New permission system

The release has three big stories — a new core permission system with optional client-cert principals on NRPE, a PDH overhaul that fixes long-standing counter-collection crashes and adds counter functions, and a WEB hardening option that lets monitoring-only deployments expose the WEB UI without seeding a privileged admin account. Everything else is bug fixes, small features, and follow-ups around those three threads.

Highlights

• Core permission system — opt-in policy layer that gates which caller can run which command. Configured under /settings/permissions. Disabled by default; existing installs keep working. See https://nsclient.org/docs/concepts/permissions/ for the model, identity table, and rollout recipe.
• NRPE client identity from cert CN — when client identity source = cn is set on NRPEServer and the listener verifies the client cert, the CN is stamped as the policy principal so rules can be written per-cert ( NRPEServer:icinga-master = ...). Hard guardrail at module start refuses to load the module if the TLS verify mode would let the CN be attacker-supplied.
• Global allow exec toggle — exec is now gated by a single on/off switch under /settings/permissions. The per-command rule table applies to queries only. Default true so enabling the policy system does not break exec callers.
• PDH (performance counter) overhaul — fixes for service crashes when PDH misbehaves (#592, #547), counter retry when temporarily unavailable (#634), reliable English counter lookup (#652, #906), a resource leak in the counter-lookup path, and a refactor to smart-buffer-based PDH enumeration. Most users running CheckSystem on Windows should see meaningfully better reliability.
• check_pdh counter scaling and functions (#281) — details-syntax and related rendering paths can now apply scaling and other functions, e.g. '${counter}'=${value:scale(/1024)}MB.
• check_network — human-readable strings, scaling, speed, and percentages (#329); team-network statistics (#625). See https://nsclient.org/docs/reference/check/CheckNet.
• Nagios range syntax in performance data (#748) — 1:10, ~:5, @10:20 etc. work in perfdata thresholds, matching the Nagios plugin spec.
• disable admin user on WEBServer — monitoring-only deployments can expose the WEB UI without ever seeding the built-in admin (and previously seeded admin entries are ignored). Pairs naturally with the new permission system to lock down reconfiguration surfaces.
• Path overrides moved to boot.ini + new --path-override CLI flag — path tokens (module-path, certificate-path, etc.) are now declared early in boot.ini so they take effect before the main config is loaded. Per-invocation overrides via --path-override KEY=VALUE. See https://nsclient.org/docs/concepts/settings.
• NRPE startup is no longer fatal on listener failure — bad bind address / port already in use logs a clear error and leaves the module loaded so settings and commands stay usable for diagnostics.
• Dual-stack listening fixed (#312) — v4 and v6 acceptors no longer trample each other's pending connection slot.
• disable admin user, client identity source, allow exec, and the policy table are all documented in https://nsclient.org/docs/concepts/permissions/ and https://nsclient.org/docs/setup/securing. Treat those two as the starting point for any new install.

Detailed changes

Security and permissions

Core permission system A policy layer in the core decides whether a given caller may run a given command. Disabled by default; when enabled, rules form a strict allow-list.

[/settings/permissions]
enabled = true
log denials = true
log allows = false      ; noisy, only flip on while rolling out
allow exec = true       ; queries-only rule table; exec is a global toggle

[/settings/permissions/policies]
NRPEServer = CheckHelpers.*, CheckSystem.check_cpu
WEBServer:admin   = *
WEBServer:viewer  = CheckSystem.check_cpu, CheckSystem.check_drivesize
Scheduler = CheckHelpers.*, CheckSystem.*

Subject is module[:principal]; object is module.command. Wildcards (*, ?) supported. Rules combine additively. See https://nsclient.org/docs/concepts/permissions/ for the full identity model, the CheckHelpers identity-forwarding behaviour, and a step-by-step rollout recipe.

