fix about

Adds a SubscribeStatus gRPC RPC that pushes a fresh FullStatus snapshot
on every peer-recorder state change, replacing the Wails UI's 2-second
Status poll. The daemon's notifier already triggers on Connected /
Disconnected / Connecting / management or signal flip / address
change / peers-list change; we now coalesce those into ticks on a
buffered chan and stream the resulting snapshots over gRPC.

- Status recorder gains SubscribeToStateChanges /
  UnsubscribeFromStateChanges + a non-blocking notifyStateChange that
  drops ticks when a subscriber's 1-slot buffer is full (next snapshot
  the consumer pulls already reflects everything).
- Server.Status handler split: the snapshot composition is shared
  with the new SubscribeStatus stream handler so unary and stream
  paths return identical bytes.
- UI peers service: pollLoop replaced by statusStreamLoop. The local
  name of the existing SubscribeEvents loop is now toastStreamLoop so
  the two streams are easy to tell apart — the underlying RPC name is
  unchanged.
- Tray applyStatus skips the icon refresh when connected/lastStatus
  hasn't changed; rapid SubscribeStatus bursts during health probes
  no longer churn Shell_NotifyIcon or the log.

.github/workflows/release.yml

@@ -114,13 +114,7 @@ jobs:
           retention-days: 30
 
   release:
-    runs-on: ubuntu-24.04-8-core
-    outputs:
-      release_artifact_url: ${{ steps.upload_release.outputs.artifact-url }}
-      linux_packages_artifact_url: ${{ steps.upload_linux_packages.outputs.artifact-url }}
-      windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
-      macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
-      ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
+    runs-on: ubuntu-latest-m
     env:
       flags: ""
     steps:
@@ -219,13 +213,10 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: Tag and push images (amd64 only)
-        id: tag_and_push_images
         if: |
           (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
           (github.event_name == 'push' && github.ref == 'refs/heads/main')
         run: |
-          set -euo pipefail
-
           resolve_tags() {
             if [[ "${{ github.event_name }}" == "pull_request" ]]; then
               echo "pr-${{ github.event.pull_request.number }}"
@@ -234,17 +225,6 @@ jobs:
             fi
           }
 
-          ghcr_package_url() {
-            local image="$1" package encoded_package
-            package="${image#ghcr.io/}"
-            package="${package#*/}"
-            package="${package%%:*}"
-            encoded_package="${package//\//%2F}"
-            echo "https://github.com/orgs/netbirdio/packages/container/package/${encoded_package}"
-          }
-
-          image_refs=()
-
           tag_and_push() {
             local src="$1" img_name tag dst
             img_name="${src%%:*}"
@@ -253,56 +233,35 @@ jobs:
               echo "Tagging ${src} -> ${dst}"
               docker tag "$src" "$dst"
               docker push "$dst"
-              image_refs+=("$dst")
             done
           }
 
-          cat > /tmp/goreleaser-artifacts.json <<'JSON'
-          ${{ steps.goreleaser.outputs.artifacts }}
-          JSON
+          export -f tag_and_push resolve_tags
 
-          mapfile -t src_images < <(
-            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name | select(startswith("ghcr.io/"))' /tmp/goreleaser-artifacts.json
-          )
-
-          for src in "${src_images[@]}"; do
-            tag_and_push "$src"
-          done
-
-          {
-            echo "images_markdown<<EOF"
-            if [[ ${#image_refs[@]} -eq 0 ]]; then
-              echo "_No GHCR images were pushed._"
-            else
-              printf '%s\n' "${image_refs[@]}" | sort -u | while read -r image; do
-                printf -- '- [`%s`](%s)\n' "$image" "$(ghcr_package_url "$image")"
-              done
-            fi
-            echo "EOF"
-          } >> "$GITHUB_OUTPUT"
+          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
+            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
+            grep '^ghcr.io/' | while read -r SRC; do
+              tag_and_push "$SRC"
+            done
       - name: upload non tags for debug purposes
-        id: upload_release
         uses: actions/upload-artifact@v4
         with:
           name: release
           path: dist/
           retention-days: 7
       - name: upload linux packages
-        id: upload_linux_packages
         uses: actions/upload-artifact@v4
         with:
           name: linux-packages
           path: dist/netbird_linux**
           retention-days: 7
       - name: upload windows packages
-        id: upload_windows_packages
         uses: actions/upload-artifact@v4
         with:
           name: windows-packages
           path: dist/netbird_windows**
           retention-days: 7
       - name: upload macos packages
-        id: upload_macos_packages
         uses: actions/upload-artifact@v4
         with:
           name: macos-packages
@@ -311,8 +270,6 @@ jobs:
 
   release_ui:
     runs-on: ubuntu-latest
-    outputs:
-      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
     steps:
       - name: Parse semver string
         id: semver_parser
@@ -403,7 +360,6 @@ jobs:
         if: always()
         run: rm -f /tmp/gpg-rpm-signing-key.asc
       - name: upload non tags for debug purposes
-        id: upload_release_ui
         uses: actions/upload-artifact@v4
         with:
           name: release-ui
@@ -412,8 +368,6 @@ jobs:
 
   release_ui_darwin:
     runs-on: macos-latest
-    outputs:
-      release_ui_darwin_artifact_url: ${{ steps.upload_release_ui_darwin.outputs.artifact-url }}
     steps:
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
@@ -448,258 +402,15 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: upload non tags for debug purposes
-        id: upload_release_ui_darwin
         uses: actions/upload-artifact@v4
         with:
           name: release-ui-darwin
           path: dist/
           retention-days: 3
 
-  test_windows_installer:
-    name: "Windows Installer / Build Test"
-    runs-on: windows-2022
-    needs: [release, release_ui]
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - arch: amd64
-            wintun_arch: amd64
-          - arch: arm64
-            wintun_arch: arm64
-    defaults:
-      run:
-        shell: powershell
-    env:
-      PackageWorkdir: netbird_windows_${{ matrix.arch }}
-      downloadPath: '${{ github.workspace }}\temp'
-    steps:
-      - name: Parse semver string
-        id: semver_parser
-        uses: booxmedialtd/ws-action-parse-semver@v1
-        with:
-          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-          version_extractor_regex: '\/v(.*)$'
-
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Add 7-Zip to PATH
-        run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-
-      - name: Download release artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: release
-          path: release
-
-      - name: Download UI release artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: release-ui
-          path: release-ui
-
-      - name: Stage binaries into dist
-        run: |
-          $workdir = "dist\${{ env.PackageWorkdir }}"
-          New-Item -ItemType Directory -Force -Path $workdir | Out-Null
-          $client = Get-ChildItem -Recurse -Path release -Filter "netbird_*_windows_${{ matrix.arch }}.tar.gz" | Select-Object -First 1
-          $ui = Get-ChildItem -Recurse -Path release-ui -Filter "netbird-ui-windows_*_windows_${{ matrix.arch }}.tar.gz" | Select-Object -First 1
-          if (-not $client) { Write-Host "::error::client tarball not found for ${{ matrix.arch }}"; exit 1 }
-          if (-not $ui) { Write-Host "::error::ui tarball not found for ${{ matrix.arch }}"; exit 1 }
-          Write-Host "Client: $($client.FullName)"
-          Write-Host "UI:     $($ui.FullName)"
-          tar -zvxf $client.FullName -C $workdir
-          tar -zvxf $ui.FullName -C $workdir
-          Get-ChildItem $workdir
-
-      - name: Download wintun
-        uses: carlosperate/download-file-action@v2
-        id: download-wintun
-        with:
-          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          file-name: wintun.zip
-          location: ${{ env.downloadPath }}
-          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
-
-      - name: Decompress wintun files
-        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
-
-      - name: Move wintun.dll into dist
-        run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
-
-      - name: Download Mesa3D (amd64 only)
-        uses: carlosperate/download-file-action@v2
-        id: download-mesa3d
-        if: matrix.arch == 'amd64'
-        with:
-          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
-          file-name: mesa3d.7z
-          location: ${{ env.downloadPath }}
-          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'
-
-      - name: Extract Mesa3D driver (amd64 only)
-        if: matrix.arch == 'amd64'
-        run: 7z x -o"${{ env.downloadPath }}" "${{ env.downloadPath }}/mesa3d.7z"
-
-      - name: Move opengl32.dll into dist (amd64 only)
-        if: matrix.arch == 'amd64'
-        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
-
-      - name: Download EnVar plugin for NSIS
-        uses: carlosperate/download-file-action@v2
-        with:
-          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
-          file-name: envar_plugin.zip
-          location: ${{ github.workspace }}
-
-      - name: Extract EnVar plugin
-        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/envar_plugin.zip"
-
-      - name: Download ShellExecAsUser plugin for NSIS (amd64 only)
-        uses: carlosperate/download-file-action@v2
-        if: matrix.arch == 'amd64'
-        with:
-          file-url: https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z
-          file-name: ShellExecAsUser_amd64-Unicode.7z
-          location: ${{ github.workspace }}
-
-      - name: Extract ShellExecAsUser plugin (amd64 only)
-        if: matrix.arch == 'amd64'
-        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"
-
-      - name: Build NSIS installer
-        uses: joncloud/makensis-action@v3.3
-        with:
-          additional-plugin-paths: ${{ github.workspace }}/NSIS_Plugins/Plugins
-          script-file: client/installer.nsis
-          arguments: "/V4 /DARCH=${{ matrix.arch }}"
-        env:
-          APPVER: ${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}.${{ steps.semver_parser.outputs.patch }}.${{ github.run_id }}
-
-      - name: Rename NSIS installer
-        run: mv netbird-installer.exe netbird_installer_test_windows_${{ matrix.arch }}.exe
-
-      - name: Install WiX
-        run: |
-          dotnet tool install --global wix --version 6.0.2
-          wix extension add WixToolset.Util.wixext/6.0.2
-
-      - name: Build MSI installer
-        env:
-          NETBIRD_VERSION: "${{ steps.semver_parser.outputs.fullversion }}"
-        run: wix build -arch ${{ matrix.arch == 'amd64' && 'x64' || 'arm64' }} -ext WixToolset.Util.wixext -o netbird_installer_test_windows_${{ matrix.arch }}.msi .\client\netbird.wxs -d ProcessorArchitecture=${{ matrix.arch == 'amd64' && 'x64' || 'arm64' }} -d ArchSuffix=${{ matrix.arch }}
-
-      - name: Upload installer artifacts
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: windows-installer-test-${{ matrix.arch }}
-          path: |
-            netbird_installer_test_windows_${{ matrix.arch }}.exe
-            netbird_installer_test_windows_${{ matrix.arch }}.msi
-          retention-days: 3
-
-  comment_release_artifacts:
-    name: Comment release artifacts
-    runs-on: ubuntu-latest
-    needs: [release, release_ui, release_ui_darwin]
-    if: ${{ always() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: write
-    steps:
-      - name: Create or update PR comment
-        uses: actions/github-script@v7
-        env:
-          RELEASE_RESULT: ${{ needs.release.result }}
-          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
-          RELEASE_UI_DARWIN_RESULT: ${{ needs.release_ui_darwin.result }}
-          RELEASE_ARTIFACT_URL: ${{ needs.release.outputs.release_artifact_url }}
-          LINUX_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.linux_packages_artifact_url }}
-          WINDOWS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.windows_packages_artifact_url }}
-          MACOS_PACKAGES_ARTIFACT_URL: ${{ needs.release.outputs.macos_packages_artifact_url }}
-          RELEASE_UI_ARTIFACT_URL: ${{ needs.release_ui.outputs.release_ui_artifact_url }}
-          RELEASE_UI_DARWIN_ARTIFACT_URL: ${{ needs.release_ui_darwin.outputs.release_ui_darwin_artifact_url }}
-          GHCR_IMAGES_MARKDOWN: ${{ needs.release.outputs.ghcr_images }}
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const marker = '<!-- netbird-release-artifacts -->';
-            const { owner, repo } = context.repo;
-            const issue_number = context.payload.pull_request.number;
-            const runUrl = `${context.serverUrl}/${owner}/${repo}/actions/runs/${context.runId}`;
-            const shortSha = context.payload.pull_request.head.sha.slice(0, 7);
-
-            const artifactCell = (url, result) => {
-              if (url) return `[Download](${url})`;
-              return result && result !== 'success' ? `_Not available (${result})_` : '_Not available_';
-            };
-
-            const artifacts = [
-              ['All release artifacts', process.env.RELEASE_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['Linux packages', process.env.LINUX_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['Windows packages', process.env.WINDOWS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['macOS packages', process.env.MACOS_PACKAGES_ARTIFACT_URL, process.env.RELEASE_RESULT],
-              ['UI artifacts', process.env.RELEASE_UI_ARTIFACT_URL, process.env.RELEASE_UI_RESULT],
-              ['UI macOS artifacts', process.env.RELEASE_UI_DARWIN_ARTIFACT_URL, process.env.RELEASE_UI_DARWIN_RESULT],
-            ];
-
-            const artifactRows = artifacts
-              .map(([name, url, result]) => `| ${name} | ${artifactCell(url, result)} |`)
-              .join('\n');
-
-            const ghcrImages = (process.env.GHCR_IMAGES_MARKDOWN || '').trim() || '_No GHCR images were pushed._';
-
-            const body = [
-              marker,
-              '## Release artifacts',
-              '',
-              `Built for PR head \`${shortSha}\` in [workflow run #${process.env.GITHUB_RUN_NUMBER}](${runUrl}).`,
-              '',
-              '| Artifact | Link |',
-              '| --- | --- |',
-              artifactRows,
-              '',
-              '### GHCR images (amd64)',
-              ghcrImages,
-              '',
-              '_This comment is updated by the Release workflow. Artifact links expire according to the workflow retention policy._',
-            ].join('\n');
-
-            const comments = await github.paginate(github.rest.issues.listComments, {
-              owner,
-              repo,
-              issue_number,
-              per_page: 100,
-            });
-
-            const previous = comments.find(comment =>
-              comment.user?.type === 'Bot' && comment.body?.includes(marker)
-            );
-
-            if (previous) {
-              await github.rest.issues.updateComment({
-                owner,
-                repo,
-                comment_id: previous.id,
-                body,
-              });
-              core.info(`Updated release artifacts comment ${previous.id}`);
-            } else {
-              const { data } = await github.rest.issues.createComment({
-                owner,
-                repo,
-                issue_number,
-                body,
-              });
-              core.info(`Created release artifacts comment ${data.id}`);
-            }
-
   trigger_signer:
     runs-on: ubuntu-latest
-    needs: [release, release_ui, release_ui_darwin, test_windows_installer]
+    needs: [release, release_ui, release_ui_darwin]
     if: startsWith(github.ref, 'refs/tags/')
     steps:
       - name: Trigger binaries sign pipelines

.github/workflows/sync-tag.yml

@@ -9,8 +9,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
   cancel-in-progress: true
 
-# Receiving workflows (cloud sync-tag, mobile bump-netbird) expect the short
-# tag form (e.g. v0.30.0), not refs/tags/v0.30.0 — github.ref_name, not github.ref.
 jobs:
   trigger_sync_tag:
     runs-on: ubuntu-latest
@@ -22,30 +20,4 @@ jobs:
           ref: main
           repo: ${{ secrets.UPSTREAM_REPO }}
           token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
-
-  trigger_android_bump:
-    runs-on: ubuntu-latest
-    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
-    steps:
-      - name: Trigger android-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
-        with:
-          workflow: bump-netbird.yml
-          ref: main
-          repo: netbirdio/android-client
-          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
-
-  trigger_ios_bump:
-    runs-on: ubuntu-latest
-    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
-    steps:
-      - name: Trigger ios-client submodule bump
-        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
-        with:
-          workflow: bump-netbird.yml
-          ref: main
-          repo: netbirdio/ios-client
-          token: ${{ secrets.NC_GITHUB_TOKEN }}
           inputs: '{ "tag": "${{ github.ref_name }}" }'

client/Dockerfile

@@ -17,7 +17,6 @@ ENV \
     NETBIRD_BIN="/usr/local/bin/netbird" \
     NB_LOG_FILE="console,/var/log/netbird/client.log" \
     NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
-    NB_ENABLE_CAPTURE="false" \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

client/Dockerfile-rootless

@@ -23,7 +23,6 @@ ENV \
     NB_DAEMON_ADDR="unix:///var/lib/netbird/netbird.sock" \
     NB_LOG_FILE="console,/var/lib/netbird/client.log" \
     NB_DISABLE_DNS="true" \
-    NB_ENABLE_CAPTURE="false" \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

client/cmd/capture.go

@@ -1,196 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"os"
-	"os/signal"
-	"path/filepath"
-	"strings"
-	"syscall"
-
-	"github.com/hashicorp/go-multierror"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/durationpb"
-
-	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util/capture"
-)
-
-var captureCmd = &cobra.Command{
-	Use:   "capture",
-	Short: "Capture packets on the WireGuard interface",
-	Long: `Captures decrypted packets flowing through the WireGuard interface.
-
-Default output is human-readable text. Use --pcap or --output for pcap binary.
-Requires --enable-capture to be set at service install or reconfigure time.
-
-Examples:
-  netbird debug capture
-  netbird debug capture host 100.64.0.1 and port 443
-  netbird debug capture tcp
-  netbird debug capture icmp
-  netbird debug capture src host 10.0.0.1 and dst port 80
-  netbird debug capture -o capture.pcap
-  netbird debug capture --pcap | tshark -r -
-  netbird debug capture --pcap | tcpdump -r - -n`,
-	Args: cobra.ArbitraryArgs,
-	RunE: runCapture,
-}
-
-func init() {
-	debugCmd.AddCommand(captureCmd)
-
-	captureCmd.Flags().Bool("pcap", false, "Force pcap binary output (default when --output is set)")
-	captureCmd.Flags().BoolP("verbose", "v", false, "Show seq/ack, TTL, window, total length")
-	captureCmd.Flags().Bool("ascii", false, "Print payload as ASCII after each packet (useful for HTTP)")
-	captureCmd.Flags().Uint32("snap-len", 0, "Max bytes per packet (0 = full)")
-	captureCmd.Flags().DurationP("duration", "d", 0, "Capture duration (0 = until interrupted)")
-	captureCmd.Flags().StringP("output", "o", "", "Write pcap to file instead of stdout")
-}
-
-func runCapture(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			cmd.PrintErrf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-
-	req, err := buildCaptureRequest(cmd, args)
-	if err != nil {
-		return err
-	}
-
-	ctx, cancel := signal.NotifyContext(cmd.Context(), syscall.SIGINT, syscall.SIGTERM)
-	defer cancel()
-
-	stream, err := client.StartCapture(ctx, req)
-	if err != nil {
-		return handleCaptureError(err)
-	}
-
-	// First Recv is the empty acceptance message from the server. If the
-	// device is unavailable (kernel WG, not connected, capture disabled),
-	// the server returns an error instead.
-	if _, err := stream.Recv(); err != nil {
-		return handleCaptureError(err)
-	}
-
-	out, cleanup, err := captureOutput(cmd)
-	if err != nil {
-		return err
-	}
-
-	if req.TextOutput {
-		cmd.PrintErrf("Capturing packets... Press Ctrl+C to stop.\n")
-	} else {
-		cmd.PrintErrf("Capturing packets (pcap)... Press Ctrl+C to stop.\n")
-	}
-
-	streamErr := streamCapture(ctx, cmd, stream, out)
-	cleanupErr := cleanup()
-	if streamErr != nil {
-		return streamErr
-	}
-	return cleanupErr
-}
-
-func buildCaptureRequest(cmd *cobra.Command, args []string) (*proto.StartCaptureRequest, error) {
-	req := &proto.StartCaptureRequest{}
-
-	if len(args) > 0 {
-		expr := strings.Join(args, " ")
-		if _, err := capture.ParseFilter(expr); err != nil {
-			return nil, fmt.Errorf("invalid filter: %w", err)
-		}
-		req.FilterExpr = expr
-	}
-
-	if snap, _ := cmd.Flags().GetUint32("snap-len"); snap > 0 {
-		req.SnapLen = snap
-	}
-	if d, _ := cmd.Flags().GetDuration("duration"); d != 0 {
-		if d < 0 {
-			return nil, fmt.Errorf("duration must not be negative")
-		}
-		req.Duration = durationpb.New(d)
-	}
-	req.Verbose, _ = cmd.Flags().GetBool("verbose")
-	req.Ascii, _ = cmd.Flags().GetBool("ascii")
-
-	outPath, _ := cmd.Flags().GetString("output")
-	forcePcap, _ := cmd.Flags().GetBool("pcap")
-	req.TextOutput = !forcePcap && outPath == ""
-
-	return req, nil
-}
-
-func streamCapture(ctx context.Context, cmd *cobra.Command, stream proto.DaemonService_StartCaptureClient, out io.Writer) error {
-	for {
-		pkt, err := stream.Recv()
-		if err != nil {
-			if ctx.Err() != nil {
-				cmd.PrintErrf("\nCapture stopped.\n")
-				return nil //nolint:nilerr // user interrupted
-			}
-			if err == io.EOF {
-				cmd.PrintErrf("\nCapture finished.\n")
-				return nil
-			}
-			return handleCaptureError(err)
-		}
-		if _, err := out.Write(pkt.GetData()); err != nil {
-			return fmt.Errorf("write output: %w", err)
-		}
-	}
-}
-
-// captureOutput returns the writer for capture data and a cleanup function
-// that finalizes the file. Errors from the cleanup must be propagated.
-func captureOutput(cmd *cobra.Command) (io.Writer, func() error, error) {
-	outPath, _ := cmd.Flags().GetString("output")
-	if outPath == "" {
-		return os.Stdout, func() error { return nil }, nil
-	}
-
-	f, err := os.CreateTemp(filepath.Dir(outPath), filepath.Base(outPath)+".*.tmp")
-	if err != nil {
-		return nil, nil, fmt.Errorf("create output file: %w", err)
-	}
-	tmpPath := f.Name()
-	return f, func() error {
-		var merr *multierror.Error
-		if err := f.Close(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("close output file: %w", err))
-		}
-		fi, statErr := os.Stat(tmpPath)
-		if statErr != nil || fi.Size() == 0 {
-			if rmErr := os.Remove(tmpPath); rmErr != nil && !os.IsNotExist(rmErr) {
-				merr = multierror.Append(merr, fmt.Errorf("remove empty output file: %w", rmErr))
-			}
-			return nberrors.FormatErrorOrNil(merr)
-		}
-		if err := os.Rename(tmpPath, outPath); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("rename output file: %w", err))
-			return nberrors.FormatErrorOrNil(merr)
-		}
-		cmd.PrintErrf("Wrote %s\n", outPath)
-		return nberrors.FormatErrorOrNil(merr)
-	}, nil
-}
-
-func handleCaptureError(err error) error {
-	if s, ok := status.FromError(err); ok {
-		return fmt.Errorf("%s", s.Message())
-	}
-	return err
-}

client/cmd/debug.go

@@ -9,7 +9,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/debug"
@@ -240,50 +239,11 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		}()
 	}
 
