BYOF: Frontend changes

[MagnusHJensen]

Needs #45600

Related issue: Resolves #45601

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information. In another PR

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

• Timeouts are implemented and retries are limited to avoid infinite loops

• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

[qodo-free-for-open-source-projects]

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: test-go (mysql, mysql:8.0.44) / test

Failed stage: Run Go Tests [❌]

Failed test name: ""

Failure summary: The action failed during the Go test/build step because the package github.com/fleetdm/fleet/v4/server/datastore/mysql could not be built. - Compilation errors in server/service/apple_mdm.go reference an undefined identifier cryptoutil: - server/service/apple_mdm.go:2107:71: undefined: cryptoutil - server/service/apple_mdm.go:6730:71: undefined: cryptoutil - As a result, go test reported FAIL ... [build failed] and make test-go exited non-zero (Makefile:286: .run-go-tests). Note: earlier harden-runner logs show GitHub API rate limiting (403) and StepSecurity policy fetch auth issues (401), but the job ultimately failed due to the Go compile errors above.

Relevant error logs: 1: Runner name: 'ubuntu-8core-1000907765' 2: Runner group name: 'default larger runners' ... 50: disable-sudo-and-containers: false 51: disable-file-monitoring: false 52: use-policy-store: false 53: deploy-on-self-hosted-vm: false 54: env: 55: RACE_ENABLED: false 56: GO_TEST_TIMEOUT: 20m 57: DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test 58: ##[endgroup] 59: [harden-runner] pre-step 60: [!] Current Configuration: 61: {"repo":"fleetdm/fleet","run_id":"27425193283","correlation_id":"d1f49319-c6eb-4664-be65-81856628d9ca","working_directory":"/home/runner/work/fleet/fleet","api_url":"https://agent.api.stepsecurity.io/v1","telemetry_url":"https://prod.app-api.stepsecurity.io/v1","allowed_endpoints":"","egress_policy":"audit","disable_telemetry":false,"disable_sudo":false,"disable_sudo_and_containers":false,"disable_file_monitoring":false,"private":false,"is_github_hosted":true,"is_debug":false,"one_time_key":"","api_key":"","use_policy_store":false,"deploy_on_self_hosted_vm":false} 62: �[32mView security insights and recommended policy at:�[0m 63: https://app.stepsecurity.io/github/fleetdm/fleet/actions/runs/27425193283 64: RUNNER_NAME: ubuntu-8core-1000907765 65: error in connecting to https://agent.api.stepsecurity.io/v1: HttpClientError: All attempts fail: 66: #1: GET https://api.github.com/repos/fleetdm/fleet/actions/runs/27425193283: 403 API rate limit exceeded for installation ID 50820679. If you reach out to GitHub Support for help, please include the request ID 4608:268255:615E620:61FF1BD:6A2C2468 and timestamp 2026-06-12 15:23:20 UTC. For more on scraping GitHub and how it may affect your rights, please review our Terms of Service (https://docs.github.com/en/site-policy/github-terms/github-terms-of-service) [rate reset in 5m28s] ... 974: �[36;1mattempt=1�[0m 975: �[36;1m�[0m 976: �[36;1mwhile [ $attempt -le $max_attempts ]; do�[0m 977: �[36;1m echo "Attempt $attempt of $max_attempts"�[0m 978: �[36;1m�[0m 979: �[36;1m # Try to connect to MySQL�[0m 980: �[36;1m if wait_for_mysql "mysql_test"; then�[0m 981: �[36;1m # If MySQL is ready, try to connect to MySQL replica�[0m 982: �[36;1m if wait_for_mysql "mysql_replica_test"; then�[0m 983: �[36;1m # Both are ready, we're done�[0m 984: �[36;1m echo "All MySQL connections successful"�[0m 985: �[36;1m exit 0�[0m 986: �[36;1m fi�[0m 987: �[36;1m fi�[0m 988: �[36;1m�[0m 989: �[36;1m # If we get here, at least one connection failed�[0m 990: �[36;1m echo "Failed to connect to MySQL on attempt $attempt"�[0m 991: �[36;1m�[0m 992: �[36;1m if [ $attempt -lt $max_attempts ]; then�[0m 993: �[36;1m echo "Restarting containers and trying again..."