NRPE client cert CN as principal When two-way TLS is configured and verifying client certs against your CA, the Common Name is stamped as the policy principal:

[/settings/NRPE/server]
client identity source = cn        ; default: none
verify mode = peer-cert
ca = /etc/nsclient/ca.pem

[/settings/permissions/policies]
NRPEServer:icinga-master   = CheckHelpers.*, CheckSystem.*
NRPEServer:metrics-shipper = CheckSystem.check_cpu, CheckSystem.check_drivesize

Guardrails: the module refuses to start if client identity source = cn is configured without SSL, without verify_mode containing peer and fail-if-no-peer-cert (or the peer-cert alias), or without a non-empty ca path. The CN is logged at debug level on every accepted handshake for diagnostics. CN-only (not full DN) because INI key syntax uses = as the key/value separator and would corrupt DN-shaped policy keys; see the "Why CN-only" section of the permissions doc. See https://nsclient.org/docs/reference/client/NRPEServer.

Global allow exec toggle Per-command rules apply to queries only. The exec surface (WEB scripts UI, lua/python core:simple_exec(...), CLI exec) is gated by a single boolean:

[/settings/permissions]
allow exec = false   ; hard lockdown; default is true

When false and enabled = true, every exec call returns Permission denied: exec is globally disabled (/settings/permissions/allow exec = false). See "Why exec is a single toggle" in https://nsclient.org/docs/concepts/permissions/.

disable admin user on WEBServer For installations that expose the WEB UI for status/visualisation only and never want a remote-reconfiguration surface:

[/settings/WEB/server]
disable admin user = true

With this set, the built-in admin is not seeded on first boot, and any existing admin entry in the user settings is ignored at load time.

Security guide updates https://nsclient.org/docs/setup/securing was rewritten with concrete configurations for NRPE (with and without mTLS) and the WEB server. Read it before exposing either to a network you don't fully control.

Performance counters / PDH

The PDH subsystem (the Windows performance-counter collection backbone behind CheckSystem, check_cpu, check_pdh, check_network, etc.) got a substantial reliability pass. Most users running NSClient++ as a long-running service on Windows should see fewer crashes and more consistent results.

• Service crashes when PDH misbehaves on a particular machine (#592, #547) — root-caused and fixed. Misbehaving counter registrations no longer take the service down.
• Counter not retried if unavailable (#634) — counters that fail to bind at first sight now get retried on subsequent collection cycles, instead of being permanently unhealthy for the lifetime of the process.
• English counter lookup improved (#652, #906) — addresses reading of localised counters by their canonical English names on non- English Windows installs.
• Resource leak in PDH counter lookup fixed.
• PDH enumeration refactored to smart buffers — clearer memory ownership across the enumeration path, fewer footguns for future changes.
• check_pdh counter scaling and functions (#281) — all the details-syntax / rendering paths can now apply functions. Examples:

  check_pdh "counter=\Processor(_Total)\% Processor Time" \
          "details-syntax=${counter} = ${value:round(2)}%"

  See https://nsclient.org/docs/reference/check/CheckSystem for the function reference.

check_network

• Human-readable strings, scaling, speed, and percentages (#329) — perfdata and message output now render numbers in a way operators actually want to read:

  check_network 'filter=interface=Ethernet' \
              'top-syntax=${list}' \
              'detail-syntax=${interface}: ${total_rx_human}/s in, ${total_tx_human}/s out'

• Team network statistics (#625) — aggregate stats across Windows NIC teams.

See https://nsclient.org/docs/check/CheckNet.

Performance data formatting

• Nagios range syntax in performance data (#748) — the perfdata threshold fields now accept the standard Nagios range syntax: 5:10, ~:5, @10:20, etc. Brings NSClient++ into line with what Nagios consumers already expect.

Settings, paths, and CLI

• Path overrides moved to boot.ini — path tokens (module-path, certificate-path, data-path, log-path, …) now live under [paths] in boot.ini (next to nscp.exe), not in nsclient.ini. Overrides take effect before the main config is loaded — including the bootstrap step that decides where the main config itself lives.

