Skip to content

chore(deps): update dependency nethesis/checkmk-tools to v1#1773

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-nethesis-checkmk-tools-1-x
Open

chore(deps): update dependency nethesis/checkmk-tools to v1#1773
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-nethesis-checkmk-tools-1-x

Conversation

@renovate

@renovate renovate Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Update Change
nethesis/checkmk-tools major 0.0.51.7.1

Release Notes

nethesis/checkmk-tools (nethesis/checkmk-tools)

v1.7.1: - promote pyuci beta checks to full

Compare Source

Promoted:

• 14 pyuci-based NethSecurity 8.8 checks promoted from beta/ to full/ (zero subprocess, zero shell=True, UCI read-only via pyuci)
• All scripts validated: syntax OK, no unsafe command execution, proper failure handling

Removed:

• script-check-nsec8/full/beta/ directory (scripts promoted, directory removed)

Added:

• review_compare_outputs.py: tool to compare original vs beta check outputs
• REVIEW-BETA-DIFFERENCES.md: full review documentation
• README.md: beta documentation

v1.7.0: - Checkmk agent sync tool and systemd templates

Compare Source

v1.7.0

Added

  • Added checkmk-agent-sync.py, a dedicated Checkmk agent synchronization tool.
  • Added optional systemd service and timer templates for future controlled agent synchronization.
  • Added environment configuration example for the agent-sync service.
  • Added docs/PENDING_RELEASE.md to track pushed but unreleased work.

Agent sync tool

The new tool is available at:

  • script-tools/full/agent_maintenance/checkmk-agent-sync.py

It is designed to compare the locally installed Checkmk agent version with the agent package exposed by a configured Checkmk site.

Supported behavior includes:

  • verify-only mode by default;
  • dry-run mode with no system modifications;
  • target detection for Debian/Ubuntu, RHEL-like systems, NethSecurity 8, and NS8 container scenarios;
  • structured status reporting;
  • package version comparison;
  • optional install mode for controlled future use.

Systemd templates

The release includes templates only:

  • script-tools/full/agent_maintenance/checkmk-agent-sync.service
  • script-tools/full/agent_maintenance/checkmk-agent-sync.timer
  • script-tools/full/agent_maintenance/checkmk-agent-sync.env.example

These templates are not installed or enabled automatically.

Validation

Validation already performed before release:

  • syntax validation passed;
  • help output validation passed;
  • dry-run validation passed;
  • verify-only default behavior confirmed;
  • download-only test passed;
  • autosync verified on reachable Checkmk servers;
  • dry-run executed from /opt/checkmk-tools on staging;
  • no package installation occurred;
  • no systemd service or timer was enabled;
  • production was checked read-only only.

Reachable server sync status before release:

  • checkmk-vps-02: synced and staging dry-run tested;
  • srv-monitoring-us: synced, read-only verification only;
  • srv-monitoring-sp: synced, read-only verification only;
  • checkmk-z1-00: not verified because unreachable from the current environment.

Operational note

This release makes the tool available in the repository.

It does not activate automatic agent synchronization on any server.

Installing/enabling the service and timer remains a separate manual operation requiring explicit approval.

v1.2.10

Compare Source

v1.2.9: - notification-limiter-report time-of-day recurrence insights

Compare Source

Added:

• notification-limiter-report.py v1.2.9: --pattern-history-days N (default 7, range 1-30) — read-only historical log lookback for time-of-day recurrence analysis in section 9.6
• Section 9.6 rewritten as "Time-of-Day Recurrence Insights" with confirmed recurring patterns, candidate observations, confidence levels (high/medium/low), and cautious interpretation language
• No persistent state, no HistoryStore, no --history-file, no Section 11

Changed:

• ReportEngine accepts pattern_engine parameter for cross-period execution comparison
• Pattern history period computed as report_end - pattern_history_days to report_end

v1.2.8: auto-git-sync v1.2.8

Compare Source

fix(sync): persist release tag fetching in installer templates

v1.2.7: notification-limiter-report v1.2.7

Compare Source

feat(notifications): report v1.2.7 - add recurring pattern analysis

v1.2.6: - fix(notifications): limiter v1.4.0-beta - enable adaptive auto-apply and fix reporting

Compare Source

Changed:

Notifier scripts (M@​il-20 / Telegram-20 v1.4.0-beta):