-	captureStarted := false
-	if wantCapture, _ := cmd.Flags().GetBool("capture"); wantCapture {
-		captureTimeout := duration + 30*time.Second
-		const maxBundleCapture = 10 * time.Minute
-		if captureTimeout > maxBundleCapture {
-			captureTimeout = maxBundleCapture
-		}
-		_, err := client.StartBundleCapture(cmd.Context(), &proto.StartBundleCaptureRequest{
-			Timeout: durationpb.New(captureTimeout),
-		})
-		if err != nil {
-			cmd.PrintErrf("Failed to start packet capture: %v\n", status.Convert(err).Message())
-		} else {
-			captureStarted = true
-			cmd.Println("Packet capture started.")
-			// Safety: always stop on exit, even if the normal stop below runs too.
-			defer func() {
-				if captureStarted {
-					stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-					defer cancel()
-					if _, err := client.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
-						cmd.PrintErrf("Failed to stop packet capture: %v\n", err)
-					}
-				}
-			}()
-		}
-	}
-
 	if waitErr := waitForDurationOrCancel(cmd.Context(), duration, cmd); waitErr != nil {
 		return waitErr
 	}
 	cmd.Println("\nDuration completed")
 
-	if captureStarted {
-		stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		if _, err := client.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
-			cmd.PrintErrf("Failed to stop packet capture: %v\n", err)
-		} else {
-			captureStarted = false
-			cmd.Println("Packet capture stopped.")
-		}
-	}
-
 	if cpuProfilingStarted {
 		if _, err := client.StopCPUProfile(cmd.Context(), &proto.StopCPUProfileRequest{}); err != nil {
 			cmd.PrintErrf("Failed to stop CPU profiling: %v\n", err)
@@ -456,5 +416,4 @@ func init() {
 	forCmd.Flags().BoolVarP(&systemInfoFlag, "system-info", "S", true, "Adds system information to the debug bundle")
 	forCmd.Flags().BoolVarP(&uploadBundleFlag, "upload-bundle", "U", false, "Uploads the debug bundle to a server")
 	forCmd.Flags().StringVar(&uploadBundleURLFlag, "upload-bundle-url", types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
-	forCmd.Flags().Bool("capture", false, "Capture packets during the debug duration and include in bundle")
 }

client/cmd/root.go

@@ -75,7 +75,6 @@ var (
 	mtu                     uint16
 	profilesDisabled        bool
 	updateSettingsDisabled  bool
-	captureEnabled          bool
 	networksDisabled        bool
 
 	rootCmd = &cobra.Command{

client/cmd/service.go

@@ -44,7 +44,6 @@ func init() {
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
-	serviceCmd.PersistentFlags().BoolVar(&captureEnabled, "enable-capture", false, "Enables packet capture via 'netbird debug capture'. To persist, use: netbird service install --enable-capture")
 	serviceCmd.PersistentFlags().BoolVar(&networksDisabled, "disable-networks", false, "Disables network selection. If enabled, the client will not allow listing, selecting, or deselecting networks. To persist, use: netbird service install --disable-networks")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")

client/cmd/service_controller.go

@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled, captureEnabled, networksDisabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled, networksDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/service_installer.go

@@ -59,10 +59,6 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-update-settings")
 	}
 
-	if captureEnabled {
-		args = append(args, "--enable-capture")
-	}
-
 	if networksDisabled {
 		args = append(args, "--disable-networks")
 	}

client/cmd/service_params.go

@@ -28,7 +28,6 @@ type serviceParams struct {
 	LogFiles              []string          `json:"log_files,omitempty"`
 	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
-	EnableCapture         bool              `json:"enable_capture,omitempty"`
 	DisableNetworks       bool              `json:"disable_networks,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
@@ -80,7 +79,6 @@ func currentServiceParams() *serviceParams {
 		LogFiles:              logFiles,
 		DisableProfiles:       profilesDisabled,
 		DisableUpdateSettings: updateSettingsDisabled,
-		EnableCapture:         captureEnabled,
 		DisableNetworks:       networksDisabled,
 	}
 
@@ -146,10 +144,6 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		updateSettingsDisabled = params.DisableUpdateSettings
 	}
 
-	if !serviceCmd.PersistentFlags().Changed("enable-capture") {
-		captureEnabled = params.EnableCapture
-	}
-
 	if !serviceCmd.PersistentFlags().Changed("disable-networks") {
 		networksDisabled = params.DisableNetworks
 	}

client/cmd/service_params_test.go

@@ -535,7 +535,6 @@ func fieldToGlobalVar(field string) string {
 		"LogFiles":              "logFiles",
 		"DisableProfiles":       "profilesDisabled",
 		"DisableUpdateSettings": "updateSettingsDisabled",
-		"EnableCapture":         "captureEnabled",
 		"DisableNetworks":       "networksDisabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}

client/cmd/testutil_test.go

@@ -135,7 +135,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		t.Fatal(err)
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -160,7 +160,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		"", "", false, false, false, false)
+		"", "", false, false, false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/embed/capture.go

@@ -1,65 +0,0 @@
-package embed
-
-import (
-	"io"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/util/capture"
-)
-
-// CaptureOptions configures a packet capture session.
-type CaptureOptions struct {
-	// Output receives pcap-formatted data. Nil disables pcap output.
-	Output io.Writer
-	// TextOutput receives human-readable packet summaries. Nil disables text output.
-	TextOutput io.Writer
-	// Filter is a BPF-like filter expression (e.g. "host 10.0.0.1 and tcp port 443").
-	// Empty captures all packets.
-	Filter string
-	// Verbose adds seq/ack, TTL, window, and total length to text output.
-	Verbose bool
-	// ASCII dumps transport payload as printable ASCII after each packet line.
-	ASCII bool
-}
-
-// CaptureStats reports capture session counters.
-type CaptureStats struct {
-	Packets int64
-	Bytes   int64
-	Dropped int64
-}
-
-// CaptureSession represents an active packet capture. Call Stop to end the
-// capture and flush buffered packets.
-type CaptureSession struct {
-	sess   *capture.Session
-	engine *internal.Engine
-}
-
-// Stop ends the capture, flushes remaining packets, and detaches from the device.
-// Safe to call multiple times.
-func (cs *CaptureSession) Stop() {
-	if cs.engine != nil {
-		_ = cs.engine.SetCapture(nil)
-		cs.engine = nil
-	}
-	if cs.sess != nil {
-		cs.sess.Stop()
-	}
-}
-
-// Stats returns current capture counters.
-func (cs *CaptureSession) Stats() CaptureStats {
-	s := cs.sess.Stats()
-	return CaptureStats{
-		Packets: s.Packets,
-		Bytes:   s.Bytes,
-		Dropped: s.Dropped,
-	}
-}
-
-// Done returns a channel that is closed when the capture's writer goroutine
-// has fully exited and all buffered packets have been flushed.
-func (cs *CaptureSession) Done() <-chan struct{} {
-	return cs.sess.Done()
-}

client/embed/embed.go

@@ -24,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/util/capture"
 )
 
 var (
@@ -66,7 +65,7 @@ type Options struct {
 	PrivateKey string
 	// ManagementURL overrides the default management server URL
 	ManagementURL string
-	// PreSharedKey is the pre-shared key for the tunnel interface
+	// PreSharedKey is the pre-shared key for the WireGuard interface
 	PreSharedKey string
 	// LogOutput is the output destination for logs (defaults to os.Stderr if nil)
 	LogOutput io.Writer
@@ -82,9 +81,9 @@ type Options struct {
 	DisableClientRoutes bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
-	// WireguardPort is the port for the tunnel interface. Use 0 for a random port.
+	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
 	WireguardPort *int
-	// MTU is the MTU for the tunnel interface.
+	// MTU is the MTU for the WireGuard interface.
 	// Valid values are in the range 576..8192 bytes.
 	// If non-nil, this value overrides any value stored in the config file.
 	// If nil, the existing config MTU (if non-zero) is preserved; otherwise it defaults to 1280.
@@ -470,52 +469,6 @@ func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
 	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
 }
 
-// StartCapture begins capturing packets on this client's tunnel device.
-// Only one capture can be active at a time; starting a new one stops the previous.
-// Call StopCapture (or CaptureSession.Stop) to end it.
-func (c *Client) StartCapture(opts CaptureOptions) (*CaptureSession, error) {
-	engine, err := c.getEngine()
-	if err != nil {
-		return nil, err
-	}
-
-	var matcher capture.Matcher
-	if opts.Filter != "" {
-		m, err := capture.ParseFilter(opts.Filter)
-		if err != nil {
-			return nil, fmt.Errorf("parse filter: %w", err)
-		}
-		matcher = m
-	}
-
-	sess, err := capture.NewSession(capture.Options{
-		Output:     opts.Output,
-		TextOutput: opts.TextOutput,
-		Matcher:    matcher,
-		Verbose:    opts.Verbose,
-		ASCII:      opts.ASCII,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("create capture session: %w", err)
-	}
-
-	if err := engine.SetCapture(sess); err != nil {
-		sess.Stop()
-		return nil, fmt.Errorf("set capture: %w", err)
-	}
-
-	return &CaptureSession{sess: sess, engine: engine}, nil
-}
-
-// StopCapture stops the active capture session if one is running.
-func (c *Client) StopCapture() error {
-	engine, err := c.getEngine()
-	if err != nil {
-		return err
-	}
-	return engine.SetCapture(nil)
-}
-
 // getEngine safely retrieves the engine from the client with proper locking.
 // Returns ErrClientNotStarted if the client is not started.
 // Returns ErrEngineNotStarted if the engine is not available.

client/firewall/uspfilter/filter.go

@@ -115,13 +115,12 @@ type Manager struct {
 
 	localipmanager *localIPManager
 
-	udpTracker     *conntrack.UDPTracker
-	icmpTracker    *conntrack.ICMPTracker
-	tcpTracker     *conntrack.TCPTracker
-	forwarder      atomic.Pointer[forwarder.Forwarder]
-	pendingCapture atomic.Pointer[forwarder.PacketCapture]
-	logger         *nblog.Logger
-	flowLogger     nftypes.FlowLogger
+	udpTracker  *conntrack.UDPTracker
+	icmpTracker *conntrack.ICMPTracker
+	tcpTracker  *conntrack.TCPTracker
+	forwarder   atomic.Pointer[forwarder.Forwarder]
+	logger      *nblog.Logger
+	flowLogger  nftypes.FlowLogger
 
 	blockRule firewall.Rule
 
@@ -352,19 +351,6 @@ func (m *Manager) determineRouting() error {
 	return nil
 }
 
-// SetPacketCapture sets or clears packet capture on the forwarder endpoint.
-// This captures outbound response packets that bypass the FilteredDevice in netstack mode.
-func (m *Manager) SetPacketCapture(pc forwarder.PacketCapture) {
-	if pc == nil {
-		m.pendingCapture.Store(nil)
-	} else {
-		m.pendingCapture.Store(&pc)
-	}
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.SetCapture(pc)
-	}
-}
-
 // initForwarder initializes the forwarder, it disables routing on errors
 func (m *Manager) initForwarder() error {
 	if m.forwarder.Load() != nil {
@@ -386,11 +372,6 @@ func (m *Manager) initForwarder() error {
 
 	m.forwarder.Store(forwarder)
 
-	// Re-load after store: a concurrent SetPacketCapture may have seen forwarder as nil and only updated pendingCapture.
-	if pc := m.pendingCapture.Load(); pc != nil {
-		forwarder.SetCapture(*pc)
-	}
-
 	log.Debug("forwarder initialized")
 
 	return nil
@@ -633,7 +614,6 @@ func (m *Manager) resetState() {
 	}
 
 	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.SetCapture(nil)
 		fwder.Stop()
 	}
 

client/firewall/uspfilter/forwarder/endpoint.go

@@ -12,19 +12,12 @@ import (
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 )
 
-// PacketCapture captures raw packets for debugging. Implementations must be
-// safe for concurrent use and must not block.
-type PacketCapture interface {
-	Offer(data []byte, outbound bool)
-}
-
 // endpoint implements stack.LinkEndpoint and handles integration with the wireguard device
 type endpoint struct {
 	logger     *nblog.Logger
 	dispatcher stack.NetworkDispatcher
 	device     *wgdevice.Device
 	mtu        atomic.Uint32
-	capture    atomic.Pointer[PacketCapture]
 }
 
 func (e *endpoint) Attach(dispatcher stack.NetworkDispatcher) {
@@ -61,17 +54,13 @@ func (e *endpoint) WritePackets(pkts stack.PacketBufferList) (int, tcpip.Error)
 			continue
 		}
 
-		pktBytes := data.AsSlice()
-
+		// Send the packet through WireGuard
 		address := netHeader.DestinationAddress()
-		if err := e.device.CreateOutboundPacket(pktBytes, address.AsSlice()); err != nil {
+		err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice())
+		if err != nil {
 			e.logger.Error1("CreateOutboundPacket: %v", err)
 			continue
 		}
-
-		if pc := e.capture.Load(); pc != nil {
-			(*pc).Offer(pktBytes, true)
-		}
 		written++
 	}
 

client/firewall/uspfilter/forwarder/forwarder.go

@@ -139,16 +139,6 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	return f, nil
 }
 
-// SetCapture sets or clears the packet capture on the forwarder endpoint.
-// This captures outbound packets that bypass the FilteredDevice (netstack forwarding).
-func (f *Forwarder) SetCapture(pc PacketCapture) {
-	if pc == nil {
-		f.endpoint.capture.Store(nil)
-		return
-	}
-	f.endpoint.capture.Store(&pc)
-}
-
 func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
 	if len(payload) < header.IPv4MinimumSize {
 		return fmt.Errorf("packet too small: %d bytes", len(payload))

client/firewall/uspfilter/forwarder/icmp.go

@@ -270,9 +270,5 @@ func (f *Forwarder) injectICMPReply(id stack.TransportEndpointID, icmpPayload []
 		return 0
 	}
 
-	if pc := f.endpoint.capture.Load(); pc != nil {
-		(*pc).Offer(fullPacket, true)
-	}
-
 	return len(fullPacket)
 }

client/iface/device/device_filter.go

@@ -3,7 +3,6 @@ package device
 import (
 	"net/netip"
 	"sync"
-	"sync/atomic"
 
 	"golang.zx2c4.com/wireguard/tun"
 )
@@ -29,20 +28,11 @@ type PacketFilter interface {
 	SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool)
 }
 
-// PacketCapture captures raw packets for debugging. Implementations must be
-// safe for concurrent use and must not block.
-type PacketCapture interface {
-	// Offer submits a packet for capture. outbound is true for packets
-	// leaving the host (Read path), false for packets arriving (Write path).
-	Offer(data []byte, outbound bool)
-}
-
 // FilteredDevice to override Read or Write of packets
 type FilteredDevice struct {
 	tun.Device
 
 	filter    PacketFilter
-	capture   atomic.Pointer[PacketCapture]
 	mutex     sync.RWMutex
 	closeOnce sync.Once
 }
@@ -73,25 +63,20 @@ func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, er
 	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {
 		return 0, err
 	}
-
 	d.mutex.RLock()
 	filter := d.filter
 	d.mutex.RUnlock()
 
-	if filter != nil {
-		for i := 0; i < n; i++ {
-			if filter.FilterOutbound(bufs[i][offset:offset+sizes[i]], sizes[i]) {
-				bufs = append(bufs[:i], bufs[i+1:]...)
-				sizes = append(sizes[:i], sizes[i+1:]...)
-				n--
-				i--
-			}
-		}
+	if filter == nil {
+		return
 	}
 
-	if pc := d.capture.Load(); pc != nil {
-		for i := 0; i < n; i++ {
-			(*pc).Offer(bufs[i][offset:offset+sizes[i]], true)
+	for i := 0; i < n; i++ {
+		if filter.FilterOutbound(bufs[i][offset:offset+sizes[i]], sizes[i]) {
+			bufs = append(bufs[:i], bufs[i+1:]...)
+			sizes = append(sizes[:i], sizes[i+1:]...)
+			n--
+			i--
 		}
 	}
 
@@ -100,13 +85,6 @@ func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, er
 
 // Write wraps write method with filtering feature
 func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
-	// Capture before filtering so dropped packets are still visible in captures.
-	if pc := d.capture.Load(); pc != nil {
-		for _, buf := range bufs {
-			(*pc).Offer(buf[offset:], false)
-		}
-	}
-
 	d.mutex.RLock()
 	filter := d.filter
 	d.mutex.RUnlock()
@@ -118,10 +96,9 @@ func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
 	filteredBufs := make([][]byte, 0, len(bufs))
 	dropped := 0
 	for _, buf := range bufs {
-		if filter.FilterInbound(buf[offset:], len(buf)) {
-			dropped++
-		} else {
+		if !filter.FilterInbound(buf[offset:], len(buf)) {
 			filteredBufs = append(filteredBufs, buf)
+			dropped++
 		}
 	}
 
@@ -136,14 +113,3 @@ func (d *FilteredDevice) SetFilter(filter PacketFilter) {
 	d.filter = filter
 	d.mutex.Unlock()
 }
-
-// SetCapture sets or clears the packet capture sink. Pass nil to disable.
-// Uses atomic store so the hot path (Read/Write) is a single pointer load
-// with no locking overhead when capture is off.
-func (d *FilteredDevice) SetCapture(pc PacketCapture) {
-	if pc == nil {
-		d.capture.Store(nil)
-		return
-	}
-	d.capture.Store(&pc)
-}

client/iface/device/device_filter_test.go

@@ -158,7 +158,7 @@ func TestDeviceWrapperRead(t *testing.T) {
 			t.Errorf("unexpected error: %v", err)
 			return
 		}
-		if n != 1 {
+		if n != 0 {
 			t.Errorf("expected n=1, got %d", n)
 			return
 		}

client/installer.nsis

@@ -200,19 +200,9 @@ Pop $0
 !macroend
 
 Function .onInit
-StrCpy $INSTDIR "${INSTALL_DIR}"
-; Default autostart to enabled so silent installs (/S) match the interactive default
-StrCpy $AutostartEnabled "1"
-
-; Pre-0.70.1 installers ran without SetRegView, so their uninstall keys live
-; in the 32-bit view. Fall back to it so upgrades still find them.
 SetRegView 64
+StrCpy $INSTDIR "${INSTALL_DIR}"
 ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
-${If} $R0 == ""
-    SetRegView 32
-    ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
-    SetRegView 64
-${EndIf}
 ${If} $R0 != ""
     # if silent install jump to uninstall step
     IfSilent uninstall

client/internal/debug/debug.go

@@ -61,7 +61,6 @@ allocs.prof: Allocations profiling information.
 threadcreate.prof: Thread creation profiling information.
 cpu.prof: CPU profiling information.
 stack_trace.txt: Complete stack traces of all goroutines at the time of bundle creation.
-capture.pcap: Packet capture in pcap format. Only present when capture was running during bundle collection. Omitted from anonymized bundles because it contains raw decrypted packet data.
 
 
 Anonymization Process
@@ -235,7 +234,6 @@ type BundleGenerator struct {
 	logPath        string
 	tempDir        string
 	cpuProfile     []byte
-	capturePath    string
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
 	clientMetrics  MetricsExporter
 
@@ -259,8 +257,7 @@ type GeneratorDependencies struct {
 	LogPath        string
 	TempDir        string // Directory for temporary bundle zip files. If empty, os.TempDir() is used.
 	CPUProfile     []byte
-	CapturePath    string
-	RefreshStatus  func()
+	RefreshStatus  func() // Optional callback to refresh status before bundle generation
 	ClientMetrics  MetricsExporter
 }
 
@@ -280,7 +277,6 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		logPath:        deps.LogPath,
 		tempDir:        deps.TempDir,
 		cpuProfile:     deps.CPUProfile,
-		capturePath:    deps.CapturePath,
 		refreshStatus:  deps.RefreshStatus,
 		clientMetrics:  deps.ClientMetrics,
 
@@ -350,10 +346,6 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("failed to add CPU profile to debug bundle: %v", err)
 	}
 
-	if err := g.addCaptureFile(); err != nil {
-		log.Errorf("failed to add capture file to debug bundle: %v", err)
-	}
-
 	if err := g.addStackTrace(); err != nil {
 		log.Errorf("failed to add stack trace to debug bundle: %v", err)
 	}
@@ -677,29 +669,6 @@ func (g *BundleGenerator) addCPUProfile() error {
 	return nil
 }
 
-func (g *BundleGenerator) addCaptureFile() error {
-	if g.capturePath == "" {
-		return nil
-	}
-
-	if g.anonymize {
-		log.Info("skipping capture file in anonymized bundle (contains raw packet data)")
-		return nil
-	}
-
-	f, err := os.Open(g.capturePath)
-	if err != nil {
-		return fmt.Errorf("open capture file: %w", err)
-	}
-	defer f.Close()
-
-	if err := g.addFileToZip(f, "capture.pcap"); err != nil {
-		return fmt.Errorf("add capture file to zip: %w", err)
-	}
-
-	return nil
-}
-
 func (g *BundleGenerator) addStackTrace() error {
 	buf := make([]byte, 5242880) // 5 MB buffer
 	n := runtime.Stack(buf, true)

client/internal/engine.go

@@ -28,7 +28,6 @@ import (
 	"github.com/netbirdio/netbird/client/firewall"
 	"github.com/netbirdio/netbird/client/firewall/firewalld"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
@@ -69,7 +68,6 @@ import (
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
 	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/capture"
 )
 
 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -220,8 +218,6 @@ type Engine struct {
 	portForwardManager *portforward.Manager
 	srWatcher          *guard.SRWatcher
 
-	afpacketCapture *capture.AFPacketCapture
-
 	// Sync response persistence (protected by syncRespMux)
 	syncRespMux         sync.RWMutex
 	persistSyncResponse bool
@@ -1707,11 +1703,6 @@ func (e *Engine) parseNATExternalIPMappings() []string {
 }
 
 func (e *Engine) close() {
-	if e.afpacketCapture != nil {
-		e.afpacketCapture.Stop()
-		e.afpacketCapture = nil
-	}
-
 	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
 
 	if e.wgInterface != nil {
@@ -2177,62 +2168,6 @@ func (e *Engine) Address() (netip.Addr, error) {
 	return e.wgInterface.Address().IP, nil
 }
 
-// SetCapture sets or clears packet capture on the WireGuard device.
-// On userspace WireGuard, it taps the FilteredDevice directly.
-// On kernel WireGuard (Linux), it falls back to AF_PACKET raw socket capture.
-// Pass nil to disable capture.
-func (e *Engine) SetCapture(pc device.PacketCapture) error {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-
-	intf := e.wgInterface
-	if intf == nil {
-		return errors.New("wireguard interface not initialized")
-	}
-
-	if e.afpacketCapture != nil {
-		e.afpacketCapture.Stop()
-		e.afpacketCapture = nil
-	}
-
-	dev := intf.GetDevice()
-	if dev != nil {
-		dev.SetCapture(pc)
-		e.setForwarderCapture(pc)
-		return nil
-	}
-
-	// Kernel mode: no FilteredDevice. Use AF_PACKET on Linux.
-	if pc == nil {
-		return nil
-	}
-	sess, ok := pc.(*capture.Session)
-	if !ok {
-		return errors.New("filtered device not available and AF_PACKET requires *capture.Session")
-	}
-
-	afc := capture.NewAFPacketCapture(intf.Name(), sess)
-	if err := afc.Start(); err != nil {
-		return fmt.Errorf("start AF_PACKET capture on %s: %w", intf.Name(), err)
-	}
-	e.afpacketCapture = afc
-	return nil
-}
-
-// setForwarderCapture propagates capture to the USP filter's forwarder endpoint.
-// This captures outbound response packets that bypass the FilteredDevice in netstack mode.
-func (e *Engine) setForwarderCapture(pc device.PacketCapture) {
-	if e.firewall == nil {
-		return
-	}
-	type forwarderCapturer interface {
-		SetPacketCapture(pc forwarder.PacketCapture)
-	}
-	if fc, ok := e.firewall.(forwarderCapturer); ok {
-		fc.SetPacketCapture(pc)
-	}
-}
-
 func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) ([]firewallManager.ForwardRule, error) {
 	if e.firewall == nil {
 		log.Warn("firewall is disabled, not updating forwarding rules")
@@ -2454,8 +2389,6 @@ func convertToOfferAnswer(msg *sProto.Message) (*peer.OfferAnswer, error) {
 		}
 	}
 
