Docs/catch up 2024.2 to 2026.2

docs/admin/cloudshell-event-queue.md

@@ -89,7 +89,7 @@ In the above example, Cloudshell Server would only emit events related to new us
 
 **UserUpdatedEvent**:   This event happens when a user's details are updated.
 
-**LoginEvent**:   This event is triggered when a user logs in.
+**LoginEvent**:   This event is triggered when a user logs in. *Since CloudShell 2024.1.0.2596*, login events are also generated for SSO (Single Sign-On) logins. Previously, login events were only created for direct authentication.
 
 **UserGroupAddedEvent**:   This event occurs when a new user group is added.
 
@@ -162,3 +162,11 @@ In the above example, Cloudshell Server would only emit events related to new us
 **WorkOrderResourceUnsolvedEvent**:   This event is fired when a concrete match for a work order resource is unselected in an assembly lab sandbox.
 
 **WorkOrderResourceRemovedEvent**:   This event happens when a work order resource is removed in an assembly lab sandbox.
+
+**AttributeChangedEvent** *(Added in CloudShell 2024.1)*:   This event is triggered when an attribute value is changed on a resource. Useful for monitoring attribute changes via MQ integration for audit or automation purposes.
+
+## Domain ID in Events
+
+*Added in CloudShell 2024.1.0.2596*
+
+Certain server events now include a `DomainId` field in their message payload. This simplifies event handling and filtering by domain in MQ consumers, allowing subscribers to process only events relevant to a specific domain without additional API lookups.

docs/admin/cloudshell-manage-dashboard/maintenance-window.md

@@ -61,6 +61,26 @@ The maintenance window's areas are arranged as follows:
 | 9 | Warning on Reserve | The message shown to non-admin users who try in advance to create a sandbox that starts and ends outside the maintenance window. The user is presented with the option to either **Continue** or **Cancel**. If they select to continue, the sandbox will be created and remain active during the maintenance period, but it will be inaccessible.<br/>In the API, there is no warning, and the action is allowed. |
 | 10 | Delete button | <ul><li>**PLANNED** or **NEW** state: deletes the maintenance window</li><li>**ACTIVE** state: ends and deletes the maintenance window</li></ul> |
 
+## Maintenance Window By Domain
+
+*New in CloudShell 2026.1*
+
+In addition to the system-wide maintenance window described above, administrators can define maintenance windows scoped to individual domains. During a domain-scoped maintenance window, sandbox creation and modifications are restricted in that domain, while other domains continue operating normally.
+
+This is useful for planned infrastructure maintenance, upgrades, or other activities that require temporarily restricting access to specific lab resources without affecting other teams.
+
+### Configuring a Domain Maintenance Window
+
+To set a maintenance window for a specific domain, use the API:
+
+- **UpdateDomainSetting** — Set maintenance window parameters for a specific domain
+- **GetDomainSettings** — Retrieve current domain settings including maintenance window configuration
+
+:::note
+The system-wide maintenance window (configured from the **Manage** dashboard) takes precedence over domain-level maintenance windows. If both are active, the system-wide restrictions apply.
+:::
+
 ## Related Topics
 
 - [Manage Dashboard Overview](../../admin/cloudshell-manage-dashboard/manage-dashboard-overview.md)
+- [CloudShell Domains](../../admin/cloudshell-identity-management/cloudshell-domains/index.md)

docs/admin/cloudshell-manage-dashboard/manage-app-templates/app-template/deployment-path/aws-ec2-dp-attributes.md

@@ -82,7 +82,7 @@ If not specified, the protocol defaults to TCP.
 
 :::tip Tips
 - To allow QualiX in-browser connections to the VM from the sandbox, include port "22".
-- To set more specific security groups, it is recommended to use the TestShell API's [SetAppsSecurityGroup](pathname:///api-docs/2024.1/TestShell-API/TestShell%20XML%20RPC%20API.html) method instead. Unlike the Inbound Ports attribute, it enables you to define different port settings per subnet and allow inbound access to specific source CIDRs. For additional information, see [SetAppSecurityGroups Code Example](../../../../supported-cloud-providers-in-cloudshell/public-cloud-provider-support-in-cloudshell/setappsecuritygroups-code-example.md).
+- To set more specific security groups, it is recommended to use the TestShell API's [SetAppsSecurityGroup](pathname:///api-docs/latest/TestShell-API/TestShell%20XML%20RPC%20API.html) method instead. Unlike the Inbound Ports attribute, it enables you to define different port settings per subnet and allow inbound access to specific source CIDRs. For additional information, see [SetAppSecurityGroups Code Example](../../../../supported-cloud-providers-in-cloudshell/public-cloud-provider-support-in-cloudshell/setappsecuritygroups-code-example.md).
 :::
             </td>
         </tr>

docs/admin/cloudshell-manage-dashboard/manage-app-templates/app-template/deployment-path/azure-custom-image-dp-attributes.md