• Fixed runtime auto_apply lookup — DECISION log now reads adaptive.cooldown.auto_apply instead of the top-level adaptive.auto_apply
• Added real adaptive cooldown auto-apply persistence: when adaptive.cooldown.auto_apply = true, the best candidate cooldown is written to the JSON config file and applied in-memory
• Recommendation log now reports the actual auto_apply value instead of hardcoded false
ADAPTIVE_COOLDOWN_AUTO_APPLY log event emitted when cooldown is automatically applied
• Set aggressive 7200s cooldown baseline (enforce mode)
• Restricted candidate cooldowns to [7200, 10800, 21600]
• Preserved recovery bypass and enforce mode

Report script (notification-limiter-report.py v1.0.0):

• Fixed report aggregation by normalized execution_id-based objects (two-phase: execution_id groups + orphan matching)
• Fixed per-script/per-host/per-category totals — no more Delivered > Input
• Fixed Telegram-20 truncation ("Telegram-2") — column width increased to 12
• Fixed "unknown" host/category buckets — DECISION/COOLDOWN records now inherit host/category from related records
• Fixed Cdwn(s) display — shows numeric value or N/A instead of "?"
• Fixed Elapsed display — shows duration_ms/1000 instead of boolean "True"
• Fixed recovery bypass counting — now correctly aggregated per normalized execution
• Added data quality metrics for executions with unknown host/category/synthetic EID
• No WATO/rules or notification_interval dependency

Files:

script-notify-checkmk/beta/M@il-20
script-notify-checkmk/beta/Telegram-20
script-notify-checkmk/beta/M@il-20-config.json
script-notify-checkmk/beta/Telegram-20-config.json
script-notify-checkmk/reporting/notification-limiter-report.py — +349/-195

v1.2.5: - fix(notifications): limiter v1.4.0-beta - enable runtime adaptive cooldown auto-apply

Compare Source

Changed:

• M@​il-20/Telegram-20 v1.4.0-beta: fixed runtime auto_apply lookup — DECISION log now reads adaptive.cooldown.auto_apply instead of the top-level adaptive.auto_apply
• Added real auto-apply cooldown persistence: when adaptive.cooldown.auto_apply = true, the best candidate cooldown is written to the JSON config file and applied in-memory
• Recommendation log now reports the actual auto_apply value instead of hardcoded false
• ADAPTIVE_COOLDOWN_AUTO_APPLY log event emitted when cooldown is automatically applied
• Preserved enforce mode (7200s), recovery bypass, and aggressive cooldown baseline
• No WATO/notification_interval dependency

Files:

script-notify-checkmk/beta/M@il-20 — +40/-5
script-notify-checkmk/beta/Telegram-20 — +40/-5
script-notify-checkmk/beta/M@il-20-config.json — +20/-1
script-notify-checkmk/beta/Telegram-20-config.json — +20/-1

v1.2.4: - notification limiter v1.4.0-beta and reporting script

Compare Source

Added:

• M@​il-20 v1.4.0-beta: per-host per-category cooldown limiter with adaptive learning
• Telegram-20 v1.4.0-beta: per-host per-category cooldown limiter with adaptive learning
• notification-limiter-report.py v1.0.0: standalone reporting script for JSON Lines diagnostic logs

Changed:

• M@​il-20 beta: fail2ban transition limiter + new cooldown limiter
• Telegram-20 beta: fail2ban transition limiter + new cooldown limiter

Security:

• Decision precedence: transition enforce suppression can never be overridden by cooldown

v1.2.3: - move qa-troubleshooting memory to .copilot

Compare Source

Moved memories/repo/qa-troubleshooting.md to Coverup20/.copilot/memories/repo/qa-troubleshooting.md

v1.2.2: - fix_site_ownership in upgrade-checkmk

Compare Source

Added:

• upgrade-checkmk.py v1.4.1: add fix_site_ownership() function that corrects root-owned files inside the OMD site tree before and after upgrade, preventing backup failures caused by Permission denied on files not owned by the monitoring user.

The function runs before the backend script (to unblock the pre-upgrade omd backup) and after a successful upgrade (to clean up any root-owned artifacts created during the process).

v1.2.1: - PATCH-only versioning policy for container-expert agents

Compare Source

Changed:

• Replaced hardcoded v0.0.X tag format with proper three-component SemVer PATCH progression in container-expert and container-expert-ds agent templates
• Added MANDATORY VERSION CLASSIFICATION AND PATCH PROGRESSION section to .github/copilot-instructions.md
• Replaced "Ignore v1.0.0" and "Do not propose v1.0.1" rules with correct PATCH-first classification
• Repository alignment now detects highest existing version tag instead of only v0.0.X family

v1.2.0: - notification-delivery monitoring local check

Compare Source

Added:

