Deprecate "team" and "query" API params

[sgress454]

Related issue: For #39344

Details

This PR builds on the previous PR (#39847) which added renameto tags to certain API parameters to mark them as deprecated. How this is used:

In requests

• When decoding requests, log a warning if a json or query param is used that has a renameto tag, e.g. if a team_id param is sent but the related struct has renameto:"fleet_id" in it.
• If the renamedto version (e.g. fleet_id) is sent in the request, rewrite it to the deprecated name so that it can be unmarshalled into the struct
• If both versions are sent (e.g. team_id AND fleet_id), throw an error and quit

In responses

• Output both the deprecated and new names for fields that have renameto tags, so that we don't break existing workflows expecting the old keys.

In fleetctl

• Similar to requests, log warnings when deprecated keys are used and rewrite the new keys internally so that they can be unmarshalled.
• For fleetctl get and fleetctl generate-gitops, only output the new names

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information.

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements)

• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

• Added/updated automated tests

• Where appropriate, automated tests simulate multiple hosts and test for host isolation (updates to one hosts's records do not affect another)

• QA'd all new/changed functionality manually

For unreleased bug fixes in a release candidate, one of:

• Confirmed that the fix is not expected to adversely impact load test results
• Alerted the release DRI if additional load testing is needed

Database migrations

• Checked schema for all modified table for columns that will auto-update timestamps during migration.
• Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
• Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

New Fleet configuration settings

• Setting(s) is/are explicitly excluded from GitOps

If you didn't check the box above, follow this checklist for GitOps-enabled settings:

• Verified that the setting is exported via fleetctl generate-gitops
• Verified the setting is documented in a separate PR to the GitOps documentation
• Verified that the setting is cleared on the server if it is not supplied in a YAML file (or that it is documented as being optional)
• Verified that any relevant UI is disabled when GitOps mode is enabled

fleetd/orbit/Fleet Desktop

• Verified compatibility with the latest released version of Fleet (see Must rule)
• If the change applies to only one platform, confirmed that runtime.GOOS is used as needed to isolate changes
• Verified that fleetd runs on macOS, Linux and Windows
• Verified auto-update works from the released version of component to the new version (see tools/tuf/test)

Summary by CodeRabbit

• New Features

  • Added backward compatibility support for deprecated field names in API requests and responses.

• Bug Fixes

  • Fixed handling of legacy configuration formats by automatically mapping old field names to new ones.

• Refactor

  • Renamed terminology throughout the platform: "team" → "fleet," "team_settings" → "settings," and query-related settings to report-related settings for consistency and clarity in API responses and GitOps configurations.

[sgress454]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Walkthrough

This pull request implements field name migration across Fleet's API and configuration, renaming terminology from team-based to fleet-based and query-based to report-based. It introduces deprecation-handling infrastructure in the endpoint utilities package for backward compatibility, including JSON key rewriting and aliasing mechanisms for streaming and in-memory JSON processing. The changes update fleetctl code generation and spec parsing to apply these transformations automatically, and update activity logging and webhook payload serialization to include both old and new field names. Comprehensive test updates reflect the new field names throughout the codebase.

Possibly related PRs

• Move software self-service, labels, categories, and setup experience to team level in GitOps #32245: Modifies GitOps parsing and spec generation in the same pkg/spec package and fleetctl code, touching overlapping areas of configuration file handling and field transformations.
• Refactor endpoint_utils for modularization #36484: Modifies server/platform/endpointer code for JSON key rewriting and alias rules extraction, directly related to the endpoint utilities infrastructure introduced here.
• Allow configuring webhook policy automations for "No team" #32129: Implements coordinated No Team webhook and default-team configuration handling that integrates with the GitOps parsing and field mapping changes in this PR.

🚥 Pre-merge checks | ✅ 3 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 24.30% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Deprecate "team" and "query" API params' directly and clearly summarizes the main objective of the changeset: implementing deprecation support for the team/query API parameters in favor of fleet/reports naming.
Description check	✅ Passed	The PR description provides a comprehensive explanation of the deprecation approach for requests, responses, and fleetctl, with clear details on handling deprecated keys. Most checklist items are appropriately left unchecked as they don't apply to this refactoring PR.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into sgress454/39344-rename-tags-only

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sgress454/39344-rename-teams-to-fleet-transformation

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 10

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

pkg/spec/spec.go (1)

144-152: ⚠️ Potential issue | 🟠 Major

TeamKind case hardcodes rawTeam["team"] — will miss input using the new "fleet" key.

