Checkmk
diff --git a/‎.bazelrc‎
Lines changed: 6 additions & 0 deletions b/‎.bazelrc‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎requirements/rust/host/.cargo/config.toml‎ ‎.cargo/config.toml‎requirements/rust/host/.cargo/config.toml renamed to .cargo/config.toml b/‎requirements/rust/host/.cargo/config.toml‎ ‎.cargo/config.toml‎requirements/rust/host/.cargo/config.toml renamed to .cargo/config.toml
diff --git a/‎requirements/rust/host/.cargo/readme.md‎ ‎.cargo/readme.md‎requirements/rust/host/.cargo/readme.md renamed to .cargo/readme.md b/‎requirements/rust/host/.cargo/readme.md‎ ‎.cargo/readme.md‎requirements/rust/host/.cargo/readme.md renamed to .cargo/readme.md
diff --git a/‎.github/agents/code-review.agent.md‎
Lines changed: 11 additions & 1 deletion b/‎.github/agents/code-review.agent.md‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 0 additions & 1 deletion b/‎.gitignore‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎.werks/18744.md‎
Lines changed: 16 additions & 0 deletions b/‎.werks/18744.md‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎.werks/19191.md‎
Lines changed: 18 additions & 0 deletions b/‎.werks/19191.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎.werks/19343.md‎
Lines changed: 18 additions & 0 deletions b/‎.werks/19343.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎.werks/19512.md‎
Lines changed: 19 additions & 0 deletions b/‎.werks/19512.md‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.werks/19522.md‎
Lines changed: 20 additions & 0 deletions b/‎.werks/19522.md‎
Lines changed: 20 additions & 0 deletions
@@ -8,6 +8,12 @@ build --workspace_status_command=bazel/tools/workspace_status.sh
 # Add mirrors for certain download URLs
 common --downloader_config=bazel_downloader.cfg
 
+# Limit JVM thread pools to match cgroup CPU limit (nproc reports host CPUs, not cgroup)
+# --host_jvm_args is a startup option, see https://bazel.build/run/bazelrc
+startup --host_jvm_args=-XX:ActiveProcessorCount=8
+startup --host_jvm_args=-XX:ParallelGCThreads=4
+startup --host_jvm_args=-XX:ConcGCThreads=2
+
 # enable a local disk cache: this is especially relevant for local builds without an enabled bazel-remote
 common:linux --disk_cache=~/.cache/bazel_disk_cache/
 common:linux --experimental_disk_cache_gc_max_size=100G
 
@@ -34,7 +34,7 @@ You are an expert code reviewer at Checkmk. Your job is to find **problems** in
    - Find related tests if the change affects testable behavior
    - If fixing a bug, search for the same pattern elsewhere that may have the same issue
 3. **Review the change given the context**
-4. **Report back in standardized output format:**
+4. **Report back in standardized output format.** Note that the 4 backticks help to display raw text to be copy & pasted.
 
 <output-format>
 # Change <number>: <one-line summary>
@@ -61,10 +61,13 @@ If the change reveals broader issues or incomplete fixes:
 
 **<file>:<line>**
 
+<!-- prettier-ignore -->
+````markdown
 Brief explanation of the problem and why it matters (1-3 sentences).
 Include a code snippet if it clarifies the issue.
 
 Suggest a concrete fix, or list options if there are multiple valid approaches.
+````
 
 </issue-1>
 
@@ -75,7 +78,11 @@ Suggest a concrete fix, or list options if there are multiple valid approaches.
 
