v0.2.55

its v0.2.55

Platforms: Windows (x64)

Quick install

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• its rmm updates approve / defer — per-KB Windows-Update approval, the
  missing half of the patch workflow. TRMM installs only updates with
  action="approve", so an unapproved box was a silent no-op install. Target a
  single --kb KB5034441 (matched by digits, so 5034441 works too) or
  --all-pending (needs --confirm; previews otherwise). Verified against live
  TRMM. updates install now pre-checks for approved updates and points you at
  approve instead of no-opping; updates list shows the per-KB action
  column.
• its rmm updates install / scan fleet fan-out — --all-online /
  --client / --site / --policy (online agents, preview-then---confirm,
  batched), mirroring scripts run.
• its rmm updates report now splits pending into separate critical /
  important columns and sorts most-critical first.
• --ai-flat — AI mode without the columnar envelope (plain row objects),
  for consumers that don't decode {_fmt:"cols"}. The columnar decoder
  (expandColumnar) is now exported, and the envelope carries a _v format
  version. The columnar format is documented in docs/cli.md.
• its rmm checks edit can now retune script-check --timeout / --args.
• its dokploy env push/set/unset/copy gained --dry-run — a value-safe
  preview (key names + action, never values) that writes nothing.

Fixed

• its dokploy environments push — added the empty-file wipe guard
  (--force required to push 0 vars) that the app-level env push already had.
• Removed stale eventlog check-type mentions from help/docs and the bogus
  updates install --reboot example (the flag never existed; reboot-after-install
  is a patch-policy setting).

Security

• --dry-run no longer leaks secrets — the request-body preview now masks
  secret values embedded in KEY=value string fields (e.g. a dokploy env body),
  which the field-name redactor couldn't see. Honours --unsafe.

v0.2.54

its v0.2.54

Platforms: Windows (x64)

Quick install

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• --ai lossless columnar compaction — uniform object arrays (Graph
  entity lists, RMM agents, Wrike tickets, etc.) are emitted as
  {_fmt:"cols",consts,fields,rows}: field names stated once, columns with a
  single value across all rows factored into consts. Lossless and still
  valid JSON; 16–70% smaller on real payloads. --ai | --stdin pipelines are
  unaffected — the envelope is rehydrated transparently.
• its rmm checks + fleet — typed policies add-check, checks
  create/edit/results plus a fleet failing-sweep, fleet patch-report, and
  checks run-now. Agents list gained boot_time + humanised uptime and a
  --rebooted-since filter.
• its unifi clients list --json now exposes sw_mac / sw_port.

Changed

• its dokploy env handling hardened against secret-clobber, with secure
  copy/reveal (#20).

Fixed

• --ai truncation bug — the old char-based maxChars cut JSON mid-token
  (producing invalid JSON) and silently dropped rows past the cut. It now
  drops whole rows and records the count in _truncated.
• its rmm checks run — corrected endpoint, dropped the broken eventlog
  type (live-verified).
• its bw — redact TOTP seed in output, honour --copy in the totp
  table.

v0.2.53

its v0.2.53

Platforms: Windows (x64) · Linux (x64)

Quick install

Linux (drops its into ~/.local/bin):

curl -fsSL https://github.com/sling86/its-releases/releases/latest/download/install.sh | bash

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• New provider m365health (m365) — Microsoft 365 service health, reusing
  the shared Graph app-only creds: m365 health overview (per-service status),
  m365 health issues [--service] [--active] (incidents/advisories), and
  m365 messages list [--days N] (message-centre posts). Needs
  ServiceHealth.Read.All + ServiceMessage.Read.All.
• its rmm agents now surfaces boot_time + a humanised uptime column,
  plus a --rebooted-since <ISO|7d|24h|30m> filter.
• its dokploy apps env-drift [--project] [--drift-only] — fleet sweep
  comparing each app's saved env record against its live runtime env (the
  generalised Swarm env-freeze detector).
• its exo rules audit and rules get <name> — dump transport-rule
  conditions/actions and flag mail-exfiltration verbs (RedirectMessageTo,
  BlindCopyTo, AddToRecipients, CopyTo).
• its intune compliance why <device> — per-device failing-compliance-setting
  drilldown.
• its unifi portforwards list (alias port-forwards/ports) — WAN
  port-forward rules with the source ("any" = open to the internet) column.
• its az advisor list [--category] — Azure Advisor cost/security/reliability/
  performance recommendations.
• its bw items create/update custom fields — --field name=value (text),
  --field-hidden name=value (hidden), and --field-remove name (update only);
  comma-separated for multiple. update upserts by name and preserves everything
  omitted.