For all other spec kinds, rewriteNewToOldKeys rewrites new key names back to old names before unmarshaling. The TeamKind case bypasses this by unmarshaling into a raw map and directly accessing rawTeam["team"]. If a user provides fleet: (the new name) in their YAML, line 152 will produce a nil value since the map won't contain the "team" key.

Consider either:

1. Applying rewriteNewToOldKeys to s.Spec before the raw-map unmarshal (using a representative struct that has json:"team" renameto:"fleet"), or
2. Checking for both rawTeam["team"] and rawTeam["fleet"] with appropriate precedence.

Option 2: check both keys

 	case fleet.TeamKind:
 		rawTeam := make(map[string]json.RawMessage)
 		if err := yaml.Unmarshal(s.Spec, &rawTeam); err != nil {
 			return nil, fmt.Errorf("unmarshaling %s spec: %w", kind, err)
 		}
-		specs.Teams = append(specs.Teams, rawTeam["team"])
+		teamData, ok := rawTeam["team"]
+		if !ok {
+			teamData = rawTeam["fleet"]
+		}
+		specs.Teams = append(specs.Teams, teamData)

server/service/hosts.go (1)

252-258: ⚠️ Potential issue | 🔴 Critical

Bug: DuplicateJSONKeys is called before checking the marshal error.

Line 253 processes data from marshalJson before line 254 checks whether marshalJson returned an error. While DuplicateJSONKeys handles empty/nil data gracefully, the intent is clearly to skip processing on error. Move the call after the error check.

🐛 Proposed fix

 		data, err := marshalJson(hostResp)
-		data = endpointer.DuplicateJSONKeys(data, aliasRules)
 		if err != nil {
 			fmt.Fprint(w, `],`)
 			fmt.Fprint(w, marshalError(fmt.Sprintf("marshaling host response: %s", err.Error())))
 			fmt.Fprint(w, `}`)
 			return
 		}
+		data = endpointer.DuplicateJSONKeys(data, aliasRules)
 		if !firstHost {

🤖 Fix all issues with AI agents

In `@cmd/fleetctl/fleetctl/generate_gitops.go`:
- Around line 507-516: The nil-pointer occurs because the error path logs
team.Name when team can be nil; update the error handling in the block that
calls cmd.generateQueries(teamToProcess.ID) to avoid dereferencing team.Name —
use a safe name variable (e.g., derive name := "global" or use
teamToProcess.Name if non-nil) or include teamToProcess.ID in the error message
instead, and write that safe value when reporting the error and when assigning
cmd.FilesToWrite[fileName].(map[string]any)["reports"]; apply the same defensive
change to the analogous policies block (the call to cmd.generatePolicies) so
neither error path dereferences team.Name when team is nil.

In
`@cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_deprecated_test.go`:
- Line 715: Replace the typo in the inline comment "Check script existance" with
the correct spelling "Check script existence" in the
gitops_enterprise_integration_deprecated_test.go test file (search for the exact
comment string to locate it).
- Around line 1599-1600: Update the truncated single-line doc comment above
TestGitOpsSoftwareDisplayName so it is either a complete descriptive sentence or
remove it; do the same for the three other nearby test-function comments that
were cut off (they currently end mid-sentence). Locate the comment tokens
starting with "//" immediately above the test function declarations (e.g.,
TestGitOpsSoftwareDisplayName) and replace each truncated comment with a full,
concise description of what the test verifies or delete the comment entirely to
avoid incomplete/copy-paste artifacts.
- Around line 296-329: The test currently uses globalFile.WriteString(...) to
append YAML blocks (the calls using globalFile.WriteString with dirPath,
digiCertServer.URL and scepServer.URL) which leaves the file handle in append
mode and concatenates documents; replace these append-style writes with a full
overwrite using os.WriteFile(globalFile.Name(), []byte(yamlContent), 0o600) (or
appropriate perm) so the file is truncated and contains only the intended YAML;
do this for both occurrences where globalFile.WriteString is used in this test
(the two multi-line YAML writes) and ensure you check and require.NoError on the
os.WriteFile call.
- Around line 1892-1898: The SQL query that fetches icon filenames uses a
hardcoded team_id = 0 which is wrong for titles created for a specific team;
update the query invocation inside the anonymous function (the call using
sqlx.In with "SELECT filename FROM software_title_icons WHERE team_id = ? AND
software_title_id IN (?)", 0, teamTitleIDs) to pass team.ID instead of 0 so it
filters by the actual team (use team.ID, keeping teamTitleIDs as before) and
ensure the surrounding call to mysql.ExecAdhocSQL/sqlx.SelectContext remains
unchanged.

In `@pkg/spec/gitops_deprecations.go`:
- Around line 21-33: Deprecated nested-array mappings in
DeprecatedGitOpsKeyMappings fail because migrateKeyPathRecursive expects array
markers as separate parts (oldParts[1] == "[]") but key parts like
"apple_business_manager[]" keep the "[]" suffix; update migrateKeyPathRecursive
to detect and handle a trailing "[]" on a part: when splitting path parts, if a
part endsWith "[]", strip the "[]" to get baseKey, use data[baseKey] to access
the slice (and iterate over its elements recursively), and ensure
newParts/newKey construction preserves or replaces the array marker
consistently; reference the function migrateKeyPathRecursive, variables oldParts
and oldKey, and the DeprecatedGitOpsKeyMappings entries (e.g.
"org_settings.mdm.apple_business_manager[].macos_team") when making this change.

In `@pkg/spec/gitops_test.go`:
- Around line 776-784: Update the stale test comment to accurately describe the
test: change the comment text that currently reads "Invalid policies in a
separate file" to something like "Invalid reports in a separate file" so it
matches the test block that writes "[2]" to a temp file and asserts an error
from gitOpsFromString; locate the comment above the tmpFile creation in the test
that uses getConfig, gitOpsFromString, and assert.ErrorContains and adjust the
wording accordingly.

In `@server/platform/endpointer/endpoint_utils.go`:
- Around line 310-331: The current query-parameter handling in the block around
queryVal/queryTagValue and fp.Sf.Tag.Lookup("renameto") ignores the new name
when both deprecated and new query params are present; update the logic to
detect when both the deprecated name (queryTagValue) and the parsed renameto
name (use ParseTag(renameTo) to get the actual newName) are present in
r.URL.Query(), and if so return the same AliasConflictError used by
JSONKeyRewriteReader (construct and return AliasConflictError with both names);
otherwise preserve existing behavior (warn when only old present, use new when
only new present). Ensure you reference queryVal, queryTagValue,
fp.Sf.Tag.Lookup("renameto"), ParseTag(renameTo), and r.URL.Query().Get(newName)
when implementing the check.

In `@server/service/integration_core_test.go`:
- Around line 14122-14126: The test mutates the global AI feature flag via
s.Do("PATCH", "/api/latest/fleet/config", ...) and leaves it disabled for later
tests; capture the original server_settings.ai_features_disabled value before
patching, and register a t.Cleanup that restores it by issuing a PATCH (using
the same s.Do helper and json.RawMessage payload) to set ai_features_disabled
back to the original boolean; use t.Cleanup to ensure restoration even if the
test fails.

In `@server/service/modules/activities/activities.go`:
- Around line 55-59: DuplicateJSONKeys currently re-encodes JSON with pretty
indentation causing inconsistent formatting; change DuplicateJSONKeys
(json_key_duplicator.go) to produce compact JSON by removing
jsontext.WithIndent("  ") or by adding a parameter/option (e.g., compact bool or
indent string) so callers can request compact output, then update the caller in
activities.go where DuplicateJSONKeys is invoked (after
endpointer.ExtractAliasRules) to call it with the compact option (or rely on the
default compact behavior). Ensure the function still applies alias rules and
returns bytes in compact form to keep stored activity details consistent with
json.Marshal output.

🧹 Nitpick comments (10)

pkg/spec/spec.go (1)

48-61: Silent error swallowing in rewriteNewToOldKeys is acceptable but worth a log.

The fallback to original data on error (line 58) is a safe default, but errors during key rewriting could silently mask issues (e.g., malformed JSON that happens to unmarshal differently). Consider adding a debug-level log when the rewrite fails so issues are diagnosable.

cmd/fleetctl/fleetctl/generate_gitops.go (1)

116-168: The aliasRules map contains broad key names like "team" and "queries" that are applied recursively.

replaceAliasKeys renames every occurrence of these keys at any nesting depth. This works for the current data model but is fragile — any future struct field with a json:"team" tag that is unrelated to this rename would be silently affected. Also, if a map already contains both the old and new key (e.g., "team_id" and "fleet_id"), the rename silently overwrites the existing value.

Consider either:

• Adding a conflict check in replaceAliasKeys (log a warning or return an error if the target key already exists), or
• Documenting the assumption that these keys are globally unique and won't conflict.

Proposed conflict check

 	var renames []rename
 	for k := range val {
 		if newKey, ok := rules[k]; ok {
+			if _, exists := val[newKey]; exists {
+				// Both old and new key exist — skip rename to avoid data loss.
+				continue
+			}
 			renames = append(renames, rename{k, newKey})
 		}
 	}

pkg/spec/gitops_deprecations.go (1)

56-118: migrateKeyPathRecursive assumes oldParts/newParts are always the same length — no validation.

If a mapping has paths of different depths (e.g., "a.b.c" → "x.y"), the recursion could index out of bounds or silently mismatch keys at each level. Consider adding an upfront check or at least a comment that equal-depth paths are required.

Add a validation in `migrateKeyPath`

 func migrateKeyPath(data map[string]any, oldPath, newPath string, logFn Logf) error {
 	oldParts := strings.Split(oldPath, ".")
 	newParts := strings.Split(newPath, ".")
+	if len(oldParts) != len(newParts) {
+		return fmt.Errorf("deprecated key mapping path depth mismatch: %q (%d) vs %q (%d)", oldPath, len(oldParts), newPath, len(newParts))
+	}
 
 	return migrateKeyPathRecursive(data, oldParts, newParts, oldPath, newPath, logFn)
 }

server/platform/endpointer/json_key_rewriter.go (1)

96-100: Stale comment on Close() — references "pipe" and "transform goroutine" that no longer exist.

The implementation reads everything eagerly into a bytes.Buffer (no goroutine or pipe). The doc comment should be updated.

Suggested doc fix

-// Close closes the reader end of the pipe to unblock the transform goroutine
-// if the consumer stops reading early.
+// Close is a no-op; the reader buffers all rewritten JSON eagerly in the constructor.
 func (r *JSONKeyRewriteReader) Close() error {
 	return nil
 }

cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_test.go (1)

2805-2821: Consider renaming the template parameter Queries to Reports for consistency.

The YAML key has been renamed to reports: but the Go template struct field is still Queries (line 2808, used at line 2813). This mismatch could confuse maintainers.

Proposed rename

 	type tmplParams struct {
 		Name    string
-		Queries string
+		Reports string
 		Labels  string
 	}
 	teamCfgTmpl, err := template.New("t1").Parse(`
 controls:
 software:
-reports:{{ .Queries }}
+reports:{{ .Reports }}
 policies:

And update usages at lines 2834 and 2877:

-		Queries: fmt.Sprintf("\n  - name: query-%d\n    query: SELECT 1", i),
+		Reports: fmt.Sprintf("\n  - name: query-%d\n    query: SELECT 1", i),

server/platform/endpointer/json_key_duplicator.go (2)

36-36: Output is always pretty-printed due to WithIndent(" ").

The encoder always indents the output. If callers expect compact JSON (e.g., for DB storage of activity details), this inflates payload size. Consider accepting an option or removing the indent if compact output is the common case.

Suggestion: use compact encoding by default

-	enc := jsontext.NewEncoder(&buf, jsontext.WithIndent("  "), jsontext.AllowDuplicateNames(true))
+	enc := jsontext.NewEncoder(&buf, jsontext.AllowDuplicateNames(true))

---

125-137: Recursive DuplicateJSONKeys for nested values re-creates decoder/encoder per nesting level.

dec.ReadValue() reads the entire nested value as raw JSON, then the recursive call re-parses it from scratch. For deeply nested or large payloads, this creates O(depth) full re-parses of inner content. This is acceptable if payloads are small (typical for API responses), but worth being aware of for large payloads.

server/platform/endpointer/endpoint_utils.go (3)

148-204: extractAliasRulesFromType is a thin wrapper that only allocates a visited map.

Consider inlining the visited map allocation into ExtractAliasRules directly and dropping extractAliasRulesFromType to reduce indirection. Not blocking.

---

695-706: Body-decoder deprecation warning omits the new field names, unlike the non-body path.

Lines 610-625 compute and log the replacement names (newNames), but the body-decoder path here (lines 698-705) only says "use the updated field names instead" without listing them. Consider reusing the same deprecation-logging logic.

Suggested fix

 			if rewriter != nil {
 				if deprecated := rewriter.UsedDeprecatedKeys(); len(deprecated) > 0 {
+					newNames := make([]string, len(deprecated))
+					for i, old := range deprecated {
+						for _, rule := range aliasRules {
+							if rule.OldKey == old {
+								newNames[i] = rule.NewKey
+								break
+							}
+						}
+					}
 					logging.WithLevel(ctx, level.Warn)
 					logging.WithExtras(ctx,
 						"deprecated_fields", fmt.Sprintf("%v", deprecated),
-						"deprecation_warning", "use the updated field names instead",
+						"deprecation_warning", fmt.Sprintf("use the updated field names (%s) instead", newNames),
 					)
 				}
 			}

---

299-299: Move context.Context to first parameter per Go convention.

context.Context should be the first parameter in Go functions per Go idioms. This refactoring requires updating both the function signature at line 299 and the call site at line 672.

Required changes

Function signature:

-func DecodeQueryTagValue(r *http.Request, fp fieldPair, customDecoder DomainQueryFieldDecoder, ctx context.Context) error {
+func DecodeQueryTagValue(ctx context.Context, r *http.Request, fp fieldPair, customDecoder DomainQueryFieldDecoder) error {

Call site at line 672:

-			err = DecodeQueryTagValue(r, fp, customQueryDecoder, ctx)
+			err = DecodeQueryTagValue(ctx, r, fp, customQueryDecoder)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Nil-pointer dereference on the error path when team is nil.

When processing the global config (team == nil), the guard on line 507 passes (team == nil || team.ID != 0). If generateQueries returns an error, line 511 dereferences team.Name, which will panic.

Note: the same pre-existing issue exists on line 502 for policies.

Proposed fix

 		if team == nil || team.ID != 0 {
 			// Generate reports (except for on No Team).
 			reports, err := cmd.generateQueries(teamToProcess.ID)
 			if err != nil {
-				fmt.Fprintf(cmd.CLI.App.ErrWriter, "Error generating reports for team %s: %s\n", team.Name, err)
+				teamName := "Global"
+				if team != nil {
+					teamName = team.Name
+				}
+				fmt.Fprintf(cmd.CLI.App.ErrWriter, "Error generating reports for team %s: %s\n", teamName, err)
 				return ErrGeneric
 			}

🤖 Prompt for AI Agents

In `@cmd/fleetctl/fleetctl/generate_gitops.go` around lines 507 - 516, The
nil-pointer occurs because the error path logs team.Name when team can be nil;
update the error handling in the block that calls
cmd.generateQueries(teamToProcess.ID) to avoid dereferencing team.Name — use a
safe name variable (e.g., derive name := "global" or use teamToProcess.Name if
non-nil) or include teamToProcess.ID in the error message instead, and write
that safe value when reporting the error and when assigning
cmd.FilesToWrite[fileName].(map[string]any)["reports"]; apply the same defensive
change to the analogous policies block (the call to cmd.generatePolicies) so
neither error path dereferences team.Name when team is nil.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

File content is appended, not replaced — the YAML file will contain concatenated documents.

globalFile.WriteString(...) at line 296 (and again at line 353) appends to the already-written file because the file handle was never truncated, seeked, or re-created. The resulting file will contain multiple YAML blocks without --- separators, producing either a parse error or silently merging keys in unexpected ways.

Other tests in this file correctly use os.WriteFile(globalFile.Name(), ...) (e.g., line 480) to replace file contents. Apply the same pattern here.

Suggested fix for the second write (line 296)

-	_, err = globalFile.WriteString(fmt.Sprintf(`
+	require.NoError(t, os.WriteFile(globalFile.Name(), []byte(fmt.Sprintf(`
 agent_options:
 ...
-	))
-	require.NoError(t, err)
+	)), 0o644))

Apply the same change for the third write at line 353.

🤖 Prompt for AI Agents

In
`@cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_deprecated_test.go`
around lines 296 - 329, The test currently uses globalFile.WriteString(...) to
append YAML blocks (the calls using globalFile.WriteString with dirPath,
digiCertServer.URL and scepServer.URL) which leaves the file handle in append
mode and concatenates documents; replace these append-style writes with a full
overwrite using os.WriteFile(globalFile.Name(), []byte(yamlContent), 0o600) (or
appropriate perm) so the file is truncated and contains only the intended YAML;
do this for both occurrences where globalFile.WriteString is used in this test
(the two multi-line YAML writes) and ensure you check and require.NoError on the
os.WriteFile call.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Typo in comment: "existance" → "existence" (line 715).

🤖 Prompt for AI Agents

In
`@cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_deprecated_test.go`
at line 715, Replace the typo in the inline comment "Check script existance"
with the correct spelling "Check script existence" in the
gitops_enterprise_integration_deprecated_test.go test file (search for the exact
comment string to locate it).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Truncated doc-comments on several test functions.

Lines 1599, 1717, 2093, and 2250 have // comments that end abruptly mid-sentence (e.g., "tests that display names for software packages and VPP apps"). These appear to be copy-paste artifacts with incomplete trailing text. Either complete or remove them.

Also applies to: 1717-1718, 2093-2094, 2250-2251

🤖 Prompt for AI Agents

In
`@cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_deprecated_test.go`
around lines 1599 - 1600, Update the truncated single-line doc comment above
TestGitOpsSoftwareDisplayName so it is either a complete descriptive sentence or
remove it; do the same for the three other nearby test-function comments that
were cut off (they currently end mid-sentence). Locate the comment tokens
starting with "//" immediately above the test function declarations (e.g.,
TestGitOpsSoftwareDisplayName) and replace each truncated comment with a full,
concise description of what the test verifies or delete the comment entirely to
avoid incomplete/copy-paste artifacts.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

rg -n 'software_title_icons' --type=go -C 3 -g '!*_test.go'

Repository: fleetdm/fleet

Length of output: 11379

---

🏁 Script executed:

sed -n '1850,1920p' cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_deprecated_test.go

Repository: fleetdm/fleet

Length of output: 3133

---

Use team.ID instead of 0 when querying icons for team-scoped titles.

At line 1892, the query filters team_id = 0 for teamTitleIDs, but these titles were created for a specific team (retrieved at line 1859 with team.ID). The software_title_icons table stores team-scoped icons with the actual team.ID, not 0. Using team_id = 0 will return no results or incorrect icons. Change the query to use team.ID instead:

Diff

- stmt, args, err := sqlx.In("SELECT filename FROM software_title_icons WHERE team_id = ? AND software_title_id IN (?)", 0, teamTitleIDs)
+ stmt, args, err := sqlx.In("SELECT filename FROM software_title_icons WHERE team_id = ? AND software_title_id IN (?)", team.ID, teamTitleIDs)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	mysql.ExecAdhocSQL(t, s.DS, func(q sqlx.ExtContext) error {
	stmt, args, err := sqlx.In("SELECT filename FROM software_title_icons WHERE team_id = ? AND software_title_id IN (?)", 0, teamTitleIDs)
	if err != nil {
	return err
	}
	return sqlx.SelectContext(ctx, q, &teamIconFilenames, stmt, args...)
	})
	mysql.ExecAdhocSQL(t, s.DS, func(q sqlx.ExtContext) error {
	stmt, args, err := sqlx.In("SELECT filename FROM software_title_icons WHERE team_id = ? AND software_title_id IN (?)", team.ID, teamTitleIDs)
	if err != nil {
	return err
	}
	return sqlx.SelectContext(ctx, q, &teamIconFilenames, stmt, args...)
	})

🤖 Prompt for AI Agents

In
`@cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_deprecated_test.go`
around lines 1892 - 1898, The SQL query that fetches icon filenames uses a
hardcoded team_id = 0 which is wrong for titles created for a specific team;
update the query invocation inside the anonymous function (the call using
sqlx.In with "SELECT filename FROM software_title_icons WHERE team_id = ? AND
software_title_id IN (?)", 0, teamTitleIDs) to pass team.ID instead of 0 so it
filters by the actual team (use team.ID, keeping teamTitleIDs as before) and
ensure the surrounding call to mysql.ExecAdhocSQL/sqlx.SelectContext remains
unchanged.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Read the gitops_deprecations.go file to see the actual implementation
cat -n pkg/spec/gitops_deprecations.go

Repository: fleetdm/fleet

Length of output: 5769

---

🏁 Script executed:

# Search for test files related to gitops deprecations
find . -type f -name "*gitops*test*.go" -o -name "*test*gitops*.go" | head -20

Repository: fleetdm/fleet

Length of output: 397

---

🏁 Script executed:

# Check if there are any tests exercising the deprecated mappings
rg -l "DeprecatedGitOpsKeyMappings|migrateKeyPath" --type go

Repository: fleetdm/fleet

Length of output: 88

---

🏁 Script executed:

# Look for tests that use the nested deprecation mappings
rg -A 10 -B 5 "apple_business_manager|volume_purchasing_program" pkg/spec/gitops_test.go cmd/fleetctl/fleetctl/gitops_test.go 2>/dev/null | head -100

Repository: fleetdm/fleet

Length of output: 7689

---

🏁 Script executed:

# Check the integration tests for deprecated fields
rg -A 5 "deprecated" cmd/fleetctl/integrationtest/gitops/gitops_enterprise_integration_deprecated_test.go 2>/dev/null | head -80

Repository: fleetdm/fleet

Length of output: 2558

---

🏁 Script executed:

# Search for any test that validates the deprecated key mappings are actually applied
rg "DeprecatedGitOpsKeyMappings|ApplyDeprecatedKeyMappings" --type go

Repository: fleetdm/fleet

Length of output: 672

---

Nested array paths won't migrate due to path format mismatch in parser.

