FEAT: Admin UI refresh across every page — consistent card layout for edit forms, sticky table headers while scrolling, modernised login and start page, updated menu bar and bulk-action confirmations
FEAT: Creating a new account now starts with a plugin picker; the full form opens pre-filled with the plugin's defaults
FEAT: Host list search matches hostnames and any label value in one query. New bulk actions let you edit labels across many hosts at once or copy a host as new; copy and history icons sit on each row (visible in CMDB mode)
FEAT: Host detail view shows labels, inventory and CMDB values in a compact grid with type and source badges, and logs in a compact scrollable list
FEAT: Per-host label timeline records every change to a host's labels with the old and new value, where the change came from, who made it and when. Each host has a direct link to its timeline, grouped by day
FEAT: Debug page leads with Outcomes and the filtered label set. Each rule group shows how many rules matched, and rule names link straight to their edit page. Supports Checkmk, Netbox, Ansible, i-doit and VMware hosts
FEAT: CMDB host edit form splits manual labels from template labels, with the manual-labels editor as a compact two-column grid that sorts alphabetically
FEAT: Label and Inventory filters match boolean and numeric values and accept regex in the value part; long label values are truncated with ellipsis and the full value appears on hover
FEAT: License Information page surfaces soft warnings — "expiring soon" inside 30 days, "expired" past expiry, and an "over limit" badge when the host count exceeds the licensed cap. No feature is ever disabled by these signals; they are informational only
Community Edition additions
FIX: Checkmk version probe — when an account address is malformed or unreachable the syncer now raises a clear CmkException pointing at the bad address, instead of crashing with KeyError: 'versions' deep in CMK2.__init__. Both 2.4 (2.4.0pXX.<edition>) and 2.5 (2.5.0.<edition>) version strings are accepted unchanged
FEAT: Checkmk rule export now applies the configured Folder Index ordering — checkmk export_rules reorders the syncer-owned rules in each Checkmk ruleset to match the RuleMngmtOutcome.folder_index (and the rule's sort_field). Reordering uses after_specific_rule move chains anchored to the syncer's own rules; user-created rules in the same ruleset are never moved by command. Idempotent re-runs detect the existing rules by (comment, condition, value) so nothing is recreated when nothing changed
FEAT: Notifications — a new Settings → Notifications area with Channels and Rules. Ships with email delivery out of the box; the Enterprise Notifications feature adds Slack, MS Teams and webhook channels on top
FEAT: Cron groups can be triggered from the outside via a webhook with a per-group token that can be regenerated from a bulk action
FEAT: Cron groups are more resilient: a new option continues the remaining tasks when one task fails, crashed runs release their lock automatically, and each group tracks its last successful run for external monitoring
FEAT: Cron groups can be flagged "managed" — features that auto-create their own scheduled work (e.g. Scheduled Backups) own the group, which can be paused or edited but not deleted from the cron list
Enterprise (license-gated) features
FEAT: Four-eyes approval workflow — changes to critical resources queue up until a second admin approves, with a side-by-side diff and secrets redacted in the display. Self-approval needs an explicit, optionally expiring grant and is logged as a separate audit event. Submits, approvals and rejections are recorded in the audit log and routed to Notifications
FEAT: Scheduled backups — encrypted, rotated database backups to any S3-compatible target (AWS, GCS, Azure Blob, MinIO, B2, Wasabi, DO Spaces). Each backup config auto-manages its own protected CronGroup Backup: <name> so operators don't have to wire one up by hand; a CLI command restores from a backup
FEAT: Prometheus metrics — a /metrics endpoint for Prometheus, Grafana, Datadog and compatible scrapers. Covers license info, per-cron-group run state and host totals. Optional bearer-token authentication
FEAT: Signed webhook triggers — protects the cron-trigger webhook with a signed request, a replay window and per-group IP allowlists. Enforced only for groups that have a policy attached, so it can be rolled out group by group
FEAT: Notifications routing — alerts go to Slack, MS Teams, email and signed HTTPS webhooks. Rules select which channels fire for which events, templates format the message, and per-rule cooldowns and hourly caps prevent flooding. Covers cron failures and recoveries, webhook rejections, login events and audited-model changes
FEAT: Audit → SIEM streaming (requires Audit Log) — streams every audit entry to Splunk HEC, syslog over TCP/TLS or a generic webhook. Asynchronous, so a SIEM outage never blocks audit writes
FEAT: Native OIDC login — log in directly against Azure AD, Okta, Keycloak, Google Workspace, Auth0 or any OIDC-compliant identity provider. Group claims map to syncer roles, with an optional required-group gate
FEAT: Audit log — append-only compliance trail with field-level before/after diffs for accounts, users, cron groups, rules, custom attribute rules, config, secret stores and account bindings, plus login/logout and webhook events. Sensitive fields are redacted. CSV and JSON export, and a Prune-older-than-365-days bulk action
FEAT: JSON log stream — one-line structured logs in Elastic Common Schema on stdout, ready for Loki, Elastic, CloudWatch, Datadog, Splunk and similar collectors with no extra parsing
FEAT: Secrets manager — account passwords resolve from KeePass, LastPass, HashiCorp Vault, AWS Secrets Manager or an environment variable, transparent to every plugin; master passwords come from environment variables
FIX: Audit log entries record the actor again for changes that happen via MongoEngine signals — saves from admin views, the CLI and migrations now stamp the originating user / IP / trace headers instead of falling back to system