�[0m 994: �[36;1m restart_containers�[0m 995: �[36;1m else�[0m 996: �[36;1m echo "Maximum attempts reached. Failing the job."�[0m 997: �[36;1m exit 1�[0m ... 1111: go: downloading github.com/dunglas/httpsfv v1.0.2 1112: go: downloading github.com/jonboulle/clockwork v0.5.0 1113: go: downloading github.com/tklauser/go-sysconf v0.3.16 1114: go: downloading github.com/tklauser/numcpus v0.11.0 1115: go: downloading github.com/siderolabs/go-cmd v0.1.1 1116: go: downloading github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d 1117: go: downloading github.com/edsrzf/mmap-go v1.1.0 1118: go: downloading github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 1119: go: downloading github.com/bits-and-blooms/bitset v1.12.0 1120: github.com/fleetdm/fleet/v4/server/datastore/mysql: 1121: github.com/fleetdm/fleet/v4/server/datastore/mysql/mysqltest: 1122: github.com/fleetdm/fleet/v4/server/datastore/mysql/migrations/data: 1123: github.com/fleetdm/fleet/v4/server/datastore/mysql/rdsauth: 1124: github.com/fleetdm/fleet/v4/server/datastore/mysql/migrations/tables: 1125: �[32m✓�[0m Basic migration step (0.00s) 1126: �[32m✓�[0m Basic migration step error (0.00s) 1127: �[32m✓�[0m Basic migration step success (0.00s) 1128: �[32m✓�[0m Collation (7.17s) 1129: �[32m✓�[0m Incremental migration step (0.08s) 1130: �[32m✓�[0m Incremental migration step count error is returned (0.00s) 1131: �[32m✓�[0m Incremental migration step executor error is returned (0.00s) 1132: �[32m✓�[0m Incremental migration step increment updates progress (0.03s) ... 1442: �[32m✓�[0m Up 20260529120000 (7.23s) 1443: �[32m✓�[0m Up 20260603101320 (7.25s) 1444: �[32m✓�[0m Up 20260603101320 mdm configuration profile labels blocks label deletion (0.00s) 1445: �[32m✓�[0m Up 20260603101320 mdm declaration labels blocks label deletion (0.00s) 1446: �[32m✓�[0m Up 20260603120000 (7.29s) 1447: �[32m✓�[0m Up 20260604221206 (7.43s) 1448: �[32m✓�[0m Up 20260605195941 (7.29s) 1449: �[32m✓�[0m Up 20260606051849 (7.27s) 1450: �[32m✓�[0m Up 20260608160653 (7.29s) 1451: �[32m✓�[0m Up 20260608202705 (7.32s) 1452: �[32m✓�[0m Up 20260608210432 (7.38s) 1453: �[32m✓�[0m Up 20260609104220 (7.31s) 1454: �[32m✓�[0m Up 20260610172952 (7.57s) 1455: �[32m✓�[0m With steps (0.00s) 1456: �[32m✓�[0m With steps empty steps succeeds (0.00s) 1457: �[32m✓�[0m With steps error stops execution (0.00s) 1458: �[32m✓�[0m With steps integration with basic migration step (0.00s) ... 2032: migration_test.go:109: Skipping migration test for old migration, DB migrations are immutable so once tested for a release they don't need to be tested again. 2033: === �[33mSKIP�[0m: server/datastore/mysql/migrations/tables TestUp_20260324161944 (0.00s) 2034: migration_test.go:109: Skipping migration test for old migration, DB migrations are immutable so once tested for a release they don't need to be tested again. 2035: === �[33mSKIP�[0m: server/datastore/mysql/migrations/tables TestUp_20260326210603 (0.00s) 2036: migration_test.go:109: Skipping migration test for old migration, DB migrations are immutable so once tested for a release they don't need to be tested again. 2037: === �[33mSKIP�[0m: server/datastore/mysql/migrations/tables TestUp_20260401153503_SomeAssignments (0.00s) 2038: migration_test.go:109: Skipping migration test for old migration, DB migrations are immutable so once tested for a release they don't need to be tested again. 2039: === �[33mSKIP�[0m: server/datastore/mysql/migrations/tables TestUp_20260401153503_NoAssignment (0.00s) 2040: migration_test.go:109: Skipping migration test for old migration, DB migrations are immutable so once tested for a release they don't need to be tested again. 