Skip to content

[pull] dev from KelvinTegelaar:dev#1059

Merged
pull[bot] merged 40 commits into
bmsimp:devfrom
KelvinTegelaar:dev
Jul 1, 2026
Merged

[pull] dev from KelvinTegelaar:dev#1059
pull[bot] merged 40 commits into
bmsimp:devfrom
KelvinTegelaar:dev

Conversation

@pull

@pull pull Bot commented Jul 1, 2026

Copy link
Copy Markdown

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

JohnDuprey and others added 30 commits April 28, 2026 17:46
Updated to write to and read from cetralised CIPP database
Added license check for new Defender category

Signed-off-by: DamienMatthys <damien@pcunplug.com>
Cleaned up logging

Signed-off-by: DamienMatthys <damien@pcunplug.com>
…enant.ps1

Remove old sync function

Signed-off-by: DamienMatthys <damien@pcunplug.com>
Remove old sync schedule

Signed-off-by: DamienMatthys <damien@pcunplug.com>
Fixed sync to add one CVE per Device

Signed-off-by: DamienMatthys <damien@pcunplug.com>
Add severity and resolvingComment to the incident PATCH so users can
reprioritise and document why an incident was resolved. Build the body
as a hashtable/JSON so free-text comments with quotes are escaped, and
gate assignee changes behind an explicit AssignToSelf flag so status
and severity and status edits no longer clobber the existing owner.
The generated openapi.json types every request body but leaves each 200
response as the generic StandardResults envelope, and carries no operationId
on any operation. That makes the spec hard to consume: OpenAPI importers that
key on operationId skip every operation, and downstream tools get no typed
output fields to map against.

This adds a deterministic post-processing stage that enriches the generated
spec without replacing the upstream generator:

- operationId injection: bare endpoint name per operation, method-prefixed
  only where a single path carries multiple methods. Existing operationIds are
  preserved; collisions are a hard failure.
- typed 200 responses: derived from two checked-in sources, the frontend shape
  baselines (Tests/Shapes/*.json) and page simpleColumns declarations. The
  { Results, Metadata } envelope is preserved as the API actually returns it.

The enriched spec is published as the openapi.enriched.json asset on each
GitHub Release. A PR check workflow runs the test suite and strictly lints the
enriched spec against a committed ignore-baseline that pins pre-existing
upstream findings, so any new finding fails CI.

Pure function of the two repositories; same input produces byte-identical
output. Stage and runner are PowerShell with a Pester suite (50 tests).
Add ExcludeGroupIds and AssignmentDirection so exclude groups are
targeted by ID and a Replace edits only one direction, preserving
the other plus All Users/All Devices. Exclude-only requests no longer
error or wipe assignments, and exclusion targets drop the settings
block that Graph rejects.
…vanced)

Get-CIPPAlertCheckExtension reads a per-tenant watermark from the AlertLastRun
table to only fetch alerts newer than the previous run, but never wrote it back.
So $Since always fell back to the default 24h window and the same alerts were
re-sent on every scheduled run.

Capture the run start, read/store an explicit LastRunTime watermark (falling
back to the existing Timestamp for compatibility), and upsert it after
processing so each run only sends alerts created since the last run.

Fixes #6216
The detection script of a Win32 Custom Application was base64-encoded from the
raw input, so %tenantid% and other Get-CIPPTextReplacement tokens were not
resolved (they reached Intune as literal text), unlike the install and uninstall
scripts. Run the detection script through Get-CIPPTextReplacement first, matching
the install/uninstall handling.

Fixes KelvinTegelaar/CIPP#6226
…vanced) (#2114)

## What

The "Check" add-in's alerts are re-sent on every scheduled run - each
run dumps the whole recent backlog to the configured webhook instead of
only new alerts. Reported in #6216 (e.g. 13 test alerts resulted in 13
entries on every run).

## Cause

`Get-CIPPAlertCheckExtension` reads a per-tenant watermark from the
`AlertLastRun` table (`PartitionKey 'AlertLastRun'`, `RowKey
"<tenant>-Get-CIPPAlertCheckExtension"`) so it only fetches alerts newer
than the previous run - but it never writes that watermark back. As a
result `$Since` always falls back to the default 24-hour window, so
every run re-fetches and re-sends the same alerts (and the
day-partitioned de-dupe in `Write-AlertTrace` resets at midnight, which
lines up with the reported timing jumps).

## Fix

Capture the run start, read/store an explicit `LastRunTime` watermark
(falling back to the existing `Timestamp` for backward compatibility),
and upsert the `AlertLastRun` row after processing. Each run now only
sends alerts created since the previous run.

## Testing

- PowerShell parses clean.
- A mock-storage harness confirms the behaviour: run 1 sends the
backlog, run 2 (no new alerts) sends nothing, run 3 sends only a
newly-added alert.

Fixes KelvinTegelaar/CIPP#6216
# Resolve tenant variables in the Win32 Custom App detection script

Fixes KelvinTegelaar/CIPP#6226.

`%tenantid%` and the other `Get-CIPPTextReplacement` tokens resolve in a
Win32 Custom Application's install and uninstall scripts, but not in the
detection script, which reaches Intune with the literal `%tenantid%`
string.