-	relayIP := decodeRelayIP(msg.GetBody().GetRelayServerIP())
-
 	offerAnswer := peer.OfferAnswer{
 		IceCredentials: peer.IceCredentials{
 			UFrag: remoteCred.UFrag,
@@ -2466,23 +2399,7 @@ func convertToOfferAnswer(msg *sProto.Message) (*peer.OfferAnswer, error) {
 		RosenpassPubKey: rosenpassPubKey,
 		RosenpassAddr:   rosenpassAddr,
 		RelaySrvAddress: msg.GetBody().GetRelayServerAddress(),
-		RelaySrvIP:      relayIP,
 		SessionID:       sessionID,
 	}
 	return &offerAnswer, nil
 }
-
-// decodeRelayIP decodes the proto relayServerIP bytes (4 or 16) into a
-// netip.Addr. Returns the zero value for empty input and logs a warning
-// for malformed payloads.
-func decodeRelayIP(b []byte) netip.Addr {
-	if len(b) == 0 {
-		return netip.Addr{}
-	}
-	ip, ok := netip.AddrFromSlice(b)
-	if !ok {
-		log.Warnf("invalid relayServerIP in signal message (%d bytes), ignoring", len(b))
-		return netip.Addr{}
-	}
-	return ip.Unmap()
-}

client/internal/engine_test.go

@@ -1671,7 +1671,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/lazyconn/activity/listener_bind_test.go

@@ -3,6 +3,7 @@ package activity
 import (
 	"net"
 	"net/netip"
+	"runtime"
 	"testing"
 	"time"
 
@@ -17,6 +18,10 @@ import (
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 )
 
+func isBindListenerPlatform() bool {
+	return runtime.GOOS == "windows" || runtime.GOOS == "js"
+}
+
 // mockEndpointManager implements device.EndpointManager for testing
 type mockEndpointManager struct {
 	endpoints map[netip.Addr]net.Conn
@@ -176,6 +181,10 @@ func TestBindListener_Close(t *testing.T) {
 }
 
 func TestManager_BindMode(t *testing.T) {
+	if !isBindListenerPlatform() {
+		t.Skip("BindListener only used on Windows/JS platforms")
+	}
+
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 
@@ -217,6 +226,10 @@ func TestManager_BindMode(t *testing.T) {
 }
 
 func TestManager_BindMode_MultiplePeers(t *testing.T) {
+	if !isBindListenerPlatform() {
+		t.Skip("BindListener only used on Windows/JS platforms")
+	}
+
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
 

client/internal/lazyconn/activity/manager.go

@@ -4,12 +4,14 @@ import (
 	"errors"
 	"net"
 	"net/netip"
+	"runtime"
 	"sync"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
@@ -73,6 +75,16 @@ func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error)
 		return NewUDPListener(m.wgIface, peerCfg)
 	}
 
+	// BindListener is used on Windows, JS, and netstack platforms:
+	// - JS: Cannot listen to UDP sockets
+	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
+	//   gateway points to, preventing them from reaching the loopback interface.
+	// - Netstack: Allows multiple instances on the same host without port conflicts.
+	// BindListener bypasses these issues by passing data directly through the bind.
+	if runtime.GOOS != "windows" && runtime.GOOS != "js" && !netstack.IsEnabled() {
+		return NewUDPListener(m.wgIface, peerCfg)
+	}
+
 	provider, ok := m.wgIface.(bindProvider)
 	if !ok {
 		return nil, errors.New("interface claims userspace bind but doesn't implement bindProvider")

client/internal/lazyconn/manager/manager.go

@@ -6,6 +6,7 @@ import (
 	"time"
 
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	"github.com/netbirdio/netbird/client/internal/lazyconn/activity"
@@ -90,8 +91,8 @@ func (m *Manager) UpdateRouteHAMap(haMap route.HAMap) {
 	m.routesMu.Lock()
 	defer m.routesMu.Unlock()
 
-	clear(m.peerToHAGroups)
-	clear(m.haGroupToPeers)
+	maps.Clear(m.peerToHAGroups)
+	maps.Clear(m.haGroupToPeers)
 
 	for haUniqueID, routes := range haMap {
 		var peers []string

client/internal/netflow/store/memory.go

@@ -3,6 +3,8 @@ package store
 import (
 	"sync"
 
+	"golang.org/x/exp/maps"
+
 	"github.com/google/uuid"
 
 	"github.com/netbirdio/netbird/client/internal/netflow/types"
@@ -28,7 +30,7 @@ func (m *Memory) StoreEvent(event *types.Event) {
 func (m *Memory) Close() {
 	m.mux.Lock()
 	defer m.mux.Unlock()
-	clear(m.events)
+	maps.Clear(m.events)
 }
 
 func (m *Memory) GetEvents() []*types.Event {

client/internal/peer/handshaker.go

@@ -3,7 +3,6 @@ package peer
 import (
 	"context"
 	"errors"
-	"net/netip"
 	"sync"
 	"sync/atomic"
 
@@ -41,10 +40,6 @@ type OfferAnswer struct {
 
 	// relay server address
 	RelaySrvAddress string
-	// RelaySrvIP is the IP the remote peer is connected to on its
-	// relay server. Used as a dial target if DNS for RelaySrvAddress
-	// fails. Zero value if the peer did not advertise an IP.
-	RelaySrvIP netip.Addr
 	// SessionID is the unique identifier of the session, used to discard old messages
 	SessionID *ICESessionID
 }
@@ -222,9 +217,8 @@ func (h *Handshaker) buildOfferAnswer() OfferAnswer {
 		answer.SessionID = &sid
 	}
 
-	if addr, ip, err := h.relay.RelayInstanceAddress(); err == nil {
+	if addr, err := h.relay.RelayInstanceAddress(); err == nil {
 		answer.RelaySrvAddress = addr
-		answer.RelaySrvIP = ip
 	}
 
 	return answer

client/internal/peer/notifier_test.go

@@ -8,7 +8,6 @@ import (
 type mocListener struct {
 	lastState int
 	wg        sync.WaitGroup
-	peersWg   sync.WaitGroup
 	peers     int
 }
 
@@ -34,7 +33,6 @@ func (l *mocListener) OnAddressChanged(host, addr string) {
 }
 func (l *mocListener) OnPeersListChanged(size int) {
 	l.peers = size
-	l.peersWg.Done()
 }
 
 func (l *mocListener) setWaiter() {
@@ -45,14 +43,6 @@ func (l *mocListener) wait() {
 	l.wg.Wait()
 }
 
-func (l *mocListener) setPeersWaiter() {
-	l.peersWg.Add(1)
-}
-
-func (l *mocListener) waitPeers() {
-	l.peersWg.Wait()
-}
-
 func Test_notifier_serverState(t *testing.T) {
 
 	type scenario struct {
@@ -82,13 +72,11 @@ func Test_notifier_serverState(t *testing.T) {
 func Test_notifier_SetListener(t *testing.T) {
 	listener := &mocListener{}
 	listener.setWaiter()
-	listener.setPeersWaiter()
 
 	n := newNotifier()
 	n.lastNotification = stateConnecting
 	n.setListener(listener)
 	listener.wait()
-	listener.waitPeers()
 	if listener.lastState != n.lastNotification {
 		t.Errorf("invalid state: %d, expected: %d", listener.lastState, n.lastNotification)
 	}
@@ -97,14 +85,9 @@ func Test_notifier_SetListener(t *testing.T) {
 func Test_notifier_RemoveListener(t *testing.T) {
 	listener := &mocListener{}
 	listener.setWaiter()
-	listener.setPeersWaiter()
 	n := newNotifier()
 	n.lastNotification = stateConnecting
 	n.setListener(listener)
-	// setListener replays cached state on a goroutine; wait for both the state
-	// and peers callbacks to finish so we don't race on listener.peers.
-	listener.wait()
-	listener.waitPeers()
 	n.removeListener()
 	n.peerListChanged(1)
 

client/internal/peer/signaler.go

@@ -54,19 +54,19 @@ func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string,
 			log.Warnf("failed to get session ID bytes: %v", err)
 		}
 	}
-	msg, err := signal.MarshalCredential(s.wgPrivateKey, remoteKey, signal.CredentialPayload{
-		Type:         bodyType,
-		WgListenPort: offerAnswer.WgListenPort,
-		Credential: &signal.Credential{
+	msg, err := signal.MarshalCredential(
+		s.wgPrivateKey,
+		offerAnswer.WgListenPort,
+		remoteKey,
+		&signal.Credential{
 			UFrag: offerAnswer.IceCredentials.UFrag,
 			Pwd:   offerAnswer.IceCredentials.Pwd,
 		},
-		RosenpassPubKey: offerAnswer.RosenpassPubKey,
-		RosenpassAddr:   offerAnswer.RosenpassAddr,
-		RelaySrvAddress: offerAnswer.RelaySrvAddress,
-		RelaySrvIP:      offerAnswer.RelaySrvIP,
-		SessionID:       sessionIDBytes,
-	})
+		bodyType,
+		offerAnswer.RosenpassPubKey,
+		offerAnswer.RosenpassAddr,
+		offerAnswer.RelaySrvAddress,
+		sessionIDBytes)
 	if err != nil {
 		return err
 	}

client/internal/peer/status.go

@@ -215,6 +215,14 @@ type Status struct {
 	eventStreams map[string]chan *proto.SystemEvent
 	eventQueue   *EventQueue
 
+	// stateChangeStreams fan-out connection-state changes (connected /
+	// disconnected / connecting / address change / peers list change) to
+	// every active SubscribeStatus gRPC stream. Each subscriber gets a
+	// buffered chan; the notifier non-blockingly pings them so a slow
+	// consumer can never stall the daemon.
+	stateChangeMux     sync.Mutex
+	stateChangeStreams map[string]chan struct{}
+
 	ingressGwMgr *ingressgw.Manager
 
 	routeIDLookup routeIDLookup
@@ -228,6 +236,7 @@ func NewRecorder(mgmAddress string) *Status {
 		changeNotify:          make(map[string]map[string]*StatusChangeSubscription),
 		eventStreams:          make(map[string]chan *proto.SystemEvent),
 		eventQueue:            NewEventQueue(eventQueueSize),
+		stateChangeStreams:    make(map[string]chan struct{}),
 		offlinePeers:          make([]State, 0),
 		notifier:              newNotifier(),
 		mgmAddress:            mgmAddress,
@@ -320,10 +329,10 @@ func (d *Status) RemovePeer(peerPubKey string) error {
 // UpdatePeerState updates peer status
 func (d *Status) UpdatePeerState(receivedState State) error {
 	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
-		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -343,29 +352,23 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
-	// when we close the connection we will not notify the router manager
-	notifyRouter := receivedState.ConnStatus == StatusIdle
-	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
-	numPeers := d.numOfPeers()
-
-	d.mux.Unlock()
-
-	if notifyList {
-		d.notifier.peerListChanged(numPeers)
+	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
+		d.notifyPeerListChanged()
 	}
-	if notifyRouter {
-		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
+
+	// when we close the connection we will not notify the router manager
+	if receivedState.ConnStatus == StatusIdle {
+		d.notifyPeerStateChangeListeners(receivedState.PubKey)
 	}
 	return nil
 }
 
 func (d *Status) AddPeerStateRoute(peer string, route string, resourceId route.ResID) error {
 	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[peer]
 	if !ok {
-		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -377,20 +380,17 @@ func (d *Status) AddPeerStateRoute(peer string, route string, resourceId route.R
 		d.routeIDLookup.AddRemoteRouteID(resourceId, pref)
 	}
 
-	numPeers := d.numOfPeers()
-	d.mux.Unlock()
-
 	// todo: consider to make sense of this notification or not
-	d.notifier.peerListChanged(numPeers)
+	d.notifyPeerListChanged()
 	return nil
 }
 
 func (d *Status) RemovePeerStateRoute(peer string, route string) error {
 	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[peer]
 	if !ok {
-		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -402,11 +402,8 @@ func (d *Status) RemovePeerStateRoute(peer string, route string) error {
 		d.routeIDLookup.RemoveRemoteRouteID(pref)
 	}
 
-	numPeers := d.numOfPeers()
-	d.mux.Unlock()
-
 	// todo: consider to make sense of this notification or not
-	d.notifier.peerListChanged(numPeers)
+	d.notifyPeerListChanged()
 	return nil
 }
 
@@ -422,10 +419,10 @@ func (d *Status) CheckRoutes(ip netip.Addr) ([]byte, bool) {
 
 func (d *Status) UpdatePeerICEState(receivedState State) error {
 	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
-		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -443,28 +440,22 @@ func (d *Status) UpdatePeerICEState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
-	notifyRouter := hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed)
-	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
-	numPeers := d.numOfPeers()
-
-	d.mux.Unlock()
-
-	if notifyList {
-		d.notifier.peerListChanged(numPeers)
+	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
+		d.notifyPeerListChanged()
 	}
-	if notifyRouter {
-		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
+
+	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
+		d.notifyPeerStateChangeListeners(receivedState.PubKey)
 	}
 	return nil
 }
 
 func (d *Status) UpdatePeerRelayedState(receivedState State) error {
 	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
-		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -479,28 +470,22 @@ func (d *Status) UpdatePeerRelayedState(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
-	notifyRouter := hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed)
-	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
-	numPeers := d.numOfPeers()
-
-	d.mux.Unlock()
-
-	if notifyList {
-		d.notifier.peerListChanged(numPeers)
+	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
+		d.notifyPeerListChanged()
 	}
-	if notifyRouter {
-		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
+
+	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
+		d.notifyPeerStateChangeListeners(receivedState.PubKey)
 	}
 	return nil
 }
 
 func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error {
 	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
-		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -514,28 +499,22 @@ func (d *Status) UpdatePeerRelayedStateToDisconnected(receivedState State) error
 
 	d.peers[receivedState.PubKey] = peerState
 
-	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
-	notifyRouter := hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed)
-	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
-	numPeers := d.numOfPeers()
-
-	d.mux.Unlock()
-
-	if notifyList {
-		d.notifier.peerListChanged(numPeers)
+	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
+		d.notifyPeerListChanged()
 	}
-	if notifyRouter {
-		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
+
+	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
+		d.notifyPeerStateChangeListeners(receivedState.PubKey)
 	}
 	return nil
 }
 
 func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
 	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	peerState, ok := d.peers[receivedState.PubKey]
 	if !ok {
-		d.mux.Unlock()
 		return errors.New("peer doesn't exist")
 	}
 
@@ -552,18 +531,12 @@ func (d *Status) UpdatePeerICEStateToDisconnected(receivedState State) error {
 
 	d.peers[receivedState.PubKey] = peerState
 
-	notifyList := hasConnStatusChanged(oldState, receivedState.ConnStatus)
-	notifyRouter := hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed)
-	routerSnapshot := d.snapshotRouterPeersLocked(receivedState.PubKey, notifyRouter)
-	numPeers := d.numOfPeers()
-
-	d.mux.Unlock()
-
-	if notifyList {
-		d.notifier.peerListChanged(numPeers)
+	if hasConnStatusChanged(oldState, receivedState.ConnStatus) {
+		d.notifyPeerListChanged()
 	}
-	if notifyRouter {
-		d.dispatchRouterPeers(receivedState.PubKey, routerSnapshot)
+
+	if hasStatusOrRelayedChange(oldState, receivedState.ConnStatus, oldIsRelayed, receivedState.Relayed) {
+		d.notifyPeerStateChangeListeners(receivedState.PubKey)
 	}
 	return nil
 }
@@ -630,33 +603,17 @@ func (d *Status) UpdatePeerSSHHostKey(peerPubKey string, sshHostKey []byte) erro
 // FinishPeerListModifications this event invoke the notification
 func (d *Status) FinishPeerListModifications() {
 	d.mux.Lock()
+	defer d.mux.Unlock()
 
 	if !d.peerListChangedForNotification {
-		d.mux.Unlock()
 		return
 	}
 	d.peerListChangedForNotification = false
 
-	numPeers := d.numOfPeers()
+	d.notifyPeerListChanged()
 
-	// snapshot per-peer router state to deliver after the lock is released
-	type routerDispatch struct {
-		peerID   string
-		snapshot map[string]RouterState
-	}
-	dispatches := make([]routerDispatch, 0, len(d.peers))
 	for key := range d.peers {
-		snapshot := d.snapshotRouterPeersLocked(key, true)
-		if snapshot != nil {
-			dispatches = append(dispatches, routerDispatch{peerID: key, snapshot: snapshot})
-		}
-	}
-
-	d.mux.Unlock()
-
-	d.notifier.peerListChanged(numPeers)
-	for _, rd := range dispatches {
-		d.dispatchRouterPeers(rd.peerID, rd.snapshot)
+		d.notifyPeerStateChangeListeners(key)
 	}
 }
 
@@ -707,12 +664,10 @@ func (d *Status) GetLocalPeerState() LocalPeerState {
 // UpdateLocalPeerState updates local peer status
 func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
 	d.mux.Lock()
-	d.localPeer = localPeerState
-	fqdn := d.localPeer.FQDN
-	ip := d.localPeer.IP
-	d.mux.Unlock()
+	defer d.mux.Unlock()
 
-	d.notifier.localAddressChanged(fqdn, ip)
+	d.localPeer = localPeerState
+	d.notifyAddressChanged()
 }
 
 // AddLocalPeerStateRoute adds a route to the local peer state
@@ -775,36 +730,30 @@ func (d *Status) CleanLocalPeerStateRoutes() {
 // CleanLocalPeerState cleans local peer status
 func (d *Status) CleanLocalPeerState() {
 	d.mux.Lock()
-	d.localPeer = LocalPeerState{}
-	fqdn := d.localPeer.FQDN
-	ip := d.localPeer.IP
-	d.mux.Unlock()
+	defer d.mux.Unlock()
 
-	d.notifier.localAddressChanged(fqdn, ip)
+	d.localPeer = LocalPeerState{}
+	d.notifyAddressChanged()
 }
 
 // MarkManagementDisconnected sets ManagementState to disconnected
 func (d *Status) MarkManagementDisconnected(err error) {
 	d.mux.Lock()
+	defer d.mux.Unlock()
+	defer d.onConnectionChanged()
+
 	d.managementState = false
 	d.managementError = err
-	mgm := d.managementState
-	sig := d.signalState
-	d.mux.Unlock()
-
-	d.notifier.updateServerStates(mgm, sig)
 }
 
 // MarkManagementConnected sets ManagementState to connected
 func (d *Status) MarkManagementConnected() {
 	d.mux.Lock()
+	defer d.mux.Unlock()
+	defer d.onConnectionChanged()
+
 	d.managementState = true
 	d.managementError = nil
-	mgm := d.managementState
-	sig := d.signalState
-	d.mux.Unlock()
-
-	d.notifier.updateServerStates(mgm, sig)
 }
 
 // UpdateSignalAddress update the address of the signal server
@@ -838,25 +787,21 @@ func (d *Status) UpdateLazyConnection(enabled bool) {
 // MarkSignalDisconnected sets SignalState to disconnected
 func (d *Status) MarkSignalDisconnected(err error) {
 	d.mux.Lock()
+	defer d.mux.Unlock()
+	defer d.onConnectionChanged()
+
 	d.signalState = false
 	d.signalError = err
-	mgm := d.managementState
-	sig := d.signalState
-	d.mux.Unlock()
-
-	d.notifier.updateServerStates(mgm, sig)
 }
 
 // MarkSignalConnected sets SignalState to connected
 func (d *Status) MarkSignalConnected() {
 	d.mux.Lock()
+	defer d.mux.Unlock()
+	defer d.onConnectionChanged()
+
 	d.signalState = true
 	d.signalError = nil
-	mgm := d.managementState
-	sig := d.signalState
-	d.mux.Unlock()
-
-	d.notifier.updateServerStates(mgm, sig)
 }
 
 func (d *Status) UpdateRelayStates(relayResults []relay.ProbeResult) {
@@ -983,7 +928,7 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 
 	// if the server connection is not established then we will use the general address
 	// in case of connection we will use the instance specific address
-	instanceAddr, _, err := d.relayMgr.RelayInstanceAddress()
+	instanceAddr, err := d.relayMgr.RelayInstanceAddress()
 	if err != nil {
 		// TODO add their status
 		for _, r := range d.relayMgr.ServerURLs() {
@@ -1054,16 +999,19 @@ func (d *Status) GetFullStatus() FullStatus {
 // ClientStart will notify all listeners about the new service state
 func (d *Status) ClientStart() {
 	d.notifier.clientStart()
+	d.notifyStateChange()
 }
 
 // ClientStop will notify all listeners about the new service state
 func (d *Status) ClientStop() {
 	d.notifier.clientStop()
+	d.notifyStateChange()
 }
 
 // ClientTeardown will notify all listeners about the service is under teardown
 func (d *Status) ClientTeardown() {
 	d.notifier.clientTearDown()
+	d.notifyStateChange()
 }
 
 // SetConnectionListener set a listener to the notifier
@@ -1076,17 +1024,19 @@ func (d *Status) RemoveConnectionListener() {
 	d.notifier.removeListener()
 }
 
-// snapshotRouterPeersLocked builds the RouterState map for a peer's subscribers.
-// Caller MUST hold d.mux. Returns nil when there are no subscribers for peerID
-// or when notify is false. The snapshot is consumed later by dispatchRouterPeers
-// outside the lock so the channel send cannot stall any d.mux holder.
-func (d *Status) snapshotRouterPeersLocked(peerID string, notify bool) map[string]RouterState {
-	if !notify {
-		return nil
-	}
-	if _, ok := d.changeNotify[peerID]; !ok {
-		return nil
+func (d *Status) onConnectionChanged() {
+	d.notifier.updateServerStates(d.managementState, d.signalState)
+	d.notifyStateChange()
+}
+
+// notifyPeerStateChangeListeners notifies route manager about the change in peer state
+func (d *Status) notifyPeerStateChangeListeners(peerID string) {
+	subs, ok := d.changeNotify[peerID]
+	if !ok {
+		return
 	}
+
+	// collect the relevant data for router peers
 	routerPeers := make(map[string]RouterState, len(d.changeNotify))
 	for pid := range d.changeNotify {
 		s, ok := d.peers[pid]
@@ -1094,35 +1044,13 @@ func (d *Status) snapshotRouterPeersLocked(peerID string, notify bool) map[strin
 			log.Warnf("router peer not found in peers list: %s", pid)
 			continue
 		}
+
 		routerPeers[pid] = RouterState{
 			Status:  s.ConnStatus,
 			Relayed: s.Relayed,
 			Latency: s.Latency,
 		}
 	}
-	return routerPeers
-}
-
-// dispatchRouterPeers delivers a previously snapshotted router-state map to
-// the peer's subscribers. Caller MUST NOT hold d.mux. The method takes a
-// fresh, short read of d.changeNotify under the lock to grab subscriber
-// channels, then sends outside the lock so a slow consumer cannot block other
-// d.mux holders. The send itself stays blocking (only short-circuited by the
-// subscriber's context) so peer state transitions are not silently dropped.
-func (d *Status) dispatchRouterPeers(peerID string, routerPeers map[string]RouterState) {
-	if routerPeers == nil {
-		return
-	}
-
-	d.mux.Lock()
-	subsMap, ok := d.changeNotify[peerID]
-	subs := make([]*StatusChangeSubscription, 0, len(subsMap))
-	if ok {
-		for _, sub := range subsMap {
-			subs = append(subs, sub)
-		}
-	}
-	d.mux.Unlock()
 
 	for _, sub := range subs {
 		select {
@@ -1132,6 +1060,16 @@ func (d *Status) dispatchRouterPeers(peerID string, routerPeers map[string]Route
 	}
 }
 
