Jordan Montgomery 227e94de5b 🤖 Chore: remove deprecated appendListOptionsWithCursorToSQL (#44385) ... <!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #44723 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. - [x] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters. - [x] If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes ## Testing - [x] Added/updated automated tests - [x] Where appropriate, [automated tests simulate multiple hosts and test for host isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing) (updates to one hosts's records do not affect another) - [ ] QA'd all new/changed functionality manually <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **Bug Fixes** * Strengthened validation of sorting/order parameters across many list and cursor-based endpoints — unsupported sort keys now return explicit errors and prevent unsafe queries. * Labels listing: label-list pagination query name changed; ordering by host_count is rejected when host counts are disabled (validated at request parsing). * **Tests** * Added/expanded tests covering allowed order keys, rejection of unknown keys, and pagination behavior for multiple listing APIs. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>		2026-05-05 10:26:47 -04:00
..
async	Removed duplicate FlippingPoliciesForHost DB calls (#42845)	2026-04-06 10:11:07 -05:00
calendar	Migrated logging and google calendar files to use slog (#40541)	2026-02-26 12:48:54 -06:00
conditional_access_microsoft_proxy	Fixed client-side errors being incorrectly reported as server errors in OTEL telemetry (#40051)	2026-02-19 16:06:00 -06:00
contract	Make orbit and Fleet Desktop not depend on server/service/ packages (#42231)	2026-03-26 10:59:42 -03:00
externalsvc
integrationtest	Converted old activity module into function. Cleaned up activity types. (#40752)	2026-03-03 01:01:42 -06:00
middleware	Skip membership catalog test for API-only users if they have access to everything (#44473)	2026-04-30 11:24:31 -04:00
mock	Add missing platform_like during orbit enrollment (#32671)	2025-09-05 16:05:19 -03:00
osquery_utils	43885: MLAPR migration + UUID capture (#44244)	2026-04-29 11:14:50 -04:00
redis_key_value	use redis to block double profile work for apple devices setting up (#42421)	2026-03-30 16:37:18 -05:00
redis_lock
redis_policy_set
schedule	Fix flaky test: TestTriggerPollPicksUpQueuedRecord (#41155)	2026-03-10 12:55:42 -05:00
testdata	Bugfix: properly enqueue compatible setup experience items for arch/omarchy linux (#41778)	2026-03-17 15:04:33 -04:00
activities.go	Converted old activity module into function. Cleaned up activity types. (#40752)	2026-03-03 01:01:42 -06:00
activities_test.go	Move PostJSONWithTimeout to platform/http package and activity cleanup (#40561)	2026-02-26 17:39:10 -06:00
api_endpoints.go	Implement GET /api/v1/fleet/rest_api (#42883)	2026-04-10 11:12:38 -04:00
appconfig.go	Add ability to upload custom org logos (#44390)	2026-05-05 14:42:52 +02:00
appconfig_test.go	Better Apple server URL validation (#44163)	2026-04-28 07:37:05 -06:00
apple_mdm.go	add missing IDP required check for OTA profiles (#44644)	2026-05-04 15:43:34 +02:00
apple_mdm_cmd_results.go	produce failed enrollment renewal activity (#44511)	2026-05-01 11:38:08 -06:00
apple_mdm_cmd_results_test.go	Backend: Auto rotate recovery lock passwords (#42084)	2026-03-26 12:12:41 -06:00
apple_mdm_ddm_test.go	DDMV: Support Fleet variables in DDM (#43222)	2026-04-20 09:14:52 -04:00
apple_mdm_test.go	updated default profile, added endpoint for seeing what default is applied (#44236)	2026-04-28 07:38:15 -06:00