2041: === �[33mSKIP�[0m: server/datastore/mysql/migrations/tables TestUp_20260401153503_ManyAssignments (0.00s) 2042: migration_test.go:109: Skipping migration test for old migration, DB migrations are immutable so once tested for a release they don't need to be tested again. 2043: === �[33mSKIP�[0m: server/datastore/mysql/migrations/tables TestUp_20260409153715 (0.00s) 2044: migration_test.go:109: Skipping migration test for old migration, DB migrations are immutable so once tested for a release they don't need to be tested again. 2045: === �[33mSKIP�[0m: server/datastore/mysql/migrations/tables TestUp_20260409153717 (0.00s) 2046: migration_test.go:109: Skipping migration test for old migration, DB migrations are immutable so once tested for a release they don't need to be tested again. 2047: === �[31mFailed�[0m 2048: === �[31mFAIL�[0m: server/datastore/mysql (0.00s) 2049: FAIL github.com/fleetdm/fleet/v4/server/datastore/mysql [build failed] 2050: �[35m 2051: === Errors�[0m 2052: ##[error]server/service/apple_mdm.go:2107:71: undefined: cryptoutil 2053: ##[error]server/service/apple_mdm.go:6730:71: undefined: cryptoutil 2054: DONE 336 tests, 284 skipped, 1 failure, 2 errors in 212.505s 2055: make[1]: *** [Makefile:286: .run-go-tests] Error 1 2056: make[1]: Leaving directory '/home/runner/work/fleet/fleet' 2057: make: *** [Makefile:401: test-go] Error 2 2058: ##[error]Process completed with exit code 2. 2059: ##[group]Run actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a 2060: with: 2061: name: mysql-mysql8.0.44-coverage 2062: path: ./coverage.txt 2063: if-no-files-found: error 2064: compression-level: 6 ... 2076: With the provided path, there will be 1 file uploaded 2077: Artifact name is valid! 2078: Root directory input is valid! 2079: Beginning upload of artifact content to blob storage 2080: Uploaded bytes 224947 2081: Finished uploading artifact content to blob storage! 2082: SHA256 hash of uploaded artifact zip is 7b8a54f9bf34d8cebcb13e36b21dd0e5d43456346bd38ff5716ae0119b126713 2083: Finalizing artifact upload 2084: Artifact mysql-mysql8.0.44-coverage.zip successfully finalized. Artifact ID 7595694193 2085: Artifact mysql-mysql8.0.44-coverage has been successfully uploaded! Final size is 224947 bytes. Artifact ID is 7595694193 2086: Artifact download URL: https://github.com/fleetdm/fleet/actions/runs/27425193283/artifacts/7595694193 2087: ##[group]Run c1grep() { grep "$@" || test $? = 1; } 2088: �[36;1mc1grep() { grep "$@" || test $? = 1; }�[0m 2089: �[36;1mc1grep -oP 'FAIL: .*$' /tmp/gotest.log > /tmp/summary.txt�[0m 2090: �[36;1mc1grep 'test timed out after' /tmp/gotest.log >> /tmp/summary.txt�[0m 2091: �[36;1mc1grep 'fatal error:' /tmp/gotest.log >> /tmp/summary.txt�[0m 2092: �[36;1mc1grep -A 10 'panic: runtime error: ' /tmp/gotest.log >> /tmp/summary.txt�[0m 2093: �[36;1mc1grep ' FAIL\t' /tmp/gotest.log >> /tmp/summary.txt�[0m 2094: �[36;1mGO_FAIL_SUMMARY=$(head -n 5 /tmp/summary.txt | sed ':a;N;$!ba;s/\n/\\n/g')�[0m 2095: �[36;1mecho "GO_FAIL_SUMMARY=$GO_FAIL_SUMMARY"�[0m 2096: �[36;1mif [[ -z "$GO_FAIL_SUMMARY" ]]; then�[0m 2097: �[36;1m GO_FAIL_SUMMARY="unknown, please check the build URL"�[0m 2098: �[36;1mfi�[0m 2099: �[36;1mGO_FAIL_SUMMARY=$GO_FAIL_SUMMARY envsubst < .github/workflows/config/slack_payload_template.json > ./payload.json�[0m 2100: shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} 2101: env: 2102: RACE_ENABLED: false 2103: GO_TEST_TIMEOUT: 20m 2104: DOCKER_COMMAND: docker compose -f docker-compose.yml -f docker-compose-redis-cluster.yml up -d mysql_test mysql_replica_test redis redis-cluster-1 redis-cluster-2 redis-cluster-3 redis-cluster-4 redis-cluster-5 redis-cluster-6 redis-cluster-setup s3 saml_idp mailhog mailpit smtp4dev_test 2105: RUN_TESTS_ARG: 2106: CI_TEST_PKG: mysql 2107: NEED_DOCKER: 1 2108: ARTIFACT_PREFIX: mysql-mysql8.0.44 2109: GOTOOLCHAIN: local 2110: ##[endgroup] 2111: GO_FAIL_SUMMARY= 2112: ##[group]Run actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a 2113: with: 2114: name: mysql-mysql8.0.44-test-log 2115: path: /tmp/gotest.log 2116: if-no-files-found: error 2117: compression-level: 6 ... 