@@ -214,7 +214,7 @@ If not specified, the protocol defaults to TCP.
 :::
 :::tip Tips
 - To allow QualiX in-browser connections to the VM from the sandbox, include port "22".
-- To set more specific security groups, it is recommended to use the TestShell API's [SetAppSecurityGroups](pathname:///api-docs/2024.1/TestShell-API/TestShell%20XML%20RPC%20API.html#SetAppSecurityGroups) method instead. Unlike the **Inbound Ports** attribute, it enables you to define different port settings per subnet and allow inbound access to specific source CIDRs. For additional information, see [SetAppSecurityGroups Code Example](../../../../supported-cloud-providers-in-cloudshell/public-cloud-provider-support-in-cloudshell/setappsecuritygroups-code-example.md).
+- To set more specific security groups, it is recommended to use the TestShell API's [SetAppSecurityGroups](pathname:///api-docs/latest/TestShell-API/TestShell%20XML%20RPC%20API.html#SetAppSecurityGroups) method instead. Unlike the **Inbound Ports** attribute, it enables you to define different port settings per subnet and allow inbound access to specific source CIDRs. For additional information, see [SetAppSecurityGroups Code Example](../../../../supported-cloud-providers-in-cloudshell/public-cloud-provider-support-in-cloudshell/setappsecuritygroups-code-example.md).
 :::
             </td>
         </tr>

docs/admin/cloudshell-manage-dashboard/manage-app-templates/app-template/deployment-path/azure-galery-dp-attributes.md

@@ -191,7 +191,7 @@ If not specified, the protocol defaults to TCP.
 :::
 :::tip Tips
 - To allow QualiX in-browser connections to the VM from the sandbox, include port "22".
-- To set more specific security groups, it is recommended to use the TestShell API's [SetAppSecurityGroups](pathname:///api-docs/2024.1/TestShell-API/TestShell%20XML%20RPC%20API.html#SetAppSecurityGroups) method instead. Unlike the **Inbound Ports** attribute, it enables you to define different port settings per subnet and allow inbound access to specific source CIDRs. For additional information, see [SetAppSecurityGroups Code Example](../../../../supported-cloud-providers-in-cloudshell/public-cloud-provider-support-in-cloudshell/setappsecuritygroups-code-example.md).
+- To set more specific security groups, it is recommended to use the TestShell API's [SetAppSecurityGroups](pathname:///api-docs/latest/TestShell-API/TestShell%20XML%20RPC%20API.html#SetAppSecurityGroups) method instead. Unlike the **Inbound Ports** attribute, it enables you to define different port settings per subnet and allow inbound access to specific source CIDRs. For additional information, see [SetAppSecurityGroups Code Example](../../../../supported-cloud-providers-in-cloudshell/public-cloud-provider-support-in-cloudshell/setappsecuritygroups-code-example.md).
 :::
             </td>
         </tr>

docs/admin/cloudshell-manage-dashboard/manage-app-templates/app-template/deployment-path/azure-marketplace-dp-attributes.md

@@ -217,7 +217,7 @@ If not specified, the protocol defaults to TCP.
 :::
 :::tip Tips
 - To allow QualiX in-browser connections to the VM from the sandbox, include port "22".
-- To set more specific security groups, it is recommended to use the TestShell API's [SetAppSecurityGroups](pathname:///api-docs/2024.1/TestShell-API/TestShell%20XML%20RPC%20API.html#SetAppSecurityGroups) method instead. Unlike the Inbound Ports attribute, it enables you to define different port settings per subnet and allow inbound access to specific source CIDRs. For additional information, see [SetAppSecurityGroups Code Example](../../../../supported-cloud-providers-in-cloudshell/public-cloud-provider-support-in-cloudshell/setappsecuritygroups-code-example.md).
+- To set more specific security groups, it is recommended to use the TestShell API's [SetAppSecurityGroups](pathname:///api-docs/latest/TestShell-API/TestShell%20XML%20RPC%20API.html#SetAppSecurityGroups) method instead. Unlike the Inbound Ports attribute, it enables you to define different port settings per subnet and allow inbound access to specific source CIDRs. For additional information, see [SetAppSecurityGroups Code Example](../../../../supported-cloud-providers-in-cloudshell/public-cloud-provider-support-in-cloudshell/setappsecuritygroups-code-example.md).
 :::
             </td>
         </tr>

docs/admin/setting-up-cloudshell/assembly-lab/index.md

@@ -11,16 +11,40 @@ In the standard mode, the entire blueprint must be solved satisfactorily, or the
 
 In Assembly Lab, solving the blueprint partially is possible, and it is expected that further changes to the inventory OR to the request (originally a blueprint, but now a pending sandbox) will eventually bring the sandbox to the desired state.
 