build_tags_test.go
calendar.go	Moved common endpointer packages to platform dir. (#37780)	2026-01-06 14:23:07 -06:00
campaigns.go	Follow-up changes to observer live query bypass (#41146)	2026-03-11 13:42:33 -03:00
campaigns_test.go	Follow-up changes to observer live query bypass (#41146)	2026-03-11 13:42:33 -03:00
carves.go	Authenticate carve block endpoint before parsing the "data" field (#39353)	2026-02-05 15:55:03 -03:00
carves_test.go	Authenticate carve block endpoint before parsing the "data" field (#39353)	2026-02-05 15:55:03 -03:00
certificate_authorities.go	Fixed GitOps failing to delete a certificate authority (#41693)	2026-03-16 15:51:28 -05:00
certificate_authorities_test.go	Add backend support for Smallstep CA (#32872)	2025-09-25 10:03:36 -05:00
certificate_templates.go	Android certificate crud: validate variable replacement (#36648)	2025-12-05 12:14:14 -06:00
certificate_templates_test.go	Don't resend pending certificates (#43820)	2026-04-22 13:08:59 -04:00
certificates.go	Don't resend pending certificates (#43820)	2026-04-22 13:08:59 -04:00
client.go	Fix gitops dry-run to catch manual_agent_install + macos_script conflict (#44432)	2026-05-04 15:32:21 -04:00
client_android_certificates.go	Update fleetctl client urls and params (#41463)	2026-03-13 08:38:55 -05:00
client_appconfig.go	Update fleetctl client urls and params (#41463)	2026-03-13 08:38:55 -05:00
client_carves.go
client_certificate_authorities.go	Fixed GitOps failing to delete a certificate authority (#41693)	2026-03-16 15:51:28 -05:00
client_compat.go	Make orbit and Fleet Desktop not depend on server/service/ packages (#42231)	2026-03-26 10:59:42 -03:00
client_debug.go
client_hosts.go
client_labels.go	Move label request/response types to server/fleet package (#43140)	2026-04-08 11:07:06 -03:00
client_live_query.go	Make orbit and Fleet Desktop not depend on server/service/ packages (#42231)	2026-03-26 10:59:42 -03:00
client_live_query_test.go	Make orbit and Fleet Desktop not depend on server/service/ packages (#42231)	2026-03-26 10:59:42 -03:00
client_mdm.go	Move script request and response types from server/service to server/fleet (#43868)	2026-04-28 09:12:43 -03:00
client_mdm_test.go
client_packs.go
client_policies.go	Move policy request and response types to server/fleet/ package (#43068)	2026-04-07 11:04:08 -03:00
client_profiles.go	Make orbit and Fleet Desktop not depend on server/service/ packages (#42231)	2026-03-26 10:59:42 -03:00
client_queries.go	Move query and scheduled query request and response types to server/fleet/ (#43236)	2026-04-13 16:02:23 -03:00
client_scripts.go	Move script request and response types from server/service to server/fleet (#43868)	2026-04-28 09:12:43 -03:00
client_secret_variables.go	Add backend APIs for adding, deleting and listing secret variables (#31936)	2025-08-14 19:33:47 -03:00
client_sessions.go
client_setup.go
client_software.go	Use list FMA endpoint in generate-gitops to match FMAs by ID (#42483)	2026-03-26 15:52:28 -04:00
client_targets.go	Activate deprecation warnings (#41449)	2026-04-06 09:59:32 -05:00
client_teams.go	Move script request and response types from server/service to server/fleet (#43868)	2026-04-28 09:12:43 -03:00
client_test.go	Fix GitOps policy-software resolution to fall back to hash when URL lookup fails (#42816)	2026-04-02 17:22:14 -04:00
client_trigger.go	Make orbit and Fleet Desktop not depend on server/service/ packages (#42231)	2026-03-26 10:59:42 -03:00
client_users.go	Allow the creation of API-only users (#43440)	2026-04-16 11:11:39 -04:00