  ; boot.ini
  [paths]
  module-path = D:\monitoring\modules
  certificate-path = D:\monitoring\certs

• --path-override CLI flag — per-invocation override, repeatable. (Renamed from --path to avoid colliding with the nscp settings --path subcommand option.)

  nscp client --path-override module-path=/build/modules --path-override log-path=. ...

• See https://nsclient.org/docs/concepts/settings for the precedence rules and the migration note for installs that had a [/paths] section in nsclient.ini.

Aliases and command registration

• CheckHelpers alias — aliases can now be defined under [/settings/check helpers/alias] and are registered by CheckHelpers directly, without requiring CheckExternalScripts to be loaded. This is the preferred place going forward; the legacy [/settings/external scripts/alias] is still honoured for backward compatibility.
• API to list registered query aliases (#506) — programmatic introspection of the alias table, useful for tooling.
• simple_command / simple_command_map — internal refactor that streamlines how modules register aliases. No user-visible behaviour change, but module authors may want to look at the new pattern.
• Icinga client alias (7c49a3d3) — minor module-specific addition.

NRPEServer

• Listener failure no longer kills the module — a bad bind to address that the resolver can't look up, or a port already in use, used to make the whole module fail to load. Now the failure is logged clearly, the listener stays down, and the module's settings and commands remain accessible for diagnostics and reconfiguration. Fix the config and reload — no service restart needed.
• Dual-stack fixed (#312) — the v4 and v6 acceptors used to share a single pending-connection slot, which caused intermittent Already open errors on v6 once v4 accepted a client. Each family now owns its own slot.
• Insecure mode produces an error-level log line — flipping insecure = true (for legacy check_nrpe interop) now surfaces as an ERROR so it shows up in monitoring dashboards, instead of silently disabling cert-based peer auth.

Plugin lifecycle

• prepare_shutdown hook — modules can opt in to a first-phase shutdown pass before any plugin is unloaded. Used by the Scheduler and similar long-running submitters to finish in-flight work cleanly. Operators see fewer "submission failed during shutdown" lines during service stop.

Settings store

• simpleini buffer NUL-termination fix — fixes a buffer allocation issue in the INI parser that could affect non-UTF-8 data paths.
• cache allowed host is now a real boolean — previously parsed as a string with surprising truthiness; matches what the docs always claimed.

Modules and clean-ups

• WMI module refactor — target handling and settings management cleaned up.
• IcingaClient cleanup — removed unused command-handling code paths.
• CheckLogFile config and descriptions — fixed misleading defaults and improved the help text.
• Web UI improvements — more settings elements exposed under modules, simpler module configuration. Web dependencies refreshed.
• Installer: UninstallString is now correct (#495) — removal via Windows "Apps & Features" works again.
• Rust dependencies bumped.

Upgrade notes

Most installs can upgrade in place — defaults are preserved. Read the specific items below if any of them apply.

Permission system

The new policy layer is disabled by default. Existing installs continue to behave exactly as before until an operator opts in via /settings/permissions/enabled = true.

If you do opt in:

• Per-command rules under /settings/permissions/policies apply to queries only. Any rules you might have written for exec command patterns will be silently ignored for the exec dispatch path — exec is gated by the single global allow exec boolean.
• The default for allow exec is true, so enabling the policy will not silently break the WEB scripts UI, lua/python core:simple_exec(...), or CLI exec. Flip to false only if you want a hard exec lockdown.
• Roll out with log allows = true first so you can inventory what your actual traffic looks like before tightening to a real allow-list. See the step-by-step recipe in https://nsclient.org/docs/concepts/permissions/.

NRPEServer

• The new client identity source setting defaults to none, which matches the previous behaviour (subject is bare NRPEServer). Set to cn only when you want per-cert principals — and only after you've configured verify_mode = peer-cert and a ca path. The module will refuse to start with a clear error if you set cn without those.
• Pin the ca path to your private monitoring CA. The system trust store (Windows root store / Linux distro bundle) accepts certs from every public CA on the planet and would let an attacker with a public cert choose their own CN. See "Pin to a private CA" in the permissions doc.