In `Add-CIPPW32ScriptApplication.ps1` the install and uninstall scripts
are passed through `Get-CIPPTextReplacement` before being
base64-encoded, but the detection script was encoded from the raw
`$Properties.detectionScript`. This change runs the detection script
through `Get-CIPPTextReplacement` first, the same way as the install and
uninstall scripts directly below it.

Verified against the real `Get-CIPPTextReplacement` with mocked tenant
lookups: before the change the detection script keeps the literal
`%tenantid%`; after, it resolves to the tenant's customerId and matches
what the install script produces. Other tokens such as `%tenantfilter%`
resolve too.
Improve logging and error handling in the GDAP relationship termination
function
KelvinTegelaar and others added 10 commits June 30, 2026 20:59
…2112)

## What

Adds a deterministic post-processing stage that enriches the generated
`openapi.json` with typed `200` response schemas and a unique
`operationId` per operation, and publishes the result as a Release
asset. It does **not** replace the existing generator; it runs on its
output.

## Why

The generated spec types request bodies but leaves every `200` response
as the generic `StandardResults` envelope, and carries no `operationId`
on any operation. Two practical consequences:

- OpenAPI importers that key on `operationId` skip every operation.
Tested against a real importer: the unmodified spec imported as **0**
actions; with `operationId` injected it imports as **all 582**.
- Downstream tools get no typed output fields to map against.

## How

A PowerShell stage (`.build/Add-OpenApiResponseSchemas.ps1`) with two
passes, both pure functions of checked-in sources (no live API calls,
byte-identical output across runs):

- **operationId**: bare endpoint name per operation; method-prefixed
only where one path carries multiple methods (e.g. `GetExecCSPLicense` /
`PostExecCSPLicense`). Existing `operationId`s are preserved; any
collision is a hard failure.
- **typed 200 responses**: derived from the frontend shape baselines
(`Tests/Shapes/*.json`) and page `simpleColumns` declarations. The `{
Results, Metadata }` envelope is preserved exactly as the API returns it
(no flattening, so the schema stays truthful to the wire).

Endpoints with no typed source keep `StandardResults`, which is correct
for write/exec operations.

## Publishing + CI

- `openapi-enriched-release.yml` builds and uploads
`openapi.enriched.json` as an asset on each GitHub Release (no commits
back to the tree).
- `openapi-enriched-check.yml` runs the test suite and **strictly lints
the enriched spec** against a committed ignore-baseline
(`.redocly.lint-ignore.yaml`) that pins pre-existing findings, so any
*new* finding fails CI.
- `.github/workflows/` is gitignored in this repo (the existing
workflows are force-added), so these two were added with `git add -f`,
matching the repo convention.

## Tests

50 Pester tests + PSScriptAnalyzer (0 findings), run via
`Tests/Build/Invoke-BuildTests.ps1`. Covers operationId rules
(bare/disambiguated/preserve/collision-throws), response typing,
idempotency, and the frontend-scan edge cases.

## Known limitations (documented in `.build/README.md`)

- Only `get/post/put/patch/delete` are processed (the spec has no other
methods today).
- Paths are assumed to start with `/api/` (all current paths do).
- A typed `200` replaces the existing `200.content` (today only
`StandardResults` exists there).
- Conditional/ternary `simpleColumns` expressions are intentionally not
parsed (a conservative miss is preferred over capturing non-column
strings).

## Side benefit

Injecting `operationId` also removes the `operation-operationId` lint
warning that previously applied to every operation in the spec.


## CI activation note

Both workflows are guarded with `if: github.repository_owner ==
'KelvinTegelaar'`, matching the convention of the existing workflows in
this repo (forks do not run them). As a result they will **not** appear
as status checks on this PR from the fork; they activate once merged
into the upstream tree. Verification was therefore done locally before
opening this PR:

- `Tests/Build/Invoke-BuildTests.ps1`: 50 Pester tests passing,
PSScriptAnalyzer 0 findings
- strict Redocly lint of the generated `openapi.enriched.json`: 0
errors, 0 warnings, 5 pre-existing findings ignored via the committed
baseline; verified to fail on an injected new finding
- both workflow YAML files parse clean
- enrichment is deterministic: same inputs produce byte-identical output
across runs
This pull request enhances the `Push-BECRun` PowerShell function by
adding the retrieval and logging of sent message traces for a user, and
includes this data in the output object. These changes improve the
auditing and incident response capabilities of the function by providing
more comprehensive information about user activity.

**Enhancements to auditing and user activity tracking:**

* Added retrieval of sent message traces using the `Get-MessageTraceV2`
cmdlet, with error handling and logging in case of failures. The trace
includes message details such as status, subject, recipient, received
time, and sender IP.
* Included the collected sent message trace data as a new property
(`SentMessages`) in the output object returned by the function.
Introduce support for ExcludeGroupIds and ExcludeGroupNames in
assignment functions.

Frontend PR: KelvinTegelaar/CIPP#6244
Overhaul of the rather interesting way to construct a JSON payload and
add in severity and resolving comment functionality.

Frontend PR: KelvinTegelaar/CIPP#6234
Updated to write to and read from cetralised CIPP database
@pull pull Bot locked and limited conversation to collaborators Jul 1, 2026
@pull pull Bot added the ⤵️ pull label Jul 1, 2026
@pull pull Bot merged commit 25b4abf into bmsimp:dev Jul 1, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

7 participants