this check on our whole codebase flags valid cases:
```
cmd/fleet/serve.go:306:2: map[string]bool used as a set; consider map[string]struct{} instead (setboolcheck)
allowedHostIdentifiers := map[string]bool{
^
cmd/fleetctl/fleetctl/generate_gitops.go:189:3: map[string]bool used as a set; consider map[string]struct{} instead (setboolcheck)
handled := make(map[string]bool, len(renames)*2)
^
cmd/fleetctl/fleetctl/generate_gitops.go:1593:2: map[uint]bool used as a set; consider map[uint]struct{} instead (setboolcheck)
m := make(map[uint]bool, len(ids))
```
## Summary by CodeRabbit
* **Chores**
  * Added a new code analyzer to detect maps used as boolean sets and
    recommend more efficient alternatives for better performance.
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Scott Gress <scottmgress@gmail.com>
Co-authored-by: Scott Gress <scott@fleetdm.com>
## Summary
- Updated the press boilerplate text in the marketing handbook page
(`handbook/marketing/README.md`) with refreshed messaging that
highlights Fleet's built-in AI capabilities, plain English
configuration, deployment flexibility, and Fleet Cloud option.
Built for [Ashish
Kuthiala](https://fleetdm.slack.com/archives/D0AG9JQ53GA/p1774990303517969)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>