Path overrides

• If you had a [/paths] section in nsclient.ini from an older NSClient++ install, those overrides moved to [paths] in boot.ini (note: same section name, different file). There is no automatic migration. Copy each key = value to a [paths] section in boot.ini (next to nscp.exe) and delete the old section from nsclient.ini.

WEB server

• The new disable admin user = true setting is opt-in. Existing installs keep their admin and continue to work unchanged. Use this when you want to expose the WEB UI for status-only viewing and have no need to reconfigure the agent through the web.

NRPEServer startup robustness

• A failed listener (bad bind address, port in use) used to make the whole NRPEServer module fail to load. It now logs an ERROR and leaves the module loaded with no active listener — so you can reconfigure via nscp settings --path /settings/NRPE/server --key ... --set ... and reload, without restarting the service. If you had monitoring on "module load failed" specifically, you may want to add "NRPE listener failed" as a separate signal.

insecure = true on NRPEServer

• This option (for legacy check_nrpe interop) now logs at ERROR rather than DEBUG/INFO. Behaviour is unchanged; the message is louder so it shows up in dashboards. If your monitoring filters by severity, you may want to whitelist this specific message on agents that intentionally run in insecure mode.

cache allowed host

• Previously parsed as a string with surprising truthiness; now a real boolean. If you had cache allowed host = yes or = on, switch to true. Numeric 1 / 0 still work.

Nagios range syntax in performance data

• This is additive — existing perfdata that doesn't use range syntax continues to work. Plain numbers still parse as before. Only consumers that previously had to special-case NSClient++'s output may need adjusting, but most Nagios-ecosystem tools handle both forms.

Full Changelog: https://github.com/mickem/nscp/compare/0.12.5...0.12.6

Windows PDH overhaul, expression functions, boot.ini paths

This release lands a long-overdue stabilisation pass on the Windows PDH subsystem (multiple long-standing crashes and counter-availability issues), adds first-class functions in detail-syntax / warn / crit expressions, and moves path-resolver overrides from settings into boot.ini to unblock future moves of config and certificate storage.

Highlights

• Windows PDH subsystem overhaul. Fixes #547 / #592 (service crash when PDH misbehaves on a particular machine),

  634 (counters now retried when initially unavailable instead of staying broken until restart), and #652 / #906 (

  better English-counter fallback on non-English Windows).

• Functions in expressions and templates (#281). format_bytes, convert_bytes, scale, composable with and/ or/not — usable in detail-syntax, top-syntax, warn, crit, and filter. Today exposed by check_pdh; rolling out elsewhere.
• check_network understands NIC teams (#625). New mode=adapter / mode=both reads Win32_PerfRawData_Tcpip_NetworkAdapter, which is the only source that reports the team aggregate.
• Aliases in CheckHelpers. A new alias section under [/settings/check helpers/alias] provides the historical CheckExternalScripts alias mechanism without dragging in the external-scripts machinery. Preferred place for new aliases.
• WEB: disable admin user option. Suppresses the built-in admin user entirely — for monitoring-only exposures where remote reconfiguration must be impossible even if credentials leak.
• Plugin prepare-shutdown hook. Modules get a clean teardown phase before unload — listening sockets and pollers stop accepting work cleanly. Wired up in the network/scheduler modules.
• Path overrides moved from settings to boot.ini. [/paths] in nsclient.ini is no longer consulted; a new [paths] section in boot.ini (and a --path KEY=VALUE CLI flag) take its place. This is a breaking change for the small number of users who relied on [/paths] — see Upgrade notes below.