+func (d *Status) notifyPeerListChanged() {
+	d.notifier.peerListChanged(d.numOfPeers())
+	d.notifyStateChange()
+}
+
+func (d *Status) notifyAddressChanged() {
+	d.notifier.localAddressChanged(d.localPeer.FQDN, d.localPeer.IP)
+	d.notifyStateChange()
+}
+
 func (d *Status) numOfPeers() int {
 	return len(d.peers) + len(d.offlinePeers)
 }
@@ -1205,6 +1143,50 @@ func (d *Status) GetEventHistory() []*proto.SystemEvent {
 	return d.eventQueue.GetAll()
 }
 
+// SubscribeToStateChanges hands back a channel that receives a tick on
+// every connection-state change (connected / disconnected / connecting /
+// address change / peers-list change). The channel is buffered to one
+// pending tick so a coalesced burst still wakes the consumer exactly
+// once. Pass the returned id to UnsubscribeFromStateChanges to detach.
+func (d *Status) SubscribeToStateChanges() (string, <-chan struct{}) {
+	d.stateChangeMux.Lock()
+	defer d.stateChangeMux.Unlock()
+
+	id := uuid.New().String()
+	ch := make(chan struct{}, 1)
+	d.stateChangeStreams[id] = ch
+	return id, ch
+}
+
+// UnsubscribeFromStateChanges releases a SubscribeToStateChanges channel
+// and closes it so any consumer goroutine selecting on the channel
+// unblocks cleanly.
+func (d *Status) UnsubscribeFromStateChanges(id string) {
+	d.stateChangeMux.Lock()
+	defer d.stateChangeMux.Unlock()
+
+	if ch, ok := d.stateChangeStreams[id]; ok {
+		close(ch)
+		delete(d.stateChangeStreams, id)
+	}
+}
+
+// notifyStateChange wakes every SubscribeToStateChanges subscriber. Drops
+// the tick if a subscriber's buffer is full — by definition the consumer
+// is already going to fetch the latest snapshot, so multiple pending ticks
+// would be redundant.
+func (d *Status) notifyStateChange() {
+	d.stateChangeMux.Lock()
+	defer d.stateChangeMux.Unlock()
+
+	for _, ch := range d.stateChangeStreams {
+		select {
+		case ch <- struct{}{}:
+		default:
+		}
+	}
+}
+
 func (d *Status) SetWgIface(wgInterface WGIfaceStatus) {
 	d.mux.Lock()
 	defer d.mux.Unlock()

client/internal/peer/worker_relay.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"errors"
 	"net"
-	"net/netip"
 	"sync"
 	"sync/atomic"
 
@@ -54,19 +53,15 @@ func (w *WorkerRelay) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 	w.relaySupportedOnRemotePeer.Store(true)
 
 	// the relayManager will return with error in case if the connection has lost with relay server
-	currentRelayAddress, _, err := w.relayManager.RelayInstanceAddress()
+	currentRelayAddress, err := w.relayManager.RelayInstanceAddress()
 	if err != nil {
 		w.log.Errorf("failed to handle new offer: %s", err)
 		return
 	}
 
 	srv := w.preferredRelayServer(currentRelayAddress, remoteOfferAnswer.RelaySrvAddress)
-	var serverIP netip.Addr
-	if srv == remoteOfferAnswer.RelaySrvAddress {
-		serverIP = remoteOfferAnswer.RelaySrvIP
-	}
 
-	relayedConn, err := w.relayManager.OpenConn(w.peerCtx, srv, w.config.Key, serverIP)
+	relayedConn, err := w.relayManager.OpenConn(w.peerCtx, srv, w.config.Key)
 	if err != nil {
 		if errors.Is(err, relayClient.ErrConnAlreadyExists) {
 			w.log.Debugf("handled offer by reusing existing relay connection")
@@ -95,7 +90,7 @@ func (w *WorkerRelay) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 	})
 }
 
-func (w *WorkerRelay) RelayInstanceAddress() (string, netip.Addr, error) {
+func (w *WorkerRelay) RelayInstanceAddress() (string, error) {
 	return w.relayManager.RelayInstanceAddress()
 }
 

client/internal/routemanager/systemops/systemops_darwin.go

@@ -89,16 +89,8 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 		return false, fmt.Errorf("unusable default nexthop for %s (no interface)", unspec)
 	}
 
-	reused := false
 	if err := r.addScopedDefault(unspec, nexthop); err != nil {
-		if !errors.Is(err, unix.EEXIST) {
-			return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
-		}
-		// macOS installs its own RTF_IFSCOPE defaults for primary service
-		// selection on multi-NIC setups, so a route on this ifindex can
-		// already exist before we try. Binding to it via IP[V6]_BOUND_IF
-		// still produces the scoped lookup we need.
-		reused = true
+		return false, fmt.Errorf("add scoped default on %s: %w", nexthop.Intf.Name, err)
 	}
 
 	af := unix.AF_INET
@@ -110,11 +102,7 @@ func (r *SysOps) installScopedDefaultFor(unspec netip.Addr) (bool, error) {
 	if nexthop.IP.IsValid() {
 		via = nexthop.IP.String()
 	}
-	verb := "installed"
-	if reused {
-		verb = "reused existing"
-	}
-	log.Infof("%s scoped default route via %s on %s for %s", verb, via, nexthop.Intf.Name, afOf(unspec))
+	log.Infof("installed scoped default route via %s on %s for %s", via, nexthop.Intf.Name, afOf(unspec))
 	return true, nil
 }
 

client/internal/routeselector/routeselector.go

@@ -7,6 +7,7 @@ import (
 	"sync"
 
 	"github.com/hashicorp/go-multierror"
+	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/route"
@@ -43,8 +44,8 @@ func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, al
 		if rs.selectedRoutes == nil {
 			rs.selectedRoutes = map[route.NetID]struct{}{}
 		}
-		clear(rs.deselectedRoutes)
-		clear(rs.selectedRoutes)
+		maps.Clear(rs.deselectedRoutes)
+		maps.Clear(rs.selectedRoutes)
 		for _, r := range allRoutes {
 			rs.deselectedRoutes[r] = struct{}{}
 		}
@@ -77,8 +78,8 @@ func (rs *RouteSelector) SelectAllRoutes() {
 	if rs.selectedRoutes == nil {
 		rs.selectedRoutes = map[route.NetID]struct{}{}
 	}
-	clear(rs.deselectedRoutes)
-	clear(rs.selectedRoutes)
+	maps.Clear(rs.deselectedRoutes)
+	maps.Clear(rs.selectedRoutes)
 }
 
 // DeselectRoutes removes specific routes from the selection.
@@ -115,8 +116,8 @@ func (rs *RouteSelector) DeselectAllRoutes() {
 	if rs.selectedRoutes == nil {
 		rs.selectedRoutes = map[route.NetID]struct{}{}
 	}
-	clear(rs.deselectedRoutes)
-	clear(rs.selectedRoutes)
+	maps.Clear(rs.deselectedRoutes)
+	maps.Clear(rs.selectedRoutes)
 }
 
 // IsSelected checks if a specific route is selected.

client/internal/sleep/detector_darwin.go

@@ -2,358 +2,217 @@
 
 package sleep
 
+/*
+#cgo LDFLAGS: -framework IOKit -framework CoreFoundation
+#include <IOKit/pwr_mgt/IOPMLib.h>
+#include <IOKit/IOMessage.h>
+#include <CoreFoundation/CoreFoundation.h>
+
+extern void sleepCallbackBridge();
+extern void poweredOnCallbackBridge();
+extern void suspendedCallbackBridge();
+extern void resumedCallbackBridge();
+
+
+// C global variables for IOKit state
+static IONotificationPortRef g_notifyPortRef = NULL;
+static io_object_t g_notifierObject = 0;
+static io_object_t g_generalInterestNotifier = 0;
+static io_connect_t g_rootPort = 0;
+static CFRunLoopRef g_runLoop = NULL;
+
+static void sleepCallback(void* refCon, io_service_t service, natural_t messageType, void* messageArgument) {
+	switch (messageType) {
+		case kIOMessageSystemWillSleep:
+			sleepCallbackBridge();
+			IOAllowPowerChange(g_rootPort, (long)messageArgument);
+			break;
+        case kIOMessageSystemHasPoweredOn:
+          	poweredOnCallbackBridge();
+          	break;
+        case kIOMessageServiceIsSuspended:
+			suspendedCallbackBridge();
+			break;
+		case kIOMessageServiceIsResumed:
+			resumedCallbackBridge();
+			break;
+		default:
+			break;
+	}
+}
+
+static void registerNotifications() {
+	g_rootPort = IORegisterForSystemPower(
+		NULL,
+		&g_notifyPortRef,
+		(IOServiceInterestCallback)sleepCallback,
+		&g_notifierObject
+	);
+
+	if (g_rootPort == 0) {
+		return;
+	}
+
+	CFRunLoopAddSource(CFRunLoopGetCurrent(),
+		IONotificationPortGetRunLoopSource(g_notifyPortRef),
+		kCFRunLoopCommonModes);
+
+	g_runLoop = CFRunLoopGetCurrent();
+	CFRunLoopRun();
+}
+
+static void unregisterNotifications() {
+	CFRunLoopRemoveSource(g_runLoop,
+		IONotificationPortGetRunLoopSource(g_notifyPortRef),
+		kCFRunLoopCommonModes);
+
+	IODeregisterForSystemPower(&g_notifierObject);
+	IOServiceClose(g_rootPort);
+	IONotificationPortDestroy(g_notifyPortRef);
+	CFRunLoopStop(g_runLoop);
+
+	g_notifyPortRef = NULL;
+	g_notifierObject = 0;
+	g_rootPort = 0;
+	g_runLoop = NULL;
+}
+
+*/
+import "C"
+
 import (
+	"context"
 	"fmt"
 	"runtime"
 	"sync"
 	"time"
-	"unsafe"
 
-	"github.com/ebitengine/purego"
 	log "github.com/sirupsen/logrus"
 )
 
-// IOKit message types from IOKit/IOMessage.h.
-const (
-	kIOMessageCanSystemSleep     uintptr = 0xe0000270
-	kIOMessageSystemWillSleep    uintptr = 0xe0000280
-	kIOMessageSystemHasPoweredOn uintptr = 0xe0000300
-)
-
 var (
-	ioKit         iokitFuncs
-	cf            cfFuncs
-	cfCommonModes uintptr
-
-	libInitOnce sync.Once
-	libInitErr  error
-
-	// callbackThunk is the single C-callable trampoline registered with IOKit.
-	callbackThunk uintptr
-
 	serviceRegistry   = make(map[*Detector]struct{})
 	serviceRegistryMu sync.Mutex
-	session           *runLoopSession
-
-	// lifecycleMu serializes Register/Deregister so a new registration can't
-	// start a second runloop while a previous teardown is still pending.
-	lifecycleMu sync.Mutex
 )
 
-// iokitFuncs holds IOKit symbols resolved once at init.
-type iokitFuncs struct {
-	IORegisterForSystemPower           func(refcon uintptr, portRef *uintptr, callback uintptr, notifier *uintptr) uintptr
-	IODeregisterForSystemPower         func(notifier *uintptr) int32
-	IOAllowPowerChange                 func(kernelPort uintptr, notificationID uintptr) int32
-	IOServiceClose                     func(connect uintptr) int32
-	IONotificationPortGetRunLoopSource func(port uintptr) uintptr
-	IONotificationPortDestroy          func(port uintptr)
-}
-
-// cfFuncs holds CoreFoundation symbols resolved once at init.
-type cfFuncs struct {
-	CFRunLoopGetCurrent   func() uintptr
-	CFRunLoopRun          func()
-	CFRunLoopStop         func(rl uintptr)
-	CFRunLoopAddSource    func(rl, source, mode uintptr)
-	CFRunLoopRemoveSource func(rl, source, mode uintptr)
-}
-
-// runLoopSession bundles the handles owned by one CFRunLoop lifetime. A nil
-// session means no runloop is active and the next Register must start one.
-type runLoopSession struct {
-	rl       uintptr
-	port     uintptr
-	notifier uintptr
-	rp       uintptr
-}
-
-// detectorSnapshot pins a detector's callback and done channel so dispatch
-// runs with values valid at snapshot time, even if a concurrent
-// Deregister/Register rewrites the detector's fields.
-type detectorSnapshot struct {
-	detector *Detector
-	callback func(event EventType)
-	done     <-chan struct{}
-}
-
-// Detector delivers sleep and wake events to a registered callback.
-type Detector struct {
-	callback func(event EventType)
-	done     chan struct{}
-}
-
-// Register installs callback for power events. The first registration starts
-// the CFRunLoop on a dedicated OS-locked thread and blocks until IOKit
-// registration succeeds or fails; subsequent registrations just add to the
-// dispatch set.
-func (d *Detector) Register(callback func(event EventType)) error {
-	lifecycleMu.Lock()
-	defer lifecycleMu.Unlock()
+//export sleepCallbackBridge
+func sleepCallbackBridge() {
+	log.Info("sleepCallbackBridge event triggered")
 
 	serviceRegistryMu.Lock()
+	defer serviceRegistryMu.Unlock()
+
+	for svc := range serviceRegistry {
+		svc.triggerCallback(EventTypeSleep)
+	}
+}
+
+//export resumedCallbackBridge
+func resumedCallbackBridge() {
+	log.Info("resumedCallbackBridge event triggered")
+}
+
+//export suspendedCallbackBridge
+func suspendedCallbackBridge() {
+	log.Info("suspendedCallbackBridge event triggered")
+}
+
+//export poweredOnCallbackBridge
+func poweredOnCallbackBridge() {
+	log.Info("poweredOnCallbackBridge event triggered")
+	serviceRegistryMu.Lock()
+	defer serviceRegistryMu.Unlock()
+
+	for svc := range serviceRegistry {
+		svc.triggerCallback(EventTypeWakeUp)
+	}
+}
+
+type Detector struct {
+	callback func(event EventType)
+	ctx      context.Context
+	cancel   context.CancelFunc
+}
+
+func NewDetector() (*Detector, error) {
+	return &Detector{}, nil
+}
+
+func (d *Detector) Register(callback func(event EventType)) error {
+	serviceRegistryMu.Lock()
+	defer serviceRegistryMu.Unlock()
+
 	if _, exists := serviceRegistry[d]; exists {
-		serviceRegistryMu.Unlock()
 		return fmt.Errorf("detector service already registered")
 	}
-	d.callback = callback
-	d.done = make(chan struct{})
-	serviceRegistry[d] = struct{}{}
-	needSetup := session == nil
-	serviceRegistryMu.Unlock()
 
-	if !needSetup {
+	d.callback = callback
+
+	d.ctx, d.cancel = context.WithCancel(context.Background())
+
+	if len(serviceRegistry) > 0 {
+		serviceRegistry[d] = struct{}{}
 		return nil
 	}
 
-	errCh := make(chan error, 1)
-	go runRunLoop(errCh)
-	if err := <-errCh; err != nil {
-		serviceRegistryMu.Lock()
-		delete(serviceRegistry, d)
-		close(d.done)
-		d.done = nil
-		serviceRegistryMu.Unlock()
-		return err
-	}
+	serviceRegistry[d] = struct{}{}
+
+	// CFRunLoop must run on a single fixed OS thread
+	go func() {
+		runtime.LockOSThread()
+		defer runtime.UnlockOSThread()
+
+		C.registerNotifications()
+	}()
 
 	log.Info("sleep detection service started on macOS")
 	return nil
 }
 
-// Deregister removes the detector. When the last detector leaves, IOKit
-// notifications are torn down and the runloop is stopped.
+// Deregister removes the detector. When the last detector is removed, IOKit registration is torn down
+// and the runloop is stopped and cleaned up.
 func (d *Detector) Deregister() error {
-	lifecycleMu.Lock()
-	defer lifecycleMu.Unlock()
-
 	serviceRegistryMu.Lock()
-	if _, exists := serviceRegistry[d]; !exists {
-		serviceRegistryMu.Unlock()
+	defer serviceRegistryMu.Unlock()
+	_, exists := serviceRegistry[d]
+	if !exists {
 		return nil
 	}
-	close(d.done)
+
+	// cancel and remove this detector
+	d.cancel()
 	delete(serviceRegistry, d)
 
+	// If other Detectors still exist, leave IOKit running
 	if len(serviceRegistry) > 0 {
-		serviceRegistryMu.Unlock()
 		return nil
 	}
-	sess := session
-	serviceRegistryMu.Unlock()
 
 	log.Info("sleep detection service stopping (deregister)")
 
-	if sess == nil {
-		return nil
-	}
-
-	if sess.rl != 0 && sess.port != 0 {
-		source := ioKit.IONotificationPortGetRunLoopSource(sess.port)
-		cf.CFRunLoopRemoveSource(sess.rl, source, cfCommonModes)
-	}
-	if sess.notifier != 0 {
-		n := sess.notifier
-		ioKit.IODeregisterForSystemPower(&n)
-	}
-
-	// Clear session only after IODeregisterForSystemPower returns so any
-	// in-flight powerCallback can still look up session.rp to ack sleep.
-	serviceRegistryMu.Lock()
-	session = nil
-	serviceRegistryMu.Unlock()
-
-	if sess.rp != 0 {
-		ioKit.IOServiceClose(sess.rp)
-	}
-	if sess.port != 0 {
-		ioKit.IONotificationPortDestroy(sess.port)
-	}
-	if sess.rl != 0 {
-		cf.CFRunLoopStop(sess.rl)
-	}
+	// Deregister IOKit notifications, stop runloop, and free resources
+	C.unregisterNotifications()
 
 	return nil
 }
 
-func (d *Detector) triggerCallback(event EventType, cb func(event EventType), done <-chan struct{}) {
-	if cb == nil || done == nil {
-		return
-	}
-
-	select {
-	case <-done:
-		return
-	default:
-	}
-
+func (d *Detector) triggerCallback(event EventType) {
 	doneChan := make(chan struct{})
+
 	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()
 
-	go func() {
-		defer close(doneChan)
-		defer func() {
-			if r := recover(); r != nil {
-				log.Errorf("panic in sleep callback: %v", r)
-			}
-		}()
+	cb := d.callback
+	go func(callback func(event EventType)) {
 		log.Info("sleep detection event fired")
-		cb(event)
-	}()
+		callback(event)
+		close(doneChan)
+	}(cb)
 
 	select {
 	case <-doneChan:
-	case <-done:
+	case <-d.ctx.Done():
 	case <-timeout.C:
-		log.Warn("sleep callback timed out")
+		log.Warnf("sleep callback timed out")
 	}
 }
-
-// NewDetector initializes IOKit/CoreFoundation bindings and returns a Detector.
-func NewDetector() (*Detector, error) {
-	if err := initLibs(); err != nil {
-		return nil, err
-	}
-	return &Detector{}, nil
-}
-
-func initLibs() error {
-	libInitOnce.Do(func() {
-		iokit, err := purego.Dlopen("/System/Library/Frameworks/IOKit.framework/IOKit", purego.RTLD_NOW|purego.RTLD_GLOBAL)
-		if err != nil {
-			libInitErr = fmt.Errorf("dlopen IOKit: %w", err)
-			return
-		}
-		cfLib, err := purego.Dlopen("/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation", purego.RTLD_NOW|purego.RTLD_GLOBAL)
-		if err != nil {
-			libInitErr = fmt.Errorf("dlopen CoreFoundation: %w", err)
-			return
-		}
-
-		purego.RegisterLibFunc(&ioKit.IORegisterForSystemPower, iokit, "IORegisterForSystemPower")
-		purego.RegisterLibFunc(&ioKit.IODeregisterForSystemPower, iokit, "IODeregisterForSystemPower")
-		purego.RegisterLibFunc(&ioKit.IOAllowPowerChange, iokit, "IOAllowPowerChange")
-		purego.RegisterLibFunc(&ioKit.IOServiceClose, iokit, "IOServiceClose")
-		purego.RegisterLibFunc(&ioKit.IONotificationPortGetRunLoopSource, iokit, "IONotificationPortGetRunLoopSource")
-		purego.RegisterLibFunc(&ioKit.IONotificationPortDestroy, iokit, "IONotificationPortDestroy")
-
-		purego.RegisterLibFunc(&cf.CFRunLoopGetCurrent, cfLib, "CFRunLoopGetCurrent")
-		purego.RegisterLibFunc(&cf.CFRunLoopRun, cfLib, "CFRunLoopRun")
-		purego.RegisterLibFunc(&cf.CFRunLoopStop, cfLib, "CFRunLoopStop")
-		purego.RegisterLibFunc(&cf.CFRunLoopAddSource, cfLib, "CFRunLoopAddSource")
-		purego.RegisterLibFunc(&cf.CFRunLoopRemoveSource, cfLib, "CFRunLoopRemoveSource")
-
-		modeAddr, err := purego.Dlsym(cfLib, "kCFRunLoopCommonModes")
-		if err != nil {
-			libInitErr = fmt.Errorf("dlsym kCFRunLoopCommonModes: %w", err)
-			return
-		}
-		// Launder the uintptr-to-pointer conversion through a Go variable so
-		// go vet's unsafeptr analyzer doesn't flag a system-library global.
-		cfCommonModes = **(**uintptr)(unsafe.Pointer(&modeAddr))
-
-		// NewCallback slots are a finite, non-reclaimable resource, so register
-		// a single thunk that dispatches to the current Detector set.
-		callbackThunk = purego.NewCallback(powerCallback)
-	})
-	return libInitErr
-}
-
-// powerCallback is the IOServiceInterestCallback trampoline, invoked on the
-// runloop thread. A Go panic crossing the purego boundary has undefined
-// behavior, so contain it here.
-func powerCallback(refcon, service, messageType, messageArgument uintptr) uintptr {
-	defer func() {
-		if r := recover(); r != nil {
-			log.Errorf("panic in sleep powerCallback: %v", r)
-		}
-	}()
-	switch messageType {
-	case kIOMessageCanSystemSleep:
-		// Not acknowledging forces a 30s IOKit timeout before idle sleep.
-		allowPowerChange(messageArgument)
-	case kIOMessageSystemWillSleep:
-		dispatchEvent(EventTypeSleep)
-		allowPowerChange(messageArgument)
-	case kIOMessageSystemHasPoweredOn:
-		dispatchEvent(EventTypeWakeUp)
-	}
-	return 0
-}
-
-func allowPowerChange(messageArgument uintptr) {
-	serviceRegistryMu.Lock()
-	var port uintptr
-	if session != nil {
-		port = session.rp
-	}
-	serviceRegistryMu.Unlock()
-	if port != 0 {
-		ioKit.IOAllowPowerChange(port, messageArgument)
-	}
-}
-
-func dispatchEvent(event EventType) {
-	serviceRegistryMu.Lock()
-	snaps := make([]detectorSnapshot, 0, len(serviceRegistry))
-	for d := range serviceRegistry {
-		snaps = append(snaps, detectorSnapshot{
-			detector: d,
-			callback: d.callback,
-			done:     d.done,
-		})
-	}
-	serviceRegistryMu.Unlock()
-
-	for _, s := range snaps {
-		s.detector.triggerCallback(event, s.callback, s.done)
-	}
-}
-
-// runRunLoop owns the OS-locked thread that CFRunLoop is pinned to. Setup
-// result is reported on errCh so Register can surface failures synchronously.
-func runRunLoop(errCh chan<- error) {
-	runtime.LockOSThread()
-	defer runtime.UnlockOSThread()
-
-	sess, err := setupSession()
-	if err == nil {
-		serviceRegistryMu.Lock()
-		session = sess
-		serviceRegistryMu.Unlock()
-	}
-	errCh <- err
-	if err != nil {
-		return
-	}
-
-	defer func() {
-		if r := recover(); r != nil {
-			log.Errorf("panic in sleep runloop: %v", r)
-		}
-	}()
-	cf.CFRunLoopRun()
-}
-
-// setupSession performs the IOKit registration on the current thread. Panics
-// are converted to errors so runRunLoop never leaves errCh unsent.
-func setupSession() (s *runLoopSession, err error) {
-	defer func() {
-		if r := recover(); r != nil {
-			err = fmt.Errorf("panic during runloop setup: %v", r)
-		}
-	}()
-
-	var portRef, notifier uintptr
-	rp := ioKit.IORegisterForSystemPower(0, &portRef, callbackThunk, &notifier)
-	if rp == 0 {
-		return nil, fmt.Errorf("IORegisterForSystemPower returned zero")
-	}
-
-	rl := cf.CFRunLoopGetCurrent()
-	source := ioKit.IONotificationPortGetRunLoopSource(portRef)
-	cf.CFRunLoopAddSource(rl, source, cfCommonModes)
-
-	return &runLoopSession{rl: rl, port: portRef, notifier: notifier, rp: rp}, nil
-}

client/netbird.wxs

@@ -13,9 +13,6 @@
 
 		<MajorUpgrade AllowSameVersionUpgrades='yes' DowngradeErrorMessage="A newer version of [ProductName] is already installed. Setup will now exit."/>
 
