[NDM] Add core check for NCM (#39735)

<!--
* Contributors are encouraged to read our
[CONTRIBUTING](/CONTRIBUTING.md) documentation.
* Both Contributor and Reviewer Checklists are available at
https://datadoghq.dev/datadog-agent/guidelines/contributing/#pull-requests.
* The pull request:
  * Should only fix one issue or add one feature at a time.
  * Must update the test suite for the relevant functionality.
  * Should pass all status checks before being reviewed or merged.
* Commit titles should be prefixed with general area of pull request's
change.
* Please fill the below sections if possible with relevant information
or links.
-->
### What does this PR do?
Adds the agent corecheck/integration for NCM / Network Config Management
feature owned by NDM

This PR adds:
* A new core check `network_config_management` + defaults around that
* Refine shared logic between the core check and traps/syslogs-based
retrieval
* Adds tests

You can refer to this
[documentation](https://datadoghq.atlassian.net/wiki/spaces/II/pages/5367792210/NCM+Architecture+Overview)
for details regarding the vision for the agent-based architecture.

**Core check flow**
1. Check is scheduled, configured according to the `conf.yaml` (example
below in QA section)
2. For the device, retrieval (default 15m) during the check only grabs
the running config (hardcoded for Cisco devices currently)
3. Finishes by submitting to EvP

Many tasks left open, including:
* Additional support for Telnet
* Refining SSH support / configurations
* Validation, parsing, refinement of config output post-retrieval (incl.
sensitive data scrubbing, etc.)
* etc.

these will be upcoming PRs to address, as this initial contribution has
grown large :^D

### Motivation

### Describe how you validated your changes
<!--
Validate your changes before merge, ensuring that:
* Your PR is tested by static / unit / integrations / e2e tests
* Your PR description details which e2e tests cover your changes, if any
* The PR description contains details of how you validated your changes.
If you validated changes manually and not through automated tests, add
context on why automated tests did not fit your changes validation.

If you want additional validation by a second person, you can ask
reviewers to do it. Describe how to set up an environment for manual
tests in the PR description. Manual validation is expected to happen on
every commit before merge.

Any manual validation step should then map to an automated test. Manual
validation should not substitute automation, minus exceptions not
supported by test tooling yet.
-->

**VALIDATION OUTPUT**
```
cisco@qa-agent:~$ sudo -u dd-agent -- datadog-agent check network_config_management
{"namespace":"zoe_ncm_test","integration":"","configs":[{"device_id":"zoe_ncm_test:10.10.1.1","device_ip":"10.10.1.1","config_type":"running","timestamp":1755274594,"tags":["device_ip:10.10.1.1"],"content":"\r\n\r\n\r\nBuilding configuration...\r\n\r\n  \r\nCurrent configuration : 3144 bytes\r\n!\r\n! Last configuration change at 20:53:27 UTC Thu Aug 14 2025\r\n!\r\nversion 15.9\r\nservice timestamps debug datetime msec\r\nservice timestamps log datetime msec\r\nno service password-encryption\r\n!\r\nhostname qa-device\r\n!\r\nboot-start-marker\r\nboot-end-marker\r\n!\r\n!\r\n!\r\nno aaa new-model\r\n!\r\n!\r\n!\r\nmmi polling-interval 60\r\nno mmi auto-configure\r\nno mmi pvc\r\nmmi snmp-timeout 180\r\n!\r\n!\r\n!\r\n!\r\n!\r\n!\r\n!\r\n!\r\n!\r\n!\r\n!\r\nip ...EDITED FOR THE SAKE OF CONCISENESS"}],"collect_timestamp":1755274594}


  Running Checks
  ==============

    network_config_management
    -------------------------
      Instance ID: network_config_management:zoe_ncm_test:51fd8431b479a10a [OK]
      Configuration Source: file:/etc/datadog-agent/conf.d/network_config_management.d/conf.yaml
      Total Runs: 1
      Metric Samples: Last Run: 0, Total: 0
      Events: Last Run: 0, Total: 0
      ndmconfig: Last Run: 1, Total: 1
      Service Checks: Last Run: 0, Total: 0
      Average Execution Time : 1.089s
      Last Execution Date : 2025-08-15 16:16:34 UTC (1755274594000)
      Last Successful Execution Date : 2025-08-15 16:16:34 UTC (1755274594000)


  Metadata
  ========
    config.hash: network_config_management:zoe_ncm_test:51fd8431b479a10a
    config.provider: file
    config.source: /etc/datadog-agent/conf.d/network_config_management.d/conf.yaml
```

QA steps/how to validate
* Pull in the `ndm-tools/cml-qa` repo and follow instructions for
setting up the CLI
([link](https://github.com/DataDog/ndm-tools/tree/main/cml-qa))
```
python cml_template_generator.py \
  --deb-url <INSERT THE DEB FROM CI/CD BUILD> \
  --api-key <INSERT YOUR KEY> \
  --site "datad0g.com" \
  --title "<YOUR NAME/TITLE> NCM Agent QA"
```
* Go the NDM hosted CML
([docs](https://datadoghq.atlassian.net/wiki/spaces/II/pages/5061640281/Getting+Started+with+Cisco+Modeling+Labs+CML))
* Press Import
* Pull in the YAML that gets created, start the lab
* <to fill in more details to prep the IOS device for SSH, etc.>
<img width="451" height="312" alt="image"
src="https://github.com/user-attachments/assets/73f72efe-3677-4faa-a50e-41337db5fba3"
/>

`/etc/datadog-agent/conf.d/network_config_management.d/conf.yaml`
```
init_config:
instances:
- ip_address: "10.10.1.1"
  namespace: "zoe_ncm_test"
  auth:
    username: "cisco"
    password: "cisco"
    ssh_ciphers: [aes256-ctr, aes192-ctr, aes128-ctr]
    ssh_key_exchanges: [diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1]
    ssh_host_key_algorithms: [ssh-rsa]
```

`iosv-0/0` steps to enable SSH on network device
```
qa-device#enable
qa-device#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
qa-device(config)#username cisco privilege 15 secret cisco
qa-device(config)#line vty 0 4
qa-device(config-line)#login local
qa-device(config-line)#transport input ssh
qa-device(config-line)#exit
qa-device(config)#ip domain-name lab.local
qa-device(config)#crypto key generate rsa modulus 2048
The name for the keys will be: qa-device.lab.local

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

qa-device(config)#ip ssh version 2
qa-device(config)#end
qa-device#write memory
```

### Possible Drawbacks / Trade-offs

### Additional Notes
<!--
* Anything else we should know when reviewing?
* Include benchmarking information here whenever possible.
* Include info about alternatives that were considered and why the
proposed
  version was chosen.
-->

Author: zoedt

.github/CODEOWNERS

@@ -448,6 +448,7 @@
 /pkg/collector/corechecks/embed/apm/               @DataDog/agent-apm
 /pkg/collector/corechecks/embed/process/           @DataDog/container-experiences
 /pkg/collector/corechecks/gpu/                     @DataDog/ebpf-platform
+/pkg/collector/corechecks/networkconfigmanagement/ @DataDog/network-device-monitoring
 /pkg/collector/corechecks/network-devices/         @DataDog/ndm-integrations
 /pkg/collector/corechecks/orchestrator/   @DataDog/container-app
 /pkg/collector/corechecks/net/          @DataDog/agent-runtimes
@@ -608,6 +609,7 @@
 /pkg/network/tracer/*_windows*.go               @DataDog/windows-products
 /pkg/network/usm/                       @DataDog/universal-service-monitoring
 /pkg/network/usm/tests/*_windows*.go    @DataDog/windows-products
+/pkg/networkconfigmanagement/           @DataDog/network-device-monitoring
 /pkg/ebpf/                              @DataDog/ebpf-platform
 /pkg/ebpf/map_cleaner*.go               @DataDog/universal-service-monitoring
 /pkg/compliance/                        @DataDog/agent-cspm

comp/forwarder/eventplatform/component.go

@@ -25,6 +25,9 @@ const (
 	// EventTypeNetworkPath is the event type for network devices Network Path data
 	EventTypeNetworkPath = "network-path"
 
+	// EventTypeNetworkConfigManagement is the event type for network device configuration management
+	EventTypeNetworkConfigManagement = "ndmconfig"
+
 	// EventTypeContainerLifecycle represents a container lifecycle event
 	EventTypeContainerLifecycle = "container-lifecycle"
 	// EventTypeContainerImages represents a container images event

