Skip to content

Sync from Fork#7

Open
ivan-flamingo wants to merge 184 commits into
flamingo-stack:masterfrom
Ylianst:master
Open

Sync from Fork#7
ivan-flamingo wants to merge 184 commits into
flamingo-stack:masterfrom
Ylianst:master

Conversation

@ivan-flamingo

@ivan-flamingo ivan-flamingo commented Apr 3, 2026

Copy link
Copy Markdown

Summary by CodeRabbit

  • New Features

    • Software inventory panel (installed apps + store apps) with search and uninstall
    • Mobile trackpad mode for remote desktop with touch/trackpad controls
    • Linux inspection (AV/firewall/packages) and macOS flat .pkg installer support
    • Configurable terminal user-variable exposure for sessions
  • Bug Fixes

    • Fixed AMT activation password handling
    • Corrected consent message option name
    • Device event cleanup now domain-aware
  • Improvements

    • Better Windows app/store detection and uninstall flows; richer hardware/kernel details
    • Raised Node engine requirement; DOMPurify upgraded; stricter icon upload and web security
    • Docker: trusted-proxy and TLS offload options, default host ports standardized (80/443)

si458 and others added 17 commits March 21, 2026 16:38
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Updated checkout action to version 6 and removed token input.
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
si458 added 2 commits April 4, 2026 17:16
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
yevhen-maker
yevhen-maker previously approved these changes Apr 6, 2026
…up (#7741)

The addusertodevicegroup command sends the --userid value in the
'usernames' field of the addmeshuser websocket command. The server-side
handler treats 'usernames' as short username lookups, which fails for
full user IDs (e.g. user/domain/~azure:user@example.com).

This changes the field to 'userids', which the server resolves correctly
by full ID. This matches the behavior of removeuserfromdevicegroup which
already uses 'userid' (singular) and works correctly.

Fixes #7740
si458 and others added 6 commits April 14, 2026 11:01
Signed-off-by: si458 <simonsmith5521@gmail.com>
* Make the "Expand All"/"Collapse All" button larger

Cosmetic changes in the HTML to make the "Expand all"/"Collapse all" button larger and easier to click as proposed in #5360.

* Make the "Expand All"/"Collapse All" button larger on modern UI

Cosmetic changes in the HTML to make the "Expand all"/"Collapse all" button larger and easier to click as proposed in #5360. Now for the modern UI as well.
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
* Add files via upload

* Add files via upload
* feat: add TLSOffload variable to docker

* chore: add readme values

* chore: also edit the rest

* chore: remove parameters readme paragraph

* chore: set reasonable defaults

---------

Co-authored-by: DaanSelen <dselen@systemec.nl>
arkha10 and others added 30 commits July 2, 2026 08:29
The download page assigns the file name into a JavaScript string
(var filename = '...'). A name containing a single quote could end that
string early. This escapes backslashes and single quotes before the name is
placed there, so the name is always treated as text. File names with quotes
still display and download normally.
The Slack handle was used to build the request URL directly, so any URL could
be given. Slack incoming webhooks always live on hooks.slack.com, so this
checks the host is hooks.slack.com before sending and returns a failed result
otherwise.
The Linux and macOS storage volume mount point was placed into the device
details page without HTML-escaping, while the surrounding values already use
EscapeHtml(). This wraps it in EscapeHtml() too, matching the mobile view
which already does this for the same field.
…headings, text, forms, and navigation elements
…emes, ensuring better visibility and contrast for text and buttons
…oth light and dark modes with appropriate styles
…s in span tags for better styling and visibility
…istency

[ENH] Improves bootstrap/bootswatch theme compatibility in sitestyle 3 across light and dark modes
…nsole.log

Signed-off-by: si458 <simonsmith5521@gmail.com>
* UI Registry

Embedding the registry in the UI

* Add remote Registry management UI and agent tunnel support

- Add Registry device tab on desktop and mobile UI
- Implement protocol 4 registry tunnel flow between browser, relay, and agent
- Add read-only registry browsing with root hives, key navigation, path input, and details view
- Add registry write operations for New Key, New Value, Edit, Rename, Delete, and .reg export
- Integrate Registry with device consent, session tracking, relay indicators, and event logging
- Align Registry layout and behavior with existing Files UI patterns

* No Registry Access & RunDll32.exe

* fix: registry pr

Moved the registry tab from panel 18 to 9.

* fix sec: registry pr

Changes requested by si458: move the registry tab to panel 9, keep the
General tab name, drop the dash from the Registry heading, make the
registry UI strings translatable, and use fully-qualified paths for
reg.exe so the agent never runs it from PATH.

* fix: ff
* chore: make Docker build debian images again

* chore: let the repositories dictate npm versions

* chore: revert main dockerfile for another PR
…ed (#7979)

In updateDesktopButtons(), the "Input" toggle (DeskControl) is unchecked
whenever (rights & 8) is false. But GetNodeRights() returns 0 not only when
the user lacks remote-control rights, but also when currentNode is null or
its device group isn't in the local "meshes" cache yet. Those transient
states can happen after a reconnect or a node/mesh refresh, so an active
operator can see the input checkbox spontaneously uncheck itself (and turn
red) mid-session even though nothing about their permissions changed.

Remote input is enforced server-side by the agent (meshcore.js) and the
desktop multiplexor (meshdesktopmultiplex.js), so the checkbox is a client
convenience, not the security boundary. Only clear it when the rights were
actually evaluable (node present and its mesh in cache); otherwise leave the
current state untouched.

Applied to both default.handlebars and default3.handlebars (both carry the
same logic).
Signed-off-by: si458 <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
…ing (#7981)

* feat: enhance light/dark theme integration and improve icon customization UI

* fix: topbar active hover effects

* Fix icon customization reset button layout

* Fix icon customizer button layout

* Fix legacy surfaces in dark themes

* more fixes for legacy surfaces in dark themes

* Improve documentation for theme normalization function

---------

Co-authored-by: Sammy Ndabo <sammy.ndabo@evoludata.com>
* fix: reg p9 ids

* fix: new ui

* fix: goto

* fix: act

* fix: reg range

* fix: exp

---------

Co-authored-by: Simon Smith <simonsmith5521@gmail.com>
Signed-off-by: si458 <simonsmith5521@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.