The migrateKeyPathRecursive function detects array iteration by checking oldParts[1] == "[]" (line 71). However, strings.Split("org_settings.mdm.apple_business_manager[].macos_team", ".") produces ["org_settings", "mdm", "apple_business_manager[]", "macos_team"]—the [] remains fused with the key name instead of appearing as a standalone part.

When recursion reaches the level where oldKey = "apple_business_manager[]", the code attempts data["apple_business_manager[]"] (line 75), but the actual map key is "apple_business_manager". The lookup returns nil and returns silently (lines 109–111), meaning the nested ABM and VPP mappings (lines 27–32) never trigger array iteration.

Fix: Either separate the array marker with a dot in the path strings ("org_settings.mdm.apple_business_manager.[].macos_team") or update the parser to strip a trailing [] suffix from key names and treat it as an array marker.

🤖 Prompt for AI Agents

In `@pkg/spec/gitops_deprecations.go` around lines 21 - 33, Deprecated
nested-array mappings in DeprecatedGitOpsKeyMappings fail because
migrateKeyPathRecursive expects array markers as separate parts (oldParts[1] ==
"[]") but key parts like "apple_business_manager[]" keep the "[]" suffix; update
migrateKeyPathRecursive to detect and handle a trailing "[]" on a part: when
splitting path parts, if a part endsWith "[]", strip the "[]" to get baseKey,
use data[baseKey] to access the slice (and iterate over its elements
recursively), and ensure newParts/newKey construction preserves or replaces the
array marker consistently; reference the function migrateKeyPathRecursive,
variables oldParts and oldKey, and the DeprecatedGitOpsKeyMappings entries (e.g.
"org_settings.mdm.apple_business_manager[].macos_team") when making this change.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Stale comment: says "Invalid policies" but tests invalid reports.

The comment on line 776 still says "Invalid policies in a separate file" but the test block (lines 777–784) validates invalid reports in a separate file.

Proposed fix

-				// Invalid policies in a separate file
+				// Invalid reports in a separate file
 				tmpFile, err = os.CreateTemp(t.TempDir(), "*reports.yml")

🤖 Prompt for AI Agents

In `@pkg/spec/gitops_test.go` around lines 776 - 784, Update the stale test
comment to accurately describe the test: change the comment text that currently
reads "Invalid policies in a separate file" to something like "Invalid reports
in a separate file" so it matches the test block that writes "[2]" to a temp
file and asserts an error from gitOpsFromString; locate the comment above the
tmpFile creation in the test that uses getConfig, gitOpsFromString, and
assert.ErrorContains and adjust the wording accordingly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Missing conflict check when both deprecated and new query parameter names are provided.

The PR objectives state that if both the deprecated and the new name are provided, an error should be returned. For JSON bodies this is handled by JSONKeyRewriteReader / AliasConflictError, but for query parameters only the deprecated name is used while the new name is silently ignored.

If a client sends ?old_name=foo&new_name=bar, the old value wins without any error. This is inconsistent with the JSON-body behavior and could mask client mistakes.

Suggested fix

 		if queryVal != "" {
 			if renameTo, hasRenameTo := fp.Sf.Tag.Lookup("renameto"); hasRenameTo {
+				renameParsed, _, _ := ParseTag(renameTo)
+				if newVal := r.URL.Query().Get(renameParsed); newVal != "" {
+					return &platform_http.BadRequestError{
+						Message: fmt.Sprintf("Specify only one of %q or %q", queryTagValue, renameParsed),
+					}
+				}
 				// Log deprecation warning - the old name was used.
 				logging.WithLevel(ctx, level.Warn)

🤖 Prompt for AI Agents

In `@server/platform/endpointer/endpoint_utils.go` around lines 310 - 331, The
current query-parameter handling in the block around queryVal/queryTagValue and
fp.Sf.Tag.Lookup("renameto") ignores the new name when both deprecated and new
query params are present; update the logic to detect when both the deprecated
name (queryTagValue) and the parsed renameto name (use ParseTag(renameTo) to get
the actual newName) are present in r.URL.Query(), and if so return the same
AliasConflictError used by JSONKeyRewriteReader (construct and return
AliasConflictError with both names); otherwise preserve existing behavior (warn
when only old present, use new when only new present). Ensure you reference
queryVal, queryTagValue, fp.Sf.Tag.Lookup("renameto"), ParseTag(renameTo), and
r.URL.Query().Get(newName) when implementing the check.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Restore AI feature flag after the test to avoid state leakage.
This test mutates global config and currently leaves AI features disabled for subsequent tests. Capture the original value and restore it in t.Cleanup.