Detailed changes

Windows PDH — stability overhaul

Long-standing instability in the PDH-based Windows performance-counter subsystem, addressed in one pass:

• #547 / #592 — service crash when PDH misbehaves. Hardened the enumeration and lookup paths against the partial / inconsistent results PDH returns on certain machine states. PDH enumeration buffers were refactored to use smart buffers throughout, removing the manual sizing loops where the bug lived.
• #634 — counters now retried when initially unavailable. Previously a counter that wasn't ready at boot would stay broken until the service was restarted; the collector now re-attempts on the normal collection cadence.
• #652 / #906 — non-English Windows counter lookup. Improved the English-counter fallback path so checks that reference counters by English name keep working on localised installs.
• Resource leak in PDH counter lookup — handle leaked on the error path of counter-name → counter-path resolution.

CheckSystem — expression functions and counter scaling

#281. The expression language now supports function calls, usable in any context that takes an expression (filter, warn, crit) or a template (detail-syntax, top-syntax, perf-syntax). Use the %(...) placeholder form — the legacy ${...} form cannot capture nested parentheses and cannot call functions.

Built-ins exposed by check_pdh today:

# Threshold in MB, display human-friendly
check_pdh counter=memory_bytes \
  "warning=convert_bytes(value, 'MB') > 500" \
  "detail-syntax=%(alias) = %(format_bytes(value))"

# Network rates as Mbps (decimal — use scale, not convert_bytes)
check_pdh counter=bytes_per_sec \
  "detail-syntax=Speed = %(scale(value, 1000000)) Mbps"

check_pdh also exposes variable-style shortcuts (value_human, value_mb, value_gb, …) — syntactic sugar for the corresponding format_bytes / convert_bytes calls. Reach for variables when one of the prebuilt units fits; reach for functions when you need a custom unit, a custom divisor, or composition with other expressions.

CheckSystem — check_network NIC team support

#625. The default mode=interface reads Win32_PerfRawData_Tcpip_NetworkInterface (one row per physical adapter — does not report team aggregates). New modes:

• mode=adapter — reads Win32_PerfRawData_Tcpip_NetworkAdapter, which includes the team aggregate as a virtual interface named after the team. The team aggregate is the row with no matching Win32_NetworkAdapter MAC entry, so it can be selected with filter=MAC = ''.
• mode=both — returns both sources, tagged with a new source keyword for filtering.

# Monitor a NIC team aggregate
check_network mode=adapter "warn=total > 100M" "crit=total > 500M"

# Alert only on the team adapter
check_network mode=adapter "filter=MAC = ''"

CheckHelpers — aliases

Aliases (a fixed command + fixed argument list exposed under a new name) have historically lived in [/settings/external scripts/alias], requiring CheckExternalScripts to be loaded even when the alias only invoked internal commands. A new section under [/settings/check helpers/alias] provides the same mechanism in CheckHelpers, with no external-scripts dependency.

[/modules]
CheckHelpers = enabled

[/settings/check helpers/alias]
my_check_cpu = check_cpu warn=load>80 crit=load>90
my_check_process = check_process "process=$ARG1$" "crit=state != 'started'"

Both modules can coexist; each reads its own section. Last-loaded wins on name collisions — pick one as the home for new aliases so you don't have to remember which is which.

WEBServer — disable admin user (cccc14e4)

New boolean under [/settings/WEB/server] that suppresses the built-in admin user entirely: it is not seeded on first boot, any pre-existing admin row in [/settings/WEB/server/users] is dropped at load time, and the "no users → re-add admin" fallback is skipped. For monitoring-only WEB exposures where remote reconfiguration must be impossible even if credentials leak.

[/settings/WEB/server]
disable admin user = true

[/settings/WEB/server/users/readonly]
password = ...
role = monitoring

Mirrored on the install command:

nscp web install --disable-admin

Mutually exclusive with --password (the install would create no user, so a password would have nowhere to go — the command refuses explicitly).

