Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
36 commits
Select commit Hold shift + click to select a range
925ce38
Removed trying to load Windows system DLLs from user folders (#329)
panreyes Feb 12, 2026
609a2ce
Fix (UAC/Lock screen) (#320)
LightZirconite Feb 12, 2026
ac59c22
update duktape commit date/hash
si458 Feb 12, 2026
2277c1b
update win-wmi with fixes from meshcentral
si458 Feb 12, 2026
6860fd7
Fixed typo (net stort instead of net start) (#330)
panreyes Feb 12, 2026
8bbc945
Upgrade CodeQL actions to v2 and v4
si458 Feb 14, 2026
9bda665
Downgrade CodeQL action version to v2
si458 Feb 14, 2026
c1bb5cc
Enable JavaScript and C++ for CodeQL analysis
si458 Feb 14, 2026
4f9692c
Added option to limit the width of the desktop notification bar and a…
panreyes Feb 14, 2026
3e6203d
Code safely fix
Ylianst Feb 16, 2026
4a34966
Feat/agent validate webcert (#259)
HuFlungDu Feb 16, 2026
62b206e
Force alignment of allocated memory to prevent segmentation faults on…
gutschke Feb 16, 2026
c0faef2
Fixed compiler warnings
Ylianst Feb 16, 2026
9cb8ba1
Security note
Ylianst Feb 16, 2026
8dece7d
Linux compile fix
Ylianst Feb 16, 2026
ca0ebf2
Update README with supported agent keys table
si458 Mar 24, 2026
1d3662e
add mutliple monitor support to x11 for linux (#340)
si458 Apr 26, 2026
795b7d4
Corrected kvm_server_SetResolution definition and call. Fixes UAC del…
panreyes May 20, 2026
973b720
Run Duktape GC after system proxy detection (#346)
stachi May 20, 2026
a040c51
fix: prevent double-free of controlChannelRequest on connection timeo…
bdasnevesKP May 20, 2026
19e7135
macOS Tahoe: helper joins console user audit session for screen captu…
Austin519 May 20, 2026
f9ace66
fix db.Delete and add extra arguments to dbTool.js
si458 May 26, 2026
b33a61d
update WindowsTargetPlatformVersion and commit.h
si458 May 26, 2026
a20c31f
macOS Tahoe: split KVM helper into a user LaunchAgent (replaces #344 …
Austin519 Jun 2, 2026
6565c5e
fix macos kvmagent reconnect
si458 Jun 2, 2026
f3e031a
Fix UninstallString issues with paths with spaces (#352)
panreyes Jun 2, 2026
f2302c1
update modules #332
si458 Jun 2, 2026
7b55490
update agent-installer
si458 Jun 2, 2026
cb62daa
add xrandr and universal mac build to makefile instructions
si458 Jun 4, 2026
a116e9c
add Linux build workflow
si458 Jul 5, 2026
bbb477f
Refactor Linux build workflow for ARM architecture
si458 Jul 5, 2026
09d970c
use sudo for linux build
si458 Jul 5, 2026
40b0799
Update Windows build workflow for GitHub Actions
si458 Jul 5, 2026
b67fcda
Rename windows-build to windows-build.yml
si458 Jul 5, 2026
331b708
use any 10.0 platform instead of fixed, also continue on fail build
si458 Jul 5, 2026
542d57b
replace afxres with winresrc and use windows-2022 to run on workflows
si458 Jul 5, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Locate and display the workflow section around the referenced lines
FILE=".github/workflows/codeql-analysis.yml"

echo "== File exists? =="
test -f "$FILE" && echo "Found: $FILE" || (echo "Missing: $FILE" && exit 1)

echo
echo "== Lines 1-120 =="
nl -ba "$FILE" | sed -n '1,120p'

Repository: flamingo-stack/meshagent

Length of output: 213


🏁 Script executed:

#!/bin/bash
set -euo pipefail

FILE=".github/workflows/codeql-analysis.yml"

echo "== Relevant lines (1-120) with numbers =="
awk 'NR>=1 && NR<=120 {printf "%d\t%s\n", NR, $0}' "$FILE"

echo
echo "== Lines mentioning github/codeql-action =="
rg -n "github/codeql-action/" "$FILE" || true

echo
echo "== Lines mentioning actions/checkout =="
rg -n "actions/checkout@" "$FILE" || true

echo
echo "== Full file (only if <= 200 lines) =="
LINES=$(wc -l < "$FILE" 2>/dev/null || echo 999999)
if [ "$LINES" -le 200 ]; then
  awk '{printf "%d\t%s\n", NR, $0}' "$FILE"
else
  echo "Skipping full file; file has $LINES lines."
fi

