chore(deps): update dependency nethesis/checkmk-tools to v1#1773
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency nethesis/checkmk-tools to v1#1773renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.0.5→1.7.1Release Notes
nethesis/checkmk-tools (nethesis/checkmk-tools)
v1.7.1: - promote pyuci beta checks to fullCompare Source
Promoted:
• 14 pyuci-based NethSecurity 8.8 checks promoted from beta/ to full/ (zero subprocess, zero shell=True, UCI read-only via pyuci)
• All scripts validated: syntax OK, no unsafe command execution, proper failure handling
Removed:
• script-check-nsec8/full/beta/ directory (scripts promoted, directory removed)
Added:
• review_compare_outputs.py: tool to compare original vs beta check outputs
• REVIEW-BETA-DIFFERENCES.md: full review documentation
• README.md: beta documentation
v1.7.0: - Checkmk agent sync tool and systemd templatesCompare Source
v1.7.0
Added
checkmk-agent-sync.py, a dedicated Checkmk agent synchronization tool.docs/PENDING_RELEASE.mdto track pushed but unreleased work.Agent sync tool
The new tool is available at:
script-tools/full/agent_maintenance/checkmk-agent-sync.pyIt is designed to compare the locally installed Checkmk agent version with the agent package exposed by a configured Checkmk site.
Supported behavior includes:
Systemd templates
The release includes templates only:
script-tools/full/agent_maintenance/checkmk-agent-sync.servicescript-tools/full/agent_maintenance/checkmk-agent-sync.timerscript-tools/full/agent_maintenance/checkmk-agent-sync.env.exampleThese templates are not installed or enabled automatically.
Validation
Validation already performed before release:
/opt/checkmk-toolson staging;Reachable server sync status before release:
checkmk-vps-02: synced and staging dry-run tested;srv-monitoring-us: synced, read-only verification only;srv-monitoring-sp: synced, read-only verification only;checkmk-z1-00: not verified because unreachable from the current environment.Operational note
This release makes the tool available in the repository.
It does not activate automatic agent synchronization on any server.
Installing/enabling the service and timer remains a separate manual operation requiring explicit approval.
v1.2.10Compare Source
v1.2.9: - notification-limiter-report time-of-day recurrence insightsCompare Source
Added:
• notification-limiter-report.py v1.2.9: --pattern-history-days N (default 7, range 1-30) — read-only historical log lookback for time-of-day recurrence analysis in section 9.6
• Section 9.6 rewritten as "Time-of-Day Recurrence Insights" with confirmed recurring patterns, candidate observations, confidence levels (high/medium/low), and cautious interpretation language
• No persistent state, no HistoryStore, no --history-file, no Section 11
Changed:
• ReportEngine accepts pattern_engine parameter for cross-period execution comparison
• Pattern history period computed as report_end - pattern_history_days to report_end
v1.2.8: auto-git-sync v1.2.8Compare Source
fix(sync): persist release tag fetching in installer templates
v1.2.7: notification-limiter-report v1.2.7Compare Source
feat(notifications): report v1.2.7 - add recurring pattern analysis
v1.2.6: - fix(notifications): limiter v1.4.0-beta - enable adaptive auto-apply and fix reportingCompare Source
Changed:
Notifier scripts (M@il-20 / Telegram-20 v1.4.0-beta):
• Fixed runtime
auto_applylookup — DECISION log now readsadaptive.cooldown.auto_applyinstead of the top-leveladaptive.auto_apply• Added real adaptive cooldown auto-apply persistence: when
adaptive.cooldown.auto_apply = true, the best candidate cooldown is written to the JSON config file and applied in-memory• Recommendation log now reports the actual
auto_applyvalue instead of hardcodedfalse•
ADAPTIVE_COOLDOWN_AUTO_APPLYlog event emitted when cooldown is automatically applied• Set aggressive 7200s cooldown baseline (enforce mode)
• Restricted candidate cooldowns to [7200, 10800, 21600]
• Preserved recovery bypass and enforce mode
Report script (notification-limiter-report.py v1.0.0):
• Fixed report aggregation by normalized execution_id-based objects (two-phase: execution_id groups + orphan matching)
• Fixed per-script/per-host/per-category totals — no more Delivered > Input
• Fixed Telegram-20 truncation ("Telegram-2") — column width increased to 12
• Fixed "unknown" host/category buckets — DECISION/COOLDOWN records now inherit host/category from related records
• Fixed Cdwn(s) display — shows numeric value or N/A instead of "?"