pkg/collector/corechecks/networkconfigmanagement/networkconfigmanagement.go

@@ -0,0 +1,155 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025-present Datadog, Inc.
+
+//go:build ncm
+
+// Package networkconfigmanagement defines the agent core check for retrieving network device configurations
+package networkconfigmanagement
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/benbjohnson/clock"
+
+	"github.com/DataDog/datadog-agent/comp/core/autodiscovery/integration"
+	"github.com/DataDog/datadog-agent/comp/core/config"
+	"github.com/DataDog/datadog-agent/pkg/aggregator/sender"
+	"github.com/DataDog/datadog-agent/pkg/collector/check"
+	core "github.com/DataDog/datadog-agent/pkg/collector/corechecks"
+	ncmconfig "github.com/DataDog/datadog-agent/pkg/networkconfigmanagement/config"
+	ncmremote "github.com/DataDog/datadog-agent/pkg/networkconfigmanagement/remote"
+	ncmreport "github.com/DataDog/datadog-agent/pkg/networkconfigmanagement/report"
+	ncmsender "github.com/DataDog/datadog-agent/pkg/networkconfigmanagement/sender"
+	"github.com/DataDog/datadog-agent/pkg/util/log"
+	"github.com/DataDog/datadog-agent/pkg/util/option"
+)
+
+// CheckName is the name of the check
+const CheckName = "network_config_management"
+
+// Check is the main struct for the network configuration management check
+type Check struct {
+	core.CheckBase
+	checkContext *ncmconfig.NcmCheckContext
+	sender       *ncmsender.NCMSender
+	agentConfig  config.Component
+	remoteClient ncmremote.Client
+	clock        clock.Clock
+}
+
+// Run executes the check to retrieve network device configurations from a device
+func (c *Check) Run() error {
+	var checkErr error
+	var configs []ncmreport.NetworkDeviceConfig
+
+	checkErr = c.remoteClient.Connect()
+	if checkErr != nil {
+		log.Errorf("unable to connect to remote device %s: %s", c.checkContext.Device.IPAddress, checkErr)
+		return checkErr
+	}
+	defer func() {
+		if c.remoteClient != nil {
+			_ = c.remoteClient.Close()
+		}
+	}()
+
+	// TODO: validate the running config to make sure it's valid, extract other information from it, etc.
+	runningConfig, checkErr := c.remoteClient.RetrieveRunningConfig()
+	if checkErr != nil {
+		return checkErr
+	}
+
+	deviceID := fmt.Sprintf("%s:%s", c.checkContext.Namespace, c.checkContext.Device.IPAddress)
+	tags := []string{
+		"device_ip:" + c.checkContext.Device.IPAddress,
+	}
+	runningTimestamp, checkErr := ncmreport.RetrieveTimestampFromConfig(runningConfig)
+	if checkErr != nil {
+		log.Warnf("unable to extract last change timestamp from running config for %s, using agent collection ts: %s", deviceID, checkErr)
+		runningTimestamp = c.clock.Now().Unix()
+	}
+	configs = append(configs, ncmreport.ToNetworkDeviceConfig(deviceID, c.checkContext.Device.IPAddress, ncmreport.RUNNING, runningTimestamp, tags, runningConfig))
+
+	// TODO: validate the startup config to make sure it's valid, extract other information from it, etc.
+	startupConfig, checkErr := c.remoteClient.RetrieveStartupConfig()
+	if checkErr != nil {
+		// If the startup config cannot be retrieved, log a warning but continue
+		log.Warnf("unable to retrieve startup config for %s, will not send: %s", deviceID, checkErr)
+	} else {
+		startupTimestamp, checkErr := ncmreport.RetrieveTimestampFromConfig(startupConfig)
+		if checkErr != nil {
+			log.Warnf("unable to extract last change timestamp from startup config for %s, using agent collection ts: %s", deviceID, checkErr)
+			startupTimestamp = c.clock.Now().Unix()
+		}
+		// add the startup config to the payload if it was retrieved successfully
+		configs = append(configs, ncmreport.ToNetworkDeviceConfig(deviceID, c.checkContext.Device.IPAddress, ncmreport.STARTUP, startupTimestamp, tags, startupConfig))
+	}
+
+	checkErr = c.sender.SendNCMConfig(ncmreport.ToNCMPayload(c.checkContext.Namespace, "", configs, c.clock.Now().Unix()))
+	if checkErr != nil {
+		return checkErr
+	}
+
+	// TODO: Send any metrics as well
+	//c.sender.SendNCMMetrics()
+
+	c.sender.Commit()
+	return nil
+}
+
+// Configure sets up the check with the provided configuration and sender manager
+func (c *Check) Configure(senderManager sender.SenderManager, integrationConfigDigest uint64, rawInstance integration.Data, rawInitConfig integration.Data, source string) error {
+	var err error
+
+	// Load/parse the configuration for the device instance
+	c.checkContext, err = ncmconfig.NewNcmCheckContext(rawInstance, rawInitConfig)
+	if err != nil {
+		return fmt.Errorf("build config failed: %s", err)
+	}
+
+	// Must be called before v.CommonConfigure
+	c.BuildID(integrationConfigDigest, rawInstance, rawInitConfig)
+	err = c.CommonConfigure(senderManager, rawInitConfig, rawInstance, source)
+	if err != nil {
+		return fmt.Errorf("common configure failed: %s", err)
+	}
+
+	// Initialize the Sender
+	s, err := c.GetSender()
+	if err != nil {
+		return err
+	}
+	ncmSender := ncmsender.NewNCMSender(s, c.checkContext.Namespace)
+	c.sender = ncmSender
+
+	// TODO: add check to see the device's credentials type (SSH/Telnet) and create appropriate client factory
+	c.remoteClient = ncmremote.NewSSHClient(c.checkContext.Device)
+
+	// Initialize the clock
+	c.clock = clock.New()
+
+	return nil
+}
+
+// Interval returns the interval at which the check should run (default 15 minutes for now)
+func (c *Check) Interval() time.Duration {
+	return c.checkContext.MinCollectionInterval
+}
+
+// Factory creates a new check factory
+func Factory(agentConfig config.Component) option.Option[func() check.Check] {
+	return option.New(func() check.Check {
+		return newCheck(agentConfig)
+	})
+}
+
+// newCheck creates a new instance of the Check with the provided agent configuration
+func newCheck(agentConfig config.Component) check.Check {
+	return &Check{
+		CheckBase:   core.NewCheckBase(CheckName),
+		agentConfig: agentConfig,
+	}
+}