conditional_access_idp.go	Only allow FLEET_DEV_* env vars when --dev is passed, allow overriding configs one at a time in dev (#38652)	2026-01-27 14:32:56 -06:00
conditional_access_idp_test.go	Okta IdP Apple profile endpoint + fixes (#35526)	2025-11-14 13:49:08 -06:00
conditional_access_microsoft.go	slog migration: service layer + subsystem libraries (#40661)	2026-02-26 17:40:46 -06:00
cron_schedules.go	Trigger vuln processing when it runs on a separate server (#39612)	2026-02-17 09:18:03 -06:00
cron_schedules_test.go
debug_handler.go	Migrate HTTP request logging from go-kit/log to slog (#39729)	2026-02-14 13:04:41 -06:00
debug_handler_test.go	Revise auth requirements for debug endpoints (#38173)	2026-01-12 10:37:06 -06:00
devices.go	Fixed 500 and 402 on My Device page. (#41748)	2026-03-16 16:09:43 -05:00
devices_endpoint_test.go	Add conditional access already bypassed check (#39037)	2026-02-02 10:35:55 -05:00
devices_test.go	Update backend error messages (#40364)	2026-02-25 13:54:45 -06:00
devices_url_auth_test.go	slog migration: service layer + subsystem libraries (#40661)	2026-02-26 17:40:46 -06:00
endpoint_campaigns.go	slog migration: service layer + subsystem libraries (#40661)	2026-02-26 17:40:46 -06:00
endpoint_middleware.go	Make orbit and Fleet Desktop not depend on server/service/ packages (#42231)	2026-03-26 10:59:42 -03:00
endpoint_middleware_test.go	slog migration: service layer + subsystem libraries (#40661)	2026-02-26 17:40:46 -06:00
endpoint_setup.go	Use fleetctl new templates for new instances (#42768)	2026-04-03 09:58:03 -05:00
endpoint_utils.go	🤖 Chore: remove deprecated appendListOptionsWithCursorToSQL (#44385)	2026-05-05 10:26:47 -04:00
endpoint_utils_test.go	Add CSP to fleet(currently disabled - needs frontend work) (#41395)	2026-03-12 18:06:54 -04:00
frontend.go	Add CSP to fleet(currently disabled - needs frontend work) (#41395)	2026-03-12 18:06:54 -04:00
frontend_test.go	Add CSP to fleet(currently disabled - needs frontend work) (#41395)	2026-03-12 18:06:54 -04:00
full_test.go
global_policies.go	Add include_all label scope to policies and reports (#44305)	2026-04-30 11:28:30 -04:00
global_policies_test.go	Make dynamic default policy type for ApplyPolicySpecs (#43197)	2026-04-08 09:56:38 -04:00
global_schedule.go	Add renameto tags to prepare for deprecating team and query API params (#39847)	2026-02-17 10:00:59 -06:00
global_schedule_test.go	Move NewActivity to activity bounded context (#39521)	2026-02-25 14:11:03 -06:00
handler.go	Add ability to upload custom org logos (#44390)	2026-05-05 14:42:52 +02:00
handler_deprecated_paths.go	Deprecate URLs with "team" and "query" terminology (#40520)	2026-02-25 22:20:35 -06:00
handler_test.go	slog migration: service layer + subsystem libraries (#40661)	2026-02-26 17:40:46 -06:00
hosts.go	Add activities for user actions on labels (#44522)	2026-05-01 10:19:45 -03:00
hosts_reports_test.go	Performance improvements for Host Reports (41540)	2026-03-26 07:04:18 -04:00
hosts_test.go	Fixed a race where a host could silently revert to its previous team (#44074)	2026-04-24 14:34:37 -05:00
http_auth_test.go	Move NewActivity to activity bounded context (#39521)	2026-02-25 14:11:03 -06:00
integration_android_certificate_templates_test.go	Reset verified certificates to pending during Android host re-enrollment (#43443)	2026-04-15 07:36:45 -05:00
integration_android_software_test.go	Rename Apple Business Manager in UI (#42584)	2026-04-08 11:14:19 -06:00
integration_certificate_authorities_test.go	use redis to block double profile work for apple devices setting up (#42421)	2026-03-30 16:37:18 -05:00