• Fixed Elapsed display — shows duration_ms/1000 instead of boolean "True"
• Fixed recovery bypass counting — now correctly aggregated per normalized execution
• Added data quality metrics for executions with unknown host/category/synthetic EID
• No WATO/rules or notification_interval dependency
Files:
•
script-notify-checkmk/beta/M@il-20•
script-notify-checkmk/beta/Telegram-20•
script-notify-checkmk/beta/M@il-20-config.json•
script-notify-checkmk/beta/Telegram-20-config.json•
script-notify-checkmk/reporting/notification-limiter-report.py— +349/-195v1.2.5: - fix(notifications): limiter v1.4.0-beta - enable runtime adaptive cooldown auto-applyCompare Source
Changed:
• M@il-20/Telegram-20 v1.4.0-beta: fixed runtime
auto_applylookup — DECISION log now readsadaptive.cooldown.auto_applyinstead of the top-leveladaptive.auto_apply• Added real auto-apply cooldown persistence: when
adaptive.cooldown.auto_apply = true, the best candidate cooldown is written to the JSON config file and applied in-memory• Recommendation log now reports the actual
auto_applyvalue instead of hardcodedfalse• ADAPTIVE_COOLDOWN_AUTO_APPLY log event emitted when cooldown is automatically applied
• Preserved enforce mode (7200s), recovery bypass, and aggressive cooldown baseline
• No WATO/notification_interval dependency
Files:
•
script-notify-checkmk/beta/M@il-20— +40/-5•
script-notify-checkmk/beta/Telegram-20— +40/-5•
script-notify-checkmk/beta/M@il-20-config.json— +20/-1•
script-notify-checkmk/beta/Telegram-20-config.json— +20/-1v1.2.4: - notification limiter v1.4.0-beta and reporting scriptCompare Source
Added:
• M@il-20 v1.4.0-beta: per-host per-category cooldown limiter with adaptive learning
• Telegram-20 v1.4.0-beta: per-host per-category cooldown limiter with adaptive learning
• notification-limiter-report.py v1.0.0: standalone reporting script for JSON Lines diagnostic logs
Changed:
• M@il-20 beta: fail2ban transition limiter + new cooldown limiter
• Telegram-20 beta: fail2ban transition limiter + new cooldown limiter
Security:
• Decision precedence: transition enforce suppression can never be overridden by cooldown
v1.2.3: - move qa-troubleshooting memory to .copilotCompare Source
Moved memories/repo/qa-troubleshooting.md to Coverup20/.copilot/memories/repo/qa-troubleshooting.md
v1.2.2: - fix_site_ownership in upgrade-checkmkCompare Source
Added:
• upgrade-checkmk.py v1.4.1: add fix_site_ownership() function that corrects root-owned files inside the OMD site tree before and after upgrade, preventing backup failures caused by Permission denied on files not owned by the monitoring user.
The function runs before the backend script (to unblock the pre-upgrade omd backup) and after a successful upgrade (to clean up any root-owned artifacts created during the process).
v1.2.1: - PATCH-only versioning policy for container-expert agentsCompare Source
Changed:
• Replaced hardcoded v0.0.X tag format with proper three-component SemVer PATCH progression in container-expert and container-expert-ds agent templates
• Added MANDATORY VERSION CLASSIFICATION AND PATCH PROGRESSION section to .github/copilot-instructions.md
• Replaced "Ignore v1.0.0" and "Do not propose v1.0.1" rules with correct PATCH-first classification
• Repository alignment now detects highest existing version tag instead of only v0.0.X family
v1.2.0: - notification-delivery monitoring local checkCompare Source
Added:
• check_notification_limiter_status.py v1.0.0 — stateful Checkmk local check
that reads M@il-20 and Telegram-20 lifecycle logs and exposes four
services: M@il-20 Delivery, M@il-20 Limiter, Telegram-20 Delivery,
Telegram-20 Limiter
• Tracks notification delivery, provider failures, limiter transitions,
audit-only suppression decisions, and real suppressions
• Maintains retained event state across agent executions with configurable
retention periods (WARN=1800s, CRIT=3600s)
• Handles log rotation, truncation, first-run baseline, and malformed state
• Reads adaptive-learning state files for integrated learning status
v1.1.1: - CLI safety hotfix and log path fixCompare Source
Fixed:
• M@il-20 and Telegram-20 v1.3.1-beta: --help and -h no longer trigger
real notification delivery
• Pre-validate CLI arguments with _prevalidate_argv() — rejects mixed
utility+positional arguments (exit 2) before argparse processes them
• Restored standard argparse --help/-h (removed add_help=False)
• Replaced parse_known_args() with parse_args() — unknown/positional
args are now rejected with exit code 2
• Telegram-20: moved _SafeFileHandler before setup_logger() — fixes
NameError that silently prevented telegram-20.log creation
• Added diagnostic log init error reporting via MAIL20_DEBUG=1 /
TELEGRAM20_DEBUG=1
v1.1.0: - fail-safe logging and bounded state retentionCompare Source
Added:
• Structured JSON Lines diagnostic logging with invocation-scoped execution_id
• Lifecycle records: INVOKED, ACCEPTED, SUPPRESSED, DELIVERING, DELIVERED, FAILED, INVALID, ERROR, COMPLETE
• One final COMPLETE record per invocation with duration_ms and exit_code
• Top-level exception boundary with ERROR status
• Secret sanitization for tokens, passwords, API keys, Bearer tokens
• Optional debug logging via MAIL20_DEBUG / TELEGRAM20_DEBUG
Changed:
• All logging is now fail-safe — logger failure cannot block email or Telegram delivery
• Delivery return codes are preserved when logging fails
• Suppression behavior is preserved when logging fails
• _SafeFileHandler replaces FileHandler — self-protecting against emit() exceptions
• log_decision() uses _safe_log() — output is JSON Lines format
• _cleanup_stale_records() runs before write_state() — cleaned state is now persisted
• shutil.move() replaced with os.replace() for atomic state writes
• Temp files created in the same directory as the state file
Fixed:
• Logger handler exceptions propagating into delivery logic (Python 3.13 behavior)
• Stale host records never being removed from disk (cleanup-after-write bug)
Security:
• Telegram bot tokens, SMTP passwords, API keys, and Bearer tokens are redacted from all logged output
• Token-bearing URLs and query parameters are sanitized
v1.0.0Compare Source
v0.0.18: - APK migration, NSec8 beta checks, flapping analyzer, cleanupCompare Source
Added:
• script-check-nsec8/doc/nsec8-apk-migration-guide.md: APK to OPKG migration reference for NethSecurity 8
• script-check-nsec8/full/beta/: 17 NethSecurity 8 beta check scripts (APK packages, DHCP leases, DNS, firewall, VPN, WAN, etc.)
Changed:
• script-tools/full/monitoring_diagnostics/flapping_analyzer.py: improvements
• memories/repo/copilot-scripts-index.md: document flapping_analyzer
Removed:
• script-notify-checkmk/beta/checkmk-notification-rate-limit.py: replaced by M@il-20 and Telegram-20
v0.0.17: - normalize beta notification scripts to LF, add .gitattributes protection, add line-ending regression testsCompare Source
Added:
• .gitattributes: LF enforcement for *.json, *.md, and beta notification scripts
• script-notify-checkmk/beta/test-M@il-20.py: CRLF, CREOL, shebang, and direct-execution tests
• script-notify-checkmk/beta/test-Telegram-20.py: CRLF, CREOL, shebang, and direct-execution tests
Changed:
• script-notify-checkmk/beta/M@il-20: CRLF -> Unix LF (shebang fix, was '#!/usr/bin/env python3\r\n')
• script-notify-checkmk/beta/Telegram-20: CRLF -> Unix LF (shebang fix, was '#!/usr/bin/env python3\r\n')
• script-notify-checkmk/beta/M@il-20-config.json: CRLF -> Unix LF
• script-notify-checkmk/beta/Telegram-20-config.json: CRLF -> Unix LF
• script-notify-checkmk/beta/README-M@il-20.md: CRLF -> Unix LF
• script-notify-checkmk/beta/README-Telegram-20.md: CRLF -> Unix LF
• script-notify-checkmk/beta/test-M@il-20.py: CRLF -> Unix LF
Note: all 115 functional tests pass; both scripts verified via direct OS shebang execution.
v0.0.16: - python-cache-cleanup, APK migration, DHCP lease persistenceCompare Source
Added:
• script-tools/full/misc/python-cache-cleanup.py v1.0.0: scan Git repos for Python cache artifacts and clean them
• script-check-nsec8/full/check_apk_packages.py v1.0.0: APK package check for NethSecurity 8 (replaces OPKG)
• script-check-nsec8/full/.gitignore: local Python cache ignore rules
• memories/repo/hosts-access.md: SSH host access reference table
• memories/repo/copilot-scripts-index.md: index of reusable scripts
Changed:
• script-check-nsec8/full/check_dhcp_leases.py v2.1.0: support NethSecurity 8.8 persistent lease file at /mnt/data/dnsmasq/dhcp.leases; dynamic resolution via UCI config; fallback chain; /proc/mounts based mount detection
• .github/copilot-instructions.md: updated instructions
• memories/repo/qa-troubleshooting.md: Python cache cleanup workflow, APK migration notes
• .copilot-context.md: updated context
• documentation fixes in script-notify-checkmk and script-tools/doc
v0.0.15: - backup fixes and agent terminal routingCompare Source
Added:\n• backup-simple.ps1: removed network share logic, replaced Send-MailMessage with System.Net.Mail.SmtpClient, forced TLS 1.2, added email logging\n• backup-sync-complete.ps1: removed network share logic\n• run-backup-unattended.ps1: removed 12-retry network share check\n• container-expert.agent.md + container-expert-ds.agent.md: added Terminal Context Routing policy
v0.0.14: - Python bytecode prevention policy for container agentsCompare Source
Added Python bytecode and cache prevention policy to container-expert and container-expert-ds agents. Updated .gitignore with *.py[cod] and *$py.class patterns.
v0.0.13: - fix half-configured dpkg packages in upgrade_checkmk.pyCompare Source
Fixed:
• upgrade_checkmk.py v1.5.0: add cleanup_half_configured_packages() that detects and removes check-mk-* packages left in iF (half-configured) state before installing a new .deb and after a dpkg failure
• upgrade_checkmk.py v1.5.0: add apt-get install -f -y before autoremove to fix residual broken dependencies
v0.0.12: - Data-Safe variant for Container ExpertCompare Source
Added:
• container-expert-ds.agent.md: Data-Safe variant of Container Expert with RULE DS (three-zone redaction, derived representation protection, case handling for container/registry/K8s secrets)
Changed:
• agent portfolio: Container Expert now has a DS variant for corporate-safe shared output
v0.0.11: - qa-troubleshooting behavioral rules for container agentCompare Source
Added:
• container-expert.agent.md: qa-troubleshooting consultation rule
• container-expert.agent.md: manual timer/service execution rule
Changed:
• agent workflow: reusable qa-troubleshooting lessons are consulted before relevant troubleshooting
• operational safety: timer/service validation uses manual service execution instead of passive waiting
v0.0.10: - GH_PAGER pager safety fixCompare Source
Fixed:
• container-expert.agent.md: add GH_PAGER=cat to no-pager safety rule for gh release view commands
v0.0.9: - release note style and pager safety workflowCompare Source
Added:
• container-expert.agent.md: release-note style preservation rule for GitHub releases
• GitHub CLI workflow: mandatory pager-safe execution with GH_PAGER=cat
Changed:
• release workflow: GitHub releases must preserve existing repository title, section, bullet, and tone style
• command safety: gh release view must not open an interactive pager during automated workflows
v0.0.8: - automatic repository alignment and release workflowCompare Source
Added:
• container-expert.agent.md: automatic repository alignment workflow for custom agents
• repository alignment workflow: commit approved tracked changes, push to origin/main, create v0.0.X tag, push tag, and create GitHub release
• release workflow: automatic GitHub release creation after successful tag push
Changed:
• agent Git workflow: "allinea il repo completo" now performs the full standard alignment cycle
• versioning workflow: v0.0.X tag sequence is used by default, ignoring v1.0.0 for this workflow
• safety rules: upstream, force push, reset, clean, merge, rebase, unrelated files, and local-only agent files remain protected
v0.0.7Compare Source
v0.0.6: - add git-push-policy to mandatory session startupCompare Source
Add git-push-policy.md to mandatory session startup files
Ensure git commit/tag/release workflow is loaded at the beginning of every Copilot session for consistent versioning across all repositories.
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.