Fixed

• Help-UI mutation gate. POST /api/result had no read-only enforcement — the
  WebSocket-bridge hardening had missed its in-process twin, so a mutation could
  run via the REST path. Now fail-closed (403) like the bridge.
• its dokploy env push empty-wipe guard. Refuses to push an empty/all-comment
  file (which wholesale-replaced an app's env with nothing — unrecoverable) without
  --force.
• Secret redaction now catches camelCase keys. accessToken, refreshToken,
  sharedSecret, preSharedKey, buildSecrets etc. were slipping through the
  redactor (e.g. via graph get passthroughs); the key pattern now matches at
  word/camelCase boundaries.
• its exo destructive mutations now enforce --confirm (fail-closed) — six
  commands documented it but never checked it.
• its sp recycle-bin list <site> — listRecycleBin was paging the wrong Graph
  collection (OneDrive bundles); now uses the classic SP REST recycle bin, with
  corrected item-type labels.
• its m365 health classifies service status case-insensitively (the Graph wire
  format casing is inconsistent).

Changed

• Dokploy shellQuote (an SSH-injection guard) is now single-sourced from ssh.ts
  rather than duplicated across three files.

v0.2.52

its v0.2.52

Platforms: Windows (x64) · Linux (x64)

Quick install

Linux (drops its into ~/.local/bin):

curl -fsSL https://github.com/sling86/its-releases/releases/latest/download/install.sh | bash

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• its dokploy apps env-runtime <app> [--show-values] [--diff] — read the env
  vars actually present in the running container (via docker exec printenv),
  the ground truth versus the saved record. --diff flags vars saved in the
  record but missing from the container (the un-applied / Swarm-freeze case) and
  runtime-only vars. Values redacted by default.
• its dokploy apps apply-env <app> — make a saved env change actually reach
  the container. On Docker Swarm a plain redeploy does not converge
  env-only changes; this stops the app (removes the swarm service), redeploys so
  Dokploy recreates it from the current env, then verifies every saved var is
  live. Brief outage.
• its dokploy env set <app> … --deploy and its dokploy env unset <app> <KEY…> [--deploy] — --deploy saves then recreates the swarm service and
  verifies the change landed. A plain set/unset now warns that the change is
  record-only until applied.

Fixed

• its dokploy env set no longer silently fails to reach Swarm containers.
  Root cause was a Dokploy 0.29.x Docker Swarm convergence bug: saveEnvironment
  persisted correctly but an in-place service.update rolled back to the
  creation-time spec, so vars added after creation never reached the container
  (Dokploy issues #4232 / #2150). The new --deploy / apply-env recreate path
  is the reliable apply route, and env-runtime --diff makes the drift visible.

Security

• Env writes now reject redaction-masked values. saveEnvironment and the
  shared-env writer refuse any value of *** (the display mask), preventing the
  footgun where pasting redacted env/environments env output back into a
  push/set overwrites real secrets.

v0.2.51

its v0.2.51

Platforms: Windows (x64) · Linux (x64)

Quick install

Linux (drops its into ~/.local/bin):

curl -fsSL https://github.com/sling86/its-releases/releases/latest/download/install.sh | bash

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• its rmm clients create --name <n> [--site <s>] — create a client (TRMM
  creates its first site in the same call; --site names it, default
  Default). Idempotent.
• its rmm clients delete <id|name> --confirm [--move-to-site <id>] — delete
  a client; if it still has agents, --move-to-site reassigns them first (TRMM
  refuses otherwise, now surfaced with a clear message).
• its rmm sites list now shows a per-site agents (agent_count) column,
  sourced from /clients/ (the flat sites route omits it).

Fixed

• its rmm agents list now populates the client and site columns
  (and makes --client/--site filters work) — the list endpoint returns these
  as site_name/client_name, which were not mapped, so the columns were blank.
• its rmm sites delete now returns a clear message for the two expected
  400s — "a client must keep ≥1 site" and "site still has agents" — instead of
  the raw API error.

v0.2.50

its v0.2.50

Platforms: Windows (x64) · Linux (x64)

Quick install

Linux (drops its into ~/.local/bin):

curl -fsSL https://github.com/sling86/its-releases/releases/latest/download/install.sh | bash

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• its entra groups audit-rules [group_id] — scan dynamic groups'
  membershipRules for dead user exceptions: hardcoded
  userPrincipalName/objectId/mail -eq clauses whose account no longer
  exists (missing) or is disabled (disabled — a leaver still pinned). No
  arg scans every dynamic group (one paged Graph query); pass a group ID to
  scan one. --all also lists refs that resolve OK. Output is sorted dead-first
  and suggests the edit-rule --remove-upn fix. Read-only.