integration_core_test.go	🤖 Chore: remove deprecated appendListOptionsWithCursorToSQL (#44385)	2026-05-05 10:26:47 -04:00
integration_desktop_test.go	Request body limits (#39080)	2026-02-05 10:29:53 -05:00
integration_ds_only_test.go
integration_enterprise_test.go	Enable disk encryption when only Windows MDM is configured. (#44462)	2026-05-01 09:19:34 -05:00
integration_enterprise_vulns_test.go	Remove duplicate RHEL kernel in os_version (#39746)	2026-02-12 09:13:24 -07:00
integration_install_test.go	Make orbit and Fleet Desktop not depend on server/service/ packages (#42231)	2026-03-26 10:59:42 -03:00
integration_live_queries_test.go	Renamed activity tables and moved host activities cleanup to activity bounded context. (#41194)	2026-03-08 21:54:06 -05:00
integration_logger_test.go	Move query and scheduled query request and response types to server/fleet/ (#43236)	2026-04-13 16:02:23 -03:00
integration_mdm_commands_test.go	Wipe host cancels all upcoming activities (#44323)	2026-05-01 14:01:46 -06:00
integration_mdm_ddm_test.go	DDMV: fix unresolved Fleet variable in DDM profile behavior (#43556)	2026-04-20 14:05:21 -04:00
integration_mdm_dep_test.go	updated default profile, added endpoint for seeing what default is applied (#44236)	2026-04-28 07:38:15 -06:00
integration_mdm_lifecycle_test.go	Added EUA to the Fleet MSI installer (#43295)	2026-04-13 12:17:23 -05:00
integration_mdm_profiles_test.go	add missing IDP required check for OTA profiles (#44644)	2026-05-04 15:43:34 +02:00
integration_mdm_release_worker_test.go	use redis to block double profile work for apple devices setting up (#42421)	2026-03-30 16:37:18 -05:00
integration_mdm_setup_experience_test.go	Clean up setup experience cancellation behavior (#43437)	2026-04-14 09:39:26 -05:00
integration_mdm_test.go	Revert "Fix SCEP autorenew failing for offline hosts (#44250)" (#44535)	2026-05-04 13:33:42 -06:00
integration_smtp_test.go	Final slog migration PR: test infrastructure + tools + remaining standalone files (#40727)	2026-02-28 05:52:21 -06:00
integration_software_titles_test.go	Move label request/response types to server/fleet package (#43140)	2026-04-08 11:07:06 -03:00
integration_sso_test.go	Fix TOCTOU race in last global admin protection (#42172)	2026-04-01 15:00:08 -03:00
integration_vpp_install_test.go	Move script request and response types from server/service to server/fleet (#43868)	2026-04-28 09:12:43 -03:00
invites.go	Migrate from aws-sdk-go v1 to v2 (#30308)	2025-06-30 17:45:39 -03:00
invites_test.go
jitter.go
jitter_test.go
labels.go	Add activities for user actions on labels (#44522)	2026-05-01 10:19:45 -03:00
labels_test.go	Add activities for user actions on labels (#44522)	2026-05-01 10:19:45 -03:00
labels_util.go	Address backend review feedback from #37208 (#37742)	2025-12-30 08:48:55 -03:00
linux_mdm.go	Implement BitLocker "action required" status (#31451)	2025-08-05 11:23:27 -05:00
linux_mdm_test.go	Update GET /hosts/:id/encryption_key to return archived key when current key is unavailable (#30396)	2025-07-02 14:57:25 -05:00
live_queries.go	Migrated to slog method signatures in service files (#40468)	2026-02-26 07:16:44 -06:00
mail_test.go	Run multiple independent Fleet dev servers in parallel (#41865)	2026-03-18 13:58:58 -05:00
maintained_apps.go	merge main	2026-03-18 14:49:08 -04:00
maintained_apps_test.go	Fix addFleetMaintainedAppEndpoint to accept fleet_id param (#41805)	2026-03-17 09:59:03 -05:00
mdm.go	Fixed GET /api/v1/fleet/commands timeout in large Fleet deployments (#44297)	2026-04-30 15:44:19 -05:00
mdm_profiles.go	ARCW: Add Renewal ID verification and support in windows profiles (#37179)	2025-12-12 13:14:59 -04:00
mdm_profiles_test.go	ARCW: Add Renewal ID verification and support in windows profiles (#37179)	2025-12-12 13:14:59 -04:00
mdm_scep.go	Final slog migration PR: test infrastructure + tools + remaining standalone files (#40727)	2026-02-28 05:52:21 -06:00
mdm_test.go	Windows wipe failed acivitiy (#43795)	2026-04-22 17:53:59 -05:00
mem_failing_policies_set_test.go
metrics.go
metrics_appconfig.go
metrics_change_email.go
metrics_invites.go
metrics_labels.go	API + auth + UI changes for team labels (#37208)	2025-12-29 21:28:45 -06:00
metrics_sessions.go	extend the expiration date for the auth token cookie (#41261)	2026-03-10 17:15:09 +00:00
metrics_users.go
microsoft_mdm.go	Wipe host cancels all upcoming activities (#44323)	2026-05-01 14:01:46 -06:00
microsoft_mdm_integration_test.go	Improved the performance of Windows MDM profile reconciliation (#44075)	2026-04-28 15:37:43 -05:00
microsoft_mdm_test.go	Return Windows Enrollment Status Page (ESP) (#43454)	2026-04-28 15:39:03 -05:00
orbit.go	Wipe host cancels all upcoming activities (#44323)	2026-05-01 14:01:46 -06:00
orbit_eua_test.go	Added EUA to the Fleet MSI installer (#43295)	2026-04-13 12:17:23 -05:00
orbit_test.go	Bugfix: fallback the script execution timeout from agent options to global if not set for team (#43911)	2026-04-22 12:00:58 -04:00
org_logo.go	Add ability to upload custom org logos (#44390)	2026-05-05 14:42:52 +02:00
org_logo_test.go	Add ability to upload custom org logos (#44390)	2026-05-05 14:42:52 +02:00
osquery.go	incorporate display name into setup experience ordering and enforce 1 at a time execution (#42393)	2026-04-06 11:51:39 -05:00
osquery_test.go	Remove unused windows_updates MySQL table and ingestion (#44128)	2026-04-24 15:21:34 -03:00
packs.go	Add renameto tags to prepare for deprecating team and query API params (#39847)	2026-02-17 10:00:59 -06:00
packs_test.go	Move NewActivity to activity bounded context (#39521)	2026-02-25 14:11:03 -06:00
queries.go	Add include_all label scope to policies and reports (#44305)	2026-04-30 11:28:30 -04:00
queries_test.go	Add include_all label scope to policies and reports (#44305)	2026-04-30 11:28:30 -04:00
reconcile_windows_profiles_property_test.go	Improved the performance of Windows MDM profile reconciliation (#44075)	2026-04-28 15:37:43 -05:00
scheduled_queries.go	Move query and scheduled query request and response types to server/fleet/ (#43236)	2026-04-13 16:02:23 -03:00
scheduled_queries_test.go
scim.go
scripts.go	Move script request and response types from server/service to server/fleet (#43868)	2026-04-28 09:12:43 -03:00
scripts_encoding.go	Fix FMAs on Render (#37557)	2025-12-23 13:01:32 -05:00
scripts_encoding_test.go	Fix FMAs on Render (#37557)	2025-12-23 13:01:32 -05:00
scripts_test.go	Move script request and response types from server/service to server/fleet (#43868)	2026-04-28 09:12:43 -03:00
secret_variables.go	Prevent IT admins from deleting a secret variable in use (#32161)	2025-08-22 11:22:37 -03:00
secret_variables_test.go	Add backend APIs for adding, deleting and listing secret variables (#31936)	2025-08-14 19:33:47 -03:00
service.go	Add ability to upload custom org logos (#44390)	2026-05-05 14:42:52 +02:00
service_appconfig.go	Use OSV for ubuntu vulnerability scanning (#42063)	2026-04-03 15:59:32 -05:00
service_appconfig_test.go	Move NewActivity to activity bounded context (#39521)	2026-02-25 14:11:03 -06:00
service_campaign_test.go	slog migration: service layer + subsystem libraries (#40661)	2026-02-26 17:40:46 -06:00