• check_notification_limiter_status.py v1.0.0 — stateful Checkmk local check
that reads M@​il-20 and Telegram-20 lifecycle logs and exposes four
services: M@​il-20 Delivery, M@​il-20 Limiter, Telegram-20 Delivery,
Telegram-20 Limiter
• Tracks notification delivery, provider failures, limiter transitions,
audit-only suppression decisions, and real suppressions
• Maintains retained event state across agent executions with configurable
retention periods (WARN=1800s, CRIT=3600s)
• Handles log rotation, truncation, first-run baseline, and malformed state
• Reads adaptive-learning state files for integrated learning status

v1.1.1: - CLI safety hotfix and log path fix

Compare Source

Fixed:

• M@​il-20 and Telegram-20 v1.3.1-beta: --help and -h no longer trigger
real notification delivery
• Pre-validate CLI arguments with _prevalidate_argv() — rejects mixed
utility+positional arguments (exit 2) before argparse processes them
• Restored standard argparse --help/-h (removed add_help=False)
• Replaced parse_known_args() with parse_args() — unknown/positional
args are now rejected with exit code 2
• Telegram-20: moved _SafeFileHandler before setup_logger() — fixes
NameError that silently prevented telegram-20.log creation
• Added diagnostic log init error reporting via MAIL20_DEBUG=1 /
TELEGRAM20_DEBUG=1

v1.1.0: - fail-safe logging and bounded state retention

Compare Source

Added:

• Structured JSON Lines diagnostic logging with invocation-scoped execution_id
• Lifecycle records: INVOKED, ACCEPTED, SUPPRESSED, DELIVERING, DELIVERED, FAILED, INVALID, ERROR, COMPLETE
• One final COMPLETE record per invocation with duration_ms and exit_code
• Top-level exception boundary with ERROR status
• Secret sanitization for tokens, passwords, API keys, Bearer tokens
• Optional debug logging via MAIL20_DEBUG / TELEGRAM20_DEBUG

Changed:

• All logging is now fail-safe — logger failure cannot block email or Telegram delivery
• Delivery return codes are preserved when logging fails
• Suppression behavior is preserved when logging fails
• _SafeFileHandler replaces FileHandler — self-protecting against emit() exceptions
• log_decision() uses _safe_log() — output is JSON Lines format
• _cleanup_stale_records() runs before write_state() — cleaned state is now persisted
• shutil.move() replaced with os.replace() for atomic state writes
• Temp files created in the same directory as the state file

Fixed:

• Logger handler exceptions propagating into delivery logic (Python 3.13 behavior)
• Stale host records never being removed from disk (cleanup-after-write bug)

Security:

• Telegram bot tokens, SMTP passwords, API keys, and Bearer tokens are redacted from all logged output
• Token-bearing URLs and query parameters are sanitized

v1.0.0

Compare Source

v0.0.18: - APK migration, NSec8 beta checks, flapping analyzer, cleanup

Compare Source

Added:

• script-check-nsec8/doc/nsec8-apk-migration-guide.md: APK to OPKG migration reference for NethSecurity 8
• script-check-nsec8/full/beta/: 17 NethSecurity 8 beta check scripts (APK packages, DHCP leases, DNS, firewall, VPN, WAN, etc.)

Changed:

• script-tools/full/monitoring_diagnostics/flapping_analyzer.py: improvements
• memories/repo/copilot-scripts-index.md: document flapping_analyzer

Removed:

• script-notify-checkmk/beta/checkmk-notification-rate-limit.py: replaced by M@​il-20 and Telegram-20

v0.0.17: - normalize beta notification scripts to LF, add .gitattributes protection, add line-ending regression tests

Compare Source

Added:

• .gitattributes: LF enforcement for *.json, *.md, and beta notification scripts
• script-notify-checkmk/beta/test-M@il-20.py: CRLF, CREOL, shebang, and direct-execution tests
• script-notify-checkmk/beta/test-Telegram-20.py: CRLF, CREOL, shebang, and direct-execution tests

Changed:

• script-notify-checkmk/beta/M@​il-20: CRLF -> Unix LF (shebang fix, was '#!/usr/bin/env python3\r\n')
• script-notify-checkmk/beta/Telegram-20: CRLF -> Unix LF (shebang fix, was '#!/usr/bin/env python3\r\n')
• script-notify-checkmk/beta/M@​il-20-config.json: CRLF -> Unix LF
• script-notify-checkmk/beta/Telegram-20-config.json: CRLF -> Unix LF
• script-notify-checkmk/beta/README-M@il-20.md: CRLF -> Unix LF
• script-notify-checkmk/beta/README-Telegram-20.md: CRLF -> Unix LF
• script-notify-checkmk/beta/test-M@il-20.py: CRLF -> Unix LF