🔧 Suggested fix (restore original config)

 func (s *integrationTestSuite) TestAutofillPolicies() {
 	t := s.T()
 
 	// Ensure AI features are enabled (may have been disabled by a previous test).
+	origCfg := s.getConfig()
+	origAIDisabled := origCfg.ServerSettings.AIFeaturesDisabled
+	t.Cleanup(func() {
+		s.Do("PATCH", "/api/latest/fleet/config", map[string]map[string]bool{
+			"server_settings": {"ai_features_disabled": origAIDisabled},
+		}, http.StatusOK)
+	})
 	s.Do("PATCH", "/api/latest/fleet/config", json.RawMessage(`{
 		"server_settings": {"ai_features_disabled": false}
 	}`), http.StatusOK)

🤖 Prompt for AI Agents

In `@server/service/integration_core_test.go` around lines 14122 - 14126, The test
mutates the global AI feature flag via s.Do("PATCH", "/api/latest/fleet/config",
...) and leaves it disabled for later tests; capture the original
server_settings.ai_features_disabled value before patching, and register a
t.Cleanup that restores it by issuing a PATCH (using the same s.Do helper and
json.RawMessage payload) to set ai_features_disabled back to the original
boolean; use t.Cleanup to ensure restoration even if the test fails.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

fd -name "json_key_duplicator.go" -type f

Repository: fleetdm/fleet

Length of output: 287

---

🏁 Script executed:

rg -n "DuplicateJSONKeys" --type=go -B2 -A15

Repository: fleetdm/fleet

Length of output: 17807

---

🏁 Script executed:

rg -n "WithIndent" --type=go -B2 -A2

Repository: fleetdm/fleet

Length of output: 2606

---

DuplicateJSONKeys hardcodes indentation, creating inconsistent JSON formatting in stored activity details.

json.Marshal on line 51 produces compact JSON, but DuplicateJSONKeys uses jsontext.NewEncoder with jsontext.WithIndent(" ") (line 36 of json_key_duplicator.go). Activities with alias rules are re-encoded to pretty-printed JSON, while activities without rules retain compact JSON. This causes:

• Inconsistent formatting of stored activity details across rows
• Increased storage size for rows with alias rules due to added whitespace
• Potential issues with downstream tools performing string comparison on details

Consider making the indentation configurable or using compact output to maintain consistent storage format.

🤖 Prompt for AI Agents

In `@server/service/modules/activities/activities.go` around lines 55 - 59,
DuplicateJSONKeys currently re-encodes JSON with pretty indentation causing
inconsistent formatting; change DuplicateJSONKeys (json_key_duplicator.go) to
produce compact JSON by removing jsontext.WithIndent("  ") or by adding a
parameter/option (e.g., compact bool or indent string) so callers can request
compact output, then update the caller in activities.go where DuplicateJSONKeys
is invoked (after endpointer.ExtractAliasRules) to call it with the compact
option (or rely on the default compact behavior). Ensure the function still
applies alias rules and returns bytes in compact form to keep stored activity
details consistent with json.Marshal output.

[codecov]

Codecov Report

❌ Patch coverage is 71.72897% with 121 lines in your changes missing coverage. Please review.
✅ Project coverage is 62.34%. Comparing base (2e08e88) to head (e34e84f).

Files with missing lines	Patch %	Lines
pkg/spec/gitops_deprecations.go	55.55%	19 Missing and 5 partials ⚠️
server/platform/endpointer/endpoint_utils.go	79.82%	18 Missing and 5 partials ⚠️
server/platform/endpointer/json_key_duplicator.go	73.41%	11 Missing and 10 partials ⚠️
server/platform/endpointer/json_key_rewriter.go	80.00%	11 Missing and 10 partials ⚠️
pkg/spec/gitops.go	69.23%	9 Missing and 3 partials ⚠️
pkg/spec/spec.go	46.15%	5 Missing and 2 partials ⚠️
server/service/appconfig.go	28.57%	4 Missing and 1 partial ⚠️
server/service/client.go	0.00%	3 Missing ⚠️
server/webhooks/failing_policies.go	50.00%	1 Missing and 2 partials ⚠️
server/service/modules/activities/activities.go	0.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@                         Coverage Diff                          @@
##           sgress454/39344-rename-tags-only   #39873      +/-   ##
====================================================================
- Coverage                             64.60%   62.34%   -2.26%     
====================================================================
  Files                                  2438     2408      -30     
  Lines                                195399   188405    -6994     
  Branches                               8604     8604              
====================================================================
- Hits                                 126230   117458    -8772     
- Misses                                57569    60255    +2686     
+ Partials                              11600    10692     -908     

Flag	Coverage Δ
backend	63.57% <71.72%> (-2.57%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.