service_campaigns.go	slog migration: service layer + subsystem libraries (#40661)	2026-02-26 17:40:46 -06:00
service_errors.go	Fixed client-side errors being incorrectly reported as server errors in OTEL telemetry (#40051)	2026-02-19 16:06:00 -06:00
service_users.go	Refactor endpoint_utils for modularization (#36484)	2025-12-31 09:12:00 -06:00
sessions.go	add expiration to auth token via sso login (#42094)	2026-03-24 12:17:21 +00:00
sessions_test.go	Enable JIT provisioning for Technician role (#41286)	2026-03-10 10:15:01 -03:00
setup_experience.go	Revert "Partial revert of #38785 work-in-progress (#44061)" (#44285)	2026-04-28 13:35:50 -05:00
setup_experience_test.go	Revert "Partial revert of #38785 work-in-progress (#44061)" (#44285)	2026-04-28 13:35:50 -05:00
software.go	Return light software metadata when listing hosts filtered by software present only on a different team (#42519)	2026-03-30 21:33:21 -07:00
software_installers.go	Move script request and response types from server/service to server/fleet (#43868)	2026-04-28 09:12:43 -03:00
software_installers_test.go	Allow conditional downloads across fleets (#43679)	2026-04-21 17:06:23 -05:00
software_test.go
software_title_icons.go	Update fleetctl client urls and params (#41463)	2026-03-13 08:38:55 -05:00
software_title_icons_test.go	Backend: Support labels_include_all for installers/apps (#41324)	2026-03-18 13:27:53 -04:00
software_titles.go	Pin FMA major version in GitOps (#43053)	2026-04-06 12:36:47 -04:00
software_titles_test.go
status.go
targets.go	Follow-up changes to observer live query bypass (#41146)	2026-03-11 13:42:33 -03:00
targets_test.go
team_policies.go	Add include_all label scope to policies and reports (#44305)	2026-04-30 11:28:30 -04:00
team_policies_test.go	Feat/31914 patch policy (#41518)	2026-03-13 16:47:09 -04:00
team_schedule.go	Move query and scheduled query request and response types to server/fleet/ (#43236)	2026-04-13 16:02:23 -03:00
team_schedule_test.go	Move NewActivity to activity bounded context (#39521)	2026-02-25 14:11:03 -06:00
teams.go	Add renameto tags to prepare for deprecating team and query API params (#39847)	2026-02-17 10:00:59 -06:00
teams_test.go	Enforce consistent fleet name uniqueness across UI and GitOps (#33557)	2026-04-23 16:44:09 -04:00
testing_client.go	Implement clear passcode backend (#43072)	2026-04-07 15:23:59 -05:00
testing_utils.go	Add ability to upload custom org logos (#44390)	2026-05-05 14:42:52 +02:00
translator.go	Moved common endpointer packages to platform dir. (#37780)	2026-01-06 14:23:07 -06:00
transport.go	🤖 Chore: remove deprecated appendListOptionsWithCursorToSQL (#44385)	2026-05-05 10:26:47 -04:00
transport_error.go	Improved OpenTelemetry error handling (#38757)	2026-01-26 17:07:32 -06:00
transport_setup.go
transport_test.go	Fix filtering in /api/v1/fleet/labels/:id/hosts endpoint (#44293)	2026-04-29 10:43:39 -03:00
trigger.go
user_roles.go
users.go	Allow the creation of API-only users (#43440)	2026-04-16 11:11:39 -04:00
users_test.go	Allow the creation of API-only users (#43440)	2026-04-16 11:11:39 -04:00
validation_setup.go
vpp.go	merge main	2026-03-19 13:02:42 -04:00
vpp_test.go	Immediately reject duplicate Android web-clips (#42704)	2026-03-31 09:34:12 -04:00
vulnerabilities.go	Update backend error messages (#40364)	2026-02-25 13:54:45 -06:00
vulnerabilities_test.go
windows_mdm_profiles.go	Fixed a server panic when uploading an MDM profile to a team on a free license (#42834)	2026-04-02 13:18:15 -05:00
windows_mdm_profiles_test.go	Added support for NDES CA for Windows hosts (#41356)	2026-03-12 15:36:44 -05:00