main · *_relcand · *_release · release/*
thresholdsseverity ≥ minor · confidence ≥ medium · cap 12
max diff0.4 MB
pollevery 300s
NMS Delegate — network management: device discovery/monitoring, condition triggering, agent deployment, SNMP traps, NetFlow, CLI/config. Talks to the Ninja Backend via WAMP/RPC. C++/Qt.
C++/Qt6 network-management agent (Windows service; also deployed on Linux). Discovers and
monitors devices (ICMP/TCP/HTTP/SNMP/NetFlow/Syslog), evaluates conditions, runs CLI/SSH/
Telnet config + agent-deployment tasks, and relays results to the **Ninja Backend over
WAMP/RPC** (Autobahn + WebSocket++/Boost.ASIO + TLS).
nmsmanager/ — entry point: bootstrap, WAMP login, Windows-service plumbing.nmscore/ — worker base (each worker owns a QThread + event loop), the HTTP jobqueue, and the WAMP/RPC layer; nmscore/condition/ condition evaluators;nmscore/structs/ JSON↔struct serialization.
wrk/ — the concrete workers (discovery, SNMP, NetFlow, CLI, config backup, deployment,syslog, ICMP/TCP/ARP/DNS, …); wrk/misc/ protocol clients (SSH/Telnet/SNMP) + DB migrator;wrk/flow/ flow parser + the encrypted flow DB.
app/ — platform shims (Windows COM/registry/firewall/minidump/service vs Linux).ncossl/ — OpenSSL/TLS (FIPS-capable); ninja-security — credential encryption (DPAPI).must go via signals/slots or invokeMethod; check the shutdown guard before dereferencing
shared worker pointers.
a possibly-null WAMP context, independent session-disconnect states — swallowed errors,
unchecked results, and silent hangs are the classic bugs. Clean up on partial failure.
use-after-free / null-after-check on replies and sessions is the recurring pitfall.
never log them; encrypt at rest.
numbered, append-only migrations; reordering/editing a shipped migration or changing
key derivation corrupts existing DBs silently.
DPAPI, WMI, registry, service) must be guarded and Linux equivalents not left as stubs.
Credential storage (DPAPI) + never-log discipline; WAMP auth — **every RPC handler must
validate the caller's authRole** before acting; SEE-encrypted SQLite key handling; backend
TLS (no downgrade / cert-skip); remote deployment (WMI / PowerShell) — injection via
unsanitized target/credential inputs.
contract for all deployed agents.
getConfig(since) protocol — delta semantics must match the backend._Orientation only — verify current specifics in the code; this describes durable architecture
and risk areas, not a snapshot._
How the monitored repos relate — so a change in one repo is reviewed with its blast
radius in mind (a change upstream of ncpeer can break ncpeer even if it looks local).
Orientation only; verify specifics in code.
speak the NCRP wire protocol (protocol/format changes must stay compatible across
client and server versions).
URLs, it pairs them and forwards frames verbatim. Signed join URLs are minted by the
Ninja backend — the signature scheme is a backend⇄relay contract, and the frame
semantics are a peer⇄peer contract.
a signed upload leg streams to a signed download leg through memory (never stored).
Two parallel implementations (Python ftsv2/ + Go fts_go/) must stay behaviorally
identical; the URL/signature scheme is shared-family with websocket-switch.
NinjaRemote file-transfer features ride on these relays when peers can't go direct.
or behaviour change here affects both consumers.
build against**. A dependency bump changes what those products link (security/ABI/build).
through the ncpeer_vcpkg overlay.
shares nccommon and ncpeer_vcpkg with ncpeer.
part of the remote-desktop family). Runs as a child process of the NinjaRMM agent (the
parent owns install/upgrade/policy/launch); NinjaFlow owns the CLI contract, config schema,
credential precedence, DB schema/migrations, and exit-code meanings the parent consumes —
those are cross-process contracts. Submits telemetry to the Ninja Backend. Shares no code with
ncpeer/nmsnj; adjacent to nmsnj only in domain (network), not in implementation.
not part of any product's build. It consumes the SBOMs the other products' pipelines emit
(Ninja-Remote/ncpeer, NMS/nmsnj, NinjaFlow all appear in its scope maps), scans them for CVEs
and files Jira issues — a downstream *security-scanning* relationship, not a code dependency.
Shares no code with the others; has its own DB/schema and a toolbox submodule.
authentication component: its pam_ninja.so gates SSH reverse-tunnel access into
Ninja infrastructure with a time-based OTP. Shares no code with the other repos; its
blast radius is operational (who can SSH-tunnel into hosts), not code-level. The client OTP
generators and the module must agree on the OTP scheme + shared secret.
these are *upstream* of ncpeer (and nccommon/vcpkg also of nmsnj) — weigh the consumer
side: API/ABI compatibility, build impact, and cross-platform reach.
contract.