v0.2.49

its v0.2.49

Platforms: Windows (x64) · Linux (x64)

Quick install

Linux (drops its into ~/.local/bin):

curl -fsSL https://github.com/sling86/its-releases/releases/latest/download/install.sh | bash

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• its entra groups edit-rule <id> — edit a dynamic group's
  membershipRule (closes the ctxc 1052 gap; previously needed a raw
  graph patch). --add-upn appends an or (user.userPrincipalName -eq …)
  exception (grants a user who doesn't match the rule — OR clauses only ADD, so
  existing members are never dropped); --remove-upn strips one; --set-rule
  replaces the whole rule. --confirm required; without it, prints a
  current→new diff. Guards: refuses non-dynamic groups, no-ops when the UPN is
  already present, and (on --add-upn) refuses a UPN that doesn't resolve
  unless --force. Note: Graph membershipRule writes are eventually consistent
  — an immediate re-read may show the old rule for a few seconds.

v0.2.48

its v0.2.48

Platforms: Windows (x64) · Linux (x64)

Quick install

Linux (drops its into ~/.local/bin):

curl -fsSL https://github.com/sling86/its-releases/releases/latest/download/install.sh | bash

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• its rmm policies patch-policy <id> — edit a policy's Windows Update
  schedule + per-severity approvals (the WinUpdatePolicy). Flags:
  --run-time-hour 0-23, --frequency daily|monthly|inherit, --days mon,wed,fri (weekly), --day-of-month 1-31 (monthly), --reboot never|required|always|inherit, and per-severity
  --critical|--important|--moderate|--low|--other approve|manual|ignore|inherit.
  Partial update — only the flags you pass change. --confirm required (affects
  every agent under the policy); without it, prints a current→new diff.
  • Correct route is PUT /automation/patchpolicy/<winupdatepolicy_pk>/
    (the WinUpdatePolicy id, inlined on the policy LIST). The previously assumed
    PUT /winupdate/<pk>/ is a different route (per-KB update records) and 404s.
    Falls back to POST /automation/patchpolicy/ when the policy has no
    WinUpdatePolicy yet.

v0.2.47

its v0.2.47

Platforms: Windows (x64) · Linux (x64)

Quick install

Linux (drops its into ~/.local/bin):

curl -fsSL https://github.com/sling86/its-releases/releases/latest/download/install.sh | bash

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• its sp files share — create a sharing link (Graph createLink) for a
  file/folder and return its URL. --type view|edit, --scope organisation|anonymous (anonymous may be tenant-blocked).
• its rmm scripts run --raw — emit the script's real stdout verbatim
  (status line on stderr) so output can be piped/parsed without unescaping a
  JSON-wrapped string; exits with the script's return code.

Fixed

• its rmm tasks create — was broken (missing the required name) and
  incomplete. Now builds the full task in a single TRMM POST with an actions[]
  payload and supports manual / --daily-time HH:MM / --weekdays mon,wed,fri
  (bitmask) schedules, plus --script, --name, --args, --timeout,
  --run-asap. Resolves agents by id / hostname / username, incl. offline.
• its rmm checks list <agent> — now reads the per-agent
  /agents/<id>/checks/ route which carries each check's live result
  (status / last-run / more-info); the previous /checks/?agent_id= route only
  returned policy-inherited definitions with empty results (ctxc 1048).

v0.2.46

its v0.2.46

Platforms: Windows (x64) · Linux (x64)

Quick install

Linux (drops its into ~/.local/bin):

curl -fsSL https://github.com/sling86/its-releases/releases/latest/download/install.sh | bash

Windows (drops its.exe into %LOCALAPPDATA%\Programs\its and adds it to the user PATH):

irm https://github.com/sling86/its-releases/releases/latest/download/install.ps1 | iex

Or download ItsSetup.exe for the Inno Setup installer.

Full asset list below. docs/ · CHANGELOG.md · LICENSE — all auto-synced into this repo on every release.

Changes

Added

• its dokploy environments — manage a project's environment-level shared
  env vars (the ${{project.VAR}} model), alongside the existing app-level
  its dokploy env:
  • its dokploy environments <projectId> — list environments (id, name,
    default, shared-var count).
  • its dokploy environments env <environmentId> — show shared vars; keys
    visible, values redacted unless --show-values.
  • its dokploy environments push|pull <environmentId> -f <file> — upload /
    download the shared env file.
  • its dokploy environments set <environmentId> KEY=value … — set single vars.