Repository: flamingo-stack/meshagent

Length of output: 3846


🌐 Web query:

GitHub documentation github/codeql-action init analyze v2 deprecation v3 supported runners pin to SHA

💡 Result:

As of June 2, 2026, the GitHub CodeQL Action is currently in its v4 release cycle, which is the recommended version for all users [1]. Deprecation Status of Older Versions: - CodeQL Action v2: This version was officially retired and deprecated in early 2025 following the deprecation of GitHub Enterprise Server (GHES) 3.11 [2]. - CodeQL Action v3: This version is scheduled for official deprecation in December 2026, coinciding with the deprecation of GHES 3.19 [3][4]. Users are advised to migrate to v4 before this date to ensure continued access to new features and security updates [3][4]. Migration to v4: To upgrade your workflows, replace all references to v3 with v4 in your workflow files (e.g., init@v3 to init@v4, analyze@v3 to analyze@v4) [4]. Note that on older GHES versions, you may need to ensure your administrator has enabled GitHub Connect to download the necessary action versions [4]. Best Practices for Pinning: While using version tags like v4 is common for flexibility, it is not cryptographically immutable, as tags can be moved or deleted [5][6]. For maximum security, GitHub and security experts strongly recommend pinning GitHub Actions to a full-length commit SHA [5][7]. This prevents unauthorized code changes from being automatically pulled into your pipeline if an action repository is compromised [8][6]. Recommended Pinning Strategy: To maintain both security and maintainability, use the following pattern in your workflow files [6]: - uses: github/codeql-action/init@ # v4 By including the tag version in a comment, you maintain readability and compatibility with automated update tools like Dependabot, while the SHA ensures immutability [6]. You can audit your current workflow files for unpinned actions using grep or specialized security tooling [6].

Citations:


Pin CodeQL GitHub Actions to commit SHAs (v2 is deprecated).

The workflow uses github/codeql-action/init@v2 (line 29) and github/codeql-action/analyze@v2 (line 52); CodeQL action v2 is deprecated/retired, so the scan may fail or stop receiving fixes. Also, actions/checkout@v4 (line 16) is tag-based and not pinned—pin these uses: entries to full commit SHAs for immutability.

Also applies to: 29-29, 52-52

🧰 Tools
🪛 zizmor (1.25.2)

[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/codeql-analysis.yml at line 16, The workflow currently
references tag-based and deprecated actions (uses: actions/checkout@v4,
github/codeql-action/init@v2, github/codeql-action/analyze@v2); update each of
those uses: entries to pin to full commit SHAs instead of tags and replace the
deprecated CodeQL v2 references with the maintained CodeQL action commit SHAs.
Specifically, locate the uses: lines for actions/checkout,
github/codeql-action/init, and github/codeql-action/analyze and change their
version specifiers to full commit SHAs (the exact commit SHAs for the current
stable/main commits of those repos).

with:
# We must fetch at least the immediate parents so that if this is
# a pull request then we can checkout the head.
Expand All @@ -26,7 +26,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
uses: github/codeql-action/init@v2
# Override language selection by uncommenting this and choosing your languages
with:
languages: javascript, cpp
Expand All @@ -49,4 +49,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
uses: github/codeql-action/analyze@v2
49 changes: 49 additions & 0 deletions .github/workflows/linux-build.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
name: Linux Build
run-name: Build Linux versions of MeshAgent
on: [push]
jobs:
linux-build-x86:
runs-on: ubuntu-24.04
steps:
- name: Check out repository code
uses: actions/checkout@v7.0.0
- name: Install Packages
run: |
sudo dpkg --add-architecture i386 &&
sudo apt clean all && sudo apt update &&
sudo apt-get install -y libx11-dev libxtst-dev libxext-dev libjpeg62-dev build-essential &&
sudo apt-get install -y linux-libc-dev:i386 libc6-dev-i386 libjpeg62-dev:i386 &&
sudo apt-get install -y libc6-armel-cross libc6-dev-armel-cross binutils-arm-linux-gnueabi libncurses5-dev gcc-arm-linux-gnueabihf &&
sudo apt-get install -y libxrandr-dev
- name: Build 32 Bit Linux
run: make -j4 linux ARCHID=5 && make clean
- name: Build 64 Bit Linux
run: make -j4 linux ARCHID=6 && make clean
- name: Build 32 Bit NOKVM Linux
run: make -j4 linux ARCHID=19 && make clean
- name: Build 64 Bit NOKVM Linux
run: make -j4 linux ARCHID=20 && make clean
- name: Build 64 Bit Alpine Linux
run: make -j4 linux ARCHID=33 && make clean
- name: Upload Artifacts
uses: actions/upload-artifact@v7.0.1
with:
name: meshagent-binaries-x86
path: ${{ github.workspace }}/meshagent_*