-		<!-- Autostart: enabled by default, disable with AUTOSTART=0 on the msiexec command line -->
-		<Property Id="AUTOSTART" Value="1" />
-
 		<StandardDirectory Id="ProgramFiles64Folder">
 			<Directory Id="NetbirdInstallDir" Name="Netbird">
 				<Component Id="NetbirdFiles" Guid="db3165de-cc6e-4922-8396-9d892950e23e" Bitness="always64">
@@ -66,20 +63,9 @@
 			</Component>
 		</StandardDirectory>
 
-		<StandardDirectory Id="CommonAppDataFolder">
-			<Directory Id="NetbirdAutoStartDir" Name="Netbird">
-				<Component Id="NetbirdAutoStart" Guid="b199eaca-b0dd-4032-af19-679cfad48eb3" Bitness="always64" Condition='AUTOSTART = "1"'>
-					<RegistryValue Root="HKLM" Key="Software\Microsoft\Windows\CurrentVersion\Run"
-						Name="Netbird" Value="&quot;[NetbirdInstallDir]netbird-ui.exe&quot;"
-						Type="string" KeyPath="yes" />
-				</Component>
-			</Directory>
-		</StandardDirectory>
-
 		<ComponentGroup Id="NetbirdFilesComponent">
 			<ComponentRef Id="NetbirdFiles" />
 			<ComponentRef Id="NetbirdAumidRegistry" />
-			<ComponentRef Id="NetbirdAutoStart" />
 		</ComponentGroup>
 
 		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />

client/proto/daemon.proto

@@ -24,6 +24,12 @@ service DaemonService {
   // Status of the service.
   rpc Status(StatusRequest) returns (StatusResponse) {}
 
+  // SubscribeStatus pushes a fresh StatusResponse on connection state
+  // changes (Connected / Disconnected / Connecting / address change /
+  // peers list change). The first message on the stream is the current
+  // snapshot, so a freshly-subscribed UI doesn't need to also call Status.
+  rpc SubscribeStatus(StatusRequest) returns (stream StatusResponse) {}
+
   // Down stops engine work in the daemon.
   rpc Down(DownRequest) returns (DownResponse) {}
 
@@ -64,17 +70,6 @@ service DaemonService {
 
   rpc TracePacket(TracePacketRequest) returns (TracePacketResponse) {}
 
-  // StartCapture begins streaming packet capture on the WireGuard interface.
-  // Requires --enable-capture set at service install/reconfigure time.
-  rpc StartCapture(StartCaptureRequest) returns (stream CapturePacket) {}
-
-  // StartBundleCapture begins capturing packets to a server-side temp file
-  // for inclusion in the next debug bundle. Auto-stops after the given timeout.
-  rpc StartBundleCapture(StartBundleCaptureRequest) returns (StartBundleCaptureResponse) {}
-
-  // StopBundleCapture stops the running bundle capture. Idempotent.
-  rpc StopBundleCapture(StopBundleCaptureRequest) returns (StopBundleCaptureResponse) {}
-
   rpc SubscribeEvents(SubscribeRequest) returns (stream SystemEvent) {}
 
   rpc GetEvents(GetEventsRequest) returns (GetEventsResponse) {}
@@ -115,6 +110,8 @@ service DaemonService {
   // StopCPUProfile stops CPU profiling in the daemon
   rpc StopCPUProfile(StopCPUProfileRequest) returns (StopCPUProfileResponse) {}
 
+  rpc NotifyOSLifecycle(OSLifecycleRequest) returns(OSLifecycleResponse) {}
+
   rpc GetInstallerResult(InstallerResultRequest) returns (InstallerResultResponse) {}
 
   // ExposeService exposes a local port via the NetBird reverse proxy
@@ -123,6 +120,20 @@ service DaemonService {
 
 
 
+message OSLifecycleRequest {
+  // avoid collision with loglevel enum
+  enum CycleType {
+    UNKNOWN = 0;
+    SLEEP = 1;
+    WAKEUP = 2;
+  }
+
+  CycleType type = 1;
+}
+
+message OSLifecycleResponse {}
+
+
 message LoginRequest {
   // setupKey netbird setup key.
   string setupKey = 1;
@@ -843,26 +854,3 @@ message ExposeServiceReady {
   string domain = 3;
   bool port_auto_assigned = 4;
 }
-
-message StartCaptureRequest {
-  bool text_output = 1;
-  uint32 snap_len = 2;
-  google.protobuf.Duration duration = 3;
-  string filter_expr = 4;
-  bool verbose = 5;
-  bool ascii = 6;
-}
-
-message CapturePacket {
-  bytes data = 1;
-}
-
-message StartBundleCaptureRequest {
-  // timeout auto-stops the capture after this duration.
-  // Clamped to a server-side maximum (10 minutes). Zero or unset defaults to the maximum.
-  google.protobuf.Duration timeout = 1;
-}
-
-message StartBundleCaptureResponse {}
-message StopBundleCaptureRequest {}
-message StopBundleCaptureResponse {}

client/server/capture.go

@@ -1,365 +0,0 @@
-package server
-
-import (
-	"context"
-	"io"
-	"os"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util/capture"
-)
-
-const maxBundleCaptureDuration = 10 * time.Minute
-
-// bundleCapture holds the state of an in-progress capture destined for the
-// debug bundle. The lifecycle is:
-//
-//	StartBundleCapture → capture running, writing to temp file
-//	StopBundleCapture  → capture stopped, temp file available
-//	DebugBundle        → temp file included in zip, then cleaned up
-type bundleCapture struct {
-	mu      sync.Mutex
-	sess    *capture.Session
-	file    *os.File
-	engine  *internal.Engine
-	cancel  context.CancelFunc
-	stopped bool
-}
-
-// stop halts the capture session and closes the pcap writer. Idempotent.
-func (bc *bundleCapture) stop() {
-	bc.mu.Lock()
-	defer bc.mu.Unlock()
-
-	if bc.stopped {
-		return
-	}
-	bc.stopped = true
-
-	if bc.cancel != nil {
-		bc.cancel()
-	}
-	if bc.sess != nil {
-		bc.sess.Stop()
-	}
-}
-
-// path returns the temp file path, or "" if no file exists.
-func (bc *bundleCapture) path() string {
-	if bc.file == nil {
-		return ""
-	}
-	return bc.file.Name()
-}
-
-// cleanup removes the temp file.
-func (bc *bundleCapture) cleanup() {
-	if bc.file == nil {
-		return
-	}
-	name := bc.file.Name()
-	if err := bc.file.Close(); err != nil {
-		log.Debugf("close bundle capture file: %v", err)
-	}
-	if err := os.Remove(name); err != nil && !os.IsNotExist(err) {
-		log.Debugf("remove bundle capture file: %v", err)
-	}
-	bc.file = nil
-}
-
-// StartCapture streams a pcap or text packet capture over gRPC.
-// Gated by the --enable-capture service flag.
-func (s *Server) StartCapture(req *proto.StartCaptureRequest, stream proto.DaemonService_StartCaptureServer) error {
-	if !s.captureEnabled {
-		return status.Error(codes.PermissionDenied,
-			"packet capture is disabled; reinstall or reconfigure the service with --enable-capture")
-	}
-
-	if d := req.GetDuration(); d != nil && d.AsDuration() < 0 {
-		return status.Error(codes.InvalidArgument, "duration must not be negative")
-	}
-
-	matcher, err := parseCaptureFilter(req)
-	if err != nil {
-		return status.Errorf(codes.InvalidArgument, "invalid filter: %v", err)
-	}
-
-	pr, pw := io.Pipe()
-
-	opts := capture.Options{
-		Matcher: matcher,
-		SnapLen: req.GetSnapLen(),
-		Verbose: req.GetVerbose(),
-		ASCII:   req.GetAscii(),
-	}
-	if req.GetTextOutput() {
-		opts.TextOutput = pw
-	} else {
-		opts.Output = pw
-	}
-
-	sess, err := capture.NewSession(opts)
-	if err != nil {
-		pw.Close()
-		return status.Errorf(codes.Internal, "create capture session: %v", err)
-	}
-
-	engine, err := s.claimCapture(sess)
-	if err != nil {
-		sess.Stop()
-		pw.Close()
-		return err
-	}
-
-	if err := engine.SetCapture(sess); err != nil {
-		s.releaseCapture(sess)
-		sess.Stop()
-		pw.Close()
-		return status.Errorf(codes.Internal, "set capture: %v", err)
-	}
-
-	// Send an empty initial message to signal that the capture was accepted.
-	// The client waits for this before printing the banner, so it must arrive
-	// before any packet data.
-	if err := stream.Send(&proto.CapturePacket{}); err != nil {
-		s.clearCaptureIfOwner(sess, engine)
-		sess.Stop()
-		pw.Close()
-		return status.Errorf(codes.Internal, "send initial message: %v", err)
-	}
-
-	ctx := stream.Context()
-	if d := req.GetDuration(); d != nil {
-		if dur := d.AsDuration(); dur > 0 {
-			var cancel context.CancelFunc
-			ctx, cancel = context.WithTimeout(ctx, dur)
-			defer cancel()
-		}
-	}
-
-	go func() {
-		<-ctx.Done()
-		s.clearCaptureIfOwner(sess, engine)
-		sess.Stop()
-		pw.Close()
-	}()
-	defer pr.Close()
-
-	log.Infof("packet capture started (text=%v, expr=%q)", req.GetTextOutput(), req.GetFilterExpr())
-	defer func() {
-		stats := sess.Stats()
-		log.Infof("packet capture stopped: %d packets, %d bytes, %d dropped",
-			stats.Packets, stats.Bytes, stats.Dropped)
-	}()
-
-	return streamToGRPC(pr, stream)
-}
-
-func streamToGRPC(r io.Reader, stream proto.DaemonService_StartCaptureServer) error {
-	buf := make([]byte, 32*1024)
-	for {
-		n, readErr := r.Read(buf)
-		if n > 0 {
-			if err := stream.Send(&proto.CapturePacket{Data: buf[:n]}); err != nil {
-				log.Debugf("capture stream send: %v", err)
-				return nil //nolint:nilerr // client disconnected
-			}
-		}
-		if readErr != nil {
-			return nil //nolint:nilerr // pipe closed, capture stopped normally
-		}
-	}
-}
-
-// StartBundleCapture begins capturing packets to a server-side temp file for
-// inclusion in the next debug bundle. Not gated by --enable-capture since the
-// output stays on the server (same trust level as CPU profiling).
-//
-// A timeout auto-stops the capture as a safety net if StopBundleCapture is
-// never called (e.g. CLI crash).
-func (s *Server) StartBundleCapture(_ context.Context, req *proto.StartBundleCaptureRequest) (*proto.StartBundleCaptureResponse, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	s.stopBundleCaptureLocked()
-	s.cleanupBundleCapture()
-
-	if s.activeCapture != nil {
-		return nil, status.Error(codes.FailedPrecondition, "another capture is already running")
-	}
-
-	engine, err := s.getCaptureEngineLocked()
-	if err != nil {
-		// Not fatal: kernel mode or not connected. Log and return success
-		// so the debug bundle still generates without capture data.
-		log.Warnf("packet capture unavailable, skipping: %v", err)
-		return &proto.StartBundleCaptureResponse{}, nil
-	}
-
-	timeout := req.GetTimeout().AsDuration()
-	if timeout <= 0 || timeout > maxBundleCaptureDuration {
-		timeout = maxBundleCaptureDuration
-	}
-
-	f, err := os.CreateTemp("", "netbird.capture.*.pcap")
-	if err != nil {
-		return nil, status.Errorf(codes.Internal, "create temp file: %v", err)
-	}
-
-	sess, err := capture.NewSession(capture.Options{Output: f})
-	if err != nil {
-		f.Close()
-		os.Remove(f.Name())
-		return nil, status.Errorf(codes.Internal, "create capture session: %v", err)
-	}
-
-	if err := engine.SetCapture(sess); err != nil {
-		sess.Stop()
-		f.Close()
-		os.Remove(f.Name())
-		log.Warnf("packet capture unavailable (no filtered device), skipping: %v", err)
-		return &proto.StartBundleCaptureResponse{}, nil
-	}
-	s.activeCapture = sess
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	bc := &bundleCapture{
-		sess:   sess,
-		file:   f,
-		engine: engine,
-		cancel: cancel,
-	}
-
-	s.bundleCapture = bc
-
-	go func() {
-		<-ctx.Done()
-		s.mutex.Lock()
-		if s.bundleCapture == bc {
-			s.stopBundleCaptureLocked()
-		} else {
-			bc.stop()
-		}
-		s.mutex.Unlock()
-		log.Infof("bundle capture auto-stopped after timeout")
-	}()
-	log.Infof("bundle capture started (timeout=%s, file=%s)", timeout, f.Name())
-
-	return &proto.StartBundleCaptureResponse{}, nil
-}
-
-// StopBundleCapture stops the running bundle capture. Idempotent.
-func (s *Server) StopBundleCapture(_ context.Context, _ *proto.StopBundleCaptureRequest) (*proto.StopBundleCaptureResponse, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	s.stopBundleCaptureLocked()
-	return &proto.StopBundleCaptureResponse{}, nil
-}
-
-// stopBundleCaptureLocked stops the bundle capture if running. Must hold s.mutex.
-func (s *Server) stopBundleCaptureLocked() {
-	if s.bundleCapture == nil {
-		return
-	}
-	bc := s.bundleCapture
-	if bc.engine != nil && s.activeCapture == bc.sess {
-		if err := bc.engine.SetCapture(nil); err != nil {
-			log.Debugf("clear bundle capture: %v", err)
-		}
-		s.activeCapture = nil
-	}
-	bc.stop()
-
-	stats := bc.sess.Stats()
-	log.Infof("bundle capture stopped: %d packets, %d bytes, %d dropped",
-		stats.Packets, stats.Bytes, stats.Dropped)
-}
-
-// bundleCapturePath returns the temp file path if a capture has been taken,
-// stops any running capture, and returns "". Called from DebugBundle.
-// Must hold s.mutex.
-func (s *Server) bundleCapturePath() string {
-	if s.bundleCapture == nil {
-		return ""
-	}
-
-	s.bundleCapture.stop()
-	return s.bundleCapture.path()
-}
-
-// cleanupBundleCapture removes the temp file and clears state. Must hold s.mutex.
-func (s *Server) cleanupBundleCapture() {
-	if s.bundleCapture == nil {
-		return
-	}
-	s.bundleCapture.cleanup()
-	s.bundleCapture = nil
-}
-
-// claimCapture reserves the engine's capture slot for sess. Returns
-// FailedPrecondition if another capture is already active.
-func (s *Server) claimCapture(sess *capture.Session) (*internal.Engine, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	if s.activeCapture != nil {
-		return nil, status.Error(codes.FailedPrecondition, "another capture is already running")
-	}
-	engine, err := s.getCaptureEngineLocked()
-	if err != nil {
-		return nil, err
-	}
-	s.activeCapture = sess
-	return engine, nil
-}
-
-// releaseCapture clears the active-capture owner if it still matches sess.
-func (s *Server) releaseCapture(sess *capture.Session) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-	if s.activeCapture == sess {
-		s.activeCapture = nil
-	}
-}
-
-// clearCaptureIfOwner clears engine's capture slot only if sess still owns it.
-func (s *Server) clearCaptureIfOwner(sess *capture.Session, engine *internal.Engine) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-	if s.activeCapture != sess {
-		return
-	}
-	if err := engine.SetCapture(nil); err != nil {
-		log.Debugf("clear capture: %v", err)
-	}
-	s.activeCapture = nil
-}
-
-func (s *Server) getCaptureEngineLocked() (*internal.Engine, error) {
-	if s.connectClient == nil {
-		return nil, status.Error(codes.FailedPrecondition, "client not connected")
-	}
-	engine := s.connectClient.Engine()
-	if engine == nil {
-		return nil, status.Error(codes.FailedPrecondition, "engine not initialized")
-	}
-	return engine, nil
-}
-
-// parseCaptureFilter returns a Matcher from the request.
-// Returns nil (match all) when no filter expression is set.
-func parseCaptureFilter(req *proto.StartCaptureRequest) (capture.Matcher, error) {
-	expr := req.GetFilterExpr()
-	if expr == "" {
-		return nil, nil //nolint:nilnil // nil Matcher means "match all"
-	}
-	return capture.ParseFilter(expr)
-}

client/server/debug.go

@@ -43,9 +43,7 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 		}()
 	}
 
-	capturePath := s.bundleCapturePath()
-	defer s.cleanupBundleCapture()
-
+	// Prepare refresh callback for health probes
 	var refreshStatus func()
 	if s.connectClient != nil {
 		engine := s.connectClient.Engine()
@@ -64,7 +62,6 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 			SyncResponse:   syncResponse,
 			LogPath:        s.logFile,
 			CPUProfile:     cpuProfileData,
-			CapturePath:    capturePath,
 			RefreshStatus:  refreshStatus,
 			ClientMetrics:  clientMetrics,
 		},

client/server/server.go

@@ -33,7 +33,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/updater"
 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util/capture"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -90,11 +89,7 @@ type Server struct {
 	profileManager         *profilemanager.ServiceManager
 	profilesDisabled       bool
 	updateSettingsDisabled bool
-	captureEnabled         bool
-	bundleCapture          *bundleCapture
-	// activeCapture is the session currently installed on the engine; guarded by s.mutex.
-	activeCapture    *capture.Session
-	networksDisabled bool
+	networksDisabled       bool
 
 	sleepHandler *sleephandler.SleepHandler
 
@@ -111,7 +106,7 @@ type oauthAuthFlow struct {
 }
 
 // New server instance constructor.
-func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool, captureEnabled bool, networksDisabled bool) *Server {
+func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool, networksDisabled bool) *Server {
 	s := &Server{
 		rootCtx:                ctx,
 		logFile:                logFile,
@@ -120,13 +115,11 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		profileManager:         profilemanager.NewServiceManager(configFile),
 		profilesDisabled:       profilesDisabled,
 		updateSettingsDisabled: updateSettingsDisabled,
-		captureEnabled:         captureEnabled,
 		networksDisabled:       networksDisabled,
 		jwtCache:               newJWTCache(),
 	}
 	agent := &serverAgent{s}
 	s.sleepHandler = sleephandler.New(agent)
-	s.startSleepDetector()
 
 	return s
 }
@@ -1108,6 +1101,13 @@ func (s *Server) Status(
 		}
 	}
 
+	return s.buildStatusResponse(msg)
+}
+
+// buildStatusResponse composes a StatusResponse from the current daemon
+// state. Shared between the unary Status RPC and the SubscribeStatus
+// stream so both paths return identical snapshots.
+func (s *Server) buildStatusResponse(msg *proto.StatusRequest) (*proto.StatusResponse, error) {
 	status, err := internal.CtxGetState(s.rootCtx).Status()
 	if err != nil {
 		return nil, err

client/server/server_test.go

@@ -104,7 +104,7 @@ func TestConnectWithRetryRuns(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "debug", "", false, false, false, false)
+	s := New(ctx, "debug", "", false, false, false)
 
 	s.config = config
 
@@ -165,7 +165,7 @@ func TestServer_Up(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false, false, false, false)
+	s := New(ctx, "console", "", false, false, false)
 	err = s.Start()
 	require.NoError(t, err)
 
@@ -235,7 +235,7 @@ func TestServer_SubcribeEvents(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false, false, false, false)
+	s := New(ctx, "console", "", false, false, false)
 
 	err = s.Start()
 	require.NoError(t, err)
@@ -335,7 +335,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	if err != nil {
 		return nil, "", err
 	}
-	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil, nil)
+	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/server/setconfig_test.go

@@ -53,7 +53,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.NoError(t, err)
 
 	ctx := context.Background()
-	s := New(ctx, "console", "", false, false, false, false)
+	s := New(ctx, "console", "", false, false, false)
 
 	rosenpassEnabled := true
 	rosenpassPermissive := true

client/server/sleep.go

@@ -2,18 +2,13 @@ package server
 
 import (
 	"context"
-	"os"
-	"strconv"
 
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/sleep"
 	"github.com/netbirdio/netbird/client/proto"
 )
 
-const envDisableSleepDetector = "NB_DISABLE_SLEEP_DETECTOR"
-
 // serverAgent adapts Server to the handler.Agent and handler.StatusChecker interfaces
 type serverAgent struct {
 	s *Server
@@ -33,61 +28,19 @@ func (a *serverAgent) Status() (internal.StatusType, error) {
 	return internal.CtxGetState(a.s.rootCtx).Status()
 }
 