Service — prepare_shutdown plugin hook

Plugins now receive a prepare_shutdown callback before unload, giving them a chance to flush state, stop accepting new work, and tear down listening sockets cleanly rather than racing the unload. Wired up in NRPEServer, NSCAServer, NSClientServer, CheckMKServer, WEBServer, and Scheduler. The callback is optional — custom plugins built against the older API continue to work unchanged.

Service — path overrides via boot.ini and --path CLI (fbdfe257, d2075b99)

Path-resolver tokens (module-path, certificate-path, log-path, cache-path, scripts, web-path, …) used to be overridden via [/paths] in nsclient.ini. That doesn't work for the upcoming move of writable state out of the install directory: the path resolver is needed before the main INI is opened, so overriding where the INI lives must happen earlier.

The override location is now boot.ini:

; boot.ini
[settings]
common = ini://${shared-path}/nsclient.ini

[paths]
module-path = C:\Program Files\NSClient++\modules
log-path = D:\nscp\logs
cache-path = D:\nscp\cache

A --path KEY=VALUE CLI flag layers on top of boot.ini and wins — useful for build tooling and CI:

nscp service --run \
  --path module-path=C:\build\modules \
  --path log-path=C:\build\log

IcingaClient — built-in alias and container test

Adds a built-in alias for the standard Icinga submission flow and a Docker-based end-to-end test so the integration is exercised on every build.

simpleini — NUL-termination fix for non-UTF-8 INI files

The INI loader passed an explicit length to mbstowcs, but per POSIX mbstowcs(NULL, src, n) ignores n and scans until \0. On non-UTF-8 stores the size probe could walk past the buffer. The buffer now carries an explicit terminator.

Upgrade notes

• [/paths] users: if you had a [/paths] section in your nsclient.ini, copy the entries into [paths] in boot.ini. The settings-side section is no longer consulted. The default install does not use [/paths] and is unaffected.
• Custom-plugin authors: the new prepare_shutdown callback is optional. If your module manages sockets or background threads, you should implement it — unload is now expected to be a last-resort teardown rather than the place where listeners get stopped.
• check_pdh configs using ${...} for function calls: there are none today (the feature is new), but if you adapt examples from third-party docs that use ${format_bytes(...)}, rewrite to %(format_bytes(...)). The ${...} form stops at the first } and cannot parse nested parentheses.
• Monitoring-only WEB deployments: flip disable admin user = true under [/settings/WEB/server] and define your own read-only users (or rely on allow anonymous access = true with a tightly scoped anonymous role). The built-in admin will not be seeded, even on first boot.

Full Changelog: https://github.com/mickem/nscp/compare/0.12.4...0.12.5

0.12.4 — Regression fixes for Icinga and CheckSystem

This is a maintenance release focused on regressions introduced since 0.12.3. No new features; no breaking changes for configurations that don't hit the items below.

Highlights

• Icinga check_nscp_api works again. The query-string credential path was removed in 0.12.3 for security (commit 340b8db1). That hardening broke Icinga's bundled check_nscp_api plugin, which still passes the password as ?password=.... This release reinstates the legacy path behind a User-Agent allowlist (default: clients whose User-Agent matches Icinga/check_nscp_api) — every other client keeps the strict post-340b8db1 rejection.
• Better "module not found" messages on Windows. When a configured module fails to load, the error now points at the WiX installer feature that ships the module (e.g. NRPEServer → "NRPE Support"), so operators can fix the cause (re-run the installer and tick that feature) without reading source.
• IcingaClient.dll is now in the installer. The DLL was being built but not packaged, so the corresponding Op5/Icinga client features were unusable on stock Windows installs.
• os_updates.status keyword renamed to update_status. The previous name clashed with the built-in status keyword every check exposes, which made filter / detail-syntax expressions ambiguous on check_os_updates. Any custom config that referenced os_updates.status must be updated — see Behaviour change below.
• check_wmi no longer crashes on warn/crit filters. A use-after-mutation in the WMI row iterator caused an access violation whenever a warn= or crit= filter touched a column value (e.g. check_wmi "query=Select Version from win32_OperatingSystem" "warn=Version not like '6.3'"). Affected every filter that exercised the post-iteration deferred-evaluation path.