+## Diagram Editor
+
+### Collapsing Abstract Nodes
+
+When working with complex blueprints that contain many abstract requirements, users can collapse abstract nodes in the diagram editor for a cleaner visualization. Right-click an abstract node and select **Collapse** to hide its child elements. This helps manage large diagrams while retaining access to the full structure when needed.
+
 ## Assembly Lab Rules
 
 ### Route Handling
 
 If there is a route between resources, the route will not be solved (i.e., Layer 1 ports will not be reserved). However, the system will attempt to select resources that are connected to Layer 1 switches.
 
+### Smart Route Creation with L1 Priority
+
+When creating routes between concrete devices in the sandbox, the system prioritizes using existing route segments (patch panels, Layer 1 infrastructure). If a valid route can be established through existing L1 infrastructure, it will be used automatically.
+
+If no valid route can be established through existing L1 infrastructure, a provisional direct connection (device-to-device) is created. This placeholder route can later be refined by selecting appropriate connections through Layer 1 switches or patch panels.
+
+### L1 Port Auto-Add on Solve
+
+When solving an abstract requirement that is part of a route, if the solution resource is connected to a Layer 1 port, that port is automatically added to the route and reservation. This eliminates the need to manually manage L1 port assignments when resolving abstract requirements within routes.
+
+Conversely, when unsolving an abstract, the associated L1 port is automatically removed from the route and reservation.
+
 ### Sandbox Creation
 
 A sandbox is always created, even if not all requirements are met. This approach ensures that users can proceed with their projects while resolving outstanding requirements.
 
+### Exclusive Requirement Solving
+
+When solving exclusive abstract requirements, only the device itself is used as the solution — not the entire resource graph beneath it. This ensures that exclusive reservations are scoped precisely to the required resource.
+
+Additionally, the "unsolve abstract" operation accurately determines which resources to remove from the reservation, preventing unintended removal of resources that are still needed by other requirements.
+
 ### Whole Resource Utilization
 
 As many resource requirements as possible will be solved with whole resources. This approach minimizes fragmentation and maintains the integrity of individual resources.

docs/admin/setting-up-cloudshell/assembly-lab/work-order-management.md

@@ -15,7 +15,32 @@ Until each work order resource has a concrete resource that matches the abstract
 
 The Routes tab displays either cable routes or logical routes used to apply Layer 1 connectivity.
 
-Each record in the Routes tab represents a single route.
+Each record in the Routes tab represents a single route. Routes are sorted alphabetically for easier navigation.
 
-- For cable routes (known as "direct" in the work order), if both work order resources at the terminus have been selected, users can apply "connect" to indicate that the devices have been wired together in the lab (or "disconnect" for the inverse).
-- For Layer 1 routes, users can assign the work order resource to be connected to another device in the lab.
+- For cable routes (known as "direct" in the work order), if both work order resources at the terminus have been selected, users can apply "connect" to indicate that the devices have been wired together in the lab (or "disconnect" for the inverse). The **Save & Connect** button is disabled for Cable type routes since no Layer 1 connection is needed.
+- For Layer 1 routes, users can assign the work order resource to be connected to another device in the lab.
+
+### Route Search
+
+When searching for resources to assign to a route, the following search capabilities are available:
+
+- **L1Connectables filter** — filters the resource search to show only resources that can be connected via Layer 1 infrastructure.
+- **Free text search** — type any text to filter route entries by name or other attributes.
+
+## Permissions and State Management
+
+### Work Order Permissions
+
+Only administrators or users who have been explicitly granted permission can update work orders. This ensures that work order modifications are controlled and auditable.
+
+### Recursive State Updates
+
+When setting a parent resource's state to **Completed**, all child ports under that parent are automatically set to Completed as well. This eliminates the need to manually update each sub-resource individually.
+
+### Pending Sandbox Restrictions
+
+When a sandbox is in **Pending** state, connectivity changes (connecting or disconnecting routes) are blocked. The sandbox must transition out of the Pending state before route connectivity operations can be performed.
+
+### Resource Sorting
+
+Resources in the work order view are sorted by their request name, making it easier to find and manage specific work order items.

docs/admin/setting-up-cloudshell/cloudshell-configuration-options/advanced-cloudshell-customizations.md

@@ -1866,7 +1866,7 @@ Apps based on a public cloud provider, such as AWS EC2 and Azure, cannot be used
 