-// startSleepDetector starts the OS sleep/wake detector and forwards events to
-// the sleep handler. On platforms without a supported detector the attempt
-// logs a warning and returns. Setting NB_DISABLE_SLEEP_DETECTOR=true skips
-// registration entirely.
-func (s *Server) startSleepDetector() {
-	if sleepDetectorDisabled() {
-		log.Info("sleep detection disabled via " + envDisableSleepDetector)
-		return
-	}
-
-	svc, err := sleep.New()
-	if err != nil {
-		log.Warnf("failed to initialize sleep detection: %v", err)
-		return
-	}
-
-	err = svc.Register(func(event sleep.EventType) {
-		switch event {
-		case sleep.EventTypeSleep:
-			log.Info("handling sleep event")
-			if err := s.sleepHandler.HandleSleep(s.rootCtx); err != nil {
-				log.Errorf("failed to handle sleep event: %v", err)
-			}
-		case sleep.EventTypeWakeUp:
-			log.Info("handling wakeup event")
-			if err := s.sleepHandler.HandleWakeUp(s.rootCtx); err != nil {
-				log.Errorf("failed to handle wakeup event: %v", err)
-			}
+// NotifyOSLifecycle handles operating system lifecycle events by executing appropriate logic based on the request type.
+func (s *Server) NotifyOSLifecycle(callerCtx context.Context, req *proto.OSLifecycleRequest) (*proto.OSLifecycleResponse, error) {
+	switch req.GetType() {
+	case proto.OSLifecycleRequest_WAKEUP:
+		if err := s.sleepHandler.HandleWakeUp(callerCtx); err != nil {
+			return &proto.OSLifecycleResponse{}, err
 		}
-	})
-	if err != nil {
-		log.Errorf("failed to register sleep detector: %v", err)
-		return
-	}
-
-	log.Info("sleep detection service initialized")
-
-	go func() {
-		<-s.rootCtx.Done()
-		log.Info("stopping sleep event listener")
-		if err := svc.Deregister(); err != nil {
-			log.Errorf("failed to deregister sleep detector: %v", err)
+	case proto.OSLifecycleRequest_SLEEP:
+		if err := s.sleepHandler.HandleSleep(callerCtx); err != nil {
+			return &proto.OSLifecycleResponse{}, err
 		}
-	}()
-}
-
-func sleepDetectorDisabled() bool {
-	val := os.Getenv(envDisableSleepDetector)
-	if val == "" {
-		return false
+	default:
+		log.Errorf("unknown OSLifecycleRequest type: %v", req.GetType())
 	}
-	disabled, err := strconv.ParseBool(val)
-	if err != nil {
-		log.Warnf("failed to parse %s=%q: %v", envDisableSleepDetector, val, err)
-		return false
-	}
-	return disabled
+	return &proto.OSLifecycleResponse{}, nil
 }

client/server/status_stream.go

@@ -0,0 +1,57 @@
+package server
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+// SubscribeStatus pushes a fresh StatusResponse on every connection state
+// change. The first message is the current snapshot, so a re-subscribing
+// client doesn't need to also call Status. Subsequent messages fire when
+// the peer recorder reports any of: connected/disconnected/connecting,
+// management or signal flip, address change, or peers list change.
+//
+// The change channel coalesces bursts to a single tick. If the consumer
+// is slow the daemon drops extras (not blocks), and the next snapshot
+// the consumer pulls already reflects everything.
+func (s *Server) SubscribeStatus(req *proto.StatusRequest, stream proto.DaemonService_SubscribeStatusServer) error {
+	subID, ch := s.statusRecorder.SubscribeToStateChanges()
+	defer func() {
+		s.statusRecorder.UnsubscribeFromStateChanges(subID)
+		log.Debug("client unsubscribed from status updates")
+	}()
+
+	log.Debug("client subscribed to status updates")
+
+	if err := s.sendStatusSnapshot(req, stream); err != nil {
+		return err
+	}
+
+	for {
+		select {
+		case _, ok := <-ch:
+			if !ok {
+				return nil
+			}
+			if err := s.sendStatusSnapshot(req, stream); err != nil {
+				return err
+			}
+		case <-stream.Context().Done():
+			return nil
+		}
+	}
+}
+
+func (s *Server) sendStatusSnapshot(req *proto.StatusRequest, stream proto.DaemonService_SubscribeStatusServer) error {
+	resp, err := s.buildStatusResponse(req)
+	if err != nil {
+		log.Warnf("build status snapshot for stream: %v", err)
+		return err
+	}
+	if err := stream.Send(resp); err != nil {
+		log.Warnf("send status snapshot to stream: %v", err)
+		return err
+	}
+	return nil
+}

client/ui-wails/.gitignore

@@ -0,0 +1,8 @@
+.task
+bin
+frontend/dist
+frontend/node_modules
+frontend/bindings
+frontend/.vite
+build/linux/appimage/build
+build/windows/nsis/MicrosoftEdgeWebview2Setup.exe

client/ui-wails/README.md

@@ -0,0 +1,100 @@
+# NetBird desktop UI (Wails3 + React)
+
+Replaces `client/ui` (Fyne). One binary on Windows / macOS / Linux,
+talks to the NetBird daemon over gRPC, renders a React frontend in a
+WebView.
+
+## Prerequisites
+
+- Go ≥ 1.25, Node ≥ 20, **pnpm** (`corepack enable && corepack prepare pnpm@latest --activate`)
+- `wails3` CLI: `go install github.com/wailsapp/wails/v3/cmd/wails3@latest`
+- `task`: `go install github.com/go-task/task/v3/cmd/task@latest`
+- A running NetBird daemon (default: `unix:///var/run/netbird.sock`,
+  Windows `tcp://127.0.0.1:41731`)
+- Linux only: `libwebkit2gtk-4.1-dev`, `libgtk-3-dev`,
+  `libayatana-appindicator3-dev`
+
+## Develop without rebuilding
+
+```bash
+cd client/ui-wails
+task dev
+```
+
+`task dev` runs Vite (port 9245) + the Go binary + a `*.go` watcher.
+Frontend edits hot-reload instantly. Go edits trigger a rebuild and
+relaunch. Pass daemon flags after `--`:
+
+```bash
+task dev -- --daemon-addr=tcp://127.0.0.1:41731
+```
+
+For pure UI work (no native window, fastest loop):
+
+```bash
+cd frontend && pnpm dev
+```
+
+## Production build
+
+```bash
+task build
+```
+
+Output in `bin/`. Frontend assets are embedded into the binary.
+
+### Cross-compile Windows from Linux
+
+Install the mingw-w64 toolchain once:
+
+```bash
+sudo apt install gcc-mingw-w64-x86-64           # Debian/Ubuntu
+sudo dnf install mingw64-gcc                    # Fedora
+sudo pacman -S mingw-w64-gcc                    # Arch
+```
+
+Then:
+
+```bash
+CGO_ENABLED=1 task windows:build
+```
+
+Produces `bin/netbird-ui.exe`. macOS cross-compile from Linux is not
+supported (signing and notarization need a real Mac).
+
+### Windows console build (logs in the terminal)
+
+Default `windows:build` links the binary as a Windows GUI app, which
+detaches from the launching console — `logrus` output, `fmt.Println`,
+and panics go nowhere visible. To debug tray/event/daemon issues:
+
+```bash
+CGO_ENABLED=1 task windows:build:console
+```
+
+Produces `bin/netbird-ui-console.exe`. Run it from `cmd.exe` /
+PowerShell / Windows Terminal and stdout/stderr land in that
+terminal. Same flag works on a native Windows build (drop the
+`CGO_ENABLED=1` if your toolchain already has it set).
+
+## Regenerating bindings
+
+When a Go service signature changes:
+
+```bash
+wails3 generate bindings
+```
+
+`task dev` does this automatically on `*.go` save.
+
+## Tray icons
+
+Source SVGs live in `assets/svg/` (state.svg + state-macos.svg). After editing
+any SVG, rasterize to the PNGs the Go side embeds:
+
+```bash
+task common:generate:tray:icons
+```
+
+Requires Inkscape. Commit the resulting `assets/*.png` files alongside the
+SVG change so CI doesn't need Inkscape installed.

client/ui-wails/Taskfile.yml

@@ -0,0 +1,58 @@
+version: '3'
+
+includes:
+  common: ./build/Taskfile.yml
+  windows: ./build/windows/Taskfile.yml
+  darwin: ./build/darwin/Taskfile.yml
+  linux: ./build/linux/Taskfile.yml
+
+vars:
+  APP_NAME: "netbird-ui"
+  BIN_DIR: "bin"
+  VITE_PORT: '{{.WAILS_VITE_PORT | default 9245}}'
+
+tasks:
+  build:
+    summary: Builds the application
+    cmds:
+      - task: "{{OS}}:build"
+
+  package:
+    summary: Packages a production build of the application
+    cmds:
+      - task: "{{OS}}:package"
+
+  run:
+    summary: Runs the application
+    cmds:
+      - task: "{{OS}}:run"
+
+  dev:
+    summary: Runs the application in development mode
+    cmds:
+      - wails3 dev -config ./build/config.yml -port {{.VITE_PORT}}
+
+  setup:docker:
+    summary: Builds Docker image for cross-compilation (~800MB download)
+    cmds:
+      - task: common:setup:docker
+
+  build:server:
+    summary: Builds the application in server mode (no GUI, HTTP server only)
+    cmds:
+      - task: common:build:server
+
+  run:server:
+    summary: Runs the application in server mode
+    cmds:
+      - task: common:run:server
+
+  build:docker:
+    summary: Builds a Docker image for server mode deployment
+    cmds:
+      - task: common:build:docker
+
+  run:docker:
+    summary: Builds and runs the Docker image
+    cmds:
+      - task: common:run:docker

client/ui-wails/assets/svg/_base.svg

@@ -0,0 +1,14 @@
+<!--
+  NetBird base mark, centered in a 32×32 viewBox with badge-friendly margins.
+  Preserved across every state icon as required by the design plan; state
+  badges sit on top in the bottom-right 12×12 area (x=18..30, y=18..30).
+  The mark itself is taken verbatim from dashboard/src/assets/netbird.svg
+  (three orange/red paths) and translated into the 32×32 grid.
+-->
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g id="netbird-mark" transform="translate(2 5) scale(0.8)">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+  </g>
+</svg>

client/ui-wails/assets/svg/appicon.svg

@@ -0,0 +1,17 @@
+<!--
+  App icon source. Rasterized to build/appicon.png by
+  `task common:generate:icons`, which then drives `wails3 generate icons`
+  to produce the per-platform .ico / .icns artifacts.
+
+  The mark fills ~90% of the canvas width (with vertical centering) so
+  Windows Explorer and macOS Finder render a recognisable bird at small
+  sizes. The mark's native aspect (31:23) is wider than tall, so width is
+  the binding dimension.
+-->
+<svg xmlns="http://www.w3.org/2000/svg" width="1024" height="1024" viewBox="0 0 1024 1024">
+  <g transform="translate(37 170) scale(29.7)">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+  </g>
+</svg>

client/ui-wails/assets/svg/connected-macos.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5)" fill="black">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="black"/>
+  <path d="M22 25 L24 27 L28 23" stroke="white" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" fill="none"/>
+</svg>

client/ui-wails/assets/svg/connected.svg

@@ -0,0 +1,14 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <!-- Mark fills the canvas. Badge overlaps the bottom-right corner so most
+       of the mark is still visible at 16 px tray sizes. -->
+  <g transform="translate(0.5 4.5) scale(1.0)">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+  </g>
+  <!-- connected badge: green check, ~25% canvas, with a thin white halo so
+       the green disc reads cleanly on top of the orange mark. -->
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="#0E9F6E"/>
+  <path d="M22 25 L24 27 L28 23" stroke="white" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round" fill="none"/>
+</svg>

client/ui-wails/assets/svg/connecting-macos.svg

@@ -0,0 +1,9 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5)" fill="black">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="none" stroke="black" stroke-width="1.8" stroke-dasharray="2.5 2.5" stroke-linecap="round"/>
+</svg>

client/ui-wails/assets/svg/connecting.svg

@@ -0,0 +1,9 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5) scale(1.0)">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="none" stroke="#F68330" stroke-width="1.8" stroke-dasharray="2.5 2.5" stroke-linecap="round"/>
+</svg>

client/ui-wails/assets/svg/disconnected-macos.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5)" fill="black" opacity="0.5">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="none" stroke="black" stroke-width="1.6"/>
+  <line x1="21.5" y1="25" x2="28.5" y2="25" stroke="black" stroke-width="1.6" stroke-linecap="round"/>
+</svg>

client/ui-wails/assets/svg/disconnected.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5) scale(1.0)" opacity="0.45">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="none" stroke="#7c8994" stroke-width="1.6"/>
+  <line x1="21.5" y1="25" x2="28.5" y2="25" stroke="#7c8994" stroke-width="1.6" stroke-linecap="round"/>
+</svg>

client/ui-wails/assets/svg/error-macos.svg

@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5)" fill="black" opacity="0.7">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="black"/>
+  <line x1="25" y1="21.5" x2="25" y2="26" stroke="white" stroke-width="1.8" stroke-linecap="round"/>
+  <circle cx="25" cy="28.4" r="1.0" fill="white"/>
+</svg>

client/ui-wails/assets/svg/error.svg

@@ -0,0 +1,11 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5) scale(1.0)" opacity="0.7">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="#E02424"/>
+  <line x1="25" y1="21.5" x2="25" y2="26" stroke="white" stroke-width="1.8" stroke-linecap="round"/>
+  <circle cx="25" cy="28.4" r="1.0" fill="white"/>
+</svg>

client/ui-wails/assets/svg/update-connected-macos.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5)" fill="black">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="black"/>
+  <path d="M25 22 L25 28 M22.5 24.5 L25 22 L27.5 24.5" stroke="white" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" fill="none"/>
+</svg>

client/ui-wails/assets/svg/update-connected.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5) scale(1.0)">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="#1C64F2"/>
+  <path d="M25 22 L25 28 M22.5 24.5 L25 22 L27.5 24.5" stroke="white" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" fill="none"/>
+</svg>

client/ui-wails/assets/svg/update-disconnected-macos.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5)" fill="black" opacity="0.5">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="black"/>
+  <path d="M25 22 L25 28 M22.5 24.5 L25 22 L27.5 24.5" stroke="white" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" fill="none"/>
+</svg>

client/ui-wails/assets/svg/update-disconnected.svg

@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" fill="none">
+  <g transform="translate(0.5 4.5) scale(1.0)" opacity="0.45">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+  </g>
+  <circle cx="25" cy="25" r="7" fill="white"/>
+  <circle cx="25" cy="25" r="6" fill="#1C64F2"/>
+  <path d="M25 22 L25 28 M22.5 24.5 L25 22 L27.5 24.5" stroke="white" stroke-width="1.6" stroke-linecap="round" stroke-linejoin="round" fill="none"/>
+</svg>

client/ui-wails/build/Taskfile.yml

@@ -0,0 +1,295 @@
+version: '3'
+
+tasks:
+  go:mod:tidy:
+    summary: Runs `go mod tidy`
+    internal: true
+    cmds:
+      - go mod tidy
+
+  install:frontend:deps:
+    summary: Install frontend dependencies
+    dir: frontend
+    sources:
+      - package.json
+      - pnpm-lock.yaml
+    generates:
+      - node_modules
+    preconditions:
+      - sh: pnpm --version
+        msg: "Looks like pnpm isn't installed. Install with: corepack enable && corepack prepare pnpm@latest --activate"
+    cmds:
+      - pnpm install
+
+  build:frontend:
+    label: build:frontend (DEV={{.DEV}})
+    summary: Build the frontend project
+    dir: frontend
+    sources:
+      - "**/*"
+      - exclude: node_modules/**/*
+    generates:
+      - dist/**/*
+    deps:
+      - task: install:frontend:deps
+      - task: generate:bindings
+        vars:
+          BUILD_FLAGS:
+            ref: .BUILD_FLAGS
+    cmds:
+      - pnpm run {{.BUILD_COMMAND}}
+    env:
+      PRODUCTION: '{{if eq .DEV "true"}}false{{else}}true{{end}}'
+    vars:
+      BUILD_COMMAND: '{{if eq .DEV "true"}}build:dev{{else}}build{{end}}'
+
+
+  frontend:vendor:puppertino:
+    summary: Fetches Puppertino CSS into frontend/public for consistent mobile styling
+    sources:
+      - frontend/public/puppertino/puppertino.css
+    generates:
+      - frontend/public/puppertino/puppertino.css
+    cmds:
+      - |
+        set -euo pipefail
+        mkdir -p frontend/public/puppertino
+        # If bundled Puppertino exists, prefer it. Otherwise, try to fetch, but don't fail build on error.
+        if [ ! -f frontend/public/puppertino/puppertino.css ]; then
+          echo "No bundled Puppertino found. Attempting to fetch from GitHub..."
+          if curl -fsSL https://raw.githubusercontent.com/codedgar/Puppertino/main/dist/css/full.css -o frontend/public/puppertino/puppertino.css; then
+            curl -fsSL https://raw.githubusercontent.com/codedgar/Puppertino/main/LICENSE -o frontend/public/puppertino/LICENSE || true
+            echo "Puppertino CSS downloaded to frontend/public/puppertino/puppertino.css"
+          else
+            echo "Warning: Could not fetch Puppertino CSS. Proceeding without download since template may bundle it."
+          fi
+        else
+          echo "Using bundled Puppertino at frontend/public/puppertino/puppertino.css"
+        fi
+        # Ensure index.html includes Puppertino CSS and button classes
+        INDEX_HTML=frontend/index.html
+        if [ -f "$INDEX_HTML" ]; then
+          if ! grep -q 'href="/puppertino/puppertino.css"' "$INDEX_HTML"; then
+            # Insert Puppertino link tag after style.css link
+            awk '
+              /href="\/style.css"\/?/ && !x { print; print "    <link rel=\"stylesheet\" href=\"/puppertino/puppertino.css\"/>"; x=1; next }1
+            ' "$INDEX_HTML" > "$INDEX_HTML.tmp" && mv "$INDEX_HTML.tmp" "$INDEX_HTML"
+          fi
+          # Replace default .btn with Puppertino primary button classes if present
+          sed -E -i'' 's/class=\"btn\"/class=\"p-btn p-prim-col\"/g' "$INDEX_HTML" || true
+        fi
+
+
+  generate:bindings:
+    label: generate:bindings (BUILD_FLAGS={{.BUILD_FLAGS}})
+    summary: Generates bindings for the frontend
+    deps:
+      - task: go:mod:tidy
+    sources:
+      - "**/*.[jt]s"
+      - exclude: frontend/**/*
+      - frontend/bindings/**/*  # Rerun when switching between dev/production mode causes changes in output
+      - "**/*.go"
+      - go.mod
+      - go.sum
+    generates:
+      - frontend/bindings/**/*
+    cmds:
+      - wails3 generate bindings -f '{{.BUILD_FLAGS}}' -clean=true -ts
+
+  generate:icons:
+    summary: Generates Windows `.ico` and Mac `.icns` from an image; on macOS, `-iconcomposerinput appicon.icon -macassetdir darwin` also produces `Assets.car` from a `.icon` file (skipped on other platforms).
+    dir: build
+    sources:
+      - "appicon.png"
+      - "appicon.icon"
+    generates:
+      - "darwin/icons.icns"
+      - "windows/icon.ico"
+    cmds:
+      - wails3 generate icons -input appicon.png -macfilename darwin/icons.icns -windowsfilename windows/icon.ico -iconcomposerinput appicon.icon -macassetdir darwin
+
+  generate:tray:icons:
+    summary: Rebuild Windows multi-res .ico files from the per-state PNGs.
+    desc: |
+      The colored tray PNGs (assets/netbird-systemtray-<state>.png) and the
+      macOS template variants are committed to the repo as the canonical
+      source. This task only regenerates the Windows multi-resolution .ico
+      files from those PNGs by downscaling each to 16/24/32/48 px and
+      packing them with icotool, so Shell_NotifyIcon picks the frame
+      matching the user's DPI instead of downscaling a single large PNG.
+
+      Run after replacing any of the colored PNGs (e.g. when copying a new
+      version of the icons from client/ui/assets). The SVG sources in
+      assets/svg/ are kept for reference but are not built by default.
+    dir: assets
+    sources:
+      - "netbird-systemtray-connected.png"
+      - "netbird-systemtray-disconnected.png"
+      - "netbird-systemtray-connecting.png"
+      - "netbird-systemtray-error.png"
+      - "netbird-systemtray-update-connected.png"
+      - "netbird-systemtray-update-disconnected.png"
+    generates:
+      - "netbird-systemtray-*.ico"
+    preconditions:
+      - sh: command -v magick >/dev/null 2>&1 || command -v convert >/dev/null 2>&1
+        msg: "ImageMagick is required to downscale PNGs (apt install imagemagick)"
+      - sh: command -v icotool >/dev/null 2>&1
+        msg: "icotool is required to pack tray .ico files (apt install icoutils)"
+    cmds:
+      - |
+        set -euo pipefail
+        tmp=$(mktemp -d)
+        trap 'rm -rf "$tmp"' EXIT
+        resize=$(command -v magick || echo convert)
+        for state in connected disconnected connecting error update-connected update-disconnected; do
+          for sz in 16 24 32 48; do
+            "$resize" "netbird-systemtray-$state.png" -resize ${sz}x${sz} "$tmp/$state-$sz.png"
+          done
+          icotool -c -o "netbird-systemtray-$state.ico" \
+            "$tmp/$state-16.png" "$tmp/$state-24.png" "$tmp/$state-32.png" "$tmp/$state-48.png"
+        done
+
+  dev:frontend:
+    summary: Runs the frontend in development mode
+    dir: frontend
+    deps:
+      - task: install:frontend:deps
+    cmds:
+      - pnpm exec vite --port {{.VITE_PORT}} --strictPort
+
+  update:build-assets:
+    summary: Updates the build assets
+    dir: build
+    cmds:
+      - wails3 update build-assets -name "{{.APP_NAME}}" -binaryname "{{.APP_NAME}}" -config config.yml -dir .
+
+  build:server:
+    summary: Builds the application in server mode (no GUI, HTTP server only)
+    desc: |
+      Builds the application with the server build tag enabled.
+      Server mode runs as a pure HTTP server without native GUI dependencies.
+      Usage: task build:server
+    deps:
+      - task: build:frontend
+        vars:
+          BUILD_FLAGS:
+            ref: .BUILD_FLAGS
+    cmds:
+      - go build -tags server {{.BUILD_FLAGS}} -o {{.BIN_DIR}}/{{.APP_NAME}}-server{{exeExt}}
+    vars:
+      BUILD_FLAGS: "{{.BUILD_FLAGS}}"
+
+  run:server:
+    summary: Builds and runs the application in server mode
+    deps:
+      - task: build:server
+    cmds:
+      - ./{{.BIN_DIR}}/{{.APP_NAME}}-server{{exeExt}}
+
+  build:docker:
+    summary: Builds a Docker image for server mode deployment
+    desc: |
+      Creates a minimal Docker image containing the server mode binary.
+      The image is based on distroless for security and small size.
+      Usage: task build:docker [TAG=myapp:latest]
+    cmds:
+      - docker build -t {{.TAG | default (printf "%s:latest" .APP_NAME)}} -f build/docker/Dockerfile.server .
+    vars:
+      TAG: "{{.TAG}}"
+    preconditions:
+      - sh: docker info > /dev/null 2>&1
+        msg: "Docker is required. Please install Docker first."
+      - sh: test -f build/docker/Dockerfile.server
+        msg: "Dockerfile.server not found. Run 'wails3 update build-assets' to generate it."
+
+  run:docker:
+    summary: Builds and runs the Docker image
+    desc: |
+      Builds the Docker image and runs it, exposing port 8080.
+      Usage: task run:docker [TAG=myapp:latest] [PORT=8080]
+      Note: The internal container port is always 8080. The PORT variable
+      only changes the host port mapping. Ensure your app uses port 8080
+      or modify the Dockerfile to match your ServerOptions.Port setting.
+    deps:
+      - task: build:docker
+        vars:
+          TAG:
+            ref: .TAG
+    cmds:
+      - docker run --rm -p {{.PORT | default "8080"}}:8080 {{.TAG | default (printf "%s:latest" .APP_NAME)}}
+    vars:
+      TAG: "{{.TAG}}"
+      PORT: "{{.PORT}}"
+
+  setup:docker:
+    summary: Builds Docker image for cross-compilation (~800MB download)
+    desc: |
+      Builds the Docker image needed for cross-compiling to any platform.
+      Run this once to enable cross-platform builds from any OS.
+    cmds:
+      - docker build -t wails-cross -f build/docker/Dockerfile.cross build/docker/
+    preconditions:
+      - sh: docker info > /dev/null 2>&1
+        msg: "Docker is required. Please install Docker first."
+
+  ios:device:list:
+    summary: Lists connected iOS devices (UDIDs)
+    cmds:
+      - xcrun xcdevice list
+
+  ios:run:device:
+    summary: Build, install, and launch on a physical iPhone using Apple tools (xcodebuild/devicectl)
+    vars:
+      PROJECT: '{{.PROJECT}}'   # e.g., build/ios/xcode/<YourProject>.xcodeproj
+      SCHEME: '{{.SCHEME}}'     # e.g., ios.dev
+      CONFIG: '{{.CONFIG | default "Debug"}}'
+      DERIVED: '{{.DERIVED | default "build/ios/DerivedData"}}'
+      UDID: '{{.UDID}}'         # from `task ios:device:list`
+      BUNDLE_ID: '{{.BUNDLE_ID}}' # e.g., com.yourco.wails.ios.dev
+      TEAM_ID: '{{.TEAM_ID}}'   # optional, if your project is not already set up for signing
+    preconditions:
+      - sh: xcrun -f xcodebuild
+        msg: "xcodebuild not found. Please install Xcode."
+      - sh: xcrun -f devicectl
+        msg: "devicectl not found. Please update to Xcode 15+ (which includes devicectl)."
+      - sh: test -n '{{.PROJECT}}'
+        msg: "Set PROJECT to your .xcodeproj path (e.g., PROJECT=build/ios/xcode/App.xcodeproj)."
+      - sh: test -n '{{.SCHEME}}'
+        msg: "Set SCHEME to your app scheme (e.g., SCHEME=ios.dev)."
+      - sh: test -n '{{.UDID}}'
+        msg: "Set UDID to your device UDID (see: task ios:device:list)."
+      - sh: test -n '{{.BUNDLE_ID}}'
+        msg: "Set BUNDLE_ID to your app's bundle identifier (e.g., com.yourco.wails.ios.dev)."
+    cmds:
+      - |
+        set -euo pipefail
+        echo "Building for device: UDID={{.UDID}} SCHEME={{.SCHEME}} PROJECT={{.PROJECT}}"
+        XCB_ARGS=(
+          -project "{{.PROJECT}}"
+          -scheme "{{.SCHEME}}"
+          -configuration "{{.CONFIG}}"
+          -destination "id={{.UDID}}"
+          -derivedDataPath "{{.DERIVED}}"
+          -allowProvisioningUpdates
+          -allowProvisioningDeviceRegistration
+        )
+        # Optionally inject signing identifiers if provided
+        if [ -n '{{.TEAM_ID}}' ]; then XCB_ARGS+=(DEVELOPMENT_TEAM={{.TEAM_ID}}); fi
+        if [ -n '{{.BUNDLE_ID}}' ]; then XCB_ARGS+=(PRODUCT_BUNDLE_IDENTIFIER={{.BUNDLE_ID}}); fi
+        xcodebuild "${XCB_ARGS[@]}" build | xcpretty || true
+        # If xcpretty isn't installed, run without it
+        if [ "${PIPESTATUS[0]}" -ne 0 ]; then
+          xcodebuild "${XCB_ARGS[@]}" build
+        fi
+        # Find built .app
+        APP_PATH=$(find "{{.DERIVED}}/Build/Products" -type d -name "*.app" -maxdepth 3 | head -n 1)
+        if [ -z "$APP_PATH" ]; then
+          echo "Could not locate built .app under {{.DERIVED}}/Build/Products" >&2
+          exit 1
+        fi
+        echo "Installing: $APP_PATH"
+        xcrun devicectl device install app --device "{{.UDID}}" "$APP_PATH"
+        echo "Launching: {{.BUNDLE_ID}}"
+        xcrun devicectl device process launch --device "{{.UDID}}" --stderr console --stdout console "{{.BUNDLE_ID}}"

