CSUD: add migration to track update profiles

[MagnusHJensen]

Related issue: Resolves #45281

Checklist for submitter

If some of the following don't apply, delete the relevant line.

• Changes file added for user-visible changes in changes/, orbit/changes/ or ee/fleetd-chrome/changes.
  See Changes files for more information. Will be added in the backend work PR

• Input data is properly validated, SELECT * is avoided, SQL injection is prevented (using placeholders for values in statements), JS inline code is prevented especially for url redirects, and untrusted data interpolated into shell scripts/commands is validated against shell metacharacters.

• Timeouts are implemented and retries are limited to avoid infinite loops

• If paths of existing endpoints are modified without backwards compatibility, checked the frontend/CLI for any necessary changes

Testing

• Added/updated automated tests
• QA'd all new/changed functionality manually

Database migrations

• Checked schema for all modified table for columns that will auto-update timestamps during migration.
• Confirmed that updating the timestamps is acceptable, and will not cause unwanted side effects.
• Ensured the correct collation is explicitly set for character columns (COLLATE utf8mb4_unicode_ci).

Summary by CodeRabbit

• Chores

  • Added backend tracking to consolidate Apple and Windows software update settings into a single, consistent store with uniqueness and cascade-delete safeguards.
  • Backfilled existing qualifying Apple and Windows update configurations into the new tracking store.

• Tests

  • Added tests validating correct population, constraint enforcement, and cascade-delete behavior.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[Copilot]

Pull request overview

Adds a new MySQL migration that creates the mdm_configuration_profile_update_settings table to track which Windows configuration profiles and Apple declarations enforce software update settings, and backfills rows for existing user-uploaded profiles/declarations that contain update settings.

Changes:

• New migration 20260529091823_AddUpdateProfileSettingsTrackingTable.go creating the tracking table with FK cascades and an "exactly one of windows/apple" CHECK constraint.
• Backfill logic that scans existing Apple declarations (looking for com.apple.configuration.softwareupdate.enforcement.specific) and Windows profiles (looking for syncml.FleetOSUpdateTargetLocURI) and inserts rows.
• Migration test verifying inclusion/exclusion of matching rows, the exactly-one CHECK constraint, and FK cascade deletes; corresponding schema.sql update.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable.go	New migration creating the table and backfilling rows
server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable_test.go	Tests for table creation, backfill, CHECK constraint, and FK cascades
server/datastore/mysql/schema.sql	Reflects the new table and bumps migration AUTO_INCREMENT/INSERT list

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1b593573-104b-41f9-aade-75b02fb93d3d

📥 Commits

Reviewing files that changed from the base of the PR and between eeea650 and 41d8e17.

📒 Files selected for processing (2)

• server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable.go
• server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable.go
• server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable_test.go

---

Walkthrough

This PR adds a migration that creates the mdm_configuration_profile_update_settings table (id, created_at, nullable apple_declaration_uuid/windows_profile_uuid), enforces exactly one UUID per row, registers the migration, backfills qualifying Apple declarations and Windows profiles by scanning raw_json and syncml content, updates migration_status_tables, and adds tests verifying population, the mutual-exclusion CHECK, and ON DELETE CASCADE behavior.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the primary change: adding a database migration to track update profiles, which matches the changeset content.
Description check	✅ Passed	The description includes the related issue reference and covers the main checklist items pertaining to database migrations, testing, and data validation, though some sections are not applicable.
Linked Issues check	✅ Passed	The migration implements all requirements from issue #45281: creates the mdm_configuration_profile_update_settings table with correct schema, foreign keys, CHECK constraint, backfills for both Windows profiles and Apple declarations, and includes comprehensive tests.
Out of Scope Changes check	✅ Passed	All changes are directly related to the migration requirement: adding the table, implementing backfill logic for Windows profiles and Apple declarations, and adding comprehensive tests. No unrelated code changes detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 45281-migration-tracking-update-settings-profiles

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable_test.go`:
- Around line 18-28: The fixtures currently insert rows into
mdm_apple_declarations and mdm_windows_configuration_profiles without setting
uploaded_at, which conflicts with the user-uploaded-only backfill contract;
update the INSERT statements that reference decl1UUID/decl2UUID and
profile1UUID/profile2UUID to include the uploaded_at column and set a non-null
timestamp for the rows you intend to mark as "user-uploaded" and explicitly set
uploaded_at = NULL for rows that should not be considered user-uploaded so the
migration only backfills the intended records.

In
`@server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable.go`:
- Line 40: The backfill query is selecting all rows from mdm_apple_declarations
(and the analogous windows_profiles query) instead of only user-uploaded
records; update the SQL in the tx.Query calls that reference
mdm_apple_declarations and windows_profiles to include filtering for uploaded_at
IS NOT NULL (e.g., add a WHERE uploaded_at IS NOT NULL clause) so only
user-uploaded rows are iterated and tracked during the backfill.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7e28adf8-2abf-4055-bf5c-6dc17ddc08f3

📥 Commits

Reviewing files that changed from the base of the PR and between 02b6d08 and 0eb04ec.

📒 Files selected for processing (3)

• server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable.go
• server/datastore/mysql/migrations/tables/20260529091823_AddUpdateProfileSettingsTrackingTable_test.go
• server/datastore/mysql/schema.sql

[codecov]

Codecov Report

❌ Patch coverage is 65.95745% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.92%. Comparing base (b42a154) to head (41d8e17).
⚠️ Report is 8 commits behind head on main.

Files with missing lines	Patch %	Lines
...529091823_AddUpdateProfileSettingsTrackingTable.go	65.95%	9 Missing and 7 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #46433      +/-   ##
==========================================
+ Coverage   66.90%   66.92%   +0.02%     
==========================================
  Files        2797     2799       +2     
  Lines      223494   223547      +53     
  Branches    11297    11297              
==========================================
+ Hits       149519   149610      +91     
+ Misses      60432    60380      -52     
- Partials    13543    13557      +14     

Flag	Coverage Δ
backend	68.69% <65.95%> (+0.02%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.