 By default, when trying to open a URL to a sandbox from a domain you can access but are not currently logged into, CloudShell prompts the user to switch to the domain (assuming the blueprint is public and the user is permitted to access the sandbox/blueprint). If the user confirms the switch, CloudShell will then open the sandbox/blueprint in its domain. However, you can choose to prevent this domain switch by setting the `AutoSwitchDomain` key. For additional information, see [Opening Sandboxes](../../../portal/sandboxes/opening-sandboxes.md).
 :::note
-When opening a blueprint from a URL, the domain switch only works if the blueprint URL includes the domain ID. To obtain a blueprint URL with the domain ID, use the CloudShell Automation API's [GetTopologyUrls](pathname:///api-docs/2024.1/python-api/cloudshell.api.html?#cloudshell.api.cloudshell_api.CloudShellAPISession.GetTopologyUrls) method.
+When opening a blueprint from a URL, the domain switch only works if the blueprint URL includes the domain ID. To obtain a blueprint URL with the domain ID, use the CloudShell Automation API's [GetTopologyUrls](pathname:///api-docs/latest/python-api/cloudshell.api.html?#cloudshell.api.cloudshell_api.CloudShellAPISession.GetTopologyUrls) method.
 :::
 **To disable the domain switch when accessing a sandbox/blueprint link:**
 

docs/admin/setting-up-cloudshell/cloudshell-configuration-options/customer-configuration-keys-repository/general.md

@@ -722,4 +722,111 @@ Python 3 automation requires Microsoft Visual C++ Redistributable 2015 x86 and x
 			<td>2024.1 and above</td>
 		</tr>
 	</tbody>
+</table>
+
+## Environment variable configuration overrides
+
+*Starting with CloudShell 2024.1*, CloudShell supports overriding `customer.config` values using environment variables. This enables configuration management without modifying files directly, which is useful for containerized deployments and automation scenarios.
+
+To override a configuration key, set an environment variable with the prefix `QS_` followed by the key name (with dots replaced by underscores). For example, to override `<add key="MyKey" value="SomeValue"/>`, set the environment variable `QS_MyKey`.
+
+<table>
+	<tbody>
+		<tr>
+			<td>Key</td>
+			<td>N/A (environment variable prefix: `QS_`)</td>
+		</tr>
+		<tr>
+			<td>Possible values</td>
+			<td>Any value that would be valid in the corresponding `customer.config` key</td>
+		</tr>
+		<tr>
+			<td>Where to add/change</td>
+			<td>System environment variables on the machine running the CloudShell component</td>
+		</tr>
+		<tr>
+			<td>Default value</td>
+			<td>N/A</td>
+		</tr>
+		<tr>
+			<td>Affected CloudShell Component</td>
+			<td>All (Quali Server, Portal, Execution Server)</td>
+		</tr>
+		<tr>
+			<td>Version</td>
+			<td>2024.1 and above</td>
+		</tr>
+	</tbody>
+</table>
+
+:::note
+Environment variable overrides take precedence over values defined in `customer.config`. This allows you to manage configuration centrally (e.g., via orchestration tools or container runtime) without modifying config files on disk.
+:::
+
+## Allow unicode characters in script command context
+
+When set to `true`, allows passing unicode characters to script environment variables. This is useful when usernames or other context values contain unicode characters.
+
+<table>
+	<tbody>
+		<tr>
+			<td>Key</td>
+			<td>`<add key="AllowUnicodeForCommandContext" value="True"/>`</td>
+		</tr>
+		<tr>
+			<td>Possible values</td>
+			<td>True/False</td>
+		</tr>
+		<tr>
+			<td>Where to add/change</td>
+			<td>`customer.config` CloudShell Server installation directory</td>
+		</tr>
+		<tr>
+			<td>Default value</td>
+			<td>False</td>
+		</tr>
+		<tr>
+			<td>Affected CloudShell Component</td>
+			<td>CloudShell Server</td>
+		</tr>
+		<tr>
+			<td>Version</td>
+			<td>2024.1 and above</td>
+		</tr>
+	</tbody>
+</table>
+
+## Configure AI Assistant chat menu item in Portal
+
+Administrators can configure an AI Assistant menu item in the Portal by setting a URL template. This adds a menu item that opens an AI chat interface, optionally passing context about the current page or resource.
+
+The URL template can include placeholders that are replaced with context values at runtime, such as `{resource}` or `{page}`.
+
+<table>
+	<tbody>
+		<tr>
+			<td>Key</td>
+			<td>`<add key="AIChatURL" value="https://your-ai-chat-url.com?context={page}"/>`</td>
+		</tr>
+		<tr>
+			<td>Possible values</td>
+			<td>A URL template. Supported placeholders: `{page}`, `{resource}`, `{sandbox}`</td>
+		</tr>
+		<tr>
+			<td>Where to add/change</td>
+			<td>`customer.config` CloudShell Portal installation directory</td>
+		</tr>
+		<tr>
+			<td>Default value</td>
+			<td>N/A (disabled)</td>
+		</tr>
+		<tr>
+			<td>Affected CloudShell Component</td>
+			<td>CloudShell Portal</td>
+		</tr>
+		<tr>
+			<td>Version</td>
+			<td>2026.2 and above</td>
+		</tr>
+	</tbody>
 </table>