linux-build-arm:
runs-on: ubuntu-24.04-arm
steps:
- name: Check out repository code
uses: actions/checkout@v7.0.0
- name: Install Packages
run: |
sudo apt clean all && sudo apt update &&
sudo apt-get install -y libx11-dev libxtst-dev libxext-dev libjpeg-dev libxrandr-dev build-essential
- name: Build ARM64 Linux
run: make -j4 linux ARCHID=26 && make clean
- name: Upload Artifacts
uses: actions/upload-artifact@v7.0.1
with:
name: meshagent-binaries-arm
path: ${{ github.workspace }}/meshagent_*
27 changes: 27 additions & 0 deletions .github/workflows/windows-build.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
name: Windows Build

run-name: Build Windows versions of MeshAgent

on:
push:
pull_request:

jobs:
windows-build:
runs-on: ${{ matrix.platform == 'ARM64' && 'windows-11-arm' || 'windows-2022' }}
strategy:
fail-fast: false
matrix:
platform: [x64, x86, ARM64]
steps:
- uses: actions/checkout@v7
- name: Setup Visual Studio
uses: microsoft/setup-msbuild@v3
- name: Build ${{ matrix.platform }}
run: msbuild MeshAgent-2022.sln /p:Configuration=Release /p:Platform=${{ matrix.platform }}
- name: Upload ${{ matrix.platform }} artifacts
uses: actions/upload-artifact@v7
with:
name: meshagent-windows-${{ matrix.platform }}
path: Release/*.exe

48 changes: 48 additions & 0 deletions com.meshagent.kvm.plist
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.meshagent.kvm</string>

<!--
Launchd loads this LaunchAgent into gui/<console-uid> (and
LoginWindow), so the kvm process runs natively in the user's
GUI audit session. com.apple.replayd is reachable from this
session, which is what makes ScreenCaptureKit / ReplayKit
screen-capture work on macOS Tahoe without the
audit_session_join workaround the daemon-spawn path needs.
-->
<key>LimitLoadToSessionType</key>
<array>
<string>Aqua</string>
<string>LoginWindow</string>
</array>

<key>ProgramArguments</key>
<array>
<string>/usr/local/mesh_services/meshagent/meshagent/meshagent</string>
<string>-kvmagent</string>
</array>

<!--
Always restart unless we exited cleanly. ThrottleInterval keeps
us from hammering on a persistent failure (e.g., replayd genuinely
unreachable).
-->
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<dict>
<key>SuccessfulExit</key>
<false/>
</dict>
<key>ThrottleInterval</key>
<integer>30</integer>