client/ui-wails/build/appicon.icon/Assets/wails_icon_vector.svg

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!--
+  macOS Icon Composer source. Designed on a 1024x1024 canvas with the bird
+  glyph centered and sized to ~75% of canvas width, leaving padding for
+  the system squircle treatment.
+-->
+<svg xmlns="http://www.w3.org/2000/svg" width="1024" height="1024" viewBox="0 0 1024 1024">
+  <g transform="translate(128, 227) scale(24.77)">
+    <path d="M21.4631 0.523438C17.8173 0.857913 16.0028 2.95675 15.3171 4.01871L4.66406 22.4734H17.5163L30.1929 0.523438H21.4631Z" fill="#F68330"/>
+    <path d="M17.5265 22.4737L0 3.88525C0 3.88525 19.8177 -1.44128 21.7493 15.1738L17.5265 22.4737Z" fill="#F68330"/>
+    <path d="M14.9236 4.70563L9.54688 14.0208L17.5158 22.4747L21.7385 15.158C21.0696 9.44682 18.2851 6.32784 14.9236 4.69727" fill="#F05252"/>
+  </g>
+</svg>

client/ui-wails/build/appicon.icon/icon.json

@@ -0,0 +1,26 @@
+{
+  "fill" : {
+    "solid" : "srgb:1.00000,1.00000,1.00000,1.00000"
+  },
+  "groups" : [
+    {
+      "layers" : [
+        {
+          "image-name" : "wails_icon_vector.svg",
+          "name" : "wails_icon_vector"
+        }
+      ],
+      "shadow" : {
+        "kind" : "neutral",
+        "opacity" : 0.5
+      },
+      "specular" : true
+    }
+  ],
+  "supported-platforms" : {
+    "circles" : [
+      "watchOS"
+    ],
+    "squares" : "shared"
+  }
+}

client/ui-wails/build/config.yml

@@ -0,0 +1,78 @@
+# This file contains the configuration for this project.
+# When you update `info` or `fileAssociations`, run `wails3 task common:update:build-assets` to update the assets.
+# Note that this will overwrite any changes you have made to the assets.
+version: '3'
+
+# This information is used to generate the build assets.
+info:
+  companyName: "My Company" # The name of the company
+  productName: "My Product" # The name of the application
+  productIdentifier: "com.mycompany.myproduct" # The unique product identifier
+  description: "A program that does X" # The application description
+  copyright: "(c) 2025, My Company" # Copyright text
+  comments: "Some Product Comments" # Comments
+  version: "0.0.1" # The application version
+  # cfBundleIconName: "appicon" # The macOS icon name in Assets.car icon bundles (optional)
+  #                               # Should match the name of your .icon file without the extension
+  #                               # If not set and Assets.car exists, defaults to "appicon"
+
+# iOS build configuration (uncomment to customise iOS project generation)
+# Note: Keys under `ios` OVERRIDE values under `info` when set.
+# ios:
+#   # The iOS bundle identifier used in the generated Xcode project (CFBundleIdentifier)
+#   bundleID: "com.mycompany.myproduct"
+#   # The display name shown under the app icon (CFBundleDisplayName/CFBundleName)
+#   displayName: "My Product"
+#   # The app version to embed in Info.plist (CFBundleShortVersionString/CFBundleVersion)
+#   version: "0.0.1"
+#   # The company/organisation name for templates and project settings
+#   company: "My Company"
+#   # Additional comments to embed in Info.plist metadata
+#   comments: "Some Product Comments"
+
+# Dev mode configuration
+dev_mode:
+  root_path: .
+  log_level: warn
+  debounce: 1000
+  ignore:
+    dir:
+      - .git
+      - node_modules
+      - frontend
+      - bin
+    file:
+      - .DS_Store
+      - .gitignore
+      - .gitkeep
+    watched_extension:
+      - "*.go"
+      - "*.js" # Watch for changes to JS/TS files included using the //wails:include directive.
+      - "*.ts" # The frontend directory will be excluded entirely by the setting above.
+    git_ignore: true
+  executes:
+    - cmd: wails3 build DEV=true
+      type: blocking
+    - cmd: wails3 task common:dev:frontend
+      type: background
+    - cmd: wails3 task run
+      type: primary
+
+# File Associations
+# More information at: https://v3.wails.io/noit/done/yet
+fileAssociations:
+#  - ext: wails
+#    name: Wails
+#    description: Wails Application File
+#    iconName: wailsFileIcon
+#    role: Editor
+#  - ext: jpg
+#    name: JPEG
+#    description: Image File
+#    iconName: jpegFileIcon
+#    role: Editor
+#    mimeType: image/jpeg  # (optional)
+
+# Other data
+other:
+  - name: My Other Data

client/ui-wails/build/darwin/Info.dev.plist

@@ -0,0 +1,36 @@
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>CFBundlePackageType</key>
+            <string>APPL</string>
+        <key>CFBundleName</key>
+            <string>NetBird</string>
+        <key>CFBundleDisplayName</key>
+            <string>NetBird</string>
+        <key>CFBundleExecutable</key>
+            <string>netbird-ui</string>
+        <key>CFBundleIdentifier</key>
+            <string>io.netbird.client</string>
+        <key>CFBundleVersion</key>
+            <string>0.0.1</string>
+        <key>CFBundleGetInfoString</key>
+            <string>This is a comment</string>
+        <key>CFBundleShortVersionString</key>
+            <string>0.0.1</string>
+        <key>CFBundleIconFile</key>
+            <string>icons</string>
+        <key>CFBundleIconName</key>
+            <string>appicon</string>
+        <key>LSMinimumSystemVersion</key>
+            <string>10.15.0</string>
+        <key>NSHighResolutionCapable</key>
+            <string>true</string>
+        <key>NSHumanReadableCopyright</key>
+            <string>© 2026, My Company</string>
+        <key>NSAppTransportSecurity</key>
+        <dict>
+            <key>NSAllowsLocalNetworking</key>
+            <true/>
+        </dict>
+    </dict>
+</plist>

client/ui-wails/build/darwin/Info.plist

@@ -0,0 +1,31 @@
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+    <dict>
+        <key>CFBundlePackageType</key>
+            <string>APPL</string>
+        <key>CFBundleName</key>
+            <string>NetBird</string>
+        <key>CFBundleDisplayName</key>
+            <string>NetBird</string>
+        <key>CFBundleExecutable</key>
+            <string>netbird-ui</string>
+        <key>CFBundleIdentifier</key>
+            <string>io.netbird.client</string>
+        <key>CFBundleVersion</key>
+            <string>0.0.1</string>
+        <key>CFBundleGetInfoString</key>
+            <string>This is a comment</string>
+        <key>CFBundleShortVersionString</key>
+            <string>0.0.1</string>
+        <key>CFBundleIconFile</key>
+            <string>icons</string>
+        <key>CFBundleIconName</key>
+            <string>appicon</string>
+        <key>LSMinimumSystemVersion</key>
+            <string>10.15.0</string>
+        <key>NSHighResolutionCapable</key>
+            <string>true</string>
+        <key>NSHumanReadableCopyright</key>
+            <string>© 2026, My Company</string>
+    </dict>
+</plist>

client/ui-wails/build/darwin/Taskfile.yml

@@ -0,0 +1,208 @@
+version: '3'
+
+includes:
+  common: ../Taskfile.yml
+
+vars:
+  # Signing configuration - edit these values for your project
+  # SIGN_IDENTITY: "Developer ID Application: Your Company (TEAMID)"
+  # KEYCHAIN_PROFILE: "my-notarize-profile"
+  # ENTITLEMENTS: "build/darwin/entitlements.plist"
+
+  # Docker image for cross-compilation (used when building on non-macOS)
+  CROSS_IMAGE: wails-cross
+
+tasks:
+  build:
+    summary: Builds the application
+    cmds:
+      - task: '{{if eq OS "darwin"}}build:native{{else}}build:docker{{end}}'
+        vars:
+          ARCH: '{{.ARCH}}'
+          DEV: '{{.DEV}}'
+          OUTPUT: '{{.OUTPUT}}'
+          EXTRA_TAGS: '{{.EXTRA_TAGS}}'
+    vars:
+      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
+      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
+
+  build:native:
+    summary: Builds the application natively on macOS
+    internal: true
+    deps:
+      - task: common:go:mod:tidy
+      - task: common:build:frontend
+        vars:
+          BUILD_FLAGS:
+            ref: .BUILD_FLAGS
+          DEV:
+            ref: .DEV
+      - task: common:generate:icons
+    cmds:
+      - go build {{.BUILD_FLAGS}} -o {{.OUTPUT}}
+    vars:
+      BUILD_FLAGS: '{{if eq .DEV "true"}}{{if .EXTRA_TAGS}}-tags {{.EXTRA_TAGS}} {{end}}-buildvcs=false -gcflags=all="-l"{{else}}-tags production{{if .EXTRA_TAGS}},{{.EXTRA_TAGS}}{{end}} -trimpath -buildvcs=false -ldflags="-w -s"{{end}}'
+      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
+      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
+    env:
+      GOOS: darwin
+      CGO_ENABLED: 1
+      GOARCH: '{{.ARCH | default ARCH}}'
+      CGO_CFLAGS: "-mmacosx-version-min=10.15"
+      CGO_LDFLAGS: "-mmacosx-version-min=10.15"
+      MACOSX_DEPLOYMENT_TARGET: "10.15"
+
+  build:docker:
+    summary: Cross-compiles for macOS using Docker (for Linux/Windows hosts)
+    internal: true
+    deps:
+      - task: common:build:frontend
+      - task: common:generate:icons
+    preconditions:
+      - sh: docker info > /dev/null 2>&1
+        msg: "Docker is required for cross-compilation. Please install Docker."
+      - sh: docker image inspect {{.CROSS_IMAGE}} > /dev/null 2>&1
+        msg: |
+          Docker image '{{.CROSS_IMAGE}}' not found.
+          Build it first: wails3 task setup:docker
+    cmds:
+      - docker run --rm -v "{{.ROOT_DIR}}:/app" {{.GO_CACHE_MOUNT}} {{.REPLACE_MOUNTS}} -e APP_NAME="{{.APP_NAME}}" {{if .EXTRA_TAGS}}-e EXTRA_TAGS="{{.EXTRA_TAGS}}"{{end}} {{.CROSS_IMAGE}} darwin {{.DOCKER_ARCH}}
+      - docker run --rm -v "{{.ROOT_DIR}}:/app" alpine chown -R $(id -u):$(id -g) /app/bin
+      - mkdir -p {{.BIN_DIR}}
+      - mv "bin/{{.APP_NAME}}-darwin-{{.DOCKER_ARCH}}" "{{.OUTPUT}}"
+    vars:
+      DOCKER_ARCH: '{{if eq .ARCH "arm64"}}arm64{{else if eq .ARCH "amd64"}}amd64{{else}}arm64{{end}}'
+      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
+      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
+      # Mount Go module cache for faster builds
+      GO_CACHE_MOUNT:
+        sh: 'echo "-v ${GOPATH:-$HOME/go}/pkg/mod:/go/pkg/mod"'
+      # Extract replace directives from go.mod and create -v mounts for each
+      # Handles both relative (=> ../) and absolute (=> /) paths
+      REPLACE_MOUNTS:
+        sh: |
+          grep -E '^replace .* => ' go.mod 2>/dev/null | while read -r line; do
+            path=$(echo "$line" | sed -E 's/^replace .* => //' | tr -d '\r')
+            # Convert relative paths to absolute
+            if [ "${path#/}" = "$path" ]; then
+              path="$(cd "$(dirname "$path")" 2>/dev/null && pwd)/$(basename "$path")"
+            fi
+            # Only mount if directory exists
+            if [ -d "$path" ]; then
+              echo "-v $path:$path:ro"
+            fi
+          done | tr '\n' ' '
+
+  build:universal:
+    summary: Builds darwin universal binary (arm64 + amd64)
+    deps:
+      - task: build
+        vars:
+          ARCH: amd64
+          OUTPUT: "{{.BIN_DIR}}/{{.APP_NAME}}-amd64"
+      - task: build
+        vars:
+          ARCH: arm64
+          OUTPUT: "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
+    cmds:
+      - task: '{{if eq OS "darwin"}}build:universal:lipo:native{{else}}build:universal:lipo:go{{end}}'
+
+  build:universal:lipo:native:
+    summary: Creates universal binary using native lipo (macOS)
+    internal: true
+    cmds:
+      - lipo -create -output "{{.BIN_DIR}}/{{.APP_NAME}}" "{{.BIN_DIR}}/{{.APP_NAME}}-amd64" "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
+      - rm "{{.BIN_DIR}}/{{.APP_NAME}}-amd64" "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
+
+  build:universal:lipo:go:
+    summary: Creates universal binary using wails3 tool lipo (Linux/Windows)
+    internal: true
+    cmds:
+      - wails3 tool lipo -output "{{.BIN_DIR}}/{{.APP_NAME}}" -input "{{.BIN_DIR}}/{{.APP_NAME}}-amd64" -input "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
+      - rm -f "{{.BIN_DIR}}/{{.APP_NAME}}-amd64" "{{.BIN_DIR}}/{{.APP_NAME}}-arm64"
+
+  package:
+    summary: Packages the application into a `.app` bundle
+    deps:
+      - task: build
+    cmds:
+      - task: create:app:bundle
+
+  package:universal:
+    summary: Packages darwin universal binary (arm64 + amd64)
+    deps:
+      - task: build:universal
+    cmds:
+      - task: create:app:bundle
+
+
+  create:app:bundle:
+    summary: Creates an `.app` bundle
+    cmds:
+      - mkdir -p "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/MacOS"
+      - mkdir -p "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/Resources"
+      - cp build/darwin/icons.icns "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/Resources"
+      - |
+        if [ -f build/darwin/Assets.car ]; then
+          cp build/darwin/Assets.car "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/Resources"
+        fi
+      - cp "{{.BIN_DIR}}/{{.APP_NAME}}" "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents/MacOS"
+      - cp build/darwin/Info.plist "{{.BIN_DIR}}/{{.APP_NAME}}.app/Contents"
+      - task: '{{if eq OS "darwin"}}codesign:adhoc{{else}}codesign:skip{{end}}'
+
+  codesign:adhoc:
+    summary: Ad-hoc signs the app bundle (macOS only)
+    internal: true
+    cmds:
+      - codesign --force --deep --sign - "{{.BIN_DIR}}/{{.APP_NAME}}.app"
+
+  codesign:skip:
+    summary: Skips codesigning when cross-compiling
+    internal: true
+    cmds:
+      - 'echo "Skipping codesign (not available on {{OS}}). Sign the .app on macOS before distribution."'
+
+  run:
+    cmds:
+      - mkdir -p "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/MacOS"
+      - mkdir -p "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Resources"
+      - cp build/darwin/icons.icns "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Resources"
+      - |
+        if [ -f build/darwin/Assets.car ]; then
+          cp build/darwin/Assets.car "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Resources"
+        fi
+      - cp "{{.BIN_DIR}}/{{.APP_NAME}}" "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/MacOS"
+      - cp "build/darwin/Info.dev.plist" "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/Info.plist"
+      - codesign --force --deep --sign - "{{.BIN_DIR}}/{{.APP_NAME}}.dev.app"
+      - '{{.BIN_DIR}}/{{.APP_NAME}}.dev.app/Contents/MacOS/{{.APP_NAME}}'
+
+  sign:
+    summary: Signs the application bundle with Developer ID
+    desc: |
+      Signs the .app bundle for distribution.
+      Configure SIGN_IDENTITY in the vars section at the top of this file.
+    deps:
+      - task: package
+    cmds:
+      - wails3 tool sign --input "{{.BIN_DIR}}/{{.APP_NAME}}.app" --identity "{{.SIGN_IDENTITY}}" {{if .ENTITLEMENTS}}--entitlements {{.ENTITLEMENTS}}{{end}}
+    preconditions:
+      - sh: '[ -n "{{.SIGN_IDENTITY}}" ]'
+        msg: "SIGN_IDENTITY is required. Set it in the vars section at the top of build/darwin/Taskfile.yml"
+
+  sign:notarize:
+    summary: Signs and notarizes the application bundle
+    desc: |
+      Signs the .app bundle and submits it for notarization.
+      Configure SIGN_IDENTITY and KEYCHAIN_PROFILE in the vars section at the top of this file.
+
+      Setup (one-time):
+        wails3 signing credentials --apple-id "you@email.com" --team-id "TEAMID" --password "app-specific-password" --profile "my-profile"
+    deps:
+      - task: package
+    cmds:
+      - wails3 tool sign --input "{{.BIN_DIR}}/{{.APP_NAME}}.app" --identity "{{.SIGN_IDENTITY}}" {{if .ENTITLEMENTS}}--entitlements {{.ENTITLEMENTS}}{{end}} --notarize --keychain-profile {{.KEYCHAIN_PROFILE}}
+    preconditions:
+      - sh: '[ -n "{{.SIGN_IDENTITY}}" ]'
+        msg: "SIGN_IDENTITY is required. Set it in the vars section at the top of build/darwin/Taskfile.yml"
+      - sh: '[ -n "{{.KEYCHAIN_PROFILE}}" ]'
+        msg: "KEYCHAIN_PROFILE is required. Set it in the vars section at the top of build/darwin/Taskfile.yml"

client/ui-wails/build/docker/Dockerfile.cross

@@ -0,0 +1,203 @@
+# Cross-compile Wails v3 apps to any platform
+#
+# Darwin: Zig + macOS SDK
+# Linux: Native GCC when host matches target, Zig for cross-arch
+# Windows: Zig + bundled mingw
+#
+# Usage:
+#   docker build -t wails-cross -f Dockerfile.cross .
+#   docker run --rm -v $(pwd):/app wails-cross darwin arm64
+#   docker run --rm -v $(pwd):/app wails-cross darwin amd64
+#   docker run --rm -v $(pwd):/app wails-cross linux amd64
+#   docker run --rm -v $(pwd):/app wails-cross linux arm64
+#   docker run --rm -v $(pwd):/app wails-cross windows amd64
+#   docker run --rm -v $(pwd):/app wails-cross windows arm64
+
+FROM golang:1.25-bookworm
+
+ARG TARGETARCH
+
+# Install base tools, GCC, and GTK/WebKit dev packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    curl xz-utils nodejs npm pkg-config gcc libc6-dev \
+    libgtk-3-dev libwebkit2gtk-4.1-dev \
+    libgtk-4-dev libwebkitgtk-6.0-dev \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Zig - automatically selects correct binary for host architecture
+ARG ZIG_VERSION=0.14.0
+RUN ZIG_ARCH=$(case "${TARGETARCH}" in arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
+    curl -L "https://ziglang.org/download/${ZIG_VERSION}/zig-linux-${ZIG_ARCH}-${ZIG_VERSION}.tar.xz" \
+    | tar -xJ -C /opt \
+    && ln -s /opt/zig-linux-${ZIG_ARCH}-${ZIG_VERSION}/zig /usr/local/bin/zig
+
+# Download macOS SDK (required for darwin targets)
+ARG MACOS_SDK_VERSION=14.5
+RUN curl -L "https://github.com/joseluisq/macosx-sdks/releases/download/${MACOS_SDK_VERSION}/MacOSX${MACOS_SDK_VERSION}.sdk.tar.xz" \
+    | tar -xJ -C /opt \
+    && mv /opt/MacOSX${MACOS_SDK_VERSION}.sdk /opt/macos-sdk
+
+ENV MACOS_SDK_PATH=/opt/macos-sdk
+
+# Create Zig CC wrappers for cross-compilation targets
+# Darwin and Windows use Zig; Linux uses native GCC (run with --platform for cross-arch)
+
+# Darwin arm64
+COPY <<'ZIGWRAP' /usr/local/bin/zcc-darwin-arm64
+#!/bin/sh
+ARGS=""
+SKIP_NEXT=0
+for arg in "$@"; do
+    if [ $SKIP_NEXT -eq 1 ]; then
+        SKIP_NEXT=0
+        continue
+    fi
+    case "$arg" in
+        -target) SKIP_NEXT=1 ;;
+        -mmacosx-version-min=*) ;;
+        *) ARGS="$ARGS $arg" ;;
+    esac
+done
+exec zig cc -fno-sanitize=all -target aarch64-macos-none -isysroot /opt/macos-sdk -I/opt/macos-sdk/usr/include -L/opt/macos-sdk/usr/lib -F/opt/macos-sdk/System/Library/Frameworks -w $ARGS
+ZIGWRAP
+RUN chmod +x /usr/local/bin/zcc-darwin-arm64
+
+# Darwin amd64
+COPY <<'ZIGWRAP' /usr/local/bin/zcc-darwin-amd64
+#!/bin/sh
+ARGS=""
+SKIP_NEXT=0
+for arg in "$@"; do
+    if [ $SKIP_NEXT -eq 1 ]; then
+        SKIP_NEXT=0
+        continue
+    fi
+    case "$arg" in
+        -target) SKIP_NEXT=1 ;;
+        -mmacosx-version-min=*) ;;
+        *) ARGS="$ARGS $arg" ;;
+    esac
+done
+exec zig cc -fno-sanitize=all -target x86_64-macos-none -isysroot /opt/macos-sdk -I/opt/macos-sdk/usr/include -L/opt/macos-sdk/usr/lib -F/opt/macos-sdk/System/Library/Frameworks -w $ARGS
+ZIGWRAP
+RUN chmod +x /usr/local/bin/zcc-darwin-amd64
+
+# Windows amd64 - uses Zig's bundled mingw
+COPY <<'ZIGWRAP' /usr/local/bin/zcc-windows-amd64
+#!/bin/sh
+ARGS=""
+SKIP_NEXT=0
+for arg in "$@"; do
+    if [ $SKIP_NEXT -eq 1 ]; then
+        SKIP_NEXT=0
+        continue
+    fi
+    case "$arg" in
+        -target) SKIP_NEXT=1 ;;
+        -Wl,*) ;;
+        *) ARGS="$ARGS $arg" ;;
+    esac
+done
+exec zig cc -target x86_64-windows-gnu $ARGS
+ZIGWRAP
+RUN chmod +x /usr/local/bin/zcc-windows-amd64
+
+# Windows arm64 - uses Zig's bundled mingw
+COPY <<'ZIGWRAP' /usr/local/bin/zcc-windows-arm64
+#!/bin/sh
+ARGS=""
+SKIP_NEXT=0
+for arg in "$@"; do
+    if [ $SKIP_NEXT -eq 1 ]; then
+        SKIP_NEXT=0
+        continue
+    fi
+    case "$arg" in
+        -target) SKIP_NEXT=1 ;;
+        -Wl,*) ;;
+        *) ARGS="$ARGS $arg" ;;
+    esac
+done
+exec zig cc -target aarch64-windows-gnu $ARGS
+ZIGWRAP
+RUN chmod +x /usr/local/bin/zcc-windows-arm64
+
+# Build script
+COPY <<'SCRIPT' /usr/local/bin/build.sh
+#!/bin/sh
+set -e
+
+OS=${1:-darwin}
+ARCH=${2:-arm64}
+
+case "${OS}-${ARCH}" in
+    darwin-arm64|darwin-aarch64)
+        export CC=zcc-darwin-arm64
+        export GOARCH=arm64
+        export GOOS=darwin
+        ;;
+    darwin-amd64|darwin-x86_64)
+        export CC=zcc-darwin-amd64
+        export GOARCH=amd64
+        export GOOS=darwin
+        ;;
+    linux-arm64|linux-aarch64)
+        export CC=gcc
+        export GOARCH=arm64
+        export GOOS=linux
+        ;;
+    linux-amd64|linux-x86_64)
+        export CC=gcc
+        export GOARCH=amd64
+        export GOOS=linux
+        ;;
+    windows-arm64|windows-aarch64)
+        export CC=zcc-windows-arm64
+        export GOARCH=arm64
+        export GOOS=windows
+        ;;
+    windows-amd64|windows-x86_64)
+        export CC=zcc-windows-amd64
+        export GOARCH=amd64
+        export GOOS=windows
+        ;;
+    *)
+        echo "Usage: <os> <arch>"
+        echo "  os: darwin, linux, windows"
+        echo "  arch: amd64, arm64"
+        exit 1
+        ;;
+esac
+
+export CGO_ENABLED=1
+export CGO_CFLAGS="-w"
+
+# Build frontend if exists and not already built (host may have built it)
+if [ -d "frontend" ] && [ -f "frontend/package.json" ] && [ ! -d "frontend/dist" ]; then
+    (cd frontend && npm install --silent && npm run build --silent)
+fi
+
+# Build
+APP=${APP_NAME:-$(basename $(pwd))}
+mkdir -p bin
+
+EXT=""
+LDFLAGS="-s -w"
+if [ "$GOOS" = "windows" ]; then
+    EXT=".exe"
+    LDFLAGS="-s -w -H windowsgui"
+fi
+
+TAGS="production"
+if [ -n "$EXTRA_TAGS" ]; then
+    TAGS="${TAGS},${EXTRA_TAGS}"
+fi
+
+go build -tags "$TAGS" -trimpath -buildvcs=false -ldflags="$LDFLAGS" -o bin/${APP}-${GOOS}-${GOARCH}${EXT} .
+echo "Built: bin/${APP}-${GOOS}-${GOARCH}${EXT}"
+SCRIPT
+RUN chmod +x /usr/local/bin/build.sh
+
+WORKDIR /app
+ENTRYPOINT ["/usr/local/bin/build.sh"]
+CMD ["darwin", "arm64"]

client/ui-wails/build/docker/Dockerfile.server

@@ -0,0 +1,41 @@
+# Wails Server Mode Dockerfile
+# Multi-stage build for minimal image size
+
+# Build stage
+FROM golang:alpine AS builder
+
+WORKDIR /app
+
+# Install build dependencies
+RUN apk add --no-cache git
+
+# Copy source code
+COPY . .
+
+# Remove local replace directive if present (for production builds)
+RUN sed -i '/^replace/d' go.mod || true
+
+# Download dependencies
+RUN go mod tidy
+
+# Build the server binary
+RUN go build -tags server -ldflags="-s -w" -o server .
+
+# Runtime stage - minimal image
+FROM gcr.io/distroless/static-debian12
+
+# Copy the binary
+COPY --from=builder /app/server /server
+
+# Copy frontend assets
+COPY --from=builder /app/frontend/dist /frontend/dist
+
+# Expose the default port
+EXPOSE 8080
+
+# Bind to all interfaces (required for Docker)
+# Can be overridden at runtime with -e WAILS_SERVER_HOST=...
+ENV WAILS_SERVER_HOST=0.0.0.0
+
+# Run the server
+ENTRYPOINT ["/server"]

client/ui-wails/build/linux/Taskfile.yml

@@ -0,0 +1,235 @@
+version: '3'
+
+includes:
+  common: ../Taskfile.yml
+
+vars:
+  # Signing configuration - edit these values for your project
+  # PGP_KEY: "path/to/signing-key.asc"
+  # SIGN_ROLE: "builder"  # Options: origin, maint, archive, builder
+  #
+  # Password is stored securely in system keychain. Run: wails3 setup signing
+
+  # Docker image for cross-compilation (used when building on non-Linux or no CC available)
+  CROSS_IMAGE: wails-cross
+
+tasks:
+  build:
+    summary: Builds the application for Linux
+    cmds:
+      # Linux requires CGO - use Docker when:
+      # 1. Cross-compiling from non-Linux, OR
+      # 2. No C compiler is available, OR
+      # 3. Target architecture differs from host architecture (cross-arch compilation)
+      - task: '{{if and (eq OS "linux") (eq .HAS_CC "true") (eq .TARGET_ARCH ARCH)}}build:native{{else}}build:docker{{end}}'
+        vars:
+          ARCH: '{{.ARCH}}'
+          DEV: '{{.DEV}}'
+          OUTPUT: '{{.OUTPUT}}'
+          EXTRA_TAGS: '{{.EXTRA_TAGS}}'
+    vars:
+      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
+      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
+      # Determine target architecture (defaults to host ARCH if not specified)
+      TARGET_ARCH: '{{.ARCH | default ARCH}}'
+      # Check if a C compiler is available (gcc or clang)
+      HAS_CC:
+        sh: '(command -v gcc >/dev/null 2>&1 || command -v clang >/dev/null 2>&1) && echo "true" || echo "false"'
+
+  build:native:
+    summary: Builds the application natively on Linux
+    internal: true
+    deps:
+      - task: common:go:mod:tidy
+      - task: common:build:frontend
+        vars:
+          BUILD_FLAGS:
+            ref: .BUILD_FLAGS
+          DEV:
+            ref: .DEV
+      - task: common:generate:icons
+      - task: generate:dotdesktop
+    cmds:
+      - go build {{.BUILD_FLAGS}} -o {{.OUTPUT}}
+    vars:
+      BUILD_FLAGS: '{{if eq .DEV "true"}}{{if .EXTRA_TAGS}}-tags {{.EXTRA_TAGS}} {{end}}-buildvcs=false -gcflags=all="-l"{{else}}-tags production{{if .EXTRA_TAGS}},{{.EXTRA_TAGS}}{{end}} -trimpath -buildvcs=false -ldflags="-w -s"{{end}}'
+      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
+      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
+    env:
+      GOOS: linux
+      CGO_ENABLED: 1
+      GOARCH: '{{.ARCH | default ARCH}}'
+
+  build:docker:
+    summary: Builds for Linux using Docker (for non-Linux hosts or when no C compiler available)
+    internal: true
+    deps:
+      - task: common:build:frontend
+      - task: common:generate:icons
+      - task: generate:dotdesktop
+    preconditions:
+      - sh: docker info > /dev/null 2>&1
+        msg: "Docker is required for cross-compilation to Linux. Please install Docker."
+      - sh: docker image inspect {{.CROSS_IMAGE}} > /dev/null 2>&1
+        msg: |
+          Docker image '{{.CROSS_IMAGE}}' not found.
+          Build it first: wails3 task setup:docker
+    cmds:
+      - docker run --rm -v "{{.ROOT_DIR}}:/app" {{.GO_CACHE_MOUNT}} {{.REPLACE_MOUNTS}} -e APP_NAME="{{.APP_NAME}}" {{if .EXTRA_TAGS}}-e EXTRA_TAGS="{{.EXTRA_TAGS}}"{{end}} "{{.CROSS_IMAGE}}" linux {{.DOCKER_ARCH}}
+      - docker run --rm -v "{{.ROOT_DIR}}:/app" alpine chown -R $(id -u):$(id -g) /app/bin
+      - mkdir -p {{.BIN_DIR}}
+      - mv "bin/{{.APP_NAME}}-linux-{{.DOCKER_ARCH}}" "{{.OUTPUT}}"
+    vars:
+      DOCKER_ARCH: '{{.ARCH | default "amd64"}}'
+      DEFAULT_OUTPUT: '{{.BIN_DIR}}/{{.APP_NAME}}'
+      OUTPUT: '{{ .OUTPUT | default .DEFAULT_OUTPUT }}'
+      # Mount Go module cache for faster builds
+      GO_CACHE_MOUNT:
+        sh: 'echo "-v ${GOPATH:-$HOME/go}/pkg/mod:/go/pkg/mod"'
+      # Extract replace directives from go.mod and create -v mounts for each
+      REPLACE_MOUNTS:
+        sh: |
+          grep -E '^replace .* => ' go.mod 2>/dev/null | while read -r line; do
+            path=$(echo "$line" | sed -E 's/^replace .* => //' | tr -d '\r')
+            # Convert relative paths to absolute
+            if [ "${path#/}" = "$path" ]; then
+              path="$(cd "$(dirname "$path")" 2>/dev/null && pwd)/$(basename "$path")"
+            fi
+            # Only mount if directory exists
+            if [ -d "$path" ]; then
+              echo "-v $path:$path:ro"
+            fi
+          done | tr '\n' ' '
+
+  package:
+    summary: Packages the application for Linux
+    deps:
+      - task: build
+    cmds:
+      - task: create:appimage
+      - task: create:deb
+      - task: create:rpm
+      - task: create:aur
+
+  create:appimage:
+    summary: Creates an AppImage
+    dir: build/linux/appimage
+    deps:
+      - task: build
+      - task: generate:dotdesktop
+    cmds:
+      - cp "{{.APP_BINARY}}" "{{.APP_NAME}}"
+      - cp ../../appicon.png "{{.APP_NAME}}.png"
+      - wails3 generate appimage -binary "{{.APP_NAME}}" -icon {{.ICON}} -desktopfile {{.DESKTOP_FILE}} -outputdir {{.OUTPUT_DIR}} -builddir {{.ROOT_DIR}}/build/linux/appimage/build
+    vars:
+      APP_NAME: '{{.APP_NAME}}'
+      APP_BINARY: '../../../bin/{{.APP_NAME}}'
+      ICON: '{{.APP_NAME}}.png'
+      DESKTOP_FILE: '../{{.APP_NAME}}.desktop'
+      OUTPUT_DIR: '../../../bin'
+
+  create:deb:
+    summary: Creates a deb package
+    deps:
+      - task: build
+    cmds:
+      - task: generate:dotdesktop
+      - task: generate:deb
+
+  create:rpm:
+    summary: Creates a rpm package
+    deps:
+      - task: build
+    cmds:
+      - task: generate:dotdesktop
+      - task: generate:rpm
+
+  create:aur:
+    summary: Creates a arch linux packager package
+    deps:
+      - task: build
+    cmds:
+      - task: generate:dotdesktop
+      - task: generate:aur
+
+  generate:deb:
+    summary: Creates a deb package
+    cmds:
+      - wails3 tool package -name "{{.APP_NAME}}" -format deb -config ./build/linux/nfpm/nfpm.yaml -out {{.ROOT_DIR}}/bin
+
+  generate:rpm:
+    summary: Creates a rpm package
+    cmds:
+      - wails3 tool package -name "{{.APP_NAME}}" -format rpm -config ./build/linux/nfpm/nfpm.yaml -out {{.ROOT_DIR}}/bin
+
+  generate:aur:
+    summary: Creates a arch linux packager package
+    cmds:
+      - wails3 tool package -name "{{.APP_NAME}}" -format archlinux -config ./build/linux/nfpm/nfpm.yaml -out {{.ROOT_DIR}}/bin
+
+  generate:dotdesktop:
+    summary: Generates a `.desktop` file
+    dir: build
+    cmds:
+      - mkdir -p {{.ROOT_DIR}}/build/linux/appimage
+      - wails3 generate .desktop -name "{{.APP_NAME}}" -exec "{{.EXEC}}" -icon "{{.ICON}}" -outputfile "{{.ROOT_DIR}}/build/linux/{{.APP_NAME}}.desktop" -categories "{{.CATEGORIES}}"
+      # Wrap Exec= with `env WEBKIT_DISABLE_DMABUF_RENDERER=1 ...` so launches
+      # from any desktop environment use the working renderer. See build/linux/Taskfile.yml :run for the matching dev-mode env block.
+      - sed -i -E 's|^Exec=([^ ]+)(.*)$|Exec=env WEBKIT_DISABLE_DMABUF_RENDERER=1 \1\2|' {{.ROOT_DIR}}/build/linux/{{.APP_NAME}}.desktop
+    vars:
+      APP_NAME: '{{.APP_NAME}}'
+      EXEC: '{{.APP_NAME}}'
+      ICON: '{{.APP_NAME}}'
+      CATEGORIES: 'Development;'
+      OUTPUTFILE: '{{.ROOT_DIR}}/build/linux/{{.APP_NAME}}.desktop'
+
+  run:
+    cmds:
+      - '{{.BIN_DIR}}/{{.APP_NAME}}'
+    env:
+      # WebKitGTK 2.50's default DMA-BUF renderer fails on RDP, VirtualBox/QEMU,
+      # and some bare WMs (Fluxbox, dwm) where DRM dumb-buffer access is
+      # restricted. Disabling it falls back to the GLES2/cairo path which works
+      # everywhere. Production launchers must set this too.
+      WEBKIT_DISABLE_DMABUF_RENDERER: "1"
+
+  sign:deb:
+    summary: Signs the DEB package
+    desc: |
+      Signs the .deb package with a PGP key.
+      Configure PGP_KEY in the vars section at the top of this file.
+      Password is retrieved from system keychain (run: wails3 setup signing)
+    deps:
+      - task: create:deb
+    cmds:
+      - wails3 tool sign --input "{{.BIN_DIR}}/{{.APP_NAME}}*.deb" --pgp-key {{.PGP_KEY}} {{if .SIGN_ROLE}}--role {{.SIGN_ROLE}}{{end}}
+    preconditions:
+      - sh: '[ -n "{{.PGP_KEY}}" ]'
+        msg: "PGP_KEY is required. Set it in the vars section at the top of build/linux/Taskfile.yml"
+
+  sign:rpm:
+    summary: Signs the RPM package
+    desc: |
+      Signs the .rpm package with a PGP key.
+      Configure PGP_KEY in the vars section at the top of this file.
+      Password is retrieved from system keychain (run: wails3 setup signing)
+    deps:
+      - task: create:rpm
+    cmds:
+      - wails3 tool sign --input "{{.BIN_DIR}}/{{.APP_NAME}}*.rpm" --pgp-key {{.PGP_KEY}}
+    preconditions:
+      - sh: '[ -n "{{.PGP_KEY}}" ]'
+        msg: "PGP_KEY is required. Set it in the vars section at the top of build/linux/Taskfile.yml"
+
+  sign:packages:
+    summary: Signs all Linux packages (DEB and RPM)
+    desc: |
+      Signs both .deb and .rpm packages with a PGP key.
+      Configure PGP_KEY in the vars section at the top of this file.
+      Password is retrieved from system keychain (run: wails3 setup signing)
+    cmds:
+      - task: sign:deb
+      - task: sign:rpm
+    preconditions:
+      - sh: '[ -n "{{.PGP_KEY}}" ]'
+        msg: "PGP_KEY is required. Set it in the vars section at the top of build/linux/Taskfile.yml"

client/ui-wails/build/linux/appimage/build.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Copyright (c) 2018-Present Lea Anthony
+# SPDX-License-Identifier: MIT
+
+# Fail script on any error
+set -euxo pipefail
+
+# Define variables
+APP_DIR="${APP_NAME}.AppDir"
+
+# Create AppDir structure
+mkdir -p "${APP_DIR}/usr/bin"
+cp -r "${APP_BINARY}" "${APP_DIR}/usr/bin/"
+cp "${ICON_PATH}" "${APP_DIR}/"
+cp "${DESKTOP_FILE}" "${APP_DIR}/"
+
+if [[ $(uname -m) == *x86_64* ]]; then
+    # Download linuxdeploy and make it executable
+    wget -q -4 -N https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage
+    chmod +x linuxdeploy-x86_64.AppImage
+
+    # Run linuxdeploy to bundle the application
+    ./linuxdeploy-x86_64.AppImage --appdir "${APP_DIR}" --output appimage
+else
+    # Download linuxdeploy and make it executable (arm64)
+    wget -q -4 -N https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-aarch64.AppImage
+    chmod +x linuxdeploy-aarch64.AppImage
+
+    # Run linuxdeploy to bundle the application (arm64)
+    ./linuxdeploy-aarch64.AppImage --appdir "${APP_DIR}" --output appimage
+fi
+
+# Rename the generated AppImage
+mv "${APP_NAME}*.AppImage" "${APP_NAME}.AppImage"
+

client/ui-wails/build/linux/desktop

@@ -0,0 +1,13 @@
+[Desktop Entry]
+Version=1.0
+Name=NetBird
+Comment=NetBird desktop client
+# The Exec line includes %u to pass the URL to the application
+Exec=/usr/local/bin/netbird-ui %u
+Terminal=false
+Type=Application
+Icon=netbird-ui
+Categories=Utility;
+StartupWMClass=netbird-ui
+
+ 

client/ui-wails/build/linux/netbird-ui.desktop

@@ -0,0 +1,10 @@
+[Desktop Entry]
+Type=Application
+Name=netbird-ui
+Exec=netbird-ui
+Icon=netbird-ui
+Categories=Development;
+Terminal=false
+Keywords=wails
+Version=1.0
+StartupNotify=false

client/ui-wails/build/linux/nfpm/nfpm.yaml

@@ -0,0 +1,67 @@
+# Feel free to remove those if you don't want/need to use them.
+# Make sure to check the documentation at https://nfpm.goreleaser.com
+#
+# The lines below are called `modelines`. See `:help modeline`
+
+name: "netbird-ui"
+arch: ${GOARCH}
+platform: "linux"
+version: "0.0.1"
+section: "default"
+priority: "extra"
+maintainer: ${GIT_COMMITTER_NAME} <${GIT_COMMITTER_EMAIL}>
+description: "NetBird desktop client"
+vendor: "NetBird"
+homepage: "https://wails.io"
+license: "MIT"
+release: "1"
+
+contents:
+  - src: "./bin/netbird-ui"
+    dst: "/usr/local/bin/netbird-ui"
+  - src: "./build/appicon.png"
+    dst: "/usr/share/icons/hicolor/128x128/apps/netbird-ui.png"
+  - src: "./build/linux/netbird-ui.desktop"
+    dst: "/usr/share/applications/netbird-ui.desktop"
+
+# Default dependencies for Debian 12/Ubuntu 22.04+ with WebKit 4.1
+depends:
+  - libgtk-3-0
+  - libwebkit2gtk-4.1-0
+
+# Distribution-specific overrides for different package formats and WebKit versions
+overrides:
+  # RPM packages for RHEL/CentOS/AlmaLinux/Rocky Linux (WebKit 4.0)
+  rpm:
+    depends:
+      - gtk3
+      - webkit2gtk4.1
+  
+  # Arch Linux packages (WebKit 4.1)  
+  archlinux:
+    depends:
+      - gtk3
+      - webkit2gtk-4.1
+
+# scripts section to ensure desktop database is updated after install
+scripts:
+  postinstall: "./build/linux/nfpm/scripts/postinstall.sh"
+  # You can also add preremove, postremove if needed
+  # preremove: "./build/linux/nfpm/scripts/preremove.sh"
+  # postremove: "./build/linux/nfpm/scripts/postremove.sh"
+
+# replaces:
+#   - foobar
+# provides:
+#   - bar
+# depends:
+#   - gtk3
+#   - libwebkit2gtk
+# recommends:
+#   - whatever
+# suggests:
+#   - something-else
+# conflicts:
+#   - not-foo
+#   - not-bar
+# changelog: "changelog.yaml"

client/ui-wails/build/linux/nfpm/scripts/postinstall.sh

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Update desktop database for .desktop file changes
+# This makes the application appear in application menus and registers its capabilities.
+if command -v update-desktop-database >/dev/null 2>&1; then
+  echo "Updating desktop database..."
+  update-desktop-database -q /usr/share/applications
+else
+  echo "Warning: update-desktop-database command not found. Desktop file may not be immediately recognized." >&2
+fi
+
+# Update MIME database for custom URL schemes (x-scheme-handler)
+# This ensures the system knows how to handle your custom protocols.
+if command -v update-mime-database >/dev/null 2>&1; then
+  echo "Updating MIME database..."
+  update-mime-database -n /usr/share/mime
+else
+  echo "Warning: update-mime-database command not found. Custom URL schemes may not be immediately recognized." >&2
+fi
+
+exit 0