3119: Jun 12 15:23:29 runnervmqtt2i sudo[2293]: root : *** ; USER=root ; COMMAND=/usr/bin/resolvectl flush-caches 3120: Jun 12 15:23:29 runnervmqtt2i sudo[2293]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0) 3121: Jun 12 15:23:29 runnervmqtt2i sudo[2293]: pam_unix(sudo:session): session closed for user root 3122: Jun 12 15:23:29 runnervmqtt2i sudo[2296]: root : *** ; USER=root ; COMMAND=/usr/bin/systemctl reload docker 3123: Jun 12 15:23:29 runnervmqtt2i sudo[2296]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0) 3124: Jun 12 15:23:29 runnervmqtt2i sudo[2296]: pam_unix(sudo:session): session closed for user root 3125: Jun 12 15:23:29 runnervmqtt2i sudo[2300]: root : *** ; USER=root ; COMMAND=/usr/bin/systemctl daemon-reload 3126: Jun 12 15:23:29 runnervmqtt2i sudo[2300]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0) 3127: Jun 12 15:23:29 runnervmqtt2i systemd[1]: /etc/systemd/system/agent.service:9: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. 3128: Jun 12 15:23:29 runnervmqtt2i systemd[1]: /etc/systemd/system/agent.service:10: Standard output type syslog is obsolete, automatically updating to journal. Please update your unit file, and consider removing the setting altogether. 3129: Jun 12 15:23:29 runnervmqtt2i sudo[2300]: pam_unix(sudo:session): session closed for user root 3130: Jun 12 15:23:29 runnervmqtt2i sudo[2346]: root : *** ; USER=root ; COMMAND=/usr/bin/systemctl restart docker 3131: Jun 12 15:23:29 runnervmqtt2i sudo[2346]: pam_unix(sudo:session): session opened for user root(uid=0) by (uid=0) 3132: Jun 12 15:23:30 runnervmqtt2i sudo[2346]: pam_unix(sudo:session): session closed for user root 3133: Jun 12 15:23:31 runnervmqtt2i agentservice[2267]: 2026/06/12 15:23:31 INFO Fetching custom detection rules module=armour api_url=https://agent.api.stepsecurity.io/v1 repo=fleetdm/fleet 3134: Jun 12 15:23:31 runnervmqtt2i agentservice[2267]: 2026/06/12 15:23:31 ERROR Failed to initialize detection rules, continuing with eBPF attachment module=armour error="init custom detection rules: fetch policies: API error status 401: {\"error\":\"invalid authorization header format\"}\n" 3135: Jun 12 15:23:31 runnervmqtt2i agentservice[2267]: 2026/06/12 15:23:31 INFO Config module=armour AGENT_PID=2267

[codecov]

Codecov Report

❌ Patch coverage is 0% with 120 lines in your changes missing coverage. Please review.
✅ Project coverage is 30.26%. Comparing base (557def9) to head (39b543c).
⚠️ Report is 53 commits behind head on main.

Files with missing lines	Patch %	Lines
server/datastore/mysql/apple_mdm.go	0.00%	103 Missing ⚠️
server/mdm/apple/apple_mdm.go	0.00%	16 Missing ⚠️
server/mdm/lifecycle/lifecycle.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main   #47523       +/-   ##
===========================================
- Coverage   67.19%   30.26%   -36.93%     
===========================================
  Files        3274     2892      -382     
  Lines      227975   135894    -92081     
  Branches    11746    11908      +162     
===========================================
- Hits       153195    41133   -112062     
- Misses      60965    92274    +31309     
+ Partials    13815     2487    -11328     

Flag	Coverage Δ
backend	19.82% <0.00%> (-49.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.