Note: all 115 functional tests pass; both scripts verified via direct OS shebang execution.

v0.0.16: - python-cache-cleanup, APK migration, DHCP lease persistence

Compare Source

Added:

• script-tools/full/misc/python-cache-cleanup.py v1.0.0: scan Git repos for Python cache artifacts and clean them
• script-check-nsec8/full/check_apk_packages.py v1.0.0: APK package check for NethSecurity 8 (replaces OPKG)
• script-check-nsec8/full/.gitignore: local Python cache ignore rules
• memories/repo/hosts-access.md: SSH host access reference table
• memories/repo/copilot-scripts-index.md: index of reusable scripts

Changed:

• script-check-nsec8/full/check_dhcp_leases.py v2.1.0: support NethSecurity 8.8 persistent lease file at /mnt/data/dnsmasq/dhcp.leases; dynamic resolution via UCI config; fallback chain; /proc/mounts based mount detection
• .github/copilot-instructions.md: updated instructions
• memories/repo/qa-troubleshooting.md: Python cache cleanup workflow, APK migration notes
• .copilot-context.md: updated context
• documentation fixes in script-notify-checkmk and script-tools/doc

v0.0.15: - backup fixes and agent terminal routing

Compare Source

Added:\n• backup-simple.ps1: removed network share logic, replaced Send-MailMessage with System.Net.Mail.SmtpClient, forced TLS 1.2, added email logging\n• backup-sync-complete.ps1: removed network share logic\n• run-backup-unattended.ps1: removed 12-retry network share check\n• container-expert.agent.md + container-expert-ds.agent.md: added Terminal Context Routing policy

v0.0.14: - Python bytecode prevention policy for container agents

Compare Source

Added Python bytecode and cache prevention policy to container-expert and container-expert-ds agents. Updated .gitignore with *.py[cod] and *$py.class patterns.

v0.0.13: - fix half-configured dpkg packages in upgrade_checkmk.py

Compare Source

Fixed:

• upgrade_checkmk.py v1.5.0: add cleanup_half_configured_packages() that detects and removes check-mk-* packages left in iF (half-configured) state before installing a new .deb and after a dpkg failure
• upgrade_checkmk.py v1.5.0: add apt-get install -f -y before autoremove to fix residual broken dependencies

v0.0.12: - Data-Safe variant for Container Expert

Compare Source

Added:

• container-expert-ds.agent.md: Data-Safe variant of Container Expert with RULE DS (three-zone redaction, derived representation protection, case handling for container/registry/K8s secrets)

Changed:

• agent portfolio: Container Expert now has a DS variant for corporate-safe shared output

v0.0.11: - qa-troubleshooting behavioral rules for container agent

Compare Source

Added:

• container-expert.agent.md: qa-troubleshooting consultation rule
• container-expert.agent.md: manual timer/service execution rule

Changed:

• agent workflow: reusable qa-troubleshooting lessons are consulted before relevant troubleshooting
• operational safety: timer/service validation uses manual service execution instead of passive waiting

v0.0.10: - GH_PAGER pager safety fix

Compare Source

Fixed:

• container-expert.agent.md: add GH_PAGER=cat to no-pager safety rule for gh release view commands

v0.0.9: - release note style and pager safety workflow

Compare Source

Added:

• container-expert.agent.md: release-note style preservation rule for GitHub releases
• GitHub CLI workflow: mandatory pager-safe execution with GH_PAGER=cat

Changed:

• release workflow: GitHub releases must preserve existing repository title, section, bullet, and tone style
• command safety: gh release view must not open an interactive pager during automated workflows

v0.0.8: - automatic repository alignment and release workflow

Compare Source

Added:

• container-expert.agent.md: automatic repository alignment workflow for custom agents
• repository alignment workflow: commit approved tracked changes, push to origin/main, create v0.0.X tag, push tag, and create GitHub release
• release workflow: automatic GitHub release creation after successful tag push

Changed:

• agent Git workflow: "allinea il repo completo" now performs the full standard alignment cycle
• versioning workflow: v0.0.X tag sequence is used by default, ignoring v1.0.0 for this workflow
• safety rules: upstream, force push, reset, clean, merge, rebase, unrelated files, and local-only agent files remain protected

v0.0.7

Compare Source

v0.0.6: - add git-push-policy to mandatory session startup

Compare Source

Add git-push-policy.md to mandatory session startup files

Ensure git commit/tag/release workflow is loaded at the beginning of every Copilot session for consistent versioning across all repositories.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants