remove offline_access from device default scopes

This reverts commit 24df442198.

.devcontainer/Dockerfile

@@ -1,15 +1,15 @@
-FROM golang:1.23-bullseye
+FROM golang:1.25-bookworm
 
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     && apt-get -y install --no-install-recommends\
-        gettext-base=0.21-4 \ 
-        iptables=1.8.7-1 \
-        libgl1-mesa-dev=20.3.5-1 \
-        xorg-dev=1:7.7+22 \
-        libayatana-appindicator3-dev=0.5.5-2+deb11u2 \
+        gettext-base=0.21-12 \
+        iptables=1.8.9-2 \
+        libgl1-mesa-dev=22.3.6-1+deb12u1 \
+        xorg-dev=1:7.7+23 \
+        libayatana-appindicator3-dev=0.5.92-1 \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
-    && go install -v golang.org/x/tools/gopls@v0.18.1
+    && go install -v golang.org/x/tools/gopls@latest
 
 
 WORKDIR /app

.github/workflows/golang-test-freebsd.yml

@@ -25,7 +25,7 @@ jobs:
           release: "14.2"
           prepare: |
             pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.24.10.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -vLO "$GO_URL"
             tar -C /usr/local -vxzf "$GO_TARBALL"            
@@ -39,7 +39,7 @@ jobs:
             # check all component except management, since we do not support management server on freebsd
             time go test -timeout 1m -failfast ./base62/...
             # NOTE: without -p1 `client/internal/dns` will fail because of `listen udp4 :33100: bind: address already in use`
-            time go test -timeout 8m -failfast -p 1 ./client/...
+            time go test -timeout 8m -failfast -v -p 1 ./client/...
             time go test -timeout 1m -failfast ./dns/...
             time go test -timeout 1m -failfast ./encryption/...
             time go test -timeout 1m -failfast ./formatter/...

.github/workflows/golang-test-linux.yml

@@ -200,7 +200,7 @@ jobs:
             -e GOCACHE=${CONTAINER_GOCACHE} \
             -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
             -e CONTAINER=${CONTAINER} \
-            golang:1.24-alpine \
+            golang:1.25-alpine \
             sh -c ' \
               apk update; apk add --no-cache \
                 ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
@@ -259,7 +259,7 @@ jobs:
           CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
           go test ${{ matrix.raceFlag }} \
             -exec 'sudo' \
-            -timeout 10m ./relay/... ./shared/relay/...
+            -timeout 10m -p 1 ./relay/... ./shared/relay/...
 
   test_signal:
     name: "Signal / Unit"

.github/workflows/golangci-lint.yml

@@ -52,7 +52,10 @@ jobs:
         if: matrix.os == 'ubuntu-latest'
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
-          args: --timeout=12m --out-format colored-line-number
+          skip-cache: true
+          skip-save-cache: true
+          cache-invalidation-interval: 0
+          args: --timeout=12m

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.23"
+  SIGN_PIPE_VER: "v0.1.0"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
@@ -19,6 +19,100 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
+  release_freebsd_port:
+    name: "FreeBSD Port / Build & Test"
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Generate FreeBSD port diff
+        run: bash release_files/freebsd-port-diff.sh
+
+      - name: Generate FreeBSD port issue body
+        run: bash release_files/freebsd-port-issue-body.sh
+
+      - name: Check if diff was generated
+        id: check_diff
+        run: |
+          if ls netbird-*.diff 1> /dev/null 2>&1; then
+            echo "diff_exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "diff_exists=false" >> $GITHUB_OUTPUT
+            echo "No diff file generated (port may already be up to date)"
+          fi
+
+      - name: Extract version
+        if: steps.check_diff.outputs.diff_exists == 'true'
+        id: version
+        run: |
+          VERSION=$(ls netbird-*.diff | sed 's/netbird-\(.*\)\.diff/\1/')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Generated files for version: $VERSION"
+          cat netbird-*.diff
+
+      - name: Test FreeBSD port
+        if: steps.check_diff.outputs.diff_exists == 'true'
+        uses: vmactions/freebsd-vm@v1
+        with:
+          usesh: true
+          copyback: false
+          release: "15.0"
+          prepare: |
+            # Install required packages
+            pkg install -y git curl portlint go
+
+            # Install Go for building
+            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
+            GO_URL="https://go.dev/dl/$GO_TARBALL"
+            curl -LO "$GO_URL"
+            tar -C /usr/local -xzf "$GO_TARBALL"
+
+            # Clone ports tree (shallow, only what we need)
+            git clone --depth 1 --filter=blob:none https://git.FreeBSD.org/ports.git /usr/ports
+            cd /usr/ports
+
+          run: |
+            set -e -x
+            export PATH=$PATH:/usr/local/go/bin
+
+            # Find the diff file
+            echo "Finding diff file..."
+            DIFF_FILE=$(find $PWD -name "netbird-*.diff" -type f 2>/dev/null | head -1)
+            echo "Found: $DIFF_FILE"
+
+            if [[ -z "$DIFF_FILE" ]]; then
+              echo "ERROR: Could not find diff file"
+              find ~ -name "*.diff" -type f 2>/dev/null || true
+              exit 1
+            fi
+
+            # Apply the generated diff from /usr/ports (diff has a/security/netbird/... paths)
+            cd /usr/ports
+            patch -p1 -V none < "$DIFF_FILE"
+
+            # Show patched Makefile
+            version=$(cat security/netbird/Makefile | grep -E '^DISTVERSION=' | awk '{print $NF}')
+            
+            cd /usr/ports/security/netbird
+            export BATCH=yes
+            make package
+            pkg add ./work/pkg/netbird-*.pkg
+            
+            netbird version | grep "$version"
+
+            echo "FreeBSD port test completed successfully!"
+
+      - name: Upload FreeBSD port files
+        if: steps.check_diff.outputs.diff_exists == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: freebsd-port-files
+          path: |
+            ./netbird-*-issue.txt
+            ./netbird-*.diff
+          retention-days: 30
+
   release:
     runs-on: ubuntu-latest-m
     env:

.github/workflows/test-infrastructure-files.yml

@@ -243,6 +243,7 @@ jobs:
         working-directory: infrastructure_files/artifacts
         run: |
           sleep 30
+          docker compose logs
           docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City_[0-9]*.mmdb
           docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames_[0-9]*.db
 

.github/workflows/wasm-build-validation.yml

@@ -14,6 +14,9 @@ jobs:
   js_lint:
     name: "JS / Lint"
     runs-on: ubuntu-latest
+    env:
+      GOOS: js
+      GOARCH: wasm
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -24,16 +27,14 @@ jobs:
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
       - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
         with:
           version: latest
           install-mode: binary
           skip-cache: true
-          skip-pkg-cache: true
-          skip-build-cache: true
-      - name: Run golangci-lint for WASM
-        run: |
-          GOOS=js GOARCH=wasm golangci-lint run --timeout=12m --out-format colored-line-number ./client/...
+          skip-save-cache: true
+          cache-invalidation-interval: 0
+          working-directory: ./client
         continue-on-error: true
 
   js_build:

.gitignore

@@ -31,3 +31,4 @@ infrastructure_files/setup-*.env
 .DS_Store
 vendor/
 /netbird
+client/netbird-electron/

.golangci.yaml

@@ -1,139 +1,124 @@
-run:
-  # Timeout for analysis, e.g. 30s, 5m.
-  # Default: 1m
-  timeout: 6m
-
-# This file contains only configs which differ from defaults.
-# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
-linters-settings:
-  errcheck:
-    # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
-    # Such cases aren't reported by default.
-    # Default: false
-    check-type-assertions: false
-
-  gosec:
-    includes:
-      - G101 # Look for hard coded credentials
-      #- G102 # Bind to all interfaces
-      - G103 # Audit the use of unsafe block
-      - G104 # Audit errors not checked
-      - G106 # Audit the use of ssh.InsecureIgnoreHostKey
-      #- G107 # Url provided to HTTP request as taint input
-      - G108 # Profiling endpoint automatically exposed on /debug/pprof
-      - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
-      - G110 # Potential DoS vulnerability via decompression bomb
-      - G111 # Potential directory traversal
-      #- G112 # Potential slowloris attack
-      - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
-      #- G114 # Use of net/http serve function that has no support for setting timeouts
-      - G201 # SQL query construction using format string
-      - G202 # SQL query construction using string concatenation
-      - G203 # Use of unescaped data in HTML templates
-      #- G204 # Audit use of command execution
-      - G301 # Poor file permissions used when creating a directory
-      - G302 # Poor file permissions used with chmod
-      - G303 # Creating tempfile using a predictable path
-      - G304 # File path provided as taint input
-      - G305 # File traversal when extracting zip/tar archive
-      - G306 # Poor file permissions used when writing to a new file
-      - G307 # Poor file permissions used when creating a file with os.Create
-      #- G401 # Detect the usage of DES, RC4, MD5 or SHA1
-      #- G402 # Look for bad TLS connection settings
-      - G403 # Ensure minimum RSA key length of 2048 bits
-      #- G404 # Insecure random number source (rand)
-      #- G501 # Import blocklist: crypto/md5
-      - G502 # Import blocklist: crypto/des
-      - G503 # Import blocklist: crypto/rc4
-      - G504 # Import blocklist: net/http/cgi
-      #- G505 # Import blocklist: crypto/sha1
-      - G601 # Implicit memory aliasing of items from a range statement
-      - G602 # Slice access out of bounds
-
-  gocritic:
-    disabled-checks:
-      - commentFormatting
-      - captLocal
-      - deprecatedComment
-
-  govet:
-    # Enable all analyzers.
-    # Default: false
-    enable-all: false
-    enable:
-      - nilness
-
-  revive:
-    rules:
-      - name: exported
-        severity: warning
-        disabled: false
-        arguments:
-          - "checkPrivateReceivers"
-          - "sayRepetitiveInsteadOfStutters"
-  tenv:
-    # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
-    # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
-    # Default: false
-    all: true
-
+version: "2"
 linters:
-  disable-all: true
+  default: none
   enable:
-    ## enabled by default
-    - errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases
-    - gosimple # specializes in simplifying a code
-    - govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
-    - ineffassign # detects when assignments to existing variables are not used
-    - staticcheck # is a go vet on steroids, applying a ton of static analysis checks
-    - tenv # Tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17.
-    - typecheck # like the front-end of a Go compiler, parses and type-checks Go code
-    - unused # checks for unused constants, variables, functions and types
-    ## disable by default but the have interesting results so lets add them
-    - bodyclose # checks whether HTTP response body is closed successfully
-    - dupword # dupword checks for duplicate words in the source code
-    - durationcheck # durationcheck checks for two durations multiplied together
-    - forbidigo # forbidigo forbids identifiers
-    - gocritic # provides diagnostics that check for bugs, performance and style issues
-    - gosec # inspects source code for security problems
-    - mirror # mirror reports wrong mirror patterns of bytes/strings usage
-    - misspell # misspess finds commonly misspelled English words in comments
-    - nilerr # finds the code that returns nil even if it checks that the error is not nil
-    - nilnil # checks that there is no simultaneous return of nil error and an invalid value
-    - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
-    - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
-    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
-    # - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
-    - wastedassign # wastedassign finds wasted assignment statements
+    - bodyclose
+    - dupword
+    - durationcheck
+    - errcheck
+    - forbidigo
+    - gocritic
+    - gosec
+    - govet
+    - ineffassign
+    - mirror
+    - misspell
+    - nilerr
+    - nilnil
+    - predeclared
+    - revive
+    - sqlclosecheck
+    - staticcheck
+    - unused
+    - wastedassign
+  settings:
+    errcheck:
+      check-type-assertions: false
+    gocritic:
+      disabled-checks:
+        - commentFormatting
+        - captLocal
+        - deprecatedComment
+    gosec:
+      includes:
+        - G101
+        - G103
+        - G104
+        - G106
+        - G108
+        - G109
+        - G110
+        - G111
+        - G201
+        - G202
+        - G203
+        - G301
+        - G302
+        - G303
+        - G304
+        - G305
+        - G306
+        - G307
+        - G403
+        - G502
+        - G503
+        - G504
+        - G601
+        - G602
+    govet:
+      enable:
+        - nilness
+      enable-all: false
+    revive:
+      rules:
+        - name: exported
+          arguments:
+            - checkPrivateReceivers
+            - sayRepetitiveInsteadOfStutters
+          severity: warning
+          disabled: false
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    rules:
+      - linters:
+          - forbidigo
+        path: management/cmd/root\.go
+      - linters:
+          - forbidigo
+        path: signal/cmd/root\.go
+      - linters:
+          - unused
+        path: sharedsock/filter\.go
+      - linters:
+          - unused
+        path: client/firewall/iptables/rule\.go
+      - linters:
+          - gosec
+          - mirror
+        path: test\.go
+      - linters:
+          - nilnil
+        path: mock\.go
+      - linters:
+          - staticcheck
+        text: grpc.DialContext is deprecated
+      - linters:
+          - staticcheck
+        text: grpc.WithBlock is deprecated
+      - linters:
+          - staticcheck
+        text: "QF1001"
+      - linters:
+          - staticcheck
+        text: "QF1008"
+      - linters:
+          - staticcheck
+        text: "QF1012"
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
 issues:
-  # Maximum count of issues with the same text.
-  # Set to 0 to disable.
-  # Default: 3
   max-same-issues: 5
-
-  exclude-rules:
-    # allow fmt
-    - path: management/cmd/root\.go
-      linters: forbidigo
-    - path: signal/cmd/root\.go
-      linters: forbidigo
-    - path: sharedsock/filter\.go
-      linters:
-      - unused
-    - path: client/firewall/iptables/rule\.go
-      linters:
-      - unused
-    - path: test\.go
-      linters:
-      - mirror
-      - gosec
-    - path: mock\.go
-      linters:
-      - nilnil
-    # Exclude specific deprecation warnings for grpc methods
-    - linters:
-       - staticcheck
-      text: "grpc.DialContext is deprecated"
-    - linters:
-        - staticcheck
-      text: "grpc.WithBlock is deprecated"
+formatters:
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$

.goreleaser.yaml

@@ -713,8 +713,10 @@ checksum:
   extra_files:
     - glob: ./infrastructure_files/getting-started-with-zitadel.sh
     - glob: ./release_files/install.sh
+    - glob: ./infrastructure_files/getting-started.sh
 
 release:
   extra_files:
     - glob: ./infrastructure_files/getting-started-with-zitadel.sh
     - glob: ./release_files/install.sh
+    - glob: ./infrastructure_files/getting-started.sh

README.md

@@ -85,7 +85,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 
 **Infrastructure requirements:**
 - A Linux VM with at least **1CPU** and **2GB** of memory.
-- The VM should be publicly accessible on TCP ports **80** and **443** and UDP ports: **3478**, **49152-65535**.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
 - **Public domain** name pointing to the VM.
 
 **Software requirements:**
@@ -98,7 +98,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 **Steps**
 - Download and run the installation script:
 ```bash
-export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
+export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
 ```
 - Once finished, you can manage the resources via `docker-compose`
 
@@ -113,7 +113,7 @@ export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbird
 [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
 
 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/architecture/high-level-dia.png" width="700"/>
+  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
 </p>
 
 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.

client/cmd/debug.go

@@ -136,6 +136,7 @@ func setLogLevel(cmd *cobra.Command, args []string) error {
 	client := proto.NewDaemonServiceClient(conn)
 	level := server.ParseLogLevel(args[0])
 	if level == proto.LogLevel_UNKNOWN {
+		//nolint
 		return fmt.Errorf("unknown log level: %s. Available levels are: panic, fatal, error, warn, info, debug, trace\n", args[0])
 	}
 

client/cmd/login.go

@@ -81,6 +81,7 @@ var loginCmd = &cobra.Command{
 func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey string, activeProf *profilemanager.Profile, username string, pm *profilemanager.ProfileManager) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
@@ -206,6 +207,7 @@ func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManage
 func switchProfile(ctx context.Context, profileName string, username string) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)

client/cmd/pprof.go

@@ -1,5 +1,4 @@
 //go:build pprof
-// +build pprof
 
 package cmd
 

client/cmd/root.go

@@ -390,6 +390,7 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
 
 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
 	if err != nil {
+		//nolint
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)

client/cmd/ssh.go

@@ -634,7 +634,11 @@ func parseAndStartLocalForward(ctx context.Context, c *sshclient.Client, forward
 		return err
 	}
 
-	cmd.Printf("Local port forwarding: %s -> %s\n", localAddr, remoteAddr)
+	if err := validateDestinationPort(remoteAddr); err != nil {
+		return fmt.Errorf("invalid remote address: %w", err)
+	}
+
+	log.Debugf("Local port forwarding: %s -> %s", localAddr, remoteAddr)
 
 	go func() {
 		if err := c.LocalPortForward(ctx, localAddr, remoteAddr); err != nil && !errors.Is(err, context.Canceled) {
@@ -652,7 +656,11 @@ func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forwar
 		return err
 	}
 
-	cmd.Printf("Remote port forwarding: %s -> %s\n", remoteAddr, localAddr)
+	if err := validateDestinationPort(localAddr); err != nil {
+		return fmt.Errorf("invalid local address: %w", err)
+	}
+
+	log.Debugf("Remote port forwarding: %s -> %s", remoteAddr, localAddr)
 
 	go func() {
 		if err := c.RemotePortForward(ctx, remoteAddr, localAddr); err != nil && !errors.Is(err, context.Canceled) {
@@ -663,6 +671,35 @@ func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forwar
 	return nil
 }
 
+// validateDestinationPort checks that the destination address has a valid port.
+// Port 0 is only valid for bind addresses (where the OS picks an available port),
+// not for destination addresses where we need to connect.
+func validateDestinationPort(addr string) error {
+	if strings.HasPrefix(addr, "/") || strings.HasPrefix(addr, "./") {
+		return nil
+	}
+
+	_, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		return fmt.Errorf("parse address %s: %w", addr, err)
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return fmt.Errorf("invalid port %s: %w", portStr, err)
+	}
+
+	if port == 0 {
+		return fmt.Errorf("port 0 is not valid for destination address")
+	}
+
+	if port < 0 || port > 65535 {
+		return fmt.Errorf("port %d out of range (1-65535)", port)
+	}
+
+	return nil
+}
+
 // parsePortForwardSpec parses port forward specifications like "8080:localhost:80" or "[::1]:8080:localhost:80".
 // Also supports Unix sockets like "8080:/tmp/socket" or "127.0.0.1:8080:/tmp/socket".
 func parsePortForwardSpec(spec string) (string, string, error) {

client/cmd/status.go

@@ -124,6 +124,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)

client/cmd/testutil_test.go

@@ -89,9 +89,6 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	t.Cleanup(cleanUp)
 
 	eventStore := &activity.InMemoryEventStore{}
-	if err != nil {
-		return nil, nil
-	}
 
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
@@ -127,7 +124,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -216,6 +216,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
+		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)

client/firewall/iptables/acl_linux.go

@@ -386,11 +386,8 @@ func (m *aclManager) updateState() {
 
 // filterRuleSpecs returns the specs of a filtering rule
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
-	matchByIP := true
 	// don't use IP matching if IP is 0.0.0.0
-	if ip.IsUnspecified() {
-		matchByIP = false
-	}
+	matchByIP := !ip.IsUnspecified()
 
 	if matchByIP {
 		if ipsetName != "" {

client/firewall/iptables/manager_linux_test.go

@@ -161,7 +161,7 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 			t.Logf("  [%d] %s", i, rule)
 		}
 
-		var denyRuleIndex, acceptRuleIndex int = -1, -1
+		var denyRuleIndex, acceptRuleIndex = -1, -1
 		for i, rule := range rules {
 			if strings.Contains(rule, "DROP") {
 				t.Logf("Found DROP rule at index %d: %s", i, rule)

client/firewall/nftables/manager_linux_test.go

@@ -198,7 +198,7 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 	t.Logf("Found %d rules in nftables chain", len(rules))
 
 	// Find the accept and deny rules and verify deny comes before accept
-	var acceptRuleIndex, denyRuleIndex int = -1, -1
+	var acceptRuleIndex, denyRuleIndex = -1, -1
 	for i, rule := range rules {
 		hasAcceptHTTPSet := false
 		hasDenyHTTPSet := false
@@ -208,11 +208,13 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 		for _, e := range rule.Exprs {
 			// Check for set lookup
 			if lookup, ok := e.(*expr.Lookup); ok {
-				if lookup.SetName == "accept-http" {
+				switch lookup.SetName {
+				case "accept-http":
 					hasAcceptHTTPSet = true
-				} else if lookup.SetName == "deny-http" {
+				case "deny-http":
 					hasDenyHTTPSet = true
 				}
+
 			}
 			// Check for port 80
 			if cmp, ok := e.(*expr.Cmp); ok {
@@ -222,9 +224,10 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 			}
 			// Check for verdict
 			if verdict, ok := e.(*expr.Verdict); ok {
-				if verdict.Kind == expr.VerdictAccept {
+				switch verdict.Kind {
+				case expr.VerdictAccept:
 					action = "ACCEPT"
-				} else if verdict.Kind == expr.VerdictDrop {
+				case expr.VerdictDrop:
 					action = "DROP"
 				}
 			}
@@ -386,6 +389,97 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	verifyIptablesOutput(t, stdout, stderr)
 }
 
+func TestNftablesManagerCompatibilityWithIptablesFor6kPrefixes(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	if _, err := exec.LookPath("iptables-save"); err != nil {
+		t.Skipf("iptables-save not available on this system: %v", err)
+	}
+
+	// First ensure iptables-nft tables exist by running iptables-save
+	stdout, stderr := runIptablesSave(t)
+	verifyIptablesOutput(t, stdout, stderr)
+
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err, "failed to create manager")
+	require.NoError(t, manager.Init(nil))
+
+	t.Cleanup(func() {
+		err := manager.Close(nil)
+		require.NoError(t, err, "failed to reset manager state")
+
+		// Verify iptables output after reset
+		stdout, stderr := runIptablesSave(t)
+		verifyIptablesOutput(t, stdout, stderr)
+	})
+
+	const octet2Count = 25
+	const octet3Count = 255
+	prefixes := make([]netip.Prefix, 0, (octet2Count-1)*(octet3Count-1))
+	for i := 1; i < octet2Count; i++ {
+		for j := 1; j < octet3Count; j++ {
+			addr := netip.AddrFrom4([4]byte{192, byte(j), byte(i), 0})
+			prefixes = append(prefixes, netip.PrefixFrom(addr, 24))
+		}
+	}
+	_, err = manager.AddRouteFiltering(
+		nil,
+		prefixes,
+		fw.Network{Prefix: netip.MustParsePrefix("10.2.0.0/24")},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err, "failed to add route filtering rule")
+
+	stdout, stderr = runIptablesSave(t)
+	verifyIptablesOutput(t, stdout, stderr)
+}
+
+func TestNftablesManagerCompatibilityWithIptablesForEmptyPrefixes(t *testing.T) {
+	if check() != NFTABLES {
+		t.Skip("nftables not supported on this system")
+	}
+
+	if _, err := exec.LookPath("iptables-save"); err != nil {
+		t.Skipf("iptables-save not available on this system: %v", err)
+	}
+
+	// First ensure iptables-nft tables exist by running iptables-save
+	stdout, stderr := runIptablesSave(t)
+	verifyIptablesOutput(t, stdout, stderr)
+
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	require.NoError(t, err, "failed to create manager")
+	require.NoError(t, manager.Init(nil))
+
+	t.Cleanup(func() {
+		err := manager.Close(nil)
+		require.NoError(t, err, "failed to reset manager state")
+
+		// Verify iptables output after reset
+		stdout, stderr := runIptablesSave(t)
+		verifyIptablesOutput(t, stdout, stderr)
+	})
+
+	_, err = manager.AddRouteFiltering(
+		nil,
+		[]netip.Prefix{},
+		fw.Network{Prefix: netip.MustParsePrefix("10.2.0.0/24")},
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []uint16{443}},
+		fw.ActionAccept,
+	)
+	require.NoError(t, err, "failed to add route filtering rule")
+
+	stdout, stderr = runIptablesSave(t)
+	verifyIptablesOutput(t, stdout, stderr)
+}
+
 func compareExprsIgnoringCounters(t *testing.T, got, want []expr.Any) {
 	t.Helper()
 	require.Equal(t, len(got), len(want), "expression count mismatch")

client/firewall/nftables/router_linux.go

@@ -48,9 +48,11 @@ const (
 
 	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
 	ipTCPHeaderMinSize = 40
-)
 
-const refreshRulesMapError = "refresh rules map: %w"
+	// maxPrefixesSet 1638 prefixes start to fail, taking some margin
+	maxPrefixesSet       = 1500
+	refreshRulesMapError = "refresh rules map: %w"
+)
 
 var (
 	errFilterTableNotFound = fmt.Errorf("'filter' table not found")
@@ -513,16 +515,35 @@ func (r *router) createIpSet(setName string, input setInput) (*nftables.Set, err
 	}
 
 	elements := convertPrefixesToSet(prefixes)
-	if err := r.conn.AddSet(nfset, elements); err != nil {
-		return nil, fmt.Errorf("error adding elements to set %s: %w", setName, err)
-	}
+	nElements := len(elements)
 
+	maxElements := maxPrefixesSet * 2
+	initialElements := elements[:min(maxElements, nElements)]
+
+	if err := r.conn.AddSet(nfset, initialElements); err != nil {
+		return nil, fmt.Errorf("error adding set %s: %w", setName, err)
+	}
 	if err := r.conn.Flush(); err != nil {
 		return nil, fmt.Errorf("flush error: %w", err)
 	}
+	log.Debugf("Created new ipset: %s with %d initial prefixes (total prefixes %d)", setName, len(initialElements)/2, len(prefixes))
 
-	log.Printf("Created new ipset: %s with %d elements", setName, len(elements)/2)
+	var subEnd int
+	for subStart := maxElements; subStart < nElements; subStart += maxElements {
+		subEnd = min(subStart+maxElements, nElements)
+		subElement := elements[subStart:subEnd]
+		nSubPrefixes := len(subElement) / 2
+		log.Tracef("Adding new prefixes (%d) in ipset: %s", nSubPrefixes, setName)
+		if err := r.conn.SetAddElements(nfset, subElement); err != nil {
+			return nil, fmt.Errorf("error adding prefixes (%d) to set %s: %w", nSubPrefixes, setName, err)
+		}
+		if err := r.conn.Flush(); err != nil {
+			return nil, fmt.Errorf("flush error: %w", err)
+		}
+		log.Debugf("Added new prefixes (%d) in ipset: %s", nSubPrefixes, setName)
+	}
 
+	log.Infof("Created new ipset: %s with %d prefixes", setName, len(prefixes))
 	return nfset, nil
 }
 

client/firewall/uspfilter/filter.go

@@ -29,7 +29,7 @@ import (
 )
 
 const (
-	layerTypeAll = 0
+	layerTypeAll = 255
 
 	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
 	ipTCPHeaderMinSize = 40
@@ -262,10 +262,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 }
 
 func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, error) {
-	wgPrefix, err := netip.ParsePrefix(iface.Address().Network.String())
-	if err != nil {
-		return nil, fmt.Errorf("parse wireguard network: %w", err)
-	}
+	wgPrefix := iface.Address().Network
 	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)
 
 	rule, err := m.addRouteFiltering(
@@ -439,19 +436,7 @@ func (m *Manager) AddPeerFiltering(
 	r.sPort = sPort
 	r.dPort = dPort
 
-	switch proto {
-	case firewall.ProtocolTCP:
-		r.protoLayer = layers.LayerTypeTCP
-	case firewall.ProtocolUDP:
-		r.protoLayer = layers.LayerTypeUDP
-	case firewall.ProtocolICMP:
-		r.protoLayer = layers.LayerTypeICMPv4
-		if r.ipLayer == layers.LayerTypeIPv6 {
-			r.protoLayer = layers.LayerTypeICMPv6
-		}
-	case firewall.ProtocolALL:
-		r.protoLayer = layerTypeAll
-	}
+	r.protoLayer = protoToLayer(proto, r.ipLayer)
 
 	m.mutex.Lock()
 	var targetMap map[netip.Addr]RuleSet
@@ -496,16 +481,17 @@ func (m *Manager) addRouteFiltering(
 	}
 
 	ruleID := uuid.New().String()
+
 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:      ruleID,
-		mgmtId:  id,
-		sources: sources,
-		dstSet:  destination.Set,
-		proto:   proto,
-		srcPort: sPort,
-		dstPort: dPort,
-		action:  action,
+		id:         ruleID,
+		mgmtId:     id,
+		sources:    sources,
+		dstSet:     destination.Set,
+		protoLayer: protoToLayer(proto, layers.LayerTypeIPv4),
+		srcPort:    sPort,
+		dstPort:    dPort,
+		action:     action,
 	}
 	if destination.IsPrefix() {
 		rule.destinations = []netip.Prefix{destination.Prefix}
@@ -795,7 +781,7 @@ func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeade
 	pseudoSum += uint32(d.ip4.Protocol)
 	pseudoSum += uint32(tcpLength)
 
-	var sum uint32 = pseudoSum
+	var sum = pseudoSum
 	for i := 0; i < tcpLength-1; i += 2 {
 		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
 	}
@@ -945,7 +931,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
 	ruleID, blocked := m.peerACLsBlock(srcIP, d, packetData)
 	if blocked {
-		_, pnum := getProtocolFromPacket(d)
+		pnum := getProtocolFromPacket(d)
 		srcPort, dstPort := getPortsFromPacket(d)
 
 		m.logger.Trace6("Dropping local packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
@@ -1010,20 +996,22 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 		return false
 	}
 
-	proto, pnum := getProtocolFromPacket(d)
+	protoLayer := d.decoded[1]
 	srcPort, dstPort := getPortsFromPacket(d)
 
-	ruleID, pass := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort)
+	ruleID, pass := m.routeACLsPass(srcIP, dstIP, protoLayer, srcPort, dstPort)
 	if !pass {
+		proto := getProtocolFromPacket(d)
+
 		m.logger.Trace6("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
-			ruleID, pnum, srcIP, srcPort, dstIP, dstPort)
+			ruleID, proto, srcIP, srcPort, dstIP, dstPort)
 
 		m.flowLogger.StoreEvent(nftypes.EventFields{
 			FlowID:     uuid.New(),
 			Type:       nftypes.TypeDrop,
 			RuleID:     ruleID,
 			Direction:  nftypes.Ingress,
-			Protocol:   pnum,
+			Protocol:   proto,
 			SourceIP:   srcIP,
 			DestIP:     dstIP,
 			SourcePort: srcPort,
@@ -1052,16 +1040,33 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	return true
 }
 
-func getProtocolFromPacket(d *decoder) (firewall.Protocol, nftypes.Protocol) {
+func protoToLayer(proto firewall.Protocol, ipLayer gopacket.LayerType) gopacket.LayerType {
+	switch proto {
+	case firewall.ProtocolTCP:
+		return layers.LayerTypeTCP
+	case firewall.ProtocolUDP:
+		return layers.LayerTypeUDP
+	case firewall.ProtocolICMP:
+		if ipLayer == layers.LayerTypeIPv6 {
+			return layers.LayerTypeICMPv6
+		}
+		return layers.LayerTypeICMPv4
+	case firewall.ProtocolALL:
+		return layerTypeAll
+	}
+	return 0
+}
+
+func getProtocolFromPacket(d *decoder) nftypes.Protocol {
 	switch d.decoded[1] {
 	case layers.LayerTypeTCP:
-		return firewall.ProtocolTCP, nftypes.TCP
+		return nftypes.TCP
 	case layers.LayerTypeUDP:
-		return firewall.ProtocolUDP, nftypes.UDP
+		return nftypes.UDP
 	case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
-		return firewall.ProtocolICMP, nftypes.ICMP
+		return nftypes.ICMP
 	default:
-		return firewall.ProtocolALL, nftypes.ProtocolUnknown
+		return nftypes.ProtocolUnknown
 	}
 }
 
@@ -1233,19 +1238,30 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 }
 
 // routeACLsPass returns true if the packet is allowed by the route ACLs
-func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) ([]byte, bool) {
+func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, protoLayer gopacket.LayerType, srcPort, dstPort uint16) ([]byte, bool) {
 	m.mutex.RLock()
 	defer m.mutex.RUnlock()
 
 	for _, rule := range m.routeRules {
-		if matches := m.ruleMatches(rule, srcIP, dstIP, proto, srcPort, dstPort); matches {
+		if matches := m.ruleMatches(rule, srcIP, dstIP, protoLayer, srcPort, dstPort); matches {
 			return rule.mgmtId, rule.action == firewall.ActionAccept
 		}
 	}
 	return nil, false
 }
 
-func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) bool {
+func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, protoLayer gopacket.LayerType, srcPort, dstPort uint16) bool {
+	// TODO: handle ipv6 vs ipv4 icmp rules
+	if rule.protoLayer != layerTypeAll && rule.protoLayer != protoLayer {
+		return false
+	}
+
+	if protoLayer == layers.LayerTypeTCP || protoLayer == layers.LayerTypeUDP {
+		if !portsMatch(rule.srcPort, srcPort) || !portsMatch(rule.dstPort, dstPort) {
+			return false
+		}
+	}
+
 	destMatched := false
 	for _, dst := range rule.destinations {
 		if dst.Contains(dstAddr) {
@@ -1264,21 +1280,8 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 			break
 		}
 	}
-	if !sourceMatched {
-		return false
-	}
 
-	if rule.proto != firewall.ProtocolALL && rule.proto != proto {
-		return false
-	}
-
-	if proto == firewall.ProtocolTCP || proto == firewall.ProtocolUDP {
-		if !portsMatch(rule.srcPort, srcPort) || !portsMatch(rule.dstPort, dstPort) {
-			return false
-		}
-	}
-
-	return true
+	return sourceMatched
 }
 
 // AddUDPPacketHook calls hook when UDP packet from given direction matched

client/firewall/uspfilter/filter_bench_test.go

@@ -955,7 +955,7 @@ func BenchmarkRouteACLs(b *testing.B) {
 		for _, tc := range cases {
 			srcIP := netip.MustParseAddr(tc.srcIP)
 			dstIP := netip.MustParseAddr(tc.dstIP)
-			manager.routeACLsPass(srcIP, dstIP, tc.proto, 0, tc.dstPort)
+			manager.routeACLsPass(srcIP, dstIP, protoToLayer(tc.proto, layers.LayerTypeIPv4), 0, tc.dstPort)
 		}
 	}
 }

client/firewall/uspfilter/filter_filter_test.go

@@ -1259,7 +1259,7 @@ func TestRouteACLFiltering(t *testing.T) {
 
 			// testing routeACLsPass only and not FilterInbound, as routed packets are dropped after being passed
 			// to the forwarder
-			_, isAllowed := manager.routeACLsPass(srcIP, dstIP, tc.proto, tc.srcPort, tc.dstPort)
+			_, isAllowed := manager.routeACLsPass(srcIP, dstIP, protoToLayer(tc.proto, layers.LayerTypeIPv4), tc.srcPort, tc.dstPort)
 			require.Equal(t, tc.shouldPass, isAllowed)
 		})
 	}
@@ -1445,7 +1445,7 @@ func TestRouteACLOrder(t *testing.T) {
 				srcIP := netip.MustParseAddr(p.srcIP)
 				dstIP := netip.MustParseAddr(p.dstIP)
 
-				_, isAllowed := manager.routeACLsPass(srcIP, dstIP, p.proto, p.srcPort, p.dstPort)
+				_, isAllowed := manager.routeACLsPass(srcIP, dstIP, protoToLayer(p.proto, layers.LayerTypeIPv4), p.srcPort, p.dstPort)
 				require.Equal(t, p.shouldPass, isAllowed, "packet %d failed", i)
 			}
 		})
@@ -1488,13 +1488,13 @@ func TestRouteACLSet(t *testing.T) {
 	dstIP := netip.MustParseAddr("192.168.1.100")
 
 	// Check that traffic is dropped (empty set shouldn't match anything)
-	_, isAllowed := manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed := manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.False(t, isAllowed, "Empty set should not allow any traffic")
 
 	err = manager.UpdateSet(set, []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")})
 	require.NoError(t, err)
 
 	// Now the packet should be allowed
-	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
 }

client/firewall/uspfilter/filter_test.go

@@ -767,9 +767,9 @@ func TestUpdateSetMerge(t *testing.T) {
 	dstIP2 := netip.MustParseAddr("192.168.1.100")
 	dstIP3 := netip.MustParseAddr("172.16.0.100")
 
-	_, isAllowed1 := manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 := manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed3 := manager.routeACLsPass(srcIP, dstIP3, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed1 := manager.routeACLsPass(srcIP, dstIP1, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed2 := manager.routeACLsPass(srcIP, dstIP2, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed3 := manager.routeACLsPass(srcIP, dstIP3, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 
 	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should be allowed")
 	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should be allowed")
@@ -784,8 +784,8 @@ func TestUpdateSetMerge(t *testing.T) {
 	require.NoError(t, err)
 
 	// Check that all original prefixes are still included
-	_, isAllowed1 = manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 = manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed1 = manager.routeACLsPass(srcIP, dstIP1, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed2 = manager.routeACLsPass(srcIP, dstIP2, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should still be allowed after update")
 	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should still be allowed after update")
 
@@ -793,8 +793,8 @@ func TestUpdateSetMerge(t *testing.T) {
 	dstIP4 := netip.MustParseAddr("172.16.1.100")
 	dstIP5 := netip.MustParseAddr("10.1.0.50")
 
-	_, isAllowed4 := manager.routeACLsPass(srcIP, dstIP4, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed5 := manager.routeACLsPass(srcIP, dstIP5, fw.ProtocolTCP, 12345, 80)
+	_, isAllowed4 := manager.routeACLsPass(srcIP, dstIP4, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed5 := manager.routeACLsPass(srcIP, dstIP5, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 
 	require.True(t, isAllowed4, "Traffic to new prefix 172.16.0.0/16 should be allowed")
 	require.True(t, isAllowed5, "Traffic to new prefix 10.1.0.0/24 should be allowed")
@@ -922,7 +922,7 @@ func TestUpdateSetDeduplication(t *testing.T) {
 
 	srcIP := netip.MustParseAddr("100.10.0.1")
 	for _, tc := range testCases {
-		_, isAllowed := manager.routeACLsPass(srcIP, tc.dstIP, fw.ProtocolTCP, 12345, 80)
+		_, isAllowed := manager.routeACLsPass(srcIP, tc.dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
 		require.Equal(t, tc.expected, isAllowed, tc.desc)
 	}
 }

client/firewall/uspfilter/forwarder/endpoint.go

@@ -2,6 +2,7 @@ package forwarder
 
 import (
 	"fmt"
+	"sync/atomic"
 
 	wgdevice "golang.zx2c4.com/wireguard/device"
 	"gvisor.dev/gvisor/pkg/tcpip"
@@ -16,7 +17,7 @@ type endpoint struct {
 	logger     *nblog.Logger
 	dispatcher stack.NetworkDispatcher
 	device     *wgdevice.Device
-	mtu        uint32
+	mtu        atomic.Uint32
 }
 
 func (e *endpoint) Attach(dispatcher stack.NetworkDispatcher) {
@@ -28,7 +29,7 @@ func (e *endpoint) IsAttached() bool {
 }
 
 func (e *endpoint) MTU() uint32 {
-	return e.mtu
+	return e.mtu.Load()
 }
 
 func (e *endpoint) Capabilities() stack.LinkEndpointCapabilities {
@@ -82,6 +83,22 @@ func (e *endpoint) ParseHeader(*stack.PacketBuffer) bool {
 	return true
 }
 
+func (e *endpoint) Close() {
+	// Endpoint cleanup - nothing to do as device is managed externally
+}
+
+func (e *endpoint) SetLinkAddress(tcpip.LinkAddress) {
+	// Link address is not used for this endpoint type
+}
+
+func (e *endpoint) SetMTU(mtu uint32) {
+	e.mtu.Store(mtu)
+}
+
+func (e *endpoint) SetOnCloseAction(func()) {
+	// No action needed on close
+}
+
 type epID stack.TransportEndpointID
 
 func (i epID) String() string {

client/firewall/uspfilter/forwarder/forwarder.go

@@ -7,6 +7,7 @@ import (
 	"net/netip"
 	"runtime"
 	"sync"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 	"gvisor.dev/gvisor/pkg/buffer"
@@ -35,14 +36,16 @@ type Forwarder struct {
 	logger     *nblog.Logger
 	flowLogger nftypes.FlowLogger
 	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap    sync.Map
-	stack        *stack.Stack
-	endpoint     *endpoint
-	udpForwarder *udpForwarder
-	ctx          context.Context
-	cancel       context.CancelFunc
-	ip           tcpip.Address
-	netstack     bool
+	ruleIdMap        sync.Map
+	stack            *stack.Stack
+	endpoint         *endpoint
+	udpForwarder     *udpForwarder
+	ctx              context.Context
+	cancel           context.CancelFunc
+	ip               tcpip.Address
+	netstack         bool
+	hasRawICMPAccess bool
+	pingSemaphore    chan struct{}
 }
 
 func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
@@ -60,8 +63,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	endpoint := &endpoint{
 		logger: logger,
 		device: iface.GetWGDevice(),
-		mtu:    uint32(mtu),
 	}
+	endpoint.mtu.Store(uint32(mtu))
 
 	if err := s.CreateNIC(nicID, endpoint); err != nil {
 		return nil, fmt.Errorf("create NIC: %v", err)
@@ -103,15 +106,16 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 
 	ctx, cancel := context.WithCancel(context.Background())
 	f := &Forwarder{
-		logger:       logger,
-		flowLogger:   flowLogger,
-		stack:        s,
-		endpoint:     endpoint,
-		udpForwarder: newUDPForwarder(mtu, logger, flowLogger),
-		ctx:          ctx,
-		cancel:       cancel,
-		netstack:     netstack,
-		ip:           tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		logger:        logger,
+		flowLogger:    flowLogger,
+		stack:         s,
+		endpoint:      endpoint,
+		udpForwarder:  newUDPForwarder(mtu, logger, flowLogger),
+		ctx:           ctx,
+		cancel:        cancel,
+		netstack:      netstack,
+		ip:            tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		pingSemaphore: make(chan struct{}, 3),
 	}
 
 	receiveWindow := defaultReceiveWindow
@@ -129,6 +133,8 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 
 	s.SetTransportProtocolHandler(icmp.ProtocolNumber4, f.handleICMP)
 
+	f.checkICMPCapability()
+
 	log.Debugf("forwarder: Initialization complete with NIC %d", nicID)
 	return f, nil
 }
@@ -198,3 +204,24 @@ func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKe
 		DstPort: dstPort,
 	}
 }
+
+// checkICMPCapability tests whether we have raw ICMP socket access at startup.
+func (f *Forwarder) checkICMPCapability() {
+	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+	defer cancel()
+
+	lc := net.ListenConfig{}
+	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
+	if err != nil {
+		f.hasRawICMPAccess = false
+		f.logger.Debug("forwarder: No raw ICMP socket access, will use ping binary fallback")
+		return
+	}
+
+	if err := conn.Close(); err != nil {
+		f.logger.Debug1("forwarder: Failed to close ICMP capability test socket: %v", err)
+	}
+
+	f.hasRawICMPAccess = true
+	f.logger.Debug("forwarder: Raw ICMP socket access available")
+}

client/firewall/uspfilter/forwarder/icmp.go

@@ -2,8 +2,11 @@ package forwarder
 
 import (
 	"context"
+	"fmt"
 	"net"
 	"net/netip"
+	"os/exec"
+	"runtime"
 	"time"
 
 	"github.com/google/uuid"
@@ -14,30 +17,95 @@ import (
 )
 
 // handleICMP handles ICMP packets from the network stack
-func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBufferPtr) bool {
+func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool {
 	icmpHdr := header.ICMPv4(pkt.TransportHeader().View().AsSlice())
-	icmpType := uint8(icmpHdr.Type())
-	icmpCode := uint8(icmpHdr.Code())
-
-	if header.ICMPv4Type(icmpType) == header.ICMPv4EchoReply {
-		// dont process our own replies
-		return true
-	}
 
 	flowID := uuid.New()
-	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode, 0, 0)
+	f.sendICMPEvent(nftypes.TypeStart, flowID, id, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 0, 0)
 
-	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
+	// For Echo Requests, send and wait for response
+	if icmpHdr.Type() == header.ICMPv4Echo {
+		return f.handleICMPEcho(flowID, id, pkt, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()))
+	}
+
+	// For other ICMP types (Time Exceeded, Destination Unreachable, etc), forward without waiting
+	if !f.hasRawICMPAccess {
+		f.logger.Debug2("forwarder: Cannot handle ICMP type %v without raw socket access for %v", icmpHdr.Type(), epID(id))
+		return false
+	}
+
+	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
+	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 100*time.Millisecond)
+	if err != nil {
+		f.logger.Error2("forwarder: Failed to forward ICMP packet for %v: %v", epID(id), err)
+		return true
+	}
+	if err := conn.Close(); err != nil {
+		f.logger.Debug1("forwarder: Failed to close ICMP socket: %v", err)
+	}
+
+	return true
+}
+
+// handleICMPEcho handles ICMP echo requests asynchronously with rate limiting.
+func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointID, pkt *stack.PacketBuffer, icmpType, icmpCode uint8) bool {
+	select {
+	case f.pingSemaphore <- struct{}{}:
+		icmpData := stack.PayloadSince(pkt.TransportHeader()).ToSlice()
+		rxBytes := pkt.Size()
+
+		go func() {
+			defer func() { <-f.pingSemaphore }()
+
+			if f.hasRawICMPAccess {
+				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
+			} else {
+				f.handleICMPViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
+			}
+		}()
+	default:
+		f.logger.Debug3("forwarder: ICMP rate limit exceeded for %v type %v code %v",
+			epID(id), icmpType, icmpCode)
+	}
+	return true
+}
+
+// forwardICMPPacket creates a raw ICMP socket and sends the packet, returning the connection.
+// The caller is responsible for closing the returned connection.
+func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, timeout time.Duration) (net.PacketConn, error) {
+	ctx, cancel := context.WithTimeout(f.ctx, timeout)
 	defer cancel()
 
 	lc := net.ListenConfig{}
-	// TODO: support non-root
 	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
-		f.logger.Error2("forwarder: Failed to create ICMP socket for %v: %v", epID(id), err)
+		return nil, fmt.Errorf("create ICMP socket: %w", err)
+	}
 
-		// This will make netstack reply on behalf of the original destination, that's ok for now
-		return false
+	dstIP := f.determineDialAddr(id.LocalAddress)
+	dst := &net.IPAddr{IP: dstIP}
+
+	if _, err = conn.WriteTo(payload, dst); err != nil {
+		if closeErr := conn.Close(); closeErr != nil {
+			f.logger.Debug1("forwarder: Failed to close ICMP socket: %v", closeErr)
+		}
+		return nil, fmt.Errorf("write ICMP packet: %w", err)
+	}
+
+	f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
+		epID(id), icmpType, icmpCode)
+
+	return conn, nil
+}
+
+// handleICMPViaSocket handles ICMP echo requests using raw sockets.
+func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
+	sendTime := time.Now()
+
+	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, 5*time.Second)
+	if err != nil {
+		f.logger.Error2("forwarder: Failed to send ICMP packet for %v: %v", epID(id), err)
+		return
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
@@ -45,38 +113,22 @@ func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBuf
 		}
 	}()
 
-	dstIP := f.determineDialAddr(id.LocalAddress)
-	dst := &net.IPAddr{IP: dstIP}
+	txBytes := f.handleEchoResponse(conn, id)
+	rtt := time.Since(sendTime).Round(10 * time.Microsecond)
 
-	fullPacket := stack.PayloadSince(pkt.TransportHeader())
-	payload := fullPacket.AsSlice()
+	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, raw socket)",
+		epID(id), icmpType, icmpCode, rtt)
 
-	if _, err = conn.WriteTo(payload, dst); err != nil {
-		f.logger.Error2("forwarder: Failed to write ICMP packet for %v: %v", epID(id), err)
-		return true
-	}
-
-	f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
-		epID(id), icmpHdr.Type(), icmpHdr.Code())
-
-	// For Echo Requests, send and handle response
-	if header.ICMPv4Type(icmpType) == header.ICMPv4Echo {
-		rxBytes := pkt.Size()
-		txBytes := f.handleEchoResponse(icmpHdr, conn, id)
-		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
-	}
-
-	// For other ICMP types (Time Exceeded, Destination Unreachable, etc) do nothing
-	return true
+	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }
 
-func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) int {
+func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEndpointID) int {
 	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
 		f.logger.Error1("forwarder: Failed to set read deadline for ICMP response: %v", err)
 		return 0
 	}
 
-	response := make([]byte, f.endpoint.mtu)
+	response := make([]byte, f.endpoint.mtu.Load())
 	n, _, err := conn.ReadFrom(response)
 	if err != nil {
 		if !isTimeout(err) {
@@ -85,31 +137,7 @@ func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketCon
 		return 0
 	}
 
-	ipHdr := make([]byte, header.IPv4MinimumSize)
-	ip := header.IPv4(ipHdr)
-	ip.Encode(&header.IPv4Fields{
-		TotalLength: uint16(header.IPv4MinimumSize + n),
-		TTL:         64,
-		Protocol:    uint8(header.ICMPv4ProtocolNumber),
-		SrcAddr:     id.LocalAddress,
-		DstAddr:     id.RemoteAddress,
-	})
-	ip.SetChecksum(^ip.CalculateChecksum())
-
-	fullPacket := make([]byte, 0, len(ipHdr)+n)
-	fullPacket = append(fullPacket, ipHdr...)
-	fullPacket = append(fullPacket, response[:n]...)
-
-	if err := f.InjectIncomingPacket(fullPacket); err != nil {
-		f.logger.Error1("forwarder: Failed to inject ICMP response: %v", err)
-
-		return 0
-	}
-
-	f.logger.Trace3("forwarder: Forwarded ICMP echo reply for %v type %v code %v",
-		epID(id), icmpHdr.Type(), icmpHdr.Code())
-
-	return len(fullPacket)
+	return f.injectICMPReply(id, response[:n])
 }
 
 // sendICMPEvent stores flow events for ICMP packets
@@ -152,3 +180,95 @@ func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.T
 
 	f.flowLogger.StoreEvent(fields)
 }
+
+// handleICMPViaPing handles ICMP echo requests by executing the system ping binary.
+// This is used as a fallback when raw socket access is not available.
+func (f *Forwarder) handleICMPViaPing(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
+	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
+	defer cancel()
+
+	dstIP := f.determineDialAddr(id.LocalAddress)
+	cmd := buildPingCommand(ctx, dstIP, 5*time.Second)
+
+	pingStart := time.Now()
+	if err := cmd.Run(); err != nil {
+		f.logger.Warn4("forwarder: Ping binary failed for %v type %v code %v: %v", epID(id),
+			icmpType, icmpCode, err)
+		return
+	}
+	rtt := time.Since(pingStart).Round(10 * time.Microsecond)
+
+	f.logger.Trace3("forwarder: Forwarded ICMP echo request %v type %v code %v",
+		epID(id), icmpType, icmpCode)
+
+	txBytes := f.synthesizeEchoReply(id, icmpData)
+
+	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, ping binary)",
+		epID(id), icmpType, icmpCode, rtt)
+
+	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
+}
+
+// buildPingCommand creates a platform-specific ping command.
+func buildPingCommand(ctx context.Context, target net.IP, timeout time.Duration) *exec.Cmd {
+	timeoutSec := int(timeout.Seconds())
+	if timeoutSec < 1 {
+		timeoutSec = 1
+	}
+
+	switch runtime.GOOS {
+	case "linux", "android":
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-W", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+	case "darwin", "ios":
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
+	case "freebsd":
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), target.String())
+	case "openbsd", "netbsd":
+		return exec.CommandContext(ctx, "ping", "-c", "1", "-w", fmt.Sprintf("%d", timeoutSec), target.String())
+	case "windows":
+		return exec.CommandContext(ctx, "ping", "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
+	default:
+		return exec.CommandContext(ctx, "ping", "-c", "1", target.String())
+	}
+}
+
+// synthesizeEchoReply creates an ICMP echo reply from raw ICMP data and injects it back into the network stack.
+// Returns the size of the injected packet.
+func (f *Forwarder) synthesizeEchoReply(id stack.TransportEndpointID, icmpData []byte) int {
+	replyICMP := make([]byte, len(icmpData))
+	copy(replyICMP, icmpData)
+
+	replyICMPHdr := header.ICMPv4(replyICMP)
+	replyICMPHdr.SetType(header.ICMPv4EchoReply)
+	replyICMPHdr.SetChecksum(0)
+	replyICMPHdr.SetChecksum(header.ICMPv4Checksum(replyICMPHdr, 0))
+
+	return f.injectICMPReply(id, replyICMP)
+}
+
+// injectICMPReply wraps an ICMP payload in an IP header and injects it into the network stack.
+// Returns the total size of the injected packet, or 0 if injection failed.
+func (f *Forwarder) injectICMPReply(id stack.TransportEndpointID, icmpPayload []byte) int {
+	ipHdr := make([]byte, header.IPv4MinimumSize)
+	ip := header.IPv4(ipHdr)
+	ip.Encode(&header.IPv4Fields{
+		TotalLength: uint16(header.IPv4MinimumSize + len(icmpPayload)),
+		TTL:         64,
+		Protocol:    uint8(header.ICMPv4ProtocolNumber),
+		SrcAddr:     id.LocalAddress,
+		DstAddr:     id.RemoteAddress,
+	})
+	ip.SetChecksum(^ip.CalculateChecksum())
+
+	fullPacket := make([]byte, 0, len(ipHdr)+len(icmpPayload))
+	fullPacket = append(fullPacket, ipHdr...)
+	fullPacket = append(fullPacket, icmpPayload...)
+
+	// Bypass netstack and send directly to peer to avoid looping through our ICMP handler
+	if err := f.endpoint.device.CreateOutboundPacket(fullPacket, id.RemoteAddress.AsSlice()); err != nil {
+		f.logger.Error1("forwarder: Failed to send ICMP reply to peer: %v", err)
+		return 0
+	}
+
+	return len(fullPacket)
+}

client/firewall/uspfilter/forwarder/udp.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"io"
 	"net"
 	"net/netip"
 	"sync"
@@ -131,10 +132,10 @@ func (f *udpForwarder) cleanup() {
 }
 
 // handleUDP is called by the UDP forwarder for new packets
-func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
+func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) bool {
 	if f.ctx.Err() != nil {
 		f.logger.Trace("forwarder: context done, dropping UDP packet")
-		return
+		return false
 	}
 
 	id := r.ID()
@@ -144,7 +145,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 	f.udpForwarder.RUnlock()
 	if exists {
 		f.logger.Trace1("forwarder: existing UDP connection for %v", epID(id))
-		return
+		return true
 	}
 
 	flowID := uuid.New()
@@ -162,7 +163,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 	if err != nil {
 		f.logger.Debug2("forwarder: UDP dial error for %v: %v", epID(id), err)
 		// TODO: Send ICMP error message
-		return
+		return false
 	}
 
 	// Create wait queue for blocking syscalls
@@ -173,10 +174,10 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 		if err := outConn.Close(); err != nil {
 			f.logger.Debug2("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}
-		return
+		return false
 	}
 
-	inConn := gonet.NewUDPConn(f.stack, &wq, ep)
+	inConn := gonet.NewUDPConn(&wq, ep)
 	connCtx, connCancel := context.WithCancel(f.ctx)
 
 	pConn := &udpPacketConn{
@@ -199,7 +200,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 		if err := outConn.Close(); err != nil {
 			f.logger.Debug2("forwarder: UDP outConn close error for %v: %v", epID(id), err)
 		}
-		return
+		return true
 	}
 	f.udpForwarder.conns[id] = pConn
 	f.udpForwarder.Unlock()
@@ -208,6 +209,7 @@ func (f *Forwarder) handleUDP(r *udp.ForwarderRequest) {
 	f.logger.Trace1("forwarder: established UDP connection %v", epID(id))
 
 	go f.proxyUDP(connCtx, pConn, id, ep)
+	return true
 }
 
 func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack.TransportEndpointID, ep tcpip.Endpoint) {
@@ -348,7 +350,7 @@ func (c *udpPacketConn) copy(ctx context.Context, dst net.Conn, src net.Conn, bu
 }
 
 func isClosedError(err error) bool {
-	return errors.Is(err, net.ErrClosed) || errors.Is(err, context.Canceled)
+	return errors.Is(err, net.ErrClosed) || errors.Is(err, context.Canceled) || errors.Is(err, io.EOF)
 }
 
 func isTimeout(err error) bool {

client/firewall/uspfilter/localip.go

@@ -130,6 +130,7 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	// 127.0.0.0/8
 	newIPv4Bitmap[127] = &ipv4LowBitmap{}
 	for i := 0; i < 8192; i++ {
+		// #nosec G602 -- bitmap is defined as [8192]uint32, loop range is correct
 		newIPv4Bitmap[127].bitmap[i] = 0xFFFFFFFF
 	}
 

client/firewall/uspfilter/localip_test.go

@@ -218,7 +218,7 @@ func BenchmarkIPChecks(b *testing.B) {
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
 			// nolint:gosimple
-			_, _ = mapManager.localIPs[ip.String()]
+			_ = mapManager.localIPs[ip.String()]
 		}
 	})
 
@@ -227,7 +227,7 @@ func BenchmarkIPChecks(b *testing.B) {
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
 			// nolint:gosimple
-			_, _ = mapManager.localIPs[ip.String()]
+			_ = mapManager.localIPs[ip.String()]
 		}
 	})
 }

client/firewall/uspfilter/log/log.go

@@ -168,6 +168,15 @@ func (l *Logger) Warn3(format string, arg1, arg2, arg3 any) {
 	}
 }
 
+func (l *Logger) Warn4(format string, arg1, arg2, arg3, arg4 any) {
+	if l.level.Load() >= uint32(LevelWarn) {
+		select {
+		case l.msgChannel <- logMessage{level: LevelWarn, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4}:
+		default:
+		}
+	}
+}
+
 func (l *Logger) Debug1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelDebug) {
 		select {

client/firewall/uspfilter/nat_test.go

@@ -234,9 +234,10 @@ func TestInboundPortDNATNegative(t *testing.T) {
 			require.False(t, translated, "Packet should NOT be translated for %s", tc.name)
 
 			d = parsePacket(t, packet)
-			if tc.protocol == layers.IPProtocolTCP {
+			switch tc.protocol {
+			case layers.IPProtocolTCP:
 				require.Equal(t, tc.dstPort, uint16(d.tcp.DstPort), "Port should remain unchanged")
-			} else if tc.protocol == layers.IPProtocolUDP {
+			case layers.IPProtocolUDP:
 				require.Equal(t, tc.dstPort, uint16(d.udp.DstPort), "Port should remain unchanged")
 			}
 		})

client/firewall/uspfilter/rule.go

@@ -34,7 +34,7 @@ type RouteRule struct {
 	sources      []netip.Prefix
 	dstSet       firewall.Set
 	destinations []netip.Prefix
-	proto        firewall.Protocol
+	protoLayer   gopacket.LayerType
 	srcPort      *firewall.Port
 	dstPort      *firewall.Port
 	action       firewall.Action

client/firewall/uspfilter/tracer.go

@@ -379,9 +379,9 @@ func (m *Manager) handleNativeRouter(trace *PacketTrace) *PacketTrace {
 }
 
 func (m *Manager) handleRouteACLs(trace *PacketTrace, d *decoder, srcIP, dstIP netip.Addr) *PacketTrace {
-	proto, _ := getProtocolFromPacket(d)
+	protoLayer := d.decoded[1]
 	srcPort, dstPort := getPortsFromPacket(d)
-	id, allowed := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort)
+	id, allowed := m.routeACLsPass(srcIP, dstIP, protoLayer, srcPort, dstPort)
 
 	strId := string(id)
 	if id == nil {

client/iface/bind/ice_bind.go

@@ -27,8 +27,23 @@ type receiverCreator struct {
 	iceBind *ICEBind
 }
 
-func (rc receiverCreator) CreateIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, rxOffload bool, msgPool *sync.Pool) wgConn.ReceiveFunc {
-	return rc.iceBind.createIPv4ReceiverFn(pc, conn, rxOffload, msgPool)
+func (rc receiverCreator) CreateReceiverFn(pc wgConn.BatchReader, conn *net.UDPConn, rxOffload bool, msgPool *sync.Pool) wgConn.ReceiveFunc {
+	if ipv4PC, ok := pc.(*ipv4.PacketConn); ok {
+		return rc.iceBind.createIPv4ReceiverFn(ipv4PC, conn, rxOffload, msgPool)
+	}
+	// IPv6 is currently not supported in the udpmux, this is a stub for compatibility with the
+	// wireguard-go ReceiverCreator interface which is called for both IPv4 and IPv6.
+	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
+		buf := bufs[0]
+		size, ep, err := conn.ReadFromUDPAddrPort(buf)
+		if err != nil {
+			return 0, err
+		}
+		sizes[0] = size
+		stdEp := &wgConn.StdNetEndpoint{AddrPort: ep}
+		eps[0] = stdEp
+		return 1, nil
+	}
 }
 
 // ICEBind is a bind implementation with two main features:

client/iface/device/device_ios.go

@@ -1,9 +1,7 @@
-//go:build ios
-// +build ios
-
 package device
 
 import (
+	"fmt"
 	"os"
 
 	log "github.com/sirupsen/logrus"
@@ -45,10 +43,31 @@ func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu
 	}
 }
 
+// ErrInvalidTunnelFD is returned when the tunnel file descriptor is invalid (0).
+// This typically means the Swift code couldn't find the utun control socket.
+var ErrInvalidTunnelFD = fmt.Errorf("invalid tunnel file descriptor: fd is 0 (Swift failed to locate utun socket)")
+
 func (t *TunDevice) Create() (WGConfigurer, error) {
 	log.Infof("create tun interface")
 
-	dupTunFd, err := unix.Dup(t.tunFd)
+	var tunDevice tun.Device
+	var err error
+
+	// Validate the tunnel file descriptor.
+	// On iOS/tvOS, the FD must be provided by the NEPacketTunnelProvider.
+	// A value of 0 means the Swift code couldn't find the utun control socket
+	// (the low-level APIs like ctl_info, sockaddr_ctl may not be exposed in
+	// tvOS SDK headers). This is a hard error - there's no viable fallback
+	// since tun.CreateTUN() cannot work within the iOS/tvOS sandbox.
+	if t.tunFd == 0 {
+		log.Errorf("Tunnel file descriptor is 0 - Swift code failed to locate the utun control socket. " +
+			"On tvOS, ensure the NEPacketTunnelProvider is properly configured and the tunnel is started.")
+		return nil, ErrInvalidTunnelFD
+	}
+
+	// Normal iOS/tvOS path: use the provided file descriptor from NEPacketTunnelProvider
+	var dupTunFd int
+	dupTunFd, err = unix.Dup(t.tunFd)
 	if err != nil {
 		log.Errorf("Unable to dup tun fd: %v", err)
 		return nil, err
@@ -60,7 +79,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		_ = unix.Close(dupTunFd)
 		return nil, err
 	}
-	tunDevice, err := tun.CreateTUNFromFile(os.NewFile(uintptr(dupTunFd), "/dev/tun"), 0)
+	tunDevice, err = tun.CreateTUNFromFile(os.NewFile(uintptr(dupTunFd), "/dev/tun"), 0)
 	if err != nil {
 		log.Errorf("Unable to create new tun device from fd: %v", err)
 		_ = unix.Close(dupTunFd)

client/iface/wgproxy/factory_kernel.go

@@ -3,12 +3,19 @@
 package wgproxy
 
 import (
+	"os"
+	"strconv"
+
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface/wgproxy/ebpf"
 	udpProxy "github.com/netbirdio/netbird/client/iface/wgproxy/udp"
 )
 
+const (
+	envDisableEBPFWGProxy = "NB_DISABLE_EBPF_WG_PROXY"
+)
+
 type KernelFactory struct {
 	wgPort int
 	mtu    uint16
@@ -22,6 +29,12 @@ func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
 		mtu:    mtu,
 	}
 
+	if isEBPFDisabled() {
+		log.Infof("WireGuard Proxy Factory will produce UDP proxy")
+		log.Infof("eBPF WireGuard proxy is disabled via %s environment variable", envDisableEBPFWGProxy)
+		return f
+	}
+
 	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, mtu)
 	if err := ebpfProxy.Listen(); err != nil {
 		log.Infof("WireGuard Proxy Factory will produce UDP proxy")
@@ -47,3 +60,16 @@ func (w *KernelFactory) Free() error {
 	}
 	return w.ebpfProxy.Free()
 }
+
+func isEBPFDisabled() bool {
+	val := os.Getenv(envDisableEBPFWGProxy)
+	if val == "" {
+		return false
+	}
+	disabled, err := strconv.ParseBool(val)
+	if err != nil {
+		log.Warnf("failed to parse %s: %v", envDisableEBPFWGProxy, err)
+		return false
+	}
+	return disabled
+}

client/internal/debug/debug_linux.go

@@ -507,15 +507,13 @@ func formatPayloadWithCmp(p *expr.Payload, cmp *expr.Cmp) string {
 	if p.Base == expr.PayloadBaseNetworkHeader {
 		switch p.Offset {
 		case 12:
-			if p.Len == 4 {
-				return fmt.Sprintf("ip saddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
-			} else if p.Len == 2 {
+			switch p.Len {
+			case 4, 2:
 				return fmt.Sprintf("ip saddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
 			}
 		case 16:
-			if p.Len == 4 {
-				return fmt.Sprintf("ip daddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
-			} else if p.Len == 2 {
+			switch p.Len {
+			case 4, 2:
 				return fmt.Sprintf("ip daddr %s %s", formatCmpOp(cmp.Op), formatIPBytes(cmp.Data))
 			}
 		}

client/internal/dns/server.go

@@ -80,6 +80,7 @@ type DefaultServer struct {
 	updateSerial       uint64
 	previousConfigHash uint64
 	currentConfig      HostDNSConfig
+	currentConfigHash  uint64
 	handlerChain       *HandlerChain
 	extraDomains       map[domain.Domain]int
 
@@ -207,6 +208,7 @@ func newDefaultServer(
 		hostsDNSHolder:    newHostsDNSHolder(),
 		hostManager:       &noopHostConfigurator{},
 		mgmtCacheResolver: mgmtCacheResolver,
+		currentConfigHash: ^uint64(0), // Initialize to max uint64 to ensure first config is always applied
 	}
 
 	// register with root zone, handler chain takes care of the routing
@@ -586,8 +588,29 @@ func (s *DefaultServer) applyHostConfig() {
 
 	log.Debugf("extra match domains: %v", maps.Keys(s.extraDomains))
 
+	hash, err := hashstructure.Hash(config, hashstructure.FormatV2, &hashstructure.HashOptions{
+		ZeroNil:         true,
+		IgnoreZeroValue: true,
+		SlicesAsSets:    true,
+		UseStringer:     true,
+	})
+	if err != nil {
+		log.Warnf("unable to hash the host dns configuration, will apply config anyway: %s", err)
+		// Fall through to apply config anyway (fail-safe approach)
+	} else if s.currentConfigHash == hash {
+		log.Debugf("not applying host config as there are no changes")
+		return
+	}
+
+	log.Debugf("applying host config as there are changes")
 	if err := s.hostManager.applyDNSConfig(config, s.stateManager); err != nil {
 		log.Errorf("failed to apply DNS host manager update: %v", err)
+		return
+	}
+
+	// Only update hash if it was computed successfully and config was applied
+	if err == nil {
+		s.currentConfigHash = hash
 	}
 
 	s.registerFallback(config)

client/internal/dns/server_test.go

@@ -1602,7 +1602,10 @@ func TestExtraDomains(t *testing.T) {
 				"other.example.com.",
 				"duplicate.example.com.",
 			},
-			applyHostConfigCall: 4,
+			// Expect 3 calls instead of 4 because when deregistering duplicate.example.com,
+			// the domain remains in the config (ref count goes from 2 to 1), so the host
+			// config hash doesn't change and applyDNSConfig is not called.
+			applyHostConfigCall: 3,
 		},
 		{
 			name: "Config update with new domains after registration",
@@ -1657,7 +1660,10 @@ func TestExtraDomains(t *testing.T) {
 			expectedMatchOnly: []string{
 				"extra.example.com.",
 			},
-			applyHostConfigCall: 3,
+			// Expect 2 calls instead of 3 because when deregistering protected.example.com,
+			// it's removed from extraDomains but still remains in the config (from customZones),
+			// so the host config hash doesn't change and applyDNSConfig is not called.
+			applyHostConfigCall: 2,
 		},
 		{
 			name: "Register domain that is part of nameserver group",

client/internal/engine.go

@@ -1121,6 +1121,15 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 
 	e.updateOfflinePeers(networkMap.GetOfflinePeers())
 
+	// Filter out own peer from the remote peers list
+	localPubKey := e.config.WgPrivateKey.PublicKey().String()
+	remotePeers := make([]*mgmProto.RemotePeerConfig, 0, len(networkMap.GetRemotePeers()))
+	for _, p := range networkMap.GetRemotePeers() {
+		if p.GetWgPubKey() != localPubKey {
+			remotePeers = append(remotePeers, p)
+		}
+	}
+
 	// cleanup request, most likely our peer has been deleted
 	if networkMap.GetRemotePeersIsEmpty() {
 		err := e.removeAllPeers()
@@ -1129,32 +1138,34 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 			return err
 		}
 	} else {
-		err := e.removePeers(networkMap.GetRemotePeers())
+		err := e.removePeers(remotePeers)
 		if err != nil {
 			return err
 		}
 
-		err = e.modifyPeers(networkMap.GetRemotePeers())
+		err = e.modifyPeers(remotePeers)
 		if err != nil {
 			return err
 		}
 
-		err = e.addNewPeers(networkMap.GetRemotePeers())
+		err = e.addNewPeers(remotePeers)
 		if err != nil {
 			return err
 		}
 
 		e.statusRecorder.FinishPeerListModifications()
 
-		e.updatePeerSSHHostKeys(networkMap.GetRemotePeers())
+		e.updatePeerSSHHostKeys(remotePeers)
 
-		if err := e.updateSSHClientConfig(networkMap.GetRemotePeers()); err != nil {
+		if err := e.updateSSHClientConfig(remotePeers); err != nil {
 			log.Warnf("failed to update SSH client config: %v", err)
 		}
+
+		e.updateSSHServerAuth(networkMap.GetSshAuth())
 	}
 
 	// must set the exclude list after the peers are added. Without it the manager can not figure out the peers parameters from the store
-	excludedLazyPeers := e.toExcludedLazyPeers(forwardingRules, networkMap.GetRemotePeers())
+	excludedLazyPeers := e.toExcludedLazyPeers(forwardingRules, remotePeers)
 	e.connMgr.SetExcludeList(e.ctx, excludedLazyPeers)
 
 	e.networkSerial = serial

client/internal/engine_ssh.go

@@ -11,15 +11,18 @@ import (
 
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
 	sshserver "github.com/netbirdio/netbird/client/ssh/server"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	sshuserhash "github.com/netbirdio/netbird/shared/sshauth"
 )
 
 type sshServer interface {
 	Start(ctx context.Context, addr netip.AddrPort) error
 	Stop() error
 	GetStatus() (bool, []sshserver.SessionInfo)
+	UpdateSSHAuth(config *sshauth.Config)
 }
 
 func (e *Engine) setupSSHPortRedirection() error {
@@ -353,3 +356,38 @@ func (e *Engine) GetSSHServerStatus() (enabled bool, sessions []sshserver.Sessio
 
 	return sshServer.GetStatus()
 }
+
+// updateSSHServerAuth updates SSH fine-grained access control configuration on a running SSH server
+func (e *Engine) updateSSHServerAuth(sshAuth *mgmProto.SSHAuth) {
+	if sshAuth == nil {
+		return
+	}
+
+	if e.sshServer == nil {
+		return
+	}
+
+	protoUsers := sshAuth.GetAuthorizedUsers()
+	authorizedUsers := make([]sshuserhash.UserIDHash, len(protoUsers))
+	for i, hash := range protoUsers {
+		if len(hash) != 16 {
+			log.Warnf("invalid hash length %d, expected 16 - skipping SSH server auth update", len(hash))
+			return
+		}
+		authorizedUsers[i] = sshuserhash.UserIDHash(hash)
+	}
+
+	machineUsers := make(map[string][]uint32)
+	for osUser, indexes := range sshAuth.GetMachineUsers() {
+		machineUsers[osUser] = indexes.GetIndexes()
+	}
+
+	// Update SSH server with new authorization configuration
+	authConfig := &sshauth.Config{
+		UserIDClaim:     sshAuth.GetUserIDClaim(),
+		AuthorizedUsers: authorizedUsers,
+		MachineUsers:    machineUsers,
+	}
+
+	e.sshServer.UpdateSSHAuth(authConfig)
+}

client/internal/engine_test.go

@@ -1631,7 +1631,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/iface.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package internal
 

client/internal/networkmonitor/check_change_darwin.go

@@ -110,7 +110,6 @@ func wakeUpListen(ctx context.Context) {
 			}
 
 			if newHash == initialHash {
-				log.Tracef("no wakeup detected")
 				continue
 			}
 

client/internal/peer/conn.go

@@ -148,13 +148,15 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 // It will try to establish a connection using ICE and in parallel with relay. The higher priority connection type will
 // be used.
 func (conn *Conn) Open(engineCtx context.Context) error {
-	conn.semaphore.Add(engineCtx)
+	if err := conn.semaphore.Add(engineCtx); err != nil {
+		return err
+	}
 
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
 
 	if conn.opened {
-		conn.semaphore.Done(engineCtx)
+		conn.semaphore.Done()
 		return nil
 	}
 
@@ -165,6 +167,7 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	relayIsSupportedLocally := conn.workerRelay.RelayIsSupportedLocally()
 	workerICE, err := NewWorkerICE(conn.ctx, conn.Log, conn.config, conn, conn.signaler, conn.iFaceDiscover, conn.statusRecorder, relayIsSupportedLocally)
 	if err != nil {
+		conn.semaphore.Done()
 		return err
 	}
 	conn.workerICE = workerICE
@@ -200,7 +203,7 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 		defer conn.wg.Done()
 
 		conn.waitInitialRandomSleepTime(conn.ctx)
-		conn.semaphore.Done(conn.ctx)
+		conn.semaphore.Done()
 
 		conn.guard.Start(conn.ctx, conn.onGuardEvent)
 	}()

client/internal/profilemanager/config.go

@@ -3,6 +3,7 @@ package profilemanager
 import (
 	"context"
 	"crypto/tls"
+	"encoding/json"
 	"fmt"
 	"net/url"
 	"os"
@@ -684,7 +685,7 @@ func update(input ConfigInput) (*Config, error) {
 	return config, nil
 }
 
-// GetConfig read config file and return with Config. Errors out if it does not exist
+// GetConfig read config file and return with Config and if it was created. Errors out if it does not exist
 func GetConfig(configPath string) (*Config, error) {
 	return readConfig(configPath, false)
 }
@@ -820,3 +821,85 @@ func readConfig(configPath string, createIfMissing bool) (*Config, error) {
 func WriteOutConfig(path string, config *Config) error {
 	return util.WriteJson(context.Background(), path, config)
 }
+
+// DirectWriteOutConfig writes config directly without atomic temp file operations.
+// Use this on platforms where atomic writes are blocked (e.g., tvOS sandbox).
+func DirectWriteOutConfig(path string, config *Config) error {
+	return util.DirectWriteJson(context.Background(), path, config)
+}
+
+// DirectUpdateOrCreateConfig is like UpdateOrCreateConfig but uses direct (non-atomic) writes.
+// Use this on platforms where atomic writes are blocked (e.g., tvOS sandbox).
+func DirectUpdateOrCreateConfig(input ConfigInput) (*Config, error) {
+	if !fileExists(input.ConfigPath) {
+		log.Infof("generating new config %s", input.ConfigPath)
+		cfg, err := createNewConfig(input)
+		if err != nil {
+			return nil, err
+		}
+		err = util.DirectWriteJson(context.Background(), input.ConfigPath, cfg)
+		return cfg, err
+	}
+
+	if isPreSharedKeyHidden(input.PreSharedKey) {
+		input.PreSharedKey = nil
+	}
+
+	// Enforce permissions on existing config files (same as UpdateOrCreateConfig)
+	if err := util.EnforcePermission(input.ConfigPath); err != nil {
+		log.Errorf("failed to enforce permission on config file: %v", err)
+	}
+
+	return directUpdate(input)
+}
+
+func directUpdate(input ConfigInput) (*Config, error) {
+	config := &Config{}
+
+	if _, err := util.ReadJson(input.ConfigPath, config); err != nil {
+		return nil, err
+	}
+
+	updated, err := config.apply(input)
+	if err != nil {
+		return nil, err
+	}
+
+	if updated {
+		if err := util.DirectWriteJson(context.Background(), input.ConfigPath, config); err != nil {
+			return nil, err
+		}
+	}
+
+	return config, nil
+}
+
+// ConfigToJSON serializes a Config struct to a JSON string.
+// This is useful for exporting config to alternative storage mechanisms
+// (e.g., UserDefaults on tvOS where file writes are blocked).
+func ConfigToJSON(config *Config) (string, error) {
+	bs, err := json.MarshalIndent(config, "", "    ")
+	if err != nil {
+		return "", err
+	}
+	return string(bs), nil
+}
+
+// ConfigFromJSON deserializes a JSON string to a Config struct.
+// This is useful for restoring config from alternative storage mechanisms.
+// After unmarshaling, defaults are applied to ensure the config is fully initialized.
+func ConfigFromJSON(jsonStr string) (*Config, error) {
+	config := &Config{}
+	err := json.Unmarshal([]byte(jsonStr), config)
+	if err != nil {
+		return nil, err
+	}
+
+	// Apply defaults to ensure required fields are initialized.
+	// This mirrors what readConfig does after loading from file.
+	if _, err := config.apply(ConfigInput{}); err != nil {
+		return nil, fmt.Errorf("failed to apply defaults to config: %w", err)
+	}
+
+	return config, nil
+}

client/internal/profilemanager/service.go

@@ -126,14 +126,6 @@ func (s *ServiceManager) CopyDefaultProfileIfNotExists() (bool, error) {
 		log.Warnf("failed to set permissions for default profile: %v", err)
 	}
 
-	if err := s.SetActiveProfileState(&ActiveProfileState{
-		Name:     "default",
-		Username: "",
-	}); err != nil {
-		log.Errorf("failed to set active profile state: %v", err)
-		return false, fmt.Errorf("failed to set active profile state: %w", err)
-	}
-
 	return true, nil
 }
 

client/internal/routemanager/iface/iface.go

@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 
 package iface
 

client/internal/routemanager/systemops/systemops_generic.go

@@ -210,7 +210,8 @@ func (r *SysOps) refreshLocalSubnetsCache() {
 func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
 	nextHop := Nexthop{netip.Addr{}, intf}
 
-	if prefix == vars.Defaultv4 {
+	switch prefix {
+	case vars.Defaultv4:
 		if err := r.addToRouteTable(splitDefaultv4_1, nextHop); err != nil {
 			return err
 		}
@@ -233,7 +234,7 @@ func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) er
 		}
 
 		return nil
-	} else if prefix == vars.Defaultv6 {
+	case vars.Defaultv6:
 		if err := r.addToRouteTable(splitDefaultv6_1, nextHop); err != nil {
 			return fmt.Errorf("add unreachable route split 1: %w", err)
 		}
@@ -255,7 +256,8 @@ func (r *SysOps) genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) er
 func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
 	nextHop := Nexthop{netip.Addr{}, intf}
 
-	if prefix == vars.Defaultv4 {
+	switch prefix {
+	case vars.Defaultv4:
 		var result *multierror.Error
 		if err := r.removeFromRouteTable(splitDefaultv4_1, nextHop); err != nil {
 			result = multierror.Append(result, err)
@@ -273,7 +275,7 @@ func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface)
 		}
 
 		return nberrors.FormatErrorOrNil(result)
-	} else if prefix == vars.Defaultv6 {
+	case vars.Defaultv6:
 		var result *multierror.Error
 		if err := r.removeFromRouteTable(splitDefaultv6_1, nextHop); err != nil {
 			result = multierror.Append(result, err)
@@ -283,9 +285,9 @@ func (r *SysOps) genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface)
 		}
 
 		return nberrors.FormatErrorOrNil(result)
+	default:
+		return r.removeFromRouteTable(prefix, nextHop)
 	}
-
-	return r.removeFromRouteTable(prefix, nextHop)
 }
 
 func (r *SysOps) setupHooks(initAddresses []net.IP, stateManager *statemanager.Manager) error {

client/internal/updatemanager/installer/installer_run_darwin.go

@@ -22,7 +22,7 @@ const (
 
 	defaultTempDir = "/var/lib/netbird/tmp-install"
 
-	pkgDownloadURL = "https://github.com/mlsmaycon/netbird/releases/download/v%version/netbird_%version_darwin_%arch.pkg"
+	pkgDownloadURL = "https://github.com/netbirdio/netbird/releases/download/v%version/netbird_%version_darwin_%arch.pkg"
 )
 
 var (

client/internal/updatemanager/installer/installer_run_windows.go

@@ -22,8 +22,8 @@ const (
 
 	msiLogFile = "msi.log"
 
-	msiDownloadURL = "https://github.com/mlsmaycon/netbird/releases/download/v%version/netbird_installer_%version_windows_%arch.msi"
-	exeDownloadURL = "https://github.com/mlsmaycon/netbird/releases/download/v%version/netbird_installer_%version_windows_%arch.exe"
+	msiDownloadURL = "https://github.com/netbirdio/netbird/releases/download/v%version/netbird_installer_%version_windows_%arch.msi"
+	exeDownloadURL = "https://github.com/netbirdio/netbird/releases/download/v%version/netbird_installer_%version_windows_%arch.exe"
 )
 
 var (

client/ios/NetBirdSDK/client.go

@@ -75,6 +75,8 @@ type Client struct {
 	dnsManager            dns.IosDnsManager
 	loginComplete         bool
 	connectClient         *internal.ConnectClient
+	// preloadedConfig holds config loaded from JSON (used on tvOS where file writes are blocked)
+	preloadedConfig *profilemanager.Config
 }
 
 // NewClient instantiate a new Client
@@ -92,17 +94,44 @@ func NewClient(cfgFile, stateFile, deviceName string, osVersion string, osName s
 	}
 }
 
+// SetConfigFromJSON loads config from a JSON string into memory.
+// This is used on tvOS where file writes to App Group containers are blocked.
+// When set, IsLoginRequired() and Run() will use this preloaded config instead of reading from file.
+func (c *Client) SetConfigFromJSON(jsonStr string) error {
+	cfg, err := profilemanager.ConfigFromJSON(jsonStr)
+	if err != nil {
+		log.Errorf("SetConfigFromJSON: failed to parse config JSON: %v", err)
+		return err
+	}
+	c.preloadedConfig = cfg
+	log.Infof("SetConfigFromJSON: config loaded successfully from JSON")
+	return nil
+}
+
 // Run start the internal client. It is a blocker function
 func (c *Client) Run(fd int32, interfaceName string, envList *EnvList) error {
 	exportEnvList(envList)
 	log.Infof("Starting NetBird client")
 	log.Debugf("Tunnel uses interface: %s", interfaceName)
-	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
-		ConfigPath:    c.cfgFile,
-		StateFilePath: c.stateFile,
-	})
-	if err != nil {
-		return err
+
+	var cfg *profilemanager.Config
+	var err error
+
+	// Use preloaded config if available (tvOS where file writes are blocked)
+	if c.preloadedConfig != nil {
+		log.Infof("Run: using preloaded config from memory")
+		cfg = c.preloadedConfig
+	} else {
+		log.Infof("Run: loading config from file")
+		// Use DirectUpdateOrCreateConfig to avoid atomic file operations (temp file + rename)
+		// which are blocked by the tvOS sandbox in App Group containers
+		cfg, err = profilemanager.DirectUpdateOrCreateConfig(profilemanager.ConfigInput{
+			ConfigPath:    c.cfgFile,
+			StateFilePath: c.stateFile,
+		})
+		if err != nil {
+			return err
+		}
 	}
 	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
 	c.recorder.UpdateRosenpass(cfg.RosenpassEnabled, cfg.RosenpassPermissive)
@@ -120,7 +149,7 @@ func (c *Client) Run(fd int32, interfaceName string, envList *EnvList) error {
 	c.ctxCancelLock.Unlock()
 
 	auth := NewAuthWithConfig(ctx, cfg)
-	err = auth.Login()
+	err = auth.LoginSync()
 	if err != nil {
 		return err
 	}
@@ -208,14 +237,45 @@ func (c *Client) IsLoginRequired() bool {
 	defer c.ctxCancelLock.Unlock()
 	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
 
-	cfg, _ := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
-		ConfigPath: c.cfgFile,
-	})
+	var cfg *profilemanager.Config
+	var err error
 
-	needsLogin, _ := internal.IsLoginRequired(ctx, cfg)
+	// Use preloaded config if available (tvOS where file writes are blocked)
+	if c.preloadedConfig != nil {
+		log.Infof("IsLoginRequired: using preloaded config from memory")
+		cfg = c.preloadedConfig
+	} else {
+		log.Infof("IsLoginRequired: loading config from file")
+		// Use DirectUpdateOrCreateConfig to avoid atomic file operations (temp file + rename)
+		// which are blocked by the tvOS sandbox in App Group containers
+		cfg, err = profilemanager.DirectUpdateOrCreateConfig(profilemanager.ConfigInput{
+			ConfigPath: c.cfgFile,
+		})
+		if err != nil {
+			log.Errorf("IsLoginRequired: failed to load config: %v", err)
+			// If we can't load config, assume login is required
+			return true
+		}
+	}
+
+	if cfg == nil {
+		log.Errorf("IsLoginRequired: config is nil")
+		return true
+	}
+
+	needsLogin, err := internal.IsLoginRequired(ctx, cfg)
+	if err != nil {
+		log.Errorf("IsLoginRequired: check failed: %v", err)
+		// If the check fails, assume login is required to be safe
+		return true
+	}
+	log.Infof("IsLoginRequired: needsLogin=%v", needsLogin)
 	return needsLogin
 }
 
+// loginForMobileAuthTimeout is the timeout for requesting auth info from the server
+const loginForMobileAuthTimeout = 30 * time.Second
+
 func (c *Client) LoginForMobile() string {
 	var ctx context.Context
 	//nolint
@@ -228,16 +288,26 @@ func (c *Client) LoginForMobile() string {
 	defer c.ctxCancelLock.Unlock()
 	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
 
-	cfg, _ := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
+	// Use DirectUpdateOrCreateConfig to avoid atomic file operations (temp file + rename)
+	// which are blocked by the tvOS sandbox in App Group containers
+	cfg, err := profilemanager.DirectUpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
+	if err != nil {
+		log.Errorf("LoginForMobile: failed to load config: %v", err)
+		return fmt.Sprintf("failed to load config: %v", err)
+	}
 
 	oAuthFlow, err := auth.NewOAuthFlow(ctx, cfg, false, false, "")
 	if err != nil {
 		return err.Error()
 	}
 
-	flowInfo, err := oAuthFlow.RequestAuthInfo(context.TODO())
+	// Use a bounded timeout for the auth info request to prevent indefinite hangs
+	authInfoCtx, authInfoCancel := context.WithTimeout(ctx, loginForMobileAuthTimeout)
+	defer authInfoCancel()
+
+	flowInfo, err := oAuthFlow.RequestAuthInfo(authInfoCtx)
 	if err != nil {
 		return err.Error()
 	}
@@ -249,10 +319,14 @@ func (c *Client) LoginForMobile() string {
 		defer cancel()
 		tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
 		if err != nil {
+			log.Errorf("LoginForMobile: WaitToken failed: %v", err)
 			return
 		}
 		jwtToken := tokenInfo.GetTokenToUse()
-		_ = internal.Login(ctx, cfg, "", jwtToken)
+		if err := internal.Login(ctx, cfg, "", jwtToken); err != nil {
+			log.Errorf("LoginForMobile: Login failed: %v", err)
+			return
+		}
 		c.loginComplete = true
 	}()
 

client/ios/NetBirdSDK/login.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/netbirdio/netbird/client/cmd"
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 )
@@ -33,7 +34,8 @@ type ErrListener interface {
 // URLOpener it is a callback interface. The Open function will be triggered if
 // the backend want to show an url for the user
 type URLOpener interface {
-	Open(string)
+	Open(url string, userCode string)
+	OnLoginSuccess()
 }
 
 // Auth can register or login new client
@@ -72,13 +74,32 @@ func NewAuthWithConfig(ctx context.Context, config *profilemanager.Config) *Auth
 // SaveConfigIfSSOSupported test the connectivity with the management server by retrieving the server device flow info.
 // If it returns a flow info than save the configuration and return true. If it gets a codes.NotFound, it means that SSO
 // is not supported and returns false without saving the configuration. For other errors return false.
-func (a *Auth) SaveConfigIfSSOSupported() (bool, error) {
+func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
+	if listener == nil {
+		log.Errorf("SaveConfigIfSSOSupported: listener is nil")
+		return
+	}
+	go func() {
+		sso, err := a.saveConfigIfSSOSupported()
+		if err != nil {
+			listener.OnError(err)
+		} else {
+			listener.OnSuccess(sso)
+		}
+	}()
+}
+
+func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
 	supportsSSO := true
 	err := a.withBackOff(a.ctx, func() (err error) {
-		_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+		_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL, nil)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
-			_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL, nil)
-			if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
+			_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+			s, ok := gstatus.FromError(err)
+			if !ok {
+				return err
+			}
+			if s.Code() == codes.NotFound || s.Code() == codes.Unimplemented {
 				supportsSSO = false
 				err = nil
 			}
@@ -97,12 +118,29 @@ func (a *Auth) SaveConfigIfSSOSupported() (bool, error) {
 		return false, fmt.Errorf("backoff cycle failed: %v", err)
 	}
 
-	err = profilemanager.WriteOutConfig(a.cfgPath, a.config)
+	// Use DirectWriteOutConfig to avoid atomic file operations (temp file + rename)
+	// which are blocked by the tvOS sandbox in App Group containers
+	err = profilemanager.DirectWriteOutConfig(a.cfgPath, a.config)
 	return true, err
 }
 
 // LoginWithSetupKeyAndSaveConfig test the connectivity with the management server with the setup key.
-func (a *Auth) LoginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
+func (a *Auth) LoginWithSetupKeyAndSaveConfig(resultListener ErrListener, setupKey string, deviceName string) {
+	if resultListener == nil {
+		log.Errorf("LoginWithSetupKeyAndSaveConfig: resultListener is nil")
+		return
+	}
+	go func() {
+		err := a.loginWithSetupKeyAndSaveConfig(setupKey, deviceName)
+		if err != nil {
+			resultListener.OnError(err)
+		} else {
+			resultListener.OnSuccess()
+		}
+	}()
+}
+
+func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
 	//nolint
 	ctxWithValues := context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
 
@@ -118,10 +156,14 @@ func (a *Auth) LoginWithSetupKeyAndSaveConfig(setupKey string, deviceName string
 		return fmt.Errorf("backoff cycle failed: %v", err)
 	}
 
-	return profilemanager.WriteOutConfig(a.cfgPath, a.config)
+	// Use DirectWriteOutConfig to avoid atomic file operations (temp file + rename)
+	// which are blocked by the tvOS sandbox in App Group containers
+	return profilemanager.DirectWriteOutConfig(a.cfgPath, a.config)
 }
 
-func (a *Auth) Login() error {
+// LoginSync performs a synchronous login check without UI interaction
+// Used for background VPN connection where user should already be authenticated
+func (a *Auth) LoginSync() error {
 	var needsLogin bool
 
 	// check if we need to generate JWT token
@@ -135,23 +177,142 @@ func (a *Auth) Login() error {
 
 	jwtToken := ""
 	if needsLogin {
-		return fmt.Errorf("Not authenticated")
+		return fmt.Errorf("not authenticated")
 	}
 
 	err = a.withBackOff(a.ctx, func() error {
 		err := internal.Login(a.ctx, a.config, "", jwtToken)
-		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
-			return nil
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
+			// PermissionDenied means registration is required or peer is blocked
+			return backoff.Permanent(err)
 		}
 		return err
 	})
+	if err != nil {
+		return fmt.Errorf("login failed: %v", err)
+	}
+
+	return nil
+}
+
+// Login performs interactive login with device authentication support
+// Deprecated: Use LoginWithDeviceName instead to ensure proper device naming on tvOS
+func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener, forceDeviceAuth bool) {
+	// Use empty device name - system will use hostname as fallback
+	a.LoginWithDeviceName(resultListener, urlOpener, forceDeviceAuth, "")
+}
+
+// LoginWithDeviceName performs interactive login with device authentication support
+// The deviceName parameter allows specifying a custom device name (required for tvOS)
+func (a *Auth) LoginWithDeviceName(resultListener ErrListener, urlOpener URLOpener, forceDeviceAuth bool, deviceName string) {
+	if resultListener == nil {
+		log.Errorf("LoginWithDeviceName: resultListener is nil")
+		return
+	}
+	if urlOpener == nil {
+		log.Errorf("LoginWithDeviceName: urlOpener is nil")
+		resultListener.OnError(fmt.Errorf("urlOpener is nil"))
+		return
+	}
+	go func() {
+		err := a.login(urlOpener, forceDeviceAuth, deviceName)
+		if err != nil {
+			resultListener.OnError(err)
+		} else {
+			resultListener.OnSuccess()
+		}
+	}()
+}
+
+func (a *Auth) login(urlOpener URLOpener, forceDeviceAuth bool, deviceName string) error {
+	var needsLogin bool
+
+	// Create context with device name if provided
+	ctx := a.ctx
+	if deviceName != "" {
+		//nolint:staticcheck
+		ctx = context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
+	}
+
+	// check if we need to generate JWT token
+	err := a.withBackOff(ctx, func() (err error) {
+		needsLogin, err = internal.IsLoginRequired(ctx, a.config)
+		return
+	})
 	if err != nil {
 		return fmt.Errorf("backoff cycle failed: %v", err)
 	}
 
+	jwtToken := ""
+	if needsLogin {
+		tokenInfo, err := a.foregroundGetTokenInfo(urlOpener, forceDeviceAuth)
+		if err != nil {
+			return fmt.Errorf("interactive sso login failed: %v", err)
+		}
+		jwtToken = tokenInfo.GetTokenToUse()
+	}
+
+	err = a.withBackOff(ctx, func() error {
+		err := internal.Login(ctx, a.config, "", jwtToken)
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
+			// PermissionDenied means registration is required or peer is blocked
+			return backoff.Permanent(err)
+		}
+		return err
+	})
+	if err != nil {
+		return fmt.Errorf("login failed: %v", err)
+	}
+
+	// Save the config before notifying success to ensure persistence completes
+	// before the callback potentially triggers teardown on the Swift side.
+	// Note: This differs from Android which doesn't save config after login.
+	// On iOS/tvOS, we save here because:
+	// 1. The config may have been modified during login (e.g., new tokens)
+	// 2. On tvOS, the Network Extension context may be the only place with
+	//    write permissions to the App Group container
+	if a.cfgPath != "" {
+		if err := profilemanager.DirectWriteOutConfig(a.cfgPath, a.config); err != nil {
+			log.Warnf("failed to save config after login: %v", err)
+		}
+	}
+
+	// Notify caller of successful login synchronously before returning
+	urlOpener.OnLoginSuccess()
+
 	return nil
 }
 
+const authInfoRequestTimeout = 30 * time.Second
+
+func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener, forceDeviceAuth bool) (*auth.TokenInfo, error) {
+	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false, forceDeviceAuth, "")
+	if err != nil {
+		return nil, err
+	}
+
+	// Use a bounded timeout for the auth info request to prevent indefinite hangs
+	authInfoCtx, authInfoCancel := context.WithTimeout(a.ctx, authInfoRequestTimeout)
+	defer authInfoCancel()
+
+	flowInfo, err := oAuthFlow.RequestAuthInfo(authInfoCtx)
+	if err != nil {
+		return nil, fmt.Errorf("getting a request OAuth flow info failed: %v", err)
+	}
+
+	urlOpener.Open(flowInfo.VerificationURIComplete, flowInfo.UserCode)
+
+	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
+	waitCTX, cancel := context.WithTimeout(a.ctx, waitTimeout)
+	defer cancel()
+	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
+	if err != nil {
+		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
+	}
+
+	return &tokenInfo, nil
+}
+
 func (a *Auth) withBackOff(ctx context.Context, bf func() error) error {
 	return backoff.RetryNotify(
 		bf,
@@ -160,3 +321,24 @@ func (a *Auth) withBackOff(ctx context.Context, bf func() error) error {
 			log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
 		})
 }
+
+// GetConfigJSON returns the current config as a JSON string.
+// This can be used by the caller to persist the config via alternative storage
+// mechanisms (e.g., UserDefaults on tvOS where file writes are blocked).
+func (a *Auth) GetConfigJSON() (string, error) {
+	if a.config == nil {
+		return "", fmt.Errorf("no config available")
+	}
+	return profilemanager.ConfigToJSON(a.config)
+}
+
+// SetConfigFromJSON loads config from a JSON string.
+// This can be used to restore config from alternative storage mechanisms.
+func (a *Auth) SetConfigFromJSON(jsonStr string) error {
+	cfg, err := profilemanager.ConfigFromJSON(jsonStr)
+	if err != nil {
+		return err
+	}
+	a.config = cfg
+	return nil
+}

client/ios/NetBirdSDK/preferences.go

@@ -112,6 +112,8 @@ func (p *Preferences) GetRosenpassPermissive() (bool, error) {
 
 // Commit write out the changes into config file
 func (p *Preferences) Commit() error {
-	_, err := profilemanager.UpdateOrCreateConfig(p.configInput)
+	// Use DirectUpdateOrCreateConfig to avoid atomic file operations (temp file + rename)
+	// which are blocked by the tvOS sandbox in App Group containers
+	_, err := profilemanager.DirectUpdateOrCreateConfig(p.configInput)
 	return err
 }

client/proto/daemon.pb.go

@@ -2013,6 +2013,7 @@ type SSHSessionInfo struct {
 	RemoteAddress string                 `protobuf:"bytes,2,opt,name=remoteAddress,proto3" json:"remoteAddress,omitempty"`
 	Command       string                 `protobuf:"bytes,3,opt,name=command,proto3" json:"command,omitempty"`
 	JwtUsername   string                 `protobuf:"bytes,4,opt,name=jwtUsername,proto3" json:"jwtUsername,omitempty"`
+	PortForwards  []string               `protobuf:"bytes,5,rep,name=portForwards,proto3" json:"portForwards,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -2075,6 +2076,13 @@ func (x *SSHSessionInfo) GetJwtUsername() string {
 	return ""
 }
 
+func (x *SSHSessionInfo) GetPortForwards() []string {
+	if x != nil {
+		return x.PortForwards
+	}
+	return nil
+}
+
 // SSHServerState contains the latest state of the SSH server
 type SSHServerState struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
@@ -5706,12 +5714,13 @@ const file_daemon_proto_rawDesc = "" +
 	"\aservers\x18\x01 \x03(\tR\aservers\x12\x18\n" +
 	"\adomains\x18\x02 \x03(\tR\adomains\x12\x18\n" +
 	"\aenabled\x18\x03 \x01(\bR\aenabled\x12\x14\n" +
-	"\x05error\x18\x04 \x01(\tR\x05error\"\x8e\x01\n" +
+	"\x05error\x18\x04 \x01(\tR\x05error\"\xb2\x01\n" +
 	"\x0eSSHSessionInfo\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12$\n" +
 	"\rremoteAddress\x18\x02 \x01(\tR\rremoteAddress\x12\x18\n" +
 	"\acommand\x18\x03 \x01(\tR\acommand\x12 \n" +
-	"\vjwtUsername\x18\x04 \x01(\tR\vjwtUsername\"^\n" +
+	"\vjwtUsername\x18\x04 \x01(\tR\vjwtUsername\x12\"\n" +
+	"\fportForwards\x18\x05 \x03(\tR\fportForwards\"^\n" +
 	"\x0eSSHServerState\x12\x18\n" +
 	"\aenabled\x18\x01 \x01(\bR\aenabled\x122\n" +
 	"\bsessions\x18\x02 \x03(\v2\x16.daemon.SSHSessionInfoR\bsessions\"\xaf\x04\n" +

client/proto/daemon.proto

@@ -372,6 +372,7 @@ message SSHSessionInfo {
   string remoteAddress = 2;
   string command = 3;
   string jwtUsername = 4;
+  repeated string portForwards = 5;
 }
 
 // SSHServerState contains the latest state of the SSH server

client/server/panic_windows.go

@@ -1,5 +1,4 @@
 //go:build windows
-// +build windows
 
 package server
 

client/server/server.go

@@ -145,10 +145,10 @@ func (s *Server) Start() error {
 	ctx, cancel := context.WithCancel(s.rootCtx)
 	s.actCancel = cancel
 
-	// set the default config if not exists
-	if err := s.setDefaultConfigIfNotExists(ctx); err != nil {
-		log.Errorf("failed to set default config: %v", err)
-		return fmt.Errorf("failed to set default config: %w", err)
+	// copy old default config
+	_, err = s.profileManager.CopyDefaultProfileIfNotExists()
+	if err != nil && !errors.Is(err, profilemanager.ErrorOldDefaultConfigNotFound) {
+		return err
 	}
 
 	activeProf, err := s.profileManager.GetActiveProfileState()
@@ -156,23 +156,11 @@ func (s *Server) Start() error {
 		return fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
-	config, err := s.getConfig(activeProf)
+	config, existingConfig, err := s.getConfig(activeProf)
 	if err != nil {
 		log.Errorf("failed to get active profile config: %v", err)
 
-		if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
-			Name:     "default",
-			Username: "",
-		}); err != nil {
-			log.Errorf("failed to set active profile state: %v", err)
-			return fmt.Errorf("failed to set active profile state: %w", err)
-		}
-
-		config, err = profilemanager.GetConfig(s.profileManager.DefaultProfilePath())
-		if err != nil {
-			log.Errorf("failed to get default profile config: %v", err)
-			return fmt.Errorf("failed to get default profile config: %w", err)
-		}
+		return err
 	}
 	s.config = config
 
@@ -186,6 +174,13 @@ func (s *Server) Start() error {
 	}
 
 	if config.DisableAutoConnect {
+		state.Set(internal.StatusIdle)
+		return nil
+	}
+
+	if !existingConfig {
+		log.Warnf("not trying to connect when configuration was just created")
+		state.Set(internal.StatusNeedsLogin)
 		return nil
 	}
 
@@ -196,30 +191,6 @@ func (s *Server) Start() error {
 	return nil
 }
 
-func (s *Server) setDefaultConfigIfNotExists(ctx context.Context) error {
-	ok, err := s.profileManager.CopyDefaultProfileIfNotExists()
-	if err != nil {
-		if err := s.profileManager.CreateDefaultProfile(); err != nil {
-			log.Errorf("failed to create default profile: %v", err)
-			return fmt.Errorf("failed to create default profile: %w", err)
-		}
-
-		if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
-			Name:     "default",
-			Username: "",
-		}); err != nil {
-			log.Errorf("failed to set active profile state: %v", err)
-			return fmt.Errorf("failed to set active profile state: %w", err)
-		}
-	}
-	if ok {
-		state := internal.CtxGetState(ctx)
-		state.Set(internal.StatusNeedsLogin)
-	}
-
-	return nil
-}
-
 // connectWithRetryRuns runs the client connection with a backoff strategy where we retry the operation as additional
 // mechanism to keep the client connected even when the connection is lost.
 // we cancel retry if the client receive a stop or down command, or if disable auto connect is configured.
@@ -487,7 +458,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 
 	s.mutex.Unlock()
 
-	config, err := s.getConfig(activeProf)
+	config, _, err := s.getConfig(activeProf)
 	if err != nil {
 		log.Errorf("failed to get active profile config: %v", err)
 		return nil, fmt.Errorf("failed to get active profile config: %w", err)
@@ -716,7 +687,7 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 
 	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)
 
-	config, err := s.getConfig(activeProf)
+	config, _, err := s.getConfig(activeProf)
 	if err != nil {
 		log.Errorf("failed to get active profile config: %v", err)
 		return nil, fmt.Errorf("failed to get active profile config: %w", err)
@@ -811,7 +782,7 @@ func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfi
 		log.Errorf("failed to get active profile state: %v", err)
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
-	config, err := s.getConfig(activeProf)
+	config, _, err := s.getConfig(activeProf)
 	if err != nil {
 		log.Errorf("failed to get default profile config: %v", err)
 		return nil, fmt.Errorf("failed to get default profile config: %w", err)
@@ -908,7 +879,7 @@ func (s *Server) handleActiveProfileLogout(ctx context.Context) (*proto.LogoutRe
 			return nil, gstatus.Errorf(codes.FailedPrecondition, "failed to get active profile state: %v", err)
 		}
 
-		config, err := s.getConfig(activeProf)
+		config, _, err := s.getConfig(activeProf)
 		if err != nil {
 			return nil, gstatus.Errorf(codes.FailedPrecondition, "not logged in")
 		}
@@ -932,19 +903,24 @@ func (s *Server) handleActiveProfileLogout(ctx context.Context) (*proto.LogoutRe
 	return &proto.LogoutResponse{}, nil
 }
 
-// getConfig loads the config from the active profile
-func (s *Server) getConfig(activeProf *profilemanager.ActiveProfileState) (*profilemanager.Config, error) {
+// GetConfig reads config file and returns Config and whether the config file already existed. Errors out if it does not exist
+func (s *Server) getConfig(activeProf *profilemanager.ActiveProfileState) (*profilemanager.Config, bool, error) {
 	cfgPath, err := activeProf.FilePath()
 	if err != nil {
-		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
+		return nil, false, fmt.Errorf("failed to get active profile file path: %w", err)
 	}
 
-	config, err := profilemanager.GetConfig(cfgPath)
+	_, err = os.Stat(cfgPath)
+	configExisted := !os.IsNotExist(err)
+
+	log.Infof("active profile config existed: %t, err %v", configExisted, err)
+
+	config, err := profilemanager.ReadConfig(cfgPath)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get config: %w", err)
+		return nil, false, fmt.Errorf("failed to get config: %w", err)
 	}
 
-	return config, nil
+	return config, configExisted, nil
 }
 
 func (s *Server) canRemoveProfile(profileName string) error {
@@ -1128,6 +1104,7 @@ func (s *Server) getSSHServerState() *proto.SSHServerState {
 			RemoteAddress: session.RemoteAddress,
 			Command:       session.Command,
 			JwtUsername:   session.JWTUsername,
+			PortForwards:  session.PortForwards,
 		})
 	}
 

client/server/server_test.go

@@ -326,7 +326,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/ssh/auth/auth.go

@@ -0,0 +1,177 @@
+package auth
+
+import (
+	"errors"
+	"fmt"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	sshuserhash "github.com/netbirdio/netbird/shared/sshauth"
+)
+
+const (
+	// DefaultUserIDClaim is the default JWT claim used to extract user IDs
+	DefaultUserIDClaim = "sub"
+	// Wildcard is a special user ID that matches all users
+	Wildcard = "*"
+)
+
+var (
+	ErrEmptyUserID           = errors.New("JWT user ID is empty")
+	ErrUserNotAuthorized     = errors.New("user is not authorized to access this peer")
+	ErrNoMachineUserMapping  = errors.New("no authorization mapping for OS user")
+	ErrUserNotMappedToOSUser = errors.New("user is not authorized to login as OS user")
+)
+
+// Authorizer handles SSH fine-grained access control authorization
+type Authorizer struct {
+	// UserIDClaim is the JWT claim to extract the user ID from
+	userIDClaim string
+
+	// authorizedUsers is a list of hashed user IDs authorized to access this peer
+	authorizedUsers []sshuserhash.UserIDHash
+
+	// machineUsers maps OS login usernames to lists of authorized user indexes
+	machineUsers map[string][]uint32
+
+	// mu protects the list of users
+	mu sync.RWMutex
+}
+
+// Config contains configuration for the SSH authorizer
+type Config struct {
+	// UserIDClaim is the JWT claim to extract the user ID from (e.g., "sub", "email")
+	UserIDClaim string
+
+	// AuthorizedUsers is a list of hashed user IDs (FNV-1a 64-bit) authorized to access this peer
+	AuthorizedUsers []sshuserhash.UserIDHash
+
+	// MachineUsers maps OS login usernames to indexes in AuthorizedUsers
+	// If a user wants to login as a specific OS user, their index must be in the corresponding list
+	MachineUsers map[string][]uint32
+}
+
+// NewAuthorizer creates a new SSH authorizer with empty configuration
+func NewAuthorizer() *Authorizer {
+	a := &Authorizer{
+		userIDClaim:  DefaultUserIDClaim,
+		machineUsers: make(map[string][]uint32),
+	}
+
+	return a
+}
+
+// Update updates the authorizer configuration with new values
+func (a *Authorizer) Update(config *Config) {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+
+	if config == nil {
+		// Clear authorization
+		a.userIDClaim = DefaultUserIDClaim
+		a.authorizedUsers = []sshuserhash.UserIDHash{}
+		a.machineUsers = make(map[string][]uint32)
+		log.Info("SSH authorization cleared")
+		return
+	}
+
+	userIDClaim := config.UserIDClaim
+	if userIDClaim == "" {
+		userIDClaim = DefaultUserIDClaim
+	}
+	a.userIDClaim = userIDClaim
+
+	// Store authorized users list
+	a.authorizedUsers = config.AuthorizedUsers
+
+	// Store machine users mapping
+	machineUsers := make(map[string][]uint32)
+	for osUser, indexes := range config.MachineUsers {
+		if len(indexes) > 0 {
+			machineUsers[osUser] = indexes
+		}
+	}
+	a.machineUsers = machineUsers
+
+	log.Debugf("SSH auth: updated with %d authorized users, %d machine user mappings",
+		len(config.AuthorizedUsers), len(machineUsers))
+}
+
+// Authorize validates if a user is authorized to login as the specified OS user.
+// Returns a success message describing how authorization was granted, or an error.
+func (a *Authorizer) Authorize(jwtUserID, osUsername string) (string, error) {
+	if jwtUserID == "" {
+		return "", fmt.Errorf("JWT user ID is empty for OS user %q: %w", osUsername, ErrEmptyUserID)
+	}
+
+	// Hash the JWT user ID for comparison
+	hashedUserID, err := sshuserhash.HashUserID(jwtUserID)
+	if err != nil {
+		return "", fmt.Errorf("hash user ID %q for OS user %q: %w", jwtUserID, osUsername, err)
+	}
+
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+
+	// Find the index of this user in the authorized list
+	userIndex, found := a.findUserIndex(hashedUserID)
+	if !found {
+		return "", fmt.Errorf("user %q (hash: %s) not in authorized list for OS user %q: %w", jwtUserID, hashedUserID, osUsername, ErrUserNotAuthorized)
+	}
+
+	return a.checkMachineUserMapping(jwtUserID, osUsername, userIndex)
+}
+
+// checkMachineUserMapping validates if a user's index is authorized for the specified OS user
+// Checks wildcard mapping first, then specific OS user mappings
+func (a *Authorizer) checkMachineUserMapping(jwtUserID, osUsername string, userIndex int) (string, error) {
+	// If wildcard exists and user's index is in the wildcard list, allow access to any OS user
+	if wildcardIndexes, hasWildcard := a.machineUsers[Wildcard]; hasWildcard {
+		if a.isIndexInList(uint32(userIndex), wildcardIndexes) {
+			return fmt.Sprintf("granted via wildcard (index: %d)", userIndex), nil
+		}
+	}
+
+	// Check for specific OS username mapping
+	allowedIndexes, hasMachineUserMapping := a.machineUsers[osUsername]
+	if !hasMachineUserMapping {
+		// No mapping for this OS user - deny by default (fail closed)
+		return "", fmt.Errorf("no machine user mapping for OS user %q (JWT user: %s): %w", osUsername, jwtUserID, ErrNoMachineUserMapping)
+	}
+
+	// Check if user's index is in the allowed indexes for this specific OS user
+	if !a.isIndexInList(uint32(userIndex), allowedIndexes) {
+		return "", fmt.Errorf("user %q not mapped to OS user %q (index: %d): %w", jwtUserID, osUsername, userIndex, ErrUserNotMappedToOSUser)
+	}
+
+	return fmt.Sprintf("granted (index: %d)", userIndex), nil
+}
+
+// GetUserIDClaim returns the JWT claim name used to extract user IDs
+func (a *Authorizer) GetUserIDClaim() string {
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+	return a.userIDClaim
+}
+
+// findUserIndex finds the index of a hashed user ID in the authorized users list
+// Returns the index and true if found, 0 and false if not found
+func (a *Authorizer) findUserIndex(hashedUserID sshuserhash.UserIDHash) (int, bool) {
+	for i, id := range a.authorizedUsers {
+		if id == hashedUserID {
+			return i, true
+		}
+	}
+	return 0, false
+}
+
+// isIndexInList checks if an index exists in a list of indexes
+func (a *Authorizer) isIndexInList(index uint32, indexes []uint32) bool {
+	for _, idx := range indexes {
+		if idx == index {
+			return true
+		}
+	}
+	return false
+}

client/ssh/auth/auth_test.go

@@ -0,0 +1,612 @@
+package auth
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/shared/sshauth"
+)
+
+func TestAuthorizer_Authorize_UserNotInList(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Set up authorized users list with one user
+	authorizedUserHash, err := sshauth.HashUserID("authorized-user")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{authorizedUserHash},
+		MachineUsers:    map[string][]uint32{},
+	}
+	authorizer.Update(config)
+
+	// Try to authorize a different user
+	_, err = authorizer.Authorize("unauthorized-user", "root")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotAuthorized)
+}
+
+func TestAuthorizer_Authorize_UserInList_NoMachineUserRestrictions(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+	user2Hash, err := sshauth.HashUserID("user2")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash, user2Hash},
+		MachineUsers:    map[string][]uint32{}, // Empty = deny all (fail closed)
+	}
+	authorizer.Update(config)
+
+	// All attempts should fail when no machine user mappings exist (fail closed)
+	_, err = authorizer.Authorize("user1", "root")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+
+	_, err = authorizer.Authorize("user2", "admin")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+
+	_, err = authorizer.Authorize("user1", "postgres")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+}
+
+func TestAuthorizer_Authorize_UserInList_WithMachineUserMapping_Allowed(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+	user2Hash, err := sshauth.HashUserID("user2")
+	require.NoError(t, err)
+	user3Hash, err := sshauth.HashUserID("user3")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash, user2Hash, user3Hash},
+		MachineUsers: map[string][]uint32{
+			"root":     {0, 1}, // user1 and user2 can access root
+			"postgres": {1, 2}, // user2 and user3 can access postgres
+			"admin":    {0},    // only user1 can access admin
+		},
+	}
+	authorizer.Update(config)
+
+	// user1 (index 0) should access root and admin
+	_, err = authorizer.Authorize("user1", "root")
+	assert.NoError(t, err)
+
+	_, err = authorizer.Authorize("user1", "admin")
+	assert.NoError(t, err)
+
+	// user2 (index 1) should access root and postgres
+	_, err = authorizer.Authorize("user2", "root")
+	assert.NoError(t, err)
+
+	_, err = authorizer.Authorize("user2", "postgres")
+	assert.NoError(t, err)
+
+	// user3 (index 2) should access postgres
+	_, err = authorizer.Authorize("user3", "postgres")
+	assert.NoError(t, err)
+}
+
+func TestAuthorizer_Authorize_UserInList_WithMachineUserMapping_Denied(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Set up authorized users list
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+	user2Hash, err := sshauth.HashUserID("user2")
+	require.NoError(t, err)
+	user3Hash, err := sshauth.HashUserID("user3")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash, user2Hash, user3Hash},
+		MachineUsers: map[string][]uint32{
+			"root":     {0, 1}, // user1 and user2 can access root
+			"postgres": {1, 2}, // user2 and user3 can access postgres
+			"admin":    {0},    // only user1 can access admin
+		},
+	}
+	authorizer.Update(config)
+
+	// user1 (index 0) should NOT access postgres
+	_, err = authorizer.Authorize("user1", "postgres")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)
+
+	// user2 (index 1) should NOT access admin
+	_, err = authorizer.Authorize("user2", "admin")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)
+
+	// user3 (index 2) should NOT access root
+	_, err = authorizer.Authorize("user3", "root")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)
+
+	// user3 (index 2) should NOT access admin
+	_, err = authorizer.Authorize("user3", "admin")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)
+}
+
+func TestAuthorizer_Authorize_UserInList_OSUserNotInMapping(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Set up authorized users list
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash},
+		MachineUsers: map[string][]uint32{
+			"root": {0}, // only root is mapped
+		},
+	}
+	authorizer.Update(config)
+
+	// user1 should NOT access an unmapped OS user (fail closed)
+	_, err = authorizer.Authorize("user1", "postgres")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+}
+
+func TestAuthorizer_Authorize_EmptyJWTUserID(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Set up authorized users list
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash},
+		MachineUsers:    map[string][]uint32{},
+	}
+	authorizer.Update(config)
+
+	// Empty user ID should fail
+	_, err = authorizer.Authorize("", "root")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrEmptyUserID)
+}
+
+func TestAuthorizer_Authorize_MultipleUsersInList(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Set up multiple authorized users
+	userHashes := make([]sshauth.UserIDHash, 10)
+	for i := 0; i < 10; i++ {
+		hash, err := sshauth.HashUserID("user" + string(rune('0'+i)))
+		require.NoError(t, err)
+		userHashes[i] = hash
+	}
+
+	// Create machine user mapping for all users
+	rootIndexes := make([]uint32, 10)
+	for i := 0; i < 10; i++ {
+		rootIndexes[i] = uint32(i)
+	}
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: userHashes,
+		MachineUsers: map[string][]uint32{
+			"root": rootIndexes,
+		},
+	}
+	authorizer.Update(config)
+
+	// All users should be authorized for root
+	for i := 0; i < 10; i++ {
+		_, err := authorizer.Authorize("user"+string(rune('0'+i)), "root")
+		assert.NoError(t, err, "user%d should be authorized", i)
+	}
+
+	// User not in list should fail
+	_, err := authorizer.Authorize("unknown-user", "root")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotAuthorized)
+}
+
+func TestAuthorizer_Update_ClearsConfiguration(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Set up initial configuration
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash},
+		MachineUsers:    map[string][]uint32{"root": {0}},
+	}
+	authorizer.Update(config)
+
+	// user1 should be authorized
+	_, err = authorizer.Authorize("user1", "root")
+	assert.NoError(t, err)
+
+	// Clear configuration
+	authorizer.Update(nil)
+
+	// user1 should no longer be authorized
+	_, err = authorizer.Authorize("user1", "root")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotAuthorized)
+}
+
+func TestAuthorizer_Update_EmptyMachineUsersListEntries(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+
+	// Machine users with empty index lists should be filtered out
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash},
+		MachineUsers: map[string][]uint32{
+			"root":     {0},
+			"postgres": {},  // empty list - should be filtered out
+			"admin":    nil, // nil list - should be filtered out
+		},
+	}
+	authorizer.Update(config)
+
+	// root should work
+	_, err = authorizer.Authorize("user1", "root")
+	assert.NoError(t, err)
+
+	// postgres should fail (no mapping)
+	_, err = authorizer.Authorize("user1", "postgres")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+
+	// admin should fail (no mapping)
+	_, err = authorizer.Authorize("user1", "admin")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+}
+
+func TestAuthorizer_CustomUserIDClaim(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Set up with custom user ID claim
+	user1Hash, err := sshauth.HashUserID("user@example.com")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     "email",
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash},
+		MachineUsers: map[string][]uint32{
+			"root": {0},
+		},
+	}
+	authorizer.Update(config)
+
+	// Verify the custom claim is set
+	assert.Equal(t, "email", authorizer.GetUserIDClaim())
+
+	// Authorize with email as user ID
+	_, err = authorizer.Authorize("user@example.com", "root")
+	assert.NoError(t, err)
+}
+
+func TestAuthorizer_DefaultUserIDClaim(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Verify default claim
+	assert.Equal(t, DefaultUserIDClaim, authorizer.GetUserIDClaim())
+	assert.Equal(t, "sub", authorizer.GetUserIDClaim())
+
+	// Set up with empty user ID claim (should use default)
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     "", // empty - should use default
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash},
+		MachineUsers:    map[string][]uint32{},
+	}
+	authorizer.Update(config)
+
+	// Should fall back to default
+	assert.Equal(t, DefaultUserIDClaim, authorizer.GetUserIDClaim())
+}
+
+func TestAuthorizer_MachineUserMapping_LargeIndexes(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Create a large authorized users list
+	const numUsers = 1000
+	userHashes := make([]sshauth.UserIDHash, numUsers)
+	for i := 0; i < numUsers; i++ {
+		hash, err := sshauth.HashUserID("user" + string(rune(i)))
+		require.NoError(t, err)
+		userHashes[i] = hash
+	}
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: userHashes,
+		MachineUsers: map[string][]uint32{
+			"root": {0, 500, 999}, // first, middle, and last user
+		},
+	}
+	authorizer.Update(config)
+
+	// First user should have access
+	_, err := authorizer.Authorize("user"+string(rune(0)), "root")
+	assert.NoError(t, err)
+
+	// Middle user should have access
+	_, err = authorizer.Authorize("user"+string(rune(500)), "root")
+	assert.NoError(t, err)
+
+	// Last user should have access
+	_, err = authorizer.Authorize("user"+string(rune(999)), "root")
+	assert.NoError(t, err)
+
+	// User not in mapping should NOT have access
+	_, err = authorizer.Authorize("user"+string(rune(100)), "root")
+	assert.Error(t, err)
+}
+
+func TestAuthorizer_ConcurrentAuthorization(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	// Set up authorized users
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+	user2Hash, err := sshauth.HashUserID("user2")
+	require.NoError(t, err)
+
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash, user2Hash},
+		MachineUsers: map[string][]uint32{
+			"root": {0, 1},
+		},
+	}
+	authorizer.Update(config)
+
+	// Test concurrent authorization calls (should be safe to read concurrently)
+	const numGoroutines = 100
+	errChan := make(chan error, numGoroutines)
+
+	for i := 0; i < numGoroutines; i++ {
+		go func(idx int) {
+			user := "user1"
+			if idx%2 == 0 {
+				user = "user2"
+			}
+			_, err := authorizer.Authorize(user, "root")
+			errChan <- err
+		}(i)
+	}
+
+	// Wait for all goroutines to complete and collect errors
+	for i := 0; i < numGoroutines; i++ {
+		err := <-errChan
+		assert.NoError(t, err)
+	}
+}
+
+func TestAuthorizer_Wildcard_AllowsAllAuthorizedUsers(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+	user2Hash, err := sshauth.HashUserID("user2")
+	require.NoError(t, err)
+	user3Hash, err := sshauth.HashUserID("user3")
+	require.NoError(t, err)
+
+	// Configure with wildcard - all authorized users can access any OS user
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash, user2Hash, user3Hash},
+		MachineUsers: map[string][]uint32{
+			"*": {0, 1, 2}, // wildcard with all user indexes
+		},
+	}
+	authorizer.Update(config)
+
+	// All authorized users should be able to access any OS user
+	_, err = authorizer.Authorize("user1", "root")
+	assert.NoError(t, err)
+
+	_, err = authorizer.Authorize("user2", "postgres")
+	assert.NoError(t, err)
+
+	_, err = authorizer.Authorize("user3", "admin")
+	assert.NoError(t, err)
+
+	_, err = authorizer.Authorize("user1", "ubuntu")
+	assert.NoError(t, err)
+
+	_, err = authorizer.Authorize("user2", "nginx")
+	assert.NoError(t, err)
+
+	_, err = authorizer.Authorize("user3", "docker")
+	assert.NoError(t, err)
+}
+
+func TestAuthorizer_Wildcard_UnauthorizedUserStillDenied(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+
+	// Configure with wildcard
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash},
+		MachineUsers: map[string][]uint32{
+			"*": {0},
+		},
+	}
+	authorizer.Update(config)
+
+	// user1 should have access
+	_, err = authorizer.Authorize("user1", "root")
+	assert.NoError(t, err)
+
+	// Unauthorized user should still be denied even with wildcard
+	_, err = authorizer.Authorize("unauthorized-user", "root")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotAuthorized)
+}
+
+func TestAuthorizer_Wildcard_TakesPrecedenceOverSpecificMappings(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+	user2Hash, err := sshauth.HashUserID("user2")
+	require.NoError(t, err)
+
+	// Configure with both wildcard and specific mappings
+	// Wildcard takes precedence for users in the wildcard index list
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash, user2Hash},
+		MachineUsers: map[string][]uint32{
+			"*":    {0, 1}, // wildcard for both users
+			"root": {0},    // specific mapping that would normally restrict to user1 only
+		},
+	}
+	authorizer.Update(config)
+
+	// Both users should be able to access root via wildcard (takes precedence over specific mapping)
+	_, err = authorizer.Authorize("user1", "root")
+	assert.NoError(t, err)
+
+	_, err = authorizer.Authorize("user2", "root")
+	assert.NoError(t, err)
+
+	// Both users should be able to access any other OS user via wildcard
+	_, err = authorizer.Authorize("user1", "postgres")
+	assert.NoError(t, err)
+
+	_, err = authorizer.Authorize("user2", "admin")
+	assert.NoError(t, err)
+}
+
+func TestAuthorizer_NoWildcard_SpecificMappingsOnly(t *testing.T) {
+	authorizer := NewAuthorizer()
+
+	user1Hash, err := sshauth.HashUserID("user1")
+	require.NoError(t, err)
+	user2Hash, err := sshauth.HashUserID("user2")
+	require.NoError(t, err)
+
+	// Configure WITHOUT wildcard - only specific mappings
+	config := &Config{
+		UserIDClaim:     DefaultUserIDClaim,
+		AuthorizedUsers: []sshauth.UserIDHash{user1Hash, user2Hash},
+		MachineUsers: map[string][]uint32{
+			"root":     {0}, // only user1
+			"postgres": {1}, // only user2
+		},
+	}
+	authorizer.Update(config)
+
+	// user1 can access root
+	_, err = authorizer.Authorize("user1", "root")
+	assert.NoError(t, err)
+
+	// user2 can access postgres
+	_, err = authorizer.Authorize("user2", "postgres")
+	assert.NoError(t, err)
+
+	// user1 cannot access postgres
+	_, err = authorizer.Authorize("user1", "postgres")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)
+
+	// user2 cannot access root
+	_, err = authorizer.Authorize("user2", "root")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotMappedToOSUser)
+
+	// Neither can access unmapped OS users
+	_, err = authorizer.Authorize("user1", "admin")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+
+	_, err = authorizer.Authorize("user2", "admin")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+}
+
+func TestAuthorizer_Wildcard_WithPartialIndexes_AllowsAllUsers(t *testing.T) {
+	// This test covers the scenario where wildcard exists with limited indexes.
+	// Only users whose indexes are in the wildcard list can access any OS user via wildcard.
+	// Other users can only access OS users they are explicitly mapped to.
+	authorizer := NewAuthorizer()
+
+	// Create two authorized user hashes (simulating the base64-encoded hashes in the config)
+	wasmHash, err := sshauth.HashUserID("wasm")
+	require.NoError(t, err)
+	user2Hash, err := sshauth.HashUserID("user2")
+	require.NoError(t, err)
+
+	// Configure with wildcard having only index 0, and specific mappings for other OS users
+	config := &Config{
+		UserIDClaim:     "sub",
+		AuthorizedUsers: []sshauth.UserIDHash{wasmHash, user2Hash},
+		MachineUsers: map[string][]uint32{
+			"*":     {0}, // wildcard with only index 0 - only wasm has wildcard access
+			"alice": {1}, // specific mapping for user2
+			"bob":   {1}, // specific mapping for user2
+		},
+	}
+	authorizer.Update(config)
+
+	// wasm (index 0) should access any OS user via wildcard
+	_, err = authorizer.Authorize("wasm", "root")
+	assert.NoError(t, err, "wasm should access root via wildcard")
+
+	_, err = authorizer.Authorize("wasm", "alice")
+	assert.NoError(t, err, "wasm should access alice via wildcard")
+
+	_, err = authorizer.Authorize("wasm", "bob")
+	assert.NoError(t, err, "wasm should access bob via wildcard")
+
+	_, err = authorizer.Authorize("wasm", "postgres")
+	assert.NoError(t, err, "wasm should access postgres via wildcard")
+
+	// user2 (index 1) should only access alice and bob (explicitly mapped), NOT root or postgres
+	_, err = authorizer.Authorize("user2", "alice")
+	assert.NoError(t, err, "user2 should access alice via explicit mapping")
+
+	_, err = authorizer.Authorize("user2", "bob")
+	assert.NoError(t, err, "user2 should access bob via explicit mapping")
+
+	_, err = authorizer.Authorize("user2", "root")
+	assert.Error(t, err, "user2 should NOT access root (not in wildcard indexes)")
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+
+	_, err = authorizer.Authorize("user2", "postgres")
+	assert.Error(t, err, "user2 should NOT access postgres (not explicitly mapped)")
+	assert.ErrorIs(t, err, ErrNoMachineUserMapping)
+
+	// Unauthorized user should still be denied
+	_, err = authorizer.Authorize("user3", "root")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, ErrUserNotAuthorized, "unauthorized user should be denied")
+}

client/ssh/client/client.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"io"
 	"net"
 	"os"
 	"path/filepath"
@@ -551,14 +550,15 @@ func (c *Client) LocalPortForward(ctx context.Context, localAddr, remoteAddr str
 func (c *Client) handleLocalForward(localConn net.Conn, remoteAddr string) {
 	defer func() {
 		if err := localConn.Close(); err != nil {
-			log.Debugf("local connection close error: %v", err)
+			log.Debugf("local port forwarding: close local connection: %v", err)
 		}
 	}()
 
 	channel, err := c.client.Dial("tcp", remoteAddr)
 	if err != nil {
-		if strings.Contains(err.Error(), "administratively prohibited") {
-			_, _ = fmt.Fprintf(os.Stderr, "channel open failed: administratively prohibited: port forwarding is disabled\n")
+		var openErr *ssh.OpenChannelError
+		if errors.As(err, &openErr) && openErr.Reason == ssh.Prohibited {
+			_, _ = fmt.Fprintf(os.Stderr, "channel open failed: port forwarding is disabled\n")
 		} else {
 			log.Debugf("local port forwarding to %s failed: %v", remoteAddr, err)
 		}
@@ -566,19 +566,11 @@ func (c *Client) handleLocalForward(localConn net.Conn, remoteAddr string) {
 	}
 	defer func() {
 		if err := channel.Close(); err != nil {
-			log.Debugf("remote channel close error: %v", err)
+			log.Debugf("local port forwarding: close remote channel: %v", err)
 		}
 	}()
 