 **<file>:<line>**
 
+<!-- prettier-ignore -->
+````markdown
 ...
+````
+
 </issue-2>
 </list-of-issues>
 </output-format>
@@ -143,6 +150,7 @@ Good addition for controlling request timeouts, but there's a potential issue wi
 
 **cmk/base/sources/\_api.py:142**
 
+````markdown
 The default timeout of `0` will cause immediate timeout errors in production.
 Looking at the underlying `requests` library usage:
 
@@ -161,6 +169,8 @@ To fix this:
 - Make the parameter required to force callers to choose explicitly
 
 I'd recommend option 2 with `timeout: float = 30.0` as a reasonable default.
+````
+
 </good-example-minor-issues>
 
 ## Guidelines
 
@@ -2,7 +2,6 @@
 .bugs/.last
 .bugs/.my_ids
 .cache
-.cargo
 .coverage
 .coverage.*
 .directory
 
@@ -0,0 +1,16 @@
+[//]: # (werk v3)
+# OTel: Hosts monitored only via OpenTelemetry are incorrectly treated as ping hosts
+
+key        | value
+---------- | ---
+date       | 2026-03-19T09:28:02.224095+00:00
+version    | 2.6.0b1
+class      | fix
+edition    | ultimate
+component  | checks
+level      | 1
+compatible | yes
+
+Hosts configured to receive OpenTelemetry data but lacking a Checkmk agent or SNMP were incorrectly classified as ping-only. This caused their services to show an UNKNOWN state instead of processing the incoming OpenTelemetry metrics, leading to confusion or missed alerts.
+
+We now correctly recognize hosts with an OpenTelemetry metrics association as having a valid data source. This fix ensures these hosts display their OpenTelemetry metrics accurately, improving monitoring reliability. No user action is required to benefit from this update.
@@ -0,0 +1,18 @@
+[//]: # (werk v3)
+# mk-sql: skip inaccessible databases in SQL Server Always On Availability Groups
+
+key        | value
+---------- | ---
+date       | 2026-03-20T12:34:51+00:00
+version    | 2.6.0b1
+class      | fix
+edition    | community
+component  | checks
+level      | 2
+compatible | yes
+
+mk-sql previously queried all SQL Server databases indiscriminately, including secondary replicas in Always On Availability Groups (AG) that were not directly accessible. This caused spurious errors when monitoring SQL Server instances participating in an AG.
+
+Now, mk-sql only queries databases that are actually accessible: standalone databases, primary replicas, and readable secondary replicas. Inaccessible AG secondaries are silently skipped — this is expected behavior, not an error.
+
+This change improves monitoring reliability by eliminating false error messages. No configuration adjustments are necessary, as the update is fully automatic and transparent to users.
@@ -0,0 +1,18 @@
+[//]: # (werk v3)
+# Enforce "Query metric backend from custom graph editor" permission on graph view, edit and AJAX endpoints
+
+key        | value
+---------- | ---
+date       | 2026-03-20T09:18:51+00:00
+version    | 2.6.0b1
+class      | fix
+edition    | ultimate
+component  | wato
+level      | 1
+compatible | yes
+
+The "Query metric backend from custom graph editor" permission now restricts access to the graph view, edit, and AJAX endpoints. Previously, all users—regardless of this permission—could query the metric backend.
+
+With this change, only users granted this permission are allowed to query the metric backend.
+
+No action is required to benefit from this update.
@@ -0,0 +1,19 @@
+[//]: # (werk v3)
+# Agent connection test: Token generation only shown for tabs that need it
+
+key        | value
+---------- | ---
+date       | 2026-03-19T09:32:09+00:00
+version    | 2.6.0b1
+class      | fix
+edition    | community
+component  | wato
+level      | 1
+compatible | yes
+
+In the community edition, the agent connection test slide-out always showed the
+token generation prompt, even for tabs that only display a documentation link
+and do not need a token. This was confusing but not blocking.
+
+The token generation is now only shown for tabs that actually include install
+commands requiring a token.
@@ -0,0 +1,20 @@
+[//]: # (werk v3)
+# Fix crash when viewing parameters for services of third-party check plugins
+
+key        | value
+---------- | ---
+date       | 2026-03-19T12:11:17.079858+00:00
+version    | 2.6.0b1
+class      | fix
+edition    | community
+component  | wato
+level      | 1
+compatible | yes
+
+Previously, opening the "Parameters for service" page in Setup for a
+discovered service could crash with a KeyError if the check plugin's
+checkgroup had no registered ruleset — which is common for third-party
+check plugins (e.g. infortend_chassis1).
+
+The page now correctly shows "This check is not configurable via Setup"
+for such services instead of crashing with an internal error.