<key>StandardOutPath</key>
<string>/tmp/meshagent-kvm.stdout.log</string>
<key>StandardErrorPath</key>
<string>/tmp/meshagent-kvm.stderr.log</string>
</dict>
</plist>
12 changes: 9 additions & 3 deletions makefile
Original file line number Diff line number Diff line change
Expand Up @@ -9,21 +9,27 @@
#
# To build MeshAgent2 on Linux you first got to download the dev libraries to compile the agent, we need x11, txt, ext and jpeg. To install, do this:
# Using APT:
# sudo apt-get install libx11-dev libxtst-dev libxext-dev libjpeg62-dev
# sudo apt-get install libx11-dev libxtst-dev libxext-dev libjpeg62-dev libxrandr-dev
#
# Using YUM:
# sudo yum install libX11-devel libXtst-devel libXext-devel libjpeg-devel
# sudo yum install libX11-devel libXtst-devel libXext-devel libjpeg-devel libXrandr-devel
#
# NOTE: If you install headers for jpeg8, you need to put the compiled .a in the v80 folder, and specify JPEGVER=v80 when building MeshAgent
# eg: make linux ARCHID=6 JPEGVER=v80
#
#
# To build for 32 bit on 64 bit linux
# sudo apt-get install linux-libc-dev:i386 libc6-dev-i386 libjpeg62-dev:i386
# sudo apt-get install linux-libc-dev:i386 libc6-dev-i386 libjpeg62-dev:i386 libxrandr-dev:i386
#
# To install ARM Cross Compiler for Raspberry PI
# sudo apt-get install libc6-armel-cross libc6-dev-armel-cross binutils-arm-linux-gnueabi libncurses5-dev gcc-arm-linux-gnueabihf
#
# To build universal binaries for macOS, you need to install the Xcode command line tools,
# and then use the following commands to build x86_64 and arm64 binaries, then combine them into a universal binary with lipo:
# make macos ARCHID=16 # macOS x86 64 bit
# make macos ARCHID=29 # macOS ARM 64 bit
# lipo -create -output meshagent_osx-universal-64 meshagent_osx-x86-64 meshagent_osx-arm-64 # Combine the two binaries into a universal binary
#
# Special builds:
#
# make linux ARCHID=6 WEBLOG=1 KVM=0 # Linux x86 64 bit, with Web Logging, and KVM disabled
Expand Down
2 changes: 1 addition & 1 deletion meshconsole/MeshConsole-2022.vcxproj
Original file line number Diff line number Diff line change
Expand Up @@ -195,7 +195,7 @@
<PropertyGroup Label="Globals">
<ProjectGuid>{E377F156-BAED-4086-B534-3CC43164607A}</ProjectGuid>
<RootNamespace>MicrostackDuktape</RootNamespace>
<WindowsTargetPlatformVersion>10.0.22621.0</WindowsTargetPlatformVersion>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<ProjectName>MeshConsole-2022</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
Expand Down
45 changes: 45 additions & 0 deletions meshconsole/main.c
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,12 @@ MeshAgentHostContainer *agentHost = NULL;
char __agentExecPath[1024] = { 0 };
#endif

#if defined(__APPLE__)
#include <bsm/audit.h>
#include <bsm/audit_session.h>
#include <unistd.h>
#endif


#ifdef WIN32
BOOL CtrlHandler(DWORD fdwCtrlType)
Expand Down Expand Up @@ -277,6 +283,18 @@ char* crashMemory = ILib_POSIX_InstallCrashHandler(argv[0]);
#if defined(_LINKVM) && defined(__APPLE__)
if (argc > 1 && strcasecmp(argv[1], "-kvm0") == 0)
{
// Tahoe audit-session join: pre-exec in SpawnProcessEx4 (as
// root) is what discovers and joins the user's gui session;
// post-exec call here as uid 501 inherits enough visibility
// from that to re-join cleanly and ensures the helper's
// kernel-tracked asid lands on the user's gui session before
// kvm_server_mainloop opens its XPC connection to
// com.apple.replayd. Both calls together are needed: the
// pre-exec join doesn't survive exec on its own, and
// post-exec alone is denied (uid 501 can't audit_session_port
// arbitrary asids on Tahoe).
extern int ILibProcessPipe_JoinUserAuditSession_OSX_PostExec(uid_t uid);
ILibProcessPipe_JoinUserAuditSession_OSX_PostExec(getuid());
kvm_server_mainloop(NULL);
return 0;
}
Expand All @@ -285,6 +303,33 @@ char* crashMemory = ILib_POSIX_InstallCrashHandler(argv[0]);
kvm_server_mainloop((void*)(uint64_t)getpid());
return 0;
}
else if (argc > 1 && strcasecmp(argv[1], "-kvmagent") == 0)
{
// User-context LaunchAgent mode: long-running KVM server that
// listens on a Unix domain socket in the console user's session.
// Loaded by launchd into gui/<uid> via a LaunchAgent plist; runs
// natively in the user's GUI audit session, so com.apple.replayd
// (which only registers in gui/<uid>) is reachable without the
// audit_session_join workaround the daemon-spawn path needs.
// Daemon connects to this socket when MeshCentral's Desktop tab
// opens, instead of fork+exec'ing a -kvm0 helper.
// Optional argv[2] = socket path; defaults to a tmp-dir path
// keyed by uid so the agent can bind it as a non-root user.
extern void kvm_set_listener_path(const char *path);
char defaultPath[128];
if (argc > 2 && argv[2] != NULL && argv[2][0] != '\0')
{
kvm_set_listener_path(argv[2]);
}
else
{
snprintf(defaultPath, sizeof(defaultPath),
"/tmp/meshagent-kvm-%u.sock", (unsigned)getuid());
kvm_set_listener_path(defaultPath);
}
kvm_server_mainloop((void*)(uint64_t)getpid());
return 0;
}
#endif

if (argc > 2 && strcasecmp(argv[1], "-faddr") == 0)
Expand Down
Loading