-	go func() {
-		if _, err := io.Copy(channel, localConn); err != nil {
-			log.Debugf("local forward copy error (local->remote): %v", err)
-		}
-	}()
-
-	if _, err := io.Copy(localConn, channel); err != nil {
-		log.Debugf("local forward copy error (remote->local): %v", err)
-	}
+	nbssh.BidirectionalCopy(log.NewEntry(log.StandardLogger()), localConn, channel)
 }
 
 // RemotePortForward sets up remote port forwarding, binding on remote and forwarding to localAddr
@@ -633,7 +625,7 @@ func (c *Client) sendTCPIPForwardRequest(req tcpipForwardMsg) error {
 		return fmt.Errorf("send tcpip-forward request: %w", err)
 	}
 	if !ok {
-		return fmt.Errorf("remote port forwarding denied by server (check if --allow-ssh-remote-port-forwarding is enabled)")
+		return fmt.Errorf("remote port forwarding denied by server")
 	}
 	return nil
 }
@@ -676,7 +668,7 @@ func (c *Client) handleRemoteForwardChannel(newChan ssh.NewChannel, localAddr st
 	}
 	defer func() {
 		if err := channel.Close(); err != nil {
-			log.Debugf("remote channel close error: %v", err)
+			log.Debugf("remote port forwarding: close remote channel: %v", err)
 		}
 	}()
 
@@ -688,19 +680,11 @@ func (c *Client) handleRemoteForwardChannel(newChan ssh.NewChannel, localAddr st
 	}
 	defer func() {
 		if err := localConn.Close(); err != nil {
-			log.Debugf("local connection close error: %v", err)
+			log.Debugf("remote port forwarding: close local connection: %v", err)
 		}
 	}()
 
-	go func() {
-		if _, err := io.Copy(localConn, channel); err != nil {
-			log.Debugf("remote forward copy error (remote->local): %v", err)
-		}
-	}()
-
-	if _, err := io.Copy(channel, localConn); err != nil {
-		log.Debugf("remote forward copy error (local->remote): %v", err)
-	}
+	nbssh.BidirectionalCopy(log.NewEntry(log.StandardLogger()), localConn, channel)
 }
 
 // tcpipForwardMsg represents the structure for tcpip-forward requests

client/ssh/common.go

@@ -193,3 +193,64 @@ func buildAddressList(hostname string, remote net.Addr) []string {
 	}
 	return addresses
 }
+
+// BidirectionalCopy copies data bidirectionally between two io.ReadWriter connections.
+// It waits for both directions to complete before returning.
+// The caller is responsible for closing the connections.
+func BidirectionalCopy(logger *log.Entry, rw1, rw2 io.ReadWriter) {
+	done := make(chan struct{}, 2)
+
+	go func() {
+		if _, err := io.Copy(rw2, rw1); err != nil && !isExpectedCopyError(err) {
+			logger.Debugf("copy error (1->2): %v", err)
+		}
+		done <- struct{}{}
+	}()
+
+	go func() {
+		if _, err := io.Copy(rw1, rw2); err != nil && !isExpectedCopyError(err) {
+			logger.Debugf("copy error (2->1): %v", err)
+		}
+		done <- struct{}{}
+	}()
+
+	<-done
+	<-done
+}
+
+func isExpectedCopyError(err error) bool {
+	return errors.Is(err, io.EOF) || errors.Is(err, context.Canceled)
+}
+
+// BidirectionalCopyWithContext copies data bidirectionally between two io.ReadWriteCloser connections.
+// It waits for both directions to complete or for context cancellation before returning.
+// Both connections are closed when the function returns.
+func BidirectionalCopyWithContext(logger *log.Entry, ctx context.Context, conn1, conn2 io.ReadWriteCloser) {
+	done := make(chan struct{}, 2)
+
+	go func() {
+		if _, err := io.Copy(conn2, conn1); err != nil && !isExpectedCopyError(err) {
+			logger.Debugf("copy error (1->2): %v", err)
+		}
+		done <- struct{}{}
+	}()
+
+	go func() {
+		if _, err := io.Copy(conn1, conn2); err != nil && !isExpectedCopyError(err) {
+			logger.Debugf("copy error (2->1): %v", err)
+		}
+		done <- struct{}{}
+	}()
+
+	select {
+	case <-ctx.Done():
+	case <-done:
+		select {
+		case <-ctx.Done():
+		case <-done:
+		}
+	}
+
+	_ = conn1.Close()
+	_ = conn2.Close()
+}

client/ssh/proxy/proxy.go

@@ -2,6 +2,7 @@ package proxy
 
 import (
 	"context"
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
@@ -42,6 +43,14 @@ type SSHProxy struct {
 	conn          *grpc.ClientConn
 	daemonClient  proto.DaemonServiceClient
 	browserOpener func(string) error
+
+	mu            sync.RWMutex
+	backendClient *cryptossh.Client
+	// jwtToken is set once in runProxySSHServer before any handlers are called,
+	// so concurrent access is safe without additional synchronization.
+	jwtToken string
+
+	forwardedChannelsOnce sync.Once
 }
 
 func New(daemonAddr, targetHost string, targetPort int, stderr io.Writer, browserOpener func(string) error) (*SSHProxy, error) {
@@ -63,6 +72,17 @@ func New(daemonAddr, targetHost string, targetPort int, stderr io.Writer, browse
 }
 
 func (p *SSHProxy) Close() error {
+	p.mu.Lock()
+	backendClient := p.backendClient
+	p.backendClient = nil
+	p.mu.Unlock()
+
+	if backendClient != nil {
+		if err := backendClient.Close(); err != nil {
+			log.Debugf("close backend client: %v", err)
+		}
+	}
+
 	if p.conn != nil {
 		return p.conn.Close()
 	}
@@ -77,16 +97,16 @@ func (p *SSHProxy) Connect(ctx context.Context) error {
 		return fmt.Errorf(jwtAuthErrorMsg, err)
 	}
 
-	return p.runProxySSHServer(ctx, jwtToken)
+	log.Debugf("JWT authentication successful, starting proxy to %s:%d", p.targetHost, p.targetPort)
+	return p.runProxySSHServer(jwtToken)
 }
 
-func (p *SSHProxy) runProxySSHServer(ctx context.Context, jwtToken string) error {
+func (p *SSHProxy) runProxySSHServer(jwtToken string) error {
+	p.jwtToken = jwtToken
 	serverVersion := fmt.Sprintf("%s-%s", detection.ProxyIdentifier, version.NetbirdVersion())
 
 	sshServer := &ssh.Server{
-		Handler: func(s ssh.Session) {
-			p.handleSSHSession(ctx, s, jwtToken)
-		},
+		Handler: p.handleSSHSession,
 		ChannelHandlers: map[string]ssh.ChannelHandler{
 			"session":      ssh.DefaultSessionHandler,
 			"direct-tcpip": p.directTCPIPHandler,
@@ -119,15 +139,20 @@ func (p *SSHProxy) runProxySSHServer(ctx context.Context, jwtToken string) error
 	return nil
 }
 
-func (p *SSHProxy) handleSSHSession(ctx context.Context, session ssh.Session, jwtToken string) {
-	targetAddr := net.JoinHostPort(p.targetHost, strconv.Itoa(p.targetPort))
+func (p *SSHProxy) handleSSHSession(session ssh.Session) {
+	ptyReq, winCh, isPty := session.Pty()
+	hasCommand := len(session.Command()) > 0
 
-	sshClient, err := p.dialBackend(ctx, targetAddr, session.User(), jwtToken)
+	sshClient, err := p.getOrCreateBackendClient(session.Context(), session.User())
 	if err != nil {
 		_, _ = fmt.Fprintf(p.stderr, "SSH connection to NetBird server failed: %v\n", err)
 		return
 	}
-	defer func() { _ = sshClient.Close() }()
+
+	if !isPty && !hasCommand {
+		p.handleNonInteractiveSession(session, sshClient)
+		return
+	}
 
 	serverSession, err := sshClient.NewSession()
 	if err != nil {
@@ -140,7 +165,6 @@ func (p *SSHProxy) handleSSHSession(ctx context.Context, session ssh.Session, jw
 	serverSession.Stdout = session
 	serverSession.Stderr = session.Stderr()
 
-	ptyReq, winCh, isPty := session.Pty()
 	if isPty {
 		if err := serverSession.RequestPty(ptyReq.Term, ptyReq.Window.Width, ptyReq.Window.Height, nil); err != nil {
 			log.Debugf("PTY request to backend: %v", err)
@@ -155,7 +179,7 @@ func (p *SSHProxy) handleSSHSession(ctx context.Context, session ssh.Session, jw
 		}()
 	}
 
-	if len(session.Command()) > 0 {
+	if hasCommand {
 		if err := serverSession.Run(strings.Join(session.Command(), " ")); err != nil {
 			log.Debugf("run command: %v", err)
 			p.handleProxyExitCode(session, err)
@@ -176,12 +200,29 @@ func (p *SSHProxy) handleSSHSession(ctx context.Context, session ssh.Session, jw
 func (p *SSHProxy) handleProxyExitCode(session ssh.Session, err error) {
 	var exitErr *cryptossh.ExitError
 	if errors.As(err, &exitErr) {
-		if exitErr := session.Exit(exitErr.ExitStatus()); exitErr != nil {
-			log.Debugf("set exit status: %v", exitErr)
+		if err := session.Exit(exitErr.ExitStatus()); err != nil {
+			log.Debugf("set exit status: %v", err)
 		}
 	}
 }
 
+func (p *SSHProxy) handleNonInteractiveSession(session ssh.Session, sshClient *cryptossh.Client) {
+	// Create a backend session to mirror the client's session request.
+	// This keeps the connection alive on the server side while port forwarding channels operate.
+	serverSession, err := sshClient.NewSession()
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "create server session: %v\n", err)
+		return
+	}
+	defer func() { _ = serverSession.Close() }()
+
+	<-session.Context().Done()
+
+	if err := session.Exit(0); err != nil {
+		log.Debugf("session exit: %v", err)
+	}
+}
+
 func generateHostKey() (ssh.Signer, error) {
 	keyPEM, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
 	if err != nil {
@@ -250,8 +291,52 @@ func (c *stdioConn) SetWriteDeadline(_ time.Time) error {
 	return nil
 }
 
-func (p *SSHProxy) directTCPIPHandler(_ *ssh.Server, _ *cryptossh.ServerConn, newChan cryptossh.NewChannel, _ ssh.Context) {
-	_ = newChan.Reject(cryptossh.Prohibited, "port forwarding not supported in proxy")
+// directTCPIPHandler handles local port forwarding (direct-tcpip channel).
+func (p *SSHProxy) directTCPIPHandler(_ *ssh.Server, _ *cryptossh.ServerConn, newChan cryptossh.NewChannel, sshCtx ssh.Context) {
+	var payload struct {
+		DestAddr   string
+		DestPort   uint32
+		OriginAddr string
+		OriginPort uint32
+	}
+	if err := cryptossh.Unmarshal(newChan.ExtraData(), &payload); err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "parse direct-tcpip payload: %v\n", err)
+		_ = newChan.Reject(cryptossh.ConnectionFailed, "invalid payload")
+		return
+	}
+
+	dest := fmt.Sprintf("%s:%d", payload.DestAddr, payload.DestPort)
+	log.Debugf("local port forwarding: %s", dest)
+
+	backendClient, err := p.getOrCreateBackendClient(sshCtx, sshCtx.User())
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "backend connection for port forwarding: %v\n", err)
+		_ = newChan.Reject(cryptossh.ConnectionFailed, "backend connection failed")
+		return
+	}
+
+	backendChan, backendReqs, err := backendClient.OpenChannel("direct-tcpip", newChan.ExtraData())
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "open backend channel for %s: %v\n", dest, err)
+		var openErr *cryptossh.OpenChannelError
+		if errors.As(err, &openErr) {
+			_ = newChan.Reject(openErr.Reason, openErr.Message)
+		} else {
+			_ = newChan.Reject(cryptossh.ConnectionFailed, err.Error())
+		}
+		return
+	}
+	go cryptossh.DiscardRequests(backendReqs)
+
+	clientChan, clientReqs, err := newChan.Accept()
+	if err != nil {
+		log.Debugf("local port forwarding: accept channel: %v", err)
+		_ = backendChan.Close()
+		return
+	}
+	go cryptossh.DiscardRequests(clientReqs)
+
+	nbssh.BidirectionalCopyWithContext(log.NewEntry(log.StandardLogger()), sshCtx, clientChan, backendChan)
 }
 
 func (p *SSHProxy) sftpSubsystemHandler(s ssh.Session, jwtToken string) {
@@ -354,12 +439,143 @@ func (p *SSHProxy) runSFTPBridge(ctx context.Context, s ssh.Session, stdin io.Wr
 	}
 }
 
-func (p *SSHProxy) tcpipForwardHandler(_ ssh.Context, _ *ssh.Server, _ *cryptossh.Request) (bool, []byte) {
-	return false, []byte("port forwarding not supported in proxy")
+// tcpipForwardHandler handles remote port forwarding (tcpip-forward request).
+func (p *SSHProxy) tcpipForwardHandler(sshCtx ssh.Context, _ *ssh.Server, req *cryptossh.Request) (bool, []byte) {
+	var reqPayload struct {
+		Host string
+		Port uint32
+	}
+	if err := cryptossh.Unmarshal(req.Payload, &reqPayload); err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "parse tcpip-forward payload: %v\n", err)
+		return false, nil
+	}
+
+	log.Debugf("tcpip-forward request for %s:%d", reqPayload.Host, reqPayload.Port)
+
+	backendClient, err := p.getOrCreateBackendClient(sshCtx, sshCtx.User())
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "backend connection for remote port forwarding: %v\n", err)
+		return false, nil
+	}
+
+	ok, payload, err := backendClient.SendRequest(req.Type, req.WantReply, req.Payload)
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "forward tcpip-forward request for %s:%d: %v\n", reqPayload.Host, reqPayload.Port, err)
+		return false, nil
+	}
+
+	if ok {
+		actualPort := reqPayload.Port
+		if reqPayload.Port == 0 && len(payload) >= 4 {
+			actualPort = binary.BigEndian.Uint32(payload)
+		}
+		log.Debugf("remote port forwarding established for %s:%d", reqPayload.Host, actualPort)
+		p.forwardedChannelsOnce.Do(func() {
+			go p.handleForwardedChannels(sshCtx, backendClient)
+		})
+	}
+
+	return ok, payload
 }
 
-func (p *SSHProxy) cancelTcpipForwardHandler(_ ssh.Context, _ *ssh.Server, _ *cryptossh.Request) (bool, []byte) {
-	return true, nil
+// cancelTcpipForwardHandler handles cancel-tcpip-forward request.
+func (p *SSHProxy) cancelTcpipForwardHandler(_ ssh.Context, _ *ssh.Server, req *cryptossh.Request) (bool, []byte) {
+	var reqPayload struct {
+		Host string
+		Port uint32
+	}
+	if err := cryptossh.Unmarshal(req.Payload, &reqPayload); err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "parse cancel-tcpip-forward payload: %v\n", err)
+		return false, nil
+	}
+
+	log.Debugf("cancel-tcpip-forward request for %s:%d", reqPayload.Host, reqPayload.Port)
+
+	backendClient := p.getBackendClient()
+	if backendClient == nil {
+		return false, nil
+	}
+
+	ok, payload, err := backendClient.SendRequest(req.Type, req.WantReply, req.Payload)
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "cancel-tcpip-forward for %s:%d: %v\n", reqPayload.Host, reqPayload.Port, err)
+		return false, nil
+	}
+
+	return ok, payload
+}
+
+// getOrCreateBackendClient returns the existing backend client or creates a new one.
+func (p *SSHProxy) getOrCreateBackendClient(ctx context.Context, user string) (*cryptossh.Client, error) {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if p.backendClient != nil {
+		return p.backendClient, nil
+	}
+
+	targetAddr := net.JoinHostPort(p.targetHost, strconv.Itoa(p.targetPort))
+	log.Debugf("connecting to backend %s", targetAddr)
+
+	client, err := p.dialBackend(ctx, targetAddr, user, p.jwtToken)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Debugf("backend connection established to %s", targetAddr)
+	p.backendClient = client
+	return client, nil
+}
+
+// getBackendClient returns the existing backend client or nil.
+func (p *SSHProxy) getBackendClient() *cryptossh.Client {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	return p.backendClient
+}
+
+// handleForwardedChannels handles forwarded-tcpip channels from the backend for remote port forwarding.
+// When the backend receives incoming connections on the forwarded port, it sends them as
+// "forwarded-tcpip" channels which we need to proxy to the client.
+func (p *SSHProxy) handleForwardedChannels(sshCtx ssh.Context, backendClient *cryptossh.Client) {
+	sshConn, ok := sshCtx.Value(ssh.ContextKeyConn).(*cryptossh.ServerConn)
+	if !ok || sshConn == nil {
+		log.Debugf("no SSH connection in context for forwarded channels")
+		return
+	}
+
+	channelChan := backendClient.HandleChannelOpen("forwarded-tcpip")
+	for {
+		select {
+		case <-sshCtx.Done():
+			return
+		case newChannel, ok := <-channelChan:
+			if !ok {
+				return
+			}
+			go p.handleForwardedChannel(sshCtx, sshConn, newChannel)
+		}
+	}
+}
+
+// handleForwardedChannel handles a single forwarded-tcpip channel from the backend.
+func (p *SSHProxy) handleForwardedChannel(sshCtx ssh.Context, sshConn *cryptossh.ServerConn, newChannel cryptossh.NewChannel) {
+	backendChan, backendReqs, err := newChannel.Accept()
+	if err != nil {
+		log.Debugf("remote port forwarding: accept from backend: %v", err)
+		return
+	}
+	go cryptossh.DiscardRequests(backendReqs)
+
+	clientChan, clientReqs, err := sshConn.OpenChannel("forwarded-tcpip", newChannel.ExtraData())
+	if err != nil {
+		log.Debugf("remote port forwarding: open to client: %v", err)
+		_ = backendChan.Close()
+		return
+	}
+	go cryptossh.DiscardRequests(clientReqs)
+
+	nbssh.BidirectionalCopyWithContext(log.NewEntry(log.StandardLogger()), sshCtx, clientChan, backendChan)
 }
 
 func (p *SSHProxy) dialBackend(ctx context.Context, addr, user, jwtToken string) (*cryptossh.Client, error) {

client/ssh/proxy/proxy_test.go

@@ -27,9 +27,11 @@ import (
 
 	"github.com/netbirdio/netbird/client/proto"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	"github.com/netbirdio/netbird/client/ssh/server"
 	"github.com/netbirdio/netbird/client/ssh/testutil"
 	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
+	sshuserhash "github.com/netbirdio/netbird/shared/sshauth"
 )
 
 func TestMain(m *testing.M) {
@@ -137,6 +139,21 @@ func TestSSHProxy_Connect(t *testing.T) {
 	sshServer := server.New(serverConfig)
 	sshServer.SetAllowRootLogin(true)
 
+	// Configure SSH authorization for the test user
+	testUsername := testutil.GetTestUsername(t)
+	testJWTUser := "test-username"
+	testUserHash, err := sshuserhash.HashUserID(testJWTUser)
+	require.NoError(t, err)
+
+	authConfig := &sshauth.Config{
+		UserIDClaim:     sshauth.DefaultUserIDClaim,
+		AuthorizedUsers: []sshuserhash.UserIDHash{testUserHash},
+		MachineUsers: map[string][]uint32{
+			testUsername: {0}, // Index 0 in AuthorizedUsers
+		},
+	}
+	sshServer.UpdateSSHAuth(authConfig)
+
 	sshServerAddr := server.StartTestServer(t, sshServer)
 	defer func() { _ = sshServer.Stop() }()
 
@@ -150,10 +167,10 @@ func TestSSHProxy_Connect(t *testing.T) {
 
 	mockDaemon.setHostKey(host, hostPubKey)
 
-	validToken := generateValidJWT(t, privateKey, issuer, audience)
+	validToken := generateValidJWT(t, privateKey, issuer, audience, testJWTUser)
 	mockDaemon.setJWTToken(validToken)
 
-	proxyInstance, err := New(mockDaemon.addr, host, port, nil, nil)
+	proxyInstance, err := New(mockDaemon.addr, host, port, io.Discard, nil)
 	require.NoError(t, err)
 
 	clientConn, proxyConn := net.Pipe()
@@ -347,12 +364,12 @@ func generateTestJWKS(t *testing.T) (*rsa.PrivateKey, []byte) {
 	return privateKey, jwksJSON
 }
 
-func generateValidJWT(t *testing.T, privateKey *rsa.PrivateKey, issuer, audience string) string {
+func generateValidJWT(t *testing.T, privateKey *rsa.PrivateKey, issuer, audience string, user string) string {
 	t.Helper()
 	claims := jwt.MapClaims{
 		"iss": issuer,
 		"aud": audience,
-		"sub": "test-user",
+		"sub": user,
 		"exp": time.Now().Add(time.Hour).Unix(),
 		"iat": time.Now().Unix(),
 	}

client/ssh/server/jwt_test.go

@@ -23,10 +23,12 @@ import (
 	"github.com/stretchr/testify/require"
 
 	nbssh "github.com/netbirdio/netbird/client/ssh"
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	"github.com/netbirdio/netbird/client/ssh/client"
 	"github.com/netbirdio/netbird/client/ssh/detection"
 	"github.com/netbirdio/netbird/client/ssh/testutil"
 	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
+	sshuserhash "github.com/netbirdio/netbird/shared/sshauth"
 )
 
 func TestJWTEnforcement(t *testing.T) {
@@ -577,6 +579,22 @@ func TestJWTAuthentication(t *testing.T) {
 				tc.setupServer(server)
 			}
 
+			// Always set up authorization for test-user to ensure tests fail at JWT validation stage
+			testUserHash, err := sshuserhash.HashUserID("test-user")
+			require.NoError(t, err)
+
+			// Get current OS username for machine user mapping
+			currentUser := testutil.GetTestUsername(t)
+
+			authConfig := &sshauth.Config{
+				UserIDClaim:     sshauth.DefaultUserIDClaim,
+				AuthorizedUsers: []sshuserhash.UserIDHash{testUserHash},
+				MachineUsers: map[string][]uint32{
+					currentUser: {0}, // Allow test-user (index 0) to access current OS user
+				},
+			}
+			server.UpdateSSHAuth(authConfig)
+
 			serverAddr := StartTestServer(t, server)
 			defer require.NoError(t, server.Stop())
 
@@ -584,12 +602,13 @@ func TestJWTAuthentication(t *testing.T) {
 			require.NoError(t, err)
 
 			var authMethods []cryptossh.AuthMethod
-			if tc.token == "valid" {
+			switch tc.token {
+			case "valid":
 				token := generateValidJWT(t, privateKey, issuer, audience)
 				authMethods = []cryptossh.AuthMethod{
 					cryptossh.Password(token),
 				}
-			} else if tc.token == "invalid" {
+			case "invalid":
 				invalidToken := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.invalid"
 				authMethods = []cryptossh.AuthMethod{
 					cryptossh.Password(invalidToken),

client/ssh/server/port_forwarding.go

@@ -1,25 +1,32 @@
+// Package server implements port forwarding for the SSH server.
+//
+// Security note: Port forwarding runs in the main server process without privilege separation.
+// The attack surface is primarily io.Copy through well-tested standard library code, making it
+// lower risk than shell execution which uses privilege-separated child processes. We enforce
+// user-level port restrictions: non-privileged users cannot bind to ports < 1024.
 package server
 
 import (
 	"encoding/binary"
 	"fmt"
-	"io"
 	"net"
+	"runtime"
 	"strconv"
 
 	"github.com/gliderlabs/ssh"
 	log "github.com/sirupsen/logrus"
 	cryptossh "golang.org/x/crypto/ssh"
+
+	nbssh "github.com/netbirdio/netbird/client/ssh"
 )
 
-// SessionKey uniquely identifies an SSH session
-type SessionKey string
+const privilegedPortThreshold = 1024
 
-// ConnectionKey uniquely identifies a port forwarding connection within a session
-type ConnectionKey string
+// sessionKey uniquely identifies an SSH session
+type sessionKey string
 
-// ForwardKey uniquely identifies a port forwarding listener
-type ForwardKey string
+// forwardKey uniquely identifies a port forwarding listener
+type forwardKey string
 
 // tcpipForwardMsg represents the structure for tcpip-forward SSH requests
 type tcpipForwardMsg struct {
@@ -47,34 +54,32 @@ func (s *Server) configurePortForwarding(server *ssh.Server) {
 	allowRemote := s.allowRemotePortForwarding
 
 	server.LocalPortForwardingCallback = func(ctx ssh.Context, dstHost string, dstPort uint32) bool {
+		logger := s.getRequestLogger(ctx)
 		if !allowLocal {
-			log.Warnf("local port forwarding denied for %s from %s: disabled by configuration",
-				net.JoinHostPort(dstHost, fmt.Sprintf("%d", dstPort)), ctx.RemoteAddr())
+			logger.Warnf("local port forwarding denied for %s:%d: disabled", dstHost, dstPort)
 			return false
 		}
 
 		if err := s.checkPortForwardingPrivileges(ctx, "local", dstPort); err != nil {
-			log.Warnf("local port forwarding denied for %s:%d from %s: %v", dstHost, dstPort, ctx.RemoteAddr(), err)
+			logger.Warnf("local port forwarding denied for %s:%d: %v", dstHost, dstPort, err)
 			return false
 		}
 
-		log.Debugf("local port forwarding allowed: %s:%d", dstHost, dstPort)
 		return true
 	}
 
 	server.ReversePortForwardingCallback = func(ctx ssh.Context, bindHost string, bindPort uint32) bool {
+		logger := s.getRequestLogger(ctx)
 		if !allowRemote {
-			log.Warnf("remote port forwarding denied for %s from %s: disabled by configuration",
-				net.JoinHostPort(bindHost, fmt.Sprintf("%d", bindPort)), ctx.RemoteAddr())
+			logger.Warnf("remote port forwarding denied for %s:%d: disabled", bindHost, bindPort)
 			return false
 		}
 
 		if err := s.checkPortForwardingPrivileges(ctx, "remote", bindPort); err != nil {
-			log.Warnf("remote port forwarding denied for %s:%d from %s: %v", bindHost, bindPort, ctx.RemoteAddr(), err)
+			logger.Warnf("remote port forwarding denied for %s:%d: %v", bindHost, bindPort, err)
 			return false
 		}
 
-		log.Debugf("remote port forwarding allowed: %s:%d", bindHost, bindPort)
 		return true
 	}
 
@@ -82,23 +87,20 @@ func (s *Server) configurePortForwarding(server *ssh.Server) {
 }
 
 // checkPortForwardingPrivileges validates privilege requirements for port forwarding operations.
-// Returns nil if allowed, error if denied.
+// For remote port forwarding (binding), it enforces that non-privileged users cannot bind to
+// ports below 1024, mirroring the restriction they would face if binding directly.
+//
+// Note: FeatureSupportsUserSwitch is true because we accept requests from any authenticated user,
+// though we don't actually switch users - port forwarding runs in the server process. The resolved
+// user is used for privileged port access checks.
 func (s *Server) checkPortForwardingPrivileges(ctx ssh.Context, forwardType string, port uint32) error {
 	if ctx == nil {
 		return fmt.Errorf("%s port forwarding denied: no context", forwardType)
 	}
 
-	username := ctx.User()
-	remoteAddr := "unknown"
-	if ctx.RemoteAddr() != nil {
-		remoteAddr = ctx.RemoteAddr().String()
-	}
-
-	logger := log.WithFields(log.Fields{"user": username, "remote": remoteAddr, "port": port})
-
 	result := s.CheckPrivileges(PrivilegeCheckRequest{
-		RequestedUsername:         username,
-		FeatureSupportsUserSwitch: false,
+		RequestedUsername:         ctx.User(),
+		FeatureSupportsUserSwitch: true,
 		FeatureName:               forwardType + " port forwarding",
 	})
 
@@ -106,12 +108,42 @@ func (s *Server) checkPortForwardingPrivileges(ctx ssh.Context, forwardType stri
 		return result.Error
 	}
 
-	logger.Debugf("%s port forwarding allowed: user %s validated (port %d)",
-		forwardType, result.User.Username, port)
+	if err := s.checkPrivilegedPortAccess(forwardType, port, result); err != nil {
+		return err
+	}
 
 	return nil
 }
 
+// checkPrivilegedPortAccess enforces that non-privileged users cannot bind to privileged ports.
+// This applies to remote port forwarding where the server binds a port on behalf of the user.
+// On Windows, there is no privileged port restriction, so this check is skipped.
+func (s *Server) checkPrivilegedPortAccess(forwardType string, port uint32, result PrivilegeCheckResult) error {
+	if runtime.GOOS == "windows" {
+		return nil
+	}
+
+	isBindOperation := forwardType == "remote" || forwardType == "tcpip-forward"
+	if !isBindOperation {
+		return nil
+	}
+
+	// Port 0 means "pick any available port", which will be >= 1024
+	if port == 0 || port >= privilegedPortThreshold {
+		return nil
+	}
+
+	if result.User != nil && isPrivilegedUsername(result.User.Username) {
+		return nil
+	}
+
+	username := "unknown"
+	if result.User != nil {
+		username = result.User.Username
+	}
+	return fmt.Errorf("user %s cannot bind to privileged port %d (requires root)", username, port)
+}
+
 // tcpipForwardHandler handles tcpip-forward requests for remote port forwarding.
 func (s *Server) tcpipForwardHandler(ctx ssh.Context, _ *ssh.Server, req *cryptossh.Request) (bool, []byte) {
 	logger := s.getRequestLogger(ctx)
@@ -132,8 +164,6 @@ func (s *Server) tcpipForwardHandler(ctx ssh.Context, _ *ssh.Server, req *crypto
 		return false, nil
 	}
 
-	logger.Debugf("tcpip-forward request: %s:%d", payload.Host, payload.Port)
-
 	sshConn, err := s.getSSHConnection(ctx)
 	if err != nil {
 		logger.Warnf("tcpip-forward request denied: %v", err)
@@ -153,8 +183,10 @@ func (s *Server) cancelTcpipForwardHandler(ctx ssh.Context, _ *ssh.Server, req *
 		return false, nil
 	}
 
-	key := ForwardKey(fmt.Sprintf("%s:%d", payload.Host, payload.Port))
+	key := forwardKey(fmt.Sprintf("%s:%d", payload.Host, payload.Port))
 	if s.removeRemoteForwardListener(key) {
+		forwardAddr := fmt.Sprintf("-R %s:%d", payload.Host, payload.Port)
+		s.removeConnectionPortForward(ctx.RemoteAddr(), forwardAddr)
 		logger.Infof("remote port forwarding cancelled: %s:%d", payload.Host, payload.Port)
 		return true, nil
 	}
@@ -165,14 +197,11 @@ func (s *Server) cancelTcpipForwardHandler(ctx ssh.Context, _ *ssh.Server, req *
 
 // handleRemoteForwardListener handles incoming connections for remote port forwarding.
 func (s *Server) handleRemoteForwardListener(ctx ssh.Context, ln net.Listener, host string, port uint32) {
-	log.Debugf("starting remote forward listener handler for %s:%d", host, port)
+	logger := s.getRequestLogger(ctx)
 
 	defer func() {
-		log.Debugf("cleaning up remote forward listener for %s:%d", host, port)
 		if err := ln.Close(); err != nil {
-			log.Debugf("remote forward listener close error: %v", err)
-		} else {
-			log.Debugf("remote forward listener closed successfully for %s:%d", host, port)
+			logger.Debugf("remote forward listener close error for %s:%d: %v", host, port, err)
 		}
 	}()
 
@@ -196,28 +225,43 @@ func (s *Server) handleRemoteForwardListener(ctx ssh.Context, ln net.Listener, h
 		select {
 		case result := <-acceptChan:
 			if result.err != nil {
-				log.Debugf("remote forward accept error: %v", result.err)
+				logger.Debugf("remote forward accept error: %v", result.err)
 				return
 			}
 			go s.handleRemoteForwardConnection(ctx, result.conn, host, port)
 		case <-ctx.Done():
-			log.Debugf("remote forward listener shutting down due to context cancellation for %s:%d", host, port)
+			logger.Debugf("remote forward listener shutting down for %s:%d", host, port)
 			return
 		}
 	}
 }
 
-// getRequestLogger creates a logger with user and remote address context
+// getRequestLogger creates a logger with session/conn and jwt_user context
 func (s *Server) getRequestLogger(ctx ssh.Context) *log.Entry {
-	remoteAddr := "unknown"
-	username := "unknown"
-	if ctx != nil {
-		if ctx.RemoteAddr() != nil {
-			remoteAddr = ctx.RemoteAddr().String()
+	sessionKey := s.findSessionKeyByContext(ctx)
+
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	if state, exists := s.sessions[sessionKey]; exists {
+		logger := log.WithField("session", sessionKey)
+		if state.jwtUsername != "" {
+			logger = logger.WithField("jwt_user", state.jwtUsername)
 		}
-		username = ctx.User()
+		return logger
 	}
-	return log.WithFields(log.Fields{"user": username, "remote": remoteAddr})
+
+	if ctx.RemoteAddr() != nil {
+		if connState, exists := s.connections[connKey(ctx.RemoteAddr().String())]; exists {
+			return s.connLogger(connState)
+		}
+	}
+
+	remoteAddr := "unknown"
+	if ctx.RemoteAddr() != nil {
+		remoteAddr = ctx.RemoteAddr().String()
+	}
+	return log.WithField("session", fmt.Sprintf("%s@%s", ctx.User(), remoteAddr))
 }
 
 // isRemotePortForwardingAllowed checks if remote port forwarding is enabled
@@ -227,6 +271,13 @@ func (s *Server) isRemotePortForwardingAllowed() bool {
 	return s.allowRemotePortForwarding
 }
 
+// isPortForwardingEnabled checks if any port forwarding (local or remote) is enabled
+func (s *Server) isPortForwardingEnabled() bool {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+	return s.allowLocalPortForwarding || s.allowRemotePortForwarding
+}
+
 // parseTcpipForwardRequest parses the SSH request payload
 func (s *Server) parseTcpipForwardRequest(req *cryptossh.Request) (*tcpipForwardMsg, error) {
 	var payload tcpipForwardMsg
@@ -267,10 +318,11 @@ func (s *Server) setupDirectForward(ctx ssh.Context, logger *log.Entry, sshConn
 		logger.Debugf("tcpip-forward allocated port %d for %s", actualPort, payload.Host)
 	}
 
-	key := ForwardKey(fmt.Sprintf("%s:%d", payload.Host, payload.Port))
+	key := forwardKey(fmt.Sprintf("%s:%d", payload.Host, payload.Port))
 	s.storeRemoteForwardListener(key, ln)
 
-	s.markConnectionActivePortForward(sshConn, ctx.User(), ctx.RemoteAddr().String())
+	forwardAddr := fmt.Sprintf("-R %s:%d", payload.Host, actualPort)
+	s.addConnectionPortForward(ctx.User(), ctx.RemoteAddr(), forwardAddr)
 	go s.handleRemoteForwardListener(ctx, ln, payload.Host, actualPort)
 
 	response := make([]byte, 4)
@@ -288,44 +340,34 @@ type acceptResult struct {
 
 // handleRemoteForwardConnection handles a single remote port forwarding connection
 func (s *Server) handleRemoteForwardConnection(ctx ssh.Context, conn net.Conn, host string, port uint32) {
-	sessionKey := s.findSessionKeyByContext(ctx)
-	connID := fmt.Sprintf("pf-%s->%s:%d", conn.RemoteAddr(), host, port)
-	logger := log.WithFields(log.Fields{
-		"session": sessionKey,
-		"conn":    connID,
-	})
+	logger := s.getRequestLogger(ctx)
 
-	defer func() {
-		if err := conn.Close(); err != nil {
-			logger.Debugf("connection close error: %v", err)
-		}
-	}()
-
-	sshConn := ctx.Value(ssh.ContextKeyConn).(*cryptossh.ServerConn)
-	if sshConn == nil {
+	sshConn, ok := ctx.Value(ssh.ContextKeyConn).(*cryptossh.ServerConn)
+	if !ok || sshConn == nil {
 		logger.Debugf("remote forward: no SSH connection in context")
+		_ = conn.Close()
 		return
 	}
 
 	remoteAddr, ok := conn.RemoteAddr().(*net.TCPAddr)
 	if !ok {
 		logger.Warnf("remote forward: non-TCP connection type: %T", conn.RemoteAddr())
+		_ = conn.Close()
 		return
 	}
 
-	channel, err := s.openForwardChannel(sshConn, host, port, remoteAddr, logger)
+	channel, err := s.openForwardChannel(sshConn, host, port, remoteAddr)
 	if err != nil {
-		logger.Debugf("open forward channel: %v", err)
+		logger.Debugf("open forward channel for %s:%d: %v", host, port, err)
+		_ = conn.Close()
 		return
 	}
 
-	s.proxyForwardConnection(ctx, logger, conn, channel)
+	nbssh.BidirectionalCopyWithContext(logger, ctx, conn, channel)
 }
 
 // openForwardChannel creates an SSH forwarded-tcpip channel
-func (s *Server) openForwardChannel(sshConn *cryptossh.ServerConn, host string, port uint32, remoteAddr *net.TCPAddr, logger *log.Entry) (cryptossh.Channel, error) {
-	logger.Tracef("opening forwarded-tcpip channel for %s:%d", host, port)
-
+func (s *Server) openForwardChannel(sshConn *cryptossh.ServerConn, host string, port uint32, remoteAddr *net.TCPAddr) (cryptossh.Channel, error) {
 	payload := struct {
 		ConnectedAddress  string
 		ConnectedPort     uint32
@@ -346,41 +388,3 @@ func (s *Server) openForwardChannel(sshConn *cryptossh.ServerConn, host string,
 	go cryptossh.DiscardRequests(reqs)
 	return channel, nil
 }
-
-// proxyForwardConnection handles bidirectional data transfer between connection and SSH channel
-func (s *Server) proxyForwardConnection(ctx ssh.Context, logger *log.Entry, conn net.Conn, channel cryptossh.Channel) {
-	done := make(chan struct{}, 2)
-
-	go func() {
-		if _, err := io.Copy(channel, conn); err != nil {
-			logger.Debugf("copy error (conn->channel): %v", err)
-		}
-		done <- struct{}{}
-	}()
-
-	go func() {
-		if _, err := io.Copy(conn, channel); err != nil {
-			logger.Debugf("copy error (channel->conn): %v", err)
-		}
-		done <- struct{}{}
-	}()
-
-	select {
-	case <-ctx.Done():
-		logger.Debugf("session ended, closing connections")
-	case <-done:
-		// First copy finished, wait for second copy or context cancellation
-		select {
-		case <-ctx.Done():
-			logger.Debugf("session ended, closing connections")
-		case <-done:
-		}
-	}
-
-	if err := channel.Close(); err != nil {
-		logger.Debugf("channel close error: %v", err)
-	}
-	if err := conn.Close(); err != nil {
-		logger.Debugf("connection close error: %v", err)
-	}
-}

client/ssh/server/server.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"net"
 	"net/netip"
+	"slices"
 	"strings"
 	"sync"
 	"time"
@@ -21,6 +22,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	sshauth "github.com/netbirdio/netbird/client/ssh/auth"
 	"github.com/netbirdio/netbird/client/ssh/detection"
 	"github.com/netbirdio/netbird/shared/auth"
 	"github.com/netbirdio/netbird/shared/auth/jwt"
@@ -39,6 +41,11 @@ const (
 
 	msgPrivilegedUserDisabled = "privileged user login is disabled"
 
+	cmdInteractiveShell = "<interactive shell>"
+	cmdPortForwarding   = "<port forwarding>"
+	cmdSFTP             = "<sftp>"
+	cmdNonInteractive   = "<idle>"
+
 	// DefaultJWTMaxTokenAge is the default maximum age for JWT tokens accepted by the SSH server
 	DefaultJWTMaxTokenAge = 5 * 60
 )
@@ -89,10 +96,10 @@ func logSessionExitError(logger *log.Entry, err error) {
 	}
 }
 
-// safeLogCommand returns a safe representation of the command for logging
+// safeLogCommand returns a safe representation of the command for logging.
 func safeLogCommand(cmd []string) string {
 	if len(cmd) == 0 {
-		return "<interactive shell>"
+		return cmdInteractiveShell
 	}
 	if len(cmd) == 1 {
 		return cmd[0]
@@ -100,26 +107,50 @@ func safeLogCommand(cmd []string) string {
 	return fmt.Sprintf("%s [%d args]", cmd[0], len(cmd)-1)
 }
 
-type sshConnectionState struct {
-	hasActivePortForward bool
-	username             string
-	remoteAddr           string
+// connState tracks the state of an SSH connection for port forwarding and status display.
+type connState struct {
+	username     string
+	remoteAddr   net.Addr
+	portForwards []string
+	jwtUsername  string
 }
 
+// authKey uniquely identifies an authentication attempt by username and remote address.
+// Used to temporarily store JWT username between passwordHandler and sessionHandler.
 type authKey string
 
+// connKey uniquely identifies an SSH connection by its remote address.
+// Used to track authenticated connections for status display and port forwarding.
+type connKey string
+
 func newAuthKey(username string, remoteAddr net.Addr) authKey {
 	return authKey(fmt.Sprintf("%s@%s", username, remoteAddr.String()))
 }
 
+// sessionState tracks an active SSH session (shell, command, or subsystem like SFTP).
+type sessionState struct {
+	session     ssh.Session
+	sessionType string
+	jwtUsername string
+}
+
 type Server struct {
-	sshServer       *ssh.Server
-	mu              sync.RWMutex
-	hostKeyPEM      []byte
-	sessions        map[SessionKey]ssh.Session
-	sessionCancels  map[ConnectionKey]context.CancelFunc
-	sessionJWTUsers map[SessionKey]string
-	pendingAuthJWT  map[authKey]string
+	sshServer  *ssh.Server
+	listener   net.Listener
+	mu         sync.RWMutex
+	hostKeyPEM []byte
+
+	// sessions tracks active SSH sessions (shell, command, SFTP).
+	// These are created when a client opens a session channel and requests shell/exec/subsystem.
+	sessions map[sessionKey]*sessionState
+
+	// pendingAuthJWT temporarily stores JWT username during the auth→session handoff.
+	// Populated in passwordHandler, consumed in sessionHandler/sftpSubsystemHandler.
+	pendingAuthJWT map[authKey]string
+
+	// connections tracks all SSH connections by their remote address.
+	// Populated at authentication time, stores JWT username and port forwards for status display.
+	connections map[connKey]*connState
 
 	allowLocalPortForwarding  bool
 	allowRemotePortForwarding bool
@@ -131,13 +162,14 @@ type Server struct {
 
 	wgAddress wgaddr.Address
 
-	remoteForwardListeners map[ForwardKey]net.Listener
-	sshConnections         map[*cryptossh.ServerConn]*sshConnectionState
+	remoteForwardListeners map[forwardKey]net.Listener
 
 	jwtValidator *jwt.Validator
 	jwtExtractor *jwt.ClaimsExtractor
 	jwtConfig    *JWTConfig
 
+	authorizer *sshauth.Authorizer
+
 	suSupportsPty    bool
 	loginIsUtilLinux bool
 }
@@ -164,6 +196,7 @@ type SessionInfo struct {
 	RemoteAddress string
 	Command       string
 	JWTUsername   string
+	PortForwards  []string
 }
 
 // New creates an SSH server instance with the provided host key and optional JWT configuration
@@ -172,13 +205,13 @@ func New(config *Config) *Server {
 	s := &Server{
 		mu:                     sync.RWMutex{},
 		hostKeyPEM:             config.HostKeyPEM,
-		sessions:               make(map[SessionKey]ssh.Session),
-		sessionJWTUsers:        make(map[SessionKey]string),
+		sessions:               make(map[sessionKey]*sessionState),
 		pendingAuthJWT:         make(map[authKey]string),
-		remoteForwardListeners: make(map[ForwardKey]net.Listener),
-		sshConnections:         make(map[*cryptossh.ServerConn]*sshConnectionState),
+		remoteForwardListeners: make(map[forwardKey]net.Listener),
+		connections:            make(map[connKey]*connState),
 		jwtEnabled:             config.JWT != nil,
 		jwtConfig:              config.JWT,
+		authorizer:             sshauth.NewAuthorizer(), // Initialize with empty config
 	}
 
 	return s
@@ -207,6 +240,7 @@ func (s *Server) Start(ctx context.Context, addr netip.AddrPort) error {
 		return fmt.Errorf("create SSH server: %w", err)
 	}
 
+	s.listener = ln
 	s.sshServer = sshServer
 	log.Infof("SSH server started on %s", addrDesc)
 
@@ -259,16 +293,11 @@ func (s *Server) Stop() error {
 	}
 
 	s.sshServer = nil
+	s.listener = nil
 
 	maps.Clear(s.sessions)
-	maps.Clear(s.sessionJWTUsers)
 	maps.Clear(s.pendingAuthJWT)
-	maps.Clear(s.sshConnections)
-
-	for _, cancelFunc := range s.sessionCancels {
-		cancelFunc()
-	}
-	maps.Clear(s.sessionCancels)
+	maps.Clear(s.connections)
 
 	for _, listener := range s.remoteForwardListeners {
 		if err := listener.Close(); err != nil {
@@ -280,32 +309,82 @@ func (s *Server) Stop() error {
 	return nil
 }
 
-// GetStatus returns the current status of the SSH server and active sessions
+// Addr returns the address the SSH server is listening on, or nil if the server is not running
+func (s *Server) Addr() net.Addr {
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	if s.listener == nil {
+		return nil
+	}
+
+	return s.listener.Addr()
+}
+
+// GetStatus returns the current status of the SSH server and active sessions.
 func (s *Server) GetStatus() (enabled bool, sessions []SessionInfo) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 
 	enabled = s.sshServer != nil
+	reportedAddrs := make(map[string]bool)
 
-	for sessionKey, session := range s.sessions {
-		cmd := "<interactive shell>"
-		if len(session.Command()) > 0 {
-			cmd = safeLogCommand(session.Command())
+	for _, state := range s.sessions {
+		info := s.buildSessionInfo(state)
+		reportedAddrs[info.RemoteAddress] = true
+		sessions = append(sessions, info)
+	}
+
+	// Add authenticated connections without sessions (e.g., -N/-T or port-forwarding only)
+	for key, connState := range s.connections {
+		remoteAddr := string(key)
+		if reportedAddrs[remoteAddr] {
+			continue
+		}
+		cmd := cmdNonInteractive
+		if len(connState.portForwards) > 0 {
+			cmd = cmdPortForwarding
 		}
-
-		jwtUsername := s.sessionJWTUsers[sessionKey]
-
 		sessions = append(sessions, SessionInfo{
-			Username:      session.User(),
-			RemoteAddress: session.RemoteAddr().String(),
+			Username:      connState.username,
+			RemoteAddress: remoteAddr,
 			Command:       cmd,
-			JWTUsername:   jwtUsername,
+			JWTUsername:   connState.jwtUsername,
+			PortForwards:  connState.portForwards,
 		})
 	}
 
 	return enabled, sessions
 }
 
+func (s *Server) buildSessionInfo(state *sessionState) SessionInfo {
+	session := state.session
+	cmd := state.sessionType
+	if cmd == "" {
+		cmd = safeLogCommand(session.Command())
+	}
+
+	remoteAddr := session.RemoteAddr().String()
+	info := SessionInfo{
+		Username:      session.User(),
+		RemoteAddress: remoteAddr,
+		Command:       cmd,
+		JWTUsername:   state.jwtUsername,
+	}
+
+	connState, exists := s.connections[connKey(remoteAddr)]
+	if !exists {
+		return info
+	}
+
+	info.PortForwards = connState.portForwards
+	if len(connState.portForwards) > 0 && (cmd == cmdInteractiveShell || cmd == cmdNonInteractive) {
+		info.Command = cmdPortForwarding
+	}
+
+	return info
+}
+
 // SetNetstackNet sets the netstack network for userspace networking
 func (s *Server) SetNetstackNet(net *netstack.Net) {
 	s.mu.Lock()
@@ -320,6 +399,19 @@ func (s *Server) SetNetworkValidation(addr wgaddr.Address) {
 	s.wgAddress = addr
 }
 
+// UpdateSSHAuth updates the SSH fine-grained access control configuration
+// This should be called when network map updates include new SSH auth configuration
+func (s *Server) UpdateSSHAuth(config *sshauth.Config) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	// Reset JWT validator/extractor to pick up new userIDClaim
+	s.jwtValidator = nil
+	s.jwtExtractor = nil
+
+	s.authorizer.Update(config)
+}
+
 // ensureJWTValidator initializes the JWT validator and extractor if not already initialized
 func (s *Server) ensureJWTValidator() error {
 	s.mu.RLock()
@@ -328,6 +420,7 @@ func (s *Server) ensureJWTValidator() error {
 		return nil
 	}
 	config := s.jwtConfig
+	authorizer := s.authorizer
 	s.mu.RUnlock()
 
 	if config == nil {
@@ -343,9 +436,16 @@ func (s *Server) ensureJWTValidator() error {
 		true,
 	)
 
-	extractor := jwt.NewClaimsExtractor(
+	// Use custom userIDClaim from authorizer if available
+	extractorOptions := []jwt.ClaimsExtractorOption{
 		jwt.WithAudience(config.Audience),
-	)
+	}
+	if authorizer.GetUserIDClaim() != "" {
+		extractorOptions = append(extractorOptions, jwt.WithUserIDClaim(authorizer.GetUserIDClaim()))
+		log.Debugf("Using custom user ID claim: %s", authorizer.GetUserIDClaim())
+	}
+
+	extractor := jwt.NewClaimsExtractor(extractorOptions...)
 
 	s.mu.Lock()
 	defer s.mu.Unlock()
@@ -493,59 +593,131 @@ func (s *Server) parseTokenWithoutValidation(tokenString string) (map[string]int
 }
 
 func (s *Server) passwordHandler(ctx ssh.Context, password string) bool {
+	osUsername := ctx.User()
+	remoteAddr := ctx.RemoteAddr()
+	logger := s.getRequestLogger(ctx)
+
 	if err := s.ensureJWTValidator(); err != nil {
-		log.Errorf("JWT validator initialization failed for user %s from %s: %v", ctx.User(), ctx.RemoteAddr(), err)
+		logger.Errorf("JWT validator initialization failed: %v", err)
 		return false
 	}
 
 	token, err := s.validateJWTToken(password)
 	if err != nil {
-		log.Warnf("JWT authentication failed for user %s from %s: %v", ctx.User(), ctx.RemoteAddr(), err)
+		logger.Warnf("JWT authentication failed: %v", err)
 		return false
 	}
 
 	userAuth, err := s.extractAndValidateUser(token)
 	if err != nil {
-		log.Warnf("User validation failed for user %s from %s: %v", ctx.User(), ctx.RemoteAddr(), err)
+		logger.Warnf("user validation failed: %v", err)
 		return false
 	}
 
-	key := newAuthKey(ctx.User(), ctx.RemoteAddr())
+	logger = logger.WithField("jwt_user", userAuth.UserId)
+
+	s.mu.RLock()
+	authorizer := s.authorizer
+	s.mu.RUnlock()
+
+	msg, err := authorizer.Authorize(userAuth.UserId, osUsername)
+	if err != nil {
+		logger.Warnf("SSH auth denied: %v", err)
+		return false
+	}
+
+	logger.Infof("SSH auth %s", msg)
+
+	key := newAuthKey(osUsername, remoteAddr)
+	remoteAddrStr := ctx.RemoteAddr().String()
 	s.mu.Lock()
 	s.pendingAuthJWT[key] = userAuth.UserId
+	s.connections[connKey(remoteAddrStr)] = &connState{
+		username:    ctx.User(),
+		remoteAddr:  ctx.RemoteAddr(),
+		jwtUsername: userAuth.UserId,
+	}
 	s.mu.Unlock()
 
-	log.Infof("JWT authentication successful for user %s (JWT user ID: %s) from %s", ctx.User(), userAuth.UserId, ctx.RemoteAddr())
 	return true
 }
 
-func (s *Server) markConnectionActivePortForward(sshConn *cryptossh.ServerConn, username, remoteAddr string) {
+func (s *Server) addConnectionPortForward(username string, remoteAddr net.Addr, forwardAddr string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
-	if state, exists := s.sshConnections[sshConn]; exists {
-		state.hasActivePortForward = true
-	} else {
-		s.sshConnections[sshConn] = &sshConnectionState{
-			hasActivePortForward: true,
-			username:             username,
-			remoteAddr:           remoteAddr,
+	key := connKey(remoteAddr.String())
+	if state, exists := s.connections[key]; exists {
+		if !slices.Contains(state.portForwards, forwardAddr) {
+			state.portForwards = append(state.portForwards, forwardAddr)
 		}
+		return
+	}
+
+	// Connection not in connections (non-JWT auth path)
+	s.connections[key] = &connState{
+		username:     username,
+		remoteAddr:   remoteAddr,
+		portForwards: []string{forwardAddr},
+		jwtUsername:  s.pendingAuthJWT[newAuthKey(username, remoteAddr)],
 	}
 }
 
-func (s *Server) connectionCloseHandler(conn net.Conn, err error) {
-	// We can't extract the SSH connection from net.Conn directly
-	// Connection cleanup will happen during session cleanup or via timeout
-	log.Debugf("SSH connection failed for %s: %v", conn.RemoteAddr(), err)
+func (s *Server) removeConnectionPortForward(remoteAddr net.Addr, forwardAddr string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	state, exists := s.connections[connKey(remoteAddr.String())]
+	if !exists {
+		return
+	}
+
+	state.portForwards = slices.DeleteFunc(state.portForwards, func(addr string) bool {
+		return addr == forwardAddr
+	})
 }
 
-func (s *Server) findSessionKeyByContext(ctx ssh.Context) SessionKey {
+// trackedConn wraps a net.Conn to detect when it closes
+type trackedConn struct {
+	net.Conn
+	server     *Server
+	remoteAddr string
+	onceClose  sync.Once
+}
+
+func (c *trackedConn) Close() error {
+	err := c.Conn.Close()
+	c.onceClose.Do(func() {
+		c.server.handleConnectionClose(c.remoteAddr)
+	})
+	return err
+}
+
+func (s *Server) handleConnectionClose(remoteAddr string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	key := connKey(remoteAddr)
+	state, exists := s.connections[key]
+	if exists && len(state.portForwards) > 0 {
+		s.connLogger(state).Info("port forwarding connection closed")
+	}
+	delete(s.connections, key)
+}
+
+func (s *Server) connLogger(state *connState) *log.Entry {
+	logger := log.WithField("session", fmt.Sprintf("%s@%s", state.username, state.remoteAddr))
+	if state.jwtUsername != "" {
+		logger = logger.WithField("jwt_user", state.jwtUsername)
+	}
+	return logger
+}
+
+func (s *Server) findSessionKeyByContext(ctx ssh.Context) sessionKey {
 	if ctx == nil {
 		return "unknown"
 	}
 
-	// Try to match by SSH connection
 	sshConn := ctx.Value(ssh.ContextKeyConn)
 	if sshConn == nil {
 		return "unknown"
@@ -554,19 +726,14 @@ func (s *Server) findSessionKeyByContext(ctx ssh.Context) SessionKey {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 
-	// Look through sessions to find one with matching connection
-	for sessionKey, session := range s.sessions {
-		if session.Context().Value(ssh.ContextKeyConn) == sshConn {
+	for sessionKey, state := range s.sessions {
+		if state.session.Context().Value(ssh.ContextKeyConn) == sshConn {
 			return sessionKey
 		}
 	}
 
-	// If no session found, this might be during early connection setup
-	// Return a temporary key that we'll fix up later
 	if ctx.User() != "" && ctx.RemoteAddr() != nil {
-		tempKey := SessionKey(fmt.Sprintf("%s@%s", ctx.User(), ctx.RemoteAddr().String()))
-		log.Debugf("Using temporary session key for early port forward tracking: %s (will be updated when session established)", tempKey)
-		return tempKey
+		return sessionKey(fmt.Sprintf("%s@%s", ctx.User(), ctx.RemoteAddr().String()))
 	}
 
 	return "unknown"
@@ -607,7 +774,11 @@ func (s *Server) connectionValidator(_ ssh.Context, conn net.Conn) net.Conn {
 	}
 
 	log.Infof("SSH connection from NetBird peer %s allowed", tcpAddr)
-	return conn
+	return &trackedConn{
+		Conn:       conn,
+		server:     s,
+		remoteAddr: conn.RemoteAddr().String(),
+	}
 }
 
 func (s *Server) createSSHServer(addr net.Addr) (*ssh.Server, error) {
@@ -635,9 +806,8 @@ func (s *Server) createSSHServer(addr net.Addr) (*ssh.Server, error) {
 			"tcpip-forward":        s.tcpipForwardHandler,
 			"cancel-tcpip-forward": s.cancelTcpipForwardHandler,
 		},
-		ConnCallback:             s.connectionValidator,
-		ConnectionFailedCallback: s.connectionCloseHandler,
-		Version:                  serverVersion,
+		ConnCallback: s.connectionValidator,
+		Version:      serverVersion,
 	}
 
 	if s.jwtEnabled {
@@ -653,13 +823,13 @@ func (s *Server) createSSHServer(addr net.Addr) (*ssh.Server, error) {
 	return server, nil
 }
 
-func (s *Server) storeRemoteForwardListener(key ForwardKey, ln net.Listener) {
+func (s *Server) storeRemoteForwardListener(key forwardKey, ln net.Listener) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.remoteForwardListeners[key] = ln
 }
 
-func (s *Server) removeRemoteForwardListener(key ForwardKey) bool {
+func (s *Server) removeRemoteForwardListener(key forwardKey) bool {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
@@ -677,6 +847,8 @@ func (s *Server) removeRemoteForwardListener(key ForwardKey) bool {
 }
 
 func (s *Server) directTCPIPHandler(srv *ssh.Server, conn *cryptossh.ServerConn, newChan cryptossh.NewChannel, ctx ssh.Context) {
+	logger := s.getRequestLogger(ctx)
+
 	var payload struct {
 		Host           string
 		Port           uint32
@@ -686,7 +858,7 @@ func (s *Server) directTCPIPHandler(srv *ssh.Server, conn *cryptossh.ServerConn,
 
 	if err := cryptossh.Unmarshal(newChan.ExtraData(), &payload); err != nil {
 		if err := newChan.Reject(cryptossh.ConnectionFailed, "parse payload"); err != nil {
-			log.Debugf("channel reject error: %v", err)
+			logger.Debugf("channel reject error: %v", err)
 		}
 		return
 	}
@@ -696,19 +868,20 @@ func (s *Server) directTCPIPHandler(srv *ssh.Server, conn *cryptossh.ServerConn,
 	s.mu.RUnlock()
 
 	if !allowLocal {
-		log.Warnf("local port forwarding denied for %s:%d: disabled by configuration", payload.Host, payload.Port)
+		logger.Warnf("local port forwarding denied for %s:%d: disabled", payload.Host, payload.Port)
 		_ = newChan.Reject(cryptossh.Prohibited, "local port forwarding disabled")
 		return
 	}
 
-	// Check privilege requirements for the destination port
 	if err := s.checkPortForwardingPrivileges(ctx, "local", payload.Port); err != nil {
-		log.Warnf("local port forwarding denied for %s:%d: %v", payload.Host, payload.Port, err)
+		logger.Warnf("local port forwarding denied for %s:%d: %v", payload.Host, payload.Port, err)
 		_ = newChan.Reject(cryptossh.Prohibited, "insufficient privileges")
 		return
 	}
 
-	log.Infof("local port forwarding: %s:%d", payload.Host, payload.Port)
+	forwardAddr := fmt.Sprintf("-L %s:%d", payload.Host, payload.Port)
+	s.addConnectionPortForward(ctx.User(), ctx.RemoteAddr(), forwardAddr)
+	logger.Infof("local port forwarding: %s:%d", payload.Host, payload.Port)
 
 	ssh.DirectTCPIPHandler(srv, conn, newChan, ctx)
 }

client/ssh/server/server_config_test.go

@@ -224,6 +224,96 @@ func TestServer_PortForwardingRestriction(t *testing.T) {
 	}
 }
 
+func TestServer_PrivilegedPortAccess(t *testing.T) {
+	hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
+	require.NoError(t, err)
+
+	serverConfig := &Config{
+		HostKeyPEM: hostKey,
+	}
+	server := New(serverConfig)
+	server.SetAllowRemotePortForwarding(true)
+
+	tests := []struct {
+		name          string
+		forwardType   string
+		port          uint32
+		username      string
+		expectError   bool
+		errorMsg      string
+		skipOnWindows bool
+	}{
+		{
+			name:          "non-root user remote forward privileged port",
+			forwardType:   "remote",
+			port:          80,
+			username:      "testuser",
+			expectError:   true,
+			errorMsg:      "cannot bind to privileged port",
+			skipOnWindows: true,
+		},
+		{
+			name:          "non-root user tcpip-forward privileged port",
+			forwardType:   "tcpip-forward",
+			port:          443,
+			username:      "testuser",
+			expectError:   true,
+			errorMsg:      "cannot bind to privileged port",
+			skipOnWindows: true,
+		},
+		{
+			name:        "non-root user remote forward unprivileged port",
+			forwardType: "remote",
+			port:        8080,
+			username:    "testuser",
+			expectError: false,
+		},
+		{
+			name:        "non-root user remote forward port 0",
+			forwardType: "remote",
+			port:        0,
+			username:    "testuser",
+			expectError: false,
+		},
+		{
+			name:        "root user remote forward privileged port",
+			forwardType: "remote",
+			port:        22,
+			username:    "root",
+			expectError: false,
+		},
+		{
+			name:        "local forward privileged port allowed for non-root",
+			forwardType: "local",
+			port:        80,
+			username:    "testuser",
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.skipOnWindows && runtime.GOOS == "windows" {
+				t.Skip("Windows does not have privileged port restrictions")
+			}
+
+			result := PrivilegeCheckResult{
+				Allowed: true,
+				User:    &user.User{Username: tt.username},
+			}
+
+			err := server.checkPrivilegedPortAccess(tt.forwardType, tt.port, result)
+
+			if tt.expectError {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tt.errorMsg)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}
+
 func TestServer_PortConflictHandling(t *testing.T) {
 	// Test that multiple sessions requesting the same local port are handled naturally by the OS
 	// Get current user for SSH connection
@@ -392,3 +482,95 @@ func TestServer_IsPrivilegedUser(t *testing.T) {
 		})
 	}
 }
+
+func TestServer_PortForwardingOnlySession(t *testing.T) {
+	// Test that sessions without PTY and command are allowed when port forwarding is enabled
+	currentUser, err := user.Current()
+	require.NoError(t, err, "Should be able to get current user")
+
+	// Generate host key for server
+	hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name                  string
+		allowLocalForwarding  bool
+		allowRemoteForwarding bool
+		expectAllowed         bool
+		description           string
+	}{
+		{
+			name:                  "session_allowed_with_local_forwarding",
+			allowLocalForwarding:  true,
+			allowRemoteForwarding: false,
+			expectAllowed:         true,
+			description:           "Port-forwarding-only session should be allowed when local forwarding is enabled",
+		},
+		{
+			name:                  "session_allowed_with_remote_forwarding",
+			allowLocalForwarding:  false,
+			allowRemoteForwarding: true,
+			expectAllowed:         true,
+			description:           "Port-forwarding-only session should be allowed when remote forwarding is enabled",
+		},
+		{
+			name:                  "session_allowed_with_both",
+			allowLocalForwarding:  true,
+			allowRemoteForwarding: true,
+			expectAllowed:         true,
+			description:           "Port-forwarding-only session should be allowed when both forwarding types enabled",
+		},
+		{
+			name:                  "session_denied_without_forwarding",
+			allowLocalForwarding:  false,
+			allowRemoteForwarding: false,
+			expectAllowed:         false,
+			description:           "Port-forwarding-only session should be denied when all forwarding is disabled",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			serverConfig := &Config{
+				HostKeyPEM: hostKey,
+				JWT:        nil,
+			}
+			server := New(serverConfig)
+			server.SetAllowRootLogin(true)
+			server.SetAllowLocalPortForwarding(tt.allowLocalForwarding)
+			server.SetAllowRemotePortForwarding(tt.allowRemoteForwarding)
+
+			serverAddr := StartTestServer(t, server)
+			defer func() {
+				_ = server.Stop()
+			}()
+
+			// Connect to the server without requesting PTY or command
+			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer cancel()
+
+			client, err := sshclient.Dial(ctx, serverAddr, currentUser.Username, sshclient.DialOptions{
+				InsecureSkipVerify: true,
+			})
+			require.NoError(t, err)
+			defer func() {
+				_ = client.Close()
+			}()
+
+			// Execute a command without PTY - this simulates ssh -T with no command
+			// The server should either allow it (port forwarding enabled) or reject it
+			output, err := client.ExecuteCommand(ctx, "")
+			if tt.expectAllowed {
+				// When allowed, the session stays open until cancelled
+				// ExecuteCommand with empty command should return without error
+				assert.NoError(t, err, "Session should be allowed when port forwarding is enabled")
+				assert.NotContains(t, output, "port forwarding is disabled",
+					"Output should not contain port forwarding disabled message")
+			} else if err != nil {
+				// When denied, we expect an error message about port forwarding being disabled
+				assert.Contains(t, err.Error(), "port forwarding is disabled",
+					"Should get port forwarding disabled message")
+			}
+		})
+	}
+}

client/ssh/server/session_handlers.go

@@ -6,37 +6,45 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"strings"
 	"time"
 
 	"github.com/gliderlabs/ssh"
 	log "github.com/sirupsen/logrus"
-	cryptossh "golang.org/x/crypto/ssh"
 )
 
+// associateJWTUsername extracts pending JWT username for the session and associates it with the session state.
+// Returns the JWT username (empty if none) for logging purposes.
+func (s *Server) associateJWTUsername(sess ssh.Session, sessionKey sessionKey) string {
+	key := newAuthKey(sess.User(), sess.RemoteAddr())
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	jwtUsername := s.pendingAuthJWT[key]
+	if jwtUsername == "" {
+		return ""
+	}
+
+	if state, exists := s.sessions[sessionKey]; exists {
+		state.jwtUsername = jwtUsername
+	}
+	delete(s.pendingAuthJWT, key)
+	return jwtUsername
+}
+
 // sessionHandler handles SSH sessions
 func (s *Server) sessionHandler(session ssh.Session) {
-	sessionKey := s.registerSession(session)
-
-	key := newAuthKey(session.User(), session.RemoteAddr())
-	s.mu.Lock()
-	jwtUsername := s.pendingAuthJWT[key]
-	if jwtUsername != "" {
-		s.sessionJWTUsers[sessionKey] = jwtUsername
-		delete(s.pendingAuthJWT, key)
-	}
-	s.mu.Unlock()
+	sessionKey := s.registerSession(session, "")
+	jwtUsername := s.associateJWTUsername(session, sessionKey)
 
 	logger := log.WithField("session", sessionKey)
 	if jwtUsername != "" {
 		logger = logger.WithField("jwt_user", jwtUsername)
-		logger.Infof("SSH session started (JWT user: %s)", jwtUsername)
-	} else {
-		logger.Infof("SSH session started")
 	}
+	logger.Info("SSH session started")
 	sessionStart := time.Now()
 
-	defer s.unregisterSession(sessionKey, session)
+	defer s.unregisterSession(sessionKey)
 	defer func() {
 		duration := time.Since(sessionStart).Round(time.Millisecond)
 		if err := session.Close(); err != nil && !errors.Is(err, io.EOF) {
@@ -65,27 +73,52 @@ func (s *Server) sessionHandler(session ssh.Session) {
 		// ssh <host> <cmd> - non-Pty command execution
 		s.handleCommand(logger, session, privilegeResult, nil)
 	default:
-		s.rejectInvalidSession(logger, session)
+		// ssh -T (or ssh -N) - no PTY, no command
+		s.handleNonInteractiveSession(logger, session)
 	}
 }
 
-func (s *Server) rejectInvalidSession(logger *log.Entry, session ssh.Session) {
-	if _, err := io.WriteString(session, "no command specified and Pty not requested\n"); err != nil {
-		logger.Debugf(errWriteSession, err)
+// handleNonInteractiveSession handles sessions that have no PTY and no command.
+// These are typically used for port forwarding (ssh -L/-R) or tunneling (ssh -N).
+func (s *Server) handleNonInteractiveSession(logger *log.Entry, session ssh.Session) {
+	s.updateSessionType(session, cmdNonInteractive)
+
+	if !s.isPortForwardingEnabled() {
+		if _, err := io.WriteString(session, "port forwarding is disabled on this server\n"); err != nil {
+			logger.Debugf(errWriteSession, err)
+		}
+		if err := session.Exit(1); err != nil {
+			logSessionExitError(logger, err)
+		}
+		logger.Infof("rejected non-interactive session: port forwarding disabled")
+		return
 	}
-	if err := session.Exit(1); err != nil {
+
+	<-session.Context().Done()
+
+	if err := session.Exit(0); err != nil {
 		logSessionExitError(logger, err)
 	}
-	logger.Infof("rejected non-Pty session without command from %s", session.RemoteAddr())
 }
 
-func (s *Server) registerSession(session ssh.Session) SessionKey {
+func (s *Server) updateSessionType(session ssh.Session, sessionType string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	for _, state := range s.sessions {
+		if state.session == session {
+			state.sessionType = sessionType
+			return
+		}
+	}
+}
+
+func (s *Server) registerSession(session ssh.Session, sessionType string) sessionKey {
 	sessionID := session.Context().Value(ssh.ContextKeySessionID)
 	if sessionID == nil {
 		sessionID = fmt.Sprintf("%p", session)
 	}
 
-	// Create a short 4-byte identifier from the full session ID
 	hasher := sha256.New()
 	hasher.Write([]byte(fmt.Sprintf("%v", sessionID)))
 	hash := hasher.Sum(nil)
@@ -93,43 +126,23 @@ func (s *Server) registerSession(session ssh.Session) SessionKey {
 
 	remoteAddr := session.RemoteAddr().String()
 	username := session.User()
-	sessionKey := SessionKey(fmt.Sprintf("%s@%s-%s", username, remoteAddr, shortID))
+	sessionKey := sessionKey(fmt.Sprintf("%s@%s-%s", username, remoteAddr, shortID))
 
 	s.mu.Lock()
-	s.sessions[sessionKey] = session
+	s.sessions[sessionKey] = &sessionState{
+		session:     session,
+		sessionType: sessionType,
+	}
 	s.mu.Unlock()
 
 	return sessionKey
 }
 
-func (s *Server) unregisterSession(sessionKey SessionKey, session ssh.Session) {
+func (s *Server) unregisterSession(sessionKey sessionKey) {
 	s.mu.Lock()
+	defer s.mu.Unlock()
+
 	delete(s.sessions, sessionKey)
-	delete(s.sessionJWTUsers, sessionKey)
-
-	// Cancel all port forwarding connections for this session
-	var connectionsToCancel []ConnectionKey
-	for key := range s.sessionCancels {
-		if strings.HasPrefix(string(key), string(sessionKey)+"-") {
-			connectionsToCancel = append(connectionsToCancel, key)
-		}
-	}
-
-	for _, key := range connectionsToCancel {
-		if cancelFunc, exists := s.sessionCancels[key]; exists {
-			log.WithField("session", sessionKey).Debugf("cancelling port forwarding context: %s", key)
-			cancelFunc()
-			delete(s.sessionCancels, key)
-		}
-	}
-
-	if sshConnValue := session.Context().Value(ssh.ContextKeyConn); sshConnValue != nil {
-		if sshConn, ok := sshConnValue.(*cryptossh.ServerConn); ok {
-			delete(s.sshConnections, sshConn)
-		}
-	}
-
-	s.mu.Unlock()
 }
 
 func (s *Server) handlePrivError(logger *log.Entry, session ssh.Session, err error) {

client/ssh/server/sftp.go

@@ -18,14 +18,26 @@ func (s *Server) SetAllowSFTP(allow bool) {
 
 // sftpSubsystemHandler handles SFTP subsystem requests
 func (s *Server) sftpSubsystemHandler(sess ssh.Session) {
+	sessionKey := s.registerSession(sess, cmdSFTP)
+	defer s.unregisterSession(sessionKey)
+
+	jwtUsername := s.associateJWTUsername(sess, sessionKey)
+
+	logger := log.WithField("session", sessionKey)
+	if jwtUsername != "" {
+		logger = logger.WithField("jwt_user", jwtUsername)
+	}
+	logger.Info("SFTP session started")
+	defer logger.Info("SFTP session closed")
+
 	s.mu.RLock()
 	allowSFTP := s.allowSFTP
 	s.mu.RUnlock()
 
 	if !allowSFTP {
-		log.Debugf("SFTP subsystem request denied: SFTP disabled")
+		logger.Debug("SFTP subsystem request denied: SFTP disabled")
 		if err := sess.Exit(1); err != nil {
-			log.Debugf("SFTP session exit failed: %v", err)
+			logger.Debugf("SFTP session exit: %v", err)
 		}
 		return
 	}
@@ -37,31 +49,27 @@ func (s *Server) sftpSubsystemHandler(sess ssh.Session) {
 	})
 
 	if !result.Allowed {
-		log.Warnf("SFTP access denied for user %s from %s: %v", sess.User(), sess.RemoteAddr(), result.Error)
+		logger.Warnf("SFTP access denied: %v", result.Error)
 		if err := sess.Exit(1); err != nil {
-			log.Debugf("exit SFTP session: %v", err)
+			logger.Debugf("exit SFTP session: %v", err)
 		}
 		return
 	}
 
-	log.Debugf("SFTP subsystem request from user %s (effective user %s)", sess.User(), result.User.Username)
-
 	if !result.RequiresUserSwitching {
 		if err := s.executeSftpDirect(sess); err != nil {
-			log.Errorf("SFTP direct execution: %v", err)
+			logger.Errorf("SFTP direct execution: %v", err)
 		}
 		return
 	}
 
 	if err := s.executeSftpWithPrivilegeDrop(sess, result.User); err != nil {
-		log.Errorf("SFTP privilege drop execution: %v", err)
+		logger.Errorf("SFTP privilege drop execution: %v", err)
 	}
 }
 
 // executeSftpDirect executes SFTP directly without privilege dropping
 func (s *Server) executeSftpDirect(sess ssh.Session) error {
-	log.Debugf("starting SFTP session for user %s (no privilege dropping)", sess.User())
-
 	sftpServer, err := sftp.NewServer(sess)
 	if err != nil {
 		return fmt.Errorf("SFTP server creation: %w", err)

client/ssh/server/test.go

@@ -3,7 +3,6 @@ package server
 import (
 	"context"
 	"fmt"
-	"net"
 	"net/netip"
 	"testing"
 	"time"
@@ -14,23 +13,21 @@ func StartTestServer(t *testing.T, server *Server) string {
 	errChan := make(chan error, 1)
 
 	go func() {
-		ln, err := net.Listen("tcp", "127.0.0.1:0")
-		if err != nil {
-			errChan <- err
-			return
-		}
-		actualAddr := ln.Addr().String()
-		if err := ln.Close(); err != nil {
-			errChan <- fmt.Errorf("close temp listener: %w", err)
-			return
-		}
-
-		addrPort := netip.MustParseAddrPort(actualAddr)
+		// Use port 0 to let the OS assign a free port
+		addrPort := netip.MustParseAddrPort("127.0.0.1:0")
 		if err := server.Start(context.Background(), addrPort); err != nil {
 			errChan <- err
 			return
 		}
-		started <- actualAddr
+
+		// Get the actual listening address from the server
+		actualAddr := server.Addr()
+		if actualAddr == nil {
+			errChan <- fmt.Errorf("server started but no listener address available")
+			return
+		}
+
+		started <- actualAddr.String()
 	}()
 
 	select {

client/status/status.go

@@ -82,10 +82,11 @@ type NsServerGroupStateOutput struct {
 }
 
 type SSHSessionOutput struct {
-	Username      string `json:"username" yaml:"username"`
-	RemoteAddress string `json:"remoteAddress" yaml:"remoteAddress"`
-	Command       string `json:"command" yaml:"command"`
-	JWTUsername   string `json:"jwtUsername,omitempty" yaml:"jwtUsername,omitempty"`
+	Username      string   `json:"username" yaml:"username"`
+	RemoteAddress string   `json:"remoteAddress" yaml:"remoteAddress"`
+	Command       string   `json:"command" yaml:"command"`
+	JWTUsername   string   `json:"jwtUsername,omitempty" yaml:"jwtUsername,omitempty"`
+	PortForwards  []string `json:"portForwards,omitempty" yaml:"portForwards,omitempty"`
 }
 
 type SSHServerStateOutput struct {
@@ -220,6 +221,7 @@ func mapSSHServer(sshServerState *proto.SSHServerState) SSHServerStateOutput {
 			RemoteAddress: session.GetRemoteAddress(),
 			Command:       session.GetCommand(),
 			JWTUsername:   session.GetJwtUsername(),
+			PortForwards:  session.GetPortForwards(),
 		})
 	}
 
@@ -475,6 +477,9 @@ func ParseGeneralSummary(overview OutputOverview, showURL bool, showRelays bool,
 					)
 				}
 				sshServerStatus += "\n  " + sessionDisplay
+				for _, pf := range session.PortForwards {
+					sshServerStatus += "\n    " + pf
+				}
 			}
 		}
 	}

client/system/info_android.go

@@ -1,6 +1,3 @@
-//go:build android
-// +build android
-
 package system
 
 import (

client/system/info_darwin.go

@@ -1,5 +1,4 @@
 //go:build !ios
-// +build !ios
 
 package system
 

client/system/info_ios.go

@@ -1,6 +1,3 @@
-//go:build ios
-// +build ios
-
 package system
 
 import (

client/ui/client_ui.go

@@ -312,6 +312,8 @@ type serviceClient struct {
 	daemonVersion        string
 	updateIndicationLock sync.Mutex
 	isUpdateIconActive   bool
+	settingsEnabled      bool
+	profilesEnabled      bool
 	showNetworks         bool
 	wNetworks            fyne.Window
 	wProfiles            fyne.Window
@@ -508,7 +510,7 @@ func (s *serviceClient) saveSettings() {
 		// Continue with default behavior if features can't be retrieved
 	} else if features != nil && features.DisableUpdateSettings {
 		log.Warn("Configuration updates are disabled by daemon")
-		dialog.ShowError(fmt.Errorf("Configuration updates are disabled by daemon"), s.wSettings)
+		dialog.ShowError(fmt.Errorf("configuration updates are disabled by daemon"), s.wSettings)
 		return
 	}
 
@@ -538,7 +540,7 @@ func (s *serviceClient) saveSettings() {
 func (s *serviceClient) validateSettings() error {
 	if s.iPreSharedKey.Text != "" && s.iPreSharedKey.Text != censoredPreSharedKey {
 		if _, err := wgtypes.ParseKey(s.iPreSharedKey.Text); err != nil {
-			return fmt.Errorf("Invalid Pre-shared Key Value")
+			return fmt.Errorf("invalid pre-shared key value")
 		}
 	}
 	return nil
@@ -547,10 +549,10 @@ func (s *serviceClient) validateSettings() error {
 func (s *serviceClient) parseNumericSettings() (int64, int64, error) {
 	port, err := strconv.ParseInt(s.iInterfacePort.Text, 10, 64)
 	if err != nil {
-		return 0, 0, errors.New("Invalid interface port")
+		return 0, 0, errors.New("invalid interface port")
 	}
 	if port < 1 || port > 65535 {
-		return 0, 0, errors.New("Invalid interface port: out of range 1-65535")
+		return 0, 0, errors.New("invalid interface port: out of range 1-65535")
 	}
 
 	var mtu int64
@@ -558,7 +560,7 @@ func (s *serviceClient) parseNumericSettings() (int64, int64, error) {
 	if mtuText != "" {
 		mtu, err = strconv.ParseInt(mtuText, 10, 64)
 		if err != nil {
-			return 0, 0, errors.New("Invalid MTU value")
+			return 0, 0, errors.New("invalid MTU value")
 		}
 		if mtu < iface.MinMTU || mtu > iface.MaxMTU {
 			return 0, 0, fmt.Errorf("MTU must be between %d and %d bytes", iface.MinMTU, iface.MaxMTU)
@@ -643,7 +645,7 @@ func (s *serviceClient) buildSetConfigRequest(iMngURL string, port, mtu int64) (
 	if sshJWTCacheTTLText != "" {
 		sshJWTCacheTTL, err := strconv.ParseInt(sshJWTCacheTTLText, 10, 32)
 		if err != nil {
-			return nil, errors.New("Invalid SSH JWT Cache TTL value")
+			return nil, errors.New("invalid SSH JWT Cache TTL value")
 		}
 		if sshJWTCacheTTL < 0 || sshJWTCacheTTL > maxSSHJWTCacheTTL {
 			return nil, fmt.Errorf("SSH JWT Cache TTL must be between 0 and %d seconds", maxSSHJWTCacheTTL)
@@ -907,7 +909,7 @@ func (s *serviceClient) updateStatus() error {
 		var systrayIconState bool
 
 		switch {
-		case status.Status == string(internal.StatusConnected):
+		case status.Status == string(internal.StatusConnected) && !s.connected:
 			s.connected = true
 			s.sendNotification = true
 			if s.isUpdateIconActive {
@@ -921,6 +923,7 @@ func (s *serviceClient) updateStatus() error {
 			s.mUp.Disable()
 			s.mDown.Enable()
 			s.mNetworks.Enable()
+			s.mExitNode.Enable()
 			go s.updateExitNodes()
 			systrayIconState = true
 		case status.Status == string(internal.StatusConnecting):
@@ -1274,19 +1277,22 @@ func (s *serviceClient) checkAndUpdateFeatures() {
 		return
 	}
 
+	s.updateIndicationLock.Lock()
+	defer s.updateIndicationLock.Unlock()
+
 	// Update settings menu based on current features
-	if features != nil && features.DisableUpdateSettings {
-		s.setSettingsEnabled(false)
-	} else {
-		s.setSettingsEnabled(true)
+	settingsEnabled := features == nil || !features.DisableUpdateSettings
+	if s.settingsEnabled != settingsEnabled {
+		s.settingsEnabled = settingsEnabled
+		s.setSettingsEnabled(settingsEnabled)
 	}
 
 	// Update profile menu based on current features
 	if s.mProfile != nil {
-		if features != nil && features.DisableProfiles {
-			s.mProfile.setEnabled(false)
-		} else {
-			s.mProfile.setEnabled(true)
+		profilesEnabled := features == nil || !features.DisableProfiles
+		if s.profilesEnabled != profilesEnabled {
+			s.profilesEnabled = profilesEnabled
+			s.mProfile.setEnabled(profilesEnabled)
 		}
 	}
 }

client/ui/font_windows.go

@@ -31,7 +31,6 @@ func (s *serviceClient) getWindowsFontFilePath() string {
 			"chr-CHER-US": "Gadugi.ttf",
 			"zh-HK":       "Segoeui.ttf",
 			"zh-TW":       "Segoeui.ttf",
-			"ja-JP":       "Yugothm.ttc",
 			"km-KH":       "Leelawui.ttf",
 			"ko-KR":       "Malgun.ttf",
 			"th-TH":       "Leelawui.ttf",

client/ui/signal_windows.go

@@ -164,7 +164,7 @@ func sendShowWindowSignal(pid int32) error {
 
 	err = windows.SetEvent(eventHandle)
 	if err != nil {
-		return fmt.Errorf("Error setting event: %w", err)
+		return fmt.Errorf("error setting event: %w", err)
 	}
 
 	return nil

go.mod

@@ -1,6 +1,8 @@
 module github.com/netbirdio/netbird
 
-go 1.24.10
+go 1.25
+
+toolchain go1.25.5
 
 require (
 	cunicu.li/go-rosenpass v0.4.0
@@ -8,22 +10,22 @@ require (
 	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/mux v1.8.1
 	github.com/kardianos/service v1.2.3-0.20240613133416-becf2eb62b83
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.6
 	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.7.0
-	github.com/spf13/pflag v1.0.5
+	github.com/spf13/cobra v1.10.1
+	github.com/spf13/pflag v1.0.9
 	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.45.0
-	golang.org/x/sys v0.38.0
+	golang.org/x/crypto v0.46.0
+	golang.org/x/sys v0.39.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/grpc v1.73.0
-	google.golang.org/protobuf v1.36.8
+	google.golang.org/grpc v1.77.0
+	google.golang.org/protobuf v1.36.10
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
 
@@ -40,7 +42,9 @@ require (
 	github.com/cilium/ebpf v0.15.0
 	github.com/coder/websocket v1.8.13
 	github.com/coreos/go-iptables v0.7.0
-	github.com/creack/pty v1.1.18
+	github.com/creack/pty v1.1.24
+	github.com/dexidp/dex v0.0.0-00010101000000-000000000000
+	github.com/dexidp/dex/api/v2 v2.4.0
 	github.com/eko/gocache/lib/v4 v4.2.0
 	github.com/eko/gocache/store/go_cache/v4 v4.2.2
 	github.com/eko/gocache/store/redis/v4 v4.2.2
@@ -78,8 +82,8 @@ require (
 	github.com/pion/transport/v3 v3.0.7
 	github.com/pion/turn/v3 v3.0.1
 	github.com/pkg/sftp v1.13.9
-	github.com/prometheus/client_golang v1.22.0
-	github.com/quic-go/quic-go v0.49.1
+	github.com/prometheus/client_golang v1.23.2
+	github.com/quic-go/quic-go v0.55.0
 	github.com/redis/go-redis/v9 v9.7.3
 	github.com/rs/xid v1.3.0
 	github.com/shirou/gopsutil/v3 v3.24.4
@@ -96,39 +100,44 @@ require (
 	github.com/vmihailenco/msgpack/v5 v5.4.1
 	github.com/yusufpapurcu/wmi v1.2.4
 	github.com/zcalusic/sysinfo v1.1.3
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0
-	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0
+	go.opentelemetry.io/otel v1.38.0
 	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
-	go.opentelemetry.io/otel/metric v1.35.0
-	go.opentelemetry.io/otel/sdk/metric v1.35.0
-	go.uber.org/mock v0.5.0
+	go.opentelemetry.io/otel/metric v1.38.0
+	go.opentelemetry.io/otel/sdk/metric v1.38.0
+	go.uber.org/mock v0.5.2
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/mobile v0.0.0-20251113184115-a159579294ab
 	golang.org/x/mod v0.30.0
 	golang.org/x/net v0.47.0
-	golang.org/x/oauth2 v0.30.0
-	golang.org/x/sync v0.18.0
-	golang.org/x/term v0.37.0
-	golang.org/x/time v0.12.0
-	google.golang.org/api v0.177.0
+	golang.org/x/oauth2 v0.34.0
+	golang.org/x/sync v0.19.0
+	golang.org/x/term v0.38.0
+	golang.org/x/time v0.14.0
+	google.golang.org/api v0.257.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.5.7
 	gorm.io/driver/postgres v1.5.7
 	gorm.io/driver/sqlite v1.5.7
 	gorm.io/gorm v1.25.12
-	gvisor.dev/gvisor v0.0.0-20231020174304-b8a429915ff1
+	gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c
 )
 
 require (
-	cloud.google.com/go/auth v0.3.0 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
-	dario.cat/mergo v1.0.0 // indirect
+	cloud.google.com/go/auth v0.17.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.8 // indirect
+	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	dario.cat/mergo v1.0.1 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/AppsFlyer/go-sundheit v0.6.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.12.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
@@ -149,12 +158,14 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
 	github.com/aws/smithy-go v1.22.2 // indirect
+	github.com/beevik/etree v1.6.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/containerd/containerd v1.7.29 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/coreos/go-oidc/v3 v3.14.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
@@ -168,26 +179,28 @@ require (
 	github.com/fyne-io/glfw-js v0.3.0 // indirect
 	github.com/fyne-io/image v0.1.1 // indirect
 	github.com/fyne-io/oksvg v0.2.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 // indirect
 	github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
+	github.com/go-ldap/ldap/v3 v3.4.12 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/go-sql-driver/mysql v1.8.1 // indirect
-	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-text/render v0.2.0 // indirect
 	github.com/go-text/typesetting v0.2.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/google/btree v1.1.2 // indirect
-	github.com/google/pprof v0.0.0-20211214055906-6f57359322fd // indirect
-	github.com/google/s2a-go v0.1.7 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.7 // indirect
+	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
+	github.com/gorilla/handlers v1.5.2 // indirect
 	github.com/hack-pad/go-indexeddb v0.3.2 // indirect
 	github.com/hack-pad/safejs v0.1.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
@@ -196,18 +209,23 @@ require (
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25 // indirect
 	github.com/kelseyhightower/envconfig v1.4.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.7 // indirect
 	github.com/kr/fs v0.1.0 // indirect
+	github.com/lib/pq v1.10.9 // indirect
 	github.com/libdns/libdns v0.2.2 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mattn/go-sqlite3 v1.14.22 // indirect
+	github.com/mattermost/xml-roundtrip-validator v0.1.0 // indirect
+	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
 	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mholt/acmez/v2 v2.0.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/sys/sequential v0.5.0 // indirect
@@ -230,11 +248,14 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.62.0 // indirect
-	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/russellhaering/goxmldsig v1.5.0 // indirect
 	github.com/rymdport/portal v0.4.2 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
 	github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
@@ -245,17 +266,17 @@ require (
 	github.com/wlynxg/anet v0.0.3 // indirect
 	github.com/yuin/goldmark v1.7.8 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
-	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.38.0 // indirect
+	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/image v0.33.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 )
@@ -264,10 +285,12 @@ replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-2024
 
 replace github.com/getlantern/systray => github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949
 
-replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20241230120307-6a676aebaaf6
+replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0
 
 replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6
 
 replace github.com/pion/ice/v4 => github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51
 
 replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944
+
+replace github.com/dexidp/dex => github.com/netbirdio/dex v0.244.0

go.sum

@@ -1,15 +1,14 @@
-cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go/auth v0.3.0 h1:PRyzEpGfx/Z9e8+lHsbkoUVXD0gnu4MNmm7Gp8TQNIs=
-cloud.google.com/go/auth v0.3.0/go.mod h1:lBv6NKTWp8E3LPzmO1TbiiRKc4drLOfHsgmlH9ogv5w=
-cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4=
-cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q=
+cloud.google.com/go/auth v0.17.0 h1:74yCm7hCj2rUyyAocqnFzsAYXgJhrG26XCFimrc/Kz4=
+cloud.google.com/go/auth v0.17.0/go.mod h1:6wv/t5/6rOPAX4fJiRjKkJCvswLwdet7G8+UGXt7nCQ=
+cloud.google.com/go/auth/oauth2adapt v0.2.8 h1:keo8NaayQZ6wimpNSmW5OPc283g65QNIiLpZnkHRbnc=
+cloud.google.com/go/auth/oauth2adapt v0.2.8/go.mod h1:XQ9y31RkqZCcwJWNSx2Xvric3RrU88hAYYbjDWYDL+c=
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
-cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
+cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 cunicu.li/go-rosenpass v0.4.0 h1:LtPtBgFWY/9emfgC4glKLEqS0MJTylzV6+ChRhiZERw=
 cunicu.li/go-rosenpass v0.4.0/go.mod h1:MPbjH9nxV4l3vEagKVdFNwHOketqgS5/To1VYJplf/M=
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 fyne.io/fyne/v2 v2.7.0 h1:GvZSpE3X0liU/fqstInVvRsaboIVpIWQ4/sfjDGIGGQ=
@@ -18,17 +17,28 @@ fyne.io/systray v1.11.1-0.20250603113521-ca66a66d8b58 h1:eA5/u2XRd8OUkoMqEv3IBlF
 fyne.io/systray v1.11.1-0.20250603113521-ca66a66d8b58/go.mod h1:RVwqP9nYMo7h5zViCBHri2FgjXF7H2cub7MAq4NSoLs=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+github.com/AppsFlyer/go-sundheit v0.6.0 h1:d2hBvCjBSb2lUsEWGfPigr4MCOt04sxB+Rppl0yUMSk=
+github.com/AppsFlyer/go-sundheit v0.6.0/go.mod h1:LDdBHD6tQBtmHsdW+i1GwdTt6Wqc0qazf5ZEJVTbTME=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
+github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
+github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.12.3 h1:LS9NXqXhMoqNCplK1ApmVSfB4UnVLRDWRapB6EIlxE0=
 github.com/Microsoft/hcsshim v0.12.3/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6CtY2Qg/JVQ=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible h1:hqcTK6ZISdip65SR792lwYJTa/axESA0889D3UlZbLo=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible/go.mod h1:6B1nuc1MUs6c62ODZDl7hVE5Pv7O2XGSkgg2olnq34I=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
+github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/awnumar/memcall v0.4.0 h1:B7hgZYdfH6Ot1Goaz8jGne/7i8xD4taZie/PNSFZ29g=
@@ -73,6 +83,8 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/Xv
 github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
 github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
 github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/beevik/etree v1.6.0 h1:u8Kwy8pp9D9XeITj2Z0XtA5qqZEmtJtuXZRQi+j03eE=
+github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sLc0Gc=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
@@ -87,16 +99,10 @@ github.com/caddyserver/zerossl v0.1.3 h1:onS+pxp3M8HnHpN5MMbOMyNjmTheJyWRaZYwn+Y
 github.com/caddyserver/zerossl v0.1.3/go.mod h1:CxA0acn7oEGO6//4rtrRjYgEoa4MFw/XofZnrYwGqG4=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
-github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
-github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
 github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
-github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
-github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
 github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/containerd/containerd v1.7.29 h1:90fWABQsaN9mJhGkoVnuzEY+o1XDPbg9BTC9QTAHnuE=
@@ -107,16 +113,20 @@ github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpS
 github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
 github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
 github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/coreos/go-oidc/v3 v3.14.1 h1:9ePWwfdwC4QKRlCXsJGou56adA/owXczOzwKdOumLqk=
+github.com/coreos/go-oidc/v3 v3.14.1/go.mod h1:HaZ3szPaZ0e4r6ebqvsLWlk2Tn+aejfmrfah6hnSYEU=
 github.com/cpuguy83/dockercfg v0.3.2 h1:DlJTyZGBDlXqUZ2Dk2Q3xHs/FtnooJJVaad2S9GKorA=
 github.com/cpuguy83/dockercfg v0.3.2/go.mod h1:sugsbF4//dDlL/i+S+rtpIWp+5h0BHJHfjj5/jFyUJc=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
-github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6 h1:/DS5cDX3FJdl+XaN2D7XAwFpuanTxnp52DBLZAaJKx0=
 github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dexidp/dex/api/v2 v2.4.0 h1:gNba7n6BKVp8X4Jp24cxYn5rIIGhM6kDOXcZoL6tr9A=
+github.com/dexidp/dex/api/v2 v2.4.0/go.mod h1:/p550ADvFFh7K95VmhUD+jgm15VdaNnab9td8DHOpyI=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
@@ -133,14 +143,14 @@ github.com/eko/gocache/store/go_cache/v4 v4.2.2 h1:tAI9nl6TLoJyKG1ujF0CS0n/IgTEM
 github.com/eko/gocache/store/go_cache/v4 v4.2.2/go.mod h1:T9zkHokzr8K9EiC7RfMbDg6HSwaV6rv3UdcNu13SGcA=
 github.com/eko/gocache/store/redis/v4 v4.2.2 h1:Thw31fzGuH3WzJywsdbMivOmP550D6JS7GDHhvCJPA0=
 github.com/eko/gocache/store/redis/v4 v4.2.2/go.mod h1:LaTxLKx9TG/YUEybQvPMij++D7PBTIJ4+pzvk0ykz0w=
-github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
-github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
-github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
 github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fortytw2/leaktest v1.3.0 h1:u8491cBMTQ8ft8aeV+adlcytMZylmA5nnwwkRZjI8vw=
+github.com/fortytw2/leaktest v1.3.0/go.mod h1:jDsjWgpAGjm2CA7WthBh/CdZYEPF31XHquHwclZch5g=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fredbi/uri v1.1.1 h1:xZHJC08GZNIUhbP5ImTHnt5Ya0T8FI2VAwI/37kh2Ko=
 github.com/fredbi/uri v1.1.1/go.mod h1:4+DZQ5zBjEwQCDmXW5JdIjz0PUA+yJbvtBv+u+adr5o=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -159,13 +169,19 @@ github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm
 github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmCsR2Do=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
+github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71 h1:5BVwOaUSBTlVZowGO6VZGw2H/zl9nrd3eCZfYV+NfQA=
 github.com/go-gl/gl v0.0.0-20231021071112-07e5d0ea2e71/go.mod h1:9YTyiznxEY1fVinfM7RvRcjRHbw2xLBJ3AAGIT0I4Nw=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a h1:vxnBhFDDT+xzxf1jTJKMKZw3H0swfWk9RpWbBbDK5+0=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20240506104042-037f3cc74f2a/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
@@ -178,8 +194,8 @@ github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZs
 github.com/go-redis/redis/v8 v8.11.5 h1:AcZZR7igkdvfVmQTPnu9WE37LRrO/YrBH5zWyjDC0oI=
 github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
-github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
-github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
+github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
+github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
@@ -195,11 +211,6 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
 github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
-github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -210,9 +221,7 @@ github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:x
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
-github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
-github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
@@ -220,12 +229,9 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/btree v1.1.2 h1:xf4v41cLI2Z6FxbKm+8Bu+m8ifhj15JuZ9sa0jZCMUU=
 github.com/google/btree v1.1.2/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
-github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
@@ -240,23 +246,24 @@ github.com/google/nftables v0.3.0 h1:bkyZ0cbpVeMHXOrtlFc8ISmfVqq5gPJukoYieyVmITg
 github.com/google/nftables v0.3.0/go.mod h1:BCp9FsrbF1Fn/Yu6CLUc9GGZFw/+hsxfluNXXmxBfRM=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd h1:1FjCyPC+syAzJ5/2S8fqdZK1R22vvA0J7JZKcuOIQ7Y=
 github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
-github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
-github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
-github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/s2a-go v0.1.9 h1:LGD7gtMgezd8a/Xak7mEWL0PjoTQFvpRudN895yqKW0=
+github.com/google/s2a-go v0.1.9/go.mod h1:YA0Ei2ZQL3acow2O62kdp9UlnvMmU7kA6Eutn0dXayM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
-github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA=
-github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4=
+github.com/googleapis/enterprise-certificate-proxy v0.3.7 h1:zrn2Ee/nWmHulBx5sAVrGgAa0f2/R35S4DJwfFaUPFQ=
+github.com/googleapis/enterprise-certificate-proxy v0.3.7/go.mod h1:MkHOF77EYAE7qfSuSS9PU6g4Nt4e11cnsDUowfwewLA=
+github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81vgd/bo=
+github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
 github.com/gopacket/gopacket v1.1.1 h1:zbx9F9d6A7sWNkFKrvMBZTfGgxFoY4NgUudFVVHMfcw=
 github.com/gopacket/gopacket v1.1.1/go.mod h1:HavMeONEl7W9036of9LbSWoonqhH7HA1+ZRO+rMIvFs=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f21357 h1:Fkzd8ktnpOR9h47SXHe2AYPwelXLH2GjGsjlAloiWfo=
 github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f21357/go.mod h1:w9Y7gY31krpLmrVU5ZPG9H7l9fZuRu5/3R3S3FMtVQ4=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/hack-pad/go-indexeddb v0.3.2 h1:DTqeJJYc1usa45Q5r52t01KhvlSN02+Oq+tQbSBI91A=
 github.com/hack-pad/go-indexeddb v0.3.2/go.mod h1:QvfTevpDVlkfomY498LhstjwbPW6QC4VC/lxYb0Kom0=
 github.com/hack-pad/safejs v0.1.0 h1:qPS6vjreAqh2amUqj4WNG1zIw7qlRQJ9K10eDKMCnE8=
@@ -274,7 +281,8 @@ github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b
 github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
+github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
@@ -285,6 +293,18 @@ github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
 github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
 github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
 github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
+github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
+github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
+github.com/jcmturner/dnsutils/v2 v2.0.0/go.mod h1:b0TnjGOvI/n42bZa+hmXL+kFJZsFT7G4t3HTlQ184QM=
+github.com/jcmturner/gofork v1.7.6 h1:QH0l3hzAU1tfT3rZCnW5zXl+orbkNMMRGJfdJjHVETg=
+github.com/jcmturner/gofork v1.7.6/go.mod h1:1622LH6i/EZqLloHfE7IeZ0uEJwMSUyQ/nDd82IeqRo=
+github.com/jcmturner/goidentity/v6 v6.0.1 h1:VKnZd2oEIMorCTsFBnJWbExfNN7yZr3EhJAxwOkZg6o=
+github.com/jcmturner/goidentity/v6 v6.0.1/go.mod h1:X1YW3bgtvwAXju7V3LCIMpY0Gbxyjn/mY9zx4tFonSg=
+github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh687T8=
+github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
+github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
+github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade h1:FmusiCI1wHw+XQbvL9M+1r/C3SPqKrmBaIOYwVfQoDE=
 github.com/jeandeaual/go-locale v0.0.0-20250612000132-0ef82f21eade/go.mod h1:ZDXo8KHryOWSIqnsb/CiDq7hQUYryCgdVnxbj8tDG7o=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
@@ -295,6 +315,8 @@ github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9Y
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25 h1:YLvr1eE6cdCqjOe972w/cYF+FjW34v27+9Vo5106B4M=
 github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25/go.mod h1:kLgvv7o6UM+0QSf0QjAse3wReFDsb9qbZJdfexWlrQw=
@@ -309,8 +331,11 @@ github.com/klauspost/cpuid/v2 v2.2.7 h1:ZWSB3igEs+d0qvnxR/ZBzXVmxkgt8DdzP6m9pfuV
 github.com/klauspost/cpuid/v2 v2.2.7/go.mod h1:Lcz8mBdAVJIBVzewtcLocK12l3Y+JytZYpaMropDUws=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
@@ -329,9 +354,11 @@ github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae h1:dIZY4ULFcto4tA
 github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/mattermost/xml-roundtrip-validator v0.1.0 h1:RXbVD2UAl7A7nOTR4u7E3ILa4IbtvKBHw64LDsmu9hU=
+github.com/mattermost/xml-roundtrip-validator v0.1.0/go.mod h1:qccnGMcpgwcNaBnxqpJpWWUiPNr5H3O8eDgGV9gT5To=
 github.com/mattn/go-isatty v0.0.9/go.mod h1:YNRxwqDuOph6SZLI9vUUz6OYw3QyUt7WiY2yME+cCiQ=
-github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
+github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
 github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
@@ -344,8 +371,12 @@ github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
 github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
+github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
@@ -364,6 +395,8 @@ github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/netbirdio/dex v0.244.0 h1:1GOvi8wnXYassnKGildzNqRHq0RbcfEUw7LKYpKIN7U=
+github.com/netbirdio/dex v0.244.0/go.mod h1:STGInJhPcAflrHmDO7vyit2kSq03PdL+8zQPoGALtcU=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6Sf8uYFx/dMeqNOL90KUoRscdfpFZ3Im89uk=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
@@ -374,8 +407,8 @@ github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9ax
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45/go.mod h1:5/sjFmLb8O96B5737VCqhHyGRzNFIaN/Bu7ZodXc3qQ=
-github.com/netbirdio/wireguard-go v0.0.0-20241230120307-6a676aebaaf6 h1:X5h5QgP7uHAv78FWgHV8+WYLjHxK9v3ilkVXT1cpCrQ=
-github.com/netbirdio/wireguard-go v0.0.0-20241230120307-6a676aebaaf6/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
+github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0 h1:h/QnNzm7xzHPm+gajcblYUOclrW2FeNeDlUNj6tTWKQ=
+github.com/netbirdio/wireguard-go v0.0.0-20260107100953-33b7c9d03db0/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/nicksnyder/go-i18n/v2 v2.5.1 h1:IxtPxYsR9Gp60cGXjfuR/llTqV8aYMsC472zD0D1vHk=
@@ -434,6 +467,7 @@ github.com/pion/turn/v3 v3.0.1 h1:wLi7BTQr6/Q20R0vt/lHbjv6y4GChFtC33nkYbasoT8=
 github.com/pion/turn/v3 v3.0.1/go.mod h1:MrJDKgqryDyWy1/4NT9TWfXWGMC7UHT6pJIv1+gMeNE=
 github.com/pion/turn/v4 v4.1.1 h1:9UnY2HB99tpDyz3cVVZguSxcqkJ1DsTSZ+8TGruh4fc=
 github.com/pion/turn/v4 v4.1.1/go.mod h1:2123tHk1O++vmjI5VSD0awT50NywDAq5A2NNNU4Jjs8=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
@@ -445,25 +479,26 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
-github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
-github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
-github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
-github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/quic-go/quic-go v0.49.1 h1:e5JXpUyF0f2uFjckQzD8jTghZrOUK1xxDqqZhlwixo0=
-github.com/quic-go/quic-go v0.49.1/go.mod h1:s2wDnmCdooUQBmQfpUSTCYBl1/D4FcqbULMMkASvR6s=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/quic-go/quic-go v0.55.0 h1:zccPQIqYCXDt5NmcEabyYvOnomjs8Tlwl7tISjJh9Mk=
+github.com/quic-go/quic-go v0.55.0/go.mod h1:DR51ilwU1uE164KuWXhinFcKWGlEjzys2l8zUl5Ss1U=
 github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
 github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/cors v1.8.0 h1:P2KMzcFwrPoSjkF1WLRPsp3UMLyql8L4v9hQpVeK5so=
 github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM=
 github.com/rs/xid v1.3.0 h1:6NjYksEUlhurdVehpc7S7dk6DAmcKv8V9gG0FsVN2U4=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/russellhaering/goxmldsig v1.5.0 h1:AU2UkkYIUOTyZRbe08XMThaOCelArgvNfYapcmSjBNw=
+github.com/russellhaering/goxmldsig v1.5.0/go.mod h1:x98CjQNFJcWfMxeOrMnMKg70lvDP6tE0nTaeUnjXDmk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/rymdport/portal v0.4.2 h1:7jKRSemwlTyVHHrTGgQg7gmNPJs88xkbKcIL3NlcmSU=
 github.com/rymdport/portal v0.4.2/go.mod h1:kFF4jslnJ8pD5uCi17brj/ODlfIidOxlgUDTO5ncnC4=
@@ -473,21 +508,26 @@ github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFt
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
 github.com/shoenig/test v0.6.4/go.mod h1:byHiCGXqrVaflBLAMq/srcZIHynQPQgeyvkvXnjqq0k=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8 h1:TG/diQgUe0pntT/2D9tmUCz4VNwm9MfrtPr0SU2qSX8=
 github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8/go.mod h1:P5HUIBuIWKbyjl083/loAegFkfbFNx5i2qEP4CNbm7E=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
+github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c h1:km8GpoQut05eY3GiYWEedbTT0qnSxrCjsVbb7yKY1KE=
 github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c/go.mod h1:cNQ3dwVJtS5Hmnjxy6AgTPd0Inb3pW05ftPSX7NZO7Q=
 github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef h1:Ch6Q+AZUxDBCVqdkI8FSpFyZDtCVBc2VmejdNrm5rRQ=
 github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef/go.mod h1:nXTWP6+gD5+LUJ8krVhhoeHjvHTutPxMYl5SvkcnJNE=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -499,7 +539,6 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
@@ -553,40 +592,40 @@ github.com/zeebo/blake3 v0.2.3 h1:TFoLXsjeXqRNFxSbk35Dk4YtszE/MQQGK10BH4ptoTg=
 github.com/zeebo/blake3 v0.2.3/go.mod h1:mjJjZpnsyIVtVgTOSpJ9vmRE4wgDeyt2HU3qXvvKCaQ=
 github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
 github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
-go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
-go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0 h1:q4XOmH/0opmeuJtPsbFNivyl7bCt7yRBbeEm2sC/XtQ=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.61.0/go.mod h1:snMWehoOh2wsEwnvvwtDyFCxVeDAODenXHtn5vzrKjo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.38.0 h1:RkfdswUDRimDg0m2Az18RKOsnI8UDzppJAtj01/Ymk8=
+go.opentelemetry.io/otel v1.38.0/go.mod h1:zcmtmQ1+YmQM9wrNsTGV/q/uyusom3P8RxwExxkZhjM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
 go.opentelemetry.io/otel/exporters/prometheus v0.48.0 h1:sBQe3VNGUjY9IKWQC6z2lNqa5iGbDSxhs60ABwK4y0s=
 go.opentelemetry.io/otel/exporters/prometheus v0.48.0/go.mod h1:DtrbMzoZWwQHyrQmCfLam5DZbnmorsGbOtTbYHycU5o=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.38.0 h1:Kl6lzIYGAh5M159u9NgiRkmoMKjvbsKtYRwgfrA6WpA=
+go.opentelemetry.io/otel/metric v1.38.0/go.mod h1:kB5n/QoRM8YwmUahxvI3bO34eVtQf2i4utNVLr9gEmI=
+go.opentelemetry.io/otel/sdk v1.38.0 h1:l48sr5YbNf2hpCUj/FoGhW9yDkl+Ma+LrVl8qaM5b+E=
+go.opentelemetry.io/otel/sdk v1.38.0/go.mod h1:ghmNdGlVemJI3+ZB5iDEuk4bWA3GkTpW+DOoZMYBVVg=
+go.opentelemetry.io/otel/sdk/metric v1.38.0 h1:aSH66iL0aZqo//xXzQLYozmWrXxyFkBJ6qT5wthqPoM=
+go.opentelemetry.io/otel/sdk/metric v1.38.0/go.mod h1:dg9PBnW9XdQ1Hd6ZnRz689CbtrUp0wMMs9iPcgT9EZA=
+go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJrmcNLE=
+go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 goauthentik.io/api/v3 v3.2023051.3 h1:NebAhD/TeTWNo/9X3/Uj+rM5fG1HaiLOlKTNLQv9Qq4=
 goauthentik.io/api/v3 v3.2023051.3/go.mod h1:nYECml4jGbp/541hj8GcylKQG1gVBsKppHy4+7G8u4U=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -600,16 +639,12 @@ golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1m
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
 golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.33.0 h1:LXRZRnv1+zGd5XBUVRFmYEphyyKJjQjCRiOuAP3sZfQ=
 golang.org/x/image v0.33.0/go.mod h1:DD3OsTYT9chzuzTQt+zMcOlBHgfoKQb1gry8p76Y1sc=
-golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
-golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20251113184115-a159579294ab h1:Iqyc+2zr7aGyLuEadIm0KRJP0Wwt+fhlXLa51Fxf1+Q=
 golang.org/x/mobile v0.0.0-20251113184115-a159579294ab/go.mod h1:Eq3Nh/5pFSWug2ohiudJ1iyU59SO78QFuh4qTTN++I0=
@@ -624,18 +659,13 @@ golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
 golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
-golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
-golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -649,12 +679,10 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
 golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
-golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -665,9 +693,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -686,7 +713,6 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -703,8 +729,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -717,8 +743,8 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -730,15 +756,11 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
-golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@@ -761,42 +783,33 @@ golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvY
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
-google.golang.org/api v0.177.0 h1:8a0p/BbPa65GlqGWtUKxot4p0TV8OGOfyTjtmkXNXmk=
-google.golang.org/api v0.177.0/go.mod h1:srbhue4MLjkjbkux5p3dw/ocYOSZTaIEvf7bCOnFQDw=
-google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
+gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
+google.golang.org/api v0.257.0 h1:8Y0lzvHlZps53PEaw+G29SsQIkuKrumGWs9puiexNAA=
+google.golang.org/api v0.257.0/go.mod h1:4eJrr+vbVaZSqs7vovFd1Jb/A6ml6iw2e6FBYf3GAO4=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
-google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
-google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463 h1:hE3bRWtU6uceqlh4fhrSnUyjKHMKB9KrTLLG+bc0ddM=
-google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463/go.mod h1:U90ffi8eUL9MwPcrJylN5+Mk2v3vuPDptd5yyNUiRR8=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
-google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
-google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
-google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
-google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822/go.mod h1:HubltRL7rMh0LfnQPkMH4NPDFEWp0jw3vixw7jEM53s=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8 h1:mepRgnBZa07I4TRuomDE4sTIYieg/osKmzIf4USdWS4=
+google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846 h1:Wgl1rcDNThT+Zn47YyCXOXyX/COgMTIdhJ717F0l4xk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20251124214823-79d6a2a48846/go.mod h1:7i2o+ce6H/6BluujYR+kqX3GKH+dChPTQU19wjRPiGk=
+google.golang.org/grpc v1.77.0 h1:wVVY6/8cGA6vvffn+wWK5ToddbgdU3d8MNENr4evgXM=
+google.golang.org/grpc v1.77.0/go.mod h1:z0BY1iVj0q8E1uSQCjL9cppRj+gnZjzDnzV0dHhrNig=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
-google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
@@ -830,7 +843,5 @@ gorm.io/gorm v1.25.12 h1:I0u8i2hWQItBq1WfE0o2+WuL9+8L21K9e2HHSTE/0f8=
 gorm.io/gorm v1.25.12/go.mod h1:xh7N7RHfYlNc5EmcI/El95gXusucDrQnHXe0+CgWcLQ=
 gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
 gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-gvisor.dev/gvisor v0.0.0-20231020174304-b8a429915ff1 h1:qDCwdCWECGnwQSQC01Dpnp09fRHxJs9PbktotUqG+hs=
-gvisor.dev/gvisor v0.0.0-20231020174304-b8a429915ff1/go.mod h1:8hmigyCdYtw5xJGfQDJzSH5Ju8XEIDBnpyi8+O6GRt8=
-honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c h1:pfzmXIkkDgydR4ZRP+e1hXywZfYR21FA0Fbk6ptMkiA=
+gvisor.dev/gvisor v0.0.0-20251031020517-ecfcdd2f171c/go.mod h1:/mc6CfwbOm5KKmqoV7Qx20Q+Ja8+vO4g7FuCdlVoAfQ=

idp/dex/config.go

@@ -0,0 +1,301 @@
+package dex
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"os"
+	"time"
+
+	"golang.org/x/crypto/bcrypt"
+	"gopkg.in/yaml.v3"
+
+	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/storage"
+	"github.com/dexidp/dex/storage/sql"
+
+	"github.com/netbirdio/netbird/idp/dex/web"
+)
+
+// parseDuration parses a duration string (e.g., "6h", "24h", "168h").
+func parseDuration(s string) (time.Duration, error) {
+	return time.ParseDuration(s)
+}
+
+// YAMLConfig represents the YAML configuration file format (mirrors dex's config format)
+type YAMLConfig struct {
+	Issuer   string   `yaml:"issuer" json:"issuer"`
+	Storage  Storage  `yaml:"storage" json:"storage"`
+	Web      Web      `yaml:"web" json:"web"`
+	GRPC     GRPC     `yaml:"grpc" json:"grpc"`
+	OAuth2   OAuth2   `yaml:"oauth2" json:"oauth2"`
+	Expiry   Expiry   `yaml:"expiry" json:"expiry"`
+	Logger   Logger   `yaml:"logger" json:"logger"`
+	Frontend Frontend `yaml:"frontend" json:"frontend"`
+
+	// StaticConnectors are user defined connectors specified in the config file
+	StaticConnectors []Connector `yaml:"connectors" json:"connectors"`
+
+	// StaticClients cause the server to use this list of clients rather than
+	// querying the storage. Write operations, like creating a client, will fail.
+	StaticClients []storage.Client `yaml:"staticClients" json:"staticClients"`
+
+	// If enabled, the server will maintain a list of passwords which can be used
+	// to identify a user.
+	EnablePasswordDB bool `yaml:"enablePasswordDB" json:"enablePasswordDB"`
+
+	// StaticPasswords cause the server use this list of passwords rather than
+	// querying the storage.
+	StaticPasswords []Password `yaml:"staticPasswords" json:"staticPasswords"`
+}
+
+// Web is the config format for the HTTP server.
+type Web struct {
+	HTTP           string   `yaml:"http" json:"http"`
+	HTTPS          string   `yaml:"https" json:"https"`
+	AllowedOrigins []string `yaml:"allowedOrigins" json:"allowedOrigins"`
+	AllowedHeaders []string `yaml:"allowedHeaders" json:"allowedHeaders"`
+}
+
+// GRPC is the config for the gRPC API.
+type GRPC struct {
+	Addr        string `yaml:"addr" json:"addr"`
+	TLSCert     string `yaml:"tlsCert" json:"tlsCert"`
+	TLSKey      string `yaml:"tlsKey" json:"tlsKey"`
+	TLSClientCA string `yaml:"tlsClientCA" json:"tlsClientCA"`
+}
+
+// OAuth2 describes enabled OAuth2 extensions.
+type OAuth2 struct {
+	SkipApprovalScreen    bool     `yaml:"skipApprovalScreen" json:"skipApprovalScreen"`
+	AlwaysShowLoginScreen bool     `yaml:"alwaysShowLoginScreen" json:"alwaysShowLoginScreen"`
+	PasswordConnector     string   `yaml:"passwordConnector" json:"passwordConnector"`
+	ResponseTypes         []string `yaml:"responseTypes" json:"responseTypes"`
+	GrantTypes            []string `yaml:"grantTypes" json:"grantTypes"`
+}
+
+// Expiry holds configuration for the validity period of components.
+type Expiry struct {
+	SigningKeys    string              `yaml:"signingKeys" json:"signingKeys"`
+	IDTokens       string              `yaml:"idTokens" json:"idTokens"`
+	AuthRequests   string              `yaml:"authRequests" json:"authRequests"`
+	DeviceRequests string              `yaml:"deviceRequests" json:"deviceRequests"`
+	RefreshTokens  RefreshTokensExpiry `yaml:"refreshTokens" json:"refreshTokens"`
+}
+
+// RefreshTokensExpiry holds configuration for refresh token expiry.
+type RefreshTokensExpiry struct {
+	ReuseInterval     string `yaml:"reuseInterval" json:"reuseInterval"`
+	ValidIfNotUsedFor string `yaml:"validIfNotUsedFor" json:"validIfNotUsedFor"`
+	AbsoluteLifetime  string `yaml:"absoluteLifetime" json:"absoluteLifetime"`
+	DisableRotation   bool   `yaml:"disableRotation" json:"disableRotation"`
+}
+
+// Logger holds configuration required to customize logging.
+type Logger struct {
+	Level  string `yaml:"level" json:"level"`
+	Format string `yaml:"format" json:"format"`
+}
+
+// Frontend holds the server's frontend templates and assets config.
+type Frontend struct {
+	Dir     string            `yaml:"dir" json:"dir"`
+	Theme   string            `yaml:"theme" json:"theme"`
+	Issuer  string            `yaml:"issuer" json:"issuer"`
+	LogoURL string            `yaml:"logoURL" json:"logoURL"`
+	Extra   map[string]string `yaml:"extra" json:"extra"`
+}
+
+// Storage holds app's storage configuration.
+type Storage struct {
+	Type   string                 `yaml:"type" json:"type"`
+	Config map[string]interface{} `yaml:"config" json:"config"`
+}
+
+// Password represents a static user configuration
+type Password storage.Password
+
+func (p *Password) UnmarshalYAML(node *yaml.Node) error {
+	var data struct {
+		Email       string `yaml:"email"`
+		Username    string `yaml:"username"`
+		UserID      string `yaml:"userID"`
+		Hash        string `yaml:"hash"`
+		HashFromEnv string `yaml:"hashFromEnv"`
+	}
+	if err := node.Decode(&data); err != nil {
+		return err
+	}
+	*p = Password(storage.Password{
+		Email:    data.Email,
+		Username: data.Username,
+		UserID:   data.UserID,
+	})
+	if len(data.Hash) == 0 && len(data.HashFromEnv) > 0 {
+		data.Hash = os.Getenv(data.HashFromEnv)
+	}
+	if len(data.Hash) == 0 {
+		return fmt.Errorf("no password hash provided for user %s", data.Email)
+	}
+
+	// If this value is a valid bcrypt, use it.
+	_, bcryptErr := bcrypt.Cost([]byte(data.Hash))
+	if bcryptErr == nil {
+		p.Hash = []byte(data.Hash)
+		return nil
+	}
+
+	// For backwards compatibility try to base64 decode this value.
+	hashBytes, err := base64.StdEncoding.DecodeString(data.Hash)
+	if err != nil {
+		return fmt.Errorf("malformed bcrypt hash: %v", bcryptErr)
+	}
+	if _, err := bcrypt.Cost(hashBytes); err != nil {
+		return fmt.Errorf("malformed bcrypt hash: %v", err)
+	}
+	p.Hash = hashBytes
+	return nil
+}
+
+// Connector is a connector configuration that can unmarshal YAML dynamically.
+type Connector struct {
+	Type   string                 `yaml:"type" json:"type"`
+	Name   string                 `yaml:"name" json:"name"`
+	ID     string                 `yaml:"id" json:"id"`
+	Config map[string]interface{} `yaml:"config" json:"config"`
+}
+
+// ToStorageConnector converts a Connector to storage.Connector type.
+func (c *Connector) ToStorageConnector() (storage.Connector, error) {
+	data, err := json.Marshal(c.Config)
+	if err != nil {
+		return storage.Connector{}, fmt.Errorf("failed to marshal connector config: %v", err)
+	}
+
+	return storage.Connector{
+		ID:     c.ID,
+		Type:   c.Type,
+		Name:   c.Name,
+		Config: data,
+	}, nil
+}
+
+// StorageConfig is a configuration that can create a storage.
+type StorageConfig interface {
+	Open(logger *slog.Logger) (storage.Storage, error)
+}
+
+// OpenStorage opens a storage based on the config
+func (s *Storage) OpenStorage(logger *slog.Logger) (storage.Storage, error) {
+	switch s.Type {
+	case "sqlite3":
+		file, _ := s.Config["file"].(string)
+		if file == "" {
+			return nil, fmt.Errorf("sqlite3 storage requires 'file' config")
+		}
+		return (&sql.SQLite3{File: file}).Open(logger)
+	default:
+		return nil, fmt.Errorf("unsupported storage type: %s", s.Type)
+	}
+}
+
+// Validate validates the configuration
+func (c *YAMLConfig) Validate() error {
+	if c.Issuer == "" {
+		return fmt.Errorf("no issuer specified in config file")
+	}
+	if c.Storage.Type == "" {
+		return fmt.Errorf("no storage type specified in config file")
+	}
+	if c.Web.HTTP == "" && c.Web.HTTPS == "" {
+		return fmt.Errorf("must supply a HTTP/HTTPS address to listen on")
+	}
+	if !c.EnablePasswordDB && len(c.StaticPasswords) != 0 {
+		return fmt.Errorf("cannot specify static passwords without enabling password db")
+	}
+	return nil
+}
+
+// ToServerConfig converts YAMLConfig to dex server.Config
+func (c *YAMLConfig) ToServerConfig(stor storage.Storage, logger *slog.Logger) server.Config {
+	cfg := server.Config{
+		Issuer:             c.Issuer,
+		Storage:            stor,
+		Logger:             logger,
+		SkipApprovalScreen: c.OAuth2.SkipApprovalScreen,
+		AllowedOrigins:     c.Web.AllowedOrigins,
+		AllowedHeaders:     c.Web.AllowedHeaders,
+		Web: server.WebConfig{
+			Issuer:  c.Frontend.Issuer,
+			LogoURL: c.Frontend.LogoURL,
+			Theme:   c.Frontend.Theme,
+			Dir:     c.Frontend.Dir,
+			Extra:   c.Frontend.Extra,
+		},
+	}
+
+	// Use embedded NetBird-styled templates if no custom dir specified
+	if c.Frontend.Dir == "" {
+		cfg.Web.WebFS = web.FS()
+	}
+
+	if len(c.OAuth2.ResponseTypes) > 0 {
+		cfg.SupportedResponseTypes = c.OAuth2.ResponseTypes
+	}
+
+	// Apply expiry settings
+	if c.Expiry.SigningKeys != "" {
+		if d, err := parseDuration(c.Expiry.SigningKeys); err == nil {
+			cfg.RotateKeysAfter = d
+		}
+	}
+	if c.Expiry.IDTokens != "" {
+		if d, err := parseDuration(c.Expiry.IDTokens); err == nil {
+			cfg.IDTokensValidFor = d
+		}
+	}
+	if c.Expiry.AuthRequests != "" {
+		if d, err := parseDuration(c.Expiry.AuthRequests); err == nil {
+			cfg.AuthRequestsValidFor = d
+		}
+	}
+	if c.Expiry.DeviceRequests != "" {
+		if d, err := parseDuration(c.Expiry.DeviceRequests); err == nil {
+			cfg.DeviceRequestsValidFor = d
+		}
+	}
+
+	return cfg
+}
+
+// GetRefreshTokenPolicy creates a RefreshTokenPolicy from the expiry config.
+// This should be called after ToServerConfig and the policy set on the config.
+func (c *YAMLConfig) GetRefreshTokenPolicy(logger *slog.Logger) (*server.RefreshTokenPolicy, error) {
+	return server.NewRefreshTokenPolicy(
+		logger,
+		c.Expiry.RefreshTokens.DisableRotation,
+		c.Expiry.RefreshTokens.ValidIfNotUsedFor,
+		c.Expiry.RefreshTokens.AbsoluteLifetime,
+		c.Expiry.RefreshTokens.ReuseInterval,
+	)
+}
+
+// LoadConfig loads configuration from a YAML file
+func LoadConfig(path string) (*YAMLConfig, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read config file: %w", err)
+	}
+
+	var cfg YAMLConfig
+	if err := yaml.Unmarshal(data, &cfg); err != nil {
+		return nil, fmt.Errorf("failed to parse config file: %w", err)
+	}
+
+	if err := cfg.Validate(); err != nil {
+		return nil, err
+	}
+
+	return &cfg, nil
+}

idp/dex/logrus_handler.go

@@ -0,0 +1,113 @@
+package dex
+
+import (
+	"context"
+	"log/slog"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/formatter"
+)
+
+// LogrusHandler is an slog.Handler that delegates to logrus.
+// This allows Dex to use the same log format as the rest of NetBird.
+type LogrusHandler struct {
+	logger *logrus.Logger
+	attrs  []slog.Attr
+	groups []string
+}
+
+// NewLogrusHandler creates a new slog handler that wraps logrus with NetBird's text formatter.
+func NewLogrusHandler(level slog.Level) *LogrusHandler {
+	logger := logrus.New()
+	formatter.SetTextFormatter(logger)
+
+	// Map slog level to logrus level
+	switch level {
+	case slog.LevelDebug:
+		logger.SetLevel(logrus.DebugLevel)
+	case slog.LevelInfo:
+		logger.SetLevel(logrus.InfoLevel)
+	case slog.LevelWarn:
+		logger.SetLevel(logrus.WarnLevel)
+	case slog.LevelError:
+		logger.SetLevel(logrus.ErrorLevel)
+	default:
+		logger.SetLevel(logrus.WarnLevel)
+	}
+
+	return &LogrusHandler{logger: logger}
+}
+
+// Enabled reports whether the handler handles records at the given level.
+func (h *LogrusHandler) Enabled(_ context.Context, level slog.Level) bool {
+	switch level {
+	case slog.LevelDebug:
+		return h.logger.IsLevelEnabled(logrus.DebugLevel)
+	case slog.LevelInfo:
+		return h.logger.IsLevelEnabled(logrus.InfoLevel)
+	case slog.LevelWarn:
+		return h.logger.IsLevelEnabled(logrus.WarnLevel)
+	case slog.LevelError:
+		return h.logger.IsLevelEnabled(logrus.ErrorLevel)
+	default:
+		return true
+	}
+}
+
+// Handle handles the Record.
+func (h *LogrusHandler) Handle(_ context.Context, r slog.Record) error {
+	fields := make(logrus.Fields)
+
+	// Add pre-set attributes
+	for _, attr := range h.attrs {
+		fields[attr.Key] = attr.Value.Any()
+	}
+
+	// Add record attributes
+	r.Attrs(func(attr slog.Attr) bool {
+		fields[attr.Key] = attr.Value.Any()
+		return true
+	})
+
+	entry := h.logger.WithFields(fields)
+
+	switch r.Level {
+	case slog.LevelDebug:
+		entry.Debug(r.Message)
+	case slog.LevelInfo:
+		entry.Info(r.Message)
+	case slog.LevelWarn:
+		entry.Warn(r.Message)
+	case slog.LevelError:
+		entry.Error(r.Message)
+	default:
+		entry.Info(r.Message)
+	}
+
+	return nil
+}
+
+// WithAttrs returns a new Handler with the given attributes added.
+func (h *LogrusHandler) WithAttrs(attrs []slog.Attr) slog.Handler {
+	newAttrs := make([]slog.Attr, len(h.attrs)+len(attrs))
+	copy(newAttrs, h.attrs)
+	copy(newAttrs[len(h.attrs):], attrs)
+	return &LogrusHandler{
+		logger: h.logger,
+		attrs:  newAttrs,
+		groups: h.groups,
+	}
+}
+
+// WithGroup returns a new Handler with the given group appended to the receiver's groups.
+func (h *LogrusHandler) WithGroup(name string) slog.Handler {
+	newGroups := make([]string, len(h.groups)+1)
+	copy(newGroups, h.groups)
+	newGroups[len(h.groups)] = name
+	return &LogrusHandler{
+		logger: h.logger,
+		attrs:  h.attrs,
+		groups: newGroups,
+	}
+}

idp/dex/provider.go

@@ -0,0 +1,952 @@
+// Package dex provides an embedded Dex OIDC identity provider.
+package dex
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log/slog"
+	"net"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	dexapi "github.com/dexidp/dex/api/v2"
+	"github.com/dexidp/dex/server"
+	"github.com/dexidp/dex/storage"
+	"github.com/dexidp/dex/storage/sql"
+	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus"
+	"golang.org/x/crypto/bcrypt"
+	"google.golang.org/grpc"
+)
+
+// Config matches what management/internals/server/server.go expects
+type Config struct {
+	Issuer  string
+	Port    int
+	DataDir string
+	DevMode bool
+
+	// GRPCAddr is the address for the gRPC API (e.g., ":5557"). Empty disables gRPC.
+	GRPCAddr string
+}
+
+// Provider wraps a Dex server
+type Provider struct {
+	config       *Config
+	yamlConfig   *YAMLConfig
+	dexServer    *server.Server
+	httpServer   *http.Server
+	listener     net.Listener
+	grpcServer   *grpc.Server
+	grpcListener net.Listener
+	storage      storage.Storage
+	logger       *slog.Logger
+	mu           sync.Mutex
+	running      bool
+}
+
+// NewProvider creates and initializes the Dex server
+func NewProvider(ctx context.Context, config *Config) (*Provider, error) {
+	if config.Issuer == "" {
+		return nil, fmt.Errorf("issuer is required")
+	}
+	if config.Port <= 0 {
+		return nil, fmt.Errorf("invalid port")
+	}
+	if config.DataDir == "" {
+		return nil, fmt.Errorf("data directory is required")
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
+
+	// Ensure data directory exists
+	if err := os.MkdirAll(config.DataDir, 0700); err != nil {
+		return nil, fmt.Errorf("failed to create data directory: %w", err)
+	}
+
+	// Initialize SQLite storage
+	dbPath := filepath.Join(config.DataDir, "oidc.db")
+	sqliteConfig := &sql.SQLite3{File: dbPath}
+	stor, err := sqliteConfig.Open(logger)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open storage: %w", err)
+	}
+
+	// Ensure a local connector exists (for password authentication)
+	if err := ensureLocalConnector(ctx, stor); err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to ensure local connector: %w", err)
+	}
+
+	// Ensure issuer ends with /oauth2 for proper path mounting
+	issuer := strings.TrimSuffix(config.Issuer, "/")
+	if !strings.HasSuffix(issuer, "/oauth2") {
+		issuer += "/oauth2"
+	}
+
+	// Build refresh token policy (required to avoid nil pointer panics)
+	refreshPolicy, err := server.NewRefreshTokenPolicy(logger, false, "", "", "")
+	if err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to create refresh token policy: %w", err)
+	}
+
+	// Build Dex server config - use Dex's types directly
+	dexConfig := server.Config{
+		Issuer:                 issuer,
+		Storage:                stor,
+		SkipApprovalScreen:     true,
+		SupportedResponseTypes: []string{"code"},
+		Logger:                 logger,
+		PrometheusRegistry:     prometheus.NewRegistry(),
+		RotateKeysAfter:        6 * time.Hour,
+		IDTokensValidFor:       24 * time.Hour,
+		RefreshTokenPolicy:     refreshPolicy,
+		Web: server.WebConfig{
+			Issuer: "NetBird",
+		},
+	}
+
+	dexSrv, err := server.NewServer(ctx, dexConfig)
+	if err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to create dex server: %w", err)
+	}
+
+	return &Provider{
+		config:    config,
+		dexServer: dexSrv,
+		storage:   stor,
+		logger:    logger,
+	}, nil
+}
+
+// NewProviderFromYAML creates and initializes the Dex server from a YAMLConfig
+func NewProviderFromYAML(ctx context.Context, yamlConfig *YAMLConfig) (*Provider, error) {
+	// Configure log level from config, default to WARN to avoid logging sensitive data (emails)
+	logLevel := slog.LevelWarn
+	if yamlConfig.Logger.Level != "" {
+		switch strings.ToLower(yamlConfig.Logger.Level) {
+		case "debug":
+			logLevel = slog.LevelDebug
+		case "info":
+			logLevel = slog.LevelInfo
+		case "warn", "warning":
+			logLevel = slog.LevelWarn
+		case "error":
+			logLevel = slog.LevelError
+		}
+	}
+	logger := slog.New(NewLogrusHandler(logLevel))
+
+	stor, err := yamlConfig.Storage.OpenStorage(logger)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open storage: %w", err)
+	}
+
+	if err := initializeStorage(ctx, stor, yamlConfig); err != nil {
+		stor.Close()
+		return nil, err
+	}
+
+	dexConfig := buildDexConfig(yamlConfig, stor, logger)
+	dexConfig.RefreshTokenPolicy, err = yamlConfig.GetRefreshTokenPolicy(logger)
+	if err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to create refresh token policy: %w", err)
+	}
+
+	dexSrv, err := server.NewServer(ctx, dexConfig)
+	if err != nil {
+		stor.Close()
+		return nil, fmt.Errorf("failed to create dex server: %w", err)
+	}
+
+	return &Provider{
+		config:     &Config{Issuer: yamlConfig.Issuer, GRPCAddr: yamlConfig.GRPC.Addr},
+		yamlConfig: yamlConfig,
+		dexServer:  dexSrv,
+		storage:    stor,
+		logger:     logger,
+	}, nil
+}
+
+// initializeStorage sets up connectors, passwords, and clients in storage
+func initializeStorage(ctx context.Context, stor storage.Storage, cfg *YAMLConfig) error {
+	if cfg.EnablePasswordDB {
+		if err := ensureLocalConnector(ctx, stor); err != nil {
+			return fmt.Errorf("failed to ensure local connector: %w", err)
+		}
+	}
+	if err := ensureStaticPasswords(ctx, stor, cfg.StaticPasswords); err != nil {
+		return err
+	}
+	if err := ensureStaticClients(ctx, stor, cfg.StaticClients); err != nil {
+		return err
+	}
+	return ensureStaticConnectors(ctx, stor, cfg.StaticConnectors)
+}
+
+// ensureStaticPasswords creates or updates static passwords in storage
+func ensureStaticPasswords(ctx context.Context, stor storage.Storage, passwords []Password) error {
+	for _, pw := range passwords {
+		existing, err := stor.GetPassword(ctx, pw.Email)
+		if errors.Is(err, storage.ErrNotFound) {
+			if err := stor.CreatePassword(ctx, storage.Password(pw)); err != nil {
+				return fmt.Errorf("failed to create password for %s: %w", pw.Email, err)
+			}
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("failed to get password for %s: %w", pw.Email, err)
+		}
+		if string(existing.Hash) != string(pw.Hash) {
+			if err := stor.UpdatePassword(ctx, pw.Email, func(old storage.Password) (storage.Password, error) {
+				old.Hash = pw.Hash
+				old.Username = pw.Username
+				return old, nil
+			}); err != nil {
+				return fmt.Errorf("failed to update password for %s: %w", pw.Email, err)
+			}
+		}
+	}
+	return nil
+}
+
+// ensureStaticClients creates or updates static clients in storage
+func ensureStaticClients(ctx context.Context, stor storage.Storage, clients []storage.Client) error {
+	for _, client := range clients {
+		_, err := stor.GetClient(ctx, client.ID)
+		if errors.Is(err, storage.ErrNotFound) {
+			if err := stor.CreateClient(ctx, client); err != nil {
+				return fmt.Errorf("failed to create client %s: %w", client.ID, err)
+			}
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("failed to get client %s: %w", client.ID, err)
+		}
+		if err := stor.UpdateClient(ctx, client.ID, func(old storage.Client) (storage.Client, error) {
+			old.RedirectURIs = client.RedirectURIs
+			old.Name = client.Name
+			old.Public = client.Public
+			return old, nil
+		}); err != nil {
+			return fmt.Errorf("failed to update client %s: %w", client.ID, err)
+		}
+	}
+	return nil
+}
+
+// ensureStaticConnectors creates or updates static connectors in storage
+func ensureStaticConnectors(ctx context.Context, stor storage.Storage, connectors []Connector) error {
+	for _, conn := range connectors {
+		storConn, err := conn.ToStorageConnector()
+		if err != nil {
+			return fmt.Errorf("failed to convert connector %s: %w", conn.ID, err)
+		}
+		_, err = stor.GetConnector(ctx, conn.ID)
+		if errors.Is(err, storage.ErrNotFound) {
+			if err := stor.CreateConnector(ctx, storConn); err != nil {
+				return fmt.Errorf("failed to create connector %s: %w", conn.ID, err)
+			}
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("failed to get connector %s: %w", conn.ID, err)
+		}
+		if err := stor.UpdateConnector(ctx, conn.ID, func(old storage.Connector) (storage.Connector, error) {
+			old.Name = storConn.Name
+			old.Config = storConn.Config
+			return old, nil
+		}); err != nil {
+			return fmt.Errorf("failed to update connector %s: %w", conn.ID, err)
+		}
+	}
+	return nil
+}
+
+// buildDexConfig creates a server.Config with defaults applied
+func buildDexConfig(yamlConfig *YAMLConfig, stor storage.Storage, logger *slog.Logger) server.Config {
+	cfg := yamlConfig.ToServerConfig(stor, logger)
+	cfg.PrometheusRegistry = prometheus.NewRegistry()
+	if cfg.RotateKeysAfter == 0 {
+		cfg.RotateKeysAfter = 24 * 30 * time.Hour
+	}
+	if cfg.IDTokensValidFor == 0 {
+		cfg.IDTokensValidFor = 24 * time.Hour
+	}
+	if cfg.Web.Issuer == "" {
+		cfg.Web.Issuer = "NetBird"
+	}
+	if len(cfg.SupportedResponseTypes) == 0 {
+		cfg.SupportedResponseTypes = []string{"code"}
+	}
+	return cfg
+}
+
+// Start starts the HTTP server and optionally the gRPC API server
+func (p *Provider) Start(_ context.Context) error {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if p.running {
+		return fmt.Errorf("already running")
+	}
+
+	// Determine listen address from config
+	var addr string
+	if p.yamlConfig != nil {
+		addr = p.yamlConfig.Web.HTTP
+		if addr == "" {
+			addr = p.yamlConfig.Web.HTTPS
+		}
+	} else if p.config != nil && p.config.Port > 0 {
+		addr = fmt.Sprintf(":%d", p.config.Port)
+	}
+	if addr == "" {
+		return fmt.Errorf("no listen address configured")
+	}
+
+	listener, err := net.Listen("tcp", addr)
+	if err != nil {
+		return fmt.Errorf("failed to listen on %s: %w", addr, err)
+	}
+	p.listener = listener
+
+	// Mount Dex at /oauth2/ path for reverse proxy compatibility
+	// Don't strip the prefix - Dex's issuer includes /oauth2 so it expects the full path
+	mux := http.NewServeMux()
+	mux.Handle("/oauth2/", p.dexServer)
+
+	p.httpServer = &http.Server{Handler: mux}
+	p.running = true
+
+	go func() {
+		if err := p.httpServer.Serve(listener); err != nil && err != http.ErrServerClosed {
+			p.logger.Error("http server error", "error", err)
+		}
+	}()
+
+	// Start gRPC API server if configured
+	if p.config.GRPCAddr != "" {
+		if err := p.startGRPCServer(); err != nil {
+			// Clean up HTTP server on failure
+			_ = p.httpServer.Close()
+			_ = p.listener.Close()
+			return fmt.Errorf("failed to start gRPC server: %w", err)
+		}
+	}
+
+	p.logger.Info("HTTP server started", "addr", addr)
+	return nil
+}
+
+// startGRPCServer starts the gRPC API server using Dex's built-in API
+func (p *Provider) startGRPCServer() error {
+	grpcListener, err := net.Listen("tcp", p.config.GRPCAddr)
+	if err != nil {
+		return fmt.Errorf("failed to listen on %s: %w", p.config.GRPCAddr, err)
+	}
+	p.grpcListener = grpcListener
+
+	p.grpcServer = grpc.NewServer()
+	// Use Dex's built-in API server implementation
+	// server.NewAPI(storage, logger, version, dexServer)
+	dexapi.RegisterDexServer(p.grpcServer, server.NewAPI(p.storage, p.logger, "netbird-dex", p.dexServer))
+
+	go func() {
+		if err := p.grpcServer.Serve(grpcListener); err != nil {
+			p.logger.Error("grpc server error", "error", err)
+		}
+	}()
+
+	p.logger.Info("gRPC API server started", "addr", p.config.GRPCAddr)
+	return nil
+}
+
+// Stop gracefully shuts down
+func (p *Provider) Stop(ctx context.Context) error {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+
+	if !p.running {
+		return nil
+	}
+
+	var errs []error
+
+	// Stop gRPC server first
+	if p.grpcServer != nil {
+		p.grpcServer.GracefulStop()
+		p.grpcServer = nil
+	}
+	if p.grpcListener != nil {
+		p.grpcListener.Close()
+		p.grpcListener = nil
+	}
+
+	if p.httpServer != nil {
+		if err := p.httpServer.Shutdown(ctx); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	// Explicitly close listener as fallback (Shutdown should do this, but be safe)
+	if p.listener != nil {
+		if err := p.listener.Close(); err != nil {
+			// Ignore "use of closed network connection" - expected after Shutdown
+			if !strings.Contains(err.Error(), "use of closed") {
+				errs = append(errs, err)
+			}
+		}
+		p.listener = nil
+	}
+
+	if p.storage != nil {
+		if err := p.storage.Close(); err != nil {
+			errs = append(errs, err)
+		}
+	}
+
+	p.httpServer = nil
+	p.running = false
+
+	if len(errs) > 0 {
+		return fmt.Errorf("shutdown errors: %v", errs)
+	}
+	return nil
+}
+
+// EnsureDefaultClients creates dashboard and CLI OAuth clients
+// Uses Dex's storage.Client directly - no custom wrappers
+func (p *Provider) EnsureDefaultClients(ctx context.Context, dashboardURIs, cliURIs []string) error {
+	clients := []storage.Client{
+		{
+			ID:           "netbird-dashboard",
+			Name:         "NetBird Dashboard",
+			RedirectURIs: dashboardURIs,
+			Public:       true,
+		},
+		{
+			ID:           "netbird-cli",
+			Name:         "NetBird CLI",
+			RedirectURIs: cliURIs,
+			Public:       true,
+		},
+	}
+
+	for _, client := range clients {
+		_, err := p.storage.GetClient(ctx, client.ID)
+		if err == storage.ErrNotFound {
+			if err := p.storage.CreateClient(ctx, client); err != nil {
+				return fmt.Errorf("failed to create client %s: %w", client.ID, err)
+			}
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("failed to get client %s: %w", client.ID, err)
+		}
+		// Update if exists
+		if err := p.storage.UpdateClient(ctx, client.ID, func(old storage.Client) (storage.Client, error) {
+			old.RedirectURIs = client.RedirectURIs
+			return old, nil
+		}); err != nil {
+			return fmt.Errorf("failed to update client %s: %w", client.ID, err)
+		}
+	}
+
+	p.logger.Info("default OIDC clients ensured")
+	return nil
+}
+
+// Storage returns the underlying Dex storage for direct access
+// Users can use storage.Client, storage.Password, storage.Connector directly
+func (p *Provider) Storage() storage.Storage {
+	return p.storage
+}
+
+// Handler returns the Dex server as an http.Handler for embedding in another server.
+// The handler expects requests with path prefix "/oauth2/".
+func (p *Provider) Handler() http.Handler {
+	return p.dexServer
+}
+
+// CreateUser creates a new user with the given email, username, and password.
+// Returns the encoded user ID in Dex's format (base64-encoded protobuf with connector ID).
+func (p *Provider) CreateUser(ctx context.Context, email, username, password string) (string, error) {
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", fmt.Errorf("failed to hash password: %w", err)
+	}
+
+	userID := uuid.New().String()
+	err = p.storage.CreatePassword(ctx, storage.Password{
+		Email:    email,
+		Username: username,
+		UserID:   userID,
+		Hash:     hash,
+	})
+	if err != nil {
+		return "", err
+	}
+
+	// Encode the user ID in Dex's format: base64(protobuf{user_id, connector_id})
+	// This matches the format Dex uses in JWT tokens
+	encodedID := EncodeDexUserID(userID, "local")
+	return encodedID, nil
+}
+
+// EncodeDexUserID encodes user ID and connector ID into Dex's base64-encoded protobuf format.
+// Dex uses this format for the 'sub' claim in JWT tokens.
+// Format: base64(protobuf message with field 1 = user_id, field 2 = connector_id)
+func EncodeDexUserID(userID, connectorID string) string {
+	// Manually encode protobuf: field 1 (user_id) and field 2 (connector_id)
+	// Wire type 2 (length-delimited) for strings
+	var buf []byte
+
+	// Field 1: user_id (tag = 0x0a = field 1, wire type 2)
+	buf = append(buf, 0x0a)
+	buf = append(buf, byte(len(userID)))
+	buf = append(buf, []byte(userID)...)
+
+	// Field 2: connector_id (tag = 0x12 = field 2, wire type 2)
+	buf = append(buf, 0x12)
+	buf = append(buf, byte(len(connectorID)))
+	buf = append(buf, []byte(connectorID)...)
+
+	return base64.RawStdEncoding.EncodeToString(buf)
+}
+
+// DecodeDexUserID decodes Dex's base64-encoded user ID back to the raw user ID and connector ID.
+func DecodeDexUserID(encodedID string) (userID, connectorID string, err error) {
+	// Try RawStdEncoding first, then StdEncoding (with padding)
+	buf, err := base64.RawStdEncoding.DecodeString(encodedID)
+	if err != nil {
+		buf, err = base64.StdEncoding.DecodeString(encodedID)
+		if err != nil {
+			return "", "", fmt.Errorf("failed to decode base64: %w", err)
+		}
+	}
+
+	// Parse protobuf manually
+	i := 0
+	for i < len(buf) {
+		if i >= len(buf) {
+			break
+		}
+		tag := buf[i]
+		i++
+
+		fieldNum := tag >> 3
+		wireType := tag & 0x07
+
+		if wireType != 2 { // We only expect length-delimited strings
+			return "", "", fmt.Errorf("unexpected wire type %d", wireType)
+		}
+
+		if i >= len(buf) {
+			return "", "", fmt.Errorf("truncated message")
+		}
+		length := int(buf[i])
+		i++
+
+		if i+length > len(buf) {
+			return "", "", fmt.Errorf("truncated string field")
+		}
+		value := string(buf[i : i+length])
+		i += length
+
+		switch fieldNum {
+		case 1:
+			userID = value
+		case 2:
+			connectorID = value
+		}
+	}
+
+	return userID, connectorID, nil
+}
+
+// GetUser returns a user by email
+func (p *Provider) GetUser(ctx context.Context, email string) (storage.Password, error) {
+	return p.storage.GetPassword(ctx, email)
+}
+
+// GetUserByID returns a user by user ID.
+// The userID can be either an encoded Dex ID (base64 protobuf) or a raw UUID.
+// Note: This requires iterating through all users since dex storage doesn't index by userID.
+func (p *Provider) GetUserByID(ctx context.Context, userID string) (storage.Password, error) {
+	// Try to decode the user ID in case it's encoded
+	rawUserID, _, err := DecodeDexUserID(userID)
+	if err != nil {
+		// If decoding fails, assume it's already a raw UUID
+		rawUserID = userID
+	}
+
+	users, err := p.storage.ListPasswords(ctx)
+	if err != nil {
+		return storage.Password{}, fmt.Errorf("failed to list users: %w", err)
+	}
+	for _, user := range users {
+		if user.UserID == rawUserID {
+			return user, nil
+		}
+	}
+	return storage.Password{}, storage.ErrNotFound
+}
+
+// DeleteUser removes a user by email
+func (p *Provider) DeleteUser(ctx context.Context, email string) error {
+	return p.storage.DeletePassword(ctx, email)
+}
+
+// ListUsers returns all users
+func (p *Provider) ListUsers(ctx context.Context) ([]storage.Password, error) {
+	return p.storage.ListPasswords(ctx)
+}
+
+// ensureLocalConnector creates a local (password) connector if none exists
+func ensureLocalConnector(ctx context.Context, stor storage.Storage) error {
+	connectors, err := stor.ListConnectors(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to list connectors: %w", err)
+	}
+
+	// If any connector exists, we're good
+	if len(connectors) > 0 {
+		return nil
+	}
+
+	// Create a local connector for password authentication
+	localConnector := storage.Connector{
+		ID:   "local",
+		Type: "local",
+		Name: "Email",
+	}
+
+	if err := stor.CreateConnector(ctx, localConnector); err != nil {
+		return fmt.Errorf("failed to create local connector: %w", err)
+	}
+
+	return nil
+}
+
+// ConnectorConfig represents the configuration for an identity provider connector
+type ConnectorConfig struct {
+	// ID is the unique identifier for the connector
+	ID string
+	// Name is a human-readable name for the connector
+	Name string
+	// Type is the connector type (oidc, google, microsoft)
+	Type string
+	// Issuer is the OIDC issuer URL (for OIDC-based connectors)
+	Issuer string
+	// ClientID is the OAuth2 client ID
+	ClientID string
+	// ClientSecret is the OAuth2 client secret
+	ClientSecret string
+	// RedirectURI is the OAuth2 redirect URI
+	RedirectURI string
+}
+
+// CreateConnector creates a new connector in Dex storage.
+// It maps the connector config to the appropriate Dex connector type and configuration.
+func (p *Provider) CreateConnector(ctx context.Context, cfg *ConnectorConfig) (*ConnectorConfig, error) {
+	// Fill in the redirect URI if not provided
+	if cfg.RedirectURI == "" {
+		cfg.RedirectURI = p.GetRedirectURI()
+	}
+
+	storageConn, err := p.buildStorageConnector(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to build connector: %w", err)
+	}
+
+	if err := p.storage.CreateConnector(ctx, storageConn); err != nil {
+		return nil, fmt.Errorf("failed to create connector: %w", err)
+	}
+
+	p.logger.Info("connector created", "id", cfg.ID, "type", cfg.Type)
+	return cfg, nil
+}
+
+// GetConnector retrieves a connector by ID from Dex storage.
+func (p *Provider) GetConnector(ctx context.Context, id string) (*ConnectorConfig, error) {
+	conn, err := p.storage.GetConnector(ctx, id)
+	if err != nil {
+		if err == storage.ErrNotFound {
+			return nil, err
+		}
+		return nil, fmt.Errorf("failed to get connector: %w", err)
+	}
+
+	return p.parseStorageConnector(conn)
+}
+
+// ListConnectors returns all connectors from Dex storage (excluding the local connector).
+func (p *Provider) ListConnectors(ctx context.Context) ([]*ConnectorConfig, error) {
+	connectors, err := p.storage.ListConnectors(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list connectors: %w", err)
+	}
+
+	result := make([]*ConnectorConfig, 0, len(connectors))
+	for _, conn := range connectors {
+		// Skip the local password connector
+		if conn.ID == "local" && conn.Type == "local" {
+			continue
+		}
+
+		cfg, err := p.parseStorageConnector(conn)
+		if err != nil {
+			p.logger.Warn("failed to parse connector", "id", conn.ID, "error", err)
+			continue
+		}
+		result = append(result, cfg)
+	}
+
+	return result, nil
+}
+
+// UpdateConnector updates an existing connector in Dex storage.
+func (p *Provider) UpdateConnector(ctx context.Context, cfg *ConnectorConfig) error {
+	storageConn, err := p.buildStorageConnector(cfg)
+	if err != nil {
+		return fmt.Errorf("failed to build connector: %w", err)
+	}
+
+	if err := p.storage.UpdateConnector(ctx, cfg.ID, func(old storage.Connector) (storage.Connector, error) {
+		return storageConn, nil
+	}); err != nil {
+		return fmt.Errorf("failed to update connector: %w", err)
+	}
+
+	p.logger.Info("connector updated", "id", cfg.ID, "type", cfg.Type)
+	return nil
+}
+
+// DeleteConnector removes a connector from Dex storage.
+func (p *Provider) DeleteConnector(ctx context.Context, id string) error {
+	// Prevent deletion of the local connector
+	if id == "local" {
+		return fmt.Errorf("cannot delete the local password connector")
+	}
+
+	if err := p.storage.DeleteConnector(ctx, id); err != nil {
+		return fmt.Errorf("failed to delete connector: %w", err)
+	}
+
+	p.logger.Info("connector deleted", "id", id)
+	return nil
+}
+
+// buildStorageConnector creates a storage.Connector from ConnectorConfig.
+// It handles the type-specific configuration for each connector type.
+func (p *Provider) buildStorageConnector(cfg *ConnectorConfig) (storage.Connector, error) {
+	redirectURI := p.resolveRedirectURI(cfg.RedirectURI)
+
+	var dexType string
+	var configData []byte
+	var err error
+
+	switch cfg.Type {
+	case "oidc", "zitadel", "entra", "okta", "pocketid", "authentik", "keycloak":
+		dexType = "oidc"
+		configData, err = buildOIDCConnectorConfig(cfg, redirectURI)
+	case "google":
+		dexType = "google"
+		configData, err = buildOAuth2ConnectorConfig(cfg, redirectURI)
+	case "microsoft":
+		dexType = "microsoft"
+		configData, err = buildOAuth2ConnectorConfig(cfg, redirectURI)
+	default:
+		return storage.Connector{}, fmt.Errorf("unsupported connector type: %s", cfg.Type)
+	}
+	if err != nil {
+		return storage.Connector{}, err
+	}
+
+	return storage.Connector{ID: cfg.ID, Type: dexType, Name: cfg.Name, Config: configData}, nil
+}
+
+// resolveRedirectURI returns the redirect URI, using a default if not provided
+func (p *Provider) resolveRedirectURI(redirectURI string) string {
+	if redirectURI != "" || p.config == nil {
+		return redirectURI
+	}
+	issuer := strings.TrimSuffix(p.config.Issuer, "/")
+	if !strings.HasSuffix(issuer, "/oauth2") {
+		issuer += "/oauth2"
+	}
+	return issuer + "/callback"
+}
+
+// buildOIDCConnectorConfig creates config for OIDC-based connectors
+func buildOIDCConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte, error) {
+	oidcConfig := map[string]interface{}{
+		"issuer":               cfg.Issuer,
+		"clientID":             cfg.ClientID,
+		"clientSecret":         cfg.ClientSecret,
+		"redirectURI":          redirectURI,
+		"scopes":               []string{"openid", "profile", "email"},
+		"insecureEnableGroups": true,
+	}
+	switch cfg.Type {
+	case "zitadel":
+		oidcConfig["getUserInfo"] = true
+	case "entra":
+		oidcConfig["insecureSkipEmailVerified"] = true
+		oidcConfig["claimMapping"] = map[string]string{"email": "preferred_username"}
+	case "okta":
+		oidcConfig["insecureSkipEmailVerified"] = true
+		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
+	case "pocketid":
+		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
+	}
+	return encodeConnectorConfig(oidcConfig)
+}
+
+// buildOAuth2ConnectorConfig creates config for OAuth2 connectors (google, microsoft)
+func buildOAuth2ConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte, error) {
+	return encodeConnectorConfig(map[string]interface{}{
+		"clientID":     cfg.ClientID,
+		"clientSecret": cfg.ClientSecret,
+		"redirectURI":  redirectURI,
+	})
+}
+
+// parseStorageConnector converts a storage.Connector back to ConnectorConfig.
+// It infers the original identity provider type from the Dex connector type and ID.
+func (p *Provider) parseStorageConnector(conn storage.Connector) (*ConnectorConfig, error) {
+	cfg := &ConnectorConfig{
+		ID:   conn.ID,
+		Name: conn.Name,
+	}
+
+	if len(conn.Config) == 0 {
+		cfg.Type = conn.Type
+		return cfg, nil
+	}
+
+	var configMap map[string]interface{}
+	if err := decodeConnectorConfig(conn.Config, &configMap); err != nil {
+		return nil, fmt.Errorf("failed to parse connector config: %w", err)
+	}
+
+	// Extract common fields
+	if v, ok := configMap["clientID"].(string); ok {
+		cfg.ClientID = v
+	}
+	if v, ok := configMap["clientSecret"].(string); ok {
+		cfg.ClientSecret = v
+	}
+	if v, ok := configMap["redirectURI"].(string); ok {
+		cfg.RedirectURI = v
+	}
+	if v, ok := configMap["issuer"].(string); ok {
+		cfg.Issuer = v
+	}
+
+	// Infer the original identity provider type from Dex connector type and ID
+	cfg.Type = inferIdentityProviderType(conn.Type, conn.ID, configMap)
+
+	return cfg, nil
+}
+
+// inferIdentityProviderType determines the original identity provider type
+// based on the Dex connector type, connector ID, and configuration.
+func inferIdentityProviderType(dexType, connectorID string, _ map[string]interface{}) string {
+	if dexType != "oidc" {
+		return dexType
+	}
+	return inferOIDCProviderType(connectorID)
+}
+
+// inferOIDCProviderType infers the specific OIDC provider from connector ID
+func inferOIDCProviderType(connectorID string) string {
+	connectorIDLower := strings.ToLower(connectorID)
+	for _, provider := range []string{"pocketid", "zitadel", "entra", "okta", "authentik", "keycloak"} {
+		if strings.Contains(connectorIDLower, provider) {
+			return provider
+		}
+	}
+	return "oidc"
+}
+
+// encodeConnectorConfig serializes connector config to JSON bytes.
+func encodeConnectorConfig(config map[string]interface{}) ([]byte, error) {
+	return json.Marshal(config)
+}
+
+// decodeConnectorConfig deserializes connector config from JSON bytes.
+func decodeConnectorConfig(data []byte, v interface{}) error {
+	return json.Unmarshal(data, v)
+}
+
+// GetRedirectURI returns the default redirect URI for connectors.
+func (p *Provider) GetRedirectURI() string {
+	if p.config == nil {
+		return ""
+	}
+	issuer := strings.TrimSuffix(p.config.Issuer, "/")
+	if !strings.HasSuffix(issuer, "/oauth2") {
+		issuer += "/oauth2"
+	}
+	return issuer + "/callback"
+}
+
+// GetIssuer returns the OIDC issuer URL.
+func (p *Provider) GetIssuer() string {
+	if p.config == nil {
+		return ""
+	}
+	issuer := strings.TrimSuffix(p.config.Issuer, "/")
+	if !strings.HasSuffix(issuer, "/oauth2") {
+		issuer += "/oauth2"
+	}
+	return issuer
+}
+
+// GetKeysLocation returns the JWKS endpoint URL for token validation.
+func (p *Provider) GetKeysLocation() string {
+	issuer := p.GetIssuer()
+	if issuer == "" {
+		return ""
+	}
+	return issuer + "/keys"
+}
+
+// GetTokenEndpoint returns the OAuth2 token endpoint URL.
+func (p *Provider) GetTokenEndpoint() string {
+	issuer := p.GetIssuer()
+	if issuer == "" {
+		return ""
+	}
+	return issuer + "/token"
+}
+
+// GetDeviceAuthEndpoint returns the OAuth2 device authorization endpoint URL.
+func (p *Provider) GetDeviceAuthEndpoint() string {
+	issuer := p.GetIssuer()
+	if issuer == "" {
+		return ""
+	}
+	return issuer + "/device/code"
+}
+
+// GetAuthorizationEndpoint returns the OAuth2 authorization endpoint URL.
+func (p *Provider) GetAuthorizationEndpoint() string {
+	issuer := p.GetIssuer()
+	if issuer == "" {
+		return ""
+	}
+	return issuer + "/auth"
+}

idp/dex/provider_test.go

@@ -0,0 +1,197 @@
+package dex
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestUserCreationFlow(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a temporary directory for the test
+	tmpDir, err := os.MkdirTemp("", "dex-test-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	// Create provider with minimal config
+	config := &Config{
+		Issuer:  "http://localhost:5556/dex",
+		Port:    5556,
+		DataDir: tmpDir,
+	}
+
+	provider, err := NewProvider(ctx, config)
+	require.NoError(t, err)
+	defer func() { _ = provider.Stop(ctx) }()
+
+	// Test user data
+	email := "test@example.com"
+	username := "testuser"
+	password := "testpassword123"
+
+	// Create the user
+	encodedID, err := provider.CreateUser(ctx, email, username, password)
+	require.NoError(t, err)
+	require.NotEmpty(t, encodedID)
+
+	t.Logf("Created user with encoded ID: %s", encodedID)
+
+	// Verify the encoded ID can be decoded
+	rawUserID, connectorID, err := DecodeDexUserID(encodedID)
+	require.NoError(t, err)
+	assert.NotEmpty(t, rawUserID)
+	assert.Equal(t, "local", connectorID)
+
+	t.Logf("Decoded: rawUserID=%s, connectorID=%s", rawUserID, connectorID)
+
+	// Verify we can look up the user by encoded ID
+	user, err := provider.GetUserByID(ctx, encodedID)
+	require.NoError(t, err)
+	assert.Equal(t, email, user.Email)
+	assert.Equal(t, username, user.Username)
+	assert.Equal(t, rawUserID, user.UserID)
+
+	// Verify we can also look up by raw UUID (backwards compatibility)
+	user2, err := provider.GetUserByID(ctx, rawUserID)
+	require.NoError(t, err)
+	assert.Equal(t, email, user2.Email)
+
+	// Verify we can look up by email
+	user3, err := provider.GetUser(ctx, email)
+	require.NoError(t, err)
+	assert.Equal(t, rawUserID, user3.UserID)
+
+	// Verify encoding produces consistent format
+	reEncodedID := EncodeDexUserID(rawUserID, "local")
+	assert.Equal(t, encodedID, reEncodedID)
+}
+
+func TestDecodeDexUserID(t *testing.T) {
+	tests := []struct {
+		name       string
+		encodedID  string
+		wantUserID string
+		wantConnID string
+		wantErr    bool
+	}{
+		{
+			name:       "valid encoded ID",
+			encodedID:  "CiQ3YWFkOGMwNS0zMjg3LTQ3M2YtYjQyYS0zNjU1MDRiZjI1ZTcSBWxvY2Fs",
+			wantUserID: "7aad8c05-3287-473f-b42a-365504bf25e7",
+			wantConnID: "local",
+			wantErr:    false,
+		},
+		{
+			name:       "invalid base64",
+			encodedID:  "not-valid-base64!!!",
+			wantUserID: "",
+			wantConnID: "",
+			wantErr:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			userID, connID, err := DecodeDexUserID(tt.encodedID)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, tt.wantUserID, userID)
+			assert.Equal(t, tt.wantConnID, connID)
+		})
+	}
+}
+
+func TestEncodeDexUserID(t *testing.T) {
+	userID := "7aad8c05-3287-473f-b42a-365504bf25e7"
+	connectorID := "local"
+
+	encoded := EncodeDexUserID(userID, connectorID)
+	assert.NotEmpty(t, encoded)
+
+	// Verify round-trip
+	decodedUserID, decodedConnID, err := DecodeDexUserID(encoded)
+	require.NoError(t, err)
+	assert.Equal(t, userID, decodedUserID)
+	assert.Equal(t, connectorID, decodedConnID)
+}
+
+func TestEncodeDexUserID_MatchesDexFormat(t *testing.T) {
+	// This is an actual ID from Dex - verify our encoding matches
+	knownEncodedID := "CiQ3YWFkOGMwNS0zMjg3LTQ3M2YtYjQyYS0zNjU1MDRiZjI1ZTcSBWxvY2Fs"
+	knownUserID := "7aad8c05-3287-473f-b42a-365504bf25e7"
+	knownConnectorID := "local"
+
+	// Decode the known ID
+	userID, connID, err := DecodeDexUserID(knownEncodedID)
+	require.NoError(t, err)
+	assert.Equal(t, knownUserID, userID)
+	assert.Equal(t, knownConnectorID, connID)
+
+	// Re-encode and verify it matches
+	reEncoded := EncodeDexUserID(knownUserID, knownConnectorID)
+	assert.Equal(t, knownEncodedID, reEncoded)
+}
+
+func TestCreateUserInTempDB(t *testing.T) {
+	ctx := context.Background()
+
+	// Create temp directory
+	tmpDir, err := os.MkdirTemp("", "dex-create-user-*")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	// Create YAML config for the test
+	yamlContent := `
+issuer: http://localhost:5556/dex
+storage:
+  type: sqlite3
+  config:
+    file: ` + filepath.Join(tmpDir, "dex.db") + `
+web:
+  http: 127.0.0.1:5556
+enablePasswordDB: true
+`
+	configPath := filepath.Join(tmpDir, "config.yaml")
+	err = os.WriteFile(configPath, []byte(yamlContent), 0644)
+	require.NoError(t, err)
+
+	// Load config and create provider
+	yamlConfig, err := LoadConfig(configPath)
+	require.NoError(t, err)
+
+	provider, err := NewProviderFromYAML(ctx, yamlConfig)
+	require.NoError(t, err)
+	defer func() { _ = provider.Stop(ctx) }()
+
+	// Create user
+	email := "newuser@example.com"
+	username := "newuser"
+	password := "securepassword123"
+
+	encodedID, err := provider.CreateUser(ctx, email, username, password)
+	require.NoError(t, err)
+
+	t.Logf("Created user: email=%s, encodedID=%s", email, encodedID)
+
+	// Verify lookup works with encoded ID
+	user, err := provider.GetUserByID(ctx, encodedID)
+	require.NoError(t, err)
+	assert.Equal(t, email, user.Email)
+	assert.Equal(t, username, user.Username)
+
+	// Decode and verify format
+	rawID, connID, err := DecodeDexUserID(encodedID)
+	require.NoError(t, err)
+	assert.Equal(t, "local", connID)
+	assert.Equal(t, rawID, user.UserID)
+
+	t.Logf("User lookup successful: rawID=%s, connectorID=%s", rawID, connID)
+}

idp/dex/web/robots.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

idp/dex/web/static/main.css

@@ -0,0 +1 @@
+/* NetBird DEX Static CSS - main styles are inline in header.html */

idp/dex/web/templates/approval.html

@@ -0,0 +1,26 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <h1 class="nb-heading">Grant Access</h1>
+    <p class="nb-subheading">{{ .Client }} wants to access your account</p>
+
+    <form method="post">
+        <input type="hidden" name="req" value="{{ .ReqID }}"/>
+        <input type="hidden" name="approval" value="approve"/>
+        <button type="submit" class="nb-btn">
+            Allow Access
+        </button>
+    </form>
+
+    <div class="nb-divider"></div>
+
+    <form method="post">
+        <input type="hidden" name="req" value="{{ .ReqID }}"/>
+        <input type="hidden" name="approval" value="rejected"/>
+        <button type="submit" class="nb-btn-connector" style="margin-bottom:0">
+            Deny Access
+        </button>
+    </form>
+</div>
+
+{{ template "footer.html" . }}

idp/dex/web/templates/device.html

@@ -0,0 +1,34 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <h1 class="nb-heading">Device Login</h1>
+    <p class="nb-subheading">Enter the code shown on your device</p>
+
+    <form method="post" action="{{ .PostURL }}">
+        {{ if .Invalid }}
+        <div class="nb-error">
+            Invalid user code.
+        </div>
+        {{ end }}
+
+        <div class="nb-form-group">
+            <label class="nb-label" for="user_code">Device Code</label>
+            <input
+                type="text"
+                id="user_code"
+                name="user_code"
+                class="nb-input"
+                placeholder="XXXX-XXXX"
+                {{ if .UserCode }}value="{{ .UserCode }}"{{ end }}
+                required
+                autofocus
+            >
+        </div>
+
+        <button type="submit" class="nb-btn">
+            Continue
+        </button>
+    </form>
+</div>
+
+{{ template "footer.html" . }}

idp/dex/web/templates/device_success.html

@@ -0,0 +1,16 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <div style="text-align:center;margin-bottom:24px">
+        <svg height="48" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
+            <circle cx="50" cy="50" fill="none" r="45" stroke="#5cb85c" stroke-width="3"/>
+            <path d="M30 50 L45 65 L70 35" fill="none" stroke="#5cb85c" stroke-width="5"/>
+        </svg>
+    </div>
+    <h1 class="nb-heading">Device Authorized</h1>
+    <p class="nb-subheading">
+        Your device has been successfully authorized. You can close this window.
+    </p>
+</div>
+
+{{ template "footer.html" . }}

idp/dex/web/templates/error.html

@@ -0,0 +1,16 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <div style="text-align:center;margin-bottom:24px">
+        <svg height="48" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
+            <circle cx="50" cy="50" fill="none" r="45" stroke="#f87171" stroke-width="3"/>
+            <path d="M30 30 L70 70 M30 70 L70 30" fill="none" stroke="#f87171" stroke-width="3"/>
+        </svg>
+    </div>
+    <h1 class="nb-heading">{{ .ErrType }}</h1>
+    <div class="nb-error">
+        {{ .ErrMsg }}
+    </div>
+</div>
+
+{{ template "footer.html" . }}

idp/dex/web/templates/footer.html

@@ -0,0 +1,3 @@
+</div>
+</body>
+</html>

idp/dex/web/templates/header.html

@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <title>{{ issuer }}</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="icon" type="image/x-icon" href="{{ url .ReqPath "theme/favicon.ico" }}">
+    <style>
+        *,:after,:before{box-sizing:border-box;border:0 solid #e5e7eb}
+        html,body{margin:0;padding:0;font-family:ui-sans-serif,system-ui,sans-serif,Apple Color Emoji,Segoe UI Emoji;font-size:14px;line-height:1.5;background-color:#18191d;color:#e4e7e9;min-height:100vh}
+        .nb-container{max-width:820px;margin:0 auto;padding:40px 20px;display:flex;flex-direction:column;align-items:center;justify-content:center;min-height:100vh}
+        .nb-logo{width:180px;margin-bottom:40px}
+        .nb-card{background-color:#1b1f22;border:1px solid rgba(50,54,61,.5);border-radius:12px;padding:40px;width:100%;max-width:400px;box-shadow:0 20px 25px -5px rgba(0,0,0,.1),0 8px 10px -6px rgba(0,0,0,.1)}
+        .nb-heading{font-size:24px;font-weight:500;text-align:center;margin:0 0 24px 0;color:#fff}
+        .nb-subheading{font-size:14px;color:rgba(167,177,185,.8);text-align:center;margin-bottom:24px}
+        .nb-form-group{margin-bottom:16px}
+        .nb-label{display:block;font-size:13px;font-weight:500;color:#a7b1b9;margin-bottom:6px}
+        .nb-input{width:100%;padding:10px 14px;background-color:rgba(63,68,75,.5);border:1px solid rgba(63,68,75,.8);border-radius:8px;color:#e4e7e9;font-size:14px;outline:none;transition:border-color .2s}
+        .nb-input:focus{border-color:#f68330}
+        .nb-input::placeholder{color:rgba(167,177,185,.5)}
+        .nb-btn{width:100%;padding:12px 20px;background-color:#f68330;border:none;border-radius:8px;color:#fff;font-size:14px;font-weight:500;cursor:pointer;transition:background-color .2s}
+        .nb-btn:hover{background-color:#e5722a}
+        .nb-btn:disabled{opacity:.6;cursor:not-allowed}
+        .nb-btn-connector{width:100%;padding:12px 20px;background-color:rgba(63,68,75,.5);border:1px solid rgba(63,68,75,.8);border-radius:8px;color:#e4e7e9;font-size:14px;font-weight:500;cursor:pointer;transition:all .2s;display:flex;align-items:center;justify-content:flex-start;text-decoration:none;margin-bottom:12px;gap:12px}
+        .nb-btn-connector:hover{background-color:rgba(63,68,75,.8);border-color:rgba(63,68,75,1)}
+        .nb-btn-connector .nb-icon{width:20px;height:20px;flex-shrink:0;background-size:contain;background-position:center;background-repeat:no-repeat}
+        .nb-icon-google{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 48 48'%3E%3Cpath fill='%23FFC107' d='M43.611 20.083H42V20H24v8h11.303c-1.649 4.657-6.08 8-11.303 8-6.627 0-12-5.373-12-12s5.373-12 12-12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 12.955 4 4 12.955 4 24s8.955 20 20 20 20-8.955 20-20c0-1.341-.138-2.65-.389-3.917z'/%3E%3Cpath fill='%23FF3D00' d='m6.306 14.691 6.571 4.819C14.655 15.108 18.961 12 24 12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 16.318 4 9.656 8.337 6.306 14.691z'/%3E%3Cpath fill='%234CAF50' d='M24 44c5.166 0 9.86-1.977 13.409-5.192l-6.19-5.238A11.91 11.91 0 0 1 24 36c-5.202 0-9.619-3.317-11.283-7.946l-6.522 5.025C9.505 39.556 16.227 44 24 44z'/%3E%3Cpath fill='%231976D2' d='M43.611 20.083H42V20H24v8h11.303a12.04 12.04 0 0 1-4.087 5.571l.003-.002 6.19 5.238C36.971 39.205 44 34 44 24c0-1.341-.138-2.65-.389-3.917z'/%3E%3C/svg%3E")}
+        .nb-icon-github{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='1024' height='1024' fill='none'%3E%3Cpath fill='%23fff' fill-rule='evenodd' d='M512 0C229.12 0 0 229.12 0 512c0 226.56 146.56 417.92 350.08 485.76 25.6 4.48 35.2-10.88 35.2-24.32 0-12.16-.64-52.48-.64-95.36-128.64 23.68-161.92-31.36-172.16-60.16-5.76-14.72-30.72-60.16-52.48-72.32-17.92-9.6-43.52-33.28-.64-33.92 40.32-.64 69.12 37.12 78.72 52.48 46.08 77.44 119.68 55.68 149.12 42.24 4.48-33.28 17.92-55.68 32.64-68.48-113.92-12.8-232.96-56.96-232.96-252.8 0-55.68 19.84-101.76 52.48-137.6-5.12-12.8-23.04-65.28 5.12-135.68 0 0 42.88-13.44 140.8 52.48 40.96-11.52 84.48-17.28 128-17.28s87.04 5.76 128 17.28c97.92-66.56 140.8-52.48 140.8-52.48 28.16 70.4 10.24 122.88 5.12 135.68 32.64 35.84 52.48 81.28 52.48 137.6 0 196.48-119.68 240-233.6 252.8 18.56 16 34.56 46.72 34.56 94.72 0 68.48-.64 123.52-.64 140.8 0 13.44 9.6 29.44 35.2 24.32C877.44 929.92 1024 737.92 1024 512 1024 229.12 794.88 0 512 0' clip-rule='evenodd'/%3E%3C/svg%3E")}
+        .nb-icon-microsoft{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='221' height='221'%3E%3Cg fill='none'%3E%3Cpath fill='%23F1511B' d='M104.868 104.868H0V0h104.868z'/%3E%3Cpath fill='%2380CC28' d='M220.654 104.868H115.788V0h104.866z'/%3E%3Cpath fill='%2300ADEF' d='M104.865 220.695H0V115.828h104.865z'/%3E%3Cpath fill='%23FBBC09' d='M220.654 220.695H115.788V115.828h104.866z'/%3E%3C/g%3E%3C/svg%3E")}
+        .nb-icon-azure{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='150' height='150' viewBox='0 0 96 96'%3E%3Cdefs%3E%3ClinearGradient id='a' x1='-1032.172' x2='-1059.213' y1='145.312' y2='65.426' gradientTransform='matrix(1 0 0 -1 1075 158)' gradientUnits='userSpaceOnUse'%3E%3Cstop offset='0' stop-color='%23114a8b'/%3E%3Cstop offset='1' stop-color='%230669bc'/%3E%3C/linearGradient%3E%3ClinearGradient id='b' x1='-1023.725' x2='-1029.98' y1='108.083' y2='105.968' gradientTransform='matrix(1 0 0 -1 1075 158)' gradientUnits='userSpaceOnUse'%3E%3Cstop offset='0' stop-opacity='.3'/%3E%3Cstop offset='.071' stop-opacity='.2'/%3E%3Cstop offset='.321' stop-opacity='.1'/%3E%3Cstop offset='.623' stop-opacity='.05'/%3E%3Cstop offset='1' stop-opacity='0'/%3E%3C/linearGradient%3E%3ClinearGradient id='c' x1='-1027.165' x2='-997.482' y1='147.642' y2='68.561' gradientTransform='matrix(1 0 0 -1 1075 158)' gradientUnits='userSpaceOnUse'%3E%3Cstop offset='0' stop-color='%233ccbf4'/%3E%3Cstop offset='1' stop-color='%232892df'/%3E%3C/linearGradient%3E%3C/defs%3E%3Cpath fill='url(%23a)' d='M33.338 6.544h26.038l-27.03 80.087a4.15 4.15 0 0 1-3.933 2.824H8.149a4.145 4.145 0 0 1-3.928-5.47L29.404 9.368a4.15 4.15 0 0 1 3.934-2.825z'/%3E%3Cpath fill='%230078d4' d='M71.175 60.261h-41.29a1.911 1.911 0 0 0-1.305 3.309l26.532 24.764a4.17 4.17 0 0 0 2.846 1.121h23.38z'/%3E%3Cpath fill='url(%23b)' d='M33.338 6.544a4.12 4.12 0 0 0-3.943 2.879L4.252 83.917a4.14 4.14 0 0 0 3.908 5.538h20.787a4.44 4.44 0 0 0 3.41-2.9l5.014-14.777 17.91 16.705a4.24 4.24 0 0 0 2.666.972H81.24L71.024 60.261l-29.781.007L59.47 6.544z'/%3E%3Cpath fill='url(%23c)' d='M66.595 9.364a4.145 4.145 0 0 0-3.928-2.82H33.648a4.15 4.15 0 0 1 3.928 2.82l25.184 74.62a4.146 4.146 0 0 1-3.928 5.472h29.02a4.146 4.146 0 0 0 3.927-5.472z'/%3E%3C/svg%3E")}
+        .nb-icon-entra{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='18' height='18' data-name='Layer 1'%3E%3Cpath fill='%23225086' d='M3.802 14.032c.388.242 1.033.511 1.715.511.621 0 1.198-.18 1.676-.487l.002-.001L9 12.927V17a1.56 1.56 0 0 1-.824-.234z'/%3E%3Cpath fill='%236df' d='m7.853 1.507-7.5 8.46c-.579.654-.428 1.642.323 2.111l3.126 1.954c.388.242 1.033.511 1.715.511.621 0 1.198-.18 1.676-.487l.002-.001L9 12.927l-4.364-2.728 4.365-4.924V1c-.424 0-.847.169-1.147.507Z'/%3E%3Cpath fill='%23cbf8ff' d='m4.636 10.199.052.032L9 12.927h.001V5.276L9 5.275z'/%3E%3Cpath fill='%23074793' d='M17.324 12.078c.751-.469.902-1.457.323-2.111l-4.921-5.551a3.1 3.1 0 0 0-1.313-.291c-.925 0-1.752.399-2.302 1.026l-.109.123 4.364 4.924-4.365 2.728v4.073c.287 0 .573-.078.823-.234l7.5-4.688Z'/%3E%3Cpath fill='%230294e4' d='M9.001 1v4.275l.109-.123a3.05 3.05 0 0 1 2.302-1.026c.472 0 .916.107 1.313.291l-2.579-2.909A1.52 1.52 0 0 0 9 1.001Z'/%3E%3Cpath fill='%2396bcc2' d='M13.365 10.199 9.001 5.276v7.65z'/%3E%3C/svg%3E")}
+        .nb-icon-okta{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='36' height='36' fill='none'%3E%3Cpath fill='%23fff' fill-rule='evenodd' d='m19.8.26-.74 9.12c-.35-.04-.7-.06-1.06-.06-.45 0-.89.03-1.32.1L16.26 5c-.01-.14.1-.26.24-.26h.75L16.89.27c-.01-.14.1-.26.23-.26h2.45c.14 0 .25.12.23.26zm-6.18.45c-.04-.13-.18-.21-.31-.16l-2.3.84c-.13.05-.19.2-.13.32l1.87 4.08-.71.26c-.13.05-.19.2-.13.32l1.91 4.01c.69-.38 1.44-.67 2.23-.85L13.63.71zM7.98 3.25l5.29 7.46c-.67.44-1.28.96-1.8 1.56L8.3 9.15c-.1-.1-.09-.26.01-.35l.58-.48-3.15-3.19c-.1-.1-.09-.26.02-.35l1.87-1.57c.11-.09.26-.07.34.04zM3.54 7.57c-.11-.08-.27-.04-.34.08L1.98 9.77c-.07.12-.02.27.1.33l4.06 1.92-.38.65a.23.23 0 0 0 .11.33l4.04 1.85c.29-.75.68-1.45 1.16-2.08zM.55 13.33c.02-.14.16-.22.29-.19l8.85 2.31c-.23.75-.36 1.54-.38 2.36l-4.43-.36a.23.23 0 0 1-.21-.28l.13-.74-4.47-.42c-.14-.01-.23-.14-.21-.28l.42-2.41zm-.33 5.98c-.14.01-.23.14-.21.28L.44 22c.02.14.16.22.29.19l4.34-1.13.13.74c.02.14.16.22.29.19l4.28-1.18c-.25-.74-.41-1.53-.45-2.34l-9.11.84zm1.42 6.34a.236.236 0 0 1 .1-.33L10 21.4c.31.74.73 1.43 1.23 2.05l-3.62 2.58c-.11.08-.27.05-.34-.07l-.38-.66-3.69 2.55c-.11.08-.27.04-.34-.08l-1.23-2.12zm10.01-1.72-6.43 6.51c-.1.1-.09.26.02.35l1.88 1.57c.11.09.26.07.34-.04l2.6-3.66.58.49c.11.09.27.07.35-.05l2.52-3.66c-.68-.42-1.31-.93-1.85-1.51zm-1.27 10.45a.234.234 0 0 1-.13-.32l3.81-8.32c.7.36 1.46.63 2.25.78l-1.12 4.3c-.03.13-.18.21-.31.16l-.71-.26-1.19 4.33c-.04.13-.18.21-.31.16l-2.3-.84zm6.56-7.75-.74 9.12c-.01.14.1.26.23.26h2.45c.14 0 .25-.12.23-.26l-.36-4.47h.75c.14 0 .25-.12.24-.26l-.42-4.42c-.43.07-.87.1-1.32.1-.36 0-.71-.02-1.06-.07m8.82-24.69c.06-.13 0-.27-.13-.32l-2.3-.84c-.13-.05-.27.03-.31.16l-1.19 4.33-.71-.26c-.13-.05-.27.03-.31.16l-1.12 4.3c.8.16 1.55.43 2.25.78zm5.02 3.63-6.43 6.51a8.7 8.7 0 0 0-1.85-1.51l2.52-3.66c.08-.11.24-.14.35-.05l.58.49 2.6-3.66c.08-.11.24-.13.34-.04l1.88 1.57c.11.09.11.25.02.35zm3.48 5.12c.13-.06.17-.21.1-.33l-1.23-2.12a.246.246 0 0 0-.34-.08l-3.69 2.55-.38-.65c-.07-.12-.23-.16-.34-.07l-3.62 2.58c.5.62.91 1.31 1.23 2.05l8.26-3.92zm1.3 3.32.42 2.41c.02.14-.07.26-.21.28l-9.11.85c-.04-.82-.2-1.6-.45-2.34l4.28-1.18c.13-.04.27.05.29.19l.13.74 4.34-1.13c.13-.03.27.05.29.19zm-.41 8.85c.13.03.27-.05.29-.19l.42-2.41a.24.24 0 0 0-.21-.28l-4.47-.42.13-.74a.24.24 0 0 0-.21-.28l-4.43-.36c-.02.82-.15 1.61-.38 2.36l8.85 2.31zm-2.36 5.5c-.07.12-.23.15-.34.08l-7.53-5.2c.48-.63.87-1.33 1.16-2.08l4.04 1.85c.13.06.18.21.11.33l-.38.65 4.06 1.92c.12.06.17.21.1.33zm-10.07-3.07 5.29 7.46c.08.11.24.13.34.04l1.87-1.57c.11-.09.11-.25.02-.35l-3.15-3.19.58-.48c.11-.09.11-.25.01-.35l-3.17-3.12c-.53.6-1.13 1.13-1.8 1.56zm-.05 10.16c-.13.05-.27-.03-.31-.16l-2.42-8.82c.79-.18 1.54-.47 2.23-.85l1.91 4.01c.06.13 0 .28-.13.32l-.71.26 1.87 4.08c.06.13 0 .27-.13.32l-2.3.84z' clip-rule='evenodd'/%3E%3C/svg%3E")}
+        .nb-icon-jumpcloud{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='168' height='82' fill='none'%3E%3Cpath fill='%23fff' d='M167.627 58.455a22.705 22.705 0 0 1-22.707 22.707h-6.243c-.651-7.57-8.461-14.005-19.501-16.994a19.72 19.72 0 0 0 4.394-21.52 19.72 19.72 0 0 0-18.243-12.235 19.718 19.718 0 0 0-13.848 33.755 34.3 34.3 0 0 0-14.246 7.231 34.3 34.3 0 0 0-8.268-3.398 16.874 16.874 0 1 0-23.623 0C36.64 70.41 30.3 75.232 28.95 81.065h-6.243a22.73 22.73 0 0 1 0-45.438c2.89.01 5.753.567 8.437 1.64A22.66 22.66 0 0 1 51.85 24.08h1.64a29.601 29.601 0 0 1 54.429-9.642 24.1 24.1 0 0 1 21.003 3.439 24.11 24.11 0 0 1 10.092 18.738 22.66 22.66 0 0 1 28.613 21.935z'/%3E%3C/svg%3E")}
+        .nb-icon-pocketid{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 512 512'%3E%3Ccircle cx='256' cy='256' r='256' fill='%23fff'/%3E%3Cpath d='M268.6 102.4c64.4 0 116.8 52.4 116.8 116.7 0 25.3-8 49.4-23 69.6-14.8 19.9-35 34.3-58.4 41.7l-6.5 2-15.5-76.2 4.3-2c14-6.7 23-21.1 23-36.6 0-22.4-18.2-40.6-40.6-40.6S228 195.2 228 217.6c0 15.5 9 29.8 23 36.6l4.2 2-25 153.4h-69.5V102.4z' fill='%23191919'/%3E%3C/svg%3E")}
+        .nb-icon-zitadel{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='80' height='79' viewBox='0 0 80 79' fill='none'%3E%3Cdefs%3E%3ClinearGradient id='a' x1='3.86' x2='76.88' y1='47.89' y2='47.89' gradientUnits='userSpaceOnUse'%3E%3Cstop stop-color='%23FF8F00'/%3E%3Cstop offset='1' stop-color='%23FE00FF'/%3E%3C/linearGradient%3E%3C/defs%3E%3Cpath fill='url(%23a)' fill-rule='evenodd' d='M17.12 39.17l1.42 5.32-6.68 6.68 9.12 2.44 1.43 5.32-19.77-5.3L17.12 39.17zM58.82 22.41l-5.32-1.43-2.44-9.12-6.68 6.68-5.32-1.43 14.47-14.47 5.3 19.77zM52.65 67.11l3.89-3.89 9.12 2.44-2.44-9.12 3.9-3.9 5.29 19.77-19.76-5.3zM36.43 69.54l-1.18-12.07 8.23 2.21-7.05 9.86zM23 23.84l5.02 11.04 6.02-6.02L23 23.84zM69.32 36.2l-12.07-1.18 2.2 8.23 9.87-7.05z' clip-rule='evenodd'/%3E%3C/svg%3E")}
+        .nb-icon-authentik{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='-0.03 59.9 512.03 392.1'%3E%3Cpath fill='%23fd4b2d' d='M279.9 141h17.9v51.2h-17.9zm46.6-2.2h17.9v40h-17.9zM65.3 197.3c-24 0-46 13.2-57.4 34.3h30.4c13.5-11.6 33-15 47.1 0h32.2c-12.6-17.1-31.4-34.3-52.3-34.3'/%3E%3Cpath fill='%23fd4b2d' d='M108.7 262.4C66.8 350-6.6 275.3 38.3 231.5H7.9C-15.9 273 17 329 65.3 327.8c37.4 0 68.2-55.5 68.2-65.3 0-4.3-6-17.6-16-31H85.4c10.7 9.7 20 23.7 23.3 30.9'/%3E%3Cpath fill='%23fd4b2d' d='M512 140.3v231.3c0 44.3-36.1 80.4-80.4 80.4h-34.1v-78.8h-163V452h-34.1c-44.4 0-80.4-36.1-80.4-80.4v-72.8h258.4v-139H253.6V238H119.9v-97.6c0-3.1.2-6.2.5-9.2.4-3.7 1.1-7.3 2-10.8.3-1.1.6-2.3 1-3.4l.3-.8c.2-.6.4-1.1.5-1.7l.6-1.7.7-1.8.8-1.8c2-4.7 4.4-9.3 7.3-13.6l.1-.1 2.3-3.2 2-2.6 2.4-2.8 2.4-2.6.1-.1 1.4-1.4c3-2.9 6.2-5.6 9.6-8l2.8-1.9 3.3-2c2.1-1.2 4.2-2.4 6.5-3.4l2.1-1c3.1-1.3 6.2-2.5 9.4-3.4 1.2-.4 2.5-.7 3.7-1l1.8-.4c3.6-.8 7.2-1.3 10.9-1.6l1.6-.1h.8c1.2-.1 2.4-.1 3.7-.1h231.3c1.2 0 2.5 0 3.7.1h.8l1.6.1c3.7.3 7.3.8 10.9 1.6l1.8.4 3.7 1c3.2.9 6.3 2.1 9.4 3.4l2.1 1c2.2 1 4.4 2.2 6.5 3.4l3.3 2 2.8 1.9c3.9 2.8 7.6 6 11 9.4l2.4 2.6 2.4 2.8 2 2.6 2.3 3.2.1.1c2.9 4.3 5.3 8.8 7.3 13.6l.8 1.8.7 1.8.6 1.7.5 1.7.3.8 1 3.4c.9 3.6 1.6 7.2 2 10.8 0 3.1.2 6.1.2 9.2'/%3E%3Cpath fill='%23fd4b2d' d='M498.3 95.5H133.5c14.9-22.2 40-35.6 66.7-35.6h231.3c26.9 0 51.9 13.4 66.8 35.6m13.2 35.6H120.4c1.4-12.8 6-25 13.1-35.6h364.8c7.2 10.6 11.7 22.9 13.2 35.6m.5 9.2v26.4H378.3v-6.9H253.6v6.9H119.9v-26.4c0-3.1.2-6.2.5-9.2h391.1c.3 3.1.5 6.1.5 9.2M119.9 166.7h133.7v35.6H119.9zm258.4 0H512v35.6H378.3zm-258.4 35.6h133.7v35.6H119.9zm258.4 0H512v35.6H378.3z'/%3E%3C/svg%3E")}
+        .nb-icon-keycloak{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 512 512'%3E%3Cpath fill='%234d4d4d' d='M432.9 149.2c-1.4 0-2.7-.7-3.4-2L370.1 44.1c-.7-1.2-2-2-3.5-2H124.2c-1.4 0-2.7.7-3.4 2L58.9 150.9l23.9 34.9c-.7 1.2-6.2 24-5.5 25.2L58.9 360.9l61.9 106.9c.7 1.2 2 2 3.4 2h242.4c1.4 0 2.7-.7 3.5-2l59.4-103.2c.7-1.2 2-2 3.4-2h73.8c2.4 0 4.4-2 4.4-4.4V153.6c0-2.4-2-4.4-4.4-4.4z'/%3E%3Cpath fill='%2300b8e3' d='m223.9 151-59.7 103.4c-.3.5-.4 1.1-.4 1.7h-41.7l82-142q.75.45 1.2 1.2l18.6 32.3c.5 1.1.5 2.4 0 3.4'/%3E%3Cpath fill='%2333c6e9' d='M223.8 364.9 205.3 397q-.45.75-1.2 1.2l-82-142.2h41.7c0 .6.1 1.1.4 1.6l59.6 103.2c.8 1.2.9 2.9 0 4.1'/%3E%3Cpath fill='%23008aaa' d='m204 114.2-82 141.9-20.6 35.6-19.6-34c-.3-.5-.4-1-.4-1.6s.1-1.2.4-1.7l19.9-34.4 60.4-104.5c.6-1.1 1.8-1.8 3-1.8h37.2c.6 0 1.2.2 1.7.5'/%3E%3Cpath fill='%2300b8e3' d='M204 398.2c-.5.3-1.1.5-1.8.5h-37.1c-1.3 0-2.4-.7-3-1.8l-55.2-95.6-5.5-9.5 20.6-35.6z'/%3E%3Cpath fill='%23008aaa' d='m368.9 256.1-82 142q-.75-.45-1.2-1.2L267 364.7c-.5-1-.5-2.3 0-3.3L326.7 258c.3-.5.5-1.2.5-1.8z'/%3E%3Cpath fill='%2300b8e3' d='M409.4 256.1c0 .6-.2 1.3-.5 1.8l-80.3 139.3c-.6 1-1.8 1.7-3 1.6h-37c-.6 0-1.2-.2-1.8-.5L368.9 256l20.6-35.6 19.5 33.8c.3.7.4 1.3.4 1.9'/%3E%3Cpath fill='%2300b8e3' d='M368.9 256.1h-41.7c0-.6-.2-1.2-.5-1.8L267 151.2c-.6-1.1-.6-2.5 0-3.6l18.6-32.2q.45-.75 1.2-1.2z'/%3E%3Cpath fill='%2333c6e9' d='m389.4 220.5-20.6 35.6-82-142c.6-.3 1.2-.5 1.8-.5h37.1c1.2 0 2.3.6 3 1.6z'/%3E%3C/svg%3E")}
+        .nb-icon-email{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='%23a7b1b9' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Crect x='2' y='4' width='20' height='16' rx='2'/%3E%3Cpath d='m22 7-8.97 5.7a1.94 1.94 0 0 1-2.06 0L2 7'/%3E%3C/svg%3E")}
+        .nb-icon-default{background-image:url("data:image/svg+xml;charset=utf-8,%3Csvg xmlns='http://www.w3.org/2000/svg' width='24' height='24' viewBox='0 0 24 24' fill='none' stroke='%23a7b1b9' stroke-width='2' stroke-linecap='round' stroke-linejoin='round'%3E%3Cpath d='M15 3h4a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2h-4'/%3E%3Cpolyline points='10 17 15 12 10 7'/%3E%3Cline x1='15' y1='12' x2='3' y2='12'/%3E%3C/svg%3E")}
+        .nb-error{background-color:rgba(153,27,27,.2);border:1px solid rgba(153,27,27,.5);border-radius:8px;padding:12px 16px;color:#f87171;font-size:13px;text-align:center;margin-bottom:16px}
+        .nb-link{color:#f68330;text-decoration:none;font-size:13px}
+        .nb-link:hover{text-decoration:underline}
+        .nb-back-link{text-align:center;margin-top:20px}
+        .nb-divider{height:1px;background-color:rgba(63,68,75,.5);margin:24px 0}
+    </style>
+</head>
+<body>
+<div class="nb-container">
+    <div class="nb-logo">
+        <svg width="180" height="31" viewBox="0 0 133 23" fill="none" xmlns="http://www.w3.org/2000/svg">
+            <g clip-path="url(#clip0)">
+                <path d="M46.9438 7.5013C48.1229 8.64688 48.7082 10.3025 48.7082 12.4683V21.6663H46.1411V12.8362C46.1411 11.2809 45.7481 10.0851 44.9704 9.26566C44.1928 8.43783 43.1308 8.0281 41.7846 8.0281C40.4383 8.0281 39.3345 8.45455 38.5234 9.30747C37.7123 10.1604 37.3109 11.4063 37.3109 13.0369V21.6663H34.7188V6.06305H37.3109V8.28732C37.821 7.49294 38.5234 6.87416 39.4014 6.43934C40.2878 6.00452 41.2578 5.78711 42.3197 5.78711C44.2179 5.78711 45.7565 6.36408 46.9355 7.50966L46.9438 7.5013Z" fill="#F2F2F2"/>
+                <path d="M67.1048 14.8344H54.6288C54.7208 16.373 55.2476 17.5771 56.2092 18.4384C57.1708 19.2997 58.3331 19.7345 59.6961 19.7345C60.8166 19.7345 61.7531 19.4753 62.4973 18.9485C63.2499 18.4301 63.7767 17.7277 64.0777 16.858H66.8706C66.4525 18.3548 65.6163 19.5756 64.3621 20.5205C63.1078 21.4571 61.5525 21.9337 59.6878 21.9337C58.2077 21.9337 56.8865 21.5992 55.7159 20.9386C54.5452 20.278 53.6337 19.3331 52.9648 18.1039C52.2958 16.8831 51.9697 15.4616 51.9697 13.8477C51.9697 12.2339 52.2958 10.8207 52.9397 9.60825C53.5836 8.39578 54.495 7.45924 55.6573 6.80702C56.828 6.15479 58.1659 5.82031 59.6878 5.82031C61.2096 5.82031 62.4806 6.14643 63.6178 6.79029C64.7551 7.43416 65.6331 8.32052 66.2518 9.44938C66.8706 10.5782 67.18 11.8576 67.18 13.2791C67.18 13.7725 67.1549 14.2909 67.0964 14.8428L67.1048 14.8344ZM63.8603 10.1769C63.4255 9.4661 62.8318 8.92258 62.0793 8.55465C61.3267 8.18673 60.4989 8.00277 59.5874 8.00277C58.2746 8.00277 57.1625 8.42086 56.2427 9.25705C55.3228 10.0932 54.796 11.2472 54.6623 12.7356H64.5126C64.5126 11.7489 64.2952 10.896 63.8603 10.1852V10.1769Z" fill="#F2F2F2"/>
+                <path d="M73.7695 8.20355V17.4016C73.7695 18.1626 73.9284 18.6977 74.2545 19.0071C74.5806 19.3165 75.1409 19.4754 75.9352 19.4754H77.8418V21.6662H75.5088C74.0622 21.6662 72.9835 21.3317 72.2644 20.6711C71.5452 20.0105 71.1857 18.9151 71.1857 17.3933V8.19519H69.1621V6.0629H71.1857V2.13281H73.7779V6.0629H77.8501V8.19519H73.7779L73.7695 8.20355Z" fill="#F2F2F2"/>
+                <path d="M85.9022 6.68902C86.9307 6.10369 88.093 5.80266 89.4058 5.80266C90.8106 5.80266 92.0732 6.13714 93.1937 6.79773C94.3142 7.46668 95.2006 8.39485 95.8444 9.59896C96.4883 10.8031 96.8144 12.2079 96.8144 13.7966C96.8144 15.3854 96.4883 16.7818 95.8444 18.011C95.2006 19.2486 94.3142 20.2018 93.1854 20.8875C92.0565 21.5732 90.7939 21.916 89.4141 21.916C88.0344 21.916 86.8805 21.6234 85.8687 21.0297C84.8569 20.4443 84.0876 19.6918 83.5775 18.7803V21.6568H80.9854V0.601562H83.5775V8.97182C84.1127 8.04365 84.8904 7.28272 85.9105 6.69738L85.9022 6.68902ZM93.4529 10.7362C92.9763 9.86654 92.3408 9.19759 91.5297 8.74605C90.7186 8.29451 89.8322 8.06037 88.8706 8.06037C87.909 8.06037 87.0394 8.29451 86.2366 8.75441C85.4255 9.22268 84.7817 9.89163 84.2967 10.778C83.8117 11.6643 83.5692 12.6845 83.5692 13.8384C83.5692 14.9924 83.8117 16.046 84.2967 16.9323C84.7817 17.8187 85.4255 18.4877 86.2366 18.9559C87.0394 19.4242 87.9174 19.65 88.8706 19.65C89.8239 19.65 90.727 19.4158 91.5297 18.9559C92.3324 18.4877 92.9763 17.8187 93.4529 16.9323C93.9296 16.046 94.1637 15.0091 94.1637 13.8134C94.1637 12.6176 93.9296 11.6142 93.4529 10.7362Z" fill="#F2F2F2"/>
+                <path d="M100.318 3.01864C99.9749 2.67581 99.8076 2.25771 99.8076 1.76436C99.8076 1.27101 99.9749 0.852913 100.318 0.510076C100.661 0.167238 101.079 0 101.572 0C102.065 0 102.45 0.167238 102.784 0.510076C103.119 0.852913 103.286 1.27101 103.286 1.76436C103.286 2.25771 103.119 2.67581 102.784 3.01864C102.45 3.36148 102.049 3.52872 101.572 3.52872C101.095 3.52872 100.661 3.36148 100.318 3.01864ZM102.826 6.06237V21.6657H100.234V6.06237H102.826Z" fill="#F2F2F2"/>
+                <path d="M111.773 6.52155C112.617 6.0282 113.646 5.77734 114.867 5.77734V8.45315H114.181C111.28 8.45315 109.825 10.0252 109.825 13.1776V21.6649H107.232V6.06165H109.825V8.5953C110.276 7.70058 110.928 7.00654 111.773 6.51319V6.52155Z" fill="#F2F2F2"/>
+                <path d="M117.861 9.60732C118.505 8.40321 119.391 7.46668 120.52 6.80609C121.649 6.1455 122.92 5.81102 124.325 5.81102C125.537 5.81102 126.666 6.09533 127.711 6.64721C128.757 7.20746 129.551 7.94331 130.103 8.85475V0.601562H132.72V21.6735H130.103V18.7385C129.593 19.6667 128.832 20.436 127.828 21.0297C126.825 21.6317 125.646 21.9244 124.3 21.9244C122.953 21.9244 121.657 21.5816 120.528 20.8959C119.4 20.2102 118.513 19.257 117.869 18.0194C117.226 16.7818 116.899 15.377 116.899 13.805C116.899 12.233 117.226 10.8114 117.869 9.60732H117.861ZM129.392 10.7613C128.915 9.89163 128.28 9.22268 127.469 8.75441C126.658 8.28614 125.771 8.06037 124.81 8.06037C123.848 8.06037 122.962 8.28614 122.159 8.74605C121.356 9.20595 120.729 9.86654 120.253 10.7362C119.776 11.6058 119.542 12.6343 119.542 13.8134C119.542 14.9924 119.776 16.046 120.253 16.9323C120.729 17.8187 121.365 18.4877 122.159 18.9559C122.953 19.4242 123.84 19.65 124.81 19.65C125.78 19.65 126.666 19.4158 127.469 18.9559C128.272 18.4877 128.915 17.8187 129.392 16.9323C129.869 16.046 130.103 15.0175 130.103 13.8384C130.103 12.6594 129.869 11.6393 129.392 10.7613Z" fill="#F2F2F2"/>
+                <path d="M21.4651 0.568359C17.8193 0.902835 16.0047 3.00167 15.3191 4.06363L4.66602 22.5183H17.5182L30.1949 0.568359H21.4651Z" fill="#F68330"/>
+                <path d="M17.5265 22.5187L0 3.9302C0 3.9302 19.8177 -1.39633 21.7493 15.2188L17.5265 22.5187Z" fill="#F68330"/>
+                <path d="M14.9255 4.75055L9.54883 14.0657L17.5177 22.5196L21.7405 15.2029C21.0715 9.49174 18.287 6.37276 14.9255 4.74219" fill="#F35E32"/>
+            </g>
+            <defs>
+                <clipPath id="clip0">
+                    <rect width="132.72" height="22.5186" fill="white"/>
+                </clipPath>
+            </defs>
+        </svg>
+    </div>

idp/dex/web/templates/login.html

@@ -0,0 +1,56 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <h1 class="nb-heading">Sign in</h1>
+    <p class="nb-subheading">Choose your login method</p>
+
+    {{/* First pass: render Email/Local connectors at the top */}}
+    {{ range $c := .Connectors }}
+    {{- $nameLower := lower $c.Name -}}
+    {{- $idLower := lower $c.ID -}}
+    {{- if or (contains "email" $nameLower) (contains "email" $idLower) (contains "local" $nameLower) (contains "local" $idLower) -}}
+    <a href="{{ $c.URL }}" class="nb-btn-connector">
+        <span class="nb-icon nb-icon-email"></span>
+        <span>Continue with {{ $c.Name }}</span>
+    </a>
+    {{- end -}}
+    {{ end }}
+
+    {{/* Second pass: render all other connectors */}}
+    {{ range $c := .Connectors }}
+    {{- $nameLower := lower $c.Name -}}
+    {{- $idLower := lower $c.ID -}}
+    {{- if not (or (contains "email" $nameLower) (contains "email" $idLower) (contains "local" $nameLower) (contains "local" $idLower)) -}}
+    <a href="{{ $c.URL }}" class="nb-btn-connector">
+        {{- $iconClass := "nb-icon-default" -}}
+        {{- if or (contains "google" $nameLower) (contains "google" $idLower) -}}
+            {{- $iconClass = "nb-icon-google" -}}
+        {{- else if or (contains "github" $nameLower) (contains "github" $idLower) -}}
+            {{- $iconClass = "nb-icon-github" -}}
+        {{- else if or (contains "entra" $nameLower) (contains "entra" $idLower) -}}
+            {{- $iconClass = "nb-icon-entra" -}}
+        {{- else if or (contains "azure" $nameLower) (contains "azure" $idLower) -}}
+            {{- $iconClass = "nb-icon-azure" -}}
+        {{- else if or (contains "microsoft" $nameLower) (contains "microsoft" $idLower) -}}
+            {{- $iconClass = "nb-icon-microsoft" -}}
+        {{- else if or (contains "okta" $nameLower) (contains "okta" $idLower) -}}
+            {{- $iconClass = "nb-icon-okta" -}}
+        {{- else if or (contains "jumpcloud" $nameLower) (contains "jumpcloud" $idLower) -}}
+            {{- $iconClass = "nb-icon-jumpcloud" -}}
+        {{- else if or (contains "pocket" $nameLower) (contains "pocket" $idLower) -}}
+            {{- $iconClass = "nb-icon-pocketid" -}}
+        {{- else if or (contains "zitadel" $nameLower) (contains "zitadel" $idLower) -}}
+            {{- $iconClass = "nb-icon-zitadel" -}}
+        {{- else if or (contains "authentik" $nameLower) (contains "authentik" $idLower) -}}
+            {{- $iconClass = "nb-icon-authentik" -}}
+        {{- else if or (contains "keycloak" $nameLower) (contains "keycloak" $idLower) -}}
+            {{- $iconClass = "nb-icon-keycloak" -}}
+        {{- end -}}
+        <span class="nb-icon {{ $iconClass }}"></span>
+        <span>Continue with {{ $c.Name }}</span>
+    </a>
+    {{- end -}}
+    {{ end }}
+</div>
+
+{{ template "footer.html" . }}

idp/dex/web/templates/oob.html

@@ -0,0 +1,19 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <div style="text-align:center;margin-bottom:24px">
+        <svg height="48" viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
+            <circle cx="50" cy="50" fill="none" r="45" stroke="#5cb85c" stroke-width="3"/>
+            <path d="M30 50 L45 65 L70 35" fill="none" stroke="#5cb85c" stroke-width="5"/>
+        </svg>
+    </div>
+    <h1 class="nb-heading">Login Successful</h1>
+    <p class="nb-subheading">
+        Copy this code back to your application:
+    </p>
+    <div style="background-color:rgba(63,68,75,.5);border-radius:8px;padding:16px;text-align:center;font-family:monospace;font-size:16px;color:#f68330;margin-top:16px">
+        {{ .Code }}
+    </div>
+</div>
+
+{{ template "footer.html" . }}

idp/dex/web/templates/password.html

@@ -0,0 +1,58 @@
+{{ template "header.html" . }}
+
+<div class="nb-card">
+    <h1 class="nb-heading">Sign in</h1>
+    <p class="nb-subheading">Enter your credentials</p>
+
+    <form method="post" action="{{ .PostURL }}">
+        {{ if .Invalid }}
+        <div class="nb-error">
+            Invalid {{ .UsernamePrompt }} or password.
+        </div>
+        {{ end }}
+
+        <div class="nb-form-group">
+            <label class="nb-label" for="login">{{ .UsernamePrompt }}</label>
+            <input
+                type="text"
+                id="login"
+                name="login"
+                class="nb-input"
+                placeholder="Enter your {{ .UsernamePrompt | lower }}"
+                {{ if .Username }}value="{{ .Username }}"{{ else }}autofocus{{ end }}
+                required
+            >
+        </div>
+
+        <div class="nb-form-group">
+            <label class="nb-label" for="password">Password</label>
+            <input
+                type="password"
+                id="password"
+                name="password"
+                class="nb-input"
+                placeholder="Enter your password"
+                {{ if .Invalid }}autofocus{{ end }}
+                required
+            >
+        </div>
+
+        <button type="submit" id="submit-login" class="nb-btn">
+            Sign in
+        </button>
+    </form>
+
+    {{ if .BackLink }}
+    <div class="nb-back-link">
+        <a href="{{ .BackLink }}" class="nb-link">Choose another login method</a>
+    </div>
+    {{ end }}
+</div>
+
+<script>
+document.querySelector('form').onsubmit = function() {
+    document.getElementById('submit-login').disabled = true;
+};
+</script>
+
+{{ template "footer.html" . }}