Detailed changes

WebServer — legacy query-string authentication restored for specific clients (94b2057d)

The 0.12.3 hardening removed three paths because URL-borne credentials and tokens leak into browser history, proxy logs, and Referer headers:

• GET/POST /auth/token?password=...
• GET/POST /auth/logout?token=...
• ?TOKEN=... / ?__TOKEN=... as a session-token fallback on any endpoint

Removing them broke Icinga's bundled check_nscp_api plugin, which still ships with the query-string mechanism. To unblock that integration without re-opening the vector to browsers and arbitrary scrapers, this release gates the legacy paths on a User-Agent allowlist:

• New setting [/settings/WEB/server] legacy query auth user agents. Comma-separated list of User-Agent substrings ( case-insensitive). A request whose User-Agent contains any pattern is allowed to use the legacy query-string mechanism; everything else still gets the 0.12.3 rejection (410 Gone on /auth/*, 403 on ?TOKEN=).
• Default: Icinga/check_nscp_api — anchors on the specific plugin name, so unrelated tooling that merely mentions " Icinga" in its User-Agent doesn't slip through.
• Set to an empty string to disable the fallback entirely (matches the strict 0.12.3 behaviour).
• The 410 / 403 rejection log lines now mention this setting as the escape hatch so operators don't have to dig through source to find it.

Security posture, in short: this is not a defence against malicious clients — an attacker can spoof the User-Agent — but it keeps the legacy vector off the default surface for browsers, scrapers, and anything else that isn't check_nscp_api.

Service — installer-feature hints in module-load errors (793c3ee1)

When a referenced module's DLL isn't on disk (typically because the operator didn't tick the relevant feature in the Windows installer), the error now ends with a hint:

Failed to load NRPEServer:  (module 'NRPEServer' is part of the 'NRPE Support' installer feature; re-run the 
NSClient++ installer and enable that feature, or see installers/installer-NSCP/Product.wxs for the full feature map)

Covers every module shipped by the MSI: CheckPlugins (the bulk of check_* modules), NRPE Support, Check MK Support, NSCA / NSCA-NG, WEB Server, Lua / Python scripting, OP5 / Elastic / Icinga client, etc.

Hint is Windows-only — on Linux the package manager handles module installation and the hint would be misleading.

Installer — IcingaClient.dll added (3a9af3cf)

IcingaClient.dll is built by the CheckSystem solution but was missing from Product.wxs, so it was never shipped. The Op5 → Icinga integration path was effectively broken on stock Windows installs. The DLL is now in the "Various client plugins" feature alongside GraphiteClient, SMTPClient, SyslogClient, etc.

CheckSystem — check_os_updates keyword rename (cf3613e2)

The check_os_updates filter previously exposed a per-item field called status (overall update status: up_to_date / pending / error). Every check also exposes a built-in top-level status (OK / WARNING / CRITICAL / UNKNOWN), so filter and detail-syntax expressions like status = 'pending' were ambiguous — a regression caught by users upgrading from 0.11.x. The per-item field has been renamed to update_status.

The built-in status keyword (OK/WARNING/CRITICAL) is unaffected.

Upgrade notes

• Icinga users: check_nscp_api should start working again after the upgrade with no config changes. If you have a non-stock Icinga probe that uses a different binary name, set [/settings/WEB/server] legacy query auth user agents to a substring matching its User-Agent (or to plain Icinga to broaden the match beyond the default).
• Strict-deployment operators: if you want the strict 0.12.3 behaviour (no query-string credentials, no exceptions), set [/settings/WEB/server] legacy query auth user agents = (empty).

Full Changelog: https://github.com/mickem/nscp/compare/0.12.3...0.12.4